[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: will cfengine work if the "master" is behind a firewall?
|
From: |
Matthew Palmer |
|
Subject: |
Re: will cfengine work if the "master" is behind a firewall? |
|
Date: |
Wed, 23 Nov 2005 08:39:48 +1100 |
|
User-agent: |
Mutt/1.5.9i |
On Tue, Nov 22, 2005 at 12:59:01PM +0100, Tomasz Chmielewski wrote:
> I'm new to cfengine and I'm just starting to read about it.
>
> I have a "master" server thet can connect to the other servers using
> SSH, but "slaves" can't connect to the master.
>
> Will I still be able to use cfengine? After reading the docs, I'm still
> not sure if I can:
>
> - use SSH *only* (no NFS etc.) for cfengine
> - if one-way SSH (from master to slave) will be enough
You can do it, but it's no longer a client "pull" system (as has already
been mentioned). I've implemented the same process -- I just run cfagent
through ssh, and set up a tunnel from the client back to the server over
SSH, and tell the client to talk to cfservd on 127.0.0.1. The SSH tunnel
ensures that when the client is "talking to itself", it's actually talking
to the master server. Some care is needed with the keys, but it's not brain
surgery if you read and understand the relevant parts of the cfengine
reference manual.
- Matt