There is nothing wrong with either approach you propose. We have three puppetmasters, all located at a single site, and serving nodes all over the world - we separate them based on whether the connecting puppet node is in dev/test/prod. Other people prefer to run a puppetmaster per geographic region. Other folk have lots of puppetmasters, some only managing one node!
The key thing is that it is vital that you store and manage your puppetmaster manifest tree in a version control system - treat it like any other code your company maintains. I'd recommend Git, but Subversion will also do the trick if you are more used to that. The puppetmaster is simply a service that serves up its particular view of your VCS, rather than being a central database itself.
With your content in a VCS, you can then deploy the required manifests/modules to the respective puppetmasters, and keep them in sync easily. The convention seems to be for folk have a git/svn repo/module per puppet module, though there is nothing stopping you from putting the whole tree under one repo/module.
My questions to you would be:
- How many nodes are in each deployment? If you're talking about 50+, then it would be worth having a local puppetmaster for sure.
- Do the deployments have any 3rd parties that use them in addition to your company? The puppetmaster needs to have very high security - consider it to be the keys to the door of all of your systems, and will contain very sensitive information.
- Similarly, for the deployment-based PMs, would you host them on their own server/VM, or would an existing machine need to be given the task? I highly recommend that the puppetmaster server has that role alone, for security.
- How do you expect EC2 to provide you with higher availability? From my understanding, EC2 instances are not HA, though it should be possible to run 2+ puppetmasters behind the AWS load balancer service.
- Are the deployments very different? Do you want to change them at different times of the day? Multiple puppetmasters gives you a finer level of control.
Short answer: you can't. Ports below 1024 can be opened only by root. As per comment - well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to java bin will make any java program to be run with this setting, which is undesirable, if not a security risk.
The long answer: you can redirect connections on port 80 to some other port you can open as normal user.
Run as root:
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):
# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080
NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).
EDIT: as per comment question - to delete the above rule:
# iptables -t nat --line-numbers -n -L
This will output something like:
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 redir ports 8088
2 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
The rule you are interested in is nr. 2, so to delete it:
# iptables -t nat -D PREROUTING 2
Best Answer
You can see that on the client node in the resources.txt file.
See: https://docs.puppetlabs.com/references/latest/configuration.html#resourcefile
It's located at
$statedir/resources.txt
so usually at/var/lib/puppet/state/resources.txt
or/opt/puppetlabs/puppet/cache/state/resources.txt