Issue #2045 has been updated by Daniel Pittman.

Godefroid Chapelle wrote:

> One of my customers is exactly in the situation described: clients in a DMZ
> that cannot connect to the management segment where my customer would like to
> set up the puppetmaster.
>
> IOW, we currently have to set up the puppetmaster in the DMZ.
>
> Are there chances that work on this issue will happen?

There is absolutely a chance of this; one of the things that we are doing as part of the [Open Source Roadmap][roadmap] is building out features like the static compiler, and working on changing the flow of traffic and messages to help implement new patterns of data flow over the infrastructure.

None of it is likely to be delivered in a "push button" fashion in the short term, though: there is a lot of change required to get to a world where we can use a poll model from the master to fetch facts, or a push model to send catalogs.

Ultimately, it isn't all that high a priority, either - almost every risk that opening the port to the master exposes is also exposed by having the master reach out and contact the client. There is little or no change in actual risk to the model proposed.

[roadmap]: https://projects.puppetlabs.com/projects/puppet/wiki/Road_map

----------------------------------------
Feature #2045: 'Push' functionality in puppetmaster to clients
https://projects.puppetlabs.com/issues/2045#change-56640

Author: Paul Wayper
Status: Accepted
Priority: Normal
Assignee:
Category: network
Target version:
Affected Puppet version: 0.24.7
Keywords: push firewall network
Branch:

In addition to the client puppetd connecting to the puppetmaster and pulling configuration from it, the puppetmaster should also be able to configure clients in 'push' mode where it initiates the connection to the remote client.

This feature solves the problem where the puppetmaster, on the inside of a restrictive firewall, is managing clients that are in the DMZ of or outside the firewall.
In this configuration, the remote puppet client is not able to start a connection to the puppetmaster, but the puppetmaster is capable of starting a connection to the client.

It is preferable in most situations to keep the firewall as closed as possible, and in some network configurations there may be multiple firewalls, load balancers and other devices not in the puppet sysadmin's control that make it difficult to start a connection from the external machine in to the puppetmaster.

--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
