ReleaseEngineering/PuppetAgain/HowTo/Remove a Puppetmaster

From MozillaWiki

To retire a puppetmaster from the cluster, you will need to:

  • make sure hosts don't use it as a server anymore:
    • remove it from `$puppet_servers` in the org config
    • change any 'puppet' or 'repos' CNAMEs pointing to the server to point to another master
    • while you're there, remove the node definition for the host, as well as any entries for it in `modules/ssh/templates/known_hosts.erb`
  • if you're using multiple A records to achieve redundancy for apt, remove the server's address from that record set as well
  • for any active hosts whose certificates were signed by the server's CA cert, re-issue a certificate from a different master:
    • look for in-use hosts under `/var/lib/puppetmaster/ssl/git/agent-certs/$master`
    • on each such host, run `PUPPET_SERVER=$some_other_master ./puppetize.sh`
    • you can verify which master issued a host's current certificate with `openssl x509 -in /var/lib/puppet/ssl/certs/$(facter fqdn).pem -noout -text | grep Issuer`; after re-puppetizing, the Issuer line should name the new master, not the one being retired
  • shut down the master
  • revoke the server's CA certificate with the root certificate and re-generate the root CRL; from then on any agent certificate that still chains through the retired CA is rejected by anything checking that CRL, which is why the re-issue step above comes first
  • update the certs in git:
    • remove the server's CA cert and CRL from /var/lib/puppetmaster/ssl/git/ca-certs
    • update the root certificate's CRL in /var/lib/puppetmaster/ssl/git/ca-certs/root.crl
    • remove any now-dangling links in /var/lib/puppetmaster/ssl/git/certdir
    • remove the directories for the deleted server under agent-certs and revocation-requests
    • commit these changes *as puppetsync, not root*; the commit will get distributed to other masters in due time
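The certificate-related steps above (find the hosts still certified by the retiring master, re-issue them from another master, revoke the master's CA cert with the root and regenerate the root CRL, then confirm the old certificates are rejected) rehearsed on a throwaway PKI built with plain openssl. This is an added example, not PuppetAgain code: it assumes an openssl CLI (1.1.1 or 3.x), and the CA names, host names and the `$DEMO` directory layout are made up for the example; nothing under `/var/lib/puppetmaster` is touched.

```shell
#!/bin/sh
# Added example (not part of PuppetAgain): a throwaway root CA -> per-master
# CA -> agent-cert hierarchy used to rehearse the retirement steps.
# puppetmaster1/2, build1/2.example.com and $DEMO are made-up names.
set -eu

# Minimal `openssl ca` config for the CA living in directory $1 (absolute path).
write_ca_config() {
    cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = this_ca
[ this_ca ]
database         = $1/index.txt
new_certs_dir    = $1/newcerts
serial           = $1/serial
certificate      = $1/ca.crt
private_key      = $1/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_cn
x509_extensions  = agent_ext
[ any_cn ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ agent_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
EOF
}

# Directory layout and serial counter that `openssl ca` expects.
init_ca() {
    mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 1000 > "$1/serial"
    write_ca_config "$1"
}

# Per-master CA in $2, named $3, signed by the root CA in $1.
sign_master_ca() {
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$2/ca.key" -out "$2/ca.csr" -subj "/CN=$3" 2>/dev/null
    openssl ca -batch -notext -config "$1/ca.cnf" -extensions ca_ext \
        -in "$2/ca.csr" -out "$2/ca.crt" 2>/dev/null
}

# Issue (or re-issue) host $2's agent cert from the master CA in $1: the
# effect of running puppetize.sh on that host against that master.
issue_agent() {
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$DEMO/$2.key" -out "$DEMO/$2.csr" -subj "/CN=$2" 2>/dev/null
    openssl ca -batch -notext -config "$1/ca.cnf" -extensions agent_ext \
        -in "$DEMO/$2.csr" -out "$DEMO/$2.crt" 2>/dev/null
}

# Issuer DN in RFC 2253 form, e.g. "CN=puppetmaster1 CA" (stable across versions).
issuer_of() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# Certs among $2.. issued by the CA named $1: hosts still needing re-puppetizing.
certs_issued_by() {
    want=$1; shift
    for c in "$@"; do
        [ "$(issuer_of "$c")" = "$want" ] && echo "$c"
    done
    return 0
}

# Revoke the master CA in $2 with the root in $1 and regenerate the root CRL.
retire_master() {
    openssl ca -config "$1/ca.cnf" -revoke "$2/ca.crt" \
        -crl_reason cessationOfOperation 2>/dev/null
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
}

# "valid" or "rejected": verify agent cert $3 via master $2 against root $1,
# checking the CRL of every certificate in the chain.
chain_status() {
    crls=$(mktemp)
    cat "$1/ca.crl" "$2/ca.crl" > "$crls"
    if openssl verify -CAfile "$1/ca.crt" -untrusted "$2/ca.crt" \
            -CRLfile "$crls" -crl_check_all "$3" >/dev/null 2>&1
    then echo valid; else echo rejected; fi
    rm -f "$crls"
}

# Root, two masters, one agent cert from each, and a CRL for every CA.
demo_setup() {
    DEMO=$(mktemp -d); ROOT=$DEMO/root; M1=$DEMO/puppetmaster1; M2=$DEMO/puppetmaster2
    init_ca "$ROOT"; init_ca "$M1"; init_ca "$M2"
    openssl req -x509 -config "$ROOT/ca.cnf" -extensions ca_ext -days 3650 -newkey rsa:2048 \
        -nodes -keyout "$ROOT/ca.key" -out "$ROOT/ca.crt" -subj "/CN=PuppetAgain root" 2>/dev/null
    sign_master_ca "$ROOT" "$M1" "puppetmaster1 CA"
    sign_master_ca "$ROOT" "$M2" "puppetmaster2 CA"
    issue_agent "$M1" build1.example.com
    issue_agent "$M2" build2.example.com
    for ca in "$ROOT" "$M1" "$M2"; do
        openssl ca -config "$ca/ca.cnf" -gencrl -out "$ca/ca.crl" 2>/dev/null
    done
}

main() {
    demo_setup
    echo "hosts still certified by puppetmaster1:"; certs_issued_by "CN=puppetmaster1 CA" "$DEMO"/*.crt
    cp "$DEMO/build1.example.com.crt" "$DEMO/build1.old.crt"   # what a host that was missed keeps
    issue_agent "$M2" build1.example.com                       # re-issue from the surviving master
    retire_master "$ROOT" "$M1"
    echo "stale cert from puppetmaster1: $(chain_status "$ROOT" "$M1" "$DEMO/build1.old.crt")"
    echo "re-issued cert from puppetmaster2: $(chain_status "$ROOT" "$M2" "$DEMO/build1.example.com.crt")"
}
main
```

`issuer_of` is the scripted form of the `grep Issuer` check in the list above, and `retire_master` is the revoke-and-regenerate step; the regenerated root CRL is the file that would be committed as `ca-certs/root.crl`. The `chain_status` check is deliberately run with `-crl_check_all`: a host that was missed during re-issue is accepted right up to the moment the root CRL is regenerated and rejected afterwards, which is the ordering the list enforces.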