ug, can't type. I tried to say that I am _now_ thinking of using the fqdn name switch, but as I look into it more, I think the --certname switch will work.
here's my plan: I will have a launchd job run a script every hour. The script will simply do something like this (this is logical, so ignore syntax):

    #!/bin/sh
    # Serial number first; fall back to the MAC address if facter has no serial.
    MAC_UID=$(facter | awk '$1 == "sp_serial_number" { print $3 }')
    if [ -z "$MAC_UID" ]; then
        MAC_UID=$(facter | awk '$1 == "macaddress" { print $3 }')
    fi
    if [ -z "$MAC_UID" ]; then
        # ug, not sure
        echo "no serial number or MAC address found" >&2
        exit 1
    fi
    MAC_UID="$(printf '%s' "$MAC_UID" | tr 'A-Z' 'a-z').lanl.gov"
    puppetd -o --certname="$MAC_UID"

I'll probably write the MAC_UID to nvram as a cache for speed. I figure this should be pretty unique. As machines start to report in I will see those with MAC addresses as host IDs, and I can send a tech out to fix the machine by burning in the correct serial number.

As for cleaning the certs from the server after a machine rebuild, I'm going to use the idea presented earlier for a web CGI and give apache sudo rights to puppetca. We already have an in-house program we use to secure and configure the Mac, so I will add a menu item to that to "Clean the Puppet Certificate".

This plan will probably only work on Mac, but for now, that is my scope. Once we start running on linux and solaris I will need to revisit this issue. Hopefully there is a FACT for serial number for those OSs too.

Even though I didn't start this discussion, I thank all those that contributed to this discussion. I know there were a lot of posts about it, so if you didn't care, sorry.

---
Thanks,

Allan Marcus
505-667-5666

On Jul 8, 2009, at 6:04 PM, Allan Marcus wrote:

>
> Sorry, i didn't mean the db for store configs. My issue with using FQDN
> is for machines that use dhcp and might not have the same host name,
> and when building a machine behind a router, in which case more than
> one machine might have the same host name.
>
> I'm not thinking of using the --fqdn switch (if I cannot use a fact in
> the certname directive of puppet.conf) to uniquely ID a machine. Still
> have the issue of cleaning the cert on server though.
>
> ---
> Thanks,
>
> Allan Marcus
> 505-667-5666
>
>
> On Jul 8, 2009, at 5:54 PM, Allan Marcus wrote:
>
>> the more I think about it, the more I am convinced that using the
>> Mac's serial number is the least worst option for cert name. There is
>> still the issue of the machine being reimaged that would require the
>> cert to be cleaned on the server, but using the serial number would
>> allow the host name to change and not screw up the store config DB.
>>
>> ---
>> Thanks,
>>
>> Allan Marcus
>> 505-667-5666
>>
>>
>> On Jul 8, 2009, at 2:18 PM, Kurt Engle wrote:
>>
>>> So are you wanting the cert cleaning and creation to happen
>>> every time a client contacts the puppetmaster?
>>>
>>> What I am looking for is a script that will run on a newly imaged
>>> client that runs at bootup before the puppetd process is started.
>>> That script would delete any cert on the puppetmaster and then the
>>> script would delete itself on the client. The issue that I am having
>>> is with clients that have been using puppet but are then 're-imaged'.
>>> Once a device is running puppet, it works fine unless it is re-imaged.
>>>
>>> This seems like a more elegant solution in my environment than
>>> trying to do this on the puppet server side of things. Besides,
>>> doesn't the client need to use its cert to talk to the server in the
>>> first place? If that cert is 'bad' then how would it talk to the
>>> puppetmaster server and have the server delete its bad key?
>>>
>>> Now, anybody have any good resources for writing startup scripts on
>>> a Mac client? I seem to be having problems getting a script that
>>> runs fine on the command line to work at startup.
>>>
>>> -kurt
>>>
>>> On Fri, Jul 3, 2009 at 6:12 AM, Gary Larizza <glari...@mac.com> wrote:
>>>
>>> I love where this thread is going, I too share in this problem.
>>>
>>> Kurt: Puppet is still being run on the client because the client is
>>> using a cached config (am I right on this guys?).
>>>
>>> I love the scripted ssh key, but ALSO love the PHP script that could
>>> be CURL-ed from the client. Will a PHP script be able to capture the
>>> hostname of a connecting client? From there, the php script could
>>> call puppetca to clean the cert and create a new one...would this be
>>> cleaner than bundling a cert with your base-image? Unfortunately, I'm
>>> not that versed in PHP to hash a script out from scratch. Does anyone
>>> have a rough outline that we could steal?
>>>
>>> -Gary

You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
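Allan's serial-number-then-MAC certname plan, as an added example that is not code from the thread: the derivation is pulled into a function that takes facter's output as text (so it runs offline on the constructed samples below) and refuses any value containing characters other than letters, digits and colons before it reaches the puppetd command line. Mapping colons to hyphens and the lanl.gov domain are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Derive the Puppet certname the way Allan's
# plan does: serial number first, MAC address as fallback, lowercased, plus a domain.
# facter output is passed in as text so this runs offline; the samples are constructed.

SAMPLE_FACTS_WITH_SERIAL='hostname => imac-lab-12
macaddress => 00:1B:63:AA:BB:CC
sp_serial_number => W8912ABC1XYZ
operatingsystem => Darwin'

SAMPLE_FACTS_NO_SERIAL='hostname => imac-lab-13
macaddress => 00:1B:63:DD:EE:FF
operatingsystem => Darwin'

# Print the value of one "name => value" fact from facter's text output.
fact_value() {
    printf '%s\n' "$2" | awk -v name="$1" '$1 == name && $2 == "=>" { print $3; exit }'
}

# derive_certname DOMAIN FACTS: print the certname, or print nothing and
# return 1 when neither sp_serial_number nor macaddress is present or usable.
derive_certname() {
    domain="$1"
    id=$(fact_value sp_serial_number "$2")
    [ -z "$id" ] && id=$(fact_value macaddress "$2")
    [ -z "$id" ] && return 1
    # Refuse anything but letters, digits and colons: the value is read off the
    # machine and ends up on a command line and in a certificate subject.
    case "$id" in
        *[!A-Za-z0-9:]*) return 1 ;;
    esac
    # Assumption: colons in a MAC address become hyphens so the name is DNS-like.
    printf '%s.%s\n' "$(printf '%s' "$id" | tr 'A-Z:' 'a-z-')" "$domain"
}

# Demonstration on the constructed samples; a real run would pass "$(facter)".
for facts in "$SAMPLE_FACTS_WITH_SERIAL" "$SAMPLE_FACTS_NO_SERIAL"; do
    if certname=$(derive_certname lanl.gov "$facts"); then
        echo "would run: puppetd -o --certname=$certname"
    else
        echo "no usable serial number or MAC address; not running puppetd" >&2
    fi
done
```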