Hi, I apologize if this issue has been discussed earlier. If so, please point me to relevant information. Anyways, here it goes...

I plan on deploying Puppet to manage several separate nodes, all of which are accessible directly from the Internet. The nodes are connected by a VPN (OpenVPN), so they're effectively on the same LAN. However, the VPN IP-addresses don't have corresponding DNS names. There's currently no internal DNS server I could add the VPN addresses to.

So, I've been considering three deployment alternatives (in order of preference):

1) Make puppetmaster available directly on the Internet and let clients connect to it directly. There should be no DNS issues with this approach.

2) Sync manifests/modules from a Git repository through the VPN tunnel and run puppet locally on each "client". DNS is a non-issue here. However, if any one node is compromised, the entire puppet manifest/module catalog gets compromised, which makes me a little worried.

3) Publish puppetmaster only on the VPN subnet. The VPN addresses don't have DNS names, but syncing /etc/hosts file could help circumvent DNS/certificate issues.

Is puppetmaster secure enough to be published directly on the Internet (1)? Or is it asking for trouble? If not, what do you think about options 2 and 3? What other approaches could I take?

Samuli

-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Gabriel - IP Guys
2010-May-27 14:33 UTC
RE: [Puppet Users] Puppetmaster directly on the Internet
I would suggest to make your puppet master available on the net or via a firewall forwarding, and then configure your puppetmaster/firewall to only accept connections from those IPs that belong to your clients.

I assume your clients all have static IPs, otherwise you would not have floated the internal DNS idea. This works very well for me for a number of services that I have internally, like my email servers.
Michael DeHaan
2010-May-27 16:12 UTC
Re: [Puppet Users] Puppetmaster directly on the Internet
On Thu, May 27, 2010 at 10:33 AM, Gabriel - IP Guys <Gabriel@impactteachers.com> wrote:

> I would suggest to make your puppet master available on the net or via a firewall forwarding, and then configure your puppetmaster/firewall to only accept connections from those IPs that belong to your clients.
>
> I assume your clients all have static IPs, otherwise you would not have floated the internal DNS idea. This works very well for me for a number of services that I have internally, like my email servers.

Probably ok with firewalling. I'd also make sure you turn autosign off, just in case, because otherwise you run a risk of someone connecting and getting the "default" configuration applied to them, even if they don't deserve access to those files. Similar to the "if one node compromised" issue.
Daniel Pittman
2010-May-28 03:25 UTC
Re: [Puppet Users] Puppetmaster directly on the Internet
sasepp <samuli.seppanen@gmail.com> writes:

> I apologize if this issue has been discussed earlier. If so, please point me to relevant information. Anyways, here it goes...
>
> I plan on deploying Puppet to manage several separate nodes, all of which are accessible directly from the Internet. The nodes are connected by a VPN (OpenVPN), so they're effectively on the same LAN. However, the VPN IP-addresses don't have corresponding DNS names. There's currently no internal DNS server I could add the VPN addresses to.
>
> So, I've been considering three deployment alternatives (in order of preference):
>
> 1) Make puppetmaster available directly on the Internet and let clients connect to it directly. There should be no DNS issues with this approach.
>
> 2) Sync manifests/modules from a Git repository through the VPN tunnel and run puppet locally on each "client". DNS is a non-issue here. However, if any one node is compromised, the entire puppet manifest/module catalog gets compromised, which makes me a little worried.

I believe that puppetmaster can be asked to statically generate the catalog for each host, and that you can pass that directly to puppet to run.

That would reduce this problem from "sync all" to "sync this host's data", and make life less awful, probably.

I have not used this facility, but you might find it worth investigating.

Daniel

-- ✣ Daniel Pittman ✉ daniel@rimspace.net ☎ +61 401 155 707 ♽ made with 100 percent post-consumer electrons
Thanks for all your suggestions! Restricting access to managed nodes using iptables occurred to me after sending this post (stupid me). I think that does the trick. If not, I'll try Daniel's approach.

Samuli

On 28 Mag, 06:25, Daniel Pittman <dan...@rimspace.net> wrote:

> I believe that puppetmaster can be asked to statically generate the catalog for each host, and that you can pass that directly to puppet to run.
>
> That would reduce this problem from "sync all" to "sync this host's data", and make life less awful, probably.
>
> I have not used this facility, but you might find it worth investigating.
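The two controls the thread settles on, Gabriel's "only accept connections from your clients' IPs" and Michael's "turn autosign off", combined with the iptables approach Samuli mentions in his follow-up, look like this as an added example. This script is not from the thread or the Puppet project; it generates an iptables-restore fragment that exposes the puppetmaster port (8140/tcp, Puppet's default) only to an allowlist of client sources, and prints a puppet.conf [master] stanza with autosign disabled. The addresses in it are constructed placeholders (the OpenVPN default subnet and an RFC 5737 address), not the poster's real nodes.

```shell
#!/bin/sh
# Added example, not code from the thread or from Puppet itself.
# Generates firewall rules and a puppet.conf stanza; it does not load
# them, so it can be reviewed and run without root.

PUPPET_PORT=8140   # Puppet's default master port

# puppet_fw_rules SOURCE... : print an iptables-restore fragment that
# accepts new connections to the puppetmaster port only from the given
# sources and rejects every other source (tcp-reset so stray agents
# fail fast instead of hanging on a DROP).
puppet_fw_rules() {
    printf '*filter\n'
    for src in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $PUPPET_PORT -s $src -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -p tcp --dport $PUPPET_PORT -j REJECT --reject-with tcp-reset"
    printf 'COMMIT\n'
}

# puppet_master_conf : print a [master] stanza with autosign disabled.
# With autosign off, an unknown host that reaches the port only gets a
# pending certificate request; nothing is applied until an operator has
# checked the request (puppetca --list / --sign on 0.25.x, puppet cert
# on 2.6 and later) and signed it by hand.
puppet_master_conf() {
    cat <<'EOF'
[master]
    autosign = false
EOF
}

# count_accept_rules : number of ACCEPT lines in a ruleset read on stdin,
# a quick sanity check that every allowlisted source produced a rule.
count_accept_rules() {
    grep -c -- '-j ACCEPT'
}

# Constructed allowlist: the VPN subnet plus one public client address.
# Intentionally unquoted so each address becomes its own argument.
ALLOWED="10.8.0.0/24 203.0.113.10"

puppet_fw_rules $ALLOWED > puppet-8140.rules
puppet_master_conf
```

Review `puppet-8140.rules` and then load it with `iptables-restore -n < puppet-8140.rules` (`-n`/`--noflush` appends to the existing chains instead of replacing them). The allowlist and the REJECT rule together cover Gabriel's point; the stanza covers Michael's, so a host that slips past the firewall still cannot pull a catalog without a signed certificate.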