Tim Landscheidt has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/267832

Change subject: Tools: Outfactor the configuration for outgoing HBA connections
......................................................................

Tools: Outfactor the configuration for outgoing HBA connections

Currently, the configuration for bastion hosts to enable outgoing ssh
connections with host-based authentication is maintained as a file
resource in three different classes, toollabs::bastion,
toollabs::cronrunner and toollabs::submit.  This makes it impossible
to apply more than one of those classes to the same instance.  In
addition, the puppetization of the ssh client configuration as a whole
is confusing with regard to what parameters are set intentionally and
what is just copied and pasted.

This change factors out the configuration for outgoing host-based
authentication to a new class toollabs::hba::client so that it can be
used by multiple classes on the same instance, and it accomplishes the
configuration by the use of file_line resources.

Change-Id: I7c90928981c9bd71f5de061ad9aafb1b887a9890
---
D modules/toollabs/files/submithost-ssh_config
M modules/toollabs/manifests/bastion.pp
M modules/toollabs/manifests/cronrunner.pp
A modules/toollabs/manifests/hba/client.pp
M modules/toollabs/manifests/submit.pp
5 files changed, 31 insertions(+), 92 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/32/267832/1

diff --git a/modules/toollabs/files/submithost-ssh_config 
b/modules/toollabs/files/submithost-ssh_config
deleted file mode 100644
index cf234e1..0000000
--- a/modules/toollabs/files/submithost-ssh_config
+++ /dev/null
@@ -1,57 +0,0 @@
-# This file is managed by puppet!
-
-# This is the ssh client system-wide configuration file.  See
-# ssh_config(5) for more information.  This file provides defaults for
-# users, and the values can be changed in per-user configuration files
-# or on the command line.
-
-# Configuration data is parsed as follows:
-#  1. command line options
-#  2. user-specific file
-#  3. system-wide file
-# Any configuration value is only changed the first time it is set.
-# Thus, host-specific definitions should be at the beginning of the
-# configuration file, and defaults at the end.
-
-# Site-wide defaults for some commonly used options.  For a comprehensive
-# list of available options, their meanings and defaults, please see the
-# ssh_config(5) man page.
-
-Host *
-#   ForwardAgent no
-#   ForwardX11 no
-#   ForwardX11Trusted yes
-#   RhostsRSAAuthentication no
-#   RSAAuthentication yes
-#   PasswordAuthentication yes
-#   GSSAPIAuthentication no
-#   GSSAPIDelegateCredentials no
-#   GSSAPIKeyExchange no
-#   GSSAPITrustDNS no
-#   BatchMode no
-#   CheckHostIP yes
-#   AddressFamily any
-#   ConnectTimeout 0
-#   StrictHostKeyChecking ask
-#   IdentityFile ~/.ssh/identity
-#   IdentityFile ~/.ssh/id_rsa
-#   IdentityFile ~/.ssh/id_dsa
-#   Port 22
-#   Protocol 2,1
-#   Cipher 3des
-#   Ciphers 
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
-#   MACs hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160
-#   EscapeChar ~
-#   Tunnel no
-#   TunnelDevice any:any
-#   PermitLocalCommand no
-#   VisualHostKey no
-#   ProxyCommand ssh -q -W %h:%p gateway.example.com
-    SendEnv LANG LC_*
-    HashKnownHosts yes
-    GSSAPIAuthentication yes
-    GSSAPIDelegateCredentials no
-
-# Enable accessing other hosts with host-based authentication.
-HostbasedAuthentication yes
-EnableSSHKeysign yes
diff --git a/modules/toollabs/manifests/bastion.pp 
b/modules/toollabs/manifests/bastion.pp
index 73e002c..1489ba1 100644
--- a/modules/toollabs/manifests/bastion.pp
+++ b/modules/toollabs/manifests/bastion.pp
@@ -11,19 +11,11 @@
 # Sample Usage:
 #
 class toollabs::bastion inherits toollabs {
-
-    include gridengine::submit_host,
-            gridengine::admin_host,
-            toollabs::exec_environ,
-            toollabs::dev_environ
-
-    file { '/etc/ssh/ssh_config':
-        ensure => file,
-        mode   => '0444',
-        owner  => 'root',
-        group  => 'root',
-        source => 'puppet:///modules/toollabs/submithost-ssh_config',
-    }
+    include gridengine::admin_host
+    include gridengine::submit_host
+    include toollabs::dev_environ
+    include toollabs::exec_environ
+    include toollabs::hba::client
 
     # webservice-new command
     package { 'toollabs-webservice':
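Review bot: Dropping the `file { '/etc/ssh/ssh_config': ... }` resource also drops management of the file's owner, group and `0444` mode, and nothing in the new includes pins them; the cronrunner and submit hunks have the same gap. The deleted submithost-ssh_config additionally set `SendEnv LANG LC_*`, `HashKnownHosts yes`, `GSSAPIAuthentication yes` and `GSSAPIDelegateCredentials no` under `Host *`, so those values now come from whatever the openssh-client package ships on each release rather than from puppet. If any of them was intentional it needs a file_line of its own in toollabs::hba::client (or a separate class); otherwise a sentence in the commit message saying they are deliberately left at distribution defaults would remove the ambiguity the description itself complains about. The body of toollabs::bastion continues past the hunk.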
diff --git a/modules/toollabs/manifests/cronrunner.pp 
b/modules/toollabs/manifests/cronrunner.pp
index 8a468d3..1547be6 100644
--- a/modules/toollabs/manifests/cronrunner.pp
+++ b/modules/toollabs/manifests/cronrunner.pp
@@ -1,7 +1,8 @@
 class toollabs::cronrunner {
-    include gridengine::submit_host,
-            toollabs::hba,
-            toollabs
+    include gridengine::submit_host
+    include toollabs
+    include toollabs::hba
+    include toollabs::hba::client
 
     # We need to include exec environment here since the current
     # version of jsub checks the local environment to find the full
@@ -10,14 +11,6 @@
     # nodes. This is kind of terrible, so we need to fix that eventually.
     # Until then...
     include toollabs::exec_environ
-
-    file { '/etc/ssh/ssh_config':
-        ensure => file,
-        mode   => '0444',
-        owner  => 'root',
-        group  => 'root',
-        source => 'puppet:///modules/toollabs/submithost-ssh_config',
-    }
 
     motd::script { 'submithost-banner':
         ensure => present,
diff --git a/modules/toollabs/manifests/hba/client.pp 
b/modules/toollabs/manifests/hba/client.pp
new file mode 100644
index 0000000..45dc985
--- /dev/null
+++ b/modules/toollabs/manifests/hba/client.pp
@@ -0,0 +1,19 @@
+# Class: toollabs::hba::client
+#
+# This class configures an instance to enable outgoing ssh connections
+# with host-based authentication.
+class toollabs::hba::client {
+    file_line { 'ssh_config_hostbasedauthentication':
+        ensure => present,
+        path   => '/etc/ssh/ssh_config',
+        line   => 'HostbasedAuthentication yes',
+        match  => '^ *HostbasedAuthentication\b',
+    }
+
+    file_line { 'ssh_config_enablesshkeysign':
+        ensure => present,
+        path   => '/etc/ssh/ssh_config',
+        line   => 'EnableSSHKeysign yes',
+        match  => '^ *EnableSSHKeysign\b',
+    }
+}
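Review bot: The `match` regex `^ *HostbasedAuthentication\b` is anchored only to the start of the line, so if the distribution ssh_config (or a later local edit) carries the option inside a host-specific `Host`/`Match` stanza, file_line rewrites that line in place and the `yes` stays scoped to that stanza instead of applying globally; the EnableSSHKeysign resource has the same property. When nothing matches, the line is appended to the end of the file, which ssh_config(5) scopes to the last preceding `Host`/`Match` block — fine for a file that ends with `Host *`, but that is an assumption the class should state. A header comment such as `# Lines are appended to /etc/ssh/ssh_config and only apply globally if the last Host/Match stanza in that file is 'Host *'.` would make the dependency explicit, and the class doc could also note that the server-side trust for the target hosts is configured separately (toollabs::hba).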
diff --git a/modules/toollabs/manifests/submit.pp 
b/modules/toollabs/manifests/submit.pp
index 3aa3748..dd8b0db 100644
--- a/modules/toollabs/manifests/submit.pp
+++ b/modules/toollabs/manifests/submit.pp
@@ -13,17 +13,9 @@
 # Sample Usage:
 #
 class toollabs::submit inherits toollabs {
-
-    include gridengine::submit_host,
-            toollabs::hba
-
-    file { '/etc/ssh/ssh_config':
-        ensure => file,
-        mode   => '0444',
-        owner  => 'root',
-        group  => 'root',
-        source => 'puppet:///modules/toollabs/submithost-ssh_config',
-    }
+    include gridengine::submit_host
+    include toollabs::hba
+    include toollabs::hba::client
 
     motd::script { 'submithost-banner':
         ensure => present,

-- 
To view, visit https://gerrit.wikimedia.org/r/267832
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I7c90928981c9bd71f5de061ad9aafb1b887a9890
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Tim Landscheidt <t...@tim-landscheidt.de>
