Hi Everybody,

I have a puppet setup working, but have run into an issue which I couldn't figure out how to solve.

Say I have puppet agent generated certificate and signed it on puppet master. If somehow puppet agent's hostname has been changed it will stop communication with puppet master. I would like to know if there is a way to be able to change hostname of puppet agent, without interruption of communication between master and agent.

Thanks,
Artyom
Been there, done that, got a link for you:

http://infrastructure.fedoraproject.org/infra/docs/infra-hostrename.txt

Basically, clean out the certificate info on the client/agent, clear the old info from the master, and then re-certify the agent/client with the new info.

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
Bill Waterson (Calvin & Hobbes)
On Apr 17, 11:34 pm, Artyom Krilov <orya...@gmail.com> wrote:
> Hi Everybody,
>
> I have a puppet setup working, but run into issue, which couldn't figure out how to solve.
>
> Say I have puppet agent generated certificate and signed it on puppet master. If somehow puppet agent's hostname has been changed it will stop communication with puppet master. I would like to know if there is a way to be able to change hostname of puppet agent, without interruption of communication between master and agent.

You may be able to use the 'certname' parameter in the client's puppet.conf to cause it to continue to present the old certificate, but that's a hack, especially if your nodes generally identify themselves to the master (via their certificates) according to their (current) hostnames.

Note that the certname is what gets matched to node declarations, but the $::hostname fact is always the actual hostname, so mucking with certnames on an ad hoc basis may produce surprises later.

Note especially that if there is any chance that the original hostname will be re-used by a different node, then the original and new nodes cannot both identify themselves to the master by the same identifier unless you copy the certificate from one to the other. In that case, the two will always receive the same configuration, their reports will be conflated on the master, and other badness may ensue.

If you want always to be able to change nodes' hostnames without re-certifying them to the master, then you should make *all* your nodes use certnames based on some unchanging node property, such as asset number or MAC address. Changing over to such a policy will require you to re-certify every node, of course, and you will need to adjust your ENC and / or nodes.pp correspondingly, but afterward you will be able to change any node's hostname without interrupting its communication with the master.

If changing hostnames is generally a one-off for you, then you are much better off simply re-certifying the modified node to the master afterwards. Be sure to revoke the old certificate and clean it from the master (in that order).

John
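
The policy suggested in the reply above (certnames based on an unchanging node property such as the MAC address) could be applied on each agent roughly as follows. This is an added example, not part of the original thread; the `node-` prefix, the function names and the use of the `[main]` section are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the "node-" prefix, the
# function names, and keeping certname in the [main] section of puppet.conf.

# Build a certname from a MAC address. Puppet requires lowercase certnames.
certname_from_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':-')
    case "$mac" in
        ""|*[!0-9a-f]*) echo "invalid MAC: $1" >&2; return 1 ;;
    esac
    [ "${#mac}" -eq 12 ] || { echo "invalid MAC: $1" >&2; return 1; }
    printf 'node-%s\n' "$mac"
}

# Set certname in [main] of the given puppet.conf. An existing certname line
# in [main] is replaced (never duplicated); a missing [main] is appended.
set_certname() {
    conf=$1
    name=$2
    tmp=$(mktemp) || return 1
    awk -v name="$name" '
        function emit() {
            if (in_main && !done) { print "    certname = " name; done = 1 }
        }
        /^[ \t]*\[/ {                      # any section header
            emit()                         # leaving [main] without a certname
            in_main = ($0 ~ /^[ \t]*\[main\][ \t]*$/)
            print; next
        }
        in_main && /^[ \t]*certname[ \t]*=/ {
            if (!done) { print "    certname = " name; done = 1 }
            next                           # drop the old value
        }
        { print }
        END {
            emit()
            if (!done) { print "[main]"; print "    certname = " name }
        }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage on the agent (the path is an assumption; adjust to your install):
#   set_certname /etc/puppet/puppet.conf "$(certname_from_mac "$mac")"
```

After the certname changes, the agent still has to be re-certified to the master once, as the reply notes.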
Artyom Krilov
2012-Apr-18 14:11 UTC
Re: [Puppet Users] Puppet agent hostname/domain change
In this case if hostname changes are frequent I'll get too much unnecessary traffic.
Artyom Krilov
2012-Apr-18 14:15 UTC
[Puppet Users] Re: Puppet agent hostname/domain change
Thanks for the detailed explanation. Using certname seems to be fine. I'll create some unchanging property as a fact and will use it in manifests.

Thanks,
Artyom
Balasubramaniam Natarajan
2013-May-13 13:28 UTC
Re: [Puppet Users] Puppet agent hostname/domain change
On Wednesday, 18 April 2012 08:35:43 UTC-4, Ygor wrote:
> Been there, done that, got a link for you:
>
> http://infrastructure.fedoraproject.org/infra/docs/infra-hostrename.txt
>
> Basically, clean out the certificate info on the client/agent, clear the old info from the master, and then re-certify the agent/client with the new info.

Though this is an old post thanks a lot for your link shown above. Is puppetca and "puppet cert" one and the same?
On Monday, May 13, 2013 8:28:05 AM UTC-5, Balasubramaniam Natarajan wrote:
> Though this is an old post thanks a lot for your link shown above. Is puppetca and "puppet cert" one and the same?

Newer versions of Puppet have "puppet cert"; older ones have "puppetca". There may be a few versions that have both, one as an alias for the other. They serve the same purpose in much the same way.

John
A moldy oldie, but it was helpful to someone!