On Apr 23, 2010, at 7:15 AM, CraftyTech wrote:

> On Apr 23, 7:24 am, Daniel Pittman <dan...@rimspace.net> wrote:
>> CraftyTech <hmmed...@gmail.com> writes:
>>> I'm new to puppet, and I'd like to know: Is there a formal best practices
>>> guide for syncing { /etc/passwd, shadow, group, hosts} across clients from
>>> the master?
>> 
>> You will probably find the most common "best practice" answer to this is
>> "don't do it that way": the risks probably outweigh the cost, and using a
>> proper system like LDAP, NIS, or puppet user bits is probably less painful.
>> 
>>> For instance; is it a better practice to make a hard link to these files and
>>> share the link, as opposed to just sharing the files directly via a target
>>> in fileserver.conf?
>> 
>> I would, simply because you reduce the list of exposed files that way.
>> 
>>         Daniel
>> 
>> By "would" I mean "would deploy LDAP, but if you insist", of course.
>> --
>> ✣ Daniel Pittman            ✉ dan...@rimspace.net            ☎ +61 401 155 707
>>                ♽ made with 100 percent post-consumer electrons
>> 
> Thanks for the quick reply.  I should have been more specific in my
> question: We do use LDAP/DNS in our environment; I wanted to use
> puppet for syncing the { /etc/passwd, shadow, group, hosts} for the
> purposes of service accounts only, and not users in general.  Also the
> hosts file would be helpful in case there are host names that need to
> be hard-coded.  I suppose I can create a class that creates the users
> for the service accounts and propagate it that way...  My thought
> process was that if I have a handful of service accounts that need
> to be present in all hosts, and certain hosts that need to be
> hard-coded in the hosts file, that I would just share the previously
> mentioned files via hard link on fileserver.conf.  There appear to be
> some security holes with this approach, so I have to re-think my
> deployment strategy. All suggestions are welcome :-))

If you only have a few service accounts, it's probably easiest to just manage 
them using the user resource.
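
The approach suggested in this thread, sketched as an added example that is not part of the original messages: service accounts and hard-coded host entries are declared as individual `user`, `group` and `host` resources, so /etc/shadow and the other files are never served whole from the master's fileserver. The class names, account name, UID/GID, paths and addresses are hypothetical.

```puppet
# Added example: all names, IDs and addresses below are hypothetical.
class service_accounts {

  # Fixed GID so file ownership matches on every host.
  group { 'svc_backup':
    ensure => present,
    gid    => 901,
  }

  # Puppet edits only this account's entries; the rest of
  # /etc/passwd and /etc/shadow stays local to each client.
  user { 'svc_backup':
    ensure     => present,
    uid        => 901,
    gid        => 'svc_backup',
    comment    => 'Backup service account',
    home       => '/var/lib/svc_backup',
    managehome => true,
    shell      => '/sbin/nologin',   # no interactive login
    password   => '!',               # locked: no password hash to distribute
    require    => Group['svc_backup'],
  }
}

class static_hosts {

  # One managed line in /etc/hosts; other entries are left alone.
  host { 'db01.example.com':
    ensure       => present,
    ip           => '192.0.2.10',
    host_aliases => ['db01'],
  }
}

node default {
  include service_accounts
  include static_hosts
}
```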
