Nigel Kersten <[email protected]> writes:
> On Sat, May 29, 2010 at 6:57 PM, Daniel Pittman <[email protected]> wrote:
>
>> One of the use cases for the File type I have been considering recently is
>> how to verify file content is correct before installing it. In many places
>> this doesn't matter too much, but *sometimes* it surely does.
>>
>> Two of the specific examples that spring to mind are managing /etc/sudoers,
>> and /etc/{passwd,shadow}, where getting it wrong can make it hard to go back
>> and get it right later.
>>
>> At the moment the File type internally supports a "post-create check"
>> operation on the file it is replacing. Would there be a reasonable degree
>> of acceptance of adding the ability to run an external check tool?
>>
>> My thought is something like this:
>>
>> file { "/etc/whatever": source => "whatever", check =>
>> "/usr/local/bin/syntax-check-whatever" }
>>
>> When puppet wanted to replace /etc/whatever it would execute the check
>> command, passing the path to the temporary file to the script, and would
>> abort the update if the script returned a failure.
>>
>> This would fit right in next to fail_if_checksum_is_wrong inside
>> lib/type/file.rb, I think.
>>
>> Thoughts?
>
> I think this is very close to the same functionality as the request to make
> the onlyif/ unless exec parameters true metaparameters for all resource
> types isn't it?

Well, if there was some way to access the new file content *before* it was
installed over the old, then yes, it would be identical.

> I guess it's going to fail in slightly different ways, but if we had that
> functionality we could do it all in a defined type?

Well, a specific example would be this:

1. Build new content for /etc/sudoers from fragments.
2. Run 'visudo -c -f /path/to/new/file'
3. If step 2 was successful, install the new content to /etc/sudoers

That makes sure that if step 1 generates an invalid file we don't overwrite
the current, working, version of the file.

That, in this case, means that I don't have to go and log access to the
emergency root password to be able to fix my mistake. I can just fix the
file.

So, yeah: this could be done with a proper sudo type in Puppet, in Ruby, but
my general feeling is that this would be a nice extension to allow
enhancements written only in puppet to use, rather than forcing me down to the
Ruby level to achieve this pretty trivial goal.

Daniel
--
✣ Daniel Pittman ✉ [email protected] ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
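
The three-step sequence in the message above (build the new content, check it, install only if the check passes), sketched as a shell function. This is an added example, not part of the original message and not Puppet code; `install_checked`, `demo_check` and `demo` are hypothetical names, and `demo_check` is a constructed stand-in for a real checker such as `visudo -c -f`.

```shell
#!/bin/sh
# Added example, not Puppet code. Stage a candidate file, run an external
# check on the staged copy, and replace the destination only if it passes.
# Usage: install_checked SRC DEST MODE CHECK_CMD [ARGS...]
# The staged path is appended as the last argument to CHECK_CMD, e.g.
#   install_checked sudoers.new /etc/sudoers 0440 visudo -c -f
install_checked() {
    [ "$#" -ge 4 ] || { echo "usage: install_checked SRC DEST MODE CHECK_CMD [ARGS...]" >&2; return 2; }
    ic_src=$1; ic_dest=$2; ic_mode=$3
    shift 3

    # Stage next to the destination so the final mv is a rename on the same
    # filesystem: readers see the old file or the new one, never a partial one.
    ic_tmp=$(mktemp "$(dirname "$ic_dest")/.$(basename "$ic_dest").XXXXXX") || return 1

    # Apply the final mode while staged, so the live file never has the wrong one.
    if ! cp "$ic_src" "$ic_tmp" || ! chmod "$ic_mode" "$ic_tmp"; then
        rm -f "$ic_tmp"
        return 1
    fi

    # A non-zero exit from the checker aborts the update; the old file is untouched.
    if ! "$@" "$ic_tmp" >/dev/null 2>&1; then
        echo "check failed, keeping existing $ic_dest" >&2
        rm -f "$ic_tmp"
        return 1
    fi

    mv -f "$ic_tmp" "$ic_dest" || { rm -f "$ic_tmp"; return 1; }
}

# Constructed stand-in for a real checker such as visudo, so the demo runs
# without root: a file passes only if every line contains "ALL=".
demo_check() { ! grep -qv 'ALL=' "$1"; }

# Constructed demo in a scratch directory; prints the resulting file content.
demo() {
    demo_dir=$(mktemp -d) || return 1
    printf 'root ALL=(ALL) ALL\n' > "$demo_dir/sudoers"
    printf 'this line is broken\n' > "$demo_dir/bad"
    printf 'root ALL=(ALL) ALL\n%%wheel ALL=(ALL) ALL\n' > "$demo_dir/good"
    install_checked "$demo_dir/bad" "$demo_dir/sudoers" 0440 demo_check 2>/dev/null || echo "bad candidate rejected"
    install_checked "$demo_dir/good" "$demo_dir/sudoers" 0440 demo_check
    cat "$demo_dir/sudoers"
    rm -rf "$demo_dir"
}
```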