[Pkg-puppet-devel] Starting puppet agent by default

Russ Allbery rra at debian.org
Tue Aug 6 01:08:58 UTC 2013


Stig Sandbeck Mathisen <ssm at debian.org> writes:

> Even when "disabled" with "puppet agent --disable", the puppet agent
> will create an SSL key, a certificate request, upload this to the
> configured (or default) puppet master, and retrieve the ca cert and the
> signed agent certificate.

> I've now pushed a few commits in the packaging repo where "puppet agent
> --disable" has been run. I changed it in the "puppet" package, which
> holds the "puppet agent" init script, systemd unit, and not much else.

> With what I pushed to the packaging repo now, it says:
>   
>   root@puppet-agent # puppet agent --test
>   Notice: Skipping run of Puppet configuration client; administratively disabled (Reason: 'Disabled by default on new installations');
>   Use 'puppet agent --enable' to re-enable.

> …after signing the cert on the master. It's one step in a direction I
> hope is the right one.

Yeah, that definitely makes me a lot more comfortable.  It feels like that
stops short of doing any actual harm.

> A few more points to think about:

> * The puppet agent process may around until enabled, and possibly being
>   restarted by systemd a few times.

Can we disable the Puppet agent by creating the lock file in preinst
rather than using the official command-line method?  (We have code at
Stanford that manipulates the lock files directly because we do things
like include administrative comments in them.)

> * Running "puppet agent" may work when "puppet-common" is installed, and
>   then not work when installing "puppet" until someone runs "puppet
>   agent --enable".  Should the "--disable" be in "puppet-common", even
>   if this does not enable the puppet agent service?

Yes, I think so.

> * The set of puppet packages probably needs renaming. The current set of
>   packages reflects how puppet looked at 0.25, and puppet has changed a
>   bit since then.

Agreed.  Maybe puppet-common => puppet-client and puppet => puppet-service?
(puppet-service isn't a great name, but I can't think of a better one
off-hand.)

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>


