You can put a puppet server in the DMZ that you deploy puppet manifest
changes to via SSH, then only allow 8140 access to the DMZ boxes. I
would say shipping catalogs out there is sort of overkill. You can also
make this master use a separate CA, etc. I think a few simple measures
like this would make it as secure as trying to do some esoteric
'ultra-secure' techniques.
On 02/11/2011 01:25 AM, John Warburton wrote:
Curse GW Bush and his 'Axis of Evil' - my Google searches are
contaminated with hits to Korea, and other such fun...
Does anyone have any experiences with puppet in the DMZ they can share?
At my puppet master training (Hi Hunter), it was mentioned some people
compile their catalogs inside, then ship them out to servers in the
DMZ to be applied.
I understand that fine, but we use facts quite a bit to get state
information, so the traditional part of the client/server model where
facts are shipped back from the client to the puppet server is missing.
How do people get around the "common" rule that DMZ servers should not
initiate network connections back to the internal network? Should we
have a puppet server in the DMZ?
Thanks
John
--
You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
--
Joe McDonagh
AIM: YoosingYoonickz
IRC: joe-mac on freenode
"When the going gets weird, the weird turn pro."
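A host firewall for the DMZ puppet master described in the reply above (agents reach it on 8140, manifests arrive by SSH push, the master never opens connections back inside), added here as an example and not from the thread; the subnet and host addresses are assumptions to adjust.

```shell
#!/bin/sh
# Assumed addresses (documentation/private ranges); override via environment.
DMZ_NET="${DMZ_NET:-192.0.2.0/24}"          # assumed DMZ subnet holding the agents
INTERNAL_NET="${INTERNAL_NET:-10.0.0.0/8}"  # assumed internal network
DEPLOY_HOST="${DEPLOY_HOST:-10.0.5.10}"     # assumed internal box that pushes manifests over SSH

# Emit an iptables-restore ruleset for the master in the DMZ:
#  - only DMZ agents may open connections to 8140
#  - only the internal deploy host may SSH in (manifests are pushed, not pulled)
#  - the master may not initiate new connections toward the internal network;
#    attempts are logged so they show up as a detection signal
dmz_puppet_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s ${DMZ_NET} --dport 8140 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -s ${DEPLOY_HOST} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "dmz-puppet-drop: "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d ${INTERNAL_NET} -m conntrack --ctstate NEW -j LOG --log-prefix "dmz-puppet-egress: "
-A OUTPUT -d ${INTERNAL_NET} -m conntrack --ctstate NEW -j DROP
COMMIT
EOF
}

# Sanity check before applying: exactly two inbound ports should be opened.
count_accept_rules() {
    dmz_puppet_rules | grep -c -- '--dport .* -j ACCEPT'
}

# Print the ruleset; on the master, pipe it into "iptables-restore" to apply.
dmz_puppet_rules
```

Replies to the pushed SSH session and to agent requests are covered by the ESTABLISHED,RELATED rules, so the egress drop only blocks connections the master itself would originate.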