Puppet

Purpose

This system acts as Puppet master for infrastructure systems.

Administration

System Administration

Todo

find an additional admin

Application Administration

Application     Administrator(s)
Puppet server   Jan Dittberner
PuppetDB        Jan Dittberner

Contact

Additional People

No additional people have sudo access on that machine.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet: None
IP Intranet: None
IP Internal: 10.0.0.200
IPv6: 2001:7b8:616:162:2::200
MAC address: 00:ff:f9:32:9d:2a (eth0)

See also

See Network

Monitoring

internal checks:

Monitoring checks for puppet.infra.cacert.org

DNS

Name                       Type   Content
puppet.infra.cacert.org.   IN A   10.0.0.200

Operating System

  • Debian GNU/Linux 11 Bullseye

Services

Listening services

Port       Service    Origin     Purpose
22/tcp     ssh        ANY        admin console access
25/tcp     smtp       local      mail delivery to local MTA
5432/tcp   pgsql      local      PostgreSQL database for PuppetDB
5665/tcp   icinga2    monitor    remote monitoring service
8000/tcp   git-hook   internal   HTTP endpoint for git-pull-hook
8080/tcp   puppetdb   local      HTTP endpoint for local PuppetDB queries
8081/tcp   puppetdb   internal   HTTPS endpoint for PuppetDB
8140/tcp   puppet     internal   Puppet master

Running services

Service          Usage                                                                       Start mechanism
cron             job scheduler                                                               systemd unit cron.service
dbus             system message bus                                                          systemd unit dbus.service
Exim             SMTP server for local mail submission                                       systemd unit exim4.service
git-pull-hook    custom Python3 hook to pull git changes from the cacert-puppet repository   systemd unit git-pull-hook.service
icinga2          Icinga2 monitoring agent                                                    systemd unit icinga2.service
openssh server   ssh daemon for remote administration                                        systemd unit ssh.service
PostgreSQL       PostgreSQL database server for PuppetDB                                     systemd unit postgresql.service
Puppet agent     local Puppet agent                                                          systemd unit puppet.service
PuppetDB         PuppetDB for querying Puppet facts, nodes and resources                     systemd unit puppetdb.service
Puppet server    Puppet master for infrastructure systems                                    systemd unit puppetserver.service
rsyslog          syslog daemon                                                               init script /etc/init.d/syslog

Databases

RDBMS

RDBMS        Name       Used for
PostgreSQL   puppetdb   PuppetDB database

Connected Systems

Outbound network connections

  • Infra02 as resolving nameserver

  • Emailout as SMTP relay

  • Git to fetch new commits from the cacert-puppet repository

  • Proxyout as HTTP proxy for APT

  • forgeapi.puppet.com for Puppet forge access

  • rubygems.org for Puppet specific Ruby gems

Security

SSH host keys

Algorithm   Fingerprints
RSA         SHA256:PPEZkD7ezGStENYmE9/RftHqJyy6cC9IN6zw63OvJTM, MD5:54:57:b0:09:46:ba:56:95:5e:e3:35:df:28:27:ed:c5
DSA         -
ECDSA       SHA256:3U1CVC9YAKmF9W5SDLibwP1A9MVSb5ltVN7nYNOE15o, MD5:29:06:f1:71:8d:65:3e:39:7c:49:69:16:8d:99:97:15
ED25519     SHA256:AkqMLLEtMbAEuxniRRDgd7TItD+pb9hsbpn5Ab81+IM, MD5:53:dc:e7:4d:25:89:a8:d5:5a:24:0b:06:3f:41:cd:4d

Non-distribution packages and modifications

The Puppet server, Puppet agent and PuppetDB packages and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.

Some Ruby gems are installed via the Puppet-specific gem binary to support advanced Puppet functionality such as hiera-eyaml.

All Puppet-related code is installed in the Puppet-specific /opt/puppetlabs tree.

Risk assessments on critical packages

The system uses third party packages with a good security track record and regular updates. The attack surface is small due to the tightly restricted access to the system.

Critical Configuration items

Keys and X.509 certificates

Puppet comes with its own built-in, special-purpose CA that signs the Puppet server and PuppetDB certificates as well as the certificates of all trusted Puppet agents.

The CA data is stored in /etc/puppetlabs/puppet/ssl and is managed by Puppet itself.

Eyaml private key

All sensitive data in Hiera, such as passwords, is encrypted with the public key keys/public_key.pkcs7.pem from the CAcert puppet Git repository. The corresponding private key is stored in /etc/puppetlabs/code/environments/production/keys/private_key.pkcs7.pem.

hiera configuration

Puppet uses Hiera for hierarchical data lookup. The global Hiera configuration is stored in /etc/puppetlabs/puppet/hiera.yaml and defines the lookup hierarchy as well as the eyaml key locations.
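A hiera.yaml in the hiera 5 format that ties the eyaml key locations from the two sections above into a lookup hierarchy, added here as an illustration and not the file from the CAcert puppet repository; the datadir and the hierarchy paths are assumptions, the key paths are the ones documented on this page.

```yaml
# Added illustration of /etc/puppetlabs/puppet/hiera.yaml (hiera 5 format),
# not CAcert's actual file. datadir and the lookup paths are assumptions;
# the two key paths are those documented on this page.
version: 5

defaults:
  # assumed: plain data files live inside the production environment checkout
  datadir: /etc/puppetlabs/code/environments/production/data
  data_hash: yaml_data

hierarchy:
  # ENC[PKCS7,...] values in these files are decrypted on the Puppet server
  # only: the private key exists nowhere else, so agents and the Git
  # repository only ever hold the ciphertext.
  - name: "Encrypted per-node and common secrets"
    lookup_key: eyaml_lookup_key
    paths:
      # %{trusted.certname} comes from the agent certificate signed by the
      # Puppet CA; unlike the agent-reported fqdn fact it cannot be chosen
      # by the agent, so one node cannot read another node's secrets.
      - "secrets/nodes/%{trusted.certname}.eyaml"
      - "secrets/common.eyaml"
    options:
      pkcs7_private_key: /etc/puppetlabs/code/environments/production/keys/private_key.pkcs7.pem
      pkcs7_public_key: /etc/puppetlabs/code/environments/production/keys/public_key.pkcs7.pem

  # Plain data, consulted after the encrypted layer
  - name: "Per-node data"
    path: "nodes/%{trusted.certname}.yaml"
  - name: "Common data"
    path: "common.yaml"
```

Only the public key belongs in the Git repository; the private key file should be readable solely by the user the Puppet server runs as.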

puppet configuration

All Puppet configuration is stored in /etc/puppetlabs/. The CAcert-specific Puppet code is taken from the CAcert puppet Git repository, which is cloned to the /etc/puppetlabs/code/environments/production/ directory. Required Puppet modules are installed by /opt/puppetlabs/puppet/bin/r10k.

The Puppet code should follow best practices such as the Roles and profiles pattern (see references below) and code/data separation via Hiera.

Updates to the cacert-puppet repository trigger a web hook listening on TCP port 8000 that automatically updates the production environment directory.

Tasks

Todo

add a section to describe how to add a system for puppet management

Changes

Planned

  • migrate as many systems as possible to use Puppet for a more reproducible/auditable system setup

System Future

  • Improve setup, use more widely

Additional documentation

References