This article demonstrates how to edit (rather than replace) files on puppet agent nodes. In the previous article, we saw how to copy static files from the module's “files” directory on the Puppet Server to the puppet agent nodes. Sometimes, however, you can't replace the complete file and need to edit a specific line in it. For example, you may just want to add a line to the /etc/hosts file. This is typically the case with system config files that are part of the OS, such as /etc/ssh/sshd_config and /etc/fstab, which other system administrators may also change by hand. If you enforce the state of such a file with static files or templates, puppet will constantly overwrite the manual changes made by those administrators. To avoid this, you need to enforce the file's state at a more granular line or section level rather than at the whole-file level.
Controlling whether a certain line (or group of lines) is present in a given file is possible in puppet using Augeas. Augeas is a configuration editing tool. It parses configuration files in their native formats and transforms them into a tree. Configuration changes are made by manipulating this tree and saving it back into the native config files.
Augeas
Augeas is a standalone tool for querying and editing config files from the command line. The “augtool” command line utility lets you navigate and drill down to a particular part of a config file.
1. Install the augeas tool on the puppet agent nodes.
[root@UA-HA ~]# yum install augeas
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package augeas.x86_64 0:1.4.0-2.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================
 Package          Arch            Version               Repository            Size
==========================================================================================================
Installing:
 augeas           x86_64          1.4.0-2.el7           repo-update           38 k

Transaction Summary
==========================================================================================================
Install  1 Package

Total download size: 38 k
Installed size: 62 k
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : augeas-1.4.0-2.el7.x86_64                                   1/1
  Verifying  : augeas-1.4.0-2.el7.x86_64                                   1/1

Installed:
  augeas.x86_64 0:1.4.0-2.el7

Complete!
[root@UA-HA ~]# rpm -qa augeas
augeas-1.4.0-2.el7.x86_64
[root@UA-HA ~]# rpm -ql augeas
/usr/bin/augparse
/usr/bin/augtool
/usr/bin/fadot
/usr/share/man/man1/augparse.1.gz
/usr/share/man/man1/augtool.1.gz
/usr/share/vim/vimfiles/ftdetect/augeas.vim
/usr/share/vim/vimfiles/syntax/augeas.vim
[root@UA-HA ~]#
2. Run the “augtool” command and list the available commands with “help”.
[root@UA-HA ~]# augtool
augtool> help
Admin commands:
  help       - print help
  load       - (re)load files under /files
  quit       - exit the program
  retrieve   - transform tree into text
  save       - save all pending changes
  store      - parse text into tree
  transform  - add a file transform

Read commands:
  dump-xml   - print a subtree as XML
  get        - get the value of a node
  label      - get the label of a node
  ls         - list children of a node
  match      - print matches for a path expression
  print      - print a subtree
  errors     - show all errors encountered in processing files
  span       - print position in input file corresponding to tree

Write commands:
  clear      - clear the value of a node
  clearm     - clear the value of multiple nodes
  ins        - insert new node
  insert     - insert new node (alias of 'ins')
  mv         - move a subtree
  move       - move a subtree (alias of 'mv')
  cp         - copy a subtree
  copy       - copy a subtree (alias of 'cp')
  rename     - rename a subtree label
  rm         - delete nodes and subtrees
  set        - set the value of a node
  setm       - set the value of multiple nodes
  touch      - create a new node

Path expression commands:
  defnode    - set a variable, possibly creating a new node
  defvar     - set a variable

Type 'help' for more information on a command
augtool> quit
[root@UA-HA ~]#
3. Augeas can't edit every file. It can edit only files for which a schema (called a lens) exists. A set of stock lenses ships with augeas by default; they are stored in the “/usr/share/augeas/lenses/dist” directory, one .aug file per supported file format (hosts.aug, sshd.aug, fstab.aug, sudoers.aug and so on).
4. Let's have a look at the hosts.aug lens.
[root@UA-HA dist]# cat hosts.aug
(* Parsing /etc/hosts *)

module Hosts =
  autoload xfm

  let word = /[^# \n\t]+/
  let record = [ seq "host" . Util.indent .
                 [ label "ipaddr" . store word ] . Sep.tab .
                 [ label "canonical" . store word ] .
                 [ label "alias" . Sep.space . store word ]* .
                 Util.comment_or_eol ]

  let lns = ( Util.empty | Util.comment | record ) *

  let xfm = transform lns (incl "/etc/hosts")
[root@UA-HA dist]#
We don't need to understand every detail of this lens; the labels are what matter, because they become the node names in the Augeas tree.
Label 1 – IP Address
Label 2 – Canonical Name
Label 3 – Alias
5. Launch the “augtool” CLI and list the top-level nodes of the tree.
[root@UA-HA dist]# augtool
augtool> ls /
augeas/ = (none)
files/ = (none)
augtool>
Here we have “augeas” and “files”. “augeas” holds the tool's own root and its settings.
augtool> ls /augeas/
root = /
context = /files
variables = (none)
version/ = 1.4.0
save = overwrite
span = disable
load/ = (none)
files/ = (none)
augtool>
“files” mirrors the system's filesystem hierarchy: each config file that a lens can parse appears under it at its own path (for example /files/etc/hosts).
augtool> ls /files/
etc/ = (none)
usr/ = (none)
boot/ = (none)
lib/ = (none)
root/ = (none)
augtool>
6. We will use the /etc/hosts file for the demonstration. First, view the hosts file with cat.
[root@UA-HA ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.203.131 UA-HA   uaha.unixarena.com master
192.168.203.134 UA-HA2  uapa1.unixarena.com
192.155.89.90   pm.puppetlabs.com
54.231.16.224   s3.amazonaws.com
[root@UA-HA ~]#
View the same file using augtool.
[root@UA-HA ~]# augtool print /files/etc/hosts
/files/etc/hosts
/files/etc/hosts/1
/files/etc/hosts/1/ipaddr = "127.0.0.1"
/files/etc/hosts/1/canonical = "localhost"
/files/etc/hosts/1/alias[1] = "localhost.localdomain"
/files/etc/hosts/1/alias[2] = "localhost4"
/files/etc/hosts/1/alias[3] = "localhost4.localdomain4"
/files/etc/hosts/2
/files/etc/hosts/2/ipaddr = "::1"
/files/etc/hosts/2/canonical = "localhost"
/files/etc/hosts/2/alias[1] = "localhost.localdomain"
/files/etc/hosts/2/alias[2] = "localhost6"
/files/etc/hosts/2/alias[3] = "localhost6.localdomain6"
/files/etc/hosts/3
/files/etc/hosts/3/ipaddr = "192.168.203.131"
/files/etc/hosts/3/canonical = "UA-HA"
/files/etc/hosts/3/alias[1] = "uaha.unixarena.com"
/files/etc/hosts/3/alias[2] = "master"
/files/etc/hosts/4
/files/etc/hosts/4/ipaddr = "192.168.203.134"
/files/etc/hosts/4/canonical = "UA-HA2"
/files/etc/hosts/4/alias = "uapa1.unixarena.com"
/files/etc/hosts/5
/files/etc/hosts/5/ipaddr = "192.155.89.90"
/files/etc/hosts/5/canonical = "pm.puppetlabs.com"
/files/etc/hosts/6
/files/etc/hosts/6/ipaddr = "54.231.16.224"
/files/etc/hosts/6/canonical = "s3.amazonaws.com"
[root@UA-HA ~]#
Let's dig deeper into the above output.
The command below lists the numbered host entries in “/etc/hosts”; the lens creates one numbered node per host record, so comment and empty lines are not counted.
[root@UA-HA ~]# augtool ls /files/etc/hosts
1/ = (none)
2/ = (none)
3/ = (none)
4/ = (none)
5/ = (none)
6/ = (none)
[root@UA-HA ~]#
Let's view entry “4” using augtool. The lens labels distinguish the IP address, the canonical name and the aliases.
[root@UA-HA ~]# augtool print /files/etc/hosts/4
/files/etc/hosts/4
/files/etc/hosts/4/ipaddr = "192.168.203.134"
/files/etc/hosts/4/canonical = "UA-HA2"
/files/etc/hosts/4/alias = "uapa1.unixarena.com"
[root@UA-HA ~]#
We can use the get command to read just the IP address node of an entry.
[root@UA-HA ~]# augtool get /files/etc/hosts/3/ipaddr
/files/etc/hosts/3/ipaddr = 192.168.203.131
[root@UA-HA ~]#
Let's modify the IP address in entry “3”. When augtool is given the command on the command line, it saves the file automatically.
[root@UA-HA ~]# augtool set /files/etc/hosts/3/ipaddr 192.168.203.139
Saved 1 file(s)
[root@UA-HA ~]# augtool get /files/etc/hosts/3/ipaddr
/files/etc/hosts/3/ipaddr = 192.168.203.139
[root@UA-HA ~]#
This part has given an overview of the augeas tool. In the second part of the article, we will see how it can be integrated with puppet to edit the config files.
Puppet – Augeas Resource type: (To Edit sshd config)
Augeas is available as a puppet resource type to edit configuration files. Assume that the security team has asked you to disable direct root login over “ssh” on all the servers. Using the augeas resource type, we will edit the sshd_config file on the puppet agent nodes to complete the task.
1. Log in to the Puppet server as root.
2. Navigate to the production environment's module directory.
[root@UA-HA ~]# cd /etc/puppetlabs/code/environments/production/modules/
[root@UA-HA modules]# ls -lrt
total 0
drwxr-xr-x 3 root root 22 Feb  8 14:16 helloworld
drwxr-xr-x 6 root root 65 Feb  8 15:15 accounts
drwxr-xr-x 6 root root 65 Feb 10 23:36 httpd
drwxr-xr-x 5 root root 50 Feb 14 07:18 ntpconfig
drwxr-xr-x 5 root root 50 Feb 14 09:02 filetest
drwxr-xr-x 5 root root 50 Feb 14 10:55 testdirs
[root@UA-HA modules]#
3. Create a new module structure for sshd_config changes.
[root@UA-HA modules]# mkdir -p sshdroot/{files,manifests,templates}
[root@UA-HA modules]# tree sshdroot
sshdroot
├── files
├── manifests
└── templates

3 directories, 0 files
[root@UA-HA modules]#
4. Navigate to the module's manifests directory.
[root@UA-HA manifests]# cd sshdroot/manifests
[root@UA-HA manifests]#
5. Create a file called init.pp with the following contents.
class sshdroot {
  augeas { "sshd_config":
    changes => [
      "set /files/etc/ssh/sshd_config/PermitRootLogin no",
    ],
  }
}
6. Navigate back to the production environment's manifests directory to classify the nodes.
[root@UA-HA manifests]# ls -lrt
total 4
-rw-r--r-- 1 root root 124 Feb 15 14:13 init.pp
[root@UA-HA manifests]# pwd
/etc/puppetlabs/code/environments/production/modules/sshdroot/manifests
[root@UA-HA manifests]#
[root@UA-HA manifests]# cd ../../../manifests/
[root@UA-HA manifests]# ls -lrt
total 8
-rw-r--r-- 1 pe-puppet pe-puppet 1226 Feb 10 23:44 site.pp
-rw-r--r-- 1 root      root        35 Feb 14 11:59 nodes.pp
[root@UA-HA manifests]#
7. Edit nodes.pp, specify the puppet agent node and include the module “sshdroot”.
[root@UA-HA manifests]# cat nodes.pp
node uapa1 {
  include sshdroot
}
[root@UA-HA manifests]#
8. Log in to the puppet agent node and check the current sshd_config.
[root@uapa1 ~]# grep Root /etc/ssh/sshd_config
PermitRootLogin yes
[root@uapa1 ~]#
9. Run the puppet agent command to fetch and apply the catalog from the master (or wait up to 30 minutes for the scheduled agent run).
[root@uapa1 ~]# puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for uapa1
Info: Applying configuration version '1455602675'
Notice: Augeas[sshd_config](provider=augeas):
--- /etc/ssh/sshd_config	2016-02-19 16:53:13.595263754 -0500
+++ /etc/ssh/sshd_config.augnew	2016-02-19 16:55:49.758072581 -0500
@@ -46,7 +46,7 @@
 # Authentication:

 #LoginGraceTime 2m
-PermitRootLogin yes
+PermitRootLogin no
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10

Notice: /Stage[main]/Sshdroot/Augeas[sshd_config]/returns: executed successfully
Notice: Applied catalog in 7.44 seconds
10. Verify the current setting in sshd_config. “PermitRootLogin” should now be set to “no”.
[root@uapa1 ~]# grep Root /etc/ssh/sshd_config
PermitRootLogin no
# the setting of "PermitRootLogin without-password".
[root@uapa1 ~]#
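As an added example (not the article's own module), here is a fuller version of the sshdroot class that covers both the /etc/hosts record editing shown with augtool in part 1 and the sshd_config change from steps 5 to 10, including the sshd refresh that the edit alone does not trigger. The master IP address and hostname are placeholder values.

```puppet
# Added example, not the article's init.pp. The IP and hostname defaults are
# placeholders; pass real values as class parameters.
class sshdroot (
  String $permit_root_login = 'no',
  String $master_ip         = '192.0.2.10',          # placeholder
  String $master_name       = 'puppet.example.com',  # placeholder
) {
  # lens + incl make augeas load only sshd_config instead of every file it has
  # a lens for; the path in 'changes' is relative to 'context'.
  augeas { 'sshd_config-PermitRootLogin':
    context => '/files/etc/ssh/sshd_config',
    lens    => 'Sshd.lns',
    incl    => '/etc/ssh/sshd_config',
    changes => ["set PermitRootLogin ${permit_root_login}"],
    notify  => Service['sshd'],
  }

  # sshd reads its config only at start-up: without this refresh the edited
  # file is inert and root logins are still accepted until the next restart.
  service { 'sshd':
    ensure => running,
    enable => true,
  }

  # 'set 01/...' always creates a fresh host record ("01" is a new sequence
  # label, as in the augeas docs), so without 'onlyif' every agent run would
  # append a duplicate line. The match guard keeps the resource idempotent.
  augeas { 'hosts-puppet-master':
    context => '/files/etc/hosts',
    lens    => 'Hosts.lns',
    incl    => '/etc/hosts',
    changes => [
      "set 01/ipaddr ${master_ip}",
      "set 01/canonical ${master_name}",
      'set 01/alias master',
    ],
    onlyif  => "match *[canonical = '${master_name}'] size == 0",
  }
}
```

A dry run with `puppet agent -t --noop` on the agent shows the diff augeas would write (as in step 9) without touching the file or restarting sshd.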
This is how you analyse a config file with augeas, create a module using the augeas resource type and push the change to the puppet agent nodes from the puppet server.
Hope this article is informative to you. Share it! Comment it!! Be Sociable!!!