0

Why does Puppet require name resolution?

asked 2019-01-16 10:09:49 -0600

Jojor

I'm trying to decide how Puppet can work for us and there is something I don't understand. Why does Puppet require name resolution?

From what I read, agents are usually identified by their certname, and agents know where to find their master with a URL in their config. So if I use a custom certname, independent of the FQDN, I shouldn't need to care about the names, and thus shouldn't need to maintain a DNS or hosts file just for this.

To give context, I'm going to work with nodes that are behind a NAT, so the Puppet master can't reference each machine directly by an IP to name it, or a static public IP may not be available either.


2 Answers

1

answered 2019-01-17 14:36:32 -0600

LeroyT

updated 2019-01-17 14:50:35 -0600

You don't even have to use a DNS name for the server, but if you use an IP address, the server's certificate must have the IP address as an alternate DNS name. I used "puppet cert -g {puppetmaster's FQDN} --dns_alt_names={puppetmaster's IP address},puppet" using information from https://groups.google.com/forum/#!msg... and https://docs.puppet.com/pe/latest/tro..., which unfortunately no longer exists, but you might be able to locate an equivalent by searching for some of its terms. (Found a couple of references: https://puppet.com/docs/pe/2018.1/reg... and https://puppet.com/docs/pe/2017.3/reg...)

0

answered 2019-01-17 12:47:39 -0600

reesek

updated 2019-01-17 12:49:38 -0600

Agents are identified by their certname, but they still need to know what to talk to. If a server is not specified within the main section of the puppet.conf file, like this:

[main]
server = puppetmaster01.mycompany.com
[agent]
certname = myservername01.mycompany.com

the agent, by default, will attempt to resolve the name "puppet" and connect to the result of that resolution on port 8140. If the name "puppet" doesn't resolve, you'll get a "Could not request certificate: getaddrinfo: Name or service not known" error.


Comments

Then everything should work as long as all agents can resolve the master's name that's in their config, isn't it?

Jojor (2019-01-17 12:59:14 -0600)
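As an added example that is not part of either answer: a small offline checker, written here, that reads a puppet.conf like the one above, applies the defaults the second answer describes (server falls back to "puppet", port 8140) and reports whether the agent's server value needs DNS at all and whether it is covered by the server certificate's alternate names, which is the first answer's point about IP addresses. The masterport setting name, the [agent]-over-[main] precedence and the sample config values are assumptions; the resolver and the alt-name list are injected so nothing goes on the network.

```python
import configparser
import ipaddress

# Constructed puppet.conf samples (not taken from any real system).
CONF_EXPLICIT = """
[main]
server = puppetmaster01.mycompany.com
[agent]
certname = myservername01.mycompany.com
"""
CONF_DEFAULT = """
[agent]
certname = node-behind-nat-01
"""

def effective_settings(conf_text):
    """Return (server, port, certname) the agent will use.
    Assumed precedence: [agent] overrides [main]; an unset server falls back
    to the name "puppet" and an unset masterport to 8140."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    def get(key, default=None):
        for section in ("agent", "main"):
            if cp.has_option(section, key):
                return cp.get(section, key).strip()
        return default
    return get("server", "puppet"), int(get("masterport", 8140)), get("certname")

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def diagnose(conf_text, resolve, cert_alt_names):
    """Predict whether 'puppet agent' can reach and trust its server.
    `resolve` maps a hostname to a list of addresses (injected so this runs
    offline); `cert_alt_names` is the server certificate's DNS alt-name list."""
    server, port, certname = effective_settings(conf_text)
    report = {"server": server, "port": port, "certname": certname, "problems": []}
    report["needs_dns"] = not is_ip(server)   # an IP is connected to directly
    if report["needs_dns"] and not resolve(server):
        report["problems"].append(
            f"'{server}' does not resolve; agent would fail with "
            "'Could not request certificate: getaddrinfo: Name or service not known'")
    # The name or IP in `server` must be covered by the server certificate,
    # otherwise TLS verification fails even though the connection itself works.
    if server.lower() not in {n.lower() for n in cert_alt_names}:
        report["problems"].append(f"server cert has no alt name for '{server}'")
    return report
```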

