Can you describe how to set this up?
On Wed, Mar 31, 2010 at 11:23 AM, Ohad Levy <ohadl...@gmail.com> wrote:
> LOhit,
>
> The main two things to take into account are:
>
> 1. Keep your manifests elsewhere; IMHO puppetmasters always get an RO
> copy of your puppet data (e.g. from a VCS).
> 2. Solve the SSL hell, then everything is simple.
>
> I've been using in my setup (with approx 15 productive puppetmasters and
> about 20 development puppetmasters) a chained CA.
>
> What it means is that you have one puppet master, which signs other puppet
> masters.
> In turn, the masters sign the clients, and as they are trusting each other,
> you can connect from any server (or client) to any other server without SSL
> errors.
>
> The top level CA can be shut down (even better to keep the SSL data
> somewhere offline) and used only when you need to sign a new puppet master.
>
> I find this way relatively clean, and nothing usually happens if I end up
> blowing up a puppet master or killing its certificate (as currently 025.4 is
> doing but it's already fixed for 025.5).
>
> Ohad
>
>
> On Wed, Mar 31, 2010 at 6:52 PM, LOhit <lohi...@gmail.com> wrote:
>
>> Hi,
>>
>> Since puppet doesn't have HA/failover capabilities as of now, how does
>> one mitigate a puppet master failure (e.g. hardware)? When you replace the
>> server and configure the Puppet masterd, the clients may no longer be able
>> to communicate with the server, since the server's SSL certificates would
>> have changed.
>>
>> BTW, I am using puppet to manage about 700+ hosts, and I am beginning to worry
>> about the scenario mentioned above. I definitely don't want to log in to
>> each host to clear the "ssl" directory to make it request a new certificate.
>>
>> Thanks,
>> --
>> LOhit
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To post to this group, send email to puppet-us...@googlegroups.com.
>> To unsubscribe from this group, send email to
>> puppet-users+unsubscr...@googlegroups.com.
>> For more options, visit this group at
>> http://groups.google.com/group/puppet-users?hl=en.
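
The trust layout Ohad describes (one top-level CA signs a CA certificate per master, each master signs its own clients), sketched as an added example with plain `openssl`; it is not from this thread and is not Puppet's own CA tooling. All names (`root-ca`, `master-a`, `master-b`, `agent1`, `server-b`) are made up for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo of a chained CA using plain openssl (not Puppet's own tooling).
# Every name here (root-ca, master-a, master-b, agent1, server-b) is made up.
set -eu
cd "$(mktemp -d)"

# CA certs must carry CA:TRUE, otherwise they are rejected as issuers.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\n' > leaf.ext

new_csr() {  # new_csr NAME: fresh key pair and signing request
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

issue() {    # issue NAME SIGNER EXTFILE: SIGNER's key signs NAME's request
  new_csr "$1"
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -extfile "$3" -days 365 -out "$1.crt" 2>/dev/null
}

chain_ok() { # chain_ok LEAF [INTERMEDIATE]: does LEAF verify back to root-ca?
  if [ $# -eq 2 ]; then
    openssl verify -CAfile root-ca.crt -untrusted "$2.crt" "$1.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile root-ca.crt "$1.crt" >/dev/null 2>&1
  fi
}

# 1. Top-level CA, self-signed. Its key is needed only when adding a master.
new_csr root-ca
openssl x509 -req -in root-ca.csr -signkey root-ca.key -extfile ca.ext \
  -days 3650 -out root-ca.crt 2>/dev/null

# 2. The top-level CA signs one CA certificate per master.
issue master-a root-ca ca.ext
issue master-b root-ca ca.ext

# 3. Each master signs its own clients and its own server certificate.
issue agent1   master-a leaf.ext
issue server-b master-b leaf.ext

# 4. Both leaves chain to the same root, so agent1 can trust master-b's server.
chain_ok agent1 master-a   && echo "agent1 via master-a: OK"
chain_ok server-b master-b && echo "server-b via master-b: OK"
# Without the issuing master's CA certificate the chain cannot be built.
chain_ok agent1 || echo "agent1 without intermediate: rejected"
```

The last check is the operational caveat: every peer has to trust the top-level certificate and be handed the issuing master's CA certificate, otherwise verification fails even though the signatures are valid.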