A good baseline profile sets each node up at the minimum level for the operating system (OS) in its site environment. For example, it enables and configures firewalls on agents, installs required software (such as virus scanners), and lays out required configurations from teams such as infosec and OS admins.
Guidelines for baseline profile
The baseline profile (in the profile::baseline class) is unique in what it manages at each site.
A good baseline profile:
- Wraps OS level profiles.
- Supports all business supported operating systems.
- Fails when used on unsupported operating systems.
- Implements the minimum level of security allowed on business networks.
- Installs base, site-wide software for your organization. For example, backup software and virus scanners.
Get started
Create a baseline profile as your first profile. Start small, by managing something simple and low-risk on one node, such as a legal notice or MOTD. Once that profile is stable, deploy the profile out to many nodes. Expand over time to include the items in the guidelines.
Here’s an example of a baseline profile for a MOTD:
class profile::baseline {
  # Profile does motd and banner
  include profile::baseline::banner
}

class profile::baseline::banner (
  String $motd               = 'Message of the day is managed by Puppet',
  String $windows_motd_title = 'Puppet Set message of the Day',
) {
  class { 'motd':
    content            => $motd,
    windows_motd_title => $windows_motd_title,
  }
}
Supporting more than one OS
Every node that Puppet manages should include a profile::baseline. Use a case statement to set minimum requirements for each OS. Avoid putting nodes into an unknown state by ensuring that there’s a default case.
For example:
class profile::baseline (
  Array[String[1]] $time_servers = [ '0.pool.ntp.org', '1.pool.ntp.org' ],
) {
  # Profile to set a default base level of acceptable security and
  # configuration for systems to be used within the company networks.
  case $facts['os']['family'] {
    'RedHat','Debian': {
      class { 'profile::baseline::timesync':
        name_servers => $time_servers,
      }
      include 'profile::linux::security'
    }
    'windows': {
      class { 'profile::baseline::timesync':
        name_servers => $time_servers,
      }
      include profile::windows::security
    }
    'Solaris': {
      class { 'profile::baseline::timesync':
        name_servers => $time_servers,
      }
      include profile::solaris::security
    }
    default: {
      fail("OS family ${facts['os']['family']} is not supported with ${title}.")
    }
  }
  # Profile does motd and banner
  include profile::baseline::banner
}
Add baseline to all roles and default host
The example above is written so that all roles can include it, and so that each operating system is secured and configured to a site-wide multi-team spec. Once profile::baseline is tested and complete, include it in roles to add it to the classification of each Puppet-managed node. Ensure that the baseline profile is applied to any unclassified nodes by adding it to the default node definition.
For example:
site.pp
node default { include profile::baseline }
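One way to check in CI that every role and the default node actually declare the baseline, as an added example that is not part of the original page or of Puppet itself. It is a heuristic text scan rather than a Puppet parser, and it assumes roles are classes named role::*, take no parameters, and use one include per statement; the sample manifests are constructed.

```ruby
# Added example: a heuristic text scan, not a full Puppet parser.
BASELINE = 'profile::baseline'

# Drop '#' comments so a commented-out include does not count as coverage.
def strip_comments(src)
  src.lines.map { |line| line.sub(/#.*$/, '') }.join
end

# Return the text between the braces of the first block whose header matches.
def block_body(src, header)
  m = header.match(src) or return nil
  open = src.index('{', m.end(0)) or return nil
  depth = 0
  (open...src.length).each do |i|
    depth += 1 if src[i] == '{'
    depth -= 1 if src[i] == '}'
    return src[(open + 1)...i] if depth.zero?
  end
  nil
end

# True only for profile::baseline itself, not a child such as ::banner.
def declares_baseline?(body)
  return false if body.nil?
  name = Regexp.escape(BASELINE)
  body.match?(/\b(?:include|contain)\s+['"]?(?:::)?#{name}['"]?(?![\w:])/) ||
    body.match?(/\bclass\s*\{\s*['"](?:::)?#{name}['"]\s*:/)
end

# manifests: { path => source }. Returns role classes lacking the baseline.
def roles_missing_baseline(manifests)
  manifests.values.flat_map do |src|
    clean = strip_comments(src)
    clean.scan(/^\s*class\s+(role(?:::\w+)+)/).flatten.reject do |role|
      declares_baseline?(block_body(clean, /^\s*class\s+#{Regexp.escape(role)}\b(?!:)/))
    end
  end
end

def default_node_covered?(site_pp)
  declares_baseline?(block_body(strip_comments(site_pp), /^\s*node\s+default\b/))
end

# Constructed sample input; paths and profile names other than baseline are made up.
SAMPLE_MANIFESTS = {
  'role/manifests/web.pp' => "class role::web {\n  include profile::baseline\n  include profile::webserver\n}\n",
  'role/manifests/db.pp' => "class role::db {\n  # include profile::baseline\n  include profile::baseline::banner\n}\n"
}.freeze
SAMPLE_SITE_PP = "node default { include profile::baseline }\n"
```

A role flagged here either omits the baseline or declares it in a form the scan does not recognize, so the check errs toward reporting.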
When you’ve completed a baseline profile, start working on roles.