Richard Hurt
2008-Apr-27 10:27 UTC
[Puppet Users] Template variable "hostname" not working with certname= parameter?
I recently upgraded my Puppetmaster to 0.24.4 and it looks like my templates are not working properly. All of my clients use the same certificate, built by my original client "xx". I do this using the certname=blah parameter in the puppet.conf on each client. Up until I upgraded each client would use the "xx" certificate (which I had renamed to "blah") and everything worked great. Now however, they are all connecting as "xx" and reconfiguring the systems (i.e. DHCP3.conf) as if thier hostname was "xx". I ran facter on each client and it is reporting the name properly, however when puppetmaster reads it it is using the certname (or something) instead of the real hostname provided by facter. Is anyone else having this issue? Am I doing something wrong? I''m running Debian on both the server and the clients and using the latest backport pacakge to install puppet. Thanx! Richard P.S. I made this comment<http://reductivelabs.com/trac/puppet/ticket/1178#comment:7>on a ticket that looked like it might describe the problem I was having. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users-unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---
Richard
2008-Apr-28 14:48 UTC
[Puppet Users] Re: Template variable "hostname" not working with certname= parameter?
OK, I''ve done a little more digging but I''m still not much closer to an answer. It looks like most of the other "facters" work properly, or at least the ones I tested: domain, ipaddress, uniqueid, macaddress, & operatingsystem. The only one that didn''t work fully is fqdn and it got the hostname wrong and listed it as "xx". I tried to do a little debugging and as far as I can see the hostname gets saved in the facts structure just fine. I''m not a Ruby developer so I had to rely on inserting "Puppet.debug" statements everywhere. The problem with this method is that I can''t follow the code and find out when/where it''s actually replacing the proper hostname with the hostname from the SSL certificate. Does anyone have any pointers on either where the template replacement takes place? Even better would be a couple of pointers on debugging Puppet on Debian. I tried to install "ruby-debug" from gems (and it seems to work) but it can''t find the debugger libraries and rdebug is nowhere to be found. I''m kinda lost... :/ Thanx! Richard On Apr 27, 6:27 am, "Richard Hurt" <rnh...@gmail.com> wrote:> I recently upgraded my Puppetmaster to 0.24.4 and it looks like my templates > are not working properly. All of my clients use the same certificate, built > by my original client "xx". I do this using the certname=blah parameter in > the puppet.conf on each client. Up until I upgraded each client would use > the "xx" certificate (which I had renamed to "blah") and everything worked > great. Now however, they are all connecting as "xx" and reconfiguring the > systems (i.e. DHCP3.conf) as if thier hostname was "xx". I ran facter on > each client and it is reporting the name properly, however when puppetmaster > reads it it is using the certname (or something) instead of the real > hostname provided by facter. > > Is anyone else having this issue? Am I doing something wrong? I''m running > Debian on both the server and the clients and using the latest backport > pacakge to install puppet. > > Thanx! > Richard > > P.S. I made this > comment<http://reductivelabs.com/trac/puppet/ticket/1178#comment:7>on > a ticket that looked like it might describe the problem I was having.--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users-unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---
Luke Kanies
2008-Apr-28 15:05 UTC
[Puppet Users] Re: Template variable "hostname" not working with certname= parameter?
On Apr 28, 2008, at 9:48 AM, Richard wrote:> OK, I''ve done a little more digging but I''m still not much closer to > an answer. It looks like most of the other "facters" work properly, > or at least the ones I tested: domain, ipaddress, uniqueid, > macaddress, & operatingsystem. The only one that didn''t work fully is > fqdn and it got the hostname wrong and listed it as "xx".Sorry; your email has been in my todo folder for a bit now. I consider this an unsupported certificate setup. It''s easy to make sure each host has a unique certificate, so there''s no real reason to use the same certificate everywhere. Do you have a clear technical reason to use the same certificate everywhere? There''s a bug in 0.24.4 that causes some hostname confusion if you have ''node_name'' set to ''facter'', rather than the default of ''cert''; I should be fixing that soon, but I can almost guarantee you that it will just codify the problems you''re having, rather than fixing them.> > I tried to do a little debugging and as far as I can see the hostname > gets saved in the facts structure just fine. I''m not a Ruby developer > so I had to rely on inserting "Puppet.debug" statements everywhere. > The problem with this method is that I can''t follow the code and find > out when/where it''s actually replacing the proper hostname with the > hostname from the SSL certificate. Does anyone have any pointers on > either where the template replacement takes place? Even better would > be a couple of pointers on debugging Puppet on Debian. I tried to > install "ruby-debug" from gems (and it seems to work) but it can''t > find the debugger libraries and rdebug is nowhere to be found. I''m > kinda lost... :/ >Things are a bit messy right now, because we''re mid-transition (from an admittedly also-messy place). You can see the hostname changes happen in network/handler/master.rb and node.rb, mostly. -- Nothing is impossible for the man who doesn''t have to do it himself. -- A. H. Weiler --------------------------------------------------------------------- Luke Kanies | http://reductivelabs.com | http://madstop.com --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users-unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---
Richard
2008-Apr-28 16:12 UTC
[Puppet Users] Re: Template variable "hostname" not working with certname= parameter?
On Apr 28, 11:05 am, Luke Kanies <l...@madstop.com> wrote:> Sorry; your email has been in my todo folder for a bit now.No problem.> I consider this an unsupported certificate setup. It''s easy to make > sure each host has a unique certificate, so there''s no real reason to > use the same certificate everywhere. Do you have a clear technical > reason to use the same certificate everywhere?The only real reason I decoupled the certname is that the hostname of any particular client will probably change and the domain will definitely change. Does this cause a problem for Puppet? Also, I don''t really need separate certificates as all machines will be configured similarly and I am just trying to cut down on the number of certificates I have to deal with.> There''s a bug in 0.24.4 that causes some hostname confusion if you > have ''node_name'' set to ''facter'', rather than the default of ''cert''; I > should be fixing that soon, but I can almost guarantee you that it > will just codify the problems you''re having, rather than fixing them.Agreed.> Things are a bit messy right now, because we''re mid-transition (from > an admittedly also-messy place). You can see the hostname changes > happen in network/handler/master.rb and node.rb, mostly.I hopefully wont need to dig in very far as I think your feedback above is probably valid. I''ve been bending the rules a bit and it''s come back to bite me - and I''m OK with that. :) Thanx! Richard --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users-unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---
Luke Kanies
2008-Apr-28 16:17 UTC
[Puppet Users] Re: Template variable "hostname" not working with certname= parameter?
On Apr 28, 2008, at 11:12 AM, Richard wrote:> The only real reason I decoupled the certname is that the hostname of > any particular client will probably change and the domain will > definitely change. Does this cause a problem for Puppet? Also, I > don''t really need separate certificates as all machines will be > configured similarly and I am just trying to cut down on the number of > certificates I have to deal with.In this situation, others usually use some kind of UUID for each host, such as maybe the MAC address. It doesn''t matter what you use, it just needs to be unique. I think there''s a page up on the wiki about this, but I don''t remember the name. Just set the ''certname'' parameter for each host to be the name you want. If you then want to use the Facter hostname to look up your hosts, then set ''node_name'' to facter, but note there is that open bug about this (the ''inconsistent node names'' bug). -- I do not feel obliged to believe that the same God who has endowed us with sense, reason, and intellect has intended us to forgo their use. -- Galileo Galilei --------------------------------------------------------------------- Luke Kanies | http://reductivelabs.com | http://madstop.com --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users-unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---
Seemingly Similar Threads
- Disabling 'node_name = facter' setting
- How to know the generated certname used by a puppet client, for reuse within erb (because of cloud provisioner) ?
- certname doesn't seem to work on the agent
- How can I set certname in managed puppet.conf?
- multiple puppetmasters (w/ Passenger) behind load balancer