[Puppet Users] Best practices for infrastructure

2013-08-23 Thread Paul Archer
I'm new to puppet, fixin' to (in Texas parlance) setup a largish installation, and want to make sure I get things right the first time. I have a colo plus several satellite locations, with many more on the way. I'll be using open-source Puppet, as we have way too many nodes to manage (potential

Re: [Puppet Users] Best practices for infrastructure

2013-08-23 Thread Martin Langhoff
On Fri, Aug 23, 2013 at 12:03 PM, Paul Archer wrote: > I'm thinking about setting up a master in the colo with a slaved master at > each site, > I would strongly recommend using "master-less" recipes, which are actually "a git repository as a master, and cronjobs running puppet apply as client".

Re: [Puppet Users] Best practices for infrastructure

2013-08-23 Thread Dan White
hink the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.” Bill Waterson (Calvin & Hobbes) - Original Message - From: "Paul Archer" To: puppet-users@googlegroups.com Sent: Friday, August 23, 2013 12:03:41 PM

Re: [Puppet Users] Best practices for infrastructure

2013-08-24 Thread Félix Barbeira
Speaking in security terms, could be masterless puppet configuration less secure? I mean, the puppet code is in *all* the clients. On the other hand, the puppet code is only in the master, which I think is more secure (you can isolate it on a restricted VLAN, private network, etc). If the securi

Re: [Puppet Users] Best practices for infrastructure

2013-08-24 Thread Martin Langhoff
On Sat, Aug 24, 2013 at 6:33 AM, Félix Barbeira wrote: > Speaking in security terms, could be masterless puppet configuration less > secure? I mean, the puppet code is in *all* the clients. On the other hand, > the puppet code is only in the master, which I think is more secure (you > can isolate

Re: [Puppet Users] Best practices for infrastructure

2013-08-24 Thread Jakov Sosic
On 08/24/2013 04:13 PM, Martin Langhoff wrote: > On Sat, Aug 24, 2013 at 6:33 AM, Félix Barbeira > wrote: > > Speaking in security terms, could be masterless puppet configuration > less secure? I mean, the puppet code is in *all* the clients. On the > other

Re: [Puppet Users] Best practices for infrastructure

2013-08-25 Thread Martin Langhoff
On Sat, Aug 24, 2013 at 5:18 PM, Jakov Sosic wrote: > Only if you use autosign option. After the certificate is signed, agents > report certname and not hostname. Well-behaved clients report certname. A malicious client could use one cert, but report a different name. AIUI the puppet master check

Re: [Puppet Users] Best practices for infrastructure

2013-08-25 Thread Gabriel Filion
On 23/08/13 12:51 PM, Martin Langhoff wrote: > On Fri, Aug 23, 2013 at 12:03 PM, Paul Archer > wrote: > > I'm thinking about setting up a master in the colo with a slaved > master at each site, > > > I would strongly recommend using "master-less" recipes, whi

Re: [Puppet Users] Best practices for infrastructure

2013-08-25 Thread Jakov Sosic
On 08/25/2013 02:17 PM, Martin Langhoff wrote: On Sat, Aug 24, 2013 at 5:18 PM, Jakov Sosic wrote: Only if you use autosign option. After the certificate is signed, agents report certname and not hostname. Well-behaved clients report certname. A malicious client could use one cert, but report

Re: [Puppet Users] Best practices for infrastructure

2013-08-27 Thread jcbollinger
On Sunday, August 25, 2013 7:17:21 AM UTC-5, Martin Langhoff wrote: > > On Sat, Aug 24, 2013 at 5:18 PM, Jakov Sosic > > wrote: > > Only if you use autosign option. After the certificate is signed, agents > > report certname and not hostname. > > Well-behaved clients report certname. A malici

Re: [Puppet Users] Best practices for infrastructure

2013-08-27 Thread Martin Langhoff
On Tue, Aug 27, 2013 at 2:41 PM, jcbollinger wrote: > The client can provide a $::hostname fact that is different from the > certname it presents, but that is perfectly valid and expected under some > circumstances. It is possible that a client doing so is thereby able to > exploit weaknesses in

Re: [Puppet Users] Best practices for infrastructure

2013-08-28 Thread jcbollinger
On Tuesday, August 27, 2013 1:47:02 PM UTC-5, Martin Langhoff wrote: > > On Tue, Aug 27, 2013 at 2:41 PM, jcbollinger > > > wrote: > > The client can provide a $::hostname fact that is different from the > > certname it presents, but that is perfectly valid and expected under > some > > cir

Re: [Puppet Users] Best practices for infrastructure

2013-08-28 Thread Martin Langhoff
On Wed, Aug 28, 2013 at 9:31 AM, jcbollinger wrote: > If the objective is to render it into a small number of words, Just to double-check my understanding is right. If the client-reported $::hostname does not match the certname, _and_ I am only using 'node "fqdn"' entries in my Puppet manifests,

Re: [Puppet Users] Best practices for infrastructure

2013-08-29 Thread jcbollinger
On Wednesday, August 28, 2013 12:00:21 PM UTC-5, Martin Langhoff wrote: > > On Wed, Aug 28, 2013 at 9:31 AM, jcbollinger > > > wrote: > > If the objective is to render it into a small number of words, > > Just to double-check my understanding is right. If the client-reported > $::hostname do

Re: [Puppet Users] Best practices for infrastructure

2013-08-30 Thread Martin Langhoff
On Thu, Aug 29, 2013 at 9:02 AM, jcbollinger wrote: > The master will always choose the node block to use based on the client's > SSL certname (spelled $::clientcert in Puppet DSL). Oh, that is considerably safer than what I feared. Thanks for the clarification. My comments earlier in this threa