Autosign will not be enough, since if the server has already signed, it will
show a cert mismatch.

You can trigger a cert clean every time you reimage the server.
 On 9 Jan 2014 12:40, "Pablo Fernandez" <[email protected]> wrote:

>  Thanks for your suggestions,
>
> Running masterless is a bit too exotic, since we would like to use all
> those nice features that make a Puppet installation complete: especially
> Hiera searches and PuppetDB. Modules, too, should be compatible with other
> clusters, so no big deviations can occur.
>
> Enabling auto-sign, as Jose Luis suggested, may be a possibility. I have
> just checked myself if autosign works if the same node was already
> registered in the CA... but according to the documentation it does not look
> like it, not to mention the security issues that come with it.
>
> Does the certificate name need to match the fqdn for puppet to allow
> connections?
>
> Thanks!
> BR/Pablo
>
>
> On 01/09/2014 12:16 PM, Andrey Kozichev wrote:
>
> Maybe look into running masterless to avoid problems with certs. Just run
> puppet apply on the new server.
> On 9 Jan 2014 09:42, "Pablo Fernandez" <[email protected]> wrote:
>
>> Dear all,
>>
>> We are thinking about the possibility of using Puppet in an image-based
>> cluster. The compute nodes would boot and load the whole image to a
>> ramdisk, where r/w access is granted afterwards.
>>
>> Our idea is to have a sample compute node running puppet, from which to
>> create the image, and periodically extract a new image from it. Nodes that
>> reboot, simply take that image, change the hostname and IP addresses,
>> and little more (typical in image-based systems). The nice thing about
>> this is that, since the source image is from a puppetized host, its
>> clones will be as well! So changes in the puppet configuration will be
>> applied immediately to the nodes.
>>
>> Does it sound right? I currently foresee a problem with the puppet node
>> certificates: is it possible to use a generic certificate, to enable
>> trust between puppet server and clients, but with each node having a
>> different fqdn and being treated by puppet as a different host (including
>> PuppetDB entries)? I saw different facts for each: ::clientcert and
>> ::fqdn, that gave me hopes.
>> Besides that, do you see any other problem with this type of deployment?
>> Does anybody have experience with something similar?
>>
>> Thanks!
>> BR/Pablo
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/puppet-users/52CE6F14.7060508%40cscs.ch
>> .
>> For more options, visit https://groups.google.com/groups/opt_out.
>>

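Andrey's advice above (clean the node's certificate on the CA every time the node is reimaged) as an added example; this is not code from the thread or from Puppet itself. It has two halves: a master-side hook that checks the certname before calling `puppet cert clean`, so a wildcard or shell metacharacters cannot reach the CA command and the CA's own or the master's certificate cannot be removed by mistake, and a node-side first-boot step that strips the golden image's private key and signed cert while keeping the pinned CA cert, so every clone does not boot up presenting the sample node's identity. It assumes Puppet 3.x (`puppet cert clean`, `puppet agent --configprint ssldir`); on Puppet 6 and later the CA command is `puppetserver ca clean --certname NAME`. `MASTER_CERTNAME` is a hypothetical variable for the master's own certname.

```shell
#!/bin/sh
# Added example, not from the original thread or from Puppet.
# Master side: remove a reimaged node's old certificate so its new CSR is
# not rejected as a mismatch. Node side: reset the agent identity carried
# over from the golden image before the first agent run.

# Assumption: the master's own certname; never clean this one.
MASTER_CERTNAME="${MASTER_CERTNAME:-puppet.example.com}"

# Accept only a plain fqdn-style name: lowercase labels, digits and hyphens,
# at least one dot. This keeps wildcards, spaces and shell metacharacters
# away from the CA command.
valid_certname() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}

# The CA certificate and the master's certificate must never be cleaned.
protected_certname() {
    case "$1" in
        ca|"$MASTER_CERTNAME") return 0 ;;
    esac
    return 1
}

# Run on the CA master from the reimage workflow. Returns 2 for a malformed
# name and 3 for a protected name without touching the CA.
# 'puppet cert clean' revokes the certificate (it lands on the CRL) and
# deletes the signed copy, so the next CSR under this name can be signed.
clean_node_cert() {
    name="$1"
    if ! valid_certname "$name"; then
        echo "refusing: '$name' is not a valid certname" >&2
        return 2
    fi
    if protected_certname "$name"; then
        echo "refusing: '$name' is a protected certname" >&2
        return 3
    fi
    puppet cert clean "$name"
}

# Run on the node on first boot, before 'puppet agent' starts, with the
# agent's ssldir as argument. The image was captured from a puppetized host,
# so it carries that host's private key and signed certificate; every clone
# would otherwise present the same identity. Remove the key pair, any CSR
# and the host certificate, but keep certs/ca.pem so the CA stays pinned in
# the image instead of being fetched blindly from the master on first run.
reset_agent_identity() {
    ssldir="$1"
    [ -n "$ssldir" ] && [ -d "$ssldir" ] || return 1
    rm -rf "$ssldir/private_keys" "$ssldir/public_keys" "$ssldir/certificate_requests"
    for f in "$ssldir"/certs/*.pem; do
        [ -e "$f" ] || continue
        [ "$(basename "$f")" = ca.pem ] || rm -f "$f"
    done
}

# Usage, on the CA master, from the reimage workflow:
#   clean_node_cert node01.cluster.example.com
# Usage, on the node, once on first boot:
#   reset_agent_identity "$(puppet agent --configprint ssldir)"
```

With this in place the node's first agent run generates a fresh key and CSR under its own fqdn, and the master either signs it by hand or via autosign; the point Andrey makes stands either way, since autosign alone never replaces a certificate that is still on file under the same name.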