Thanks... I got a few private responses as well that all seemed to be in line with what I figured we needed to do. It's entirely reasonable for us to have our clients 'curl ...' out to some endpoint to remove themselves at shutdown time. The concern I have is that I'd like to keep our clients from being able to do any other damage to the PuppetDB database while they're at it. We obviously want to use the Puppet CertName Whitelist in PuppetDB so that only our Puppet servers can send reports/connect to PuppetDB, and none of our clients can.

So that said ... I think I may end up going the 'CGI script' route. We already have what we call a 'cert-api' endpoint on our Puppet servers that allows our puppet clients to re-up their SSL certs every 15 days (we expire them very quickly). It's not unreasonable to add functionality to this endpoint allowing a client to request that its own node be destroyed.

That said, I have one question. We don't match our puppet 'node_name' to our puppet 'cert_name's. That is, our certnames are real FQDNs ... but our node names are kind of a combination of an arbitrary node name (like "web_server") and the certname. They look something like this "web_proxy_thingy|my.fqdn.her.com". In an ideal world, I would be able to tell PuppetDB that the true identifier that I care about is the 'certname' not the 'nodename'. That said, I think in our case we're going to have to do some hackery to figure this out.

Thanks again for the suggestions though.

On Thursday, December 11, 2014 1:04:59 AM UTC-8, Martin Alfke wrote:
> Hi Matt,
>
> On 09 Dec 2014, at 19:58, Matt Wise <ma...@nextdoor.com> wrote:
>
> > We boot up/shut-down 50-100 hosts a day on average... we're exploring PuppetDB, but I'm concerned about the model of just 'waiting' for hosts to be purged based on some checkin time. Is there any way to have our hosts send a signal through the puppet-masters (or directly to puppetdb?) to purge themselves when they're being terminated?
>
> You can use the puppetdb rest api:
> https://docs.puppetlabs.com/puppetdb/2.2/api/index.html
>
> In my actual project we disable hosts via VM management system using this API.
> Works like a charm.
>
> hth,
>
> Martin
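
Added example, not part of the original thread and not code from Puppet or the poster: a sketch of the self-only check a 'cert-api' style CGI handler could apply before relaying a deactivation to PuppetDB, using the `role|certname` node-name layout described in the message. It assumes Apache mod_ssl terminates TLS and exports `SSL_CLIENT_VERIFY` / `SSL_CLIENT_S_DN_CN`; the function names and the command envelope (modelled on the PuppetDB 2.x "deactivate node" command) are assumptions to confirm against your release.

```python
import hmac
import re

# Assumption: certnames are plain lowercase FQDNs, roles are word characters.
_FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
_ROLE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


class Denied(Exception):
    """Request is malformed or targets a node the caller does not own."""


def own_node_name(verified_cn, requested_node):
    """Return requested_node only if its certname half equals the cert's CN."""
    cn = (verified_cn or "").strip()
    if not _FQDN.match(cn):
        raise Denied("no usable verified certificate name")
    role, sep, fqdn = (requested_node or "").partition("|")
    # Exactly one separator, and a role that cannot smuggle extra fields.
    if not sep or "|" in fqdn or not _ROLE.match(role):
        raise Denied("node name is not '<role>|<certname>'")
    # Compare against the TLS-verified CN, never against another
    # client-supplied value such as a header or form field.
    if not hmac.compare_digest(fqdn.encode(), cn.encode()):
        raise Denied("node does not belong to this certificate")
    return requested_node


def handle(environ, requested_node):
    """CGI-style entry point: returns (status, command-to-relay or None)."""
    # mod_ssl sets these only after checking the cert against the CA.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return 403, None
    try:
        node = own_node_name(environ.get("SSL_CLIENT_S_DN_CN"), requested_node)
    except Denied:
        return 403, None
    # Assumed envelope for PuppetDB's "deactivate node" command; the Puppet
    # server (which is on the certname whitelist) submits it, not the client.
    return 200, {"command": "deactivate node", "version": 2, "payload": node}
```

The client never talks to PuppetDB directly, so the certname whitelist can stay limited to the Puppet servers while each host can still retire only its own node.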