Hi Gonzalo,

> Has anyone done this sort of thing? How'd you get around the SSL issues? I
> could use the same CA cert on both Puppet servers but I assume that won't
> work as the hostnames are different?

I am actually doing this, but on the same puppet server. What I have done is 
the following:

- Main puppet master runs as user puppet, with default parameters. The 
/etc/puppet directory is a Git checkout.

- Then, as my normal username, I run another instance of puppet master, 
listening on a different port, with my local changes:
  * I choose a unique $PORT for each user; this way you can have as many 
puppetmasters as you want.
  * I create a runtime-puppet directory with empty 'rundir' and 'logdir' 
subdirectories. They just get the logs and the pidfile.
  * Then, I populate a third 'vardir' subdirectory with a copy of 
/var/lib/puppet, which brings together all the certificates. You may need to 
change the ownership of that directory to your username, for the private key. 
The clients' keys may be shared with symlinks if you like, otherwise you will 
need to sync both directories every time you have a new cert.
  * Finally puppetmasterd runs as my username, this way: 

    puppetmasterd --rundir=/home/pablof/runtime-puppet/rundir \
      --vardir=/home/pablof/runtime-puppet/vardir \
      --confdir=/home/pablof/puppet-tree \
      --logdir=/home/pablof/runtime-puppet/logdir \
      --masterport=$PORT "$@"

You can then have in --confdir (I call it puppet-tree) a local copy of the 
/etc/puppet dir I share with Git. This way I make my local copies, without 
pushing the changes, and my private puppetmasterd sees them instantly. If I 
want to have a single node pick up my temp configuration, I stop puppetd 
there, and run by hand (in the client): puppetd -t --masterport=$PORT, with 
the same $PORT I used in the puppetmasterd. 

Easy, and it works like a charm.

But if you need it to be different machines, I don't know what will happen 
with the server certificate. If puppetd is smart enough, it won't let you, but 
maybe you can trick your client with a temporary /etc/hosts entry; it may be 
worth a try.

Good luck!
Pablo
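
The per-user setup described in the message above, as an added shell script. It is 
not Pablo's script and not part of the original post; it automates the steps he 
lists (separate rundir/logdir, a private copy of the master's vardir owned by the 
user, optional symlinking of the signed client certs, and a puppetmasterd on a 
per-user port). Assumptions, all labelled in the code: the master's vardir is 
/var/lib/puppet, the user's tree lives in $HOME/runtime-puppet and the Git checkout 
in $HOME/puppet-tree, signed client certs sit in ssl/ca/signed as in the default 
Puppet layout, and the unique port is derived from the UID (the message only says 
to pick one per user). The chmod 700 is added here because the copied vardir holds 
the master's private key; the original text mentions only the chown.

```shell
#!/bin/bash
# Added example: build a per-user runtime tree for a private puppetmasterd and
# print (or exec) the launch command. Not the original poster's code.
set -eu

# Assumption: one port per user, derived from the UID so two users never
# collide; nothing else is assumed to listen in 18140..19139.
user_port() {
    local uid="${1:-$(id -u)}"
    echo $((18140 + uid % 1000))
}

# Create rundir/logdir/vardir under $1 and copy the master's vardir ($2) into it.
# $3 is the user who will run puppetmasterd; the copy is handed over to that
# user when the script runs as root (needed to read the original private key).
# The tree is locked to 700: it now contains the CA and master private keys.
setup_runtime() {
    local base="$1" src_vardir="$2" owner="${3:-$(id -un)}"
    mkdir -p "$base/rundir" "$base/logdir" "$base/vardir"
    chmod 700 "$base"
    cp -a "$src_vardir/." "$base/vardir/"      # -a keeps modes and symlinks
    if [ "$(id -u)" = 0 ]; then
        chown -R "$owner" "$base"
    fi
    chmod 700 "$base/vardir"
    echo "$base"
}

# Optional: instead of re-syncing after every new cert, point the private
# copy's signed-cert directory at the main master's one.
# Assumption: signed client certs live in ssl/ca/signed (default Puppet layout).
share_signed_certs() {
    local base="$1" src_vardir="$2"
    rm -rf "$base/vardir/ssl/ca/signed"
    mkdir -p "$base/vardir/ssl/ca"
    ln -s "$src_vardir/ssl/ca/signed" "$base/vardir/ssl/ca/signed"
    echo "$base/vardir/ssl/ca/signed"
}

# The puppetmasterd command line from the message, with the tree from
# setup_runtime. Printed rather than run so it can be inspected first.
master_cmd() {
    local base="$1" confdir="$2" port="$3"
    printf '%s' "puppetmasterd --rundir=$base/rundir --vardir=$base/vardir" \
        " --confdir=$confdir --logdir=$base/logdir --masterport=$port"
}

# Usage: private-master.sh setup   -> build $HOME/runtime-puppet, print commands
#        private-master.sh run     -> same, then exec puppetmasterd
# Override with BASE=, SRC_VARDIR=, CONFDIR=, LINK_SIGNED=1 in the environment.
case "${1:-}" in
    setup|run)
        BASE="${BASE:-$HOME/runtime-puppet}"
        SRC_VARDIR="${SRC_VARDIR:-/var/lib/puppet}"
        CONFDIR="${CONFDIR:-$HOME/puppet-tree}"
        PORT="$(user_port)"
        setup_runtime "$BASE" "$SRC_VARDIR" "$(id -un)" >/dev/null
        if [ "${LINK_SIGNED:-0}" = 1 ]; then
            share_signed_certs "$BASE" "$SRC_VARDIR" >/dev/null
        fi
        CMD="$(master_cmd "$BASE" "$CONFDIR" "$PORT")"
        echo "server: $CMD"
        echo "client: puppetd -t --masterport=$PORT   # after stopping puppetd there"
        if [ "$1" = run ]; then
            exec $CMD
        fi
        ;;
esac
```

Run it as root the first time so the private key can be read and the copy 
chowned to you; afterwards the tree is yours and the master starts as your own 
user. Nothing in the script touches the main master's /var/lib/puppet except to 
read it (or to symlink ssl/ca/signed when LINK_SIGNED=1).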

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.
