Multi-master with SRV records


Justin Lambert

May 5, 2015, 4:09:31 PM5/5/15
to puppet...@googlegroups.com

I need to build a new puppet environment and was looking at using SRV records for a multi-master setup.  Having a single master and SRV records works great, but I haven’t successfully been able to build a second master.

https://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-4-dns-srv-records makes it sound like magic, just additional nodes to the record set for _x-puppet._tcp.  

Option 1B (https://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-1-direct-agent-nodes-to-the-ca-master) for centralizing the CA is a bit more vague.  Setting the _x-puppet-ca._tcp record is easy enough, but do I also need to set the dns_alt_names on the certificate to all of the servers that would be added to the _x-puppet._tcp record?

I have been trying to find a more detailed tutorial online, but so far have been unsuccessful.

Thanks,

jl

Christopher Wood

May 5, 2015, 4:34:02 PM5/5/15
to puppet...@googlegroups.com
On Tue, May 05, 2015 at 12:46:10PM -0700, Justin Lambert wrote:
>
>
> I need to build a new puppet environment and was looking at using SRV
> records for a multi-master setup. Having a single master and SRV records
> works great, but I haven’t successfully been able to build a second master.
>
> https://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-4-dns-srv-records makes
> it sound like magic, just additional nodes to the record set for
> _x-puppet._tcp.
>
> Option 1B (
> https://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-1-direct-agent-nodes-to-the-ca-master) for
> centralizing the CA is a bit more vague. Setting the _x-puppet-ca._tcp
> record is easy enough, but do I also need to set the dns_alt_names on the
> certificate to all of the servers that would be added to the _x-puppet._tcp
> record?

Can't comment on the srv thing because I haven't done it, but the cert presented by any given puppetmaster has to match the name the agent thinks it is called or the agent run will fail. It looks like you won't need SAN (Subject Alternative Name) certs unless you have a puppetmaster which may be known by more than one hostname (in front of and behind a load balancer, for instance).

> I have been trying to find a more detailed tutorial online, but so far have
> been unsuccessful.
>
> Thanks,
>
> jl
>

Paul Seymour

May 6, 2015, 5:14:49 AM5/6/15
to puppet...@googlegroups.com
Hello,

I have 5 different Puppet environments running against SRV records with a pair of nodes each (also setting records for fileserver and report). When I set up the masters I generated the master CA manually, essentially with:

# puppet master --no-daemonize --verbose --dns_alt_names=puppet.<domain>,<master1>,<master2>

Then copied that into place on both masters (I also use btsync to keep the SSL dirs up to date on both).

So it's possible to do it this way, even if slightly over-complicated, but the situation demanded total HA.

I really wish Puppet-Server, or v4 or whatever it's called did HA in a slightly more supported fashion. Sigh.

Cheers
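The two replies above make one combined point: an agent picks a target out of the _x-puppet._tcp (or _x-puppet-ca._tcp) SRV record set and then verifies the master's certificate against that target name, so every SRV target must appear in the SAN list of the certificate that master presents (which is why Paul's single certificate lists puppet.<domain> plus both master names). The script below is an added example written for this thread, not code from Puppet or from either poster. It parses zone-file style SRV records, orders targets the way an agent would try them (ascending priority; within a priority, higher weight first as a deterministic stand-in for the weighted random choice), and reports any target whose certificate does not cover its own name. The zone lines, hostnames and SAN lists are constructed samples, and the wildcard matching is a generic RFC 6125-style rule rather than a claim about how Puppet's own verifier handles wildcards.

```python
"""Check that every master advertised in _x-puppet._tcp / _x-puppet-ca._tcp
SRV records presents a certificate whose names cover the SRV target.
Added example, not Puppet's code; all DNS data and SAN lists are constructed."""
import re
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "service priority weight port target")

# Constructed zone-file style SRV lines; example.com hosts are placeholders.
SAMPLE_ZONE = """
_x-puppet._tcp.example.com.    300 IN SRV 0  50  8140 master1.example.com.
_x-puppet._tcp.example.com.    300 IN SRV 0  50  8140 master2.example.com.
_x-puppet-ca._tcp.example.com. 300 IN SRV 0  100 8140 master1.example.com.
_x-puppet-ca._tcp.example.com. 300 IN SRV 10 100 8140 master2.example.com.
"""

# Constructed SAN lists, one per master.  Mirrors the thread's setup: one cert
# generated with --dns_alt_names=puppet.<domain>,<master1>,<master2> and
# copied to both masters, so both present the same three names.
SAMPLE_SANS = {
    "master1.example.com": ["puppet.example.com", "master1.example.com", "master2.example.com"],
    "master2.example.com": ["puppet.example.com", "master1.example.com", "master2.example.com"],
}

SRV_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_srv(zone_text):
    """Parse 'owner TTL IN SRV prio weight port target' lines into SrvRecords."""
    records = []
    for line in zone_text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_RE.match(line)
        if not m:
            raise ValueError("not an SRV record: %r" % line)
        service, prio, weight, port, target = m.groups()
        records.append(SrvRecord(service.rstrip(".").lower(), int(prio),
                                 int(weight), int(port), target.rstrip(".").lower()))
    return records


def name_matches(presented, wanted):
    """Exact match, or a single leading wildcard label covering exactly one label
    (generic RFC 6125-style rule; assumed, not Puppet's verifier)."""
    presented = presented.lower().rstrip(".")
    wanted = wanted.lower().rstrip(".")
    if presented == wanted:
        return True
    if presented.startswith("*."):
        w_labels = wanted.split(".")
        return len(w_labels) > 1 and ".".join(w_labels[1:]) == presented[2:]
    return False


def cert_covers(sans, hostname):
    """True if any SAN entry on the presented cert matches the hostname."""
    return any(name_matches(san, hostname) for san in sans)


def uncovered_targets(records, sans_by_host):
    """(service, target) pairs where the master's own cert does not name the
    SRV target the agent will connect to; these agent runs would fail."""
    bad = []
    for r in records:
        if not cert_covers(sans_by_host.get(r.target, []), r.target):
            bad.append((r.service, r.target))
    return bad


def ordered_targets(records, service):
    """Order an agent would try targets: ascending priority, then higher weight
    first (deterministic stand-in for the weighted random pick), then name."""
    wanted = service.rstrip(".").lower()
    rs = [r for r in records if r.service == wanted]
    return [r.target for r in sorted(rs, key=lambda r: (r.priority, -r.weight, r.target))]


if __name__ == "__main__":
    recs = parse_srv(SAMPLE_ZONE)
    for svc in ("_x-puppet._tcp.example.com", "_x-puppet-ca._tcp.example.com"):
        print(svc, "->", ordered_targets(recs, svc))
    print("targets not covered by their cert:", uncovered_targets(recs, SAMPLE_SANS))
```

Feeding the script a SAN map where master1 only carries puppet.example.com makes `uncovered_targets` flag master1 for both services, which is the failure Christopher describes: the name the agent resolved from SRV is not on the certificate that master presents.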