[chef] Re: Re: Registering client when old client exists.

[John Hanks < >]

On Sun, Jun 27, 2010 at 10:21 PM, Daniel DeLeo 
<
 >
 wrote:
> You're getting a 403 forbidden error when the client attempts to
> re-register, yes? This happens because the validation client is no
> longer an admin, but a much lesser privileged entity. You could
> probably get the old behavior back by creating an admin client (via
> `knife client create`) and using that instead of the stock validation
> client. If you do that, though, your entire infrastructure is at risk
> should the alt-validator's private key be compromised.

I believe the error is a 409 but am not connected well enough to
verify that at the moment. I'm not as concerned about security because
the entire infrastructure is in a secured area so I'll try the admin
client approach and let you know if that fixes it.

> I'd recommend you investigate some means of giving your nodes unique
> names. If you configure the node_name in client.rb before the node has
> ever registered, you can set any name you want. For example, you could
> name the node as the FQDN plus the boot time with something like this:
>
>  node_name(`hostname -f`.strip + IO.read('/proc/stat')[/^btime ([\d]+$)/,1])

This seems like it'd solve my client creation problem, but then I'd
have a lot of stale clients around (nodes sometimes reboot frequently
to change OS or role). I'm not sure whether that'd cause any issues
with chef, but it'd violate my cleanliness is next to godliness rule
and require yet another process to periodically clean up lingering
bits. I'm hoping to keep the entire structure as simple as possible
with no more moving parts than are necessary.

Thanks for your help,

jbh