On May 30, 2010, at 7:03 PM, Daniel Pittman wrote:
Nigel Kersten <[email protected]> writes:
On Sat, May 29, 2010 at 6:57 PM, Daniel Pittman
<[email protected]> wrote:
One of the use cases for the File type I have been considering
recently is
how to verify file content is correct before installing it. In
many places
this doesn't matter too much, but *sometimes* it surely does.
Two of the specific examples that spring to mind are managing /etc/
sudoers,
and /etc/{passwd,shadow}, where getting it wrong can make it hard
to go back
and get it right later.
At the moment the File type internally supports a "post-create
check"
operation on the file it is replacing. Would there be a
reasonable degree
of acceptance of adding the ability to run an external check tool?
My thought is something like this:
file { "/etc/whatever": source => "whatever", check =>
"/usr/local/bin/syntax-check-whatever" }
When puppet wanted to replace /etc/whatever it would execute the
check
command, passing the path to the temporary file to the script, and
would
abort the update if the script returned a failure.
This would fit right in next to fail_if_checksum_is_wrong inside
lib/type/file.rb, I think.
Thoughts?
I think this is very close to the same functionality as the request
to make
the onlyif/ unless exec parameters true metaparameters for all
resource
types isn't it?
Well, if there was some way to access the new file content *before*
it was
installed over the old, then yes, it would be identical.
I guess it's going to fail in slightly different ways, but if we
had that
functionality we could do it all in a defined type?
Well, a specific example would be this:
1. Build new content for /etc/sudoers from fragments.
2. Run 'visudo -c -f /path/to/new/file'
3. If step 2 was successful, install the new content to /etc/sudoers
That makes sure that if step 1 generates an invalid file we don't
overwrite
the current, working, version of the file.
That, in this case, means that I don't have to go and log access to
the
emergency root password to be able to fix my mistake. I can just
fix the
file.
The only way to make this work would be to support some kind of macro
in the checks:
onlyif => "visudo -c -f %tmpfile"
Or something similar.
Not unreasonable, but not in the current plans.
It almost makes me want "validate before write" as a general feature -
that is, I could see having it for builtin types, too:
validate { "/etc/sudoers": with => "visudo -c -f %tmpfile" }
All file writing in Puppet would need to be done in a common interface
that supported this, but we already have to do something similar for
backups.
So, yeah: this could be done with a proper sudo type in Puppet, in
Ruby, but
my general feeling is that this would be a nice extension to allow
enhancements written only in puppet to use, rather than forcing me
down to the
Ruby level to achieve this pretty trivial goal.
I concur.
--
It is said that power corrupts, but actually it's more true that power
attracts the corruptible. The sane are usually attracted by other things
than power. -- David Brin
---------------------------------------------------------------------
Luke Kanies -|- http://puppetlabs.com -|- +1(615)594-8199
--
You received this message because you are subscribed to the Google Groups "Puppet
Developers" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/puppet-dev?hl=en.
