Antony Mayi
2011-Apr-15 11:44 UTC
[Puppet Users] multimaster architecture with central report server
Hi,

is there a way how to instruct the master to forward the obtained reports to another master server so we can have one central report server that would be receiving all reports from other masters in individual collocations? the report_server works fine for the master itself but not for the forwarded reports.

I am looking for something similar to the central inventory server as it works greatly for facts but for reports as well.

anyone?

thanks,
Antony
Jason Rojas
2011-Apr-15 17:17 UTC
Re: [Puppet Users] multimaster architecture with central report server
https://github.com/puppetlabs/puppet-dashboard

Check under the "Reporting section", it shows you how to do it for 0.25* and 2.6.*

-Jason

On Fri, Apr 15, 2011 at 4:44 AM, Antony Mayi <antonymayi@yahoo.com> wrote:

> is there a way how to instruct the master to forward the obtained reports
> to another master server so we can have one central report server that would
> be receiving all reports from other masters in individual collocations? the
> report_server works fine for the master itself but not for the forwarded
> reports.
>
> I am looking for something similar to the central inventory server as it
> works greatly for facts but for reports as well.
Ohad Levy
2011-Apr-15 18:42 UTC
Re: [Puppet Users] multimaster architecture with central report server
On Fri, Apr 15, 2011 at 2:44 PM, Antony Mayi <antonymayi@yahoo.com> wrote:

> is there a way how to instruct the master to forward the obtained reports
> to another master server so we can have one central report server that would
> be receiving all reports from other masters in individual collocations? the
> report_server works fine for the master itself but not for the forwarded
> reports.

If you use a tool such as foreman or dashboard, you can simply forward the reports to it.

additionally, afair, you could simply define the report server on the clients and forward to any master.

> I am looking for something similar to the central inventory server as it
> works greatly for facts but for reports as well.

that is built into foreman since almost two years now.

Ohad
Antony Mayi
2011-May-09 14:54 UTC
Re: [Puppet Users] multimaster architecture with central report server
From: Ohad Levy <ohadlevy@gmail.com>
To: puppet-users@googlegroups.com
Sent: Fri, 15 April, 2011 19:42:10
Subject: Re: [Puppet Users] multimaster architecture with central report server

> If you use a tool such as foreman or dashboard, you can simply forward the
> reports to it.

AM: not that simply - how about security? the puppet 8140 traffic is encrypted and mutually authenticated between the agent and master the puppet dashboard - how will you achieve the mutual X509 based authentication between the master and remote dashboard?

> additionally, afair, you could simply define the report server on the
> clients and forward to any master.

AM: not if the clients can talk only to the master and not to the remote dashboard

>> I am looking for something similar to the central inventory server as it
>> works greatly for facts but for reports as well.
>
> that is built into foreman since almost two years now.
>
> Ohad
Ohad Levy
2011-May-09 16:10 UTC
Re: [Puppet Users] multimaster architecture with central report server
On Mon, May 9, 2011 at 5:54 PM, Antony Mayi <antonymayi@yahoo.com> wrote:

> AM: not that simply - how about security? the puppet 8140 traffic is
> encrypted and mutually authenticated between the agent and master the puppet
> dashboard - how will you achieve the mutual X509 based authentication
> between the master and remote dashboard?

simply ensure that https is turned on and ssl verify mode is enforced?

or if you don't have common ca between all of your masters, just turn on ssl, and filter down the allowed hosts to send reports (i.e. only your puppet masters can communicate with foreman/dashboard).

> AM: not if the clients can talk only to the master and not to the remote
> dashboard
Patrick
2011-May-09 16:30 UTC
Re: [Puppet Users] multimaster architecture with central report server
On May 9, 2011, at 9:10 AM, Ohad Levy wrote:

> simply ensure that https is turned on and ssl verify mode is enforced?
> or if you dont have common ca between all of your masters, just turn on ssl, and filter down the allowed hosts to send reports (i.e only your puppet masters can communicate with foreman/dashboard.

Last I checked, puppet can't send reports to an https server. Only to a http server. Has this changed?
Ohad Levy
2011-May-09 16:37 UTC
Re: [Puppet Users] multimaster architecture with central report server
On Mon, May 9, 2011 at 7:30 PM, Patrick <kc7zzv@gmail.com> wrote:

> Last I checked, puppet can't send reports to an https server. Only to a
> http server. Has this changed?

not if you use something like:
https://github.com/ohadlevy/puppet-foreman/blob/master/foreman/files/foreman-report.rb

Ohad
Patrick
2011-May-10 00:30 UTC
Re: [Puppet Users] multimaster architecture with central report server
On May 9, 2011, at 9:37 AM, Ohad Levy wrote:

> not if you use something like:
> https://github.com/ohadlevy/puppet-foreman/blob/master/foreman/files/foreman-report.rb

That's better than what I've seen, still, it looks like the client isn't verifying the server's certificate, and the client's not sending one either, meaning many of the benefits of SSL are gone. Do you know of a way (with code or a link to the right API) that would help with either of those?
Felix Frank
2011-May-10 10:46 UTC
Re: [Puppet Users] multimaster architecture with central report server
On 05/10/2011 02:30 AM, Patrick wrote:

> That's better than what I've seen, still, it looks like he client isn't
> verifying the server's certificate, and the client's not sending one
> either, meaning many of the benefits of SSL are gone. Do you know of a
> way (with code or a link to the right API) that would help with either
> of those?

You might be able to deploy stunnel on your master and each of your clients. It supports certificate validation for both client and server.

The puppet client would use localhost as report server, the structure being:

    puppet client
       |
       | (connect to localhost via HTTP)
       |
    stunnel on client (accept unencrypted)
       |
       | (encrypted, authenticated tunnel = HTTPS)
       |
    stunnel on master (accept encrypted)
       |
       | (connect to localhost via HTTP)
       |
    puppetmaster (accept unencrypted)

If you have multiple clients in a trusted LAN segment, they can even share a single client-side stunnel (which listens for connections from the LAN).

Let me know if this helps.

Cheers,
Felix
Patrick
2011-May-10 17:31 UTC
Re: [Puppet Users] multimaster architecture with central report server
On May 10, 2011, at 3:46 AM, Felix Frank wrote:

> You might be able to deploy stunnel on your master and each of your
> clients. It supports certificate validation for both client and server.
>
> The puppet client would use localhost as report server
>
> If you have multiple clients in a trusted LAN segment, they can even
> share a single client-side stunnel (which listens for connections from
> the LAN).

It's not that bad. Only the other puppetmasters need the tunnel. The clients should NOT have permission to use it.

This isn't quite what I want since it assumes all traffic on 127.0.0.1 is trusted, but better than the alternative.

Thanks for the help.
Ohad Levy
2011-May-10 19:14 UTC
Re: [Puppet Users] multimaster architecture with central report server
On Tue, May 10, 2011 at 3:30 AM, Patrick <kc7zzv@gmail.com> wrote:

> That's better than what I've seen, still, it looks like he client isn't
> verifying the server's certificate, and the client's not sending one either,
> meaning many of the benefits of SSL are gone. Do you know of a way (with
> code or a link to the right API) that would help with either of those?

in order to verify you need to:
1. enable verify mode
2. specify the certs to use

google replied with this example:
http://stackoverflow.com/questions/2507902/how-to-validate-ssl-certificate-chain-in-ruby-with-net-http

which doesn't seem like a lot of work to change the code i pasted above.

Ohad
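The two steps listed in the message above (enable verify mode, specify the certs), together with the client certificate asked about earlier in the thread, shown as an added Ruby example that is not part of the original messages or of foreman-report.rb. The in-memory CA, the host names, the `/reports` path and all function names are constructed for illustration; a real report processor would load its PEM files from disk.

```ruby
require 'net/http'
require 'openssl'
require 'socket'

# Constructed throwaway PKI, generated in memory (stands in for a CA shared by the masters).
# Without issuer: a self-signed CA. With issuer = [cert, key]: a leaf signed by that CA.
def make_cert(cn, issuer: nil, san: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  ca_cert, ca_key = issuer || [cert, key]
  cert.version    = 2
  cert.serial     = rand(1..2**31)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', issuer ? 'CA:FALSE' : 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', san)) if san
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Trust store containing exactly one CA certificate.
def trust_only(ca_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store
end

# Hypothetical stand-in for the central report server: a TLS listener that
# refuses any peer without a certificate issued by ca_cert.
def start_report_server(ca_cert, cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  ctx.cert_store  = trust_only(ca_cert)
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  tcp = TCPServer.new('127.0.0.1', 0)          # port 0: let the OS pick a free port
  tls = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  received = Queue.new
  Thread.new do
    loop do
      begin
        conn = tls.accept                      # handshake runs here and raises on bad client auth
        head = String.new
        head << conn.gets until head.end_with?("\r\n\r\n")
        body = conn.read(head[/^content-length:\s*(\d+)/i, 1].to_i)
        received << [conn.peer_cert.subject.to_s, body]
        conn.write("HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nOK")
        conn.close
      rescue StandardError                     # rejected peer: drop it and keep listening
      end
    end
  end
  [tcp.addr[1], received]
end

# The two steps from the message above on a Net::HTTP client, plus a client certificate.
def send_report(port, body, ca_cert:, cert: nil, key: nil)
  http = Net::HTTP.new('127.0.0.1', port, nil)    # nil: ignore any proxy set in the environment
  http.use_ssl      = true
  http.verify_mode  = OpenSSL::SSL::VERIFY_PEER   # 1. enable verify mode
  http.cert_store   = trust_only(ca_cert)         # 2. specify the certs (or http.ca_file = PEM path)
  http.cert         = cert                        # client certificate the server checks
  http.key          = key
  http.open_timeout = http.read_timeout = 5
  http.post('/reports', body, 'Content-Type' => 'application/x-yaml').code  # placeholder path
rescue OpenSSL::SSL::SSLError, SystemCallError, IOError, Timeout::Error
  :rejected
end

# One accepted sender and three refused ones, all against the same listener.
def demo
  ca       = make_cert('Constructed shared CA')
  other_ca = make_cert('Constructed unrelated CA')
  server   = make_cert('reports.example.test', issuer: ca, san: 'IP:127.0.0.1')
  master   = make_cert('master1.example.test', issuer: ca)
  outsider = make_cert('outsider.example.test', issuer: other_ca)
  port, received = start_report_server(ca[0], *server)
  results = {
    trusted_master: send_report(port, 'report-1', ca_cert: ca[0], cert: master[0], key: master[1]),
    no_client_cert: send_report(port, 'report-2', ca_cert: ca[0]),
    foreign_cert:   send_report(port, 'report-3', ca_cert: ca[0], cert: outsider[0], key: outsider[1]),
    wrong_ca:       send_report(port, 'report-4', ca_cert: other_ca[0], cert: master[0], key: master[1])
  }
  accepted = []
  accepted << received.pop until received.empty?
  [results, accepted]
end

p demo if __FILE__ == $PROGRAM_NAME
```

Only the sender holding a certificate from the shared CA gets its report stored; the server side learns the sender's identity from the verified certificate subject rather than from the source address.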
Patrick
2011-May-10 19:41 UTC
Re: [Puppet Users] multimaster architecture with central report server
On May 10, 2011, at 12:14 PM, Ohad Levy wrote:

> in order to verify you need to:
> 1. enable verify mode
> 2. specify the certs to use
> google replied with this example: http://stackoverflow.com/questions/2507902/how-to-validate-ssl-certificate-chain-in-ruby-with-net-http
>
> which doesnt seem like a lot of work to change the code i pasted above.

Considering my lack of Ruby knowledge that last email wasn't very helpful FOR ME for three reasons:
1) I thought you meant I should use the code verbatim.
2) When I tried Google I didn't find anything which means I must have been using the wrong keywords.
3) When I looked through the official Ruby docs, I got lost and couldn't figure out how the APIs worked.

With the addition of the link you just sent me I consider your advice very helpful.

Thanks