On Mon, Sep 16, 2013 at 8:11 PM, huang ming <huangming...@gmail.com> wrote:
> I want the puppetmaster to be able to sign the manifest, to avoid some guys publishing a dangerous manifest to the agent, like exec{"foo": command=>"rm / -rf";}
>
> There is a software named samhain. It's an integrity checker and host intrusion detection system. When compiling the source code of the software, you can configure a cert with it. When the software is running, it only reads the cert-signed configure file.
>
> Anyway, the agent uses https to connect to the master. The ssl connection just makes the connection safe, but not the manifest code.

If you're distributing manifests, then you're exposing all of the manifest data to the node instead of just the information that pertains to the node.

However you can also use your puppet master in an offline mode, the way you're using that networkless PC. You can collect the facts from your nodes and copy them to a networkless puppet master. From there you compile node catalogs, and then sign _those_. Then you can copy those catalogs and signatures back to your rsync server, and you have all the perks of using a puppet master but you don't have to worry about exposing your manifests.

--
Adrien Thebo | Puppet Labs

--
You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
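The offline compile-sign-distribute flow described above, as an added example that is not from the thread or from Puppet itself: a POSIX shell wrapper that signs a catalog compiled on the networkless master with that master's private key, and an agent-side wrapper that refuses to apply a catalog whose detached signature does not verify. It assumes OpenSSL, an RSA key pair named master.key / master.pub (assumed names), and a catalog JSON file such as the output of `puppet master --compile <node>`.

```shell
#!/bin/sh
# Added example, not Puppet's own tooling. Signs node catalogs on the offline
# master and verifies them on the agent before `puppet apply --catalog`.
# Assumed file names: master.key (offline master, private), master.pub (on agents).

# Sign a compiled catalog (e.g. node01.json from `puppet master --compile node01`).
# Produces a detached signature next to it: <catalog>.sig
sign_catalog() {
    catalog="$1"
    key="$2"
    openssl dgst -sha256 -sign "$key" -out "$catalog.sig" "$catalog"
}

# Verify a catalog against its detached signature with the master's public key.
# Returns 0 only if the signature matches this exact file content, so any edit
# made to the catalog after signing (e.g. on the rsync server) is rejected.
verify_catalog() {
    catalog="$1"
    pub="$2"
    [ -f "$catalog.sig" ] || return 1
    openssl dgst -sha256 -verify "$pub" -signature "$catalog.sig" "$catalog" \
        >/dev/null 2>&1
}

# Agent-side entry point: apply the catalog only after it verifies.
apply_signed_catalog() {
    catalog="$1"
    pub="$2"
    if verify_catalog "$catalog" "$pub"; then
        puppet apply --catalog "$catalog"
    else
        echo "refusing to apply $catalog: signature check failed" >&2
        return 1
    fi
}
```

Copy `node01.json` and `node01.json.sig` to the rsync server together; the agent pulls both and calls `apply_signed_catalog node01.json master.pub`.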