Using Mongrel On Enterprise Linux
Version 5 (Tim Edwards, 11/12/2010 02:08 pm)
# Mongrel and Apache on Enterprise Linux

This is a sample configuration process to configure the Puppet Master to use Mongrel behind an Apache Proxy Balancer on Enterprise Linux, i.e. Red Hat, CentOS or Oracle. This has been tested on CentOS 5 and Oracle Enterprise Linux 5, but should also work for EL4 distributions.

## Prerequisites

Enable and configure the appropriate Yum repositories. Puppet and Facter can be found in the [EPEL](https://fedoraproject.org/wiki/EPEL) repository. You should follow the instructions on that site to enable EPEL prior to starting this process. You should also ensure that your chosen package manager (up2date or yum) is configured correctly.

*In this example I use **puppet.server.fqdn** to represent the fully qualified domain name of your Puppet Master. You should be sure to use your own fully qualified domain name instead of my example. This should be set in **/etc/hosts** and **/etc/sysconfig/network** before you start. Ensure that the **/etc/hosts** entry points to your proper IP address and is not set to 127.0.0.1.*

Sample **/etc/hosts**:

    # Do not remove the following line, or various programs
    # that require network functionality will fail.
    127.0.0.1 localhost.localdomain localhost
    192.168.0.1 puppet.server.fqdn puppet

Note that Puppet clients try to connect to a server called "puppet" unless otherwise configured. You should add a DNS CNAME of "puppet" for your Puppet Master and ensure that the **/etc/resolv.conf** contains an appropriate *search* line so that your clients can successfully resolve the "puppet" alias. Both the fully qualified domain name *and* the "puppet" alias should be resolvable.

## Puppet Master RPM Installation

To install the Puppet Master, run the following as root:

    # yum install subversion puppet-server rubygem-mongrel

*(You may need to use **up2date** instead of **yum** if you are running Red Hat Enterprise Linux 4 or Oracle Enterprise Linux).*

This will install all the necessary RPMs.

## Puppet Master Configuration

Either use the [[Simplest Puppet Install Recipe]] to get started or copy your existing manifests to **/etc/puppet**. At the very least, you should have a **site.pp** file in **/etc/puppet/manifests/** so that the Puppet Master can start successfully.

Next, start the Puppet Master once to create local certificates:

    # service puppetmaster start
    # service puppetmaster stop

This first run is required to create the following certificates:

    ./ssl/private_keys/puppet.server.fqdn.pem
    ./ssl/public_keys/puppet.server.fqdn.pem
    ./ssl/ca/signed/puppet.server.fqdn.pem
    ./ssl/certs/puppet.server.fqdn.pem

If *./ssl/certs/puppet.server.fqdn.pem* does not exist, type:

    # puppetca --generate puppet.server.fqdn

These certificates are used for the Apache Proxy configuration and must exist before you continue. You can verify that Puppet has successfully created these certificates by issuing the command:

    # puppetca --list --all

This should list the Puppet Master as a signed certificate. Once this has been verified, edit **/etc/sysconfig/puppetmaster** to enable the Mongrel-based webserver by uncommenting the following line:

    PUPPETMASTER_PORTS=( 18140 18141 18142 18143 )

This will configure the Puppet Master to start using the Mongrel webserver on all four specified ports. You can verify this by issuing:

    # service puppetmaster start

The startup sequence should show all four ports starting up successfully. If this is true, then set the service to start automatically on boot:

    # chkconfig puppetmaster on

## Apache Proxy Configuration

Apache is used to provide an SSL proxy from the Puppet clients to the four Mongrel-based Puppet Master servers. First, ensure that Apache is installed with SSL support:

    # yum install httpd mod_ssl

*(Again, you may need to use **up2date** instead of **yum** in certain circumstances).*

You can now create the following configuration file at **/etc/httpd/conf.d/puppet.conf**:

    Listen 8140

    <Proxy balancer://puppetmaster>
        BalancerMember http://127.0.0.1:18140
        BalancerMember http://127.0.0.1:18141
        BalancerMember http://127.0.0.1:18142
        BalancerMember http://127.0.0.1:18143
    </Proxy>

    <VirtualHost *:8140>
        SSLEngine On
        SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
        SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.server.fqdn.pem
        SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.server.fqdn.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLOptions +StdEnvVars

        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

        <Location />
            SetHandler balancer-manager
            Order allow,deny
            Allow from all
        </Location>

        ProxyPass / balancer://puppetmaster/
        ProxyPassReverse / balancer://puppetmaster/
        ProxyPreserveHost On

        ErrorLog /var/log/httpd/balancer_error_log
        CustomLog /var/log/httpd/balancer_access_log combined
        CustomLog /var/log/httpd/balancer_ssl_requests "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    </VirtualHost>

Note that I reference **puppet.server.fqdn** in the configuration file. This should be changed to your proper Puppet Master fully qualified domain name.

You can now test the Apache configuration:

    # service httpd configtest

If you get a “Syntax OK” message, start Apache and configure it to automatically start on boot:

    # service httpd start
    # chkconfig httpd on

You may see an error like this when starting httpd:

    Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:8140
    (13)Permission denied: make_sock: could not bind to address 0.0.0.0:8140
    no listening sockets available, shutting down
    Unable to open logs
    [FAILED]

This may be caused by SELinux restrictions. You can fix it with semanage:

    semanage port -a -t http_port_t -p tcp 8140
    service httpd start

Configuration of the Puppet Master is now complete! Your Puppet clients will connect to Apache on port 8140 and Apache will balance those requests across the four Puppet Master Mongrel instances.

# Client certificate verification

With the Apache option:

    SSLVerifyClient optional|require

you control how Apache will check the client certificate. You can either set the different certificate request paths to not require verification, or disable verification altogether (unless you have another CA server or another way of distributing the certificates). So:

* By enabling **require**, you basically say that the client is already supposed to have a certificate that Apache can verify. If the certificate is not signed by the puppetmaster, the client will get the error:

        err: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 alert handshake failure

* **optional** will simulate the behaviour of a default standalone puppetmaster (without Apache).
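As an added example (not part of this wiki page and not Puppet's own code), the following Python sketches the trust decision a backend behind this proxy has to make from the `X-Client-DN` and `X-Client-Verify` headers that the Apache configuration above sets, under both `SSLVerifyClient` modes. The loopback-only peer check and the certificate bootstrap path pattern (assumed to follow the `/<environment>/certificate.../<name>` layout of the Puppet REST API) are assumptions of the example.

```python
import re

# Header names exactly as set by the Apache proxy configuration on this page:
#   RequestHeader set X-Client-DN     %{SSL_CLIENT_S_DN}e
#   RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
DN_HEADER = "X-Client-DN"
VERIFY_HEADER = "X-Client-Verify"

# Assumption: the only requests an agent without a signed certificate needs
# are the certificate bootstrap calls of the Puppet REST API, i.e.
# /<environment>/certificate/<name>, /<environment>/certificate_request/<name>
# and /<environment>/certificate_revocation_list/ca.
CERT_BOOTSTRAP_RE = re.compile(r"^/[^/]+/certificate(?:_request|_revocation_list)?/")

# Apache is the only legitimate client of the Mongrel backends in this setup
# (BalancerMember http://127.0.0.1:1814x); any other peer could forge headers.
PROXY_PEER = "127.0.0.1"


def parse_dn(dn):
    """Parse an OpenSSL-style DN ('/CN=a/O=b' or 'CN=a,O=b') into a dict.
    Values containing '/' or ',' are not handled; SSL_CLIENT_S_DN for a
    Puppet agent certificate is simply '/CN=<agent fqdn>'."""
    attrs = {}
    for part in re.split(r"[/,]", dn.strip()):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().upper()] = value.strip()
    return attrs


def classify(peer_ip, path, headers):
    """Decide what a request arriving at a Mongrel backend is entitled to.
    Returns ('allow', <agent CN>) for a verified client certificate,
    ('allow', None) for an unauthenticated certificate bootstrap request
    (only possible with SSLVerifyClient optional) and ('deny', None) otherwise."""
    if peer_ip != PROXY_PEER:
        # Did not come through Apache, so the X-Client-* headers are untrusted.
        return ("deny", None)
    verify = headers.get(VERIFY_HEADER, "NONE")
    if verify == "SUCCESS":
        cn = parse_dn(headers.get(DN_HEADER, "")).get("CN")
        return ("allow", cn) if cn else ("deny", None)
    if verify == "NONE" and CERT_BOOTSTRAP_RE.match(path):
        # No certificate presented: with 'require' Apache would already have
        # rejected the handshake; with 'optional' only bootstrap is permitted.
        return ("allow", None)
    # FAILED:<reason> (e.g. a certificate listed in ca_crl.pem) or anything else.
    return ("deny", None)
```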