From b8eff9242cb84cf18bb8975cb24e2dd451bbd819 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 8 Feb 2018 15:16:14 -0600 Subject: [PATCH 001/134] removed sizing for puppet master --- Puppetfile | 6 +++--- hieradata/virtual/virtualbox.yaml | 22 ---------------------- 2 files changed, 3 insertions(+), 25 deletions(-) diff --git a/Puppetfile b/Puppetfile index e3711bcdc..0421b7764 100644 --- a/Puppetfile +++ b/Puppetfile @@ -12,9 +12,9 @@ mod "npwalker/pe_metric_curl_cron_jobs", '4.0.0' # Modules from Github using various references # Further examples: https://github.com/puppetlabs/r10k/blob/master/doc/puppetfile.mkd#examples # update the tag to the most current release when implementing -#mod 'pe_code_manager_webhook', -# :git => 'https://github.com/npwalker/pe_code_manager_webhook', -# :ref => '9e167154b146901d7cfd3e67dc70e984796da03f' +mod 'pe_code_manager_webhook', + :git => 'https://github.com/npwalker/pe_code_manager_webhook', + :ref => '8d3003a38371328bcabea695dd40f16b1e90e827' mod 'gms', :git => 'https://github.com/abrader/abrader-gms', diff --git a/hieradata/virtual/virtualbox.yaml b/hieradata/virtual/virtualbox.yaml index 236ff7b05..5fb040941 100644 --- a/hieradata/virtual/virtualbox.yaml +++ b/hieradata/virtual/virtualbox.yaml 
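Review bot: Enabling the git-sourced `mod 'pe_code_manager_webhook'` block appears to declare the module a second time, because the Forge entry `mod "npwalker/pe_code_manager_webhook", '2.0.1'` sits above this hunk in the same pre-image blob (`e3711bcdc`, where PATCH 003 shows it as a removed line). Two sources for one module name make it unclear which code is actually deployed, so drop the Forge line in the same commit or leave the git block commented. Pinning `:ref` to a full commit SHA is the right form for a git source, but the comment above it still says `update the tag`; reword it to `update the ref to a reviewed commit` so the SHA is not later swapped for a movable tag or branch. The hunk ends inside the `mod 'gms'` declaration, which continues outside it.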
@@ -5,25 +5,3 @@
 #Allow access to the puppetdb performance dashboard from non-localhost
 #This is insecure and also allows access to all API endpoints without verification
 puppet_enterprise::profile::puppetdb::listen_address: '0.0.0.0'
-puppet_enterprise::profile::amq::broker::heap_mb: '96'
-puppet_enterprise::profile::master::java_args:
- Xmx: '192m'
- Xms: '128m'
- 'XX:+UseG1GC': ''
-puppet_enterprise::profile::puppetdb::java_args:
- Xmx: '128m'
- Xms: '96m'
- 'XX:+UseG1GC': ''
-puppet_enterprise::profile::console::java_args:
- Xmx: '64m'
- Xms: '64m'
- 'XX:+UseG1GC': ''
-puppet_enterprise::master::puppetserver::jruby_max_active_instances: 1 #PE3.7.2 only
-puppet_enterprise::profile::console::delayed_job_workers: 1
-#shared_buffers takes affect during install but is not managed after
-puppet_enterprise::profile::database::shared_buffers: '4MB'
-#2015.3.2 and above
-puppet_enterprise::profile::orchestrator::java_args:
- Xmx: '64m'
- Xms: '64m'
- 'XX:+UseG1GC': ''
From e3a6fcbb830ca8dbcf455e0138d3dd17ac9d09c8 Mon Sep 17 00:00:00 2001
From: Troy Klein
Date: Thu, 8 Feb 2018 15:42:21 -0600
Subject: [PATCH 002/134] added sizes back
---
 hieradata/virtual/virtualbox.yaml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/hieradata/virtual/virtualbox.yaml b/hieradata/virtual/virtualbox.yaml
index 5fb040941..ed3676c75 100644
--- a/hieradata/virtual/virtualbox.yaml
+++ b/hieradata/virtual/virtualbox.yaml
@@ -5,3 +5,26 @@
 #Allow access to the puppetdb performance dashboard from non-localhost
 #This is insecure and also allows access to all API endpoints without verification
 puppet_enterprise::profile::puppetdb::listen_address: '0.0.0.0'
+puppet_enterprise::profile::amq::broker::heap_mb: '96'
+puppet_enterprise::profile::master::java_args:
+ Xmx: '192m'
+ Xms: '128m'
+ 'XX:+UseG1GC': ''
+puppet_enterprise::profile::puppetdb::java_args:
+ Xmx: '128m'
+ Xms: '96m'
+ 'XX:+UseG1GC': ''
+puppet_enterprise::profile::console::java_args:
+ Xmx: '64m'
+ Xms: '64m'
+ 'XX:+UseG1GC': ''
+puppet_enterprise::master::puppetserver::jruby_max_active_instances: 1 #PE3.7.2 only
+puppet_enterprise::profile::console::delayed_job_workers: 1
+#shared_buffers takes affect during install but is not managed after
+puppet_enterprise::profile::database::shared_buffers: '4MB'
+#2015.3.2 and above
+puppet_enterprise::profile::orchestrator::java_args:
+ Xmx: '64m'
+ Xms: '64m'
+ 'XX:+UseG1GC': ''
+
From 08749f362708e0cbe19bd0f0a44d539e3c41afec Mon Sep 17 00:00:00 2001
From: Troy Klein Date: Mon, 17 Dec 2018 08:22:17 -0600 Subject: [PATCH 003/134] Adding some example code This commit has examples for: roles profiles onceover gitlab-ci.yml --- .gitattributes | 5 + .gitignore | 29 ++- .gitlab-ci.yml | 41 ++++ .pdkignore | 24 +++ .rspec | 2 + .rubocop.yml | 122 ++++++++++++ .travis.yml | 47 +++++ .yardopts | 1 + Gemfile | 74 +++++++ Puppetfile | 41 ++-- README-control_repo.md | 119 +++++++++++ Rakefile | 76 ++++++++ appveyor.yml | 64 ++++++ data/common.yaml | 18 ++ data/nodes/example-puppet-master.yaml | 8 + data/os/RedHat.yaml | 3 + data/os/Solaris.yaml | 3 + data/os/windows.yaml | 4 + data/virtual/virtualbox.yaml | 35 ++++ hiera.yaml | 56 ++++++ keys/private_key.pkcs7.pem | 27 +++ keys/public_key.pkcs7.pem | 18 ++ metadata.json | 72 +++++++ scripts/code_manager_config_version.rb | 2 +- scripts/config_version.rb | 15 +- site/README.md | 27 +++ site/profile/README.md | 38 ++++ site/profile/functions/data.pp | 8 + site/profile/lib/facter/app_tier_subnet.rb | 26 +++ site/profile/lib/facter/datacenter.rb | 26 +++ .../profile/manifests/app/f5/load_balancer.pp | 113 +++++++++++ site/profile/manifests/app/fastb.pp | 20 ++ site/profile/manifests/app/icinga.pp | 11 ++ .../manifests/app/iis/default_app_pool.pp | 31 +++ site/profile/manifests/app/java.pp | 18 ++ .../profile/manifests/app/tomcat/webserver.pp | 15 ++ .../manifests/cloud/azure/deployhost.pp | 91 +++++++++ site/profile/manifests/cloud/azure/vm_test.pp | 19 ++ site/profile/manifests/os/archives.pp | 23 +++ site/profile/manifests/os/base.pp | 37 ++++ site/profile/manifests/os/dns_resolver.pp | 54 +++++ .../manifests/os/linux/ms_ca_root_cert.pp | 19 ++ site/profile/manifests/os/linux/security.pp | 28 +++ .../manifests/os/solaris/enable_ssh.pp | 22 +++ .../manifests/os/windows/disable_firewall.pp | 29 +++ .../manifests/os/windows/disable_ieesc.pp | 22 +++ .../manifests/os/windows/disable_ipv6.pp | 14 ++ .../manifests/os/windows/disable_uac.pp | 25 +++ 
.../os/windows/enable_remote_desktop.pp | 21 ++ site/profile/manifests/os/windows/security.pp | 13 ++ .../manifests/os/windows/winrm_ssl_config.pp | 33 ++++ site/role/README.md | 19 ++ site/role/manifests/fastb/monitor_svr.pp | 8 + site/role/manifests/fastb/web_be.pp | 8 + site/role/manifests/spider/web_be.pp | 8 + spec/acceptance/nodesets/onceover-nodes.yml | 41 ++++ spec/default_facts.yml | 7 + spec/factsets/README.md | 7 + spec/factsets/Windows_Server-2012r2-64.json | 164 ++++++++++++++++ spec/factsets/osx-10.13-x86_64.json | 184 ++++++++++++++++++ spec/hiera.yaml | 25 +++ spec/onceover.yaml | 58 ++++++ spec/pre_conditions/README.md | 24 +++ spec/spec_helper.rb | 44 +++++ 64 files changed, 2250 insertions(+), 36 deletions(-) create mode 100644 .gitattributes create mode 100644 .gitlab-ci.yml create mode 100644 .pdkignore create mode 100644 .rspec create mode 100644 .rubocop.yml create mode 100644 .travis.yml create mode 100644 .yardopts create mode 100644 Gemfile create mode 100644 README-control_repo.md create mode 100644 Rakefile create mode 100644 appveyor.yml create mode 100644 data/common.yaml create mode 100644 data/nodes/example-puppet-master.yaml create mode 100644 data/os/RedHat.yaml create mode 100644 data/os/Solaris.yaml create mode 100644 data/os/windows.yaml create mode 100644 data/virtual/virtualbox.yaml create mode 100644 hiera.yaml create mode 100644 keys/private_key.pkcs7.pem create mode 100644 keys/public_key.pkcs7.pem create mode 100644 metadata.json create mode 100644 site/README.md create mode 100644 site/profile/README.md create mode 100644 site/profile/functions/data.pp create mode 100644 site/profile/lib/facter/app_tier_subnet.rb create mode 100644 site/profile/lib/facter/datacenter.rb create mode 100644 site/profile/manifests/app/f5/load_balancer.pp create mode 100644 site/profile/manifests/app/fastb.pp create mode 100644 site/profile/manifests/app/icinga.pp create mode 100644 site/profile/manifests/app/iis/default_app_pool.pp create 
mode 100644 site/profile/manifests/app/java.pp create mode 100644 site/profile/manifests/app/tomcat/webserver.pp create mode 100644 site/profile/manifests/cloud/azure/deployhost.pp create mode 100644 site/profile/manifests/cloud/azure/vm_test.pp create mode 100644 site/profile/manifests/os/archives.pp create mode 100644 site/profile/manifests/os/base.pp create mode 100644 site/profile/manifests/os/dns_resolver.pp create mode 100644 site/profile/manifests/os/linux/ms_ca_root_cert.pp create mode 100644 site/profile/manifests/os/linux/security.pp create mode 100644 site/profile/manifests/os/solaris/enable_ssh.pp create mode 100644 site/profile/manifests/os/windows/disable_firewall.pp create mode 100644 site/profile/manifests/os/windows/disable_ieesc.pp create mode 100644 site/profile/manifests/os/windows/disable_ipv6.pp create mode 100644 site/profile/manifests/os/windows/disable_uac.pp create mode 100644 site/profile/manifests/os/windows/enable_remote_desktop.pp create mode 100644 site/profile/manifests/os/windows/security.pp create mode 100644 site/profile/manifests/os/windows/winrm_ssl_config.pp create mode 100644 site/role/README.md create mode 100644 site/role/manifests/fastb/monitor_svr.pp create mode 100644 site/role/manifests/fastb/web_be.pp create mode 100644 site/role/manifests/spider/web_be.pp create mode 100644 spec/acceptance/nodesets/onceover-nodes.yml create mode 100644 spec/default_facts.yml create mode 100644 spec/factsets/README.md create mode 100644 spec/factsets/Windows_Server-2012r2-64.json create mode 100644 spec/factsets/osx-10.13-x86_64.json create mode 100644 spec/hiera.yaml create mode 100644 spec/onceover.yaml create mode 100644 spec/pre_conditions/README.md create mode 100644 spec/spec_helper.rb diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 000000000..9032a014a --- /dev/null +++ b/.gitattributes @@ -0,0 +1,5 @@ +*.rb eol=lf +*.erb eol=lf +*.pp eol=lf +*.sh eol=lf +*.epp eol=lf 
diff --git a/.gitignore b/.gitignore
index 6dd2fdac1..72342857d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,25 @@
-hieradata/nodes/example-puppet-master.yaml
-Gemfile.lock
-_site/*
-.onceover/*
+.git/
+.*.sw[op]
+.metadata
+.onceover
+.yardoc
+.yardwarns
+*.iml
+/.bundle/
+/.idea/
+/.vagrant/
+/coverage/
+/bin/
+/doc/
+/Gemfile.local
+/Gemfile.lock
+/junit/
+/log/
+/pkg/
+/spec/fixtures/manifests/
+/spec/fixtures/modules/
+/tmp/
+/vendor/
+/convert_report.txt
+/update_report.txt
+.DS_Store
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 000000000..391651649
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,41 @@
+---
+stages:
+ - syntax
+ - unit
+
+cache:
+ paths:
+ - vendor/bundle
+
+before_script:
+ - bundle -v
+ - rm Gemfile.lock || true
+ - gem update --system
+ - gem --version
+ - bundle -v
+ - bundle install --without system_tests --path vendor/bundle --jobs $(nproc)
+
+syntax lint metadata_lint check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop-Ruby 2.4.4-Puppet ~> 5.5:
+ stage: syntax
+ image: ruby:2.4.4
+ script:
+ - bundle exec rake syntax lint metadata_lint check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop
+ variables:
+ PUPPET_GEM_VERSION: '~> 5.5'
+
+parallel_onceover-Ruby 2.4.4-Puppet ~> 5.5:
+ stage: unit
+ image: ruby:2.4.4
+ script:
+ - bundle exec onceover run spec
+ variables:
+ PUPPET_GEM_VERSION: '~> 5.5'
+
+parallel_onceover-Ruby 2.1.9-Puppet ~> 4.0:
+ stage: unit
+ image: ruby:2.1.9
+ script:
+ - bundle exec onceover run spec
+ variables:
+ PUPPET_GEM_VERSION: '~> 4.0'
+
diff --git a/.pdkignore b/.pdkignore
new file mode 100644
index 000000000..650022e58
--- /dev/null
+++ b/.pdkignore
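Review bot: The rewritten ignore list has no entry for `keys/` or for node data, although this patch's diffstat creates `keys/private_key.pkcs7.pem` and `data/nodes/example-puppet-master.yaml`, and the old entry for the node file is removed here. If that PEM is the hiera-eyaml private key (the Gemfile in this patch adds `hiera-eyaml`), everyone with read access to the repository can decrypt every encrypted Hiera value, so the key should be generated per deployment and never tracked. Add `/keys/private_key.pkcs7.pem` to this list, remove the file from the commit, and treat the committed key as disclosed and regenerate it.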
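Review bot: `before_script` in `.gitlab-ci.yml` deletes the lockfile (`rm Gemfile.lock || true`) and runs `gem update --system` before `bundle install`, so every pipeline run resolves whatever gem versions are current at that moment. That makes a build impossible to reproduce and lets a newly published dependency version execute in CI without review. Commit `Gemfile.lock` (the new `.gitignore` excludes `/Gemfile.lock`), drop those two lines, and rely on the RubyGems version shipped in the pinned `ruby:` image.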
@@ -0,0 +1,24 @@ +.git/ +.*.sw[op] +.metadata +.yardoc +.yardwarns +*.iml +/.bundle/ +/.idea/ +/.vagrant/ +/coverage/ +/bin/ +/doc/ +/Gemfile.local +/Gemfile.lock +/junit/ +/log/ +/pkg/ +/spec/fixtures/manifests/ +/spec/fixtures/modules/ +/tmp/ +/vendor/ +/convert_report.txt +/update_report.txt +.DS_Store diff --git a/.rspec b/.rspec new file mode 100644 index 000000000..16f9cdb01 --- /dev/null +++ b/.rspec @@ -0,0 +1,2 @@ +--color +--format documentation diff --git a/.rubocop.yml b/.rubocop.yml new file mode 100644 index 000000000..f5a6c2a41 --- /dev/null +++ b/.rubocop.yml 
@@ -0,0 +1,122 @@ +--- +require: rubocop-rspec +AllCops: + DisplayCopNames: true + TargetRubyVersion: '2.1' + Include: + - "./**/*.rb" + Exclude: + - bin/* + - ".vendor/**/*" + - "**/Gemfile" + - "**/Rakefile" + - pkg/**/* + - spec/fixtures/**/* + - vendor/**/* + - "**/Puppetfile" + - "**/Vagrantfile" + - "**/Guardfile" +Metrics/LineLength: + Description: People have wide screens, use them. + Max: 200 +GetText/DecorateString: + Description: We don't want to decorate test output. + Exclude: + - spec/* +RSpec/BeforeAfterAll: + Description: Beware of using after(:all) as it may cause state to leak between tests. + A necessary evil in acceptance testing. + Exclude: + - spec/acceptance/**/*.rb +RSpec/HookArgument: + Description: Prefer explicit :each argument, matching existing module's style + EnforcedStyle: each +Style/BlockDelimiters: + Description: Prefer braces for chaining. Mostly an aesthetical choice. Better to + be consistent then. + EnforcedStyle: braces_for_chaining +Style/ClassAndModuleChildren: + Description: Compact style reduces the required amount of indentation. + EnforcedStyle: compact +Style/EmptyElse: + Description: Enforce against empty else clauses, but allow `nil` for clarity. + EnforcedStyle: empty +Style/FormatString: + Description: Following the main puppet project's style, prefer the % format format. + EnforcedStyle: percent +Style/FormatStringToken: + Description: Following the main puppet project's style, prefer the simpler template + tokens over annotated ones. + EnforcedStyle: template +Style/Lambda: + Description: Prefer the keyword for easier discoverability. + EnforcedStyle: literal +Style/RegexpLiteral: + Description: Community preference. See https://github.com/voxpupuli/modulesync_config/issues/168 + EnforcedStyle: percent_r +Style/TernaryParentheses: + Description: Checks for use of parentheses around ternary conditions. Enforce parentheses + on complex expressions for better readability, but seriously consider breaking + it up. 
+ EnforcedStyle: require_parentheses_when_complex +Style/TrailingCommaInArguments: + Description: Prefer always trailing comma on multiline argument lists. This makes + diffs, and re-ordering nicer. + EnforcedStyleForMultiline: comma +Style/TrailingCommaInLiteral: + Description: Prefer always trailing comma on multiline literals. This makes diffs, + and re-ordering nicer. + EnforcedStyleForMultiline: comma +Style/SymbolArray: + Description: Using percent style obscures symbolic intent of array's contents. + EnforcedStyle: brackets +RSpec/MessageSpies: + EnforcedStyle: receive +Style/Documentation: + Exclude: + - lib/puppet/parser/functions/**/* + - spec/**/* +Style/WordArray: + EnforcedStyle: brackets +Style/CollectionMethods: + Enabled: true +Style/MethodCalledOnDoEndBlock: + Enabled: true +Style/StringMethods: + Enabled: true +Layout/EndOfLine: + Enabled: false +Layout/IndentHeredoc: + Enabled: false +Metrics/AbcSize: + Enabled: false +Metrics/BlockLength: + Enabled: false +Metrics/ClassLength: + Enabled: false +Metrics/CyclomaticComplexity: + Enabled: false +Metrics/MethodLength: + Enabled: false +Metrics/ModuleLength: + Enabled: false +Metrics/ParameterLists: + Enabled: false +Metrics/PerceivedComplexity: + Enabled: false +RSpec/DescribeClass: + Enabled: false +RSpec/ExampleLength: + Enabled: false +RSpec/MessageExpectation: + Enabled: false +RSpec/MultipleExpectations: + Enabled: false +RSpec/NestedGroups: + Enabled: false +Style/AsciiComments: + Enabled: false +Style/IfUnlessModifier: + Enabled: false +Style/SymbolProc: + Enabled: false diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 000000000..6664271c2 --- /dev/null +++ b/.travis.yml 
@@ -0,0 +1,47 @@ +--- +sudo: false +dist: trusty +language: ruby +cache: bundler +before_install: + - bundle -v + - rm -f Gemfile.lock + - gem update --system + - gem --version + - bundle -v +script: + - 'bundle exec rake $CHECK' +bundler_args: --without system_tests +rvm: + - 2.5.1 +env: + global: + - BEAKER_PUPPET_COLLECTION=puppet6 PUPPET_GEM_VERSION="~> 6.0" +matrix: + fast_finish: true + include: + - + env: CHECK="syntax lint metadata_lint check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop" + - + env: CHECK=parallel_spec + - + env: PUPPET_GEM_VERSION="~> 5.0" CHECK=parallel_spec + rvm: 2.4.4 + - + env: PUPPET_GEM_VERSION="~> 4.0" CHECK=parallel_spec + rvm: 2.1.9 +branches: + only: + - master + - /^v\d/ +notifications: + email: false +deploy: + provider: puppetforge + user: puppet + password: + secure: "" + on: + tags: true + all_branches: true + condition: "$DEPLOY_TO_FORGE = yes" diff --git a/.yardopts b/.yardopts new file mode 100644 index 000000000..29c933bcf --- /dev/null +++ b/.yardopts @@ -0,0 +1 @@ +--markup markdown diff --git a/Gemfile b/Gemfile new file mode 100644 index 000000000..992602822 --- /dev/null +++ b/Gemfile 
@@ -0,0 +1,74 @@ +source ENV['GEM_SOURCE'] || 'https://rubygems.org' + +def location_for(place_or_version, fake_version = nil) + git_url_regex = %r{\A(?(https?|git)[:@][^#]*)(#(?.*))?} + file_url_regex = %r{\Afile:\/\/(?.*)} + + if place_or_version && (git_url = place_or_version.match(git_url_regex)) + [fake_version, { git: git_url[:url], branch: git_url[:branch], require: false }].compact + elsif place_or_version && (file_url = place_or_version.match(file_url_regex)) + ['>= 0', { path: File.expand_path(file_url[:path]), require: false }] + else + [place_or_version, { require: false }] + end +end + +ruby_version_segments = Gem::Version.new(RUBY_VERSION.dup).segments +minor_version = ruby_version_segments[0..1].join('.') + +group :development do + gem "fast_gettext", '1.1.0', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.1.0') + gem "fast_gettext", require: false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.1.0') + gem "json_pure", '<= 2.0.1', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0') + gem "json", '= 1.8.2', require: false if Gem::Version.new(RUBY_VERSION.dup) == Gem::Version.new('2.1.9') + gem "json", '<= 2.0.4', require: false if Gem::Version.new(RUBY_VERSION.dup) == Gem::Version.new('2.4.4') + gem "puppet-module-posix-default-r#{minor_version}", require: false, platforms: [:ruby] + gem "puppet-module-posix-dev-r#{minor_version}", require: false, platforms: [:ruby] + gem "puppet-module-win-default-r#{minor_version}", require: false, platforms: [:mswin, :mingw, :x64_mingw] + gem "puppet-module-win-dev-r#{minor_version}", require: false, platforms: [:mswin, :mingw, :x64_mingw] + gem "onceover" + gem "hiera-eyaml" +end + +puppet_version = ENV['PUPPET_GEM_VERSION'] +onceover_version = ENV['ONCEOVER_GEM_VERSION'] +facter_version = ENV['FACTER_GEM_VERSION'] +hiera_version = ENV['HIERA_GEM_VERSION'] + +gems = {} + +gems['puppet'] = location_for(puppet_version) + +# If facter or hiera 
versions have been specified via the environment +# variables + +gems['onceover'] = location_for(onceover_version) if onceover_version +gems['facter'] = location_for(facter_version) if facter_version +gems['hiera'] = location_for(hiera_version) if hiera_version + +if Gem.win_platform? && puppet_version =~ %r{^(file:///|git://)} + # If we're using a Puppet gem on Windows which handles its own win32-xxx gem + # dependencies (>= 3.5.0), set the maximum versions (see PUP-6445). + gems['win32-dir'] = ['<= 0.4.9', require: false] + gems['win32-eventlog'] = ['<= 0.6.5', require: false] + gems['win32-process'] = ['<= 0.7.5', require: false] + gems['win32-security'] = ['<= 0.2.5', require: false] + gems['win32-service'] = ['0.8.8', require: false] +end + +gems.each do |gem_name, gem_params| + gem gem_name, *gem_params +end + +# Evaluate Gemfile.local and ~/.gemfile if they exist +extra_gemfiles = [ + "#{__FILE__}.local", + File.join(Dir.home, '.gemfile'), +] + +extra_gemfiles.each do |gemfile| + if File.file?(gemfile) && File.readable?(gemfile) + eval(File.read(gemfile), binding) + end +end +# vim: syntax=ruby diff --git a/Puppetfile b/Puppetfile index e3711bcdc..180407b86 100644 --- a/Puppetfile +++ b/Puppetfile 
@@ -1,25 +1,24 @@ forge "http://forge.puppetlabs.com" -# Modules from the Puppet Forge -# Further examples: https://github.com/puppetlabs/r10k/blob/master/doc/puppetfile.mkd#forge-1 -mod "puppetlabs/inifile", '1.6.0' -mod "puppetlabs/stdlib", '4.16.0' -mod "puppetlabs/concat", '2.2.1' -mod "puppet/hiera", '2.4.0' -mod "npwalker/pe_code_manager_webhook", '2.0.1' -mod "npwalker/pe_metric_curl_cron_jobs", '4.0.0' +mod "puppetlabs/inifile", '1.6.0' +mod 'puppetlabs-stdlib', '4.24.0' +mod 'puppetlabs-tomcat', '2.4.0' +mod 'puppetlabs/concat', '2.2.1' +mod 'puppetlabs-java', '3.2.0' +mod 'puppetlabs-chocolatey', '3.1.0' +mod 'puppetlabs-iis', '4.5.0' +mod 'puppet-archive', '3.2.1' +mod 'puppet-hiera', '3.3.4' +mod 'saz-ssh', '4.0.0' +mod 'saz-resolv_conf', '3.3.0' +mod 'icinga-icinga2', '1.3.7' -# Modules from Github using various references -# Further examples: https://github.com/puppetlabs/r10k/blob/master/doc/puppetfile.mkd#examples -# update the tag to the most current release when implementing -#mod 'pe_code_manager_webhook', -# :git => 'https://github.com/npwalker/pe_code_manager_webhook', -# :ref => '9e167154b146901d7cfd3e67dc70e984796da03f' +mod 'puppetlabs-dsc', '1.7.0' +mod 'puppetlabs-reboot', '2.0.0' +mod 'puppetlabs-powershell', '2.2.0' +mod 'puppet-windows_env', '3.2.0' +mod 'cyberious-pget', '1.1.0' +mod 'cyberious-windows_java', '1.0.2' -mod 'gms', - :git => 'https://github.com/abrader/abrader-gms', - :ref => 'a5105e95cf0f8b84a143d7a69a83e3ff3d4e02fb' - -mod 'pltraining-rbac', - :git => 'https://github.com/puppetlabs/pltraining-rbac', - :ref => '9a823ff42810988f80a2b65738054a816620d972' +#mod 'tomcat', +# git: 'https://github.com/spidersddd/puppetlabs-tomcat' diff --git a/README-control_repo.md b/README-control_repo.md new file mode 100644 index 000000000..aaed15c43 --- /dev/null +++ b/README-control_repo.md 
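Review bot: `forge "http://forge.puppetlabs.com"` stays as the first line while every module below it is re-pinned, so a tool that honours this directive would fetch the modules over plain HTTP; `forge "https://forge.puppetlabs.com"` keeps the same host and adds transport integrity. Whether the directive is read at all depends on the deployment tool's own configuration, which is not visible here. The commented `#mod 'tomcat'` git example carries no ref, unlike the git entries this hunk removes, so add a pinned commit to the example to keep it from being uncommented as a floating branch.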
@@ -0,0 +1,119 @@ +# A Puppet Control Repository + +* [What You Get From This control\-repo](#what-you-get-from-this-control-repo) +* [Copy This Repo Into Your Own Git Server](#copy-this-repo-into-your-own-git-server) + * [GitLab](#gitlab) + * [Bitbucket/Stash](#bitbucketstash) + * [Github](#github) +* [Code Manager Setup](#code-manager-setup) + + +## What You Get From This control-repo + +This is a template [control repository](https://puppet.com/docs/pe/latest/code_management/control_repo.html) that has the minimum amount of scaffolding to make it easy to get started with [r10k](https://puppet.com/docs/pe/latest/code_management/r10k.html) or Puppet Enterprise's [Code Manager](https://puppet.com/docs/pe/latest/code_management/code_mgr.html). + +The important files and items in this template are as follows: + +* Basic example of roles and profiles. +* An example Puppetfile with various module references. +* An example Hiera configuration file and data directory with pre-created common.yaml and nodes directory. + * These match the default hierarchy that ships with PE. +* An [environment.conf](https://puppet.com/docs/puppet/5.3/config_file_environment.html) that correctly implements: + * A site directory for roles, profiles, and any custom modules for your organization. + * A config_version script. +* An example [config_version](https://puppet.com/docs/puppet/5.3/config_file_environment.html#configversion) script that outputs the git commit ID of the code that was used during a Puppet run. + +Here's a visual representation of the structure of this repository: + +``` +control-repo/ +├── data/ # Hiera data directory. +│   ├── nodes/ # Node-specific data goes here. +│   └── common.yaml # Common data goes here. +├── manifests/ +│   └── site.pp # The "main" manifest that contains a default node definition. +├── scripts/ +│   ├── code_manager_config_version.rb # A config_version script for Code Manager. +│   ├── config_version.rb # A config_version script for r10k. 
+│   └── config_version.sh # A wrapper that chooses the appropriate config_version script. +├── site/ # This directory contains site-specific modules and is added to $modulepath. +│   ├── profile/ # The profile module. +│   └── role/ # The role module. +├── LICENSE +├── Puppetfile # A list of external Puppet modules to deploy with an environment. +├── README.md +├── environment.conf # Environment-specific settings. Configures the moduelpath and config_version. +└── hiera.yaml # Hiera's configuration file. The Hiera hierarchy is defined here. +``` + +## Copy This Repo Into Your Own Git Server + +To get started with using the control-repo template in your own environment and git server, we've provided steps for the three most common servers we see: [GitLab](#gitlab), [BitBucket](#bitbucketstash), and [GitHub](#github). + +### GitLab + +1. Install GitLab. + * +1. After GitLab is installed you may sign in with the `root` user and password `5iveL!fe`. +1. Make a user for yourself. +1. Make an SSH key to link with your user. You’ll want to do this on the machine you intend to edit code from (most likely not your Puppet master, but your local workstation or laptop). + * + * +1. Create a group called `puppet` (this is case sensitive). + * +1. Add your user to the `puppet` group as well. +1. Create a project called `control-repo`, and set the Namespace to be the `puppet` group. +1. Clone this control repository to your laptop/workstation: + * `git clone ` + * `cd control-repo` +1. Remove this repository as the origin remote: + * `git remote remove origin` +1. Add your internal repository as the origin remote: + * `git remote add origin ` +1. Push the production branch of the repository from your machine up to your git server + * `git push origin production` + +### Bitbucket/Stash + +1. Install Bitbucket + * +1. Make a `Project` called `puppet` (with a short name of `PUP`) +1. Create a repository called `control-repo` +1. 
Create a user called `r10k` with a password of `puppet`. + * Make the r10k user an admin of the `PUP` project. +1. Either use the admin user to test pushing code, or create a user for yourself and add your SSH key to that user. + * If making a user for yourself, give your user account read/write or admin privilege to the `PUP` project. +1. Clone this control repository to your laptop/workstation + * `git clone ` + * `cd control-repo` +1. Remove this repository as the origin remote + * `git remote remove origin` +1. Add your internal repository as the origin remote + * `git remote add origin ` +1. Push the production branch of the repository from your machine up to your git server + * `git push origin production` + +### GitHub + +1. Prepare your local git client to authenticate with GitHub.com or a local GitHub Enterprise instance. + * + * +1. Create a repository called `control-repo` in your user account or organization. Ensure that "Initialize this repository with a README" is not selected. + * +1. Make a note of your repository URL (HTTPS or SSH, depending on your security configuration). +1. Clone this control repository to your laptop/workstation: + * `git clone ` + * `cd control-repo` +1. Remove this repository as the origin remote: + * `git remote remove origin` +1. Add your internal repository as the origin remote: + * `git remote add origin ` +1. Push the production branch of the repository from your machine up to your git server + * `git push origin production` + +## Code Manager Setup + +If you use Puppet Enterprise and have not yet enabled and configured Code Manager, in addition to reading the official [documentation](https://puppet.com/docs/pe/latest/code_management/code_mgr.html) for enabling it, you may want to look at the Ramp-Up Program's control repository instead of this one. It's similar to this repo except that it has batteries includes, so to speak. 
There are pre-built profiles for configuring Code Manager, generating SSH keys, and setting up your Git server to work with Code Manager. + +* + diff --git a/Rakefile b/Rakefile new file mode 100644 index 000000000..a6b14c564 --- /dev/null +++ b/Rakefile 
@@ -0,0 +1,76 @@ +require 'puppetlabs_spec_helper/rake_tasks' +require 'puppet-syntax/tasks/puppet-syntax' +require 'puppet_blacksmith/rake_tasks' if Bundler.rubygems.find_name('puppet-blacksmith').any? +require 'github_changelog_generator/task' if Bundler.rubygems.find_name('github_changelog_generator').any? +require 'puppet-strings/tasks' if Bundler.rubygems.find_name('puppet-strings').any? + +def changelog_user + return unless Rake.application.top_level_tasks.include? "changelog" + returnVal = nil || JSON.load(File.read('metadata.json'))['author'] + raise "unable to find the changelog_user in .sync.yml, or the author in metadata.json" if returnVal.nil? + puts "GitHubChangelogGenerator user:#{returnVal}" + returnVal +end + +def changelog_project + return unless Rake.application.top_level_tasks.include? "changelog" + returnVal = nil || JSON.load(File.read('metadata.json'))['name'] + raise "unable to find the changelog_project in .sync.yml or the name in metadata.json" if returnVal.nil? + puts "GitHubChangelogGenerator project:#{returnVal}" + returnVal +end + +def changelog_future_release + return unless Rake.application.top_level_tasks.include? "changelog" + returnVal = JSON.load(File.read('metadata.json'))['version'] + raise "unable to find the future_release (version) in metadata.json" if returnVal.nil? + puts "GitHubChangelogGenerator future_release:#{returnVal}" + returnVal +end + +PuppetLint.configuration.send('disable_relative') + +if Bundler.rubygems.find_name('github_changelog_generator').any? + GitHubChangelogGenerator::RakeTask.new :changelog do |config| + raise "Set CHANGELOG_GITHUB_TOKEN environment variable eg 'export CHANGELOG_GITHUB_TOKEN=valid_token_here'" if Rake.application.top_level_tasks.include? "changelog" and ENV['CHANGELOG_GITHUB_TOKEN'].nil? 
+ config.user = "#{changelog_user}" + config.project = "#{changelog_project}" + config.future_release = "#{changelog_future_release}" + config.exclude_labels = ['maintenance'] + config.header = "# Change log\n\nAll notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org)." + config.add_pr_wo_labels = true + config.issues = false + config.merge_prefix = "### UNCATEGORIZED PRS; GO LABEL THEM" + config.configure_sections = { + "Changed" => { + "prefix" => "### Changed", + "labels" => ["backwards-incompatible"], + }, + "Added" => { + "prefix" => "### Added", + "labels" => ["feature", "enhancement"], + }, + "Fixed" => { + "prefix" => "### Fixed", + "labels" => ["bugfix"], + }, + } + end +else + desc 'Generate a Changelog from GitHub' + task :changelog do + raise <= Gem::Version.new('2.2.2')" +EOM + end +end + diff --git a/appveyor.yml b/appveyor.yml new file mode 100644 index 000000000..9ea31e3ea --- /dev/null +++ b/appveyor.yml 
@@ -0,0 +1,64 @@ +--- +version: 1.1.x.{build} +branches: + only: + - master +skip_commits: + message: /^\(?doc\)?.*/ +clone_depth: 10 +init: + - SET + - 'mkdir C:\ProgramData\PuppetLabs\code && exit 0' + - 'mkdir C:\ProgramData\PuppetLabs\facter && exit 0' + - 'mkdir C:\ProgramData\PuppetLabs\hiera && exit 0' + - 'mkdir C:\ProgramData\PuppetLabs\puppet\var && exit 0' +environment: + matrix: + - + RUBY_VERSION: 24-x64 + CHECK: syntax lint metadata_lint check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop + - + PUPPET_GEM_VERSION: ~> 4.0 + RUBY_VERSION: 21 + CHECK: parallel_spec + - + PUPPET_GEM_VERSION: ~> 4.0 + RUBY_VERSION: 21-x64 + CHECK: parallel_spec + - + PUPPET_GEM_VERSION: ~> 5.0 + RUBY_VERSION: 24 + CHECK: parallel_spec + - + PUPPET_GEM_VERSION: ~> 5.0 + RUBY_VERSION: 24-x64 + CHECK: parallel_spec + - + PUPPET_GEM_VERSION: ~> 6.0 + RUBY_VERSION: 25 + CHECK: parallel_spec + - + PUPPET_GEM_VERSION: ~> 6.0 + RUBY_VERSION: 25-x64 + CHECK: parallel_spec +matrix: + fast_finish: true +install: + - set PATH=C:\Ruby%RUBY_VERSION%\bin;%PATH% + - bundle install --jobs 4 --retry 2 --without system_tests + - type Gemfile.lock +build: off +test_script: + - bundle exec puppet -V + - ruby -v + - gem -v + - bundle -v + - bundle exec rake %CHECK% + - bundle exec onceover run spec +notifications: + - provider: Email + to: + - nobody@nowhere.com + on_build_success: false + on_build_failure: false + on_build_status_changed: false diff --git a/data/common.yaml b/data/common.yaml new file mode 100644 index 000000000..45b5f56b4 --- /dev/null +++ b/data/common.yaml 
@@ -0,0 +1,18 @@
+---
+message: "This node is using common data"
+
+#Enable code manager
+puppet_enterprise::profile::master::code_manager_auto_configure: true
+puppet_enterprise::master::code_manager::authenticate_webhook: false
+puppet_enterprise::master::code_manager::manage_private_key: false
+#pe-console-services tuning
+#https://docs.puppetlabs.com/pe/latest/console_config.html#tuning-the-classifier-synchronization-period
+#disable classifier scheduled sync and rely on r10k postrun command to sync the classes
+puppet_enterprise::profile::console::classifier_synchronization_period: 0
+
+# example for deep lookup
+# X11Forwarding will be overwritten by virtual/virtualbox to 'yes'
+profile::os::linux::security::ssh_server_opts:
+ PasswordAuthentication: 'no'
+ SyslogFacility: 'AUTHPRIV'
+ X11Forwarding: 'no'
diff --git a/data/nodes/example-puppet-master.yaml b/data/nodes/example-puppet-master.yaml
new file mode 100644
index 000000000..584faacb6
--- /dev/null
+++ b/data/nodes/example-puppet-master.yaml
@@ -0,0 +1,8 @@
+---
+git_management_system: 'gitlab'
+gms_server_url: 'https://gitlab-server'
+gms_api_token: 'BDkZfWWnk4LVTLHdAywd'
+
+#setup r10k to update classes in the console after code deploy
+pe_r10k::postrun:
+ - '/usr/local/bin/update-classes.sh'
diff --git a/data/os/RedHat.yaml b/data/os/RedHat.yaml
new file mode 100644
index 000000000..b237a8d5f
--- /dev/null
+++ b/data/os/RedHat.yaml
@@ -0,0 +1,3 @@
+---
+
+profile::app::tomcat::webserver::download_url: 'https://www-us.apache.org/dist/tomcat/tomcat-8/v8.5.35/bin/apache-tomcat-8.5.35.tar.gz'
diff --git a/data/os/Solaris.yaml b/data/os/Solaris.yaml
new file mode 100644
index 000000000..b237a8d5f
--- /dev/null
+++ b/data/os/Solaris.yaml
@@ -0,0 +1,3 @@
+---
+
+profile::app::tomcat::webserver::download_url: 'https://www-us.apache.org/dist/tomcat/tomcat-8/v8.5.35/bin/apache-tomcat-8.5.35.tar.gz'
diff --git a/data/os/windows.yaml b/data/os/windows.yaml
new file mode 100644
index 000000000..11c76fcb3
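Review bot: `puppet_enterprise::master::code_manager::authenticate_webhook: false` in data/common.yaml turns off token authentication on the Code Manager webhook, so any host that can reach the endpoint can trigger a code deployment, and the file gives no reason for it. Because this is the common layer, it applies to every master that uses the repo. If it has to stay off for the starter setup, say so next to the key, e.g. `# webhook auth disabled for demo only - set to true and use an RBAC token in production`, and restrict network access to the webhook to the Git server.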
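Review bot: `gms_api_token: 'BDkZfWWnk4LVTLHdAywd'` in data/nodes/example-puppet-master.yaml is committed in clear text, although hiera.yaml in this same series adds an eyaml layer over `nodes/%{trusted.certname}.yaml` for exactly this kind of value. If the token was ever valid it should be revoked, since it remains in git history. Store it encrypted, `gms_api_token: ENC[PKCS7,<ciphertext placeholder>]`, or use an obvious dummy such as `'<your-gms-api-token>'` in the example file.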
--- /dev/null +++ b/data/os/windows.yaml @@ -0,0 +1,4 @@ +--- + +profile::app::tomcat::webserver::download_url: 'https://www-us.apache.org/dist/tomcat/tomcat-8/v8.5.35/bin/apache-tomcat-8.5.35-windows-x64.zip' +profile::app::tomcat::webserver::tomcat_install_path: 'C:\Program Files\Tomcat' diff --git a/data/virtual/virtualbox.yaml b/data/virtual/virtualbox.yaml new file mode 100644 index 000000000..10e60502e --- /dev/null +++ b/data/virtual/virtualbox.yaml @@ -0,0 +1,35 @@ +#These setting are intended for low memory testing VMs +#Not intended for general usage +--- +#PE3.7+ +#Allow access to the puppetdb performance dashboard from non-localhost +#This is insecure and also allows access to all API endpoints without verification +puppet_enterprise::profile::puppetdb::listen_address: '0.0.0.0' +puppet_enterprise::profile::amq::broker::heap_mb: '96' +puppet_enterprise::profile::master::java_args: + Xmx: '192m' + Xms: '128m' + 'XX:+UseG1GC': '' +puppet_enterprise::profile::puppetdb::java_args: + Xmx: '128m' + Xms: '96m' + 'XX:+UseG1GC': '' +puppet_enterprise::profile::console::java_args: + Xmx: '64m' + Xms: '64m' + 'XX:+UseG1GC': '' +puppet_enterprise::master::puppetserver::jruby_max_active_instances: 1 #PE3.7.2 only +puppet_enterprise::profile::console::delayed_job_workers: 1 +#shared_buffers takes affect during install but is not managed after +puppet_enterprise::profile::database::shared_buffers: '4MB' +#2015.3.2 and above +puppet_enterprise::profile::orchestrator::java_args: + Xmx: '64m' + Xms: '64m' + 'XX:+UseG1GC': '' + +profile::os::linux::security::ssh_server_opts: + Protocol: '2' + PasswordAuthentication: 'yes' + UsePAM: 'yes' + X11Forwarding: 'yes' diff --git a/hiera.yaml b/hiera.yaml new file mode 100644 index 000000000..ef83aeec0 --- /dev/null +++ b/hiera.yaml 
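Review bot: The `profile::os::linux::security::ssh_server_opts` block at the end of data/virtual/virtualbox.yaml re-enables `PasswordAuthentication` and `X11Forwarding` for every node whose `virtual` fact is `virtualbox`, and hiera.yaml places the "Virtual defaults" layer above `common.yaml`, so it overrides the hardened values there. `facts.virtual` is reported by the agent, so it is not a strong boundary between test and production nodes. The header comment only talks about low-memory sizing; add a line above this block, e.g. `# test VMs only: relaxes sshd (password auth, X11) - never apply to production`. The same applies to `listen_address: '0.0.0.0'`, which the file already marks as insecure.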
@@ -0,0 +1,56 @@ +--- +version: 5 +defaults: # Used for any hierarchy level that omits these keys. + datadir: data # This path is relative to hiera.yaml's directory. + data_hash: yaml_data # Use the built-in YAML backend. + +hierarchy: + - name: "Per-node data" # Human-readable name. + path: "nodes/%{trusted.certname}.yaml" # File path, relative to datadir. + # ^^^ IMPORTANT: include the file extension! + - name: "Per-node secret data (encrypted)" # Using same file as unencrypted + lookup_key: eyaml_lookup_key # Uses non-default backend. + path: "nodes/%{trusted.certname}.yaml" + options: + pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem + pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem + + - name: "Per-datacenter business role data" # Uses trusted data extentions. + path: "datacenter/%{facts.datacenter}/%{trusted.extentions.pp_role}.yaml" + - name: "Per-datacenter buiness role secret data (encrypted)" # Using same file as unencrypted + lookup_key: eyaml_lookup_key # Uses non-default backend. + path: "datacenter/%{facts.datacenter}/%{trusted.extentions.pp_role}.yaml" + options: + pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem + pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem + + - name: "Role business data" + path: "role/%{trusted.extentions.pp_role}.yaml" + - name: "Role business secret data (encrypted)" # Using same file as unencrypted + lookup_key: eyaml_lookup_key # Uses non-default backend. + path: "role/%{trusted.extentions.pp_role}.yaml" + options: + pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem + pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem + + - name: "Per-OS defaults" + path: "os/%{facts.os.family}.yaml" + - name: "Per-OS defaults secret data (encrypted)" # Using same file as unencrypted + lookup_key: eyaml_lookup_key # Uses non-default backend. 
+ path: "os/%{facts.os.family}.yaml" + options: + pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem + pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem + + - name: "Virtual defaults" # Used to configure PE master from within virtual + path: "virtual/%{facts.virtual}.yaml" # like virtualbox or testing platform + + - name: "Common data" + path: "common.yaml" + - name: "Common secret data (encrypted)" # Using same file as unencrypted + lookup_key: eyaml_lookup_key # Uses non-default backend. + path: "common.yaml" + options: + pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem + pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem + diff --git a/keys/private_key.pkcs7.pem b/keys/private_key.pkcs7.pem new file mode 100644 index 000000000..f6182508f --- /dev/null +++ b/keys/private_key.pkcs7.pem 
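Review bot: `trusted.extentions.pp_role` is misspelled in the four datacenter and role `path` entries; the trusted hash key is `extensions`, so as written the interpolation presumably resolves to an empty string and those layers never match a file. Use `path: "role/%{trusted.extensions.pp_role}.yaml"` and the same correction in the datacenter paths. Note also that `facts.datacenter`, `facts.virtual` and `facts.os.family` are agent-supplied, unlike the certificate-backed `trusted.*` values, so layers that carry eyaml secrets are safer when keyed on trusted data only. The repeated `pkcs7_private_key`/`pkcs7_public_key` options could be stated once if the eyaml levels were grouped, which would make a later key-path change less error-prone.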
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA9A+IuFu4HGKrRNBTsHADTKhDH7ZYXQCFYB/PeFj3kWpo9mZo +c26KIfvK6DXyaLATV3NStitLiAnAzVGIreeIdttlXm+hX+Ig1DeJrO+CZJxXXx+P +AfurpvsGaZMn46GvJfrh+h1dxYpX4UASpWIDIjoz16yHF1uVrd7yvoSM2znGNAHU +FFfdkT5qGLcOxe46iTlyK0gbtSUvT8arK1FKYiOjbyZ4RsOv5l0cvPY85HKKOc9p +t+f+vWzMuARh7HxcnKwA6FedLEBWQa1T2AxfRGBHK0pRj2sicaIxgnQXnKuuKBss +pLZSjIlTRSoH3Fdvqmk+FQJLPex//rXPiIyDYQIDAQABAoIBAQCrUcwzPY77vfdj +kqlsjPSD9wlHVYSppBf75diJLkp6dSvA6xofDVVBjbJdVqEXA6JQHM/OuI2IrO/+ +MGG1UXXlmRSLOekZmW5aCbJHBsmNPoHGcCy+w58207conPe/PlvoWTgPjlWouPf/ +Ui7EkQyKFjkWCDG8H7nuFzZmrj0CFSkzbZeaWFChQTgr9QGVKlW+iF4Upf7MK3i6 +xbHZCZpQJjZX7meGLo5I2mtJF0BQN+f7JQbsCqKLqYvcSpZXPfTg6Fhpt6mKdykq +y/N+CiVxLw2BmWd0pdiVWD/kTxW0DZ7Puby/Apx1UWPcydCy9WZYtalbbyVn1Plb ++AfzShwRAoGBAPqXapz1y8zATAyU4u44ar3yYo5ueWGhixxeZ1BiJ16yEpWwxqDl +G50JOO6y5Gcy/EbnOJ6ek7xvgBWMys1sOte5MtUIyo581/wkFgEnTaazTNWW+5ve +5jvh8f1r61IqFvMeK8aqL4jH2KbkH5KXN9pormGJgy7J3ssK0JaoB7cjAoGBAPlU +CITH9diJcNUmciJ/3o3VxqMdO5kwJb5px6JgqT7QrEu+v6WVwMz/D13xe0/gHY9d +Sju+1oD+uhQ+1/t17RcdI7CRzNVVlsORSW0feV1xPjAoHONrk3N8smDCM2tZJI1K +Ca771+cVb20EnMewxzUynbaK9aKiyLhDmM7FwIWrAoGAYsHxvlIQM21Fi1/R31hU +mO9BcCiRpaxoipGZ3dAQ+/zp3hyA6z/flg/gZBIUeadaTQcrBTgxuP2oWNXXxwV0 +WzgdlF+WlHkXFcOS+Hlo3N2k1jheiJtb2RW+rMUvRH5Z9Q5a6jx/50P7WiplVvxJ +gsXmk4ICNRpRt2tXsUgfYkkCgYEA1CL0sI02FwwxzZnNiJ8Fa+aVANnxiJBXvOBh +tD3MIp8Hyda9VxTIm2L03ziEc9y7Kez1KUphVhXlmy4xNEoM9Rqc8DHNd0JAaZtn +PwqFh8S/ZdfrZHB2X8+cMglqGI8bM3/oJ1MuSvaI/Nfs0VcO16t+Vv96qesZHvac +wGmvOcsCgYAruN9HJqbK7urAA1SaJ1mRlpf37YVzdH8Lsl+mr+BIAfalSabP120z +vE4TRvqREdrxNajiwSFjRMjl2hdx1s20fhcUYPrV+ubTxIYvJsxcSx/qyTxPC7jP +KBihxVxofJbr6DEzVFTSnQhYeoqtA5Rd0ILme82IlVhmZbXmZSIo2A== +-----END RSA PRIVATE KEY----- diff --git a/keys/public_key.pkcs7.pem b/keys/public_key.pkcs7.pem new file mode 100644 index 000000000..075f8e0cd --- /dev/null +++ b/keys/public_key.pkcs7.pem 
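Review bot: This adds the eyaml PKCS7 private key to the repository, which makes every `ENC[PKCS7,...]` value protected by it decryptable by anyone who can read the repo or its history. The certificate added next in keys/public_key.pkcs7.pem appears to carry the same modulus, so the pair should be treated as compromised: generate a new pair on the master, keep at most the public certificate in git, and add `keys/private_key.pkcs7.pem` to `.gitignore`. hiera.yaml already reads the key from `/etc/puppetlabs/puppet/eyaml/`, so nothing in the repo needs the private file. Removing the file in a later commit is not enough on its own, because the key stays in history.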
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC2TCCAcGgAwIBAgIBATANBgkqhkiG9w0BAQUFADAAMCAXDTE4MTIwNDE2MTAw +NVoYDzIwNjgxMTIxMTYxMDA1WjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEA9A+IuFu4HGKrRNBTsHADTKhDH7ZYXQCFYB/PeFj3kWpo9mZoc26KIfvK +6DXyaLATV3NStitLiAnAzVGIreeIdttlXm+hX+Ig1DeJrO+CZJxXXx+PAfurpvsG +aZMn46GvJfrh+h1dxYpX4UASpWIDIjoz16yHF1uVrd7yvoSM2znGNAHUFFfdkT5q +GLcOxe46iTlyK0gbtSUvT8arK1FKYiOjbyZ4RsOv5l0cvPY85HKKOc9pt+f+vWzM +uARh7HxcnKwA6FedLEBWQa1T2AxfRGBHK0pRj2sicaIxgnQXnKuuKBsspLZSjIlT +RSoH3Fdvqmk+FQJLPex//rXPiIyDYQIDAQABo1wwWjAPBgNVHRMBAf8EBTADAQH/ +MB0GA1UdDgQWBBTe28JgTJmSHIg12fJfhr8O/j5wKDAoBgNVHSMEITAfgBTe28Jg +TJmSHIg12fJfhr8O/j5wKKEEpAIwAIIBATANBgkqhkiG9w0BAQUFAAOCAQEAmAf7 +fiVGzeVDf6sJto5urI89hNfXwTECOjw03oMifZPVicG0Yu2RarMsS4Kc0XTjXpxb +Jue+AH6wK34RYpPs71aGkkOhcxNuu0l35GV6aeVyUPRD7LIp5bCoW3wfLfhmTNXD +YR2ICdkOlgvaAStnezg1dkTWojxu07q0hVRVE3ij2/JLd/qe3oy6tDUaDwrNWTpk +Ty/pd8J9B8FpyJ2Z47Rr47XbRCJiJQW5U8INSgPHt3sfdDuTn5UcXeUO1TBeVLND +U1eZpMi+YXhALKHFCi/9Vx4o9AmSbGjs5lZT2KAWnhN+VwNayqJXIOHYO+PNt4c9 +PomXmMQZnY8jRaFdoQ== +-----END CERTIFICATE----- diff --git a/metadata.json b/metadata.json new file mode 100644 index 000000000..2095eb27e --- /dev/null +++ b/metadata.json 
@@ -0,0 +1,72 @@ +{ + "name": "spidersddd-puppet_control_starter", + "version": "0.1.0", + "author": "spidersddd", + "summary": "", + "license": "Apache-2.0", + "source": "", + "dependencies": [ + + ], + "operatingsystem_support": [ + { + "operatingsystem": "CentOS", + "operatingsystemrelease": [ + "7" + ] + }, + { + "operatingsystem": "OracleLinux", + "operatingsystemrelease": [ + "7" + ] + }, + { + "operatingsystem": "RedHat", + "operatingsystemrelease": [ + "7" + ] + }, + { + "operatingsystem": "Scientific", + "operatingsystemrelease": [ + "7" + ] + }, + { + "operatingsystem": "Debian", + "operatingsystemrelease": [ + "8" + ] + }, + { + "operatingsystem": "Ubuntu", + "operatingsystemrelease": [ + "16.04" + ] + }, + { + "operatingsystem": "windows", + "operatingsystemrelease": [ + "2008 R2", + "2012 R2", + "10" + ] + }, + { + "operatingsystem": "Solaris", + "operatingsystemrelease": [ + "11" + ] + } + ], + "requirements": [ + { + "name": "puppet", + "version_requirement": ">= 4.10.0 < 7.0.0" + } + ], + "pdk-version": "1.8.0", + "template-url": "https://github.com/puppetlabs/pdk-templates", + "template-ref": "1.8.0-0-g0d9da00" +} \ No newline at end of file diff --git a/scripts/code_manager_config_version.rb b/scripts/code_manager_config_version.rb index 2c9cb62f5..28afda718 100755 --- a/scripts/code_manager_config_version.rb +++ b/scripts/code_manager_config_version.rb @@ -6,5 +6,5 @@ r10k_deploy_file_path = File.join(environmentpath, environment, '.r10k-deploy.json') -#output the sha1 from the control-repo +# output the sha1 from the control-repo puts JSON.parse(File.read(r10k_deploy_file_path))['signature'] diff --git a/scripts/config_version.rb b/scripts/config_version.rb index 3016a27b9..1d5c1f975 100755 --- a/scripts/config_version.rb +++ b/scripts/config_version.rb 
@@ -1,24 +1,19 @@ #!/usr/bin/env ruby begin require 'rugged' -rescue LoadError => e +rescue LoadError t = Time.new puts t.to_i else - environmentpath = ARGV[0] environment = ARGV[1] repo = Rugged::Repository.discover(File.join(environmentpath, environment)) - head = repo.head + head = repo.head - #sha1 hash of the newest commit + # sha1 hash of the newest commit head_sha = head.target_id - #the commit message associated the newest commit - commit = repo.lookup(head_sha) - - #add something to find the remote url - - puts head_sha + # add something to find the remote url + puts head_sha end diff --git a/site/README.md b/site/README.md new file mode 100644 index 000000000..3c07713a3 --- /dev/null +++ b/site/README.md @@ -0,0 +1,27 @@ +# Puppet Example Roles and Profiles + +These directories are example layout of Roles and Profiles practice. They have been constructed to represent current best practice and to support multiple operating systems. + +It SHOULD go without saying that everything should pass linting/validation, but +we're gonna go ahead and say that anyway. + +## Example requirements + +These examples have been constructed with the following requirements: + + - Modeling should support three operating systems + - Windows 2012R2 + - CentOS (6,7) + - Solaris 11.2 + - Two products should be represented + - Spider + - Windows product + - IIS Web service + - F5 loadbalancer + - SQL Database server + - Fastb + - Linux and Solaris product + - Tomcat web backend + - HAProxy loadbalancer + - MYSQL Database server + - These products are examples and will be deploying a `hello world` code base diff --git a/site/profile/README.md b/site/profile/README.md new file mode 100644 index 000000000..c135523a2 --- /dev/null +++ b/site/profile/README.md 
@@ -0,0 +1,38 @@ +# Puppet Example Profiles + +This directory is working example profiles for customers to use as well as model +future development after. They should follow best practice and model a multi OS +use case. + +It SHOULD go without saying that everything should pass linting/validation, but +we're gonna go ahead and say that anyway. + +## Organization and Namespaces + +Profile sprawl is a real concern. To prevent that, please try to follow a convention. + +Profiles should be organized in a hierarchical form with a few top-level categories that descend into more specific things. DO NOT just throw all your profiles at the root of the `manifests/` folder. Oh, and please use sub-folders for related profiles. + +### The OS folder + +`/manifests/os/` + + * This directory should contain profiles that manage items built-in to an operating system. For example, DNS, NTP, Users, firewall rules, etc.... + * If the thing being managed is "out of the box", it goes here. + +`/manifests/os//` + + * Profiles that are specific to built-in settings of one operating system go here. + * For example, `/manifests/os/windows/`, `/manifests/os/linux/`, or `/manifests/os/aix/`. + +### The App folder + +`/manifests/app/` + + * This directory should contain profiles to manage applications stacks. + * An "app" is anything that does **not** come out of the box or is **not** built-in to the operating system. + * Use simple and easy to understand sub folders that describe the type of application being managed. + * For example, `app/liferay.pp` is **bad**. While `app/cms/liferay.pp` is better as it groups it in the "CMS" category. + * Avoid ambiguous profile names. `profile::app::splunk::forwarder` is better than `profile::app::splunk`. + * Other examples: `/manifests/app/apache.pp`, `/manifests/app/sql/server.pp`, or `/manifests/app/f5/load_balancer.pp`. + diff --git a/site/profile/functions/data.pp b/site/profile/functions/data.pp new file mode 100644 index 000000000..9c39fb4c5 
--- /dev/null +++ b/site/profile/functions/data.pp @@ -0,0 +1,8 @@ +function profile::data(){ + $base_params = { + + } + + $base_params +} + diff --git a/site/profile/lib/facter/app_tier_subnet.rb b/site/profile/lib/facter/app_tier_subnet.rb new file mode 100644 index 000000000..4b8c47f8a --- /dev/null +++ b/site/profile/lib/facter/app_tier_subnet.rb @@ -0,0 +1,26 @@ +# Accessible in puppet as $::app_tier_subnet +require 'ipaddr' +Facter.add(:app_tier_subnet) do + setcode do + # Mapping of vlans to ipaddresses + # NOTE: To extend this fact, modify this hash + vlan_segments = { + 'prod' => IPAddr.new('10.10.10/22'), + 'dev' => IPAddr.new('11.11.11/22'), + 'uat' => IPAddr.new('12.12.12/22'), + 'cloud' => IPAddr.new('13.13.13/24'), + } + segment_name = nil + + # Iterate through all segments and find the one that matches + vlan_segments.each do |segment, address| + if address.include?(Facter.value(:ipaddress)) + segment_name = segment + break + end + end + + # Return the name of the segment that matches + segment_name + end +end diff --git a/site/profile/lib/facter/datacenter.rb b/site/profile/lib/facter/datacenter.rb new file mode 100644 index 000000000..2c2d385f5 --- /dev/null +++ b/site/profile/lib/facter/datacenter.rb @@ -0,0 +1,26 @@ +Facter.add(:datacenter) do + setcode do + datacenters_map = { + 'lax' => ['lax', 'lax2', 'hq'], + 'dc' => ['dc', 'dc2', 'dc3', 'foo'], + 'london' => ['lon', 'uk', 'london', 'bar'], + } + + # Assume that all hostnames look like this: + # lax-prod-www-291 + # dc-dev-www-111 + # lon-prod-db-101 + # The 'datacenter' segment is the first part of a host name. + first_segment = Facter.value(:hostname).split('-')[0] + + datacenter = nil + + datacenters_map.each do |datacenter_name, datacenter_aliases| + if datacenter_aliases.include? first_segment + datacenter = datacenter_name + break + end + end + datacenter + end +end 
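Review bot: The `vlan_segments` literals in app_tier_subnet.rb such as `IPAddr.new('10.10.10/22')` have only three octets; current Ruby IPAddr should reject these as invalid addresses, so the fact would raise instead of resolving. Write full network addresses, e.g. `IPAddr.new('10.10.10.0/22')`, after confirming the intended ranges. `Facter.value(:ipaddress)` can also be nil on a host without a resolved primary address, so return nil early in that case before calling `include?`. The same nil concern applies to `Facter.value(:hostname).split('-')` in datacenter.rb.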
diff --git a/site/profile/manifests/app/f5/load_balancer.pp b/site/profile/manifests/app/f5/load_balancer.pp new file mode 100644 index 000000000..db620f6fe --- /dev/null +++ b/site/profile/manifests/app/f5/load_balancer.pp 
@@ -0,0 +1,113 @@ +# profile::app::f5::load_balancer +# +# @summary This is a defined-type profile that creates everything +# needed in an F5 to load-balance a set of servers. +# +# @example Declaring a set of load-balanced servers: +# +# profile::app::f5::load_balancer { 'Awesome WebApp': +# nodes => [ +# { name => 'web1', address => '10.1.1.11', port => '80' }, +# { name => 'web2', address => '10.1.1.12', port => '80' }, +# { name => 'web3', address => '10.1.1.13', port => '80' }, +# ], +# pool_name => 'web_pool', +# virtualserver_name => 'website.foo.net', +# destination_address => '10.1.1.10', +# } +# +# @param nodes An array of hashes, where each hash contains a 'name', 'address', 'port', and optional 'monitors' key. +# @param pool_name The name of the pool to create and manage. +# @param virtualserver_name The name of the virtualserver to create and mange. +# @param destination_address The IP address of the VIP destination. +# +define profile::app::f5::load_balancer ( + Array[Hash] $nodes, + String $pool_name, + String $virtualserver_name, + String $destination_address, + Optional[Array[String]] $irules = undef, + String $destination_mask = '255.255.255.255', + Array[String] $health_monitors = [ '/Common/tcp' ], + String $load_balancing_method = 'round-robin', + Enum['present','absent'] $ensure = 'present', + String $http_profile = '/Common/http', + String $service_port = '80', + String $source = '0.0.0.0', +) { + + $description = "Managed by Puppet: ${title}" + + $_pool_name = $pool_name ? { + /^\/Common\// => $pool_name, + default => "/Common/${pool_name}", + } + + $_virtualserver_name = $virtualserver_name ? { + /^\/Common\// => $virtualserver_name, + default => "/Common/${virtualserver_name}", + } + + # Iterate over each node and manage it. + $nodes.each |Hash $node| { + + # Check that all required node properties are defined. 
+ ['name','address','port'].each |$property| { + if !(has_key($node, $property)) or ($node[$property] == undef) { + fail("${title}: Missing required node property '${property}'") + } + } + + # Use the ICMP monitor if none defined. + $_monitors = $node['monitors'] ? { + undef => [ '/Common/icmp' ], + default => $node['monitors'], + } + + f5_node { $node['name']: + ensure => $ensure, + address => $node['address'], + health_monitors => $_monitors, + availability_requirement => 'all', + description => $description, + before => [ + F5_pool[$_pool_name], + F5_virtualserver[$_virtualserver_name], + ], + } + + } + + # Generate the members parameter value to use in the f5_pool. + # We are creating an array of hashes with 'name' and 'port' keys. + $members = $nodes.map |Hash $node| { + { + 'name' => $node['name'], + 'port' => $node['port'], + } + } + + f5_pool { $_pool_name: + ensure => $ensure, + health_monitors => $health_monitors, + load_balancing_method => $load_balancing_method, + members => $members, + description => $description, + before => F5_virtualserver[$_virtualserver_name], + } + + f5_virtualserver { $_virtualserver_name: + ensure => $ensure, + provider => 'standard', + default_pool => $_pool_name, + destination_address => $destination_address, + destination_mask => $destination_mask, + http_profile => $http_profile, + service_port => $service_port, + irules => $irules, + source => $source, + description => $description, + require => F5_pool[$_pool_name], + } + +} diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp new file mode 100644 index 000000000..0941c53dd --- /dev/null +++ b/site/profile/manifests/app/fastb.pp 
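Review bot: Only four of the twelve parameters have `@param` tags; `irules`, `destination_mask`, `health_monitors`, `load_balancing_method`, `ensure`, `http_profile`, `service_port` and `source` are undocumented, and "mange" in the `virtualserver_name` tag should read "manage". The hand-written `has_key` loop over `['name','address','port']` could be replaced by the parameter type, so bad input fails at compile time with a clearer message: `Array[Struct[{'name' => String[1], 'address' => String[1], 'port' => String[1], Optional['monitors'] => Array[String]}]] $nodes,`. `$destination_address` and `$source` are plain `String`; an IP address type from stdlib would catch typos before they reach the device.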
@@ -0,0 +1,20 @@
+# This is a example profile to deploy fastb application software.
+class profile::app::fastb (
+ Stdlib::Httpsurl $download_url = 'https://tomcat.apache.org/tomcat-8.0-doc/appdev/sample/sample.war',
+ String $sha1_sum = '80f5053b166c69d81697ba21113c673f8372aca0',
+ Stdlib::Absolutepath $app_path = '/opt/tomcat',
+) {
+ require profile::os::archives
+ $temp_dir = $profile::os::archives::temp_dir
+
+ archive { "${temp_dir}/fastb_app.war":
+ ensure => present,
+ extract => true,
+ extract_path => $app_path,
+ source => $download_url,
+ checksum => $sha1_sum,
+ checksum_type => 'sha1',
+ creates => "${app_path}/fastb_app.war",
+ cleanup => true,
+ }
+}
diff --git a/site/profile/manifests/app/icinga.pp b/site/profile/manifests/app/icinga.pp
new file mode 100644
index 000000000..4f3c5425b
--- /dev/null
+++ b/site/profile/manifests/app/icinga.pp
@@ -0,0 +1,11 @@
+# A description of what this class does
+#
+# @summary A short summary of the purpose of this class
+#
+# @example
+# include puppet_control_starter::profile::app::icinga
+class profile::app::icinga {
+ class { '::icinga2':
+ manage_repo => false,
+ }
+}
diff --git a/site/profile/manifests/app/iis/default_app_pool.pp b/site/profile/manifests/app/iis/default_app_pool.pp
new file mode 100644
index 000000000..932541df3
--- /dev/null
+++ b/site/profile/manifests/app/iis/default_app_pool.pp
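Review bot: `$temp_dir = $profile::os::archives::temp_dir` in fastb.pp reads a variable that `profile::os::archives` never sets; that class, as added in site/profile/manifests/os/archives.pp, defines `$temp_path`, so the archive title would collapse to `/fastb_app.war`. Use `$temp_dir = $profile::os::archives::temp_path`. The download is verified with `checksum_type => 'sha1'`; SHA-1 is no longer collision-resistant, so prefer `checksum_type => 'sha256'` with a matching digest parameter. `extract => true` combined with `creates => "${app_path}/fastb_app.war"` also looks inconsistent, since unpacking a WAR would not produce that file; confirm whether the intent is to copy the WAR or expand it.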
@@ -0,0 +1,31 @@ +# example class of default IIS app pool +class profile::app::iis::default_app_pool ( + String $site_name = 'Default Web Site' +) { + $iis_features = ['Web-WebServer','Web-Scripting-Tools'] + + iis_feature { $iis_features: + ensure => 'present', + } + + # Delete the default website to prevent a port binding conflict. + iis_site {'Default Web Site': + ensure => absent, + require => Iis_feature['Web-WebServer'], + } + + iis_site { 'minimal': + ensure => 'started', + physicalpath => 'c:\\inetpub\\minimal', + applicationpool => 'DefaultAppPool', + require => [ + File['minimal'], + Iis_site[$site_name] + ], + } + + file { 'minimal': + ensure => 'directory', + path => 'c:\\inetpub\\minimal', + } +} diff --git a/site/profile/manifests/app/java.pp b/site/profile/manifests/app/java.pp new file mode 100644 index 000000000..1c87c7434 --- /dev/null +++ b/site/profile/manifests/app/java.pp @@ -0,0 +1,18 @@ +# This profile os to install an normalize java for +# agent hosts. +class profile::app::java { + case $facts['os']['family'] { + 'RedHat': { + require java + } + 'windows': { + require windows_java + } + 'Solaris': { + require java + } + default: { + fail("OS family ${facts['os']['family']} is not supported with ${title}.") + } + } +} diff --git a/site/profile/manifests/app/tomcat/webserver.pp b/site/profile/manifests/app/tomcat/webserver.pp new file mode 100644 index 000000000..df4c91686 --- /dev/null +++ b/site/profile/manifests/app/tomcat/webserver.pp @@ -0,0 +1,15 @@ +# This profile will install tomcat +class profile::app::tomcat::webserver ( + Optional[String] $download_url = undef, + Stdlib::Absolutepath $tomcat_install_path = '/opt/tomcat', +) { + require profile::app::java + + if $download_url { + tomcat::install { $tomcat_install_path: + source_url => $download_url, + } + } else { + fail("download_url not set for ${title}.") + } +} 
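Review bot: `Iis_site[$site_name]` in the `require` of `iis_site { 'minimal': }` only resolves while `$site_name` keeps its default, because the resource actually declared is the hard-coded `iis_site {'Default Web Site':`. Any other value makes the catalog reference an undeclared resource and compilation fails. Declare the resource from the parameter, `iis_site { $site_name:`, so the two stay in step.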
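Review bot: `tomcat::install` in webserver.pp fetches `$download_url` with no integrity check, and the parameter is a bare `Optional[String]`, so a plain `http://` URL coming from Hiera would be accepted. Tighten the type to `Optional[Stdlib::Httpsurl] $download_url = undef,` as fastb.pp does. Also verify the tarball against a pinned digest before it is unpacked, for example by fetching it with an `archive` resource that sets `checksum` and `checksum_type`. The URLs in `data/os/*.yaml` point at a mirror path for one specific 8.5.35 build, so it is worth confirming that the path stays available.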
diff --git a/site/profile/manifests/cloud/azure/deployhost.pp b/site/profile/manifests/cloud/azure/deployhost.pp new file mode 100644 index 000000000..543e7fe06 --- /dev/null +++ b/site/profile/manifests/cloud/azure/deployhost.pp 
@@ -0,0 +1,91 @@ +## +# profile::cloud::azure::deployhost +# +# Builds a host used to interface with Azure (to be used by puppetlabs/azure module). +# Gems and packages are required to be installed into ruby packaged with Puppet Agent. +# Tested on CentOS and Windows 2012R2. +# +# Module requirements: +# * puppetlabs/hocon +# +# Other requirements: +# * Azure login (https://azure.microsoft.com/) +# * Azure Service Principal (SP) with permissions to create objects. +# +# @summary Micosoft Azure deployer proxy host. +# +# @param azure_packages Packages required for azure_gems on Linux. +# +# @param azure_gems Gems required. +# +# @param azure_config +# subscription_id: +# * Portal: Subscriptions -> $name -> Subscription ID +# * CLI 2.0: `az account list --output table` +# tenant_id: +# * Portal: Azure Active Directory -> Properties -> Directory ID +# * CLI 2.0: `az account show --output table` +# client_id: +# * Portal: Azure Active Directory -> App Registrations -> $name -> Application ID +# * CLI 2.0: `az ad app list` +# client_secret: Only displayed once upon creation of client_id. 
+# * Portal: Azure Active Directory -> App Registrations -> New application registration +# * CLI 2.0: `az ad sp create-for-rbac --name $sp_name` +# +class profile::cloud::azure::deployhost ( + Array $azure_packages = ['gcc-c++', 'zlib-devel'], + Hash $azure_gems = { + 'activesupport' => '4.2.9', + 'nokogiri' => '~>1.7.0', + 'azure' => '~>0.7.0', + 'azure-armrest' => '0.3.1', + 'azure_mgmt_compute' => '~>0.3.0', + 'azure_mgmt_storage' => '~>0.3.0', + 'azure_mgmt_resources' => '~>0.3.0', + 'azure_mgmt_network' => '~>0.3.0', + 'hocon' => '~>1.1.2', + 'retries' => 'latest', + }, + + Hash $azure_config = { + 'subscription_id' => undef, + 'tenant_id' => undef, + 'client_id' => undef, + 'client_secret' => undef, + } +) { + + ## + # Packges & Gems + # + if $facts['kernel'] == 'Linux' { + package { $azure_packages: + ensure => installed, + } + } + + $azure_gems.each | String $gem, String $version | { + package { $gem: + ensure => $version, + provider => 'puppet_gem', + } + } + + ## + # Configuration + # + $agent_confdir = $facts['os']['family'] ? { + 'windows' => 'C:/ProgramData/PuppetLabs/puppet/etc', + default => '/etc/puppetlabs/puppet', + } + + $azure_config.each | $i, $v | { + hocon_setting {"azure.conf-${i}": + ensure => present, + path => "${agent_confdir}/azure.conf", + setting => "azure.${i}", + value => $v, + } + } + +} diff --git a/site/profile/manifests/cloud/azure/vm_test.pp b/site/profile/manifests/cloud/azure/vm_test.pp new file mode 100644 index 000000000..2d1493884 --- /dev/null +++ b/site/profile/manifests/cloud/azure/vm_test.pp 
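Review bot: `client_secret` is written into `${agent_confdir}/azure.conf` by the `hocon_setting` loop, but nothing here manages that file's owner or mode, and the value travels as a plain string, so it can appear in reports and logs. Add a `file` resource for the conf with `mode => '0600'` on non-Windows hosts and source the secret from the eyaml layer. Consider typing it as `Sensitive` too, if the hocon_setting provider in use accepts that. `'retries' => 'latest'` is the one unpinned entry in `azure_gems`; pin it like the others so the agent's Ruby does not install whatever is newest at run time.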
@@ -0,0 +1,19 @@
+##
+# Create a VM in Azure using Resource Manager method.
+#
+# Caveats:
+# * 'user' can not be "admin".
+# * 'password' must be at least 12 characters.
+#
+class profile::cloud::azure::vm_test {
+ azure_vm { 'vm1':
+ ensure => present,
+ location => 'westus',
+ image => 'OpenLogic:CentOS:7.3:latest',
+ user => 'puppet',
+ password => '6Eji6PB9ErXJ7PrJtWQP',
+ size => 'Basic_A0',
+ resource_group => 'my-group',
+ }
+}
+
diff --git a/site/profile/manifests/os/archives.pp b/site/profile/manifests/os/archives.pp
new file mode 100644
index 000000000..765f09f32
--- /dev/null
+++ b/site/profile/manifests/os/archives.pp
@@ -0,0 +1,23 @@
+# This profile is to normalize archive for a site
+# it will set temp dir and install dir for the build
+class profile::os::archives (
+ Optional[Stdlib::Absolutepath] $in_temp_path = undef
+) {
+ include '::archive'
+
+ if ! $in_temp_path {
+ case $facts['kernel'] {
+ 'Linux', 'Solaris': {
+ $temp_path = '/tmp'
+ }
+ 'windows': {
+ $temp_path = 'C:/Windows/Temp'
+ }
+ default: {
+ fail("OS ${facts['kernel']} is not supported with ${title}.")
+ }
+ }
+ } else {
+ $temp_path = $in_temp_path
+ }
+}
diff --git a/site/profile/manifests/os/base.pp b/site/profile/manifests/os/base.pp
new file mode 100644
index 000000000..57b74e49a
--- /dev/null
+++ b/site/profile/manifests/os/base.pp
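Review bot: `password => '6Eji6PB9ErXJ7PrJtWQP'` in vm_test.pp hard-codes the VM admin password in the manifest, where it lands in git history and in every compiled catalog. Make it a class parameter with no default, `String[12] $password,`, and supply it from the eyaml-encrypted Hiera layer. If this value was ever used on a real VM it should be changed. `image => 'OpenLogic:CentOS:7.3:latest'` also floats on `latest`, so consider a fixed image version for repeatable builds.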
@@ -0,0 +1,37 @@ +# This profile an example of base profile. +# It should support all site OS's and sould be enforced +# on all agent hosts. This is the minimum bar of site +# specific hosts. +class profile::os::base ( + Array[String[1]] $name_servers = [ '8.8.8.8', '8.8.4.4' ], + Array[String[1]] $search_path = [ 'localdomain', 'puppet.vm' ], +) { + # Profile to set a default base level of acceptable security and + # configuration for systems to be used within the company networks. + case $facts['os']['family'] { + 'RedHat': { + class { 'profile::os::dns_resolver': + name_servers => $name_servers, + search_path => $search_path, + } + #include 'profile::os::linux::security' + } + 'windows': { + class { 'profile::os::dns_resolver': + name_servers => $name_servers, + search_path => $search_path, + } + #include profile::os::windows::security + } + 'Solaris': { + class { 'profile::os::dns_resolver': + name_servers => $name_servers, + search_path => $search_path, + } + include profile::os::solaris::enable_ssh + } + default: { + fail("OS family ${facts['os']['family']} is not supported with ${title}.") + } + } +} diff --git a/site/profile/manifests/os/dns_resolver.pp b/site/profile/manifests/os/dns_resolver.pp new file mode 100644 index 000000000..946c879f7 --- /dev/null +++ b/site/profile/manifests/os/dns_resolver.pp 
@@ -0,0 +1,54 @@ +# @summary A DNS profile for *nix and Windows +# +# @description This profile abstracts away the configuration of DNS settings into +# 2 parameters, 'name_servers' and 'search_path'. +# +# @param name_servers An array of DNS name servers to use. +# @param search_path An array of domain suffixes to use in the DNS search path. +# +class profile::os::dns_resolver ( + Array[String[1]] $name_servers, + Array[String[1]] $search_path, +) { + + case $facts['kernel'] { + 'linux','aix': { + + # Use saz/resolv_conf Forge module + class { 'resolv_conf': + nameservers => $name_servers, + searchpath => $search_path, + } + + } + 'windows': { + + # Use the puppetlabs/dsc module + # Rather than set every interface, you could instead just set the primary + # by changing the dsc_interfacealias param to $facts['networking']['primary'] + # and removing the each loop. + #$facts['networking']['interfaces'].keys.each |$interface| { + # dsc_xdnsserveraddress { "Configure-DNS-${interface}-interface": + # ensure => present, + # dsc_address => $name_servers, + # dsc_interfacealias => $interface, + # dsc_addressfamily => 'IPv4', + # } + #} + dsc_xdnsserveraddress { 'Configure-DNS-primary-interface': + ensure => present, + dsc_address => $name_servers, + dsc_interfacealias => $facts['networking']['primary'], + dsc_addressfamily => 'IPv4', + } + dsc_xdnsclientglobalsetting { 'Configure-DNS-search-path': + ensure => present, + dsc_suffixsearchlist => $search_path, + dsc_issingleinstance => 'Yes' + } + + } + default: { notify { 'This profile does not support your OS': } } + } + +} diff --git a/site/profile/manifests/os/linux/ms_ca_root_cert.pp b/site/profile/manifests/os/linux/ms_ca_root_cert.pp new file mode 100644 index 000000000..a02a27ffa --- /dev/null +++ b/site/profile/manifests/os/linux/ms_ca_root_cert.pp 
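Review bot: The `default:` branch only emits `notify { 'This profile does not support your OS': }`, so on an unmatched kernel the run succeeds with DNS left unmanaged. `profile::os::base` declares this class for the Solaris family, whose kernel fact, as far as I can tell, matches neither the `'linux','aix'` nor the `'windows'` branch. Either add a Solaris branch or fail as the other profiles do: `default: { fail("Kernel ${facts['kernel']} is not supported with ${title}.") }`. The `name_servers` entries are `String[1]`; an IP address type from stdlib would reject malformed resolver entries before they are written out.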
@@ -0,0 +1,19 @@
+# Assuming you have the root CA cert stored on the master
+# this declaration will allow you to push it around
+# so a linux node can use it for web services
+# and windows users will get internally trusted certs
+# without needing to provision third party certs
+class profile::os::linux::ms_ca_root_cert {
+
+ file { '/etc/pki/tls/certs/msca.crt':
+ ensure => 'file',
+ source => 'puppet:///modules/profile/msca.crt',
+ }
+
+ file { '/etc/pki/tls/certs/4adae044.0':
+ ensure => 'link',
+ target => '/etc/pki/tls/certs/msca.crt',
+ require => File['/etc/pki/tls/certs/msca.crt'],
+ }
+
+}
diff --git a/site/profile/manifests/os/linux/security.pp b/site/profile/manifests/os/linux/security.pp
new file mode 100644
index 000000000..a6a14707c
--- /dev/null
+++ b/site/profile/manifests/os/linux/security.pp
@@ -0,0 +1,28 @@
+# This profile is example of security configurations for
+# site specific security settings.
+class profile::os::linux::security (
+ # This allows hiera to control if the saz/ssh::server class should be used
+ # on perspective agent hosts. Setting to false will mean the agents ssh server
+ # configuration will not be managed. If 'profile::os::linux::security::ssh_server'
+ # to change this behavior
+ Boolean $ssh_server = true
+) {
+ if $ssh_server {
+ # This lookup allows the hash to be constructed over multiple hierarchies
+ # example is located in common.yaml and virtual/virtualbox.yaml
+ $ssh_server_opts = lookup( 'name' => 'profile::os::linux::security::ssh_server_opts',
+ { 'merge' => {
+ 'strategy' => 'deep',
+ 'default_value' => {} }, })
+
+ $ssh_client_opts = lookup( 'name' => 'profile::os::linux::security::ssh_client_opts',
+ { 'merge' => {
+ 'strategy' => 'deep',
+ 'default_value' => {} }, })
+
+ # Pass the found options to saz/ssh server class
+ class { 'ssh::server':
+ options => $ssh_server_opts,
+ }
+ }
+}
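Review bot: The link name `4adae044.0` in the second `file` resource of `ms_ca_root_cert.pp` is hard-coded and is presumably the OpenSSL subject hash of one particular certificate; if `msca.crt` is ever replaced, the link keeps the old name and hash-based lookups would stop finding the new cert. A comment stating how the value was derived would let the next maintainer regenerate it. Neither resource sets ownership or permissions on the trust anchor; adding `owner => 'root', group => 'root', mode => '0644',` to the first resource pins them instead of inheriting whatever the source file carries.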
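Review bot: `$ssh_client_opts` in `profile::os::linux::security` is looked up but never used, so client options set in Hiera have no effect; either pass it to a client class or drop the lookup. In both `lookup()` calls `'default_value'` is nested inside the `'merge'` hash, where it looks as if it would be read as a merge option rather than as the lookup default, so a node with no data may fail instead of getting `{}`. The single options-hash form avoids that: `lookup({ 'name' => 'profile::os::linux::security::ssh_server_opts', 'merge' => 'deep', 'default_value' => {} })`. The parameter comment ending in "to change this behavior" is also missing its verb.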
diff --git a/site/profile/manifests/os/solaris/enable_ssh.pp b/site/profile/manifests/os/solaris/enable_ssh.pp
new file mode 100644
index 000000000..19960ff86
--- /dev/null
+++ b/site/profile/manifests/os/solaris/enable_ssh.pp
@@ -0,0 +1,22 @@
+# This class enables SSH and enables root login
+
+class profile::os::solaris::enable_ssh (
+ String $permit_root_login = 'yes',
+) {
+
+ # Start up the service and enable it at boot time.
+ service { 'svc:/network/ssh:default':
+ ensure => running,
+ enable => true,
+ }
+
+ # Manage whether root is allowed to login. (Default: yes)
+ file_line { 'permit root ssh':
+ ensure => present,
+ path => '/etc/ssh/sshd_config',
+ line => "PermitRootLogin ${permit_root_login}",
+ match => '^PermitRootLogin ',
+ notify => Service['svc:/network/ssh:default'],
+ }
+
+}
diff --git a/site/profile/manifests/os/windows/disable_firewall.pp b/site/profile/manifests/os/windows/disable_firewall.pp
new file mode 100644
index 000000000..ccd006350
--- /dev/null
+++ b/site/profile/manifests/os/windows/disable_firewall.pp
@@ -0,0 +1,29 @@
+# This profile disables all local firewalls on Windows nodes.
+#
+# Requires: puppetlabs/registry
+#
+class profile::os::windows::disable_firewall {
+
+ registry::value { 'Disable DomainProfile firewall':
+ key => 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile',
+ value => 'EnableFirewall',
+ data => '0',
+ type => 'dword',
+ }
+
+ registry::value { 'Disable PublicProfile firewall':
+ key => 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile',
+ value => 'EnableFirewall',
+ data => '0',
+ type => 'dword',
+ }
+
+ registry::value { 'Disable StandardProfile firewall':
+ key => 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile',
+ value => 'EnableFirewall',
+ data => '0',
+ type => 'dword',
+ }
+
+}
+
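Review bot: `$permit_root_login` in `profile::os::solaris::enable_ssh` is an unconstrained `String` defaulting to `'yes'` and is interpolated straight into the `PermitRootLogin` line, so any Hiera typo lands in `sshd_config` and the out-of-the-box result is direct root login over SSH. Because `profile::os::base` includes this class on every Solaris node, that default becomes the site baseline. Constrain the type and choose a stricter default, for example `Enum['yes', 'no', 'without-password', 'forced-commands-only'] $permit_root_login = 'no',` (adjust the list to what the site's sshd accepts). The `(Default: yes)` comment above the `file_line` would need the same update.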
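Review bot: `profile::os::windows::disable_firewall` forces `EnableFirewall` to `0` for the Domain, Public and Standard profiles unconditionally, with no way for a site to keep any of them on. A Boolean parameter per profile (for instance `Boolean $public = false,`) wrapped around each `registry::value` would let the Public profile stay enabled where only domain traffic needs opening. The header comment could also state whether the change needs a service restart or reboot to take effect, which nothing in the hunk triggers.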
diff --git a/site/profile/manifests/os/windows/disable_ieesc.pp b/site/profile/manifests/os/windows/disable_ieesc.pp
new file mode 100644
index 000000000..2399dda83
--- /dev/null
+++ b/site/profile/manifests/os/windows/disable_ieesc.pp
@@ -0,0 +1,22 @@
+# This will disable Internet Explorer Enhanced Security Configuration
+#
+# Requires: puppetlabs/registry
+#
+class profile::os::windows::disable_ieesc {
+
+ registry::value { 'Disable IE ESC for Administrators':
+ key => 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}',
+ value => 'IsInstalled',
+ data => '0',
+ type => 'dword',
+ }
+
+ registry::value { 'Disable IE ESC for Users':
+ key => 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}',
+ value => 'IsInstalled',
+ data => '0',
+ type => 'dword',
+ }
+
+}
+
diff --git a/site/profile/manifests/os/windows/disable_ipv6.pp b/site/profile/manifests/os/windows/disable_ipv6.pp
new file mode 100644
index 000000000..4d4ede92b
--- /dev/null
+++ b/site/profile/manifests/os/windows/disable_ipv6.pp
@@ -0,0 +1,14 @@
+# This will turn off ipv6 for Windows nodes
+#
+# Requires puppetlabs/registry
+#
+class profile::os::windows::disable_ipv6 {
+
+ registry::value { 'Disable IPv6':
+ key => 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters',
+ value => 'DisabledComponents',
+ data => '255',
+ type => 'dword',
+ }
+
+}
diff --git a/site/profile/manifests/os/windows/disable_uac.pp b/site/profile/manifests/os/windows/disable_uac.pp
new file mode 100644
index 000000000..84b1077ed
--- /dev/null
+++ b/site/profile/manifests/os/windows/disable_uac.pp
@@ -0,0 +1,25 @@
+# This will disable UAC on Windows nodes.
+#
+# Requires: puppetlabs/registry
+#
+class profile::os::windows::disable_uac {
+
+ registry::value { 'Disable UAC':
+ key => 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
+ value => 'EnableLUA',
+ data => '0',
+ type => 'dword',
+ }
+
+ # Refer to the link below to determine what different values do.
+ # Valid data values are 0 - 5.
+ # https://msdn.microsoft.com/en-us/library/Cc232761.aspx
+ registry::value { 'Set UAC Consent Prompt Level':
+ key => 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
+ value => 'ConsentPromptBehaviorAdmin',
+ data => '5',
+ type => 'dword',
+ }
+
+}
+
diff --git a/site/profile/manifests/os/windows/enable_remote_desktop.pp b/site/profile/manifests/os/windows/enable_remote_desktop.pp
new file mode 100644
index 000000000..6c439f84c
--- /dev/null
+++ b/site/profile/manifests/os/windows/enable_remote_desktop.pp
@@ -0,0 +1,21 @@
+# This profile will enable remote desktop connections
+#
+# Requires: puppetlabs/registry
+#
+class profile::os::windows::enable_remote_desktop {
+
+ registry::value { 'Enable Terminal Services connections':
+ key => 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server',
+ value => 'fDenyTSConnections',
+ data => '0',
+ type => 'dword',
+ }
+
+ registry::value { 'Enable TS Network Level Authentication':
+ key => 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp',
+ value => 'SecurityLayer',
+ data => '1',
+ type => 'dword',
+ }
+
+}
diff --git a/site/profile/manifests/os/windows/security.pp b/site/profile/manifests/os/windows/security.pp
new file mode 100644
index 000000000..f81abe368
--- /dev/null
+++ b/site/profile/manifests/os/windows/security.pp
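Review bot: The second resource in `profile::os::windows::disable_uac`, 'Set UAC Consent Prompt Level', writes `ConsentPromptBehaviorAdmin` = `5`, which as far as I know is the stock Windows value (prompt for consent for non-Windows binaries) and is not consulted while `EnableLUA` is `0` as set just above. The resource therefore reads as if it lowers the prompt level but changes nothing. Either drop it or say why it is managed, e.g. `# 5 = Windows default; managed only so that re-enabling EnableLUA restores normal prompting`.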
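Review bot: The resource titled 'Enable TS Network Level Authentication' in `enable_remote_desktop.pp` sets `SecurityLayer`, which selects the RDP transport security layer (`1` is Negotiate) and does not turn on NLA. NLA is controlled by the `UserAuthentication` value under the same `RDP-Tcp` key, so after this class runs Remote Desktop is enabled without Puppet enforcing pre-session authentication. Add a third `registry::value` with `value => 'UserAuthentication', data => '1', type => 'dword',` and consider `SecurityLayer` `2` so that TLS is required rather than negotiated; the existing title should then be renamed to match what it sets.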
@@ -0,0 +1,13 @@
+# This profile is example of security configurations for
+# site specific security settings.
+class profile::os::windows::security (
+ Boolean $disable_ipv6 = true,
+ Boolean $enable_rdesktop = false,
+) {
+ if $disable_ipv6 {
+ include profiles::os::windows::disable_ipv6
+ }
+ if $enable_rdesktop {
+ include profile::os::windows::enable_remote_desktop
+ }
+}
diff --git a/site/profile/manifests/os/windows/winrm_ssl_config.pp b/site/profile/manifests/os/windows/winrm_ssl_config.pp
new file mode 100644
index 000000000..66c1c079f
--- /dev/null
+++ b/site/profile/manifests/os/windows/winrm_ssl_config.pp
@@ -0,0 +1,33 @@
+# This profile configures winrm to use SSL, and uses
+# an existing certificate already installed in the
+# trusted store.
+#
+# This assumes a root CA has already been passed
+# via GPO or the like.
+#
+# Required modules in Puppetfile format, versions current as of last update:
+# mod 'puppet-windows_firewall', '2.0.0'
+# mod 'puppetlabs-stdlib', '4.24.0' ( windows_firewall (>= 4.6.0 < 5.0.0))
+# mod 'puppetlabs-registry', '1.1.4' ( windows_firewall (>= 1.1.1 < 2.0.0))
+# mod 'liamjbennett-win_facts', '0.0.2' ( windows_firewall (>= 0.0.2 < 2.0.0))
+# mod 'nekototori-winrmssl', '0.1.0'
+class profile::os::windows::winrm_ssl_config {
+
+ winrmssl { 'example.com':
+ ensure => 'present',
+ issuer => 'CN=example.com, DC=example, DC=com',
+ }
+
+ windows_firewall::exception { '$CLIENT_WINRM_SSL':
+ ensure => 'present',
+ direction => 'in',
+ action => 'Allow',
+ enabled => 'yes',
+ protocol => 'TCP',
+ local_port => '5986',
+ remote_port => 'any',
+ display_name => '$CLIENT_WINRM_SSL',
+ description => 'Inbound rule for secure remote management. [TCP 5986]',
+ }
+
+}
diff --git a/site/role/README.md b/site/role/README.md
new file mode 100644
index 000000000..dec49e2b8
--- /dev/null
+++ b/site/role/README.md
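Review bot: `include profiles::os::windows::disable_ipv6` in the first `if` of `profile::os::windows::security` names a `profiles` module, while every class added in this patch lives under `profile`. With `$disable_ipv6` defaulting to `true`, the catalog would fail on an unknown class as soon as this profile is included. The line should read `include profile::os::windows::disable_ipv6`.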
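Review bot: The firewall exception in `profile::os::windows::winrm_ssl_config` is titled `'$CLIENT_WINRM_SSL'` in single quotes, so the rule is created with that literal text as its name and `display_name`; it looks like an unreplaced placeholder. The `winrmssl` title and `issuer` are hard-coded to `example.com` in the same way, so making them class parameters (`String[1] $issuer`, `String[1] $rule_name = 'WinRM HTTPS'`) would keep site values in Hiera. The rule as written carries no source-address restriction, so TCP 5986 is opened to any peer; whether the pinned module version can scope the remote address is worth checking.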
@@ -0,0 +1,19 @@
+# Puppet Example Roles
+
+This directory is working example roles for customers to use as well as model
+future development after. They should follow best practice and model a multi OS
+use case.
+
+It SHOULD go without saying that everything should pass linting/validation, but
+we're gonna go ahead and say that anyway.
+
+## Organization and Namespaces
+
+Roles should be organized in a hierarchical form with product categories that descend into more specific things. DO NOT just throw all your roles at the root of the `manifests/` folder. Oh, and please use sub-folders for related roles.
+
+### The Product folders
+
+`/manifests//`
+
+ * This directory should contain roles that manage nodes running specific product line functions.
+ * For example, `/manifests/fastb/web_be.pp` is `FastB product Web Back-end`.
diff --git a/site/role/manifests/fastb/monitor_svr.pp b/site/role/manifests/fastb/monitor_svr.pp
new file mode 100644
index 000000000..2ba3d06a3
--- /dev/null
+++ b/site/role/manifests/fastb/monitor_svr.pp
@@ -0,0 +1,8 @@
+# This is an example of a product called
+# "Fast B"
+# This is a monitoring server for that product.
+class role::fastb::monitor_svr {
+ include profile::os::base
+ include profile::app::icinga
+ # include profile::app::fastb
+}
diff --git a/site/role/manifests/fastb/web_be.pp b/site/role/manifests/fastb/web_be.pp
new file mode 100644
index 000000000..84cfa11be
--- /dev/null
+++ b/site/role/manifests/fastb/web_be.pp
@@ -0,0 +1,8 @@
+# This is an example of a product called
+# "Fast B"
+# This is a web backend for that product.
+class role::fastb::web_be {
+ include profile::os::base
+ # include profile::app::tomcat::webserver
+ # include profile::app::fastb
+}
diff --git a/site/role/manifests/spider/web_be.pp b/site/role/manifests/spider/web_be.pp
new file mode 100644
index 000000000..29e8684e2
--- /dev/null
+++ b/site/role/manifests/spider/web_be.pp
@@ -0,0 +1,8 @@
+# This is an example of a product called
+# "Fast B"
+# This is a web backend for that product.
+class role::spider::web_be {
+ include profile::os::base
+ include profile::app::iis::default_app_pool
+ # include profile::app::spider
+}
diff --git a/spec/acceptance/nodesets/onceover-nodes.yml b/spec/acceptance/nodesets/onceover-nodes.yml
new file mode 100644
index 000000000..707300694
--- /dev/null
+++ b/spec/acceptance/nodesets/onceover-nodes.yml
@@ -0,0 +1,41 @@
+HOSTS:
+ centos6a:
+ roles:
+ - agent
+ type: aio
+ platform: el-6-64
+ box: puppetlabs/centos-6.6-64-puppet
+ box_url: https://app.vagrantup.com/puppetlabs/boxes/centos-6.6-64-puppet
+ hypervisor: vagrant_virtualbox
+ CentOS-7.0-64:
+ roles:
+ - agent
+ type: aio
+ platform: el-7-64
+ box: puppetlabs/centos-7.2-64-puppet
+ box_url: https://app.vagrantup.com/puppetlabs/boxes/centos-7.2-64-puppet
+ hypervisor: vagrant_virtualbox
+ centos7b:
+ roles:
+ - agent
+ type: aio
+ platform: el-7-64
+ box: puppetlabs/centos-7.2-64-puppet
+ box_url: https://app.vagrantup.com/puppetlabs/boxes/centos-7.2-64-puppet
+ hypervisor: vagrant_virtualbox
+ ubuntu1404:
+ roles:
+ - agent
+ type: aio
+ platform: ubuntu-14.04-64
+ box: puppetlabs/ubuntu-14.04-64-puppet
+ box_url: https://app.vagrantup.com/puppetlabs/boxes/ubuntu-14.04-64-puppet
+ hypervisor: vagrant_virtualbox
+ debian82:
+ roles:
+ - agent
+ type: aio
+ platform: debian-8.2-64
+ box: puppetlabs/debian-8.2-64-puppet
+ box_url: https://app.vagrantup.com/puppetlabs/boxes/debian-8.2-64-puppet
+ hypervisor: vagrant_virtualbox
diff --git a/spec/default_facts.yml b/spec/default_facts.yml
new file mode 100644
index 000000000..ea1e4808e
--- /dev/null
+++ b/spec/default_facts.yml
@@ -0,0 +1,7 @@
+# Use default_module_facts.yml for module specific facts.
+#
+# Facts specified here will override the values provided by rspec-puppet-facts.
+---
+ipaddress: "172.16.254.254"
+is_pe: false
+macaddress: "AA:AA:AA:AA:AA:AA"
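Review bot: The header comment of `role::spider::web_be` still names the product as "Fast B", carried over from the fastb role; it should name Spider, e.g. `# This is an example of a product called "Spider"`. The role also includes `profile::app::iis::default_app_pool`, which is not added anywhere in the visible part of this patch, so whether that class exists cannot be confirmed from here.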
diff --git a/spec/factsets/README.md b/spec/factsets/README.md
new file mode 100644
index 000000000..dd72566c9
--- /dev/null
+++ b/spec/factsets/README.md
@@ -0,0 +1,7 @@
+# Factsets
+
+This directory is where we put any custom factsets that we want to use. They can be generated by running `puppet facts` on the target system.
+
+**Hot tip:** If you already have factsets in here when you run `onceover init` they will be picked up and added to the config file Automatically
+
+More info: https://github.com/dylanratcliffe/onceover#factsets
diff --git a/spec/factsets/Windows_Server-2012r2-64.json b/spec/factsets/Windows_Server-2012r2-64.json
new file mode 100644
index 000000000..63ed8d804
--- /dev/null
+++ b/spec/factsets/Windows_Server-2012r2-64.json
@@ -0,0 +1,164 @@ +{ + "name": "win-e5k8tm30719", + "values": { + "agent_specified_environment": "production", + "architecture": "x64", + "dhcp_servers": { + "Ethernet": "10.0.2.2", + "system": "10.0.2.2" + }, + "dmi": { + "manufacturer": "innotek GmbH", + "product": { + "name": "VirtualBox", + "serial_number": "0" + } + }, + "env_windows_installdir": "C:\\Program Files\\Puppet Labs\\Puppet", + "facterversion": "3.1.1", + "fqdn": "WIN-E5K8TM30719", + "hardwareisa": "x64", + "hardwaremodel": "x86_64", + "hostname": "WIN-E5K8TM30719", + "id": "WIN-E5K8TM30719\\vagrant", + "identity": { + "user": "WIN-E5K8TM30719\\vagrant" + }, + "interfaces": "Ethernet", + "ipaddress": "10.0.2.15", + "ipaddress6": "fe80::a180:36e0:3a6e:1005%12", + "ipaddress6_Ethernet": "fe80::a180:36e0:3a6e:1005%12", + "ipaddress_Ethernet": "10.0.2.15", + "is_virtual": true, + "kernel": "windows", + "kernelmajversion": "6.3", + "kernelrelease": "6.3.9600", + "kernelversion": "6.3.9600", + "macaddress": "08:00:27:81:38:FA", + "macaddress_Ethernet": "08:00:27:81:38:FA", + "manufacturer": "innotek GmbH", + "memory": { + "system": { + "available": "1.42 GiB", + "available_bytes": 1521610752, + "capacity": "29.13%", + "total": "2.00 GiB", + "total_bytes": 2147012608, + "used": "596.43 MiB", + "used_bytes": 625401856 + } + }, + "memoryfree": "1.42 GiB", + "memoryfree_mb": 1451.12109375, + "memorysize": "2.00 GiB", + "memorysize_mb": 2047.55078125, + "mtu_Ethernet": 1500, + "netmask": "255.255.255.0", + "netmask6": "ffff:ffff:ffff:ffff::", + "netmask6_Ethernet": "ffff:ffff:ffff:ffff::", + "netmask_Ethernet": "255.255.255.0", + "network": "10.0.2.0", + "network6": "fe80::%12", + "network6_Ethernet": "fe80::%12", + "network_Ethernet": "10.0.2.0", + "networking": { + "dhcp": "10.0.2.2", + "fqdn": "WIN-E5K8TM30719", + "hostname": "WIN-E5K8TM30719", + "interfaces": { + "Ethernet": { + "bindings": [ + { + "address": "10.0.2.15", + "netmask": "255.255.255.0", + "network": "10.0.2.0" + } + ], + "bindings6": [ + { 
+ "address": "fe80::a180:36e0:3a6e:1005%12", + "netmask": "ffff:ffff:ffff:ffff::", + "network": "fe80::%12" + } + ], + "dhcp": "10.0.2.2", + "ip": "10.0.2.15", + "ip6": "fe80::a180:36e0:3a6e:1005%12", + "mac": "08:00:27:81:38:FA", + "mtu": 1500, + "netmask": "255.255.255.0", + "netmask6": "ffff:ffff:ffff:ffff::", + "network": "10.0.2.0", + "network6": "fe80::%12" + } + }, + "ip": "10.0.2.15", + "ip6": "fe80::a180:36e0:3a6e:1005%12", + "mac": "08:00:27:81:38:FA", + "mtu": 1500, + "netmask": "255.255.255.0", + "netmask6": "ffff:ffff:ffff:ffff::", + "network": "10.0.2.0", + "network6": "fe80::%12", + "primary": "Ethernet" + }, + "operatingsystem": "windows", + "operatingsystemmajrelease": "2012 R2", + "operatingsystemrelease": "2012 R2", + "os": { + "architecture": "x64", + "family": "windows", + "hardware": "x86_64", + "name": "windows", + "release": { + "full": "2012 R2", + "major": "2012 R2" + }, + "windows": { + "system32": "C:\\Windows\\system32" + } + }, + "osfamily": "windows", + "path": "C:/Program Files/Puppet Labs/Puppet/facter/bin;C:\\Program Files\\Puppet Labs\\Puppet\\puppet\\bin;C:\\Program Files\\Puppet Labs\\Puppet\\facter\\bin;C:\\Program Files\\Puppet Labs\\Puppet\\hiera\\bin;C:\\Program Files\\Puppet Labs\\Puppet\\mcollective\\bin;C:\\Program Files\\Puppet Labs\\Puppet\\bin;C:\\Program Files\\Puppet Labs\\Puppet\\sys\\ruby\\bin;C:\\Program Files\\Puppet Labs\\Puppet\\sys\\tools\\bin;C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files (x86)\\Git\\cmd;C:\\Program Files (x86)\\Git\\bin;C:\\Program Files\\Puppet Labs\\Puppet\\bin", + "physicalprocessorcount": 1, + "processor0": "Intel(R) Core(TM) i7-4850HQ CPU @ 2.30GHz", + "processorcount": 1, + "processors": { + "count": 1, + "isa": "x64", + "models": [ + "Intel(R) Core(TM) i7-4850HQ CPU @ 2.30GHz" + ], + "physicalcount": 1 + }, + "productname": "VirtualBox", + "puppetversion": "4.2.3", + "ruby": { + "platform": 
"x64-mingw32", + "sitedir": "C:/Program Files/Puppet Labs/Puppet/sys/ruby/lib/ruby/site_ruby/2.1.0", + "version": "2.1.7" + }, + "rubyplatform": "x64-mingw32", + "rubysitedir": "C:/Program Files/Puppet Labs/Puppet/sys/ruby/lib/ruby/site_ruby/2.1.0", + "rubyversion": "2.1.7", + "serialnumber": "0", + "system32": "C:\\Windows\\system32", + "system_uptime": { + "days": 0, + "hours": 0, + "seconds": 287, + "uptime": "0:04 hours" + }, + "timezone": "Coordinated Universal Time", + "uptime": "0:04 hours", + "uptime_days": 0, + "uptime_hours": 0, + "uptime_seconds": 287, + "virtual": "virtualbox", + "clientcert": "win-e5k8tm30719", + "clientversion": "4.2.3", + "clientnoop": false + }, + "timestamp": "2015-11-19T01:47:05.215450000+00:00", + "expiration": "2015-11-19T02:17:05.215450000+00:00" +} diff --git a/spec/factsets/osx-10.13-x86_64.json b/spec/factsets/osx-10.13-x86_64.json new file mode 100644 index 000000000..7a00e7941 --- /dev/null +++ b/spec/factsets/osx-10.13-x86_64.json 
@@ -0,0 +1,184 @@ +{ + "name": "something-c02nfmkgg3qh", + "values": { + "puppetversion": "6.0.4", + "agent_specified_environment": "production", + "puppet_inventory_metadata": { + "packages": { + "collection_enabled": false, + "last_collection_time": "0.0s" + } + }, + "platform_symlink_writable": true, + "pe_concat_basedir": "/Users/something/.puppetlabs/opt/puppet/cache/pe_concat", + "is_pe": false, + "puppet_files_dir_present": false, + "platform_tag": "osx-10.13-x86_64", + "aio_agent_build": "1.10.14", + "staging_http_get": "curl", + "aio_agent_version": "1.10.14", + "kernelversion": "17.7.0", + "uptime": "5:20 hours", + "kernelrelease": "17.7.0", + "uptime_seconds": 19255, + "path": "/usr/local/sbin:/Users/something/bin:/Library/Frameworks/Python.framework/Versions/2.7/bin:/usr/local/bin:/opt/local/bin:/opt/local/sbin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/MacGPG2/bin:/opt/puppetlabs/bin:/usr/local/munki:/opt/puppetlabs/pdk/bin:/Users/something/.rvm/bin:/usr/local/Cellar/ec2-api-tools/1.7.1.0/bin", + "kernel": "Darwin", + "hostname": "something", + "productname": "MacBookPro11,1", + "operatingsystem": "Darwin", + "processors": { + "count": 4, + "speed": "2.6 GHz" + }, + "uptime_days": 0, + "kernelmajversion": "17.7", + "timezone": "CST", + "ps": "ps auxwww", + "virtual": "physical", + "is_virtual": false, + "architecture": "x86_64", + "hardwaremodel": "x86_64", + "os": { + "name": "Darwin", + "family": "Darwin", + "release": { + "major": "17", + "minor": "7", + "full": "17.7.0" + } + }, + "network_lo0": "127.0.0.0", + "network_en0": "192.168.1.0", + "network_vboxnet0": "10.20.1.0", + "rubysitedir": "/Library/Ruby/Site/2.3.0", + "sp_smc_version_system": "2.16f68", + "sp_boot_rom_version": "149.0.0.0.0", + "sp_cpu_type": "Intel Core i5", + "sp_current_processor_speed": "2.6 GHz", + "sp_l2_cache_core": "256 KB", + "sp_l3_cache": "3 MB", + "sp_machine_model": "MacBookPro11,1", + "sp_machine_name": "MacBook Pro", + "sp_number_processors": 2, + 
"sp_packages": 1, + "sp_physical_memory": "8 GB", + "sp_platform_uuid": "83B229EC-0FF7-589A-8239-C087E9DCE28C", + "sp_serial_number": "C02NFMKGG3QH", + "sp_boot_mode": "normal_boot", + "sp_boot_volume": "Macintosh HD", + "sp_kernel_version": "Darwin 17.7.0", + "sp_local_host_name": "Troys Macbook Pro (2)", + "sp_os_version": "macOS 10.13.6 (17G3025)", + "sp_secure_vm": "secure_vm_enabled", + "sp_system_integrity": "integrity_enabled", + "sp_uptime": "up 0:5:21:24", + "sp_user_name": "Troy E Klein (something)", + "macosx_productname": "Mac OS X", + "macosx_productversion": "10.13.6", + "macosx_buildversion": "17G3025", + "macosx_productversion_major": "10.13", + "macosx_productversion_minor": "6", + "operatingsystemmajrelease": "17", + "gid": "staff", + "hardwareisa": "i386", + "rubyversion": "2.3.7", + "processorcount": 4, + "system_uptime": { + "seconds": 19255, + "hours": 5, + "days": 0, + "uptime": "5:20 hours" + }, + "macaddress": "6c:40:08:8b:27:76", + "osfamily": "Darwin", + "id": "something", + "uptime_hours": 5, + "facterversion": "2.5.1", + "memorysize": "8.00 GB", + "memoryfree": "96.96 MB", + "swapsize": "1024.00 MB", + "swapfree": "980.00 MB", + "swapsize_mb": "1024.00", + "swapfree_mb": "980.00", + "memorysize_mb": "8192.00", + "memoryfree_mb": "96.96", + "swapencrypted": true, + "netmask": "255.255.255.0", + "domain": "something-C02NFMKGG3QH", + "interfaces": "lo0,gif0,stf0,XHC20,en1,en2,en0,p2p0,awdl0,bridge0,utun0,vboxnet0,vboxnet1,vboxnet10,vboxnet11,vboxnet12,vboxnet13,vboxnet14,vboxnet15,vboxnet16,vboxnet17,vboxnet18,vboxnet19,vboxnet2,vboxnet20,vboxnet3,vboxnet4,vboxnet5,vboxnet6,vboxnet7,vboxnet8,vboxnet9", + "ipaddress_lo0": "127.0.0.1", + "netmask_lo0": "255.0.0.0", + "mtu_lo0": 16384, + "mtu_gif0": 1280, + "mtu_stf0": 1280, + "mtu_xhc20": 0, + "macaddress_en1": "72:00:06:01:a0:10", + "mtu_en1": 1500, + "macaddress_en2": "72:00:06:01:a0:11", + "mtu_en2": 1500, + "ipaddress_en0": "192.168.1.31", + "macaddress_en0": "6c:40:08:8b:27:76", + 
"netmask_en0": "255.255.255.0", + "mtu_en0": 1500, + "macaddress_p2p0": "0e:40:08:8b:27:76", + "mtu_p2p0": 2304, + "macaddress_awdl0": "f6:a3:5b:2a:e2:8a", + "mtu_awdl0": 1484, + "macaddress_bridge0": "72:00:06:01:a0:10", + "mtu_bridge0": 1500, + "mtu_utun0": 2000, + "ipaddress_vboxnet0": "10.20.1.1", + "macaddress_vboxnet0": "0a:00:27:00:00:00", + "netmask_vboxnet0": "255.255.255.0", + "mtu_vboxnet0": 1500, + "macaddress_vboxnet1": "0a:00:27:00:00:01", + "mtu_vboxnet1": 1500, + "macaddress_vboxnet10": "0a:00:27:00:00:0a", + "mtu_vboxnet10": 1500, + "macaddress_vboxnet11": "0a:00:27:00:00:0b", + "mtu_vboxnet11": 1500, + "macaddress_vboxnet12": "0a:00:27:00:00:0c", + "mtu_vboxnet12": 1500, + "macaddress_vboxnet13": "0a:00:27:00:00:0d", + "mtu_vboxnet13": 1500, + "macaddress_vboxnet14": "0a:00:27:00:00:0e", + "mtu_vboxnet14": 1500, + "macaddress_vboxnet15": "0a:00:27:00:00:0f", + "mtu_vboxnet15": 1500, + "macaddress_vboxnet16": "0a:00:27:00:00:10", + "mtu_vboxnet16": 1500, + "macaddress_vboxnet17": "0a:00:27:00:00:11", + "mtu_vboxnet17": 1500, + "macaddress_vboxnet18": "0a:00:27:00:00:12", + "mtu_vboxnet18": 1500, + "macaddress_vboxnet19": "0a:00:27:00:00:13", + "mtu_vboxnet19": 1500, + "macaddress_vboxnet2": "0a:00:27:00:00:02", + "mtu_vboxnet2": 1500, + "macaddress_vboxnet20": "0a:00:27:00:00:14", + "mtu_vboxnet20": 1500, + "macaddress_vboxnet3": "0a:00:27:00:00:03", + "mtu_vboxnet3": 1500, + "macaddress_vboxnet4": "0a:00:27:00:00:04", + "mtu_vboxnet4": 1500, + "macaddress_vboxnet5": "0a:00:27:00:00:05", + "mtu_vboxnet5": 1500, + "macaddress_vboxnet6": "0a:00:27:00:00:06", + "mtu_vboxnet6": 1500, + "macaddress_vboxnet7": "0a:00:27:00:00:07", + "mtu_vboxnet7": 1500, + "macaddress_vboxnet8": "0a:00:27:00:00:08", + "mtu_vboxnet8": 1500, + "macaddress_vboxnet9": "0a:00:27:00:00:09", + "mtu_vboxnet9": 1500, + "fqdn": "something-C02NFMKGG3QH", + "operatingsystemrelease": "17.7.0", + "ipaddress": "192.168.1.31", + "rubyplatform": "universal.x86_64-darwin17", + 
"clientcert": "something-c02nfmkgg3qh", + "clientversion": "6.0.4", + "clientnoop": false + }, + "timestamp": "2018-12-03T14:16:56.056860000-06:00", + "expiration": "2018-12-03T14:46:56.057472000-06:00" +} diff --git a/spec/hiera.yaml b/spec/hiera.yaml new file mode 100644 index 000000000..82c645b33 --- /dev/null +++ b/spec/hiera.yaml @@ -0,0 +1,25 @@ +--- +version: 5 +defaults: # Used for any hierarchy level that omits these keys. + datadir: ../data # This path is relative to hiera.yaml's directory. + data_hash: yaml_data # Use the built-in YAML backend. + +hierarchy: + - name: "Per-node data" # Human-readable name. + path: "nodes/%{trusted.certname}.yaml" # File path, relative to datadir. + # ^^^ IMPORTANT: include the file extension! + - name: "Per-datacenter business role data" # Uses trusted data extentions. + path: "datacenter/%{facts.datacenter}/%{trusted.extentions.pp_role}.yaml" + + - name: "Role business data" + path: "role/%{trusted.extentions.pp_role}.yaml" + + - name: "Per-OS defaults" + path: "os/%{facts.os.family}.yaml" + + - name: "Virtual defaults" # Used to configure PE master from within virtual + path: "virtual/%{facts.virtual}.yaml" # like virtualbox or testing platform + + - name: "Common data" + path: "common.yaml" + diff --git a/spec/onceover.yaml b/spec/onceover.yaml new file mode 100644 index 000000000..3727b1f27 --- /dev/null +++ b/spec/onceover.yaml 
@@ -0,0 +1,58 @@
+# Classes to be tested
+# test all roles in repo
+classes:
+ - '/role::/'
+ - profile::os::base
+
+# Nodes to tests classes on, this refers to a 'factset' or 'nodeset'
+# depending on weather you are running 'spec' or 'acceptance' tests
+nodes:
+ - CentOS-7.0-64
+ - CentOS-6.6-64
+ - Windows_Server-2012r2-64
+ - solaris-11.2-sparc-64
+
+# You can group classes here to save typing
+class_groups:
+ base:
+ - 'profile::os::base'
+ windows:
+ - '/role::spider/'
+ - 'profile::os::base'
+ linux:
+ - '/role::fastb/'
+ - profile::os::base
+ solaris:
+ - '/role::fastb::web/'
+# You can group nodes here to save typing
+# We have created a 'non_windows_nodes' group because we can't
+# give you Windows vagrant boxes to test with because licensing,
+# we can give you fact sets though so go crazy with spec testing!
+node_groups:
+ windows_nodes:
+ - Windows_Server-2012r2-64
+ linux_nodes:
+ - CentOS-7.0-64
+ - CentOS-6.6-64
+ solaris_nodes:
+ - solaris-11.2-sparc-64
+ non_windows_nodes:
+ include: 'linux_nodes'
+ include: 'solaris_nodes'
+ exclude: 'windows_nodes'
+
+test_matrix:
+ - linux_nodes:
+ classes: 'linux'
+ tests: 'spec'
+ - windows_nodes:
+ classes: 'windows'
+ tests: 'spec'
+ - solaris_nodes:
+ classes: 'solaris'
+ tests: 'spec'
+ - non_windows_nodes:
+ classes:
+ - 'linux'
+ - 'solaris'
+ tests: 'acceptance'
diff --git a/spec/pre_conditions/README.md b/spec/pre_conditions/README.md
new file mode 100644
index 000000000..f0a81bf9c
--- /dev/null
+++ b/spec/pre_conditions/README.md
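Review bot: `non_windows_nodes` under `node_groups` repeats the `include:` key, and a YAML mapping cannot hold the same key twice; most parsers keep the last one, so `linux_nodes` is silently dropped and the acceptance row of `test_matrix` would run against the Solaris node only. Defining the group by exclusion avoids the duplicate: `include: 'all_nodes'` followed by the existing `exclude: 'windows_nodes'`. The `nodes:` list also names `CentOS-6.6-64`, while the nodeset file added in this patch defines `centos6a`, so the acceptance run may not find that node.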
@@ -0,0 +1,24 @@
+# Pre Conditions
+
+This folder should contain any \*.pp files that you want to be included in every test.
+
+A common use of this is defining resources that may not exist in the catalog when you are running tests. For example, if we are using a resource that tries to restart the `pe-puppetserver` service, unless it is compiled on a Puppet Maser the `pe-puppetserver` service will not exist and the catalog will fail to compile. To get around this we can create a .pp file and define the resource like so:
+
+``` puppet
+# We are not going to actually have this service anywhere on our servers but
+# our code needs to refresh it. This is to trick puppet into doing nothing
+service { 'pe-puppetserver':
+ ensure => 'running',
+ enable => false,
+ hasrestart => false, # Force Puppet to use start and stop to restart
+ start => 'echo "Start"', # This will always exit 0
+ stop => 'echo "Stop"', # This will also always exit 0
+ hasstatus => false, # Force puppet to use our command for status
+ status => 'echo "Status"', # This will always exit 0 and therefore Puppet will think the service is running
+ provider => 'base',
+}
+```
+
+This will mean that the `pe-puppetserver` service is in the catalog for spec testing and will even allow you to try to restart it during acceptance tests without the service actually being present.
+
+More info: https://github.com/dylanratcliffe/onceover#using-workarounds
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
new file mode 100644
index 000000000..35654b3d2
--- /dev/null
+++ b/spec/spec_helper.rb
@@ -0,0 +1,44 @@ +require 'puppetlabs_spec_helper/module_spec_helper' +require 'rspec-puppet-facts' + +require 'spec_helper_local' if File.file?(File.join(File.dirname(__FILE__), 'spec_helper_local.rb')) + +include RspecPuppetFacts + +default_facts = { + puppetversion: Puppet.version, + facterversion: Facter.version, +} + +default_fact_files = [ + File.expand_path(File.join(File.dirname(__FILE__), 'default_facts.yml')), + File.expand_path(File.join(File.dirname(__FILE__), 'default_module_facts.yml')), +] + +default_fact_files.each do |f| + next unless File.exist?(f) && File.readable?(f) && File.size?(f) + + begin + default_facts.merge!(YAML.safe_load(File.read(f))) + rescue => e + RSpec.configuration.reporter.message "WARNING: Unable to load #{f}: #{e}" + end +end + +RSpec.configure do |c| + c.default_facts = default_facts + c.before :each do + # set to strictest setting for testing + # by default Puppet runs at warning level + Puppet.settings[:strict] = :warning + end +end + +def ensure_module_defined(module_name) + module_name.split('::').reduce(Object) do |last_module, next_module| + last_module.const_set(next_module, Module.new) unless last_module.const_defined?(next_module, false) + last_module.const_get(next_module, false) + end +end + +# 'spec_overrides' from sync.yml will appear below this line From f0629b1a072c6dd7affa9a26df4f4d438381e1fd Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 9 Jan 2019 05:57:23 -0600 Subject: [PATCH 004/134] clean up of some of the supporting tooling in the repo --- .gitlab-ci.yml | 10 +--------- scripts/config_version.sh | 7 +++++-- spec/onceover.yaml | 5 ++--- 3 files changed, 8 insertions(+), 14 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 391651649..4fae77578 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -10,8 +10,8 @@ cache: before_script: - bundle -v - rm Gemfile.lock || true - - gem update --system - gem --version + - gem update --system - bundle -v - bundle install --without system_tests --path vendor/bundle --jobs $(nproc) @@ -31,11 +31,3 @@ parallel_onceover-Ruby 2.4.4-Puppet ~> 5.5: variables: PUPPET_GEM_VERSION: '~> 5.5' -parallel_onceover-Ruby 2.1.9-Puppet ~> 4.0: - stage: unit - image: ruby:2.1.9 - script: - - bundle exec onceover run spec - variables: - PUPPET_GEM_VERSION: '~> 4.0' - diff --git a/scripts/config_version.sh b/scripts/config_version.sh index bc7721354..07b3a0715 100755 --- a/scripts/config_version.sh +++ b/scripts/config_version.sh @@ -1,10 +1,13 @@ #!/bin/bash +master_name=$(facter hostname) if [ -e $1/$2/.r10k-deploy.json ] then - /opt/puppetlabs/puppet/bin/ruby $1/$2/scripts/code_manager_config_version.rb $1 $2 + hash=$(/opt/puppetlabs/puppet/bin/ruby $1/$2/scripts/code_manager_config_version.rb $1 $2) + echo "${master_name}_${hash}" elif [ -e /opt/puppetlabs/server/pe_version ] then - /opt/puppetlabs/puppet/bin/ruby $1/$2/scripts/config_version.rb $1 $2 + hash=$(/opt/puppetlabs/puppet/bin/ruby $1/$2/scripts/config_version.rb $1 $2) + echo "${master_name}_${hash}" else /usr/bin/git --version > /dev/null 2>&1 && /usr/bin/git --git-dir $1/$2/.git rev-parse HEAD || diff --git a/spec/onceover.yaml b/spec/onceover.yaml index 3727b1f27..793e1f8d1 100644 --- a/spec/onceover.yaml +++ b/spec/onceover.yaml @@ -20,10 +20,9 @@ class_groups: - '/role::spider/' - 'profile::os::base' linux: + - '/role::sup_svc/' - '/role::fastb/' - profile::os::base - solaris: - - '/role::fastb::web/' # You can group nodes here to save typing # We have created a 'non_windows_nodes' group because we can't # give you Windows vagrant boxes to test with because licensing, @@ -49,7 +48,7 @@ test_matrix: classes: 'windows' tests: 'spec' - solaris_nodes: - classes: 'solaris' + classes: 'base' tests: 'spec' - non_windows_nodes: classes: 
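Review bot: In scripts/config_version.sh the added `master_name=$(facter hostname)` resolves `facter` through PATH, while every other command in the script is called by absolute path, and the two new `hash=$(...)` lines still expand `$1` and `$2` unquoted. This script is run by the Puppet server, so I would pin the binary, `master_name=$(/opt/puppetlabs/puppet/bin/facter hostname)`, and quote the arguments, `hash=$(/opt/puppetlabs/puppet/bin/ruby "$1/$2/scripts/config_version.rb" "$1" "$2")`. If either command fails the script still prints the hostname prefix with an empty hash, so an `|| exit 1` after each substitution would keep a misleading config_version out of the reports. The final `else` branch continues past the end of the hunk.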
From f15ef889ee91d7d3b8bc6aa709d016ee5616d25f Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 9 Jan 2019 05:58:59 -0600 Subject: [PATCH 005/134] added example facts, profiles, and roles --- site/profile/lib/facter/app_tier_subnet.rb | 40 +++++++++------- site/profile/lib/facter/datacenter.rb | 1 + site/profile/manifests/app/fastb.pp | 46 +++++++++++++------ site/profile/manifests/os/archives.pp | 3 +- site/role/manifests/fastb/web_be.pp | 3 +- site/role/manifests/sup_svc/monitor/server.pp | 7 +++ 6 files changed, 66 insertions(+), 34 deletions(-) create mode 100644 site/role/manifests/sup_svc/monitor/server.pp diff --git a/site/profile/lib/facter/app_tier_subnet.rb b/site/profile/lib/facter/app_tier_subnet.rb index 4b8c47f8a..b8cff4d7d 100644 --- a/site/profile/lib/facter/app_tier_subnet.rb +++ b/site/profile/lib/facter/app_tier_subnet.rb 
@@ -2,25 +2,31 @@ require 'ipaddr' Facter.add(:app_tier_subnet) do setcode do - # Mapping of vlans to ipaddresses - # NOTE: To extend this fact, modify this hash - vlan_segments = { - 'prod' => IPAddr.new('10.10.10/22'), - 'dev' => IPAddr.new('11.11.11/22'), - 'uat' => IPAddr.new('12.12.12/22'), - 'cloud' => IPAddr.new('13.13.13/24'), - } - segment_name = nil + begin + # Set segment_name to nil + # If error occures the nil will be passed + segment_name = nil + # Mapping of vlans to ipaddresses + # NOTE: To extend this fact, modify this hash + vlan_segments = { + 'prod' => IPAddr.new('10.10.10/22'), + 'dev' => IPAddr.new('11.11.11/22'), + 'uat' => IPAddr.new('12.12.12/22'), + 'cloud' => IPAddr.new('13.13.13/24'), + } - # Iterate through all segments and find the one that matches - vlan_segments.each do |segment, address| - if address.include?(Facter.value(:ipaddress)) - segment_name = segment - break + # Iterate through all segments and find the one that matches + vlan_segments.each do |segment, address| + if address.include?(Facter.value(:ipaddress)) + segment_name = segment + break + end end - end - # Return the name of the segment that matches - segment_name + # Return the name of the segment that matches + segment_name + rescue + segment_name + end end end diff --git a/site/profile/lib/facter/datacenter.rb b/site/profile/lib/facter/datacenter.rb index 2c2d385f5..cad0d26da 100644 --- a/site/profile/lib/facter/datacenter.rb +++ b/site/profile/lib/facter/datacenter.rb @@ -4,6 +4,7 @@ 'lax' => ['lax', 'lax2', 'hq'], 'dc' => ['dc', 'dc2', 'dc3', 'foo'], 'london' => ['lon', 'uk', 'london', 'bar'], + 'none' => ['localhost', 'local'], } # Assume that all hostnames look like this: diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp index 0941c53dd..4b0c56483 100644 --- a/site/profile/manifests/app/fastb.pp +++ b/site/profile/manifests/app/fastb.pp 
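Review bot: The bare `rescue` added at the end of the `setcode` block in app_tier_subnet.rb returns `segment_name` without recording what failed, so a malformed entry in `vlan_segments` or an unexpected value from `Facter.value(:ipaddress)` silently yields a nil fact. Anything that keys off this fact would then see it as absent with no trace in the agent output. I would capture the exception and log it before returning nil: `rescue StandardError => e`, then `Facter.debug("app_tier_subnet: #{e.message}")`, then `nil`. The comment above the first assignment could then read `# Default to nil so the fact is absent when no segment matches`.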
@@ -1,20 +1,38 @@ # This is a example profile to deploy fastb application software. class profile::app::fastb ( - Stdlib::Httpsurl $download_url = 'https://tomcat.apache.org/tomcat-8.0-doc/appdev/sample/sample.war', - String $sha1_sum = '80f5053b166c69d81697ba21113c673f8372aca0', - Stdlib::Absolutepath $app_path = '/opt/tomcat', + Stdlib::Httpsurl $download_url = 'https://tomcat.apache.org/tomcat-9.0-doc/appdev/sample/sample.war', + Stdlib::Absolutepath $app_path = '/opt/tomcat/fastb', ) { - require profile::os::archives - $temp_dir = $profile::os::archives::temp_dir + include profile::app::tomcat::webserver - archive { "${temp_dir}/fastb_app.war": - ensure => present, - extract => true, - extract_path => $app_path, - source => $download_url, - checksum => $sha1_sum, - checksum_type => 'sha1', - creates => "${app_path}/fastb_app.war", - cleanup => true, + tomcat::instance { 'tomcat8-fastb': + catalina_home => "${app_path}/..", + catalina_base => $app_path, } + + tomcat::war { "${app_path}/fastb_app.war": + catalina_base => $app_path, + war_source => $download_url, + } + + tomcat::instance { 'tomcat-second': + catalina_home => '/opt/tomcat', + catalina_base => '/opt/tomcat/second', + } + + # Change the default port of the second instance server and HTTP connector + tomcat::config::server { 'tomcat-second': + catalina_base => '/opt/tomcat/second', + port => '8006', + } + + tomcat::config::server::connector { 'tomcat-second-http': + catalina_base => '/opt/tomcat/second', + port => '8081', + protocol => 'HTTP/1.1', + additional_attributes => { + 'redirectPort' => '8443' + }, + } + } diff --git a/site/profile/manifests/os/archives.pp b/site/profile/manifests/os/archives.pp index 765f09f32..f82cb0c38 100644 --- a/site/profile/manifests/os/archives.pp +++ b/site/profile/manifests/os/archives.pp 
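Review bot: The WAR in fastb.pp is now fetched by `tomcat::war` from `$download_url` with no integrity check; the `archive` resource it replaces pinned the file with `checksum` and `checksum_type`, and the `$sha1_sum` parameter is dropped along with it. HTTPS authenticates the server but not the artifact, so a changed or replaced file at that URL would be deployed as-is. If the tomcat module version in use does not expose a checksum on `tomcat::war` (not visible from this hunk), I would keep an `archive` resource with `checksum_type => 'sha256'` to stage the file and point `war_source` at the staged copy. Removing `$sha1_sum` also narrows the class interface, so any resource-style declaration that still passes it will fail to compile.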
@@ -1,7 +1,7 @@ # This profile is to normalize archive for a site # it will set temp dir and install dir for the build class profile::os::archives ( - Optional[Stdlib::Absolutepath] $in_temp_path = undef + Optional[Stdlib::Absolutepath] $in_temp_path = undef, ) { include '::archive' @@ -20,4 +20,5 @@ } else { $temp_path = $in_temp_path } + } diff --git a/site/role/manifests/fastb/web_be.pp b/site/role/manifests/fastb/web_be.pp index 84cfa11be..48bef71b4 100644 --- a/site/role/manifests/fastb/web_be.pp +++ b/site/role/manifests/fastb/web_be.pp @@ -3,6 +3,5 @@ # This is a web backend for that product. class role::fastb::web_be { include profile::os::base - # include profile::app::tomcat::webserver - # include profile::app::fastb + include profile::app::fastb } diff --git a/site/role/manifests/sup_svc/monitor/server.pp b/site/role/manifests/sup_svc/monitor/server.pp new file mode 100644 index 000000000..545997031 --- /dev/null +++ b/site/role/manifests/sup_svc/monitor/server.pp @@ -0,0 +1,7 @@ +# This is an example of a product called +# "Fast B" +# This is a monitoring server for that product. +class role::sup_svc::monitor::server { + include profile::os::base + include profile::app::icinga +} From 919478d989f45633affd94223cf694125aa31a22 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 9 Jan 2019 06:45:37 -0600 Subject: [PATCH 006/134] starting travisci work --- .travis.yml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/.travis.yml b/.travis.yml index 6664271c2..823525299 100644 --- a/.travis.yml +++ b/.travis.yml @@ -9,6 +9,7 @@ before_install: - gem update --system - gem --version - bundle -v + - bundle install --path vendor/bundle --jobs $(nproc) script: - 'bundle exec rake $CHECK' bundler_args: --without system_tests @@ -36,12 +37,3 @@ branches: - /^v\d/ notifications: email: false -deploy: - provider: puppetforge - user: puppet - password: - secure: "" - on: - tags: true - all_branches: true - condition: "$DEPLOY_TO_FORGE = yes" 
From 2f10b840251c922a0b8d04fde26d0ce1261ffa90 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 9 Jan 2019 07:01:43 -0600 Subject: [PATCH 007/134] added more travis ci --- .travis.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.travis.yml b/.travis.yml index 823525299..cd1cea768 100644 --- a/.travis.yml +++ b/.travis.yml @@ -31,6 +31,11 @@ matrix: - env: PUPPET_GEM_VERSION="~> 4.0" CHECK=parallel_spec rvm: 2.1.9 + - + env: PUPPET_GEM_VERSION="~> 5.5" CHECK=parallel_onceover + script: + - bundle exec onceover run spec + rvm: 2.4.4 branches: only: - master From 06b7cfe15e093e82ee20ea2ad8c68f599a89b271 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 23 May 2019 13:06:30 -0500 Subject: [PATCH 008/134] example eyaml --- hieradata/common.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 57fc73757..d17f14cea 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -9,3 +9,5 @@ puppet_enterprise::master::code_manager::manage_private_key: false #https://docs.puppetlabs.com/pe/latest/console_config.html#tuning-the-classifier-synchronization-period #disable classifier scheduled sync and rely on r10k postrun command to sync the classes puppet_enterprise::profile::console::classifier_synchronization_period: 0 + +thisis::a::string::key::example: ENC[PKCS7,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] \ No newline at end of file From 4416577be90f2b22f09ac64bd5cc5ba82d41d755 Mon Sep 17 00:00:00 2001 
From: Troy Klein Date: Thu, 30 May 2019 12:58:29 -0500 Subject: [PATCH 009/134] cleanup old hieradata dir --- hieradata/common.yaml | 13 ---------- hieradata/nodes/example-puppet-master.yaml | 8 ------ hieradata/virtual/virtualbox.yaml | 29 ---------------------- site/profile/manifests/app/fastb.pp | 2 +- 4 files changed, 1 insertion(+), 51 deletions(-) delete mode 100644 hieradata/common.yaml delete mode 100644 hieradata/nodes/example-puppet-master.yaml delete mode 100644 hieradata/virtual/virtualbox.yaml diff --git a/hieradata/common.yaml b/hieradata/common.yaml deleted file mode 100644 index d17f14cea..000000000 --- a/hieradata/common.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -message: "This node is using common data" - -#Enable code manager -puppet_enterprise::profile::master::code_manager_auto_configure: true -puppet_enterprise::master::code_manager::authenticate_webhook: false -puppet_enterprise::master::code_manager::manage_private_key: false -#pe-console-services tuning -#https://docs.puppetlabs.com/pe/latest/console_config.html#tuning-the-classifier-synchronization-period -#disable classifier scheduled sync and rely on r10k postrun command to sync the classes -puppet_enterprise::profile::console::classifier_synchronization_period: 0 - -thisis::a::string::key::example: ENC[PKCS7,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] \ No newline at end of file diff --git a/hieradata/nodes/example-puppet-master.yaml b/hieradata/nodes/example-puppet-master.yaml deleted file mode 100644 index 584faacb6..000000000 --- a/hieradata/nodes/example-puppet-master.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -git_management_system: 'gitlab' -gms_server_url: 'https://gitlab-server' -gms_api_token: 'BDkZfWWnk4LVTLHdAywd' - -#setup r10k to update classes in the console after code deploy -pe_r10k::postrun: - - '/usr/local/bin/update-classes.sh' diff --git a/hieradata/virtual/virtualbox.yaml b/hieradata/virtual/virtualbox.yaml deleted file mode 100644 index 236ff7b05..000000000 
--- a/hieradata/virtual/virtualbox.yaml +++ /dev/null @@ -1,29 +0,0 @@ -#These setting are intended for low memory testing VMs -#Not intended for general usage ---- -#PE3.7+ -#Allow access to the puppetdb performance dashboard from non-localhost -#This is insecure and also allows access to all API endpoints without verification -puppet_enterprise::profile::puppetdb::listen_address: '0.0.0.0' -puppet_enterprise::profile::amq::broker::heap_mb: '96' -puppet_enterprise::profile::master::java_args: - Xmx: '192m' - Xms: '128m' - 'XX:+UseG1GC': '' -puppet_enterprise::profile::puppetdb::java_args: - Xmx: '128m' - Xms: '96m' - 'XX:+UseG1GC': '' -puppet_enterprise::profile::console::java_args: - Xmx: '64m' - Xms: '64m' - 'XX:+UseG1GC': '' -puppet_enterprise::master::puppetserver::jruby_max_active_instances: 1 #PE3.7.2 only -puppet_enterprise::profile::console::delayed_job_workers: 1 -#shared_buffers takes affect during install but is not managed after -puppet_enterprise::profile::database::shared_buffers: '4MB' -#2015.3.2 and above -puppet_enterprise::profile::orchestrator::java_args: - Xmx: '64m' - Xms: '64m' - 'XX:+UseG1GC': '' diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp index 4b0c56483..8509d5aeb 100644 --- a/site/profile/manifests/app/fastb.pp +++ b/site/profile/manifests/app/fastb.pp @@ -28,7 +28,7 @@ tomcat::config::server::connector { 'tomcat-second-http': catalina_base => '/opt/tomcat/second', - port => '8081', + port => '8081',, protocol => 'HTTP/1.1', additional_attributes => { 'redirectPort' => '8443' From 7e8925fd51bb6a00440fe7c3f81738af4345a2ae Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 31 May 2019 01:59:55 +0000 Subject: [PATCH 010/134] fix bug --- hieradata/virtual/virtualbox.yaml | 29 ----------------------------- 1 file changed, 29 deletions(-) delete mode 100644 hieradata/virtual/virtualbox.yaml 
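Review bot: The changed line in the `tomcat::config::server::connector` resource of fastb.pp now reads `port => '8081',,`, and the doubled comma is a syntax error that will stop the manifest from parsing. It should stay `port => '8081',`. Running `puppet parser validate` on changed manifests in CI would catch this kind of slip before merge. The resource's closing braces fall outside this hunk.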
diff --git a/hieradata/virtual/virtualbox.yaml b/hieradata/virtual/virtualbox.yaml deleted file mode 100644 index 236ff7b05..000000000 --- a/hieradata/virtual/virtualbox.yaml +++ /dev/null @@ -1,29 +0,0 @@ -#These setting are intended for low memory testing VMs -#Not intended for general usage ---- -#PE3.7+ -#Allow access to the puppetdb performance dashboard from non-localhost -#This is insecure and also allows access to all API endpoints without verification -puppet_enterprise::profile::puppetdb::listen_address: '0.0.0.0' -puppet_enterprise::profile::amq::broker::heap_mb: '96' -puppet_enterprise::profile::master::java_args: - Xmx: '192m' - Xms: '128m' - 'XX:+UseG1GC': '' -puppet_enterprise::profile::puppetdb::java_args: - Xmx: '128m' - Xms: '96m' - 'XX:+UseG1GC': '' -puppet_enterprise::profile::console::java_args: - Xmx: '64m' - Xms: '64m' - 'XX:+UseG1GC': '' -puppet_enterprise::master::puppetserver::jruby_max_active_instances: 1 #PE3.7.2 only -puppet_enterprise::profile::console::delayed_job_workers: 1 -#shared_buffers takes affect during install but is not managed after -puppet_enterprise::profile::database::shared_buffers: '4MB' -#2015.3.2 and above -puppet_enterprise::profile::orchestrator::java_args: - Xmx: '64m' - Xms: '64m' - 'XX:+UseG1GC': '' From 13f339785bc37caef9e89221ffe2e4a30175ac78 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 12 Jun 2019 09:36:15 -0500 Subject: [PATCH 011/134] added simple sql server profile examples --- .gitignore | 1 + site/profile/manifests/app/sql/sap_server.pp | 7 ++ site/profile/manifests/app/sql/server.pp | 76 ++++++++++++++++++++ 3 files changed, 84 insertions(+) create mode 100644 site/profile/manifests/app/sql/sap_server.pp create mode 100644 site/profile/manifests/app/sql/server.pp diff --git a/.gitignore b/.gitignore index 72342857d..80399064f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,5 @@ .git/ +.vscode .*.sw[op] .metadata .onceover 
diff --git a/site/profile/manifests/app/sql/sap_server.pp b/site/profile/manifests/app/sql/sap_server.pp
new file mode 100644
index 000000000..f3e85245c
--- /dev/null
+++ b/site/profile/manifests/app/sql/sap_server.pp
@@ -0,0 +1,7 @@
+# This is the profile to use for SAP database servers
+class profile::app::sql::sap_server {
+ class { 'profile::app::sql::common':
+ use_sql_as_security_mode => true,
+ sql_collation => 'SQL_Latin1_General_CP850_BIN2',
+ }
+}
diff --git a/site/profile/manifests/app/sql/server.pp b/site/profile/manifests/app/sql/server.pp
new file mode 100644
index 000000000..c1af891a7
--- /dev/null
+++ b/site/profile/manifests/app/sql/server.pp
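Review bot: sap_server.pp declares `profile::app::sql::common`, but this commit adds no class of that name; the class it adds alongside is `profile::app::sql::server`, whose parameters `use_sql_as_security_mode` and `sql_collation` match the ones passed here. Unless `common` exists elsewhere in the repository, the catalog will fail to compile for any node that includes this profile, and the declaration should probably read `class { 'profile::app::sql::server':`. Note that `sa_password` has no default in that class, so with this resource-style declaration it has to be supplied by Hiera lookup, which matters here because `use_sql_as_security_mode => true` is the branch that actually sets the `sa` password.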
@@ -0,0 +1,76 @@
+# Class: profile::app::sql::server
+#
+#
+class profile::app::sql::server (
+# Commented out due to mount not working
+# Stdlib::Absolutepath $sql_iso_to_mount,
+ String[1] $sa_password,
+ Stdlib::Absolutepath $temp_db_location = 'D:\\TempDB',
+ Stdlib::Absolutepath $sql_source = 'K:\\',
+ String[1] $sql_version_fact = 'SQL_2017',
+ Boolean $use_sql_as_security_mode = false,
+ Array $sql_feature_array = [ 'Conn', 'BC', 'SDK' ],
+ Enum['SQL_Latin1_General_CP1_CI_AS', 'SQL_Latin1_General_CP850_BIN2'] $sql_collation = 'SQL_Latin1_General_CP1_CI_AS',
+) {
+ # resources
+ file { $temp_db_location:
+ ensure => directory,
+ }
+
+# if $facts['sqlserver_instances'][$sql_version_fact].empty and $facts['sqlserver_features'][$sql_version_fact] != $sql_feature_array {
+# class {'profile::tools::map_install_storage':
+# iso_to_mount => $sql_iso_to_mount,
+# before => [ Sqlserver_instance['MSSQLSERVER'],Sqlserver_features['Generic Features'] ],
+# }
+# }
+
+ if $use_sql_as_security_mode {
+ sqlserver_instance { 'MSSQLSERVER':
+ source => $sql_source,
+ features => ['SQLEngine','FullText'],
+ security_mode => 'SQL',
+ sa_pwd => $sa_password,
+ sql_svc_account => 'SYSTEM',
+ install_switches => {
+ 'SQLTEMPDBDIR' => $temp_db_location,
+ 'SQLCOLLATION' => $sql_collation,
+ },
+ agt_svc_account => 'SYSTEM',
+ sql_sysadmin_accounts => 'BUILTIN\Administrators',
+ require => File[$temp_db_location],
+ }
+ } else {
+ sqlserver_instance { 'MSSQLSERVER':
+ source => $sql_source,
+ features => ['SQLEngine','FullText'],
+ sql_svc_account => 'SYSTEM',
+ install_switches => {
+ 'SQLTEMPDBDIR' => $temp_db_location,
+ 'SQLCOLLATION' => $sql_collation,
+ },
+ agt_svc_account => 'SYSTEM',
+ sql_sysadmin_accounts => 'BUILTIN\Administrators',
+ require => File[$temp_db_location],
+ }
+ }
+
+ sqlserver_features { 'Generic Features':
+ source => $sql_source,
+ features => $sql_feature_array,
+ require => Sqlserver_instance['MSSQLSERVER'],
+ }
+
+# Resource to connect to the DB
instance
+sqlserver::config { 'MSSQLSERVER':
+ admin_login_type => 'WINDOWS_LOGIN'
+}
+
+sqlserver::login {'sa':
+ instance => 'MSSQLSERVER',
+ disabled => true,
+ }
+
+ reboot { 'reboot after sql installation change':
+ subscribe => [Sqlserver_instance['MSSQLSERVER'],Sqlserver_features['Generic Features']],
+ }
+}
From 84f68e12ae1c4348f644037de53a00d174490480 Mon Sep 17 00:00:00 2001
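Review bot: `$sa_password` in server.pp is declared as a plain `String[1]` and handed straight to `sa_pwd`, so the SQL Server `sa` password is carried as ordinary text in the compiled catalog and can surface in reports and debug logs. I would type the parameter as `Sensitive[String[1]] $sa_password,` and supply the value from encrypted Hiera data; if the sqlserver module version in use does not accept a Sensitive value for `sa_pwd` (not visible here), unwrap it only at that attribute with `sa_pwd => $sa_password.unwrap,`. A short comment on the parameter, such as `# sa password; only used when use_sql_as_security_mode is true`, would also help, since the value is required even on the branch that never uses it.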
From: Troy Klein Date: Mon, 24 Jun 2019 17:30:13 -0500 Subject: [PATCH 012/134] restructure of files and Added more README.md file content to reflect what the concepts of Roles and Profile Examples are. --- .gitignore | 1 + README-control_repo.md | 4 +- README.md | 71 ++++++++----------- site/README.md | 19 ++--- site/profile/README.md | 27 +++++-- .../functions/bool2num_hash_recursive.pp | 45 ++++++++++++ site/profile/manifests/app/README.md | 10 +++ site/profile/manifests/app/fastb.pp | 4 +- site/profile/manifests/app/icinga.pp | 11 --- site/profile/manifests/app/icinga/server.pp | 13 ++++ site/profile/manifests/app/puppet/compiler.pp | 47 ++++++++++++ .../app/puppet/non_pe_infra_agent.pp[D | 13 ++++ site/profile/manifests/base.pp | 5 -- site/profile/manifests/example.pp | 3 - site/profile/manifests/os/README.md | 19 +++++ .../manifests/os/{base.pp => baseline.pp} | 11 +-- .../manifests/os/{ => baseline}/archives.pp | 2 +- .../os/{ => baseline}/dns_resolver.pp | 4 +- site/profile/manifests/puppetmaster.pp | 17 ----- site/role/README.md | 7 +- site/role/manifests/all_in_one_pe.pp | 7 -- site/role/manifests/database_server.pp | 7 -- site/role/manifests/example.pp | 3 - site/role/manifests/fastb/monitor_svr.pp | 8 --- site/role/manifests/fastb/web_be.pp | 2 +- site/role/manifests/spider/web_be.pp | 2 +- site/role/manifests/sup_svc/monitor/server.pp | 8 +-- .../role/manifests/sup_svc/puppet/compiler.pp | 4 ++ site/role/manifests/sup_svc/puppet/master.pp | 4 ++ site/role/manifests/webserver.pp | 7 -- spec/onceover.yaml | 8 +-- 31 files changed, 248 insertions(+), 145 deletions(-) create mode 100644 site/profile/functions/bool2num_hash_recursive.pp create mode 100644 site/profile/manifests/app/README.md delete mode 100644 site/profile/manifests/app/icinga.pp create mode 100644 site/profile/manifests/app/icinga/server.pp create mode 100644 site/profile/manifests/app/puppet/compiler.pp create mode 100644 site/profile/manifests/app/puppet/non_pe_infra_agent.pp[D delete 
mode 100644 site/profile/manifests/base.pp delete mode 100644 site/profile/manifests/example.pp create mode 100644 site/profile/manifests/os/README.md rename site/profile/manifests/os/{base.pp => baseline.pp} (75%) rename site/profile/manifests/os/{ => baseline}/archives.pp (92%) rename site/profile/manifests/os/{ => baseline}/dns_resolver.pp (96%) delete mode 100644 site/profile/manifests/puppetmaster.pp delete mode 100644 site/role/manifests/all_in_one_pe.pp delete mode 100644 site/role/manifests/database_server.pp delete mode 100644 site/role/manifests/example.pp delete mode 100644 site/role/manifests/fastb/monitor_svr.pp create mode 100644 site/role/manifests/sup_svc/puppet/compiler.pp create mode 100644 site/role/manifests/sup_svc/puppet/master.pp delete mode 100644 site/role/manifests/webserver.pp diff --git a/.gitignore b/.gitignore index 72342857d..a8ca72977 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,7 @@ .git/ .*.sw[op] .metadata +.vscode .onceover .yardoc .yardwarns diff --git a/README-control_repo.md b/README-control_repo.md index aaed15c43..62c56dd1c 100644 --- a/README-control_repo.md +++ b/README-control_repo.md 
@@ -20,8 +20,8 @@ The important files and items in this template are as follows: * These match the default hierarchy that ships with PE. * An [environment.conf](https://puppet.com/docs/puppet/5.3/config_file_environment.html) that correctly implements: * A site directory for roles, profiles, and any custom modules for your organization. - * A config_version script. -* An example [config_version](https://puppet.com/docs/puppet/5.3/config_file_environment.html#configversion) script that outputs the git commit ID of the code that was used during a Puppet run. + * A config\_version script. +* An example [config\_version](https://puppet.com/docs/puppet/5.3/config_file_environment.html#configversion) script that outputs the git commit ID of the code that was used during a Puppet run. Here's a visual representation of the structure of this repository: diff --git a/README.md b/README.md index d68a899bd..30a5a419a 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,8 @@ Table of contents * [Get the control\-repo deployed on your master](#get-the-control-repo-deployed-on-your-master) * [Setup a webhook in your Git server](#setup-a-webhook-in-your-git-server) * [Gitlab](#gitlab-1) - * [Test Code Manager](#test-code-manager) + * [Test and Troubleshoot Code Manager](#test-and-troubleshoot-code-manager) + * [Example Roles and Profiles primer](#example-roles-and-profiles-primer) # Join the #ramp-up channel on Puppet Community Slack 
@@ -22,7 +23,7 @@ Our [Puppet Community Slack](http://slack.puppet.com) is a great way to interact # Before starting -This control-repo and the steps below are intended to be used with a new installation of PE. +This control-repo and the steps below are intended to be used with a new installation of PE as well as example of a working control-repo architecture. **Warning:** When using an existing PE installation any existing code or modules in `/etc/puppetlabs/code` will be copied to a backup directory `/etc/puppetlabs/code_bak_` in order to allow deploying code from Code Manager. @@ -32,9 +33,8 @@ When you finish the instructions below, you will have the beginning of a best pr - A Git server - The ability to push code to your Git server and have it automatically deployed to your PE master - - A config_version script that outputs the most recent SHA of your code each time you run `puppet agent -t` + - A config\_version script that outputs the most recent SHA of your code each time you run `puppet agent -t` - Optimal tuning of PE settings for this configuration - - Working and example [roles and profiles](https://docs.puppet.com/pe/latest/puppet_assign_configurations.html#assigning-configuration-data-with-role-and-profile-modules) code # How to set it all up 
@@ -48,34 +48,34 @@ When you finish the instructions below, you will have the beginning of a best pr 2. After GitLab is installed, sign into the web UI with the user `root`. - The first time you visit the UI it will force you to enter a password for the `root` user. -2. In the GitLab UI, create a group called `puppet`. +3. In the GitLab UI, create a group called `puppet`. - http://doc.gitlab.com/ce/workflow/groups.html -3. In the GitLab UI, make yourself a user to edit and push code. +4. In the GitLab UI, make yourself a user to edit and push code. -4. From your laptop or development machine, make an SSH key and link it with your GitLab user. +5. From your laptop or development machine, make an SSH key and link it with your GitLab user. - Note: The SSH key allows your laptop to communicate with the GitLab server and push code. - https://help.github.com/articles/generating-ssh-keys/ - http://doc.gitlab.com/ce/ssh/README.html -7. In the GitLab UI, add your user to the `puppet` group. +6. In the GitLab UI, add your user to the `puppet` group. - You must give your user at least master permissions to complete the following steps. - Read more about permissions: - https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/permissions/permissions.md -8. In the GitLab UI, create a project called `control-repo` and set its Namespace to the `puppet` group. +7. In the GitLab UI, create a project called `control-repo` and set its Namespace to the `puppet` group. -10. On your laptop, clone this PuppetLabs-RampUpProgram control repo. +8. On your laptop, clone this PuppetLabs-RampUpProgram control repo. - `git clone https://github.com/PuppetLabs-RampUpProgram/control-repo.git` - `cd control-repo` -14. On your laptop, remove the origin remote. +9. On your laptop, remove the origin remote. - `git remote remove origin` -15. On your laptop, add your GitLab repo as the origin remote. +10. On your laptop, add your GitLab repo as the origin remote. - `git remote add origin ` -16. 
On your laptop, push the production branch of the repo from your machine up to your Git server. +11. On your laptop, push the production branch of the repo from your machine up to your Git server. - `git push origin production` ### Stash @@ -121,9 +121,10 @@ We will set up a deploy key in the Git server that will allow an SSH key we make - Paste in the public key from above 3. Login to the PE console 4. Navigate to the **Nodes > Classification** page + - Click on the **PE Infrastructure** group - Click on the **PE Master** group - - Click the **Classes** tab - - Add the `puppet_enterprise::profile::master` + - Click the **Configuration** tab + - In the `puppet_enterprise::profile::master` class parameters - Set the `r10k_remote` to the SSH URL from the front page of your GitLab repo - Set the `r10k_private_key` parameter to `/etc/puppetlabs/puppetserver/ssh/id-control_repo.rsa` - **Commit** your changes 
@@ -132,33 +133,12 @@ We will set up a deploy key in the Git server that will allow an SSH key we make ~~~ puppet agent -t - r10k deploy environment -pv + puppet access login -l + puppet code deploy production --wait puppet agent -t ~~~ -5. Navigate back to the **Nodes > Classification** page - - Near the top of the page select "add a group" - - Type `role::all_in_one_pe` for the group name - - Click the **Add Group** button - - Click the **add membership rules, classes and variables** link that appears - - Below **Pin specific nodes to the group** type your master's FQDN into the box - - Click **pin node** - - Select the **Classes** tab - - On the right hand side, click the **Refresh** link - - Wait for this to complete - - In the **add new classes** box type `role::all_in_one_pe` - - Click **add class** - - **Commit** your changes -8. On your Puppet master - - Run: - - ~~~ - puppet agent -t - echo 'code_manager_mv_old_code=true' > /opt/puppetlabs/facter/facts.d/code_manager_mv_old_code.txt - puppet agent -t - ~~~ - -9. Code Manager is configured and has been used to deploy your code +6. Code Manager is configured and has been used to deploy your code ## Setup a webhook in your Git server @@ -178,7 +158,7 @@ Independent of which Git server you choose you will grab the webhook URL from yo - Since Code Manager uses a self-signed cert from the Puppet CA it is not generally trusted 3. After you created the webhook use "test webhook" or similar functionality to confirm it works -## Test Code Manager +## Test and Troubleshoot Code Manager One of the components setup by this control-repo is that when you "push" code to your Git server, the git server will inform the Puppet master to deploy the branch you just pushed. 
@@ -195,5 +175,14 @@ One of the components setup by this control-repo is that when you "push" code to 3. Allow the push to complete and then wait a few seconds for everything to sync over. - On your Puppet Master, `ls -l /etc/puppetlabs/code/environments/production`. - - Confirm test_file is present + - Confirm test\_file is present 4. In your first terminal window review the `puppetserver.log` to see the type of logging each sync will create. + +## Example Roles and Profiles primer + +The Roles and Profiles in this repo are usable examples. Some of the code has been commented out to protect the inocent but the examples sound. Please review the following README's for a more detailed description of the examples. + + * The role and profile patern (method for naming and suggestions for hierachy) are only examples and suggestions. + * Some of the Windows profiles may not totally work due to depencies. + * Software download locations + * Method for package install ie (chocolatey, or wmi, etc.) are not specified. diff --git a/site/README.md b/site/README.md index 3c07713a3..dd2658233 100644 --- a/site/README.md +++ b/site/README.md 
@@ -15,13 +15,16 @@ These examples have been constructed with the following requirements: - Solaris 11.2 - Two products should be represented - Spider - - Windows product - - IIS Web service - - F5 loadbalancer - - SQL Database server + - Windows systems hosting the product + - IIS Web service 'role::spiders::web_be' + - HAProxy loadbalancer 'role::spiders::balancer' + - SQL Database server 'role::spiders::database' - Fastb - - Linux and Solaris product - - Tomcat web backend - - HAProxy loadbalancer - - MYSQL Database server + - Linux and Solaris systmes hoting the product + - Tomcat web backend 'role::fastb::web_be' + - HAProxy loadbalancer 'role::fastb::balancer' + - MYSQL Database server 'role::fastb::database' - These products are examples and will be deploying a `hello world` code base + - Support services + - While products usually do not share hosts support services do + - Example of monitoring service 'role::sup\_svc::monitoring::server' diff --git a/site/profile/README.md b/site/profile/README.md index c135523a2..fe104ea73 100644 --- a/site/profile/README.md +++ b/site/profile/README.md 
@@ -15,19 +15,26 @@ Profiles should be organized in a hierarchical form with a few top-level categor ### The OS folder -`/manifests/os/` +`./manifests/os/` * This directory should contain profiles that manage items built-in to an operating system. For example, DNS, NTP, Users, firewall rules, etc.... * If the thing being managed is "out of the box", it goes here. -`/manifests/os//` +`./manifests/os/baseline.pp` + + * Profile that will wrap the OS level profiles + * Profile that build to support all business supported OS. + * Profile to implement the minimium base that security, product and sysadmins will allow on a company network. + * Profile built to install the base software for a company that is identified as site wide software, ie backup etc. + +`./manifests/os//` * Profiles that are specific to built-in settings of one operating system go here. - * For example, `/manifests/os/windows/`, `/manifests/os/linux/`, or `/manifests/os/aix/`. + * For example, `/manifests/os/windows/security.pp`, `/manifests/os/linux/firewall.pp`, or `/manifests/os/solaris/enable_ssh.pp`. ### The App folder -`/manifests/app/` +`./manifests/app//.pp` * This directory should contain profiles to manage applications stacks. * An "app" is anything that does **not** come out of the box or is **not** built-in to the operating system. 
@@ -36,3 +43,15 @@ Profiles should be organized in a hierarchical form with a few top-level categor * Avoid ambiguous profile names. `profile::app::splunk::forwarder` is better than `profile::app::splunk`. * Other examples: `/manifests/app/apache.pp`, `/manifests/app/sql/server.pp`, or `/manifests/app/f5/load_balancer.pp`. +`./manifests/cloud//.pp` + + * This directory is for profiles that will be used to implement cloud API services. + * This should be things like profiles to communicate to API's like Azure, Google Cloud, OpenStack, etc. + +`./lib/facter/` + + * This will be used a location to store site (company) specific facts not specific to a component module. + +`./functions/` + + * This directory is for site specific functions not related to modules. diff --git a/site/profile/functions/bool2num_hash_recursive.pp b/site/profile/functions/bool2num_hash_recursive.pp new file mode 100644 index 000000000..a3fb3be8b --- /dev/null +++ b/site/profile/functions/bool2num_hash_recursive.pp 
@@ -0,0 +1,45 @@
+# This functions converts the Boolean values of a Hash to Integers,
+# either '0' or '1'. It does this recursively, decending as far as the
+# language implemenation will allow. Note that Structs and Arrays will
+# be ignored, even if they contain Hashes.
+#
+# @private
+#
+# @param arg [Hash] The hash on which to operate
+# @return [Hash]
+#
+# @example Usage
+#
+# ```puppet
+# Hash $foo = {
+# bar => { 'a' => true, 'b' => 'b' },
+# baz => false,
+# qux => [{ 'c' => true }, { 'd' => false }],
+# }
+#
+# profile::bool2num_hash_recursive($foo)
+# ```
+#
+# The above would return:
+#
+# ```puppet
+# {
+# bar => { 'a' => 1, 'b' => 'b' },
+# baz => 0,
+# qux => [{ 'c' => true }, { 'd' => false }],
+# }
+# ```
+#
+function profile::bool2num_hash_recursive($arg) {
+ assert_type(Hash, $arg)
+ $arg.map |$key, $value| {
+ $return_value = $value ? {
+ Boolean => bool2num($value),
+ Hash => profile::bool2num_hash_recursive($value),
+ default => $value,
+ }
+ Hash({ $key => $return_value })
+ }.reduce |$attrs_memo, $kv| {
+ merge($attrs_memo, $kv)
+ }
+}
diff --git a/site/profile/manifests/app/README.md b/site/profile/manifests/app/README.md
new file mode 100644
index 000000000..630aa4a4e
--- /dev/null
+++ b/site/profile/manifests/app/README.md
@@ -0,0 +1,10 @@
+### The App folder
+
+`./manifests/app//.pp`
+
+ * This directory should contain profiles to manage applications stacks.
+ * An "app" is anything that does **not** come out of the box or is **not** built-in to the operating system.
+ * Use simple and easy to understand sub folders that describe the type of application being managed.
+ * For example, `app/liferay.pp` is **bad**. While `app/cms/liferay.pp` is better as it groups it in the "CMS" category.
+ * Avoid ambiguous profile names. `profile::app::splunk::forwarder` is better than `profile::app::splunk`.
+ * Other examples: `/manifests/app/apache.pp`, `/manifests/app/sql/server.pp`, or `/manifests/app/f5/load_balancer.pp`.
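Review bot: An empty hash passed to `profile::bool2num_hash_recursive` does not come back as a hash, because `.reduce |$attrs_memo, $kv|` has no start value and `map` yields an empty array in that case, so the fold should evaluate to undef. The same happens to a nested `{}` value on the recursive call, which silently turns an empty hash into undef in the result. Seeding the fold keeps the documented `@return [Hash]` contract: `}.reduce({}) |$attrs_memo, $kv| {`. The header comment would also benefit from one line stating what an empty hash returns.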
diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp index 8509d5aeb..da56ca0db 100644 --- a/site/profile/manifests/app/fastb.pp +++ b/site/profile/manifests/app/fastb.pp @@ -1,6 +1,6 @@ # This is a example profile to deploy fastb application software. class profile::app::fastb ( - Stdlib::Httpsurl $download_url = 'https://tomcat.apache.org/tomcat-9.0-doc/appdev/sample/sample.war', + Stdlib::HTTPSUrl $download_url = 'https://tomcat.apache.org/tomcat-9.0-doc/appdev/sample/sample.war', Stdlib::Absolutepath $app_path = '/opt/tomcat/fastb', ) { include profile::app::tomcat::webserver @@ -28,7 +28,7 @@ tomcat::config::server::connector { 'tomcat-second-http': catalina_base => '/opt/tomcat/second', - port => '8081',, + port => '8081', protocol => 'HTTP/1.1', additional_attributes => { 'redirectPort' => '8443' diff --git a/site/profile/manifests/app/icinga.pp b/site/profile/manifests/app/icinga.pp deleted file mode 100644 index 4f3c5425b..000000000 --- a/site/profile/manifests/app/icinga.pp +++ /dev/null @@ -1,11 +0,0 @@ -# A description of what this class does -# -# @summary A short summary of the purpose of this class -# -# @example -# include puppet_control_starter::profile::app::icinga -class profile::app::icinga { - class { '::icinga2': - manage_repo => false, - } -} diff --git a/site/profile/manifests/app/icinga/server.pp b/site/profile/manifests/app/icinga/server.pp new file mode 100644 index 000000000..6d2ba6a08 --- /dev/null +++ b/site/profile/manifests/app/icinga/server.pp @@ -0,0 +1,13 @@ +# A description of what this class does +# +# @summary This class will install a icinga2 server +# +# @example +# include profile::app::icinga::server +class profile::app::icinga::server ( + Boolean $manage_repo = false, +) { + class { '::icinga2': + manage_repo => $manage_repo, + } +} diff --git a/site/profile/manifests/app/puppet/compiler.pp b/site/profile/manifests/app/puppet/compiler.pp new file mode 100644 index 000000000..1a8464a7a 
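Review bot: The header of the new `profile::app::icinga::server` class still opens with the template line `# A description of what this class does`, and the `$manage_repo` parameter introduced here has no `@param` entry. Replace the first line with a real description and add `# @param manage_repo Passed through to the manage_repo parameter of the icinga2 class; defaults to false.` so the reason for the `false` default is recorded next to the code.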
--- /dev/null
+++ b/site/profile/manifests/app/puppet/compiler.pp
@@ -0,0 +1,47 @@
+# class profile::app::puppet::compiler
+# This profile has a chicken and egg complex
+# The content of the keys cannot reside in hiera-eyaml until Primary Master has been configured.
+class profile::app::puppet::compiler (
+ String $ssh_private_key_content,
+ String $ssh_public_key_content,
+ String $eyaml_private_key_content,
+ String $eyaml_public_key_content,
+) {
+
+ file { [ '/etc/puppetlabs/puppet/eyaml', '/etc/puppetlabs/puppetserver/ssh/' ]:
+ ensure => directory,
+ owner => 'pe-puppet',
+ group => 'pe-puppet',
+ mode => '0750',
+ }
+
+ file { '/etc/puppetlabs/puppetserver/ssh/id-control_repo.rsa':
+ ensure => file,
+ owner => 'pe-puppet',
+ group => 'pe-puppet',
+ content => $ssh_private_key_content,
+ }
+
+ file { '/etc/puppetlabs/puppetserver/ssh/id-control_repo.rsa.pub':
+ ensure => file,
+ owner => 'pe-puppet',
+ group => 'pe-puppet',
+ content => $ssh_public_key_content,
+ }
+
+ file { '/etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem':
+ ensure => file,
+ owner => 'pe-puppet',
+ group => 'pe-puppet',
+ mode => '0600',
+ content => $eyaml_private_key_content,
+ }
+
+ file { '/etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem':
+ ensure => file,
+ owner => 'pe-puppet',
+ group => 'pe-puppet',
+ mode => '0644',
+ content => $eyaml_public_key_content,
+ }
+}
diff --git a/site/profile/manifests/app/puppet/non_pe_infra_agent.pp[D b/site/profile/manifests/app/puppet/non_pe_infra_agent.pp[D
new file mode 100644
index 000000000..9e9ce3cea
--- /dev/null
+++ b/site/profile/manifests/app/puppet/non_pe_infra_agent.pp[D
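Review bot: The resource for `/etc/puppetlabs/puppetserver/ssh/id-control_repo.rsa` in `compiler.pp` sets no `mode`, unlike the eyaml private key further down, which gets `'0600'`. Puppet creates a new file as 0644 and leaves an existing file's mode unmanaged when `mode` is omitted, so the SSH private key is protected only by the 0750 parent directory; add `mode => '0600',` there and `mode => '0644',` on the `.pub` resource. All four key parameters are plain `String`, so private key material can appear in file diffs in agent output and reports; typing the two private ones as `Sensitive[String]`, or setting `show_diff => false,` on those resources, keeps it out. The header comment says the keys cannot live in hiera-eyaml until the primary is configured, so it should also say where the plaintext values are expected to come from during bootstrap and that they must be moved to encrypted data afterwards.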
@@ -0,0 +1,13 @@
+# class to help manage server settings
+class profile::app::puppet::non_pe_infra_agent (
+ String $puppet_server = 'puppet.exampledomain.com',
+ Stdlib::Absolutepath $path_to_puppet_conf_dir = '/etc/puppetlabs/puppet',
+) {
+ ini_setting { "puppet server setting":
+ ensure => present,
+ path => "${path_to_puppet_conf_dir}/puppet.conf",
+ section => 'main',
+ setting => 'server',
+ value => $puppet_server,
+ }
+}
diff --git a/site/profile/manifests/base.pp b/site/profile/manifests/base.pp
deleted file mode 100644
index ae85e6550..000000000
--- a/site/profile/manifests/base.pp
+++ /dev/null
@@ -1,5 +0,0 @@
-class profile::base {
-
- #the base profile should include component modules that will be on all nodes
-
-}
diff --git a/site/profile/manifests/example.pp b/site/profile/manifests/example.pp
deleted file mode 100644
index 0b48c3a10..000000000
--- a/site/profile/manifests/example.pp
+++ /dev/null
@@ -1,3 +0,0 @@
-class profile::example {
-
-}
diff --git a/site/profile/manifests/os/README.md b/site/profile/manifests/os/README.md
new file mode 100644
index 000000000..3edf25691
--- /dev/null
+++ b/site/profile/manifests/os/README.md
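Review bot: The new manifest is added under the path `non_pe_infra_agent.pp[D` (the `[D` suffix looks like a stray terminal escape sequence), so the file name no longer ends in `.pp` and the autoloader will presumably not find `profile::app::puppet::non_pe_infra_agent`; it should be renamed to `non_pe_infra_agent.pp`. `$puppet_server` decides which server the agent takes its catalogs from and is typed as a bare `String`; `Stdlib::Host $puppet_server = 'puppet.exampledomain.com',` would reject empty or malformed values before they reach `puppet.conf`. The resource title `"puppet server setting"` contains no interpolation and can be single-quoted.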
@@ -0,0 +1,19 @@ +### The OS folder + +`./manifests/os/` + + * This directory should contain profiles that manage items built-in to an operating system. For example, DNS, NTP, Users, firewall rules, etc.... + * If the thing being managed is "out of the box", it goes here. + +`./manifests/os/baseline.pp` + + * Profile that will wrap the OS level profiles + * Profile that build to support all business supported OS. + * Profile to implement the minimium base that security, product and sysadmins will allow on a company network. + * Profile built to install the base software for a company that is identified as site wide software, ie backup etc. + +`./manifests/os//` + + * Profiles that are specific to built-in settings of one operating system go here. + * For example, `/manifests/os/windows/registry.pp`, `/manifests/os/linux/firewall.pp`, or `/manifests/os/solaris/enable_ssh.pp`. + diff --git a/site/profile/manifests/os/base.pp b/site/profile/manifests/os/baseline.pp similarity index 75% rename from site/profile/manifests/os/base.pp rename to site/profile/manifests/os/baseline.pp index 57b74e49a..046fc416f 100644 --- a/site/profile/manifests/os/base.pp +++ b/site/profile/manifests/os/baseline.pp @@ -2,7 +2,7 @@ # It should support all site OS's and sould be enforced # on all agent hosts. This is the minimum bar of site # specific hosts. -class profile::os::base ( +class profile::os::baseline ( Array[String[1]] $name_servers = [ '8.8.8.8', '8.8.4.4' ], Array[String[1]] $search_path = [ 'localdomain', 'puppet.vm' ], ) { 
@@ -10,21 +10,21 @@ # configuration for systems to be used within the company networks. case $facts['os']['family'] { 'RedHat': { - class { 'profile::os::dns_resolver': + class { 'profile::os::baseline::dns_resolver': name_servers => $name_servers, search_path => $search_path, } #include 'profile::os::linux::security' } 'windows': { - class { 'profile::os::dns_resolver': + class { 'profile::os::baseline::dns_resolver': name_servers => $name_servers, search_path => $search_path, } #include profile::os::windows::security } 'Solaris': { - class { 'profile::os::dns_resolver': + class { 'profile::os::baseline::dns_resolver': name_servers => $name_servers, search_path => $search_path, } @@ -34,4 +34,7 @@ fail("OS family ${facts['os']['family']} is not supported with ${title}.") } } + # Profile does the OS case statement + # Profile will normalize the 'temp' path for Linux, Solaris, and Windows + include profile::os::baseline::archive } diff --git a/site/profile/manifests/os/archives.pp b/site/profile/manifests/os/baseline/archives.pp similarity index 92% rename from site/profile/manifests/os/archives.pp rename to site/profile/manifests/os/baseline/archives.pp index f82cb0c38..9cddf685a 100644 --- a/site/profile/manifests/os/archives.pp +++ b/site/profile/manifests/os/baseline/archives.pp @@ -1,6 +1,6 @@ # This profile is to normalize archive for a site # it will set temp dir and install dir for the build -class profile::os::archives ( +class profile::os::baseline::archives ( Optional[Stdlib::Absolutepath] $in_temp_path = undef, ) { include '::archive' diff --git a/site/profile/manifests/os/dns_resolver.pp b/site/profile/manifests/os/baseline/dns_resolver.pp similarity index 96% rename from site/profile/manifests/os/dns_resolver.pp rename to site/profile/manifests/os/baseline/dns_resolver.pp index 946c879f7..30bdb0070 100644 --- a/site/profile/manifests/os/dns_resolver.pp +++ b/site/profile/manifests/os/baseline/dns_resolver.pp 
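Review bot: The added `include profile::os::baseline::archive` in the second `baseline.pp` hunk names a class this patch does not define: the rename in the same commit creates `profile::os::baseline::archives` (plural) in `baseline/archives.pp`. As written, every role that includes `profile::os::baseline` should fail catalog compilation with an unknown-class error. The line should read `include profile::os::baseline::archives`. The class header of `profile::os::baseline` is outside this hunk.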
@@ -6,13 +6,13 @@ # @param name_servers An array of DNS name servers to use. # @param search_path An array of domain suffixes to use in the DNS search path. # -class profile::os::dns_resolver ( +class profile::os::baseline::dns_resolver ( Array[String[1]] $name_servers, Array[String[1]] $search_path, ) { case $facts['kernel'] { - 'linux','aix': { + 'linux','solaris': { # Use saz/resolv_conf Forge module class { 'resolv_conf': diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp deleted file mode 100644 index 9109c7d0a..000000000 --- a/site/profile/manifests/puppetmaster.pp +++ /dev/null @@ -1,17 +0,0 @@ -class profile::puppetmaster ( - $hiera_yaml = "${::settings::confdir}/hiera.yaml" -){ - - class { 'hiera': - hierarchy => [ - 'virtual/%{::virtual}', - 'nodes/%{::trusted.certname}', - 'common', - ], - hiera_yaml => $hiera_yaml, - datadir => '/etc/puppetlabs/code/environments/%{environment}/hieradata', - owner => 'pe-puppet', - group => 'pe-puppet', - notify => Service['pe-puppetserver'], - } -} diff --git a/site/role/README.md b/site/role/README.md index dec49e2b8..5ebc365aa 100644 --- a/site/role/README.md +++ b/site/role/README.md 
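Review bot: The new alternative in `'linux','solaris': {` is compared with `$facts['kernel']`, and on Solaris that fact is `SunOS`, so it never matches and Solaris nodes fall through to whatever branch follows, which is not visible in this hunk. `profile::os::baseline` declares this class for the `Solaris` OS family, so those nodes would end up without the intended resolver configuration or hit a failure branch. Use `'linux','sunos': {` here, or switch the selector to `$facts['os']['family']` as the baseline profile does. The case statement continues past the end of the hunk.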
@@ -9,11 +9,14 @@ we're gonna go ahead and say that anyway. ## Organization and Namespaces -Roles should be organized in a hierarchical form with product categories that descend into more specific things. DO NOT just throw all your roles at the root of the `manifests/` folder. Oh, and please use sub-folders for related roles. +Roles should be organized in a hierarchical form with product categories that descend into more specific services for the product. DO NOT just throw all your roles at the root of the `manifests/` folder. Oh, and please use sub-folders for related roles. ### The Product folders `/manifests//` * This directory should contain roles that manage nodes running specific product line functions. - * For example, `/manifests/fastb/web_be.pp` is `FastB product Web Back-end`. + * For example: + * `./manifests/fastb/web_be.pp` is `FastB product Web Backend`. + * `./manifests/spiders/database.pp` is `Spiders product SQL Database Backend`. + diff --git a/site/role/manifests/all_in_one_pe.pp b/site/role/manifests/all_in_one_pe.pp deleted file mode 100644 index b6b883e80..000000000 --- a/site/role/manifests/all_in_one_pe.pp +++ /dev/null @@ -1,7 +0,0 @@ -class role::all_in_one_pe { - - include profile::puppetmaster - include pe_code_manager_webhook - include pe_metric_curl_cron_jobs - -} diff --git a/site/role/manifests/database_server.pp b/site/role/manifests/database_server.pp deleted file mode 100644 index aacc912b2..000000000 --- a/site/role/manifests/database_server.pp +++ /dev/null @@ -1,7 +0,0 @@ -class role::database_server { - - #This role would be made of all the profiles that need to be included to make a database server work - #All roles should include the base profile - include profile::base - -} diff --git a/site/role/manifests/example.pp b/site/role/manifests/example.pp deleted file mode 100644 index 2c1d2d724..000000000 --- a/site/role/manifests/example.pp +++ /dev/null @@ -1,3 +0,0 @@ -class role::example { - -} 
diff --git a/site/role/manifests/fastb/monitor_svr.pp b/site/role/manifests/fastb/monitor_svr.pp deleted file mode 100644 index 2ba3d06a3..000000000 --- a/site/role/manifests/fastb/monitor_svr.pp +++ /dev/null @@ -1,8 +0,0 @@ -# This is an example of a product called -# "Fast B" -# This is a monitoring server for that product. -class role::fastb::monitor_svr { - include profile::os::base - include profile::app::icinga - # include profile::app::fastb -} diff --git a/site/role/manifests/fastb/web_be.pp b/site/role/manifests/fastb/web_be.pp index 48bef71b4..5ba84dc88 100644 --- a/site/role/manifests/fastb/web_be.pp +++ b/site/role/manifests/fastb/web_be.pp @@ -2,6 +2,6 @@ # "Fast B" # This is a web backend for that product. class role::fastb::web_be { - include profile::os::base + include profile::os::baseline include profile::app::fastb } diff --git a/site/role/manifests/spider/web_be.pp b/site/role/manifests/spider/web_be.pp index 29e8684e2..1d7343e91 100644 --- a/site/role/manifests/spider/web_be.pp +++ b/site/role/manifests/spider/web_be.pp @@ -2,7 +2,7 @@ # "Fast B" # This is a web backend for that product. class role::spider::web_be { - include profile::os::base + include profile::os::baseline include profile::app::iis::default_app_pool # include profile::app::spider } diff --git a/site/role/manifests/sup_svc/monitor/server.pp b/site/role/manifests/sup_svc/monitor/server.pp index 545997031..0e41bea93 100644 --- a/site/role/manifests/sup_svc/monitor/server.pp +++ b/site/role/manifests/sup_svc/monitor/server.pp @@ -1,7 +1,5 @@ -# This is an example of a product called -# "Fast B" -# This is a monitoring server for that product. +# This is a monitoring server for that many products and services class role::sup_svc::monitor::server { - include profile::os::base - include profile::app::icinga + include profile::os::baseline + include profile::app::icinga::server } 
diff --git a/site/role/manifests/sup_svc/puppet/compiler.pp b/site/role/manifests/sup_svc/puppet/compiler.pp new file mode 100644 index 000000000..997369324 --- /dev/null +++ b/site/role/manifests/sup_svc/puppet/compiler.pp @@ -0,0 +1,4 @@ +# This is a role to add to the Puppet compiler group +class role::sup_svc::puppet::compiler { + include profile::os::baseline +} diff --git a/site/role/manifests/sup_svc/puppet/master.pp b/site/role/manifests/sup_svc/puppet/master.pp new file mode 100644 index 000000000..5de84cc24 --- /dev/null +++ b/site/role/manifests/sup_svc/puppet/master.pp @@ -0,0 +1,4 @@ +# This is a role to add to the Puppet Master. +class role::sup_svc::puppet::master { + # include profile::os::baseline +} diff --git a/site/role/manifests/webserver.pp b/site/role/manifests/webserver.pp deleted file mode 100644 index 314fa55f3..000000000 --- a/site/role/manifests/webserver.pp +++ /dev/null @@ -1,7 +0,0 @@ -class role::webserver { - - #This role would be made of all the profiles that need to be included to make a webserver work - #All roles should include the base profile - include profile::base - -} diff --git a/spec/onceover.yaml b/spec/onceover.yaml index 793e1f8d1..767c18653 100644 --- a/spec/onceover.yaml +++ b/spec/onceover.yaml @@ -2,7 +2,7 @@ # test all roles in repo classes: - '/role::/' - - profile::os::base + - profile::os::baseline # Nodes to tests classes on, this refers to a 'factset' or 'nodeset' # depending on weather you are running 'spec' or 'acceptance' tests @@ -15,14 +15,14 @@ nodes: # You can group classes here to save typing class_groups: base: - - 'profile::os::base' + - 'profile::os::baseline' windows: - '/role::spider/' - - 'profile::os::base' + - 'profile::os::baseline' linux: - '/role::sup_svc/' - '/role::fastb/' - - profile::os::base + - profile::os::baseline # You can group nodes here to save typing # We have created a 'non_windows_nodes' group because we can't # give you Windows vagrant boxes to test with because licensing, 
From 2c9696565b9b7a308f779fbe7f4529fa4fffc55b Mon Sep 17 00:00:00 2001 
From: Troy Klein Date: Thu, 8 Aug 2019 05:45:27 -0600 Subject: [PATCH 013/134] test for the onceover job --- .gitattributes | 5 + .gitignore | 31 ++- .gitlab-ci.yml | 33 ++++ .pdkignore | 24 +++ .rspec | 2 + .rubocop.yml | 122 ++++++++++++ .travis.yml | 44 +++++ .yardopts | 1 + Gemfile | 74 +++++++ Puppetfile | 41 ++-- README-control_repo.md | 119 +++++++++++ README.md | 71 +++---- Rakefile | 76 ++++++++ appveyor.yml | 64 ++++++ data/common.yaml | 18 ++ data/nodes/example-puppet-master.yaml | 8 + data/os/RedHat.yaml | 3 + data/os/Solaris.yaml | 3 + data/os/windows.yaml | 4 + data/virtual/virtualbox.yaml | 35 ++++ hiera.yaml | 56 ++++++ keys/private_key.pkcs7.pem | 27 +++ keys/public_key.pkcs7.pem | 18 ++ metadata.json | 72 +++++++ scripts/code_manager_config_version.rb | 2 +- scripts/config_version.rb | 15 +- scripts/config_version.sh | 7 +- site/README.md | 37 ++++ site/profile/README.md | 57 ++++++ .../functions/bool2num_hash_recursive.pp | 45 +++++ site/profile/functions/data.pp | 8 + site/profile/lib/facter/app_tier_subnet.rb | 32 +++ site/profile/lib/facter/datacenter.rb | 27 +++ site/profile/manifests/app/README.md | 10 + .../profile/manifests/app/f5/load_balancer.pp | 113 +++++++++++ site/profile/manifests/app/fastb.pp | 38 ++++ site/profile/manifests/app/icinga/server.pp | 13 ++ .../manifests/app/iis/default_app_pool.pp | 31 +++ site/profile/manifests/app/java.pp | 18 ++ site/profile/manifests/app/puppet/compiler.pp | 47 +++++ .../app/puppet/non_pe_infra_agent.pp[D | 13 ++ site/profile/manifests/app/sql/sap_server.pp | 7 + site/profile/manifests/app/sql/server.pp | 76 ++++++++ .../profile/manifests/app/tomcat/webserver.pp | 15 ++ .../manifests/cloud/azure/deployhost.pp | 91 +++++++++ site/profile/manifests/cloud/azure/vm_test.pp | 19 ++ site/profile/manifests/os/README.md | 19 ++ site/profile/manifests/os/baseline.pp | 40 ++++ .../profile/manifests/os/baseline/archives.pp | 24 +++ .../manifests/os/baseline/dns_resolver.pp | 54 +++++ 
.../manifests/os/linux/ms_ca_root_cert.pp | 19 ++ site/profile/manifests/os/linux/security.pp | 28 +++ .../manifests/os/solaris/enable_ssh.pp | 22 +++ .../manifests/os/windows/disable_firewall.pp | 29 +++ .../manifests/os/windows/disable_ieesc.pp | 22 +++ .../manifests/os/windows/disable_ipv6.pp | 14 ++ .../manifests/os/windows/disable_uac.pp | 25 +++ .../os/windows/enable_remote_desktop.pp | 21 ++ site/profile/manifests/os/windows/security.pp | 13 ++ .../manifests/os/windows/winrm_ssl_config.pp | 33 ++++ site/role/README.md | 22 +++ site/role/manifests/fastb/web_be.pp | 7 + site/role/manifests/spider/web_be.pp | 8 + site/role/manifests/sup_svc/monitor/server.pp | 5 + .../role/manifests/sup_svc/puppet/compiler.pp | 4 + site/role/manifests/sup_svc/puppet/master.pp | 4 + spec/acceptance/nodesets/onceover-nodes.yml | 41 ++++ spec/default_facts.yml | 7 + spec/factsets/README.md | 7 + spec/factsets/Windows_Server-2012r2-64.json | 164 ++++++++++++++++ spec/factsets/osx-10.13-x86_64.json | 184 ++++++++++++++++++ spec/hiera.yaml | 25 +++ spec/onceover.yaml | 57 ++++++ spec/pre_conditions/README.md | 24 +++ spec/spec_helper.rb | 44 +++++ 75 files changed, 2559 insertions(+), 79 deletions(-) create mode 100644 .gitattributes create mode 100644 .gitlab-ci.yml create mode 100644 .pdkignore create mode 100644 .rspec create mode 100644 .rubocop.yml create mode 100644 .travis.yml create mode 100644 .yardopts create mode 100644 Gemfile create mode 100644 README-control_repo.md create mode 100644 Rakefile create mode 100644 appveyor.yml create mode 100644 data/common.yaml create mode 100644 data/nodes/example-puppet-master.yaml create mode 100644 data/os/RedHat.yaml create mode 100644 data/os/Solaris.yaml create mode 100644 data/os/windows.yaml create mode 100644 data/virtual/virtualbox.yaml create mode 100644 hiera.yaml create mode 100644 keys/private_key.pkcs7.pem create mode 100644 keys/public_key.pkcs7.pem create mode 100644 metadata.json create mode 100644 site/README.md 
create mode 100644 site/profile/README.md create mode 100644 site/profile/functions/bool2num_hash_recursive.pp create mode 100644 site/profile/functions/data.pp create mode 100644 site/profile/lib/facter/app_tier_subnet.rb create mode 100644 site/profile/lib/facter/datacenter.rb create mode 100644 site/profile/manifests/app/README.md create mode 100644 site/profile/manifests/app/f5/load_balancer.pp create mode 100644 site/profile/manifests/app/fastb.pp create mode 100644 site/profile/manifests/app/icinga/server.pp create mode 100644 site/profile/manifests/app/iis/default_app_pool.pp create mode 100644 site/profile/manifests/app/java.pp create mode 100644 site/profile/manifests/app/puppet/compiler.pp create mode 100644 site/profile/manifests/app/puppet/non_pe_infra_agent.pp[D create mode 100644 site/profile/manifests/app/sql/sap_server.pp create mode 100644 site/profile/manifests/app/sql/server.pp create mode 100644 site/profile/manifests/app/tomcat/webserver.pp create mode 100644 site/profile/manifests/cloud/azure/deployhost.pp create mode 100644 site/profile/manifests/cloud/azure/vm_test.pp create mode 100644 site/profile/manifests/os/README.md create mode 100644 site/profile/manifests/os/baseline.pp create mode 100644 site/profile/manifests/os/baseline/archives.pp create mode 100644 site/profile/manifests/os/baseline/dns_resolver.pp create mode 100644 site/profile/manifests/os/linux/ms_ca_root_cert.pp create mode 100644 site/profile/manifests/os/linux/security.pp create mode 100644 site/profile/manifests/os/solaris/enable_ssh.pp create mode 100644 site/profile/manifests/os/windows/disable_firewall.pp create mode 100644 site/profile/manifests/os/windows/disable_ieesc.pp create mode 100644 site/profile/manifests/os/windows/disable_ipv6.pp create mode 100644 site/profile/manifests/os/windows/disable_uac.pp create mode 100644 site/profile/manifests/os/windows/enable_remote_desktop.pp create mode 100644 site/profile/manifests/os/windows/security.pp create mode 100644 
site/profile/manifests/os/windows/winrm_ssl_config.pp create mode 100644 site/role/README.md create mode 100644 site/role/manifests/fastb/web_be.pp create mode 100644 site/role/manifests/spider/web_be.pp create mode 100644 site/role/manifests/sup_svc/monitor/server.pp create mode 100644 site/role/manifests/sup_svc/puppet/compiler.pp create mode 100644 site/role/manifests/sup_svc/puppet/master.pp create mode 100644 spec/acceptance/nodesets/onceover-nodes.yml create mode 100644 spec/default_facts.yml create mode 100644 spec/factsets/README.md create mode 100644 spec/factsets/Windows_Server-2012r2-64.json create mode 100644 spec/factsets/osx-10.13-x86_64.json create mode 100644 spec/hiera.yaml create mode 100644 spec/onceover.yaml create mode 100644 spec/pre_conditions/README.md create mode 100644 spec/spec_helper.rb diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 000000000..9032a014a --- /dev/null +++ b/.gitattributes @@ -0,0 +1,5 @@ +*.rb eol=lf +*.erb eol=lf +*.pp eol=lf +*.sh eol=lf +*.epp eol=lf diff --git a/.gitignore b/.gitignore index 6dd2fdac1..bd9fa9206 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,27 @@ -hieradata/nodes/example-puppet-master.yaml -Gemfile.lock -_site/* -.onceover/* +.git/ +.vscode +.*.sw[op] +.metadata +.vscode +.onceover +.yardoc +.yardwarns +*.iml +/.bundle/ +/.idea/ +/.vagrant/ +/coverage/ +/bin/ +/doc/ +/Gemfile.local +/Gemfile.lock +/junit/ +/log/ +/pkg/ +/spec/fixtures/manifests/ +/spec/fixtures/modules/ +/tmp/ +/vendor/ +/convert_report.txt +/update_report.txt +.DS_Store diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 000000000..4fae77578 --- /dev/null +++ b/.gitlab-ci.yml 
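Review bot: The new `.gitignore` has no entry for `keys/`, while the diffstat of this commit adds `keys/private_key.pkcs7.pem` next to the public key, so the eyaml private key is tracked in the control repository. Anyone with read access to the repository or its history can then decrypt every hiera-eyaml value encrypted with that pair. If the pair is used for anything beyond example data, add `/keys/private_key.pkcs7.pem` (or `/keys/`) here, take the key out of the commit, and treat it as exposed: generate a new pair and re-encrypt. The hunk also drops the old `hieradata/nodes/example-puppet-master.yaml` entry while `data/nodes/example-puppet-master.yaml` is added in the same commit; confirm that file carries no secrets.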
@@ -0,0 +1,33 @@ +--- +stages: + - syntax + - unit + +cache: + paths: + - vendor/bundle + +before_script: + - bundle -v + - rm Gemfile.lock || true + - gem --version + - gem update --system + - bundle -v + - bundle install --without system_tests --path vendor/bundle --jobs $(nproc) + +syntax lint metadata_lint check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop-Ruby 2.4.4-Puppet ~> 5.5: + stage: syntax + image: ruby:2.4.4 + script: + - bundle exec rake syntax lint metadata_lint check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop + variables: + PUPPET_GEM_VERSION: '~> 5.5' + +parallel_onceover-Ruby 2.4.4-Puppet ~> 5.5: + stage: unit + image: ruby:2.4.4 + script: + - bundle exec onceover run spec + variables: + PUPPET_GEM_VERSION: '~> 5.5' + diff --git a/.pdkignore b/.pdkignore new file mode 100644 index 000000000..650022e58 --- /dev/null +++ b/.pdkignore @@ -0,0 +1,24 @@ +.git/ +.*.sw[op] +.metadata +.yardoc +.yardwarns +*.iml +/.bundle/ +/.idea/ +/.vagrant/ +/coverage/ +/bin/ +/doc/ +/Gemfile.local +/Gemfile.lock +/junit/ +/log/ +/pkg/ +/spec/fixtures/manifests/ +/spec/fixtures/modules/ +/tmp/ +/vendor/ +/convert_report.txt +/update_report.txt +.DS_Store diff --git a/.rspec b/.rspec new file mode 100644 index 000000000..16f9cdb01 --- /dev/null +++ b/.rspec @@ -0,0 +1,2 @@ +--color +--format documentation diff --git a/.rubocop.yml b/.rubocop.yml new file mode 100644 index 000000000..f5a6c2a41 --- /dev/null +++ b/.rubocop.yml 
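Review bot: `rm Gemfile.lock || true` followed by `gem update --system` in `before_script` makes every pipeline run resolve RubyGems and all gems afresh, and the Gemfile added in this commit lists `onceover` and `hiera-eyaml` without version constraints. The code executed in CI is therefore whatever is newest on the gem source at that moment, which makes builds unreproducible and widens exposure to a compromised or replaced release. Committing `Gemfile.lock` (it is also listed in the new `.gitignore`) and dropping the `rm` line, or pinning the gems, addresses both. `.travis.yml` in this commit has the same `rm -f Gemfile.lock` and `gem update --system` steps.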
@@ -0,0 +1,122 @@ +--- +require: rubocop-rspec +AllCops: + DisplayCopNames: true + TargetRubyVersion: '2.1' + Include: + - "./**/*.rb" + Exclude: + - bin/* + - ".vendor/**/*" + - "**/Gemfile" + - "**/Rakefile" + - pkg/**/* + - spec/fixtures/**/* + - vendor/**/* + - "**/Puppetfile" + - "**/Vagrantfile" + - "**/Guardfile" +Metrics/LineLength: + Description: People have wide screens, use them. + Max: 200 +GetText/DecorateString: + Description: We don't want to decorate test output. + Exclude: + - spec/* +RSpec/BeforeAfterAll: + Description: Beware of using after(:all) as it may cause state to leak between tests. + A necessary evil in acceptance testing. + Exclude: + - spec/acceptance/**/*.rb +RSpec/HookArgument: + Description: Prefer explicit :each argument, matching existing module's style + EnforcedStyle: each +Style/BlockDelimiters: + Description: Prefer braces for chaining. Mostly an aesthetical choice. Better to + be consistent then. + EnforcedStyle: braces_for_chaining +Style/ClassAndModuleChildren: + Description: Compact style reduces the required amount of indentation. + EnforcedStyle: compact +Style/EmptyElse: + Description: Enforce against empty else clauses, but allow `nil` for clarity. + EnforcedStyle: empty +Style/FormatString: + Description: Following the main puppet project's style, prefer the % format format. + EnforcedStyle: percent +Style/FormatStringToken: + Description: Following the main puppet project's style, prefer the simpler template + tokens over annotated ones. + EnforcedStyle: template +Style/Lambda: + Description: Prefer the keyword for easier discoverability. + EnforcedStyle: literal +Style/RegexpLiteral: + Description: Community preference. See https://github.com/voxpupuli/modulesync_config/issues/168 + EnforcedStyle: percent_r +Style/TernaryParentheses: + Description: Checks for use of parentheses around ternary conditions. Enforce parentheses + on complex expressions for better readability, but seriously consider breaking + it up. 
+ EnforcedStyle: require_parentheses_when_complex +Style/TrailingCommaInArguments: + Description: Prefer always trailing comma on multiline argument lists. This makes + diffs, and re-ordering nicer. + EnforcedStyleForMultiline: comma +Style/TrailingCommaInLiteral: + Description: Prefer always trailing comma on multiline literals. This makes diffs, + and re-ordering nicer. + EnforcedStyleForMultiline: comma +Style/SymbolArray: + Description: Using percent style obscures symbolic intent of array's contents. + EnforcedStyle: brackets +RSpec/MessageSpies: + EnforcedStyle: receive +Style/Documentation: + Exclude: + - lib/puppet/parser/functions/**/* + - spec/**/* +Style/WordArray: + EnforcedStyle: brackets +Style/CollectionMethods: + Enabled: true +Style/MethodCalledOnDoEndBlock: + Enabled: true +Style/StringMethods: + Enabled: true +Layout/EndOfLine: + Enabled: false +Layout/IndentHeredoc: + Enabled: false +Metrics/AbcSize: + Enabled: false +Metrics/BlockLength: + Enabled: false +Metrics/ClassLength: + Enabled: false +Metrics/CyclomaticComplexity: + Enabled: false +Metrics/MethodLength: + Enabled: false +Metrics/ModuleLength: + Enabled: false +Metrics/ParameterLists: + Enabled: false +Metrics/PerceivedComplexity: + Enabled: false +RSpec/DescribeClass: + Enabled: false +RSpec/ExampleLength: + Enabled: false +RSpec/MessageExpectation: + Enabled: false +RSpec/MultipleExpectations: + Enabled: false +RSpec/NestedGroups: + Enabled: false +Style/AsciiComments: + Enabled: false +Style/IfUnlessModifier: + Enabled: false +Style/SymbolProc: + Enabled: false diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 000000000..cd1cea768 --- /dev/null +++ b/.travis.yml 
@@ -0,0 +1,44 @@ +--- +sudo: false +dist: trusty +language: ruby +cache: bundler +before_install: + - bundle -v + - rm -f Gemfile.lock + - gem update --system + - gem --version + - bundle -v + - bundle install --path vendor/bundle --jobs $(nproc) +script: + - 'bundle exec rake $CHECK' +bundler_args: --without system_tests +rvm: + - 2.5.1 +env: + global: + - BEAKER_PUPPET_COLLECTION=puppet6 PUPPET_GEM_VERSION="~> 6.0" +matrix: + fast_finish: true + include: + - + env: CHECK="syntax lint metadata_lint check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop" + - + env: CHECK=parallel_spec + - + env: PUPPET_GEM_VERSION="~> 5.0" CHECK=parallel_spec + rvm: 2.4.4 + - + env: PUPPET_GEM_VERSION="~> 4.0" CHECK=parallel_spec + rvm: 2.1.9 + - + env: PUPPET_GEM_VERSION="~> 5.5" CHECK=parallel_onceover + script: + - bundle exec onceover run spec + rvm: 2.4.4 +branches: + only: + - master + - /^v\d/ +notifications: + email: false diff --git a/.yardopts b/.yardopts new file mode 100644 index 000000000..29c933bcf --- /dev/null +++ b/.yardopts @@ -0,0 +1 @@ +--markup markdown diff --git a/Gemfile b/Gemfile new file mode 100644 index 000000000..992602822 --- /dev/null +++ b/Gemfile 
@@ -0,0 +1,74 @@ +source ENV['GEM_SOURCE'] || 'https://rubygems.org' + +def location_for(place_or_version, fake_version = nil) + git_url_regex = %r{\A(?(https?|git)[:@][^#]*)(#(?.*))?} + file_url_regex = %r{\Afile:\/\/(?.*)} + + if place_or_version && (git_url = place_or_version.match(git_url_regex)) + [fake_version, { git: git_url[:url], branch: git_url[:branch], require: false }].compact + elsif place_or_version && (file_url = place_or_version.match(file_url_regex)) + ['>= 0', { path: File.expand_path(file_url[:path]), require: false }] + else + [place_or_version, { require: false }] + end +end + +ruby_version_segments = Gem::Version.new(RUBY_VERSION.dup).segments +minor_version = ruby_version_segments[0..1].join('.') + +group :development do + gem "fast_gettext", '1.1.0', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.1.0') + gem "fast_gettext", require: false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.1.0') + gem "json_pure", '<= 2.0.1', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0') + gem "json", '= 1.8.2', require: false if Gem::Version.new(RUBY_VERSION.dup) == Gem::Version.new('2.1.9') + gem "json", '<= 2.0.4', require: false if Gem::Version.new(RUBY_VERSION.dup) == Gem::Version.new('2.4.4') + gem "puppet-module-posix-default-r#{minor_version}", require: false, platforms: [:ruby] + gem "puppet-module-posix-dev-r#{minor_version}", require: false, platforms: [:ruby] + gem "puppet-module-win-default-r#{minor_version}", require: false, platforms: [:mswin, :mingw, :x64_mingw] + gem "puppet-module-win-dev-r#{minor_version}", require: false, platforms: [:mswin, :mingw, :x64_mingw] + gem "onceover" + gem "hiera-eyaml" +end + +puppet_version = ENV['PUPPET_GEM_VERSION'] +onceover_version = ENV['ONCEOVER_GEM_VERSION'] +facter_version = ENV['FACTER_GEM_VERSION'] +hiera_version = ENV['HIERA_GEM_VERSION'] + +gems = {} + +gems['puppet'] = location_for(puppet_version) + +# If facter or hiera 
versions have been specified via the environment +# variables + +gems['onceover'] = location_for(onceover_version) if onceover_version +gems['facter'] = location_for(facter_version) if facter_version +gems['hiera'] = location_for(hiera_version) if hiera_version + +if Gem.win_platform? && puppet_version =~ %r{^(file:///|git://)} + # If we're using a Puppet gem on Windows which handles its own win32-xxx gem + # dependencies (>= 3.5.0), set the maximum versions (see PUP-6445). + gems['win32-dir'] = ['<= 0.4.9', require: false] + gems['win32-eventlog'] = ['<= 0.6.5', require: false] + gems['win32-process'] = ['<= 0.7.5', require: false] + gems['win32-security'] = ['<= 0.2.5', require: false] + gems['win32-service'] = ['0.8.8', require: false] +end + +gems.each do |gem_name, gem_params| + gem gem_name, *gem_params +end + +# Evaluate Gemfile.local and ~/.gemfile if they exist +extra_gemfiles = [ + "#{__FILE__}.local", + File.join(Dir.home, '.gemfile'), +] + +extra_gemfiles.each do |gemfile| + if File.file?(gemfile) && File.readable?(gemfile) + eval(File.read(gemfile), binding) + end +end +# vim: syntax=ruby diff --git a/Puppetfile b/Puppetfile index 0421b7764..180407b86 100644 --- a/Puppetfile +++ b/Puppetfile 
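Review bot: The two gems added to the development group, `gem "onceover"` and `gem "hiera-eyaml"`, carry no version constraint, and the `.travis.yml` added in this same patch runs `rm -f Gemfile.lock` before `bundle install`, so every CI run resolves whatever release is newest at that moment. Since hiera-eyaml is the gem that handles the encrypted Hiera data, I would pin both with a pessimistic constraint, for example `gem "hiera-eyaml", '~> <TESTED_VERSION>', require: false`, taking the version from what the project currently tests against. The loop at the end of the file runs `eval(File.read(gemfile), binding)` on `Gemfile.local` and `~/.gemfile`; a comment such as `# Gemfile.local and ~/.gemfile are executed as Ruby; keep them developer-local and out of CI images` would make that trust assumption explicit.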
@@ -1,25 +1,24 @@ forge "http://forge.puppetlabs.com" -# Modules from the Puppet Forge -# Further examples: https://github.com/puppetlabs/r10k/blob/master/doc/puppetfile.mkd#forge-1 -mod "puppetlabs/inifile", '1.6.0' -mod "puppetlabs/stdlib", '4.16.0' -mod "puppetlabs/concat", '2.2.1' -mod "puppet/hiera", '2.4.0' -mod "npwalker/pe_code_manager_webhook", '2.0.1' -mod "npwalker/pe_metric_curl_cron_jobs", '4.0.0' +mod "puppetlabs/inifile", '1.6.0' +mod 'puppetlabs-stdlib', '4.24.0' +mod 'puppetlabs-tomcat', '2.4.0' +mod 'puppetlabs/concat', '2.2.1' +mod 'puppetlabs-java', '3.2.0' +mod 'puppetlabs-chocolatey', '3.1.0' +mod 'puppetlabs-iis', '4.5.0' +mod 'puppet-archive', '3.2.1' +mod 'puppet-hiera', '3.3.4' +mod 'saz-ssh', '4.0.0' +mod 'saz-resolv_conf', '3.3.0' +mod 'icinga-icinga2', '1.3.7' -# Modules from Github using various references -# Further examples: https://github.com/puppetlabs/r10k/blob/master/doc/puppetfile.mkd#examples -# update the tag to the most current release when implementing -mod 'pe_code_manager_webhook', - :git => 'https://github.com/npwalker/pe_code_manager_webhook', - :ref => '8d3003a38371328bcabea695dd40f16b1e90e827' +mod 'puppetlabs-dsc', '1.7.0' +mod 'puppetlabs-reboot', '2.0.0' +mod 'puppetlabs-powershell', '2.2.0' +mod 'puppet-windows_env', '3.2.0' +mod 'cyberious-pget', '1.1.0' +mod 'cyberious-windows_java', '1.0.2' -mod 'gms', - :git => 'https://github.com/abrader/abrader-gms', - :ref => 'a5105e95cf0f8b84a143d7a69a83e3ff3d4e02fb' - -mod 'pltraining-rbac', - :git => 'https://github.com/puppetlabs/pltraining-rbac', - :ref => '9a823ff42810988f80a2b65738054a816620d972' +#mod 'tomcat', +# git: 'https://github.com/spidersddd/puppetlabs-tomcat' diff --git a/README-control_repo.md b/README-control_repo.md new file mode 100644 index 000000000..62c56dd1c --- /dev/null +++ b/README-control_repo.md 
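Review bot: The Forge modules added in this hunk are selected by name and version only, and the unchanged first line still reads `forge "http://forge.puppetlabs.com"`, which is plain HTTP. Whether the deploy tool honours that directive depends on its configuration, which is not visible here, but the line should not advertise an unauthenticated transport; I would change it to `forge 'https://forge.puppet.com'`. The hunk also drops the three git modules that were pinned to full commit SHAs, and the commented-out `tomcat` git source at the end has no `ref`; if it is ever re-enabled it should get one, e.g. `ref: '<COMMIT_SHA>'`, so a branch move cannot change deployed code.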
@@ -0,0 +1,119 @@ +# A Puppet Control Repository + +* [What You Get From This control\-repo](#what-you-get-from-this-control-repo) +* [Copy This Repo Into Your Own Git Server](#copy-this-repo-into-your-own-git-server) + * [GitLab](#gitlab) + * [Bitbucket/Stash](#bitbucketstash) + * [Github](#github) +* [Code Manager Setup](#code-manager-setup) + + +## What You Get From This control-repo + +This is a template [control repository](https://puppet.com/docs/pe/latest/code_management/control_repo.html) that has the minimum amount of scaffolding to make it easy to get started with [r10k](https://puppet.com/docs/pe/latest/code_management/r10k.html) or Puppet Enterprise's [Code Manager](https://puppet.com/docs/pe/latest/code_management/code_mgr.html). + +The important files and items in this template are as follows: + +* Basic example of roles and profiles. +* An example Puppetfile with various module references. +* An example Hiera configuration file and data directory with pre-created common.yaml and nodes directory. + * These match the default hierarchy that ships with PE. +* An [environment.conf](https://puppet.com/docs/puppet/5.3/config_file_environment.html) that correctly implements: + * A site directory for roles, profiles, and any custom modules for your organization. + * A config\_version script. +* An example [config\_version](https://puppet.com/docs/puppet/5.3/config_file_environment.html#configversion) script that outputs the git commit ID of the code that was used during a Puppet run. + +Here's a visual representation of the structure of this repository: + +``` +control-repo/ +├── data/ # Hiera data directory. +│   ├── nodes/ # Node-specific data goes here. +│   └── common.yaml # Common data goes here. +├── manifests/ +│   └── site.pp # The "main" manifest that contains a default node definition. +├── scripts/ +│   ├── code_manager_config_version.rb # A config_version script for Code Manager. +│   ├── config_version.rb # A config_version script for r10k. 
+│   └── config_version.sh # A wrapper that chooses the appropriate config_version script. +├── site/ # This directory contains site-specific modules and is added to $modulepath. +│   ├── profile/ # The profile module. +│   └── role/ # The role module. +├── LICENSE +├── Puppetfile # A list of external Puppet modules to deploy with an environment. +├── README.md +├── environment.conf # Environment-specific settings. Configures the moduelpath and config_version. +└── hiera.yaml # Hiera's configuration file. The Hiera hierarchy is defined here. +``` + +## Copy This Repo Into Your Own Git Server + +To get started with using the control-repo template in your own environment and git server, we've provided steps for the three most common servers we see: [GitLab](#gitlab), [BitBucket](#bitbucketstash), and [GitHub](#github). + +### GitLab + +1. Install GitLab. + * +1. After GitLab is installed you may sign in with the `root` user and password `5iveL!fe`. +1. Make a user for yourself. +1. Make an SSH key to link with your user. You’ll want to do this on the machine you intend to edit code from (most likely not your Puppet master, but your local workstation or laptop). + * + * +1. Create a group called `puppet` (this is case sensitive). + * +1. Add your user to the `puppet` group as well. +1. Create a project called `control-repo`, and set the Namespace to be the `puppet` group. +1. Clone this control repository to your laptop/workstation: + * `git clone ` + * `cd control-repo` +1. Remove this repository as the origin remote: + * `git remote remove origin` +1. Add your internal repository as the origin remote: + * `git remote add origin ` +1. Push the production branch of the repository from your machine up to your git server + * `git push origin production` + +### Bitbucket/Stash + +1. Install Bitbucket + * +1. Make a `Project` called `puppet` (with a short name of `PUP`) +1. Create a repository called `control-repo` +1. 
Create a user called `r10k` with a password of `puppet`. + * Make the r10k user an admin of the `PUP` project. +1. Either use the admin user to test pushing code, or create a user for yourself and add your SSH key to that user. + * If making a user for yourself, give your user account read/write or admin privilege to the `PUP` project. +1. Clone this control repository to your laptop/workstation + * `git clone ` + * `cd control-repo` +1. Remove this repository as the origin remote + * `git remote remove origin` +1. Add your internal repository as the origin remote + * `git remote add origin ` +1. Push the production branch of the repository from your machine up to your git server + * `git push origin production` + +### GitHub + +1. Prepare your local git client to authenticate with GitHub.com or a local GitHub Enterprise instance. + * + * +1. Create a repository called `control-repo` in your user account or organization. Ensure that "Initialize this repository with a README" is not selected. + * +1. Make a note of your repository URL (HTTPS or SSH, depending on your security configuration). +1. Clone this control repository to your laptop/workstation: + * `git clone ` + * `cd control-repo` +1. Remove this repository as the origin remote: + * `git remote remove origin` +1. Add your internal repository as the origin remote: + * `git remote add origin ` +1. Push the production branch of the repository from your machine up to your git server + * `git push origin production` + +## Code Manager Setup + +If you use Puppet Enterprise and have not yet enabled and configured Code Manager, in addition to reading the official [documentation](https://puppet.com/docs/pe/latest/code_management/code_mgr.html) for enabling it, you may want to look at the Ramp-Up Program's control repository instead of this one. It's similar to this repo except that it has batteries includes, so to speak. 
There are pre-built profiles for configuring Code Manager, generating SSH keys, and setting up your Git server to work with Code Manager. + +* + diff --git a/README.md b/README.md index d68a899bd..30a5a419a 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,8 @@ Table of contents * [Get the control\-repo deployed on your master](#get-the-control-repo-deployed-on-your-master) * [Setup a webhook in your Git server](#setup-a-webhook-in-your-git-server) * [Gitlab](#gitlab-1) - * [Test Code Manager](#test-code-manager) + * [Test and Troubleshoot Code Manager](#test-and-troubleshoot-code-manager) + * [Example Roles and Profiles primer](#example-roles-and-profiles-primer) # Join the #ramp-up channel on Puppet Community Slack @@ -22,7 +23,7 @@ Our [Puppet Community Slack](http://slack.puppet.com) is a great way to interact # Before starting -This control-repo and the steps below are intended to be used with a new installation of PE. +This control-repo and the steps below are intended to be used with a new installation of PE as well as example of a working control-repo architecture. **Warning:** When using an existing PE installation any existing code or modules in `/etc/puppetlabs/code` will be copied to a backup directory `/etc/puppetlabs/code_bak_` in order to allow deploying code from Code Manager. 
@@ -32,9 +33,8 @@ When you finish the instructions below, you will have the beginning of a best pr - A Git server - The ability to push code to your Git server and have it automatically deployed to your PE master - - A config_version script that outputs the most recent SHA of your code each time you run `puppet agent -t` + - A config\_version script that outputs the most recent SHA of your code each time you run `puppet agent -t` - Optimal tuning of PE settings for this configuration - - Working and example [roles and profiles](https://docs.puppet.com/pe/latest/puppet_assign_configurations.html#assigning-configuration-data-with-role-and-profile-modules) code # How to set it all up 
@@ -48,34 +48,34 @@ When you finish the instructions below, you will have the beginning of a best pr 2. After GitLab is installed, sign into the web UI with the user `root`. - The first time you visit the UI it will force you to enter a password for the `root` user. -2. In the GitLab UI, create a group called `puppet`. +3. In the GitLab UI, create a group called `puppet`. - http://doc.gitlab.com/ce/workflow/groups.html -3. In the GitLab UI, make yourself a user to edit and push code. +4. In the GitLab UI, make yourself a user to edit and push code. -4. From your laptop or development machine, make an SSH key and link it with your GitLab user. +5. From your laptop or development machine, make an SSH key and link it with your GitLab user. - Note: The SSH key allows your laptop to communicate with the GitLab server and push code. - https://help.github.com/articles/generating-ssh-keys/ - http://doc.gitlab.com/ce/ssh/README.html -7. In the GitLab UI, add your user to the `puppet` group. +6. In the GitLab UI, add your user to the `puppet` group. - You must give your user at least master permissions to complete the following steps. - Read more about permissions: - https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/permissions/permissions.md -8. In the GitLab UI, create a project called `control-repo` and set its Namespace to the `puppet` group. +7. In the GitLab UI, create a project called `control-repo` and set its Namespace to the `puppet` group. -10. On your laptop, clone this PuppetLabs-RampUpProgram control repo. +8. On your laptop, clone this PuppetLabs-RampUpProgram control repo. - `git clone https://github.com/PuppetLabs-RampUpProgram/control-repo.git` - `cd control-repo` -14. On your laptop, remove the origin remote. +9. On your laptop, remove the origin remote. - `git remote remove origin` -15. On your laptop, add your GitLab repo as the origin remote. +10. On your laptop, add your GitLab repo as the origin remote. - `git remote add origin ` -16. 
On your laptop, push the production branch of the repo from your machine up to your Git server. +11. On your laptop, push the production branch of the repo from your machine up to your Git server. - `git push origin production` ### Stash @@ -121,9 +121,10 @@ We will set up a deploy key in the Git server that will allow an SSH key we make - Paste in the public key from above 3. Login to the PE console 4. Navigate to the **Nodes > Classification** page + - Click on the **PE Infrastructure** group - Click on the **PE Master** group - - Click the **Classes** tab - - Add the `puppet_enterprise::profile::master` + - Click the **Configuration** tab + - In the `puppet_enterprise::profile::master` class parameters - Set the `r10k_remote` to the SSH URL from the front page of your GitLab repo - Set the `r10k_private_key` parameter to `/etc/puppetlabs/puppetserver/ssh/id-control_repo.rsa` - **Commit** your changes 
@@ -132,33 +133,12 @@ We will set up a deploy key in the Git server that will allow an SSH key we make ~~~ puppet agent -t - r10k deploy environment -pv + puppet access login -l + puppet code deploy production --wait puppet agent -t ~~~ -5. Navigate back to the **Nodes > Classification** page - - Near the top of the page select "add a group" - - Type `role::all_in_one_pe` for the group name - - Click the **Add Group** button - - Click the **add membership rules, classes and variables** link that appears - - Below **Pin specific nodes to the group** type your master's FQDN into the box - - Click **pin node** - - Select the **Classes** tab - - On the right hand side, click the **Refresh** link - - Wait for this to complete - - In the **add new classes** box type `role::all_in_one_pe` - - Click **add class** - - **Commit** your changes -8. On your Puppet master - - Run: - - ~~~ - puppet agent -t - echo 'code_manager_mv_old_code=true' > /opt/puppetlabs/facter/facts.d/code_manager_mv_old_code.txt - puppet agent -t - ~~~ - -9. Code Manager is configured and has been used to deploy your code +6. Code Manager is configured and has been used to deploy your code ## Setup a webhook in your Git server @@ -178,7 +158,7 @@ Independent of which Git server you choose you will grab the webhook URL from yo - Since Code Manager uses a self-signed cert from the Puppet CA it is not generally trusted 3. After you created the webhook use "test webhook" or similar functionality to confirm it works -## Test Code Manager +## Test and Troubleshoot Code Manager One of the components setup by this control-repo is that when you "push" code to your Git server, the git server will inform the Puppet master to deploy the branch you just pushed. 
@@ -195,5 +175,14 @@ One of the components setup by this control-repo is that when you "push" code to 3. Allow the push to complete and then wait a few seconds for everything to sync over. - On your Puppet Master, `ls -l /etc/puppetlabs/code/environments/production`. - - Confirm test_file is present + - Confirm test\_file is present 4. In your first terminal window review the `puppetserver.log` to see the type of logging each sync will create. + +## Example Roles and Profiles primer + +The Roles and Profiles in this repo are usable examples. Some of the code has been commented out to protect the inocent but the examples sound. Please review the following README's for a more detailed description of the examples. + + * The role and profile patern (method for naming and suggestions for hierachy) are only examples and suggestions. + * Some of the Windows profiles may not totally work due to depencies. + * Software download locations + * Method for package install ie (chocolatey, or wmi, etc.) are not specified. diff --git a/Rakefile b/Rakefile new file mode 100644 index 000000000..a6b14c564 --- /dev/null +++ b/Rakefile 
@@ -0,0 +1,76 @@ +require 'puppetlabs_spec_helper/rake_tasks' +require 'puppet-syntax/tasks/puppet-syntax' +require 'puppet_blacksmith/rake_tasks' if Bundler.rubygems.find_name('puppet-blacksmith').any? +require 'github_changelog_generator/task' if Bundler.rubygems.find_name('github_changelog_generator').any? +require 'puppet-strings/tasks' if Bundler.rubygems.find_name('puppet-strings').any? + +def changelog_user + return unless Rake.application.top_level_tasks.include? "changelog" + returnVal = nil || JSON.load(File.read('metadata.json'))['author'] + raise "unable to find the changelog_user in .sync.yml, or the author in metadata.json" if returnVal.nil? + puts "GitHubChangelogGenerator user:#{returnVal}" + returnVal +end + +def changelog_project + return unless Rake.application.top_level_tasks.include? "changelog" + returnVal = nil || JSON.load(File.read('metadata.json'))['name'] + raise "unable to find the changelog_project in .sync.yml or the name in metadata.json" if returnVal.nil? + puts "GitHubChangelogGenerator project:#{returnVal}" + returnVal +end + +def changelog_future_release + return unless Rake.application.top_level_tasks.include? "changelog" + returnVal = JSON.load(File.read('metadata.json'))['version'] + raise "unable to find the future_release (version) in metadata.json" if returnVal.nil? + puts "GitHubChangelogGenerator future_release:#{returnVal}" + returnVal +end + +PuppetLint.configuration.send('disable_relative') + +if Bundler.rubygems.find_name('github_changelog_generator').any? + GitHubChangelogGenerator::RakeTask.new :changelog do |config| + raise "Set CHANGELOG_GITHUB_TOKEN environment variable eg 'export CHANGELOG_GITHUB_TOKEN=valid_token_here'" if Rake.application.top_level_tasks.include? "changelog" and ENV['CHANGELOG_GITHUB_TOKEN'].nil? 
+ config.user = "#{changelog_user}" + config.project = "#{changelog_project}" + config.future_release = "#{changelog_future_release}" + config.exclude_labels = ['maintenance'] + config.header = "# Change log\n\nAll notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org)." + config.add_pr_wo_labels = true + config.issues = false + config.merge_prefix = "### UNCATEGORIZED PRS; GO LABEL THEM" + config.configure_sections = { + "Changed" => { + "prefix" => "### Changed", + "labels" => ["backwards-incompatible"], + }, + "Added" => { + "prefix" => "### Added", + "labels" => ["feature", "enhancement"], + }, + "Fixed" => { + "prefix" => "### Fixed", + "labels" => ["bugfix"], + }, + } + end +else + desc 'Generate a Changelog from GitHub' + task :changelog do + raise <= Gem::Version.new('2.2.2')" +EOM + end +end + diff --git a/appveyor.yml b/appveyor.yml new file mode 100644 index 000000000..9ea31e3ea --- /dev/null +++ b/appveyor.yml 
@@ -0,0 +1,64 @@ +--- +version: 1.1.x.{build} +branches: + only: + - master +skip_commits: + message: /^\(?doc\)?.*/ +clone_depth: 10 +init: + - SET + - 'mkdir C:\ProgramData\PuppetLabs\code && exit 0' + - 'mkdir C:\ProgramData\PuppetLabs\facter && exit 0' + - 'mkdir C:\ProgramData\PuppetLabs\hiera && exit 0' + - 'mkdir C:\ProgramData\PuppetLabs\puppet\var && exit 0' +environment: + matrix: + - + RUBY_VERSION: 24-x64 + CHECK: syntax lint metadata_lint check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop + - + PUPPET_GEM_VERSION: ~> 4.0 + RUBY_VERSION: 21 + CHECK: parallel_spec + - + PUPPET_GEM_VERSION: ~> 4.0 + RUBY_VERSION: 21-x64 + CHECK: parallel_spec + - + PUPPET_GEM_VERSION: ~> 5.0 + RUBY_VERSION: 24 + CHECK: parallel_spec + - + PUPPET_GEM_VERSION: ~> 5.0 + RUBY_VERSION: 24-x64 + CHECK: parallel_spec + - + PUPPET_GEM_VERSION: ~> 6.0 + RUBY_VERSION: 25 + CHECK: parallel_spec + - + PUPPET_GEM_VERSION: ~> 6.0 + RUBY_VERSION: 25-x64 + CHECK: parallel_spec +matrix: + fast_finish: true +install: + - set PATH=C:\Ruby%RUBY_VERSION%\bin;%PATH% + - bundle install --jobs 4 --retry 2 --without system_tests + - type Gemfile.lock +build: off +test_script: + - bundle exec puppet -V + - ruby -v + - gem -v + - bundle -v + - bundle exec rake %CHECK% + - bundle exec onceover run spec +notifications: + - provider: Email + to: + - nobody@nowhere.com + on_build_success: false + on_build_failure: false + on_build_status_changed: false diff --git a/data/common.yaml b/data/common.yaml new file mode 100644 index 000000000..45b5f56b4 --- /dev/null +++ b/data/common.yaml 
@@ -0,0 +1,18 @@ +--- +message: "This node is using common data" + +#Enable code manager +puppet_enterprise::profile::master::code_manager_auto_configure: true +puppet_enterprise::master::code_manager::authenticate_webhook: false +puppet_enterprise::master::code_manager::manage_private_key: false +#pe-console-services tuning +#https://docs.puppetlabs.com/pe/latest/console_config.html#tuning-the-classifier-synchronization-period +#disable classifier scheduled sync and rely on r10k postrun command to sync the classes +puppet_enterprise::profile::console::classifier_synchronization_period: 0 + +# example for deep lookup +# X11Forwarding will be overwritten by virtual/virtualbox to 'yes' +profile::os::linux::security::ssh_server_opts: + PasswordAuthentication: 'no' + SyslogFacility: 'AUTHPRIV' + X11Forwarding: 'no' diff --git a/data/nodes/example-puppet-master.yaml b/data/nodes/example-puppet-master.yaml new file mode 100644 index 000000000..584faacb6 --- /dev/null +++ b/data/nodes/example-puppet-master.yaml @@ -0,0 +1,8 @@ +--- +git_management_system: 'gitlab' +gms_server_url: 'https://gitlab-server' +gms_api_token: 'BDkZfWWnk4LVTLHdAywd' + +#setup r10k to update classes in the console after code deploy +pe_r10k::postrun: + - '/usr/local/bin/update-classes.sh' diff --git a/data/os/RedHat.yaml b/data/os/RedHat.yaml new file mode 100644 index 000000000..b237a8d5f --- /dev/null +++ b/data/os/RedHat.yaml @@ -0,0 +1,3 @@ +--- + +profile::app::tomcat::webserver::download_url: 'https://www-us.apache.org/dist/tomcat/tomcat-8/v8.5.35/bin/apache-tomcat-8.5.35.tar.gz' diff --git a/data/os/Solaris.yaml b/data/os/Solaris.yaml new file mode 100644 index 000000000..b237a8d5f --- /dev/null +++ b/data/os/Solaris.yaml @@ -0,0 +1,3 @@ +--- + +profile::app::tomcat::webserver::download_url: 'https://www-us.apache.org/dist/tomcat/tomcat-8/v8.5.35/bin/apache-tomcat-8.5.35.tar.gz' diff --git a/data/os/windows.yaml b/data/os/windows.yaml new file mode 100644 index 000000000..11c76fcb3 
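Review bot: `puppet_enterprise::master::code_manager::authenticate_webhook: false` in the new data/common.yaml switches off token authentication on the Code Manager webhook for every master that reads common data, so any host able to reach the webhook endpoint can trigger a code deploy. Unless that endpoint is restricted by other means not shown in this patch, I would keep authentication on with `puppet_enterprise::master::code_manager::authenticate_webhook: true` and have the Git server call the webhook with an RBAC token. If it has to stay off for a lab setup, the key needs a comment saying so, e.g. `# webhook auth disabled for lab use only; restrict network access to the master`.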
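Review bot: `gms_api_token` in the new data/nodes/example-puppet-master.yaml is committed as a plaintext literal, even though this same patch adds a hiera-eyaml level for exactly this path (`nodes/%{trusted.certname}.yaml`). If the value is, or ever was, a working token for the GitLab server it should be revoked, since it stays in the repository history after any later edit. The key should hold either an eyaml-encrypted value or an obvious placeholder such as `gms_api_token: '<REPLACE_WITH_ENCRYPTED_TOKEN>'`.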
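Review bot: `profile::app::tomcat::webserver::download_url` in data/os/RedHat.yaml points at a `www-us.apache.org/dist` path for 8.5.35 and no digest for the archive is supplied next to it; the same applies to the identical Solaris.yaml hunk and to the windows.yaml hunk that follows. Paths under `dist/` normally carry only current releases, so the URL is likely to stop resolving once 8.5.35 is superseded, and without a checksum the agent unpacks whatever the URL returns. Whether the profile accepts a checksum parameter is not visible in this patch; if it does, I would set it alongside the URL, and otherwise point the URL at an internal artifact store that holds a verified copy.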
--- /dev/null +++ b/data/os/windows.yaml @@ -0,0 +1,4 @@ +--- + +profile::app::tomcat::webserver::download_url: 'https://www-us.apache.org/dist/tomcat/tomcat-8/v8.5.35/bin/apache-tomcat-8.5.35-windows-x64.zip' +profile::app::tomcat::webserver::tomcat_install_path: 'C:\Program Files\Tomcat' diff --git a/data/virtual/virtualbox.yaml b/data/virtual/virtualbox.yaml new file mode 100644 index 000000000..10e60502e --- /dev/null +++ b/data/virtual/virtualbox.yaml @@ -0,0 +1,35 @@ +#These setting are intended for low memory testing VMs +#Not intended for general usage +--- +#PE3.7+ +#Allow access to the puppetdb performance dashboard from non-localhost +#This is insecure and also allows access to all API endpoints without verification +puppet_enterprise::profile::puppetdb::listen_address: '0.0.0.0' +puppet_enterprise::profile::amq::broker::heap_mb: '96' +puppet_enterprise::profile::master::java_args: + Xmx: '192m' + Xms: '128m' + 'XX:+UseG1GC': '' +puppet_enterprise::profile::puppetdb::java_args: + Xmx: '128m' + Xms: '96m' + 'XX:+UseG1GC': '' +puppet_enterprise::profile::console::java_args: + Xmx: '64m' + Xms: '64m' + 'XX:+UseG1GC': '' +puppet_enterprise::master::puppetserver::jruby_max_active_instances: 1 #PE3.7.2 only +puppet_enterprise::profile::console::delayed_job_workers: 1 +#shared_buffers takes affect during install but is not managed after +puppet_enterprise::profile::database::shared_buffers: '4MB' +#2015.3.2 and above +puppet_enterprise::profile::orchestrator::java_args: + Xmx: '64m' + Xms: '64m' + 'XX:+UseG1GC': '' + +profile::os::linux::security::ssh_server_opts: + Protocol: '2' + PasswordAuthentication: 'yes' + UsePAM: 'yes' + X11Forwarding: 'yes' diff --git a/hiera.yaml b/hiera.yaml new file mode 100644 index 000000000..ef83aeec0 --- /dev/null +++ b/hiera.yaml 
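Review bot: The `profile::os::linux::security::ssh_server_opts` block at the end of the new data/virtual/virtualbox.yaml sets `PasswordAuthentication: 'yes'` and `X11Forwarding: 'yes'`, and in the hiera.yaml added by this patch the "Virtual defaults" level sits above "Common data", so these values override the hardened ones in common.yaml for every node whose `virtual` fact is `virtualbox`. The comment in common.yaml mentions only the X11Forwarding override, so the re-enabled password login is easy to miss. `facts.virtual` is reported by the agent rather than taken from the certificate, which makes this a weak selector for a security relaxation. I would drop `PasswordAuthentication` from this block, or at least add `# lab VMs only: re-enables SSH password logins, overriding common.yaml` above it.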
@@ -0,0 +1,56 @@ +--- +version: 5 +defaults: # Used for any hierarchy level that omits these keys. + datadir: data # This path is relative to hiera.yaml's directory. + data_hash: yaml_data # Use the built-in YAML backend. + +hierarchy: + - name: "Per-node data" # Human-readable name. + path: "nodes/%{trusted.certname}.yaml" # File path, relative to datadir. + # ^^^ IMPORTANT: include the file extension! + - name: "Per-node secret data (encrypted)" # Using same file as unencrypted + lookup_key: eyaml_lookup_key # Uses non-default backend. + path: "nodes/%{trusted.certname}.yaml" + options: + pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem + pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem + + - name: "Per-datacenter business role data" # Uses trusted data extentions. + path: "datacenter/%{facts.datacenter}/%{trusted.extentions.pp_role}.yaml" + - name: "Per-datacenter buiness role secret data (encrypted)" # Using same file as unencrypted + lookup_key: eyaml_lookup_key # Uses non-default backend. + path: "datacenter/%{facts.datacenter}/%{trusted.extentions.pp_role}.yaml" + options: + pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem + pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem + + - name: "Role business data" + path: "role/%{trusted.extentions.pp_role}.yaml" + - name: "Role business secret data (encrypted)" # Using same file as unencrypted + lookup_key: eyaml_lookup_key # Uses non-default backend. + path: "role/%{trusted.extentions.pp_role}.yaml" + options: + pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem + pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem + + - name: "Per-OS defaults" + path: "os/%{facts.os.family}.yaml" + - name: "Per-OS defaults secret data (encrypted)" # Using same file as unencrypted + lookup_key: eyaml_lookup_key # Uses non-default backend. 
+ path: "os/%{facts.os.family}.yaml" + options: + pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem + pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem + + - name: "Virtual defaults" # Used to configure PE master from within virtual + path: "virtual/%{facts.virtual}.yaml" # like virtualbox or testing platform + + - name: "Common data" + path: "common.yaml" + - name: "Common secret data (encrypted)" # Using same file as unencrypted + lookup_key: eyaml_lookup_key # Uses non-default backend. + path: "common.yaml" + options: + pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem + pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem + diff --git a/keys/private_key.pkcs7.pem b/keys/private_key.pkcs7.pem new file mode 100644 index 000000000..f6182508f --- /dev/null +++ b/keys/private_key.pkcs7.pem 
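Review bot: The role-based levels in this new hiera.yaml interpolate `%{trusted.extentions.pp_role}`, but the trusted-data key is spelled `extensions`, so the variable will not resolve and the four levels that use it ("Per-datacenter business role data", "Role business data" and their encrypted twins) will never find a file. The effect is silent: role data, including any eyaml-encrypted role secrets, is skipped and lookups fall through to the OS and common levels. The paths should read `path: "role/%{trusted.extensions.pp_role}.yaml"` and `path: "datacenter/%{facts.datacenter}/%{trusted.extensions.pp_role}.yaml"`; the inline comment "Uses trusted data extentions" has the same typo. Separately, `facts.datacenter` comes from the agent, so a comment noting that the datacenter level is not certificate-bound would be worth adding.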
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA9A+IuFu4HGKrRNBTsHADTKhDH7ZYXQCFYB/PeFj3kWpo9mZo +c26KIfvK6DXyaLATV3NStitLiAnAzVGIreeIdttlXm+hX+Ig1DeJrO+CZJxXXx+P +AfurpvsGaZMn46GvJfrh+h1dxYpX4UASpWIDIjoz16yHF1uVrd7yvoSM2znGNAHU +FFfdkT5qGLcOxe46iTlyK0gbtSUvT8arK1FKYiOjbyZ4RsOv5l0cvPY85HKKOc9p +t+f+vWzMuARh7HxcnKwA6FedLEBWQa1T2AxfRGBHK0pRj2sicaIxgnQXnKuuKBss +pLZSjIlTRSoH3Fdvqmk+FQJLPex//rXPiIyDYQIDAQABAoIBAQCrUcwzPY77vfdj +kqlsjPSD9wlHVYSppBf75diJLkp6dSvA6xofDVVBjbJdVqEXA6JQHM/OuI2IrO/+ +MGG1UXXlmRSLOekZmW5aCbJHBsmNPoHGcCy+w58207conPe/PlvoWTgPjlWouPf/ +Ui7EkQyKFjkWCDG8H7nuFzZmrj0CFSkzbZeaWFChQTgr9QGVKlW+iF4Upf7MK3i6 +xbHZCZpQJjZX7meGLo5I2mtJF0BQN+f7JQbsCqKLqYvcSpZXPfTg6Fhpt6mKdykq +y/N+CiVxLw2BmWd0pdiVWD/kTxW0DZ7Puby/Apx1UWPcydCy9WZYtalbbyVn1Plb ++AfzShwRAoGBAPqXapz1y8zATAyU4u44ar3yYo5ueWGhixxeZ1BiJ16yEpWwxqDl +G50JOO6y5Gcy/EbnOJ6ek7xvgBWMys1sOte5MtUIyo581/wkFgEnTaazTNWW+5ve +5jvh8f1r61IqFvMeK8aqL4jH2KbkH5KXN9pormGJgy7J3ssK0JaoB7cjAoGBAPlU +CITH9diJcNUmciJ/3o3VxqMdO5kwJb5px6JgqT7QrEu+v6WVwMz/D13xe0/gHY9d +Sju+1oD+uhQ+1/t17RcdI7CRzNVVlsORSW0feV1xPjAoHONrk3N8smDCM2tZJI1K +Ca771+cVb20EnMewxzUynbaK9aKiyLhDmM7FwIWrAoGAYsHxvlIQM21Fi1/R31hU +mO9BcCiRpaxoipGZ3dAQ+/zp3hyA6z/flg/gZBIUeadaTQcrBTgxuP2oWNXXxwV0 +WzgdlF+WlHkXFcOS+Hlo3N2k1jheiJtb2RW+rMUvRH5Z9Q5a6jx/50P7WiplVvxJ +gsXmk4ICNRpRt2tXsUgfYkkCgYEA1CL0sI02FwwxzZnNiJ8Fa+aVANnxiJBXvOBh +tD3MIp8Hyda9VxTIm2L03ziEc9y7Kez1KUphVhXlmy4xNEoM9Rqc8DHNd0JAaZtn +PwqFh8S/ZdfrZHB2X8+cMglqGI8bM3/oJ1MuSvaI/Nfs0VcO16t+Vv96qesZHvac +wGmvOcsCgYAruN9HJqbK7urAA1SaJ1mRlpf37YVzdH8Lsl+mr+BIAfalSabP120z +vE4TRvqREdrxNajiwSFjRMjl2hdx1s20fhcUYPrV+ubTxIYvJsxcSx/qyTxPC7jP +KBihxVxofJbr6DEzVFTSnQhYeoqtA5Rd0ILme82IlVhmZbXmZSIo2A== +-----END RSA PRIVATE KEY----- diff --git a/keys/public_key.pkcs7.pem b/keys/public_key.pkcs7.pem new file mode 100644 index 000000000..075f8e0cd --- /dev/null +++ b/keys/public_key.pkcs7.pem 
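Review bot: This hunk commits an RSA private key as keys/private_key.pkcs7.pem, and the file name matches the `pkcs7_private_key` setting used by the eyaml levels in the hiera.yaml added by the same patch. If this keypair is used for any real data, everyone with read access to the repository or its forks can decrypt every eyaml value, and deleting the file in a later commit does not help because it remains in history. The keypair should be treated as compromised: generate a new one on the master, re-encrypt existing values, keep only the public certificate in the repository, and add the private key path to `.gitignore`. If the key is meant purely as a throwaway for spec tests, a README line in `keys/` saying so would prevent it from being copied into a deployment.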
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC2TCCAcGgAwIBAgIBATANBgkqhkiG9w0BAQUFADAAMCAXDTE4MTIwNDE2MTAw +NVoYDzIwNjgxMTIxMTYxMDA1WjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEA9A+IuFu4HGKrRNBTsHADTKhDH7ZYXQCFYB/PeFj3kWpo9mZoc26KIfvK +6DXyaLATV3NStitLiAnAzVGIreeIdttlXm+hX+Ig1DeJrO+CZJxXXx+PAfurpvsG +aZMn46GvJfrh+h1dxYpX4UASpWIDIjoz16yHF1uVrd7yvoSM2znGNAHUFFfdkT5q +GLcOxe46iTlyK0gbtSUvT8arK1FKYiOjbyZ4RsOv5l0cvPY85HKKOc9pt+f+vWzM +uARh7HxcnKwA6FedLEBWQa1T2AxfRGBHK0pRj2sicaIxgnQXnKuuKBsspLZSjIlT +RSoH3Fdvqmk+FQJLPex//rXPiIyDYQIDAQABo1wwWjAPBgNVHRMBAf8EBTADAQH/ +MB0GA1UdDgQWBBTe28JgTJmSHIg12fJfhr8O/j5wKDAoBgNVHSMEITAfgBTe28Jg +TJmSHIg12fJfhr8O/j5wKKEEpAIwAIIBATANBgkqhkiG9w0BAQUFAAOCAQEAmAf7 +fiVGzeVDf6sJto5urI89hNfXwTECOjw03oMifZPVicG0Yu2RarMsS4Kc0XTjXpxb +Jue+AH6wK34RYpPs71aGkkOhcxNuu0l35GV6aeVyUPRD7LIp5bCoW3wfLfhmTNXD +YR2ICdkOlgvaAStnezg1dkTWojxu07q0hVRVE3ij2/JLd/qe3oy6tDUaDwrNWTpk +Ty/pd8J9B8FpyJ2Z47Rr47XbRCJiJQW5U8INSgPHt3sfdDuTn5UcXeUO1TBeVLND +U1eZpMi+YXhALKHFCi/9Vx4o9AmSbGjs5lZT2KAWnhN+VwNayqJXIOHYO+PNt4c9 +PomXmMQZnY8jRaFdoQ== +-----END CERTIFICATE----- diff --git a/metadata.json b/metadata.json new file mode 100644 index 000000000..754139aa2 --- /dev/null +++ b/metadata.json 
@@ -0,0 +1,72 @@ +{ + "name": "spidersddd-puppet_control_starter", + "version": "0.1.0", + "author": "spidersddd", + "summary": "", + "license": "Apache-2.0", + "source": "", + "dependencies": [ + + ], + "operatingsystem_support": [ + { + "operatingsystem": "CentOS", + "operatingsystemrelease": [ + "7" + ] + }, + { + "operatingsystem": "OracleLinux", + "operatingsystemrelease": [ + "7" + ] + }, + { + "operatingsystem": "RedHat", + "operatingsystemrelease": [ + "7" + ] + }, + { + "operatingsystem": "Scientific", + "operatingsystemrelease": [ + "7" + ] + }, + { + "operatingsystem": "Debian", + "operatingsystemrelease": [ + "8" + ] + }, + { + "operatingsystem": "Ubuntu", + "operatingsystemrelease": [ + "16.04" + ] + }, + { + "operatingsystem": "windows", + "operatingsystemrelease": [ + "2008 R2", + "2012 R2", + "10" + ] + }, + { + "operatingsystem": "Solaris", + "operatingsystemrelease": [ + "11" + ] + } + ], + "requirements": [ + { + "name": "puppet", + "version_requirement": ">= 4.10.0 < 7.0.0" + } + ], + "pdk-version": "1.8.0", + "template-url": "https://github.com/puppetlabs/pdk-templates", + "template-ref": "1.8.0-0-g0d9da00" +} diff --git a/scripts/code_manager_config_version.rb b/scripts/code_manager_config_version.rb index 2c9cb62f5..28afda718 100755 --- a/scripts/code_manager_config_version.rb +++ b/scripts/code_manager_config_version.rb @@ -6,5 +6,5 @@ r10k_deploy_file_path = File.join(environmentpath, environment, '.r10k-deploy.json') -#output the sha1 from the control-repo +# output the sha1 from the control-repo puts JSON.parse(File.read(r10k_deploy_file_path))['signature'] diff --git a/scripts/config_version.rb b/scripts/config_version.rb index 3016a27b9..1d5c1f975 100755 --- a/scripts/config_version.rb +++ b/scripts/config_version.rb 
@@ -1,24 +1,19 @@ #!/usr/bin/env ruby begin require 'rugged' -rescue LoadError => e +rescue LoadError t = Time.new puts t.to_i else - environmentpath = ARGV[0] environment = ARGV[1] repo = Rugged::Repository.discover(File.join(environmentpath, environment)) - head = repo.head + head = repo.head - #sha1 hash of the newest commit + # sha1 hash of the newest commit head_sha = head.target_id - #the commit message associated the newest commit - commit = repo.lookup(head_sha) - - #add something to find the remote url - - puts head_sha + # add something to find the remote url + puts head_sha end diff --git a/scripts/config_version.sh b/scripts/config_version.sh index bc7721354..07b3a0715 100755 --- a/scripts/config_version.sh +++ b/scripts/config_version.sh @@ -1,10 +1,13 @@ #!/bin/bash +master_name=$(facter hostname) if [ -e $1/$2/.r10k-deploy.json ] then - /opt/puppetlabs/puppet/bin/ruby $1/$2/scripts/code_manager_config_version.rb $1 $2 + hash=$(/opt/puppetlabs/puppet/bin/ruby $1/$2/scripts/code_manager_config_version.rb $1 $2) + echo "${master_name}_${hash}" elif [ -e /opt/puppetlabs/server/pe_version ] then - /opt/puppetlabs/puppet/bin/ruby $1/$2/scripts/config_version.rb $1 $2 + hash=$(/opt/puppetlabs/puppet/bin/ruby $1/$2/scripts/config_version.rb $1 $2) + echo "${master_name}_${hash}" else /usr/bin/git --version > /dev/null 2>&1 && /usr/bin/git --git-dir $1/$2/.git rev-parse HEAD || diff --git a/site/README.md b/site/README.md new file mode 100644 index 000000000..a6b73d2d9 --- /dev/null +++ b/site/README.md 
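Review bot: In `scripts/config_version.sh`, `master_name=$(facter hostname)` finds `facter` through PATH while every other tool in the script is called by absolute path. If the process running the script lacks the Puppet bin directory on PATH, the output silently becomes `_<hash>`. Use `master_name=$(/opt/puppetlabs/puppet/bin/facter hostname)`, matching the ruby path already used here. The added `hash=$(...)` lines also expand `$1` and `$2` unquoted; quoting them, e.g. `"$1/$2/scripts/config_version.rb" "$1" "$2"`, keeps an environment path with spaces or glob characters from being word-split. The `else` branch continues past the end of the hunk.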
@@ -0,0 +1,37 @@ +# Puppet Example Roles and Profiles + +These directories are example layout of Roles and Profiles practice. They have been constructed to represent current best practice and to support multiple operating systems. + +It SHOULD go without saying that everything should pass linting/validation, but +we're gonna go ahead and say that anyway. + +## Example requirements + +These examples have been constructed with the following requirements: + +| Supported OS | Product Role | State | +|--------------------------|---------------------|-----| +| Win 2012r2 | role::spider::web_be | WIP | +| Win 2012r2 | role::spider::database | WIP | +| CentOS 7 | role::spider::balancer | WIP | + + + - Modeling should support three operating systems + - Windows 2012R2 + - CentOS (6,7) + - Solaris 11.2 + - Two products should be represented + - Spider + - Windows systems hosting the product + - IIS Web service 'role::spiders::web_be' + - HAProxy loadbalancer 'role::spiders::balancer' + - SQL Database server 'role::spiders::database' + - Fastb + - Linux and Solaris systmes hoting the product + - Tomcat web backend 'role::fastb::web_be' + - HAProxy loadbalancer 'role::fastb::balancer' + - MYSQL Database server 'role::fastb::database' + - These products are examples and will be deploying a `hello world` code base + - Support services + - While products usually do not share hosts support services do + - Example of monitoring service 'role::sup\_svc::monitoring::server' diff --git a/site/profile/README.md b/site/profile/README.md new file mode 100644 index 000000000..fe104ea73 --- /dev/null +++ b/site/profile/README.md 
@@ -0,0 +1,57 @@ +# Puppet Example Profiles + +This directory is working example profiles for customers to use as well as model +future development after. They should follow best practice and model a multi OS +use case. + +It SHOULD go without saying that everything should pass linting/validation, but +we're gonna go ahead and say that anyway. + +## Organization and Namespaces + +Profile sprawl is a real concern. To prevent that, please try to follow a convention. + +Profiles should be organized in a hierarchical form with a few top-level categories that descend into more specific things. DO NOT just throw all your profiles at the root of the `manifests/` folder. Oh, and please use sub-folders for related profiles. + +### The OS folder + +`./manifests/os/` + + * This directory should contain profiles that manage items built-in to an operating system. For example, DNS, NTP, Users, firewall rules, etc.... + * If the thing being managed is "out of the box", it goes here. + +`./manifests/os/baseline.pp` + + * Profile that will wrap the OS level profiles + * Profile that build to support all business supported OS. + * Profile to implement the minimium base that security, product and sysadmins will allow on a company network. + * Profile built to install the base software for a company that is identified as site wide software, ie backup etc. + +`./manifests/os//` + + * Profiles that are specific to built-in settings of one operating system go here. + * For example, `/manifests/os/windows/security.pp`, `/manifests/os/linux/firewall.pp`, or `/manifests/os/solaris/enable_ssh.pp`. + +### The App folder + +`./manifests/app//.pp` + + * This directory should contain profiles to manage applications stacks. + * An "app" is anything that does **not** come out of the box or is **not** built-in to the operating system. + * Use simple and easy to understand sub folders that describe the type of application being managed. + * For example, `app/liferay.pp` is **bad**. 
While `app/cms/liferay.pp` is better as it groups it in the "CMS" category. + * Avoid ambiguous profile names. `profile::app::splunk::forwarder` is better than `profile::app::splunk`. + * Other examples: `/manifests/app/apache.pp`, `/manifests/app/sql/server.pp`, or `/manifests/app/f5/load_balancer.pp`. + +`./manifests/cloud//.pp` + + * This directory is for profiles that will be used to implement cloud API services. + * This should be things like profiles to communicate to API's like Azure, Google Cloud, OpenStack, etc. + +`./lib/facter/` + + * This will be used a location to store site (company) specific facts not specific to a component module. + +`./functions/` + + * This directory is for site specific functions not related to modules. diff --git a/site/profile/functions/bool2num_hash_recursive.pp b/site/profile/functions/bool2num_hash_recursive.pp new file mode 100644 index 000000000..a3fb3be8b --- /dev/null +++ b/site/profile/functions/bool2num_hash_recursive.pp 
@@ -0,0 +1,45 @@ +# This functions converts the Boolean values of a Hash to Integers, +# either '0' or '1'. It does this recursively, decending as far as the +# language implemenation will allow. Note that Structs and Arrays will +# be ignored, even if they contain Hashes. +# +# @private +# +# @param arg [Hash] The hash on which to operate +# @return [Hash] +# +# @example Usage +# +# ```puppet +# Hash $foo = { +# bar => { 'a' => true, 'b' => 'b' }, +# baz => false, +# qux => [{ 'c' => true }, { 'd' => false }], +# } +# +# profile::bool2num_hash_recursive($foo) +# ``` +# +# The above would return: +# +# ```puppet +# { +# bar => { 'a' => 1, 'b' => 'b' }, +# baz => 0, +# qux => [{ 'c' => true }, { 'd' => false }], +# } +# ``` +# +function profile::bool2num_hash_recursive($arg) { + assert_type(Hash, $arg) + $arg.map |$key, $value| { + $return_value = $value ? { + Boolean => bool2num($value), + Hash => profile::bool2num_hash_recursive($value), + default => $value, + } + Hash({ $key => $return_value }) + }.reduce |$attrs_memo, $kv| { + merge($attrs_memo, $kv) + } +} diff --git a/site/profile/functions/data.pp b/site/profile/functions/data.pp new file mode 100644 index 000000000..9c39fb4c5 --- /dev/null +++ b/site/profile/functions/data.pp @@ -0,0 +1,8 @@ +function profile::data(){ + $base_params = { + + } + + $base_params +} + diff --git a/site/profile/lib/facter/app_tier_subnet.rb b/site/profile/lib/facter/app_tier_subnet.rb new file mode 100644 index 000000000..b8cff4d7d --- /dev/null +++ b/site/profile/lib/facter/app_tier_subnet.rb 
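Review bot: `profile::bool2num_hash_recursive` ends in `.reduce |$attrs_memo, $kv| { merge($attrs_memo, $kv) }` with no start value, so an empty hash (at the top level or nested) has nothing to reduce. As far as I can tell it then yields `undef` rather than `{}`, which contradicts the documented `@return [Hash]`. Seeding the fold fixes that: `}.reduce({}) |$attrs_memo, $kv| {`. The header comment could also note that `merge` and `bool2num` come from stdlib.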
@@ -0,0 +1,32 @@ +# Accessible in puppet as $::app_tier_subnet +require 'ipaddr' +Facter.add(:app_tier_subnet) do + setcode do + begin + # Set segment_name to nil + # If error occures the nil will be passed + segment_name = nil + # Mapping of vlans to ipaddresses + # NOTE: To extend this fact, modify this hash + vlan_segments = { + 'prod' => IPAddr.new('10.10.10/22'), + 'dev' => IPAddr.new('11.11.11/22'), + 'uat' => IPAddr.new('12.12.12/22'), + 'cloud' => IPAddr.new('13.13.13/24'), + } + + # Iterate through all segments and find the one that matches + vlan_segments.each do |segment, address| + if address.include?(Facter.value(:ipaddress)) + segment_name = segment + break + end + end + + # Return the name of the segment that matches + segment_name + rescue + segment_name + end + end +end diff --git a/site/profile/lib/facter/datacenter.rb b/site/profile/lib/facter/datacenter.rb new file mode 100644 index 000000000..cad0d26da --- /dev/null +++ b/site/profile/lib/facter/datacenter.rb @@ -0,0 +1,27 @@ +Facter.add(:datacenter) do + setcode do + datacenters_map = { + 'lax' => ['lax', 'lax2', 'hq'], + 'dc' => ['dc', 'dc2', 'dc3', 'foo'], + 'london' => ['lon', 'uk', 'london', 'bar'], + 'none' => ['localhost', 'local'], + } + + # Assume that all hostnames look like this: + # lax-prod-www-291 + # dc-dev-www-111 + # lon-prod-db-101 + # The 'datacenter' segment is the first part of a host name. + first_segment = Facter.value(:hostname).split('-')[0] + + datacenter = nil + + datacenters_map.each do |datacenter_name, datacenter_aliases| + if datacenter_aliases.include? first_segment + datacenter = datacenter_name + break + end + end + datacenter + end +end diff --git a/site/profile/manifests/app/README.md b/site/profile/manifests/app/README.md new file mode 100644 index 000000000..630aa4a4e --- /dev/null +++ b/site/profile/manifests/app/README.md 
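Review bot: The bare `rescue` around the whole `setcode` body in `app_tier_subnet.rb` hides any failure in the `vlan_segments` table. The literals there, such as `IPAddr.new('10.10.10/22')`, have only three octets, which current Ruby versions reject with `IPAddr::InvalidAddressError` as far as I know, so the fact would quietly resolve to nil on every node. Write the networks in full, e.g. `'prod' => IPAddr.new('10.10.10.0/22'),`, and rescue narrowly with a trace: `rescue IPAddr::InvalidAddressError => e` followed by `Facter.debug("app_tier_subnet: #{e.message}")`. If this fact is used to classify nodes into tiers, a silent nil is worth surfacing.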
@@ -0,0 +1,10 @@ +### The App folder + +`./manifests/app//.pp` + + * This directory should contain profiles to manage applications stacks. + * An "app" is anything that does **not** come out of the box or is **not** built-in to the operating system. + * Use simple and easy to understand sub folders that describe the type of application being managed. + * For example, `app/liferay.pp` is **bad**. While `app/cms/liferay.pp` is better as it groups it in the "CMS" category. + * Avoid ambiguous profile names. `profile::app::splunk::forwarder` is better than `profile::app::splunk`. + * Other examples: `/manifests/app/apache.pp`, `/manifests/app/sql/server.pp`, or `/manifests/app/f5/load_balancer.pp`. diff --git a/site/profile/manifests/app/f5/load_balancer.pp b/site/profile/manifests/app/f5/load_balancer.pp new file mode 100644 index 000000000..db620f6fe --- /dev/null +++ b/site/profile/manifests/app/f5/load_balancer.pp 
@@ -0,0 +1,113 @@ +# profile::app::f5::load_balancer +# +# @summary This is a defined-type profile that creates everything +# needed in an F5 to load-balance a set of servers. +# +# @example Declaring a set of load-balanced servers: +# +# profile::app::f5::load_balancer { 'Awesome WebApp': +# nodes => [ +# { name => 'web1', address => '10.1.1.11', port => '80' }, +# { name => 'web2', address => '10.1.1.12', port => '80' }, +# { name => 'web3', address => '10.1.1.13', port => '80' }, +# ], +# pool_name => 'web_pool', +# virtualserver_name => 'website.foo.net', +# destination_address => '10.1.1.10', +# } +# +# @param nodes An array of hashes, where each hash contains a 'name', 'address', 'port', and optional 'monitors' key. +# @param pool_name The name of the pool to create and manage. +# @param virtualserver_name The name of the virtualserver to create and mange. +# @param destination_address The IP address of the VIP destination. +# +define profile::app::f5::load_balancer ( + Array[Hash] $nodes, + String $pool_name, + String $virtualserver_name, + String $destination_address, + Optional[Array[String]] $irules = undef, + String $destination_mask = '255.255.255.255', + Array[String] $health_monitors = [ '/Common/tcp' ], + String $load_balancing_method = 'round-robin', + Enum['present','absent'] $ensure = 'present', + String $http_profile = '/Common/http', + String $service_port = '80', + String $source = '0.0.0.0', +) { + + $description = "Managed by Puppet: ${title}" + + $_pool_name = $pool_name ? { + /^\/Common\// => $pool_name, + default => "/Common/${pool_name}", + } + + $_virtualserver_name = $virtualserver_name ? { + /^\/Common\// => $virtualserver_name, + default => "/Common/${virtualserver_name}", + } + + # Iterate over each node and manage it. + $nodes.each |Hash $node| { + + # Check that all required node properties are defined. 
+ ['name','address','port'].each |$property| { + if !(has_key($node, $property)) or ($node[$property] == undef) { + fail("${title}: Missing required node property '${property}'") + } + } + + # Use the ICMP monitor if none defined. + $_monitors = $node['monitors'] ? { + undef => [ '/Common/icmp' ], + default => $node['monitors'], + } + + f5_node { $node['name']: + ensure => $ensure, + address => $node['address'], + health_monitors => $_monitors, + availability_requirement => 'all', + description => $description, + before => [ + F5_pool[$_pool_name], + F5_virtualserver[$_virtualserver_name], + ], + } + + } + + # Generate the members parameter value to use in the f5_pool. + # We are creating an array of hashes with 'name' and 'port' keys. + $members = $nodes.map |Hash $node| { + { + 'name' => $node['name'], + 'port' => $node['port'], + } + } + + f5_pool { $_pool_name: + ensure => $ensure, + health_monitors => $health_monitors, + load_balancing_method => $load_balancing_method, + members => $members, + description => $description, + before => F5_virtualserver[$_virtualserver_name], + } + + f5_virtualserver { $_virtualserver_name: + ensure => $ensure, + provider => 'standard', + default_pool => $_pool_name, + destination_address => $destination_address, + destination_mask => $destination_mask, + http_profile => $http_profile, + service_port => $service_port, + irules => $irules, + source => $source, + description => $description, + require => F5_pool[$_pool_name], + } + +} diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp new file mode 100644 index 000000000..da56ca0db --- /dev/null +++ b/site/profile/manifests/app/fastb.pp 
@@ -0,0 +1,38 @@ +# This is a example profile to deploy fastb application software. +class profile::app::fastb ( + Stdlib::HTTPSUrl $download_url = 'https://tomcat.apache.org/tomcat-9.0-doc/appdev/sample/sample.war', + Stdlib::Absolutepath $app_path = '/opt/tomcat/fastb', +) { + include profile::app::tomcat::webserver + + tomcat::instance { 'tomcat8-fastb': + catalina_home => "${app_path}/..", + catalina_base => $app_path, + } + + tomcat::war { "${app_path}/fastb_app.war": + catalina_base => $app_path, + war_source => $download_url, + } + + tomcat::instance { 'tomcat-second': + catalina_home => '/opt/tomcat', + catalina_base => '/opt/tomcat/second', + } + + # Change the default port of the second instance server and HTTP connector + tomcat::config::server { 'tomcat-second': + catalina_base => '/opt/tomcat/second', + port => '8006', + } + + tomcat::config::server::connector { 'tomcat-second-http': + catalina_base => '/opt/tomcat/second', + port => '8081', + protocol => 'HTTP/1.1', + additional_attributes => { + 'redirectPort' => '8443' + }, + } + +} diff --git a/site/profile/manifests/app/icinga/server.pp b/site/profile/manifests/app/icinga/server.pp new file mode 100644 index 000000000..6d2ba6a08 --- /dev/null +++ b/site/profile/manifests/app/icinga/server.pp @@ -0,0 +1,13 @@ +# A description of what this class does +# +# @summary This class will install a icinga2 server +# +# @example +# include profile::app::icinga::server +class profile::app::icinga::server ( + Boolean $manage_repo = false, +) { + class { '::icinga2': + manage_repo => $manage_repo, + } +} diff --git a/site/profile/manifests/app/iis/default_app_pool.pp b/site/profile/manifests/app/iis/default_app_pool.pp new file mode 100644 index 000000000..932541df3 --- /dev/null +++ b/site/profile/manifests/app/iis/default_app_pool.pp 
@@ -0,0 +1,31 @@ +# example class of default IIS app pool +class profile::app::iis::default_app_pool ( + String $site_name = 'Default Web Site' +) { + $iis_features = ['Web-WebServer','Web-Scripting-Tools'] + + iis_feature { $iis_features: + ensure => 'present', + } + + # Delete the default website to prevent a port binding conflict. + iis_site {'Default Web Site': + ensure => absent, + require => Iis_feature['Web-WebServer'], + } + + iis_site { 'minimal': + ensure => 'started', + physicalpath => 'c:\\inetpub\\minimal', + applicationpool => 'DefaultAppPool', + require => [ + File['minimal'], + Iis_site[$site_name] + ], + } + + file { 'minimal': + ensure => 'directory', + path => 'c:\\inetpub\\minimal', + } +} diff --git a/site/profile/manifests/app/java.pp b/site/profile/manifests/app/java.pp new file mode 100644 index 000000000..1c87c7434 --- /dev/null +++ b/site/profile/manifests/app/java.pp @@ -0,0 +1,18 @@ +# This profile os to install an normalize java for +# agent hosts. +class profile::app::java { + case $facts['os']['family'] { + 'RedHat': { + require java + } + 'windows': { + require windows_java + } + 'Solaris': { + require java + } + default: { + fail("OS family ${facts['os']['family']} is not supported with ${title}.") + } + } +} diff --git a/site/profile/manifests/app/puppet/compiler.pp b/site/profile/manifests/app/puppet/compiler.pp new file mode 100644 index 000000000..1a8464a7a --- /dev/null +++ b/site/profile/manifests/app/puppet/compiler.pp 
@@ -0,0 +1,47 @@ +# class profile::app::puppet::compiler +# This profile has a chicken and egg complex +# The content of the keys cannot reside in hiera-eyaml until Primary Master has been configured. +class profile::app::puppet::compiler ( + String $ssh_private_key_content, + String $ssh_public_key_content, + String $eyaml_private_key_content, + String $eyaml_public_key_content, +) { + + file { [ '/etc/puppetlabs/puppet/eyaml', '/etc/puppetlabs/puppetserver/ssh/' ]: + ensure => directory, + owner => 'pe-puppet', + group => 'pe-puppet', + mode => '0750', + } + + file { '/etc/puppetlabs/puppetserver/ssh/id-control_repo.rsa': + ensure => file, + owner => 'pe-puppet', + group => 'pe-puppet', + content => $ssh_private_key_content, + } + + file { '/etc/puppetlabs/puppetserver/ssh/id-control_repo.rsa.pub': + ensure => file, + owner => 'pe-puppet', + group => 'pe-puppet', + content => $ssh_public_key_content, + } + + file { '/etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem': + ensure => file, + owner => 'pe-puppet', + group => 'pe-puppet', + mode => '0600', + content => $eyaml_private_key_content, + } + + file { '/etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem': + ensure => file, + owner => 'pe-puppet', + group => 'pe-puppet', + mode => '0644', + content => $eyaml_public_key_content, + } +} diff --git a/site/profile/manifests/app/puppet/non_pe_infra_agent.pp[D b/site/profile/manifests/app/puppet/non_pe_infra_agent.pp[D new file mode 100644 index 000000000..9e9ce3cea --- /dev/null +++ b/site/profile/manifests/app/puppet/non_pe_infra_agent.pp[D @@ -0,0 +1,13 @@ +# class to help manage server settings +class profile::app::puppet::non_pe_infra_agent ( + String $puppet_server = 'puppet.exampledomain.com', + Stdlib::Absolutepath $path_to_puppet_conf_dir = '/etc/puppetlabs/puppet', +) { + ini_setting { "puppet server setting": + ensure => present, + path => "${path_to_puppet_conf_dir}/puppet.conf", + section => 'main', + setting => 'server', + value => $puppet_server, + } +} 
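Review bot: The control-repo SSH private key at `/etc/puppetlabs/puppetserver/ssh/id-control_repo.rsa` is declared without a `mode`, unlike the eyaml private key further down, so its permissions are left to Puppet's default for new files. Add `mode => '0600',` to that resource. All four `*_content` parameters are plain `String`, so the key material can appear in file diffs, reports and the stored catalog; typing the two private ones as `Sensitive[String]` and setting `show_diff => false` on their file resources keeps them out of logs. The header comment says the keys cannot come from hiera-eyaml during bootstrap, so it should also say where they are expected to come from.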
diff --git a/site/profile/manifests/app/sql/sap_server.pp b/site/profile/manifests/app/sql/sap_server.pp
new file mode 100644
index 000000000..f3e85245c
--- /dev/null
+++ b/site/profile/manifests/app/sql/sap_server.pp
@@ -0,0 +1,7 @@
+# This is the profile to use for SAP database servers
+class profile::app::sql::sap_server {
+ class { 'profile::app::sql::common':
+ use_sql_as_security_mode => true,
+ sql_collation => 'SQL_Latin1_General_CP850_BIN2',
+ }
+}
diff --git a/site/profile/manifests/app/sql/server.pp b/site/profile/manifests/app/sql/server.pp
new file mode 100644
index 000000000..c1af891a7
--- /dev/null
+++ b/site/profile/manifests/app/sql/server.pp
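Review bot: `profile::app::sql::common` is declared in `sap_server.pp`, but the parameters passed (`use_sql_as_security_mode`, `sql_collation`) are the ones defined by `profile::app::sql::server` in this same patch, and no `common` class is visible in it. Unless `common` exists elsewhere, catalogs for SAP database nodes will fail to compile; `class { 'profile::app::sql::server':` looks like the intended target. `server` also requires `sa_password`, which this wrapper does not pass, so that value would have to come from Hiera.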
@@ -0,0 +1,76 @@ +# Class: profile::app::sql::server +# +# +class profile::app::sql::server ( +# Commented out due to mount not working +# Stdlib::Absolutepath $sql_iso_to_mount, + String[1] $sa_password, + Stdlib::Absolutepath $temp_db_location = 'D:\\TempDB', + Stdlib::Absolutepath $sql_source = 'K:\\', + String[1] $sql_version_fact = 'SQL_2017', + Boolean $use_sql_as_security_mode = false, + Array $sql_feature_array = [ 'Conn', 'BC', 'SDK' ], + Enum['SQL_Latin1_General_CP1_CI_AS', 'SQL_Latin1_General_CP850_BIN2'] $sql_collation = 'SQL_Latin1_General_CP1_CI_AS', +) { + # resources + file { $temp_db_location: + ensure => directory, + } + +# if $facts['sqlserver_instances'][$sql_version_fact].empty and $facts['sqlserver_features'][$sql_version_fact] != $sql_feature_array { +# class {'profile::tools::map_install_storage': +# iso_to_mount => $sql_iso_to_mount, +# before => [ Sqlserver_instance['MSSQLSERVER'],Sqlserver_features['Generic Features'] ], +# } +# } + + if $use_sql_as_security_mode { + sqlserver_instance { 'MSSQLSERVER': + source => $sql_source, + features => ['SQLEngine','FullText'], + security_mode => 'SQL', + sa_pwd => $sa_password, + sql_svc_account => 'SYSTEM', + install_switches => { + 'SQLTEMPDBDIR' => $temp_db_location, + 'SQLCOLLATION' => $sql_collation, + }, + agt_svc_account => 'SYSTEM', + sql_sysadmin_accounts => 'BUILTIN\Administrators', + require => File[$temp_db_location], + } + } else { + sqlserver_instance { 'MSSQLSERVER': + source => $sql_source, + features => ['SQLEngine','FullText'], + sql_svc_account => 'SYSTEM', + install_switches => { + 'SQLTEMPDBDIR' => $temp_db_location, + 'SQLCOLLATION' => $sql_collation, + }, + agt_svc_account => 'SYSTEM', + sql_sysadmin_accounts => 'BUILTIN\Administrators', + require => File[$temp_db_location], + } + } + + sqlserver_features { 'Generic Features': + source => $sql_source, + features => $sql_feature_array, + require => Sqlserver_instance['MSSQLSERVER'], + } + +# Resource to connect to the DB 
instance +sqlserver::config { 'MSSQLSERVER': + admin_login_type => 'WINDOWS_LOGIN' +} + +sqlserver::login {'sa': + instance => 'MSSQLSERVER', + disabled => true, + } + + reboot { 'reboot after sql installation change': + subscribe => [Sqlserver_instance['MSSQLSERVER'],Sqlserver_features['Generic Features']], + } +} diff --git a/site/profile/manifests/app/tomcat/webserver.pp b/site/profile/manifests/app/tomcat/webserver.pp new file mode 100644 index 000000000..df4c91686 --- /dev/null +++ b/site/profile/manifests/app/tomcat/webserver.pp @@ -0,0 +1,15 @@ +# This profile will install tomcat +class profile::app::tomcat::webserver ( + Optional[String] $download_url = undef, + Stdlib::Absolutepath $tomcat_install_path = '/opt/tomcat', +) { + require profile::app::java + + if $download_url { + tomcat::install { $tomcat_install_path: + source_url => $download_url, + } + } else { + fail("download_url not set for ${title}.") + } +} diff --git a/site/profile/manifests/cloud/azure/deployhost.pp b/site/profile/manifests/cloud/azure/deployhost.pp new file mode 100644 index 000000000..543e7fe06 --- /dev/null +++ b/site/profile/manifests/cloud/azure/deployhost.pp 
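Review bot: `sa_password` in `profile::app::sql::server` is a plain `String[1]` passed straight to `sa_pwd`, so the SQL administrator password can surface in reports and the compiled catalog. Declare it as `Sensitive[String[1]] $sa_password` (confirm the sqlserver module version in use accepts Sensitive) and source it from eyaml. Both branches run the engine and agent as `SYSTEM` (`sql_svc_account`, `agt_svc_account`) and grant sysadmin to `BUILTIN\Administrators`, which is broader than a database service needs; a dedicated low-privilege service account is the usual baseline. The parameter is also mandatory when `use_sql_as_security_mode` is false and it is never used, so making it `Optional` for that path would avoid distributing a secret that has no purpose.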
@@ -0,0 +1,91 @@ +## +# profile::cloud::azure::deployhost +# +# Builds a host used to interface with Azure (to be used by puppetlabs/azure module). +# Gems and packages are required to be installed into ruby packaged with Puppet Agent. +# Tested on CentOS and Windows 2012R2. +# +# Module requirements: +# * puppetlabs/hocon +# +# Other requirements: +# * Azure login (https://azure.microsoft.com/) +# * Azure Service Principal (SP) with permissions to create objects. +# +# @summary Micosoft Azure deployer proxy host. +# +# @param azure_packages Packages required for azure_gems on Linux. +# +# @param azure_gems Gems required. +# +# @param azure_config +# subscription_id: +# * Portal: Subscriptions -> $name -> Subscription ID +# * CLI 2.0: `az account list --output table` +# tenant_id: +# * Portal: Azure Active Directory -> Properties -> Directory ID +# * CLI 2.0: `az account show --output table` +# client_id: +# * Portal: Azure Active Directory -> App Registrations -> $name -> Application ID +# * CLI 2.0: `az ad app list` +# client_secret: Only displayed once upon creation of client_id. 
+# * Portal: Azure Active Directory -> App Registrations -> New application registration +# * CLI 2.0: `az ad sp create-for-rbac --name $sp_name` +# +class profile::cloud::azure::deployhost ( + Array $azure_packages = ['gcc-c++', 'zlib-devel'], + Hash $azure_gems = { + 'activesupport' => '4.2.9', + 'nokogiri' => '~>1.7.0', + 'azure' => '~>0.7.0', + 'azure-armrest' => '0.3.1', + 'azure_mgmt_compute' => '~>0.3.0', + 'azure_mgmt_storage' => '~>0.3.0', + 'azure_mgmt_resources' => '~>0.3.0', + 'azure_mgmt_network' => '~>0.3.0', + 'hocon' => '~>1.1.2', + 'retries' => 'latest', + }, + + Hash $azure_config = { + 'subscription_id' => undef, + 'tenant_id' => undef, + 'client_id' => undef, + 'client_secret' => undef, + } +) { + + ## + # Packges & Gems + # + if $facts['kernel'] == 'Linux' { + package { $azure_packages: + ensure => installed, + } + } + + $azure_gems.each | String $gem, String $version | { + package { $gem: + ensure => $version, + provider => 'puppet_gem', + } + } + + ## + # Configuration + # + $agent_confdir = $facts['os']['family'] ? { + 'windows' => 'C:/ProgramData/PuppetLabs/puppet/etc', + default => '/etc/puppetlabs/puppet', + } + + $azure_config.each | $i, $v | { + hocon_setting {"azure.conf-${i}": + ensure => present, + path => "${agent_confdir}/azure.conf", + setting => "azure.${i}", + value => $v, + } + } + +} diff --git a/site/profile/manifests/cloud/azure/vm_test.pp b/site/profile/manifests/cloud/azure/vm_test.pp new file mode 100644 index 000000000..2d1493884 --- /dev/null +++ b/site/profile/manifests/cloud/azure/vm_test.pp 
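Review bot: `client_secret` is written by the same `hocon_setting` loop as the non-secret ids, and nothing in `profile::cloud::azure::deployhost` manages the owner or mode of `${agent_confdir}/azure.conf`. The service-principal secret therefore lands in a file whose permissions are whatever the first write produced. Declare a `file` resource for that path with a restrictive `mode => '0600',` (and the equivalent ACL on Windows) ahead of the settings, and take the secret from eyaml rather than a plain hash default. All four keys default to `undef`, so an unconfigured node still gets `hocon_setting` resources with no value; failing early when `client_secret` is unset would make that explicit. Separately, `'retries' => 'latest'` is the only unpinned entry in `azure_gems` and will install whatever is newest at run time.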
@@ -0,0 +1,19 @@
+##
+# Create a VM in Azure using Resource Manager method.
+#
+# Caveats:
+# * 'user' can not be "admin".
+# * 'password' must be at least 12 characters.
+#
+class profile::cloud::azure::vm_test {
+ azure_vm { 'vm1':
+ ensure => present,
+ location => 'westus',
+ image => 'OpenLogic:CentOS:7.3:latest',
+ user => 'puppet',
+ password => '6Eji6PB9ErXJ7PrJtWQP',
+ size => 'Basic_A0',
+ resource_group => 'my-group',
+ }
+}
+
diff --git a/site/profile/manifests/os/README.md b/site/profile/manifests/os/README.md
new file mode 100644
index 000000000..3edf25691
--- /dev/null
+++ b/site/profile/manifests/os/README.md
@@ -0,0 +1,19 @@
+### The OS folder
+
+`./manifests/os/`
+
+ * This directory should contain profiles that manage items built-in to an operating system. For example, DNS, NTP, Users, firewall rules, etc....
+ * If the thing being managed is "out of the box", it goes here.
+
+`./manifests/os/baseline.pp`
+
+ * Profile that will wrap the OS level profiles
+ * Profile that build to support all business supported OS.
+ * Profile to implement the minimium base that security, product and sysadmins will allow on a company network.
+ * Profile built to install the base software for a company that is identified as site wide software, ie backup etc.
+
+`./manifests/os//`
+
+ * Profiles that are specific to built-in settings of one operating system go here.
+ * For example, `/manifests/os/windows/registry.pp`, `/manifests/os/linux/firewall.pp`, or `/manifests/os/solaris/enable_ssh.pp`.
+
diff --git a/site/profile/manifests/os/baseline.pp b/site/profile/manifests/os/baseline.pp
new file mode 100644
index 000000000..046fc416f
--- /dev/null
+++ b/site/profile/manifests/os/baseline.pp
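Review bot: The `azure_vm { 'vm1': }` resource in `vm_test.pp` sets the VM admin `password` to a string literal, so the credential is now in the repository history and in every catalog compiled from this class. Make it a class parameter looked up from eyaml, e.g. `Sensitive[String[12]] $vm_password,` with `password => $vm_password,` (unwrap it if the azure provider does not accept Sensitive; the length follows the caveat in the header). If the committed value was ever used on a real VM, rotate it. The same applies to the fixed `user`, `location` and `resource_group`, which would be easier to reuse as parameters.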
@@ -0,0 +1,40 @@
+# This profile an example of base profile.
+# It should support all site OS's and sould be enforced
+# on all agent hosts. This is the minimum bar of site
+# specific hosts.
+class profile::os::baseline (
+ Array[String[1]] $name_servers = [ '8.8.8.8', '8.8.4.4' ],
+ Array[String[1]] $search_path = [ 'localdomain', 'puppet.vm' ],
+) {
+ # Profile to set a default base level of acceptable security and
+ # configuration for systems to be used within the company networks.
+ case $facts['os']['family'] {
+ 'RedHat': {
+ class { 'profile::os::baseline::dns_resolver':
+ name_servers => $name_servers,
+ search_path => $search_path,
+ }
+ #include 'profile::os::linux::security'
+ }
+ 'windows': {
+ class { 'profile::os::baseline::dns_resolver':
+ name_servers => $name_servers,
+ search_path => $search_path,
+ }
+ #include profile::os::windows::security
+ }
+ 'Solaris': {
+ class { 'profile::os::baseline::dns_resolver':
+ name_servers => $name_servers,
+ search_path => $search_path,
+ }
+ include profile::os::solaris::enable_ssh
+ }
+ default: {
+ fail("OS family ${facts['os']['family']} is not supported with ${title}.")
+ }
+ }
+ # Profile does the OS case statement
+ # Profile will normalize the 'temp' path for Linux, Solaris, and Windows
+ include profile::os::baseline::archive
+}
diff --git a/site/profile/manifests/os/baseline/archives.pp b/site/profile/manifests/os/baseline/archives.pp
new file mode 100644
index 000000000..9cddf685a
--- /dev/null
+++ b/site/profile/manifests/os/baseline/archives.pp
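Review bot: The last statement of `profile::os::baseline`, `include profile::os::baseline::archive`, names a class this patch does not define; the file added next is `baseline/archives.pp` and declares `profile::os::baseline::archives`. Unless an `archive` class exists elsewhere, every node that receives the baseline will fail catalog compilation, so the line should read `include profile::os::baseline::archives`. Both hardening includes (`profile::os::linux::security`, `profile::os::windows::security`) are commented out. For RedHat and Windows the baseline therefore enforces DNS settings only, while Solaris additionally gets `profile::os::solaris::enable_ssh`, whose default permits root login; the header comment should say so.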
@@ -0,0 +1,24 @@
+# This profile is to normalize archive for a site
+# it will set temp dir and install dir for the build
+class profile::os::baseline::archives (
+ Optional[Stdlib::Absolutepath] $in_temp_path = undef,
+) {
+ include '::archive'
+
+ if ! $in_temp_path {
+ case $facts['kernel'] {
+ 'Linux', 'Solaris': {
+ $temp_path = '/tmp'
+ }
+ 'windows': {
+ $temp_path = 'C:/Windows/Temp'
+ }
+ default: {
+ fail("OS ${facts['kernel']} is not supported with ${title}.")
+ }
+ }
+ } else {
+ $temp_path = $in_temp_path
+ }
+
+}
diff --git a/site/profile/manifests/os/baseline/dns_resolver.pp b/site/profile/manifests/os/baseline/dns_resolver.pp
new file mode 100644
index 000000000..30bdb0070
--- /dev/null
+++ b/site/profile/manifests/os/baseline/dns_resolver.pp
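Review bot: The `case $facts['kernel']` arm `'Linux', 'Solaris'` in `archives.pp` will most likely never match a Solaris host, because the kernel fact there is reported as `SunOS`, so Solaris nodes fall through to `fail()`. Match on `$facts['os']['family']` as `profile::os::baseline` does, or use `'SunOS'`. The `'linux','solaris'` arm in `baseline/dns_resolver.pp` has the same problem, and its default only emits a `notify`, so a Solaris node would silently get no resolver configuration. In this class `$temp_path` is also computed but never used or passed on, so the class currently does nothing beyond `include '::archive'`. When it is wired up, note that `/tmp` is a shared, world-writable staging location.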
@@ -0,0 +1,54 @@ +# @summary A DNS profile for *nix and Windows +# +# @description This profile abstracts away the configuration of DNS settings into +# 2 parameters, 'name_servers' and 'search_path'. +# +# @param name_servers An array of DNS name servers to use. +# @param search_path An array of domain suffixes to use in the DNS search path. +# +class profile::os::baseline::dns_resolver ( + Array[String[1]] $name_servers, + Array[String[1]] $search_path, +) { + + case $facts['kernel'] { + 'linux','solaris': { + + # Use saz/resolv_conf Forge module + class { 'resolv_conf': + nameservers => $name_servers, + searchpath => $search_path, + } + + } + 'windows': { + + # Use the puppetlabs/dsc module + # Rather than set every interface, you could instead just set the primary + # by changing the dsc_interfacealias param to $facts['networking']['primary'] + # and removing the each loop. + #$facts['networking']['interfaces'].keys.each |$interface| { + # dsc_xdnsserveraddress { "Configure-DNS-${interface}-interface": + # ensure => present, + # dsc_address => $name_servers, + # dsc_interfacealias => $interface, + # dsc_addressfamily => 'IPv4', + # } + #} + dsc_xdnsserveraddress { 'Configure-DNS-primary-interface': + ensure => present, + dsc_address => $name_servers, + dsc_interfacealias => $facts['networking']['primary'], + dsc_addressfamily => 'IPv4', + } + dsc_xdnsclientglobalsetting { 'Configure-DNS-search-path': + ensure => present, + dsc_suffixsearchlist => $search_path, + dsc_issingleinstance => 'Yes' + } + + } + default: { notify { 'This profile does not support your OS': } } + } + +} diff --git a/site/profile/manifests/os/linux/ms_ca_root_cert.pp b/site/profile/manifests/os/linux/ms_ca_root_cert.pp new file mode 100644 index 000000000..a02a27ffa --- /dev/null +++ b/site/profile/manifests/os/linux/ms_ca_root_cert.pp 
@@ -0,0 +1,19 @@
+# Assuming you have the root CA cert stored on the master
+# this declaration will allow you to push it around
+# so a linux node can use it for web services
+# and windows users will get internally trusted certs
+# without needing to provision third party certs
+class profile::os::linux::ms_ca_root_cert {
+
+ file { '/etc/pki/tls/certs/msca.crt':
+ ensure => 'file',
+ source => 'puppet:///modules/profile/msca.crt',
+ }
+
+ file { '/etc/pki/tls/certs/4adae044.0':
+ ensure => 'link',
+ target => '/etc/pki/tls/certs/msca.crt',
+ require => File['/etc/pki/tls/certs/msca.crt'],
+ }
+
+}
diff --git a/site/profile/manifests/os/linux/security.pp b/site/profile/manifests/os/linux/security.pp
new file mode 100644
index 000000000..a6a14707c
--- /dev/null
+++ b/site/profile/manifests/os/linux/security.pp
@@ -0,0 +1,28 @@
+# This profile is example of security configurations for
+# site specific security settings.
+class profile::os::linux::security (
+ # This allows hiera to control if the saz/ssh::server class should be used
+ # on perspective agent hosts. Setting to false will mean the agents ssh server
+ # configuration will not be managed. If 'profile::os::linux::security::ssh_server'
+ # to change this behavior
+ Boolean $ssh_server = true
+) {
+ if $ssh_server {
+ # This lookup allows the hash to be constructed over multiple hierarchies
+ # example is located in common.yaml and virtual/virtualbox.yaml
+ $ssh_server_opts = lookup( 'name' => 'profile::os::linux::security::ssh_server_opts',
+ { 'merge' => {
+ 'strategy' => 'deep',
+ 'default_value' => {} }, })
+
+ $ssh_client_opts = lookup( 'name' => 'profile::os::linux::security::ssh_client_opts',
+ { 'merge' => {
+ 'strategy' => 'deep',
+ 'default_value' => {} }, })
+
+ # Pass the found options to saz/ssh server class
+ class { 'ssh::server':
+ options => $ssh_server_opts,
+ }
+ }
+}
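Review bot: Neither `file` resource in `ms_ca_root_cert.pp` sets `owner`, `group` or `mode`, so the permissions of a CA trust anchor are left to defaults and to the mode the file happens to have on the master; add `owner => 'root', group => 'root', mode => '0644'` to `/etc/pki/tls/certs/msca.crt`. The link name `4adae044.0` looks like an OpenSSL subject-hash name hard-coded for one certificate, so if `msca.crt` is reissued with a different subject the link goes stale without any error. A comment recording how that value was derived and who is allowed to change `puppet:///modules/profile/msca.crt` would help, since whatever is placed there is distributed as a trusted root.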
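Review bot: In both `lookup()` calls of `linux/security.pp` the `'default_value' => {}` entry sits inside the `'merge'` hash instead of beside it, so it is not a lookup default, and the leading `'name' => ...` argument mixes the positional and options-hash call forms; a node without `ssh_server_opts` data would presumably fail compilation rather than get `{}`. `$ssh_server_opts = lookup('profile::os::linux::security::ssh_server_opts', { 'merge' => 'deep', 'default_value' => {} })` expresses the intent. `$ssh_client_opts` is looked up but never used, and the parameter comment ends mid-sentence at "to change this behavior". Since an empty hash leaves sshd on the module's defaults, the header should state which options the site baseline expects Hiera to supply.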
diff --git a/site/profile/manifests/os/solaris/enable_ssh.pp b/site/profile/manifests/os/solaris/enable_ssh.pp
new file mode 100644
index 000000000..19960ff86
--- /dev/null
+++ b/site/profile/manifests/os/solaris/enable_ssh.pp
@@ -0,0 +1,22 @@
+# This class enables SSH and enables root login
+
+class profile::os::solaris::enable_ssh (
+ String $permit_root_login = 'yes',
+) {
+
+ # Start up the service and enable it at boot time.
+ service { 'svc:/network/ssh:default':
+ ensure => running,
+ enable => true,
+ }
+
+ # Manage whether root is allowed to login. (Default: yes)
+ file_line { 'permit root ssh':
+ ensure => present,
+ path => '/etc/ssh/sshd_config',
+ line => "PermitRootLogin ${permit_root_login}",
+ match => '^PermitRootLogin ',
+ notify => Service['svc:/network/ssh:default'],
+ }
+
+}
diff --git a/site/profile/manifests/os/windows/disable_firewall.pp b/site/profile/manifests/os/windows/disable_firewall.pp
new file mode 100644
index 000000000..ccd006350
--- /dev/null
+++ b/site/profile/manifests/os/windows/disable_firewall.pp
@@ -0,0 +1,29 @@
+# This profile disables all local firewalls on Windows nodes.
+#
+# Requires: puppetlabs/registry
+#
+class profile::os::windows::disable_firewall {
+
+ registry::value { 'Disable DomainProfile firewall':
+ key => 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile',
+ value => 'EnableFirewall',
+ data => '0',
+ type => 'dword',
+ }
+
+ registry::value { 'Disable PublicProfile firewall':
+ key => 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile',
+ value => 'EnableFirewall',
+ data => '0',
+ type => 'dword',
+ }
+
+ registry::value { 'Disable StandardProfile firewall':
+ key => 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile',
+ value => 'EnableFirewall',
+ data => '0',
+ type => 'dword',
+ }
+
+}
+
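Review bot: `$permit_root_login` in `enable_ssh.pp` defaults to `'yes'`, so including the class with no data permits direct root login over SSH, and the bare `String` type lets any text, embedded newlines included, be written into `/etc/ssh/sshd_config` through the `line` attribute. Constrain and tighten it with `Enum['yes', 'no', 'without-password', 'forced-commands-only'] $permit_root_login = 'no',`, adjusting the list to what the target sshd accepts. The `match` pattern `'^PermitRootLogin '` requires a single space after the keyword, so a tab-separated directive already in the file would not be replaced and a second entry would be appended; `'^PermitRootLogin\s'` avoids that.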
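Review bot: `disable_firewall.pp` switches off the Domain, Public and Standard firewall profiles unconditionally, with no parameter, fact guard or comment limiting it to lab nodes, so any role that includes it removes host-level filtering on every network the node joins; the same unconditional pattern applies to `disable_ieesc.pp` and `disable_uac.pp` later in this patch. `winrm_ssl_config.pp` in the same patch already opens a single port with `windows_firewall::exception`, which is the narrower approach. If the class stays, give it per-profile Boolean parameters that default to leaving the firewall on, and state the scope in the header, e.g. `# Lab/Vagrant use only: removes host firewall protection on all network profiles.`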
diff --git a/site/profile/manifests/os/windows/disable_ieesc.pp b/site/profile/manifests/os/windows/disable_ieesc.pp
new file mode 100644
index 000000000..2399dda83
--- /dev/null
+++ b/site/profile/manifests/os/windows/disable_ieesc.pp
@@ -0,0 +1,22 @@
+# This will disable Internet Explorer Enhanced Security Configuration
+#
+# Requires: puppetlabs/registry
+#
+class profile::os::windows::disable_ieesc {
+
+ registry::value { 'Disable IE ESC for Administrators':
+ key => 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}',
+ value => 'IsInstalled',
+ data => '0',
+ type => 'dword',
+ }
+
+ registry::value { 'Disable IE ESC for Users':
+ key => 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}',
+ value => 'IsInstalled',
+ data => '0',
+ type => 'dword',
+ }
+
+}
+
diff --git a/site/profile/manifests/os/windows/disable_ipv6.pp b/site/profile/manifests/os/windows/disable_ipv6.pp
new file mode 100644
index 000000000..4d4ede92b
--- /dev/null
+++ b/site/profile/manifests/os/windows/disable_ipv6.pp
@@ -0,0 +1,14 @@
+# This will turn off ipv6 for Windows nodes
+#
+# Requires puppetlabs/registry
+#
+class profile::os::windows::disable_ipv6 {
+
+ registry::value { 'Disable IPv6':
+ key => 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters',
+ value => 'DisabledComponents',
+ data => '255',
+ type => 'dword',
+ }
+
+}
diff --git a/site/profile/manifests/os/windows/disable_uac.pp b/site/profile/manifests/os/windows/disable_uac.pp
new file mode 100644
index 000000000..84b1077ed
--- /dev/null
+++ b/site/profile/manifests/os/windows/disable_uac.pp
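Review bot: `DisabledComponents` in `disable_ipv6.pp` is read at boot, so the value has no effect until the node restarts, and nothing in the class signals a pending reboot; the header should say so. `profile::os::windows::security` later in this patch defaults `$disable_ipv6` to `true`, which makes this the intended behaviour for every Windows node that includes that profile. Microsoft's guidance is generally to prefer IPv4 through prefix policy rather than to disable IPv6 components outright, so a comment recording why `255` was chosen would help the next reviewer.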
@@ -0,0 +1,25 @@
+# This will disable UAC on Windows nodes.
+#
+# Requires: puppetlabs/registry
+#
+class profile::os::windows::disable_uac {
+
+ registry::value { 'Disable UAC':
+ key => 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
+ value => 'EnableLUA',
+ data => '0',
+ type => 'dword',
+ }
+
+ # Refer to the link below to determine what different values do.
+ # Valid data values are 0 - 5.
+ # https://msdn.microsoft.com/en-us/library/Cc232761.aspx
+ registry::value { 'Set UAC Consent Prompt Level':
+ key => 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
+ value => 'ConsentPromptBehaviorAdmin',
+ data => '5',
+ type => 'dword',
+ }
+
+}
+
diff --git a/site/profile/manifests/os/windows/enable_remote_desktop.pp b/site/profile/manifests/os/windows/enable_remote_desktop.pp
new file mode 100644
index 000000000..6c439f84c
--- /dev/null
+++ b/site/profile/manifests/os/windows/enable_remote_desktop.pp
@@ -0,0 +1,21 @@
+# This profile will enable remote desktop connections
+#
+# Requires: puppetlabs/registry
+#
+class profile::os::windows::enable_remote_desktop {
+
+ registry::value { 'Enable Terminal Services connections':
+ key => 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server',
+ value => 'fDenyTSConnections',
+ data => '0',
+ type => 'dword',
+ }
+
+ registry::value { 'Enable TS Network Level Authentication':
+ key => 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp',
+ value => 'SecurityLayer',
+ data => '1',
+ type => 'dword',
+ }
+
+}
diff --git a/site/profile/manifests/os/windows/security.pp b/site/profile/manifests/os/windows/security.pp
new file mode 100644
index 000000000..f81abe368
--- /dev/null
+++ b/site/profile/manifests/os/windows/security.pp
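Review bot: The two resources in `disable_uac.pp` contradict each other: with `EnableLUA` set to `0` UAC is off entirely, so `ConsentPromptBehaviorAdmin => '5'` has nothing left to act on. If the goal is only to adjust the prompt, drop the `EnableLUA` resource and keep the consent level; if the goal is to disable UAC, drop the second resource and say in the header that administrators then run every process with a full token. An `EnableLUA` change also needs a restart, which the class does not signal.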
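Review bot: The resource titled 'Enable TS Network Level Authentication' in `enable_remote_desktop.pp` sets `SecurityLayer` to `1`, which selects negotiated transport security; Network Level Authentication is governed by the separate `UserAuthentication` value under the same `RDP-Tcp` key, so as written RDP is switched on without NLA being enforced. The change below adds a `UserAuthentication` resource and raises `SecurityLayer` to `2` so a session requires TLS instead of being able to fall back to the legacy RDP security layer. The class neither opens nor restricts the firewall for the RDP port, so who can reach the listener depends entirely on other profiles.

```puppet
  # … unchanged: fDenyTSConnections resource …

  registry::value { 'Require TLS for RDP':
    key   => 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp',
    value => 'SecurityLayer',
    data  => '2',
    type  => 'dword',
  }

  registry::value { 'Enable TS Network Level Authentication':
    key   => 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp',
    value => 'UserAuthentication',
    data  => '1',
    type  => 'dword',
  }
```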
@@ -0,0 +1,13 @@
+# This profile is example of security configurations for
+# site specific security settings.
+class profile::os::windows::security (
+ Boolean $disable_ipv6 = true,
+ Boolean $enable_rdesktop = false,
+) {
+ if $disable_ipv6 {
+ include profiles::os::windows::disable_ipv6
+ }
+ if $enable_rdesktop {
+ include profile::os::windows::enable_remote_desktop
+ }
+}
diff --git a/site/profile/manifests/os/windows/winrm_ssl_config.pp b/site/profile/manifests/os/windows/winrm_ssl_config.pp
new file mode 100644
index 000000000..66c1c079f
--- /dev/null
+++ b/site/profile/manifests/os/windows/winrm_ssl_config.pp
@@ -0,0 +1,33 @@
+# This profile configures winrm to use SSL, and uses
+# an existing certificate already installed in the
+# trusted store.
+#
+# This assumes a root CA has already been passed
+# via GPO or the like.
+#
+# Required modules in Puppetfile format, versions current as of last update:
+# mod 'puppet-windows_firewall', '2.0.0'
+# mod 'puppetlabs-stdlib', '4.24.0' ( windows_firewall (>= 4.6.0 < 5.0.0))
+# mod 'puppetlabs-registry', '1.1.4' ( windows_firewall (>= 1.1.1 < 2.0.0))
+# mod 'liamjbennett-win_facts', '0.0.2' ( windows_firewall (>= 0.0.2 < 2.0.0))
+# mod 'nekototori-winrmssl', '0.1.0'
+class profile::os::windows::winrm_ssl_config {
+
+ winrmssl { 'example.com':
+ ensure => 'present',
+ issuer => 'CN=example.com, DC=example, DC=com',
+ }
+
+ windows_firewall::exception { '$CLIENT_WINRM_SSL':
+ ensure => 'present',
+ direction => 'in',
+ action => 'Allow',
+ enabled => 'yes',
+ protocol => 'TCP',
+ local_port => '5986',
+ remote_port => 'any',
+ display_name => '$CLIENT_WINRM_SSL',
+ description => 'Inbound rule for secure remote management. [TCP 5986]',
+ }
+
+}
diff --git a/site/role/README.md b/site/role/README.md
new file mode 100644
index 000000000..5ebc365aa
--- /dev/null
+++ b/site/role/README.md
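Review bot: `include profiles::os::windows::disable_ipv6` in `windows/security.pp` names a `profiles` module, while every class added in this patch lives under `profile`. Because `$disable_ipv6` defaults to `true`, the default path would fail catalog compilation with an unknown class unless a `profiles` module exists elsewhere. The line should read `include profile::os::windows::disable_ipv6`; a spec test that compiles this class with default parameters would have caught it.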
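Review bot: The `winrmssl` title and `issuer` in `winrm_ssl_config.pp` are hard-coded to `example.com`, so the class cannot be applied unchanged and a copy-paste deployment selects a certificate by a placeholder issuer; both should be typed class parameters with no default. `'$CLIENT_WINRM_SSL'` is single-quoted in the resource title and in `display_name`, so the rule is literally named `$CLIENT_WINRM_SSL`; if a variable was meant it needs double quotes and a definition. The exception allows TCP 5986 inbound with no source restriction visible here, and nothing in the class addresses a plain-HTTP WinRM listener, assuming one exists on these nodes.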
@@ -0,0 +1,22 @@ +# Puppet Example Roles + +This directory is working example roles for customers to use as well as model +future development after. They should follow best practice and model a multi OS +use case. + +It SHOULD go without saying that everything should pass linting/validation, but +we're gonna go ahead and say that anyway. + +## Organization and Namespaces + +Roles should be organized in a hierarchical form with product categories that descend into more specific services for the product. DO NOT just throw all your roles at the root of the `manifests/` folder. Oh, and please use sub-folders for related roles. + +### The Product folders + +`/manifests//` + + * This directory should contain roles that manage nodes running specific product line functions. + * For example: + * `./manifests/fastb/web_be.pp` is `FastB product Web Backend`. + * `./manifests/spiders/database.pp` is `Spiders product SQL Database Backend`. + diff --git a/site/role/manifests/fastb/web_be.pp b/site/role/manifests/fastb/web_be.pp new file mode 100644 index 000000000..5ba84dc88 --- /dev/null +++ b/site/role/manifests/fastb/web_be.pp @@ -0,0 +1,7 @@ +# This is an example of a product called +# "Fast B" +# This is a web backend for that product. +class role::fastb::web_be { + include profile::os::baseline + include profile::app::fastb +} diff --git a/site/role/manifests/spider/web_be.pp b/site/role/manifests/spider/web_be.pp new file mode 100644 index 000000000..1d7343e91 --- /dev/null +++ b/site/role/manifests/spider/web_be.pp @@ -0,0 +1,8 @@ +# This is an example of a product called +# "Fast B" +# This is a web backend for that product. +class role::spider::web_be { + include profile::os::baseline + include profile::app::iis::default_app_pool + # include profile::app::spider +} diff --git a/site/role/manifests/sup_svc/monitor/server.pp b/site/role/manifests/sup_svc/monitor/server.pp new file mode 100644 index 000000000..0e41bea93 --- /dev/null 
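Review bot: The header comment on `role::spider::web_be` was copied from the Fast B role and still names the product "Fast B"; it should read `# This is an example of a product called "Spider"`. The commented-out `# include profile::app::spider` would benefit from a short why-comment so a reader knows whether the profile is missing or deliberately excluded.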
+++ b/site/role/manifests/sup_svc/monitor/server.pp
@@ -0,0 +1,5 @@
+# This is a monitoring server for that many products and services
+class role::sup_svc::monitor::server {
+ include profile::os::baseline
+ include profile::app::icinga::server
+}
diff --git a/site/role/manifests/sup_svc/puppet/compiler.pp b/site/role/manifests/sup_svc/puppet/compiler.pp
new file mode 100644
index 000000000..997369324
--- /dev/null
+++ b/site/role/manifests/sup_svc/puppet/compiler.pp
@@ -0,0 +1,4 @@
+# This is a role to add to the Puppet compiler group
+class role::sup_svc::puppet::compiler {
+ include profile::os::baseline
+}
diff --git a/site/role/manifests/sup_svc/puppet/master.pp b/site/role/manifests/sup_svc/puppet/master.pp
new file mode 100644
index 000000000..5de84cc24
--- /dev/null
+++ b/site/role/manifests/sup_svc/puppet/master.pp
@@ -0,0 +1,4 @@
+# This is a role to add to the Puppet Master.
+class role::sup_svc::puppet::master {
+ # include profile::os::baseline
+}
diff --git a/spec/acceptance/nodesets/onceover-nodes.yml b/spec/acceptance/nodesets/onceover-nodes.yml
new file mode 100644
index 000000000..707300694
--- /dev/null
+++ b/spec/acceptance/nodesets/onceover-nodes.yml
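Review bot: `role::sup_svc::puppet::master` has its only include commented out, so the master receives none of `profile::os::baseline` while the compiler role beside it does. The master is typically the node that signs certificates and serves all code, so it is the one host where an unmanaged baseline matters most. If the baseline is known to break on the master, record that next to the line, e.g. `# baseline disabled on the master: <reason>`, so the gap is a documented decision and not an oversight.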
@@ -0,0 +1,41 @@ +HOSTS: + centos6a: + roles: + - agent + type: aio + platform: el-6-64 + box: puppetlabs/centos-6.6-64-puppet + box_url: https://app.vagrantup.com/puppetlabs/boxes/centos-6.6-64-puppet + hypervisor: vagrant_virtualbox + CentOS-7.0-64: + roles: + - agent + type: aio + platform: el-7-64 + box: puppetlabs/centos-7.2-64-puppet + box_url: https://app.vagrantup.com/puppetlabs/boxes/centos-7.2-64-puppet + hypervisor: vagrant_virtualbox + centos7b: + roles: + - agent + type: aio + platform: el-7-64 + box: puppetlabs/centos-7.2-64-puppet + box_url: https://app.vagrantup.com/puppetlabs/boxes/centos-7.2-64-puppet + hypervisor: vagrant_virtualbox + ubuntu1404: + roles: + - agent + type: aio + platform: ubuntu-14.04-64 + box: puppetlabs/ubuntu-14.04-64-puppet + box_url: https://app.vagrantup.com/puppetlabs/boxes/ubuntu-14.04-64-puppet + hypervisor: vagrant_virtualbox + debian82: + roles: + - agent + type: aio + platform: debian-8.2-64 + box: puppetlabs/debian-8.2-64-puppet + box_url: https://app.vagrantup.com/puppetlabs/boxes/debian-8.2-64-puppet + hypervisor: vagrant_virtualbox diff --git a/spec/default_facts.yml b/spec/default_facts.yml new file mode 100644 index 000000000..ea1e4808e --- /dev/null +++ b/spec/default_facts.yml @@ -0,0 +1,7 @@ +# Use default_module_facts.yml for module specific facts. +# +# Facts specified here will override the values provided by rspec-puppet-facts. +--- +ipaddress: "172.16.254.254" +is_pe: false +macaddress: "AA:AA:AA:AA:AA:AA" diff --git a/spec/factsets/README.md b/spec/factsets/README.md new file mode 100644 index 000000000..dd72566c9 --- /dev/null +++ b/spec/factsets/README.md 
@@ -0,0 +1,7 @@ +# Factsets + +This directory is where we put any custom factsets that we want to use. They can be generated by running `puppet facts` on the target system. + +**Hot tip:** If you already have factsets in here when you run `onceover init` they will be picked up and added to the config file Automatically + +More info: https://github.com/dylanratcliffe/onceover#factsets diff --git a/spec/factsets/Windows_Server-2012r2-64.json b/spec/factsets/Windows_Server-2012r2-64.json new file mode 100644 index 000000000..63ed8d804 --- /dev/null +++ b/spec/factsets/Windows_Server-2012r2-64.json 
@@ -0,0 +1,164 @@ +{ + "name": "win-e5k8tm30719", + "values": { + "agent_specified_environment": "production", + "architecture": "x64", + "dhcp_servers": { + "Ethernet": "10.0.2.2", + "system": "10.0.2.2" + }, + "dmi": { + "manufacturer": "innotek GmbH", + "product": { + "name": "VirtualBox", + "serial_number": "0" + } + }, + "env_windows_installdir": "C:\\Program Files\\Puppet Labs\\Puppet", + "facterversion": "3.1.1", + "fqdn": "WIN-E5K8TM30719", + "hardwareisa": "x64", + "hardwaremodel": "x86_64", + "hostname": "WIN-E5K8TM30719", + "id": "WIN-E5K8TM30719\\vagrant", + "identity": { + "user": "WIN-E5K8TM30719\\vagrant" + }, + "interfaces": "Ethernet", + "ipaddress": "10.0.2.15", + "ipaddress6": "fe80::a180:36e0:3a6e:1005%12", + "ipaddress6_Ethernet": "fe80::a180:36e0:3a6e:1005%12", + "ipaddress_Ethernet": "10.0.2.15", + "is_virtual": true, + "kernel": "windows", + "kernelmajversion": "6.3", + "kernelrelease": "6.3.9600", + "kernelversion": "6.3.9600", + "macaddress": "08:00:27:81:38:FA", + "macaddress_Ethernet": "08:00:27:81:38:FA", + "manufacturer": "innotek GmbH", + "memory": { + "system": { + "available": "1.42 GiB", + "available_bytes": 1521610752, + "capacity": "29.13%", + "total": "2.00 GiB", + "total_bytes": 2147012608, + "used": "596.43 MiB", + "used_bytes": 625401856 + } + }, + "memoryfree": "1.42 GiB", + "memoryfree_mb": 1451.12109375, + "memorysize": "2.00 GiB", + "memorysize_mb": 2047.55078125, + "mtu_Ethernet": 1500, + "netmask": "255.255.255.0", + "netmask6": "ffff:ffff:ffff:ffff::", + "netmask6_Ethernet": "ffff:ffff:ffff:ffff::", + "netmask_Ethernet": "255.255.255.0", + "network": "10.0.2.0", + "network6": "fe80::%12", + "network6_Ethernet": "fe80::%12", + "network_Ethernet": "10.0.2.0", + "networking": { + "dhcp": "10.0.2.2", + "fqdn": "WIN-E5K8TM30719", + "hostname": "WIN-E5K8TM30719", + "interfaces": { + "Ethernet": { + "bindings": [ + { + "address": "10.0.2.15", + "netmask": "255.255.255.0", + "network": "10.0.2.0" + } + ], + "bindings6": [ + { 
+ "address": "fe80::a180:36e0:3a6e:1005%12", + "netmask": "ffff:ffff:ffff:ffff::", + "network": "fe80::%12" + } + ], + "dhcp": "10.0.2.2", + "ip": "10.0.2.15", + "ip6": "fe80::a180:36e0:3a6e:1005%12", + "mac": "08:00:27:81:38:FA", + "mtu": 1500, + "netmask": "255.255.255.0", + "netmask6": "ffff:ffff:ffff:ffff::", + "network": "10.0.2.0", + "network6": "fe80::%12" + } + }, + "ip": "10.0.2.15", + "ip6": "fe80::a180:36e0:3a6e:1005%12", + "mac": "08:00:27:81:38:FA", + "mtu": 1500, + "netmask": "255.255.255.0", + "netmask6": "ffff:ffff:ffff:ffff::", + "network": "10.0.2.0", + "network6": "fe80::%12", + "primary": "Ethernet" + }, + "operatingsystem": "windows", + "operatingsystemmajrelease": "2012 R2", + "operatingsystemrelease": "2012 R2", + "os": { + "architecture": "x64", + "family": "windows", + "hardware": "x86_64", + "name": "windows", + "release": { + "full": "2012 R2", + "major": "2012 R2" + }, + "windows": { + "system32": "C:\\Windows\\system32" + } + }, + "osfamily": "windows", + "path": "C:/Program Files/Puppet Labs/Puppet/facter/bin;C:\\Program Files\\Puppet Labs\\Puppet\\puppet\\bin;C:\\Program Files\\Puppet Labs\\Puppet\\facter\\bin;C:\\Program Files\\Puppet Labs\\Puppet\\hiera\\bin;C:\\Program Files\\Puppet Labs\\Puppet\\mcollective\\bin;C:\\Program Files\\Puppet Labs\\Puppet\\bin;C:\\Program Files\\Puppet Labs\\Puppet\\sys\\ruby\\bin;C:\\Program Files\\Puppet Labs\\Puppet\\sys\\tools\\bin;C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files (x86)\\Git\\cmd;C:\\Program Files (x86)\\Git\\bin;C:\\Program Files\\Puppet Labs\\Puppet\\bin", + "physicalprocessorcount": 1, + "processor0": "Intel(R) Core(TM) i7-4850HQ CPU @ 2.30GHz", + "processorcount": 1, + "processors": { + "count": 1, + "isa": "x64", + "models": [ + "Intel(R) Core(TM) i7-4850HQ CPU @ 2.30GHz" + ], + "physicalcount": 1 + }, + "productname": "VirtualBox", + "puppetversion": "4.2.3", + "ruby": { + "platform": 
"x64-mingw32", + "sitedir": "C:/Program Files/Puppet Labs/Puppet/sys/ruby/lib/ruby/site_ruby/2.1.0", + "version": "2.1.7" + }, + "rubyplatform": "x64-mingw32", + "rubysitedir": "C:/Program Files/Puppet Labs/Puppet/sys/ruby/lib/ruby/site_ruby/2.1.0", + "rubyversion": "2.1.7", + "serialnumber": "0", + "system32": "C:\\Windows\\system32", + "system_uptime": { + "days": 0, + "hours": 0, + "seconds": 287, + "uptime": "0:04 hours" + }, + "timezone": "Coordinated Universal Time", + "uptime": "0:04 hours", + "uptime_days": 0, + "uptime_hours": 0, + "uptime_seconds": 287, + "virtual": "virtualbox", + "clientcert": "win-e5k8tm30719", + "clientversion": "4.2.3", + "clientnoop": false + }, + "timestamp": "2015-11-19T01:47:05.215450000+00:00", + "expiration": "2015-11-19T02:17:05.215450000+00:00" +} diff --git a/spec/factsets/osx-10.13-x86_64.json b/spec/factsets/osx-10.13-x86_64.json new file mode 100644 index 000000000..7a00e7941 --- /dev/null +++ b/spec/factsets/osx-10.13-x86_64.json 
@@ -0,0 +1,184 @@ +{ + "name": "something-c02nfmkgg3qh", + "values": { + "puppetversion": "6.0.4", + "agent_specified_environment": "production", + "puppet_inventory_metadata": { + "packages": { + "collection_enabled": false, + "last_collection_time": "0.0s" + } + }, + "platform_symlink_writable": true, + "pe_concat_basedir": "/Users/something/.puppetlabs/opt/puppet/cache/pe_concat", + "is_pe": false, + "puppet_files_dir_present": false, + "platform_tag": "osx-10.13-x86_64", + "aio_agent_build": "1.10.14", + "staging_http_get": "curl", + "aio_agent_version": "1.10.14", + "kernelversion": "17.7.0", + "uptime": "5:20 hours", + "kernelrelease": "17.7.0", + "uptime_seconds": 19255, + "path": "/usr/local/sbin:/Users/something/bin:/Library/Frameworks/Python.framework/Versions/2.7/bin:/usr/local/bin:/opt/local/bin:/opt/local/sbin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/MacGPG2/bin:/opt/puppetlabs/bin:/usr/local/munki:/opt/puppetlabs/pdk/bin:/Users/something/.rvm/bin:/usr/local/Cellar/ec2-api-tools/1.7.1.0/bin", + "kernel": "Darwin", + "hostname": "something", + "productname": "MacBookPro11,1", + "operatingsystem": "Darwin", + "processors": { + "count": 4, + "speed": "2.6 GHz" + }, + "uptime_days": 0, + "kernelmajversion": "17.7", + "timezone": "CST", + "ps": "ps auxwww", + "virtual": "physical", + "is_virtual": false, + "architecture": "x86_64", + "hardwaremodel": "x86_64", + "os": { + "name": "Darwin", + "family": "Darwin", + "release": { + "major": "17", + "minor": "7", + "full": "17.7.0" + } + }, + "network_lo0": "127.0.0.0", + "network_en0": "192.168.1.0", + "network_vboxnet0": "10.20.1.0", + "rubysitedir": "/Library/Ruby/Site/2.3.0", + "sp_smc_version_system": "2.16f68", + "sp_boot_rom_version": "149.0.0.0.0", + "sp_cpu_type": "Intel Core i5", + "sp_current_processor_speed": "2.6 GHz", + "sp_l2_cache_core": "256 KB", + "sp_l3_cache": "3 MB", + "sp_machine_model": "MacBookPro11,1", + "sp_machine_name": "MacBook Pro", + "sp_number_processors": 2, + 
"sp_packages": 1, + "sp_physical_memory": "8 GB", + "sp_platform_uuid": "83B229EC-0FF7-589A-8239-C087E9DCE28C", + "sp_serial_number": "C02NFMKGG3QH", + "sp_boot_mode": "normal_boot", + "sp_boot_volume": "Macintosh HD", + "sp_kernel_version": "Darwin 17.7.0", + "sp_local_host_name": "Troys Macbook Pro (2)", + "sp_os_version": "macOS 10.13.6 (17G3025)", + "sp_secure_vm": "secure_vm_enabled", + "sp_system_integrity": "integrity_enabled", + "sp_uptime": "up 0:5:21:24", + "sp_user_name": "Troy E Klein (something)", + "macosx_productname": "Mac OS X", + "macosx_productversion": "10.13.6", + "macosx_buildversion": "17G3025", + "macosx_productversion_major": "10.13", + "macosx_productversion_minor": "6", + "operatingsystemmajrelease": "17", + "gid": "staff", + "hardwareisa": "i386", + "rubyversion": "2.3.7", + "processorcount": 4, + "system_uptime": { + "seconds": 19255, + "hours": 5, + "days": 0, + "uptime": "5:20 hours" + }, + "macaddress": "6c:40:08:8b:27:76", + "osfamily": "Darwin", + "id": "something", + "uptime_hours": 5, + "facterversion": "2.5.1", + "memorysize": "8.00 GB", + "memoryfree": "96.96 MB", + "swapsize": "1024.00 MB", + "swapfree": "980.00 MB", + "swapsize_mb": "1024.00", + "swapfree_mb": "980.00", + "memorysize_mb": "8192.00", + "memoryfree_mb": "96.96", + "swapencrypted": true, + "netmask": "255.255.255.0", + "domain": "something-C02NFMKGG3QH", + "interfaces": "lo0,gif0,stf0,XHC20,en1,en2,en0,p2p0,awdl0,bridge0,utun0,vboxnet0,vboxnet1,vboxnet10,vboxnet11,vboxnet12,vboxnet13,vboxnet14,vboxnet15,vboxnet16,vboxnet17,vboxnet18,vboxnet19,vboxnet2,vboxnet20,vboxnet3,vboxnet4,vboxnet5,vboxnet6,vboxnet7,vboxnet8,vboxnet9", + "ipaddress_lo0": "127.0.0.1", + "netmask_lo0": "255.0.0.0", + "mtu_lo0": 16384, + "mtu_gif0": 1280, + "mtu_stf0": 1280, + "mtu_xhc20": 0, + "macaddress_en1": "72:00:06:01:a0:10", + "mtu_en1": 1500, + "macaddress_en2": "72:00:06:01:a0:11", + "mtu_en2": 1500, + "ipaddress_en0": "192.168.1.31", + "macaddress_en0": "6c:40:08:8b:27:76", + 
"netmask_en0": "255.255.255.0", + "mtu_en0": 1500, + "macaddress_p2p0": "0e:40:08:8b:27:76", + "mtu_p2p0": 2304, + "macaddress_awdl0": "f6:a3:5b:2a:e2:8a", + "mtu_awdl0": 1484, + "macaddress_bridge0": "72:00:06:01:a0:10", + "mtu_bridge0": 1500, + "mtu_utun0": 2000, + "ipaddress_vboxnet0": "10.20.1.1", + "macaddress_vboxnet0": "0a:00:27:00:00:00", + "netmask_vboxnet0": "255.255.255.0", + "mtu_vboxnet0": 1500, + "macaddress_vboxnet1": "0a:00:27:00:00:01", + "mtu_vboxnet1": 1500, + "macaddress_vboxnet10": "0a:00:27:00:00:0a", + "mtu_vboxnet10": 1500, + "macaddress_vboxnet11": "0a:00:27:00:00:0b", + "mtu_vboxnet11": 1500, + "macaddress_vboxnet12": "0a:00:27:00:00:0c", + "mtu_vboxnet12": 1500, + "macaddress_vboxnet13": "0a:00:27:00:00:0d", + "mtu_vboxnet13": 1500, + "macaddress_vboxnet14": "0a:00:27:00:00:0e", + "mtu_vboxnet14": 1500, + "macaddress_vboxnet15": "0a:00:27:00:00:0f", + "mtu_vboxnet15": 1500, + "macaddress_vboxnet16": "0a:00:27:00:00:10", + "mtu_vboxnet16": 1500, + "macaddress_vboxnet17": "0a:00:27:00:00:11", + "mtu_vboxnet17": 1500, + "macaddress_vboxnet18": "0a:00:27:00:00:12", + "mtu_vboxnet18": 1500, + "macaddress_vboxnet19": "0a:00:27:00:00:13", + "mtu_vboxnet19": 1500, + "macaddress_vboxnet2": "0a:00:27:00:00:02", + "mtu_vboxnet2": 1500, + "macaddress_vboxnet20": "0a:00:27:00:00:14", + "mtu_vboxnet20": 1500, + "macaddress_vboxnet3": "0a:00:27:00:00:03", + "mtu_vboxnet3": 1500, + "macaddress_vboxnet4": "0a:00:27:00:00:04", + "mtu_vboxnet4": 1500, + "macaddress_vboxnet5": "0a:00:27:00:00:05", + "mtu_vboxnet5": 1500, + "macaddress_vboxnet6": "0a:00:27:00:00:06", + "mtu_vboxnet6": 1500, + "macaddress_vboxnet7": "0a:00:27:00:00:07", + "mtu_vboxnet7": 1500, + "macaddress_vboxnet8": "0a:00:27:00:00:08", + "mtu_vboxnet8": 1500, + "macaddress_vboxnet9": "0a:00:27:00:00:09", + "mtu_vboxnet9": 1500, + "fqdn": "something-C02NFMKGG3QH", + "operatingsystemrelease": "17.7.0", + "ipaddress": "192.168.1.31", + "rubyplatform": "universal.x86_64-darwin17", + 
"clientcert": "something-c02nfmkgg3qh", + "clientversion": "6.0.4", + "clientnoop": false + }, + "timestamp": "2018-12-03T14:16:56.056860000-06:00", + "expiration": "2018-12-03T14:46:56.057472000-06:00" +} diff --git a/spec/hiera.yaml b/spec/hiera.yaml new file mode 100644 index 000000000..82c645b33 --- /dev/null +++ b/spec/hiera.yaml @@ -0,0 +1,25 @@ +--- +version: 5 +defaults: # Used for any hierarchy level that omits these keys. + datadir: ../data # This path is relative to hiera.yaml's directory. + data_hash: yaml_data # Use the built-in YAML backend. + +hierarchy: + - name: "Per-node data" # Human-readable name. + path: "nodes/%{trusted.certname}.yaml" # File path, relative to datadir. + # ^^^ IMPORTANT: include the file extension! + - name: "Per-datacenter business role data" # Uses trusted data extentions. + path: "datacenter/%{facts.datacenter}/%{trusted.extentions.pp_role}.yaml" + + - name: "Role business data" + path: "role/%{trusted.extentions.pp_role}.yaml" + + - name: "Per-OS defaults" + path: "os/%{facts.os.family}.yaml" + + - name: "Virtual defaults" # Used to configure PE master from within virtual + path: "virtual/%{facts.virtual}.yaml" # like virtualbox or testing platform + + - name: "Common data" + path: "common.yaml" + diff --git a/spec/onceover.yaml b/spec/onceover.yaml new file mode 100644 index 000000000..767c18653 --- /dev/null +++ b/spec/onceover.yaml 
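Review bot: The factset `osx-10.13-x86_64.json` was captured from a personal workstation and still carries identifying values: `sp_serial_number`, `sp_platform_uuid`, `sp_user_name`, `sp_local_host_name`, the `macaddress*` entries and the home-directory segments of `path`. The login name was replaced with `something`, but the hardware serial also survives inside `name`, `fqdn`, `domain` and `clientcert`. Spec tests only need the OS, kernel and networking shape, so these fields should be replaced with constructed placeholders before the file lands, because a committed value stays in history.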
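Review bot: `trusted.extentions.pp_role` is misspelled in both the per-datacenter and the role level of `spec/hiera.yaml`; the trusted hash key is `extensions`, so these interpolations resolve to an empty string and the role data file is never selected. Use `path: "role/%{trusted.extensions.pp_role}.yaml"` and make the same change in the datacenter path; the trailing comment on that level repeats the typo. This matters for the security profiles in this patch, which take their SSH options from Hiera and would quietly fall back to lower levels.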
@@ -0,0 +1,57 @@ +# Classes to be tested +# test all roles in repo +classes: + - '/role::/' + - profile::os::baseline + +# Nodes to tests classes on, this refers to a 'factset' or 'nodeset' +# depending on weather you are running 'spec' or 'acceptance' tests +nodes: + - CentOS-7.0-64 + - CentOS-6.6-64 + - Windows_Server-2012r2-64 + - solaris-11.2-sparc-64 + +# You can group classes here to save typing +class_groups: + base: + - 'profile::os::baseline' + windows: + - '/role::spider/' + - 'profile::os::baseline' + linux: + - '/role::sup_svc/' + - '/role::fastb/' + - profile::os::baseline +# You can group nodes here to save typing +# We have created a 'non_windows_nodes' group because we can't +# give you Windows vagrant boxes to test with because licensing, +# we can give you fact sets though so go crazy with spec testing! +node_groups: + windows_nodes: + - Windows_Server-2012r2-64 + linux_nodes: + - CentOS-7.0-64 + - CentOS-6.6-64 + solaris_nodes: + - solaris-11.2-sparc-64 + non_windows_nodes: + include: 'linux_nodes' + include: 'solaris_nodes' + exclude: 'windows_nodes' + +test_matrix: + - linux_nodes: + classes: 'linux' + tests: 'spec' + - windows_nodes: + classes: 'windows' + tests: 'spec' + - solaris_nodes: + classes: 'base' + tests: 'spec' + - non_windows_nodes: + classes: + - 'linux' + - 'solaris' + tests: 'acceptance' diff --git a/spec/pre_conditions/README.md b/spec/pre_conditions/README.md new file mode 100644 index 000000000..f0a81bf9c --- /dev/null +++ b/spec/pre_conditions/README.md 
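Review bot: `non_windows_nodes` in `spec/onceover.yaml` repeats the `include` key; a YAML mapping holds one value per key, so a parser keeps only one of the two (typically the last, `solaris_nodes`) or rejects the file, and the Linux nodes drop out of the acceptance run. The `test_matrix` entry for that group also references a class group `solaris`, but `class_groups` defines only `base`, `windows` and `linux`. The `nodes` list names `CentOS-6.6-64` and `solaris-11.2-sparc-64`, while the nodeset added in this patch defines `centos6a`, `CentOS-7.0-64`, `centos7b`, `ubuntu1404` and `debian82`, so those names may not resolve for acceptance tests. Listing the intended node names directly under `non_windows_nodes` avoids the duplicate key.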
@@ -0,0 +1,24 @@ +# Pre Conditions + +This folder should contain any \*.pp files that you want to be included in every test. + +A common use of this is defining resources that may not exist in the catalog when you are running tests. For example, if we are using a resource that tries to restart the `pe-puppetserver` service, unless it is compiled on a Puppet Maser the `pe-puppetserver` service will not exist and the catalog will fail to compile. To get around this we can create a .pp file and define the resource like so: + +``` puppet +# We are not going to actually have this service anywhere on our servers but +# our code needs to refresh it. This is to trick puppet into doing nothing +service { 'pe-puppetserver': + ensure => 'running', + enable => false, + hasrestart => false, # Force Puppet to use start and stop to restart + start => 'echo "Start"', # This will always exit 0 + stop => 'echo "Stop"', # This will also always exit 0 + hasstatus => false, # Force puppet to use our command for status + status => 'echo "Status"', # This will always exit 0 and therefore Puppet will think the service is running + provider => 'base', +} +``` + +This will mean that the `pe-puppetserver` service is in the catalog for spec testing and will even allow you to try to restart it during acceptance tests without the service actually being present. + +More info: https://github.com/dylanratcliffe/onceover#using-workarounds diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb new file mode 100644 index 000000000..35654b3d2 --- /dev/null +++ b/spec/spec_helper.rb 
@@ -0,0 +1,44 @@ +require 'puppetlabs_spec_helper/module_spec_helper' +require 'rspec-puppet-facts' + +require 'spec_helper_local' if File.file?(File.join(File.dirname(__FILE__), 'spec_helper_local.rb')) + +include RspecPuppetFacts + +default_facts = { + puppetversion: Puppet.version, + facterversion: Facter.version, +} + +default_fact_files = [ + File.expand_path(File.join(File.dirname(__FILE__), 'default_facts.yml')), + File.expand_path(File.join(File.dirname(__FILE__), 'default_module_facts.yml')), +] + +default_fact_files.each do |f| + next unless File.exist?(f) && File.readable?(f) && File.size?(f) + + begin + default_facts.merge!(YAML.safe_load(File.read(f))) + rescue => e + RSpec.configuration.reporter.message "WARNING: Unable to load #{f}: #{e}" + end +end + +RSpec.configure do |c| + c.default_facts = default_facts + c.before :each do + # set to strictest setting for testing + # by default Puppet runs at warning level + Puppet.settings[:strict] = :warning + end +end + +def ensure_module_defined(module_name) + module_name.split('::').reduce(Object) do |last_module, next_module| + last_module.const_set(next_module, Module.new) unless last_module.const_defined?(next_module, false) + last_module.const_get(next_module, false) + end +end + +# 'spec_overrides' from sync.yml will appear below this line From b726dc0914b48f7baf43b6cf9bd3095857747df3 Mon Sep 17 00:00:00 2001 
From: Troy Klein Date: Thu, 8 Aug 2019 06:05:02 -0600 Subject: [PATCH 014/134] fix some lint issues and remove example.pp files --- site/profile/manifests/app/sql/server.pp | 2 +- site/profile/manifests/base.pp | 5 ----- site/profile/manifests/example.pp | 3 --- site/profile/manifests/puppetmaster.pp | 1 + site/role/manifests/all_in_one_pe.pp | 1 + site/role/manifests/database_server.pp | 1 + site/role/manifests/example.pp | 3 --- site/role/manifests/webserver.pp | 1 + 8 files changed, 5 insertions(+), 12 deletions(-) delete mode 100644 site/profile/manifests/base.pp delete mode 100644 site/profile/manifests/example.pp delete mode 100644 site/role/manifests/example.pp diff --git a/site/profile/manifests/app/sql/server.pp b/site/profile/manifests/app/sql/server.pp index c1af891a7..6f0f68bc7 100644 --- a/site/profile/manifests/app/sql/server.pp +++ b/site/profile/manifests/app/sql/server.pp @@ -4,7 +4,7 @@ class profile::app::sql::server ( # Commented out due to mount not working # Stdlib::Absolutepath $sql_iso_to_mount, - String[1] $sa_password, + String[1] $sa_password, Stdlib::Absolutepath $temp_db_location = 'D:\\TempDB', Stdlib::Absolutepath $sql_source = 'K:\\', String[1] $sql_version_fact = 'SQL_2017', diff --git a/site/profile/manifests/base.pp b/site/profile/manifests/base.pp deleted file mode 100644 index ae85e6550..000000000 --- a/site/profile/manifests/base.pp +++ /dev/null @@ -1,5 +0,0 @@ -class profile::base { - - #the base profile should include component modules that will be on all nodes - -} diff --git a/site/profile/manifests/example.pp b/site/profile/manifests/example.pp deleted file mode 100644 index 0b48c3a10..000000000 --- a/site/profile/manifests/example.pp +++ /dev/null @@ -1,3 +0,0 @@ -class profile::example { - -} diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index 9109c7d0a..f8289dc49 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp 
@@ -1,3 +1,4 @@ +# class for puppet master class profile::puppetmaster ( $hiera_yaml = "${::settings::confdir}/hiera.yaml" ){ diff --git a/site/role/manifests/all_in_one_pe.pp b/site/role/manifests/all_in_one_pe.pp index b6b883e80..cdc6ba9c5 100644 --- a/site/role/manifests/all_in_one_pe.pp +++ b/site/role/manifests/all_in_one_pe.pp @@ -1,3 +1,4 @@ +# call role::all_in_one_pe class role::all_in_one_pe { include profile::puppetmaster diff --git a/site/role/manifests/database_server.pp b/site/role/manifests/database_server.pp index aacc912b2..86af1658a 100644 --- a/site/role/manifests/database_server.pp +++ b/site/role/manifests/database_server.pp @@ -1,3 +1,4 @@ +# class role::database_server class role::database_server { #This role would be made of all the profiles that need to be included to make a database server work diff --git a/site/role/manifests/example.pp b/site/role/manifests/example.pp deleted file mode 100644 index 2c1d2d724..000000000 --- a/site/role/manifests/example.pp +++ /dev/null @@ -1,3 +0,0 @@ -class role::example { - -} diff --git a/site/role/manifests/webserver.pp b/site/role/manifests/webserver.pp index 314fa55f3..30cc517f4 100644 --- a/site/role/manifests/webserver.pp +++ b/site/role/manifests/webserver.pp @@ -1,3 +1,4 @@ +# class role::webserver class role::webserver { #This role would be made of all the profiles that need to be included to make a webserver work From ea48fc8b5b12fe959fe10a63d60767363e7227cf Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Mon, 19 Aug 2019 21:23:42 -0400 Subject: [PATCH 015/134] added some quotes --- site/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/site/README.md b/site/README.md index a6b73d2d9..8846b2aa7 100644 --- a/site/README.md +++ b/site/README.md 
@@ -11,9 +11,9 @@ These examples have been constructed with the following requirements: | Supported OS | Product Role | State | |--------------------------|---------------------|-----| -| Win 2012r2 | role::spider::web_be | WIP | -| Win 2012r2 | role::spider::database | WIP | -| CentOS 7 | role::spider::balancer | WIP | +| Win 2012r2 | 'role::spider::web\_be' | WIP | +| Win 2012r2 | 'role::spider::database' | WIP | +| CentOS 7 | 'role::spider::balancer' | WIP | - Modeling should support three operating systems From 9bf7760de13590bd1a78a02baf4e7ec7ae59e309 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Mon, 19 Aug 2019 21:26:08 -0400 Subject: [PATCH 016/134] added some quotes --- site/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/site/README.md b/site/README.md index 8846b2aa7..b6df7874d 100644 --- a/site/README.md +++ b/site/README.md @@ -11,9 +11,9 @@ These examples have been constructed with the following requirements: | Supported OS | Product Role | State | |--------------------------|---------------------|-----| -| Win 2012r2 | 'role::spider::web\_be' | WIP | -| Win 2012r2 | 'role::spider::database' | WIP | -| CentOS 7 | 'role::spider::balancer' | WIP | +| Win 2012r2 | 'role:\:spider::web\_be' | WIP | +| Win 2012r2 | 'role:\:spider::database' | WIP | +| CentOS 7 | 'role:\:spider::balancer' | WIP | - Modeling should support three operating systems From ea4fdd2b4fdfe683bf47fe857d426e3c767adccc Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Mon, 19 Aug 2019 21:29:31 -0400 Subject: [PATCH 017/134] added some quotes --- site/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/site/README.md b/site/README.md index b6df7874d..266fee94a 100644 --- a/site/README.md +++ b/site/README.md 
@@ -11,9 +11,9 @@ These examples have been constructed with the following requirements: | Supported OS | Product Role | State | |--------------------------|---------------------|-----| -| Win 2012r2 | 'role:\:spider::web\_be' | WIP | -| Win 2012r2 | 'role:\:spider::database' | WIP | -| CentOS 7 | 'role:\:spider::balancer' | WIP | +| Win 2012r2 | `role::spider::web\_be` | WIP | +| Win 2012r2 | `role::spider::database` | WIP | +| CentOS 7 | `role::spider::balancer` | WIP | - Modeling should support three operating systems From 636e58ec22c919b5597fd44cda7c96d960d2079a Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Mon, 19 Aug 2019 21:30:13 -0400 Subject: [PATCH 018/134] added some quotes --- site/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/README.md b/site/README.md index 266fee94a..9ad1f8032 100644 --- a/site/README.md +++ b/site/README.md @@ -11,7 +11,7 @@ These examples have been constructed with the following requirements: | Supported OS | Product Role | State | |--------------------------|---------------------|-----| -| Win 2012r2 | `role::spider::web\_be` | WIP | +| Win 2012r2 | `role::spider::web_be` | WIP | | Win 2012r2 | `role::spider::database` | WIP | | CentOS 7 | `role::spider::balancer` | WIP | From 65bef5e05fa6dff81960ec6fe93bb9ca0f024c92 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Mon, 19 Aug 2019 21:38:43 -0400 Subject: [PATCH 019/134] added some quotes --- site/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site/README.md b/site/README.md index 9ad1f8032..1ab2e3ce2 100644 --- a/site/README.md +++ b/site/README.md 
@@ -27,11 +27,11 @@ These examples have been constructed with the following requirements: - HAProxy loadbalancer 'role::spiders::balancer' - SQL Database server 'role::spiders::database' - Fastb - - Linux and Solaris systmes hoting the product + - Linux and Solaris systems hosting the product - Tomcat web backend 'role::fastb::web_be' - HAProxy loadbalancer 'role::fastb::balancer' - MYSQL Database server 'role::fastb::database' - - These products are examples and will be deploying a `hello world` code base + - These products are examples and will be deploying a `hello world` java application code base - Support services - While products usually do not share hosts support services do - Example of monitoring service 'role::sup\_svc::monitoring::server' From 52d87da9ddf9d75df206a7ead03642e8e03ac8d9 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Mon, 26 Aug 2019 12:58:43 -0500 Subject: [PATCH 020/134] cleanup hiera.yaml to clarity --- hiera.yaml | 50 +++++++++++--------------------------------------- 1 file changed, 11 insertions(+), 39 deletions(-) diff --git a/hiera.yaml b/hiera.yaml index ef83aeec0..e10d94cd3 100644 --- a/hiera.yaml +++ b/hiera.yaml 
@@ -2,55 +2,27 @@ version: 5 defaults: # Used for any hierarchy level that omits these keys. datadir: data # This path is relative to hiera.yaml's directory. - data_hash: yaml_data # Use the built-in YAML backend. + lookup_key: eyaml_lookup_key # Uses non-default backend. + options: + pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem + pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem hierarchy: - - name: "Per-node data" # Human-readable name. - path: "nodes/%{trusted.certname}.yaml" # File path, relative to datadir. - # ^^^ IMPORTANT: include the file extension! - - name: "Per-node secret data (encrypted)" # Using same file as unencrypted - lookup_key: eyaml_lookup_key # Uses non-default backend. + - name: "Per-node trusted.certname data (can be encrypted)" # Using same file as unencrypted path: "nodes/%{trusted.certname}.yaml" - options: - pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem - pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem - - name: "Per-datacenter business role data" # Uses trusted data extentions. + - name: "Per-datacenter buiness trusted.extentions.pp_role data (can be encrypted)" # Using same file as unencrypted path: "datacenter/%{facts.datacenter}/%{trusted.extentions.pp_role}.yaml" - - name: "Per-datacenter buiness role secret data (encrypted)" # Using same file as unencrypted - lookup_key: eyaml_lookup_key # Uses non-default backend. - path: "datacenter/%{facts.datacenter}/%{trusted.extentions.pp_role}.yaml" - options: - pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem - pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem - - name: "Role business data" - path: "role/%{trusted.extentions.pp_role}.yaml" - - name: "Role business secret data (encrypted)" # Using same file as unencrypted - lookup_key: eyaml_lookup_key # Uses non-default backend. 
+ - name: "Role trusted.extentions.pp_role data (can be encrypted)" # Using same file as unencrypted path: "role/%{trusted.extentions.pp_role}.yaml" - options: - pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem - pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem - - name: "Per-OS defaults" + - name: "Per-OS facts.os.family defaults data (can be encrypted)" # Using same file as unencrypted path: "os/%{facts.os.family}.yaml" - - name: "Per-OS defaults secret data (encrypted)" # Using same file as unencrypted - lookup_key: eyaml_lookup_key # Uses non-default backend. - path: "os/%{facts.os.family}.yaml" - options: - pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem - pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem - - name: "Virtual defaults" # Used to configure PE master from within virtual - path: "virtual/%{facts.virtual}.yaml" # like virtualbox or testing platform + - name: "Virtual facts.virtual defaults" # Used to configure PE master from within virtual + path: "virtual/%{facts.virtual}.yaml" # like virtualbox or testing platform - - name: "Common data" - path: "common.yaml" - - name: "Common secret data (encrypted)" # Using same file as unencrypted - lookup_key: eyaml_lookup_key # Uses non-default backend. + - name: "Common data (can be encrypted)" # Using same file as unencrypted path: "common.yaml" - options: - pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem - pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem From 27665f9556d8e44532a76fdcb2833f84b03475e6 Mon Sep 17 00:00:00 2001 
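Review bot: The role and datacenter layers interpolate `trusted.extentions.pp_role`, but Puppet exposes certificate extensions under `trusted.extensions`, so the misspelled key most likely resolves to an empty string and these paths never match a data file. Role-scoped data, including eyaml-encrypted values, would then be skipped silently and lookups fall through to lower layers. The paths should read `path: "role/%{trusted.extensions.pp_role}.yaml"` and `path: "datacenter/%{facts.datacenter}/%{trusted.extensions.pp_role}.yaml"`, with the layer names corrected to match. Separately, `facts.datacenter` is reported by the agent itself, so that layer should not be the only thing deciding which node receives a secret.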
From: Troy Klein Date: Wed, 28 Aug 2019 10:50:40 -0500 Subject: [PATCH 021/134] moved role to example_role to avoid conflicts --- site/{role => example_role}/README.md | 0 site/{role => example_role}/manifests/fastb/web_be.pp | 2 +- site/{role => example_role}/manifests/spider/web_be.pp | 2 +- site/{role => example_role}/manifests/sup_svc/monitor/server.pp | 2 +- .../{role => example_role}/manifests/sup_svc/puppet/compiler.pp | 2 +- site/{role => example_role}/manifests/sup_svc/puppet/master.pp | 2 +- 6 files changed, 5 insertions(+), 5 deletions(-) rename site/{role => example_role}/README.md (100%) rename site/{role => example_role}/manifests/fastb/web_be.pp (81%) rename site/{role => example_role}/manifests/spider/web_be.pp (84%) rename site/{role => example_role}/manifests/sup_svc/monitor/server.pp (74%) rename site/{role => example_role}/manifests/sup_svc/puppet/compiler.pp (63%) rename site/{role => example_role}/manifests/sup_svc/puppet/master.pp (64%) diff --git a/site/role/README.md b/site/example_role/README.md similarity index 100% rename from site/role/README.md rename to site/example_role/README.md diff --git a/site/role/manifests/fastb/web_be.pp b/site/example_role/manifests/fastb/web_be.pp similarity index 81% rename from site/role/manifests/fastb/web_be.pp rename to site/example_role/manifests/fastb/web_be.pp index 5ba84dc88..5e0fb68cb 100644 --- a/site/role/manifests/fastb/web_be.pp +++ b/site/example_role/manifests/fastb/web_be.pp @@ -1,7 +1,7 @@ # This is an example of a product called # "Fast B" # This is a web backend for that product. -class role::fastb::web_be { +class example_role::fastb::web_be { include profile::os::baseline include profile::app::fastb } diff --git a/site/role/manifests/spider/web_be.pp b/site/example_role/manifests/spider/web_be.pp similarity index 84% rename from site/role/manifests/spider/web_be.pp rename to site/example_role/manifests/spider/web_be.pp index 1d7343e91..2f3b04ab2 100644 
--- a/site/role/manifests/spider/web_be.pp +++ b/site/example_role/manifests/spider/web_be.pp @@ -1,7 +1,7 @@ # This is an example of a product called # "Fast B" # This is a web backend for that product. -class role::spider::web_be { +class example_role::spider::web_be { include profile::os::baseline include profile::app::iis::default_app_pool # include profile::app::spider diff --git a/site/role/manifests/sup_svc/monitor/server.pp b/site/example_role/manifests/sup_svc/monitor/server.pp similarity index 74% rename from site/role/manifests/sup_svc/monitor/server.pp rename to site/example_role/manifests/sup_svc/monitor/server.pp index 0e41bea93..91460f829 100644 --- a/site/role/manifests/sup_svc/monitor/server.pp +++ b/site/example_role/manifests/sup_svc/monitor/server.pp @@ -1,5 +1,5 @@ # This is a monitoring server for that many products and services -class role::sup_svc::monitor::server { +class example_role::sup_svc::monitor::server { include profile::os::baseline include profile::app::icinga::server } diff --git a/site/role/manifests/sup_svc/puppet/compiler.pp b/site/example_role/manifests/sup_svc/puppet/compiler.pp similarity index 63% rename from site/role/manifests/sup_svc/puppet/compiler.pp rename to site/example_role/manifests/sup_svc/puppet/compiler.pp index 997369324..74fdb2581 100644 --- a/site/role/manifests/sup_svc/puppet/compiler.pp +++ b/site/example_role/manifests/sup_svc/puppet/compiler.pp @@ -1,4 +1,4 @@ # This is a role to add to the Puppet compiler group -class role::sup_svc::puppet::compiler { +class example_role::sup_svc::puppet::compiler { include profile::os::baseline } diff --git a/site/role/manifests/sup_svc/puppet/master.pp b/site/example_role/manifests/sup_svc/puppet/master.pp similarity index 64% rename from site/role/manifests/sup_svc/puppet/master.pp rename to site/example_role/manifests/sup_svc/puppet/master.pp index 5de84cc24..d0b8f6bb8 100644 --- a/site/role/manifests/sup_svc/puppet/master.pp 
+++ b/site/example_role/manifests/sup_svc/puppet/master.pp @@ -1,4 +1,4 @@ # This is a role to add to the Puppet Master. -class role::sup_svc::puppet::master { +class example_role::sup_svc::puppet::master { # include profile::os::baseline } From c61fa0c02640e13675c6572c03f7fc058f6a8e61 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 29 Aug 2019 07:10:26 -0500 Subject: [PATCH 022/134] fix some names and add masters class --- site/example_role/README.md | 2 +- site/profile/manifests/app/puppet/masters.pp | 41 +++++++++++++++++++ ...infra_agent.pp[D => non_pe_infra_agent.pp} | 0 3 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 site/profile/manifests/app/puppet/masters.pp rename site/profile/manifests/app/puppet/{non_pe_infra_agent.pp[D => non_pe_infra_agent.pp} (100%) diff --git a/site/example_role/README.md b/site/example_role/README.md index 5ebc365aa..e99cd2734 100644 --- a/site/example_role/README.md +++ b/site/example_role/README.md @@ -15,7 +15,7 @@ Roles should be organized in a hierarchical form with product categories that de `/manifests//` - * This directory should contain roles that manage nodes running specific product line functions. + * This directory should contain example roles that manage nodes running specific product line functions. * For example: * `./manifests/fastb/web_be.pp` is `FastB product Web Backend`. * `./manifests/spiders/database.pp` is `Spiders product SQL Database Backend`. diff --git a/site/profile/manifests/app/puppet/masters.pp b/site/profile/manifests/app/puppet/masters.pp new file mode 100644 index 000000000..970e76cff --- /dev/null +++ b/site/profile/manifests/app/puppet/masters.pp 
@@ -0,0 +1,41 @@ +# This class can be used to enforce site specific settings on the +# masters +class profile::app::puppet::masters ( + Optional[String] $puppet_ca = undef, +) { + include puppet_enterprise + + # This section will check repo provided keys in the demo/example + # control-repo and warn if they are still in use. + $hiera_private_key = '/etc/puppetlabs/code/environments/production/keys/private_key.pkcs7.pem' + $hiera_private_key_exists = inline_template("<% if File.exist?('${hiera_private_key}') -%>true<% end -%>") + + # This will quiery the puppet_db to see what hosts are running as the Puppet CA. + $puppetdb_puppet_ca = [ 'from', 'nodes', ['=', ['type', 'Class'], 'and', ['title', 'Puppet_enterprise::Profile::Certificate_authority']] ] + $puppet_ca_nodes = puppetdb_query($puppetdb_puppet_ca).each |$value| { $value["certname"] } + # This will check if puppet_ca param was assigned and if not use $puppet_enterprise::certificate_authority_host + if $puppet_ca == undef { + $pe_ca = $puppet_enterprise::certificate_authority_host + } else { + $pe_ca = $puppet_ca + } + + if $hiera_private_key_exists { + $warning_content = "${hiera_private_key} file should be removed from the control repo and all eyaml encrypted \ + data should be re-encrypted with new keys. DO NOT PLACE PRIVATE KEY in control-repo! \ + See https://github.com/voxpupuli/hiera-eyaml#generate-keys" + + warning("${warning_content}) + notify { 'key error': + message => "${warning_content}", + } + } + + # This code will include a class on compilers but not on the puppet_ca (Master of Masters) + if (! $trusted['certname'] in $puppet_ca_nodes) and (! $trusted['certname'] == $pe_ca) { + include profile::app::puppet::compiler + } else { + # This is a Master of Masters section to add classes to + } + +} 
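Review bot: The `if $hiera_private_key_exists` guard is always taken, because `inline_template` returns either the string `true` or an empty string, and Puppet 4 and later treat every string, including the empty one, as true. The private-key warning and the `key error` notify therefore fire on every run, even after the repo-shipped key has been removed, which teaches operators to ignore a real finding. Compare the value explicitly with `if $hiera_private_key_exists == 'true' {`. The check also hard-codes the `production` environment path, so a key shipped in any other environment is not reported; a comment should state that limit.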
diff --git a/site/profile/manifests/app/puppet/non_pe_infra_agent.pp[D b/site/profile/manifests/app/puppet/non_pe_infra_agent.pp similarity index 100% rename from site/profile/manifests/app/puppet/non_pe_infra_agent.pp[D rename to site/profile/manifests/app/puppet/non_pe_infra_agent.pp From b9958c1d1de9e6a9f3496c17177e4a695843b0a0 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 29 Aug 2019 07:13:41 -0500 Subject: [PATCH 023/134] added change to config_version --- scripts/code_manager_config_version.rb | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/scripts/code_manager_config_version.rb b/scripts/code_manager_config_version.rb index 28afda718..beacabcc8 100755 --- a/scripts/code_manager_config_version.rb +++ b/scripts/code_manager_config_version.rb @@ -1,10 +1,19 @@ -#!/usr/bin/env ruby +#!/opt/puppetlabs/puppet/bin/ruby require 'json' +require 'socket' environmentpath = ARGV[0] environment = ARGV[1] +# Get the hostname of the Puppet master compiling the catalog. +# Sometimes the hostname is the fqdn, so we'll take the first segment. +compiling_master = Socket.gethostname.split('.').first + +# Get the path to the Code Manager deployment info file. r10k_deploy_file_path = File.join(environmentpath, environment, '.r10k-deploy.json') -# output the sha1 from the control-repo -puts JSON.parse(File.read(r10k_deploy_file_path))['signature'] +# Get the first 12 characters of the commit ID out of the deployment file. +commit_id = JSON.parse(File.read(r10k_deploy_file_path))['signature'][0...11] + +# Show the compiling master, environment name, and commit ID. +puts "#{compiling_master}-#{environment}-#{commit_id}" From bbb757371683e51fe330f555f470b095ce63ec56 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 29 Aug 2019 07:16:56 -0500 Subject: [PATCH 024/134] added change to config_version --- scripts/config_version.rb | 16 +++++++++++----- scripts/config_version.sh | 11 ++++------- 2 files changed, 15 insertions(+), 12 deletions(-) 
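Review bot: `['signature'][0...11]` returns 11 characters, not the 12 the comment promises, because a three-dot range excludes its end index. Use `['signature'][0, 12]` (or `[0...12]`) so the config_version string matches the usual 12-character abbreviated commit id when it is compared against the repository. The same slice appears as `head.target_id[0...11]` in scripts/config_version.rb in the next commit and needs the same change.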
diff --git a/scripts/config_version.rb b/scripts/config_version.rb index 1d5c1f975..abb339032 100755 --- a/scripts/config_version.rb +++ b/scripts/config_version.rb @@ -1,6 +1,7 @@ -#!/usr/bin/env ruby +#!/opt/puppetlabs/puppet/bin/ruby begin require 'rugged' + require 'socket' rescue LoadError t = Time.new puts t.to_i @@ -8,12 +9,17 @@ environmentpath = ARGV[0] environment = ARGV[1] + # Get the hostname of the Puppet master compiling the catalog. + # Sometimes the hostname is the fqdn, so we'll take the first segment. + compiling_master = Socket.gethostname.split('.').first + + # Get the path to the environment being compiled. repo = Rugged::Repository.discover(File.join(environmentpath, environment)) head = repo.head - # sha1 hash of the newest commit - head_sha = head.target_id + # First 12 characters of the sha1 hash of the newest commit. + commit_id = head.target_id[0...11] - # add something to find the remote url - puts head_sha + # Show the compiling master, environment name, and commit ID. + puts "#{compiling_master}-#{environment}-#{commit_id}" end diff --git a/scripts/config_version.sh b/scripts/config_version.sh index 07b3a0715..8dd8086b6 100755 --- a/scripts/config_version.sh +++ b/scripts/config_version.sh @@ -1,15 +1,12 @@ #!/bin/bash -master_name=$(facter hostname) if [ -e $1/$2/.r10k-deploy.json ] then - hash=$(/opt/puppetlabs/puppet/bin/ruby $1/$2/scripts/code_manager_config_version.rb $1 $2) - echo "${master_name}_${hash}" + /opt/puppetlabs/puppet/bin/ruby $1/$2/scripts/code_manager_config_version.rb $1 $2 elif [ -e /opt/puppetlabs/server/pe_version ] -then - hash=$(/opt/puppetlabs/puppet/bin/ruby $1/$2/scripts/config_version.rb $1 $2) - echo "${master_name}_${hash}" +then + /opt/puppetlabs/puppet/bin/ruby $1/$2/scripts/config_version.rb $1 $2 else /usr/bin/git --version > /dev/null 2>&1 && /usr/bin/git --git-dir $1/$2/.git rev-parse HEAD || date +%s -fi +fi From 1e6f596c82250ba1bb501dafaf9dc8af29131b64 Mon Sep 17 00:00:00 2001 
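Review bot: The added ruby invocations expand `$1` and `$2` unquoted, as does the `[ -e $1/$2/.r10k-deploy.json ]` test above them. An environment path containing whitespace or glob characters is then split or expanded before it reaches `ruby`. Quote every expansion: `if [ -e "$1/$2/.r10k-deploy.json" ]` and `/opt/puppetlabs/puppet/bin/ruby "$1/$2/scripts/code_manager_config_version.rb" "$1" "$2"`, and likewise for the `config_version.rb` and `git --git-dir` lines. A short header comment stating that the script executes Ruby from inside the deployed environment directory would also help anyone reviewing who can write to that tree.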
From: Troy Klein Date: Thu, 29 Aug 2019 07:20:50 -0500 Subject: [PATCH 025/134] fix syntax error --- site/profile/manifests/app/puppet/masters.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profile/manifests/app/puppet/masters.pp b/site/profile/manifests/app/puppet/masters.pp index 970e76cff..f94c85da7 100644 --- a/site/profile/manifests/app/puppet/masters.pp +++ b/site/profile/manifests/app/puppet/masters.pp @@ -25,7 +25,7 @@ data should be re-encrypted with new keys. DO NOT PLACE PRIVATE KEY in control-repo! \ See https://github.com/voxpupuli/hiera-eyaml#generate-keys" - warning("${warning_content}) + warning("${warning_content}") notify { 'key error': message => "${warning_content}", } From 58a3cb645f95888b68d6776f307b56161718a87d Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 29 Aug 2019 07:29:30 -0500 Subject: [PATCH 026/134] added required quote --- site/profile/manifests/app/puppet/masters.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profile/manifests/app/puppet/masters.pp b/site/profile/manifests/app/puppet/masters.pp index f94c85da7..87a8cb3a4 100644 --- a/site/profile/manifests/app/puppet/masters.pp +++ b/site/profile/manifests/app/puppet/masters.pp @@ -11,7 +11,7 @@ $hiera_private_key_exists = inline_template("<% if File.exist?('${hiera_private_key}') -%>true<% end -%>") # This will quiery the puppet_db to see what hosts are running as the Puppet CA. - $puppetdb_puppet_ca = [ 'from', 'nodes', ['=', ['type', 'Class'], 'and', ['title', 'Puppet_enterprise::Profile::Certificate_authority']] ] + $puppetdb_puppet_ca = [ 'from', 'nodes', ['==', ['type', 'Class'], 'and', ['title', 'Puppet_enterprise::Profile::Certificate_authority']] ] $puppet_ca_nodes = puppetdb_query($puppetdb_puppet_ca).each |$value| { $value["certname"] } # This will check if puppet_ca param was assigned and if not use $puppet_enterprise::certificate_authority_host if $puppet_ca == undef { 
From a64a79880052e26b3b9fc3556d62d0046da46b5d Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 29 Aug 2019 07:55:42 -0500 Subject: [PATCH 027/134] fix for query --- site/profile/manifests/app/puppet/masters.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/site/profile/manifests/app/puppet/masters.pp b/site/profile/manifests/app/puppet/masters.pp index 87a8cb3a4..11e912080 100644 --- a/site/profile/manifests/app/puppet/masters.pp +++ b/site/profile/manifests/app/puppet/masters.pp @@ -11,7 +11,8 @@ $hiera_private_key_exists = inline_template("<% if File.exist?('${hiera_private_key}') -%>true<% end -%>") # This will quiery the puppet_db to see what hosts are running as the Puppet CA. - $puppetdb_puppet_ca = [ 'from', 'nodes', ['==', ['type', 'Class'], 'and', ['title', 'Puppet_enterprise::Profile::Certificate_authority']] ] + #$puppetdb_puppet_ca = [ 'from', 'nodes', ['=', ['type', 'Class'], 'and', ['title', 'Puppet_enterprise::Profile::Certificate_authority']] ] + $puppetdb_puppet_ca = 'resources[certname] { type = "Class" and title = "Puppet_enterprise::Profile::Certificate_authority" }' $puppet_ca_nodes = puppetdb_query($puppetdb_puppet_ca).each |$value| { $value["certname"] } # This will check if puppet_ca param was assigned and if not use $puppet_enterprise::certificate_authority_host if $puppet_ca == undef { From 30c549aff2992f0746172d0bce95d511029a725e Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 29 Aug 2019 07:59:37 -0500 Subject: [PATCH 028/134] notify to validate query --- site/profile/manifests/app/puppet/masters.pp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/site/profile/manifests/app/puppet/masters.pp b/site/profile/manifests/app/puppet/masters.pp index 11e912080..237596009 100644 --- a/site/profile/manifests/app/puppet/masters.pp +++ b/site/profile/manifests/app/puppet/masters.pp 
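Review bot: `puppetdb_query($puppetdb_puppet_ca).each |$value| { $value["certname"] }` leaves `$puppet_ca_nodes` holding the raw result rows, because `each` returns its receiver and discards the block's value. The later membership test against `$trusted['certname']` then compares a string with hashes and cannot match. Use `.map |$value| { $value['certname'] }` to get a list of certnames. The condition that consumes the list is outside this hunk and reads `! $trusted['certname'] in $puppet_ca_nodes`; `!` binds tighter than `in`, so it should be written `!($trusted['certname'] in $puppet_ca_nodes)`. As written, the compiler branch appears unreachable and every master is treated as the CA.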
@@ -37,6 +37,9 @@ include profile::app::puppet::compiler } else { # This is a Master of Masters section to add classes to + notify { 'Master message': + message => "$facts['fqdn'] is running the Puppet_enterprise::Profile::Certificate_authority class", + } } } From 13a036195f51d503d326e7fc1f10c145832980e0 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 29 Aug 2019 08:02:33 -0500 Subject: [PATCH 029/134] notify to validate query --- site/profile/manifests/app/puppet/masters.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profile/manifests/app/puppet/masters.pp b/site/profile/manifests/app/puppet/masters.pp index 237596009..a6a0d4631 100644 --- a/site/profile/manifests/app/puppet/masters.pp +++ b/site/profile/manifests/app/puppet/masters.pp @@ -38,7 +38,7 @@ } else { # This is a Master of Masters section to add classes to notify { 'Master message': - message => "$facts['fqdn'] is running the Puppet_enterprise::Profile::Certificate_authority class", + message => "${facts['fqdn']} is running the Puppet_enterprise::Profile::Certificate_authority class", } } From c767e05e102f7bcebbab4941b563bd555cca05a6 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 29 Aug 2019 08:03:56 -0500 Subject: [PATCH 030/134] notify to validate query --- site/profile/manifests/app/puppet/masters.pp | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/site/profile/manifests/app/puppet/masters.pp b/site/profile/manifests/app/puppet/masters.pp index a6a0d4631..59d377b59 100644 --- a/site/profile/manifests/app/puppet/masters.pp +++ b/site/profile/manifests/app/puppet/masters.pp 
@@ -15,11 +15,11 @@ $puppetdb_puppet_ca = 'resources[certname] { type = "Class" and title = "Puppet_enterprise::Profile::Certificate_authority" }' $puppet_ca_nodes = puppetdb_query($puppetdb_puppet_ca).each |$value| { $value["certname"] } # This will check if puppet_ca param was assigned and if not use $puppet_enterprise::certificate_authority_host - if $puppet_ca == undef { - $pe_ca = $puppet_enterprise::certificate_authority_host - } else { - $pe_ca = $puppet_ca - } +# if $puppet_ca == undef { +# $pe_ca = $puppet_enterprise::certificate_authority_host +# } else { +# $pe_ca = $puppet_ca +# } if $hiera_private_key_exists { $warning_content = "${hiera_private_key} file should be removed from the control repo and all eyaml encrypted \ From 0949f75fca17d66a0be85954755eb1472846927d Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 29 Aug 2019 08:09:54 -0500 Subject: [PATCH 031/134] cleanup for puppet-lint --- site/profile/manifests/app/puppet/masters.pp | 22 +++++++++++--------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/site/profile/manifests/app/puppet/masters.pp b/site/profile/manifests/app/puppet/masters.pp index 59d377b59..6f5deeb5e 100644 --- a/site/profile/manifests/app/puppet/masters.pp +++ b/site/profile/manifests/app/puppet/masters.pp @@ -2,6 +2,7 @@ # masters class profile::app::puppet::masters ( Optional[String] $puppet_ca = undef, + Boolean $debug_messages = false, ) { include puppet_enterprise 
@@ -11,24 +12,23 @@ $hiera_private_key_exists = inline_template("<% if File.exist?('${hiera_private_key}') -%>true<% end -%>") # This will quiery the puppet_db to see what hosts are running as the Puppet CA. - #$puppetdb_puppet_ca = [ 'from', 'nodes', ['=', ['type', 'Class'], 'and', ['title', 'Puppet_enterprise::Profile::Certificate_authority']] ] $puppetdb_puppet_ca = 'resources[certname] { type = "Class" and title = "Puppet_enterprise::Profile::Certificate_authority" }' $puppet_ca_nodes = puppetdb_query($puppetdb_puppet_ca).each |$value| { $value["certname"] } # This will check if puppet_ca param was assigned and if not use $puppet_enterprise::certificate_authority_host -# if $puppet_ca == undef { -# $pe_ca = $puppet_enterprise::certificate_authority_host -# } else { -# $pe_ca = $puppet_ca -# } + if $puppet_ca == undef { + $pe_ca = $puppet_enterprise::certificate_authority_host + } else { + $pe_ca = $puppet_ca + } if $hiera_private_key_exists { $warning_content = "${hiera_private_key} file should be removed from the control repo and all eyaml encrypted \ data should be re-encrypted with new keys. DO NOT PLACE PRIVATE KEY in control-repo! \ See https://github.com/voxpupuli/hiera-eyaml#generate-keys" - warning("${warning_content}") + warning($warning_content) notify { 'key error': - message => "${warning_content}", + message => $warning_content, } } @@ -37,8 +37,10 @@ include profile::app::puppet::compiler } else { # This is a Master of Masters section to add classes to - notify { 'Master message': - message => "${facts['fqdn']} is running the Puppet_enterprise::Profile::Certificate_authority class", + if $debug_messages { + notify { 'Master message': + message => "${facts['fqdn']} is running the Puppet_enterprise::Profile::Certificate_authority class", + } } } From bd1a4888d3db8ad3da582b24bd930381116d543c Mon Sep 17 00:00:00 2001 
From: Troy Klein Date: Thu, 29 Aug 2019 08:14:19 -0500 Subject: [PATCH 032/134] cleanup for warning about eyaml keys --- site/profile/manifests/app/puppet/masters.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site/profile/manifests/app/puppet/masters.pp b/site/profile/manifests/app/puppet/masters.pp index 6f5deeb5e..88f4c807b 100644 --- a/site/profile/manifests/app/puppet/masters.pp +++ b/site/profile/manifests/app/puppet/masters.pp @@ -22,8 +22,8 @@ } if $hiera_private_key_exists { - $warning_content = "${hiera_private_key} file should be removed from the control repo and all eyaml encrypted \ - data should be re-encrypted with new keys. DO NOT PLACE PRIVATE KEY in control-repo! \ + $warning_content = "${hiera_private_key} file should be removed from the control repo!\n \ + Any eyaml encrypted data should be re-encrypted with new keys. DO NOT PLACE PRIVATE KEY in control-repo!\n \ See https://github.com/voxpupuli/hiera-eyaml#generate-keys" warning($warning_content) From 38c592aa65c15119ac8053baf2d901d8d44c401d Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 30 Aug 2019 05:35:21 -0500 Subject: [PATCH 033/134] added tier in hiera for testing and example to be deleted. --- data/{common.yaml => to_be_deleted.yaml} | 13 +++++++++++++ hiera.yaml | 2 ++ 2 files changed, 15 insertions(+) rename data/{common.yaml => to_be_deleted.yaml} (53%) diff --git a/data/common.yaml b/data/to_be_deleted.yaml similarity index 53% rename from data/common.yaml rename to data/to_be_deleted.yaml index 45b5f56b4..1899fc4e4 100644 --- a/data/common.yaml +++ b/data/to_be_deleted.yaml 
@@ -16,3 +16,16 @@ profile::os::linux::security::ssh_server_opts: PasswordAuthentication: 'no' SyslogFacility: 'AUTHPRIV' X11Forwarding: 'no' + +# example of eyaml encrypted mysql password +profile::app::mysql::server::root_password: > + ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEw + DQYJKoZIhvcNAQEBBQAEggEAn1OG1qv3jepoxIrbfU8lOpVc3+4HuyLlncet + QtWvvWRdTtkUu/3A+0rLHbtLHQNo8skLgJZadaQHR3JfAXW+OfKGhS31Q5sb + yOxIWD7t9J7ud1Ks+w2Ejmy2W5SI5W5FAWFM3IpKxTe2LZI2nRQ6IPL1PSG6 + WsU6qeDI47mQtqP030UNBchZafpUlN4KpknSLijhy/Hb1kRU+wyWc1ESt50L + RmLseK+lDx6r8g8DH9XVLM9YpvexnvcyPO2i7i//zRnN1dH6y0D7r3oH3duI + YwqwI1sPPgPVoWTN3bP3sKOoAdTiwXpgakP9rVanxw67S7VtJOJK3ujjP++l + orMyfTBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBADm3woaNcUD4FUmLZI + dsaYgCDJ4RUT7bXT1cHxBdHbvqgype082aVHqhqKHC9CI9mJGQ==] + diff --git a/hiera.yaml b/hiera.yaml index e10d94cd3..b69e31f0f 100644 --- a/hiera.yaml +++ b/hiera.yaml @@ -26,3 +26,5 @@ hierarchy: - name: "Common data (can be encrypted)" # Using same file as unencrypted path: "common.yaml" + - name: "Should be deleted data (this data is for testing purposes only)" # feel free to delete this layer + path: "to_be_deleted.yaml" From aa20e4eeb0a7dfbebd60b856d916ccb1a77fccce Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 30 Aug 2019 05:38:55 -0500 Subject: [PATCH 034/134] fixed some lint warnings --- site/profile/manifests/app/puppet/non_pe_infra_agent.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profile/manifests/app/puppet/non_pe_infra_agent.pp b/site/profile/manifests/app/puppet/non_pe_infra_agent.pp index 9e9ce3cea..79acbd6f1 100644 --- a/site/profile/manifests/app/puppet/non_pe_infra_agent.pp +++ b/site/profile/manifests/app/puppet/non_pe_infra_agent.pp 
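Review bot: The sample `profile::app::mysql::server::root_password` sits in a layer that the hiera.yaml hunk in this commit appends below `common.yaml`, so it becomes the fallback root password for any node that includes the MySQL profile without its own override. The ciphertext is only as private as the key pair it was encrypted with, and the masters profile in this series already warns about a private key shipped in the control repo, so the value should presumably be treated as publicly known. Mark it in the data file, for example `# DEMO ONLY: encrypted with the example key pair; never deploy this value`. Consider having the profile fail when no site-specific value is set rather than falling back to this one.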
@@ -3,7 +3,7 @@ String $puppet_server = 'puppet.exampledomain.com', Stdlib::Absolutepath $path_to_puppet_conf_dir = '/etc/puppetlabs/puppet', ) { - ini_setting { "puppet server setting": + ini_setting { 'puppet server setting': ensure => present, path => "${path_to_puppet_conf_dir}/puppet.conf", section => 'main', From 6fdadfabd20ec86228c07bb10b3418e85a26bd74 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 30 Aug 2019 05:46:13 -0500 Subject: [PATCH 035/134] added link to role and profile readme.md --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 30a5a419a..5d08b0062 100644 --- a/README.md +++ b/README.md @@ -182,7 +182,9 @@ One of the components setup by this control-repo is that when you "push" code to The Roles and Profiles in this repo are usable examples. Some of the code has been commented out to protect the inocent but the examples sound. Please review the following README's for a more detailed description of the examples. - * The role and profile patern (method for naming and suggestions for hierachy) are only examples and suggestions. + * The role and profile patern (method for naming and suggestions for hierachy) are only examples and suggestions. * Some of the Windows profiles may not totally work due to depencies. * Software download locations * Method for package install ie (chocolatey, or wmi, etc.) are not specified. + + **Please see [Role and Profile examples](./site/README.md)** From 80c8ca41ede26f62fc22dfceb6ceb8dc76ce450e Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 30 Aug 2019 05:47:05 -0500 Subject: [PATCH 036/134] first pass at wordpress and mysql --- site/profile/manifests/app/mysql/server.pp | 16 +++++++++++++++ site/profile/manifests/app/wordpress.pp | 24 ++++++++++++++++++++++ 2 files changed, 40 insertions(+) create mode 100644 site/profile/manifests/app/mysql/server.pp create mode 100644 site/profile/manifests/app/wordpress.pp 
diff --git a/site/profile/manifests/app/mysql/server.pp b/site/profile/manifests/app/mysql/server.pp new file mode 100644 index 000000000..c5319a2da --- /dev/null +++ b/site/profile/manifests/app/mysql/server.pp @@ -0,0 +1,16 @@ +# This is an example profile to install +# MYSql +class profile::app::mysql::server ( + # root_password is set in hiera data based on role and env_n_role + # Please delete files in " $root_password, + } + $mysql_bindings.each | String $binding | { + contain "mysql::bindings::${binding}" + } + contain mysql::server +} diff --git a/site/profile/manifests/app/wordpress.pp b/site/profile/manifests/app/wordpress.pp new file mode 100644 index 000000000..1958dbec5 --- /dev/null +++ b/site/profile/manifests/app/wordpress.pp @@ -0,0 +1,24 @@ +# This profile will deploy a wordpress blogserver +class profile::app::wordpress ( + String $mysql_server = 'localhost', + String $mysql_user = 'wp_db_user', + Stdlib::HTTPUrl $wp_site_url = "http://${facts['networking']['ip']}/port/4005/", +) { + if ($mysql_server == 'localhost') { + contain profile::app::mysql::server + } + + include apache + include apache::mod::php + apache::vhost { $facts['fqdn']: + port => '80', + priority => '00', + docroot => '/opt/wordpress', + } + + class { 'wordpress': + wp_owner => 'apache', + wp_site_url => $wp_site_url, + require => Class['apache'], + } +} From 897abce3c81bbc080459127be415e490b6235029 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 30 Aug 2019 05:56:01 -0500 Subject: [PATCH 037/134] added data for ssh and eyaml test keys for compiler profile --- data/to_be_deleted.yaml | 147 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 147 insertions(+) diff --git a/data/to_be_deleted.yaml b/data/to_be_deleted.yaml index 1899fc4e4..a8890652a 100644 --- a/data/to_be_deleted.yaml +++ b/data/to_be_deleted.yaml 
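Review bot: In profile::app::wordpress the `$mysql_user` parameter is never used, and `class { 'wordpress': ... }` is declared with only `wp_owner`, `wp_site_url` and `require`. The database host, user and password therefore presumably fall back to the wordpress module's defaults. `$mysql_server` only drives the `== 'localhost'` check and is not handed to the module either. Pass the connection settings through and take the password from eyaml-encrypted hiera data; if this is the hunner/wordpress module the parameters are `db_host`, `db_user` and `db_password` (confirm against the module in use). The default `wp_site_url` is also plain `http://`, which leaves the WordPress login on an unencrypted vhost.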
@@ -29,3 +29,150 @@ profile::app::mysql::server::root_password: > orMyfTBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBADm3woaNcUD4FUmLZI dsaYgCDJ4RUT7bXT1cHxBdHbvqgype082aVHqhqKHC9CI9mJGQ==] +#example private key stored in eyaml for profile::app::puppet::compiler +profile::app::puppet::compiler::eyaml_private_key_content: > + ENC[PKCS7,MIIH/QYJKoZIhvcNAQcDoIIH7jCCB+oCAQAxggEhMIIBHQIBADAFMAACAQEw + DQYJKoZIhvcNAQEBBQAEggEA7xJ/b0pCJUSbNsfIKtcC2VJ76U57ACePXtOX + 0E0QDj8aVtBbx6hm2F5rd4ys/7ynIhrB14509E00sTFCJsYyrq2PhVD7gE0h + XPjXtJQbXyKigZMJAlFlDJUJCOM2hjm9x9zrzx30p9OgG8r5FRGKbDoqN1Us + f20+N8f/8qPAKiZGtOmukeDkWqXsJdCT/V8TaU6m/p667+W66m/MhIZ+wTe0 + QidVklcu3bDP33UVfodQNTrOlMZXNGeRnh/Z+SfLjUyp57I7sVq3ZceP0vCF + ulVa+ymED88Hb7chhAT2tWcQUZHd5SbK/qltvzNOaBVy0LUukBRwxD9yJOVB + 1XGmCjCCBr4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEJ/RwACeR4ZK/L4E + lk0WFg2AggaQr+ktXx/g3NPzeGzIlZh0u6sul4qm8DPhoRnVQMhbG095LBqP + kaZBv+b9Hpd339Uo7uBiYihfXmDOV/XHefKBhWbhxuSlQAVcU9EUqHKfxKP7 + Wnakk571lEpNzGbr0NSxuwrJxJwTc4UWCMkAXSMRv/x37a2TH68Zyfr22FIw + +wgBpvrCzUuqRjbFkroxBpLk3UtVfqzQTe8e394+uNoU5DyOJGoFaXcg+QI8 + MB+gcvIl0qWY1n6opNHbOEMaU7Kc1dn/8F7wjzWMvrME1DnS40u0N8hGbWhE + 0W+WSzVkYb0DoPDAaTeXyXzAAkDKtsq/KRFZrQ3jbJc3O1MbtBC19RQ5vUEN + TXYZk11mQFZW41ukOqPk1udfIRnjoerp43opGUyQFHGTh3EVBsE1W5WL2oY9 + KWTpMZRHDHzMNAkBgvdUbmkQY002TZ+Ze2P/zm0iHjtpBqWdzt4DXf5rGrjd + CmDH84GqULfHkUo63vD7bSck6dPnMF1aL7Ro1H6+859aJTSHUhtWJuAmHxRc + /gmAeAybFmjs5IHhM5bWT/rGceOgQv3Wj58Bp1WJyIW04BVMZlouBbdRZ2su + jpBevq7s+l1SRxyfSOaILzEoEuWmMDMZ7JV6RVDUiomemN92fngmLZccdW6A + 7IQcNHIu/JF9CVh46NbwdSsMcHqCn13oB6UDCIbbsWbQc43yxAPK5d1jVBaZ + hb3HVJcmZ9nqxAooHnIPSma46W4kTiR4+BHkgf4hFZMwoNAbWB8qtgxqrb+v + e7FCEprkGfm1Fx/Rb+prvMEoUZbanlA6IcQ5hr965p5Niktn1nCQpVNBFOjG + n6giyg+wXvXdIdnA6Wn+BPmyf/YZbwFZ2jYww5/P2Xfh9VgVQJ61sOpa6Klh + tcwymMqgdrV6RR4sVltv+WmA0yCxm+J3IBoVAmHg6eRngVPNyalRSdUkBSG8 + IHa3QPA2eyiWfHEnrnH9y9ePNYcO0XRPz9+uAbLeIHlKoYIuLFWPs0FKXsiQ + AEyHftnUXZ1AoSr9/y9tyjadiNPu/+qceI8NNNgclhQgxB3YhJ7e7voBLXtd + 
g8WL25qEuqlhcMoZ58fg1GBeF1tYjtHLpSc5pYvXFaKs3i57jCOK7X32Stjq + ipqgqVWsDKv41CbEaN6pjIUCg73Rn+GlfmjuoxMt61S2TbCj3Yb7mnnYEsND + 45VcxRDCLIXHH676TjleAuZxu7wnrRpobOfdlHxCkM8tidwnjJvKsa1SLvFv + hEU2uAUO0ViSTlIV3LEkgFGyuNb4F0MLMdtNG9Pikx+ILc3kQnRyn4jb3mKW + TmlBCmIAVduxWLzyPM2g6caWpy4RW+72RXh//Sj4lhcmYRpAeI3m59gPFECc + o6n6kAkIYrk1NgjpGmyv/KdH0PBxZqUdeSxztlCbkMtfpIKI+jvRIP7ZXYQY + JffRRxHFFB1G1qRpHBwhVyTHss64mydOuuBSY4snLG+bvP2Q5f0gjQeJ7BHh + eqmVX+fAe3dce8z6VwzVf4l6MLbxwW47GHd/89Tr88MgGVNIKRZkU9jICLJ/ + JwOjnzTFK9DYeD9AlMT8C9W47ruJsL4UvlP5k0qZyAk2fu9/d7BTap5YY9ND + POI+Dkqr30EPcy+Ymgtky1tQuLMWAjKcJxb8/m/Vs8v9P1YL7SR9MbyMTyU6 + 0yhhnVgFVzXuPQpHGbKOMGKZD2UjxSOYya6a5f3lRFRtvLDZH9PfPCULEEAu + LD3aqHiFRRpfEIu3/LcQ15ZuRbDzzICjVNTaOkRfhE0LM49nXIk2zd5M3IQs + xskHKN8nH18hXumJLcKDpowTPTFyDKYgJ64884/oSGl3Vl0pri42mRdSLQBJ + sXhGjgCtKwJqQRx2uJDYX6+OjUTCP7JMpM6SIw0dVKpZfGQkqoqS7ExaJFS8 + Ebgra+Bhx8yVPkvhsrlXpUmE7dyA2RZpqgnl3oxp6KQbRsTRMRgE4UK5KYZT + V3CFq0dEOB/F9uUL821qtSLIQyD1gFlHWGnL97kwzmINTQYCKm38s8gBDM5Y + ecVbMZXrHSbSBm+4IMpBPUBPb4Ui5iRF+4usFyCJBGgSVxl96xXHRPPVvjAK + EyK1k5cl8YwvoJd5CfuixpvzCWRCulh7GrjfEDcUdX4l5E7zFw2vIEAvjj8x + 4gLCkiqX0ZY1B63bl52TVS1QdejMB7McT66DlfF05oWPo7buMjsgTTRb9e5K + 8UA9HrhVrg+ugdPHUzp/d7YlF30/7pS9] +profile::app::puppet::compiler::ssh_private_key_content: > + ENC[PKCS7,MIIH/QYJKoZIhvcNAQcDoIIH7jCCB+oCAQAxggEhMIIBHQIBADAFMAACAQEw + DQYJKoZIhvcNAQEBBQAEggEA4TvF7y+icqTngijNa8M+9NDt/ESIjhifCxUL + 0KSGbC72jwwuNFMBYbLMwPwy4iXg3my7meKp9YoaI4HIe3q7p/Mv6RJ0GSou + yxaGWQ0edOAFCsCuHz8uB4RCY69IOj1hmewb7VlYlf1Y71rtlfCKlfIyiBcY + oIYWXN0brstg/Feg36M7DZQCGOP9M/yvNilOCIQzPYThu5qPBAZzu5yezOzF + L2phAI0tXyHd52RNokIldZPPdL7FxDnR4KTJxl2M2dwk6qbTavlAksl/PoW0 + Jve9g26Q6IxWsl7a/iq77wjOZRNPOZP1FIiveJaXw+B8K5DbIMIkldxSOSy0 + nKOPAzCCBr4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEAYRil4dbCZDOD0D + NcM6dxSAggaQhR3+O7JpTGsHza6NpqX9xsMz+LAbhOTU8SGVyMgMS3gJuM0q + r6JNsb7a/dzNaXxc2fwz/MEI3Vf6TKknJkyVhpB1nAH3CXUtBCYpKrAqRj+v + Pi/kTgU+DoOKnpBOkFaFEJnhlCKvitzvG8x86Y45AGnZwsdXZCGkuY9pXjxl + 
U4oZu2GvuOHBuz/m/d+a93YELF7NvJ1MYvSVNuHiOW2DZT5bQLpDLpeChQdB + pwQaHfjG580mLnSNm2iTqsWiQ8oQjDNCKhMaxayKM/fITFI0IVtZQ2yNctZq + +gWknUBgvaqZ1xuIHVyGG8OghFlNkRIEKWppvg/dn2bR+2NY7v6EMfeIkdDp + VY6432kzc/GIT00xlnu3EcJHDWq9n7fM5HXjvq4xSial/oFVCbOmkVMqzh4o + wL0x+xrlQRQJ72Wt/C/k+4Yd/n98tiXmG3Zc10YW8XVxsDEDi1d4/2k0Lt/I + kwecN1rT9gbL4szz7JtQPF7U0AzEgIewekqH3WUeFbFR4REoNtgGRnAwawKh + MuVAykZICV7rRgrXL+bafvic6/QNmOqzbbJ8snNEl1dTJ/meB/zzK5DFuq3F + gYEmYJN3ffxd784FkTjeQ3VOFmiTzYHGj0LgJyWuZgy1oz5QSBtdJwfVP53D + Xg93zkNtJess1weQ09cwW7ve/ppDazPFEQQ1ixLxRygOpVtRM3ue9lL+I4zt + BHgzUSeTbfXxc8bvI7n2r3ArLvRE5sVXqbIV82QQg0ZLFMW0seVH21Ui0RDD + 8nMTEgSKnibeitx3P1Ua+Oyqbf+qcwpFDO3T9+ym98ksSgPCW3oJ7dwb4yn+ + EPB9pGMQChQo9pEb9xIm2NbpohqenT2FxR2AvknxEOI2AeVw//YmOxUJtt3J + ovLgPieaghUVq4Vch87uE6V7VgT2pHYB7w/iLJDvgRTYFP0miDIALkVyrceo + gSTitft0aeMGRMV//0aZh70NfqTjBdzlPJmDfkt6PB5rHrlSz7bavt7wSDLc + rY+7FbttFjhwcZiTSnMfWVtKo3RmmmhpF8VO8p3p5vivJ6/cYGi8QZEwZMdU + +hTHGcdSJazH6z8Zv/nloPfxWekjpWxXgyL9CJp4OsMyzS0MR0vObm9e/tF3 + RKlUW9SwEWT2ICAaCxAX6fijV4C6poHhodaOjAMmSnPXthJs2MQwIMF3gryA + ekB6ltNQCJyTorylaNaq/dGVr2IPuJdGlMi9Ydv2YoWXTaYU2AwYYju/2CST + o7tgtu1IAlcZyh533xFU4FVDj4tWTLyxXvxAXhsGluMIo0qEOrsvlPOvmSV6 + PMfqOQPe2Jpt6AB8o6p7w2LDEP5MWU45OZoLGGsphaGUw/CZL30/DKHjqbGn + mqVcQ9GR+/W9sv8rBdUXY1HsAiiPW7L3+Hg7R+2XDkIVQcRmGj0hIeKX5QVX + dBv/DY2Z4iEjKdEYVG/GZfE2WvyAGjblA99Sr28xae2L8eyakPz0vneDV58x + AkhM+ejNHurYZWjqvozbtmLxmthtyWdycFwGE72lujMOeIBkm8NvwEZlLK4B + z8/rrHlTlzW+Iipzr02d4/wmXzEpjZF82uYzCXxyMEmZ1RHWiQYkbZx7AXHc + z0+2kyZUVHX3sBhpHhv1W8NwsTJUWyaBgIpAann+IXsWA8xudMBX4HdAxVM0 + mEHI7KoTMVCm2kZ5gSzmHaHY5q4V1LmTpiCvFWqUfLFz0Z9z5uV6q3pZuOUu + cH+C0biwbhKT+vJRIuVzk6Jx7+JaTVYeBtj46rk/1OVgQQ5uor0dWZ/XphEO + 2hxTkQWytWrIwpoU2TodtVQnI2dxpsSwNrL+oULHeVFMqmH1LszLkiHG6TSB + jgdhvVbNNr33dZU5s3iFRj651bSYnj4NZ8I2LQJzERzhMnvgExw7neNfZR1I + TkMEvXpcFp9H3MlS8clwlvy0vQae5FxGOgHiVRtY+vgHHwUBm8h7clNuHPc+ + /ms02FbQX0CtOCTxfTaA6hR34fSyeCxZvY7UCPqeiAQoOX1cMJJahJ31o6zO + 
O37LM/5N1JdjXsXfb7woqGCxV8tMt8n/hK+jTZSphn3C5qvN9GvzuSUVEctq + OlIyIcXeJW98S0gBtqNFB2J0rzU99oZrZ2m5qp2YAI/RRlMi1X7LT2cj5x++ + a+KDBrkXUD7+jJc2a9seUH6gOQbiHlGT0EhwFqfhVaX2fX1S95MZmm/WZZS6 + KaMKaApqLrFsVzyNngGgTd8XRXFV9PDR] +profile::app::puppet::compiler::eyaml_public_key_content: > + ENC[PKCS7,MIIFjQYJKoZIhvcNAQcDoIIFfjCCBXoCAQAxggEhMIIBHQIBADAFMAACAQEw + DQYJKoZIhvcNAQEBBQAEggEASWsFHYa/FyWNNE4a9Zuc7Pqg50OOcdA8pV5w + Oxs7sgDAhmO4tUcu5GIk84MwQDd1ieU8eSASCrZGxM84fAfr0xmncA7DEI8F + 1qkprYqto72YUJX1EJi1itAlmC6iXgHsPrjorxG2q1mqMyAl6DyKJ/78gWyR + d3aS+MeShF8QZQjCqQ3y6WIylV5HyxBFCJk77jquiXZeTSc+zWwUjxJOjILX + TjeKXrOVr1pA6PVNPQjQPXNGzeLXdHdqjHvCHNXHet8Ja2bKb3NUqFa58Rzq + nky2tSPcWqjiOo1zjO1TmPkQI1adr2B5zOIQrNF4bU8Rk8BCqJxzs0DxkGqf + slr12jCCBE4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEBu89wK0tIPrUUsW + usyzeqKAggQgKypMUlofJAARYq63AsQl7OnSJSKyHWuKwDpwlZHmmkLB8w4Q + J8YL7m/08OSULpEUoB9afwihrzPrxPnvJT3AbLYmFIH+qSPEnNoS0s4wGw7r + WiHgw6UDolGH6cxPeNjoSBVGvjN7kapxrgF5iz5AqNj3Xv8XvXQLmhbwh2uL + 9VZRXCE2TvfgbcgNZoBw4TdYJu4NpfVzKvpeqibmuLdoGxbuLVLlKYjlGwRF + u5Ssx9Ax2H07fQPiROAlEkw2x7V/+gPd47kiu+5s9gRvYPIhduuhy/Q35NcB + Yxdi2p0HO57tOa2qy2/7N6x0bnXlMi8nn2PwCbyl2S+J68vBEhQ+g2BaLcfA + K4nEycRJjp5ykAKwFlSJWC6Kdsb0DXZBCiTqqrpnjLrRLKzQzKEoc+G16CAw + z3DMRWUss/oH/rxoiWS+MuxQKfQEs3S+AnZjmEKwk+luXV26vKxBjxbyyVmk + I6nv/g008TZH85oaUcbLP6goph9k15olz1m+ECToS64TXZRhrzvCmT+GxFmg + fOIAMONI/Vw8oZJTzWapnQNdxlBRa+GJwncaUn8gk2bH7qQS1cE3O5te3Mu0 + EH7hWtp1dflzKPTUU6mXHt2/O8ROU3QEbF10y7aDsn6bYI/pfe026nEuCSxU + RrJxUTkjnB2lXqeDVDE2XlxjHgS/GhGvYFx4Z9bBPq1RCHR7OWFfqnuQz77n + yrKfmwnpSAgrZINlOAsE7qJg9+PWisn2qcP6Oxzla+wRy/oEkPfUtrM3fBKP + UwIEZ4pBWoE0Hl2QzmmReSCMcwMPn66zssJTn1hGPRyR5GGCMz+LsE9Bn2FI + oJ+MYvDZxrBm5gsdqvqepIlyiKC0EPxXPuBaY1tWXtiRprO7KvGzM6uNzAWz + DHcXggZvYlDGV5+583XlIICqm8TEhHx//pqXJkm9XtALl+cM7bfAryhWVpyU + qj4Lx1uTbnElSHKE3Ru0OleZ//2jknmH1IE4lFgHrIEpFTZYZraZl09qloJI + XiKKSmCa7Diil+iAthyFHgP/AUBJDS85lxd3c0OcWOpl2f7hufno1qBK5g+u + lrjfcz0XwPcNX8ZkdES1ZjN+dmRDK7vh0tRgNbsQweL+9yQuvaMX5imyYFw0 + 
S9FYyY5WcN6FYuP8GfMDmp5eyUMertlvdr4++g5BPrccQ+bYfmhg7s8hxaYl + 3u8xpMD+8aJgNsO63oIlFWdYWBcguH/up6jA/jkMVUZ/aRulXQMvQ0SJ+7Qn + 5ha9L0cALAyhmmLwHc1BdWyrkYJ+W6CXdzBrM1aURt6XDLM9aaF1m75XEf8S + aqYnQF2nOhdvluuvGFFKBz9fai7K6gFKQVgI9OjS88hFAjkWXMC8g/ZaZmeQ + jYqHGT1oWHHDYtT5KPQtaMbUC0bsEJ+jtbAJeOW9] +profile::app::puppet::compiler::ssh_public_key_content: > + ENC[PKCS7,MIIDDQYJKoZIhvcNAQcDoIIC/jCCAvoCAQAxggEhMIIBHQIBADAFMAACAQEw + DQYJKoZIhvcNAQEBBQAEggEAzyl+GLbgOpZu7I/mI8SXksLOgvrhrZlKeM1z + qyJF9eRxxepSCLRnDee9qo/Gj08/Si+KVZ3mNOljtSQC3XyrIOv+EscZaN9K + DCr9hlhDWT9WaDgykKpIEKnVrqR11vY28l8uHrce4ME1X7A4SQZn0odN9CP0 + 9OzaEYgiWRWcLbw9eGXkH0OCS2OrXiYTuQpkHCcJTDeYma3qN9gMC9mQLSPx + +wBC1143Nb3AprS2O6nu9UHnTpGM72kF1cJt20DaKItlmRVRGL+2rHWfHraR + SXF1wxi5ffpfetzE8MvPlZGLcrt+AQaODkvscZLYLNNgjxYccweu8A309liX + /07mTzCCAc4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEAABNCM7lW1AsVF+ + oyM9yVyAggGgfp/WQ1DUTGHmbPUvgpVWD0hhArQu2r5tmi9lU/aYR5ltOFjt + hnvvyvsiQykqLUlBHI+/Jc0ma5/pDTpZklNSHlXyY69s8wc+SM3yoKwT3//R + PLUVFetSifFDiaIatngNmOF03FbOrnWqa1MqVGCqYPlm1nRdt7i65zU+GlPJ + wTSFOSSvgDEIEuo2pOM1b45kTmf9yrKILGIGhjE8qP5ZEibZf35wBBP9KhW7 + 75yj/DVJgCDlmX7WC7bCdGUTdkFUCui9Z78s0ze6ig4zCykv33TibTksj6zE + RolScusJqtM1+zRDtpT+qk3u7xcUBKrDm4wZ4E7eEVBp5k1rJ6Z+WQ9N4XWe + ZpZ/qSJzo/bJjaQLXtipVsvRtoIi27p7kmjAup1ehgIlyKUbY9GLhOlPYtEn + 4/UWR2PSBOmWb2uE3KWnVPJEfLGKyZhjExOXXH7IAsf8Nn5IGcpfO0nD48QO + U0LFXP8TsaVrBdOLfnhryj8hvwNNEGtOFvJDrtinpPJfJY1pxNFcH4sID3Qt + G1b2zTCABCXgkfwNt0WFcdxMITE=] From 4ed39ce319e360a551b3b51957ddc16a1bdbfc13 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 30 Aug 2019 06:27:23 -0500 Subject: [PATCH 038/134] added profiles for security --- Puppetfile | 3 ++ site/profile/manifests/os/baseline.pp | 4 +- site/profile/manifests/os/linux/security.pp | 43 +++++++------------ site/profile/manifests/os/windows/security.pp | 1 + 4 files changed, 22 insertions(+), 29 deletions(-) diff --git a/Puppetfile b/Puppetfile index 180407b86..15abff6e2 100644 --- a/Puppetfile +++ b/Puppetfile 
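Review bot: The `eyaml_private_key_content` and `ssh_private_key_content` entries put private key material into the control repo, protected only by the eyaml key pair that encrypted them. If that pair is the example one the repo's own warning in masters.pp refers to, these values are readable by anyone with repo access. The only marker is the `#example private key stored in eyaml` comment on the first entry; the other three keys carry none. I would put a comment on every entry, e.g. `# TEST KEY ONLY - generated for this example, never deploy; generate new keys per site`, and document that real key material is delivered outside the control repo.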
@@ -19,6 +19,9 @@ mod 'puppetlabs-powershell', '2.2.0' mod 'puppet-windows_env', '3.2.0' mod 'cyberious-pget', '1.1.0' mod 'cyberious-windows_java', '1.0.2' +# These modules are to assist in securing the os's +mod 'autostructure-secure_windows', '1.0.5' +mod 'shearn89-toughen', '1.0.0' #mod 'tomcat', # git: 'https://github.com/spidersddd/puppetlabs-tomcat' diff --git a/site/profile/manifests/os/baseline.pp b/site/profile/manifests/os/baseline.pp index 046fc416f..e8d2d4a4d 100644 --- a/site/profile/manifests/os/baseline.pp +++ b/site/profile/manifests/os/baseline.pp @@ -14,14 +14,14 @@ name_servers => $name_servers, search_path => $search_path, } - #include 'profile::os::linux::security' + include 'profile::os::linux::security' } 'windows': { class { 'profile::os::baseline::dns_resolver': name_servers => $name_servers, search_path => $search_path, } - #include profile::os::windows::security + include profile::os::windows::security } 'Solaris': { class { 'profile::os::baseline::dns_resolver': diff --git a/site/profile/manifests/os/linux/security.pp b/site/profile/manifests/os/linux/security.pp index a6a14707c..5ad51d472 100644 --- a/site/profile/manifests/os/linux/security.pp +++ b/site/profile/manifests/os/linux/security.pp 
@@ -1,28 +1,17 @@ -# This profile is example of security configurations for -# site specific security settings. -class profile::os::linux::security ( - # This allows hiera to control if the saz/ssh::server class should be used - # on perspective agent hosts. Setting to false will mean the agents ssh server - # configuration will not be managed. If 'profile::os::linux::security::ssh_server' - # to change this behavior - Boolean $ssh_server = true -) { - if $ssh_server { - # This lookup allows the hash to be constructed over multiple hierarchies - # example is located in common.yaml and virtual/virtualbox.yaml - $ssh_server_opts = lookup( 'name' => 'profile::os::linux::security::ssh_server_opts', - { 'merge' => { - 'strategy' => 'deep', - 'default_value' => {} }, }) - - $ssh_client_opts = lookup( 'name' => 'profile::os::linux::security::ssh_client_opts', - { 'merge' => { - 'strategy' => 'deep', - 'default_value' => {} }, }) - - # Pass the found options to saz/ssh server class - class { 'ssh::server': - options => $ssh_server_opts, - } - } +# This is a class example for security +class profile::os::linux::security { + include toughen::auditing + include toughen::banners + include toughen::boot + include toughen::cron + include toughen::filesystem + include toughen::init + include toughen::legacy_services + include toughen::mandatory_access + include toughen::network + include toughen::pam + include toughen::perms_owners + include toughen::process + include toughen::services + include toughen::shadow } diff --git a/site/profile/manifests/os/windows/security.pp b/site/profile/manifests/os/windows/security.pp index f81abe368..f45a6acbd 100644 --- a/site/profile/manifests/os/windows/security.pp +++ b/site/profile/manifests/os/windows/security.pp @@ -10,4 +10,5 @@ if $enable_rdesktop { include profile::os::windows::enable_remote_desktop } + contain secure_windows } From 61c8d631b407f8cdd773b39f26ab8d12c20d3c46 Mon Sep 17 00:00:00 2001 
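Review bot: The rewrite of profile::os::linux::security drops the `class { 'ssh::server': options => $ssh_server_opts }` declaration together with both `lookup()` calls. The `profile::os::linux::security::ssh_server_opts` data still in data/to_be_deleted.yaml (`PasswordAuthentication: 'no'`, `X11Forwarding: 'no'`) is therefore no longer applied by this profile. Unless one of the `toughen::*` classes manages sshd_config, which the hunk does not show, sshd is left unmanaged after this commit. Either keep the `$ssh_server` parameter and the `ssh::server` block alongside the new includes, or remove the now-unused hiera keys so the data does not suggest a control that is not enforced. baseline.pp in the same commit also enables this profile for every Linux node with no opt-out parameter.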
From: Troy Klein Date: Fri, 30 Aug 2019 06:39:14 -0500 Subject: [PATCH 039/134] added profiles for security --- Puppetfile | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/Puppetfile b/Puppetfile index 15abff6e2..1edb6ae08 100644 --- a/Puppetfile +++ b/Puppetfile @@ -21,6 +21,17 @@ mod 'cyberious-pget', '1.1.0' mod 'cyberious-windows_java', '1.0.2' # These modules are to assist in securing the os's mod 'autostructure-secure_windows', '1.0.5' +mod 'ayohrling-local_security_policy', '0.6.1' +mod 'autostructure-auditpol', '1.0.0' +mod 'puppetlabs-acl', '2.1.0' +mod 'puppetlabs-registry', '2.1.0' +mod 'puppet-windowsfeature', '3.2.2' +mod 'autostructure-applocker', '1.0.0' +mod 'puppet-sslcertificate', '3.4.0' +mod 'ipcrm-registry_acl', '0.0.6' +mod 'puppetlabs-powershell', '2.3.0' +mod 'puppet-windows_firewall', '2.0.2' +mod 'autostructure-ad_acl', '1.0.0' mod 'shearn89-toughen', '1.0.0' #mod 'tomcat', From 12f3fa634fb4675b8fb51a6a4ba5bdbe0fa6a29a Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 30 Aug 2019 06:42:31 -0500 Subject: [PATCH 040/134] added role for masters --- site/example_role/manifests/sup_svc/puppet/master.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/site/example_role/manifests/sup_svc/puppet/master.pp b/site/example_role/manifests/sup_svc/puppet/master.pp index d0b8f6bb8..206f17024 100644 --- a/site/example_role/manifests/sup_svc/puppet/master.pp +++ b/site/example_role/manifests/sup_svc/puppet/master.pp @@ -1,4 +1,5 @@ # This is a role to add to the Puppet Master. class example_role::sup_svc::puppet::master { - # include profile::os::baseline + include profile::os::baseline + include profile::app::puppet::masters } From 0265039eff885ac5bdbb728e6163cf40927c8655 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 30 Aug 2019 06:57:09 -0500 Subject: [PATCH 041/134] added security modules --- Puppetfile | 11 +++++++++++ 1 file changed, 11 insertions(+) 
diff --git a/Puppetfile b/Puppetfile index 1edb6ae08..639cf603e 100644 --- a/Puppetfile +++ b/Puppetfile @@ -32,7 +32,18 @@ mod 'ipcrm-registry_acl', '0.0.6' mod 'puppetlabs-powershell', '2.3.0' mod 'puppet-windows_firewall', '2.0.2' mod 'autostructure-ad_acl', '1.0.0' + mod 'shearn89-toughen', '1.0.0' +mod 'puppetlabs-firewall', '1.12.0' +mod 'puppetlabs-limits', '0.1.0' +mod 'thias-sysctl', '1.0.6' +mod 'puppetlabs-ntp', '7.1.1' +mod 'herculesteam-augeasproviders_core', '2.1.4' +mod 'herculesteam-augeasproviders_grub', '3.0.1' +mod 'kemra102-auditd', '2.2.0' +mod 'puppetlabs-concat', '4.2.1' +mod 'puppet-selinux', '1.5.2' + #mod 'tomcat', # git: 'https://github.com/spidersddd/puppetlabs-tomcat' From 9e8b37344ad8f0d2fb519c6538b04c39ae7b51b9 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 30 Aug 2019 07:00:29 -0500 Subject: [PATCH 042/134] fix for security --- site/profile/manifests/os/linux/security.pp | 2 -- 1 file changed, 2 deletions(-) diff --git a/site/profile/manifests/os/linux/security.pp b/site/profile/manifests/os/linux/security.pp index 5ad51d472..8f5513856 100644 --- a/site/profile/manifests/os/linux/security.pp +++ b/site/profile/manifests/os/linux/security.pp @@ -5,13 +5,11 @@ include toughen::boot include toughen::cron include toughen::filesystem - include toughen::init include toughen::legacy_services include toughen::mandatory_access include toughen::network include toughen::pam include toughen::perms_owners - include toughen::process include toughen::services include toughen::shadow } From 0199de93234569ef914f5fe3520719c85870c1e3 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 30 Aug 2019 07:04:15 -0500 Subject: [PATCH 043/134] fix for name --- site/profile/manifests/os/baseline/archives.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profile/manifests/os/baseline/archives.pp b/site/profile/manifests/os/baseline/archives.pp index 9cddf685a..cc231092c 100644 --- a/site/profile/manifests/os/baseline/archives.pp 
+++ b/site/profile/manifests/os/baseline/archives.pp @@ -1,6 +1,6 @@ # This profile is to normalize archive for a site # it will set temp dir and install dir for the build -class profile::os::baseline::archives ( +class profile::os::baseline::archive ( Optional[Stdlib::Absolutepath] $in_temp_path = undef, ) { include '::archive' From aa00db818228b8984a823bed6a20c6c738f30699 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 30 Aug 2019 07:07:09 -0500 Subject: [PATCH 044/134] fix for archives profile --- site/profile/manifests/os/baseline.pp | 2 +- site/profile/manifests/os/baseline/archives.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/site/profile/manifests/os/baseline.pp b/site/profile/manifests/os/baseline.pp index e8d2d4a4d..38380393d 100644 --- a/site/profile/manifests/os/baseline.pp +++ b/site/profile/manifests/os/baseline.pp @@ -36,5 +36,5 @@ } # Profile does the OS case statement # Profile will normalize the 'temp' path for Linux, Solaris, and Windows - include profile::os::baseline::archive + include profile::os::baseline::archives } diff --git a/site/profile/manifests/os/baseline/archives.pp b/site/profile/manifests/os/baseline/archives.pp index cc231092c..9cddf685a 100644 --- a/site/profile/manifests/os/baseline/archives.pp +++ b/site/profile/manifests/os/baseline/archives.pp @@ -1,6 +1,6 @@ # This profile is to normalize archive for a site # it will set temp dir and install dir for the build -class profile::os::baseline::archive ( +class profile::os::baseline::archives ( Optional[Stdlib::Absolutepath] $in_temp_path = undef, ) { include '::archive' From 8ff2642faaa8e4c7615508f09ba1ceecaa6305bd Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 30 Aug 2019 07:17:33 -0500 Subject: [PATCH 045/134] fix for testing env --- data/to_be_deleted.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/data/to_be_deleted.yaml b/data/to_be_deleted.yaml index a8890652a..ae0a07533 100644 --- a/data/to_be_deleted.yaml 
+++ b/data/to_be_deleted.yaml @@ -176,3 +176,6 @@ profile::app::puppet::compiler::ssh_public_key_content: > 4/UWR2PSBOmWb2uE3KWnVPJEfLGKyZhjExOXXH7IAsf8Nn5IGcpfO0nD48QO U0LFXP8TsaVrBdOLfnhryj8hvwNNEGtOFvJDrtinpPJfJY1pxNFcH4sID3Qt G1b2zTCABCXgkfwNt0WFcdxMITE=] + +profile::os::baseline::dns_resolver::name_server: [ '192.168.0.10', '192.168.0.7' ] +profile::os::baseline::dns_resolver::search_path: 'platform9.puppet.net' From 2c36219b4e67004ffe97f6e96a81c14bb7e2ef90 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 30 Aug 2019 07:21:56 -0500 Subject: [PATCH 046/134] fix for testing env --- data/to_be_deleted.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data/to_be_deleted.yaml b/data/to_be_deleted.yaml index ae0a07533..5291110a4 100644 --- a/data/to_be_deleted.yaml +++ b/data/to_be_deleted.yaml @@ -177,5 +177,5 @@ profile::app::puppet::compiler::ssh_public_key_content: > U0LFXP8TsaVrBdOLfnhryj8hvwNNEGtOFvJDrtinpPJfJY1pxNFcH4sID3Qt G1b2zTCABCXgkfwNt0WFcdxMITE=] -profile::os::baseline::dns_resolver::name_server: [ '192.168.0.10', '192.168.0.7' ] -profile::os::baseline::dns_resolver::search_path: 'platform9.puppet.net' +profile::os::baseline::dns_resolver::name_servers: [ '192.168.0.10', '192.168.0.7' ] +profile::os::baseline::dns_resolver::search_path: [ 'platform9.puppet.net' ] From e6f29dbf3c5996f9e180ef843007769f730d4940 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 30 Aug 2019 07:25:22 -0500 Subject: [PATCH 047/134] fix for testing env --- hiera.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/hiera.yaml b/hiera.yaml index b69e31f0f..1ff0b7673 100644 --- a/hiera.yaml +++ b/hiera.yaml 
@@ -8,6 +8,9 @@ defaults: # Used for any hierarchy level that omits these keys. pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem hierarchy: + - name: "Should be deleted data (this data is for testing purposes only)" # feel free to delete this layer + path: "to_be_deleted.yaml" + - name: "Per-node trusted.certname data (can be encrypted)" # Using same file as unencrypted path: "nodes/%{trusted.certname}.yaml" @@ -26,5 +29,3 @@ hierarchy: - name: "Common data (can be encrypted)" # Using same file as unencrypted path: "common.yaml" - - name: "Should be deleted data (this data is for testing purposes only)" # feel free to delete this layer - path: "to_be_deleted.yaml" From 4a6f3a3215ea5097a4065567ff189c55094fc2c9 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 30 Aug 2019 07:33:59 -0500 Subject: [PATCH 048/134] fix for testing env --- site/profile/manifests/os/baseline/dns_resolver.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site/profile/manifests/os/baseline/dns_resolver.pp b/site/profile/manifests/os/baseline/dns_resolver.pp index 30bdb0070..085d87c4c 100644 --- a/site/profile/manifests/os/baseline/dns_resolver.pp +++ b/site/profile/manifests/os/baseline/dns_resolver.pp @@ -12,7 +12,7 @@ ) { case $facts['kernel'] { - 'linux','solaris': { + 'Linux','Solaris': { # Use saz/resolv_conf Forge module class { 'resolv_conf': @@ -48,7 +48,7 @@ } } - default: { notify { 'This profile does not support your OS': } } + default: { fail("This profile does not support your OS type ${facts['kernel']}") } } } From 905f7eceacc971cf816732dada60c4a0f2dde018 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Sat, 31 Aug 2019 07:43:32 -0500 Subject: [PATCH 049/134] pulled some security due to issues with PE, trying to find class that breaks pe. --- site/profile/manifests/os/linux/security.pp | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) 
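Review bot: Moving the `to_be_deleted.yaml` level to the first position under `hierarchy:` gives the test data the highest priority, so for first-found lookups its values now win over the per-node level and every level below it. That file holds the example `root_password`, the example private keys and the lab DNS servers (`192.168.0.10`, `192.168.0.7`), so a site that fills in real node data would still receive the test values. I would leave the level last, or at least put a comment on it such as `# TEST ONLY: highest priority, overrides node data - remove before use`.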
diff --git a/site/profile/manifests/os/linux/security.pp b/site/profile/manifests/os/linux/security.pp index 8f5513856..9e3cbbe5b 100644 --- a/site/profile/manifests/os/linux/security.pp +++ b/site/profile/manifests/os/linux/security.pp @@ -4,12 +4,11 @@ include toughen::banners include toughen::boot include toughen::cron - include toughen::filesystem - include toughen::legacy_services - include toughen::mandatory_access - include toughen::network - include toughen::pam - include toughen::perms_owners - include toughen::services + #include toughen::legacy_services + #include toughen::mandatory_access + #include toughen::network + #include toughen::pam + #include toughen::perms_owners + #include toughen::services include toughen::shadow } From 20977f9c865243b12ccea4a613bb7ffacfabbff4 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Tue, 3 Sep 2019 07:00:06 -0500 Subject: [PATCH 050/134] removed duplicate modules from Puppetfile --- Puppetfile | 2 -- 1 file changed, 2 deletions(-) diff --git a/Puppetfile b/Puppetfile index 639cf603e..c5b10bde2 100644 --- a/Puppetfile +++ b/Puppetfile @@ -3,7 +3,6 @@ forge "http://forge.puppetlabs.com" mod "puppetlabs/inifile", '1.6.0' mod 'puppetlabs-stdlib', '4.24.0' mod 'puppetlabs-tomcat', '2.4.0' -mod 'puppetlabs/concat', '2.2.1' mod 'puppetlabs-java', '3.2.0' mod 'puppetlabs-chocolatey', '3.1.0' mod 'puppetlabs-iis', '4.5.0' @@ -15,7 +14,6 @@ mod 'icinga-icinga2', '1.3.7' mod 'puppetlabs-dsc', '1.7.0' mod 'puppetlabs-reboot', '2.0.0' -mod 'puppetlabs-powershell', '2.2.0' mod 'puppet-windows_env', '3.2.0' mod 'cyberious-pget', '1.1.0' mod 'cyberious-windows_java', '1.0.2' From 6a700b9cbac662d3617bf4e89536b611af70f6dd Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Tue, 3 Sep 2019 07:12:27 -0500 Subject: [PATCH 051/134] removed toughen::auditing --- site/profile/manifests/os/linux/security.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
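Review bot: Six of the `toughen::*` includes are commented out here and `include toughen::filesystem` is removed outright, with nothing in the manifest recording why or that the state is temporary. profile::os::baseline still includes this class, so a node reports the security profile as applied while most of the hardening is switched off. Add a comment above the disabled lines, e.g. `# TODO: disabled while isolating the class that breaks PE; re-enable one at a time`, and keep `toughen::filesystem` as a commented line so it is not forgotten.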
diff --git a/site/profile/manifests/os/linux/security.pp b/site/profile/manifests/os/linux/security.pp index 9e3cbbe5b..eb6181a60 100644 --- a/site/profile/manifests/os/linux/security.pp +++ b/site/profile/manifests/os/linux/security.pp @@ -1,9 +1,9 @@ # This is a class example for security class profile::os::linux::security { - include toughen::auditing include toughen::banners include toughen::boot include toughen::cron + #include toughen::auditing #include toughen::legacy_services #include toughen::mandatory_access #include toughen::network From 5be9078c3fff6001c1ed1d2b2f36fee932fe770f Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Tue, 3 Sep 2019 07:16:20 -0500 Subject: [PATCH 052/134] removed incorrect profiles changed to profile --- site/profile/manifests/os/windows/security.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profile/manifests/os/windows/security.pp b/site/profile/manifests/os/windows/security.pp index f45a6acbd..8adb556a5 100644 --- a/site/profile/manifests/os/windows/security.pp +++ b/site/profile/manifests/os/windows/security.pp @@ -5,7 +5,7 @@ Boolean $enable_rdesktop = false, ) { if $disable_ipv6 { - include profiles::os::windows::disable_ipv6 + include profile::os::windows::disable_ipv6 } if $enable_rdesktop { include profile::os::windows::enable_remote_desktop From dd823b74a29a8249cdf04c0261b8d0e683c15b39 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Tue, 3 Sep 2019 07:28:44 -0500 Subject: [PATCH 053/134] check for windows version to use secure_windows --- site/profile/manifests/os/windows/security.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/site/profile/manifests/os/windows/security.pp b/site/profile/manifests/os/windows/security.pp index 8adb556a5..c572af37f 100644 --- a/site/profile/manifests/os/windows/security.pp +++ b/site/profile/manifests/os/windows/security.pp 
@@ -10,5 +10,7 @@ if $enable_rdesktop { include profile::os::windows::enable_remote_desktop } - contain secure_windows + if $facts['os']['release']['major'] != '2012 R2' { + contain secure_windows + } } From 7303a0616ce0fd31d07695a878acb5502ed3e41b Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Tue, 3 Sep 2019 08:42:23 -0500 Subject: [PATCH 054/134] Fix for onceover with new masters class --- .../manifests/app/puppet/check_hiera_keys.pp | 19 +++++++ site/profile/manifests/app/puppet/masters.pp | 51 +++++++------------ spec/pre_conditions/puppet_enterprise.pp | 5 ++ 3 files changed, 43 insertions(+), 32 deletions(-) create mode 100644 site/profile/manifests/app/puppet/check_hiera_keys.pp create mode 100644 spec/pre_conditions/puppet_enterprise.pp diff --git a/site/profile/manifests/app/puppet/check_hiera_keys.pp b/site/profile/manifests/app/puppet/check_hiera_keys.pp new file mode 100644 index 000000000..59e8372d1 --- /dev/null +++ b/site/profile/manifests/app/puppet/check_hiera_keys.pp @@ -0,0 +1,19 @@ +# This section will check repo provided keys in the demo/example +# control-repo and warn if they are still in use. +class profile::app::puppet::check_hiera_keys { + + $hiera_private_key = '/etc/puppetlabs/code/environments/production/keys/private_key.pkcs7.pem' + $hiera_private_key_exists = inline_template("<% if File.exist?('${hiera_private_key}') -%>true<% end -%>") + + if $hiera_private_key_exists { + $warning_content = "${hiera_private_key} file should be removed from the control repo!\n \ + Any eyaml encrypted data should be re-encrypted with new keys. DO NOT PLACE PRIVATE KEY in control-repo!\n \ + See https://github.com/voxpupuli/hiera-eyaml#generate-keys" + + warning($warning_content) + notify { 'key error': + message => $warning_content, + } + } + +} diff --git a/site/profile/manifests/app/puppet/masters.pp b/site/profile/manifests/app/puppet/masters.pp index 88f4c807b..d73b53d37 100644 --- a/site/profile/manifests/app/puppet/masters.pp 
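Review bot: When `$facts['os']['release']['major']` is `'2012 R2'` the new conditional skips `contain secure_windows` without any message, so those servers get no hardening baseline and nothing in the run report says so. Add an else branch that makes the gap visible, for example `} else { warning("secure_windows not applied on Windows ${facts['os']['release']['major']}") }`, plus a comment explaining why 2012 R2 is excluded. The class header and parameters are outside this hunk.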
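Review bot: `$hiera_private_key_exists` in the new check_hiera_keys.pp is a string produced by `inline_template`, either `'true'` or `''`, and in Puppet 4 and later an empty string is truthy, so `if $hiera_private_key_exists` appears to fire on every run whether or not the key file exists. A warning that is always present gets ignored, which defeats the purpose of flagging a private key committed to the control repo. Compare explicitly instead: `if $hiera_private_key_exists == 'true' {`. The template runs at catalog compilation, so it inspects the compiling server's filesystem, and the path is fixed to the `production` environment; a one-line comment stating both would help.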
+++ b/site/profile/manifests/app/puppet/masters.pp 
@@ -4,44 +4,31 @@ Optional[String] $puppet_ca = undef, Boolean $debug_messages = false, ) { - include puppet_enterprise + if $facts['pe_server_version'] { + include puppet_enterprise - # This section will check repo provided keys in the demo/example - # control-repo and warn if they are still in use. - $hiera_private_key = '/etc/puppetlabs/code/environments/production/keys/private_key.pkcs7.pem' - $hiera_private_key_exists = inline_template("<% if File.exist?('${hiera_private_key}') -%>true<% end -%>") - - # This will quiery the puppet_db to see what hosts are running as the Puppet CA. - $puppetdb_puppet_ca = 'resources[certname] { type = "Class" and title = "Puppet_enterprise::Profile::Certificate_authority" }' - $puppet_ca_nodes = puppetdb_query($puppetdb_puppet_ca).each |$value| { $value["certname"] } - # This will check if puppet_ca param was assigned and if not use $puppet_enterprise::certificate_authority_host - if $puppet_ca == undef { - $pe_ca = $puppet_enterprise::certificate_authority_host - } else { - $pe_ca = $puppet_ca - } - - if $hiera_private_key_exists { - $warning_content = "${hiera_private_key} file should be removed from the control repo!\n \ - Any eyaml encrypted data should be re-encrypted with new keys. DO NOT PLACE PRIVATE KEY in control-repo!\n \ - See https://github.com/voxpupuli/hiera-eyaml#generate-keys" - - warning($warning_content) - notify { 'key error': - message => $warning_content, + # This will quiery the puppet_db to see what hosts are running as the Puppet CA. 
+ $puppetdb_puppet_ca = 'resources[certname] { type = "Class" and title = "Puppet_enterprise::Profile::Certificate_authority" }' + $puppet_ca_nodes = puppetdb_query($puppetdb_puppet_ca).each |$value| { $value["certname"] } + # This will check if puppet_ca param was assigned and if not use $puppet_enterprise::certificate_authority_host + if $puppet_ca == undef { + $pe_ca = $puppet_enterprise::certificate_authority_host + } else { + $pe_ca = $puppet_ca } - } - # This code will include a class on compilers but not on the puppet_ca (Master of Masters) - if (! $trusted['certname'] in $puppet_ca_nodes) and (! $trusted['certname'] == $pe_ca) { + # This code will include a class on compilers but not on the puppet_ca (Master of Masters) + if (! $trusted['certname'] in $puppet_ca_nodes) and (! $trusted['certname'] == $pe_ca) { include profile::app::puppet::compiler - } else { - # This is a Master of Masters section to add classes to - if $debug_messages { - notify { 'Master message': - message => "${facts['fqdn']} is running the Puppet_enterprise::Profile::Certificate_authority class", + } else { + # This is a Master of Masters section to add classes to + if $debug_messages { + notify { 'Master message': + message => "${facts['fqdn']} is running the Puppet_enterprise::Profile::Certificate_authority class", + } } } } + include profile::app::puppet::check_hiera_keys } diff --git a/spec/pre_conditions/puppet_enterprise.pp b/spec/pre_conditions/puppet_enterprise.pp new file mode 100644 index 000000000..a41ab15ba --- /dev/null +++ b/spec/pre_conditions/puppet_enterprise.pp @@ -0,0 +1,5 @@ +# this class is just to verify masters class works +class puppet_enterprise ( + $certificate_authority_host = 'localhost', +) { +} From 154447fa04edbaaf05d72065d6cf8d9090c2c56e Mon Sep 17 00:00:00 2001 
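Review bot: The compiler-versus-CA test in the added `if` in masters.pp does not check what its comment describes: `!` binds tighter than `in` and `==`, so `! $trusted['certname'] in $puppet_ca_nodes` negates the certname first and the condition should never be true. Separately, `.each` returns its receiver, so `$puppet_ca_nodes` holds the raw query rows rather than a list of certnames. I would write `$puppet_ca_nodes = puppetdb_query($puppetdb_puppet_ca).map |$value| { $value['certname'] }` and `if !($trusted['certname'] in $puppet_ca_nodes) and $trusted['certname'] != $pe_ca {`. As written, `profile::app::puppet::compiler` is presumably never included on any node. The class header starts above the hunk.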
From: Troy Klein Date: Tue, 3 Sep 2019 08:53:21 -0500 Subject: [PATCH 055/134] fix for solaris dns_resolver issue --- site/profile/manifests/os/baseline/dns_resolver.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profile/manifests/os/baseline/dns_resolver.pp b/site/profile/manifests/os/baseline/dns_resolver.pp index 085d87c4c..0eb88d876 100644 --- a/site/profile/manifests/os/baseline/dns_resolver.pp +++ b/site/profile/manifests/os/baseline/dns_resolver.pp @@ -12,7 +12,7 @@ ) { case $facts['kernel'] { - 'Linux','Solaris': { + 'Linux','SunOS': { # Use saz/resolv_conf Forge module class { 'resolv_conf': From 6c9dd22d46b8b545bb18bcb342b23fce16b24422 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Tue, 3 Sep 2019 09:09:27 -0500 Subject: [PATCH 056/134] Set kernel to SunOS for Solaris --- site/profile/manifests/os/baseline/archives.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profile/manifests/os/baseline/archives.pp b/site/profile/manifests/os/baseline/archives.pp index 9cddf685a..a3c4711cc 100644 --- a/site/profile/manifests/os/baseline/archives.pp +++ b/site/profile/manifests/os/baseline/archives.pp @@ -7,7 +7,7 @@ if ! $in_temp_path { case $facts['kernel'] { - 'Linux', 'Solaris': { + 'Linux', 'SunOS': { $temp_path = '/tmp' } 'windows': { From 18cc99026cdc952a89e3ad68f1b7e98973521aee Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Tue, 3 Sep 2019 13:36:20 -0500 Subject: [PATCH 057/134] remove toughen::cron for now. --- site/profile/manifests/os/linux/security.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profile/manifests/os/linux/security.pp b/site/profile/manifests/os/linux/security.pp index eb6181a60..3a0c7b051 100644 --- a/site/profile/manifests/os/linux/security.pp +++ b/site/profile/manifests/os/linux/security.pp 
@@ -2,7 +2,7 @@ class profile::os::linux::security { include toughen::banners include toughen::boot - include toughen::cron + #include toughen::cron #include toughen::auditing #include toughen::legacy_services #include toughen::mandatory_access From 240cffd6fadd69ee1d09dbd68b6e6e93fc0ee7ff Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Tue, 3 Sep 2019 13:45:58 -0500 Subject: [PATCH 058/134] change to reflect correct platfrom9 info --- data/to_be_deleted.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data/to_be_deleted.yaml b/data/to_be_deleted.yaml index 5291110a4..18851d340 100644 --- a/data/to_be_deleted.yaml +++ b/data/to_be_deleted.yaml @@ -177,5 +177,5 @@ profile::app::puppet::compiler::ssh_public_key_content: > U0LFXP8TsaVrBdOLfnhryj8hvwNNEGtOFvJDrtinpPJfJY1pxNFcH4sID3Qt G1b2zTCABCXgkfwNt0WFcdxMITE=] -profile::os::baseline::dns_resolver::name_servers: [ '192.168.0.10', '192.168.0.7' ] -profile::os::baseline::dns_resolver::search_path: [ 'platform9.puppet.net' ] +profile::os::baseline::name_servers: [ '192.168.0.10', '192.168.0.7' ] +profile::os::baseline::search_path: [ 'platform9.puppet.net' ] From 0edada86eec6f067995efec3814c44f3708b4f7e Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Tue, 3 Sep 2019 13:52:17 -0500 Subject: [PATCH 059/134] testing other toughen classes on PE Master --- site/profile/manifests/os/linux/security.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/site/profile/manifests/os/linux/security.pp b/site/profile/manifests/os/linux/security.pp index 3a0c7b051..4b09dc11c 100644 --- a/site/profile/manifests/os/linux/security.pp +++ b/site/profile/manifests/os/linux/security.pp 
@@ -2,13 +2,13 @@ class profile::os::linux::security { include toughen::banners include toughen::boot - #include toughen::cron + include toughen::cron + include toughen::perms_owners + include toughen::shadow #include toughen::auditing #include toughen::legacy_services #include toughen::mandatory_access #include toughen::network #include toughen::pam - #include toughen::perms_owners #include toughen::services - include toughen::shadow } From 8cc34703f933d1e54640f4959731dd1cdaebb02b Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Tue, 3 Sep 2019 14:01:36 -0500 Subject: [PATCH 060/134] added some service securing --- site/profile/manifests/os/linux/security.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/site/profile/manifests/os/linux/security.pp b/site/profile/manifests/os/linux/security.pp index 4b09dc11c..de1edf430 100644 --- a/site/profile/manifests/os/linux/security.pp +++ b/site/profile/manifests/os/linux/security.pp @@ -5,10 +5,11 @@ include toughen::cron include toughen::perms_owners include toughen::shadow + include toughen::legacy_services + include toughen::services #include toughen::auditing - #include toughen::legacy_services #include toughen::mandatory_access #include toughen::network #include toughen::pam - #include toughen::services + } From 5fd0d1ff9c179b90ae7b259da594365f9e9933cd Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Tue, 3 Sep 2019 14:18:09 -0500 Subject: [PATCH 061/134] make waring more forward --- site/profile/manifests/app/puppet/check_hiera_keys.pp | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/site/profile/manifests/app/puppet/check_hiera_keys.pp b/site/profile/manifests/app/puppet/check_hiera_keys.pp index 59e8372d1..d1b998376 100644 --- a/site/profile/manifests/app/puppet/check_hiera_keys.pp +++ b/site/profile/manifests/app/puppet/check_hiera_keys.pp 
@@ -6,9 +6,12 @@ $hiera_private_key_exists = inline_template("<% if File.exist?('${hiera_private_key}') -%>true<% end -%>") if $hiera_private_key_exists { - $warning_content = "${hiera_private_key} file should be removed from the control repo!\n \ - Any eyaml encrypted data should be re-encrypted with new keys. DO NOT PLACE PRIVATE KEY in control-repo!\n \ - See https://github.com/voxpupuli/hiera-eyaml#generate-keys" + $warning_content = "**WARNING** ${hiera_private_key}\n \ + file should be removed from the control repo!\n \ + Please generate new eyaml keys for your Puppet Master.\n \ + Any eyaml encrypted data should be re-encrypted with new keys.\n \ + DO NOT PLACE PRIVATE KEY in control-repo!\n \ + See https://github.com/voxpupuli/hiera-eyaml#generate-keys \n" warning($warning_content) notify { 'key error': From ad83a072e486aaaa6715f8391518ee6ec31d0571 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Tue, 3 Sep 2019 14:18:34 -0500 Subject: [PATCH 062/134] Added toughen::pam --- site/profile/manifests/os/linux/security.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profile/manifests/os/linux/security.pp b/site/profile/manifests/os/linux/security.pp index de1edf430..c1a246a7f 100644 --- a/site/profile/manifests/os/linux/security.pp +++ b/site/profile/manifests/os/linux/security.pp @@ -7,9 +7,9 @@ include toughen::shadow include toughen::legacy_services include toughen::services + include toughen::pam #include toughen::auditing #include toughen::mandatory_access #include toughen::network - #include toughen::pam } From 7f6b4d6624bcef2d61d54ab8a5e7fca413b410c5 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Tue, 3 Sep 2019 14:22:50 -0500 Subject: [PATCH 063/134] eyaml warning --- site/profile/manifests/app/puppet/check_hiera_keys.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profile/manifests/app/puppet/check_hiera_keys.pp b/site/profile/manifests/app/puppet/check_hiera_keys.pp index d1b998376..075413af2 100644 
--- a/site/profile/manifests/app/puppet/check_hiera_keys.pp +++ b/site/profile/manifests/app/puppet/check_hiera_keys.pp @@ -6,7 +6,7 @@ $hiera_private_key_exists = inline_template("<% if File.exist?('${hiera_private_key}') -%>true<% end -%>") if $hiera_private_key_exists { - $warning_content = "**WARNING** ${hiera_private_key}\n \ + $warning_content = "\n**WARNING** ${hiera_private_key}\n \ file should be removed from the control repo!\n \ Please generate new eyaml keys for your Puppet Master.\n \ Any eyaml encrypted data should be re-encrypted with new keys.\n \ From c06a460089181999b83ad5d207e05756541c4ad6 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 4 Sep 2019 09:16:35 -0500 Subject: [PATCH 064/134] change to support Debian --- site/profile/manifests/os/baseline.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profile/manifests/os/baseline.pp b/site/profile/manifests/os/baseline.pp index 38380393d..aa0d57102 100644 --- a/site/profile/manifests/os/baseline.pp +++ b/site/profile/manifests/os/baseline.pp @@ -9,7 +9,7 @@ # Profile to set a default base level of acceptable security and # configuration for systems to be used within the company networks. case $facts['os']['family'] { - 'RedHat': { + 'RedHat','Debian': { class { 'profile::os::baseline::dns_resolver': name_servers => $name_servers, search_path => $search_path, From 4afef0b9b0caadb782834c3d69dd3f3470b0651c Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 4 Sep 2019 09:25:07 -0500 Subject: [PATCH 065/134] Change to remove toughen module --- Puppetfile | 12 ++---------- site/profile/manifests/os/linux/security.pp | 13 +------------ 2 files changed, 3 insertions(+), 22 deletions(-) diff --git a/Puppetfile b/Puppetfile index c5b10bde2..9b0c752da 100644 --- a/Puppetfile +++ b/Puppetfile 
@@ -31,16 +31,8 @@ mod 'puppetlabs-powershell', '2.3.0' mod 'puppet-windows_firewall', '2.0.2' mod 'autostructure-ad_acl', '1.0.0' -mod 'shearn89-toughen', '1.0.0' -mod 'puppetlabs-firewall', '1.12.0' -mod 'puppetlabs-limits', '0.1.0' -mod 'thias-sysctl', '1.0.6' -mod 'puppetlabs-ntp', '7.1.1' -mod 'herculesteam-augeasproviders_core', '2.1.4' -mod 'herculesteam-augeasproviders_grub', '3.0.1' -mod 'kemra102-auditd', '2.2.0' -mod 'puppetlabs-concat', '4.2.1' -mod 'puppet-selinux', '1.5.2' +mod 'hardening-os_hardening', '2.2.6' +mod 'herculesteam-augeasproviders_sysctl', '2.3.1' #mod 'tomcat', diff --git a/site/profile/manifests/os/linux/security.pp b/site/profile/manifests/os/linux/security.pp index c1a246a7f..90807fa78 100644 --- a/site/profile/manifests/os/linux/security.pp +++ b/site/profile/manifests/os/linux/security.pp @@ -1,15 +1,4 @@ # This is a class example for security class profile::os::linux::security { - include toughen::banners - include toughen::boot - include toughen::cron - include toughen::perms_owners - include toughen::shadow - include toughen::legacy_services - include toughen::services - include toughen::pam - #include toughen::auditing - #include toughen::mandatory_access - #include toughen::network - + include os_hardening } From c914fd5d90e0b5a1e0b923a44e598ec8092ce155 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 4 Sep 2019 09:29:38 -0500 Subject: [PATCH 066/134] added $pe_environment to profile --- site/profile/manifests/os/linux/security.pp | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/site/profile/manifests/os/linux/security.pp b/site/profile/manifests/os/linux/security.pp index 90807fa78..9f905300e 100644 --- a/site/profile/manifests/os/linux/security.pp +++ b/site/profile/manifests/os/linux/security.pp 
@@ -1,4 +1,8 @@ # This is a class example for security -class profile::os::linux::security { - include os_hardening +class profile::os::linux::security ( + Boolean $pe_environment = true, +) { + class { '::os_hardening': + pe_environment => $pe_environment, + } } From d19bd7502aa8ef4d675184ee7371f63f2771d98e Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 4 Sep 2019 09:33:54 -0500 Subject: [PATCH 067/134] add module --- Puppetfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Puppetfile b/Puppetfile index 9b0c752da..295669131 100644 --- a/Puppetfile +++ b/Puppetfile @@ -33,6 +33,7 @@ mod 'autostructure-ad_acl', '1.0.0' mod 'hardening-os_hardening', '2.2.6' mod 'herculesteam-augeasproviders_sysctl', '2.3.1' +mod 'herculesteam-augeasproviders_core', '2.5.0' #mod 'tomcat', From 68ac043fa24c0d083ac3066277f60dfb9b1202d5 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 4 Sep 2019 09:44:37 -0500 Subject: [PATCH 068/134] added Debian to java --- site/profile/manifests/app/java.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profile/manifests/app/java.pp b/site/profile/manifests/app/java.pp index 1c87c7434..ebddeb7a3 100644 --- a/site/profile/manifests/app/java.pp +++ b/site/profile/manifests/app/java.pp @@ -2,7 +2,7 @@ # agent hosts. class profile::app::java { case $facts['os']['family'] { - 'RedHat': { + 'RedHat', 'Debian': { require java } 'windows': { From b9d64614eadca0f0f577540646b2ed4f6ea8939a Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 4 Sep 2019 09:47:03 -0500 Subject: [PATCH 069/134] added debian download url for tomcat --- data/os/Debian.yaml | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 data/os/Debian.yaml diff --git a/data/os/Debian.yaml b/data/os/Debian.yaml new file mode 100644 index 000000000..b237a8d5f --- /dev/null +++ b/data/os/Debian.yaml 
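Review bot: `$pe_environment` is added to `profile::os::linux::security` without documentation and defaults to `true` for every Linux node that includes the profile, not only Puppet Enterprise infrastructure. The os_hardening option presumably relaxes some settings so PE keeps working (confirm against the README of the pinned 2.2.6 release), so the default is a security decision that should be visible. Add a parameter doc to the class header, e.g. `# @param pe_environment Passed through to os_hardening's pe_environment; see the module README for what it relaxes`, and consider setting the value per role in Hiera rather than by class default.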
@@ -0,0 +1,3 @@ +--- + +profile::app::tomcat::webserver::download_url: 'https://www-us.apache.org/dist/tomcat/tomcat-8/v8.5.35/bin/apache-tomcat-8.5.35.tar.gz' From a46a0d790921538396326577b1d6619492509d25 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 4 Sep 2019 09:49:53 -0500 Subject: [PATCH 070/134] added concat --- Puppetfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Puppetfile b/Puppetfile index 295669131..857e90f37 100644 --- a/Puppetfile +++ b/Puppetfile @@ -11,6 +11,7 @@ mod 'puppet-hiera', '3.3.4' mod 'saz-ssh', '4.0.0' mod 'saz-resolv_conf', '3.3.0' mod 'icinga-icinga2', '1.3.7' +mod 'puppetlabs-concat', '6.1.0' mod 'puppetlabs-dsc', '1.7.0' mod 'puppetlabs-reboot', '2.0.0' @@ -36,5 +37,6 @@ mod 'herculesteam-augeasproviders_sysctl', '2.3.1' mod 'herculesteam-augeasproviders_core', '2.5.0' + #mod 'tomcat', # git: 'https://github.com/spidersddd/puppetlabs-tomcat' From 3fb537e8bbe9da068beffdf384d2056e637d9b4f Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 4 Sep 2019 09:52:41 -0500 Subject: [PATCH 071/134] change version of concat --- Puppetfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Puppetfile b/Puppetfile index 857e90f37..28e60c25b 100644 --- a/Puppetfile +++ b/Puppetfile @@ -11,7 +11,7 @@ mod 'puppet-hiera', '3.3.4' mod 'saz-ssh', '4.0.0' mod 'saz-resolv_conf', '3.3.0' mod 'icinga-icinga2', '1.3.7' -mod 'puppetlabs-concat', '6.1.0' +mod 'puppetlabs-concat', '4.2.1' mod 'puppetlabs-dsc', '1.7.0' mod 'puppetlabs-reboot', '2.0.0' From aa4d9e191411f0d5d9b95c78228d975a5f059fd3 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 4 Sep 2019 10:08:58 -0500 Subject: [PATCH 072/134] added motd to setup --- data/to_be_deleted.yaml | 8 ++++++++ site/profile/manifests/os/baseline.pp | 1 + site/profile/manifests/os/baseline/banner.pp | 8 ++++++++ 3 files changed, 17 insertions(+) create mode 100644 site/profile/manifests/os/baseline/banner.pp 
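Review bot: The Tomcat tarball in the new data/os/Debian.yaml is identified by URL alone, with no expected checksum recorded beside it, so a replaced or corrupted download would be unpacked and run without notice. The consuming profile later in this series passes the value to `tomcat::install` as `source_url` with no verification visible there either. I would record the published SHA-512 next to the URL in a sibling key (name to be agreed, value `<sha512 from the Apache release page>`) and have the profile check it before install. The path also pins one patch release, so upgrades need to be tracked deliberately.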
diff --git a/data/to_be_deleted.yaml b/data/to_be_deleted.yaml index 18851d340..5ad48d6b2 100644 --- a/data/to_be_deleted.yaml +++ b/data/to_be_deleted.yaml @@ -179,3 +179,11 @@ profile::app::puppet::compiler::ssh_public_key_content: > profile::os::baseline::name_servers: [ '192.168.0.10', '192.168.0.7' ] profile::os::baseline::search_path: [ 'platform9.puppet.net' ] + +profile::os::baseline::banner::motd: '------------- +W A R N I N G +------------- + +Authorized users only. All activity may be monitored and logged. Use of +this system means you consent to such monitoring. Unauthorized users may +be prosecuted.' \ No newline at end of file diff --git a/site/profile/manifests/os/baseline.pp b/site/profile/manifests/os/baseline.pp index aa0d57102..a2810c60e 100644 --- a/site/profile/manifests/os/baseline.pp +++ b/site/profile/manifests/os/baseline.pp @@ -37,4 +37,5 @@ # Profile does the OS case statement # Profile will normalize the 'temp' path for Linux, Solaris, and Windows include profile::os::baseline::archives + include profile::os::baseline::motd } diff --git a/site/profile/manifests/os/baseline/banner.pp b/site/profile/manifests/os/baseline/banner.pp new file mode 100644 index 000000000..982ca1f2e --- /dev/null +++ b/site/profile/manifests/os/baseline/banner.pp @@ -0,0 +1,8 @@ +# This class will setup MOTD for Windows and Linux hosts +class profile::os::baseline::banner ( + String $motd, +) { + class { 'motd': + content => $motd, + } +} From 3a645ecfec6f93b9c618b0952b9b5bc4c1e67911 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 4 Sep 2019 10:18:21 -0500 Subject: [PATCH 073/134] chnage to archive tomcat --- data/os/Debian.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/os/Debian.yaml b/data/os/Debian.yaml index b237a8d5f..7fba5bda1 100644 --- a/data/os/Debian.yaml +++ b/data/os/Debian.yaml 
@@ -1,3 +1,3 @@ --- -profile::app::tomcat::webserver::download_url: 'https://www-us.apache.org/dist/tomcat/tomcat-8/v8.5.35/bin/apache-tomcat-8.5.35.tar.gz' +profile::app::tomcat::webserver::download_url: 'https://archive.apache.org/dist/tomcat/tomcat-8/v8.5.35/bin/apache-tomcat-8.5.35.tar.gz' From 4c27c9861a602ee01ca4dacbdde46dcb4facc402 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 4 Sep 2019 10:21:06 -0500 Subject: [PATCH 074/134] fix for motd --- site/profile/manifests/os/baseline.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profile/manifests/os/baseline.pp b/site/profile/manifests/os/baseline.pp index a2810c60e..8cd2c88fb 100644 --- a/site/profile/manifests/os/baseline.pp +++ b/site/profile/manifests/os/baseline.pp @@ -37,5 +37,5 @@ # Profile does the OS case statement # Profile will normalize the 'temp' path for Linux, Solaris, and Windows include profile::os::baseline::archives - include profile::os::baseline::motd + include profile::os::baseline::banner } From b21f1df1bfac7c629796d2010014428a33723263 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 4 Sep 2019 10:23:30 -0500 Subject: [PATCH 075/134] added motd module --- Puppetfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Puppetfile b/Puppetfile index 28e60c25b..928870603 100644 --- a/Puppetfile +++ b/Puppetfile @@ -12,6 +12,7 @@ mod 'saz-ssh', '4.0.0' mod 'saz-resolv_conf', '3.3.0' mod 'icinga-icinga2', '1.3.7' mod 'puppetlabs-concat', '4.2.1' +mod 'puppetlabs-motd', '3.1.0' mod 'puppetlabs-dsc', '1.7.0' mod 'puppetlabs-reboot', '2.0.0' From f070223bf60523ff14149f7e6019b59475903bb4 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 4 Sep 2019 10:54:13 -0500 Subject: [PATCH 076/134] test for fastb web_be --- site/profile/manifests/app/fastb.pp | 32 ++++++++++++++--------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp index da56ca0db..1ecfa5724 100644 
--- a/site/profile/manifests/app/fastb.pp +++ b/site/profile/manifests/app/fastb.pp @@ -6,7 +6,7 @@ include profile::app::tomcat::webserver tomcat::instance { 'tomcat8-fastb': - catalina_home => "${app_path}/..", + catalina_home => $app_path, catalina_base => $app_path, } @@ -15,24 +15,24 @@ war_source => $download_url, } - tomcat::instance { 'tomcat-second': - catalina_home => '/opt/tomcat', - catalina_base => '/opt/tomcat/second', - } +# tomcat::instance { 'tomcat-second': +# catalina_home => '/opt/tomcat', +# catalina_base => '/opt/tomcat/second', +# } # Change the default port of the second instance server and HTTP connector - tomcat::config::server { 'tomcat-second': - catalina_base => '/opt/tomcat/second', - port => '8006', - } +# tomcat::config::server { 'tomcat-second': +# catalina_base => '/opt/tomcat/second', +# port => '8006', +# } - tomcat::config::server::connector { 'tomcat-second-http': - catalina_base => '/opt/tomcat/second', - port => '8081', - protocol => 'HTTP/1.1', - additional_attributes => { - 'redirectPort' => '8443' - }, + tomcat::config::server::connector { 'tomcat-fastb-http': + catalina_base => $app_path, + port => '8081', + protocol => 'HTTP/1.1', +# additional_attributes => { +# 'redirectPort' => '8443' +# }, } } From e5f5d0f8523892c81a79b0f00d9e409248ca83ca Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 4 Sep 2019 11:04:38 -0500 Subject: [PATCH 077/134] fix for fastb --- site/profile/manifests/app/fastb.pp | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp index 1ecfa5724..57a8b93d4 100644 --- a/site/profile/manifests/app/fastb.pp +++ b/site/profile/manifests/app/fastb.pp 
@@ -1,17 +1,19 @@ # This is a example profile to deploy fastb application software. class profile::app::fastb ( Stdlib::HTTPSUrl $download_url = 'https://tomcat.apache.org/tomcat-9.0-doc/appdev/sample/sample.war', - Stdlib::Absolutepath $app_path = '/opt/tomcat/fastb', + Stdlib::Absolutepath $app_path = 'fastb', ) { include profile::app::tomcat::webserver + $catalina_home = $profile::app::tomcat::webserver::tomcat_install_path + tomcat::instance { 'tomcat8-fastb': - catalina_home => $app_path, - catalina_base => $app_path, + catalina_home => $catalina_home, + catalina_base => "${catalina_home}/${app_path}", } - tomcat::war { "${app_path}/fastb_app.war": - catalina_base => $app_path, + tomcat::war { "${catalina_home}/${app_path}/fastb_app.war": + catalina_base => "${catalina_home}/${app_path}", war_source => $download_url, } @@ -27,7 +29,7 @@ # } tomcat::config::server::connector { 'tomcat-fastb-http': - catalina_base => $app_path, + catalina_base => "${catalina_home}/${app_path}", port => '8081', protocol => 'HTTP/1.1', # additional_attributes => { From 8cfd0c5b0eff3be99a2fab8827cb028794c3d6ee Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 4 Sep 2019 11:07:18 -0500 Subject: [PATCH 078/134] fix for path error --- site/profile/manifests/app/fastb.pp | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp index 57a8b93d4..54811190d 100644 --- a/site/profile/manifests/app/fastb.pp +++ b/site/profile/manifests/app/fastb.pp @@ -1,7 +1,7 @@ # This is a example profile to deploy fastb application software. class profile::app::fastb ( Stdlib::HTTPSUrl $download_url = 'https://tomcat.apache.org/tomcat-9.0-doc/appdev/sample/sample.war', - Stdlib::Absolutepath $app_path = 'fastb', + String $app_dir = 'fastb', ) { include profile::app::tomcat::webserver 
@@ -9,11 +9,11 @@ tomcat::instance { 'tomcat8-fastb': catalina_home => $catalina_home, - catalina_base => "${catalina_home}/${app_path}", + catalina_base => "${catalina_home}/${app_dir}", } - tomcat::war { "${catalina_home}/${app_path}/fastb_app.war": - catalina_base => "${catalina_home}/${app_path}", + tomcat::war { "${catalina_home}/${app_dir}/fastb_app.war": + catalina_base => "${catalina_home}/${app_dir}", war_source => $download_url, } @@ -29,7 +29,7 @@ # } tomcat::config::server::connector { 'tomcat-fastb-http': - catalina_base => "${catalina_home}/${app_path}", + catalina_base => "${catalina_home}/${app_dir}", port => '8081', protocol => 'HTTP/1.1', # additional_attributes => { From 35fa6d24a782d88985b14864b56cebb6b755e867 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 4 Sep 2019 15:27:14 -0500 Subject: [PATCH 079/134] change to sample for fastb --- site/profile/manifests/app/fastb.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp index 54811190d..a62421f3f 100644 --- a/site/profile/manifests/app/fastb.pp +++ b/site/profile/manifests/app/fastb.pp @@ -1,6 +1,6 @@ # This is a example profile to deploy fastb application software. class profile::app::fastb ( - Stdlib::HTTPSUrl $download_url = 'https://tomcat.apache.org/tomcat-9.0-doc/appdev/sample/sample.war', + Stdlib::HTTPSUrl $download_url = 'https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/sureshatt/http-demo.war', String $app_dir = 'fastb', ) { include profile::app::tomcat::webserver @@ -12,7 +12,7 @@ catalina_base => "${catalina_home}/${app_dir}", } - tomcat::war { "${catalina_home}/${app_dir}/fastb_app.war": + tomcat::war { "${catalina_home}/${app_dir}/fastb.war": catalina_base => "${catalina_home}/${app_dir}", war_source => $download_url, } From c5392a48f62beaa87eb8e5da1911280cfdac92dc Mon Sep 17 00:00:00 2001 
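Review bot: The new default for `$download_url` in fastb.pp deploys a WAR from a Google Code archive bucket belonging to an unrelated project, and `tomcat::war` receives it with no integrity check visible in this file. Any node that includes `profile::app::fastb` without overriding the parameter would run that third-party code inside Tomcat. I would drop the default so the source has to be chosen deliberately in Hiera, `Stdlib::HTTPSUrl $download_url,`, and point it at an artifact store you control. The class body continues past this hunk.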
From: Troy Klein Date: Wed, 4 Sep 2019 15:35:07 -0500 Subject: [PATCH 080/134] new sample test --- site/profile/manifests/app/fastb.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp index a62421f3f..f463e8010 100644 --- a/site/profile/manifests/app/fastb.pp +++ b/site/profile/manifests/app/fastb.pp @@ -14,6 +14,7 @@ tomcat::war { "${catalina_home}/${app_dir}/fastb.war": catalina_base => "${catalina_home}/${app_dir}", + app_base => "${catalina_home}/${app_dir}/webapps", war_source => $download_url, } From 2a3892da7cef844f4496c20e69e1a6e7b2d2e76b Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 4 Sep 2019 15:45:01 -0500 Subject: [PATCH 081/134] fix for catalina_home --- site/profile/manifests/app/fastb.pp | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp index f463e8010..63f313779 100644 --- a/site/profile/manifests/app/fastb.pp +++ b/site/profile/manifests/app/fastb.pp @@ -8,14 +8,12 @@ $catalina_home = $profile::app::tomcat::webserver::tomcat_install_path tomcat::instance { 'tomcat8-fastb': - catalina_home => $catalina_home, - catalina_base => "${catalina_home}/${app_dir}", + catalina_home => "${catalina_home}/${app_dir}", } - tomcat::war { "${catalina_home}/${app_dir}/fastb.war": - catalina_base => "${catalina_home}/${app_dir}", - app_base => "${catalina_home}/${app_dir}/webapps", - war_source => $download_url, + tomcat::war { 'fastb.war': + app_base => "${catalina_home}/${app_dir}/webapps", + war_source => $download_url, } # tomcat::instance { 'tomcat-second': From efe453c488b86a33ec1ab6b657d15716ebef0034 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 4 Sep 2019 15:48:17 -0500 Subject: [PATCH 082/134] fix for fastb --- site/profile/manifests/app/fastb.pp | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp index 63f313779..7835fbc97 100644 --- a/site/profile/manifests/app/fastb.pp +++ b/site/profile/manifests/app/fastb.pp @@ -28,9 +28,8 @@ # } tomcat::config::server::connector { 'tomcat-fastb-http': - catalina_base => "${catalina_home}/${app_dir}", - port => '8081', - protocol => 'HTTP/1.1', + port => '8081', + protocol => 'HTTP/1.1', # additional_attributes => { # 'redirectPort' => '8443' # }, From ee755dbe043ba034817acf93e6a875bd7c36fe8f Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 4 Sep 2019 15:51:59 -0500 Subject: [PATCH 083/134] fastb fix --- site/profile/manifests/app/fastb.pp | 7 ------- 1 file changed, 7 deletions(-) diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp index 7835fbc97..a38f92790 100644 --- a/site/profile/manifests/app/fastb.pp +++ b/site/profile/manifests/app/fastb.pp @@ -26,13 +26,6 @@ # catalina_base => '/opt/tomcat/second', # port => '8006', # } - - tomcat::config::server::connector { 'tomcat-fastb-http': - port => '8081', - protocol => 'HTTP/1.1', -# additional_attributes => { -# 'redirectPort' => '8443' -# }, } } From 76c6721d0d7458a7ab6831aeb68e95ea29a43995 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 4 Sep 2019 15:53:11 -0500 Subject: [PATCH 084/134] bug fix --- site/profile/manifests/app/fastb.pp | 1 - 1 file changed, 1 deletion(-) diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp index a38f92790..8a710e82f 100644 --- a/site/profile/manifests/app/fastb.pp +++ b/site/profile/manifests/app/fastb.pp @@ -26,6 +26,5 @@ # catalina_base => '/opt/tomcat/second', # port => '8006', # } - } } From 6fbcef1369fdc564a03d44a7f075dd636f6069b7 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 4 Sep 2019 15:55:26 -0500 Subject: [PATCH 085/134] next test --- site/profile/manifests/app/fastb.pp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp index 8a710e82f..8b8e7d67f 100644 --- a/site/profile/manifests/app/fastb.pp +++ b/site/profile/manifests/app/fastb.pp @@ -8,11 +8,10 @@ $catalina_home = $profile::app::tomcat::webserver::tomcat_install_path tomcat::instance { 'tomcat8-fastb': - catalina_home => "${catalina_home}/${app_dir}", + catalina_home => $catalina_home, } tomcat::war { 'fastb.war': - app_base => "${catalina_home}/${app_dir}/webapps", war_source => $download_url, } From 8634f7c16beb2d77383fc40ae45d5f628aae701d Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 4 Sep 2019 16:47:09 -0500 Subject: [PATCH 086/134] simplify fastb --- site/profile/manifests/app/fastb.pp | 18 ------------------ site/profile/manifests/app/tomcat/webserver.pp | 14 ++++++++++++++ 2 files changed, 14 insertions(+), 18 deletions(-) diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp index 8b8e7d67f..bec851c80 100644 --- a/site/profile/manifests/app/fastb.pp +++ b/site/profile/manifests/app/fastb.pp @@ -7,23 +7,5 @@ $catalina_home = $profile::app::tomcat::webserver::tomcat_install_path - tomcat::instance { 'tomcat8-fastb': - catalina_home => $catalina_home, - } - - tomcat::war { 'fastb.war': - war_source => $download_url, - } - -# tomcat::instance { 'tomcat-second': -# catalina_home => '/opt/tomcat', -# catalina_base => '/opt/tomcat/second', -# } - - # Change the default port of the second instance server and HTTP connector -# tomcat::config::server { 'tomcat-second': -# catalina_base => '/opt/tomcat/second', -# port => '8006', -# } } diff --git a/site/profile/manifests/app/tomcat/webserver.pp b/site/profile/manifests/app/tomcat/webserver.pp index df4c91686..268e40523 100644 --- a/site/profile/manifests/app/tomcat/webserver.pp +++ b/site/profile/manifests/app/tomcat/webserver.pp 
@@ -2,13 +2,27 @@ class profile::app::tomcat::webserver ( Optional[String] $download_url = undef, Stdlib::Absolutepath $tomcat_install_path = '/opt/tomcat', + String[1] $user = 'tomcat', + String[1] $group = 'tomcat', + String[1] $service = 'tomcat', + Integer $port = 8080, ) { require profile::app::java if $download_url { + class { 'tomcat': + catalina_home => $tomcat_install_path, + user => $user, + group => $group, + } + tomcat::install { $tomcat_install_path: source_url => $download_url, } + + tomcat::service { $service: + require => Tomcat::Install[$tomcat_install_path] + } } else { fail("download_url not set for ${title}.") } From eeb22e1eaaa1b5a0da1a21d42f6ade93e5c85e85 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 4 Sep 2019 16:59:37 -0500 Subject: [PATCH 087/134] fastb with tomcat::war --- site/profile/manifests/app/fastb.pp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp index bec851c80..aa2d4244b 100644 --- a/site/profile/manifests/app/fastb.pp +++ b/site/profile/manifests/app/fastb.pp @@ -5,7 +5,15 @@ ) { include profile::app::tomcat::webserver + $user = $profile::app::tomcat::webserver::user + $group = $profile::app::tomcat::webserver::group + $service = $profile::app::tomcat::webserver::service $catalina_home = $profile::app::tomcat::webserver::tomcat_install_path - + tomcat::war { 'http-demo.war': + war_source => $download_url, + user => $user, + group => $group, + notify => Service['service'], + } } From 4b9f313712485265ada413e5204a00c4c85ff8cb Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 4 Sep 2019 17:01:08 -0500 Subject: [PATCH 088/134] bug fix --- site/profile/manifests/app/fastb.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp index aa2d4244b..27372320b 100644 --- a/site/profile/manifests/app/fastb.pp 
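Review bot: `$download_url` stays typed `Optional[String]` in the parameter list at the top of the webserver.pp hunk, although it is the `source_url` that `tomcat::install` fetches and unpacks into `$tomcat_install_path`, so a plain `http://` source is accepted. Typing it as `Optional[Stdlib::HTTPSUrl] $download_url = undef,` (the type fastb.pp already uses for its WAR URL) rejects a non-TLS source at compile time. Nothing visible in the hunk checks the tarball's digest either, so a comment saying where the expected checksum is recorded would help. The new `Integer $port = 8080` is not referenced in the lines shown; if nothing past the hunk uses it, drop it or bound it as `Integer[1, 65535]` and wire it into a connector.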
+++ b/site/profile/manifests/app/fastb.pp @@ -14,6 +14,6 @@ war_source => $download_url, user => $user, group => $group, - notify => Service['service'], + notify => Service[$service], } } From 68e26ff22768a013754dd6bde28382ecfcc860ce Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Wed, 4 Sep 2019 17:03:00 -0500 Subject: [PATCH 089/134] bug fix --- site/profile/manifests/app/fastb.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp index 27372320b..d1fb67ae2 100644 --- a/site/profile/manifests/app/fastb.pp +++ b/site/profile/manifests/app/fastb.pp @@ -14,6 +14,6 @@ war_source => $download_url, user => $user, group => $group, - notify => Service[$service], + notify => Tomcat::Service[$service], } } From 539b1a1fbf92250628f185b8b0c17ba5d7c5f33e Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 5 Sep 2019 07:25:26 -0500 Subject: [PATCH 090/134] fix motd --- data/to_be_deleted.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data/to_be_deleted.yaml b/data/to_be_deleted.yaml index 5ad48d6b2..d39262a47 100644 --- a/data/to_be_deleted.yaml +++ b/data/to_be_deleted.yaml @@ -184,6 +184,6 @@ profile::os::baseline::banner::motd: '------------- W A R N I N G ------------- -Authorized users only. All activity may be monitored and logged. Use of -this system means you consent to such monitoring. Unauthorized users may +Authorized users only. All activity may be monitored and logged. Use of \n +this system means you consent to such monitoring. Unauthorized users may \n be prosecuted.' \ No newline at end of file From 4138e2256ba55b75ac79beccd89aa9f913bbc203 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 5 Sep 2019 07:37:11 -0500 Subject: [PATCH 091/134] adding \n to motd --- data/to_be_deleted.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/data/to_be_deleted.yaml b/data/to_be_deleted.yaml index d39262a47..416b6c0d0 100644 
--- a/data/to_be_deleted.yaml +++ b/data/to_be_deleted.yaml @@ -180,10 +180,10 @@ profile::app::puppet::compiler::ssh_public_key_content: > profile::os::baseline::name_servers: [ '192.168.0.10', '192.168.0.7' ] profile::os::baseline::search_path: [ 'platform9.puppet.net' ] -profile::os::baseline::banner::motd: '------------- -W A R N I N G -------------- - +profile::os::baseline::banner::motd: "------------- \n +W A R N I N G \n +------------- \n +\n Authorized users only. All activity may be monitored and logged. Use of \n this system means you consent to such monitoring. Unauthorized users may \n -be prosecuted.' \ No newline at end of file +be prosecuted." \ No newline at end of file From 148daa16c5e689b30bd54ca91af21633b9e2a100 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 5 Sep 2019 09:13:35 -0500 Subject: [PATCH 092/134] adding infor for new fastb_database --- data/role/fastb_database.yaml | 10 ++++ data/to_be_deleted.yaml | 5 +- site/README.md | 2 + site/profile/manifests/app/mysql/server.pp | 55 ++++++++++++++++++++++ 4 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 data/role/fastb_database.yaml diff --git a/data/role/fastb_database.yaml b/data/role/fastb_database.yaml new file mode 100644 index 000000000..96eb2c205 --- /dev/null +++ b/data/role/fastb_database.yaml 
@@ -0,0 +1,10 @@ +--- + +profile::app::mysql::server::settings: + users: + 'fastb_db_user': + host: 'localhost' + grant: + - 'SELECT' + - 'UPDATE' + password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAW555w9viO6soOOVHngrMRv2P+hNn4jBgn4hmXHF0/nvOIvzT7eIwCb+7sdbYbc3BWeEYkHvD+qyj1YUdt3akuAgeYMHdYdajsqU27QOTdERA+Vto2A21gIVyLlRG6x3+fGQAExpzCUiSWE4CEmVawOFCuMibl8FIs337jZrZ5JoEXrLuGXW9lG4EHoMfrNlKzAxQCwDoudhrKcJHtGp3xXJFJ5RV311SlduZeyC/VoYI+eIyxx15C8cvTV08D6dkM9wv1fnkjnqS2Fj5OoKP+fnIoHHxhou/ulMKNBQgH/6I/GpiFZshK8i/y7hptT0qd3n8UVCcfPU0lHdURD4RrzA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAAVeef6a4h7jMgdhdbQbRagBARC9r7oclAgaT/NHx+raTM] \ No newline at end of file diff --git a/data/to_be_deleted.yaml b/data/to_be_deleted.yaml index 416b6c0d0..2b4f24cd2 100644 --- a/data/to_be_deleted.yaml +++ b/data/to_be_deleted.yaml @@ -186,4 +186,7 @@ W A R N I N G \n \n Authorized users only. All activity may be monitored and logged. Use of \n this system means you consent to such monitoring. Unauthorized users may \n -be prosecuted." \ No newline at end of file +be prosecuted." + +profile::app::mysql::server::settings: + remove_default_accounts: true \ No newline at end of file diff --git a/site/README.md b/site/README.md index 1c2b2add0..2efe94cea 100644 --- a/site/README.md +++ b/site/README.md @@ -15,11 +15,13 @@ These examples have been constructed with the following requirements: | Win 2012r2 | `role::spider::web_be` | WIP | | Win 2012r2 | `role::spider::database` | WIP | | CentOS 7 | `role::spider::balancer` | WIP | +| Ubuntu 16.04 | role::fastb::web_be | Complete | - Modeling should support three operating systems - Windows 2012R2 - CentOS (6,7) + - Ubuntu 16.04 - Solaris 11.2 - Two products should be represented - Spider diff --git a/site/profile/manifests/app/mysql/server.pp b/site/profile/manifests/app/mysql/server.pp index c5319a2da..8fa77ca07 100644 --- a/site/profile/manifests/app/mysql/server.pp 
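Review bot: `remove_default_accounts: true` is a hardening setting, but the second hunk here adds it to `data/to_be_deleted.yaml`, a file whose name says it is meant to go away. When that layer is retired, `profile::app::mysql::server::settings` will be built from the remaining layers only, and presumably the default accounts will stop being removed without any compile error to signal it. I would put the key in a permanent layer of the hierarchy and add a comment such as `# hardening: must survive removal of to_be_deleted.yaml`.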
+++ b/site/profile/manifests/app/mysql/server.pp @@ -5,12 +5,67 @@ # Please delete files in " 'profile::app::mysql::server::settings', + merge => { + 'stratagy' => 'deep', + 'knockout_prefix' => '--', + }, + }) + assert_type(Hash[String, Any], $lookup_settings) + + } class { 'mysql::server': root_password => $root_password, + * => $lookup_settings, } $mysql_bindings.each | String $binding | { contain "mysql::bindings::${binding}" } contain mysql::server + + $dbs.each |$dbname, $opts| { + mysql::db { $dbname: + * => $opts, + } + } + + # @summary Install the MySQL database server +# +# @see https://forge.puppet.com/puppetlabs/mysql +# +# @example Basic usage +# include r_profile::database::mysql_server +# +# @example Server settings +# r_profile::database::mysql_server::settings: +# root_password: "TopSecr3t" +# remove_default_accounts: true +# +# @example Database creation +# r_profile::database::mysql_server::dbs: +# 'mydb': +# user: 'myuser' +# password: 'mypass' +# host: 'localhost' +# grant: +# - 'SELECT' +# - 'UPDATE' +# +# @param settings Hash of server settings to enforce (see examples) +# @param dbs Hash of databases to create (see examples) + + class { 'mysql::server': + * => $settings, + } + + $dbs.each |$key, $opts| { + mysql::db { $key: + * => $opts, + } + } + +} } From 13ca7fcf48e140157ad899198d73f5c8d90ae9ce Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 5 Sep 2019 09:21:13 -0500 Subject: [PATCH 093/134] bug fix --- site/profile/manifests/app/mysql/server.pp | 40 ++-------------------- 1 file changed, 2 insertions(+), 38 deletions(-) diff --git a/site/profile/manifests/app/mysql/server.pp b/site/profile/manifests/app/mysql/server.pp index 8fa77ca07..fb5567025 100644 --- a/site/profile/manifests/app/mysql/server.pp +++ b/site/profile/manifests/app/mysql/server.pp 
@@ -13,14 +13,14 @@ 'stratagy' => 'deep', 'knockout_prefix' => '--', }, - }) + } ) assert_type(Hash[String, Any], $lookup_settings) - } class { 'mysql::server': root_password => $root_password, * => $lookup_settings, } + $mysql_bindings.each | String $binding | { contain "mysql::bindings::${binding}" } @@ -32,40 +32,4 @@ } } - # @summary Install the MySQL database server -# -# @see https://forge.puppet.com/puppetlabs/mysql -# -# @example Basic usage -# include r_profile::database::mysql_server -# -# @example Server settings -# r_profile::database::mysql_server::settings: -# root_password: "TopSecr3t" -# remove_default_accounts: true -# -# @example Database creation -# r_profile::database::mysql_server::dbs: -# 'mydb': -# user: 'myuser' -# password: 'mypass' -# host: 'localhost' -# grant: -# - 'SELECT' -# - 'UPDATE' -# -# @param settings Hash of server settings to enforce (see examples) -# @param dbs Hash of databases to create (see examples) - - class { 'mysql::server': - * => $settings, - } - - $dbs.each |$key, $opts| { - mysql::db { $key: - * => $opts, - } - } - -} } From c205e96eb23059cb77cd465aa89049d17ce85bfb Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 5 Sep 2019 09:32:57 -0500 Subject: [PATCH 094/134] set password to Sensitive data type --- site/profile/manifests/app/mysql/server.pp | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/site/profile/manifests/app/mysql/server.pp b/site/profile/manifests/app/mysql/server.pp index fb5567025..c33d87425 100644 --- a/site/profile/manifests/app/mysql/server.pp +++ b/site/profile/manifests/app/mysql/server.pp @@ -3,7 +3,7 @@ class profile::app::mysql::server ( # root_password is set in hiera data based on role and env_n_role # Please delete files in " $root_password, + default => Sensitive($root_password) + } + class { 'mysql::server': - root_password => $root_password, + root_password => $secure_root_pass, * => $lookup_settings, } 
From 3bb46abc4a303f3a4d5ee454770d060e2d818e62 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 5 Sep 2019 09:48:05 -0500 Subject: [PATCH 095/134] big fix --- site/profile/manifests/app/mysql/server.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site/profile/manifests/app/mysql/server.pp b/site/profile/manifests/app/mysql/server.pp index c33d87425..770e47b53 100644 --- a/site/profile/manifests/app/mysql/server.pp +++ b/site/profile/manifests/app/mysql/server.pp @@ -9,8 +9,8 @@ ) { #This will do a lookup to create one large hash from the hiera data $lookup_settings = lookup( { 'name' => 'profile::app::mysql::server::settings', - merge => { - 'stratagy' => 'deep', + 'merge' => { + 'strategy' => 'deep', 'knockout_prefix' => '--', }, } ) From b3fd04c37b4ee9007059f6d5546ce6d692f99997 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 5 Sep 2019 09:53:36 -0500 Subject: [PATCH 096/134] added puppetlabs-mysql --- Puppetfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Puppetfile b/Puppetfile index 928870603..5f2448f5f 100644 --- a/Puppetfile +++ b/Puppetfile @@ -37,7 +37,9 @@ mod 'hardening-os_hardening', '2.2.6' mod 'herculesteam-augeasproviders_sysctl', '2.3.1' mod 'herculesteam-augeasproviders_core', '2.5.0' - +#This is for fastb_database +mod 'puppetlabs-translate', '2.0.0' +mod 'puppetlabs-mysql', '10.1.0' #mod 'tomcat', # git: 'https://github.com/spidersddd/puppetlabs-tomcat' From 4310868447c2b726c84c2be06915e29577e1e00a Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 5 Sep 2019 10:09:11 -0500 Subject: [PATCH 097/134] removed conversion to Sensitive datatype, not supported --- site/profile/manifests/app/mysql/server.pp | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/site/profile/manifests/app/mysql/server.pp b/site/profile/manifests/app/mysql/server.pp index 770e47b53..fc89fbd3f 100644 --- a/site/profile/manifests/app/mysql/server.pp 
+++ b/site/profile/manifests/app/mysql/server.pp @@ -16,10 +16,15 @@ } ) assert_type(Hash[String, Any], $lookup_settings) - $secure_root_pass = $root_password ? { - Sensitive[String] => $root_password, - default => Sensitive($root_password) - } + # This will ensure the root_password is of Sensitive datatype to protect the + # root_password from showing up in the logs. + # Currently mysql::server expects String not Sensitive[String] that is why + # this is commented out. + #$secure_root_pass = $root_password ? { + # Sensitive[String] => $root_password, + # default => Sensitive($root_password) + #} + $secure_root_pass = $root_password class { 'mysql::server': root_password => $secure_root_pass, From 744b15a3a9d97ac17866302ff8c0e37ec601aa1b Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 5 Sep 2019 10:44:08 -0500 Subject: [PATCH 098/134] pass mysql_user and password_hash --- data/role/fastb_database.yaml | 24 ++++++++++++++-------- site/profile/manifests/app/mysql/server.pp | 21 +++++++++++++++++-- 2 files changed, 35 insertions(+), 10 deletions(-) diff --git a/data/role/fastb_database.yaml b/data/role/fastb_database.yaml index 96eb2c205..591acbb88 100644 --- a/data/role/fastb_database.yaml +++ b/data/role/fastb_database.yaml 
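Review bot: After this change `$secure_root_pass` is only another name for `$root_password`, so the identifier promises protection the value no longer has: the root password reaches `class { 'mysql::server': ... }` as a plain string, without the `Sensitive` wrapper the new comment describes. Passing `root_password => $root_password,` directly, or renaming the variable, keeps a reader from assuming the value is redacted in logs and reports. The comment could also state the follow-up, e.g. `# TODO: re-enable once mysql::server accepts Sensitive[String]`. The class body starts and ends outside this hunk.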
@@ -1,10 +1,18 @@ --- -profile::app::mysql::server::settings: - users: - 'fastb_db_user': - host: 'localhost' - grant: - - 'SELECT' - - 'UPDATE' - password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAW555w9viO6soOOVHngrMRv2P+hNn4jBgn4hmXHF0/nvOIvzT7eIwCb+7sdbYbc3BWeEYkHvD+qyj1YUdt3akuAgeYMHdYdajsqU27QOTdERA+Vto2A21gIVyLlRG6x3+fGQAExpzCUiSWE4CEmVawOFCuMibl8FIs337jZrZ5JoEXrLuGXW9lG4EHoMfrNlKzAxQCwDoudhrKcJHtGp3xXJFJ5RV311SlduZeyC/VoYI+eIyxx15C8cvTV08D6dkM9wv1fnkjnqS2Fj5OoKP+fnIoHHxhou/ulMKNBQgH/6I/GpiFZshK8i/y7hptT0qd3n8UVCcfPU0lHdURD4RrzA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAAVeef6a4h7jMgdhdbQbRagBARC9r7oclAgaT/NHx+raTM] \ No newline at end of file +profile::app::mysql::server::mysql_users: + 'fastb_db_user@localhost': + ensure: present + grant: + - 'SELECT' + - 'UPDATE' + +profile::app::mysql::server::fastb_db_user@localhost::password: ENC[PKCS7,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] + +profile::app::mysql::server::dbs: + 'fastb_db': + user: 'fastb_db_user' + host: 'localhost' + grant: + - 'SELECT' + - 'ALL' \ No newline at end of file diff --git a/site/profile/manifests/app/mysql/server.pp b/site/profile/manifests/app/mysql/server.pp index fc89fbd3f..a13835290 100644 --- a/site/profile/manifests/app/mysql/server.pp +++ b/site/profile/manifests/app/mysql/server.pp @@ -3,7 +3,8 @@ class profile::app::mysql::server ( # root_password is set in hiera data based on role and env_n_role # Please delete files in " 'profile::app::mysql::server::mysql_users', + 'merge' => { + 'strategy' => 'deep', + 'knockout_prefix' => '--', + }, + } ) + assert_type(Hash[Hash, Any], $lookup_mysql_users) + # This will ensure the root_password is of Sensitive datatype to protect the # root_password from showing up in the logs. # Currently mysql::server expects String not Sensitive[String] that is why 
@@ -30,11 +39,19 @@ root_password => $secure_root_pass, * => $lookup_settings, } + contain mysql::server $mysql_bindings.each | String $binding | { contain "mysql::bindings::${binding}" } - contain mysql::server + + $lookup_mysql_users.each |String $username, Hash $user_opts| { + $password_hash = mysql_password(lookup("profile::app::mysql::server::${username}::password")) + mysql_user { $username: + password_hash => $password_hash, + * => $user_opts, + } + } $dbs.each |$dbname, $opts| { mysql::db { $dbname: From a8d14bac8eed02025ace15ac64be9e310dd009a6 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 5 Sep 2019 10:54:56 -0500 Subject: [PATCH 099/134] fix bug for misspelling --- hiera.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hiera.yaml b/hiera.yaml index 1ff0b7673..a881025f8 100644 --- a/hiera.yaml +++ b/hiera.yaml @@ -15,10 +15,10 @@ hierarchy: path: "nodes/%{trusted.certname}.yaml" - name: "Per-datacenter buiness trusted.extentions.pp_role data (can be encrypted)" # Using same file as unencrypted - path: "datacenter/%{facts.datacenter}/%{trusted.extentions.pp_role}.yaml" + path: "datacenter/%{facts.datacenter}/%{trusted.extensions.pp_role}.yaml" - name: "Role trusted.extentions.pp_role data (can be encrypted)" # Using same file as unencrypted - path: "role/%{trusted.extentions.pp_role}.yaml" + path: "role/%{trusted.extensions.pp_role}.yaml" - name: "Per-OS facts.os.family defaults data (can be encrypted)" # Using same file as unencrypted path: "os/%{facts.os.family}.yaml" From bf8efa1d784face911c71fcd3fe46154632dcb74 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 5 Sep 2019 10:57:00 -0500 Subject: [PATCH 100/134] fix datatype --- site/profile/manifests/app/mysql/server.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profile/manifests/app/mysql/server.pp b/site/profile/manifests/app/mysql/server.pp index a13835290..c4659ce13 100644 --- a/site/profile/manifests/app/mysql/server.pp 
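Review bot: The per-user password in the new `$lookup_mysql_users.each` block comes from `lookup("profile::app::mysql::server::${username}::password")` with no type constraint, so an empty value in Hiera is hashed and applied as it is; as far as I know `mysql_password` returns an empty string for empty input, which would leave that account without a password. Constraining the call, `lookup("profile::app::mysql::server::${username}::password", String[1])`, turns such data into a compile failure. Note also that `* => $user_opts` sits next to an explicit `password_hash`, so a `password_hash` key in the Hiera hash should be a duplicate-attribute error rather than an override; a one-line comment saying the hash must not carry it would help. The enclosing class starts and ends outside the hunk.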
+++ b/site/profile/manifests/app/mysql/server.pp @@ -23,7 +23,7 @@ 'knockout_prefix' => '--', }, } ) - assert_type(Hash[Hash, Any], $lookup_mysql_users) + assert_type(String[Hash, Any], $lookup_mysql_users) # This will ensure the root_password is of Sensitive datatype to protect the # root_password from showing up in the logs. From 066da56051172f4cd81f27cb4f3040930dc7bf4b Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 5 Sep 2019 11:10:27 -0500 Subject: [PATCH 101/134] change type bugfix --- site/profile/manifests/app/mysql/server.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profile/manifests/app/mysql/server.pp b/site/profile/manifests/app/mysql/server.pp index c4659ce13..90d60df5b 100644 --- a/site/profile/manifests/app/mysql/server.pp +++ b/site/profile/manifests/app/mysql/server.pp @@ -23,7 +23,7 @@ 'knockout_prefix' => '--', }, } ) - assert_type(String[Hash, Any], $lookup_mysql_users) + assert_type(Hash, $lookup_mysql_users) # This will ensure the root_password is of Sensitive datatype to protect the # root_password from showing up in the logs. From ef59c1c681a42a3a9c2abc41de80f78397d54374 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 5 Sep 2019 11:13:06 -0500 Subject: [PATCH 102/134] added password for db --- data/role/fastb_database.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/data/role/fastb_database.yaml b/data/role/fastb_database.yaml index 591acbb88..0cb353b30 100644 --- a/data/role/fastb_database.yaml +++ b/data/role/fastb_database.yaml @@ -13,6 +13,7 @@ profile::app::mysql::server::dbs: 'fastb_db': user: 'fastb_db_user' host: 'localhost' + password: ENC[PKCS7,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] grant: - 'SELECT' - 'ALL' \ No newline at end of file From 203aea1152def2fab2e37c4d39399be55fa280a3 Mon Sep 17 00:00:00 2001 
From: Troy Klein Date: Thu, 5 Sep 2019 11:17:58 -0500 Subject: [PATCH 103/134] removed grants for db creation --- data/role/fastb_database.yaml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/data/role/fastb_database.yaml b/data/role/fastb_database.yaml index 0cb353b30..a8c4e1574 100644 --- a/data/role/fastb_database.yaml +++ b/data/role/fastb_database.yaml @@ -13,7 +13,4 @@ profile::app::mysql::server::dbs: 'fastb_db': user: 'fastb_db_user' host: 'localhost' - password: ENC[PKCS7,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] - grant: - - 'SELECT' - - 'ALL' \ No newline at end of file + password: ENC[PKCS7,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] \ No newline at end of file From 4ac4336672c96dd332413105bb1fdf9ceb4aa6b5 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 5 Sep 2019 11:36:59 -0500 Subject: [PATCH 104/134] fix for db grant --- data/role/fastb_database.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/data/role/fastb_database.yaml b/data/role/fastb_database.yaml index a8c4e1574..848b8f10e 100644 --- a/data/role/fastb_database.yaml +++ b/data/role/fastb_database.yaml @@ -3,9 +3,6 @@ profile::app::mysql::server::mysql_users: 'fastb_db_user@localhost': ensure: present - grant: - - 'SELECT' - - 'UPDATE' profile::app::mysql::server::fastb_db_user@localhost::password: ENC[PKCS7,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] 
@@ -13,4 +10,7 @@ profile::app::mysql::server::dbs: 'fastb_db': user: 'fastb_db_user' host: 'localhost' + grant: + - 'SELECT' + - 'UPDATE' password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAW555w9viO6soOOVHngrMRv2P+hNn4jBgn4hmXHF0/nvOIvzT7eIwCb+7sdbYbc3BWeEYkHvD+qyj1YUdt3akuAgeYMHdYdajsqU27QOTdERA+Vto2A21gIVyLlRG6x3+fGQAExpzCUiSWE4CEmVawOFCuMibl8FIs337jZrZ5JoEXrLuGXW9lG4EHoMfrNlKzAxQCwDoudhrKcJHtGp3xXJFJ5RV311SlduZeyC/VoYI+eIyxx15C8cvTV08D6dkM9wv1fnkjnqS2Fj5OoKP+fnIoHHxhou/ulMKNBQgH/6I/GpiFZshK8i/y7hptT0qd3n8UVCcfPU0lHdURD4RrzA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAAVeef6a4h7jMgdhdbQbRagBARC9r7oclAgaT/NHx+raTM] \ No newline at end of file From 9bf1cb09433021fdbd9cfa8289b0bfcb00702276 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 5 Sep 2019 11:43:09 -0500 Subject: [PATCH 105/134] added example role --- site/example_role/manifests/fastb/database.pp | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 site/example_role/manifests/fastb/database.pp diff --git a/site/example_role/manifests/fastb/database.pp b/site/example_role/manifests/fastb/database.pp new file mode 100644 index 000000000..5c2218827 --- /dev/null +++ b/site/example_role/manifests/fastb/database.pp @@ -0,0 +1,7 @@ +# This is an example of a product called +# "Fast B" +# This is a database for that product. +class example_role::fastb::database { + include profile::os::baseline + include profile::app::mysql::server +} From e8a0595a4ba7b0ac80be33679b135b4aedd572ea Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 5 Sep 2019 17:21:47 -0500 Subject: [PATCH 106/134] verify trusted.extensions --- site/profile/manifests/os/baseline.pp | 5 ++++ .../os/baseline/verify_trusted_data.pp | 27 +++++++++++++++++++ 2 files changed, 32 insertions(+) create mode 100644 site/profile/manifests/os/baseline/verify_trusted_data.pp diff --git a/site/profile/manifests/os/baseline.pp b/site/profile/manifests/os/baseline.pp index 8cd2c88fb..dde98927b 100644 
--- a/site/profile/manifests/os/baseline.pp +++ b/site/profile/manifests/os/baseline.pp @@ -37,5 +37,10 @@ # Profile does the OS case statement # Profile will normalize the 'temp' path for Linux, Solaris, and Windows include profile::os::baseline::archives + # Profile does motd and banner include profile::os::baseline::banner + # Profile validates trusted.extensions are set + class { 'profile::os::baseline::verify_trusted_data': + extensions_to_check => [ 'pp_role', 'pp_product', 'pp_service' ], + } } diff --git a/site/profile/manifests/os/baseline/verify_trusted_data.pp b/site/profile/manifests/os/baseline/verify_trusted_data.pp new file mode 100644 index 000000000..a0c914ebb --- /dev/null +++ b/site/profile/manifests/os/baseline/verify_trusted_data.pp @@ -0,0 +1,27 @@ +# profile::base::chk_facts_exist +# +# This class to to check and see if required facts are set. +# The list of facts can be placed in hiera or can be set +# when the class is called (param) +# +# @summary Check and see if required trusted.extensions are set +# +# @param extensions_to_check: list of extensions to verify are not undef +# +# @example +# class { '::profile::os::baseline::verify_trusted_data': +# extensions_to_check => [ 'pp_product', 'pp_role', +# 'pp_service' ], +# } +class profile::os::baseline::verify_trusted_data ( + Optional[Array] $extensions_to_check = undef +) { + if $extensions_to_check != undef { + $extensions_to_check.each | $key | { + $extension_name = "trusted.extensions.${key}" + if "${$extension_name}" == undef { # lint:ignore:only_variable_string + fail("Required ${extension_name} does not exists!\nExtension must be set!") + } + } + } +} From 4113cd6f370e7d1b60c6b1a334b16710adb1ed42 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Thu, 5 Sep 2019 17:36:18 -0500 Subject: [PATCH 107/134] change to evaluate data in key --- site/profile/manifests/os/baseline/verify_trusted_data.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/site/profile/manifests/os/baseline/verify_trusted_data.pp b/site/profile/manifests/os/baseline/verify_trusted_data.pp index a0c914ebb..b1637d6cd 100644 --- a/site/profile/manifests/os/baseline/verify_trusted_data.pp +++ b/site/profile/manifests/os/baseline/verify_trusted_data.pp @@ -18,9 +18,9 @@ ) { if $extensions_to_check != undef { $extensions_to_check.each | $key | { - $extension_name = "trusted.extensions.${key}" - if "${$extension_name}" == undef { # lint:ignore:only_variable_string - fail("Required ${extension_name} does not exists!\nExtension must be set!") + $extension_value = $trusted['extensions'][$key] + if $extension_value == undef { + fail("Required trusted.extensions.${key} does not exists!\nExtension must be set!") } } } From 7012727c2a25aa7f41ea01fdb25e39e69eb1df9b Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 6 Sep 2019 07:44:08 -0500 Subject: [PATCH 108/134] Added trusted extension to hiera --- data/role/fastb_database.yaml | 5 ++++- data/to_be_deleted.yaml | 11 +++++++++-- site/profile/manifests/os/baseline.pp | 3 ++- 3 files changed, 15 insertions(+), 4 deletions(-) diff --git a/data/role/fastb_database.yaml b/data/role/fastb_database.yaml index 848b8f10e..dc3b20130 100644 --- a/data/role/fastb_database.yaml +++ b/data/role/fastb_database.yaml 
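Review bot: The rewritten test `if $extension_value == undef` only catches a missing extension; one that is present but empty still passes. Matching on the value, `unless $extension_value =~ String[1] {` followed by the existing `fail(...)`, rejects both cases. The parameter declared just above the hunk remains `Optional[Array] $extensions_to_check = undef`, so declaring the class without a list verifies nothing and says nothing; `Array[String[1]] $extensions_to_check` would make the list mandatory and keep non-string keys out of `$trusted['extensions'][$key]`.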
@@ -13,4 +13,7 @@ profile::app::mysql::server::dbs: grant: - 'SELECT' - 'UPDATE' - password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAW555w9viO6soOOVHngrMRv2P+hNn4jBgn4hmXHF0/nvOIvzT7eIwCb+7sdbYbc3BWeEYkHvD+qyj1YUdt3akuAgeYMHdYdajsqU27QOTdERA+Vto2A21gIVyLlRG6x3+fGQAExpzCUiSWE4CEmVawOFCuMibl8FIs337jZrZ5JoEXrLuGXW9lG4EHoMfrNlKzAxQCwDoudhrKcJHtGp3xXJFJ5RV311SlduZeyC/VoYI+eIyxx15C8cvTV08D6dkM9wv1fnkjnqS2Fj5OoKP+fnIoHHxhou/ulMKNBQgH/6I/GpiFZshK8i/y7hptT0qd3n8UVCcfPU0lHdURD4RrzA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAAVeef6a4h7jMgdhdbQbRagBARC9r7oclAgaT/NHx+raTM] \ No newline at end of file + password: ENC[PKCS7,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] + + profile::os::baseline::verify_trusted_data::extentions: + - 'pp_preshared_key' \ No newline at end of file diff --git a/data/to_be_deleted.yaml b/data/to_be_deleted.yaml index 2b4f24cd2..ef744d6b3 100644 --- a/data/to_be_deleted.yaml +++ b/data/to_be_deleted.yaml @@ -186,7 +186,14 @@ W A R N I N G \n \n Authorized users only. All activity may be monitored and logged. Use of \n this system means you consent to such monitoring. Unauthorized users may \n -be prosecuted." +be prosecuted.\n" profile::app::mysql::server::settings: - remove_default_accounts: true \ No newline at end of file + remove_default_accounts: true + +profile::app::haproxy::server::stats_password: ENC[PKCS7,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] + +profile::os::baseline::verify_trusted_data::extentions: + - 'pp_role' + - 'pp_service' + - 'pp_product' \ No newline at end of file diff --git a/site/profile/manifests/os/baseline.pp b/site/profile/manifests/os/baseline.pp index dde98927b..ee744ec72 100644 --- a/site/profile/manifests/os/baseline.pp +++ b/site/profile/manifests/os/baseline.pp 
@@ -40,7 +40,8 @@ # Profile does motd and banner include profile::os::baseline::banner # Profile validates trusted.extensions are set + $extensions = lookup('profile::os::baseline::verify_trusted_data::extentions', Array, 'deep') class { 'profile::os::baseline::verify_trusted_data': - extensions_to_check => [ 'pp_role', 'pp_product', 'pp_service' ], + extensions_to_check => $extensions, } } From 01ae097d1d22df586a5ad16a4778aaffd1e19eb7 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 6 Sep 2019 07:59:28 -0500 Subject: [PATCH 109/134] added hiearchy for onceover --- spec/hiera.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/spec/hiera.yaml b/spec/hiera.yaml index 82c645b33..f9039821a 100644 --- a/spec/hiera.yaml +++ b/spec/hiera.yaml @@ -5,6 +5,9 @@ defaults: # Used for any hierarchy level that omits these keys. data_hash: yaml_data # Use the built-in YAML backend. hierarchy: + - name: "Should be deleted data (this data is for testing purposes only)" # feel free to delete this layer + path: "to_be_deleted.yaml" + - name: "Per-node data" # Human-readable name. path: "nodes/%{trusted.certname}.yaml" # File path, relative to datadir. # ^^^ IMPORTANT: include the file extension! From 250cf44010b083129af346a34c1e7b0265521ff1 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 6 Sep 2019 08:07:23 -0500 Subject: [PATCH 110/134] added extension --- data/role/fastb_web-be.yaml | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 data/role/fastb_web-be.yaml diff --git a/data/role/fastb_web-be.yaml b/data/role/fastb_web-be.yaml new file mode 100644 index 000000000..55c217f60 --- /dev/null +++ b/data/role/fastb_web-be.yaml @@ -0,0 +1,4 @@ +--- + +profile::os::baseline::verify_trusted_data::extentions: + - 'pp_preshared_key' \ No newline at end of file From 96613350740e28b8ea336269a65f532548941c13 Mon Sep 17 00:00:00 2001 
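Review bot: The lookup key in the baseline.pp hunk is spelled `profile::os::baseline::verify_trusted_data::extentions`, and the data hunks of this commit in `data/role/fastb_database.yaml` and `data/to_be_deleted.yaml` carry the same spelling, while the class parameter and the `$trusted` hash use `extensions`. It resolves today because both sides agree, but a role file written with the correct spelling produces no error and no check, so that role's required extension is not enforced. Renaming the key to `profile::os::baseline::verify_trusted_data::extensions` in the manifest and the data now, before more role files depend on it, avoids that; commit 099 in this series had to fix the same misspelling in the `hiera.yaml` paths.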
From: Troy Klein Date: Fri, 6 Sep 2019 10:17:03 -0500 Subject: [PATCH 111/134] fix for tomcat --- data/os/RedHat.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/os/RedHat.yaml b/data/os/RedHat.yaml index b237a8d5f..7fba5bda1 100644 --- a/data/os/RedHat.yaml +++ b/data/os/RedHat.yaml @@ -1,3 +1,3 @@ --- -profile::app::tomcat::webserver::download_url: 'https://www-us.apache.org/dist/tomcat/tomcat-8/v8.5.35/bin/apache-tomcat-8.5.35.tar.gz' +profile::app::tomcat::webserver::download_url: 'https://archive.apache.org/dist/tomcat/tomcat-8/v8.5.35/bin/apache-tomcat-8.5.35.tar.gz' From 1778763bd0babd26a0333e8df7e3fa690190de16 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 6 Sep 2019 10:21:49 -0500 Subject: [PATCH 112/134] fix for order of fastb --- site/profile/manifests/app/fastb.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp index d1fb67ae2..ac38f39b5 100644 --- a/site/profile/manifests/app/fastb.pp +++ b/site/profile/manifests/app/fastb.pp @@ -3,7 +3,7 @@ Stdlib::HTTPSUrl $download_url = 'https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/sureshatt/http-demo.war', String $app_dir = 'fastb', ) { - include profile::app::tomcat::webserver + contain profile::app::tomcat::webserver $user = $profile::app::tomcat::webserver::user $group = $profile::app::tomcat::webserver::group @@ -16,4 +16,5 @@ group => $group, notify => Tomcat::Service[$service], } + } From 58ecd13a5d79cbfafdb5f53968e0346e361f05b4 Mon Sep 17 00:00:00 2001 
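Review bot: The new `profile::app::tomcat::webserver::download_url` in data/os/RedHat.yaml pins Tomcat 8.5.35 on `archive.apache.org`; that the previous mirror path had to be replaced suggests the release has been superseded, so hosts built from this data may lack later 8.5.x security fixes. Nothing visible in this series verifies the tarball after download either. I would move to a currently supported 8.5.x build when the role is next tested and put a comment above the key, e.g. `# pinned release: bump together with its published checksum`.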
From: Troy Klein Date: Fri, 6 Sep 2019 10:46:01 -0500 Subject: [PATCH 113/134] change to fix CI testing --- spec/factsets/CentOS-6.6-64.json | 348 +++++++++ spec/factsets/CentOS-7.0_76.json | 511 +++++++++++++ spec/factsets/Windows_Server-2012r2-64.json | 6 + spec/factsets/osx-10.13-x86_64.json | 6 + spec/factsets/solaris-11.2-sparc-64.json | 780 ++++++++++++++++++++ spec/onceover.yaml | 4 + 6 files changed, 1655 insertions(+) create mode 100644 spec/factsets/CentOS-6.6-64.json create mode 100644 spec/factsets/CentOS-7.0_76.json create mode 100644 spec/factsets/solaris-11.2-sparc-64.json diff --git a/spec/factsets/CentOS-6.6-64.json b/spec/factsets/CentOS-6.6-64.json new file mode 100644 index 000000000..488ae7ed8 --- /dev/null +++ b/spec/factsets/CentOS-6.6-64.json 
@@ -0,0 +1,348 @@ +{ + "name": "centos6a.pdx.puppetlabs.demo", + "trusted": { + "pp_role": "agent", + "pp_service": "puppet", + "pp_product": "puppet", + "pp_preshared_key": "Somekey" + }, + "values": { + "aio_agent_build": "1.2.2", + "aio_agent_version": "1.2.2", + "architecture": "x86_64", + "augeas": { + "version": "1.4.0" + }, + "augeasversion": "1.4.0", + "bios_release_date": "12/01/2006", + "bios_vendor": "innotek GmbH", + "bios_version": "VirtualBox", + "blockdevice_sda_model": "VBOX HARDDISK", + "blockdevice_sda_size": 21474836480, + "blockdevice_sda_vendor": "ATA", + "blockdevices": "sda", + "boardmanufacturer": "Oracle Corporation", + "boardproductname": "VirtualBox", + "boardserialnumber": "0", + "chassistype": "Other", + "concat_basedir": "/opt/puppetlabs/puppet/cache/concat", + "custom_auth_conf": "false", + "datacenter": "portland", + "dhcp_servers": { + "eth0": "10.0.2.2", + "system": "10.0.2.2" + }, + "disks": { + "sda": { + "model": "VBOX HARDDISK", + "size": "20.00 GiB", + "size_bytes": 21474836480, + "vendor": "ATA" + } + }, + "dmi": { + "bios": { + "release_date": "12/01/2006", + "vendor": "innotek GmbH", + "version": "VirtualBox" + }, + "board": { + "manufacturer": "Oracle Corporation", + "product": "VirtualBox", + "serial_number": "0" + }, + "chassis": { + "type": "Other" + }, + "manufacturer": "innotek GmbH", + "product": { + "name": "VirtualBox", + "serial_number": "0", + "uuid": "DA4CD203-2C23-4E21-B169-293D1749C38C" + } + }, + "domain": "pdx.puppetlabs.demo", + "facterversion": "3.0.2", + "filesystems": "ext4,iso9660", + "fqdn": "centos6a.pdx.puppetlabs.demo", + "gid": "root", + "hardwareisa": "x86_64", + "hardwaremodel": "x86_64", + "homedir": "/root", + "hostname": "centos6a", + "id": "root", + "identity": { + "gid": 0, + "group": "root", + "uid": 0, + "user": "root" + }, + "interfaces": "eth0,eth1,lo", + "ip6tables_version": "1.4.7", + "ipaddress": "10.0.2.15", + "ipaddress6": "fe80::a00:27ff:fe0f:d276", + "ipaddress6_eth0": 
"fe80::a00:27ff:fe0f:d276", + "ipaddress6_eth1": "fe80::a00:27ff:fe66:988a", + "ipaddress6_lo": "::1", + "ipaddress_eth0": "10.0.2.15", + "ipaddress_eth1": "10.20.1.88", + "ipaddress_lo": "127.0.0.1", + "iptables_version": "1.4.7", + "is_admin": true, + "is_pe": false, + "is_virtual": true, + "kernel": "Linux", + "kernelmajversion": "2.6", + "kernelrelease": "2.6.32-504.8.1.el6.x86_64", + "kernelversion": "2.6.32", + "load_averages": { + "15m": 0.0, + "1m": 0.0, + "5m": 0.0 + }, + "macaddress": "08:00:27:0f:d2:76", + "macaddress_eth0": "08:00:27:0f:d2:76", + "macaddress_eth1": "08:00:27:66:98:8a", + "manufacturer": "innotek GmbH", + "memory": { + "swap": { + "available": "992.00 MiB", + "available_bytes": 1040183296, + "capacity": "0%", + "total": "992.00 MiB", + "total_bytes": 1040183296, + "used": "0 bytes", + "used_bytes": 0 + }, + "system": { + "available": "348.41 MiB", + "available_bytes": 365338624, + "capacity": "28.95%", + "total": "490.39 MiB", + "total_bytes": 514215936, + "used": "141.98 MiB", + "used_bytes": 148877312 + } + }, + "memoryfree": "348.41 MiB", + "memoryfree_mb": 348.4140625, + "memorysize": "490.39 MiB", + "memorysize_mb": 490.39453125, + "mountpoints": { + "/": { + "available": "16.94 GiB", + "available_bytes": 18193268736, + "capacity": "6.51%", + "device": "/dev/mapper/VolGroup-lv_root", + "filesystem": "ext4", + "options": [ + "rw" + ], + "size": "18.12 GiB", + "size_bytes": 19459338240, + "used": "1.18 GiB", + "used_bytes": 1266069504 + }, + "/boot": { + "available": "448.35 MiB", + "available_bytes": 470125568, + "capacity": "5.85%", + "device": "/dev/sda1", + "filesystem": "ext4", + "options": [ + "rw" + ], + "size": "476.22 MiB", + "size_bytes": 499355648, + "used": "27.88 MiB", + "used_bytes": 29230080 + } + }, + "mtu_eth0": 1500, + "mtu_eth1": 1500, + "mtu_lo": 65536, + "mysql_server_id": 8555670, + "netmask": "255.255.255.0", + "netmask6": "ffff:ffff:ffff:ffff::", + "netmask6_eth0": "ffff:ffff:ffff:ffff::", + "netmask6_eth1": 
"ffff:ffff:ffff:ffff::", + "netmask6_lo": "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", + "netmask_eth0": "255.255.255.0", + "netmask_eth1": "255.255.255.0", + "netmask_lo": "255.0.0.0", + "network": "10.0.2.0", + "network6": "fe80::", + "network6_eth0": "fe80::", + "network6_eth1": "fe80::", + "network6_lo": "::1", + "network_eth0": "10.0.2.0", + "network_eth1": "10.20.1.0", + "network_lo": "127.0.0.0", + "networking": { + "dhcp": "10.0.2.2", + "domain": "pdx.puppetlabs.demo", + "fqdn": "centos6a.pdx.puppetlabs.demo", + "hostname": "centos6a", + "interfaces": { + "eth0": { + "dhcp": "10.0.2.2", + "ip": "10.0.2.15", + "ip6": "fe80::a00:27ff:fe0f:d276", + "mac": "08:00:27:0f:d2:76", + "mtu": 1500, + "netmask": "255.255.255.0", + "netmask6": "ffff:ffff:ffff:ffff::", + "network": "10.0.2.0", + "network6": "fe80::" + }, + "eth1": { + "ip": "10.20.1.88", + "ip6": "fe80::a00:27ff:fe66:988a", + "mac": "08:00:27:66:98:8a", + "mtu": 1500, + "netmask": "255.255.255.0", + "netmask6": "ffff:ffff:ffff:ffff::", + "network": "10.20.1.0", + "network6": "fe80::" + }, + "lo": { + "ip": "127.0.0.1", + "ip6": "::1", + "mtu": 65536, + "netmask": "255.0.0.0", + "netmask6": "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", + "network": "127.0.0.0", + "network6": "::1" + } + }, + "ip": "10.0.2.15", + "ip6": "fe80::a00:27ff:fe0f:d276", + "mac": "08:00:27:0f:d2:76", + "mtu": 1500, + "netmask": "255.255.255.0", + "netmask6": "ffff:ffff:ffff:ffff::", + "network": "10.0.2.0", + "network6": "fe80::" + }, + "operatingsystem": "CentOS", + "operatingsystemmajrelease": "6", + "operatingsystemrelease": "6.6", + "os": { + "architecture": "x86_64", + "family": "RedHat", + "hardware": "x86_64", + "name": "CentOS", + "release": { + "full": "6.6", + "major": "6", + "minor": "6" + }, + "selinux": { + "enabled": false + } + }, + "osfamily": "RedHat", + "partitions": { + "/dev/mapper/VolGroup-lv_root": { + "filesystem": "ext4", + "mount": "/", + "size": "0 bytes", + "size_bytes": 0, + "uuid": 
"a29409f8-0b58-4271-a348-032caefec8b8" + }, + "/dev/mapper/VolGroup-lv_swap": { + "filesystem": "swap", + "size": "0 bytes", + "size_bytes": 0, + "uuid": "b30b464a-8ac9-492a-a1c5-2da75bb7488a" + }, + "/dev/sda1": { + "filesystem": "ext4", + "mount": "/boot", + "size": "500.00 MiB", + "size_bytes": 524288000, + "uuid": "da946872-1406-4ac1-9a4d-f7ce5f7be47e" + }, + "/dev/sda2": { + "filesystem": "LVM2_member", + "size": "19.51 GiB", + "size_bytes": 20949499904, + "uuid": "nRdWPh-INkA-aHPs-TNtk-HjJG-SxBU-DdqI8a" + } + }, + "path": "/opt/puppetlabs/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin", + "pe_concat_basedir": "/opt/puppetlabs/puppet/cache/pe_concat", + "pe_razor_server_version": "package pe-razor-server is not installed", + "physicalprocessorcount": 1, + "platform_symlink_writable": true, + "platform_tag": "el-6-x86_64", + "processor0": "Intel(R) Core(TM) i7-4850HQ CPU @ 2.30GHz", + "processorcount": 1, + "processors": { + "count": 1, + "isa": "x86_64", + "models": [ + "Intel(R) Core(TM) i7-4850HQ CPU @ 2.30GHz" + ], + "physicalcount": 1 + }, + "productname": "VirtualBox", + "puppet_files_dir_present": false, + "puppet_vardir": "/opt/puppetlabs/puppet/cache", + "puppetversion": "4.2.1", + "root_home": "/root", + "ruby": { + "platform": "x86_64-linux", + "sitedir": "/opt/puppetlabs/puppet/lib/ruby/site_ruby/2.1.0", + "version": "2.1.6" + }, + "rubyplatform": "x86_64-linux", + "rubysitedir": "/opt/puppetlabs/puppet/lib/ruby/site_ruby/2.1.0", + "rubyversion": "2.1.6", + "selinux": false, + "serialnumber": "0", + "ssh": { + "dsa": { + "fingerprints": { + "sha1": "SSHFP 2 1 5dad11db93cde6e3b1d5ce5a5fe5ad02825037e8", + "sha256": "SSHFP 2 2 576fe2b6a8412ada50cb776e6f1da5dd4bc301f2aa682be2ff82c70558c14745" + }, + "key": 
"AAAAB3NzaC1kc3MAAACBAJSFgQJi2VfgHnp2MQsV2wNpONevQuhi1Jb/nX0EjHtrAgc8MNRXLQTmjunh5q4+mjcYMHXDIx6F0Oc4XCnR5g6uQwBOGg70oXJmUkmwCw/mdgu3ppepOQJssBKnKFCR7QsbrBL+U1YmYmV8eGYDB76eXWRBOd9LewcGkjhHYbpzAAAAFQCShhFDlgHvmj6kcr6XRUuYPNziNwAAAIBBjLzEbwqoedlUKXRGuKc7nU71qWAkahN8rI4lU7d6PrVS7XziNX3OTCXbRCF3wT/dlYBU+grjmOIF4dbOrjBCHmmYVzlntXsefyR6XIbJw/H08L2LdDT6aye+MDWdYGK0PqgV6AZ5pWUzu7wS+qJduOaNMts5YrzqvlhiFDO8EAAAAIAJoqYk2bkNTPnjYi4qhIP3o+7Lhpxh5akAkjPMpM4tf/BedBqzKimvWhtDNVTcNCOZwJuSkHL4SSafvPCoxbKY4YhFWYykS/Vdle9ixNtH+wMU5d8DsSsvZpfa4lvj9FpzgfcM+NT1aYHis/pIRpBblPfHHnFBsxGKX66v6webHg==" + }, + "rsa": { + "fingerprints": { + "sha1": "SSHFP 1 1 e1e2811771eb093d9b74333a111e089bc8e434ef", + "sha256": "SSHFP 1 2 4513b7ba6b47b22319ea40fe9e0f12e9ac200b367b78508364a80a2a9b92409c" + }, + "key": "AAAAB3NzaC1yc2EAAAABIwAAAQEA3Gn072MPvlL1R0RpTGod7BxiCvm4Wp6p8gRYJgEba9FLtYTWYhx18ueLnuFWKnK6WMpwe24732ZGGCsagjBkEo8DFJZABZbfSHxW1gsmU6smUM9o2wt9ZEeYJ036DqIkg4DzsBLc206NKStuKCTOINFSwBtHAWkZCeGdon8ssEoery//yZchbHBXQB1f312Re42W4eLNpWm0T93eEwRRMOpnLtNFrVa9kvHv71eQx2crvDG2xd6BfN0PkU0tx0TBzDS2xUqBg5m1MdNbarxWH1Km8JUEH40jl3YKgh5g0lrfEE36xIItPtW2mFawsMBpMK0iPerqs60or9SjM1LwXQ==" + } + }, + "sshdsakey": "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", + "sshfp_dsa": "SSHFP 2 1 5dad11db93cde6e3b1d5ce5a5fe5ad02825037e8\nSSHFP 2 2 576fe2b6a8412ada50cb776e6f1da5dd4bc301f2aa682be2ff82c70558c14745", + "sshfp_rsa": "SSHFP 1 1 e1e2811771eb093d9b74333a111e089bc8e434ef\nSSHFP 1 2 4513b7ba6b47b22319ea40fe9e0f12e9ac200b367b78508364a80a2a9b92409c", + "sshrsakey": "AAAAB3NzaC1yc2EAAAABIwAAAQEA3Gn072MPvlL1R0RpTGod7BxiCvm4Wp6p8gRYJgEba9FLtYTWYhx18ueLnuFWKnK6WMpwe24732ZGGCsagjBkEo8DFJZABZbfSHxW1gsmU6smUM9o2wt9ZEeYJ036DqIkg4DzsBLc206NKStuKCTOINFSwBtHAWkZCeGdon8ssEoery//yZchbHBXQB1f312Re42W4eLNpWm0T93eEwRRMOpnLtNFrVa9kvHv71eQx2crvDG2xd6BfN0PkU0tx0TBzDS2xUqBg5m1MdNbarxWH1Km8JUEH40jl3YKgh5g0lrfEE36xIItPtW2mFawsMBpMK0iPerqs60or9SjM1LwXQ==", + "staging_http_get": "curl", + "swapfree": "992.00 MiB", + "swapfree_mb": 
991.99609375, + "swapsize": "992.00 MiB", + "swapsize_mb": 991.99609375, + "system_uptime": { + "days": 0, + "hours": 0, + "seconds": 352, + "uptime": "0:05 hours" + }, + "timezone": "UTC", + "uptime": "0:05 hours", + "uptime_days": 0, + "uptime_hours": 0, + "uptime_seconds": 352, + "uuid": "DA4CD203-2C23-4E21-B169-293D1749C38C", + "virtual": "virtualbox", + "clientcert": "centos6a.pdx.puppetlabs.demo", + "clientversion": "4.2.1", + "clientnoop": false + }, + "timestamp": "2015-09-23T01:56:02.689718267+00:00", + "expiration": "2015-09-23T02:26:02.690130706+00:00" +} diff --git a/spec/factsets/CentOS-7.0_76.json b/spec/factsets/CentOS-7.0_76.json new file mode 100644 index 000000000..f5829e990 --- /dev/null +++ b/spec/factsets/CentOS-7.0_76.json 
@@ -0,0 +1,511 @@ +{ + "name": "centos7.somedomain.info", + "trusted": { + "pp_role": "agent", + "pp_service": "puppet", + "pp_product": "puppet", + "pp_preshared_key": "Somekey" + }, + "values": { + "aio_agent_build": "6.4.3", + "aio_agent_version": "6.4.3", + "architecture": "x86_64", + "augeas": { + "version": "1.12.0" + }, + "augeasversion": "1.12.0", + "bios_release_date": "01/01/2011", + "bios_vendor": "Seabios", + "bios_version": "0.5.1", + "blockdevice_vda_size": 8589934592, + "blockdevice_vda_vendor": "0x1af4", + "blockdevices": "vda", + "chassistype": "Other", + "dhcp_servers": { + "eth0": "192.168.0.10", + "system": "192.168.0.10" + }, + "disks": { + "vda": { + "size": "8.00 GiB", + "size_bytes": 8589934592, + "vendor": "0x1af4" + } + }, + "dmi": { + "bios": { + "release_date": "01/01/2011", + "vendor": "Seabios", + "version": "0.5.1" + }, + "chassis": { + "type": "Other" + }, + "manufacturer": "OpenStack Foundation", + "product": { + "name": "OpenStack Nova", + "serial_number": "3c2513f4-b791-4ce7-9b2f-558c71093ec7", + "uuid": "F037E492-B099-4C5F-9D71-983D102E9AEB" + } + }, + "domain": "somedomain.info", + "ec2_metadata": { + "ami-id": "None", + "ami-launch-index": "0", + "ami-manifest-path": "FIXME", + "block-device-mapping": { + "ami": "vda", + "ebs0": "/dev/vda", + "root": "/dev/vda" + }, + "hostname": "centos7", + "instance-action": "none", + "instance-id": "i-000085b6", + "instance-type": "vol.small", + "local-hostname": "centos7", + "local-ipv4": "192.168.0.2", + "placement": { + "availability-zone": "local-storage" + }, + "public-hostname": "centos7", + "public-ipv4": "", + "public-keys": { + "0": { + "openssh-key": "ssh-rsa 
AAAAB3NzaC1yc2EAAAABIwAAAQEAsMvODgIqL1NoUgP65qmgf0sJjQy78QdA5rHw9tIwK5KstVSh+0w4TLHJq8Jz8E4UeXhx0NioP3kE3otjCC8kSM5y99QOs4qQh7q6cLN9hQpXMQUD9UnJMP0b5agd0PdErH0ML9hnWfsZX707v31VSIbco+X6Kg9wN8WJhlTXgbbrJTUIPnMzNXrN7Z5/jY6Vss7NTCVI7OxUbIna37l5y8s4jxViaXjoVEXP8e4QtTX8p0BYc2vgerI04ZilhbIe4KEcHiR+n/GUr6MmkY5qtLum/7IZLHbHfWha1q7VaPnz/CHmlDySxxq4sF81N4x2V7d0+x8/wNZx2d+duJmV0Q==" + } + }, + "reservation-id": "r-pz8wel3j", + "security-groups": "default" + }, + "facterversion": "3.13.3", + "filesystems": "xfs", + "fips_enabled": false, + "fqdn": "centos7.somedomain.info", + "gid": "root", + "hardwareisa": "x86_64", + "hardwaremodel": "x86_64", + "home_users": "/home/centos,/home/tomcat", + "hostname": "centos7", + "hypervisors": { + "kvm": { + "openstack": true + } + }, + "icinga2_puppet_hostcert": "/etc/puppetlabs/puppet/ssl/certs/centos7.somedomain.info.pem", + "icinga2_puppet_hostprivkey": "/etc/puppetlabs/puppet/ssl/private_keys/centos7.somedomain.info.pem", + "icinga2_puppet_localcacert": "/etc/puppetlabs/puppet/ssl/certs/ca.pem", + "id": "root", + "identity": { + "gid": 0, + "group": "root", + "privileged": true, + "uid": 0, + "user": "root" + }, + "interfaces": "eth0,lo", + "ipaddress": "192.168.0.2", + "ipaddress_eth0": "192.168.0.2", + "ipaddress_lo": "127.0.0.1", + "is_pe": false, + "is_virtual": true, + "java_default_home": "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.222.b10-0.el7_6.x86_64", + "java_libjvm_path": "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.222.b10-0.el7_6.x86_64/jre/lib/amd64/server", + "java_major_version": "8", + "java_patch_level": "222", + "java_version": "1.8.0_222", + "kernel": "Linux", + "kernelmajversion": "3.10", + "kernelrelease": "3.10.0-957.1.3.el7.x86_64", + "kernelversion": "3.10.0", + "load_averages": { + "15m": 0.15, + "1m": 0.32, + "5m": 0.14 + }, + "macaddress": "fa:16:3e:ee:90:cd", + "macaddress_eth0": "fa:16:3e:ee:90:cd", + "manufacturer": "OpenStack Foundation", + "memory": { + "system": { + "available": "1.47 GiB", + "available_bytes": 
1583357952, + "capacity": "17.86%", + "total": "1.80 GiB", + "total_bytes": 1927516160, + "used": "328.21 MiB", + "used_bytes": 344158208 + } + }, + "memoryfree": "1.47 GiB", + "memoryfree_mb": 1510.0078125, + "memorysize": "1.80 GiB", + "memorysize_mb": 1838.22265625, + "mountpoints": { + "/": { + "available": "6.66 GiB", + "available_bytes": 7149559808, + "capacity": "16.66%", + "device": "rootfs", + "filesystem": "rootfs", + "options": [ + "rw" + ], + "size": "7.99 GiB", + "size_bytes": 8578400256, + "used": "1.33 GiB", + "used_bytes": 1428840448 + }, + "/dev": { + "available": "896.79 MiB", + "available_bytes": 940351488, + "capacity": "0%", + "device": "devtmpfs", + "filesystem": "devtmpfs", + "options": [ + "rw", + "seclabel", + "nosuid", + "size=918312k", + "nr_inodes=229578", + "mode=755" + ], + "size": "896.79 MiB", + "size_bytes": 940351488, + "used": "0 bytes", + "used_bytes": 0 + }, + "/dev/hugepages": { + "available": "0 bytes", + "available_bytes": 0, + "capacity": "100%", + "device": "hugetlbfs", + "filesystem": "hugetlbfs", + "options": [ + "rw", + "seclabel", + "relatime" + ], + "size": "0 bytes", + "size_bytes": 0, + "used": "0 bytes", + "used_bytes": 0 + }, + "/dev/mqueue": { + "available": "0 bytes", + "available_bytes": 0, + "capacity": "100%", + "device": "mqueue", + "filesystem": "mqueue", + "options": [ + "rw", + "seclabel", + "relatime" + ], + "size": "0 bytes", + "size_bytes": 0, + "used": "0 bytes", + "used_bytes": 0 + }, + "/dev/pts": { + "available": "0 bytes", + "available_bytes": 0, + "capacity": "100%", + "device": "devpts", + "filesystem": "devpts", + "options": [ + "rw", + "seclabel", + "nosuid", + "noexec", + "relatime", + "gid=5", + "mode=620", + "ptmxmode=000" + ], + "size": "0 bytes", + "size_bytes": 0, + "used": "0 bytes", + "used_bytes": 0 + }, + "/dev/shm": { + "available": "919.11 MiB", + "available_bytes": 963756032, + "capacity": "0%", + "device": "tmpfs", + "filesystem": "tmpfs", + "options": [ + "rw", + "seclabel", + 
"nosuid", + "nodev" + ], + "size": "919.11 MiB", + "size_bytes": 963756032, + "used": "0 bytes", + "used_bytes": 0 + }, + "/run": { + "available": "902.70 MiB", + "available_bytes": 946548736, + "capacity": "1.79%", + "device": "tmpfs", + "filesystem": "tmpfs", + "options": [ + "rw", + "seclabel", + "nosuid", + "nodev", + "mode=755" + ], + "size": "919.11 MiB", + "size_bytes": 963756032, + "used": "16.41 MiB", + "used_bytes": 17207296 + }, + "/run/user/1000": { + "available": "183.82 MiB", + "available_bytes": 192753664, + "capacity": "0%", + "device": "tmpfs", + "filesystem": "tmpfs", + "options": [ + "rw", + "seclabel", + "nosuid", + "nodev", + "relatime", + "size=188236k", + "mode=700", + "uid=1000", + "gid=1000" + ], + "size": "183.82 MiB", + "size_bytes": 192753664, + "used": "0 bytes", + "used_bytes": 0 + }, + "/sys/fs/cgroup": { + "available": "919.11 MiB", + "available_bytes": 963756032, + "capacity": "0%", + "device": "tmpfs", + "filesystem": "tmpfs", + "options": [ + "ro", + "seclabel", + "nosuid", + "nodev", + "noexec", + "mode=755" + ], + "size": "919.11 MiB", + "size_bytes": 963756032, + "used": "0 bytes", + "used_bytes": 0 + }, + "/var/lib/nfs/rpc_pipefs": { + "available": "0 bytes", + "available_bytes": 0, + "capacity": "100%", + "device": "rpc_pipefs", + "filesystem": "rpc_pipefs", + "options": [ + "rw", + "relatime" + ], + "size": "0 bytes", + "size_bytes": 0, + "used": "0 bytes", + "used_bytes": 0 + } + }, + "mtu_eth0": 1500, + "mtu_lo": 65536, + "mysql_server_id": 17237197, + "netmask": "255.255.255.0", + "netmask_eth0": "255.255.255.0", + "netmask_lo": "255.0.0.0", + "network": "192.168.0.0", + "network_eth0": "192.168.0.0", + "network_lo": "127.0.0.0", + "networking": { + "dhcp": "192.168.0.10", + "domain": "somedomain.info", + "fqdn": "centos7.somedomain.info", + "hostname": "centos7", + "interfaces": { + "eth0": { + "bindings": [ + { + "address": "192.168.0.2", + "netmask": "255.255.255.0", + "network": "192.168.0.0" + } + ], + "dhcp": 
"192.168.0.10", + "ip": "192.168.0.2", + "mac": "fa:16:3e:ee:90:cd", + "mtu": 1500, + "netmask": "255.255.255.0", + "network": "192.168.0.0" + }, + "lo": { + "bindings": [ + { + "address": "127.0.0.1", + "netmask": "255.0.0.0", + "network": "127.0.0.0" + } + ], + "ip": "127.0.0.1", + "mtu": 65536, + "netmask": "255.0.0.0", + "network": "127.0.0.0" + } + }, + "ip": "192.168.0.2", + "mac": "fa:16:3e:ee:90:cd", + "mtu": 1500, + "netmask": "255.255.255.0", + "network": "192.168.0.0", + "primary": "eth0" + }, + "operatingsystem": "CentOS", + "operatingsystemmajrelease": "7", + "operatingsystemrelease": "7.6.1810", + "os": { + "architecture": "x86_64", + "family": "RedHat", + "hardware": "x86_64", + "name": "CentOS", + "release": { + "full": "7.6.1810", + "major": "7", + "minor": "6" + }, + "selinux": { + "config_mode": "enforcing", + "config_policy": "targeted", + "current_mode": "enforcing", + "enabled": true, + "enforced": true, + "policy_version": "31" + } + }, + "osfamily": "RedHat", + "package_provider": "yum", + "partitions": { + "/dev/vda1": { + "filesystem": "xfs", + "mount": "/", + "size": "8.00 GiB", + "size_bytes": 8588886016, + "uuid": "f41e390f-835b-4223-a9bb-9b45984ddf8d" + } + }, + "path": "/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/puppetlabs/bin:/root/bin", + "pe_concat_basedir": "/opt/puppetlabs/puppet/cache/pe_concat", + "pe_razor_server_version": "package pe-razor-server is not installed", + "physicalprocessorcount": 1, + "platform_symlink_writable": true, + "platform_tag": "el-7-x86_64", + "powershell_version": 0, + "processor0": "Intel Core Processor (Haswell)", + "processorcount": 1, + "processors": { + "count": 1, + "isa": "x86_64", + "models": [ + "Intel Core Processor (Haswell)" + ], + "physicalcount": 1 + }, + "productname": "OpenStack Nova", + "puppet_environmentpath": "/etc/puppetlabs/code/environments", + "puppet_files_dir_present": false, + "puppet_inventory_metadata": { + "packages": { + "collection_enabled": false, 
+ "last_collection_time": "0.0s" + } + }, + "puppet_server": "rampup-test-master.somedomain.info", + "puppet_vardir": "/opt/puppetlabs/puppet/cache", + "puppetversion": "6.4.3", + "retrieve_system_users": "root,bin,daemon,adm,lp,sync,shutdown,halt,mail,operator,games,ftp,nobody,systemd-network,dbus,polkitd,rpc,rpcuser,sshd,postfix,chrony", + "root_home": "/root", + "ruby": { + "platform": "x86_64-linux", + "sitedir": "/opt/puppetlabs/puppet/lib/ruby/site_ruby/2.5.0", + "version": "2.5.3" + }, + "rubyplatform": "x86_64-linux", + "rubysitedir": "/opt/puppetlabs/puppet/lib/ruby/site_ruby/2.5.0", + "rubyversion": "2.5.3", + "selinux": true, + "selinux_config_mode": "enforcing", + "selinux_config_policy": "targeted", + "selinux_current_mode": "enforcing", + "selinux_enforced": true, + "selinux_policyversion": "31", + "serialnumber": "3c2513f4-b791-4ce7-9b2f-558c71093ec7", + "service_provider": "systemd", + "should_install_shiro_ini": true, + "ssh": { + "ecdsa": { + "fingerprints": { + "sha1": "SSHFP 3 1 2fe85de6459487dc3ab85f5995a6d5e8958f565f", + "sha256": "SSHFP 3 2 0fa1224c2453f230b076433dd42b5f5a862a862bc508c594ebb348bbc1deefc0" + }, + "key": "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKzZbfdqsDgzsxWqTmcEPWoZdo4sYZWPOCB6/4J5kdJDlBxZvOzn3doBXo1QiTHkK9a5TEqwUKkFoWJbwRgqpxM=", + "type": "ecdsa-sha2-nistp256" + }, + "ed25519": { + "fingerprints": { + "sha1": "SSHFP 4 1 1e0256cc498990e4d80d6a2b39fd4808a458efe3", + "sha256": "SSHFP 4 2 f0cc3e18b108026d598d67aa6dbb226e6eb73aa172d27a9d7ac5b580c5ea5402" + }, + "key": "AAAAC3NzaC1lZDI1NTE5AAAAIARKGmVDn4GWu7g/LOEZQ3Bonlc3l2rfWHUTq2+dI1lH", + "type": "ssh-ed25519" + }, + "rsa": { + "fingerprints": { + "sha1": "SSHFP 1 1 e8667b8ae1174e1d7f0c0c47af3afd776b021dbe", + "sha256": "SSHFP 1 2 51689e30a5e077d3143b85acf31c5cb0aec78a0722883de3b51180034a43af63" + }, + "key": 
"AAAAB3NzaC1yc2EAAAADAQABAAABAQCsaoFsStAo0xJdOWveTYg/PF98PxHMu8vtbP8041saU6D8X7Ero/M1lTfL+oSjHaCbGe9zjoOm9NLnKd0Qfbxaol5oHqmsfi+0C5iITD4U9ELvy2OBb8qtSqsDeterJ4OuQpxllDNVQaenMw+iYdHQh3BzAdbqTyxWveXE64JJJPYUfUd6tj0rVeDuRe2+Vf2H128agAqwwgjH0ueUaWk6EWAkAN788H92uUNrbq0VLUhWUHy9jGmI/mI+NfwYFO+NA3eAMeJMSZnN4E8FUrtoZDaFZsOs7BoEtcdJSKbQR156wdkUz69l0v1FY9T5x38+JjE4wjEU1ifd5pJJQozl", + "type": "ssh-rsa" + } + }, + "ssh_client_version_full": "7.4p1", + "ssh_server_version_full": "7.4p1", + "ssh_server_version_major": "7", + "ssh_server_version_release": "7.4", + "sshecdsakey": "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKzZbfdqsDgzsxWqTmcEPWoZdo4sYZWPOCB6/4J5kdJDlBxZvOzn3doBXo1QiTHkK9a5TEqwUKkFoWJbwRgqpxM=", + "sshed25519key": "AAAAC3NzaC1lZDI1NTE5AAAAIARKGmVDn4GWu7g/LOEZQ3Bonlc3l2rfWHUTq2+dI1lH", + "sshfp_ecdsa": "SSHFP 3 1 2fe85de6459487dc3ab85f5995a6d5e8958f565f\nSSHFP 3 2 0fa1224c2453f230b076433dd42b5f5a862a862bc508c594ebb348bbc1deefc0", + "sshfp_ed25519": "SSHFP 4 1 1e0256cc498990e4d80d6a2b39fd4808a458efe3\nSSHFP 4 2 f0cc3e18b108026d598d67aa6dbb226e6eb73aa172d27a9d7ac5b580c5ea5402", + "sshfp_rsa": "SSHFP 1 1 e8667b8ae1174e1d7f0c0c47af3afd776b021dbe\nSSHFP 1 2 51689e30a5e077d3143b85acf31c5cb0aec78a0722883de3b51180034a43af63", + "sshrsakey": "AAAAB3NzaC1yc2EAAAADAQABAAABAQCsaoFsStAo0xJdOWveTYg/PF98PxHMu8vtbP8041saU6D8X7Ero/M1lTfL+oSjHaCbGe9zjoOm9NLnKd0Qfbxaol5oHqmsfi+0C5iITD4U9ELvy2OBb8qtSqsDeterJ4OuQpxllDNVQaenMw+iYdHQh3BzAdbqTyxWveXE64JJJPYUfUd6tj0rVeDuRe2+Vf2H128agAqwwgjH0ueUaWk6EWAkAN788H92uUNrbq0VLUhWUHy9jGmI/mI+NfwYFO+NA3eAMeJMSZnN4E8FUrtoZDaFZsOs7BoEtcdJSKbQR156wdkUz69l0v1FY9T5x38+JjE4wjEU1ifd5pJJQozl", + "staging_http_get": "curl", + "system_uptime": { + "days": 0, + "hours": 1, + "seconds": 6872, + "uptime": "1:54 hours" + }, + "timezone": "UTC", + "uptime": "1:54 hours", + "uptime_days": 0, + "uptime_hours": 1, + "uptime_seconds": 6872, + "uuid": "F037E492-B099-4C5F-9D71-983D102E9AEB", + "virtual": "kvm", + "windows_java_temp": "\\tmp", + "clientcert": 
"centos7.somedomain.info", + "clientversion": "6.4.3", + "clientnoop": false + }, + "timestamp": "2019-09-06T15:32:06.821290011+00:00", + "expiration": "2019-09-06T16:02:06.822101814+00:00" + } diff --git a/spec/factsets/Windows_Server-2012r2-64.json b/spec/factsets/Windows_Server-2012r2-64.json index 63ed8d804..ec7fbdf87 100644 --- a/spec/factsets/Windows_Server-2012r2-64.json +++ b/spec/factsets/Windows_Server-2012r2-64.json @@ -1,5 +1,11 @@ { "name": "win-e5k8tm30719", + "trusted": { + "pp_role": "agent", + "pp_service": "puppet", + "pp_product": "puppet", + "pp_preshared_key": "Somekey" + }, "values": { "agent_specified_environment": "production", "architecture": "x64", diff --git a/spec/factsets/osx-10.13-x86_64.json b/spec/factsets/osx-10.13-x86_64.json index 7a00e7941..b99d84ec4 100644 --- a/spec/factsets/osx-10.13-x86_64.json +++ b/spec/factsets/osx-10.13-x86_64.json @@ -1,5 +1,11 @@ { "name": "something-c02nfmkgg3qh", + "trusted": { + "pp_role": "agent", + "pp_service": "puppet", + "pp_product": "puppet", + "pp_preshared_key": "Somekey" + }, "values": { "puppetversion": "6.0.4", "agent_specified_environment": "production", diff --git a/spec/factsets/solaris-11.2-sparc-64.json b/spec/factsets/solaris-11.2-sparc-64.json new file mode 100644 index 000000000..9d2eec977 --- /dev/null +++ b/spec/factsets/solaris-11.2-sparc-64.json 
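Review bot: The new spec/factsets/CentOS-7.0_76.json reads like an unscrubbed capture of a running host rather than a synthetic fixture. `ec2_metadata.public-keys` carries a user's `ssh-rsa` public key, the SSH host keys, serial number, UUID, MAC address and `puppet_server` name are all present, and the `timestamp` falls on the commit date. None of these values is a secret, but together they fingerprint a real machine and the user key can be tied to an account. Replacing them with obviously fake values, or dropping `ec2_metadata` and the `ssh*` facts if no spec reads them, keeps the fixture usable without publishing them. The `trusted` block added here and in the CentOS-6, Windows, OS X and Solaris factsets sets `"pp_preshared_key": "Somekey"`, which is fine as long as it stays a placeholder that matches no real key.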
@@ -0,0 +1,780 @@ +{ + "name": "solaris-11_2-sparc-t4-64.puppet.example", + "trusted": { + "pp_role": "agent", + "pp_service": "puppet", + "pp_product": "puppet", + "pp_preshared_key": "Somekey" + }, + "values": { + "aio_agent_build": "1.4.2", + "aio_agent_version": "1.4.2", + "architecture": "sun4v", + "augeas": { + "version": "1.4.0" + }, + "augeasversion": "1.4.0", + "blockdevice_sd4_size": -1168154624, + "blockdevice_sd4_vendor": "HITACHI", + "blockdevice_sd5_size": -647710720, + "blockdevice_sd5_vendor": "HITACHI", + "blockdevice_sd6_size": 0, + "blockdevice_sd6_vendor": "AMI", + "blockdevice_sd7_size": 0, + "blockdevice_sd7_vendor": "TEAC", + "blockdevice_sd8_size": -1168154624, + "blockdevice_sd8_vendor": "HITACHI", + "blockdevice_sd9_size": -647710720, + "blockdevice_sd9_vendor": "HITACHI", + "blockdevices": "sd4,sd5,sd8,sd9,sd7,sd6", + "custom_auth_conf": false, + "dhcp_servers": { + "net0": "10.32.22.10", + "system": "10.32.22.10" + }, + "disks": { + "sd4": { + "product": "H109060SESUN600GRevision", + "size": "558.91 GiB", + "size_bytes": -1168154624, + "vendor": "HITACHI" + }, + "sd5": { + "product": "H109030SESUN300GRevision", + "size": "279.40 GiB", + "size_bytes": -647710720, + "vendor": "HITACHI" + }, + "sd6": { + "product": "Virtual CDROM Revision", + "size": "0 bytes", + "size_bytes": 0, + "vendor": "AMI" + }, + "sd7": { + "product": "DV-W28SS-W Revision", + "size": "0 bytes", + "size_bytes": 0, + "vendor": "TEAC" + }, + "sd8": { + "product": "H109060SESUN600GRevision", + "size": "558.91 GiB", + "size_bytes": -1168154624, + "vendor": "HITACHI" + }, + "sd9": { + "product": "H109030SESUN300GRevision", + "size": "279.40 GiB", + "size_bytes": -647710720, + "vendor": "HITACHI" + } + }, + "dmi": { + "manufacturer": "Oracle Corporation" + }, + "domain": "puppet.example", + "facterversion": "3.1.6", + "fqdn": "solaris-11_2-sparc-t4-64.puppet.example", + "gid": "root", + "hardwareisa": "sparc", + "hardwaremodel": "sun4v", + "hostname": 
"solaris-11_2-sparc-t4-64", + "id": "root", + "identity": { + "gid": 0, + "group": "root", + "uid": 0, + "user": "root" + }, + "interfaces": "lo0,net0", + "ipaddress": "10.32.77.68", + "ipaddress_lo0": "127.0.0.1", + "ipaddress_net0": "10.32.77.68", + "is_pe": false, + "is_virtual": true, + "kernel": "SunOS", + "kernelmajversion": "11", + "kernelrelease": "5.11", + "kernelversion": "11.2", + "load_averages": { + "15m": 1.0234375, + "1m": 1.21875, + "5m": 1.28125 + }, + "macaddress": "02:08:20:41:26:8c", + "macaddress_net0": "02:08:20:41:26:8c", + "manufacturer": "Oracle Corporation", + "memory": { + "swap": { + "available": "4.00 GiB", + "available_bytes": -8192, + "capacity": "0%", + "total": "4.00 GiB", + "total_bytes": -8192, + "used": "0 bytes", + "used_bytes": 0 + }, + "system": { + "available": "2.34 GiB", + "available_bytes": -1777401856, + "capacity": "84.80%", + "total": "15.43 GiB", + "total_bytes": -611737600, + "used": "13.09 GiB", + "used_bytes": 1165664256 + } + }, + "memoryfree": "2.34 GiB", + "memoryfree_mb": 2400.9375, + "memorysize": "15.43 GiB", + "memorysize_mb": 15800.6015625, + "mountpoints": { + "/": { + "available": "475.29 GiB", + "available_bytes": -757564928, + "capacity": "0.18%", + "device": "rpool/ROOT/solaris-0", + "filesystem": "zfs", + "options": [ + "rw", + "nodevices", + "setuid", + "nonbmand", + "exec", + "rstchown", + "xattr", + "atime", + "mountpoint=/zones/cisparc/root/", + "zone=cisparc", + "nozonemod", + "sharezone=38", + "dev=495017b" + ], + "size": "476.16 GiB", + "size_bytes": 175171072, + "used": "889.53 MiB", + "used_bytes": 932736000 + }, + "/dev": { + "available": "0 bytes", + "available_bytes": 0, + "capacity": "100%", + "device": "/dev", + "filesystem": "dev", + "options": [ + "zone=cisparc", + "nozonemod", + "sharezone=38", + "dev=8e0001c" + ], + "size": "0 bytes", + "size_bytes": 0, + "used": "0 bytes", + "used_bytes": 0 + }, + "/dev/fd": { + "available": "0 bytes", + "available_bytes": 0, + "capacity": "100%", + 
"device": "fd", + "filesystem": "fd", + "options": [ + "rw", + "nodevices", + "rstchown", + "zone=cisparc", + "sharezone=38", + "dev=9040027" + ], + "size": "0 bytes", + "size_bytes": 0, + "used": "0 bytes", + "used_bytes": 0 + }, + "/etc/dfs/sharetab": { + "available": "0 bytes", + "available_bytes": 0, + "capacity": "100%", + "device": "sharefs", + "filesystem": "sharefs", + "options": [ + "nodevices", + "rstchown", + "zone=cisparc", + "sharezone=38", + "dev=8f40016" + ], + "size": "0 bytes", + "size_bytes": 0, + "used": "0 bytes", + "used_bytes": 0 + }, + "/etc/mnttab": { + "available": "0 bytes", + "available_bytes": 0, + "capacity": "100%", + "device": "mnttab", + "filesystem": "mntfs", + "options": [ + "nodevices", + "rstchown", + "zone=cisparc", + "sharezone=38", + "dev=8e80027" + ], + "size": "0 bytes", + "size_bytes": 0, + "used": "0 bytes", + "used_bytes": 0 + }, + "/export": { + "available": "475.29 GiB", + "available_bytes": -757564928, + "capacity": "0.00%", + "device": "rpool/export", + "filesystem": "zfs", + "options": [ + "rw", + "nodevices", + "setuid", + "nonbmand", + "exec", + "rstchown", + "xattr", + "atime", + "zone=cisparc", + "sharezone=38", + "dev=495017f" + ], + "size": "475.29 GiB", + "size_bytes": -757532160, + "used": "32.00 KiB", + "used_bytes": 32768 + }, + "/export/home": { + "available": "475.29 GiB", + "available_bytes": -757564928, + "capacity": "0.00%", + "device": "rpool/export/home", + "filesystem": "zfs", + "options": [ + "rw", + "nodevices", + "setuid", + "nonbmand", + "exec", + "rstchown", + "xattr", + "atime", + "zone=cisparc", + "sharezone=38", + "dev=4950180" + ], + "size": "475.29 GiB", + "size_bytes": -757533184, + "used": "31.00 KiB", + "used_bytes": 31744 + }, + "/proc": { + "available": "0 bytes", + "available_bytes": 0, + "capacity": "100%", + "device": "proc", + "filesystem": "proc", + "options": [ + "nodevices", + "rstchown", + "zone=cisparc", + "sharezone=38", + "dev=8dc0026" + ], + "size": "0 bytes", + 
"size_bytes": 0, + "used": "0 bytes", + "used_bytes": 0 + }, + "/rpool": { + "available": "475.29 GiB", + "available_bytes": -757564928, + "capacity": "0.00%", + "device": "rpool", + "filesystem": "zfs", + "options": [ + "rw", + "nodevices", + "setuid", + "nonbmand", + "exec", + "rstchown", + "xattr", + "atime", + "zone=cisparc", + "sharezone=38", + "dev=4950181" + ], + "size": "475.29 GiB", + "size_bytes": -757533184, + "used": "31.00 KiB", + "used_bytes": 31744 + }, + "/system/contract": { + "available": "0 bytes", + "available_bytes": 0, + "capacity": "100%", + "device": "ctfs", + "filesystem": "ctfs", + "options": [ + "nodevices", + "rstchown", + "zone=cisparc", + "sharezone=38", + "dev=8e40027" + ], + "size": "0 bytes", + "size_bytes": 0, + "used": "0 bytes", + "used_bytes": 0 + }, + "/system/object": { + "available": "0 bytes", + "available_bytes": 0, + "capacity": "100%", + "device": "objfs", + "filesystem": "objfs", + "options": [ + "nodevices", + "rstchown", + "zone=cisparc", + "sharezone=38", + "dev=8f00027" + ], + "size": "0 bytes", + "size_bytes": 0, + "used": "0 bytes", + "used_bytes": 0 + }, + "/system/volatile": { + "available": "4.53 GiB", + "available_bytes": 571752448, + "capacity": "0.01%", + "device": "swap", + "filesystem": "tmpfs", + "options": [ + "nodevices", + "rstchown", + "xattr", + "zone=cisparc", + "sharezone=38", + "dev=8ec004d" + ], + "size": "4.53 GiB", + "size_bytes": 572342272, + "used": "576.00 KiB", + "used_bytes": 589824 + }, + "/tmp": { + "available": "4.53 GiB", + "available_bytes": 571752448, + "capacity": "0.95%", + "device": "swap", + "filesystem": "tmpfs", + "options": [ + "nodevices", + "rstchown", + "xattr", + "zone=cisparc", + "sharezone=38", + "dev=8ec004e" + ], + "size": "4.58 GiB", + "size_bytes": 618414080, + "used": "44.50 MiB", + "used_bytes": 46661632 + }, + "/var": { + "available": "475.29 GiB", + "available_bytes": -757564928, + "capacity": "0.05%", + "device": "rpool/ROOT/solaris-0/var", + "filesystem": "zfs", 
+ "options": [ + "rw", + "nodevices", + "setuid", + "nonbmand", + "exec", + "rstchown", + "xattr", + "atime", + "mountpoint=/zones/cisparc/root/var", + "zone=cisparc", + "nozonemod", + "sharezone=38", + "dev=495017d" + ], + "size": "475.51 GiB", + "size_bytes": -521269760, + "used": "225.35 MiB", + "used_bytes": 236295168 + }, + "/var/share": { + "available": "475.29 GiB", + "available_bytes": -757564928, + "capacity": "0.00%", + "device": "rpool/VARSHARE", + "filesystem": "zfs", + "options": [ + "rw", + "nodevices", + "setuid", + "nonbmand", + "exec", + "rstchown", + "xattr", + "atime", + "zone=cisparc", + "sharezone=38", + "dev=495017e" + ], + "size": "475.30 GiB", + "size_bytes": -756610048, + "used": "932.50 KiB", + "used_bytes": 954880 + }, + "/var/share/pkg": { + "available": "475.29 GiB", + "available_bytes": -757564928, + "capacity": "0.00%", + "device": "rpool/VARSHARE/pkg", + "filesystem": "zfs", + "options": [ + "rw", + "nodevices", + "setuid", + "nonbmand", + "exec", + "rstchown", + "xattr", + "atime", + "zone=cisparc", + "sharezone=38", + "dev=4950182" + ], + "size": "475.29 GiB", + "size_bytes": -757532160, + "used": "32.00 KiB", + "used_bytes": 32768 + }, + "/var/share/pkg/repositories": { + "available": "475.29 GiB", + "available_bytes": -757564928, + "capacity": "0.00%", + "device": "rpool/VARSHARE/pkg/repositories", + "filesystem": "zfs", + "options": [ + "rw", + "nodevices", + "setuid", + "nonbmand", + "exec", + "rstchown", + "xattr", + "atime", + "zone=cisparc", + "sharezone=38", + "dev=4950183" + ], + "size": "475.29 GiB", + "size_bytes": -757533184, + "used": "31.00 KiB", + "used_bytes": 31744 + } + }, + "mtu_lo0": 8232, + "mtu_net0": 1500, + "netmask": "255.255.255.0", + "netmask_lo0": "255.0.0.0", + "netmask_net0": "255.255.255.0", + "network": "10.32.77.0", + "network_lo0": "127.0.0.0", + "network_net0": "10.32.77.0", + "networking": { + "dhcp": "10.32.22.10", + "domain": "puppet.example", + "fqdn": 
"solaris-11_2-sparc-t4-64.puppet.example", + "hostname": "solaris-11_2-sparc-t4-64", + "interfaces": { + "lo0": { + "bindings": [ + { + "address": "127.0.0.1", + "netmask": "255.0.0.0", + "network": "127.0.0.0" + } + ], + "ip": "127.0.0.1", + "mtu": 8232, + "netmask": "255.0.0.0", + "network": "127.0.0.0" + }, + "net0": { + "bindings": [ + { + "address": "10.32.77.68", + "netmask": "255.255.255.0", + "network": "10.32.77.0" + } + ], + "dhcp": "10.32.22.10", + "ip": "10.32.77.68", + "mac": "02:08:20:41:26:8c", + "mtu": 1500, + "netmask": "255.255.255.0", + "network": "10.32.77.0" + } + }, + "ip": "10.32.77.68", + "mac": "02:08:20:41:26:8c", + "mtu": 1500, + "netmask": "255.255.255.0", + "network": "10.32.77.0", + "primary": "net0" + }, + "operatingsystem": "Solaris", + "operatingsystemmajrelease": "11", + "operatingsystemrelease": "11.2", + "os": { + "architecture": "sun4v", + "family": "Solaris", + "hardware": "sun4v", + "name": "Solaris", + "release": { + "full": "11.2", + "major": "11", + "minor": "2" + } + }, + "osfamily": "Solaris", + "path": "PATH:/opt/puppetlabs/bin:/usr/sbin:/usr/bin:/sbin", + "pe_concat_basedir": "/opt/puppetlabs/puppet/cache/pe_concat", + "physicalprocessorcount": 1, + "platform_symlink_writable": true, + "platform_tag": "solaris-11-sparc", + "processor0": "SPARC-T4", + "processor1": "SPARC-T4", + "processor10": "SPARC-T4", + "processor11": "SPARC-T4", + "processor12": "SPARC-T4", + "processor13": "SPARC-T4", + "processor14": "SPARC-T4", + "processor15": "SPARC-T4", + "processor16": "SPARC-T4", + "processor17": "SPARC-T4", + "processor18": "SPARC-T4", + "processor19": "SPARC-T4", + "processor2": "SPARC-T4", + "processor20": "SPARC-T4", + "processor21": "SPARC-T4", + "processor22": "SPARC-T4", + "processor23": "SPARC-T4", + "processor24": "SPARC-T4", + "processor25": "SPARC-T4", + "processor26": "SPARC-T4", + "processor27": "SPARC-T4", + "processor28": "SPARC-T4", + "processor29": "SPARC-T4", + "processor3": "SPARC-T4", + "processor30": 
"SPARC-T4", + "processor31": "SPARC-T4", + "processor32": "SPARC-T4", + "processor33": "SPARC-T4", + "processor34": "SPARC-T4", + "processor35": "SPARC-T4", + "processor36": "SPARC-T4", + "processor37": "SPARC-T4", + "processor38": "SPARC-T4", + "processor39": "SPARC-T4", + "processor4": "SPARC-T4", + "processor40": "SPARC-T4", + "processor41": "SPARC-T4", + "processor42": "SPARC-T4", + "processor43": "SPARC-T4", + "processor44": "SPARC-T4", + "processor45": "SPARC-T4", + "processor46": "SPARC-T4", + "processor47": "SPARC-T4", + "processor48": "SPARC-T4", + "processor49": "SPARC-T4", + "processor5": "SPARC-T4", + "processor50": "SPARC-T4", + "processor51": "SPARC-T4", + "processor52": "SPARC-T4", + "processor53": "SPARC-T4", + "processor54": "SPARC-T4", + "processor55": "SPARC-T4", + "processor56": "SPARC-T4", + "processor57": "SPARC-T4", + "processor58": "SPARC-T4", + "processor59": "SPARC-T4", + "processor6": "SPARC-T4", + "processor60": "SPARC-T4", + "processor61": "SPARC-T4", + "processor62": "SPARC-T4", + "processor63": "SPARC-T4", + "processor7": "SPARC-T4", + "processor8": "SPARC-T4", + "processor9": "SPARC-T4", + "processorcount": 64, + "processors": { + "count": 64, + "isa": "sparc", + "models": [ + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + 
"SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4", + "SPARC-T4" + ], + "physicalcount": 1, + "speed": "2.85 GHz" + }, + "puppet_files_dir_present": false, + "puppetversion": "4.4.2", + "ruby": { + "platform": "sparc-solaris2.11", + "sitedir": "/opt/puppetlabs/puppet/lib/ruby/site_ruby/2.1.0", + "version": "2.1.8" + }, + "rubyplatform": "sparc-solaris2.11", + "rubysitedir": "/opt/puppetlabs/puppet/lib/ruby/site_ruby/2.1.0", + "rubyversion": "2.1.8", + "solaris_zones": { + "current": "cisparc", + "zones": { + "cisparc": { + "brand": "solaris", + "id": "38", + "ip_type": "excl", + "path": "/", + "status": "running", + "uuid": "9903e75b-f048-4e38-83b3-977cde7b3782" + } + } + }, + "ssh": { + "dsa": { + "fingerprints": { + "sha1": "SSHFP 2 1 db349d276f0d3465ddf320d4f39d91349f1b576f", + "sha256": "SSHFP 2 2 b8e58d26d36f2ce088034a1ce3be70b03ef404671f0c6ed3256152af9c9ad607" + }, + "key": "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" + }, + "rsa": { + "fingerprints": { + "sha1": "SSHFP 1 1 865be76b66792c0d98006a6ed5227f19f8241cf3", + "sha256": "SSHFP 1 2 c74d9f97237b06070909f30fbb68afbe0943450a8ea3d1b85fb16db53441a824" + }, + "key": "AAAAB3NzaC1yc2EAAAABIwAAAQEA8bZpHkHvgZEBhn7qlupS61DjwXYOnTVFuaOaDI6eesXxU1yDJfEqO1eHp6YF6x5gmM/mDyfFU9hixMmH9yLRgi2/QUhoYa44z8NB3EBaHxFtLQLnoFTGq/VR5xZ+pyBcbwUswvDel3OfXTcepmT6lWLCBRLOfYTc6hzwRCfyrWgdVc3kruu9hh9pKIWFEyUUztHWuR7+akNH3nD+EcqsmuMowEzzssWC8msWnAX89geFPuhilAgz7Qcc1bJZUaWGgOzyaZKn3IVNNa3grOWzgKDE6gdLMefnk0dgndtIbB1E9iY1syosQCrBIiEfMMGEBjrDstcNKs+Ge8stRljjMw==" + } + }, + "sshdsakey": "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", + "sshfp_dsa": "SSHFP 2 1 db349d276f0d3465ddf320d4f39d91349f1b576f\nSSHFP 2 2 b8e58d26d36f2ce088034a1ce3be70b03ef404671f0c6ed3256152af9c9ad607", + "sshfp_rsa": "SSHFP 1 1 865be76b66792c0d98006a6ed5227f19f8241cf3\nSSHFP 1 2 c74d9f97237b06070909f30fbb68afbe0943450a8ea3d1b85fb16db53441a824", + "sshrsakey": 
"AAAAB3NzaC1yc2EAAAABIwAAAQEA8bZpHkHvgZEBhn7qlupS61DjwXYOnTVFuaOaDI6eesXxU1yDJfEqO1eHp6YF6x5gmM/mDyfFU9hixMmH9yLRgi2/QUhoYa44z8NB3EBaHxFtLQLnoFTGq/VR5xZ+pyBcbwUswvDel3OfXTcepmT6lWLCBRLOfYTc6hzwRCfyrWgdVc3kruu9hh9pKIWFEyUUztHWuR7+akNH3nD+EcqsmuMowEzzssWC8msWnAX89geFPuhilAgz7Qcc1bJZUaWGgOzyaZKn3IVNNa3grOWzgKDE6gdLMefnk0dgndtIbB1E9iY1syosQCrBIiEfMMGEBjrDstcNKs+Ge8stRljjMw==", + "staging_http_get": "curl", + "swapfree": "4.00 GiB", + "swapfree_mb": 4095.9921875, + "swapsize": "4.00 GiB", + "swapsize_mb": 4095.9921875, + "system_uptime": { + "days": 2, + "hours": 62, + "seconds": 225780, + "uptime": "2 days" + }, + "timezone": "PDT", + "uptime": "2 days", + "uptime_days": 2, + "uptime_hours": 62, + "uptime_seconds": 225780, + "virtual": "zone", + "zfs_featurenumbers": "1,2,3,4,5,6", + "zfs_version": "6", + "zone_cisparc_brand": "solaris", + "zone_cisparc_id": "38", + "zone_cisparc_iptype": "excl", + "zone_cisparc_name": "cisparc", + "zone_cisparc_path": "/", + "zone_cisparc_status": "running", + "zone_cisparc_uuid": "9903e75b-f048-4e38-83b3-977cde7b3782", + "zonename": "cisparc", + "zones": 1, + "zpool_featurenumbers": "1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35", + "zpool_version": "35", + "clientcert": "solaris-11_2-sparc-t4-64.puppet.example", + "clientversion": "4.4.2", + "clientnoop": false + }, + "timestamp": "2016-05-02T09:17:24.513519261-07:00", + "expiration": "2016-05-02T09:47:24.517016904-07:00" +} diff --git a/spec/onceover.yaml b/spec/onceover.yaml index 767c18653..2b55248b4 100644 --- a/spec/onceover.yaml +++ b/spec/onceover.yaml @@ -55,3 +55,7 @@ test_matrix: - 'linux' - 'solaris' tests: 'acceptance' + +opts: + :facts_dirs: + - spec/factsets \ No newline at end of file From 2df65c10e07570c51721399553788e8cc0aba962 Mon Sep 17 00:00:00 2001 
From: Troy Klein Date: Fri, 6 Sep 2019 11:03:17 -0500 Subject: [PATCH 114/134] fix for missing fact --- spec/factsets/CentOS-6.6-64.json | 1 + spec/factsets/CentOS-7.0_76.json | 1 + 2 files changed, 2 insertions(+) diff --git a/spec/factsets/CentOS-6.6-64.json b/spec/factsets/CentOS-6.6-64.json index 488ae7ed8..c70e646b4 100644 --- a/spec/factsets/CentOS-6.6-64.json +++ b/spec/factsets/CentOS-6.6-64.json @@ -69,6 +69,7 @@ "hardwareisa": "x86_64", "hardwaremodel": "x86_64", "homedir": "/root", + "home_users": "/home/centos", "hostname": "centos6a", "id": "root", "identity": { diff --git a/spec/factsets/CentOS-7.0_76.json b/spec/factsets/CentOS-7.0_76.json index f5829e990..3666d757f 100644 --- a/spec/factsets/CentOS-7.0_76.json +++ b/spec/factsets/CentOS-7.0_76.json @@ -58,6 +58,7 @@ "ebs0": "/dev/vda", "root": "/dev/vda" }, + "home_users": "/home/centos", "hostname": "centos7", "instance-action": "none", "instance-id": "i-000085b6", From 247cb1fe117681759e0836568e4905846ca41bd6 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 6 Sep 2019 11:07:47 -0500 Subject: [PATCH 115/134] Fix for tomcat not installed as tomcat user --- site/profile/manifests/app/fastb.pp | 1 + site/profile/manifests/app/haproxy/server.pp | 44 ++++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 site/profile/manifests/app/haproxy/server.pp diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp index ac38f39b5..2e67bd1a2 100644 --- a/site/profile/manifests/app/fastb.pp +++ b/site/profile/manifests/app/fastb.pp @@ -15,6 +15,7 @@ user => $user, group => $group, notify => Tomcat::Service[$service], + require => Class['profile::app::tomcat::webserver'], } } diff --git a/site/profile/manifests/app/haproxy/server.pp b/site/profile/manifests/app/haproxy/server.pp new file mode 100644 index 000000000..342c8ff39 --- /dev/null +++ b/site/profile/manifests/app/haproxy/server.pp 
@@ -0,0 +1,44 @@ +#class for HaProxy services +class profile::app::haproxy::server( + Hash[String, Hash[String, Any]] $listeners = {}, + Hash[String, Hash[String, Any]] $frontends = {}, + Hash[String, Hash[String, Any]] $backends = {}, + Enum['enable', 'disable' ] $admin_stats = 'disable', + Array[Integer] $stats_port = [9090], + String $stats_username = 'puppet', + String $stats_password = 'puppet', +) { + + include haproxy + +class { 'haproxy': + global_options => { + 'log' => "${facts['ipaddress']} local0", + 'chroot' => '/var/lib/haproxy', + 'pidfile' => '/var/run/haproxy.pid', + 'maxconn' => '4000', + 'user' => 'haproxy', + 'group' => 'haproxy', + 'daemon' => '', + 'stats' => 'socket /var/lib/haproxy/stats', + }, + defaults_options => { + 'log' => 'global', + 'stats' => $admin_stats, + 'option' => [ + 'redispatch', + ], + 'retries' => '3', + 'timeout' => [ + 'http-request 10s', + 'queue 1m', + 'connect 10s', + 'client 1m', + 'server 1m', + 'check 10s', + ], + 'maxconn' => '8000', + }, +} + +} From 7e6203bece14b5c3c92191642990f433d7fcf95e Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 6 Sep 2019 11:11:54 -0500 Subject: [PATCH 116/134] fix for webserver --- site/profile/manifests/app/tomcat/webserver.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/site/profile/manifests/app/tomcat/webserver.pp b/site/profile/manifests/app/tomcat/webserver.pp index 268e40523..ffb70e437 100644 --- a/site/profile/manifests/app/tomcat/webserver.pp +++ b/site/profile/manifests/app/tomcat/webserver.pp @@ -18,6 +18,8 @@ tomcat::install { $tomcat_install_path: source_url => $download_url, + user => $user, + group => $group, } tomcat::service { $service: From a0622d3ce5cdec444fe08f9a0fe2401992277297 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 6 Sep 2019 11:14:22 -0500 Subject: [PATCH 117/134] Fix for fastb --- site/profile/manifests/app/fastb.pp | 1 - 1 file changed, 1 deletion(-) 
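Review bot: `$stats_username` and `$stats_password` default to `'puppet'` in the new `profile::app::haproxy::server` signature, so a node with no Hiera value would fall back to a guessable credential pair once these parameters are wired to a stats listener. Drop the defaults (`String $stats_username,` and `String $stats_password,`) so compilation fails when the eyaml-encrypted value is missing. In the body shown, none of `$listeners`, `$frontends`, `$backends`, `$stats_port` or the two stats credentials is referenced, so the class currently configures only global and default options. The body also has both `include haproxy` and `class { 'haproxy': ... }`, which Puppet reports as a duplicate declaration of `Class[Haproxy]`; keep only the resource-like declaration.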
diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp index 2e67bd1a2..ac38f39b5 100644 --- a/site/profile/manifests/app/fastb.pp +++ b/site/profile/manifests/app/fastb.pp @@ -15,7 +15,6 @@ user => $user, group => $group, notify => Tomcat::Service[$service], - require => Class['profile::app::tomcat::webserver'], } } From fc115872310f2aec48e1d472d198d58e2e16e38b Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 6 Sep 2019 11:21:02 -0500 Subject: [PATCH 118/134] set order with contain on tomcat class --- site/profile/manifests/app/fastb.pp | 3 ++- site/profile/manifests/app/tomcat/webserver.pp | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp index ac38f39b5..93a23d64c 100644 --- a/site/profile/manifests/app/fastb.pp +++ b/site/profile/manifests/app/fastb.pp @@ -3,7 +3,7 @@ Stdlib::HTTPSUrl $download_url = 'https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/sureshatt/http-demo.war', String $app_dir = 'fastb', ) { - contain profile::app::tomcat::webserver + require profile::app::tomcat::webserver $user = $profile::app::tomcat::webserver::user $group = $profile::app::tomcat::webserver::group @@ -15,6 +15,7 @@ user => $user, group => $group, notify => Tomcat::Service[$service], + require => Class['Profile::App::Tomcat::Webserver'], } } diff --git a/site/profile/manifests/app/tomcat/webserver.pp b/site/profile/manifests/app/tomcat/webserver.pp index ffb70e437..606eeed5a 100644 --- a/site/profile/manifests/app/tomcat/webserver.pp +++ b/site/profile/manifests/app/tomcat/webserver.pp @@ -28,4 +28,5 @@ } else { fail("download_url not set for ${title}.") } + contain tomcat } From 3b7290d70bbff974983ee2790a0a038b9b3cb4e7 Mon Sep 17 00:00:00 2001 
From: Troy Klein Date: Fri, 6 Sep 2019 11:25:06 -0500 Subject: [PATCH 119/134] fix for fastb --- site/profile/manifests/app/fastb.pp | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp index 93a23d64c..7775ce254 100644 --- a/site/profile/manifests/app/fastb.pp +++ b/site/profile/manifests/app/fastb.pp @@ -5,9 +5,9 @@ ) { require profile::app::tomcat::webserver - $user = $profile::app::tomcat::webserver::user - $group = $profile::app::tomcat::webserver::group - $service = $profile::app::tomcat::webserver::service + $user = $profile::app::tomcat::webserver::user + $group = $profile::app::tomcat::webserver::group + $service = $profile::app::tomcat::webserver::service $catalina_home = $profile::app::tomcat::webserver::tomcat_install_path tomcat::war { 'http-demo.war': @@ -15,7 +15,6 @@ user => $user, group => $group, notify => Tomcat::Service[$service], - require => Class['Profile::App::Tomcat::Webserver'], } } From 4b2264ee832c9974cd09f278e65fc319366afcd2 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 6 Sep 2019 11:29:40 -0500 Subject: [PATCH 120/134] ordering fastb --- site/profile/manifests/app/fastb.pp | 1 - 1 file changed, 1 deletion(-) diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp index 7775ce254..79fa0850c 100644 --- a/site/profile/manifests/app/fastb.pp +++ b/site/profile/manifests/app/fastb.pp @@ -14,7 +14,6 @@ war_source => $download_url, user => $user, group => $group, - notify => Tomcat::Service[$service], } } From 50d90e4509568b4fefbf4b954ece8370be86a1f5 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 6 Sep 2019 11:37:47 -0500 Subject: [PATCH 121/134] Trying to fix onceover --- spec/factsets/CentOS-6.6-64.json | 1 + spec/factsets/CentOS-7.0_76.json | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) 
diff --git a/spec/factsets/CentOS-6.6-64.json b/spec/factsets/CentOS-6.6-64.json index c70e646b4..3abe0a3e8 100644 --- a/spec/factsets/CentOS-6.6-64.json +++ b/spec/factsets/CentOS-6.6-64.json @@ -333,6 +333,7 @@ "seconds": 352, "uptime": "0:05 hours" }, + "system_users": "sshd", "timezone": "UTC", "uptime": "0:05 hours", "uptime_days": 0, diff --git a/spec/factsets/CentOS-7.0_76.json b/spec/factsets/CentOS-7.0_76.json index 3666d757f..8e4f2acd0 100644 --- a/spec/factsets/CentOS-7.0_76.json +++ b/spec/factsets/CentOS-7.0_76.json @@ -58,7 +58,6 @@ "ebs0": "/dev/vda", "root": "/dev/vda" }, - "home_users": "/home/centos", "hostname": "centos7", "instance-action": "none", "instance-id": "i-000085b6", @@ -495,6 +494,7 @@ "seconds": 6872, "uptime": "1:54 hours" }, + "system_users": "sshd", "timezone": "UTC", "uptime": "1:54 hours", "uptime_days": 0, From 703c1f5ebc6125a6dfb45bb9cc7a43d7fd730f12 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 6 Sep 2019 11:44:04 -0500 Subject: [PATCH 122/134] fix for onceover --- spec/factsets/CentOS-6.6-64.json | 2 +- spec/factsets/{CentOS-7.0_76.json => CentOS-7.0-64.json} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename spec/factsets/{CentOS-7.0_76.json => CentOS-7.0-64.json} (100%) diff --git a/spec/factsets/CentOS-6.6-64.json b/spec/factsets/CentOS-6.6-64.json index 3abe0a3e8..8331f6c1a 100644 --- a/spec/factsets/CentOS-6.6-64.json +++ b/spec/factsets/CentOS-6.6-64.json @@ -292,6 +292,7 @@ "puppet_vardir": "/opt/puppetlabs/puppet/cache", "puppetversion": "4.2.1", "root_home": "/root", + "retrieve_system_users": "root,bin,daemon,adm,lp,sync,shutdown,halt,mail,operator,games,ftp,nobody,systemd-network,dbus,polkitd,rpc,rpcuser,sshd,postfix,chrony", "ruby": { "platform": "x86_64-linux", "sitedir": "/opt/puppetlabs/puppet/lib/ruby/site_ruby/2.1.0", @@ -333,7 +334,6 @@ "seconds": 352, "uptime": "0:05 hours" }, - "system_users": "sshd", "timezone": "UTC", "uptime": "0:05 hours", "uptime_days": 0, 
diff --git a/spec/factsets/CentOS-7.0_76.json b/spec/factsets/CentOS-7.0-64.json similarity index 100% rename from spec/factsets/CentOS-7.0_76.json rename to spec/factsets/CentOS-7.0-64.json From 0af2f7f0556bff2a8c217db49a3ab16ceeb42dc4 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 6 Sep 2019 12:50:54 -0500 Subject: [PATCH 123/134] moved to exported resources for mysql_users --- data/to_be_deleted.yaml | 4 +++- site/profile/manifests/app/fastb.pp | 4 ++++ site/profile/manifests/app/mysql/server.pp | 18 ++++-------------- 3 files changed, 11 insertions(+), 15 deletions(-) diff --git a/data/to_be_deleted.yaml b/data/to_be_deleted.yaml index ef744d6b3..2665606e9 100644 --- a/data/to_be_deleted.yaml +++ b/data/to_be_deleted.yaml @@ -196,4 +196,6 @@ profile::app::haproxy::server::stats_password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoII profile::os::baseline::verify_trusted_data::extentions: - 'pp_role' - 'pp_service' - - 'pp_product' \ No newline at end of file + - 'pp_product' + +profile::app::fastb::fastb_db_password::iETraGpZcnRcPiuZGPCytoq3eWkwaWC6vqzudJkvPmu2: ENC[PKCS7,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] \ No newline at end of file diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp index 79fa0850c..467cd3ee5 100644 --- a/site/profile/manifests/app/fastb.pp +++ b/site/profile/manifests/app/fastb.pp @@ -16,4 +16,8 @@ group => $group, } + @@mysql_user { "fastb_db_user@${facts['fqdn']}": + ensure => present, + password_hash => mysql_password(lookup("profile::app::fastb::fastb_db_password::${trusted['extensions']['pp_preshared_key']}")), + } } diff --git a/site/profile/manifests/app/mysql/server.pp b/site/profile/manifests/app/mysql/server.pp index 90d60df5b..b865324a9 100644 --- a/site/profile/manifests/app/mysql/server.pp +++ b/site/profile/manifests/app/mysql/server.pp 
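Review bot: The key added at the end of `data/to_be_deleted.yaml` embeds a `pp_preshared_key` value in clear text as its last segment, while only the password value is eyaml-encrypted. If that certificate extension is treated as a secret anywhere else (for example in an autosigning policy, which is not visible here), it is now readable by anyone with access to the control repository and its history. Prefer a key that does not carry the extension value, such as `profile::app::fastb::fastb_db_password`, selected through a Hiera layer, and add a comment such as `# per-application DB password; do not put trusted extension values in key names`.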
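Review bot: The exported `@@mysql_user` in `fastb.pp` sets no `tag`, yet the collector added to `mysql/server.pp` in the same commit selects on `tag == $tag_for_exported_mysql_users`. The title contains `@`, so it is unlikely to become an automatic tag and the database server would probably collect nothing; add `tag => $trusted['extensions']['pp_preshared_key'],` to the resource. The host part of the account comes from `$facts['fqdn']`, which the agent reports itself; `"fastb_db_user@${trusted['certname']}"` would tie the account to the verified certificate name instead. Exporting also stores the password hash in PuppetDB, so access to PuppetDB queries should be restricted accordingly. The enclosing class starts outside the hunk.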
@@ -17,13 +17,9 @@ } ) assert_type(Hash[String, Any], $lookup_settings) - $lookup_mysql_users = lookup( { 'name' => 'profile::app::mysql::server::mysql_users', - 'merge' => { - 'strategy' => 'deep', - 'knockout_prefix' => '--', - }, - } ) - assert_type(Hash, $lookup_mysql_users) + $tag_for_exported_mysql_users = $trusted['extensions']['pp_preshared_key'] + + assert_type(String, $tag_for_exported_mysql_users) # This will ensure the root_password is of Sensitive datatype to protect the # root_password from showing up in the logs. @@ -45,13 +41,7 @@ contain "mysql::bindings::${binding}" } - $lookup_mysql_users.each |String $username, Hash $user_opts| { - $password_hash = mysql_password(lookup("profile::app::mysql::server::${username}::password")) - mysql_user { $username: - password_hash => $password_hash, - * => $user_opts, - } - } + Mysql_user <<| tag == $tag_for_exported_mysql_users |>> $dbs.each |$dbname, $opts| { mysql::db { $dbname: From 1d2ef6512bb4f810b4b8e8095d92402f749138f7 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 6 Sep 2019 14:00:19 -0500 Subject: [PATCH 124/134] fix for database --- site/profile/manifests/app/mysql/server.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profile/manifests/app/mysql/server.pp b/site/profile/manifests/app/mysql/server.pp index b865324a9..eee74c09a 100644 --- a/site/profile/manifests/app/mysql/server.pp +++ b/site/profile/manifests/app/mysql/server.pp @@ -6,7 +6,7 @@ #Variant[String, Sensitive[String]] $root_password, String $root_password, Array[String] $mysql_bindings = [ 'php' ], - Hash[String, Hash[String, Any]] $dbs = {}, + Hash $dbs = {}, ) { #This will do a lookup to create one large hash from the hiera data $lookup_settings = lookup( { 'name' => 'profile::app::mysql::server::settings', From dc50b7ef926c67ce3eca064940dc73f87de063d0 Mon Sep 17 00:00:00 2001 
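Review bot: Loosening `$dbs` from `Hash[String, Hash[String, Any]]` to a bare `Hash` in the last `server.pp` hunk removes the only check that each entry is a hash before it is splatted into `mysql::db` with `* => $opts` later in the class. If the stricter type rejected real data, relax only what is needed, for example `Hash[String, Hash] $dbs = {},`, so a malformed Hiera entry still fails at the parameter boundary with a clear type error. The class body continues outside the hunk.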
From: Troy Klein Date: Fri, 6 Sep 2019 14:38:29 -0500 Subject: [PATCH 125/134] Try to fix fastb_database --- data/role/fastb_loadbalancer.yaml | 4 ++++ site/profile/manifests/app/mysql/server.pp | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 data/role/fastb_loadbalancer.yaml diff --git a/data/role/fastb_loadbalancer.yaml b/data/role/fastb_loadbalancer.yaml new file mode 100644 index 000000000..55c217f60 --- /dev/null +++ b/data/role/fastb_loadbalancer.yaml @@ -0,0 +1,4 @@ +--- + +profile::os::baseline::verify_trusted_data::extentions: + - 'pp_preshared_key' \ No newline at end of file diff --git a/site/profile/manifests/app/mysql/server.pp b/site/profile/manifests/app/mysql/server.pp index eee74c09a..de3ec0404 100644 --- a/site/profile/manifests/app/mysql/server.pp +++ b/site/profile/manifests/app/mysql/server.pp @@ -43,7 +43,7 @@ Mysql_user <<| tag == $tag_for_exported_mysql_users |>> - $dbs.each |$dbname, $opts| { + $dbs.each |String $dbname, Hash $opts| { mysql::db { $dbname: * => $opts, } From ab489c5e4ee29050895ea7e3f2595a2b95917878 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 6 Sep 2019 14:45:46 -0500 Subject: [PATCH 126/134] fix for Tuple --- site/profile/manifests/app/mysql/server.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profile/manifests/app/mysql/server.pp b/site/profile/manifests/app/mysql/server.pp index de3ec0404..9fdd52541 100644 --- a/site/profile/manifests/app/mysql/server.pp +++ b/site/profile/manifests/app/mysql/server.pp @@ -43,7 +43,7 @@ Mysql_user <<| tag == $tag_for_exported_mysql_users |>> - $dbs.each |String $dbname, Hash $opts| { + $dbs.each |String $dbname, $opts| { mysql::db { $dbname: * => $opts, } From 2ffc244b522af0e6ed5d5f46efe7fc250dcba8e1 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 6 Sep 2019 14:51:28 -0500 Subject: [PATCH 127/134] fix for server --- site/profile/manifests/app/mysql/server.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/site/profile/manifests/app/mysql/server.pp b/site/profile/manifests/app/mysql/server.pp index 9fdd52541..eee74c09a 100644 --- a/site/profile/manifests/app/mysql/server.pp +++ b/site/profile/manifests/app/mysql/server.pp @@ -43,7 +43,7 @@ Mysql_user <<| tag == $tag_for_exported_mysql_users |>> - $dbs.each |String $dbname, $opts| { + $dbs.each |$dbname, $opts| { mysql::db { $dbname: * => $opts, } From 065fb90c6690360d01a60a875f09582073a210d5 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 6 Sep 2019 15:17:51 -0500 Subject: [PATCH 128/134] fix --- data/role/fastb_database.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/data/role/fastb_database.yaml b/data/role/fastb_database.yaml index dc3b20130..77734627e 100644 --- a/data/role/fastb_database.yaml +++ b/data/role/fastb_database.yaml @@ -6,14 +6,14 @@ profile::app::mysql::server::mysql_users: profile::app::mysql::server::fastb_db_user@localhost::password: ENC[PKCS7,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] -profile::app::mysql::server::dbs: - 'fastb_db': - user: 'fastb_db_user' - host: 'localhost' - grant: - - 'SELECT' - - 'UPDATE' - password: ENC[PKCS7,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] +#profile::app::mysql::server::dbs: +# 'fastb_db': +# user: 'fastb_db_user' +# host: 'localhost' +# grant: +# - 'SELECT' +# - 'UPDATE' +# password: ENC[PKCS7,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] profile::os::baseline::verify_trusted_data::extentions: - 'pp_preshared_key' \ No newline at end of file From 59057b0dd5cc98dd22aed94ec26f041d2dcc6eaf Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Fri, 6 Sep 2019 15:27:04 -0500 Subject: [PATCH 129/134] fix --- data/role/fastb_database.yaml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/data/role/fastb_database.yaml b/data/role/fastb_database.yaml index 77734627e..5bce0da64 100644 --- a/data/role/fastb_database.yaml 
+++ b/data/role/fastb_database.yaml @@ -6,14 +6,14 @@ profile::app::mysql::server::mysql_users: profile::app::mysql::server::fastb_db_user@localhost::password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAW555w9viO6soOOVHngrMRv2P+hNn4jBgn4hmXHF0/nvOIvzT7eIwCb+7sdbYbc3BWeEYkHvD+qyj1YUdt3akuAgeYMHdYdajsqU27QOTdERA+Vto2A21gIVyLlRG6x3+fGQAExpzCUiSWE4CEmVawOFCuMibl8FIs337jZrZ5JoEXrLuGXW9lG4EHoMfrNlKzAxQCwDoudhrKcJHtGp3xXJFJ5RV311SlduZeyC/VoYI+eIyxx15C8cvTV08D6dkM9wv1fnkjnqS2Fj5OoKP+fnIoHHxhou/ulMKNBQgH/6I/GpiFZshK8i/y7hptT0qd3n8UVCcfPU0lHdURD4RrzA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAAVeef6a4h7jMgdhdbQbRagBARC9r7oclAgaT/NHx+raTM] -#profile::app::mysql::server::dbs: -# 'fastb_db': -# user: 'fastb_db_user' -# host: 'localhost' -# grant: -# - 'SELECT' -# - 'UPDATE' -# password: ENC[PKCS7,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] +profile::app::mysql::server::dbs: + 'fastb_db': + user: 'fastb_db_user' + host: 'localhost' + grant: + - 'SELECT' + - 'UPDATE' + password: ENC[PKCS7,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] - profile::os::baseline::verify_trusted_data::extentions: - - 'pp_preshared_key' \ No newline at end of file +profile::os::baseline::verify_trusted_data::extentions: + - 'pp_preshared_key' \ No newline at end of file From 74e572e97e6d785b51d453282a5bb877ad06acc9 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Mon, 9 Sep 2019 09:23:07 -0400 Subject: [PATCH 130/134] fix yaml --- data/role/fastb_database.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data/role/fastb_database.yaml b/data/role/fastb_database.yaml index 5bce0da64..7d8169f74 100644 --- a/data/role/fastb_database.yaml +++ b/data/role/fastb_database.yaml 
@@ -1,7 +1,7 @@ --- profile::app::mysql::server::mysql_users: - 'fastb_db_user@localhost': + fastb_db_user@localhost: ensure: present profile::app::mysql::server::fastb_db_user@localhost::password: ENC[PKCS7,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] @@ -16,4 +16,4 @@ profile::app::mysql::server::dbs: password: ENC[PKCS7,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] profile::os::baseline::verify_trusted_data::extentions: - - 'pp_preshared_key' \ No newline at end of file + - 'pp_preshared_key' From 9df838b4eeec37a25e26cd0b737fe559ac92f1b5 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Mon, 9 Sep 2019 09:38:16 -0400 Subject: [PATCH 131/134] fix for onceover testing --- data/to_be_deleted.yaml | 5 ++++- spec/factsets/CentOS-6.6-64.json | 2 +- spec/factsets/CentOS-7.0-64.json | 2 +- spec/factsets/Windows_Server-2012r2-64.json | 2 +- spec/factsets/osx-10.13-x86_64.json | 2 +- spec/factsets/solaris-11.2-sparc-64.json | 2 +- 6 files changed, 9 insertions(+), 6 deletions(-) diff --git a/data/to_be_deleted.yaml b/data/to_be_deleted.yaml index 2665606e9..b1fdf6f23 100644 --- a/data/to_be_deleted.yaml +++ b/data/to_be_deleted.yaml @@ -198,4 +198,7 @@ profile::os::baseline::verify_trusted_data::extentions: - 'pp_service' - 'pp_product' -profile::app::fastb::fastb_db_password::iETraGpZcnRcPiuZGPCytoq3eWkwaWC6vqzudJkvPmu2: ENC[PKCS7,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] \ No newline at end of file +# This is test data for onceover +profile::app::fastb::fastb_db_password::somekey: 'somesillystringfordata' + +profile::app::fastb::fastb_db_password::iETraGpZcnRcPiuZGPCytoq3eWkwaWC6vqzudJkvPmu2: ENC[PKCS7,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] diff --git a/spec/factsets/CentOS-6.6-64.json b/spec/factsets/CentOS-6.6-64.json index 8331f6c1a..e52ef3d71 100644 --- a/spec/factsets/CentOS-6.6-64.json +++ b/spec/factsets/CentOS-6.6-64.json 
@@ -4,7 +4,7 @@
 "pp_role": "agent",
 "pp_service": "puppet",
 "pp_product": "puppet",
- "pp_preshared_key": "Somekey"
+ "pp_preshared_key": "somekey"
 },
 "values": {
 "aio_agent_build": "1.2.2",
diff --git a/spec/factsets/CentOS-7.0-64.json b/spec/factsets/CentOS-7.0-64.json
index 8e4f2acd0..73790aedd 100644
--- a/spec/factsets/CentOS-7.0-64.json
+++ b/spec/factsets/CentOS-7.0-64.json
@@ -4,7 +4,7 @@
 "pp_role": "agent",
 "pp_service": "puppet",
 "pp_product": "puppet",
- "pp_preshared_key": "Somekey"
+ "pp_preshared_key": "somekey"
 },
 "values": {
 "aio_agent_build": "6.4.3",
diff --git a/spec/factsets/Windows_Server-2012r2-64.json b/spec/factsets/Windows_Server-2012r2-64.json
index ec7fbdf87..dfa5e2923 100644
--- a/spec/factsets/Windows_Server-2012r2-64.json
+++ b/spec/factsets/Windows_Server-2012r2-64.json
@@ -4,7 +4,7 @@
 "pp_role": "agent",
 "pp_service": "puppet",
 "pp_product": "puppet",
- "pp_preshared_key": "Somekey"
+ "pp_preshared_key": "somekey"
 },
 "values": {
 "agent_specified_environment": "production",
diff --git a/spec/factsets/osx-10.13-x86_64.json b/spec/factsets/osx-10.13-x86_64.json
index b99d84ec4..5cf1490a7 100644
--- a/spec/factsets/osx-10.13-x86_64.json
+++ b/spec/factsets/osx-10.13-x86_64.json
@@ -4,7 +4,7 @@
 "pp_role": "agent",
 "pp_service": "puppet",
 "pp_product": "puppet",
- "pp_preshared_key": "Somekey"
+ "pp_preshared_key": "somekey"
 },
 "values": {
 "puppetversion": "6.0.4",
diff --git a/spec/factsets/solaris-11.2-sparc-64.json b/spec/factsets/solaris-11.2-sparc-64.json
index 9d2eec977..8d6a0e9c3 100644
--- a/spec/factsets/solaris-11.2-sparc-64.json
+++ b/spec/factsets/solaris-11.2-sparc-64.json
@@ -4,7 +4,7 @@
 "pp_role": "agent",
 "pp_service": "puppet",
 "pp_product": "puppet",
- "pp_preshared_key": "Somekey"
+ "pp_preshared_key": "somekey"
 },
 "values": {
 "aio_agent_build": "1.4.2",
From 8e173225c95d75ac7b3bd730b765d7095acbe9aa Mon Sep 17 00:00:00 2001
From: Troy Klein Date: Mon, 9 Sep 2019 09:50:27 -0400 Subject: [PATCH 132/134] site/profile/manifests/app/fastb.pp --- data/to_be_deleted.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/data/to_be_deleted.yaml b/data/to_be_deleted.yaml index b1fdf6f23..125eae369 100644 --- a/data/to_be_deleted.yaml +++ b/data/to_be_deleted.yaml @@ -198,7 +198,4 @@ profile::os::baseline::verify_trusted_data::extentions: - 'pp_service' - 'pp_product' -# This is test data for onceover -profile::app::fastb::fastb_db_password::somekey: 'somesillystringfordata' - profile::app::fastb::fastb_db_password::iETraGpZcnRcPiuZGPCytoq3eWkwaWC6vqzudJkvPmu2: ENC[PKCS7,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] From b5d00e62affa18583f9d2d93b516bea4ffc034ca Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Mon, 9 Sep 2019 10:59:48 -0400 Subject: [PATCH 133/134] change to added default for testing --- site/profile/manifests/app/fastb.pp | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp index 467cd3ee5..7458dffb4 100644 --- a/site/profile/manifests/app/fastb.pp +++ b/site/profile/manifests/app/fastb.pp @@ -16,8 +16,14 @@ group => $group, } + $mysql_passwd = lookup( 'name' => "profile::app::fastb::fastb_db_password::${trusted['extensions']['pp_preshared_key']}", + { 'merge' => { + 'strategy' => 'unique', + 'default_value' => 'somesillystringfortestdata' }, }) + + @@mysql_user { "fastb_db_user@${facts['fqdn']}": ensure => present, - password_hash => mysql_password(lookup("profile::app::fastb::fastb_db_password::${trusted['extensions']['pp_preshared_key']}")), + password_hash => mysql_password($mysql_passwd) } } From 10333e5b53d6be2c41257a28626989dac6e93c23 Mon Sep 17 00:00:00 2001 From: Troy Klein Date: Mon, 9 Sep 2019 16:28:00 -0400 Subject: [PATCH 134/134] fix for fastb app --- site/profile/manifests/app/fastb.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
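Review bot: The `lookup()` added in the PATCH 133/134 hunk of `site/profile/manifests/app/fastb.pp` gives the database password a hardcoded fallback, `'somesillystringfortestdata'`. If that fallback takes effect, a node whose `pp_preshared_key` has no matching `profile::app::fastb::fastb_db_password::…` entry is exported as `@@mysql_user` with a password readable in this repository instead of failing the catalog. The previous inline `lookup("…")` had no default and so failed closed, and the same fallback is carried into the PATCH 134/134 hunk on the same file. I would keep the manifest fail-closed, `$mysql_passwd = lookup("profile::app::fastb::fastb_db_password::${trusted['extensions']['pp_preshared_key']}")`, and supply the onceover value from test-only Hiera data rather than from code that production catalogs also compile. The enclosing class starts and ends outside the hunk.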
diff --git a/site/profile/manifests/app/fastb.pp b/site/profile/manifests/app/fastb.pp index 7458dffb4..d1ff81ba6 100644 --- a/site/profile/manifests/app/fastb.pp +++ b/site/profile/manifests/app/fastb.pp @@ -16,8 +16,8 @@ group => $group, } - $mysql_passwd = lookup( 'name' => "profile::app::fastb::fastb_db_password::${trusted['extensions']['pp_preshared_key']}", - { 'merge' => { + $mysql_passwd = lookup( { 'name' => "profile::app::fastb::fastb_db_password::${trusted['extensions']['pp_preshared_key']}", + 'merge' => { 'strategy' => 'unique', 'default_value' => 'somesillystringfortestdata' }, })
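Review bot: `'default_value'` is still nested inside the `'merge'` hash after this rewrite. In the `lookup` options hash it is a top-level key alongside `'name'` and `'merge'`, so as written it is probably not acting as the default at all and may be rejected as an unknown merge option. The `'unique'` strategy is also a poor fit for a single password string: it is an array merge, so `mysql_password($mysql_passwd)` would likely receive an array rather than a string. Dropping the `'merge'` entry, `lookup({ 'name' => "profile::app::fastb::fastb_db_password::${trusted['extensions']['pp_preshared_key']}" })`, keeps first-found behaviour and fails the compile when the key is missing instead of falling back to a string committed in the manifest. The surrounding class body lies outside the hunk.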