Hi,

We did it in a different approach. We have a puppet master, which is our main server; this server signs the other puppet masters, and they in turn sign their clients.

See Centralised Puppet Infrastructure in http://reductivelabs.com/trac/puppet/wiki/PuppetScalability

Ohad

On Tue, Jul 29, 2008 at 5:19 AM, Vipul Ramani <vipulramani@gmail.com> wrote:
>
> Hi Folks,
>
> Puppet is rocking.. I am trying to achieve a puppet master server with
> HA. Any idea about what options we can use?
>
> I have a couple of questions, if someone can help to get answers. Please
> suggest your ideas!!!
>
> 1) Is it possible to store the client's certificate in LDAP instead of a
> file (on puppetmaster /etc/puppet/ssl/ca...)? As I see the schema, I
> feel it is not supported... But Luke, are you planning to do some
> enhancement on LDAP features?
>
> 2) If I copy all files including certificates from puppetmaster-
> server1 to puppetmaster-server2, then in this case all puppet clients can
> communicate to puppetmaster-server2 (hostnames of puppetmaster-server1
> and puppetmaster-server2 are the same).
> I am thinking of this because I want minimum downtime when my
> puppetmaster server is unavailable for a longer time (crash or some
> other reasons).
>
> Regards
> Vipul Ramani

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
2008/7/28 Ohad Levy <ohadlevy@gmail.com>:
>
> Hi,
>
> We did it in a different approach.
>
> We have a puppet master, which is our main server;
> this server signs the other puppet masters, and they in turn sign
> their clients.
>
> See Centralised Puppet Infrastructure in
> http://reductivelabs.com/trac/puppet/wiki/PuppetScalability
>
> Ohad
>

Similarly, we have a cluster of machines that generate the client certs, which are valid to all of the puppetmasters. I wrote a simple web service (~30 lines of PHP) for generating the client certs so it was easy to make HA. The above link helped out quite a bit, though I think you'll benefit from understanding SSL a bit more than is covered there. This setup has really made a positive difference for our infrastructure.

.r'
> Similarly, we have a cluster of machines that generate the client certs,
> which are valid to all of the puppetmasters.

So how does your infrastructure work? You have multiple CA servers? Do you use a certificate chain?

> I wrote a simple web
> service (~30 lines of PHP) for generating the client certs so it was
> easy to make HA.

Does it mean you download the certificate from a web server? You are not using the built-in puppet methods?
2008/7/28 Ohad Levy <ohadlevy@gmail.com>:
>
>> Similarly, we have a cluster of machines that generate the client certs,
>> which are valid to all of the puppetmasters.
>
> So how does your infrastructure work? You have multiple CA servers?
> Do you use a certificate chain?

Yes, we push all of the CA servers' certs to all of the puppetmasters, as well as the rest of the chain. The puppetmaster certs are created separately from the client certs, and are created from a higher-level cert than the clients are. Part of that has more to do with how we refer to the puppetmasters (needed more / different terms in the Server Alternate Names).

There is a page on the wiki that I loosely followed to achieve these goals:

http://reductivelabs.com/trac/puppet/wiki/MultipleCertificateAuthorities

There is a note on that page regarding it currently not working; I have some plan on updating the page with the exact methods I used to get it all up and running in the not too distant future.

>> I wrote a simple web
>> service (~30 lines of PHP) for generating the client certs so it was
>> easy to make HA.
>
> Does it mean you download the certificate from a web server? You are
> not using the built-in puppet methods?

Yeah, on some level you're going to end up picking between designing a trust system you can live with or choosing to have manual intervention whenever you install a system. I'm not very trusting, but I'm also lazy: I figured it would just be easier in the end if I built something I wasn't worried about that didn't need to be touched when a new system came online. There are a number of parts to it, but in the end, from the client's perspective, when it is installed getting a cert more or less looks like:

curl https://puppetca | tar xC /

Then I go about running puppet and such.

FWIW I am using puppetca --generate for generating the client cert (it seemed wasteful to write another script to do the same thing when Luke has already provided one that works perfectly), then just tar'ing it up and shipping it over https to the client.

To briefly get back on with the subject of this thread, we achieve HA through the use of load balancers. We can get away with doing that because our certs are decoupled from any one puppetmaster.

.r'
RijilV wrote:
> Server Alternate Names). There is a page on the wiki that I loosely
> followed to achieve these goals:
>
> http://reductivelabs.com/trac/puppet/wiki/MultipleCertificateAuthorities
>

Lots of excellent discussion - sounds like a lot of material that would serve people well and should be documented on the wiki. Please update relevant pages with your experiences.

Thanks

James Turnbull

--
Author of:
* Pulling Strings with Puppet (http://www.amazon.com/gp/product/1590599780/)
* Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/)
* Hardening Linux (http://www.amazon.com/gp/product/1590594444/)
Hi,

The environment we use is documented under Centralised Puppet Infrastructure in http://reductivelabs.com/trac/puppet/wiki/PuppetScalability

Does anyone miss anything? I would be happy to extend it.

Ohad

On Tue, Jul 29, 2008 at 2:09 PM, James Turnbull <james@lovedthanlost.net> wrote:
>
> RijilV wrote:
>> Server Alternate Names). There is a page on the wiki that I loosely
>> followed to achieve these goals:
>>
>> http://reductivelabs.com/trac/puppet/wiki/MultipleCertificateAuthorities
>>
>
> Lots of excellent discussion - sounds like a lot of material that would
> serve people well and should be documented on the wiki. Please update
> relevant pages with your experiences.
>
> Thanks
>
> James Turnbull