On 04/23/2010 10:07 AM, Phillip B Oldham wrote:
> So, am I correct in thinking then that the following workflow *can't*
> be done with puppet?
>
> 1) The EC2 instance starts up, and the puppet client on the instance
> connects to the puppet master.
> 2) The puppet client receives the EC2 authentication credentials (env
> vars, certs, etc) from the master.
> 3) The master tells the client which EBS volumes to attach at which
> mount points.
> 4) The client uses the authentication credentials to execute the EC2
> commands to attach the volumes.
> 5) The client then removes the EC2 creds (unset env vars, rm certs,
> etc) for security.

I didn't closely follow the thread, but I see no reason why not:

1)
1.1) you upload an image with the info to connect your instances to your master
1.2) master gets an autosigned entry for every instance you fire up

2)
2.1) your modules contain a fact to decide whether your volume is set up correctly or not
2.2) if it is not set up correctly it includes a class to set up the volume
2.3) the master provides within that class the credentials (i.e. via extlookup)

3)
3.1) the master provides that info within the previously outlined class

4)
4.1) the client applies the included class which does that.

5)
5.1) additionally you would include a class which cleans up everything _after_ the setup, this means that:
5.2) if the fact tells you to apply the "settingup"-class this cleanup class would require the "settingup"-class
5.3) for security reasons if the fact says that everything is set up you include only the "cleanup" class, so that you are sure that you won't have any leftovers around.

It's quite straightforward. What are the tricks?

* write a custom fact to signal whether the volume is correctly set up or not
* write 2 classes, where one sets things up and the other one does the cleanup
* depend the cleanup stuff on the setup class _if_ the fact is set to setup

Sounds feasible, no?

cheers
pete

PS: I assume there are also other ways, would be interesting to hear how other people solve that problem.
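
The setup/cleanup pattern described in the reply above, as an added example that is not part of the original message. It assumes a Puppet release that has both extlookup() and chaining arrows, and a custom fact (here called ebs_volume_ready) that reports "true" once the volume is attached and mounted; the class names, paths, extlookup keys and wrapper script are hypothetical.

```puppet
# Added sketch, not from the thread. Hypothetical names: the ebs::* classes,
# the ebs_volume_ready fact, the extlookup keys, /root/.ec2 and the wrapper.
class ebs::settingup {
  # Credentials are resolved on the master and shipped inside the catalog.
  $ec2_private_key = extlookup('ec2_private_key')
  $ec2_cert        = extlookup('ec2_cert')

  file { '/root/.ec2':
    ensure => directory,
    owner  => 'root',
    mode   => '0700',
  }

  file { '/root/.ec2/pk.pem':
    content => $ec2_private_key,
    owner   => 'root',
    mode    => '0600',
    require => File['/root/.ec2'],
  }

  file { '/root/.ec2/cert.pem':
    content => $ec2_cert,
    owner   => 'root',
    mode    => '0600',
    require => File['/root/.ec2'],
  }

  # Hypothetical wrapper that attaches and mounts the volume using the files above.
  exec { 'attach-ebs-volume':
    command => '/usr/local/sbin/attach-ebs-volume',
    require => [ File['/root/.ec2/pk.pem'], File['/root/.ec2/cert.pem'] ],
  }
}

class ebs::cleanup {
  # An exec rather than file { ensure => absent }: the same file resources are
  # already declared in ebs::settingup and cannot be declared twice.
  exec { 'remove-ec2-creds':
    command => '/bin/rm -rf /root/.ec2',
    onlyif  => '/usr/bin/test -e /root/.ec2',
  }
}

# Node-level logic: always clean up; set up first only when the fact says so.
include ebs::cleanup
if $ebs_volume_ready != 'true' {
  include ebs::settingup
  Class['ebs::settingup'] -> Class['ebs::cleanup']
}
```

If attach-ebs-volume fails, the dependency makes Puppet skip remove-ec2-creds for that run, so the credential files stay on disk until a later run succeeds. The agent also keeps a cached copy of the last catalog it received, which in the setting-up run includes the file contents.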