pureVirtual | In The Cloud | Page 5
The only difference is the inclusion of Ruby escape sequences to inject variables from our module. Notice also the inclusion of fqdn, a variable that stores the fully qualified domain name of the system. This is known as a system fact. System facts are collected from each system before that system's Puppet catalog is generated.
Puppet uses the facter command to gather these system facts, and you can also run facter yourself to view a list of them. The content for this file is the myserver. We also check that the httpd package is installed before adding this file. We also add a second file resource declaration.
This checks our configuration file for any changes. If the file has changed, Puppet restarts the service. You can override this value with the Satellite Server.
Would have triggered 'refresh' from 4 events
Notice:
The highlighted lines show the creation of the configuration file and our web host directory.
The problem is that different versions of Red Hat Enterprise Linux use different methods for controlling the firewall. For Red Hat Enterprise Linux 6 and below, we use iptables. For Red Hat Enterprise Linux 7, we use firewalld. Puppet handles this decision using conditional logic and system facts. For this step, we add a statement that checks the operating system and runs the appropriate firewall commands.
Add the following code inside your mymodule:: Use the operatingsystemmajrelease fact to determine whether the operating system is Red Hat Enterprise Linux 6 or 7. If using Red Hat Enterprise Linux 6, declare an exec resource that runs iptables and iptables-save to add a permanent firewall rule. After the exec resource completes, we trigger a refresh of the iptables service.
To achieve this, we define a service resource that includes the subscribe attribute. This attribute checks whether there are any changes to another resource and, if so, performs a refresh.
In this case, it subscribes to the iptables exec resource. If using Red Hat Enterprise Linux 7, declare a similar exec resource that runs firewall-cmd to add a permanent firewall rule. After the exec resource completes, we trigger a refresh of the firewalld service, this time with a subscribe attribute pointing to the firewall-cmd exec resource.
This ensures the firewall commands only run after httpd is installed. Without these attributes, subsequent runs would add multiple instances of the same firewall rule. Run the puppet apply command again to test the changes to our module. The following example is a test on Red Hat Enterprise Linux 6:
Would have triggered 'refresh' from 1 events
The highlighted lines show the execution of the firewall rule creation and the subsequent service refresh triggered by the subscribe attribute.
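The conditional firewall logic described above, written out as an added example (not the guide's own code). The class name mymodule::firewall, the $http_port parameter and the resource titles are assumptions, and httpd is assumed to be declared as Package['httpd'] elsewhere in mymodule. The unless guards make the exec resources idempotent, which is what keeps repeated runs from stacking duplicate rules.

```puppet
# Added example, not the guide's own code. The class name, $http_port and the
# resource titles are assumptions; Package['httpd'] is assumed to be declared
# elsewhere in mymodule.
class mymodule::firewall ($http_port = 80) {
  $bin_path = ['/sbin', '/usr/sbin', '/bin', '/usr/bin']

  case $::operatingsystemmajrelease {
    '6': {
      # RHEL 6: insert the rule, then persist it with iptables-save.
      exec { 'mymodule-open-http-port-iptables':
        command  => "iptables -I INPUT 5 -p tcp -m tcp --dport ${http_port} -j ACCEPT && iptables-save > /etc/sysconfig/iptables",
        path     => $bin_path,
        provider => shell,
        # Idempotence guard: skip when the rule already exists, so repeated
        # runs do not stack duplicate ACCEPT rules.
        unless   => "iptables -S INPUT | grep -q -- '--dport ${http_port} -j ACCEPT'",
        require  => Package['httpd'],
      }
      service { 'iptables':
        ensure    => running,
        enable    => true,
        # Refresh only when the exec actually changed something.
        subscribe => Exec['mymodule-open-http-port-iptables'],
      }
    }
    '7': {
      # RHEL 7: firewalld keeps the permanent configuration itself.
      exec { 'mymodule-open-http-port-firewalld':
        command  => "firewall-cmd --permanent --add-port=${http_port}/tcp",
        path     => $bin_path,
        provider => shell,
        # --query-port exits 0 when the port is already permanently open.
        unless   => "firewall-cmd --permanent --query-port=${http_port}/tcp",
        require  => Package['httpd'],
      }
      service { 'firewalld':
        ensure    => running,
        enable    => true,
        subscribe => Exec['mymodule-open-http-port-firewalld'],
      }
    }
    default: {
      # Fail loudly rather than leave the port silently unmanaged.
      fail("mymodule::firewall: unsupported release ${::operatingsystemmajrelease}")
    }
  }
}
```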
If you aim to manage multiple firewall rules for your system in the future, it is recommended to create a custom resource for firewalls. If we define a custom port, we need to add configuration that allows SELinux to grant access. Puppet contains resource types to manage some SELinux functions, such as Booleans and modules.
However, we need to execute the semanage command to manage port settings. This tool is part of the policycoreutils-python package, which is not installed on Red Hat Enterprise Linux systems by default. This ensures the SELinux commands only run after httpd is installed. Without these attributes, subsequent runs result in failure, because SELinux detects that the port is already enabled and reports an error. This provides a platform for installing a web-based application, which Puppet can also configure.
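The SELinux port step described above, as an added example (not the guide's own code). The class name mymodule::selinux, the $http_port parameter and the resource titles are assumptions, and Package['httpd'] is assumed to be declared elsewhere in mymodule. It also shows the contrast the text draws: Booleans have a native resource type, while port labels need semanage behind an exec with a guard so a second run does not fail.

```puppet
# Added example, not the guide's own code. The class name, $http_port and the
# resource titles are assumptions; Package['httpd'] is assumed elsewhere.
class mymodule::selinux ($http_port = 8080) {
  # semanage ships in policycoreutils-python, which RHEL does not install by default.
  package { 'policycoreutils-python':
    ensure => installed,
  }

  # Label the custom port so a confined httpd may bind to it.
  exec { "mymodule-selinux-http-port-${http_port}":
    command  => "semanage port -a -t http_port_t -p tcp ${http_port}",
    path     => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],
    provider => shell,
    # Guard: semanage errors out with "already defined" on a second run,
    # so only add the port when it is missing from the http_port_t tcp list.
    unless   => "semanage port -l | grep -E '^http_port_t +tcp' | grep -qw ${http_port}",
    require  => [Package['policycoreutils-python'], Package['httpd']],
  }

  # Booleans, by contrast, have a native resource type; no exec is needed.
  # Keep httpd from opening outbound connections unless the application
  # really needs it (this is the SELinux default, stated explicitly).
  selboolean { 'httpd_can_network_connect':
    value      => 'off',
    persistent => true,
  }
}
```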
For this example, however, we will only copy a simple index webpage over to our web host. Create a file named index. Add the following content to this file: This declaration copies a file from the module's files directory on the Puppet server to the system and sets its permissions.
Additionally, the require attribute ensures the mymodule:: Finally, include this new manifest in our main init.
Would have triggered 'refresh' from 8 events
Notice:
To export the module into an archive for Red Hat Satellite 6 to use, run the following command: This means you must create a custom product and then upload the modules that form the basis of that product.
For example, a custom product might consist of a set of Puppet modules required to set up an HTTP server, a database, and a custom application.
Creating a Custom Product
1. Log in to your Red Hat Satellite 6 server.
2. Navigate to Content > Products.
3. Provide your custom product with a Name. In this example, use MyProduct as the name. The Label field automatically populates with a label based on the Name. For our example, leave those fields blank.
Creating a Custom Puppet Repository
1. On the Products page, click on the custom product created previously, MyProduct.
2. Navigate to the Repositories subtab.
3. Provide the repository with a Name. This example uses the name MyRepo.
4. Select puppet as the repository Type.
5. Leave the URL field blank. This field is used for remote repositories, but in our case Satellite 6 creates its own repository.
6. Click the Name of the newly created repository.
7. In the Upload Puppet Module section, click Browse and select the mymodule archive. You can upload more modules to this repository. For our example, we only need to upload the mymodule module.
Our Puppet module is now a part of your Red Hat Satellite 6 environment.
1. On the Products page, click on the custom product containing the module to remove.
2. Click the Name of the repository containing the module to remove.
3. Click Manage Puppet Modules. The screen displays a list of Puppet modules contained within the repository.
4. Select the modules to remove.
5. Click Remove Puppet Modules.
This tool checks out repositories containing a set of modules, builds the modules, and publishes them in a structure for Satellite 6 to synchronize. This provides an efficient way to manage module development in Git and include the modules in the Satellite 6 workflow.
NOTE: You can also install the pulp-puppet-module-builder tool on other machines using the pulp-puppet-tools package.
Publishing a Git Repository to a Local Directory
1. Create a directory on the Satellite server to synchronize the modules.
2. Run pulp-puppet-module-builder and check out the Git repository.
The same procedure applies to publishing modules to an HTTP server.
Publishing a Git Repository to a Web Server
1. Create a directory on the web server to synchronize the modules.
Creating a Repository for Puppet Modules from Git
1. This example uses the name MyGitRepo.
2. In the URL field, set the location you defined earlier. For example, local directories on the Satellite 6 server use the file: scheme.
3. Click Sync Now to synchronize the repository.
You can add this module to an existing view, but for our example we will create a new view.
Publishing a Content View
1. Navigate to Content > Content Views.
2. Provide your view with a Name. In this example, we use MyView as the name. Make sure Composite View is not selected.
3. Select the Name of your newly created view.
4. Navigate to Content > Repositories. The Tools RPM collection contains the packages to set up our remote Puppet configuration on provisioned systems.
5. Navigate to Puppet Modules. Scroll to your module and click Select a Version. Scroll to the module version Use Latest and click Select Version. Our module is now a part of the content view.
6. Navigate to Versions to publish and promote a new version of the content view. Click Publish New Version. On the Publish New Version page, click Save. This publishes the content view with our module.
7. Choose a lifecycle environment and click Promote Version. This makes the view a part of the chosen lifecycle environment.
Our content view is now published. As part of the content view creation, Red Hat Satellite 6 creates a new Puppet environment for use in the provisioning process. This Puppet environment contains our module. Satellite 6 can import classes and allow modification of their parameters.
This is called a smart variable. For example, mymodule contains a parameter for the HTTP port of our web server. This provides an easy way to change the HTTP port on our webserver.
This procedure requires the mymodule module uploaded to a product and added to a content view. This is because we need to edit the classes in the resulting Puppet environment.
Navigate to Configure > Smart variables. A table appears listing all smart variables from the classes in your Puppet modules. The options for the smart variable appear. To allow overriding this variable during provisioning, select the Override option.
Selecting the Override option allows us to change the Parameter type and Default value. This is useful if we aim to globally change this value for all future configurations. The following parameter types are available:
- String: The value is interpreted as a plain text string. For example, if your smart variable sets the hostname, the value is interpreted as a string.
- Boolean: example values are True, true, 1.
- Integer: The value is interpreted and validated as an integer value.
- Real: The value is interpreted and validated as a real number value.
For our example, leave this section blank. Selecting the Override option also exposes Override Value For Specific Hosts, which defines a hierarchical order of system facts and a set of matcher-value combinations.
The matcher-value combinations determine the right parameter to use depending on an evaluation of the system facts.
The same rule applies to self-signed certificates. In this case, users may get used to seeing a warning message saying the certificate has expired, and then will probably not notice if it is a bogus certificate. It is virtually impossible for programmers to write pieces of code as large as these without bugs, so we should always use the latest stable versions of the above software.
The latest versions should, in theory, contain fewer security vulnerabilities, both discovered and not yet discovered, than previous versions.
Acceptance of SSL v2
Otherwise, there is a risk that the client can be tricked into negotiating parameters that dramatically lower the security level of the connection. For this reason we should disable the use of SSLv2.
Use of weak encryption
Early implementations of SSL were only able to use bit keys for symmetric encryption, due to US government restrictions. Unfortunately, data encrypted with bit symmetric keys can now be decrypted in a relatively short period of time, and for this reason bit and bit keys should no longer be used. Otherwise we may not be able to detect any attacks, except denial of service, performed against the web server.
Vulnerable client machines
When we focus on securing Apache web servers, we can easily forget about the security of the client machines. Most importantly, web browser versions should always be up to date. Otherwise, an intruder can sniff the HTTP traffic between the web server and the victim, and can try to use session IDs to gain access to the authorized part of a web application via SSL.
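The protocol, cipher and logging points above, shown as an added mod_ssl configuration example that is not from the original article: a legacy stanza that still accepts SSLv2 and weak ciphers, next to a hardened one. The log path and format string are assumptions.

```apacheconf
# Added example, not from the original article. The log path and the log
# format string are assumptions.

# Weak: the classic legacy defaults, which accept SSLv2 and export/LOW ciphers.
#SSLProtocol all
#SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

# Hardened: no SSLv2 (or SSLv3), no anonymous, export, LOW, MD5 or RC4 ciphers,
# and the server's preference order decides the negotiation.
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!LOW:!EXP
SSLHonorCipherOrder on

# Record the negotiated protocol and cipher per request, so a downgraded
# connection shows up in the logs instead of going unnoticed.
CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
```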
Conclusion
This article closes the series of articles devoted to configuring Apache 2.