Customizing a hostname facts


mac01

Apr 5, 2012, 2:39:24 AM4/5/12
to puppet...@googlegroups.com

Hi,

I am trying to override hostname.rb from path:
/usr/lib/ruby/site_ruby/1.8/facter as,

Facter.add(:hostname) do
  confine :hostname => "serialnumber"
  setcode do
    Facter::Util::Resolution.exec('cat /sys/power/states')
  end
end

Is the fact code correct as I want puppet to pick serialnumber instead of hostname from facter ?

Thanks
mac01

jcbollinger

Apr 5, 2012, 9:17:06 AM4/5/12
to Puppet Users


On Apr 5, 1:39 am, mac01 <smilemukul2...@gmail.com> wrote:
> Hi,
>
> I am trying to override hostname.rb from path:
> /usr/lib/ruby/site_ruby/1.8/facter as,
>
> Facter.add(:hostname) do
>   confine :hostname => "serialnumber"
>   setcode do
>     Facter::Util::Resolution.exec('cat /sys/power/states')
>   end
> end
>
> Is the fact code correct as I want puppet to pick serialnumber instead of hostname from facter ?


You are trying to confine the 'hostname' fact based on the value of
that same fact. I don't see how that could possibly work. Either it
will throw Facter into an infinite loop, or that version of the fact
will just never be chosen.

There is probably a better approach to your problem than redefining
the hostname fact. Not knowing what your actual problem is, I can
only speculate, but you might be better off creating and using a
"serialnumber" custom fact. You might also want to look into Puppet's
"certname" parameter.


John

Mukul Malhotra

Apr 7, 2012, 6:17:23 AM4/7/12
to Puppet Users

Hi,

Actually I want that nobody in my network can change the hostname, as some have already changed the hostname of their node, so
I want to put in place a check that nobody in the network or outside the network can change the hostname, as they are already provided sudo access as per requirement. Also, all the nodes in the network are configured with a serialnumber.

Can you elaborate more on how a "serialnumber" custom fact can be written & how the same will be loaded through puppet for every node in the network.

Thanks
mac01



--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.

To post to this group, send email to puppet...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.




Email Disclaimer: www.stjude.org/emaildisclaimer

John Kennedy

Apr 8, 2012, 5:02:17 AM4/8/12
to puppet...@googlegroups.com
No one should be able to change the hostname through the fact (they can override any fact for a one-time occurrence, but that is not a permanent change).
As to how you can get a serialnumber fact, we would need to know how you get the serial number from your system to begin with. Then you write the fact around that. You then put your rb file in with all the other fact rb files and puppet will find it.
John

John Kennedy
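As an added illustration of the recipe above (find where the value comes from, wrap a fact around it, drop the .rb beside the other facts), here is a stand-alone custom fact in the Facter 1.x style used in this thread. It is not code from the thread or from Facter itself: Facter's own manufacturer.rb already ships a serialnumber fact, and the sysfs DMI paths, placeholder list and helper names below are assumptions for this example.

```ruby
# Added example: a custom "serialnumber" fact for Facter 1.x (not Facter's
# own manufacturer.rb). The sysfs paths are an assumption; the kernel exposes
# the SMBIOS serial there on most Linux systems, normally readable by root,
# which is how the puppet agent runs.
DMI_SERIAL_PATHS = %w[
  /sys/class/dmi/id/product_serial
  /sys/devices/virtual/dmi/id/product_serial
]

# Strings some vendors ship instead of a real serial (assumed list).
PLACEHOLDER_SERIALS = ['', 'none', 'not specified',
                       'to be filled by o.e.m.', 'system serial number']

# Trim the raw value and reject vendor placeholders; nil means "no serial".
def normalize_serial(raw)
  return nil if raw.nil?
  serial = raw.strip
  return nil if PLACEHOLDER_SERIALS.include?(serial.downcase)
  serial
end

# Return the first usable serial found in +paths+, or nil if none is readable.
def read_dmi_serial(paths = DMI_SERIAL_PATHS)
  paths.each do |path|
    next unless File.readable?(path)
    serial = normalize_serial(File.read(path))
    return serial if serial
  end
  nil
end

# Register the fact only when loaded by Facter, so the helpers above can also
# be exercised from plain Ruby. Note that, like every fact, this value is
# self-reported by the node: anyone with root on the node can edit this file,
# so it identifies hardware for inventory but is not a trust anchor.
if defined?(Facter)
  Facter.add(:serialnumber) do
    confine :kernel => "Linux"
    setcode { read_dmi_serial }
  end
end
```

Dropped into the facter directory next to the other fact files (or shipped via pluginsync), `facter serialnumber` then reports the value, or nothing on a machine without a usable DMI serial.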

Mukul Malhotra

Apr 8, 2012, 8:32:09 AM4/8/12
to puppet...@googlegroups.com

Hi,

I get the serialnumber from my system through "facter | grep serialnumber"

Also, is it possible that puppet picks the serialnumber fact instead of the hostname fact from the nodes?

Can you provide the serialnumber.rb fact syntax

Thanks

Christopher Wood

Apr 8, 2012, 8:58:32 AM4/8/12
to puppet...@googlegroups.com
/usr/lib/ruby/1.8/facter/manufacturer.rb has it on my system.

On Sun, Apr 08, 2012 at 06:02:09PM +0530, Mukul Malhotra wrote:
> Hi,
>
> I get the serialnumber from my system through "facter | grep serialnumber"
>
> Also this is possible whether puppet picks the serialnumber fact instead
> of hostname fact from the nodes.
>
> Can you provide the serialnumber.rb fact syntax
>
> Thanks
>

Mukul Malhotra

Apr 9, 2012, 12:51:43 AM4/9/12
to puppet...@googlegroups.com

hi,

But how can I redirect the parameter from hostname to serialnumber so that puppet will pick the serialnumber by default instead of hostname for the updates on the nodes?

Thanks

jcbollinger

Apr 9, 2012, 10:16:27 AM4/9/12
to Puppet Users


On Apr 8, 11:51 pm, Mukul Malhotra <smilemukul2...@gmail.com> wrote:
> hi,
>
> But how can i redirect the parameter from hostname to serialnumber so that
> puppet will pick the serialnumber by default instead of hostname for the
> updates on the nodes.


You have a serious misunderstanding. Puppet uses cryptographic
certificates to identify nodes to the master and the master to nodes.
It does by default use the node's hostname as the certname, but once
the master (or another CA that the master trusts) signs the
certificate, changing the node's hostname is not sufficient
to allow it to impersonate another node. For node A to impersonate node B
that is already known to Puppet, an attacker would need also to steal
a copy of B's certificate. Anyone who can do that already has
sufficient access to node B that he gains nothing by making some other
node impersonate it, and anyway he doesn't need Puppet's help to steal
data from node B or to present a fake node B to others.

Even if Puppet didn't rely on certificates, using serial number
instead of hostname as you propose would gain nothing in security. An
adversary with sufficient privilege to change nodes' hostnames could
as easily modify Facter to present facts of his choosing, including a
forged serialnumber.

Allowing untrusted users unrestricted access to your systems presents
a very serious security problem. I would advise you to consider
whether your requirements can be changed, or at least met in some less
risky way. Alternatively, it might be wise to look into an
alternative means to secure those parts of your systems that even
privileged users must not touch. SELinux can do this for you, but you
would want to design your SELinux policy very carefully. It is
conceivable that your requirements are inconsistent with adequately
securing your systems even via SELinux.

Bottom line: Puppet already does better on the security issue than you
would achieve with your proposed reconfiguration / modification. If
the security already provided by Puppet is insufficient, then you need
to look deeper to secure your systems.


John

Christopher Wood

Apr 9, 2012, 10:58:07 AM4/9/12
to puppet...@googlegroups.com
Not that I've ever done it, but perhaps in the same way as Nan Liu suggests to do for the mac address in this thread:

https://groups.google.com/group/puppet-users/tree/browse_frm/month/2010-10/060a412fb3b33b2c?rnum=171&_done=%2Fgroup%2Fpuppet-users%2Fbrowse_frm%2Fmonth%2F2010-10%3Ffwc%3D1%26

On Mon, Apr 09, 2012 at 10:21:43AM +0530, Mukul Malhotra wrote:
> hi,
>
> But how can i redirect the parameter from hostname to serialnumber so that
> puppet will pick the serialnumber by default instead of hostname for the
> updates on the nodes.
>
> Thanks
>
