Re: [Puppet Users] Re: authenticating new nodes that are created by provisioning
On Fri, Jun 4, 2010 at 5:25 PM, Todd Zullinger t...@pobox.com wrote:

> Oded wrote:
>> Never tried it myself but I think you can create the certificate as a part of the provisioning process, and then somehow place it in the new server.
>> http://serverfault.com/questions/19462/how-can-i-pre-sign-puppet-certificates
>
> Without reading the link to see if it's similar to what I do, I have a script I run on the puppet master to pre-generate certificates and package them as RPMs. These then go into a repository which the install is set up to use, and the certificate package is installed by kickstart. The package, if you're curious, is at:
> http://tmz.fedorapeople.org/packages/puppet-host-package-0.6.0-1.el5.src.rpm
>
> It's not polished in any way. It's one of those "works for me, someday I should finish and improve it" things. But I prefer this to enabling autosign.

Nice idea, I like that.

I had toyed with adding such an autosign-simulating feature to Cobbler that Ohad mentioned (but different*), but I don't see how that provides any greater security, as once you have automated provisioning via TFTP (it's an open protocol by design), it's really a moot point to claim you're layering extra security on top. Also Anaconda doesn't support access control around accessing kickstarts.

* = rather than enabling autosign, the system would note what hosts just started kickstart, and let cobblerd sign that specific host once it shows up in 'puppetca', polling periodically, until the host indicates it reaches 'kickstart done' status, or after 30 minutes, whichever is sooner. That way there's no need to enable autosign, but it's effectively the same thing. The system could also remove certificates for hosts that were being reinstalled if kicked off from a secure interface (can't really trust PXE and HTTP requests).

--Michael

--
You received this message because you are subscribed to the Google Groups Puppet Users group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Re: authenticating new nodes that are created by provisioning
Just for completion, autosign is enabled only once a kickstart/preseed etc. file has been requested by the predefined IP address (or MAC) in Foreman.

I agree that signing the clients without autosign is a good alternative, but I'm not sure if trusting your FQDN is any different to trusting your IP / MAC address.

When choosing to reinstall a host, Foreman will clean the cert (again only once the kickstart file has been requested, so you could schedule reinstalls), and when deleting a host, the certificate will be revoked.

Ohad

On Mon, Jun 7, 2010 at 9:00 PM, Michael DeHaan mich...@puppetlabs.com wrote:

> On Fri, Jun 4, 2010 at 5:25 PM, Todd Zullinger t...@pobox.com wrote:
>
>> Oded wrote:
>>> Never tried it myself but I think you can create the certificate as a part of the provisioning process, and then somehow place it in the new server.
>>> http://serverfault.com/questions/19462/how-can-i-pre-sign-puppet-certificates
>>
>> Without reading the link to see if it's similar to what I do, I have a script I run on the puppet master to pre-generate certificates and package them as RPMs. These then go into a repository which the install is set up to use, and the certificate package is installed by kickstart. The package, if you're curious, is at:
>> http://tmz.fedorapeople.org/packages/puppet-host-package-0.6.0-1.el5.src.rpm
>>
>> It's not polished in any way. It's one of those "works for me, someday I should finish and improve it" things. But I prefer this to enabling autosign.
>
> Nice idea, I like that.
>
> I had toyed with adding such an autosign-simulating feature to Cobbler that Ohad mentioned (but different*), but I don't see how that provides any greater security, as once you have automated provisioning via TFTP (it's an open protocol by design), it's really a moot point to claim you're layering extra security on top. Also Anaconda doesn't support access control around accessing kickstarts.
>
> * = rather than enabling autosign, the system would note what hosts just started kickstart, and let cobblerd sign that specific host once it shows up in 'puppetca', polling periodically, until the host indicates it reaches 'kickstart done' status, or after 30 minutes, whichever is sooner. That way there's no need to enable autosign, but it's effectively the same thing. The system could also remove certificates for hosts that were being reinstalled if kicked off from a secure interface (can't really trust PXE and HTTP requests).
>
> --Michael
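The two schemes above (Michael's cobblerd poller that signs only a host it saw start kickstart, within a 30-minute window, and Foreman's gating of signing and cert cleaning on the kickstart request) share one core: an allow-list keyed on provisioning events, with exact-match signing and expiry. The following is an added sketch of that core, not Cobbler's or Foreman's own code; the hook names, the `runner`/`clock` injection and the assumption that `puppetca --list` prints one request name per line are assumptions made here.

```python
import subprocess
import time

SIGN_WINDOW = 30 * 60  # seconds a host stays eligible after fetching its kickstart


def run(cmd):
    """Run a CLI command and return its stdout (tests substitute a stub)."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def pending_certs(runner=run):
    """Names with an unsigned request, parsed from `puppetca --list` (assumed one name per line)."""
    names = set()
    for line in runner(["puppetca", "--list"]).splitlines():
        if line.strip():
            names.add(line.split()[0].strip('"'))
    return names


class KickstartGate:
    """Signs only hosts the provisioning system saw start a kickstart, within a window."""

    def __init__(self, runner=run, clock=time.time, window=SIGN_WINDOW):
        self.runner, self.clock, self.window = runner, clock, window
        self.started = {}  # fqdn -> time the kickstart file was fetched

    def kickstart_requested(self, fqdn, reinstall=False):
        """Hook for the kickstart fetch (hypothetical name); a reinstall cleans the old cert first."""
        if reinstall:
            self.runner(["puppetca", "--clean", fqdn])
        self.started[fqdn] = self.clock()

    def kickstart_done(self, fqdn):
        """Hook for the 'kickstart done' callback: stop watching this host."""
        self.started.pop(fqdn, None)

    def poll(self):
        """One polling pass: drop expired hosts, sign exact matches, leave the rest pending."""
        now = self.clock()
        for fqdn in [h for h, t in self.started.items() if now - t > self.window]:
            del self.started[fqdn]
        signed = []
        for name in pending_certs(self.runner):
            if name in self.started:  # anything not expected stays unsigned for a human to review
                self.runner(["puppetca", "--sign", name])
                signed.append(name)
        return sorted(signed)
```

A request from a host that never fetched a kickstart, or that fetched one more than 30 minutes ago, is simply left in the queue, so the failure mode is a delayed install rather than a signed stranger.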
Re: [Puppet Users] Re: authenticating new nodes that are created by provisioning
----- Michael DeHaan mich...@puppetlabs.com wrote:

> Nice idea, I like that.
>
> I had toyed with adding such an autosign-simulating feature to Cobbler that Ohad mentioned (but different*), but I don't see how that provides any greater security, as once you have automated provisioning via TFTP (it's an open protocol by design), it's really a moot point to claim you're layering extra security on top. Also Anaconda doesn't support access control around accessing kickstarts.
>
> * = rather than enabling autosign, the system would note what hosts just started kickstart, and let cobblerd sign that specific host once it shows up in 'puppetca', polling periodically, until the host indicates it reaches 'kickstart done' status, or after 30 minutes, whichever is sooner. That way there's no need to enable autosign, but it's effectively the same thing. The system could also remove certificates for hosts that were being reinstalled if kicked off from a secure interface (can't really trust PXE and HTTP requests).

My machines install mcollective at install time with just a 'provisioning' agent. I can then:

- discover machines ready for provisioning without first needing to put them in an inventory DB etc.
- revoke any old certs on CAs matching the new host
- install puppet, put it in the bootstrap environment
- trigger a puppet run that requests a cert
- go and sign the cert on whatever master has it (I have many masters, all more or less islands; machines just talk to their nearest)
- do another puppet run till bootstrapping is done
- put the machine in the production environment from where it will do normal puppet runs.

So I retain the security of not having autosign enabled and can easily drive a machine through the whole process on demand. Easy to integrate into web UIs etc.

--
R.I.Pienaar
[Puppet Users] Re: authenticating new nodes that are created by provisioning
Never tried it myself but I think you can create the certificate as a part of the provisioning process, and then somehow place it in the new server.
http://serverfault.com/questions/19462/how-can-i-pre-sign-puppet-certificates

On Jun 3, 7:42 am, Matthew Delves m.del...@ballarat.edu.au wrote:

> Hey Folks,
>
> I'm looking at doing automated provisioning of new servers and am trying to integrate puppet into this process. What I'm wondering though is what the best process for securely registering a new node is.
>
> At the moment the first time puppet is run I have to then accept the certificate on the puppetmaster and then run puppet again. What I would like to do is accept the certificate automatically, though am hesitant to do so as then anyone could just register against the puppetmaster.
>
> Is there a way to do this securely?
>
> Thanks,
> Matt.
>
> --
> Matthew Delves
> System Administrator
> Information Systems Networks Infrastructure
> University of Ballarat
> ph: 03 5327 9732
> email: m.del...@ballarat.edu.au