I recently lost the only puppetmaster for a datacenter. I ended up having to build a new one and then hit all clients to remove /var/lib/puppet/ssl and point them to the new one I built. That was not fun.

I can start backing up the CA infrastructure on the puppetmaster I suppose but I am wondering how folks out there are protecting against puppetmaster node failure. Can I have 2 physical nodes and use an F5 or another loadbalancer to send requests to both? If yes, anyone know of a HowTo doc to do that?

Thanks for your time.

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Fri, Sep 10, 2010 at 9:09 AM, Sukh Khehra <skhehra@proofpoint.com> wrote:
> I recently lost the only puppetmaster for a datacenter. I ended up having to
> build a new one and then hit all clients to remove /var/lib/puppet/ssl and
> point them to the new one I built. That was not fun.
>
> I can start backing up the CA infrastructure on the puppetmaster I suppose
> but I am wondering how folks out there are protecting against puppetmaster
> node failure. Can I have 2 physical nodes and use an F5 or another
> loadbalancer to send requests to both? If yes, anyone know of a HowTo doc to
> do that?

If you're on 0.25.x or higher, you can absolutely load balance, as the masters are no longer significantly stateful. It's just like any web server. There's nothing special you have to do as far as Puppet is concerned apart from working out how to write your health monitors. We run curl locally on the masters and export the health such that the load balancers can inspect it.

If you're on 0.24.x, you can't do this if you're using environments without somehow sharing the state directory amongst masters.

> Thanks for your time.

-- 
nigel
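The "run curl locally on the masters and export the health for the load balancer" approach from the reply above, written out as an added example; this is not code from the thread or from Puppet. The probe URL, the status file path, the cron-driven entry point and the three verdicts (UP, DEGRADED, DOWN) are my assumptions. The point a practitioner usually misses is the failure mode: curl reports 000 when it cannot connect at all, and a hung master must not hang the probe, so the script treats 000 and 5xx as DOWN and bounds the request with a timeout.

```shell
#!/bin/sh
# Added example (not from the thread): local health probe for a load-balanced
# puppetmaster. Run from cron on each master; the load balancer polls STATUS_FILE
# (served by a local web server) instead of hitting the master directly.
# Assumptions (hypothetical): master on 8140, probe path as below, status file path.

MASTER_URL="${MASTER_URL:-https://127.0.0.1:8140/production/certificate/ca}"
STATUS_FILE="${STATUS_FILE:-/var/www/health/puppetmaster}"

# Map an HTTP status code (or curl's 000 for "no connection") to a verdict.
# Return codes: 0 = UP, 1 = DOWN, 2 = DEGRADED (the master answered, but not with
# 200, e.g. auth.conf denies the probe path: alert on it, but the process is alive).
classify_status() {
  case "$1" in
    200)     echo UP;       return 0 ;;
    000|5??) echo DOWN;     return 1 ;;
    *)       echo DEGRADED; return 2 ;;
  esac
}

# Probe the master over TLS. -k is acceptable here because the probe runs on the
# master itself and measures liveness, not identity; --max-time bounds a hung master.
# If curl is missing or cannot connect, treat it as no connection (000).
probe_master() {
  code=$(curl -k -s -o /dev/null -w '%{http_code}' --max-time 5 "$1" 2>/dev/null) || code=000
  classify_status "$code"
}

# Write the verdict atomically (write-then-rename) so the load balancer never
# reads a half-written status file.
export_health() {
  verdict="$1"; file="$2"
  printf '%s\n' "$verdict" > "$file.tmp" && mv "$file.tmp" "$file"
}

main() {
  verdict=$(probe_master "$MASTER_URL") || true
  export_health "$verdict" "$STATUS_FILE"
}

# Only run the probe when invoked as "healthcheck.sh run", so the functions can
# also be sourced and exercised separately.
case "${1:-}" in
  run) main ;;
esac
```

On the load balancer side, the monitor then only needs to fetch the status file over plain HTTP and check for the literal string UP, which keeps TLS and Puppet's auth.conf out of the monitor definition entirely.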
Also you might be interested in putting a vote on this ticket ;) (DNS SRV support for puppet)
http://projects.reductivelabs.com/issues/3669

Silviu

On 10.09.2010 19:09, Sukh Khehra wrote:
> I recently lost the only puppetmaster for a datacenter. I ended up
> having to build a new one and then hit all clients to remove
> /var/lib/puppet/ssl and point them to the new one I built. That was
> not fun.
>
> I can start backing up the CA infrastructure on the puppetmaster I
> suppose but I am wondering how folks out there are protecting against
> puppetmaster node failure. Can I have 2 physical nodes and use an F5
> or another loadbalancer to send requests to both? If yes, anyone know
> of a HowTo doc to do that?
>
> Thanks for your time.
Hi Sukh,

This has always been possible and it was on my list of things to do. My idea was to make systems use the server in their data center and fail over to another data center if it was not responding.

You need to setup a global CA infrastructure. This would be one root with all the puppet servers being trusted. Then any puppet server can sign certs and accept certs signed by the other servers. Once that is done the rest of the work is easy. Some people have written instructions on setting it up before. You will need to search for them.

You will need to create new certs for every system to get this implemented right. So, it is not a small amount of work. But the sooner it is done the better, since your system count keeps growing.

Hope you are doing well,

Steven

________________________________

From: puppet-users@googlegroups.com [mailto:puppet-users@googlegroups.com] On Behalf Of Sukh Khehra
Sent: Friday, September 10, 2010 9:10 AM
To: puppet-users@googlegroups.com
Subject: [Puppet Users] puppetmaster HA

I recently lost the only puppetmaster for a datacenter. I ended up having to build a new one and then hit all clients to remove /var/lib/puppet/ssl and point them to the new one I built. That was not fun.

I can start backing up the CA infrastructure on the puppetmaster I suppose but I am wondering how folks out there are protecting against puppetmaster node failure. Can I have 2 physical nodes and use an F5 or another loadbalancer to send requests to both? If yes, anyone know of a HowTo doc to do that?

Thanks for your time.
On Fri, Sep 10, 2010 at 10:40 AM, Steven <snemetz@hotmail.com> wrote:
> Hi Sukh,
>
> This has always been possible and it was on my list of things to do. My idea
> was to make systems use the server in their data center and fail over to
> another data center if it was not responding.
>
> You need to setup a global CA infrastructure. This would be one root with
> all the puppet servers being trusted. Then any puppet server can sign certs
> and accept certs signed by the other servers. Once that is done the rest of
> the work is easy. Some people have written instructions on setting it up
> before. You will need to search for them.

Or set up a single CA server and use the 'ca_server' directive on your
clients, removing all CA functionality from your "normal"
puppetmasters with --no-ca.

> You will need to create new certs for every system to get this implemented
> right. So, it is not a small amount of work. But the sooner it is done the
> better, since your system count keeps growing.
>
> Hope you are doing well,
>
> Steven
>
> ________________________________
>
> From: puppet-users@googlegroups.com [mailto:puppet-users@googlegroups.com]
> On Behalf Of Sukh Khehra
> Sent: Friday, September 10, 2010 9:10 AM
> To: puppet-users@googlegroups.com
> Subject: [Puppet Users] puppetmaster HA
>
> I recently lost the only puppetmaster for a datacenter. I ended up having to
> build a new one and then hit all clients to remove /var/lib/puppet/ssl and
> point them to the new one I built. That was not fun.
>
> I can start backing up the CA infrastructure on the puppetmaster I suppose
> but I am wondering how folks out there are protecting against puppetmaster
> node failure. Can I have 2 physical nodes and use an F5 or another
> loadbalancer to send requests to both? If yes, anyone know of a HowTo doc to
> do that?
>
> Thanks for your time.

-- 
nigel
On Fri, Sep 10, 2010 at 2:09 PM, Nigel Kersten <nigelk@google.com> wrote:
> Or set up a single CA server and use the 'ca_server' directive on your
> clients, removing all CA functionality from your "normal"
> puppetmasters with --no-ca.

Sweeet!

-Jack
On Fri, Sep 10, 2010 at 03:09:50PM -0700, Nigel Kersten wrote:
> On Fri, Sep 10, 2010 at 10:40 AM, Steven <snemetz@hotmail.com> wrote:
> > You need to setup a global CA infrastructure. This would be one root with
> > all the puppet servers being trusted. Then any puppet server can sign certs
> > and accept certs signed by the other servers. Once that is done the rest of
> > the work is easy. Some people have written instructions on setting it up
> > before. You will need to search for them.
>
> Or set up a single CA server and use the 'ca_server' directive on your
> clients, removing all CA functionality from your "normal"
> puppetmasters with --no-ca.

In that type of set up, if you lose your CA does that only prevent signing new clients or is the CA used in the normal course of a puppet run as well?

Cheers,
John

-- 
John
Blog http://www.inodes.org
LCA2011 http://www.lca2011.org.au
On Fri, Sep 10, 2010 at 4:44 PM, John Ferlito <johnf@inodes.org> wrote:
> On Fri, Sep 10, 2010 at 03:09:50PM -0700, Nigel Kersten wrote:
>> On Fri, Sep 10, 2010 at 10:40 AM, Steven <snemetz@hotmail.com> wrote:
>> > You need to setup a global CA infrastructure. This would be one root with
>> > all the puppet servers being trusted. Then any puppet server can sign certs
>> > and accept certs signed by the other servers. Once that is done the rest of
>> > the work is easy. Some people have written instructions on setting it up
>> > before. You will need to search for them.
>>
>> Or set up a single CA server and use the 'ca_server' directive on your
>> clients, removing all CA functionality from your "normal"
>> puppetmasters with --no-ca.
>
> In that type of set up, if you lose your CA does that only prevent
> signing new clients or is the CA used in the normal course of a puppet
> run as well?

It only prevents signing of new clients. Existing clients continue to function fine.

Our methodology here is to regularly rsync the relevant data from the puppetca to all the other puppetmasters, and we can easily enable CA functionality on any other puppetmaster, and we use a CNAME for the CA. That way if the CA is completely dead, we can quickly turn any other server into the CA by modifying a DNS entry.

> Cheers,
> John

-- 
nigel
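The rsync-plus-CNAME failover described in the reply above, as an added example that is not the thread's or Puppet's own code. It assumes a CA host name (puppetca.example.com, hypothetical), Puppet's default ssldir, and the file set under ssl/ca/ that the copy must carry (ca_crt.pem, ca_key.pem, ca_crl.pem, serial, inventory.txt). The check before promotion is the part worth keeping: a standby whose copy is incomplete or has a stale serial file must not be pointed at by the CA CNAME, because issuing from it would reuse serial numbers and lose the CRL state, and a world-readable copy of ca_key.pem on every master widens the blast radius of the whole scheme.

```shell
#!/bin/sh
# Added example (not from the thread): keep a standby copy of the CA state on each
# master and verify the copy before promoting that master to CA.
# Assumptions (hypothetical): CA reachable over ssh as CA_HOST, default ssldir,
# promotion itself (enable the CA on the standby, repoint the CNAME) done by hand.

SSLDIR="${SSLDIR:-/var/lib/puppet/ssl}"
CA_HOST="${CA_HOST:-puppetca.example.com}"

# Files a copied ca/ directory must carry to act as the CA. The serial file and
# the CRL matter most: a stale serial reuses numbers, a stale CRL un-revokes certs.
REQUIRED_CA_FILES="ca_crt.pem ca_key.pem ca_crl.pem serial inventory.txt"

# Pull the CA directory from the live CA host. --delete removes entries the CA has
# dropped; the trailing slashes copy directory contents rather than nesting ca/ca.
sync_ca_from() {
  rsync -a --delete "$1:$SSLDIR/ca/" "$SSLDIR/ca/"
}

# Permission bits of a file as an octal string (GNU stat, then BSD stat fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if every required file is present and non-empty and the CA private key
# is readable by its owner only; print each problem and return 1 otherwise.
# $1 = path of a ca/ directory.
ca_dir_complete() {
  dir="$1"; ok=0
  for f in $REQUIRED_CA_FILES; do
    if [ ! -s "$dir/$f" ]; then
      echo "missing or empty: $dir/$f"; ok=1
    fi
  done
  if [ -f "$dir/ca_key.pem" ]; then
    mode=$(file_mode "$dir/ca_key.pem")
    case "$mode" in
      *00) ;;                                       # group and other bits clear
      *)   echo "ca_key.pem too permissive: mode $mode"; ok=1 ;;
    esac
  fi
  return $ok
}

# Entry point for the standby masters' cron job: sync, then report whether this
# host could take over. Invoked explicitly so the functions can also be sourced.
main() {
  sync_ca_from "$CA_HOST"
  if ca_dir_complete "$SSLDIR/ca"; then
    echo "standby copy on $(hostname) is complete; safe to promote"
  else
    echo "standby copy on $(hostname) is NOT usable; do not repoint the CA CNAME" >&2
    return 1
  fi
}

case "${1:-}" in
  run) main ;;
esac
```

Run it from cron on every non-CA master; when the CA host dies, pick a master whose last run reported "safe to promote", enable the CA there, and move the CNAME. Keeping the key copies owner-only on the standbys is what makes distributing the CA key to several hosts tolerable.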