On Thu, Feb 24, 2011 at 3:05 PM, Thomas Bellman <bell...@nsc.liu.se> wrote:
> Nigel Kersten wrote:
>
>> On Thu, Feb 24, 2011 at 1:29 PM, Thomas Bellman <bell...@nsc.liu.se>
>> wrote:
>
>>> I think not using 'source => "puppet:///..."' references, but instead
>>> using 'content => file(...)' or 'content => template(...)' everywhere,
>>> would do the trick.
>
>> Except you end up shipping the file contents *every* time in the
>> catalog. This kind of sucks.
>
> Well, you got to pick your poison: either that, or risk a (possibly
> compromised and malicious) client managing to trick the master into
> giving out information from an environment that client should not
> get information from.

Yep. The inefficiency in sending all files every time is why Luke's been
working on the static compiler stuff, which is looking really quite awesome.

>>> Except if you have custom facts that differ between environments,
>>> or custom type providers that differ between environments. Then
>>> you are screwed.
>
>> No you're not? If you're using modules properly with environments, the
>> facts/types/providers are all pluginsync'd from the lib/ subdirectory
>> contents of all the modules in your environment.
>
> Of all the modules in the environment the *client* asks for. Not
> the environment the external node classifier says the client should
> be provided from. The master does not run the classifier when the
> client requests to download plugins, and thus cannot override the
> environment the client specifies.

Oh sure. I missed your context somehow. I currently consider it broken to
even try setting the environment from the ENC. You have to rely upon the
client.

> Or are the file requests for downloading plugins different from
> other file requests, so they *do* trigger the external classifier?
> I'll admit that I haven't actually tested this or looked at what
> the code does in this case, but I haven't gotten the impression
> it *is* run in that case.
>
>> The facts have no bearing on specifying content instead of source.
>
> Exactly. Using content=> instead of source=> is not a workaround
> for bug 3910 when dealing with per-environment plugins. So if you
> *do* have different plugins in different environments, and those
> contain secrets the wrong client must not know, then I believe you
> *are* screwed, because I don't think there is any workaround for
> that. (Except actually fixing bug 3910 properly, by running the
> external node classifier for each and every client request...)
>
> Am I missing something?

No, I think we were just talking about different aspects of this thread.

Do you really have "secrets" in your plugins though? That feels like a
design smell somehow.
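The two resource forms the thread compares, written out as an added example (not code from the thread or from Puppet itself); the module name `app`, the file paths and the class names are assumptions.

```puppet
# Added example, not from the thread. Module 'app', the paths and the
# class names are assumptions chosen for illustration.

# Form 1: source => 'puppet:///...'
# The compiled catalog carries only the URL. The agent then makes a
# separate file-serving request to the master, and that request is
# resolved in the environment the *agent* reports, not the one the
# ENC assigned at compile time. This is the per-file exposure the
# thread attributes to bug 3910: a node can obtain another
# environment's copy of the file by reporting that environment.
class app::config_by_source {
  file { '/etc/app/app.conf':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0640',
    source => 'puppet:///modules/app/app.conf',
  }
}

# Form 2: content => template(...)
# The file body is rendered while the master compiles the catalog, so
# it is looked up in the environment the ENC chose for this node and
# no later agent-driven file request is involved. The cost is the one
# the thread names: the full content travels in every catalog.
class app::config_by_content {
  file { '/etc/app/app.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0640',
    content => template('app/app.conf.erb'),
  }
}

# Note: neither form changes plugin sync. Custom facts, types and
# providers under each module's lib/ are still fetched by the agent
# in the environment the agent reports, so per-environment plugins
# are not protected by switching from source to content.
```

The two classes declare the same path and are meant as alternatives; include only one of them on a node, or Puppet will reject the duplicate resource.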