FAQ
I'm planning some disaster scenarios for our Puppet master, and was curious
what data needs to be restored if I need to rebuild a Puppet master from
scratch? i.e. what needs to be backed up?

Are all necessary certs in `/var/lib/puppet/ssl`. Should that whole
directory get backed up? Or only certain files in there?

Is there any other data I need to back up?

Best,
Mitchell

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Search Discussions

  • Nick Fagerlund at Aug 1, 2012 at 10:35 pm
    Hey, Mitchell,

    HMM. Sounds like the docs team needs to get on this.

    (<-- is 1/2 the docs team)

    I'm going to name some special directory or file names below. These are all
    puppet config settings, and you can get the current value for them on any
    machine by running puppet master --configprint <setting>.

    SSL STUFF:

    Location: "ssldir" (varies by distro; use --configprint to discover.)

    Important and irreplaceable. If you lose the SSL info on your CA puppet
    master, you'll have to go through all of your agent nodes, delete their
    ssldir, and request a new certificate. Doable, but a huge pain in the ass.

    There shouldn't be any crucial ssl info outside the ssldir, unless one of
    the "ca*" settings got messed with in your puppet.conf. Don't worry about
    ssl info on non-master nodes; you can decommission their old cert w/ puppet
    cert clean, and issue them a new one when you bring them back to life.

    MODULES AND MANIFESTS

    Location: every directory in "modulepath," the "manifest" file (AKA
    site.pp), and anything `import`-ed into the main manifest.

    Hopefully you have this under version control in an external git repo or
    something anyway, but yeah, make sure this is well-backed-up.

    PUPPET.CONF

    This might well have external service configurations, database passwords,
    all kinds of stuff. Probably back it up.

    AUTH.CONF

    Just because if you poked a hole for an external service, you'll want a
    reminder around about how it was rigged.

    HIERA/EXTLOOKUP DATA

    If you're using it, you probably know where it is. It is probably very
    important, and should probably also be in version control anyway.

    DASHBOARD/CONSOLE DATA

    You'll have to dump the MySQL databases on a regular basis. There are rake
    tasks to help with that.

    MCOLLECTIVE STUFF

    Hopefully you're managing your MCollective keys and plugins with puppet
    anyway, so you've already handled this by backing up your modules and hiera
    data.

    CUSTOM ENC DATA/CODE

    If you built an ENC, you should be backing up its data source.


    I feel like that's about it? Did I miss anything?

    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/fW14AzNzHZoJ.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
  • Mitchell Hashimoto at Aug 1, 2012 at 11:40 pm

    On Wed, Aug 1, 2012 at 3:35 PM, Nick Fagerlund wrote:

    Hey, Mitchell,

    HMM. Sounds like the docs team needs to get on this.

    (<-- is 1/2 the docs team)

    I'm going to name some special directory or file names below. These are
    all puppet config settings, and you can get the current value for them on
    any machine by running puppet master --configprint <setting>.

    SSL STUFF:

    Location: "ssldir" (varies by distro; use --configprint to discover.)

    Important and irreplaceable. If you lose the SSL info on your CA puppet
    master, you'll have to go through all of your agent nodes, delete their
    ssldir, and request a new certificate. Doable, but a huge pain in the ass.

    There shouldn't be any crucial ssl info outside the ssldir, unless one of
    the "ca*" settings got messed with in your puppet.conf. Don't worry about
    ssl info on non-master nodes; you can decommission their old cert w/ puppet
    cert clean, and issue them a new one when you bring them back to life.

    MODULES AND MANIFESTS

    Location: every directory in "modulepath," the "manifest" file (AKA
    site.pp), and anything `import`-ed into the main manifest.

    Hopefully you have this under version control in an external git repo or
    something anyway, but yeah, make sure this is well-backed-up.

    PUPPET.CONF

    This might well have external service configurations, database passwords,
    all kinds of stuff. Probably back it up.

    AUTH.CONF

    Just because if you poked a hole for an external service, you'll want a
    reminder around about how it was rigged.

    HIERA/EXTLOOKUP DATA

    If you're using it, you probably know where it is. It is probably very
    important, and should probably also be in version control anyway.

    DASHBOARD/CONSOLE DATA

    You'll have to dump the MySQL databases on a regular basis. There are rake
    tasks to help with that.

    MCOLLECTIVE STUFF

    Hopefully you're managing your MCollective keys and plugins with puppet
    anyway, so you've already handled this by backing up your modules and hiera
    data.

    CUSTOM ENC DATA/CODE

    If you built an ENC, you should be backing up its data source.


    I feel like that's about it? Did I miss anything?
    Looks good. Most of our data (hiera, modules, and conf) is in version
    control so the only thing we really need to back up is SSL. Perfect!

    Thanks,
    Mitchelll

    --
    You received this message because you are subscribed to the Google Groups
    "Puppet Users" group.
    To view this discussion on the web visit
    https://groups.google.com/d/msg/puppet-users/-/fW14AzNzHZoJ.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to
    puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at
    http://groups.google.com/group/puppet-users?hl=en.
    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
grouppuppet-users @
categoriespuppet
postedJul 31, '12 at 8:45p
activeAug 1, '12 at 11:40p
posts3
users2
websitepuppetlabs.com

People

Translate

site design / logo © 2022 Grokbase