Hi Puppet Gurus I am running puppet 2.6.16, ruby 1.8.7-p249, on puppet server with passenger on Apache. These are my gems: builder (2.1.2) fastthread (1.0.7) mysql (2.8.1) passenger (2.2.14) rack (1.1.0) rake (0.8.7) We manually manage autosign.conf to allow new builds to continue so certificates can be signed automatically. This has been working well for a couple of years, but I''ve always wondered what triggers the puppet master to sign the certificate. We can wait 5-10 minutes for a signing request to be fulfilled. We made a change last week to now use short names as the certificate names (not FQDN) and now we''re looking closer to 30 minutes for a request to be signed :-( The only correlation I can see in the logs is that just before a request is signed, a new puppetmasterd is spawned by passenger: Aug 28 22:15:09 engnadm010 puppet-master[26047]: [ID 702911 daemon.notice] labcsvr004 has a waiting certificate request Aug 28 22:24:06 engnadm010 puppet-master[26031]: [ID 702911 daemon.notice] Compiled catalog for engnadm010.bfm.com in environment lab in 19.65 seconds Aug 28 22:37:11 engnadm010 puppet-master[26031]: [ID 702911 daemon.notice] labcsvr004 has a waiting certificate request Aug 28 22:39:47 engnadm010 puppet-master[27717]: [ID 702911 daemon.notice] Starting Puppet master version 2.6.16 Aug 28 22:40:52 engnadm010 puppet-master[26047]: [ID 702911 daemon.notice] Signed certificate request for labcsvr004 Here are my passenger Apache config entries: PassengerHighPerformance on PassengerMaxPoolSize 15 PassengerPoolIdleTime 300 PassengerUseGlobalQueue on PassengerStatThrottleRate 120 RackAutoDetect Off RailsAutoDetect Off Is there any way I can speed up things so that puppet signs the request immediately? Thanks John -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
How many nodes is your puppetmaster currently servicing? I have one servicing about 700 nodes, splayed over an hour check-in interval, and any new nodes I add (that fall into my autosign subdomain) get signed immediately on their first puppet run. -- Peter Bukowinski On Aug 29, 2012, at 8:50 PM, John Warburton <jwarburton@gmail.com> wrote:> Hi Puppet Gurus > > I am running puppet 2.6.16, ruby 1.8.7-p249, on puppet server with passenger on Apache. These are my gems: > builder (2.1.2) > fastthread (1.0.7) > mysql (2.8.1) > passenger (2.2.14) > rack (1.1.0) > rake (0.8.7) > > We manually manage autosign.conf to allow new builds to continue so certificates can be signed automatically. This has been working well for a couple of years, but I''ve always wondered what triggers the puppet master to sign the certificate. We can wait 5-10 minutes for a signing request to be fulfilled. > > We made a change last week to now use short names as the certificate names (not FQDN) and now we''re looking closer to 30 minutes for a request to be signed :-( > > The only correlation I can see in the logs is that just before a request is signed, a new puppetmasterd is spawned by passenger: > > Aug 28 22:15:09 engnadm010 puppet-master[26047]: [ID 702911 daemon.notice] labcsvr004 has a waiting certificate request > Aug 28 22:24:06 engnadm010 puppet-master[26031]: [ID 702911 daemon.notice] Compiled catalog for engnadm010.bfm.com in environment lab in 19.65 seconds > Aug 28 22:37:11 engnadm010 puppet-master[26031]: [ID 702911 daemon.notice] labcsvr004 has a waiting certificate request > Aug 28 22:39:47 engnadm010 puppet-master[27717]: [ID 702911 daemon.notice] Starting Puppet master version 2.6.16 > Aug 28 22:40:52 engnadm010 puppet-master[26047]: [ID 702911 daemon.notice] Signed certificate request for labcsvr004 > > Here are my passenger Apache config entries: > PassengerHighPerformance on > PassengerMaxPoolSize 15 > PassengerPoolIdleTime 300 > PassengerUseGlobalQueue on > PassengerStatThrottleRate 120 > RackAutoDetect Off > RailsAutoDetect Off > > Is there any way I can speed up things so that puppet signs the request immediately? > > Thanks > > John > -- > You received this message because you are subscribed to the Google Groups "Puppet Users" group. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. > For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On 30 August 2012 14:03, Peter Bukowinski <pmbuko@gmail.com> wrote:> How many nodes is your puppetmaster currently servicing? I have one > servicing about 700 nodes, splayed over an hour check-in interval, and any > new nodes I add (that fall into my autosign subdomain) get signed > immediately on their first puppet run. > > We run puppet twice daily (6am & 6pm splayed over an hour), and mostbuilds are done outside of that time frame so the puppet server is pretty idle as you can see in my example - just one catalog compile to do in between request & signing Here''s an example of a signing request on an idle server last week before the short name certificates (no correlation to restarting the daemon here...) Aug 23 10:37:43 cornadm010 puppet-master[25783]: [ID 702911 daemon.notice] blkasec001.domain.com has a waiting certificate request Aug 23 10:44:24 cornadm010 puppet-master[25783]: [ID 702911 daemon.notice] Signed certificate request for blkasec001.domain.com Thanks for taking a look John -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.