We're about to run a bunch (< 50) of machines scattered around a (physical) town, using a machine with a public IP to recover logs and report. We cannot change this setting: it's a kind of experiment and it will last a few weeks.

Does anyone have experience with safety issues when running a puppet master on a machine with a public IP?
For the log-report part we use ssh to connect to the server, and the idea is to use puppet agent to perform maintenance and tuning.

Thank you!

Alberto

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
On 28 April 2013 19:48, Alberto Besana <alberto.besana@gmail.com> wrote:

> We're about to run a bunch (< 50) of machines scattered around a (physical)
> town, using a machine with a public IP to recover logs and report. We
> cannot change this setting: it's a kind of experiment and it will last a few
> weeks.
>
> Does anyone have experience with safety issues when running a puppet master
> on a machine with a public IP?
> For the log-report part we use ssh to connect to the server, and the idea
> is to use puppet agent to perform maintenance and tuning.

Hi,

I run my puppet master on a public IP. I manage servers in remote datacentres as well as a bunch of virtual machines in the office.

What do you mean by safety issues? Do you mean security? All communication between the node and the master is secured with SSL certificates. A node can't communicate with the puppet master without a signed certificate.

Hope that helps.
Well - as with everything else - there can be security issues where the SSL cert check won't help you: https://puppetlabs.com/security/cve/cve-2013-1640/

So you should definitely be careful - Puppet is very young compared to Apache, OpenSSH and others that have been internet-facing for many, many years (and had their share of security bugs).

I'd probably filter access to puppet based on IP ranges - just to heavily lessen the potential attacking base :)
On Monday 29 April 2013 08:24:35 UTC+2, Klavs Klavsen wrote the following:

> I'd probably filter access to puppet based on IP ranges - just to heavily
> lessen the potential attacking base :)

Exactly. That's what we do with our public-facing puppet master. We explicitly allow agent IPs through the firewall to the master. The master also collects reports from agents in puppet-dashboard, and facts and catalog are stored in PuppetDB.

Regards,
Martijn
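The IP-based filtering recommended in the last two replies, as an added example that is not part of the original thread: a POSIX shell function that prints (but does not apply) iptables commands restricting the puppet master port to an allowlist of agent addresses and logging everything else. Port 8140 is Puppet's default master port; the chain name `PUPPET_AGENTS`, the log prefix and the sample addresses (RFC 5737 documentation ranges) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): print iptables commands that restrict
# the puppet master port to an explicit allowlist of agent addresses.
# Nothing is applied; review the output, then run it as root.

PUPPET_PORT=8140   # Puppet master's default listening port
# Constructed sample agents (RFC 5737 documentation addresses); replace them.
AGENTS="192.0.2.10 192.0.2.11 198.51.100.0/28"

# puppet_fw_rules PORT SOURCE...
# Emits one iptables command per line for IPv4 sources (address or CIDR).
puppet_fw_rules() {
    port=$1
    shift
    # Dedicated chain (name is an assumption) keeps the allowlist in one place.
    echo "iptables -N PUPPET_AGENTS"
    for src in "$@"; do
        case $src in
            ''|*[!0-9./]*)
                # Coarse character check only: rejects hostnames and shell
                # metacharacters so the printed commands are safe to run.
                echo "skipping invalid source: $src" >&2
                continue
                ;;
        esac
        echo "iptables -A PUPPET_AGENTS -s $src -j ACCEPT"
    done
    # Log, then drop, everything not allowlisted: the log line shows who is
    # probing the master from outside the agent ranges.
    echo "iptables -A PUPPET_AGENTS -j LOG --log-prefix 'puppet-denied: '"
    echo "iptables -A PUPPET_AGENTS -j DROP"
    # Hook the chain into INPUT last, once it is fully populated.
    echo "iptables -A INPUT -p tcp --dport $port -j PUPPET_AGENTS"
}

# $AGENTS is intentionally unquoted so each address becomes one argument.
puppet_fw_rules "$PUPPET_PORT" $AGENTS
```

Because the jump is appended to INPUT, an earlier rule that already accepts the port would take precedence; check the existing order with `iptables -S INPUT` before applying.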