sasepp <samuli.seppa...@gmail.com> writes:

> I apologize if this issue has been discussed earlier. If so, please
> point me to relevant information. Anyways, here it goes...
>
> I plan on deploying Puppet to manage several separate nodes, all of
> which are accessible directly from the Internet. The nodes are
> connected by a VPN (OpenVPN), so they're effectively on the same LAN.
> However, the VPN IP-addresses don't have corresponding DNS names.
> There's currently no internal DNS server I could add the VPN addresses
> to.
>
> So, I've been considering three deployment alternatives (in order of
> preference):
>
> 1) Make puppetmaster available directly on the Internet and let
> clients connect to it directly. There should be no DNS issues with
> this approach.
>
> 2) Sync manifests/modules from a Git repository through the VPN tunnel
> and run puppet locally on each "client". DNS is a non-issue here.
> However, if any one node is compromised, the entire puppet manifest/
> module catalog gets compromised, which makes me a little worried.
I believe that puppetmaster can be asked to statically generate the catalog for each host, and that you can pass that directly to puppet to run. That would reduce this problem from "sync all" to "sync this host's data", and make life less awful, probably. I have not used this facility, but you might find it worth investigating.

Daniel
-- 
✣ Daniel Pittman ✉ dan...@rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
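One way to build the per-host pipeline Daniel points at, as an added example that is not from the thread: it assumes Puppet's `puppet master --compile <certname>` and `puppet apply --catalog <file>` (as in Puppet 2.7/3.x) and a constructed node table mapping certnames to VPN addresses, since the VPN here has no DNS.

```shell
#!/bin/sh
# Hypothetical per-host catalog pipeline (not the thread's code): compile one
# catalog per node on the master, push each node only its own file over the
# VPN, and apply it locally with `puppet apply --catalog`.
set -eu

CATALOG_DIR=${CATALOG_DIR:-/var/lib/puppet/compiled}
# Constructed node table, one "<certname> <vpn-ip>" per line (no DNS on the VPN).
NODE_TABLE=${NODE_TABLE:-/etc/puppet/vpn-nodes.txt}

# Certnames come from the master's certificate list; accept only plain
# hostnames so a crafted name cannot write outside CATALOG_DIR or look like
# a command-line option.
valid_nodename() {
  case "$1" in
    ''|*/*|*..*|.*|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    *) return 0 ;;
  esac
}

catalog_file() { printf '%s/%s.json\n' "$CATALOG_DIR" "$1"; }

# Master side: write the catalog for one node, readable by root only
# (the catalog can carry secrets from the manifests).
compile_catalog() {
  valid_nodename "$1" || { echo "rejecting node name: $1" >&2; return 1; }
  out=$(catalog_file "$1")
  ( umask 077; puppet master --compile "$1" > "$out" )
}

# Master side: each node receives only its own catalog, so a compromised
# node learns nothing about the other nodes' configuration.
push_catalogs() {
  while read -r node ip; do
    valid_nodename "$node" || continue
    scp -q "$(catalog_file "$node")" "root@$ip:/var/lib/puppet/catalog.json"
  done < "$NODE_TABLE"
}

# Node side (e.g. from cron): apply the delivered catalog without any master.
apply_local() { puppet apply --catalog /var/lib/puppet/catalog.json; }

case "${1:-}" in
  compile) compile_catalog "$2" ;;
  push)    push_catalogs ;;
  apply)   apply_local ;;
esac
```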