Puppet actually lends itself pretty well to multi-master environments, with caveats. The main one? Lots of parts of Puppet like to be centralized. The certificate authority, the inventory and dashboard/report services, filebucketing and stored configs - all of them are at their best in (or simply require) a setup where there's just one place for them to talk to.
It's quite workable, though, to get a lot of those moving parts working in a multi-master environment, if you're ok with the graceful loss of some of the functionality when you've lost your primary site.
Let's start with the base functionality to get a node reporting to a master:
Modules and Manifests
This part's simple. Version control them. If it's a distributed version control system, then just centralize and sync, and alter your push/pull flow as needed in the failover site. If it's Subversion, then you'll probably want to svnsync
the repo to your failover site.
Certificate Authority
One option here is to simply sync the certificate authority files between the masters, so that all share the same root cert and are capable of signing certificates. This has always struck me as "doing it wrong";
- Should one master really see its own cert presented in client auth for an incoming connection from another master as valid?
- Will that reliably work for the inventory service, dashboard, etc?
- How do you add additional valid DNS alt names down the road?
I can't honestly say that I've done thorough testing of this option, since it seems horrible. However, it seems that Puppet Labs are not looking to encourage this option, per the note here.
So, what that leaves is to have a central CA master. All trust relationships remain working when the CA is down since all clients and other masters cache the CA certificate and the CRL (though they don't refresh the CRL as often as they should), but you'll be unable to sign new certificates until you get the primary site back up or restore the CA master from backups at the failover site.
You'll pick one master to act as CA, and have all other masters disable it:
[main]
ca_server = puppet-ca.example.com
[master]
ca = false
Then, you'll want that central system to get all of the certificate related traffic. There are a few options for this;
- Use the new
SRV
record support in 3.0 to point all agent nodes to the right place for the CA - _x-puppet-ca._tcp.example.com
- Set up the
ca_server
config option in the puppet.conf
of all agents
Proxy all traffic for CA-related requests from agents on to the correct master. For instance, if you're running all your masters in Apache via Passenger, then configure this on the non-CAs:
SSLProxyEngine On
# Proxy on to the CA.
ProxyPassMatch ^/([^/]+/certificate.*)$ https://puppet-ca.example.com:8140/$1
# Caveat: /certificate_revocation_list requires authentication by default,
# which will be lost when proxying. You'll want to alter your CA's auth.conf
# to allow those requests from any device; the CRL isn't sensitive.
And, that should do it.
Before we move on to the ancillary services, a side note;
DNS Names for Master Certificates
I think this right here is the most compelling reason to move to 3.0. Say you want to point a node at "any ol' working master".
Under 2.7, you'd need a generic DNS name like puppet.example.com
, and all of the masters need this in their certificate. That means setting dns_alt_names
in their config, re-issuing the cert that they had before they were configured as a master, re-issuing the cert again when you need to add a new DNS name to the list (like if you wanted multiple DNS names to have agents prefer masters in their site).. ugly.
With 3.0, you can use SRV
records. Give all your clients this;
[main]
use_srv_records = true
srv_domain = example.com
Then, no special certs needed for the masters - just add a new record to your SRV
RR at _x-puppet._tcp.example.com
and you're set, it's a live master in the group. Better yet, you can easily make the master selection logic more sophisticated; "any ol' working master, but prefer the one in your site" by setting up different sets of SRV
records for different sites; no dns_alt_names
needed.
Reports / Dashboard
This one works out best centralized, but if you can live without it when your primary site's down, then no problem. Just configure all of your masters with the correct place to put the reports..
[master]
reports = http
reporturl = https://puppetdash.example.com/reports/upload
..and you're all set. Failure to upload a report is non-fatal for the configuration run; it'll just be lost if the dashboard server's toast.
Fact Inventory
Another nice thing to have glued into your dashboard is the inventory service. With the facts_terminus
set to rest
as recommended in the documentation, this'll actually break configuration runs when the central inventory service is down. The trick here is to use the inventory_service
terminus on the non-central masters, which allows for graceful failure..
facts_terminus = inventory_service
inventory_server = puppet-ca.example.com
inventory_port = 8140
Have your central inventory server set to store the inventory data through either ActiveRecord or PuppetDB, and it should keep up to date whenever the service is available.
So - if you're ok with being down to a pretty barebones config management environment where you can't even use the CA to sign a new node's cert until it's restored, then this can work just fine - though it'd be really nice if some of these components were a bit more friendly to being distributed.