Puppet – Node Name Dependent on Reverse DNS

puppet

I seem to be running into a little bit of a problem understanding how to get this to work. I have a new server I'm building sitting behind the office NAT at work, its reverse dns maps to office.mydomain.com, but I want the machine to be ns2.mydomain.com for the sake of puppet.

nodes.pp snippet:

node 'ns2.mydomain.com' inherits basenode {
  info('ns2.mydomain.com')
}

node 'office.mydomain.com' inherits basenode {
  info('office.mydomain.com')
}

And my 'puppet.conf' on the client:

[main]
#was node_name=ns2.mydomain.com
#was fqdn=ns2.mydomain.com
certname=ns2.mydomain.com
node_name=cert

My syslog on the server reports:

Sep 16 22:59:12 support puppetmasterd[2800]: Host is missing hostname and/or domain: office.mydomain.com
Sep 16 22:59:12 support puppetmasterd[2800]: (Scope(Node[office.mydomain.com])) office.mydomain.com
Sep 16 22:59:12 support puppetmasterd[2800]: Compiled catalog for office.mydomain.com in 0.03 seconds
Sep 16 22:59:12 support puppetmasterd[2800]: Caching catalog for ns2.mydomain.com

How can I make it grab the config for ns2.mydomain.com without doing something like this:

node 'ns2.mydomain.com' inherits basenode {
  info('ns2.mydomain.com')
}

node 'office.mydomain.com' inherits 'ns2.mydomain.com' {
  info('office.mydomain.com')
}

UPDATE: This problem seems to be causing other issues as well. For instance if I info("$fqdn") while the machine is sitting behind office.mydomain.com the fqdn fact is empty, as well as the $operatingsystem. Its almost like the facts aren't being discovered properly. Is there perhaps a NAT issue? Are there any suggestions for tracking down this cause of this problem?

Best Answer

Aaah, Puppet hostname detection. What a nightmare...

By default, what name will be used to find which node definition to use is based on the contents of the fqdn fact. What that actually maps to is dependent on a few different things, and yes, reverse DNS is one of them -- and it's preferred over the machine's own hostname!

However, this name (usually) only applies at certificate generation time. You're actually misusing the node_name variable -- it should be set to one of 'cert' or 'facter'. The fqdn parameter is also deprecated.

What you actually want to do is set the certname parameter on the client to the node name you want to use, and then set node_name to cert (or just leave it out, since cert is the default). This will take the node name from the CN of the certificate that the client presents, and the certname parameter makes sure that's set to something reasonable rather than whatever facter decides to come up with on it's own. Unfortunately, since you've already got "wrong" certs created, you'll need to regenerate those certs (rm -rf /var/lib/puppet/ssl on the client and re-run Puppet) after you've setup the config, so that the right certs get created and used.

If this all sounds a little complicated, you're right -- it is. Welcome to Puppet.

Related Topic