2009/5/1 Michael DeHaan <[email protected]>
> Christian Horn wrote:
> > On Fri, May 01, 2009 at 08:15:16PM +0200, Fabien Dupont wrote:
> >> Wouldn't it be possible to have Cobbler manage Puppet's host certificates
> >> the way it manages DHCP and DNS.
> >
> > Nice idea!
> >
> >> As far as the Puppet instance is on the same server it wouldn't be
> >> difficult to call puppetca and we could think of downloading certificates
> >> from Cobbler SVC during installation time through a snippet.
> >
> > I wouldn't want the cert including the needed private key being
> > transferred over the net in the clear.
> > Letting cobbler do the signing of the cert (with the accompanying
> > private key being only on the newly deployed box) sounds fine though.
> >
> > A bit better than autosigning since cobbler will only sign the
> > certs of cobbler-deployed boxen and not some rogue new box on the
> > network.
> >
> > Christian
> > _______________________________________________
> > cobbler mailing list
> > [email protected]
> > https://fedorahosted.org/mailman/listinfo/cobbler
>
> If I understand this correctly, this would be something like having
> cobblerd periodically check puppetca to see if any hostnames it knew
> about were in the list?
I'm not sure I understand your statement, so I'll explain mine further.

I thought about creating puppet certificates when creating a system in cobbler
through 'cobbler system add'. I thought about an option in 'cobbler system',
thinking of something like this:

cobbler system add --name=somesrv --profile=someprofile --enable-puppet=1 --mgmt-classes=class1,class2

The option --enable-puppet would mean two things:
1. if certificates are not already present, cobbler would generate them through puppetca at 'cobbler sync'
2. a snippet would install puppet and download the certificates (over HTTPS as stated in a previous email)

This way, cobblerd would check only on 'cobbler sync'.

> I'm not sure this is a good job for cobblerd (we don't even do this for
> Func), but it could be done pretty easily as a Cobbler-XMLRPC-API using
> script, I think, that you could put on cron.
>
> --Michael
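The cron-driven Cobbler-XML-RPC script Michael suggests, written to respect Christian's constraint (Cobbler only signs CSRs for boxes it deployed; the private key never leaves the new box), as an added example that is not part of this thread and not Cobbler or Puppet project code. It assumes Cobbler's XML-RPC endpoint at http://cobbler.example/cobbler_api whose get_systems() returns one dict per system with 'hostname' and 'mgmt_classes', that a system opts in by carrying the mgmt class 'puppet' (a stand-in for Fabien's --enable-puppet idea), and the classic `puppetca --list` / `puppetca --sign <host>` CLI with one pending certname per output line; the sample systems and listing in the test are constructed.

```python
#!/usr/bin/env python3
"""Cron job: sign pending Puppet CSRs only for Cobbler-deployed systems.

Added example, not Cobbler or Puppet project code. Assumptions: Cobbler's
XML-RPC endpoint at COBBLER_API (get_systems() returns one dict per system
with 'hostname' and 'mgmt_classes'); a system opts in by carrying the mgmt
class OPT_IN_CLASS (stand-in for the proposed --enable-puppet flag); the
classic `puppetca --list` / `puppetca --sign <host>` CLI whose --list output
carries one pending certname per line.
"""
import re
import subprocess
import xmlrpc.client

COBBLER_API = "http://cobbler.example/cobbler_api"   # assumed endpoint
OPT_IN_CLASS = "puppet"                               # assumed opt-in marker
# Certnames are DNS-ish labels only; anything else is refused before it is
# ever passed to puppetca (defence in depth, the argv call below has no shell).
CERTNAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$")


def opted_in_hosts(systems):
    """Lower-cased hostnames of Cobbler systems that carry the opt-in mgmt class.
    Systems without a hostname cannot be matched to a certname and are skipped."""
    hosts = set()
    for system in systems:
        hostname = (system.get("hostname") or "").strip().lower()
        classes = system.get("mgmt_classes") or []
        if hostname and OPT_IN_CLASS in classes:
            hosts.add(hostname)
    return hosts


def pending_certnames(puppetca_list_output):
    """Parse `puppetca --list`: the first token of each non-empty line is a
    certname waiting for signature. Lines beginning with '+' are already-signed
    entries (as printed by --all) and are ignored."""
    names = []
    for line in puppetca_list_output.splitlines():
        line = line.strip()
        if not line or line.startswith("+"):
            continue
        names.append(line.split()[0].lower())
    return names


def select_to_sign(systems, puppetca_list_output):
    """Split pending CSRs into (to_sign, rejected). A CSR is signed only when
    its certname exactly matches an opted-in Cobbler hostname and passes the
    syntax check; a rogue box, a typo, or a hostile certname stays pending."""
    allowed = opted_in_hosts(systems)
    to_sign, rejected = [], []
    for name in pending_certnames(puppetca_list_output):
        if name in allowed and CERTNAME_RE.match(name):
            to_sign.append(name)
        else:
            rejected.append(name)
    return to_sign, rejected


def sign(certname):
    """Sign one CSR on the puppetmaster. Argument-list form: no shell sees the name."""
    subprocess.run(["puppetca", "--sign", certname], check=True)


def main():
    server = xmlrpc.client.ServerProxy(COBBLER_API)
    systems = server.get_systems()
    listing = subprocess.run(["puppetca", "--list"], capture_output=True,
                             text=True, check=True).stdout
    to_sign, rejected = select_to_sign(systems, listing)
    for name in to_sign:
        sign(name)
    for name in rejected:
        print("left unsigned (not a cobbler-deployed, puppet-enabled host):", name)


if __name__ == "__main__":
    main()
```

Run it from cron on the host that carries both cobblerd and the puppetmaster (the same-server assumption Fabien makes); the puppet agent on the new box generates its own key pair and submits the CSR as usual, so nothing secret crosses the network and the only thing Cobbler contributes is the decision to sign.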
