Re: [Puppet Users] Single certificate, multiple nodes... or image-based systems
Awesome!! So, just to wrap it up taking all your answers together, we have two options: - Individual certs using Puppet 3.4 policy based autosign feature (http://docs.puppetlabs.com/puppet/3/reference/ssl_autosign.html#policy-based-autosigning) and some custom puppet cert clean hn HTTP calls before running puppet upon reboot, or - Single cert for all, making puppet node_name to be taken from node's facter, this way: https://gist.github.com/ahpook/1182243 Thanks a lot to everybody, this was really useful for us! BR/Pablo On 01/09/2014 11:57 PM, Jeff Bachtel wrote: On 01/09/2014 10:12 AM, Pablo Fernandez wrote: I understand your point. I guess the SSL layer will render the request as illegitimate, but even if it doesn't, it may be playing with fire :) No, actually it doesn't verify certname against fqdn or any such, so technically you could bake in a single cert for an image. It's a bad idea because the Puppet master is supposed to know the state of a node, and it can't in that case (facts associated with the node like fqdn and ip and mac addresses will be constantly churning). I use Puppet on image-based systems. As part of the sysprep step (making the image generic for future spawning), I go and delete ssl certs from either /var/lib/puppet/ssl or the Windows equivalent. I make sure the agent is configured to hit the correct puppet master on first run, although I don't personally autosign. With 3.4's autosign hooks, you can presumably configured a shared key between your puppet master and baked images such that a node signals that it should be issued a certificate on provision. Jeff Thanks all for your thoughts, let me then present this as a generic question: did anybody try puppet on image-based systems? It would be wonderful to get some first-hand hints. Thanks again! BR/Pablo On 01/09/2014 04:05 PM, jcbollinger wrote: On Thursday, January 9, 2014 6:40:42 AM UTC-6, pablo.f...@cscs.ch wrote: Thanks for your suggestions, Running masterless is a bit too exotic, since we would like to use all those nice features that make a Puppet installation complete: specially hiera searches and PuppetDB. Modules, too, should be compatible with other clusters, so no big deviations can occur. Enabling auto-sign, as Jose Luis suggested, may be a possibility. I have just checked myself if autosign works if the same node was already registered in the CA... but according to the documentation it does not look like it, not to mention the security issues that come with it. Does the certificate name need to match the fqdn for puppet to allow connections? I'm not certain, but even if not, what you propose is dangerous. The master uses the certificate presented by the agent not just to authorize the agent, but also to /identify/ it. If all your nodes present the same certificate to the master, then they all claim to be the same machine, which is a lie. I don't foresee any specific failure scenarios associated with that, but it is unwise to mess with the system's underlying assumptions in such a way. John -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/3c8f53f8-09a2-4bd8-8fa8-1986efdafeb3%40googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/52CEBC6A.3070403%40cscs.ch. For more options, visit https://groups.google.com/groups/opt_out. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/52CF2955.2000306%40bericotechnologies.com. For more options, visit https://groups.google.com/groups/opt_out. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/52CFBE93.7020907%40cscs.ch. For more options, visit https://groups.google.com/groups/opt_out.
Re: [Puppet Users] Single certificate, multiple nodes... or image-based systems
Maybe look into running masterless to avoid problems with certs. Just run puppet apply on the new server. On 9 Jan 2014 09:42, Pablo Fernandez pablo.fernan...@cscs.ch wrote: Dear all, We are thinking about the possibility of using Puppet in an image-based cluster. The compute nodes would boot and load the whole image to a ramdisk, where r/w access is granted afterwards. Our idea is to have a sample compute node running puppet where to create the image from, and periodically extract a new image from it. Nodes that reboot, simply take that image, change the hostname and IP addresses, and little more (typical in image-based systems). The nice thing about this is that, since the source image is from a puppetized host, its clones will be as well! So changes in the puppet configuration will be applied immediately to the nodes. Does it sound right? I currently foresee a problem with the puppet node certificates: is it possible to use a generic certificate, to enable trust between puppet server and clients, but having each node a different fqdn and be treated by puppet as different hosts (including PuppetDB entries)? I saw different facts for each: ::clientcert and ::fqdn, that gave me hopes. Besides that, do you see any other problem with this type of deployment? Does anybody have experience with something similar? Thanks! BR/Pablo -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/52CE6F14.7060508%40cscs.ch. For more options, visit https://groups.google.com/groups/opt_out. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CACzr%3DFc4fKWeGA%3Dz%2B0taUdCognf7mjoReqCTj-WHm7mvachBvQ%40mail.gmail.com. For more options, visit https://groups.google.com/groups/opt_out.
Re: [Puppet Users] Single certificate, multiple nodes... or image-based systems
Thanks for your suggestions, Running masterless is a bit too exotic, since we would like to use all those nice features that make a Puppet installation complete: specially hiera searches and PuppetDB. Modules, too, should be compatible with other clusters, so no big deviations can occur. Enabling auto-sign, as Jose Luis suggested, may be a possibility. I have just checked myself if autosign works if the same node was already registered in the CA... but according to the documentation it does not look like it, not to mention the security issues that come with it. Does the certificate name need to match the fqdn for puppet to allow connections? Thanks! BR/Pablo On 01/09/2014 12:16 PM, Andrey Kozichev wrote: Maybe look into running masterless to avoid problems with certs. Just run puppet apply on the new server. On 9 Jan 2014 09:42, Pablo Fernandez pablo.fernan...@cscs.ch mailto:pablo.fernan...@cscs.ch wrote: Dear all, We are thinking about the possibility of using Puppet in an image-based cluster. The compute nodes would boot and load the whole image to a ramdisk, where r/w access is granted afterwards. Our idea is to have a sample compute node running puppet where to create the image from, and periodically extract a new image from it. Nodes that reboot, simply take that image, change the hostname and IP addresses, and little more (typical in image-based systems). The nice thing about this is that, since the source image is from a puppetized host, its clones will be as well! So changes in the puppet configuration will be applied immediately to the nodes. Does it sound right? I currently foresee a problem with the puppet node certificates: is it possible to use a generic certificate, to enable trust between puppet server and clients, but having each node a different fqdn and be treated by puppet as different hosts (including PuppetDB entries)? I saw different facts for each: ::clientcert and ::fqdn, that gave me hopes. Besides that, do you see any other problem with this type of deployment? Does anybody have experience with something similar? Thanks! BR/Pablo -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com mailto:puppet-users%2bunsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/52CE6F14.7060508%40cscs.ch. For more options, visit https://groups.google.com/groups/opt_out. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CACzr%3DFc4fKWeGA%3Dz%2B0taUdCognf7mjoReqCTj-WHm7mvachBvQ%40mail.gmail.com. For more options, visit https://groups.google.com/groups/opt_out. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/52CE98CA.3070206%40cscs.ch. For more options, visit https://groups.google.com/groups/opt_out.
Re: [Puppet Users] Single certificate, multiple nodes... or image-based systems
Autosign will be not enough, since if server has already signed - it will show cert mismatch. you can trigger cert clean every time you reimage server. On 9 Jan 2014 12:40, Pablo Fernandez pablo.fernan...@cscs.ch wrote: Thanks for your suggestions, Running masterless is a bit too exotic, since we would like to use all those nice features that make a Puppet installation complete: specially hiera searches and PuppetDB. Modules, too, should be compatible with other clusters, so no big deviations can occur. Enabling auto-sign, as Jose Luis suggested, may be a possibility. I have just checked myself if autosign works if the same node was already registered in the CA... but according to the documentation it does not look like it, not to mention the security issues that come with it. Does the certificate name need to match the fqdn for puppet to allow connections? Thanks! BR/Pablo On 01/09/2014 12:16 PM, Andrey Kozichev wrote: Maybe look into running masterless to avoid problems with certs. Just run puppet apply on the new server. On 9 Jan 2014 09:42, Pablo Fernandez pablo.fernan...@cscs.ch wrote: Dear all, We are thinking about the possibility of using Puppet in an image-based cluster. The compute nodes would boot and load the whole image to a ramdisk, where r/w access is granted afterwards. Our idea is to have a sample compute node running puppet where to create the image from, and periodically extract a new image from it. Nodes that reboot, simply take that image, change the hostname and IP addresses, and little more (typical in image-based systems). The nice thing about this is that, since the source image is from a puppetized host, its clones will be as well! So changes in the puppet configuration will be applied immediately to the nodes. Does it sound right? I currently foresee a problem with the puppet node certificates: is it possible to use a generic certificate, to enable trust between puppet server and clients, but having each node a different fqdn and be treated by puppet as different hosts (including PuppetDB entries)? I saw different facts for each: ::clientcert and ::fqdn, that gave me hopes. Besides that, do you see any other problem with this type of deployment? Does anybody have experience with something similar? Thanks! BR/Pablo -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/52CE6F14.7060508%40cscs.ch . For more options, visit https://groups.google.com/groups/opt_out. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CACzr%3DFc4fKWeGA%3Dz%2B0taUdCognf7mjoReqCTj-WHm7mvachBvQ%40mail.gmail.com . For more options, visit https://groups.google.com/groups/opt_out. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/52CE98CA.3070206%40cscs.ch. For more options, visit https://groups.google.com/groups/opt_out. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CACzr%3DFdUOgayb1U9-j0G%3DEHfRuamCqGTtBNBvq9e015ZHAg-og%40mail.gmail.com. For more options, visit https://groups.google.com/groups/opt_out.
Re: [Puppet Users] Single certificate, multiple nodes... or image-based systems
On Thursday, January 9, 2014 6:40:42 AM UTC-6, pablo.f...@cscs.ch wrote: Thanks for your suggestions, Running masterless is a bit too exotic, since we would like to use all those nice features that make a Puppet installation complete: specially hiera searches and PuppetDB. Modules, too, should be compatible with other clusters, so no big deviations can occur. Enabling auto-sign, as Jose Luis suggested, may be a possibility. I have just checked myself if autosign works if the same node was already registered in the CA... but according to the documentation it does not look like it, not to mention the security issues that come with it. Does the certificate name need to match the fqdn for puppet to allow connections? I'm not certain, but even if not, what you propose is dangerous. The master uses the certificate presented by the agent not just to authorize the agent, but also to *identify* it. If all your nodes present the same certificate to the master, then they all claim to be the same machine, which is a lie. I don't foresee any specific failure scenarios associated with that, but it is unwise to mess with the system's underlying assumptions in such a way. John -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/3c8f53f8-09a2-4bd8-8fa8-1986efdafeb3%40googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
Re: [Puppet Users] Single certificate, multiple nodes... or image-based systems
I understand your point. I guess the SSL layer will render the request as illegitimate, but even if it doesn't, it may be playing with fire :) Thanks all for your thoughts, let me then present this as a generic question: did anybody try puppet on image-based systems? It would be wonderful to get some first-hand hints. Thanks again! BR/Pablo On 01/09/2014 04:05 PM, jcbollinger wrote: On Thursday, January 9, 2014 6:40:42 AM UTC-6, pablo.f...@cscs.ch wrote: Thanks for your suggestions, Running masterless is a bit too exotic, since we would like to use all those nice features that make a Puppet installation complete: specially hiera searches and PuppetDB. Modules, too, should be compatible with other clusters, so no big deviations can occur. Enabling auto-sign, as Jose Luis suggested, may be a possibility. I have just checked myself if autosign works if the same node was already registered in the CA... but according to the documentation it does not look like it, not to mention the security issues that come with it. Does the certificate name need to match the fqdn for puppet to allow connections? I'm not certain, but even if not, what you propose is dangerous. The master uses the certificate presented by the agent not just to authorize the agent, but also to /identify/ it. If all your nodes present the same certificate to the master, then they all claim to be the same machine, which is a lie. I don't foresee any specific failure scenarios associated with that, but it is unwise to mess with the system's underlying assumptions in such a way. John -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/3c8f53f8-09a2-4bd8-8fa8-1986efdafeb3%40googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/52CEBC6A.3070403%40cscs.ch. For more options, visit https://groups.google.com/groups/opt_out.
Re: [Puppet Users] Single certificate, multiple nodes... or image-based systems
2014/1/9 jcbollinger john.bollin...@stjude.org: On Thursday, January 9, 2014 6:40:42 AM UTC-6, pablo.f...@cscs.ch wrote: Thanks for your suggestions, Running masterless is a bit too exotic, since we would like to use all those nice features that make a Puppet installation complete: specially hiera searches and PuppetDB. Modules, too, should be compatible with other clusters, so no big deviations can occur. Enabling auto-sign, as Jose Luis suggested, may be a possibility. I have just checked myself if autosign works if the same node was already registered in the CA... but according to the documentation it does not look like it, not to mention the security issues that come with it. Does the certificate name need to match the fqdn for puppet to allow connections? I'm not certain, but even if not, what you propose is dangerous. The master uses the certificate presented by the agent not just to authorize the agent, but also to identify it. If all your nodes present the same certificate to the master, then they all claim to be the same machine, which is a lie. I don't foresee any specific failure scenarios associated with that, but it is unwise to mess with the system's underlying assumptions in such a way. John -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/3c8f53f8-09a2-4bd8-8fa8-1986efdafeb3%40googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out. Hi Other Idea could be create the signed certificate on the masterserver and then copy it to the image using scp, libguestfs-tools, etc. You can have an idea looking the provisioningDO rakefile: https://github.com/juasiepo/provisioningDO/blob/master/rakefile Best regards -- Juan Sierra Pons j...@elsotanillo.net Linux User Registered: #257202 Web: http://www.elsotanillo.net Git: http://www.github.com/juasiepo GPG key = 0xA110F4FE Key Fingerprint = DF53 7415 0936 244E 9B00 6E66 E934 3406 A110 F4FE -- -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CABS%3Dy9sEjpSyUCsNCQgebB0Br2OaFxLEGx%2BjbwqebY6%2Bf1mQ%2BQ%40mail.gmail.com. For more options, visit https://groups.google.com/groups/opt_out.
Re: [Puppet Users] Single certificate, multiple nodes... or image-based systems
not entirely image-based, when new server was booted for the first time: 1. it made http call to puppetmaster with it's hostname to do puppet cert clean hostname 2. do puppet run 3. made HTTP call to do puppet cert sign It was kind of autosign + in case of CERT already existed it was removed and re-generated sure security is poor in this approach, but it can be limited to only build vlan. Andrey On 9 January 2014 15:12, Pablo Fernandez pablo.fernan...@cscs.ch wrote: I understand your point. I guess the SSL layer will render the request as illegitimate, but even if it doesn't, it may be playing with fire :) Thanks all for your thoughts, let me then present this as a generic question: did anybody try puppet on image-based systems? It would be wonderful to get some first-hand hints. Thanks again! BR/Pablo On 01/09/2014 04:05 PM, jcbollinger wrote: On Thursday, January 9, 2014 6:40:42 AM UTC-6, pablo.f...@cscs.ch wrote: Thanks for your suggestions, Running masterless is a bit too exotic, since we would like to use all those nice features that make a Puppet installation complete: specially hiera searches and PuppetDB. Modules, too, should be compatible with other clusters, so no big deviations can occur. Enabling auto-sign, as Jose Luis suggested, may be a possibility. I have just checked myself if autosign works if the same node was already registered in the CA... but according to the documentation it does not look like it, not to mention the security issues that come with it. Does the certificate name need to match the fqdn for puppet to allow connections? I'm not certain, but even if not, what you propose is dangerous. The master uses the certificate presented by the agent not just to authorize the agent, but also to *identify* it. If all your nodes present the same certificate to the master, then they all claim to be the same machine, which is a lie. I don't foresee any specific failure scenarios associated with that, but it is unwise to mess with the system's underlying assumptions in such a way. John -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/3c8f53f8-09a2-4bd8-8fa8-1986efdafeb3%40googlegroups.com . For more options, visit https://groups.google.com/groups/opt_out. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/52CEBC6A.3070403%40cscs.ch. For more options, visit https://groups.google.com/groups/opt_out. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CACzr%3DFcMAcV6BN0ntV2K4ABPQgQco57-XJRyqdbcM7y571F_7A%40mail.gmail.com. For more options, visit https://groups.google.com/groups/opt_out.
Re: [Puppet Users] Single certificate, multiple nodes... or image-based systems
On 01/09/2014 10:12 AM, Pablo Fernandez wrote: I understand your point. I guess the SSL layer will render the request as illegitimate, but even if it doesn't, it may be playing with fire :) No, actually it doesn't verify certname against fqdn or any such, so technically you could bake in a single cert for an image. It's a bad idea because the Puppet master is supposed to know the state of a node, and it can't in that case (facts associated with the node like fqdn and ip and mac addresses will be constantly churning). I use Puppet on image-based systems. As part of the sysprep step (making the image generic for future spawning), I go and delete ssl certs from either /var/lib/puppet/ssl or the Windows equivalent. I make sure the agent is configured to hit the correct puppet master on first run, although I don't personally autosign. With 3.4's autosign hooks, you can presumably configured a shared key between your puppet master and baked images such that a node signals that it should be issued a certificate on provision. Jeff Thanks all for your thoughts, let me then present this as a generic question: did anybody try puppet on image-based systems? It would be wonderful to get some first-hand hints. Thanks again! BR/Pablo On 01/09/2014 04:05 PM, jcbollinger wrote: On Thursday, January 9, 2014 6:40:42 AM UTC-6, pablo.f...@cscs.ch wrote: Thanks for your suggestions, Running masterless is a bit too exotic, since we would like to use all those nice features that make a Puppet installation complete: specially hiera searches and PuppetDB. Modules, too, should be compatible with other clusters, so no big deviations can occur. Enabling auto-sign, as Jose Luis suggested, may be a possibility. I have just checked myself if autosign works if the same node was already registered in the CA... but according to the documentation it does not look like it, not to mention the security issues that come with it. Does the certificate name need to match the fqdn for puppet to allow connections? I'm not certain, but even if not, what you propose is dangerous. The master uses the certificate presented by the agent not just to authorize the agent, but also to /identify/ it. If all your nodes present the same certificate to the master, then they all claim to be the same machine, which is a lie. I don't foresee any specific failure scenarios associated with that, but it is unwise to mess with the system's underlying assumptions in such a way. John -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/3c8f53f8-09a2-4bd8-8fa8-1986efdafeb3%40googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/52CEBC6A.3070403%40cscs.ch. For more options, visit https://groups.google.com/groups/opt_out. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/52CF2955.2000306%40bericotechnologies.com. For more options, visit https://groups.google.com/groups/opt_out.
Re: [Puppet Users] Single certificate, multiple nodes... or image-based systems
On Thursday, January 9, 2014 7:40:42 AM UTC-5, pablo.f...@cscs.ch wrote: Thanks for your suggestions, Running masterless is a bit too exotic, since we would like to use all those nice features that make a Puppet installation complete: specially hiera searches and PuppetDB. Modules, too, should be compatible with other clusters, so no big deviations can occur. Enabling auto-sign, as Jose Luis suggested, may be a possibility. I have just checked myself if autosign works if the same node was already registered in the CA... but according to the documentation it does not look like it, not to mention the security issues that come with it. I have hundreds of systems built off a single image, and we use autosigning to do it. Puppet 3.4.0 introduced policy based autosigninghttp://docs.puppetlabs.com/puppet/3/reference/ssl_autosign.html#policy-based-autosigning. Our image has a file which contains extra information to add to the certificate signing request. One of these bits of information is a secret key. The puppet CA server then has a script which authorizes autosigning any requests which contain a valid secret key. -Patrick -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/8d87d9a3-5647-4a36-ad7e-a0d6fa66a8a2%40googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
Re: [Puppet Users] Single certificate, multiple nodes... or image-based systems
Maybe you could try something like this ? https://gist.github.com/ahpook/1182243 On 01/09/2014 10:42 AM, Pablo Fernandez wrote: Dear all, We are thinking about the possibility of using Puppet in an image-based cluster. The compute nodes would boot and load the whole image to a ramdisk, where r/w access is granted afterwards. Our idea is to have a sample compute node running puppet where to create the image from, and periodically extract a new image from it. Nodes that reboot, simply take that image, change the hostname and IP addresses, and little more (typical in image-based systems). The nice thing about this is that, since the source image is from a puppetized host, its clones will be as well! So changes in the puppet configuration will be applied immediately to the nodes. Does it sound right? I currently foresee a problem with the puppet node certificates: is it possible to use a generic certificate, to enable trust between puppet server and clients, but having each node a different fqdn and be treated by puppet as different hosts (including PuppetDB entries)? I saw different facts for each: ::clientcert and ::fqdn, that gave me hopes. Besides that, do you see any other problem with this type of deployment? Does anybody have experience with something similar? Thanks! BR/Pablo -- Johan De Wit Open Source Consultant Red Hat Certified Engineer (805008667232363) Puppet Certified Professional 2013 (PCP006) _ Open-Future Phone +32 (0)2/255 70 70 Zavelstraat 72 Fax +32 (0)2/255 70 71 3071 KORTENBERG Mobile+32 (0)474/42 40 73 BELGIUM http://www.open-future.be _ Next Events: Puppet Fundamentals Training | http://www.open-future.be/puppet-fundamentals-training-4-till-6th-february Puppet Intruction Course | http://www.open-future.be/puppet-introduction-course-7th-february Zabbix Certified Training | http://www.open-future.be/zabbix-certified-training-10-till-12th-february Zabbix for Large Environments Training | http://www.open-future.be/zabbix-large-environments-training-13-till-14th-february Subscribe to our newsletter | http://eepurl.com/BUG8H -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/52CFA7EA.7010900%40open-future.be. For more options, visit https://groups.google.com/groups/opt_out.