How to manage size of inventory.txt?

What are the ways I can manage the size of the inventory.txt file? I sign and destroy a large number of certs for rapidly created and destroyed nodes every day and when systems are destroyed I remove the signed certificate. However, the serial number and tracking information for the issued certificate still exists in the inventory.txt despite the fact the signed certificate no longer exists. This means that over time this file grows exponentially in size.

How is this file created? If I remove it, will Puppet Server regenerate it with only the still-valid certificates on the next request? Would it be recommended that when I remove a certificate I remove the corresponding line in inventory.txt? If it will not regenerate the inventory.txt on the next signing, could I simply restart the Puppet Server process to do the same thing?

Background: without getting too heavily into the specifics of my setup I investigated doing Certificate Revocation Lists with puppet cert clean but it seems a little unwieldy since I would then simply have an ever-expanding CRL and the same problem. If managing the inventory.txt is not an option I can look into this again but after quite a bit of discussion my setup is unusual enough that it's not likely a viable option.

Update: I've discovered the puppet cert reinventory command might be what I need, but it specifically references the Puppet Master. I don't have a Master, but I am running Puppet Server. If this indeed would rebuild the inventory.txt, does the puppetserver need to be restarted or does that only apply to puppetmaster?



Puppet Server and the various 'puppet cert' tools (like 'puppet cert generate') from the command line create the inventory.txt file.

The only time Puppet Server interacts with the inventory.txt file is just after its Certificate Authority service has generated a new certificate. Puppet Server just writes a new entry onto the end of the file for that certificate - with the serial number, validity dates, and Common Name in the certificate subject.

If you remove the inventory.txt file, Puppet Server does not rebuild the inventory.txt file from the content of any certificates which still remain on disk. Puppet Server will just recreate the file and write a new entry into it for a new certificate that it would generate.

'puppet cert reinventory' might be useful for you in that it will rebuild the contents of the inventory.txt file from the certificates that are currently on disk. If you don't need to preserve the full audit trail for certificates that have been previously cleaned out from the CA, this would help reduce the size of the file.

Keep in mind that you might run into race conditions which corrupt the file if you try to remove or alter the contents of the inventory.txt file at the same time that Puppet Server might be trying to create or append a new entry to the inventory.txt file.
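As an added illustration of the pruning the answer describes (this is not Puppet's own code and not what `puppet cert reinventory` does internally), the script below keeps only inventory entries whose Common Name still has a `<cn>.pem` under the CA's `signed/` directory and rewrites the file through a temp file plus rename. The line layout `<hex serial> <not-before> <not-after> /CN=<name>` and the sample entries are assumptions constructed for the example.

```python
import os
import re
import tempfile

# Assumed inventory.txt line layout (not shown in full on the page):
# "<hex serial> <not-before> <not-after> /CN=<common name>", one entry per line.
INVENTORY_LINE = re.compile(
    r"^(?P<serial>0x[0-9a-fA-F]+)\s+(?P<nb>\S+)\s+(?P<na>\S+)\s+/CN=(?P<cn>\S+)$"
)

# Constructed sample inventory: two short-lived nodes, one later cleaned from the CA,
# plus a malformed line to show that unparseable entries are dropped rather than kept.
SAMPLE_INVENTORY = """\
0x0001 2015-03-01T10:00:00UTC 2020-03-01T10:00:00UTC /CN=puppet.example.com
0x0002 2015-03-02T10:00:00UTC 2020-03-02T10:00:00UTC /CN=web-a1b2c3.example.com
0x0003 2015-03-02T11:00:00UTC 2020-03-02T11:00:00UTC /CN=db-d4e5f6.example.com
this line is garbage and should be dropped
"""


def signed_cns(signed_dir):
    """Common Names that still have a <cn>.pem in the CA's signed/ directory."""
    return {f[:-4] for f in os.listdir(signed_dir) if f.endswith(".pem")}


def prune_inventory(text, live_cns):
    """Return (kept_lines, dropped_count), keeping only entries whose CN is still live."""
    kept, dropped = [], 0
    for line in text.splitlines():
        m = INVENTORY_LINE.match(line)
        if m and m.group("cn") in live_cns:
            kept.append(line)
        else:
            dropped += 1
    return kept, dropped


def write_atomically(path, lines):
    """Write via temp file + rename so a reader never sees a half-written inventory."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".inventory.")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp, path)  # atomic on POSIX: old or new file, never a partial one
```

The atomic rename only protects readers from a torn file; an entry Puppet Server appends between the read and the rename would still be lost, so run this while the CA is idle (for example, with Puppet Server stopped).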
