Rupert
2009-Sep-04 13:16 UTC
[Puppet Users] the same puppetmaster in different subnets/vlan
Hello,

I have a couple of VLANs where each has its own subnet; now I would like to use one puppetserver for all these machines. The puppetserver has a DNS entry for each subnet and its own IP address:

VLAN 1: puppet-vm1.domain1 172.1.0.1/255.255.255.0
VLAN 2: puppet-vm1.domain2 172.1.1.1/255.255.255.0
.....

The hostname of the puppetserver is puppet-vm1.domain0; puppet created a certificate for this hostname. I would like to keep the client configuration simple and just use "puppet-vm1" in the puppet config file on all clients. Also the clients should never see any other client in a different subnet.

Is the way to get this setup running to create a cert for each of the VLAN names?

thnx
.l

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Larry Ludwig
2009-Sep-04 13:44 UTC
[Puppet Users] Re: the same puppetmaster in different subnets/vlan
Hi,

The only way to do this is separate puppetmasters.

SSL CA -> puppetmaster is a one to one relationship.

Just curious why do you want separate certs?

-L

--
Larry Ludwig
Reductive Labs
Rupert
2009-Sep-04 13:52 UTC
[Puppet Users] Re: the same puppetmaster in different subnets/vlan
Hello,

I thought that would be a way to get puppet accepting connections from the different clients. I also had the idea that maybe just using puppet-vm1 as a hostname without domain would do the trick because in each subnet I can ping puppet-vm1 and it pings the right IP for that subnet.

So you say I need different puppetmasters for each VLAN?

I have an old setup where I did put puppet-vm1.domain0 "ipinthissubnet" into the /etc/hosts file, but I would like to prevent this; it makes life more complicated.

cheers
.l

On 4 Sep., 15:44, Larry Ludwig <la...@reductivelabs.com> wrote:
> Hi,
>
> The only way to do this is separate puppetmasters.
>
> SSL CA -> puppetmaster is a one to one relationship.
>
> Just curious why do you want separate certs?
>
> -L
>
> --
> Larry Ludwig
> Reductive Labs
Rupert
2009-Sep-04 13:59 UTC
[Puppet Users] Re: the same puppetmaster in different subnets/vlan
Hello,

my first reply got lost :(.

I thought using different certs would bring puppet to accept connections from the client. I have an old setup where I did put the name puppet-vm1.domain0 with the right subnet IP into the /etc/hosts on each client, so the client could reach the puppetmaster and the hostname matched the cert. By using a DNS entry and just putting puppet-vm1 into the client config I thought I could prevent using the hosts entry and make life easier.

You mean I need to have a puppetmaster for each subnet?

cheers

On 4 Sep., 15:44, Larry Ludwig <la...@reductivelabs.com> wrote:
> Hi,
>
> The only way to do this is separate puppetmasters.
>
> SSL CA -> puppetmaster is a one to one relationship.
>
> Just curious why do you want separate certs?
>
> -L
>
> --
> Larry Ludwig
> Reductive Labs
Nigel Kersten
2009-Sep-04 14:30 UTC
[Puppet Users] Re: the same puppetmaster in different subnets/vlan
You could also generate your puppetmaster certs for a hostname that is a DNS view, and set up DNS accordingly so the view resolves to the correct puppet server for each subnet.

On Fri, Sep 4, 2009 at 6:44 AM, Larry Ludwig<larry@reductivelabs.com> wrote:
>
> Hi,
>
> The only way to do this is separate puppetmasters.
>
> SSL CA -> puppetmaster is a one to one relationship.
>
> Just curious why do you want separate certs?
>
> -L
>
> --
> Larry Ludwig
> Reductive Labs

--
Nigel Kersten
nigelk@google.com
System Administrator
Google Inc.
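
The name-matching constraint behind this thread, as an added example that is not part of any poster's message: it models an agent in each VLAN and checks whether the master resolves to an address in the agent's own subnet and whether the configured server name is the one in the certificate. The VLAN labels, lookup tables and function names are constructed for illustration, and it assumes the agent verifies the certificate against the server name it was configured with.

```python
import ipaddress

# Constructed model of the thread's setup. The VLAN labels and the DNS tables
# are assumptions for illustration; names and addresses are from the first post.
VLANS = {
    "vlan1": ipaddress.ip_network("172.1.0.0/24"),
    "vlan2": ipaddress.ip_network("172.1.1.0/24"),
}
CERT_NAMES = ["puppet-vm1.domain0"]  # the name the master's certificate was issued for

def name_matches(configured, cert_names):
    """True if the server name the agent is configured with is in the certificate.
    Comparison is case-insensitive; a leftmost-label wildcard is honoured."""
    host = configured.lower().rstrip(".")
    for pattern in (n.lower().rstrip(".") for n in cert_names):
        if pattern == host:
            return True
        if pattern.startswith("*.") and host.partition(".")[2] == pattern[2:]:
            return True
    return False

def check_agent(vlan, configured, dns, cert_names=CERT_NAMES):
    """Return (reaches_master_in_own_subnet, certificate_name_ok) for one agent."""
    ip = dns.get((vlan, configured))
    in_subnet = ip is not None and ipaddress.ip_address(ip) in VLANS[vlan]
    return in_subnet, name_matches(configured, cert_names)

# Per-VLAN names from the first post: each resolves locally, none is in the cert.
PER_VLAN_NAMES = {
    ("vlan1", "puppet-vm1.domain1"): "172.1.0.1",
    ("vlan2", "puppet-vm1.domain2"): "172.1.1.1",
}
# Unqualified name: resolves in each VLAN, but "puppet-vm1" is not the cert name.
SHORT_NAME = {("vlan1", "puppet-vm1"): "172.1.0.1", ("vlan2", "puppet-vm1"): "172.1.1.1"}
# DNS views: the certificate's own name answers with the VLAN-local address.
DNS_VIEWS = {
    ("vlan1", "puppet-vm1.domain0"): "172.1.0.1",
    ("vlan2", "puppet-vm1.domain0"): "172.1.1.1",
}

def report():
    """Evaluate every (vlan, configured name) pair in the three tables above."""
    results = {}
    for label, table in (("per-vlan", PER_VLAN_NAMES), ("short", SHORT_NAME), ("views", DNS_VIEWS)):
        for vlan, name in table:
            results[(label, vlan)] = check_agent(vlan, name, table)
    return results

if __name__ == "__main__":
    for key, value in sorted(report().items()):
        print(key, value)
```

Only the table where the certificate's own name resolves to the VLAN-local address yields a reachable master and a matching name in both VLANs, which is what the /etc/hosts workaround and the DNS-view suggestion have in common.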