I'm going to admit I don't have the best setup here! :) There are things I want to do to improve what I have now, just need to get room on the plate to do it.
Right now my 'CA PM' is also a PM for the other PMs ... :-\ So my PMs that are behind HAproxy have a puppet::master class assigned to them and have their modules directory as a managed resource and are force to have in puppet.conf server='CA PM' instead of the VIP I used for everything else. This then gets updated from the 'CA PM'. Basically I deploy updates to a special dir on my 'CA PM' and then all my other PM will receive the updates from there. This works for us although like I said I want to make it better, doing what you assumed I am doing ... shared storage. But since we can only make changes with a CHG ticket I basically make the update and then force a puppet run on my PMs (remote execution) and everything is updated in like 5 minutes. This is done during a time when the rest of the environment is not accessing the PMs. But yes, the way I am doing it now could cause issues. If I updated on my CA PM and then didn't follow up on my other PMs they could get out of sync. Then when an agent is accessing the VIP it would go to perhaps an updated PM initially and throughout the puppet run go between different nodes, some potentially updated others not and could cause issues. The only other issue I've ran into is if apache on a PM restarts or a PM restarts while agents are accessing it sometimes I'll get failed runs. Out of 4800+ systems this usually amounts to like ~200 failures until the next batch of runs (every 30 minutes here) which clears it up (even if apache/node still down). I'm not sure if this is a limitation of something I am doing, or if its just to be expected. Before using haproxy I had a VIP in DNS that would round robin between systems. Doing that I would get like ~1000 failures under such a situation as DNS doesn't know when a node goes down, and that would continue until everything was back up. So since what I have isn't bullet proof I don't have anything documented ... but eventually ... :) Regards, Jake -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/NBICiQ3H0TwJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
