On Tue, Jun 30, 2009 at 4:32 PM, Michael Semcheski<mhsemche...@gmail.com> wrote:
>
> On Tue, Jun 30, 2009 at 6:36 PM, Kurt Engle<kurt.en...@gmail.com> wrote:
>> Our imaging process takes an OS base image with a few apps that include
>> Puppet and Facter and installs it on the Mac. This over the network. When
>> the Mac reboots it sets the hostname of the computer to the Mac's serial
>> number and auto starts puppet. I do have my puppetmaster (CA) set to
>> autosign certs eliminating my intervention. This process is working well.
>
> What if you add an ssh key to the base OS image, and a script to be
> run that contacts the puppet server using the ssh key, and clears any
> cert that may exist for that client. (It could also add the newly
> created cert.) You can set the ssh server to recognize that when
> that key (from the base image) is used, the only command that may be
> run is /usr/sbin/puppetca.
>
> That way, when the machine is reimaged, after its first boot it takes
> care of the certification issue. Then, once puppet is running on the
> machine, you could have it remove the ssh key and the startup script.

I like this idea. You could even turn off autosign then.

-- 
Nigel Kersten
nig...@google.com
System Administrator
Google, Inc.
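
One way to implement the restricted key suggested in the quoted message, as an added example that is not code from this thread: a forced-command wrapper on the puppetmaster that only ever runs `/usr/sbin/puppetca --clean` for a validated certname. The wrapper path, the `clean <serial>` request format and the 8-14 character serial pattern are assumptions, and the key in the `authorized_keys` line is a placeholder.

```shell
#!/bin/sh
# Hypothetical wrapper, installed on the puppetmaster as
# /usr/local/sbin/puppetca-clean-wrapper (path is an assumption).
#
# authorized_keys entry for the key baked into the base image
# (key material is a placeholder):
#   command="/usr/local/sbin/puppetca-clean-wrapper",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...PLACEHOLDER imaging-key
#
# sshd ignores whatever command the client asks for, runs this wrapper
# instead, and passes the client's request in SSH_ORIGINAL_COMMAND.

LC_ALL=C; export LC_ALL          # make the A-Z range below byte-exact
PUPPETCA=/usr/sbin/puppetca

# Print the certname if the request is exactly "clean <serial>", else fail.
# Assumption: certnames are Mac serial numbers, 8-14 chars of A-Z and 0-9.
parse_request() {
    req=$1
    case $req in
        "clean "*) name=${req#clean } ;;
        *) return 1 ;;
    esac
    # Reject empty names and anything outside the allowed alphabet
    # (spaces, dots, slashes, shell metacharacters, option-like "-x").
    case $name in
        ""|*[!A-Z0-9]*) return 1 ;;
    esac
    len=${#name}
    [ "$len" -ge 8 ] && [ "$len" -le 14 ] || return 1
    printf '%s\n' "$name"
}

# Only act when sshd invoked us through the forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if certname=$(parse_request "$SSH_ORIGINAL_COMMAND"); then
        logger -t puppetca-wrapper "clean $certname from ${SSH_CLIENT%% *}"
        exec "$PUPPETCA" --clean "$certname"
    fi
    logger -t puppetca-wrapper "rejected request from ${SSH_CLIENT%% *}"
    exit 1
fi
```

Because the private key ships in every image, anyone holding an imaged Mac can present it; the wrapper limits what that key can do to revoking one well-formed certname per connection, and the syslog lines give the CA host a record of each request.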