In spite of this not actually being a "push" mechanism, if it walks like a duck. It would be nice if the documentation and previous discussions on this were more clear, or even better, if it's not a "push" then it should be "redefined" within puppet world. IMHO

On Tue, Feb 15, 2011 at 4:07 PM, Daniel Pittman <dan...@puppetlabs.com> wrote:
> Other people answered other parts of this, but to be totally clear:
>
> 'puppet kick' is *NOT* a push mechanism for puppet. It is a mechanism
> to trigger the regular, pull-based, puppet run on a specific machine.
>
> In the bigger picture I would strongly suggest you just open the
> single port used for puppet management from the DMZ to the secure
> network, and allow that (and only that) exception. Alternately,
> establish a second puppet master in the DMZ for use there, and feed it
> catalogs from the same VCS that the internal one uses.
>
> (Personally, I would suggest that opening the port is less security
> auditing overhead than an entire puppet master out in the DMZ, but
> YM(and auditors)MV.)
>
> Daniel
>
> On Tue, Feb 15, 2011 at 13:04, James Louis <jgloui...@gmail.com> wrote:
> > My experience is having "listen = true" in the puppet conf and starting the
> > client with --no-client does prevent the puppet pull. This works for me so
> > that I can issue a puppet kick on the server to only serve changes when I
> > want to.
> >
> > On Tue, Feb 15, 2011 at 2:54 PM, Nan Liu <n...@puppetlabs.com> wrote:
> >>
> >> On Tue, Feb 15, 2011 at 11:21 AM, Kristopher <asciid...@gmail.com> wrote:
> >> > I would like to confirm that the following is not possible:
> >> > I have servers I would like to manage via puppet in my DMZ, I have my
> >> > puppet server in the trusted zone of my network. Due to this
> >> > arrangement (which cannot be changed due to other services running on
> >> > the puppet master) puppet clients cannot initiate a connection with
> >> > the puppet master. So I would like to use puppet on a purely push
> >> > basis using puppet kick.
> >> >
> >> > So I handled the cert signing out of band for a client and set up the
> >> > namespaceauth.conf.
> >> > The problem is that when I start the client with --no-client and
> >> > --listen it still tries to connect to the puppet server,
> >> > which fails because of the firewall rules. In addition when I asked on
> >> > #puppet I was informed that puppet kick just tells the client to phone
> >> > home by creating a new connection to request its configs.
> >> >
> >> > From all this I came to the conclusion that puppet cannot be used on a
> >> > purely push basis, is this true? If it is true is it likely to change
> >> > at any point?
> >>
> >> If you do not want the puppet agent to initiate any network connection
> >> to the puppet master, compile the catalog on the master, ship the
> >> catalog and dependent files to the agent, then apply the catalog on
> >> the agent.
> >>
> >> Thanks,
> >>
> >> Nan
> >>
> >> --
> >> You received this message because you are subscribed to the Google Groups
> >> "Puppet Users" group.
> >> To post to this group, send email to puppet-users@googlegroups.com.
> >> To unsubscribe from this group, send email to
> >> puppet-users+unsubscr...@googlegroups.com.
> >> For more options, visit this group at
> >> http://groups.google.com/group/puppet-users?hl=en.
> >
> > --
> > To be is to do = Immanuel Kant
> > To do is to be = Descartes.
> > Do be do be do = Frank Sinatra
>
> --
> ⎋ Puppet Labs Developer – http://puppetlabs.com
> ✉ Daniel Pittman <dan...@puppetlabs.com>
> ✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
> ♲ Made with 100 percent post-consumer electrons

--
To be is to do = Immanuel Kant
To do is to be = Descartes.
Do be do be do = Frank Sinatra