[Puppet Users] Re: command line switches for a provider?
Thanks for both solutions. :) Looks like either will work for me. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-us...@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] command line switches for a provider?
bobics wrote:
> I'd like to pass command line options for a package installed via a
> gem provider. In particular, I'm updating puppet, the equivalent
> command would be:
>
> /usr/bin/gem1.8 install puppet -v=2.6.1 --no-rdoc --no-ri
>
> (The extra docs that get installed with puppet take WAY too long and
> are unnecessary on production). I'm running a very simple "self-update"
> of Puppet per this thread:
> http://groups.google.com/group/puppet-users/browse_thread/thread/cb26b8973bc70925
> like so:
>
> class puppet ($version) {
>   package { "puppet": ensure => $version, provider => gem }
> }
>
> How do I pass command line options? Do I need to create a custom
> provider? My guess is I'll probably end up using an "exec" resource
> with an onlyif condition.
>

There is a patch here that John Ferlito (or perhaps Lindsay Holmwood - one of the two anyways :) ) wrote:

https://github.com/jamtur01/hudson-ec2-build/blob/master/patches/puppet_gem_options.patch

James

--
Puppet Labs - http://www.puppetlabs.com
C: 503-734-8571
Re: [Puppet Users] Re: (RHEL) RHN banning && require package
Also for the record. We've experienced the banning - but only for RHEL4 hosts (which use up2date) and not RHEL5 (which use yum).

Our solution while we still have RHEL4 hosts and haven't implemented RedHat Satellite or Spacewalk was to push the runinterval out to 14400 for these hosts. This matches the 4 hour polling cycle that RedHat set with rhnsd. We disable rhnsd on these hosts too, so the only RHN polling mechanism is the puppet run.

Iain

On 4 November 2010 06:43, erikthered wrote:
> On Nov 3, 1:46 pm, Patrick Mohr wrote:
> > On Wed, Nov 3, 2010 at 10:37 AM, erikthered wrote:
> > > I'm looking to get around a bit of a problem I've run into with
> > > Puppet. On my puppet master, I have this definition:
> > >
> > > Would that be the best way to handle this issue? Any opinions?
> >
> > I think the best way would be to put a caching proxy between your computers
> > and the mirror or run your own mirror.
>
> fair enough...
>
> just for the record it appears to be working while our local repo is
> being built.
Re: [Puppet Users] command line switches for a provider?
On Thu, Nov 4, 2010 at 4:55 PM, bobics wrote:
> I'd like to pass command line options for a package installed via a
> gem provider. In particular, I'm updating puppet, the equivalent
> command would be:
>
> /usr/bin/gem1.8 install puppet -v=2.6.1 --no-rdoc --no-ri
>
> (The extra docs that get installed with puppet take WAY too long and
> are unnecessary on production). I'm running a very simple "self-update"
> of Puppet per this thread:
> http://groups.google.com/group/puppet-users/browse_thread/thread/cb26b8973bc70925
> like so:
>
> class puppet ($version) {
>   package { "puppet": ensure => $version, provider => gem }
> }
>
> How do I pass command line options? Do I need to create a custom
> provider? My guess is I'll probably end up using an "exec" resource
> with an onlyif condition.

RubyGems pays attention to ~/.gemrc so you can set /root/.gemrc to contain

    gem: --no-rdoc --no-ri

before package resources do their thing and they'll do what you want.
[Puppet Users] command line switches for a provider?
I'd like to pass command line options for a package installed via a gem provider. In particular, I'm updating puppet, the equivalent command would be:

    /usr/bin/gem1.8 install puppet -v=2.6.1 --no-rdoc --no-ri

(The extra docs that get installed with puppet take WAY too long and are unnecessary on production). I'm running a very simple "self-update" of Puppet per this thread:
http://groups.google.com/group/puppet-users/browse_thread/thread/cb26b8973bc70925
like so:

    class puppet ($version) {
      package { "puppet": ensure => $version, provider => gem }
    }

How do I pass command line options? Do I need to create a custom provider? My guess is I'll probably end up using an "exec" resource with an onlyif condition.

Thanks,
-Andy
Re: [Puppet Users] /etc/puppet
http://docs.puppetlabs.com/guides/introduction.html

On Thu, Nov 4, 2010 at 2:27 PM, Russell Perkins <rperk...@digitalshiftstudios.com> wrote:
> I installed facter and puppet but it didn't seem to make an
> /etc/puppet/ is this something I have to manually create or did I mess up
> my install somehow?
>
> It was pretty simple to install but maybe I missed something, "ruby
> install.rb" for both facter and puppet

--
http://about.me/scoot
http://twitter.com/ohlol
[Puppet Users] /etc/puppet
I installed facter and puppet but it didn't seem to make an /etc/puppet/ is this something I have to manually create or did I mess up my install somehow?

It was pretty simple to install but maybe I missed something, "ruby install.rb" for both facter and puppet
[Puppet Users] multiple package installation at same location
I'm trying to install 2 packages where the 2nd package replaces certain files from the first package.

    package { "jboss": provider => yum, ensure => latest }
    package { "jboss-fix": provider => yum, ensure => latest }

This seems to error out with a message like "file ... from install of jboss-fix conflicts with file from package jboss"

On the command line I can use "sudo yum -y install jboss jboss-fix" and it works (or use rpm with the "replacefiles" option for the second rpm).

Is it possible to get this done in puppet?

TIA,
Bakul
Re: [Puppet Users] how to ... extlookup and puppet:///path/to/file
On Nov 4, 2010, at 11:10 AM, jogui wrote:
> Hi!
>
> use case :
>    file { "x" : source => "puppet:///path/to/file" }
> works fine, source is translated.
>
> but use case :
>    file { "x" : source => extlookup('myvar') }
>
> set source to "puppet:///path/to/file" without translation when csv
> file contains
>    myvar,puppet:///path/to/file

What is translation?
[Puppet Users] how to ... extlookup and puppet:///path/to/file
Hi!

use case :
    file { "x" : source => "puppet:///path/to/file" }
works fine, source is translated.

but use case :
    file { "x" : source => extlookup('myvar') }

set source to "puppet:///path/to/file" without translation when csv file contains
    myvar,puppet:///path/to/file

How to use puppet repository files in csv? Or what is the best practice?
Re: [Puppet Users] Strange problem with StoredConfigs overwriting files with old versions
On 11/04/2010 01:16 PM, PBWebGuy wrote:
> We just ran into a condition when a templatized configuration file would get replaced with something that I had no clue where it came from and the content is nowhere in the puppet source tree. On subsequent updates the proper file would appear. I've been able to consistently reproduce the problem on multiple nodes that have the same role.
>
> We discovered a discrepancy in the last modified dates of the file in question. When we ran the update the first time it would create a file with an old date. On the subsequent update it would generate it with today's date. We figured then it was being cached. I therefore turned off stored configs and presto my issue disappeared.
>
> There appears to be a SERIOUS bug in stored configs that under certain conditions is stuffing the incorrect versions of files out on the node. Worse is that when watching the logs for the update, it shows the correct DIFF's of the file being made and then under the covers it writes an old version of the file to the node.
>
> I'm curious if anyone has experienced anything like this before?
>
> Regards,
> John

Are you running the node that exports from its catalog to update the exported resource BEFORE you re-run the collecting node catalog? You'll see this fairly often with Nagios due to the $runinterval window between nodes, resulting in updated information taking something near $runinterval to update.

--
Joe McDonagh
AIM: YoosingYoonickz
IRC: joe-mac on freenode
"When the going gets weird, the weird turn pro."
[Puppet Users] Strange problem with StoredConfigs overwriting files with old versions
We just ran into a condition when a templatized configuration file would get replaced with something that I had no clue where it came from and the content is nowhere in the puppet source tree. On subsequent updates the proper file would appear. I've been able to consistently reproduce the problem on multiple nodes that have the same role.

We discovered a discrepancy in the last modified dates of the file in question. When we ran the update the first time it would create a file with an old date. On the subsequent update it would generate it with today's date. We figured then it was being cached. I therefore turned off stored configs and presto my issue disappeared.

There appears to be a SERIOUS bug in stored configs that under certain conditions is stuffing the incorrect versions of files out on the node. Worse is that when watching the logs for the update, it shows the correct DIFF's of the file being made and then under the covers it writes an old version of the file to the node.

I'm curious if anyone has experienced anything like this before?

Regards,
John
Re: [Puppet Users] Re: Prevent users from creating new accounts
It sure sounds like you need to be distributing a canonical /etc/passwd, /etc/shadow, and /etc/groups on every puppet run.

* hywl51 [2010/11/04 03:11]:
> Yes, you said it. Unfortunately, we have some users running as
> root privilege on server, because they can't work without it.
>
> But we don't want them to add new users on their own, so we hope
> to find a way that will delete all illegal users on the system every
> 30 minutes.

--
To believe in something, and not to live it, is dishonest.
  -- Mohandas K Gandhi
Re: [Puppet Users] Prevent users from creating new accounts
On 11/04/2010 10:40 AM, Martin Alfke wrote:
>
> On Nov 4, 2010, at 8:28 AM, hywl51 wrote:
>
>> Hi, all
>>
>> I want to control the user accounts on our company servers with
>> puppet. The complete requirements are the following:
>>
>> 1. Assuming that one user run " useradd " on the server to create
>> a new account named "newuser".
>> 2. Puppet will know the new user created soon, and restore the server
>> status to the before. That is, puppet will delete the new user.
>>
>>
>> I am not sure if puppet could fulfill this requirement. Could anyone
>> give me some advice.
>>
>> Thanks
>> hywl51
>
>
> Hi,
>
> I would assume that you can define a resource default:
>
> User { ensure => absent }
>
> and afterwards define the users you would like to be present on your system.

Not at all. This default will apply to all users that you define in your manifest. So this

    user { [ "www-data","cron" ]: }

will indeed ensure those users' absence, but puppet has no concept of "remove resources I have not declared anywhere".

So unless you prune /etc/passwd, /home etc., this will do you not as much good as you hope.

Someone brought up the issue that puppet would erase and recreate all users during every run. That isn't how puppet works either. This

    User { ensure => absent }
    user { "www-data": ensure => present }

will make puppet do nothing if the user exists already. Which is good, but of no help to the OP's problem.

Cheers,
Felix
[Puppet Users] Re: Prevent users from creating new accounts
On Nov 4, 4:34 am, Patrick wrote:
> On Nov 4, 2010, at 12:28 AM, hywl51 wrote:
>
> > Hi, all
>
> > I want to control the user accounts on our company servers with
> > puppet. The complete requirements are the following:
>
> > 1. Assuming that one user run " useradd " on the server to create
> > a new account named "newuser".
> > 2. Puppet will know the new user created soon, and restore the server
> > status to the before. That is, puppet will delete the new user.
>
> > I am not sure if puppet could fulfill this requirement. Could anyone
> > give me some advice.
>
> Puppet isn't good at requests phrased that way. I don't use puppet to say,
> "make X stay how it currently is". Instead you say, "Make X be the state I
> declare."

That's quite right. However, Puppet supports the state you declare encompassing exactly a specific set of users, or even exactly a specific set of users having UIDs greater than a minimum threshold. PROVIDED THAT you use Puppet to manage all the ordinary user accounts you _do_ want, you can instruct it that no other non-system accounts should be present. Do so by adding this metaresource to your manifest:

    resources { "user": purge => true, unless_system_user => 499 }

The value of the 'unless_system_user' property is the numerically greatest UID that is considered a "system" user (administrative and system services accounts), and thus not to be deleted. 499 is the correct value for the standard setup of RedHat-family Linuxes; for some other systems it would be 99, or perhaps some other number. Read the docs for (a bit) more detail. I suspect that this will not remove user home directories, but that's not documented and I have not tested it.

You should be able to do the same for groups, if you wish, but I don't think there is a built-in concept of system groups parallel to that of system users.

> You could push out /etc/passwd and /etc/group with Puppet, but you would need
> to be careful.

Indeed so.

Alternatively, you could perhaps take an altogether different approach by relying on LDAP or NIS for user authentication. That would work best if the same set of users should have access to all the systems you're managing, or if you can at least categorize the systems into a small number of sets that each share a common pool of users (each set would then need its own NIS or LDAP domain). This assumes that your local administrative accounts are not empowered to add new users in LDAP/NIS.

As a third alternative, it ought to be possible to address the underlying problem with judicious configuration of sudo, or, if that's not sufficient, with SELinux (if you're using Linux). With these approaches the objective would be to grant users the ability to perform the tasks they need to perform, without empowering them to manage users.

John
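The purge rule described in John's message above, as an added dry-run sketch in Ruby (not code from the thread or from Puppet): it applies the rule as the post states it, removing unmanaged accounts whose UID is above the unless_system_user value, to passwd-format text, and also lists unmanaged accounts at or below the threshold, which that rule leaves in place. The function names, the baseline list and the sample entries are constructed for illustration.

```ruby
require "set"

PasswdEntry = Struct.new(:name, :uid, :home, :shell)

# Parse passwd(5)-format text. Blank lines, comments and NIS compat
# lines ("+..." / "-...") are skipped; lines with a wrong field count,
# an empty name or a non-numeric UID are returned separately so that
# they are reviewed instead of being silently ignored.
def parse_passwd(text)
  entries = []
  rejected = []
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty? || line.start_with?("#", "+", "-")
    fields = line.split(":", -1)
    if fields.size != 7 || fields[0].empty? || fields[2] !~ /\A\d+\z/
      rejected << line
      next
    end
    entries << PasswdEntry.new(fields[0], fields[2].to_i, fields[5], fields[6])
  end
  [entries, rejected]
end

# managed:         accounts declared as user resources in the manifest
# system_max:      the unless_system_user value (inclusive upper bound
#                  of the UID range the purge leaves alone)
# system_baseline: assumed list of system accounts expected on the host
def audit_accounts(passwd_text, managed:, system_max:, system_baseline:)
  entries, rejected = parse_passwd(passwd_text)
  managed = managed.to_set
  baseline = system_baseline.to_set
  report = { purge: [], unexpected_system: [], rejected: rejected }

  entries.each do |entry|
    next if managed.include?(entry.name)
    if entry.uid > system_max
      # Above the threshold and not declared: the purge would remove it.
      report[:purge] << entry.name
    elsif !baseline.include?(entry.name)
      # Within the protected UID range but not in the baseline: the
      # purge never touches it, so it needs a separate review.
      report[:unexpected_system] << entry.name
    end
  end
  report
end

# Constructed sample input; "newuser" is the account from the thread,
# every other entry is made up for this example.
SAMPLE_PASSWD = <<~PASSWD
  root:x:0:0:root:/root:/bin/bash
  bin:x:1:1:bin:/bin:/sbin/nologin
  daemon:x:2:2:daemon:/sbin:/sbin/nologin
  apache:x:48:48:Apache:/var/www:/sbin/nologin
  tmpsvc:x:350:350::/var/lib/tmpsvc:/bin/bash
  alice:x:500:500:Alice:/home/alice:/bin/bash
  newuser:x:501:501::/home/newuser:/bin/bash
  broken:x:notanumber:502::/home/broken:/bin/bash
  +::::::
PASSWD

if __FILE__ == $PROGRAM_NAME
  report = audit_accounts(SAMPLE_PASSWD,
                          managed: %w[alice],
                          system_max: 499,
                          system_baseline: %w[root bin daemon apache])
  report.each { |key, values| puts "#{key}: #{values.join(', ')}" }
end
```

Running it against a copy of /etc/passwd before enabling purge => true shows which accounts still need a user resource in the manifest.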
[Puppet Users] Re: Could not find default node or by name
On Nov 4, 12:03 pm, Felix Frank wrote:
>
> This is not a network or name resolution issue; your manifest contains
> no node definition that fits your client machine.
>
> Regards,
> Felix

Felix, holy cow! All that effort and it was a typo. I use a regex to group my nodes and I typo'ed on the domain.
Re: [Puppet Users] Could not find default node or by name
On 11/04/2010 12:46 PM, theirpuppet wrote:
> I have a series of hosts that sit on multiple networks. The
> puppetmaster does so as well. The private internal network is for AD
> and backups, the external is for public services. I was able to setup
> a test host that only accesses the external network. All's great
> there. But when I added a real host, that sits on both networks,
> puppetmaster isn't so happy. Because the private internal network is
> secured with port and vlan security, I'm trying to keep all puppet
> traffic over the external network. It's much easier to manage it that
> way via iptables.
>
>
> err: Could not retrieve catalog from remote server: Error 400 on
> SERVER: Could not find default node or by name with 'XXX.XXX.XXX,
> XXX.XXX, XXX' on node XXX.XXX.XXX
>
> The XXX each represent a portion of the FQDN.
>
> This node was able to successfully contact puppetmaster and get the
> cert going. The puppetca was able to sign it for the node and the
> relevant node information was created. I can see that
> /var/lib/puppet/ssl/ca/signed/XXX.XXX.XXX.pem,
> /var/lib/puppet/yaml/node/XXX.XXX.XXX.yaml and
> /var/lib/puppet/yaml/facts/XXX.XXX.XXX.yaml are
> all there and look good.
>
> The puppetmaster uses AD for DNS and does retrieve both IP Addresses
> when querying for this new node. Does it know how to handle this?
> Should the first DNS response be the external IP Address, I'm not sure
> this is configurable in AD - we did try, but got no result when
> querying again.
>
> I even tried skipping DNS and use /etc/hosts directly, this changed
> nothing. I deleted the old configs and started the 'registration'
> process again, hoping that /etc/hosts entry would do the trick and
> everything would be setup correctly. No change; I still get the same
> error message.

This is not a network or name resolution issue; your manifest contains no node definition that fits your client machine.

Regards,
Felix
[Puppet Users] Could not find default node or by name
I have a series of hosts that sit on multiple networks. The puppetmaster does so as well. The private internal network is for AD and backups, the external is for public services. I was able to setup a test host that only accesses the external network. All's great there. But when I added a real host, that sits on both networks, puppetmaster isn't so happy. Because the private internal network is secured with port and vlan security, I'm trying to keep all puppet traffic over the external network. It's much easier to manage it that way via iptables.

    err: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not find default node or by name with 'XXX.XXX.XXX, XXX.XXX, XXX' on node XXX.XXX.XXX

The XXX each represent a portion of the FQDN.

This node was able to successfully contact puppetmaster and get the cert going. The puppetca was able to sign it for the node and the relevant node information was created. I can see that /var/lib/puppet/ssl/ca/signed/XXX.XXX.XXX.pem, /var/lib/puppet/yaml/node/XXX.XXX.XXX.yaml and /var/lib/puppet/yaml/facts/XXX.XXX.XXX.yaml are all there and look good.

The puppetmaster uses AD for DNS and does retrieve both IP Addresses when querying for this new node. Does it know how to handle this? Should the first DNS response be the external IP Address, I'm not sure this is configurable in AD - we did try, but got no result when querying again.

I even tried skipping DNS and use /etc/hosts directly, this changed nothing. I deleted the old configs and started the 'registration' process again, hoping that /etc/hosts entry would do the trick and everything would be setup correctly. No change; I still get the same error message.

Any ideas?
[Puppet Users] Re: [Puppet-dev] Graph explosion and workaround technique with stages.
They were produced from the expanded-relationships.dot.

Glad to hear that there's a fix on the way, we're really liking the potential of stages!

Trevor

On 11/03/2010 07:55 PM, Luke Kanies wrote:
> On Nov 3, 2010, at 10:02 AM, Trevor Vaughan wrote:
>
>> I'm cross-posting this to both the users and dev groups so that the
>> users can use the workaround technique to reduce graph churn and the
>> devs can hopefully fix the issue.
>>
>> So, I'm loving stages, but they appear, by default, to generate a
>> many-to-many dependency graph.
>>
>> By adding 'pre' and 'post' stages that contain a single item, the graphs
>> are vastly reduced in complexity and we're seeing something like a 3X
>> speedup in graph execution in simple test cases.
>>
>> I've attached a couple of puppet files illustrating the issue with their
>> associated graphs.
>>
>> If the graphs could be auto-reduced to a single point prior to execution
>> automatically, it would be quite helpful.
>
> Thanks a ton for tracking this down.
>
> Unfortunately, I don't think it's as clear as your pictures make it seem.
> Which graphs are these pictures produced from?
>
> There are three graphs you might reasonably look at - the normal,
> pre-relationship graph which has just containment edges (I think this is
> normally called resources.dot), the graph with just the relationships
> (relationships.dot, I think), and the essentially multiplied graph of
> dependency times containment edges (not sure what this is called).
>
> The latter will generally be a many to many graph, and I think that's what
> you're using. The reason it's not in the case of your transitions version is
> that we had to keep those class objects in there (we would normally remove
> them) because if we didn't then certain kinds of dependencies got missed.
>
> So basically, this isn't so much a feature as the side-effect of an ugly hack
> to a bug.
>
> I think the right answer is to get rid of the need for this graph at all by
> having a single graph contain both dependency and containment edges, thus not
> needing the many to many nature. I tried very hard to get this into 2.6 but
> couldn't finish it in time. In seeing this multiplier, it's probably
> justification to raise the priority on this, which doesn't hurt my feelings
> at all.
>
> For those interested in the code, it's in my
> refactor/master/3691-no_relationship_graph branch but is likely no longer in
> a mergeable state.
>

--
Trevor Vaughan
Vice President, Onyx Point, Inc.
email: tvaug...@onyxpoint.com
phone: 410-541-ONYX (6699)
pgp: 0x6C701E94

-- This account not approved for unencrypted sensitive information --
[Puppet Users] SSH:Auth module install error
Hi, all

I follow the official install instructions and place auth.pp into /etc/puppet/modules/ssh/manifests/.

official site: http://projects.puppetlabs.com/projects/puppet/wiki/Module_Ssh_Auth_Patterns

But I got the following error when running puppet:

    err: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not match 'class' at /etc/puppet/modules/ssh/manifests/auth.pp:10 on node

I guess I may omit some necessary install steps, but I don't know what they are.

Thanks
hywl51
[Puppet Users] Re: Prevent users from creating new accounts
Yes, you said it. Unfortunately, we have some users running as root privilege on server, because they can't work without it.

But we don't want them to add new users on their own, so we hope to find a way that will delete all illegal users on the system every 30 minutes.

On Nov 4, 5:02 pm, Matt Wallace wrote:
> On Thursday 04 Nov 2010 10:40:02 Martin Alfke wrote:
>
> > On Nov 4, 2010, at 8:28 AM, hywl51 wrote:
> > > Hi, all
>
> > > I want to control the user accounts on our company servers with
> > > puppet. The complete requirements are the following:
>
> > > 1. Assuming that one user run " useradd " on the server to create
> > > a new account named "newuser".
> > > 2. Puppet will know the new user created soon, and restore the server
> > > status to the before. That is, puppet will delete the new user.
>
> > > I am not sure if puppet could fulfill this requirement. Could anyone
> > > give me some advice.
>
> > > Thanks
> > > hywl51
>
> > Hi,
>
> > I would assume that you can define a resource default:
>
> > User { ensure => absent }
>
> > and afterwards define the users you would like to be present on your
> > system.
>
> Would this not mean the deletion and creation of all users on the system every
> 30 minutes (or whatever your puppet run is set to?)
>
> I would respectfully suggest that the best way to prevent users from adding
> new accounts on your systems (which is how I understand your question) is to
> restrict those individuals' rights on the systems, not to make sure that you
> undo any "damage" they may have done whilst logged in every time puppet runs.
>
> M.
Re: [Puppet Users] Prevent users from creating new accounts
On Thursday 04 Nov 2010 10:40:02 Martin Alfke wrote:
> On Nov 4, 2010, at 8:28 AM, hywl51 wrote:
> > Hi, all
> >
> > I want to control the user accounts on our company servers with
> > puppet. The complete requirements are the following:
> >
> > 1. Assuming that one user run " useradd " on the server to create
> > a new account named "newuser".
> > 2. Puppet will know the new user created soon, and restore the server
> > status to the before. That is, puppet will delete the new user.
> >
> >
> > I am not sure if puppet could fulfill this requirement. Could anyone
> > give me some advice.
> >
> > Thanks
> > hywl51
>
> Hi,
>
> I would assume that you can define a resource default:
>
> User { ensure => absent }
>
> and afterwards define the users you would like to be present on your
> system.

Would this not mean the deletion and creation of all users on the system every 30 minutes (or whatever your puppet run is set to?)

I would respectfully suggest that the best way to prevent users from adding new accounts on your systems (which is how I understand your question) is to restrict those individuals' rights on the systems, not to make sure that you undo any "damage" they may have done whilst logged in every time puppet runs.

M.
[Puppet Users] Re: Prevent users from creating new accounts
If puppet cannot fulfill this requirement, is there any other tool or solution to solve it?

On Nov 4, 5:34 pm, Patrick wrote:
> On Nov 4, 2010, at 12:28 AM, hywl51 wrote:
> > Hi, all
> >
> > I want to control the user accounts on our company servers with
> > puppet. The complete requirements are the following:
> >
> > 1. Assuming that one user run " useradd " on the server to create
> > a new account named "newuser".
> > 2. Puppet will know the new user created soon, and restore the server
> > status to the before. That is, puppet will delete the new user.
> >
> > I am not sure if puppet could fulfill this requirement. Could anyone
> > give me some advice.
>
> Puppet isn't good at requests phrased that way. I don't use puppet to say,
> "make X stay how it currently is". Instead you say, "Make X be the state I
> declare."
>
> You could push out /etc/passwd and /etc/group with Puppet, but you would need
> to be careful.
Re: [Puppet Users] Prevent users from creating new accounts
On Nov 4, 2010, at 8:28 AM, hywl51 wrote:
> Hi, all
>
> I want to control the user accounts on our company servers with
> puppet. The complete requirements are the following:
>
> 1. Assuming that one user run " useradd " on the server to create
> a new account named "newuser".
> 2. Puppet will know the new user created soon, and restore the server
> status to the before. That is, puppet will delete the new user.
>
> I am not sure if puppet could fulfill this requirement. Could anyone
> give me some advice.
>
> Thanks
> hywl51

Hi,

I would assume that you can define a resource default:

User { ensure => absent }

and afterwards define the users you would like to be present on your system.

Martin
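A manifest sketch of the "declare the accounts you want, remove the rest" idea discussed in this thread, added here as an example and not code from any poster or from the Puppet project. It uses Puppet's `resources` type with `purge` rather than a resource default; the group, account names, UIDs and paths are constructed.

```puppet
# Added example, not from the thread. All names and IDs are constructed.

# Purge every user account found on the node that is not declared in the
# catalog. A resource default (User { ... }) only sets attributes on user
# resources that are declared, so it does not reach accounts created out
# of band with useradd; the resources type does.
resources { 'user':
  purge              => true,
  # Accounts in the system UID range (daemon, bin, sshd, ...) are left
  # alone. They are therefore not covered by this purge and need their
  # own review.
  unless_system_user => true,
}

# The group the permitted accounts belong to.
group { 'ops':
  ensure => present,
  gid    => 2000,
}

# Accounts that are allowed to exist. Anything else above the system
# UID range is removed on the next agent run.
user { 'alice':
  ensure     => present,
  uid        => 2001,
  gid        => 'ops',
  shell      => '/bin/bash',
  home       => '/home/alice',
  managehome => true,
}

user { 'bob':
  ensure     => present,
  uid        => 2002,
  gid        => 'ops',
  shell      => '/bin/bash',
  home       => '/home/bob',
  managehome => true,
}
```

Running the agent once with `puppet agent --test --noop` reports which accounts would be removed without deleting them, which is worth checking before the first enforcing run.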
Re: [Puppet Users] Prevent users from creating new accounts
On Nov 4, 2010, at 12:28 AM, hywl51 wrote:
> Hi, all
>
> I want to control the user accounts on our company servers with
> puppet. The complete requirements are the following:
>
> 1. Assuming that one user run " useradd " on the server to create
> a new account named "newuser".
> 2. Puppet will know the new user created soon, and restore the server
> status to the before. That is, puppet will delete the new user.
>
> I am not sure if puppet could fulfill this requirement. Could anyone
> give me some advice.

Puppet isn't good at requests phrased that way. I don't use puppet to say, "make X stay how it currently is". Instead you say, "Make X be the state I declare."

You could push out /etc/passwd and /etc/group with Puppet, but you would need to be careful.
[Puppet Users] Prevent users from creating new accounts
Hi, all

I want to control the user accounts on our company servers with puppet. The complete requirements are the following:

1. Assuming that one user run " useradd " on the server to create a new account named "newuser".
2. Puppet will know the new user created soon, and restore the server status to the before. That is, puppet will delete the new user.

I am not sure if puppet could fulfill this requirement. Could anyone give me some advice.

Thanks
hywl51