I am having some trouble finding out how to configure the puppet certificates. I will start with my use case:

1. New nodes are not connected to the DNS server, so they need to be able to access the puppet server using the IP address. I can manually create the key, but I was hoping that I can just configure puppet to do it.

2. I would like to be able to specify a few hostnames and have the existing certs cleaned without having to invoke puppetca --clean on the server. This will be the initial hostname provided by kickstart (before they get their real ones from puppet).

If I can't make these config changes, then can I just disable the certs? Is there a way to allow for password or some other kind of auth?

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en

Dan Bode wrote:
> I am having some trouble finding out how to configure the puppet
> certificates. I will start with my use case:
>
> 1. New nodes are not connected to the DNS server, so they need to be
> able to access the puppet server using the IP address. I can manually
> create the key, but I was hoping that I can just configure puppet to
> do it.

Why not just include an entry in /etc/hosts for your puppetmaster as part of your kickstart image?

> 2. I would like to be able to specify a few hostnames and have the
> existing certs cleaned without having to invoke puppetca --clean on
> the server. This will be the initial hostname provided by kickstart
> (before they get their real ones from puppet)

Kickstart really handles assigning hostnames better than Puppet. The model we advocate is to get your host bootstrapped and identified and let puppet take over from there. That being said, you should be able to generate a default cert and sign it with the CA. Then you can include that cert as part of your Kickstart profile. The newly kick started host should be able to contact the puppetmaster and pull down the configs assigned to your default Kickstart node name. Not sure why you would want to remove certs in this case, but you can generate and sign new certs on the puppetmaster by issuing a "puppetca --generate foobar.com" and remove a specific cert using "puppetca --clean foobar.com".

> If I can't make these config changes, then can I just disable the
> certs? Is there a way to allow for password or some other kind of auth?

Puppet only supports certificate authentication. You could copy all of your manifests to every host or mount them via networked filesystem during kickstart and then just use the puppet binary locally on each system. Or similarly, just have a short puppet manifest included as part of kickstart and then use kickstart to execute the manifest. I am doing something similar to bootstrap/assign personality to virtual machines.

Cheers,
Teyo

Thanks for the quick reply. I was just trying to keep as few lines in the post section of the kickstart config file as possible.

Using /etc/hosts is ok for the first part. For the cert, I can generate the keys for the temporary hosts, then assign them in the post section of kickstart.

As for hostname management, we want one centralized place to make configs. We don't want to have to make edits to both site.pp and kickstart.cfg for every host deployment. So in kickstart, I want to do something like the following (where workstation includes amongst other things the dhcp class, which inherits the network class):

    node "tmp-address" {
        $my_ipaddr = "IPPADDR"
        $my_hostname = "HOSTNAME"
        include workstation
        # include server
    }

/etc/hosts works for this

On Sep 4, 5:51 pm, Teyo Tyree <t...@reductivelabs.com> wrote:
> Dan Bode wrote:
> > I am having some trouble finding out how to configure the puppet
> > certificates. I will start with my use case:
> >
> > 1. New nodes are not connected to the DNS server, so they need to be
> > able to access the puppet server using the IP address. I can manually
> > create the key, but I was hoping that I can just configure puppet to
> > do it.
>
> Why not just include an entry in /etc/hosts for your puppetmaster as part
> of your kickstart image?
>
> > 2. I would like to be able to specify a few hostnames and have the
> > existing certs cleaned without having to invoke puppetca --clean on
> > the server. This will be the initial hostname provided by kickstart
> > (before they get their real ones from puppet)
>
> Kickstart really handles assigning hostnames better than Puppet. The
> model we advocate is to get your host bootstrapped and identified and
> let puppet take over from there. That being said, you should be able to
> generate a default cert and sign it with the CA. Then you can include
> that cert as part of your Kickstart profile. The newly kick started
> host should be able to contact the puppetmaster and pull down the
> configs assigned to your default Kickstart node name. Not sure why you
> would want to remove certs in this case, but you can generate and sign
> new certs on the puppetmaster by issuing a "puppetca --generate
> foobar.com" and remove a specific cert using "puppetca --clean foobar.com".
>
> > If I can't make these config changes, then can I just disable the
> > certs? Is there a way to allow for password or some other kind of auth?
>
> Puppet only supports certificate authentication. You could copy all of
> your manifests to every host or mount them via networked filesystem
> during kickstart and then just use the puppet binary locally on each
> system. Or similarly, just have a short puppet manifest included as
> part of kickstart and then use kickstart to execute the manifest. I am
> doing something similar to bootstrap/assign personality to virtual machines.
>
> Cheers,
> Teyo
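
The two bootstrap steps discussed in this thread (an /etc/hosts entry for the puppetmaster, and a pre-signed default certificate installed from the kickstart %post section), as an added example that is not part of any poster's message. The certificate name kickstart-default, the source file names, the IP address and the ssldir path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: helpers for a kickstart %post section. ROOT is a target root
# prefix ("" on the real host) so they can be tried on a scratch tree first.

# pin_master ROOT IP NAME: make NAME resolve to IP via ROOT/etc/hosts.
pin_master() {
    hosts="$1/etc/hosts"
    mkdir -p "$1/etc" && touch "$hosts" || return 1
    # Keep comment lines; drop any line that already names the master, so
    # running this twice leaves exactly one entry.
    awk -v n="$3" '/^[ \t]*#/ { print; next }
        { for (i = 2; i <= NF; i++) if ($i == n) next; print }' \
        "$hosts" > "$hosts.new" || return 1
    printf '%s\t%s\n' "$2" "$3" >> "$hosts.new"
    chmod 644 "$hosts.new" && mv "$hosts.new" "$hosts"
}

# is_pem FILE LABEL: true if FILE starts with a PEM header ending in LABEL.
is_pem() {
    head -n 1 "$1" 2>/dev/null | grep -q -- "^-----BEGIN .*$2-----"
}

# install_bootstrap_cert ROOT SSLDIR NAME SRC
# Copies SRC/NAME.crt, SRC/NAME.key and SRC/ca.crt (file names are assumptions)
# into the certs/ and private_keys/ directories under ROOT/SSLDIR.
install_bootstrap_cert() {
    ssl="$1$2" name=$3 src=$4
    # Refuse swapped or truncated files before touching the target.
    is_pem "$src/$name.crt" CERTIFICATE || { echo "bad cert" >&2; return 1; }
    is_pem "$src/ca.crt" CERTIFICATE || { echo "bad CA cert" >&2; return 1; }
    is_pem "$src/$name.key" "PRIVATE KEY" || { echo "bad key" >&2; return 1; }
    mkdir -p "$ssl/certs" "$ssl/private_keys" || return 1
    chmod 700 "$ssl/private_keys" || return 1
    cp "$src/$name.crt" "$ssl/certs/$name.pem" || return 1
    cp "$src/ca.crt" "$ssl/certs/ca.pem" || return 1
    # Create the key file mode 0600 before any key bytes are written to it.
    ( umask 077 && rm -f "$ssl/private_keys/$name.pem" &&
      cat "$src/$name.key" > "$ssl/private_keys/$name.pem" )
}

# In %post (all values are assumptions):
#   pin_master "" 192.0.2.10 puppet
#   install_bootstrap_cert "" /var/lib/puppet/ssl kickstart-default /tmp/bootstrap
```

Every host built from this profile holds the same private key, so the puppetmaster should serve the default node name only what a freshly kickstarted machine needs.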