[2010/06/21 00:39:21] @ Log started by gepetto
[2010/06/21 00:39:21] @ Quit: rcrowley: Quit: rcrowley
[2010/06/21 01:14:44] @ isolderj joined channel #puppet-dev
[2010/06/21 01:14:52] <isolderj> hello guys
[2010/06/21 01:15:07] <isolderj> I am trying to install foreman with puppet
[2010/06/21 01:15:14] <isolderj> but i am getting an error
[2010/06/21 01:16:44] <isolderj> is there anyone that can maybe help me
[2010/06/21 01:33:34] @ isolderj left channel #puppet-dev ()
[2010/06/21 02:39:45] @ Quit: eric0: Ping timeout: 258 seconds
[2010/06/21 02:40:01] @ eric0 joined channel #puppet-dev
[2010/06/21 06:56:56] @ Quit: fsweetser: Remote host closed the connection
[2010/06/21 06:57:09] @ notbrien joined channel #puppet-dev
[2010/06/21 07:02:12] @ fsweetser joined channel #puppet-dev
[2010/06/21 07:35:49] @ rcrowley joined channel #puppet-dev
[2010/06/21 08:03:26] @ jhelwig_ joined channel #puppet-dev
[2010/06/21 08:04:28] @ Quit: jhelwig: Ping timeout: 265 seconds
[2010/06/21 08:07:24] @ jhelwig_ is now known as jhelwig
[2010/06/21 08:49:59] @ ona_matt joined channel #puppet-dev
[2010/06/21 10:31:57] @ lak joined channel #puppet-dev
[2010/06/21 11:07:37] @ plathrop-away is now known as plathrop
[2010/06/21 11:51:12] @ lak_ joined channel #puppet-dev
[2010/06/21 11:51:28] @ Quit: lak: Ping timeout: 245 seconds
[2010/06/21 11:51:28] @ lak_ is now known as lak
[2010/06/21 12:07:28] @ skvidal joined channel #puppet-dev
[2010/06/21 12:07:47] <skvidal> hi all - quick question about auth'ing of hosts
[2010/06/21 12:07:53] <skvidal> if a host has a valid, signed cert
[2010/06/21 12:08:06] <skvidal> is there any way to restrict which files it can access?
[2010/06/21 12:08:47] <skvidal> it would be nice to say "these are the set of files in this host's manifest/profile and it can see nothing else"
[2010/06/21 12:09:06] <skvidal> and my normal searches are turning up bupkus on this
[2010/06/21 12:13:29] <tmz> skvidal: I /think/ you can do that with auth.conf now, maybe even via the older fileserver.conf too. Maybe that helps you find the right info, unless/until someone else chimes in with a better or more specific answer.
[2010/06/21 12:13:41] <skvidal> tmz: thx
[2010/06/21 12:15:40] <skvidal> I see
[2010/06/21 12:16:01] <skvidal> so - the auth.conf and fileserver.conf docs make it out to be a fair bit like apache allow/denys
[2010/06/21 12:16:16] <skvidal> I don't see a way to say
[2010/06/21 12:16:49] <skvidal> look at all the files referred to by this manifest and that's all the client can see
[2010/06/21 12:17:19] <fsweetser> skvidal: there's no guaranteed way to list all files referenced by a given host
[2010/06/21 12:17:36] <fsweetser> it may depend on unknowns like facter values, generate() calls, etc
[2010/06/21 12:17:41] <skvidal> fsweetser: right - so restricting to each host is a problem
[2010/06/21 12:18:03] <fsweetser> yep, if you need things locked down that tight
[2010/06/21 12:18:04] <skvidal> so just to be clear and I'm not trying to be alarmist
[2010/06/21 12:18:13] <fsweetser> my first thought would be to limit things on a per-module basis
[2010/06/21 12:18:15] <skvidal> but if I have an org with a few hundred hosts
[2010/06/21 12:18:18] <fsweetser> (haven't tried, though)
[2010/06/21 12:18:24] <skvidal> and one of them is owned
[2010/06/21 12:18:34] <skvidal> then that host can grab ALL of my puppet data for every other host
[2010/06/21 12:18:50] <fsweetser> I honestly don't know
[2010/06/21 12:19:29] <fsweetser> none of the major devs seem to be online at the moment, so you might have better luck bringing this up in email
[2010/06/21 12:20:49] <skvidal> nod
[2010/06/21 12:20:50] <skvidal> will do
[2010/06/21 12:20:56] <skvidal> thx
[2010/06/21 12:36:47] @ plathrop is now known as plathrop-away
[2010/06/21 12:41:57] @ plathrop-away is now known as plathrop
[2010/06/21 12:47:05] @ Quit: lak: Quit: lak
[2010/06/21 13:57:30] @ lak joined channel #puppet-dev
[2010/06/21 14:24:57] <nasrat> skvidal: it should only grab its compiled catalog
[2010/06/21 14:25:11] <skvidal> nasrat: not asking about _should_
[2010/06/21 14:25:17] <skvidal> I'm asking about if it is ABLE to do more
[2010/06/21 14:25:31] <skvidal> ie: someone intentionally wishes to grab all the puppet configs
[2010/06/21 14:25:35] <skvidal> it sure seems like they can
[2010/06/21 14:25:41] <nasrat> no
[2010/06/21 14:25:45] <skvidal> they can't?
[2010/06/21 14:26:03] <nasrat> IIRC we only send out the catalog for the cert to the host
[2010/06/21 14:26:18] <skvidal> but the host can ask for any file it wants
[2010/06/21 14:26:29] @ Quit: lak: Quit: lak
[2010/06/21 14:26:36] <nasrat> are you talking about files or manifests
[2010/06/21 14:26:47] <nasrat> I'd have to check for the fileserver
[2010/06/21 14:26:47] <skvidal> I'm actually talking about both
[2010/06/21 14:26:58] <nasrat> but for the configurations that should be locked down in the current impl
[2010/06/21 14:27:23] <nasrat> I tend to avoid the fileserving using packages, etc
[2010/06/21 14:27:55] <nasrat> ppl will likely be at velocity over the next few days
[2010/06/21 14:29:00] <nasrat> skvidal: although if you want a full analysis of risk you might need to spend some time
[2010/06/21 14:29:18] <nasrat> as IIRC clients can state what environment they are in so you could get leakage there depending on your setup
[2010/06/21 14:29:20] <skvidal> velocity?
[2010/06/21 14:29:42] <nasrat> http://en.oreilly.com/velocity2010
[2010/06/21 14:29:45] <skvidal> ah
[2010/06/21 14:29:55] <skvidal> gotcha
[2010/06/21 14:29:57] <skvidal> no problem
[2010/06/21 14:30:27] <nasrat> also if you have autosign * setup then you're also in a lose situation
[2010/06/21 14:33:11] <nasrat> anyway it's zZz time here
[2010/06/21 14:33:20] <nasrat> will catch up with you later
[2010/06/21 14:45:22] @ lak joined channel #puppet-dev
[2010/06/21 14:54:55] @ Quit: lak: Quit: lak
[2010/06/21 15:22:59] @ Quit: notbrien: Quit: notbrien
[2010/06/21 15:26:10] @ Quit: stevenjenkins: Ping timeout: 264 seconds
[2010/06/21 15:30:25] <ReinH> skvidal: reading backlog... could you summarize your question?
[2010/06/21 15:32:00] <ReinH> skvidal: so you're asking: "If a client is rooted, can it request arbitrary catalogs, facts or files from the puppetmaster?"
[2010/06/21 15:38:01] <skvidal> ReinH: yep
[2010/06/21 15:38:21] <ReinH> skvidal: I believe the answer is no but I'm requesting backup from the other core devs
[2010/06/21 15:38:48] <ReinH> obviously "believe" isn't good enough for security concerns.
[2010/06/21 15:38:49] <skvidal> it looks like 'files' is yes
[2010/06/21 15:38:54] <plathrop> It depends how you set up your auth.conf
[2010/06/21 15:39:15] <skvidal> you can restrict per ip the requests you can make to files
[2010/06/21 15:39:46] <skvidal> but I can't see any way to say: files in this path can only be accessed by the following cert serials
[2010/06/21 15:39:58] <plathrop> oh, hrm, you are probably right
[2010/06/21 15:42:14] <skvidal> so you'd need multiple puppetmasters/fileservers if you need to restrict access like that
[2010/06/21 15:43:35] <plathrop> That is probably worth a feature request
[2010/06/21 15:46:30] <ReinH> skvidal: I'm talking to Teyo about this
[2010/06/21 15:46:33] <ReinH> please watch this space ;)
[2010/06/21 15:47:36] <skvidal> okie
[2010/06/21 15:47:46] <skvidal> I go in and out - but my proxy stays around
[2010/06/21 15:47:53] <skvidal> so I see things w/my nick mentioned
[2010/06/21 15:47:55] <skvidal> thank you
[2010/06/21 15:48:12] @ lak joined channel #puppet-dev
[2010/06/21 15:52:49] <ReinH> skvidal: ditto, no worries
[2010/06/21 15:54:37] <ReinH> skvidal: This wiki page may address your question http://projects.puppetlabs.com/projects/puppet/wiki/File_Serving_Configuration
[2010/06/21 15:54:47] <ReinH> skvidal: it talks about file serving security
[2010/06/21 15:55:07] <ReinH> skvidal: please let me know if you're unsatisfied with ^^
[2010/06/21 15:55:33] <ReinH> we're always interested in uncovering and fixing security concerns
[2010/06/21 16:01:04] <ReinH> I will be watching this space as well ;)
[2010/06/21 16:14:58] <ReinH> skvidal: I also had this directly from the horse's mouth: https://gist.github.com/5a67019ed70084204943
[2010/06/21 16:15:02] <ReinH> and by horse, I mean lak
[2010/06/21 16:15:52] <lak> skvidal: i'm happy to work with you on other ways around this, too, and note that you can use apache et al to serve files, which gives you arbitrary security options
[2010/06/21 16:19:22] <ReinH> skvidal: I'll hand you off to lak and good luck :)
[2010/06/21 16:28:25] @ quit (okay bye)
[2010/06/21 16:28:34] @ Joined channel #puppet-dev
[2010/06/21 16:28:34] @ Topic is "http://projects.reductivelabs.com"
[2010/06/21 16:28:34] @ Topic set by ReinH!~reinh@li14-106.members.linode.com on Wed Mar 17 16:29:02 -0700 2010
[2010/06/21 16:28:37] @ Mode +cnt by kornbluth.freenode.net
[2010/06/21 16:28:44] @ stahnma_ joined channel #puppet-dev
[2010/06/21 16:29:45] @ Quit: rcrowley: *.net *.split
[2010/06/21 16:29:46] @ Quit: stahnma: *.net *.split
[2010/06/21 16:30:42] @ stahnma_ is now known as stahnma
[2010/06/21 16:36:27] @ rcrowley joined channel #puppet-dev
[2010/06/21 16:41:01] @ ricky joined channel #puppet-dev
[2010/06/21 16:54:25] @ Quit: lak: Quit: lak
[2010/06/21 18:15:02] @ Quit: stahnma: Read error: Connection reset by peer
[2010/06/21 19:11:52] @ plathrop is now known as plathrop-away
[2010/06/21 21:15:44] @ lak joined channel #puppet-dev
[2010/06/21 21:28:01] @ Quit: lak: Quit: lak
[2010/06/21 22:04:32] @ lak joined channel #puppet-dev
[2010/06/21 22:23:05] @ Quit: rcrowley: Quit: rcrowley
[2010/06/21 22:34:15] @ Quit: lak: Quit: lak
[2010/06/21 22:42:39] @ github joined channel #puppet-dev
[2010/06/21 22:42:39] <github> puppet: 0.25.x James Turnbull * 705cfe1 (1 files in 1 dirs): Documentation fixes - http://bit.ly/cLIaOo
[2010/06/21 22:42:39] @ github left channel #puppet-dev ()
[2010/06/21 22:46:42] @ github joined channel #puppet-dev
[2010/06/21 22:46:42] <github> puppet: 0.25.x James Turnbull * 23431da (1 files in 1 dirs): Fixed mcx documentation error - http://bit.ly/cGWCll
[2010/06/21 22:46:43] @ github left channel #puppet-dev ()
[2010/06/21 22:51:35] @ github joined channel #puppet-dev
[2010/06/21 22:51:35] <github> puppet: 0.25.x James Turnbull * 069bf1b (1 files in 1 dirs): Fixed require warning documentation - http://bit.ly/a43plJ
[2010/06/21 22:51:35] @ github left channel #puppet-dev ()
[2010/06/21 23:43:18] <blkperl> so I'm starting to confuse myself, can someone clarify the difference between a newparam and a newproperty?
[2010/06/21 23:44:24] <blkperl> oh figured it out :)
[2010/06/21 23:44:34] <blkperl> properties are the changeable bits
[2010/06/21 23:45:09] <blkperl> parameters affect how the resource behaves