Leej
2012-Jul-02 20:58 UTC
[Puppet Users] bootstrap aws instance - set server address in instance puppet.conf?
Hello, new user here. I'm trying to bootstrap an aws instance and need to change the server setting in puppet.conf on the client/instance that is created. Is there any way to do this beyond modifying hosts post-hoc?

puppet node_aws bootstrap --image ami-e1e8d395 --keyname mykey --login ubuntu --keyfile ~mykeyfile.pem --puppetagent-certname aws_server_test --region=eu-west-1 --type t1.micro -g webserver

This provisions an instance but fails to register a cert request on the puppetmaster with :

notice: Puppet is now installed on: blahblah.eu-west-1.compute.amazonaws.com
notice: No classification method selected
notice: Signing certificate ...
err: Signing certificate ... Failed
err: Signing certificate error: Could not render to pson: getaddrinfo: Name or service not known

Checking the instance's puppet.conf shows that the server config variable is set to "puppet" which I want to change to "myserver.somewhere.com". Now I don't know if this behaviour is a bug, I would have thought that since I'm running puppet from the master server, bootstrapping should be able to update the server variable correctly or there should at least be a command line option.

I know I can run a script at some point and modify my hosts files but I'm trying to keep things automated and simple. What am I missing?

I should also note, if I ssh into the created instance I can modify the puppet.conf file with the correct server name and a certificate request is issued which I can then sign.

Any help.best practices greatly appreciated - lj.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/QHVnlhPb5lUJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Leej
2012-Jul-02 21:20 UTC
[Puppet Users] Re: bootstrap aws instance - set server address in instance puppet.conf?
And 5 minutes later I read the man page docs.puppetlabs.com/pe/2.0/cloudprovisioner_man_node_aws.html

*"Note that any configuration parameter that's valid in the configuration file is also a valid long argument, although it may or may not be relevant to the present action. For example, server is a valid configuration parameter, so you can specify --server <servername> as an argument."*

I would normally feel really stupid, but I'm just too happy to have found that :)
Leej
2012-Jul-03 13:12 UTC
[Puppet Users] Re: bootstrap aws instance - set server address in instance puppet.conf?
So I've cracked the initial problem and I can deploy an instance and auto configure puppet but I am still missing something, possibly a conceptual misunderstanding on my part.

I spin up an aws instance with :

puppet node_aws bootstrap --image ami-e1e8d395 --keyname puppet --login ubuntu --keyfile ~puppet.pem --puppetagent-certname new_certname_1 --region=eu-west-1 --type t1.micro -g webserver --server mypuppetserver.somewhere.com

This fails with :

notice: Waiting for SSH response ... Done
notice: Installing Puppet ...
notice: Puppet is now installed on: blahblah.eu-west-1.compute.amazonaws.com
notice: No classification method selected
notice: Signing certificate ...
err: Signing certificate ... Failed
err: Signing certificate error: Could not render to pson: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: 35:39:B7:DD:19:0E:7A:D6:07:AE:6D:64:FF:2E:92:37
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
On the master:
puppet cert clean mypuppetserver.somewhere.com
On the agent:
rm -f /home/lj/.puppet/ssl/certs/mypuppetserver.somewhere.com.pem
puppet agent -t

However if I sign the certificate by hand on the puppet server :

sudo puppetca -s new_certname_1

My client then (eventually) will update via puppet, so things are *almost* working, although the error is misleading.

So here are my questions.

1) I obviously want to maintain a secure install so I want to sign the certificates. Should node_aws bootstrap be signing the certificates automatically (as it seems to be attempting to do)? Is it possible to create a certificate before bootstrapping the instance so that there is a certificate ready and waiting for the client?

2) I don't know the ip address or have a fqdn for the instances I am spinning up. I want to put some files on my clients. In fileserver.conf I am using the cert_name to control access e.g.

[files]
path /etc/puppet/files
allow new_certname_1

I was surprised that this worked.

Now here's where my conceptual understanding is failing me - since it seems every certname has to be unique (e.g. I can't just create a group controlled by the certificate name) how can I restrict access to the fileserver when provisioning new instances without manually modifying the fileserver.conf?

3) I should also ask - does a client need to be authenticated via its certificate before it will be given access to the fileserver? If so I assume I could then just use * since the certification requirement would reject uncertified clients. Sorry this is possibly a stupid question but it is not clear from the documentation but if so my second question is moot.
Dani Castro
2012-Sep-28 22:51 UTC
[Puppet Users] Re: bootstrap aws instance - set server address in instance puppet.conf?
Hi Lee,

I am also new with Puppet, and I am facing the same problem. Did you get how to solve it? I am starting to feel that I am hitting a wall...

Thanks,

On Tuesday, July 3, 2012 3:12:38 PM UTC+2, Leej wrote:
>
> So I've cracked the initial problem and I can deploy an instance and auto
> configure puppet but I am still missing something, possibly a conceptual
> misunderstanding on my part.
>
> I spin up an aws instance with :
>
> puppet node_aws bootstrap --image ami-e1e8d395 --keyname puppet --login
> ubuntu --keyfile ~puppet.pem --puppetagent-certname new_certname_1
> --region=eu-west-1 --type t1.micro -g webserver --server
> mypuppetserver.somewhere.com
>
> This fails with :
>
> notice: Waiting for SSH response ... Done
> notice: Installing Puppet ...
> notice: Puppet is now installed on:
> blahblah.eu-west-1.compute.amazonaws.com
> notice: No classification method selected
> notice: Signing certificate ...
> err: Signing certificate ... Failed
> err: Signing certificate error: Could not render to pson: The certificate
> retrieved from the master does not match the agent's private key.
> Certificate fingerprint: 35:39:B7:DD:19:0E:7A:D6:07:AE:6D:64:FF:2E:92:37
> To fix this, remove the certificate from both the master and the agent and
> then start a puppet run, which will automatically regenerate a certficate.
> On the master:
> puppet cert clean mypuppetserver.somewhere.com
> On the agent:
> rm -f /home/lj/.puppet/ssl/certs/mypuppetserver.somewhere.com.pem
> puppet agent -t
>
> However if I sign the certificate by hand on the puppet server :
>
> sudo puppetca -s new_certname_1
>
> My client then (eventually) will update via puppet, so things are *almost*
> working, although the error is misleading.
>
> So here are my questions.
>
> 1) I obviously want to maintain a secure install so I want to sign the
> certificates. Should node_aws bootstrap be signing the certificates
> automatically (as it seems to be attempting to do)? Is it possible to
> create a certificate before bootstrapping the instance so that there is a
> certificate ready and waiting for the client?
>
> 2) I don't know the ip address or have a fqdn for the instances I am
> spinning up. I want to put some files on my clients. In fileserver.conf I
> am using the cert_name to control access e.g.
>
> [files]
> path /etc/puppet/files
> allow new_certname_1
>
> I was surprised that this worked.
>
> Now here's where my conceptual understanding is failing me - since it seems
> every certname has to be unique (e.g. I can't just create a group controlled
> by the certificate name) how can I restrict access to the fileserver when
> provisioning new instances without manually modifying the fileserver.conf?
>
> 3) I should also ask - does a client need to be authenticated via its
> certificate before it will be given access to the fileserver? If so I
> assume I could then just use * since the certification requirement would
> reject uncertified clients. Sorry this is possibly a stupid question but it
> is not clear from the documentation but if so my second question is moot.
>
sajan Tharayil
2012-Oct-29 07:20 UTC
[Puppet Users] Re: bootstrap aws instance - set server address in instance puppet.conf?
On Tuesday, 3 July 2012 02:28:28 UTC+5:30, Leej wrote:
>
> *Hello, new user here. I'm trying to bootstrap an aws instance and need
> to change the server setting in puppet.conf on the client/instance that is
> created. Is there any way to do this beyond modifying hosts post-hoc?*

You can create a new AMI with a post install script call. (The Post install script can be kept on a webserver) and you can do whatever you want in that script like setting proper /etc/hosts, setting proper hostname and reverse mapping, setting proper resolver.conf file etc.

>
>
> puppet node_aws bootstrap --image ami-e1e8d395 --keyname mykey --login
> ubuntu --keyfile ~mykeyfile.pem --puppetagent-certname aws_server_test
> --region=eu-west-1 --type t1.micro -g webserver
>
> This provisions an instance but fails to register a cert request on the
> puppetmaster with :
>
> notice: Puppet is now installed on:
> blahblah.eu-west-1.compute.amazonaws.com
> notice: No classification method selected
> notice: Signing certificate ...
> err: Signing certificate ... Failed
> err: Signing certificate error: Could not render to pson: getaddrinfo:
> Name or service not known
>
> Checking the instance's puppet.conf shows that the server config variable
> is set to "puppet" which I want to change to "myserver.somewhere.com".
> Now I don't know if this behaviour is a bug, I would have thought that since
> I'm running puppet from the master server, bootstrapping should be able to
> update the server variable correctly or there should at least be a command
> line option.
>

This can be done in many ways:

1. Create a puppet agent wrapper which runs puppet every x interval and syncs with the right puppet master (Agent should run like puppetd --test --server <server name>)
2. If you have a DNS service set the DNS to search for the domain (If you do ping puppet, it should do ping puppet.company.com). For this you will have to set your resolver.conf file to search company.com.
3. Have a /etc/hosts file entry to resolve puppet

>
> I know I can run a script at some point and modify my hosts files but I'm
> trying to keep things automated and simple. What am I missing?
>
> I should also note, if I ssh into the created instance I can modify the
> puppet.conf file with the correct server name and a certificate request is
> issued which I can then sign.
>
> Any help.best practices greatly appreciated - lj.
>

Best practices :

1. Keep your puppet master and Puppet CA separate
2. Have a proper DNS setup
3. Make all resolving through Resolver.conf file
4. Have a proper post install script which does hostname setting, hostname reverse mapping in /etc/hosts file, setting resolver.conf file, installing puppet agent or whatever wrapper you may have on top of puppet agent
4. Remove puppet default agent run from /etc/init.d and have a daemon tool service which run puppet manually like puppetd --test
5. Keep a proper hostname standard and ask puppetCA to sign only the hostnames allowed.
Martijn
2012-Oct-29 21:28 UTC
[Puppet Users] Re: bootstrap aws instance - set server address in instance puppet.conf?
Here's another option for people who are not using Puppet Cloud Provisioner, but for example EC2's autoscaling or launching test-instances by hand:

Ubuntu and Amazon Linux images include a tool called CloudInit, which makes it easy to perform bootstrapping tasks on a new instance. It's built into the official images. You provide scripts in the 'user-data' metadata that you enter when you launch an instance. CloudInit takes that input and runs it. It's quite versatile, supporting various formats such as shell-scripts, cloud-config yaml, upstart jobs, content downloaded from URLs, compressed and mime-multipart content, etc.

See https://help.ubuntu.com/community/CloudInit for docs and http://bazaar.launchpad.net/~cloud-init-dev/cloud-init/trunk/files/head:/doc/examples/ for some examples.

We enter something like the following in the user-data metadata to bootstrap our Puppet nodes. The %i is replaced with the instance-id by Cloud-Init, to generate a unique certname. That's all that's needed to bootstrap from a default Ubuntu image to a puppet node.

#cloud-config
apt_update: true
apt_upgrade: true
packages:
 - puppet
puppet:
 conf:
   agent:
     server: "puppet.example.com"
     certname: "%i.web.cluster1.ec2"
     pluginsync: "true"

Regards,
Martijn Heemels

On Monday, 2 July 2012 22:58:28 UTC+2, Leej wrote:
>
> Hello, new user here. I'm trying to bootstrap an aws instance and need to
> change the server setting in puppet.conf on the client/instance that is
> created. Is there any way to do this beyond modifying hosts post-hoc?
>
> puppet node_aws bootstrap --image ami-e1e8d395 --keyname mykey --login
> ubuntu --keyfile ~mykeyfile.pem --puppetagent-certname aws_server_test
> --region=eu-west-1 --type t1.micro -g webserver
>
> This provisions an instance but fails to register a cert request on the
> puppetmaster with :
>
> notice: Puppet is now installed on:
> blahblah.eu-west-1.compute.amazonaws.com
> notice: No classification method selected
> notice: Signing certificate ...
> err: Signing certificate ... Failed
> err: Signing certificate error: Could not render to pson: getaddrinfo:
> Name or service not known
>
> Checking the instance's puppet.conf shows that the server config variable
> is set to "puppet" which I want to change to "myserver.somewhere.com".
> Now I don't know if this behaviour is a bug, I would have thought that since
> I'm running puppet from the master server, bootstrapping should be able to
> update the server variable correctly or there should at least be a command
> line option.
>
> I know I can run a script at some point and modify my hosts files but I'm
> trying to keep things automated and simple. What am I missing?
>
> I should also note, if I ssh into the created instance I can modify the
> puppet.conf file with the correct server name and a certificate request is
> issued which I can then sign.
>
> Any help.best practices greatly appreciated - lj.
>
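The advice earlier in the thread to have the CA sign only hostnames that follow a standard, applied to the "%i.web.cluster1.ec2" certname pattern from the cloud-config above, as an added example that is not part of any post in this thread: a check a CA host could run on a requested certname before signing. The role and cluster lists are hypothetical site values, and using the script as Puppet's policy-based autosign executable (certname passed as the first argument, exit status 0 meaning "sign") assumes a Puppet version that supports that setting.

```shell
#!/bin/sh
# Added example: certname allow-list for a Puppet CA (not from the thread).
# Assumed naming standard, after the certname "%i.web.cluster1.ec2" above:
#   <ec2-instance-id>.<role>.<cluster>.ec2
# ALLOWED_ROLES and ALLOWED_CLUSTERS are hypothetical site values.
LC_ALL=C; export LC_ALL          # make a-z in patterns mean ASCII only
ALLOWED_ROLES="web db"
ALLOWED_CLUSTERS="cluster1 cluster2"

# in_list WORD LIST: succeed if WORD is one of the space-separated LIST items.
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# certname_allowed NAME: exit status 0 only if NAME follows the standard.
certname_allowed() {
    # Reject empty names, any character outside the lowercase hostname
    # alphabet (wildcards, slashes, underscores, whitespace), and empty labels.
    case $1 in
        ''|*[!a-z0-9.-]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1                    # split into labels; no glob characters remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1   # exactly id, role, cluster, "ec2"
    [ "$4" = "ec2" ] || return 1
    # EC2 instance IDs: "i-" followed by 8 or 17 hex digits.
    printf '%s\n' "$1" | grep -Eq '^i-([0-9a-f]{8}|[0-9a-f]{17})$' || return 1
    in_list "$2" "$ALLOWED_ROLES" && in_list "$3" "$ALLOWED_CLUSTERS"
}

# Constructed sample certnames; two are the free-form names used in the thread.
for name in i-0a1b2c3d.web.cluster1.ec2 new_certname_1 aws_server_test \
            i-0a1b2c3d.web.cluster9.ec2 '*.web.cluster1.ec2'; do
    if certname_allowed "$name"; then
        echo "sign   $name"
    else
        echo "reject $name"
    fi
done
```

Installed as the autosign executable, the file would end with `certname_allowed "$1"` as its last command in place of the sample loop, so any non-matching name leaves the request unsigned. A name match only narrows what gets signed; it does not prove which machine sent the request.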
jblaine
2012-Dec-13 16:55 UTC
[Puppet Users] Re: bootstrap aws instance - set server address in instance puppet.conf?
Having the same problem as quoted below. I'm even using autosign for the time-being while trying to solve this.

Leej, did you solve this?

> notice: Waiting for SSH response ... Done
> notice: Installing Puppet ...
> notice: Puppet is now installed on:
> blahblah.eu-west-1.compute.amazonaws.com
> notice: No classification method selected
> notice: Signing certificate ...
> err: Signing certificate ... Failed
> err: Signing certificate error: Could not render to pson: The certificate
> retrieved from the master does not match the agent's private key.
>