Hi, I have just successfully configured Puppet to run with Mongrel, and
would like to update the documentation with what I've learned. However,
since I'm not an expert with these things, I thought I'd share with the
list before updating the wiki. So here's what I'd change:

+ Remove this picture:
  http://reductivelabs.com/trac/puppet/attachment/wiki/UsingMongrel/puppetmaster-mongrel.png
  I just found it confusing and wrong. It implies that a single puppet
  master contains several Mongrels, and that an external Puppet master
  must also be run, which is no longer the case.

+ In my setup I changed the name of the ssl certificate to just
  "puppet", so that I wouldn't need a templatized Apache configuration,
  and figured it's an option that is worth mentioning.

+ My previous experience with mongrel_start was that it didn't help much,
  because it wasn't very good at managing the processes separately. My
  inclination is to remove references to it until someone investigates
  and does the necessary work.

+ State that version 0.23.1 is required, and remove stuff about running it
  with earlier versions. Or is there a reason people would want to
  stick with earlier versions?

+ I found that Puppet master wouldn't create certificates when run with
  --mongrel, so I added "puppetca --generate puppet" to the install process.
  Is this a bug or intentional? Either way, it should be mentioned.

+ Finally, I would include the 3 attached files, a complete httpd.conf so
  people know which modules are necessary, a puppet.conf specifying a
  different name for the ssl certificate, and a startup script we use on our
  Fedora Core machines which manages an httpd and 5 puppet masters.

Alex

_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users

On Wed, Sep 12, 2007 at 09:02:03AM +0530, Alexander Taler wrote:
> + Remove this picture:

How about I just fix it instead?

> http://reductivelabs.com/trac/puppet/attachment/wiki/UsingMongrel/puppetmaster-mongrel.png
> I just found it confusing and wrong. It implies that a single puppet
> master contains several Mongrels,

Right, that is not true.

> and that an external Puppet master
> must also be run, which is no longer the case.

The _dashed_ line was supposed to mean that it is also possible for the
puppetd on the puppet master host to _optionally_ connect to another
puppetmaster (not necessarily the one on the same host). But maybe it is
really causing more confusion than it is helping. I'll get rid of that
bit.

--
Marcin Owsiany
Web Systems Integrator - Guardian Unlimited

------------------------------------------------------------------
Visit Guardian Unlimited - the UK's most popular newspaper website
http://guardian.co.uk http://observer.co.uk
------------------------------------------------------------------
The Newspaper Marketing Agency
Opening Up Newspapers
http://www.nmauk.co.uk
------------------------------------------------------------------
This e-mail and all attachments are confidential and may also be
privileged. If you are not the named recipient, please notify the sender
and delete the e-mail and all attachments immediately. Do not disclose
the contents to another person. You may not use the information for any
purpose, or store, or copy, it in any way.

Guardian News & Media Limited is not liable for any computer viruses or
other material transmitted with or as part of this e-mail. You should
employ virus checking software.

Guardian News & Media Limited
A member of Guardian Media Group PLC
Registered Office Number 1 Scott Place, Manchester M3 3GG
Registered in England Number 908396

On Wed, Sep 12, 2007 at 09:15:38AM +0100, Marcin Owsiany wrote:
> On Wed, Sep 12, 2007 at 09:02:03AM +0530, Alexander Taler wrote:
> > + Remove this picture:
>
> How about I just fix it instead?

Yes that works too. Sorry, I guess I assumed there just wasn't
anyone maintaining the document because it was getting out of
date. What did you think of the other changes I suggested?

Alex

On Wed, Sep 12, 2007 at 03:49:41PM +0530, Alexander Taler wrote:
> On Wed, Sep 12, 2007 at 09:15:38AM +0100, Marcin Owsiany wrote:
> > On Wed, Sep 12, 2007 at 09:02:03AM +0530, Alexander Taler wrote:
> > > + Remove this picture:
> >
> > How about I just fix it instead?
>
> Yes that works too. Sorry, I guess I assumed there just wasn't
> anyone maintaining the document because it was getting out of
> date. What did you think of the other changes I suggested?

>> + In my setup I changed the name of the ssl certificate to just
>> "puppet", so that I wouldn't need a templatized Apache configuration,
>> and figured it's an option that is worth mentioning.

We're using templatized apache configuration for other reasons, and like
to have an FQDN in the name. I guess that having an FQDN in the filename
makes it more apparent that it's something locally-generated, so I would
personally leave it that way.

>> + My previous experience with mongrel_start was that it didn't help much,
>> because it wasn't very good at managing the processes separately. My
>> inclination is to remove references to it until someone investigates
>> and does the necessary work.

I guess taking it out would make the chance of someone investigating that
even smaller, so I don't think it's a good idea.

>> + State that version 0.23.1 is required, and remove stuff about running it
>> with earlier versions. Or is there a reason people would want to
>> stick with earlier versions?

That page was written before 0.23.1 was released, so there was a reason
then. I guess now it makes sense to remove the bits about running a
separate instance.

>> + I found that Puppet master wouldn't create certificates when run with
>> --mongrel, so I added "puppetca --generate puppet" to the install process.
>> Is this a bug or intentional?

No idea.

>> Either way, it should be mentioned.

I agree.

>> + Finally, I would include the 3 attached files, a complete httpd.conf so
>> people know which modules are necessary,

Why not just add the necessary lines to the conffile snippet that is on
the page already? If you add the whole lot, then people won't know which
parts are in fact necessary.

>> a puppet.conf specifying a
>> different name for the ssl certificate,

See my comment on this topic above.

>> and a startup script we use on our
>> Fedora Core machines which manages an httpd and 5 puppet masters.

Yes, I guess it makes sense to provide an example.

--
Marcin Owsiany
Web Systems Integrator - Guardian Unlimited

On Sep 11, 2007, at 10:32 PM, Alexander Taler wrote:
>
> + In my setup I changed the name of the ssl certificate to just
> "puppet", so that I wouldn't need a templatized Apache configuration,
> and figured it's an option that is worth mentioning.

I think this is generally a bad idea. Puppet's auth system is based on
the fact that peer to peer authentication works fine because
certificates build a trust domain. Once you start using the service
names in certificates, you have to move those certs as the services
move, which creates a bit of a maintenance nightmare.

Templating is a far better choice, IMO.

> + My previous experience with mongrel_start was that it didn't help much,
> because it wasn't very good at managing the processes separately. My
> inclination is to remove references to it until someone investigates
> and does the necessary work.

We need some kind of solution for managing multiple processes; I don't
really care what. It doesn't matter what is actually said, but the page
should certainly mention that we know the problem exists, there are a
couple of ways people solve it with Mongrel, and none of them have been
seriously investigated with Puppet.

> + State that version 0.23.1 is required, and remove stuff about running it
> with earlier versions. Or is there a reason people would want to
> stick with earlier versions?

It should just state that 0.23.1+ is required.

> + I found that Puppet master wouldn't create certificates when run with
> --mongrel, so I added "puppetca --generate puppet" to the install process.
> Is this a bug or intentional? Either way, it should be mentioned.

Sounds like a bug, and yes, it should be added to the page.

> + Finally, I would include the 3 attached files, a complete httpd.conf so
> people know which modules are necessary, a puppet.conf specifying a
> different name for the ssl certificate, and a startup script we use on our
> Fedora Core machines which manages an httpd and 5 puppet masters.

Feel free to add them as attachments to the wiki doc.

--
Health nuts are going to feel stupid someday, lying in hospitals dying
of nothing. --Redd Foxx
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

On Wed, 2007-09-12 at 09:02 +0530, Alexander Taler wrote:
> Hi, I have just successfully configured Puppet to run with Mongrel, and
> would like to update the documentation with what I've learned.

In the spirit of sharing, the attached tarball contains a puppet module
that does most of the setup of a puppetmaster cluster with storeconfigs
in a PostgreSQL database. To use, untar in some DIR and run

    puppet --modulepath $DIR/modules $DIR/modules/cluster/scripts/setup.pp

The module contains code to set up the PostgreSQL database, too, but IIRC
that needs a small amount of love; otherwise, you'll have to set up
PostgreSQL manually.

This is far from perfect, but I hope it's a start. If there's interest
in this kind of thing, I'd like to hear about it, especially what
people's preferences on making modules like this available are.

David

I've updated the Mongrel page accounting for feedback. Luckily someone
else (mccune) got a nice short Apache configuration in there, much
better than mine. I added the example init script. I added the note
about puppetmasterd not generating certificates, and reported it as
ticket #833. I removed the section about running an external
puppetmasterd for signing, and left a brief comment about why 0.23.1 is
required.

Alex