On Tue, 2006-09-26 at 09:48 +0100, Mark McLoughlin wrote:
> On Wed, 2006-09-13 at 12:25 -0600, Jeffrey Law wrote:
>
> > Per earlier discussions, we want to be including the puppet CA's
> > certificate as part of the readonly nfs filesystem we use to boot
> > new clients.
> >
> > The canonical location of that certificate is
> >
> >   /var/lib/puppet/ssl/certs/ca.pem
> >
> > Unfortunately, that's also where the client's certificate is
> > supposed to be stored, using the client's fqdn.
> >
> > Because the client is going to store its cert using a filename
> > which we can't reasonably include in the readonly image, we
> > can't create a bind mount for just the client's cert.
>
> Why wouldn't this work?
>
> /etc/rwtab:
>
>   files /var/lib/puppet/ssl/certs
>
> $STATE_MOUNT/files:
>
>   /var/lib/puppet/ssl/certs/$(hostname).cert

Interesting. Though I think you'd need something like

  touch /var/lib/puppet/ssl/certs/$(hostname).cert

to execute between the time we set up the bind mounts specified by rwtab
and those specified by $STATE_MOUNT/files. Otherwise there's no mount
point for the bind mount of the client's cert.

I'm not sure that's going to buy us anything over just copying the CA's
cert into the persistent store. Either way we've got an "odd" step
(either the touch of the client's cert or a copy of the CA's cert).

jeff
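The ordering problem Jeff raises (the per-file bind mount needs a mount point that only exists once the rwtab bind mount is up and the file has been touched) can be made concrete with a dry-run planner. The script below is an added example, not code from the thread or from the readonly-root scripts: it prints the commands in the order they would have to run instead of executing them, so it needs no root and no real $STATE_MOUNT. The "<type> <path>" rwtab line and the one-path-per-line $STATE_MOUNT/files list follow the thread; the fixed client hostname (standing in for $(hostname).cert), the $STATE_MOUNT/files/<path> layout for the writable copy, and the rule that only "files" entries are handled are assumptions.

```shell
#!/bin/sh
# Added example: plan the two-stage bind-mount sequence from the thread as a
# list of shell commands printed to stdout (dry run; nothing is mounted).
# Assumptions: rwtab lines look like "<type> <path>", the writable copy of a
# rwtab path lives under $STATE_MOUNT/files<path>, and persistent per-file
# entries live at $STATE_MOUNT<path>. Only the "files" type is handled.

# Constructed /etc/rwtab contents.
RWTAB='files /var/lib/puppet/ssl/certs'

# Constructed $STATE_MOUNT/files contents; a fixed name stands in for
# $(hostname).cert.
STATE_FILES='/var/lib/puppet/ssl/certs/client.example.com.cert'

# plan_mounts STATE_MOUNT
# Prints, in the order they must run:
#   1. the rwtab bind mounts (writable copy over the read-only directory),
#   2. a touch for each per-file entry, creating the mount point inside the
#      now-writable directory (the "odd" step from the reply),
#   3. the per-file bind mounts from the persistent store.
plan_mounts() {
    state=$1
    printf '%s\n' "$RWTAB" | while read -r kind path; do
        [ -n "$path" ] || continue
        if [ "$kind" != files ]; then
            echo "# skipping unsupported rwtab type: $kind $path"
            continue
        fi
        echo "mkdir -p $state/files$path"
        echo "mount --bind $state/files$path $path"
    done
    printf '%s\n' "$STATE_FILES" | while read -r path; do
        [ -n "$path" ] || continue
        # Without this touch the next bind mount has no mount point: the
        # file name is per host and cannot be baked into the read-only image.
        echo "touch $path"
        echo "mount --bind $state$path $path"
    done
}

# line_of TEXT STRING -> 1-based number of the first line containing STRING
# (used to check the relative order of the planned commands).
line_of() {
    printf '%s\n' "$1" | grep -nF -- "$2" | head -n 1 | cut -d: -f1
}

plan_mounts /state
```

Run as-is it prints four lines: the mkdir and bind mount for the certs directory, then the touch, then the bind mount of the client's cert; swapping the last two stages is exactly the failure the reply describes.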