chakkerz
2009-Jun-11 22:26 UTC
[Puppet Users] Another Redundant Puppet Master Servers Thread
So it looks like at least the Linux side of things is sorted at my site, which means I'm approaching go-live. With CFengine we've had two servers defined in the configuration, but Puppet doesn't seem to do that, and there are other issues with this setup (well, our current setup of CFengine anyway).

My plan was this: my dev host remains that - new modules and such get built on it, and when it's tested and working we check it in to svn. My prod hosts update from svn via cron every X minutes (thinking between 5 and 15) and serve their data.

Which leads to my two questions:

1) How do I keep the certs on both prod hosts? I assume they ID the host uniquely, so just copying them across is not the way forward, though I'm planning to use some sort of IP failover between the two prod hosts, and I'm thinking signing against the shared IP may be sufficient (have not tried).

2) Has anyone used Puppet with IP failover? My Red Hat Cluster Suite nodes are currently intent on upsetting me so I'm inclined not to go that way; rather I'm considering ucarp. Regardless, has anyone tried Puppet + IP failover?

I guess there is a 3: is there a way of just specifying two hosts in the config (and what does that mean to certificates)?

Cheers
chakkerz

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
RijilV
2009-Jun-11 23:25 UTC
[Puppet Users] Re: Another Redundant Puppet Master Servers Thread
2009/6/11 chakkerz <chakkerz@gmail.com>:
> Which leads to my two questions:
> 1) how do i keep the certs on both prod hosts ? I assume they ID the
> host uniquely, so just copying them across is not the way forward,
> though i'm planning to use some sort of IP failover between the two
> prod hosts, and i'm thinking signing against the shared IP may be
> sufficient (have not tried).

So, you don't need the client certs on any puppetmaster. All that is important is that the client trusts the master's cert, and that the master trusts the client's cert. Probably the easiest way of doing that is (1) just putting the same cert on both puppetmasters, or (2) including the contents of both ca.pem on all hosts, and lastly (3) creating a root CA that all parties trust and just signing all the keys accordingly.

And also fwiw, the host is only identified by its FQDN by default - it's the CN in the cert.

> 2) has anyone used puppet with IP failover ? My Red Hat Cluster Suite
> nodes are currently intent on upsetting me so i'm inclined not to go
> that way, rather i'm considering ucarp. Regardless, has anyone tried
> puppet + IP failover?

We did it in active-active with load balancers, which could have easily been active-passive. It's just a simple web service from the perspective of high availability. When the move to REST is complete it'll be even more simple.

> I guess there is a 3: is there a way of just specifying two hosts in
> the config (and what does that mean to certificates)?

No, I assume the thought being high availability would be handled outside of the client. This has come up a few times now though... I think I'd rather see ordered A or SRV RRs.

.r'
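An added illustration of the trust relationships the reply above describes, not code from the thread or from the Puppet project: plain openssl stands in for the puppet CA so that options (2) and (3) can be seen side by side. One root CA signs certificates for two masters and a client holding only that root accepts both; a third master signed by an unrelated CA is refused until that CA's certificate is concatenated into the client's CA file, which is the "contents of both ca.pem" approach. The host names, the temporary working directory and the 30-day lifetimes are constructed placeholders; the CN is shown because, as the reply says, it is the name a host is identified by.

```shell
#!/bin/sh
# Added example, not from the thread: how a client comes to trust more than
# one puppetmaster certificate.  Demonstrated with stock openssl commands.
#   option (3) from the reply: one root CA signs every master's certificate
#   option (2) from the reply: the client's CA file holds several CA certs
# All names below are constructed placeholders.
set -eu

WORK=$(mktemp -d)
MASTER_A="puppet-a.example.test"   # constructed placeholder host name
MASTER_B="puppet-b.example.test"   # constructed placeholder host name

# Self-signed CA certificate with file stem $1.
# The stock openssl.cnf marks a `req -x509` certificate CA:TRUE.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$1 (example)" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a certificate: $1 = file stem, $2 = CN (the host identity), $3 = CA stem.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/$1.csr" \
    -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
    -out "$WORK/$1.pem" 2>/dev/null
}

# What the client does during the TLS handshake: chain the presented
# certificate $2 to something in its CA file $1.
# Exit status 0 = trusted, non-zero = the client would refuse to connect.
client_trusts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Subject CN of a certificate; works with both "CN = x" and "/CN=x" output styles.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# --- option (3): one root CA, both production masters signed by it ---------
make_ca rootca
issue_cert master-a "$MASTER_A" rootca
issue_cert master-b "$MASTER_B" rootca

# --- option (2): a master whose certificate comes from an unrelated CA ------
make_ca otherca
issue_cert master-c "puppet-c.example.test" otherca
# The client's CA file with both CA certificates concatenated into it.
cat "$WORK/rootca.pem" "$WORK/otherca.pem" > "$WORK/bundle.pem"

# Show the outcome for each master against each client trust store.
for m in master-a master-b master-c; do
  if client_trusts "$WORK/rootca.pem" "$WORK/$m.pem"; then r=trusted; else r=REJECTED; fi
  if client_trusts "$WORK/bundle.pem" "$WORK/$m.pem"; then b=trusted; else b=REJECTED; fi
  printf '%-9s CN=%-24s rootca only: %-8s bundle: %s\n' \
    "$m" "$(cert_cn "$WORK/$m.pem")" "$r" "$b"
done
```

The trust store the client carries is the whole story: option (1) from the reply, the same key and certificate on both masters, is just the degenerate case where both hosts present one certificate whose CN is the name clients actually connect to. Whichever option is chosen, the private key of the root CA is the thing to keep off the production masters, since anyone holding it can mint a certificate every client will accept.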
chakkerz
2009-Jun-12 00:12 UTC
[Puppet Users] Re: Another Redundant Puppet Master Servers Thread
Sounds sensible and straightforward. Thanks for that!

chakkerz