On 2011 Apr 27, at 8:33 AM, seth vidal wrote:

> On Tue, 2011-04-26 at 21:29 +0200, Jan-Frode Myklebust wrote:
>> On 2011-04-26, Norvell, Preston <[email protected]> wrote:
>>> Reading through it, I have a couple comments:
>>> - I have found no need to modify anything in /etc/certmaster on either the 
>>> overlords or minions
>> 
>> I use the EPEL packages, and they have certmaster=certmaster in 
>> /etc/certmaster/minion.conf, and then the minions fail to start.

Interesting.  We'll be switching to the epel-testing modules here shortly, so 
I'll keep this in mind.  With 0.27 from rf, though, I've not touched anything in 
the /etc/certmaster dir and we don't have a 'certmaster' defined in any of our 
dns zones.

>> 
>>> - Depending on where you get your RPM (I get mine currently from
>>> RPMForge), it may want to install/run certmaster by default.  It should
>>> be disabled.
>> 
>> Oh.. I hadn't noticed. Thanks!
>> 
>> IMHO that's a bug in the packaging... skvidal ?
>> 
>>> - There is a nascent puppet module to manage minion and overlord 
>>> configurations here: http://forge.puppetlabs.com/rodjek/func.  I used it as 
>>> the beginning of my work and hope to push the changes back up stream to the 
>>> author.  It might be good to let folks know it exists.
>> 
>> I wrote my own yesterday ->
>> 
>>      http://blag.tanso.net/2011/04/13-puppet-as-certmaster-for-func/
>> 
>>> - I found that I needed to create an acl file in /etc/minion-acl.d with the 
>>> hostname-certhash of the overlord/puppetmaster on each minion, because 
>>> rather than defaulting to "*" it defaults to "foo" (literally) for the acl.
>> 
>> I didn't need that. My minion-acl.d/ is empty, and I can access the minions
>> from the overlord. Hmm.. guess I need to understand the access control
>> model of func better..
>> 
>> 
> 
> the acls are for minion-to-minion. so you can say 'this minion can run
> these modules/methods on this other minion'

If that's true then perhaps there is/was an oddity with 0.27.  I've set up three 
environments at work so far, and none of them have worked without an acl file 
in there; the overlord/puppetmasters are all rejected because the default "*" 
has perms only to the "foo" (again, literally...) function.  Since we'll be 
switching to epel-testing and their 0.28 rpm shortly, we'll see if that 
demonstrably changes.

> 
> -sv

--
Preston M Norvell <[email protected]>
Systems/Network Engineer
Serials Solutions <http://www.serialssolutions.com>
Phone:  (866) SERIALS (737-4257) ext 1094
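The thread above turns on what a minion-side ACL file grants: a default entry for "*" that only permits the literal function "foo" rejects the overlord, and the fix is a per-minion file keyed by the overlord's hostname-certhash. The following is an added example (not func's own code, and not from anyone on this list) of a small deny-by-default ACL checker working over two constructed ACL files. It assumes an ini-style layout with an [allowed_certs] section whose keys are certificate names and whose values are comma-separated module or module.method patterns; that layout is modelled on my recollection of func's minion-acl.d format and is an assumption, as is the placeholder cert hash. The point it makes is that a working ACL should grant the overlord only the modules it actually needs rather than "*".

```python
"""Deny-by-default minion ACL check, in the style of func's minion-acl.d.

Added example, not func's own code. Assumptions (labelled):
- ACL files are ini-style with an [allowed_certs] section (assumed layout).
- Keys are the caller's certificate name (hostname-certhash, as the thread
  describes); values are comma-separated patterns: "*" grants everything,
  "module" grants a whole module, "module.method" grants one call (globs
  allowed). The cert hash below is a placeholder, not a real value.
"""
import configparser
import fnmatch

# Constructed sample 1: the problematic default the thread describes, where
# any caller ("*") may only invoke the literal module "foo".
DEFAULT_ACL = """
[allowed_certs]
* = foo
"""

# Constructed sample 2: a least-privilege grant for the overlord/puppetmaster,
# keyed by its hostname-certhash (placeholder hash) and limited to two modules.
OVERLORD_ACL = """
[allowed_certs]
overlord.example.com-PLACEHOLDERHASH = command.run, service.*
"""


def parse_acl(text):
    """Return {cert_name_pattern: [method_pattern, ...]} from one ACL file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep cert names case-sensitive (hashes are)
    cp.read_string(text)
    acls = {}
    if cp.has_section("allowed_certs"):
        for cert, methods in cp.items("allowed_certs"):
            acls[cert] = [m.strip() for m in methods.split(",") if m.strip()]
    return acls


def merge_acls(*acl_texts):
    """Combine several ACL files the way a minion-acl.d directory would."""
    merged = {}
    for text in acl_texts:
        for cert, methods in parse_acl(text).items():
            merged.setdefault(cert, []).extend(methods)
    return merged


def method_matches(pattern, module, method):
    """Does one ACL value pattern cover the call module.method?"""
    if pattern == "*":
        return True
    if "." not in pattern:
        # bare name: grants every method of that module
        return fnmatch.fnmatchcase(module, pattern)
    return fnmatch.fnmatchcase(f"{module}.{method}", pattern)


def is_allowed(acls, cert_name, module, method):
    """Deny by default: allow only if some matching cert entry grants the call."""
    for cert_pattern, methods in acls.items():
        if not fnmatch.fnmatchcase(cert_name, cert_pattern):
            continue
        if any(method_matches(m, module, method) for m in methods):
            return True
    return False


if __name__ == "__main__":
    overlord = "overlord.example.com-PLACEHOLDERHASH"
    print("default only:", is_allowed(parse_acl(DEFAULT_ACL), overlord, "command", "run"))
    merged = merge_acls(DEFAULT_ACL, OVERLORD_ACL)
    print("with overlord acl:", is_allowed(merged, overlord, "command", "run"))
    print("unlisted module:", is_allowed(merged, overlord, "copyfile", "copyfile"))
```

With only the default file loaded, the overlord's command.run call is refused, which is the rejection the message describes; after the overlord-specific file is added the call is permitted, while modules not listed (and any other certificate name) stay denied.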



_______________________________________________
Func-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/func-list
