We all know (good example on SF) that Puppet hostname detection could be... fun.
At our company (and I guess we're not alone in this) we usually pre-configure servers at our offices and test them before bringing the gear to a remote datacenter and racking it. Of course the reverse DNS will change when doing that, even if we don't change the actual hostname of the system.
We're slowly drafting our puppet setup and I'd like to be sure those moves won't create problems. My idea is to explicitly configure the desired full FQDN of the system as certname in puppet.conf at server provision time (before the very first puppet run). My process would look something like this:
- basic OS installation
- basic network configuration, enough to reach the internet and resolve DNS
- install puppet and set up certname
- start puppet and let it manage the whole configuration
- test, fix problems in config (via puppet), re-test, and so on...
- manually stop puppet
- set up new network configuration for the datacenter network
- move the machine to DC
- turn it on
- puppet should automatically start and keep on doing its job
The process is supported by detecting the environment in puppet's manifests (e.g. based on subnet, like they do at Wikimedia) and modifying configuration as needed (e.g. resolv.conf contents appropriate for each network). Each node's certname will never change for the whole system life cycle.
Is there any problem with this approach? Could it be improved?
I agree that forcing the certificate name will make things easier. However, the hostname command itself can behave very inconsistently when it comes to determining the --fqdn (it resolves the IP for the hostname, then looks up the reverse name of that IP; all of these can be configured in /etc/hosts of course).
If you configure the system's hostname to be the FQDN, as opposed to just the short name, then puppet will not try to do any funny name lookups. It will just use that string as it is, splitting it into a hostname and domain at the first dot, and fqdn to be the whole thing. This is something you may also want to consider.
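One way to script the "set up certname" step from the provisioning list, as an added example that is not code from either poster: it writes the certname into the [main] section of a puppet.conf file idempotently and refuses values that are not a lowercase, dotted FQDN, so the agent's certificate identity never depends on reverse DNS. The function names, the sample FQDN and the scratch file are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: pin the agent's certname in puppet.conf before the first run.
# The file used in the demo and the FQDN are constructed sample values.

# Accept only a lowercase, dotted FQDN (Puppet certnames must be lowercase).
valid_certname() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq \
        '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}

# set_certname CONF FQDN: write "certname = FQDN" under [main], idempotently.
set_certname() {
    conf=$1 fqdn=$2
    valid_certname "$fqdn" || { echo "refusing certname: $fqdn" >&2; return 1; }
    [ -f "$conf" ] || : > "$conf"
    tmp=$(mktemp) || return 1
    awk -v name="$fqdn" '
        /^[ \t]*\[/ {                              # any section header
            in_main = ($0 ~ /^[ \t]*\[main\][ \t]*$/)
            print
            if (in_main && !done) { print "certname = " name; done = 1 }
            next
        }
        in_main && /^[ \t]*certname[ \t]*=/ { next }  # drop stale values
        { print }
        END { if (!done) { print "[main]"; print "certname = " name } }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# pinned_certname CONF: print the certname configured under [main], if any.
pinned_certname() {
    awk '
        /^[ \t]*\[/ { in_main = ($0 ~ /^[ \t]*\[main\][ \t]*$/); next }
        in_main && /^[ \t]*certname[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Demo on a scratch copy; on a real node CONF would be the agent's puppet.conf.
demo=$(mktemp)
printf '[main]\nserver = puppet.example.com\n' > "$demo"
set_certname "$demo" web01.dc1.example.com && pinned_certname "$demo"
rm -f "$demo"
```

Running it again with the same FQDN leaves the file unchanged, so it is safe to call from a provisioning script that may be re-run before the machine is moved.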