ReleaseEngineering/PuppetAgain/HowTo/Remove a Puppetmaster

From MozillaWiki
Revision as of 16:36, 11 July 2014 by Djmitche

To retire a puppetmaster from the cluster, you will need to:

  • make sure hosts don't use it as a server anymore:
    • remove it from the $puppet_servers in the org config
    • change any 'puppet' or 'repos' CNAMEs pointing to the server so they point to another master
  • for any active hosts which have certificates signed by the server's CA cert, re-issue a certificate from a different master
    • look for in-use hosts under /var/lib/puppetmaster/ssl/git/agent-certs/$master
    • on each such host, run PUPPET_SERVER=$some_other_master ./puppetize.sh
    • you can verify which master issued a host's certificate with grep Issuer on that certificate
  • shut down the master
  • revoke the server's CA certificate with the root certificate and re-generate the root CRL
  • update the certs in git:
    • remove the server's CA cert and CRL from /var/lib/puppetmaster/ssl/git/ca-certs
    • update the root certificate's CRL in /var/lib/puppetmaster/ssl/git/ca-certs/root.crl
    • remove any now-dangling links in /var/lib/puppetmaster/ssl/git/certdir
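The two certificate steps above (checking a certificate's issuer, and revoking the retired master's CA cert with the root and regenerating the root CRL) as an added openssl walk-through; this is example code, not part of the wiki page or the PuppetAgain tooling. It builds a throwaway root CA and a "retired-master" CA cert in a temp directory, so the config file, key paths and names are constructed for the example; the real root CA config and key are site-specific.

```shell
set -e
# Constructed sandbox: WORK, root.cnf and the CA names are example choices, not real paths.
WORK="${WORK:-$(mktemp -d)}"; cd "$WORK"
# Minimal openssl config so `openssl ca` can sign, revoke and issue a CRL.
cat > root.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ ca ]
default_ca = root_ca
[ root_ca ]
database         = index.txt
new_certs_dir    = newcerts
serial           = serial
certificate      = root.crt
private_key      = root.key
default_md       = sha256
default_days     = 3650
default_crl_days = 30
policy           = any_pol
x509_extensions  = v3_ca
[ any_pol ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
mkdir -p newcerts; : > index.txt; echo 01 > serial
# Constructed root CA, plus a master CA cert ("retired-master") signed by it.
openssl req -x509 -newkey rsa:2048 -nodes -config root.cnf -keyout root.key \
  -out root.crt -subj /CN=root-ca -days 3650 2>/dev/null
openssl req -newkey rsa:2048 -nodes -config root.cnf -keyout master.key \
  -out master.csr -subj /CN=retired-master 2>/dev/null
openssl ca -batch -config root.cnf -in master.csr -out master.crt 2>/dev/null
# "verify the issuing master": print the Issuer DN of a certificate.
issuer_of() { openssl x509 -in "$1" -noout -issuer; }
# "revoke the server's CA certificate with the root ... re-generate the root CRL":
# mark the cert revoked in the root's database, then write a fresh root.crl.
revoke_and_gencrl() {
  openssl ca -config root.cnf -revoke "$1" 2>/dev/null
  openssl ca -config root.cnf -gencrl -out root.crl 2>/dev/null
}
# Chain check against root.crt with CRL checking on; fails once the cert is in root.crl.
chain_valid() { openssl verify -crl_check -CAfile root.crt -CRLfile root.crl "$1" >/dev/null 2>&1; }
revoke_and_gencrl master.crt
issuer_of master.crt
chain_valid master.crt || echo "retired-master is revoked by root.crl"
```

The regenerated root.crl is what would then replace the file under /var/lib/puppetmaster/ssl/git/ca-certs/root.crl in the following step.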