Deployment Option for Linux Systems Based on Puppet 4. Part II: Access and Standard Environment (cfauth + cfsystem)
- cfauth - configures the SSH service, the admin account, sudo and the superuser password
- cfsystem - configures APT, the time zone, system mail, time synchronization and an extended list of standard packages
- All modules are integrated with the cfnetwork network filter module and do not require additional settings.
This pair of modules serves to automate standard actions that need to be carried out on virtually any deployed system.
cfauth module

Configures SSH access (ssh_access) and sudo for the administrator account. The following sudo commands are allowed without a password out of the box:

/opt/puppetlabs/puppet/bin/puppet agent --test
/usr/bin/apt-get update
/usr/bin/apt-get dist-upgrade
/usr/bin/apt-get autoremove *

and DEBIAN_FRONTEND is kept in the sudo environment. Optionally, sudo can be allowed without a password for all commands, which is convenient and relatively safe for a large number of machines in the DMZ.

Parameters:

- cfauth::admin_auth_keys - mandatory list of public SSH keys in the ssh_authorized_key format; the user parameter is already set, and type = 'ssh-rsa' by default
- admin_user = 'adminaccess' - the name of the administrator account. It is advisable to change it and not use the standard one.
- admin_password = undef - if specified, sets the hashed password for the root and $admin_user users. Use mkpasswd -m sha-512 to generate the password.
- admin_hosts = undef - passed as src to the cfnetwork::service_port filter. Highly recommended.
- sudo_no_password_all = false - if true, allows the user $admin_user to run all commands via sudo without a password
- sudo_no_password_commands = undef - an additional list of sudo commands that $admin_user can execute without a password. For cases where it is inappropriate to allow all commands.
- sudo_env_keep = [] - additional environment variables that sudo is allowed to keep
- sshd_ports = 22 - the list of default SSH ports. Automatically creates a cfssh service via cfnetwork::describe_services.
- sshd_config_template = 'cfauth/sshd_config.epp' - ability to override the standard template for generating the OpenSSH configuration file
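The cfauth parameters above amount to a short checklist: the default account name changed, the password a SHA-512 crypt hash, admin_hosts set, and no passwordless sudo without a source restriction. The following is an added example, not part of the original article or of the cfauth module itself: a small lint over a Hiera data hash for the cfauth class. SAMPLE_CFAUTH is constructed from the page's own Vagrant example; WEAK_CFAUTH is a constructed counter-example. The "from=" check on each key is an assumption about what a careful operator would want, not a module requirement.

```python
import re

# Constructed from the page's Vagrant example (the hash and the key are the
# page's own sample values, not real credentials).
SAMPLE_CFAUTH = {
    "cfauth::admin_user": "vagrant",
    "cfauth::admin_password": "$6$W32Psa5h$l7iIrVFdG.6SRta86n1GlDcMBapDP3fpzLD4F2Vkz2xTfd2GFg34h5CEBH3JifiVRszumAteGDLXZEbp2bx3Z0",
    "cfauth::sudo_no_password_all": True,
    "cfauth::admin_auth_keys": {
        "data_test": {
            "key": "AAAAB3NzaC1yc2EAAAADAQABAAAAgQDiruOsKA2xTeITRnmLlWph1xNdyoX7cufWU48737E8KQSltRZEeyyLKKPR0L+XTwrvpIhwymikP+7K77KMF8yEg9f98FaYtxGdEvPqGVO7Dezdg3eQmQzYce0/wlgLXn0GJa2TcrG7lvSnHkCjbOV5lRWP5vY92skYQHhuwtMgtQ==",
            "options": ['from="10.0.0.0/8,192.168.0.0/16,172.16.0.0/12"'],
        }
    },
    "cfauth::admin_hosts": ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"],
}

# Constructed counter-example: default user, plaintext password, no source limits.
WEAK_CFAUTH = {
    "cfauth::admin_password": "vagrant",
    "cfauth::sudo_no_password_all": True,
    "cfauth::admin_auth_keys": {"k": {"key": "AAAAB3NzaC1yc2E"}},
}

# Shape of a SHA-512 crypt(3) hash as produced by `mkpasswd -m sha-512`:
# $6$[rounds=N$]<salt up to 16 chars>$<86 chars of hash>
SHA512_CRYPT = re.compile(
    r"^\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$"
)


def check_cfauth(data):
    """Return a list of findings for a cfauth Hiera hash (empty == clean)."""
    findings = []
    user = data.get("cfauth::admin_user", "adminaccess")  # module default
    if user == "adminaccess":
        findings.append("admin_user left at the module default 'adminaccess'")
    pw = data.get("cfauth::admin_password")
    if pw is not None and not SHA512_CRYPT.match(pw):
        findings.append("admin_password is not a SHA-512 crypt hash (use mkpasswd -m sha-512)")
    keys = data.get("cfauth::admin_auth_keys") or {}
    if not keys:
        findings.append("admin_auth_keys is mandatory but empty")
    for name, spec in keys.items():
        opts = spec.get("options", [])
        if not any(o.startswith("from=") for o in opts):
            findings.append(f"key '{name}' has no from= restriction")
    hosts = data.get("cfauth::admin_hosts")
    if not hosts:
        findings.append("admin_hosts unset: the SSH port is open to any source")
    if data.get("cfauth::sudo_no_password_all") and not hosts:
        findings.append("sudo_no_password_all without admin_hosts")
    return findings


if __name__ == "__main__":
    for name, data in (("sample", SAMPLE_CFAUTH), ("weak", WEAK_CFAUTH)):
        print(name, check_cfauth(data) or "ok")
```

Run it against the Hiera data before a deploy; the sample passes cleanly, the weak variant reports five findings.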
cfsystem module

This module is focused not only on individual systems but also on providing standard services within the DMZ, in order to limit the permitted outgoing connections and to follow good network etiquette: do not hammer external services with dozens of systems at once.

It also covers:

- setting hostname to the certname, as a precaution
- SMTP settings
- the cfnetwork API
- the cf_location and cf_location_pool special facts, which are convenient to use in the Hiera configuration

cfsystem class

All nested classes are added automatically.
- allow_nfs = false - if not allowed, the default RPC & NFS are removed
- admin_email = undef - email address for system notifications
- repo_proxy = undef - HTTP/HTTPS proxy server for downloading system packages; host - IP or name, port - TCP port
- add_repo_cacher = false - set up a caching proxy server accepting clients on $service_face
- service_face = 'any' - the cfnetwork::iface interface on which to listen for clients if services are enabled
- ntp_servers = [ 'pool.ntp.org' ] - list of NTP servers to synchronize with
- add_ntp_server = false - install an NTP server that accepts clients on $service_face
- timezone = 'Etc/UTC' - time zone
- apt_purge - passed to apt::purge; removes all unmanaged repository settings and package preferences
- apt_update - passed to apt::update. By default, daily with a timeout of 300 seconds.
- apt_pin = 1001 - priority for standard packages. Additional repositories are added as $apt_pin + 1 (1001 >= forced downgrade).
- apt_backports_pin = 600 - if it is not set to >= $apt_pin (> 1000), packages from backports automatically roll back to the older version (which is the default, because of the limited support for security updates)
- real_hdd_scheduler = 'deadline' - the default I/O scheduler for real hard disks. For SSDs and virtual disks it is always noop.
- rc_local = undef - additional list of commands for /etc/rc.local
- puppet_host = "puppet.${::trusted['domain']}" - address of the Puppet Server
- puppet_cahost = $puppet_host - address of the Puppet CA
- puppet_env = $::environment - the current environment (usually production)
- puppet_use_dns_srv = false - whether to use DNS SRV records to discover $puppet_host and $puppet_cahost
- locale = 'en_US.UTF-8' - the default locale
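The apt_pin / apt_backports_pin interplay is easy to get wrong: with the standard repositories at 1001, a backports version pinned at 600 is downgraded to the standard version on the next run, and only a backports pin above the standard pin keeps it. The following is an added example, not code from the article or the cfsystem module: a constructed simplification of APT's candidate selection as described in apt_preferences(5), enough to show the page's three pin values in action. Versions are compared as dotted integers, which is an assumption and not Debian's full version ordering.

```python
# Constructed simplification of APT candidate selection for the pins the
# cfsystem class uses: apt_pin = 1001 (standard repos), $apt_pin + 1 (extra
# repos), apt_backports_pin = 600. Not Debian's full version comparison.


def version_key(v):
    """Order dotted numeric versions, e.g. '1.10' > '1.9' (simplification)."""
    return tuple(int(p) for p in v.split("."))


def apt_candidate(installed, available):
    """installed: version string or None; available: list of (version, pin).

    Rules from apt_preferences(5), reduced to what the page needs:
      pin <= 0        never install this version
      pin >= 1000     install even if it is a downgrade
      0 < pin < 1000  install only if newer than what is installed
    Among candidates the highest pin wins, then the highest version.
    Returns the version that would end up installed.
    """
    best = None
    for ver, pin in available:
        if pin <= 0:
            continue
        cand = (pin, version_key(ver), ver)
        if best is None or cand[:2] > best[:2]:
            best = cand
    if best is None:
        return installed
    pin, key, ver = best
    if installed is None or pin >= 1000 or key > version_key(installed):
        return ver
    return installed


# Constructed scenario: 2.0 was installed from backports, the standard repo
# carries 1.5.
STANDARD_PIN, EXTRA_PIN, BACKPORTS_PIN = 1001, 1002, 600


def backports_demo():
    """Return (with default pins, with backports pinned above the standard pin)."""
    default = apt_candidate("2.0", [("1.5", STANDARD_PIN), ("2.0", BACKPORTS_PIN)])
    raised = apt_candidate("2.0", [("1.5", STANDARD_PIN), ("2.0", EXTRA_PIN)])
    return default, raised


if __name__ == "__main__":
    print("default pins -> %s, backports pinned above standard -> %s" % backports_demo())
```

With the default pins the backports package is rolled back to 1.5 (a forced downgrade, because 1001 >= 1000); pinning backports at $apt_pin + 1 keeps 2.0, which is exactly the trade-off the apt_backports_pin description refers to.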
cfsystem::hierapool

Installs and maintains facts that are handy for setting up the hierarchy in hiera.yaml.

- cf_location is essentially the associative name of the physical data center. Based on it, it is convenient to set the address of the APT package repository, etc.
- cf_location_pool is a specific group of servers; it implies a separate DMZ group at a specific location.

Example:

---
:backends:
  - yaml
:hierarchy:
  - "%{::trusted.domain}/%{::trusted.hostname}"
  - "%{::trusted.domain}"
  - "%{::cf_location}/%{::cf_location_pool}"
  - "%{::cf_location}"
  - common
:merge_behavior: deeper
:yaml:
  :datadir:

Options:

- location = undef - saved to /etc/cflocation, if specified
- pool = undef - saved to /etc/cflocationpool, if specified
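To see what the hierarchy above actually does for a given node, the following added example (not part of the article and not Hiera's own code) resolves the five levels against a node's facts and performs a lookup over constructed data files. The data files are modelled on the page's Vagrant example: common data plus node-level overrides for the maint host. The merge semantics are a simplified reading of merge_behavior: deeper (hashes are merged recursively with the more specific level winning; arrays and scalars are taken from the most specific level), which is an assumption for illustration; the facts and file contents are constructed.

```python
import copy
import re

# The hierarchy from the page's hiera.yaml example.
HIERARCHY = [
    "%{::trusted.domain}/%{::trusted.hostname}",
    "%{::trusted.domain}",
    "%{::cf_location}/%{::cf_location_pool}",
    "%{::cf_location}",
    "common",
]

# Constructed data files, keyed by the path each level resolves to (datadir dropped).
DATA = {
    "common": {
        "classes": ["cfsystem"],
        "cfsystem::repo_proxy": {"host": "maint.example.com", "port": 3142},
        "cfsystem::ntp_servers": "maint.example.com",
        "cfsystem::email::smarthost": "maint.example.com",
    },
    "dc1/dmz": {
        "cfsystem::repo_proxy": {"port": 8000},  # constructed override for one pool
    },
    "example.com/maint": {  # the node that provides the services itself
        "cfsystem::add_repo_cacher": True,
        "cfsystem::add_ntp_server": True,
        "cfsystem::ntp_servers": ["0.debian.pool.ntp.org", "1.debian.pool.ntp.org"],
        "cfsystem::email::smarthost": None,  # explicitly unset, as in the page's YAML
    },
}

# Constructed facts for two nodes in the same location/pool.
MAINT_FACTS = {"trusted": {"domain": "example.com", "hostname": "maint"},
               "cf_location": "dc1", "cf_location_pool": "dmz"}
WEB_FACTS = {"trusted": {"domain": "example.com", "hostname": "web1"},
             "cf_location": "dc1", "cf_location_pool": "dmz"}

FACT_REF = re.compile(r"%\{::([\w.]+)\}")


def fact_value(facts, dotted):
    """Walk a dotted fact path such as 'trusted.domain'; None if absent."""
    cur = facts
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def interpolate(level, facts):
    """Expand %{::fact} references; None if any referenced fact is missing."""
    missing = False

    def sub(m):
        nonlocal missing
        val = fact_value(facts, m.group(1))
        if val is None:
            missing = True
            return ""
        return str(val)

    out = FACT_REF.sub(sub, level)
    return None if missing else out


def resolve_paths(facts, hierarchy=HIERARCHY):
    """Ordered data-file paths for this node (levels with missing facts skipped)."""
    return [p for p in (interpolate(lvl, facts) for lvl in hierarchy) if p is not None]


def deep_merge(base, override):
    """Recursive hash merge; non-hash values are replaced by the override."""
    if isinstance(base, dict) and isinstance(override, dict):
        merged = copy.deepcopy(base)
        for k, v in override.items():
            merged[k] = deep_merge(merged[k], v) if k in merged else copy.deepcopy(v)
        return merged
    return copy.deepcopy(override)


def lookup(key, facts, data, merge="first"):
    """merge='first': most specific level wins; merge='deeper': merge hashes
    from least to most specific. Raises KeyError if no level defines the key."""
    hits = [data[p][key] for p in resolve_paths(facts) if p in data and key in data[p]]
    if not hits:
        raise KeyError(key)
    if merge == "first":
        return hits[0]
    result = hits[-1]
    for h in reversed(hits[:-1]):
        result = deep_merge(result, h)
    return result


if __name__ == "__main__":
    print(resolve_paths(MAINT_FACTS))
    print(lookup("cfsystem::ntp_servers", WEB_FACTS, DATA))
    print(lookup("cfsystem::repo_proxy", WEB_FACTS, DATA, merge="deeper"))
```

For web1 the NTP server and smarthost resolve to maint.example.com from common, while maint itself gets the public pool servers and an empty smarthost from its node-level file; the repo_proxy hash shows where deeper merging matters, since a pool-level file that only sets the port still inherits the host from common.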
cfsystem::email

Configures the sending of system notifications.

- smarthost = undef - sets the smarthost for SMTP
- smarthost_login = undef - login for the smarthost, if necessary
- smarthost_password = undef - password for the smarthost, if necessary
- relay_nets = <private subnets> - list of networks that are allowed to send messages through this system (the system itself is not included)
- listen_ifaces = undef - a list of cfnetwork::iface interfaces on which to listen for clients sending email
- disable_ipv6 = true - disable IPv6; goes straight into the Exim4 config
cfsystem::sysctl

- vm_swappiness = 1 - 0-100 (%); by default reduces swap usage to the minimum

This functionality is not yet complete and is likely to be extended.
cfsystem::debian

Specific to Debian:

- apt_url = 'http://httpredir.debian.org/debian' - base address for APT
- security_apt_url = 'http://security.debian.org/' - base address for Debian Security APT
- release = 'jessie' - release name
cfsystem::ubuntu

Specific to Ubuntu:

- apt_url = 'mirror://mirrors.ubuntu.com/mirrors.txt' - base address for APT
- release = 'wily' - release name
cfsystem::debian::debconf

A wrapper around the standard package type, but with support for the ideologically correct Debian Config (debconf) configuration.

- package = $title - the name of the package, passed straight to package
- ensure = present - passed straight to package
- config = [] - configuration options for debconf-set-selections
The full deployment of the infrastructure in Vagrant can be found here.

---
classes:
  - cfsystem

# `cf_location` `cf_location_pool`
cfsystem::hierapool::location: 'somelocation'
cfsystem::hierapool::pool: 'somepool'

cfauth::admin_user: vagrant
# mkpasswd -m sha-512: 'vagrant'
cfauth::admin_password: '$6$W32Psa5h$l7iIrVFdG.6SRta86n1GlDcMBapDP3fpzLD4F2Vkz2xTfd2GFg34h5CEBH3JifiVRszumAteGDLXZEbp2bx3Z0'
cfauth::sudo_no_password_all: true
cfauth::admin_auth_keys:
  data_test:
    key: 'AAAAB3NzaC1yc2EAAAADAQABAAAAgQDiruOsKA2xTeITRnmLlWph1xNdyoX7cufWU48737E8KQSltRZEeyyLKKPR0L+XTwrvpIhwymikP+7K77KMF8yEg9f98FaYtxGdEvPqGVO7Dezdg3eQmQzYce0/wlgLXn0GJa2TcrG7lvSnHkCjbOV5lRWP5vY92skYQHhuwtMgtQ=='
    options:
      - 'from="10.0.0.0/8,192.168.0.0/16,172.16.0.0/12"'

# IP
cfauth::admin_hosts:
  - '10.0.0.0/8'
  - '192.168.0.0/16'
  - '172.16.0.0/12'

# APT, NTP, SMTP smarthost
cfsystem::repo_proxy:
  host: maint.example.com
  port: 3142
cfsystem::ntp_servers: 'maint.example.com'
cfsystem::email::smarthost: 'maint.example.com'

# 'maint.example.com' (node-level data, overrides the common values above)
#===================================================
cfsystem::add_repo_cacher: true
cfsystem::add_ntp_server: true
cfsystem::ntp_servers:
  - 0.debian.pool.ntp.org
  - 1.debian.pool.ntp.org
  - 2.debian.pool.ntp.org
  - 3.debian.pool.ntp.org
cfsystem::email::smarthost:
cfsystem::email::listen_ifaces: 'main'
UPD 2016-02-18:
UPD 2016-03-12:
sudo
Source: https://habr.com/ru/post/277309/