Puppet agent hostname/domain change


Artyom Krilov

Apr 18, 2012, 12:34:30 AM
to puppet...@googlegroups.com
Hi Everybody,

I have a puppet setup working, but ran into an issue which I couldn't figure out how to solve.

Say I have a puppet agent that generated a certificate, and I signed it on the puppet master. If somehow the puppet agent's hostname has been changed, it will stop communicating with the puppet master. I would like to know if there is a way to change the hostname of a puppet agent without interrupting communication between master and agent.

Thanks,
Artyom

Dan White

Apr 18, 2012, 8:35:43 AM
to puppet...@googlegroups.com
Been there, done that, got a link for you:

http://infrastructure.fedoraproject.org/infra/docs/infra-hostrename.txt

Basically, clean out the certificate info on the client/agent, clear the old info from the master, and then re-certify the agent/client with the new info.


“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
Bill Watterson (Calvin & Hobbes)


jcbollinger

Apr 18, 2012, 9:29:24 AM
to Puppet Users
You may be able to use the 'certname' parameter in the client's
puppet.conf to cause it to continue to present the old certificate,
but that's a hack, especially if your nodes generally identify
themselves to the master (via their certificates) according to their
(current) hostnames.

Note that the certname is what gets matched to node declarations, but
the $::hostname fact is always the actual hostname, so mucking with
certnames on an ad hoc basis may produce surprises later.

Note especially that if there is any chance that the original hostname
will be re-used by a different node, then the original and new nodes
cannot both identify themselves to the master by the same identifier
unless you copy the certificate from one to the other. In that case,
the two will always receive the same configuration, their reports will
be conflated on the master, and other badness may ensue.

If you want always to be able to change nodes' hostnames without re-
certifying them to the master, then you should make *all* your nodes
use certnames based on some unchanging node property, such as asset
number or MAC address. Changing over to such a policy will require
you to re-certify every node, of course, and you will need to adjust
your ENC and / or nodes.pp correspondingly, but afterward you will be
able to change any node's hostname without interrupting its
communication with the master.

If changing hostnames is generally a one-off for you, then you are
much better off simply re-certifying the modified node to the master
afterwards. Be sure to revoke the old certificate and clean it from
the master (in that order).


John
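
Added example (not part of the thread, and not Puppet's own tooling): one way to apply the policy described in the post above, deriving a certname from a MAC address and pinning it in the agent's puppet.conf so that the identity presented to the master no longer follows the hostname. The function names, the `node-` prefix, the choice of the `[main]` section and the sample file contents are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: pin a Puppet agent's certname to a MAC-derived identifier.
# Assumptions: the "node-" prefix, the [main] section, and both function names.

# Turn a MAC address into a certname: lowercase, separators stripped.
certname_from_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':-')
    case "$mac" in
        ""|*[!0-9a-f]*) return 1 ;;   # reject anything that is not hex
    esac
    [ "${#mac}" -eq 12 ] || return 1  # a MAC is exactly 12 hex digits
    printf 'node-%s\n' "$mac"
}

# Write "certname = NAME" directly under [main] in a puppet.conf-style file.
# Any older certname line in [main] is dropped; other sections are untouched.
set_certname() {
    conf=$1
    name=$2
    tmp=$(mktemp) || return 1
    awk -v name="$name" '
        /^[ \t]*\[/ {
            in_main = ($0 ~ /^[ \t]*\[main\][ \t]*$/)
            print
            if (in_main && !done) { print "    certname = " name; done = 1 }
            next
        }
        in_main && /^[ \t]*certname[ \t]*=/ { next }
        { print }
        END { if (!done) { print "[main]"; print "    certname = " name } }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps the file's mode and owner
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Demo on a constructed puppet.conf (sample values, not a real node).
demo_conf=$(mktemp)
printf '[main]\n    certname = web01.example.com\n[agent]\n    server = puppet.example.com\n' > "$demo_conf"
set_certname "$demo_conf" "$(certname_from_mac '00:1A:2B:3C:4D:5E')"
cat "$demo_conf"
rm -f "$demo_conf"
```

Reading the MAC address from the machine is left to the caller. As the post notes, a node switched to a new certname still has to be re-certified once under that name.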

Artyom Krilov

Apr 18, 2012, 10:11:49 AM
to puppet...@googlegroups.com
In this case if hostname changes are frequent I'll get too much unnecessary traffic.


Artyom Krilov

Apr 18, 2012, 10:15:30 AM
to puppet...@googlegroups.com
Thanks for the detailed explanation.

Using certname seems to be fine. I'll create some unchanging property as a fact and will use it in manifests.

Thanks,
Artyom

Balasubramaniam Natarajan

May 13, 2013, 9:28:05 AM
to puppet...@googlegroups.com


On Wednesday, 18 April 2012 08:35:43 UTC-4, Ygor wrote:
> Been there, done that, got a link for you:
>
> http://infrastructure.fedoraproject.org/infra/docs/infra-hostrename.txt
>
> Basically, clean out the certificate info on the client/agent, clear the old info from the master, and then re-certify the agent/client with the new info.

Though this is an old post, thanks a lot for your link shown above. Are puppetca and "puppet cert" one and the same?

jcbollinger

May 13, 2013, 4:46:25 PM
to puppet...@googlegroups.com


Newer versions of Puppet have "puppet cert"; older ones have "puppetca".  There may be a few versions that have both, one as an alias for the other.  They serve the same purpose in much the same way.


John

Dan White

May 13, 2013, 8:51:21 PM
to puppet...@googlegroups.com
A moldy oldie, but it was helpful to someone!