Puppet docs require a PUPPET server name -- which I presumed a CNAME would suffice. However, I'm finding that's not the case - as the SSL cert generated is for the actual system name puppetmasterd runs on (makes sense).

The server that puppetmasterd is running on services other purposes, and I don't want to call it puppet. I'm wondering if this is simply for cosmetic needs say, for new clients.

Thanks.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On 1/18/10 1:11 PM, Forrie wrote:
> Puppet docs require a PUPPET server name -- which I presumed a CNAME
> would suffice. However, I'm finding that's not the case - as the SSL
> cert generated is for the actual system name puppetmasterd runs on
> (makes sense).
>
> The server that puppetmasterd is running on services other purposes,
> and I don't want to call it puppet. I'm wondering if this is simply
> for cosmetic needs say, for new clients.

Use a DNS alias with no PTR or a CNAME. Also look at the certdnsnames parameter.

-scott
Silviu Paragina
2010-Jan-19 10:09 UTC
Re: [Puppet Users] Proper DNS configuration with Puppet
On 18.01.2010 23:33, Scott Smith wrote:
> On 1/18/10 1:11 PM, Forrie wrote:
>> Puppet docs require a PUPPET server name -- which I presumed a CNAME
>> would suffice. However, I'm finding that's not the case - as the SSL
>> cert generated is for the actual system name puppetmasterd runs on
>> (makes sense).
>>
>> The server that puppetmasterd is running on services other purposes,
>> and I don't want to call it puppet. I'm wondering if this is simply
>> for cosmetic needs say, for new clients.
>
> Use a DNS alias with no PTR or a CNAME. Also look at the certdnsnames
> parameter.
>
> -scott

CNAME DNS entries work with puppet. You must realize that they might not be as reliable, but they work.

Make sure the value of the server config parameter on the client is either equal to certname or in certdnsnames on the server. This also goes for the client on the server.

Check http://docs.reductivelabs.com/references/stable/configuration.html for further details ;)

Silviu
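Added example (not part of the thread, and not Puppet's own code): the name check a TLS client applies to the master's certificate, using Ruby's OpenSSL::SSL.verify_certificate_identity. The host names and self-signed certificates are constructed for illustration; the certificate subject stands in for certname and the subjectAltName list for certdnsnames.

```ruby
require 'openssl'

# One throwaway key for all sample certificates (constructed test data).
SAMPLE_KEY = OpenSSL::PKey::RSA.new(2048)

# Build a self-signed certificate. cn stands in for the master's certname,
# alt_names for the DNS names that certdnsnames would put in the cert.
def build_cert(cn, alt_names = [])
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = SAMPLE_KEY.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  unless alt_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    san = alt_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san, false))
  end
  cert.sign(SAMPLE_KEY, OpenSSL::Digest.new('SHA256'))
  cert
end

# True when server_name (the client's "server" setting) is a name the
# certificate was issued for. DNS resolution plays no part in this check,
# so a CNAME that resolves correctly can still be rejected here.
def name_ok?(cert, server_name)
  OpenSSL::SSL.verify_certificate_identity(cert, server_name)
end

REAL  = 'infra01.example.com'   # hypothetical real host name of the master
ALIAS = 'puppet.example.com'    # hypothetical CNAME pointing at REAL

host_only  = build_cert(REAL)                  # cert names only the real host
with_alias = build_cert(REAL, [REAL, ALIAS])   # alias listed in the cert
alias_only = build_cert(REAL, [ALIAS])         # real name missing from the SAN

puts "host-only cert, server=#{ALIAS}: #{name_ok?(host_only, ALIAS)}"
puts "alias in SAN,   server=#{ALIAS}: #{name_ok?(with_alias, ALIAS)}"
# Ruby's check ignores the CN once DNS subjectAltName entries are present,
# so the real host name has to be listed in the SAN as well.
puts "alias-only SAN, server=#{REAL}: #{name_ok?(alias_only, REAL)}"
```
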
Trevor Vaughan
2010-Jan-19 14:02 UTC
Re: [Puppet Users] Proper DNS configuration with Puppet
Your forward DNS name can be anything.

Your reverse DNS name *must* be one of the DNS entries in your cert, the primary hostname by default.

Trevor

On Mon, Jan 18, 2010 at 4:11 PM, Forrie <forrie@gmail.com> wrote:
> Puppet docs require a PUPPET server name -- which I presumed a CNAME
> would suffice. However, I'm finding that's not the case - as the SSL
> cert generated is for the actual system name puppetmasterd runs on
> (makes sense).
>
> The server that puppetmasterd is running on services other purposes,
> and I don't want to call it puppet. I'm wondering if this is simply
> for cosmetic needs say, for new clients.
>
> Thanks.

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaughan@onyxpoint.com

-- This account not approved for unencrypted proprietary information --
On Jan 18, 3:11 pm, Forrie <for...@gmail.com> wrote:
> Puppet docs require a PUPPET server name -- which I presumed a CNAME
> would suffice. However, I'm finding that's not the case - as the SSL
> cert generated is for the actual system name puppetmasterd runs on
> (makes sense).
>
> The server that puppetmasterd is running on services other purposes,
> and I don't want to call it puppet. I'm wondering if this is simply
> for cosmetic needs say, for new clients.

Puppetd is configured to use the server name "puppet" by default, but you can easily point it to any other name. The startup option --server=<alternative.name> does this. If you have installed Puppet via the RPM then you have a file /etc/sysconfig/puppet wherein you can record the appropriate server name; the init script thereafter will automatically add that option when it starts puppetd.

Using the default name can be somewhat advantageous when bringing up new clients from scratch (one less thing to manually configure), but otherwise I don't think it gains you anything.

John
R.I.Pienaar
2010-Jan-19 14:07 UTC
Re: [Puppet Users] Re: Proper DNS configuration with Puppet
hey,

----- "jcbollinger" <John.Bollinger@stJude.org> wrote:
> On Jan 18, 3:11 pm, Forrie <for...@gmail.com> wrote:
> > Puppet docs require a PUPPET server name -- which I presumed a CNAME
> > would suffice. However, I'm finding that's not the case - as the SSL
> > cert generated is for the actual system name puppetmasterd runs on
> > (makes sense).
> >
> > The server that puppetmasterd is running on services other purposes,
> > and I don't want to call it puppet. I'm wondering if this is simply
> > for cosmetic needs say, for new clients.
>
> Puppetd is configured to use the server name "puppet" by default, but
> you can easily point it to any other name. The startup option
> --server=<alternative.name> does this. If you have installed Puppet
> via the RPM then you have a file /etc/sysconfig/puppet wherein you can
> record the appropriate server name; the init script thereafter will
> automatically add that option when it starts puppetd.

I'd avoid editing the sysconfig file for this purpose, it just makes running commands like puppetd --test a pain. Editing the puppet.conf is best.

Changing the hostname also has implications on the server though to keep in mind.

> Using the default name can be somewhat advantageous when bringing up
> new clients from scratch (one less thing to manually configure), but
> otherwise I don't think it gains you anything.

It also takes away, say you manage laptops and you use 'puppet' you can have quite big problems if you move that laptop to another environment that also uses puppet. For servers on a LAN though it helps a lot.

CNAMEs work perfectly.
Todd Zullinger
2010-Jan-19 15:29 UTC
Re: [Puppet Users] Re: Proper DNS configuration with Puppet
R.I.Pienaar wrote:
> I'd avoid editing the sysconfig file for this purpose, it just makes
> running commands like puppetd --test a pain. Editing the
> puppet.conf is best.

That's good advice. As David Lutterkort noted in #2699¹:

    "... the sysconfig files were created before puppet had its own
    config files; nowadays, they are not needed anymore, and we should
    figure out ways to remove them completely (maybe start with
    including a comment at the top "Legacy cruft - set these up in the
    puppet config files instead")"

We didn't go that far because things like

    PUPPETMASTER_PORTS=( 18140 18141 18142 18143 )

aren't something that can be handled in the puppet.conf. But most of the other settings in the sysconfig files are better placed in puppet.conf.

Does adding something like this to the top of the sysconfig files sound good?

    #
    # NOTE: Most of these options are better set in /etc/puppet/puppet.conf
    #

¹ http://projects.reductivelabs.com/issues/2699#note-6

--
Todd
OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp