Hi guys, when you use Puppet to manage all your production servers, the security of the puppet master is very, very, very, very important, because if a hacker controls the puppet master server, he can control all your servers and can do anything he wants.

I think most companies use a VPN network to connect the puppet agent and the puppet master, but I think it's not safe enough. If someone's work PC is controlled by a hacker, the hacker can get into the VPN network. Or the hacker is someone who is not allowed to use the puppet master. VPN is safe, but not enough. So the puppet master needs 3A: Authentication, Authorization, Accounting. Everybody who pushes a puppet manifest needs 3A and needs to use a cert to sign the code. The puppet master only allows signed manifest code.

In my environment, I do not use a puppet master. The puppet agent downloads the signed manifest from an rsync server, verifies the manifest and runs it. I think it's safer than the puppet master publishing the code, because I use a networkless PC to sign the code, then copy the code to the rsync server. So the security risk moves to all the puppet agents, not the puppet master or rsync server.
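One way the agent-side step described in this post (download, verify, then run) could look, as an added example that is not the poster's own script. It assumes a detached `openssl` signature over a tarball checked against a bare public key rather than a certificate; the file names, paths and the `make_demo` helper are hypothetical.

```shell
#!/bin/sh
# Added example: fail-closed signature check before a manifest bundle is used.
# All file names and paths here are assumptions for illustration.

# verify_bundle BUNDLE SIG PUBKEY -> 0 only if SIG is a valid signature over BUNDLE
verify_bundle() {
    # A missing or empty bundle, signature or key is treated as a failure.
    [ -s "$1" ] && [ -s "$2" ] && [ -s "$3" ] || return 2
    openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
}

# stage_bundle BUNDLE SIG PUBKEY DEST
# Verifies first; unpacks into a fresh directory and swaps it in only on success.
stage_bundle() {
    [ -n "$4" ] || return 2
    verify_bundle "$1" "$2" "$3" || {
        echo "REJECT: bad or missing signature: $1" >&2
        return 1
    }
    rm -rf "$4.new" && mkdir -p "$4.new" || return 1
    tar -xzf "$1" -C "$4.new" || { rm -rf "$4.new"; return 1; }
    rm -rf "$4" && mv "$4.new" "$4"
    # The agent would now run: puppet apply "$4/site.pp"
}

# make_demo WORKDIR: constructed key pair, manifest and signature for a local run.
# In the workflow above, the private key never leaves the offline signing PC.
make_demo() {
    mkdir -p "$1/src" || return 1
    printf 'file { "/etc/motd": content => "managed" }\n' > "$1/src/site.pp"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/sign.key" 2>/dev/null &&
    openssl pkey -in "$1/sign.key" -pubout -out "$1/sign.pub" 2>/dev/null &&
    tar -czf "$1/manifests.tgz" -C "$1/src" site.pp &&
    openssl dgst -sha256 -sign "$1/sign.key" \
        -out "$1/manifests.tgz.sig" "$1/manifests.tgz"
}
```

Only the public key needs to be on each agent, so a compromised rsync server can withhold or replay bundles but cannot produce a new one that passes `verify_bundle`.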