Tuesday, April 13, 2010

Configuring puppet with mongrel and apache load balancer

We've been using EC2 quite a bit for running services that need machines to be spawned on a daily basis. This kind of setup is a real pain if it is all handled manually. Our backend engineers were smart to design an automated setup using a custom AMI that configures itself using shell scripts. However, this meant that upgrading to new versions would be a PITA. The idea of using puppet seemed really useful in such situations, and I decided to install a puppetmaster on EC2.

Following are the steps I followed to configure puppetmaster with mongrel running behind an Apache load balancer (I was using a plain vanilla CentOS 5.4 AMI):


  1. Install puppet-server by following the steps described at http://ifireball.wordpress.com/docs/howto-install-puppet-on-centos-50/

  2. Edit /etc/sysconfig/puppet and add the following statement to the end of the file:
    PUPPETMASTER_PORTS=( 18140 18141 18142 18143 )

  3. Install mongrel: yum install rubygem-mongrel

  4. Install Apache and mod_ssl: yum install httpd && yum install mod_ssl

  5. Create a file /etc/httpd/conf.d/puppet.conf with the following content:


    Listen 8140

    # Pool of local mongrel workers, one per port in PUPPETMASTER_PORTS
    <Proxy balancer://puppetmaster>
        BalancerMember http://127.0.0.1:18140
        BalancerMember http://127.0.0.1:18141
        BalancerMember http://127.0.0.1:18142
        BalancerMember http://127.0.0.1:18143
    </Proxy>

    # Address part assumed; the port matches the Listen directive above
    <VirtualHost *:8140>
        SSLEngine On
        SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
        SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.compute-1.internal.pem
        SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.compute-1.internal.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
        # Client certificates are checked against the puppet CA but not required
        SSLVerifyClient optional
        SSLVerifyDepth 1
        SSLOptions +StdEnvVars

        # Pass the client's certificate subject and verification result to the workers
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

        # Location path not preserved in the post; "/" assumed
        <Location />
            SetHandler balancer-manager
            Order allow,deny
            Allow from all
        </Location>

        ProxyPass / balancer://puppetmaster/
        ProxyPassReverse / balancer://puppetmaster/
        ProxyPreserveHost On

        ErrorLog /var/log/httpd/balancer_error_log
        CustomLog /var/log/httpd/balancer_access_log combined
        CustomLog /var/log/httpd/balancer_ssl_requests "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    </VirtualHost>

  6. Edit /etc/init.d/puppetmaster:

    #!/bin/bash
    # puppetmaster This shell script enables the puppetmaster server.
    #
    # Author: Duane Griffin
    #
    # chkconfig: - 65 45
    #
    # description: Server for the puppet system management tool.
    # processname: puppetmaster

    PATH=/usr/bin:/sbin:/bin:/usr/sbin
    export PATH

    lockfile=/var/lock/subsys/puppetmaster

    # Source function library.
    . /etc/rc.d/init.d/functions

    if [ -f /etc/sysconfig/puppetmaster ]; then
        . /etc/sysconfig/puppetmaster
    fi

    PUPPETMASTER_OPTS=""
    [ -n "$PUPPETMASTER_MANIFEST" ] && PUPPETMASTER_OPTS="--manifest=${PUPPETMASTER_MANIFEST}"
    # Several ports: run mongrel workers behind the balancer.
    # A single port: run one puppetmaster on that port.
    if [ -n "$PUPPETMASTER_PORTS" ] && [ ${#PUPPETMASTER_PORTS[@]} -gt 1 ]; then
        PUPPETMASTER_OPTS="$PUPPETMASTER_OPTS --servertype=mongrel"
    elif [ -n "$PUPPETMASTER_PORTS" ] && [ ${#PUPPETMASTER_PORTS[@]} -eq 1 ]; then
        PUPPETMASTER_OPTS="${PUPPETMASTER_OPTS} --masterport=${PUPPETMASTER_PORTS[0]}"
    fi

    [ -n "$PUPPETMASTER_LOG" ] && PUPPETMASTER_OPTS="${PUPPETMASTER_OPTS} --logdest=${PUPPETMASTER_LOG}"
    PUPPETMASTER_OPTS="${PUPPETMASTER_OPTS} \
    ${PUPPETMASTER_EXTRA_OPTS}"

    RETVAL=0

    prog=puppetmasterd
    PUPPETMASTER=/usr/sbin/$prog

    start() {
        echo -n $"Starting puppetmaster: "

        # Confirm the manifest exists
        if [ -r $PUPPETMASTER_MANIFEST ]; then
            if [ -n "$PUPPETMASTER_PORTS" ]; then
                for ((i=0; i<4; masterport="${PUPPETMASTER_PORTS[$i]}" pidfile="/var/run/puppet/puppetmaster.${PUPPETMASTER_PORTS[$i]}.pid" ret="$?;" retval="$ret" retval="$?" i="0;" ret="$?;" retval="$ret" retval="$?" i="0;" ret="$?;" retval="$ret" retval="$?">
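
The mongrel workers behind Apache take the client's identity from the X-Client-DN and X-Client-Verify headers, so the files from steps 2 and 5 have to agree and the workers must only be reachable through the proxy. The following shell check is an added example, not part of the original post: it verifies that every BalancerMember is a loopback worker whose port appears in PUPPETMASTER_PORTS and that both headers are written with RequestHeader set. The function names are hypothetical, and the parsing assumes directives written with the capitalisation used above.

```shell
#!/bin/sh
# Added example (not from the original post): audit the mongrel/Apache trust boundary.
# Assumes directives use the capitalisation shown in the post; names are hypothetical.

# Ports listed in PUPPETMASTER_PORTS=( ... ), one per line, sorted.
# The file is parsed as text, not sourced, so nothing in it is executed.
sysconfig_ports() {
    sed -n 's/^[[:space:]]*PUPPETMASTER_PORTS=(\(.*\)).*/\1/p' "$1" |
        tr -s ' \t' '\n\n' | grep -E '^[0-9]+$' | sort -n
}

# Backend URLs of all BalancerMember lines, one per line.
balancer_members() {
    sed -n 's/^[[:space:]]*BalancerMember[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1"
}

# Usage: check_puppet_balancer SYSCONFIG_FILE APACHE_CONF
check_puppet_balancer() {
    sysconfig=$1 conf=$2 rc=0

    # 1. Workers must only be reachable through Apache, so every member is loopback.
    for url in $(balancer_members "$conf"); do
        case $url in
            http://127.0.0.1:*) ;;
            *) echo "FAIL: worker not on loopback: $url"; rc=1 ;;
        esac
    done

    # 2. Every port the init script starts must be in the pool, and vice versa.
    want=$(sysconfig_ports "$sysconfig")
    have=$(balancer_members "$conf" | sed 's|.*:||; s|/.*||' | sort -n)
    if [ "$want" != "$have" ]; then
        echo "FAIL: PUPPETMASTER_PORTS and BalancerMember ports differ"; rc=1
    fi

    # 3. The identity headers must be written with "RequestHeader set", which
    #    replaces any value sent by the client ("add"/"append" would keep it).
    for hdr in X-Client-DN X-Client-Verify; do
        if ! grep -Eq "^[[:space:]]*RequestHeader[[:space:]]+set[[:space:]]+$hdr[[:space:]]" "$conf"; then
            echo "FAIL: $hdr is not overwritten with RequestHeader set"; rc=1
        fi
    done

    [ "$rc" -eq 0 ] && echo "OK: balancer pool and client-identity headers are consistent"
    return "$rc"
}

# Run against real files when two paths are given on the command line.
if [ "$#" -eq 2 ]; then check_puppet_balancer "$1" "$2"; fi
```
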



