On Jun 1, 2010, at 5:37 PM, Trevor Vaughan wrote:

> How sensitive is the information you're pushing out?
>
> If it's not sensitive, I would list all valid hosts in autosign.conf and
> blow the certs away with an hourly cron job on the server.
>
> It seems silly, but it shouldn't add *too* much overhead in general.
>
> If your puppet server is also your tftp server, you could spawn a
> puppetca --clean <hostname> from the tftp logs but you have a potential
> race condition in that case.
>
> If they are all *truly* identical from a Puppet point of view, you could
> have an extremely long list of alternate DNS names in your pre-generated
> Puppet client cert and just use the same cert for everyone.

In my experience, after the certificate is on the client, the DNS name of the client doesn't matter. I think it's because puppet ignores the DNS name of the client and just uses the certificate name.

> I'm not sure what the limits are on this as I've never tried it for more
> than a dozen or so hostnames.
>
> Trevor
>
> On 06/01/2010 08:10 PM, Patrick wrote:
>> At this point you either need to:
>> *) Do something pretty complicated so the server gives different mounts to
>> each computer, or with different mounts
>> or
>> *) Give every machine access to all the other machines' certificates, and
>> store all the credentials for the NFS server in the PXE server where anyone
>> can get them.
>>
>> I have no idea how to do the first, and the second doesn't sound very good
>> to me. Also, you need to trust the local network anyway. After all, anyone
>> on that network can impersonate the DHCP and PXE server to hijack a PXE
>> client.
>>
>> On Jun 1, 2010, at 7:47 AM, Michael Dodwell wrote:
>>
>>> You say when an image is shut down it reverts back to its original
>>> state, but does that image/machine ever get reused?
>>>
>>> My point being if you're going to reuse machines keeping individual
>>> certificates could be useful. To enable this you could just nfs mount
>>> a share that new certificates could be created in, and 'old'
>>> certificates could be loaded from. You should just have to mount
>>> /var/lib/puppet/ssl/ and after creating the required sub-directories new
>>> machines will auto generate certificates and reused machines would use
>>> existing certificates. That way you should have some control over
>>> signing.
>>>
>>> --MD
>>>
>>> On May 31, 11:41 pm, julien <julien.de...@gmail.com> wrote:
>>>> Hi list,
>>>>
>>>> In our platform we have a lot of machines in which the system is a
>>>> single disk image loaded on RAM from PXE.
>>>>
>>>> The problem is quite simple: if I install puppetd on the image, I
>>>> will end up using the same certificate for 100 different servers with
>>>> different names (the hostname is set up at boot time from dhcp) and I
>>>> guess the puppetmaster won't allow that.
>>>>
>>>> In other words: what should I do to create a hundred nodes with the
>>>> same certificate?
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups
>>> "Puppet Users" group.
>>> To post to this group, send email to puppet-us...@googlegroups.com.
>>> To unsubscribe from this group, send email to
>>> puppet-users+unsubscr...@googlegroups.com.
>>> For more options, visit this group at
>>> http://groups.google.com/group/puppet-users?hl=en.
>>
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc.
> email: tvaug...@onyxpoint.com
> phone: 410-541-ONYX (6699)
> pgp: 0x6C701E94
>
> -- This account not approved for unencrypted sensitive information --
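Trevor's first suggestion (list the hosts in autosign.conf and clear their signed certs from cron), written out as an added shell example that is not from the thread. It assumes the Puppet 0.25-era CA layout `$SSLDIR/ca/signed/<certname>.pem`, that autosign.conf holds exact certnames (domain globs are skipped), and that `puppetca` is on PATH; the `MIN_AGE_MIN` guard is my addition so an hourly run does not clean a node that was autosigned moments before.

```shell
#!/bin/sh
# Added example (not from the thread): clear signed certs for hosts listed in
# autosign.conf so a freshly PXE-booted node's new CSR can be autosigned again.
# Assumptions: Puppet 0.25-era CA layout $SSLDIR/ca/signed/<certname>.pem,
# autosign.conf holds exact certnames (domain globs are skipped), and
# "puppetca --clean" is on PATH. Run from cron as: sh clean-autosign.sh run
SSLDIR=${SSLDIR:-/var/lib/puppet/ssl}
AUTOSIGN=${AUTOSIGN:-/etc/puppet/autosign.conf}
MIN_AGE_MIN=${MIN_AGE_MIN:-50}   # leave certs younger than this alone

# stale_certs: print each autosign.conf certname whose signed cert exists and
# is older than MIN_AGE_MIN minutes (the guard against cleaning a node that
# was autosigned moments ago).
stale_certs() {
    grep -v '^[[:space:]]*#' "$AUTOSIGN" | sed 's/[[:space:]]*$//' | grep -v '^$' |
    while IFS= read -r name; do
        case "$name" in *'*'*) continue ;; esac   # glob: names no single cert
        pem="$SSLDIR/ca/signed/$name.pem"
        [ -f "$pem" ] || continue
        # find -mmin +N matches files modified more than N minutes ago
        if [ -n "$(find "$pem" -mmin +"$MIN_AGE_MIN" 2>/dev/null)" ]; then
            printf '%s\n' "$name"
        fi
    done
    return 0
}

# clean_stale: revoke and remove each stale cert via puppetca;
# with DRY_RUN=1 it only reports what it would do.
clean_stale() {
    stale_certs | while IFS= read -r name; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would clean: $name"
        else
            puppetca --clean "$name"
        fi
    done
    return 0
}

if [ "${1:-}" = run ]; then
    clean_stale
fi
```

Run it once with `DRY_RUN=1` to confirm it lists only the hosts you expect before wiring it into cron.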