ReleaseEngineering/PuppetAgain/HowTo/Remove a Puppetmaster

To retire a puppetmaster from the cluster, you will need to:

  • make sure hosts don't use it as a server anymore:
    • remove it from `$puppet_servers` in the org config
    • change any 'puppet' or 'repos' CNAMEs pointing to the server so they point to another master
    • while editing the org config, also remove the node definition for the host, as well as any entries for it in `modules/ssh/templates/known_hosts.erb`
  • If you're using multiple A records to achieve redundancy for apt, remove the server's address from the list
  • for any active hosts which have certificates signed by the server's CA cert, re-issue a certificate from a different master:
    • look for in-use hosts under `/var/lib/puppetmaster/ssl/git/agent-certs/$master`
    • on each such host, run `PUPPET_SERVER=$some_other_master ./puppetize.sh`
    • you can verify the issuing master with `openssl x509 -in /var/lib/puppet/ssl/certs/$(facter fqdn).pem -noout -text | grep Issuer`
  • shut down the master
  • revoke the server's CA certificate with the root certificate and re-generate the root CRL
  • update the certs in git:
    • remove the server's CA cert and CRL from /var/lib/puppetmaster/ssl/git/ca-certs
    • update the root certificate's CRL in /var/lib/puppetmaster/ssl/git/ca-certs/root.crl
    • remove any now-dangling links in /var/lib/puppetmaster/ssl/git/certdir
    • remove the directories for the deleted server under agent-certs and revocation-requests
    • commit these changes *as puppetsync, not root*; the commit will get distributed to other masters in due time
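As an added example (not part of this wiki page or the PuppetAgain tooling), a small POSIX sh helper for the checks above: which hosts still hold certificates issued by the retiring master, which `certdir` links are left dangling after its CA cert and CRL are removed, and which CA issued a given host certificate. It assumes the directory layout the page names; `GIT_SSL_ROOT` is an assumed variable so the functions can be pointed at a test tree.

```shell
#!/bin/sh
# Pre-flight checks for retiring a puppetmaster (added example, not from the page).
# GIT_SSL_ROOT is an assumed override for the git-managed SSL tree the page describes.
GIT_SSL_ROOT="${GIT_SSL_ROOT:-/var/lib/puppetmaster/ssl/git}"

# Print the FQDNs of hosts still holding a certificate signed by master $1,
# read from agent-certs/$master/<fqdn>.pem. Empty output means the master is safe to retire.
hosts_issued_by() {
    dir="$GIT_SSL_ROOT/agent-certs/$1"
    [ -d "$dir" ] || return 0
    for pem in "$dir"/*.pem; do
        [ -e "$pem" ] || continue
        basename "$pem" .pem
    done
}

# List symlinks under certdir whose target no longer exists (find -L marks a
# symlink as type l only when it cannot be followed, i.e. it dangles).
dangling_links() {
    find -L "$GIT_SSL_ROOT/certdir" -type l 2>/dev/null
}

# Print the issuer of a host certificate; the same check the page gives, as a function
# (requires the openssl command on the host being inspected).
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# Usage on a master, with $MASTER set to the host being retired:
#   hosts_issued_by "$MASTER"   # must print nothing before shutting the master down
#   dangling_links              # run after removing the CA cert and CRL from ca-certs
```

Run the two list functions on a master before and after the cert removal steps; any output from `hosts_issued_by` means a host still needs re-puppetizing against another master.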