1 # Puppet infrastructure
3 handel.debian.org is our current puppetmaster. Currently, it handles
4 configuration of samhain, munin, apt, and exim (although more to come -
5 this list is likely to get out of date quickly).
7 To set up a new host to be a puppet client, do the following:
8 : ::client:: && apt-get install puppet &&
9 /etc/init.d/puppet stop &&
10 puppetd -w 5 --debug -t --factsync
12 This will not overwrite anything yet, since handel has not signed the
13 client cert. Now is the time to abort if you are getting cold feet.
15 Compare incoming csr request:
17 : __handel__ && echo -n 'Client name: ' && read client &&
18 sha1sum /var/lib/puppet/ssl/ca/requests/$client.debian.org.pem
20 : ::client:: && sha1sum /var/lib/puppet/ssl/csr_$(hostname).debian.org.pem
22 If you're satisfied, sign the request on handel with:
23 : __handel__ && puppetca --sign $client.debian.org
25 bootstrap client knowledge of puppet ca:
27 : __handel__ && echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' &&
28 cat /var/lib/puppet/ssl/certs/ca.pem &&
30 echo "cat > /var/lib/puppet/ssl/certs/$client.debian.org.pem << EOF " &&
31 cat /var/lib/puppet/ssl/ca/signed/$client.debian.org.pem &&
34 and execute this on the client.
35 : ::client:: copy paste the thing you just created on handel
37 If this is a busy mail host, you might want to stop exim before proceeding
38 although the config files should remain identical before and after.
40 Then run (this will change the configs in /etc):
41 : ::client:: && puppetd -w 5 --debug -t --factsync
43 This run will start puppet after reconfiguring it, so if you are
44 unhappy with what just happened, you'll need to stop it again to do
47 Finally, for some reason, the switch to puppet seems to heavily confuse
48 samhain (possibly the config file getting changed out from under it?).
49 You may need to run samhain update after getting puppet going.
51 When you're happy with everything, add teh new host to the puppet
52 hostgroup in dsa-nagios.
projects / mirror / dsa-wiki.git / blob