RHEL Kickstart and Puppet certificates


Ano nym

Sep 12, 2012, 5:51:16 AM
to puppet...@googlegroups.com
Hello everybody,

we're using Red Hat Kickstarts for some systems. On every new kickstart we have to delete the client certificate first on the master.

Is there a best practice to renew the certificate or delete it remotely on the master?

kind regards,

Ano

Ohad Levy

Sep 12, 2012, 6:11:27 AM
to puppet...@googlegroups.com
If you use something like Foreman [1] it can do it automatically for you.

Ohad


--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/6U_6f-jW734J.
To post to this group, send email to puppet...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

ew

Sep 12, 2012, 8:21:31 AM
to puppet...@googlegroups.com
Usually people have to follow company guidelines ... changing the deployment process maybe is not the answer Ano is looking for.

BTW: we have the same issue ...

Matthew Burgess

Sep 12, 2012, 8:38:09 AM
to puppet...@googlegroups.com
If you're rebuilding a machine, I'd suggest that you also want to remove any reports, facts and anything else that puppet knows about your old host.

Given that, I can't see any other possibility than changing your provisioning process to have a 'puppet node clean' step *before* re-provisioning your host.

Additionally, I'd give serious consideration to trying to automate the regeneration of client certs. If someone else comes into your network, they could give their device the same hostname as an existing puppet-managed host, then via this envisioned automated process, would kick your existing host off, and connect themselves (this assumes you have auto-signing configured).

Regards,

Matt.
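
The hostname-spoofing risk Matt describes is exactly what plain hostname-based autosigning cannot defend against. The script below is an added example, not code from the thread or from Puppet: it is written in the shape of the policy-based autosign executable that Puppet 3.4 and later support (configured as `autosign = /path/to/script` in the master's puppet.conf; Puppet runs it with the certname as its only argument and the agent's PEM CSR on stdin, and signs only if it exits 0). The provisioning system issues each rebuild a one-time token, which the agent embeds as the PKCS#9 challengePassword attribute (OID 1.2.840.113549.1.9.7, set through `custom_attributes` in the agent's csr_attributes.yaml); the script signs only when the CSR's CN equals the certname Puppet passed and the token matches the server-side table. The token file path `/etc/puppet/autosign-tokens.json`, the minimal PKCS#10 DER walker, and the `build_fake_csr_pem` helper (which builds a CSR-shaped blob with a placeholder key and empty signature, purely so the parser can be exercised offline) are all assumptions of this example. Note that the old certificate still has to be cleaned on the master first, since the CA will not issue a second certificate for a name it already holds one for.

```python
#!/usr/bin/env python3
"""Added example: policy-based autosign script for a Puppet CA (Puppet 3.4+).

Run by the master as `autosign.py <certname>` with the PEM CSR on stdin.
Exit 0 = sign.  Signs only when the CSR's CN equals the certname AND the CSR
carries the one-time token issued to that host as its challengePassword.
The token file path and its JSON layout are assumptions of this example.
"""
import base64
import hmac
import json
import sys

TOKEN_FILE = "/etc/puppet/autosign-tokens.json"   # assumed: {"certname": "token", ...}

OID_CHALLENGE_PASSWORD = bytes.fromhex("2a864886f70d010907")  # 1.2.840.113549.1.9.7
OID_COMMON_NAME = bytes.fromhex("550403")                     # 2.5.4.3
TAG_INTEGER, TAG_BIT_STRING, TAG_OID, TAG_UTF8 = 0x02, 0x03, 0x06, 0x0C
TAG_SEQUENCE, TAG_SET, TAG_ATTRIBUTES = 0x30, 0x31, 0xA0     # [0] IMPLICIT attributes


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; single-byte tags suffice for PKCS#10."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Split a constructed value's content into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        out.append((tag, value))
    return out


def pem_to_der(pem):
    body = [l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----")]
    return base64.b64decode("".join(body))


def parse_csr(der):
    """Return (common_name, challenge_password) from a PKCS#10 CSR; None if absent."""
    _, request, _ = _read_tlv(der, 0)               # CertificationRequest
    info = _children(request)[0][1]                 # certificationRequestInfo
    fields = _children(info)                        # version, subject, spki, [0] attrs
    cn = password = None
    for _, rdn in _children(fields[1][1]):          # subject: SEQUENCE OF SET OF ATV
        for _, atv in _children(rdn):
            (_, oid), (_, value) = _children(atv)
            if oid == OID_COMMON_NAME:
                cn = value.decode()
    for tag, attrs in fields[3:]:
        if tag != TAG_ATTRIBUTES:
            continue
        for _, attr in _children(attrs):            # Attribute ::= SEQUENCE {OID, SET OF value}
            (_, oid), (_, values) = _children(attr)
            if oid == OID_CHALLENGE_PASSWORD:
                password = _children(values)[0][1].decode()
    return cn, password


def should_sign(certname, csr_pem, tokens):
    """Policy: CN must equal the certname Puppet passed; token must exist and match."""
    cn, password = parse_csr(pem_to_der(csr_pem))
    expected = tokens.get(certname)
    if expected is None or password is None or cn != certname:
        return False
    return hmac.compare_digest(password.encode(), expected.encode())


# Test-only helper: a CSR-shaped DER blob with a placeholder key and an empty
# signature.  NOT a valid CSR for any CA; it only exercises parse_csr offline.
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, content):
    return bytes([tag]) + _len(len(content)) + content


def build_fake_csr_pem(cn, password=None):
    subject = _tlv(TAG_SEQUENCE, _tlv(TAG_SET, _tlv(TAG_SEQUENCE,
              _tlv(TAG_OID, OID_COMMON_NAME) + _tlv(TAG_UTF8, cn.encode()))))
    attrs = b""
    if password is not None:
        attrs = _tlv(TAG_SEQUENCE, _tlv(TAG_OID, OID_CHALLENGE_PASSWORD)
                     + _tlv(TAG_SET, _tlv(TAG_UTF8, password.encode())))
    info = _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, b"\x00") + subject
                + _tlv(TAG_SEQUENCE, b"") + _tlv(TAG_ATTRIBUTES, attrs))
    der = _tlv(TAG_SEQUENCE, info + _tlv(TAG_SEQUENCE, b"") + _tlv(TAG_BIT_STRING, b"\x00"))
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE REQUEST-----\n%s\n-----END CERTIFICATE REQUEST-----\n" % lines


if __name__ == "__main__":
    name = sys.argv[1]
    with open(TOKEN_FILE) as fh:
        table = json.load(fh)
    if not should_sign(name, sys.stdin.read(), table):
        sys.exit(1)
    del table[name]                                 # one-time token: burn it on success
    with open(TOKEN_FILE, "w") as fh:
        json.dump(table, fh)
    sys.exit(0)
```

Because the token is tied to the certname and consumed on first use, a second machine that merely claims an existing hostname has nothing to present; a planned rebuild gets a fresh token from the provisioning system, which is the "commission" step the thread keeps coming back to.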

Stuart Sears

Sep 12, 2012, 9:36:14 AM
to puppet...@googlegroups.com
Alternatively, you could back up the certs and keys from the client in kickstart %pre and put them back afterwards.

Assuming the client will have the same name and puppet setup after kickstart and you don't care about old reports, facts etc...

Stuart
--
Stuart Sears RHCA etc.
"It's today!" said Piglet.
"My favourite day," said Pooh.

Nielsen, Steve

Sep 12, 2012, 4:28:49 PM
to puppet...@googlegroups.com
If the hostname stays the same for the rebuild then another possibility is to back up the puppet cert directory in the %pre of kickstart and then copy it back into place in the %post.

We do this and it provides seamless rebuilds.

Thanks,
Steve

Steve Nielsen VP, Open Source Engineering | comScore, Inc.(NASDAQ:SCOR)
o +1 (312) 775-6473 | f +1 (312) 775-6495 | mailto:SNie...@comscore.com
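
Stuart's and Steve's suggestion, as an added example (not code from either post): two sh functions that carry the agent's identity across the rebuild, plus the kickstart placement in a comment. Assumptions: the Puppet 2.7/3.x agent layout under /var/lib/puppet/ssl (certs/<certname>.pem, private_keys/<certname>.pem, certs/ca.pem), that %pre mounts the old root filesystem itself (the device, the script URL and the certname in the comment are placeholders), and that %post runs with --nochroot so the installer's /tmp and the target at /mnt/sysimage are both visible.

```sh
#!/bin/sh
# Added example: carry a Puppet agent's identity across a kickstart rebuild.
# Assumed layout: Puppet 2.7/3.x agent default, /var/lib/puppet/ssl with
# certs/<certname>.pem, private_keys/<certname>.pem and certs/ca.pem.
#
# Illustrative kickstart placement (device, script path, certname hypothetical):
#   %pre
#   mkdir -p /mnt/oldroot && mount /dev/sda2 /mnt/oldroot
#   . /tmp/puppet-ssl.sh
#   save_puppet_ssl /mnt/oldroot /tmp/puppet-ssl web01.example.com
#   umount /mnt/oldroot
#   %end
#   %post --nochroot
#   . /tmp/puppet-ssl.sh
#   restore_puppet_ssl /tmp/puppet-ssl /mnt/sysimage web01.example.com
#   %end

# save_puppet_ssl OLDROOT STASH CERTNAME
# Copy the agent's SSL tree out of the old root filesystem into STASH.
# Refuses an incomplete identity (cert without key, or no CA cert): then the
# agent should simply request a fresh certificate after the rebuild.
save_puppet_ssl() {
    ssldir="$1/var/lib/puppet/ssl"
    stash="$2"
    certname="$3"
    [ -f "$ssldir/certs/$certname.pem" ] || return 1
    [ -f "$ssldir/private_keys/$certname.pem" ] || return 1
    [ -f "$ssldir/certs/ca.pem" ] || return 1
    rm -rf "$stash" || return 1
    mkdir -p "$stash" || return 1
    cp -a "$ssldir/." "$stash/"    # -a keeps modes (and ownership when run as root)
}

# restore_puppet_ssl STASH NEWROOT CERTNAME
# Put the saved tree into the freshly installed system, replacing anything the
# puppet package created, tighten the key's mode, and wipe the stash so the
# private key does not linger in the installer's tmpfs.
restore_puppet_ssl() {
    stash="$1"
    ssldir="$2/var/lib/puppet/ssl"
    certname="$3"
    [ -f "$stash/private_keys/$certname.pem" ] || return 1
    [ -f "$stash/certs/$certname.pem" ] || return 1
    rm -rf "$ssldir" || return 1
    mkdir -p "$ssldir" || return 1
    cp -a "$stash/." "$ssldir/" || return 1
    chmod 750 "$ssldir/private_keys" || return 1
    chmod 600 "$ssldir/private_keys/$certname.pem" || return 1
    rm -rf "$stash"
}
```

Two caveats worth stating: this is mutually exclusive with a `puppet node clean` step, because clean revokes the old certificate and the restored copy would then be rejected; and it deliberately lets the old private key survive the reinstall, so it is appropriate for planned rebuilds only, not for a host you are rebuilding because you suspect it was compromised.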

Nielsen, Steve

Sep 12, 2012, 4:29:42 PM
to Nielsen, Steve, puppet...@googlegroups.com
Just realized Stuart provided the same answer in an earlier post. Sorry for the duplicate suggestion :).

Steve

James A. Peltier

Sep 13, 2012, 1:31:07 AM
to puppet...@googlegroups.com
We manually sign the certificates and place them in a secure location that can downloaded as part of the post configuration of the host.  We have automation to commission/decommission hosts which generates or removes the certificate server side.

--
James A. Peltier
Manager, IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax     : 778-782-3045
E-Mail  : jpel...@sfu.ca
Website : http://www.sfu.ca/itservices
          http://blogs.sfu.ca/people/jpeltier

Success is to be measured not so much by the position that one has reached
in life but as by the obstacles they have overcome. - Booker T. Washington

Michael Stahnke

Sep 13, 2012, 1:33:19 AM
to puppet...@googlegroups.com
I used to just institute policy that hostnames could not be re-used.
It had a few benefits beyond puppet, like application people not
hard-coding hostnames and using cnames as the maker intended.

Mike

Ano nym

Sep 13, 2012, 4:07:03 AM
to puppet...@googlegroups.com
Thank you everybody! :-)

There are many ways to solve the problem.

Nielsen, Steve

Sep 13, 2012, 9:58:27 AM
to puppet...@googlegroups.com
Mike -

Just curious, what do you mean by "using cnames as the maker intended" ? Are you suggesting a CNAME per hostname mapping?

Thanks,
Steve

David Schmitt

Sep 14, 2012, 3:08:42 AM
to puppet...@googlegroups.com
I interpreted that as using hostnames as hardware names and cnames as
service names, pointing to the h/w the service is running on.


D.