On Tue, 2010-03-09 at 00:16 +1000, John Eckersberg wrote:
> At Mon, 8 Mar 2010 18:20:13 +1000,
> Ashley Wright wrote:
> >
> > Hi,
> >
> > I am attempting to get Minion To Minion working on a small cluster. But
> > am not having any luck. I did have it working once before, but then we
> > rebuilt the machines and I forgot to save what I had done.
> >
> > I am not getting any errors just:
> > [wright4@leo-boot func]$ func "*.portal" ping
> > [ ok ... ] leo-d.portal
> > [ ok ... ] leo-a.portal
> > [ ok ... ] leo-e.portal
> > [ ok ... ] leo-b.portal
> > [ ok ... ] leo-c.portal
> > [ ok ... ] leo-head.portal
> >
> > [root@leo-head func]# func "*.portal" ping
> > [ FAILED ] leo-e.portal
> > [ FAILED ] leo-a.portal
> > [ FAILED ] leo-d.portal
> > [ FAILED ] leo-head.portal
> > [ FAILED ] leo-c.portal
> > [ FAILED ] leo-b.portal
> >
> > leo-boot is my overlord, everything works fine from there. leo-head is
> > one of my minions. All other nodes should have identical config.
> >
> > I have set (just lines I have changed):
> > [wright4@leo-boot ~]$ cat /etc/certmaster/certmaster.conf
> > autosign = yes
> > sync_certs = True
> > peering = False
> >
> > [root@leo-head ~]# cat /etc/certmaster/certmaster.conf
> > sync_certs = False
> > peering=True
> >
> > [root@leo-head ~]# cat /etc/func/minion.conf
> > log_level = DEBUG
> > acl_dir = /etc/func/minion-acl.d
> >
> > [root@leo-head ~]# cat /etc/func/minion-acl.d/portal.acl
> > *.portal* = *
> >
> > [root@leo-head ~]# ls /var/lib/certmaster/peers/
> > leo-a.portal.cert leo-b.portal.cert leo-d.portal.cert
> > leo-head.portal.cert
> > leo-boot.cert leo-c.portal.cert leo-e.portal.cert
> >
> >
> > If anyone has any ideas, or information on where the func client logs (I
> > can only find the funcd logs) I would appreciate it.
> >
> > Thanks,
> > Ashley
>
> More than likely the certmaster daemon has started itself on leo.head
> and generated a CA. The minion-to-minion code will always use its
> local CA certificate if it is present and will only fall back to using
> its "peering" certificate (e.g. the certificate issued from the real
> overlord) if the CA is missing. Seth's recent work to integrate
> puppet certificates should also help with this; one can explicitly set
> which certificate/key to use instead of relying on this logic.
>
> In any case, if you have a directory /etc/pki/certmaster/ca/ on
> leo-head that is a problem. You can safely remove it (and chkconfig
> certmaster off so it doesn't come back) and hopefully everything will
> start working again.
>
> Let me know if that helps.
>
> - John

Thanks John,

That was the problem, certmaster was auto starting on the minions, and
did have a ca cert. Thought it was something simple I had missed.

I chkconfig certmaster off, and rm /etc/pki/certmaster/ca, and it is
working again now.

Cheers,
Ashley

--
Ashley Wright
HPC and Research Support Group
Queensland University of Technology (QUT)
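
The condition diagnosed in this thread (a minion with `peering` enabled whose own `/etc/pki/certmaster/ca` directory shadows the overlord-issued certificate) can be checked read-only with the sketch below. It is an added example, not part of the original messages or of func/certmaster; the function names, the `M2M_ROOT` prefix variable and the accepted truthy spellings of `peering` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): read-only check for a stray certmaster
# CA on a func minion. The root prefix argument is hypothetical; it lets the
# check run against a test tree or mounted image ("" = live filesystem).

# Echo the value of "peering" from certmaster.conf, lowercased ("" if unset).
peering_setting() {
    conf="$1/etc/certmaster/certmaster.conf"
    [ -f "$conf" ] || return 0
    sed -n 's/^[[:space:]]*peering[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$conf" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# Which certificate minion-to-minion calls would use, per the logic described
# in the reply: the local CA if present, otherwise the peering certificate.
m2m_cert_source() {
    if [ -d "$1/etc/pki/certmaster/ca" ]; then
        echo local-ca
    else
        echo peering-cert
    fi
}

# Echo one verdict: "conflict" (peering enabled but a local CA shadows the
# overlord-issued certificate), "ok", or "not-peering".
check_minion() {
    root="${1:-}"
    case "$(peering_setting "$root")" in
        # The thread shows True/False; the other spellings are an assumption.
        true|yes|1|on) ;;
        *) echo not-peering; return 0 ;;
    esac
    if [ "$(m2m_cert_source "$root")" = local-ca ]; then
        echo conflict
    else
        echo ok
    fi
}

# Report on the live system (or on the tree named by M2M_ROOT, if set).
check_minion "${M2M_ROOT:-}"
```

A `conflict` verdict on a minion corresponds to the state fixed above by removing `/etc/pki/certmaster/ca` and running `chkconfig certmaster off`.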