Matthew Delves
2010-Jun-03 04:42 UTC
[Puppet Users] authenticating new nodes that are created by provisioning
Hey Folks,

I'm looking at doing automated provisioning of new servers and am trying to integrate puppet into this process. What I'm wondering though is what the best process for securely registering a new node is.

At the moment the first time puppet is run I have to then accept the certificate on the puppetmaster and then run puppet again.

What I would like to do is accept the certificate automatically, though am hesitant to do so as then anyone could just register against the puppetmaster.

Is there a way to do this securely?

Thanks,
Matt.
--
---------------------------------------------
Matthew Delves
System Administrator
Information Systems
Networks & Infrastructure
University of Ballarat
ph: 03 5327 9732
email: m.delves@ballarat.edu.au

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Ohad Levy
2010-Jun-03 04:56 UTC
Re: [Puppet Users] authenticating new nodes that are created by provisioning
I've solved this problem using Foreman, which provides the kickstart / preseed / jumpstart file, enables autosign, and disables autosign automatically. Foreman authenticates the hosts based on IP / MAC addresses (e.g. ksmeta). I guess you can do something similar during your provisioning phases.

Ohad

On Thu, Jun 3, 2010 at 12:42 PM, Matthew Delves <m.delves@ballarat.edu.au> wrote:
> What I would like to do is accept the certificate automatically, though am
> hesitant to do so as then anyone could just register against the
> puppetmaster.
>
> Is there a way to do this securely?
John Warburton
2010-Jun-03 05:00 UTC
Re: [Puppet Users] authenticating new nodes that are created by provisioning
When we create a new node in the node classifier, we also update .../etc/autosign.conf with the node name.

John

On 3 June 2010 14:42, Matthew Delves <m.delves@ballarat.edu.au> wrote:
> What I would like to do is accept the certificate automatically, though am
> hesitant to do so as then anyone could just register against the
> puppetmaster.
>
> Is there a way to do this securely?

--
John Warburton
Ph: 0417 299 600
Email: jwarburton@gmail.com
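An added Ruby example of the approach John describes, not code from his setup or from Puppet itself: autosign.conf is regenerated from the classifier's node list, accepting only exact fully-qualified certnames (a glob entry such as `*.example.com` would let any host presenting a name in that domain get signed) and replacing the file atomically. The file path, the regex and the node names are assumptions.

```ruby
# Added example: rebuild autosign.conf from the classifier's node list.
# Assumes autosign.conf takes one certname per line (Puppet's format);
# the path and node names used by callers are illustrative.

# Exact, fully-qualified certnames only: no '*' globs and no bare short
# names, so a single entry can never admit every host in a domain.
CERTNAME = /\A[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+\z/

# Validate and normalise the list; raises on anything that is not an
# exact FQDN so a bad classifier record cannot widen the allow list.
def autosign_entries(nodes)
  bad = nodes.reject { |n| n.is_a?(String) && CERTNAME.match?(n.downcase) }
  raise ArgumentError, "unsafe autosign entries: #{bad.inspect}" unless bad.empty?
  nodes.map(&:downcase).uniq.sort
end

# Write to a temp file and rename so the puppetmaster never reads a
# half-written autosign.conf; returns the entries written.
def write_autosign(path, nodes)
  entries = autosign_entries(nodes)
  tmp = "#{path}.tmp"
  File.open(tmp, 'w', 0640) { |f| entries.each { |e| f.puts(e) } }
  File.rename(tmp, path)
  entries
end

# Read back the current allow list, ignoring blank and comment lines.
def read_autosign(path)
  return [] unless File.exist?(path)
  File.readlines(path).map(&:strip).reject { |l| l.empty? || l.start_with?('#') }
end

# Usage on the puppetmaster (hypothetical node list from the classifier):
#   write_autosign('/etc/puppet/autosign.conf', %w[web01.example.com db01.example.com])
```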
Oded
2010-Jun-03 14:03 UTC
[Puppet Users] Re: authenticating new nodes that are created by provisioning
Never tried it myself but I think you can create the certificate as a part of the provisioning process, and then somehow place it in the new server.

http://serverfault.com/questions/19462/how-can-i-pre-sign-puppet-certificates

On Jun 3, 7:42 am, "Matthew Delves" <m.del...@ballarat.edu.au> wrote:
> What I would like to do is accept the certificate automatically, though am hesitant to do so as then anyone could just register against the puppetmaster.
>
> Is there a way to do this securely?
Todd Zullinger
2010-Jun-04 21:25 UTC
Re: [Puppet Users] Re: authenticating new nodes that are created by provisioning
Oded wrote:
> Never tried it myself but I think you can create the certificate as
> a part of the provisioning process, and then somehow place it in the
> new server.
> http://serverfault.com/questions/19462/how-can-i-pre-sign-puppet-certificates

Without reading the link to see if it's similar to what I do, I have a script I run on the puppet master to pre-generate certificates and package them as rpm's. These then go into a repository which the install is setup to use and the certificate package is installed by kickstart.

The package, if you're curious, is at:

http://tmz.fedorapeople.org/packages/puppet-host-package-0.6.0-1.el5.src.rpm

It's not polished in any way. It's one of those "works for me, someday I should finish and improve it" things.

But I prefer this to enabling autosign.

--
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The man who can make hard things easy is the educator
    -- Ralph Waldo Emerson
Hello all,

I was just wondering: there's a fileserver.conf inside /etc/puppet. Do nodes have access to the fileserver without having a signed cert? So for instance, could a random box on my LAN access files on the puppetmaster fileserver without having a signed certificate if the IP address is listed in the fileserver.conf?

Thanks,
Matt
Michael DeHaan
2010-Jun-07 13:00 UTC
Re: [Puppet Users] Re: authenticating new nodes that are created by provisioning
On Fri, Jun 4, 2010 at 5:25 PM, Todd Zullinger <tmz@pobox.com> wrote:
> Without reading the link to see if it's similar to what I do, I have a
> script I run on the puppet master to pre-generate certificates and
> package them as rpm's. These then go into a repository which the
> install is setup to use and the certificate package is installed by
> kickstart.
> [...]
> But I prefer this to enabling autosign.

Nice idea.... I like that.

I had toyed with adding such an autosign-simulating feature to Cobbler that ohad mentioned (but different*), but I don't see how that provides any greater security, as once you have automated provisioning via TFTP (it's an open protocol by design), it's really a moot point to claim you're layering extra security on top. Also Anaconda doesn't support access control around accessing kickstarts.

* = rather than enabling autosign, the system would note what hosts just started kickstart, and let cobblerd sign that specific host once it shows up in 'puppetca', polling periodically, until the host indicates it reaches 'kickstart done' status, or after 30 minutes, whichever is sooner. That way there's no need to enable autosign, but it's effectively the same thing. The system could also remove certificates for hosts that are being reinstalled if kicked off from a secure interface (can't really trust PXE and HTTP requests).

--Michael
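The windowed signing Michael sketches above, as an added Ruby example that is neither Cobbler's nor Puppet's code: the provisioning side records which hosts just requested a kickstart, and only those names are signed when they appear as pending requests, for at most 30 minutes or until the host reports done; autosign stays off and every other request waits for a human. The `puppetca --list` / `puppetca --sign` invocations and the injectable clock are assumptions.

```ruby
require 'set'
# Added example: sign only hosts that the provisioning system has just
# started installing. Nothing here enables autosign; every other CSR
# stays pending for a human to review.
class ProvisionSigner
  WINDOW = 30 * 60 # seconds a host stays eligible after requesting kickstart

  # 'now' is injectable so the expiry logic can be tested without sleeping.
  def initialize(now: -> { Time.now })
    @now = now
    @started = {}    # certname => Time the kickstart file was requested
    @done = Set.new  # hosts that reported 'kickstart done'
  end

  # Provisioning hook: the host fetched its kickstart. Call this from the
  # trusted side that scheduled the install, not from the PXE request.
  def kickstart_started(certname)
    @done.delete(certname)
    @started[certname] = @now.call
  end

  # Provisioning hook: the host reports that the install finished.
  def kickstart_done(certname)
    @done << certname
    @started.delete(certname)
  end

  # Drop hosts whose 30-minute window has passed; returns the expired names.
  def expire!
    now = @now.call
    expired = @started.select { |_, t| now - t > WINDOW }.keys
    expired.each { |n| @started.delete(n) }
    expired
  end

  # Given the pending request names (what `puppetca --list` prints),
  # return only those inside an open provisioning window.
  def select_for_signing(pending)
    expire!
    pending.select { |n| @started.key?(n) && !@done.include?(n) }
  end

  # One polling pass (assumed puppetca CLI of the era): sign eligible CSRs
  # and close each host's window as soon as its cert is signed.
  def sign_pending!
    pending = `puppetca --list`.split("\n").map(&:strip).reject(&:empty?)
    select_for_signing(pending).each do |n|
      system('puppetca', '--sign', n) ? kickstart_done(n) : warn("sign failed: #{n}")
    end
  end
end
```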
Ohad Levy
2010-Jun-07 13:10 UTC
Re: [Puppet Users] Re: authenticating new nodes that are created by provisioning
Just for completion, autosign is enabled only once a kickstart/preseed etc. file has been requested by the predefined ip address (or mac) in foreman. I agree that signing the clients without autosign is a good alternative, but I'm not sure if trusting your fqdn is any different to trusting your ip / mac address.

When choosing to reinstall a host, foreman will clean the cert (again only once the kickstart file has been requested, so you could schedule reinstalls), and when deleting a host, the certificate will be revoked.

Ohad

On Mon, Jun 7, 2010 at 9:00 PM, Michael DeHaan <michael@puppetlabs.com> wrote:
> I had toyed with adding such an autosign-simulating feature to Cobbler
> that ohad mentioned (but different*), but I don't see how that
> provides any greater security, as once you have
> automated provisioning via TFTP (it's an open protocol by design),
> it's really a moot point to claim you're layering extra security on
> top.
R.I.Pienaar
2010-Jun-07 13:15 UTC
Re: [Puppet Users] Re: authenticating new nodes that are created by provisioning
----- "Michael DeHaan" <michael@puppetlabs.com> wrote:
> * = rather than enabling autosign, the system would note what hosts
> just started kickstart, and let cobblerd sign that specific host once
> it shows up in 'puppetca', polling periodically, until the host
> indicates it reaches 'kickstart done' status, or after 30 minutes, whichever is
> sooner. That way there's no need to enable autosign, but it's
> effectively the same thing.

My machines install mcollective at install time with just a 'provisioning' agent. I can then:

- discover machines ready for provisioning without first needing to put them in an inventory db etc.
- revoke any old certs on CAs matching the new host
- install puppet, put it in the bootstrap environment
- trigger a puppet run that requests a cert
- go and sign the cert on whatever master has it (I have many masters, all more or less islands; machines just talk to their nearest)
- do another puppet run till bootstrapping is done
- put the machine in the production environment, from where it will do normal puppet runs.

So I retain the security of not having autosign enabled and can easily drive a machine through the whole process on demand. Easy to integrate into web UIs etc.

--
R.I.Pienaar