Absolutely. Here is my startup script that sets the hostname of the computer
each time it starts up:

#!/bin/sh
# Read the hardware serial number once (system_profiler is slow), lower-case
# it, and apply it to all three SystemConfiguration names. The label is
# "Serial Number:" on older releases and "Serial Number (system):" on newer
# ones, so match on "Serial Number" only and take the text after the colon.
SERIAL=`system_profiler SPHardwareDataType | grep "Serial Number" | cut -d':' -f2 | tr -d ' ' | tr "[:upper:]" "[:lower:]"`
[ -n "$SERIAL" ] || { echo "could not read serial number" >&2; exit 1; }
scutil --set HostName "$SERIAL"
scutil --set ComputerName "$SERIAL"
scutil --set LocalHostName "$SERIAL"

-kurt

On Fri, Jul 10, 2009 at 7:55 AM, Nigel Kersten <nig...@google.com> wrote:

>
> > On Fri, Jul 10, 2009 at 7:32 AM, Kurt Engle <kurt.en...@gmail.com> wrote:
> > > This is fantastic. I think something like this will be very useful in
> > > managing a large number of Macintosh clients. It is certainly the help and
> > > outcome that I was looking for when I started this thread. A big "Thank You"
> > > to Allan and everyone else that contributed.
> >
> > > I took a little different but similar approach. I may adapt my approach to
> > > mimic Allan's as time permits. But... here is what I came up with.
> >
> > > 1) A launchd job to run puppet every hour passing the $HOSTNAME as a
> > > certname arg.
> > > 2) If the machine is re-imaged at any time, a startup job is installed that
> > > uses ssh to contact the puppetmaster and delete the cert that corresponds to
> > > the machine's $HOSTNAME. Then the startup job deletes itself. So the job is
> > > only run once on a newly imaged machine.
> >
> > i) The machine's hostname is its serial number as determined by facter.
>
> This is somewhat off-topic, but you shouldn't override $HOSTNAME on OS X.
>
> You should instead set ComputerName/LocalHostName in SystemConfiguration,
> ie
>
> scutil --set ComputerName foo
> scutil --set LocalHostName foo
> scutil --get ComputerName
> scutil --get LocalHostName
>
> etc.
>
>
>
> >
> > -kurt
> >
> > On Thu, Jul 9, 2009 at 6:12 PM, Allan Marcus <al...@lanl.gov> wrote:
> >>
> >> Putting it all together, here's what I have for cert management on Macs.
> >>
> >> 1) A launchd job to launch puppet every hour
> >> 2) a script on the client to determine a unique attribute of the Mac
> >> and use it for cert name
> >> 3) a CGI on the server to clean a cert if the machine was re-imaged
> >> 3a) note: alter /etc/sudoers on the server to allow the cgi to run
> >> puppetca
> >>
> >> Testing is rather easy. Run the puppetd.sh script on the client (as
> >> root). Delete the /etc/puppet/ssl dir then run again. The system
> >> should clean the cert on the server
> >>
> >>
> >>
> >> (1) This plist file should be in /Library/LaunchDaemons/
> >> <?xml version="1.0" encoding="UTF-8"?>
> >> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
> >> <plist version="1.0">
> >> <dict>
> >>        <key>Label</key>
> >>        <string>com.mycompany.puppetd</string>
> >>        <key>ProgramArguments</key>
> >>        <array>
> >>                <string>/usr/bin/puppetd.sh</string>
> >>        </array>
> >>        <key>QueueDirectories</key>
> >>        <array/>
> >>        <key>StartInterval</key>
> >>        <integer>3600</integer>
> >>        <key>WatchPaths</key>
> >>        <array/>
> >> </dict>
> >> </plist>
> >>
> >>
> >> (2) /usr/bin/puppetd.sh and chmod 700 and chown root:wheel
> >> #!/bin/sh
> >> # puppetd.sh script
> >> # Script to run puppet and use the "correct" certname
> >> # we need the certname to be unique, so hostname is not great
> >>
> >> # by Allan Marcus of LANL
> >>
> >> # Version History
> >> # 2009-07-08: initial version
> >>
> >> # this script is run from a launchd job
> >>
> >> # this suffix is added to the value to make it look like a FQDN.
> >> # This allows for autosign to work on the server with a simple wildcard
> >> SUFFIX=mycompany.com
> >>
> >> # this is the server to send a puppetca clean to
> >> SERVER=www.mycompany.com
> >>
> >>
> >> # ---------------
> >>
> >> # see if the MAC_UID is in nvram already
> >> MAC_UID=`nvram MAC_UID 2>/dev/null | awk '{print $2}'`
> >> if [ -z "$MAC_UID" ]; then
> >>        # flag that nothing is in nvram yet
> >>        NVRAM="no"
> >> fi
> >>
> >> # get the serial number for this Mac
> >> if [ -z "$MAC_UID" ]; then
> >>        MAC_UID=`facter | grep sp_serial_number | awk '{print $3}'`
> >> fi
> >>
> >> # if the MAC_UID is still null
> >> # get the primary MAC address
> >> if [ -z "$MAC_UID" ]; then
> >>        MAC_UID=`facter | grep 'macaddress =>' | awk '{print $3}'`
> >> fi
> >>
> >> # if all the above fails, get the hostname
> >> if [ -z "$MAC_UID" ]; then
> >>        MAC_UID=`hostname`
> >> fi
> >>
> >> # assuming we have something, write it to nvram
> >> # getting it from nvram is much faster and is limited to this
> >> # specific computer
> >> # double quotes, so the variable is actually expanded before the test
> >> if [ "$NVRAM" = "no" ]; then
> >>        # cert names must be lowercase
> >>        MAC_UID=`echo $MAC_UID | tr "[:upper:]" "[:lower:]"`
> >>        MAC_UID=${MAC_UID}.${SUFFIX}
> >>        nvram MAC_UID=${MAC_UID}
> >> fi
> >>
> >> RESULTS=`puppetd -o --no-daemonize -v --certname=$MAC_UID 2>&1`
> >> RESULTS=`echo "$RESULTS" | grep 'Certificate request does not match existing certificate'`
> >>
> >> if [ -z "$RESULTS" ]; then
> >>        exit 0
> >> else
> >>         # curl call to a CGI to clean the cert
> >>        curl "http://${SERVER}/cgi-bin/cleanCert.rb?certname=${MAC_UID}"
> >> fi
> >>
> >> ### end puppetd.sh script ####
> >>
> >> (3) On the server in the CGI directory. On a Mac server you also need
> >> to allow CGI's in server admin.
> >> #!/usr/bin/ruby
> >>
> >> # cleanCert.rb
> >> # cgi to clean a cert
> >>
> >> class Puppetca
> >>        # removes old certificate if it exists
> >>        # parameter is the certname to use
> >>        # need to allow the _www user to use sudo with the puppetca command
> >>        # added using visudo
> >>        # _www    ALL = NOPASSWD: /usr/bin/puppetca, !/usr/bin/puppetca --clean --all
> >>        def self.clean certname, addr
> >>                command = "/usr/bin/sudo /usr/bin/puppetca --clean #{certname}"
> >>                # for some reason the "system" command causes Mac apache to
> >>                # crash when used here
> >>                %x{#{command}}
> >>                # no quotes inside %x{}: quoting the whole string would make
> >>                # the shell look for a single command named "logger ... "
> >>                %x{logger #{addr} cleaned #{certname}}
> >>                return true
> >>        end
> >> end
> >>
> >> =begin
> >> CGI starts here
> >> =end
> >>
> >> # get the value of the passed param in the URL Query_string
> >> require 'cgi'
> >> cgi=CGI.new
> >> certname = cgi["certname"]
> >>
> >> # define the characters that are allowed to avoid an injection attack
> >> # 0-9, a-z, period, dash, and colon are allowed. All else is not.
> >> # The name must also be non-empty and must not start with a dash, so that
> >> # it can never be parsed by puppetca as an option (e.g. "--all")
> >> pattern = /\A[a-z0-9][a-z0-9.\-:]*\z/
> >> # determine if the certname is acceptable
> >> reject = (certname =~ pattern) ? 0 : 1
> >>
> >> if ((reject == 0) && Puppetca.clean(certname, ENV['REMOTE_ADDR']))
> >>        cgi.out("status" => "OK", "connection" => "close") {"OK #{certname} cleaned\n"}
> >> else
> >>        cgi.out("status" => "BAD_REQUEST", "connection" => "close") {"Not Processed: #{certname}\n"}
> >> end
> >>
> >>
>
> --
> Nigel Kersten
> nig...@google.com
> System Administrator
> Google, Inc.
>

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
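The cleanCert.rb CGI quoted above accepts a plain GET with a certname and nothing else, so anyone who can reach the web server can revoke any client's certificate, and its deny-list regex lets a certname such as "--all" through (dashes and letters are allowed), leaving only the sudoers "!" entry to stop it; the sudoers manual itself warns that subtracting commands with "!" is not reliable, since the same binary with the arguments in a different order still matches the unrestricted rule. The following is an added example, written for this page and not Allan's code or part of the original thread, of how the request handling could be hardened: an allow-list regex that cannot start with a dash, a per-request HMAC token over the certname (the shared secret, the "token" parameter name and the injected command runner are assumptions, not from the page), a constant-time token comparison, and the sudo/puppetca command built as an argv array so no shell ever parses the certname.

```ruby
#!/usr/bin/ruby
# Added example (not from the original thread): hardened handling for a
# "clean this cert" request, in the style of the quoted cleanCert.rb CGI.
# Assumptions (not from the page): the client sends ?certname=...&token=...,
# where token = HMAC-SHA256(shared_secret, certname) and the secret is a
# root-readable file deployed to both sides. The command runner is injected
# so the logic can be exercised without sudo or puppetca installed.
require 'openssl'

PUPPETCA = '/usr/bin/puppetca'   # same path as the quoted CGI
SUDO     = '/usr/bin/sudo'

# Allow-list, not deny-list: lowercase letters, digits, '.', '-' and ':'
# (':' keeps the MAC-address fallback name valid). The first character must
# be a letter or digit so the value can never be parsed by puppetca as an
# option such as "--all", and the total length is capped at a DNS-name-sized
# 253 bytes.
CERTNAME_RE = /\A[a-z0-9][a-z0-9.\-:]{0,252}\z/

def valid_certname?(name)
  name.is_a?(String) && !!(name =~ CERTNAME_RE)
end

# Client side: the token the client appends to its clean request.
def sign_certname(certname, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), secret, certname)
end

# Constant-time comparison so the token check does not leak how many
# leading hex digits of a guess were correct.
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# argv for the clean command. The array form of Kernel#system passes each
# element as a separate argument and never invokes a shell, so metacharacters
# in certname cannot be interpreted even if validation were bypassed.
# Callers must validate first; this raises if they did not.
def clean_argv(certname)
  raise ArgumentError, 'invalid certname' unless valid_certname?(certname)
  [SUDO, PUPPETCA, '--clean', certname]
end

# Default runner: execute argv without a shell and report success.
DEFAULT_RUNNER = lambda { |argv| system(*argv) == true }

# Returns [status, body] for the CGI layer. Order matters: reject malformed
# input before the secret is touched, then authenticate, then act.
def handle_clean_request(params, secret, runner = DEFAULT_RUNNER)
  certname = params['certname']
  token    = params['token']
  return ['BAD_REQUEST', "Not Processed\n"] unless valid_certname?(certname)
  unless secure_equal?(token, sign_certname(certname, secret))
    return ['FORBIDDEN', "Not Processed: #{certname}\n"]
  end
  if runner.call(clean_argv(certname))
    ['OK', "OK #{certname} cleaned\n"]
  else
    ['INTERNAL_SERVER_ERROR', "Clean failed: #{certname}\n"]
  end
end

if __FILE__ == $0
  # Constructed sample requests; the dry-run runner only reports argv.
  secret = 'example-shared-secret'
  dry = lambda { |argv| puts "would run: #{argv.inspect}"; true }
  ['c02abc123.mycompany.com', '--all', 'abc;id', 'C02ABC123.MYCOMPANY.COM'].each do |name|
    params = { 'certname' => name, 'token' => sign_certname(name, secret) }
    puts "#{name.inspect} => #{handle_clean_request(params, secret, dry).inspect}"
  end
end
```

With this shape the sudoers entry can drop the "!" negation entirely and allow exactly one command pattern, because the only argument vector that ever reaches sudo is the one clean_argv builds; the token additionally means a client can only revoke the name it can sign for, and a request without the secret is refused before puppetca is touched.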
