Hi all,

I want to set up a Puppet HA structure. If puppetd could set more than one server address, the work would be simple :D If one puppetmaster has an error, the client can automatically try the next. I think I can use Heartbeat or DNS to do the same thing, but that is not so good. So I want to know: can puppetd set this directly in the configuration file? If not, will this option be added?

--
Huang Mingyou

huang mingyou wrote:
> Hi all,
> I want to set up a Puppet HA structure. If puppetd could set
> more than one server address, the work would be simple :D
> If one puppetmaster has an error, the client can automatically try
> the next. I think I can use Heartbeat or DNS to do the same
> thing, but that is not so good. So I want to know: can puppetd set this
> directly in the configuration file? If not, will this option be added?

Not totally on topic but have a look at:

http://reductivelabs.com/trac/puppet/wiki/UsingMongrel

and

http://reductivelabs.com/trac/puppet/wiki/PuppetScalability

Regards

James Turnbull

--
James Turnbull <james@lovedthanlost.net>
---
Author of Pro Nagios 2.0
(http://www.amazon.com/gp/product/1590596099/)

Hardening Linux
(http://www.amazon.com/gp/product/1590594444/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)

_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users

Yes, I had a look at this, but the Apache server is a single point of failure. If I run 2 Apache + puppet server groups, how can the puppetd client automatically choose a good point?

--
Huang Mingyou

On Wed, Oct 31, 2007 at 03:13:23PM +0800, huang mingyou wrote:
> I want to set up a Puppet HA structure. If puppetd could set
> more than one server address, the work would be simple :D
> If one puppetmaster has an error, the client can automatically try
> the next. I think I can use Heartbeat or DNS to do the same
> thing, but that is not so good. So I want to know: can puppetd set this
> directly in the configuration file? If not, will this option be added?

I'm pretty sure that --server can't take anything except a single name or address. It would be possible to modify all of the relevant sections of puppetd to split server specs on commas or something, but it wouldn't be simple.

- Matt

--
MySQL seems to be the Windows of the database world. Broken, underspecced, and mainly only popular due to inertia and people who don't really know what they're doing. -- Peter Corlett, in the Monastery

huang mingyou wrote:
> Yes, I had a look at this, but the Apache server is a single point of failure. If
> I run 2 Apache + puppet server groups, how can the puppetd client
> automatically choose a good point?

At the moment the only way would be a load balancer with a VIP or round robin DNS.

The recommended course if neither of these suits is obviously to log a ticket - giving money to Luke will also speed up the development of such functionality. :)

Regards

James Turnbull

--
James Turnbull <james@lovedthanlost.net>

On Wed, Oct 31, 2007 at 04:25:59PM +0800, huang mingyou wrote:
> Yes, I had a look at this, but the Apache server is a single point of failure. If
> I run 2 Apache + puppet server groups, how can the puppetd client
> automatically choose a good point?

You can run two machines in an Active/Passive configuration using Heartbeat (or similar), using a 'floating' IP for the puppetd to connect to. This IP is managed by Heartbeat and assigned to whichever node is primary.

HTH,

--
Sam Bashton - Bashton Ltd, Manchester, England
Linux Consultancy / VOIP Telephony / High Availability Systems
www.bashton.com - 0161-424-9600

huang mingyou wrote:
> Yes, I had a look at this, but the Apache server is a single point of failure. If
> I run 2 Apache + puppet server groups, how can the puppetd client
> automatically choose a good point?

You could use VRRP/CARP to create a virtual IP shared between the two apache load balancers. First box goes down, the second one takes over the VIP.

It's also possible to use OSPF to do the failover without the limitation of both boxes having to be on the same subnet.

--
Russell A. Jackson <raj@csub.edu>
Network Analyst
California State University, Bakersfield

If practice makes perfect, and nobody's perfect, why practice?

Sam Bashton wrote:
> On Wed, Oct 31, 2007 at 04:25:59PM +0800, huang mingyou wrote:
>> Yes, I had a look at this, but the Apache server is a single point of failure. If
>> I run 2 Apache + puppet server groups, how can the puppetd client
>> automatically choose a good point?
>
> You can run two machines in an Active/Passive configuration using Heartbeat
> (or similar), using a 'floating' IP for the puppetd to connect to. This IP
> is managed by Heartbeat and assigned to whichever node is primary.
>
> HTH,

Darn. Beat me to it.

--
Russell A. Jackson <raj@csub.edu>
Network Analyst
California State University, Bakersfield

If practice makes perfect, and nobody's perfect, why practice?

<Derek.Whayman@barclayscapital.com>
2007-Oct-31 09:27 UTC
Re: puppetd can set more than one server address
The SSL certificate infrastructure is the difficult bit once you do this. Be aware of David Lutterkort's and others' earlier postings to this ML, subject "Warning for Fedora Core users" in October 07. http://mail.madstop.com/pipermail/puppet-users/.

I'm still scratching my head as to how to deal with this internally - whether to use the workaround or get more sophisticated.

Derek

The SSL certificates can use only one shared CA; all the manifests and SSL certificates are managed by svn, and svk is used to check them out on the hosts that run the puppetmaster (svk is a distributed version control system).

So maybe the structure is like this:

svn
|-------svk+puppetmaster 1
|
|-------svk+puppetmaster 2

Using Heartbeat or something similar to share an IP is a good idea, but when the puppetmasters are not in the same LAN, it will be a problem. :D

--
Huang Mingyou

huang mingyou wrote:
> The SSL certificates can use only one shared CA; all the manifests and
> SSL certificates are managed by svn, and svk is used to check them out on the
> hosts that run the puppetmaster (svk is a distributed version control
> system).
>
> So maybe the structure is like this:
>
> svn
> |-------svk+puppetmaster 1
> |
> |-------svk+puppetmaster 2
>
> Using Heartbeat or something similar to share an IP is a good idea, but when
> the puppetmasters are not in the same LAN, it will be a problem. :D

Is this really a problem worth solving? The nodes don't go down if they can't contact the master. They still have their configurations cached locally, so they should continue having their configurations enforced. The worst that happens is that new configurations can't be pushed until the outage is corrected.

--
Russell A. Jackson <raj@csub.edu>
Network Analyst
California State University, Bakersfield

DALLAS: The city that chose Astroturf to keep the cheerleaders from grazing.

> Is this really a problem worth solving? The nodes don't go down if they can't contact the
> master. They still have their configurations cached locally, so they should continue
> having their configurations enforced. The worst that happens is that new configurations
> can't be pushed until the outage is corrected.

For me yes. I'd want to see redundant puppet masters across all of my sites (or at least geographically close to their clients). My puppetmasters will probably also be the distribution servers (both puppet and yum repo).

There is also the case where traffic between two sites might be limited, again where a local puppet master would sync from a root master so that the local clients stay in sync. ACL's, great walls, randomized rst packets all abound.

I'm doing this with subversion to check out the puppetmaster configs on my local back-up hosts, which seems sort of ghetto but it works.

Cheers,
Ryan

On Oct 31, 2007 4:10 PM, Ryan Dooley <rd@powerset.com> wrote:
>
> For me yes. I'd want to see redundant puppet masters across all of my
> sites (or at least geographically close to their clients). My
> puppetmasters will probably also be the distribution servers (both
> puppet and yum repo).
>
> There is also the case where traffic between two sites might be limited,
> again where a local puppet master would sync from a root master so
> that the local clients stay in sync. ACL's, great walls, randomized rst
> packets all abound.
>
> I'm doing this with subversion to check out the puppetmaster configs on
> my local back-up hosts, which seems sort of ghetto but it works.
>

Puppet probably should support multiple IP addresses for a single DNS name. It is standard for network applications to go through the list of IP addresses until they find one that works. The IP addresses can be round-robined by DNS.

If people wanted priorities and different ports for a single name, it would be possible to use SRV DNS records.

- Ian

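What Ian describes above, sketched as an added example (not part of the original thread and not Puppet code): order SRV-style candidates by priority and weight, then try each until one accepts a connection. The `Candidate` struct, the `example.test` names, port 8140 in the sample data and both function names are assumptions made for the illustration.

```ruby
require 'socket'

# One SRV-style candidate: lower priority is tried first, weight splits load
# between candidates of equal priority.
Candidate = Struct.new(:priority, :weight, :port, :target)

# Constructed sample records; the example.test names are placeholders.
SAMPLE = [
  Candidate.new(20, 0, 8140, 'puppet-dr.example.test'),
  Candidate.new(10, 60, 8140, 'puppet-a.example.test'),
  Candidate.new(10, 40, 8140, 'puppet-b.example.test')
].freeze

# Order candidates as RFC 2782 describes: ascending priority, and within one
# priority a weighted random draw without replacement.
def order_candidates(records, rng: Random.new)
  records.group_by(&:priority).sort_by { |prio, _| prio }.flat_map do |_prio, group|
    pool = group.sort_by(&:weight) # zero-weight entries go first in the scan
    picked = []
    until pool.empty?
      roll = rng.rand(0..pool.sum(&:weight))
      running = 0
      idx = pool.index { |r| (running += r.weight) >= roll }
      picked << pool.delete_at(idx)
    end
    picked
  end
end

# Walk the ordered list until one connect succeeds. Returns
# [candidate, connection, failures]; candidate is nil if every attempt failed.
# `connect` is injectable so the logic can be exercised without a network.
def first_reachable(ordered, timeout: 3, connect: nil)
  connect ||= ->(host, port) { Socket.tcp(host, port, connect_timeout: timeout) }
  failures = []
  ordered.each do |cand|
    begin
      return [cand, connect.call(cand.target, cand.port), failures]
    rescue SystemCallError, SocketError, IOError => e
      failures << "#{cand.target}:#{cand.port} #{e.class}"
    end
  end
  [nil, nil, failures]
end

# Constructed outage: both priority-10 masters refuse, the DR master answers.
def demo
  down = %w[puppet-a.example.test puppet-b.example.test]
  fake = lambda do |host, _port|
    raise Errno::ECONNREFUSED if down.include?(host)
    :connected
  end
  first_reachable(order_candidates(SAMPLE), connect: fake)
end

if __FILE__ == $PROGRAM_NAME
  cand, _conn, failures = demo
  puts "using #{cand.target}; skipped: #{failures.join(', ')}"
end
```

Failover only selects the endpoint; the certificate each master presents still has to validate on the client, which is the SSL concern raised earlier in the thread.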
Ryan Dooley wrote:
>> Is this really a problem worth solving? The nodes don't go down if they can't contact the
>> master. They still have their configurations cached locally, so they should continue
>> having their configurations enforced. The worst that happens is that new configurations
>> can't be pushed until the outage is corrected.
>
> For me yes. I'd want to see redundant puppet masters across all of my
> sites (or at least geographically close to their clients). My
> puppetmasters will probably also be the distribution servers (both
> puppet and yum repo).
>
> There is also the case where traffic between two sites might be limited,
> again where a local puppet master would sync from a root master so
> that the local clients stay in sync. ACL's, great walls, randomized rst
> packets all abound.
>
> I'm doing this with subversion to check out the puppetmaster configs on
> my local back-up hosts, which seems sort of ghetto but it works.
>

I'm not sure what's ghetto about it. It's an efficient replication mechanism, especially if you use hooks to trigger the updates instead of having a cron job poll for updates.

I currently use svnsync to replicate commits out to a local repository at each site and then a post-commit hook to update the local puppetmaster manifests/modules/etc and trigger client runs via puppetrun. The shortcoming is the single master subversion repository.

I'm not sure puppet should get into the business of file replication when there are already tools to do this.

--
Russell A. Jackson <raj@csub.edu>
Network Analyst
California State University, Bakersfield

Do not think by infection, catching an opinion like a cold.

> I'm not sure what's ghetto about it. It's an efficient replication mechanism, especially if
> you use hooks to trigger the updates instead of having a cron job poll for updates.

Okay, I'll buy that. What I'm writing now uses an inotify lib (rinotify) to trigger file replications to the slave master (one at the moment so I'm not sure how well it scales).

> I currently use svnsync to replicate commits out to a local repository at each site and
> then a post-commit hook to update the local puppetmaster manifests/modules/etc and trigger
> client runs via puppetrun. The shortcoming is the single master subversion repository.

Yea, having a multimaster repository would be nice.

> I'm not sure puppet should get into the business of file replication when there are
> already tools to do this.

Fair enough.

Cheers,
Ryan

I think using svk to mirror the svn repository is also a good idea :) If we use DNS round-robin IPs, there may be some trouble when one of the puppetmasters is down and DNS returns its IP. Anyway, if puppetd could automatically choose a live puppetmaster server, that would be the best and simplest way to resolve this problem.

--
Huang Mingyou