Building dynamic networks with puppet
TRANSCRIPT
Page 2
latest slides
https://github.com/uphillian/puppetconf2013
latest code
http://goo.gl/nR9rti
Page 3
Me
Page 4
About this talk...
node1 node2 node3 node4
Page 6
production
node1 node2 node3 node4
Page 7
production
node1 node2 node4
development
node3
Page 8
goal
piggy
jim
kermit (postfix)
bind
func
Page 9
goal
piggy
jim
kermit (postfix)
bind
func
gonzo
Who is the mailserver?
puppet
I know I know I know, it's kermit
Page 10
Outline
● postfix
  ○ augeas
  ○ exported resources
  ○ tags
● dns
  ○ concat
  ○ custom facts
  ○ firewall
● questions
● references
● bonus
  ○ func
    ■ exported resources
    ■ firewall
    ■ exec
Page 11
postfix
augeas
exported resources
tags
Page 12
augeas
● manipulate specific parts of a file
● files as objects
● type in puppet
By jmv
Page 13
augeas
http://augeas.net/tour.html
http://projects.puppetlabs.com/projects/1/wiki/puppet_augeas

/etc/grub.conf (before):
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Springdale Linux (2.6.32-358.6.2.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-358.6.2.el6.x86_64 ro root=/dev/mapper/vg_jim-lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg_jim/lv_swap rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=vg_jim/lv_root KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
        initrd /initramfs-2.6.32-358.6.2.el6.x86_64.img
title Springdale-PUIAS Linux (2.6.32-358.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-358.el6.x86_64 ro root=/dev/mapper/vg_jim-lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg_jim/lv_swap rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=vg_jim/lv_root KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
        initrd /initramfs-2.6.32-358.el6.x86_64.img

The parts the following slides change (the default line and the second title entry, title[2]):
default=0
title Springdale-PUIAS Linux (2.6.32-358.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-358.el6.x86_64 ro root=/dev/mapper/vg_jim-lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg_jim/lv_swap rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=vg_jim/lv_root KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
        initrd /initramfs-2.6.32-358.el6.x86_64.img
Page 14
augeas
[user@host] $ augtool
augtool> set /files/etc/grub.conf/default 1
augtool> rm /files/etc/grub.conf/title[2]
rm : /files/etc/grub.conf/title[2] 18
augtool> save
Saved 1 file(s)
Page 15
augeas
/etc/grub.conf (after):
default=1
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Springdale Linux (2.6.32-358.6.2.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-358.6.2.el6.x86_64 ro root=/dev/mapper/vg_jim-lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg_jim/lv_swap rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=vg_jim/lv_root KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
        initrd /initramfs-2.6.32-358.6.2.el6.x86_64.img
Page 16
augeas
The same change as the augtool session, expressed as a puppet augeas resource:
augeas { 'remove second entry, set default':
  context => '/files/etc/grub.conf',
  changes => [
    'set default 1',
    'rm title[2]',
  ],
}
Page 17
exported resources
http://docs.puppetlabs.com/guides/exported_resources.html
http://docs.puppetlabs.com/puppet/2.7/reference/lang_exported.html
Diagram: a node sends its facts and its @@resource declarations to the master; the exported resources are kept in storeconfigs and compiled into the catalogs of the nodes that collect them.
Page 18
exported resources
● any class/type can be exported
● classic example ssh keys
class ssh {
  @@sshkey { $hostname:
    type => dsa,
    key  => $sshdsakey,
  }
  Sshkey <<| |>>
}
Page 19
tags
file {'/some/file':
  tag => 'needthislater'
}
Diagram: the file resource is stored in storeconfigs together with its tag, so the tag needthislater can later select the same file {'/some/file': } resource.
http://projects.puppetlabs.com/projects/1/wiki/Using_Tags
Page 20
postfix
● only accepts mail from puppet nodes
● update itself
● augeas
● exported_resources
● tags
Page 21
postfix
access.conf
<ipaddress> OK
<ipaddress> RELAY
Page 22
postfix
client
class postfix::client {
  # this is a client of the master, set our config file to use the master
  # add our name to the access list on the master
  @@augeas {"access by $::hostname":
    context => "/files/etc/postfix/access",
    changes => [
      "ins 0 after *[last()]",
      "set 0/pattern $::ipaddress",
      "set 0/action OK",
    ],
    # only add an entry if our address is not already in the access map
    onlyif  => "match *[ pattern = '$::ipaddress'] size == 0",
    tag     => 'postfix_access',
  }
}
Diagram: the exported augeas resource is stored in storeconfigs.
Page 23
postfix
master
class postfix::master {
  # rebuild the access database only when a collected resource notifies us
  exec { 'postfix rebuild access':
    path        => '/bin:/usr/bin',
    command     => '/usr/sbin/postmap /etc/postfix/access',
    refreshonly => true,
  }
  # collect every client's exported augeas resource by its tag
  Augeas <<| tag == 'postfix_access' |>> {
    notify => Exec['postfix rebuild access']
  }
}
Diagram: the augeas resources are collected from storeconfigs.
Page 24
postfix
Diagram: kermit runs postfix::master; piggy and jim run postfix::client. Each client's exported augeas resource goes into storeconfigs, and kermit collects them all when its catalog is compiled.
Page 26
dns
concat
custom facts
firewall
exported resources
tags
Page 27
concat
https://github.com/ripienaar/puppet-concat
https://github.com/puppetlabs/puppetlabs-concat
Page 28
concat
concat { '/etc/motd':
  owner => root,
  group => root,
  mode  => '0644',
}
concat::fragment{"motd_header":
  target  => '/etc/motd',
  content => "Message of the Day Brought to you by\n",
  order   => 01,
}
concat::fragment{"motd_local":
  target => '/etc/motd',
  ensure => "/etc/motd.local",
  order  => 15,
}

/etc/motd.local:
The Number 6.

/etc/motd (assembled from the fragments, in order):
Message of the Day Brought to you by
The Number 6.
Page 29
custom facts
http://docs.puppetlabs.com/guides/custom_facts.html
modules/four/lib/facter/four.rb
Facter.add("four") do
  setcode do
    2+2
  end
end
[root@jim ~]# puppet agent -t --pluginsync
info: Loading facts in /var/lib/puppet/lib/facter/four.rb
[root@jim ~]# facter -p four
4
Page 30
firewall module
https://github.com/puppetlabs/puppetlabs-firewall
● handles iptables
● defines type firewall
● very cool
Page 31
firewall module
class base::firewall {
  # remove any iptables rules puppet does not manage
  resources { "firewall":
    purge => true
  }
  # every firewall rule sits between the pre and post rules
  Firewall {
    before  => Class['base::firewall::post'],
    require => Class['base::firewall::pre'],
  }
  class { ['base::firewall::pre', 'base::firewall::post']: }
}
Diagram of the resulting iptables rule order: base::firewall::pre, then anything else, then base::firewall::post.
Page 32
firewall module
class base::firewall::pre {
  # the pre rules must not require themselves
  Firewall { require => undef, }
  firewall { '000 INPUT allow related and established':
    proto  => 'all',
    action => accept,
    state  => ['RELATED', 'ESTABLISHED'],
  }
  firewall { '001 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }
  firewall { '002 accept all to lo interface':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  firewall { '003 INPUT allow SSH':
    action => accept,
    proto  => 'tcp',
    dport  => '22',
  }
}
Page 33
firewall module
class base::firewall::post {
  # default deny: everything not explicitly allowed above is dropped
  firewall { '998 drop all':
    proto  => 'all',
    action => 'drop',
    before => undef,
  }
}
Page 34
firewall module
why?
(assuming you are doing host based firewalls)
● automatically add exceptions
● automatically allow inbound for services on this node
● automatically allow inbound from services on another node
never assume
Page 35
hiera
Diagram: a hiera hierarchy with levels labelled common, kernel, osfamily (RedHat, SLES) and arch (i386, x86_64).
http://docs.puppetlabs.com/hiera/1/index.html
Page 36
dns/resolv
Diagram: the henson zone, containing jim, piggy and kermit.
Page 37
dns/resolv
/etc/resolv.conf
search henson
nameserver XXX.XXX.XXX.XXX
Diagram: the search line comes from hiera (henson, dev.henson or prod.henson); the nameserver line comes from exported resources (PuppetDB / storeconfigs) assembled with concat.
Page 38
dns/resolv
● bind
  ○ /etc/named.conf
  ○ /var/named/zone.*
  ○ /var/named/reverse.*
● resolver
  ○ /etc/resolv.conf
● firewall
  ○ allow 53(domain) inbound
Page 39
zone (fact)
production development
Page 40
zone
● define custom fact based on ip address of the node
# zone.rb
# Set a fact for the zone
require('ipaddr')
ip = IPAddr.new(Facter.value('ipaddress'))
# use CIDR for zones
zones = {
  'prod' => IPAddr.new('192.168.120.0/23'),
  'dev'  => IPAddr.new('192.168.122.0/23'),
  'sbx'  => IPAddr.new('192.160.124.0/23'),
}
# default to undefined for now
zone = 'undef'
# loop through the zones, using ipaddr's built in include? function
# to see if the ipaddress is in the zone.
for z in zones.keys do
  if zones[z].include?(ip)
    zone = z
  end
end
# return the net_zone to facter
Facter.add("zone") do
  setcode do
    zone
  end
end
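An added Ruby example, not code from the slides or the puppetconf2013 repository, that generalises the zone.rb fact: the lookup is a plain function so it can be tested without facter, a missing or malformed ipaddress yields 'undef' instead of an exception while facter loads the file, and overlapping CIDRs resolve to the most specific one. ZONES, zone_for and the Facter hook are names I chose; the CIDR values are copied from the slide.

```ruby
require 'ipaddr'

# Zone table in CIDR form, copied from the zone.rb slide (including its
# 192.160.124.0/23 value for sbx, kept exactly as the slide gives it).
ZONES = {
  'prod' => '192.168.120.0/23',
  'dev'  => '192.168.122.0/23',
  'sbx'  => '192.160.124.0/23',
}.freeze

# Zone name for an address, or 'undef' when no zone contains it.
# Compared with the slide's loop: a nil, empty or malformed address gives
# 'undef' instead of raising while facter loads the file, an address of the
# wrong family (IPv6 against IPv4 zones) is simply not matched, and when
# several CIDRs contain the address the most specific one (longest prefix)
# wins rather than whichever the hash happens to iterate last.
def zone_for(address, zones = ZONES)
  return 'undef' if address.nil? || address.to_s.empty?
  ip = begin
    IPAddr.new(address.to_s)
  rescue IPAddr::InvalidAddressError
    return 'undef'
  end
  best_name = nil
  best_prefix = -1
  zones.each do |name, cidr|
    net = IPAddr.new(cidr)
    next unless net.family == ip.family && net.include?(ip)
    if net.prefix > best_prefix
      best_name = name
      best_prefix = net.prefix
    end
  end
  best_name || 'undef'
end

# Facter hook, active only when facter loads this file as a plugin; run
# stand-alone the file just defines zone_for so it can be tested.
if defined?(Facter)
  Facter.add('zone') do
    setcode { zone_for(Facter.value('ipaddress')) }
  end
end
```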
Page 41
zone
piggy: ipaddress 192.168.122.26 -> zone.rb -> zone dev
gonzo: ipaddress 192.168.120.45 -> zone.rb -> zone prod
Page 42
zone
hiera.yaml:
:hierarchy:
  - zones/%{zone}
  - environments/%{environment}
  - global
Page 43
zones/dev.yaml
---
dns::search: "dev.henson henson corp.henson"
zones/prod.yaml
---
dns::search: "corp.henson henson"
Page 44
cidr/reverse
require 'ipaddr'
require 'puppet/util/ipcidr'
def reverse(dev)
  ip = IPAddr.new(Facter.value("network_#{dev}"))
  nm = Puppet::Util::IPCidr.new(Facter.value("network_#{dev}")).mask(Facter.value("netmask_#{dev}"))
  cidr = nm.cidr
  # set fact for network in reverse vvv.www.uuu.in-addr.arpa
  Facter.add("reverse_#{dev}") do
    setcode do ip.reverse.to_s[2..-1] end
  end
  # set fact for network in cidr notation
  Facter.add("network_cidr_#{dev}") do
    setcode do cidr end
  end
end
# loop through the interfaces, defining the two facts for each
interfaces = Facter.value('interfaces').split(',')
interfaces.each do |eth|
  reverse(eth)
end
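An added Ruby example, not code from the slides or their repository, that derives the same network_cidr_<dev> and reverse_<dev> facts with only the standard IPAddr library (no Puppet::Util::IPCidr) and goes one step further than the slide: for a network wider than a /24, such as gonzo's 192.168.120.0/23, it lists every in-addr.arpa zone the network spans, where the slide's fact names only the first. GONZO_FACTS is a constructed sample built from the fact values on the zone slides; prefix_from_netmask, network_cidr, reverse_zones, interface_facts and the reverse_zones_<dev> fact are names I chose.

```ruby
require 'ipaddr'

# Facts as facter would report them on gonzo (constructed sample; eth0 values
# from the slides, the loopback interface added as facter reports it).
GONZO_FACTS = {
  'interfaces'   => 'eth0,lo',
  'network_eth0' => '192.168.120.0',
  'netmask_eth0' => '255.255.254.0',
  'network_lo'   => '127.0.0.0',
  'netmask_lo'   => '255.0.0.0',
}.freeze

# Prefix length of a dotted-quad netmask, e.g. "255.255.254.0" -> 23.
# A non-contiguous mask has no CIDR form, so it is rejected.
def prefix_from_netmask(netmask)
  prefix = IPAddr.new(netmask).to_i.to_s(2).count('1')
  unless IPAddr.new("255.255.255.255/#{prefix}").to_s == netmask
    raise ArgumentError, "netmask #{netmask} is not contiguous"
  end
  prefix
end

# "192.168.120.0" + "255.255.254.0" -> "192.168.120.0/23".
# IPAddr re-masks the address, so a host address gives its network too.
def network_cidr(network, netmask)
  prefix = prefix_from_netmask(netmask)
  "#{IPAddr.new("#{network}/#{prefix}")}/#{prefix}"
end

# Every in-addr.arpa zone needed to hold PTR records for the network.
# in-addr.arpa is delegated on octet boundaries: networks narrower than a
# /16 are covered by /24 zones (a /23 needs two of them), a /9../16 by /16
# zones, and anything /8 or wider by /8 zones.
def reverse_zones(network, netmask)
  prefix = prefix_from_netmask(netmask)
  zone_bits = prefix > 16 ? 24 : (prefix > 8 ? 16 : 8)
  count = 2**(zone_bits - [prefix, zone_bits].min)
  base = IPAddr.new("#{network}/#{prefix}").to_i >> (32 - zone_bits)
  (0...count).map do |i|
    bits = (base + i).to_s(2).rjust(zone_bits, '0')
    octets = bits.scan(/.{8}/).map { |b| b.to_i(2) }
    (octets.reverse + ['in-addr', 'arpa']).join('.')
  end
end

# The two facts per interface, as reverse(dev) on the slide defines them,
# plus reverse_zones_<dev> listing every reverse zone the network spans.
# Interfaces without a network or netmask fact are skipped instead of raising.
def interface_facts(facts)
  out = {}
  facts['interfaces'].to_s.split(',').each do |dev|
    network = facts["network_#{dev}"]
    netmask = facts["netmask_#{dev}"]
    next if network.nil? || netmask.nil?
    zones = reverse_zones(network, netmask)
    out["network_cidr_#{dev}"]  = network_cidr(network, netmask)
    out["reverse_#{dev}"]       = zones.first
    out["reverse_zones_#{dev}"] = zones.join(',')
  end
  out
end

# Register with facter when loaded as a plugin; a no-op when run stand-alone.
if defined?(Facter)
  live = Hash.new { |_, key| Facter.value(key) }
  interface_facts(live).each do |name, value|
    Facter.add(name) { setcode { value } }
  end
end
```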
Page 45
network_cidr_ethX
reverse_ethX
piggy: network_eth0 192.168.122.0, netmask_eth0 255.255.255.0 -> reverse.rb -> reverse_eth0 122.168.192.in-addr.arpa, network_cidr_eth0 192.168.122.0/24
gonzo: network_eth0 192.168.120.0, netmask_eth0 255.255.254.0 -> reverse.rb -> reverse_eth0 120.168.192.in-addr.arpa, network_cidr_eth0 192.168.120.0/23
Page 46
named.conf.erb
options {
  listen-on port 53 { 127.0.0.1; <%= @ipaddress_eth0 -%>;};
  …
  allow-query { localhost; <%- interfaces.split(',').each do |eth| if has_variable?("network_cidr_#{eth}") then -%><%= scope.lookupvar("network_cidr_#{eth}") -%>;<%- end end -%> };
  …
};
zone "<%= @zone -%>.henson" IN {
  type master;
  file "zone.<%= @zone -%>.henson";
  allow-update { none; };
};
zone "<%= @reverse_eth0 -%>" {
  type master;
  file "reverse.<%= @reverse_eth0 -%>";
};
gonzo: ipaddress 192.168.120.45, network_cidr_eth0 192.168.120.0/23, reverse_eth0 120.168.192.in-addr.arpa, zone prod
Page 47
named.conf.erb
The template rendered on gonzo (network_cidr_eth0 192.168.120.0/23, reverse_eth0 120.168.192.in-addr.arpa, zone prod):
/etc/named.conf
options {
  listen-on port 53 { 127.0.0.1; 192.168.120.45;};
  listen-on-v6 port 53 { ::1; };
  directory "/var/named";
  dump-file "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  allow-query { localhost; 192.168.120.0/23;127.0.0.0/8; };
  recursion yes;
  …
};
zone "prod.henson" IN {
  type master;
  file "zone.prod.henson";
  allow-update { none; };
};
zone "120.168.192.in-addr.arpa" {
  type master;
  file "reverse.120.168.192.in-addr.arpa";
};
Page 48
resolv.conf
class dns::client {
  # pull settings from hiera, sensible defaults
  $domain = hiera('dns::domain','henson')
  $search = hiera('dns::search','henson')
  # include definition of concat for /etc/resolv.conf
  include dns::resolv
  # search the local search value
  concat::fragment{'resolv.conf search':
    target  => '/etc/resolv.conf',
    content => "search $search\n",
    order   => 07,
  }
  # pull in any nameservers (only those exported with our zone's tag)
  Concat::Fragment <<| tag == 'resolv.conf' and tag == "$::zone" |>>
  ...
}
class dns::resolv {
  concat {'/etc/resolv.conf':
    mode => 0644,
  }
}
# export ourselves as a dnsserver
@@concat::fragment {"resolv.conf nameserver $::hostname":
  target  => '/etc/resolv.conf',
  content => "nameserver $::ipaddress\n",
  order   => 10,
  tag     => ['resolv.conf',"$::zone"],
}
Page 49
resolv.conf on gonzo
search corp.henson henson        (from prod.yaml)
nameserver 192.168.120.45        (gonzo)
Page 50
zone (named)
class dns::client {
  ...
  # forward record for this node in zone.henson
  @@concat::fragment {"zone henson $::hostname":
    target  => '/var/named/zone.henson',
    content => "$::hostname A $::ipaddress\n",
    order   => 10,
    tag     => ['zone','henson'],
  }
  # PTR record: last octet of eth0 in the reverse zone of eth0's network.
  # The trailing dot after $::fqdn makes the name absolute; without it named
  # appends the zone's $ORIGIN to it.
  $lastoctet = regsubst($::ipaddress_eth0,'^([0-9]+)[.]([0-9]+)[.]([0-9]+)[.]([0-9]+)$','\4')
  @@concat::fragment {"zone reverse $::reverse_eth0 $::hostname":
    target  => "/var/named/reverse.$::reverse_eth0",
    content => "$lastoctet PTR $::fqdn.\n",
    order   => 10,
    tag     => ['zone','henson'],
  }
}
class dns::server {
  # include zone.henson from everyone else.
  include dns::zones
  Concat::Fragment <<| tag == 'zone' and tag == 'henson' |>>
}
Page 51
zone (named)
kermit: ipaddress 192.168.122.25, hostname kermit
class dns::zones {
  concat {'/var/named/zone.henson':
    mode   => 0644,
    notify => Exec['named reload'],
  }
  concat::fragment {'zone.henson header':
    target => '/var/named/zone.henson',
    source => "puppet:///modules/dns/$::zone/zone.henson",
    order  => 01,
  }
  concat {'/var/named/reverse.120.168.192.in-addr.arpa':
    mode   => 0644,
    notify => Exec['named reload'],
  }
  concat::fragment {'reverse.120.168.192.in-addr.arpa header':
    target => '/var/named/reverse.120.168.192.in-addr.arpa',
    source => 'puppet:///modules/dns/reverse/reverse.120.168.192.in-addr.arpa',
    order  => 01,
  }
  ...
}
Page 53
zone (named) on gonzo
$ORIGIN henson.
$TTL 1D
@   IN  SOA root hostmaster (
        2013060102 ; serial
        8H         ; refresh
        4H         ; retry
        4W         ; expire
        1D )       ; minimum
        NS  jim
        MX  10 jim
;
; just in case someone asks for localhost.henson
localhost   A       127.0.0.1
; CNAMES
puppet      CNAME   jim
jim         A       192.168.122.24
; exported resources below this point
gonzo       A       192.168.120.45
jim         A       192.168.122.24
piggy       A       192.168.122.26
Page 54
zone (named) on gonzo
$ORIGIN 120.168.192.in-addr.arpa.
$TTL 1D
@ IN SOA jim.prod.henson. hostmaster.prod.henson. (
    2013060101 ; serial
    28800      ; refresh (8 hours)
    14400      ; retry (4 hours)
    2419200    ; expire (4 weeks)
    86400      ; minimum (1 day)
    )
; define the authoritative name server
    NS jim.prod.henson.
; static
2   PTR jim.prod.henson.
; exported resources below this point
45  PTR gonzo.prod.henson.
Page 55
dns/summary
● making a new nameserver is as simple as assigning a role to a node
  ○ installs packages
  ○ configures firewall
  ○ updates resolv.conf for every node in that zone
● each new node that gets added to puppet adds itself to the appropriate zone file
  ○ any changes cause a reload
big idea
● nothing is hard coded
● puppet defines the infrastructure
Page 56
Questions
thank you
Page 57
Thanks
Alex, Andre, Bob, Chris, Jeff, Lando(n), Nate, Shawn, Steven, Stuart, Josko, Ben, Theresa
Page 58
references/resources
tools
  ○ http://augeas.net/tour.html
  ○ http://projects.puppetlabs.com/projects/1/wiki/puppet_augeas
  ○ https://github.com/puppetlabs/puppetlabs-firewall
  ○ https://github.com/puppetlabs/puppetlabs-concat
resources
  ○ http://docs.puppetlabs.com/guides/custom_facts.html
  ○ http://docs.puppetlabs.com/guides/exported_resources.html
  ○ http://docs.puppetlabs.com/puppet/2.7/reference/lang_exported.html
  ○ http://projects.puppetlabs.com/projects/1/wiki/Using_Tags
examples
  ○ https://github.com/uphillian/puppetconf2013/
  ○ https://fedorahosted.org/func/
Page 59
bonus
Page 60
func
exported firewall and exec rules
Page 61
func
https://fedorahosted.org/func/
● exported resources
● firewall
Page 62
func
[diagram: certmaster on one side, minion on the other; funcd on the minion listens on 51234, certmaster on the master listens on 51235]
minion.conf
[main]
certmaster = ?
minion.conf
[main]
minion_name = ?
sign certificate
Page 63
func
[diagram: the same certmaster/minion picture, with the answers filled in]
minion.conf
[main]
certmaster = jim
sign certificate
● hard code everything
● push configs with files
● manually sign
● autosign
Page 64
func
class func1::minion {
  package { 'func': }
  service { 'funcd': require => Package['func'] }
  file { '/etc/certmaster/minion.conf':
    source => 'puppet:///func1/etc/certmaster/minion.conf',
    mode   => 644,
    owner  => 0,
    group  => 0,
  }
  # hard coded: 192.168.122.24 is the ipaddress of jim
  firewall { '51234 ACCEPT func from jim':
    action => 'accept',
    source => '192.168.122.24',
    dport  => 51234,
  }
}
/etc/certmaster/minion.conf
# configuration for minions
[main]
certmaster = jim
certmaster_port = 51235
log_level = DEBUG
cert_dir = /etc/pki/certmaster
Page 65
func (exported resources)
[diagram: certmaster on hostA, minion on hostB; hostB opens 51234 to hostA, hostA opens 51235 to hostB, and hostA runs "sign certificate for hostB"]
● dynamically define roles
● push configs with templates
● export firewall rules
● export exec to sign
Page 66
func (exported resources)
class func2::master {
  @@firewall { "51234 ACCEPT func from funcmaster $::hostname":
    action => 'accept',
    source => "$::ipaddress",
    dport  => '51234',
    tag    => 'func_master',
  }
  Firewall <<| tag == 'certmaster_minion' |>>
  # export the config file with our name to the minions
  @@file { '/etc/certmaster/minion.conf':
    mode    => 644,
    content => template('func2/etc/certmaster/minion.conf.erb'),
    tag     => 'func_master',
  }
  package { 'certmaster': }
  service { 'certmaster': require => Package['certmaster'] }
}
/etc/certmaster/minion.conf.erb
# configuration for minions
[main]
certmaster = <%= @fqdn %>
certmaster_port = 51235
log_level = DEBUG
cert_dir = /etc/pki/certmaster
Page 67
func (exported resources)
class func2::minion {
  # allow connections from the func master
  Firewall <<| tag == 'func_master' |>>
  # allow connections from us to the certmaster
  @@firewall { "51235 ACCEPT certmaster from $::hostname":
    action => 'accept',
    source => "$::ipaddress",
    dport  => '51235',
    tag    => 'certmaster_minion',
  }
  package { 'func': }
  service { 'funcd': require => Package['func'] }
  File <<| tag == 'func_master' |>>
}
/etc/certmaster/minion.conf (rendered from minion.conf.erb, as collected on a minion; piggy is the master)
# configuration for minions
[main]
certmaster = piggy
certmaster_port = 51235
log_level = DEBUG
cert_dir = /etc/pki/certmaster
Page 68
func (exported resources)
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 192.168.122.26 0.0.0.0/0 multiport dports 51234 /* 51234 ACCEPT func from funcmaster piggy */
ACCEPT tcp -- 192.168.122.27 0.0.0.0/0 multiport dports 51235 /* 51235 ACCEPT certmaster from gonzo */
ACCEPT tcp -- 192.168.122.24 0.0.0.0/0 multiport dports 51235 /* 51235 ACCEPT certmaster from jim */
ACCEPT tcp -- 192.168.122.25 0.0.0.0/0 multiport dports 51235 /* 51235 ACCEPT certmaster from kermit */
ACCEPT tcp -- 192.168.122.26 0.0.0.0/0 multiport dports 51235 /* 51235 ACCEPT certmaster from piggy */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
class func2::master {
  @@firewall { "51234 ACCEPT func from funcmaster $::hostname":
    action => 'accept',
    source => "$::ipaddress",
    dport  => '51234',
    tag    => 'func_master',
  }
  ...
}
class func2::minion {
  @@firewall { "51235 ACCEPT certmaster from $::hostname":
    action => 'accept',
    source => "$::ipaddress",
    dport  => '51235',
    tag    => 'certmaster_minion',
  }
}
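The listing above is what the two exported firewall declarations produce on piggy, which is the func master and also a minion. As an added example (not code from the talk or its repository), the following Python audit parses such an `iptables -L -n` listing and checks it against the peers the func2 classes are meant to allow. Each collected rule carries the exporting node's $::ipaddress as its source and its $::hostname at the end of the comment, so the two can be cross-checked. NODE_ADDRESSES and EXPECTED_PEERS are constructed assumptions; gonzo's current address is deliberately set to differ from the one in its rule, to show how a stale export looks (a node reinstalled with a new address whose old export is still in PuppetDB).

```python
"""Audit an `iptables -L -n` INPUT chain against the peers that exported
firewall resources are supposed to allow (added example, constructed input)."""
import re
from collections import defaultdict

# Constructed sample: the INPUT chain from the slides.
IPTABLES_INPUT = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.122.26       0.0.0.0/0            multiport dports 51234 /* 51234 ACCEPT func from funcmaster piggy */
ACCEPT     tcp  --  192.168.122.27       0.0.0.0/0            multiport dports 51235 /* 51235 ACCEPT certmaster from gonzo */
ACCEPT     tcp  --  192.168.122.24       0.0.0.0/0            multiport dports 51235 /* 51235 ACCEPT certmaster from jim */
ACCEPT     tcp  --  192.168.122.25       0.0.0.0/0            multiport dports 51235 /* 51235 ACCEPT certmaster from kermit */
ACCEPT     tcp  --  192.168.122.26       0.0.0.0/0            multiport dports 51235 /* 51235 ACCEPT certmaster from piggy */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
"""

# Constructed: the $::ipaddress each node reports today.  gonzo's address is
# deliberately different from the one in its rule, to model a stale export.
NODE_ADDRESSES = {
    "jim": "192.168.122.24",
    "kermit": "192.168.122.25",
    "piggy": "192.168.122.26",
    "gonzo": "192.168.122.28",
}

# Constructed policy from the func2 classes: funcd (51234) is only for the
# func master, certmaster (51235) is for every minion.
EXPECTED_PEERS = {
    51234: {"piggy"},
    51235: {"jim", "kermit", "piggy", "gonzo"},
}

RULE_RE = re.compile(
    r"^(?P<target>\S+)\s+(?P<prot>\S+)\s+\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<rest>.*)$"
)


def parse_rules(listing):
    """Return one dict per ACCEPT rule: prot, src, port (None when the rule has
    no destination-port match), comment (empty when none) and the raw matches."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m or m.group("target") != "ACCEPT":
            continue
        rest = m.group("rest")
        port = re.search(r"(?:dports\s+|dpt:)(\d+)", rest)
        comment = re.search(r"/\*\s*(.*?)\s*\*/", rest)
        rules.append({
            "prot": m.group("prot"),
            "src": m.group("src"),
            "port": int(port.group(1)) if port else None,
            "comment": comment.group(1) if comment else "",
            "matches": rest.strip(),
        })
    return rules


def audit(listing, node_addresses, expected_peers):
    """Return finding strings; an empty list means every managed port is open
    exactly to its expected peers and every comment agrees with its source."""
    findings = []
    seen = defaultdict(set)
    for rule in parse_rules(listing):
        if rule["port"] is None:
            # `-L -n` does not show the interface, so a blanket accept may be the
            # loopback rule or may not: confirm with `-L -n -v` rather than assume.
            if rule["prot"] == "all" and rule["src"] == "0.0.0.0/0" and not rule["matches"]:
                findings.append("blanket ACCEPT from 0.0.0.0/0 with no match: verify it is -i lo")
            continue
        port, src = rule["port"], rule["src"]
        if port not in expected_peers:
            findings.append(f"port {port}: not managed by exported resources, open to {src}")
            continue
        # the resource titles in the slides end with the exporting $::hostname
        host = rule["comment"].split()[-1] if rule["comment"] else ""
        if host not in node_addresses:
            findings.append(f"port {port}: rule from {src} names unknown host '{host}'")
            continue
        if node_addresses[host] != src:
            findings.append(f"port {port}: comment says {host} ({node_addresses[host]}) "
                            f"but source is {src}: stale export?")
        seen[port].add(host)
    for port, hosts in expected_peers.items():
        for host in sorted(hosts - seen[port]):
            findings.append(f"port {port}: expected peer {host} has no rule")
        for host in sorted(seen[port] - hosts):
            findings.append(f"port {port}: unexpected peer {host}")
    return findings
```

On the sample the audit reports three things: gonzo's rule still carries 192.168.122.27 while the node now reports 192.168.122.28 (the old export lingers in PuppetDB until the node is deactivated, for example with `puppet node deactivate`), the blanket accept whose interface `-L -n` does not display, and port 22 as open to the world outside the exported-resource policy. Once gonzo's address is corrected the first finding disappears; remove a minion's line and the audit reports the missing peer instead.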
Page 69
firewall + exported resources
● cluster: allow all traffic from cluster members
● amanda: allow backup servers to move/change
● nagios: only allow your nagios to connect
Page 70
func (exported resources)
class func2::minion {
  ...
  @@exec { "sign certificate for $::fqdn":
    command => "certmaster-ca --sign $::fqdn",
    path    => '/usr/bin:/bin',
    creates => "/var/lib/certmaster/certmaster/certs/${::fqdn}.cert",
    tag     => 'certmaster_sign_minion',
  }
  ...
}
class func2::master {
  ...
  # sign minion keys
  Exec <<| tag == 'certmaster_sign_minion' |>>
  ...
}