Using Puppet + Augeas to turn off usb ports


Augeas and Puppet can team up to modify the modprobe config files

My blog posts always seem to start with a question asked on stackexchange or ask.puppetlabs.com. This is no exception.

Danilo asked whether Puppet is able to block access to USB ports on Linux machines. I decided to flex the Augeas muscle.


tl;dr: Here is a working solution:

class blockusb {
  # Append usb-storage to the blacklist in /etc/modprobe.d/blacklist.conf,
  # but only when no blacklist node with that value exists yet, so the
  # resource is idempotent.
  augeas { 'block usb-storage':
    context => "/files/etc/modprobe.d/blacklist.conf/",
    changes => ["set blacklist[last()+1] usb-storage"],
    onlyif  => "match blacklist[.='usb-storage'] size == 0",
  }
}
include blockusb


The match functionality in Augeas is very non-intuitive. Instinct would suggest that the following condition should work:

onlyif => "match blacklist not_include 'usb-storage'",

However, as pointed out by Dominic on the user list, match returns a list of paths, not the values of those paths. While you *can* see the values of the paths when using augtool from the command line, those values are not included in Augeas's API call.

augtool> match /files/etc/modprobe.d/blacklist.conf/blacklist
/files/etc/modprobe.d/blacklist.conf/blacklist[1] = evbug
/files/etc/modprobe.d/blacklist.conf/blacklist[2] = usbmouse
/files/etc/modprobe.d/blacklist.conf/blacklist[3] = usbkbd
....
/files/etc/modprobe.d/blacklist.conf/blacklist[16] = amd76x_edac
/files/etc/modprobe.d/blacklist.conf/blacklist[17] = usb-storage


By matching only the blacklist nodes whose value is usb-storage and then checking the size of the returned path list, we get a boolean. The result is that Puppet will only modify the blacklist.conf file once.
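To make the "match returns paths, not values" point concrete, here is an added Python sketch (not from the original post, and not using the real Augeas bindings) that models blacklist.conf as numbered blacklist[n] nodes, exposes a match() that returns paths with an optional value predicate like blacklist[.='usb-storage'], and applies the same "size == 0" rule so that a second run changes nothing. The sample file contents are constructed for the example.

```python
import re

# Constructed sample of /etc/modprobe.d/blacklist.conf (not a real file).
SAMPLE_BLACKLIST = """# input and debugging modules we never want loaded
blacklist evbug
blacklist usbmouse
blacklist usbkbd
"""

# One "blacklist <module>" directive per line; comments and blanks are ignored.
BLACKLIST_LINE = re.compile(r"^\s*blacklist\s+(\S+)\s*$")


def blacklist_nodes(text):
    """Return (path, value) pairs numbered the way Augeas does: blacklist[1], ..."""
    values = [m.group(1) for m in map(BLACKLIST_LINE.match, text.splitlines()) if m]
    return [(f"blacklist[{i}]", v) for i, v in enumerate(values, start=1)]


def match(text, value=None):
    """Mimic Augeas 'match': return paths only.

    With value=None this is 'match blacklist' (every path, no values);
    with a value it is the predicate form blacklist[.='<value>'].
    """
    return [path for path, v in blacklist_nodes(text) if value is None or v == value]


def is_blacklisted(text, module):
    """The boolean the onlyif expresses: match(...) size != 0."""
    return len(match(text, module)) > 0


def ensure_blacklisted(text, module):
    """Append 'blacklist <module>' only when match(...) size == 0.

    Returns (new_text, changed). Calling it twice yields changed=False the
    second time, which is the idempotency the Puppet resource relies on.
    """
    if is_blacklisted(text, module):
        return text, False
    if text and not text.endswith("\n"):
        text += "\n"
    return text + f"blacklist {module}\n", True
```

Running is_blacklisted() over the real file is also a cheap compliance check for hosts that are supposed to have usb-storage blocked.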


Setting up puppet board with Apache

PuppetDB appears to be the way of the future. By leveraging PuppetDB, some enterprising individuals have written a web interface that knocks the socks off the regular Puppet dashboard. It is called puppetboard.

Clean and elegant – puppetboard

View of a node

Puppetboard with Apache

Normally puppetboard requires Passenger. Here is how to configure puppetboard to work with Apache instead.

You can install puppetboard on CentOS with Apache using the mod_wsgi module.

Clone and install puppetboard:

git clone https://github.com/nedap/puppetboard.git /var/www/puppetboard
sudo yum install python-pip

Install mod_wsgi:

sudo yum install mod_wsgi.x86_64

(You can see what the package installed with the following.)

rpm --query --list mod_wsgi.x86_64

Verify that /etc/httpd/conf.d/wsgi.conf exists and has the following content:

LoadModule wsgi_module modules/mod_wsgi.so

Add a vhost to /etc/httpd/conf/httpd.conf:

$ sudo vim /etc/httpd/conf/httpd.conf

<VirtualHost *>
  ServerName foo.bar
  WSGIDaemonProcess puppetboard user=apache group=apache threads=5
  WSGIScriptAlias / /var/www/puppetboard/wsgi.py
  <Directory /var/www/puppetboard>
    WSGIProcessGroup puppetboard
    WSGIApplicationGroup %{GLOBAL}
    # "Allow from all" publishes every node's facts and reports from PuppetDB
    # to anyone who can reach this vhost; restrict the source addresses or
    # put authentication in front of it before exposing it beyond a lab.
    Order deny,allow
    Allow from all
  </Directory>
</VirtualHost>

Restart Apache:

sudo apachectl -k stop
sudo /etc/init.d/httpd start

If you are running CentOS/RHEL and get the following error, it is because the WSGI socket prefix path is incorrect:

[Fri Jan 03 16:53:13 2014] [error] [client 10.1.5.231] (13)Permission denied: mod_wsgi (pid=2029): Unable to connect to WSGI daemon process 'puppetboard' on '/etc/httpd/logs/wsgi.2024.0.1.sock' after multiple attempts.

Solution

Add this to /etc/httpd/conf/httpd.conf *before* the vhost:

WSGISocketPrefix ../../var/run/wsgi

Restart Apache and puppetboard should be up and running.

Additional Resources

https://uwsgi.readthedocs.org/en/latest/Configuration.html
https://groups.google.com/forum/#!topic/modwsgi/UmNPV-2nQMM
https://www.digitalocean.com/community/articles/how-to-set-up-apache-virtual-hosts-on-centos-6
https://code.google.com/p/modwsgi/wiki/ConfigurationIssues
https://code.google.com/p/modwsgi/issues/detail?id=291