After that run puppet on puppetmaster once, so the ferm config get
adjusted.
- : __handel__ && puppetd -w 5 -t --factsync --environment=production
+ : __handel__ && puppet agent -t --environment=production
- : ::client:: && apt-get install --no-install-recommends puppet &&
- /etc/init.d/puppet stop &&
- puppetd -w 5 --debug -t --factsync
+ : ::client:: && me=$(hostname -f) && [ "$me" != "${me%debian.org}" ] && apt-get update &&
+ apt-get install -y --no-install-recommends puppet libaugeas-ruby1.8 augeas-lenses lsb-release &&
+ service puppet stop &&
+ (puppet agent -t || true ) &&
+ cd /var/lib/puppet/ssl/certificate_requests &&
+ echo sha256sum output: && echo &&
+ sha256sum $me.pem &&
+ echo && echo && cd /
This will not overwrite anything yet, since handel has not signed the
client cert. Now is the time to abort if you are getting cold feet.
Compare incoming csr request:
-on handel:
-
- : __handel__ && echo -n 'Client name: ' && read client &&
- sha1sum /var/lib/puppet/ssl/ca/requests/$client.debian.org.pem
-on new client:
-
- : ::client:: && sha1sum /var/lib/puppet/ssl/csr_$(hostname).debian.org.pem
-
-If you're satisfied, sign the request on handel with:
-
- : __handel__ && puppetca --sign $client.debian.org
-
-bootstrap client knowledge of puppet ca:
-on handel:
-
- : __handel__ && echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' &&
+on handel, paste the sha256output::
+
+ : __handel__ && echo "paste sha256sum output now:" &&
+ read sha256 filename &&
+ cd /var/lib/puppet/ssl/ca/requests &&
+ ( [ -e $filename ] || (echo "$filename does not exist."; exit 1) ) &&
+ echo -e "$sha256 $filename" | sha256sum -c &&
+ puppetca --sign $(basename "$filename" .pem) &&
+ echo && echo && echo &&
+ echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' &&
cat /var/lib/puppet/ssl/certs/ca.pem &&
echo 'EOF' &&
- echo "cat > /var/lib/puppet/ssl/certs/$client.debian.org.pem << EOF " &&
- cat /var/lib/puppet/ssl/ca/signed/$client.debian.org.pem &&
- echo 'EOF'
+ echo "cat > /var/lib/puppet/ssl/certs/$filename << EOF " &&
+ cat /var/lib/puppet/ssl/ca/signed/$filename &&
+ echo 'EOF' &&
+ cd /
and execute this on the client.
- : ::client:: copy paste the thing you just created on handel
+ : ::client:: copy paste the thing you just created on handel
If this is a busy mail host, you might want to stop exim before proceeding
although the config files should remain identical before and after.
Then run (this will change the configs in /etc):
- : ::client:: && puppetd -w 5 --debug -t --factsync
+ : ::client:: && puppet agent -t --pluginsync
-This run will start puppet after reconfiguring it, so if you are
-unhappy with what just happened, you'll need to stop it again to do
+This run will start puppet after reconfiguring it, so if you are
+unhappy with what just happened, you'll need to stop it again to do
repair.
Double check apt - the puppet setup usually results in duplicate apt
sources, since we ship a few under sources.list.d. Remove any unnecessary
entries from sources.list.
+On handel, make sure the certs exist for the new host
+
+ : :: handel :: : && sudo -u puppet make -C /srv/puppet.debian.org/ca/ install
+
We ship a samhain config file that includes /lib and /usr/lib. This will
almost certainly be different than the config file on the machine, so it
will result in 1000s of files changed.
You may need to run samhain update after getting puppet going.
+
+# vim:textwidth=72 sw=8 ts=8 et
projects / mirror / dsa-wiki.git / blobdiff