[Pkg-puppet-devel] Initializing puppet master ssl files

Nigel Kersten nigel at explanatorygap.net
Tue Aug 3 03:00:08 UTC 2010


On Mon, Aug 2, 2010 at 7:41 PM, Mathias Gug <mathiaz at ubuntu.com> wrote:
> Hi,
>
> I've got a working prototype of a puppetmaster-passenger package that
> will install passenger and configure puppetmaster to be run by
> passenger.
>
> One of the issues I've run into is setting up the ssl files to work with
> mod_ssl - which needs to happen before apache2 is started. The [upstream
> documentation][1] suggests that puppetmasterd should be run once before
> apache2 is started.
>
> [1]: http://projects.puppetlabs.com/projects/1/wiki/Using_Passenger
>
> That leads to the following *ugly* code in
> puppetmaster-passenger.postinst:
>
>    # Setup passenger configuration
>    if [ "$2" = "" ]; then
>        # Start the puppetmaster once to generate the certificates
>        puppetmasterd
>        sleep 1
>        [ -e "/var/run/puppet/master.pid" ] && kill $(cat /var/run/puppet/master.pid)
>        # Setup apache2 configuration files
>        APACHE2_SITE_FILE="/etc/apache2/sites-available/puppetmaster"
>        if  [ ! -e "${APACHE2_SITE_FILE}" ]; then
>            cp /usr/share/puppetmaster-passenger/apache2.site.conf.tmpl "${APACHE2_SITE_FILE}"
>            # Fix path to SSL certs and private key
>            HOSTNAME="$(hostname -f)"
>            [ "${HOSTNAME}" != "" ] && sed -i  "s/@@FQDN@@/${HOSTNAME}/g" "${APACHE2_SITE_FILE}"
>        fi
>        a2enmod ssl
>        a2ensite puppetmaster
>        if [ -x "/etc/init.d/apache2" ]; then
>            if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
>                invoke-rc.d apache2 force-reload || exit $?
>            else
>                /etc/init.d/apache2 force-reload || exit $?
>            fi
>        fi
>    fi
>
>
> I've filed a feature request [2] to provide an init command to decouple
> generating the ssl configuration files from running the daemon. Do you
> have any other suggestions?

Is the hostname always correct here? i.e. if the server has been started
with a different certname? If they do differ, should we grab the
relevant name via puppetmasterd --configprint ? Should you do the same
for the pidfiles?

Why sleep 1? What are we waiting for at that point?
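As an added example (not code from this thread or from the puppetmaster-passenger package), the questioned step could be written so that it takes the certname, certificate paths and pidfile from puppet itself via --configprint, polls for the generated files instead of a fixed `sleep 1`, and refuses to kill anything on a stale or malformed pidfile. The setting names (certname, hostcert, hostprivkey, pidfile) are assumed to be accepted by `puppetmasterd --configprint`, and APACHE2_SITE_FILE is the path from the quoted postinst.

```shell
#!/bin/sh
# Added example, not code from the thread or the puppetmaster-passenger package.
# Rewrites the "start puppetmasterd once to generate the certificates" step so
# that it takes the certname and pidfile from puppet itself and polls for the
# generated files instead of sleeping a fixed second.
set -e

# Assumed path, taken from the quoted postinst; adjust for the package at hand.
APACHE2_SITE_FILE="${APACHE2_SITE_FILE:-/etc/apache2/sites-available/puppetmaster}"

# Ask puppet for a setting instead of guessing with `hostname -f`.
# Assumption: puppetmasterd --configprint understands the setting names used
# below (certname, hostcert, hostprivkey, pidfile).
puppet_setting() {
    puppetmasterd --configprint "$1"
}

# Poll for a file for up to $2 seconds (default 30).
# Returns 0 as soon as the file exists, 1 on timeout.
wait_for_file() {
    file="$1"
    timeout="${2:-30}"
    waited=0
    while [ ! -e "$file" ]; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Stop a daemon by pidfile, but only if the pidfile holds a numeric pid that
# belongs to a live process; returns 1 on a missing, stale or malformed pidfile.
stop_by_pidfile() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid="$(cat "$pidfile")"
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -0 "$pid" 2>/dev/null || return 1
    kill "$pid"
}

# Replacement for the quoted "puppetmasterd; sleep 1; kill" sequence.
generate_ssl_files() {
    certname="$(puppet_setting certname)"
    hostcert="$(puppet_setting hostcert)"
    hostkey="$(puppet_setting hostprivkey)"
    pidfile="$(puppet_setting pidfile)"

    if [ -e "$hostcert" ] && [ -e "$hostkey" ]; then
        echo "SSL files for ${certname} already exist, not regenerating"
    else
        puppetmasterd
        # Wait for the cert and key the daemon writes on first start, then stop it.
        wait_for_file "$hostcert" 30 || { echo "timed out waiting for ${hostcert}" >&2; return 1; }
        wait_for_file "$hostkey" 10 || { echo "timed out waiting for ${hostkey}" >&2; return 1; }
        stop_by_pidfile "$pidfile" || echo "could not stop puppetmasterd via ${pidfile}" >&2
    fi

    # Fill the apache template with the certname puppet actually used, so the
    # mod_ssl paths match the files on disk even when certname != hostname -f.
    if [ -e "$APACHE2_SITE_FILE" ]; then
        sed -i "s/@@FQDN@@/${certname}/g" "$APACHE2_SITE_FILE"
    fi
}

# Only run the real thing when explicitly asked, so the helpers can be sourced.
if [ "${1:-}" = "--run" ]; then
    generate_ssl_files
fi
```

Polling for the files the daemon is expected to write answers the "what are we waiting for" question directly, and taking certname from --configprint keeps the apache site file consistent with the certificate puppet actually generated.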
