Hi all,

I'm trying to work out the best way to ensure that my systems run puppet at first boot without having to run puppetca --sign or have wildcards in my auth file.

All nodes are stored in an external database, so what I want to tell puppet is "if it's in the database, authenticate it, otherwise ignore it". Is this possible using the "external-node" classifier?

Thanks in advance,

Matt

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Matthew Macdonald-Wallace <mattmacwall@gmail.com> writes:

> I'm trying to work out the best way to ensure that my systems run puppet at
> first boot without having to run puppetca --sign or have wildcards in my
> auth file.

Use autosign, which will tell the puppet master to sign the certificate request without needing human intervention. That gives you the instant-on facility for the system.

http://projects.puppetlabs.com/projects/puppet/wiki/Certificates_And_Security

As noted there, autosign.conf is read every time a signature is requested, so you could easily couple that with your ...

> All nodes are stored in an external database so what I want to tell puppet
> is "if it's in the database, authenticate it, otherwise ignore it". Is this
> possible using the "external-node" classifier?

... external database, so it could automatically be generated from that external data source.

Alternately, you can pre-generate the certificates for your clients and install them as part of whatever bootstrap process you are using; see the "Master-Side Client Certificate Generation" section of that same document.

Regards,
Daniel
-- 
✣ Daniel Pittman ✉ daniel@rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
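A worked version of the approach Daniel sketches, added here as an example; it is not code from the thread, from Puppet, or from any of the posters. It generates autosign.conf with exact certnames only (never wildcards) from an inventory table, and the same decision function can also serve as a policy script, which is a feature of Puppet releases later than this 2010 thread (the master runs the executable with the certname as its first argument and exits 0 to sign). The `nodes(certname, state)` table, the sqlite inventory, and the `building`/`built` states are assumptions standing in for your external database.

```python
#!/usr/bin/env python3
"""Generate autosign.conf from a node inventory, or act as an autosign policy script.

Added example, not from the thread. The inventory schema (a `nodes` table with
`certname` and `state` columns) and the sqlite backend are assumptions.
"""
import os
import re
import sqlite3
import sys
import tempfile

# Puppet certnames are DNS-style names. A conservative pattern keeps wildcards,
# whitespace and comment characters out of the generated file.
CERTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$"
)

# Constructed sample inventory standing in for the external node database.
SAMPLE_NODES = [
    ("web01.example.com", "building"),
    ("db01.example.com", "building"),
    ("old01.example.com", "built"),    # already ran puppet once: window closed
    ("*.example.com", "building"),     # bad row: must never reach autosign.conf
]


def open_inventory(rows=SAMPLE_NODES):
    """In-memory stand-in for the external database (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE nodes (certname TEXT PRIMARY KEY, state TEXT NOT NULL)")
    db.executemany("INSERT INTO nodes VALUES (?, ?)", rows)
    db.commit()
    return db


def valid_certname(name):
    return len(name) <= 253 and bool(CERTNAME_RE.match(name))


def allowed_certnames(db):
    """Nodes that are in the inventory and still waiting for their first run."""
    rows = db.execute("SELECT certname FROM nodes WHERE state = 'building'")
    return sorted(n for (n,) in rows if valid_certname(n))


def render_autosign_conf(names):
    """Exact names, one per line. A wildcard here would be a bug, so refuse it."""
    if any("*" in n for n in names):
        raise ValueError("wildcards are not allowed in generated autosign.conf")
    return "".join(n + "\n" for n in names)


def write_autosign_conf(path, content):
    """Replace the file atomically: the master re-reads it on every CSR, so it
    must never observe a half-written file."""
    d = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=d, prefix=".autosign.")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.chmod(tmp, 0o640)
    os.replace(tmp, path)


def should_sign(db, certname):
    """Policy decision: sign only a well-formed name that is in the building set."""
    return valid_certname(certname) and certname in allowed_certnames(db)


def mark_built(db, certname):
    """Call after the node's first successful run to close its autosign window."""
    db.execute("UPDATE nodes SET state = 'built' WHERE certname = ?", (certname,))
    db.commit()


if __name__ == "__main__":
    inv = open_inventory()
    if len(sys.argv) > 1:
        # Policy-script mode: certname arrives as argv[1]; exit 0 means sign.
        sys.exit(0 if should_sign(inv, sys.argv[1]) else 1)
    # Generator mode: emit the file content (redirect to autosign.conf, or
    # call write_autosign_conf with a real path).
    sys.stdout.write(render_autosign_conf(allowed_certnames(inv)))
```

Whichever mode you use, the file or script is now the trust boundary for certificate issuance, so it should be owned by the master and writable only by the process that syncs it from the inventory. Note also what autosign does and does not prove: a match is on the certname in the CSR alone, so anyone who can reach the master and present a listed name while it is still in the `building` state gets a signed certificate. Keeping the window short (mark the node built as soon as its first run completes) is what limits that exposure.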
Alternatively to using auto-sign, you can do server-side cert generation with puppetca -g, then figure out a good, secure way to transfer that stuff during OS install.

On 11/14/2010 01:09 PM, Matthew Macdonald-Wallace wrote:
> Hi all,
>
> I'm trying to work out the best way to ensure that my systems run puppet at
> first boot without having to run puppetca --sign or have wildcards in my
> auth file.
>
> All nodes are stored in an external database so what I want to tell puppet
> is "if it's in the database, authenticate it, otherwise ignore it". Is this
> possible using the "external-node" classifier?
>
> Thanks in advance,
>
> Matt

-- 
Joe McDonagh
AIM: YoosingYoonickz
IRC: joe-mac on freenode
Boredom is counter-revolutionary
Hi,

Such a mechanism is already available via foreman[1], which handles the autosign file for you: upon a provisioning request, it enables the machine (assuming it's allowed to be built) and disables it once puppet has run on the client.

If you don't want to use the full-blown foreman just for this small job, I've also written a rest api for puppet actions that can be used exactly for that.

Ohad

[1] - http://theforeman.org

On Sun, Nov 14, 2010 at 8:09 PM, Matthew Macdonald-Wallace <mattmacwall@gmail.com> wrote:
> Hi all,
>
> I'm trying to work out the best way to ensure that my systems run puppet at
> first boot without having to run puppetca --sign or have wildcards in my
> auth file.
>
> All nodes are stored in an external database so what I want to tell puppet
> is "if it's in the database, authenticate it, otherwise ignore it". Is this
> possible using the "external-node" classifier?
>
> Thanks in advance,
>
> Matt