Puppet Parameterized Class example with ssh

24/11/2013

I am writing this post as part of a course called Linuxin keskitetty hallinta (Linux centralized management) held by Tero Karvinen terokarvinen.com/2013/aikataulu-%E2%80%93-linuxin-keskitetty-hallinta-%E2%80%93-ict4tn011-4-syksylla-2013

I am using 32-bit Xubuntu 12.04 LTS Fresh install.

The tasks of today’s assignment:

Study:

Write:

  • An example application of class parameters in puppet

To keep the example as simple as possible I decided to go with a class that adds up two given parameters.

As before I created the necessary folders to get things started:

$ mkdir puppet
$ cd puppet/
$ mkdir -p modules/addition/manifests
$ mkdir modules/addition/templates

I put the parameters in the class declaration so that they can be changed when applying. They have default values of 1 and 2, so I don’t have to give them a value when applying if I don’t want to.

$ nano modules/addition/manifests/init.pp

class addition($calculateNumber1=1, $calculateNumber2=2){
     file {'/tmp/calculating':
          content => template("addition/calculate.erb"),
     }
}

The template adds the two values together and saves the result (3 with the defaults). The “.to_i” makes sure they are treated as integers and not strings, so that they are added (1+2=3) instead of being placed side by side (1+2=12).

$ nano modules/addition/templates/calculate.erb

<%= @calculateNumber1.to_i + @calculateNumber2.to_i %>

The default:

$ puppet apply --modulepath modules/ -e 'class {"addition":}'

$ cat /tmp/calculating

3

Own values:

$ puppet apply --modulepath modules/ -e 'class {"addition":calculateNumber1=>10, calculateNumber2=>20}'

$ cat /tmp/calculating

30

As a more practical example I will change my ssh server’s port with a parameter:

$ mkdir -p modules/ssh/manifests
$ mkdir modules/ssh/templates

I made slight changes to the original sshd_config:

Original:

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

$ nano modules/ssh/templates/sshd_config.erb

I changed the row which determines the port that is used.

From:

# What ports, IPs and protocols we listen for
Port 22

to:

# What ports, IPs and protocols we listen for
Port <%= @port %>

The complete changed config ERB, without the commented lines for simplicity:

Port <%= @port %>
Protocol 2

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

UsePrivilegeSeparation yes

KeyRegenerationInterval 3600
ServerKeyBits 768

SyslogFacility AUTH
LogLevel INFO

LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes

IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no

PermitEmptyPasswords no

ChallengeResponseAuthentication no

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes

AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

On to the manifest:

$ nano modules/ssh/manifests/init.pp

class ssh($port=22){

	package {"openssh-server":
		ensure => "latest",
	}

	file {'/etc/ssh/sshd_config':
		require => Package['openssh-server'],
		content => template('ssh/sshd_config.erb'),
		notify => Service["ssh"],
	}

	service { 'ssh':
		ensure => 'running',
		enable => 'true',
		require => Package["openssh-server"],

		hasstatus => 'false',
		status => "/etc/init.d/ssh status|grep running",
	}
}

I gave the port a default value of 22, which is used if I don’t happen to give it another one when applying with puppet. Our course’s teacher Tero had a fix (from “hasstatus” onward) for the problem of ssh not restarting after changes (such as the port number) that would require a restart. If I have understood correctly, this has been fixed in Ubuntu 13.10.
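As an added example that is not part of the original post, the following Ruby script renders the two ERB templates above the way Puppet’s template() function does (class parameters exposed as instance variables). It shows why the “.to_i” matters and adds a range check on the port before it is written into sshd_config, since an invalid port would leave sshd unable to start when Puppet notifies the service. The TemplateScope class is my own stand-in for Puppet’s template scope, not a Puppet API.

```ruby
# Added example: render the post's ERB templates like Puppet does and
# validate the ssh port parameter before it reaches sshd_config.
require 'erb'

# Stand-in for Puppet's template scope (assumption, not Puppet's own class):
# each parameter becomes an instance variable (@calculateNumber1, @port, ...)
# that the template can read.
class TemplateScope
  def initialize(params)
    params.each { |name, value| instance_variable_set("@#{name}", value) }
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

# The post's calculate.erb, and the same template without .to_i. Puppet hands
# the parameters to the template as strings, so without .to_i "+" concatenates.
CALC_WITH_TO_I    = '<%= @calculateNumber1.to_i + @calculateNumber2.to_i %>'
CALC_WITHOUT_TO_I = '<%= @calculateNumber1 + @calculateNumber2 %>'

def calculate(template, a, b)
  TemplateScope.new(calculateNumber1: a, calculateNumber2: b).render(template)
end

# The port line of sshd_config.erb. Reject anything that is not a valid TCP
# port so a typo such as "22abc" or 70000 never gets written into the config.
PORT_LINE = "Port <%= @port %>\n"

def render_port_line(port)
  p = Integer(port) # raises ArgumentError for non-numeric strings
  raise ArgumentError, "port #{p} outside 1..65535" unless (1..65535).cover?(p)
  TemplateScope.new(port: p).render(PORT_LINE)
end

if __FILE__ == $PROGRAM_NAME
  puts calculate(CALC_WITH_TO_I, '1', '2')    # 3
  puts calculate(CALC_WITHOUT_TO_I, '1', '2') # 12
  puts render_port_line('2020')               # Port 2020
end
```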

Testing without changes to port:

$ sudo puppet apply --modulepath modules/ -e 'class {"ssh":}'

$ ssh [email protected]
Connects fine.

[email protected]'s password:

Let’s see some changes:

$ sudo puppet apply --modulepath modules/ -e 'class {"ssh":port=>2020}'

And test again:

$ ssh [email protected]

ssh: connect to host localhost port 22: Connection refused

And with the new port:
$ ssh [email protected] -p 2020
Connecting works again.

[email protected]'s password:

To change the port back I ran puppet apply with default settings:

$ sudo puppet apply --modulepath modules/ -e 'class {"ssh":}'

Sources I used

http://terokarvinen.com/2013/ssh-server-puppet-module-for-ubuntu-12-04

Special thanks to Soivi for debugging my code!
