-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathrollout.cfg
343 lines (323 loc) · 10.6 KB
/
rollout.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
# This is the main configuration file for Rollout
# It defines the base classes and machines
#
# Anything in fragments/ overrides whatever is in this file.
#
# Some rules for this file:
# 1. Hostnames *must* start with a lowercase letter, and classes with an uppercase letter.
# vim:tw=100 sw=2 expandtab ft=perl
# Define a class that all production machines will inherit
# Everything in production inherits from the Demo_Netbackup_Client class
class Demo_Production => {
inherits(Demo_Netbackup_Client),
# These are the production nameservers
nameservers => [ '192.168.1.1', '192.168.1.2' ],
# These services should be managed
service => {
# These should be started, and configured to start on boot
sshd => 1,
snmpd => 1,
snmptrapd => 1,
ntpd => 1,
syslog => { proc => 'syslogd', status => 1 },
# Make sure these are stopped
cups => 0,
isdn => 0,
cpuspeed => 0,
gpm => 0,
messagebus => 0,
pcmcia => { proc => 'cardmgr', status => 0 },
},
# Install these packages
packages => [qw( net-snmp ntp )],
# Install the snmpd configuration file from the rollout server, downloaded by HTTP
# Restart snmpd if the file has been updated
file_install => {
"/etc/snmp/snmpd.conf" => {
# This can be a url, local filename or rollout: which gets it from the rollout base url
source => "rollout:/conf/snmpd.conf",
# Run this command if the file is created or updated
command => "/etc/init.d/snmpd restart",
},
},
# Add a forward entry for root to /etc/aliases
file_append => [
[
"/etc/aliases", # The file to change
"root: root\@yourdomain.com", # The line to add
qr/^root/, # Replace any lines matching this regex
"newaliases" # Run this if the file is changed
],
],
group => {
# Make sure the "admin" group exists
admin => { },
},
# Create 2 test users
user => {
# One is an admin
testadmin => {
name => "Test Admin",
groups => [ "admin", "cdrom" ], # Add the user to these 2 groups
# This password is only set when the user is first created
password => '$1$sOVcUMAy$janTja1meiuCfZfG4iJw8/',
},
# The other is a standard user
testuser => {
name => "Test User",
groups => [ "cdrom" ],
password => '$1$sOVcUMAy$janTja1meiuCfZfG4iJw8/',
},
},
# Add testadmin's SSH key to root's authorized_keys file
ssh_keys_add => [ 'testadmin' ],
# Configure sudo permissions
sudo => {
# Anyone in the 'admin' group can run these commands
'%admin' => [
'/usr/local/sbin/rollout',
'/bin/ps',
'/usr/bin/strace',
'/usr/sbin/lsof',
'/bin/netstat',
'/usr/sbin/tcpdump',
'/sbin/route',
'/usr/bin/dpkg',
'/usr/bin/apt-get',
'/usr/bin/apt-cache',
'/usr/bin/vmstat',
'/usr/bin/iostat',
'/usr/bin/sar',
'/bin/mount',
'/bin/umount',
'/bin/grep',
'/bin/cat',
'/usr/bin/less',
'/usr/bin/zless',
'/bin/more',
'/usr/sbin/lshw',
'/sbin/lspci',
'/sbin/lsusb',
'/usr/bin/co',
'/usr/bin/ci',
'/usr/bin/rlog',
'/usr/bin/rcsdiff',
'/usr/bin/sudosh',
],
# The 'testuser' user can only reboot the machine
testuser => [
'/sbin/reboot',
],
},
firewall_accept => [
# Allow any hosts in the 'admin' network to ssh and snmp to this class of devices
demo_admin => 'ssh',
demo_admin => 'snmp:udp',
],
# This is added to the message of the day, which should be displayed on user login
motd => 'Warning! You are logged into a production machine.',
};
# These 2 classes bring in the Demo_RHEL4 base class, but also set the apt base for the correcet
# CPU architecture
class Demo_RHEL4_i386 => {
inherits(Demo_RHEL4),
apt => {
repos => [
"rpm $config->{base_url}/apt rhel4-i386 rhel4 harbour",
],
},
};
class Demo_RHEL4_x86_64 => {
inherits(Demo_RHEL4),
apt => {
repos => [
"rpm $config->{base_url}/apt rhel4-x86_64 rhel4 harbour",
],
},
};
# Base class for all RHEL4 machines
class Demo_RHEL4 => {
# Update some network sysctls
sysctl => {
'net.ipv4.tcp_syncookies' => 1,
'net.ipv4.conf.all.accept_source_route' => 0,
'net.ipv4.icmp_echo_ignore_broadcasts' => 0,
'net.ipv4.conf.all.accept_redirects' => 0,
'net.ipv4.conf.all.send_redirects' => 0,
'net.ipv4.conf.all.log_martians' => 0,
},
# Install these packages
packages => [qw( sysstat lshw sudo )],
file_modify => [
# Run updatedb daily
'/etc/updatedb.conf' => [
's/^DAILY_UPDATE=no/DAILY_UPDATE=yes/', # Run this regex across every line in the file
],
# Don't prompt for interactive boot
'/etc/sysconfig/init' => [
's/^PROMPT=yes/PROMPT=no/',
],
],
service => {
# Stop RedHat Network from running
rhnsd => 0,
},
};
# Ubuntu is really just Debian
class Demo_Ubuntu => {
inherits(Demo_Debian),
};
class Demo_Debian => {
# More network sysctls
sysctl => {
'net.ipv4.tcp_syncookies' => 1,
'net.ipv4.conf.all.accept_source_route' => 0,
'net.ipv4.icmp_echo_ignore_broadcasts' => 0,
'net.ipv4.conf.all.accept_redirects' => 0,
'net.ipv4.conf.all.send_redirects' => 0,
'net.ipv4.conf.all.log_martians' => 0,
},
# Install some handy packages
packages => [qw( bind9-host sysstat lshw ntp tcpdump lsof strace sudo )],
};
# This is an example of a class to install & configure a specific package
# You can add "Demo_Netbackup_Client" to any "inherits" block to include this class
class Demo_Netbackup_Client => {
file_extract => {
# Download the tarball from the rollout web server and extract it to /
"rollout:/utils/netbackup_client.tar.bz2" => {
dest => "/",
check => "/usr/openv", # Don't run this block if /usr/openv already exists
},
},
file_append => [
# Configure netbackup
[ '/usr/openv/netbackup/bp.conf', "SERVER = backupserver.domain", qr/^SERVER\s*=/ ],
[ '/usr/openv/netbackup/bp.conf', "CLIENT_NAME = $hostname", qr/^CLIENT_NAME\s*=/ ],
],
file_install => {
# Install some inetd blocks to start the netbackup daemons
"/etc/xinetd.d/bpcd" => { source => "rollout:/conf/netbackup/bpcd", command => "/etc/init.d/xinetd reload" },
"/etc/xinetd.d/vnetd" => { source => "rollout:/conf/netbackup/vnetd", command => "/etc/init.d/xinetd reload" },
"/etc/xinetd.d/vopied" => { source => "rollout:/conf/netbackup/vopied", command => "/etc/init.d/xinetd reload" },
"/etc/xinetd.d/bpjava-msvc" => { source => "rollout:/conf/netbackup/bpjava-msvc", command => "/etc/init.d/xinetd reload" },
},
port_check => [
# Make sure the following ports exist in /etc/services
'vopied' => { port => '13783/tcp', comment => 'VOPIED Protocol' },
'vopied' => { port => '13783/udp', comment => 'VOPIED Protocol' },
'bpjava-msvc' => { port => '13722/tcp', comment => 'BP Java MSVC Protocol' },
'bpjava-msvc' => { port => '13722/udp', comment => 'BP Java MSVC Protocol' },
'bpcd' => { port => '13782/tcp', comment => 'VERITAS NetBackup' },
'bpcd' => { port => '13782/udp', comment => 'VERITAS NetBackup' },
'vnetd' => { port => '13724/tcp', comment => 'Veritas Network Utility' },
'vnetd' => { port => '13724/udp', comment => 'Veritas Network Utility' },
],
hosts_append => {
# Append the IP of backupserver to /etc/hosts
'192.168.4.1' => 'backupserver.domain backupserver',
},
firewall_accept => [
# Allow NetBackup ports from backupserver
backupserver => 'vopied',
backupserver => 'vopied:udp',
backupserver => 'bpjava-msvc',
backupserver => 'bpjava-msvc:udp',
backupserver => 'bpcd',
backupserver => 'bpcd:udp',
backupserver => 'vnetd',
backupserver => 'vnetd:udp',
],
# Add logfiles to logrotate's config
logrotate => {
'/usr/openv/netbackup/log/server.log' => {
# if no frequency is specified, weekly is the default
monthly => 1,
# Default number of files kept is 7, or:
#rotate => 12,
postrotate => "/usr/openv/netbackup/bin/restart.sh",
# rotated logfiles are compressed by default, unless:
#compress => 0,
},
},
};
class Demo_Nfs_Server => {
# Allow the NFS ports in from anywhere
firewall_accept => [
"# Allow NFS",
any => 'sunrpc',
any => 'sunrpc:udp',
any => 'nfs',
any => 'nfs:udp',
any => '4000',
any => '4000:udp',
any => '4001',
any => '4001:udp',
any => '4002',
any => '4002:udp',
any => '4003',
any => '4003:udp',
],
};
class Demo_Web_Server => {
firewall_accept => [
# Allow the http port from anywhere
any => 'http',
],
sudo => {
# Let users in the 'admin' group restart the web server with sudo
'%admin' => [
'/etc/init.d/httpd',
'/etc/init.d/apache',
'/etc/init.d/apache2',
'/usr/sbin/apachectl',
'/usr/sbin/apache2ctl',
],
},
# Don't do version control on files in these dirs
# Apache won't exclude the RCS dirs automatically
unsafe_dir => [ "/etc/httpd/conf.d", "/etc/apache2/conf.d" ],
};
# This class doesn't actually install Oracle, but sets up everything required
# to install it manually by the GUI
class Demo_Oracle_Server => {
group => {
dba => { },
},
user => {
# Create the oracle user, in the 'oinstall' and 'dba' groups
oracle => {
name => "Oracle",
gid => 'oinstall',
groups => [ "dba" ],
password => '$1$TTaFfyNU$CJkFPhdvny81s8q2KlXAs0',
},
},
sysctl => {
# Oracle has specific requirements for shared memory & network buffers
'kernel.sem' => "250 32000 100 128",
'kernel.shmmni' => "4096",
'kernel.shmall' => "2097152",
'kernel.shmmax' => "2147483648",
'net.ipv4.ip_local_port_range' => "1024 65000",
'net.core.rmem_default' => "262144",
'net.core.rmem_max' => "262144",
'net.core.wmem_default' => "262144",
'net.core.wmem_max' => "262144",
},
firewall_accept => [
# Allow anywhere to use the Oracle port
any => '1521',
# Allow the 'vpn' netmask to ssh into this class of devices
demo_vpn => 'ssh',
],
# These are required for Oracle to run
packages => [qw( gcc gcc-c++ compat-db compat-gcc-32 compat-libstdc++-33 control-center glibc
glibc-common libaio libgcc libstdc++ xorg-x11-deprecated-libs )],
};
# You can define specific network ranges here.
# These are the base, and the 'network' item for devices is appended to it, as well as an entry for
# every device's class
network demo_admin => '192.168.1.0/24';
network demo_vpn => '192.168.2.176/28', '192.168.2.192/28';
network demo_backup_lan => '192.168.4.0/24';