We are running a couple of Puppet Masters, version 3.7 (not PE), on AWS EC2 instances behind an Elastic Load Balancer (mainly for high availability).
Currently the load balancer's check is just a TCP connect on port 8140. But this didn't detect that one of the instances was hung (it was still accepting the initial TCP connection but not doing anything with it).
I'm looking for a way to actually send a meaningful "no-op" request to the puppet master and have it send back a result.
More specific requirements:
- It shouldn't trigger heavy processing (the checks happen every few seconds)
- It should succeed if the puppet master is able to actually handle a "real request" and fail otherwise.
- It should be possible to execute from ELB (i.e. basically it should return "200 OK" on successful HTTPS requests on a static path).
Is there a good static path I can give the health check to use? So far I haven't found any.
What you could use as a check if puppet master is working correctly is to set up some kind of API query, for example:
Of course, API access won't be available by default, meaning you will have to use the SSL certificates of a signed client to be able to access the REST API. Also, not all certificates will have all the needed permissions.
This is an example of how to do a full manifest compilation:
I don't know if it's possible to integrate certificates into ELB checks, but if it's not, maybe you can play around with REST API access controls and set up something along these lines in auth.conf:
Restart puppetmaster, and try a simple check:
This should work. Just be careful with auth.conf not to overextend yourself!
To see all the available API keys, take a look at the REST API documentation on the PuppetLabs site.
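The failure mode from the question, as an added example that is not part of the original question or answer: a TCP-connect check passes against a listener that never replies, while an HTTP request with a timeout fails. The two local stubs and the path `/placeholder-health-path` are constructed stand-ins; a real check would target port 8140 over HTTPS with whatever path auth.conf exposes.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def tcp_check(host, port, timeout=2.0):
    """What a TCP-connect check sees: success once the handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def http_check(host, port, path, timeout=2.0, context=None):
    """Healthy only on a full 200 response in time (HTTPS if an ssl.SSLContext is given)."""
    if context is not None:
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=context)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status == 200
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()

class _OkHandler(BaseHTTPRequestHandler):
    def do_GET(self):  # constructed stub: any GET returns 200
        self.send_response(200)
        self.end_headers()
    def log_message(self, *args):  # keep the demo output quiet
        pass

def start_healthy_stub():
    server = HTTPServer(("127.0.0.1", 0), _OkHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def start_hung_stub():
    """Listener that never accepts or replies; the kernel still completes the handshake."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)
    return sock

def compare(port, path="/placeholder-health-path"):  # hypothetical path
    return tcp_check("127.0.0.1", port), http_check("127.0.0.1", port, path, 1.0)

if __name__ == "__main__":
    healthy, hung = start_healthy_stub(), start_hung_stub()
    print("healthy:", compare(healthy.server_address[1]), "hung:", compare(hung.getsockname()[1]))
```

Each result is a `(tcp_check, http_check)` pair, so the hung stub shows up as passing the first check and failing the second.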