Dmitry V'yal <akam...@gmail.com> writes:
> Evan Hisey wrote:
>>> Regardless of if puppet is intended to manage multiple similar hosts, it is
>>> still useful when you have a smaller number of unique hosts.
>>>
>>> If every host is completely unique then you get some benefits of puppet:
>>>  * you have a single place to review your configuration
>>>  * you can make changes without having to do it by hand
>>>  * puppet checks nothing has changed, and puts it back if something has
>>>
>>> However, I bet that all your hosts are a *lot* more alike than you think:
>>>  * you probably use the same web server (apache, or so), and *mostly* have it
>>>   set up the same way on each machine, right?
>>>  * you probably use the same MTA on most machines
>>>  * you probably use the same log watching and checking stuff on 'em all
>>>  * you probably have similar needs for installing PHP and some extra PHP
>>>   modules, which are usually configured more or less the same.[1]
>>>  * you probably do a bunch of "install mysql, configure like this" stuff the
>>>   same on each host.
>>>
>>
>> You forgot a biggy bonus of puppet, no matter what size you support. I
>> have several small (as in 1-3) groups of very different machines,
>> and with puppet I can rebuild them very quickly when they need to
>> be replaced or upgraded. Doing it by hand takes most of a day or 2.
>
> That's great! And what to do with various passwords, private keys and so on?
> Should I put them in the manifest?

That is a hard call, and there is probably no single answer.

For what it is worth, we decided that this was an acceptable security risk in
some places (database passwords containing unclassified data only), and
unacceptable in others (SSL certificate private keys).

We presently distribute the latter set, the keys, only through manual action,
although you can use puppet-specific restrictions to serve them up safely from
external files.

I hope to have some acceptable solution that keeps both my needs (no manual
setup) and the needs of our auditors (keep things secure) in balance, but
don't presently have one.

        Daniel
-- 
✣ Daniel Pittman            ✉ dan...@rimspace.net            ☎ +61 401 155 707
               ♽ made with 100 percent post-consumer electrons
