Friday, May 18, 2018

Puppetizing ntpd on Solaris 11.4

Last time we configured a Puppet master, see Puppet Master on Solaris 11.3 SRU 23.

Let's do some basic configuration with Puppet today. I'm doing this on Solaris 11.4 Beta with Puppet 5.3.3, so some paths on the master are slightly different. Keep this in mind if you're still on Solaris 11.3.

First things first, set up Hiera.

root@master # cat /etc/puppetlabs/puppet/hiera.yaml
---
version: 5
defaults:
  datadir: /var/lib/hiera
  data_hash: yaml_data
hierarchy:
  - name: "Per-node data"
    path: "nodes/%{trusted.certname}.yaml"

  - name: "Per-net data"
    paths:
      - "net/%{::network_net0}.yaml"
      - "net/%{::network_ipmp0}.yaml"

  - name: "Other YAML hierarchy levels"
    path: "common.yaml"

root@master # cat /var/lib/hiera/common.yaml
---
classes:
  - ntp

# https://forge.puppetlabs.com/puppetlabs/ntp
ntp::enable: true
ntp::iburst_enable: true
# fix "ntpd[12345]: [ID 702911 daemon.warning] restrict default: KOD does nothing without LIMITED."
ntp::restrict:
  - default nomodify notrap nopeer noquery
  - -6 default nomodify notrap nopeer noquery
  - 127.0.0.1
  - -6 ::1
ntp::servers:
  - 10.1.2.3
  - 10.4.5.6

root@master # cat /var/lib/hiera/net/192.168.1.0.yaml
---
ntp::servers:
  - 192.168.1.1

I pulled a lot of hair out while figuring this out... when changing hiera.yaml you have to restart puppet!

Puppet master note: If you modify hiera.yaml between agent runs, you’ll have to restart your Puppet master for your changes to take effect.

And we're almost done. We just have to add one line to site.pp and restart puppet:master because we changed hiera.yaml.

root@master # cat /etc/puppetlabs/code/environments/production/manifests/site.pp
include(lookup('classes', Array[String], 'unique'))

root@master # svcadm restart puppet:master
root@master # tail /var/log/puppetlabs/puppet/puppet-master.log
2018-05-18 13:09:22 +0200 Puppet (notice): Starting Puppet master version 5.3.3
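
To see why the agent below ends up syncing to 192.168.1.1 rather than the 10.x servers, here is a small model of how Hiera 5 walks the hierarchy from hiera.yaml. This is an added example, not Puppet's own code: the YAML files above are copied into a dict, and the per-node file for agent.mycompany.com plus both sets of facts are constructed for the example.

```python
"""Model of how Hiera 5 resolves keys over the hierarchy in hiera.yaml above.
Added example, not Puppet's code; the per-node file and facts are constructed."""
import re

DATA = {
    "common.yaml": {"classes": ["ntp"],
                    "ntp::servers": ["10.1.2.3", "10.4.5.6"]},
    "net/192.168.1.0.yaml": {"ntp::servers": ["192.168.1.1"]},
    # constructed: a per-node file that adds one class for this host only
    "nodes/agent.mycompany.com.yaml": {"classes": ["sshd"]},
}

# Same order and paths as the hierarchy in hiera.yaml.
HIERARCHY = [
    ["nodes/%{trusted.certname}.yaml"],
    ["net/%{::network_net0}.yaml", "net/%{::network_ipmp0}.yaml"],
    ["common.yaml"],
]

def interpolate(path, facts):
    """Expand %{fact} the way Hiera does; an unset fact becomes ''."""
    return re.sub(r"%\{([^}]+)\}", lambda m: facts.get(m.group(1), ""), path)

def lookup(key, facts, merge="first"):
    """merge='first': the highest-priority level wins (default, used for ntp::servers).
    merge='unique': arrays from every level are concatenated and de-duplicated,
    which is what lookup('classes', Array[String], 'unique') in site.pp does."""
    collected = []
    for level in HIERARCHY:
        for template in level:
            data = DATA.get(interpolate(template, facts), {})
            if key not in data:
                continue
            if merge == "first":
                return data[key]
            for value in data[key]:
                if value not in collected:
                    collected.append(value)
    if merge == "first":
        raise KeyError(key)
    return collected

# Constructed facts for two agents: one on the 192.168.1.0 net, one elsewhere.
AGENT = {"trusted.certname": "agent.mycompany.com", "::network_net0": "192.168.1.0"}
OTHER = {"trusted.certname": "other.mycompany.com", "::network_net0": "10.1.2.0"}
```

`lookup("ntp::servers", AGENT)` gives the per-net override while `lookup("classes", AGENT, "unique")` collects the node-level and common classes together, matching what the agent run below applies.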

Let's hop on to the agent and see if it works.

# puppet agent --test --noop --server master.mycompany.com
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Applying configuration version '1526649508'
Notice: /Stage[main]/Ntp::Config/File[/etc/inet/ntp.conf]/ensure: current_value 'absent', should be 'file' (noop)
Notice: Class[Ntp::Config]: Would have triggered 'refresh' from 1 event
Info: Class[Ntp::Config]: Scheduling refresh of Class[Ntp::Service]
Notice: Class[Ntp::Service]: Would have triggered 'refresh' from 1 event
Info: Class[Ntp::Service]: Scheduling refresh of Service[ntp]
Notice: /Stage[main]/Ntp::Service/Service[ntp]/ensure: current_value 'stopped', should be 'running' (noop)
Info: /Stage[main]/Ntp::Service/Service[ntp]: Unscheduling refresh on Service[ntp]
Notice: Class[Ntp::Service]: Would have triggered 'refresh' from 1 event
Notice: Class[Ntp]: Would have triggered 'refresh' from 2 events
Notice: Stage[main]: Would have triggered 'refresh' from 3 events
Notice: Applied catalog in 1.90 seconds

# svcadm enable puppet:agent
# svcs ntp
STATE          STIME    FMRI
online         15:19:34 svc:/network/ntp:default
# ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.1.1     LOCAL(0)         2 u   58   64  377    1.010    0.017   0.037

Neat, we have puppetized NTP with a few lines of code.
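
The restrict lines in common.yaml are the security-relevant part of this setup, so here is a small checker for the rendered /etc/inet/ntp.conf. It is an added example, not the post's or the puppetlabs/ntp module's code; both configs in it are constructed from the values in common.yaml rather than captured from the agent.

```python
"""Check the restrict lines of an ntp.conf for the weak settings that the
ntp::restrict data above avoids. Added example; both configs are constructed."""

# What the ntp module renders from the ntp::restrict and ntp::servers above
# (constructed here, not captured from the agent).
GOOD_CONF = """\
restrict default nomodify notrap nopeer noquery
restrict -6 default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server 192.168.1.1 iburst
"""

# Constructed weak config: the shape that makes ntpd log
# "restrict default: KOD does nothing without LIMITED."
WEAK_CONF = """\
restrict default kod
server 10.1.2.3
"""

# noquery blocks ntpq/ntpdc control queries (the reflection vector behind the
# old monlist amplification problem); nomodify blocks runtime reconfiguration.
REQUIRED_DEFAULT_FLAGS = ("nomodify", "noquery")

def parse_restricts(conf):
    """Return (family, address, flags) for every restrict line."""
    entries = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].split()
        if len(line) < 2 or line[0] != "restrict":
            continue
        family = "-4"
        if line[1] in ("-4", "-6"):
            family = line.pop(1)
        if len(line) < 2:
            continue
        entries.append((family, line[1], set(line[2:])))
    return entries

def lint_restricts(conf):
    """Return findings as strings; an empty list means the defaults are sane."""
    findings, defaults_seen = [], set()
    for family, address, flags in parse_restricts(conf):
        if address == "default":
            defaults_seen.add(family)
            findings += [f"{family} default lacks {f}"
                         for f in REQUIRED_DEFAULT_FLAGS if f not in flags]
        if "kod" in flags and "limited" not in flags:
            findings.append(f"{family} {address}: kod without limited has no effect")
    findings += [f"no {fam} default restrict line"
                 for fam in ("-4", "-6") if fam not in defaults_seen]
    return findings
```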

Puppet Master on Solaris 11.3 SRU 23

I wasn't really happy with Puppet on Solaris 11.3. But SRU 23 had the following highlight.

Puppet has been updated to 3.8.6 (Bug 22264785). Along with the Puppet update, Facter has been updated to 2.4.6 (Bug 22308383).

Let's give Puppet another try. We'll start with configuring the Puppet master.

# pkg install --no-backup-be system/management/puppet
           Packages to install:        14
...
root@master # svccfg -s puppet:master setprop config/server=$(uname -n).mycompany.com
root@master # svccfg -s puppet:master setprop config/bindaddress=0.0.0.0
root@master # svccfg -s puppet:master refresh
root@master # svcadm enable puppet:master
root@master # tail /var/log/puppet/puppet-master.log
2017-10-19 09:05:16 +0200 Puppet (notice): Starting Puppet master version 3.8.6

We'll configure a client as well.

# pkg install --no-backup-be system/management/puppet
...
# svccfg -s puppet:agent setprop config/server=master.mycompany.com
# svccfg -s puppet:agent refresh

# puppet agent --test --server master.mycompany.com
...
Notice: Finished catalog run in 0.10 seconds

Let's sign the client certificate on the master. Before signing, compare the fingerprint shown here with the one `puppet agent --fingerprint` prints on the agent, so you only sign requests from hosts you actually set up.

root@master # puppet cert list
  "agent.mycompany.com" (SHA256) XX:XX:XX:XX:...

root@master # puppet cert sign agent.mycompany.com
Signing Certificate Request for:
  "agent.mycompany.com" (SHA256) XX:XX:XX:XX:...
Notice: Signed certificate request for agent.mycompany.com
Notice: Removing file Puppet::SSL::CertificateRequest agent.mycompany.com at '/etc/puppet/ssl/certificate_requests/agent.mycompany.com.pem'

The puppet agent should now be able to communicate with our puppet master.

# puppet agent --test
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for agent.mycompany.com
Info: Applying configuration version '1526560515'
Notice: Applied catalog in 0.20 seconds

# svcadm enable puppet:agent

And now our Puppet master is pulling the strings.

Read the next part at Puppetizing ntpd on Solaris 11.4.

Monday, May 14, 2018

Vendor lock-in or let's have some fun with libucrypto

So one of the new features of Solaris 11.4 is the libucrypto library. They sell it as:

a lightweight library that provides access to hardware accelerated cryptography

Sadly, the documentation is... scarce. The only open-source program that seems to be using it is Java.

Anyway, let's code a small sample RC4 program today (don't ever use RC4 for real-world crypto!) and verify the ciphertext against a known-good test vector. And yes, the plaintext input is all zeros.

$ cat ucrypto_rc4.c
#include <libucrypto.h>

#include <assert.h>
#include <stdio.h>
#include <string.h> // memcmp(), memset()

// RFC 6229 test vector for the 64-bit key 0x0102030405060708:
// https://tools.ietf.org/html/rfc6229
static const uchar_t key_str[] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
};

// First 32 keystream bytes, i.e. the ciphertext of an all-zero plaintext.
static const uchar_t tv3_out[] = {
    0x97, 0xab, 0x8a, 0x1b, 0xf0, 0xaf, 0xb9, 0x61,
    0x32, 0xf2, 0xf6, 0x72, 0x58, 0xda, 0x15, 0xa8,
    0x82, 0x63, 0xef, 0xdb, 0x45, 0xc4, 0xa1, 0x86,
    0x84, 0xef, 0x87, 0xe6, 0xb1, 0x9e, 0x5b, 0x09
};

int
main(void)
{
    const ucrypto_mech_t mech = CRYPTO_RC4;
    int rv = CRYPTO_FAILED;
    int ret = -1;

    // Size of the output buffer on input; bytes written on return.
    size_t out_len = sizeof(tv3_out);

    uchar_t in[sizeof(tv3_out)];    // all-zero plaintext
    memset(in, 0x0, sizeof(in));

    uchar_t out[sizeof(tv3_out)];   // pre-filled so a no-op call is detected
    memset(out, 0x1, sizeof(out));

    printf("RFC 6229 key: 0x0102030405060708\n");
    // RC4 is a stream cipher without an IV, hence NULL/0 for the IV arguments.
    rv = ucrypto_encrypt(mech, key_str, sizeof(key_str),
            NULL, 0,
            in, sizeof(in),
            out, &out_len);
    //printf("error is %s\n", ucrypto_strerror(rv));
    assert(rv == CRYPTO_SUCCESS);
    assert(out_len == sizeof(tv3_out));
    ret = memcmp(out, tv3_out, sizeof(tv3_out));
    assert(ret == 0);

    printf("All tests passed\n");

    return 0;
}

$ cc -m64 -Wall ucrypto_rc4.c -lucrypto
$ ./a.out
RFC 6229 key: 0x0102030405060708
All tests passed

Well, I'm pretty sure it would be more lines of code with OpenSSL. I'd still advise using NaCl or OpenSSL, though. And please don't use RC4 for anything anymore!
