c760d1ea62021b9e4824069f1a9833f8482539cc
[cacert-infradocs.git] / docs / systems / puppet.rst
.. index::
   single: Systems; Puppet

======
Puppet
======

Purpose
=======

This system acts as `Puppet`_ master for infrastructure systems.

.. _Puppet: https://docs.puppet.com/puppet/

Application Links
-----------------

This system has no publicly visible URLs.


Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+---------------+---------------------+
| Application   | Administrator(s)    |
+===============+=====================+
| Puppet server | :ref:`people_jandd` |
+---------------+---------------------+
| PuppetDB      | :ref:`people_jandd` |
+---------------+---------------------+

Contact
-------

* puppet-admin@cacert.org

Additional People
-----------------

* None

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: None
:IP Intranet: None
:IP Internal: :ip:v4:`10.0.0.200`
:IPv6: :ip:v6:`2001:7b8:616:162:2::200`
:MAC address: :mac:`00:ff:f9:32:9d:2a` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Puppet

.. todo:: set up DNS records (in infra.cacert.org zone)

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+-----------+-----------+------------------------------------------+
| Port     | Service   | Origin    | Purpose                                  |
+==========+===========+===========+==========================================+
| 22/tcp   | ssh       | ANY       | admin console access                     |
+----------+-----------+-----------+------------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA               |
+----------+-----------+-----------+------------------------------------------+
| 5432/tcp | pgsql     | local     | PostgreSQL database for PuppetDB         |
+----------+-----------+-----------+------------------------------------------+
| 8140/tcp | puppet    | internal  | Puppet master                            |
+----------+-----------+-----------+------------------------------------------+
| 8080/tcp | puppetdb  | local     | HTTP endpoint for local PuppetDB queries |
+----------+-----------+-----------+------------------------------------------+
| 8081/tcp | puppetdb  | internal  | HTTPS endpoint for PuppetDB              |
+----------+-----------+-----------+------------------------------------------+

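The "Origin" column above is only useful if the host really binds the "local" ports to loopback. The following shell function, an added check that is not part of this page or of the CAcert infrastructure code, turns the table into a policy and audits ``ss -ltn`` style output against it: ports documented as ``local`` must be bound to ``127.0.0.1`` or ``[::1]``, and any listening port missing from the table is reported as undocumented. It assumes a POSIX ``awk`` and the ``ss`` column layout (state, queues, local address:port, peer); the sample lines at the end are constructed, not captured from the host.

```shell
#!/bin/sh
# Added example (not from the CAcert infradocs): audit listening sockets
# against the "Listening services" table. Feed it `ss -H -ltn` output; a
# header line from plain `ss -ltn` is tolerated and skipped.

# port:origin pairs copied from the listening services table
EXPECTED='22:ANY;25:local;5432:local;8140:internal;8080:local;8081:internal'

# Reads ss lines on stdin, prints one finding per line, exit status 1 if any.
check_listeners() {
    awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, rows, ";")
            for (i = 1; i <= n; i++) { split(rows[i], f, ":"); origin[f[1]] = f[2] }
            bad = 0
        }
        $1 == "State" { next }                     # tolerate a header line
        {
            # column 4 is Local Address:Port, e.g. 127.0.0.1:5432, [::1]:8080, *:22
            addr = $4
            port = addr; sub(/.*:/, "", port)      # text after the last colon
            host = addr; sub(/:[0-9]+$/, "", host) # text before the final :port
            if (!(port in origin)) {
                print "UNDOCUMENTED port " port " bound on " host; bad = 1; next
            }
            loopback = (host == "127.0.0.1" || host == "[::1]")
            if (origin[port] == "local" && !loopback) {
                print "EXPOSED port " port " (documented as local) bound on " host; bad = 1
            }
        }
        END { exit bad }
    '
}

# Constructed sample: PuppetDB HTTP (8080) mistakenly bound to all interfaces
# and an undocumented service listening on 3000.
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 *:8140 *:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 10.0.0.200:8081 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3000 0.0.0.0:*'

printf '%s\n' "$SAMPLE" | check_listeners || echo "-> findings above need attention"
```

On the real host run ``ss -H -ltn | check_listeners`` from a cron job or a Puppet-managed check script; a non-zero exit is the signal to compare the host with this page and fix whichever of the two is wrong.
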
Running services
----------------

.. index::
   single: Exim
   single: PostgreSQL
   single: Puppet agent
   single: Puppet server
   single: Puppetdb
   single: cron
   single: openssh
   single: rsyslog

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+
| PostgreSQL         | PostgreSQL         | init script                            |
|                    | database server    | :file:`/etc/init.d/postgresql`         |
|                    | for PuppetDB       |                                        |
+--------------------+--------------------+----------------------------------------+
| Exim               | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/exim4`              |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Puppet server      | Puppet master for  | init script                            |
|                    | infrastructure     | :file:`/etc/init.d/puppetserver`       |
|                    | systems            |                                        |
+--------------------+--------------------+----------------------------------------+
| Puppet agent       | local Puppet agent | init script                            |
|                    |                    | :file:`/etc/init.d/puppet`             |
+--------------------+--------------------+----------------------------------------+
| Puppet DB          | PuppetDB for       | init script                            |
|                    | querying Puppet    | :file:`/etc/init.d/puppetdb`           |
|                    | facts and nodes    |                                        |
|                    | and resources      |                                        |
+--------------------+--------------------+----------------------------------------+

Databases
---------

+-------------+----------+-------------------+
| RDBMS       | Name     | Used for          |
+=============+==========+===================+
| PostgreSQL  | puppetdb | PuppetDB database |
+-------------+----------+-------------------+

Connected Systems
-----------------

* :doc:`jenkins`
* :doc:`motion`
* :doc:`proxyin`
* :doc:`proxyout`
* :doc:`svn`
* :doc:`translations`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`proxyout` as HTTP proxy for APT
* forgeapi.puppet.com for Puppet Forge access
* rubygems.org for Puppet-specific Ruby gems

Security
========

.. sshkeys::
   :RSA: SHA256:PPEZkD7ezGStENYmE9/RftHqJyy6cC9IN6zw63OvJTM MD5:54:57:b0:09:46:ba:56:95:5e:e3:35:df:28:27:ed:c5
   :ECDSA: SHA256:3U1CVC9YAKmF9W5SDLibwP1A9MVSb5ltVN7nYNOE15o MD5:29:06:f1:71:8d:65:3e:39:7c:49:69:16:8d:99:97:15
   :ED25519: SHA256:AkqMLLEtMbAEuxniRRDgd7TItD+pb9hsbpn5Ab81+IM MD5:53:dc:e7:4d:25:89:a8:d5:5a:24:0b:06:3f:41:cd:4d

Non-distribution packages and modifications
-------------------------------------------

The Puppet server, Puppet agent and PuppetDB packages and a few dependencies
are installed from the official Puppet APT repository because the versions
in Debian are too old to use modern Puppet features.

Some Ruby gems are installed via the Puppet-specific Ruby ``gem`` binary to
support advanced Puppet functionality like hiera-eyaml.

All Puppet related code is installed in the Puppet-specific
:file:`/opt/puppetlabs` tree.


Risk assessments on critical packages
-------------------------------------

The system uses third-party packages with a good security track record and
regular updates. The attack surface is small because access to the system is
tightly restricted.


Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

Puppet comes with its own built-in, special-purpose CA that is used to sign the
Puppet server and PuppetDB certificates as well as the certificates of all
trusted Puppet agents.

The CA data is stored in :file:`/etc/puppetlabs/puppet/ssl` and managed by
Puppet itself.


Eyaml private key
-----------------

All sensitive data like passwords in Hiera data is encrypted using the public
key in :file:`keys/public_key.pkcs7.pem` in the `CAcert puppet Git repository
<ssh://git.cacert.org/var/cache/git/cacert-puppet.git>`_. The corresponding
private key is stored in
:file:`/etc/puppetlabs/code/environments/production/keys/private_key.pkcs7.pem`.

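The split described above (public certificate in Git, private key only on the Puppet master) is what makes committing secrets into Hiera data safe, and the following shell script, an added example that is not part of this page or of the cacert-puppet repository, reproduces the hiera-eyaml PKCS7 round trip with plain ``openssl`` so the two key files can be understood without the ``eyaml`` tool. It assumes ``openssl`` and ``base64`` are installed and creates a throwaway key pair in a temporary directory instead of touching the production keys named above; the ``ENC[PKCS7,...]`` wrapper and the AES-256 PKCS7 enveloped data match what hiera-eyaml writes in its default PKCS7 mode.

```shell
#!/bin/sh
# Added example (not from the CAcert infradocs): reproduce the hiera-eyaml
# PKCS7 encrypt/decrypt cycle with openssl. The key pair created here is a
# throwaway one in a temporary directory, NOT the production keys this page names.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# `eyaml createkeys` writes a self-signed certificate (public_key.pkcs7.pem) and
# an RSA private key (private_key.pkcs7.pem). PKCS7 enveloped data needs an X.509
# recipient certificate, which is why the "public key" file is really a certificate
# and can be committed to Git: it can only encrypt, never decrypt.
create_keys() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=eyaml-example" \
        -keyout "$WORK/private_key.pkcs7.pem" \
        -out "$WORK/public_key.pkcs7.pem" >/dev/null 2>&1
}

# Encrypt $1 for the certificate: AES-256 content encryption, session key wrapped
# with the certificate's RSA key, DER-encoded, then base64 inside ENC[PKCS7,...].
eyaml_encrypt() {
    printf '%s' "$1" \
        | openssl smime -encrypt -binary -aes256 -outform DER "$WORK/public_key.pkcs7.pem" \
        | base64 | tr -d '\n' \
        | sed 's/^/ENC[PKCS7,/; s/$/]/'
}

# Reverse: strip the ENC[PKCS7,...] wrapper, base64-decode, decrypt with the
# private key that only the Puppet master holds.
eyaml_decrypt() {
    printf '%s' "$1" \
        | sed 's/^ENC\[PKCS7,//; s/]$//' \
        | base64 -d \
        | openssl smime -decrypt -inform DER \
              -recip "$WORK/public_key.pkcs7.pem" \
              -inkey "$WORK/private_key.pkcs7.pem"
}

# Two encryptions of the same secret yield different tokens because each PKCS7
# envelope uses a fresh random session key, so a diff of Hiera data never reveals
# whether a value changed; prints "differs".
token_randomness() {
    a=$(eyaml_encrypt "$1"); b=$(eyaml_encrypt "$1")
    [ "$a" != "$b" ] && echo differs || echo same
}

create_keys
TOKEN=$(eyaml_encrypt 'example-db-password')
echo "hiera value: db_password: $TOKEN"
echo "decrypted:   $(eyaml_decrypt "$TOKEN")"
echo "two tokens for one secret: $(token_randomness 'example-db-password')"
```

The practical consequence for this system is the one the section states: the private key file is the single item that must never leave the Puppet master, and a backup of it deserves the same handling as the Puppet CA key in :file:`/etc/puppetlabs/puppet/ssl`.
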

hiera configuration
-------------------

Puppet uses Hiera for hierarchical information retrieval. The global Hiera
configuration is stored in :file:`/etc/puppetlabs/puppet/hiera.yaml` and
defines the lookup hierarchy as well as the eyaml key locations.


puppet configuration
--------------------

All Puppet configuration is stored in :file:`/etc/puppetlabs/`. The CAcert
specific Puppet code is taken from the `CAcert puppet Git repository
<ssh://git.cacert.org/var/cache/git/cacert-puppet.git>`_ and cloned to the
:file:`/etc/puppetlabs/code/environments/production/` directory. Required
Puppet modules are installed by :program:`/opt/puppetlabs/puppet/bin/r10k`.

The Puppet code should follow best practices like the roles and profiles
pattern (see references below) and code/data separation via Hiera.


Tasks
=====

Planned
-------

* migrate as many systems as possible to use Puppet for a more
  reproducible/auditable system setup
* automate updates of the Puppet code from Git

.. todo:: implement a webhook on the Puppet machine that triggers a git pull and an r10k run

Changes
=======

System Future
-------------

* Improve setup, use more widely

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`

References
----------

* https://docs.puppet.com/puppet/
* https://puppet.com/blog/encrypt-your-data-using-hiera-eyaml
* https://docs.puppet.com/pe/2016.5/r_n_p_full_example.html