We use something similar. All our servers have the UCE agent  
installed. So we can initiate a puppetd run via UCE when required for
1. Reporting
2. Urgent updates
3. Standard updates.

And UCE is ratified by our security bods. Sure, UCE is clunky, but you  
have to use the tools you've got.

Geoff.

On 3 Apr 2009, at 05:42, Ohad Levy <[email protected]> wrote:

>
>
> On Thu, Apr 2, 2009 at 11:51 AM, chakkerz <[email protected]> wrote:
>
>
> for hosts in `puppetca --list --all | grep ^+ | cut -d ' ' -f 2`
> do
>  ssh $hosts sudo puppetd -vt
> done
>
> sure, I know / do this, but I thought that one of the goals of puppet  
> is to avoid ssh and a for loop....
> but seriously, what happens if ssh doesn't work? ( I mean, usually  
> you need push when something is broken)
>
> or you need to deploy something only on a subset of machines,  
> restart a service, or whatever?
>
>
> but a push architecture is significantly more vulnerable, security-wise...
> on the bright side though, if your central configuration host is
> compromised, it being able to ssh to hosts is the least of your
> worries (why attack individual hosts if you have the master key?)
> why care about the master key when you can simply change the puppet  
> manifest ? ;)
>
>
> Ohad
>
> >

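The ssh-and-for-loop push quoted above, reworked here as an added example. This is not code from Geoff, Ohad or chakkerz, and not part of Puppet itself; it is added to show how that loop can be made to survive the cases Ohad raises: a host whose ssh is broken should neither hang the run nor stop the remaining hosts, and a run should be limited to a subset of hosts. It assumes the 2009-era CLI quoted in the thread, i.e. that puppetca --list --all prints signed certificates as "+ fqdn" and that puppetd -vt performs a single verbose run on the agent. The host list embedded in the script is constructed for offline use and stands in for the real puppetca output; PUSH_CMD and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or the Puppet project. Pushes a
# one-shot puppetd run to signed hosts and tolerates broken ssh on some.
#
# Assumptions: "puppetca --list --all" prints signed certs as "+ fqdn"
# (any other line is a pending or revoked cert and is skipped), and
# "puppetd -vt" performs a single verbose run on the agent.

# Constructed sample of "puppetca --list --all" output for offline use;
# on a real master pipe the command itself into signed_hosts instead.
SAMPLE_CA_LIST='+ web01.example.com
+ web02.example.com
  db01.example.com
+ db02.example.com
- old01.example.com'

# Keep only hosts whose certificate is signed: "+" in column 1.
signed_hosts() {
    awk '$1 == "+" { print $2 }'
}

# Restrict the list to a subset, e.g. '^web' or 'db0[12]'; default is all.
select_hosts() {
    grep -E -- "${1:-.}"
}

# Transport used to reach one host. BatchMode=yes makes ssh fail instead
# of prompting for a password when the key is not accepted, and
# ConnectTimeout bounds a dead host. Set PUSH_CMD to a stub to dry-run.
push_run() {
    host=$1
    # </dev/null keeps ssh from swallowing the rest of the host list
    # that push_all is still reading on stdin.
    ${PUSH_CMD:-ssh -o BatchMode=yes -o ConnectTimeout=10} \
        "$host" sudo puppetd -vt </dev/null
}

# Read hostnames on stdin, run each one, and keep going past failures.
# Prints "ok host" on stdout and "FAIL host" on stderr; returns 1 if any
# host failed, so a wrapper can retry just those.
push_all() {
    failed=0
    while read -r host; do
        [ -n "$host" ] || continue
        if push_run "$host"; then
            echo "ok   $host"
        else
            echo "FAIL $host" >&2
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ]
}

# Entry point on the master: push_subset '^web' pushes to web hosts only;
# with no argument it pushes to every signed host.
push_subset() {
    puppetca --list --all | signed_hosts | select_hosts "${1:-.}" | push_all
}
```

None of this answers Ohad's point that a push path is extra attack surface: the master still holds a key that can sudo on every host. It only makes the loop fail loudly and partially rather than silently and completely.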
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---