Hi,

Is it possible to make a fully automatic installation of puppet? I've tried to do so, but when the puppetd daemon starts after a fresh install it fails showing "No certificates; exiting" in the logs, and exits. The problem is solved if I manually run puppetd with the waitforcert option.

Best regards
Jose
_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users
On Feb 19, 2008, at 6:50 AM, José González Gómez wrote:

> Hi,
>
> Is it possible to make a fully automatic installation of puppet?
> I've tried to do so, but when the puppetd daemon starts after a
> fresh install it fails showing "No certificates; exiting" in the
> logs, and exits. The problem is solved if I manually run puppetd
> with the waitforcert option.

This is possibly a packaging issue, in that some packages might be set up to only run puppetd in -t mode on first run or something.

It should work just fine on first run, and just wait for the cert.

--
It's a small world, but I wouldn't want to paint it. -- Stephen Wright
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
On 19/02/2008, José González Gómez <jgonzalez.openinput@gmail.com> wrote:

> Hi,
>
> Is it possible to make a fully automatic installation of puppet? I've tried
> to do so, but when the puppetd daemon starts after a fresh install it fails
> showing "No certificates; exiting" in the logs, and exits. The problem is
> solved if I manually run puppetd with the waitforcert option.

On the puppetmaster:

You can set up autosign. For example, if your domain is "example.com", in /etc/puppet/autosign.conf you could wildcard the domain with "*.example.com".

The other piece is adding the following to the [ca] section of puppet.conf:

    [ca]
    autosign = true

I don't know how your network is set up, but what I do is only install on a subnet reserved for installs. So I can limit autosign to just installs and not the entire domain. Also I put a domain check in my install class for good measure, so the class is only run if the machine is in the install subdomain. Also I use node "default" for concurrent installs.

Kent
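The puppetmaster-side autosign setup Kent describes, written out as an added example (not configuration from the thread or from the Puppet project): the wildcard for the whole domain beside the narrower pattern that only matches hosts named under an install subdomain, which is the restriction Kent applies. The subdomain `install.example.com` is an assumed name for illustration.

```ini
# /etc/puppet/puppet.conf on the puppetmaster (added example)
[ca]
# Sign client certificate requests automatically; which requests
# qualify is decided by the patterns in autosign.conf below.
autosign = true

# /etc/puppet/autosign.conf (added example)
# One pattern per line. A client whose certificate request matches a
# pattern is signed without an operator running
# "puppetca --sign <certname>" on the server.

# Domain-wide wildcard: every host that reaches the master with a name
# under example.com is signed, so the CA trusts anything on the network.
# Left commented out here in favour of the narrower rule.
#*.example.com

# Narrower rule: only hosts whose certname falls in the install
# subdomain (assumed: install.example.com, reachable from the install
# subnet only) are signed automatically. Hosts outside that subdomain
# still wait for a manual "puppetca --sign".
*.install.example.com
```

Because autosign.conf is consulted whenever `autosign = true`, tightening the pattern is what limits the exposure; a client that does not match simply keeps waiting for its certificate, as it would with waitforcert.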
On Feb 19, 2008, at 7:51 AM, Kenton Brede wrote:

> On the puppetmaster:
>
> You can set up autosign. For example if your domain is "example.com"
> in /etc/puppet/autosign.conf you could wildcard the domain with
> "*.example.com"

You actually don't need autosign for this -- waitforcert is sufficient, it just means the client will sit until the cert is available, which is functional, just slow.

--
Opportunity is missed by most people because it is dressed in overalls and looks like work. -- Thomas A. Edison
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
On 19/02/2008, Luke Kanies <luke@madstop.com> wrote:

> On Feb 19, 2008, at 7:51 AM, Kenton Brede wrote:
>
> > On the puppetmaster:
> >
> > You can set up autosign. For example if your domain is "example.com"
> > in /etc/puppet/autosign.conf you could wildcard the domain with
> > "*.example.com"
>
> You actually don't need autosign for this -- waitforcert is
> sufficient, it just means the client will sit until the cert is
> available, which is functional, just slow.

He said he wanted a "fully automated installation of puppet" and mentioned he had to "manually run puppetd with waitforcert", so I was assuming he didn't want to use "--waitforcert." Perhaps I misunderstood.

Kent
On Feb 19, 2008, at 8:38 AM, Kenton Brede wrote:

> He said he wanted a "fully automated installation of puppet" and
> mentioned he had to "manually run puppetd with waitforcert" so I was
> assuming he didn't want to use "--waitforcert." Perhaps I
> misunderstood.

Ah, I missed that; sorry.

--
Risk! Risk anything! Care no more for the opinions of others, for those voices. Do the hardest thing on earth for you. Act for yourself. Face the truth. -- Katherine Mansfield
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
On Feb 19, 2008 2:39 PM, Luke Kanies <luke@madstop.com> wrote:

> On Feb 19, 2008, at 6:50 AM, José González Gómez wrote:
>
> > Hi,
> >
> > Is it possible to make a fully automatic installation of puppet?
> > I've tried to do so, but when the puppetd daemon starts after a
> > fresh install it fails showing "No certificates; exiting" in the
> > logs, and exits. The problem is solved if I manually run puppetd
> > with the waitforcert option.
>
> This is possibly a packaging issue, in that some packages might be set
> up to only run puppetd in -t mode on first run or something.
>
> It should work just fine on first run, and just wait for the cert.

Ok, I have just noticed that the init script in ubuntu (maybe debian also?) adds -w 0 to the command line options using the DAEMON_OPTS variable, and also sources /etc/default/puppet, so I just created that file while doing the initial install and included DAEMON_OPTS="" in it, but it still doesn't seem to work properly:

First time puppetd is run I get this in the log, and puppetd seems to die (autosigning enabled for this machine):

    Feb 19 15:54:15 server puppetd[4611]: Reopening log files
    Feb 19 15:54:15 server puppetd[4611]: Other end went away; restarting connection and retrying
    Feb 19 15:54:15 server puppetd[4611]: Could not request certificate: Certificate retrieval failed: Could not find ca certificate /etc/puppet/ssl/certs/ca.pem

If I manually start it again it seems to work ok (I still don't have a node definition for this machine):

    Feb 19 15:56:35 server puppetd[4774]: Reopening log files
    Feb 19 15:56:36 server puppetd[4774]: Got signed certificate
    Feb 19 15:56:36 server puppetd[4774]: Starting Puppet client version 0.23.2
    Feb 19 15:56:38 server puppetd[4774]: Could not retrieve configuration: Could not find node.domain with names node.domain, node
    Feb 19 15:56:38 server puppetd[4774]: Could not retrieve configuration: Cannot connect to server and there is no cached configuration

My puppetd.conf contains the following:

    [puppetd]
    vardir = /var/lib/puppet
    server = puppet.openinput.com
    masterlog = syslog

And this time puppetd is run without any option in the command line:

    openinput@server:~$ ps -ef | grep puppet
    root      4774     1  0 15:56 ?        00:00:00 ruby /usr/sbin/puppetd
    1000      4818  4668  0 16:01 pts/0    00:00:00 grep puppet

Thanks, best regards
Jose
On Feb 19, 2008 3:52 PM, Luke Kanies <luke@madstop.com> wrote:

> On Feb 19, 2008, at 8:38 AM, Kenton Brede wrote:
>
> > He said he wanted a "fully automated installation of puppet" and
> > mentioned he had to "manually run puppetd with waitforcert" so I was
> > assuming he didn't want to use "--waitforcert." Perhaps I
> > misunderstood.
>
> Ah, I missed that; sorry.

Sorry, but I don't see the difference between autosigning and manually signing the certificate. The client is supposed to wait until it gets a signed certificate, so it's the same from the client's point of view whether the certificate got signed automatically or not, isn't it? I don't consider manually signing a machine's certificate as not having an automated install, as this is done in the server, not in the client machine I'm installing.

Best regards
Jose
On Feb 19, 2008, at 9:02 AM, José González Gómez wrote:

> First time puppetd is run I get this in the log, and puppetd seems
> to die (autosigning enabled for this machine):
>
> Feb 19 15:54:15 server puppetd[4611]: Reopening log files
> Feb 19 15:54:15 server puppetd[4611]: Other end went away;
> restarting connection and retrying
> Feb 19 15:54:15 server puppetd[4611]: Could not request certificate:
> Certificate retrieval failed: Could not find ca certificate /etc/
> puppet/ssl/certs/ca.pem

I *think* the current release doesn't deal well with problems on the server; should be working well in git, and I promise I'm working as hard as I can to get a release out.

--
The time to repair the roof is when the sun is shining. -- John F. Kennedy
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
This is almost exactly what I do. I have a meta package that requires puppet (or rather my local rpm'd version of the gem). This meta package twiddles rc.local for a first run of puppet. My puppet master autosigns certificates and the magic is done.

Cheers,
Ryan

On 2/19/08 5:39 AM, "Luke Kanies" <luke@madstop.com> wrote:

> On Feb 19, 2008, at 6:50 AM, José González Gómez wrote:
>
> > Hi,
> >
> > Is it possible to make a fully automatic installation of puppet?
> > I've tried to do so, but when the puppetd daemon starts after a
> > fresh install it fails showing "No certificates; exiting" in the
> > logs, and exits. The problem is solved if I manually run puppetd
> > with the waitforcert option.
>
> This is possibly a packaging issue, in that some packages might be set
> up to only run puppetd in -t mode on first run or something.
>
> It should work just fine on first run, and just wait for the cert.
>
> --
> It's a small world, but I wouldn't want to paint it. -- Stephen Wright
> ---------------------------------------------------------------------
> Luke Kanies | http://reductivelabs.com | http://madstop.com
On 19/02/2008, José González Gómez <jgonzalez.openinput@gmail.com> wrote:

> On Feb 19, 2008 3:52 PM, Luke Kanies <luke@madstop.com> wrote:
>
> > On Feb 19, 2008, at 8:38 AM, Kenton Brede wrote:
> >
> > > He said he wanted a "fully automated installation of puppet" and
> > > mentioned he had to "manually run puppetd with waitforcert" so I was
> > > assuming he didn't want to use "--waitforcert." Perhaps I
> > > misunderstood.
> >
> > Ah, I missed that; sorry.
>
> Sorry, but I don't see the difference between autosigning and manually
> signing the certificate. The client is supposed to wait until it gets a
> signed certificate, so it's the same from the client's point of view whether
> the certificate got signed automatically or not, isn't it? I don't consider
> manually signing a machine's certificate as not having an automated install,
> as this is done in the server, not in the client machine I'm installing.

With autosigning the certificate from the client is automatically signed by the server. You don't have to manually run "puppetca --sign test.example.com" on the server.

Now that I think of it, "automated install" can mean different things to different people. Autosigning is part of my definition :) Given your original post, I'm not sure what problem you're trying to solve.

Kent
On Feb 19, 2008 5:42 PM, Kenton Brede <kbrede@gmail.com> wrote:

> On 19/02/2008, José González Gómez <jgonzalez.openinput@gmail.com> wrote:
>
> > On Feb 19, 2008 3:52 PM, Luke Kanies <luke@madstop.com> wrote:
> >
> > > On Feb 19, 2008, at 8:38 AM, Kenton Brede wrote:
> > >
> > > > He said he wanted a "fully automated installation of puppet" and
> > > > mentioned he had to "manually run puppetd with waitforcert" so I was
> > > > assuming he didn't want to use "--waitforcert." Perhaps I
> > > > misunderstood.
> > >
> > > Ah, I missed that; sorry.
> >
> > Sorry, but I don't see the difference between autosigning and manually
> > signing the certificate. The client is supposed to wait until it gets a
> > signed certificate, so it's the same from the client's point of view
> > whether the certificate got signed automatically or not, isn't it? I don't
> > consider manually signing a machine's certificate as not having an
> > automated install, as this is done in the server, not in the client
> > machine I'm installing.
>
> With autosigning the certificate from the client is automatically
> signed by the server.
> You don't have to manually run "puppetca --sign test.example.com" on
> the server.
>
> Now that I think of it "automated install" can mean different things
> to different people. Autosigning is part of my definition :) Given
> your original post, I'm not sure what problem you're trying to solve.
> Kent

The first problem was that puppet failed to wait for the certificate to be signed (due to the init script running puppetd with -w 0). My current problem is that after properly configuring puppet, it fails on the first run, but it works properly after being run the second time. Luke has told me in IRC that this problem may be solved in 0.24.x (I'm using 0.23.2), so I'll give that version a try and see if that solves the problem.

Thanks, best regards
Jose
On 19/02/2008, José González Gómez <jgonzalez.openinput@gmail.com> wrote:

> On Feb 19, 2008 5:42 PM, Kenton Brede <kbrede@gmail.com> wrote:
>
> > On 19/02/2008, José González Gómez <jgonzalez.openinput@gmail.com> wrote:
> >
> > > On Feb 19, 2008 3:52 PM, Luke Kanies <luke@madstop.com> wrote:
> > >
> > > > On Feb 19, 2008, at 8:38 AM, Kenton Brede wrote:
> > > >
> > > > > He said he wanted a "fully automated installation of puppet" and
> > > > > mentioned he had to "manually run puppetd with waitforcert" so I was
> > > > > assuming he didn't want to use "--waitforcert." Perhaps I
> > > > > misunderstood.
> > > >
> > > > Ah, I missed that; sorry.
> > >
> > > Sorry, but I don't see the difference between autosigning and manually
> > > signing the certificate. The client is supposed to wait until it gets a
> > > signed certificate, so it's the same from the client's point of view
> > > whether the certificate got signed automatically or not, isn't it? I don't
> > > consider manually signing a machine's certificate as not having an
> > > automated install, as this is done in the server, not in the client
> > > machine I'm installing.
> >
> > With autosigning the certificate from the client is automatically
> > signed by the server.
> > You don't have to manually run "puppetca --sign test.example.com" on
> > the server.
> >
> > Now that I think of it "automated install" can mean different things
> > to different people. Autosigning is part of my definition :) Given
> > your original post, I'm not sure what problem you're trying to solve.
> > Kent
>
> The first problem was that puppet failed to wait for the certificate to be
> signed (due to the init script running puppetd with -w 0). My current
> problem is that after properly configuring puppet, it fails on the first
> run, but it works properly after being run the second time. Luke has told me
> in IRC that this problem may be solved in 0.24.x (I'm using 0.23.2) so I'll
> give that version a try, and see if that solves the problem.

I understand now :) This actually reminds me, I've got kickstart populating /etc/rc.local with puppetd twice during my installs, due to the same problem you're having. I'm running 0.24.x now so I'll rectify that. Thanks for bringing this up :)

Kent
On Feb 19, 2008 6:22 PM, Kenton Brede <kbrede@gmail.com> wrote:

> On 19/02/2008, José González Gómez <jgonzalez.openinput@gmail.com> wrote:
>
> > The first problem was that puppet failed to wait for the certificate to
> > be signed (due to the init script running puppetd with -w 0). My current
> > problem is that after properly configuring puppet, it fails on the first
> > run, but it works properly after being run the second time. Luke has
> > told me in IRC that this problem may be solved in 0.24.x (I'm using
> > 0.23.2) so I'll give that version a try, and see if that solves the
> > problem.
>
> I understand now :) This actually reminds me, I've got kickstart
> populating /etc/rc.local with puppetd twice during my installs, due to
> the same problem you're having. I'm running 0.24.x now so I'll
> rectify that. Thanks for bringing this up :)

Could you please report back if the problem is solved in 0.24.x?

Thanks a lot
Jose
On Tue, 2008-02-19 at 13:50 +0100, José González Gómez wrote:

> Is it possible to make a fully automatic installation of puppet?

I blogged about that a while back: [1] and [2] have tips for doing this with Fedora. The blog talks about autosigning, but signing certs manually should also work.

David

[1] http://watzmann.net/blog/index.php/2006/12/05/kickstarting_into_puppet
[2] http://watzmann.net/blog/index.php/2006/05/08/provisioning_puppet
David Lutterkort wrote:

> On Tue, 2008-02-19 at 13:50 +0100, José González Gómez wrote:
> > Is it possible to make a fully automatic installation of puppet?
>
> I blogged about that a while back: [1] and [2] have tips for doing this
> with Fedora. The blog talks about autosigning, but signing certs
> manually should also work.

Adding http://blogs.cae.tntech.edu/mwr/2007/04/17/unattended-debian-installations-or-how-i-learned-to-stop-worrying-and-love-the-preseedcfg/ for the Debian users among us. It's mostly about Debian preseeding, but today I've replaced all the cfengine mentions with puppet, since I've been running puppet exclusively since at least May 2007. I sign manually, for what it's worth.

I need to proofread my Jumpstart and Puppet for Solaris page, too, to make sure it matches what I currently have working.

--
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- renfro@tntech.edu