Predpekli (Void)

gpg --recv-key 7638D0442B90D010 --keyserver key.ubuntu.com
gpg --export 7638D0442B90D010 | apt-key add -


apt-get install puppet fail2ban cryptosetup-luks

Ekvivalent watch

while true; do iptables -L -n; sleep 2;clear; done

Client side

1. add puppet to your /etc/hosts

10.0.4.60 puppet puppet.starlab.cz

or

212.20.102.91 puppet puppet.starlab.cz
xen-starlab:~# puppetd --server puppet --test
info: Creating a new SSL key for xen-jpcomp.jpcomp.cz
info: Caching certificate for ca
info: Creating a new SSL certificate request for xen-jpcomp.jpcomp.cz
info: Certificate Request fingerprint (md5): AA:A6:EA:69:9A:35:91:C2:EA:8B:CF:B4:70:8E:2E:4B
Exiting; no certificate found and waitforcert is disabled

server side

The service seems to be running properly netstat's output - port 8140

tcp        0      0 0.0.0.0:8140            0.0.0.0:*               LISTEN      22428/ruby1.8

Hey! We have a new client

root@ibm:~# puppetca --list
  "xen-jpcomp.jpcomp.cz" (AA:A6:EA:69:9A:35:91:C2:EA:8B:CF:B4:70:8E:2E:4B)

So sign it!

puppetca --sign xen-jpcomp.jpcomp.cz
notice: Signed certificate request for xen-jpcomp.jpcomp.cz
notice: Removing file Puppet::SSL::CertificateRequest xen-jpcomp.jpcomp.cz at '/path/to.pem'

Client side again

puppetd --server puppet --waitforcert 80 --test

Warning –test doesn't mean 'test', it is a short for:

´onetime´, ´verbose´, ´ignorecache´, ´no-daemonize´, ´no-usecacheonfailure´, ´detailed-exit-codes´, ´no-splay´, and ´show_diff´

Here is the output:

xen-jpcomp:~# puppetd --server puppet --waitforcert 80 --test
info: Caching catalog for xen-jpcomp.jpcomp.cz
info: Applying configuration version '1413471896'
notice: /Stage[main]//File[nrpe_local.cfg]/content: 
--- /etc/nagios/nrpe_local.cfg  2013-03-09 08:53:33.000000000 +0100
+++ /tmp/puppet-file20141106-21693-vorhz2-0     2014-11-06 20:57:19.823561813 +0100
@@ -1,3 +1,10 @@
-######################################
-# Do any local nrpe configuration here
-######################################
+command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
+command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
+command[check_disk]=/usr/lib/nagios/plugins/check_disk -w 8% -c 4% 
+command[check_zombie_procs]=/usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
+command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 150 -c 200 
+command[check_apt]=/usr/lib/nagios/plugins/check_apt
+command[check_linux_raid]=/usr/lib/nagios/plugins/check_linux_raid
+command[check_rdiff]=sudo /usr/lib/nagios/plugins/check_backup_storage
+command[check_smart]=sudo /usr/lib/nagios/plugins/check_smart
+command[check_ipmi]=/usr/lib/nagios/plugins/check_ipmi

info: FileBucket adding {md5}19c1c67393a0b6002f4595b535c71cc2
info: /Stage[main]//File[nrpe_local.cfg]: Filebucketed /etc/nagios/nrpe_local.cfg to puppet with sum 19c1c67393a0b6002f4595b535c71cc2
notice: /Stage[main]//File[nrpe_local.cfg]/content: content changed '{md5}19c1c67393a0b6002f4595b535c71cc2' to '{md5}d8116d9a68b755368037d6bc08d3f1db'
notice: Finished catalog run in 0.44 seconds

Create a cron job

    puppet resource cron puppet-agent ensure=present user=root minute=30 command='/usr/bin/puppet agent --onetime --no-daemonize --splay'

Output:

notice: /Cron[puppet-agent]/ensure: created
cron { 'puppet-agent':
  ensure  => 'present',
  command => '/usr/bin/puppet agent --onetime --no-daemonize --splay',
  minute  => ['30'],
  target  => 'root',
  user    => 'root',
}

and the cron line is not system wide, but root's

server:~# crontab -l
# HEADER: This file was autogenerated at Thu Nov 06 21:21:15 +0100 2014 by puppet.
# HEADER: While it can still be managed manually, it is definitely not recommended.
# HEADER: Note particularly that the comments starting with 'Puppet Name' should
# HEADER: not be deleted, as doing so could cause duplicate cron jobs.
# Puppet Name: puppet-agent
30 * * * * /usr/bin/puppet agent --onetime --no-daemonize --splay

Why cron job instead of daemon? Cron job can sometimes perform better and use less memory.

 
linux/skoleni/hromadna_bezpecnost.txt · Last modified: 2017/03/22 19:26 by admin