On Oct 16, 2010, at 9:00 AM, Don Jackson wrote:
>
> A bit of followup here:
>
> I changed my approach to build a more acceptable certname that would be
> acceptable as a hostname, using code like this:
>
> MACADDR=`facter macaddress_en0 | tr "[:upper:]" "[:lower:]" | sed 's/://g' `
> MACADDRHOSTNAME="macaddr-${MACADDR}"
>
> This results in something like this:
>
> macaddr-001f5bf823f8
>
> I generated the private key and signed cert on my puppetmaster, copied to a
> client, and on the client, I did something like this:
>
> puppetd --hostprivkey=/etc/puppet/ssl/private_keys/macaddr-001f5bf823f8.pem
> --hostcert=/etc/puppet/ssl/certs/macaddr-001f5bf823f8.pem
> --certname=macaddr-001f5bf823f8
>
> So, things seem to be working the way I want now. Thanks to everyone for
> their advice, particularly Nigel and Patrick.
>
> Now that I have this working, I am thinking I would prefer to use this method
> for all my machines. In my environment, any machine may have different host
> names over the course of its useful life, including servers.
> The FQDN is just another configurable state. Why have the puppet cert
> related to the FQDN? When new hardware arrives, log it in my configuration
> management DB by one of its MAC addresses,
> drive generation of puppet cert on that, and blast/install/configure away.
> This seems like a significant improvement to me.
It's often best to use hostname if you can, because you often want to set up DNS. DNS gives you a lot of advantages. For one thing, you can find (and ssh into) a node if you know the hostname. This assumes that computers don't move between (internal) domains. That is true with most desktops and many laptops that use VPN. I will admit that it is not always feasible.

> On Oct 15, 2010, at 1:48 PM, Nigel Kersten wrote:
>
>> On Fri, Oct 15, 2010 at 11:57 AM, Nigel Kersten <nig...@google.com> wrote:
>>> On Thu, Oct 14, 2010 at 10:23 PM, Don Jackson
>>> <puppet-us...@clark-communications.com> wrote:
>>>>
>>>> I'd like to extend my use of puppet to manage my desktop/notebook macs.
>>>>
>>>> As others have noted, the hostname of the mobile machines tends to change
>>>> frequently, so basing the node name (in my site.pp) and the corresponding
>>>> cert and private key names seems to be an issue.
>>>>
>>>> I seem to recall somewhat talking about this at Puppet Camp last week.....
>>>>
>>>> Generally my signing strategy is always to generate new certs and private
>>>> keys on the puppetmaster, and install them on the client machine as part
>>>> of the initial install (hopefully automated).
>>>>
>>>> Can I generate a cert based on the macaddress of the new machine?
>>>
>>> You're better off using UUIDs in my opinion.
>>>
>>> man uuidgen
>>
>> I should have also mentioned that for Mac clients, there's a system
>> hardware UUID that persists across reinstalls, and that may be useful.
>>
>> system_profiler SPHardwareDataType
>>
>> or
>>
>> facter sp_platform_uuid
>>
>> This is the same UUID used to composite ByHost preferences on OS X,
>> and any recent vintage Mac should have it.
>>
>>>
>>>> I tried this, and puppetca --generate made the certs and key without
>>>> complaining.
>>>>
>>>> Presumably I can install these on my client machine.
>>>>
>>>> If so, would I then run puppetd with the --fqdn argument, and give the
>>>> mac address there?
>>>
>>> no, you want to use 'certname', not fqdn.
>>>
>>>>
>>>> And what would the name of this machine be in a node specification in the
>>>> manifest?
>>>>
>>>> I put
>>>> node '00:1f:5b:f8:23:f8' { }
>>>>
>>>> in my manifest, and it was very unhappy.
>>>>
>>>> Any advice about how I can accomplish what I am trying to do?
>>>>
>>>> Thanks,
>>>>
>>>> Don
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups
>>>> "Puppet Users" group.
>>>> To post to this group, send email to puppet-us...@googlegroups.com.
>>>> To unsubscribe from this group, send email to
>>>> puppet-users+unsubscr...@googlegroups.com.
>>>> For more options, visit this group at
>>>> http://groups.google.com/group/puppet-users?hl=en.
>>>>
>>>
>>> --
>>> nigel
>>
>
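As an added example (my own code, not Don's or Nigel's, and not part of the Puppet project), here is a POSIX sh helper that turns the hardware identifiers discussed in this thread into a certname that is also a valid DNS label, preferring the platform UUID Nigel recommends and falling back to the en0 MAC address. The function names are assumptions of this example; the facter fact names (`sp_platform_uuid`, `macaddress_en0`) are the ones named in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: derive a stable Puppet certname
# from a hardware identifier and check it is a valid DNS label before any
# key or certificate is generated under that name.

# Normalise a raw identifier: lowercase, strip ':' and '-' so that MACs
# ("00:1F:5B:F8:23:F8") and UUIDs ("5A3C1F2E-7B9D-...") collapse to [a-z0-9].
normalize_id() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/[-:]//g'
}

# Return 0 if the argument is a valid single DNS label (RFC 1123 hostname
# rules): 1-63 characters, only [a-z0-9-], no leading or trailing hyphen.
valid_label() {
    label=$1
    [ -n "$label" ] && [ "${#label}" -le 63 ] || return 1
    case $label in
        -*|*-) return 1 ;;
        *[!a-z0-9-]*) return 1 ;;
    esac
    return 0
}

# certname_from_mac 00:1F:5B:F8:23:F8  ->  macaddr-001f5bf823f8
# (the naming scheme Don settled on). Refuses anything that is not exactly
# 12 hex digits once separators are removed.
certname_from_mac() {
    mac=$(normalize_id "$1")
    case $mac in
        ????????????) ;;
        *) return 1 ;;
    esac
    case $mac in
        *[!0-9a-f]*) return 1 ;;
    esac
    name="macaddr-$mac"
    valid_label "$name" || return 1
    printf '%s\n' "$name"
}

# certname_from_uuid <uuid>  ->  uuid-<32 hex digits>
# (hypothetical scheme for Nigel's platform-UUID suggestion).
certname_from_uuid() {
    uuid=$(normalize_id "$1")
    [ "${#uuid}" -eq 32 ] || return 1
    case $uuid in
        *[!0-9a-f]*) return 1 ;;
    esac
    name="uuid-$uuid"
    valid_label "$name" || return 1
    printf '%s\n' "$name"
}

# pick_certname <uuid-or-empty> <mac-or-empty>: prefer the platform UUID,
# which persists across reinstalls, and fall back to the MAC of en0.
pick_certname() {
    if name=$(certname_from_uuid "$1"); then
        printf '%s\n' "$name"
    elif name=$(certname_from_mac "$2"); then
        printf '%s\n' "$name"
    else
        echo "no usable hardware identifier found" >&2
        return 1
    fi
}

# Live use on a Mac client would look like this (commented out so the
# script runs offline without facter or puppetd installed):
#   CERTNAME=$(pick_certname "$(facter sp_platform_uuid)" "$(facter macaddress_en0)")
#   puppetd --certname="$CERTNAME" \
#       --hostprivkey=/etc/puppet/ssl/private_keys/$CERTNAME.pem \
#       --hostcert=/etc/puppet/ssl/certs/$CERTNAME.pem
```

The validation step is the point: the puppetmaster ties a node's identity and classification to this string, so the script refuses to emit a name it cannot account for (missing interface, malformed fact output) rather than letting a cert be generated for an empty or odd-looking certname. Preferring the UUID over the MAC follows Nigel's advice, since a MAC belongs to one replaceable interface whereas the platform UUID survives a reinstall.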