Thanks, all! I took highlights from all your posts and came up with the following solution:

I wrote a relatively simple shell script that users of the VM image will run at launch to set up their VMs. It does the following:

1) requires them to enter a domain userId
2) formulates a certname using their ID concatenated with "-dev-vm"
3) passes that formulated certname as an environment variable that facter can read (later via augeas to set the certname in the VM's puppet config)
4) calls the puppet agent --onetime -w... <blah> command to request a cert
5) waits for me to approve the cert on the master
6) uses regex in the nodes.pp file to look for a hostname containing "-dev-vm", then applies that machine's class
7) uses the passed-in certname to populate (via augeas) the VM's /etc/puppet/puppet.conf certname

I also set up a script on the master to send and respond to Jabber messages whenever a new cert request came in, so I can simply respond to the message with "approve" or "deny" the cert request without having to SSH to the master just to approve certs!

It works pretty slick! I knew asking the experts would lead me to a good solution! You all rock and I owe you all a beer!

Thanks again!
Randy

On Tuesday, July 15, 2014 3:09:57 PM UTC-4, randal cobb wrote:
>
> Hello, all...
>
> I have a scenario where all of our developers (spread geographically
> around the world) use a VMware or VirtualBox VM on their local desktop to
> develop portions of a single product. I've seemed to inherit this
> nightmare of a process and believe I can make it much simpler, quicker, and
> cleaner using Puppet. Currently, they have to download an 80Gb VM image
> from a single server in the US; so, because of the massive size of the VM,
> most developers never upgrade their VMs to the latest image. I know that
> Puppet can fix this for me, but I have a few questions I'm hoping y'all can
> help answer (I've used puppet for a few months to manage some
> infrastructure servers, so concepts aren't alien to me). Here are my
> questions:
>
> Suppose I have 200 different machines (VMs) sitting on each developer's
> desktop (rather in their VMware hypervisor)...
> 1) can they all have the same certname, so I only have to maintain a
> single node.pp manifest?
> 2) If so, how are SSL certs maintained, given there would be 200 different
> VMs trying to use the same set of certs. Or, does that even matter from a
> node perspective?
> 3) If not, do I REALLY have to maintain 200 different manifests; all
> identical to each other?
>
> I've been able to put together a single node.pp file that sets up
> everything for them, so they only download a 2.8Gb bare VM image and puppet
> does the rest. But, when firing up subsequent VMs, of course the client
> gets all confused because the generated certs don't match up.
>
> Any suggestions for a better solution, or workaround to this one? (I've
> thought about using NAT and a fixed MAC address, but with so many
> developers out there, I'm sure some will re-create MAC addresses at some
> point during their initial setup, or change their networking type for the
> VM and start flooding the network with duplicated MAC errors).
>
> I'm sure I'm not the first person who's wanted to do something like this,
> so I turn to the seasoned puppet veterans for guidance! I HAVE googled
> for solutions, but I may just not be using the right terminology to search
> with; because I keep coming up blank on how best to tackle this.
>
> Thanks in advance!
> Randy
>
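
A sketch of launch-script steps 1 to 4 from the reply above, plus a strict name check the master-side approval script could apply before a request is offered for signing. This is an added example, not the poster's script: the helper names `make_certname`, `is_dev_vm_request` and `bootstrap`, the fact name `vm_certname`, the 32-character limit and the `--run` switch are all assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not the poster's script).
LC_ALL=C; export LC_ALL
SUFFIX="-dev-vm"

# Print "<userid>-dev-vm", or return 1 if the ID is not a safe hostname label.
# The certname becomes the certificate subject and is what the node regex on
# the master matches, so anything outside a small character set is rejected.
make_certname() {
    id=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')  # certnames are lowercase
    case "$id" in
        ''|*[!a-z0-9.-]*|-*|.*|*-|*.) return 1 ;;
    esac
    [ "${#id}" -le 32 ] || return 1   # assumed upper bound on ID length
    printf '%s%s\n' "$id" "$SUFFIX"
}

# Master side: succeed only if a pending request name is exactly what
# make_certname would have produced. A bare "contains -dev-vm" match would
# also accept names such as "puppet-dev-vm.other.example".
is_dev_vm_request() {
    case "$1" in
        *"$SUFFIX") prefix=${1%"$SUFFIX"} ;;
        *) return 1 ;;
    esac
    [ "$(make_certname "$prefix")" = "$1" ]
}

# Agent side: prompt, validate, expose the name to Facter, request the cert.
bootstrap() {
    printf 'Domain user ID: '
    read -r userid
    certname=$(make_certname "$userid") || {
        echo "invalid user ID" >&2
        return 1
    }
    # Facter turns FACTER_<name> environment variables into facts.
    FACTER_vm_certname="$certname"
    export FACTER_vm_certname
    # Poll every 60 seconds until the request is signed on the master.
    puppet agent --onetime --no-daemonize --certname "$certname" --waitforcert 60
}

# Only contacts the master when invoked as: script.sh --run
if [ "${1:-}" = "--run" ]; then
    bootstrap
fi
```

The same strictness belongs in the nodes.pp match: a node regex anchored at both ends keeps a request whose name merely contains "-dev-vm" from receiving the developer class.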