Hello,


"swamped" is also part of my job description.

Thank you for creating the PR. I will monitor this PR and if possible 
contribute to it.



-----Original message-----
From: Justin Stoller <jus...@puppet.com>
Sent: Thursday 11th March 2021 22:10
To: puppet-users@googlegroups.com
Subject: Re: [Puppet Users] Puppetserver ca migrate



On Sat, Mar 6, 2021 at 3:18 AM Bart-Jan Vrielink <bart...@vrielink.net> wrote:
/etc/puppetlabs/puppetserver/ca is not a volume listed in the docker-compose 
file. Unless that directory is symlinked to somewhere under 
/etc/puppetlabs/puppet/, that directory would get lost whenever the container 
gets updated. Not a good thing for certificates...


Yeah, that sounds terrible....  I took that to the team that owns our docker 
images. They seemed swamped but suggested a path forward, so I gave it a shot 
in this PR: https://github.com/puppetlabs/puppetserver/pull/2505. Feel free to 
contribute to the approach there if you want, otherwise I'll reply to this 
thread when it's sorted out.






-----Original message-----
From: Justin Stoller <jus...@puppet.com>
Sent: Friday 5th March 2021 20:35
To: puppet-users@googlegroups.com
Subject: Re: [Puppet Users] Puppetserver ca migrate



On Thu, Mar 4, 2021 at 11:44 PM Bart-Jan Vrielink <bart...@vrielink.net> wrote:
Hello,



It would be nice if Puppet's Pupperware is also updated for this new CA 
location...


Is it not? I don't actually work on that team, but I pulled the latest 
puppet/puppetserver image and saw this in the log:
 pupperware (master<>) :: docker run -it puppet/puppetserver
Running /docker-entrypoint.d/10-analytics.sh
(/docker-entrypoint.d/10-analytics.sh) Pupperware analytics disabled; skipping metric submission
Running /docker-entrypoint.d/20-use-templates-initially.sh
Upgrading /opt/puppetlabs/server/data/puppetserver/vendored-jruby-gems
Running /docker-entrypoint.d/30-set-permissions.sh
Running /docker-entrypoint.d/40-update-puppetdb-conf.sh
Running /docker-entrypoint.d/50-set-certname.sh
Running /docker-entrypoint.d/55-set-masterport.sh
Running /docker-entrypoint.d/60-setup-autosign.sh
Running /docker-entrypoint.d/70-set-dns-alt-names.sh
Running /docker-entrypoint.d/80-ca.sh
Generation succeeded. Find your files in /etc/puppetlabs/puppetserver/ca
Running /docker-entrypoint.d/85-setup-storeconfigs.sh
Running /docker-entrypoint.d/90-log-config.sh
System configuration values:
....

That "Generation succeeded. Find your files in /etc/puppetlabs/puppetserver/ca" 
line should be coming from the "puppetserver ca" cli generating the CA files in 
the new location....







-----Original message-----
From: Justin Stoller <jus...@puppet.com>
Sent: Thursday 4th March 2021 18:11
To: puppet-users@googlegroups.com
Subject: Re: [Puppet Users] Puppetserver ca migrate

Hi!

If you've mounted external volumes for your cadir like:

  --mount source=ca-volume,destination=/etc/puppetlabs/puppet/ssl/ca

You should instead mount the destination as /etc/puppetlabs/puppetserver/ca

If you have a Dockerfile that pre-populates your cadir you'll need to update 
your script to the destination above.

Also, make sure your build process is running puppetserver ca setup as part of 
the process (that should ensure new installs have the right directory 
structure).

If you're using this container as a lightweight vm and you've upgraded your 
server inside it, you'll need to somehow override the entrypoint to be a shell 
for you to work in (but you should look into using the container as an 
ephemeral thing with persistent mounts to save data between containers).

If you're using this in a dev setup and are fine with your certs not persisting 
outside the life of the container you can effectively ignore the warning for 
now (but hopefully one of the ideas above will help you find the root cause of 
it).


Also, you're the second person to mention having to pass the --config flag. 
That should only be necessary if you have a custom puppet.conf for some 
advanced purposes. I'm wondering if it was the help output to the CA tool that 
led you in that direction? I could see the current text being confusing, just 
wondering if we should change:

> Use the currently configured puppet.conf file in your installation, or supply 
> one using the `--config` flag.

to something like

> Uses the default puppet.conf in your installation, override by supplying the 
> --config flag.

?


Hope that helps,
Justin




On Thu, Mar 4, 2021 at 8:05 AM Gwen Clayde <mifoun...@gmail.com> wrote:
Hi, 

I want to solve this issue: "The cadir is currently configured to be inside the 
/etc/puppetlabs/puppet/ssl directory"

The first step is:
puppetserver ca migrate --config 

After this, I got this message: "Puppetserver service is running. Please stop 
it before attempting to run this command"

I use Puppet inside a Docker container; if I stop it, I couldn't execute the 
command of the first step.

Is there another way to solve this problem?

Thanks.



-- 
 You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
 To unsubscribe from this group and stop receiving emails from it, send an 
email to puppet-users+unsubscr...@googlegroups.com 
<mailto:puppet-users+unsubscr...@googlegroups.com> .
 To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACWwVtOMfy16NxMxZtNqLV1VR-ei6DaEihzF11M1v3ut9VbSJA%40mail.gmail.com.
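
Added example (not part of the original thread and not Puppet's own tooling): a shell check for the mount question discussed above, reporting whether a container's mount destinations actually persist the new cadir. The function names and the sample mount list are constructed for illustration; the two directory paths are the ones named in the thread.

```shell
#!/bin/sh
# Classify a container's mount destinations against the Puppet Server CA
# directories named in this thread. Real input can come from:
#   docker inspect -f '{{range .Mounts}}{{println .Destination}}{{end}}' CONTAINER
NEW_CADIR=/etc/puppetlabs/puppetserver/ca
OLD_CADIR=/etc/puppetlabs/puppet/ssl/ca

# path_covers MOUNT PATH: succeed if PATH is MOUNT itself or lies beneath it.
# The match is on whole path components, so /etc/puppetlabs/puppet does NOT
# cover /etc/puppetlabs/puppetserver/ca (a plain string-prefix test would
# wrongly report the CA as persisted).
path_covers() {
    mount=${1%/}
    case "$2" in
        "$mount"|"$mount"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_ca_mounts: read mount destinations (one per line) on stdin and print
#   persisted  - the new cadir is on a mount
#   old-only   - only the pre-migration cadir is on a mount
#   ephemeral  - neither is; CA files disappear with the container
check_ca_mounts() {
    new=no
    old=no
    while IFS= read -r dest; do
        [ -n "$dest" ] || continue
        if path_covers "$dest" "$NEW_CADIR"; then new=yes; fi
        if path_covers "$dest" "$OLD_CADIR"; then old=yes; fi
    done
    if [ "$new" = yes ]; then
        echo persisted
    elif [ "$old" = yes ]; then
        echo old-only
    else
        echo ephemeral
    fi
}

# Constructed sample: only /etc/puppetlabs/puppet is a volume, as in the
# compose setup described in the thread. Prints "old-only".
printf '%s\n' /etc/puppetlabs/puppet | check_ca_mounts
```

A result of `old-only` or `ephemeral` means the CA key and issued certificates written to /etc/puppetlabs/puppetserver/ca will not survive replacing the container.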

