valentino
2010-Jan-28 13:54 UTC
[Puppet Users] How to execute an arbitrary script when a puppetclient ask for a manifest?
Hi,

I would like to use Puppet in the cloud (think gogrid) to configure stem images. Virtual machines are created/destroyed on the fly under control of a load monitor. For this reason we cannot sign new Puppet clients manually; instead, we must use Puppet's autosign feature.

At the moment, Puppet only permits filtering client manifest requests with some regex over the hostname of the client. This is not enough: to be sure that the puppet client is a trusted one, we need some further checks (we need to do some queries to the cloud API).

How can we have some custom script (shell or ruby) executed each time a puppet client asks for a manifest?

Thanks,
Valentino

-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Ohad Levy
2010-Jan-29 02:37 UTC
Re: [Puppet Users] How to execute an arbitrary script when a puppetclient ask for a manifest?
On Thu, Jan 28, 2010 at 9:54 PM, valentino <miazzo.valentino@googlemail.com> wrote:
> Hi,
> I would like to use Puppet in the cloud (think gogrid) to configure
> stem images.
> Virtual machines are created/destroyed on the fly under control of a
> load monitor.

can't it also add/remove entries in autosign? in my opinion, you need to enable the cert part (autosign or auto generate) at the location where the new hosts are defined.

> For this reason we cannot sign manually new Puppet clients, instead,
> we must use Puppet's autosign feature.
>
> At the moment, Puppet just permits to filter client manifest requests
> with some regex over the hostname of the client.
> This is not enough, to be sure that the puppet client is a trusted
> one, we need some further checks (we need to do some queries to the
> cloud API).
>
> How can we have some custom script (shell or ruby) executed each time
> a puppet client asks for a manifest?

as far as I'm aware, there is no way to know if a client has triggered a request - the other alternatives I could think of:

1. parse the puppet logs and enable the machines if they request a certificate
2. have another script which enables hosts for autosign which runs before the first puppet run
3. run puppetca --list in cron and sign new hosts if they match your regexp (which is more or less like #1).

in any case, the best option is to have a custom script enabling the autosign upon the machine creation.

I've created a ruby lib handling this kind of stuff, and it's part of foreman, I can give you more info if you are interested.

cheers,
Ohad
valentino
2010-Jan-29 14:12 UTC
[Puppet Users] Re: How to execute an arbitrary script when a puppetclient ask for a manifest?
Thank you Ohad, you are right, we can obtain the wanted behavior without any sort of callback.

Using solution 3 we can have a cron job that runs puppetca --list and for each entry queries the cloud API to perform extra checks. If the checks are OK, it does puppetca --sign. The Puppet client is configured with waitforcert set to a few seconds.

Solution 3 seems the most viable:
- no web service - doesn't require creating a web service on the puppet master to handle 'check requests' coming from puppet clients (solution 2)
- no Ruby coding - we have experience with C/C++/Java. Ruby is something really new to us.

I didn't know about Foreman, quite impressive. It would be great to have provisioning extended to support common cloud APIs (EC2, rackspace, gogrid, etc...).

Bye,
Valentino
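The cron job Valentino sketches (solution 3), written out in POSIX shell as an added example that is not part of this thread. It assumes puppetca --list prints one pending hostname per line, and it stands in for the cloud API query with a constructed inventory list (KNOWN_INSTANCES) of the hostnames the load monitor actually created; a real job would replace that list with a call to the provider's API. The pending CSR names are likewise constructed samples. The check is layered the way the thread describes: the hostname regex that autosign already offers, plus the inventory lookup that autosign cannot do, and only names passing both are signed.

```shell
#!/bin/sh
# Constructed sample of `puppetca --list` output: one pending CSR hostname per line.
# Two are real instances, one matches the naming pattern but was never created,
# and one does not even match the pattern.
SAMPLE_PENDING='web-a1b2c3.example.internal
web-deadbeef.example.internal
web-0000.example.internal
rogue.example.internal'

# Constructed stand-in for the cloud inventory (assumption: in production this
# comes from a query to the cloud API, e.g. the provider's "list instances" call).
KNOWN_INSTANCES='web-a1b2c3.example.internal
web-deadbeef.example.internal'

# pending_requests: hostnames with a pending certificate request.
# In the real cron job this function body is simply: puppetca --list
pending_requests() {
    printf '%s\n' "$SAMPLE_PENDING"
}

# instance_known: succeed only if the hostname is in the cloud inventory
# (exact, whole-line match so "web-a1" cannot pass as "web-a1b2c3...").
instance_known() {
    printf '%s\n' "$KNOWN_INSTANCES" | grep -qxF -- "$1"
}

# verified_requests: pending hostnames that pass both checks.
#   1. the hostname pattern (what autosign's regex already gives you)
#   2. the cloud inventory lookup (the extra check autosign cannot do)
verified_requests() {
    pending_requests | while IFS= read -r host; do
        case "$host" in
            web-[0-9a-f]*.example.internal) ;;   # expected naming scheme
            *) continue ;;                       # reject anything else outright
        esac
        if instance_known "$host"; then
            printf '%s\n' "$host"
        fi
    done
}

# sign_verified: the cron job body. With DRY_RUN=1 (the default here) it only
# prints the command it would run; set DRY_RUN=0 on a real puppetmaster.
sign_verified() {
    verified_requests | while IFS= read -r host; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf 'would run: puppetca --sign %s\n' "$host"
        else
            puppetca --sign "$host"
        fi
    done
}

# Run from cron every minute or so, which fits a client waitforcert of a few seconds:
sign_verified
```

Unsigned requests that fail either check are simply left pending, so they show up in the next puppetca --list and can be reviewed or cleaned; nothing in the job ever signs a name it could not find in the inventory.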