Harihara Vinayakaram
2010-Jul-14 14:15 UTC
[Puppet Users] Puppet DDNS and Preseed -- Any easier alternative
Hi

I have a set up that runs puppetmasterd, DDNS, DHCP etc. on one server. I have managed to PXE boot Ubuntu 10.04 clients and set up puppet clients. The ultimate goal is to run Hadoop on the nodes. I have some observations on the process and I am wondering if there is any easier way to do it. I am running this on 50 physical nodes.

1. Puppet clients work only if the DNS (both forward and reverse) works. For DDNS to work (at least on Ubuntu clients) secure DDNS is the only way. This needs a dhclient-exit-hook per machine and also a send fqdn.fqdn from each machine's dhclient.conf.

To solve this my preseed.cfg contains a late-command which transfers a script to the client machine which does a series of wget and some sed manipulations. Looking from the outside it does look a bit complicated and I see a maintenance problem. Is there an easier way to do this?

Regards
Hari

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Ohad Levy
2010-Jul-14 14:23 UTC
Re: [Puppet Users] Puppet DDNS and Preseed -- Any easier alternative
Are those clients which roam across subnets? (Just to be sure why you are using DDNS.)

You might consider using the certname option in puppet.conf to avoid the certificate name and fqdn fact.

If you don't need it, and you are OK with pre-defining the hostname values, you might look at Foreman as an alternative (http://theforeman.org).

Ohad
Joe McDonagh
2010-Jul-14 14:27 UTC
Re: [Puppet Users] Puppet DDNS and Preseed -- Any easier alternative
Hari, this is sort of OT but I've been lightly piloting Ubuntu 10.04 and I've noticed that for some reason my partman-auto recipe which worked fine in 8.04 is creating disproportionately large swap partitions. Are you using partman-auto? If so, could I see the config block? Thanks.

--
Joe McDonagh
AIM: YoosingYoonickz
IRC: joe-mac on freenode
"When the going gets weird, the weird turn pro."
Steven Wagner
2010-Jul-14 15:41 UTC
Re: [Puppet Users] Puppet DDNS and Preseed -- Any easier alternative
ISC dhcpd supports secure DDNS updates. It will send an update as it's handing out an IP address. For this to work, you do need to figure out a way to determine the DDNS hostname. You can trust the hostname passed by the client, and/or you can override it with one you generate yourself.

The way I'm handling DDNS is:

* Generic forward/reverse rules in dhcpd.conf for everybody.
* Specifically-named host entries get added/sync'd to dhcpd.conf through Cobbler.
* An additional layer of A/PTR and CNAME records is handled through a Puppet class.

The first two points are pretty well-documented through Google. The last seemed like a neat way of dealing with vhosts and Puppet nodes in general, and was kind of my test class for storeconfigs. DDNS update objects are exported on the Puppet clients (as part of an Apache vhost declaration, for example) and collected on the server that runs Cobbler and DHCP (which is authorized to send DDNS updates to the domains we're working with).

It works pretty well!
Patrick Mohr
2010-Jul-14 18:01 UTC
Re: [Puppet Users] Puppet DDNS and Preseed -- Any easier alternative
On Jul 14, 2010, at 7:27 AM, Joe McDonagh wrote:
> Hari, this is sort of OT but I've been lightly piloting Ubuntu 10.04 and I've noticed that for some reason my partman-auto recipe which worked fine in 8.04 is creating disproportionately large swap partitions. Are you using partman-auto? If so, could I see the config block? Thanks.

I hope the attachment comes through. Don't forget to:

*) Change line 66
*) Change the passwords
*) Change the groups the created user is added to
*) Change the last line if you don't want puppet auto-starting.

You should also be aware of https://bugs.launchpad.net/bugs/570805 if you use ext4.
Harihara Vinayakaram
2010-Jul-15 11:53 UTC
[Puppet Users] Re: Puppet DDNS and Preseed -- Any easier alternative
Hi Wagner

Could you elaborate a bit more please. The problem for me is that only secure updates work for the DDNS. I have got it working by doing an update of the dhclient.conf, dhclient-exit-hooks as well as the keys as part of the preseed late_command. But it looks more of a hack to me and I am looking at an easier way to do this.

Doing it from puppet seems a nice thing to do but my puppet clients cannot be signed since the reverse DNS is not working until the nsupdate is done. I am using auto sign.

Would love to get more details about your setup.

Thanks
Regards
Hari
steve .
2010-Jul-15 18:22 UTC
Re: [Puppet Users] Re: Puppet DDNS and Preseed -- Any easier alternative
It seems like it would be a big headache to do this via dhclient for new Puppet hosts, unless you want to set up a means of distributing a default dhclient.conf to all new hosts...

I've centralized all DDNS updates on the "provisioning server," which runs Puppet and the Cobbler services (DHCP, TFTP, NFS/HTTP repository mirroring).

If all you want to do is get your DHCP server to send DDNS updates to your nameserver, that's an implementation-specific question. ISC DHCPD supports secure DDNS updates, but I'm saddled with AD primaries and I immediately got a twitchy feeling at the idea of integrating my open, standards-based DHCP server with my "open," "standards-based" Microsoft AD nameserver. My solution was to allow insecure updates to some private zone files from only one IP - the DHCP server. It's not ideal, but somehow I don't think setting up secure DNS updates would be as simple as it is with bind...

On the DHCP server, I added these lines to the global section of the dhcpd.conf file (actually the config template, since cobbler auto-generates a new one every time I run "cobbler sync"):

# works with AD
ddns-update-style interim;
# fancy default hostname generator, prefers client-supplied hostname,
# then configured dhcpd.conf hostname, then finally defaults to
# "dhcp-AAA-BBB-CCC-DDD")
ddns-hostname = pick(option fqdn.hostname, option host-name, concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address)));
# domain name to use for ddns.
ddns-domainname "whatever.local";
# this actually turns on ddns updates.
ddns-updates on;
# let host-supplied hostnames through. windows clients LOVE this.
use-host-decl-names on;
# send nsupdates even on static DHCP leases.
update-static-leases on;
# don't let clients update their own address records.
deny client-updates;
# don't allow duplicate A / PTR records.
deny duplicates;

[-- stop copying here. --]

This is pretty much the config I use, and it works for me.
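The signed (TSIG) form of the DHCP-server-side updates discussed in this thread, as an added example that is not from any poster in the thread. It assumes a BIND primary rather than AD; the key name, secret, addresses, reverse zone and zone file paths are placeholders.

```conf
# ---- dhcpd.conf on the provisioning/DHCP server (constructed example) ----
# Shared TSIG key; name and secret are placeholders. Keep this file
# readable by the dhcpd user only, since the secret authorises updates.
key DHCP_UPDATER {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;   # form shown in dhcpd.conf(5)
    secret REPLACE_WITH_BASE64_SECRET;
};

ddns-update-style interim;
ddns-updates on;
ddns-domainname "whatever.local";
deny client-updates;        # only the DHCP server writes A/PTR records

# Forward zone: updates to it are signed with the key above.
zone whatever.local. {
    primary 192.0.2.53;     # assumed address of the BIND primary
    key DHCP_UPDATER;
}

# Reverse zone for the assumed 192.0.2.0/24 lease range.
zone 2.0.192.in-addr.arpa. {
    primary 192.0.2.53;
    key DHCP_UPDATER;
}

# ---- named.conf on the BIND primary (constructed example) ----
# Same key name and secret as in dhcpd.conf.
key DHCP_UPDATER {
    algorithm hmac-md5;
    secret "REPLACE_WITH_BASE64_SECRET";
};

zone "whatever.local" {
    type master;
    file "/var/lib/bind/db.whatever.local";   # path is an assumption
    allow-update { key DHCP_UPDATER; };       # signed updates only, no IP ACL
};

zone "2.0.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.192.0.2";          # path is an assumption
    allow-update { key DHCP_UPDATER; };
};
```

With updates sent by dhcpd at lease time, the clients need no dhclient-exit-hooks or keys of their own, and the secret lives only on the DHCP server and the nameserver. Where both daemons support a stronger HMAC than MD5, use it in both key blocks.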