How should I run/start puppetmaster using Apache/Passenger??


Sans

Jun 11, 2012, 6:50:04 AM
to puppet...@googlegroups.com
Dear all,

I'm still trying to understand how this Apache/Passenger thing works.

Running Puppet v2.7.14 on CentOS 6 and also using Apache/Passenger instead of WEBrick. I was told that puppetmaster service is not required to be running (hence: chkconfig off puppetmaster) when using httpd and passenger, but in my case, if I don't start puppetmasterd manually, none of the agents can connect to the master. I can start httpd just fine and passenger seems to start okay as well. This is my apache configuration file:

# /etc/httpd/conf.d/passenger.conf 
LoadModule passenger_module modules/mod_passenger.so

<IfModule mod_passenger.c>
    PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-3.0.12
    PassengerRuby /usr/bin/ruby
    #PassengerTempDir /var/run/rubygem-passenger

    PassengerHighPerformance on
    PassengerUseGlobalQueue on
    PassengerMaxPoolSize 15
    PassengerPoolIdleTime 150
    PassengerMaxRequests 10000
    PassengerStatThrottleRate 120
    RackAutoDetect Off
    RailsAutoDetect Off
</IfModule>


Upon restart, I see these in the httpd_error log:

[Sat Jun 09 04:06:47 2012] [notice] caught SIGTERM, shutting down
[Sat Jun 09 09:06:51 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Jun 09 09:06:51 2012] [notice] Digest: generating secret for digest authentication ...
[Sat Jun 09 09:06:51 2012] [notice] Digest: done
[Sat Jun 09 09:06:51 2012] [notice] Apache/2.2.15 (Unix) DAV/2 Phusion_Passenger/3.0.12 mod_ssl/2.2.15 OpenSSL/1.0.0-fips configured -- resuming normal operations


And passenger-status prints this info on the screen:

----------- General information -----------
max      = 15
count    = 0
active   = 0
inactive = 0
Waiting on global queue: 0

----------- Application groups -----------


But still, as I said, none of my agents can actually talk to the master until I start *puppetmasterd* manually. Does anyone know what I am still missing? Or, is this the way it's supposed to be? Cheers!!

Denmat

Jun 11, 2012, 7:15:40 AM
to puppet...@googlegroups.com
Hi,

Do you actually have an apache vhost configured for the puppet master?

The doco here is pretty clear on what is needed:

Have a look at the file here for an example of what the vhost should look like:

Also, for emphasis, you need to make sure your config.ru is owned by puppet (trips a few people up).

Cheers,
Den

Jeff McCune

Jun 11, 2012, 1:26:44 PM
to puppet...@googlegroups.com
On Mon, Jun 11, 2012 at 4:15 AM, Denmat <tu2b...@gmail.com> wrote:
> Hi,
>
> Do you actually have an apache vhost configured for the puppet master?

Yeah, could you paste the apache configuration that's setting up the
virtual host (vhost) and opening the socket on port 8140?

Something like this (This is the Puppet Enterprise vhost configuration).

Listen 8140
<VirtualHost *:8140>
SSLEngine on
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCertificateFile /etc/puppetlabs/puppet/ssl/certs/lab-puppet.dc1.puppetlabs.net.pem
SSLCertificateKeyFile /etc/puppetlabs/puppet/ssl/private_keys/lab-puppet.dc1.puppetlabs.net.pem
SSLCertificateChainFile /etc/puppetlabs/puppet/ssl/certs/ca.pem
SSLCACertificateFile /etc/puppetlabs/puppet/ssl/certs/ca.pem

SSLCARevocationFile /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem

SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars

RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

RackAutoDetect On
DocumentRoot /var/opt/lib/pe-puppetmaster/public/
<Directory /var/opt/lib/pe-puppetmaster/>
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>

Sans

Jun 11, 2012, 4:49:30 PM
to puppet...@googlegroups.com
Hi Den, Jeff,
Sorry for my late reply.

Yes, I do have puppetmaster-vost.conf and I've separated the passenger config file. So, this is what I have:

 
# /etc/httpd/conf.d/puppetmaster.conf
 
Listen 8086

<VirtualHost sdas.dnsdynamic.com:8086>
    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1

    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

    SSLCertificateFile      /var/lib/puppet/ssl/certs/sdas.dnsdynamic.com.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/sdas.dnsdynamic.com.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem

    # If Apache complains about invalid signatures on the CRL, you can try disabling
    # CRL checking by commenting the next line, but this is not recommended.
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem

    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars

    DocumentRoot /etc/puppet/rack/public
    RackBaseURI /
    <Directory "/etc/puppet/rack/public">

        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    LogLevel warn
    ErrorLog /var/log/httpd/puppetm_error.log
    CustomLog /var/log/httpd/puppetm_access.log combined

</VirtualHost> 


# /etc/httpd/conf.d/passenger.conf
LoadModule passenger_module modules/mod_passenger.so

<IfModule mod_passenger.c>
    PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-3.0.12
    PassengerRuby /usr/bin/ruby
    #PassengerTempDir /var/run/rubygem-passenger

    PassengerHighPerformance on
    PassengerUseGlobalQueue on
    PassengerMaxPoolSize 15
    PassengerPoolIdleTime 150
    PassengerMaxRequests 10000
    PassengerStatThrottleRate 120
    RackAutoDetect on
    RailsAutoDetect on
</IfModule>


The only difference, what I can see, with Jeff is that I'm running Puppet on port 8086. This port is also allowed in the iptables. Anything else should I check?

Cheers,
San

Jo Rhett

Jun 11, 2012, 5:12:34 PM
to puppet...@googlegroups.com
On Jun 11, 2012, at 1:49 PM, Sans wrote:
> Yes, I do have puppetmaster-vost.conf and I've separated the passenger config file. So, this is what I have:
> (snip)
>
> The only difference, what I can see, with Jeff is that I'm running Puppet on port 8086. This port is also allowed in the iptables. Anything else should I check?

Are the puppet clients configured to talk to the puppet master on port 8086?

You need to either reconfigure all of your clients for the alternate port, or reconfigure passenger to use the expected port.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.



Jeff McCune

Jun 11, 2012, 5:14:59 PM
to puppet...@googlegroups.com
On Mon, Jun 11, 2012 at 1:49 PM, Sans <r.sant...@gmail.com> wrote:
> Hi Den, jeff,
> Sorry for my late reply.
>
> Yes, I do have puppetmaster-vost.conf and I've separated the passenger
> config file. So, this is what I have:

I'd try and enable more debugging information. It seems to me Puppet
is refusing to start for some reason and passenger doesn't know what
to do with a process that is dying underneath it.

In config.ru you can pass the --debug and --trace options to the
puppet master startup process. These should then show up in the HTTP
response from passenger or the httpd_error log.

Could you also paste the config.ru file you're using?

-Jeff

Sans

Jun 12, 2012, 4:32:44 AM
to puppet...@googlegroups.com
Hi Jeff,

Here is my config.ru (after adding the debug option):

## cat /etc/puppet/rack/config.ru  
# a config.ru, for use with every rack-compatible webserver.
# SSL needs to be handled outside this, though.

# if puppet is not in your RUBYLIB:
# $:.unshift('/opt/puppet/lib')

$0 = "master"

# if you want debugging:
ARGV << "--debug"
# ARGV << "--trace"
ARGV << "--rack"
require 'puppet/application/master'
# we're usually running inside a Rack::Builder.new {} block,
# therefore we need to call run *here*.
run Puppet::Application[:master].run


Anything unusual you see in there?

-San

Sans

Jun 12, 2012, 4:40:57 AM
to puppet...@googlegroups.com
Hi Jo,

Does it really matter? For me it's working with either of these ports - 8140 or 8086. Not really sure about it but just noticed that. Cheers!!

denmat

Jun 12, 2012, 5:04:24 AM
to puppet...@googlegroups.com
Hi San,

Do you still have your httpd puppet master vhost listening on the non standard port? That is fine, as long as you configure your clients like has been mentioned before. Puppet clients will try to reach port 8140 unless you specify otherwise. 

In your config.ru you can see how passenger calls the puppet master application:
# therefore we need to call run *here*.
run Puppet::Application[:master].run
You don't need to have the webrick puppet master running at all. The config.ru which is read by apache/passenger handles the launching of the puppet master application. You should make sure you are not running the master as a webrick server. 

But it's not going to work unless you have your clients hitting the port you have configured your puppet master vhost in apache (whichever port you choose to run it on) - they should be the same.

Cheers,
Den 

Sans

Jun 12, 2012, 9:01:02 AM
to puppet...@googlegroups.com

Hi Den,

> Hi San,
>
> Do you still have your httpd puppet master vhost listening on the non standard port? That is fine, as long as you configure your clients like has been mentioned before. Puppet clients will try to reach port 8140 unless you specify otherwise.

Although I've configured agents to listen to the same port as the master, I have a question though: So, it's not possible to start puppetmaster at all, when no agent is installed?

> In your config.ru you can see how passenger calls the puppet master application:
> # therefore we need to call run *here*.
> run Puppet::Application[:master].run
> You don't need to have the webrick puppet master running at all. The config.ru which is read by apache/passenger handles the launching of the puppet master application. You should make sure you are not running the master as a webrick server.

I stopped puppetmaster from starting from init.d script and took it off chkconfig - I think it's enough to make sure puppet is not using WEBrick. Anything else?

Another Q: If I get puppetmaster started correctly from apache/passenger, should I see puppetmaster process running on the server?

> But it's not going to work unless you have your clients hitting the port you have configured your puppet master vhost in apache (whichever port you choose to run it on) - they should be the same.

Well, that's why I asked my first question: what if I don't have any client configured yet - can't I start my Puppet master at all? In this case, no puppet agent is hitting any port at all, yet.

Cheers,
Santanu


jcbollinger

Jun 12, 2012, 9:22:10 AM
to Puppet Users


On Jun 12, 3:40 am, Sans <r.santanu....@gmail.com> wrote:
> Does it really matter? For me it's working with either of these ports -
> 8140 or 8086. Not really sure about it but just noticed that. Cheers!!
[...]
> On Monday, June 11, 2012 10:12:34 PM UTC+1, Jo wrote:
>
> > Are the puppet clients configured to talk to the puppet master on port
> > 8086?
>
> > You need to either reconfigure all of your clients for the alternate port,
> > or reconfigure passenger to use the expected port.


Of course it matters. If clients are trying to contact the master on
port 8140 while the apache vhost is listening on port 8086 instead,
then the client connections will fail. If you then *also* start the
puppetmaster service standalone, listening on port 8140, then the
clients will be able to connect, but they will be going through
webrick to your standalone puppetmaster instead of to the passenger-
hosted master.


John
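
The port mismatch described above can be checked from the two config files involved. This is an added example, not code from the thread: the file names and sample contents are constructed, and it assumes the agent port comes from Puppet's `masterport` setting (default 8140).

```shell
#!/bin/sh
# Added example: does the Apache/Passenger vhost listen on the port agents use?

# Print the port from the first "Listen" directive (handles "IP:port" forms).
vhost_port() {
    awk 'tolower($1) == "listen" { n = split($2, a, ":"); print a[n]; exit }' "$1"
}

# Print masterport from a puppet.conf, or 8140 (Puppet's default) when unset.
agent_port() {
    p=$(sed -n 's/^[[:space:]]*masterport[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    echo "${p:-8140}"
}

# Return 0 when both sides agree, 1 on a mismatch; explain either way.
check_ports() {
    v=$(vhost_port "$1")
    a=$(agent_port "$2")
    if [ "$v" = "$a" ]; then
        echo "OK: vhost and agents both use port $v"
        return 0
    fi
    echo "MISMATCH: vhost listens on $v, agents connect to $a"
    echo "  agents only reach a master if something else (e.g. standalone puppetmasterd) listens on $a"
    return 1
}

# Constructed sample files mirroring the thread: vhost on 8086, agent port unset.
demo() {
    d=$(mktemp -d)
    printf 'Listen 8086\n<VirtualHost *:8086>\n</VirtualHost>\n' > "$d/puppetmaster.conf"
    printf '[main]\nlogdir = /var/log/puppet\n' > "$d/puppet.conf"
    check_ports "$d/puppetmaster.conf" "$d/puppet.conf" || true
    printf '[agent]\nmasterport = 8086\n' >> "$d/puppet.conf"   # the fix on the agent side
    check_ports "$d/puppetmaster.conf" "$d/puppet.conf" || true
    rm -rf "$d"
}
demo
```
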

Jo Rhett

Jun 12, 2012, 3:39:54 PM
to puppet...@googlegroups.com
Well you are telling me that if you don't run the puppetmaster service (which runs on 8140) then your clients can't connect.  That's because the clients are trying to connect on 8140 but your passenger instance is running on 8086.


Sans

Jun 12, 2012, 3:51:27 PM
to puppet...@googlegroups.com
Sorry Jo! I kinda misunderstood a couple of things and you are right - that's exactly what was happening.

Den, Jeff and others,
It seems like I've made a bit of progress in this regard - now, if I run puppet agent -t on the agent, it prints a lot of things in html format. Any idea, what I've got myself into now? Cheers!!



Sans

Jun 13, 2012, 9:25:19 AM
to puppet...@googlegroups.com
It's working now; the problem was definitely with the port setting.
Thanks to all of you for your help.

cheers,
San