
How can I convert a puppet client into a master?

asked 2012-12-17 18:50:03 -0600

Dawn

Is there an easy way to convert a puppet client into being a puppet master?

Here's the scenario. I'm using puppet to configure all my systems, and would like it to be able to deploy a new puppet master as well. We have systems worldwide so having local puppet masters is very desirable for fault tolerance. So Kickstart (via cobbler) installs a puppet client during the initial system installation, then puppet installs everything else. And I've written a puppet-server module to attempt to deploy the puppet-server package, but I end up getting into certificate problems every time ... (more)



!msg/puppet-users/5coT4bOFReU/VR0FzMXrsPkJ

Dawn (2012-12-17 19:38:42 -0600)

3 Answers


answered 2013-02-27 04:41:50 -0600

Daenney

updated 2013-03-09 17:13:46 -0600

It depends a bit on what you want... If you want multiple Puppet Masters but want every client to be able to check in to any master, you can use round-robin DNS, SRV records, or traditional load balancing to distribute the agents across your masters. You'll need to centralize your Certificate Authority, though. There's a small guide about it here.

If, however, there's a single master per location that only manages that location (so completely self-contained), it should be a bit easier. The 'best' way I've found to do that is:

  • find "$(puppet agent --configprint ssldir)" -type ...

answered 2012-12-18 14:24:37 -0600

llowder

In addition to cleaning the certs, you also need to make sure that your puppet.conf gets updated to include an appropriate [master] section, and that any clients that are supposed to connect to this master have their [main] or [agent] sections updated to include a 'server=' line that corresponds to the new local master.

For that initial agent run when linking to the new master, you may want to include the --waitforcert 60 option.

You can find a summary of the configuration options at a full list of all the configuration options at

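An added example, not part of the answers on this page or of Puppet's own code: a small Python check for the two puppet.conf points listed in the answer above (a [master] section on the new master, and a server= line in [main] or [agent] on its clients). The hostnames and sample files are constructed, the function names are hypothetical, and it assumes a value in [agent] takes precedence over the same setting in [main].

```python
import re

# Constructed sample files; hostnames are placeholders, not from the thread.
NEW_MASTER = """\
[main]
server = master-eu.example.com
[master]
certname = master-eu.example.com
"""
STALE_CLIENT = """\
[main]
server = master-us.example.com
"""
OVERRIDDEN_CLIENT = STALE_CLIENT + "[agent]\nserver = master-eu.example.com\n"

def parse_puppet_conf(text):
    """Parse puppet.conf-style text into {section: {setting: value}}."""
    sections, current = {}, "main"  # assumption: lines before any header count as [main]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections

def check_node(text, expected_server, is_master):
    """Return a list of problems for a node that should use expected_server."""
    conf = parse_puppet_conf(text)
    problems = []
    # Assumption: a value in [agent] overrides the same setting in [main].
    server = conf.get("agent", {}).get("server") or conf.get("main", {}).get("server")
    if server is None:
        problems.append("no server= in [main] or [agent]")
    elif server != expected_server:
        problems.append(f"agent points at {server}, expected {expected_server}")
    if is_master and "master" not in conf:
        problems.append("master node has no [master] section")
    return problems

if __name__ == "__main__":
    for name in ("NEW_MASTER", "STALE_CLIENT", "OVERRIDDEN_CLIENT"):
        print(name, check_node(globals()[name], "master-eu.example.com", name == "NEW_MASTER"))
```

Running a check like this before the first agent run against the new master catches a client that would still request its certificate from the old one.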

answered 2013-05-07 18:35:22 -0600

updated 2013-05-07 19:12:03 -0600

llowder

Separate the master(s) from the CA? I.e., have a dedicated CA (just taking care of the signing).

See also the Centralize the Certificate Authority documentation.

That way the puppet master class should be sufficient to get a master running, close nodes can use automatically on their next puppet run.

