• CSI Documentation
• Working with CSI
  • Support Practices
  • Supported Operating Systems
• Linux Build Services
  • Overview of Linux Environment
  • Getting Started
    • Prerequisites
    • Firewall Setup
    • Get a Foreman Org
    • Setup Wolftech OU (optional)
    • Configure Org Defaults
    • Add Users to Your Org
  • Building Hosts
    • Overview
    • Hardware
    • New host creation
    • Network Interfaces
    • Node Classification
    • Other goodies
  • Using Puppet
    • Overview
    • Environments
    • Branches and Updates
    • Workstation Setup
    • Encrypted Hiera
    • Puppet Module References
• Software Repositories
  • Overview
  • Public Mirrors
  • Private Mirrors
  • Hosted Mirror Services
  • Red Hat Install Media
• Satellite deployment
  • Overview
  • Satellite Hosts
  • Registration Guide
  • Satellite Interface
  • Troubleshooting RHEL 6
  • Troubleshooting RHEL 7
• NTP time
  • Overview
• SFTP/SCP
  • SFTP/SCP Service
  • SFTP/SCP On Call Support
• Monitoring
  • Overview (SysNews/Nagios/Pager)
  • Problems (SysNews/Nagios)
  • Zabbix Information (Zabbix/OnCall/Iris)
  • Zabbix Monitoring FAQ (Zabbix/OnCall/Iris)
• AFS/Auristor Filestore
  • Overview
• MySQL / MariaDB
  • Overview
• Proxy
  • Overview
  • Datacenter proxies
  • PCI-DSS proxies
  • Proxy service calls
• Load Balancing
  • Overview
• ERP
  • Overview
  • IPA Auth
  • MTA Mail Relays
  • Secure File Transfer
  • End-of-Support Systems
• PCI
  • Overview
  • Web Proxy
  • PCI Linux Builds
    • Migration from PE
    • Move a host from PE
    • New PCI hosts
    • Puppet Module for PCI
• CSI Internal docs
  • Operational docs
  • Updating Documentation
  • Auditing
  • Tag summaries for CSI docs
  • Pager Admin Commands
  • Nagios Config for Windows
  • SSL Certificate Management
  • Build Environment
    • CSI - Make an org
    • CSI - Make a dev environment
    • Foreman templates
    • Code Flow
    • LDAP recipes for AD
  • Firewall Information
    • Avamar
    • Satellite
    • Foreman + Puppet
  • On-Call Playbook
    • General OS checks
    • role::oit_linux::foreman
    • role::oit_linux::puppet_ca
    • role::oit_linux::puppet_master
    • role::oit_linux::tftpserver
    • Sysnews monitoring servers
    • Legacy Proxy Servers
    • PCI timeserver
    • Satellite servers

Differences

“Mostly in one” architecture

The new pcibuild.oit.ncsu.edu host includes Foreman (GUI and ENC), Puppet, and the TFTP smart proxy needed to manage PXE boots. The Puppet Certificate Authority will remain on pci100pem.unity.ncsu.edu so that existing clients will not need to re-register. When we decommission the Puppet Enterprise software, we will transfer the private key for pci100pem.unity.ncsu.edu to an open source Puppet CA. Only RENV auth will be implemented You can currently authenticate to the console with almost all of the environments available on campus. This was fine when bld100frm was our only foreman server and we were testing many scenarios, but the new system is meant exclusively for PCI.

The line between PCI and ERP systems is currently a little fuzzy, as the security requirements are similar and currently the same build system is used for both environments. Since the build system is in place, staff involved with ERP systems have functioning RENV accounts. No shell access to Server OS On bld100frm, it is necessary to have shell access in order to manage the PCI puppet environment. The requirements fall into two general areas.

Some staff use the servers’ shell to promote new code from github onto the puppet server (the puppet code deploy production command). In the version of Puppet Enterprise that we originally installed, this was the best way to perform this function. In later upgrades, puppet created a “code manager” subsystem that allows these deploy commands to be run from a suitably secured workstation (https://github.ncsu.edu/pcipuppet/pcipem_control/wiki/Installing-Code-Manager-and-puppet-code) With code manager, shell access to the PEM is no longer required.

The second need for shell access was to revoke a host’s certificate in order to re-install that host (the puppet cert clean $fqdn command). Re-installing a host is a normal part of the life-cycle of a machine, and this needs to be administered by every group with hosts in the system.

Puppet enterprise has no published method to do this other than with shell access,/ R10K webhooks replace puppet code deploy In place of manually using puppet code deploy, the new system uses a “webhook” such that when changes are made to github, it informs the Puppet ecosystem which can then automatically incorporate the changes. Easier, more secure, and just as auditable, as github logs who pushed exactly what changes.

Certificates

While we are running both PE and the new pcibuild.oit environments, Certificate Requests will still need to be hand signed using the PE GUI on https://pci100pem.unity.ncsu.edu

When we decommission PE, the CA will mobe to pcibuild.oit and certificates

Organization model for RBAC

Our Role Based Access Control (RBAC) is currently based on creating big whole organization host groups, and using human discretion to ensure that hosts are properly classified and managed.

By switching to Organizations to manage access control and permissions, we immediately gain some ease of use and security benefits. In a nutshell, all objects, including hosts, are more or less invisible to those outside of the organization with which they are associated.

Technical details are in their own document “Managing by Organizations Model”