FAQ
Hi Puppet Gurus

I am running puppet 2.6.16, ruby 1.8.7-p249, on puppet server with
passenger on Apache. These are my gems:
builder (2.1.2)
fastthread (1.0.7)
mysql (2.8.1)
passenger (2.2.14)
rack (1.1.0)
rake (0.8.7)

We manually manage autosign.conf to allow new builds to continue so
certificates can be signed automatically. This has been working well for a
couple of years, but I've always wondered what triggers the puppet master
to sign the certificate. We can wait 5-10 minutes for a signing request to
be fulfilled.

We made a change last week to now use short names as the certificate names
(not FQDN) and now we're looking closer to 30 minutes for a request to be
signed :-(

The only correlation I can see in the logs is that just before a request is
signed, a new puppetmasterd is spawned by passenger:

Aug 28 22:15:09 engnadm010 puppet-master[26047]: [ID 702911 daemon.notice]
labcsvr004 has a waiting certificate request
Aug 28 22:24:06 engnadm010 puppet-master[26031]: [ID 702911 daemon.notice]
Compiled catalog for engnadm010.bfm.com in environment lab in 19.65 seconds
Aug 28 22:37:11 engnadm010 puppet-master[26031]: [ID 702911 daemon.notice]
labcsvr004 has a waiting certificate request
Aug 28 22:39:47 engnadm010 puppet-master[27717]: [ID 702911 daemon.notice]
Starting Puppet master version 2.6.16
Aug 28 22:40:52 engnadm010 puppet-master[26047]: [ID 702911 daemon.notice]
Signed certificate request for labcsvr004

Here are my passenger Apache config entries:
PassengerHighPerformance on
PassengerMaxPoolSize 15
PassengerPoolIdleTime 300
PassengerUseGlobalQueue on
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off

Is there any way I can speed up things so that puppet signs the request
immediately?

Thanks

John

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Search Discussions

  • Peter Bukowinski at Aug 30, 2012 at 4:03 am
    How many nodes is your puppetmaster currently servicing? I have one servicing about 700 nodes, splayed over an hour check-in interval, and any new nodes I add (that fall into my autosign subdomain) get signed immediately on their first puppet run.

    -- Peter Bukowinski
    On Aug 29, 2012, at 8:50 PM, John Warburton wrote:

    Hi Puppet Gurus

    I am running puppet 2.6.16, ruby 1.8.7-p249, on puppet server with passenger on Apache. These are my gems:
    builder (2.1.2)
    fastthread (1.0.7)
    mysql (2.8.1)
    passenger (2.2.14)
    rack (1.1.0)
    rake (0.8.7)

    We manually manage autosign.conf to allow new builds to continue so certificates can be signed automatically. This has been working well for a couple of years, but I've always wondered what triggers the puppet master to sign the certificate. We can wait 5-10 minutes for a signing request to be fulfilled.

    We made a change last week to now use short names as the certificate names (not FQDN) and now we're looking closer to 30 minutes for a request to be signed :-(

    The only correlation I can see in the logs is that just before a request is signed, a new puppetmasterd is spawned by passenger:

    Aug 28 22:15:09 engnadm010 puppet-master[26047]: [ID 702911 daemon.notice] labcsvr004 has a waiting certificate request
    Aug 28 22:24:06 engnadm010 puppet-master[26031]: [ID 702911 daemon.notice] Compiled catalog for engnadm010.bfm.com in environment lab in 19.65 seconds
    Aug 28 22:37:11 engnadm010 puppet-master[26031]: [ID 702911 daemon.notice] labcsvr004 has a waiting certificate request
    Aug 28 22:39:47 engnadm010 puppet-master[27717]: [ID 702911 daemon.notice] Starting Puppet master version 2.6.16
    Aug 28 22:40:52 engnadm010 puppet-master[26047]: [ID 702911 daemon.notice] Signed certificate request for labcsvr004

    Here are my passenger Apache config entries:
    PassengerHighPerformance on
    PassengerMaxPoolSize 15
    PassengerPoolIdleTime 300
    PassengerUseGlobalQueue on
    PassengerStatThrottleRate 120
    RackAutoDetect Off
    RailsAutoDetect Off

    Is there any way I can speed up things so that puppet signs the request immediately?

    Thanks

    John
    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
  • John Warburton at Aug 30, 2012 at 4:57 am

    On 30 August 2012 14:03, Peter Bukowinski wrote:

    How many nodes is your puppetmaster currently servicing? I have one
    servicing about 700 nodes, splayed over an hour check-in interval, and any
    new nodes I add (that fall into my autosign subdomain) get signed
    immediately on their first puppet run.

    We run puppet twice daily (6am & 6pm splayed over an hour), and most
    builds are done outside of that time frame so the puppet server is pretty
    idle as you can see in my example - just one catalog compile to do in
    between request & signing

    Here's an example of a signing request on an idle server last week before
    the short name certificates (no correlation to restarting the daemon
    here...)

    Aug 23 10:37:43 cornadm010 puppet-master[25783]: [ID 702911 daemon.notice]
    blkasec001.domain.com has a waiting certificate request
    Aug 23 10:44:24 cornadm010 puppet-master[25783]: [ID 702911 daemon.notice]
    Signed certificate request for blkasec001.domain.com

    Thanks for taking a look

    John

    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
grouppuppet-users @
categoriespuppet
postedAug 30, '12 at 3:51a
activeAug 30, '12 at 4:57a
posts3
users2
websitepuppetlabs.com

People

Translate

site design / logo © 2022 Grokbase