[Labs-announce] role::puppet::self, dns and cert changes
Andrew Bogott
abogott at wikimedia.org
Tue Jun 2 16:15:07 UTC 2015
If you are only a user of tool labs, you can ignore this email.
If you manage labs instances but they do not use role::puppet::self, you
can ignore this email.
If you manage labs instances and you use role::puppet::self but each
instance is stand-alone and you don't set the $puppetmaster variable,
you can ignore this email.
Ok! If anyone is still here, here's the deal. On Monday, your instance
domains are going to change. A couple of days after that, the names of
all your puppet and salt certs are going to also change. This will
break puppet on a bunch of your instances. To avoid that, you'll need
to take the following steps:
1. Update your puppet repo. You ought to be doing this regularly
anyway, but in case you aren't, here are instructions:
https://wikitech.wikimedia.org/wiki/Help:Self-hosted_puppetmaster#FAQ
2. If your $puppetmaster setting is a fqdn, change it to a simple
instance name. For example, you would change
'project-puppetmaster.eqiad.wmflabs' to 'project-puppetmaster'. The two
are currently equivalent in puppet anyway, so the change should be a no-op.
** Thursday, June 4th: Andrew merges a patch that bans fqdn
puppetmaster names. ** [1]
3. (optional) If you want to get a head-start, remove the
use_dnsmasq=true setting from your instances and go to step 4.
** Monday, June 8th: Andrew removes use_dnsmasq everywhere. Surprise,
your puppetmaster just changed its name from <host>.eqiad.wmflabs to
<host>.<project>.eqiad.wmflabs
4. On all puppet clients, edit /etc/puppet/puppet.conf and change the
puppetmaster name by inserting the project name before .eqiad.wmflabs.
5. On the puppetmaster, sign all the new cert requests that rolled in
as a result of step 4. Do the same for salt, if needed.
** Thursday, June 11th: Andrew merges a patch that changes cert names,
again. ** [2]
6. Update your puppet repo again, as per step 1.
7. On puppetmaster, once again sign all new cert requests. Do the same
for salt, if needed.
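For step 4, here is an added example (not part of the original email or of the labs puppet repo) of a small POSIX shell helper that does the rename in a client's puppet.conf. It assumes the master is set with a "server =" line in that file and that the project name is passed in by hand; the project name "tools" in the demo is made up.

```shell
#!/bin/sh
# Added example, not from the original email: rename the puppetmaster in a
# client's puppet.conf from <host>.eqiad.wmflabs to
# <host>.<project>.eqiad.wmflabs (step 4). Idempotent: a name that
# already carries the project part is left as it is.

# new_master_name OLD PROJECT -> print the renamed master name
new_master_name() {
    old="$1"; project="$2"
    case "$old" in
        *".$project.eqiad.wmflabs") printf '%s\n' "$old" ;;   # already renamed
        *.eqiad.wmflabs)
            printf '%s.%s.eqiad.wmflabs\n' "${old%.eqiad.wmflabs}" "$project" ;;
        *) printf '%s\n' "$old" ;;                             # not a labs name, untouched
    esac
}

# rewrite_puppet_conf FILE PROJECT -> rewrite every "server =" line,
# keep a copy of the old file at FILE.bak, print the new master name
rewrite_puppet_conf() {
    conf="$1"; project="$2"
    cur=$(sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    [ -n "$cur" ] || { echo "no server= line in $conf" >&2; return 1; }
    new=$(new_master_name "$cur" "$project")
    cp "$conf" "$conf.bak"
    sed "s|^\([[:space:]]*server[[:space:]]*=[[:space:]]*\).*|\1$new|" "$conf.bak" > "$conf"
    printf '%s\n' "$new"
}

# Demo on a constructed puppet.conf (project name "tools" is made up)
demo_dir=$(mktemp -d)
cat > "$demo_dir/puppet.conf" <<'EOF'
[main]
server = tools-puppetmaster.eqiad.wmflabs
EOF
rewrite_puppet_conf "$demo_dir/puppet.conf" tools
cat "$demo_dir/puppet.conf"
rm -rf "$demo_dir"
```

After the agent next runs, the request shows up under the new name in `puppet cert list` on the master, which is the moment to check the name matches what you expect before `puppet cert sign` (step 5).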
Sorry about all the steps -- role::puppetmaster::self is a hack and you
always have to pay interest on your hacks. Feel free to respond to this
email or ping me on IRC if you require additional info about this.
[1] https://gerrit.wikimedia.org/r/#/c/215333/
[2] https://gerrit.wikimedia.org/r/#/c/202924/ <- that gets us cert
names that are actually human readable.