[Mageia-sysadm] ssh keys

Michael Scherer misc at zarb.org
Tue Oct 26 16:46:35 CEST 2010


Le lundi 25 octobre 2010 à 22:04 +0200, Michael Scherer a écrit :
> Hi fellow admins,
> 
> In order to let you rui^W crash^W manage the server like I did, I need
> your ssh keys to be sent here.
> 
> So if you didn't already do ( ie, if you are not nanar, not coincoin and
> not me ), please send it to me. 

I have added the keys that were sent to me in puppet ( without svn or
anything yet, nothing fancy ).

So, a quick ( well, not so quick ) explanation of what I did :
1) set up the puppetmaster ( ie, the reference ) on valstar :

  urpmi puppet-server
  create some files in /etc/puppet/manifests/

  site.pp , which just references the 2 others :

  [root at valstar manifests]# ls
  common.pp  nodes.pp  site.pp
  [root at valstar manifests]# cat site.pp 
  import "common"
  import "nodes"

  nodes.pp ( arbitrary name ) contains the list of nodes, and their
  class ( here, only one class, default_mageia_server, defined in
  common ):

  node alamut {
        include default_mageia_server
  }

in common.pp, we have this class :

class default_mageia_server {
    include default_ssh_root_key
    include base_packages
}

which leads me to the first 2 types of thing we will do with puppet :
a) package installation :

class base_packages {

    $package_list = ['screen', 'vim-enhanced']

    package { $package_list:
        ensure => installed;
    }
}

basically, this means that screen and vim-enhanced will be installed by
default, using urpmi ( or the appropriate tool depending on the OS ), on
every server. Add packages if needed, but please keep the comment I have
added about who requested what and why, if not obvious ( the first one to
install kde will be killed so hard that even his ancestors will die (tm)
sinfest ). 

We can also use this to ensure a package is never installed ( just cut
and paste the class, change the list and the ensure value; see the
puppet doc for that ).

b) ssh key installation :

Like packages, there is a type for ssh keys :

class default_ssh_root_key {
    ssh_authorized_key { "ssh key misc":
        type => "ssh-rsa",
        key => "insert-real-long-key-here", 
        user => "root"
    }
    ssh_authorized_key { "ssh key blino":
        type => "ssh-dss",
        key => "insert-real-longer-and-stronger-bigger-blino-key-here", 
        user => "root"
    }
}

this means that my key ( and blino's ) is added to the proper file
directly, with the correct permissions. I have added blino, nanar, dmorgan,
coling, dams and me. The others didn't send theirs yet.
 

That's it for the basic part. The puppetmaster reloads itself when it
detects a config change, and it refuses an invalid config in case of
problem, as does the puppet agent on each node.


So next, on each server ( the 4 ones in LO; I am taking care of the gandi
vm as soon as I have finished writing this mail ), I have set up the
puppet agent :


2) set up puppet
for each node :

  urpmi puppet
  vim /etc/puppet/puppet.conf ( add a "server = valstar.mageia.org" 
     entry in [puppetd], will likely be taken care of by puppet itself
     later )
  service puppet start

on valstar, to authenticate the request ( ie, when puppet is started, it
exchanges ssl certs with the master to encrypt future exchanges ) :

puppetca --list
puppetca --sign server

on the node that was just signed :
tail -f /var/log/messages, check there is no error, and test that we can
still connect as root.
Beware, this changed with puppet 2.6 some months ago, so I suggest
people read the documentation if they read this mail after the end of
2010 :).

If you have any questions on how to use puppet after this quick
introduction, do not hesitate to ping me on irc, or better, here, so
everybody gets the answer.


-- 
Michael Scherer
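As an added example (not code from the mail above or from Mageia's puppet tree): the manifests in the mail take each contributor's emailed key and paste it into an ssh_authorized_key resource by hand, with the type word in `type` and only the base64 part in `key`. The script below does that split and checks two things before emitting the resource: that the type word on the line matches the type string embedded at the start of the decoded blob (the first SSH "string" in the wire format, RFC 4251/4253), and that the key is at least a given size (RSA modulus or DSA prime). The sample keys are constructed inside the script from chosen numbers and are not real key material; the function names, the 2048-bit threshold and the resource title are assumptions.

```python
import base64
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint' (RFC 4251, section 5)."""
    if n == 0:
        return struct.pack(">I", 0)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw  # leading zero keeps the value positive
    return _ssh_string(raw)


def _read_string(blob: bytes, off: int):
    """Read one SSH string at offset off; return (data, new_offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", blob, off)
    off += 4
    if off + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + length], off + length


def parse_authorized_key(line: str):
    """Split '<type> <base64> [comment]' and verify that the type word
    matches the type string embedded at the start of the decoded blob."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key is not valid base64") from exc
    embedded, _ = _read_string(blob, 0)
    if embedded != ktype.encode():
        raise ValueError(f"type word {ktype!r} does not match embedded type {embedded!r}")
    return ktype, blob, comment


def key_bits(ktype: str, blob: bytes) -> int:
    """Size of the key: the RSA modulus n, or the DSA prime p."""
    _, off = _read_string(blob, 0)        # skip the type string
    if ktype == "ssh-rsa":
        _, off = _read_string(blob, off)  # public exponent e
        n, _ = _read_string(blob, off)    # modulus n
        return int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-dss":
        p, _ = _read_string(blob, off)    # prime p (q, g, y follow)
        return int.from_bytes(p, "big").bit_length()
    raise ValueError(f"unsupported key type {ktype!r}")


def check_key(line: str, min_bits: int = 2048):
    """Return (ok, message) for one authorized_keys line."""
    try:
        ktype, blob, _ = parse_authorized_key(line)
        bits = key_bits(ktype, blob)
    except ValueError as exc:
        return False, str(exc)
    if bits < min_bits:
        return False, f"{ktype} key is only {bits} bits, want >= {min_bits}"
    return True, f"{ktype} {bits} bits"


def puppet_resource(title: str, line: str, user: str = "root", min_bits: int = 2048) -> str:
    """Emit an ssh_authorized_key resource; 'key' carries only the base64 part."""
    ok, msg = check_key(line, min_bits)
    if not ok:
        raise ValueError(msg)
    ktype, b64 = line.strip().split(None, 2)[:2]
    return (f'ssh_authorized_key {{ "{title}":\n'
            f'    type => "{ktype}",\n'
            f'    key => "{b64}",\n'
            f'    user => "{user}"\n'
            "}\n")


# Constructed sample keys built from arbitrary numbers (not real key material).
def _rsa_line(n: int, e: int = 65537, comment: str = "") -> str:
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}".rstrip()


def _dss_line(p: int, q: int, g: int, y: int, comment: str = "") -> str:
    blob = (_ssh_string(b"ssh-dss") + _ssh_mpint(p) + _ssh_mpint(q)
            + _ssh_mpint(g) + _ssh_mpint(y))
    return f"ssh-dss {base64.b64encode(blob).decode()} {comment}".rstrip()


SAMPLE_RSA_2048 = _rsa_line((1 << 2047) | 1, comment="misc-test-key")
SAMPLE_RSA_1024 = _rsa_line((1 << 1023) | 1, comment="short-test-key")
SAMPLE_DSS_1024 = _dss_line((1 << 1023) | 1, (1 << 159) | 1, 2, 3, comment="blino-test-key")
SAMPLE_MISMATCH = "ssh-dss " + SAMPLE_RSA_2048.split()[1]  # type word lies about the blob

if __name__ == "__main__":
    for line in (SAMPLE_RSA_2048, SAMPLE_RSA_1024, SAMPLE_DSS_1024, SAMPLE_MISMATCH):
        print(check_key(line))
    print(puppet_resource("ssh key misc", SAMPLE_RSA_2048))
```

The emitted resource has the same shape as the ones in the mail: the comment that ends an authorized_keys line is deliberately dropped, because Puppet's `key` attribute takes only the base64 blob, and a pasted comment (or a stray type word) would make sshd reject the line.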


