Ask Your Question

Is it possible to manage clients by pushing content from PE server?

asked 2013-03-01 18:35:22 -0600

updated 2013-03-01 18:46:48 -0600

Hi All,

Things to take into consideration with this question:

  • We use Puppet Enterprise

  • We have higher security networks and lower security networks.

  • Our policy is that communications between high security to low security networks can only be initiated from the high side.

We have isolated clients on lower security networks that cannot be managed by a puppet server in those networks. These client systems perform specific functions where they have network adapters on the lower security network, but these adapters do not allow for any systems in the lower security network to interact with them.

Is it possible for ... (more)

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted

answered 2013-03-02 13:19:26 -0600

Ancillas gravatar image

updated 2013-03-02 13:23:31 -0600

I don't think so. The client agent pushes its facts up to the master, and requests a catalog. As far as I know, this is part of the core architecture.

I'm not a Puppet developer, so hopefully someone involved with the project knows something that I don't.


Could you try running puppet in masterless mode? If you restricted access to the directory on each server with the manifests, you could maintain your security controls, and eliminate traffic to the master.

You'll lose access to many features including filebucket and the dashboard reports. If you can ... (more)

edit flag offensive delete link more



Thanks, yeah, we had thought about using serverless agents, but instead decided to deploy a few more PE servers and lump clients together where it makes sense.

ITBlogger gravatar imageITBlogger ( 2013-03-04 12:14:03 -0600 )edit

Thanks for sharing. Out of curiosity, do your masters share a single CA, or is each master its own CA, with no overlap between certificates?

Ancillas gravatar imageAncillas ( 2013-03-04 12:40:46 -0600 )edit

answered 2013-08-28 16:07:44 -0600

Hi there...Sorry for the delayed answer, didn't realize that you asked a question until just now.

Our masters each have their own CA and there's no overlap in certificates. All modules are the same though. Managed through a single git repo and changes to modules are pushed to each PE server using rsync. Works very well.

edit flag offensive delete link more


Thanks a lot for taking the time to follow up (especially after so long!) :). Glad things are working well for you.

Ancillas gravatar imageAncillas ( 2013-08-29 14:27:35 -0600 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2013-03-01 18:35:22 -0600

Seen: 1,306 times

Last updated: Aug 28 '13