I need to use puppet over the internet for a distributed scenario. I will have 100 pops, with around 5 servers per pop. I will use cloud, VPS and other kinds of services, so my servers will change all the time and the number of servers will probably increase and decrease shortly. I have already seen puppet in action in scenarios like that, used by some companies, but I don't know how they do it. My question is:

How do they secure puppet? The docs say not to expose the puppet master server/service directly on the internet. But in this case firewall/filter ACLs can't be used.

What's the best practice in these cases?

greetings
Sky

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

On 23 February 2011 22:08, Sky <skyshade@gmail.com> wrote:
> I need to use puppet over the internet for a distributed scenario. I will
> have 100 pops, with around 5 servers per pop. I will use cloud, VPS
> and other kinds of services, so my servers will change all the time and
> the number of servers will probably increase and decrease shortly. I have
> already seen puppet in action in scenarios like that, used by some
> companies, but I don't know how they do it. My question is:
>
> How do they secure puppet? The docs say not to expose the puppet master
> server/service directly on the internet. But in this case firewall/filter
> ACLs can't be used.
>
> What's the best practice in these cases?
>
> greetings
> Sky

Exposing non-webrick (unsure about webrick) over the net, e.g. mongrel behind apache, should be as fine as your standard web application. Communication between the master and nodes is secured also.

Thanks for your fast reply Adam,

I believe that is the way, but I wanted to see what you guys are doing. Let's see if we are both right. If someone else share more cases/option about it.

greetings

On Feb 23, 7:14 pm, Adam Gibbins <a...@adamgibbins.com> wrote:
> On 23 February 2011 22:08, Sky <skysh...@gmail.com> wrote:
>
> > I need to use puppet over the internet for a distributed scenario. I will
> > have 100 pops, with around 5 servers per pop. I will use cloud, VPS
> > and other kinds of services, so my servers will change all the time and
> > the number of servers will probably increase and decrease shortly. I have
> > already seen puppet in action in scenarios like that, used by some
> > companies, but I don't know how they do it. My question is:
> >
> > How do they secure puppet? The docs say not to expose the puppet master
> > server/service directly on the internet. But in this case firewall/filter
> > ACLs can't be used.
> >
> > What's the best practice in these cases?
> >
> > greetings
> > Sky
>
> Exposing non-webrick (unsure about webrick) over the net, e.g. mongrel
> behind apache, should be as fine as your standard web application.
> Communication between the master and nodes is secured also.

R.I.Pienaar
2011-Feb-23 22:28 UTC
Re: [Puppet Users] Re: Puppet master exposed on internet
----- Original Message -----
> Thanks for your fast reply Adam,
>
> I believe that is the way, but I wanted to see what you guys are doing.
> Let's see if we are both right. If someone else share more cases/option
> about it.
>
> greetings

I don't believe a formal security audit of the code was done, so in my case, where I am also on the internet, I ensure only my IPs can talk to it. Other than that I trust the openssl libs it uses.

> On Feb 23, 7:14 pm, Adam Gibbins <a...@adamgibbins.com> wrote:
> > On 23 February 2011 22:08, Sky <skysh...@gmail.com> wrote:
> >
> > > I need to use puppet over the internet for a distributed scenario. I will
> > > have 100 pops, with around 5 servers per pop. I will use cloud, VPS
> > > and other kinds of services, so my servers will change all the time and
> > > the number of servers will probably increase and decrease shortly. I have
> > > already seen puppet in action in scenarios like that, used by some
> > > companies, but I don't know how they do it. My question is:
> > >
> > > How do they secure puppet? The docs say not to expose the puppet master
> > > server/service directly on the internet. But in this case firewall/filter
> > > ACLs can't be used.
> > >
> > > What's the best practice in these cases?
> > >
> > > greetings
> > > Sky
> >
> > Exposing non-webrick (unsure about webrick) over the net, e.g. mongrel
> > behind apache, should be as fine as your standard web application.
> > Communication between the master and nodes is secured also.

--
R.I.Pienaar