chef - [chef] Re: Re: Re: Re: Chef and information security between nodes

Subscribers: 1946
Owners
Bryan McLellan
Joshua Timberman
Nathen Harvey
Seth Chisamore
Serdar Sutay

Subscribe
Unsubscribe
Info
Archive

Post

RSS
Shared documents

General discussion about Chef

[chef] Re: Re: Re: Re: Chef and information security between nodes

From: AJ Christensen < >
To:
Subject: [chef] Re: Re: Re: Re: Chef and information security between nodes
Date: Thu, 26 Apr 2012 09:36:51 +1200

I would only recommend this style of installation to advanced Chef
operators. Generally such a requirement is driven by a strange
business requirement. Even when unavoidable, one should strive to make
the code simple enough, not contain proprietary/personal information,
that it could work on any of the installations -- without compromising
any details. Expose the personal/proprietary information at another
level, e.g. data bags. Hella yak shave.

Only one of *many* Hosted Chef clients I've worked with has actually
needed this *and* over time the number of individual orgs/chef servers
were reduced -- as complexity was abstracted and proprietary/personal
data stored in alternate means (generally, heavily encrypted, with
Escrow, time linked access to decryption -- most cases S3).

multiple orgs = multiple Hosted Chef platform organizations. The
equivalent of multiple single-tenant Chef server installation, which
one set of credentials (per operator) linked to each.

As has been mentioned, you could host your own, and re-use some
components (rabbit, couch.. maybe not indexer/solr?) if all you
require is client/server segregation and you do not want to use the
Hosted Chef Platform. The hassle of keeping all of the
servers/organizations up to date is no easy feat. And you have to
scale those components to handle for N Chef Server installations with
X nodes each at a convergence rate of Y :)

If you don't trust your configuration management system (and any
humans that have access to it on a node) then perhaps I'd suggest
investigating compartmentalizing and restricting the use of your
configuration management system, instead of allowing willy nilly human
operations on managed systems.

Hell, don't even put humans on 'em.

Cheers,

--AJ

On 26 April 2012 08:52,
< >
wrote:
> Hello Ranjib Dey,
>
> Do you have a blog or some document describing in more details the "maintain
> multiple chef api server , solr instances , but you can re-use the couch db
> or
> rabbitmq server" please ?
>
> For example, do you have multiple couch db on a single couch db server, or
> is
> it possible to have everything in one couch db ?
>
> Sorry, I'm still new into Chef and your architecture looks interesting but
> is
> not clear to me.
>
> Thanks in advance for your answer.
>
> Best regards,
> Christophe

[chef] Re: Re: Re: Chef and information security between nodes, cl.subscription, 04/25/2012
- [chef] Re: Re: Re: Re: Chef and information security between nodes, AJ Christensen, 04/25/2012