AnsweredAssumed Answered

RSA 10.4- Puppet and NAT'ed IP..

Question asked by akK9JNBsR9GgjAuGPlN6hHzzwqL4VSJksLHcVvRlXPk= on Dec 29, 2014
Latest reply on Dec 29, 2014 by akK9JNBsR9GgjAuGPlN6hHzzwqL4VSJksLHcVvRlXPk=

Like • Show 0 Likes0
Comment • 3

Hi,

I have the following architecture (10.4.0.2 from 10.3.4):

One Security Analytics appliance
One hybrid appliance (log collector / decoder / concentrator)
One Remote Log collector VM) on a customer site
- Its IP is NAT'ed from the Security Analytics Appliance
- The IP of the Security Analytics appliance is NAT'ed from this Log collector

The provisioning of the Remote Log collector fails because the IP of the SA is not the NAT'ed IP in /etc/mcollective/server.cfg and this configuration file is always override by the puppet agent.

How override the sa_server value on the Security Analytics(Puppet Master) for this Log Collector ?

(I guess that's in the mongodb node definition..)

No one else has this question

Outcomes

3 Replies

Mudit Dec 29, 2014 9:30 AM
Mark Correct
Correct Answer
1: Manually change the IP address in csr_attributes.yaml file.
2: Change the value for sa server IP parameter to actual IP in following file on SA server:
/etc/puppet/modules/mcollective/templates/server.erb
change the value for plugin.rabbitmq.pool.1.host = <actual IP> instead of parameter and save the file.,
This is the file that gets deployed.
Now once you change this, actual SA IP that should be used will get deployed instead of NAT'ed IP.
Like • Show 0 Likes0
Actions
- akK9JNBsR9GgjAuGPlN6hHzzwqL4VSJksLHcVvRlXPk= @ Mudit on Dec 29, 2014 9:51 AM
  Mark Correct
  Correct Answer
  Hi Mudit Pandey,
  
  Thanks for the quick reply
  1: Manually change the IP address in csr_attributes.yaml file.
  Already done.
  2: Change the value for sa server IP parameter to actual IP in following file on SA server:
  /etc/puppet/modules/mcollective/templates/server.erb
  change the value for plugin.rabbitmq.pool.1.host = <actual IP> instead of parameter and save the file.,
  In my real production architecture, I have multiple Remote Log Collectors with different NAT and some Remote Log Collectors without NAT. So, this solution doesn't scale.
  
  I think it's better to override the value of sa_server in the "puppet way".
  
  According to the configuration of the puppet master in /etc/puppet/puppet.conf, nodes definition are store in the internal MongoDB(TokuMX) database.
  
  # mongo > use puppet > db.nodes.find({query:{node:"UUID"}}).pretty() { "_id" : ObjectId("ObjectID"), "node" : "", "classes" : { "base" : "" }, "enviroment" : "" }
  IMHO, I should add the value sa_server to the node configuration to override the global configuration. Something like this :
  >db.nodes.update( { {node:"UUID"} {"sa_server":"NAT'ed IP"} }) > db.nodes.find({query:{node:"UUID"}}).pretty() { "_id" : ObjectId("ObjectID"), "node" : "", "classes" : { "base" : "" }, "enviroment" : "", "sa_server":"NAT'ed IP" }
  
  Please advise
  Like • Show 0 Likes0
  Actions
  - akK9JNBsR9GgjAuGPlN6hHzzwqL4VSJksLHcVvRlXPk= @ akK9JNBsR9GgjAuGPlN6hHzzwqL4VSJksLHcVvRlXPk= on Dec 29, 2014 10:20 AM
    Mark Correct
    Correct Answer
    Hi Mudit Pandey,
    
    Another possibility: as the hostname puppetmaster.local defined in /etc/hosts always resolve to the good IP address, should I replace <%= @sa_server %> by puppetmaster.local in the following templates :
    
    /etc/puppet/modules/yumconfig/templates/rsa.erb
    /etc/puppet/modules/mcollective-client/templates/client.erb
    ?
    Like • Show 0 Likes0
    Actions

RSA 10.4- Puppet and NAT'ed IP..

Outcomes

Related Content

Recommended Content