From 5bb66599408ff248cdec7903c3bd9544ab6e0e35 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Wed, 25 Sep 2013 10:36:43 +0300 Subject: [PATCH 1/6] puppet: Added new host specific file share where puppet has write acccess. --- puppet/files/fileserver.conf | 4 ++++ puppet/manifests/init.pp | 5 +++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/puppet/files/fileserver.conf b/puppet/files/fileserver.conf index 0f2ba5e..e8518ce 100644 --- a/puppet/files/fileserver.conf +++ b/puppet/files/fileserver.conf @@ -5,3 +5,7 @@ [private] path /srv/puppet/files/private/%H allow * + +[generated] + path /srv/puppet/files/generated/%H + allow * diff --git a/puppet/manifests/init.pp b/puppet/manifests/init.pp index 4a55dec..7d1d04e 100644 --- a/puppet/manifests/init.pp +++ b/puppet/manifests/init.pp @@ -361,13 +361,14 @@ class puppet::server::common inherits puppet::client { } file { [ "/srv/puppet/bucket", - "/srv/puppet/reports", ]: + "/srv/puppet/reports", + "/srv/puppet/files/generated", ]: ensure => directory, mode => "0750", owner => $user, group => $group, seltype => $seltype, - require => File["/srv/puppet"], + require => [ File["/srv/puppet"], File["/srv/puppet/files"], ], } file { [ "/srv/puppet/files", "/srv/puppet/files/common", From 67e91bb8b523a0dddf0c94b4a983eedbeba21c68 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Wed, 25 Sep 2013 12:08:21 +0300 Subject: [PATCH 2/6] util: Added whitespace removal to base64 function output. --- util/lib/puppet/parser/functions/base64.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/lib/puppet/parser/functions/base64.rb b/util/lib/puppet/parser/functions/base64.rb index e5d99a5..154c137 100644 --- a/util/lib/puppet/parser/functions/base64.rb +++ b/util/lib/puppet/parser/functions/base64.rb 
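Review bot: The new `[generated]` mount is exported with `allow *`, and patch 3 of this series uses it to hold Kerberos keytabs, so the only thing preventing one agent from fetching another host's credentials is the `%H` substitution in `path /srv/puppet/files/generated/%H`. That dependency is invisible from the mount definition itself and deserves a comment next to it, e.g. `# holds per-host keytabs; allow * is acceptable only because %H confines each client to its own directory`. If the path were ever changed to drop `%H`, this `allow *` would expose every host's keytab to every agent.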
@@ -3,6 +3,6 @@ require 'base64' module Puppet::Parser::Functions newfunction(:base64, :type => :rvalue) do |args| - Base64.encode64(args[0]) + Base64.encode64(args[0]).strip end end From f0199bfcbdc88060ad13b1b4c82d5d8ee40aada6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Wed, 25 Sep 2013 12:13:05 +0300 Subject: [PATCH 3/6] kerberos: Refactored kerberos keytab generation to use fileshare instead of templates. --- .../parser/functions/keytab_generate.rb | 66 +++++++++++++++++++ kerberos/manifests/init.pp | 16 +++-- kerberos/templates/keytab.erb | 62 ----------------- 3 files changed, 76 insertions(+), 68 deletions(-) create mode 100644 kerberos/lib/puppet/parser/functions/keytab_generate.rb delete mode 100644 kerberos/templates/keytab.erb diff --git a/kerberos/lib/puppet/parser/functions/keytab_generate.rb b/kerberos/lib/puppet/parser/functions/keytab_generate.rb new file mode 100644 index 0000000..922fc11 --- /dev/null +++ b/kerberos/lib/puppet/parser/functions/keytab_generate.rb 
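Review bot: `Base64.encode64(args[0]).strip` only trims the trailing newline; `encode64` also inserts a line break after every 60 output characters, so for inputs longer than 45 bytes the returned string still contains embedded newlines. Patch 3 uses this output as the last segment of `puppet:///generated/${source}` in `kerberos::keytab`, and the standard alphabet also contains `/`, which the file server would read as a directory separator. On Ruby 1.9 or newer `Base64.urlsafe_encode64(args[0])` (or `strict_encode64` if `/` is acceptable) avoids both problems; whichever is chosen, `keytab_generate.rb` in patch 3 must use the identical encoding, since it names the file the manifest later fetches.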
@@ -0,0 +1,66 @@ + +require 'base64' +require 'expect' +require 'tempfile' + + +module Puppet::Parser::Functions + newfunction(:keytab_generate) do |args| + name = args[0] + principals = args[1] + + # get output file name + outfile = File.join('/srv/puppet/files/generated', + lookupvar('homename'), Base64.encode64(name)).strip + begin + Dir.mkdir(File.dirname(outfile)) + rescue + nil + end + + # check if we have cached keytab up to date + cached = true + if File.exists?(outfile) + if not check_keytab(outfile, principals) + cached = false + File.unlink(outfile) + end + else + cached = false + end + + # create new keytab if cache is not up to date + if not cached + cmd = sprintf('kadmin -p %s -k -t /etc/puppet/puppet.keytab -q "ktadd -k %s %s" 1>&2', + lookupvar('kerberos_user'), outfile, principals.join(' ')) + output = '' + IO.popen(cmd, mode='r') { |f| + output = f.read + } + if not File.exists?(outfile) + raise 'Failed to create keytab ' + name + ' error was: ' + output + elsif not check_keytab(outfile, principals) + raise 'Invalid keytab ' + name + ' created' + end + end + end + +end + + +# function to check if keytab contains required principals +def check_keytab(keytab, principals) + entries = [] + IO.popen(sprintf('klist -k %s', keytab), mode='r') { |f| + f.readlines.each do |l| + next unless l =~ /[ ]+\d+ .*/ + entries << l.split()[1] + end + } + principals.each do |p| + if not entries.include?(p) + return false + end + end + return true +end diff --git a/kerberos/manifests/init.pp b/kerberos/manifests/init.pp index ef4f033..7a2fccb 100644 --- a/kerberos/manifests/init.pp +++ b/kerberos/manifests/init.pp 
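Review bot: The kadmin invocation is assembled with `sprintf` and handed to `IO.popen(cmd)` as a single shell string, so `kerberos_user`, `outfile` and every element of `principals` are interpreted by `/bin/sh`; these values come from manifest data, and `principals.join(' ')` inside the quoted `-q` argument is exactly where a stray quote or metacharacter would alter the command. The redirect is also inverted relative to the deleted template: `1>&2` sends kadmin's stdout to the master's stderr while `f.read` sees nothing, so the `'error was: ' + output` message raised below is always empty (the template used `2>&1`). On Ruby 1.9+ the array form of `IO.popen` with `:err => [:child, :out]` bypasses the shell and captures both streams; the rewritten block is below. Separately, the bare `rescue` around `Dir.mkdir` swallows every error including permission failures when only `Errno::EEXIST` is expected, and `check_keytab` is defined at top level, so it becomes a method on every object in the master process instead of being scoped to this function.
```ruby
    # create new keytab if cache is not up to date
    unless cached
      argv = ['kadmin', '-p', lookupvar('kerberos_user'), '-k',
              '-t', '/etc/puppet/puppet.keytab',
              '-q', "ktadd -k #{outfile} #{principals.join(' ')}"]
      # array form: no shell involved; merge stderr into the pipe so the
      # message raised on failure actually carries kadmin's output
      output = IO.popen(argv, 'r', :err => [:child, :out]) { |f| f.read }
      # … unchanged: File.exists? / check_keytab validation and raises …
    end
```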
@@ -244,7 +244,8 @@ class kerberos::server::ldap inherits kerberos::server { # principals => [ "host/testhost.foo.sh@FOO.SH" ], # } # -define kerberos::keytab($principals = [], $ensure = present, $owner = "root", $group = "", $mode = "0600") { +define kerberos::keytab($principals=[], $ensure=present, $owner="root", + $group="", $mode="0600") { case $group { "": { @@ -258,12 +259,15 @@ define kerberos::keytab($principals = [], $ensure = present, $owner = "root", $g } } + keytab_generate($name, $principals) + $source = base64($name) + file { $name: - ensure => $ensure, - content => template("kerberos/keytab.erb"), - mode => $mode, - owner => $owner, - group => $real_group, + ensure => $ensure, + source => "puppet:///generated/${source}", + mode => $mode, + owner => $owner, + group => $real_group, } } diff --git a/kerberos/templates/keytab.erb b/kerberos/templates/keytab.erb deleted file mode 100644 index 12fd8d3..0000000 --- a/kerberos/templates/keytab.erb +++ /dev/null 
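Review bot: `keytab_generate($name, $principals)` is evaluated unconditionally at compile time, so a `kerberos::keytab` declared with `ensure => absent` still runs `kadmin ... ktadd` on the master, and ktadd generates new random keys for the listed principals whenever the cached file is judged stale, so a removal can invalidate keytabs held elsewhere. Guarding the call, e.g. `if $ensure != absent { keytab_generate($name, $principals) }`, keeps a removal from touching the KDC. Note also that `$source = base64($name)` has to agree byte-for-byte with the encoding used inside `keytab_generate.rb`, since one names the file and the other fetches it.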
@@ -1,62 +0,0 @@ -<% - -require 'digest/md5' -require 'expect' -require 'tempfile' - - -config = {} -config['cachedir'] = '/var/cache/puppet' -config['kadmin'] = '/usr/bin/kadmin' -config['klist'] = '/usr/bin/klist' - - -# set global vars -cachefile = File.join(config['cachedir'], - homename + '.' + Digest::MD5.hexdigest(name)) - -# function to check if keytab contains required principals -def check_keytab(config, keytab, principals) - entries = [] - IO.popen(sprintf('%s -k %s', config['klist'], keytab), mode='r') { |f| - f.readlines.each do |l| - next unless l =~ /[ ]+\d+ .*/ - entries << l.split()[1] - end - } - principals.each do |p| - if not entries.include?(p) - return false - end - end - return true -end - - -# check if we have cached keytab up to date -cached = true -if File.exists?(cachefile) - if not check_keytab(config, cachefile, principals) - cached = false - File.unlink(cachefile) - end -else - cached = false -end - -# create new keytab if cache is not up to date -if not cached - cmd = sprintf('%s -p %s -k -t /etc/puppet/puppet.keytab -q "ktadd -k %s %s"', - config['kadmin'], kerberos_user, cachefile, principals.join(' ')) - output = `#{cmd} 2>&1` - if not File.exists?(cachefile) - raise 'Failed to create keytab ' + name + ' error was: ' + output - elsif not check_keytab(config, cachefile, principals) - raise 'Invalid keytab ' + name + ' created' - end -end - -# read keytab into memory -data = File.open(cachefile).read - --%><%= data -%> From c106c541036aead97b86264770ea6e63bfc1134f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Sat, 28 Sep 2013 12:29:34 +0300 Subject: [PATCH 4/6] puppet: Fixed puppet agent service for Fedora 19. --- puppet/manifests/init.pp | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/puppet/manifests/init.pp b/puppet/manifests/init.pp index 7d1d04e..6aeefae 100644 --- a/puppet/manifests/init.pp +++ b/puppet/manifests/init.pp 
@@ -111,6 +111,20 @@ class puppet::client { notify => Service["puppet"], } } + "fedora": { + service { "puppet": + name => $::operatingsystemrelease ? { + /^1[0-8]/ => "puppet", + default => "puppetagent", + }, + enable => true, + restart => $::puppetversion ? { + /^[0-2]\./ => "pkill -HUP puppetd", + default => "pkill -HUP -f '/usr/bin/puppet agent'", + }, + subscribe => File["/etc/puppet/puppet.conf"], + } + } default: { service { "puppet": ensure => running, From e56702c0d0503e961ecb2e8e6336011199377a6e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Sat, 28 Sep 2013 12:30:10 +0300 Subject: [PATCH 5/6] puppet: Fixes for puppetmaster SELinux contexts. --- puppet/manifests/init.pp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/puppet/manifests/init.pp b/puppet/manifests/init.pp index 6aeefae..b361557 100644 --- a/puppet/manifests/init.pp +++ b/puppet/manifests/init.pp @@ -352,10 +352,14 @@ class puppet::server::common inherits puppet::client { seltype => "usr_t", require => File[$puppet_datadir], } - selinux::manage_fcontext { "/srv/puppet(/.*)?": + selinux::manage_fcontext { "/srv/puppet": type => "usr_t", before => File["/srv/puppet"], } + selinux::manage_fcontext { "/srv/puppet/.*": + type => $seltype, + before => File["/srv/puppet"], + } } else { file { "/srv/puppet": ensure => directory, From 6980e8275b8d1e1c315e816dd6e8a613141adb6b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Tue, 1 Oct 2013 12:02:37 +0300 Subject: [PATCH 6/6] cups: Changed cups::server to use template file as config. --- cups/files/cupsd.conf | 88 ---------------------- cups/manifests/init.pp | 48 ++++++++++-- cups/templates/cupsd.conf.erb | 135 ++++++++++++++++++++++++++++++++++ 3 files changed, 177 insertions(+), 94 deletions(-) delete mode 100644 cups/files/cupsd.conf create mode 100644 cups/templates/cupsd.conf.erb diff --git a/cups/files/cupsd.conf b/cups/files/cupsd.conf deleted file mode 100644 index 184549a..0000000 
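Review bot: The new `"fedora":` branch declares `service { "puppet": ... }` with `enable => true` but, unlike the `default:` branch directly below it, has no `ensure => running`, so Puppet will enable the unit at boot yet never start a stopped agent. If that is deliberate for Fedora 19 a comment should say so; otherwise add `ensure => running,` next to `enable => true`. The enclosing `class puppet::client` starts outside the hunk.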
--- a/cups/files/cupsd.conf +++ /dev/null @@ -1,88 +0,0 @@ -# -# "$Id: cupsd.conf.in 7199 2008-01-08 00:16:30Z mike $" -# -# Sample configuration file for the Common UNIX Printing System (CUPS) -# scheduler. See "man cupsd.conf" for a complete description of this -# file. -# -MaxLogSize 2000000000 - -# Log general information in error_log - change "info" to "debug" for -# troubleshooting... -LogLevel info - -# Administrator user group... -SystemGroup sys root sysadm - -# Disable preserving jobs -PreserveJobFiles Off -PreserveJobHistory Off - -# Only listen for connections from the local machine. -Listen *:631 -Listen /var/run/cups/cups.sock - -# Show shared printers on the local network. -Browsing On -BrowseOrder allow,deny -# (Change '@LOCAL' to 'ALL' if using directed broadcasts from another subnet.) -BrowseAllow @LOCAL - -# Default authentication type, when authentication is required... -DefaultAuthType Basic - -# Restrict access to the server... - - Order allow,deny - Allow @LOCAL - - -# Restrict access to the admin pages... - - Encryption Required - Order allow,deny - - -# Restrict access to configuration files... - - AuthType Default - Require user @SYSTEM - Order allow,deny - - -# Set the default printer/job policies... - - # Job-related operations must be done by the owner or an administrator... - - Require user @OWNER @SYSTEM - Order deny,allow - - - # All administration operations require an administrator to authenticate... - - AuthType Default - Require user @SYSTEM - Order deny,allow - - - # All printer operations require a printer operator to authenticate... - - AuthType Default - Require user @SYSTEM - Order deny,allow - - - # Only the owner or an administrator can cancel or authenticate a job... - - Require user @OWNER @SYSTEM - Order deny,allow - - - - Order deny,allow - - - -# -# End of "$Id: cupsd.conf.in 7199 2008-01-08 00:16:30Z mike $". -# diff --git a/cups/manifests/init.pp b/cups/manifests/init.pp index 444a2b6..59b21ac 100644 
--- a/cups/manifests/init.pp +++ b/cups/manifests/init.pp @@ -55,20 +55,56 @@ class cups::client { # Install cups server # -class cups::server inherits cups::client { +# === Parameters: +# +# $admin_group: +# Group name which is allowed to modify printers. +# +# $manager_group: +# Group name which is allowed to remove jobs from print +# queues. +# +# $ssl_cert: +# Path to SSL certificate. Defaults to auto generated +# certificate. +# +# $ssl_key: +# Path to SSL key. Defaults to auto generated key. +# +class cups::server($admin_group=undef, $manager_group=undef, + $ssl_cert=undef, $ssl_key=undef) inherits cups::client { + + require ssl package { [ "ghostscript", "system-config-printer" ]: ensure => installed, } + if $ssl_key and $ssl_cert { + file { "${ssl::private}/cups.key": + ensure => present, + source => $ssl_key, + mode => "0600", + owner => "root", + group => "root", + notify => Service["cups"], + } + file { "${ssl::certs}/cups.crt": + ensure => present, + source => $ssl_cert, + mode => "0644", + owner => "root", + group => "root", + notify => Service["cups"], + } + } + file { "/etc/cups/cupsd.conf": ensure => present, - source => [ "puppet:///files/cups/cupsd.conf.${::homename}", - "puppet:///files/cups/cupsd.conf", - "puppet:///modules/cups/cupsd.conf", ], + content => template("cups/cupsd.conf.erb"), mode => "0640", - owner => root, - group => lp, + owner => "root", + group => "lp", require => Package["cups"], notify => Service["cups"], } diff --git a/cups/templates/cupsd.conf.erb b/cups/templates/cupsd.conf.erb new file mode 100644 index 0000000..438e027 --- /dev/null +++ b/cups/templates/cupsd.conf.erb 
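Review bot: `if $ssl_key and $ssl_cert { ... }` silently drops both settings when only one is supplied, so a class declared with just `$ssl_cert` manages neither file and the template (which tests the same pair) falls back to the CUPS default certificate with no indication to the operator. A compile-time check at the top of the class makes the misconfiguration visible: `if ($ssl_cert and !$ssl_key) or ($ssl_key and !$ssl_cert) { fail("cups::server: ssl_cert and ssl_key must be set together") }`. The parameter docs also say the certificate and key "Defaults to auto generated", but nothing in this hunk generates anything; if that happens in the `ssl` class or in CUPS itself, the comment should name where, since a reader of this module cannot tell.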
@@ -0,0 +1,135 @@ +MaxLogSize 0 +# +# "$Id: cupsd.conf.in 8805 2009-08-31 16:34:06Z mike $" +# +# Sample configuration file for the CUPS scheduler. See "man cupsd.conf" for a +# complete description of this file. +# + +<% if @ssl_cert and @ssl_key -%> +# SSL support +ServerCertificate <%= scope.lookupvar('ssl::certs') %>/cups.crt +ServerKey <%= scope.lookupvar('ssl::private') %>/cups.key + +<% end -%> +# Do not preserve history +PreserveJobFiles Off +PreserveJobHistory Off + +# Log general information in error_log - change "warn" to "debug" +# for troubleshooting... +LogLevel info +AccessLog syslog +ErrorLog syslog + +# Administrator user group... +SystemGroup sys root <% if @admin_group %><%= @admin_group %><% end %> + +# Listen all interfaces for connections. +ServerAlias * +Listen *:631 +Listen /var/run/cups/cups.sock + +# Show shared printers on the local network. +Browsing On +BrowseOrder allow,deny +BrowseAllow @LOCAL +BrowseLocalProtocols CUPS dnssd + +# Default authentication type, when authentication is required... +DefaultAuthType Basic + +# Restrict access to the server... + + Order allow,deny + Allow from @LOCAL + + +# Restrict access to the admin pages... + + Order allow,deny + + +# Restrict access to configuration files... + + AuthType Default + Require user @SYSTEM + Order allow,deny + + +# Set the default printer/job policies... + + # Job-related operations must be done by the owner or an administrator... + + Require user @OWNER @SYSTEM + Order deny,allow + + + # All administration operations require an administrator to authenticate... + + AuthType Default + Require user @SYSTEM + Order deny,allow + + + # All printer operations require a printer operator to authenticate... + + AuthType Default + Require user @SYSTEM + Order deny,allow + + + # Only the owner or an administrator can cancel or authenticate a job... 
+ + Require user @OWNER @SYSTEM <% if @manager_group %>@<%= @manager_group %><% end %> + Order deny,allow + + + + Order deny,allow + + + +# Set the authenticated printer/job policies... + + # Job-related operations must be done by the owner or an administrator... + + AuthType Default + Order deny,allow + + + + AuthType Default + Require user @OWNER @SYSTEM + Order deny,allow + + + # All administration operations require an administrator to authenticate... + + AuthType Default + Require user @SYSTEM + Order deny,allow + + + # All printer operations require a printer operator to authenticate... + + AuthType Default + Require user @SYSTEM + Order deny,allow + + + # Only the owner or an administrator can cancel or authenticate a job... + + AuthType Default + Require user @OWNER @SYSTEM <% if @manager_group %>@<%= @manager_group %><% end %> + Order deny,allow + + + + Order deny,allow + + + +# +# End of "$Id: cupsd.conf.in 8805 2009-08-31 16:34:06Z mike $". +#
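Review bot: The new template adds `ServerAlias *`, which effectively disables the Host-header check cupsd applies to requests, and together with `Listen *:631` means any name resolving to this server is accepted; if the goal is only to serve under a few hostnames, listing them is tighter, and otherwise a comment such as `# ServerAlias *: accepts any Host header — document why before exposing beyond @LOCAL` should record the decision. The admin location (the tags are not visible in this rendering) also no longer carries the `Encryption Required` directive the deleted cups/files/cupsd.conf had under "Restrict access to the admin pages...", so with `DefaultAuthType Basic` administrator credentials can travel in clear text over the `*:631` listener. `@admin_group` and `@manager_group` are interpolated unquoted into the `SystemGroup` and `Require user` lines, which is acceptable for trusted manifest data but worth a one-line comment stating that assumption. Lastly, the comment `change "warn" to "debug"` above `LogLevel info` no longer matches the value it describes.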