in spite of this not actually being a "push" mechanism if it walks like a
duck. It would be nice if the documentation and previous discussions on this
were more clear or, even better, if it's not a "push" then it should be
"redefined" within puppet world. IMHO

On Tue, Feb 15, 2011 at 4:07 PM, Daniel Pittman <dan...@puppetlabs.com> wrote:

> Other people answered other parts of this, but to be totally clear:
>
> 'puppet kick' is *NOT* a push mechanism for puppet.  It is a mechanism
> to trigger the regular, pull-based, puppet run on a specific machine.
>
> In the bigger picture I would strongly suggest you just open the
> single port used for puppet management from the DMZ to the secure
> network, and allow that (and only that) exception.  Alternately,
> establish a second puppet master in the DMZ for use there, and feed it
> catalogs from the same VCS that the internal one uses.
>
> (Personally, I would suggest that opening the port is less security
> auditing overhead than an entire puppet master out in the DMZ, but
> YM(and auditors)MV.)
>
> Daniel
>
> On Tue, Feb 15, 2011 at 13:04, James Louis <jgloui...@gmail.com> wrote:
> > My experience is having "listen = true" in the puppet conf and starting the
> > client with --no-client does prevent the puppet pull. This works for me so
> > that I can issue a puppet kick on the server to only serve changes when I
> > want to.
> >
> > On Tue, Feb 15, 2011 at 2:54 PM, Nan Liu <n...@puppetlabs.com> wrote:
> >>
> >> On Tue, Feb 15, 2011 at 11:21 AM, Kristopher <asciid...@gmail.com> wrote:
> >> > I would like to confirm that the following is not possible:
> >> > I have servers I would like to manage via puppet in my DMZ, I have my
> >> > puppet server in the trusted zone of my network. Due to this
> >> > arrangement (which cannot be changed due to other services running on
> >> > the puppet master) puppet clients cannot initiate a connection with
> >> > the puppet master. So I would like to use puppet on a purely push
> >> > basis using puppet kick.
> >> >
> >> > So I handled the cert signing out of band for a client and set up the
> >> > namespaceauth.conf. The problem is that when I start the client with
> >> > --no-client and --listen it still tries to connect to the puppet server,
> >> > which fails because of the firewall rules. In addition when I asked on
> >> > #puppet I was informed that puppet kick just tells the client to phone
> >> > home by creating a new connection to request its configs.
> >> >
> >> > From all this I came to the conclusion that puppet cannot be used on a
> >> > purely push basis, is this true?  If it is true is it likely to change
> >> > at any point?
> >>
> >> If you do not want the puppet agent to initiate any network connection
> >> to the puppet master, compile the catalog on the master, ship the
> >> catalog and dependent files to the agent, then apply the catalog on
> >> the agent.
> >>
> >> Thanks,
> >>
> >> Nan
> >>
> >> --
> >> You received this message because you are subscribed to the Google
> Groups
> >> "Puppet Users" group.
> >> To post to this group, send email to puppet-users@googlegroups.com.
> >> To unsubscribe from this group, send email to
> >> puppet-users+unsubscr...@googlegroups.com.
> >> For more options, visit this group at
> >> http://groups.google.com/group/puppet-users?hl=en.
> >>
> >
> >
> >
> > --
> > To be is to do = Immanuel Kant
> > To do is to be = Descartes.
> > Do be do be do = Frank Sinatra
> >
>
>
>
> --
> ⎋ Puppet Labs Developer – http://puppetlabs.com
> ✉ Daniel Pittman <dan...@puppetlabs.com>
> ✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
> ♲ Made with 100 percent post-consumer electrons
>


-- 
To be is to do = Immanuel Kant
To do is to be = Descartes.
Do be do be do = Frank Sinatra
