On Mon, Jun 4, 2012 at 10:17 PM, ankush grover <ankushcen...@gmail.com> wrote:
> On Mon, Jun 4, 2012 at 10:56 PM, Jeff McCune <j...@puppetlabs.com> wrote:
>> On Sun, Jun 3, 2012 at 11:48 PM, ankush grover <ankushcen...@gmail.com> 
>> wrote:
>>> My approach will be like this
>>>
>>> generate uuid through uuidgen command and put that in certname under 
>>> puppet.conf
>>> start the puppet client
>>> on the server allow autosigning of the client machines and a default policy
>>>
>>> The issue with this approach is that if the puppet agent is not working
>>> properly on a host, it is difficult to know the exact host without
>>> doing ssh onto the server, and also to apply different policies for a
>>> particular host.
>>>
>>> Using the nodename as the unique identifier will be a problem with the Onapp cloud, as the end
>>> user will be setting the hostname, which might not be unique.
>>
>> What you can do in this instance is set both certname and
>> node_name_value in puppet.conf.  For the rest of this description
>> node_name_fact also works, the only difference is that the value is
>> pulled out of Facter instead of being a static string in puppet.conf.
>>
>> The downside is that you need to map the certname to the nodename in
>> auth.conf on the master.
>>
>> # Agent puppet.conf
>> [main]
>> certname = B72008C3-708C-460B-80F5-38C221F7A479
>> node_name_value = jeff.uuid
>>
>> # Master auth.conf
>> # (Put this entry _above_ the existing entry for catalog requests,
>> # since Puppet stops searching auth rules when it finds the first match.)
>>
>> # Allow laptop nodes (UUID-based dynamic hostnames, sort of like the cloud).
>> # This entry must come before the default catalog entry.
>> path ~ ^/catalog/([^/]+).uuid$
>> method find
>> allow B72008C3-708C-460B-80F5-38C221F7A479
>>
> With 100s of nodes this might not be practical (without manual
> intervention), or not without doing ssh onto the master.

You're right, explicitly adding the UUID isn't practical for large
numbers of nodes.  It's more suited to a monitoring system.

For arbitrary numbers of agents you could tweak the catalog
regular expression allow rule to match a portion of the cert name.

# puppet.conf on the agent
[main]
certname = jeff.uuid.ec7f5196-7f63-5f73-f18d-ca69afc5c24d
node_name_value = jeff.uuid

# auth.conf on the master (This requires Puppet 2.7.1 or later since
# it uses a regexp allow)
path ~ ^/catalog/([^/]+).uuid$
method find
allow /^$1\.uuid.*/

path ~ ^/catalog/([^/]+)$
method find
allow $1

Here's puppet generating a new key and getting a catalog on the first
run with autosign turned on:

root@pe-centos6:~/conf# puppet agent --confdir /tmp/jeff --test
info: Creating a new SSL key for jeff.uuid.ec7f5196-7f63-5f73-f18d-ca69afc5c24d
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for jeff.uuid.ec7f5196-7f63-5f73-f18d-ca69afc5c24d
info: Certificate Request fingerprint (md5): E4:A9:CD:19:15:2F:EC:E0:4C:C7:16:85:E3:8C:00:12
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for jeff.uuid.ec7f5196-7f63-5f73-f18d-ca69afc5c24d
info: Caching certificate_revocation_list for ca
info: Caching catalog for jeff.uuid
info: Applying configuration version '1338877114'
info: Creating state file /tmp/jeff/var/state/state.yaml
notice: Finished catalog run in 0.02 seconds


We have the ability to generate a unique certificate CN that works for
a single node and use it to get a catalog with a single run.

The two remaining hurdles are signing the certificate request and writing
the configuration file.  We can insecurely work around the CSR issue
today with autosign.  We're working to make this easier while
maintaining security with the sites project Daniel Sauble emailed the
list about recently.

The second problem is writing to the configuration file.  What do you
think a puppet subcommand should look like that helps automate this?

Maybe something like:

puppet config write --section main \
  certname=$(hostname).uuid.$(ruby -rubygems -e '\
    require "guid"; puts Guid.new; \
  ')
puppet config write --section main \
  node_name_value=$(hostname).uuid

-Jeff
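The scheme in the message above, as an added example that is not code from the thread or from Puppet itself: it builds the UUID-suffixed certname and the stable node_name_value for a host, renders the [main] section the proposed `puppet config write` would produce, and then evaluates the two auth.conf catalog entries from the message against a catalog request. The rule evaluator is a simplified re-implementation for illustration, not Puppet's auth.conf parser; it assumes Ruby's stdlib SecureRandom.uuid in place of the `guid` gem, and it escapes the dot before "uuid" in the path regexp and the captured node name (the thread's rule leaves both bare). The hostnames and UUIDs used are constructed.

```ruby
# Added example (not from the thread or from Puppet). Models the certname +
# node_name_value pairing and the interpolated auth.conf rule that binds them.
require "securerandom"

# Build the pair of settings. `hostname` is whatever the end user chose (not
# guaranteed unique); the UUID makes the certificate CN unique. The thread used
# the `guid` gem; SecureRandom.uuid from the Ruby stdlib is assumed here.
def puppet_identity(hostname, uuid = SecureRandom.uuid)
  node_name = "#{hostname}.uuid"
  { "certname" => "#{node_name}.#{uuid}", "node_name_value" => node_name }
end

# Render the [main] section the proposed `puppet config write` would produce.
def render_main_section(settings)
  (["[main]"] + settings.map { |k, v| "#{k} = #{v}" }).join("\n") + "\n"
end

# The two catalog entries from the thread, in order. Puppet stops at the first
# rule whose path matches, so the UUID rule must come first. An allow value
# wrapped in slashes is treated as a regexp, otherwise as a literal certname;
# "$1" stands for the first capture group of the path match. The dot before
# "uuid" is escaped here; the thread's rule leaves it bare (assumed tightening).
AUTH_RULES = [
  { path: %r{^/catalog/([^/]+)\.uuid$}, method: "find", allow: '/^$1\.uuid.*/' },
  { path: %r{^/catalog/([^/]+)$},       method: "find", allow: "$1" },
].freeze

# Does an agent presenting `certname` get the catalog for `node_name`?
def catalog_allowed?(certname, node_name, rules = AUTH_RULES)
  request_path = "/catalog/#{node_name}"
  rules.each do |rule|
    m = rule[:path].match(request_path)
    next unless m && rule[:method] == "find"   # first matching rule decides
    allow = rule[:allow]
    if allow.start_with?("/") && allow.end_with?("/")
      # Regexp allow: escape the captured node name so that a dot in the
      # hostname stays a literal dot rather than a wildcard (assumed hardening).
      body = allow[1..-2].sub("$1") { Regexp.escape(m[1]) }
      return Regexp.new(body).match?(certname)
    else
      return allow.sub("$1") { m[1] } == certname
    end
  end
  false                                        # no rule matched: deny
end

if __FILE__ == $0
  id = puppet_identity("jeff", "ec7f5196-7f63-5f73-f18d-ca69afc5c24d")
  puts render_main_section(id)
  [id["node_name_value"], "mallory.uuid", "jeff"].each do |node|
    puts "#{id['certname']} -> /catalog/#{node}: #{catalog_allowed?(id['certname'], node)}"
  end
end
```

Two things worth noticing when running it: the rule only binds a certificate to a node-name prefix, so with autosign on, any agent that obtains a certificate named `jeff.uuid.<anything>` gets jeff's catalog, which is exactly the CSR-signing hurdle the message acknowledges; and the trailing `.*` in the allow regexp means a certname such as `jeff.uuidfoo` also passes, so `^$1\.uuid\..*` would be a tighter pattern if you adopt the scheme.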

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.