Difference between revisions of "Production Puppet"

From Dreamwidth Notes
Jump to: navigation, search
Line 71: Line 71:
 
Then we need this file created in /etc/iptables.up.rules:
 
Then we need this file created in /etc/iptables.up.rules:
  
*filter
+
*filter
 
+
 
  # Allows all loopback (lo0) traffic and drop all  
 
  # Allows all loopback (lo0) traffic and drop all  
 
  # traffic to 127/8 that doesn't use lo0
 
  # traffic to 127/8 that doesn't use lo0

Revision as of 20:21, 6 March 2009

This page describes the steps that the Puppet configuration management system should be responsible for.

Setup

Setup DW user account and add it to sudo.

adduser dw
echo "dw ALL=NOPASSWD: ALL" >> /etc/sudoers

Configure /etc/apt/sources.list to use our cache:

deb http://dw-lb01:9999/ubuntu/ hardy main restricted universe
deb-src http://dw-lb01:9999/ubuntu/ hardy main restricted universe

deb http://dw-lb01:9999/ubuntu/ hardy-updates main restricted universe
deb-src http://dw-lb01:9999/ubuntu/ hardy-updates main restricted universe

deb http://dw-lb01:9999/ubuntu hardy-security main restricted universe
deb-src http://dw-lb01:9999/ubuntu hardy-security main restricted universe

Let's do a system update and upgrade. This may not be something we can easily do in puppet? Or is it? I only want to do this from time to time - i.e., only on initial install, and only manually. (I don't want to automatically update packages every night, e.g.)

apt-get update
apt-get dist-upgrade

Now install packages:

vim-perl screen mercurial subversion dh-make-perl apache2-mpm-prefork
libgtop2-dev libapache2-mod-perl2 libapache2-request-perl
libcaptcha-recaptcha-perl libclass-accessor-perl libclass-autouse-perl
libclass-data-inheritable-perl libclass-trigger-perl libcompress-zlib-perl
libcrypt-dh-perl libdbd-mysql-perl libdbi-perl libdatetime-perl
libdigest-hmac-perl libmd5-perl libdigest-sha1-perl libgd-gd2-perl
libgd-graph-perl libgnupg-interface-perl libhtml-parser-perl
libhtml-tagset-perl libhtml-template-perl libio-stringy-perl
perlmagick libimage-size-perl libwww-perl libwww-perl libmime-lite-perl
libmime-perl libmailtools-perl libmail-gnupg-perl libmath-bigint-gmp-perl
libnet-dns-perl libproc-process-perl librpc-xml-perl libsoap-lite-perl
libstring-crc32-perl libtext-vcard-perl liburi-fetch-perl liburi-perl
libunicode-maputf8-perl libxml-atom-perl libxml-rss-perl libxml-simple-perl
mysql-client

Next up, we need to configure Apache. This only needs to be done on webservers. On non-webservers, we need to DISABLE "apache2" from starting at boot time.

$ cat /etc/apache2/conf.d/dw.conf
User dw
Group dw
UseCanonicalName off

StartServers 3
MaxSpareServers 5
MinSpareServers 1
MaxClients 2
MaxRequestsPerChild 200

DocumentRoot /home/dw/current/htdocs
PerlSetEnv  LJHOME /home/dw/current
PerlPassEnv LJHOME
PerlRequire  /home/dw/current/cgi-bin/modperl.pl

There's some more Apache setup that is required to get rid of the default site and enable the request library:

sudo a2dissite default
sudo a2enmod apreq

Last thing is to configure the network. We need to add the following lines in /etc/network/interfaces:

# ensure we load our rules 
pre-up iptables-restore < /etc/iptables.up.rules

Then we need this file created in /etc/iptables.up.rules:

*filter

# Allows all loopback (lo0) traffic and drop all 
# traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT

# Accept inbound private traffic from one of our servers
-A INPUT -s 172.19.1.5 -j ACCEPT
-A INPUT -s 172.19.1.84 -j ACCEPT
-A INPUT -s 172.19.1.85 -j ACCEPT
-A INPUT -s 172.19.1.86 -j ACCEPT
-A INPUT -s 172.19.1.87 -j ACCEPT
-A INPUT -s 172.19.1.88 -j ACCEPT
-A INPUT -s 172.19.1.89 -j ACCEPT
-A INPUT -s 172.19.1.90 -j ACCEPT
-A INPUT -s 172.19.1.91 -j ACCEPT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
-A OUTPUT -j ACCEPT

# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

One thing to note is that this file will get changed each time I add a new server. Also, every time it's pushed out, you have to run the iptables-restore command mentioned above. Puppet should handle that.

The source code for the site needs to be copied, but that's something I can do with rsync. Assuming the dw user is setup from the first step, then all I have to do is rsync the code and start Apache. Assuming the rest of this is all good.