Update admin information for bugs
[cacert-infradocs.git] / docs / systems / puppet.rst
.. index::
   single: Systems; Puppet

======
Puppet
======

Purpose
=======

This system acts as `Puppet`_ master for infrastructure systems.

.. _Puppet: https://docs.puppet.com/puppet/

Application Links
-----------------

This system has no publicly visible URLs.


Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+---------------+---------------------+
| Application   | Administrator(s)    |
+===============+=====================+
| Puppet server | :ref:`people_jandd` |
+---------------+---------------------+
| PuppetDB      | :ref:`people_jandd` |
+---------------+---------------------+

Contact
-------

* puppet-admin@cacert.org

Additional People
-----------------

* None

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: None
:IP Intranet: None
:IP Internal: :ip:v4:`10.0.0.200`
:IPv6: :ip:v6:`2001:7b8:616:162:2::200`
:MAC address: :mac:`00:ff:f9:32:9d:2a` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Puppet

.. todo:: setup DNS records (in infra.cacert.org zone)

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+-----------+-----------+------------------------------------------+
| Port     | Service   | Origin    | Purpose                                  |
+==========+===========+===========+==========================================+
| 22/tcp   | ssh       | ANY       | admin console access                     |
+----------+-----------+-----------+------------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA               |
+----------+-----------+-----------+------------------------------------------+
| 5432/tcp | pgsql     | local     | PostgreSQL database for PuppetDB         |
+----------+-----------+-----------+------------------------------------------+
| 8140/tcp | puppet    | internal  | Puppet master                            |
+----------+-----------+-----------+------------------------------------------+
| 8080/tcp | puppetdb  | local     | HTTP endpoint for local PuppetDB queries |
+----------+-----------+-----------+------------------------------------------+
| 8081/tcp | puppetdb  | internal  | HTTPS endpoint for PuppetDB              |
+----------+-----------+-----------+------------------------------------------+
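The table above is the allowlist an administrator would check a running host against. The following shell script is an added example (not part of the CAcert infradocs) that reduces the output of ``ss -ltn`` to port/protocol tokens, reports listeners the table does not mention, and reports documented ports that nothing is listening on. The sample ``ss`` output, the extra listener on 9999/tcp and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the CAcert infradocs: reconcile the documented
# listening services with the sockets a host actually has open.
# Input is the output of `ss -ltn` (TCP listeners, numeric ports); the local
# address is the 4th column and the header line starts with "State".

# Allowlist taken from the documented table of listening services.
DOCUMENTED_PORTS="22/tcp 25/tcp 5432/tcp 8140/tcp 8080/tcp 8081/tcp"

# Constructed sample of `ss -ltn` output (not captured from a real host):
# the documented listeners plus an undocumented one on 9999/tcp.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      20     127.0.0.1:25       0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
LISTEN 0      50     *:8140             *:*
LISTEN 0      50     127.0.0.1:8080     0.0.0.0:*
LISTEN 0      50     [::]:8081          [::]:*
LISTEN 0      128    0.0.0.0:9999       0.0.0.0:*'

# Reduce ss output on stdin to one "port/tcp" token per listener. The port is
# whatever follows the last colon, so IPv4, bracketed IPv6 and "*" all work.
listening_ports() {
  awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] "/tcp" }'
}

# Print listeners (from ss output on stdin) that the documentation does not
# mention. Returns 0 when everything is documented, 1 otherwise.
undocumented_listeners() {
  status=0
  for p in $(listening_ports); do
    case " $DOCUMENTED_PORTS " in
      *" $p "*) ;;
      *) echo "$p"; status=1 ;;
    esac
  done
  return "$status"
}

# Print documented ports that nothing is listening on (stale table or a
# stopped service). Returns 0 when all documented ports are open, 1 otherwise.
missing_listeners() {
  actual=" $(listening_ports | tr '\n' ' ') "
  status=0
  for p in $DOCUMENTED_PORTS; do
    case "$actual" in
      *" $p "*) ;;
      *) echo "$p"; status=1 ;;
    esac
  done
  return "$status"
}

# Run the undocumented-listener check over the constructed sample. On a real
# host use:  ss -ltn | undocumented_listeners ; ss -ltn | missing_listeners
check_sample() {
  printf '%s\n' "$SAMPLE_SS_OUTPUT" | undocumented_listeners
}
```

Both functions exit non-zero when they find a discrepancy, so they can be dropped into a cron job or a monitoring check as they are; the origin column of the table (local vs. internal) is not checked here and would need the bound address as well.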

Running services
----------------

.. index::
   single: cron
   single: exim
   single: openssh
   single: postgresql
   single: puppet agent
   single: puppet server
   single: puppetdb
   single: rsyslog

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| Exim               | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/exim4`              |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| PostgreSQL         | PostgreSQL         | init script                            |
|                    | database server    | :file:`/etc/init.d/postgresql`         |
|                    | for PuppetDB       |                                        |
+--------------------+--------------------+----------------------------------------+
| Puppet server      | Puppet master for  | init script                            |
|                    | infrastructure     | :file:`/etc/init.d/puppetserver`       |
|                    | systems            |                                        |
+--------------------+--------------------+----------------------------------------+
| Puppet agent       | local Puppet agent | init script                            |
|                    |                    | :file:`/etc/init.d/puppet`             |
+--------------------+--------------------+----------------------------------------+
| PuppetDB           | PuppetDB for       | init script                            |
|                    | querying Puppet    | :file:`/etc/init.d/puppetdb`           |
|                    | facts and nodes    |                                        |
|                    | and resources      |                                        |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+

Databases
---------

+-------------+----------+-------------------+
| RDBMS       | Name     | Used for          |
+=============+==========+===================+
| PostgreSQL  | puppetdb | PuppetDB database |
+-------------+----------+-------------------+

Connected Systems
-----------------

* :doc:`bugs`
* :doc:`ircserver`
* :doc:`jenkins`
* :doc:`monitor`
* :doc:`motion`
* :doc:`proxyin`
* :doc:`proxyout`
* :doc:`svn`
* :doc:`translations`
* :doc:`web`
* :doc:`webstatic`

Outbound network connections
----------------------------

* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`proxyout` as HTTP proxy for APT
* forgeapi.puppet.com for Puppet forge access
* rubygems.org for Puppet specific Ruby gems

Security
========

.. sshkeys::
   :RSA: SHA256:PPEZkD7ezGStENYmE9/RftHqJyy6cC9IN6zw63OvJTM MD5:54:57:b0:09:46:ba:56:95:5e:e3:35:df:28:27:ed:c5
   :ECDSA: SHA256:3U1CVC9YAKmF9W5SDLibwP1A9MVSb5ltVN7nYNOE15o MD5:29:06:f1:71:8d:65:3e:39:7c:49:69:16:8d:99:97:15
   :ED25519: SHA256:AkqMLLEtMbAEuxniRRDgd7TItD+pb9hsbpn5Ab81+IM MD5:53:dc:e7:4d:25:89:a8:d5:5a:24:0b:06:3f:41:cd:4d
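The fingerprints listed above are what an administrator compares against when ssh warns about an unknown or changed host key. The script below is an added example (not part of the CAcert infradocs) that recomputes both fingerprint forms from a public key file using only ``openssl``, so a key obtained out of band (for instance ``/etc/ssh/ssh_host_ed25519_key.pub`` read from the container console) can be checked against this page without relying on ``ssh-keygen`` or on the network path. The public key line in the script is constructed and is not one of the real host keys; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the CAcert infradocs: recompute OpenSSH host key
# fingerprints in the SHA256 and MD5 forms used in the documentation and
# compare them with a documented value, using only openssl.

# Constructed ed25519 public key line for demonstration; NOT a real host key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIQ29uc3RydWN0ZWRFeGFtcGxlS2V5Tm90UmVhbDAwMDA example@host'

# OpenSSH fingerprints hash the raw key blob, i.e. the decoded base64 field of
# the public key line, not the text line itself.
key_blob() {
  printf '%s' "$1" | awk '{ printf "%s", $2 }' | openssl base64 -d -A
}

# SHA256 form: base64 of the digest with '=' padding removed, as ssh-keygen -l
# prints it.
fp_sha256() {
  printf 'SHA256:%s\n' "$(key_blob "$1" | openssl dgst -sha256 -binary \
    | openssl base64 -A | sed 's/=*$//')"
}

# MD5 form: colon separated lowercase hex, as ssh-keygen -l -E md5 prints it.
fp_md5() {
  printf 'MD5:%s\n' "$(key_blob "$1" | openssl dgst -md5 -c | sed 's/^.*= *//')"
}

# Compare a public key line against a documented fingerprint in either form.
# Returns 0 on match, 1 on mismatch, 2 if the expected value is unparseable.
verify_hostkey() {
  pubkey=$1
  expected=$2
  case "$expected" in
    SHA256:*) actual=$(fp_sha256 "$pubkey") ;;
    MD5:*)    actual=$(fp_md5 "$pubkey") ;;
    *) echo "unknown fingerprint format: $expected" >&2; return 2 ;;
  esac
  [ "$actual" = "$expected" ]
}
```

On the host itself the same check reads ``verify_hostkey "$(cat /etc/ssh/ssh_host_ed25519_key.pub)" 'SHA256:...'`` with the value from the sshkeys block; the MD5 form is kept only because older clients still print it, and a match on the SHA256 form is the one to rely on.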

Non-distribution packages and modifications
-------------------------------------------

The Puppet server, Puppet agent and PuppetDB packages and a few dependencies
are installed from the official Puppet APT repository because the versions
in Debian are too old to use modern Puppet features.

Some Ruby gems are installed via the Puppet-specific :program:`gem` binary to
support advanced Puppet functionality like hiera-eyaml.

All Puppet-related code is installed in the Puppet-specific
:file:`/opt/puppetlabs` tree.

Risk assessments on critical packages
-------------------------------------

The system uses third party packages with a good security track record and
regular updates. The attack surface is small due to the tightly restricted
access to the system.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

Puppet comes with its own built-in special-purpose CA that is used to sign the
Puppet server and PuppetDB certificates as well as the certificates of all
trusted Puppet agents.

The CA data is stored in :file:`/etc/puppetlabs/puppet/ssl` and managed by
Puppet itself.


Eyaml private key
-----------------

All sensitive data like passwords in Hiera data is encrypted using the public
key in :file:`keys/public_key.pkcs7.pem` in the `CAcert puppet Git repository
<ssh://git.cacert.org/var/cache/git/cacert-puppet.git>`_. The corresponding
private key is stored in
:file:`/etc/puppetlabs/code/environments/production/keys/private_key.pkcs7.pem`.


hiera configuration
-------------------

Puppet uses Hiera for hierarchical information retrieval. The global Hiera
configuration is stored in :file:`/etc/puppetlabs/puppet/hiera.yaml` and
defines the hierarchy lookup as well as the eyaml key locations.
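The key pair named in the Eyaml private key section, and referenced by the eyaml key locations in ``hiera.yaml``, is an ordinary RSA key plus a self-signed certificate, and an encrypted Hiera value is a PKCS7 enveloped-data structure wrapped in ``ENC[PKCS7,...]``. The script below is an added example (not part of the CAcert infradocs and not hiera-eyaml's own code) that reproduces that format with ``openssl`` so the role of each key file is visible: encryption needs only the public half that lives in Git, decryption needs the private half that only the Puppet master holds. The key file names follow the page; the directory is a temporary one created by the script, and the secrets are constructed.

```shell
#!/bin/sh
# Added example, not part of the CAcert infradocs or of hiera-eyaml: reproduce
# the PKCS7 encryption hiera-eyaml performs with public_key.pkcs7.pem /
# private_key.pkcs7.pem, using only openssl. Keys are written to a temporary
# directory (assumption for the example); on the master they live under
# /etc/puppetlabs/code/environments/production/keys/.

WORKDIR=$(mktemp -d)
KEYDIR="$WORKDIR/keys"

# Equivalent of `eyaml createkeys`: an RSA key and a self-signed certificate.
# eyaml calls the public half public_key.pkcs7.pem although it is a
# certificate, because PKCS7 enveloping addresses recipients by certificate.
create_keys() {
  mkdir -p "$KEYDIR"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj '/CN=eyaml example' \
    -keyout "$KEYDIR/private_key.pkcs7.pem" \
    -out "$KEYDIR/public_key.pkcs7.pem" 2>/dev/null
  # The private key never enters Git; only the master's puppet user reads it.
  chmod 0400 "$KEYDIR/private_key.pkcs7.pem"
}

# Encrypt one value the way eyaml does: PKCS7 enveloped data (a fresh
# AES-256-CBC content key wrapped with the recipient's RSA key), DER encoded,
# then base64 on a single line. Only the certificate from Git is needed, so
# anyone with a clone of the puppet repository can add a secret.
eyaml_encrypt() {
  blob=$(printf '%s' "$1" \
    | openssl smime -encrypt -binary -aes256 -outform DER \
        "$KEYDIR/public_key.pkcs7.pem" \
    | openssl base64 -A)
  printf 'ENC[PKCS7,%s]\n' "$blob"
}

# Decrypt an ENC[PKCS7,...] value. This needs the private key, so a copy of
# the Hiera data alone (e.g. from a leaked repository) reveals nothing.
eyaml_decrypt() {
  printf '%s' "$1" | sed 's/^ENC\[PKCS7,//; s/]$//' \
    | openssl base64 -d -A \
    | openssl smime -decrypt -inform DER \
        -recip "$KEYDIR/public_key.pkcs7.pem" \
        -inkey "$KEYDIR/private_key.pkcs7.pem"
}

# Generate keys, encrypt a constructed secret and decrypt it again; prints the
# recovered plaintext.
roundtrip() {
  create_keys
  enc=$(eyaml_encrypt "$1")
  eyaml_decrypt "$enc"
}
```

Because the content key is generated per call, encrypting the same secret twice yields different ``ENC[PKCS7,...]`` blobs, which is why a changed ciphertext in a Git diff does not by itself mean the secret changed; and because the private key is only ever read on the master, rotating it means re-encrypting every value in the Hiera data with the new certificate.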


puppet configuration
--------------------

All puppet configuration is stored in :file:`/etc/puppetlabs/`. The CAcert
specific puppet code is taken from the `CAcert puppet Git repository
<ssh://git.cacert.org/var/cache/git/cacert-puppet.git>`_ and cloned into the
:file:`/etc/puppetlabs/code/environments/production/` directory. Required
Puppet modules are installed by :program:`/opt/puppetlabs/puppet/bin/r10k`.

The puppet code should follow best practices like the Roles and profiles
pattern (see references below) and code/data separation via Hiera.


Tasks
=====

Planned
-------

* migrate as many systems as possible to use Puppet for a more
  reproducible/auditable system setup
* automate updates of the Puppet code from Git

.. todo:: implement a webhook on the puppet machine that triggers a git pull and an r10k run

Changes
=======

System Future
-------------

* Improve setup, use more widely

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`

References
----------

* https://docs.puppet.com/puppet/
* https://puppet.com/blog/encrypt-your-data-using-hiera-eyaml
* https://docs.puppet.com/pe/2016.5/r_n_p_full_example.html