huangmingyou@gmail.com
2011-Dec-09 06:58 UTC
[Puppet Users] a tip, run puppet in client mode in a big datacenter
hi, all

This is a tip for when you run puppet in a big data center. You need to run more than one puppet master, and this is a trouble. And if the puppet master is hacked by a hacker, all clients will be in danger. But running puppet in client mode can resolve these two problems.

The first: the client just downloads the puppet manifest from an FTP or HTTP server over an SSL connection, so only one simple puppet manifest distribution server is needed.

The second: use GPG to sign the puppet manifest, so the client only runs the manifest when the manifest's signature is right. The client will import the GPG public key.

If you have some problem, please ask me.

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Felix Frank
2011-Dec-13 12:36 UTC
Re: [Puppet Users] a tip, run puppet in client mode in a big datacenter
Hi,

On 12/09/2011 07:58 AM, huangmingyou@gmail.com wrote:
> hi,all
> this is a tips, when you run puppet in a big data center. you
> need run more than one puppet master. this is a trouble. and if the

Yes, scaling is not trivial.

> puppet master hacked by hacker. all client will be in danger.

How is this not true for your file servers?

> but run puppet in client mode , can resolve this two problem.
> the first . client just download the puppet manifest from a ftp or
> http server with ssl connect. so ,just only one simple puppet manifest
> distribute server. the second . use the gpg sign the puppet manifest.

Puppet usually authenticates both master and agent, so there is no added security in throwing GPG at it. The catalogue isn't getting any more encrypted or signed than the regular puppet master does.

> so the client only run the manifest when the puppet manifest's sign
> is right. and the client will import the gpg public key.

Again, this is not different from puppet's usual MO.

As for the matter of scaling - what you're describing is essentially masterless operation, which is known to have a number of benefits and some drawbacks.

Cheers,
Felix
Gabriel Filion
2011-Dec-13 19:47 UTC
Re: [Puppet Users] a tip, run puppet in client mode in a big datacenter
On 11-12-13 07:36 AM, Felix Frank wrote:
> Puppet usually authenticates both master and agent, so there is no added
> security in throwing GPG at it.
> The catalogue isn't getting any more encrypted or signed than the
> regular puppet master does.

Actually, the benefit could be that the GPG key, being off of the puppet master, ensures an external validation of the catalog content.

But for the rest, it sounds like it's just a manual deconstruction of the puppetmaster-puppetclient model.

-- 
Gabriel Filion
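The workflow the first post describes (fetch the manifest over TLS, verify a GPG signature, apply only when the signature is good), written out as an added shell example; it is not code from this thread or from the Puppet project. It also makes Gabriel's point concrete: the verification key sits in a dedicated keyring on the agent and its fingerprint is pinned, so the distribution server holds no private key and a compromised server cannot produce an acceptable bundle. Everything specific is an assumption: the server URL, the CA file, the keyring path, the placeholder fingerprint, and the bundle layout (a `site.tar.gz` containing `manifests/site.pp` and `modules/`).

```shell
#!/bin/sh
# Added example (not from the thread): masterless Puppet agent that applies a
# manifest bundle only after pinned-key GPG verification.
# Assumed locations below; SIGNING_FPR is a placeholder, not a real key.
MANIFEST_URL="${MANIFEST_URL:-https://manifests.example.internal/puppet}"   # assumed server
CA_CERT="${CA_CERT:-/etc/puppet/manifest-server-ca.pem}"                   # assumed CA bundle
KEYRING="${KEYRING:-/etc/puppet/manifest-signing.gpg}"                      # assumed keyring (release key only)
SIGNING_FPR="${SIGNING_FPR:-0000000000000000000000000000000000000000}"      # PLACEHOLDER fingerprint
WORKDIR="${WORKDIR:-/var/lib/puppet/manifest-bundle}"

# gpg_status_ok STATUS_TEXT FINGERPRINT
# Parses "gpg --status-fd" output. Accept only when gpg reported GOODSIG and the
# VALIDSIG line names the pinned fingerprint. A zero exit status from gpg is
# not enough on its own: gpg also exits 0 for a good signature made by any
# other key that happens to be in the keyring.
gpg_status_ok() {
    status="$1"
    fpr="$2"
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $fpr " || return 1
    # Belt and braces: any explicit failure line rejects the bundle.
    if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    return 0
}

# Download bundle and detached signature. --cacert pins the distribution
# server's CA; --fail refuses to store an HTTP error page as the bundle.
fetch_bundle() {
    mkdir -p "$WORKDIR" || return 1
    curl --silent --show-error --fail --cacert "$CA_CERT" \
        -o "$WORKDIR/site.tar.gz" "$MANIFEST_URL/site.tar.gz" || return 1
    curl --silent --show-error --fail --cacert "$CA_CERT" \
        -o "$WORKDIR/site.tar.gz.asc" "$MANIFEST_URL/site.tar.gz.asc" || return 1
}

# Verify against the dedicated keyring only, never root's default ~/.gnupg.
# --status-fd 1 puts the machine-readable result on stdout; human chatter goes to stderr.
verify_bundle() {
    status=$(gpg --batch --no-default-keyring --keyring "$KEYRING" \
                 --status-fd 1 --verify \
                 "$WORKDIR/site.tar.gz.asc" "$WORKDIR/site.tar.gz" 2>/dev/null) || true
    gpg_status_ok "$status" "$SIGNING_FPR"
}

# Unpack into a fresh directory and run puppet in masterless mode.
apply_bundle() {
    rm -rf "$WORKDIR/site" && mkdir -p "$WORKDIR/site" || return 1
    tar -xzf "$WORKDIR/site.tar.gz" -C "$WORKDIR/site" || return 1
    puppet apply --modulepath "$WORKDIR/site/modules" "$WORKDIR/site/manifests/site.pp"
}

main() {
    fetch_bundle || { echo "fetch failed" >&2; return 1; }
    verify_bundle || { echo "signature check failed; refusing to apply" >&2; return 2; }
    apply_bundle
}

# Only run the pipeline when executed under this (assumed) script name, so the
# functions can also be sourced and exercised on their own.
case "${0##*/}" in
    masterless-apply.sh) main "$@" ;;
esac
```

Save as `masterless-apply.sh` and run it from cron on each node. Two points that the thread only hints at: the keyring passed to `--keyring` should contain nothing but the release signing key, and the fingerprint check is what stops a bundle signed by some other imported key from being applied. A signature proves who produced the bundle, not that it is the newest one, so a server that can still serve an older validly signed bundle is a separate problem to think about (for instance by embedding a version in the bundle and refusing to go backwards).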