On 01/09/2014 10:12 AM, Pablo Fernandez wrote:
I understand your point. I guess the SSL layer will render the request
as illegitimate, but even if it doesn't, it may be playing with fire :)
No, actually it doesn't verify certname against fqdn or any such, so
technically you could bake in a single cert for an image. It's a bad
idea because the Puppet master is supposed to know the state of a node,
and it can't in that case (facts associated with the node like fqdn and
ip and mac addresses will be constantly churning).
I use Puppet on image-based systems. As part of the sysprep step (making
the image generic for future spawning), I go and delete ssl certs from
either /var/lib/puppet/ssl or the Windows equivalent. I make sure the
agent is configured to hit the correct puppet master on first run,
although I don't personally autosign.
With 3.4's autosign hooks, you can presumably configured a shared key
between your puppet master and baked images such that a node signals
that it should be issued a certificate on provision.
Jeff
Thanks all for your thoughts, let me then present this as a generic
question: did anybody try puppet on image-based systems? It would be
wonderful to get some first-hand hints.
Thanks again!
BR/Pablo
On 01/09/2014 04:05 PM, jcbollinger wrote:
On Thursday, January 9, 2014 6:40:42 AM UTC-6, pablo.f...@cscs.ch wrote:
Thanks for your suggestions,
Running masterless is a bit too exotic, since we would like to
use all those nice features that make a Puppet installation
complete: specially hiera searches and PuppetDB. Modules, too,
should be compatible with other clusters, so no big deviations
can occur.
Enabling auto-sign, as Jose Luis suggested, may be a possibility.
I have just checked myself if autosign works if the same node was
already registered in the CA... but according to the
documentation it does not look like it, not to mention the
security issues that come with it.
Does the certificate name need to match the fqdn for puppet to
allow connections?
I'm not certain, but even if not, what you propose is dangerous. The
master uses the certificate presented by the agent not just to
authorize the agent, but also to /identify/ it. If all your nodes
present the same certificate to the master, then they all claim to be
the same machine, which is a lie. I don't foresee any specific
failure scenarios associated with that, but it is unwise to mess with
the system's underlying assumptions in such a way.
John
--
You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/3c8f53f8-09a2-4bd8-8fa8-1986efdafeb3%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
--
You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/52CEBC6A.3070403%40cscs.ch.
For more options, visit https://groups.google.com/groups/opt_out.
--
You received this message because you are subscribed to the Google Groups "Puppet
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/52CF2955.2000306%40bericotechnologies.com.
For more options, visit https://groups.google.com/groups/opt_out.