On 10/21/2011 02:21 AM Jon Davis wrote:
> Basically, I have a LOT of boxes and I was hoping to avoid having them all
> VPN'ing in simply to pull config.

So that's why I was talking about only connecting your gateways together without placing all your boxes into the same VPN network. Maybe you want to consider installing one master per site. You could let them join a fully autonomous meshed VPN network by using e.g. tinc VPN. This would reduce the overhead produced by network or appliance administration. Certainly, this depends on the number of external sites you're actually dealing with...

> As for the paranoid piece. They wouldn't be able to pull anything without
> being signed already (right?), so unless they intercepted the connection at
> my datacenter they wouldn't be able to find out. Or maybe I don't
> understand what is publicly accessible on Puppet server.

Well, you're right, since nobody would be able to access the application logic of the puppetmaster without mutually authenticating themselves by using a valid client certificate (transport layer). Basically I was talking of exposing node connections to the puppetmaster to external transport networks. This might reveal interesting information on your environment to third parties (like the number of connections, the sync interval, but even the number of hosts and IP addresses involved [...]).

Jan
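The point Jan makes above is that the transport layer, not the application, is what keeps strangers out of the puppetmaster: a peer without a client certificate signed by the site CA never reaches the application logic. The following Go program is an added illustration of that property and is not code from this thread, from Puppet or from tinc. It builds a throwaway site CA and a throwaway foreign CA in memory, starts a loopback TLS listener that stands in for a puppetmaster and requires a site-CA client certificate, then tries three clients: one with no certificate, one with a certificate from the foreign CA, and one with a certificate from the site CA. The host names (`puppetmaster.example.test`, `node01.example.test`, `rogue.example.test`) and the "catalog" reply are constructed for the example. Only the third client should get a reply; the other two are stopped before any application data is exchanged.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

var serial int64

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCert issues a certificate for cn. With parent == nil it is self-signed (a CA);
// otherwise it is signed by parent/parentKey. Keys are throwaway P-256 keys.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // SAN is what the peer checks the name against
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// tryFetch connects to the stand-in master and reports whether the client got past TLS.
// Under TLS 1.3 the client's own handshake can finish before the server has judged the
// client certificate, so the verdict is taken from the first read, not from Dial alone.
func tryFetch(addr string, cfg *tls.Config) bool {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return false
	}
	defer conn.Close()
	buf := make([]byte, 64)
	n, err := conn.Read(buf)
	return err == nil && string(buf[:n]) == "catalog\n"
}

// CheckMutualTLS stands up a loopback "puppetmaster" that demands a client certificate
// from the site CA and tries three clients. Only the site-CA client should be served.
func CheckMutualTLS() (anonOK, foreignOK, validOK bool) {
	siteCA, siteKey := makeCert("site-ca", true, nil, nil)
	foreignCA, foreignKey := makeCert("foreign-ca", true, nil, nil)
	srvCert, srvKey := makeCert("puppetmaster.example.test", false, siteCA, siteKey)
	goodCert, goodKey := makeCert("node01.example.test", false, siteCA, siteKey)
	badCert, badKey := makeCert("rogue.example.test", false, foreignCA, foreignKey)

	sitePool := x509.NewCertPool()
	sitePool.AddCert(siteCA)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "mutual" part: no site-CA cert, no session
		ClientCAs:    sitePool,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	must(err)
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { // application data is only sent after a successful handshake
				defer c.Close()
				if tc := c.(*tls.Conn); tc.Handshake() == nil {
					tc.Write([]byte("catalog\n"))
				}
			}(c)
		}
	}()

	client := func(cert *x509.Certificate, key *ecdsa.PrivateKey) *tls.Config {
		cfg := &tls.Config{RootCAs: sitePool, ServerName: "puppetmaster.example.test"}
		if cert != nil {
			cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}
		}
		return cfg
	}
	addr := ln.Addr().String()
	return tryFetch(addr, client(nil, nil)), tryFetch(addr, client(badCert, badKey)), tryFetch(addr, client(goodCert, goodKey))
}

func main() {
	a, f, v := CheckMutualTLS()
	fmt.Printf("no cert served: %v, foreign-CA cert served: %v, site-CA cert served: %v\n", a, f, v)
}
```

What the listener cannot hide is exactly what Jan lists: anyone able to observe the transport still sees that connections happen, from which addresses and how often, even though every one of them is refused before application data flows. That is the argument for keeping node-to-master traffic inside the VPN rather than relying on the certificate check alone.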