Playing with Puppet part 2

I started the exercise at 22:24 local time. The exercise was done on an HP Pavilion p6-2020sc using Kubuntu 16.04.2 from a live USB. All the files and code can be found at https://github.com/Spodah/puppet-practices

I began by creating a script that would: set the keyboard to the Finnish layout, install puppet and git, clone the puppet-practices repository from GitHub, and run the git and ipython modules from the repository.

kubuntu@kubuntu:~$ nano startup.sh
kubuntu@kubuntu:~$ setxkbmap fi
kubuntu@kubuntu:~$ nano startup.sh
kubuntu@kubuntu:~$ startup.sh
startup.sh: command not found
kubuntu@kubuntu:~$ bash startup.sh
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
augeas-lenses debconf-utils facter git-man hiera libaugeas0 liberror-perl puppet-common ruby-augeas ruby-deep-merge ruby-json
ruby-nokogiri ruby-rgen ruby-safe-yaml ruby-selinux ruby-shadow virt-what
Suggested packages:
augeas-doc git-daemon-run | git-daemon-sysvinit git-doc git-el git-email git-gui gitk gitweb git-arch git-cvs git-mediawiki
git-svn mcollective-common augeas-tools puppet-el vim-puppet etckeeper ruby-rrd
The following NEW packages will be installed:
augeas-lenses debconf-utils facter git git-man hiera libaugeas0 liberror-perl puppet puppet-common ruby-augeas ruby-deep-merge
ruby-json ruby-nokogiri ruby-rgen ruby-safe-yaml ruby-selinux ruby-shadow virt-what
0 upgraded, 19 newly installed, 0 to remove and 0 not upgraded.
Need to get 5,666 kB of archives.
After this operation, 35.2 MB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu xenial/main amd64 augeas-lenses all 1.4.0-0ubuntu1 [263 kB]
Get:2 http://archive.ubuntu.com/ubuntu xenial/universe amd64 debconf-utils all 1.5.58ubuntu1 [57.5 kB]
Get:3 http://archive.ubuntu.com/ubuntu xenial/universe amd64 ruby-json amd64 1.8.3-1build4 [43.9 kB]
Get:4 http://archive.ubuntu.com/ubuntu xenial/universe amd64 facter all 2.4.6-1 [75.1 kB]
Get:5 http://archive.ubuntu.com/ubuntu xenial/main amd64 liberror-perl all 0.17-1.2 [19.6 kB]
Get:6 http://archive.ubuntu.com/ubuntu xenial/main amd64 git-man all 1:2.7.4-0ubuntu1 [735 kB]
Get:7 http://archive.ubuntu.com/ubuntu xenial/main amd64 git amd64 1:2.7.4-0ubuntu1 [3,006 kB]
Get:8 http://archive.ubuntu.com/ubuntu xenial/universe amd64 ruby-deep-merge all 1.0.1+gitf9df6fdb-1 [8,226 B]
Get:9 http://archive.ubuntu.com/ubuntu xenial/universe amd64 hiera all 2.0.0-2 [21.6 kB]
Get:10 http://archive.ubuntu.com/ubuntu xenial/main amd64 libaugeas0 amd64 1.4.0-0ubuntu1 [154 kB]
Get:11 http://archive.ubuntu.com/ubuntu xenial/universe amd64 ruby-augeas amd64 1:0.5.0-3build4 [10.6 kB]
Get:12 http://archive.ubuntu.com/ubuntu xenial/universe amd64 ruby-nokogiri amd64 1.6.7.2-3build1 [88.3 kB]
Get:13 http://archive.ubuntu.com/ubuntu xenial/universe amd64 ruby-rgen all 0.7.0-2 [70.0 kB]
Get:14 http://archive.ubuntu.com/ubuntu xenial/universe amd64 ruby-safe-yaml all 1.0.4-1 [17.5 kB]
Get:15 http://archive.ubuntu.com/ubuntu xenial/universe amd64 ruby-shadow amd64 2.4.1-1build4 [9,490 B]
Get:16 http://archive.ubuntu.com/ubuntu xenial/universe amd64 puppet-common all 3.8.5-2 [1,015 kB]
Get:17 http://archive.ubuntu.com/ubuntu xenial/universe amd64 puppet all 3.8.5-2 [12.3 kB]
Get:18 http://archive.ubuntu.com/ubuntu xenial/universe amd64 ruby-selinux amd64 2.4-3build2 [46.2 kB]
Get:19 http://archive.ubuntu.com/ubuntu xenial/universe amd64 virt-what amd64 1.14-1 [13.0 kB]
Fetched 5,666 kB in 3s (1,557 kB/s)
Selecting previously unselected package augeas-lenses.
(Reading database ... 162826 files and directories currently installed.)
Preparing to unpack .../augeas-lenses_1.4.0-0ubuntu1_all.deb ...
Unpacking augeas-lenses (1.4.0-0ubuntu1) ...
Selecting previously unselected package debconf-utils.
Preparing to unpack .../debconf-utils_1.5.58ubuntu1_all.deb ...
Unpacking debconf-utils (1.5.58ubuntu1) ...
Selecting previously unselected package ruby-json.
Preparing to unpack .../ruby-json_1.8.3-1build4_amd64.deb ...
Unpacking ruby-json (1.8.3-1build4) ...
Selecting previously unselected package facter.
Preparing to unpack .../facter_2.4.6-1_all.deb ...
Unpacking facter (2.4.6-1) ...
Selecting previously unselected package liberror-perl.
Preparing to unpack .../liberror-perl_0.17-1.2_all.deb ...
Unpacking liberror-perl (0.17-1.2) ...
Selecting previously unselected package git-man.
Preparing to unpack .../git-man_1%3a2.7.4-0ubuntu1_all.deb ...
Unpacking git-man (1:2.7.4-0ubuntu1) ...
Selecting previously unselected package git.
Preparing to unpack .../git_1%3a2.7.4-0ubuntu1_amd64.deb ...
Unpacking git (1:2.7.4-0ubuntu1) ...
Selecting previously unselected package ruby-deep-merge.
Preparing to unpack .../ruby-deep-merge_1.0.1+gitf9df6fdb-1_all.deb ...
Unpacking ruby-deep-merge (1.0.1+gitf9df6fdb-1) ...
Selecting previously unselected package hiera.
Preparing to unpack .../archives/hiera_2.0.0-2_all.deb ...
Unpacking hiera (2.0.0-2) ...
Selecting previously unselected package libaugeas0.
Preparing to unpack .../libaugeas0_1.4.0-0ubuntu1_amd64.deb ...
Unpacking libaugeas0 (1.4.0-0ubuntu1) ...
Selecting previously unselected package ruby-augeas.
Preparing to unpack .../ruby-augeas_1%3a0.5.0-3build4_amd64.deb ...
Unpacking ruby-augeas (1:0.5.0-3build4) ...
Selecting previously unselected package ruby-nokogiri.
Preparing to unpack .../ruby-nokogiri_1.6.7.2-3build1_amd64.deb ...
Unpacking ruby-nokogiri (1.6.7.2-3build1) ...
Selecting previously unselected package ruby-rgen.
Preparing to unpack .../ruby-rgen_0.7.0-2_all.deb ...
Unpacking ruby-rgen (0.7.0-2) ...
Selecting previously unselected package ruby-safe-yaml.
Preparing to unpack .../ruby-safe-yaml_1.0.4-1_all.deb ...
Unpacking ruby-safe-yaml (1.0.4-1) ...
Selecting previously unselected package ruby-shadow.
Preparing to unpack .../ruby-shadow_2.4.1-1build4_amd64.deb ...
Unpacking ruby-shadow (2.4.1-1build4) ...
Selecting previously unselected package puppet-common.
Preparing to unpack .../puppet-common_3.8.5-2_all.deb ...
Unpacking puppet-common (3.8.5-2) ...
Selecting previously unselected package puppet.
Preparing to unpack .../puppet_3.8.5-2_all.deb ...
Unpacking puppet (3.8.5-2) ...
Selecting previously unselected package ruby-selinux.
Preparing to unpack .../ruby-selinux_2.4-3build2_amd64.deb ...
Unpacking ruby-selinux (2.4-3build2) ...
Selecting previously unselected package virt-what.
Preparing to unpack .../virt-what_1.14-1_amd64.deb ...
Unpacking virt-what (1.14-1) ...
Processing triggers for man-db (2.7.5-1) ...
Processing triggers for libc-bin (2.23-0ubuntu5) ...
Processing triggers for systemd (229-4ubuntu16) ...
Processing triggers for ureadahead (0.100.0-19) ...
ureadahead will be reprofiled on next reboot
Setting up augeas-lenses (1.4.0-0ubuntu1) ...
Setting up debconf-utils (1.5.58ubuntu1) ...
Setting up ruby-json (1.8.3-1build4) ...
Setting up facter (2.4.6-1) ...
Setting up liberror-perl (0.17-1.2) ...
Setting up git-man (1:2.7.4-0ubuntu1) ...
Setting up git (1:2.7.4-0ubuntu1) ...
Setting up ruby-deep-merge (1.0.1+gitf9df6fdb-1) ...
Setting up hiera (2.0.0-2) ...
Setting up libaugeas0 (1.4.0-0ubuntu1) ...
Setting up ruby-augeas (1:0.5.0-3build4) ...
Setting up ruby-nokogiri (1.6.7.2-3build1) ...
Setting up ruby-rgen (0.7.0-2) ...
Setting up ruby-safe-yaml (1.0.4-1) ...
Setting up ruby-shadow (2.4.1-1build4) ...
Setting up puppet-common (3.8.5-2) ...
Setting up puppet (3.8.5-2) ...
Setting up ruby-selinux (2.4-3build2) ...
Setting up virt-what (1.14-1) ...
Processing triggers for libc-bin (2.23-0ubuntu5) ...
Processing triggers for systemd (229-4ubuntu16) ...
Processing triggers for ureadahead (0.100.0-19) ...
Cloning into 'puppet-practices'...
remote: Counting objects: 98, done.
remote: Compressing objects: 100% (70/70), done.
remote: Total 98 (delta 30), reused 68 (delta 10), pack-reused 0
Unpacking objects: 100% (98/98), done.
Checking connectivity... done.
Notice: Compiled catalog for kubuntu.elisa in environment production in 0.69 seconds
Notice: /Stage[main]/Git/File[/etc/bash.bashrc]/content: content changed '{md5}d80b5c72ee089f1e43de3f084a69495c' to '{md5}a2b11437823218db218caf1a649a64eb'
Notice: /Stage[main]/Git/File[/etc/.gitconfig]/ensure: defined content as '{md5}6c8d7e517ff0240b002d0d8a247e3beb'
Notice: Finished catalog run in 0.20 seconds
Error: Could not run: Could not find file -

setxkbmap fi
sudo apt-get install -y git puppet
git clone https://github.com/Spodah/puppet-practices.git
sudo puppet apply --modulepath /home/kubuntu/puppet-practices -e class{"git:"}
sudo puppet apply --modulepath /home/kubuntu/puppet-practices - e class{"ipython:"}

The error was caused by an extra space on line 5, between - and e.

kubuntu@kubuntu:~$ bash startup.sh
Reading package lists... Done
Building dependency tree
Reading state information... Done
git is already the newest version (1:2.7.4-0ubuntu1).
puppet is already the newest version (3.8.5-2).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
fatal: destination path 'puppet-practices' already exists and is not an empty directory.
Notice: Compiled catalog for kubuntu.elisa in environment production in 0.68 seconds
Notice: Finished catalog run in 0.18 seconds
Notice: Compiled catalog for kubuntu.elisa in environment production in 0.64 seconds
Notice: /Stage[main]/Ipython/File[/tmp/ipython]/ensure: defined content as '{md5}38028b51833135efa362820b0daa7f8e'
Notice: /Stage[main]/Ipython/Package[ipython3]/ensure: ensure changed 'purged' to 'latest'
Notice: Finished catalog run in 7.22 seconds

Now the script is working as it should. Next, I opened a new tab in terminal for testing.

kubuntu@kubuntu:~$ mv startup.sh puppet-practices/startup.sh
kubuntu@kubuntu:~$ cd puppet-practices/
kubuntu@kubuntu:~/puppet-practices$ git config --global user.email "jpuroila@gmail.com"
kubuntu@kubuntu:~/puppet-practices$ git config --global user.name "Juuso Puroila"
kubuntu@kubuntu:~/puppet-practices$ gpush
[master 9cf6dd1] Add bashscript to jumpstart using liveUSB.
1 file changed, 5 insertions(+)
create mode 100644 startup.sh
Already up-to-date.
warning: push.default is unset; its implicit value has changed in
Git 2.0 from 'matching' to 'simple'. To squelch this message
and maintain the traditional behavior, use:

git config --global push.default matching

To squelch this message and adopt the new behavior now, use:

git config --global push.default simple

When push.default is set to 'matching', git will push local branches
to the remote branches that already exist with the same name.

Since Git 2.0, Git defaults to the more conservative 'simple'
behavior, which only pushes the current branch to the corresponding
remote branch that 'git pull' uses to update the current branch.

See 'git help config' and search for 'push.default' for further information.
(the 'simple' mode was introduced in Git 1.7.11. Use the similar mode
'current' instead of 'simple' if you sometimes use older versions of Git)

Username for 'https://github.com': spodah
Password for 'https://spodah@github.com':
Counting objects: 3, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 439 bytes | 0 bytes/s, done.
Total 3 (delta 1), reused 0 (delta 0)
remote: Resolving deltas: 100% (1/1), completed with 1 local object.
To https://github.com/Spodah/puppet-practices.git
39655f6..9cf6dd1 master -> master
kubuntu@kubuntu:~/puppet-practices$

This demonstrates that the script worked correctly, that Git is working correctly, and that Puppet is working correctly. The environment was now sane and working.

My next goal was to configure UFW to block incoming traffic except from ports 22, 80 and 443, as would be standard for a webserver.

kubuntu@kubuntu:~/puppet-practices$ mkdir ufw
kubuntu@kubuntu:~/puppet-practices$ cd ufw/
kubuntu@kubuntu:~/puppet-practices/ufw$ cd ..
kubuntu@kubuntu:~/puppet-practices$ ls
apache exercise2.md git ipython LICENSE README.md ssh ssh_client startup.sh ufw
kubuntu@kubuntu:~/puppet-practices$ sudo apt-get install tree
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
tree
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 40.6 kB of archives.
After this operation, 138 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu xenial/universe amd64 tree amd64 1.7.0-3 [40.6 kB]
Fetched 40.6 kB in 0s (148 kB/s)
Selecting previously unselected package tree.
(Reading database ... 166335 files and directories currently installed.)
Preparing to unpack .../tree_1.7.0-3_amd64.deb ...
Unpacking tree (1.7.0-3) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up tree (1.7.0-3) ...
kubuntu@kubuntu:~/puppet-practices$ tree
.
├── apache
│   ├── manifests
│   │   └── init.pp
│   └── templates
│       ├── 000-default.conf.erb
│       ├── apache2.conf.erb
│       └── se-000-default.conf.erb
├── exercise2.md
├── git
│   ├── manifests
│   │   └── init.pp
│   └── templates
│       ├── bash.bashrc.erb
│       └── gitconfig.erb
├── ipython
│   └── manifests
│       └── init.pp
├── LICENSE
├── README.md
├── ssh
│   ├── manifests
│   │   └── init.pp
│   └── templates
│       └── sshd_config.erb
├── ssh_client
│   ├── manifests
│   │   └── init.pp
│   ├── readme.md
│   └── templates
│       └── ssh_config.erb
├── startup.sh
└── ufw

15 directories, 17 files
kubuntu@kubuntu:~/puppet-practices$ mkdir ufw/manifests
kubuntu@kubuntu:~/puppet-practices$ mkdir ufw/templates
kubuntu@kubuntu:~/puppet-practices$ nano ufw/manifests/init.pp
kubuntu@kubuntu:~/puppet-practices$ sudo puppet apply --modulepath /home/kubuntu/puppet-practices/ -e class{"ufw:"}
Notice: Compiled catalog for kubuntu.elisa in environment production in 0.47 seconds
Notice: Finished catalog run in 0.11 seconds

First, I merely created the module and ensured that ufw is installed.

kubuntu@kubuntu:~/puppet-practices$ nano ufw/manifests/init.pp
kubuntu@kubuntu:~/puppet-practices$ sudo puppet apply --modulepath /home/kubuntu/puppet-practices/ -e class{"ufw:"}
Notice: Compiled catalog for kubuntu.elisa in environment production in 0.68 seconds
Notice: Finished catalog run in 0.14 seconds
kubuntu@kubuntu:~/puppet-practices$ sudo ufw status
Status: inactive
kubuntu@kubuntu:~/puppet-practices$ sudo puppet apply --modulepath /home/kubuntu/puppet-practices/ -e class{"ssh:"}
Notice: Compiled catalog for kubuntu.elisa in environment production in 0.83 seconds
Notice: /Stage[main]/Ssh/Package[ssh]/ensure: ensure changed 'purged' to 'present'
Notice: /Stage[main]/Ssh/File[/etc/ssh/sshd_config]/content: content changed '{md5}bd3a2b95f8b4b180eed707794ad81e4d' to '{md5}29d0f7095278b6cbde7e64eea3aec68e'
Notice: /Stage[main]/Ssh/Service[ssh]: Triggered 'refresh' from 1 events
Notice: Finished catalog run in 8.40 seconds
kubuntu@kubuntu:~/puppet-practices$ sudo service
service servicemenudeinstallation servicemenuinstallation
kubuntu@kubuntu:~/puppet-practices$ man service
kubuntu@kubuntu:~/puppet-practices$ sudo service --status-all
[ + ] acpid
[ - ] alsa-utils
[ - ] anacron
[ + ] apparmor
[ + ] apport
[ + ] avahi-daemon
[ - ] bluetooth
[ - ] bootmisc.sh
[ - ] checkfs.sh
[ - ] checkroot-bootclean.sh
[ - ] checkroot.sh
[ + ] console-setup
[ + ] cron
[ - ] cryptdisks
[ - ] cryptdisks-early
[ + ] cups
[ + ] cups-browsed
[ + ] dbus
[ + ] grub-common
[ - ] hostname.sh
[ - ] hwclock.sh
[ + ] irqbalance
[ - ] kerneloops
[ + ] keyboard-setup
[ - ] killprocs
[ + ] kmod
[ - ] lvm2
[ + ] lvm2-lvmetad
[ + ] lvm2-lvmpolld
[ - ] mountall-bootclean.sh
[ - ] mountall.sh
[ - ] mountdevsubfs.sh
[ - ] mountkernfs.sh
[ - ] mountnfs-bootclean.sh
[ - ] mountnfs.sh
[ + ] network-manager
[ + ] networking
[ + ] ondemand
[ - ] plymouth
[ - ] plymouth-log
[ - ] pppd-dns
[ + ] procps
[ + ] puppet
[ + ] rc.local
[ + ] resolvconf
[ - ] rsync
[ + ] rsyslog
[ - ] saned
[ + ] sddm
[ - ] sendsigs
[ + ] ssh
[ - ] thermald
[ + ] udev
[ + ] ufw
[ - ] umountfs
[ - ] umountnfs.sh
[ - ] umountroot
[ - ] unattended-upgrades
[ + ] urandom
[ - ] uuidd
[ + ] whoopsie
[ - ] x11-common

Next, enabling the firewall. As can be seen, while the service --status-all command reports it to be enabled, UFW itself says that it is disabled. It appears that I have to use an exec resource to enable it.

kubuntu@kubuntu:~/puppet-practices$ nano ufw/manifests/init.pp
kubuntu@kubuntu:~/puppet-practices$ sudo puppet apply --modulepath /home/kubuntu/puppet-practices/ -e class{"ufw:"}
Notice: Compiled catalog for kubuntu.elisa in environment production in 0.72 seconds
Notice: /Stage[main]/Ufw/Exec[ufw enable]/returns: executed successfully
Notice: Finished catalog run in 1.16 seconds
kubuntu@kubuntu:~/puppet-practices$ sudo ufw status
Status: active

Now UFW is active. Next, I added the desired rules to ufw (sudo ufw allow 22 | sudo ufw allow 80 | sudo ufw allow 443) and went to search for the desired configuration file. It turns out that there are two of them: /etc/ufw/user.rules and /etc/ufw/user6.rules.

kubuntu@kubuntu:~/puppet-practices$ cp /etc/ufw/user.rules ufw/templates/user.rules.erb
cp: cannot open '/etc/ufw/user.rules' for reading: Permission denied
kubuntu@kubuntu:~/puppet-practices$ sudo cp /etc/ufw/user.rules ufw/templates/user.rules.erb
kubuntu@kubuntu:~/puppet-practices$ sudo cp /etc/ufw/user6.rules ufw/templates/user6.rules.erb
kubuntu@kubuntu:~/puppet-practices$ man chown
kubuntu@kubuntu:~/puppet-practices$ sudo chown
_apt dnsmasq list proxy sshd systemd-timesync
avahi games lp pulse sync usbmux
avahi-autoipd gnats mail puppet sys uucp
backup hplip man root syslog uuidd
bin irc messagebus rtkit systemd-bus-proxy whoopsie
colord kernoops news saned systemd-network www-data
daemon kubuntu nobody sddm systemd-resolve
kubuntu@kubuntu:~/puppet-practices$ sudo chown kubuntu ufw/templates/user.rules.erb
kubuntu@kubuntu:~/puppet-practices$ sudo chown kubuntu ufw/templates/user6.rules.erb
kubuntu@kubuntu:~/puppet-practices$ nano ufw/templates/user.rules.erb
kubuntu@kubuntu:~/puppet-practices$ nano ufw/manifests/init.pp
kubuntu@kubuntu:~/puppet-practices$ sufo puppet apply --modulepath /home/kubuntu/puppet-practices/ -e class{"ufw:"}
No command 'sufo' found, did you mean:
Command 'sumo' from package 'sumo' (universe)
Command 'sudo' from package 'sudo' (main)
Command 'sudo' from package 'sudo-ldap' (universe)
sufo: command not found
kubuntu@kubuntu:~/puppet-practices$ sudo puppet apply --modulepath /home/kubuntu/puppet-practices/ -e class{"ufw:"}
Notice: Compiled catalog for kubuntu.elisa in environment production in 0.91 seconds
Notice: Finished catalog run in 0.36 seconds

Next, I changed a rule in ufw to see if restarting it works.

kubuntu@kubuntu:~/puppet-practices$ sudo ufw allow 2222
Rule added
Rule added (v6)
kubuntu@kubuntu:~/puppet-practices$ sudo puppet apply --modulepath /home/kubuntu/puppet-practices/ -e class{"ufw:"}
Notice: Compiled catalog for kubuntu.elisa in environment production in 0.89 seconds
Notice: /Stage[main]/Ufw/File[/etc/ufw/user.rules]/content: content changed '{md5}b1d67a1bf2e623ecf6d1acccbe2b053e' to '{md5}d923f93c4e8f5c5244b3db0faa9cc18b'
Notice: /Stage[main]/Ufw/File[/etc/ufw/user6.rules]/content: content changed '{md5}7ddf56500edc7660f8155b0e32f6b910' to '{md5}5df31e42b0efc24b1d1aa23f3c15f7fb'
Notice: /Stage[main]/Ufw/Service[ufw]: Triggered 'refresh' from 2 events
Notice: Finished catalog run in 1.14 seconds
kubuntu@kubuntu:~/puppet-practices$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)

The module is now fully functional. Time elapsed: 1 hour and 5 minutes
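
A way to check mechanically that the firewall has converged to the intended policy after a Puppet run, as an added example that is not part of the original post or its repository. The function name `ufw_policy_drift` and both sample `ufw status` outputs are constructed here; the drifted sample is modelled on the manual `ufw allow 2222` test above.

```shell
#!/bin/sh
# Added example, not part of the original post or its repository.
#
# ufw_policy_drift PORT...
#   Reads `ufw status` text on stdin and compares its ALLOW rules with the
#   expected ports, separately for IPv4 and IPv6 (UFW stores the two rule
#   sets in user.rules and user6.rules).
#   Prints one "unexpected ..." or "missing ..." line per difference.
#   Returns 0 = matches the policy, 1 = drift, 2 = firewall not active.
ufw_policy_drift() {
    _rc=0
    _out=$(awk -v expected="$*" '
        BEGIN {
            n = split(expected, e, " ")
            for (i = 1; i <= n; i++) { want[e[i] " v4"] = 1; want[e[i] " v6"] = 1 }
        }
        /^Status:/ { active = ($2 == "active") }
        / ALLOW/ {
            # Everything left of the Action column is the rule target.
            target = substr($0, 1, index($0, " ALLOW") - 1)
            fam = "v4"
            if (sub(/ \(v6\)[ \t]*$/, "", target)) fam = "v6"
            sub(/[ \t]+$/, "", target)
            seen[target " " fam] = 1
        }
        END {
            if (!active) { print "inactive"; exit 2 }
            for (k in seen) if (!(k in want)) { print "unexpected " k; bad = 1 }
            for (k in want) if (!(k in seen)) { print "missing " k; bad = 1 }
            exit (bad ? 1 : 0)
        }') || _rc=$?
    # awk iterates arrays in no fixed order, so sort for stable output.
    if [ -n "$_out" ]; then printf '%s\n' "$_out" | LC_ALL=C sort; fi
    return "$_rc"
}

# Constructed sample: status after a manual `ufw allow 2222`,
# before Puppet has rewritten the rule files.
UFW_STATUS_DRIFTED='Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
2222                       ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
2222 (v6)                  ALLOW       Anywhere (v6)'

# Constructed sample: status once only the three intended ports remain.
UFW_STATUS_CONVERGED='Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)'

# Demo on the constructed sample. On a real host:
#   sudo ufw status | ufw_policy_drift 22 80 443
printf '%s\n' "$UFW_STATUS_DRIFTED" | ufw_policy_drift 22 80 443 || echo "drift status: $?"
```

Any ALLOW rule whose target is not one of the listed ports, including a named application profile, is reported as unexpected; DENY and LIMIT rules are not evaluated.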

Sources:
http://terokarvinen.com/2017/aikataulu-%e2%80%93-palvelinten-hallinta-ict4tn022-2-%e2%80%93-5-op-uusi-ops-loppukevat-2017-p2
https://jorilaine.wordpress.com/2016/11/13/h6/

Playing with Puppet part 1

The relevant files can be found here: https://github.com/Spodah/puppet-practices
I began the exercise at 2017-4-3 22:45 local time. The exercise was done on an HP Pavilion p6-2020sc using Kubuntu 16.04.2 from a live USB.

First, installing Puppet: sudo apt-get update, sudo apt-get install puppet

Then, checking that the environment is sane and the installation works:
kubuntu@kubuntu:~$ sudo puppet apply -e 'file { "/tmp/hellopuppet": content => "Hello World\n" }'
Notice: Compiled catalog for kubuntu.elisa in environment production in 0.16 seconds
Notice: /Stage[main]/Main/File[/tmp/hellopuppet]/ensure: defined content as '{md5}e59ff97941044f85df5297e1c302d260'
Notice: Finished catalog run in 0.02 seconds
Testing that puppet did what it said it did:
kubuntu@kubuntu:~$ cat /tmp/hellopuppet
Hello World

The environment appears to be working as it should be. By now it was 22:57. In the next part, I attempted to create a puppet module that creates a text file and installs the latest version of IPython 3.
kubuntu@kubuntu:~$ cd /etc/puppet/
kubuntu@kubuntu:/etc/puppet$ ls
etckeeper-commit-post etckeeper-commit-pre manifests modules puppet.conf
kubuntu@kubuntu:/etc/puppet$ cd modules
kubuntu@kubuntu:/etc/puppet/modules$ ls
kubuntu@kubuntu:/etc/puppet/modules$ mkdir ipython
mkdir: cannot create directory ‘ipython’: Permission denied
kubuntu@kubuntu:/etc/puppet/modules$ sudo mkdir ipython
kubuntu@kubuntu:/etc/puppet/modules$ cd ipython
kubuntu@kubuntu:/etc/puppet/modules/ipython$ sudo mkdir modules
kubuntu@kubuntu:/etc/puppet/modules/ipython$ cd modules
After this, I created the file init.pp. The initial version only creates a file in /tmp/ (see GitHub) and adds text to it, just like the hello world script above.
Next, testing the file:
kubuntu@kubuntu:/etc/puppet/modules/ipython/modules$ sudo puppet ipython
Error: Unknown Puppet subcommand 'ipython'
See 'puppet help' for help on available puppet subcommands
kubuntu@kubuntu:/etc/puppet/modules/ipython/modules$ sudo puppet -e ipython
Error: Could not parse application options: invalid option: -e
kubuntu@kubuntu:/etc/puppet/modules/ipython/modules$ sudo puppet apply -e ipython
Error: Could not parse for environment production: Syntax error at end of file at line 1 on node kubuntu.elisa
Error: Could not parse for environment production: Syntax error at end of file at line 1 on node kubuntu.elisa
kubuntu@kubuntu:/etc/puppet/modules/ipython/modules$ sudo nano init.pp
kubuntu@kubuntu:/etc/puppet/modules/ipython/modules$ sudo puppet apply -e 'class{"ipython":}'
Error: Puppet::Parser::AST::Resource failed with error ArgumentError: Could not find declared class ipython at line 1 on node kubuntu.elisa
Error: Puppet::Parser::AST::Resource failed with error ArgumentError: Could not find declared class ipython at line 1 on node kubuntu.elisa
kubuntu@kubuntu:/etc/puppet/modules/ipython/modules$ cd ..
kubuntu@kubuntu:/etc/puppet/modules/ipython$ ls
modules
kubuntu@kubuntu:/etc/puppet/modules/ipython$ cd ..
kubuntu@kubuntu:/etc/puppet/modules$ ls
ipython
kubuntu@kubuntu:/etc/puppet/modules$ cd ipython
kubuntu@kubuntu:/etc/puppet/modules/ipython$ sudo mkdir manifests
kubuntu@kubuntu:/etc/puppet/modules/ipython$ sudo mv ./modules/init.pp ./manifests/init.pp
kubuntu@kubuntu:/etc/puppet/modules/ipython$ sudo del modules
sudo: del: command not found
kubuntu@kubuntu:/etc/puppet/modules/ipython$ cat manifests/init.pp
class ipython {
  file { '/tmp/ipython':
    content => "Playing with puppets\n"
  }
}
kubuntu@kubuntu:/etc/puppet/modules/ipython$ sudo rmdir modules
kubuntu@kubuntu:/etc/puppet/modules/ipython$ sudo puppet apply -e 'class{"ipython":}'
Notice: Compiled catalog for kubuntu.elisa in environment production in 0.16 seconds
Notice: /Stage[main]/Ipython/File[/tmp/ipython]/ensure: defined content as '{md5}38028b51833135efa362820b0daa7f8e'
Notice: Finished catalog run in 0.03 seconds
kubuntu@kubuntu:/etc/puppet/modules/ipython$ cat /tmp/ipython
Playing with puppets

After a few mistakes, the module was finally working. Next, making it install ipython3 as well. Again, the modified files are on GitHub.
kubuntu@kubuntu:/etc/puppet/modules/ipython/manifests$ sudo puppet apply -e 'class{"ipython":}'
Notice: Compiled catalog for kubuntu.elisa in environment production in 0.67 seconds
Notice: /Stage[main]/Ipython/Package[ipython3]/ensure: ensure changed 'purged' to 'latest'
Notice: Finished catalog run in 5.89 seconds
kubuntu@kubuntu:/etc/puppet/modules/ipython/manifests$ ipython3
Python 3.5.2 (default, Nov 17 2016, 17:05:23)
Type "copyright", "credits" or "license" for more information.

IPython 2.4.1 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

In [1]:
Here we can see that IPython3 was working as well. Now the time was 23:46.

Sources: http://terokarvinen.com/2017/aikataulu-%e2%80%93-palvelinten-hallinta-ict4tn022-2-%e2%80%93-5-op-uusi-ops-loppukevat-2017-p2
http://terokarvinen.com/2013/hello-puppet-revisited-%E2%80%93-on-ubuntu-12-04-lts
https://docs.puppet.com/puppet/latest/types/package.html

IT-pro trade fair: Information security demo

On Thursday at the fair I attended the presentation "Kyberturvallisuuden tekninen demo" (a technical cyber security demo), given by Anssi Porttikivi. The demo and the discussion that followed focused on ransomware-type malware (that is, programs which, once on a machine, encrypt the machine's hard drive and, where possible, network drives, backups, and anything else they can get write access to), but the techniques used in the demo itself apply to other malware and potential data breaches as well.

The demo went roughly like this: the user received an urgent e-mail containing an Excel spreadsheet that had to be opened quickly and forwarded. Although security had in principle been taken into account (antivirus software was in use, Excel macros were disabled, and the demo did not make clear whether all the programs used had been updated to their latest versions; it should be noted, however, that Windows was apparently being used with admin rights, which of course should not be done, but a large share of people do it anyway), the malware could still be downloaded to the machine and launched by means of Excel, despite the antivirus. The encryption itself and the ransom demand were not simulated.

The demonstration was (despite slight technical difficulties; Porttikivi apparently did not get permission to use his own computer for the demo, which of course made things harder) well done and well planned. The situation itself seemed very realistic. Ransomware is a common problem (based on a quick poll, roughly one in ten of the audience had, or the company they represented had, fallen victim to it) and growing sums of money are involved, so the presentation was also topical. It was interesting to see how, even though the spreadsheet program in question was in principle being used "safely", it could still be used to break into the user's machine. However, this required action by the user (opening a purpose-built file with Excel; would it have worked if the file had been opened with another spreadsheet program?), so it is not a sure-fire break-in. Some things were also left unmentioned, for example which antivirus software was used and whether the programs used were up to date, or whether an updated system would have blocked the attack. Although not quite everything became clear from the presentation, it was the most interesting of the presentations I followed over the course of the afternoon.