Nigel Kersten wrote:
On Thu, Feb 24, 2011 at 1:29 PM, Thomas Bellman <bell...@nsc.liu.se> wrote:
I think not using 'source => "puppet:///..."' references, but instead using 'content => file(...)' or 'content => template(...)' everywhere, would do the trick.
Except you end up shipping the file contents *every* time in the catalog. This kind of sucks.
Well, you got to pick your poison: either that, or risk a (possibly compromised and malicious) client managing to trick the master into giving out information from an environment that client should not get information from.
Except if you have custom facts that differ between environments, or custom type providers that differ between environments. Then you are screwed.
No you're not? If you're using modules properly with environments, the facts/types/providers are all pluginsync'd from the lib/ subdirectory contents of all the modules in your environment.
Of all the modules in the environment the *client* asks for. Not the environment the external node classifier says the client should be provided from. The master does not run the classifier when the client requests to download plugins, and thus cannot override the environment the client specifies. Or are the file requests for downloading plugins different from other file requests, so they *do* trigger the external classifier? I'll admit that I haven't actually tested this or looked at what the code does in this case, but I haven't gotten the impression it *is* run in that case.
The facts have no bearing on specifying content instead of source.
Exactly. Using content=> instead of source=> is not a workaround for bug 3910 when dealing with per-environment plugins. So if you *do* have different plugins in different environments, and those contain secrets the wrong client must not know, then I believe you *are* screwed, because I don't think there is any workaround for that. (Except actually fixing bug 3910 properly, by running the external node classifier for each and every client request...) Am I missing something?

/Bellman
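The trust boundary debated in this thread, as a toy Python model added here for illustration; it is not Puppet code and was not posted by any participant. Node names, environment names, paths and function names are constructed, `enforce_enc` stands in for the "run the classifier on every request" fix mentioned above, and the model assumes that a file delivered via `content =>` is no longer reachable through the file server.

```python
# Toy model (not Puppet code) of the behaviour described in this thread.
# All names and data are constructed for illustration.

ENVIRONMENTS = {
    "prod": {"files": {"app/db.conf": "password=PROD-SECRET"},
             "plugins": {"facter/site.rb": "# prod-only fact"}},
    "dev": {"files": {"app/db.conf": "password=dev"},
            "plugins": {"facter/site.rb": "# dev fact"}},
}
# External node classifier: certname -> environment the node is assigned to.
ENC = {"web1.example.com": "prod", "lab7.example.com": "dev"}


def compile_catalog(certname, use_content):
    """Catalog request: the classifier, not the client, picks the environment."""
    env = ENC[certname]
    if use_content:
        # content => file(...): the master reads the file while compiling.
        return {"env": env, "content": ENVIRONMENTS[env]["files"]["app/db.conf"]}
    # source => "puppet:///...": the catalog only carries a reference.
    return {"env": env, "source": "app/db.conf"}


def serve_file(certname, requested_env, kind, path, enforce_enc=False):
    """File or plugin request: the environment is taken from the request
    itself unless the classifier is consulted (enforce_enc=True)."""
    env = ENC[certname] if enforce_enc else requested_env
    return ENVIRONMENTS[env][kind][path]


def exposure(certname, claimed_env, use_content, enforce_enc=False):
    """What a node claiming `claimed_env` ends up receiving from the master."""
    catalog = compile_catalog(certname, use_content)
    got = {"plugin": serve_file(certname, claimed_env, "plugins",
                                "facter/site.rb", enforce_enc)}
    if use_content:
        got["file"] = catalog["content"]
    else:
        got["file"] = serve_file(certname, claimed_env, "files",
                                 catalog["source"], enforce_enc)
    return got
```

In this model, switching to `content =>` keeps the file contents tied to the classifier's environment, while the plugin request still follows whatever environment the client names.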