not entirely image-based; when a new server was booted for the first time:
 1. it made an HTTP call to the puppetmaster with its hostname to do puppet cert
clean <hostname>
 2. did a puppet run
 3. made an HTTP call to do puppet cert sign

It was kind of autosign, plus in case the cert already existed it was removed
and re-generated.

Sure, security is poor in this approach, but it can be limited to only the build
VLAN.

Andrey
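The weak point in the flow described above is the HTTP endpoint that runs puppet cert clean and puppet cert sign for whatever hostname the caller supplies: any host that can reach it can evict or sign another node's certificate. The following is an added illustration, not code from the thread or from Puppet, of the gatekeeping such an endpoint would need beyond a VLAN ACL: a per-host, time-limited HMAC token issued at provisioning time, a source-address check against the build VLAN, and a strict certname check so the hostname can never reach a shell. The CIDR, secret and hostnames are constructed sample values; the decision functions only return the argv they would run rather than executing it.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed values for the example; a real endpoint would load these from
# configuration and a secrets store, and rotate the secret.
BUILD_VLAN = ipaddress.ip_network("10.10.20.0/24")
PROVISIONING_SECRET = b"example-provisioning-secret-rotate-me"
ALLOWED_ACTIONS = ("clean", "sign")

# RFC 1123-style hostname, lowercase as Puppet certnames are. Anything with
# shell metacharacters, spaces or path separators fails to match.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def host_token(hostname: str, expires: int) -> str:
    """Token handed to a node at image-build / PXE time (constructed scheme).

    It binds the hostname and an expiry (Unix time) under the provisioning
    secret, so a token issued for node A cannot clean or sign node B, and a
    leaked token stops working once the build window has passed.
    """
    msg = f"{hostname}|{expires}".encode()
    return hmac.new(PROVISIONING_SECRET, msg, hashlib.sha256).hexdigest()


def authorize(action: str, hostname: str, remote_ip: str,
              expires: int, token: str, now: int):
    """Decide whether the endpoint may act on this request.

    Returns (allowed, reason). Checks are ordered cheapest-first; the HMAC
    comparison is constant-time so the token cannot be guessed byte by byte.
    """
    if action not in ALLOWED_ACTIONS:
        return False, "unknown action"
    if len(hostname) > 253 or not HOSTNAME_RE.match(hostname):
        return False, "malformed hostname"
    try:
        ip = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False, "malformed source address"
    if ip not in BUILD_VLAN:
        return False, "source outside build VLAN"
    if now > expires:
        return False, "token expired"
    if not hmac.compare_digest(host_token(hostname, expires), token):
        return False, "token mismatch"
    return True, "ok"


def planned_command(action: str, hostname: str, remote_ip: str,
                    expires: int, token: str, now: int):
    """argv the endpoint would execute for an authorised request, else None.

    A real endpoint would pass this list to subprocess.run() without a shell;
    the hostname has already been constrained to a safe character set above.
    """
    allowed, _ = authorize(action, hostname, remote_ip, expires, token, now)
    if not allowed:
        return None
    return ["puppet", "cert", action, hostname]


if __name__ == "__main__":
    # Constructed walk-through of steps 1 and 3 from the message above.
    node, window_end, clock = "node01.build.example", 2000, 1000
    tok = host_token(node, window_end)
    for step in ("clean", "sign"):
        print(step, authorize(step, node, "10.10.20.15", window_end, tok, clock))
    print("from another VLAN:", authorize("clean", node, "192.0.2.7", window_end, tok, clock))
```

If the master runs a Puppet version with policy-based autosigning, the same checks fit naturally into the executable named by the autosign setting, which removes the need for a separate HTTP listener for the sign step; the clean step still deserves its own gate, since it is the one that can knock a live node off the master.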




On 9 January 2014 15:12, Pablo Fernandez <pablo.fernan...@cscs.ch> wrote:

>  I understand your point. I guess the SSL layer will render the request as
> illegitimate, but even if it doesn't, it may be playing with fire :)
>
> Thanks all for your thoughts, let me then present this as a generic
> question: did anybody try puppet on image-based systems? It would be
> wonderful to get some first-hand hints.
>
> Thanks again!
> BR/Pablo
>
>
>
> On 01/09/2014 04:05 PM, jcbollinger wrote:
>
>
>
> On Thursday, January 9, 2014 6:40:42 AM UTC-6, pablo.f...@cscs.ch wrote:
>>
>>  Thanks for your suggestions,
>>
>> Running masterless is a bit too exotic, since we would like to use all
>> those nice features that make a Puppet installation complete: especially
>> hiera searches and PuppetDB. Modules, too, should be compatible with other
>> clusters, so no big deviations can occur.
>>
>> Enabling auto-sign, as Jose Luis suggested, may be a possibility. I have
>> just checked myself if autosign works if the same node was already
>> registered in the CA... but according to the documentation it does not look
>> like it, not to mention the security issues that come with it.
>>
>> Does the certificate name need to match the fqdn for puppet to allow
>> connections?
>>
>>
>
> I'm not certain, but even if not, what you propose is dangerous.  The
> master uses the certificate presented by the agent not just to authorize
> the agent, but also to *identify* it.  If all your nodes present the same
> certificate to the master, then they all claim to be the same machine,
> which is a lie.  I don't foresee any specific failure scenarios associated
> with that, but it is unwise to mess with the system's underlying
> assumptions in such a way.
>
>
> John
>
>  --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/3c8f53f8-09a2-4bd8-8fa8-1986efdafeb3%40googlegroups.com
> .
> For more options, visit https://groups.google.com/groups/opt_out.
