Thanks for all your suggestions! Restricting access to managed nodes using iptables occurred to me after sending this post (stupid me). I think that does the trick. If not, I'll try Daniel's approach.
Samuli

On 28 May, 06:25, Daniel Pittman <dan...@rimspace.net> wrote:
> sasepp <samuli.seppa...@gmail.com> writes:
>
> > I apologize if this issue has been discussed earlier. If so, please
> > point me to relevant information. Anyways, here it goes...
> >
> > I plan on deploying Puppet to manage several separate nodes, all of
> > which are accessible directly from the Internet. The nodes are
> > connected by a VPN (OpenVPN), so they're effectively on the same LAN.
> > However, the VPN IP-addresses don't have corresponding DNS names.
> > There's currently no internal DNS server I could add the VPN addresses
> > to.
> >
> > So, I've been considering three deployment alternatives (in order of
> > preference):
> >
> > 1) Make puppetmaster available directly on the Internet and let
> > clients connect to it directly. There should be no DNS issues with
> > this approach.
> >
> > 2) Sync manifests/modules from a Git repository through the VPN tunnel
> > and run puppet locally on each "client". DNS is a non-issue here.
> > However, if any one node is compromised, the entire puppet manifest/
> > module catalog gets compromised, which makes me a little worried.
>
> I believe that puppetmaster can be asked to statically generate the catalog
> for each host, and that you can pass that directly to puppet to run.
>
> That would reduce this problem from "sync all" to "sync this host's data", and
> make life less awful, probably.
>
> I have not used this facility, but you might find it worth investigating.
>
> Daniel
>
> --
> ✣ Daniel Pittman ✉ dan...@rimspace.net ☎ +61 401 155 707
> ♽ made with 100 percent post-consumer electrons
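Restricting the puppetmaster port to the VPN-connected nodes with iptables, as an added example that is not part of this thread or of Puppet itself: the script emits an iptables-restore fragment for the master that accepts new connections to port 8140 only when they arrive over the tunnel interface from the VPN subnet, and drops (after rate-limited logging) everything that comes in from the Internet side. The interface name tun0 and the subnet 10.8.0.0/24 are constructed defaults; the function names and the PUPPET chain name are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: build an iptables-restore fragment
# that lets only VPN peers reach the puppetmaster port (8140 by default).
# tun0 and 10.8.0.0/24 are constructed defaults; pass your own as arguments.

# Usage: puppet_firewall_rules [VPN_IF] [VPN_NET] [PORT]
puppet_firewall_rules() {
    vpn_if="${1:-tun0}"
    vpn_net="${2:-10.8.0.0/24}"
    port="${3:-8140}"
    cat <<EOF
*filter
:PUPPET - [0:0]
# Hand every new TCP connection to the puppetmaster port to the PUPPET chain
-A INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW -j PUPPET
# Accept only traffic that arrives over the tunnel interface from the VPN subnet
-A PUPPET -i ${vpn_if} -s ${vpn_net} -j ACCEPT
# Everything else (Internet-side hosts included) is logged, rate-limited, then dropped
-A PUPPET -m limit --limit 5/min -j LOG --log-prefix "puppetmaster-reject: "
-A PUPPET -j DROP
COMMIT
EOF
}

# Sanity-check the fragment before loading it: exactly one ACCEPT rule and a
# terminal DROP in the PUPPET chain, so an edit cannot silently open the port.
# Prints "ok" and returns 0, otherwise prints the problem and returns 1.
check_rules() {
    rules="$(puppet_firewall_rules "$@")"
    accepts=$(printf '%s\n' "$rules" | grep -c -- '^-A PUPPET .* -j ACCEPT$' || true)
    last=$(printf '%s\n' "$rules" | grep -- '^-A PUPPET' | tail -n 1)
    if [ "$accepts" -ne 1 ]; then
        echo "expected one ACCEPT rule in PUPPET chain, found $accepts"
        return 1
    fi
    case "$last" in
        "-A PUPPET -j DROP") echo ok; return 0 ;;
        *) echo "PUPPET chain does not end in DROP"; return 1 ;;
    esac
}
```

Load it on the master with `puppet_firewall_rules | iptables-restore --noflush` (the `--noflush` flag keeps your existing rules and only adds the PUPPET chain and the INPUT jump), and persist it through your distribution's normal iptables save mechanism. On older kernels without the xt_conntrack match, replace `-m conntrack --ctstate NEW` with `-m state --state NEW`. Because the rule matches both the interface and the source subnet, a packet with a spoofed VPN source address arriving on the public interface is still dropped.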