Tag Archives: CentOS

Configuring Interface Bonding on CentOS/RHEL/OEL 6.x

In my previous article I wrote about configuring configuring network interface bonding under Debian Wheezy. Here, I’ll briefly outline the steps required to get the same configuration running under recent RHEL-flavoured distributions - namely CentOS 6.4 in my case.

I will be bonding eth0 and eth1 into a bond named bond0. Ensure that you’re connected to your host via a console. I’ll be using active-backup (i.e. failover) bonding, but there are other options available - see the Debian article for links to reference material for those.

First, create the ifcfg-bond0 configuration file:

# cd /etc/sysconfig/network-scripts
# vi ifcfg-bond0
DEVICE=bond0
IPADDR=192.168.122.12
NETMASK=255.255.255.0
GATEWAY=192.168.122.1
NM_CONTROLLED=no
BOOTPROTO=none
ONBOOT=yes
USERCTL=no

# cd /etc/sysconfig/network-scripts

# vi ifcfg-bond0

DEVICE=bond0

IPADDR=192.168.122.12

NETMASK=255.255.255.0

GATEWAY=192.168.122.1

NM_CONTROLLED=no

BOOTPROTO=none

ONBOOT=yes

USERCTL=no

Substitute relevant values as appropriate for your setup. Next, edit/create the ifcfg-eth{0,1} files. Note that these are created as slave interfaces (SLAVE=yes) with bond0 as the master interface (MASTER=bond0):

# vi ifcfg-eth0
DEVICE=eth0
USERCTL=no
ONBOOT=yes
NM_CONTROLLED=no
MASTER=bond0
SLAVE=yes
BOOTPROTO=none
# sed 's/eth0/eth1/' ifcfg-eth0 > ifcfg-eth1

# vi ifcfg-eth0

DEVICE=eth0

USERCTL=no

ONBOOT=yes

NM_CONTROLLED=no

MASTER=bond0

SLAVE=yes

BOOTPROTO=none

# sed 's/eth0/eth1/' ifcfg-eth0 > ifcfg-eth1

Note - that if NM_CONTROLLED is set, you should strictly define your HWADDR entries too at this step, for each interface. Configure the bonding module. miimon is the MII link monitoring frequency in milliseconds, {down,up}delay are the times, in milliseconds, to wait before disabling or enabling an interface in the bond (to safeguard against flapping), and should be a multiple of the miimon value. Note that /etc/modprobe.conf is deprecated in CentOS 6.x so an appropriate file should be created under /etc/modprobe.d - in our case, bonding.conf:

# vi /etc/modprobe.d/bonding.conf
alias bond0 bonding
options bond0 mode=active-backup miimon=100 downdelay=200 updelay=200

# vi /etc/modprobe.d/bonding.conf

alias bond0 bonding

options bond0 mode=active-backup miimon=100 downdelay=200 updelay=200

To test, manually load the module (and appropriate options - I see many tutorials with a simple modprobe bonding here - you’ll end up with the default bonding mode which is round-robin - not what we want):

# modprobe bonding mode=active-backup miimon=100 downdelay=200 updelay=200

1	# modprobe bonding mode=active-backup miimon=100 downdelay=200 updelay=200

And restart networking:

# service network restart

1	# service network restart

Verify that all is well with ifconfig -a, or more suitably a cat on /proc/net/bonding/bond0:

# cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.6.0 (September 26, 2009)
Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 200
Down Delay (ms): 200
Slave Interface: eth0
MII Status: up
Speed: Unknown
Duplex: Unknown
Link Failure Count: 0
Permanent HW addr: 52:54:00:c1:77:fc
Slave queue ID: 0
Slave Interface: eth1
MII Status: up
Speed: 100 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 52:54:00:f3:11:1e
Slave queue ID: 0

# cat /proc/net/bonding/bond0

Ethernet Channel Bonding Driver: v3.6.0 (September 26, 2009)

Bonding Mode: fault-tolerance (active-backup)

Primary Slave: None

Currently Active Slave: eth0

MII Status: up

MII Polling Interval (ms): 100

Up Delay (ms): 200

Down Delay (ms): 200

Slave Interface: eth0

MII Status: up

Speed: Unknown

Duplex: Unknown

Link Failure Count: 0

Permanent HW addr: 52:54:00:c1:77:fc

Slave queue ID: 0

Slave Interface: eth1

MII Status: up

Speed: 100 Mbps

Duplex: full

Link Failure Count: 0

Permanent HW addr: 52:54:00:f3:11:1e

Slave queue ID: 0

Reboot the host at the earliest opportunity to verify that all is well after a reboot.

Securing and Hardening the Linux Operating System

Any application is only as secure as the operating system hosting it. Whilst most servers are protected behind firewalls with the main avenue of exploit being the application, if an application is exploited and the user did manage to obtain server access, we need to minimise the damage that can be done to the exploited machine and others. Running hardened systems is a requirement of certain data security standards such as PCI-DSS (PCI Application Data Security Standard), as well as mandated by many organisations. Plus, it is just good practice. Out-of-the-box, most modern OSes are configured to be secure. There is still a great deal we can do, however, to further harden the operating system to various vectors of attack.

This article will only cover the core aspects of Linux OS lockdown, and will focus on CentOS 6.4. Most of the concepts here should be able to be ported to other flavours, using the appropriate commands for your OS.

For further detail, consult the security benchmarks available at http://cisecurity.org. You should employ multiple layers of security within your architecture – for example, using network-based firewalls as well as host firewalls, writing secure code, ensuring that all aspects of the application stack are patched and up-to-date, etc. Hardening the OS is just one more layer of security.

Continue reading →

Puppet Module: security::tcpwrappers with Hiera

Module: security::tcpwrappers

Purpose: This module configures TCP Wrappers on CentOS 6 and Solaris 10 hosts with Hiera.

Notes: This module does some pretty fancy things. It uses Hiera to provide lookup for the $hostsallow and $hostsdeny variables, and interfaces with inetadm and svccfg on Solaris. Let’s look at hiera.yaml first.

File: /etc/puppet/hiera.yaml

---
:backends:
   - yaml
:yaml:
   :datadir: /etc/puppet/hieradata
:hierarchy:
   - %{::clientcert}
   - %{::operatingsystem}
   - common

---

:backends:

- yaml

:yaml:

:datadir: /etc/puppet/hieradata

:hierarchy:

- %{::clientcert}

- %{::operatingsystem}

- common

As you can see, we first check the %{::clientcert}, then the %{::operatingsystem} before falling back to common. So, essentially you have hostname-specific control if you need it.

Under /etc/puppet/hieradata, I have the following:

[root@centosa hieradata]# cat centosa.local.yaml 
---
security::tcpwrappers::hostsallow: "puppet:///modules/security/etc/hosts.allow-centosa.local"
security::tcpwrappers::hostsdeny: "puppet:///modules/security/etc/hosts.deny-centosa.local"
[root@centosa hieradata]# cat common.yaml 
---
security::tcpwrappers::hostsallow: "puppet:///modules/security/etc/hosts.allow-common"
security::tcpwrappers::hostsdeny: "puppet:///modules/security/etc/hosts.deny-common"
[root@centosa hieradata]# cat Solaris.yaml 
---
security::tcpwrappers::hostsallow: "puppet:///modules/security/etc/hosts.allow-solaris"
security::tcpwrappers::hostsdeny: "puppet:///modules/security/etc/hosts.deny-solaris"

[root@centosa hieradata]# cat centosa.local.yaml

---

security::tcpwrappers::hostsallow: "puppet:///modules/security/etc/hosts.allow-centosa.local"

security::tcpwrappers::hostsdeny: "puppet:///modules/security/etc/hosts.deny-centosa.local"

[root@centosa hieradata]# cat common.yaml

---

security::tcpwrappers::hostsallow: "puppet:///modules/security/etc/hosts.allow-common"

security::tcpwrappers::hostsdeny: "puppet:///modules/security/etc/hosts.deny-common"

[root@centosa hieradata]# cat Solaris.yaml

---

security::tcpwrappers::hostsallow: "puppet:///modules/security/etc/hosts.allow-solaris"

security::tcpwrappers::hostsdeny: "puppet:///modules/security/etc/hosts.deny-solaris"

Host centosa.local would use centosa.local.yaml (due to %{::clientcert} in the hierarchy) and pull the values in for security::tcpwrappers::hostsallow and security::tcpwrappers::hostsdeny from that file. Host centosb.local would fall through to common.yaml (unless there was a %{::clientcert}.yaml or Centos.yaml), and a Solaris host would use Solaris.yaml.

File: security/manifests/tcpwrappers.pp

Notes: Uses Hiera to copy in appropriate files. On Solaris, it configures inetd-controlled services to use TCP Wrappers via inetadm, and enables TCP Wrappers for the RPC portmapping service via svccfg.

# class security::tcpwrappers
# Set up tcpwrappers on Solaris and CentOS hosts
class security::tcpwrappers ( $hostsallow = "", $hostsdeny = "" ) {
  file { '/etc/hosts.allow' :
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => $hostsallow
  }
  file { '/etc/hosts.deny' :
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => $hostsdeny
  }
  case $::operatingsystem {
    'CentOS' : {
      # nothing else to do, files are in place
    }
    'Solaris' : {
      # set up inetd-controlled services for tcp_wrappers
      exec { '/usr/sbin/inetadm -M tcp_wrappers=TRUE' :
        unless => '/usr/sbin/inetadm -p | /bin/grep tcp_wrappers=TRUE'
      }
      # enable TCP wrappers for RPC portmapping service
      exec { '/usr/sbin/svccfg -s svc:/network/rpc/bind setprop config/enable_tcpwrappers=true' :
        unless => '/usr/sbin/svccfg -s svc:/network/rpc/bind listprop config/enable_tcpwrappers | /bin/grep true',
        notify => Service['svc:/network/rpc/bind']
      }
      # need the service defined here so we can notify it
      service { 'svc:/network/rpc/bind' :
        ensure => running,
        enable => true
      }
    }
    default : { fail( 'OS unsupported by security::tcp_wrappers class' ) }
  }
}

# class security::tcpwrappers

# Set up tcpwrappers on Solaris and CentOS hosts

class security::tcpwrappers ( $hostsallow = "", $hostsdeny = "" ) {

file { '/etc/hosts.allow' :

owner => 'root',

group => 'root',

mode => '0644',

source => $hostsallow

}

file { '/etc/hosts.deny' :

owner => 'root',

group => 'root',

mode => '0644',

source => $hostsdeny

}

case $::operatingsystem {

'CentOS' : {

# nothing else to do, files are in place

}

'Solaris' : {

# set up inetd-controlled services for tcp_wrappers

exec { '/usr/sbin/inetadm -M tcp_wrappers=TRUE' :

unless => '/usr/sbin/inetadm -p | /bin/grep tcp_wrappers=TRUE'

}

# enable TCP wrappers for RPC portmapping service

exec { '/usr/sbin/svccfg -s svc:/network/rpc/bind setprop config/enable_tcpwrappers=true' :

unless => '/usr/sbin/svccfg -s svc:/network/rpc/bind listprop config/enable_tcpwrappers | /bin/grep true',

notify => Service['svc:/network/rpc/bind']

}

# need the service defined here so we can notify it

service { 'svc:/network/rpc/bind' :

ensure => running,

enable => true

}

default : { fail( 'OS unsupported by security::tcp_wrappers class' ) }

}

Secure MySQL Replication over SSL

MySQL is a popular open-source relational-database management system. One of its core features is replication, and in this article I will be showing how to configure a master and slave MySQL instance, and then configure replication from master to slave over SSL. Encryption will help protect the replication from snooping. This type of replication has many uses, for example: disaster-recovery scenarios whereby the slave can be switched to a master role in the case of a master outage, for performance where all reads can take place on the slave with writes and updates occurring on the master, and so on. Replication can be configured without encryption, but encrypting with SSL is preferred as part of a defence-in-depth strategy - it’s an extra layer of security.

This article already presumes a good working knowledge of MySQL. The master server is centosa with IP address 10.1.1.150, and is running a minimal installation of CentOS 6.4 x86_64. The slave, centosb, is running the same OS and has IP address 10.1.1.151. MySQL will be installed from the latest current stable RPMs available at dev.mysql.com, rather than using the upstream versions. The latest stable version available at the time of writing is 5.6.14.

This article will cover the configuration of an SSL-encrypted replicated environment from scratch - it does not cover the migration of an existing replicated configuration to an SSL-encrypted replicated configuration, or the migration of any existing data to a new slave.

Continue reading →

SELinux: Allowing httpd to Listen on Non-Standard Ports

If you attempt to have httpd listen on a non-standard port (we’ll get to what’s “standard” and what isn’t in a moment) on an SELinux enabled host, SELinux will deny the request. Let’s try it out (on a CentOS 6.4 box):

# cd /etc/httpd/conf.d
# echo "Listen 8585" > listen.conf
# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:
(13)Permission denied: make_sock: could not bind to address [::]:8585
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:8585
no listening sockets available, shutting down
Unable to open logs
                                                           [FAILED]

# cd /etc/httpd/conf.d

# echo "Listen 8585" > listen.conf

# service httpd restart

Stopping httpd: [ OK ]

Starting httpd:

(13)Permission denied: make_sock: could not bind to address [::]:8585

(13)Permission denied: make_sock: could not bind to address 0.0.0.0:8585

no listening sockets available, shutting down

Unable to open logs

[FAILED]

Kaboom! As you can see, the error message is quite clear “(13)Permission denied: make_sock: could not bind to address”. Let’s take a look at the audit logs and see what’s going on:

type=AVC msg=audit(1371477046.382:20195): avc:  denied  { name_bind } for  pid=16429 comm="httpd" src=8585 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1371477046.382:20195): arch=c000003e syscall=49 success=no exit=-13 a0=6 a1=7fd0fa0ede00 a2=1c a3=7fffb095d3ec items=0 ppid=16428 pid=16429 auid=666 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=674 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1371477046.382:20196): avc:  denied  { name_bind } for  pid=16429 comm="httpd" src=8585 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1371477046.382:20196): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7fd0fa0edd40 a2=10 a3=7fffb095d3ec items=0 ppid=16428 pid=16429 auid=666 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=674 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1371477046.382:20195): avc: denied { name_bind } for pid=16429 comm="httpd" src=8585 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1371477046.382:20195): arch=c000003e syscall=49 success=no exit=-13 a0=6 a1=7fd0fa0ede00 a2=1c a3=7fffb095d3ec items=0 ppid=16428 pid=16429 auid=666 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=674 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1371477046.382:20196): avc: denied { name_bind } for pid=16429 comm="httpd" src=8585 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1371477046.382:20196): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7fd0fa0edd40 a2=10 a3=7fffb095d3ec items=0 ppid=16428 pid=16429 auid=666 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=674 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

There are two sets of messages there, one for the IPv4 bind, the other for the IPv6 bind. The AVC message actually makes it clear what’s going on:

type=AVC msg=audit(1371477046.382:20195): avc: denied { name_bind } for pid=16429 comm="httpd" src=8585 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

You can see that the violation is from source context (scontext) unconfined_u:system_r:httpd_t which is the httpd process, and the target context (tcontext) is system_u:object_r:port_t with target class (tclass) tcp_socket. The denied port (8585 in this case) is also logged in the src field.

SELinux will only allow httpd to bind to ports of type http_port_t. Here, we can see that httpd is attempting to bind to a port of type port_t - which is going to be denied by the policy. We need to define port 8585 as a port of type http_port_t. semanage is the tool for that - and you’ll need the policycoreutils-python package installed:

# yum install policycoreutils-python
# rpm -qf `which semanage`
policycoreutils-python-2.0.83-19.30.el6.x86_64

# yum install policycoreutils-python

# rpm -qf `which semanage`

policycoreutils-python-2.0.83-19.30.el6.x86_64

First, let’s look at which ports are currently defined as type http_port_t:

# semanage port -l | grep '^http_port_t'
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443

1 2	# semanage port -l \| grep '^http_port_t' http_port_t tcp 80, 443, 488, 8008, 8009, 8443

And add our desired listen port, 8585/tcp to the list:

# semanage port -a -t http_port_t -p tcp 8585
# semanage port -l | grep '^http_port_t'
http_port_t                    tcp      8585, 80, 443, 488, 8008, 8009, 8443

# semanage port -a -t http_port_t -p tcp 8585

# semanage port -l | grep '^http_port_t'

http_port_t tcp 8585, 80, 443, 488, 8008, 8009, 8443

Looks good. Fire up httpd:

# service httpd start
Starting httpd:                                            [  OK  ]

1 2	# service httpd start Starting httpd: [ OK ]

And test with nc or similar:

# echo "GET /" | nc localhost 8585
...
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>

# echo "GET /" | nc localhost 8585

...

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

<html>

<head>

rsyslog - “Could not open dynamic file - discarding message” errors on CentOS 6

Whilst configuring a central syslog server using rsyslog on CentOS 6, I was experiencing issues with dynamic log filenames being created. I had created a new filesystem, mounted at /var/syslog, for my logs, and configured rsyslog.conf with the following:

...
$template FILENAME,"/var/syslog/%HOSTNAME%/syslog.log"
*.* ?FILENAME
...

...

$template FILENAME,"/var/syslog/%HOSTNAME%/syslog.log"

*.* ?FILENAME

...

However, the dynamic logs were not being created, and instead the following error message was observed in the local /var/log/messages file (mars being the hostname):

Jun 13 23:30:01 mars rsyslogd-3000: Could not open dynamic file '/var/syslog/mars/syslog.log' [state -3000] - discarding message [try http://www.rsyslog.com/e/3000 ]

1	Jun 13 23:30:01 mars rsyslogd-3000: Could not open dynamic file '/var/syslog/mars/syslog.log' [state -3000] - discarding message [try http://www.rsyslog.com/e/3000 ]

A quick check of the SELinux context found the issue:

# ls -Zd /var/syslog
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /var/syslog
# ls -Zd /var/log
drwxr-xr-x. root root system_u:object_r:var_log_t:s0   /var/log

# ls -Zd /var/syslog

drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /var/syslog

# ls -Zd /var/log

drwxr-xr-x. root root system_u:object_r:var_log_t:s0 /var/log

chcon to the rescue, referencing /var/log:

# chcon --reference /var/log /var/syslog

1	# chcon --reference /var/log /var/syslog

A restart of rsyslog later, and we were in business:

# ls -l /var/syslog/mars
total 4
-rw-------. 1 root root 445 Jun 13 23:33 syslog.log

# ls -l /var/syslog/mars

total 4

-rw-------. 1 root root 445 Jun 13 23:33 syslog.log

Note: it’s worth noting here that I updated my dynamically created file rule to be as follows (including the date too) as one huge file per host is not very useful:

$template FILENAME,"/var/syslog/%FROMHOST%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"

1	$template FILENAME,"/var/syslog/%FROMHOST%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"

Running Puppet Master under Apache and Passenger - CentOS 6.4

I have been running my puppetmaster using the embedded WEBrick server for a while. I decided it was time to migrate to something a little more robust - namely Apache and Passenger. I loosely followed the documentation available on the Puppet site, although that covers Passenger 3.0.x and I’m using 4.0.x, and the supplied Apache configuration does not work. There were also a few other changes I had to make along the way to suit my configuration requirements. My puppetmaster is running CentOS 6.4.

Continue reading →

Adding Puppet DB to a CentOS 6.4-based puppetmaster

After configuring my puppetmaster to run on Passenger on Apache, the next step was to add Puppet DB so that I could take advantage of exported resources, as well as have a central store of facts/catalogs that I could query. I am configuring Puppet DB to run on the same host as my puppetmaster, on CentOS 6.4.

Whilst you can use the embedded HSQLDB database, I opted for the scale-out offered by a backend PostgreSQL database (which is recommended by Puppet Labs for deployments of more than 100 nodes). MySQL is not supported, as it doesn’t support recursive queries.

I installed PostgreSQL using my postgresql::server class. The class is shown below (you can see it includes postgres, which does nothing more than install the PostgreSQL client package). Essentially, it covers the installation of the postgresql-server package on the host, initialisation tasks, ensuring an appropriate pg_hba.conf is installed (for example, replacing localhost ident authentication methods with password), registering the service, and starting PostgreSQL:

# postgresql/server.pp
#
# Class to install a simple PostgreSQL server
class postgresql::server {
  case $::operatingsystem {
    'CentOS' : {
      # implictly add the client package too
      include postgresql
      package { "postgresql-server": 
              ensure  => latest }
      exec { "/sbin/service postgresql initdb":
              creates => "/var/lib/pgsql/data",
              before  => Service["postgresql"],
              require => Package["postgresql-server"] }
      file { "/var/lib/pgsql/data/pg_hba.conf":
              owner   => "postgres",
              group   => "postgres",
              mode    => "0640",
              source  => "puppet:///modules/postgresql/pg_hba.conf",
              notify  => Service["postgresql"],
              require => Exec["/sbin/service postgresql initdb"] }
      service { "postgresql":
            ensure  => running,
            enable  => true,
            require => Exec["/sbin/service postgresql initdb"] }
    }
    default : {
      fail("Operating system is unsupported by the postgresql::server class")
    }
  }
}

# postgresql/server.pp

# Class to install a simple PostgreSQL server

class postgresql::server {

case $::operatingsystem {

'CentOS' : {

# implictly add the client package too

include postgresql

package { "postgresql-server":

ensure => latest }

exec { "/sbin/service postgresql initdb":

creates => "/var/lib/pgsql/data",

before => Service["postgresql"],

require => Package["postgresql-server"] }

file { "/var/lib/pgsql/data/pg_hba.conf":

owner => "postgres",

group => "postgres",

mode => "0640",

source => "puppet:///modules/postgresql/pg_hba.conf",

notify => Service["postgresql"],

require => Exec["/sbin/service postgresql initdb"] }

service { "postgresql":

ensure => running,

enable => true,

require => Exec["/sbin/service postgresql initdb"] }

}

default : {

fail("Operating system is unsupported by the postgresql::server class")

}

To install, it was as simple as:

# puppet agent --test

1	# puppet agent --test

Next, I created a PostgreSQL user and database:

# su - postgres
$ createuser -DRSP puppetdb
$ createdb -O puppetdb puppetdb

# su - postgres

$ createuser -DRSP puppetdb

$ createdb -O puppetdb puppetdb

The user is created so that it cannot create databases (-D), or roles (-R) and doesn’t have superuser privileges (-S) - it’ll prompt for a password (-P). Let’s assume a password of “s3cr3tp@ss” has been used. The database is created and owned (-O) by the puppetdb user.

Access to the database can then be tested:

# psql -h 127.0.0.1 -p 5432 -U puppetdb -W puppetdb
Password for user puppetdb: 
psql (8.4.13)
Type "help" for help.
puppetdb=> \q

# psql -h 127.0.0.1 -p 5432 -U puppetdb -W puppetdb

Password for user puppetdb:

psql (8.4.13)

Type "help" for help.

puppetdb=> \q

Next, install the puppetdb and puppetdb-terminus packages. I installed from the Puppet Labs yum repository:

# yum install puppetdb puppetdb-terminus

1	# yum install puppetdb puppetdb-terminus

Configure /etc/puppetdb/conf.d/database.ini as appropriate (it ships configured for HSQLDB):

# grep '^[^#]' /etc/puppetdb/conf.d/database.ini 
[database]
classname = org.postgresql.Driver
subprotocol = postgresql
subname = //127.0.0.1:5432/puppetdb
username = puppetdb
password = s3cr3tp@ss
log-slow-statements = 10

# grep '^[^#]' /etc/puppetdb/conf.d/database.ini

[database]

classname = org.postgresql.Driver

subprotocol = postgresql

subname = //127.0.0.1:5432/puppetdb

username = puppetdb

password = s3cr3tp@ss

log-slow-statements = 10

Create /etc/puppet/puppetdb.conf, as appropriate for the Jetty configuration on the host. You can check the Jetty configuration under /etc/puppetdb/conf.d/jetty.ini. Here’s puppetdb.conf (my puppetmaster runs on sun.local):

[main]
server = sun.local
port = 8081

[main]

server = sun.local

port = 8081

Create /etc/puppet/routes.yaml:

---
master:
  facts:
    terminus: puppetdb
    cache: yaml

---

master:

facts:

terminus: puppetdb

cache: yaml

Finally, update /etc/puppet/puppet.conf:

...
[master]
	storeconfigs = true
	storeconfigs_backend = puppetdb

...

[master]

storeconfigs = true

storeconfigs_backend = puppetdb

Once all steps are complete, restart your puppetmaster. As I’m running under Passenger:

# service httpd restart

1	# service httpd restart

Run a puppet agent --test from once of your nodes (or wait for your scheduled runs):

venus.local# puppet agent --test

1	venus.local# puppet agent --test

As you can see, I ran from venus.local. Let’s check that the data is being stored in puppetdb - by the time I got there three more nodes had already had an agent run:

puppetdb=> select distinct certname from certname_facts;
   certname    
---------------
 venus.local
 mercury.local
 sun.local
 mars.local
(4 rows)

puppetdb=> select distinct certname from certname_facts;

certname

---------------

venus.local

mercury.local

sun.local

mars.local

(4 rows)

Awesome! Let’s get something meaningful. Suppose we want to know what OS is running on all of our nodes:

puppetdb=> select * from certname_facts where name = 'operatingsystem' or name = 'operatingsystemrelease';
   certname    |          name          | value  
---------------+------------------------+--------
 venus.local   | operatingsystem        | CentOS
 venus.local   | operatingsystemrelease | 6.4
 mercury.local | operatingsystem        | CentOS
 mercury.local | operatingsystemrelease | 6.4
 mars.local    | operatingsystem        | CentOS
 mars.local    | operatingsystemrelease | 6.4
 sun.local     | operatingsystem        | CentOS
 sun.local     | operatingsystemrelease | 6.4
(8 rows)

puppetdb=> select * from certname_facts where name = 'operatingsystem' or name = 'operatingsystemrelease';

certname | name | value

---------------+------------------------+--------

venus.local | operatingsystem | CentOS

venus.local | operatingsystemrelease | 6.4

mercury.local | operatingsystem | CentOS

mercury.local | operatingsystemrelease | 6.4

mars.local | operatingsystem | CentOS

mars.local | operatingsystemrelease | 6.4

sun.local | operatingsystem | CentOS

sun.local | operatingsystemrelease | 6.4

(8 rows)

An important note: ensure that all of your puppet nodes can connect to the puppetdb server on the appropriate SSL-enabled Jetty port (by default, 8081) so they can report in.

With Puppet DB now configured, I can start writing some reports, and using exported resources.

Toki Winter

Advanced UNIX for the experienced system administrator

Tag Archives: CentOS

Configuring Interface Bonding on CentOS/RHEL/OEL 6.x

Securing and Hardening the Linux Operating System

Puppet Module: security::tcpwrappers with Hiera

Secure MySQL Replication over SSL

SELinux: Allowing httpd to Listen on Non-Standard Ports

rsyslog - “Could not open dynamic file - discarding message” errors on CentOS 6

Running Puppet Master under Apache and Passenger - CentOS 6.4

Adding Puppet DB to a CentOS 6.4-based puppetmaster