Re: Func 0.27 + Puppet

On 2011 Apr 27, at 8:33 AM, seth vidal wrote:

> On Tue, 2011-04-26 at 21:29 +0200, Jan-Frode Myklebust wrote:
>> On 2011-04-26, Norvell, Preston <Preston.Norvell@xxxxxxxxxxxxxxxxxxxx> wrote:
>>> Reading through it, I have a couple comments:
>>> - I have found no need to modify anything in /etc/certmaster on either the overlords or minions
>> 
>> I use the EPEL packages, and they have certmaster=certmaster in 
>> /etc/certmaster/minion.conf, and then the minions fails to start.

Interesting.  We'll be switching to the epel-testing modules here shortly, so I'll keep this in mind.  With 0.27 from rf, though, I've not touched anything in the /etc/certmaster dir and we don't have a 'certmaster' defined in any of our dns zones.

>> 
>>> - Depending on where you get your RPM (I get mine currently from
>>> RPMForge), it may want to install/run certmaster by default.  It should
>>> be disabled.
>> 
>> Oh.. I hadn't noticed. Thanks!
>> 
>> IMHO that's a bug in the packaging... skvidal ?
>> 
>>> - There is a nascent puppet module to manage minion and overlord configurations here: http://forge.puppetlabs.com/rodjek/func.  I used it as the beginning of my work and hope to push the changes back up stream to the author.  It might be good to let folks know it exists.
>> 
>> I wrote my own yesterday ->
>> 
>> 	http://blag.tanso.net/2011/04/13-puppet-as-certmaster-for-func/
>> 
>>> - I found that I needed to create an acl file in /etc/minion-acl.d with the hostname-certhash of the overlord/puppetmaster on each minion, because rather than defaulting to "*" it defaults to "foo" (literally) for the acl.
>> 
>> I didn't need that. My minion-acl.d/ is empty, and I can access the minions
>> from the overlord. Hmm.. guess I need to understand the access control
>> model of func better..
>> 
>> 
> 
> the acls are for minion-to-minion. so you can say 'this minion can run
> these modules/methods on this other minion'

If that's true then perhaps there is/was an oddity with 0.27.  I've set up three environments at work so far, and none of them have worked without an acl file in there; the overlord/puppetmasters are all rejected because the default "*" has perms only to the "foo" (again, literally...) function.  Since we'll be switching to epel-testing and their 0.28 rpm shortly, we'll see if that demonstrably changes.

> 
> -sv

--
Preston M Norvell <preston.norvell@xxxxxxxxxxxxxxxxxxxx>
Systems/Network Engineer
Serials Solutions <http://www.serialssolutions.com>
Phone:  (866) SERIALS (737-4257) ext 1094

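An added illustration, not func's own code and not written by anyone in this thread, of the minion-side ACL model the messages above argue about. It assumes the layout the thread describes: ACL files are INI-style, each section is named "<cert common name>-<cert hash>" (or "*" for any caller), and the "methods" option is a comma-separated list of module.method globs. The hostname, certificate hash and method lists below are made up; check the ACL syntax your installed func version documents before relying on the exact format.

```python
"""
Minion-side ACL check, written as an example for this list archive.

Assumptions (not verified against func's source):
  * one INI section per caller, named "<common name>-<cert hash>",
    plus an optional "*" section that applies to any caller;
  * "methods" is a comma-separated list of module.method globs;
  * several files in the minion-acl.d directory are merged.
All sample data below is constructed for the example.
"""
import configparser
import fnmatch
from typing import Dict, List

# Constructed: the kind of packaged default the thread complains about,
# which grants every caller nothing but the literal method "foo".
DEFAULT_ACL = """
[*]
methods = foo
"""

# Constructed: an explicit entry for the overlord/puppetmaster certificate.
OVERLORD_CN = "overlord.example.org"        # assumed hostname
OVERLORD_HASH = "0123456789abcdef"           # assumed cert hash
OVERLORD_ACL = f"""
[{OVERLORD_CN}-{OVERLORD_HASH}]
methods = command.run, service.*, smart.*
"""


def parse_acl(text: str) -> Dict[str, List[str]]:
    """Parse one ACL file body into {section: [method globs]}."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    acls: Dict[str, List[str]] = {}
    for section in cp.sections():
        raw = cp.get(section, "methods", fallback="")
        acls[section] = [m.strip() for m in raw.split(",") if m.strip()]
    return acls


def merge_acls(*bodies: str) -> Dict[str, List[str]]:
    """Merge several ACL file bodies as a minion-acl.d directory would be read."""
    merged: Dict[str, List[str]] = {}
    for body in bodies:
        for section, methods in parse_acl(body).items():
            merged.setdefault(section, []).extend(methods)
    return merged


def caller_key(common_name: str, cert_hash: str) -> str:
    """Build the 'hostname-certhash' identity key the thread refers to.

    Binding the grant to the certificate hash, not just the hostname, means a
    host that merely claims the overlord's name does not inherit its rights.
    """
    return f"{common_name}-{cert_hash}"


def is_allowed(acls: Dict[str, List[str]], key: str, module: str, method: str) -> bool:
    """True if the caller's own section or the '*' section grants module.method."""
    target = f"{module}.{method}"
    for section in (key, "*"):
        for pattern in acls.get(section, []):
            if fnmatch.fnmatchcase(target, pattern):
                return True
    return False


if __name__ == "__main__":
    overlord = caller_key(OVERLORD_CN, OVERLORD_HASH)
    only_default = merge_acls(DEFAULT_ACL)
    with_overlord = merge_acls(DEFAULT_ACL, OVERLORD_ACL)
    # Default file alone: the overlord is rejected for command.run.
    print("default only, command.run:", is_allowed(only_default, overlord, "command", "run"))
    # With its own section present the overlord is accepted.
    print("with overlord acl, command.run:", is_allowed(with_overlord, overlord, "command", "run"))
    # A different certificate still gets nothing beyond the "*" grant.
    print("stranger, command.run:", is_allowed(with_overlord, "other.example.org-deadbeef", "command", "run"))
```

Run as a script it prints False, True, False, which is the behaviour Preston describes: with only a "*" section granting "foo", every caller is denied real methods until a section keyed on the caller's own certificate is added.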


_______________________________________________
Func-list mailing list
Func-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/func-list


