On Nov 5, 2008, at 1:07 AM, David Schmitt wrote:

>> Should we, like we've done with filebuckets and yaml dirs, have
>> separate SSL directories for client and server? This is somewhat
>> problematic, in that we'd need to duplicate the host cert in both
>> locations, and really, the server host cert is the only cert that
>> would be in the server-side cert collection (since the CA is its own
>> collection).
>>
>> Or should we just special-case it all the time in the server, making
>> sure the cert exists and is read in before we chuser?
>
> Over the time I've got the feeling that the puppetmaster uses puppet
> resources to configure various aspects of its environment on startup
> (like creating directories). Couldn't this be made into an explicit
> "puppetmaster manifest" that is executed when starting the puppetmaster
> before chusering?
>
> I'd think that having an explicit puppetmaster.pp lying around somewhere
> should make it easier to avoid breaking this, as contrasted to burying
> in code somewhere.

Well, the information isn't buried in code -- it's all in data. The defaults specified in defaults.rb are used to figure out what's done, and that file is nearly all data. In fact, if you run puppet --genmanifest, you can create that theoretical puppetmaster.pp, so they're essentially equivalent.

The Settings class has a 'use' method that allows code to specify that it uses a collection of settings, and thus any related directories should be created. The problem is that there is often an ordering problem when this is done.

However, after scanning that file for how many directories we could ever need to create, I realize it's only 25. It might make sense to just make all of these directories every time on the server, and, really, it's probably safe to make all of them except the :ca directories on the client.

Or, really, I guess what makes sense is to just have each executable maintain a static list of the sections it will use, so we can be sure they're all created right away.

That doesn't really solve the final problem I had, though -- the server has to read in the SSL information before it chusers. That one, I'm a bit stumped on, still.

--
An ounce of action is worth a ton of theory. --Friedrich Engels
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com