I am writing this post as part of a course called Linuxin keskitetty hallinta (Linux centralized management) held by Tero Karvinen terokarvinen.com/2013/aikataulu-%E2%80%93-linuxin-keskitetty-hallinta-%E2%80%93-ict4tn011-4-syksylla-2013
I am using 32-bit Xubuntu 12.04 LTS Fresh install.
The tasks of today’s assignment:
Study:
Write:
- An example application of class parameters in puppet
To make the example as simple as possible I decided to go with a class that adds up two given parameters:
As before I created the necessary folders to get things started:
$ mkdir puppet
$ cd puppet/
$ mkdir -p modules/addition/manifests
$ mkdir modules/addition/templates
I put the parameters in the class's name so that they can be changed when applying. They have default values of 1 and 2, so I don't have to give them a value when applying if I don't want to.
$ nano modules/addition/manifests/init.pp
class addition($calculateNumber1=1, $calculateNumber2=2){
  file {'/tmp/calculating':
    content => template("addition/calculate.erb"),
  }
}
The template adds the values together and saves the result (3 with the defaults). The ".to_i" makes sure that they are treated as integers and not strings (so they are added, 1+2=3, rather than placed side by side, 1+2=12).
$ nano modules/addition/templates/calculate.erb
<%= @calculateNumber1.to_i + @calculateNumber2.to_i %>
The default:
$ puppet apply --modulepath modules/ -e 'class {"addition":}'
$ cat /tmp/calculating
3
Own values:
$ puppet apply --modulepath modules/ -e 'class {"addition":calculateNumber1=>10, calculateNumber2=>20}'
$ cat /tmp/calculating
30
As a more practical example I will change my ssh server’s port with a parameter:
$ mkdir -p modules/ssh/manifests
$ mkdir modules/ssh/templates
I made slight changes to the original sshd_config:
Original:
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
$ nano modules/ssh/templates/sshd_config.erb
I changed the line that determines the port used.
From:
# What ports, IPs and protocols we listen for
Port 22
to:
# What ports, IPs and protocols we listen for
Port <%= @port %>
The complete changed config .erb, without the commented lines for simplicity:
Port <%= @port %>
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
On to the manifest:
$ nano modules/ssh/manifests/init.pp
class ssh($port=22){
  package {"openssh-server":
    ensure => "latest",
  }
  file {'/etc/ssh/sshd_config':
    require => Package['openssh-server'],
    content => template('ssh/sshd_config.erb'),
    notify  => Service["ssh"],
  }
  service { 'ssh':
    ensure    => 'running',
    enable    => 'true',
    require   => Package["openssh-server"],
    hasstatus => 'false',
    status    => "/etc/init.d/ssh status|grep running",
  }
}
I gave the port a default value of 22 in case I don't give it another one when applying with puppet. Our course's teacher Tero had a fix (from "hasstatus" onward) for the problem of ssh not restarting after changes (such as the port number) that would require it. If I have understood correctly, this has been fixed in Ubuntu's version 13.10.
Testing without changes to port:
$ sudo puppet apply --modulepath modules/ -e 'class {"ssh":}'
$ ssh [email protected]
Connects fine.
[email protected]'s password:
Let’s see some changes:
$ sudo puppet apply --modulepath modules/ -e 'class {"ssh":port=>2020}'
And test again:
$ ssh [email protected]
ssh: connect to host localhost port 22: Connection refused
and with the new port:
$ ssh [email protected] -p 2020
Connecting works again.
[email protected]'s password:
To change the port back I ran puppet apply with default settings:
$ sudo puppet apply --modulepath modules/ -e 'class {"ssh":}'
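To see what Puppet actually hands these two templates, here is a standalone Ruby script (an added example, not code from this post or from Tero's module) that renders ERB the way Puppet does, shows why the addition template needs .to_i, checks the port value before it is written into a constructed, shortened stand-in for sshd_config.erb, and lists which directives differ between two renderings so you can see what a new parameter changes before running puppet apply. The helper names and the shortened template are assumptions of this example.

```ruby
require 'erb'

# Puppet exposes class parameters to an ERB template as instance variables
# (@port, @calculateNumber1, ...). This helper mimics that: it copies the
# hash into instance variables on a fresh object and renders against its binding.
def render_template(template_text, vars)
  scope = Object.new
  vars.each { |name, value| scope.instance_variable_set("@#{name}", value) }
  ERB.new(template_text).result(scope.instance_eval { binding })
end

# In Puppet 3 the numbers in 'calculateNumber1=>10' reach the template as
# strings, so without .to_i ERB concatenates them instead of adding them.
NAIVE_ADDITION_ERB = '<%= @calculateNumber1 + @calculateNumber2 %>'
ADDITION_ERB       = '<%= @calculateNumber1.to_i + @calculateNumber2.to_i %>'

# Constructed, shortened stand-in for modules/ssh/templates/sshd_config.erb.
SSHD_CONFIG_ERB = <<~TEMPLATE
  Port <%= @port %>
  Protocol 2
  PermitRootLogin yes
  UsePAM yes
TEMPLATE

# Only accept an integer in the valid TCP port range: "22abc".to_i would
# silently become 22, and 70000 makes sshd refuse to start, which on a remote
# host means losing your only way in.
def render_sshd_config(port)
  raise ArgumentError, "port must be an integer, got #{port.inspect}" unless port.to_s =~ /\A\d+\z/
  port_number = port.to_s.to_i
  raise ArgumentError, "port #{port_number} is outside 1..65535" unless (1..65535).cover?(port_number)
  render_template(SSHD_CONFIG_ERB, 'port' => port_number)
end

# Compare two rendered configs directive by directive and return
# [directive, old value, new value] for each one whose value changed.
def changed_directives(old_text, new_text)
  parse = lambda do |text|
    text.lines.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }
        .map { |l| l.split(/\s+/, 2) }.to_h
  end
  old_cfg, new_cfg = parse.call(old_text), parse.call(new_text)
  (old_cfg.keys | new_cfg.keys).select { |k| old_cfg[k] != new_cfg[k] }
                               .map { |k| [k, old_cfg[k], new_cfg[k]] }
end

if __FILE__ == $PROGRAM_NAME
  puts render_template(NAIVE_ADDITION_ERB, 'calculateNumber1' => '1', 'calculateNumber2' => '2') # 12
  puts render_template(ADDITION_ERB, 'calculateNumber1' => '1', 'calculateNumber2' => '2')       # 3
  p changed_directives(render_sshd_config(22), render_sshd_config(2020))
end
```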
Sources I used
http://terokarvinen.com/2013/ssh-server-puppet-module-for-ubuntu-12-04
Special thanks to Soivi for debugging my code! This saved me a few hours of time!