I have a number of hosts in different locations I want to manage with puppet. Can I set up my Puppet server to be publicly accessible, or is this a horribly bad idea likely to end with a destroyed server?

--
Jon
[[User:ShakataGaNai]] / KJ6FNQ
http://snowulf.com/
http://www.linkedin.com/in/shakataganai
<http://twitter.com/shakataganai>

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
In theory, as long as you are NOT auto-signing certificate requests, this is exactly what the puppet server was designed for. However, you should note that the server is likely to suffer lots of random probing and may be susceptible to performance problems.

On Oct 20, 2011, at 3:13 PM, Jon Davis wrote:
> I have a number of hosts in different locations I want to manage with puppet. Can I set up my Puppet server to be publicly accessible, or is this a horribly bad idea likely to end with a destroyed server?
Hi Jon,

On 10/21/2011 12:13 AM Jon Davis wrote:
> I have a number of hosts in different locations I want to manage with
> puppet. Can I set up my Puppet server to be publicly accessible, or is
> this a horribly bad idea likely to end with a destroyed server?

What about establishing a VPN connection between your remote gateways instead of making your puppetmaster available to the outside world? As long as you don't need native throughput you should be fine using IPsec.

<paranoid>
This way you would also take care of DDoS attacks while preventing any sort of profiling based on the connections made to the puppetmaster. So basically nobody would know about the total number of hosts which might be keeping in sync with your site manifest ;)
</paranoid>

- Jan
Basically, I have a LOT of boxes and I was hoping to avoid having them all VPN'ing in simply to pull config.

As for the paranoid piece: they wouldn't be able to pull anything without being signed already (right?), so unless they intercepted the connection at my datacenter they wouldn't be able to find out. Or maybe I don't understand what is publicly accessible on the Puppet server.

On Thu, Oct 20, 2011 at 16:53, Jan <jan@agetty.de> wrote:
> Hi Jon,
>
> On 10/21/2011 12:13 AM Jon Davis wrote:
> > I have a number of hosts in different locations I want to manage with
> > puppet. Can I set up my Puppet server to be publicly accessible, or is
> > this a horribly bad idea likely to end with a destroyed server?
>
> What about establishing a VPN connection between your remote gateways
> instead of making your puppetmaster available to the outside world? As long
> as you don't need native throughput you should be fine using IPsec.
>
> <paranoid>
> This way you would also take care of DDoS attacks while preventing any sort
> of profiling based on the connections made to the puppetmaster. So basically
> nobody would know about the total number of hosts which might be keeping in
> sync with your site manifest ;)
> </paranoid>
>
> - Jan

--
Jon
[[User:ShakataGaNai]] / KJ6FNQ
http://snowulf.com/
http://www.linkedin.com/in/shakataganai
<http://twitter.com/shakataganai>
On 10/21/2011 02:21 AM Jon Davis wrote:
> Basically, I have a LOT of boxes and I was hoping to avoid having them all
> VPN'ing in simply to pull config.

So that's why I was talking about only connecting your gateways together without placing all your boxes into the same VPN network. Maybe you want to consider installing one master per site. You could let them join a fully autonomous meshed VPN network by using e.g. tinc VPN. This would reduce the overhead produced by network or appliance administration. Certainly, this depends on the number of external sites you're actually dealing with...

> As for the paranoid piece. They wouldn't be able to pull anything without
> being signed already (right?), so unless they intercepted the connection at
> my datacenter they wouldn't be able to find out. Or maybe I don't
> understand what is publicly accessible on Puppet server.

Well, you're right, since nobody would be able to access the application logic of the puppetmaster without mutually authenticating themselves using a valid client certificate (transport layer). Basically I was talking of exposing node connections to the puppetmaster to external transport networks. This might reveal interesting information on your environment to third parties (like the number of connections, the sync interval, but even the number of hosts and IP addresses involved [...]).

Jan
2011/10/21 Brian Gallew <geek@gallew.org>
> In theory, as long as you are NOT auto-signing certificate requests, this
> is exactly what the puppet server was designed for. However, you should
> note that the server is likely to suffer lots of random probing and may be
> susceptible to performance problems.
> [...]

Set up a firewall and restrict the IPs that can access Puppet.

Regards,
Thomas

--
Linux ... enjoy the ride!
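The two controls raised in this thread, Brian's "do not auto-sign certificate requests" and Thomas's "firewall and restrict the IPs", as a worked example. This is added illustration, not code from the thread, from Puppet or from any poster: it checks the effective `autosign` setting in a puppet.conf (the `[master]` section overriding `[main]`, which is how Puppet resolves settings) and turns an allowlist of CIDRs into iptables rules for TCP/8140, the puppetmaster's default port. The function names, file names and all sample addresses are constructed for the example, and the rules are printed rather than applied so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from Puppet itself: two checks a
# defender would run before exposing a puppetmaster. Function names, file
# paths and all sample addresses below are constructed for this example.
#
#   autosign_is_off CONF   exit 0 when puppet.conf does not enable autosigning
#   allowlist_rules FILE   print iptables rules allowing TCP/8140 (the default
#                          puppetmaster port) only from the CIDRs in FILE

# Resolve the effective "autosign" setting: [master] overrides [main].
# Returns 0 when unset or "false" (CSRs wait for "puppet cert sign"),
# 1 when "true" or a path to an autosign.conf (CSRs are signed automatically).
autosign_is_off() {
    conf="$1"
    value=$(awk '
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        /^[ \t]*autosign[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); val[sec] = $0 }
        END { print (("master" in val) ? val["master"] : val["main"]) }
    ' "$conf")
    case "$value" in
        ""|false) return 0 ;;
        *)        return 1 ;;
    esac
}

# Emit firewall rules from an allowlist (one CIDR per line, "#" comments
# allowed). ACCEPT rules come first and the catch-all DROP last: iptables
# stops at the first match, so this order is what makes the allowlist hold.
allowlist_rules() {
    list="$1"
    grep -v '^[[:space:]]*#' "$list" | grep -v '^[[:space:]]*$' |
    while read -r cidr; do
        echo "iptables -A INPUT -p tcp --dport 8140 -s $cidr -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport 8140 -j DROP"
}

# Constructed sample inputs, written to a temp dir so the checks run offline.
TMP=$(mktemp -d)
cat > "$TMP/puppet-manual.conf" <<'EOF'
[main]
logdir = /var/log/puppet
[master]
certname = puppet.example.com
EOF
cat > "$TMP/puppet-autosign-on.conf" <<'EOF'
[main]
logdir = /var/log/puppet
[master]
certname = puppet.example.com
autosign = true
EOF
cat > "$TMP/puppet-autosign-path.conf" <<'EOF'
[main]
autosign = /etc/puppet/autosign.conf
[master]
certname = puppet.example.com
EOF
cat > "$TMP/allowlist.txt" <<'EOF'
# one CIDR per line: constructed example site ranges
192.0.2.0/24
198.51.100.0/24
EOF

# Demo run: report each config and print the generated rules.
for f in puppet-manual.conf puppet-autosign-on.conf puppet-autosign-path.conf; do
    if autosign_is_off "$TMP/$f"; then
        echo "$f: autosign off, CSRs wait for manual signing"
    else
        echo "$f: autosign ENABLED, every CSR would be signed automatically"
    fi
done
allowlist_rules "$TMP/allowlist.txt"
```

The two controls are complementary rather than interchangeable: the firewall decides who can reach the TLS handshake at all, while the CA (with autosigning off) decides which agent ever gets a certificate and can therefore request a catalog. An IP allowlist only works for sites whose egress addresses are stable, which is exactly the case where Jan's gateway-to-gateway VPN would also fit.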