This is a record of the discussion on the 12th regarding the new layout of all SIMP Puppet Component Modules
As we were working through issues regarding , we started discussing how make our module collection more consistent and make it easier to adopt across the board.
Our decision ended up being as follows.
Basic Module Assumptions
It expected that SIMP 6 modules will drop support for Puppet 3.
Basic Module Structure
Our component modules will be patterned after the Puppet Labs suggested layout du jour. SIMP-specific additions are in bold below.
module/manifests/
init.pp
params.pp
install.pp
config.pp
service.pp
simp/firewall/simp.pp
simp/logging/simp.pp
simp/audit/simp.pp
simp/selinux/simp.pp
simp/pki/simp.pp
simp/tcpwrappers/simp.pp
SIMP Subsystems
The bold files above correspond with optional security subsystems that SIMP can integrate with the module's resources.
SIMP subsystems rely on environmental conventions that cannot be assumed to be present outside of SIMP.
They are opt-in, so Forge users can use SIMP modules within non-SIMP infrastructures.
A full SIMP ecosystem's hiera will enable each subsystem by default in simp_def.yaml
IMPORTANT: These subsystem only manage SIMP-specific resources and integrations for the module.
Each module may naturally have its own way of configuring PKI, logging, etc. That belongs within the conventional module structure.
Examples: enabling SSL or TCP wrappers in a config file, setting SELinux contexts for module resources.
QUESTION: are any of the SELinux contexts we use SIMP-specific? ANSWER: No
Standard Class Parameters in init.pp
Each module willl have the following class parameters in init.pp (when applicable):
simp_opt::trusted_nets
Old Name: client_nets
Array of Strings or String = subnets to permit, generally in CIDR notation. This may be required by the module regardless of whether any SIMP subsystems are used.
simp_opt::firewall
Old Name: simp_firewall and use_iptables
true = includes simp-iptables and sets up rules to permit the application
false = Firewall settings for the application are not managed; use a profile to make your own arrangements
simp_opt::syslog
Old Name: simp_logging
true = includes simp-rsyslog and configures rsyslog hooks into the application (and/or sets things up to be logged appropriately through the SIMP default LOCAL6 for security relevant items.)
NOTE: in the future this may expand to logging providers beyond rsyslog, thus requiring le Stroolean
false = doesn't set up logging via SIMP
simp_opt::audit
Old Name: simp_auditd
true = If applicable, include the ::auditd class and add audit rules that are specific to the current module. If not applicable, this should do nothing.
false = Does not include any auditing capabilities via SIMP
simp_opt::selinux
Old Name: simp_selinux
true = includes simp-selinux (which effectively manages the SELinux enforcement and mode) and manages SIMP-specific SELinux configurations (QUESTION: like what? ANSWER: Not a lot, honestly besides the fact that we actually configure SELinux as a core part of the system and you need our facts to make it work.)
NOTE: Most if not all module-specific SElinux configurations are handled as attributes of native puppet resources and will not be influence by this parameter.
SE boolean flipping should probably be done here, especially if they rely on the SIMP environment (NOTE: this is pretty vague. NOTE NOTE: We have a couple of facts that we added to help detect the SELinux state on your system.)
false = does not ensure that SELinux is enabled via simp-selinux; make your own arrangements elsewhere.
NOTE: It may seem counterintuitive, but setting this parameter to false DOES NOT disable SELinux!
To disable SELinux (within a SIMP ecosystem), include simp-selinux (with$simp_selinux = true) and ensure that the top-scope hiera or ENC variable $::selinux::enable is set to false.
simp_opt::pki
Old Name: simp_pki
true or 'simp' = includes simp-pki and uses pki::copy to distribute PKI certificates to the correct locations
false = PKI certificates are not distributed by SIMP; make your own arrangements to get them in place
simp_opt::tcpwrappers
Old Name: simp_tcpwrappers
true = includes simp-tcpwrappers and uses tcpwrappers::allow to permit the application to the subnets in $::simp_opt::trusted_nets
false = TCP wrappers (/etc/hosts.*) entries for the application are not managed; make your own arrangements (using a profile, probably).
Behavior of the Standard $simp_* Class Parameters
Each of the $simp_* parameters must adhere to the following:
The parameter must be disabled (false) by default (NOTE: starting with SIMP 6).
The parameter must honor booleans and Strings where the Boolean true and the String 'simp' amount to the same action.
Welcome to the Trevorian type "Stroolean."
The String value such as 'simp' will translate into the filename in the subsystem path simp/<subsystem>/simp.pp
This is intended to permit backwards compatibility between SIMP versions if they require mutually exclusive logic (i.e., 'simp', 'simp4', 'simp4_2', 'simp5', etc.,).
QUESTION: what is the benefit of these files over the ::params pattern? ANSWER:
it allows n parallel configuration tracks to coexist without conflicting
it separates SIMP-specific settings from the rest of the module.
The parameter must allow for an ENC or Hiera or straight parameter, since we want maximum module uptake where possible.
Note: When SIMP-1694 is complete, this will look like the following
$simp_firewall = simp_opt('firewall', 'true')
Translation:
$parameter => { <if set> => <use global/ENV variable>, <otherwise> => <use what's in Hiera or default to true> }
QUESTION: Should we make this defined->hiera->default logic a function in simplib? ANSWER: Yeah, probably. How about.....simp_def('variable','default')
QUESTION: Why not just lookup()? ANSWER: lookup() was introduced in Puppet 4. The core SIMP modules will need to support Puppet 3.x for at some time (at least another major version, probably longer).
The default parameter lookup will reference the associated Global Catalyst.
Advanced Module Structure
Some modules may manage components that do not easily fit the recommended structure.
If the module has taken on too much responsibility for a single component, refactor it into separate component modules and use the recommended structure.
If the module manages a single responsibility yet is inherently complex, apply the recommended structure to appropriate areas.
Below are two recommended patterns for complex adaptations:
Modules that manage a client and a server
This pattern applies to any module that manages several asymmetric services that must manage the same resources.
The general pattern is to:
create a namespace (directory) for each service
apply the basic structure to each namespace
continue to use the basic (top-level) module structure to manage module-wide configurations and resource orderings
Separate Client and Server Components (When NOT to apply this pattern)
In the case that you have a server and client that are two separately isolated services, such as the SSH server and client, then two separate modules should be created. This provides for a clean usage pattern over time.
Combined Client and Server Components (When TO apply this pattern)
There are going to be times where the server and client components cannot be split. A classic example is ntp, where the client and server require the same package and config file.
In these cases, isolate the functionality within the module to the bests of your ability and repeat the pattern below each subdirectory segment.
As an example, you may use something like the following:
NOTE: Many legacy modules will use an earlier client/server pattern in init.pp where the Boolean parameters $is_client and $is_server. To maintain compatibility, keep the parameters in init.pp and .
Modules that manage their own internal "services"
Occasionally there may be a component (like xinted) that manages multiple services of its own. Managing these services
module/manifests/
init.pp
params.pp
config.pp
config/inet_service.pp (a define that configures an inet_service)
service.pp
firewall.pp
firewall/inet_service.pp (a define that establishes firewall rules for the inet_service)
logging.pp
audit.pp
selinux.pp (this one may just have to be mixed in at times, however, any boolean flipping should probably be done here)
Action Items
Discuss these decisions on Monday and ensure that I didn't miss anything of note. Update the page accordingly.
Construct the Puppet module skeleton defined in to adhere to this structure.
