help-cfengine

Re: Bootstrapping


From: Jamie Wilkinson
Subject: Re: Bootstrapping
Date: Fri, 20 Feb 2004 09:09:41 +1100
User-agent: Mutt/1.5.5.1+cvs20040105i

This one time, at band camp, Luke A. Kanies wrote:
>Anyone else have any stories of how they bootstrap their cfengine clients?
>How do you solve the above problems?  I hope to incorporate some different
>ideas and solutions into my article, so give me anything you think
>cfengine newbies should know about.

I'm currently using Red Hat's kickstart to bootstrap my servers, and
I've tied in the cfengine bootstrap to that.

At the end of the kickstart, the %pre section installs a homegrown
cfengine RPM, and writes a default update.conf.  The update.conf
contains enough to specify server, domain, and trust levels.

The procedure mostly goes like this:

* set up DNS for the new server
* modify cfservd.conf in Subversion, adding the TrustKeysFrom variable
  in the right place.  Roll that out to the server.
* kickstart
* after cfengine has finished, remove the TrustKeysFrom and roll that
  out again.

So there's a window of trust for one IP only, which is taken fairly
quickly; it isn't ideal but it works.

The newly copied update.conf has some more secure settings, e.g. no
trustkey, so the bootstrapping update.conf only exists during kickstart.

-- 
jaq@spacepants.org                           http://spacepants.org/jaq.gpg
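
Added example, not part of the original post: a small audit that reports when the bootstrap trust window described above was never closed, that is, when cfservd.conf still has a live TrustKeysFrom entry or update.conf still sets trustkey. The sample files, host names and addresses are constructed, and the cfengine 2 syntax they use is assumed.

```python
import re

# Constructed sample files in cfengine 2 syntax (not from the original post).
CFSERVD_OPEN = """\
control:
   domain = ( example.org )
   # bootstrap window for the new host
   TrustKeysFrom = ( 192.0.2.17 )
"""
CFSERVD_CLOSED = """\
control:
   domain = ( example.org )
   # TrustKeysFrom = ( 192.0.2.17 )
"""
UPDATE_BOOTSTRAP = """\
copy:
   /var/cfengine/masterfiles/inputs dest=/var/cfengine/inputs
      server=cfmaster.example.org trustkey=true recurse=inf
"""

def strip_comments(text):
    """Drop '#' comments so commented-out settings are not reported."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def trusted_sources(cfservd_conf):
    """Return the addresses still listed in TrustKeysFrom = ( ... )."""
    found = []
    for m in re.finditer(r"(?i)\bTrustKeysFrom\s*=\s*\(([^)]*)\)",
                         strip_comments(cfservd_conf)):
        found.extend(m.group(1).split())
    return found

def trustkey_enabled(update_conf):
    """True if a copy option still enables trustkey (accepted values assumed)."""
    return bool(re.search(r"(?i)\btrustkey\s*=\s*(true|on|yes)\b",
                          strip_comments(update_conf)))

def audit(cfservd_conf, update_conf):
    """List findings that mean the bootstrap trust window is still open."""
    findings = [f"cfservd.conf still trusts new keys from {ip}"
                for ip in trusted_sources(cfservd_conf)]
    if trustkey_enabled(update_conf):
        findings.append("update.conf still has trustkey enabled")
    return findings

if __name__ == "__main__":
    for finding in audit(CFSERVD_OPEN, UPDATE_BOOTSTRAP):
        print("WARN:", finding)
```

Run against the checked-out server configuration and each client's installed update.conf after a kickstart completes; an empty result means both halves of the temporary trust have been rolled back.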



