question regarding include -- need to have separate modules due to CIS implementation

asked 2018-06-21 13:10:42 -0500

jgh

updated 2018-06-25 13:16:44 -0500

Hello,

Hoping folks here may have an answer for this. We are using puppet inside of Satellite via RedHat packaging (my previous experience is not with the Satellite layer). We have a module:

    class ntpd (
      $tinker_panic                 = 0,
      $restrict1                    = 'default ignore',
      $restrict2                    = '127.0.0.1',
      $driftfile                    = '/var/lib/ntp/drift',
      $broadcastdelay               = '0.008',
      $timeserver1                  = '129.65.xx.x',
      $timeserver1_options          = 'burst iburst',
      $timeserver1_restrict_mask    = '255.255.255.255',
      $timeserver1_restrict_options = 'nomodify notrap noquery',
      $timeserver2                  = '129.65.xx.xxx',
      $timeserver2_options          = 'burst iburst',
      $timeserver2_restrict_mask    = '255.255.255.255',
      $timeserver2_restrict_options = 'nomodify notrap noquery',
      # Read by the template (@cisrestrict) and passed in by cis_ntpd below,
      # so it must be declared here or that class declaration fails to compile.
      $cisrestrict                  = false,
    ) {
      package { 'ntp':
        ensure => installed,
      }
      package { 'chrony':
        ensure => absent,
      }

      # Hosts matching the pattern get a static per-host file; all others get
      # the templated config. Both branches notify the same service.
      if $::hostname =~ /^p-x(xx|nn)/ {
        file { '/etc/ntp.conf':
          owner   => 'root',
          group   => 'root',
          mode    => '0644',
          source  => "puppet:///modules/ntpd/ntp.conf.${::hostname}",
          require => Package['ntp'],
          notify  => Service['ntpd'],
        }
      } else {
        file { '/etc/ntp.conf':
          owner   => 'root',
          group   => 'root',
          mode    => '0644',
          content => template('ntpd/ntp.conf.erb'),
          require => Package['ntp'],
          notify  => Service['ntpd'],
        }
      }

      service { 'ntpd':
        ensure     => running,
        enable     => true,
        hasstatus  => true,
        hasrestart => true,
      }
    }

Contents of template:

    tinker panic <%= @tinker_panic %>
    restrict <%= @restrict1 %>
    restrict <%= @restrict2 %>

    driftfile <%= @driftfile %>
    broadcastdelay <%= @broadcastdelay %>

    restrict <%= @timeserver1 %> mask <%= @timeserver1_restrict_mask %> <%= @timeserver1_restrict_options %>
    server <%= @timeserver1 %> <%= @timeserver1_options %>
    restrict <%= @timeserver2 %> mask <%= @timeserver2_restrict_mask %> <%= @timeserver2_restrict_options %>
    server <%= @timeserver2 %> <%= @timeserver2_options %>
    <% if @cisrestrict -%>
    restrict -4 default kod nomodify notrap nopeer noquery
    restrict -6 default kod nomodify notrap nopeer noquery
    <% end -%>

For CIS hardening efforts, we need to have a completely different module and are also trying to streamline rollout so both modules can co-exist in the same content_view (using Satellite w/ Foreman (https://www.theforeman.org)).

Our other module is this:

    class cis_ntpd {
      # Release 6 hosts get the CIS restrict lines; everything else gets the
      # plain ntpd defaults.
      if $::operatingsystemmajrelease == '6' {
        class { 'ntpd':
          cisrestrict => true,
        }
      } else {
        include ntpd
      }
    }

Ideally, we would like to notify the other module and have the service restart; however, the other module is maintaining content based on the template, and this is changing the same source file, so we think it will loop.

Can this be solved with include and notifications? Any solutions and content updates are welcome, but we want to not touch the first module, named "ntpd". Please kindly forgive formatting issues, as the markup for inserting code on this site is not ideal.

Thanks for your help in advance!


Comments

1

Why aren't you using the NTP module, 'puppetlabs-ntp'? It seems to me you're reinventing the NTP wheel here, so-to-speak. A quick check of puppetlabs-ntp shows that what you want to do is possible.

bschonecker (2018-06-22 06:05:09 -0500)

I'm maintaining what we have, because we are more than likely shifting to a different solution in the very near term. We need to keep what we have and iterate on it to provide a solution with little change.

jgh (2018-06-22 18:06:23 -0500)

1 Answer

1

answered 2018-06-22 09:12:15 -0500

reesek

This sounds like a good case for roles and profiles. You could use the puppetlabs/ntp module to manage all of your NTP settings for you, and profile it for your disparate need. https://puppet.com/docs/pe/2017.2/r_n...

I can't speak to the use of Satellite here, so sorry if the suggestion doesn't fit that model, but that's what I'd consider in this case.

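The roles-and-profiles layout suggested above, applied to the question's existing ntpd class rather than puppetlabs/ntp, as an added example that is not code from the question or the answer. The class names profile::ntp, role::cis_host and role::base_host are hypothetical; it assumes ntpd accepts a Boolean cisrestrict parameter (its template already reads @cisrestrict).

```puppet
# Added example, not part of the original thread. Class names are
# hypothetical; ntpd is assumed to take a Boolean $cisrestrict parameter.

# The profile is the single place in the catalog that declares ntpd.
# A second module doing 'include ntpd' or 'class { "ntpd": ... }' on the
# same node is a duplicate-declaration compile error (that, rather than a
# notify loop, is what two declarers of the same class produce), so the
# separate cis_ntpd class is replaced by a role that selects this profile.
class profile::ntp (
  # true on hosts that must carry the CIS 'restrict default ...' lines;
  # the default reproduces the release-based rule from cis_ntpd.
  Boolean $cisrestrict = ($::operatingsystemmajrelease == '6'),
) {
  class { 'ntpd':
    cisrestrict => $cisrestrict,
  }
  # contain (not include) so anything ordered after Class['profile::ntp']
  # also runs after ntpd's File['/etc/ntp.conf'] and Service['ntpd'].
  contain ntpd
}

# Roles are the only classes assigned to hosts (for example from Foreman /
# Satellite host groups); each role picks exactly one NTP profile, so a
# host is either hardened or not and ntp.conf is written once per run,
# which in turn notifies Service['ntpd'] exactly once.
class role::cis_host {
  class { 'profile::ntp':
    cisrestrict => true,
  }
}

class role::base_host {
  include profile::ntp
}
```

Moving a host between the two content views then changes only its role assignment; the ntpd module itself is left untouched.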

Comments

Unable to use this solution (please refer to comment above). Still iterating on this work and everything I am trying is simply not working.

jgh (2018-06-25 13:11:28 -0500)

Stats

Asked: 2018-06-21 13:10:42 -0500

Seen: 177 times

Last updated: Jun 25