Jeremy Pruitt | 1 May 2008 03:49

[Puppet Users] Re: what's the google's pupetmaster structure ?


I would also love to get more details on this setup. I have tried
following the Multiple Certificate Authorities page on the wiki but to
no success.

 - Jeremy

On Apr 30, 10:08 am, "Paul Lathrop" <p... <at> tertiusfamily.net> wrote:
> On Tue, Apr 29, 2008 at 5:41 PM, Ohad Levy <ohadl... <at> gmail.com> wrote:
> > We handled the certificate management in a different way, since all of our
> > puppet masters are also puppet clients, there is a hierarchy of
> > certificates, but each puppet master can still sign the clients below, and
> > as its trusted, each client can connect to any other puppet master.
>
> That sounds like a really interesting and useful setup. Would you be
> willing to share more specifics? How did you set this up?
>
> Regards,
> Paul
>
> > On Wed, Apr 30, 2008 at 5:31 AM, Joel Wood <jw... <at> joelwood.com> wrote:
>
> > > On the DNS round robin bit, if you also want some redundancy with your
> > > load distribution you could always use wackamole.  It allows you to share
> > > a pool of virtual ips between a number of hosts.  You can use it with DNS
> > > round robining to give you failover of sorts.
>
> > >http://www.backhand.org/wackamole/
>
> > > -Joel

Matt McLeod | 1 May 2008 07:18

[Puppet Users] File source weirdness


Sorry for the rather vague subject-line, but I can't think of any pithy way
to describe what I'm seeing.

I have Puppet 0.24.4 running on a whole bunch of Solaris machines.  Some 10,
some 8, some SPARC, some x86.  On two of them (8/SPARC, but not the only
8/SPARC machines we have!) this:

  file {"/etc/resolv.conf":
    source => [ "puppet:///dist/resolv.conf.$hostname",
                "puppet:///dist/resolv.conf.$location",
                "puppet:///dist/resolv.conf" ]
  }

Results in "/etc/resolv.conf" becoming a symlink to "/etc/resolv.conf.mel"
rather than simply containing the contents of
puppet:///dist/resolv.conf.mel.

($location is set by a custom fact.)

There are other seemingly-identical Solaris 8/SPARC systems running the same
Puppet client and Ruby build (it's all rsynced from one common copy) in the
same machine room which work properly, and it worked properly on these hosts
with our previous version of Puppet (0.24.1).

Anyone else seen anything like this?  It's a bit disconcerting that a "file"
stanza which specifies a source and does not have an "ensure" clause which
would create a link winds up creating a link.

Matt

Peter Meier | 1 May 2008 14:31

[Puppet Users] Re: configuring services not to auto-run ("chkconfig off service")


Hi

> Right now I just keep puppet from controlling these service and do it
> "manually" in external scripts, but is there a proper way to do this
> without having to hack puppet too much?

Extend puppet's provider for Red Hat services. It is
lib/puppet/provider/service/redhat.rb .
I think you might subclass it to a new provider or add a certain
parameter which would then force your needs, but by default keep it the
same as it is now.
Would be nice if you can provide a patch for that. :)

greets pete

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users <at> googlegroups.com
To unsubscribe from this group, send email to puppet-users-unsubscribe <at> googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

James Turnbull | 1 May 2008 16:52

[Puppet Users] Re: configuring services not to auto-run ("chkconfig off service")


Peter Meier wrote:
> Hi
>
>   
>> Right now I just keep puppet from controlling these service and do it
>> "manually" in external scripts, but is there a proper way to do this
>> without having to hack puppet too much?
>>     
>
> extend puppet's provider for redhat services. it is
> lib/puppet/provider/service/redhat.rb .
> I think you might subclass it to a new provider or add a certain
> parameter which would then force your needs, but by default keep it the
> same as it is now.
> Would be nice if you can provide a patch for that. :)
>
>   

I agree.  I recently submitted a number of changes to the provider to
support use of /sbin/service instead of direct calls to init scripts (to
accommodate SELinux) and I am happy to test additional changes if it
furthers development of the provider to better suit Red Hat norms.

Regards

James Turnbull


Ohad Levy | 2 May 2008 04:10

[Puppet Users] Certificate hierarchy - multiple puppet masters setup

Hi,

As some people on the list have requested, I'll try to describe the setup we currently use with multiple puppet masters and "HA/failover".

I tried uploading it to the wiki, but it seems to be down at the time of writing this page...

As we are deploying puppet infrastructure in multiple sites, it was important for us to have centralized management for puppet but a non-centralized "service": we wanted the option to switch between puppet masters, and did not like the idea of a single CA for all of our infrastructure.
The main reason against a common CA was that, as we are really spread over the world and it's common to install 50+ servers in a time frame of a few hours, we didn't want to introduce any type of dependencies.
Additionally, revoking works better this way, and well... we just wanted to make it work ;)

Using our solution, you could also use a real root CA, your company root, or a self-signed certificate; in some cases it could make sense not to use a self-signed one if you want to reuse the certificates for Apache, LDAP etc.

Since all of our puppet masters are managed as well, we have one root puppet master (i.e. the puppet master of the puppet masters); we called it the puppeteer.
The puppeteer installation is like a regular puppet master installation.

We are using Apache + Mongrel: on all puppet masters you should have something like this in your Apache configuration (that's just the SSL part):
<VirtualHost *:8140>
    SSLEngine on
    SSLCipherSuite          SSLv2:-LOW:-EXPORT:RC4+RSA
    SSLCertificateFile      /var/lib/puppet/ssl/certs/your.fqdn.com.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/your.fqdn.com.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/certs/ca.pem
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient         optional
    SSLVerifyDepth          3
    SSLOptions              +StdEnvVars

    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    <Location />

Then, let your second puppet master (the second level of the certificate chain) request a certificate from the puppeteer.

Set up an openssl.cnf file (just store it somewhere) with the following content (adjust for your needs):
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = /var/lib/puppet/ssl
new_certs_dir   = $dir/ca/signed
crl_dir         = $dir/ca
database        = $dir/index
certificate     = $dir/ca/ca_crt.pem
serial          = $dir/ca/serial
crl             = $dir/ca/ca_crl.pem
private_key     = $dir/ca/ca_key.pem
RANDFILE        = $dir/private/.rand
x509_extensions = usr_cert
unique_subject  = no
name_opt        = ca_default
cert_opt        = ca_default
default_crl_days= 30
default_days    = 3650
default_md      = sha1
preserve        = no
policy          = policy_anything
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ req ]
default_bits            = 2048
default_keyfile         = ./ca/ca_key.pem
default_md              = sha1
prompt                  = no
distinguished_name      = root_ca_distinguished_name
x509_extensions = v3_ca
string_mask = nombstr
[ root_ca_distinguished_name ]
commonName = XXXXXXXX
[ usr_cert ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
nsCaRevocationUrl               = https://puppeteer.your.domain.com/ca_crl.pem
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
basicConstraints = critical,CA:true
keyUsage = keyCertSign, cRLSign
[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always

On the puppetmaster:
Then copy this file to your new puppet master (e.g. /tmp)
puppetmaster=fqdn
/usr/bin/perl -p -i -e "s/XXXXXXXX/$puppetmaster/" /tmp/openssl.cnf
/usr/bin/openssl req -new -nodes -key /var/lib/puppet/ssl/ca/ca_key.pem -config /tmp/openssl.cnf -out /tmp/${puppetmaster}.csr -passin file:/var/lib/puppet/ssl/ca/private/ca.pass
Copy ${puppetmaster}:/tmp/${puppetmaster}.csr back to the puppeteer.

On the puppeteer:
touch /var/lib/puppet/ssl/index
# Sign this request with the puppeteer's CA keys (one command; note the line continuation)
/usr/bin/openssl ca -config openssl.cnf -extfile openssl.cnf -extensions v3_ca -in ${puppetmaster}.csr -out ${puppetmaster}.pem \
  -passin file:/var/lib/puppet/ssl/ca/private/ca.pass -batch

# Push the new certificate into place on the puppetmaster
scp ${puppetmaster}.pem ${puppetmaster}:/var/lib/puppet/ssl/ca/ca_crt.pem


In your installation process, append the content of the puppeteer's ~puppet/ssl/ca/ca_crt.pem to /var/lib/puppet/ssl/certs/ca.pem on the client.

Now you should be able to use any puppet master that was signed this way.

Hopefully this helps someone,
Ohad
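The trust relationships described above (a puppeteer root CA, per-master CAs it signs with the v3_ca extensions, node certificates issued under usr_cert, and a client ca.pem bundle holding both CA certificates), as an added example written in Ruby's OpenSSL bindings; it is not code from the post, and the host names and the "rogue" CA are made up to show which chains a master accepts and which it rejects.

```ruby
require 'openssl'
# Added example, not from the original post: builds the two-level chain
# (puppeteer root -> per-master CA -> node cert) and checks trust decisions.
def issue(cn, key, issuer_cert, issuer_key, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3650 * 86_400      # default_days = 3650
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca   # [ v3_ca ]: critical CA:true, keyCertSign + cRLSign
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
  else    # [ usr_cert ]: CA:FALSE, so a node cert can never sign others
    cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  end
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash"))
  cert.add_extension(ef.create_extension("authorityKeyIdentifier", "keyid:always"))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# Verify a leaf against trusted CA certs (what a master keeps in certs/ca.pem),
# with untrusted intermediates supplied as the chain presented in the handshake.
def chain_valid?(leaf, trusted, chain)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  store.verify(leaf, chain)
end

def demo
  root_key = OpenSSL::PKey::RSA.new(2048)
  puppeteer = issue("puppeteer.example.com", root_key, nil, nil, ca: true, serial: 1)
  m1_key = OpenSSL::PKey::RSA.new(2048)
  master1 = issue("master1.example.com", m1_key, puppeteer, root_key, ca: true, serial: 2)
  rogue_key = OpenSSL::PKey::RSA.new(2048)   # a CA nobody in the hierarchy signed
  rogue = issue("rogue.example.com", rogue_key, nil, nil, ca: true, serial: 3)
  node = issue("node1.example.com", OpenSSL::PKey::RSA.new(2048), master1, m1_key, ca: false, serial: 4)
  bad_node = issue("node2.example.com", OpenSSL::PKey::RSA.new(2048), rogue, rogue_key, ca: false, serial: 5)
  {
    # a node signed by master1 is accepted by any master that trusts the root
    cross_master: chain_valid?(node, [puppeteer], [master1]),
    # the client-side bundle (master CA + puppeteer CA appended) also verifies it
    bundle: chain_valid?(node, [master1, puppeteer], []),
    # the root alone cannot link the node to puppeteer without the intermediate
    missing_intermediate: chain_valid?(node, [puppeteer], []),
    # a node issued by a CA outside the hierarchy is rejected
    rogue_rejected: chain_valid?(bad_node, [puppeteer], [rogue])
  }
end
```

The missing_intermediate case is why each master must present its own CA certificate as the chain (SSLCertificateChainFile above) or the clients must carry it in their ca.pem bundle.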





Luke Kanies | 2 May 2008 06:41

[Puppet Users] Re: File source weirdness


On May 1, 2008, at 12:18 AM, Matt McLeod wrote:

> There are other seemingly-identical Solaris 8/SPARC systems running the same
> Puppet client and Ruby build (it's all rsynced from one common copy) in the
> same machine room which work properly, and it worked properly on these hosts
> with our previous version of Puppet (0.24.1).
>
> Anyone else seen anything like this?  It's a bit disconcerting that a "file"
> stanza which specifies a source and does not have an "ensure" clause which
> would create a link winds up creating a link.

The only time I've seen anything like this is when the http keepalive
was causing file corruption.

You're absolutely sure those broken clients are running 0.24.4?

I just can't imagine this discrepancy in behaviour without some
distinct configuration difference.

-- 
Don't throw away the old bucket until you know whether the new one
holds water. -- Swedish Proverb
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com


McLeod, Matt | 2 May 2008 08:37

[Puppet Users] Re: File source weirdness


Luke wrote:
> The only time I've seen anything like this is when the http keepalive
> was causing file corruption.
> 
> You're absolutely sure those broken clients are running 0.24.4?

Yup.  I have two builds of a tree containing the Ruby stable-snapshot
from a few days ago, Puppet 0.24.4, and whatever the latest Facter is
(both installed as gems).  One is built on Solaris 8/SPARC (and running
on both 8 and 10 on SPARC), the other on Solaris 10/x86.

The hosts that are misbehaving are even configured identically in Puppet
to others that aren't -- they're all nodes inheriting the same
"meta-node".

Apologies for the crappy quoting and probably screwed-up wordwrap/etc,
I'm stuck using Outlook/Entourage.

> I just can't imagine this discrepancy in behaviour without some
> distinct configuration difference.

Looking more closely at the OS patch revisions on the two sets of hosts,
it seems that the misbehaving ones have slightly older (relatively
speaking, this is Solaris 8 after all!) versions of a few patches that
may be relevant: the kernel, libc/libc++, and linker patches.  Not sure
I can actually patch those as these are largely "hands off" machines,
but I'll see and report back.

Matt


gary | 2 May 2008 10:48

[Puppet Users] How to tell if file replaced? want to run aptitude update after replacement of sources.list


Hi,

I'm wondering how are people deploying new machines with puppet. I
have everything setup properly though I have one question. I have a
local Ubuntu mirror and after replacing sources.list to use the
mirror, I'd like to run aptitude update. I want this to run only when
this file is replaced. Is that possible?

Gary

gary | 2 May 2008 11:12

[Puppet Users] Re: How to tell if file replaced? want to run aptitude update after replacement of sources.list


Would this work?

   case $lsbdistcodename {
      feisty: {
         $ubuntu_repo = "ubuntu.domain.com:9999"
         $ubuntu_repo_sec = "ubuntu.domain.com:9999"
         file { "/etc/apt/sources.list.d":
            ensure  => directory,
            recurse => true,
            purge   => true,
         }
         file { "/etc/apt/sources.list":
            owner   => root,
            group   => root,
            mode    => 0644,
            content => template("apt/sources.list.feisty.erb"),
         }
      }
      hardy: {
         $ubuntu_repo = "ubuntu.domain.com"
         $ubuntu_repo_sec = "ubuntu.domain.com"
         file { "/etc/apt/sources.list":
            owner   => root,
            group   => root,
            mode    => 0644,
            content => template("apt/sources.list.hardy.erb"),
         }
      }
   }
   # refreshonly: runs only when the subscribed file resource changes
   exec { "aptitude update":
      path        => ["/usr/bin"],
      subscribe   => File["/etc/apt/sources.list"],
      refreshonly => true,
   }

On May 2, 4:48 pm, gary <garyy... <at> gmail.com> wrote:
> Hi,
>
> I'm wondering how are people deploying new machines with puppet. I
> have everything setup properly though I have one question. I have a
> local Ubuntu mirror and after replacing sources.list to use the
> mirror, I'd like to run aptitude update. I want this to run only when
> this file is replaced. Is that possible?
>
> Gary
