Hi.

I asked this question in past on this list, and now working to set it running.

My idea is to have 2 Puppet servers, who are also the DNS servers. Each one would have itself as the puppet hostname. Both of the servers will pull the manifests from external git repo.

The idea goes that each Puppet client will have the 2 Puppet servers as its DNS servers, and in case one of them goes down, will ask the other for IP and start working through it.

Two things that I would like to know for this:

1) How to set 0 DNS caching in puppet client?
2) What people here think of this approach? Any suggestions?

Thanks.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

On Apr 13, 2010, at 3:26 PM, SyRenity wrote:

> Hi.
>
> I asked this question in past on this list, and now working to set it
> running.
>
> My idea is to have 2 Puppet servers, who are also the DNS servers.
> Each one would have itself as the puppet hostname.
> Both of the servers will pull the manifests from external git repo.

I've heard of people using one DNS server and then telling the DNS server to do whatever magic is needed to make both puppet servers as part of a pool. That will also give you a performance boost.

How to deal with ssl certs, I have a similar situation where I have two puppetmasters per site and I would like to see them both handle serving puppet data at anytime from a VIP (primary/failover) type of operation.

Sent from my iPhone

On Apr 13, 2010, at 7:26 PM, Patrick <kc7zzv@gmail.com> wrote:

> I've heard of people using one DNS server and then telling the DNS
> server to do whatever magic is needed to make both puppet servers as
> part of a pool. That will also give you a performance boost.

Hi,

I suggest you search for a post lohit asked a few days ago.

Ohad

On Wed, Apr 14, 2010 at 7:39 AM, Christopher Johnston <chjohnst@gmail.com> wrote:

> How to deal with ssl certs, I have a similar situation where I have two
> puppetmasters per site and I would like to see them both handle serving
> puppet data at anytime from a VIP (primary/failover) type of operation.

On Wed, Apr 14, 2010 at 7:26 AM, Patrick <kc7zzv@gmail.com> wrote:

> I've heard of people using one DNS server and then telling the DNS server
> to do whatever magic is needed to make both puppet servers as part of a
> pool. That will also give you a performance boost.

I'm guessing you mean round robin dns entries (as I don't think puppet supports SRV records).

At least one thing to note (probably not the only one) is that this will only work with 025.x masters/clients if you use multiple environments (you need restful requests which include the environment in the url path).

Ohad

On 4/13/10 3:26 PM, SyRenity wrote:

> Hi.
>
> I asked this question in past on this list, and now working to set it
> running.
>
> My idea is to have 2 Puppet servers, who are also the DNS servers.
> Each one would have itself as the puppet hostname.
> Both of the servers will pull the manifests from external git repo.

Just set up HAproxy and load balance them. Done.

On Tue, Apr 13, 2010 at 7:57 PM, Scott Smith <scott@ohlol.net> wrote:

> Just set up HAproxy and load balance them. Done.

+1

--
Tony

On Tue, Apr 13, 2010 at 07:57:25PM -0700, Scott Smith wrote:

> Just set up HAproxy and load balance them. Done.

And then don't forget to make your HAproxy config HA, of course. Or whatever it is you choose to use for load balancing (e.g. LVS).

If you want to make your DNS/puppet cluster completely self-contained, you could use Heartbeat to make them an HA pair, assign a "float" address for your official puppetmaster service and have Heartbeat manage that (and any services which need to be associated with it).

--
Bruce

It is impolite to tell a man who is carrying you on his shoulders that his head smells.

On Tue, Apr 13, 2010 at 7:39 PM, Christopher Johnston <chjohnst@gmail.com> wrote:

> How to deal with ssl certs, I have a similar situation where I have two
> puppetmasters per site and I would like to see them both handle serving
> puppet data at anytime from a VIP (primary/failover) type of operation.

How about shared storage for the SSL dir?

--Michael

On 4/14/2010 3:42 PM, Michael DeHaan wrote:

> How about shared storage for the SSL dir?

Would that be race-free with regards to updating the serial number and stuff?

Best Regards, David
--
dasz.at OG    Tel: +43 (0)664 2602670    Web: http://dasz.at
Klosterneuburg    UID: ATU64260999
FB-Nr.: FN 309285 g    FB-Gericht: LG Korneuburg

The environments that I am dealing with are very stripped down and self contained (no NFS or shared storage to attach to). I have considered using rsnapshot to keep the certificates in sync. I am going to look for the email that Ohad mentions from lohit on how to deal with certificates.

-Chris

On Wed, Apr 14, 2010 at 9:42 AM, Michael DeHaan <michael@puppetlabs.com> wrote:

> How about shared storage for the SSL dir?
>
> --Michael

It would do for active/passive though. How about setting up an alias for ca that moved when the ca wasn't accessible (using --certname), and load balance the puppet serving parts since there's no race issues there.

--Michael

On Wed, Apr 14, 2010 at 10:06 AM, David Schmitt <david@dasz.at> wrote:

> On 4/14/2010 3:42 PM, Michael DeHaan wrote:
>>
>> How about shared storage for the SSL dir?
>
> Would that be race-free with regards to updating the serial number and
> stuff?

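
The serial-number race asked about above, and the single-writer answer to it, as an added example that is not part of the thread and is not Puppet's CA code. It models two masters doing read-increment-write on one shared serial file; the file format, the function names and the use of flock() are assumptions, and whether a lock is honoured on real shared storage depends on the filesystem.

```python
import fcntl
import os
import tempfile
import threading
from collections import Counter


def issue_unlocked(path, barrier, issued):
    # Read-increment-write with no lock, as two masters sharing one
    # serial file might do. The barriers pin the worst-case interleaving:
    # both masters read before either one writes.
    with open(path) as fh:
        serial = int(fh.read())
    barrier.wait()
    with open(path, "w") as fh:
        fh.write(str(serial + 1))
    issued.append(serial)
    barrier.wait()  # the next round starts only after both writes landed


def issue_locked(path, issued):
    # Same step, with an exclusive lock held across the whole
    # read-modify-write, so the second master waits for the first.
    with open(path, "r+") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)
        serial = int(fh.read())
        fh.seek(0)
        fh.truncate()
        fh.write(str(serial + 1))
        fh.flush()
        issued.append(serial)
    # closing the file releases the lock


def simulate(locked, per_master=3):
    """Run two constructed 'masters' against one serial file.

    Returns (sorted serials handed out, next serial left in the file).
    """
    fd, path = tempfile.mkstemp(prefix="ca-serial-")
    os.write(fd, b"1")  # constructed starting serial
    os.close(fd)
    issued = []
    barrier = threading.Barrier(2)

    def master():
        for _ in range(per_master):
            if locked:
                issue_locked(path, issued)
            else:
                issue_unlocked(path, barrier, issued)

    try:
        workers = [threading.Thread(target=master) for _ in range(2)]
        for worker in workers:
            worker.start()
        for worker in workers:
            worker.join()
        with open(path) as fh:
            return sorted(issued), int(fh.read())
    finally:
        os.unlink(path)


def duplicate_serials(issued):
    # Serials that ended up on more than one certificate.
    return sorted(s for s, n in Counter(issued).items() if n > 1)


if __name__ == "__main__":
    for locked in (False, True):
        issued, next_serial = simulate(locked)
        print("locked=%s issued=%s next=%d duplicates=%s"
              % (locked, issued, next_serial, duplicate_serials(issued)))
```
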
HAProxy requires one additional server in midst, while I prefer to not have such dependency.

On Apr 14, 5:57 am, Scott Smith <sc...@ohlol.net> wrote:

> Just set up HAproxy and load balance them. Done.

I have two servers in every site that are dedicated for infrastructure servers, but they run in active/passive state with a VIP IP that floats between the two of them. That IP is used for DNS, Cobbler, Puppet, ftp, http, etc etc.

What I would like is to have SSL certs work between the two nodes but obviously only use the floating VIP. I am not 100% sure on how to accomplish this, as well as doing it in an automated fashion. I read the puppet scalability setup on the wiki, assuming that's a chained certificate setup?

On Wed, Apr 14, 2010 at 10:34 AM, Michael DeHaan <michael@puppetlabs.com> wrote:

> It would do for active/passive though. How about setting up an
> alias for ca that moved when the ca wasn't accessible (using
> --certname), and load balance the puppet serving parts since there's
> no race issues there.
>
> --Michael

Hi.

I actually considered this, but DRBD seems heavy for read-only information, which puppet manifests are.

Maybe just using heartbeat both for DNS and Puppet, but as I'm defining both DNS servers on Puppet clients anyhow, it seems redundant.

Are there considerations against this approach?

Regards.

On Apr 14, 5:38 pm, Trevor Hemsley <trevor.hems...@codefarm.com> wrote:

> Sounds like an ideal candidate for using DRBD and heartbeat to run
> active/standby puppet masters.

Hi,

You can generate the puppetmaster certificate using the certname and/or certdnsnames options and assign that name to the VIP in a heartbeat cluster. Once the certificate is generated on one server, copy it to the other.

Cheers,
Atha

On Apr 14, 2010, at 17:01, SyRenity wrote:

> Hi.
>
> I actually considered this, but DRBD seems heavy for read-only
> information, which puppet manifests are.
>
> Maybe just using heartbeat both for DNS and Puppet, but as I'm
> defining both DNS servers on Puppet clients anyhow, it seems
> redundant.
>
> Are there considerations against this approach?
>
> Regards.