Configure a bare minimal production system regardless of its purpose. It depends on more specific cfnetwork, cfauth and cffirehol modules.
What it does:
- Whatever cfnetwork does
- Whatever cfauth does
- Whatever cffirehol does
- Setups APT for Debian and Ubuntu
- Setups timezone
- Setups hostname based on certname
- Adds firewall rules as required
- Setups special location/pool facts for hiera lookup (see cfsystem::hierapool below)
- Setups email system
- Setups NTP daemon and command line client for large gap sync
- Setup all locales and the default locale (configurable)
- Manages /etc/profile.d/ & adds allowed bin paths to sudo search_paths
- Installs many handy system tools which almost any admin would expect
- Forces noop scheduler on SSDs and virtual devices (in guests)
- Forces custom I/O scheduler for real spinning HDDs (deadline by default)
- Adds custom rc.local commands, if needed
- Adds cron job to check if running kernel version matches the latest installed (reboot reminder)
- Auto-detect hardware nodes with IPMI
- Install generic IPMI tools
- Install Dell-specific tools
- Other vendors - TODO
- Ruby framework for other cf* modules
- The following helper scripts are installed
cf_clear_email_queue
- clear all emails in exim queuecf_clear_frozen_emails
- clear only frozen emails in exim queuecf_send_test_email
- send test email to admin addresscf_kernel_version_check
- check if kernel version mismatch the latest installed onecf_auto_block_scheduler
- setup auto-detected I/O scheduler per block devicecf_apt_key_updater <key_id>
- run GPG key re-import, if expiredcf_ntpdate
- run pre-configured ntpdate
- Public API for Puppet parser:
Cfsystem::CpuWeight
- cgroup CPU weightCfsystem::IoWeight
- cgroup I/O weightCfsystem::Keytype
- ssh key typesCfsystem::Rsabit
- RSA key bitscfsystem::query
- caching wrapper aroundpuppetdb_query
(cached per catalog)cfsystem::stable_sort(arg)
- deep sort of Hash/Array to avoid isomorphic configuration "change"cfsystem::add_group($user, $group) >> Resource
- make sure user is part of the groupcfsystem::gen_key(name, params, forced_key)
- generate or save persistent SSH keycfsystem::gen_pass(name, length, forced_pass)
- generate or save persistent passwordcfsystem::gen_port(name, forced_port)
- allocate or save persistent network portcfsystem::pretty_json(data)
- return pretty formatted JSON stringcf_notify
- replacement of standard notify to avoid refresh side-effects
- Example configuration
- Free & Commercial support: [email protected]
Up to date installation instructions are available in Puppet Forge: https://forge.puppet.com/codingfuture/cfsystem
Please use librarian-puppet or cfpuppetserver module to deal with dependencies.
There is a known r10k issue RK-3 which prevents automatic dependencies of dependencies installation.
Please check codingufuture/puppet-test for example of a complete infrastructure configuration and Vagrant provisioning.
cfnetwork::describe_services:
puppet:
server: 'tcp/8140'
smtp:
server: 'tcp/25'
cfsmtp:
server:
- 'tcp/25' # smtp
- 'tcp/465' # smtps
- 'tcp/587' # submission
# if $cfsystem::add_repo_cacher
'apcng':
server: 'tcp/3142'
# if $cfsystem::repo_proxy
'aptproxy':
server: "tcp/${proxy_port}"
cfnetwork::service_ports:
# foreach $cfsystem::email::listen_ifaces
"${listen_ifaces}:smtp:cfsystem": {}
'local:smtp:cfsystem': {}
# if $cfsystem::add_ntp_server
"${cfsystem::service_face}:ntp": {}
# if $cfsystem::add_repo_cacher
"${cfsystem::service_face}:apcng:cfsystem": {}
# if ${cfsystem::service_face} not in ['any', 'local']
'local:apcng:cfsystem': {}
cfnetwork::client_ports:
'any:puppet:cfsystem':
user: 'root'
'local:smtp:cfsystem': {}
# if $smarthost = undef then dst filtering is disabled
'any:cfsmtp:cfsystem':
user => ['root', 'Debian-exim'],
dst => $smarthost
'any:ntp:cfsystem':
user => ['root', 'ntpd'],
# if $cfsystem::add_repo_cacher
'any:http:apcng':
user: 'apt-cacher-ng'
# if $cfsystem::add_repo_cacher
'any:https:apcng':
user: 'apt-cacher-ng'
# if $cfsystem::repo_proxy
'any:aptproxy:cfsystem':
dst: $proxy_host
user: 'root'
# if not $cfsystem::repo_proxy
'any:http:cfsystem':
user: 'root'
# if not $cfsystem::repo_proxy
'any:https:cfsystem':
user: 'root'
allow_nfs = false
- purge RPC packages unless trueadmin_email = undef
- email address to use forroot
and as the default sinkrepo_proxy = undef
- if set, use the config as HTTP/HTTPS proxy for package retrieval.host
- IP or hostnameport
- TCP port
add_repo_cacher = false
- if true, install apt-cacher-ng and accept clients on$service_face
service_face = 'any'
- interface to accept client for NTP and HTTP proxy, if enabled separatelyntp_servers = [ '0.pool.ntp.org', '1.pool.ntp.org', '2.pool.ntp.org', '3.pool.ntp.org' ]
- upstream NTP serveradd_ntp_server = false
- if true, accept NTP service clients on$service_face
Enum['ntp', 'openntpd', 'chrony', 'systemd'] $ntpd_type = 'systemd'
- NTP implementation to usetimezone = 'Etc/UTC'
- setup system timezoneapt_purge
- passed to apt::purge, purge all sources and preferences by defaultapt_update
- passed to apt::update, update daily with 300 second timeout by defaultapt_pin = 1001
- default priority (>=1001 - force downgrades to make the system consistent)apt_backports_pin = 600
- default priority (>=1001 - force downgrades to make the system consistent)real_hdd_scheduler
- default scheduler for not SSD and not virtualized HDDsrc_local
- list of additional commands to add to /etc/rc.local (SSD and virtual is always 'noop')puppet_host = "puppet.${::trusted['domain']}"
- Puppet Server hostnamepuppet_cahost = $puppet_host
- Puppet CA hostnamepuppet_env = $::environment
- Puppet environmentpuppet_use_dns_srv = false
- enable support DNS SRV records instead of hostnamesmcollective = false
- controls if mcollective service is enabledlocale = 'en_US.UTF-8'
- default system localereserve_ram
= 64 - amount of ram to reserve for system in automatic calculations$key_server = 'hkp://pgp.mit.edu:80'
- default PGP key server$random_feed = true
- enable random entropy generating daemon$add_handy_tools = true
- install additional tools$puppet_backup_age = '1d'
- how long to keep local puppet filebucket backups
Setup /etc/profile.d/ & /etc/sudoers.d/ entries for trusted global bin paths. It should not be configured by user. It's API for other modules.
bin_dir
- absolute path to directory for global search path
Automatically including by cfsystem
. This values are useful in hiera.yaml configuration
to setup hierarchy based on location and tenant/server pool in it. Example:
---
:backends:
- yaml
:hierarchy:
- "%{::trusted.domain}/%{::trusted.hostname}"
- "%{::trusted.domain}"
- "%{::cf_location}/%{::cf_location_pool}"
- "%{::cf_location}"
- common
:merge_behavior: deeper
:yaml:
:datadir:
location = undef
- if set, saved into/etc/cflocation
pool = undef
- if set, aved into/etc/cflocationpool
Setup email server for outgoing emails. Please not that this configuration is not intended to accept internet traffic.
smarthost = undef
- if set, use as smarthost to relay outgoing emails throughsmarthost_login = undef
- if set, use as login on smarthostsmarthost_password = undef
- if set, use as password on smarthost (plain text)relay_nets = <private subnets>
- allowed clients for SMTP relay, if relay is enabled with$listen_ifaces
listen_ifaces = undef
- list of interface (cfnetwork::iface
names), besideslo
to listen for SMTP client relaydisable_ipv6 = true
- if true, IPv6 supports gets disabled (most likely you need it disabled for SMTP)
Setup sysctl entries.
vm_swappiness = 1
- 0-100 (%) minimize swap activity by defaultvm_mmax_map_count = 262144
- increased by default
Debian-specific configuration.
apt_url = 'http://deb.debian.org/debian'
- APT base URL for Debian repossecurity_apt_url = 'http://security.debian.org/'
- APT base URL for Debian security reporelease
= 'jessie' - Debian release name to configure
Ubuntu-specific configuration.
apt_url = 'mirror://mirrors.ubuntu.com/mirrors.txt'
- APT base URL for Ubuntu reposrelease = 'wily'
- Ubuntu release name to configure
package = $title
- package to configure & installensure = present
- passed topackage ensure
config = []
- config entries fordebconf-set-selections
Configure APT key & add automatic update of expired keys
id
- PGP key IDextra_opts = {}
- any additional options forapt::key
A special helper to create entries in user ~/.env files
user
- previously defined user{ $user: home => 'path'} ($home must be explicitly set)variable
- variable namevalue
- valueenv_file = '.env'
- name of .env file relative to $home
Make actual Puppet PKI (CA, CRL, client cert and private key) data available to specific user. By default the data is copied under ~/pki/puppet/.
user = $title
- local user to usecopy_key = true
- if true then private keys of local machine are copied as wellpki_dir = undef
- override the default destination folder
Setup haproxy package. No configuration. Used by other modules
$disable_standard = true
- controls if default HAProxy service must be disabled
Setup random entropy generating tools
$type = 'haveged'
- tools type$threshold = 2048
- minimal random entropy level
Create a basic ~/.ssh/
directory for unattended user account.
$user = $title
- system user with 'home' parameter
This feature is trade-off between SSH setup in cluster and security. This functionality creates a single SSH client key and shares across all nodes in cluster. It helps to get rid of puppet facts processing for target-generated secrets.
Besides shared private key, another problem is clear-text private key getting into puppet catalog (which should be secured as well).
$namespace
- cluster namespace, e.g. 'cfdb'$cluster
- cluster identifier$is_primary
- controls if a new key can be generated$peer_ipset
- name of pre-defined cfnetwork::ipset$user
- system user with 'home' parameter$group = $user
- the user's group$key_type = 'ed25519'
- SSH key type$key_bits = 2048
- SSH key bits (for RSA)
Generic class for HardWare Management
Enum['none', 'auto', 'generic', 'dell', 'smc'] $type = 'auto'
- select type of HW vendor, if auto-detection fails.
Just a placeholder for generic IPMI system.
Support for Dell PowerEdge family.
$community_repo = 'http://linux.dell.com/repo/community'
Placeholder for SuperMicro support. Not implemented yet.
Setup latest pip for Python 2&3 into /usr/local.
Mostly for internal purposes to declare items for cfmetrics monitoring.
The standard notify
type has a side effect - it generates refresh event
what may harm automation which expects 0 exit code on no resource changes.
Therefore, this drop-in replacement has been provided.
message = $title
- message to showloglevel = info
- log level to use for the message
Helper type to create cfsystem-integrated services.
Helper type to create cfsystem-integrated cron-like services.