From 25b9b5f7cd2d64f464fb198d90cc757a1bff1c81 Mon Sep 17 00:00:00 2001
From: Matt Taggart
Date: Tue, 22 Apr 2014 00:17:34 -0700
Subject: replace homedir with more specific keydir, authdir, and authfile in order to allow overriding each. modify ::agent, ::agent::config, and ::agent::generate_sshkey to allow changing at each level, with reasonable defaults
---
 manifests/agent.pp | 44 ++++++++++++++++++++++++++++----------
 manifests/agent/config.pp | 21 ++++++++++++++----
 manifests/agent/generate_sshkey.pp | 43 ++++++++++++++++++++++++++-----------
 3 files changed, 80 insertions(+), 28 deletions(-)
(limited to 'manifests')
diff --git a/manifests/agent.pp b/manifests/agent.pp
index 2ff9da5..505db64 100644
--- a/manifests/agent.pp
+++ b/manifests/agent.pp
@@ -4,7 +4,9 @@ class check_mk::agent (
 $ip_whitelist = undef,
 $port = '6556',
 $server_dir = '/usr/bin',
- $homedir = '/omd/sites/monitoring',
+ $keydir = '/omd/sites/monitoring',
+ $authdir = '/omd/sites/monitoring',
+ $authfile = undef,
 $use_cache = false,
 $user = 'root',
 $version = undef,
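Review bot: The new `$authdir` default reuses the OMD site path `/omd/sites/monitoring`, the same value as `$keydir`, although generate_sshkey.pp in this same patch describes `$authdir` as the directory on the check-mk agent that holds the authorized_keys file and installs the key for `user => 'root'`. On an agent host that site directory presumably does not exist, so the default reads as a carry-over from the old `$homedir` rather than a value chosen for its new role, and with `$authfile` left `undef` the path later built from it ends in a bare `/`. I would default `$authdir = '/root/.ssh'` and `$authfile = 'authorized_keys'` to match the hard-coded root login, or document why the site directory is intended, e.g. `# dir/file on the agent that receives root's forced-command key`. The class parameter list continues outside the hunk.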
@@ -40,16 +42,36 @@ class check_mk::agent (
 agent_logwatch_package_name => $agent_logwatch_package_name,
 method => $method
 }
- class { 'check_mk::agent::config':
- ip_whitelist => $ip_whitelist,
- port => $port,
- server_dir => $server_dir,
- homedir => $homedir,
- use_cache => $use_cache,
- user => $user,
- method => $method,
- generate_sshkey => $generate_sshkey,
- require => Class['check_mk::agent::install'],
+
+ if $authfile {
+ # if authfile is set, pass it though
+ class { 'check_mk::agent::config':
+ ip_whitelist => $ip_whitelist,
+ port => $port,
+ server_dir => $server_dir,
+ keydir => $keydir,
+ authdir => $authdir,
+ authfile => $authfile,
+ use_cache => $use_cache,
+ user => $user,
+ method => $method,
+ generate_sshkey => $generate_sshkey,
+ require => Class['check_mk::agent::install'],
+ }
+ } else {
+ # otherwise don't
+ class { 'check_mk::agent::config':
+ ip_whitelist => $ip_whitelist,
+ port => $port,
+ server_dir => $server_dir,
+ keydir => $keydir,
+ authdir => $authdir,
+ use_cache => $use_cache,
+ user => $user,
+ method => $method,
+ generate_sshkey => $generate_sshkey,
+ require => Class['check_mk::agent::install'],
+ }
 }
 if ( $register_agent ) {
diff --git a/manifests/agent/config.pp b/manifests/agent/config.pp
index 256af8f..40b9ff5 100644
--- a/manifests/agent/config.pp
+++ b/manifests/agent/config.pp
@@ -1,8 +1,10 @@
 class check_mk::agent::config (
- $ip_whitelist = '',
+ $ip_whitelist = '',
 $port,
 $server_dir,
- $homedir,
+ $keydir,
+ $authdir,
+ $authfile = undef,
 $use_cache,
 $user,
 $method = 'xinetd',
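Review bot: The `if $authfile { … } else { … }` around the `check_mk::agent::config` declaration duplicates the whole parameter list just to omit `authfile` when it is unset, yet `check_mk::agent::config` declares `$authfile = undef` in this same patch, and in Puppet 3 and later passing `undef` to a class parameter selects that parameter's default, so one declaration carrying `authfile => $authfile,` behaves the same and keeps the two lists from drifting apart (the second copy already has to be kept in sync by hand). If the split is intentional, the comment `# if authfile is set, pass it though` should say why explicit undef is avoided, and `though` should read `through`. The enclosing class body continues outside the hunk.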
@@ -34,8 +36,19 @@ class check_mk::agent::config (
 }
 'ssh' : {
 if $generate_sshkey {
- check_mk::agent::generate_sshkey { 'check_mk_key':
- homedir => $homedir
+ if $authfile {
+ # if authfile is overridden, pass it through
+ check_mk::agent::generate_sshkey { 'check_mk_key':
+ keydir => $keydir,
+ authdir => $authdir,
+ authfile => $authfile
+ }
+ } else {
+ # otherwise don't
+ check_mk::agent::generate_sshkey { 'check_mk_key':
+ keydir => $keydir,
+ authdir => $authdir
+ }
 }
 }
 }
diff --git a/manifests/agent/generate_sshkey.pp b/manifests/agent/generate_sshkey.pp
index 47f3026..3bc9a1d 100644
--- a/manifests/agent/generate_sshkey.pp
+++ b/manifests/agent/generate_sshkey.pp
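Review bot: The two `check_mk::agent::generate_sshkey { 'check_mk_key': … }` declarations differ only in whether `authfile` is passed, but the define gives `$authfile` a default of `undef` in this same patch, and an explicit `authfile => $authfile` that evaluates to undef falls back to that default, so the branch can collapse to a single declaration `check_mk::agent::generate_sshkey { 'check_mk_key': keydir => $keydir, authdir => $authdir, authfile => $authfile }`. That also removes the second copy that would otherwise need updating whenever a parameter is added. This sits inside the `case $method` `'ssh'` arm, whose start is outside the hunk.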
@@ -1,27 +1,47 @@
-define check_mk::agent::generate_sshkey(
+define check_mk::agent::generate_sshkey (
+ # dir on the check-mk-server where the collected key pairs are stored
+ $keydir,
+ # dir on the check-mk-agent where the authorized_keys file is stored
+ $authdir,
+ # name of the authorized_keys file
+ $authfile = undef,
+ # dir on the puppetmaster where keys are stored
 $ssh_key_basepath = '/etc/puppet/modules/keys/files/check_mk_keys',
+ # user and group to run the agent as
 $user = 'monitoring',
 $group = 'monitoring',
- $homedir,
 $check_mk_tag = 'check_mk_sshkey'
 ){
 # generate check-mk ssh keypair
- $ssh_key_name = "monitoring_${::fqdn}_id_rsa"
+ $ssh_key_name = "${user}_${::fqdn}_id_rsa"
 $ssh_keys = ssh_keygen("${ssh_key_basepath}/${ssh_key_name}")
 $public = split($ssh_keys[1],' ')
 $public_type = $public[0]
 $public_key = $public[1]
 $secret_key = $ssh_keys[0]
- sshd::ssh_authorized_key { $ssh_key_name:
- type => 'ssh-rsa',
- key => $public_key,
- user => 'root',
- options => 'command="/usr/bin/check_mk_agent"';
+ if $authdir or $authfile {
+ # if $authkey or $authdir are set, override authorized_keys path and file
+ sshd::ssh_authorized_key { $ssh_key_name:
+ type => 'ssh-rsa',
+ key => $public_key,
+ user => 'root',
+ target => "${authdir}/${authfile}",
+ options => 'command="/usr/bin/check_mk_agent"';
+ }
+ } else {
+ # otherwise use the defaults
+ sshd::ssh_authorized_key { $ssh_key_name:
+ type => 'ssh-rsa',
+ key => $public_key,
+ user => 'root',
+ options => 'command="/usr/bin/check_mk_agent"';
+ }
 }
- @@file { "${homedir}/.ssh/${ssh_key_name}":
+ # resource collector, these end up on the check-mk-server host
+ @@file { "${keydir}/${ssh_key_name}":
 content => $secret_key,
 owner => $user,
 group => $group,
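Review bot: `if $authdir or $authfile {` is always true, because `$authdir` is declared a few lines up without a default and is therefore mandatory, so the `else` branch that keeps the stock authorized_keys location is unreachable; when `$authfile` stays at its `undef` default the key is still given `target => "${authdir}/${authfile}"`, a path ending in `/` rather than a file. The comment above that branch also refers to a `$authkey` parameter that does not exist. Separately, the forced command on its own does not stop whoever holds the exported private key from using the root login for port or agent forwarding or a PTY, and since the `options` line is rewritten here anyway it is the place to add the usual `no-port-forwarding,no-agent-forwarding,no-pty,no-X11-forwarding` restrictions (as an array if `sshd::ssh_authorized_key` hands `options` to the core type, otherwise comma-joined). One way to express both is below; the define's exported resources continue past the end of the hunk.
```puppet
  # $authdir is mandatory, so only an explicit $authfile selects a custom
  # authorized_keys path; undef lets sshd::ssh_authorized_key use its default
  $authorized_keys_target = $authfile ? {
    undef   => undef,
    default => "${authdir}/${authfile}",
  }
  sshd::ssh_authorized_key { $ssh_key_name:
    type    => 'ssh-rsa',
    key     => $public_key,
    user    => 'root',
    target  => $authorized_keys_target,
    # forced command only; also deny forwarding and interactive use for this key
    options => [
      'command="/usr/bin/check_mk_agent"',
      'no-port-forwarding',
      'no-agent-forwarding',
      'no-pty',
      'no-X11-forwarding',
    ],
  }
  # … unchanged: exported @@file resources for the key pair …
```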
@@ -29,14 +49,11 @@ define check_mk::agent::generate_sshkey(
 tag => $check_mk_tag;
 }
-
- @@file { "${homedir}/.ssh/${ssh_key_name}.pub":
+ @@file { "${keydir}/${ssh_key_name}.pub":
 content => $public_key,
 owner => $user,
 group => $group,
 mode => '0666',
 tag => $check_mk_tag;
 }
-
-
 }
--
cgit v1.2.3