Puppet users - Apr 2008 - Template variable "hostname" not working with certname= parameter?

I recently upgraded my Puppetmaster to 0.24.4 and it looks like my templates
are not working properly.  All of my clients use the same certificate, built
by my original client "xx".  I do this using the certname=blah
parameter in
the puppet.conf on each client.  Up until I upgraded each client would use
the "xx" certificate (which I had renamed to "blah") and
everything worked
great.  Now however, they are all connecting as "xx" and reconfiguring
the
systems (i.e. DHCP3.conf) as if thier hostname was "xx".  I ran facter
on
each client and it is reporting the name properly, however when puppetmaster
reads it it is using the certname (or something) instead of the real
hostname provided by facter.

Is anyone else having this issue?  Am I doing something wrong?  I''m
running
Debian on both the server and the clients and using the latest backport
pacakge to install puppet.

Thanx!
  Richard

P.S. I made this
comment<http://reductivelabs.com/trac/puppet/ticket/1178#comment:7>on
a ticket that looked like it might describe the problem I was having.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

OK, I''ve done a little more digging but I''m still not much
closer to
an answer.  It looks like most of the other "facters" work properly,
or at least the ones I tested: domain, ipaddress, uniqueid,
macaddress, & operatingsystem.  The only one that didn''t work fully
is
fqdn and it got the hostname wrong and listed it as "xx".

I tried to do a little debugging and as far as I can see the hostname
gets saved in the facts structure just fine.  I''m not a Ruby developer
so I had to rely on inserting "Puppet.debug" statements everywhere.
The problem with this method is that I can''t follow the code and find
out when/where it''s actually replacing the proper hostname with the
hostname from the SSL certificate.  Does anyone have any pointers on
either where the template replacement takes place?  Even better would
be a couple of pointers on debugging Puppet on Debian.  I tried to
install "ruby-debug" from gems (and it seems to work) but it
can''t
find the debugger libraries and rdebug is nowhere to be found.  I''m
kinda lost...  :/

Thanx!
  Richard

On Apr 27, 6:27 am, "Richard Hurt" <rnh...@gmail.com>
wrote:
> I recently upgraded my Puppetmaster to 0.24.4 and it looks like my
templates
> are not working properly.  All of my clients use the same certificate,
built
> by my original client "xx".  I do this using the certname=blah
parameter in
> the puppet.conf on each client.  Up until I upgraded each client would use
> the "xx" certificate (which I had renamed to "blah")
and everything worked
> great.  Now however, they are all connecting as "xx" and
reconfiguring the
> systems (i.e. DHCP3.conf) as if thier hostname was "xx".  I ran
facter on
> each client and it is reporting the name properly, however when
puppetmaster
> reads it it is using the certname (or something) instead of the real
> hostname provided by facter.
>
> Is anyone else having this issue?  Am I doing something wrong?
 I''m running
> Debian on both the server and the clients and using the latest backport
> pacakge to install puppet.
>
> Thanx!
>   Richard
>
> P.S. I made this
> comment<http://reductivelabs.com/trac/puppet/ticket/1178#comment:7>on
> a ticket that looked like it might describe the problem I was having.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

On Apr 28, 2008, at 9:48 AM, Richard wrote:
> OK, I''ve done a little more digging but I''m still not
much closer to
> an answer.  It looks like most of the other "facters" work
properly,
> or at least the ones I tested: domain, ipaddress, uniqueid,
> macaddress, & operatingsystem.  The only one that didn''t work
fully is
> fqdn and it got the hostname wrong and listed it as "xx".
Sorry; your email has been in my todo folder for a bit now.

I consider this an unsupported certificate setup.  It''s easy to make  
sure each host has a unique certificate, so there''s no real reason to  
use the same certificate everywhere.  Do you have a clear technical  
reason to use the same certificate everywhere?

There''s a bug in 0.24.4 that causes some hostname confusion if you  
have ''node_name'' set to ''facter'', rather
than the default of ''cert''; I
should be fixing that soon, but I can almost guarantee you that it  
will just codify the problems you''re having, rather than fixing them.
>
> I tried to do a little debugging and as far as I can see the hostname
> gets saved in the facts structure just fine.  I''m not a Ruby
developer
> so I had to rely on inserting "Puppet.debug" statements
everywhere.
> The problem with this method is that I can''t follow the code and
find
> out when/where it''s actually replacing the proper hostname with
the
> hostname from the SSL certificate.  Does anyone have any pointers on
> either where the template replacement takes place?  Even better would
> be a couple of pointers on debugging Puppet on Debian.  I tried to
> install "ruby-debug" from gems (and it seems to work) but it
can''t
> find the debugger libraries and rdebug is nowhere to be found. 
I''m
> kinda lost...  :/
>

Things are a bit messy right now, because we''re mid-transition (from  
an admittedly also-messy place).  You can see the hostname changes  
happen in network/handler/master.rb and node.rb, mostly.

-- 
Nothing is impossible for the man who doesn''t have to do it himself.
-- A. H. Weiler
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

On Apr 28, 11:05 am, Luke Kanies <l...@madstop.com>
wrote:
> Sorry; your email has been in my todo folder for a bit now.
No problem.
> I consider this an unsupported certificate setup.  It''s easy to
make  
> sure each host has a unique certificate, so there''s no real reason
to  
> use the same certificate everywhere.  Do you have a clear technical  
> reason to use the same certificate everywhere?
The only real reason I decoupled the certname is that the hostname of
any particular client will probably change and the domain will
definitely change.  Does this cause a problem for Puppet?  Also, I
don''t really need separate certificates as all machines will be
configured similarly and I am just trying to cut down on the number of
certificates I have to deal with.
> There''s a bug in 0.24.4 that causes some hostname confusion if you
 
> have ''node_name'' set to ''facter'',
rather than the default of ''cert''; I  
> should be fixing that soon, but I can almost guarantee you that it  
> will just codify the problems you''re having, rather than fixing
them.
Agreed.
> Things are a bit messy right now, because we''re mid-transition
(from  
> an admittedly also-messy place).  You can see the hostname changes  
> happen in network/handler/master.rb and node.rb, mostly.
I hopefully wont need to dig in very far as I think your feedback
above is probably valid.  I''ve been bending the rules a bit and
it''s
come back to bite me - and I''m OK with that.  :)

Thanx!
  Richard
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

On Apr 28, 2008, at 11:12 AM, Richard wrote:
> The only real reason I decoupled the certname is that the hostname of
> any particular client will probably change and the domain will
> definitely change.  Does this cause a problem for Puppet?  Also, I
> don''t really need separate certificates as all machines will be
> configured similarly and I am just trying to cut down on the number of
> certificates I have to deal with.

In this situation, others usually use some kind of UUID for each host,  
such as maybe the MAC address.  It doesn''t matter what you use, it  
just needs to be unique.  I think there''s a page up on the wiki about  
this, but I don''t remember the name.

Just set the ''certname'' parameter for each host to be the name
you
want.  If you then want to use the Facter hostname to look up your  
hosts, then set ''node_name'' to facter, but note there is that
open bug
about this (the ''inconsistent node names'' bug).

-- 
I do not feel obliged to believe that the same God who has endowed us
with sense, reason, and intellect has intended us to forgo their use.
     -- Galileo Galilei
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---