#1584 Requesting approval to disclose some puppet modules to CAcert Infrastructure staff
Closed: Fixed None Opened 10 years ago by nb.

I am involved with CAcert (http://www.cacert.org), and our infrastructure lead wants to redo our infrastructure to be managed by puppet. I have mentioned to him that we use puppet for basically everything in Fedora infrastructure, and he was interested in seeing some of our modules since he is new to using puppet.

According to our security policy, I need approval from admin@fedoraproject.org and admin@fedoraproject.org to relocate information off-site.

If you would like me to get approval for each module, that is fine. I would then be requesting ssh, httpd and mysql for now, and possibly an example of a node file and some of our servergroup files, with more to come possibly later.

If you are willing, however, I'd like to get blanket approval to provide him copies of files from /git/puppet after reviewing them to make sure they do not contain any sensitive information. I think all of the sensitive information should already be in /git/private, but I will make sure there is none in the regular puppet files I provide to him. I'm not intending to give him a complete copy of /git/puppet; I'd just like approval to provide whatever is helpful from there, of course after making sure nothing sensitive is in the files I give him.

Can I get 2 +1's (for either of my proposals)?


Comment coming out of discussion on IRC:

I'm not intending on giving him a complete copy of /git/puppet, I'd just like approval to provide whatever is helpful from there, of course after making sure nothing sensitive is in the files I give him.

If you would like me to come up with a list of specific files I would like to give him, I can do that if that is preferred.

+1 to doing this per-module where we get a chance to look through the module first. Most of the stuff outside of modules isn't very well organized/in good style, so that likely won't be all that useful to you guys anyway.

+1 to httpd
+1 to ssh
+1 to mysql

http://git.puppetmanaged.org/ is another public puppet repository that I found useful (thanks to kanarip on IRC).

And a preemptive +1 to puppet (replace fileserver.conf with a generic one) since that will likely be one of the first modules that you'll want to get set up.

+1 from here too. We'd ultimately like to publish all of our puppet stuff in the public, but we haven't given it all a solid security sanity check. +1 to httpd, ssh and mysql. If you want additional modules, just ask and we'll probably grant that too.

+1 to httpd, mysql, and ssh. Please send us feedback from them so that we can better put these in a format we can publish to the world.

Dan had some more requests:

aide, memcached, git, squid, git-email, postfix, wordpress-mu, awstats, haproxy, libvirt-qpid, mod_evasive, sudo, logrotate, moin, puppet, iptables, fingerprints, tmpwatch, rsyslog, supybot, supybot-meetbot

(I gave him a list of the modules we had, because I didn't figure that was sensitive information, and these are the ones he requested).

Hey guys, I'm Dan. I really appreciate you (all of you) opening up these modules to share. From the last list you probably guess I'm just trying to forecast what I might need in the future. At the moment it's myself and Brian working on the puppet setup. I'll give you my word that if I see anything sensitive, security weak or otherwise, I'll let you know. I should be heading in the same direction as you and providing as much publicly from the start, and I'll try to structure our modules in a public/non-public way. CAcert, like Fedora, is still going along the lines of as much public as possible.

Thanks for your time and consideration in providing this info. I'm happy to talk about other aspects of collaboration if you see an avenue of interest.

Replying to [comment:6 nb]:

Dan had some more requests:

aide, memcached, git, squid, git-email, postfix, wordpress-mu, awstats, haproxy, libvirt-qpid, mod_evasive, sudo, logrotate, moin, puppet, iptables, fingerprints, tmpwatch, rsyslog, supybot, supybot-meetbot

(I gave him a list of the modules we had, because I didn't figure that was sensitive information, and these are the ones he requested).

+1 to all of those. I should note though that aide and moin aren't really used anymore (we switched to rkhunter for the aide stuff though they don't match totally so you may not want rkhunter). We haven't actually used moin in a couple of years so it might flat out not work.

Make sure to remove everything under "Authentication Unique Keys." in wp-config.php.erb.
It'd also be good to replace fileserver.conf in puppet with a generic blank one. Same thing for iptables.erb.

+1 otherwise, enjoy.
