If you want the least amount of headache at the cost of security, here is a sanitised extract from my kickstarts:

#LB: attempt to revoke and delete the certificate for this hostname; this
#should stop us having to manually clean off every cert.
#(-k disables verification of the master's TLS certificate.)
curl -k -X PUT -H "Content-Type: text/pson" --data '{"desired_state":"revoked"}' https://puppet:8140/production/certificate_status/$HOSTNAME
curl -k -X DELETE -H "Accept: pson" https://puppet:8140/production/certificate_status/$HOSTNAME
#LB: run Puppet, our hostname should be set correctly by now
puppet agent --test --pluginsync --report --environment testing


You will need this in auth.conf on your master:

#allow hosts to delete their own certificates
#path /certificate_status/([^/]+)$
path ~ /certificate_status/([^/]+)$
auth any
allow $1

Hope that helps,

-Luke
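Added example, not from Luke's post and not Puppet's own source: a small Ruby model of how a Puppet 3 auth.conf rule like the one above decides a request, so that what `allow $1` restricts and what `auth any` opens up can be seen on concrete inputs. It assumes the documented auth.conf semantics: the path is matched after the environment prefix has been stripped (so `/certificate_status/<name>`), `$1` in an allow entry is the first capture of the path regex, HTTP verbs map to indirector methods (GET=find, PUT=save, DELETE=destroy), an authenticated client is identified by its certname and an unauthenticated one by the reverse-DNS name of its source IP. The hostnames, the `decide` helper and the STRICT_RULE variant are constructed for the example.

```ruby
# Model of a Puppet 3 auth.conf rule (example code, not Puppet's implementation).
# Assumed semantics: path already has the environment prefix stripped; allow
# entries may use $N backreferences into the path regex; an unauthenticated
# client is named by the reverse DNS of its IP. Hostnames below are made up.

Rule    = Struct.new(:path_re, :actions, :auth, :allow)   # actions nil => every method
Request = Struct.new(:verb, :path, :certname, :reverse_dns)

VERB_TO_ACTION = { 'GET' => 'find', 'PUT' => 'save', 'DELETE' => 'destroy' }.freeze

# true/false when the rule applies and decides the request, nil when it does not apply.
def rule_decides(rule, req)
  m = rule.path_re.match(req.path)
  return nil unless m
  return nil if rule.actions && !rule.actions.include?(VERB_TO_ACTION[req.verb])

  authenticated = !req.certname.nil?
  return false if rule.auth == 'yes' && !authenticated   # client cert required
  return false if rule.auth == 'no'  && authenticated    # only anonymous callers
  # 'any': both kinds of caller reach the allow list

  # The name the allow list is compared against: certname if the client
  # presented a certificate, otherwise whatever reverse DNS says about its IP.
  identity = authenticated ? req.certname : req.reverse_dns
  return false if identity.nil?

  rule.allow.any? do |pattern|
    # expand $1, $2 ... from the path regex captures before comparing
    expanded = pattern.gsub(/\$(\d+)/) { m[Regexp.last_match(1).to_i] }
    expanded == '*' || expanded == identity
  end
end

# The rule from the post: any auth state, every method, caller may only name itself.
LOOSE_RULE  = Rule.new(%r{/certificate_status/([^/]+)$}, nil, 'any', ['$1'])
# A tighter variant: certificate-holding clients only, and only revoke/delete.
STRICT_RULE = Rule.new(%r{^/certificate_status/([^/]+)$}, %w[save destroy], 'yes', ['$1'])

def decide(rule, verb, path, certname: nil, reverse_dns: nil)
  rule_decides(rule, Request.new(verb, path, certname, reverse_dns))
end

if __FILE__ == $PROGRAM_NAME
  me = 'web01.example.com'
  [
    ['authenticated, own cert',         LOOSE_RULE,  'DELETE', "/certificate_status/#{me}",            { certname: me }],
    ['authenticated, someone else',     LOOSE_RULE,  'DELETE', '/certificate_status/db01.example.com', { certname: me }],
    ['no client cert, reverse DNS ok',  LOOSE_RULE,  'DELETE', "/certificate_status/#{me}",            { reverse_dns: me }],
    ['no client cert, strict rule',     STRICT_RULE, 'DELETE', "/certificate_status/#{me}",            { reverse_dns: me }],
  ].each do |label, rule, verb, path, ident|
    puts format('%-32s %s', label, decide(rule, verb, path, **ident).inspect)
  end
end
```

The third case is the kickstart situation: a freshly installed host has no certificate yet, so under `auth any` the only thing gating a revoke or delete of some other host's certificate is reverse DNS for the caller's source IP (or control of that IP). The `auth yes` variant closes that, at the price of demanding a client certificate that a reinstalled host does not yet have.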

On 17/09/12 19:16, Douglas Garstang wrote:
I probably should have been clearer with my question. I was more
interested in how people are managing certificates? Even if you use
autosign, you still need to clean certificates manually.

Doug.

On Mon, Sep 17, 2012 at 6:25 AM, Keiran Sweet <kei...@gmail.com> wrote:
Hi There,
I manage a relatively large RHEL environment, we handle provisioning as
follows:

- PXE + Kickstart to bootstrap and install the base OS + Puppet client onto
the platform, be it VMware or bare metal
- Kickstart post scripts put a basic puppet configuration file in place on
the host, and a number of the values for things such as environment and
puppetmaster come from Foreman's macros; this allows values in the ENC to
flow into the kickstart files before your first puppet run.

We then run in the %post section of the kickstart file the following:
- A Puppet run that bootstraps the puppet client using tags, i.e. --tags
puppet::client
- A full puppet run via puppet agent -tov which applies the SOE to the
platform

That provides on first boot a fully configured RHEL server that includes all
our additional software and customisations in about 3-5 minutes (not
including POST)

In regards to certs, we have a relatively open autosign.conf on our build
networks, so we can provision servers, physical or virtual, quite quickly by
just hitting F12 for a network boot. I am sure there are some cleaner/more
secure things we can do provisioning wise, however these have been slightly
hindered by the RHN Satellite server I've been slowly pulling out of the
environment at the same time, as it had the potential to break things if I
wasn't careful.

ENC wise, I can't recommend Foreman enough, version 1.x is just brilliant,
you can see the macros it can provide here:
http://theforeman.org/projects/foreman/wiki/TemplateWriting

Hope this helps,

K

On Sunday, September 16, 2012 7:22:03 AM UTC+1, Douglas wrote:
I'm wondering what people are doing systems provisioning with, ie the
process that gets puppet installed onto a system, running for the
first time, and also the handling of certificate signing and so forth.
I don't see this topic discussed much.

The mc-provision tools at
https://github.com/ripienaar/mcollective-server-provisioner don't seem
to be actively developed anymore, or at least I wasn't able to find
enough documentation to be able to effectively make use of it.

Doug
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/NrKmbHHiaq8J.

To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

--
Luke Bigum
Senior Systems Engineer

Information Systems
Ph: +44 (0) 20 3192 2520
luke.bi...@lmax.com | http://www.lmax.com
LMAX, Yellow Building, 1A Nicholas Road, London W11 4AN


FX and CFDs are leveraged products that can result in losses exceeding
your deposit.  They are not suitable for everyone so please ensure you
fully understand the risks involved.  The information in this email is not
directed at residents of the United States of America or any other
jurisdiction where trading in CFDs and/or FX is restricted or prohibited
by local laws or regulations.

The information in this email and any attachment is confidential and is
intended only for the named recipient(s). The email may not be disclosed
or used by any person other than the addressee, nor may it be copied in
any way. If you are not the intended recipient please notify the sender
immediately and delete any copies of this message. Any unauthorised
copying, disclosure or distribution of the material in this e-mail is
strictly forbidden.

LMAX operates a multilateral trading facility. Authorised and regulated by the Financial Services Authority (firm registration number 509778) and is registered in England and Wales (number 06505809). Our registered address is Yellow Building, 1A Nicholas Road, London, W11 4AN.
