Puppet Class: pupmod::master

Inherits:
pupmod
Inherited by:
pupmod::master::reports
Defined in:
manifests/master.pp

Overview

Provides configuration for a puppet master.

Parameters:

  • bind_address (Simplib::IP) (defaults to: '0.0.0.0')

    The IP address to which the Puppet Master process should bind

  • ca_allow_auth_extensions (Boolean) (defaults to: false)

    If true, allows the CA to sign certificates with authorization extensions.

  • ca_allow_alt_names (Boolean) (defaults to: false)

    If true, allows the CA to sign certificates with subject alternative names.

  • ca_bind_address (Simplib::IP) (defaults to: '0.0.0.0')

    The IP address to which the Puppet CA process should bind

  • auditd (Boolean) (defaults to: simplib::lookup('simp_options::auditd', { 'default_value' => false }))

    If true, adds auditd rules that watch the sensitive Puppet directories for changes made by any user other than the puppet user.

  • ca_port (Simplib::Port) (defaults to: simplib::lookup('simp_options::puppet::ca_port', { 'default_value' => 8141 }))

    The port upon which the CA should listen. This has been modified from the default setting of 8140 so that it does not interfere with the certificate verification of various clients.

  • trusted_nets (Simplib::NetList) (defaults to: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1','::1'] }))

    An array of networks from which to allow access to the master.

  • server_distribution (String) (defaults to: pupmod::server_distribution())

    Deprecated: The version of the server that is being managed.

    • PC1 covers everything after Puppet 3

  • server_type (Enum['monolithic', 'primary', 'compile']) (defaults to: 'monolithic')

    The type of Puppet server this is. Can be ‘monolithic’, ‘primary’, or ‘compile’ as defined in puppet.com/docs/puppetserver/latest/scaling_puppet_server.html

  • ca_ttl (Pupmod::CaTTL) (defaults to: '10y')

    The default validity period (TTL) for certificates signed by this CA, given as a Puppet duration string such as `10y`.

  • daemonize (Boolean) (defaults to: true)

    Whether or not to run the server as a daemon.

  • enable_ca (Boolean) (defaults to: true)

    Whether or not the system should act as a CA.

  • enable_master (Boolean) (defaults to: true)

    Whether or not the system should act as a Puppet Master

  • environmentpath (Stdlib::AbsolutePath) (defaults to: $pupmod::environmentpath)

    The location of all directory environments.

  • freeze_main (Boolean) (defaults to: false)

    Whether or not code is allowed outside of site.pp or a module. Note that the class currently forces the `freeze_main` setting to `false` regardless of this parameter (see the manifest below).

  • masterport (Simplib::Port) (defaults to: 8140)

    The port upon which the Puppet master process will listen.

  • puppet_confdir (Stdlib::AbsolutePath) (defaults to: $pupmod::confdir)

    The Puppet server configuration directory.

  • confdir (Stdlib::AbsolutePath)

    The Puppet client configuration directory.

  • codedir (Stdlib::AbsolutePath)

    The directory holding the Puppet configuration codebase.

  • vardir (Stdlib::AbsolutePath)

    The Puppet server ‘var’ directory

  • rundir (Stdlib::AbsolutePath)

    The Puppet server runtime directory

  • logdir (Stdlib::AbsolutePath)

    The log directory for the Puppet server

  • ssldir (Stdlib::AbsolutePath)

    The SSL configuration directory for the Puppet server

  • use_legacy_auth_conf (Boolean) (defaults to: false)

    Enable processing of the legacy Puppetserver auth.conf.

    • This is NOT recommended and may cause a SIMP installation to malfunction.

  • max_queued_requests (Integer[0]) (defaults to: 10)

    The number of requests that may be queued against the server prior to being rejected.

    • Only functional on `puppetserver` >= 5.4.1

  • max_retry_delay (Integer[1]) (defaults to: 1800)

    The upper bound, in seconds, of the random `Retry-After` delay sent to clients whose requests are rejected (HTTP 503) because the `max_queued_requests` limit was exceeded.

    • Only functional on `puppetserver` >= 5.4.1

  • firewall (Boolean) (defaults to: simplib::lookup('simp_options::firewall', { 'default_value' => false }))

    If enabled, will use the SIMP iptables classes to manipulate IPTables.

  • ca_status_whitelist (Array[Simplib::Host]) (defaults to: [pick($facts['certname'], $facts['networking']['fqdn'])])

    An array of certificate short names which will be allowed to query the certificate status endpoint of the Puppet Server CA

  • ruby_load_path (Optional[Stdlib::AbsolutePath]) (defaults to: undef)

    The path to the system Ruby installation to use for the Puppet Server

  • max_active_instances (Integer[1]) (defaults to: pupmod::max_active_instances($server_type))

    The maximum number of active JRuby instances to be run by the Puppet Server

  • max_requests_per_instance (Integer) (defaults to: 100000)

    The number of requests a given JRuby instance will process prior to being stopped.

  • borrow_timeout (Integer[1000]) (defaults to: 1200000)

    The timeout, in milliseconds, when attempting to borrow an instance from the JRuby pool.

  • environment_class_cache_enabled (Boolean) (defaults to: true)

    Maintain a cache in conjunction with the use of the `environment_classes` API.

  • compat_version (Optional[Pattern['^\d+\.\d+$']]) (defaults to: undef)

    Set the JRuby compat version

    • Has no effect on `puppetserver` >= 5.0

  • compile_mode (Enum['off', 'jit', 'force']) (defaults to: 'off')

    Set the JRuby `CompileMode`.

  • ssl_protocols (Array[Pupmod::Master::SSLProtocols]) (defaults to: ['TLSv1.2'])

    The protocols that are allowed for communication with the Puppet Server. See the ssl-protocols documentation for the Puppet Server for additional details.

  • ssl_cipher_suites (Optional[Array[Pupmod::Master::SSLCipherSuites]]) (defaults to: undef)

    The allowed SSL Cipher Suites to be used by the Puppet Server. The allowed list is Java version dependent and you will need to check the system Java documentation for details.

    • The default is in the module data

  • enable_profiler (Boolean) (defaults to: false)

    Whether or not to enable the Puppet Server profiler to allow for code metrics gathering.

  • profiling_mode (Pupmod::ProfilingMode) (defaults to: 'off')

    The JRuby profiling mode to use when profiling the server.

    • Only functional on `puppetserver` >= 5.4.1

  • profiler_output_file (Stdlib::AbsolutePath) (defaults to: "${vardir}/server_jruby_profiling")

    The file to use when outputting server profiling information

    • Only functional on `puppetserver` >= 5.4.1

  • admin_api_whitelist (Array[Simplib::Hostname]) (defaults to: [pick($facts['certname'], $facts['networking']['fqdn'])])

    A list of X.509 certificate names that should be allowed to access the Puppet Server’s administrative API.

  • admin_api_mountpoint (String) (defaults to: '/puppet-admin-api')

    The endpoint for the Puppet Server's administrative API. Changing this may break external utilities.

  • log_to_file (Boolean) (defaults to: false)

    If true, log to system log files at /var/log/puppetserver.

  • strict_hostname_checking (Boolean) (defaults to: true)

    Whether node lookup matches only the complete certname from the client's certificate, or also tries dot-delimited segments of the certname together with the agent-supplied hostname, fqdn and domain facts.

    • Do NOT set to `false` unless you have read the details of CVE-2020-7942. Those facts are supplied by the agent, so with non-strict matching a compromised node can obtain another node's catalog.

  • cve_2020_7942_warning (Boolean) (defaults to: true)

    Whether to warn about CVE-2020-7942 when the issue is detected.

  • syslog (Boolean) (defaults to: simplib::lookup('simp_options::syslog', { 'default_value' => false }))

    If true, log to the local system logger over UDP port 514.

  • syslog_facility (String) (defaults to: 'LOCAL6')

    The syslog facility to which to report if using syslog.

  • syslog_message_format (String) (defaults to: '%logger[%thread]: %msg')

    The Logback compatible syslog message format. For more information, see the Logback documentation for ‘SuffixPattern’.

  • log_level (Pupmod::LogLevel) (defaults to: 'WARN')

    One of `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`, `OFF`. A syslog-style severity limiting the messages reported. Be aware that any level more verbose than `WARN` (`INFO`, `DEBUG`, `TRACE`) produces a very large volume of logs on every Puppet run.

  • autosign_hosts (Optional[Array[String[1]]]) (defaults to: undef)

    An array of hosts or host globs to add to the master's `autosign.conf` file

    • WARNING: If set, will be authoritative and overwrite the entire file!

  • package_ensure (String) (defaults to: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }))

    String used to specify either ‘latest’, ‘installed’, or a specific version of the puppetserver package

  • enable_analytics (Boolean) (defaults to: false)

    Enable the built-in analytics, and upgrade check, on the puppetserver

  • server_webserver_options (Optional[Hash[String[1],String[1]]]) (defaults to: undef)

    A `Hash` of `String,String` pairs that will be added as HOCON formatted options to the `base` section of the server's webserver.conf configuration.

    This is completely unvalidated and is present to allow setting many of the more esoteric options that can be found in the webserver configuration documentation at github.com/puppetlabs/trapperkeeper-webserver-jetty9/blob/master/doc/jetty-config.md

    The results will be printed in the order that they are defined as `key: value` with no additional formatting, so take care to ensure that your values are in proper HOCON format per github.com/lightbend/config/blob/master/HOCON.md

  • ca_webserver_options (Optional[Hash[String[1],String[1]]]) (defaults to: undef)

    A `Hash` of `String,String` pairs that will be added as HOCON formatted options to the `ca` section of the server's webserver.conf configuration.

    This is completely unvalidated and is present to allow setting many of the more esoteric options that can be found in the webserver configuration documentation at github.com/puppetlabs/trapperkeeper-webserver-jetty9/blob/master/doc/jetty-config.md

    The results will be printed in the order that they are defined as `key: value` with no additional formatting, so take care to ensure that your values are in proper HOCON format per github.com/lightbend/config/blob/master/HOCON.md

  • extra_webserver_sections (Optional[Hash[String[1],Hash[String[1],String[1]]]]) (defaults to: undef)

    A `Hash` using the following format to express the full contents of a webserver configuration section, with options as defined in github.com/puppetlabs/trapperkeeper-webserver-jetty9/blob/master/doc/jetty-config.md

    Section Hash Example:

    ```ruby
    {
      'section1_name' => {
        'ssl-port' => '1234'
      },
      'section2_name' => {
        'ssl-port' => '2345'
      }
    }
    ```

    Result Example:

    ```json
    webserver: {
      ...pre-existing material...
      section1_name: {
        ssl-port: 1234
      }
      section2_name: {
        ssl-port: 2345
      }
    }
    ```

    This is completely unvalidated and is present to allow setting many of the more esoteric options that can be found in the webserver configuration documentation at github.com/puppetlabs/trapperkeeper-webserver-jetty9/blob/master/doc/jetty-config.md

    The results will be printed in the order that they are defined as `key: value` with no additional formatting, so take care to ensure that your values are in proper HOCON format per github.com/lightbend/config/blob/master/HOCON.md

  • mock (Boolean) (defaults to: false)

    DO NOT USE. Needed only for rspec testing.
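As an added example (not part of the pupmod module or its templates), the following Ruby shows what "completely unvalidated" means for `server_webserver_options`, `ca_webserver_options` and `extra_webserver_sections`: each pair is emitted as `key: value` on its own line exactly as the descriptions above state, so a value that carries a newline silently becomes a second setting in the rendered section. `client-auth` is a real jetty9 webserver setting (`need`, `want` or `none`); the rendering helper, the guard, and the sample hashes are this example's own constructions.

```ruby
# Added example (not pupmod's own template code): how an unvalidated
# Hash[String,String] lands in webserver.conf, and a guard to run first.

# Render one webserver.conf section as the parameter descriptions say:
# "key: value", one pair per line, in hash order, with no escaping.
def render_section(name, options)
  lines = options.map { |key, value| "  #{key}: #{value}" }
  "#{name}: {\n#{lines.join("\n")}\n}\n"
end

# extra_webserver_sections: section name => options Hash, rendered in turn.
def render_extra_sections(sections)
  sections.map { |name, options| render_section(name, options) }.join
end

# The settings a HOCON reader actually sees: every "key:" that starts an
# indented line, however many pairs the source hash contained.
def effective_keys(rendered)
  rendered.lines.map { |line| line[/\A\s+([\w-]+)\s*:/, 1] }.compact
end

# Guard for callers: a value must stay on one line and must not open or
# close a HOCON object, otherwise it can rewrite neighbouring settings.
UNSAFE_HOCON = /[\r\n{}]/
def unsafe_options(options)
  options.select do |key, value|
    key.match?(UNSAFE_HOCON) || value.match?(UNSAFE_HOCON)
  end.keys
end

# Constructed inputs. The injected value looks like a single "ssl-port"
# entry but smuggles in "client-auth: none", which turns off client
# certificate authentication on that listener.
GOOD_OPTIONS = { 'ssl-port' => '8140', 'client-auth' => 'need' }.freeze
INJECTED_OPTIONS = { 'ssl-port' => "8140\n  client-auth: none" }.freeze

if __FILE__ == $PROGRAM_NAME
  puts render_section('base', INJECTED_OPTIONS)
  p effective_keys(render_section('base', INJECTED_OPTIONS))
  p unsafe_options(INJECTED_OPTIONS)
end
```

Run the guard over the Hiera data that feeds these parameters before it reaches the server; anything it flags would otherwise be written to webserver.conf verbatim and picked up on the next service restart.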

# File 'manifests/master.pp', line 282

class pupmod::master (
  Simplib::IP                                         $bind_address                    = '0.0.0.0',
  Boolean                                             $ca_allow_auth_extensions        = false,
  Boolean                                             $ca_allow_alt_names              = false,
  Simplib::IP                                         $ca_bind_address                 = '0.0.0.0',
  Boolean                                             $auditd                          = simplib::lookup('simp_options::auditd', { 'default_value' => false }),
  Simplib::Port                                       $ca_port                         = simplib::lookup('simp_options::puppet::ca_port', { 'default_value' => 8141 }),
  Simplib::NetList                                    $trusted_nets                    = simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1','::1'] }),
  String                                              $server_distribution             = pupmod::server_distribution(),
  Enum['monolithic', 'primary', 'compile']            $server_type                     = 'monolithic',
  Pupmod::CaTTL                                       $ca_ttl                          = '10y',
  Boolean                                             $daemonize                       = true,
  Boolean                                             $enable_ca                       = true,
  Boolean                                             $enable_master                   = true,
  Stdlib::AbsolutePath                                $environmentpath                 = $pupmod::environmentpath,
  Boolean                                             $freeze_main                     = false,
  Simplib::Port                                       $masterport                      = 8140,
  Stdlib::AbsolutePath                                $puppet_confdir                  = $pupmod::confdir,
  Stdlib::AbsolutePath                                $confdir,
  Stdlib::AbsolutePath                                $codedir,
  Stdlib::AbsolutePath                                $vardir,
  Stdlib::AbsolutePath                                $rundir,
  Stdlib::AbsolutePath                                $logdir,
  Stdlib::AbsolutePath                                $ssldir,
  Boolean                                             $use_legacy_auth_conf            = false,
  Integer[0]                                          $max_queued_requests             = 10,
  Integer[1]                                          $max_retry_delay                 = 1800,
  Boolean                                             $firewall                        = simplib::lookup('simp_options::firewall', { 'default_value' => false }),
  Array[Simplib::Host]                                $ca_status_whitelist             = [pick($facts['certname'], $facts['networking']['fqdn'])],
  Optional[Stdlib::AbsolutePath]                      $ruby_load_path                  = undef,
  Integer[1]                                          $max_active_instances            = pupmod::max_active_instances($server_type),
  Integer                                             $max_requests_per_instance       = 100000,
  Integer[1000]                                       $borrow_timeout                  = 1200000,
  Boolean                                             $environment_class_cache_enabled = true,
  Optional[Pattern['^\d+\.\d+$']]                     $compat_version                  = undef,
  Enum['off', 'jit', 'force']                         $compile_mode                    = 'off',
  Array[Pupmod::Master::SSLProtocols]                 $ssl_protocols                   = ['TLSv1.2'],
  Optional[Array[Pupmod::Master::SSLCipherSuites]]    $ssl_cipher_suites               = undef,
  Boolean                                             $enable_profiler                 = false,
  Pupmod::ProfilingMode                               $profiling_mode                  = 'off',
  Stdlib::AbsolutePath                                $profiler_output_file            = "${vardir}/server_jruby_profiling",
  Array[Simplib::Hostname]                            $admin_api_whitelist             = [pick($facts['certname'], $facts['networking']['fqdn'])],
  String                                              $admin_api_mountpoint            = '/puppet-admin-api',
  Boolean                                             $log_to_file                     = false,
  Boolean                                             $strict_hostname_checking        = true,
  Boolean                                             $cve_2020_7942_warning           = true,
  Boolean                                             $syslog                          = simplib::lookup('simp_options::syslog', { 'default_value' => false }),
  String                                              $syslog_facility                 = 'LOCAL6',
  String                                              $syslog_message_format           = '%logger[%thread]: %msg',
  Pupmod::LogLevel                                    $log_level                       = 'WARN',
  Optional[Array[String[1]]]                          $autosign_hosts                  = undef,
  String                                              $package_ensure                  = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }),
  Boolean                                             $enable_analytics                = false,
  Optional[Hash[String[1],String[1]]]                 $server_webserver_options        = undef,
  Optional[Hash[String[1],String[1]]]                 $ca_webserver_options            = undef,
  Optional[Hash[String[1],Hash[String[1],String[1]]]] $extra_webserver_sections        = undef,
  Boolean                                             $mock                            = false
) inherits pupmod {

  $_server_version = pupmod::server_version()
  # In Puppet 6.19 the section "master" was renamed to "server" in Puppet.settings.
  # pick is used here to determine the correct value for backwards compatibility
  $_puppet_user = pick($facts.dig('puppet_settings','server','user'),$facts.dig('puppet_settings','master','user'))
  $_puppet_group = pick($facts.dig('puppet_settings','server','group'),$facts.dig('puppet_settings','master','group'))

  unless $mock {
    include 'pupmod::master::install'
    include 'pupmod::master::sysconfig'
    include 'pupmod::master::reports'
    include 'pupmod::master::base'
    include 'pupmod::master::service'
    include 'pupmod::master::generate_types'

    Class['pupmod::master::install'] ~> Class['pupmod::master::service']
    Class['pupmod::master::sysconfig'] ~> Class['pupmod::master::service']
    Class['pupmod::master::service'] ~> Class['pupmod::master::generate_types']

    $_conf_base = dirname($confdir)

    file { [$confdir, $codedir]:
      ensure => 'directory',
      owner  => 'root',
      group  => $_puppet_group,
      mode   => '0640'
    }

    # For Puppet 7+
    # Puppet sets the search (x) bit on a directory wherever the read bit is
    # set, so this 0660 is applied as 0770 (and the 0640 above as 0750).
    file { $_conf_base:
      ensure => 'directory',
      owner  => 'root',
      group  => $_puppet_group,
      mode   => '0660'
    }

    # Mode is managed by puppet itself
    file { $rundir:
      ensure => 'directory',
      owner  => $_puppet_user,
      group  => $_puppet_group
    }

    # Mode is managed by puppet itself
    file { $ssldir:
      ensure => 'directory',
      owner  => $_puppet_user,
      group  => $_puppet_group
    }

    file {
      default:
        ensure  => 'file',
        owner   => 'root',
        group   => $_puppet_group,
        mode    => '0640',
        require => Class['pupmod::master::install'],
        notify  => Class['pupmod::master::service'];

      "${_conf_base}/services.d/ca.cfg": content => epp("${module_name}/etc/puppetserver/ca.cfg");
      "${_conf_base}/logback.xml":       content => epp("${module_name}/etc/puppetserver/logback.xml");
      "${confdir}/ca.conf":              content => epp("${module_name}/etc/puppetserver/conf.d/ca.conf");
      "${confdir}/puppetserver.conf":    content => epp("${module_name}/etc/puppetserver/conf.d/puppetserver.conf");
      "${confdir}/web-routes.conf":      content => epp("${module_name}/etc/puppetserver/conf.d/web-routes.conf");
      "${confdir}/webserver.conf":       content => epp("${module_name}/etc/puppetserver/conf.d/webserver.conf");
    }

    if $ruby_load_path {
      file { "${confdir}/os-settings.conf":
        ensure  => 'file',
        owner   => 'root',
        group   => $_puppet_group,
        mode    => '0640',
        content => epp("${module_name}/etc/puppetserver/conf.d/os-settings.conf"),
        require => Class['pupmod::master::install'],
        notify  => Class['pupmod::master::service']
      }
    }

    # `trusted_server_facts` deprecated in Puppet 5.0.0 (PUP-6112)
    $_trusted_server_facts_ensure = (versioncmp($facts['puppetversion'], '5.0')) ? {
      -1      => 'present',
      default => 'absent',
    }

    pupmod::conf { 'trusted_server_facts':
      ensure  => $_trusted_server_facts_ensure,
      confdir => $puppet_confdir,
      setting => 'trusted_server_facts',
      value   => true,
      notify  => Class['pupmod::master::service']
    }

    pupmod::conf { 'master_environmentpath':
      section => 'server',
      confdir => $puppet_confdir,
      setting => 'environmentpath',
      value   => $environmentpath,
      notify  => Class['pupmod::master::service']
    }

    pupmod::conf { 'master_daemonize':
      section => 'server',
      confdir => $puppet_confdir,
      setting => 'daemonize',
      value   => $daemonize,
      notify  => Class['pupmod::master::service']
    }

    pupmod::conf { 'master_masterport':
      section => 'server',
      confdir => $puppet_confdir,
      setting => 'masterport',
      value   => $masterport,
      notify  => Class['pupmod::master::service']
    }

    # `[master] ca` is deprecated, as of Puppet 5.5.6 (SIMP-5456), and removed
    # in Puppet 6 (PUP-9158).
    if versioncmp($facts['puppetversion'], '6.0') >= 0 {
      $_ensure_master_ca = 'absent'
    }
    elsif versioncmp($facts['puppetversion'], '5.5.6') >= 0 {
      # Puppet will emit warning messages whenever deprecated settings are
      # encountered in `puppet.conf`.  To avoid this, we remove the setting
      # if it is the same as the default `ca = true`.
      #
      # NOTE: Although the condition tests for 5.5.6 (when `ca` was marked as
      #       deprecated), due to the bug PUP-9266 this logic will not prevent
      #       deprecation warnings until the release of 5.5.8.
      $_ensure_master_ca = $enable_ca ? {
        true    => 'absent',
        default => 'present',
      }
    } else {
      $_ensure_master_ca = 'present'
    }

    pupmod::conf { 'master_ca':
      ensure  => $_ensure_master_ca,
      setting => 'ca',
      value   => $enable_ca,
      confdir => $puppet_confdir,
      section => 'server',
      notify  => Class['pupmod::master::service']
    }

    pupmod::conf { 'master_ca_port':
      section => 'server',
      confdir => $puppet_confdir,
      setting => 'ca_port',
      value   => $ca_port,
      notify  => Class['pupmod::master::service']
    }

    pupmod::conf { 'ca_ttl':
      section => 'server',
      confdir => $puppet_confdir,
      setting => 'ca_ttl',
      value   => $ca_ttl,
      notify  => Class['pupmod::master::service']
    }

    if $pupmod::fips {
      $_keylength = 2048
    }
    else {
      $_keylength = 4096
    }

    pupmod::conf { 'keylength':
      section => 'server',
      confdir => $puppet_confdir,
      setting => 'keylength',
      value   => $_keylength,
      notify  => Class['pupmod::master::service']
    }

    pupmod::conf { 'freeze_main':
      confdir => $puppet_confdir,
      setting => 'freeze_main',
      # This is hard set for now until we can ensure that this works in all
      # potential configurations.
      value   => false,
      #value   => $freeze_main,
      notify  => Class['pupmod::master::service']
    }

    pupmod::conf { 'strict_hostname_checking':
      confdir => $puppet_confdir,
      setting => 'strict_hostname_checking',
      value   => $strict_hostname_checking,
      notify  => Class['pupmod::master::service']
    }

    # The warning fires when the setting is disabled, so the message must name
    # 'false'; ${module_name} is already 'pupmod', so the parameter path is
    # ${module_name}::master::..., not ${module_name}::pupmod::master::...
    if !$strict_hostname_checking and $cve_2020_7942_warning {
      notify { 'CVE-2020-7942':
        message => "Setting '${module_name}::master::strict_hostname_checking' to 'false' exposes this server to CVE-2020-7942.\n\nSet '${module_name}::master::cve_2020_7942_warning' to 'false' to disable this message."
      }
    }

    hocon_setting { 'puppetserver analytics':
      ensure  => present,
      path    => "${confdir}/product.conf",
      setting => 'product.check-for-updates',
      value   => $enable_analytics,
      type    => 'boolean',
      notify  => Class['pupmod::master::service']
    }

    if $auditd {
      include 'auditd'

      auditd::rule { 'puppet_master':
        content => epp("${module_name}/puppet-auditd-rules")
      }
    }

    if $firewall {
      include 'iptables'

      if $enable_master {
        iptables::listen::tcp_stateful { 'allow_puppet':
          order        => 11,
          trusted_nets => $trusted_nets,
          dports       => $masterport
        }
      }

      if $enable_ca {
        iptables::listen::tcp_stateful { 'allow_puppetca':
          order        => 11,
          trusted_nets => $trusted_nets,
          dports       => $ca_port
        }
      }
    }

    if $autosign_hosts {
      $autosign_hosts.each |$autosign_host| {
        ensure_resource('pupmod::master::autosign', $autosign_host)
      }
    }
  }
}
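An added Ruby illustration (not Puppet's or pupmod's code) of the node lookup that `strict_hostname_checking` controls, modelled on the order the parameter description gives: with strict checking only the certname from the client's certificate is tried; without it, dot-delimited segments of the certname and of the agent-supplied `fqdn`, `hostname` and `domain` facts are tried as well. The defined node list and the two fact sets are constructed. It reproduces the CVE-2020-7942 scenario: an agent whose certname has no node definition of its own forges its `fqdn` fact and is handed another node's catalog.

```ruby
# Added illustration of non-strict hostname matching; not Puppet's own code.

# "a.b.c" => ["a.b.c", "a.b", "a"]: longest prefix first.
def split_name(name)
  parts = name.split('.')
  (1..parts.size).map { |i| parts[0, i].join('.') }.reverse
end

# Node names the master tries, in order, when looking for a node definition.
# The certname comes from the verified client certificate; the facts come
# from the agent and are under its control.
def candidate_node_names(certname, facts, strict_hostname_checking: true)
  return [certname] if strict_hostname_checking

  names = [certname]
  names += split_name(certname) if certname.include?('.')

  fqdn = facts['fqdn']
  if fqdn.nil? && facts['hostname'] && facts['domain']
    fqdn = "#{facts['hostname']}.#{facts['domain']}"
  end
  names += split_name(fqdn) if fqdn
  names.uniq
end

# First candidate with a node definition wins; otherwise the 'default' node.
def matched_node(certname, facts, defined_nodes, strict_hostname_checking:)
  candidate_node_names(certname, facts,
                       strict_hostname_checking: strict_hostname_checking)
    .find { |n| defined_nodes.include?(n) } || 'default'
end

# Constructed scenario: only db01 has an explicit node definition.
DEFINED_NODES = %w[db01.example.com].freeze
CERTNAME = 'web01.example.com'.freeze
# Agent reports truthfully...
HONEST_FACTS = { 'fqdn' => 'web01.example.com',
                 'hostname' => 'web01', 'domain' => 'example.com' }.freeze
# ...or, once compromised, claims to be db01 while still presenting web01's cert.
FORGED_FACTS = { 'fqdn' => 'db01.example.com',
                 'hostname' => 'db01', 'domain' => 'example.com' }.freeze

if __FILE__ == $PROGRAM_NAME
  [true, false].each do |strict|
    node = matched_node(CERTNAME, FORGED_FACTS, DEFINED_NODES,
                        strict_hostname_checking: strict)
    puts "strict_hostname_checking=#{strict}: forged facts reach node '#{node}'"
  end
end
```

With strict checking the forged facts are never consulted and web01 falls through to `default`; with it disabled the same request matches `db01.example.com`, which is why the class leaves the setting at `true` and warns when it is turned off.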