I see what you are saying. We are going with a plan to authorize an opening in the firewall for just the instance of the kick. As any changes to our production environment require a change request, one would have to be created to allow the ports to be opened just for the kick.
On Tue, Feb 15, 2011 at 9:22 PM, Patrick <kc7...@gmail.com> wrote:
> I think you're saying that it's close enough that it shouldn't matter. In
> the context of this thread, there's a huge difference though. If the puppet
> client is in a DMZ (and can't connect to the puppetmaster) it needs the
> catalog to be pushed to the client. Not just the server telling the client
> to pull the config, because the client can't connect to the server since the
> client is locked in the DMZ.
>
> On Feb 15, 2011, at 5:37 PM, James Louis wrote:
>
> in spite of this not actually being a "push" mechanism, if it walks like a
> duck... it would be nice if the documentation and previous discussions on this
> were more clear, or even better, if it's not a "push" then it should be
> "redefined" within the puppet world. IMHO
>
> On Tue, Feb 15, 2011 at 4:07 PM, Daniel Pittman <dan...@puppetlabs.com> wrote:
>
>> Other people answered other parts of this, but to be totally clear:
>>
>> 'puppet kick' is *NOT* a push mechanism for puppet. It is a mechanism
>> to trigger the regular, pull-based, puppet run on a specific machine.
>>
>> In the bigger picture I would strongly suggest you just open the
>> single port used for puppet management from the DMZ to the secure
>> network, and allow that (and only that) exception. Alternately,
>> establish a second puppet master in the DMZ for use there, and feed it
>> catalogs from the same VCS that the internal one uses.
>>
>> (Personally, I would suggest that opening the port is less security
>> auditing overhead than an entire puppet master out in the DMZ, but
>> YM(and auditors)MV.)
>>
>> Daniel
>>
>> On Tue, Feb 15, 2011 at 13:04, James Louis <jgloui...@gmail.com> wrote:
>> > My experience is having "listen = true" in the puppet conf and starting the
>> > client with --no-client does prevent the puppet pull. This works for me so
>> > that I can issue a puppet kick on the server to only serve changes when I
>> > want to.
>> >
>> > On Tue, Feb 15, 2011 at 2:54 PM, Nan Liu <n...@puppetlabs.com> wrote:
>> >>
>> >> On Tue, Feb 15, 2011 at 11:21 AM, Kristopher <asciid...@gmail.com> wrote:
>> >> > I would like to confirm that the following is not possible:
>> >> > I have servers I would like to manage via puppet in my DMZ; I have my
>> >> > puppet server in the trusted zone of my network. Due to this
>> >> > arrangement (which cannot be changed due to other services running on
>> >> > the puppet master) puppet clients cannot initiate a connection with
>> >> > the puppet master. So I would like to use puppet on a purely push
>> >> > basis using puppet kick.
>> >> >
>> >> > So I handled the cert signing out of band for a client and set up the
>> >> > namespaceauth.conf. The problem is that when I start the client with
>> >> > --no-client and --listen it still tries to connect to the puppet server,
>> >> > which fails because of the firewall rules. In addition, when I asked on
>> >> > #puppet I was informed that puppet kick just tells the client to phone
>> >> > home by creating a new connection to request its configs.
>> >> >
>> >> > From all this I came to the conclusion that puppet cannot be used on a
>> >> > purely push basis; is this true? If it is true, is it likely to change
>> >> > at any point?
>> >>
>> >> If you do not want the puppet agent to initiate any network connection
>> >> to the puppet master, compile the catalog on the master, ship the
>> >> catalog and dependent files to the agent, then apply the catalog on
>> >> the agent.
>> >>
>> >> Thanks,
>> >>
>> >> Nan
>> >>
>> >> --
>> >> You received this message because you are subscribed to the Google Groups
>> >> "Puppet Users" group.
>> >> To post to this group, send email to puppet-users@googlegroups.com.
>> >> To unsubscribe from this group, send email to
>> >> puppet-users+unsubscr...@googlegroups.com.
>> >> For more options, visit this group at
>> >> http://groups.google.com/group/puppet-users?hl=en.
>> >
>> > --
>> > To be is to do = Immanuel Kant
>> > To do is to be = Descartes.
>> > Do be do be do = Frank Sinatra
>>
>> --
>> ⎋ Puppet Labs Developer – http://puppetlabs.com
>> ✉ Daniel Pittman <dan...@puppetlabs.com>
>> ✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
>> ♲ Made with 100 percent post-consumer electrons
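The flow Nan Liu describes above (compile on the master, ship the catalog and its dependent files to the agent, apply it there) is the only arrangement in the thread in which the DMZ agent never opens a connection towards the trusted zone; `puppet kick` still makes the agent connect back to the master for its catalog. The script below is an added example, not code from the thread or from Puppet Labs. The `puppet master --compile` and `puppet apply --catalog` subcommands are real; the host names, the remote catalog path, the `root@` ssh user and the `DRY_RUN` wrapper are assumptions made for the example. The one check it adds is the caveat a practitioner hits first: a catalog whose `file` resources use `puppet:///` sources still fetches those files from the master's fileserver at apply time, so such a catalog would fail behind the same firewall rule and is refused before shipping.

```shell
#!/bin/sh
# Added example (not from the thread or from Puppet Labs): compile a node's
# catalog on the master, ship it into the DMZ and apply it there, so the DMZ
# agent never initiates a connection to the master. Host names, paths and
# the ssh user are assumptions.
set -eu

# With DRY_RUN=1 every privileged step is printed instead of executed, so the
# exact plan can be reviewed (or attached to a change request) before it runs.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Step 1 (on the master, in the trusted zone): compile one node's catalog from
# the facts the master already has cached. The node is named, not contacted.
compile_catalog() {
    node=$1; out=$2
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '+ puppet master --compile %s > %s\n' "$node" "$out"
    else
        puppet master --compile "$node" > "$out"
    fi
}

# Step 2: refuse to ship a catalog that still pulls files from the master.
# 'puppet:///' sources are fetched at apply time over the very connection the
# DMZ rules forbid; such resources need 'content' instead, or the files must
# be shipped alongside the catalog. Returns 0 when self-contained, 1 otherwise.
catalog_is_self_contained() {
    ! grep -q 'puppet:///' "$1"
}

# Step 3: copy the catalog to the agent and apply it. Both commands are
# initiated from the trusted side towards the DMZ, the same direction a
# 'puppet kick' already needs, so no DMZ-to-trusted exception is added.
ship_and_apply() {
    node=$1; catalog=$2
    remote="/var/lib/puppet/client_data/catalog/$node.catalog"   # assumed path
    run scp "$catalog" "root@$node:$remote"
    run ssh "root@$node" puppet apply --catalog "$remote"
}

# Whole procedure for one node; returns non-zero if the catalog is rejected.
push_catalog() {
    node=$1
    work="${TMPDIR:-/tmp}/$node.catalog"
    compile_catalog "$node" "$work"
    if [ "${DRY_RUN:-0}" != 1 ] && ! catalog_is_self_contained "$work"; then
        echo "refusing to ship $work: it references puppet:/// file sources" >&2
        return 1
    fi
    ship_and_apply "$node" "$work"
}

# Usage: DRY_RUN=1 sh push_catalog.sh dmz-web01.example.com   (review the plan)
#        sh push_catalog.sh dmz-web01.example.com             (run it)
[ $# -eq 0 ] || push_catalog "$1"
```

Run with `DRY_RUN=1` first and keep the printed plan: it lists exactly which connections the procedure makes (scp and ssh from the master towards the DMZ host), which is what a firewall change request has to describe. Compare that with the kick-based design in the thread, which needs the agent reachable on its listen port (8139 by default) from the master and, in addition, the agent able to reach the master's port (8140 by default) to fetch the catalog; it is that second, DMZ-to-trusted connection that this procedure avoids.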