Hi All,

We are going to set up two puppet masters, each will include the full stack of services. Apache as the frontend on both load balancing to the backend services on both. We will be using keepalived and VIP whose A record is puppet.domain.

We would like to have the CA in active/active on the two servers. The question then is what is the best method for synchronizing certs between these hosts bi-directionally? My first thought was doing something with inotify but then there is also unison.

While we may end up doing as Pro Puppet suggests and having only one be active and the other CA a hot standby, it would still be best to sync bi-directionally. What are others doing?

-Ryan

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

In our case the ssldir is on a shared filesystem.

On Mon, Dec 19, 2011 at 5:15 PM, Ryan Bowlby <rbowlby83@gmail.com> wrote:
> Hi All,
>
> We are going to set up two puppet masters, each will include the full
> stack of services. Apache as the frontend on both load balancing to
> the backend services on both. We will be using keepalived and VIP
> whose A record is puppet.domain.
>
> We would like to have the CA in active/active on the two servers. The
> question then is what is the best method for synchronizing certs
> between these hosts bi-directionally? My first thought was doing
> something with inotify but then there is also unison.
>
> While we may end up doing as Pro Puppet suggests and having only one
> be active and the other CA a hot standby, it would still be best to
> sync bi-directionally. What are others doing?
>
> -Ryan

I am working on an idea for using my Cobbler-Server/PuppetMaster as a CA for TLS/SSL (R)syslogging where the CA generates all the certs. That way, bi-directional cert sync is unnecessary. The PuppetMaster becomes the CertMaster.

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
Bill Watterson (Calvin & Hobbes)

----- Aaron Grewell <aaron.grewell@gmail.com> wrote:
> In our case the ssldir is on a shared filesystem.