Update Debian release information
File: docs/systems/puppet.rst (cacert-infradocs.git)
.. index::
   single: Systems; Puppet

======
Puppet
======

Purpose
=======

This system acts as `Puppet`_ master for infrastructure systems.

.. _Puppet: https://docs.puppet.com/puppet/

Application Links
-----------------

This system has no publicly visible URLs.
19
20
21 Administration
22 ==============
23
24 System Administration
25 ---------------------
26
27 * Primary: :ref:`people_jandd`
28 * Secondary: None
29
30 .. todo:: find an additional admin
31
32 Application Administration
33 --------------------------
34
35 +---------------+---------------------+
36 | Application | Administrator(s) |
37 +===============+=====================+
38 | Puppet server | :ref:`people_jandd` |
39 +---------------+---------------------+
40 | PuppetDB | :ref:`people_jandd` |
41 +---------------+---------------------+
42
43 Contact
44 -------
45
46 * puppet-admin@cacert.org
47
48 Additional People
49 -----------------
50
51 * None
52
Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: None
:IP Intranet: None
:IP Internal: :ip:v4:`10.0.0.200`
:IPv6: :ip:v6:`2001:7b8:616:162:2::200`
:MAC address: :mac:`00:ff:f9:32:9d:2a` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Puppet

.. todo:: setup DNS records (in infra.cacert.org zone)

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Jessie
   single: Debian GNU/Linux; 8.8

* Debian GNU/Linux 8.8

Applicable Documentation
------------------------

This is it :-)
100
Services
========

Listening services
------------------

+----------+-----------+-----------+------------------------------------------+
| Port     | Service   | Origin    | Purpose                                  |
+==========+===========+===========+==========================================+
| 22/tcp   | ssh       | ANY       | admin console access                     |
+----------+-----------+-----------+------------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA               |
+----------+-----------+-----------+------------------------------------------+
| 5432/tcp | pgsql     | local     | PostgreSQL database for PuppetDB         |
+----------+-----------+-----------+------------------------------------------+
| 8140/tcp | puppet    | internal  | Puppet master                            |
+----------+-----------+-----------+------------------------------------------+
| 8080/tcp | puppetdb  | local     | HTTP endpoint for local PuppetDB queries |
+----------+-----------+-----------+------------------------------------------+
| 8081/tcp | puppetdb  | internal  | HTTPS endpoint for PuppetDB              |
+----------+-----------+-----------+------------------------------------------+
122
Running services
----------------

.. index::
   single: Exim
   single: PostgreSQL
   single: Puppet agent
   single: Puppet server
   single: Puppetdb
   single: cron
   single: openssh
   single: rsyslogd

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+
| PostgreSQL         | PostgreSQL         | init script                            |
|                    | database server    | :file:`/etc/init.d/postgresql`         |
|                    | for PuppetDB       |                                        |
+--------------------+--------------------+----------------------------------------+
| Exim               | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/exim4`              |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Puppet server      | Puppet master for  | init script                            |
|                    | infrastructure     | :file:`/etc/init.d/puppetserver`       |
|                    | systems            |                                        |
+--------------------+--------------------+----------------------------------------+
| Puppet agent       | local Puppet agent | init script                            |
|                    |                    | :file:`/etc/init.d/puppet`             |
+--------------------+--------------------+----------------------------------------+
| Puppet DB          | PuppetDB for       | init script                            |
|                    | querying Puppet    | :file:`/etc/init.d/puppetdb`           |
|                    | facts and nodes    |                                        |
|                    | and resources      |                                        |
+--------------------+--------------------+----------------------------------------+
168
Databases
---------

+-------------+----------+-------------------+
| RDBMS       | Name     | Used for          |
+=============+==========+===================+
| PostgreSQL  | puppetdb | PuppetDB database |
+-------------+----------+-------------------+

Connected Systems
-----------------

* :doc:`svn`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates
* apt.puppetlabs.com as Debian repository for Puppet packages
* forgeapi.puppet.com for Puppet Forge access
* rubygems.org for Puppet specific Ruby gems
193
Security
========

.. sshkeys::
   :RSA: 5b:50:09:cf:e8:46:a4:a7:d8:00:85:3d:ec:85:b0:9d
   :DSA: fb:6f:e4:96:62:09:8c:08:a8:d6:9b:d5:08:d2:e9:ad
   :ECDSA: 71:44:f9:39:ef:0c:f8:1c:ae:05:8d:a1:07:05:69:f7
   :ED25519: c5:84:7a:dd:40:a9:2d:67:57:a0:0b:dc:60:3d:cc:22


Non-distribution packages and modifications
-------------------------------------------

The Puppet server, Puppet agent and PuppetDB packages and a few dependencies
are installed from the official Puppet APT repository because the versions
in Debian are too old to use modern Puppet features.

Some Ruby gems are installed via the Puppet specific gem binary to support
advanced Puppet functionality like hiera-eyaml.

All Puppet related code is installed in the Puppet specific
:file:`/opt/puppetlabs` tree.
216
217
Risk assessments on critical packages
-------------------------------------

The system uses third party packages with a good security track record and
regular updates. The attack surface is small because access to the system is
tightly restricted.
224
225
Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

Puppet comes with its own built-in special purpose CA that is used to sign the
Puppet server and PuppetDB certificates as well as the certificates of all
trusted Puppet agents.

The CA data is stored in :file:`/etc/puppetlabs/puppet/ssl` and managed by
Puppet itself.
238
239
Eyaml private key
-----------------

All sensitive data like passwords in Hiera data is encrypted using the public
key in :file:`keys/public_key.pkcs7.pem` in the `CAcert puppet Git repository
<ssh://git.cacert.org/var/cache/git/cacert-puppet.git>`_. The corresponding
private key is stored in
:file:`/etc/puppetlabs/code/environments/production/keys/private_key.pkcs7.pem`.


hiera configuration
-------------------

Puppet uses Hiera for hierarchical information retrieval. The global Hiera
configuration is stored in :file:`/etc/puppetlabs/puppet/hiera.yaml` and
defines the hierarchy lookup as well as the eyaml key locations.
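As an added illustration of the two sections above (not the configuration from the CAcert repository), a Hiera 5 style global ``hiera.yaml`` that wires the eyaml backend to the key pair at the paths named on this page; the ``hieradata`` directory and the hierarchy levels are assumptions:

```yaml
---
# Added example of /etc/puppetlabs/puppet/hiera.yaml (not the CAcert file).
# Hiera 5 format; datadir and hierarchy levels are assumptions.
version: 5

defaults:
  datadir: /etc/puppetlabs/code/environments/production/hieradata
  data_hash: yaml_data

hierarchy:
  # Encrypted values first. Only the public key is committed to Git; the
  # private key exists solely on the Puppet master at the path below.
  - name: "Encrypted per-node and common data"
    lookup_key: eyaml_lookup_key
    paths:
      - "secrets/nodes/%{trusted.certname}.eyaml"
      - "secrets/common.eyaml"
    options:
      pkcs7_private_key: /etc/puppetlabs/code/environments/production/keys/private_key.pkcs7.pem
      pkcs7_public_key: /etc/puppetlabs/code/environments/production/keys/public_key.pkcs7.pem

  # Plain YAML data, keyed on the agent's certificate name (signed by the
  # Puppet CA) rather than a self-reported fact, so a node only reaches
  # its own per-node file.
  - name: "Per-node and common data"
    paths:
      - "nodes/%{trusted.certname}.yaml"
      - "common.yaml"
```

Values can be encrypted on any workstation with ``eyaml encrypt`` and the public key alone; the private key file needs to be readable only by the account the Puppet server runs as.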
256
257
puppet configuration
--------------------

All Puppet configuration is stored in :file:`/etc/puppetlabs/`. The CAcert
specific Puppet code is taken from the `CAcert puppet Git repository
<ssh://git.cacert.org/var/cache/git/cacert-puppet.git>`_ and cloned to the
:file:`/etc/puppetlabs/code/environments/production/` directory. Required
Puppet modules are installed by :program:`/opt/puppetlabs/puppet/bin/r10k`.

The Puppet code should follow best practices like the Roles and profiles
pattern (see references below) and code/data separation via Hiera.
269
270
Tasks
=====

Planned
-------

* migrate as many systems as possible to use Puppet for a more
  reproducible/auditable system setup
* automate updates of the Puppet code from Git

.. todo:: implement a webhook on the Puppet machine that triggers a git pull and an r10k run

Changes
=======

System Future
-------------

* Improve setup, use more widely

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`

References
----------

* https://docs.puppet.com/puppet/
* https://puppet.com/blog/encrypt-your-data-using-hiera-eyaml
* https://docs.puppet.com/pe/2016.5/r_n_p_full_example.html