Puppet Class: pupmod

Inherited by:
pupmod::master
pupmod::master::sysconfig
Defined in:
manifests/init.pp

Overview

A class for managing Puppet configurations.

This is mainly a stub class for hooking other classes along the way with a small bit of logic to flex the system toward being a Puppet master or client. It manages Puppet and Facter configurations.

All Puppet configuration parameters are, by default, written to the

main

config block of the Puppet configuration file. Selective options

may be written to their respective components as necessary for deconfliction.

Parameters:

  • ca_port (Simplib::Port) (defaults to: simplib::lookup('simp_options::puppet::ca_port', { 'default_value' => 8141 }))

    The port where the remote CA should be contacted.

  • ca_server (Variant[Simplib::Host,Enum['$server']]) (defaults to: simplib::lookup('simp_options::puppet::ca', { 'default_value' => '$server' }))

    The puppet CA from which to obtain your system certificates.

  • puppet_server (Variant[Simplib::Host, Array[Simplib::Host]]) (defaults to: simplib::lookup('simp_options::puppet::server', { 'default_value' => "puppet.${facts['networking']['domain']}" }))

    One or more puppet servers from which to retrieve your configuration.

  • server_distribution (Simplib::ServerDistribution) (defaults to: pupmod::server_distribution(false))

    The server distribution used. This changes the configuration based on whether we are using PC1 or PE

  • certname (Simplib::Host) (defaults to: ($trusted['authenticatedx'] ? { 'remote' => $trusted['certname'], default => pick($facts['clientcert'], $facts['networking']['fqdn']))

    The puppet certificate CN name of the system.

    • For authenticated remote requests, this defaults to ‘$trusted

    • For all other requests (e.g., bolt), the default is ‘$facts`

    For additional details, see:

  • classfile (String[0]) (defaults to: '$vardir/classes.txt')

    The path to the puppet class file.

    See docs.puppetlabs.com/references/latest/configuration.html for additional details.

  • confdir (Stdlib::AbsolutePath)

    The path to the puppet configuration directory.

    See docs.puppetlabs.com/references/latest/configuration.html for additional details.

  • daemonize (Boolean) (defaults to: false)

    Whether or not to daemonize the Puppet agent.

    SIMP systems do not, by default, daemonize their agents so that the consumed resources can be freed for other uses and so that the cron job can maintain a safe system state over time.

  • digest_algorithm (Enum['md5','sha256']) (defaults to: 'sha256')

    The hash Digest to use for file operations on the system.

  • enable_puppet_master (Boolean) (defaults to: false)

    Whether or not to make the system a puppetmaster.

  • environmentpath (Stdlib::AbsolutePath)

    The path to the directory holding the puppet environments.

  • listen (Boolean) (defaults to: false)

    Whether or not to listen for incoming connections to the puppet agent.

    Given the ability to run puppet remotely via SSH, MCollective, or many other means, we will not open this by default. If you decide to enable it, don’t forget to add an associated IPTables rule.

  • logdir (Stdlib::AbsolutePath)

    The path to the puppet log directory.

    See docs.puppetlabs.com/references/latest/configuration.html for additional details.

  • purge_logs (Boolean) (defaults to: true)

    Purge old logs from the system.

  • purge_logs_duration (Pattern['\d+(h|m|w)']) (defaults to: '4w')

    The timeframe after which logs will be purged.

    • Uses systemd tmpfiles age notation

  • purge_log_dirs (Array[Stdlib::AbsolutePath]) (defaults to: ['/puppet*'])

    The directories under ‘$logdir` to be purged.

  • masterport (Simplib::Port) (defaults to: 8140)

    The port where the Puppet Master should be contacted.

  • report (Boolean) (defaults to: false)

    Whether or not to send reports to the report server. This is disabled by default to allow users to reduce network load unless reports are required.

  • rundir (Stdlib::AbsolutePath)

    The path to the puppet run status directory.

    See docs.puppetlabs.com/references/latest/configuration.html for additional details.

  • runinterval (Integer[0]) (defaults to: 1800)

    The number of seconds between puppet runs. Has no effect on the client cron job.

  • splay (Boolean) (defaults to: false)

    Whether or not to splay the puppet runs.

    This is done by default to add some randomization to client system runs on large systems.

  • splaylimit (Optional[Integer[1]]) (defaults to: undef)
  • srv_domain (Simplib::Host) (defaults to: $facts['networking']['domain'])

    The domain to search when using SRV records.

  • ssldir (Stdlib::AbsolutePath)

    The path to the puppet ssl directory.

    See docs.puppetlabs.com/references/latest/configuration.html for additional details.

  • syslogfacility (Simplib::Syslog::Facility) (defaults to: 'local6')

    The Syslog facility to use when outputting messages from puppet.

  • use_srv_records (Boolean) (defaults to: false)

    Whether the server will search for SRV records in DNS for the current domain.

  • haveged (Boolean) (defaults to: simplib::lookup('simp_options::haveged', { 'default_value' => false }))

    If true, include haveged to assist with entropy generation.

  • fips (Boolean) (defaults to: simplib::lookup('simp_options::fips', { 'default_value' => false }))

    If true, enable fips mode

  • vardir (Stdlib::AbsolutePath)

    The directory where puppet will store all of its ‘variable’ data.

  • manage_facter_conf (Boolean) (defaults to: false)

    Whether to manage the Facter configuration file.

  • facter_conf_dir (Stdlib::Absolutepath) (defaults to: '/etc/puppetlabs/facter')

    Directory containing the Facter configuration file.

  • facter_options (Hash)

    Hash of Facter configuration options.

    • Only applies when ‘manage_facter_conf` is `true`.

    • Each primary key is a section in the Facter configuration file (e.g., ‘facts’, ‘global’, ‘cli’)

    • When the configuration for a section is empty, that section will be removed entirely from the Facter configuration file.

    • See puppet.com/docs/facter/latest/configuring_facter.html for details on how to configure Facter.

  • mock (Boolean) (defaults to: false)

    If true, disable all code.

  • firewall (Boolean) (defaults to: simplib::lookup('simp_options::firewall', { 'default_value' => false }))

    Whether or not firewall rules should be created

  • pe_classlist (Hash) (defaults to: {})

    Hash of pe classes and assorted metadata.

  • package_ensure (String[1]) (defaults to: simplib::lookup('simp_options::package_ensure' , { 'default_value' => 'installed'}))

    String used to specify ‘latest’, ‘installed’, or a specific version of the puppet-agent package

  • set_environment (Variant[Boolean, Enum['no_clean']]) (defaults to: false)

    Set the environment on the system to the currently running environment

    • This will automatically purge the ‘environment` setting from the `main` section of the configuration to prevent issues from arising when running various puppet tools. To prevent this from happening, you may set this to `no_clean` and the entry will be preserved if present.

Author:



176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
 
# File 'manifests/init.pp', line 176

class pupmod (
  Variant[Simplib::Host,Enum['$server']]       $ca_server            = simplib::lookup('simp_options::puppet::ca', { 'default_value' => '$server' }),
  Simplib::Port                                $ca_port              = simplib::lookup('simp_options::puppet::ca_port', { 'default_value' => 8141 }),
  Variant[Simplib::Host, Array[Simplib::Host]] $puppet_server        = simplib::lookup('simp_options::puppet::server', { 'default_value' => "puppet.${facts['networking']['domain']}" }),
  Simplib::ServerDistribution                  $server_distribution  = pupmod::server_distribution(false), # Can't self-reference in this lookup
  Simplib::Host                                $certname             = ($trusted['authenticatedx'] ? {
                                                                  'remote' => $trusted['certname'],
                                                                  default  => pick($facts['clientcert'], $facts['networking']['fqdn']),
                                                                }),
  String[0]                                    $classfile            = '$vardir/classes.txt',
  Stdlib::AbsolutePath                         $confdir,
  Boolean                                      $daemonize            = false,
  Enum['md5','sha256']                         $digest_algorithm     = 'sha256',
  Boolean                                      $enable_puppet_master = false,
  Stdlib::AbsolutePath                         $environmentpath,
  Boolean                                      $listen               = false,
  Stdlib::AbsolutePath                         $logdir,
  Boolean                                      $purge_logs           = true,
  Pattern['\d+(h|m|w)']                        $purge_logs_duration  = '4w',
  Array[Stdlib::AbsolutePath]                  $purge_log_dirs       = ['/puppet*'],
  Simplib::Port                                $masterport           = 8140,
  Boolean                                      $report               = false,
  Stdlib::AbsolutePath                         $rundir,
  Integer[0]                                   $runinterval          = 1800,
  Boolean                                      $splay                = false,
  Optional[Integer[1]]                         $splaylimit           = undef,
  Simplib::Host                                $srv_domain           = $facts['networking']['domain'],
  Stdlib::AbsolutePath                         $ssldir,
  Simplib::Syslog::Facility                    $syslogfacility       = 'local6',
  Boolean                                      $use_srv_records      = false,
  Stdlib::AbsolutePath                         $vardir,
  Boolean                                      $haveged              = simplib::lookup('simp_options::haveged', { 'default_value' => false }),
  Boolean                                      $fips                 = simplib::lookup('simp_options::fips', { 'default_value' => false }),
  Boolean                                      $firewall             = simplib::lookup('simp_options::firewall', { 'default_value' => false }),
  Hash                                         $pe_classlist         = {},
  String[1]                                    $package_ensure       = simplib::lookup('simp_options::package_ensure' , { 'default_value' => 'installed'}),
  Variant[Boolean, Enum['no_clean']]           $set_environment      = false,
  Boolean                                      $manage_facter_conf   = false,
  Stdlib::Absolutepath                         $facter_conf_dir      = '/etc/puppetlabs/facter',
  Hash                                         $facter_options,      # module data
  Boolean                                      $mock                 = false
) {

  unless $mock {
    simplib::assert_metadata($module_name)

    # This regex matches absolute paths or paths that begin with an existing
    # puppet configuration variable, like $vardir

    assert_type(Pattern['^(\$(?!/)|/).+'], $classfile)

    if $haveged {
      include '::haveged'
    }

    if $enable_puppet_master {
      include 'pupmod::master'
    }
    package { 'puppet-agent': ensure => $package_ensure }

    if $daemonize {
      $_puppet_service_ensure = 'running'
    }
    else {
      $_puppet_service_ensure = 'stopped'
    }

    include 'pupmod::agent::cron'

    service { 'puppet':
      ensure     => $_puppet_service_ensure,
      enable     => $daemonize,
      hasrestart => true,
      hasstatus  => true,
      subscribe  => File["${confdir}/puppet.conf"]
    }

    pupmod::conf { 'agent_daemonize':
      section => 'agent',
      confdir => $confdir,
      setting => 'daemonize',
      value   => $daemonize
    }

    # This takes some explaining. You may be asking yourself: Dear god? why?
    #
    # The short answer is, to make the UX for PE better, we need to make no
    # assumptions about the amount of configuration the user has done before
    # trying to lay SIMP on top of PE.
    #
    # Therefore, we have to inspect the catalog to see which PE
    # classes are included, and tailor our configuration
    # accordingly.
    #
    # To do this we have to use defined(). But this has an inherent
    # race condition if you use it in a normal class, as if this class
    # is evaluated before the class you are checking, you
    # will get an erroneous false result.
    #
    # The workaround is to take advantage of the fact that the puppet catalog
    # compiler takes multiple passes, a first pass for most classes to be
    # evaluated, and a second pass for resource collection statements. Basically
    # by creating a virtual defined type and realizing it immediately, we
    # 'throw' any puppet code in the defined type into the next pass of the
    # compiler.
    #
    # Disgusting? yes. Necessary? unfortunately. This will have to be
    # re-evaluated for every major PE release.

    @pupmod::pass_two { 'main':
      server_distribution => $server_distribution,
      confdir             => $confdir,
      firewall            => $firewall,
      pe_classlist        => $pe_classlist,
      pupmod_server       => $puppet_server,
      pupmod_ca_server    => $ca_server,
      pupmod_masterport   => $masterport,
      pupmod_ca_port      => $ca_port,
      pupmod_report       => $report,
    }
    Pupmod::Pass_two <| |>

    if !empty($splaylimit) {
      pupmod::conf { 'splaylimit':
        confdir => $confdir,
        setting => 'splaylimit',
        value   => $splaylimit
      }
    }

    if $set_environment {
      unless ($set_environment == 'no_clean') {
        pupmod::conf { 'remove environment from main':
          ensure  => 'absent',
          section => 'main',
          confdir => $confdir,
          setting => 'environment',
          value   => null
        }
      }

      unless simplib::in_bolt() {
        pupmod::conf { 'environment':
          confdir => $confdir,
          setting => 'environment',
          value   => $environment
        }
      }
    }

    pupmod::conf {
      default: confdir => $confdir;

      'splay':
        setting => 'splay',
        value   => $splay;
      'syslogfacility':
        setting => 'syslogfacility',
        value   => $syslogfacility;
      'srv_domain':
        setting => 'srv_domain',
        value   => $srv_domain;
      'certname':
        setting => 'certname',
        value   => $certname;
      'vardir':
        setting => 'vardir',
        value   => $vardir;
      'classfile':
        setting => 'classfile',
        value   => $classfile;
      'confdir':
        setting => 'confdir',
        value   => $confdir,;
      'logdir':
        setting => 'logdir',
        value   => $logdir;
      'rundir':
        setting => 'rundir',
        value   => $rundir;
      'runinterval':
        setting => 'runinterval',
        value   => $runinterval;
      'ssldir':
        setting => 'ssldir',
        value   => $ssldir;
      'stringify_facts':
        setting => 'stringify_facts',
        value   => false;
      'digest_algorithm':
        setting => 'digest_algorithm',
        value   => $digest_algorithm;
    }

    # This is to allow the hosts to boot faster.  It should probably be
    # re-worked.
    file { '/etc/sysconfig/puppet':
      ensure  => 'file',
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      content => "PUPPET_EXTRA_OPTS='--daemonize'\n"
    }

    $puppet_agent_sebool = 'puppetagent_manage_all_files'
    if $facts['os']['selinux']['enabled'] and $facts['os']['selinux']['current_mode'] and ($facts['os']['selinux']['current_mode'] != 'disabled') {
      selboolean { $puppet_agent_sebool :
        persistent => true,
        value      => 'on'
      }
    }

    if $manage_facter_conf {
      include 'pupmod::facter::conf'
    }

    if $purge_logs {
      unless empty($purge_log_dirs) {
        $_purge_logdir = dirname($logdir)

        if empty($_purge_logdir) or ($_purge_logdir == '/') {
          fail("Refusing to purge top-level directories. Please ensure that ${module_name}::logdir is set to something sensible.")
        }

        $_purge_logs_content = $purge_log_dirs.map |$x| { "e ${_purge_logdir}${x} - - - ${purge_logs_duration}" }

        systemd::tmpfile { 'puppet_purge_puppet_service_logs.conf':
          content => join($_purge_logs_content, "\n")
        }
      }
    }
    else {
      systemd::tmpfile { 'puppet_purge_puppet_service_logs': ensure => 'absent' }
    }
  }
}