Hi Everybody,

I have a puppet setup working, but I've run into an issue which I couldn't
figure out how to solve.

Say I have a certificate generated by a puppet agent and have signed it on the
puppet master. If the puppet agent's hostname is somehow changed, it will stop
communicating with the puppet master. I would like to know if there is a way to
change the hostname of a puppet agent without interrupting
communication between master and agent.

Thanks,
Artyom

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/59luyETIc-0J.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.


  • Dan White at Apr 18, 2012 at 12:36 pm
    Been there, done that, got a link for you:

    http://infrastructure.fedoraproject.org/infra/docs/infra-hostrename.txt

    Basically, clean out the certificate info on the client/agent, clear the old info from the master, and then re-certify the agent/client with the new info.


    “Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
    Bill Watterson (Calvin & Hobbes)

  • Artyom Krilov at Apr 18, 2012 at 2:38 pm
    In this case if hostname changes are frequent I'll get too much unnecessary
    traffic.
  • Balasubramaniam Natarajan at May 13, 2013 at 1:28 pm

    On Wednesday, 18 April 2012 08:35:43 UTC-4, Ygor wrote:
    Been there, done that, got a link for you:

    http://infrastructure.fedoraproject.org/infra/docs/infra-hostrename.txt

    Basically, clean out the certificate info on the client/agent, clear the
    old info from the master, and then re-certify the agent/client with the new
    info.

    Though this is an old post, thanks a lot for your link shown above. Are
    puppetca and "puppet cert" one and the same?

  • Jcbollinger at May 13, 2013 at 8:46 pm

    On Monday, May 13, 2013 8:28:05 AM UTC-5, Balasubramaniam Natarajan wrote:

    On Wednesday, 18 April 2012 08:35:43 UTC-4, Ygor wrote:

    Been there, done that, got a link for you:

    http://infrastructure.fedoraproject.org/infra/docs/infra-hostrename.txt

    Basically, clean out the certificate info on the client/agent, clear the
    old info from the master, and then re-certify the agent/client with the new
    info.

    Though this is an old post, thanks a lot for your link shown above. Are
    puppetca and "puppet cert" one and the same?

    Newer versions of Puppet have "puppet cert"; older ones have "puppetca".
    There may be a few versions that have both, one as an alias for the other.
    They serve the same purpose in much the same way.


    John

  • Dan White at May 14, 2013 at 12:51 am
    A moldy oldie, but it was helpful to someone!
  • Jcbollinger at Apr 18, 2012 at 1:29 pm

    On Apr 17, 11:34 pm, Artyom Krilov wrote:
    Hi Everybody,

    I have a puppet setup working, but I've run into an issue which I couldn't
    figure out how to solve.

    Say I have a certificate generated by a puppet agent and have signed it on the
    puppet master. If the puppet agent's hostname is somehow changed, it will stop
    communicating with the puppet master. I would like to know if there is a way to
    change the hostname of a puppet agent without interrupting
    communication between master and agent.

    You may be able to use the 'certname' parameter in the client's
    puppet.conf to cause it to continue to present the old certificate,
    but that's a hack, especially if your nodes generally identify
    themselves to the master (via their certificates) according to their
    (current) hostnames.

    Note that the certname is what gets matched to node declarations, but
    the $::hostname fact is always the actual hostname, so mucking with
    certnames on an ad hoc basis may produce surprises later.

    Note especially that if there is any chance that the original hostname
    will be re-used by a different node, then the original and new nodes
    cannot both identify themselves to the master by the same identifier
    unless you copy the certificate from one to the other. In that case,
    the two will always receive the same configuration, their reports will
    be conflated on the master, and other badness may ensue.

    If you want always to be able to change nodes' hostnames without
    re-certifying them to the master, then you should make *all* your nodes
    use certnames based on some unchanging node property, such as asset
    number or MAC address. Changing over to such a policy will require
    you to re-certify every node, of course, and you will need to adjust
    your ENC and / or nodes.pp correspondingly, but afterward you will be
    able to change any node's hostname without interrupting its
    communication with the master.

    If changing hostnames is generally a one-off for you, then you are
    much better off simply re-certifying the modified node to the master
    afterwards. Be sure to revoke the old certificate and clean it from
    the master (in that order).


    John
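
One way to implement the policy described in the post above (certnames based on an unchanging node property), as an added example that is not part of the thread: it derives a certname from a MAC address and pins it in puppet.conf. The function names, the `node-` prefix, the choice of the `[main]` section, and the path and interface in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). The "node-" prefix, the [main]
# section choice and all sample values are assumptions.

# stable_certname MAC [PREFIX]
# Normalise a MAC (colons, dashes, dots or bare hex) into a certname.
# Puppet certnames must be lowercase, so the hex digits are case-folded.
stable_certname() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':.-')
    prefix=${2:-node-}
    case "$mac" in
        ''|*[!0-9a-f]*) echo "invalid MAC: $1" >&2; return 1 ;;
        000000000000|ffffffffffff) echo "non-unique MAC: $1" >&2; return 1 ;;
    esac
    [ "${#mac}" -eq 12 ] || { echo "invalid MAC length: $1" >&2; return 1; }
    printf '%s%s\n' "$prefix" "$mac"
}

# set_certname CONF NAME
# Pin "certname = NAME" directly under [main], dropping any older certname
# line in that section. Running it again leaves the file unchanged.
set_certname() {
    conf=$1
    name=$2
    tmp=$(mktemp) || return 1
    awk -v name="$name" '
        /^[ \t]*\[/ {
            in_main = ($0 ~ /^[ \t]*\[main\][ \t]*$/)
            print
            if (in_main && !done) { print "    certname = " name; done = 1 }
            next
        }
        in_main && /^[ \t]*certname[ \t]*=/ { next }   # stale value
        { print }
        END { if (!done) { print "[main]"; print "    certname = " name } }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Typical use on an agent (path and interface name are assumptions):
#   set_certname /etc/puppet/puppet.conf \
#       "$(stable_certname "$(cat /sys/class/net/eth0/address)")"
```

Switching a node to the pinned name still requires re-certifying it once, as the post says; after that, hostname changes no longer affect the identity the node presents to the master.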

  • Artyom Krilov at Apr 18, 2012 at 2:38 pm
    Thanks for detailed explanation.

    Using certname seems to be fine. I'll create some unchanging property as a
    fact and will use it in manifests.

    Thanks,
    Artyom

Discussion Overview
group: puppet-users
categories: puppet
posted: Apr 18, '12 at 7:12a
active: May 14, '13 at 12:51a
posts: 8
users: 4
website: puppetlabs.com
