Hi there!

I'm trying to use a default host entry as a catch-all for unconfigured hosts, and I need to be able to read the client's certificate CN to use it in my monitoring system.

On these hosts I'm doing an unattended install with cobbler; in the installation step I install puppet and configure it to run with the option "--fqdn changeme-RANDOM_STRING". Then I have this entry on my puppetmaster:

    # Default
    node "default" {
        $admindomain = "default"
        #$modularit_name = "$hostname"
        $modularit_name = "$name"
        include modularit
    }

I need to set the modularit_name variable to the changeme-RANDOM_STRING I used on the command line. It seems the --fqdn option only changes the name used for the certificate and host entry lookup, but in the fqdn fact I still see the client's hostname (uname -n).

In the above default entry, if I use $hostname I get the client hostname (I don't want to change the client's hostname for this to work). If I use $name, I get "default".

I know I could write a custom fact to read the certificate CN, but is there a puppet variable that contains the client's certificate name?

BTW, I also tried $certname, but it doesn't exist.

I'm using version 0.24.8 on the puppetmaster and 0.24.4 (the ubuntu package) on the client. Will it work with a newer version on the client?

Salu2!
--
Miguel Armas <kuko@canarytek.com>
CanaryTek Consultoria y Sistemas SL
ModularIT http://www.modularit.org/

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Hi,

Why not use cobbler's external nodes feature to avoid all of this altogether? It sounds to me that you should provision your nodes when they have a purpose; if they don't have one, they should keep getting the default node.

I assumed that you have a snippet in cobbler that defines the RANDOM_STRING; maybe you could use the same way to actually let cobbler define the puppet classes that need to be included.

If it's not possible with cobbler, you might take a look at http://theforeman.org

As for your question, I think you need a custom fact.

cheers,
Ohad

On Tue, Dec 1, 2009 at 5:34 AM, Miguel Armas <kuko@canarytek.com> wrote:
> Hi there!
> I'm trying to use a default host entry as a catch-all for unconfigured
> hosts, and I need to be able to read the client's certificate CN to
> use it in my monitoring system.
> [...]
> I know I could write a custom fact to read the certificate CN, but is
> there a puppet variable that contains the clients certificate name?
>
> BTW, I also tried $certname, but it doesn't exist.
>
> I'm using version 0.24.8 on the puppetmaster and 0.24.4 (the ubuntu
> package) on the client. Will it work with a newer version on the
> client?
Miguel Armas
2009-Dec-01 20:23 UTC
Re: [Puppet Users] How to read client certificate's CN
2009/12/1 Ohad Levy <ohadlevy@gmail.com>:
> Hi,
>
> Why not use cobbler external nodes feature to avoid all of this all together

Because right now only some nodes will use cobbler; I already have >250 hosts and I don't want to change all my setup.

> sounds to me that you should provision your nodes when they have a purpose
> if they don't have one, they should keep getting the default node.

They get the default node, I just need to identify them using a unique name because I create entries in my monitoring system (and some other things that should be unique in exported resources).

Basically I need this to set up a public remote installation system based on gPXE+Cobbler+Puppet. When a server runs gPXE it will boot remotely from my server, I will provision the OS using Cobbler, it will install and set up Puppet, but when I run puppet, all clients use the "default" node and I have no way to distinguish them.

> if its not possible with cobbler, you might take a look at
> http://theforeman.org

Hmmm... interesting. Is it an OS provisioning system tied to Puppet?

> as far for your question, I think you need a custom fact.

That's what I thought, but it's ugly. I'm reading the private_key file from /var/lib/puppet/state/{state,localconfig}.yaml and it works the first time, but if I run puppetd later with a different --fqdn it doesn't change in those files. And I think it's very ugly to read the --fqdn from "ps ax | grep puppetd".

Salu2!
--
Miguel Armas <kuko@canarytek.com>
CanaryTek Consultoria y Sistemas SL
ModularIT http://www.modularit.org/
Nigel Kersten
2009-Dec-01 20:30 UTC
Re: [Puppet Users] How to read client certificate's CN
On Tue, Dec 1, 2009 at 12:23 PM, Miguel Armas <kuko@canarytek.com> wrote:
> 2009/12/1 Ohad Levy <ohadlevy@gmail.com>:
> [...]
>> as far for your question, I think you need a custom fact.
>
> That's what I thought, but it's ugly. I'm reading the private_key file
> from /var/lib/puppet/state/{state,localconfig}.yaml and it works the
> first time, but if I run puppetd later with a different --fqdn it
> doesn't change in those files. And I think it's very ugly to read the
> --fqdn from "ps ax | grep puppetd"

We have a fact that essentially just does 'puppetd --configprint certname' called 'puppet_certname'. I'd like to not have to do this, but forgot about this bit of hackery until you started this thread.

--
nigel
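Both approaches in the thread so far need the agent to report its own certname: Miguel reads it back from the state YAML files (which go stale once puppetd is restarted with a different --fqdn) and Nigel's puppet_certname fact shells out to --configprint. The Ruby below is an added example, not code from this thread, from Puppet or from Facter. It takes the certname from the subject CN of the certificate the agent actually holds, which is the name the master matched when the connection was made and which cannot drift from the running configuration. The certificate path is obtained with `puppetd --configprint hostcert`, the same mechanism Nigel's fact uses; I'm assuming the `hostcert` setting is printable on the 0.24 agents discussed here. The self-signed certificate built by `make_test_cert` is constructed test data standing in for the real `/var/lib/puppet/ssl/certs/<certname>.pem`, and the Facter registration at the end is guarded so the file also runs under plain `ruby`. One caveat for anyone reusing the value: a fact, this one included, is asserted by the client and is not checked by the master against the certificate the client presented, so it is fine for naming monitoring entries but not for any decision that needs an authenticated identity; later Puppet releases expose the master-side, verified name as `$clientcert`.

```ruby
require 'openssl'

# Return the CN from the subject of a PEM-encoded X.509 certificate, or nil
# if the subject carries no CN. Puppet stores the agent's certname in the CN.
def certname_from_pem(pem)
  cert = OpenSSL::X509::Certificate.new(pem)
  entry = cert.subject.to_a.find { |attr, _value, _type| attr == 'CN' }
  entry && entry[1]
end

# Locate and read the agent's own certificate. The path is asked from the
# agent (puppetd --configprint hostcert, assumed available on 0.24 agents)
# rather than guessed, so it follows whatever --fqdn/--ssldir the agent was
# started with. A path can be passed explicitly to avoid shelling out.
def agent_certname(hostcert = nil)
  hostcert ||= `puppetd --configprint hostcert 2>/dev/null`.strip
  return nil if hostcert.empty? || !File.file?(hostcert)
  certname_from_pem(File.read(hostcert))
rescue OpenSSL::X509::CertificateError
  nil # an unreadable or non-PEM file must not abort the whole fact run
end

# Constructed test data: a throw-away self-signed certificate with the given
# CN, standing in for /var/lib/puppet/ssl/certs/<certname>.pem.
def make_test_cert(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Register the fact when this file is loaded by Facter (for example from a
# module's lib/facter directory); plain `ruby` runs skip this block.
if defined?(Facter)
  Facter.add(:puppet_certname) do
    setcode { agent_certname }
  end
end

if __FILE__ == $0
  require 'tempfile'
  # Demonstrate against a constructed certificate; the CN mimics the
  # changeme-RANDOM_STRING names from the thread.
  Tempfile.create(['changeme-a1b2c3', '.pem']) do |f|
    f.write(make_test_cert('changeme-a1b2c3').to_pem)
    f.flush
    puts "certname from #{f.path}: #{agent_certname(f.path)}"
  end
end
```

Dropped into a module's lib/facter directory, the guarded block registers `puppet_certname` like Nigel's fact; run directly, the file only exercises the parser against the constructed certificate. Reading the CN from the certificate rather than from state.yaml also sidesteps the staleness Miguel saw, since the agent rewrites nothing here: the file it reads is the one whose name the master already accepted.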
Steven VanDevender
2009-Dec-01 21:14 UTC
Re: [Puppet Users] How to read client certificate's CN
Miguel Armas writes:
> 2009/12/1 Ohad Levy <ohadlevy@gmail.com>:
> > Hi,
> >
> > Why not use cobbler external nodes feature to avoid all of this all together
>
> Because right now only some nodes will use cobbler, I already have
> >250 hosts and I don't want to change all my setup

We recently set up Cobbler but have only some of our hosts installed via the Cobbler environment. The other hosts configured in Puppet still use the somewhat old-fashioned nodes.pp and templates.pp setup, i.e. a nodes.pp with lines like "node somehost inherits t_somehost {}" and a templates.pp with "node t_somehost { include someclass }" entries. Fortunately Puppet seems to be nice about merging information from both Cobbler and nodes/templates, and for now I have a simple shell script as a node classifier that pulls information from Cobbler. Currently we use only the "Kickstart metadata" which Cobbler exports as Puppet variable settings (of which we currently only use "environment=development" to tag hosts that use the development environment), although eventually I'd like to migrate to specifying classes exported from the Cobbler "Configuration management classes" field instead of using templates.

Our external node classifier looks like this. There are a few things that might be worth noting:

* We didn't want problems resulting from the Cobbler server being unavailable, so it uses a short timeout for fetching data from Cobbler and caches any information it gets, which is returned if the Cobbler query fails.

* Just in case we wanted to locally override anything in Cobbler, it will use a "hostname.local" file in preference to any data from Cobbler.
    #!/bin/sh
    #
    # External node classifier: print the Puppet node data for the host given
    # as $1, taking a local override file first, then Cobbler (with a short
    # timeout), then the cached copy of the last successful Cobbler answer.

    if [ "x" = "x$1" ]; then   # POSIX sh test uses "=", not "=="
        echo "Usage: $0 <hostname>"
        exit 1
    fi

    http_server=cobbler.uoregon.edu
    cache=/var/lib/puppet_node_classifier
    timeout=1 # seconds

    # everything below writes files named after $1 into the cache directory,
    # so refuse to continue if we cannot get there
    cd "$cache" || exit 1

    # allow for local node information overriding Cobbler
    if [ -f "$1".local ]
    then
        cat "$1".local
        exit 0
    fi

    # try to look up node in Cobbler, with timeout; only a non-empty answer
    # replaces the cached copy
    if curl --max-time "$timeout" "http://$http_server/cblr/svc/op/puppet/hostname/$1" 2>/dev/null \
         | sed "s/@@http_server@@/$http_server/" >"$1".tmp && [ -s "$1".tmp ]
    then
        mv "$1".tmp "$1"
    else
        rm -f "$1".tmp
    fi

    # fall back to whatever Cobbler told us last time
    if [ -f "$1" ]
    then
        cat "$1"
        exit 0
    else
        exit 1
    fi