This module contains facts and classes specific for CERIT-SC environment.
Module has been tested on:
- Puppet 3.3
- Debian and Red Hat family systems
Required modules:
Fact | Description | Example |
---|---|---|
city | Machine physical location | brno, jihlava |
is_cluster | Is cluster node? | true, false |
clustername | Detect name of cluster | zewura |
clusternodeid | Detect node ID in cluster | 12 |
link_ethX | Is link on net. iface? | true, false |
speed_ethX | Net. iface speed [Mbit/s] | 10000 |
speeds_ethX | List of supported net. speeds | 10,100,1000 |
kernels_avail | List of available kernel pkgs | |
headers_avail | List of available header pkgs | |
has_dmar_error | Is there DMAR error on machine? | true, false |
has_kernel_zs | Is running kernel patched by ZS? | true, false |
has_libnfsidmap2_du | Is installed our libnfsidmap2? | true, false |
has_scratch | Is /scratch available? | true, false |
has_scratchssd | Is /scratch.ssd available? | true, false |
mounts | List of current mount points | /,/boot,/home |
virtual | Fixed generic fact for KVM | |
is_numa | Is hardware NUMA? | true, false |
numacount | Number of NUMA nodes | |
has_hyperthreading | Is hyperthreading enabled? | true, false |
physicalcorecount | Number of physical cores | |
processorcorethreadcount | Number of threads per core | |
processorcorecount | Number of cores per socket | |
processorsocketcount | Number of CPU sockets in system | |
processorl1dsize | L1 data cache size | |
processorl1isize | L1 instruction cache size | |
processorl2size | L2 cache size | |
processorl3size | L3 cache size |
List:
Configure firewall default rules (based on RHEL's defaults).
class { 'cerit::firewall':
enabled => false|true, # enable configuration
purge => false|true, # purge rules not managed by Puppet
strict => false|true, # drop all undefined traffic
source_ssh => '0.0.0.0/0', # enable sshd from address range
source_http => CIDR, # enable http from address range
source_https => CIDR, # enable https from address range
services => {}, # hash of cerit::firewall::service resources
}
Simple custom service rules can be specified as hash passed to
create_resources
to get cerit::firewall::service
resources.
Example:
$services = {
'postgresql' => {
'port' => '5432',
'source' => '1.2.3.4/24'
}
}
class { 'cerit::firewall':
services => $services,
}
Set password for privileged user default or based on host (group) security level.
class { 'cerit::passwd':
user => 'root', # privileged user name
password => '*', # default password
level => '...', # host security level
levels => { ... }, # hash of security levels and passwords
}
Example:
class { 'cerit::passwd':
password => '*', # empty default password, if no level specified
level => 2, # take password for security level 2
levels => {
1 => 'password hash X',
2 => 'password hash Y',
3 => 'password hash Z'
},
}
Simple Puppet agent boostrap.
class { 'cerit::puppet':
enabled => false|true, # enable Puppet
cron => false|true, # Puppet as service or cron
command => '...', # cron command
packages => array, # packages override
config => '...', # configuration file
service => 'puppet', # service name
server => '...'. # Puppet server hostname
environment => 'production', # Puppet environment
runinterval => 1800, # run interval
configtimeout => 120, # server timeout
prerun_command => '...', # prerun command
postrun_command => '...', # postrun command
}
Example:
class { 'cerit::puppet':
server => 'puppet.example.com',
environment => 'devel',
runinterval => 3600, # once per hour
}
Creates standard login banners for CERIT-SC or ICS-MU.
class { 'cerit::motd':
message => '...', # custom add-on message
logo => array, # custom 4 lines logo in 4 array elements
}
Example:
$logo = [
' ___ ',
'| __|__ ___ ',
'| _/ _ \/ _ \',
'|_|\___/\___/',
]
class { 'cerit::motd':
message => 'Merry Christmas and Happy New Year',
logo => $logo,
}
Typical banner looks like:
___ ___ ___ _ _____ ___ ___ Hostname: localhost.localdomain (Brno)
/ __| __| _ \| |_ _|__/ __|/ __| System: Debian 6.0.7 on x86_64
| (__| _|| /| | | ||___\__ \ (__ CPU cores: 80x (80x physical)
\___|___|_|_\|_| |_| |___/\___| Mem./swap: 504.90 GB / 162.71 GB (NUMA)
<<< custom $message here (if any) >>>
Last login: Tue Oct 8 11:45:19 2013 from localhost.localdomain
Create unprivileged Zenoss user for remote monitoring via SSH.
class { 'cerit::zenoss':
enabled => false|true, # enable Zenoss user
user_name => '...', # user name
group_name => '...', # group name
allow_from => '...', # restrict access via SSH key from
key => '...', # SSH public key
type => '...', # SSH public key type
sudo_package => '...', # package name with sudo
sudo_parameters => ['!requiretty'], # list of sudo parameters for user group
sudo_commands => [ # list of allowed commands in sudo format
'(ALL) NOPASSWD: /usr/sbin/dmidecode *',
'(ALL) NOPASSWD: /usr/bin/ipmitool *',
'(ALL) NOPASSWD: /usr/sbin/smartctl *'
],
}
Example:
class { 'cerit::zenoss':
allow_from => 'zenoss.localdomain',
user_name => 'zen',
group_name => 'zen',
}
Various one-time OS hacks
Enable/disable asynchronous NFS mounts on Debian.
Write FQDN into machine hostname configuration.
CERIT Scientific Cloud, support@cerit-sc.cz