Fully worked sshd_config module with template example
Assume you want to write a module that deploys an sshd_config file, and that your modulepath is defined as:
[root@puppetbeta sshdconfig]# puppet --configprint modulepath
/etc/puppet/modules:/usr/share/puppet/modules
You’ve created the module directory structure for a module called sshdconfig:
[root@puppetbeta sshdconfig]# pwd
/etc/puppet/modules/sshdconfig
[root@puppetbeta sshdconfig]# find ./
./
./depends
./files
./templates
./templates/sshd_config.erb
./manifests
./manifests/init.pp
Comment by windowsrefund: Why bother using a define (shown below) at all? Everything inside of it can just as easily be placed into the sshdconfig class and the $ipaddress fact can still be used.
Reply by silverknight: I suspect the idea was to make it easy to pass in a different listenaddress setting (other than is presented by the $ipaddress fact) by replacing the $ipaddress variable but there are other ways to do this, so I cannot be certain that was the intent here. (PS: Sorry about moving your comment, but it’s kinda rude to plop a comment right in the middle of a code snippet without actually making it a #comment in the language of the code snippet itself, in case someone wanted to copy and paste the code directly.)
The module's init.pp contains:
class sshdconfig
{
  # Declare the define once, binding sshd to this host's primary address
  # (the $ipaddress fact that facter supplies at catalog compile time).
  sshd_config{ puppet: listenaddress => $ipaddress }
}

define sshd_config($listenaddress)
{
  # Managed file: its content is rendered from templates/sshd_config.erb in
  # the sshdconfig module, with $listenaddress visible to the template.
  file
  { "/etc/ssh/sshd_config":
    path    => "/etc/ssh/sshd_config",
    owner   => root,
    group   => root,
    mode    => 444,
    content => template("sshdconfig/sshd_config.erb"),
    # Any change to the file content restarts the service declared below.
    notify  => Service[sshd],
  }
  # Keep the daemon running; it is restarted whenever the file notifies it.
  service
  { sshd:
    ensure => running
  }
}
So you have defined sshd_config, a define that takes a single parameter, $listenaddress, and declares a file resource. The content of that file comes from the template sshd_config.erb that ships with the module sshdconfig. Note that the argument to template() is NOT sshdconfig/templates/sshd_config.erb: the first path component names the module and the remainder names a file inside that module's templates directory, so template("sshdconfig/sshd_config.erb") is resolved against each modulepath entry as <entry>/sshdconfig/templates/sshd_config.erb (here /etc/puppet/modules/sshdconfig/templates/sshd_config.erb). The class sshdconfig declares the define once and passes the $ipaddress fact, so sshd listens only on the address of the host the catalog is applied to. Finally, notify => Service[sshd] restarts the daemon whenever the file's content changes.
Two caveats before rolling this out. Because the file path and the service name are fixed inside the define, it can be declared only once per node; a second declaration produces a duplicate resource error. And because the restart is automatic, a template that renders an address sshd cannot bind (for example when the $ipaddress fact picks an interface you did not expect) leaves sshd stopped and you locked out of the host, so try it first on a machine you can reach on a console. sshd -t -f <file> checks a configuration file without starting the daemon, and newer Puppet releases can run such a check through the file type's validate_cmd attribute before the live file is replaced.
The template in this case contains:
Port 22
Protocol 2
ListenAddress <%= listenaddress %>
SyslogFacility AUTHPRIV
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding yes
Banner /etc/motd
Note that line 3 contains <%= listenaddress %>, which is replaced at catalog compile time with the $listenaddress argument passed to the sshd_config define; the template is evaluated on the master, so only the rendered file reaches the agent.
Having tested this to confirm it works, here is a more dramatic test that destroys the target file and then lets Puppet recreate it. The "cannot checksum" warning is expected for a file that does not yet exist; the notice lines that follow show the md5 of the content written, and afterwards the file is back with the same size and mode:
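The template() lookup and the rendering step described above, as an added example in Ruby (not code from the original page or from Puppet itself): a small resolver that walks the modulepath the way a reference such as "sshdconfig/sshd_config.erb" is looked up, and an ERB render of the page's template with the define's listenaddress parameter. The modulepath string is the one printed at the top of the page; the template text is embedded as a constructed copy so the script runs offline, and the exists: hook is this example's own so the lookup can be exercised without the module directory being on disk.

```ruby
require 'erb'
require 'ipaddr'

# Added example, not from the page or from Puppet: shows how a reference like
# "sshdconfig/sshd_config.erb" maps onto the modulepath and how the define's
# parameter ends up in the rendered file.

# Modulepath as printed by `puppet --configprint modulepath` on this page.
MODULEPATH = "/etc/puppet/modules:/usr/share/puppet/modules"

# Turn "<module>/<file>" into "<dir>/<module>/templates/<file>", trying each
# modulepath entry in order and returning the first that exists (nil if none).
# The naming convention is Puppet's; the `exists` hook is this example's own so
# the lookup can be tested without the module tree on disk.
def resolve_template(ref, modulepath = MODULEPATH, exists: ->(p) { File.file?(p) })
  mod, file = ref.split("/", 2)
  if file.nil? || file.empty?
    raise ArgumentError, "template reference must be <module>/<file>: #{ref.inspect}"
  end
  # A reference is data, not a path: refuse anything that could leave the module tree.
  if ref.start_with?("/") || ref.split("/").include?("..")
    raise ArgumentError, "unsafe template reference: #{ref.inspect}"
  end
  modulepath.split(":").each do |dir|
    candidate = File.join(dir, mod, "templates", file)
    return candidate if exists.call(candidate)
  end
  nil
end

# Constructed copy of the page's sshd_config.erb, embedded so this runs offline.
SSHD_TEMPLATE = <<~ERB
  Port 22
  Protocol 2
  ListenAddress <%= listenaddress %>
  SyslogFacility AUTHPRIV
  PermitRootLogin no
  PasswordAuthentication no
  ChallengeResponseAuthentication no
  GSSAPIAuthentication yes
  GSSAPICleanupCredentials yes
  UsePAM yes
  X11Forwarding yes
  Banner /etc/motd
ERB

# Render the template as the define does, with one variable: listenaddress.
# It is a local here, so the bare <%= listenaddress %> from the page resolves
# through `binding` (Puppet 3 and later templates would write @listenaddress).
def render_sshd_config(listenaddress)
  # Refuse an address sshd cannot bind: with notify => Service[sshd] a bad
  # ListenAddress means a failed restart and a host you can no longer reach.
  IPAddr.new(listenaddress)
  ERB.new(SSHD_TEMPLATE).result(binding)
end

if $PROGRAM_NAME == __FILE__
  puts resolve_template("sshdconfig/sshd_config.erb").inspect
  puts render_sshd_config("192.168.154.235")
end
```

Where this example returns nil for a template that is in no modulepath entry, Puppet itself aborts catalog compilation with an error; the address check in render_sshd_config is the kind of guard you would otherwise get only by running sshd -t against the rendered file.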
[root@puppetslave ~]# ls -l /etc/ssh/sshd_config
-r--r--r-- 1 root root 337 Jan 19 12:31 /etc/ssh/sshd_config
[root@puppetslave ~]# rm /etc/ssh/sshd_config
[root@puppetslave ~]# ls -l /etc/ssh/sshd_config
ls: /etc/ssh/sshd_config: No such file or directory
[root@puppetslave ~]# puppetd -t
info: Retrieving plugins
info: Caching catalog at /var/lib/puppet/localconfig.yaml
notice: Starting catalog run
warning: //Node[default]/linux-default/sshdconfig/Sshd_config[puppet]/File[/etc/ssh/sshd_config]/checksum: File /etc/ssh/sshd_config does not exist -- cannot checksum
notice: //Node[default]/linux-default/sshdconfig/Sshd_config[puppet]/File[/etc/ssh/sshd_config]/checksum: defined 'checksum' as '{md5}0a653ccfa58715c4da554b7effad3e03'
notice: //Node[default]/linux-default/sshdconfig/Sshd_config[puppet]/File[/etc/ssh/sshd_config]/content: created file with contents {md5}0a653ccfa58715c4da554b7effad3e03
notice: //Node[default]/linux-default/sshdconfig/Sshd_config[puppet]/File[/etc/ssh/sshd_config]/owner: defined 'owner' as 'root'
notice: //Node[default]/linux-default/sshdconfig/Sshd_config[puppet]/File[/etc/ssh/sshd_config]/group: defined 'group' as 'root'
notice: //Node[default]/linux-default/sshdconfig/Sshd_config[puppet]/File[/etc/ssh/sshd_config]/mode: defined 'mode' as '444'
notice: Finished catalog run in 0.15 seconds
[root@puppetslave ~]# ls -l /etc/ssh/sshd_config
-r--r--r-- 1 root root 337 Jan 19 12:43 /etc/ssh/sshd_config
[root@puppetslave ~]# cat /etc/ssh/sshd_config
Port 22
Protocol 2
ListenAddress 192.168.154.235
SyslogFacility AUTHPRIV
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding yes
Banner /etc/motd
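To check a deployed sshd_config the way the test above does by eye, here is an added Ruby example (not from the original page) that parses the file and reports which of the template's hardening settings are missing or overridden. Both sample files are constructed for the example: one mirrors what the agent wrote above, the other is a typical stock configuration with a Match block, which the parser keeps separate because settings inside it are conditional rather than global.

```ruby
require 'ipaddr'

# Added example, not from the page: audit a deployed sshd_config for the
# settings the module's template is meant to enforce.

# Parse sshd_config text into [global_settings, match_settings].
# Keywords are case-insensitive and "Key value" or "Key=value" are both legal.
# sshd honours the FIRST occurrence of a keyword, and everything after a Match
# line applies only to the matched connections, so it is kept apart.
def parse_sshd_config(text)
  global, matched = {}, []
  in_match = false
  text.each_line do |raw|
    line = raw.sub(/#.*/, "").strip
    next if line.empty?
    key, value = line.split(/\s*=\s*|\s+/, 2)
    key = key.downcase
    if key == "match"
      in_match = true
      next
    end
    if in_match
      matched << [key, value]
    else
      global[key] ||= value
    end
  end
  [global, matched]
end

# Settings the page's template pins; sshd's own defaults differ for some.
REQUIRED = {
  "protocol"                        => "2",
  "permitrootlogin"                 => "no",
  "passwordauthentication"          => "no",
  "challengeresponseauthentication" => "no",
}.freeze

# Return the list of findings; an empty list means the file matches the policy.
def audit_sshd_config(text)
  global, matched = parse_sshd_config(text)
  findings = []
  REQUIRED.each do |key, want|
    got = global[key]
    next if got == want
    shown = got.nil? ? "unset (sshd default applies)" : got.inspect
    findings << "#{key} is #{shown}, want #{want.inspect}"
  end
  # A Match block can silently re-enable what the global section turned off.
  matched.each do |key, value|
    if REQUIRED.key?(key) && value != REQUIRED[key]
      findings << "Match block overrides #{key} to #{value.inspect}"
    end
  end
  # The module binds sshd to one address; make sure it is one sshd can bind.
  la = global["listenaddress"]
  if la.nil?
    findings << "listenaddress unset: sshd listens on every local address"
  else
    # Accept "[v6]:port" and "v4:port" forms as well as a bare address.
    addr = la[/\A\[(.*)\]/, 1] || la.sub(/\A(\d+(?:\.\d+){3}):\d+\z/, '\1')
    begin
      IPAddr.new(addr)
    rescue ArgumentError
      findings << "listenaddress #{la.inspect} is not an IP address; sshd would fail to start"
    end
  end
  findings
end

# Constructed sample: the file the agent run on this page wrote.
DEPLOYED = <<~CONF
  Port 22
  Protocol 2
  ListenAddress 192.168.154.235
  SyslogFacility AUTHPRIV
  PermitRootLogin no
  PasswordAuthentication no
  ChallengeResponseAuthentication no
  GSSAPIAuthentication yes
  GSSAPICleanupCredentials yes
  UsePAM yes
  X11Forwarding yes
  Banner /etc/motd
CONF

# Constructed sample: a stock configuration before the module has run.
WEAK = <<~CONF
  #Port 22
  Protocol 2,1
  PermitRootLogin yes
  #PasswordAuthentication yes
  ChallengeResponseAuthentication no
  Match User backup
      PasswordAuthentication yes
CONF

if $PROGRAM_NAME == __FILE__
  { "deployed" => DEPLOYED, "weak" => WEAK }.each do |name, text|
    findings = audit_sshd_config(text)
    puts "#{name}: #{findings.empty? ? 'OK' : findings.join('; ')}"
  end
end
```

Run it against /etc/ssh/sshd_config on the agent after the catalog run (audit_sshd_config(File.read("/etc/ssh/sshd_config"))) and you get a machine-checkable version of the cat above; it is a policy check only, so sshd -t remains the authoritative syntax test.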
In this example the site.pp (located in /etc/puppet/manifests/) contained:
import "classes/*"
node default
{
case $operatingsystem
{
RedHat: { include linux-default }
default: { include shared-default }
}
}
and /etc/puppet/manifests/classes/linux.classes contained:
import "sshdconfig"
class linux-default
{
include sshdconfig
}