Re: bugs, features, blockers, etc for next release


Adrian Likins wrote:
> Certmaster
> - we need a trigger that indicates "the minion is up, has its cert, and
> is ready to be talked to". The current post-sign trigger actually runs
> after the cert is signed, but before it picks it up.
>    A couple of approaches to fixing that: 1) hook around the xmlrpc
> dispatcher in the certmaster server code, and do something after the
> minion picks up its cert; 2) add another step in the minion/certmaster
> communication, an "I'm alive" call. We could run the post-pickup trigger
> then. We could also maybe check the certs against the certmaster on
> every funcd startup, so we could handle cases like old minion certs that
> currently are hard to detect.

Agreed, I am going to investigate this.  No preference either way right
now; each has its advantages and disadvantages.  This is related to the
m2m stuff below (syncing certs between minions)...

> Any other bugs/features that are good targets for the next release?

I hope to have a minion-to-minion patch posted to the list shortly.
Hopefully by the end of the day, but maybe not until early next week.  Be
on the lookout.

In the meantime I'll give a quick overview of the changes coming:

-  New script, certmaster-sync, which copies all known minion
certificates to all known minions, in the 'peerroot' (see below).  Also
locates stale certificates on the minions and removes them (cleaned
hosts, generally).  This will be linked into the triggers for post-sign
and post-clean.  Whenever the new trigger above is complete, we will use
that in place of post-sign.  Currently it is buggy in that the most
recently-signed client does not get synced because of the triggers
getting run before it's actually able to fetch its certificate.

-  New config variables for certmaster:
   -  sync_certs; disabled by default.  Controls whether or not
      certmaster-sync will run.
   -  peering; defaults to True, controls whether or not peer certificates
      should be synced to a particular minion.
   -  peerroot; defaults to /var/lib/certmaster/peers
      This is the directory in which to keep peer certificates.

-  Added some methods to the minion module 'certmastermod' to facilitate
gathering information and copying certificates around.

-  Tweaked the overlord Client class slightly to look into 'peerroot'
for minions in the event that 'peering' is enabled.

--
John Eckersberg
IT Engineering Support
Red Hat, Inc.

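The reconciliation that certmaster-sync is described as doing above (copy every known minion certificate into each minion's peerroot, remove the stale ones left behind by cleaned hosts), as an added Python example. This is not the patch being announced nor certmaster's own code: it assumes an INI-style certmaster.conf with a [main] section holding the three new settings, certificate files named <hostname>.cert inside peerroot, and a plain dict of hostname to certificate bytes standing in for the certmaster's directory of signed certs. The config fragment and the certificate bodies are constructed for the walk-through.

```python
import configparser
import os
import shutil
import tempfile

# Constructed certmaster.conf fragment; the [main] section name and INI layout are assumed.
SAMPLE_CONF = """
[main]
sync_certs = 1
peering = 1
peerroot = /var/lib/certmaster/peers
"""

# Constructed, obviously fake certificate bodies standing in for signed minion certs.
KNOWN_CERTS = {
    "alpha.example.test": b"-----BEGIN CERTIFICATE-----\nALPHA\n-----END CERTIFICATE-----\n",
    "beta.example.test": b"-----BEGIN CERTIFICATE-----\nBETA\n-----END CERTIFICATE-----\n",
}


def load_sync_settings(config_text):
    """Read the three sync settings with the defaults the announcement describes."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    return {
        "sync_certs": parser.getboolean("main", "sync_certs", fallback=False),
        "peering": parser.getboolean("main", "peering", fallback=True),
        "peerroot": parser.get("main", "peerroot", fallback="/var/lib/certmaster/peers"),
    }


def read_peer_certs(peerroot):
    """Map hostname -> cert bytes for every <hostname>.cert already in peerroot."""
    found = {}
    if not os.path.isdir(peerroot):
        return found
    for name in os.listdir(peerroot):
        if name.endswith(".cert"):
            with open(os.path.join(peerroot, name), "rb") as fh:
                found[name[: -len(".cert")]] = fh.read()
    return found


def plan_sync(known_certs, peerroot):
    """Decide what a minion's peerroot needs: certs to (re)copy and stale certs to remove.

    A cert is stale when the certmaster no longer knows the host (it was cleaned).
    A cert is recopied when its bytes differ, so a re-signed minion is refreshed too."""
    existing = read_peer_certs(peerroot)
    to_copy = sorted(h for h, pem in known_certs.items() if existing.get(h) != pem)
    to_remove = sorted(h for h in existing if h not in known_certs)
    return to_copy, to_remove


def apply_sync(known_certs, peerroot, peering=True):
    """Bring peerroot in line with known_certs; returns the (copied, removed) host lists."""
    if not peering:  # this minion opted out of receiving peer certificates
        return [], []
    os.makedirs(peerroot, exist_ok=True)
    to_copy, to_remove = plan_sync(known_certs, peerroot)
    for host in to_copy:
        final = os.path.join(peerroot, host + ".cert")
        tmp = final + ".tmp"
        with open(tmp, "wb") as fh:
            fh.write(known_certs[host])
        os.replace(tmp, final)  # atomic rename: readers never see a half-written cert
    for host in to_remove:
        os.remove(os.path.join(peerroot, host + ".cert"))
    return to_copy, to_remove


def demo():
    """Walk through sign -> sync -> sync again -> clean one host -> sync, in a temp dir."""
    root = tempfile.mkdtemp(prefix="peerroot-demo-")
    try:
        settings = load_sync_settings(SAMPLE_CONF)
        if not settings["sync_certs"]:
            return None
        peerroot = os.path.join(root, "peers")  # stands in for settings["peerroot"]
        known = dict(KNOWN_CERTS)
        first = apply_sync(known, peerroot, settings["peering"])
        second = apply_sync(known, peerroot, settings["peering"])  # idempotent re-run
        del known["beta.example.test"]  # beta was cleaned on the certmaster
        third = apply_sync(known, peerroot, settings["peering"])
        return first, second, third, sorted(os.listdir(peerroot))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Two design points matter for the race the announcement mentions (the trigger firing before the newest minion has fetched its certificate): a re-run that finds nothing to do copies nothing, so the sync can safely be fired again later from an "I'm alive" or funcd-startup hook without churning every peer's directory, and the write-to-temp-then-rename step means a minion that reads its peerroot mid-sync never picks up a truncated certificate.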

_______________________________________________
Func-list mailing list
Func-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/func-list
