I think you're saying that it's close enough that it shouldn't matter.  In the 
context of this thread, there's a huge difference though.  If the puppet client 
is in a DMZ (and can't connect to the puppetmaster), it needs the catalog to be 
pushed to the client.  Not just the server telling the client to pull the 
config, because the client can't connect to the server since the client is 
locked in the DMZ.

On Feb 15, 2011, at 5:37 PM, James Louis wrote:

> In spite of this not actually being a "push" mechanism, if it walks like a 
> duck. It would be nice if the documentation and previous discussions on this 
> were more clear or, even better, if it's not a "push" then it should be 
> "redefined" within puppet world. IMHO
> 
> On Tue, Feb 15, 2011 at 4:07 PM, Daniel Pittman <dan...@puppetlabs.com> wrote:
> Other people answered other parts of this, but to be totally clear:
> 
> 'puppet kick' is *NOT* a push mechanism for puppet.  It is a mechanism
> to trigger the regular, pull-based, puppet run on a specific machine.
> 
> In the bigger picture I would strongly suggest you just open the
> single port used for puppet management from the DMZ to the secure
> network, and allow that (and only that) exception.  Alternately,
> establish a second puppet master in the DMZ for use there, and feed it
> catalogs from the same VCS that the internal one uses.
> 
> (Personally, I would suggest that opening the port is less security
> auditing overhead than an entire puppet master out in the DMZ, but
> YM(and auditors)MV.)
> 
> Daniel
> 
> On Tue, Feb 15, 2011 at 13:04, James Louis <jgloui...@gmail.com> wrote:
> > My experience is having "listen = true" in the puppet conf and starting the
> > client with --no-client does prevent the puppet pull. This works for me so
> > that I can issue a puppet kick on the server to only serve changes when I
> > want to.
> >
> > On Tue, Feb 15, 2011 at 2:54 PM, Nan Liu <n...@puppetlabs.com> wrote:
> >>
> >> On Tue, Feb 15, 2011 at 11:21 AM, Kristopher <asciid...@gmail.com> wrote:
> >> > I would like to confirm that the following is not possible:
> >> > I have servers I would like to manage via puppet in my DMZ, I have my
> >> > puppet server in the trusted zone of my network. Due to this
> >> > arrangement (which cannot be changed due to other services running on
> >> > the puppet master) puppet clients cannot initiate a connection with
> >> > the puppet master. So I would like to use puppet on a purely push
> >> > basis using puppet kick.
> >> >
> >> > So I handled the cert signing out of band for a client and set up the
> >> > namespaceauth.conf. The problem is that when I start the client with
> >> > --no-client and --listen it still tries to connect to the puppet server,
> >> > which fails because of the firewall rules. In addition when I asked on
> >> > #puppet I was informed that puppet kick just tells the client to phone
> >> > home by creating a new connection to request its configs.
> >> >
> >> > From all this I came to the conclusion that puppet cannot be used on a
> >> > purely push basis, is this true?  If it is true is it likely to change
> >> > at any point?
> >>
> >> If you do not want the puppet agent to initiate any network connection
> >> to the puppet master, compile the catalog on the master, ship the
> >> catalog and dependent files to the agent, then apply the catalog on
> >> the agent.
> >>
> >> Thanks,
> >>
> >> Nan
> >>
> >> --
> >> You received this message because you are subscribed to the Google Groups
> >> "Puppet Users" group.
> >> To post to this group, send email to puppet-users@googlegroups.com.
> >> To unsubscribe from this group, send email to
> >> puppet-users+unsubscr...@googlegroups.com.
> >> For more options, visit this group at
> >> http://groups.google.com/group/puppet-users?hl=en.
> >>
> >
> >
> >
> > --
> > To be is to do = Immanuel Kant
> > To do is to be = Descartes.
> > Do be do be do = Frank Sinatra
> >
> 
> 
> 
> --
> ⎋ Puppet Labs Developer – http://puppetlabs.com
> ✉ Daniel Pittman <dan...@puppetlabs.com>
> ✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
> ♲ Made with 100 percent post-consumer electrons
> 


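Added example (not part of the original thread, and not Puppet's own code): when a catalog is compiled on the master and shipped to a DMZ agent as Nan suggests, any file resource whose source is a puppet:// URI still needs the master's file server, so those are the "dependent files" to ship. The sketch below lists them; the catalog layout, the leading log line and all host and path names are constructed assumptions.

```python
import json

# Constructed sample in the shape `puppet master --compile <node>` is assumed
# to print: a log line followed by the JSON catalog. Not taken from the thread.
SAMPLE = '''notice: Compiled catalog for dmz-web01.example.com in 0.12 seconds
{"document_type": "Catalog", "data": {"name": "dmz-web01.example.com",
 "resources": [
  {"type": "File", "title": "/etc/motd",
   "parameters": {"content": "managed by puppet\\n"}},
  {"type": "File", "title": "/etc/ntp.conf",
   "parameters": {"source": "puppet:///modules/ntp/ntp.conf"}},
  {"type": "File", "title": "/etc/app.conf",
   "parameters": {"source": ["/srv/local/app.conf",
                             "puppet://master.example.com/modules/app/app.conf"]}},
  {"type": "Service", "title": "ntpd", "parameters": {"ensure": "running"}}
 ]}}'''


def load_catalog(text):
    """Parse compile output, skipping log lines before the JSON document."""
    start = text.find("{")
    if start < 0:
        raise ValueError("no JSON catalog found in compile output")
    # raw_decode tolerates trailing output after the catalog.
    doc, _end = json.JSONDecoder().raw_decode(text, start)
    # Assumption: some versions wrap the body in {"document_type", "data"}.
    return doc.get("data", doc)


def master_dependencies(catalog):
    """Return (resource, uri) pairs that can make the agent contact a file server."""
    found = []
    for res in catalog.get("resources", []):
        params = res.get("parameters") or {}
        sources = params.get("source", [])
        if isinstance(sources, str):
            sources = [sources]  # `source` may be one URI or a fallback list
        for uri in sources:
            if uri.startswith("puppet:"):
                found.append(("%s[%s]" % (res["type"], res["title"]), uri))
    return found


if __name__ == "__main__":
    for resource, uri in master_dependencies(load_catalog(SAMPLE)):
        print("needs master: %s <- %s" % (resource, uri))
```

An empty result means the shipped catalog carries no puppet:// file sources, so applying it should not require the DMZ-to-master connection for file content.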