Starting over with Puppet Master and Puppet Client

tas

Jun 14, 2012, 5:35:12 PM
to puppet...@googlegroups.com
I am making a huge mess, so I'd rather start over and configure them.

This is a total newbie trying to set up something for his lab.... I think this would also help many people out there..

Part I.

I reinstalled puppetmaster and puppet on the master and client machine.

Here is the /etc/hosts for the master
127.0.0.1       localhost
127.0.1.1       ghive-ldap
10.10.0.57      ghive-ldap.abc.edu ghive-ldap
#10.10.0.57     ghive-ldap.abc.edu puppet
10.10.0.56      giab10

You see the line I commented out? In many tutorials, they say put the default puppet after there. I am not sure if I am supposed to do that (repeating a line like that...)? Everything else is default (our sys admin sets up that way...)

Here is the /etc/hosts on the client
127.0.0.1   localhost
127.0.1.1   giab10

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
130.55.57.51 ghive-ldap

I can ping puppet, ghive-ldap, giab10.....

So for this step one... how am I supposed to tweak things??? Uncomment what I have?

----------------
Part II.

I started puppetmaster on the master machine like this

Then on client:
sudo puppet agent --server ghive-ldap --waitforcert 60 --test --verbose
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session

It hangs there, so back to master and check the cert list
sudo puppet cert --list

I got none!

By the way, I have to add double dash in front of list, because of this:
sudo puppet cert list
Invalid method  to apply

So what should I do? I am not sure where the Doc covers this...
Should I issue sudo puppetca --sign giab10 on the master???

Please guide me through this. Thanks!


Dan White

Jun 14, 2012, 5:53:53 PM
to puppet...@googlegroups.com
Silly Question Number One:

What node definitions do you have in your manifest ?

Classically, you have *.pp files in /etc/puppet/manifest/nodes that are referenced from /etc/puppet/manifest/site.pp

As an example, this line is in my site.pp file:

import "nodes/*-nodes.pp"


“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
Bill Waterson (Calvin & Hobbes)


tas

Jun 14, 2012, 6:22:09 PM
to puppet...@googlegroups.com
Dear Ygor,

I am afraid I don't have any node definition. I search through... none.

We basically first blueprint our blueprint machine, generate puppet files, and then move them to the puppetmaster's /etc/puppet/modules
Then there is an init.pp file.

root@ghive-ldap:/etc/puppet# ls -r
ssl  modules  manifests

root@ghive-ldap:/etc/puppet/manifests# ls    (gives none...)

root@ghive-ldap:/etc/puppet/modules# ls
files  manifests  templates

root@ghive-ldap:/etc/puppet/modules/manifests# ls
init.pp

I don't have site.pp... according to the previous tech's manual (giab012412 is the blueprint name, used to generate puppets)
Then, in /etc/puppet/manifests/site.pp modify the line that reads
"include giab.." to say "include giab012412".  This will tell the puppetmaster
to apply the new giab blueprint to all giabs that connect to it.


Thanks...
Sorry for making things so confusing...

John

Dan White

Jun 14, 2012, 6:26:05 PM
to puppet...@googlegroups.com
Without a default node definition as an absolute minimum,
what is the Puppet Master supposed to do when queried by the Puppet Client/Agent ?

I believe it will do exactly what your servers are doing: bupkis !

http://en.wiktionary.org/wiki/bupkis

tas

Jun 14, 2012, 7:39:36 PM
to puppet...@googlegroups.com
Dear Ygor,

Thank you for the guidance.
I didn't know we have to specify one... almost every single tutorial I visit didn't mention it :( bad...
http://pratikamin.wordpress.com/2011/05/24/turning-a-blueprint-puppet-recipe-into-a-puppet-deployment/

Based on that tutorial, since I blueprint my server....

I ran puppetd --test on client and didn't get anything back. No one is waiting to be signed by the master.
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled


Structure of my Master
fileserver.conf
manifests  ===>  site.pp
modules    ===>  giab061112
                     ===>  files      ==> tmp
                                          ==> xxxxxxxxxxx.tar
                           manifests  ==> init.pp
                           templates  ==> etc files
ssl

site.pp has the following ('giab10' is the host name of the client)

node giab061112 {
        include giab061112
}

node 'giab10' inherits giab061112 {
}

The fileserver.conf is setup like this  (the ip for client is 10.10.0.56....)
[giab061112]
path /etc/puppet/modules/giab061112/files
allow 10.10.0.0/56

Any idea? Thanks!

jcbollinger

Jun 15, 2012, 10:31:50 AM
to puppet...@googlegroups.com


On Thursday, June 14, 2012 6:39:36 PM UTC-5, tas wrote:
> Dear Ygor,
>
> Thank you for the guidance.
> I didn't know we have to specify one... almost every single tutorial I visit didn't mention it :( bad...
> http://pratikamin.wordpress.com/2011/05/24/turning-a-blueprint-puppet-recipe-into-a-puppet-deployment/

Do you mean like this section from that article?

4. Edit /etc/puppet/manifests/site.pp, this is the default file puppet looks for, and loads first. For now you probably want to do it in here, but later put it into node.pp or something(assuming client name is blogtest.test.com)

node vpsblueprint {
include vps_blueprint
}

node 'blogtest.test.com' inherits vpsblueprint{
}

This tells puppet for the client connecting with the hostname blogtest.test.com it should use the vpsblueprint node, which includes the vps_blueprint module.

I must say that I have not noticed tutorials to be systematically deficient in that regard.  Puppetlabs's own cover the topic, and I don't recall seeing any full-blown tutorials that miss it.  More narrowly-focused tutorials might omit it where it would be out of scope, of course.

John

tas

Jun 15, 2012, 12:24:04 PM
to puppet...@googlegroups.com
Thanks John.
Yes. So I have a similar node configuration setup, as described in the previous post. I am writing out these steps so I can document this and hopefully will benefit more people....

on master:
service puppetmaster stop
service puppetmaster start

on client
service puppet stop
puppet agent --test

Check cert list on master, none.

NOW

on client, delete sudo rm -rf /var/lib/puppet/ssl
then run sudo puppetd -tdv

info: Creating a new SSL key for giab10

warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca

warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for giab10
info: Certificate Request fingerprint (md5): FF:FF:...........
Wow...

Back to master....

sudo puppetca --list
  giab10 (FF:FF:...................)
glasslab@ghive-ldap:~$ sudo puppet cert sign giab1
notice: Signed certificate request for giab10
notice: Removing file Puppet::SSL::CertificateRequest giab10 at '/etc/puppet/ssl/ca/requests/giab10.pem'
Cool.

Can we test again? Back to client...

sudo puppet agent --test
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

AHHHH...  Try this?  First delete the ssl....

sudo rm -rf /etc/puppet/ssl/

giabadmin@giab10:~$ sudo puppet agent --server puppet --waitforcert 60 --test --verbose
          sudo puppet agent --server ghive-ldap --waitforcert 60 --test --verbose
or
sudo puppet agent --test

err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
warning: Not using cache on failed catalog


NO LUCK....
Where's the problem?

Thanks.

tas

Jun 15, 2012, 12:32:11 PM
to puppet...@googlegroups.com
By the way,

sudo puppetd -tdv    did this again I receive the same SSL error....

My /etc/hosts on client looks like this
134.74.77.21 ghive-ldap.domain.com ghive-ldap puppet

On the client I have this
127.0.0.1       localhost
127.0.1.1       ghive-ldap
10.10.0.57      ghive-ldap.domain.com ghive-ldap
10.10.0.57      ghive-ldap.domain.com puppet    <--------- I added this line myself
10.10.0.56      giab10

Philip Brown

Jun 15, 2012, 12:44:44 PM
to puppet...@googlegroups.com


On Thursday, June 14, 2012 3:26:05 PM UTC-7, Ygor wrote:
> Without a default node definition as an absolute minimum,
> what is the Puppet Master supposed to do when queried by the Puppet Client/Agent ?
>
> I believe it will do exactly what your servers are doing: bupkis !

Minor point of pedantry:

While I think having node definitions is a good idea, technically speaking, I don't think they are required. I think it is possible to have a site.pp that does exactly the same thing for all machines, and that is technically "legal" puppetry.

But I'm not an expert, so please take my statement with a grain of salt.
 

tas

Jun 15, 2012, 12:57:19 PM
to puppet...@googlegroups.com
Thanks for the suggestion, Philip. Keep this thread alive :)))  I mean docs are great, but sometimes a more comprehensive step-by-step like this one might serve better.
Any case, anyone know how to deal with the latest issue I have above?

Thanks...

jcbollinger

Jun 15, 2012, 6:29:01 PM
to puppet...@googlegroups.com


On Friday, June 15, 2012 11:32:11 AM UTC-5, tas wrote:
> By the way,
>
> sudo puppetd -tdv    did this again I receive the same SSL error....
>
> My /etc/hosts on client looks like this
> 134.74.77.21 ghive-ldap.domain.com ghive-ldap puppet
>
> On the client I have this
> 127.0.0.1       localhost
> 127.0.1.1       ghive-ldap
> 10.10.0.57      ghive-ldap.domain.com ghive-ldap
> 10.10.0.57      ghive-ldap.domain.com puppet    <--------- I added this line myself
> 10.10.0.56      giab10

That duplication of the entry for 10.10.0.57 is non-standard, and quite possibly either won't do what you hope or will have unwanted side effects.  Hosts lines support multiple aliases, so you should instead append the "puppet" alias to the first 10.10.0.57 entry.


John
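
The hosts-file fix described in the reply above, as an added example that is not part of the thread: a Python check that finds addresses listed on more than one line, reports names mapped to more than one address, and folds the extra aliases into the first entry. The function names are hypothetical, the sample input is the hosts file quoted above, and comments in the input are dropped from the merged output.

```python
import ipaddress
from collections import Counter

# Hosts file as posted in the thread (note the second 10.10.0.57 line).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.1.1       ghive-ldap
10.10.0.57      ghive-ldap.domain.com ghive-ldap
10.10.0.57      ghive-ldap.domain.com puppet
10.10.0.56      giab10
"""

def parse_hosts(text):
    """Return [(ip, [names...])] per entry line; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip = str(ipaddress.ip_address(fields[0]))  # ValueError on a malformed address
        entries.append((ip, fields[1:]))
    return entries

def duplicate_ips(text):
    """Addresses that appear on more than one line."""
    counts = Counter(ip for ip, _ in parse_hosts(text))
    return [ip for ip, n in counts.items() if n > 1]

def ambiguous_names(text):
    """Names that are mapped to more than one address."""
    owners = {}
    for ip, names in parse_hosts(text):
        for n in names:
            ips = owners.setdefault(n, [])
            if ip not in ips:
                ips.append(ip)
    return {n: ips for n, ips in owners.items() if len(ips) > 1}

def merge_duplicate_ips(text):
    """Fold later lines for an address into its first line, keeping alias order."""
    merged = {}
    for ip, names in parse_hosts(text):
        known = merged.setdefault(ip, [])
        known.extend(n for n in names if n not in known)
    return "".join(f"{ip:<15} {' '.join(names)}\n" for ip, names in merged.items())

if __name__ == "__main__":
    print(merge_duplicate_ips(SAMPLE_HOSTS), end="")
```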
