Alexandre Fouché
2011-Oct-19 09:06 UTC
[Puppet Users] How to know the generated certname used by a puppet client, for reuse within erb (because of cloud provisioner) ?
Hi,

I am using the cloud provisioner to bootstrap some ec2 nodes, and these clients are signed using a randomly generated certname, which is put in /etc/puppet.conf at the bootstrap time (eg certname d7bcd693-73fd-495f-0876-ff91ea11111e).

But my puppet code repo also manages the puppet.conf file, so the file will be overwritten on the client at the first puppet run. Nevertheless, I should not lose what was the original certname for this client, because I need to insert it in the puppet.conf.erb that will be pushed to this client, otherwise the puppetmaster will not recognize and allow this client anymore.

I ran "facter" on the client, and the certname does not appear. I ran "puppet --genconfig |grep certname" and the certname does not appear either. I cannot check the cert name in /var/lib/puppet/ssl/certs because the cert will appear after first puppet run.

Is there a way to know what certname a puppet client is using, and be able to use it in erb templates, or am I using puppet and the cloud provisioner in a wrong way?

AF
Alexandre
2011-Oct-19 09:25 UTC
[Puppet Users] Re: How to know the generated certname used by a puppet client, for reuse within erb (because of cloud provisioner) ?
I created a feature request https://projects.puppetlabs.com/issues/10167
Dan White
2011-Oct-19 12:36 UTC
Re: [Puppet Users] Re: How to know the generated certname used by a puppet client, for reuse within erb (because of cloud provisioner) ?
I am in an environment that has development, QA, and production sub-environments.
All machines are built in "dev" then moved to qa/prod as needed.
Because a machine's IP and hostname change in this move, I set up certnames that are the machine's MAC address.
I use cobbler to set up the machines and here are some lines from the snippet that implements it:

    # MAC address in lower case with the colons removed
    MACADDR=`facter macaddress | tr "[:upper:]" "[:lower:]" | sed 's/://g' `
    MACADDRHOSTNAME="macaddr${MACADDR}"
    # Add the certname setting right after the [main] section header
    sed -i -e "/\[main\]/a\ \ \ \ certname='${MACADDRHOSTNAME}'" /etc/puppet/puppet.conf

In addition, because my Puppet Master is also my Cobbler Server, I have the MAC addresses of all configured machines available to me at the server.
I hope you find this info helpful.

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
Bill Watterson (Calvin & Hobbes)
Nigel Kersten
2011-Oct-19 16:18 UTC
Re: [Puppet Users] How to know the generated certname used by a puppet client, for reuse within erb (because of cloud provisioner) ?
On Wed, Oct 19, 2011 at 2:06 AM, Alexandre Fouché <alexandre.fouche@gmail.com> wrote:
> Is there a way to to know what certname is using a puppet client, and be
> able to use it in erb templates, or am using puppet and the cloud
> provisioner in a wrong way ?

http://docs.puppetlabs.com/guides/faq.html#are-there-variables-available-other-than-those-provided-by-facter

$clientcert — Provided by the agent; contains the agent node’s certname. Added in Puppet 2.6.0.

--
Nigel Kersten
Product Manager, Puppet Labs
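Added example, not part of the thread or of Puppet's own code: a stand-alone Ruby sketch of a puppet.conf.erb that writes the agent's certname back into [main], which is what the `$clientcert` answer above makes possible. The template text, the `puppet.example.com` server and the certname check are assumptions made for illustration; inside Puppet the value comes from the template scope rather than a method argument.

```ruby
require 'erb'

# Constructed stand-in for puppet.conf.erb. In a Puppet 2.6+ template the
# `clientcert` variable is supplied by the template scope; here it is passed
# in explicitly so the example runs without Puppet.
PUPPET_CONF_ERB = <<~'TEMPLATE'
  [main]
      certname = <%= clientcert %>
      server   = puppet.example.com
  [agent]
      report = true
TEMPLATE

# Hypothetical guard: the certname is written verbatim into an INI file, so
# accept only lowercase letters, digits, dots, dashes and underscores.
# \A and \z anchor the whole string; ^ and $ would match per line in Ruby
# and let a value with embedded newlines through.
CERTNAME_RE = /\A[a-z0-9][a-z0-9._-]{0,253}\z/

def render_puppet_conf(clientcert)
  unless clientcert.is_a?(String) && clientcert.match?(CERTNAME_RE)
    raise ArgumentError, "refusing to render: invalid certname #{clientcert.inspect}"
  end
  ERB.new(PUPPET_CONF_ERB).result_with_hash(clientcert: clientcert)
end

# Read back the certname that the rendered file would give the agent,
# looking only at the [main] section.
def certname_in(conf)
  section = nil
  conf.each_line do |line|
    section = Regexp.last_match(1) if line =~ /^\s*\[(\w+)\]/
    return Regexp.last_match(1) if section == 'main' && line =~ /^\s*certname\s*=\s*(\S+)/
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  # The certname quoted in the original question.
  puts render_puppet_conf('d7bcd693-73fd-495f-0876-ff91ea11111e')
end
```

As the FAQ entry says, `$clientcert` is provided by the agent, so the master does not check it against the certificate. Puppet 3.4 and later expose the name taken from the verified certificate as `$trusted['certname']`.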
Alexandre
2011-Oct-19 20:07 UTC
[Puppet Users] Re: How to know the generated certname used by a puppet client, for reuse within erb (because of cloud provisioner) ?
Great, I had not seen this one, thank you!
Nigel Kersten
2011-Oct-19 20:08 UTC
Re: [Puppet Users] Re: How to know the generated certname used by a puppet client, for reuse within erb (because of cloud provisioner) ?
On Wed, Oct 19, 2011 at 1:07 PM, Alexandre <alexandre.fouche@gmail.com> wrote:
> Great, i had not seen this one, thank you !

It should be significantly easier to find out this info, it's not you :)

In an ideal world you could run a command as simple as "facter -p" to get access to all of these variables, but not all make sense within the context of Facter...