On Mon, Jun 4, 2012 at 10:56 PM, Jeff McCune <j...@puppetlabs.com> wrote:
> On Sun, Jun 3, 2012 at 11:48 PM, ankush grover <ankushcen...@gmail.com> wrote:
>> My approach will be like this
>>
>> generate uuid through uuidgen command and put that in certname under
>> puppet.conf
>> start the puppet client
>> on the server allow autosigning of the client machines and a default policy
>>
>> The issue with this approach is if the puppet agent is not working
>> properly on a host it is difficult to know that exact host without
>> doing ssh onto the server and also, to apply different policies for a
>> particular host.
>>
>> Using nodename as unique will be problem with Onapp cloud as the end
>> user will be setting the hostname and which might not be unique.
>
> What you can do in this instance is set both certname and
> node_name_value in puppet.conf. For the rest of this description
> node_name_fact also works, the only difference is that the value is
> pulled out of Facter instead of being a static string in puppet.conf.
>
> The downside is that you need to map the certname to the nodename in
> auth.conf on the master.
>
> # Agent puppet.conf
> [main]
> certname = B72008C3-708C-460B-80F5-38C221F7A479
> node_name_value = jeff.uuid
>
> # Master auth.conf
> # (Put this entry _above_ the existing entry for catalog requests
> since Puppet stops searching auth rules when it finds the first match.
>
> # Allow laptop nodes (UUID based dynamic hostnames, sort of like the cloud.
> # This entry must come before the default catalog entry.
> path ~ ^/catalog/([^/]+).uuid$
> method find
> allow B72008C3-708C-460B-80F5-38C221F7A479
>

With 100 of nodes this might not be practical (without manual intervention) or not without doing ssh onto the master.

> # allow nodes to retrieve their own catalog (ie their configuration)
> path ~ ^/catalog/([^/]+)$
> method find
> allow $1
>
>
>>
>> On Fri, Jun 1, 2012 at 10:01 PM, Jeff McCune <j...@puppetlabs.com> wrote:
>>> On Fri, Jun 1, 2012 at 1:39 AM, Brian Gupta <brian.gu...@brandorr.com>
>>> wrote:
>>>>
>>>> To be clear, unique hostnames are not a must. Unique certnames are,
>>>> which by default are based on hostnames, but they don't have to be.
>>>> You can programmatically generate those using something like UUID
>>>> (Which is what Foreman uses for cloud provisioning). See the following
>>>> for more info on UUIDs:
>>>> http://en.wikipedia.org/wiki/Universally_unique_identifier
>>>
>>>
>>> Actually, it's the other way around. Unique node names are a must, unique
>>> cert names are not.
>>>
>>> You can use the same certificate for multiple nodes if you wish, though this
>>> configuration carries a higher security risk than unique cert names.
>>>
>>> You can re-use the same cert name with something like this:
>>>
>>> # puppet.conf
>>> [agent]
>>> certname = shared.cert
>>> node_name_fact = fqdn
>>>
>>> -Jeff
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups
>>> "Puppet Users" group.
>>> To post to this group, send email to puppet-users@googlegroups.com.
>>> To unsubscribe from this group, send email to
>>> puppet-users+unsubscr...@googlegroups.com.
>>> For more options, visit this group at
>>> http://groups.google.com/group/puppet-users?hl=en.
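
An added example, not part of the thread and not Puppet's own code: a small Ruby model of the first-match rule selection described for the master's auth.conf, using the two catalog rules quoted above. The `Rule` struct, the `authorize` and `demo` helpers and every node or cert name other than `jeff.uuid`, `shared.cert` and the UUID are constructed for illustration, and matching is simplified to path, method and an exact certname comparison.

```ruby
# Simplified model (an assumption, not Puppet's implementation): the first rule
# whose path regex and method match decides; its allow value is then checked.
Rule = Struct.new(:path, :http_method, :allow)

UUID_CERT    = 'B72008C3-708C-460B-80F5-38C221F7A479' # certname from the thread
UUID_RULE    = Rule.new(%r{^/catalog/([^/]+).uuid$}, 'find', UUID_CERT)
DEFAULT_RULE = Rule.new(%r{^/catalog/([^/]+)$}, 'find', '$1')

# Returns [decision, index of the rule that decided] (index is nil if none matched).
def authorize(rules, path, http_method, certname)
  rules.each_with_index do |rule, i|
    m = rule.path.match(path)
    next unless m && rule.http_method == http_method
    # Expand $1 in the allow value to the node name captured from the path.
    allowed = rule.allow.gsub(/\$(\d)/) { m[Regexp.last_match(1).to_i].to_s }
    return [allowed == certname ? :allow : :deny, i]
  end
  [:deny, nil]
end

PAGE_ORDER     = [UUID_RULE, DEFAULT_RULE] # UUID rule above the default, as advised
REVERSED_ORDER = [DEFAULT_RULE, UUID_RULE] # default first: UUID rule never reached

def demo
  uuid_node = '/catalog/jeff.uuid'
  {
    # UUID cert asks for its mapped node name: the UUID rule decides.
    page_order: authorize(PAGE_ORDER, uuid_node, 'find', UUID_CERT),
    # Same request with the rules swapped: "allow $1" expects certname jeff.uuid.
    reversed:   authorize(REVERSED_ORDER, uuid_node, 'find', UUID_CERT),
    # A different (constructed) certname asking for jeff.uuid is refused.
    other_cert: authorize(PAGE_ORDER, uuid_node, 'find', 'some-other-cert'),
    # The rule's regex covers every *.uuid node, not only jeff.uuid.
    other_node: authorize(PAGE_ORDER, '/catalog/db01.uuid', 'find', UUID_CERT),
    # Ordinary node whose certname equals its node name falls to the default rule.
    own_name:   authorize(PAGE_ORDER, '/catalog/web01.example.com', 'find', 'web01.example.com'),
    # shared.cert with an fqdn node name has no mapping rule here, so it is denied.
    shared:     authorize(PAGE_ORDER, '/catalog/host1.example.com', 'find', 'shared.cert')
  }
end

demo.each { |name, result| puts "#{name}: #{result.inspect}" } if __FILE__ == $PROGRAM_NAME
```

The `other_node` result is the one to review before copying the rule: as written, the listed certname may fetch the catalog of any node name ending in `.uuid`.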