At Mon, 8 Mar 2010 18:20:13 +1000,
Ashley Wright wrote:
>
> Hi,
>
> I am attempting to get Minion To Minion working on a small cluster. But
> am not having any luck. I did have it working once before, but then we
> rebuilt the machines and I forgot to save what I had done.
>
> I am not getting any errors just:
> [wright4@leo-boot func]$ func "*.portal" ping
> [ ok ... ] leo-d.portal
> [ ok ... ] leo-a.portal
> [ ok ... ] leo-e.portal
> [ ok ... ] leo-b.portal
> [ ok ... ] leo-c.portal
> [ ok ... ] leo-head.portal
>
> [root@leo-head func]# func "*.portal" ping
> [ FAILED ] leo-e.portal
> [ FAILED ] leo-a.portal
> [ FAILED ] leo-d.portal
> [ FAILED ] leo-head.portal
> [ FAILED ] leo-c.portal
> [ FAILED ] leo-b.portal
>
> leo-boot is my overlord, everything works fine from there. leo-head is
> one of my minions. All other nodes should have identical config.
>
> I have set (just lines I have changed):
> [wright4@leo-boot ~]$ cat /etc/certmaster/certmaster.conf
> autosign = yes
> sync_certs = True
> peering = False
>
> [root@leo-head ~]# cat /etc/certmaster/certmaster.conf
> sync_certs = False
> peering=True
>
> [root@leo-head ~]# cat /etc/func/minion.conf
> log_level = DEBUG
> acl_dir = /etc/func/minion-acl.d
>
> [root@leo-head ~]# cat /etc/func/minion-acl.d/portal.acl
> *.portal* = *
>
> [root@leo-head ~]# ls /var/lib/certmaster/peers/
> leo-a.portal.cert leo-b.portal.cert leo-d.portal.cert
> leo-head.portal.cert
> leo-boot.cert leo-c.portal.cert leo-e.portal.cert
>
>
> If anyone has any ideas, or information on where the func client logs (I
> can only find the funcd logs) I would appreciate it.
>
> Thanks,
> Ashley

More than likely the certmaster daemon has started itself on leo.head
and generated a CA. The minion-to-minion code will always use its local
CA certificate if it is present and will only fall back to using its
"peering" certificate (e.g. the certificate issued from the real
overlord) if the CA is missing. Seth's recent work to integrate puppet
certificates should also help with this; one can explicitly set which
certificate/key to use instead of relying on this logic.

In any case, if you have a directory /etc/pki/certmaster/ca/ on leo-head
that is a problem. You can safely remove it (and chkconfig certmaster
off so it doesn't come back) and hopefully everything will start working
again.

Let me know if that helps.

- John
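
A check for the condition John describes, written as an added example that is not part of the original thread and not func's own code. The function names, the `ROOT` prefix argument, the verdict words and the accepted truthy spellings of `peering` are assumptions; the paths and settings are the ones quoted in the thread.

```shell
#!/bin/sh
# Audit a func minion for a locally generated CA that would shadow the
# peering certificate issued by the real overlord.
# ROOT is a hypothetical filesystem prefix so the check can run against a
# mounted image or a test tree; pass "/" for the live host.

# Print the last value of KEY from a "key = value" style config file.
conf_value() {
    # $1 = file, $2 = key
    [ -f "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | tr -d '[:space:]'
}

# Echo one verdict word (names are this example's own):
#   stray-ca    CA directory exists on a minion with peering enabled
#   ca-present  CA directory exists, peering not enabled (e.g. the overlord)
#   ok          no local CA directory
check_minion_ca() {
    root=${1%/}
    ca_dir="$root/etc/pki/certmaster/ca"
    conf="$root/etc/certmaster/certmaster.conf"
    peering=$(conf_value "$conf" peering | tr 'A-Z' 'a-z')

    if [ -d "$ca_dir" ]; then
        case "$peering" in
            # Assumption: these spellings are treated as "enabled".
            true|yes|1) echo "stray-ca" ;;
            *)          echo "ca-present" ;;
        esac
    else
        echo "ok"
    fi
}

# Build a constructed sample tree mirroring leo-head's settings above.
make_sample() {
    # $1 = root, $2 = "with-ca" to create the CA directory
    mkdir -p "$1/etc/certmaster"
    printf 'sync_certs = False\npeering=True\n' \
        > "$1/etc/certmaster/certmaster.conf"
    if [ "$2" = "with-ca" ]; then mkdir -p "$1/etc/pki/certmaster/ca"; fi
}
```

Running `check_minion_ca /` on each minion and getting `stray-ca` points at the situation described in the reply.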