On Sun, Jun 3, 2012 at 11:48 PM, ankush grover <ankushcen...@gmail.com> wrote:
> My approach will be like this
>
> generate uuid through uuidgen command and put that in certname under
> puppet.conf
> start the puppet client
> on the server allow autosigning of the client machines and a default policy
>
> The issue with this approach is if the puppet agent is not working
> properly on a host it is difficult to know that exact host without
> doing ssh onto the server and also, to apply different policies for a
> particular host.
>
> Using nodename as unique will be a problem with Onapp cloud as the end
> user will be setting the hostname, which might not be unique.

What you can do in this instance is set both certname and
node_name_value in puppet.conf. For the rest of this description
node_name_fact also works; the only difference is that the value is
pulled out of Facter instead of being a static string in puppet.conf.
The downside is that you need to map the certname to the nodename in
auth.conf on the master.

# Agent puppet.conf
[main]
certname = B72008C3-708C-460B-80F5-38C221F7A479
node_name_value = jeff.uuid

# Master auth.conf
# (Put this entry _above_ the existing entry for catalog requests since
# Puppet stops searching auth rules when it finds the first match.)

# Allow laptop nodes (UUID based dynamic hostnames, sort of like the cloud).
# This entry must come before the default catalog entry.
path ~ ^/catalog/([^/]+)\.uuid$
method find
allow B72008C3-708C-460B-80F5-38C221F7A479

# allow nodes to retrieve their own catalog (ie their configuration)
path ~ ^/catalog/([^/]+)$
method find
allow $1

>
> On Fri, Jun 1, 2012 at 10:01 PM, Jeff McCune <j...@puppetlabs.com> wrote:
>> On Fri, Jun 1, 2012 at 1:39 AM, Brian Gupta <brian.gu...@brandorr.com>
>> wrote:
>>>
>>> To be clear, unique hostnames are not a must. Unique certnames are,
>>> which by default are based on hostnames, but they don't have to be.
>>> You can programmatically generate those using something like UUID
>>> (Which is what Foreman uses for cloud provisioning). See the following
>>> for more info on UUIDs:
>>> http://en.wikipedia.org/wiki/Universally_unique_identifier
>>
>>
>> Actually, it's the other way around.  Unique node names are a must, unique
>> cert names are not.
>>
>> You can use the same certificate for multiple nodes if you wish, though this
>> configuration carries a higher security risk than unique cert names.
>>
>> You can re-use the same cert name with something like this:
>>
>> # puppet.conf
>> [agent]
>> certname = shared.cert
>> node_name_fact = fqdn
>>
>> -Jeff
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To post to this group, send email to puppet-users@googlegroups.com.
>> To unsubscribe from this group, send email to
>> puppet-users+unsubscr...@googlegroups.com.
>> For more options, visit this group at
>> http://groups.google.com/group/puppet-users?hl=en.
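
The auth.conf ordering described in the reply above, as an added example that is not part of the original thread and not Puppet's own code: a small Ruby model of first-match rule evaluation. Rule, authorized?, the PINNED variant and the node name other.uuid are constructed for illustration, and allow is modelled as an exact string comparison.

```ruby
# Added example: a simplified model of first-match auth.conf evaluation.
# Not Puppet's code. Rule, authorized? and the rule lists are constructed,
# and "allow" is modelled as an exact string comparison.
Rule = Struct.new(:path, :verb, :allow)

UUID_CERT = 'B72008C3-708C-460B-80F5-38C221F7A479' # certname from the reply

# Default entry: a node may fetch only the catalog named after its certname.
DEFAULT_RULE = Rule.new(%r{^/catalog/([^/]+)$}, 'find', '$1')

# Order from the reply: the certname-to-nodename mapping entry comes first.
MAPPED_FIRST = [
  Rule.new(%r{^/catalog/([^/]+)\.uuid$}, 'find', UUID_CERT),
  DEFAULT_RULE
].freeze

# Same two entries in the wrong order.
DEFAULT_FIRST = MAPPED_FIRST.reverse.freeze

# Constructed variant: the mapping entry names one node instead of every
# node name ending in .uuid.
PINNED = [
  Rule.new(%r{^/catalog/jeff\.uuid$}, 'find', UUID_CERT),
  DEFAULT_RULE
].freeze

# True when the first rule matching verb and path allows certname.
# A request that matches no rule is denied.
def authorized?(rules, certname, verb, path)
  rules.each do |rule|
    next unless rule.verb == verb
    m = rule.path.match(path)
    next unless m
    # Expand $1..$9 in the allow value from the path's capture groups.
    allowed = rule.allow.gsub(/\$(\d)/) { |ref| m[ref[1].to_i].to_s }
    return allowed == certname # first match decides; later rules are not read
  end
  false
end

if __FILE__ == $PROGRAM_NAME
  [MAPPED_FIRST, DEFAULT_FIRST, PINNED].each do |rules|
    %w[jeff.uuid other.uuid].each do |node|
      puts "#{node}: #{authorized?(rules, UUID_CERT, 'find', "/catalog/#{node}")}"
    end
  end
end
```

With the default entry first, the UUID certname is denied its own jeff.uuid catalog because $1 expands to the node name rather than the certname. With the mapping entry first, the ([^/]+) pattern also lets that certname fetch any other node name ending in .uuid unless the entry is pinned to one name.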