X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=input%2Fhowto%2Fpuppet-setup.mdwn;h=6a155d69717c1e7a57eb2f2cab8581b304cb440f;hb=10872c48997281bcea11d44fbaaed6c49e1ff21f;hp=9503e9665773ece026a6975ebc746c343a61c329;hpb=8acbf76ef9981318a51a2fc8168c63b1bd8cfecb;p=mirror%2Fdsa-wiki.git diff --git a/input/howto/puppet-setup.mdwn b/input/howto/puppet-setup.mdwn index 9503e96..6a155d6 100644 --- a/input/howto/puppet-setup.mdwn +++ b/input/howto/puppet-setup.mdwn 
@@ -6,54 +6,82 @@ this list is likely to get out of date quickly). To set up a new host to be a puppet client, do the following: - : ::client:: && apt-get install puppet && - /etc/init.d/puppet stop && - puppetd -w 5 --debug -t --factsync +Make sure you have set up the IP address for the new machine in ud-ldap. +After that run puppet on puppetmaster once, so the ferm config get +adjusted. + + : __handel__ && puppet agent -t --environment=production + + : ::client:: && me=$(hostname -f) && [ "$me" != "${me%debian.org}" ] && apt-get update && + apt-get install -y --no-install-recommends puppet libaugeas-ruby1.8 augeas-lenses lsb-release && + service puppet stop && + (puppet agent -t || true ) && + cd /var/lib/puppet/ssl/certificate_requests && + echo sha256sum output: && echo && + sha256sum $me.pem && + echo && echo && cd / This will not overwrite anything yet, since handel has not signed the client cert. Now is the time to abort if you are getting cold feet. Compare incoming csr request: -on handel: - - : __handel__ && echo -n 'Client name: ' && read client && - sha1sum /var/lib/puppet/ssl/ca/requests/$client.debian.org.pem -on new client: - - : ::client:: && sha1sum /var/lib/puppet/ssl/csr_$(hostname).debian.org.pem - -If you're satisfied, sign the request on handel with: - - : __handel__ && puppetca --sign $client.debian.org - -bootstrap client knowledge of puppet ca: -on handel: - - : __handel__ && echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' && +on handel, paste the sha256output:: + + : __handel__ && + ud-replicate && sudo -u puppet make -C /srv/puppet.debian.org/ca/ install && + echo "paste sha256sum output now:" && + read sha256 filename && + cd /var/lib/puppet/ssl/ca/requests && + ( [ -e $filename ] || (echo "$filename does not exist."; exit 1) ) && + echo -e "$sha256 $filename" | sha256sum -c && + puppetca --sign $(basename "$filename" .pem) && + echo && echo && echo && + echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' && cat 
/var/lib/puppet/ssl/certs/ca.pem && echo 'EOF' && - echo "cat > /var/lib/puppet/ssl/certs/$client.debian.org.pem << EOF " && - cat /var/lib/puppet/ssl/ca/signed/$client.debian.org.pem && - echo 'EOF' + echo "cat > /var/lib/puppet/ssl/certs/$filename << EOF " && + cat /var/lib/puppet/ssl/ca/signed/$filename && + echo 'EOF' && + cd / && + echo 'puppet agent -t --pluginsync' and execute this on the client. - : ::client:: copy paste the thing you just created on handel + : ::client:: copy paste the thing you just created on handel If this is a busy mail host, you might want to stop exim before proceeding although the config files should remain identical before and after. +Try this once if you're nervous: + + : ::client:: && puppet agent -t --pluginsync --noop + +It will tell you what would have changed without actually doing it. + Then run (this will change the configs in /etc): - : ::client:: && puppetd -w 5 --debug -t --factsync + : ::client:: && puppet agent -t --pluginsync -This run will start puppet after reconfiguring it, so if you are -unhappy with what just happened, you'll need to stop it again to do +This run will start puppet after reconfiguring it, so if you are +unhappy with what just happened, you'll need to stop it again to do repair. -Finally, for some reason, the switch to puppet seems to heavily confuse -samhain (possibly the config file getting changed out from under it?). +Double check apt - the puppet setup usually results in duplicate apt +sources, since we ship a few under sources.list.d. Remove any unnecessary +entries from sources.list. + +On handel, make sure the certs exist for the new host + + +We ship a samhain config file that includes /lib and /usr/lib. This will +almost certainly be different than the config file on the machine, so it +will result in 1000s of files changed. You may need to run samhain update after getting puppet going. -When you're happy with everything, add teh new host to the puppet -hostgroup in dsa-nagios. 
+The puppet repository is public, but we sometimes need to keep passwords +in puppet. There are many ways to do this - hiera-gpg, ENC, etc. We've +settled on a fairly simple one. Log into handel, create a new manifest +in the relevant module (call is something like "params.pp"). You can add +passwords to this file. To stop git complaining on push, make sure you +update .gitignore for the new file. Now you can import this file where +you need passwords and use them.
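Review bot: the added step "On handel, make sure the certs exist for the new host" is followed by two blank lines and no command, so the reader has no way to perform the check; either give the command to run on handel or drop the heading until one exists. Two smaller points in the same hunk: the new client one-liner's `[ "$me" != "${me%debian.org}" ]` guard silently ends the `&&` chain when the FQDN does not end in debian.org, so a wrong hostname produces no output at all, and an `|| { echo "hostname $me is not under debian.org"; false; }` after the test would make the failure visible; and the heading "on handel, paste the sha256output::" should read "sha256sum output:".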