Hi Kevin,
Are you stuck on anything specifically? Do you have an existing single
Puppet-Master-and-CA with signed client certs? I've done a migration
from a single master/ca to separate CA with IP load balanced masters
(not RR DNS balanced) following Dan's blog post about creating certs
with Cert DNS Names.
I'd advise taking an rsync backup of /var/lib/puppet/ssl before
starting so you can always go back to a single master and start again
if it goes horribly wrong.
What I did was create two new servers, one for a Puppet CA and one for
a second Puppet Master. I used my existing CA on the old master to
generate new certificates with Cert DNS Names of 'puppet-ca' for my CA
and 'puppet' for the new Master and distributed them to the new
servers accordingly, confirming both new clients can talk Puppet to
the old master.
I've then rsync'd the entire ssl/ca/ dir from old master to new puppet-
ca as well as put all my modules and manifests on new puppet-ca, then
confirmed puppet-ca can use itself as a master. I NFS mount the
modules, manifests and ca directory from puppet-ca onto the new puppet
server, and confirm it also works as a Puppet master. I have
puppet-ca's Apache listen on 8141 for cert signing only, and use ldirectord
(ipvsadm / Linux Virtual Server) to Direct Route port 8140 traffic to
the new Puppet master, making sure it still functions behind a load
balancer. I set ca=false in this Puppet Master's puppet.conf so it
won't act as a CA.
I then make the old Puppet master the same as the new (NFS mounts
replacing writeable directories), add it to the load balancer. At this
point all the existing puppet clients are still pointing to the old
server, but it's ok as no new signing requests are coming in. I then
use Puppet to do a site wide change of all client puppet.confs to say
ca_server=puppet-ca and ca_port=8141, and tell them all that the IP
address of "puppet" is now the cluster IP (/etc/hosts). Aside from the
time that Apache was down on the masters when doing file system stuff,
the migration was seamless.
Hope that helps,
-Luke
On Jan 26, 12:11 pm, linuxbsdfreak <linuxbsdfr...@gmail.com> wrote:
> Hello All,
>
> I require some help for creating multiple puppetmaster with separate
> Puppet CA server. I followed the steps given in the link below for
> creating a separate CA server
>
> http://bodepd.com/wordpress/?p=7
>
> My requirement is to create 2 Puppetmasters running nginx and unicorn
> which will be loadbalanced via RR DNS with a separate single Puppet
> CA server only for issuing and signing certificate requests also
> running under nginx and unicorn. Anyone who has had any success in
> setting up this way, could help me point me to the configuration.
>
> Regards,
> Kevin
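Pulling Luke's procedure above together, here are puppet.conf fragments for the three roles it ends up with (dedicated CA on 8141, signing-disabled masters behind the 8140 cluster IP, agents pointed at both). This is an added example and not config from either post: the `[main]`/`[master]`/`[agent]` section names are those of Puppet 2.6 and later (older releases use `[puppetmasterd]`/`[puppetd]`), the colon-separated `certdnsnames` format and the 192.0.2.x addresses are assumptions, and only `ca`, `ca_server`, `ca_port`, the hostnames `puppet`/`puppet-ca` and the two ports come from the thread.

```ini
# --- puppet.conf on the CA host "puppet-ca" (assumed layout) ---
# Only this host holds and uses the CA private key; its web server
# listens on 8141 and does nothing but handle certificate requests.
[main]
    ssldir = /var/lib/puppet/ssl
    # back this directory up (rsync) before the migration, as Luke advises
[master]
    ca = true
    certname = puppet-ca
    # Cert DNS Names: colon-separated in this era's setting (assumed format)
    certdnsnames = puppet-ca:puppet

# --- puppet.conf on each load-balanced master (assumed layout) ---
# ca = false means this master never signs anything, even though the
# ssl/ca/ directory is NFS-mounted from puppet-ca for the CA cert and CRL.
# Mounting that share read-only keeps the CA key from being writable here.
[main]
    ssldir = /var/lib/puppet/ssl
[master]
    ca = false
    certname = puppet
    certdnsnames = puppet

# --- puppet.conf on every agent (assumed layout) ---
# "puppet" resolves to the cluster IP (set via /etc/hosts in the thread),
# while new CSRs and signed certs are fetched from the CA on 8141.
[agent]
    server = puppet
    ca_server = puppet-ca
    ca_port = 8141

# /etc/hosts line pushed to agents (example address, assumed):
# 192.0.2.10   puppet
```

The security-relevant property of this split is that the signing key lives on one host that is not serving catalogs; if a master behind the balancer is compromised, `ca = false` plus a read-only mount of the CA directory means the attacker cannot mint certificates for new nodes from it.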
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.