diff --git a/deployment/puppet/nailgun/examples/host-only.pp b/deployment/puppet/nailgun/examples/host-only.pp index 2501a34159..24f3ab81b4 100644 --- a/deployment/puppet/nailgun/examples/host-only.pp +++ b/deployment/puppet/nailgun/examples/host-only.pp @@ -1,3 +1,5 @@ +# Configuration of Fuel Master node only + $fuel_settings = parseyaml($astute_settings_yaml) $fuel_version = parseyaml($fuel_version_yaml) @@ -35,12 +37,12 @@ class { 'nailgun::host': } -class { "openstack::clocksync": +class { 'openstack::clocksync': ntp_servers => $ntp_servers, - config_template => "ntp/ntp.conf.erb", + config_template => 'ntp/ntp.conf.erb', } -class { "docker::dockerctl": +class { 'docker::dockerctl': release => $::fuel_version['VERSION']['release'], production => $production, admin_ipaddress => $::fuel_settings['ADMIN_NETWORK']['ipaddress'], 
@@ -50,43 +52,48 @@ class { "docker": docker_engine => 'lxc', } -class {'openstack::logrotate': +class { 'openstack::logrotate': role => 'server', rotation => 'weekly', keep => '4', limitsize => '100M', } -class { "nailgun::client": +class { 'nailgun::client': server => $::fuel_settings['ADMIN_NETWORK']['ipaddress'], keystone_user => $::fuel_settings['FUEL_ACCESS']['user'], keystone_pass => $::fuel_settings['FUEL_ACCESS']['password'], } -class { "nailgun::supervisor": +class { 'nailgun::supervisor': nailgun_env => false, ostf_env => false, - require => File["/etc/supervisord.d/current", "/etc/supervisord.d/${::fuel_version['VERSION']['release']}"], - conf_file => "nailgun/supervisord.conf.base.erb", + require => File['/etc/supervisord.d/current', "/etc/supervisord.d/${::fuel_version['VERSION']['release']}"], + conf_file => 'nailgun/supervisord.conf.base.erb', } -file { "/etc/supervisord.d": +class { 'osnailyfacter::ssh': + password_auth => 'yes', +} + +file { '/etc/supervisord.d': ensure => directory, } file { "/etc/supervisord.d/${::fuel_version['VERSION']['release']}": - require => File["/etc/supervisord.d"], + ensure => directory, + require => File['/etc/supervisord.d'], owner => root, group => root, recurse => true, - ensure => directory, - source => "puppet:///modules/docker/supervisor", + source => 'puppet:///modules/docker/supervisor', } -file { "/etc/supervisord.d/current": +file { '/etc/supervisord.d/current': + ensure => link, + target => "/etc/supervisord.d/${::fuel_version['VERSION']['release']}", require => File["/etc/supervisord.d/${::fuel_version['VERSION']['release']}"], replace => true, - ensure => "/etc/supervisord.d/${::fuel_version['VERSION']['release']}", } exec {'sync_deployment_tasks': diff --git a/deployment/puppet/nailgun/manifests/host.pp b/deployment/puppet/nailgun/manifests/host.pp index 418e348392..82f081a365 100644 --- a/deployment/puppet/nailgun/manifests/host.pp +++ b/deployment/puppet/nailgun/manifests/host.pp 
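Review bot: `password_auth => 'yes'` in the new `osnailyfacter::ssh` declaration keeps password logins on the master node while the class itself defaults to `'no'`, and nothing in the hunk says why; a one-line comment above the declaration, e.g. `# Master node keeps password logins enabled on purpose; the shared class defaults to 'no'`, would stop a later cleanup from silently flipping it. The template this replaces (deleted elsewhere in this commit) also had `PasswordAuthentication yes`, so this is not a new exposure, but it did set `X11Forwarding yes` where the class now forces `'no'` — worth confirming no master-side tooling relied on X11 forwarding. The switch of `/etc/supervisord.d/current` to `ensure => link` with an explicit `target` looks correct. The trailing `exec {'sync_deployment_tasks':` continues outside the hunk.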
@@ -25,13 +25,6 @@ $gem_source = 'http://localhost/gems/', keytype => 'rsa', } - file { '/etc/ssh/sshd_config': - content => template('nailgun/sshd_config.erb'), - owner => 'root', - group => 'root', - mode => '0600', - } - file { '/root/.ssh/config': content => template('nailgun/root_ssh_config.erb'), owner => 'root', diff --git a/deployment/puppet/nailgun/templates/sshd_config.erb b/deployment/puppet/nailgun/templates/sshd_config.erb deleted file mode 100644 index f27dc53fb2..0000000000 --- a/deployment/puppet/nailgun/templates/sshd_config.erb +++ /dev/null 
@@ -1,139 +0,0 @@ -# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ - -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a -# default value. - -#Port 22 -#AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: - -# Disable legacy (protocol version 1) support in the server for new -# installations. In future the default will change to require explicit -# activation of protocol 1 -Protocol 2 - -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key -# HostKeys for protocol version 2 -#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key - -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 1024 - -# Logging -# obsoletes QuietMode and FascistLogging -#SyslogFacility AUTH -SyslogFacility AUTHPRIV -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m -#PermitRootLogin yes -#StrictModes yes -#MaxAuthTries 6 -#MaxSessions 10 - -#RSAAuthentication yes -#PubkeyAuthentication yes -#AuthorizedKeysFile .ssh/authorized_keys -#AuthorizedKeysCommand none -#AuthorizedKeysCommandRunAs nobody - -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes - -# To disable tunneled clear text passwords, change to no here! 
-#PasswordAuthentication yes -#PermitEmptyPasswords no -PasswordAuthentication yes - -# Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes -ChallengeResponseAuthentication no - -# Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no -#KerberosUseKuserok yes - -# GSSAPI options -GSSAPIAuthentication no -#GSSAPICleanupCredentials yes -#GSSAPIStrictAcceptorCheck yes -#GSSAPIKeyExchange no - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. 
-#UsePAM no -UsePAM yes - -# Accept locale-related environment variables -AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT -AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE -AcceptEnv XMODIFIERS - -#AllowAgentForwarding yes -#AllowTcpForwarding yes -#GatewayPorts no -#X11Forwarding no -X11Forwarding yes -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PrintMotd yes -#PrintLastLog yes -#TCPKeepAlive yes -#UseLogin no -#UsePrivilegeSeparation yes -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#ShowPatchLevel no -#UseDNS yes -#PidFile /var/run/sshd.pid -#MaxStartups 10 -#PermitTunnel no -#ChrootDirectory none - -# no default banner path -#Banner none - -# override default of no subsystems -Subsystem sftp /usr/libexec/openssh/sftp-server - -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# ForceCommand cvs server - -UseDNS no - diff --git a/deployment/puppet/osnailyfacter/manifests/ssh.pp b/deployment/puppet/osnailyfacter/manifests/ssh.pp new file mode 100644 index 0000000000..26b3f122cb --- /dev/null +++ b/deployment/puppet/osnailyfacter/manifests/ssh.pp 
@@ -0,0 +1,70 @@ +# == Class: osnailyfacter::ssh +# +# Configures ssh server +# +# === Parameters +# +# [*ciphers*] +# Specifies the ciphers allowed for protocol version 2 +# +# [*macs*] +# Specifies the available MAC (message authentication code) algorithms +# +# [*protocol_ver*] +# SSH protocol version to use. Defaults to 2 +# +# [*ports*] +# Ports for SSH service to listen to. If more than one it shjould be an array +# Defaults to 22 +# +# [*log_lvl*] +# SSH daemon log level. Defaults to VERBOSE +# +# [*password_auth*] +# Use password authentication. Defaults to no +# + +class osnailyfacter::ssh( + $ciphers = 'aes256-ctr,aes192-ctr,aes128-ctr,arcfour256,arcfour128', + $macs = 'hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1', + $protocol_ver = '2', + $ports = '22', + $log_lvl = 'VERBOSE', + $password_auth = 'no' +){ + + case $::osfamily { + 'redhat': { + $subsystem = 'sftp /usr/libexec/openssh/sftp-server' + } + 'debian': { + $subsystem = 'sftp /usr/lib/openssh/sftp-server' + } + default: { + $subsystem = 'sftp /usr/lib/openssh/sftp-server' + } + } + + class { 'ssh::server': + storeconfigs_enabled => false, + options => { + 'Protocol' => $protocol_ver, + 'Ciphers' => $ciphers, + 'MACs' => $macs, + 'Port' => $ports, + 'LogLevel' => $log_lvl, + 'Subsystem' => $subsystem, + 'PasswordAuthentication' => $password_auth, + 'AllowTcpForwarding' => 'yes', + 'X11Forwarding' => 'no', + 'UsePAM' => 'yes', + 'UseDNS' => 'no', + 'GSSAPIAuthentication' => 'no', + 'ChallengeResponseAuthentication' => 'no', + 'PubkeyAuthentication' => 'yes', + 'RSAAuthentication' => 'yes', + 'UsePrivilegeSeparation' => 'yes', + 'StrictModes' => 'yes', + } + } +} diff --git a/deployment/puppet/osnailyfacter/modular/tools/tools.pp b/deployment/puppet/osnailyfacter/modular/tools/tools.pp index a002cd0691..590020779a 100644 --- a/deployment/puppet/osnailyfacter/modular/tools/tools.pp +++ b/deployment/puppet/osnailyfacter/modular/tools/tools.pp 
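Review bot: The default `$ciphers` still allows `arcfour256,arcfour128` (RC4), which is deprecated for SSH and no longer enabled by default in current OpenSSH; trimming the default to `$ciphers = 'aes256-ctr,aes192-ctr,aes128-ctr',` keeps the aes-ctr set and drops RC4 (the `hmac-sha1`/`hmac-ripemd160` MACs are weaker than the sha2 entries but less urgent). Because sshd refuses its whole configuration on an unrecognised cipher or MAC name, the lists should be checked against the oldest OpenSSH these nodes run before this ships. The removed template set `SyslogFacility AUTHPRIV` and the new options hash does not; unless `ssh::server` supplies it, sshd falls back to AUTH and on RedHat the login records leave `/var/log/secure`, so carrying `'SyslogFacility' => 'AUTHPRIV',` into the hash is worth considering. The `case $::osfamily` arms use lowercase `'redhat'`/`'debian'` while the fact reports `RedHat`/`Debian`; this matches under Puppet 3's case-insensitive matching, but under Puppet 4+ every RedHat host would fall into `default` and get the Debian sftp path. Minor: `shjould` in the `$ports` doc, and the `'debian'` and `default` arms are identical.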
@@ -2,6 +2,8 @@ notice('MODULAR: tools.pp') class { 'osnailyfacter::atop': } +class { 'osnailyfacter::ssh': } + $tools = [ 'screen', 'tmux',
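Review bot: Declaring `osnailyfacter::ssh` here with no arguments applies the class defaults, so every node that runs this task gets `PasswordAuthentication no`, `X11Forwarding no` and the restricted cipher list; that is the intended hardening, but the declaration is silent about it and a comment such as `# sshd hardening: key-only logins and a restricted cipher list (osnailyfacter::ssh defaults)` would make the lock-out deliberate for the next reader. Key-based access for the deployment user must already be in place when this task runs, otherwise the node becomes unreachable over ssh once `ssh::server` reloads the daemon (presumably it does on a config change) — I can't see the task ordering from this hunk, so please confirm. Putting the sshd configuration inside the `tools.pp` task also hides it under an unrelated name; a dedicated modular task would let it be ordered and re-run independently.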