On 12/22/2011 02:01 AM, Mark Burgess wrote:
> In Puppet, hosts get their view of the world pushed from the "facter"
> which runs on the Puppetmaster, according to my understanding, and so
> they must trust the central point to a much higher degree. Thus the
> poison is sort of poured down their throats without question. This is
> because there is some kind of push-me-pull-you thing going on there with
> the information. That also means there is a lot of traffic on the net
> and a net failure breaks the system.

My understanding is that facter runs on the client. When the client phones home, the server uses the facts provided by the client to produce a catalog from the policy and sends the catalog back to the client. The node then applies the catalog and reports back to the puppet master.

http://puppetlabs.com/wp-content/uploads/2011/09/PL_dataflow_550px.png

So since the catalog is compiled by the puppet master, the node has no choice in the matter. It just gets to hand over some information (facts from facter, which can be used to influence the policy, but the node has no decision-making capability) so the puppet-master can make the decisions, build a catalog and hand it back.

Pete, you might want to go watch/listen to the "CFEngine in a day" videos that you can find on the CFEngine website. You have to register (free) to get to them. It might help you understand some of the thought process behind CFEngine.

In the end, as Mark said, either tool could be compromised and used to hijack your infrastructure. But it also gives you the ability to manage more machines than just logging in directly. Not to mention the self-documenting nature of any config management system, which alone can be worth its weight in gold.

-- 
Nick Anderson <[email protected]>
