Is there an easy way to convert a puppet client into being a puppet master?

Here's the scenario. I'm using puppet to configure all my systems, and would like it to be able to deploy a new puppet master as well. We have systems worldwide so having local puppet masters is very desirable for fault tolerance. So Kickstart (via cobbler) installs a puppet client during the initial system installation, then puppet installs everything else. And I've written a puppet-server module to attempt to deploy the puppet-server package, but I end up getting into certificate problems every time.

The initial cert draws complaints, so I delete it and clean the certificate from the master, but then the systems will not connect under any circumstances:

# puppet agent -t
Exiting: no certificate found and waitforcert is disabled

There's no request on the master (either this or the other).

Thoughts?

Puppet 3.0.1 from puppetlabs rpms on Fedora 17.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/VR0FzMXrsPkJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On 12/12/2012 10:04 PM, Bret Wortman wrote:
> Is there an easy way to convert a puppet client into being a puppet master?
>
> Here's the scenario. I'm using puppet to configure all my systems, and
> would like it to be able to deploy a new puppet master as well. We have
> systems worldwide so having local puppet masters is very desirable for
> fault tolerance. So Kickstart (via cobbler) installs a puppet client
> during the initial system installation, then puppet installs everything
> else. And I've written a puppet-server module to attempt to deploy the
> puppet-server package, but I end up getting into certificate problems
> every time.
>
> The initial cert draws complaints, so I delete it and clean the
> certificate from the master, but then the systems will not connect under
> any circumstances:
>
> # puppet agent -t
> Exiting: no certificate found and waitforcert is disabled
>
> There's no request on the master (either this or the other).
>
> Thoughts?

You should deploy master through cobbler, or run masterless puppet to set up the master.
Yeah, I was starting to think that was the solution.

--
Bret Wortman
http://bretwortman.com/
http://twitter.com/bretwortman

On Wednesday, December 12, 2012 at 5:26 PM, Jakov Sosic wrote:
> You should deploy master through cobbler, or run masterless puppet to
> set up the master.
On Wednesday, December 12, 2012 10:35:21 PM UTC, Bret Wortman wrote:
> Yeah, I was starting to think that was the solution.

That's not strictly necessary, you can install a Puppet Master with Puppet just fine, the problem you're running into is how to manage the Puppet CA across multiple Masters. This is not an easy problem to solve. If you start a master for the first time it will initialise its own personal CA and certificate. This will conflict with the cert it got from the *other* master when it was installed and is probably the cause of your connectivity problems. Also, your other agents won't be able to jump between masters because the CAs are different.

I would break the problem into these tasks:

- Decide on a centralised CA (a Puppet Master Master even) that you can generate other Puppet Master certificates from and give that cert the 'puppet' alias if you use it at your sites (puppet ca generate woof.hostname.com --dns-alt-names puppet)
- Figure out how to get this Cert and the Master CA onto your new Puppet Master instead of letting the Puppet Master. NFS? HTTPS download? Package?
- Figure out how to share certificates between Puppet Masters so an Agent can check in to different Puppet Masters. Centralised CA? Multi-way rsync?

-Luke
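Added example (not part of the thread, and not Puppet's own tooling): a check that a master certificate staged for a new master chains to the central CA and carries the 'puppet' alt name, which is the condition the message above describes. It assumes the openssl CLI; the two throwaway CAs, the file names and the helper check_master_cert are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: two self-signed CAs stand in for a central CA and for the
# CA a new master initialises on first start. All names are made up.
set -eu

make_ca() {  # make_ca <dir> <common-name>
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1/ca_key.pem" -out "$1/ca_crt.pem" 2>/dev/null
}

issue_cert() {  # issue_cert <ca-dir> <out-prefix> <certname> <alt-names>
    printf 'subjectAltName=%s\n' "$4" > "$2.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1/ca_crt.pem" -CAkey "$1/ca_key.pem" \
        -CAcreateserial -days 2 -extfile "$2.ext" -out "$2.pem" 2>/dev/null
}

# Returns 0 if <cert> chains to <ca-cert> and lists DNS:<name> as an alt name,
# 1 if the chain does not verify, 2 if the alt name is missing.
check_master_cert() {  # check_master_cert <ca-cert> <cert> <name>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -text \
        | grep -Eq "DNS:$3[[:space:]]*(,|\$)" || return 2
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
make_ca "$work/central" "central-ca"   # the shared CA every master should use
make_ca "$work/local" "local-ca"       # CA a new master created by itself
issue_cert "$work/central" "$work/woof" woof.hostname.com \
    "DNS:woof.hostname.com,DNS:puppet"

for ca in central local; do
    if check_master_cert "$work/$ca/ca_crt.pem" "$work/woof.pem" puppet
    then echo "$ca CA: master cert accepted"
    else echo "$ca CA: master cert rejected"
    fi
done
```

Against real files, pass the CA certificate and master certificate paths to check_master_cert before starting the master service for the first time.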
Which files will I need to transfer to the new puppet master?

/var/lib/puppet/ssl/ca/ca_crt.pem
/var/lib/puppet/ssl/certs/ca.pem
/var/lib/puppet/ssl/certs/woof.hostname.com.pem

We had been planning for a central "master master" anyway and it already has a dns alias for "puppet".

Once I solve the distribution problem, I'll take on keeping these boxes in sync.

Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman

On Thu, Dec 13, 2012 at 5:15 AM, Luke Bigum <Luke.Bigum@lmax.com> wrote:
> I would break the problem into these tasks:
>
> - Decide on a centralised CA (a Puppet Master Master even) that you can
> generate other Puppet Master certificates from and give that cert the
> 'puppet' alias if you use it at your sites (puppet ca generate
> woof.hostname.com --dns-alt-names puppet)
> - Figure out how to get this Cert and the Master CA onto your new Puppet
> Master instead of letting the Puppet Master. NFS? HTTPS download? Package?
> - Figure out how to share certificates between Puppet Masters so an Agent
> can check in to different Puppet Masters. Centralised CA? Multi-way rsync?