Friday, August 4, 2017

Generally used Puppet modules

Puppet is a cross-platform automation and configuration management tool, and it is in wide use now that automation is a key part of IT operations. Below is a nutshell of Puppet manifests for common, generic tasks, which you can use as templates for your own code and environment.

1. Puppet manifest to add an entry in the hosts file

******************************************

/etc/puppet/environments/unixchips/modules/hostentry/manifests
class hostentry {
  host { 'webserver01':
    ensure       => present,
    name         => 'webserver01.unixchips.com',   # the host type's attribute is lowercase 'ip'/'name'
    ip           => '10.152.21.3',
    host_aliases => 'web01',
    comment      => 'This is a webserver primary',
  }
}

2. module to assign network configuration

*****************************************************
/etc/puppet/environments/prod/modules/network/manifests

1. first install the module

 # puppet module install example42-network

The installed module already ships a class called `network`, so the wrapper class that declares the interfaces must use a different name (here `profile_network`) or Puppet reports a duplicate class definition.

class profile_network {
  network::interface { 'eth0':
    ipaddress => '10.1.24.20',
    netmask   => '255.255.255.0',
  }
}

2. if DHCP configuration needs to be enabled


class profile_network {
  network::interface { 'eth0':
    enable_dhcp => true,
  }
}

3. if a route needs to be added to the routing table


class profile_network::routes {
  network::route { 'eth1':
    ipaddress => [ '192.168.22.0' ],
    netmask   => [ '255.255.255.0' ],
    gateway   => [ '192.168.22.1' ],
    table     => [ 'vlan22' ],
  }
}

4. adding several routes to a single interface (one array element per route; `false` means the main table)


network::route { 'bond0':
  ipaddress => [ '192.168.2.0', '10.0.0.0', '192.168.3.0', ],
  netmask   => [ '255.255.255.0', '255.0.0.0', '255.255.255.0', ],
  gateway   => [ '192.168.1.1', '10.0.0.1', '192.168.3.1', ],
  table     => [ false, false, 'vlan22' ],
}

3. Puppet configuration for a yumrepo

**********************************************
class basic_yum_repo {
  yumrepo { 'company_app_repo':
    enabled  => 1,
    descr    => 'Local repo for company applications',
    baseurl  => 'http://repos.example.org/apps',
    gpgcheck => 0,
  }
}

the above class will create a repo file like this (the `descr` value becomes the `name=` line):

cat /etc/yum.repos.d/company_app_repo.repo

[company_app_repo]
name=Local repo for company applications
baseurl=http://repos.example.org/apps
enabled=1
gpgcheck=0

Note that gpgcheck=0 disables RPM signature verification, so whatever is served from that URL (over plain http here) is installed as-is. Outside a throwaway lab, set gpgcheck => 1 and point gpgkey at the repository's signing key.
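A hardened variant of the above, added here as an example (it is not the page's code): the same repository with signature verification switched on, the signing key shipped from the module's files/ directory and referenced through a file:// URL, and the baseurl moved to https so yum can verify the server. The module name, the key file name and the repository URL are assumptions.

```puppet
# Added example: company_app_repo with package signature verification enabled.
# The GPG public key is copied from <module>/files/ (assumed path) and yum is
# pointed at it with a file:// URL; gpgcheck=1 then rejects unsigned or
# tampered packages instead of installing them.
class basic_yum_repo_signed {

  file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-company-apps':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => 'puppet:///modules/basic_yum_repo_signed/RPM-GPG-KEY-company-apps',
  }

  yumrepo { 'company_app_repo':
    ensure    => present,
    enabled   => 1,
    descr     => 'Local repo for company applications',
    baseurl   => 'https://repos.example.org/apps',   # assumed https endpoint
    gpgcheck  => 1,                                   # verify RPM signatures
    gpgkey    => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-company-apps',
    sslverify => 1,                                   # check the server certificate
    # yumrepo does not autorequire the key file, so order it explicitly
    require   => File['/etc/pki/rpm-gpg/RPM-GPG-KEY-company-apps'],
  }
}
```

The first `yum install` from the repo imports the key listed in `gpgkey`; keep that file under revision control with the module so the fingerprint is reviewable, and rotate it together with the repository's signing key.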

4. Restart a service after configuration changes in a file (here it is the sshd service)

*******************************************************************************
class ssh {

  service { 'sshd':
    ensure  => running,
    enable  => true,
    require => Package['openssh-server'],
  }

  file { '/etc/ssh/sshd_config':
    ensure  => file,
    notify  => Service['sshd'],   # resource references are capitalised: Service[...], not service[...]
    mode    => '0600',            # quote the mode; newer Puppet parses an unquoted 0600 as a number
    owner   => 'root',
    group   => 'root',
    require => Package['openssh-server'],
    source  => 'puppet:///modules/sshd/sshd_config',   # copied from <module>/files/sshd_config; 'sshd' here is the module name
  }

}

Whenever the content of sshd_config changes, the `notify` relationship restarts sshd in the same run; an unchanged file does not trigger a restart.

5. creating users and groups

**********************************************************
Location of the module: /etc/puppet/environments/prod/modules/mobile_users_groups/manifests

1. creating a group


class mobile_users_groups {

  group { 'wasadmin':
    ensure => present,
    gid    => '2100',
  }
}

2. creating a user and adding it to the above group. A class can only be defined once, so the user goes into the same class body rather than a second `class mobile_users_groups` definition:

class mobile_users_groups {

  group { 'wasadmin':
    ensure => present,
    gid    => '2100',
  }

  user { 'bbduser':
    ensure           => present,
    uid              => '2100',
    gid              => '2100',
    home             => '/home/bbduser',
    ## the password is a crypt(3) SHA-512 hash generated outside Puppet, never a cleartext value;
    ## it must stay single-quoted, otherwise "$6$..." would be interpolated as variables
    password         => '$6$L48.W/1Q$l14x2dRsoruV14c8ZrkEr.JgmbYW/H7r3HFFcYVqwKarEwEs8Ux6rXGDU3wFqGTa0SBbFWt1jYxQAGS2.Hw731',
    managehome       => true,
    shell            => '/bin/bash',
    groups           => [ 'wasadmin', 'localusers' ],   ## supplementary groups, including the one created above
    comment          => 'APP_USER Application Account',
    password_max_age => '99999',
    password_min_age => '0',
  }

  ## setting the warning period (the user type has no attribute for it here, so use chage)
  exec { 'warndays_bbduser':
    command => 'chage -W 7 bbduser',
    path    => '/bin:/usr/bin:/sbin:/usr/sbin',
    require => User['bbduser'],
    ## field 6 of /etc/shadow is the warning period; the trailing colon avoids matching e.g. bbduser2
    unless  => 'grep "^bbduser:" /etc/shadow | cut -d: -f6 | grep "^7$"',
  }

}

6. Package installation with ordering 

*******************************************************

`before` and `require` are two ways of writing the same ordering relationship; either one alone is enough, and the example below uses both for illustration:


package { 'openssh-server':
  ensure => present,
  before => File['/etc/ssh/sshd_config'],
}
file { '/etc/ssh/sshd_config':
  ensure  => file,
  mode    => '0600',
  source  => 'puppet:///modules/sshd/sshd_config',
  require => Package['openssh-server'],
}

The same metaparameters also accept an array of references when a resource depends on several others:

service { 'sshd':
  ensure  => running,
  require => [
    Package['openssh-server'],
    File['/etc/ssh/sshd_config'],
  ],
}
package { 'openssh-server':
  ensure => present,
  before => Service['sshd'],
}

file { '/etc/ssh/sshd_config':
  ensure => file,
  mode   => '0600',
  source => 'puppet:///modules/sshd/sshd_config',
  before => Service['sshd'],
}
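As an added example (not the page's code) that covers both section 4 and this section: the ssh class rewritten with chaining arrows, where `->` orders the package before the config file and `~>` both orders the file before the service and restarts the service when the file changes. It also adds `validate_cmd`, which runs `sshd -t` against the candidate file before it is written and refuses the change if the check fails, so a typo in sshd_config cannot take remote access down. The module name `ssh` and the files/sshd_config source path are assumptions.

```puppet
# Added example: install -> configure ~> run, with the config validated
# before it reaches /etc/ssh. Module name 'ssh' and the source path are
# assumptions.
class ssh {

  package { 'openssh-server':
    ensure => present,
  }

  file { '/etc/ssh/sshd_config':
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0600',
    source       => 'puppet:///modules/ssh/sshd_config',
    # Puppet writes the new content to a temp file, substitutes its path for %,
    # and only moves it into place if sshd -t exits 0; otherwise the old file
    # stays and the run reports a failure instead of a broken sshd.
    validate_cmd => '/usr/sbin/sshd -t -f %',
  }

  service { 'sshd':
    ensure     => running,
    enable     => true,
    hasstatus  => true,
    hasrestart => true,
  }

  # Package before file (ordering only); file before service, and a change
  # to the file restarts the service (ordering plus notification).
  Package['openssh-server'] -> File['/etc/ssh/sshd_config'] ~> Service['sshd']
}
```

The chaining line replaces the `before`/`require`/`notify` metaparameters spread across three resources with one statement, which is easier to review for the question "what restarts sshd?".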

7. Manifest to configure PAM modules

********************************************

module location: /etc/puppet/environments/prod/modules/hdn_pam/manifests/password_auth.pp

The `pam` resource type comes from the herculesteam-augeasproviders_pam module (installed the same way as the sysctl module in section 9). Each resource inserts one line into /etc/pam.d/password-auth at the place given by its `position` expression, and the `->` arrows make Puppet evaluate them in the order written; that order matters, because the first resource anchors on the stock `pam_deny.so` line and each later one anchors on the line added by the previous one. The `nullok` argument on the password-section pam_unix line permits empty passwords; drop it unless that is really intended.

class hdn_pam::password_auth {

  pam { 'hdn_pw_faillock_3' :
    ensure           => present,
    service          => 'password-auth',
    type             => 'auth',
    control          => 'sufficient',
    control_is_param => true,
    module           => 'pam_faillock.so',
    arguments        => ['authsucc', 'audit', 'deny=5', 'unlock_time=900'],
    position         => 'before *[type="auth" and module="pam_deny.so" and control="required"]',
  } ->

  pam { 'hdn_pw_faillock_2' :
    ensure           => present,
    service          => 'password-auth',
    type             => 'auth',
    control          => '[default=die]',
    control_is_param => true,
    module           => 'pam_faillock.so',
    arguments        => ['authfail', 'audit', 'deny=5', 'unlock_time=900'],
    position         => 'before *[type="auth" and module="pam_faillock.so" and control="sufficient"]',
  } ->

  pam { 'hdn_pw_unix.so' :
    ensure           => present,
    service          => 'password-auth',
    type             => 'auth',
    control          => '[success=1 default=bad]',
    control_is_param => true,
    module           => 'pam_unix.so',
    position         => 'before *[type="auth" and module="pam_faillock.so" and control="[default=die]"]',
  } ->

  pam { 'hdn_pw_faillock_1' :
    ensure           => present,
    service          => 'password-auth',
    type             => 'auth',
    control          => 'required',
    control_is_param => true,
    module           => 'pam_faillock.so',
    arguments        => ['preauth', 'audit', 'silent', 'deny=5', 'unlock_time=900'],
    position         => 'before *[type="auth" and module="pam_unix.so" and control="[success=1 default=bad]"]',
  }

  pam { 'hdn_pw_pw_pam_unix' :
    ensure           => present,
    service          => 'password-auth',
    type             => 'password',
    control          => 'sufficient',
    control_is_param => true,
    module           => 'pam_unix.so',
    arguments        => ['sha512','shadow','nullok', 'try_first_pass', 'use_authtok'],
    position         => 'after *[type="password" and module="pam_cracklib.so" and control="requisite"]',
  }

}
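One thing the chain above does not do is remove the stock `auth sufficient pam_unix.so` line that ships in password-auth: if it is left in place above the inserted entries, a correct password satisfies it before the faillock preauth check runs, so an account that faillock has locked can still log in. The added example below (not the page's code) wraps the chain in a defined type that first removes that line and can be applied to both password-auth and system-auth, since local console logins and sshd must see the same policy. It assumes the augeasproviders_pam module; the resource names, the `$deny`/`$unlock_time` parameters and the wrapper class are assumptions.

```puppet
# Added example: faillock lockout as a defined type, applied per PAM service
# file. Lives in modules/hdn_pam/manifests/faillock.pp (assumed path).
define hdn_pam::faillock (
  $deny        = 5,
  $unlock_time = 900,
) {
  # $title is the PAM service file name, e.g. 'password-auth' or 'system-auth'
  $svc = $title

  # 1. drop the stock line that would short-circuit the lockout check
  pam { "${svc} drop stock sufficient pam_unix":
    ensure           => absent,
    service          => $svc,
    type             => 'auth',
    control          => 'sufficient',
    control_is_param => true,          # match on control as well, not just module
    module           => 'pam_unix.so',
  } ->

  # 2..5. build the chain back to front, each anchored on the previous line
  pam { "${svc} faillock authsucc":
    ensure           => present,
    service          => $svc,
    type             => 'auth',
    control          => 'sufficient',
    control_is_param => true,
    module           => 'pam_faillock.so',
    arguments        => ['authsucc', 'audit', "deny=${deny}", "unlock_time=${unlock_time}"],
    position         => 'before *[type="auth" and module="pam_deny.so" and control="required"]',
  } ->

  pam { "${svc} faillock authfail":
    ensure           => present,
    service          => $svc,
    type             => 'auth',
    control          => '[default=die]',
    control_is_param => true,
    module           => 'pam_faillock.so',
    arguments        => ['authfail', 'audit', "deny=${deny}", "unlock_time=${unlock_time}"],
    position         => 'before *[type="auth" and module="pam_faillock.so" and control="sufficient"]',
  } ->

  pam { "${svc} pam_unix":
    ensure           => present,
    service          => $svc,
    type             => 'auth',
    control          => '[success=1 default=bad]',   # success skips authfail, failure falls through to it
    control_is_param => true,
    module           => 'pam_unix.so',
    position         => 'before *[type="auth" and module="pam_faillock.so" and control="[default=die]"]',
  } ->

  pam { "${svc} faillock preauth":
    ensure           => present,
    service          => $svc,
    type             => 'auth',
    control          => 'required',
    control_is_param => true,
    module           => 'pam_faillock.so',
    arguments        => ['preauth', 'audit', 'silent', "deny=${deny}", "unlock_time=${unlock_time}"],
    position         => 'before *[type="auth" and module="pam_unix.so" and control="[success=1 default=bad]"]',
  }
}

# Wrapper class (modules/hdn_pam/manifests/init.pp, assumed): one declaration
# per service file; the array title expands to one instance each.
class hdn_pam {
  hdn_pam::faillock { ['password-auth', 'system-auth']: }
}
```

After a run, check the result with `faillock --user <name>` after a few deliberate failures on a test account; the counter should increment and the account should be refused until `unlock_time` passes or `faillock --user <name> --reset` is run.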

8. Manifest to configure mount points

***************************************

class hdn_mounts {

  mount { '/tmp':
    ensure  => mounted,
    device  => '/dev/mapper/rootvg-tmplv',
    fstype  => 'ext4',
    options => 'nodev,nosuid',
    pass    => '2',
    dump    => '1',
    atboot  => true,
  }

  mount { '/dev/shm':
    ensure  => mounted,
    device  => 'tmpfs',
    fstype  => 'tmpfs',
    options => 'nodev,noexec,nosuid',
    atboot  => true,
  }

}

`ensure => mounted` writes the fstab entry and mounts the filesystem, remounting it when the options change. nodev, nosuid and noexec stop device nodes, setuid binaries and direct execution of files on these world-writable filesystems.


9. Manifest to configure sysctl values

********************************************

# install the sysctl module and its dependencies
$ sudo /opt/puppetlabs/bin/puppet module install herculesteam-augeasproviders_sysctl

Once the sysctl module is installed we can add values as below (kernel.dmesg_restrict=1 limits dmesg to root):

class add_sysctl {
  sysctl { 'kernel.dmesg_restrict':
    ensure => present,
    value  => '1',
  }
}

We can remove a kernel parameter as below

class rem_sysctl {
  sysctl { 'kernel.panic_on_oops':
    ensure => absent,
  }
}

10. Start the service on boot

************************************

class enable_service {
  service { 'puppet':
    enable => true,
  }
}