[Puppet Users] EC2 master restart, broken agents

2011-03-08 Thread Phillip B Oldham
A quick overview of our setup:

We have an EBS-backed puppet master instance with an Elastic IP, and a
number of puppet agent AMI images in various regions. When these AMIs
were created, they were authenticated with the puppet master using the
following command:

# puppet agent --certname=$(cat /etc/puppet/certname) --server puppet.ourdomain.net --waitforcert 30 --test

...and accepted on the puppet master with:

# puppet cert --certname=$(cat /etc/puppet/certname) --sign {instance-name}

Spinning up new instances of the AMIs worked without issue.

Now, the problem:

Recently we had to reboot our puppet master instance. As expected, the
Elastic IP stayed the same. As far as we can tell, the *hostname*
stayed the same also. Since it was just a reboot, this can happen.

However, despite setting the --certname on both the master and agent
and the IP and hostname not changing, our agents are now complaining
that the hostname not match with the server certificate.

We're at a loss on how to fix this. We'd rather fix this on the server
rather than have to re-image the AMIs, as it was a time-consuming
operation and we can't put aside time to re-image the AMIs every time
the master reboots.

Any suggestions on how to track down where the problem is or how to
fix it?

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.



[Puppet Users] Re: EC2 master restart, broken agents

2011-03-08 Thread Phillip B Oldham
Ignore everything I wrote -- my configuration file which started up
the puppet master sets the --certname, however it was corrupt after a
config tweak. Fixing that fixed the communication.




[Puppet Users] Re: Make puppet clients look at a domain name rather than an IP?

2011-02-25 Thread Phillip B Oldham
On Feb 16, 2:40 pm, Nigel Kersten <ni...@puppetlabs.com> wrote:
> Where does it say this Phillip? We must have some unclear documentation.

http://docs.puppetlabs.com/guides/configuring.html#configure-dns-optional

It is quite confusing... I struggled for a moment getting a puppet-
master daemon running, too - the configuration documentation could
maybe do with a little more work for those not used to the ruby
environment or usual set-up of ruby daemons. The following paragraph
threw me (from 
http://docs.puppetlabs.com/guides/configuring.html#start-the-central-daemon):

> If you’re running on Red Hat, CentOS, Fedora, Debian, Ubuntu, or Solaris, the
> OS package already contains a suitable init script. If you don’t have one,
> you can either create your own using an existing init script as an example,
> or simply run without one (though this is not advisable for production
> environments).

... sounds fine, however there's no example of how to actually run the
puppet master directly on the command-line (I'd installed via a ruby
gem).




[Puppet Users] hostname not match with the server certificate error

2011-02-25 Thread Phillip B Oldham
Hi all

I'm trying to set up a separate puppet master and client on EC2. I've
used two instances of CentOS5.4 with nothing other than the base
install and have installed puppet via the ruby gems. Puppet is at
2.6.4 on both machines.

I've been following the guide to get a basic configuration working
(http://docs.puppetlabs.com/guides/configuring.html) with a little
tweak because I'm on EC2, but I'm not able to authenticate my agent
with the master.

Here are the steps I'm taking, and the output:

[agent]# echo foobar > /etc/puppet/certname
[agent]# puppet agent --certname=$(cat /etc/puppet/certname) --server puppet.mydomain.org --waitforcert 30 --test
info: Creating a new SSL key for webserver
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for webserver
info: Certificate Request fingerprint (md5): SO:ME:RA:ND:OM:NU:MB:ER:SS
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session

Then on the master:

[master]# puppet cert --list
foobar
[master]# puppet cert --sign foobar
notice: Signed certificate request for foobar
notice: Removing file Puppet::SSL::CertificateRequest foobar at '/etc/puppet/ssl/ca/requests/foobar.pem'

Then back on the client:

info: Caching certificate for foobar
err: Could not retrieve catalog from remote server: hostname not match with the server certificate
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

I'm not entirely sure what I'm not doing right. The docs don't provide
much help for this error, nor does the troubleshooting section. I'm
rather stuck!




[Puppet Users] Is it possible to configure multi-master/circular replication for MySQL?

2011-02-01 Thread Phillip B Oldham
Is it possible for puppet to configure a set of MySQL masters and
manage circular replication, so that if additional master nodes are
required (or need to be stopped & moved) puppet can add them to the
set and bring them up to date? How would it cope with unresponsive
nodes; could puppet reconfigure the set to remove it from the config
of the various other nodes to ensure the chain isn't broken?




[Puppet Users] Pre-sign offline servers?

2010-05-06 Thread Phillip B Oldham
How can I pre-sign a server which doesn't yet have a domain pointing
to it?

I'm trying to get an EC2 base image together which is pre-signed
with our master, so I can spin-up as many instances as required. These
instances which will all share the same characteristics and files
(they're basically dupes), and will all sit behind a load-balancer, so
they've all been given the same hostname/fqdn.

I've tried following the steps outlined in a serverfault[1] answer but
I seem to only get the following error:

# puppetd --fqdn webserver --server puppet.my.org --waitforcert 60 --test
err: Could not retrieve catalog from remote server: hostname not match with the server certificate
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

Can anyone point me to, or possibly provide, the steps I need to
follow to (pre-)sign this image?

[1] http://serverfault.com/questions/137292




[Puppet Users] Re: Pre-sign offline servers?

2010-05-06 Thread Phillip B Oldham
Should probably mention:

Master is a CentOS 5.2 box running puppet 0.25.4, not running inside
EC2.
Client is a CentOS 5.4 box also running puppet 0.25.4, EC2 instance.

Puppet has been installed from yum on both machines, and both are
clean.




[Puppet Users] puppetmaster not responding

2010-04-29 Thread Phillip B Oldham
I'm unable to get a response from the puppetmaster I'm testing with.

`netstat -apn` shows puppetmaster/ruby listening on port 8140, but
telnet connections are refused both from a different location and from
the commandline on the master server.

I've restarted a number of times but I'm still getting nothing, and
AFAICT there aren't any conflicting firewall rules; I've even switched
it off to be doubly-sure.

Any suggestions as to why it wouldn't be responding?




[Puppet Users] Re: Puppet EC2: Attach an EBS volume at boot?

2010-04-23 Thread Phillip B Oldham
So, am I correct in thinking then that the following workflow *can't*
be done with puppet?

1) The EC2 instance starts up, and the puppet client on the instance
connects to the puppet master.
2) The puppet client receives the EC2 authentication credentials (env
vars, certs, etc) from the master.
3) The master tells the client which EBS volumes to attach at which
mount points.
4) The client uses the authentication credentials to execute the EC2
commands to attach the volumes.
5) The client then removes the EC2 creds (unset env vars, rm certs,
etc) for security.




[Puppet Users] Re: Puppet EC2: Attach an EBS volume at boot?

2010-04-22 Thread Phillip B Oldham
On Apr 21, 6:06 pm, Ken <k...@bob.sh> wrote:
>> My main problem is defining in puppet the name of the EBS volume to
>> attach, and having the puppet client on the EC2 instance actually
>> *attach* the volume after it has spun-up.
>
> Is this because you want to be able to convert the EBS id to a
> /dev/sdX device? So the EBS volume id is what you reference in your
> configuration ...?

Not exactly. I'm working with an OpenSolaris instance. What I'm hoping
puppet can do is, when the instance starts up, issue the ec2 commands
to attach a specified EBS volume to itself then keep checking whether
the drive is available before issuing the ZFS commands to import the
newly-attached drive. Would this be possible? If so, which sections of
the documentation should I be focussing on?




[Puppet Users] Re: Puppet EC2: Attach an EBS volume at boot?

2010-04-22 Thread Phillip B Oldham
On Apr 22, 9:26 am, Matt <mattmora...@gmail.com> wrote:
> I personally prefer to set-up the instances externally with some other tool,
> saves having AWS credentials on the EC2 instance.

So there's no way for the puppet config on the master to have the AWS
credentials and pass them down to the instance/client?




[Puppet Users] Re: Puppet EC2: Attach an EBS volume at boot?

2010-04-22 Thread Phillip B Oldham
On Apr 22, 12:04 pm, Ken <k...@bob.sh> wrote:
>> I personally prefer to set-up the instances externally with some other tool,
>> saves having AWS credentials on the EC2 instance.
>
> I agree. It's a concern that each box will have so much control over
> not only themselves but other instances that the key has access to. If
> that 1 box is compromised then the would-be hacker can take control of
> all the other boxes as well.

Can the puppet master issue the ec2 commands from the main server
then? If not, any suggestions for other tools with which I can
automate this part of the process?




[Puppet Users] Puppet EC2: Attach an EBS volume at boot?

2010-04-21 Thread Phillip B Oldham
Is it possible, using puppet, to configure an EC2 instance so that
when it boots it attaches & mounts an EBS volume? If so, what steps
would one take to achieve this?




[Puppet Users] Re: Puppet EC2: Attach an EBS volume at boot?

2010-04-21 Thread Phillip B Oldham
Thanks for the reply. I think the mounting part should be
straightforward.

My main problem is defining in puppet the name of the EBS volume to
attach, and having the puppet client on the EC2 instance actually
*attach* the volume after it has spun-up.

On Apr 21, 1:07 pm, Ken <k...@bob.sh> wrote:
>> Is it possible, using puppet, to configure an EC2 instance so that
>> when it boots it attaches & mounts an EBS volume? If so, what steps
>> would one take to achieve this?
>
> The mounting should normally be done by your os - ie. put the entry
> in /etc/fstab.
>
> However - puppet can manage the /etc/fstab file with the 'mount'
> resource if you wanted:
>
> http://docs.puppetlabs.com/references/stable/type.html#mount
>
> But - I'm guessing your problem is that you don't want to re-create
> your EBS/AMI image every time you change /etc/fstab right?
>
> If you didn't want to save the entry in fstab and do the whole
> 'snapshot' image thing (to persist your /etc/fstab entry in your
> EBS/AMI image) you could have puppet always start at bootup and let
> puppet do the mounting.
>
> Puppet will mount the file-system at any time quite happily in this
> regard. Just need to make sure that your ensure line is 'mounted'. For
> example:
>
> mount { "/mnt/point":
>   device => "/dev/sdc1",
>   ensure => mounted,
>   ...
> }
>
> Just make sure you're getting your ordering right - as most people would
> be used to mounts appearing quite early in any boot sequence ... if
> you manage your service starts in puppet as well, you can let puppet
> do the ordering for you.
>
> ken.





[Puppet Users] Is it possible for puppet to compile packages?

2010-03-10 Thread Phillip B Oldham
We use Nginx rather than apache due to a number of useful modules,
however these modules need to be compiled in and therefore we're
unable to use a package manager for installation.

Would it be possible with puppet to grab specific versions of the
various source files, compile them, and then configure the servers?
