On Thu, Dec 05, 2013 at 12:24:17 +0100, Lukas Zapletal wrote:
> A) uReports are collected by ABRT server deployed by the administrator.
> Upon receiving a report, the ABRT server notifies Foreman (or Foreman
> can periodically ask the ABRT server for new reports). Foreman
> communicates with ABRT server using some kind of REST API.
We have a nice Puppet-based installer, so this looks like a viable option to
me as we can set up another component.
> B) uReports are collected by Foreman, or some kind of proxy written for
I prefer A, this is solely my opinion.
> While we could just add an item containing e.g. FQDN to the uReport,
> such information can be easily spoofed. Can we take advantage of the
> fact that there already exists authentication between the managed
> machines and Foreman (or Puppet?)?
Someone correct me if I am wrong, but we are deploying a Puppet client
certificate during the provisioning phase which is being signed by Puppet CA
authority. That means each Foreman-managed machine has a client
certificate which could be re-used for other things. It should not be
a problem to use Puppet CA to validate client certificates during ABRT
The key is to make sure the ABRT server has access to the Puppet CA
certificate (and key).
I wonder if it would be possible to use these certificates without major
changes to Puppet. Or, whether the benefits of having authenticated
problem reports outweigh the risks of sharing the Puppet certificates
with another component.
Thanks for the reply,
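
The check discussed in this thread, as an added example that is not part of the original messages or of ABRT, Foreman or Puppet: the receiver accepts a report only if the client certificate chains to the trusted CA and the FQDN claimed in the report matches the certificate's CN. The CA names, host names and the `check_report` helper are constructed for the demo, and it assumes the certificate CN carries the host's FQDN; a real receiver would take the certificate from the TLS handshake rather than from a file.

```shell
#!/usr/bin/env bash
# Added example. All CAs, keys and host names below are constructed throwaways.
WORK=$(mktemp -d)

# make_ca NAME: self-signed CA (demo-puppet-ca stands in for the Puppet CA)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert CA FQDN OUT: client certificate for FQDN signed by CA
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$3.csr" -days 1 -CAcreateserial \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -out "$WORK/$3.pem" 2>/dev/null
}

# check_report CA_CERT CLIENT_CERT CLAIMED_FQDN
# Receiver-side check; this step reads only the CA certificate file.
# Returns 0 = accept, 1 = untrusted issuer, 2 = FQDN does not match the CN.
check_report() {
  local cn
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
    { echo "reject: certificate not issued by trusted CA"; return 1; }
  cn=$(openssl x509 -in "$2" -noout -subject -nameopt multiline |
       sed -n 's/^ *commonName *= *//p')
  [ "$cn" = "$3" ] ||
    { echo "reject: report claims $3 but certificate is for $cn"; return 2; }
  echo "accept: $3"
}

make_ca demo-puppet-ca
make_ca other-ca
issue_cert demo-puppet-ca web01.example.test web01    # legitimate host
issue_cert other-ca       web01.example.test forged   # same CN, wrong issuer

CA="$WORK/demo-puppet-ca.pem"
check_report "$CA" "$WORK/web01.pem"  web01.example.test          # accepted
check_report "$CA" "$WORK/web01.pem"  db01.example.test || true   # spoofed FQDN
check_report "$CA" "$WORK/forged.pem" web01.example.test || true  # foreign CA
```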