2

I'm trying to run puppet on some servers outside my corporate firewall, with the puppetmaster inside the firewall. It's going to be extremely difficult--if not impossible--to convince corporate IT to open port 8140 for me, so what are my options to get it working?

brooks94
    You have a perfectly valid business justification here, so there's no _good_ reason why they shouldn't open the port for you. There may, however, be a lot of _very bad reasons_... – Michael Hampton Mar 17 '13 at 10:53

3 Answers

10

This is one of the joys of working for a large corporation. You may be a sysadmin for one of many small departments and not part of the I.T. department at all. You ring up the centralised help desk that supports all 10,000 desktop workers:

You: Hi, I'd like to request a modification to the office primary inbound firewall to allow 192.0.2.0/24 to access 10.0.5.0/24 on port 8140.
Them: Is it a PC or a Mac?
You: What? No, I'm requesting a firewall modification for the entire office. There's nothing wrong with my computer.
Them: OK, what I want you to do is go to the "Start" menu and <click>...


Get to know the managers of the I.T. department. Get to know the guys who work in the NOC. Actually walk down there, introduce yourself and have a chat with them. Getting things done in a large corporate is all about who you know and how much they like you.

Now, the next time you need something like this done, don't ring corporate I.T.; call the deputy I.T. director or the head of NetOps directly.

IT Director: Hey Brooks, what can I do for you today?
You: I'm setting up a shared Puppet for our production and dev servers and I need the Puppet clients in production to talk to the Puppet master in the office.
IT Director: OK, just send an email with the IP address details to John in the NOC and I'll approve the request when it comes through. By the way, how did your game go on the weekend?

Note that the above conversation is not the one you are going to have tomorrow. It's the one you will have in three months' time, when every competent sysadmin and IT manager knows your name. Tomorrow is for starting to get to know these guys.


While you're working on your people skills, is it a requirement that the Puppet master be inside your office?

Why not put it in the same place as the clients? That would solve your problem and most likely other problems such as latency and dropped connections.

Ladadadada
1

We had a similar issue with our infrastructure; our solution was to open an SSH tunnel. You would open the tunnel through your local box, for example.

# Run on the agent side: the agent connects to localhost:8140 and ssh carries the connection to port 8140 on the master.
ssh -L 8140:localhost:8140 $puppetmaster

# Run on the master side: connections to port 8140 on $host are forwarded back to port 80 on this machine.
ssh -R 8140:localhost:80 $host

It was a while ago, but if memory serves that should help.

Check out this article on SSH tunnelling.

Philip Kirkbride
  • So the second one seemed to work. However, in order to get it to work, I set the "server" value in the agent config file to be "localhost". I was then able to connect and sign the cert, but then when it tried to apply the default configuration, it failed with "Could not send report: Server hostname 'localhost' did not match server certificate; expected one of ...". It's confused because the name that my puppet master reports does not match that of my "server" attribute. Thoughts? – brooks94 Mar 18 '13 at 14:17
  • You need to regenerate the certs, since you changed the name. – nicoX Jul 27 '15 at 08:43
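The comment thread above runs into the agent's TLS hostname check: with server = localhost, the name the agent connects to is not one of the names in the master's certificate. The script below is an added example, not code from the answer or from Puppet: it wraps the reverse (-R) tunnel, started on the master side as in the answer, and shows the agent-side settings that keep certificate verification intact, namely leaving server set to the master's certname and resolving that name to the tunnel's loopback listener. puppet.example.internal and agent.example.net are placeholder names.

```shell
#!/bin/sh
# Added example (not from the original answer). Master side: open a reverse
# tunnel so the outside agent host gets a loopback listener on 8140 that reaches
# the master's 8140. Agent side: keep "server" equal to the master's certname
# (the name in its certificate) and map that name to 127.0.0.1, instead of
# setting server = localhost, which the certificate does not cover.
# puppet.example.internal and agent.example.net are placeholders.

MASTER_CERTNAME="${MASTER_CERTNAME:-puppet.example.internal}"
AGENT_SSH="${AGENT_SSH:-agent.example.net}"     # outside host the master can ssh to
PORT="${PORT:-8140}"

# Command to run on the master. -N: no remote shell, forwarding only.
# ExitOnForwardFailure: exit non-zero if 8140 is already bound on the agent host
# instead of silently running without the forward.
# ServerAliveInterval: keep the idle tunnel alive through stateful firewalls.
# The listener binds to 127.0.0.1 on the agent host, so only local processes
# (the agent) can reach the master through it.
tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -R 127.0.0.1:%s:localhost:%s %s' \
        "$PORT" "$PORT" "$AGENT_SSH"
}

# Agent-side puppet.conf fragment: "server" must match the certificate name.
agent_conf() {
    printf '[agent]\nserver = %s\nmasterport = %s\n' "$MASTER_CERTNAME" "$PORT"
}

# Idempotently map the certname to loopback in a hosts file (default /etc/hosts).
# Prints "added" or "present"; comment lines and other addresses are ignored.
ensure_hosts_entry() {
    hosts_file="${1:-/etc/hosts}"
    if awk -v n="$MASTER_CERTNAME" \
        '$1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == n) found = 1 } END { exit !found }' \
        "$hosts_file" 2>/dev/null; then
        echo present
    else
        printf '127.0.0.1 %s\n' "$MASTER_CERTNAME" >> "$hosts_file"
        echo added
    fi
}

# Usage: "sh tunnel.sh master" on the master, "sh tunnel.sh agent" on the agent host.
case "${1:-}" in
    master) sh -c "$(tunnel_cmd)" ;;
    agent)  ensure_hosts_entry /etc/hosts; agent_conf ;;
esac
```

Because the agent still presents the master's certname in the TLS handshake, the master's existing certificate keeps verifying and no certificates need to be reissued for the tunnel; the only thing that changes is where that name resolves on the agent host.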
1

You can run puppetmaster on 443. If you want to run the master on both 8140 and 443, and this is a Linux server, a nice option is to use iptables.

# On the master: rewrite inbound TCP port 443 to 8140 before the packet is routed to the local master process.
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8140

On the agent, set masterport=443 in puppet.conf.

czervik
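The REDIRECT rule above is usually applied from a provisioning script, where running it twice appends a duplicate rule, and it has a side effect that is easy to miss: once nat PREROUTING has rewritten the destination port, the filter INPUT chain sees dport 8140, not 443, so a host firewall with a restrictive INPUT policy must accept 8140. The script below is an added example, not code from the answer: it applies the answer's rule idempotently (checking with -C before appending with -A) together with the matching INPUT rule. The IPTABLES variable exists so the calls can be pointed at a stub; the port values are the answer's own.

```shell
#!/bin/sh
# Added example (not from the original answer). Applies the 443 -> 8140 REDIRECT
# from the answer without stacking duplicate rules on re-runs, and opens the
# rewritten port in the filter table, which is what INPUT sees after the
# nat PREROUTING rewrite. IPTABLES is overridable so the functions can be
# exercised against a stub instead of the real binary.

IPTABLES="${IPTABLES:-iptables}"
PUBLIC_PORT="${PUBLIC_PORT:-443}"
MASTER_PORT="${MASTER_PORT:-8140}"

# ensure_rule TABLE CHAIN RULE...: append RULE to TABLE/CHAIN unless an
# identical rule is already present (-C returns 0 when it is).
# Prints "added" or "present".
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    if "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        echo present
    else
        "$IPTABLES" -t "$table" -A "$chain" "$@"
        echo added
    fi
}

# The answer's rule: rewrite inbound TCP 443 to the master's port.
redirect_port() {
    ensure_rule nat PREROUTING -p tcp --dport "$PUBLIC_PORT" -j REDIRECT --to-ports "$MASTER_PORT"
}

# Filter-side counterpart: after the rewrite, INPUT must accept the master
# port, not 443, when the chain's policy is DROP or REJECT.
accept_master_port() {
    ensure_rule filter INPUT -p tcp --dport "$MASTER_PORT" -m conntrack --ctstate NEW -j ACCEPT
}

# Usage: "sh redirect.sh apply" as root on the master.
case "${1:-}" in
    apply) redirect_port; accept_master_port ;;
esac
```

A rule added this way is not persistent across reboots; save it with the distribution's mechanism (iptables-save into the file the init system restores from) once it has been confirmed to work.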