migrating to new puppet servers


Roy Nielsen

Aug 25, 2011, 4:31:44 PM
to puppet...@googlegroups.com
Hello,

We need to migrate ~3000 machines to a new puppet server.

What is the recommended method of doing this, considering the cert issues?

Thanks,
-Roy Nielsen

Matthew Nicholson

Aug 25, 2011, 9:28:29 PM
to puppet...@googlegroups.com

Did this recently, basically:

Create a new module to do the work, that:

Upgrades the client
Drops in a new config
Removes old cert from client
Bounces the service

Did about 98% of our ~1600 systems with this, worked well, moved things as they checked in instead of one big push.


Nan Liu

Aug 25, 2011, 10:12:04 PM
to puppet...@googlegroups.com
On Thu, Aug 25, 2011 at 1:31 PM, Roy Nielsen <r...@lanl.gov> wrote:
> Hello,
>
> We need to migrate ~3000 machines to a new puppet server.
>
> What is the recommended method of doing this, considering the cert issues?

Not much, just make sure you generate a cert for the new puppet master
using the existing CA cert. You should not need to replace the
existing agent certs, and this gives you an easy way to fail back in
case you run into any issues.

Migrate puppet manifests/configuration.
Copy the old puppet server ssl directory to the new master (replace
everything in there).
Generate a new cert for the new puppet master
$ puppet master --no-daemonize -v
Run puppet cert -p and check the new puppet master cert is signed by
the same CA as existing agent certs.
Test an existing agent against the new master.
$ puppet agent --server new_master -t --noop
Update DNS to new puppet master.

Thanks,

Nan
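
The "signed by the same CA" check in the steps above can be done with `openssl verify`. This is an added example, not part of the original post: it builds a throwaway CA and certificates in a temp directory (all names constructed) so it runs offline, and it assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example (not from the thread): confirm certs chain to one CA.
# Every name and file below is constructed for the demo.

# signed_by CA_PEM CERT_PEM: exit 0 only if CERT_PEM verifies against CA_PEM.
signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_ca DIR NAME: throwaway self-signed CA, a stand-in for the Puppet CA.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_cert DIR CA NAME: new key and CSR for NAME, signed by CA.
make_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" >/dev/null 2>&1
}

# demo: the old CA signs an existing agent and the new master (the setup the
# steps above produce); a freshly built CA signs a second master (what you
# get if the ssl directory is not copied). Prints one verdict per cert.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" old_ca && make_ca "$d" fresh_ca &&
    make_cert "$d" old_ca agent01 &&
    make_cert "$d" old_ca new_master &&
    make_cert "$d" fresh_ca rebuilt_master || { rm -rf "$d"; return 1; }
    for c in agent01 new_master rebuilt_master; do
        if signed_by "$d/old_ca.pem" "$d/$c.pem"; then
            echo "$c: signed by old CA"
        else
            echo "$c: NOT signed by old CA"
        fi
    done
    rm -rf "$d"
}

demo
```

Against a real master, call `signed_by` with the CA certificate and the master or agent certificate from the Puppet ssl directory.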

Jonathan Gazeley

Aug 31, 2011, 9:34:13 AM
to puppet...@googlegroups.com
On 26/08/11 03:12, Nan Liu wrote:
> On Thu, Aug 25, 2011 at 1:31 PM, Roy Nielsen <r...@lanl.gov> wrote:
>> Hello,
>>
>> We need to migrate ~3000 machines to a new puppet server.
>>
>> What is the recommended method of doing this, considering the cert issues?
>
> Not much, just make sure you generate a cert for the new puppet master
> using the existing CA cert. You should not need to replace the
> existing agent certs, and this gives you an easy way to fail back in
> case you run into any issues.

This sounds like a good idea. I find certificates endlessly confusing -
can you please spell this out in detail?

Thanks,
Jonathan

Naresh V

Aug 31, 2011, 9:39:58 AM
to puppet...@googlegroups.com
On 31 August 2011 19:04, Jonathan Gazeley <jonathan...@bristol.ac.uk> wrote:
> On 26/08/11 03:12, Nan Liu wrote:
>>
>> On Thu, Aug 25, 2011 at 1:31 PM, Roy Nielsen <r...@lanl.gov> wrote:
>>>
>>> Hello,
>>>
>>> We need to migrate ~3000 machines to a new puppet server.
>>>
>>> What is the recommended method of doing this, considering the cert
>>> issues?
>>
>> Not much, just make sure you generate a cert for the new puppet master
>> using the existing CA cert. You should not need to replace the
>> existing agent certs, and this gives you an easy way to fail back in
>> case you run into any issues.
>
> This sounds like a good idea. I find certificates endlessly confusing - can
> you please spell this out in detail?

http://www.masterzen.fr/2010/11/14/puppet-ssl-explained/

> Thanks,
> Jonathan

-Naresh V.
