On Apr 17, 11:34 pm, Artyom Krilov wrote:
I have a puppet setup working, but run into issue, which couldn't figure
out how to solve.
Say I have puppet agent generated certificate and signed it on puppet
master. If somehow puppet agent's hostname has been changed it will stop
communication with puppet master. I would like to know if there is a way to
be able to change hostname of puppet agent, without interruption of
communication between master and agent.
You may be able to use the 'certname' parameter in the client's
puppet.conf to cause it to continue to present the old certificate,
but that's a hack, especially if your nodes generally identify
themselves to the master (via their cerificates) according to their
Note that the certname is what gets matched to node declarations, but
the $::hostname fact is always the actual hostname, so mucking with
certnames on an ad hoc basis may produce surprises later.
Note especially that if there is any chance that the original hostname
will be re-used by a different node, then the original and new nodes
cannot both identify themselves to the master by the same identifier
unless you copy the certificate from one to the other. In that case,
the two will always receive the same configuration, their reports will
be conflated on the master, and other badness may ensue.
If you want always to be able to change nodes' hostnames without re-
certifying them to the master, then you should make *all* your nodes
use certnames based on some unchanging node property, such as asset
number or MAC address. Changing over to such a policy will require
you to re-certify every node, of course, and you will need to adjust
your ENC and / or nodes.pp correspondingly, but afterward you will be
able to change any node's hostname without interrupting its
communication with the master.
If changing hostnames is generally a one-off for you, then you are
much better off simply re-certifying the modified node to the master
afterwards. Be sure to revoke the old certificate and clean it from
the master (in that order).
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to firstname.lastname@example.org.
To unsubscribe from this group, send email to email@example.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.