puppetmaster behind firewall


Solution 1

This is one of the joys of working for a large corporation. You may be a sysadmin for one of many small departments and not part of the I.T. department at all. You ring up the centralised help desk that supports all 10,000 desktop workers:

You: Hi, I'd like to request a modification to the office primary inbound firewall to allow 192.0.2.0/24 to access 10.0.5.0/24 on port 8140.
Them: Is it a PC or a Mac?
You: What? No, I'm requesting a firewall modification for the entire office. There's nothing wrong with my computer.
Them: OK, what I want you to do is go to the "Start" menu and <click>...

Get to know the managers of the I.T. department. Get to know the guys who work in the NOC. Actually walk down there, introduce yourself and have a chat with them. Getting things done in a large corporate is all about who you know and how much they like you.

Now, the next time you need something like this done, don't ring corporate I.T.; call the deputy I.T. director or the head of NetOps directly.

IT Director: Hey Brooks, what can I do for you today?
You: I'm setting up a shared Puppet for our production and dev servers and I need the Puppet clients in production to talk to the Puppet master in the office.
IT Director: OK, just send an email with the IP address details to John in the NOC and I'll approve the request when it comes through. By the way, how did your game go on the weekend?

Note that the above conversation is not the one you are going to have tomorrow. It's the one you will have in three months' time, when every competent sysadmin and IT manager knows your name. Tomorrow is for starting to get to know these guys.

While you're working on your people skills, is it a requirement that the Puppet master be inside your office?

Why not put it in the same place as the clients? That would solve your problem and most likely other problems such as latency and dropped connections.

Solution 2

We had a similar issue with our infrastructure; our solution was to open an SSH tunnel. For example, you would open the tunnel through your local box:

ssh -L 8140:localhost:8140 $puppetmaster

ssh -R 8140:localhost:80 $host

It was a while ago, but if memory serves that should help.

Check out this article on SSH tunnelling.

Solution 3

You can run puppetmaster on 443. If you want to run the master on both 8140 and 443, and this is a Linux server, a nice option is to use iptables.

iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8140

On the agent, set masterport=443 in puppet.conf.


Author: brooks94

Updated on September 18, 2022

Comments

  • brooks94
    brooks94 almost 2 years

    I'm trying to run puppet on some servers outside my corporate firewall, with the puppetmaster inside the firewall. It's going to be extremely difficult--if not impossible--to convince corporate IT to open port 8140 for me, so what are my options to get it working?

    • Michael Hampton
      Michael Hampton over 11 years
      You have a perfectly valid business justification here, so there's no good reason why they shouldn't open the port for you. There may, however, be a lot of very bad reasons...
  • brooks94
    brooks94 over 11 years
    So the second one seemed to work. However, in order to get it to work, I set the "server" value in the agent config file to be "localhost". I was then able to connect and sign the cert, but then when it tried to apply the default configuration, it failed with "Could not send report: Server hostname 'localhost' did not match server certificate; expected one of ...". It's confused because the name that my puppet master reports does not match that of my "server" attribute. Thoughts?
  • nicoX
    nicoX almost 9 years
    You need to regenerate the certs, since you changed the name.
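The tunnel approach in Solution 2 works, but the comment thread shows the trap: pointing the agent at server=localhost makes the TLS hostname check fail, because "localhost" is not one of the names in the master's certificate. The script below is an added example, not code from any of the answers or from the Puppet project. It prints the CN and DNS subjectAltNames of a master certificate (assumed path passed as an argument; OpenSSL CLI assumed present) and checks whether a proposed "server" value is covered by them, wildcard entries included, so the mismatch is caught before the agent run rather than in the "Could not send report" error. The hint it prints, keeping a certificate name as "server" and resolving that name to the tunnel endpoint, is the usual alternative to regenerating certificates and is my suggestion, not something the page itself states.

```shell
#!/bin/sh
# Added example (not part of the original answers): verify that the name an
# agent will put in puppet.conf's "server" setting matches the names in the
# master's certificate before relying on an SSH tunnel to localhost.
# Assumptions: the openssl CLI is installed; CERTFILE is a hypothetical path
# to the master's PEM certificate.

# cert_names CERTFILE -> prints the subject CN and every DNS SAN, one per line
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# name_matches NAME CANDIDATE -> exit 0 when CANDIDATE covers NAME.
# A leading "*." in CANDIDATE matches exactly one label, as TLS clients do.
name_matches() {
    case "$2" in
        \*.*)
            suffix="${2#\*.}"
            [ "${1#*.}" = "$suffix" ] && [ "$1" != "$suffix" ] \
                && [ "${1%%.*}" != "$1" ]
            ;;
        *)
            [ "$1" = "$2" ]
            ;;
    esac
}

# server_name_ok SERVER NAME... -> exit 0 when SERVER matches one of NAME...
server_name_ok() {
    srv="$1"
    shift
    for n in "$@"; do
        if name_matches "$srv" "$n"; then
            return 0
        fi
    done
    return 1
}

# check_agent_server SERVER CERTFILE -> exit 0 when SERVER is safe to use;
# otherwise print the certificate names and a hint, and exit 1.
check_agent_server() {
    names=$(cert_names "$2")
    # word-splitting on $names is intended: one certificate name per word
    # shellcheck disable=SC2086
    if server_name_ok "$1" $names; then
        echo "ok: '$1' is covered by the master certificate"
        return 0
    fi
    echo "mismatch: '$1' is not among the certificate names:" $names
    echo "hint: keep server=<one of those names> in puppet.conf and resolve"
    echo "      that name to the tunnel endpoint (for example an /etc/hosts"
    echo "      entry '127.0.0.1 <name>') instead of using server=localhost"
    return 1
}

# Usage: sh check_server.sh SERVER CERTFILE
if [ "$#" -eq 2 ]; then
    check_agent_server "$1" "$2"
fi
```

Run it against the name you intend to use (the master's own hostname, or "localhost" to reproduce the failure from the comments) and the certificate the master serves; with an SSH tunnel in place, a certificate name mapped to 127.0.0.1 lets the agent keep its "server" setting consistent with the certificate, so neither the certificate nor the master's name has to change.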