philipp Hanselmann
2009-Sep-07 08:24 UTC
[Puppet Users] environments for several internal customers?
We are planning to use a puppet server for several internal customers at our school (ETHZ - Swiss Federal Institute of Technology Zürich).

One way could be to choose a separate environment for each customer ...

Each customer will get a normal user on the puppet server. With this he can edit his files inside his own environment path ...

But how can we ensure that the customers are separated? It should NOT be possible for customer X to choose an environment from customer Y.

Is there a way to implement this?

Philipp Hanselmann

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Francois Deppierraz
2009-Sep-07 09:13 UTC
[Puppet Users] Re: environments for several internal customers?
philipp Hanselmann wrote:
> But how can we ensure that the customers are separated? It should NOT
> be possible for customer X to choose an environment from customer Y.
>
> Is there a way to implement this?

You should probably run multiple puppetmasters, one per customer. Because each puppetmaster has its own SSL configuration, you'll be able to choose which puppetmaster a particular client can connect to. The obvious drawback is that each puppetmaster has to listen on a different port.

I tried to define $ssldir differently between environments but it didn't work out. It's likely the same kind of chicken-and-egg problem found with SSL virtual hosts: the environment name is not known by the server before the SSL handshake finishes.

François
Macno
2009-Sep-08 09:19 UTC
[Puppet Users] Re: environments for several internal customers?
I do that in this way:

On puppet.conf on the puppetmaster:
-----------------------------------
[puppetmasterd]
reports = store,rrdgraph,tagmail,log
autosign = true
environments = alpha,beta,gamma
manifest = /no/file

[beta]
modulepath = /etc/puppet/data/beta/
manifest = /etc/puppet/manifests/site-beta.pp

[alpha]
modulepath = /etc/puppet/data/alpha/
manifest = /etc/puppet/manifests/site-alpha.pp

[gamma]
modulepath = /etc/puppet/data/gamma/
manifest = /etc/puppet/manifests/site-gamma.pp
-----------------------------------

/etc/puppet/manifests/site-beta.pp has something like:
import "project_beta"
(a module in which you define your infrastructure, placed in /etc/puppet/data/beta/)

Permissions on /etc/puppet/data/beta/ are limited to the users/groups that can manage files for the beta environment.

On puppet.conf on the client (for example, one in the beta environment):
[main]
vardir = /var/lib/puppet
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl
environment = beta

[puppetd]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
environments = beta

You can also define testing / production environments for each department, with something like:

On clients:
[main]
vardir = /var/lib/puppet
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl
environment = betaprod

[puppetd]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
environments = betatest,betaprod

(normal puppet runs use betaprod; with "puppetd -t --environment=betatest" you run on the test environment of beta).

puppet.conf on the puppet master becomes something like:
[puppetmasterd]
reports = store,rrdgraph,tagmail,log
autosign = true
environments = alphatest,alphaprod,betatest,betaprod ...
manifest = /no/file

[betatest]
modulepath = /etc/puppet/data/beta/test/
manifest = /etc/puppet/manifests/site-beta.pp

[betaprod]
modulepath = /etc/puppet/data/beta/prod/
manifest = /etc/puppet/manifests/site-beta.pp

/etc/puppet/data/beta/test/ and /etc/puppet/data/beta/prod/ are both git clones that pull from something like /etc/puppet/data/beta/gitrepo

My2c

Alessandro Franceschi
philipp Hanselmann
2009-Sep-08 14:46 UTC
[Puppet Users] Re: environments for several internal customers?
Hi Macno

My intention was to use a setup similar to the one you explained ...

The big issue is now ...
the customer beta can get the configuration from alpha!

All customer beta has to do is run something like this in the console:

puppetd -t --environment=alpha

or change the environment entry to alpha in /etc/puppet/puppet.conf on the client side!

So there is no security in place ;-(.

Philipp
Al @ Lab42
2009-Sep-08 15:11 UTC
[Puppet Users] Re: environments for several internal customers?
> All customer beta has to do is run something like this in the
> console:
>
> puppetd -t --environment=alpha
>
> or change the environment entry to alpha in /etc/puppet/puppet.conf
> on the client side!
>
> So there is no security in place ;-(.

Well, not exactly. In order to do this he should be able to add his client hostname on the alpha environment node list (I take for granted that no specific activity is made for the default basenode), and he hasn't the privileges to do that.

Actually, anyway, I used this approach in a place where the puppet managers are few and trusted, and can even sudo to restart puppetmasterd in case of necessity.

Ciao
Alessandro
Al @ Lab42
2009-Sep-08 15:15 UTC
[Puppet Users] Re: environments for several internal customers?
Philipp, a side note to avoid confusion: Macno = Al @ Lab42

There was some bug lurking in Google Groups that used in this group a nick I defined for another one...

Alessandro
philipp Hanselmann
2009-Sep-22 10:16 UTC
[Puppet Users] Re: environments for several internal customers?
Meanwhile I found a solution ...

I just use environment names which can't be guessed ... like

On puppet.conf on the puppetmaster:
[math-34lkdfjop34j-dev]
modulepath = /etc/puppet/data/math/dev/modules
manifest = /etc/puppet/data/math/dev/manifests/init.pp

[math-34lkdfjop34j-prd]
modulepath = /etc/puppet/data/math/prd/modules
manifest = /etc/puppet/data/math/prd/manifests/init.pp

[infk-.289n3D0dg2-dev]
modulepath = /etc/puppet/data/inf/dev/modules
manifest = /etc/puppet/data/inf/dev/manifests/init.pp

[infk-.289n3D0dg2-prd]
modulepath = /etc/puppet/data/inf/prd/modules
manifest = /etc/puppet/data/inf/prd/manifests/init.pp

So the math department has its own user math. With this, they only have access to /etc/puppet/data/math/

So they know their own environments, but they don't know the environment names of the other puppet users.

The puppet.conf on the puppet server is only readable by the puppetmaster daemon ...

Is this a suitable way?

Philipp
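The problem Philipp describes (a client picks any environment by name, so in the final config only the obscurity of the section name separates departments) is easier to reason about with a check run on the master side. The script below is an added example, not code from this thread or from Puppet itself. It parses a constructed puppet.conf shaped like the ones above and reports environments whose modulepath or manifest leaves that customer's directory or is shared with another environment (the dev/prd mix-up in the first version of the inf-prd section is the kind of thing it catches), and it compares constructed client requests against a table of which environment each client certificate name is assigned to, so a client asking for another department's environment is flagged. The `<customer>-<stage>` naming convention, the `ASSIGNED` table, the paths and the request records are all assumptions; on a real master the request records would have to come from whatever logs the certname together with the requested environment, and the script only reports, it does not enforce anything.

```python
# Added example: isolation audit for a multi-customer puppetmaster.
# Everything below (names, paths, assignments, requests) is constructed.
import configparser
import os
from typing import Dict, List, Tuple

DATA_ROOT = "/etc/puppet/data"          # per-customer tree, as in the thread
GLOBAL_SECTIONS = {"main", "puppetmasterd", "puppetd", "puppetca"}

# Constructed puppet.conf; environment names follow an assumed
# <customer>-<stage> convention. inf-prd deliberately reuses the dev
# modulepath so the audit has something to report.
PUPPET_CONF = """
[puppetmasterd]
environments = math-dev,math-prd,inf-dev,inf-prd
manifest = /no/file
[math-dev]
modulepath = /etc/puppet/data/math/dev/modules
manifest = /etc/puppet/data/math/dev/manifests/init.pp
[math-prd]
modulepath = /etc/puppet/data/math/prd/modules
manifest = /etc/puppet/data/math/prd/manifests/init.pp
[inf-dev]
modulepath = /etc/puppet/data/inf/dev/modules
manifest = /etc/puppet/data/inf/dev/manifests/init.pp
[inf-prd]
modulepath = /etc/puppet/data/inf/dev/modules
manifest = /etc/puppet/data/inf/prd/manifests/init.pp
"""

# Constructed: which environment each client certname is allowed to use,
# and a few (certname, requested environment) records to audit.
ASSIGNED = {
    "web1.math.example": "math-prd",
    "web2.math.example": "math-prd",
    "build.inf.example": "inf-prd",
}
REQUESTS = [
    ("web1.math.example", "math-prd"),    # normal run
    ("web2.math.example", "math-dev"),    # test run within the same department
    ("build.inf.example", "math-prd"),    # an inf host asking for math's catalog
    ("rogue.example", "inf-prd"),         # a host nobody assigned anywhere
    ("web1.math.example", "nosuch-env"),  # environment the master does not define
]


def load_environments(conf_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {env: {"modulepath": [dirs], "manifest": [file]}} for every
    non-global section. Interpolation is off because puppet.conf uses
    $vardir-style variables that configparser must not try to expand."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    envs = {}
    for name in cp.sections():
        if name in GLOBAL_SECTIONS:
            continue
        # Puppet's modulepath is a colon-separated list of directories.
        modulepath = [p for p in cp.get(name, "modulepath", fallback="").split(":") if p]
        manifest = [cp.get(name, "manifest")] if cp.has_option(name, "manifest") else []
        envs[name] = {"modulepath": modulepath, "manifest": manifest}
    return envs


def customer_of(path: str) -> str:
    """First directory under DATA_ROOT, or "" if the path lies outside it."""
    rel = os.path.relpath(os.path.normpath(path), DATA_ROOT)
    return "" if rel.startswith("..") else rel.split(os.sep)[0]


def audit_paths(envs: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Flag paths that leave the owning customer's tree and paths shared by
    two environments (a dev/prd mix-up, or one customer reading another's)."""
    findings, first_user = [], {}
    for env, cfg in envs.items():
        customer = env.split("-")[0]    # assumed naming convention
        for key in ("modulepath", "manifest"):
            for path in cfg[key]:
                if customer_of(path) != customer:
                    findings.append(f"{env}: {key} {path} is outside {DATA_ROOT}/{customer}/")
                if path in first_user and first_user[path] != env:
                    findings.append(f"{env}: {key} {path} is also used by {first_user[path]}")
                first_user.setdefault(path, env)
    return findings


def audit_requests(assigned: Dict[str, str], requests: List[Tuple[str, str]],
                   envs: Dict[str, Dict[str, List[str]]]) -> List[Tuple[str, str, str]]:
    """Return (certname, requested_env, verdict) for each request that is not
    the client's assigned environment. "cross-customer" is the case Philipp
    describes: a client switching to another department's environment."""
    findings = []
    for certname, env in requests:
        expected = assigned.get(certname)
        if expected == env:
            continue
        if expected is None:
            verdict = "unassigned-host"
        elif env not in envs:
            verdict = "unknown-env"
        elif env.split("-")[0] != expected.split("-")[0]:
            verdict = "cross-customer"
        else:
            verdict = "same-customer-switch"
        findings.append((certname, env, verdict))
    return findings


if __name__ == "__main__":
    envs = load_environments(PUPPET_CONF)
    for line in audit_paths(envs):
        print("CONFIG:", line)
    for certname, env, verdict in audit_requests(ASSIGNED, REQUESTS, envs):
        print(f"REQUEST: {certname} asked for {env}: {verdict}")
```

Run as-is it reports the shared inf dev modulepath and four request findings; the "same-customer-switch" verdict is the legitimate test/prod switch from Macno's setup, while "cross-customer" is the escalation the thread is about and the one worth alerting on.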