On 06/20/2010 08:47 PM, Patrick Mohr wrote:
You've got some problems that are caused because the packages didn't do things 
you need done, and other problems that are unrelated.

On the clients, puppetd will automatically look for the server at puppet, and should use 
the search domain.  You really want to change DNS so that the puppetmaster has a DNS name 
of puppet.  If it's working, "ping puppet" should ping the puppet master.  At 
this point the server flag should be needed anymore.
So the certificate would need to be regenerated at this point. Is it just a matter of:

Is it a matter of changing:

1. certname = servercharlie.bestgroup

to

certname = puppet

2. restart puppetmasterd (does puppetmasterd know to reconfigure the certificates?)

3. change /etc/hosts/ entry on client node (I guess /etc/puppet/ssl/ has to be deleted?)

4. rerun puppetca on the master.

Sorry, this may seem trivial, but I don't feel like breaking the setup at this point.

On the master, you need to create a user and group called puppet.  This user 
needs read-only access to everything in /etc/puppet and read-write access to 
everything in /var/lib/puppet.  (These are standard locations for Debian, but 
they might be in a different place in your version of puppet.)  Some of the 
files in these directories should not be world-readable, so it's easier to just 
make both of them be not world-readable.

I'm assuming that you are using puppet version 0.25.4 or above.  If you aren't, 
you should upgrade now.
I am.
For startup scripts, it's probably easier to get the scripts from the official 
packages or the examples than it is to write your own.
I did.
Hints:
puppetd is normally run as root so it can administrate your (puppet) clients.
puppetmaster is normally run as puppet because it doesn't need to make changes 
to the server.

Summary:
1) Make sure that running "ping puppet" on the client pings the server.
2) Add a user called puppet
3) Add a group called puppet
4) chown -R root:puppet /etc/puppet
5) chown -R puppet:puppet /var/lib/puppet
6) Set permissions on /etc/puppet to 640 and 750
7) Set permissions on /var/lib/puppet to 660 and 770
Summaries are nice :) Seems like I have most of this covered. I'm going to check the permissions again. I also wasn't able to find any log files when I wanted to watch them one time, but I imagine that I can address this in the config.
PS if you aren't using version control yet, start using it now.  Even if you 
don't use comments, tags, and branches, it will still allow you to:
1) Revert stupid mistakes
2) Do a binary search through your revisions to find out what change caused a 
bug.
I am using version control. It does feel sort of weird having a git repository in /etc/ though.

Thanks.

Regards,
Chris
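
The ownership and permission steps from the summary (steps 4 to 7), together with a check that nothing under either tree is left accessible to "other", as an added shell example that is not part of the original thread. The function names are hypothetical, and reading "640 and 750" as files 640 / directories 750 (likewise 660 / 770) is an assumption about what the summary means.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumption: "640 and 750" means files 640 and directories 750
# (and "660 and 770" means files 660 and directories 770).

# set_tree_modes DIR FILE_MODE DIR_MODE
# Apply one mode to every regular file and another to every directory.
set_tree_modes() {
    find "$1" -type d -exec chmod "$3" {} +
    find "$1" -type f -exec chmod "$2" {} +
}

# world_accessible DIR
# Print every entry that grants read, write or execute to "other".
# Symlinks are skipped because their own mode bits are not meaningful.
world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# wrong_owner DIR USER GROUP
# Print every entry that is not owned by USER:GROUP.
wrong_owner() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# harden_puppet CONF_DIR STATE_DIR
# Steps 4-7 of the summary. Needs root and an existing puppet user/group.
harden_puppet() {
    chown -R root:puppet "$1"
    chown -R puppet:puppet "$2"
    set_tree_modes "$1" 640 750
    set_tree_modes "$2" 660 770
}

# audit_puppet CONF_DIR STATE_DIR
# Print findings and return 1 if anything deviates from the summary.
audit_puppet() {
    findings=$(
        world_accessible "$1"; world_accessible "$2"
        wrong_owner "$1" root puppet; wrong_owner "$2" puppet puppet
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

On the master this would be run as root, for example `harden_puppet /etc/puppet /var/lib/puppet` followed by `audit_puppet /etc/puppet /var/lib/puppet`; the audit can be repeated later to catch files that were created with looser modes.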
