Re: [Puppet Users] puppet master on the internet


Peter Brown

Apr 28, 2013, 7:42:32 PM
to puppet-users
On 28 April 2013 19:48, Alberto Besana <alberto...@gmail.com> wrote:
> We're about to run a bunch (< 50) of machines scattered around a (physical) town, using a machine with a public IP to recover logs and reports. We cannot change this setting: it's a kind of experiment and it will last a few weeks.
>
> Does anyone have experience with safety issues when running a puppet master on a machine using a public IP?
> For the log-report part we use ssh to connect to the server, and the idea is to use puppet agent to perform maintenance and tuning.

Hi,

I run my puppet master on a public IP.
I manage servers in remote datacentres as well as a bunch of virtual machines in the office.

What do you mean by safety issues?
Do you mean security?
All communication between the node and the master is secured with SSL certificates.
A node can't communicate with the puppet master without a signed certificate.

Hope that helps.

> Thank you!
>
> Alberto


Klavs Klavsen

Apr 29, 2013, 2:24:35 AM
to puppet...@googlegroups.com
Well - as everything else - there can be security issues, where the SSL cert check won't help you: https://puppetlabs.com/security/cve/cve-2013-1640/

So you should definitely be careful - Puppet is very young, compared to apache, openssh and others that have been internet-facing for many, many years (and had their share of security bugs).

I'd probably filter access to puppet, based on ip-ranges - just to heavily lessen the potential attacking base :)

Martijn

May 2, 2013, 8:06:47 AM
to puppet...@googlegroups.com
On Monday, 29 April 2013 08:24:35 UTC+2, Klavs Klavsen wrote:
> I'd probably filter access to puppet, based on ip-ranges - just to heavily lessen the potential attacking base :)

Exactly. That's what we do with our public-facing puppet master. We explicitly allow agent IPs through the firewall to the master. The master also collects reports from agents in puppet-dashboard and facts and catalog are stored in PuppetDB.

Regards, Martijn
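
The IP-range filtering suggested in this thread, as an added example (not code from any poster or from the Puppet project): a shell function that turns a list of agent addresses into an iptables-restore fragment and refuses to emit rules if any entry is malformed or too broad. It assumes the master listens on Puppet's default TCP port 8140 and that agents have fixed IPv4 addresses; the chain name `PUPPET-AGENTS` and the sample addresses (documentation ranges) are made up for the example.

```shell
# Assumptions: master on TCP 8140 (Puppet's default); the chain name is hypothetical.
PUPPET_PORT=8140
CHAIN=PUPPET-AGENTS

# Succeeds only for a.b.c.d or a.b.c.d/len with octets 0-255 and len 1-32
# (a /0 entry would re-open the port to the whole internet).
valid_ipv4_cidr() {
    addr=${1%/*}
    len=32
    case $1 in */*) len=${1#*/} ;; esac
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -ge 1 ] && [ "$len" -le 32 ] || return 1
    case $addr in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Reads one agent address per line on stdin ('#' comments and blank lines
# are ignored) and prints the chain. Fails closed: one bad entry aborts
# with nothing printed, so a typo never yields a half-built allowlist.
puppet_allow_rules() {
    rules=
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$entry" ] || continue
        if ! valid_ipv4_cidr "$entry"; then
            echo "rejecting allowlist, bad entry: $entry" >&2
            return 1
        fi
        rules="$rules-A $CHAIN -p tcp --dport $PUPPET_PORT -s $entry -j ACCEPT
"
    done
    [ -n "$rules" ] || { echo "empty allowlist" >&2; return 1; }
    printf '*filter\n:%s - [0:0]\n%s-A %s -p tcp --dport %s -j DROP\nCOMMIT\n' \
        "$CHAIN" "$rules" "$CHAIN" "$PUPPET_PORT"
}

# Constructed sample allowlist (documentation address ranges).
puppet_allow_rules <<'EOF'
192.0.2.10
198.51.100.0/24   # office VMs
EOF
```

Review the output, load it with `iptables-restore --noflush`, and hook the chain into INPUT once with `iptables -I INPUT -j PUPPET-AGENTS`; traffic to other ports falls through the chain untouched.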