Hello,

We need to migrate ~3000 machines to a new puppet server.

What is the recommended method of doing this, considering the cert issues?

Thanks,
-Roy Nielsen

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Matthew Nicholson
2011-Aug-26 01:28 UTC
Re: [Puppet Users] migrating to new puppet servers
Did this recently, basically:

Create a new module to do the work, that:

  Upgrades the client
  Drops in a new config
  Removes old cert from client
  Bounces the service

Did about 98% of our ~1600 systems with this, worked well, moved things as they checked in instead of one big push.

On Aug 25, 2011 4:31 PM, "Roy Nielsen" <rsn@lanl.gov> wrote:
> Hello,
>
> We need to migrate ~3000 machines to a new puppet server.
>
> What is the recommended method of doing this, considering the cert issues?
>
> Thanks,
> -Roy Nielsen
On Thu, Aug 25, 2011 at 1:31 PM, Roy Nielsen <rsn@lanl.gov> wrote:
> Hello,
>
> We need to migrate ~3000 machines to a new puppet server.
>
> What is the recommended method of doing this, considering the cert issues?

Not much, just make sure you generate a cert for the new puppet master using the existing CA cert. You should not need to replace the existing agent certs, and this gives you an easy way to fail back in case you run into any issues.

Migrate puppet manifests/configuration.
Copy the old puppet server ssl directory to the new master (replace everything in there).
Generate a new cert for the new puppet master
    $ puppet master --no-daemonize -v
Run puppet cert -p and check the new puppet master cert is signed by the same CA as existing agent certs.
Test an existing agent against the new master.
    $ puppet agent --server new_master -t --noop
Update DNS to new puppet master.

Thanks,

Nan
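Added example (not part of the thread, and not the poster's own commands): the check described in the message above, that the new master's certificate is signed by the same CA as the existing agent certificates, done with openssl on throwaway certificates. All CA names, host names and files below are constructed for the demo; with real hosts, pass the CA certificate and the certificate to check from your own ssl directories to `signed_by_ca`.

```bash
#!/bin/sh
# Added example. CA names, host names and the temp directory are constructed
# for the demo; they are not Puppet's real ssl directory layout.

# make_ca DIR NAME: create a throwaway self-signed CA (NAME.key / NAME.pem).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# issue DIR CA NAME: create a key and CSR for NAME, then sign it with CA.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" >/dev/null 2>&1
}

# signed_by_ca CA_CERT CERT: succeed only if CERT verifies against CA_CERT.
signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# build_demo DIR: old-ca stands in for the CA copied from the old master,
# fresh-ca for a CA that a new master created on its own.
build_demo() {
    make_ca "$1" old-ca && make_ca "$1" fresh-ca &&
    issue "$1" old-ca agent01 &&          # existing agent cert
    issue "$1" old-ca new-master &&       # new master, old ssl dir copied over
    issue "$1" fresh-ca new-master-bad    # new master signed by its own new CA
}

# report CA_CERT CERT: print OK/FAIL for one certificate.
report() {
    if signed_by_ca "$1" "$2"; then echo "OK   $(basename "$2")"
    else echo "FAIL $(basename "$2")"; fi
}

run_demo() {
    d=$(mktemp -d) && build_demo "$d" || return 1
    for c in agent01 new-master new-master-bad; do
        report "$d/old-ca.pem" "$d/$c.pem"
    done
    rm -rf "$d"
}
run_demo
```

The `new-master-bad` certificate fails against the old CA, which is the situation existing agents would be in if the new master generated its own CA instead of reusing the copied one.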
On 26/08/11 03:12, Nan Liu wrote:
> On Thu, Aug 25, 2011 at 1:31 PM, Roy Nielsen <rsn@lanl.gov> wrote:
>> Hello,
>>
>> We need to migrate ~3000 machines to a new puppet server.
>>
>> What is the recommended method of doing this, considering the cert issues?
>
> Not much, just make sure you generate a cert for the new puppet master
> using the existing CA cert. You should not need to replace the
> existing agent certs, and this gives you an easy way to fail back in
> case you run into any issues.

This sounds like a good idea. I find certificates endlessly confusing - can you please spell this out in detail?

Thanks,
Jonathan

>
> Migrate puppet manifests/configuration.
> Copy the old puppet server ssl directory to the new master (replace
> everything in there).
> Generate a new cert for the new puppet master
> $ puppet master --no-daemonize -v
> Run puppet cert -p and check the new puppet master cert is signed by
> the same CA as existing agent certs.
> Test an existing agent against the new master.
> $ puppet agent --server new_master -t --noop
> Update DNS to new puppet master.
>
> Thanks,
>
> Nan
On 31 August 2011 19:04, Jonathan Gazeley <jonathan.gazeley@bristol.ac.uk> wrote:
> On 26/08/11 03:12, Nan Liu wrote:
>>
>> On Thu, Aug 25, 2011 at 1:31 PM, Roy Nielsen <rsn@lanl.gov> wrote:
>>>
>>> Hello,
>>>
>>> We need to migrate ~3000 machines to a new puppet server.
>>>
>>> What is the recommended method of doing this, considering the cert
>>> issues?
>>
>> Not much, just make sure you generate a cert for the new puppet master
>> using the existing CA cert. You should not need to replace the
>> existing agent certs, and this gives you an easy way to fail back in
>> case you run into any issues.
>
> This sounds like a good idea. I find certificates endlessly confusing - can
> you please spell this out in detail?

http://www.masterzen.fr/2010/11/14/puppet-ssl-explained/

> Thanks,
> Jonathan

-Naresh V.