I have a test area network that is not routed to the production network because of IP address space re-use between the two networks. I would like the puppetmaster to serve both the production and test area networks. The puppetmaster is on the production network. I understand the puppet to puppetmaster connect to be HTTP using SSL.

Can I somehow setup the puppet clients to use an HTTP CONNECT command to tunnel through a squid proxy on the box that's on both networks to talk with the puppet master?

If not, if I setup the box on both networks as a proxy for puppetmaster in the sense that it would be if I were setting up Mongrel, does that affect the cert signing process when the client connects for the first time?

--
David R. Sowder
Linux Systems Administrator (Software Systems Specialist II)
Office of Information Technology
University of Texas at Arlington
Work: 817-272-1081 davids@uta.edu http://www.uta.edu/
Personal: david@sowder.com http://david.sowder.com/
On Jun 20, 2007, at 3:24 PM, David Sowder wrote:

> I have a test area network that is not routed to the production network
> because of IP address space re-use between the two networks. I would
> like the puppetmaster to serve both the production and test area
> networks. The puppetmaster is on the production network. I understand
> the puppet to puppetmaster connect to be HTTP using SSL.

Yep.

> Can I somehow setup the puppet clients to use an HTTP CONNECT command to
> tunnel through a squid proxy on the box that's on both networks to talk
> with the puppet master?

Um... I doubt it? I don't really know much about http proxies.

> If not, if I setup the box on both networks as a proxy for puppetmaster
> in the sense that it would be if I were setting up Mongrel, does that
> affect the cert signing process when the client connects for the
> first time?

As long as your proxy can handle the ssl for you, or it's between your SSL termination and the puppet master. For instance, you could set up an Apache server as the SSL end point, then have Apache talk to your http proxy and have your proxy talk to the puppet master instances (running Mongrel).

I'm not all that much up on proxies, as I mentioned, but Puppet basically has two modes: Running with webrick, and thus must be an ssl endpoint, or running with mongrel, and thus expects a certain cgi parameter to be set. If you can meet either of those criteria, you should be fine.

--
He is indebted to his memory for his jests and to his imagination for his facts. --Richard Brinsley Sheridan
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
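What an HTTP proxy gets to see when a Ruby HTTPS client tunnels through it with CONNECT, which is the setup asked about above. This is an added example, not part of the thread and not Puppet's code: it uses Ruby's Net::HTTP directly, `puppet.example.test:8140` is a constructed stand-in for the puppetmaster, and the "proxy" is a throwaway listener on 127.0.0.1 that answers 200 and hangs up.

```ruby
require "net/http"
require "socket"

# Constructed names: this host stands in for the puppetmaster and is never
# resolved or contacted; the client only ever connects to the local listener.
MASTER_HOST = "puppet.example.test"
MASTER_PORT = 8140

# Accept one connection, record every header line the client sends before
# the proxy answers, reply as a CONNECT proxy would, then hang up.
def capture_proxy_request
  listener = TCPServer.new("127.0.0.1", 0)
  seen = []
  worker = Thread.new do
    conn = listener.accept
    while (line = conn.gets) && line != "\r\n"
      seen << line.chomp
    end
    conn.write("HTTP/1.1 200 Connection established\r\n\r\n")
    conn.close
  end
  [listener, worker, seen]
end

# Returns the plaintext lines the proxy received from the client.
def what_the_proxy_sees
  listener, worker, seen = capture_proxy_request
  http = Net::HTTP.new(MASTER_HOST, MASTER_PORT, "127.0.0.1", listener.addr[1])
  http.use_ssl = true
  http.open_timeout = 5
  begin
    http.start { |h| h.get("/RPC2") }
  rescue StandardError
    # Expected here: the fake proxy hangs up, so the TLS handshake with the
    # (non-existent) master never completes and no request is ever sent.
  end
  worker.join(5)
  listener.close
  seen
end

puts what_the_proxy_sees if __FILE__ == $PROGRAM_NAME
```

The proxy receives only the CONNECT line with the target host and port; the request path and body travel inside the TLS session, which is negotiated with the far end rather than with the proxy.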
Luke Kanies wrote:

> On Jun 20, 2007, at 3:24 PM, David Sowder wrote:
>> Can I somehow setup the puppet clients to use an HTTP CONNECT command to
>> tunnel through a squid proxy on the box that's on both networks to talk
>> with the puppet master?
>
> Um... I doubt it? I don't really know much about http proxies.

From what I had been able to gather from reading over the docs and searching the wiki before asking here, I thought that would be the answer. I've just taken a first crack at adding this functionality, which seems to work for me. Here's the patch against the Subversion repository. Hopefully it's not too ugly as this is my first attempt at both Ruby and Puppet hacking.

Index: network/xmlrpc/client.rb ==================================================================--- network/xmlrpc/client.rb (revision 2641) +++ network/xmlrpc/client.rb (working copy) @@ -99,7 +99,14 @@ hash[:Path] ||= "/RPC2" hash[:Server] ||= Puppet[:server] hash[:Port] ||= Puppet[:masterport] + hash[:HTTPProxyHost] ||= Puppet[:http_proxy_host] + hash[:HTTPProxyPort] ||= Puppet[:http_proxy_port] + if "none" == hash[:HTTPProxyHost] + hash[:HTTPProxyHost] = nil + hash[:HTTPProxyPort] = nil + end + @puppet_server = hash[:Server] @puppet_port = hash[:Port] @@ -107,8 +114,8 @@ hash[:Server], hash[:Path], hash[:Port], - nil, # proxy_host - nil, # proxy_port + hash[:HTTPProxyHost], # proxy_host + hash[:HTTPProxyPort], # proxy_port nil, # user nil, # password true, # use_ssl Index: configuration.rb ==================================================================--- configuration.rb (revision 2641) +++ configuration.rb (working copy) 
@@ -339,6 +339,11 @@ :mode => 0640, :desc => "Where the puppetd web server logs." }, + :http_proxy_host => ["none", + "The HTTP proxy host to use for outgoing connections. Note: You + may need to use a FQDN for the server hostname when using a proxy."], + :http_proxy_port => [3128, + "The HTTP proxy port to use for outgoing connections"], :server => ["puppet", "The server to which server puppetd should connect"], :ignoreschedules => [false,
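Review bot: In the first client.rb hunk, `hash[:HTTPProxyHost] ||= Puppet[:http_proxy_host]` overwrites an explicit nil passed by the caller with the configured value, so the only way for a caller to disable the proxy for one connection is to pass the string "none". Consider applying the default only when the key is absent (for example `unless hash.include?(:HTTPProxyHost)`), and translating the "none" sentinel to nil once, where the setting is read, so the client constructor never has to compare against a magic string.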
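Review bot: The `:http_proxy_host` description in the configuration.rb hunk never says that the default value "none" means no proxy is used, and `:http_proxy_port` defaults to 3128 even though the client hunk discards the port whenever the host is "none". Document both in the descriptions, e.g. that "none" disables the proxy and that the port is ignored in that case, so the defaults cannot be read as an active proxy on port 3128.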
On Jun 21, 2007, at 2:50 PM, David Sowder wrote:

> From what I had been able to gather from reading over the docs and
> searching the wiki before asking here, I thought that would be the
> answer. I've just taken a first crack at adding this functionality,
> which seems to work for me. Here's the patch against the Subversion
> repository. Hopefully it's not too ugly as this is my first attempt at
> both Ruby and Puppet hacking.

Can you file this as an enhancement request with the attached patch?

Thanks.

--
Hegel was right when he said that we learn from history that man can never learn anything from history. -- George Bernard Shaw
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
Done. http://reductivelabs.com/trac/puppet/ticket/701

On 6/26/07, Luke Kanies <luke@madstop.com> wrote:

> On Jun 21, 2007, at 2:50 PM, David Sowder wrote:
>
> > From what I had been able to gather from reading over the docs and
> > searching the wiki before asking here, I thought that would be the
> > answer. I've just taken a first crack at adding this functionality,
> > which seems to work for me. Here's the patch against the Subversion
> > repository. Hopefully it's not too ugly as this is my first attempt at
> > both Ruby and Puppet hacking.
>
> Can you file this as an enhancement request with the attached patch?
>
> Thanks.
>
> --
> Hegel was right when he said that we learn from history that man can
> never learn anything from history. -- George Bernard Shaw
> ---------------------------------------------------------------------
> Luke Kanies | http://reductivelabs.com | http://madstop.com
>
> _______________________________________________
> Puppet-users mailing list
> Puppet-users@madstop.com
> https://mail.madstop.com/mailman/listinfo/puppet-users

--
David R. Sowder
University of Texas at Arlington
Department of Modern Languages
Language Acquisition Center Supervisor
Work: davids@uta.edu
Personal: david@sowder.com
Lists: davidrsowder@gmail.com
http://david.sowder.com/