Autosign will not be enough, since if the server has already signed it will show a cert mismatch.
You can trigger a cert clean every time you reimage a server.

On 9 Jan 2014 12:40, "Pablo Fernandez" <[email protected]> wrote:

> Thanks for your suggestions,
>
> Running masterless is a bit too exotic, since we would like to use all
> those nice features that make a Puppet installation complete: especially
> hiera searches and PuppetDB. Modules, too, should be compatible with other
> clusters, so no big deviations can occur.
>
> Enabling auto-sign, as Jose Luis suggested, may be a possibility. I have
> just checked myself whether autosign works if the same node was already
> registered in the CA... but according to the documentation it does not look
> like it, not to mention the security issues that come with it.
>
> Does the certificate name need to match the fqdn for puppet to allow
> connections?
>
> Thanks!
> BR/Pablo
>
>
> On 01/09/2014 12:16 PM, Andrey Kozichev wrote:
>
> Maybe look into running masterless to avoid problems with certs. Just run
> puppet apply on the new server.
>
> On 9 Jan 2014 09:42, "Pablo Fernandez" <[email protected]> wrote:
>
>> Dear all,
>>
>> We are thinking about the possibility of using Puppet in an image-based
>> cluster. The compute nodes would boot and load the whole image to a
>> ramdisk, where r/w access is granted afterwards.
>>
>> Our idea is to have a sample compute node running puppet from which to
>> create the image, and periodically extract a new image from it. Nodes that
>> reboot simply take that image, change the hostname and IP addresses,
>> and little more (typical in image-based systems). The nice thing about
>> this is that, since the source image is from a puppetized host, its
>> clones will be as well! So changes in the puppet configuration will be
>> applied immediately to the nodes.
>>
>> Does it sound right? I currently foresee a problem with the puppet node
>> certificates: is it possible to use a generic certificate, to enable
>> trust between puppet server and clients, but with each node having a
>> different fqdn and being treated by puppet as a different host (including
>> PuppetDB entries)? I saw different facts for each: ::clientcert and
>> ::fqdn, which gave me hope.
>> Besides that, do you see any other problem with this type of deployment?
>> Does anybody have experience with something similar?
>>
>> Thanks!
>> BR/Pablo
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/puppet-users/52CE6F14.7060508%40cscs.ch.
>> For more options, visit https://groups.google.com/groups/opt_out.
>
> --
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/CACzr%3DFc4fKWeGA%3Dz%2B0taUdCognf7mjoReqCTj-WHm7mvachBvQ%40mail.gmail.com
>
> --
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/52CE98CA.3070206%40cscs.ch

--
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CACzr%3DFdUOgayb1U9-j0G%3DEHfRuamCqGTtBNBvq9e015ZHAg-og%40mail.gmail.com
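The "cert clean on every reimage" approach from the reply above, written out as an added example (not code from the thread or from the Puppet project). It assumes the Puppet 3.x `puppet cert` CLI and the format of `puppet cert list --all` output (a leading `+` marks a signed cert, `-` a revoked one, no marker a pending request), and it assumes the golden image carries the sample node's ssldir, which is why the node side wipes it before the first agent run. The function names, the `DRY_RUN` variable and the sample listing are all constructed for this example. With `DRY_RUN` unset the hook only prints the `puppet cert clean` commands it would run, so it can be reviewed before it ever touches the CA.

```shell
#!/bin/sh
# Added example, not from the thread: a reimage hook for the Puppet CA plus a
# node-side reset, so a reimaged node gets a fresh cert under its own certname
# instead of colliding with the cert the CA already signed for that name.
# Assumes Puppet 3.x `puppet cert` output ('+' signed, '-' revoked, blank pending).
# All names below are hypothetical.

# Dry run is the default; set DRY_RUN to the empty string to actually clean.
DRY_RUN="${DRY_RUN-1}"

# Constructed sample of `puppet cert list --all` output (not real hosts).
SAMPLE_CERT_LIST='+ "node01.cluster.example" (SHA256) AA:BB:CC:DD
+ "node02.cluster.example" (SHA256) EE:FF:00:11
  "node03.cluster.example" (SHA256) 22:33:44:55
- "node04.cluster.example" (SHA256) 66:77:88:99'

# signed_certs_for_hosts LIST HOST...
# Print each HOST whose entry in LIST is already signed ('+'). Pending and
# revoked entries are skipped: only a signed cert causes the mismatch.
signed_certs_for_hosts() {
  list="$1"; shift
  for host in "$@"; do
    if printf '%s\n' "$list" |
       awk -v h="\"$host\"" '$1 == "+" && $2 == h { found = 1 } END { exit !found }'; then
      printf '%s\n' "$host"
    fi
  done
}

# stale_cert_cleanup LIST HOST...
# For every signed cert among HOST..., run (or, in dry-run mode, print)
# `puppet cert clean NAME`, which revokes the cert and removes it from the CA
# so the reimaged node's new CSR can be signed under the same certname.
stale_cert_cleanup() {
  list="$1"; shift
  for name in $(signed_certs_for_hosts "$list" "$@"); do
    if [ -n "$DRY_RUN" ]; then
      printf 'puppet cert clean %s\n' "$name"
    else
      puppet cert clean "$name"
    fi
  done
}

# node_ssl_reset SSLDIR
# Node side, after the hostname has been changed on the fresh image: drop the
# SSL state inherited from the golden image so the first agent run generates a
# new key and CSR. Refuses an empty or root path; returns 0 if SSLDIR is gone.
node_ssl_reset() {
  ssldir="$1"
  [ -n "$ssldir" ] && [ "$ssldir" != "/" ] || return 1
  rm -rf "$ssldir"
  [ ! -e "$ssldir" ]
}

# Live usage from a reimage workflow (on the CA):
#   stale_cert_cleanup "$(puppet cert list --all)" node01.cluster.example
# and on the node, before its first agent run:
#   node_ssl_reset "$(puppet agent --configprint ssldir)"
# Stand-alone, the script shows the dry run against the constructed listing.
if [ -n "$DRY_RUN" ]; then
  stale_cert_cleanup "$SAMPLE_CERT_LIST" \
    node01.cluster.example node03.cluster.example node04.cluster.example
fi
```

Only node01 is cleaned in that dry run: node03 has a pending request and node04 is already revoked, so neither would produce a mismatch. Pairing the CA-side clean with the node-side ssldir wipe is what makes each clone show up as its own host (its own certname and its own PuppetDB entry) rather than as a copy of the sample node.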
