From b14ceb03bf9bfc77f43f1848400c868a2ab2208f Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 6 Feb 2014 23:38:00 -0800 Subject: added support for monitor ssh keys (requires latest leap_cli) --- platform.rb | 10 ++++++++-- provider_base/services/monitor.json | 6 ++++++ 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/platform.rb b/platform.rb index 60b0d9a5..62fb0215 100644 --- a/platform.rb +++ b/platform.rb @@ -3,8 +3,8 @@ # Leap::Platform.define do - self.version = "0.2.4" - self.compatible_cli = "1.2.4".."1.99" + self.version = "0.3.0" + self.compatible_cli = "1.3.0".."1.99" # # the facter facts that should be gathered @@ -43,6 +43,8 @@ Leap::Platform.define do :user_pgp => 'users/#{arg}/#{arg}_pgp.pub', :known_hosts => 'files/ssh/known_hosts', :authorized_keys => 'files/ssh/authorized_keys', + :monitor_pub_key => 'files/ssh/monitor_ssh.pub', + :monitor_priv_key => 'files/ssh/monitor_ssh', :ca_key => 'files/ca/ca.key', :ca_cert => 'files/ca/ca.crt', :client_ca_key => 'files/ca/client_ca.key', @@ -73,5 +75,9 @@ Leap::Platform.define do self.node_files = [ :node_config, :hiera, :node_x509_cert, :node_x509_key, :node_ssh_pub_key ] + + self.monitor_username = 'monitor' + + self.reserved_usernames = ['monitor'] end diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json index c3e2b954..b6886603 100644 --- a/provider_base/services/monitor.json +++ b/provider_base/services/monitor.json @@ -2,5 +2,11 @@ "nagios": { "nagiosadmin_pw": "= secret :nagios_admin_password", "hosts": "= nodes_like_me.pick_fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')" + }, + "ssh": { + "monitor": { + "username": "= Leap::Platform.monitor_username", + "private_key": "= file(:monitor_priv_key)" + } } } -- cgit v1.2.3 From b9fa9cfc83d552faafe41ebba183fb06f45f6ca5 Mon Sep 17 00:00:00 2001 
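Review bot: The new `self.reserved_usernames = ['monitor']` repeats the literal that `self.monitor_username = 'monitor'` already holds two lines above, so a later rename of the monitor account could update one and not the other. Both assignments sit inside the same `Leap::Platform.define` block, so `self.reserved_usernames = [self.monitor_username]` keeps the reservation tied to the configured name. A one-line comment on `reserved_usernames` saying what the CLI does with the list (presumably refusing to create a sysadmin with that name) would also help, as nothing in the diff explains it.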
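Review bot: `"private_key": "= file(:monitor_priv_key)"` inlines the contents of files/ssh/monitor_ssh into the monitor node's hiera data, so the generated hiera YAML for that node now carries a private key rather than a path to one. The page does not show how that YAML is written to the node or with what mode, so this is worth confirming: it should be root-only on the node and treated as a secret wherever leap_cli stages or backs it up, as the `:ca_key` and `:client_ca_key` material presumably is. JSON has no comments, so the caveat belongs next to the `:monitor_priv_key` path in platform.rb, e.g. `# private half of the monitor key: secret, unlike the other files/ssh entries`.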
From: elijah Date: Fri, 7 Feb 2014 00:01:42 -0800 Subject: monitor nodes get all nodes listed in /etc/hosts --- platform.rb | 2 +- provider_base/services/monitor.json | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/platform.rb b/platform.rb index 62fb0215..ee87789a 100644 --- a/platform.rb +++ b/platform.rb @@ -4,7 +4,7 @@ Leap::Platform.define do self.version = "0.3.0" - self.compatible_cli = "1.3.0".."1.99" + self.compatible_cli = "1.3.1".."1.99" # # the facter facts that should be gathered diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json index b6886603..cf117869 100644 --- a/provider_base/services/monitor.json +++ b/provider_base/services/monitor.json @@ -3,6 +3,7 @@ "nagiosadmin_pw": "= secret :nagios_admin_password", "hosts": "= nodes_like_me.pick_fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')" }, + "hosts": "= hosts_file(nodes_like_me[:services => '!monitor'])", "ssh": { "monitor": { "username": "= Leap::Platform.monitor_username", -- cgit v1.2.3 From 665db30f37838bcebbfdc368f65ed369282c31b8 Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 9 Feb 2014 17:04:58 -0800 Subject: deploy a valid /etc/ssh/ssh_known_hosts for all nodes (requires new leap_cli) --- platform.rb | 4 ++-- provider_base/common.json | 1 - provider_base/services/monitor.json | 2 +- puppet/modules/site_sshd/manifests/init.pp | 9 +++++++++ puppet/modules/site_sshd/manifests/known_hosts.pp | 11 +++++++++++ puppet/modules/site_sshd/templates/ssh_known_hosts.erb | 5 +++++ 6 files changed, 28 insertions(+), 4 deletions(-) create mode 100644 puppet/modules/site_sshd/manifests/known_hosts.pp create mode 100644 puppet/modules/site_sshd/templates/ssh_known_hosts.erb diff --git a/platform.rb b/platform.rb index ee87789a..54590f4b 100644 --- a/platform.rb +++ b/platform.rb 
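Review bot: `hosts_file(nodes_like_me[:services => '!monitor'])` leaves every node carrying the monitor service out of the generated hosts data, which presumably becomes /etc/hosts, and that includes any second monitor node in the same environment. If a provider can run more than one monitor, they will not resolve each other by name through this file; if only one monitor is ever expected, a note to that effect would make the exclusion deliberate. The same `'!monitor'` filter is applied to the nagios host list in the next commit, so whichever assumption holds should be written down once.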
@@ -3,8 +3,8 @@ # Leap::Platform.define do - self.version = "0.3.0" - self.compatible_cli = "1.3.1".."1.99" + self.version = "0.4.0" + self.compatible_cli = "1.4.0".."1.99" # # the facter facts that should be gathered diff --git a/provider_base/common.json b/provider_base/common.json index 07a45972..07a58bba 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -16,7 +16,6 @@ }, "ssh": { "authorized_keys": "= authorized_keys", - "known_hosts": "=> known_hosts_file", "port": 22, "mosh": { "ports": "60000:61000", diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json index cf117869..53e6b1f1 100644 --- a/provider_base/services/monitor.json +++ b/provider_base/services/monitor.json @@ -1,7 +1,7 @@ { "nagios": { "nagiosadmin_pw": "= secret :nagios_admin_password", - "hosts": "= nodes_like_me.pick_fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')" + "hosts": "= nodes_like_me[:services => '!monitor'].pick_fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')" }, "hosts": "= hosts_file(nodes_like_me[:services => '!monitor'])", "ssh": { diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index 90dd2d0e..d2b13822 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -1,5 +1,6 @@ class site_sshd { $ssh = hiera_hash('ssh') + $hosts = hiera_hash('hosts') ## ## SETUP AUTHORIZED KEYS @@ -11,6 +12,14 @@ class site_sshd { keys => $authorized_keys } + ## + ## SETUP KNOWN HOSTS + ## + + class { 'site_sshd::known_hosts': + hosts => $hosts + } + ## ## OPTIONAL MOSH SUPPORT ## diff --git a/puppet/modules/site_sshd/manifests/known_hosts.pp b/puppet/modules/site_sshd/manifests/known_hosts.pp new file mode 100644 index 00000000..290ffd0b --- /dev/null +++ b/puppet/modules/site_sshd/manifests/known_hosts.pp 
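Review bot: `$hosts = hiera_hash('hosts')` has no default, so on any node whose hiera data lacks a `hosts` key the catalog fails to compile and sshd is not configured at all. This commit adds `hosts` only in monitor.json and removes `known_hosts` from common.json; the subject says the new leap_cli supplies `hosts` for every node, which this page cannot confirm. If a hard failure is the intent, a comment saying so is enough; otherwise `$hosts = hiera_hash('hosts', {})` lets the template render an empty ssh_known_hosts instead of aborting the run.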
@@ -0,0 +1,11 @@ +class site_sshd::known_hosts ($hosts) { + # these owner and permissions seem odd to me, but it is what is defined + # in modules/sshd/manifests/client/base.pp, so we are going to stick with it. + file { '/etc/ssh/ssh_known_hosts': + ensure => present, + owner => root, + group => 0, + mode => '0644', + content => template('site_sshd/ssh_known_hosts.erb'); + } +} diff --git a/puppet/modules/site_sshd/templates/ssh_known_hosts.erb b/puppet/modules/site_sshd/templates/ssh_known_hosts.erb new file mode 100644 index 00000000..c5a71378 --- /dev/null +++ b/puppet/modules/site_sshd/templates/ssh_known_hosts.erb @@ -0,0 +1,5 @@ +# This file is generated by Puppet + +<% hosts.sort.each do |name, hash| -%> +<%=name%>,<%=hash['domain_full']%>,<%=hash['domain_internal']%>,<%=hash['ip_address']%> <%=hash['host_pub_key']%> +<% end -%> -- cgit v1.2.3 From 0b3e87cd6916d4ca4404fd2b375d21468d17f343 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 10 Feb 2014 15:43:39 -0800 Subject: turn off StrictHostKeyChecking for vagrant ssh clients --- puppet/modules/site_sshd/manifests/init.pp | 15 +++++++++++--- puppet/modules/site_sshd/manifests/known_hosts.pp | 11 ----------- puppet/modules/site_sshd/templates/ssh_config.erb | 23 ++++++++++++++++++++++ .../site_sshd/templates/ssh_known_hosts.erb | 6 ++++-- 4 files changed, 39 insertions(+), 16 deletions(-) delete mode 100644 puppet/modules/site_sshd/manifests/known_hosts.pp create mode 100644 puppet/modules/site_sshd/templates/ssh_config.erb diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index d2b13822..2bcde603 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp 
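Review bot: The comment in `site_sshd::known_hosts` says `modules/sshd/manifests/client/base.pp` already manages `/etc/ssh/ssh_known_hosts`; if that class is included on the same node, declaring a second `file { '/etc/ssh/ssh_known_hosts': ... }` here is a duplicate-declaration error at catalog compile time, not a silent override. The page does not show whether that class is included, so this should be checked, and if it is, the upstream resource must be overridden or the class left out. `group => 0` is the same gid as `group => root` and is harmless, but pairing `owner => root` with `group => root` reads more clearly than the mixed form the comment itself calls odd.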
@@ -13,11 +13,20 @@ class site_sshd { } ## - ## SETUP KNOWN HOSTS + ## SETUP KNOWN HOSTS and SSH_CONFIG ## - class { 'site_sshd::known_hosts': - hosts => $hosts + file { + '/etc/ssh/ssh_known_hosts': + owner => root, + group => root, + mode => '0644', + content => template('site_sshd/ssh_known_hosts.erb'); + '/etc/ssh/ssh_config': + owner => root, + group => root, + mode => '0644', + content => template('site_sshd/ssh_config.erb'); } ## diff --git a/puppet/modules/site_sshd/manifests/known_hosts.pp b/puppet/modules/site_sshd/manifests/known_hosts.pp deleted file mode 100644 index 290ffd0b..00000000 --- a/puppet/modules/site_sshd/manifests/known_hosts.pp +++ /dev/null @@ -1,11 +0,0 @@ -class site_sshd::known_hosts ($hosts) { - # these owner and permissions seem odd to me, but it is what is defined - # in modules/sshd/manifests/client/base.pp, so we are going to stick with it. - file { '/etc/ssh/ssh_known_hosts': - ensure => present, - owner => root, - group => 0, - mode => '0644', - content => template('site_sshd/ssh_known_hosts.erb'); - } -} diff --git a/puppet/modules/site_sshd/templates/ssh_config.erb b/puppet/modules/site_sshd/templates/ssh_config.erb new file mode 100644 index 00000000..7e967413 --- /dev/null +++ b/puppet/modules/site_sshd/templates/ssh_config.erb 
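Review bot: Neither `file` resource in the rebuilt `SETUP KNOWN HOSTS and SSH_CONFIG` block declares `ensure`, so whether the file is created on a node where `/etc/ssh/ssh_config` is absent depends on Puppet's defaults for a content-only resource; an explicit `ensure => file,` on both makes the intent unambiguous. Replacing the distribution's `/etc/ssh/ssh_config` wholesale also means any local edits are clobbered on every run, which is acceptable for a managed node but deserves a sentence in the class documentation. The `site_sshd` class continues outside this hunk.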
@@ -0,0 +1,23 @@ +# This file is generated by Puppet +# This is the ssh client system-wide configuration file. See +# ssh_config(5) for more information. This file provides defaults for +# users, and the values can be changed in per-user configuration files +# or on the command line. + +Host * + SendEnv LANG LC_* + HashKnownHosts yes + GSSAPIAuthentication yes + GSSAPIDelegateCredentials no +<% if scope.lookupvar('::site_config::params::environment') == 'local' -%> + # + # Vagrant nodes should have strict host key checking + # turned off. The problem is that the host key for a vagrant + # node is specific to the particular instance of the vagrant + # node you have running locally. For this reason, we can't + # track the host keys, or your host key for vpn1 would conflict + # with my host key for vpn1. + # + StrictHostKeyChecking no +<% end -%> + diff --git a/puppet/modules/site_sshd/templates/ssh_known_hosts.erb b/puppet/modules/site_sshd/templates/ssh_known_hosts.erb index c5a71378..002ab732 100644 --- a/puppet/modules/site_sshd/templates/ssh_known_hosts.erb +++ b/puppet/modules/site_sshd/templates/ssh_known_hosts.erb @@ -1,5 +1,7 @@ # This file is generated by Puppet -<% hosts.sort.each do |name, hash| -%> -<%=name%>,<%=hash['domain_full']%>,<%=hash['domain_internal']%>,<%=hash['ip_address']%> <%=hash['host_pub_key']%> +<% @hosts.sort.each do |name, hash| -%> +<% if hash['host_pub_key'] -%> +<%= name%>,<%=hash['domain_full']%>,<%=hash['domain_internal']%>,<%=hash['ip_address']%> <%=hash['host_pub_key']%> +<% end -%> <% end -%> -- cgit v1.2.3
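Review bot: `StrictHostKeyChecking no` on its own does not deliver what the comment above it promises: ssh still records the first key it sees for each vagrant node in ~/.ssh/known_hosts, and when a rebuilt node presents a different key it warns about a changed host key and disables password authentication and forwarding before connecting. To really stop tracking vagrant host keys, pair it with `UserKnownHostsFile /dev/null` (and `LogLevel ERROR` if the remaining "Permanently added" noise matters) inside the same `environment == 'local'` branch. Because the branch sits under `Host *`, the comment should also state that it disables host verification for every destination from a local node, not only vagrant ones, which is tolerable only because the template guard keeps it out of non-local environments.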
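Review bot: `<% if hash['host_pub_key'] -%>` skips only a missing key; an empty string is truthy in Ruby, so a node whose `host_pub_key` is `""` still produces a line of host names with no key, which is not a valid known_hosts entry. `<% unless hash['host_pub_key'].to_s.strip.empty? -%>` covers both cases. The skipped nodes are also dropped silently; emitting `# <%= name %>: no host key recorded` for them would let an operator see from the file which nodes will still prompt on first connection.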