puppet4 passenger布署
本文参考自puppetlabs官方passenger布署文档,增加了一些细节的处理,比官方文档更详细。本文测试环境为centos6.2,puppet4.3。
安装apache
yum install httpd httpd-devel
卸载系统自带ruby
由于puppet4.3已经自带了2.1的ruby,可能会与系统自带版本冲突,所以卸载掉比较安全,免得ruby环境太混乱了。
yum remove ruby
将puppet下的bin目录加到PATH里去,再执行ruby -v看到的ruby版本就是puppet自带的版本了。
export PATH=$PATH:/opt/puppetlabs/puppet/bin
ruby -v
ruby 2.1.7p400 (2015-08-18 revision 51632) [x86_64-linux]
用gem安装puppet代码
如果默认gem源用不了,就用http的源试下。
gem sources --remove https://rubygems.org/
gem sources -a http://rubygems.org/
gem install -V puppet -v 4.3.1
安装Rack/Passenger
注意,修改passenger-install-apache2-module的ruby路径为puppet自带ruby路径:/opt/puppetlabs/puppet/bin/ruby。
gem install -V rack passenger
vim /usr/bin/passenger-install-apache2-module
#!/opt/puppetlabs/puppet/bin/ruby
passenger-install-apache2-module
将以下代码拷贝至apache配置文件里,不同的环境配置可能不同,按照passenger-install-apache2-module的提示来。最后回车就搞定了。
LoadModule passenger_module /opt/puppetlabs/puppet/lib/ruby/gems/2.1.0/gems/passenger-5.0.27/buildout/apache2/mod_passenger.so
<IfModule mod_passenger.c>
PassengerRoot /opt/puppetlabs/puppet/lib/ruby/gems/2.1.0/gems/passenger-5.0.27
PassengerDefaultRuby /opt/puppetlabs/puppet/bin/ruby
</IfModule>
安装Puppet Master Rack
找到config.ru文件,这个文件应该在puppet代码下面,
# locate config.ru
/opt/puppetlabs/puppet/lib/ruby/gems/2.1.0/gems/puppet-4.3.1/ext/rack/config.ru
然后给应用程序建目录,并把刚刚找到的config.ru文件拷贝过去,将config.ru属主权限改成puppet,
$ sudo mkdir -p /usr/share/puppet/rack/puppetmasterd
$ sudo mkdir /usr/share/puppet/rack/puppetmasterd/public /usr/share/puppet/rack/puppetmasterd/tmp
$ sudo cp /opt/puppetlabs/puppet/lib/ruby/gems/2.1.0/gems/puppet-4.3.1/ext/rack/config.ru /usr/share/puppet/rack/puppetmasterd/
$ sudo chown puppet:puppet /usr/share/puppet/rack/puppetmasterd/config.ru
最终目录结构如下:
# tree /usr/share/puppet
/usr/share/puppet
└── rack
└── puppetmasterd
├── config.ru
├── public
└── tmp
4 directories, 1 file
配置apache
在/etc/httpd/conf.d新建puppetmaster.conf文件,将下面内容拷贝进去。将SSL文件路径修改成自己的实际路径。
# You'll need to adjust the paths in the Passenger config depending on which OS
# you're using, as well as the installed version of Passenger.
# Debian/Ubuntu:
#LoadModule passenger_module /var/lib/gems/1.8/gems/passenger-4.0.x/ext/apache2/mod_passenger.so
#PassengerRoot /var/lib/gems/1.8/gems/passenger-4.0.x
#PassengerRuby /usr/bin/ruby1.8
# RHEL/CentOS:
#LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.x/ext/apache2/mod_passenger.so
#PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.x
#PassengerRuby /usr/bin/ruby
# And the passenger performance tuning settings:
# Set this to about 1.5 times the number of CPU cores in your master:
PassengerMaxPoolSize 12
# Recycle master processes after they service 1000 requests
PassengerMaxRequests 1000
# Stop processes if they sit idle for 10 minutes
PassengerPoolIdleTime 600
Listen 8140
<VirtualHost *:8140>
# Make Apache hand off HTTP requests to Puppet earlier, at the cost of
# interfering with mod_proxy, mod_rewrite, etc. See note below.
PassengerHighPerformance On
SSLEngine On
# Only allow high security cryptography. Alter if needed for compatibility.
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
SSLHonorCipherOrder on
SSLCertificateFile /etc/puppetlabs/puppet/ssl/certs/puppet-server.example.com.pem
SSLCertificateKeyFile /etc/puppetlabs/puppet/ssl/private_keys/puppet-server.example.pem
SSLCertificateChainFile /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
SSLCARevocationFile /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem
SSLCARevocationCheck chain
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars +ExportCertData
# Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
# which effectively disables CRL checking. If you are using Apache 2.4+ you must
# specify 'SSLCARevocationCheck chain' to actually use the CRL.
# These request headers are used to pass the client certificate
# authentication information on to the Puppet master process
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
<Directory /usr/share/puppet/rack/puppetmasterd/>
Options None
AllowOverride None
# Apply the right behavior depending on Apache version.
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
</Directory>
ErrorLog /var/log/httpd/puppet-server.example.com_ssl_error.log
CustomLog /var/log/httpd/puppet-server.example.com_ssl_access.log combined
</VirtualHost>
重启apache,到这里安装应该是完成了,到客户端执行puppet agent -t试下,结果抛出一堆错误,查看apahce错误日志,发现/bin/uname这个东西puppet没有执行权限,加上权限,再来。
message from application: Permission denied - /bin/uname (Errno::EACCES)
chmod +x /bin/uname
/etc/init.d/httpd restart
很不幸,依然报错,那就继续排错。花了不小力气,最后发现居然是/var/log/puppetlabs/puppetmaster这个路径没有建立导致。建好目录后,就一切ok了,最后附图一张。