I'm trying to make a manifest to auto setup Puppet High Availability, but
it is the chicken-egg issue here. As for your secondary/tertiary/etc
puppetmasters, you need to copy the private key and certificate used by
your puppet1 server in order for it to accept the requests coming from
puppet.yourcompanydomain.com or whatever you choose there.

Also you need to maintain the /var/lib/puppet/ssl/ca in sync between all
puppetmasters so you can easily failover if puppet1 is down to any other.

Since Puppet is about automation, when I mentioned something easier to
set up I was expecting a puppet module to implement it, not manual changes.
As the implementation is not very straightforward it is not easy to
automate it IMHO.



On Fri, May 10, 2013 at 10:52 AM, Ramin K <ramin-l...@badapple.net> wrote:

> On 5/9/2013 1:51 PM, Martin Langhoff wrote:
>
>> On Thu, May 9, 2013 at 2:31 PM, Ramin K <ramin-l...@badapple.net> wrote:
>>
>>> Hubris, today thy name is Martin. :-)
>>>
>>
>> Fair enough. I am happy about the tool I am writing (almost finished!)
>> but, as the followup post makes clear, it isn't about the design of
>> ppg. It is about the design of git.
>>
>
>         This is where I think we diverge. :-) As someone with a fair
> amount of operational experience it's not about the design of git, it's
> about the implementation created on top of git. Or Puppet.
>
>
>>> I'd argue that people have stressed about DNS availability for just
>>> under three decades and that we are currently enjoying the fruits of that
>>> labor. Personally, I have yet to work at a company where DNS has not
>>> caused a significant outage.
>>>
>>
>> I am really surprised at your statement. Of course mishaps can happen,
>> or someone can mess up configuration DNS royally. But setting up a
>> primary and secondary setup is trivial.
>>
>> SMTP and LDAP are also examples where resilience was baked into the
>> design. With those two, the quality of implementation, and
>> complications in setup make for a lot more breakage.
>>
>> Compare to HTTP, databases etc where there's a whole industry of tools
>> to make things somewhat reliable.
>>
>> Maybe we are talking about different things.
>>
>
>         Not different things, but perspectives.
>
>         I'd agree that your simple primary/secondary name server is easy
> to set up and it'll probably work just fine. However it supports a very
> limited number of use cases and traffic levels.
>
>         My experience with DNS and administrating it in various
> incarnations since the bad old days of Bind 4 informs me that it can be
> incredibly fragile. It is only the implementation of the current DNS system
> that is reasonably resilient or at least able to localize failure.
> Certainly some designs and technology are better than others, but
> implementation always matters.
>
>         The same goes for just about any system/protocol you'd care to name.
>
>
>>> Your ppg tooling does look interesting, but there is a large trade
>>> off in functionality
>>>
>>
>> What is the loss of functionality you see? Anything that you use in
>> practice?
>>
>> (Reading here
>> https://groups.google.com/forum/?fromgroups=#!topic/puppet-users/7ZpAMrMb2NQ
>> I can't spot anything major, but I may be missing something...)
>>
>> cheers,
>> m
>>
>
>         Masterless Puppet with git as a distribution method does have some
> things going for it as a design. You are giving up things like collected
> resources and standard reporting which may or may not matter to you.
> Additionally you're building a distribution system of some sort even if
> it's just git and ssh where you'd need to decide how to deal with the
> failure of the parts.
>
>         In any case I'd like to see more discussion on highly available
> Puppet regardless of the way it's implemented.
>
> Ramin

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
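
Added example, not part of the thread and not Puppet's own tooling: one way to check that a standby puppetmaster's copy of /var/lib/puppet/ssl/ca still matches the primary's, and that the copied key files have not been left readable by group or others. The function names and the sample tree (file names and contents) are constructed for illustration; GNU find and sha256sum are assumed.

```shell
#!/bin/sh
# Added example: compare two copies of a CA directory and flag loose key modes.
# All paths and file contents here are constructed sample data.

# One "sha256  ./relative/path" line per file, in a stable order.
ca_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

# Exit status 0 when both trees contain byte-identical files.
ca_in_sync() {
    [ "$(ca_manifest "$1")" = "$(ca_manifest "$2")" ]
}

# Paths that differ or exist on only one side: manifest lines present in
# both trees appear twice in the merged stream and are dropped by uniq -u.
ca_drift() {
    { ca_manifest "$1"; ca_manifest "$2"; } | LC_ALL=C sort | uniq -u \
        | sed 's/^[0-9a-f]*  *//' | LC_ALL=C sort -u
}

# Key files that group or others can access; a copied CA key should stay 0600.
loose_keys() {
    find "$1" -type f -name '*key*.pem' -perm /077
}

# Build a constructed sample tree (placeholder contents, not real key material).
make_sample() {
    mkdir -p "$1/signed"
    echo "constructed-ca-cert"    > "$1/ca_crt.pem"
    echo "constructed-ca-key"     > "$1/ca_key.pem"
    echo "constructed-agent-cert" > "$1/signed/agent1.pem"
    chmod 600 "$1/ca_key.pem"
}

demo() {
    tmp=$(mktemp -d)
    make_sample "$tmp/puppet1"; make_sample "$tmp/puppet2"
    # Simulate a certificate signed on puppet1 after the last sync.
    echo "constructed-agent-cert-2" > "$tmp/puppet1/signed/agent2.pem"
    ca_in_sync "$tmp/puppet1" "$tmp/puppet2" \
        || echo "drift: $(ca_drift "$tmp/puppet1" "$tmp/puppet2")"
    rm -rf "$tmp"
}
demo
```

Run against a local copy of each master's CA directory; any path reported by ca_drift is a certificate, CRL or serial change that a failover would lose.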

