On May 10, 2011, at 3:46 AM, Felix Frank wrote:

> On 05/10/2011 02:30 AM, Patrick wrote:
>>
>> On May 9, 2011, at 9:37 AM, Ohad Levy wrote:
>>>
>>> On Mon, May 9, 2011 at 7:30 PM, Patrick <kc7...@gmail.com> wrote:
>>>
>>> On May 9, 2011, at 9:10 AM, Ohad Levy wrote:
>>>>
>>>> On Mon, May 9, 2011 at 5:54 PM, Antony Mayi <antonym...@yahoo.com> wrote:
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* Ohad Levy <ohadl...@gmail.com>
>>>> *To:* puppet-users@googlegroups.com
>>>> *Sent:* Fri, 15 April, 2011 19:42:10
>>>> *Subject:* Re: [Puppet Users] multimaster architecture with central report server
>>>>
>>>> On Fri, Apr 15, 2011 at 2:44 PM, Antony Mayi <antonym...@yahoo.com> wrote:
>>>>
>>>> Hi,
>>>>
>>>> is there a way to instruct the master to forward the obtained reports to another master server so we can have one central report server that would be receiving all reports from other masters in individual collocations? the report_server works fine for the master itself but not for the forwarded reports.
>>>>
>>>> If you use a tool such as foreman or dashboard, you can simply forward the reports to it.
>>>>
>>>> AM: not that simply - how about security? the puppet 8140 traffic is encrypted and mutually authenticated between the agent and master; the puppet dashboard - how will you achieve the mutual X509 based authentication between the master and remote dashboard?
>>>>
>>>> simply ensure that https is turned on and ssl verify mode is enforced?
>>>> or if you don't have a common ca between all of your masters, just turn on ssl, and filter down the allowed hosts to send reports (i.e. only your puppet masters can communicate with foreman/dashboard).
>>>
>>> Last I checked, puppet can't send reports to an https server. Only to a http server. Has this changed?
>>>
>>> not if you use something like:
>>> https://github.com/ohadlevy/puppet-foreman/blob/master/foreman/files/foreman-report.rb
>>
>> That's better than what I've seen, still, it looks like the client isn't verifying the server's certificate, and the client's not sending one either, meaning many of the benefits of SSL are gone. Do you know of a way (with code or a link to the right API) that would help with either of those?
>
> You might be able to deploy stunnel on your master and each of your clients. It supports certificate validation for both client and server.
>
> The puppet client would use localhost as report server, the structure being:
>
>     puppet client
>       |
>       | (connect to localhost via HTTP)
>       |
>     stunnel on client (accept unencrypted)
>       |
>       | (encrypted, authenticated tunnel = HTTPS)
>       |
>     stunnel on master (accept encrypted)
>       |
>       | (connect to localhost via HTTP)
>       |
>     puppetmaster (accept unencrypted)
>
> If you have multiple clients in a trusted LAN segment, they can even share a single client-side stunnel (which listens for connections from the LAN).

It's not that bad. Only the other puppetmasters need the tunnel. The clients should NOT have permission to use it. This isn't quite what I want since it assumes all traffic on 127.0.0.1 is trusted, but better than the alternative. Thanks for the help.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
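As an added illustration (editor's example, not configuration posted by anyone in this thread), here is one way to build the tunnel Felix describes so that both ends verify certificates: the forwarding puppetmaster presents its own Puppet-CA-signed certificate and checks the report server's, and the report server only accepts peers whose certificate is explicitly installed. Hostnames (master-a.example.com, reports.example.com), ports 3001/3443/3000, the `/etc/stunnel/allowed-masters` directory and the Puppet ssldir paths are all assumptions.

```ini
; ===== stunnel.conf on each forwarding puppetmaster (TLS client end) =====
; Re-uses the master's Puppet certificate; assumes ssldir = /var/lib/puppet/ssl
cert   = /var/lib/puppet/ssl/certs/master-a.example.com.pem
key    = /var/lib/puppet/ssl/private_keys/master-a.example.com.pem
CAfile = /var/lib/puppet/ssl/certs/ca.pem
verify = 2                      ; require the server's cert and verify it against CAfile

[report-forward]
client  = yes
accept  = 127.0.0.1:3001        ; plaintext side bound to loopback only, never 0.0.0.0
connect = reports.example.com:3443
; In this master's puppet.conf point the http report processor at the loopback listener:
;   reports   = http
;   reporturl = http://127.0.0.1:3001/reports

; ===== stunnel.conf on the central report server (TLS server end) =====
cert   = /var/lib/puppet/ssl/certs/reports.example.com.pem
key    = /var/lib/puppet/ssl/private_keys/reports.example.com.pem
CAfile = /var/lib/puppet/ssl/certs/ca.pem
; Hashed copies of each allowed master's certificate (populate with c_rehash).
; Agents share the same CA, so verify = 2 alone would let any agent connect;
; verify = 3 additionally requires the peer cert itself to be present here.
CApath = /etc/stunnel/allowed-masters
verify = 3

[report-receive]
accept  = 3443
connect = 127.0.0.1:3000        ; the unencrypted report receiver (assumed: dashboard)
```

The residual weakness Patrick points out remains: any process able to reach 127.0.0.1:3001 on a forwarding master can submit reports through the tunnel, so local access to that listener has to be treated as equivalent to holding the master's certificate.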