On Thursday, September 27, 2012 9:13:32 AM UTC+10, Pete wrote:
>
> Another option would be to put all your puppet code into a git repo
> and set up each master to pull from a central repo over ssh.
> That _Should_ be secure enough.
>
> I am also curious why you need this sort of setup.
> Is it for PCI compliance or something similar?
>
Yeah, that's my plan B.

As I mentioned, I am working in a large organisation and the security people have a lot of power. A Puppet Master can in principle do a lot of damage because you are effectively "root everywhere at once". So it's simply unlikely that our security people are going to let a single Puppet Master be in control of all these subnets, and the point where it is going to get rejected is if I ask for every host on subnet A to be allowed to talk to the Puppet Master that lives on subnet Z. Whether this is a good or bad security policy could be debated, but it's not up to me.

An alternative is to have a central repo server as suggested here. I could have independent Puppet Masters on all the subnets and that would probably satisfy the security requirement. The trouble is I would then lose the ability to have a global view of everything. Thus, if I wanted, say, a report of all hosts I manage with a special configuration of some service, I'd have to log into all the Puppet Masters individually to get this information, or write a script to somehow extract it from the git repo. So I will have lost one of the key benefits of Puppet.
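The layout Pete suggests (one Puppet master per subnet, each pulling from a central git repo over ssh) moves the "root everywhere at once" point from a single master to the central repo, so what each master accepts from that repo deserves a check. Below is an added example, not code from this thread or from the Puppet project, of a per-master sync script that fetches the central branch and only ever fast-forwards onto it: if the central repo's history has been rewritten so that the new head no longer descends from what the master already deployed, the script refuses instead of silently rolling that out to every host on the subnet. The repo URL, the deploy path and the `demo_setup` helper are assumptions for the example; `demo_setup` builds a local bare repo as a constructed stand-in for the ssh-reachable central repo so the script runs offline.

```shell
#!/bin/sh
# Added example: per-master sync of Puppet code from a central git repo.
# In production CENTRAL_REPO is an ssh URL reached with a read-only deploy key
# (hypothetical URL below); for an offline demo point it at a local bare repo.
set -u

CODE_DIR="${CODE_DIR:-/etc/puppet/environments/production}"      # hypothetical path
CENTRAL_REPO="${CENTRAL_REPO:-git@central.example:puppet.git}"   # hypothetical URL
BRANCH="${BRANCH:-production}"

# Fetch the central branch and fast-forward the checkout in $1 (default
# CODE_DIR) onto it. Exit status: 0 synced or already current, 1 git error,
# 2 refused because the remote head does not descend from the deployed commit
# (history on the central repo was rewritten).
sync_puppet_code() {
    dir="${1:-$CODE_DIR}"
    git -C "$dir" fetch --quiet origin "$BRANCH" || return 1
    old=$(git -C "$dir" rev-parse HEAD)
    new=$(git -C "$dir" rev-parse FETCH_HEAD)
    if [ "$old" = "$new" ]; then
        echo "up to date at $old"
        return 0
    fi
    # Ancestor check: the deployed commit must be contained in the new head.
    if ! git -C "$dir" merge-base --is-ancestor "$old" "$new"; then
        echo "REFUSING: $new does not descend from deployed $old (history rewritten?)" >&2
        return 2
    fi
    git -C "$dir" merge --ff-only --quiet "$new" || return 1
    echo "fast-forwarded $old -> $new"
}

# Constructed offline demo: a bare repo stands in for the central repo, an
# "author" clone pushes to it, and "master-a" is one subnet's Puppet master.
# Prints the working directory it created.
demo_setup() {
    work=$(mktemp -d)
    git init --quiet --bare "$work/central.git"
    git clone --quiet "$work/central.git" "$work/author" 2>/dev/null
    git -C "$work/author" -c user.name=demo -c user.email=demo@example.invalid \
        commit --quiet --allow-empty -m "initial manifests"
    git -C "$work/author" branch -M "$BRANCH"
    git -C "$work/author" push --quiet origin "$BRANCH"
    git clone --quiet --branch "$BRANCH" "$work/central.git" "$work/master-a"
    echo "$work"
}
```

Run `sync_puppet_code` from cron on each master with `CODE_DIR` pointing at the environment checkout. The ancestor check is deliberately strict: a legitimate rollback on the central repo should be pushed as a new revert commit (which fast-forwards cleanly) rather than a force-push, so that every master records the change and a rewritten history is always treated as an incident to investigate.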
