Comments inline:

On Tue, May 18, 2010 at 3:01 PM, Matt Juszczak <m...@atopia.net> wrote:
> 4) Failover: What are people doing these days for puppet failover? My gut
> says to keep the configs in SVN, and always have another host on stand by.
> However, there's an issue with that: the puppet nodes wouldn't be able to
> just be re-pointed, because the client SSL certificates would be validated
> by the failover server (and therefore, there would be certificate validation
> errors).

We set up a separate root CA and used it to sign certificates on our puppetmasters. The puppetmasters then act as intermediate CAs and any client can connect to any puppetmaster. We then threw the puppetmasters behind our load balancer.

> 5) Puppetizing your puppet servers: I've already made the decision NOT to
> LDAPify my LDAP servers (master and failover), as I wouldn't want LDAP to
> fail and cause issues getting into the LDAP box. My gut has also told me
> NOT to puppetize my puppet server (and just keep good backups); however,
> what have others done? I've seen conflicting documentation and blog entries
> on the subject.

LDAP sucks a LOT when it breaks, and it seems to break a lot. The puppetmaster is much less volatile in my experience. I'm a big fan of puppetizing the puppetmaster; it makes it much easier when there's only a single process used for configuring servers. It hasn't caused any huge problems in our environment.

Remember, if the puppetmaster is misconfigured badly enough that it isn't passing out configs, worst-case scenario is that you can't deploy new configs. Just log in to the puppetmaster and fix by hand. Whereas, with LDAP logins, worst case is you *can't* log in and fix (yikes!)

--Paul
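
The root-plus-intermediates layout described in the reply above, sketched with plain openssl as an added example (not part of the original message and not Puppet's own CA tooling). It shows a client certificate signed by one master verifying against the shared root, and failing when a second master trusts only its own CA certificate; all file and subject names (root, masterA, masterB, agent1) are hypothetical.

```shell
#!/usr/bin/env bash
# Constructed demo; every file name and subject below is hypothetical.
set -eu
PKI=$(mktemp -d)

# Create a key + CSR for subject $1 and sign it. $2 = issuer name ("self" for
# the root), $3 = extension file deciding whether the new cert may sign others.
issue() {
  name=$1 issuer=$2 ext=$3
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$PKI/$name.key" -out "$PKI/$name.csr" 2>/dev/null
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$PKI/$name.csr" -signkey "$PKI/$name.key" \
      -days 30 -extfile "$ext" -out "$PKI/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$PKI/$name.csr" -CA "$PKI/$issuer.pem" \
      -CAkey "$PKI/$issuer.key" -CAcreateserial -days 30 \
      -extfile "$ext" -out "$PKI/$name.pem" 2>/dev/null
  fi
}

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$PKI/ca.ext"
printf 'basicConstraints=critical,CA:FALSE\n' > "$PKI/leaf.ext"

issue root    self    "$PKI/ca.ext"    # separate root CA
issue masterA root    "$PKI/ca.ext"    # each puppetmaster is an intermediate CA
issue masterB root    "$PKI/ca.ext"
issue agent1  masterA "$PKI/leaf.ext"  # client certificate signed by masterA

# Trust anchor is the root; the issuing intermediate is supplied as a chain cert.
verify_with_root() {
  openssl verify -CAfile "$PKI/root.pem" -untrusted "$PKI/masterA.pem" \
    "$PKI/$1.pem" >/dev/null 2>&1
}
# Trust anchor is a single master's own CA cert (the stand-alone failover case).
verify_with_master_only() {
  openssl verify -CAfile "$PKI/$1.pem" "$PKI/$2.pem" >/dev/null 2>&1
}

verify_with_root agent1 && echo "root-anchored chain: agent1 accepted"
verify_with_master_only masterB agent1 || echo "masterB-only trust: agent1 rejected"
```

The root key signs only the intermediates, so it can be kept off the puppetmasters once they have been issued their CA certificates.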