On May 31, 2010, at 1:20 PM, Matt Juszczak wrote:

>> You should just be able to get the certificate signed on one of them and
>> then put the whole /var/lib/puppet directory in the image. Remember that
>> with this method, any computer that can access the PXE server can pretend to
>> be one of those servers to the puppetmaster.
>>
>> It'll also be annoying to set different configurations on those servers
>> because they have the same cert name. I don't know if this is a problem.
>
> Why not just not launch puppet in the PXE image, but add it to /etc/rc.conf
> and/or /sbin/chkconfig, so when the PXE image servers boot for the first
> time, they'll generate a certificate request and you can just sign it on the
> puppetmaster?
>
> I would keep individual certificate signing as a manual process - it's your
> final checkpoint to make sure the server really is who you think it is :)
These servers only exist in RAM, so when they shut down, all data is lost. Julien also said that there's over a hundred of them. If you are manually signing every time they reboot, you probably won't be diligent enough to catch an impostor that can use the PXE server. At that point, you might as well just put the cert in the PXE image.

I don't like my solution, but I think it's better than manual signing unless you have persistent storage on the puppet clients.