Opened on 07/08/2014 at 09:58:35 AM

Closed on 07/15/2014 at 07:06:30 PM

Last modified on 07/16/2014 at 12:23:24 PM

#760 closed change (fixed)

Make our ssh configuration used automatically for all servers

Reported by: trev Assignee: matze
Priority: P2 Milestone:
Module: Infrastructure Keywords:
Cc: fhd, matze Blocked By: #765, #766
Blocking: Platform: Unknown
Ready: yes Confidential: no
Tester: Verified working: no
Review URL(s):



It seems that not all servers are currently using our sshd_config. The ssh module isn't being used consistently, currently it is used by filtermaster and statsclient modules (with some custom configuration) and in the monitoring server configuration. Other servers still use the default configuration which accepts passwords for example.

What to change

Make sure the ssh module is included by the base module, so that it is used by all servers consistently. We won't be able to pass in class parameters then, since the base module cannot know whether custom configuration is necessary. We can add custom configuration directives using the concat module however, we've already implemented it this way for the sitescripts.ini file.

Attachments (0)

Change History (12)

comment:1 Changed on 07/08/2014 at 11:28:23 AM by matze

  • Owner set to matze

comment:2 Changed on 07/08/2014 at 11:52:29 AM by matze

Please explain the issue you've mentioned in the "What to change" section above.

As far as I can see, custom configuration is already implemented in the ssh module, using templating (modules/ssh/templates/sshd_config.erb, last line) and an empty default parameter (modules/ssh/manifests/init.pp), and applied as parameter in e.g. modules/statsclient/manifests/init.pp.

Although I understand that this is more a hack than a clean solution (like the concat module would have been), I do not see an upcoming issue - except maybe in case of multiple roles and inheritance. So, before I convert this to use concat, I just want to make sure we're on the same page --

comment:3 Changed on 07/08/2014 at 12:04:50 PM by trev

The issue is really that the ssh module can only be included once. If we include it from the base module then we won't be able to invoke it later with different parameters. The sitescripts module solves this issue by using the concat class - one fragment is defined when the sitescripts module is included, other modules can define additional fragments as needed. We can use the same approach for the ssh module, meaning that filtermaster or statsclient will define concat fragments for their server-specific SSH directives.

comment:4 Changed on 07/08/2014 at 12:17:25 PM by matze

OK, got it, thank you.

comment:5 Changed on 07/10/2014 at 05:07:27 AM by matze

  • Blocked By 765 added

Since all servers are affected by the changes (at least in theory), the Monitoring / Nagios issue is considered a blocker: It would be irresponsible not to ensure the lights staying green, even in this state, in the development and test environment (especially because checks also rely on SSH).

Last edited on 07/10/2014 at 05:10:41 AM by matze

comment:6 Changed on 07/10/2014 at 09:48:27 AM by matze

  • Blocked By 766 added; 765 removed

comment:7 Changed on 07/14/2014 at 03:13:27 AM by matze

  • Blocked By 772 added; 766 removed

comment:8 Changed on 07/14/2014 at 06:16:33 AM by trev

  • Blocked By 765, 766 added

comment:9 Changed on 07/15/2014 at 11:13:31 AM by matze

  • Review URL(s) modified (diff)
  • Status changed from new to reviewing

One question: Is the "base" relation configured via manifests/*server.pp enough?

mhennig@kali:~/AdBlockPlus/infrastructure$ grep base manifests/*
manifests/codereviewserver.pp:  include base
manifests/downloadserver.pp:  include base, statsclient
manifests/filtermasterserver.pp:  include base, filtermaster
manifests/filterserver.pp:  include base, statsclient
manifests/intraforumserver.pp:  include base, statsclient
manifests/issuesserver.pp:  include base
manifests/monitoringserver.pp:  include base, ssh, puppetmaster
manifests/statsserver.pp:  include base
manifests/updateserver.pp:  include base, statsclient
manifests/webserver.pp:  include base, statsclient

Especially when using concat::fragment for sshd_config (which is set up in modules/ssh and then included in modules/base), wouldn't it be more clean if we include base or include ssh explicitly?

(See also the review link.)

comment:10 Changed on 07/15/2014 at 03:13:00 PM by matze

I've just pushed the changes, after the review was successful. How do we proceed? Who's going to deploy the modifications? And do I need to re-assign the ticket or just close it?

comment:11 Changed on 07/15/2014 at 07:06:30 PM by trev

  • Blocked By 772 removed
  • Resolution set to fixed
  • Status changed from reviewing to closed

Fixed: Please close the review as well.

Let's have a brief screen sharing session tomorrow so that you can see how deployment works. Normally we deploy immediately after the changes landed.

comment:12 Changed on 07/16/2014 at 12:23:24 PM by matze

  • Review URL(s) modified (diff)

Add Comment

Modify Ticket

Change Properties
as closed .
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from matze.
Note: See TracTickets for help on using tickets.