Difference between revisions of "PuppetDemo"

From SELinux Wiki
Revision as of 15:26, 30 September 2009

Overview

This page describes a proposed demonstration showing how to manage systems running SELinux using Puppet, an open-source, enterprise-grade configuration management tool. The goals of the demonstration are to show that configuration management systems can conveniently manage multiple SELinux clients, to provide examples for configuring SELinux clients, and to develop policy to constrain the client and server.

The demonstration will use Puppet to bootstrap client systems to the desired server type and ensure that SELinux is properly configured to protect the services.

Components

The demonstration includes Fedora 11 kickstart files for the two main components: a Puppet server and a generic client. The example Puppet policy will transform two generic clients into fully configured and functional servers with appropriate SELinux configurations once they have joined the Puppet server.

While the number of clients is small, the fully configured clients are intended to be similar to some of what might be found in an enterprise environment. Specifically, following successful configuration each client will be turned into either a web server or a mail server.

The web server will be configured as follows:

  • Packages
    • Install Apache and dependencies
  • Users/Groups
    • Add apache user with specific UID
    • Add apache group with specific GID
  • Apache Configuration
    • Add three virtual hosts (client1, client1a, client1b)
    • Configure one of the virtual hosts to allow sharing of files from users' public_html directories
  • SELinux Configuration
    • Ensure updated files have the desired type
    • Ensure httpd SELinux module is loaded
    • Ensure httpd_enable_homedirs SELinux boolean is enabled

The email server will be configured as follows:

  • Packages
    • Remove default Exim package
    • Install postfix
  • Users/Groups
    • Add postfix user with specific UID
    • Add postfix group with specific GID
  • Postfix Configuration
    • Apply basic main.cf from template
  • SELinux Configuration
    • Apply desired file labels to updated files
    • Ensure {module} is loaded
    • Ensure allow_postfix_local_write_mail_spool SELinux boolean is on
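As an added example (not the demo's own puppet-policy tarball), the client1 web server end state listed above written as Puppet manifests; the mail server follows the same pattern with its own package, user/group, template and boolean. The apache UID/GID of 48, the /var/www/<vhost> document roots and the example.com domain are assumptions, and the SELinux module-loading step is left out.

```puppet
# Added example, not the demo's policy. Assumed: uid/gid 48, docroots under
# /var/www, domain example.com. 'seltype' sets the SELinux file context.

define web::vhost ($userdir = false) {
  $docroot = "/var/www/${name}"
  # UserDir is only switched on for the vhost that shares ~user/public_html
  if $userdir { $ud = "  UserDir public_html\n" } else { $ud = "" }

  file { $docroot:
    ensure  => directory,
    seltype => 'httpd_sys_content_t',
  }
  file { "/etc/httpd/conf.d/${name}.conf":
    ensure  => file,
    mode    => '0644',
    seltype => 'httpd_config_t',
    content => "<VirtualHost *:80>\n  ServerName ${name}.example.com\n  DocumentRoot ${docroot}\n${ud}</VirtualHost>\n",
    notify  => Service['httpd'],
  }
}

class web {
  package { 'httpd': ensure => installed }

  # Fixed ids so file ownership is identical on every client the policy builds
  group { 'apache': ensure => present, gid => 48 }
  user  { 'apache':
    ensure => present, uid => 48, gid => 'apache',
    shell  => '/sbin/nologin', require => Group['apache'],
  }

  web::vhost { ['client1', 'client1b']: }
  web::vhost { 'client1a': userdir => true }

  # Boolean that lets httpd_t read users' public_html; 'unless' keeps it idempotent
  exec { 'httpd_enable_homedirs':
    command => '/usr/sbin/setsebool -P httpd_enable_homedirs on',
    unless  => '/usr/sbin/getsebool httpd_enable_homedirs | /bin/grep -q "on$"',
  }

  service { 'httpd':
    ensure  => running,
    enable  => true,
    require => [Package['httpd'], Exec['httpd_enable_homedirs']],
  }
}

node 'client1.example.com' { include web }
```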

Basic Infrastructure

Requirements

Working forward/reverse DNS is needed for OpenSSL certificates to work properly for client/server authentication and data encryption.

For the demo to work properly with no modifications to the Puppet policy, the DNS server should be able to resolve two client hostnames (client1, client2) as well as two CNAMEs for client1 (client1a, client1b), because the default Puppet policy will set up three Apache virtual hosts on client1.

An example partial zone configuration for the demo could be:

puppetmaster    A       192.168.1.174
client1         A       192.168.1.175
client2         A       192.168.1.176
client1a        CNAME   client1
client1b        CNAME   client1

The matching reverse zone configuration could be:

174     IN PTR  puppetmaster.example.com.
175     IN PTR  client1.example.com.
176     IN PTR  client2.example.com.

PuppetDemoBootServer contains instructions for setting up a system to provide DHCP, DNS and HTTP services for initializing the demonstration.

Packages

The install defaults to using selinuxproject.org for downloading and installing packages, but if another web server is specified the following packages are expected:

  • puppet-policy - gzipped tarball of the Puppet policy; it is downloaded to the server and defines the desired end state of clients.
  • sefos-demo-policy - RPM containing a small SELinux module required for some demo-specific client configuration to work properly. This package is only downloaded to clients

and server. Eventually the changes will be included in the reference policy and trickle down to the Fedora RPMs, making these RPMs unnecessary.

Installation

Server Kickstart

Here is the Server Kickstart: http://www.selinuxproject.org/~cgrube/puppet/kickstart/ks.server.cfg


Disk Partitioning

The default anaconda-chosen disk partitioning scheme is used unless modified by the person performing the installation. 1G+ of disk space is recommended.

Kernel Boot Options

Kernel boot options for server configuration are:

  • se_dnsdomain - DNS domain of the server (assumes example.com if none provided)
  • se_fqdn - fully qualified domain name of the server (set to puppetmaster.${se_dnsdomain} if none provided)
  • se_www - IP address or hostname of the web server from which packages (SELinux policy and Puppet policy) should be downloaded. The kickstart defaults to downloading the packages from selinuxproject.org; set this boot option to use a local mirror instead.
  • se_repo - relative path from se_www to a yum repo file for use during the installation.

The boot options can be specified by editing the kernel options in Grub during boot.

Network Configuration

By default DHCP is used for network address provisioning.

If static addressing is desired or required, comment out the DHCP 'network' line, then uncomment the 'network' line containing the static address and edit it as needed.

Example

If no changes are made from the example DNS configuration and www.selinuxproject.org is accessible from the system being kickstarted no boot options need to be provided.

If an alternate web server is to be used, se_www=http://webserver/path/to/files should be added to the boot options. If an alternate hostname is desired, se_fqdn=server.thedomain should be added to the boot options. If an alternate domain is to be used, se_dnsdomain=thedomain should be used to specify the domain name.

Client Kickstart

Client kickstart

Disk Partitioning

The default anaconda-chosen disk partitioning scheme is used unless modified during the installation. 1G+ of disk space is recommended.

Kernel Boot Options

Kernel boot options for client configuration are:

  • se_dnsdomain - DNS domain of the client (assumes example.com if none provided)
  • se_fqdn - fully qualified domain name of the client (assumes client1.${se_dnsdomain} if none provided)
  • se_pmaster - FQDN of the puppetmaster server (assumes puppetmaster.${se_dnsdomain} if none provided)
  • se_www - IP address or resolvable DNS name of the web server from which packages can be downloaded. By default the kickstart downloads packages from the selinuxproject.org web server.

Network Configuration

By default DHCP is used for network address provisioning.

If static addressing is desired or required, comment out the DHCP 'network' line, then uncomment and edit the 'network' line containing the static address.

Example

Assuming no changes from the example DNS configuration, no boot options are required for client1; se_fqdn=client2.example.com should be added to the boot options for client2. See the examples for the server kickstart if DNS changes were made or an alternate web server is being used.


Manual Post Installation Configuration

During the kickstart of the server and one or more clients, each client's Puppet service will contact the server and submit a certificate for signing. To list unsigned certificates on the server, run puppetca -l. For each demo client, run puppetca -s {hostname} to sign the client's certificate.

The clients will automatically download the signed certificate at the next update (approximately every 30 minutes) and will then download and apply the configuration from the server. To force an immediate update, the Puppet client service can be restarted with run_init service puppet restart.