Hi All,
Recently my company has started hosting more random services in public
clouds to reduce costs, etc, etc. We use Puppet on our in-house servers
to varying degrees, in-house meaning physically located in our offices
or in secure data centres. We want the same level of management for our
cloud servers, more so now that there aren't many of them. I've been
tossing around pros and cons to various methods and I'd like opinions on
what everyone else does. So here's what methods I see as doable and the
problems I have with them.
First and favourite is to put a mirror Puppet Master out on the Internet
with all our modules and manifests. Our cloud servers are "just in
another data centre", which is a nice way of thinking of them. We can
re-use a lot of our existing modules for these servers. My biggest
problem with this, and maybe I'm too paranoid, is that our internal
modules and manifests are a map to how our systems are configured -
possible versions of software, user accounts, maybe some ugly hard coded
passwords in some config files here and there. If someone got into the
cloud hosted Puppet Master, they've got a lot of information on what
we're doing.
The best counter I have to this is to use Hiera to get sensitive
information out of modules, smart and secure module design, and ... for
me to get over it: we only have a very small public IP footprint, you'd
have to crack the cloud hosted Puppet Master to read the modules and
manifests, the "sensitive material" problem is probably not as big as
you're making it out to be, Luke, your cloud servers are as secure as
you make them.
Another option is to allow the Internet to access our internal Puppet
Master. Immediately solves the problem of not hosting our modules and
manifests off site, so I feel warmer and fuzzier. Puts the security
focus on Puppet itself, and it's cert based security - if you manage to
impersonate a Puppet agent you could potentially discover a lot. Could
go further and manage per IP firewall rules but that will get annoying.
I could push pre-compiled catalogs to external servers. It's a little
bit more fiddly to get the facts down from the cloud server and push up
the manifest file but it wouldn't be too difficult to automate. Biggest
problem is we make a lot of use of the Puppet file server (puppet:///)
and we would need to allow Internet access to this for a lot of our
modules to work, or we'd need to rewrite them. The configuration and
definition of nodes is entirely internal so no xenophobic worries about
having our system configuration out on the big bad Internet.
We could have a completely separate set of modules and manifests for our
cloud servers. It would be a bit of work, but not as bad as you'd think as
a lot of modules could simply be copied from the internal set and some
would never be used externally so aren't applicable. My biggest problem
is this creates a massive internal-external divide that could stifle the
use of cloud technologies to replace internal services.
I'd be very interested in knowing what other people are doing in similar
situations.
Thanks,
-Luke
--
Luke Bigum
Information Systems
luke.bi...@lmax.com | http://www.lmax.com
LMAX, Yellow Building, 1A Nicholas Road, London W11 4AN
--
You received this message because you are subscribed to the Google Groups "Puppet
Users" group.
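The following is an added illustration of the "use Hiera to get sensitive information out of modules" idea raised in the post above. It is example code written for this page, not Luke's or LMAX's own manifests; the module name `myapp`, the key names, the file paths and the sample values are all assumptions. It shows a class that hard-codes a database password beside the same class with the credential pulled from Hiera, so the module tree that would sit on a public-facing Puppet master carries key names but no secrets.

```puppet
# BEFORE (assumed example): the credential lives inside the module, so anyone
# who can read the module tree off the Puppet master reads the password.
class myapp::config_hardcoded {
  file { '/etc/myapp/db.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'myapp',
    mode    => '0640',
    content => "db_host=db1.internal\ndb_user=myapp\ndb_pass=s3cret\n",
  }
}

# AFTER (assumed example): the module only knows the key names. The values come
# from Hiera data on the master, which is kept outside the module tree and can
# be encrypted at rest (e.g. hiera-eyaml). hiera() with no default aborts
# catalog compilation when a key is missing, so a node that has no data fails
# loudly instead of silently getting an empty password.
class myapp::config {
  $db_host = hiera('myapp::db_host')
  $db_user = hiera('myapp::db_user')
  $db_pass = hiera('myapp::db_pass')

  file { '/etc/myapp/db.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'myapp',
    mode    => '0640',
    content => "db_host=${db_host}\ndb_user=${db_user}\ndb_pass=${db_pass}\n",
  }
}

# Hiera data that the AFTER class expects (assumed layout; e.g. a per-node file
# such as /etc/puppet/hieradata/nodes/web1.cloud.yaml selected by hiera.yaml):
#
#   myapp::db_host: db1.internal
#   myapp::db_user: myapp
#   myapp::db_pass: s3cret      # with hiera-eyaml this would be an ENC[PKCS7] blob
```

Two caveats worth keeping in mind with this approach. First, Hiera moves the secret out of the version-controlled module tree, but not off the master: the compiled catalog still contains the rendered file content in clear, so the master's catalog cache and the agent that requests it both see the password, and the agent's certificate is what decides who may request that catalog. Second, the data directory and any eyaml private key need the same file permissions and access controls you would give the modules themselves, otherwise the "map of how our systems are configured" has simply moved to a different path on the same host.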