Configuring puppet master ubuntu/debian

Sep 14, 2011   #howto  #puppet  #sysadmin 

Installing puppet version 2.7.3

I will be installing the package via ruby gems. I do not like it at all, but the packages available in the apt repository are too old.

Install ruby, rubygems and dependencies

apt-get install ruby rubygems libopenssl-ruby

Install puppet via gem

gem install puppet --version=2.7.3

Puppet executables

You have two options here:

Add the gem bin path to your .profile

echo 'export PATH="$PATH:/var/lib/gems/1.8/bin"' >> /root/.profile
cd /root && . .profile

or run the install.rb for puppet and facter:


Create puppet users

The no-daemonize option keeps puppet in the foreground. CTRL-c to exit once puppet is done adding users. The verbose option will help you see when it is done.

puppet master --mkusers --no-daemonize --verbose

Puppet configuration file

If you want a template puppet.conf use genconfig to make one:

puppet master --genconfig > /etc/puppet/puppet.conf

If you choose to use puppet to generate your configuration file, be aware that you will have to comment out the factdest line (/var/lib/puppet/facts/) in the puppet.conf configuration file. I have created a bug with Puppet Labs on this.

# factdest = /var/lib/puppet/facts/

Configuring puppet to use passenger

Edit /etc/puppet/puppet.conf and set ssl_client_header and ssl_client_verify_header under the [master] section.

ssl_client_verify_header = SSL_CLIENT_VERIFY
ssl_client_header = SSL_CLIENT_S_DN

Install and configure rack

gem install rack
mkdir -p /etc/puppet/rack/public
cp /var/lib/gems/1.8/gems/puppet-2.7.3/ext/rack/files/ /etc/puppet/rack/
chown puppet /etc/puppet/rack/

Passenger dependencies

apt-get install build-essential libcurl4-openssl-dev libssl-dev zlib1g-dev apache2 apache2-prefork-dev libapr1-dev libaprutil1-dev ruby-dev

Install passenger

gem install passenger --version=3.0.9

Install Passenger Module

/var/lib/gems/1.8/bin/passenger-install-apache2-module --auto
a2enmod ssl
cat > /etc/apache2/mods-available/passenger.conf <<EOF
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off
EOF
cat > /etc/apache2/mods-available/passenger.load <<EOF
LoadModule passenger_module /var/lib/gems/1.8/gems/passenger-3.0.9/ext/apache2/
PassengerRoot /var/lib/gems/1.8/gems/passenger-3.0.9
PassengerRuby /usr/bin/ruby1.8
EOF
a2enmod passenger

Configure apache to listen on port 8140

cat >> /etc/apache2/ports.conf <<EOF
<IfModule passenger_module>
    Listen 8140
</IfModule>
EOF

Setup puppetmaster virtual site

PUPPETHOST=`facter fqdn`
cat > /etc/apache2/sites-available/puppetmasterd <<EOF
<VirtualHost *:8140>
        SSLEngine on
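        # SSLv3 and RC4 were common in 2011 but are now prohibited (RFC 7568, RFC 7465).
        # On a current Apache and OpenSSL, allow only modern TLS versions and drop RC4.
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP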

        SSLCertificateFile      /etc/puppet/ssl/certs/$PUPPETHOST.pem
        SSLCertificateKeyFile   /etc/puppet/ssl/private_keys/$PUPPETHOST.pem
        SSLCertificateChainFile /etc/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile    /etc/puppet/ssl/ca/ca_crt.pem
        # If Apache complains about invalid signatures on the CRL, you can try disabling
        # CRL checking by commenting the next line, but this is not recommended.
        SSLCARevocationFile     /etc/puppet/ssl/ca/ca_crl.pem
        SSLVerifyClient optional
        SSLVerifyDepth  1
        SSLOptions +StdEnvVars

        DocumentRoot /etc/puppet/rack/public/
        RackBaseURI /
        <Directory /etc/puppet/rack/>
                Options None
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>
EOF
a2ensite puppetmasterd
service apache2 restart
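
The two halves of this setup have to agree: puppet.conf names the environment variables that carry the client DN and verification result, and the vhost must make Apache verify client certificates and export those variables. The script below is an added example, not part of the original post, that cross-checks the finished files; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check puppet.conf against
# the Apache vhost. Function names and the sample files are this example's own.

# Print the value of KEY from the [master] section of an INI-style puppet.conf.
master_setting() {  # usage: master_setting FILE KEY
    awk -v key="$2" '
        /^[ \t]*\[/ { in_master = ($0 ~ /^[ \t]*\[master\]/); next }
        !in_master || /^[ \t]*#/ { next }
        { k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k) }
        k == key { v = substr($0, index($0, "=") + 1)
                   gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }' "$1"
}

# Succeed when an uncommented directive matching REGEX exists in the vhost.
has_directive() {  # usage: has_directive FILE REGEX
    grep -Eiq "^[[:space:]]*$2" "$1"
}

fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

# Print one line per problem; the exit status is the number of problems.
check_puppet_passenger() {  # usage: check_puppet_passenger PUPPET_CONF VHOST
    problems=0
    [ "$(master_setting "$1" ssl_client_header)" = SSL_CLIENT_S_DN ] ||
        fail "[master] ssl_client_header is not SSL_CLIENT_S_DN"
    [ "$(master_setting "$1" ssl_client_verify_header)" = SSL_CLIENT_VERIFY ] ||
        fail "[master] ssl_client_verify_header is not SSL_CLIENT_VERIFY"
    has_directive "$2" 'SSLOptions[[:space:]].*\+StdEnvVars' ||
        fail "SSLOptions +StdEnvVars missing, SSL_CLIENT_* is not exported"
    has_directive "$2" 'SSLVerifyClient[[:space:]]+(optional|require)[[:space:]]*$' ||
        fail "SSLVerifyClient is not optional or require"
    has_directive "$2" 'SSLCACertificateFile[[:space:]]' ||
        fail "SSLCACertificateFile missing, no CA to verify agents against"
    has_directive "$2" 'SSLCARevocationFile[[:space:]]' ||
        fail "SSLCARevocationFile missing or commented out, CRL not checked"
    return "$problems"
}

# Constructed sample input: a vhost where the CRL line has been commented out.
demo() {
    d=$(mktemp -d)
    printf '[master]\nssl_client_header = SSL_CLIENT_S_DN\nssl_client_verify_header = SSL_CLIENT_VERIFY\n' > "$d/puppet.conf"
    printf 'SSLVerifyClient optional\nSSLOptions +StdEnvVars\nSSLCACertificateFile /x/ca.pem\n# SSLCARevocationFile /x/crl.pem\n' > "$d/vhost"
    check_puppet_passenger "$d/puppet.conf" "$d/vhost"; rc=$?
    rm -rf "$d"; return "$rc"
}
demo || echo "problems found: $?"
```

On a real master, call `check_puppet_passenger /etc/puppet/puppet.conf /etc/apache2/sites-available/puppetmasterd` before restarting Apache. The SSLVerifyClient pattern deliberately rejects `optional_no_ca`, which would accept certificates that do not chain to the Puppet CA.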