Opened 6 months ago

Last modified 5 months ago

#29796 closed defect

synchronize puppet and LDAP hosts — at Initial Version

Reported by: anarcat Owned by: tpa
Priority: Medium Milestone:
Component: Internal Services/Tor Sysadmin Team Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


We have hosts that are in Puppet and not in LDAP and vice versa. Every host in LDAP should be in Puppet and vice versa.

This is the current diff:

$ diff puppet ldap 

That is, right now, we have the following hosts in LDAP but not in Puppet:


The following is in Puppet, but not LDAP:


The two lists (puppet and ldap) were obtained using the following commands:

ssh -t 'sudo -u postgres psql puppetdb -P pager=off -A -t -c "SELECT c.certname FROM certnames c WHERE c.deactivated IS NULL"' | tee puppet
tail -n +2 puppet | sort | sponge puppet
ssh 'ldapsearch -h -x -ZZ -b dc=torproject,dc=org -LLL "hostname=*" hostname | awk "\$1 == \"hostname:\" {print \$2}" | sort' > ldap

... as detailed in the new Puppet docs.

I'm not exactly sure how to resolve this. When weasel saw a previous version of this list, he said:

12:30:00 <weasel> from a quick glance, all but the arm hosts can go.
12:30:06 <weasel> best to double-check with ldap.
12:30:19 <weasel> if they are not in ldap, and they haven't done a puppet run in a while, they should be removed from puppet also.
12:30:45 <weasel> gillii and geyeri are the old CRM hosts.  I think linus wants to kill them soon but maybe keep them around (and offline) for now.

According to nagios, hyalinum has not checked into Puppet since 2018-02-12T08:53:13.339Z, over a month ago. So presumably that should be removed from puppet, and we should double-check the retirement procedure to see if it was completed correctly.

The hosts in LDAP and not in Puppet should probably be added to puppet, carefully (--noop is your friend) to see if it breaks anything.

In the future, we might want to add a Nagios check on the Puppet server to make sure this is synchronized.
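One way to implement such a check, as an added example that is not part of the ticket or of the Puppet docs: a Nagios-plugin-style shell script that takes the two list files produced by the commands above and reports hosts present in only one of them. The hostnames in the demo are constructed and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the ticket: a Nagios-plugin-style check that compares
# the "puppet" and "ldap" host lists produced by the commands above (one
# hostname per line, order irrelevant) and reports hosts present in only one.
# Exit status follows the Nagios plugin convention: 0 OK, 2 CRITICAL, 3 UNKNOWN.

# only_in A B: print hostnames listed in file A but not in file B.
# FILENAME is compared rather than NR==FNR so that an empty B still works.
only_in() {
    awk -v other="$2" '
        FILENAME == other { seen[$1] = 1; next }
        NF && !($1 in seen)' "$2" "$1"
}

# check_sync PUPPET LDAP: print one status line, return the plugin exit code.
check_sync() {
    puppet=$1
    ldap=$2
    if [ ! -r "$puppet" ] || [ ! -r "$ldap" ]; then
        echo "UNKNOWN - cannot read $puppet or $ldap"
        return 3
    fi
    not_in_ldap=$(only_in "$puppet" "$ldap" | tr '\n' ' ')
    not_in_puppet=$(only_in "$ldap" "$puppet" | tr '\n' ' ')
    if [ -z "$not_in_ldap" ] && [ -z "$not_in_puppet" ]; then
        echo "OK - puppet and ldap host lists match"
        return 0
    fi
    echo "CRITICAL - in puppet but not ldap: [${not_in_ldap% }]" \
         "in ldap but not puppet: [${not_in_puppet% }]"
    return 2
}

# Constructed sample lists (hypothetical hostnames, not the ticket's real diff).
demo() {
    dir=$(mktemp -d)
    printf '%s\n' host-a.example.org host-b.example.org host-c.example.org > "$dir/puppet"
    printf '%s\n' host-b.example.org host-d.example.org > "$dir/ldap"
    check_sync "$dir/puppet" "$dir/ldap"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}
demo || :   # non-zero here is the CRITICAL verdict, not a script error
```

Deployed as a Nagios check, the two list files would be regenerated by a cron job before each run so a host retired from one side shows up as CRITICAL on the next check.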
