Hiera and how it works within Puppet
Hiera lets us override a module's parameters with data instead of editing the module itself - in this example I will be tweaking some of the default settings of the saz/ssh module.
Hiera 5 is built into Puppet (4.9 and later), so nothing needs installing for the steps below; the puppet/hiera module from the Forge only manages Hiera's configuration and is optional:
puppet module install puppet/hiera
Hiera makes use of hierarchies - for example servers in a particular location might need a particular DNS server, while all servers should share the same SSH configuration. The hierarchy (an ordered list of data sources, most specific first) is defined in hiera.yaml, and the values themselves live in the data files it points at:
cat /etc/puppetlabs/code/environments/production/hiera.yaml
---
version: 5
defaults:
  # The default value for "datadir" is "data" under the same directory as the hiera.yaml
  # file (this file)
  # When specifying a datadir, make sure the directory exists.
  # See https://docs.puppet.com/puppet/latest/environments.html for further details on environments.
  # datadir: data
  # data_hash: yaml_data
hierarchy:
  - name: "Per-node data (yaml version)"
    path: "nodes/%{::trusted.certname}.yaml"
  - name: "Other YAML hierarchy levels"
    paths:
      - "common.yaml"
We're going to modify the hierarchy a little, so let's back it up first:
cp /etc/puppetlabs/code/environments/production/hiera.yaml /etc/puppetlabs/code/environments/production/hiera.yaml.bak
and replace it with the following, which adds an "Operating System" level between the per-node data and the defaults:
---
version: 5
defaults:
  # The default value for "datadir" is "data" under the same directory as the hiera.yaml
  # file (this file)
  # When specifying a datadir, make sure the directory exists.
  # See https://docs.puppet.com/puppet/latest/environments.html for further details on environments.
  # datadir: data
  # data_hash: yaml_data
hierarchy:
  - name: "Per-Node"
    path: "nodes/%{::trusted.certname}.yaml"
  - name: "Operating System"
    # %{facts.os.family} is the structured form of the legacy osfamily fact;
    # newer agents can have legacy top-level facts disabled, so prefer the structured name.
    path: "os/%{facts.os.family}.yaml"
  - name: "Defaults"
    paths:
      - "common.yaml"
We now have the ability to set OS-specific settings - for example some (older) operating systems might not support particular cipher suites or key exchange algorithms, so their cipher list can live in the OS level while the rest of the hardening stays in common.yaml.
Let's run the following on the client to identify which OS family Facter reports (this is the value that fills in the os/ path in the hierarchy):
facter os.family
RedHat
The same value appears as family => "RedHat" inside the structured os fact when facter is run with no arguments.
So let's create the relevant structure (the os/ directory does not exist yet, and common.yaml belongs directly under data/ to match the hierarchy):
mkdir -p /etc/puppetlabs/code/environments/production/data/os
touch /etc/puppetlabs/code/environments/production/data/os/RedHat.yaml
touch /etc/puppetlabs/code/environments/production/data/os/Debian.yaml
touch /etc/puppetlabs/code/environments/production/data/common.yaml
We'll proceed by installing the saz/ssh module:
puppet module install saz/ssh
In this example we will concentrate on hardening the SSH server. saz/ssh writes each key of ssh::server_options straight into sshd_config, so the names and values must be ones sshd accepts (the heredoc delimiter is quoted so the shell leaves the %{} interpolations for Hiera):
cat <<'EOT' > /etc/puppetlabs/code/environments/production/data/common.yaml
---
ssh::storeconfigs_enabled: true
ssh::server_options:
  Protocol: '2'
  ListenAddress:
    - '127.0.0.1'
    - '%{::hostname}'
  PasswordAuthentication: 'no'
  SyslogFacility: 'AUTHPRIV'
  HostbasedAuthentication: 'no'
  PubkeyAuthentication: 'yes'
  UsePAM: 'yes'
  X11Forwarding: 'no'
  ClientAliveInterval: '300'
  ClientAliveCountMax: '0'
  IgnoreRhosts: 'yes'
  PermitEmptyPasswords: 'no'
  StrictModes: 'yes'
  AllowTcpForwarding: 'no'
EOT
A few of these need care before they reach production. ListenAddress must name an address sshd can actually bind: 127.0.0.1 is the loopback host, whereas 127.0.0.0 is a network address and will fail. '%{::hostname}' is resolved by sshd at start-up, so if the hostname resolves to a loopback address (common on Debian-style hosts with a 127.0.1.1 entry in /etc/hosts) sshd will listen locally only and you will lock yourself out; a fact such as %{::ipaddress}, or leaving ListenAddress unset, is safer. Protocol '2' is redundant on current OpenSSH, which only speaks protocol 2 and logs a deprecated-option warning for it. Finally, ClientAliveInterval and ClientAliveCountMax detect unresponsive clients rather than idle users, and on OpenSSH 8.2 and later a ClientAliveCountMax of 0 disables the check entirely instead of dropping the connection after the first missed probe.
We can check / test the values with the following (--node makes Hiera use that node's facts from PuppetDB or the server's fact cache, so the per-node and OS levels resolve as they would on the agent):
puppet lookup ssh::server_options --merge deep --environment production --explain --node <node-name>
Note that --merge deep only changes how this command combines the levels. When the ssh class receives ssh::server_options through automatic parameter lookup, Hiera uses its default first-found strategy unless a lookup_options entry in the data marks the key for deep merging, so an OS or per-node file that sets ssh::server_options replaces the whole hash from common.yaml rather than adding to it.
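To see why the merge strategy matters, here is a small Python model of the lookup Hiera performs over the three levels above. It is an added example, not part of the original article and not Puppet's own code: it re-implements only path interpolation, the first-found strategy and the deep merge strategy, and writes constructed sample data as JSON (a format Hiera 5 also reads through its json_data backend) into a temporary directory. The node names, the RedHat cipher list and the bastion host's override are made up for the illustration.

```python
"""Model of the Hiera 5 lookup performed over the hierarchy above.

Added example: not part of the original article and not Puppet's own code.
It re-implements just enough of Hiera (path interpolation, the default
first-found strategy and the deep merge strategy) to show how the three
levels combine. The data files are written as JSON, which Hiera 5 also
reads via its json_data backend, so no YAML library is required.
All node names, the cipher list and the overrides are constructed.
"""
import json
import os
import re
import tempfile

# Hierarchy from hiera.yaml, most specific level first.
# %{facts.os.family} is the structured form of the legacy osfamily fact.
HIERARCHY = [
    "nodes/%{trusted.certname}",
    "os/%{facts.os.family}",
    "common",
]

# Constructed sample data for the three levels.
SAMPLE_DATA = {
    "common": {
        "ssh::server_options": {
            "PasswordAuthentication": "no",
            "X11Forwarding": "no",
            "AllowTcpForwarding": "no",
        },
    },
    "os/RedHat": {
        # An older family that needs an explicit cipher list.
        "ssh::server_options": {"Ciphers": "aes256-ctr,aes192-ctr,aes128-ctr"},
    },
    "nodes/bastion.example.com": {
        # One jump host that legitimately needs TCP forwarding.
        "ssh::server_options": {"AllowTcpForwarding": "yes"},
    },
}

INTERPOLATION = re.compile(r"%\{([^}]+)\}")


def interpolate(template, scope):
    """Replace %{a.b.c} with the value found by walking nested dicts in scope."""
    def resolve(match):
        value = scope
        for part in match.group(1).lstrip(":").split("."):
            value = value[part]
        return str(value)
    return INTERPOLATION.sub(resolve, template)


def deep_merge(base, override):
    """Hiera's deep strategy: nested hashes merge key by key, the more specific level wins."""
    merged = dict(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged


def write_datadir(datadir, data):
    """Lay the sample data out as datadir/<level>.json."""
    for level, content in data.items():
        path = os.path.join(datadir, level + ".json")
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            json.dump(content, fh)


def hiera_lookup(datadir, key, scope, merge="first"):
    """Walk the hierarchy top-down and collect every level that defines key."""
    hits = []
    for level in HIERARCHY:
        path = os.path.join(datadir, interpolate(level, scope) + ".json")
        if not os.path.exists(path):
            continue
        with open(path) as fh:
            data = json.load(fh)
        if key in data:
            hits.append(data[key])
    if not hits:
        raise KeyError(key)
    if merge == "first":
        return hits[0]              # default for automatic parameter lookup
    merged = {}
    for value in reversed(hits):    # least specific first, so specific levels win
        merged = deep_merge(merged, value)
    return merged


def demo(certname="web01.example.com", os_family="RedHat"):
    """Return (first-found result, deep-merged result) for one node."""
    scope = {"trusted": {"certname": certname}, "facts": {"os": {"family": os_family}}}
    with tempfile.TemporaryDirectory() as datadir:
        write_datadir(datadir, SAMPLE_DATA)
        first = hiera_lookup(datadir, "ssh::server_options", scope, "first")
        deep = hiera_lookup(datadir, "ssh::server_options", scope, "deep")
    return first, deep


if __name__ == "__main__":
    first, deep = demo()
    print("first-found:", first)   # only the RedHat Ciphers entry survives
    print("deep merge: ", deep)    # common.yaml hardening plus Ciphers
```

With the first-found strategy, which is what the ssh class gets through automatic parameter lookup, the RedHat file's single Ciphers entry replaces the whole hash and PasswordAuthentication silently falls back to the sshd default. To get the deep result in Puppet itself, add a lookup_options entry in common.yaml that sets merge: deep for ssh::server_options (lookup_options is itself a Hiera key, consulted before the data is looked up).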
Hiera data files are read on every lookup, so no restart is needed for changes under data/. A changed hiera.yaml is picked up too as long as environment_timeout is 0 (the default); if you have enabled environment caching, flush the cache or restart Puppet Server:
sudo service puppetserver restart
and run the agent on the client:
puppet agent -t
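Once the agent has applied the catalog, confirm the settings reached sshd rather than trusting the Puppet report. The following is an added example (not from the article or the saz/ssh module) that reads the effective server configuration printed by sshd -T, which lists every directive in lower case after defaults and Match blocks are applied, and compares it with the options set in common.yaml. The sshd -T output embedded in it is constructed for offline use and deliberately leaves PasswordAuthentication at yes; the script name check_sshd.py is an assumption.

```python
"""Audit the running sshd against the hardening set in common.yaml.

Added example, not from the article or the saz/ssh module. It parses the
effective configuration printed by `sshd -T` (one lower-case directive per
line, repeated directives such as listenaddress on separate lines) and
reports every expected option that is missing or differs.
On the client:  sudo sshd -T | python3 check_sshd.py
"""
import sys

# Expected values, mirroring ssh::server_options in common.yaml. Protocol is
# left out because current OpenSSH no longer honours or prints it.
EXPECTED = {
    "passwordauthentication": "no",
    "hostbasedauthentication": "no",
    "pubkeyauthentication": "yes",
    "usepam": "yes",
    "x11forwarding": "no",
    "clientaliveinterval": "300",
    "clientalivecountmax": "0",
    "ignorerhosts": "yes",
    "permitemptypasswords": "no",
    "strictmodes": "yes",
    "allowtcpforwarding": "no",
}

# Constructed sample of `sshd -T` output: PasswordAuthentication was left
# enabled so the audit has something to report.
SAMPLE_SSHD_T = """\
port 22
listenaddress 127.0.0.1:22
listenaddress 10.0.0.5:22
passwordauthentication yes
hostbasedauthentication no
pubkeyauthentication yes
usepam yes
x11forwarding no
clientaliveinterval 300
clientalivecountmax 0
ignorerhosts yes
permitemptypasswords no
strictmodes yes
allowtcpforwarding no
"""


def parse_sshd_t(text):
    """Return {directive: [values]} from `sshd -T` output; repeated directives accumulate."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        config.setdefault(key.lower(), []).append(value.strip())
    return config


def audit(config, expected=EXPECTED):
    """List (directive, expected, effective) for every option that is missing or differs."""
    findings = []
    for key, want in expected.items():
        got = config.get(key)
        if got is None or got[0] != want:
            findings.append((key, want, got[0] if got else None))
    return findings


def loopback_only(config):
    """True when every ListenAddress is loopback, i.e. the host cannot be reached over SSH."""
    addrs = config.get("listenaddress", [])
    return bool(addrs) and all(a.startswith(("127.", "[::1]")) for a in addrs)


def main():
    # Read real `sshd -T` output from a pipe; fall back to the constructed sample.
    text = SAMPLE_SSHD_T if sys.stdin.isatty() else sys.stdin.read()
    config = parse_sshd_t(text)
    findings = audit(config)
    for key, want, got in findings:
        print(f"MISMATCH {key}: expected {want}, effective {got}")
    if loopback_only(config):
        print("WARNING sshd listens on loopback only; check the ListenAddress entries")
    return 1 if findings or loopback_only(config) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Running it against the constructed sample reports a single mismatch for passwordauthentication; on a real host a non-zero exit from the pipeline is the signal that the catalog did not produce the sshd you expected, whether because a higher hierarchy level replaced the hash, because sshd rejected a directive, or because a Match block changed it.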