Mitchell Hashimoto
2012-Jul-31 20:45 UTC
[Puppet Users] What data to restore an existing Puppet Master?
I'm planning some disaster scenarios for our Puppet master, and was curious what data needs to be restored if I need to rebuild a Puppet master from scratch? i.e. what needs to be backed up?

Are all necessary certs in `/var/lib/puppet/ssl`? Should that whole directory get backed up? Or only certain files in there?

Is there any other data I need to back up?

Best,
Mitchell
Nick Fagerlund
2012-Aug-01 22:35 UTC
[Puppet Users] Re: What data to restore an existing Puppet Master?
Hey, Mitchell,

HMM. Sounds like the docs team needs to get on this.

(<-- is 1/2 the docs team)

I'm going to name some special directory or file names below. These are all puppet config settings, and you can get the current value for them on any machine by running puppet master --configprint <setting>.

SSL STUFF:

Location: "ssldir" (varies by distro; use --configprint to discover.)

Important and irreplaceable. If you lose the SSL info on your CA puppet master, you'll have to go through all of your agent nodes, delete their ssldir, and request a new certificate. Doable, but a huge pain in the ass.

There shouldn't be any crucial ssl info outside the ssldir, unless one of the "ca*" settings got messed with in your puppet.conf. Don't worry about ssl info on non-master nodes; you can decommission their old cert w/ puppet cert clean, and issue them a new one when you bring them back to life.

MODULES AND MANIFESTS

Location: every directory in "modulepath," the "manifest" file (AKA site.pp), and anything `import`-ed into the main manifest.

Hopefully you have this under version control in an external git repo or something anyway, but yeah, make sure this is well-backed-up.

PUPPET.CONF

This might well have external service configurations, database passwords, all kinds of stuff. Probably back it up.

AUTH.CONF

Just because if you poked a hole for an external service, you'll want a reminder around about how it was rigged.

HIERA/EXTLOOKUP DATA

If you're using it, you probably know where it is. It is probably very important, and should probably also be in version control anyway.

DASHBOARD/CONSOLE DATA

You'll have to dump the MySQL databases on a regular basis. There are rake tasks to help with that.

MCOLLECTIVE STUFF

Hopefully you're managing your MCollective keys and plugins with puppet anyway, so you've already handled this by backing up your modules and hiera data.

CUSTOM ENC DATA/CODE

If you built an ENC, you should be backing up its data source.

I feel like that's about it? Did I miss anything?
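As an added example (not part of the thread and not Puppet's own tooling), the following shell sketch resolves the locations named in the reply above with `puppet master --configprint` and archives the ones that exist. It assumes puppet.conf and auth.conf live in `confdir`, a tar that accepts `-T -`, and a hypothetical `PUPPET_CMD` override; the archive is created owner-only because the ssldir of a CA master includes private keys.

```shell
#!/bin/sh
# Added example: archive the Puppet master data discussed in this thread.
# PUPPET_CMD is a hypothetical override so the lookup command can be replaced.
PUPPET_CMD=${PUPPET_CMD:-puppet}

# Print the current value of one puppet master setting.
configprint() {
    $PUPPET_CMD master --configprint "$1"
}

# Print one existing path per line: ssldir, every modulepath entry, the main
# manifest, and puppet.conf / auth.conf (assumed here to live in confdir).
backup_paths() {
    confdir=$(configprint confdir)
    {
        configprint ssldir
        configprint modulepath | tr ':' '\n'   # modulepath is colon-separated
        configprint manifest
        printf '%s\n' "$confdir/puppet.conf" "$confdir/auth.conf"
    } | while IFS= read -r p; do
        # Skip empty values and paths that are not present on this host.
        if [ -n "$p" ] && [ -e "$p" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# Write a gzip tarball of those paths to $1, readable by its owner only.
make_backup() {
    out=$1
    list=$(backup_paths)
    if [ -z "$list" ]; then
        echo "no backup paths found" >&2
        return 1
    fi
    (
        umask 077          # new archive is created with mode 0600
        rm -f "$out"       # avoid inheriting looser permissions from an old file
        printf '%s\n' "$list" | tar -czf "$out" -T -
    )
}
```

Call `make_backup /path/to/archive.tgz` as the user that owns the Puppet master's files, and store the result with the same care as the CA key itself.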
Mitchell Hashimoto
2012-Aug-01 23:39 UTC
Re: [Puppet Users] Re: What data to restore an existing Puppet Master?
On Wed, Aug 1, 2012 at 3:35 PM, Nick Fagerlund <nick.fagerlund@puppetlabs.com> wrote:

> I feel like that's about it? Did I miss anything?

Looks good. Most of our data (hiera, modules, and conf) is in version control so the only thing we really need to back up is SSL. Perfect!

Thanks,
Mitchell