On Jun 1, 2010, at 1:28 AM, julien wrote:

> Thanks for your quick answers.
> 
> You got the point, when the servers reboot they get back to their
> original state.
> 
> I will try to integrate a certificate in the image. The servers are
> not meant to restart very often but when they do, they would need to
> be updated by puppet right away.
> I guess puppet won't let me do this because the hostname will change
> and I think it's tied to the certificate.
> 
> Perhaps the principle of disk images at boot time is not very
> compatible with puppet "spirit". After all I could configure the image
> correctly and just deploy it. But I would like to use puppet to
> "enforce" my configuration principles in case of human errors, bugs,
> etc...

You say you want puppet to "just work" when you restart.  There are two real 
options:
A) Put the certificate in the image.
B) Set up auto-sign

*) Technically you could also launch a script from the client computer that 
executes puppetca on the server, but that's like "B" but even worse.

A gives you less flexibility because every client has the same name, but more 
security because only computers with access to the PXE server can get the 
certificate.

B gives you more flexibility because you can tell the computers apart because 
each has a different cert name, but now any computer that can connect to the 
puppet master can impersonate a client.


If you pick A, anyone with access to the PXE server and the puppetmaster can 
impersonate any client and get all the client's configuration that's pushed 
with puppet.

If you pick B, anyone with access to the puppetmaster can impersonate any 
client and get all the client's configuration that's pushed with puppet.

Ask yourself:
*) Do you trust the clients?
*) Do you trust the network they are on?
*) What information does the puppetmaster give out, and does it matter if other 
computers on the local network get it?




> 
> On May 31, 10:34 pm, Matt Juszczak <m...@atopia.net> wrote:
>>> These servers only exist in RAM, so when they shutdown, all data is
>>> lost.  Julien also said that there's over a hundred of them.  If you are
>>> manually signing every time they reboot, you probably won't be diligent
>>> enough to catch an impostor that can use the PXE server.  At that point,
>>> you might as well just put the cert in the PXE image.  I don't like my
>>> solution, but I think it's better than manual signing unless you have
>>> persistent storage on the puppet clients.
>> 
>> Ah, I missed the dynamic part.  I agree, manually signing hundreds of
>> servers would be annoying.  Unless you scripted it and had it email you
>> when it signed a cert... at least you'd have some sort of trail.  If you
>> get an email at 2 AM in the morning that a new server cert was signed...
>> well, that may not be a good thing :)
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Puppet Users" group.
> To post to this group, send email to puppet-us...@googlegroups.com.
> To unsubscribe from this group, send email to 
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at 
> http://groups.google.com/group/puppet-users?hl=en.
> 
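
A middle ground between option B and manual signing, combining the scripted signing and audit trail suggested earlier in the thread; this is an added example, not code from any poster or from Puppet. It assumes pending certnames arrive one per line on stdin (for example from `puppetca --list`), and the naming pattern, log path and dry-run default are hypothetical. A name check does not authenticate the requester; it only narrows what gets signed and records every decision.

```shell
#!/bin/sh
# Added example: gated certificate signing with an audit trail.
# Assumptions (not from the thread): certnames arrive one per line on stdin,
# ALLOW_PATTERN and AUDIT_LOG are hypothetical site values.

ALLOW_PATTERN='^node[0-9][0-9][0-9]\.cluster\.example\.com$'   # hypothetical naming scheme
AUDIT_LOG="${AUDIT_LOG:-/tmp/puppet-sign-audit.log}"            # hypothetical log path
SIGN_CMD="${SIGN_CMD:-echo DRY-RUN puppetca --sign}"            # dry run unless overridden

# decide NAME: print "sign" if NAME matches the expected scheme, else "reject".
# The pattern is anchored at both ends so a suffix or prefix cannot sneak through.
decide() {
    if printf '%s\n' "$1" | grep -Eq "$ALLOW_PATTERN"; then
        echo sign
    else
        echo reject
    fi
}

# process_pending: read certnames on stdin, sign the allowed ones and append
# one timestamped line per decision to AUDIT_LOG.
# Prints the number of rejected requests so the caller can alert on it.
process_pending() {
    rejected=0
    while IFS= read -r name; do
        [ -n "$name" ] || continue          # skip blank lines
        verdict=$(decide "$name")
        printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$verdict" "$name" >> "$AUDIT_LOG"
        if [ "$verdict" = sign ]; then
            # stdin is detached so the signer cannot eat the remaining names
            $SIGN_CMD "$name" </dev/null >/dev/null
        else
            rejected=$((rejected + 1))
        fi
    done
    echo "$rejected"
}
```

A non-zero count from `process_pending` is the event worth mailing to an administrator, since it means a request arrived that does not fit the expected naming scheme.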
