2009/5/1 Michael DeHaan <[email protected]>
> Fabien Dupont wrote:
> >
> > 2009/5/1 Michael DeHaan <[email protected]>
> >
> > > Fabien Dupont wrote:
> > >
> > > > 2009/5/1 Michael DeHaan <[email protected]>
> > > >
> > > > > Christian Horn wrote:
> > > > >
> > > > > > On Fri, May 01, 2009 at 08:15:16PM +0200, Fabien Dupont wrote:
> > > > > >
> > > > > > > Wouldn't it be possible to have Cobbler manage Puppet's host
> > > > > > > certificates the way it manages DHCP and DNS.
> > > > > >
> > > > > > Nice idea!
> > > > > >
> > > > > > > As far as the Puppet instance is on the same server it wouldn't be
> > > > > > > difficult to call puppetca and we could think of downloading
> > > > > > > certificates from Cobbler SVC during installation time through a
> > > > > > > snippet.
> > > > > >
> > > > > > I wouldn't want the cert including the needed private key being
> > > > > > transferred over the net in the clear.
> > > > > > Letting cobbler do the signing of the cert (with accompanying
> > > > > > private key being only on the newly deployed box) sounds fine though.
> > > > > >
> > > > > > A bit better than autosigning since cobbler will only sign the
> > > > > > certs of cobbler-deployed boxen and not some rogue new box on the
> > > > > > network.
> > > > > >
> > > > > > Christian
> > > > > > _______________________________________________
> > > > > > cobbler mailing list
> > > > > > [email protected]
> > > > > > https://fedorahosted.org/mailman/listinfo/cobbler
> > > > >
> > > > > If I understand this correctly, this would be something like having
> > > > > cobblerd periodically check puppetca to see if any hostnames it knew
> > > > > about were in the list?
> > > >
> > > > I'm not sure I understand your statement, so I'll explain mine further.
> > > >
> > > > I thought about creating puppet certificates when creating a system in
> > > > cobbler through 'cobbler system add'. I thought about an option in
> > > > 'cobbler system', thinking of something like this:
> > > >
> > > > cobbler system add --name=somesrv --profile=someprofile
> > > > --enable-puppet=1 --mgmt-classes=class1,class2
> > > >
> > > > The option --enable-puppet would mean two things:
> > > > 1. if certificates are not already present, cobbler would generate
> > > > them through puppetca at 'cobbler sync'
> > > > 2. a snippet would install puppet and download the certificates (over
> > > > HTTPS as stated in a previous email)
> > > >
> > > > This way, cobblerd would check only on 'cobbler sync'.
> > >
> > > I think we'd still want to use puppet's CSR system and more likely just
> > > have cobbler call puppetca to sign the systems in the cobbler db.
> > > (Perhaps any with any mgmt_classes assigned).
> > >
> > > I think this could be implemented as a separate script using the Cobbler
> > > API without having to be in Cobbler's core as some admins may still want
> > > to do manual signing.
> >
> > I see your point: keeping Cobbler and other tools separated to keep it
> > simple. Thus a ks_meta with snippet could do the trick for the certificate
> > download at install time. Is there a way cobbler can trigger a program
> > after an operation such as 'cobbler system add'?
>
> Yes! Cobbler triggers can either be written as scripts in
> /var/lib/cobbler/triggers or Python modules in cobbler/modules
> (site-packages). I recommend the python way for performance reasons --
> you'll get cobbler's native API handle with no load penalty -- (you can't
> do XMLRPC from triggers and you'll need /an/ API to do what you need to
> do). Poke around there and you'll see other triggers you can use as a
> starting point.
>
> If you just check for the presence of "mgmt_classes" (if it's defined) you
> shouldn't even need to set an extra flag to look for.

Thanks. I'll give it a try. It will be a concrete way to start programming with Python ;)

> > I mean that after an operation, cobbler would call this program which
> > would do anything imaginable (including using cobbler api). This could be
> > a great way to extend cobbler quite easily without adding features to the
> > core. But maybe it already exists and I don't know it.
>
> Yup :)
>
> > > --Michael
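As an added example (not code from the thread or from the Cobbler project), here is what the trigger module Michael describes could look like: it signs a pending Puppet CSR only when the certname belongs to a Cobbler system that has mgmt_classes set, which is Christian's point about not signing rogue boxes. Assumed here: the register()/run(api, args) trigger-module convention, that api.systems() yields objects with .name, .hostname and .mgmt_classes, and that 'puppetca --list' prints one pending certname per line.

```python
# Added example (not from the thread or the Cobbler project): a post-'cobbler
# system add' trigger that signs pending Puppet CSRs only for systems Cobbler
# knows about and that have mgmt_classes set, so a rogue host that merely
# submits a CSR is never signed. Assumed: the register()/run(api, args)
# trigger-module convention, api.systems() yielding objects with .name,
# .hostname and .mgmt_classes, and 'puppetca --list' printing one pending
# certname per line ('puppetca --sign NAME' signs one request).
import subprocess

def pending_csrs(listing):
    """Parse 'puppetca --list' output into the set of unsigned certnames.
    Lines prefixed with '+' (already signed, shown by --list --all) are skipped."""
    names = set()
    for line in listing.splitlines():
        line = line.strip()
        if line and not line.startswith("+"):
            names.add(line.split()[0])
    return names

def puppet_certname(system):
    """Puppet certnames are FQDNs; prefer the hostname field over the Cobbler name."""
    return (getattr(system, "hostname", "") or system.name).strip().lower()

def systems_to_sign(systems, pending):
    """Certnames that are both a Cobbler-managed, puppet-enabled system (non-empty
    mgmt_classes) and currently waiting for a signature. Unknown hosts, and
    known hosts without a pending CSR, are left alone (no autosign)."""
    managed = set(puppet_certname(s) for s in systems if getattr(s, "mgmt_classes", None))
    return sorted(managed & pending)

def sign_all(names, runner=subprocess.check_call):
    """Sign each request with one puppetca call; runner is injectable for testing."""
    for name in names:
        runner(["puppetca", "--sign", name])
    return list(names)

def register():
    # Assumed trigger path: fire after a system is added.
    return "/var/lib/cobbler/triggers/add/system/post/*"

def run(api, args, logger=None):
    listing = subprocess.check_output(["puppetca", "--list"]).decode("utf-8", "replace")
    signed = sign_all(systems_to_sign(api.systems(), pending_csrs(listing)))
    if logger:
        logger.info("signed puppet certs: %s" % ", ".join(signed))
    return 0
```

Dropping the module into cobbler/modules makes it fire on every system add; hosts that are not in the Cobbler db stay unsigned for an admin to review by hand.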
