path: root/docs/systems/puppet.rst
blob: 699ce527f74b50053ead97d1bd3b75704198d382 (plain)
.. index::
   single: Systems; Puppet

======
Puppet
======

Purpose
=======

This system acts as `Puppet`_ master for infrastructure systems.

.. _Puppet: https://docs.puppet.com/puppet/

Application Links
-----------------

This system has no publicly visible URLs.


Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+---------------+---------------------+
| Application   | Administrator(s)    |
+===============+=====================+
| Puppet server | :ref:`people_jandd` |
+---------------+---------------------+
| PuppetDB      | :ref:`people_jandd` |
+---------------+---------------------+

Contact
-------

* puppet-admin@cacert.org

Additional People
-----------------

* None

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: None
:IP Intranet: None
:IP Internal: :ip:v4:`10.0.0.200`
:IPv6:        :ip:v6:`2001:7b8:616:162:2::200`
:MAC address: :mac:`00:ff:f9:32:9d:2a` (eth0)

.. seealso::

   See :doc:`../network`

.. index::
   single: Monitoring; Puppet

Monitoring
----------

:internal checks: :monitor:`puppet.infra.cacert.org`

DNS
---

.. index::
   single: DNS records; Puppet

.. todo:: setup DNS records (in infra.cacert.org zone)

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+-----------+-----------+------------------------------------------+
| Port     | Service   | Origin    | Purpose                                  |
+==========+===========+===========+==========================================+
| 22/tcp   | ssh       | ANY       | admin console access                     |
+----------+-----------+-----------+------------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA               |
+----------+-----------+-----------+------------------------------------------+
| 5432/tcp | pgsql     | local     | PostgreSQL database for PuppetDB         |
+----------+-----------+-----------+------------------------------------------+
| 8000/tcp | git-hook  | internal  | HTTP endpoint for git-pull-hook          |
+----------+-----------+-----------+------------------------------------------+
| 8140/tcp | puppet    | internal  | Puppet master                            |
+----------+-----------+-----------+------------------------------------------+
| 8080/tcp | puppetdb  | local     | HTTP endpoint for local PuppetDB queries |
+----------+-----------+-----------+------------------------------------------+
| 8081/tcp | puppetdb  | internal  | HTTPS endpoint for PuppetDB              |
+----------+-----------+-----------+------------------------------------------+

Running services
----------------

.. index::
   single: cron
   single: exim
   single: git-pull-hook
   single: openssh
   single: postgresql
   single: puppet agent
   single: puppet server
   single: puppetdb
   single: rsyslog

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| Exim               | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/exim4`              |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| git-pull-hook      | Custom Python3     | init script                            |
|                    | hook to pull git   | :file:`/etc/init.d/git-pull-hook`      |
|                    | changes from the   |                                        |
|                    | cacert-puppet      |                                        |
|                    | repository         |                                        |
+--------------------+--------------------+----------------------------------------+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| PostgreSQL         | PostgreSQL         | init script                            |
|                    | database server    | :file:`/etc/init.d/postgresql`         |
|                    | for PuppetDB       |                                        |
+--------------------+--------------------+----------------------------------------+
| Puppet server      | Puppet master for  | init script                            |
|                    | infrastructure     | :file:`/etc/init.d/puppetserver`       |
|                    | systems            |                                        |
+--------------------+--------------------+----------------------------------------+
| Puppet agent       | local Puppet agent | init script                            |
|                    |                    | :file:`/etc/init.d/puppet`             |
+--------------------+--------------------+----------------------------------------+
| PuppetDB           | PuppetDB for       | init script                            |
|                    | querying Puppet    | :file:`/etc/init.d/puppetdb`           |
|                    | facts and nodes    |                                        |
|                    | and resources      |                                        |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+

Databases
---------

+-------------+----------+-------------------+
| RDBMS       | Name     | Used for          |
+=============+==========+===================+
| PostgreSQL  | puppetdb | PuppetDB database |
+-------------+----------+-------------------+

Connected Systems
-----------------

* :doc:`bugs`
* :doc:`emailout`
* :doc:`ircserver`
* :doc:`issue`
* :doc:`jenkins`
* :doc:`monitor`
* :doc:`motion`
* :doc:`proxyin`
* :doc:`proxyout`
* :doc:`svn`
* :doc:`translations`
* :doc:`web`
* :doc:`webstatic`
* :doc:`git` for triggering the git-pull-hook on newly pushed commits to the
  cacert-puppet repository

Outbound network connections
----------------------------

* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`git` to fetch new commits from the cacert-puppet repository
* :doc:`proxyout` as HTTP proxy for APT
* forgeapi.puppet.com for Puppet forge access
* rubygems.org for Puppet specific Ruby gems

Security
========

.. sshkeys::
   :RSA:     SHA256:PPEZkD7ezGStENYmE9/RftHqJyy6cC9IN6zw63OvJTM MD5:54:57:b0:09:46:ba:56:95:5e:e3:35:df:28:27:ed:c5
   :ECDSA:   SHA256:3U1CVC9YAKmF9W5SDLibwP1A9MVSb5ltVN7nYNOE15o MD5:29:06:f1:71:8d:65:3e:39:7c:49:69:16:8d:99:97:15
   :ED25519: SHA256:AkqMLLEtMbAEuxniRRDgd7TItD+pb9hsbpn5Ab81+IM MD5:53:dc:e7:4d:25:89:a8:d5:5a:24:0b:06:3f:41:cd:4d

Non-distribution packages and modifications
-------------------------------------------

The Puppet server, Puppet agent and PuppetDB packages and a few dependencies
are installed from the official Puppet APT repository because the versions
in Debian are too old to use modern Puppet features.

Some Ruby gems are installed via the Puppet-specific :program:`gem` binary to
support advanced Puppet functionality like hiera-eyaml.

All Puppet related code is installed in the Puppet-specific
:file:`/opt/puppetlabs` tree.

Risk assessments on critical packages
-------------------------------------

The system uses third party packages with a good security track record and
regular updates. The attack surface is small due to the tightly restricted
access to the system.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

Puppet comes with its own built-in special-purpose CA that is used to sign the
Puppet server and PuppetDB certificates as well as the certificates of all
trusted Puppet agents.

The CA data is stored in :file:`/etc/puppetlabs/puppet/ssl` and managed by
Puppet itself.

Eyaml private key
-----------------

All sensitive data like passwords in Hiera data is encrypted using the public
key in :file:`keys/public_key.pkcs7.pem` in the `CAcert puppet Git repository
<ssh://git.cacert.org/var/cache/git/cacert-puppet.git>`_. The corresponding
private key is stored in
:file:`/etc/puppetlabs/code/environments/production/keys/private_key.pkcs7.pem`.

Hiera configuration
-------------------

Puppet uses Hiera for hierarchical information retrieval. The global Hiera
configuration is stored in :file:`/etc/puppetlabs/puppet/hiera.yaml` and
defines the hierarchy lookup as well as the eyaml key locations.

Puppet configuration
--------------------

All Puppet configuration is stored in :file:`/etc/puppetlabs/`. The CAcert
specific Puppet code is taken from the `CAcert puppet Git repository
<ssh://git.cacert.org/var/cache/git/cacert-puppet.git>`_ and cloned into the
:file:`/etc/puppetlabs/code/environments/production/` directory. Required
Puppet modules are installed by :program:`/opt/puppetlabs/puppet/bin/r10k`.

The Puppet code should follow best practices like the Roles and Profiles
pattern (see references below) and code/data separation via Hiera.

Updates to the cacert-puppet repository trigger a webhook listening on TCP
port 8000 that automatically updates the production environment directory.
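The following is an added illustration, not the code of the git-pull-hook
deployed on this system (which this page does not include): the request
authentication a hook on port 8000 should perform before it touches the
production environment directory. The shared secret, the signature header,
the JSON payload format with a ``ref`` field, the branch name and the
``r10k puppetfile install`` step are assumptions made for the example.

```python
import hashlib
import hmac
import json
import subprocess

# Assumed values for the example; the real hook's secret, payload format and
# deployed branch are not documented on this page.
SECRET = b"replace-with-shared-secret"
ENV_DIR = "/etc/puppetlabs/code/environments/production"
R10K = "/opt/puppetlabs/puppet/bin/r10k"
PRODUCTION_REF = "refs/heads/master"

# Constructed sample payloads, in the shape the example assumes.
SAMPLE_PUSH = b'{"ref": "refs/heads/master"}'
SAMPLE_OTHER_BRANCH = b'{"ref": "refs/heads/feature"}'


def sign(body: bytes, secret: bytes = SECRET) -> str:
    """Hex HMAC-SHA256 over the raw request body (what the sender would put in the header)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def signature_valid(body: bytes, header_value: str, secret: bytes = SECRET) -> bool:
    """Constant-time comparison, so a forged header cannot be matched byte by byte."""
    return hmac.compare_digest(sign(body, secret), header_value.strip().lower())


def plan_update(body: bytes, header_value: str):
    """Return the commands to run for an authenticated push to the production
    branch, or None if the request must be ignored. Nothing is executed here."""
    if not signature_valid(body, header_value):
        return None
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    if payload.get("ref") != PRODUCTION_REF:
        return None  # pushes to other branches must not alter production
    return [
        ["git", "-C", ENV_DIR, "pull", "--ff-only"],
        [R10K, "puppetfile", "install"],
    ]


def run_update(body: bytes, header_value: str) -> bool:
    """Execute the planned commands inside the environment directory."""
    cmds = plan_update(body, header_value)
    if cmds is None:
        return False
    for cmd in cmds:
        subprocess.run(cmd, cwd=ENV_DIR, check=True)
    return True
```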

Tasks
=====

.. todo:: add a section to describe how to add a system for puppet management

Changes
=======

Planned
-------

* migrate as many systems as possible to use Puppet for a more
  reproducible/auditable system setup

System Future
-------------

* Improve setup, use more widely

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`

References
----------

* https://docs.puppet.com/puppet/
* https://puppet.com/blog/encrypt-your-data-using-hiera-eyaml
* https://docs.puppet.com/pe/2016.5/r_n_p_full_example.html