[Pkg-puppet-devel] Starting puppet agent by default

Stig Sandbeck Mathisen ssm at debian.org
Mon Aug 5 21:16:15 UTC 2013


Russ Allbery <rra at debian.org> writes:

> There was a specific reason why this wasn't done. Originally (I
> haven't checked if this was still the case), the upstream software
> came configured to use a default Puppet master of "puppet" in the
> local domain.

This is still the case. The presence of avahi probably does not help.
Hi, I'm "puppet" (actually, "Hi, I'm puppet.local", but still…)

> I think there needs to be some human verification that the Puppet
> master is actually the one that you want to be talking to before the
> Puppet client is willing to start modifying your system based on
> random things handed to it over the network.

So what I should be asking instead, is: "How do we get consistency
across sysvinit, systemd, upstart, and whatever will save us from those
(and their discussions on debian-devel)?"

Configure init not to run puppet?

 * a "check script" to be used from the init script / systemd unit /
   upstart config?
   "/usr/share/puppet/should-puppet-run-at-all-do-you-think".

   Puts the burden on configuration of the init scripts, adds redundant
   complexity.

Configure puppet to not run?

 * Require a change in puppet.conf for puppet to run?

 * Run "puppet agent --disable" on install? The lockfile is stored to
   /var/lib/puppet/state, which is persistent, and "puppet agent
   --enable" is the way to unlock it.

Configure puppet to only query the local node?

 * Change the server= in puppet.conf to "localhost"? Is there still a
   risk of unintended autoconfiguration, particularly if the host is ?

 * Configure puppet to only query a non-existent node?

   Change to a default of "puppet.example.org"?


I _think_ I like running "puppet agent --disable" in puppet.postinst
best of these alternatives. Enabling the puppet agent on a node would be
to run "puppet agent --enable". Short, and to the point.

Anything else we could be doing?

-- 
Stig Sandbeck Mathisen
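
A sketch of the "check script" option listed in the message above, as an added example that is not part of the original mail or of the Debian package. The function names, the list of refused server names, and the sample configs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: refuse to start the agent until a master has been chosen.

# Print the "server" value the agent would read from an INI-style puppet.conf.
# [agent] overrides [main]; prints nothing when the setting is absent.
puppet_conf_server() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        /^[ \t]*\[.*\][ \t]*$/ {                 # section header, e.g. [agent]
            sub(/^[ \t]*\[/, ""); sub(/\][ \t]*$/, "")
            section = $0; next
        }
        /^[ \t]*server[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)        # drop "server ="
            sub(/[ \t]+$/, "", val)              # drop trailing whitespace
            if (section == "agent") in_agent = val
            else if (section == "main") in_main = val
        }
        END { if (in_agent != "") print in_agent; else if (in_main != "") print in_main }
    ' "$1" 2>/dev/null
}

# Assumed policy: an unset server, "puppet", or "puppet.local" means nobody
# has confirmed which master this host should trust, so do not start.
puppet_agent_may_start() {
    server=$(puppet_conf_server "$1") || return 1
    case "$server" in
        ""|puppet|puppet.local) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample configs (not taken from the thread or the package).
demo_dir=$(mktemp -d)
printf '[main]\nlogdir = /var/log/puppet\n' > "$demo_dir/default.conf"
printf '[main]\nserver = puppet\n[agent]\nserver = puppetmaster.example.org\n' \
    > "$demo_dir/explicit.conf"
for name in default explicit; do
    if puppet_agent_may_start "$demo_dir/$name.conf"; then
        echo "$name.conf: agent may start"
    else
        echo "$name.conf: refuse, no explicit master configured"
    fi
done
```

An init script, systemd unit or upstart job would call `puppet_agent_may_start` with the real puppet.conf path and skip starting the agent on a non-zero exit.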


