Ask Your Question

Secure manifest/catalog on node?

asked 2014-10-06 12:55:45 -0600

Luke gravatar image

Is there any way to have puppet not cache or store the manifests/catalog on each node? e.g. If you go to /var/lib/puppet you can find parts of the puppet code used to manage the client. I would like to hide that or not cache that on the box.

Use scenario would be that I want to manage servers in other network/environments that I don't necessarily trust. So I don't want leave the puppet code lying around etc. Maybe encrypt the information some how?

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted

answered 2014-10-08 13:24:14 -0600

cbarbour gravatar image

You can disable catalog caching by setting catalog_cache_terminus="" in your node's puppet.conf file. I typically write a module that sets this parameter using ini_file, and removes any catalogs that might exist using a tidy resource. You may also want to check if your passwords are present in your run reports.

Keep in mind that this obfuscates your passwords, but does not truly protect them. The node could always modify puppet to extract the passwords or sniff the client/server communication. Best practice is to reduce or eliminate password reuse, and to try to avoid relying on the secrecy of your passwords for site security.

edit flag offensive delete link more

answered 2014-10-07 03:12:39 -0600

jonn gravatar image

I'm not sure there's a good way to do this. If the puppet agent has a valid certificate, it can download its catalog from the puppet master - it has to be able to download the catalog in order to apply it.

Even if the puppet agent were to try and obfuscate things, there would be nothing preventing someone from presenting that same certificate using some other tool (curl would do nicely) and downloading the catalog that way.

I guess you could protect the private key for the agent's certificate using a passphrase, but then you'd need to have some way to supply the passphrase to the agent on startup - not easy if you have lots of servers to manage.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2014-10-06 12:55:45 -0600

Seen: 231 times

Last updated: Oct 08 '14