The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

Feature #15740

Add answer-file only option for specifying Console and Puppet master IP address to use.

Added by Eli Stair over 1 year ago. Updated over 1 year ago.

Status: Investigating
Start date: 07/30/2012
Priority: Normal
Due date:
Assignee: Moses Mendoza
% Done: 0%
Category: -
Target version: -
Keywords:
Affected URL:
Branch:
Affected PE version:


Description

The only configuration that can be derived from running ‘puppet-enterprise-installer’ is one in which 443/tcp, or the value specified for ‘q_puppet_enterpriseconsole_httpd_port’, is used to listen on for ALL IP addresses in the system. This is unviable for installation (and would seem to be unsafe to change, and be clobbered during an upgrade) where PE is installed on a system with any other services. This is immediately an issue with the Apache config embedded, but additionally prevents assignment on any specific interfaces within the running system.

In my case, I have a multi-purpose monitoring/automation system at each site which runs a number of services which must coexist (if the services are to be used). Currently I’ve noticed that the first problem is that the Apache config for the puppet dashboard clobbers all IP addresses (‘Listen’ and ‘VirtualHost’ directives without a bounding IP address before the colon), but this same issue would similarly prevent us from running the PE stack on a physical interface or alias, both in use within our company.

This can be easily rectified by adding a configurable-prompt to specify a specific IP to bind to (for all services), which would impact both the Apache configuration, as well as all other services which are installed to complete the PE stack. The immediate example is where the dashboard file gets configured thusly:

# (output) FILE: /etc/puppetlabs/httpd/conf.d/puppetdashboard.conf
Listen 1443
<VirtualHost *:1443>


# (input) FILE: erb/puppetdashboard.conf.erb
<%# Answer Variable => Ruby Variable Translation -%>
<%
@console_port = ENV["q_puppet_enterpriseconsole_httpd_port"]
@console_host = (ENV["t_puppet_enterpriseconsole_httpd_vhost"].nil? ? "*" : ENV["t_puppet_enterpriseconsole_httpd_vhost"])
-%>
Listen <%= @console_port -%>
<VirtualHost <%= @console_host -%>:<%= @console_port -%>>

The value of the port defaults to 443, unless specified as ‘q_puppet_enterpriseconsole_httpd_port’ and ‘q_puppet_enterpriseconsole_httpd_port’ in an answer file, around line 2727 in ‘puppet-enterprise-installer’. If you add another value like ‘q_puppet_enterpriseconsole_bind_address’ and add a default value for your ERB building of the templates, we would end up with an install which can be safely used alongside other services, and on systems where “all” is not a safe or valid address to use for any of the services.
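The bind-address option requested above, sketched as an added example that is not part of the original ticket or of the PE installer: the answer value is validated as a literal IP before it is rendered into both the `Listen` and `VirtualHost` directives. The variable `q_puppet_enterpriseconsole_bind_address` is the name suggested in the ticket and is hypothetical, as are the helper names `normalize_bind_address` and `render_console_vhost`.

```ruby
require "erb"
require "ipaddr"

PORT_VAR = "q_puppet_enterpriseconsole_httpd_port"
# Hypothetical answer variable: the name the ticket suggests, not an existing option.
BIND_VAR = "q_puppet_enterpriseconsole_bind_address"

# Both directives carry the address, so Apache never opens a wildcard socket.
TEMPLATE = <<~'ERB_SRC'
  Listen <%= listen_spec %>
  <VirtualHost <%= vhost_spec %>>
ERB_SRC

# Accept only a literal IPv4/IPv6 address: hostnames, prefixes and embedded
# newlines from the answer file must never reach the Apache config.
def normalize_bind_address(raw)
  return nil if raw.nil? || raw.strip.empty?
  text = raw.strip
  unless text.match?(/\A[0-9A-Fa-f:.]+\z/)
    raise ArgumentError, "bind address must be a literal IP: #{raw.inspect}"
  end
  ip = IPAddr.new(text)
  ip.ipv6? ? "[#{ip}]" : ip.to_s   # Apache wants IPv6 literals in brackets
rescue IPAddr::Error => e
  raise ArgumentError, "invalid bind address #{raw.inspect}: #{e.message}"
end

# env is ENV or any Hash of answer-file values.
def render_console_vhost(env)
  port = Integer(env.fetch(PORT_VAR, "443"), 10)
  raise ArgumentError, "port out of range: #{port}" unless (1..65_535).cover?(port)
  addr = normalize_bind_address(env[BIND_VAR])
  listen_spec = addr ? "#{addr}:#{port}" : port.to_s
  vhost_spec = "#{addr || '*'}:#{port}"
  ERB.new(TEMPLATE).result(binding)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample answers (192.0.2.10 is a documentation address).
  puts render_console_vhost({ PORT_VAR => "1443", BIND_VAR => "192.0.2.10" })
end
```

With the bind variable unset, the output matches the wildcard configuration shown in the ticket, so existing installs are unaffected.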

History

#1 Updated by Nigel Kersten over 1 year ago

Eli, would you be satisfied if we only supported this in the answer file, but didn’t support it as a question for the installer?

We’re trying to work out whether that’s a viable approach for people who need that extra level of customization, as we believe a significant subset of users don’t need to customize this, and we’re trying to provide a simple interactive install process.

#2 Updated by Eli Stair over 1 year ago

Yes that would be absolutely fine. I’d be perfectly happy without the installer script altogether if docs pointed at how to do an install without it :)

I definitely sympathize with the desire to keep the up-front prompting to a minimum, which should probably support the basics, and an extended set to allow use in more “robust” environments that requires RTFM by the user.

Cheers,

/eli

#3 Updated by Nigel Kersten over 1 year ago

  • Subject changed from Add new 'puppet-enterprise-installer' ERB option to support specifying IP address used for Puppet Enterprise services to Add answer-file only option for specifying Console and Puppet master IP address to use.
  • Status changed from Unreviewed to Needs More Information
  • Assignee set to Moses Mendoza
  • Priority changed from Urgent to Normal

Excellent, thanks for being understanding Eli.

Moses, this looks like it would be reasonably trivial to implement as an answer-file only option?

#4 Updated by Nigel Kersten over 1 year ago

Ah, an additional question… I assume you’d want this for the ActiveMQ setup as well for MCollective?

#5 Updated by Eli Stair over 1 year ago

I’m unfamiliar as yet with all the sub-components of the PE install, but this would need to apply to anything installed which sets up a socket listener, so as to allow full functionality on a designated IP/interface.

#6 Updated by Moses Mendoza over 1 year ago

I’m not certain of the scope of implementing this because the complexity increases with the number of services considered. I agree that honoring an answer value for the Console and Puppet Master listening addresses appears trivial – the erb files that lay down the configs for each are easy targets. I’m less familiar with the mechanisms that define network awareness for some of the other services. For example we don’t currently provide an interface for specifying the mcollective stomp listening port (hardcoded to 61613). That may turn into a bigger project. However, I’m glad to put the console/master on my list and go from there, if we deem that a sufficient starting point.

#7 Updated by Eli Stair over 1 year ago

That sounds like a great starting point. If I can get a viable installation that works, I can contribute back any necessary facilitating changes once I better understand how things operate and are laid-down at installation time.

#8 Updated by Moses Mendoza over 1 year ago

  • Status changed from Needs More Information to Investigating

Hi Eli,

Would being able to specify a hostname to listen on (that has already been tied to a different IP) be a suitable solution?

#9 Updated by Eli Stair over 1 year ago

I’m not sure I see how that would effectively allow solving the problem, since that would actually add complexity (requiring nsswitch resolution of hostname to an IP). Just specifying the IP address would seem to be the most direct route. I do see the correlation you may be getting at with the alternate-names specified for the CA functionality, but still think listen-by-IP is the only unambiguous way to do this.

Thanks,

/eli

From: “tickets@puppetlabs.com” <tickets@puppetlabs.com>
Date: Wednesday, August 15, 2012 11:57 AM
To: “nigel@puppetlabs.com” <nigel@puppetlabs.com>, “james@lovedthanlost.net” <james@lovedthanlost.net>, “ken@puppetlabs.com” <ken@puppetlabs.com>, “stahnma@puppetlabs.com” <stahnma@puppetlabs.com>, “adrien@puppetlabs.com” <adrien@puppetlabs.com>, “matthaus@puppetlabs.com” <matthaus@puppetlabs.com>, “f.meester@amaziqsource.com” <f.meester@amaziqsource.com>, “moses@puppetlabs.com” <moses@puppetlabs.com>, Eli Stair <eli.stair@experticity.com>
Subject: [Puppet Enterprise (Public) – Feature #15740] (Investigating) Add answer-file only option for specifying Console and Puppet master IP address to use.

Issue #15740 has been updated by Moses Mendoza.
