Hi Gonzalo,
> Has anyone done this sort of thing? How'd you get around the SSL issues? I
> could use the same CA cert on both Puppet servers but I assume that won't
> work as the hostnames are different?
I am actually doing this, but on the same puppet server. What I have done is the following:
- Main puppet master runs as user puppet, with default parameters. The /etc/puppet directory is a Git checkout.
- Then, as my normal username, I run another instance of puppet master, listening on a different port, with my local changes:
* I choose a unique $PORT for each user; this way you can have as many puppetmasters as you want.
* I create a runtime-puppet directory with empty 'rundir' and 'logdir' subdirectories. They just get the logs and the pidfile.
* Then, I populate a third 'vardir' subdirectory with a copy of /var/lib/puppet, which brings together all the certificates. You may need to change the ownership of that directory to your username, for the private key. The clients' keys may be shared with symlinks if you like; otherwise you will need to sync both directories every time you have a new cert.
* Finally, puppetmasterd runs as my username, this way:
puppetmasterd --rundir=/home/pablof/runtime-puppet/rundir --vardir=/home/pablof/runtime-puppet/vardir --confdir=/home/pablof/puppet-tree --logdir=/home/pablof/runtime-puppet/logdir --masterport=$PORT "$@"
You can then have in --confdir (I call it puppet-tree) a local copy of the /etc/puppet dir I share with Git. This way I make my local copies, without pushing the changes, and my private puppetmasterd sees them instantly. If I want to have a single node pick up my temp configuration, I stop puppetd there, and run by hand (in the client): puppetd -t --masterport=$PORT, with the same $PORT I used in the puppetmasterd.
Easy, and it works like a charm.
But if you need it to be different machines, I don't know what will happen with the server certificate. If puppetd is smart enough, it won't let you, but maybe you can trick your client with a temporary /etc/hosts entry; it may be worth a try.
Good luck!
Pablo
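The per-user master layout Pablo describes, as an added shell example (not code from the original thread). The function name, argument order and the optional "share the signed client certs via symlink" step are my assumptions; the rundir/logdir/vardir names and the puppetmasterd flags are his.

```shell
#!/bin/sh
# Added example: lay out a per-user puppetmasterd runtime tree as in Pablo's
# post. Function name, argument order and the 'share' option are assumptions.
#
# make_user_master BASE SRC_VARDIR CONFDIR PORT [share]
#   BASE        per-user runtime dir to create (e.g. $HOME/runtime-puppet)
#   SRC_VARDIR  the main master's vardir to copy (/var/lib/puppet in the thread)
#   CONFDIR     the user's working copy of /etc/puppet (his "puppet-tree")
#   PORT        unique, unprivileged master port for this user's instance
#   share       if given, symlink ssl/ca/signed to the main master's copy so
#               newly signed agent certs are seen without re-syncing
# Prints the puppetmasterd command line; it does not start the daemon.
make_user_master() {
    base=$1 src=$2 confdir=$3 port=$4 share=$5
    # A non-root user cannot bind below 1024, and each user needs its own port.
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    [ "$port" -gt 1024 ] && [ "$port" -le 65535 ] || { echo "port out of range" >&2; return 1; }
    [ -d "$src/ssl" ] || { echo "no ssl tree under $src" >&2; return 1; }
    [ -e "$base/vardir" ] && { echo "$base/vardir already exists" >&2; return 1; }

    mkdir -p "$base/rundir" "$base/logdir"
    # The copied vardir carries the master (and CA) private keys, so the copy
    # is created owned by and readable only by the invoking user; this is the
    # ownership change Pablo mentions, done at copy time.
    ( umask 077; cp -R "$src" "$base/vardir" )
    chmod -R go-rwx "$base/vardir/ssl"

    if [ -n "$share" ]; then
        # Share the main master's signed client certs instead of a stale copy.
        rm -rf "$base/vardir/ssl/ca/signed"
        ln -s "$src/ssl/ca/signed" "$base/vardir/ssl/ca/signed"
    fi

    printf 'puppetmasterd --rundir=%s --vardir=%s --confdir=%s --logdir=%s --masterport=%s\n' \
        "$base/rundir" "$base/vardir" "$confdir" "$base/logdir" "$port"
}
```

The agent side is unchanged from his post: stop puppetd on the test node and run puppetd -t --masterport=$PORT by hand.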
As others have suggested, environments might be an easier way to do this.
> I ran into some SSL trouble. When I point at the staging server, I get
> various SSL related errors and I assume it's because the ca cert is
> different. I can get around it by clearing /var/lib/puppet/ssl and
> regenerating/signing the certificate, but I have to do the same thing when I
> go back to the production server which is not what I was hoping for.
The issue here is that you are running two puppet masters with two different self-signed CAs. If you intend all puppet agents to connect to both systems, only run the CA on one master and configure the second master with ca=false. Generate the second master's cert on the CA server with the appropriate dns_alt_name:
puppet cert -g secondmaster --dns_alt_name='secondmaster,secondmaster.foo.lan'
Copy this cert to the appropriate location on your secondary puppet master. All puppet agents should configure puppet_ca to the master running the CA, and they should be able to connect to both servers.
Thanks,
Nan