On Tue, Apr 26, 2011 at 12:39 PM, Matt Wise <[email protected]> wrote:
>
>
> FWIW, it's because we leverage puppet over the internet to manage cloud
> systems that we really care about this. Had we just been managing internal
> networked systems, this may not be such a big deal. The benefits here though
> are pretty obvious I think...
>
>
Hey Matt,

When we were looking to expand our Puppet installation to cover cloud-based
machines, we experimented with some things around this. When we sat down and
discovered what it would take to get this to happen reliably and
consistently we determined it would create too much complexity. To us, it
just created a situation where there were too many things that could fail.

We opted for a different kind of approach that distributes a copy of our
Puppet repository to new instances and they configure themselves without
using a centralized Puppetmaster. Our machines only get puppetized when they
start up. Since we're deploying in the cloud we find it easier to just
create a new machine with an upgraded configuration and then destroy the old
one. We do have to be careful about controlling state on individual
instances, but we are already doing this because we assume that any instance
can disappear at any time.

It sounds like security is a big part of the reason you are looking to do
this. In a Puppetmasterless environment like ours, we handle security by
removing as much sensitive information from our Puppet repository as
possible and restricting sensitive information in instance-specific data. On
top of this we can tell our instances to destroy as much of their local
repository and instance-specific data as possible when they are done being
configured. This limits what an attacker can gain from one of our computers.

I don't really have much to comment on adding custom data in the certs. It
seems like it would add a lot of complexity that could bite you when you
really need it to work. As someone that was in this same position before, I
thought I would let you know how we solved the problem by changing the way
we configured the machines.

I put up a blog post
<http://blog.controlgroup.com/2011/04/25/configuring-machines-in-the-cloud-our-approach/>
about this the other day that may shed some more light on how we implemented
this. If you do decide to go down the custom data in the certs path I would
like to hear more about how you make that work.

HTH,
Dave
*David Rocamora*  |  VP DevOps  |  *CONTROL GROUP*  |  233 Broadway  |  21st
Floor  |  New York, NY 10279 |  www.controlgroup.com
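A minimal boot-time script in the shape Dave describes (unpack a copy of the repo, `puppet apply` it locally, then destroy the repo copy and the instance-specific data), added here as an example and not Control Group's own code. It assumes the repository arrives as a tarball, instance data is a directory of one-value-per-file facts exposed to Puppet as FACTER_* environment variables, and the PUPPET_CMD override exists only so the run can be exercised with a stub.

```shell
#!/bin/sh
# Masterless Puppet bootstrap: no Puppetmaster, no certs, nothing left on disk.
# Assumptions (not from the original post): repo tarball path in $1, instance
# data directory in $2, `puppet` on PATH unless PUPPET_CMD overrides it.
set -eu

PUPPET_CMD="${PUPPET_CMD:-puppet}"
last_workdir=""   # recorded so a caller can confirm the copy was removed

masterless_run() {
    repo_tarball="$1"
    instance_data="$2"
    workdir="$(mktemp -d)"
    last_workdir="$workdir"

    # Private copy of the repository; never unpack into a shared location.
    tar -xzf "$repo_tarball" -C "$workdir"

    # Each file in the data dir becomes a fact: Facter reads FACTER_<name>
    # from the environment, so nothing instance-specific lands in the repo.
    for f in "$instance_data"/*; do
        [ -f "$f" ] || continue
        export "FACTER_$(basename "$f")=$(cat "$f")"
    done

    # Apply locally. Capture the status so cleanup runs on failure too.
    status=0
    "$PUPPET_CMD" apply --modulepath "$workdir/modules" \
        "$workdir/manifests/site.pp" || status=$?

    # Remove the repo copy and the seed data whatever happened; an attacker
    # landing on the box later finds neither manifests nor instance data.
    # (rm is not a secure erase; on ephemeral cloud disks that is acceptable.)
    rm -rf "$workdir" "$instance_data"
    return "$status"
}

# Stand-alone use: bootstrap.sh /tmp/puppet-repo.tgz /tmp/instance-data
if [ "$#" -eq 2 ]; then
    masterless_run "$1" "$2"
fi
```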
