On Mon, Jun 4, 2012 at 10:56 PM, Jeff McCune <j...@puppetlabs.com> wrote:
> On Sun, Jun 3, 2012 at 11:48 PM, ankush grover <ankushcen...@gmail.com> wrote:
>> My approach will be like this
>>
>> generate uuid through uuidgen command and put that in certname under 
>> puppet.conf
>> start the puppet client
>> on the server allow autosigning of the client machines and a default policy
>>
>> The issue with this approach is if the puppet agent is not working
>> properly on a host it is difficult to know that exact host without
>> doing ssh onto the server and also, to apply different policies for a
>> particular host.
>>
>> Using nodename as unique will be a problem with Onapp cloud as the end
>> user will be setting the hostname, which might not be unique.
>
> What you can do in this instance is set both certname and
> node_name_value in puppet.conf.  For the rest of this description
> node_name_fact also works, the only difference is that the value is
> pulled out of Facter instead of being a static string in puppet.conf.
>
> The downside is that you need to map the certname to the nodename in
> auth.conf on the master.
>
> # Agent puppet.conf
> [main]
> certname = B72008C3-708C-460B-80F5-38C221F7A479
> node_name_value = jeff.uuid
>
> # Master auth.conf
> # (Put this entry _above_ the existing entry for catalog requests,
> # since Puppet stops searching auth rules when it finds the first match.)
>
> # Allow laptop nodes (UUID-based dynamic hostnames, sort of like the cloud).
> # This entry must come before the default catalog entry.
> path ~ ^/catalog/([^/]+)\.uuid$
> method find
> allow B72008C3-708C-460B-80F5-38C221F7A479
>
With 100 of nodes this might not be practical (without manual
intervention) or not without doing ssh onto the master.

> # allow nodes to retrieve their own catalog (ie their configuration)
> path ~ ^/catalog/([^/]+)$
> method find
> allow $1
>
>
>>
>> On Fri, Jun 1, 2012 at 10:01 PM, Jeff McCune <j...@puppetlabs.com> wrote:
>>> On Fri, Jun 1, 2012 at 1:39 AM, Brian Gupta <brian.gu...@brandorr.com>
>>> wrote:
>>>>
>>>> To be clear, unique hostnames are not a must. Unique certnames are,
>>>> which by default are based on hostnames, but they don't have to be.
>>>> You can programmatically generate those using something like UUID
>>>> (Which is what Foreman uses for cloud provisioning). See the following
>>>> for more info on UUIDs:
>>>> http://en.wikipedia.org/wiki/Universally_unique_identifier
>>>
>>>
>>> Actually, it's the other way around.  Unique node names are a must, unique
>>> cert names are not.
>>>
>>> You can use the same certificate for multiple nodes if you wish, though this
>>> configuration carries a higher security risk than unique cert names.
>>>
>>> You can re-use the same cert name with something like this:
>>>
>>> # puppet.conf
>>> [agent]
>>> certname = shared.cert
>>> node_name_fact = fqdn
>>>
>>> -Jeff
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups
>>> "Puppet Users" group.
>>> To post to this group, send email to puppet-users@googlegroups.com.
>>> To unsubscribe from this group, send email to
>>> puppet-users+unsubscr...@googlegroups.com.
>>> For more options, visit this group at
>>> http://groups.google.com/group/puppet-users?hl=en.
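Added example, not part of the original thread and not Puppet's own code: one way to handle the scaling concern raised above is to generate the per-node auth.conf stanzas from an inventory of certname to node name, so each node name is pinned to exactly one certificate. The function name, the inventory and the second UUID are constructed for illustration; as the thread notes, the generated entries must sit above the default catalog entry.

```ruby
# Build per-node auth.conf catalog rules from a certname => node name
# inventory (hypothetical helper; the inventory below is constructed).
UUID_RE = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/
NODE_RE = /\A[a-z0-9]([a-z0-9.-]*[a-z0-9])?\z/i

# Returns the auth.conf text; raises ArgumentError on an unsafe inventory.
def catalog_rules(inventory)
  seen = {}
  inventory.map do |certname, node_name|
    raise ArgumentError, "certname is not a UUID: #{certname}" unless certname =~ UUID_RE
    raise ArgumentError, "bad node name: #{node_name}" unless node_name =~ NODE_RE

    # Node names must be unique: two certs mapped to one name would let
    # either host fetch the other's catalog.
    key = node_name.downcase
    if seen.key?(key)
      raise ArgumentError, "node name #{node_name} used by #{seen[key]} and #{certname}"
    end
    seen[key] = certname

    # Regexp.escape keeps the dots in the node name literal, so the rule
    # matches exactly one catalog path and nothing that merely looks similar.
    <<~RULE
      # #{node_name}
      path ~ ^/catalog/#{Regexp.escape(node_name)}$
      method find
      allow #{certname}
    RULE
  end.join("\n")
end

# Constructed sample inventory: first pair is the one used in the thread.
INVENTORY = {
  'B72008C3-708C-460B-80F5-38C221F7A479' => 'jeff.uuid',
  '0F1E2D3C-4B5A-4978-8695-A4B3C2D1E0F9' => 'web01.uuid'
}.freeze

puts catalog_rules(INVENTORY) if __FILE__ == $PROGRAM_NAME
```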