how to handle a random password in a config file?


Larry Ludwig
Apr 15, 2008, 9:51:50 PM
to Puppet Users
Hi, I'm trying to configure bacula's config file. The issue is that
every time the script runs a new key gets generated for bacula.

How can I have the config file update only run once with puppet, yet
replace the default bacula-fd.conf file?

Script listed below:


class bacula-client {
    # define which server to use
    case $datacenter {
        1: { $backupserver = "coeus" }
        2: { $backupserver = "ulysses" }
    }

    $directorpassword = generate("/etc/puppet/bin/genkey")
    $monitorpassword  = generate("/etc/puppet/bin/genkey")

    package { "hdup_supplemental":
        ensure => absent,
    }
    package { "hdup":
        ensure  => absent,
        require => Package["hdup_supplemental"],
    }
    package { "bacula-client":
        ensure  => latest,
        require => Package["hdup_supplemental"],
    }
    package { "bacula_supplemental":
        ensure  => latest,
        require => Package["bacula-client"],
    }
    # track bacula-fd.conf changes
    file { "bacula-fd.conf":
        name     => "/etc/bacula/bacula-fd.conf",
        checksum => md5,
        ensure   => present,
        replace  => true,
        owner    => 'root',
        group    => 'bacula',
        mode     => '0640',
        backup   => local,
        content  => template("./apps/bacula-client/bacula-fd.conf.erb"),
        require  => Package["bacula_supplemental"],
    }
    # make sure bacula-fd is setup to run
    service { "bacula-fd":
        name      => "bacula-fd",
        ensure    => running,
        enable    => true,
        require   => [ Package["bacula-client"], File["bacula-fd.conf"] ],
        subscribe => [ Package["bacula-client"], File["bacula-fd.conf"] ],
    }
}

Paul Lathrop
Apr 15, 2008, 10:29:06 PM
to puppet...@googlegroups.com
Larry,

Things run using 'generate' really need to be idempotent... if nothing
about the input changes, the output should also not change. The
problem here is that "/etc/puppet/bin/genkey" is producing different
output every time.

There are ways around this, but a lot depends on what exactly
"/etc/puppet/bin/genkey" does. You'd be advised to use something that
generates consistent output for a given input.

--Paul

Larry Ludwig
Apr 16, 2008, 9:02:30 AM
to Puppet Users
The thing is, following off of the bacula rpm, it auto-generates the
password entries (doing /usr/bin/openssl rand -base64 33 -out). Having
all bacula clients with the same password isn't really a good idea (but
of course it is possible), so this isn't ideal.

We make some other changes to the config file, so it's not the stock rpm
config file.



On Apr 15, 10:29 pm, "Paul Lathrop" <p...@tertiusfamily.net> wrote:
> Larry,
>
> Things run using 'generate' really need to be idempotent... if nothing
> about the input changes, the output should also not change. The
> problem here is that "/etc/puppet/bin/genkey" is producing different
> output every time.
>
> There are ways around this, but a lot depends on what exactly
> "/etc/puppet/bin/genkey" does. You'd be advised to use something that
> generates consistent output for a given input.
>
> --Paul
>

Larry Ludwig
Apr 16, 2008, 9:10:15 AM
to Puppet Users
I just thought about one idea:

I could pass the host name to my genkey script and then create a
routine that will look to see if I already created a file (in some
local folder) that has a pre-gen key. If not, create one. That way it
will always give the same key and will prevent it from re-creating the
configuration file every time.

Not bad for 9AM in the morning :-)

On Apr 15, 10:29 pm, "Paul Lathrop" <p...@tertiusfamily.net> wrote:
> Larry,
>
> Things run using 'generate' really need to be idempotent... if nothing
> about the input changes, the output should also not change. The
> problem here is that "/etc/puppet/bin/genkey" is producing different
> output every time.
>
> There are ways around this, but a lot depends on what exactly
> "/etc/puppet/bin/genkey" does. You'd be advised to use something that
> generates consistent output for a given input.
>
> --Paul
>

José González Gómez
Apr 21, 2008, 4:01:26 AM
to Puppet Users
On 16 Apr, 15:10, Larry Ludwig <larry...@gmail.com> wrote:
> I just thought about one idea:
>
> I could pass the host name to my genkey script and then create a
> routine that will look to see if I already created a file (in some
> local folder) that has a pre-gen key. If not, create one. That way it
> will always give the same key and will prevent it from re-creating the
> configuration file every time.
>
> Not bad for 9AM in the morning :-)
>
> On Apr 15, 10:29 pm, "Paul Lathrop" <p...@tertiusfamily.net> wrote:
>

We are generating passwords for bacula using a custom function that
computes the MD5 hash of a constant string for every combination of
server-client nodes (director-file daemon, director-storage daemon,
director-console, ...). This creates a security problem, as everybody
knowing how we compute the source string would be able to get all the
bacula passwords, but we favoured ease of implementation (and you may
change some bit of the source string from time to time just in case).
Anyway, this would ideally be implemented using a random password
generator and storing those generated passwords in a database on the
puppet master, everything enclosed in a custom function. This is on
our to-do list, but not for the near future (maybe something worth
including in puppet itself?).

HTH, best regards
Jose

Larry Ludwig
Apr 21, 2008, 9:01:31 AM
to Puppet Users

On Apr 21, 4:01 am, José González Gómez
A random function in Puppet that stores the info could be neat for
situations like this.

Ok here's the code.

IMHO no need to store in a SQL db, especially since Puppet by default
doesn't use one. A flat file should be fine. This function could be
made more generic to suit other random password situations.

In the bacula class file:

$baculapassword = generate('/usr/bin/env', '/etc/puppet/bin/bacula-genkey', "$fqdn")

which goes to an erb template.

The bacula-genkey stores a random key in a file (if it's not already
created) based upon the fqdn. If the file is already there, it does not
generate a new one; instead it returns the existing one. I copied the
openssl statement from the bacula rpm that generates the same random
password to create the config file.

#!/usr/bin/perl
# Print the stored bacula password for the host named in $ARGV[0],
# generating and saving one on first use so every later run returns
# the same key (which keeps the templated config file unchanged).
use strict;
use warnings;

die "usage: $0 <fqdn>\n" unless @ARGV;

umask 066;

my $keyfile = "/etc/puppet/etc/bacula/" . $ARGV[0] . ".key";

if (!-e $keyfile) {
    # same command the bacula rpm uses for its default passwords;
    # list form avoids passing the path through a shell
    system('/usr/bin/openssl', 'rand', '-base64', '33', '-out', $keyfile) == 0
        or die "openssl rand failed for $keyfile: $?\n";
}

open(my $fh, '<', $keyfile) or die "cannot open $keyfile: $!\n";
while (my $line = <$fh>) {
    $line =~ s/\n//g;
    print $line;
}
close($fh);

The /etc/puppet/etc/bacula/ folder has to be writable by the puppet user
since puppetmasterd runs as that user.


-L
--
Larry Ludwig
Empowering Media
1-866-792-0489 x600
Managed and Unmanaged Xen VPSes
http://www.hostcube.com/
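The same generate-once-then-reuse idea as Larry's bacula-genkey script, and the stored-random-password function José wished for, written here as an added example in Ruby (the language Puppet custom functions are written in). This is not code from the thread; the store directory, the `<name>.key` file naming and the function names are assumptions. It goes a little beyond the posted script in three places a defender cares about: the key file is created with O_EXCL so two concurrent runs cannot overwrite each other's key (which would silently rotate a client's password), a name that could escape the store directory is refused, and an empty or truncated key file is reported as an error rather than deployed as the password.

```ruby
# Added example, not code from the thread. A per-name random secret store:
# the first call generates and saves a password, every later call returns the
# same one, so a template that embeds it is stable across puppet runs.
# The store directory and file naming are assumptions for this example.
require 'securerandom'
require 'fileutils'
require 'tmpdir'

# 33 random bytes, base64 encoded, matches `openssl rand -base64 33`.
KEY_BYTES = 33

def stored_password(store_dir, name, bytes: KEY_BYTES)
  # Refuse names that could escape the store ("../../etc/shadow", "/x").
  raise ArgumentError, "bad name #{name.inspect}" unless name =~ /\A[A-Za-z0-9._-]+\z/

  FileUtils.mkdir_p(store_dir, mode: 0o700)
  path = File.join(store_dir, "#{name}.key")

  # O_EXCL makes creation atomic: if two runs race, exactly one creates the
  # file; the loser falls through and reads the winner's key instead of
  # overwriting it with a second, different value.
  begin
    File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
      f.write(SecureRandom.base64(bytes))
    end
  rescue Errno::EEXIST
    # already generated on an earlier run: reuse it
  end

  existing = File.read(path).strip
  # A truncated file (disk full, killed mid-write) must not become the
  # password. 'm0' is strict base64 decoding; it raises on malformed input.
  decoded = existing.unpack1('m0')
  raise "key file #{path} is truncated" unless decoded.bytesize == bytes
  existing
end

# Demonstration on a throwaway store: repeated calls for one host agree,
# a second host gets a different key, and the file is owner-only.
def demo
  Dir.mktmpdir do |dir|
    a1 = stored_password(dir, 'client1.example.com')   # constructed fqdn
    a2 = stored_password(dir, 'client1.example.com')
    b  = stored_password(dir, 'client2.example.com')
    mode = File.stat(File.join(dir, 'client1.example.com.key')).mode & 0o777
    { idempotent: a1 == a2, distinct: a1 != b, length: a1.length, mode: mode }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Inside a Puppet custom function this would be called with the client's `$fqdn` and a directory owned by the puppetmaster user, exactly as the posted script is; the difference is only in how the first write and the later reads are guarded.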