
On 08/24/2013 04:13 PM, Martin Langhoff wrote:
> On Sat, Aug 24, 2013 at 6:33 AM, Félix Barbeira wrote:
>
>> Speaking in security terms, could a masterless puppet configuration
>> be less secure? I mean, the puppet code is in *all* the clients. On the
>> other hand, the puppet code is only in the master, which I think is
>> more secure (you can isolate it on a restricted VLAN, private
>> network, etc). If the security of one client is compromised the
>> hacker gets nothing, otherwise he would be able to read the whole
>> puppet code.
>
> The difference is minimal. The master will happily serve any config to
> any host. The puppet server relies on the self-reported hostname, so a
> compromised host can go "fishing" for configurations.

Only if you use the autosign option. After the certificate is signed, agents
report certname and not hostname. In that regard, the puppet master is the
safer option, but also less scalable.

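The reply above turns on whether the master signs certificate requests automatically. As an added example that is not part of the original thread, this Python sketch audits a master's `autosign` setting and its `autosign.conf` allow-list for entries that sign a request without review. It assumes the setting lives under `[master]` or `[main]` in `puppet.conf`; the function name and the sample files are constructed for illustration.

```python
import configparser

def audit_autosign(puppet_conf, autosign_conf=""):
    """Return findings about certificate autosigning on a Puppet master.

    puppet_conf   -- text of puppet.conf
    autosign_conf -- text of the autosign.conf allow-list, if the file exists
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",))
    cp.read_string(puppet_conf)
    value = None
    for section in ("master", "main"):      # [master] takes precedence over [main]
        if cp.has_option(section, "autosign"):
            value = cp.get(section, "autosign").strip().lower()
            break
    if value == "false":
        return []                           # every CSR waits for manual signing
    if value == "true":
        return ["autosign=true: every CSR is signed without review"]
    # Unset or a path: the allow-list file decides which CSRs are auto-signed.
    findings = []
    for line in autosign_conf.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if entry == "*":
            findings.append("'*': every CSR is signed without review")
        elif "*" in entry:
            findings.append(f"'{entry}': any CSR claiming a matching certname is signed")
        else:
            findings.append(f"'{entry}': a CSR claiming this exact certname is signed")
    return findings

# Constructed sample files, not taken from the thread.
SAMPLE_PUPPET_CONF = """\
[main]
vardir = /var/lib/puppet
[master]
autosign = $confdir/autosign.conf
"""
SAMPLE_AUTOSIGN_CONF = """\
# lab machines
*.lab.example.com
build01.example.com
"""

if __name__ == "__main__":
    for finding in audit_autosign(SAMPLE_PUPPET_CONF, SAMPLE_AUTOSIGN_CONF):
        print(finding)
```

An empty result means every certificate request waits for a manual `puppet cert sign` before the agent can fetch a catalog.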

Discussion Overview
group: puppet-users
categories: puppet
posted: Aug 23, '13 at 4:03p
active: Aug 30, '13 at 1:28p
posts: 17
users: 8
website: puppetlabs.com