Deployment Option for Linux Systems Based on Puppet 4. Part II: Access and Standard Environment (cfauth + cfsystem)

In short:

1. cfauth - configures SSH service, admin account, sudo , superuser password
2. cfsystem - configuration: APT, time zone, system mail, time synchronization, extended list of standard packages
3. All modules are integrated with the cfnetwork network filter module and do not require additional settings.

Thematic cycle:

• Part I: network and network filter (cfnetwork + cffirehol)
• Part II: Access and Standard Environment (cfauth + cfsystem)
• Part III: Install Puppet Server (cfpuppetserver)
• Part IV: Centralized Management (cftotalcontrol)
• Part V: Databases (cfdb)
• Part VI: Topical Blacklists and Secure Knock

This pair of modules serves to automate standard actions that need to be carried out on virtually any deployed system.

cfauth module

goals

• Clean OpenSSH config and leave only the most necessary
  
  • Access only by public key
  • Disabling the receiving of client’s DNS servers - both automatically and with additional brakes (not always)
  • Turning off OpenSSH and Debian banners
  • Enable aggressive SSH KeepAlive
• Allow SSH access only for users of the special group ssh_access
• Set superuser password in encrypted form
• Creating a separate user for SSH access
  
  • Permit sudo commands
  • By default, without a password (simplifies the administration of a large number of systems):
    
    • /opt/puppetlabs/puppet/bin/puppet agent --test
    • /usr/bin/apt-get update
    • /usr/bin/apt-get dist-upgrade
    • /usr/bin/apt-get autoremove *
  • The default allowed environment settings are:
    
    • DEBIAN_FRONTEND
  • It is acceptable to disable the sudo password for all commands - conveniently and relatively safely for a large number of machines in the DMZ

configuration

• cfauth::admin_auth_keys - mandatory list of public SSH keys in the format ssh_authorized_key
  
  • user parameter is already set
  • type = 'ssh-rsa' - default
• admin_user = 'adminaccess' is the name of the administrator account. It is advisable to change and not use the standard.
• admin_password = undef - if specified, sets the hashed password for root users and $admin_user
  It is recommended to use mkpasswd -m sha-512 to generate a password.
• admin_hosts = undef - passed as src for the cfnetwork::service_port filter. Highly recommended.
• sudo_no_password_all = false - if true , then allows the user $admin_user to run all commands via sudo without a password
• sudo_no_password_commands = undef - an additional list of sudo commands that $admin_user can execute without a password. For cases where it is inappropriate to allow all commands.
• sudo_env_keep = [] - additional environment variables that are allowed to leave for sudo
• sshd_ports = 22 - the list of default SSH ports. Automatically creates a cfssh service via cfnetwork::describe_services
• sshd_config_template = 'cfauth/sshd_config.epp' - ability to override the standard template for generating the OpenSSH configuration file

cfsystem module

This module is focused not only on separate systems, but also on the ability to provide standard services within the DMZ in order to limit admissible outgoing connections and maintain ethical network standards - do not break a team of dozens of systems into external services.

goals

• Setting hostname to certname is for prevention
• Set APT settings for a specific release of Debian or Ubuntu
  
  • By default, APT pinning is installed 1001 for basic packages, which forcibly installs actual packages even if a rollback to older versions is required (relevant if testing or unstable packages were accidentally installed)
  • If necessary, configure a caching proxy server
    
    • It is advisable only when deploying more than one system in one place
    • Apt-cacher-ng is used
    • It can be used as a simple HTTP / HTTPS proxy for downloading other updates to the infrastructure without the need to allow outgoing connections to the outside world. For obvious reasons, HTTPS is not cached.
• Sets the time zone.
  Recommendation: the taste and color, but UTC by default solves many problems - I speak both as an admin and as a developer.
• Sets up constant time synchronization.
  
  • If necessary, allow other machines to use this system as a time reference.
• Set SMTP settings
  
  • If necessary, specify a smarthost with a login and password.
  • If necessary, allow other local machines to centrally send their system messages.
    Note: this is convenient from the point of view of network security, storing smarthost access or the correct DNS settings, etc.
• Install all necessary network filter rules via the cfnetwork API
• Install a wide variety of administrative tools available to the administrator, which are not included in the standard list of utilities, including: etckeeper, curl, htop, tree, ethtool, iftop, netcat, netstat-nat, conntrack, telnet, screen, apticron, chkrootkit, rkhunter , debsums, etc. (not full and will be expanded, it is possible to add a configuration option)
• Install and retrieve cf_location and cf_location_pool special facts that are convenient to use in the Hiera configuration.
• Setting standard system parameters
• Forcing the installation of a noop I / O scheduler for SSDs and virtual disks (on guest systems)
• Ability to add arbitrary commands to /etc/rc.local
• Set all possible locales and select one standard (default is en_US.UTF-8)
• Daily check of the need to reboot if the kernel version does not match the newest installed one
• Forced client update puppet.conf
• A set of helper scripts installed under / opt / codingfuture / bin and added to the Shell and Csh path:
  
  • cf_clear_email_queue - remove all messages from the system queue for sending
  • cf_clear_frozen_emails - remove only frozen messages from the send queue
  • cf_send_test_email - send test emails to admin address
  • cf_kernel_version_check - check the discrepancy between the running kernel version and the latest installed one

cfsystem class

All nested classes are added automatically.

• allow_nfs = false - if not allowed, then cut out the default RPC & NFS
• admin_email = undef - email address for system notifications
• repo_proxy = undef - set HTTP / HTTPS proxy server for downloading system packages
  
  • host - IP or name
  • port - TCP port
• add_repo_cacher = false - set a proxy server accepting clients on $service_face
• service_face = 'any' - the cfnetwork::iface interface on which to listen to clients if services are enabled
• ntp_servers = [ 'pool.ntp.org' ] - list of NTP servers to synchronize
• add_ntp_server = false - install an NTP server that accepts clients on $service_face
• timezone = 'Etc/UTC' - time zone
• apt_purge - passed to apt::purge , removes all unmanaged settings of repositories and package preferences
• apt_update is passed to apt::update . By default, daily with a timeout of 300 seconds.
• apt_pin = 1001 - priority for standard packages. Additional repositories are added as $ apt_pin + 1 (1001> = forced downgrade)
• apt_backports_pin = 600 - if you do not install> = $ apt_pin> 1000, then the packages will automatically roll back to the old version (so by default, due to limited support for security updates )
• real_hdd_scheduler = 'deadline' is the default hard disk I / O scheduler. For SSD and virtualok always noop.
• rc_local = undef - additional list of commands for /etc/rc.local
• puppet_host = "puppet.${::trusted['domain']}" - address of Puppet Server
• puppet_cahost = $puppet_host - address Puppet CA
• puppet_env = $::environment - the current environment (usually production )
• puppet_use_dns_srv = false - does DNS SRV use records to detect $puppet_host and $puppet_cahost
• locale = 'en_US.UTF-8' is the default locale

class cfsystem::hierapool

Installing and maintaining facts that are handy for setting up a hierarchy in hiera.yaml.

• cf_location is essentially the associative name of the physical data center. On this basis, it is convenient to set the addresses of the APT package repository, etc.
• cf_location_pool is a specific group of servers; it implies a separate DMZ group at a specific location.

Example:

 --- :backends: - yaml :hierarchy: - "%{::trusted.domain}/%{::trusted.hostname}" - "%{::trusted.domain}" - "%{::cf_location}/%{::cf_location_pool}" - "%{::cf_location}" - common :merge_behavior: deeper :yaml: :datadir: 

Options:

• location = undef - saves to /etc/cflocation , if specified
• pool = undef - saves to /etc/cflocationpool if specified

class cfsystem::email

Configure sending system notifications.

• smarthost = undef - installs smarthost for SMTP
• smarthost_login = undef - login for smarthost if necessary
• smarthost_password = undef - password for smarthost if necessary
• relay_nets = <private subnets> list of networks that are allowed to send messages through this system (does not include by itself)
• listen_ifaces = undef - a list of cfnetwork::iface interfaces on which to listen to clients for sending emails
• disable_ipv6 = true — disable IPv6 — goes straight to the Exim4 config.
  Note: Using IPv6 for SMTP is still a bad idea.

class cfsystem::sysctl

• vm_swappiness = 1 - 0-100 (%), reduces the use of swap to the minimum by default.

This functionality is not yet complete and is likely to expand.

class cfsystem::debian

Specific to Debian:

• apt_url = 'http://httpredir.debian.org/debian' - Base Address for APT
  Attention: problems with apt-cacher-ng were noticed - it is better to specify fixed if used for infrastructure
• security_apt_url = 'http://security.debian.org/' - Base address for Debian Security APT
• release = 'jessie' - release name

class cfsystem::ubuntu

Specific to Ubuntu:

• apt_url = 'mirror://mirrors.ubuntu.com/mirrors.txt' - Base address for APT
• release = 'wily' - release name

type cfsystem::debian::debconf

A wrapper around the standard package type, but with support for ideologically correct Debian Config configuration.

• package = $title - the name of the package, right in the package
• ensure = present - right in the package
• config = [] - configuration options for debconf-set-selections

Living example

The full deployment of infrastructure in Vagrant can be found here .

Hiera settings

 --- classes: - cfsystem #       `cf_location`  `cf_location_pool`    # ,       cfsystem::hierapool::location: 'somelocation' cfsystem::hierapool::pool: 'somepool' cfauth::admin_user: vagrant # mkpasswd -m sha-512: 'vagrant' cfauth::admin_password: '$6$W32Psa5h$l7iIrVFdG.6SRta86n1GlDcMBapDP3fpzLD4F2Vkz2xTfd2GFg34h5CEBH3JifiVRszumAteGDLXZEbp2bx3Z0' cfauth::sudo_no_password_all: true cfauth::admin_auth_keys: data_test: key: 'AAAAB3NzaC1yc2EAAAADAQABAAAAgQDiruOsKA2xTeITRnmLlWph1xNdyoX7cufWU48737E8KQSltRZEeyyLKKPR0L+XTwrvpIhwymikP+7K77KMF8yEg9f98FaYtxGdEvPqGVO7Dezdg3eQmQzYce0/wlgLXn0GJa2TcrG7lvSnHkCjbOV5lRWP5vY92skYQHhuwtMgtQ==' options: - 'from="10.0.0.0/8,192.168.0.0/16,172.16.0.0/12"' #        IP cfauth::admin_hosts: - '10.0.0.0/8' - '192.168.0.0/16' - '172.16.0.0/12' #  APT , NTP  SMTP Smarthost    cfsystem::repo_proxy: host: maint.example.com port: 3142 cfsystem::ntp_servers: 'maint.example.com' cfsystem::email::smarthost: 'maint.example.com' #       'maint.example.com' #=================================================== cfsystem::add_repo_cacher: true cfsystem::add_ntp_server: true cfsystem::ntp_servers: - 0.debian.pool.ntp.org - 1.debian.pool.ntp.org - 2.debian.pool.ntp.org - 3.debian.pool.ntp.org cfsystem::email::smarthost: cfsystem::email::listen_ifaces: 'main' / wlgLXn0GJa2TcrG7lvSnHkCjbOV5lRWP5vY92skYQHhuwtMgtQ ==' --- classes: - cfsystem #       `cf_location`  `cf_location_pool`    # ,       cfsystem::hierapool::location: 'somelocation' cfsystem::hierapool::pool: 'somepool' cfauth::admin_user: vagrant # mkpasswd -m sha-512: 'vagrant' cfauth::admin_password: '$6$W32Psa5h$l7iIrVFdG.6SRta86n1GlDcMBapDP3fpzLD4F2Vkz2xTfd2GFg34h5CEBH3JifiVRszumAteGDLXZEbp2bx3Z0' cfauth::sudo_no_password_all: true cfauth::admin_auth_keys: data_test: key: 'AAAAB3NzaC1yc2EAAAADAQABAAAAgQDiruOsKA2xTeITRnmLlWph1xNdyoX7cufWU48737E8KQSltRZEeyyLKKPR0L+XTwrvpIhwymikP+7K77KMF8yEg9f98FaYtxGdEvPqGVO7Dezdg3eQmQzYce0/wlgLXn0GJa2TcrG7lvSnHkCjbOV5lRWP5vY92skYQHhuwtMgtQ==' options: - 'from="10.0.0.0/8,192.168.0.0/16,172.16.0.0/12"' #        IP cfauth::admin_hosts: - '10.0.0.0/8' - '192.168.0.0/16' - '172.16.0.0/12' #  APT , NTP  SMTP Smarthost    cfsystem::repo_proxy: host: maint.example.com port: 3142 cfsystem::ntp_servers: 'maint.example.com' cfsystem::email::smarthost: 'maint.example.com' #       'maint.example.com' #=================================================== cfsystem::add_repo_cacher: true cfsystem::add_ntp_server: true cfsystem::ntp_servers: - 0.debian.pool.ntp.org - 1.debian.pool.ntp.org - 2.debian.pool.ntp.org - 3.debian.pool.ntp.org cfsystem::email::smarthost: cfsystem::email::listen_ifaces: 'main' 

UPD 2016-02-18:

• Added description of auto configuration of disk I / O scheduler
• Support for arbitrary commands in /etc/rc.local

UPD 2016-03-12:

• Office apt pinning
• Locale management
• Check for a reboot if the kernel version does not match the newest installed one
• A set of previously not documented support scripts for Exim
• Puppet Agent Configuration Options
• Type cfsystem :: debian :: debconf
• Added support for variable environments for sudo