I'd like to extend my use of puppet to manage my desktop/notebook macs.

As others have noted, the hostname of the mobile machines tends to change
frequently, so basing the node name (in my site.pp) and the corresponding cert
and private key names on it seems to be an issue.

I seem to recall somewhat talking about this at Puppet Camp last week...

Generally my signing strategy is always to generate new certs and private keys
on the puppetmaster, and install them on the client machine as part of the
initial install (hopefully automated).

Can I generate a cert based on the macaddress of the new machine?

I tried this, and puppetca --generate made the certs and key without
complaining.

Presumably I can install these on my client machine.

If so, would I then run puppetd with the --fqdn argument, and give the mac
address there?

And what would the name of this machine be in a node specification in the
manifest?

I put

node '00:1f:5b:f8:23:f8' { }

in my manifest, and it was very unhappy.

Any advice about how I can accomplish what I am trying to do?

Thanks,

Don
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
On Oct 14, 2010, at 10:23 PM, Don Jackson wrote:
> Can I generate a cert based on the macaddress of the new machine?
> [...]
> I put
> node '00:1f:5b:f8:23:f8' { }
> in my manifest, and it was very unhappy.

If it's not too late, I would:

*) Pick something that can be a valid part of a domain name.
*) Put something at the beginning to help keep things simple.

So instead of that name it would be this or similar:

macaddress-00-1f-5b-f8-23-f8
Nigel Kersten
2010-Oct-15 18:57 UTC
Re: [Puppet Users] alternate hostnames, keys, and certs
On Thu, Oct 14, 2010 at 10:23 PM, Don Jackson <puppet-users@clark-communications.com> wrote:
> Can I generate a cert based on the macaddress of the new machine?

You're better off using UUIDs in my opinion.

man uuidgen

> If so, would I then run puppetd with the --fqdn argument, and give the mac
> address there?

no, you want to use 'certname', not fqdn.

-- 
nigel
Nigel Kersten
2010-Oct-15 20:48 UTC
Re: [Puppet Users] alternate hostnames, keys, and certs
On Fri, Oct 15, 2010 at 11:57 AM, Nigel Kersten <nigelk@google.com> wrote:
>> Can I generate a cert based on the macaddress of the new machine?
>
> You're better off using UUIDs in my opinion.
>
> man uuidgen

I should have also mentioned that for Mac clients, there's a system
hardware UUID that persists across reinstalls, and that may be useful.

system_profiler SPHardwareDataType

or

facter sp_platform_uuid

This is the same UUID used to composite ByHost preferences on OS X,
and any recent vintage Mac should have it.

-- 
nigel
A bit of followup here:
I changed my approach to build a more acceptable certname that would be
acceptable as a hostname, using code like this:
MACADDR=`facter macaddress_en0 | tr "[:upper:]" "[:lower:]" | sed 's/://g'`
MACADDRHOSTNAME="macaddr-${MACADDR}"
This results in something like this:
macaddr-001f5bf823f8
I generated the private key and signed cert on my puppetmaster, copied to a
client, and on the client, I did something like this:
puppetd --hostprivkey=/etc/puppet/ssl/private_keys/macaddr-001f5bf823f8.pem \
        --hostcert=/etc/puppet/ssl/certs/macaddr-001f5bf823f8.pem \
        --certname=macaddr-001f5bf823f8
So, things seem to be working the way I want now. Thanks to everyone for their
advice, particularly Nigel and Patrick.
Now that I have this working, I am thinking I would prefer to use this method
for all my machines. In my environment, any machine may have different host
names over the course of its useful life, including servers.
The FQDN is just another configurable state. Why have the puppet cert related
to the FQDN? When new hardware arrives, log it in my configuration management
DB by one of its MAC addresses,
drive generation of puppet cert on that, and blast/install/configure away. This
seems like a significant improvement to me.
Don
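Don's workflow above, the earlier advice to pick something that can be a valid part of a domain name, and Nigel's UUID suggestion, as an added shell example that is not code from the thread: it derives a certname from a MAC address or the platform UUID and checks that it is a valid hostname label before it is used for a cert or a node block. The sample MAC and UUID are constructed, and the uuid- prefix is my own choice, not something Puppet requires.

```shell
#!/bin/sh
# Added example, not code from the thread: build a Puppet certname from a
# hardware identifier and refuse anything that is not a valid DNS label.
# A raw MAC such as 00:1f:5b:f8:23:f8 contains colons, which is why the
# node '00:1f:5b:f8:23:f8' { } block in the thread was rejected.

# Constructed sample values; on a real Mac they would come from
#   facter macaddress_en0   and   facter sp_platform_uuid
SAMPLE_MAC='00:1F:5B:F8:23:F8'
SAMPLE_UUID='0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9'   # made up, not a real machine

# 00:1F:5B:F8:23:F8 -> macaddr-001f5bf823f8 (lowercase, colons removed, prefixed)
certname_from_mac() {
    printf 'macaddr-%s' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d ':')"
}

# Platform UUID -> uuid-0a1b2c3d-...; the hyphens are already hostname-safe.
# The "uuid-" prefix is this example's choice, not something Puppet requires.
certname_from_uuid() {
    printf 'uuid-%s' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# RFC 1123 label: lowercase letters, digits and hyphens, no leading or
# trailing hyphen, at most 63 characters. Exit status 0 means it passes.
valid_certname() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# Print the puppetd invocation from the thread for a certname and ssldir,
# but only if the pre-generated key and signed cert are really in place.
puppetd_cmdline() {
    name=$1; ssldir=${2:-/etc/puppet/ssl}
    [ -r "$ssldir/private_keys/$name.pem" ] || { echo "missing key for $name" >&2; return 1; }
    [ -r "$ssldir/certs/$name.pem" ] || { echo "missing cert for $name" >&2; return 1; }
    printf 'puppetd --hostprivkey=%s --hostcert=%s --certname=%s\n' \
        "$ssldir/private_keys/$name.pem" "$ssldir/certs/$name.pem" "$name"
}

# Run both identifiers through the same checks.
for raw in "mac:$SAMPLE_MAC" "uuid:$SAMPLE_UUID"; do
    case $raw in
        mac:*)  name=$(certname_from_mac "${raw#mac:}") ;;
        uuid:*) name=$(certname_from_uuid "${raw#uuid:}") ;;
    esac
    if valid_certname "$name"; then
        echo "certname: $name"
        echo "node '$name' { }"
    else
        echo "refusing '$name': not a valid hostname label" >&2
    fi
done
# The raw MAC fails the same check, which is what the manifest choked on.
valid_certname "$SAMPLE_MAC" || echo "rejected raw MAC '$SAMPLE_MAC'" >&2
```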
On Oct 16, 2010, at 9:00 AM, Don Jackson wrote:
> Now that I have this working, I am thinking I would prefer to use this method
> for all my machines. In my environment, any machine may have different host
> names over the course of its useful life, including servers.
> The FQDN is just another configurable state. Why have the puppet cert related
> to the FQDN?

It's often best to use hostname if you can, because you often want to set up
DNS. DNS gives you a lot of advantages. For one thing, you can find (and ssh)
into a node if you know the hostname. This assumes that computers don't move
between (internal) domains. That is true with most desktops and many laptops
that use VPN.

I will admit that it's not always feasible.