On Sat, Aug 24, 2013 at 6:33 AM, Félix Barbeira <fbarbe...@gmail.com> wrote:

> Speaking in security terms, could a masterless puppet configuration be less
> secure? I mean, the puppet code is in *all* the clients. On the other hand,
> the puppet code is only in the master, which I think is more secure (you
> can isolate it on a restricted VLAN, private network, etc). If the security
> of one client is breached, the hacker gets nothing; otherwise he would be
> able to read the whole puppet code.
>

The difference is minimal. The master will happily serve any config to any
host. The puppet server relies on the self-reported hostname, so a
compromised host can go "fishing" for configurations.

In my git-as-a-master configurations I use ssh to connect to the master.

Yes, all hosts using the same master see the "full" set of configs.

If I ever have a clearly separate security domain of sorts, the plan would be
to set up a separate git master. I think that makes sense too with a puppet
master.

cheers,



m
-- 
 martin.langh...@gmail.com
 -  ask interesting questions
 - don't get distracted with shiny stuff  - working code first
 ~ http://docs.moodle.org/en/User:Martin_Langhoff
