Not entirely image-based. When a new server was booted for the first time:

1. it made an HTTP call to the puppetmaster with its hostname to do `puppet cert clean <hostname>`
2. it did a puppet run
3. it made an HTTP call to do `puppet cert sign`

It was kind of autosign, plus in case the cert already existed it was removed and re-generated. Sure, security is poor in this approach, but it can be limited to only the build VLAN.

Andrey

On 9 January 2014 15:12, Pablo Fernandez <[email protected]> wrote:
> I understand your point. I guess the SSL layer will render the request as
> illegitimate, but even if it doesn't, it may be playing with fire :)
>
> Thanks all for your thoughts, let me then present this as a generic
> question: did anybody try puppet on image-based systems? It would be
> wonderful to get some first-hand hints.
>
> Thanks again!
> BR/Pablo
>
> On 01/09/2014 04:05 PM, jcbollinger wrote:
>
> On Thursday, January 9, 2014 6:40:42 AM UTC-6, [email protected] wrote:
>>
>> Thanks for your suggestions,
>>
>> Running masterless is a bit too exotic, since we would like to use all
>> those nice features that make a Puppet installation complete: especially
>> Hiera searches and PuppetDB. Modules, too, should be compatible with other
>> clusters, so no big deviations can occur.
>>
>> Enabling auto-sign, as Jose Luis suggested, may be a possibility. I have
>> just checked myself whether autosign works if the same node was already
>> registered in the CA... but according to the documentation it does not look
>> like it, not to mention the security issues that come with it.
>>
>> Does the certificate name need to match the FQDN for puppet to allow
>> connections?
>>
>
> I'm not certain, but even if not, what you propose is dangerous. The
> master uses the certificate presented by the agent not just to authorize
> the agent, but also to *identify* it. If all your nodes present the same
> certificate to the master, then they all claim to be the same machine,
> which is a lie. I don't foresee any specific failure scenarios associated
> with that, but it is unwise to mess with the system's underlying
> assumptions in such a way.
>
> John
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/3c8f53f8-09a2-4bd8-8fa8-1986efdafeb3%40googlegroups.com
> For more options, visit https://groups.google.com/groups/opt_out.
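As an added example (not code from the thread or from Puppet itself), this is the kind of gate the puppetmaster side of Andrey's boot-time HTTP flow would want before it runs `puppet cert clean <hostname>` or `puppet cert sign <hostname>`: the request must come from the build VLAN he mentions, and the hostname must be a plain DNS name so it cannot carry extra arguments into the CLI. The VLAN range, function names and hostname policy are assumptions for illustration.

```python
"""Server-side gate for a boot-time 'clean my cert / sign my cert' HTTP call.

Two checks before the puppetmaster touches its CA on a node's behalf:
  1. the caller's source IP lies inside the build VLAN (assumed range);
  2. the requested certname is a well-formed DNS hostname, nothing else.
The command is then built as an argv list, never a shell string.
"""
import ipaddress
import re
import subprocess

# Assumed build-VLAN range for this example; replace with the real network.
BUILD_VLAN = ipaddress.ip_network("10.20.30.0/24")

# DNS labels: 1-63 chars of [a-z0-9-], no leading/trailing hyphen, dot separated.
HOSTNAME_RE = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$"
)

# Only the two actions the boot flow needs; anything else is refused.
ALLOWED_ACTIONS = {"clean", "sign"}


def valid_hostname(name: str) -> bool:
    """True for a syntactically valid hostname (max 253 chars, case-insensitive)."""
    return len(name) <= 253 and bool(HOSTNAME_RE.match(name.lower()))


def authorize(action: str, hostname: str, source_ip: str) -> bool:
    """True only if the action is allowed, the name is clean and the caller is in the build VLAN."""
    if action not in ALLOWED_ACTIONS or not valid_hostname(hostname):
        return False
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:  # unparsable source address
        return False
    return addr in BUILD_VLAN


def build_command(action: str, hostname: str, source_ip: str):
    """Argv for the puppet CLI, or None if the request is refused."""
    if not authorize(action, hostname, source_ip):
        return None
    return ["puppet", "cert", action, hostname]


def run(action: str, hostname: str, source_ip: str) -> subprocess.CompletedProcess:
    """Execute the gated command (no shell involved); raises if refused."""
    cmd = build_command(action, hostname, source_ip)
    if cmd is None:
        raise PermissionError(f"refused {action} for {hostname!r} from {source_ip}")
    return subprocess.run(cmd, check=True)
```

This only narrows who can trigger the clean/sign and what name they can pass; it does not change the fact, raised by John above, that the master still trusts whatever certname the build network asks for.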
