Re: Minor issue with distributing the puppet CA cert

On Tue, 2006-09-26 at 09:48 +0100, Mark McLoughlin wrote:
> On Wed, 2006-09-13 at 12:25 -0600, Jeffrey Law wrote:
> 
> > Per earlier discussions, we want to be including the puppet CA's
> > certificate as part of the readonly nfs filesystem we use to boot
> > new clients.
> > 
> > The canonical location of that certificate is
> > 
> >   /var/lib/puppet/ssl/certs/ca.pem
> > 
> > Unfortunately, that's also where the client's certificate is
> > supposed to be stored, using the client's fqdn.
> > 
> > Because the client is going to store its cert using a filename
> > which we can't reasonably include in the readonly image, we
> > can't create a bind mount for just the client's cert.
> 
> 	Why wouldn't this work?
> 
>   /etc/rwtab:
> 
>     files /var/lib/puppet/ssl/certs
> 
>   $STATE_MOUNT/files
> 
>     /var/lib/puppet/ssl/certs/$(hostname).cert
Interesting.  Though I think you'd need something like

touch /var/lib/puppet/ssl/certs/$(hostname).cert

to execute between the time we set up the bind mounts specified by
rwtab and those specified by the $STATE_MOUNT/files.  Otherwise
there's no mount point for the bind mount of the client's cert.

I'm not sure that's going to buy us anything over just copying the
CA's cert into the persistent store.  Either way we've got an "odd"
step (either the touch of the client's cert or a copy of the CA's cert).

jeff
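The ordering problem Jeff points out, as an added example that is not code from the thread or from the readonly-root scripts: a boot-time helper that walks $STATE_MOUNT/files, creates the empty mount point (the "touch") only where the rwtab-writable tree has nothing yet, leaves files already in the image such as ca.pem untouched, and then bind-mounts the persistent copy. The function name, the argument layout, the one-path-per-line files format and the MOUNT_CMD override are assumptions for illustration.

```shell
#!/bin/sh
# bind_state_files ROOT STATE_MOUNT
#   For every absolute path listed in STATE_MOUNT/files, make sure a mount
#   point exists under ROOT and bind-mount the persistent copy over it.
#   Paths that already exist under ROOT (the image's ca.pem) are never
#   recreated or overwritten; entries with no persistent copy are skipped.
#   Prints the number of bind mounts performed.
# Assumptions (hypothetical, not from the thread): STATE_MOUNT/files holds
# one absolute path per line; MOUNT_CMD may be set to ':' for a dry run.
bind_state_files() {
    root=$1
    state=$2
    mounted=0
    [ -f "$state/files" ] || { echo 0; return 0; }
    while IFS= read -r path; do
        case $path in ''|\#*) continue ;; esac   # skip blanks and comments
        src="$state$path"
        dst="$root$path"
        if [ ! -e "$src" ]; then
            echo "bind_state_files: no persistent copy of $path, skipping" >&2
            continue
        fi
        if [ ! -e "$dst" ]; then
            # the "touch" step: an empty placeholder of the right type so
            # mount --bind has something to mount over
            mkdir -p "$(dirname "$dst")"
            if [ -d "$src" ]; then
                mkdir "$dst"
            else
                : > "$dst"
            fi
        fi
        "${MOUNT_CMD:-mount}" --bind "$src" "$dst" || return 1
        mounted=$((mounted + 1))
    done < "$state/files"
    echo "$mounted"
}
```

Run it after the rwtab mounts and before puppet starts; a real run needs root, while MOUNT_CMD=: exercises only the mount-point preparation.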

