Larry Ludwig
2008-Apr-16 01:51 UTC
[Puppet Users] how to handle a random password in a config file?
Hi, I'm trying to configure bacula's config file. The issue is every time the script runs a new key gets generated for bacula.

How can I have the config file update only run once with puppet, yet replace the default bacula-fd.conf file?

Script listed below:

    class bacula-client {
        # define which server to use
        case $datacenter {
            1: { $backupserver = "coeus" }
            2: { $backupserver = "ulysses" }
        }

        $directorpassword = generate("/etc/puppet/bin/genkey")
        $monitorpassword  = generate("/etc/puppet/bin/genkey")

        package { "hdup_supplemental":
            ensure => absent,
        }
        package { "hdup":
            ensure  => absent,
            require => Package["hdup_supplemental"],
        }
        package { "bacula-client":
            ensure  => latest,
            require => Package["hdup_supplemental"],
        }
        package { "bacula_supplemental":
            ensure  => latest,
            require => Package["bacula-client"],
        }
        # track bacula-fd.conf changes
        file { "bacula-fd.conf":
            name     => "/etc/bacula/bacula-fd.conf",
            checksum => md5,
            ensure   => present,
            replace  => true,
            owner    => 'root',
            group    => 'bacula',
            mode     => '0640',
            backup   => local,
            content  => template("./apps/bacula-client/bacula-fd.conf.erb"),
            require  => Package["bacula_supplemental"],
        }
        # make sure bacula-fd is set up to run
        service { "bacula-fd":
            name      => "bacula-fd",
            ensure    => running,
            enable    => true,
            require   => [ Package["bacula-client"], File["bacula-fd.conf"] ],
            subscribe => [ Package["bacula-client"], File["bacula-fd.conf"] ],
        }
    }

You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
Paul Lathrop
2008-Apr-16 02:29 UTC
[Puppet Users] Re: how to handle a random password in a config file?
Larry,

Things run using 'generate' really need to be idempotent... if nothing about the input changes, the output should also not change. The problem here is that "/etc/puppet/bin/genkey" is producing different output every time.

There are ways around this, but a lot depends on what exactly "/etc/puppet/bin/genkey" does. You'd be advised to use something that generates consistent output for a given input.

--Paul

On Tue, Apr 15, 2008 at 6:51 PM, Larry Ludwig <larrylud@gmail.com> wrote:
> Hi I'm trying to configure bacula's config file. The issue is
> everytime the script runs a new key gets generated for bacula.
>
> How can I have the config file update only run once with puppet, yet
> replace the default bacula-fd.conf file.
Larry Ludwig
2008-Apr-16 13:02 UTC
[Puppet Users] Re: how to handle a random password in a config file?
The thing is, following off of the bacula rpm, it auto-generates the password entries (doing /usr/bin/openssl rand -base64 33 -out). Having all bacula clients with the same password isn't really a good idea (but of course is possible), so this isn't ideal. We make some other changes to the config file so it's not the stock rpm config file.

On Apr 15, 10:29 pm, "Paul Lathrop" <p...@tertiusfamily.net> wrote:
> Larry,
>
> Things run using 'generate' really need to be idempotent... if nothing
> about the input changes, the output should also not change. The
> problem here is that "/etc/puppet/bin/genkey" is producing different
> output every time.
>
> There are ways around this, but a lot depends on what exactly
> "/etc/puppet/bin/genkey" does. You'd be advised to use something that
> generates consistent output for a given input.
>
> --Paul
Larry Ludwig
2008-Apr-16 13:10 UTC
[Puppet Users] Re: how to handle a random password in a config file?
I just thought about one idea:

I could pass the host name to my genkey script and then create a routine that will look to see if I already created a file (in some local folder) that has a pre-generated key. If not, create one. That way it will always give the same key and will prevent it from re-creating the configuration file every time.

Not bad for 9AM in the morning :-)

On Apr 15, 10:29 pm, "Paul Lathrop" <p...@tertiusfamily.net> wrote:
> Larry,
>
> Things run using 'generate' really need to be idempotent... if nothing
> about the input changes, the output should also not change. The
> problem here is that "/etc/puppet/bin/genkey" is producing different
> output every time.
>
> There are ways around this, but a lot depends on what exactly
> "/etc/puppet/bin/genkey" does. You'd be advised to use something that
> generates consistent output for a given input.
>
> --Paul
José González Gómez
2008-Apr-21 08:01 UTC
[Puppet Users] Re: how to handle a random password in a config file?
On 16 Apr, 15:10, Larry Ludwig <larry...@gmail.com> wrote:
> I just thought about one idea:
>
> I could pass the host name to my genkey script and then create a
> routine that will look to to see if I already created a file (in some
> local folder) that has a pre-gen key. If not create one. That way it
> will always give the same key and will prevent it from re-creating the
> configuration file everytime.
>
> Not bad for 9AM in the morning :-)

We are generating passwords for bacula using a custom function that computes the MD5 hash of a constant string for every combination of server-client nodes (director-file daemon, director-storage daemon, director-console, ...). This creates a security problem, as everybody knowing how we compute the source string would be able to get all the bacula passwords, but we favoured ease of implementation (and you may change some bit of the source string from time to time just in case).

Anyway, this would ideally be implemented using a random password generator and storing those generated passwords in a database on the puppet master, everything enclosed in a custom function. This is on our todo list, but not for the near future (maybe something worth including in puppet itself?).

HTH, best regards

Jose
Larry Ludwig
2008-Apr-21 13:01 UTC
[Puppet Users] Re: how to handle a random password in a config file?
On Apr 21, 4:01 am, José González Gómez <jose.gonzalez.go...@gmail.com> wrote:
> We are generating passwords for bacula using a custom function that
> computes the MD5 hash of a constant string for every combination of
> server-client nodes (director-file daemon, director-storage daemon,
> director-console,...). This creates a security problem, as everybody
> knowing how we compute the source string would be able to get all the
> bacula passwords, but we favoured ease of implementation (and you may
> change some bit of the source string from time to time just in case).
> Anyway, this would be ideally implemented using a random password
> generator and storing those generated passwords in a database in the
> puppet master, everything enclosed in a custom function. This is in
> our todo list, but not for the near future (maybe something worth
> including in puppet itself?).

A random function in Puppet that stores the info could be neat for situations like this.

Ok, here's the code. IMHO there is no need to store it in a SQL db, especially since Puppet by default doesn't use one. A flat file should be fine. This function could be made more generic to suit other random password situations.

In the bacula class file:

    $baculapassword = generate('/usr/bin/env', '/etc/puppet/bin/bacula-genkey', "$fqdn")

which goes to an erb template.

The bacula-genkey stores a random key in a file (if it's not already created) based upon the fqdn. If the file is already there, do not generate a new one; instead get the existing one. I copied the openssl statement from the bacula rpm that generates the same random password to create the config file.

    #!/usr/bin/perl
    use strict;
    use warnings;
    umask 066;
    # one key per client; puppet passes the fqdn as the first argument
    my $host = $ARGV[0];
    # accept only hostname characters so the argument cannot leave the key directory
    die "usage: bacula-genkey <fqdn>\n"
        unless defined $host && $host =~ /^[A-Za-z0-9][A-Za-z0-9.-]*$/ && $host !~ /\.\./;
    my $keyfile = "/etc/puppet/etc/bacula/$host.key";
    if (!-e $keyfile) {
        # same generator the bacula rpm uses; "2>/dev/null" is the /bin/sh form
        # of the csh-style ">&" redirection
        system("/usr/bin/openssl rand -base64 33 -out $keyfile 2>/dev/null") == 0
            or die "openssl failed for $keyfile\n";
    }
    open(my $fh, '<', $keyfile) or die "cannot open $keyfile: $!\n";
    while (my $line = <$fh>) {
        $line =~ s/\n//g;
        print $line;
    }
    close($fh);

The /etc/puppet/etc/bacula/ folder has to be writable by the puppet user since the puppetmasterd runs as that user.

-L

--
Larry Ludwig
Empowering Media
1-866-792-0489 x600
Managed and Unmanaged Xen VPSes
http://www.hostcube.com/
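An added example, not code from the thread, covering both Larry's generate-once script above and the custom function José describes: the same per-host key store written in Ruby, the language a Puppet custom function would be in. Beyond the posted Perl it checks the argument against a hostname pattern before it becomes a file name, creates the key with O_EXCL so two master processes cannot both write it, and sets the file to 0600. The store directory path and SecureRandom as the generator are assumptions.

```ruby
#!/usr/bin/env ruby
# Added example, not from the thread: generate-once-per-host key store.
# Assumed: the store directory path and SecureRandom as the generator.
require 'securerandom'
require 'fileutils'

# Only a plausible FQDN may become a file name, so a caller cannot steer
# the path outside the store ("../x" would otherwise be accepted).
HOSTNAME_RE = /\A[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*\z/i

def key_path(store, fqdn)
  raise ArgumentError, "bad hostname: #{fqdn.inspect}" unless fqdn =~ HOSTNAME_RE
  File.join(store, "#{fqdn.downcase}.key")
end

# Same key for the same (store, fqdn) on every run; created only on the
# first call. 33 random bytes, base64: the rpm's "openssl rand -base64 33".
def bacula_key(store, fqdn)
  path = key_path(store, fqdn)
  FileUtils.mkdir_p(store, mode: 0700)
  begin
    # O_EXCL: if two master processes race, exactly one creates the file
    File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
      f.write(SecureRandom.base64(33))
    end
  rescue Errno::EEXIST
    # generated on an earlier run: fall through and read it back
  end
  File.read(path).strip
end

# usage: bacula-genkey <fqdn> [store-dir]; prints the key for the erb template
if __FILE__ == $0 && !ARGV.empty?
  puts bacula_key(ARGV.fetch(1, '/etc/puppet/etc/bacula'), ARGV[0])
end
```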