
one puppet master with two addresses because of NAT - puppet agent times out

asked 2017-06-15 17:48:09 -0600 by nomad

updated 2017-06-16 09:50:17 -0600

I inherited a network that has a firewall-with-NAT in the middle of it. The puppet master is behind that firewall, on a 10.x.x.x address. Hosts inside that firewall are able to find the puppet master just fine.

However, hosts outside the firewall need to use the non-NAT address for routing, obviously. When I put two A records in DNS (one for the 10.x.y.z address and one for the routable 128.x.y.z address), the puppet agents outside the firewall sit and spin until they time out. When I hard-code the single 128.x.y.z address in /etc/hosts on the client, puppet agent runs complete without problems.

(with an entry in /etc/hosts):

-bash-4.2$ getent hosts puppet
128.X.Y.Z puppet.[redacted] puppet
-bash-4.2$ sudo /opt/puppetlabs/bin/puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for external.[redacted]
Info: Applying configuration version '1497563758'
[...]

(with regular DNS):

-bash-4.2$ getent hosts puppet
10.X.Y.Z  puppet.[redacted]
128.X.Y.Z puppet.[redacted]
-bash-4.2$ sudo /opt/puppetlabs/bin/puppet agent -t 
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: execution expired
Info: Retrieving pluginfacts
Info: Retrieving plugin
[...]

or, alternatively:

-bash-4.2$ sudo /opt/puppetlabs/bin/puppet agent -t 
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': execution expired
[...]

Any pointers on how to fix this would be greatly appreciated.

nomad

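The symptom above (a run that spins until "execution expired" whenever the 10.X.Y.Z record is returned, but completes when only 128.X.Y.Z is present) is what you get when an agent's first connect() goes to an address that silently drops the SYN: the connect does not fail fast, it waits out the full timeout. The script below, an added diagnostic for this thread and not code from the original post or from Puppet, resolves every A record behind the server name and times a TCP connect to port 8140 against each one, so an unroutable leading record shows up as "no answer" with a multi-second wait. The hostname "puppet", the 3-second probe timeout and the fake addresses used in the sample are assumptions chosen for illustration.

```python
"""Probe every A record behind a Puppet server name on port 8140, one at a time.

Added example, not from the original post or from Puppet.  The server name
"puppet" and the 3-second timeout are assumptions for illustration.
"""
import socket
import sys
import time
from typing import Callable, Dict, List, Tuple

PUPPET_PORT = 8140      # default puppetserver port
PROBE_TIMEOUT = 3.0     # seconds; assumption, short enough to show a hang without a long wait


def resolve_all(host: str) -> List[str]:
    """Return every IPv4 address behind host, in resolver order.

    Resolver order matters: the first address is the one the client tries first.
    """
    addrs: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
        host, PUPPET_PORT, socket.AF_INET, socket.SOCK_STREAM
    ):
        ip = sockaddr[0]
        if ip not in addrs:
            addrs.append(ip)
    return addrs


def tcp_probe(ip: str, port: int = PUPPET_PORT, timeout: float = PROBE_TIMEOUT) -> Tuple[bool, float]:
    """Attempt a TCP connect; return (reachable, seconds elapsed).

    A refused port fails in milliseconds; an address that drops the SYN
    (the NAT'd 10.x record seen from outside) runs out the whole timeout.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True, time.monotonic() - start
    except OSError:
        return False, time.monotonic() - start


def classify(addrs: List[str], probe: Callable[[str], Tuple[bool, float]] = tcp_probe) -> Dict:
    """Probe each address and report which ones answer.

    'first_unreachable' is the case from the question: the record the client
    tries first is the one nobody outside the firewall can reach.
    """
    per_address = {}
    for ip in addrs:
        ok, elapsed = probe(ip)
        per_address[ip] = {"reachable": ok, "seconds": round(elapsed, 2)}
    reachable = [ip for ip in addrs if per_address[ip]["reachable"]]
    return {
        "per_address": per_address,
        "reachable": reachable,
        "first_unreachable": bool(addrs) and not per_address[addrs[0]]["reachable"],
    }


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "puppet"  # assumption: the agent's configured server name
    addrs = resolve_all(host)
    report = classify(addrs)
    for ip in addrs:
        r = report["per_address"][ip]
        state = "open" if r["reachable"] else "no answer"
        print(f"{ip:>15}  {state:<10} ({r['seconds']}s)")
    if report["first_unreachable"]:
        print("first A record is unreachable from here; the client waits out its timeout before it can do anything else")
```

Run it from an agent on each side of the firewall (`python3 probe_puppet.py puppet`). Inside, both records should come back "open"; outside, the 10.x record should show "no answer" after the full timeout while 128.x opens immediately, which is the two-line proof that the DNS answer, not the master, is what the external agents are waiting on.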

1 Answer


answered 2017-06-18 06:23:07 -0600 by greynolds

I'm not sure of your network topology, or of the ownership or permissions you have on the external network. However, if you are using Puppet Enterprise, you simply need to build a compiler from your puppet master with two network cards. On the compiler, you will face the public with one of the network cards, and the other will talk with the puppet master. You will point your agents to your compiler, not the puppet master. The compiler will add the correct certificate information from your puppet master. The puppet master's only responsibility at this point is to become your CA and host your packages, if you want to handle your packages from it.

from the agent: curl -k https://compileryour-domain:8140/pack... | sudo bash -> will install your agent....

Be sure you are routing on the server between the two network cards!

Here is how to add the compiler https://docs.puppet.com/pe/latest/ins...


