[Pkg-puppet-devel] Initializating puppet master ssl files

Nigel Kersten nigel at explanatorygap.net
Tue Aug 3 17:33:48 UTC 2010


On Mon, Aug 2, 2010 at 9:19 PM, Mathias Gug <mathiaz at ubuntu.com> wrote:
> Hi Nigel,
>
> Excerpts from Nigel Kersten's message of Mon Aug 02 23:00:08 -0400 2010:
>> On Mon, Aug 2, 2010 at 7:41 PM, Mathias Gug <mathiaz at ubuntu.com> wrote:
>> >
>> >
>> > One of the issues I've run into is setting up the ssl files to work with
>> > mod_ssl, which needs to happen before apache2 is started. The [upstream
>> > documentation][1] suggests that puppetmasterd should be run once before
>> > apache2 is started.
>> >
>> > [1]: http://projects.puppetlabs.com/projects/1/wiki/Using_Passenger
>> >
>> > That leads to the following *ugly* code in
>> > puppetmaster-passenger.postinst:
>> >
>> >    # Setup passenger configuration
>> >    if [ "$2" = "" ]; then
>> >        # Start the puppetmaster once to generate the certificates
>> >        puppetmasterd
>> >        sleep 1
>> >        [ -e "/var/run/puppet/master.pid" ] && kill $(cat /var/run/puppet/master.pid)
>> >        # Setup apache2 configuration files
>> >        APACHE2_SITE_FILE="/etc/apache2/sites-available/puppetmaster"
>> >        if  [ ! -e "${APACHE2_SITE_FILE}" ]; then
>> >            cp /usr/share/puppetmaster-passenger/apache2.site.conf.tmpl "${APACHE2_SITE_FILE}"
>> >            # Fix path to SSL certs and private key
>> >            HOSTNAME="$(hostname -f)"
>> >            [ "${HOSTNAME}" != "" ] && sed -i  "s/@@FQDN@@/${HOSTNAME}/g" "${APACHE2_SITE_FILE}"
>> >        fi
>> >        a2enmod ssl
>> >        a2ensite puppetmaster
>> >        if [ -x "/etc/init.d/apache2" ]; then
>> >            if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
>> >                invoke-rc.d apache2 force-reload || exit $?
>> >            else
>> >                /etc/init.d/apache2 force-reload || exit $?
>> >            fi
>> >        fi
>> >    fi
>> >
>> >
>> > I've filed a feature request [2] to provide an init command to decouple
>> > generating the ssl configuration files from running the daemon. Do you
>> > have any other suggestions?
>>
>> Is the hostname always correct here? ie if the server has been started
>> with a different certname? If they do differ, should we grab the
>> relevant name via puppetmasterd --configprint ? Should you do the same
>> for the pidfiles?
>>
>
> \o/ - thanks for pointing out --configprint. I've updated the postinst
> script to use it:
>
>    sed -r -i "s|(SSLCertificateFile\s+).+$|\1$(puppetmasterd --configprint hostcert)|" "${APACHE2_SITE_FILE}"

configprint is awesome :)

What about the pid files? People do change the vardir sometimes.

>
>
>> Why sleep 1? What are we waiting for at that point?
>
> We're waiting for all the ssl files to be generated by the puppetmaster
> daemon. It may take some time depending on the entropy on the system. So
> sleep 1 is just a guess... :/ And it also needs to be killed as apache2
> is going to run on the same port.
>
> Is there an option that would just return once the initial configuration
> (ssl files + ??) is done by puppetmaster? If so I can close the upstream
> bug [2].
>
> [2]: http://projects.puppetlabs.com/issues/4440

hrm. Really it kind of sounds like we want the equivalent of --onetime
for the puppetmasterd process? It might be worth trying that with
2.6.x HEAD, as I recently checked in a change to allow the
specification of onetime = true in puppet.conf, and it may possibly
work with puppetmasterd as well...

Otherwise I don't think there is a feature like this, but it's well
worth having.

/me watches bug report.
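Putting the two suggestions in this thread together (take every path from `puppetmasterd --configprint` rather than from `hostname -f` or a hardcoded vardir, and wait for the files instead of `sleep 1`), here is an added example of what the certificate bootstrap could look like. It is not the puppetmaster-passenger postinst and not Puppet's own code. It assumes the `hostcert`, `hostprivkey`, `localcacert` and `pidfile` settings are printable with `--configprint` (as on 2.6), that a site template with `SSLCertificateFile`, `SSLCertificateKeyFile` and `SSLCACertificateFile` directives already exists, and it adds a `PUPPETMASTERD` override variable purely so the command can be stubbed out when testing the script without a real master:

```shell
#!/bin/sh
# Added example, not the Debian package's postinst: generate the puppetmaster
# SSL files before apache2/mod_ssl starts, taking every path from
# `puppetmasterd --configprint` (honours certname, vardir, ssldir, ...)
# and polling for the files instead of guessing with `sleep 1`.
set -e

# Assumption for this example: the command can be overridden so a stub can
# stand in for puppetmasterd in tests.
PUPPETMASTERD="${PUPPETMASTERD:-puppetmasterd}"

# Effective value of one puppet setting.
puppet_setting() {
    "$PUPPETMASTERD" --configprint "$1"
}

# Poll until every given file exists and is non-empty, or $1 seconds pass.
# Returns 0 when all files are present, 1 on timeout.
wait_for_files() {
    timeout="$1"; shift
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        missing=0
        for f in "$@"; do
            [ -s "$f" ] || missing=1
        done
        [ "$missing" -eq 0 ] && return 0
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# Stop the master named in the pidfile and wait for it to actually exit, so
# apache2 does not race it for the port. Missing pidfile or dead pid is fine.
stop_master() {
    pidfile="$1"
    [ -s "$pidfile" ] || return 0
    pid=$(cat "$pidfile")
    kill "$pid" 2>/dev/null || return 0
    i=0
    while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 30 ]; do
        sleep 1; i=$((i + 1))
    done
    return 0
}

# Rewrite the three SSL directives of a site file with the given paths.
# (Paths containing '|' or '&' would need escaping for sed; ssldir normally
# does not contain them.)
render_site_file() {
    site="$1"; cert="$2"; key="$3"; cacert="$4"
    sed -E \
        -e "s|^([[:space:]]*SSLCertificateFile[[:space:]]+).*$|\1$cert|" \
        -e "s|^([[:space:]]*SSLCertificateKeyFile[[:space:]]+).*$|\1$key|" \
        -e "s|^([[:space:]]*SSLCACertificateFile[[:space:]]+).*$|\1$cacert|" \
        "$site" > "$site.tmp" && mv "$site.tmp" "$site"
}

# Run the master once if the host cert is missing, wait for the CA and host
# files it writes, stop it, then point the site file at those files.
bootstrap_ssl() {
    site="$1"
    cert=$(puppet_setting hostcert)
    key=$(puppet_setting hostprivkey)
    cacert=$(puppet_setting localcacert)
    pidfile=$(puppet_setting pidfile)
    if [ ! -s "$cert" ]; then
        "$PUPPETMASTERD"
        wait_for_files 120 "$cert" "$key" "$cacert" || {
            echo "timed out waiting for puppetmaster ssl files" >&2
            stop_master "$pidfile"
            return 1
        }
        stop_master "$pidfile"
    fi
    render_site_file "$site" "$cert" "$key" "$cacert"
}

# Only act when invoked directly with a site file, so the functions can be
# sourced (e.g. from a postinst) without side effects.
if [ "${1:-}" = "--site" ] && [ -n "${2:-}" ]; then
    bootstrap_ssl "$2"
fi
```

Invoked as `sh bootstrap.sh --site /etc/apache2/sites-available/puppetmaster` it returns non-zero instead of proceeding with a half-written ssldir if the master never produces the files (for example because it fails to start on a port already in use), which is the failure the `sleep 1` version silently papers over.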
