The same would apply to customised facts used to provide information
to the puppet master to compile the catalog.

If the facts can be changed then surely this would alter the build.

My customised facts are stored in a root-owned file - I guess for
security you could as well audit that file or lock it down using
SELinux, preventing even root from changing it (though having SELinux
enabled can be an administrative burden for some).

My point is that customised facts via exported variables or a puppet
fact plugin can be changed.



On Mar 13, 7:55 am, Jan Ivar Beddari <[email protected]> wrote:
> On 02. mars 2012 14:15, Daysmen wrote:
>
> > Hi Folks
>
> > To begin with I am looking to deploy a completely new puppet config
> > based on the truth module
> > https://github.com/jordansissel/puppet-examples/tree/master/nodeless-...
>
> Just a general comment of nodeless Puppet and the truth-enforcer design:
> It is a great solution if you know what you are doing.
>
> First, you must really consider what and where is your source of truth,
> security wise. If not you could end up with root at any server in the
> design being able to override its truth to be whatever it wants to. If
> that is ok with you, then please go ahead.
>
> Our Puppet installation is multi-everything, platforms, roles, admins,
> organizational units and so on. A model where each node possibly could
> decide and/or override its truth would not work for us.
>
> -- http://www.uib.no/personer/Jan.Ivar.Beddari

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
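Added example, not part of the original thread or of the truth module: one way to keep classification out of node-controlled facts, as the concern raised above calls for. It assumes a Puppet version that provides the `$trusted` and `$facts` hashes and the `pp_role` certificate extension; the `role` fact name, the `role::*` classes and the role values are hypothetical.

```puppet
# Added example. Assumptions: $trusted/$facts are available, and the
# role::webserver / role::database classes exist (hypothetical names).

# Weak form, shown commented out: 'role' is an ordinary fact. The agent
# sends it with every run, so root on the node can set it to anything
# through a custom fact file, a fact plugin or a FACTER_role variable.
#
#   include "role::${facts['role']}"

# Stronger form: read the role from the node's signed certificate.
# pp_role is requested in the CSR (csr_attributes.yaml) and cannot be
# changed by the node after the CA has signed the certificate.
$role = $trusted['extensions']['pp_role']

case $role {
  'webserver': { include role::webserver }
  'database':  { include role::database }
  default:     {
    # No role in the certificate: refuse to compile rather than fall
    # back to whatever the node reports about itself.
    fail("No trusted role for ${trusted['certname']}")
  }
}

# Detection: surface nodes whose self-reported role disagrees with the
# role bound to their certificate, so the mismatch shows up in reports.
if $facts['role'] and $facts['role'] != $role {
  notify { "role fact '${facts['role']}' differs from trusted role '${role}'":
    loglevel => 'warning',
  }
}
```

With this layout the decision about which role a node gets moves to whoever signs certificates, so CSR review on the CA becomes the control point.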