Hi,
due to our company security policy, we cannot allow the agents in the DMZ to pull the config catalog from the puppet master, that sits behind the firewall.
Is there a possibility that the master pushes the configs to the agents instead of the agents pulling it?

thanks,
Alex.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/qA9kiBG6txMJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Stefan Goethals
2012-Sep-10 10:35 UTC
Re: [Puppet Users] push config to agent behind firewall
# puppet kick
http://docs.puppetlabs.com/man/kick.html

Regards,
Stefan.

On Mon, Sep 10, 2012 at 11:30 AM, Alex Greif <alex@greifdesign.net> wrote:
> Hi,
> due to our company security policy, we cannot allow the agents in the DMZ
> to pull the config catalog from the puppet master, that sits behind the
> firewall.
> Is there a possibility that the master pushes the configs to the agents
> instead of the agents pulling it?
>
> thanks,
> Alex.
On Monday, September 10, 2012 5:35:30 AM UTC-5, Stefan Goethals wrote:
> # puppet kick
>
> http://docs.puppetlabs.com/man/kick.html

Puppet kick does not solve the problem, as it only signals the agent to perform a normal run (involving requesting a catalog from the server, which must be avoided).

One possible solution would involve pushing the manifests out to the DMZ, and having machines there periodically run "puppet apply". That's not going to be satisfactory, however, if the needed manifests (which are not necessarily all manifests for the organization) include anything that must not be exposed in the DMZ.

John
Or you could run a second puppetmaster in your DMZ and just push the configs to it in some tricky way when they need updating.
Well that's my plan for a new setup we have planned that requires a similar security setup.

On 10 September 2012 23:55, jcbollinger <John.Bollinger@stjude.org> wrote:
> Puppet kick does not solve the problem, as it only signals the agent to
> perform a normal run (involving requesting a catalog from the server, which
> must be avoided).
>
> One possible solution would involve pushing the manifests out to the DMZ,
> and having machines there periodically run "puppet apply". That's not going
> to be satisfactory, however, if the needed manifests (which are not
> necessarily all manifests for the organization) include anything that must
> not be exposed in the DMZ.
>
> John
Yes, that is a good idea.
With git we can push the repository to the master in the DMZ.
Should be quite simple and secure.

On Tuesday, September 11, 2012 5:02:37 AM UTC+2, Pete wrote:
> Or you could run a second puppetmaster in your DMZ and just push the
> configs to it in some tricky way when they need updating.
> Well that's my plan for a new setup we have planned that requires a
> similar security setup.
On 11 September 2012 17:10, Alex Greif <alex@greifdesign.net> wrote:
> Yes, that is a good idea.
> With git we can push the repository to the master in the DMZ.
> Should be quite simple and secure.

You're welcome. :) Let me know how it goes.
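
The thread's caveat is that whatever is pushed to the DMZ (to nodes running "puppet apply", or to a second master) must contain nothing that may not be exposed there. The following is an added example, not code from any poster in this thread: a shell function that stages only allow-listed modules and fails closed if a deny pattern is found. The directory layout, the dmz.pp file name, the allow-list format and the deny patterns are assumptions.

```shell
#!/bin/sh
# Added example: build a DMZ-safe subset of a Puppet tree before pushing it out.
# Assumed (hypothetical) layout: SRC/manifests/dmz.pp and SRC/modules/<name>/...
# The allow-list file names one module per line; lines starting with '#' are comments.

# Patterns that must never reach the DMZ (constructed; tune to your own policy).
DENY_PATTERN='BEGIN [A-Z ]*PRIVATE KEY|password[[:space:]]*=>'

# stage_dmz_tree SRC DEST ALLOWLIST
# Returns 0 on success, 1 on a bad allow-list entry or a missing module or
# manifest, 2 if a deny pattern is found. DEST is removed on any failure.
stage_dmz_tree() {
    src=$1 dest=$2 allow=$3
    rm -rf "$dest"
    mkdir -p "$dest/modules" "$dest/manifests" || return 1
    # The DMZ gets its own entry manifest, never the organization-wide site.pp.
    cp "$src/manifests/dmz.pp" "$dest/manifests/site.pp" || { rm -rf "$dest"; return 1; }
    while IFS= read -r mod || [ -n "$mod" ]; do
        case $mod in ''|'#'*) continue ;; esac
        # Reject path tricks such as "../secrets" in the allow-list itself.
        case $mod in */*|.*) rm -rf "$dest"; return 1 ;; esac
        if [ ! -d "$src/modules/$mod" ]; then
            rm -rf "$dest"; return 1
        fi
        cp -R "$src/modules/$mod" "$dest/modules/" || { rm -rf "$dest"; return 1; }
    done < "$allow"
    # Fail closed: one hit anywhere in the staged tree discards the whole stage.
    if grep -rEq "$DENY_PATTERN" "$dest"; then
        rm -rf "$dest"
        return 2
    fi
    return 0
}
```

Run it on the internal side and push only the staged directory outward (with git, as suggested in the thread), so the connection is always opened from behind the firewall. DMZ machines then work from that copy, for example with puppet apply --modulepath=<stage>/modules <stage>/manifests/site.pp.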