On 27 September 2012 17:24, Alex Harvey <alexharv...@gmail.com> wrote:
>
>
> On Thursday, September 27, 2012 9:13:32 AM UTC+10, Pete wrote:
>>
>> Another option would be to put all your puppet code into a git repo
>> and set up each master to pull from a central repo over ssh.
>> That _Should_ be secure enough.
>>
>> I am also curious why you need this sort of setup.
>> Is it for PCI compliance or something similar?
>
>
> Yeah, that's my plan B.
>
> As I mentioned I am working in a large organisation and the security people
> have a lot of power.  A Puppet Master can in principle do a lot of damage
> because you are effectively "root everywhere at once".  So it's simply
> unlikely that our security people are going to let a single Puppet Master be
> in control of all these subnets, and the point where it is going to get
> rejected is if I ask for every host on subnet A to be allowed to talk to the
> Puppet Master that lives on subnet Z.  Whether this is a good or bad
> security policy could be debated but it's not up to me.

Yeah I can understand that. I guess being the only guy in the shop
means I get to approve all the security as well.
You could involve the security people in the approval process and
change management process for your modules.
Keeping them involved is the best way. That way they also have input
into the process and point out anything that doesn't fit within the
security policies for your organisation.

I am actually using puppet to apply the security policies so that may
be something you could consider (yeah I intend to publish my modules
when I am happy with them).

> An alternative is to have a central repo server as suggested here.  I could
> have independent Puppet Masters on all the subnets and that would probably
> satisfy the security requirement.  The trouble is I would then lose the
> ability to have a global view of everything.  Thus, if I wanted, say, a
> report of all hosts I manage with a special configuration of some service,
> I'll have to log into all the Puppet Masters individually to get this
> information - or write a script to somehow extract it from the git repo.  So
> I will have lost one of the key benefits of Puppet.

You could set up puppet to manage the git repo for your modules and manifests :)
You could use tags to version the modules and include that as part of
the change management process.

>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/puppet-users/-/huzW1IAfegEJ.
>
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.

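Pete's suggestion (each master keeps its own checkout of a central module repo, pulled over ssh, with tags as the unit that goes through change management) written out as an added Puppet example. This is not code from the thread or from the Puppet project; it assumes the puppetlabs/vcsrepo module is installed, and the repository URL, key path, tag name and class name are placeholders.

```puppet
# Added example, not from the thread: each Puppet master maintains a local
# checkout of the central module repository, fetched over ssh with a
# read-only deploy key and pinned to a release tag.
# Assumptions: puppetlabs/vcsrepo is installed; the deploy key at $identity
# has been provisioned out of band and is registered on the git server
# with read-only access; host, paths and tag are hypothetical.
class site::modules_checkout (
  $source   = 'git@git.example.internal:puppet/modules.git', # placeholder
  $revision = 'v1.4.0',               # release tag approved in change management
  $target   = '/etc/puppet/modules',
  $identity = '/etc/puppet/keys/deploy_ro',
) {

  # The private key must not be readable by anyone but the puppet user.
  file { $identity:
    ensure => file,
    owner  => 'puppet',
    group  => 'puppet',
    mode   => '0600',
  }

  # Pin to a tag rather than a branch: a push to the branch (mistaken or
  # otherwise) does not reach any master until the tag is bumped here, so
  # a single change to $revision is the reviewable, auditable promotion step.
  vcsrepo { $target:
    ensure   => present,
    provider => git,
    source   => $source,
    revision => $revision,
    identity => $identity,
    user     => 'puppet',
    require  => File[$identity],
  }
}
```

Because `ensure => present` together with `revision` keeps the checkout at the named tag, bumping `$revision` is the only way new module code lands on a master; using `ensure => latest` instead would track the remote and give up that control point. Since each master only ever fetches, a read-only deploy key is enough, and a master on one subnet never needs a network path to a master on another.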