How to know the generated certname used by a puppet client, for reuse within erb (because of cloud provisioner)?


Alexandre Fouché

Oct 19, 2011, 5:06:44 AM
to puppet...@googlegroups.com
Hi,

I am using the cloud provisioner to bootstrap some ec2 nodes, and these clients are signed using a randomly generated certname, which is put in /etc/puppet.conf at bootstrap time (e.g. certname = d7bcd693-73fd-495f-0876-ff91ea11111e).

But my puppet code repo also manages the puppet.conf file, so the file will be overwritten on the client at the first puppet run. Nevertheless, I should not lose what was the original certname for this client, because I need to insert it in the puppet.conf.erb that will be pushed to this client, otherwise the puppetmaster will not recognize and allow this client anymore.

I ran "facter" on the client, and the certname does not appear. I ran "puppet --genconfig |grep certname" and the certname does not appear either. I cannot check the cert name in /var/lib/puppet/ssl/certs because the cert will appear after the first puppet run.

Is there a way to know what certname a puppet client is using, and be able to use it in erb templates, or am I using puppet and the cloud provisioner in a wrong way?

AF

Alexandre

Oct 19, 2011, 5:25:40 AM
to Puppet Users
I created a feature request https://projects.puppetlabs.com/issues/10167

Dan White

Oct 19, 2011, 8:36:52 AM
to puppet...@googlegroups.com
I am in an environment that has development, QA, and production sub-environments.
All machines are built in "dev" then moved to qa/prod as needed.
Because a machine's IP and hostname change in this move, I set up certnames that are the machine's MAC address.

I use cobbler to set up the machines and here are some lines from the snippet that implements it:

MACADDR=`facter macaddress | tr "[:upper:]" "[:lower:]" | sed 's/://g' `
MACADDRHOSTNAME="macaddr${MACADDR}"
sed -i -e "/\[main\]/a\ \ \ \ certname='${MACADDRHOSTNAME}'" /etc/puppet/puppet.conf

In addition, because my Puppet Master is also my Cobbler Server, I have the MAC addresses of all configured machines available to me at the server.

I hope you find this info helpful.

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
Bill Watterson (Calvin & Hobbes)

> --
> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> To post to this group, send email to puppet...@googlegroups.com.
> To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
>

Nigel Kersten

Oct 19, 2011, 12:18:50 PM
to puppet...@googlegroups.com

$clientcert — Provided by the agent; contains the agent node’s certname. Added in Puppet 2.6.0.



 




--
Nigel Kersten
Product Manager, Puppet Labs
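
Added example, not part of the thread and not Puppet's own code: a stand-alone Ruby sketch of a puppet.conf.erb that writes the agent's certname back into the managed file, as the `$clientcert` answer above suggests. Inside Puppet the template would read `clientcert` from the node's scope; here it is passed in by a hypothetical `render_puppet_conf` helper, and the allow-list pattern and the `puppet.example.test` server name are assumptions of the example.

```ruby
require 'erb'

# Constructed puppet.conf.erb. In a real Puppet template `clientcert` comes
# from the node's scope; here it is a local variable exposed via a binding.
PUPPET_CONF_ERB = <<~'TEMPLATE'
  [main]
      certname = <%= clientcert %>
      server = <%= server %>
TEMPLATE

# Assumed allow-list for this example: lowercase letters, digits, '.', '_', '-'.
CERTNAME_RE = /\A[a-z0-9][a-z0-9._-]*\z/

# Hypothetical helper: renders the template for one node.
def render_puppet_conf(clientcert, server)
  # clientcert is provided by the agent, so reject anything that could
  # add extra lines or settings to the rendered file.
  unless clientcert.is_a?(String) && clientcert.match?(CERTNAME_RE)
    raise ArgumentError, "refusing to template certname #{clientcert.inspect}"
  end
  ERB.new(PUPPET_CONF_ERB).result(binding)
end

# Minimal ini reader used to check what ended up in the [main] section.
def main_settings(conf_text)
  section = nil
  conf_text.each_line.with_object({}) do |line, settings|
    case line.strip
    when /\A\[(\w+)\]\z/ then section = Regexp.last_match(1)
    when /\A(\w+)\s*=\s*(.*)\z/
      settings[Regexp.last_match(1)] = Regexp.last_match(2) if section == 'main'
    end
  end
end

if $PROGRAM_NAME == __FILE__
  # The certname below is the sample value quoted in the original question.
  puts render_puppet_conf('d7bcd693-73fd-495f-0876-ff91ea11111e', 'puppet.example.test')
end
```

Because the rendered file carries the same certname the node was bootstrapped with, the first Puppet run no longer replaces it with a different identity.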


Alexandre

Oct 19, 2011, 4:07:28 PM
to Puppet Users
Great, I had not seen this one, thank you!

On 19 oct, 18:18, Nigel Kersten <ni...@puppetlabs.com> wrote:
> On Wed, Oct 19, 2011 at 2:06 AM, Alexandre Fouché <alexandre.fou...@gmail.com> wrote:
> > Hi,
>
> > I am using the cloud provisioner to bootstrap some ec2 nodes, and these
> > clients are signed using a randomly generated certname, which is put in
> > /etc/puppet.conf at bootstrap time (e.g. certname =
> > d7bcd693-73fd-495f-0876-ff91ea11111e).
>
> > But my puppet code repo also manages the puppet.conf file, so the file will
> > be overwritten on the client at the first puppet run. Nevertheless, I should
> > not lose what was the original certname for this client, because I need to
> > insert it in the puppet.conf.erb that will be pushed to this client,
> > otherwise the puppetmaster will not recognize and allow this client anymore.
>
> > I ran "facter" on the client, and the certname does not appear. I ran
> > "puppet --genconfig |grep certname" and the certname does not appear either.
> > I cannot check the cert name in /var/lib/puppet/ssl/certs because the cert
> > will appear after the first puppet run.
>
> > Is there a way to know what certname a puppet client is using, and be
> > able to use it in erb templates, or am I using puppet and the cloud
> > provisioner in a wrong way?
>
> http://docs.puppetlabs.com/guides/faq.html#are-there-variables-availa...

Nigel Kersten

Oct 19, 2011, 4:08:30 PM
to puppet...@googlegroups.com
On Wed, Oct 19, 2011 at 1:07 PM, Alexandre <alexandr...@gmail.com> wrote:
> Great, I had not seen this one, thank you!


It should be significantly easier to find out this info, it's not you :)

In an ideal world you could run a command as simple as "facter -p" to get access to all of these variables, but not all make sense within the context of Facter... 
