The New Layout for all SIMP Modules

Owned by Trevor Vaughan
Last updated: Oct 14, 2016
5 min read
Status
DONE
Stakeholders
Chris Tessmer Kendall Moore Nicholas Markowski Judith Johnson 
Outcome(Read the Background section)
Due date
Owner
Trevor Vaughan 


Background

This is a record of the discussion on the 12th regarding the new layout of all SIMP Puppet Component Modules

As we were working through issues regarding SIMP-57 - Getting issue details... STATUS , we started discussing how make our module collection more consistent and make it easier to adopt across the board.

Our decision ended up being as follows.

Basic Module Assumptions

  • It expected that SIMP 6 modules will drop support for Puppet 3.

Basic Module Structure

Our component modules will be patterned after the Puppet Labs suggested layout du jour.  SIMP-specific additions are in bold below.

  • module/manifests/
    • init.pp 
    • params.pp
    • install.pp
    • config.pp
    • service.pp
    • simp/firewall/simp.pp
    • simp/logging/simp.pp
    • simp/audit/simp.pp
    • simp/selinux/simp.pp
    • simp/pki/simp.pp
    • simp/tcpwrappers/simp.pp

SIMP Subsystems

The bold files above correspond with optional security subsystems that SIMP can integrate with the module's resources. 

  • SIMP subsystems rely on environmental conventions that cannot be assumed to be present outside of SIMP.
  • They are opt-in, so Forge users can use SIMP modules within non-SIMP infrastructures.
  • A full SIMP ecosystem's hiera will enable each subsystem by default in simp_def.yaml
  • IMPORTANT:  These subsystem only manage SIMP-specific resources and integrations for the module.
    • Each module may naturally have its own way of configuring PKI, logging, etc.  That belongs within the conventional module structure.
      • Examples: enabling SSL or TCP wrappers in a config file, setting SELinux contexts for module resources.
      • QUESTION: are any of the SELinux contexts we use SIMP-specific? ANSWER: No

Standard Class Parameters in init.pp

Each module willl have the following class parameters in init.pp (when applicable):

  • simp_opt::trusted_nets
    • Old Name: client_nets
    • Array of Strings or String = subnets to permit, generally in CIDR notation.  This may be required by the module regardless of whether any SIMP subsystems are used.
       
  • simp_opt::firewall
    • Old Name: simp_firewall and use_iptables
    • true = includes simp-iptables and sets up rules to permit the application
    • false = Firewall settings for the application are not managed; use a profile to make your own arrangements

  • simp_opt::syslog
    • Old Name: simp_logging
    • true = includes simp-rsyslog and configures rsyslog hooks into the application (and/or sets things up to be logged appropriately through the SIMP default LOCAL6 for security relevant items.)
      • NOTE: in the future this may expand to logging providers beyond rsyslog, thus requiring le Stroolean
    • false = doesn't set up logging via SIMP
       
  • simp_opt::audit
    • Old Name: simp_auditd

    • true  = If applicable, include the ::auditd class and add audit rules that are specific to the current module. If not applicable, this should do nothing.

    • false = Does not include any auditing capabilities via SIMP
       

  • simp_opt::selinux

    • Old Name: simp_selinux

    • true  = includes simp-selinux (which effectively manages the SELinux enforcement and mode) and manages SIMP-specific SELinux configurations (QUESTION: like what? ANSWER: Not a lot, honestly besides the fact that we actually configure SELinux as a core part of the system and you need our facts to make it work.)

      • NOTE:  Most if not all module-specific SElinux configurations are handled as attributes of native puppet resources and will not be influence by this parameter.

      • SE boolean flipping should probably be done here, especially if they rely on the SIMP environment (NOTE: this is pretty vague. NOTE NOTE: We have a couple of facts that we added to help detect the SELinux state on your system.)

    • false = does not ensure that SELinux is enabled via simp-selinux; make your own arrangements elsewhere.   

      • NOTE: It may seem counterintuitive, but setting this parameter to false DOES NOT disable SELinux!  

      • To disable SELinux (within a SIMP ecosystem), include simp-selinux (with $simp_selinux = trueand ensure that the top-scope hiera or ENC variable  $::selinux::enable is set to false.
         

  • simp_opt::pki
    • Old Name: simp_pki
    • true or 'simp' = includes simp-pki and uses pki::copy to distribute PKI certificates to the correct locations
    • false = PKI certificates are not distributed by SIMP; make your own arrangements to get them in place
       
  • simp_opt::tcpwrappers
    • Old Name: simp_tcpwrappers
    • true = includes simp-tcpwrappers and uses tcpwrappers::allow to permit the application to the subnets in $::simp_opt::trusted_nets
    • false = TCP wrappers (/etc/hosts.*) entries for the application are not managed; make your own arrangements (using a profile, probably).

Behavior of the Standard $simp_* Class Parameters

Each of the $simp_* parameters must adhere to the following:

  1. The parameter must be disabled (false) by default (NOTE: starting with SIMP 6).
  2. The parameter must honor booleans and Strings where the Boolean true and the String 'simp' amount to the same action.
    1. Welcome to the Trevorian type "Stroolean." (big grin)
    2. The String value such as 'simp' will translate into the filename in the subsystem  path simp/<subsystem>/simp.pp 
      1. This is intended to permit backwards compatibility between SIMP versions if they require mutually exclusive logic (i.e., 'simp', 'simp4', 'simp4_2', 'simp5', etc.,).
      2. QUESTION: what is the benefit of these files over the ::params pattern? 
        ANSWER
        1. it allows n parallel configuration tracks to coexist without conflicting
        2. it separates SIMP-specific settings from the rest of the module.
  3. The parameter must allow for an ENC or Hiera or straight parameter, since we want maximum module uptake where possible.

    1. This will look something like the following:

          $simp_firewall = defined('$::simp_opt::firewall') ? { true => getvar('::simp_opt::firewall'), default => hiera('simp_opt::firewall',true) }

      Note: When SIMP-1694 is complete, this will look like the following

          $simp_firewall = simp_opt('firewall', 'true')

      Translation:

          $parameter => { <if set> => <use global/ENV variable>, <otherwise> => <use what's in Hiera or default to true> }
      1. QUESTIONShould we make this defined->hiera->default logic a function in simplib?
        ANSWER: Yeah, probably. How about.....simp_def('variable','default')
      2. QUESTION: Why not just lookup()?
        ANSWER: lookup() was introduced in Puppet 4.  The core SIMP modules will need to support Puppet 3.x for at some time (at least another major version, probably longer).
  4. The default parameter lookup will reference the associated Global Catalyst.

Advanced Module Structure

Some modules may manage components that do not easily fit the recommended structure.  

  • If the module has taken on too much responsibility for a single component, refactor it into separate component modules and use the recommended structure.
  • If the module manages a single responsibility yet is inherently complex, apply the recommended structure to appropriate areas.

Below are two recommended patterns for complex adaptations:

Modules that manage a client and a server

This pattern applies to any module that manages several asymmetric services that must manage the same resources.

The general pattern is to:

    • create a namespace (directory) for each service
    • apply the basic structure to each namespace
    • continue to use the basic (top-level) module structure to manage module-wide configurations and resource orderings
Separate Client and Server Components (When NOT to apply this pattern)

In the case that you have a server and client that are two separately isolated services, such as the SSH server and client, then two separate modules should be created. This provides for a clean usage pattern over time.

Combined Client and Server Components (When TO apply this pattern)

There are going to be times where the server and client components cannot be split. A classic example is ntp, where the client and server require the same package and config file. 

In these cases, isolate the functionality within the module to the bests of your ability and repeat the pattern below each subdirectory segment.

As an example, you may use something like the following:

  • module/manifests/
    • init.pp
    • params.pp, config.pp, etc (for module-wide settings)
    • server.pp
    • server/
      • params.pp
      • install.pp
      • config.pp
      • service.pp
      • firewall.pp
      • logging.pp
      • audit.pp
      • selinux.pp
    • client.pp
    • client/
      • params.pp
      • install.pp
      • config.pp
      • service.pp
      • firewall.pp
      • logging.pp
      • audit.pp
      • selinux.pp

NOTE: Many legacy modules will use an earlier client/server pattern in init.pp where the Boolean parameters $is_client and $is_server.  To maintain compatibility, keep the parameters in init.pp and .

Modules that manage their own internal "services"

Occasionally there may be a component (like xinted) that manages multiple services of its own.  Managing these services 

  • module/manifests/
    • init.pp
    • params.pp
    • config.pp
    • config/inet_service.pp  (a define that configures an inet_service)
    • service.pp
    • firewall.pp
    • firewall/inet_service.pp  (a define that establishes firewall rules for the inet_service)
    • logging.pp
    • audit.pp
    • selinux.pp (this one may just have to be mixed in at times, however, any boolean flipping should probably be done here)

Action Items

  • Discuss these decisions on Monday and ensure that I didn't miss anything of note. Update the page accordingly.
  • Construct the Puppet module skeleton defined in  SIMP-20 - Getting issue details... STATUS  to adhere to this structure.