Using puppet on Vagrant

asked 2015-09-28 15:54:39 -0600

Noodles

I have a puppet master which manages a bunch of our servers. I'm trying to setup some Vagrant boxes for development, but I'm trying to do this without having to worry about signing certs on the master. What's the best way to get a regular puppet setup to work in a masterless setup for vagrant? I want to make it easy for developers to spin up a new server without having to worry about getting me to sign their certs.

3 Answers

answered 2015-09-29 03:22:28 -0600

I do this for testing and it's pretty cool. In general you could do two things I can think of:

If new boxes, use an autosig.rb (have a google for autosign in puppet) - you could base this on automatic signing for a subnet or some regex (e.g. I do it based on hostname).

If, as is more likely, you're rebuilding boxes with the same name, then look at just automatically adding the cert on the vagrant client each time.

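The hostname-based autosign script mentioned in the answer above, sketched as an added example (not the answerer's script and not Puppet's own code). It goes one step beyond a hostname regex: the requester chooses the certname, so the script also requires a shared secret in the CSR's challengePassword attribute. The name pattern, the secret file path and the secret itself are assumptions.

```ruby
#!/usr/bin/env ruby
# Policy-based autosign executable (added example, not from the thread).
# Puppet calls it with the certname as ARGV[0] and the PEM CSR on stdin;
# exit status 0 means "sign", anything else leaves the request unsigned.
require 'openssl'

# Assumption: dev boxes are named like dev-web01.vagrant.test
CERTNAME_RE = /\Adev-[a-z0-9-]{1,40}\.vagrant\.test\z/
# Hypothetical location of the shared secret handed to developers.
SECRET_FILE = '/etc/puppetlabs/puppet/autosign_secret'

# Compare fixed-size digests byte by byte without an early exit, so the
# comparison time does not depend on where the two values differ.
def same_secret?(a, b)
  da = OpenSSL::Digest::SHA256.digest(a).bytes
  db = OpenSSL::Digest::SHA256.digest(b).bytes
  da.zip(db).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Pull the PKCS#9 challengePassword attribute out of the CSR, if present.
def challenge_password(csr)
  attr = csr.attributes.find { |a| a.oid == 'challengePassword' }
  attr && attr.value.value.first.value.to_s
end

def autosign?(certname, csr_pem, secret)
  # 1. The name must look like one of our dev boxes.
  return false unless certname.match?(CERTNAME_RE)
  csr = OpenSSL::X509::Request.new(csr_pem)
  # 2. The CSR must be self-consistent and actually be for that name.
  return false unless csr.verify(csr.public_key)
  cn = csr.subject.to_a.find { |name, _, _| name == 'CN' }
  return false unless cn && cn[1] == certname
  # 3. The requester must prove knowledge of the shared secret.
  offered = challenge_password(csr)
  !offered.nil? && !secret.empty? && same_secret?(offered, secret)
rescue OpenSSL::OpenSSLError
  false # unparsable CSR: never sign
end

# Only act as the policy executable when Puppet passes a certname.
if $PROGRAM_NAME == __FILE__ && ARGV.size == 1
  secret = File.read(SECRET_FILE).strip
  exit(autosign?(ARGV[0], $stdin.read, secret) ? 0 : 1)
end
```

Point the master's autosign setting in puppet.conf at the executable; agents supply the secret through custom_attributes in csr_attributes.yaml.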

answered 2015-09-29 23:10:46 -0600

DarylW

Hi Noodles,

I would think that you can just configure the modulepath in vagrant to point to a populated modules directory (either constructed with r10k or puppet-librarian, or if you have a monolithic modules repo). You should be able to create a nodes.pp that is specific to the vagrant environment, and apply it with 'puppet apply'.

Another option is to have a multi-host vagrant setup. A really good example is at elasticdog/puppet-sandbox. They hard-code all of the networking information in the hosts file via a 'provision' set of modules that is used to bootstrap the vagrant config. Once it is up and running, you can put whatever modules you want in the repo's modules directory, and they will be available from the master to any of the nodes you configure.

Hope that helps!


answered 2015-10-01 04:55:58 -0600

jorhett

If you want your developers to share the master, it can often be easiest to give them sudo access to sign certificates, or a web interface to view their cert details and sign them. Easy peasy.

Be careful with the sudo definition. This is good:

%dev ALL=(ALL) puppet cert list, puppet cert sign

...but you won't be happy if they can run

sudo puppet cert clean --all


Seen: 380 times

Last updated: Oct 01 '15