On 08/24/2013 04:13 PM, Martin Langhoff wrote:
> On Sat, Aug 24, 2013 at 6:33 AM, Félix Barbeira wrote:
>
>> Speaking in security terms, could a masterless puppet configuration
>> be less secure? I mean, the puppet code is in *all* the clients. On the
>> other hand, the puppet code is only in the master, which I think is
>> more secure (you can isolate it on a restricted VLAN, private
>> network, etc). If the security of one client is compromised the
>> hacker gets nothing, otherwise he would be able to read the whole
>> puppet code.
>
> The difference is minimal. The master will happily serve any config to
> any host. The puppet server relies on the self-reported hostname, so a
> compromised host can go "fishing" for configurations.

Only if you use the autosign option. After the certificate is signed, agents
report certname and not hostname. In that regard, a puppet master is the safer
option, but also less scalable.
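
A defensive check for the autosign point raised in this thread, as an added example that is not part of any poster's message or of Puppet itself: it audits a puppet.conf and its autosign allowlist for settings under which the master signs a certname chosen by the requester. The file contents, paths and the function name are constructed, and it assumes `autosign` is `true`, `false`, or a path to an allowlist file.

```python
import configparser

# Constructed sample inputs (not taken from the thread).
SAMPLE_PUPPET_CONF = """\
[main]
certname = puppet.example.test

[master]
autosign = /etc/puppet/autosign.conf
"""
SAMPLE_AUTOSIGN_CONF = """\
# constructed allowlist
build01.example.test
*.lab.example.test
*
"""

def audit_autosign(puppet_conf, autosign_files):
    """Return findings about how the master signs certificate requests.

    autosign_files maps an allowlist path to its text so the check runs
    offline (hypothetical helper; assumes autosign is true/false/a path).
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(puppet_conf)
    value = None
    for section in ("master", "main"):  # [master] takes precedence over [main]
        if cp.has_option(section, "autosign"):
            value = cp.get(section, "autosign").strip()
            break
    if value is None:
        return ["autosign not set explicitly: the master's default applies"]
    if value.lower() == "false":
        return []  # every request needs a manual signature
    if value.lower() == "true":
        return ["autosign = true: every certificate request is signed"]
    text = autosign_files.get(value)
    if text is None:
        return ["allowlist %s was not supplied for review" % value]
    findings = []
    for line in text.splitlines():
        entry = line.strip()
        if entry and not entry.startswith("#") and "*" in entry:
            findings.append("glob '%s' signs any matching certname a "
                            "requester chooses" % entry)
    return findings

if __name__ == "__main__":
    files = {"/etc/puppet/autosign.conf": SAMPLE_AUTOSIGN_CONF}
    for finding in audit_autosign(SAMPLE_PUPPET_CONF, files):
        print(finding)
```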

Discussion Overview
group: puppet-users
posted: Aug 23, '13 at 4:03p
active: Aug 30, '13 at 1:28p


