Using Phusion Passenger with Nginx

Some operators don't like running important services in the Java Virtual Machine, for various reasons, such as its memory requirements. As of Puppet 4, alternatives to puppetserver are still available, so the requirement can be avoided.

The best way to run the master without the JVM is a web server with support for Passenger. In this context, the Puppet master runs as a Rack application. The most common setup comprises the Apache web server and mod_passenger. Setting this up is quite straightforward and documentation is plentiful. We will therefore concentrate on an attractive alternative.

Unfortunately, the Puppet 4 package cannot be made to work with Passenger easily. At the time of writing, the best way to achieve this was a manual Puppet installation from source. With Puppet 3.x, Passenger was the default for a long time, and making it work with Nginx is quite simple with the following instructions.

Note

Please note that in Puppet 4, the Rack support is already deprecated. It will likely be removed in a future release. The same holds true for the standalone master that is available through the puppet master subcommand (this mode is not covered in this book).

Nginx is a lean and fast web server that is ever increasing in popularity. It can run your Puppet master through Passenger just like Apache, so you don't need to install and run the latter. Unfortunately, the stock version of Nginx cannot run Passenger through a module. The Phusion project supplies packages for the more popular Linux distributions. The following instructions are applicable to Debian:

  1. Follow the instructions at https://www.phusionpassenger.com/documentation/Users%20guide%20Nginx.html#install_on_debian_ubuntu in order to install the appropriate Nginx packages.
  2. In the /etc/nginx/nginx.conf file, uncomment or insert the Passenger-specific statements:
    passenger_root /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini;
    passenger_ruby /usr/bin/ruby;
  3. Prepare the Rails root:
    root@puppetmaster# mkdir -p /etc/puppet/rack/{tmp,public}
    root@puppetmaster# install -o puppet -g puppet /usr/share/puppet/rack/config.ru /etc/puppet/rack
    
  4. Create a vhost for Puppet at /etc/nginx/sites-available/puppetmaster. Older versions of Passenger use passenger_set_cgi_param instead of passenger_env_var:
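    server {
            # "listen ... ssl" enables TLS on the Puppet master port
            listen 8140 ssl;
            server_name master.example.net;
            root /etc/puppet/rack/public;
    
            # The master's own certificate and private key
            ssl_certificate /var/lib/puppet/ssl/certs/master.example.net.pem;
            ssl_certificate_key /var/lib/puppet/ssl/private_keys/master.example.net.pem;
            # CA certificate and revocation list used to verify agent certificates
            ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
            ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
            # Request a client certificate, but do not require one
            ssl_verify_client optional;
            ssl_verify_depth 1;
    
            passenger_enabled on;
            # Hand the verification result and the client's subject DN to Puppet
            passenger_env_var HTTPS on;
            passenger_env_var SSL_CLIENT_S_DN $ssl_client_s_dn;
            passenger_env_var SSL_CLIENT_VERIFY $ssl_client_verify;
    }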
  5. Enable the vhost and restart Nginx:
    root@puppetmaster# ln -s ../sites-available/puppetmaster /etc/nginx/sites-enabled/puppetmaster
    root@puppetmaster# /etc/init.d/nginx restart
    

Nginx is now running the Puppet master service for you through Passenger. The configuration shown here is bare-bones, and you might wish to extend it for tuning and features.
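One way to check the vhost from step 4 before restarting Nginx, as an added example that is not part of the original text: the script confirms that the directives which verify agent certificates and pass the result on to Puppet are all present. The function names and the sample vhost are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a Puppet master vhost for client-certificate plumbing.

# One directive per line: comments stripped, multi-line directives joined.
directives() {
    sed 's/#.*//' "$1" | tr '\n\t' '  ' | tr ';{}' '\n\n\n' |
        sed -e 's/  */ /g' -e 's/^ //' -e 's/ $//'
}

# check_puppet_vhost FILE: print one line per problem; non-zero if any.
check_puppet_vhost() {
    conf=$(directives "$1")
    rc=0
    need() {  # need REGEX MESSAGE: REGEX must match one whole directive
        printf '%s\n' "$conf" | grep -Eqx "$1" || { echo "MISSING: $2"; rc=1; }
    }
    setvar='(passenger_env_var|passenger_set_cgi_param)'
    need 'ssl_client_certificate [^ ]+' 'ssl_client_certificate (CA that signed the agents)'
    need 'ssl_crl [^ ]+' 'ssl_crl (without it, revoked agent certificates still verify)'
    need 'ssl_verify_client (optional|on)' 'ssl_verify_client optional'
    need 'passenger_enabled on' 'passenger_enabled on'
    need "$setvar"' HTTPS on' 'HTTPS on passed to the Rack application'
    need "$setvar"' SSL_CLIENT_S_DN \$ssl_client_s_dn' 'SSL_CLIENT_S_DN passed to the Rack application'
    need "$setvar"' SSL_CLIENT_VERIFY \$ssl_client_verify' 'SSL_CLIENT_VERIFY passed to the Rack application'
    return $rc
}

# Constructed sample vhost; $1 is an optional extra directive.
sample_vhost() {
    cat <<EOF
server {
    ssl_client_certificate
      /var/lib/puppet/ssl/certs/ca.pem;   # directive split over two lines
    $1
    ssl_verify_client optional;
    passenger_enabled on;
    passenger_env_var HTTPS on;
    passenger_env_var SSL_CLIENT_S_DN \$ssl_client_s_dn;
    passenger_env_var SSL_CLIENT_VERIFY \$ssl_client_verify;
}
EOF
}

# Demo: the sample lacks ssl_crl, so exactly that finding is reported.
tmp=$(mktemp); sample_vhost > "$tmp"
check_puppet_vhost "$tmp" || echo "vhost needs fixing"
rm -f "$tmp"
```

The check only looks for the presence of directives; `nginx -t` is still needed to validate the syntax of the whole configuration.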

Comparing Passenger with puppetserver

Both Passenger and puppetserver have their share of complexity. This is much less visible to the user in the case of puppetserver, however. All that's needed is the software package and a Java runtime. The internals are well hidden.

The following diagram highlights the differences:

[Diagram: Comparing Passenger with puppetserver]

With puppetserver, both the web service and the Ruby runtimes share a single JVM. This allows a better overall performance, and is easier to set up. All new setups should therefore prefer puppetserver over Passenger.
