Puppet

Purpose

This system acts as Puppet master for infrastructure systems.

Administration

System Administration

Todo

find an additional admin

Application Administration

=============  ================
Application    Administrator(s)
=============  ================
Puppet server  Jan Dittberner
PuppetDB       Jan Dittberner
=============  ================

Additional People

  • None

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

===========  ========================
IP Internet  None
IP Intranet  None
IP Internal  10.0.0.200
IPv6         2001:7b8:616:162:2::200
MAC address  00:ff:f9:32:9d:2a (eth0)
===========  ========================

See also: Network

DNS

Todo

set up DNS records (in the infra.cacert.org zone)

Operating System

  • Debian GNU/Linux 10.0

Services

Listening services

========  ========  ========  ========================================
Port      Service   Origin    Purpose
========  ========  ========  ========================================
22/tcp    ssh       ANY       admin console access
25/tcp    smtp      local     mail delivery to local MTA
5432/tcp  pgsql     local     PostgreSQL database for PuppetDB
8000/tcp  git-hook  internal  HTTP endpoint for git-pull-hook
8140/tcp  puppet    internal  Puppet master
8080/tcp  puppetdb  local     HTTP endpoint for local PuppetDB queries
8081/tcp  puppetdb  internal  HTTPS endpoint for PuppetDB
========  ========  ========  ========================================

Running services

==============  =========================================================================  =====================================
Service         Usage                                                                      Start mechanism
==============  =========================================================================  =====================================
cron            job scheduler                                                              init script /etc/init.d/cron
Exim            SMTP server for local mail submission                                      init script /etc/init.d/exim4
git-pull-hook   Custom Python3 hook to pull git changes from the cacert-puppet repository  init script /etc/init.d/git-pull-hook
openssh server  ssh daemon for remote administration                                       init script /etc/init.d/ssh
PostgreSQL      PostgreSQL database server for PuppetDB                                    init script /etc/init.d/postgresql
Puppet server   Puppet master for infrastructure systems                                   init script /etc/init.d/puppetserver
Puppet agent    local Puppet agent                                                         init script /etc/init.d/puppet
PuppetDB        PuppetDB for querying Puppet facts and nodes and resources                 init script /etc/init.d/puppetdb
rsyslog         syslog daemon                                                              init script /etc/init.d/syslog
==============  =========================================================================  =====================================

Databases

==========  ========  =================
RDBMS       Name      Used for
==========  ========  =================
PostgreSQL  puppetdb  PuppetDB database
==========  ========  =================

Connected Systems

Outbound network connections

  • Infra02 as resolving nameserver

  • Emailout as SMTP relay

  • Git to fetch new commits from the cacert-puppet repository

  • Proxyout as HTTP proxy for APT

  • forgeapi.puppet.com for Puppet forge access

  • rubygems.org for Puppet specific Ruby gems

Security

SSH host keys

=========  =======================================================================================================
Algorithm  Fingerprints
=========  =======================================================================================================
RSA        SHA256:PPEZkD7ezGStENYmE9/RftHqJyy6cC9IN6zw63OvJTM, MD5:54:57:b0:09:46:ba:56:95:5e:e3:35:df:28:27:ed:c5
DSA        -
ECDSA      SHA256:3U1CVC9YAKmF9W5SDLibwP1A9MVSb5ltVN7nYNOE15o, MD5:29:06:f1:71:8d:65:3e:39:7c:49:69:16:8d:99:97:15
ED25519    SHA256:AkqMLLEtMbAEuxniRRDgd7TItD+pb9hsbpn5Ab81+IM, MD5:53:dc:e7:4d:25:89:a8:d5:5a:24:0b:06:3f:41:cd:4d
=========  =======================================================================================================

Non-distribution packages and modifications

The Puppet server, Puppet agent and PuppetDB packages and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.

Some Ruby gems are installed via the Puppet-specific gem binary to support advanced Puppet functionality such as hiera-eyaml.

All Puppet-related code is installed in the Puppet-specific /opt/puppetlabs tree.

Risk assessments on critical packages

The system uses third-party packages with a good security track record and regular updates. The attack surface is small because access to the system is tightly restricted: apart from ssh, the listening services above are reachable only locally or from the internal network.

Critical Configuration items

Keys and X.509 certificates

Puppet comes with its own built-in, special-purpose CA, which signs the Puppet server and PuppetDB certificates as well as the certificates of all trusted Puppet agents.

The CA data is stored in /etc/puppetlabs/puppet/ssl and is managed by Puppet itself.

Eyaml private key

All sensitive data in Hiera, such as passwords, is encrypted with the public key keys/public_key.pkcs7.pem from the CAcert puppet Git repository. The corresponding private key is stored in /etc/puppetlabs/code/environments/production/keys/private_key.pkcs7.pem.
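As an added check (not code from the CAcert repository) that enforces the rule above, the following script scans Hiera data for sensitive-looking keys whose values are not wrapped in an eyaml ENC[PKCS7,...] marker; the sample data and the list of sensitive key names are constructed assumptions.

```python
import re

# Constructed sample of Hiera data, not taken from the CAcert repository: two
# values wrapped by hiera-eyaml and one plaintext password that breaks the
# policy that every sensitive value in Hiera is encrypted.
SAMPLE_HIERA = """\
profile::puppetdb::db_user: puppetdb
profile::puppetdb::db_password: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAx]
profile::mail::relay: emailout
profile::mail::smtp_password: 'plaintext-oops'
profile::forge::api_token: >
    ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAx]
"""

# Key names treated as sensitive; an assumed heuristic, adjust to the data set.
SENSITIVE_KEY = re.compile(r"password|passwd|secret|token|private_key", re.I)
# hiera-eyaml stores ciphertext as ENC[PKCS7,<base64>]; only that form passes.
ENC_VALUE = re.compile(r"ENC\[PKCS7,[A-Za-z0-9+/=]+\]")
# Top-level "key: value" line (indented continuation lines are skipped).
KEY_LINE = re.compile(r"^(\S.*?):(?:\s+(.*)|\s*)$")


def find_unencrypted_secrets(text):
    """Return (line_number, key) for each sensitive-looking key whose value is
    not an eyaml ENC[PKCS7,...] blob. A block scalar ('>' or '|') is resolved
    by inspecting the following indented line."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = KEY_LINE.match(line)
        if not m or not SENSITIVE_KEY.search(m.group(1)):
            continue
        value = (m.group(2) or "").strip()
        if value in (">", "|", ">-", "|-") and i + 1 < len(lines):
            value = lines[i + 1].strip()
        if not ENC_VALUE.fullmatch(value.strip("'\"")):
            findings.append((i + 1, m.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, key in find_unencrypted_secrets(SAMPLE_HIERA):
        print(f"line {lineno}: {key} is not eyaml-encrypted")
```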

hiera configuration

Puppet uses Hiera for hierarchical information retrieval. The global Hiera configuration is stored in /etc/puppetlabs/puppet/hiera.yaml and defines the lookup hierarchy as well as the eyaml key locations.

puppet configuration

All Puppet configuration is stored in /etc/puppetlabs/. The CAcert-specific Puppet code is taken from the CAcert puppet Git repository and cloned into the /etc/puppetlabs/code/environments/production/ directory. Required Puppet modules are installed by /opt/puppetlabs/puppet/bin/r10k.

The Puppet code should follow best practices such as the Roles and profiles pattern (see references below) and code/data separation via Hiera.

Updates to the cacert-puppet repository trigger a web hook listening on TCP port 8000 that automatically updates the production environment directory.
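An added example, not the CAcert git-pull-hook itself, of how a listener on port 8000 can authenticate the hook call and limit what it does before touching the production environment; the HMAC signature header, the shared secret and the production branch name are assumptions.

```python
import hashlib
import hmac
import json
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumptions (not the CAcert hook's own design): the Git server signs the raw body
# with HMAC-SHA256 under a shared secret (X-Hook-Signature header) and sends the pushed ref.
HOOK_SECRET = b"constructed-placeholder-secret"  # read from a root-only file in practice
PRODUCTION_DIR = "/etc/puppetlabs/code/environments/production"
EXPECTED_REF = "refs/heads/master"  # assumed name of the production branch


def sign(secret, body):
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def signature_ok(secret, body, presented):
    """Constant-time check of the presented signature; a missing header fails."""
    return hmac.compare_digest(sign(secret, body), presented or "")


def should_update(body):
    """Only a push to the production branch may trigger a pull."""
    try:
        payload = json.loads(body)
    except ValueError:
        return False
    return isinstance(payload, dict) and payload.get("ref") == EXPECTED_REF


def pull_production():
    # Fixed argument list, no shell, nothing from the request reaches git;
    # --ff-only refuses to merge or rewrite a diverged checkout.
    result = subprocess.run(["git", "-C", PRODUCTION_DIR, "pull", "--ff-only"],
                            capture_output=True, text=True)
    return result.returncode


class HookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        if not signature_ok(HOOK_SECRET, body, self.headers.get("X-Hook-Signature")):
            status = 403  # unauthenticated caller: do not touch the checkout
        elif not should_update(body):
            status = 204  # authenticated, but not the production branch
        else:
            status = 200 if pull_production() == 0 else 500
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    # Bind to the internal address only, matching the "internal" origin of port 8000.
    HTTPServer(("10.0.0.200", 8000), HookHandler).serve_forever()
```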

Tasks

Todo

add a section describing how to add a system to Puppet management

Changes

Planned

  • migrate as many systems as possible to use Puppet for a more reproducible/auditable system setup

System Future

  • Improve setup, use more widely