How sensitive is the information you're pushing out?

If it's not sensitive, I would list all valid hosts in autosign.conf and blow the certs away with an hourly cron job on the server. It seems silly, but it shouldn't add *too* much overhead in general.

If your puppet server is also your tftp server, you could spawn a puppetca --clean <hostname> from the tftp logs, but you have a potential race condition in that case.

If they are all *truly* identical from a Puppet point of view, you could have an extremely long list of alternate DNS names in your pre-generated Puppet client cert and just use the same cert for everyone. I'm not sure what the limits are on this as I've never tried it for more than a dozen or so hostnames.

Trevor

On 06/01/2010 08:10 PM, Patrick wrote:
> At this point you either need to:
> *) Do something pretty complicated so the server gives different mounts to
> each computer, or
> *) Give every machine access to all the other machines' certificates, and
> store all the credentials for the NFS server in the PXE server where anyone
> can get them.
>
> I have no idea how to do the first, and the second doesn't sound very good to
> me. Also, you need to trust the local network anyway. After all, anyone on
> that network can impersonate the DHCP and PXE server to hijack a PXE client.
>
> On Jun 1, 2010, at 7:47 AM, Michael Dodwell wrote:
>
>> You say when an image is shut down it reverts back to its original
>> state, but does that image/machine ever get reused?
>>
>> My point being if you're going to reuse machines keeping individual
>> certificates could be useful. To enable this you could just nfs mount
>> a share that new certificates could be created in, and 'old'
>> certificates could be loaded from. You should just have to mount
>> /var/lib/puppet/ssl/ and after creating the required sub-directories new
>> machines will auto generate certificates and reused machines would use
>> existing certificates. That way you should have some control over
>> signing.
>>
>> --MD
>>
>> On May 31, 11:41 pm, julien <julien.de...@gmail.com> wrote:
>>> Hi list,
>>>
>>> In our platform we have a lot of machines in which the system is a
>>> single disk image loaded on RAM from PXE.
>>>
>>> The problem is quite simple: if I install puppetd on the image, I
>>> will end up using the same certificate for 100 different servers with
>>> different names (the hostname is set up at boot time from dhcp) and I
>>> guess the puppetmaster won't allow that.
>>>
>>> In other words: what should I do to create a hundred nodes with the
>>> same certificate?
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To post to this group, send email to puppet-us...@googlegroups.com.
>> To unsubscribe from this group, send email to
>> puppet-users+unsubscr...@googlegroups.com.
>> For more options, visit this group at
>> http://groups.google.com/group/puppet-users?hl=en.

-- 
Trevor Vaughan
Vice President, Onyx Point, Inc.
email: tvaug...@onyxpoint.com
phone: 410-541-ONYX (6699)
pgp: 0x6C701E94
-- This account not approved for unencrypted sensitive information --
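The autosign.conf allow-list plus hourly cert cleanup that Trevor describes is easy to get wrong in two directions: an allow-list entry that is broader than the pool (so any host on the network gets signed), and a cleanup job that silently deletes certs it never expected to see. The following Python is an added example written for this thread, not code from the thread or from Puppet; it parses a constructed autosign.conf, audits its patterns for over-broad globs, and splits a constructed list of signed certnames into "clean because the host was re-imaged" and "unexpected, look before deleting". Glob matching is approximated with fnmatch (an assumption; Puppet's own handling of leading `*.domain` entries may be broader), and the signed-cert list is passed in by the caller rather than read from the CA.

```python
"""Added example (not from the thread): vet a Puppet autosign.conf allow-list
and decide which signed client certs an hourly cleanup should revoke.

Assumptions (labelled here, not stated in the thread):
  * autosign.conf entries are one certname or glob per line, '#' comments
    allowed; glob matching is approximated with fnmatch (Puppet's own
    matching of leading '*.domain' globs may be broader).
  * The list of currently signed certnames is supplied by the caller (in
    practice from the CA's signed-cert directory); here it is constructed.
"""
import fnmatch
from typing import Iterable, List, Set, Tuple

# Constructed sample autosign.conf for a PXE-booted, identical-image pool.
SAMPLE_AUTOSIGN = """\
# diskless compute pool, hostnames handed out by DHCP
node01.compute.example.net
node02.compute.example.net
*.compute.example.net
build-*.ci.example.net
"""

# Constructed sample of certnames the CA currently holds signed certs for.
SAMPLE_SIGNED = [
    "node01.compute.example.net",
    "node02.compute.example.net",
    "node77.compute.example.net",
    "build-4.ci.example.net",
    "laptop.guest.example.net",   # not covered by the allow-list
]


def parse_autosign(text: str) -> List[str]:
    """Return the active patterns from autosign.conf, dropping comments and blanks."""
    patterns = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            patterns.append(line.lower())
    return patterns


def autosign_allows(patterns: Iterable[str], certname: str) -> bool:
    """True if any allow-list entry matches the certname (case-insensitive glob)."""
    name = certname.lower()
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def audit_autosign(patterns: Iterable[str]) -> List[str]:
    """Flag entries that would sign far more than an identical-image pool needs.

    A bare '*', or a glob whose fixed part is not a full domain suffix, lets any
    host that can reach the master obtain a signed cert for whatever name it claims.
    """
    findings = []
    for p in patterns:
        if p == "*":
            findings.append(f"{p!r}: signs every request")
        elif "*" in p and "." not in p:
            findings.append(f"{p!r}: wildcard without a domain suffix")
        elif p.startswith("*") and p.count(".") < 2:
            findings.append(f"{p!r}: wildcard over a whole TLD")
    return findings


def plan_cleanup(patterns: Iterable[str], signed: Iterable[str],
                 recycled: Set[str]) -> Tuple[List[str], List[str]]:
    """Split signed certnames into (to_clean, unexpected).

    to_clean:   certs of hosts re-imaged since the last run, so the fresh boot can
                request a new cert (the hourly 'puppetca --clean' list).
    unexpected: signed certs the allow-list would never have signed; these are
                reported rather than deleted, since they may indicate a problem.
    """
    pats = list(patterns)
    to_clean, unexpected = [], []
    for name in signed:
        if not autosign_allows(pats, name):
            unexpected.append(name)
        elif name in recycled:
            to_clean.append(name)
    return to_clean, unexpected


if __name__ == "__main__":
    pats = parse_autosign(SAMPLE_AUTOSIGN)
    for finding in audit_autosign(pats):
        print("WARN autosign.conf:", finding)
    # Constructed: hosts the provisioning side reports as re-imaged this hour.
    recycled = {"node02.compute.example.net", "build-4.ci.example.net"}
    clean, odd = plan_cleanup(pats, SAMPLE_SIGNED, recycled)
    for name in clean:
        print("would run: puppetca --clean", name)
    for name in odd:
        print("REVIEW: signed cert outside allow-list:", name)
```

Feeding `plan_cleanup` the set of hosts the provisioning side reports as re-imaged, rather than cleaning everything on a timer, is what narrows the race Trevor mentions: a cert is only removed for a host known to be booting fresh, and anything signed outside the allow-list is surfaced instead of quietly destroyed.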