Using puppet on a private network?


Larry Ludwig

Apr 7, 2008, 7:43:55 PM
to Puppet Users
Hi, we are getting ready to deploy Puppet on our network. Our managed
servers/VPSes are multi-homed (i.e. a public and a private network); the
uname -a of the server is associated with the public name (in our case
empoweringmedia.net) and not the private network name. This causes a
host name mismatch with Puppet.

My question: can Puppet clients create certs for the internal network
side and then send these to the puppetmaster, which only listens on the
private network?

I would prefer NOT to have puppetd and puppetmasterd on the public
side of our network. Even though SSL is pretty secure, there is no
reason in our case to keep it on the public side.

If this feature isn't possible, can I suggest it for a future
version?

Thanks..

--
Larry Ludwig
HostCube - Managed and Unmanaged Xen VPSes
http://www.hostcube.com/

huangmingyou

Apr 7, 2008, 9:27:25 PM
to Puppet Users
On the client side, you can set the sertname to the private name. On the
server side, you can set the bindaddress to the private network address.

David Schmitt

Apr 8, 2008, 2:30:08 AM
to puppet...@googlegroups.com
On Tuesday 08 April 2008, huangmingyou wrote:
> in the client side ,you can set the sertname to private name. in the
> server side, you can set the bindaddress to private network address.

Exactly. certname is spelled with a 'c' in front though.

For more information, look at the
http://reductivelabs.com/trac/puppet/wiki/ConfigurationReference

Regards, DavidS


>
> On Apr 8, 7:43 am, Larry Ludwig <larry...@gmail.com> wrote:
> > Hi we are getting ready to deploy Puppet on our network. Our managed
> > servers/VPSes are multi-homed (ie a public and private network) the
> > uname -a of the server is associated with public name (in our case
> > empoweringmedia.net) and not the private network name. This causes a
> > host name mismatch with puppet.
> >
> > My question can puppet clients create certs for the internal network
> > side and then send this to the puppetmaster, which only listens on the
> > private network?
> >
> > I would prefer NOT to have puppetd and puppetmasterd on the public
> > side of our network. Even though SSL is pretty security there is no
> > reason in our case to keep it on the public side.
> >
> > If this feature isn't possible, can I suggest this in a future
> > version.
> >
> > Thanks..
> >
> > --
> > Larry Ludwig
> > HostCube - Managed and Unmanaged Xen VPSes
> > http://www.hostcube.com/
>
>


--
The primary freedom of open source is not the freedom from cost, but the freedom
to shape software to do what you want. This freedom is /never/ exercised
without cost, but is available /at all/ only by accepting the very different
costs associated with open source, costs not in money, but in time and effort.
-- http://www.schierer.org/~luke/log/20070710-1129/on-forks-and-forking

Larry Ludwig

Apr 8, 2008, 8:36:03 AM
to Puppet Users

> Exactly. certname is spelled with a 'c' in front though.
>

So you set this name in puppetd config BEFORE your start (which
creates the cert)?

Trevor Vaughan

Apr 8, 2008, 9:59:26 AM
to puppet...@googlegroups.com
Also, you can set up an administrative VLAN with split DNS which
should solve your problems.

Just bind your Xen interfaces to the appropriate VLAN and away you go.

Not out of band, but technically private.

Trevor

Nigel Kersten

Apr 10, 2008, 4:29:33 PM
to puppet...@googlegroups.com

Yes.

There's no necessary relationship between certname and hostname on the client though.

We use UUIDs for our certnames.



--
Nigel Kersten
Systems Administrator
MacOps

Larry Ludwig

Apr 11, 2008, 12:07:10 AM
to Puppet Users
Ok thanks.

On Apr 10, 4:29 pm, "Nigel Kersten" <nig...@google.com> wrote:

Larry Ludwig

Apr 11, 2008, 2:28:53 PM
to Puppet Users
Sorry to be a pain about this... I actually set this up per the
instructions.

I still get:

Apr 11 14:25:16 devcentos46 puppetd[19317]: Could not retrieve
catalog: Certificates were not trusted: certificate verify failed

I have certname=node.privatename set to the private network.

on the puppetmaster I have:

bindaddress=puppet.privatename
certname=puppet.privatename

A netstat -anp shows it's listening on the proper IP address/port.

What am I doing wrong?

Larry Ludwig

Apr 11, 2008, 2:44:31 PM
to Puppet Users
Fixed it:

either deleting the
/var/lib/puppet/ssl folder

or in [puppetd] adding:
bindaddress=node.privatename
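Tying together the two pieces of advice in this thread (certname and bindaddress pinned to the private side, from the early replies, and wiping the client's /var/lib/puppet/ssl state when a cert was already issued under the old name, from the final fix), here is an added shell example. It is not code from the thread or from the Puppet project. It assumes the 0.24-era puppet.conf layout with [puppetd] and [puppetmasterd] sections and the ssldir tree (certs/, private_keys/, certificate_requests/); node.privatename, puppet.privatename and the 10.0.0.x addresses are placeholders, and the puppetd --config/--waitforcert and puppetca options are assumed from that era.

```shell
#!/bin/sh
# Added example (not code from the thread or from the Puppet project): keep
# Puppet's certname and bindaddress on the private network, and detect the
# situation from the thread where a client cert was issued under the old
# (public) name before certname was changed.
# Assumptions: 0.24-era layout (puppet.conf with [puppetd]/[puppetmasterd]
# sections, SSL state under ssldir/{certs,private_keys,certificate_requests});
# node.privatename / puppet.privatename / 10.0.0.x are placeholders.

# Read one key from one section of an INI-style puppet.conf (prints nothing if absent).
# Usage: get_setting <file> <section> <key>
get_setting() {
    awk -v want_section="$2" -v want_key="$3" '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        /^[[:space:]]*\[/ {                             # [section] header
            sub(/^[[:space:]]*\[/, ""); sub(/][[:space:]]*$/, "")
            in_section = ($0 == want_section)
            next
        }
        in_section && /=/ {
            split($0, kv, "=")
            gsub(/[[:space:]]/, "", kv[1])              # bare key name
            if (kv[1] == want_key) {
                sub(/^[^=]*=[[:space:]]*/, "")          # keep the value only
                sub(/[[:space:]]+$/, "")
                print
                exit
            }
        }' "$1"
}

# Client side: certname fixes the CN of the client certificate, independent of
# what uname -n reports; bindaddress is what the thread's final fix added.
# Usage: write_client_conf <file> <certname> <private-ip> <master-name>
write_client_conf() {
    cat > "$1" <<EOF
[main]
    ssldir = /var/lib/puppet/ssl

[puppetd]
    certname = $2
    server = $4
    bindaddress = $3
EOF
}

# Master side: a private certname and a bindaddress on the private interface,
# so puppetmasterd is not reachable from the public side at all.
# Usage: write_master_conf <file> <certname> <private-ip>
write_master_conf() {
    cat > "$1" <<EOF
[puppetmasterd]
    certname = $2
    bindaddress = $3
EOF
}

# Report client SSL files that belong to a name other than the configured
# certname (ca.pem is the master's CA cert and is expected).
# Exit status 0 = clean, 1 = stale files found (paths are printed).
stale_ssl_state() {
    conf="$1"; ssldir="$2"
    name=$(get_setting "$conf" puppetd certname)
    found=0
    for f in "$ssldir"/certs/*.pem "$ssldir"/private_keys/*.pem \
             "$ssldir"/certificate_requests/*.pem; do
        [ -e "$f" ] || continue
        base=$(basename "$f" .pem)
        [ "$base" = "ca" ] && continue
        if [ "$base" != "$name" ]; then
            echo "stale: $f"
            found=1
        fi
    done
    return $found
}

# The recovery the thread ended with: drop the client SSL state and request a
# fresh cert under the private certname; the master then signs it with puppetca.
# (--config and --waitforcert are assumed 0.24-era puppetd options.)
reissue_client_cert() {
    conf="$1"; ssldir="$2"
    if stale_ssl_state "$conf" "$ssldir"; then
        echo "client SSL state already matches certname; nothing to do"
        return 0
    fi
    rm -rf "$ssldir"
    puppetd --config "$conf" --test --waitforcert 60
    # then on the master:  puppetca --list && puppetca --sign <certname>
}
```

Run stale_ssl_state before wiping anything: a leftover certs/<publicname>.pem or private key under the old name is exactly the state that produces the "certificate verify failed" error quoted above, and the check tells you whether a reissue is needed or whether the problem is elsewhere (for example a master CA that was regenerated). Reissuing means the master must sign a new request, so expect a pending request in puppetca --list on the master.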