On 08/24/2013 04:13 PM, Martin Langhoff wrote:
> On Sat, Aug 24, 2013 at 6:33 AM, Félix Barbeira <[email protected]> wrote:
>
> > Speaking in security terms, could a masterless puppet configuration be
> > less secure? I mean, the puppet code is in *all* the clients. On the
> > other hand, the puppet code is only in the master, which I think is
> > more secure (you can isolate it on a restricted VLAN, private
> > network, etc). If the security of one client is vulnerated the
> > hacker gets nothing, otherwise he would be able to read the whole
> > puppet code.
>
> The difference is minimal. The master will happily serve any config to
> any host. The puppet server relies on the self-reported hostname, so a
> compromised host can go "fishing" for configurations.

Only if you use the autosign option. After the certificate is signed, agents report certname and not hostname. In that regard, the puppet master is the safer option, but also less scalable.
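
Added example, not part of the original thread: a small Python audit of the autosign configuration the reply above refers to, reporting when certificate requests would be signed without review. The sample file contents and function names are constructed for illustration; it assumes the Puppet 3.x [master] section and treats any non-boolean autosign value as the path of an allowlist file whose text is passed in.

```python
import re

# Constructed sample inputs (not taken from the thread).
SAMPLE_PUPPET_CONF = "[main]\n  certname = puppet.example.test\n[master]\n  autosign = true\n"
SAMPLE_AUTOSIGN_CONF = "# constructed allowlist\n*.example.test\ndb01.example.test\n*\n"


def autosign_setting(puppet_conf_text):
    """Return the autosign value from [master] (falling back to [main]), or None."""
    section, found = None, {}
    for raw in puppet_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif "=" in line and section in ("main", "master"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "autosign":
                found[section] = value
    return found.get("master", found.get("main"))


def audit(puppet_conf_text, autosign_conf_text=""):
    """List findings about certificate requests being signed without review."""
    value = autosign_setting(puppet_conf_text)
    if value is not None and value.lower() == "true":
        return ["autosign = true: every certificate request is signed unreviewed"]
    if value is not None and value.lower() == "false":
        return []  # every request waits for a manual signing decision
    # Unset or a path (assumption): the allowlist file decides what is auto-signed.
    findings = []
    for raw in autosign_conf_text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if "*" in entry:
            findings.append(f"allowlist glob '{entry}' auto-signs any matching certname")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PUPPET_CONF, SAMPLE_AUTOSIGN_CONF):
        print(finding)
```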
