Proper DNS configuration with Puppet


Forrie

Jan 18, 2010, 4:11:00 PM1/18/10
to Puppet Users
Puppet docs require a PUPPET server name -- which I presumed a CNAME
would suffice. However, I'm finding that's not the case - as the SSL
cert generated is for the actual system name puppetmasterd runs on
(makes sense).

The server that puppetmasterd is running on services other purposes,
and I don't want to call it puppet. I'm wondering if this is simply
for cosmetic needs, say, for new clients.


Thanks.

Scott Smith

Jan 18, 2010, 4:33:41 PM1/18/10
to puppet...@googlegroups.com

Use a DNS alias with no PTR or a CNAME. Also look at the certdnsnames parameter.

-scott

Silviu Paragina

Jan 19, 2010, 5:09:55 AM1/19/10
to puppet...@googlegroups.com
CNAME DNS entries work with puppet. You must realize that they might not
be as reliable, but they work. Make sure the value of the server config
parameter on the client is either equal to certname or in certdnsnames
on the server. This also goes for the client on the server. Check
http://docs.reductivelabs.com/references/stable/configuration.html for
further details ;)

Silviu

Trevor Vaughan

Jan 19, 2010, 9:02:26 AM1/19/10
to puppet...@googlegroups.com
Your forward DNS name can be anything.

Your reverse DNS name *must* be one of the DNS entries in your cert,
the primary hostname by default.

Trevor


--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvau...@onyxpoint.com

-- This account not approved for unencrypted proprietary information --

jcbollinger

Jan 19, 2010, 9:03:15 AM1/19/10
to Puppet Users

Puppetd is configured to use the server name "puppet" by default, but
you can easily point it to any other name. The startup option
--server=<alternative.name> does this. If you have installed Puppet via
the RPM then you have a file /etc/sysconfig/puppet wherein you can
record the appropriate server name; the init script thereafter will
automatically add that option when it starts puppetd.

Using the default name can be somewhat advantageous when bringing up
new clients from scratch (one less thing to manually configure), but
otherwise I don't think it gains you anything.


John

R.I.Pienaar

Jan 19, 2010, 9:07:54 AM1/19/10
to puppet...@googlegroups.com
hey,

----- "jcbollinger" <John.Bo...@stJude.org> wrote:

> On Jan 18, 3:11 pm, Forrie <for...@gmail.com> wrote:
> > Puppet docs require a PUPPET server name -- which I presumed a CNAME
> > would suffice. However, I'm finding that's not the case - as the SSL
> > cert generated is for the actual system name puppetmasterd runs on
> > (makes sense).
> >
> > The server that puppetmasterd is running on services other purposes,
> > and I don't want to call it puppet. I'm wondering if this is simply
> > for cosmetic needs, say, for new clients.
>
> Puppetd is configured to use the server name "puppet" by default, but
> you can easily point it to any other name. The startup option
> --server=<alternative.name> does this. If you have installed Puppet
> via the RPM then you have a file /etc/sysconfig/puppet wherein you can
> record the appropriate server name; the init script thereafter will
> automatically add that option when it starts puppetd.

I'd avoid editing the sysconfig file for this purpose; it just makes running commands like puppetd --test a pain. Editing the puppet.conf is best. Changing the hostname also has implications on the server, though, to keep in mind.

>
> Using the default name can be somewhat advantageous when bringing up
> new clients from scratch (one less thing to manually configure), but
> otherwise I don't think it gains you anything.


It also takes away: say you manage laptops and you use 'puppet'; you can have quite big problems if you move that laptop to another environment that also uses puppet. For servers on a LAN, though, it helps a lot.

CNAMEs work perfectly.
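The consistency rule from Silviu's reply (the client's `server` value must equal the master's `certname` or appear in the master's `certdnsnames`), applied to the puppet.conf settings that jcbollinger and R.I.Pienaar discuss, as an added example that is not part of the thread or of Puppet itself. It assumes puppet.conf is INI-style (so Python's `configparser` can read it), that the client's `server` lives in `[agent]`, `[puppetd]` or `[main]`, that the master's `certname`/`certdnsnames` live in `[master]`, `[puppetmasterd]` or `[main]`, and that `certdnsnames` is a colon-separated list; the two config texts are constructed sample input.

```python
"""Check that a Puppet client's `server` setting will be accepted against the
names on the puppetmaster's certificate (certname plus certdnsnames).

Added example, not code from the thread or from Puppet. Section names,
fallback order and the colon-separated certdnsnames format are assumptions.
"""
import configparser

# Constructed sample: puppet.conf on a master named after its real host,
# which also lists the "puppet" alias and the CNAME that clients will use.
MASTER_CONF = """
[main]
certname = infra01.example.com

[master]
certdnsnames = puppet:puppet.example.com
"""

# Constructed sample: puppet.conf on a client that points at the CNAME.
CLIENT_CONF = """
[main]
server = puppet.example.com
"""

# Assumed section fallback order (newer names first, then legacy, then [main]).
CLIENT_SECTIONS = ("agent", "puppetd", "main")
MASTER_SECTIONS = ("master", "puppetmasterd", "main")

DEFAULT_SERVER = "puppet"  # puppetd's default, as noted in the thread


def parse_conf(text):
    """Parse puppet.conf text. Only '=' is a delimiter so that a ':' inside a
    value such as certdnsnames is kept as part of the value."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def setting(cp, sections, key, default=None):
    """Return the first value of `key` found in `sections`, else `default`."""
    for sec in sections:
        if cp.has_section(sec) and cp.has_option(sec, key):
            return cp.get(sec, key).strip()
    return default


def master_accepted_names(master_text):
    """Names the master's certificate will carry: certname and every entry
    of the colon-separated certdnsnames list, lower-cased for comparison."""
    cp = parse_conf(master_text)
    names = set()
    certname = setting(cp, MASTER_SECTIONS, "certname")
    if certname:
        names.add(certname.lower())
    for name in setting(cp, MASTER_SECTIONS, "certdnsnames", "").split(":"):
        name = name.strip().lower()
        if name:
            names.add(name)
    return names


def client_server_name(client_text):
    """The name the client will connect to and expect on the master's cert."""
    cp = parse_conf(client_text)
    return setting(cp, CLIENT_SECTIONS, "server", DEFAULT_SERVER).lower()


def check_client_against_master(client_text, master_text):
    """Return (ok, server, accepted_names). `ok` is True only when the client's
    server name is one the master's certificate will present."""
    server = client_server_name(client_text)
    accepted = master_accepted_names(master_text)
    return server in accepted, server, sorted(accepted)


if __name__ == "__main__":
    ok, server, accepted = check_client_against_master(CLIENT_CONF, MASTER_CONF)
    verdict = "OK" if ok else "MISMATCH"
    print(f"{verdict}: client uses '{server}', master cert names: {accepted}")
```

Running the block as-is reports a match, because the CNAME `puppet.example.com` is listed in `certdnsnames`. Dropping it from the master's `certdnsnames`, or pointing the client at a name the master never listed, produces a mismatch, which is the SSL failure Forrie hit when a bare CNAME was used without the alias being on the cert.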

Todd Zullinger

Jan 19, 2010, 10:29:27 AM1/19/10
to puppet...@googlegroups.com
R.I.Pienaar wrote:
> I'd avoid editing the sysconfig file for this purpose, it just makes
> running commands like puppetd --test a pain. Editing the
> puppet.conf is best.

That's good advice. As David Lutterkort noted in #2699¹:

"... the sysconfig files were created before puppet had its own
config files; nowadays, they are not needed anymore, and we should
figure out ways to remove them completely (maybe start with
including a comment at the top "Legacy cruft - set these up in the
puppet config files instead")"

We didn't go that far because things like

PUPPETMASTER_PORTS=( 18140 18141 18142 18143 )

aren't something that can be handled in the puppet.conf. But most of
the other settings in the sysconfig files are better placed in
puppet.conf. Does adding something like this to the top of the
sysconfig files sound good?

#
# NOTE: Most of these options are better set in /etc/puppet/puppet.conf
#

¹ http://projects.reductivelabs.com/issues/2699#note-6

--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
All I really want for Christmas is Santa's list of Naughty Girls.
