ReleaseEngineering/PuppetAgain/HowTo/Remove a Puppetmaster
From MozillaWiki
To retire a puppetmaster from the cluster, you will need to:
- make sure hosts don't use it as a server anymore:
  - remove it from $puppet_servers in the org config
  - change any 'puppet' or 'repos' CNAMEs pointing to the server so that they point to another master
  - while you're there, remove the node definition for the host, as well as any entries for it in `modules/ssh/templates/known_hosts.erb`
  - if you're using multiple A records to achieve redundancy for apt, remove the server's address from that list
- for any active hosts which have certificates signed by the server's CA cert, re-issue a certificate from a different master:
  - look for in-use hosts under /var/lib/puppetmaster/ssl/git/agent-certs/$master
  - on each such host, run PUPPET_SERVER=$some_other_master ./puppetize.sh
  - on a host, you can verify which master issued its certificate with openssl x509 -in /var/lib/puppet/ssl/certs/$(facter fqdn).pem -noout -text | grep Issuer
- shut down the master
- revoke the server's CA certificate with the root certificate and regenerate the root CRL
- update the certs in git:
  - remove the server's CA cert and CRL from /var/lib/puppetmaster/ssl/git/ca-certs
  - update the root certificate's CRL in /var/lib/puppetmaster/ssl/git/ca-certs/root.crl
  - remove any now-dangling links in /var/lib/puppetmaster/ssl/git/certdir
  - remove the directories for the deleted server under agent-certs and revocation-requests
  - commit these changes *as puppetsync, not root*; the commit will be distributed to the other masters in due time
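The following shell helpers are an added example for this page, not PuppetAgain's own tooling. They cover the two mechanical parts of the procedure above: finding agents whose certificate really was issued by the retiring master (checked by issuer CN against the git copies on a master, rather than on each agent) and the file removals under the git tree. Assumptions not taken from the page: the git checkout lives at $PUPPET_SSL_GIT (defaulting to /var/lib/puppetmaster/ssl/git), agent certificates are filed as agent-certs/$master/$hostname.pem, each master's CA certificate carries the master's FQDN as its CN, the master's own CA cert and CRL are the files matching ca-certs/$master.*, and puppetize.sh sits in root's home on each agent. Revoking the CA cert, regenerating root.crl and the puppetsync commit are deliberately left to the operator.

```shell
#!/bin/sh
# Added example for the "Remove a Puppetmaster" wiki page; not PuppetAgain code.
# Assumptions (not from the page): see the lead-in above. Check the real file
# names in your tree before relying on the ca-certs/$master.* glob.
set -u

PUPPET_SSL_GIT=${PUPPET_SSL_GIT:-/var/lib/puppetmaster/ssl/git}

# cert_issuer_cn FILE: print the issuer CN of a PEM certificate.
# sep_multiline puts each RDN on its own line, so the CN can be picked out
# without caring how this OpenSSL version formats the one-line issuer string.
cert_issuer_cn() {
    openssl x509 -in "$1" -noout -issuer -nameopt sep_multiline \
        | sed -n 's/^[[:space:]]*CN=//p' | head -n 1
}

# hosts_still_on_master MASTER: hostnames whose certificate under
# agent-certs/$MASTER was actually issued by $MASTER's CA. A stale copy
# that was signed by some other master is not reported.
hosts_still_on_master() {
    master=$1
    dir="$PUPPET_SSL_GIT/agent-certs/$master"
    [ -d "$dir" ] || return 0
    for pem in "$dir"/*.pem; do
        [ -e "$pem" ] || continue
        if [ "$(cert_issuer_cn "$pem")" = "$master" ]; then
            basename "$pem" .pem
        fi
    done
}

# repuppetize_commands OLD_MASTER NEW_MASTER: print (do not run) the
# per-host command from the wiki for re-issuing certificates from NEW_MASTER.
# The ./puppetize.sh location is the page's own wording, assumed to be
# relative to root's home on the agent.
repuppetize_commands() {
    hosts_still_on_master "$1" | while read -r host; do
        printf 'ssh root@%s "PUPPET_SERVER=%s ./puppetize.sh"\n' "$host" "$2"
    done
}

# dangling_links DIR: symlinks under DIR whose target no longer exists.
# With -L, find reports a symlink as type l only when it cannot be followed.
dangling_links() {
    find -L "$1" -type l 2>/dev/null
}

# remove_master_from_git_tree MASTER: the file-removal half of the wiki's
# "update the certs in git" step. Removes the master's agent-certs and
# revocation-requests directories and its ca-certs/$MASTER.* files (assumed
# naming), then prunes links in certdir that those removals left dangling.
remove_master_from_git_tree() {
    master=$1
    rm -rf "$PUPPET_SSL_GIT/agent-certs/$master" \
           "$PUPPET_SSL_GIT/revocation-requests/$master"
    for f in "$PUPPET_SSL_GIT/ca-certs/$master".*; do
        [ -e "$f" ] && rm -f "$f"
    done
    dangling_links "$PUPPET_SSL_GIT/certdir" | while read -r link; do
        rm -f "$link"
    done
    echo "remaining: revoke $master's CA cert with the root cert, refresh ca-certs/root.crl," >&2
    echo "then commit as puppetsync (not root)" >&2
}

# Example run (names are illustrative):
#   repuppetize_commands puppet1.example.com puppet2.example.com
#   remove_master_from_git_tree puppet1.example.com
```

Run the audit before shutting the master down and again after the agents have been re-puppetized: once hosts_still_on_master prints nothing for the retiring master, it is safe to revoke its CA certificate, because no live agent will be presenting a certificate chained to it.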