How do I automatically build a docker image configured by puppet?

asked 2016-06-30 13:04:41 -0600

haloflightleader

Hello Everyone,

How do I automatically build a docker image configured by Puppet? I'm using puppet 3.8. Let me explain.

I want to automatically build docker containers configured by Puppet. I have already built the Dockerfile. It has

    FROM centos:6
    RUN install-puppet-agent
    RUN talk-to-puppet-mothership

So, when I run docker build -t latest --no-cache -f ./Dockerfile ., it runs fine the first time. My puppet server is configured with autosign = true. Here's what happens: it downloads centos:6 and it instantiates a container with some hostname. The hostname is always the same.

The problem arises when I have to run the docker build a second time. Suddenly, I have a container with the same hostname, but its fingerprint doesn't match so the puppet run fails.

How can I do this? Am I approaching this wrong? My first time with Docker.


3 Answers


answered 2016-07-01 03:17:49 -0600

amirb

updated 2016-07-01 03:20:08 -0600

Plant the puppet client certificate that was generated on the first run in all subsequent builds of the docker image. It's located in /var/lib/puppet/ssl. So your Dockerfile would look something like this:

    FROM centos:6
    RUN install-puppet-agent
    ADD puppet_client_cer.tar.gz /var/lib/puppet/ssl
    RUN talk-to-puppet-mothership

AHA! That is EFFING BRILLIANT! Why didn't I think of that?

haloflightleader ( 2016-07-01 04:15:21 -0600 )

That requires you to always keep the cert around, which may make parallel build slaves difficult. You can also remove the /var/lib/puppet/ask directory at build time, then clean up the PM cert if you are only using puppet for the building, not running of the container. Also, look to

DarylW ( 2016-07-01 08:07:33 -0600 )

Agreed. I would much prefer an ability to disable this cert handshake between client and master. My environment is elastic and the hostname by nature of being in AWS is random that becomes a natural barrier to the problem.

haloflightleader ( 2016-07-01 10:57:06 -0600 )

As I mentioned, the best bet may be to give the build server a cert that allows it to connect to the master and remove the cert, but this will add lots of create/remove entries in your puppetmaster logs. The only other suggestion I would have is to install it with puppet apply instead

DarylW ( 2016-07-02 23:37:40 -0600 )

answered 2016-07-02 20:56:59 -0600

Nizen

updated 2016-07-05 14:01:30 -0600

We work around this by naming the cert the hostname + UUID and then specifying the name in the puppet.conf.

If you use uuidgen to generate the UUID, and then append that to the hostname.cert, and then echo that into the puppet.conf to specify the cert name, it should solve your problems.

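The hostname + UUID approach from the answer above, as an added shell example (not code from the thread or from the Puppet project). The function names, the `<hostname>-<uuid>` pattern and the choice of the `[main]` section are assumptions; `certname` is the real puppet.conf setting.

```shell
#!/bin/sh
# Added example: give every build container its own Puppet certname so a
# rebuilt container never collides with a certificate the master already signed.
# Assumed names: make_certname, set_certname (hypothetical helpers).

# Print "<hostname>-<uuid>" in lowercase (Puppet rejects uppercase certnames).
make_certname() {
    host=${1:-$(hostname)}
    # uuidgen if installed, otherwise the Linux kernel's random UUID source
    uuid=$(uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid)
    printf '%s-%s\n' "$host" "$uuid" | tr '[:upper:]' '[:lower:]'
}

# Write "certname = <name>" into the [main] section of the given puppet.conf,
# dropping any certname line already present in any section.
set_certname() {
    conf=$1
    name=$2
    [ -f "$conf" ] || : > "$conf"
    tmp=$(mktemp) || return 1
    awk -v name="$name" '
        /^[ \t]*certname[ \t]*=/ { next }          # remove stale certname lines
        { print }
        /^\[main\][ \t]*$/ { print "    certname = " name; done = 1 }
        END { if (!done) { print "[main]"; print "    certname = " name } }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage inside the build container, before the first agent run
# (the puppet.conf path is an assumption for an open-source Puppet 3.x install):
#   set_certname /etc/puppet/puppet.conf "$(make_certname)"
```

With autosign = true, each build then leaves one signed certificate on the master; on Puppet 3.x `puppet cert clean <certname>` removes it once the image is built.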

answered 2016-07-05 12:44:39 -0600

haloflightleader

updated 2016-07-05 12:45:37 -0600

My objective is to automate the build of a docker container wherein the container is configured by puppet. At first, I thought docker build was the answer. However, I ran into the limitations described above. Given those limitations, it was suggested that I preserve the cert. That would have worked, but that would have been a hack and would have presented other problems in the future. What I really needed was a way to randomize the hostname. However, there was no direct way of randomizing the hostname without being hacky yet again.

I tried Packer as suggested in this thread and that solved the problem. In the background, it does not run a docker build. Instead, it does a docker run, then at the end it does a docker commit and if you read the packer docs you'll find all the things you need. That's what I'm doing now.

I edited my original response to give a more in-depth explanation of how we overcome this.

Nizen ( 2016-07-05 14:03:01 -0600 )
