Hi, On Feb 11, 2011, at 07:25, John Warburton wrote:
> Does anyone have any experiences with puppet in the DMZ they can share?
>
> At my puppet master training (Hi Hunter), it was mentioned some people
> compile their catalogs inside, then ship them out to servers in the DMZ to be
> applied.
>
> I understand that fine, but we use facts quite a bit to get state
> information, so the traditional part of the client/server model where facts
> are shipped back from the client to the puppet server is missing.
>
> How do people get around the "common" rule that DMZ servers should not
> initiate network connections back to the internal network? Should we have a
> puppet server in the DMZ?
>

Another approach is to use SSH tunnels. Use autossh to initiate SSH
connections from your puppetmaster to each client. The SSH tunnels open port
8140 on localhost on the client, allowing puppet on the client to tunnel back
to the master. Not the most efficient approach, but easier to implement than
a slave master. I have about 50 DMZ clients running this way.

The gist of the autossh startup would be something like this:

    # one reverse tunnel per DMZ host, each autossh with its own monitor port
    monitorport=20000
    for clientname in $DMZclients; do
        /usr/bin/autossh -M $monitorport -f -R localhost:8140:localhost:8140 -N -n -x $clientname
        monitorport=`expr $monitorport + 10`
    done

Pointing your clients at localhost:8140 can be done in either puppet.conf or
by adding an entry to /etc/hosts.

Cheers,
-Thorsten

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
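The reverse-tunnel setup above means the puppetmaster holds an SSH key that can log in to every DMZ host, so the key should be allowed to do exactly one thing: open the loopback listener on 8140. The script below is an added example, not Thorsten's code: it generates the per-client autossh command (with ExitOnForwardFailure so a stale listener on the DMZ side makes ssh exit and autossh retry, and ServerAliveInterval so a silently dead link is noticed even if the monitor port is filtered), the restricted authorized_keys line for each DMZ host, and the /etc/hosts line that keeps the agent's `server` name equal to a name in the master's certificate rather than pointing it at a bare "localhost". The host names, the `dmz-tunnel` user, the key path and the placeholder public key are assumptions for illustration; the authorized_keys options are from sshd(8) (`restrict` needs OpenSSH 7.2+, `permitlisten` 7.8+), so check them against the OpenSSH version on the DMZ hosts.

```shell
#!/bin/sh
# Added example (not from the original post): generate the master-side autossh
# commands and the DMZ-side key restrictions for a puppet reverse tunnel.
# Hosts, user, key path and public key below are constructed placeholders.

DMZ_CLIENTS="dmz-web1 dmz-web2 dmz-mail1"   # constructed sample host list
MASTER_PORT=8140
TUNNEL_USER=dmz-tunnel                       # assumed unprivileged user on each DMZ host
TUNNEL_KEY=/etc/puppet/dmz_tunnel_key        # assumed private key path on the master
MONITOR_BASE=20000
MONITOR_STEP=10

# monitor_port N -> autossh -M port for the N-th client (0-based). Ports are
# spaced 10 apart because autossh also uses monitor port + 1 as its echo port.
monitor_port() {
    echo $((MONITOR_BASE + $1 * MONITOR_STEP))
}

# tunnel_cmd HOST MONITORPORT -> the autossh invocation for one DMZ host.
#   -R localhost:8140:localhost:8140  sshd on HOST listens on its loopback 8140
#                                     and forwards to the master's loopback 8140
#   -N -n -x                          no remote command, stdin from /dev/null,
#                                     no X11 forwarding
#   ExitOnForwardFailure=yes          if the remote port is already bound, ssh
#                                     exits instead of idling without a tunnel,
#                                     so autossh restarts it
#   ServerAliveInterval=30            detect a dead link even if the autossh
#                                     monitor port is filtered by the DMZ firewall
tunnel_cmd() {
    host=$1
    mport=$2
    cmd="/usr/bin/autossh -M $mport -f -N -n -x -i $TUNNEL_KEY"
    cmd="$cmd -o ExitOnForwardFailure=yes -o ServerAliveInterval=30"
    cmd="$cmd -R localhost:$MASTER_PORT:localhost:$MASTER_PORT $TUNNEL_USER@$host"
    echo "$cmd"
}

# authorized_keys_entry PUBKEY -> line for ~$TUNNEL_USER/.ssh/authorized_keys on
# each DMZ host. "restrict" disables pty, agent/X11 forwarding and all port
# forwarding; "port-forwarding" re-enables only forwarding; permitlisten then
# limits -R to the single loopback listener on 8140; the forced command means
# the key never yields a shell even if someone drops -N.
authorized_keys_entry() {
    echo "restrict,port-forwarding,permitlisten=\"localhost:$MASTER_PORT\",command=\"/bin/false\" $1"
}

# hosts_entry NAME -> /etc/hosts line for the DMZ host. Keep "server = NAME" in
# the agent's puppet.conf so the master's certificate name still matches.
hosts_entry() {
    echo "127.0.0.1 $1"
}

# Dry run: show what would be started on the master and installed on the hosts.
i=0
for client in $DMZ_CLIENTS; do
    echo "# master: $(tunnel_cmd "$client" "$(monitor_port $i)")"
    i=$((i + 1))
done
echo "# each DMZ host, ~$TUNNEL_USER/.ssh/authorized_keys:"
authorized_keys_entry "ssh-ed25519 AAAAexamplepubkey puppetmaster"   # constructed placeholder key
echo "# each DMZ host, /etc/hosts:"
hosts_entry puppet.example.internal                                  # assumed master cert name
```

Run it once on the master to print the commands, then put the tunnel commands in whatever starts autossh at boot and the authorized_keys line on each DMZ host. Because the listener is bound to the DMZ host's loopback and the key can neither open a session nor forward anything else, a compromise of a DMZ host gains only the ability to talk to the master's 8140, which the agent could do anyway.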