Hi all,

I'm starting to use EC2, and I'm after some examples of best practices/tips and tricks from folk with more experience of the Puppet/EC2 combo than me:

We're starting by using EC2 for testing and development purposes. This means that we won't be running our instances full-time; rather, we'll be spinning them up and down for a few hours at a time, as and when needed. I'd like the instances to call back to my local puppetmaster to configure themselves post-boot.

Now, what I'm not sure about is how to make this play nicely with puppet. If I have an AMI with puppet installed (I'm using an ubuntu base, if it matters), then as soon as I run it, I need to sign its certificate. I also need to add a new node definition to my config, since each time the AMI starts, it gets a new host name.

So, this is going to be a bit of a faff. I can think of some ways around it; specifying the certname option (which I could do via a userdata script when I boot the VM) would allow me to get around the "each boot is a new node", but I'm not so sure about the certificates. Should I pre-generate the cert and then try and push that to the node when it boots? Or enable autosigning?

Any ideas gratefully received!

Thanks

Chris

You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
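As an added illustration of the certname idea in the question above (this is example code, not something posted in the thread): a user-data bootstrap script for an Ubuntu AMI that pins the Puppet certname to the EC2 instance id, so a relaunched AMI keeps a predictable identity instead of appearing as a new node on every boot. It deliberately leaves signing on the master rather than enabling autosign. Assumed: the EC2 metadata endpoint at 169.254.169.254, the `puppet` package on Ubuntu, `/etc/puppet/puppet.conf`, the 2009-era `puppetd` command, and the placeholder names `puppet.example.com` and `ec2.example.com`.

```shell
#!/bin/sh
# Added example, not from the thread: EC2 user-data bootstrap for a Puppet client.
# Pins certname to the instance id so each boot of the AMI is the same node.
# Assumptions: EC2 metadata service, Ubuntu 'puppet' package, 2009-era puppetd CLI,
# and the placeholder names below.
set -e

PUPPET_SERVER="${PUPPET_SERVER:-puppet.example.com}"   # assumed master DNS name
CERT_DOMAIN="${CERT_DOMAIN:-ec2.example.com}"           # assumed suffix for certnames

# Fetch the instance id from the metadata service; an argument overrides it
# so the function can be exercised without being on EC2.
instance_id() {
    if [ -n "${1:-}" ]; then
        printf '%s\n' "$1"
    else
        curl -sf http://169.254.169.254/latest/meta-data/instance-id
    fi
}

# Derive a stable certname from the instance id, e.g. i-0abc1234.ec2.example.com
certname_for() {
    printf '%s.%s\n' "$1" "$CERT_DOMAIN"
}

# Render a minimal puppet.conf. There is no 'autosign' setting here on purpose:
# signing stays a decision made on the master, not something the client asks for.
render_puppet_conf() {
    _cn="$1"; _srv="$2"
    printf '[main]\ncertname = %s\nserver = %s\n' "$_cn" "$_srv"
}

bootstrap() {
    _id=$(instance_id)
    _cn=$(certname_for "$_id")
    apt-get update -q && apt-get install -qy puppet
    render_puppet_conf "$_cn" "$PUPPET_SERVER" > /etc/puppet/puppet.conf
    # Wait up to 60s between checks for the master to sign, then apply once.
    # (Puppet 2.6 and later spell this 'puppet agent'.)
    puppetd --waitforcert 60 --test
}

# Only touch the system when explicitly asked, so the file can be sourced or
# tested without side effects.
if [ "${1:-}" = "--bootstrap" ]; then
    bootstrap
fi
```

Passed as user-data with `--bootstrap`, the script installs the client, writes the config and blocks until the master has signed the request; the master-side half (deciding which requests to sign) is a separate script.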
What I do is this:

Delete the certs for hostname X from the puppetmaster.

Start the instance from the puppet master machine, passing a script (that gets run at startup). This script does the following:

- Set the hostname to X.
- Install puppet on the client (I use bare ubuntu images).
- Connect to the puppetmaster instance.

Meanwhile the script on the puppet master is waiting for the signing request from X, and as soon as it gets it, it signs it.

Hope that helps.

On Fri, Sep 11, 2009 at 8:07 AM, Chris <chrismay50@gmail.com> wrote:
> Hi all,
>
> I'm starting to use EC2, and I'm after some examples of best practices/
> tips and tricks from folk with more experience of the Puppet/EC2 combo
> than me:
>
> We're starting by using EC2 for testing and development purposes. This
> means that we won't be running our instances full-time; rather, we'll
> be spinning them up and down for a few hours at a time, as and when
> needed. I'd like the instances to call back to my local puppetmaster
> to configure themselves post-boot.
>
> Now, what I'm not sure about is how to make this play nicely with
> puppet. If I have an AMI with puppet installed (I'm using an ubuntu
> base, if it matters), then as soon as I run it, I need to sign its
> certificate. I also need to add a new node definition to my config,
> since each time the AMI starts, it gets a new host name.
>
> So, this is going to be a bit of a faff. I can think of some ways
> around it; specifying the certname option (which I could do via a
> userdata script when I boot the VM) would allow me to get around the
> "each boot is a new node", but I'm not so sure about the certificates.
> Should I pre-generate the cert and then try and push that to the node
> when it boots? Or enable autosigning?
>
> Any ideas gratefully received!
>
> Thanks
>
> Chris
> Meanwhile the script on the puppet master is waiting for the signing
> request from X, and as soon as it gets it, it signs it.
>
> Hope that helps.
>
> On Fri, Sep 11, 2009 at 8:07 AM, Chris <chrismay50@gmail.com> wrote:

Presuming your script was using wget or something similar to install the puppet client, why don't you have it download the cert too so you won't have to sign it every time?
On Sep 11, 5:07 am, Chris <chrisma...@gmail.com> wrote:
> Hi all,
>
> I'm starting to use EC2, and I'm after some examples of best practices/
> tips and tricks from folk with more experience of the Puppet/EC2 combo
> than me:
>
> We're starting by using EC2 for testing and development purposes. This
> means that we won't be running our instances full-time; rather, we'll
> be spinning them up and down for a few hours at a time, as and when
> needed. I'd like the instances to call back to my local puppetmaster
> to configure themselves post-boot.

Chris,

I did exactly this. Check out my blog post:

http://tech.mangot.com/roller/dave/entry/on_running_terracotta_on_ec2

Works great.

Cheers,

-Dave
2009/9/14 dmangot <dmangot@terracottatech.com>:
> On Sep 11, 5:07 am, Chris <chrisma...@gmail.com> wrote:
>> Hi all,
>>
>> I'm starting to use EC2, and I'm after some examples of best practices/
>> tips and tricks from folk with more experience of the Puppet/EC2 combo
>> than me:
>>
>> We're starting by using EC2 for testing and development purposes. This
>> means that we won't be running our instances full-time; rather, we'll
>> be spinning them up and down for a few hours at a time, as and when
>> needed. I'd like the instances to call back to my local puppetmaster
>> to configure themselves post-boot.
>
> Chris,
>
> I did exactly this. Check out my blog post:
>
> http://tech.mangot.com/roller/dave/entry/on_running_terracotta_on_ec2
>
> Works great.
>
> Cheers,
>
> -Dave

I went along with a slightly different route.

1) Puppetmaster in datacentre exposed with an external DNS.
2) Ruby scripts to start the EC2 instances and create a puppet nodes manifest file with the internal DNS names.
3) Another script then parses for the internal DNSs and cleans the certs on the master, along with removing any existing manifest for that node.
4) cron job script that polls the EC2 account for instances and removes ones in the nodes/ec2 directory that are no longer running.

I've recently rebuilt the AMI and changed the EC2 starting scripts to contain both a URL for the puppet client rpms and the puppet.conf data in the EC2 userdata. This way we don't need multiple AMIs for different puppetmasters or different versions of the puppet client.

Would have loved to talk more about this stuff at puppet camp, shame I'm unlikely to be able to make it.

Cheers,

Matt
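An added example (my code, not Andreas's or Matt's scripts) covering the master side of both approaches above: Andreas's "wait for the signing request and sign it" loop and Matt's node-manifest creation and cron cleanup (steps 2 to 4). The twist worth showing is that the launcher records which certnames it is about to boot, and the master signs only those, so neither autosign nor shipping a pre-generated private key through user-data (which every process on the instance can read) is needed; a request from a name the launcher never announced is left pending and logged. Assumed: the 2009-era `puppetca` CLI (`puppetca --list` printing one pending certname per line, `--sign` and `--clean` taking a certname), a `nodes/ec2` manifest directory as in Matt's layout, a class named `ec2base` to include, and the file paths below.

```shell
#!/bin/sh
# Added example, not from the thread: master-side helpers that gate signing on
# an allow-list of expected certnames instead of turning on autosign.
# Assumptions: 2009-era 'puppetca' CLI (--list prints one pending certname per
# line; --sign/--clean take a certname), a nodes/ec2 manifest directory, an
# 'ec2base' class, and the placeholder paths below.
set -e

EXPECTED="${EXPECTED:-/var/lib/puppet/ec2-expected.txt}"  # written by the launcher
PUPPETCA="${PUPPETCA:-puppetca}"                           # overridable for testing

# The launch script records each certname it is about to boot.
expect_node() {
    printf '%s\n' "$1" >> "$EXPECTED"
}

# Write a node definition for a freshly launched instance (Matt's step 2).
write_node_manifest() {
    _name="$1"; _dir="$2"
    mkdir -p "$_dir"
    printf "node '%s' {\n  include ec2base\n}\n" "$_name" > "$_dir/$_name.pp"
}

# Sign pending CSRs only if the launcher announced them; anything else stays
# pending and is logged. Each expected name is honoured once. Prints the count.
sign_expected() {
    _signed=0
    for _name in $("$PUPPETCA" --list); do
        if grep -qxF "$_name" "$EXPECTED" 2>/dev/null; then
            "$PUPPETCA" --sign "$_name"
            grep -vxF "$_name" "$EXPECTED" > "$EXPECTED.tmp" || true
            mv "$EXPECTED.tmp" "$EXPECTED"
            _signed=$((_signed + 1))
        else
            echo "unexpected CSR from $_name left pending" >&2
        fi
    done
    echo "$_signed"
}

# Block until a given node's request has been signed (Andreas's waiting loop);
# gives up after $2 polls of five seconds each.
wait_and_sign() {
    _name="$1"; _tries="${2:-60}"
    while [ "$_tries" -gt 0 ]; do
        if "$PUPPETCA" --list | grep -qxF "$_name"; then
            sign_expected > /dev/null
            "$PUPPETCA" --list | grep -qxF "$_name" || return 0
        fi
        _tries=$((_tries - 1)); sleep 5
    done
    return 1
}

# Cron job (Matt's step 4): drop manifests and certs for instances that are no
# longer running. $1 is the manifest dir, $2 a file listing running certnames.
prune_stale() {
    _dir="$1"; _running="$2"; _removed=0
    for _pp in "$_dir"/*.pp; do
        [ -e "$_pp" ] || continue
        _name=$(basename "$_pp" .pp)
        if ! grep -qxF "$_name" "$_running"; then
            rm -f "$_pp"
            "$PUPPETCA" --clean "$_name" || true
            _removed=$((_removed + 1))
        fi
    done
    echo "$_removed"
}
```

A launcher would call `expect_node` and `write_node_manifest` right before starting the instance and `wait_and_sign` right after; `prune_stale` runs from cron with the list of instances the EC2 API currently reports as running. Because a name is removed from the allow-list as soon as it is signed, a second request under the same name (for example from a later boot after `--clean`) needs the launcher to announce it again.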
Thanks to everyone who's replied so far (and please, keep the ideas coming!); it's really useful looking at all the various approaches that people are taking.

I think so far I like Tim's variation on Andreas' approach the best, though I think that if/when we have more AMIs running, Dave's puppetmaster-in-the-cloud has some compelling advantages. I look forward to trying a few of these options out in the next few weeks to see what works best for us.

Thanks again

Chris

On Sep 15, 9:35 am, Matt <mattmora...@gmail.com> wrote:
> 2009/9/14 dmangot <dman...@terracottatech.com>:
>> On Sep 11, 5:07 am, Chris <chrisma...@gmail.com> wrote:
>>> Hi all,
>>>
>>> I'm starting to use EC2, and I'm after some examples of best practices/
>>> tips and tricks from folk with more experience of the Puppet/EC2 combo
>>> than me:
>>>
>>> We're starting by using EC2 for testing and development purposes. This
>>> means that we won't be running our instances full-time; rather, we'll
>>> be spinning them up and down for a few hours at a time, as and when
>>> needed. I'd like the instances to call back to my local puppetmaster
>>> to configure themselves post-boot.
>>
>> Chris,
>>
>> I did exactly this. Check out my blog post:
>>
>> http://tech.mangot.com/roller/dave/entry/on_running_terracotta_on_ec2
>>
>> Works great.
>>
>> Cheers,
>>
>> -Dave
>
> I went along with a slightly different route.
>
> 1) Puppetmaster in datacentre exposed with an external DNS.
> 2) Ruby scripts to start the EC2 instances and create a puppet nodes
> manifest file with the internal DNS names.
> 3) Another script then parses for the internal DNSs and cleans the
> certs on the master, along with removing any existing manifest for
> that node.
> 4) cron job script that polls the EC2 account for instances and removes
> ones in the nodes/ec2 directory that are no longer running.
>
> I've recently rebuilt the AMI and changed the EC2 starting scripts to
> contain both a URL for the puppet client rpms and the puppet.conf data
> in the EC2 userdata. This way we don't need multiple AMIs for
> different puppetmasters or different versions of the puppet client.
>
> Would have loved to talk more about this stuff at puppet camp, shame
> I'm unlikely to be able to make it.
>
> Cheers,
>
> Matt
Chris wrote:
> Thanks to everyone who's replied so far (and please, keep the ideas
> coming!); it's really useful looking at all the various approaches
> that people are taking.
>
> I think so far I like Tim's variation on Andreas' approach the best,
> though I think that if/when we have more AMIs running, Dave's
> puppetmaster-in-the-cloud has some compelling advantages. I look
> forward to trying a few of these options out in the next few weeks to
> see what works best for us.

Be great to see all parties document the various approaches on the wiki. Perhaps expanding on:

http://reductivelabs.com/trac/puppet/wiki/Recipes/AmazonWebService

Regards

James Turnbull

--
Author of:
* Pro Linux Systems Administration (http://tinyurl.com/linuxadmin)
* Pulling Strings with Puppet (http://tinyurl.com/pupbook)
* Pro Nagios 2.0 (http://tinyurl.com/pronagios)
* Hardening Linux (http://tinyurl.com/hardeninglinux)