puppet4 passenger布署

本文参考自puppetlabs官方passenger布署文档，增加了一些细节的处理，比官方文档更详细。本文测试环境为centos6.2,puppet4.3。

安装apache

yum install httpd httpd-devel

卸载系统自带ruby

由于puppet4.3已经自带了2.1的ruby,可能会与系统自带版本冲突，所以卸载掉比较安全，免得ruby环境太混乱了。

yum remove ruby

将puppet下的bin目录加到PATH里去，再执行ruby -v看到的ruby版本就是puppet自带的版本了。

export PATH=$PATH:/opt/puppetlabs/puppet/binruby -v         ruby 2.1.7p400 (2015-08-18 revision 51632) [x86_64-linux]

用gem安装puppet代码

如果默认gem源用不了，就用http的源试下。

gem sources --remove https://rubygems.org/gem sources -a http://rubygems.org/gem install -V puppet -v 4.3.1

安装Rack/Passenger

注意，修改passenger-install-apache2-module的ruby路径为puppet自带ruby路径：/opt/puppetlabs/puppet/bin/ruby。

gem install -V rack passengervim /usr/bin/passenger-install-apache2-module#!/opt/puppetlabs/puppet/bin/ruby passenger-install-apache2-module

将以下代码拷贝至apache配置文件里，不同的环境配置可能不同，按照passenger-install-apache2-module的提示来。最后回车就搞定了。

   LoadModule passenger_module /opt/puppetlabs/puppet/lib/ruby/gems/2.1.0/gems/passenger-5.0.27/buildout/apache2/mod_passenger.so   <IfModule mod_passenger.c>     PassengerRoot /opt/puppetlabs/puppet/lib/ruby/gems/2.1.0/gems/passenger-5.0.27     PassengerDefaultRuby /opt/puppetlabs/puppet/bin/ruby   </IfModule>

安装Puppet Master Rack

找到config.ru文件，这个文件应该在puppet代码下面，

# locate config.ru                                     /opt/puppetlabs/puppet/lib/ruby/gems/2.1.0/gems/puppet-4.3.1/ext/rack/config.ru

然后给应用程序建目录，并把刚刚找到的config.ru文件拷贝过去，将config.ru属主权限改成puppet,

$ sudo mkdir -p /usr/share/puppet/rack/puppetmasterd$ sudo mkdir /usr/share/puppet/rack/puppetmasterd/public /usr/share/puppet/rack/puppetmasterd/tmp$ sudo cp /opt/puppetlabs/puppet/lib/ruby/gems/2.1.0/gems/puppet-4.3.1/ext/rack/config.ru /usr/share/puppet/rack/puppetmasterd/$ sudo chown puppet:puppet /usr/share/puppet/rack/puppetmasterd/config.ru

最终目录结构如下：

# tree /usr/share/puppet/usr/share/puppet└── rack    └── puppetmasterd        ├── config.ru        ├── public        └── tmp4 directories, 1 file

配置apache

在/etc/httpd/conf.d新建puppetmaster.conf文件，将下面内容拷贝进去。将SSL文件路径修改成自己的实际路径。

# You'll need to adjust the paths in the Passenger config depending on which OS# you're using, as well as the installed version of Passenger.# Debian/Ubuntu:#LoadModule passenger_module /var/lib/gems/1.8/gems/passenger-4.0.x/ext/apache2/mod_passenger.so#PassengerRoot /var/lib/gems/1.8/gems/passenger-4.0.x#PassengerRuby /usr/bin/ruby1.8# RHEL/CentOS:#LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.x/ext/apache2/mod_passenger.so#PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.x#PassengerRuby /usr/bin/ruby# And the passenger performance tuning settings:# Set this to about 1.5 times the number of CPU cores in your master:PassengerMaxPoolSize 12# Recycle master processes after they service 1000 requestsPassengerMaxRequests 1000# Stop processes if they sit idle for 10 minutesPassengerPoolIdleTime 600Listen 8140<VirtualHost *:8140>    # Make Apache hand off HTTP requests to Puppet earlier, at the cost of    # interfering with mod_proxy, mod_rewrite, etc. See note below.    PassengerHighPerformance On    SSLEngine On    # Only allow high security cryptography. Alter if needed for compatibility.    SSLProtocol ALL -SSLv2 -SSLv3    SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA    SSLHonorCipherOrder     on    SSLCertificateFile      /etc/puppetlabs/puppet/ssl/certs/puppet-server.example.com.pem    SSLCertificateKeyFile   /etc/puppetlabs/puppet/ssl/private_keys/puppet-server.example.pem    SSLCertificateChainFile /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem    SSLCACertificateFile    /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem    SSLCARevocationFile     /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem    SSLCARevocationCheck    chain    SSLVerifyClient         optional    SSLVerifyDepth          1    SSLOptions              +StdEnvVars +ExportCertData    # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none    # which effectively disables CRL checking. If you are using Apache 2.4+ you must    # specify 'SSLCARevocationCheck chain' to actually use the CRL.    # These request headers are used to pass the client certificate    # authentication information on to the Puppet master process    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public    <Directory /usr/share/puppet/rack/puppetmasterd/>      Options None      AllowOverride None      # Apply the right behavior depending on Apache version.      <IfVersion < 2.4>        Order allow,deny        Allow from all      </IfVersion>      <IfVersion >= 2.4>        Require all granted      </IfVersion>    </Directory>    ErrorLog /var/log/httpd/puppet-server.example.com_ssl_error.log    CustomLog /var/log/httpd/puppet-server.example.com_ssl_access.log combined</VirtualHost>

重启apache,到这里安装应该是完成了，到客户端执行puppet agent -t试下，结果抛出一堆错误，查看apahce错误日志，发现/bin/uname这个东西puppet没有执行权限，加上权限，再来。

message from application: Permission denied - /bin/uname (Errno::EACCES) chmod +x /bin/uname /etc/init.d/httpd restart

很不幸，依然报错，那就继续排错。花了不小力气，最后发现居然是/var/log/puppetlabs/puppetmaster这个路径没有建立导致。建好目录后，就一切ok了，最后附图一张。

---