Skip to content

Lottabytes

Adventures in Enterprise Systems Management and Automation

  • My Gitlab
Lottabytes

Month: November 2013

Intelligent Password Changes with Puppet

0
November 19, 2013

I need to change the root password on all my hosts but I have a small problem: some hosts have older md5 hashed passwords and the newer ones use the more secure SHA-512 hash. If I did not care about the different hashes and wanted to have SHA-512 across the board I would do a very simple manifest entry to make this happen: Problem is I want to replace the old md5 hashes with new md5 hashes and the old SHA-512 with new SHA-512; not something that Puppet supports very easily. To do this we are going to build a new module with a Custom Fact written in Ruby. First off I need to explain some things if you are new to Puppet.

  • A module is stored under /etc/puppet/modules and is called via an include declaration in the site.pp Master Manifest
  • A module has it’s own Manifest called init.pp under /etc/puppet/modules/<module_name>/manifests
  • Inside the init.pp is a class that MUST be named the same as your folder structure. Example: if the folder at /etc/puppet/modules/<module_name> is named “rootpass” then your class declaration must be “class rootpass {….”
  • A module is very powerful and the functionality is written in Ruby

Now that we have those out of the way lets start. If you are doing this your self here is the folder structure to make life easier:

password-structure

Let’s visit each component a piece at a time

1. Custom Fact – sha512rootpass.rb. Puppet if Statements can be a bit tricky (see http://docs.puppetlabs.com/learning/variables.html) so in this case I needed a Custom Fact that checked to see if the root password was a SHA-512 hash which is indicated by it starting with “$6$” (md5 is $1$). If the root password is indeed a SHA-512 hash then the variable sha512rootpass will return with a “true” value. This functionality is delivered by Ruby Facter. For more information take a look at http://docs.puppetlabs.com/guides/custom_facts.html. My custom fact is silly simple, it just greps the shadow file for “root:$6$*” and if it’s there then returns “true” which means that root has a SHA-512 hashed password.

password-sha512

2. New Class – init.pp. The logic for the operation that we actually want to run is located in the init.pp file. Here is where we define our class (reminder, it needs to be the same as you top level folder name). This one basically says “If root is using a SHA-512 password hash (defined by $sha512rootpass = true) replace it with this new one. If not then assume it’s md5 and replace it with this new md5 hash.

password-init

Now we need to tell Puppet what servers to apply this to and this is done by modifying the site.pp Manifest on the Puppet Master. For now I’m going to apply it to all my nodes and so I just add it to my default. If you wanted you can add a new section that says “node <hostname> {include rootpass}” and it would be applied just to that host.

password-include

Now lets test it on an agent box that has an md5 hashed password and a box that has a SHA-512 password. Our older box with md5 is the first up to bat…..

password-md5

As you can see the password was a md5 ($1$) and was changed appropriately. Next let’s look at a box with SHA-512.

password-shachange

As you can see the old password was a SHA-512 hash and has been replaced with the new SHA-512 hash. Success!

custom fact, md5, module, password change, Puppet, Puppet Master, sha-512

Getting Started with Puppet Open Source

0
November 19, 2013

I’m starting to work with Puppet and noticed that when I am using the open source version there is not really a good “Getting Started” guide and documentation is rather lacking. Not wanting anyone else to suffer through that here is my attempt at it. Hope it helps others.

Building the Puppet Master

First we are going to check what OS we are running, in my case it’s CentOS 6.4 x64 so we’re going to grab the repo from yum.puppetlabs.com. After that I look to see what’s available and then finally install with a yum install puppet-server.noarch.

 puppet-repo

Once Puppet is installed we need to do some things. First we take a look at the stock puppet.conf file. Now, let’s make it useful by adding the server name (remember: this is the Puppet Master so it’s $HOSTNAME) and enabling pluginsync.

puppet-start-config

As you can see the file structure of Puppet is pretty empty with the open source version… Let’s add site.pp which is the master Manifest for all your Puppet tasks.

puppet-site.pp

I’m going to add a very simple puppet command that applies to all hosts (nodes) and creates a new user with a SHA-512 password hash. This Manifest file is the source of truth for all your Puppet tasks, more about that later for now remember site.pp is critical.

puppet-site-pp-creation

Lastly before starting the services we need to open 2 ports on the firewall.

iptables-puppet

Now that the Manifest is complete and we have open ports let’s start the Puppet and Puppet Master services.

puppet-running

We did all that work, let’s see if Puppet works. (Note, if you get an error here there is a good chance that iptables is blocking your Puppet traffic). To do that we are going to call the Puppet agent and tell it to run, but not apply any changes (-noop). As we can see it detected that our new user account is missing but did not change anything.

puppet-noop-test

That’s all great, now let’s apply it. There are a couple ways to do this:

1. Wait 30 minutes, the agent will automatically run and apply the change.

2. Run puppet agent –test

puppet-add-user

As we can see, the change was successfully made on the Puppet Master, now lets go start installing an agent on another host.

Installing Puppet Agents

As you can see we are doing basically the same thing as on the Puppet Master but only installing the Puppet Agent.

puppet-agent-install

After the install completes we need to configure the agent to talk to the Puppet Master. This configuration is done in the same /etc/puppet/puppet.conf as the Puppet Master but we change what we add…

puppet-agent-config

Next you need to start the Puppet Agent Service: puppet resource service puppet ensure=running enable=true

At this point assuming no firewall issues your agent is now talking to the Puppet Master (test using the “puppet agent –test –noop” command we used earlier); however there is still one thing that needs to be done. We need to approve the agent’s certificate on the Puppet Master; once that is complete then the agent will start applying changes that are specified in the Puppet Master’s site.pp. You do that from the Puppet Master using the puppet cert commands:

puppet-sign-cert

Congratulations! You just setup a Puppet Open Source instance and are now well on your way to using Puppet to help you manage your infrastructure.

Build, configure, Getting Started, guide, Install, Open Source, Puppet, Puppet Master

About Me

My name is Caleb Stephenson, and I am a Sr. Cloud Reliability Engineer working on the Private Cloud Team at VMware and specializing in Systems Management and Automation. We make cloud computing happen at scale. If you have attended a VMworld since 2013 and taken a Hands-On-Labs or used HOL for another event, it is just one of the many things that we provide as a cloud provider.

I am a jack-of-all-trades and unfortunately, master at none. My various IT certifications over the years have included AWS Certified Solutions Architect – Associate,  VMware Certified Professional (VCP), Certified Scrum Product Owner (CSPO), ITIL-F, RHCSA (RHEL 7), MCSA 2003 and MCSE 2003. While I am an engineer, I am also the Product Owner for my team which means my career is a delicate balance of technical and managerial skills.

Everything on this blog should be considered mine personally and not representative of my employer. There may be stuff published here that is pertaining to VMware products or product issues/fixes or bits of code I wrote. My blog should be read just like any other blog and not as a representative of VMware in any way, shape or form.

Recent Posts

  • NFSv3 Usage and Audit Logging
  • EXEC useradd in Docker fills hard drive on host
  • Python Exception inside Try/Except Statement
  • Playing with Wavefront – Network Packet Loss
  • Playing with Wavefront – Missing Agents

Recent Comments

  • Caleb on Automatically Configure VMware Log Insight
  • Dan on Error Removing Host from vSphere
  • Caleb on Getting Fancy with Log Insight Alerting (aka. Monitoring DHCP pools via logs)
  • Caleb on Monitoring VMware vCenter Servers using HTTP Health checks
  • Karuna Yarlagadda on SSRS 2008 Domain User Issue

Archives

  • November 2018
  • August 2018
  • July 2018
  • December 2017
  • November 2017
  • October 2017
  • September 2017
  • June 2017
  • October 2016
  • September 2016
  • August 2016
  • July 2016
  • May 2016
  • March 2016
  • February 2016
  • December 2015
  • July 2015
  • July 2014
  • May 2014
  • March 2014
  • February 2014
  • November 2013
  • October 2013
  • August 2013
  • June 2013
  • February 2013
  • January 2013
  • December 2012
  • November 2012
  • October 2012
  • September 2012
  • August 2012
  • April 2012
  • March 2012
  • February 2012
  • November 2011
  • October 2011
  • August 2011
  • March 2011
  • February 2011
  • November 2010
  • October 2010
  • September 2010
  • July 2010
  • June 2010
  • May 2010
  • April 2010
  • March 2010
  • December 2009
  • July 2009
  • June 2009
  • May 2009
  • April 2009
  • March 2009
  • February 2009

Categories

  • .mp3
  • .vlcp
  • .wmv
  • 00000000000000d1
  • 0x8024402C
  • 2005
  • 2008
  • 29506
  • 5.5
  • 64bit VPN
  • 80072ee7
  • aag
  • Ac
  • Access is Denied
  • account
  • Acrobat
  • Active Directory
  • AD
  • Adobe
  • agent
  • agentless
  • alert
  • alwayson
  • analytics
  • ansible
  • API
  • Apple Mac XServer Cron Backup Windows File Server
  • APSB09-01
  • apt-get
  • ARP Poisoning
  • ASA
  • ASDM
  • audacity
  • Authentication
  • AutoDeploy
  • automation
  • availability group
  • Awesome
  • backup
  • BartPE
  • Bind
  • BitLocker
  • blinking folder with question mark
  • bluetooth
  • boot
  • bottleneck
  • bridge address-table
  • broken
  • bsod
  • Build
  • but no Image Profile is associated with it.
  • cannot display the page
  • Cannot open the Outlook Window
  • CDP
  • CentOS
  • cfapi
  • Change
  • chkdsk
  • Chuck Swindoll
  • CIM
  • Cisco
  • Cisco ASA 5510
  • cluster
  • cmd
  • Comparison
  • compliance
  • Configuration
  • Configuration Managenent
  • configure
  • Content Pack
  • converting
  • Crash
  • CSV
  • Custom Drivers
  • custom fact
  • database log
  • debugging
  • decrypting drive
  • deployment
  • detected corruption
  • DHCP
  • disable
  • dism
  • DN
  • DNS
  • Docker
  • does not have required permissions
  • Download
  • downtime.
  • Dr. Os Guinness
  • driver
  • drivers
  • DTS
  • ECM
  • Edge
  • error
  • Error: Enabling Active Directory failed
  • ESX
  • ESX Cluster
  • ESXi
  • ESXi 4
  • ethics
  • event viewer
  • exchange 2007
  • exhausted
  • Fails
  • FedEx
  • File DNS
  • find VM by MAC
  • finding rogue mac
  • firmware
  • fqdn
  • Freedom
  • FreeTDS
  • FTP
  • full
  • G7
  • get-vmhostadvancedconfiguration
  • GetDataBack for NTFS
  • Getting Started
  • Google Down
  • Government
  • guide
  • Hands On Labs
  • hangs
  • hangs on boot
  • Hardware
  • high CPU
  • History
  • Host
  • Host Profiles
  • HP
  • hung
  • hyperic
  • ID 57
  • identity source
  • IEESC
  • iLO driver
  • InetAddress Ping
  • InfluxDB
  • Install
  • Integrated
  • Integrity
  • IP-Pools
  • IPS
  • IPSec
  • iSCSI
  • Isolate
  • James
  • java
  • job
  • kb950772
  • kerberos
  • kernel
  • ldaps
  • License not available to perform the operation
  • linux
  • Linux Mint
  • log
  • Log Insight
  • log insight agent
  • Log Parsing
  • logging
  • Loginsight
  • logs
  • lust
  • Macbook
  • Make Availale Offline
  • McAfee
  • md5
  • Microsoft
  • mind
  • missing
  • missing public traffic
  • missing traffic
  • mntapi error: 176
  • module
  • Momentus XT
  • mon
  • monitoring
  • MSI
  • MSSQL
  • mssql. sql
  • multiple monitors
  • Nested 64bit
  • NetFN 0x36
  • NetGen
  • netio.sys
  • netios.sys
  • network
  • network adapter
  • new hire
  • ntbtlog.txt
  • Office12
  • Oops
  • Open Source
  • Openfiler
  • Orchestrator
  • Outage
  • Outlook 2007
  • P2V
  • password change
  • percent
  • performance issues
  • perl
  • plugins
  • pool
  • Postgres
  • PostgreSQL
  • PowerCLI
  • Powershell
  • PPTP
  • Process
  • Prometheus
  • proxy
  • Puppet
  • Puppet Master
  • purity
  • pymssql
  • python
  • reached target initrd default
  • reboot
  • recovery model
  • RedHat
  • removing bitlocker
  • replica
  • response traffic dropped
  • Review
  • RHEL
  • robocopy
  • routing
  • SCM
  • Script
  • Seagate
  • Security
  • selinux
  • serial
  • series
  • Serv-U
  • Server
  • server 2003
  • server 2008
  • Server 2012
  • services
  • set-vmhostadvancedconfiguration
  • sfc
  • sha-512
  • Sign-On and Discovery
  • simple
  • Socrates in the City
  • spn
  • SQL
  • SQL Management Studio Express
  • SS
  • ssl
  • sso
  • SSRS
  • SSRS 2008
  • svchost.exe
  • syslog
  • SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
  • target
  • theology
  • This host has been added to VC
  • time
  • tongue
  • troubleshooting
  • tsdb
  • tsql
  • Uncategorized
  • undionly.kpxe.vmw-hardwired
  • unexpected
  • uninstall drivers
  • Update DNS
  • UPS
  • US
  • used
  • user
  • vC
  • vCD
  • vcenter operations manager
  • vcloud director
  • vCM
  • vCNS
  • vCO
  • vcops
  • vCSA
  • VDR
  • vFabric
  • VIBs
  • Virtual
  • vm
  • VMware
  • VMware Configuration Manager
  • VMware Data Recovery
  • VMware HA
  • VMware vCenter Configuration Manager
  • VMworld 2013
  • VMworld2013
  • vpxd_servicecfg
  • vRealize
  • vRLI
  • vs
  • vShield
  • vSphere
  • W32/Wecorl.a
  • Wavefront
  • Web Client
  • Wecorl.a
  • Windows
  • Windows 7
  • Windows Authentication
  • Windows cannot access the specified device
  • Windows Server 2003
  • Windows Update Error
  • Windows User Account Control (UAC) restrictions have been addressed
  • WinFF
  • winrm
  • wireshark
  • won't boot
  • wordpress
  • workaround
  • x64
  • XFCE
  • XP
  • You do not have the Backup and Restore Files user rights
  • zenoss

Meta

  • Log in
  • Entries RSS
  • Comments RSS
  • WordPress.org

WordPress Theme: Idealist

This site uses cookies: Find out more.