Difference between revisions of "PuppetDemo"
CraigGrube (Talk | contribs) (→Requirements) |
CraigGrube (Talk | contribs) (→Packages) |
Line 85: | Line 85: | ||
kickstart install. The following packages are expected: | kickstart install. The following packages are expected: | ||
− | *puppet-policy.tar.gz - gzipped tarball of the puppet policy is | + | * [[PuppetDemoServerKickstart|| Server kickstart ]] file. |
+ | * [[PuppetDemoClientKickstart|| Client kickstart ]] file. | ||
+ | |||
+ | * puppet-policy.tar.gz - gzipped tarball of the puppet policy is | ||
downloaded to the server and defines the desired end state of | downloaded to the server and defines the desired end state of | ||
clients. | clients. | ||
− | *sefos-demo-policy-0.1-1.fc11.i386.rpm - RPM containing a small | + | * sefos-demo-policy-0.1-1.fc11.i386.rpm - RPM containing a small |
SELinux module required for some demo specific client configuration | SELinux module required for some demo specific client configuration | ||
to work properly. This package is only downloaded to clients. | to work properly. This package is only downloaded to clients. | ||
− | *selinux-policy-{ver}.noarch.rpm, selinux-policy-targeted-{ver}.noarch.rpm - | + | * selinux-policy-{ver}.noarch.rpm, selinux-policy-targeted-{ver}.noarch.rpm - |
SELinux policy RPMs including new policy to constrain the Puppet client | SELinux policy RPMs including new policy to constrain the Puppet client | ||
− | and server | + | and server. |
− | + | ||
− | + | ||
== Installation == | == Installation == |
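Review bot: the two new bullets at the top of the hunk use a doubled pipe in their wiki links, `[[PuppetDemoServerKickstart|| Server kickstart ]]` and `[[PuppetDemoClientKickstart|| Client kickstart ]]`, so the rendered Packages list on this revision shows a stray "|" before "Server kickstart file." and "Client kickstart file." instead of a clean link label; a single pipe, `[[PuppetDemoServerKickstart|Server kickstart]] file.`, gives the intended text. The removed trailing blank lines after "and server." are fine.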
Revision as of 22:31, 14 September 2009
Overview
This page describes a proposed demonstration showing how to manage systems running SELinux using Puppet, an open-source, enterprise-grade configuration management tool. The goals of the demonstration are to show that configuration management systems can conveniently manage multiple SELinux clients, to provide examples for configuring SELinux clients, and to develop policy to constrain the client and server.
The demonstration will use Puppet to bootstrap client systems to the desired server type and ensure that SELinux is properly configured to protect the services.
Components
The demonstration includes Fedora 11 kickstart files for the two main components: a Puppet server and a generic client. The example Puppet policy will transform two generic clients into fully configured and functional servers with appropriate SELinux configurations once they have joined the Puppet server.
While the number of clients is , the fully configured clients are intended to be similar to some of what might be found in an enterprise environment. Specifically, following successful configuration, each client will be turned into either a web server or a mail server.
The web server will be configured as follows:
- Packages
- Install Apache and dependencies
- Users/Groups
- Add apache user with specific UID
- Add apache group with specific GID
- Apache Configuration
- Add three virtual hosts (client1, client1a, client1b)
- Configure one of the virtual hosts to allow sharing of files from users' public_html directories
- SELinux Configuration
- Ensure updated files have the desired type
- Ensure httpd SELinux module is loaded
- Ensure httpd_enable_homedirs SELinux boolean is enabled
The email server will be configured as follows:
- Packages
- Remove default Exim package
- Install postfix
- Users/Groups
- Add postfix user with specific UID
- Add postfix group with specific GID
- Postfix Configuration
- Apply basic main.cf from template
- SELinux Configuration
- Apply desired file labels to updated files
- Ensure {module} is loaded
- Ensure allow_postfix_local_write_mail_spool SELinux boolean is on
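As an added illustration (this is not the demo's own puppet-policy.tar.gz, which is not reproduced on this page), the following Puppet site.pp expresses both configuration lists above: the web server on client1 and the mail server on client2. The UID/GID values, the document roots under /var/www, the template path mail_server/main.cf.erb, and the SELinux module names httpd and postfix are assumptions; the resource types package, user, group, file (with its seltype attribute), selmodule, selboolean and service are standard Puppet types.

```puppet
# Added example site.pp, not the demo's puppet-policy.tar.gz.
# ASSUMED: UID/GID 48 and 89, /var/www/<vhost> document roots, the
# 'mail_server/main.cf.erb' template, SELinux module names 'httpd'/'postfix'.

# One Apache name-based virtual host; userdir => true enables ~user/public_html.
define web_vhost ($userdir = false) {
  $docroot = "/var/www/${name}"

  file { $docroot:
    ensure  => directory,
    owner   => 'apache',
    group   => 'apache',
    seltype => 'httpd_sys_content_t',   # SELinux type Apache may read
  }

  $userdir_line = $userdir ? {
    true    => "  UserDir public_html\n",
    default => '',
  }

  file { "/etc/httpd/conf.d/${name}.conf":
    ensure  => present,
    content => "<VirtualHost *:80>\n  ServerName ${name}.example.com\n  DocumentRoot ${docroot}\n${userdir_line}</VirtualHost>\n",
    seltype => 'httpd_config_t',
    require => File[$docroot],
    notify  => Service['httpd'],
  }
}

class web_server {
  # Users/Groups first, with fixed ids, so the package does not pick its own
  group { 'apache': ensure => present, gid => 48 }
  user  { 'apache':
    ensure  => present,
    uid     => 48,
    gid     => 'apache',
    shell   => '/sbin/nologin',
    require => Group['apache'],
    before  => Package['httpd'],
  }

  # Packages: Apache and its dependencies
  package { 'httpd': ensure => installed }

  # Apache configuration: three vhosts on client1, one sharing public_html
  file { '/etc/httpd/conf.d/00-namevhost.conf':
    content => "NameVirtualHost *:80\n",
    seltype => 'httpd_config_t',
    notify  => Service['httpd'],
  }
  web_vhost { 'client1': }
  web_vhost { 'client1a': }
  web_vhost { 'client1b': userdir => true }

  # SELinux configuration: module loaded, boolean set persistently
  selmodule  { 'httpd': ensure => present, syncversion => true }
  selboolean { 'httpd_enable_homedirs': value => 'on', persistent => true }

  service { 'httpd':
    ensure  => running,
    enable  => true,
    require => [Package['httpd'], Selboolean['httpd_enable_homedirs']],
  }
}

class mail_server {
  group { 'postfix': ensure => present, gid => 89 }
  user  { 'postfix':
    ensure  => present,
    uid     => 89,
    gid     => 'postfix',
    home    => '/var/spool/postfix',
    shell   => '/sbin/nologin',
    require => Group['postfix'],
    before  => Package['postfix'],
  }

  # Packages: remove the default Exim MTA, then install Postfix
  package { 'exim':    ensure => absent }
  package { 'postfix': ensure => installed, require => Package['exim'] }

  # Postfix configuration from an ERB template in the (assumed) module
  file { '/etc/postfix/main.cf':
    ensure  => present,
    content => template('mail_server/main.cf.erb'),
    seltype => 'postfix_etc_t',
    require => Package['postfix'],
    notify  => Service['postfix'],
  }

  # SELinux configuration
  selmodule  { 'postfix': ensure => present, syncversion => true }
  selboolean { 'allow_postfix_local_write_mail_spool': value => 'on', persistent => true }

  service { 'postfix':
    ensure  => running,
    enable  => true,
    require => Selboolean['allow_postfix_local_write_mail_spool'],
  }
}

node 'client1.example.com' { include web_server }
node 'client2.example.com' { include mail_server }
```

The require/before/notify relationships encode the order the lists imply: group and user exist with fixed ids before the package creates its own, configuration files are written only after the package is present, and the service is restarted when a vhost or main.cf changes. Setting seltype on each managed file keeps the label correct on every run rather than relying on a one-off restorecon, and persistent => true on the selboolean resources writes the value to the policy store so it survives a reboot.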
Demo
Basic Infrastructure
Requirements
Working forward/reverse DNS is needed for OpenSSL certificates to work properly for client/server authentication and data encryption.
For the demo to work properly with no modifications to the puppet policy, the DNS server should be able to resolve two client hostnames (client1, client2) as well as two CNAMEs for client1 (client1a, client1b), because the default puppet policy will set up three Apache virtual hosts on client1.
An example partial zone configuration for the demo could be:
    puppetmaster    A       192.168.1.174
    client1         A       192.168.1.175
    client2         A       192.168.1.176
    client1a        CNAME   client1
    client1b        CNAME   client1
The matching reverse zone configuration could be:
    174    IN    PTR    puppetmaster.example.com.
    175    IN    PTR    client1.example.com.
    176    IN    PTR    client2.example.com.
PuppetDemoBootServer contains instructions for setting up a system to provide DHCP, DNS and HTTP services for initializing the demonstration.
Packages
The server and client automated installs expect certain packages to be present in /packages/ on a web server designated during the kickstart install. The following packages are expected:
- Server kickstart file.
- Client kickstart file.
- puppet-policy.tar.gz - gzipped tarball of the puppet policy; it is downloaded to the server and defines the desired end state of clients.
- sefos-demo-policy-0.1-1.fc11.i386.rpm - RPM containing a small SELinux module required for some demo-specific client configuration to work properly. This package is only downloaded to clients.
- selinux-policy-{ver}.noarch.rpm, selinux-policy-targeted-{ver}.noarch.rpm - SELinux policy RPMs including new policy to constrain the Puppet client and server.
Installation
Server Kickstart
Disk Partitioning
The default anaconda-chosen disk partitioning scheme is used unless modified by the person performing the installation. 1G+ of disk space is recommended.
Kernel Boot Options
Kernel boot options for server configuration are:
- se_dnsdomain - DNS domain of the server (assumes example.com if none provided)
- se_fqdn - fully qualified domain name of the server (set to puppetmaster.${se_dnsdomain} if none provided)
- se_www - IP address or hostname of the web server from which packages (SELinux policy and puppet policy) should be downloaded.
Network Configuration
By default DHCP is used for network address provisioning.
If static addressing is desired or required, comment out the DHCP 'network' line, then uncomment the 'network' line containing the static address and edit it as needed.
Example
Client Kickstart
Disk Partitioning
The default anaconda-chosen disk partitioning scheme is used unless modified during the installation. 1G+ of disk space is recommended.
Kernel Boot Options
Kernel boot options for client configuration are:
- se_dnsdomain - DNS domain of the client (assumes example.com if none provided)
- se_fqdn - fully qualified domain name of the client (assumes client1.${se_dnsdomain} if none provided)
- se_pmaster - FQDN of the puppetmaster server (assumes puppetmaster.${se_dnsdomain} if none provided)
- se_www - IP address or resolvable DNS name of the web server from which packages can be downloaded.
Network Configuration
By default DHCP is used for network address provisioning.
If static addressing is desired or required, comment out the DHCP 'network' line, then uncomment and edit the 'network' line containing the static address.
Example
To install client1, only se_www needs to be specified. To install client2, both se_fqdn and se_www should be used.
Manual Post Installation Configuration
During the kickstart of the server and one or more clients, each client's Puppet service will contact the server and submit a certificate for signing. To list unsigned certificates on the server, run puppetca -l. For each demo client, run puppetca -s {hostname} to sign that client's certificate.
The clients will automatically download the signed certificate at the next update (approximately every 30 minutes) and will then download and apply the configuration from the server. To force an immediate update, the puppet client service can be restarted with run_init service puppet restart.