Puppet users - Sep 2013 - Setting up PE from scratch with PuppetDB/Postgres on separate box

Hi All,

I''m trying to setup a new Pupp Ent instance from scratch with 
PuppetDB/Postgres on a sep box. I think I have it working, but it took a 
bit of doing. I just wanted to check that there''s not a more straight 
forward way.

I''m aiming for an HA proxy load balanced pair of PuppetMasters, CA
active
on only one, with replicated pair of PuppetDB/Postgres.

First of all...the assumptions.....it seems that it not possible to install 
the console role (on the PM) without also installing PuppetDB (with option 
to connect to remote PG server). I was imagining that my PuppetDB jetty 
containers would both sit happily only on the 2 database servers, and not 
be required on the PM?? I was imagining that 
/etc/puppetlabs/puppet/puppetdb.conf on the PMs would "simply" point
down
to the active PG PuppetDB instance?? False assumption?

The next question I just wanted to validate....the only way I could get the 
installer to play nice, was to install the DB layer first, with it 
continuing on not having a PM to point at yet, then loading up the PM, 
*having* to say Yes to the PuppetDB option, in order to get a console on 
the PM, then specifying a remote PG database server.

If one does have to install the DB first, then maybe the following link 
needs to be updated?

http://docs.puppetlabs.com/pe/latest/install_system_requirements.html

Then had to remove DB server''s ssl dir, regenerate and sign the request
on
the PM (CA), then run puppetdb-ssl-setup to finish off.

So I''ve ended up with PuppetDB running on both my PM *and* of course on
my
DB. I feel like I should be doing a `service pe-puppetdb stop` on the PM.

There didn''t seem to be any prebaked examples/answers files that 
accommodated this (reasonably std) architecture?? Lots of other great 
examples though.

Is my setup the correct way to go about this???

The next stage will be to use the same answers file from PM1 on PM2, 
disabling the ca_server, and assuring that my dns_alt_names have both the 
puppet service address, and the addresses of both of the PMs.

There seems to be a patch required to allow PuppetDB to drive a replicated 
Postgres pair via Puppet Enterprise itself. Nice that this is now possible!

One last question....and assuming I can run PuppetDB on both Postgres 
servers, with both pointing at the active PG box......I''m also assuming
that I should also be configuring HAProxy to load balance requests to both 
PuppetDB instances?? i.e. load balance the SSL connects over 8081??  If so, 
I''m smelling some SSL challenges ahead.....anybody got any thoughts on
that
one? If both PuppetDB instances are signed against the primary CA, should 
all else be fine?

Thanks for your input, and I''m happy to post updates if anybody has any
suggestions.

Steven

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Hi Steven,

I''m attempting the same thing you are.  I see that 
my /etc/puppetlabs/puppet/puppetdb.conf keeps getting overwritten on my 
Puppet Master to point back to the Puppet Master instead of my PuppetDB 
host.  Do you know where this is being set?

Thanks!
Matt

On Tuesday, September 10, 2013 6:27:22 AM UTC-4, Steven James
wrote:
>
> Hi All,
>
> I''m trying to setup a new Pupp Ent instance from scratch with 
> PuppetDB/Postgres on a sep box. I think I have it working, but it took a 
> bit of doing. I just wanted to check that there''s not a more
straight
> forward way.
>
> I''m aiming for an HA proxy load balanced pair of PuppetMasters, CA
active
> on only one, with replicated pair of PuppetDB/Postgres.
>
> First of all...the assumptions.....it seems that it not possible to 
> install the console role (on the PM) without also installing PuppetDB (with
> option to connect to remote PG server). I was imagining that my PuppetDB 
> jetty containers would both sit happily only on the 2 database servers, and
> not be required on the PM?? I was imagining that 
> /etc/puppetlabs/puppet/puppetdb.conf on the PMs would "simply"
point down
> to the active PG PuppetDB instance?? False assumption?
>
> The next question I just wanted to validate....the only way I could get 
> the installer to play nice, was to install the DB layer first, with it 
> continuing on not having a PM to point at yet, then loading up the PM, 
> *having* to say Yes to the PuppetDB option, in order to get a console on 
> the PM, then specifying a remote PG database server.
>
> If one does have to install the DB first, then maybe the following link 
> needs to be updated?
>
> http://docs.puppetlabs.com/pe/latest/install_system_requirements.html
>
> Then had to remove DB server''s ssl dir, regenerate and sign the
request on
> the PM (CA), then run puppetdb-ssl-setup to finish off.
>
> So I''ve ended up with PuppetDB running on both my PM *and* of
course on my
> DB. I feel like I should be doing a `service pe-puppetdb stop` on the PM.
>
> There didn''t seem to be any prebaked examples/answers files that 
> accommodated this (reasonably std) architecture?? Lots of other great 
> examples though.
>
> Is my setup the correct way to go about this???
>
> The next stage will be to use the same answers file from PM1 on PM2, 
> disabling the ca_server, and assuring that my dns_alt_names have both the 
> puppet service address, and the addresses of both of the PMs.
>
> There seems to be a patch required to allow PuppetDB to drive a replicated 
> Postgres pair via Puppet Enterprise itself. Nice that this is now possible!
>
> One last question....and assuming I can run PuppetDB on both Postgres 
> servers, with both pointing at the active PG box......I''m also
assuming
> that I should also be configuring HAProxy to load balance requests to both 
> PuppetDB instances?? i.e. load balance the SSL connects over 8081??  If so,
> I''m smelling some SSL challenges ahead.....anybody got any
thoughts on that
> one? If both PuppetDB instances are signed against the primary CA, should 
> all else be fine?
>
> Thanks for your input, and I''m happy to post updates if anybody
has any
> suggestions.
>
> Steven
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/01b677c3-59f9-4c5d-b313-70686f5dcf66%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.