On Nov 10, 2010, at 6:52 AM, Chris wrote:

> Hi Thomas
> 
> On Nov 10, 12:44 pm, Thomas Bendler <thomas.bend...@cimt.de> wrote:
>> Hi Chris,
>> 
>> 2010/11/10 Chris <chrisma...@gmail.com>
>> 
>>> [...]
>>> file{"/path/to/foo.key": source=>"puppet:///keys/foo.key"} , because
>>> any valid puppet client could access foo.key.
>>> [...]
>> 
>> you are not stuck with the puppet file server, you can also use something
>> like this:
>> 
>> file {
>>     "/path/to/file":
>>         source => "/nfs/$host/file";
>> }
>> 
>> Make an export for each connected server and restrict access to this one.
>> Put all private files on the NFS server and you're done.
>> 
> 
> Yes, except that approach suffers from the same administrative
> problems as using puppet:/// and auth.conf. HTTPS certs aren't
> specific to hosts. If I have 20 servers all requiring foo.key (because
> they all have the foo-application class in their manifest), then
> either I have to copy foo.key into 20 different directories, or else
> have one export with 20 allowed hosts. And every time I add the foo-
> application class to another host, I need to remember to also expose
> the key to that host. With large numbers of keys and hosts, and
> moderate levels of churn, this becomes difficult to manage and prone
> to errors.
> 
> The puppetmaster "knows" which hosts are allowed foo.key - i.e. all
> the hosts which include the foo-application class. It seems wrong that
> I should have to manually duplicate that information somewhere else,
> be it in an NFS exports list or an auth.conf file.
> 
> I suppose I could do something hacky with storeconfigs to update the
> exports on the NFS server when a new host is brought online - but it
> doesn't seem like a very nice solution. It would lead to the first
> puppet run failing because the exports weren't yet updated, for one
> thing.

The best solution I can come up with is creating a hack that uses a define and 
a custom ruby function that will Base64Encode and then have the client 
Base64Decode (using an exec or custom provider) on the other end.  This comes 
from something I'm building, but probably won't be done for a long while.

This is pseudocode which is missing the encode function, decode function, and 
some of the glue code.  


class binary_embedded_file::setup
{
        # Staging area on the client for the encoded and decoded copies.
        # The staged files are the secret itself, just encoded, so keep
        # the directory root-only.
        $temp = '/var/lib/puppet/binary_embedded_file'

        file { $temp:
                ensure => directory,
                mode   => '0750',
                owner  => 'root',
                group  => 'root',
        }

        # Client-side decoder script (its contents are not shown here).
        # Assumed to be shipped from this module's files directory.
        file { '/usr/local/bin/base64_decode':
                ensure => present,
                owner  => 'root',
                group  => 'root',
                mode   => '0755',
                source => 'puppet:///modules/binary_embedded_file/base64_decode',
        }
}


# $name is the absolute path the decoded file should end up at on the
# client (or pass $client_location to override it). $server_location is a
# path readable by the puppetmaster; file() reads its bytes at compile
# time, so they are only ever sent to clients whose catalog declares
# this resource.
define binary_embedded_file($ensure = 'present',
        $server_location = undef, $client_location = undef,
        $owner = 'root', $group = 'root', $mode = '0600') {

        include binary_embedded_file::setup

        if $client_location {
                $target = $client_location
        } else {
                $target = $name
        }

        $temp = $binary_embedded_file::setup::temp
        # Flatten the target path into a single file name for staging.
        $safe_name = regsubst($target, '/', '_', 'G')
        $client_temp_path           = "${temp}/${safe_name}.b64"
        $client_temp_path_converted = "${temp}/${safe_name}"

        # Staged, base64-encoded copy. base64_encode() is the custom ruby
        # parser function (not shown); it runs on the master.
        file { $client_temp_path:
                ensure  => $ensure,
                owner   => 'root',
                group   => 'root',
                mode    => '0600',
                content => base64_encode(file($server_location)),
                require => Class['binary_embedded_file::setup'],
        }

        # Decode only when the staged copy changes (refreshonly), and do it
        # before the final file resource copies the result into place.
        exec { "decode ${target}":
                command     => "/usr/local/bin/base64_decode '${client_temp_path}' '${client_temp_path_converted}'",
                refreshonly => true,
                subscribe   => File[$client_temp_path],
                before      => File[$target],
                require     => Class['binary_embedded_file::setup'],
        }

        # Final location; source is a local path, so the agent copies the
        # decoded staging file into place with the requested ownership.
        file { $target:
                ensure => $ensure,
                owner  => $owner,
                group  => $group,
                mode   => $mode,
                source => $client_temp_path_converted,
        }
}


-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.
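The two pieces the pseudocode above says it leaves out, the encode function and the client-side decoder, as an added example in plain Ruby (not code from the original post, from Puppet or from its stdlib): `base64_encode` is what a custom parser function would return for `content =>`, and `base64_decode_to` is what `/usr/local/bin/base64_decode` would do on the agent, writing the decoded key with restrictive permissions and refusing corrupt input. Function names, the `0600` default and the sample secret are assumptions of this example.

```ruby
require 'base64'
require 'digest'
require 'tmpdir'

# Server side: encode arbitrary bytes (a key, a binary) for embedding in the
# catalog. Strict encoding, no line wrapping, so the content is one string.
def base64_encode(bytes)
  Base64.strict_encode64(bytes)
end

# Client side: decode in_path into out_path. Write to a temp file created
# with restrictive permissions, then rename, so no reader ever sees a partial
# or world-readable key. Corrupt input raises instead of writing garbage.
# Returns the SHA-256 of the decoded bytes so the caller can verify them.
def base64_decode_to(in_path, out_path, mode = 0o600)
  encoded = File.read(in_path).delete("\n")
  decoded = Base64.strict_decode64(encoded)   # ArgumentError on bad data
  tmp = "#{out_path}.tmp.#{Process.pid}"
  File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, mode) do |f|
    f.write(decoded)
  end
  File.chmod(mode, tmp)        # umask may have narrowed it; pin it exactly
  File.rename(tmp, out_path)   # atomic replace on the same filesystem
  Digest::SHA256.hexdigest(decoded)
end

# Round trip over a constructed sample secret, the way the define stages it:
# write the encoded copy, decode it beside the final path, compare digests.
def roundtrip_demo
  secret = (0..255).map(&:chr).join.b   # constructed bytes, not a real key
  Dir.mktmpdir do |dir|
    staged = File.join(dir, 'foo.key.b64')
    final  = File.join(dir, 'foo.key')
    File.write(staged, base64_encode(secret))
    digest = base64_decode_to(staged, final)
    { match: digest == Digest::SHA256.hexdigest(secret),
      mode:  format('%o', File.stat(final).mode & 0o777),
      bytes: File.binread(final) == secret }
  end
end
```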
