wiki:NCI Bundles/Getting Started

  1. Starting Out on the NCI NeCTAR Cloud
    1. Requesting a Cloud Account
    2. Bundle Structure
    3. Booting a VM
    4. Default Settings
    5. Customizing the Configuration
      1. Firewall rules
      2. NFS mounts
      3. Shell Access
      4. Sudo Access
      5. Adding new modules

Starting Out on the NCI NeCTAR Cloud

Requesting a Cloud Account

Cloud accounts must be requested by emailing help@…

Bundle Structure

The NCI Bundle system can be downloaded from git@repos.nci.org.au:/nci/puppet

  • puppet/
    • hieradata/ - Hiera configuration files for setting Puppet default arguments
    • manifests/ - Contains the Puppet entry point site.pp
    • modules/ - Contains Puppet modules that can be used to configure the system
    • corefw/ - NCI provided modules
    • private/ - Contains sensitive information
    • tools/ - VM Boot scripts

Booting a VM

To boot a VM you will need your NCI OpenStack credentials loaded in your environment. If you're running on cloudlogin this should be done automatically, if you're working from your own computer you will need to install python-novaclient (e.g. pip install --user python-novaclient), copy the file ~/.nci-os-creds-${USER}.sh from cloudlogin and then source that into your environment.

Default Settings

By default the NCI Puppet repository will apply the Puppet class bundle::role::default. This class has the following effects:

  • Load the class bundle::project::common
    • Load the class bundle::nci::baseline
      • Load the class nci::puppet
        • Creates a symlink /puppet -> /etc/puppet
        • Makes sure that /puppet/private is only visible to root
        • Installs bash
        • Creates a script /usr/local/sbin/puppet-update
        • Sets up root's .vimrc file
      • Load the class bundle::nci::networking
        • Load the class nci::resolv_conf
          • Sets up DHCP
        • Load the class nci::hostname
          • Sets VM hostname in various places
        • Load the class nci::firewall
          • Sets up an iptables firewall
      • Load the class nci::dirs::home
        • Creates /home on the local filesystem
      • Load the class pam::access
        • Sets a list of users that are allowed onto the system
      • Load the class ssh
        • Sets up /etc/ssh/sshd_config
        • Opens port 22 in the firewall
        • Loads the class ssh::denyhosts
          • Blocks attempts to brute-force SSH access
      • Load the class dircolors
        • Makes ls output look pretty for root
    • Load the class ldap::client
      • Installs OpenLDAP
      • Sets up NCI LDAP credentials
      • Load the class nci::nfsh
        • Installs the script that lets you choose your NCI project on login
    • Load the class nci::sudo
      • Grants sudo access to OpenStack tenant members

You can see the Puppet commands that each class executes by going to:

  • Classes starting with bundle:: are under modules/bundle/manifests
  • Other classes are under corefw/$MODULE/manifests, with $MODULE replaced by the first section of the class name

Customizing the Configuration

Puppet gets its default configuration settings through a system called Hiera. Hiera allows you to create a hierarchy of configuration files based on different facts about the server that it will combine intelligently.

For instance the hierarchy: 

  - hieradata/%{::hostname}
  - hieradata/common

will first search for settings in hieradata/$HOSTNAME.yaml, then if it cannot find them there it will look in hieradata/common.yaml (the %{::foo} syntax in Hiera configuration files will be replaced with the output of the command facter foo on the VM).

The NCI bundle uses the following hierarchy: 

  - private/hieradata/node/%{::fqdn}
  - hieradata/node/%{::fqdn}
  - private/hieradata/node/%{::hostname}
  - hieradata/node/%{::hostname}
  - private/hieradata/project
  - hieradata/project
  - corefw/hieradata/global

The configuration files use YAML syntax

Firewall rules

By default the firewall will:

  • Allow ICMP (ping) connections
  • Allow any internal loopback connections
  • Allow connections on port 22 (SSH)
  • Block connections to the OpenStack metadata service from users other than root
  • Block any other connections

Additional firewall rules (e.g. opening up port 80 for websites) can be set using the puppetlabs/firewall module.

NFS mounts

The bundle system supports mounting /home from NFS. To do this add the mount path in your Hiera config, e.g.: 

nci::dirs::home::device: 'os-home.nci.org.au:/ab1/home'

Shell Access

To allow users onto the system you must specify them using Hiera. Groups should be specified using parentheses: 

# List of users and groups allowed onto the system:
pam::access::allowed_array:
  - 'abc123'
  - 'def456'
  - '(a01)'

# List of users and groups not allowed onto the system:
pam::access::denied_array:
  - 'ghi789'
  - '(b23)'

# Allow anyone to log onto the system:
pam::access:default: 'allow'

# Only allow listed users to log onto the system:
pam::access:default: 'deny'

Sudo Access

To grant Sudo access to a user in Hiera: 

nci::sudo::user_specs_hash:
  'sudo for abc123':
      user_list: 'abc123'
      run_as: 'root'
      cmd_list: 'ALL'

Adding new modules

A large number of modules for different projects are available at the Puppet Forge, including a number of important modules supported by the puppet developers for programs like Apache and Postgresql.

To install a module from the Puppet Forge: 

puppet module install --target-dir modules puppetlabs/apache

Refer to the documentation of individual modules for how to configure them, generally you'll want to include the module in manifests/nodes.pp, e.g. 

node default {
  include bundle::role::default
  include apache
}
Last modified 9 years ago Last modified on Apr 4, 2014 2:16:22 PM