If you're using Red Hat/Fedora flavors of Linux, you can use Kanarip's Repository to get mod_passenger and other rubygem rpm repackagings - http://www.kanarip.com/custom/

On 3/15/10 6:14 PM, Christopher Johnston wrote:
Yes, I am aware that by going with mongrel/passenger as it will be handled by mod_ssl. I set up mongrel in my lab today, didn't take much to get going (puppet wiki was VERY helpful). Unfortunately passenger doesn't look to be packaged up other than in a gem (didn't investigate further than a quick check).

I am not sure option 1) would be the best thing for me to use considering I have a very diverse environment that scales out to quite a few datacenters. That seems like it would be a single point of failure for me in the event the SSL server cannot be reached (network outage, power, etc). I run a stateless environment that has a pretty big production dependency on puppet.

I think I may look into option 2) with a CA chain hierarchy (using the wiki centralised puppet infrastructure setup on the wiki). More to come tomorrow if I get stuck!

-Chris



On Mon, Mar 15, 2010 at 11:26 AM, Ohad Levy wrote:

    ssl has nothing to do with mongrel or passenger, as ssl is handled
    in apache (or nginx).

    as far as it goes for SSL, you have two options:
    1. a single CA
    2. CA chain hierarchy.

    the first option is simple, one of your puppetmasters will be your
    CA, and every sign will run on it, you would require it for any
    new certs that are introduced to your setup.

    the second option works as well, and is described at
    http://projects.reductivelabs.com/projects/puppet/wiki/Puppet_Scalability
    under  Centralised_Puppet_Infrastructure

    if you can afford using a single machine for signing your certs, I
    would recommend you going to option 1 (as someone using option 2
    for a few years now).

    Cheers,
    Ohad

    On Mon, Mar 15, 2010 at 11:10 PM, Christopher Johnston wrote:

        I will keep that in mind. Ideally I would like to keep SSL in
        place for security purposes; I was really looking for a quick
        hack/slash to disable SSL for the time being just to get past
        some auth issues.

        Longer term though from a scalability POV, I will in the end
        have over 24-30 puppetmasters across my environment in various
        datacenters so SSL management, redundancy and performance are
        some big concerns.

        What is the preferred approach to handling this?  Seems
        mongrel is the preferred setup? or passenger?

        -Chris


        On Sun, Mar 14, 2010 at 8:16 PM, Trevor Vaughan wrote:


            If you front Puppet with Apache per the Mongrel
            instructions and set the
            SSLCipherSuite to 'NULL' in Apache, then it will turn off
            all encryption.

            Trevor

            On 03/12/2010 05:57 PM, Dan Bode wrote:
            >
            > On Fri, Mar 12, 2010 at 2:53 PM, Christopher Johnston wrote:
            >
            >     Is there a way to disable SSL altogether for testing?
            >
            >
            > I would use the puppet executable for testing/evaluation.
            > It removes the need to even have a server.
            >
            >
            >     -Chris
            >
            >     --
            >     You received this message because you are subscribed to the Google
            >     Groups "Puppet Users" group.
            >     To post to this group, send email to [email protected].
            >     To unsubscribe from this group, send email to [email protected].
            >     For more options, visit this group at
            >     http://groups.google.com/group/puppet-users?hl=en.

            --
            Trevor Vaughan
             Vice President, Onyx Point, Inc.
             email: [email protected]
             phone: 410-541-ONYX (6699)

            -- This account not approved for unencrypted sensitive information --
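Added example, not part of the original thread: the `SSLCipherSuite` setting of `NULL` mentioned above turns off encryption, so a test-lab override of that kind is worth catching before a config reaches production. This Python sketch audits Apache configuration text for cipher strings that still permit NULL encryption; the function names, the simplified cipher-string model and the sample config are constructed for illustration.

```python
import re
# OpenSSL cipher-string keywords that select suites with no encryption.
NULL_KEYWORDS = {"NULL", "ENULL", "COMPLEMENTOFALL"}

def permits_null_encryption(cipher_spec):
    """True if the cipher string can negotiate a NULL-encryption suite."""
    # '!' excludes for good, '-' removes, leading '+' reorders, inner '+' is AND.
    enabled = False
    for token in filter(None, re.split(r"[:, ]+", cipher_spec.strip("\"' "))):
        op = token[0] if token[0] in "!-+" else ""
        name = token[len(op):].upper()
        parts = set(name.split("+"))
        # aNULL (no authentication) is deliberately not matched here.
        is_null = bool(parts & NULL_KEYWORDS) or "NULL-" in name
        whole_class = is_null and len(parts) == 1 and name in NULL_KEYWORDS
        if op == "!" and whole_class:
            return False          # e.g. !eNULL: cannot be re-added later
        if op == "-" and whole_class:
            enabled = False       # removed, but a later token may re-add it
        elif op == "" and is_null:
            enabled = True
    return enabled

def audit_apache_config(text):
    """Return (line_no, vhost, value) for each SSLCipherSuite allowing NULL."""
    findings, vhost = [], "(server config)"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            continue              # commented-out directives are inactive
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            vhost = opened.group(1).strip()
        elif line.lower().startswith("</virtualhost"):
            vhost = "(server config)"
        suite = re.match(r"SSLCipherSuite\s+(.+)", line, re.I)
        if suite and permits_null_encryption(suite.group(1)):
            findings.append((lineno, vhost, suite.group(1).strip()))
    return findings

# Constructed sample: a puppetmaster vhost left with the testing override.
SAMPLE_CONF = """\
<VirtualHost *:8140>
    # SSLCipherSuite HIGH:!aNULL
    SSLCipherSuite NULL
</VirtualHost>
<VirtualHost *:443>
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL
</VirtualHost>
"""
```

Calling `audit_apache_config(SAMPLE_CONF)` reports only the port 8140 vhost; the cipher-string handling covers the common operators and is not a full OpenSSL parser.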