[nycbug-talk] Do you guys/gals _____ify your _____ boxes?

Matt Juszczak matt at atopia.net
Wed May 20 02:24:24 EDT 2009


> If you have a master puppet server, it makes sense that all the 
> configuration you do to the box is done via puppet.
>
> If your master puppet server dies, it will allow you to say this is the 
> new master puppet server and have the box back online in a matter of 
> minutes.

Perhaps I'm not far enough along in the puppet configuration, but all I'm 
using puppet for is to manage certain configuration files.  I'm still 
installing packages manually and setting up boxes manually.  Once the 
boxes are set up, I tell puppet to push config files to the boxes, such as 
/usr/local/etc, etc.  Still a tedious task to set up boxes, but once they 
are up, easily changeable.

> If someone changes something on your master puppet server, it's better to 
> have puppet discover and change it back and alert you instead of 
> discovering the change weeks later.

OK.  So puppetify the master puppet server.  That's fine.  But if you only 
have one or two people that have access to the puppet server, chances are 
it isn't going to have problems.

> As for LDAP, I prefer to configure every machine to first auth against 
> the primary ldap server, the slave ldap server and then files. You keep 
> root and system level accounts in /etc/passwd and user accounts are 
> stored in ldap. This allows you to login to the box if you break 
> something but keeps the auth subsystem of each server consistent.

I do this, too.  In fact, it's the same setup 100% that I'm using.  Are 
there people that don't keep root and system accounts in /etc/passwd? 
That's dumb in my opinion.

If I take the LDAP servers down, authentication still works, but I 
actually do files FIRST and then LDAP, since no accounts on the boxes 
exist in LDAP, and vice versa.

So you're saying if I'm using that setup, it's okay to do it to the LDAP 
boxes too?
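
An added example, not part of the original post: a small check that a box follows the layout described above (files consulted before LDAP, root kept in the local passwd file, no account defined in both places). The sample nsswitch.conf and passwd contents and the LDAP user names are constructed for illustration, and the use of nsswitch.conf with `files` and `ldap` source names is an assumption about how the boxes are configured.

```python
import re

# Constructed sample inputs (not from the thread).
NSSWITCH = """\
passwd: files [NOTFOUND=continue] ldap   # local accounts first
group:  files ldap
hosts:  files dns
"""
PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
"""
LDAP_USERS = {"alice", "bob"}  # hypothetical directory accounts


def lookup_order(nsswitch_text, database):
    """Ordered sources for one database, ignoring comments and [criteria]."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0]
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            return re.sub(r"\[[^\]]*\]", " ", rest).split()
    return []


def local_accounts(passwd_text):
    """Login names defined in a passwd-format file."""
    return {l.split(":", 1)[0] for l in passwd_text.splitlines()
            if l.strip() and not l.startswith("#")}


def audit(nsswitch_text, passwd_text, ldap_users, required=("root",)):
    """Return a list of deviations from the files-then-LDAP layout."""
    findings = []
    for db in ("passwd", "group"):
        order = lookup_order(nsswitch_text, db)
        if "files" not in order:
            findings.append(f"{db}: 'files' is not a source")
        elif "ldap" in order and order.index("ldap") < order.index("files"):
            findings.append(f"{db}: ldap is consulted before files")
    local = local_accounts(passwd_text)
    for user in required:
        if user not in local:
            findings.append(f"{user}: not defined in the local passwd file")
    for user in sorted(local & set(ldap_users)):
        findings.append(f"{user}: defined both locally and in LDAP")
    return findings


if __name__ == "__main__":
    print(audit(NSSWITCH, PASSWD, LDAP_USERS) or "layout matches")
```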


