[Puppet Users] Re: Mac OS X plist resource type spec

2009-10-12 Thread Crawford Kyle
Carl, Nigel,

Thanks for working on this.  It looks great and will be a valuable  
addition.

Sorry for the late reply.  I haven't been watching the lists closely  
lately.

I agree that the name auth_membership is probably a poor choice since  
auth and membership bring to mind other unrelated topics.

Here are a few alternative names:

union
merge
merge_values
exclusive
inclusive

Kyle

On Oct 8, 2009, at 12:05 PM, Carl Caum wrote:

 Sorry it took me so long to reply.
 I don't actually remember why we decided on auth_membership  
 exactly.  I remember I originally had it as purge but that was  
 confusing for obvious reasons.  If auth_membership was set to true,  
 it would blow away every other entry in that dict/array that was not  
 known by puppet.  This is outlined in the text of the doc.

 On Mon, Oct 5, 2009 at 10:10 AM, Allan Marcus al...@lanl.gov wrote:

 Very nice. I think there should be support for delete. Maybe expand
 ensure parameter with values:

 present: create key/value if not there, do nothing if there
 absent: remove the key - the value param would not be needed
 force: create key/value if not there, force the value to equal the
 value param

 I'm not sure why the parameter auth_membership is called that. Would
 this option let me set or replace one value or an array or dict and
 not blow away the other values, if it were set to true? If set to
 false, it would blow away all other array/dict values?

 Also, will it handle the plists in byhost correctly? Figuring out
 which plist file to change is half the battle. I know there were some
 articles in recent MacTech magazines about this topic. Have you read
 them?

 This looks like it's the beginning of being able to manage MCX items
 via puppet in a more efficient manner. Awesome. Once it's ready, I can
 envision a ton of type definition libraries to manage all the common
 stuff.

 ---
 Thanks,

 Allan Marcus
 505-667-5666



 On Oct 5, 2009, at 8:52 AM, Carl Caum wrote:

  Nigel Kersten and I had previously worked on a plist provider spec
  for Mac OS X.  Attached is a PDF of the current state.  I would
  appreciate any input and criticisms.
 
  
  (attachment: Puppet Plist native type spec.pdf)


--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en
-~--~~~~--~~--~--~---
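
The two membership behaviours Carl describes for the plist type (merge versus "blow away everything Puppet does not know about") together with Allan's proposed ensure values, worked on a real XML plist with Python's plistlib. This is an added example, not code from the thread or from the spec PDF; the preference keys and values are constructed, and the parameter is called `exclusive` here because the thread has not settled on a name.

```python
import plistlib

# Constructed sample preference file (not from the thread or the spec).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>AllowedHosts</key>
  <array><string>build01</string><string>scratch</string></array>
  <key>Options</key>
  <dict><key>Verbose</key><true/><key>Legacy</key><true/></dict>
</dict>
</plist>
"""

def merge_value(current, wanted, exclusive):
    """Value a key should hold after the resource is applied.

    exclusive=False: entries Puppet does not know about survive; Puppet's
    own entries are added or updated (dict keys merged, array items unioned).
    exclusive=True (what the draft called auth_membership=true): the
    container ends up holding exactly what Puppet declared, nothing else."""
    if exclusive or type(current) is not type(wanted):
        return wanted
    if isinstance(wanted, dict):
        merged = dict(current)
        merged.update(wanted)
        return merged
    if isinstance(wanted, list):
        return current + [v for v in wanted if v not in current]
    return wanted

def apply_plist(data, key, value=None, ensure="present", exclusive=False):
    """Apply one plist resource to XML plist bytes; return the new bytes.

    ensure=present: create the key if missing, otherwise leave it alone.
    ensure=absent:  remove the key (value is ignored).
    ensure=force:   make the key hold the merged or exclusive value."""
    root = plistlib.loads(data)
    if ensure == "absent":
        root.pop(key, None)
    elif ensure == "present":
        if key not in root:
            root[key] = value
    elif ensure == "force":
        root[key] = merge_value(root.get(key), value, exclusive)
    else:
        raise ValueError(f"unknown ensure value: {ensure}")
    return plistlib.dumps(root)

def read_key(data, key):
    """Parsed value of one top-level key, for checking results."""
    return plistlib.loads(data).get(key)
```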



[Puppet Users] Re: puppet at WWDC 2009?

2009-05-01 Thread Crawford Kyle

It doesn't look like I'll make it this year.  Have an Odwalla for me.

Kyle

On May 1, 2009, at 7:02 PM, Allan Marcus wrote:


 Great! I'll be the nerdy looking guy in a black Apple t-shirt holding
 a MacBook. Shouldn't be too hard to find! :-)

 How about we meet for lunch at noon on Tuesday. Let's try to get the
 table closest to the Odwalla refrigerator, just for reference. We can
 get more specific on this list on the 8th after we verify the set up.
 I might even get there a little earlier and put down reserved tags.

 ---
 Thanks,

 Allan Marcus
 505-667-5666



 On May 1, 2009, at 1:42 PM, Nigel Kersten wrote:


 I'll be there and would love to do a roundtable discussion on Puppet
 on the Mac.

 I was considering trying to organize a Config Management BOF style
 meet up through my other hat on the MacEnterprise.org board, but
 perhaps a Puppet specific thing would be good if there are a few of us
 there?



 On Fri, May 1, 2009 at 12:14 PM, Åsmund Ødegård man...@gmail.com
 wrote:


 Hi,

 I'm going to wwdc'09. We're not using puppet on mac yet, but use it as
 our main config tool on Linux - so I'm not a good discussion partner
 here, but would like to join the lunch, as using Puppet on Mac is
 something we are considering.

 Åsmund.
 [simula.research laboratory]





 On 1 May 2009 at 20:42, Allan Marcus al...@lanl.gov wrote:


 Any puppeteers going to Apple's WWDC this year? I will be there and I
 would love to have lunch one day and talk about how people use Puppet
 on Mac OS X.

 -Allan







 -- 
 Nigel Kersten
 nig...@google.com
 System Administrator
 Google, Inc.




 





[Puppet Users] Re: Thoughts: Advantages of having a puppetmaster ?

2009-02-05 Thread Crawford Kyle


On Feb 5, 2009, at 11:53 AM, Nigel Kersten wrote:


 So we've been tossing around the idea of rsyncing our puppet manifests
 onto our laptop clients and always running puppet locally.

 This is primarily due to having conditional puppet manifests that
 depend upon facts that may change when the clients are offline, so the
 compiled catalog doesn't change until the clients can connect to the
 puppetmaster(s) again.

 On the assumption that exposing the puppet manifests themselves to the
 clients doesn't create any security issues, I'm interested in people's
 thoughts on the advantages of having a puppetmaster for a laptop
 client base.

I'm thinking that you'll lose reporting and manifest delivery.

On the other hand, delivery isn't that hard.  And puppet reporting  
seems pretty bare-bones out of the box anyway.

This may be a good way to more easily integrate puppet into an  
existing management solution that already handles delivery and  
reporting rather than integrate all that into puppet server.  So this  
sounds appealing to me.

Will puppet standalone continue to be supported as a first class  
citizen?

Kyle





[Puppet Users] Re: Join active directory domain on Mac OS X Leopard

2008-12-22 Thread Crawford Kyle
Is the client running on Mac hardware and not in a VM?  Seems like  
system_profiler, which is used to generate default facts is failing.   
Maybe it doesn't work because of virtual hardware.


On Dec 22, 2008, at 12:28 PM, Carl Caum wrote:

 Most plist management can be done with the defaults command.  It  
 means we exec out every time, but we could write a definition/plugin  
 around it.

 I'm having trouble getting puppet to run on OS X.  I installed  
 0.24.7 on my OS X server VM using gems.  After signing the  
 certificate on the puppetmaster side, I get this on the client side:

 2008-12-22 11:25:35.796 system_profiler[6552:10b] Exception while  
 calling [SPPlatformReporter updateDictionary:]
 *** -[NSCFArray objectAtIndex:]: index (3) beyond bounds (2)
 err: Could not retrieve catalog: undefined method `[]' for  
 nil:NilClass

 Any ideas?
 On Dec 19, 2008, at 11:16 PM, Crawford Kyle wrote:


 On Dec 19, 2008, at 10:48 PM, Nigel Kersten wrote:



 On Fri, Dec 19, 2008 at 7:23 PM, Crawford Kyle kcrw...@gmail.com  
 wrote:

 On Dec 19, 2008, at 7:55 PM, Nigel Kersten wrote:

 On Fri, Dec 19, 2008 at 2:29 PM, Carl Caum carl.c...@gmail.com  
 wrote:

 Does anyone know how to go about joining Mac OS X Leopard to an  
 Active
 Directory domain with puppet?
 Primarily it needs to be broken down in to doing LDAP  
 authentication
 with a few attribute mappings and using kerberos for the password
 authentication.

 You're going to want to push out your DS preferences and then do  
 an exec for the joining of the machine account I imagine,  
 although you could do some of this with templates.

 How were you doing this before Puppet?

 There are no native types now, because those of us doing the Mac  
 stuff with Puppet don't work in AD environments :)

 I'm more than happy to spend time helping you work through this  
 though Carl. I'm reasonably familiar with AD integration even  
 though we don't do it here.

 This would be a great recipe to get up on the Puppet wiki.

 We are in a large AD environment using Puppet. We currently handle  
 the AD joining outside of Puppet with a python script in a launchd  
 job that runs at first boot, though we will probably be moving  
 this to Puppet.

 The typical steps are:
 1. Make sure the time server is set and the time is set correctly ( ntpd.conf or exec systemsetup ).
 2. Activate the AD plugin by enabling it in DirectoryService.plist ( just a simple key value, but I think you need to restart DirectoryService for it to notice ).
 3. Configure the AD plugin using dsconfigad options ( this can take a lot of options; all of these just change key values in ActiveDirectory.plist ).
 4. Join to the domain using dsconfigad with a limited AD account and password with permissions to add machines to your OU ( this would need to exec the dsconfigad command with username, password, OU, machine join name. Unfortunately the password is passed to dsconfigad in clear text as a parameter ).
 5. Set the authentication search path to Custom, and include your AD domain node using dscl ( dscl exec ).

 We do manage the time server with Puppet and setting a couple of  
 mapping attributes in the AD plists.

 I'm happy to help you get this all working in Puppet as well.

 oh cool. I didn't realize you were doing AD integration Kyle.

 How are you ensuring that AD continues to be configured on the  
 clients? Does the python launchd job do all of this? Or are you  
 managing some components as Puppet resources?

 I've been thinking for a while about how to manage DirectoryService  
 nodes as native Puppet types, but there are so many attributes to  
 think about I'm not sure it actually simplifies matters all that  
 much...

 Yes, I've done a lot of AD integration work. The python script I  
 wrote tests the configuration and scenarios related to AD Node  
 status and takes action if necessary.  The only part in Puppet so  
 far is management of a couple AD plist keys.

 Agreed, DirectoryService node configuration can get complex.  There  
 may be lower hanging fruit like improved plist management that  
 would help in all areas including DirectoryService.

 Kyle






 





[Puppet Users] Re: Join active directory domain on Mac OS X Leopard

2008-12-19 Thread Crawford Kyle

On Dec 19, 2008, at 10:48 PM, Nigel Kersten wrote:



 On Fri, Dec 19, 2008 at 7:23 PM, Crawford Kyle kcrw...@gmail.com  
 wrote:

 On Dec 19, 2008, at 7:55 PM, Nigel Kersten wrote:

 On Fri, Dec 19, 2008 at 2:29 PM, Carl Caum carl.c...@gmail.com  
 wrote:

 Does anyone know how to go about joining Mac OS X Leopard to an  
 Active
 Directory domain with puppet?
 Primarily it needs to be broken down in to doing LDAP authentication
 with a few attribute mappings and using kerberos for the password
 authentication.

 You're going to want to push out your DS preferences and then do an  
 exec for the joining of the machine account I imagine, although you  
 could do some of this with templates.

 How were you doing this before Puppet?

 There are no native types now, because those of us doing the Mac  
 stuff with Puppet don't work in AD environments :)

 I'm more than happy to spend time helping you work through this  
 though Carl. I'm reasonably familiar with AD integration even  
 though we don't do it here.

 This would be a great recipe to get up on the Puppet wiki.

 We are in a large AD environment using Puppet. We currently handle  
 the AD joining outside of Puppet with a python script in a launchd  
 job that runs at first boot, though we will probably be moving this  
 to Puppet.

 The typical steps are:
 1. Make sure the time server is set and the time is set correctly ( ntpd.conf or exec systemsetup ).
 2. Activate the AD plugin by enabling it in DirectoryService.plist ( just a simple key value, but I think you need to restart DirectoryService for it to notice ).
 3. Configure the AD plugin using dsconfigad options ( this can take a lot of options; all of these just change key values in ActiveDirectory.plist ).
 4. Join to the domain using dsconfigad with a limited AD account and password with permissions to add machines to your OU ( this would need to exec the dsconfigad command with username, password, OU, machine join name. Unfortunately the password is passed to dsconfigad in clear text as a parameter ).
 5. Set the authentication search path to Custom, and include your AD domain node using dscl ( dscl exec ).

 We do manage the time server with Puppet and setting a couple of  
 mapping attributes in the AD plists.

 I'm happy to help you get this all working in Puppet as well.

 oh cool. I didn't realize you were doing AD integration Kyle.

 How are you ensuring that AD continues to be configured on the  
 clients? Does the python launchd job do all of this? Or are you  
 managing some components as Puppet resources?

 I've been thinking for a while about how to manage DirectoryService  
 nodes as native Puppet types, but there are so many attributes to  
 think about I'm not sure it actually simplifies matters all that  
 much...

Yes, I've done a lot of AD integration work. The python script I wrote  
tests the configuration and scenarios related to AD Node status and  
takes action if necessary.  The only part in Puppet so far is  
management of a couple AD plist keys.

Agreed, DirectoryService node configuration can get complex.  There  
may be lower hanging fruit like improved plist management that would  
help in all areas including DirectoryService.

Kyle
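
The join sequence Kyle lays out (steps 2 to 5, quoted in this message and in the Dec 22 one) as an added Python helper in the spirit of his launchd script: check whether the node is already bound, flip the plugin key, and build the dsconfigad and dscl commands. This is example code, not Kyle's script or a Puppet provider; the `dsconfigad -show` text, the 'Service Plugins' layout of DirectoryService.plist, the Leopard-style search-path node and every domain, OU and account value are assumptions or constructed samples, and step 1 (time sync) is left to ntpd/systemsetup.

```python
import plistlib
import subprocess

# Constructed `dsconfigad -show` output for an already-bound client (assumed
# Leopard-era layout; compare against a real machine before relying on it).
BOUND_OUTPUT = """You are bound to Active Directory:
  Active Directory Forest          = corp.example.test
  Active Directory Domain          = corp.example.test
  Computer Account                 = mac0123$
"""

def bound_domain(show_output):
    """Parse `dsconfigad -show`; return the bound domain, or None if unbound."""
    for line in show_output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "Active Directory Domain" and value.strip():
            return value.strip()
    return None

def enable_ad_plugin(plist_bytes):
    """Step 2: mark the AD plugin Active in DirectoryService.plist.
    The 'Service Plugins' dict is an assumption about Leopard's layout;
    DirectoryService still needs a restart to notice, as Kyle says."""
    root = plistlib.loads(plist_bytes)
    plugins = root.setdefault("Service Plugins", {})
    changed = plugins.get("Active Directory") != "Active"
    plugins["Active Directory"] = "Active"
    return plistlib.dumps(root), changed

def join_argv(domain, ou, computer_id, username, password):
    """Step 4: the bind command. The password is an argument, so it is
    readable in the process list while dsconfigad runs; the thread's
    mitigation is an account that can only add machines to the target OU."""
    return ["/usr/sbin/dsconfigad", "-f", "-a", computer_id, "-domain", domain,
            "-ou", ou, "-u", username, "-p", password]

def search_path_argv(domain_node="/Active Directory/All Domains"):
    """Step 5: Custom search policy plus the AD node (Leopard node path assumed)."""
    return [["/usr/bin/dscl", "/Search", "-create", "/", "SearchPolicy", "CSPSearchPath"],
            ["/usr/bin/dscl", "/Search", "-append", "/", "CSPSearchPath", domain_node]]

def plan(show_output, domain, ou, computer_id, username, password):
    """Commands still needed for this client; empty when already bound to domain."""
    if bound_domain(show_output) == domain:
        return []
    return [join_argv(domain, ou, computer_id, username, password)] + search_path_argv()

def run(commands):
    """Execute a plan; a failing step stops the run instead of continuing blind."""
    for argv in commands:
        subprocess.run(argv, check=True)
```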





[Puppet Users] Re: who uses clear text passwords with directoryservice/netinfo providers?

2008-10-17 Thread Crawford Kyle

When I quickly realized it was using clear text I started distributing  
the /var/db/shadow/hash/ file.  We want no clear text.

Thanks for working on this Nigel.

On Oct 17, 2008, at 2:16 PM, Nigel Kersten wrote:


 Sparked off from this discussion on puppet-dev:

 http://groups.google.com/group/puppet-dev/browse_thread/thread/88f60414c3dfbe5c

 Who is currently using clear-text passwords with the directoryservice
 provider in particular, and would you be exceedingly upset if Puppet
 changed to no longer allow you to set a password in clear text on Mac
 clients, and only allowed you to set a hash?

 I'd like to change the provider so that it no longer used clear text  
 passwords.

 -- 
 Nigel Kersten
 Systems Administrator
 Tech Lead - MacOps

 





[Puppet Users] certificate strategy for workstations

2008-09-29 Thread Crawford Kyle

Hi,

I am wondering how people are handling certificates for workstations  
whose names commonly change.

I am using Puppet to manage Mac workstations.  When they initially  
come on network, they haven't been named, dynamic dns has not updated  
and they have the potential to have name conflicts.  I wind up with  
different cert requests for the same machine.

If I use autosign, the names will be completely wrong.  What I'd like  
to do is probably create the cert request on the client side using  
the en0 macaddress of the machine or something unique rather than the  
current fqdn of the host.  I realize that I could do this on the  
server, but that requires out of band distribution of the cert to the  
client right?

Thanks,

Kyle




[Puppet Users] Re: certificate strategy for workstations

2008-09-29 Thread Crawford Kyle


On Sep 29, 2008, at 1:06 PM, Nigel Kersten wrote:


 On Mon, Sep 29, 2008 at 8:56 AM, Crawford Kyle [EMAIL PROTECTED]  
 wrote:

 Hi,

 I am wondering how people are handling certificates for workstations
 whose names commonly change.

 I am using Puppet to manage Mac workstations.  When they initially
 come on network, they haven't been named, dynamic dns has not updated
 and they have the potential to have name conflicts.  I wind up with
 different cert requests for the same machine.

 If I use autosign, the names will be completely wrong.  What I'd like
 to do is probably create the cert request on the client side using
 the en0 macaddress of the machine or something unique rather than the
 current fqdn of the host.  I realize that I could do this on the
 server, but that requires out of band distribution of the cert to the
 client right?

 Thanks,


 Kyle, we use a UUID for all our clients for this exact problem.

 Our puppet installation creates puppet.conf with the output of uuidgen
 | tr [A-Z] [a-z] instead so that's the certname that's requested by
 the client.

 You could easily make it something related to the en0 MAC if you  
 wanted.

Ah certname in puppet.conf. Excellent.

Thanks Nigel,

Kyle
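
The certname approach Nigel describes, as an added Python example (not from the thread): the identifier is derived once, from a UUID or from the en0 MAC as Kyle suggested, and written to puppet.conf only if no certname is already there, so re-runs during the renaming and DNS churn Kyle describes do not produce a second certificate request. The MAC address and puppet.conf contents are constructed samples.

```python
import re
import uuid

CERTNAME_RE = re.compile(r"^\s*certname\s*=\s*(\S+)\s*$", re.MULTILINE)

def certname_from_mac(mac):
    """Stable certname from the en0 hardware address: separators stripped,
    lower-cased, so it never changes when the hostname or DNS entry does."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return hexdigits

def certname_from_uuid():
    """Nigel's approach: the equivalent of `uuidgen | tr [A-Z] [a-z]`."""
    return str(uuid.uuid4()).lower()

def existing_certname(conf_text):
    """certname already present in puppet.conf, or None."""
    m = CERTNAME_RE.search(conf_text)
    return m.group(1) if m else None

def ensure_certname(conf_text, candidate):
    """Return (new_conf_text, certname). An existing certname always wins, so a
    re-run never asks the master for a second certificate for the same machine."""
    current = existing_certname(conf_text)
    if current:
        return conf_text, current
    if "[main]" in conf_text:
        new = conf_text.replace("[main]", f"[main]\n    certname = {candidate}", 1)
    else:
        new = f"[main]\n    certname = {candidate}\n" + conf_text
    return new, candidate
```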
