Exec on a node causing action on another node?


Erling Ringen Elvsrud

Feb 27, 2015, 1:51:46 AM
to puppet...@googlegroups.com
Hi

I am trying to solve the following case:

I have a bash script, cert_check.sh, which is used to check JBoss certificates.
The script returns 0 if certs are still valid, 1 if they are about to expire and 2 if they
are already expired.

The script should be executed on all JBoss nodes, which is possible with a simple exec.

If the script returns 1 or 2 I would like another exec to be executed on a
different node, possibly the puppetmaster.
That exec will perform a REST API call to a server with curl (probably another exec in Puppet).
That call will generate a new certificate and copy it back to the node with an expired/about to expire certificate.

Initially I was considering just performing the call directly from each node
(exec with an unless attribute), but that is not ideal with respect to security,
as the username/password for the REST API should not be visible on all nodes,
and firewall openings to the host handling the certificate generating / copying
must be added for all networks with JBoss servers.

Do you think it is possible to handle this with Puppet?

Thanks,

Erling



Felix Frank

Feb 27, 2015, 11:12:42 AM
to puppet...@googlegroups.com
On 02/27/2015 07:51 AM, Erling Ringen Elvsrud wrote:
>
> Do you think it is possible to handle this with Puppet?

Yes, but not relying on exec as heavily as you imply.

Your first step should be a custom fact that reports the state of the
certificate.

The manifest for the node examines the fact value and can decide to
*export* an exec resource to whomever is expected to take action.

Just so we're clear, if this is meant to refresh *puppet* certificates,
then you are likely running in futile circles, or opening yourself up to
grave security implications.

HTH,
Felix
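
The fact-plus-exported-resource pattern described in the reply above, sketched as an added example that is not part of the original thread or anyone's production code. The fact name `jboss_cert_state`, the class names, the tag and the wrapper script `/usr/local/sbin/renew_jboss_cert` are all assumptions made for illustration.

```puppet
# Applied on every JBoss node. Assumes a custom fact 'jboss_cert_state'
# (hypothetical name) that maps cert_check.sh exit codes 0/1/2 to
# 'valid' / 'expiring' / 'expired'.
class profile::jboss_cert_watch {
  if $facts['jboss_cert_state'] in ['expiring', 'expired'] {
    # '@@' exports the resource: it is stored in PuppetDB and is NOT run
    # on this node. It carries only the node name. No REST API username
    # or password appears here, because exported resources can be read
    # by anything that can query PuppetDB.
    # $trusted['certname'] comes from the agent's verified certificate,
    # unlike ordinary facts, which the agent reports about itself.
    @@exec { "renew-jboss-cert-${trusted['certname']}":
      command => "/usr/local/sbin/renew_jboss_cert ${trusted['certname']}",
      tag     => 'jboss_cert_renewal',
    }
  }
}

# Applied only on the one host that is allowed to reach the REST API.
class profile::cert_renewer {
  # Hypothetical wrapper that reads the API credentials from a root-only
  # file on this host and performs the curl call and the copy back.
  file { '/usr/local/sbin/renew_jboss_cert':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
    source => 'puppet:///modules/profile/renew_jboss_cert',
  }

  # Collect every renewal request exported by the JBoss nodes and run
  # it here, so credentials and firewall openings stay on this host.
  Exec <<| tag == 'jboss_cert_renewal' |>> {
    path    => ['/usr/bin', '/bin'],
    require => File['/usr/local/sbin/renew_jboss_cert'],
  }
}
```

Exported resources require PuppetDB (storeconfigs), and a renewal takes at least two agent runs: one on the JBoss node to export the request and a later one on the renewing host to collect it.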