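# Install this file as puppet_certificate_rebuild.rb
# Edit the constants to reflect your environment
# Install Capistrano with "gem install capistrano"
# Run this with:
#   cap -f puppet_certificate_rebuild.rb -S master=fqdn_of_puppetmaster -S clients=fqdn1,fqdn2,fqdn3 rebuild_certs
# If you want to run as a user other than yourself:
#   cap -f puppet_certificate_rebuild.rb -S user=root -S master=fqdn_of_puppetmaster -S clients=fqdn1,fqdn2,fqdn3 rebuild_certs
# That's it. I take no blame if this blows your world to pieces, but it works for us.
#
# ---- puppet_certificate_rebuild.rb

# Capistrano recipe that wipes the Puppet SSL directories on the master and on
# every client, regenerates the CA, and has each client request (and the master
# sign) a fresh certificate.  Every remote step runs under sudo, so review the
# constants below before invoking :rebuild_certs.

# Set this to true if you are autosigning your certificates
AUTOSIGN = false

# Set this to the commands you need to run to stop your puppetmasterd
PUPPETMASTERD_STOP = [
  "/etc/init.d/puppetmasterd stop",
  "/etc/init.d/mongrel-puppetmasterd stop",
]

# Set this to the commands you need to start your puppetmasterd
PUPPETMASTERD_START = [
  "env SVWAIT=30 /etc/init.d/mongrel-puppetmasterd start",
  "env SVWAIT=30 /etc/init.d/puppetmasterd start",
]

# Set this to the commands you need to stop puppetd on the clients
PUPPETD_STOP = [ "/etc/init.d/puppetd stop" ]

# Set this to the commands you need to start puppetd on the clients
PUPPETD_START = [ "/etc/init.d/puppetd start" ]

# Set this to the location of your puppet SSL directories
PUPPET_SSL_LOCATION = "/etc/puppet/ssl"

# Seconds to give a freshly started puppetmasterd to write out a new CA
CA_GENERATION_WAIT = 30

# Set this to the URL of your iclassify server, if you have one
ICLASSIFY_SERVER = "https://iclassify.sfo.trusera.com"

# The master FQDN is interpolated into a remote shell command line, so only
# names made of ordinary hostname characters are accepted.
HOSTNAME_PATTERN = /\A[A-Za-z0-9._-]+\z/

# A failed require raises LoadError, which is a ScriptError rather than a
# StandardError: a bare `rescue` does not catch it, so the recipe used to abort
# on any workstation without the iClassify agent instead of falling back to
# the comma-separated client list.
has_iclassify = begin
  require '/srv/icagent/lib/iclassify'
  true
rescue LoadError
  false
end

default_run_options[:pty] = true

if has_iclassify
  set(:query, ENV["QUERY"]) if ENV.has_key?("QUERY")
  set(:query) do
    Capistrano::CLI.ui.ask "iClassify Query: "
  end unless exists?(:query)
  # A password passed through the environment is readable by other processes
  # on this workstation; the interactive prompt avoids that.
  set(:password, ENV["PASSWORD"]) if ENV.has_key?("PASSWORD")
  set(:ic_user, ENV["USER"]) unless exists?(:ic_user)
  if ENV.has_key?('IC_SERVER')
    set(:ic_server, ENV["IC_SERVER"])
  else
    set(:ic_server, ICLASSIFY_SERVER)
  end
  ic = IClassify::Client.new(ic_server, ic_user, password)
  ic_nodes = ic.search(query, [ 'fqdn' ])
  ic_nodes.each do |node|
    role :clients, node.attrib?('fqdn')
  end
else
  set(:clients) do
    Capistrano::CLI.ui.ask "Comma Seperated list of Clients to clean: "
  end unless exists?(:clients)
  # Tolerate "a, b,c," style input: strip whitespace and drop empty entries so
  # no host named " b" or "" ends up in the role.
  clients.split(",").map { |c| c.strip }.reject { |c| c.empty? }.each do |c|
    role :clients, c
  end
end

# State which system the Puppet Master is
set(:master) do
  Capistrano::CLI.ui.ask "Puppet Master FQDN:"
end unless exists?(:master)
role :master, master

# Run each command in `commands` under sudo on the hosts of the current task.
def run_command(commands)
  commands.each { |cmd| sudo(cmd) }
end

task :stop_puppetmasterd, :roles => :master do
  run_command(PUPPETMASTERD_STOP)
end

task :start_puppetmasterd, :roles => :master do
  run_command(PUPPETMASTERD_START)
end

# No :roles restriction: puppetd is stopped and started on every host,
# the master included.
task :stop_puppetd do
  run_command(PUPPETD_STOP)
end

task :start_puppetd do
  run_command(PUPPETD_START)
end

# Removes the SSL directory on every host (master and clients).
task :rm_certs do
  # Guard the rm -rf: an empty, relative or "/" location would wipe the host.
  unless PUPPET_SSL_LOCATION =~ %r{\A/[^/\s]}
    raise ArgumentError, "PUPPET_SSL_LOCATION must be an absolute path below /, got #{PUPPET_SSL_LOCATION.inspect}"
  end
  sudo("rm -rf #{PUPPET_SSL_LOCATION}")
end

# Oh, what a dirty, dirty thing this is.
# If you are running mongrel, though, your puppetmasterd will never re-generate your certs
# So this is going to do the right thing for you
# Please forgive me.
task :generate_ca_cert, :roles => :master do
  sudo("puppetmasterd --daemonize")
  logger.info("Waiting #{CA_GENERATION_WAIT} seconds for the Puppetmaster to start and generate CA")
  sleep CA_GENERATION_WAIT
  sudo("killall -9 puppetmasterd")
end

task :generate_certs, :roles => :clients do
  # master comes from -S, the prompt or iClassify and is spliced into a shell
  # command below; refuse anything that is not a plain hostname.
  unless master =~ HOSTNAME_PATTERN
    raise ArgumentError, "master must be a hostname, got #{master.inspect}"
  end
  # Random stagger so all clients do not hit the master at the same instant
  run(%{ruby -e 'i = rand(60); puts "Sleeping " + i.to_s; sleep i'})
  # The trailing "exit 0" masks puppetd's exit status on purpose: a non-zero
  # status from the one-off run would otherwise abort the whole rebuild.
  sudo("sh -c 'puppetd --onetime --debug --ignorecache --no-daemonize --server #{master}; exit 0'")
end

task :sign_all, :roles => :master do
  # --all signs every pending request on the master, including any that did
  # not come from the :clients list; review the pending list first if that
  # matters in your environment.
  sudo("puppetca --sign --all") unless AUTOSIGN
end

# Full rebuild, in order.  Each step is its own task so it can be re-run
# on its own if the sequence has to be resumed part-way.
task :rebuild_certs do
  logger.info("Stopping Puppetmasterd")
  stop_puppetmasterd
  logger.info("Stopping Puppetd")
  stop_puppetd
  logger.info("Removing Certificates")
  rm_certs
  logger.info("Regenerating CA Certificates")
  generate_ca_cert
  logger.info("Starting Puppetmasterd")
  start_puppetmasterd
  logger.info("Running puppetd to generate certificates")
  generate_certs
  logger.info("Signing all waiting requests")
  sign_all
  logger.info("Starting Puppetd")
  start_puppetd
  logger.info("Certificates regenerated!")
end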