Puppet master easy migration - from http://stuckinadoloop.wordpress.com/2012/02/16/automated-migration-of-systems-to-a-new-puppet-master-server/
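#
# Perform the Puppet master migration by changing the server value in
# puppet.conf and resetting the node's certificates so the agent can
# request a new one from the target master.
#
# Parameters:
#   $puppetmaster - host name of the Puppet master to migrate this node to.
#                   Required: catalog compilation fails when it is undef.
#
class puppet::migrate ( $puppetmaster ) {
  if $puppetmaster == undef {
    fail('You must define the targeted Puppet master to perform the migration')
  }

  # Point the agent at the new master. Augeas edits only the `server`
  # key of the [main] section and leaves the rest of puppet.conf alone.
  augeas { 'puppet.conf.migrate':
    context => '/files/etc/puppet/puppet.conf/main',
    changes => [
      "set server ${puppet::migrate::puppetmaster}",
    ]
  }

  # These next two resources handle the migration itself: the helper
  # script is shipped to the node and executed once the certificates on
  # disk no longer match the configured master.
  # 0700/root: the script deletes the agent's SSL store and restarts the
  # service, so nobody but root should be able to read or run it.
  file { 'puppet-clear-certs.sh':
    source => 'puppet:///modules/puppet/puppet-clear-certs.sh',
    path   => '/var/lib/puppet/lib/puppet-clear-certs.sh',
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
  }

  # Skip the run when both the CA cert and this node's cert already name
  # the target master. `grep -F` matches the host name literally (a dot
  # in the name is no longer a regex wildcard that could match an
  # unrelated CA), `-q` replaces the stdout/stderr redirections, and the
  # single quotes keep the shell from interpreting the interpolated name.
  exec { '/var/lib/puppet/lib/puppet-clear-certs.sh':
    path    => ['/usr/bin', '/bin', '/usr/sbin', '/sbin'],
    require => [
      File['puppet-clear-certs.sh'],
      Augeas['puppet.conf.migrate'],
    ],
    unless  => [
      "openssl x509 -text -in /var/lib/puppet/ssl/certs/ca.pem | grep -qF '${puppet::migrate::puppetmaster}'",
      "openssl x509 -text -in /var/lib/puppet/ssl/certs/${::fqdn}.pem | grep -qF '${puppet::migrate::puppetmaster}'",
    ],
  }
}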
# Usage
# Declare puppet::migrate on the node(s) to move; `puppetmaster` is the
# host name the agent's puppet.conf will point to after this run, and the
# name the node's certificates are checked against before they are reset.
node node-tomigrate.domain.com {
  class {'puppet::migrate':
    puppetmaster => 'new-puppet-master.domain.com',
  }
}
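#!/bin/bash
# This script is a hack to remove SSL certificates from a puppet
# client to prepare it for migration to a new puppet master server
# after puppet has altered the puppet.conf file to point to the new
# puppet master server.
#
# Normally, if you subscribe the puppet service to the puppet.conf
# file, the puppet service will be restarted too soon, interrupting
# the current puppet run. Various attempts at using
# configure_delayed_restart among other things have not proven to be
# 100% effective. This script will watch the puppetdlock file, which
# can determine whether or not there is a run in progress. If there is
# a run in progress, we sleep for a second and then test again until
# the process is unlocked. Once unlocked, we can safely delete
# certificates and call a puppet restart. The checker process itself
# gets forked into the background. If it were not forked into the
# background, the puppet run would sit and wait for the process to
# return, or for the exec timeout, whichever came first. This would
# cause serious trouble if timeouts were disabled or very long periods
# of time.
#
# This script was inspired by this blog post by Ryan Uber:
# http://www.ryanuber.com/puppet-self-management.html
#
# Begin waiting for the current puppet run to finish, then restart.
# The worker runs in a backgrounded /bin/sh so this script returns at
# once; the string contains no variables, so nothing is interpolated.
/bin/sh -c "
    # puppetdlock is present only while an agent run is in progress.
    while [ -f /var/lib/puppet/state/puppetdlock ]
    do
        sleep 1
    done
    /sbin/service puppet stop
    # Remove the old CA's certificates, signed certs, pending CSRs and
    # CRL so the agent submits a fresh request to the new master on its
    # next start. Nothing under ssl/private_keys is touched. -f is used
    # throughout so a file that is already gone does not make the
    # removal fail (crl.pem previously used -r, which is meant for
    # directories and errors on a missing path).
    rm -f /var/lib/puppet/ssl/certs/*
    rm -f /var/lib/puppet/ssl/certificate_requests/*
    rm -f /var/lib/puppet/ssl/crl.pem
    /sbin/service puppet start
" &
# Always return true, since this script just forks another process.
exit 0
# EOF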