On Sat, Aug 24, 2013 at 6:33 AM, Félix Barbeira <[email protected]> wrote:
> Speaking in security terms, could be masterless puppet configuration less
> secure? I mean, the puppet code is in *all* the clients. On the other hand,
> the puppet code is only in the master, which I think is more secure (you
> can isolate it on a restricted VLAN, private network, etc). If the security
> of one client is vulnerated the hacker gets nothing, otherwise he would be
> able to read the whole puppet code.

The difference is minimal. The master will happily serve any config to any host. The puppet server relies on the self-reported hostname, so a compromised host can go "fishing" for configurations.

In my git-as-a-master configurations I use ssh to connect to the master. Yes, all hosts using the same master see the "full" set of configs.

If I ever have a clearly separate security domain of sorts, plan would be to set up a separate git master. I think that makes sense too with a puppet master.

cheers,

m
--
[email protected]
- ask interesting questions
- don't get distracted with shiny stuff - working code first
~ http://docs.moodle.org/en/User:Martin_Langhoff
