# voxpupuli
  • VoxBot (04/17/2023, 1:58 PM): Zhenech: o/
  • VoxBot (04/17/2023, 1:58 PM): hey i'm wondering... i have a sensitive backup server that's hooked into puppet, but i'm worried that a full compromise of the rest of the infrastructure could also affect that very backup server
  • VoxBot (04/17/2023, 1:59 PM): is there a way to do the equivalent of, say, `puppet agent --test --noop && printf "does that look sane?" && read _ && puppet agent --test`
  • VoxBot (04/17/2023, 1:59 PM): i mean the above works, but has some TOCTOU issues
  • VoxBot (04/17/2023, 1:59 PM): ideally, i'd love to have a manual run that requires me to approve all changes
  • VoxBot (04/17/2023, 2:00 PM): has anyone worked on systems like this?
  • VoxBot (04/17/2023, 2:00 PM): you mean instead of running agent in daemon/cron/whatever mode and auto-applying changes, it would do noop until you approve a certain set?
  • VoxBot (04/17/2023, 2:01 PM): yeah
  • VoxBot (04/17/2023, 2:01 PM): i was thinking of running a systemd timer hooked to a --noop unit that would trigger a warning when it actually proposes a change, requiring a manual run
  • Yury Bushmelev (04/17/2023, 2:02 PM): maybe catalog differ is enough?
  • VoxBot (04/17/2023, 2:03 PM): https://github.com/voxpupuli/puppet-catalog_diff ?
  • Yury Bushmelev (04/17/2023, 2:03 PM): if so then you can build a CI/CD pipeline which diffs the catalog, puts it as a comment and waits for manual approval
  • Yury Bushmelev (04/17/2023, 2:03 PM): actually, in case of Jenkins it can even output the diff and wait for the approval in the pipeline run
  • VoxBot (04/17/2023, 2:04 PM): right, but that still assumes the integrity of the whole stack
  • Yury Bushmelev (04/17/2023, 2:04 PM): hmm.. that's right
  • VoxBot (04/17/2023, 2:04 PM): i think what i'd need is for the agent to fetch a catalog, then freeze that catalog, show me the plan, and then run it
  • VoxBot (04/17/2023, 2:05 PM): i think the "freeze" part is what i'm missing... is there a way to pin a certain catalog version or something?
  • Yury Bushmelev (04/17/2023, 2:07 PM): I think the only pinnable entity is an environment
  • VoxBot (04/17/2023, 2:07 PM): yeah that doesn't do it
  • Yury Bushmelev (04/17/2023, 2:07 PM): so I'd set noop by default then
  • VoxBot (04/17/2023, 2:07 PM): i guess yeah i would need to accept the TOCTOU attack here
  • VoxBot (04/17/2023, 2:07 PM): or maybe i could run the noop, then cut off the network?
  • Yury Bushmelev (04/17/2023, 2:08 PM): you can use puppet bolt or choria to push approved changes manually
  • Yury Bushmelev (04/17/2023, 2:08 PM): well.. choria is not really suitable here.. so puppet bolt
  • VoxBot (04/17/2023, 2:11 PM): anarcat: a common pattern is to run in noop mode and trigger no-noop runs via CI/foreman
  • VoxBot (04/17/2023, 3:40 PM): anarcat, fwiw, I think you can be owned by a noop run too if the attacker injects a custom fact that executes code
  • VoxBot (04/17/2023, 3:40 PM): (sorry for creating more nightmares)
  • VoxBot (04/17/2023, 3:40 PM): ah
  • VoxBot (04/17/2023, 3:40 PM): yes. of course.
  • VoxBot (04/17/2023, 3:40 PM): well shit.