Hi Thomas

On Nov 10, 12:44 pm, Thomas Bendler <[email protected]> wrote:
> Hi Chris,
>
> 2010/11/10 Chris <[email protected]>
>
> > [...]
> > file{"/path/to/foo.key": source=>"puppet:///keys/foo.key"} , because
> > any valid puppet client could access foo.key.
> > [...]
>
> you are not stuck with the puppet file server, you can also use something
> like this:
>
> file {
>   "/path/to/file":
>     source => "/nfs/$host/file";
> }
>
> Make an export for each connected server and restrict access to this one.
> Put all private files on the NFS server and you're done.
>
Yes, except that approach suffers from the same administrative problems as using puppet:/// and auth.conf. HTTPS certs aren't specific to hosts.

If I have 20 servers all requiring foo.key (because they all have the foo-application class in their manifest), then either I have to copy foo.key into 20 different directories, or else have one export with 20 allowed hosts. And every time I add the foo-application class to another host, I need to remember to also expose the key to that host. With large numbers of keys and hosts, and moderate levels of churn, this becomes difficult to manage and prone to errors.

The puppetmaster "knows" which hosts are allowed foo.key - i.e. all the hosts which include the foo-application class. It seems wrong that I should have to manually duplicate that information somewhere else, be it in an NFS exports list or an auth.conf file.

I suppose I could do something hacky with storeconfigs to update the exports on the NFS server when a new host is brought online - but it doesn't seem like a very nice solution. It would lead to the first puppet run failing because the exports weren't yet updated, for one thing.

Thanks!

Chris

> Kind regards, Thomas

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
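One way to take the duplication Chris describes out of Thomas's NFS variant is to derive the per-host export list from the class membership the puppetmaster already has, and to diff it against what the NFS server currently exports so that hosts which lost a class also lose the key. This is an added example, not code from the thread; the hostnames, the /srv/keys layout and the class-to-key mapping are constructed.

```python
from collections import defaultdict

# Constructed sample data (hypothetical hostnames): the node -> classes map is
# exactly what the puppetmaster already knows from its manifests.
NODE_CLASSES = {
    "web1.example.com": ["base", "foo-application"],
    "web2.example.com": ["foo-application"],
    "db1.example.com": ["base", "bar-database"],
}
# Constructed: NFS exports directories, so each private key gets its own
# subdirectory under KEY_ROOT (e.g. /srv/keys/foo/foo.key).
CLASS_KEY_DIRS = {"foo-application": ["foo"], "bar-database": ["bar"], "base": []}
KEY_ROOT = "/srv/keys"  # hypothetical path on the NFS server


def hosts_per_key_dir(node_classes=NODE_CLASSES, class_key_dirs=CLASS_KEY_DIRS):
    """Derive {key_dir: sorted hosts} from class membership instead of
    maintaining it by hand: a host may read a key only if it includes a
    class that needs it."""
    allowed = defaultdict(set)
    for host, classes in node_classes.items():
        for cls in classes:
            for key_dir in class_key_dirs.get(cls, []):
                allowed[key_dir].add(host)
    return {d: sorted(h) for d, h in allowed.items()}


def exports_lines(allowed, key_root=KEY_ROOT):
    """Render /etc/exports lines: one per key directory, listing only the
    hosts allowed to see it, read-only with root squashed."""
    return [
        f"{key_root}/{d} " + " ".join(f"{h}(ro,root_squash,sync)" for h in hosts)
        for d, hosts in sorted(allowed.items())
    ]


def drift(current, desired):
    """Compare the hosts currently exported ({key_dir: hosts}) with the
    desired map. 'extra' hosts still hold access after losing the class
    (the churn mistake from the thread); 'missing' hosts would fail their
    first puppet run because the export is not there yet."""
    report = {}
    for d in sorted(set(current) | set(desired)):
        cur, want = set(current.get(d, [])), set(desired.get(d, []))
        if cur != want:
            report[d] = {"extra": sorted(cur - want), "missing": sorted(want - cur)}
    return report
```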
