Install this file as puppet_certificate_rebuild.rb
Edit the constants to reflect your environment
Install Capistrano with "gem install capistrano"
Run this with:
cap -f puppet_certificate_rebuild.rb -S master=fqdn_of_puppetmaster -S clients=fqdn1,fqdn2,fqdn3 rebuild_certs
If you want to run as a user other than yourself:
cap -f puppet_certificate_rebuild.rb -S user=root -S master=fqdn_of_puppetmaster -S clients=fqdn1,fqdn2,fqdn3 rebuild_certs
That's it.
I take no blame if this blows your world to pieces, but it works for us.
---- puppet_certificate_rebuild.rb
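# Site configuration for the certificate rebuild. Every value here ends up in a
# sudo command line on the master or the clients, so keep them under the same
# change control as the rest of your Puppet setup. The collections are frozen
# so a later edit cannot mutate a shared list by accident.

# Set this to true if you are autosigning your certificates
AUTOSIGN = false
# Set this to the commands you need to run to stop your puppetmasterd
PUPPETMASTERD_STOP = [
  "/etc/init.d/puppetmasterd stop",
  "/etc/init.d/mongrel-puppetmasterd stop",
].freeze
# Set this to the commands you need to start your puppetmasterd
PUPPETMASTERD_START = [
  "env SVWAIT=30 /etc/init.d/mongrel-puppetmasterd start",
  "env SVWAIT=30 /etc/init.d/puppetmasterd start",
].freeze
# Set this to the commands you need to stop puppetd on the clients
PUPPETD_STOP = [ "/etc/init.d/puppetd stop" ].freeze
# Set this to the commands you need to start puppetd on the clients
PUPPETD_START = [ "/etc/init.d/puppetd start" ].freeze
# Set this to the location of your puppet SSL directories
# (this whole tree is removed by rm_certs, so it must be the ssldir and nothing wider)
PUPPET_SSL_LOCATION = "/etc/puppet/ssl".freeze
# Set this to the URL of your iclassify server, if you have one
ICLASSIFY_SERVER = "https://iclassify.sfo.trusera.com".freeze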
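# Optional iClassify integration: the agent library is loaded from its install
# path and, when present, supplies the client list; otherwise the script falls
# back to an explicit comma-separated list of clients.
has_iclassify = false
begin
  require '/srv/icagent/lib/iclassify'
  has_iclassify = true
rescue LoadError
  # Only a missing library means "no iClassify". Any other error raised while
  # loading it (a broken install, a bad dependency) should surface rather than
  # being silently treated as "not installed".
end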
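# Allocate a pty for remote commands so sudo can prompt for a password.
default_run_options[:pty] = true

if has_iclassify
  # Client list comes from an iClassify search. QUERY, PASSWORD and IC_SERVER
  # may be supplied through the environment; anything missing is prompted for.
  set(:query, ENV["QUERY"]) if ENV.has_key?("QUERY")
  set(:query) do
    Capistrano::CLI.ui.ask "iClassify Query: "
  end unless exists?(:query)
  # A password passed in the environment is readable by other local processes
  # (process listings, /proc); the hidden prompt is the safer way to supply it.
  set(:password, ENV["PASSWORD"]) if ENV.has_key?("PASSWORD")
  set(:password) do
    Capistrano::CLI.password_prompt("iClassify Password: ")
  end unless exists?(:password)
  set(:ic_user, ENV["USER"]) unless exists?(:ic_user)
  if ENV.has_key?('IC_SERVER')
    set(:ic_server, ENV["IC_SERVER"])
  else
    set(:ic_server, ICLASSIFY_SERVER)
  end
  ic = IClassify::Client.new(ic_server, ic_user, password)
  ic_nodes = ic.search(query, [ 'fqdn' ])
  ic_nodes.each do |node|
    role :clients, node.attrib?('fqdn')
  end
else
  # No iClassify: take an explicit list from -S clients=a,b,c or a prompt.
  set(:clients) do
    Capistrano::CLI.ui.ask "Comma Seperated list of Clients to clean: "
  end unless exists?(:clients)
  # Tolerate "a, b" spacing and a stray trailing comma rather than registering
  # " b" or "" as a host.
  clients.split(",").each do |c|
    fqdn = c.strip
    role :clients, fqdn unless fqdn.empty?
  end
end

# State which system the Puppet Master is
set(:master) do
  Capistrano::CLI.ui.ask "Puppet Master FQDN:"
end unless exists?(:master)
role :master, master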
# Stop the puppetmaster (plain and mongrel-fronted) on the :master host.
task(:stop_puppetmasterd, :roles => :master) { run_command(PUPPETMASTERD_STOP) }
# Start the puppetmaster again on the :master host using the configured commands.
task(:start_puppetmasterd, :roles => :master) { run_command(PUPPETMASTERD_START) }
# Stop the puppet agent. No :roles is given, so this is not limited to :clients.
task(:stop_puppetd) { run_command(PUPPETD_STOP) }
# Start the puppet agent. No :roles is given, so this is not limited to :clients.
task(:start_puppetd) { run_command(PUPPETD_START) }
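# Remove the whole SSL tree (CA, host certs and keys) so everything is reissued.
# No :roles is given, so this runs wherever the other role-less tasks run.
# The path is checked first because "rm -rf" with an empty, relative or bare "/"
# value would be catastrophic and the constant is hand-edited per site.
task :rm_certs do
  unless PUPPET_SSL_LOCATION =~ %r{\A/[^/]+}
    raise ArgumentError, "PUPPET_SSL_LOCATION must be an absolute path below /, got #{PUPPET_SSL_LOCATION.inspect}"
  end
  sudo("rm -rf #{PUPPET_SSL_LOCATION}")
end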
# Oh, what a dirty, dirty thing this is.
# If you are running mongrel, though, your puppetmasterd will never re-generate your certs
# So this is going to do the right thing for you
# Please forgive me.
#
# Runs a standalone puppetmasterd just long enough for it to create a fresh CA,
# then kills it so the configured start commands can take over.
# NOTE(review): the 30 s wait is a fixed guess, not a check that the CA files
# exist; on a slow host the SIGKILL could land mid-generation — confirm for
# your environment.
task :generate_ca_cert, :roles => :master do
  sudo "puppetmasterd --daemonize"
  logger.info "Waiting 30 seconds for the Puppetmaster to start and generate CA"
  sleep(30)
  sudo "killall -9 puppetmasterd"
end
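# Run one puppetd pass on each client against the re-keyed master so every
# client submits a fresh CSR. Each client first sleeps a random 0-59 s so the
# master is not hit by all CSRs at once; the trailing "; exit 0" keeps a
# non-zero puppetd exit (expected while the cert is still unsigned) from
# aborting the whole Capistrano run.
task :generate_certs, :roles => :clients do
  # `master` is interpolated into a shell command line and comes from
  # -S master=... or an interactive prompt, so only hostname characters are
  # allowed through.
  unless master =~ /\A[A-Za-z0-9.-]+\z/
    raise ArgumentError, "master must be a bare hostname/FQDN, got #{master.inspect}"
  end
  run(%{ruby -e 'i = rand(60); puts "Sleeping " + i.to_s; sleep i'})
  sudo("sh -c 'puppetd --onetime --debug --ignorecache --no-daemonize --server #{master}; exit 0'")
end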
# Sign every CSR waiting on the master. Skipped when AUTOSIGN is on, since the
# master already signed the requests as they arrived.
# NOTE(review): "--sign --all" signs every pending request, not only those from
# hosts in the :clients role; anything that reached the master during the
# rebuild window is signed as well.
task :sign_all, :roles => :master do
  sudo "puppetca --sign --all" unless AUTOSIGN == true
end
# Full rebuild, in dependency order: stop the master and the agents, wipe the
# old SSL trees, let the master recreate its CA, bring the master back, have
# every client request a new cert, sign the pending requests, then restart the
# agents. The tasks declared without :roles (stop_puppetd, rm_certs,
# start_puppetd) presumably run on every configured host, master included,
# which is what resets the master's own SSL tree — confirm against your
# Capistrano version.
task :rebuild_certs do
logger.info("Stopping Puppetmasterd")
stop_puppetmasterd
logger.info("Stopping Puppetd")
stop_puppetd
logger.info("Removing Certificates")
rm_certs
logger.info("Regenerating CA Certificates")
generate_ca_cert
logger.info("Starting Puppetmasterd")
start_puppetmasterd
logger.info("Running puppetd to generate certificates")
generate_certs
# NOTE(review): sign_all uses "--sign --all", so any CSR that reached the master
# since rm_certs is signed here, not only those from the :clients list.
logger.info("Signing all waiting requests")
sign_all
logger.info("Starting Puppetd")
start_puppetd
logger.info("Certificates regenerated!")
end
# Runs each command of a configured command list under sudo on the current
# task's hosts, in list order.
#
# @param const [Array<String>] shell commands to execute
# @return [Array<String>] the list itself (the result of Enumerable#each)
def run_command(const)
  const.each { |cmd| sudo(cmd) }
end