HARRIS Jimmy (AXA-Tech-AU) wrote:
> I work at a large financial institution (AXA) and we have a large number
> of DMZs for our partner and internet-facing servers.
>
> The only access to the various DMZs is via SSH and no DMZ-initiated
> connections are allowed back to the internal network. I'd consider
> putting a Puppet server in the DMZ but no communication is allowed
> between DMZs either.
>
> Has anyone tried tunnelling Puppet over SSH? We use this with no
> problems for collecting performance data with Munin but I'd like to hear
> if anyone has tried this with Puppet.
>
> James
James,
I haven''t tried SSH myself, but there shouldn''t be any issues
with the
protocol layer itself.
I've set up a similar situation with multiple master servers running on
different ports...
You may run into issues with the filenames of certificates that puppet
creates, but they should be fairly easy to fix.
Another problem is that there is currently no way to easily say "Pull
files from the same master server you got your configuration from." So,
your manifest will probably have puppet://some.server.com URLs in it,
but you'll connect with puppetd --server localhost.
I get around this now by defining custom facts which you could then
embed in your definitions:
In the client environment:
export FACTER_MASTERPORT=8171
export FACTER_MASTERHOST=localhost
Then, facter will have $masterport and $masterhost as facts, which you
could use in the source attribute of your file resources.
For example:
file { "/etc/syslog.conf":
    # $masterhost and $masterport come from the FACTER_* variables above
    source => "puppet://$masterhost:$masterport/dist/$name"
}
Hope this helps,
--
Jeff McCune
The Ohio State University
Department of Mathematics
Systems Manager
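A concrete way to wire the tunnel and the custom-fact workaround together, as an added example that is not from the thread: an SSH local forward carries the client's connection to the internal master, and the tunnel endpoint is exported as FACTER_* facts so file sources resolve through it. The host names, the gateway and the port 8140/8171 pairing are assumed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. A DMZ client reaches the internal
# puppetmaster only through an SSH local port forward, and the tunnel
# endpoint is exported as FACTER_* facts so manifests that use
# "puppet://$masterhost:$masterport/..." fetch files through the tunnel.
# Hypothetical names: bastion.example.com (SSH gateway),
# puppet.internal.example.com:8140 (master), local port 8171.
set -eu

MASTER_HOST="puppet.internal.example.com"
MASTER_PORT=8140
LOCAL_PORT=8171
JUMP_HOST="bastion.example.com"

# ssh command for the forward: 127.0.0.1:LOCAL_PORT on the DMZ host is
# carried over the SSH session and delivered to the master by the gateway.
# -N no remote command, -f background, ExitOnForwardFailure fails loudly
# instead of letting puppetd run against a dead local port.
tunnel_cmd() {
    printf 'ssh -f -N -o ExitOnForwardFailure=yes -L %s:%s:%s %s\n' \
        "$LOCAL_PORT" "$MASTER_HOST" "$MASTER_PORT" "$JUMP_HOST"
}

# Facter turns FACTER_<name> environment variables into facts, so after
# this the manifest sees $masterhost and $masterport.
export_tunnel_facts() {
    FACTER_MASTERHOST=localhost
    FACTER_MASTERPORT=$LOCAL_PORT
    export FACTER_MASTERHOST FACTER_MASTERPORT
}

# The source URL the file resource from the reply expands to for a given
# file name; confirms the client asks the tunnel, not a hard-coded host.
source_url() {
    printf 'puppet://%s:%s/dist/%s\n' \
        "$FACTER_MASTERHOST" "$FACTER_MASTERPORT" "$1"
}

# Run the client against the tunnel. The client now addresses the master
# as "localhost", which is where the certificate naming issues the reply
# mentions can show up.
run_puppetd() {
    export_tunnel_facts
    puppetd --server localhost --masterport "$LOCAL_PORT" --test
}

if [ "${1:-}" = "run" ]; then
    eval "$(tunnel_cmd)"
    run_puppetd
fi
```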
_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users