FAQ
Hi,
due to our company security policy, we cannot allow the agents in the DMZ
to pull the config catalog from the puppet master, that sits behind the
firewall.
Is there a possibility that the master pushes the configs to the agents
instead of the agents pulling it?

thanks,
ALex.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/qA9kiBG6txMJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Search Discussions

  • Stefan Goethals at Sep 10, 2012 at 10:43 am
    # puppet kick

    http://docs.puppetlabs.com/man/kick.html

    Regards,

    Stefan.
    On Mon, Sep 10, 2012 at 11:30 AM, Alex Greif wrote:

    Hi,
    due to our company security policy, we cannot allow the agents in the DMZ
    to pull the config catalog from the puppet master, that sits behind the
    firewall.
    Is there a possibility that the master pushes the configs to the agents
    instead of the agents pulling it?

    thanks,
    ALex.

    --
    You received this message because you are subscribed to the Google Groups
    "Puppet Users" group.
    To view this discussion on the web visit
    https://groups.google.com/d/msg/puppet-users/-/qA9kiBG6txMJ.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to
    puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at
    http://groups.google.com/group/puppet-users?hl=en.
    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
  • Jcbollinger at Sep 10, 2012 at 1:55 pm

    On Monday, September 10, 2012 5:35:30 AM UTC-5, Stefan Goethals wrote:
    # puppet kick

    http://docs.puppetlabs.com/man/kick.html

    Puppet kick does not solve the problem, as it only signals the agent to
    perform a normal run (involving requesting a catalog from the server, which
    must be avoided).

    One possible solution would involve pushing the manifests out to the DMZ,
    and having machines there periodically run "puppet apply". That's not
    going to be satisfactory, however, if the needed manifests (which are not
    necessarily all manifests for the organization) include anything that must
    not be exposed in the DMZ.


    John

    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/iftjhXX2-U8J.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
  • Peter Brown at Sep 11, 2012 at 3:02 am
    Or you could run a second puppetmaster in your DMZ and just push the
    configs to it in some tricky way when they need updating.
    Well that's my plan for a new setup we have planned that requires a
    similar security setup.
    On 10 September 2012 23:55, jcbollinger wrote:

    On Monday, September 10, 2012 5:35:30 AM UTC-5, Stefan Goethals wrote:

    # puppet kick

    http://docs.puppetlabs.com/man/kick.html


    Puppet kick does not solve the problem, as it only signals the agent to
    perform a normal run (involving requesting a catalog from the server, which
    must be avoided).

    One possible solution would involve pushing the manifests out to the DMZ,
    and having machines there periodically run "puppet apply". That's not going
    to be satisfactory, however, if the needed manifests (which are not
    necessarily all manifests for the organization) include anything that must
    not be exposed in the DMZ.


    John

    --
    You received this message because you are subscribed to the Google Groups
    "Puppet Users" group.
    To view this discussion on the web visit
    https://groups.google.com/d/msg/puppet-users/-/iftjhXX2-U8J.

    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to
    puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at
    http://groups.google.com/group/puppet-users?hl=en.
    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
  • Alex Greif at Sep 11, 2012 at 7:16 am
    Yes, that is a good idea.
    with git we can push the repository to the master in the DMZ.
    should be quite simple and secure.

    On Tuesday, September 11, 2012 5:02:37 AM UTC+2, Pete wrote:

    Or you could run a second puppetmaster in your DMZ and just push the
    configs to it in some tricky way when they need updating.
    Well that's my plan for a new setup we have planned that requires a
    similar security setup.
    On 10 September 2012 23:55, jcbollinger wrote:

    On Monday, September 10, 2012 5:35:30 AM UTC-5, Stefan Goethals wrote:

    # puppet kick

    http://docs.puppetlabs.com/man/kick.html


    Puppet kick does not solve the problem, as it only signals the agent to
    perform a normal run (involving requesting a catalog from the server, which
    must be avoided).

    One possible solution would involve pushing the manifests out to the DMZ,
    and having machines there periodically run "puppet apply". That's not going
    to be satisfactory, however, if the needed manifests (which are not
    necessarily all manifests for the organization) include anything that must
    not be exposed in the DMZ.


    John

    --
    You received this message because you are subscribed to the Google Groups
    "Puppet Users" group.
    To view this discussion on the web visit
    https://groups.google.com/d/msg/puppet-users/-/iftjhXX2-U8J.

    To post to this group, send email to puppet...@googlegroups.com<javascript:>.
    To unsubscribe from this group, send email to
    puppet-users...@googlegroups.com <javascript:>.
    For more options, visit this group at
    http://groups.google.com/group/puppet-users?hl=en.
    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/VvKWdKUfZFMJ.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
  • Peter Brown at Sep 12, 2012 at 12:06 am

    On 11 September 2012 17:10, Alex Greif wrote:
    Yes, that is a good idea.
    with git we can push the repository to the master in the DMZ.
    should be quite simple and secure.
    Your welcome. :)
    Let me know how it goes.
    On Tuesday, September 11, 2012 5:02:37 AM UTC+2, Pete wrote:

    Or you could run a second puppetmaster in your DMZ and just push the
    configs to it in some tricky way when they need updating.
    Well that's my plan for a new setup we have planned that requires a
    similar security setup.
    On 10 September 2012 23:55, jcbollinger wrote:

    On Monday, September 10, 2012 5:35:30 AM UTC-5, Stefan Goethals wrote:

    # puppet kick

    http://docs.puppetlabs.com/man/kick.html


    Puppet kick does not solve the problem, as it only signals the agent to
    perform a normal run (involving requesting a catalog from the server,
    which
    must be avoided).

    One possible solution would involve pushing the manifests out to the
    DMZ,
    and having machines there periodically run "puppet apply". That's not
    going
    to be satisfactory, however, if the needed manifests (which are not
    necessarily all manifests for the organization) include anything that
    must
    not be exposed in the DMZ.


    John

    --
    You received this message because you are subscribed to the Google
    Groups
    "Puppet Users" group.
    To view this discussion on the web visit
    https://groups.google.com/d/msg/puppet-users/-/iftjhXX2-U8J.

    To post to this group, send email to puppet...@googlegroups.com.
    To unsubscribe from this group, send email to
    puppet-users...@googlegroups.com.
    For more options, visit this group at
    http://groups.google.com/group/puppet-users?hl=en.
    --
    You received this message because you are subscribed to the Google Groups
    "Puppet Users" group.
    To view this discussion on the web visit
    https://groups.google.com/d/msg/puppet-users/-/VvKWdKUfZFMJ.

    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to
    puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at
    http://groups.google.com/group/puppet-users?hl=en.
    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
grouppuppet-users @
categoriespuppet
postedSep 10, '12 at 9:57a
activeSep 12, '12 at 12:06a
posts6
users4
websitepuppetlabs.com

People

Translate

site design / logo © 2022 Grokbase