[Pkg-puppet-devel] Initializating puppet master ssl files
Nigel Kersten
nigel at explanatorygap.net
Tue Aug 3 17:33:48 UTC 2010
On Mon, Aug 2, 2010 at 9:19 PM, Mathias Gug <mathiaz at ubuntu.com> wrote:
> Hi Nigel,
>
> Excerpts from Nigel Kersten's message of Mon Aug 02 23:00:08 -0400 2010:
>> On Mon, Aug 2, 2010 at 7:41 PM, Mathias Gug <mathiaz at ubuntu.com> wrote:
>> >
>> >
>> > One of the issues I've run into is in setting up the ssl files to work with
>> > mod_ssl - which needs to happen before apache2 is started. The [upstream
>> > documentation][1] suggests that puppetmasterd should be run once before
>> > apache2 is started.
>> >
>> > [1]: http://projects.puppetlabs.com/projects/1/wiki/Using_Passenger
>> >
>> > That leads to the following *ugly* code in
>> > puppetmaster-passenger.postinst:
>> >
>> > # Setup passenger configuration
>> > if [ "$2" = "" ]; then
>> >     # Start the puppetmaster once to generate the certificates
>> >     puppetmasterd
>> >     sleep 1
>> >     [ -e "/var/run/puppet/master.pid" ] && kill $(cat /var/run/puppet/master.pid)
>> >     # Setup apache2 configuration files
>> >     APACHE2_SITE_FILE="/etc/apache2/sites-available/puppetmaster"
>> >     if [ ! -e "${APACHE2_SITE_FILE}" ]; then
>> >         cp /usr/share/puppetmaster-passenger/apache2.site.conf.tmpl "${APACHE2_SITE_FILE}"
>> >         # Fix path to SSL certs and private key
>> >         HOSTNAME="$(hostname -f)"
>> >         [ "${HOSTNAME}" != "" ] && sed -i "s/@@FQDN@@/${HOSTNAME}/g" "${APACHE2_SITE_FILE}"
>> >     fi
>> >     a2enmod ssl
>> >     a2ensite puppetmaster
>> >     if [ -x "/etc/init.d/apache2" ]; then
>> >         if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
>> >             invoke-rc.d apache2 force-reload || exit $?
>> >         else
>> >             /etc/init.d/apache2 force-reload || exit $?
>> >         fi
>> >     fi
>> > fi
>> >
>> >
>> > I've filed a feature request [2] to provide an init command to decouple
>> > generating the ssl configuration files from running the daemon. Do you
>> > have any other suggestions?
>>
>> Is the hostname always correct here? ie if the server has been started
>> with a different certname? If they do differ, should we grab the
>> relevant name via puppetmasterd --configprint ? Should you do the same
>> for the pidfiles?
>>
>
> \o/ - thanks for pointing out --configprint. I've updated the postinst
> script to use it:
>
> sed -r -i "s|(SSLCertificateFile\s+).+$|\1$(puppetmasterd --configprint hostcert)|" "${APACHE2_SITE_FILE}"
configprint is awesome :)
What about the pid files? People do change the vardir sometimes.
>
>
>> Why sleep 1? What are we waiting for at that point?
>
> We're waiting for all the ssl files to be generated by the puppetmaster
> daemon. It may take some time depending on the entropy on the system. So
> sleep 1 is just a guess... :/ And it also needs to be killed as apache2
> is going to run on the same port.
>
> Is there an option that would just return once the initial configuration
> (ssl files + ??) is done by puppetmaster? If so I can close the upstream
> bug [2].
>
> [2]: http://projects.puppetlabs.com/issues/4440
hrm. Really it kind of sounds like we want the equivalent of --onetime
for the puppetmasterd process? It might be worth trying that with
2.6.x HEAD, as I recently checked in a change to allow the
specification of onetime = true in puppet.conf, and it may possibly
work with puppetmasterd as well...
Otherwise I don't think there is a feature like this, but it's well
worth having.
/me watches bug report.
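A version of the postinst step discussed in this thread, added here as an example and not the Debian package's own script: it polls for the files puppetmasterd writes (paths taken from --configprint, as Mathias did for the certificate) instead of sleeping a fixed second, and stops the daemon through the configprint pidfile, which also covers a changed vardir. It assumes hostprivkey, localcacert and pidfile are valid --configprint keys alongside hostcert.

```shell
#!/bin/sh
# Added example, not the puppetmaster-passenger postinst itself.
# Replaces "puppetmasterd; sleep 1; kill" with a bounded poll for the files
# the daemon generates, with every path taken from puppetmasterd --configprint.

# wait_for_files TIMEOUT_SECONDS FILE... : return 0 once every FILE exists
# and is non-empty, 1 if TIMEOUT_SECONDS elapse first.
wait_for_files() {
    timeout="$1"; shift
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        missing=0
        for f in "$@"; do
            [ -s "$f" ] || missing=1
        done
        [ "$missing" -eq 0 ] && return 0
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# stop_by_pidfile PIDFILE : kill the daemon recorded in PIDFILE, if any.
stop_by_pidfile() {
    if [ -e "$1" ]; then
        kill "$(cat "$1")"
    fi
}

# generate_puppet_ssl : run puppetmasterd only long enough to create the
# CA and host certificate, then stop it so apache2 can take the port.
generate_puppet_ssl() {
    hostcert="$(puppetmasterd --configprint hostcert)"
    hostkey="$(puppetmasterd --configprint hostprivkey)"   # assumed key name
    cacert="$(puppetmasterd --configprint localcacert)"    # assumed key name
    pidfile="$(puppetmasterd --configprint pidfile)"       # assumed key name

    puppetmasterd
    # Key generation can block on entropy, so allow well over one second.
    if ! wait_for_files 60 "$hostcert" "$hostkey" "$cacert"; then
        echo "timed out waiting for puppet ssl files" >&2
        stop_by_pidfile "$pidfile"
        return 1
    fi
    stop_by_pidfile "$pidfile"
}

# Only start the daemon when explicitly asked, e.g. from a postinst.
if [ "${1:-}" = "--run" ]; then
    generate_puppet_ssl
fi
```

Run it as `sh script.sh --run` on the master; without the flag it only defines the functions.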