On Fri, Aug 27, 2010 at 9:21 AM, Mike Devlin <mdev...@aisle10.net> wrote:
> you lose all the reporting functionality, but as long as you get all your
> puppet manifests and files accessible by the servers you want to run puppet
> on (rsync, nfs....whatever), you can just run puppet directly, although it
> now has to compile everything, even if it's not needed, so it's slower to run.
>

There is an additional bit of functionality that you lose in this setup: authentication/least access. In client-server mode, the CA is required to sign the client's cert before that client can connect to the server. This ensures that:

1. Only an authorized client can connect to the puppetmaster and request a catalog.
2. The client only has access to the compiled catalog, not the source code. This means it only has access to the information it needs and nothing else.

> - Mike
>
>
> On Thu, Aug 26, 2010 at 10:04 PM, bonobo <limnsn...@gmail.com> wrote:
>
>> It appears that running a puppet server is essential. In his book
>> "Pulling Strings with Puppet", James Turnbull says:
>>
>> "... the node will request whatever configuration is specified for
>> that node. The master server will then compile and deliver that
>> configuration." [p. 25]
>>
>> Our firewall environment is very restrictive, and there's no way a
>> server on our publicly accessible network will be allowed to initiate
>> a connection to a puppet server on our internal network. (Of course,
>> I could run the puppet server on the publicly accessible network, but
>> you have no idea what a hassle that would be.)
>>
>> Since the configuration is compiled on the server, is it impossible to
>> run puppet without allowing clients to initiate connection to the
>> puppet server?
>>
>> BTW, this seems different from CfEngine. I believe compilation of the
>> configuration occurs on the client, not the server, but I'm not sure.
>>
>> Any information or insight would be appreciated.
>>
>> Thanks