On 27.09.2012 09:24, Alex Harvey wrote:
> On Thursday, September 27, 2012 9:13:32 AM UTC+10, Pete wrote:
>> Another option would be to put all your puppet code into a git repo
>> and set up each master to pull from a central repo over ssh.
>> That _Should_ be secure enough.
>>
>> I am also curious why you need this sort of setup.
>> Is it for PCI compliance or something similar?
>
> Yeah, that's my plan B.
>
> As I mentioned I am working in a large organisation and the security
> people have a lot of power. A Puppet Master can in principle do a lot
> of damage because you are effectively "root everywhere at once". So
> it's simply unlikely that our security people are going to let a single
> Puppet Master be in control of all these subnets, and the point where it
> is going to get rejected is if I ask for every host on subnet A to be
> allowed to talk to the Puppet Master that lives on subnet Z. Whether
> this is a good or bad security policy could be debated but it's not up
> to me.
>
> An alternative is to have a central repo server as suggested here. I
> could have independent Puppet Masters on all the subnets and that would
> probably satisfy the security requirement. The trouble is I would then
> lose the ability to have a global view of everything. Thus, if I
> wanted, say, a report of all hosts I manage with a special configuration
> of some service, I'll have to log into all the Puppet Masters
> individually to get this information - or write a script to somehow
> extract it from the git repo. So I will have lost one of the key
> benefits of Puppet.

Thanks for clarifying the situation. In this case, emphasizing the
separation of configuration and reporting seems to be necessary.

On the part of the configuration, you'll have a "hole" regardless of
whether you connect to a central master or you clone from a central
repository. In the latter case you could add a verification step on
signed git tags, but that still is only as secure as your private key.
Paranoia can make you do strange things.

On the part of the reporting, you can post the reports from each
puppetmaster to a central dashboard/puppetdb instance and have that
write-only. That again can be made arbitrarily separated by writing out
the reports on the master into a file and sneaker-netting that over to
the reporting server.

Best Regards, David
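The "verification step on signed git tags" David mentions, worked through as an added example (this is not code from the thread, from Puppet, or from any of the posters). It assumes each subnet's master pulls its manifests from a git clone, that release tags are GPG-signed, and that `git verify-tag --raw TAG` is available; that command prints gpg's machine-readable status lines on stderr, and the script parses those rather than trusting the exit code alone, so that a tag is only checked out when the signature is good and the signing key's full fingerprint is on an explicit allow-list. The fingerprints and the sample status output are constructed placeholders.

```python
"""Gate a Puppet code checkout on a verified, pinned git tag signature.

Added example, not code from this thread or from Puppet. It assumes the
masters pull their manifests from a git repository whose release tags are
GPG-signed, and that `git verify-tag --raw TAG` is available (it prints
gpg's status-fd lines on stderr). The key fingerprints below are
constructed placeholders.
"""
import subprocess

# Allow-list of full fingerprints of keys permitted to sign release tags.
# CONSTRUCTED placeholder value; replace with the real release key(s).
ALLOWED_FINGERPRINTS = {
    "0123456789ABCDEF0123456789ABCDEF01234567",
}

# gpg status keywords that mean the signature must not be accepted.
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG",
                   "EXPKEYSIG", "REVKEYSIG"}


def parse_gpg_status(raw):
    """Parse gpg --status-fd lines. Returns (good_sig, fingerprint, problems)."""
    good_sig = False
    fingerprint = None
    problems = []
    for line in raw.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                          # human-readable noise, ignore
        fields = line.split()
        keyword = fields[1] if len(fields) > 1 else ""
        if keyword == "GOODSIG":
            good_sig = True
        elif keyword == "VALIDSIG" and len(fields) > 2:
            fingerprint = fields[2].upper()   # full fingerprint of signing key
        elif keyword in REJECT_KEYWORDS:
            problems.append(keyword)
    return good_sig, fingerprint, problems


def tag_is_trusted(raw, allowed=ALLOWED_FINGERPRINTS):
    """Decide from gpg status output whether a tag may be deployed."""
    good_sig, fingerprint, problems = parse_gpg_status(raw)
    if problems:
        return False, "gpg reported " + ", ".join(problems)
    if not good_sig or fingerprint is None:
        return False, "no good signature found"
    if fingerprint not in allowed:
        return False, "signing key %s is not on the allow-list" % fingerprint
    return True, "signed by allowed key %s" % fingerprint


def verify_and_checkout(tag, repo="."):
    """Run git for real: verify the tag, then check it out only if trusted."""
    proc = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    ok, why = tag_is_trusted(proc.stderr)
    if proc.returncode != 0 or not ok:
        return False, why
    subprocess.run(["git", "-C", repo, "checkout", "--quiet", tag], check=True)
    return True, why


# Constructed sample status output in the shape gpg emits (not real signatures).
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Puppet Release <puppet@example.invalid>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2012-09-27 "
    "1348731600 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
    "[GNUPG:] TRUST_ULTIMATE 0 pgp\n"
)
SAMPLE_BADSIG = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 89ABCDEF01234567 Puppet Release <puppet@example.invalid>\n"
)
# Good signature, but from a key that is not on the allow-list.
SAMPLE_UNLISTED_KEY = SAMPLE_GOOD.replace(
    "0123456789ABCDEF0123456789ABCDEF01234567",
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98")

if __name__ == "__main__":
    import sys
    ok, why = verify_and_checkout(sys.argv[1])
    print("deploy" if ok else "refuse", "-", why)
```

Pinning to fingerprints matters because `git verify-tag` only answers "does some key in this keyring validate the signature"; anyone who can add a key to the master's keyring, or whose key is merely present there, would otherwise pass. As David notes, this still reduces to the secrecy of the signing key, so the private key belongs on the release host or a hardware token, not on the masters doing the pulling.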