Comments (11)

arusso commented on July 20, 2024

Can you give me a bit more of an example of what you are trying to do? I'm not quite sure what it means to have a tunnel that 'spans two different nodes'.

from puppet-stunnel.

ross-williams commented on July 20, 2024

Aaron,

Thanks for fixing the CentOS problem and replying so quickly!

On 18 Mar 2014, at 2:45 AM, Aaron Russo wrote:

Can you give me a bit more of an example of what you are trying to do? I'm not quite sure what it means to have a tunnel that 'spans two different nodes'.

I mean that there are two different computers (nodes) involved and the
goal is to create a secure connection between them through the open internet.

As it happens, I'm trying to do exactly as described in the following web page:

https://help.knthost.com/mysql-help/using-stunnel-secure-mysql-database

However, I'm really confused by your module because there seems to be
no way to specify whether an installation is a client or a server, and this
asymmetry seems critical to the two ends connecting together and working
properly. Other stunnel Puppet modules allow this to be specified. However,
one of them seems too minimal and the Puppet Labs module gives me this error

Error: Execution of '/usr/bin/yum -d 0 -e 0 -y install stunnel4' returned 1: Error: Nothing to do

which I can't overcome, even if I uninstall stunnel4. So I tried your module
and it installed fine (except for the CentOS problem).

Right now, in using your module, I have two ends that install perfectly,
have init.d scripts that work, have stunnel processes appearing in the
process list on both nodes, but the tunnel doesn't work.

I've been using Puppet for about two months and have written about
1000 lines of Puppet code to configure four servers, but I haven't yet
learned how to write my own modules in Ruby. I had a quick look at your
module code to see if I could find some kind of client/server concept somewhere,
but I couldn't see anything.

My next step is to look at the stunnel config files that your module has
generated on each end and see if they have the right client = no/yes
settings, and, if they don't, wave a dead chicken over your module
until it spits out the right settings. :-)

Ross


ross-williams commented on July 20, 2024

Update:

I located the stunnel configuration files on my two nodes and found that the database node had:

# This file managed by Puppet

cert = /etc/ssl/certs/mysql_stunnel.pem

setuid = root
setgid = root
pid = /var/run/stunnel-mysql_stunnel.pid

debug = 0

output = /var/log/stunnel/mysql_stunnel.log

timeoutidle = 60
options = NO_SSLv2

[mysql_stunnel]
accept=3307
connect=localhost:3306

and the webserver node had:

# This file managed by Puppet

cert = /etc/ssl/certs/mysql_stunnel.pem

setuid = root
setgid = root
pid = /var/run/stunnel-mysql_stunnel.pid

debug = 0

output = /var/log/stunnel/mysql_stunnel.log

timeoutidle = 60
options = NO_SSLv2

[mysql_stunnel]
accept=localhost:3306
connect=db.swarmcritic.com:3307

I found a web page that told me that stunnel defaults to server mode so
I decided to see if I could get your module to include a line saying

client = yes

I tried this:

stunnel::tun { 'mysql_stunnel':
  accept  => '3306',                    # The local stunnel client will listen to port 3306 on the local machine.
  connect => 'db.swarmcritic.com:3307', # The local stunnel client will connect to port 3307 on the database server.
  options => 'NO_SSLv2',
  cert    => '/etc/ssl/certs/mysql_stunnel.pem',
  client  => 'yes',
}

but it said that 'client' is not a valid parameter.

So I'm now going to go and see if your module has any 'general configuration' parameters and
then if I can't find them desperately hack the stunnel config files directly to try and get stunnel
at least to work.

Ross


ross-williams commented on July 20, 2024

Update:

I hacked the stunnel config files directly and got the tunnel working!
I had to add

client=yes

at the client end, and remove 'localhost' from the connect setting at the server end.

I am sure that I got it working because when I stopped stunnel,
the web page stopped loading.

My working client and server configuration appear below.

My question to you is:

How can I get arusso-stunnel to generate these config files?

This question can actually be reformulated simply as:

How can I get arusso-stunnel to insert 'client=yes' into the config file?

If you can't answer that question without modifying your module, then it
seems to me that your module can't actually be used in a two-node tunnel!

Meanwhile, as a get-it-done fix, I'm going to use Augeas to hack the line in
after your module has done its work.

Thanks for listening!

Ross

www1.swarmcritic.com
# This file managed by Puppet
cert = /etc/ssl/certs/mysql_stunnel.pem

setuid = root
setgid = root
pid = /var/run/stunnel-mysql_stunnel.pid

debug = 0

output = /var/log/stunnel/mysql_stunnel.log

timeoutidle = 60 
options = NO_SSLv2
client = yes

[mysql_stunnel]
  accept=3306
  connect=db.swarmcritic.com:3307

db.swarmcritic.com
# This file managed by Puppet
cert = /etc/ssl/certs/mysql_stunnel.pem

setuid = root
setgid = root
pid = /var/run/stunnel-mysql_stunnel.pid

debug = 0

output = /var/log/stunnel/mysql_stunnel.log

timeoutidle = 60 
options = NO_SSLv2

[mysql_stunnel]
  accept=3307
  connect=3306


ross-williams commented on July 20, 2024

Aaron,

I managed to configure Puppet to get it all working, but it's an appalling hack.

I include the client and server Puppet code below.

It would all be much simpler if arusso-stunnel accepted a parameter to
specify whether stunnel is a client or a server.

It would be good if 'require' were allowed too (is that easy for you to do?)

Does your stunnel package ensure that stunnel is actually running, or
does it just install the software?

Thanks,

Ross


#-------------------------------------------------------------------------------
# stunnel Client
# --------------
# SwarmCritic clients on other servers need to access the database securely.
# This was previously performed using SSH tunnels, but experience showed
# that they were unreliable (the ssh processes tended to disappear), so I
# switched to stunnel which is designed to be a more permanent service.
# Unlike ssh which relies on a standard pre-installed ssh server, stunnel
# does not come as standard on CentOS and must be installed on both the
# client and the server using the same SSL certificate.
#
# See https://forge.puppetlabs.com/arusso/stunnel
# See https://github.com/puppetlabs/puppetlabs-stunnel/blob/master/tests/site.pp

include stunnel
include augeas

file { '/etc/ssl/certs/mysql_stunnel.pem':
  ensure => "file",
  owner  => "root",
  group  => "root",
  mode   => $mode_rwx______,
  source => 'puppet:///modules/swarmcritic_website/mysql_stunnel.pem',
}
->
stunnel::tun { 'mysql_stunnel':
  accept  => '3306',                    # The local stunnel client will listen to port 3306 on the local machine.
  connect => 'db.swarmcritic.com:3307', # The local stunnel client will connect to port 3307 on the database server.
  options => 'NO_SSLv2',
  cert    => '/etc/ssl/certs/mysql_stunnel.pem',
  # PUPPET ERROR # client  => 'yes',
  # PUPPET ERROR # require => File['/etc/ssl/certs/mysql_stunnel.pem'],
}
->
# We have to pull the following hack because there doesn't seem to be any
# way to get the arusso-stunnel Puppet module to set 'client = yes' in the config file.
# See https://forge.puppetlabs.com/camptocamp/augeas
#
# FAIL # I can't get augeas to work. It doesn't generate any kind of error.
# FAIL # It just doesn't do anything.
# FAIL # augeas { 'make_stunnel_a_client':
# FAIL #   context => '/etc/stunnel/conf.d/mysql_stunnel.conf',
# FAIL #   changes => ['set client yes'],
# FAIL # }
# FAIL # I tried putting in an Exec using sed to hack the file, but sed
# FAIL # required a temporary file and it all got so complicated (200+ char command line) that
# FAIL # I decided to try other methods.
# FAIL # I tried simply overwriting the file, but I collided with the stunnel module!!!!!!
# FAIL # file { '/etc/stunnel/conf.d/mysql_stunnel.conf':
# FAIL #   ensure => "file",
# FAIL #   owner  => "root",
# FAIL #   group  => "root",
# FAIL #   mode   => $mode_rwx______,
# FAIL #   source => 'puppet:///modules/swarmcritic_website/mysql_stunnel.conf',
# FAIL # }
#
# Now resorting to utter sneakery. Here I go!
#
# Create a temporary file containing the contents of the config file from the Puppet directory.
# HACKATTACK: This is not idempotent.
file { '/etc/stunnel/conf.d/mysql_stunnel.conf.tmp':
  ensure => "file",
  owner  => "root",
  group  => "root",
  mode   => $mode_rwx______,
  source => 'puppet:///modules/swarmcritic_website/mysql_stunnel.conf',
}
->
# Now move the temp file right onto the config file! Ha ha!
# HACKATTACK: This is not idempotent.
exec { 'overwrite_stunnel_config_file_with_patched_file':
  command => '/bin/mv -f /etc/stunnel/conf.d/mysql_stunnel.conf.tmp /etc/stunnel/conf.d/mysql_stunnel.conf',
  user    => 'root',
  group   => 'root',
}
->
# We have to manually reboot the tunnel processes because the stunnel package
# might have started stunnel before the config file was replaced.
# HACKATTACK: This is not idempotent in that it might restart stunnel every time.
exec { 'restart_stunnel':
  command => '/etc/init.d/stunnel-mysql_stunnel restart',
  user    => 'root',
  group   => 'root',
}
#-------------------------------------------------------------------------------


#-------------------------------------------------------------------------------
# stunnel Server
# --------------
# SwarmCritic clients on other servers need to access the database securely.
# This was previously performed using SSH tunnels, but experience showed
# that they were unreliable (the ssh processes tended to disappear), so I
# switched to stunnel which is designed to be a more permanent service.
# Unlike ssh which relies on a standard pre-installed ssh server, stunnel
# does not come as standard on CentOS and must be installed on both the
# client and the server using the same SSL certificate.
#
# See https://forge.puppetlabs.com/arusso/stunnel
# See https://github.com/puppetlabs/puppetlabs-stunnel/blob/master/tests/site.pp

include stunnel
include augeas

# The stunnel Puppet module creates a reboot initialisation script at:
#   /etc/init.d/stunnel-mysql_stunnel
# However, it calls some functions that are not installed on CentOS by default.
# To make it work, we have to install the redhat-lsb package.
# See http://unix.stackexchange.com/questions/9314/no-such-file-or-directory-etc-init-d-functions
#
# Note: I am using the -> mechanism because stunnel::tun won't accept a require parameter.
# Note: Aaron Russo has apparently changed the module so that the package invocation
#       is no longer required. However, I'm leaving it in as a precaution. After all, it's idempotent!
# Note: I tried this and got an error, so I'm commenting it out again.
#package { 'redhat-lsb':
#  name     => 'redhat-lsb',
#  ensure   => installed,
#  provider => "yum",
#}

file { '/etc/ssl/certs/mysql_stunnel.pem':
  ensure => "file",
  owner  => "root",
  group  => "root",
  mode   => $mode_rwx______,
  source => 'puppet:///modules/swarmcritic_mysql_and_database/mysql_stunnel.pem',
}
->
stunnel::tun { 'mysql_stunnel':
  accept  => '3307', # The remote stunnel client will connect to port 3307 on this database server.
  connect => '3306', # The local stunnel server will connect to port 3306 on this database server.
  # Note: I previously had 'localhost:3306' and the 'localhost' stopped it from working.
  options => 'NO_SSLv2',
  cert    => '/etc/ssl/certs/mysql_stunnel.pem',
  require => Package['redhat-lsb'],
}
->
# IMPORTANT: stunnel defaults to server mode, so we don't need to specify:
#   client = no
# in the configuration file, as we must do in the client Puppet code.
#
# It's not clear to me that the stunnel package actually starts stunnel.
# So I'm doing it manually.
# HACKATTACK: This is not idempotent in that it might restart stunnel every time.
exec { 'restart_stunnel':
  command => '/etc/init.d/stunnel-mysql_stunnel restart',
  user    => 'root',
  group   => 'root',
}


arusso commented on July 20, 2024

This shouldn't be an issue to extend. I'll see if I can get around to this later this afternoon.


arusso commented on July 20, 2024

Hey Ross -- can you try using the code from the issues/5_client branch, and tell me if that works. There should be a stunnel::tun param client that you just need to set to true


ross-williams commented on July 20, 2024

Aaron,

On 19 Mar 2014, at 1:46 PM, Aaron Russo wrote:

Hey Ross -- can you try using the code from the issues/5_client branch, and tell me if that works. There should be a stunnel::tun param client that you just need to set to true

Thanks for implementing this so quickly.

I'm sorry. I've only ever installed puppet modules using puppet

puppet module install puppetlabs/firewall
puppet module install puppetlabs/ruby
puppet module install alup/rbenv
puppet module install puppetlabs/passenger
puppet module install puppetlabs/mysql
puppet module install puppetlabs-haproxy
puppet module install evenup-rsyslog
puppet module install arusso-stunnel

and also I so far haven't used GitHub (I know subversion though).

Could you tell me what kind of commands I could use to install a branch?

Can I just grab a directory tree out of github and use it to replace the module directory in the puppet modules folder and then run puppet?

Would you be able to email me a zip file of the directory so I don't have to learn GitHub in order to test your fix?
Is there a single file I can replace manually?

Ross


arusso commented on July 20, 2024

Hi Ross,

This is pretty simple, here's how to do it:

You can download the tarball (.tar.gz) for the latest copy of this branch here: here

To install, copy the downloaded module to your puppet user's (whichever owns the module files) home directory on your puppet master and navigate to the puppet modules directory (ie. /etc/puppet/modules) and run:

# remove stunnel module, we can easily reinstall from forge
rm -rf stunnel/
# install the new version
mkdir stunnel
tar -xzf ~/puppet-stunnel-issues_5_client.tar.gz -C stunnel/

You should now have the latest code from issues/5_client branch, which is the one I'm making changes related to this issue in.

To re-install the latest off the forge, you follow the same instructions as above, but instead of extracting the stunnel module, you run: puppet module install arusso-stunnel -i ./

Let me know if you have any trouble.

Best,

Aaron


ross-williams commented on July 20, 2024

Aaron,

Thanks for your instructions. Here's an extract from my Puppet module installation bash script:

puppet module install puppetlabs/firewall
puppet module install puppetlabs/ruby
puppet module install alup/rbenv
puppet module install puppetlabs/passenger
puppet module install puppetlabs/mysql
puppet module install puppetlabs-haproxy
puppet module install evenup-rsyslog

# Install either the standard or specially hacked version of arusso-stunnel
if [ "a" == "b" ]
then
  echo "Installing standard arusso-stunnel tunnel module."
  puppet module install arusso-stunnel
else
  echo "Installing special client-capable arusso-stunnel tunnel module."
  cd /root
  rm -rf /etc/puppet/modules/stunnel
  mkdir /etc/puppet/modules/stunnel
  wget https://github.com/arusso/puppet-stunnel/archive/issues/5_client.tar.gz -O 5_client.tar.gz
  cd /etc/puppet/modules
  tar -xzf /root/5_client.tar.gz -C /etc/puppet/modules/stunnel/
  mv /etc/puppet/modules/stunnel/puppet-stunnel-issues-5_client/* /etc/puppet/modules/stunnel/
  rm -rf /etc/puppet/modules/stunnel/puppet-stunnel-issues-5_client
fi

The modified module works fine. I tested the client with

client => true,

and it worked.

I tested the server with the attribute absent and it worked.
I tested the server with the attribute set to:

client => false,

and it worked, but didn't explicitly put the directive in the output config file.
I guess it doesn't have to so long as the server-is-default holds, but it feels
a bit strange to specify it explicitly in the puppet directive and not have it turn
up explicitly in the output configuration file.

Thank you for implementing the "client" feature.

Please let me know when you have added the feature to the official
version so that I can delete the "Installing special client-capable arusso-stunnel tunnel module."
branch of the above if statement.

Thanks,

Ross


arusso commented on July 20, 2024

Not explicitly defining client=no violates the principle of least surprise, so I went ahead and force client to always be set one way or another.

With that, version 1.1.0 is now available on the forge and incorporates this work. Let me know if you have further trouble.
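An added example, written for this page and not code from arusso-stunnel or from either poster: a small Python script that renders stunnel endpoint configs in the shape of the files posted above, always writing `client = yes` or `client = no` explicitly (the behaviour Aaron describes for version 1.1.0), and then audits a client/server pair for the problems this thread ran into: the client end missing `client = yes`, a server end relying on the implicit default role, a client `connect` port that does not match the server `accept` port, and the `localhost:` prefix on the server's `connect` that Ross reports broke his tunnel. It also flags endpoints with no `verify` directive, because stunnel's default verification level checks no peer certificate; the posted configs share one certificate but never set `verify`, so the tunnel encrypts without authenticating either end. The rendered layout, the parser and the constructed sample configs (taken from the first, non-working pair Ross posted) are assumptions.

```python
"""Render stunnel endpoint configs with an explicit role and audit a client/server pair.
Added example for this thread; layout mirrors the posted files and is an assumption."""

def render_stunnel_conf(name, accept, connect, cert, client, options="NO_SSLv2"):
    """Render one endpoint; the role is always written out, as module version 1.1.0 does."""
    lines = [
        "# This file managed by Puppet",
        f"cert = {cert}",
        "setuid = root",
        "setgid = root",
        f"pid = /var/run/stunnel-{name}.pid",
        "debug = 0",
        f"output = /var/log/stunnel/{name}.log",
        "timeoutidle = 60",
        f"options = {options}",
        "client = " + ("yes" if client else "no"),  # explicit, never left to the default
        f"[{name}]",
        f"  accept={accept}",
        f"  connect={connect}",
    ]
    return "\n".join(lines) + "\n"

def parse_stunnel_conf(text):
    """Minimal parser: (global options, {service: options}); '#'/';' lines are comments."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            services[current] = {}
            continue
        key, _, value = line.partition("=")
        target = global_opts if current is None else services[current]
        target[key.strip()] = value.strip()
    return global_opts, services

def port_of(endpoint):  # 'host:port' or bare 'port' -> int
    return int(endpoint.rsplit(":", 1)[-1])

def audit_pair(client_text, server_text, service):
    """Findings for a client/server pair; an empty list means the pair is consistent."""
    findings = []
    cg, cs = parse_stunnel_conf(client_text)
    sg, ss = parse_stunnel_conf(server_text)
    # stunnel runs as a server unless 'client = yes' is present
    if cg.get("client", "").lower() != "yes":
        findings.append("client end lacks 'client = yes', so stunnel runs it as a server")
    if "client" not in sg:
        findings.append("server end relies on the implicit default role (no 'client = no')")
    elif sg["client"].lower() != "no":
        findings.append("server end is configured as a client")
    for label, opts in (("client", cg), ("server", sg)):
        if "verify" not in opts:  # stunnel's default verify level checks no peer certificate
            findings.append(f"{label} end has no 'verify' directive; peer certificate is not checked")
    csvc, ssvc = cs.get(service, {}), ss.get(service, {})
    if not csvc or not ssvc:
        findings.append(f"service [{service}] is missing on one end")
        return findings
    if port_of(csvc["connect"]) != port_of(ssvc["accept"]):
        findings.append("client 'connect' port does not match server 'accept' port")
    if ssvc.get("connect", "").startswith("localhost:"):
        findings.append("server 'connect' has a 'localhost:' prefix (the thread reports this broke the tunnel)")
    return findings

# Constructed from the first pair of configs posted in the thread (the pair that did not work).
GLOBAL_PART = """\
# This file managed by Puppet
cert = /etc/ssl/certs/mysql_stunnel.pem
setuid = root
setgid = root
pid = /var/run/stunnel-mysql_stunnel.pid
debug = 0
output = /var/log/stunnel/mysql_stunnel.log
timeoutidle = 60
options = NO_SSLv2
"""
BROKEN_CLIENT = GLOBAL_PART + "[mysql_stunnel]\naccept=localhost:3306\nconnect=db.swarmcritic.com:3307\n"
BROKEN_SERVER = GLOBAL_PART + "[mysql_stunnel]\naccept=3307\nconnect=localhost:3306\n"

def audit_posted_configs():
    return audit_pair(BROKEN_CLIENT, BROKEN_SERVER, "mysql_stunnel")

def audit_rendered_configs():
    cert = "/etc/ssl/certs/mysql_stunnel.pem"
    client = render_stunnel_conf("mysql_stunnel", "3306", "db.swarmcritic.com:3307", cert, client=True)
    server = render_stunnel_conf("mysql_stunnel", "3307", "3306", cert, client=False)
    return audit_pair(client, server, "mysql_stunnel")

if __name__ == "__main__":
    for title, findings in (("posted", audit_posted_configs()), ("rendered", audit_rendered_configs())):
        print(f"{title} configs: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run stand-alone it reports five findings for the posted pair (both role problems, the missing `verify` on each end, and the `localhost:` connect) and only the two `verify` findings for the rendered pair, which is the point of always emitting the role: the audit no longer has to guess what stunnel will do when the directive is absent.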
