Puppet users - Jun 2008 - Reconstructing a dead puppetmaster

Has anyone written up the steps required to rebuild a puppetmaster
when one has died, or more commonly when one wants to move it from one
hosting provider to another? (Assume it''s a VPS so that I
can''t
physically move the server.)

My one requirement is that I not have to log into each client, clean
out the cert stuff, and then re-sign everyone''s certificate. I think
the steps are something like this:

1. Set up the new server, install puppetmaster, unzip your /etc/puppet
backup and whatever templates/fileserver files you have. (I''m not
using storedconfig so this step is fairly stateless and simple for
me.)

2. ??? that causes clients to agree that the new puppetmaster is
genuine.

3. Update your puppetmaster''s DNS entry to the new puppetmaster IP
address.

4. Wait one TTL, then when requests to the old puppetmaster have died
off, take it out back behind the barn and shoot it.

I would guess that #2 could be something like "unzip /var/lib/puppet/
ssl from the old puppetmaster to the new one," but I''d like
something
more trustworthy than my own educated guess.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Hi,

The way I see it is that if you take care for the certificates, than all the
other steps are real easy.
if you check the centralized puppet infrastructure page at
http://reductivelabs.com/trac/puppet/wiki/PuppetScalability, you could
design a puppet master who signs other puppetmasters certificate.
and than you could tell the clients to trust any puppet master which was
signed by the root puppet master, making its unnecessary to sign all clients
again.

in our environment we build puppet masters by another puppetmaster....  and
then the only thing we need to change is the dns entry.

Cheers,
Ohad

On Wed, Jun 4, 2008 at 5:11 AM, Mike <mike.tsao@gmail.com> wrote:
>
> Has anyone written up the steps required to rebuild a puppetmaster
> when one has died, or more commonly when one wants to move it from one
> hosting provider to another? (Assume it''s a VPS so that I
can''t
> physically move the server.)
>
> My one requirement is that I not have to log into each client, clean
> out the cert stuff, and then re-sign everyone''s certificate. I
think
> the steps are something like this:
>
> 1. Set up the new server, install puppetmaster, unzip your /etc/puppet
> backup and whatever templates/fileserver files you have. (I''m not
> using storedconfig so this step is fairly stateless and simple for
> me.)
>
> 2. ??? that causes clients to agree that the new puppetmaster is
> genuine.
>
> 3. Update your puppetmaster''s DNS entry to the new puppetmaster IP
> address.
>
> 4. Wait one TTL, then when requests to the old puppetmaster have died
> off, take it out back behind the barn and shoot it.
>
> I would guess that #2 could be something like "unzip /var/lib/puppet/
> ssl from the old puppetmaster to the new one," but I''d like
something
> more trustworthy than my own educated guess.
> >
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---