[Pkg-puppet-devel] Starting puppet agent by default
Russ Allbery
rra at debian.org
Mon Aug 5 22:03:39 UTC 2013
Stig Sandbeck Mathisen <ssm at debian.org> writes:
> Configure puppet to only query the local node?
> * Change the server= in puppet.conf to "localhost"? Is there still a
> risk of unintended autoconfiguration, particularly if the host is ?
> * Configure puppet to only query a non-existant node?
> Change to a default of "puppet.example.org"?
I think we should consider shipping a default puppet.conf that sets the
Puppet master and Puppet CA to something like:
put-your-puppet-master-here.invalid
(.invalid was reserved by RFC 2606.)
This doesn't completely close the vulnerability if an attacker is in
control of DNS resolution, but it makes it quite a bit harder, and I don't
think it's sane to just assume that a host named "puppet" in the local
domain is a Puppet master.
The biggest drawback to doing this is if puppet.conf is a conffile, in
which case this will cause conflict resultions each time it's changed in
the package. I think it currently is, at least in wheezy.
> I _think_ I like running "puppet agent --disable" in puppet.postinst
> best of these alternatives. Enabling the puppet agent on a node would be
> to run "puppet agent --enable". Short, and to the point.
Maybe do both of those things?
It really seems odd to me to make assumptions about the DNS space of the
local network, even if we ship it disabled by default.
--
Russ Allbery (rra at debian.org) <http://www.eyrie.org/~eagle/>
More information about the Pkg-puppet-devel
mailing list