Difference between revisions of "PuppetDemo"
Revision as of 01:00, 18 September 2009
Overview
This page describes a proposed demonstration showing how to manage systems running SELinux using Puppet, an open-source, enterprise-grade configuration management tool. The goals of the demonstration are to show that configuration management systems can conveniently manage multiple SELinux clients, to provide examples for configuring SELinux clients, and to develop policy to constrain the Puppet client and server.
The demonstration will use Puppet to bootstrap client systems to the desired server type and ensure that SELinux is properly configured to protect the services.
Components
The demonstration includes Fedora 11 kickstart files for the two main components: a Puppet server and a generic client. Once joined to the Puppet server, two generic clients will be transformed by the example Puppet policy into fully configured and functional servers with appropriate SELinux configurations.
Although only two clients are used, the fully configured clients are intended to resemble systems found in an enterprise environment. Specifically, after successful configuration each client will be turned into either a web server or a mail server.
The web server will be configured as follows:
- Packages
- Install Apache and dependencies
- Users/Groups
- Add apache user with specific UID
- Add apache group with specific GID
- Apache Configuration
- Add three virtual hosts (client1, client1a, client1b)
- Configure one of the virtual hosts to allow sharing of files from users' public_html directories
- SELinux Configuration
- Ensure updated files have the desired type
- Ensure httpd SELinux module is loaded
- Ensure httpd_enable_homedirs SELinux boolean is enabled
The email server will be configured as follows:
- Packages
- Remove default Exim package
- Install postfix
- Users/Groups
- Add postfix user with specific UID
- Add postfix group with specific GID
- Postfix Configuration
- Apply basic main.cf from template
- SELinux Configuration
- Apply desired file labels to updated files
- Ensure {module} is loaded
- Ensure allow_postfix_local_write_mail_spool SELinux boolean is on
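The two end states listed above, written as Puppet classes. This is an added example, not the demo's own puppet-policy tarball; the module name sefos_demo, the template paths, the UID/GID values 48 (apache) and 89 (postfix), and the name of the Postfix SELinux module are assumptions, since the page only says "specific UID/GID" and "{module}".

```puppet
# Added example, not the demo's puppet-policy. Assumed: module name sefos_demo,
# template paths, UIDs/GIDs (apache 48, postfix 89) and the postfix module name.
define sefos_demo::vhost($userdir = false) {
  # $userdir is read by the (hypothetical) template to enable UserDir public_html
  file { "/etc/httpd/conf.d/${name}.conf":
    ensure  => file,
    content => template('sefos_demo/vhost.conf.erb'),
    seltype => 'httpd_config_t',        # ensure the updated file has the desired type
    require => Package['httpd'],
    notify  => Service['httpd'],
  }
}

class sefos_demo::webserver {
  package { 'httpd': ensure => installed }       # Apache and its dependencies
  group { 'apache': ensure => present, gid => 48 }
  user  { 'apache':
    ensure => present, uid => 48, gid => 'apache',
    shell  => '/sbin/nologin', require => Group['apache'],
  }
  sefos_demo::vhost { ['client1', 'client1b']: }
  sefos_demo::vhost { 'client1a': userdir => true }   # shares ~user/public_html
  selmodule  { 'httpd': ensure => present }            # httpd SELinux module loaded
  selboolean { 'httpd_enable_homedirs': value => 'on', persistent => true }
  service { 'httpd': ensure => running, enable => true }
}

class sefos_demo::mailserver {
  package { 'exim':    ensure => absent }              # remove the default MTA
  package { 'postfix': ensure => installed, require => Package['exim'] }
  group { 'postfix': ensure => present, gid => 89 }
  user  { 'postfix':
    ensure => present, uid => 89, gid => 'postfix',
    shell  => '/sbin/nologin', require => Group['postfix'],
  }
  file { '/etc/postfix/main.cf':
    ensure  => file,
    content => template('sefos_demo/main.cf.erb'),     # basic main.cf from template
    seltype => 'postfix_etc_t',                        # desired file label
    require => Package['postfix'],
    notify  => Service['postfix'],
  }
  selmodule  { 'postfix': ensure => present }          # module name assumed
  selboolean { 'allow_postfix_local_write_mail_spool': value => 'on', persistent => true }
  service { 'postfix': ensure => running, enable => true }
}
```

The seltype, selmodule and selboolean resources are the pieces that keep the SELinux state converged on every run, so a label or boolean changed by hand on a client is reverted at the next update.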
Basic Infrastructure
Requirements
Working forward/reverse DNS is needed for OpenSSL certificates to work properly for client/server authentication and data encryption.
For the demo to work properly with no modifications to the Puppet policy, the DNS server should be able to resolve two client hostnames (client1, client2) as well as two CNAMEs for client1 (client1a, client1b), because the default Puppet policy will set up three Apache virtual hosts on client1.
An example partial zone configuration for the demo could be:
puppetmaster A 192.168.1.174
client1 A 192.168.1.175
client2 A 192.168.1.176
client1a CNAME client1
client1b CNAME client1
The matching reverse zone configuration could be:
174 IN PTR puppetmaster.example.com.
175 IN PTR client1.example.com.
176 IN PTR client2.example.com.
PuppetDemoBootServer contains instructions for setting up a system to provide DHCP, DNS and HTTP services for initializing the demonstration.
Packages
The server and client automated installs expect certain packages to be present in /packages/ on a web server designated during the kickstart install. The following packages are expected:
- Server kickstart file.
- Client kickstart file.
- puppet-policy - gzipped tarball of the puppet policy is downloaded to the server and defines the desired end state of clients.
- sefos-demo-policy - RPM containing a small SELinux module required for some demo specific client configuration to work properly. This package is only downloaded to clients.
- selinux-policy, selinux-policy-targeted, selinux-policy-doc - SELinux policy RPMs including new policy to constrain the Puppet client and server. Eventually the changes will be included in the reference policy and trickle down to the Fedora RPMs, making these RPMs unnecessary.
Installation
Server Kickstart
Disk Partitioning
The default anaconda-chosen disk partitioning scheme is used unless modified by the person performing the installation. 1G+ of disk space is recommended.
Kernel Boot Options
Kernel boot options for server configuration are:
- se_dnsdomain - DNS domain of the server (assumes example.com if none provided)
- se_fqdn - fully qualified domain name of the server (set to puppetmaster.${se_dnsdomain} if none provided)
- se_www - IP address or hostname of the web server from which packages (SELinux policy and Puppet policy) should be downloaded.
Network Configuration
By default DHCP is used for network address provisioning.
If static addressing is desired or required, comment out the DHCP 'network' line, then uncomment and edit the 'network' line containing the static address.
Example
Client Kickstart
Disk Partitioning
The default anaconda-chosen disk partitioning scheme is used unless modified during the installation. 1G+ of disk space is recommended.
Kernel Boot Options
Kernel boot options for client configuration are:
- se_dnsdomain - DNS domain of the client (assumes example.com if none provided)
- se_fqdn - fully qualified domain name of the client (assumes client1.${se_dnsdomain} if none provided)
- se_pmaster - FQDN of the puppetmaster server (assumes puppetmaster.${se_dnsdomain} if none provided)
- se_www - IP address or resolvable DNS name of the web server from which packages can be downloaded.
Network Configuration
By default DHCP is used for network address provisioning.
If static addressing is desired or required, comment out the DHCP 'network' line, then uncomment and edit the 'network' line containing the static address.
Example
When installing client1 only se_www needs to be specified, as the default values for hostname, DNS domain and puppetmaster DNS name will be sufficient as long as the demo environment is the same as the provided examples.
Assuming no changes from the demo, se_fqdn and se_www should be specified when kickstarting client2 (its default hostname would otherwise collide with client1).
Manual Post Installation Configuration
During the kickstart of the server and one or more clients, each client's Puppet service will contact the server and submit a certificate for signing. To list unsigned certificates on the server run puppetca -l. For each demo client run puppetca -s {hostname} to sign the client certificate.
The clients will automatically download the signed certificate at the next update (approximately every 30 minutes) and will then download and apply the configuration from the server. To force an immediate update, the Puppet client service can be restarted with run_init service puppet restart (run_init is used so that the service starts in the correct SELinux domain rather than the administrator's).