
Pulling Strings With Puppet - James Turnbull [16]

The (noop) at the end of the message indicates that no change has been made.

The --disable and --enable options allow you to turn on and off the Puppet client. The --disable option sets a lock file that prevents the Puppet client from running. The same lock file is set by the Puppet client when running as a daemon to prevent the client from running twice. The --enable option removes the lock file and allows the client to run again on its normal schedule, by default checking half-hourly.

The --test option applies a number of common testing options, including verbose logging, running in the foreground, and exiting after running the configuration once (the --onetime option). The --debug and --verbose options enable debug and verbose output from the daemon, and the --logdest option allows you to specify where log data will be output: console, file, or syslog. The option defaults to syslog output. The last two options, --help and --version, print the help text and the version information, respectively.

There are also some options that you can specify in the configuration file to configure the puppetd daemon. You can see some of the available options in Table 2-12.

The server option is the configuration file equivalent of the command-line --server option and allows you to specify the Puppet master server to connect to; it defaults to puppet. The runinterval option controls how often configuration is applied to the Puppet node. It is from this option that Puppet gets the default half-hourly application of configuration. The option is in seconds and defaults to 1800 seconds.

The puppetdlockfile option specifies the location of the lock file used by the --disable option to control the running of the Puppet client. The option defaults to $statedir/puppetdlock. The puppetdport option controls what port the client daemon binds to; by default this is 8139.

Configuring puppetca

The puppetca binary controls and interacts with the built-in Certificate Authority of puppetmasterd. Its principal use, if you don't enable automatic signing of certificates (which is turned off by default), is to sign incoming requests from Puppet clients and so authenticate new nodes.

Caution - As discussed, autosigning of certificates is dangerous, as anyone who can reach your Puppet master can authenticate to it. If you want to autosign certificates, use per-host authentication to authenticate only those hosts you identify. See http://www.reductivelabs.com/trac/puppet/wiki/CertificatesAndSecurity for more details.
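To make the caution concrete, here is an added puppet.conf fragment (not from the book) showing the open autosign setting beside the per-host form it recommends, together with the puppetd options described above; the autosign.conf path, server name, and hostnames are assumptions.

```ini
# puppet.conf (added example, not from the book)

[puppetmasterd]
# Weak: signs every request that arrives, so any host that can reach the
# master becomes a trusted node without an operator ever seeing it.
#autosign = true

# Safer: sign automatically only for hosts listed in this file (path is an
# assumption); everything else waits for a manual `puppetca --sign`.
autosign = /etc/puppet/autosign.conf

[puppetd]
# Equivalent of --server; which master this client talks to (assumed name).
server = puppet.example.com
# How often configuration is applied, in seconds (1800 = the half-hourly default).
runinterval = 1800

# /etc/puppet/autosign.conf (constructed sample): one hostname or glob per line.
# web01.example.com
# *.build.example.com
```

Requests from hosts outside the list still show up under `puppetca --list` and are signed, or refused, by hand.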

We've already seen puppetca's primary function when we connected our first node to Puppet, listing and signing the certificate requests of new nodes using the --list and --sign options.

You can specify more than one node on the command line, and you can also sign all outstanding certificate requests by specifying the all keyword like so:

You can also see some other useful command-line flags in Table 2-13.

The --revoke option revokes a client's certificate. You can specify a decimal number, the certificate's hexadecimal code, or the hostname of the client node. The certificate is added to Puppet's Certificate Revocation List (CRL). You can specify the CRL using the cacrl option in the puppetmasterd namespace. The master daemon needs to be restarted to update the CRL with the revoked certificate.

The --clean option removes all files related to a particular node from the Puppet Certificate Authority. The option is most useful for rebuilding nodes. It removes traces of the old certificate and allows you to submit a new certificate signing request from the client.

The --generate option generates a certificate and key pair for the node or nodes specified on the command line.

You can also control a variety of certificate and SSL-related configuration options such as the key, the naming and location of certificates on both the master and the node, and a variety of other options. You can see these options at http://www.reductivelabs.com/trac/puppet/wiki/ConfigurationReference.

Tip - In the future, you may also be able
