Debugging Puppetmaster with Apache/Rack/Passenger

Christian Flamm

unread,

Jul 23, 2013, 4:14:54 AM7/23/13

to puppet...@googlegroups.com

Hi,

I'm currently trying to debug a performance issue I'm having. Therefore I would need "DEBUG" output. When using one puppetmaster process, this is fairly easy by starting it like this:

> puppet master --no-daemonize --debug

Now I need to see this debug output when running puppetmaster the way I ususally do - using Apache/Rack/Passenger. After looking around a bit in the vhost config file

> cat /etc/httpd/conf.d/puppetmaster.conf

LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.10/buildout/apache2/mod_passenger.so

PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.10

PassengerDefaultRuby /usr/bin/ruby

# TODO evaluate benefit of ThrottleRate

PassengerStatThrottleRate 120

PassengerHighPerformance On

PassengerMaxPoolSize 12

PassengerMaxRequests 1000

PassengerPoolIdleTime 600

Listen 8140

SSLEngine On

# Only allow high security cryptography. Alter if needed for compatibility.

SSLProtocol All -SSLv2

SSLCipherSuite HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP

SSLCertificateFile /var/lib/puppet/ssl/certs/<puppetmaster>.pem

SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/<puppetmaster>.pem

SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem

SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem

SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem

SSLVerifyClient optional

SSLVerifyDepth 1

SSLOptions +StdEnvVars +ExportCertData

# These request headers are used to pass the client certificate

# authentication information on to the puppet master process

RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e

RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e

RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/

Options None

AllowOverride None

Order Allow,Deny

Allow from All

</Directory>

</VirtualHost>

I had a look at "/usr/share/puppet/rack/puppetmasterd/config.ru" which contains this:

[snippet]

# if you want debugging:

# ARGV << "--debug"

... so I enabled it. But this actually only gives me extra lines I believe belong to "INFO" log level:

Jul 22 17:17:47 <puppetmaster> puppet-master[22132]: (access[^/catalog/([^/]+)$]) allowing 'method' find Jul 22 17:17:47 <puppetmaster> puppet-master[22132]: (access[^/catalog/([^/]+)$]) allowing $1 access Jul 22 17:17:47 <puppetmaster> puppet-master[22132]: (access[^/node/([^/]+)$]) allowing 'method' find Jul 22 17:17:47 <puppetmaster> puppet-master[22132]: (access[^/node/([^/]+)$]) allowing $1 access Jul 22 17:17:47 <puppetmaster> puppet-master[22132]: (access[/certificate_revocation_list/ca]) allowing 'method' find Jul 22 17:17:47 <puppetmaster> puppet-master[22132]: (access[/certificate_revocation_list/ca]) allowing * access Jul 22 17:17:47 <puppetmaster> puppet-master[22132]: (access[/report]) allowing 'method' save Jul 22 17:17:47 <puppetmaster> puppet-master[22132]: (access[/report]) allowing * access Jul 22 17:17:47 <puppetmaster> puppet-master[22132]: (access[/file]) allowing * access Jul 22 17:17:47 <puppetmaster> puppet-master[22132]: (access[/certificate/ca]) adding authentication any Jul 22 17:17:47 <puppetmaster> puppet-master[22132]: (access[/certificate/ca]) allowing 'method' find Jul 22 17:17:47 <puppetmaster> puppet-master[22132]: (access[/certificate/ca]) allowing * access Jul 22 17:17:47 <puppetmaster> puppet-master[22132]: (access[/certificate/]) adding authentication any Jul 22 17:17:47 <puppetmaster> puppet-master[22132]: (access[/certificate/]) allowing 'method' find Jul 22 17:17:47 <puppetmaster> puppet-master[22132]: (access[/certificate/]) allowing * access Jul 22 17:17:47 <puppetmaster> puppet-master[22132]: (access[/certificate_request]) adding authentication any Jul 22 17:17:47 <puppetmaster> puppet-master[22132]: (access[/certificate_request]) allowing 'method' find Jul 22 17:17:47 <puppetmaster> puppet-master[22132]: (access[/certificate_request]) allowing 'method' save Jul 22 17:17:47 <puppetmaster> puppet-master[22132]: (access[/certificate_request]) allowing * access Jul 22 17:17:47 <puppetmaster> puppet-master[22132]: (access[/]) adding authentication any Jul 22 17:17:47 <puppetmaster> puppet-master[22132]: Inserting default '~ ^/report/([^/]+)$' (auth true) ACL Jul 22 17:17:47 <puppetmaster> puppet-master[22132]: Inserting default '/status' (auth true) ACL

All the "DEBUG" lines I'm used to (e.g. "Debug: PROFILE...") are missing - but they are there using "puppet master --no-daemonize --debug".

What am I doing wrong? Thanks in advance.

Keith Burdis

unread,

Jul 24, 2013, 3:42:14 AM7/24/13

to puppet-users

I believe the --debug in config.ru sends output to syslog so either look in /var/log/messages (or similar) or specify a log destination filename like:

ARGV << "--logdest" << "/var/log/puppet/puppet-master.log"

- Keith

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To post to this group, send email to puppet...@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Christian Flamm

unread,

Jul 24, 2013, 3:59:40 AM7/24/13

to puppet...@googlegroups.com

Did what you posted.

Strange thing happened: nothing appears in the specified logdest. Instead: the (wanted) debug output it now sent to apache's error log!

I have no idea what's going on - but at least I have the output I was looking for :-/

Thanks,

Christian

Christian Flamm

unread,

Jul 24, 2013, 7:31:52 AM7/24/13

to puppet...@googlegroups.com

Debug output is sent to Apache error log, because of missing permissions to write to the defined logdest.

So - bottom line - thanks for your reply, "--logdest" is necessary. Without it debug output is (per default) not sent to /var/log/messages.

Reply all

Reply to author

Forward