Allow hosts access to own ENC data

Hello,

Is it possible to allow all hosts access to their own ENC data using the
certificates? Something like puppet masters are allowed to do.

Best regards,
Cristian Falcas

If a host sends a GET to the puppetmaster, complete with its puppet
certificate, then the puppetmaster will respond with its ENC data retrieved
from Foreman.

I use this template, which returns a YAML blob that you can parse:

PUPPETMASTER=$(puppet agent --configprint server --config /etc/puppet/puppet.conf)
CERTNAME=$(puppet config print certname)
CERTFILE=$(puppet config print hostcert)
PRIVKEY=$(puppet config print hostprivkey)
CACERT=$(puppet config print localcacert)
ENVIRONMENT=$(puppet config print environment)

curl -H "Accept: yaml" \
  "https://$PUPPETMASTER:8140/$ENVIRONMENT/node/$CERTNAME" \
  --cert "$CERTFILE" --key "$PRIVKEY" --cacert "$CACERT"


Forgot to mention that the puppetmaster's auth.conf file needs to have this
stanza to allow the api call:

# allow nodes to retrieve their own node definition
path ~ ^/node/([^/]+)$
method find
allow $1

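Putting the two messages above together, here is an added example (my own code, not from the thread or from Foreman) of a Facter external fact in Ruby that makes the same client-certificate call to the puppetmaster and exports the ENC `parameters` as facts; the helper names and the `enc_` fact prefix are assumptions, and the sample ENC YAML used to exercise it is constructed.

```ruby
# Added example, not code from the thread: fetch this node's own ENC from the
# puppetmaster with the node's certificate (same call as the curl template)
# and print it as Facter external-fact lines. Helper names are hypothetical.
require 'net/http'
require 'openssl'
require 'yaml'

# Read a puppet setting the same way the curl template does.
def puppet_setting(name)
  `puppet config print #{name}`.strip
end

# GET /<env>/node/<certname> with client-certificate auth; the server
# certificate is verified against the Puppet CA, never disabled.
def fetch_enc(server, env, certname, cert, key, cacert, port = 8140)
  http = Net::HTTP.new(server, port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = cacert
  http.cert = OpenSSL::X509::Certificate.new(File.read(cert))
  http.key = OpenSSL::PKey::RSA.new(File.read(key))
  req = Net::HTTP::Get.new("/#{env}/node/#{certname}", 'Accept' => 'yaml')
  res = http.request(req)
  raise "puppetmaster returned HTTP #{res.code}" unless res.code == '200'
  res.body
end

# Flatten the ENC's "parameters" hash into enc_<name>=<value> facts.
# Only scalar values are exported; nested data would need its own fact.
# Puppet may serialise the node as a tagged Ruby object, so that tag is
# dropped before the tag-free YAML.safe_load.
def enc_to_facts(yaml_text)
  plain = yaml_text.sub(%r{\A---\s*!ruby/object:\S+}, '---')
  doc = YAML.safe_load(plain) || {}
  params = doc['parameters'] || {}
  params.each_with_object({}) do |(k, v), facts|
    next unless v.is_a?(String) || v.is_a?(Numeric) || v == true || v == false
    facts["enc_#{k.to_s.downcase.gsub(/[^a-z0-9_]/, '_')}"] = v.to_s
  end
end

# Entry point for the deployed fact script: one "key=value" line per fact.
def emit_facts(out = $stdout)
  body = fetch_enc(puppet_setting('server'), puppet_setting('environment'),
                   puppet_setting('certname'), puppet_setting('hostcert'),
                   puppet_setting('hostprivkey'), puppet_setting('localcacert'))
  enc_to_facts(body).each { |k, v| out.puts "#{k}=#{v}" }
end
```

Because the request goes through the puppetmaster with the node's own certificate, the `allow $1` stanza keeps each node limited to its own node definition rather than opening Foreman's ENC endpoint to every client. Facter runs external-fact scripts with no arguments, so a deployed copy ends with a bare call to `emit_facts`.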

Actually, this kind of information will be too much for me. I wanted
just the ENC data.

My problem is that I moved to the new mcollective module, which writes the
facts.yaml file from cron from now on, so it doesn't have access to foreman
variables anymore.

I was thinking that maybe I could write a fact that connects to
https:///$FOREMAN_URL/hosts/$CERTNAME/externalNodes?name=$CERTNAME
and this way I will still have access to Organization/Location and any
other variable defined in foreman.

If I can't do it with foreman, I will take your advice and extract from the
facts what extra values I need.

Best regards,
Cristian Falcas

You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

Actually, since the data from the puppet master is updated only after a puppet
run, I will write a fact file for facter during the puppet run. It's the
same thing.

I was hoping to get the values from foreman, since those are the real ones; in
the puppet master the information could be stale if there was no puppet run.



You can get the values from foreman, but you would have to 'relax' the
security settings a bit.

You can change 'restrict_registered_puppetmasters' to false under the
auth settings, which will allow your clients to fetch the ENC data as is
(assuming you use a valid SSL cert; you can also remove the SSL
verification, but I would not recommend that).

Note that, at the moment, this will allow every puppet client to ask for every
other puppet client's ENC data. If you wish to fetch only your own ENC data, I would ask
you to apply for a new feature request.

hope this helps,
Ohad


Pretty much the same, but we have
Feature #5914: Allow a host to upload its own facts and reports - Support masterless Puppet - Foreman to request access to upload
facts/reports for masterless situations.



Dominic Cleal
Red Hat Engineering

Can I add a request for reading ENC data also on the same ticket, or should
I open a new one for this?


Please do, I think it's all the same problem to fix.



Dominic Cleal
Red Hat Engineering