Hiera, OSSEC and per-node stuff?
43 views
Skip to first unread message
Jakov Sosic
Aug 22, 2012, 3:47:57 PM8/22/12
to puppet...@googlegroups.com
Hi.
I have an interesting use case.
OSSEC is security tool based on server-client architecture. Server
generates keys for agents, and every agent has different key.
Now I want to distribute these keys via puppet. I've come accross hiera
and installed it, and it works superbly, but how to store per-node key
in hiera?
This is my idea:
hiera,yaml:
---
:hierarchy:
- ossec/%{hostname}
- %{operatingsystem}
- common
:backends:
- yaml
:yaml:
:datadir: '/etc/puppet/hieradata'
And now in /etc/puppet/hieradata/ossec I have a bunch of hostname.yaml
files, and all of them has something like this:
---
ossec_client_key: 'blablabla'
ossec_id: '2031'
Is this the right approach? It sure works :)
--
Jakov Sosic
www.srce.unizg.hr
I have an interesting use case.
OSSEC is security tool based on server-client architecture. Server
generates keys for agents, and every agent has different key.
Now I want to distribute these keys via puppet. I've come accross hiera
and installed it, and it works superbly, but how to store per-node key
in hiera?
This is my idea:
hiera,yaml:
---
:hierarchy:
- ossec/%{hostname}
- %{operatingsystem}
- common
:backends:
- yaml
:yaml:
:datadir: '/etc/puppet/hieradata'
And now in /etc/puppet/hieradata/ossec I have a bunch of hostname.yaml
files, and all of them has something like this:
---
ossec_client_key: 'blablabla'
ossec_id: '2031'
Is this the right approach? It sure works :)
--
Jakov Sosic
www.srce.unizg.hr
jcbollinger
Aug 27, 2012, 2:45:16 PM8/27/12
to puppet...@googlegroups.com
"Right" is a tricky word, but I'm happy to say that your approach is "reasonable", "good", "acceptable", and perhaps even "standard". There is at least one hiera-based alternative that I would describe with many of the same terms, but why mess with success?
John
Jakov Sosic
Aug 28, 2012, 1:42:38 PM8/28/12
to puppet...@googlegroups.com
On 08/27/2012 08:45 PM, jcbollinger wrote:
> "Right" is a tricky word, but I'm happy to say that your approach is
> "reasonable", "good", "acceptable", and perhaps even "standard". There
> is at least one hiera-based alternative that I would describe with many
> of the same terms, but why mess with success?
Well this is my first hiera rollout, so I just wanted to be sure I'm
> "Right" is a tricky word, but I'm happy to say that your approach is
> "reasonable", "good", "acceptable", and perhaps even "standard". There
> is at least one hiera-based alternative that I would describe with many
> of the same terms, but why mess with success?
using it as reasonable as possible :)
You are welcome to pinpoint another example of similar config offcourse.
Anyway thank you for your response.
Reply all
Reply to author
Forward
0 new messages