Julian Simpson
2008-Jun-27 12:32 UTC
[Puppet Users] Anybody testing puppet with Amazon EC2 machines?
Hi there,

Has anybody tested their puppet manifests using Amazon EC2 machines? I have a real-enough server accessible to the internet, but I don't have the client machines to test with. Or the space to make any.

Before I embark on this, does anybody have any advice?

Thanks.

Julian

--
Julian Simpson
I blog about building and deploying software => http://www.build-doctor.com
http://feeds.feedburner.com/TheBuildDoctor

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Adam Jacob
2008-Jun-27 23:47 UTC
[Puppet Users] Re: Anybody testing puppet with Amazon EC2 machines?
Yeah, we do this.

Basically, my recommendation is to run your puppetmaster outside of EC2, on a simple VPS slice or similar. Make sure it's set to not auto-sign certificates, and let the Puppet clients connect up to it. Then manually approve the certificates.

You'll need an external node tool, a-la iClassify, or roll your own. If you roll your own, you could make it an easy wrapper around the ec2 commands themselves.. you know what instances are running.

One thing you need to do is swap the amazon supplied hostname (which resolves internally only) to the external hostname. You can do this with an easy lookup on the internal web service.

When nodes go away, delete the certificates, since they might come back with the same hostname.

Make sure you apply any elastic IP addresses *before* puppet runs.

That's all I've got for now. :)

Adam

On Fri, Jun 27, 2008 at 5:32 AM, Julian Simpson <simpsonjulian@gmail.com> wrote:
> Hi there,
> Has anybody tested their puppet manifests using Amazon EC2 machines? I have
> a real-enough server accessible to the internet, but I don't have the client
> machines to test with. Or the space to make any.
> Before I embark on this, does anybody have any advice?
> Thanks.
> Julian
>
> --
> Julian Simpson
> I blog about building and deploying software => http://www.build-doctor.com
> http://feeds.feedburner.com/TheBuildDoctor

--
HJK Solutions - We Launch Startups - http://www.hjksolutions.com
Adam Jacob, Senior Partner
T: (206) 508-4759 E: adam@hjksolutions.com
Brian Finney
2008-Jun-28 03:20 UTC
[Puppet Users] Re: Anybody testing puppet with Amazon EC2 machines?
I've been working on a project in ec2 recently and have been thinking about this a little bit also.

Theoretical question:

How challenging would it be to get the puppetmaster to apply a separate default set of manifests before a node is fully authorized? So you could get a flow along the lines of:

* New node comes up in ec2
* Check in with puppet, cert is not signed (or signed in such a way that it is "untrusted"), "unverified" manifest is applied to do very basic non-sensitive things
* External node tool (i-classify, whatever) is used to add a fact, external resource, whatever to the new node in the puppetmaster's db
* Next check in node uses fact, external resource, ... in the unverified manifest (e.g. sets a new host name, applies an elastic ip, ...)
* Next check in node creates and submits new cert (assuming a new hostname was applied)
* External node tool can now verify hostname and such and sign the new cert, authorize the client

Does this sound reasonable? Obviously this would require code changes, I'm just not sure if it's even feasible in the current implementation. Assuming things keep moving on my project I know I will be using puppet in ec2, so I would be more than willing to write the code (finally contribute something :-)).

These are very preliminary ideas so I may be completely glossing over major issues, but since ec2 came up I figured I'd see what others thought. Right now I'm just using capistrano with deprec, and I already know it won't be enough for the kind of dynamic environment I want.

Thanks
Brian

On Fri, Jun 27, 2008 at 4:47 PM, Adam Jacob <adam@hjksolutions.com> wrote:
>
> Yeah, we do this.
>
> Basically, my recommendation is to run your puppetmaster outside of
> EC2, on a simple VPS slice or similar. Make sure it's set to not
> auto-sign certificates, and let the Puppet clients connect up to it.
> Then manually approve the certificates.
>
> You'll need an external node tool, a-la iClassify, or roll your own.
> If you roll your own, you could make it an easy wrapper around the ec2
> commands themselves.. you know what instances are running.
>
> One thing you need to do is swap the amazon supplied hostname (which
> resolves internally only) to the external hostname. You can do this
> with an easy lookup on the internal web service.
>
> When nodes go away, delete the certificates, since they might come
> back with the same hostname.
>
> Make sure you apply any elastic IP addresses *before* puppet runs.
>
> That's all I've got for now. :)
>
> Adam
>
> On Fri, Jun 27, 2008 at 5:32 AM, Julian Simpson <simpsonjulian@gmail.com> wrote:
>> Hi there,
>> Has anybody tested their puppet manifests using Amazon EC2 machines? I have
>> a real-enough server accessible to the internet, but I don't have the client
>> machines to test with. Or the space to make any.
>> Before I embark on this, does anybody have any advice?
>> Thanks.
>> Julian
>>
>> --
>> Julian Simpson
>> I blog about building and deploying software => http://www.build-doctor.com
>> http://feeds.feedburner.com/TheBuildDoctor
>
> --
> HJK Solutions - We Launch Startups - http://www.hjksolutions.com
> Adam Jacob, Senior Partner
> T: (206) 508-4759 E: adam@hjksolutions.com
James Turnbull
2008-Jun-28 03:52 UTC
[Puppet Users] Re: Anybody testing puppet with Amazon EC2 machines?
Brian Finney wrote:
> I've been working on a project in ec2 recently and have been thinking
> about this a little bit also
>
> theoretical question:
>
> How challenging would it be to get the puppetmaster to apply a
> separate default set of manifests before a node is fully authorized?
>
> Does this sound reasonable?

Can you elaborate on why you want to do this? What is the difference between your untrusted host and your trusted host? I don't quite get the approach or what the advantage is here.

Regards

James Turnbull

--
Author of:
* Pulling Strings with Puppet (http://www.amazon.com/gp/product/1590599780/)
* Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/)
* Hardening Linux (http://www.amazon.com/gp/product/1590594444/)
Brian Finney
2008-Jun-28 06:17 UTC
[Puppet Users] Re: Anybody testing puppet with Amazon EC2 machines?
Originally I was making the differentiation based on the assumption that you wouldn't know if a random host connecting to your puppetmaster can be trusted until a person looks at it. This is also assuming that you're using an external server to manage ec2 nodes and thus can't block unknown hosts with a firewall.

However, since you got me to think about it, the puppetmaster box would have access to ec2 in order to list your servers and thus could verify a host by querying ec2. Based on this the only thing that would be needed is a hook in the signing process to ask an external tool if a given host can be trusted, or a process looping over puppetca.

Awesome, that makes things better

Thanks
Brian

On Fri, Jun 27, 2008 at 8:52 PM, James Turnbull <james@lovedthanlost.net> wrote:
> Brian Finney wrote:
>> I've been working on a project in ec2 recently and have been thinking
>> about this a little bit also
>>
>> theoretical question:
>>
>> How challenging would it be to get the puppetmaster to apply a
>> separate default set of manifests before a node is fully authorized?
>>
>> Does this sound reasonable?
>
> Can you elaborate on why you want to do this? What is the difference
> between your untrusted host and your trusted host? I don't quite get
> the approach or what the advantage is here.
>
> Regards
>
> James Turnbull
>
> --
> Author of:
> * Pulling Strings with Puppet
> (http://www.amazon.com/gp/product/1590599780/)
> * Pro Nagios 2.0
> (http://www.amazon.com/gp/product/1590596099/)
> * Hardening Linux
> (http://www.amazon.com/gp/product/1590594444/)
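The two pieces of advice in this thread, Adam's "roll your own external node tool as a wrapper around the ec2 commands, sign certificates by hand and delete them when nodes go away" and Brian's "a process looping over puppetca that asks an external tool whether a host can be trusted", fit in one small script. The Ruby below is an added example written for this page, not code posted by anyone in the thread or shipped with Puppet. It assumes the tab-separated RESERVATION/INSTANCE record layout printed by `ec2-describe-instances`, that `puppetca --list` prints one pending request name per line and that `puppetca --sign` / `puppetca --clean` accept a hostname, and it adopts the convention (an assumption, not a Puppet or EC2 rule) that a reservation's security group name is the node's role. The instance listing and the pending-request list embedded below are constructed sample data.

```ruby
# Added example: gate Puppet certificate signing and external-node
# classification on what EC2 itself reports as running.
# Assumed layout of `ec2-describe-instances` output: INSTANCE records with
# field 1 = instance id, 3 = public DNS name, 4 = internal DNS name,
# 5 = state; each preceded by a RESERVATION record whose field 3 is the
# security group. Pending CSRs come from `puppetca --list`, one name per line.
require 'yaml'

# Constructed sample of `ec2-describe-instances` output (fields abridged).
EC2_OUTPUT = <<EOS
RESERVATION\tr-11111111\t123456789012\tweb
INSTANCE\ti-aaaa0001\tami-12345678\tec2-75-101-1-10.compute-1.amazonaws.com\tdomU-12-31-39-00-A1-B2.compute-1.internal\trunning\tweb-key\t0
INSTANCE\ti-aaaa0002\tami-12345678\tec2-75-101-1-11.compute-1.amazonaws.com\tdomU-12-31-39-00-A1-B3.compute-1.internal\tterminated\tweb-key\t1
RESERVATION\tr-22222222\t123456789012\tdb
INSTANCE\ti-bbbb0001\tami-87654321\tec2-75-101-1-20.compute-1.amazonaws.com\tdomU-12-31-39-00-C1-D2.compute-1.internal\trunning\tdb-key\t0
EOS

# Constructed sample of `puppetca --list` output: requests awaiting signature.
# The third name is not an EC2 instance at all and must never be signed.
PENDING_CSRS = <<EOS
ec2-75-101-1-10.compute-1.amazonaws.com
ec2-75-101-1-11.compute-1.amazonaws.com
unknown-host.example.com
EOS

# Assumed convention: security group name == role, mapped to Puppet classes.
ROLE_CLASSES = {
  'web' => %w[base apache],
  'db'  => %w[base mysql],
}

# Parse INSTANCE records, remembering the security group of the preceding
# RESERVATION record. Returns {public_hostname => info}.
def parse_instances(text)
  group = nil
  instances = {}
  text.each_line do |line|
    f = line.chomp.split("\t")
    case f[0]
    when 'RESERVATION'
      group = f[3]
    when 'INSTANCE'
      instances[f[3]] = { :id => f[1], :internal => f[4], :state => f[5], :group => group }
    end
  end
  instances
end

# Decide what to do with each pending request: sign only names that EC2 says
# are running instances; clean everything else so a stale or foreign name
# never ends up with a certificate (this is the "hook" Brian describes).
# Returns {hostname => :sign | :clean}.
def csr_decisions(pending_text, instances)
  decisions = {}
  pending_text.each_line do |line|
    name = line.strip
    next if name.empty?
    inst = instances[name]
    decisions[name] = (inst && inst[:state] == 'running') ? :sign : :clean
  end
  decisions
end

# The puppetca invocations the loop would run, shown rather than executed.
def puppetca_commands(decisions)
  decisions.map { |name, action| "puppetca --#{action} #{name}" }.sort
end

# External node classifier: puppetmaster calls it with the node name and
# expects YAML with 'classes' and 'parameters'. Returns nil for a node that
# is not a running instance, so the caller exits non-zero and the master
# refuses the node instead of handing it a catalog.
def classify(name, instances)
  inst = instances[name]
  return nil unless inst && inst[:state] == 'running'
  {
    'classes'    => ROLE_CLASSES.fetch(inst[:group], ['base']),
    'parameters' => { 'ec2_instance_id' => inst[:id], 'ec2_internal_hostname' => inst[:internal] },
  }.to_yaml
end

if __FILE__ == $0
  instances = parse_instances(EC2_OUTPUT)
  puts puppetca_commands(csr_decisions(PENDING_CSRS, instances))
  if ARGV[0]
    doc = classify(ARGV[0], instances)
    doc ? puts(doc) : abort("unknown node #{ARGV[0]}")
  end
end
```

In real use the two constants would be replaced by the live output of `ec2-describe-instances` and `puppetca --list`, the signing loop would run from cron on the puppetmaster, and the classifier would be wired in through the master's `external_nodes` setting. Because EC2 assigns the public DNS names, a request whose name is not a currently running instance is cleaned rather than signed, and the same pass removes the certificate of an instance that has since been terminated, which is exactly the case Adam warns about where a new instance comes back with a previously used hostname.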
Randy Bias
2008-Jun-30 03:24 UTC
[Puppet Users] Re: Anybody testing puppet with Amazon EC2 machines?
Just write some code to pass in the certs in the Amazon userdata and extract it at boot time.

Randy Bias, chief tactician, neoTactics, Inc.
(877) NEO-TKTX, randyb@neotactics.com

On Jun 27, 2008, at 11:17 PM, Brian Finney wrote:
> Based on this the only thing that
> would be needed is a hook in the signing process to ask an external
> tool if a given host can be trusted, or a process looping over
> puppetca.