[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bootstrapping

From: Jamie Wilkinson
Subject: Re: Bootstrapping
Date: Fri, 20 Feb 2004 09:09:41 +1100
User-agent: Mutt/

This one time, at band camp, Luke A. Kanies wrote:
>Anyone else have any stories of how they bootstrap their cfengine clients?
>How do you solve the above problems?  I hope to incorporate some different
>ideas and solutions into my article, so give me anything you think
>cfengine newbies should know about.

I'm currently using Red Hat's kickstart to bootstrap my servers, and
I've tied in the cfengine bootstrap to that.

At the end of the kickstart, the %pre section installs a homegrown
cfengine RPM, and writes a default update.conf.  The update.conf
contains enough to specify server, domain, and trust levels.

The procedure mostly goes like this:

* set up DNS for the new server
* modify cfservd.conf in subversion, adding the TrustKeysFrom variable
  in the right place.  roll that out to the server.
* kickstart
* after cfengine has finished, remove the TrustKeysFrom and roll that
  out again.

So there's a window of trust for one IP only, which is taken fairly
quickly; it isn't ideal but it works.

The newly copied update.conf has some more secure settings, e.g. no
trustkey, so the bootstrapping update.conf only exists during kickstart.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]