and one less factsync

[mirror/dsa-wiki.git] / input / howto / puppet-setup.mdwn

diff --git a/input/howto/puppet-setup.mdwn b/input/howto/puppet-setup.mdwn
index 9503e96..caf536b 100644 (file)
--- a/input/howto/puppet-setup.mdwn
+++ b/input/howto/puppet-setup.mdwn
@@ -6,9 +6,16 @@ this list is likely to get out of date quickly).
 
 To set up a new host to be a puppet client, do the following:
 
-       : ::client:: && apt-get install puppet &&
+Make sure you have set up the IP address for the new machine in ud-ldap.
+After that run puppet on puppetmaster once, so the ferm config get
+adjusted.
+
+        : __handel__ && puppetd -t --environment=production
+
+        : ::client:: && apt-get update &&
+                apt-get install --no-install-recommends puppet libaugeas-ruby1.8 augeas-lenses &&
                 /etc/init.d/puppet stop &&
-                puppetd -w 5 --debug -t --factsync
+                puppetd -w 5 -t
 
 This will not overwrite anything yet, since handel has not signed the
 client cert.  Now is the time to abort if you are getting cold feet.
@@ -16,20 +23,20 @@ client cert.  Now is the time to abort if you are getting cold feet.
 Compare incoming csr request:
 on handel:
 
-       : __handel__ && echo -n 'Client name: ' && read client &&
+        : __handel__ && echo -n 'Client name: ' && read client &&
                 sha1sum /var/lib/puppet/ssl/ca/requests/$client.debian.org.pem
 on new client:
 
-       : ::client:: && sha1sum /var/lib/puppet/ssl/csr_$(hostname).debian.org.pem
+        : ::client:: && sha1sum /var/lib/puppet/ssl/certificate_requests/$(hostname).debian.org.pem
 
 If you're satisfied, sign the request on handel with:
 
-       : __handel__ && puppetca --sign $client.debian.org
+        : __handel__ && puppetca --sign $client.debian.org
 
 bootstrap client knowledge of puppet ca:
 on handel:
 
-       : __handel__ && echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' &&
+        : __handel__ && echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' &&
                 cat /var/lib/puppet/ssl/certs/ca.pem &&
                 echo 'EOF' &&
                 echo "cat > /var/lib/puppet/ssl/certs/$client.debian.org.pem << EOF " &&
@@ -38,22 +45,26 @@ on handel:
 
 and execute this on the client.
 
-       : ::client:: copy paste the thing you just created on handel
+        : ::client:: copy paste the thing you just created on handel
 
 If this is a busy mail host, you might want to stop exim before proceeding
 although the config files should remain identical before and after.
 
 Then run (this will change the configs in /etc):
 
-       : ::client:: && puppetd -w 5 --debug -t --factsync
+        : ::client:: && puppetd -w 5 --debug -t
 
 This run will start puppet after reconfiguring it, so if you are 
 unhappy with what just happened, you'll need to stop it again to do 
 repair.
 
-Finally, for some reason, the switch to puppet seems to heavily confuse
-samhain (possibly the config file getting changed out from under it?).
+Double check apt - the puppet setup usually results in duplicate apt
+sources, since we ship a few under sources.list.d.  Remove any unnecessary
+entries from sources.list.
+
+We ship a samhain config file that includes /lib and /usr/lib.  This will
+almost certainly be different than the config file on the machine, so it
+will result in 1000s of files changed.
 You may need to run samhain update after getting puppet going.
 
-When you're happy with everything, add teh new host to the puppet
-hostgroup in dsa-nagios.
+# vim:textwidth=72 sw=8 ts=8 et