I'm new to the group and I'm trying to do something a little different here.
Puppet Master: CentOS 6.3 running puppet-server-2.7.14-2.1
Clients: CentOS 6.3 (puppet-2.6.17-2.el6.noarch) & SLES 11.2(puppet
I am trying to configure puppet in a very dynamic way. Nodes are not
defined in nodes.conf and each client is configured soley by facts that
define the role of the node.
Certificate autosigning is turned on.
I am trying to automate the rollout of 50k clients. The clients will not
have DNS entries available at the time puppet first runs, but will have
DNS sometime an hour or so later.
During the build process the client picks a psuedo random hostname to
register to puppet with.
I am trying to figure out a solution that would be totally programatic for
registration/re-registration and be tolerant to client hostname changes.
- If the client ssl cert is removed from the puppet master (and
puppetmasterd is restarted), the client must "rm -rf /var/lib/puppet" and
re-run to get a valid cert
- if /var/lib/puppet is removed and the ssl certificate still lives on
the puppet master the client cannot re-register until the cert is removed
from the master
Essentially I will never be using jabber or remote commands so I don't
really care what the systems are called, if one stops working I will just
replace it with a fresh working build.
I need each system to be able to register/re-register no matter if an entry
exists on the puppet master or the local private key gets wiped out. This
would be so I can guarantee that the puppet agent will continue to run if
its hostname changes, or the local caches need to be wiped programatically
to fix a stuck puppet run.
I'm sure this issue has come up before but I can't find anything useful on
google results. I understand that these requirements are in place for
security reasons, but that is not as much of a concern in this particular
implementation (thing 50k dumb nodes that perform simple tasks). I would
prefer a more secure method, but it doesn't seem that puppet is tolerant to
dynamic nodes that might move around (regularly).
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firstname.lastname@example.org.
To post to this group, send email to email@example.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.