Puppet Enterprise: Deleting a user

18 January 2016, 13:16 CDT

After spending the last several months building automation/configuration management with open source Puppet, we’re looking at Puppet Enterprise.  Between a move from Puppet 3.x to 4.x and PE — theres enough different it feels like learning everything all over again.

One of the first things I ran into was that I wanted to configure Puppet to use our Active Directory server for authentication.  I made the mistake in that process of adding myself as a local PE console user.  The PE console gives you no way to recover from this.  You can only revoke that local user’s access, not remove them entirely so as to delegate the authentication out to AD.

Bad.  Worse, the documentation doesn’t really help you out here.  Fortunately, there’s an API.  In the middle of trying to sort out everything else for getting this set up, yes, you have to use the API to fix the honest mistake made in the console.

The first step is understanding how to create an API request.  Fortunately, you can do it with cURL.  It’s messy, but it works.  But wait.  The section there about generating a token for your API authentication?  Ignore it for now, because it turns out at this stage if you go down that road it won’t work.

Note: For security reasons, authentication tokens
can only be generated for revocable users. The admin
user and api_user cannot be revoked.

Well Bob, since the only local users I have are the one I’m trying to delete, admin, and api_user — I guess a token is out of the question.

You’ll need to use a whitelisted certificate, which you already have for your PE server.  Just to be sure, look at the contents of /etc/puppetlabs/console-services/rbac-certificate-whitelist.  You should see your PE server’s FQDN or something along those lines.  Note that value.  (Ignore the one that says “pe-internal-orchestrator”)

At this point, you have what you need to retrieve the UUID for the user that you need to delete.

curl -k -X GET https://localhost:4433/rbac-api/v1/users \ 
--cert /etc/puppetlabs/puppet/ssl/certs/<PE_SERVER>.pem \
--key /etc/puppetlabs/puppet/ssl/private_keys/<PE_SERVER>.pem \
--cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem \
-H "Content-Type: application/json" | python -m json.tool

Note the port number is 4433.  If you try to use the standard SSL port, 443, it won’t work because the server will return a 302 redirect.

It’s long and messy.  The result is JSON data, which is much easier to read if you pipe it into a pretty print filter.  Python (at least on RHEL7) ships with one.  Scan the output for the user you want to delete.  It’s probably the last one in the list.  You need the id field.

Now use cURL to DELETE the user in question, replacing <id> with the id you found above.  In the instructions it says “DELETE /users/:sid”.  Don’t include the colon.  It’s there to indicate that you need to replace :sid with a value.

curl -kiv -X DELETE https://localhost:4433/rbac-api/v1/users/<id> \
--cert /etc/puppetlabs/puppet/ssl/certs/<PE_SERVER>.pem \
--key /etc/puppetlabs/puppet/ssl/private_keys/<PE_SERVER>.pem \
--cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem \
-H "Content-Type: application/json" | python -m json.tool

If you get back

HTTP/1.1 204 No Content, you succeeded.

Now if you’ve configured your AD/LDAP parameters correctly and you try to log in as the user you just deleted, it will work.

This is a very long and unnecessarily painful route to remove a local user.

365 Project: Day 1/365

1 January 2015, 17:35 CDT

Having successfully completed the photography program at Kansas City Art Institute, my capstone instructor challenged us to complete a 365 project.  That is, make a photograph each day for a year.  I have no specific theme or genre in mind, but rather am leaving it open.

I’ll be using the project to explore both familiar and uncharted territory – flash photography as an example of the latter.

Link: Flyover Country 365 project

Today’s photo, Day 1 of 365:

2015 365 Project: Day 1

Google Fiber – Gigabit Speeds, Your Router Part 2: QoS

25 February 2014, 22:06 CDT

This is a continuation of Google Fiber – Gigabit Speeds, Your Router.  Part 1 covered the required VLAN configuration.  Here, we walk through the QoS settings you’ll need to get your upload speed over 10Mb/s using a Netgear GS108Tv2 switch.

Part 2: QoS

The QoS settings are tricky, and how to set them up varies widely from switch to switch.  The GS108T is probably a little worse than most.  It isn’t a Cisco 2800.  It also doesn’t cost what a 2800 does.  First, ignore the first section under QoS called “CoS”.  For our purposes, it is useless.  Skip it and go to the DiffServ section.

For review, the QoS settings we need are:

  • DHCP traffic should have 802.1p bit = 2
  • IGMP traffic should have 802.1p bit = 6
  • All other internet traffic 802.1p bit = 3

Technically, we only need the settings for “all other internet traffic” but to play nicely, make it less likely for Google to have a problem with our router, and completeness here, we’ll set it up as above.

The 108’s QoS is configured in three parts: class, policy, and service.  They must be configured in this order, and unconfigured (if you choose to do so) in reverse order.  The class sets up the matching rules, the policy modifies the packets to include the proper QoS bits, and the service applies the rules to a switch port.

Choose Advanced > DiffServ Configuration

Class Configuration

Add the three classes, but don’t configure them yet.  Enter DHCP into the Class Name box, select All from the Class Type. (All is the only choice.)  Click the Add button from the bottom right.  Do the same for IGMP and Default.

GS108T: Classes

Click on the class you created for DHCP.  Enter the following settings, leave the rest blank.

  • VLAN = 2
  • Source L4 Port = Other 68
  • Destination L4 Port = Other 67

GS108T: QoS: Class: DHCP

Click the apply button in the lower right.

Go back to the Class Configuration screen, and configure the IGMP class.  Leave the other settings blank.

  • VLAN = 2
  • Protocol Type = IGMP (Ignore the box, it will fill itself)

GS108T: QoS: Policy: IGMP

Click the apply button in the lower right.

Go back to the Class Configuration screen, and configure the Default class.  Leave the empty settings blank.

  • VLAN = 2

GS108T: QoS: Class: Default

Click the apply button in the lower right.

Policy Configuration

Basically, the policy is where you’re going to tell the switch what to do with the packets that match the classes you set up.  This is also one of the nasty places in the UI where it is easy to think you’re stuck.

Go to Policy Configuration.  Please read the next couple of paragraphs carefully before continuing.  The way you create the policies is a little confusing.

Enter a policy name of GF and select DHCP as the member class.  Click the Add button in the lower right.

Now, to add the IGMP policy, check the box next to the row you just created for the DHCP policy, and select IGMP as the member class.  Click the Apply button in the lower right.  The reason it works this way is because you need to group all of your classes under one policy.  The Add button will add a new policy, which is not what you want.  You want to add a class to the policy you already created.  Confusing until you understand what the UI is doing.

To add the Default policy, check the box next to the row you just created for the IGMP policy, select Default as the member class.  Click the Apply button in the lower right.  Your screen should look like so:

GS108T: Policies: Assigning the classes

Note: If you need to remove a class from the policy, you have to do so from the bottom up.  Make sure you re-add any in the way and order described above.  Once you set a policy’s configuration (next section), you will have to delete the policy to change it.  This means that if you need to change the policy for the DHCP class, you will have to remove both the Default and IGMP policies from the class first.

To set the policy for the DHCP class, click on GF on the first row where DHCP is the member class.

Select the Policy Attribute > Mark COS and set the value to 2.  Make sure you mark the radio button for Mark COS.

GS108T: QoS: Policy: DHCP

Click the apply button in the lower right.

Go back to the Policy Configuration.

To set the policy for the IGMP class, click on GF on the second row where IGMP is the member class.

Select the Policy Attribute > Mark COS and set the value to 6.  Make sure you mark the radio button for Mark COS.

GS108T: QoS: Policy: IGMP

Go back to the Policy Configuration.

To set the policy for the Default class, click on GF on the third row where Default is the member class.

Select the Policy Attribute > Mark COS and set the value to 3.  Make sure you mark the radio button for Mark COS.

GS108T: Qos: Policy: Default

Click the apply button in the lower right.

Service Configuration

Almost there.  Go to the Service Configuration.

Mark the box next to g2 and choose the policy GF.

GS108T: QoS: Service Configuration

Note: g2 is not a typo.  This isn’t true of all switches, but here make sure to choose your router WAN port for the service configuration.  The GS108T QoS only acts on packets coming into a switch port, not packets leaving a port.  You need to mark the packets for QoS as they’re leaving the router coming into switch port 2, then outbound on switch port 1 to the OTN.

Click the apply button in the lower right.

Conclusion

That’s it.  Go back and run your speed test and compare it with your baseline to make sure everything is working properly.

If you need to make adjustments to the QoS, you’re going to have to walk backwards through the configuration.  That means first removing the policy in the Service Configuration.

If you have questions, come find us on the Google Fiber thread, or the pfSense thread, or leave them in the comments below.

Google Fiber – Gigabit Speeds, Your Router Part 1: VLANs

25 February 2014, 22:03 CDT

Google Fiber is great.  True symmetric gigabit speeds — both downstream and upstream — for $70/month.  ComcastTimeWarner should be shaking in their market monopoly boots.

Background

However, the Google Fiber “Network Box” (GFNB) is, to put it plainly, a piece of junk.  This device is what we know as a router.  Any advanced feature such as port forwarding is allowed in the advanced interface, but may or may not work.  Not much else is supported.  Unlike any other $20 router there is no bridge mode, no way to turn off the DHCP server, no DMZ, etc.  At one point while I was trying to troubleshoot a port forwarding issue, the GFNB created a hidden (read: could-not-be-deleted-because-it-wasn’t-visible) access rule that prevented my main computer from getting online at all.  A factory reset was required to fix this.  A group of us on the Google Fiber product forums decided to pool our knowledge and figure out how to use our own router, despite the insistence from Google that this was either not possible, or only with a double NAT — their router had to remain between you and the Interwebs.

Following a tip which set us on the right path, Atlantisman did most of the hard work to figure out how to get pfSense set up, so all due credit to him and JeffV in the GF product forum and the pfSense forums.  Atlantisman wrote up how to to set up pfSense, and gave some general guidance about the switch.  This post will focus on the setting up the Netgear GS108Tv2.  The switch configuration falls into two main parts: setting up the VLANs, and the QoS.  pfSense is not required, most any modern router will do, but a VLAN + QoS capable switch is required.  The VLAN configuration is required to get your router online.  Without the proper QoS, uploads are limited to 10Mb/s.

This following assumes that you’re following Atlantisman’s guide.  Specifically, you have port 1 plugged into your ONT and port 2 plugged into the WAN port for your router of choice.

One more note: I’ve had a bunch of trouble with the Google Fiber speed test lately  I recommend running an initial test with the GFNB before you make any modifications to the network to get a baseline.  You may wish to also get some baseline numbers from speedtest.net.

Optional: UI Session Timeout

The default idle timeout for the 108’s UI is 5 minutes.  I find this annoying when I’m trying to comprehend their manual and change settings.  If you want to change this, go to Security > Access > HTTP Configuration > Soft Session Timeout and set it to something more reasonable.  I have mine at 30 minutes.

Part 1: The VLANs

The traffic in and out of the ONT (the Fiber Jack) must be tagged with VLAN2.  The easiest way to do this is to put the ONT and your router on VLAN2, and everything else on VLAN1.  In the GS108T, you must set up the VLAN in two different places.

First, to avoid any troubles, disable the Voice VLAN in Switching > Voice VLAN > Properties.  You won’t be able to dedicate VOIP applications to VLAN2 with this switch because the ONT already uses it.GS108T: Voice VLAN

Port Grouping

Next, configure the port grouping.  Go to Switching > VLAN.  From the menu on the left, choose Advanced > VLAN Membership.  Don’t bother trying to rename the first 3 VLANs.  It won’t let you.

Ensure that VLAN ID 1 is selected, click the annoyingly small triangle next to the word PORT, and then click each port (3 – 8) until they all say ‘U’.

GS108T: VLAN1 - Grouping

Note: I have port 3 ungrouped in the screenshot here because I am using it for other purposes.

Click the apply button in the lower right.

Select VLAN ID 2 from the drop down, click the annoyingly small triangle next to the word PORT, and then click port 1 to make it say ‘T’.  Click port 2 to make it say ‘U’.

GS108T: VLAN2 - Grouping

Click the apply button in the lower right.

Port Assignment

Choose Port PVID Configuration from the menu on the left.  Mark the boxes for g1 and g2, enter a value of 2 into the box PVID Configured.  Click the apply button in the lower right.

GS108T: Port Assignment

Note: I have port g3 assigned to VLAN3 in the screenshot here because I am using it for other purposes.

That all there is to the VLAN configuration.  Your router, pfSense or otherwise, should now be able to obtain a public address from the Google DHCP server, and you can get online.  At this point, you should stop and make sure your router is functioning correctly, and that you’re able to run a speed test.

Upload speeds are limited to 10Mb/s until you get QoS configured, but it is better to get the VLAN configuration settled and confirmed working before moving on.

 

Update 15 Aug 2014: Atlantisman’s guide is back on dropbox, and has a few updates so I’ve changed the links in the post back directly to his guide.  The archived guide is still available if needed.

Next – Part 2: QoS

If you have questions, come find us on the Google Fiber thread, or the pfSense thread, or leave them in the comments below.