----- "Michael DeHaan" <mich...@puppetlabs.com> wrote:

> Nice idea....I like that.
> 
> I had toyed with adding such an autosign-simulating feature to
> Cobbler that ohad mentioned (but different*), but I don't see how that
> provides any greater security, as once you have
> automated provisioning via TFTP (it's an open protocol by design),
> it's really a moot point to claim you're layering extra security on
> top.    Also Anaconda doesn't support
> access control around accessing kickstarts.
> 
> * = rather than enabling autosign, the system would note what hosts
> just started kickstart, and let cobblerd sign that specific host once
> it shows up in 'puppetca', polling periodically, until the host
> indicates it reaches 'kickstart done' status, or after 30 minutes, whichever
> is sooner.   That way there's no need to enable autosign, but it's
> effectively the same thing.    The system could also remove
> certificates for hosts that were being reinstalled if kicked off from a secure
> interface (can't really trust PXE and HTTP requests).

My machines install mcollective at install time with just a 'provisioning' 
agent.

I can then:

- discover machines ready for provisioning without first needing to put them in 
an inventory DB etc.
- revoke any old certs on CAs matching the new host
- install puppet, put it in the bootstrap environment
- trigger a puppet run that requests a cert
- go and sign the cert on whatever master has it; I have many masters, all more 
or less islands, and machines just talk to their nearest.
- do another puppet run till bootstrapping is done
- put the machine in the production environment, from where it will do normal 
puppet runs.

So I retain the security of not having autosign enabled and can easily drive a 
machine through the whole process on demand.

Easy to integrate into web UIs etc.


-- 
R.I.Pienaar
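The controller side of the flow in the reply above, as an added example (it is not the poster's mcollective agent and not Puppet or Cobbler code). The operator enrolls a host from a trusted interface, stale certs for that name are cleaned on every CA, and a poller then signs the CSR only on the master that actually holds it, only while the enrollment window is open; anything else that shows up in the pending list is left unsigned. The CA calls sit behind a small interface so the logic runs offline against fake masters: `FakeMaster`, `Bootstrapper`, the 30-minute window (taken from the quoted Cobbler proposal) and the hostnames are all assumptions for illustration; in a real deployment the fake would wrap `puppet cert clean`, `puppet cert list` and `puppet cert sign` on each master.

```ruby
require 'set'

# Stand-in for one master's CA (assumption: one CA per master, as in the post).
# A real implementation would shell out to `puppet cert` on that master.
class FakeMaster
  attr_reader :name, :pending, :signed

  def initialize(name, pending: [], signed: [])
    @name    = name
    @pending = Set.new(pending)   # outstanding CSRs, as `puppet cert list` shows them
    @signed  = Set.new(signed)    # already-signed certificates
  end

  def pending_requests
    @pending.to_a
  end

  # `puppet cert clean <host>`: drop any old cert or CSR with this name.
  def clean(host)
    @pending.delete(host)
    @signed.delete(host)
  end

  # `puppet cert sign <host>`: only valid if this master holds the CSR.
  def sign(host)
    raise "no CSR for #{host} on #{@name}" unless @pending.delete?(host)
    @signed << host
  end
end

class Bootstrapper
  WINDOW = 30 * 60   # seconds; the 30-minute cut-off from the quoted proposal

  def initialize(masters, clock: -> { Time.now.to_f })
    @masters  = masters
    @clock    = clock        # injectable so the window logic can be tested offline
    @enrolled = {}           # host => time the operator enrolled it
  end

  # Call this only from a trusted interface (operator shell, authenticated UI),
  # never from anything a PXE or plain-HTTP client can drive.
  def enroll(host)
    @masters.each { |m| m.clean(host) }   # revoke old certs matching the new host on every CA
    @enrolled[host] = @clock.call
  end

  # One polling pass over all masters. Returns [signed, rejected], each an
  # array of [master_name, host]. Rejected CSRs are simply left pending.
  def sign_pending
    now      = @clock.call
    signed   = []
    rejected = []
    @masters.each do |m|
      m.pending_requests.sort.each do |host|
        opened = @enrolled[host]
        if opened.nil? || now - opened >= WINDOW
          rejected << [m.name, host]     # not enrolled, or window expired
          next
        end
        m.sign(host)
        signed << [m.name, host]
        @enrolled.delete(host)           # one CSR per enrollment, then the window closes
      end
    end
    [signed, rejected]
  end
end

if $PROGRAM_NAME == __FILE__
  masters = [FakeMaster.new('master-a', signed: ['node1.example.com']),
             FakeMaster.new('master-b')]
  bs = Bootstrapper.new(masters)
  bs.enroll('node1.example.com')                 # operator kicks off the reinstall
  masters[1].pending << 'node1.example.com'      # agent's first run lands a CSR on its nearest master
  masters[1].pending << 'rogue.example.com'      # an unsolicited CSR nobody enrolled
  signed, rejected = bs.sign_pending
  puts "signed:   #{signed.inspect}"
  puts "rejected: #{rejected.inspect}"
end
```

The point of the window and the enrollment map is that the CA never signs on the strength of a CSR alone: a request that arrives without a matching operator-initiated enrollment, or after the window has lapsed, stays pending for a human to look at, which is what autosign would have given away.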
