On Sat, Mar 6, 2021 at 3:18 AM Bart-Jan Vrielink <[email protected]> wrote:
> /etc/puppetlabs/puppetserver/ca is not a volume listed in the
> docker-compose file. Unless that directory is symlinked to somewhere under
> /etc/puppetlabs/puppet/, that directory would get lost whenever the
> container gets updated. Not a good thing for certificates...
>

Yeah, that sounds terrible.... I took that to the team that owns our docker
images. They seemed swamped but suggested a path forward, so I gave it a shot
in this PR: https://github.com/puppetlabs/puppetserver/pull/2505. Feel free to
contribute to the approach there if you want, otherwise I'll reply to this
thread when it's sorted out.

> -----Original message-----
> *From:* Justin Stoller <[email protected]>
> *Sent:* Friday 5th March 2021 20:35
> *To:* [email protected]
> *Subject:* Re: [Puppet Users] Puppetserver ca migrate
>
> On Thu, Mar 4, 2021 at 11:44 PM Bart-Jan Vrielink <[email protected]>
> wrote:
>
>> Hello,
>>
>> It would be nice if Puppet's Pupperware is also updated for this new CA
>> location...
>>
>
> Is it not? I don't actually work on that team, but I pulled the latest
> puppet/puppetserver image and saw this in the log:
>
> pupperware (master<>) :: docker run -it puppet/puppetserver
> Running /docker-entrypoint.d/10-analytics.sh
> (/docker-entrypoint.d/10-analytics.sh) Pupperware analytics disabled;
> skipping metric submission
> Running /docker-entrypoint.d/20-use-templates-initially.sh
> Upgrading /opt/puppetlabs/server/data/puppetserver/vendored-jruby-gems
> Running /docker-entrypoint.d/30-set-permissions.sh
> Running /docker-entrypoint.d/40-update-puppetdb-conf.sh
> Running /docker-entrypoint.d/50-set-certname.sh
> Running /docker-entrypoint.d/55-set-masterport.sh
> Running /docker-entrypoint.d/60-setup-autosign.sh
> Running /docker-entrypoint.d/70-set-dns-alt-names.sh
> Running /docker-entrypoint.d/80-ca.sh
> Generation succeeded. Find your files in /etc/puppetlabs/puppetserver/ca
> Running /docker-entrypoint.d/85-setup-storeconfigs.sh
> Running /docker-entrypoint.d/90-log-config.sh
> System configuration values:
> ....
>
> That "Generation succeeded. Find your files in
> /etc/puppetlabs/puppetserver/ca" line should be coming from the
> "puppetserver ca" cli generating the CA files in the new location....
>
>> -----Original message-----
>> *From:* Justin Stoller <[email protected]>
>> *Sent:* Thursday 4th March 2021 18:11
>> *To:* [email protected]
>> *Subject:* Re: [Puppet Users] Puppetserver ca migrate
>>
>> Hi!
>>
>> If you've mounted external volumes for your cadir like:
>>
>> --mount source=ca-volume,destination=/etc/puppetlabs/puppet/ssl/ca
>>
>> You should instead mount the destination as
>> /etc/puppetlabs/puppetserver/ca
>>
>> If you have a Dockerfile that pre-populates your cadir you'll need to
>> update your script to the destination above.
>>
>> Also, make sure your build process is running puppetserver ca setup as
>> part of the process (that should ensure new installs have the right
>> directory structure).
>>
>> If you're using this container as a lightweight vm and you've upgraded
>> your server inside it, you'll need to somehow override the entrypoint to be
>> a shell for you to work in (but you should look into using the container as
>> an ephemeral thing with persistent mounts to save data between containers).
>>
>> If you're using this in a dev setup and are fine with your certs not
>> persisting outside the life of the container you can effectively ignore the
>> warning for now (but hopefully one of the ideas above will help you find
>> the root cause of it).
>>
>> Also, you're the second person to mention having to pass the --config
>> flag. That should only be necessary if you have a custom puppet.conf for
>> some advanced purposes. I'm wondering if it was the help output to the CA
>> tool that led you in that direction? I could see the current text being
>> confusing, just wondering if we should change:
>>
>> > Use the currently configured puppet.conf file in your installation, or
>> > supply one using the `--config` flag.
>>
>> to something like
>>
>> > Uses the default puppet.conf in your installation, override by
>> > supplying the --config flag.
>>
>> ?
>>
>> Hope that helps,
>> Justin
>>
>> On Thu, Mar 4, 2021 at 8:05 AM Gwen Clayde <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I want to solve this issue "The cadir is currently configured to be
>>> inside the /etc/puppetlabs/puppet/ssl directory"
>>>
>>> The first step is:
>>> puppetserver ca migrate --config
>>>
>>> After this, I got this message: "Puppetserver service is running.
>>> Please stop it before attempting to run this command"
>>>
>>> I use puppet inside a docker container; if I stop it, I couldn't
>>> execute the command of the first step.
>>>
>>> Is there another way to solve this problem?
>>>
>>> Thanks.
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Puppet Users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/puppet-users/CACWwVtOMfy16NxMxZtNqLV1VR-ei6DaEihzF11M1v3ut9VbSJA%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqX8cJFdMhd-Y4sNmjgMEgqJFTQmA4PA2_UP1B2ywti4Nw%40mail.gmail.com.
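As an added example (not code from the thread or from the puppetserver project), a POSIX shell check for the persistence gap Bart-Jan raises: it reports whether a docker-compose file mounts a volume at the post-migration cadir, only at its pre-migration location, or at neither. It assumes the one-line `name:/target[:opts]` volume syntax and takes the compose file path as its argument; the compose fragment in `demo` is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the puppetserver project): report whether a
# docker-compose file persists the Puppet Server CA directory across container
# replacement. Assumes the short one-line volume syntax ("- name:/target[:opts]").
CA_NEW=/etc/puppetlabs/puppetserver/ca     # cadir after `puppetserver ca migrate`
CA_OLD=/etc/puppetlabs/puppet/ssl/ca       # pre-migration cadir

# mounts_dir FILE DIR: succeed if FILE mounts a volume at DIR or at any ancestor
# of DIR (a volume at /etc/puppetlabs/puppetserver also keeps the CA safe).
mounts_dir() {
  d=$2
  while [ "$d" != "/" ]; do
    grep -Eq ":${d}/?(:|[[:space:]]|$)" "$1" && return 0
    d=$(dirname "$d")
  done
  return 1
}

# check_cadir_volume FILE: exit status 0 = new cadir persisted,
# 1 = only the old cadir is persisted (migration output would not be kept),
# 2 = neither is persisted (the CA is lost when the container is replaced).
check_cadir_volume() {
  if mounts_dir "$1" "$CA_NEW"; then
    echo "ok: $CA_NEW is backed by a volume"; return 0
  elif mounts_dir "$1" "$CA_OLD"; then
    echo "warn: volume still targets pre-migration cadir $CA_OLD"; return 1
  else
    echo "warn: no volume for $CA_NEW; certificates vanish with the container"; return 2
  fi
}

# Demo on a constructed compose fragment that persists only the old puppet confdir.
demo() {
  f=$(mktemp)
  printf 'services:\n  puppet:\n    volumes:\n      - puppetserver-config:/etc/puppetlabs/puppet/\n' > "$f"
  check_cadir_volume "$f" || :
  rm -f "$f"
}
demo
```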
