On Wed, 2006-09-13 at 12:25 -0600, Jeffrey Law wrote:
> Per earlier discussions, we want to be including the puppet CA's
> certificate as part of the readonly nfs filesystem we use to boot
> new clients.
>
> The canonical location of that certificate is
>
> /var/lib/puppet/ssl/certs/ca.pem
>
> Unfortunately, that's also where the client's certificate is
> supposed to be stored, using the client's fqdn.
>
> Because the client is going to store its cert using a filename
> which we can't reasonably include in the readonly image, we
> can't create a bind mount for just the client's cert.

Why wouldn't this work?

/etc/rwtab:
    files /var/lib/puppet/ssl/certs

$STATE_MOUNT/files
    /var/lib/puppet/ssl/certs/$(hostname).cert

Cheers,
Mark.