4.11.11. HOWTO Change Puppet Masters
To point an agent to a new Puppet master, follow the steps in the sections below.
Note
All commands in this section should be run as the root user.
4.11.11.1. On the Old Puppet Master
The following procedures will archive the agent’s artifacts from all environments, copy them to the new Puppet master, and clean out the agent’s Hiera data.
4.11.11.1.1. Archive the agent’s artifacts from all environments
1. Archive the agent’s artifacts from all SIMP Secondary Environments:
find /var/simp/environments -name "*<agent-fqdn>*" -exec tar --selinux --xattrs -rpvf <agent-hostname>_transfer.tar {} \;
2. Archive the agent’s data from all SIMP Writable Environments:
find `puppet config --section master print vardir`/simp -name "*<agent-fqdn>*" -exec tar --selinux --xattrs -rpvf <agent-hostname>_transfer.tar {} \;
3. Archive the agent’s Hiera data from all Puppet Environments:
Warning
If you deploy your agents’ Hiera data from a Control Repository on the new Puppet master, ensure the agent’s Hiera data is in the relevant branches and skip this step.
find /etc/puppetlabs/code/environments/*/{data,hieradata} -name "<agent-hostname>.yaml" -exec tar --selinux --xattrs -rpvf <agent-hostname>_transfer.tar {} \;
find /etc/puppetlabs/code/environments/*/{data,hieradata} -name "<agent-fqdn>.yaml" -exec tar --selinux --xattrs -rpvf <agent-hostname>_transfer.tar {} \;
4. Copy <agent-hostname>_transfer.tar to the new Puppet master.
4.11.11.1.2. Remove agent-specific Hiera data from all environments
Warning
Skip this section if you deploy your agents’ Hiera data from a Control Repository.
- Remove agent-specific Hiera data from all environments:
find /etc/puppetlabs/code/environments -name "<agent-fqdn>.yaml" -delete
Note
You may have Hiera YAML files with the short name of the host still in place, but those are too dangerous to automatically delete since they may match multiple hosts.
- Reload the puppetserver process after removing the agent’s Hiera data:
puppetserver reload
4.11.11.2. On the New Puppet Master
Warning
This assumes that the new Puppet master is set up identically to the old Puppet master. If it isn’t, you will need to verify that the artifacts in the tar file are correctly placed.
- Unpack the <agent-hostname>_transfer.tar archive onto the system:
tar --selinux --xattrs -C / -xvf <agent-hostname>_transfer.tar
- Reload the puppetserver process:
puppetserver reload
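Because the unpack step in this section extracts as root with -C /, it is worth vetting the archive's member list first. The following is an added example, not part of the SIMP documentation: the function name, the sample listing, the agent names and the vardir value (/opt/puppetlabs/server/data/puppetserver) are assumptions, so substitute the output of puppet config --section master print vardir on your system.

```shell
#!/bin/sh
# Added example: vet the member list of <agent-hostname>_transfer.tar before
# it is extracted as root with `tar -C / -x`.
# Real use: tar -tf <archive> | check_transfer_members <fqdn> <hostname> <vardir>
check_transfer_members() {
  fqdn=$1
  host=$2
  vardir=${3#/}   # tar stores member names without the leading "/"
  bad=0
  while IFS= read -r m; do
    [ -n "$m" ] || continue
    base=${m##*/}
    case "$m" in
      /*|../*|*/../*|*/..)
        echo "REJECT (absolute path or ..): $m"; bad=1 ;;
      var/simp/environments/*"$fqdn"*|"$vardir"/simp/*"$fqdn"*)
        ;;  # SIMP secondary / writable environment artifacts for this agent
      etc/puppetlabs/code/environments/*/data/*|etc/puppetlabs/code/environments/*/hieradata/*)
        # Only the agent's own Hiera files should have been archived
        if [ "$base" != "$fqdn.yaml" ] && [ "$base" != "$host.yaml" ]; then
          echo "REJECT (not this agent's Hiera file): $m"; bad=1
        fi ;;
      *)
        echo "REJECT (outside expected trees): $m"; bad=1 ;;
    esac
  done
  return "$bad"
}

# Constructed listing for illustration; paths and names are assumptions.
sample_listing() {
  cat <<'EOF'
var/simp/environments/production/site_files/pki_files/files/keydist/agent1.example.com/
opt/puppetlabs/server/data/puppetserver/simp/environments/production/simp_autofiles/agent1.example.com.txt
etc/puppetlabs/code/environments/production/data/hosts/agent1.example.com.yaml
etc/puppetlabs/code/environments/production/data/default.yaml
etc/cron.d/extra
EOF
}

# The last two members are flagged, so the archive should not be unpacked.
sample_listing | check_transfer_members agent1.example.com agent1 \
  /opt/puppetlabs/server/data/puppetserver || echo "do not unpack this archive"
```

A non-zero return means at least one member would land outside the trees this procedure archives, or is a Hiera file for a different host.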
4.11.11.3. On The Agent
Important
Make sure you are running these commands on the agent. If you run them on the server, there is a very high risk they will make your Puppet infrastructure inoperable.
4.11.11.3.1. Remove the Agent Puppet Certificates
To remove all legacy SSL files, run:
rm -rf `puppet config --section agent print ssldir`
4.11.11.3.2. Update the Puppet Config
Update /etc/puppetlabs/puppet/puppet.conf with the following changes:
server = new.puppet.master.fqdn
ca_server = new.puppet.master.fqdn
ca_port = 8141
4.11.11.3.3. Run Puppet
Assuming the new Puppet master has been set up to properly accept the agent, execute a full Puppet run using puppet agent --test.
On the Puppet master, you will need to sign the certificate for the new client using puppetserver ca sign --certname <new client name>.
If everything was done properly, the agent will now be synchronized with the new Puppet master.
If you find issues, refer to the Setting up the Client and Troubleshooting Puppet Issues sections of the documentation, and ensure that the new Puppet master CA is set up properly to trust the Puppet agent.