Puppet

# The Manifest

Let's talk some code:

    # This is an example proposed Puppet Common Module for SSH

    #

    # Usage Requirements:

    # 1) Set $server in site.pp

    #    Allows for a different fileserver than the real puppetmaster

    # 2) Set $os to $operatingsystem

    #    Saves typing, purely cosmetic

    # 3) Set $osver to $operatingsystemrelease or $lsbdistrelease

    #    $operatingsystemrelease is not available on all platforms

    #

    class ssh {

        # Distribution independent packages

        # See also our Operating System specific sub-classes

        @package { [

                "openssh-clients",

                "openssh-server",

                "denyhosts"

            ]:

            ensure => installed

        }

        # Virtual Resources get defined before we include $operatingsystem specific

        # classes, so that there is at least something to add and/or override.

        # 

        # Additionally, this way we can realize() in sub-classes as much as we want

        # to, and not concern ourselves with duplicate type definitions

        #

        @file { "/etc/denyhosts.conf":

            notify => Service["denyhosts"],

            require => Package["denyhosts"],

            source => [

                "puppet://$server/private/$domain/denyhosts/denyhosts.conf",

                "puppet://$server/files/denyhosts/denyhosts.conf",

                "puppet://$server/denyhosts/denyhosts.conf"

            ]

        }

        @file { "/etc/ssh/ssh_config":

            owner => "root",

            mode => 644,

            require => Package["openssh-clients"],

            source => [

                #

                # See rationale for an explanation on this list of sources

                # http://reductivelabs.com/trac/puppet/wiki/PuppetCommonModules/SSH

                #

                "puppet://$server/private/$domain/ssh/$os/$osver/ssh_config.$hostname",

                "puppet://$server/private/$domain/ssh/$os/$osver/ssh_config",

                "puppet://$server/private/$domain/ssh/$os/ssh_config.$hostname",

                "puppet://$server/private/$domain/ssh/$os/ssh_config",

                "puppet://$server/private/$domain/ssh/ssh_config.$hostname",

                "puppet://$server/private/$domain/ssh/ssh_config",

                "puppet://$server/files/ssh/$os/$osver/ssh_config.$hostname",

                "puppet://$server/files/ssh/$os/$osver/ssh_config",

                "puppet://$server/files/ssh/$os/ssh_config.$hostname",

                "puppet://$server/files/ssh/$os/ssh_config",

                "puppet://$server/files/ssh/ssh_config.$hostname",

                "puppet://$server/files/ssh/ssh_config",

                "puppet://$server/ssh/$os/$osver/ssh_config",

                "puppet://$server/ssh/$os/ssh_config",

                "puppet://$server/ssh/ssh_config"

            ],

            sourceselect => first

        }

        @file { "/etc/ssh/sshd_config":

            owner => "root",

            mode => 644,

            notify => Service["openssh-server"],

            require => Package["openssh-server"],

            source => [

                #

                # See rationale for an explanation on this list of sources

                # http://reductivelabs.com/trac/puppet/wiki/PuppetCommonModules/SSH

                #

                "puppet://$server/private/$domain/ssh/$os/$osver/sshd_config.$hostname",

                "puppet://$server/private/$domain/ssh/$os/$osver/sshd_config",

                "puppet://$server/private/$domain/ssh/$os/sshd_config.$hostname",

                "puppet://$server/private/$domain/ssh/$os/sshd_config",

                "puppet://$server/private/$domain/ssh/sshd_config.$hostname",

                "puppet://$server/private/$domain/ssh/sshd_config",

                "puppet://$server/files/ssh/$os/$osver/sshd_config.$hostname",

                "puppet://$server/files/ssh/$os/$osver/sshd_config",

                "puppet://$server/files/ssh/$os/sshd_config.$hostname",

                "puppet://$server/files/ssh/$os/sshd_config",

                "puppet://$server/files/ssh/sshd_config.$hostname",

                "puppet://$server/files/ssh/sshd_config",

                "puppet://$server/ssh/$os/$osver/sshd_config",

                "puppet://$server/ssh/$os/sshd_config",

                "puppet://$server/ssh/sshd_config"

            ],

            sourceselect => first

        }

        @service { "openssh-server":

            enable => true,

            ensure => running,

            require => [

                File["/etc/ssh/sshd_config"],

                Package["openssh-server"]

            ]

        }

        # Include operatingsystem specific subclass

        include ssh::$operatingsystem

        class client inherits ssh {

            realize(Package["openssh-clients"])

        }

        class server inherits ssh {

            realize(Package["openssh-server"])

            class noclient inherits server {

                # To create a server that cannot ssh out.

                # Note that this removes packages depending on

                # openssh-clients as well.

                Package["openssh-clients"] {

                    ensure => absent

                }

                realize(Package["openssh-clients"])

            }

            class denyhosts inherits server {

                # Let the server deny hosts

                realize(

                    File["/etc/denyhosts.conf"],

                    Package["denyhosts"],

                    Package["openssh-server"]

                )

                service { "denyhosts":

                    enable => true,

                    ensure => running,

                    require => [

                        File["/etc/denyhosts.conf"],

                        Package["denyhosts"]

                    ]

                }

            }

        }

        class Debian inherits ssh {

            File["/etc/ssh/ssh_config"] {

                group => "root"

            }

            Package["openssh-clients"] {

                name => "openssh-client"

            }

            Service["openssh-server"] {

                name => "ssh",

                pattern => "sshd"

            }

        }

        class Fedora inherits ssh {

            File["/etc/ssh/ssh_config"] {

                group => "root"

            }

            Service["openssh-server"] {

                name => "sshd",

                hasrestart => true,

                hasstatus => true,

                restart => "/etc/init.d/sshd restart",

                status => "/etc/init.d/sshd status"

            }

        }

        class RedHat inherits Fedora {

        }

        class CentOS inherits RedHat {

        }

        class Darwin inherits ssh {

            Package["openssh-clients"] {

                source => "http://server/foo"

            }

            File["/etc/denyhosts.conf"] {

                group => "wheel"

            }

            File["/etc/ssh/ssh_config"] {

                group => "wheel",

                path => "/etc/ssh_config"

            }

            File["/etc/ssh/sshd_config"] {

                group => "wheel",

                path => "/etc/sshd_config"

            }

        }

    }

Hope you liked it ;-)

# Rationale

Here's a little rationale on the things you just read and probably

had some questions about.

## Yuk, this is one large file

1.  It fits better on a wiki page ;-)

2.  Red Hat / CentOS has puppet-0.24.4 and does not do the import

    magic. It could do the imports, but it requires import statements

    per file (not exactly making the module any more portable).

## Virtual Resource in top class

Defining the resources shared over multiple of the ssh sub-classes

as a virtual resource in the top-class allows us to override

parameters in operating system specific sub-classes, as well as

realize() the virtual resources more then once, not only throughout

the module, but also when required by other modules (can't come up

with an appropriate example).

## Operating system specific classes

The operating system specific sub-classes you see in the module are

meant to provide the most flexible and efficient operating system

specific attributes to resources (especially the virtual resources

defined at the beginning).

## Huge list of possible sources

The huge list of possible sources is something I've worked out over

several customers.

### $server

Setting $server in site.pp for example allows you to use a server

other then your puppetmaster as a dedicated fileserver.

### $os ?? $osver ??

A very, very nasty example is using "UsePAM yes" in

/etc/ssh/sshd\_config on Red Hat Enterprise Linux 3 machines ^1^.

The SSH server won't stop working (e.g. not error out with Syntax

Error Messages), but remote access over SSH is impossible. This

introduced the requirement of being able to have Operating System

($os) and Operating System version ($osver) specific files. It is

not required to maintain the trees, but the module obviously needs

to provide the best default for every operating system and

operating system version that has these kind of exceptions.

Using $os is far from required; these are variables that have been

assigned in site.pp because I'm a lazy guy and dislike typing

$operatingsystem twice.

Using $osver however is something that surfaced when it seemed

$operatingsystemrelease was not available on Fedora / Red Hat /

CentOS boxes. Instead, I'm using $lsbdistrelease (and sometimes a

custom fact such as $operatingsystemmajorrelease). However, using

$operatingsystemrelease and/or $lsbdistrelease isn't very efficient

(again the typing comes to mind), so I assign these facts to the

$osver variable.

### $domain ??

When merging organizations, working with the legacy (non-managed)

domain from the merger requires you to specify some kind of level

of distinction between organizations. I've chosen to use the domain

name space, which also allows me to run these domain specific trees

from separate Source Control Management systems, and thus separate

access control.

I needed to use a fact here, since that is defined before a

manifest is parsed, and you cannot override a fact. So far for the

domain specific tree.

### Then why files/ ??

The merger continues (or you had none to begin with), and the

files/ fileserver mount allows you to source the file in a

puppetmaster global sense, without modifying the module. Modifying

the module means committing, possibly pushing (but not likely) the

changes somewhere, and resolving potential conflicts afterwards.

### Module default

The module default should be similar to the default configuration

on a distribution, or the best overall default if that is something

that can ever be agreed upon.

### Using the $hostname

Using the hostname, you are able to provide specific configuration

on a per host basis, or on a per group of hosts basis. If some of

the SSH server you have in your organization require only users in

the group wheel to be able to login (for example), then create a

file called sshd\_config.wheel-only and create a symbolic link

sshd\_config.$hostname => sshd\_config.wheel-only.

Possible improvement: Using the $fqdn of a machine instead might

work better in some cases.

Another option is to specify variables throughout the manifests,

which is practically never going to end given the amount of

tweakable settings per application, and is no more efficient then

creating the symbolic link.

^1\ yes,\ rebuilding\ the\ ruby\ stack\ is\ included\ to\ make\ RHEL3\ machines\ do\ puppet^