Simple Way to Remove Puppet Cert during build

One of the build systems I have been spending a lot of time working with is Cobbler. No, Cobbler is not that tasty dessert either. It is an installation server that started out at Red Hat and has since been open sourced. You can learn more about it at the Cobbler Home Page. It can make a system install very quick and easy, and can be used to install operating systems other than just Red Hat Linux. We use it to do FreeBSD, VMware, and a few others.

Cobbler relies on templated kickstart scripts to ease the burden of building lots and lots of boxes. Kickstart scripts are instructions that the operating system installers use to configure the systems in a particular manner. They can do amazingly complex tasks, ranging from determining the right sector to start a partition on to setting a root password. It is only natural to have Puppet be one of the tasks that Cobbler completes during build.

Easy Stuff

Getting Puppet installed on the system is the easy stuff. All you have to do is point the machine to the correct repository and install the puppet agent. It will grab all the necessary RPMs and install any dependencies that are needed. That can be done during the %POST_INSTALL section of the build or by adding it as a package that is installed with everything else. Then make sure the puppet server is correctly set in the puppet.conf file and you are set.

Harder Stuff

The more difficult part comes when you are continuously building new systems. While adding a new server that has never been created before is simple (if autosigning is set to true), what happens when you want to re-provision a server? That is, you want to reinstall the operating system using the same hostname that you used previously. That is where the trouble begins. You can manually go to the puppet master and revoke and remove the certificate by hand. That may work for one or two servers, but not for tens or even hundreds of servers at a time, or automatically during a continuous integration workflow. There has to be a better way... and there is.

Pretty simple solution

The solution is actually pretty simple. During every build, simply use the hostname that is being set to always attempt to revoke and delete the certificate. You attempt to do this for every server during every build. It does not matter if the server has never been built before. This ensures that the certificate is removed and the server can successfully grab the necessary information from the puppet master.

The Code Snippet

The way I do this in the build system is to create a snippet within Cobbler, which I then add to every kickstart that I plan on using. The code snippet looks like this:

    # Revoke the certificate for this hostname on the puppet master.
    # -k skips TLS verification of the master, since the node has no CA cert yet at this point of the install.
    curl -k -X PUT -H "Content-Type: text/pson" --data '{"desired_state":"revoked"}' https://PUPPETMASTER:PORT/production/certificate_status/$(hostname)

    # Then delete it; a DELETE on a certificate that has not been revoked returns an error.
    curl -k -X DELETE -H "Accept: pson" https://PUPPETMASTER:PORT/production/certificate_status/$(hostname)

This code makes two calls. The first revokes the certificate and the second actually deletes it from the server. You cannot simply make the delete call on its own: it will return an error and the certificate will still be there on the server. Be sure to place this snippet closer to the top of your %POST_INSTALL portion of the build. It should come before you do any other puppet tasks.
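The snippet above fires both requests blindly, so a failed revoke or delete goes unnoticed and the host later fails its first puppet run. The following is an added example, not the post's own snippet, that wraps the same two calls in a function which checks the HTTP status of each step and reports a failure. PUPPETMASTER, PORT and the hostnames used are placeholders, and treating a 404 on the revoke as "the master has no certificate of that name" (the first build of a host) is an assumption about the certificate_status API.

```shell
#!/bin/sh
# Added example, not the post's own snippet: revoke-then-delete of the node's
# own Puppet certificate with HTTP status checks, so a failed cleanup is
# reported instead of leaving a stale certificate on the master.
# PUPPETMASTER, PORT and the certificate names are placeholders.

PUPPETMASTER="${PUPPETMASTER:-puppet.example.internal}"   # placeholder master
PORT="${PORT:-8140}"
CURL="${CURL:-curl}"   # overridable so the logic can be exercised without a master

# One request to the certificate_status endpoint; prints only the HTTP status
# code.  $1 = HTTP method, $2 = certname, remaining args = extra curl options.
cert_status_request() {
    method="$1"
    certname="$2"
    shift 2
    # -k mirrors the post's snippet: during install the node has no CA cert
    # yet, so curl cannot verify the master.  Prefer --cacert where available.
    "$CURL" -k -s -o /dev/null -w '%{http_code}' -X "$method" "$@" \
        "https://${PUPPETMASTER}:${PORT}/production/certificate_status/${certname}"
}

# Revoke, then delete, the certificate named $1.  Returns 0 when the master no
# longer has a certificate for that name (also when it never had one, which is
# the first build of a host), 1 on any unexpected response.
remove_puppet_cert() {
    certname="$1"

    revoke_code=$(cert_status_request PUT "$certname" \
        -H 'Content-Type: text/pson' --data '{"desired_state":"revoked"}')
    case "$revoke_code" in
        200|204) ;;                  # revoked, continue to the delete
        404) return 0 ;;             # assumption: no cert of that name exists
        *) echo "revoke of ${certname} failed: HTTP ${revoke_code}" >&2
           return 1 ;;
    esac

    delete_code=$(cert_status_request DELETE "$certname" -H 'Accept: pson')
    case "$delete_code" in
        200|204) return 0 ;;
        *) echo "delete of ${certname} failed: HTTP ${delete_code}" >&2
           return 1 ;;
    esac
}

# In the kickstart %post section, before any other Puppet step:
#   remove_puppet_cert "$(hostname)" || exit 1
```

Because the function returns non-zero on an unexpected status, the %post section can abort the build (or log the host for follow-up) instead of continuing to a puppet run that will fail against a stale certificate.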

So, go try out Cobbler, and add this snippet to your builds to make sure that the certificates for your hosts have been deleted. This will allow you to get hosts connected to Puppet up and running much quicker.

  • Randy Zagar

    The puppet auth.conf file needs to allow client access to /certificate_status. This is my preferred configuration; others I've found use "allow *", which would allow any client to revoke arbitrary client certificates.

    # allow nodes to revoke their own certificate
    path ~ ^/certificate_status/([^/]+)$
    auth any
    method find, save, destroy
    allow $1