Speaking in security terms, could be masterless puppet configuration less secure? I mean, the puppet code is in *all* the clients. On the other hand, the puppet code is only in the master, which I think is more secure (you can isolate it on a restricted VLAN, private network, etc). If the security of one client is vulnerated the hacker gets nothing, otherwise he would be able to read the whole puppet code.
El viernes, 23 de agosto de 2013 18:51:07 UTC+2, Martin Langhoff escribió: > > On Fri, Aug 23, 2013 at 12:03 PM, Paul Archer <geek...@gmail.com<javascript:> > > wrote: > >> I'm thinking about setting up a master in the colo with a slaved master >> at each site, >> > > I would strongly recommend using "master-less" recipes, which are actually > "a git repository as a master, and cronjobs running puppet apply as client". > > On that track, I have recently implemented just that, rolling out to 4 > sites totalling a couple thousand client nodes. I have posted on this list > about my glue / tools, which I am publishing at > http://repo.or.cz/w/puppet-git.git . They allow you to feed the reports > to a puppet dashboard (something that you usually lose in "master-less" > setups. > > An addition to puppet-git being triggered via cron, I have a configuration > that sets up an incrond rule, so if we need an immediate rollout, touching > a file in a magic directory triggers the clients to update their config > right now. > > My puppet-git is good, I recommend it :-) -- but YMMV on that. But using > git as a master is, IMHO, best practice at scale. > > cheers, > > > > m > -- > martin....@gmail.com <javascript:> > - ask interesting questions > - don't get distracted with shiny stuff - working code first > ~ http://docs.moodle.org/en/User:Martin_Langhoff > -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users. For more options, visit https://groups.google.com/groups/opt_out.
