Running Puppet Master under Apache and Passenger – CentOS 6.4

I have been running my puppetmaster using the embedded WEBrick server for a while. I decided it was time to migrate to something a little more robust – namely Apache and Passenger. I loosely followed the documentation available on the Puppet site, although that covers Passenger 3.0.x and I’m using 4.0.x, and the supplied Apache configuration does not work. There were also a few other changes I had to make along the way to suit my configuration requirements. My puppetmaster is running CentOS 6.4.

First off, as much as it pained me, I had to turn off SELinux. I did run through iterations of:

but the automatically generated policy was very unwieldy. The server is in a secure VLAN with a thorough lockdown applied anyway, so until I find time to write a custom SELinux policy for this:

I then verified my current state – I’m running the standard puppetmaster (version 3.2.1) from the Puppet yum repos, and iptables is configured appropriately for port 8140/tcp, etc. Everything is operating as expected prior to the migration:

The first step is to install all prerequisite packages and their dependencies:

Next, install the rack and passenger gems, and their dependencies:

Now, run through the apache2 module build utility that comes with Passenger. This is a TUI application that will verify that all prerequisites are met prior to building the module. Once it has completed the build, it’ll give you the appropriate directives (LoadModule, PassengerRoot and PassengerDefaultRuby) you need to add into your Apache configuration.

The Puppet documentation has the Rack application running out of /usr/share … which to me is a terrible thing. I decided I’d like mine to run out of /var/lib/puppet/rack instead. Create the appropriate directories, and copy in the file. Ensure permissions are correct:

Because Apache will need to access these directories, add an ACL (presuming your filesystem supports them) to /var/lib/puppet for your webserver user (in my case, apache):

Now, create your Apache VirtualHost configuration. Two of the directives provided in the Puppet document (PassengerUseGlobalQueue and RackAutoDetect) are no longer required, and if you use passenger as the module name you’ll find that the symbol is undefined – for Passenger 4.0.x you need passenger_module in your LoadModule directive.

I created this file at /etc/httpd/conf.d/00-default-vhost-puppetmaster.conf. You will need to modify the paths to your certificates as pertinent to your configuration. You may also need to adjust some of the other values according to your setup:

Now, stop the existing WEBrick implementation:

And, all things being well, start Apache without errors:

Initiate a few puppet runs from your clients, and check that all is well:

If so, disable the original implementation and enable the new via chkconfig, and you’re done!

You can view the status of passenger at any time with the passenger-status command: