Showing posts with label puppet. Show all posts

Saturday, December 01, 2012

New CloudStack VMs: security and password management

I happen to work with cloud infrastructure and usually create lots of virtual machines to test and develop new puppet modules.

Since the goal is to finalize cloud templates and the correct installation of the modules, these VMs often stay up for a few days to allow refining and so on.

I start from a very basic template, and all is installed by puppet; security has to be managed by the cloud, and these machines are destined to stay in the internal private network, exposing just the services they offer (whether they are a Moodle machine, a JBoss server or whatever).

So no particular attention has been paid to securing the host, but to be able to work with ease I just opened port 22 of the SSH server to connect and work on the configurations.

Unfortunately the password was a simple one, and since the work sometimes takes more than a couple of days, some machines were compromised: a brute force attack on the SSH server.

The lesson is to use a good password: since using a different password for each VM in the cloud could be hard to remember (especially if you want to use non-simple ones), I decided to use a nice feature of KeePass, the ability to execute PuTTY as a URL action; this way I don't have to bother remembering or typing complex passwords anymore.

Here is the code to insert in KeePass:

cmd://PuTTY.exe -ssh {USERNAME}@{URL:HOST} {URL:PORT} -pw {PASSWORD}

cmd://WinSCP.exe scp://{USERNAME}:{PASSWORD}@{URL:RMVSCM}

The first is for opening an "ssh" URL, the second creates an "scp" URL ({URL:RMVSCM} is the entry's URL without its scheme, so the scp:// prefix is not repeated in the command line). Mind that there is already an "ssh" URL scheme, but if you have SSH on another port you have to use the command above to manage to connect. This command works with the latest KeePass 2.x version.

To add it go to Tools -> Options... and press "URL Scheme Overrides".

[Screenshot: KeePass options dialog]

Create a new scheme by pressing "Add...".

[Screenshot: URL Override dialog]

Add "ssh" as the scheme and the command above as the URL Override.

This way you can start PuTTY from KeePass using secure, complex passwords with ease.

To solve the problem of insecure new machines I also added the installation of fail2ban to the puppet node description: no more brute force attacks allowed.
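As an added example (this is not the post's own node description), here is what such a fail2ban addition can look like in Puppet 3 syntax: the package, a jail.local with the SSH jail enabled and the thresholds exposed as class parameters, and the service kept running. The class name is invented; it assumes a Debian/Ubuntu node (package and service both called fail2ban, SSH failures logged to /var/log/auth.log) and a fail2ban release whose SSH jail is named sshd.

```puppet
# Added example, not the post's own puppet code.
# Assumes Debian/Ubuntu (package and service both named 'fail2ban',
# SSH auth log in /var/log/auth.log) and a fail2ban release whose
# SSH jail is called [sshd].
class fail2ban_ssh (
  $maxretry = 5,     # failed logins before a ban
  $findtime = 600,   # window (seconds) in which those failures must occur
  $bantime  = 3600,  # ban length (seconds)
) {
  package { 'fail2ban':
    ensure => installed,
  }

  # jail.local overrides jail.conf and is not touched by package upgrades.
  file { '/etc/fail2ban/jail.local':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "[sshd]
enabled  = true
port     = ssh
logpath  = /var/log/auth.log
maxretry = ${maxretry}
findtime = ${findtime}
bantime  = ${bantime}
",
    require => Package['fail2ban'],
    notify  => Service['fail2ban'],
  }

  service { 'fail2ban':
    ensure => running,
    enable => true,
  }
}

# In the node description of the test VM (hostname invented), next to
# whatever else the template installs:
node 'testvm.example.internal' {
  class { 'fail2ban_ssh':
    maxretry => 3,
  }
}
```

After the agent run, `fail2ban-client status sshd` on the VM shows the jail is active and how many addresses are currently banned, which is the quickest check that the node description actually took effect.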

I will work on automatically changing the root password and creating a CSV file to send to the administrator, to add the info to the central KeePass DB.

Sunday, September 09, 2012

Puppet and modules

I've been working with puppet, and the good impression of the product is balanced by the few really good modules around.
There are lots of modules, some are good, but most are built to satisfy the specific needs of the author and not the generic management of the software; also there is little integration or common approach: one uses wget, another curl, one manages different ps, one requires a dependency on a module from the same author and not on more official ones (understandable, but it can be problematic when the dependency is on things like Apache or Java).
Obviously this is the normal characteristic of OSS projects, but I think this calls for more control from the project's developers.
The project is a good one and with version 3 has lots of good features: we need a bunch of basic modules designed with the state of the art, so that there can be a common solution on which people can develop new, more complex or dedicated modules.
This could help the growth of the contributing community.

Thursday, September 06, 2012

Puppet and exported resources

I've recently started using puppet for the European project Open-DAI I'm working on, and I can say that after a steep learning period the tool is really nice.

I especially like the exported resources, which allow "piloting" the creation of resources on a remote node from a first node.

The use case is installing stuff like a DB on a remote DB host for the application we are installing.
My example case is Zabbix.
I want to install Zabbix in a distributed configuration, using an existing MySQL server I have on the cloud and placing the application on a new cloud host.

Usually all the examples and modules I find around imply having all the stuff on the same host.

The idea is to declare on the application node the fact that you need a DB, and to transform this declaration into a command execution on the DB host to provision the required DB.

I'm using puppet 3.0.rc4 and opted to use puppet-mysql from puppetlabs (I must say there is a bit of a jungle of puppet modules around, and I prefer to stick to, and possibly contribute to, the puppetlabs collection).

The solution I found is to use exported resources on the application node and collect them on the DB node, in this way:

On the zabbix host:

  ...
  @@mysql::db { 'zabbix1':
    user     => 'zabbix1',
    password => 'mypass',
    host     => $::fqdn,
    grant    => ['all'],
    tag      => 'new_db_nodeDBname',
  }
  ...

On the MySQL node:

  ...
  class { 'mysql::server':
    config_hash => { root_password => 'changeme', },
  }
  Mysql::Db <<| tag == 'new_db_nodeDBname' |>>
  ...

Now I'll have to solve the orchestration and piloting of the whole process: after the DB is created I'll have to issue an SQL creation, and to do so I'll need to be sure the DB is installed, so this will require:
- forcing a puppet agent execution on the MySQL node (possibly using mcollective);
- a second run of the puppet agent on the zabbix node to check the availability of the DB and proceed with the installation.
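As an added example (not the post's own manifests), here is one way to write the zabbix-node side so that the second agent run does what the steps above describe: the exported DB declaration from the post, plus an exec that loads the schema only once the database answers with the exported credentials and only if the schema is not already there. The first step, forcing the MySQL node's agent run, stays outside the manifest. The node name, the option-file path and the schema path are assumptions, and the mysql client binary must be present on the zabbix node.

```puppet
# Added example, not the post's own manifest. Assumes Puppet 3 syntax, the
# puppetlabs mysql module, the mysql client on the zabbix node, and the
# hostnames/paths below (all invented for the example).
node 'zabbix.example.internal' {
  $db_name = 'zabbix1'
  $db_user = 'zabbix1'
  $db_pass = 'mypass'
  $db_host = 'mysql.example.internal'                      # node that collects the export
  $schema  = '/usr/share/zabbix-server-mysql/schema.sql'   # hypothetical path
  $cnf     = '/root/.zabbix-db.cnf'

  # Run 1: export the DB request; the MySQL node collects it with
  #   Mysql::Db <<| tag == 'new_db_nodeDBname' |>>
  @@mysql::db { $db_name:
    user     => $db_user,
    password => $db_pass,
    host     => $::fqdn,
    grant    => ['all'],
    tag      => 'new_db_nodeDBname',
  }

  # Keep the password out of the process list and the puppet logs:
  # the mysql client reads it from a root-only option file.
  file { $cnf:
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => "[client]\nhost=${db_host}\nuser=${db_user}\npassword=${db_pass}\n",
  }

  # Run 2 (after the MySQL node has applied the collected resource):
  #  - onlyif: the DB must be reachable with the exported credentials;
  #    if not, the exec is skipped and simply retried on the next run.
  #  - unless: load the schema once; 'users' is a table the Zabbix schema creates.
  exec { 'zabbix-schema-import':
    command  => "mysql --defaults-extra-file=${cnf} ${db_name} < ${schema}",
    provider => shell,
    path     => ['/usr/bin', '/bin'],
    onlyif   => "mysql --defaults-extra-file=${cnf} -e 'SELECT 1' ${db_name}",
    unless   => "mysql --defaults-extra-file=${cnf} -N -e 'SHOW TABLES LIKE \"users\"' ${db_name} | grep -q users",
    require  => File[$cnf],
  }
}
```

Because the exec is guarded rather than ordered, the zabbix node needs no knowledge of when the MySQL node ran: until the collected mysql::db exists the onlyif check fails and the import is skipped, and once the schema is in place the unless check keeps it from being reapplied.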

In any case a nice start.