Allan, thanks for all your help and suggestions with Mac scripts. I am getting closer to the configuration that I want. Thanks for the 'lingon' suggestion, makes life easier.
I would like to force puppetd into using the hostname of the client device when requesting a cert from the puppetmaster. Is there a puppet.conf declaration that will grab the $HOSTNAME variable and use it within puppet.conf? Or is there another way to make this happen? I tried specifying it on the command line: puppetd --certname=$HOSTNAME, but puppetd complained bitterly.

Thanks,
-kurt

On Wed, Jul 8, 2009 at 6:28 PM, Allan Marcus <al...@lanl.gov> wrote:
>
> ug, can't type.
>
> I tried to say that I am _now_ thinking of using the fqdn name switch,
> but as I look into it more, I think the --certname switch will work.
>
> here's my plan: I will have a launchd job run a script every hour. The
> script will simply do something like this (this is logical, so ignore
> syntax):
>
> MAC_UID=`facter | grep sp_serial_number | awk '{print $3}'`
> if MAC_UID = '' then
> MAC_UID = `facter | grep 'macaddress =>' | awk '{print $3}'`
> end if
> if MAC_UID = '' then
> # ug, not sure
> end if
> MAC_UID = lowercase(MAC_UID) + '.lanl.gov'
> puppetd -o --certname=${MAC_UID}
>
> I'll probably write the MAC_UID to nvram as a cache for speed.
>
>
> I figure this should be pretty unique. As machines start to report in
> I will see those with MAC addresses as host IDs, and I can send a tech
> out to fix the machine by burning in the correct serial number.
>
> As for cleaning the certs from the server after a machine rebuild, I'm
> going to use the idea presented earlier for a web CGI and give
> apache sudo rights to puppetca. We already have an in-house program we
> use to secure and configure the Mac, so I will add a menu item to that
> to "Clean the Puppet Certificate".
>
> This plan will probably only work on Mac, but for now, that is my
> scope. Once we start running on linux and solaris I will need to
> revisit this issue. Hopefully there is a FACT for serial number for
> those OSs too.
>
> Even though I didn't start this discussion, I thank all those that
> contributed to this discussion. I know there were a lot of posts about
> it, so if you didn't care, sorry.
>
>
> ---
> Thanks,
>
> Allan Marcus
> 505-667-5666
>
>
>
> On Jul 8, 2009, at 6:04 PM, Allan Marcus wrote:
>
> >
> > Sorry, I didn't mean the db for store configs. My issue with using FQDN
> > is for machines that use dhcp and might not have the same host name,
> > and when building a machine behind a router, in which case more than
> > one machine might have the same host name.
> >
> > I'm not thinking of using the --fqdn switch (if I cannot use a fact in
> > the certname directive of puppet.conf) to uniquely ID a machine. Still
> > have the issue of cleaning the cert on the server though.
> >
> > ---
> > Thanks,
> >
> > Allan Marcus
> > 505-667-5666
> >
> >
> >
> > On Jul 8, 2009, at 5:54 PM, Allan Marcus wrote:
> >
> >> the more I think about it, the more I am convinced that using the
> >> Mac's serial number is the least worst option for cert name. There is
> >> still the issue of the machine being reimaged that would require the
> >> cert to be cleaned on the server, but using the serial number would
> >> allow the host name to change and not screw up the store config DB.
> >>
> >> ---
> >> Thanks,
> >>
> >> Allan Marcus
> >> 505-667-5666
> >>
> >>
> >>
> >> On Jul 8, 2009, at 2:18 PM, Kurt Engle wrote:
> >>
> >>> So are you wanting the cert cleaning and creation to happen
> >>> every time a client contacts the puppetmaster?
> >>>
> >>> What I am looking for is a script that will run on a newly imaged
> >>> client that runs at bootup before the puppetd process is started.
> >>> That script would delete any cert on the puppetmaster and then the
> >>> script would delete itself on the client. The issue that I am having
> >>> is with clients that have been using puppet but are then 're-imaged'.
> >>> Once a device is running puppet, it works fine unless it is
> >>> re-imaged.
> >>>
> >>> This seems like a more elegant solution in my environment than
> >>> trying to do this on the puppet server side of things. Besides,
> >>> doesn't the client need to use its cert to talk to the server in the
> >>> first place? If that cert is 'bad' then how would it talk to the
> >>> puppetmaster server and have the server delete its bad key?
> >>>
> >>> Now, anybody have any good resources for writing startup scripts on
> >>> a Mac client? I seem to be having problems getting a script that
> >>> runs fine on the command line to work at startup.
> >>>
> >>> -kurt
> >>>
> >>> On Fri, Jul 3, 2009 at 6:12 AM, Gary Larizza <glari...@mac.com>
> >>> wrote:
> >>>
> >>> I love where this thread is going, I too share in this problem.
> >>>
> >>> Kurt: Puppet is still being run on the client because the client is
> >>> using a cached config (am I right on this guys?).
> >>>
> >>> I love the scripted ssh key, but ALSO love the PHP script that could
> >>> be CURL-ed from the client. Will a PHP script be able to capture the
> >>> hostname of a connecting client? From there, the php script could
> >>> call puppetca to clean the cert and create a new one...would this be
> >>> cleaner than bundling a cert with your base-image? Unfortunately, I'm
> >>> not that versed in PHP to hash a script out from scratch. Does anyone
> >>> have a rough outline that we could steal?
> >>>
> >>> -Gary
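An added example, not code from anyone in the thread: the serial-number-or-MAC certname scheme Allan sketched above, written as POSIX shell so a launchd job could run it. The fact names and the lanl.gov domain come from his plan; replacing the colons of a MAC address with dashes is my assumption, and the facter output is constructed inline so the script runs without facter installed.

```shell
#!/bin/sh
# Added example (not from the thread): build a stable puppetd certname from
# facter output, preferring the Mac serial number and falling back to the MAC.

# derive_certname FACTER_OUTPUT DOMAIN
# Prints "<id>.<domain>"; returns 1 and prints nothing when no usable id is
# found, so the caller never registers an empty or accidental certname.
derive_certname() {
    facts=$1
    domain=$2
    # facter prints one "name => value" per line; awk field 3 is the value
    id=$(printf '%s\n' "$facts" | awk '$1 == "sp_serial_number" { print $3; exit }')
    if [ -z "$id" ]; then
        id=$(printf '%s\n' "$facts" | awk '$1 == "macaddress" { print $3; exit }')
    fi
    [ -n "$id" ] || return 1
    # Cert names are DNS-style: lowercase, and the colons of a MAC become
    # dashes (assumption; the plan above used the raw MAC)
    id=$(printf '%s' "$id" | tr 'A-Z' 'a-z' | tr ':' '-')
    printf '%s.%s\n' "$id" "$domain"
}

# Constructed facter output covering the three branches of the plan
FACTS_SERIAL='macaddress => 00:1B:63:84:45:E6
sp_serial_number => W87234ABCDE
hostname => imac-lab-01'
FACTS_MAC_ONLY='macaddress => 00:1B:63:84:45:E6
hostname => imac-lab-01'
FACTS_NONE='hostname => imac-lab-01'

# What the hourly job would run on a real client (kept as a comment so the
# example stays runnable without facter or puppetd installed):
#   CERTNAME=$(derive_certname "$(facter)" lanl.gov) && puppetd -o --certname="$CERTNAME"
```

Because the function fails instead of printing an empty name, the `&&` in the commented invocation means puppetd is simply not started on a machine where neither fact is available, which is the "ug, not sure" branch of the plan.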