I''d like to generate config files containing passwords. One (obvious)
way to do this would be:
$password = ''big_secret''
file {
''/the/config.file'':
content => template(''config.file.erb'');
}
# config.file.erb has a `password = <%= password %>` line
The problem with this is, that I''d have to store the password on the
puppetmaster. I''d like to be able, to store passwords only on the
clients and generate config files with these passwords. This is what
I came up with:
http://well.done.hu/temp/password_on_client.pp
Do you have any better idea? This method just feels too messy -- I
have to define 4 additional resources to get the config generated.
I''m sure some of you came across this problem too.
TIA,
Gabor
On Apr 20, 2007, at 4:46 AM, Veszi Gabor wrote:> > The problem with this is, that I''d have to store the password on the > puppetmaster. I''d like to be able, to store passwords only on the > clients and generate config files with these passwords. This is what > I came up with: > > http://well.done.hu/temp/password_on_client.pp > > Do you have any better idea? This method just feels too messy -- I > have to define 4 additional resources to get the config generated. > I''m sure some of you came across this problem too.Puppet is heavily geared towards no client-only information when you use puppetmasterd, so I can''t think of a better way to do what you want. Why do you want the passwords only on the client? -- I have learned to use the word ''impossible'' with the greatest caution. -- Wernher von Braun --------------------------------------------------------------------- Luke Kanies | http://reductivelabs.com | http://madstop.com
On 2007.04.20., at 16:40, Luke Kanies wrote:> Why do you want the passwords only on the client?I have the manifests in an SVN repository which is checked out on my iBook. If someone steals my iBook and gets into my system, she could see the passwords in the manifests. I know I could edit the files on the server and never worry about my iBook, but I live my life in TextMate. :) Thanks for your answer! Gabor
On Apr 20, 2007, at 9:49 AM, Veszi Gabor wrote:> > I have the manifests in an SVN repository which is checked out on my > iBook. If someone steals my iBook and gets into my system, she could > see the passwords in the manifests. > > I know I could edit the files on the server and never worry about my > iBook, but I live my life in TextMate. :)Ah; so your real need is not to have the passwords in SVN, rather than not having them on the client. That''s easy: Just create a script that you run with the ''generate'' function (new in 0.22.3, I think). It will generate your passwords for you, probably caching them on the server, such that the client gets the right password but they''re only ever stored on the server and never make it into SVN or onto your laptop. Make sense? -- Due to circumstances beyond your control, you are master of your fate and captain of your soul. --------------------------------------------------------------------- Luke Kanies | http://reductivelabs.com | http://madstop.com