On Wednesday, 18 September 2019 05:12:49 UTC+1, chris wrote:
>
> Hi Luke,
>
> That's very interesting; thanks.
>
> We do have 2 non-CA puppetmasters in each DC, so you are saying that 
> client servers will continue to be able to call in, but we won't be able to 
> setup any new ones?
>

Yes, and to make doubly sure I just shut down my own CA / Signing Master, 
and an Agent in a satellite DC was able to check in with the local 
Compiling Master fine (because the Agent already has a Puppet cert).  I 
find DNS SRV records useful for managing this:

https://puppet.com/docs/puppetserver/5.1/scaling_puppet_server.html#using-dns-srv-records

Obviously this approach won't work if you're spinning up many short lived 
VMs or disposable infrastructure.

> We do only have one puppetdb & foreman in the main DC.
>

PuppetDB is a different matter...  In theory an Agent should be able to run 
without it, except if the Compiling Master needs to go to PuppetDB to 
realise any exported resources.  From memory the Agents will complain about 
pushing their Facts into PuppetDB, but this itself does not stop the run - 
I have seen catalog compilations work with PuppetDB offline, but it wasn't 
perfect.  Last time I tried PuppetDB maintenance in hours the after-effects 
annoyed all of my team, so I didn't have the luxury of finding out exactly 
what was reliant on PuppetDB, nor what config options I could use to lessen 
the impact.  Since we use exported resources a lot and these are stored in 
PuppetDB, it makes sense that any catalog reliant on realising exported 
resources would fail.

> Intermediate Certs looks a bit fiddly but might be an option. 
> Just to clarify, using these would mean we could also standup new 
> client-servers in the other DCs if the main DC goes down?
>

No, if you've got one CA / Signing Master, any new agent (fresh install) 
would send its CA signing requests to your Signing Master, also sometimes 
called a Master of Masters.  If you had a critical need you could turn one 
of your existing masters in a DC into a CA, and then fix up the certs later 
- basically destroy and re-add all the Agents once the main DC was back 
online.

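As an added illustration of the SRV-record setup mentioned above (example, not configuration from the thread or from Puppet's docs), here is a zone fragment for agents in a satellite DC. It assumes hypothetical hosts cm1/cm2 as the compile masters in each DC and ca1.dc1 as the single CA / Signing Master; the `_x-puppet` and `_x-puppet-ca` service names and port 8140 are Puppet's own defaults.

```zone
; Added example (not from the thread). Zone consulted by agents in the
; satellite DC "dc2"; the main DC "dc1" hosts the only CA.
$ORIGIN dc2.puppet.example.com.
$TTL 300

; _x-puppet: catalog, report and file requests.
; Lowest priority wins; weight splits load among equal priorities.
; Local compile masters first, main-DC masters only as fallback.
_x-puppet._tcp      IN SRV 10 50 8140 cm1.dc2.example.com.
_x-puppet._tcp      IN SRV 10 50 8140 cm2.dc2.example.com.
_x-puppet._tcp      IN SRV 20 50 8140 cm1.dc1.example.com.
_x-puppet._tcp      IN SRV 20 50 8140 cm2.dc1.example.com.

; _x-puppet-ca: certificate signing requests only. There is exactly one
; target, so a dc1 outage blocks bootstrap of NEW agents but not check-ins
; from agents that already hold a signed cert (they never contact the CA).
_x-puppet-ca._tcp   IN SRV 10 100 8140 ca1.dc1.example.com.
```

Agents in dc2 pick these records up with `use_srv_records = true` and `srv_domain = dc2.puppet.example.com` in the `[agent]` section of puppet.conf; a second zone with the priorities reversed serves dc1. A quick way to confirm the separation is to check `dig SRV _x-puppet-ca._tcp.dc2.puppet.example.com` only ever returns the dc1 CA host.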