Puppet users - Jun 2008 - Anybody testing puppet with Amazon ECC machines?

Hi there,

Has anybody tested their puppet manifests using Amazon ECC machines?   
I have a real-enough server accessible to the internet, but I don''t  
have the client machines to test with.  Or the space to make any.

Before I embark on this, does anybody have any advice?

Thanks.

Julian

-- 
Julian Simpson
I blog about building and deploying software => http://www.build- 
doctor.com
http://feeds.feedburner.com/TheBuildDoctor


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Yeah, we do this.

Basically, my recommendation is to run your puppetmaster outside of
EC2, on a simple VPS slice or similar.  Make sure it''s set to not
auto-sign certificates, and let the Puppet clients connect up to it.
Then manually approve the certificates.

You''ll need an external node tool, a-la iClassify, or roll your own.
If you roll your own, you could make it an easy wrapper around the ec2
commands themselves.. you know what instances are running.

One thing you need to do is swap the amazon supplied hostname (which
resolves internally only) to the external hostname.  You can do this
with an easy lookup on the internal web service.

When nodes go away, delete the certificates, since they might come
back with the same hostname.

Make sure you apply any elastic IP addresses *before* puppet runs.

That''s all I''ve got for now. :)

Adam

On Fri, Jun 27, 2008 at 5:32 AM, Julian Simpson <simpsonjulian@gmail.com>
wrote:
> Hi there,
> Has anybody tested their puppet manifests using Amazon ECC machines?  I
have
> a real-enough server accessible to the internet, but I don''t have
the client
> machines to test with.  Or the space to make any.
> Before I embark on this, does anybody have any advice?
> Thanks.
> Julian
>
> --
> Julian Simpson
> I blog about building and deploying software =>
http://www.build-doctor.com
> http://feeds.feedburner.com/TheBuildDoctor
>
> >
>


-- 
HJK Solutions - We Launch Startups - http://www.hjksolutions.com
Adam Jacob, Senior Partner
T: (206) 508-4759 E: adam@hjksolutions.com

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

I''ve been working on a project in ec2 recently and have been thinking
about this a little bit also

theoretical question:

How challenging would it be to get the puppetmaster to apply a
separate default set of manifests before a node is fully authorized?

So you could get a flow along the lines of:
* New node comes up in ec2
* Check in with puppet, cert is not signed (or signed in such a way
that it is "untrusted"), "unverified" manifest is applied to
do very
basic non synsitive things
* External node tool (i-classify, whatever) is used to add a fact,
external resource, whatever to the new node in the puppetmaster''s db
* Next check in node uses fact, external resource, ... in the
unverified manifest (e.g. sets a new host name, applies an elastic ip,
...)
* Next check in node creates and submits new cert (assuming a new
hostname was applied)
* External node tool can now verify hostname and such and sign the new
cert, authorize the client

Does this sound reasonable?

Obviously this would require code changes, I''m just not sure if
it''s
even feasible in the current implementation.  Assuming things keep
moving on my project I know I will be using puppet in ec2, so I would
be more than willing to write the code (finally contribute something
:-)).

These are very preliminary ideas so I may be completely glossing over
major issues, but sense ec2 came up figured I''d see what other
thought.

Right now I''m just using capistrano with deprec, and I already know it
won''t be enough for the kind of dynamic environment I want.

Thanks
Brian

On Fri, Jun 27, 2008 at 4:47 PM, Adam Jacob <adam@hjksolutions.com>
wrote:
>
> Yeah, we do this.
>
> Basically, my recommendation is to run your puppetmaster outside of
> EC2, on a simple VPS slice or similar.  Make sure it''s set to not
> auto-sign certificates, and let the Puppet clients connect up to it.
> Then manually approve the certificates.
>
> You''ll need an external node tool, a-la iClassify, or roll your
own.
> If you roll your own, you could make it an easy wrapper around the ec2
> commands themselves.. you know what instances are running.
>
> One thing you need to do is swap the amazon supplied hostname (which
> resolves internally only) to the external hostname.  You can do this
> with an easy lookup on the internal web service.
>
> When nodes go away, delete the certificates, since they might come
> back with the same hostname.
>
> Make sure you apply any elastic IP addresses *before* puppet runs.
>
> That''s all I''ve got for now. :)
>
> Adam
>
> On Fri, Jun 27, 2008 at 5:32 AM, Julian Simpson
<simpsonjulian@gmail.com> wrote:
>> Hi there,
>> Has anybody tested their puppet manifests using Amazon ECC machines?  I
have
>> a real-enough server accessible to the internet, but I don''t
have the client
>> machines to test with.  Or the space to make any.
>> Before I embark on this, does anybody have any advice?
>> Thanks.
>> Julian
>>
>> --
>> Julian Simpson
>> I blog about building and deploying software =>
http://www.build-doctor.com
>> http://feeds.feedburner.com/TheBuildDoctor
>>
>> >
>>
>
>
>
> --
> HJK Solutions - We Launch Startups - http://www.hjksolutions.com
> Adam Jacob, Senior Partner
> T: (206) 508-4759 E: adam@hjksolutions.com
>
> >
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Brian Finney wrote:
> I''ve been working on a project in ec2 recently and have been
thinking
> about this a little bit also
> 
> theoretical question:
> 
> How challenging would it be to get the puppetmaster to apply a
> separate default set of manifests before a node is fully authorized?
> 
> Does this sound reasonable?
Can you elbaorate on why you want to do this?  What is the difference
between your untrusted host and your trusted host?  I don''t quite get
the approach or the what the advantage is here.

Regards

James Turnbull

-- 
Author of:
* Pulling Strings with Puppet
(http://www.amazon.com/gp/product/1590599780/)
* Pro Nagios 2.0
(http://www.amazon.com/gp/product/1590596099/)
* Hardening Linux
(http://www.amazon.com/gp/product/1590594444/)

Originally I was making the differentiation based on the assumption
that you wouldn''t know if a random host connecting to your
puppetmaster can be trusted until a persons looks at it.  This is also
assuming that your using an external server to manage ec2 nodes and
thus can''t block unknown hosts with a firewall.
However, sense you got me to think about it, the puppetmaster box
would have access to ec2 in order to list your servers and thus could
verify a host by querying ec2.  Based on this the only thing that
would be needed is a hook in the signing process to ask an external
tool if a given host can be trusted, or a process looping over
puppetca.

Awesome, that makes things better

Thanks
Brian

On Fri, Jun 27, 2008 at 8:52 PM, James Turnbull <james@lovedthanlost.net>
wrote:
> Brian Finney wrote:
>> I''ve been working on a project in ec2 recently and have been
thinking
>> about this a little bit also
>>
>> theoretical question:
>>
>> How challenging would it be to get the puppetmaster to apply a
>> separate default set of manifests before a node is fully authorized?
>>
>> Does this sound reasonable?
>
> Can you elbaorate on why you want to do this?  What is the difference
> between your untrusted host and your trusted host?  I don''t quite
get
> the approach or the what the advantage is here.
>
> Regards
>
> James Turnbull
>
> --
> Author of:
> * Pulling Strings with Puppet
> (http://www.amazon.com/gp/product/1590599780/)
> * Pro Nagios 2.0
> (http://www.amazon.com/gp/product/1590596099/)
> * Hardening Linux
> (http://www.amazon.com/gp/product/1590594444/)
>
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Just write some code to pass in the certs in the Amazon userdata and  
extract it at boot time.


Randy Bias, chief tactician, neoTactics, Inc.
(877) NEO-TKTX, randyb@neotactics.com


On Jun 27, 2008, at 11:17 PM, Brian Finney wrote:
> Based on this the only thing that
> would be needed is a hook in the signing process to ask an external
> tool if a given host can be trusted, or a process looping over
> puppetca.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---