On Oct 25, 2010, at 7:45 PM, Daneil Goodman wrote:

> Hi all,
> 
> I am trying to use @@sshkey{...} and Sshkey <<| |>> to share host keys 
> between compute nodes. It does work! But there is a weird issue. The same 
> host key entry of each node is added into ssh_known_hosts again each time 
> puppet is restarted. I only need one entry for each node in 
> ssh_known_hosts. What should I do? Here is the code:
> 
> class ssh {
>         @@sshkey { "$hostname":
>                 key     => $sshrsakey,
>                 type    => ssh-rsa,
>                 name    => ["$hostname,","$hostname.$domain,","$ipaddress"],
>         }
>         Sshkey <<| |>>
> }
> 
> Even if I force the removal of /etc/ssh/ssh_known_hosts before collection using 
> the following modified code, the result is the same.
> 
> class ssh {
>         file { "/etc/ssh/ssh_known_hosts":
>                 ensure => absent
>         }
> 
>         @@sshkey { "$hostname":
>                 key     => $sshrsakey,
>                 type    => ssh-rsa,
>                 name    => ["$hostname,","$hostname.$domain,","$ipaddress"],
>                 require => File["/etc/ssh/ssh_known_hosts"]
>         }
>         Sshkey <<| |>>
> }
> 
> The default mode of ssh_known_hosts created by the above code is 600. I tried 
> to change it to 644 using the following code:
> 
> class ssh {
>         file { "/etc/ssh/ssh_known_hosts":
>                 ensure => absent
>         }
> 
>         @@sshkey { "$hostname":
>                 key     => $sshrsakey,
>                 type    => ssh-rsa,
>                 name    => ["$hostname,","$hostname.$domain,","$ipaddress"],
>                 require => File["/etc/ssh/ssh_known_hosts"]
>         }
>         Sshkey <<| |>>
> 
>         File <| title == "/etc/ssh/ssh_known_hosts" |> {
>                 mode => 644
>         }
> }
>   
> But it is still 600. 
> 
> How can I limit to only one host key entry for each node in ssh_known_hosts 
> and change its mode to 644?

I don't know how to fix your first problem, but I can help you with the second.

If you create two resources for the same file, puppet will fail with an error 
message (by design).  This means that Sshkey isn't using the file resource to 
manage the file.  That means that override is doing nothing or, most likely, 
setting the permissions for the file you are declaring absent.

In your example, you could fix the permission problem by doing this (untested 
code, use at your own risk):
class ssh {
        #Create an empty file
        file { "/etc/ssh/ssh_known_hosts":
                ensure => present,
                mode => 644,
                content => "",
        }

        @@sshkey { "$hostname":
                key     => $sshrsakey,
                type    => ssh-rsa,
                name    => ["$hostname,","$hostname.$domain,","$ipaddress"],
                require => File["/etc/ssh/ssh_known_hosts"]
        }
        Sshkey <<| |>>

}


This is the code that I use for ssh keys.  You might want to try it.  Note the 
assumption about which ethernet interface is being used:
        @@sshkey { "${fqdn}":
                type => rsa,
                key => $sshrsakey,
                host_aliases => [
                        $ipaddress_eth0,
                ],
        }

        Sshkey <<| |>>
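The two ideas in this reply (manage the known_hosts file's mode with a plain file resource that the sshkey provider then edits, and put the extra names in host_aliases instead of the name attribute) combined into one manifest. This is an added example, not code from either poster; it assumes storeconfigs are enabled so exported resources can be collected, and that the facts $::fqdn, $::hostname, $::ipaddress and $::sshrsakey exist on every node. Note it deliberately has no content attribute on the file: a managed content would be re-applied on every run, blanking the file before the sshkey entries are written back.

```puppet
# Added example (not from the thread). Assumes storeconfigs and the
# facts $::fqdn, $::hostname, $::ipaddress, $::sshrsakey on each node.
class ssh::known_hosts {

  # Manage only existence, ownership and mode of the file. No 'content':
  # the sshkey provider writes the entries itself, so the File resource
  # must not fight it for the file's contents.
  file { '/etc/ssh/ssh_known_hosts':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',   # world-readable so every local user can verify hosts
  }

  # Export this node's own host key. The title is the canonical name;
  # additional names go in host_aliases (the type joins them with commas
  # when it writes the line), not in a hand-built name array.
  @@sshkey { $::fqdn:
    ensure       => present,
    type         => 'ssh-rsa',
    key          => $::sshrsakey,
    host_aliases => [ $::hostname, $::ipaddress ],
    require      => File['/etc/ssh/ssh_known_hosts'],
  }

  # Collect every node's exported key (including our own) into this file.
  Sshkey <<| |>>
}
```

Include the class on every node; each run the file keeps mode 0644 and the collector only adds a line when no entry with the same name already exists, which is what separating the File resource from the sshkey entries is meant to achieve.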

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.