To set up a new host to be a puppet client, do the following:
- : ::client:: && apt-get install puppet &&
- /etc/init.d/puppet stop &&
- puppetd -w 5 --debug -t --factsync
+Make sure you have set up the IP address for the new machine in ud-ldap.
+After that run puppet on puppetmaster once, so the ferm config get
+adjusted.
+
+ : __handel__ && puppet agent --no-daemonize --onetime --environment=production
+
+ : ::client:: && me=$(hostname -f) && [ "$me" != "${me%debian.org}" ] && apt-get update &&
+ apt-get install -y --no-install-recommends puppet libaugeas-ruby1.8 augeas-lenses lsb-release &&
+ service puppet stop &&
+ (puppet agent --no-daemonize --onetime || true ) &&
+ cd /var/lib/puppet/ssl/certificate_requests &&
+ echo sha256sum output: && echo &&
+ sha256sum $me.pem &&
+ echo && echo && cd /
This will not overwrite anything yet, since handel has not signed the
client cert. Now is the time to abort if you are getting cold feet.
Compare incoming csr request:
-on handel:
-
- : __handel__ && echo -n 'Client name: ' && read client &&
- sha1sum /var/lib/puppet/ssl/ca/requests/$client.debian.org.pem
-on new client:
-
- : ::client:: && sha1sum /var/lib/puppet/ssl/csr_$(hostname).debian.org.pem
-
-If you're satisfied, sign the request on handel with:
-
- : __handel__ && puppetca --sign $client.debian.org
-
-bootstrap client knowledge of puppet ca:
-on handel:
-
- : __handel__ && echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' &&
+on handel, paste the sha256output::
+
+ : __handel__ &&
+ ud-replicate && sudo -u puppet make -C /srv/puppet.debian.org/ca/ install &&
+ echo "paste sha256sum output now:" &&
+ read sha256 filename &&
+ cd /var/lib/puppet/ssl/ca/requests &&
+ ( [ -e $filename ] || (echo "$filename does not exist."; exit 1) ) &&
+ echo -e "$sha256 $filename" | sha256sum -c &&
+ puppetca --sign $(basename "$filename" .pem) &&
+ echo && echo && echo &&
+ echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' &&
cat /var/lib/puppet/ssl/certs/ca.pem &&
echo 'EOF' &&
- echo "cat > /var/lib/puppet/ssl/certs/$client.debian.org.pem << EOF " &&
- cat /var/lib/puppet/ssl/ca/signed/$client.debian.org.pem &&
- echo 'EOF'
+ echo "cat > /var/lib/puppet/ssl/certs/$filename << EOF " &&
+ cat /var/lib/puppet/ssl/ca/signed/$filename &&
+ echo 'EOF' &&
+ cd / &&
+ echo 'puppet agent --enable' &&
+ echo 'puppet agent --no-daemonize --onetime --pluginsync' &&
+ echo 'puppet agent --no-daemonize --onetime --pluginsync'
and execute this on the client.
- : ::client:: copy paste the thing you just created on handel
+ : ::client:: copy paste the thing you just created on handel
If this is a busy mail host, you might want to stop exim before proceeding
although the config files should remain identical before and after.
+Try this once if you're nervous:
+
+ : ::client:: && puppet agent --no-daemonize --onetime --pluginsync --noop
+
+It will tell you what would have changed without actually doing it.
+
Then run (this will change the configs in /etc):
- : ::client:: && puppetd -w 5 --debug -t --factsync
+ : ::client:: && puppet agent --no-daemonize --onetime --pluginsync
-This run will start puppet after reconfiguring it, so if you are
-unhappy with what just happened, you'll need to stop it again to do
+This run will start puppet after reconfiguring it, so if you are
+unhappy with what just happened, you'll need to stop it again to do
repair.
-Finally, for some reason, the switch to puppet seems to heavily confuse
-samhain (possibly the config file getting changed out from under it?).
+Double check apt - the puppet setup usually results in duplicate apt
+sources, since we ship a few under sources.list.d. Remove any unnecessary
+entries from sources.list.
+
+On handel, make sure the certs exist for the new host
+
+
+We ship a samhain config file that includes /lib and /usr/lib. This will
+almost certainly be different than the config file on the machine, so it
+will result in 1000s of files changed.
You may need to run samhain update after getting puppet going.
-When you're happy with everything, add teh new host to the puppet
-hostgroup in dsa-nagios.
+The puppet repository is public, but we sometimes need to keep passwords
+in puppet. There are many ways to do this - hiera-gpg, ENC, etc. We've
+settled on a fairly simple one. Log into handel, create a new manifest
+in the relevant module (call is something like "params.pp"). You can add
+passwords to this file. To stop git complaining on push, make sure you
+update .gitignore for the new file. Now you can import this file where
+you need passwords and use them.