Afternoon all

We are starting to look at using Puppet Network device support in anger, and one of the potential issues that has been raised is around cross-site access...

Currently, we have one Puppet master server, which is hosted in location C. This server is able to access and manage the appropriate network devices in location C.

However there are other devices in locations A and B which we want to be able to manage through Puppet. However some potential concerns have been raised around allowing the puppet master server blanket access to locations A & B...

Is it possible therefore to run the network devices in effectively a 'proxy' mode? That is, we create/nominate a suitable node in locations A and B which would be able to manage network devices in their respective locations, and these nodes then talk back to the Puppet master.

Does this sound sensible?

Any other considerations/ideas as to how the above can be achieved?

Cheers in advance for any responses.

Regards
Gavin

On 21 December 2012 02:40, Gavin Williams <fatmcgav@gmail.com> wrote:
> Is it possible therefore to run the network devices in effectively a
> 'proxy' mode. That is, we create/nominate a suitable node in locations A
> and B which would be able to manage network devices in their respective
> locations, and these nodes then talk back to the Puppet master.

I have no idea how you are achieving the network device configuration but setting up a VPN between the master and locations b and c seems like the best way to do it. That would give you centralised management and security as well. I would suggest using some kind of ssl wrapped vpn like openvpn or ipsec or something like that.

I did find this module on puppet forge for managing openvpn:
https://forge.puppetlabs.com/luxflux/openvpn

Hope that helps.

Pete.

Peter

Cheers for the response.

Network device management is being achieved using Puppet's new 'Network Device' support as part of 3.0...

Site to site connectivity isn't an issue, as we've got a 100Mbps MPLS link between all 3... However it was more about security and the practicality of allowing the Puppet master effectively unlimited access to all sites...

Cheers
Gavin

On 21 December 2012 01:07, Peter Brown <rendhalver@gmail.com> wrote:
> That would give you centralised management and security as well.
> I would suggest using some kind of ssl wrapped vpn like openvpn or ipsec
> or something like that.

Jason Edgecombe
2012-Dec-21 15:17 UTC
Re: [Puppet Users] Remote Network Device management...
What about running a satellite puppet master at each site?

On 12/21/2012 03:57 AM, fatmcgav wrote:
> Site to site connectivity isn't an issue, as we've got a 100Mbps MPLS link
> between all 3... However it was more about security and the practicality of
> allowing the Puppet master effectively unlimited access to all sites...

Gavin Williams
2012-Dec-21 15:20 UTC
Re: [Puppet Users] Remote Network Device management...
That sounds ideal... Might make sense with general node performance etc as well...

Any examples on how to do that?

Cheers
Gavin

Jason Edgecombe
2012-Dec-21 16:12 UTC
Re: [Puppet Users] Remote Network Device management...
Here is a document for running multiple puppet masters:
http://docs.puppetlabs.com/guides/scaling_multiple_masters.html

Have you confirmed that the network device management only runs from the puppet master? As I understand, most of the puppet actions are performed by the puppet agent, which runs on all machines, including the puppet master. The puppet master compiles manifests, handles certificates, serves files and receives reports. The rest usually happens on the agent side.

Jason

Gavin Williams
2012-Dec-21 16:49 UTC
Re: [Puppet Users] Remote Network Device management...
Jason

Cheers for that link.

The 'puppet device' command certainly exists on all puppet nodes. What I'm not sure of is whether there is anything else that it needs to function?

Otherwise, it would be just as easy to nominate a node within each location that has got puppet installed, and use them as the network device management nodes...

One thing I can think of is what happens to the 'network device' configuration if that node fails... Could I re-create everything on another node? Think the SSL certs are stored locally on the node, etc...

Cheers
Gavin

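An added illustration of the per-site management node idea discussed above (not code from the thread or from Puppet): a small Python check that the `device.conf` on a site's nominated node only lists devices inside that site, and flags cleartext transports. The `[name]` / `type` / `url` layout follows Puppet's device.conf format; the device names, addresses, credentials and the 10.1.0.0/16 site A subnet are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: device.conf as it might sit on the site A management node.
SAMPLE_DEVICE_CONF = """\
# devices handled by the site A node
[sw1.site-a.example]
type cisco
url ssh://puppet:secret@10.1.0.11/

[sw2.site-a.example]
type cisco
url telnet://puppet:secret@10.1.0.12/

[core1.site-b.example]
type cisco
url ssh://puppet:secret@10.2.0.1/
"""

# Assumed addressing plan: everything in site A lives in this range.
SITE_A_SUBNETS = [ipaddress.ip_network("10.1.0.0/16")]


def parse_device_conf(text):
    """Return {device_name: {"type": ..., "url": ...}} from device.conf text."""
    devices, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            if current in devices:
                raise ValueError(f"line {lineno}: duplicate device {current!r}")
            devices[current] = {}
            continue
        if current is None:
            raise ValueError(f"line {lineno}: setting outside a [device] section")
        parts = line.split(None, 1)  # "key value", separated by whitespace
        devices[current][parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return devices


def audit(devices, allowed_subnets):
    """Return (device, problem) pairs for entries that break the site boundary."""
    findings = []
    for name, cfg in sorted(devices.items()):
        url = urlsplit(cfg.get("url", ""))
        if url.scheme not in ("ssh", "telnet") or not url.hostname:
            findings.append((name, "missing or unsupported url"))
            continue
        if url.scheme == "telnet":
            findings.append((name, "cleartext transport (telnet)"))
        try:
            addr = ipaddress.ip_address(url.hostname)
        except ValueError:
            # Without resolving names we cannot tell which site the host is in.
            findings.append((name, "host is not an IP literal; cannot check site scope"))
            continue
        if not any(addr in net for net in allowed_subnets):
            findings.append((name, f"{addr} is outside this site's subnets"))
    return findings


if __name__ == "__main__":
    for device, problem in audit(parse_device_conf(SAMPLE_DEVICE_CONF), SITE_A_SUBNETS):
        print(f"{device}: {problem}")
```
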
Jason Edgecombe
2012-Dec-21 17:27 UTC
Re: [Puppet Users] Remote Network Device management...
You're welcome.

I'm still a puppet n00b, so I don't have an answer to all of your questions. I'm using my experience with other tools and patterns to give guidance. It's on my to-do list to migrate from cfengine to puppet.

I recognize the pattern that you want. You have a role or task that must be done, and it doesn't matter who does it, but it should only be done by one node at a time. I have similar needs and I take the easy way out by assigning a static host to do this. I've read about others who use Apache's zookeeper or the noah tool as a global lock to ensure that the task is done by one and only one worker. I plan to look into this once I have more puppet infrastructure in place.

Sincerely,
Jason