[Pkg-puppet-devel] Initializing puppet master ssl files

Mathias Gug mathiaz at ubuntu.com
Tue Aug 3 04:19:23 UTC 2010


Hi Nigel,

Excerpts from Nigel Kersten's message of Mon Aug 02 23:00:08 -0400 2010:
> On Mon, Aug 2, 2010 at 7:41 PM, Mathias Gug <mathiaz at ubuntu.com> wrote:
> >
> >
> > One of the issues I've run into is in setting up the ssl files to work with
> > mod_ssl - which needs to happen before apache2 is started. The [upstream
> > documentation][1] suggests that puppetmasterd should be run once before
> > apache2 is started.
> >
> > [1]: http://projects.puppetlabs.com/projects/1/wiki/Using_Passenger
> >
> > That leads to the following *ugly* code in
> > puppetmaster-passenger.postinst:
> >
> >    # Setup passenger configuration
> >    if [ "$2" = "" ]; then
> >        # Start the puppetmaster once to generate the certificates
> >        puppetmasterd
> >        sleep 1
> >        [ -e "/var/run/puppet/master.pid" ] && kill $(cat /var/run/puppet/master.pid)
> >        # Setup apache2 configuration files
> >        APACHE2_SITE_FILE="/etc/apache2/sites-available/puppetmaster"
> >        if  [ ! -e "${APACHE2_SITE_FILE}" ]; then
> >            cp /usr/share/puppetmaster-passenger/apache2.site.conf.tmpl "${APACHE2_SITE_FILE}"
> >            # Fix path to SSL certs and private key
> >            HOSTNAME="$(hostname -f)"
> >            [ "${HOSTNAME}" != "" ] && sed -i  "s/@@FQDN@@/${HOSTNAME}/g" "${APACHE2_SITE_FILE}"
> >        fi
> >        a2enmod ssl
> >        a2ensite puppetmaster
> >        if [ -x "/etc/init.d/apache2" ]; then
> >            if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
> >                invoke-rc.d apache2 force-reload || exit $?
> >            else
> >                /etc/init.d/apache2 force-reload || exit $?
> >            fi
> >        fi
> >    fi
> >
> >
> > I've filed a feature request [2] to provide an init command to decouple
> > generating the ssl configuration files from running the daemon. Do you
> > have any other suggestions?
> 
> Is the hostname always correct here? ie if the server has been started
> with a different certname? If they do differ, should we grab the
> relevant name via puppetmasterd --configprint ? Should you do the same
> for the pidfiles?
>

\o/ - thanks for pointing out --configprint. I've updated the postinst
script to use it:

    sed -r -i "s|(SSLCertificateFile\s+).+$|\1$(puppetmasterd --configprint hostcert)|" "${APACHE2_SITE_FILE}"


> Why sleep 1? What are we waiting for at that point?

We're waiting for all the ssl files to be generated by the puppetmaster
daemon. It may take some time depending on the entropy on the system. So
sleep 1 is just a guess... :/ And it also needs to be killed as apache2
is going to run on the same port.

Is there an option that would just return once the initial configuration
(ssl files + ??) is done by puppetmaster? If so I can close the upstream
bug [2].

[2]: http://projects.puppetlabs.com/issues/4440

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com
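As an added example (not the package's actual postinst, nor code from the thread), a sketch of how the two points above could be handled in a postinst: the SSL paths in the apache site file taken from `--configprint` rather than from `hostname -f`, and a bounded wait for the generated files instead of a fixed `sleep 1`. `configprint` is a hypothetical stand-in returning constructed paths so the block runs offline; in a real postinst its body would be `puppetmasterd --configprint "$1"`.

```shell
#!/bin/sh
# Stand-in for `puppetmasterd --configprint <setting>` so this runs offline.
# The paths below are constructed, not puppet's real defaults.
configprint() {
    case "$1" in
        hostcert)    echo "/var/lib/puppet/ssl/certs/puppet.example.com.pem" ;;
        hostprivkey) echo "/var/lib/puppet/ssl/private_keys/puppet.example.com.pem" ;;
        localcacert) echo "/var/lib/puppet/ssl/certs/ca.pem" ;;
        pidfile)     echo "/var/run/puppet/master.pid" ;;
        *)           return 1 ;;
    esac
}

# Rewrite the SSL directives in the apache site file to the paths puppet
# actually uses, so a certname that differs from `hostname -f` still works.
fix_ssl_paths() {
    site_file="$1"
    sed -r -i \
        -e "s|(SSLCertificateFile\s+).+$|\1$(configprint hostcert)|" \
        -e "s|(SSLCertificateKeyFile\s+).+$|\1$(configprint hostprivkey)|" \
        -e "s|(SSLCACertificateFile\s+).+$|\1$(configprint localcacert)|" \
        "$site_file"
}

# Poll until every listed file exists or the timeout (in seconds) expires,
# instead of guessing with a fixed sleep. Returns 0 when all files are
# present, 1 on timeout (so the postinst can fail loudly instead of
# handing apache2 a missing key).
wait_for_files() {
    timeout="$1"; shift
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        missing=0
        for f in "$@"; do [ -e "$f" ] || missing=1; done
        [ "$missing" -eq 0 ] && return 0
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# Typical use in the postinst (after starting puppetmasterd once):
#   wait_for_files 60 "$(configprint hostcert)" "$(configprint hostprivkey)" \
#       || { echo "puppetmaster did not generate its SSL files" >&2; exit 1; }
#   fix_ssl_paths /etc/apache2/sites-available/puppetmaster
#   kill "$(cat "$(configprint pidfile)")"
```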