It appears that running a puppet server is essential. In his book "Pulling Strings with Puppet", James Turnbull says:

"... the node will request whatever configuration is specified for that node. The master server will then compile and deliver that configuration." [p. 25]

Our firewall environment is very restrictive, and there's no way a server on our publicly accessible network will be allowed to initiate a connection to a puppet server on our internal network. (Of course, I could run the puppet server on the publicly accessible network, but you have no idea what a hassle that would be.)

Since the configuration is compiled on the server, is it impossible to run puppet without allowing clients to initiate connection to the puppet server?

BTW, this seems different from CfEngine. I believe compilation of the configuration occurs on the client, not the server, but I'm not sure.

Any information or insight would be appreciated.

Thanks

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
you lose all the reporting functionality, but as long as you get all your puppet manifests and files accessible by the servers you want to run puppet on (rsync, nfs....whatever), you can just run puppet directly, although it now has to compile everything, even if it's not needed, so it's slower to run.

- Mike

On Thu, Aug 26, 2010 at 10:04 PM, bonobo <limnsnops@gmail.com> wrote:
> It appears that running a puppet server is essential. In his book "Pulling Strings with Puppet", James Turnbull says:
>
> "... the node will request whatever configuration is specified for that node. The master server will then compile and deliver that configuration." [p. 25]
>
> Our firewall environment is very restrictive, and there's no way a server on our publicly accessible network will be allowed to initiate a connection to a puppet server on our internal network. (Of course, I could run the puppet server on the publicly accessible network, but you have no idea what a hassle that would be.)
>
> Since the configuration is compiled on the server, is it impossible to run puppet without allowing clients to initiate connection to the puppet server?
>
> BTW, this seems different from CfEngine. I believe compilation of the configuration occurs on the client, not the server, but I'm not sure.
>
> Any information or insight would be appreciated.
>
> Thanks
On 2010-08-27 04:04, bonobo wrote:
> It appears that running a puppet server is essential. In his book "Pulling Strings with Puppet", James Turnbull says:
>
> "... the node will request whatever configuration is specified for that node. The master server will then compile and deliver that configuration." [p. 25]

Running a Puppet server (puppetmasterd) is only essential if you are running Puppet in its client-server mode. You can also run Puppet in a stand-alone mode, using the 'puppet' executable.

However, then you need some other way of getting the manifests out to the machines, like having the manifests on an NFS server which the managed client mounts, or rsync:ing the manifests from cron, or doing a 'git fetch; git reset --hard origin' from cron.

I use standalone Puppet and distribute my manifests using NFS on two clusters I manage. Works like a charm. And I use standalone Puppet on my laptops as well, but there I do a manual 'git pull' to get updated manifests to the machines (manual is OK in this case, since I only have a few laptops, and I'm the only one who touches those manifests, so I know when I have changed them).

/Bellman
Thank you very much. That was very helpful.

--Bonobo
On Aug 26, 2010, at 10:04 PM, bonobo wrote:
> It appears that running a puppet server is essential. In his book "Pulling Strings with Puppet", James Turnbull says:
>
> "... the node will request whatever configuration is specified for that node. The master server will then compile and deliver that configuration." [p. 25]
>
> Our firewall environment is very restrictive, and there's no way a server on our publicly accessible network will be allowed to initiate a connection to a puppet server on our internal network. (Of course, I could run the puppet server on the publicly accessible network, but you have no idea what a hassle that would be.)
>
> Since the configuration is compiled on the server, is it impossible to run puppet without allowing clients to initiate connection to the puppet server?

We are running puppet in standalone mode on nodes in a setup that does not require punching holes in the firewall. We use rsync to push configuration information to nodes. Our Puppet configurations live on a server running gitosis. As changes are committed by sys admins, gitosis hook scripts move the data along and run rsync.

----------------------
Charles Yeomans
Senior Software Engineer
Dakim, Inc.
charles@dakim.com
On Aug 27, 4:04 am, bonobo <limnsn...@gmail.com> wrote:
> Our firewall environment is very restrictive, and there's no way a server on our publicly accessible network will be allowed to initiate a connection to a puppet server on our internal network.

Another option would be to replicate your puppetmaster into your other networks. We have a similar problem I intend to solve by adding a puppetmaster to my DMZ (without critical internal data, of course).

cheers,
Nikolay
On Fri, Aug 27, 2010 at 9:21 AM, Mike Devlin <mdevlin@aisle10.net> wrote:
> you lose all the reporting functionality, but as long as you get all your puppet manifests and files accessible by the servers you want to run puppet on (rsync, nfs....whatever), you can just run puppet directly, although it now has to compile everything, even if it's not needed, so it's slower to run.

there is an additional bit of functionality that you lose in this setup, authentication/least access.

In client server mode, the CA is required to sign the client's cert before that client can connect to the server. This ensures that:

1. Only an authorized client can connect to the puppetmaster and request a catalog.
2. The client only has access to the compiled catalog, not the source code. This means it only has access to the information it needs and nothing else.

> - Mike
>
> On Thu, Aug 26, 2010 at 10:04 PM, bonobo <limnsnops@gmail.com> wrote:
>> It appears that running a puppet server is essential. In his book "Pulling Strings with Puppet", James Turnbull says:
>>
>> "... the node will request whatever configuration is specified for that node. The master server will then compile and deliver that configuration." [p. 25]
>>
>> Our firewall environment is very restrictive, and there's no way a server on our publicly accessible network will be allowed to initiate a connection to a puppet server on our internal network. (Of course, I could run the puppet server on the publicly accessible network, but you have no idea what a hassle that would be.)
>>
>> Since the configuration is compiled on the server, is it impossible to run puppet without allowing clients to initiate connection to the puppet server?
>>
>> BTW, this seems different from CfEngine. I believe compilation of the configuration occurs on the client, not the server, but I'm not sure.
>>
>> Any information or insight would be appreciated.
>>
>> Thanks
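As an added example, not code from this thread or from Puppet itself: a cron wrapper for the standalone approach Thomas Bellman and Charles Yeomans describe that also answers Dan Bode's point. Without the CA handshake nothing tells the node that the tree it is about to apply is the one the admins pushed, so the wrapper refuses to run unless the tree matches a SHA256SUMS list that reached the node by a separate trusted path. All paths, the SHA256SUMS convention and the lock directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Puppet: a cron wrapper for
# standalone Puppet. The tree arrives by rsync/NFS/git as the thread describes;
# SHA256SUMS is assumed to reach the node by a separate trusted path, because a
# checksum list that rides along with the tree proves nothing. Paths are assumptions.
set -u

MANIFEST_DIR="${MANIFEST_DIR:-/var/lib/puppet-standalone/manifests}"
SUMS_FILE="${SUMS_FILE:-/etc/puppet/SHA256SUMS}"      # not inside the rsynced tree
LOCK_DIR="${LOCK_DIR:-/var/run/puppet-standalone.lock}"
SHA256="${SHA256:-sha256sum}"                         # GNU coreutils; or 'shasum -a 256'

# verify_manifests DIR SUMS: succeed (return 0) only if every file in DIR is
# listed in SUMS with a matching digest and SUMS lists no file DIR lacks.
verify_manifests() {
    dir=$1; sums=$2
    [ -f "$sums" ] || { echo "verify: missing $sums" >&2; return 1; }
    # Digest check: any listed file that is missing or altered fails here.
    (cd "$dir" && $SHA256 --status -c "$sums") || {
        echo "verify: digest mismatch under $dir" >&2; return 1; }
    # Set check: a file that is present but unlisted would be applied
    # without ever having been verified, so the two file sets must match.
    listed=$(awk '{print $2}' "$sums" | sort)
    present=$(cd "$dir" && find . -type f | sed 's|^\./||' | sort)
    [ "$listed" = "$present" ] || { echo "verify: file set differs" >&2; return 1; }
    return 0
}

# apply_manifests DIR: run the verified tree locally (Puppet 2.6+ syntax; the
# thread's bare 'puppet' executable is the older form). --detailed-exitcodes
# makes 2 mean "changes applied" and 4 or 6 mean "resource failures".
apply_manifests() {
    puppet apply --detailed-exitcodes --modulepath "$1/modules" "$1/manifests/site.pp"
}

main() {
    # mkdir is atomic, so two overlapping cron runs cannot both apply.
    mkdir "$LOCK_DIR" 2>/dev/null || { echo "another run is active" >&2; exit 0; }
    trap 'rmdir "$LOCK_DIR"' EXIT
    if verify_manifests "$MANIFEST_DIR" "$SUMS_FILE"; then
        apply_manifests "$MANIFEST_DIR"
    else
        echo "manifest tree failed verification; nothing applied" >&2
        exit 1
    fi
}

# Invoked from cron as: STANDALONE_PUPPET_RUN=1 /usr/local/sbin/puppet-standalone
if [ "${STANDALONE_PUPPET_RUN:-0}" = 1 ]; then main; fi
```

The SHA256SUMS file is produced on the gitosis or NFS side from the same tree (`find . -type f | xargs sha256sum`) and is only worth anything if whoever can rewrite the rsynced tree cannot also rewrite it on the node.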
On Aug 27, 2010, at 11:33 AM, Dan Bode wrote:
> On Fri, Aug 27, 2010 at 9:21 AM, Mike Devlin <mdevlin@aisle10.net> wrote:
> you lose all the reporting functionality, but as long as you get all your puppet manifests and files accessible by the servers you want to run puppet on (rsync, nfs....whatever), you can just run puppet directly, although it now has to compile everything, even if it's not needed, so it's slower to run.
>
> there is an additional bit of functionality that you lose in this setup, authentication/least access.
>
> In client server mode, the CA is required to sign the client's cert before that client can connect to the server. This ensures that:
>
> 1. Only an authorized client can connect to the puppetmaster and request a catalog.
> 2. The client only has access to the compiled catalog, not the source code. This means it only has access to the information it needs and nothing else.

That's almost true. The default access rules allow all authorized clients to access all files that are being served from "files" folders.
On Fri, Aug 27, 2010 at 5:23 PM, Thomas Bellman <bellman@nsc.liu.se> wrote:
> Running a Puppet server (puppetmasterd) is only essential if you are running Puppet in its client-server mode. You can also run Puppet in a stand-alone mode, using the 'puppet' executable.
>
> However, then you need some other way of getting the manifests out to the machines, like having the manifests on an NFS server which the managed client mounts, or rsync:ing the manifests from cron, or doing a 'git fetch; git reset --hard origin' from cron.

Stephen Nelson-Smith wrote an excellent piece on using Git to do just this: http://bitfieldconsulting.com/scaling-puppet-with-git

Regards,
John

--
Bitfield Consulting: we make software that makes things work
http://bitfieldconsulting.com/