Re: [Puppet Users] Patch Management
++ RIP, I've piloted mcollective but have not yet deployed as a standard C&C tool. It is the future IMO, so if you're starting from scratch, it's probably what you want to go with, as I sort of view puppet as not being the tool for this job.

For this stuff now, I use a combo of Nagios and capistrano. Nagios can tell me when nodes are out of date via the check_cluster plugin (info generated dynamically from puppet) as a cluster of the check_apt plugin. Capistrano can easily pull my nodes from puppet stored configs, dynamically stuff them into roles based on hostname (mcollective does not have the limitation of relying on hostnames), and I can update to various groups of hosts based on OS, DC/location, or type of service such as webservers, smtp servers, etc.

I suppose some logic could be coded into my capfile to get this info more gracefully than simple hostname parsing, but at that point I would just deploy mcollective. I have some really simple code I can share if you need to, but I am warning you right now, capistrano is not a scalable tool. It barfs, last time I checked, on more than 30 or so simultaneous ssh connections. This could be a limitation of the ssh-agent, but I've worked around it and haven't done any stress testing in months.

Security stuff like CVEs would be a little more involved. The company I work for scans for this stuff, but we don't really have an automated fix integration process. We generate remediation reports, but that just tells a human what to do.

Like I said, mcollective is the future for this kind of stuff, but cap is sort of easier to get going with since it's plain ssh connections. I guess it depends on a few factors like size of your infrastructure, how quick you need it, etc. If you have time, go with mcollective.

On 11/02/2010 10:38 AM, R.I.Pienaar wrote:
> "Joel Merrick" wrote:
>> Is there any way this could be accomplished?
>>
>> I suppose the nirvana for me would be to be able to instantly see if a
>> package needs updating, based upon a CVE/DSA/RSA etc similar to the way
>> pakiti does it [1].. (although I suppose a sources.list with just
>> security sources would do) and then use something like mcollective to
>> slowly, but safely upgrade the package.
>
> not sure if this will solve all your needs but it should be trivial to
> write something for mcollective to parse 'yum check-update' output and
> aggregate that over your entire estate.

--
Joe McDonagh
Operations Engineer
AIM: YoosingYoonickz
IRC: joe-mac on freenode

"When the going gets weird, the weird turn pro."

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
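The 'yum check-update' parsing and estate-wide aggregation suggested in the message above, sketched as an added example that is not code from the thread or from mcollective. Host names and the yum output are constructed; only the kernel version string comes from this page.

```ruby
# Added example, not code from the thread. Host names and yum output are constructed.
# `yum check-update` exits 100 when updates are pending, 0 when none, 1 on error.

ARCH = /\.(noarch|i[3-6]86|x86_64|ia64|ppc64|s390x?)\z/

# Turn one host's `yum check-update` text into { "name.arch" => "version-release" }.
def parse_check_update(text)
  updates = {}
  wrapped = nil                      # name of an entry yum split over two lines
  text.each_line do |raw|
    line = raw.rstrip
    # Everything after this header describes obsoletes, not plain updates.
    break if line.start_with?("Obsoleting Packages")
    fields = line.split
    indented = line.match?(/\A\s/)
    if wrapped
      # Second half of a wrapped entry: indented "<version> <repo>".
      updates[wrapped] = fields[0] if indented && fields.size == 2
      wrapped = nil
    elsif !indented && fields.size == 3 && fields[0].match?(ARCH)
      updates[fields[0]] = fields[1]
    elsif !indented && fields.size == 1 && fields[0].match?(ARCH)
      wrapped = fields[0]
    end
  end
  updates
end

# Merge per-host reports into { package => { version => [hosts...] } }.
def aggregate(reports)
  estate = {}
  reports.sort.each do |host, text|
    parse_check_update(text).each do |pkg, version|
      ((estate[pkg] ||= {})[version] ||= []) << host
    end
  end
  estate
end

# Constructed sample reports, one per host.
REPORTS = {
  "web01.example.com" => <<~OUT,
    Loaded plugins: fastestmirror
     * base: mirror.example.com

    kernel.x86_64                  2.6.18-194.17.4.el5      updates
    openssl.x86_64                 0.9.8e-12.el5_5.7        updates
  OUT
  "web02.example.com" => <<~OUT,
    Loaded plugins: fastestmirror

    java-1.6.0-openjdk-devel.x86_64
                                   1:1.6.0.0-1.16.b17.el5   updates
    kernel.x86_64                  2.6.18-194.17.4.el5      updates
    Obsoleting Packages
    newpkg.x86_64                  1.0-1.el5                updates
        oldpkg.x86_64              0.9-1.el5                installed
  OUT
  "db01.example.com" => "Loaded plugins: fastestmirror\n",
}

if __FILE__ == $PROGRAM_NAME
  aggregate(REPORTS).each do |pkg, versions|
    versions.each { |v, hosts| puts "#{pkg} -> #{v}: #{hosts.join(', ')}" }
  end
end
```
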
[Puppet Users] Re: Patch Management
On Nov 2, 7:26 am, Joel Merrick wrote:
> Hi Puppeteers!
>
> I've just been speaking to Ohad on #theforeman about package
> management, specifically about generating lists of packages : version
> numbers across the estate for things like patch management.

Hi Joel,

It's not really an answer but there was related talk at puppetcamp. One of the ideas from puppetlabs was integration between package management databases and puppet's resource modeling. I don't think there were any detailed plans, but I imagine it would make your query requirements pretty easy.
[Puppet Users] Re: Lenny and lenny-backports
Hi Richard,

On Nov 6, 12:59 am, Richard Crowley wrote:
> You can't get around running an `apt-get update` but you can do that
> from an exec resource in an earlier run stage.
>
> stage { pre: before => Stage["main"] }
> exec { "apt-get update": stage => "pre" }
>
> You'll probably want to do your backports setup before the `apt-get
> update` in your early run stage, too.

Hmm, I haven't even seen that 'stage' type before, guess it's time to hit the manual on that one :)

Walter
[Puppet Users] Re: Lenny and lenny-backports
Hi Patrick,

On Nov 6, 1:25 am, Patrick wrote:
> First, if you update puppet, it's probably a good idea to update facter.

I thought that would be done by dependencies? If not, yes that is also what I need :)

> Second, are you trying to use lenny-backports for everything or just puppet
> and related stuff?

I think 'the official debian way' is to only use backports for packages that you choose, not for everything, right?

> Are you using apache for anything other than puppet?

Not yet, but I will be. It's going to be a setup used for shared hosting, and I haven't found a more secure way to do that than apache + mod_fcgid

> Are you using ruby for more than just puppet?

Only on the puppetmaster, it will be running redmine.

cheers,

Walter
Re: [Puppet Users] updating kernel in centos shows failure
R P Herrold wrote:
> On Fri, 5 Nov 2010, Trevor Hemsley wrote:
>> Steve Hoffman wrote:
>>> .../Package[kernel]/ensure) change from 2.6.18-194.el5 to
>>> 2.6.18-194.17.4.el5 failed: Could not update: Failed to update to
>>> version 2.6.18-194.17.4.el5, got version 2.6.18-194.el5 instead at ...
>>>
>>> # rpm -qa | grep kernel
>>> kernel-2.6.18-194.el5
>>> kernel-2.6.18-194.17.4.el5
>>
>> This is a long standing bug that currently seems to have no action
>> scheduled for it. https://projects.puppetlabs.com/issues/1720
>
> gee -- a two year old bug
>
> This 'issue' is readily solvable by a person running their mirror
> locally of the desired content -- Upstreams retire content. If you are
> counting on being able to access a specific version, run a mirror

When I ran into this bug it was because I had ensure => latest specified for the package name and the intent was to have puppet install the latest kernel RPM and notify me that it had been done so I could schedule a reboot. Most of the time I want the latest kernel installed and puppet cannot handle the way that kernels (installonly) packages work on RHEL + clones.

--
Trevor Hemsley
Infrastructure Engineer
* C A L Y P S O *
4th Floor, Tower Point, 44 North Road, Brighton, BN1 1YR, UK
OFFICE +44 (0) 1273 666 350
FAX +44 (0) 1273 666 351
www.calypso.com

This electronic-mail might contain confidential information intended only for the use by the entity named. If the reader of this message is not the intended recipient, the reader is hereby notified that any dissemination, distribution or copying is strictly prohibited.
[Puppet Users] updating kernel in centos shows failure
On Fri, 5 Nov 2010, Trevor Hemsley wrote:
> Steve Hoffman wrote:
>> .../Package[kernel]/ensure) change from 2.6.18-194.el5 to
>> 2.6.18-194.17.4.el5 failed: Could not update: Failed to update to
>> version 2.6.18-194.17.4.el5, got version 2.6.18-194.el5 instead at ...
>>
>> # rpm -qa | grep kernel
>> kernel-2.6.18-194.el5
>> kernel-2.6.18-194.17.4.el5
>
> This is a long standing bug that currently seems to have no action
> scheduled for it. https://projects.puppetlabs.com/issues/1720

gee -- a two year old bug

This 'issue' is readily solvable by a person running their mirror locally of the desired content -- Upstreams retire content. If you are counting on being able to access a specific version, run a mirror

-- Russ herrold
herrold at centos dot org
Re: [Puppet Users] updating kernel in centos shows failure
Steve Hoffman wrote:
> .../Package[kernel]/ensure) change from 2.6.18-194.el5 to
> 2.6.18-194.17.4.el5 failed: Could not update: Failed to update to
> version 2.6.18-194.17.4.el5, got version 2.6.18-194.el5 instead at ...
>
> # rpm -qa | grep kernel
> kernel-2.6.18-194.el5
> kernel-2.6.18-194.17.4.el5

This is a long standing bug that currently seems to have no action scheduled for it. https://projects.puppetlabs.com/issues/1720

--
Trevor Hemsley
Infrastructure Engineer
[Puppet Users] Re: trouble using manifests out of manifestdir
Jeff,

Thanks for the advice. What is the manifestdir setting for?

-eric

On Nov 5, 1:49 pm, Jeff McCune wrote:
> Eric,
>
> I recommend defining classes inside of modules rather than
> manifestdir. The two settings pertaining to environments are manifest
> and modulepath, I do not believe manifestdir is customizable per
> environment.
>
> Hope this helps.
>
> --
> Jeff McCune - (+1-503-208-4484)
>
> On Nov 5, 2010, at 10:33 AM, Eric Snow wrote:
>
> > I am using environments to manage my modules. I am using manifests
> > out of the manifestdir as well, per environment. So my config for my
> > development environment looks like this:
> >
> > [development]
> > modulepath = /usr/share/puppet/development/modules
> > manifestdir = /usr/share/puppet/development/manifests
> >
> > I have several manifests in the manifestdir that define classes which
> > subsequently are used by classes in several of my modules. However,
> > when the puppetmaster tries to pull everything during a run, it cannot
> > find the classes defined in the manifests in my manifestdir, when
> > referenced by the manifests in my modules.
> >
> > Maybe I misunderstood the purpose of the manifestdir, but it is
> > certainly not behaving the way I expected. My understanding is that
> > all manifests (in manifestdir and in modules) are evaluated and
> > everything at the top level of the manifest is bound to puppet's
> > global namespace for that run. If the manifests in the manifestdir
> > are not included in that evaluation then I definitely need to
> > reorganize my manifests. My preference is to use the manifestdir the
> > way I have it set up. Thanks.
> >
> > -eric
Re: [Puppet Users] Restarting services
Use the audit meta-parameter. Set it to enable and ensure, or all.

service { "foo":
    audit => ['ensure','enable'];
}

http://www.puppetlabs.com/blog/all-about-auditing-with-puppet/

On Nov 5, 2010, at 3:20 PM, byron appelt wrote:
> Is it possible to use a Service resource, but not have puppet start or
> start the service? I want to declare service resources so that I can
> easily make sure that puppet will restart them when packages are
> upgraded, etc., but I do not want puppet to restart them if a sysadmin
> shuts them down for some reason.
Re: [Puppet Users] Restarting services
On Fri, Nov 5, 2010 at 1:20 PM, byron appelt wrote:
> Is it possible to use a Service resource, but not have puppet start or
> start the service? I want to declare service resources so that I can
> easily make sure that puppet will restart them when packages are
> upgraded, etc., but I do not want puppet to restart them if a sysadmin
> shuts them down for some reason.

Instead of manually stopping a service, the resource should specify enable => false and ensure => stopped. To my knowledge there isn't a no-op value for these parameters.

Richard
[Puppet Users] Restarting services
Is it possible to use a Service resource, but not have puppet start or start the service? I want to declare service resources so that I can easily make sure that puppet will restart them when packages are upgraded, etc., but I do not want puppet to restart them if a sysadmin shuts them down for some reason.
[Puppet Users] updating kernel in centos shows failure
I wanted to use puppet to update my kernel. Afterwards I wanted to reboot the computer. I'm using centos5.5. Googling around I came up with this:

exec { rebootDueToPackageUpdates:
    command     => "/sbin/reboot",
    refreshonly => "true"
}

package { "kernel":
    ensure => "2.6.18-194.17.4.el5",
    notify => Exec[rebootDueToPackageUpdates]
}

When it runs I see an error, even though the new version is installed. Because the old version still exists (I'm guessing), it determines it failed:

.../Package[kernel]/ensure) change from 2.6.18-194.el5 to 2.6.18-194.17.4.el5 failed: Could not update: Failed to update to version 2.6.18-194.17.4.el5, got version 2.6.18-194.el5 instead at ...

# rpm -qa | grep kernel
kernel-2.6.18-194.el5
kernel-2.6.18-194.17.4.el5

I can only assume the package type doesn't deal with the special case of the 'kernel' package always doing an install rather than an update. This may be a rpm/redhat/centos specific thing...

Is my assessment wrong? Anybody got ideas how to do this maybe w/o package? Do I really have to resort to an exec onlyif test for missing version? Seems messy... Seems like something the rpm provider for package should handle as any rpm install of 'kernel' is always an install and not an update.

Thanks,
Steve
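The check the post above is asking for, as an added example that is not code from the thread or from Puppet's rpm provider: treat the wanted kernel as present when it is any one of the installed versions, and report a pending reboot only while the running kernel is older than the newest installed one. The version comparison is a simplified rpmvercmp, and the running-kernel value and the kernel-headers line are assumptions.

```ruby
# Added example, not code from the thread. Simplified rpmvercmp: no epoch, "~" or "^".

# Compare two version or release labels segment by segment, the way rpm does:
# digit runs compare as integers, letter runs as strings, digits beat letters.
def label_cmp(a, b)
  sa = a.scan(/\d+|[A-Za-z]+/)
  sb = b.scan(/\d+|[A-Za-z]+/)
  [sa.size, sb.size].max.times do |i|
    x = sa[i]
    y = sb[i]
    return -1 if x.nil?              # a ran out of segments first: a is older
    return 1 if y.nil?
    x_num = x.match?(/\A\d/)
    y_num = y.match?(/\A\d/)
    c = if x_num && y_num
          x.to_i <=> y.to_i
        elsif x_num
          1
        elsif y_num
          -1
        else
          x <=> y
        end
    return c unless c.zero?
  end
  0
end

# Compare "version-release" strings such as "2.6.18-194.17.4.el5".
def evr_cmp(a, b)
  va, ra = a.split("-", 2)
  vb, rb = b.split("-", 2)
  c = label_cmp(va, vb)
  c.zero? ? label_cmp(ra.to_s, rb.to_s) : c
end

# Keep only the "kernel" package itself from `rpm -qa | grep kernel` output;
# kernel is installonly, so several versions are normally listed side by side.
def installed_kernels(rpm_output)
  rpm_output.lines.map(&:strip).grep(/\Akernel-\d/).map { |l| l.sub(/\Akernel-/, "") }
end

def kernel_state(rpm_output, running, wanted)
  installed = installed_kernels(rpm_output)
  newest = installed.max { |a, b| evr_cmp(a, b) }
  {
    wanted_installed: installed.include?(wanted),
    newest_installed: newest,
    reboot_needed: !newest.nil? && evr_cmp(newest, running) > 0,
  }
end

# The two kernel lines are the ones quoted in the post; kernel-headers is constructed.
RPM_QA = <<~OUT
  kernel-2.6.18-194.el5
  kernel-headers-2.6.18-194.17.4.el5
  kernel-2.6.18-194.17.4.el5
OUT

RUNNING = "2.6.18-194.el5"           # assumed `uname -r` before the reboot
WANTED  = "2.6.18-194.17.4.el5"

if __FILE__ == $PROGRAM_NAME
  p kernel_state(RPM_QA, RUNNING, WANTED)
end
```
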
Re: [Puppet Users] /etc/puppet
If you did not install from a package the puppet.conf file is not created for you.

I recommend looking at puppet --genconfig and removing all pieces you want to leave at their default values.

--
Jeff McCune - (+1-503-208-4484)

On Nov 5, 2010, at 10:17 AM, Russell Perkins wrote:
> From the configuration guide -
> "The main configuration file for Puppet is /etc/puppet/puppet.conf. A
> package based installation file will have created this file
> automatically."
>
> And I followed the instructions from the install guide, yet I don't
> have an /etc/puppet. I have the man files and executables.
>
> Scott Smith wrote:
>> http://docs.puppetlabs.com/guides/introduction.html
>>
>> On Thu, Nov 4, 2010 at 2:27 PM, Russell Perkins <rperk...@digitalshiftstudios.com> wrote:
>>
>>> I installed facter and puppet but it didn't seem to make an /etc/
>>> puppet/ is this something I have to manually create or did I mess up
>>> my install somehow?
>>>
>>> It was pretty simple to install but maybe I missed something, "ruby
>>> install.rb" for both facter and puppet
>>
>> --
>> http://about.me/scoot
>> http://twitter.com/ohlol
Re: [Puppet Users] trouble using manifests out of manifestdir
Eric,

I recommend defining classes inside of modules rather than manifestdir. The two settings pertaining to environments are manifest and modulepath, I do not believe manifestdir is customizable per environment.

Hope this helps.

--
Jeff McCune - (+1-503-208-4484)

On Nov 5, 2010, at 10:33 AM, Eric Snow wrote:
> I am using environments to manage my modules. I am using manifests
> out of the manifestdir as well, per environment. So my config for my
> development environment looks like this:
>
> [development]
> modulepath = /usr/share/puppet/development/modules
> manifestdir = /usr/share/puppet/development/manifests
>
> I have several manifests in the manifestdir that define classes which
> subsequently are used by classes in several of my modules. However,
> when the puppetmaster tries to pull everything during a run, it cannot
> find the classes defined in the manifests in my manifestdir, when
> referenced by the manifests in my modules.
>
> Maybe I misunderstood the purpose of the manifestdir, but it is
> certainly not behaving the way I expected. My understanding is that
> all manifests (in manifestdir and in modules) are evaluated and
> everything at the top level of the manifest is bound to puppet's
> global namespace for that run. If the manifests in the manifestdir
> are not included in that evaluation then I definitely need to
> reorganize my manifests. My preference is to use the manifestdir the
> way I have it set up. Thanks.
>
> -eric
Re: [Puppet Users] do custom facts load first?
When running puppet agent, the 'pluginsync' option ensures that custom facts are synced and sent with the request for catalog.

On Fri, Nov 5, 2010 at 11:11 AM, Christopher McCrory wrote:
> Hello...
>
> When do custom facts get loaded during the client run?
>
> this is what I am doing:
> /corp/lib/facter/corp.rb # has some custom facts
>
> /openssh/manafests/init.pp # uses custom fact from corp in if
> statement
>
> Do I have to worry that the openssh class bits might be run before the
> custom facts load?
>
> I'm using puppet 0.25.5 and 0.25.4
>
> thanks
>
> --
> Christopher McCrory
> To the optimist, the glass is half full.
> To the pessimist, the glass is half empty.
> To the engineer, the glass is twice as big as it needs to be.
[Puppet Users] Re: managing normal users with Puppet
On Nov 5, 9:19 am, Mark_SysAdm wrote:
> What are the recommended practices for adding regular users with a
> specific group and password ? I'd like to add new users to a cluster,
> and also to append an existing ssh key to authorized_keys on all the
> cluster nodes for some users.
>
> This is the best user add solution I've found so far, but it doesn't
> quite do everything I want :
>
> http://itand.me/using-puppet-to-manage-users-passwords-and-ss
>
> I'm looking for a way to do something like:
>
> class users {
>     @user { "ajolie":
>         ensure => "present",
>         uid => "1001",
>         group => "1550",
>         comment => "Tomb Raider",
>         home => "/home/ajolie",
>         managehome => true,
>         password => "abc01010",
>     }
>
>     @user { "nextuser":
>         ...
>         password => "aaccd01",
>     }
>
> }
>
> Does Puppet handle passwords with something already built-in? If not,
> is it in future plans?
> Would love to have one file that has all the user info in it,
> including encrypted passwords.
>
> Played with making a setpasswd script that used a specific encrypted
> password:
> -
> #!/bin/bash
> #setpass.sh:
> copyfrom=existingusername
> encpass=`grep $copyfrom /etc/shadow | cut -f 2 -d : `
> /usr/sbin/usermod -p "$encpass" $username
> ---
> but then I have to copy that script out to all nodes first.
>
> Any better suggestions?

http://forge.puppetlabs.com/ghoneycutt/generic

That module shows how I handle users. You define them all in one place and then realize them as needed. You can specify password hashes, but those can be brute forced, so you would want to build security around who can access your puppet code. Below is a snippet of how it works.

# Sample Usage:
#
# create apachehup user and realize it
# @mkuser { "apachehup":
#     uid        => "32001",
#     gid        => "32001",
#     home       => "/home/apachehup",
#     managehome => "true",
#     comment    => "Apache Restart User",
#     dotssh     => "true",
# } # @mkuser
#
# realize Generic::Mkuser[apachehup]

-g
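An added lint pass, not part of the thread or of the generic module, for the point above about password values kept in Puppet code: the user type's password attribute takes the already-hashed string, fast hash schemes are the ones most exposed to brute forcing, and values containing $ belong in single quotes so Puppet does not interpolate them. The ajolie resource is the one from the question; the deploy and legacy resources and their hash placeholders are constructed.

```ruby
# Added example, not code from the thread. Classification is by crypt(3) prefix
# only; a 13-character alphanumeric plaintext would be misread as DES crypt.

WEAK_SCHEMES = [:md5_crypt, :des_crypt].freeze

def classify_password(value)
  case value
  when /\A[!*]/                  then :locked
  when /\A\$6\$/                 then :sha512_crypt
  when /\A\$5\$/                 then :sha256_crypt
  when /\A\$2[abxy]?\$/          then :bcrypt
  when /\A\$1\$/                 then :md5_crypt
  when /\A[.\/0-9A-Za-z]{13}\z/  then :des_crypt
  else :not_a_hash
  end
end

# Scan manifest text for user / @user / @@user resources that set a password
# and report how each value looks. Bodies are read up to the first "}".
def audit_user_passwords(manifest)
  findings = []
  manifest.scan(/^\s*@{0,2}user\s*\{\s*["']([^"']+)["']\s*:(.*?)\}/m) do |name, body|
    m = body.match(/\bpassword\s*=>\s*(["'])(.*?)\1/)
    next unless m
    quote = m[1]
    value = m[2]
    scheme = classify_password(value)
    issues = []
    issues << "not a crypt hash" if scheme == :not_a_hash
    issues << "weak hash scheme" if WEAK_SCHEMES.include?(scheme)
    issues << "double-quoted value containing $" if quote == '"' && value.include?("$")
    findings << { user: name, scheme: scheme, issues: issues }
  end
  findings
end

MANIFEST = <<~'PP'
  class users {
    @user { "ajolie":
      ensure     => "present",
      uid        => "1001",
      group      => "1550",
      comment    => "Tomb Raider",
      home       => "/home/ajolie",
      managehome => true,
      password   => "abc01010",
    }
    # Constructed entries: the hash strings are placeholders, not real hashes.
    @user { "deploy":
      ensure   => "present",
      password => '$6$CONSTRUCTEDSALT$placeholderplaceholder',
    }
    user { "legacy":
      ensure   => "present",
      password => "$1$CONSTRUCT$placeholderplaceholder",
    }
  }
PP

if __FILE__ == $PROGRAM_NAME
  audit_user_passwords(MANIFEST).each do |f|
    status = f[:issues].empty? ? "ok" : f[:issues].join("; ")
    puts "#{f[:user]}: #{f[:scheme]} (#{status})"
  end
end
```
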
[Puppet Users] do custom facts load first?
Hello...

When do custom facts get loaded during the client run?

this is what I am doing:

/corp/lib/facter/corp.rb # has some custom facts

/openssh/manafests/init.pp # uses custom fact from corp in if statement

Do I have to worry that the openssh class bits might be run before the custom facts load?

I'm using puppet 0.25.5 and 0.25.4

thanks

--
Christopher McCrory
To the optimist, the glass is half full.
To the pessimist, the glass is half empty.
To the engineer, the glass is twice as big as it needs to be.
Re: [Puppet Users] Puppet Training in the UK
On Fri, Oct 22, 2010 at 9:29 AM, Matt Wallace wrote:
> Hi all,
>
> I've asked my company to send me on the training in London at the end of
> November, however owing to budget restraints I've been asked to investigate
> training next year instead.
>
> Does anyone know when the next round of training will be in the UK after
> November?

I am not sure when the next UK training will be exactly, but I expect it to be no later than Q2 of next year. You can sign up for our mailing list and get notified when we announce our next training.

http://www.puppetlabs.com/services/training-workshops/

Cheers,
Teyo

--
Teyo Tyree :: www.puppetlabs.com :: +1.503.208.4475
[Puppet Users] trouble using manifests out of manifestdir
I am using environments to manage my modules. I am using manifests out of the manifestdir as well, per environment. So my config for my development environment looks like this:

[development]
modulepath = /usr/share/puppet/development/modules
manifestdir = /usr/share/puppet/development/manifests

I have several manifests in the manifestdir that define classes which subsequently are used by classes in several of my modules. However, when the puppetmaster tries to pull everything during a run, it cannot find the classes defined in the manifests in my manifestdir, when referenced by the manifests in my modules.

Maybe I misunderstood the purpose of the manifestdir, but it is certainly not behaving the way I expected. My understanding is that all manifests (in manifestdir and in modules) are evaluated and everything at the top level of the manifest is bound to puppet's global namespace for that run. If the manifests in the manifestdir are not included in that evaluation then I definitely need to reorganize my manifests. My preference is to use the manifestdir the way I have it set up. Thanks.

-eric
[Puppet Users] managing normal users with Puppet
What are the recommended practices for adding regular users with a specific group and password ? I'd like to add new users to a cluster, and also to append an existing ssh key to authorized_keys on all the cluster nodes for some users.

This is the best user add solution I've found so far, but it doesn't quite do everything I want :

http://itand.me/using-puppet-to-manage-users-passwords-and-ss

I'm looking for a way to do something like:

class users {
    @user { "ajolie":
        ensure => "present",
        uid => "1001",
        group => "1550",
        comment => "Tomb Raider",
        home => "/home/ajolie",
        managehome => true,
        password => "abc01010",
    }

    @user { "nextuser":
        ...
        password => "aaccd01",
    }

}

Does Puppet handle passwords with something already built-in? If not, is it in future plans? Would love to have one file that has all the user info in it, including encrypted passwords.

Played with making a setpasswd script that used a specific encrypted password:
-
#!/bin/bash
#setpass.sh:
copyfrom=existingusername
encpass=`grep $copyfrom /etc/shadow | cut -f 2 -d : `
/usr/sbin/usermod -p "$encpass" $username
---
but then I have to copy that script out to all nodes first.

Any better suggestions?
Re: [Puppet Users] Lenny and lenny-backports
On Nov 5, 2010, at 9:52 AM, Walter Heck wrote:

> Hi all,
>
> I'm running debian lenny and that has puppet 0.24.5 in it. Lenny-backports
> has Puppet 2.6.2 in it, which is what I want. How do I make
> puppet update itself through puppet recipes? I already had it create
> an /etc/apt/preferences, where I pin backports at 900 and lenny stable
> at 700. Is that correct? I don't want to have to run apt-get update /
> apt-get upgrade / any other command on the nodes at all, but I don't
> know how :)
>
> Walter

First, if you update puppet, it's probably a good idea to update facter.

Second, are you trying to use lenny-backports for everything or just puppet and related stuff? Are you using apache for anything other than puppet? Are you using ruby for more than just puppet?
[Puppet Users] Re: Strange problem with StoredConfigs overwriting files with old versions
Hi Joe,

Thanks for your update. I eventually found that the problem wasn't Puppet at all. As it turned out, when a new WAR file is being deployed, Tomcat will overwrite the tomcat/conf/Catalina/localhost/ROOT.xml configuration file with the META-INF/context.xml file. This is something that I was never aware of.

Regards,

John

On Nov 4, 1:58 pm, Joe McDonagh wrote:
> On 11/04/2010 01:16 PM, PBWebGuy wrote:
>
> > We just ran into a condition when a templatized configuration file
> > would get replaced with something that I had no clue where it came
> > from and the content is nowhere in the puppet source tree. On
> > subsequent updates the proper file would appear. I've been able to
> > consistently reproduce the problem on multiple nodes that have the
> > same role.
> >
> > We discovered a discrepancy in the last modified dates of the file in
> > question. When we ran the update the first time it would create a
> > file with an old date. On the subsequent update it would generate it
> > with today's date. We figured then it was being cached. I therefore
> > turned off stored configs and presto my issue disappeared.
> >
> > There appears to be a SERIOUS bug in stored configs that under certain
> > conditions is stuffing the incorrect versions of files out on the
> > node. Worse is that when watching the logs for the update, it shows
> > the correct DIFF's of the file being made and then under the covers it
> > writes an old version of the file to the node.
> >
> > I'm curious if anyone has experienced anything like this before?
> >
> > Regards,
> >
> > John
>
> Are you running the node that exports from its catalog to update the
> exported resource BEFORE you re-run the collecting node catalog? You'll
> see this fairly often with Nagios due to the $runinterval window between
> nodes, resulting in updated information taking something near
> $runinterval to update.
>
> --
> Joe McDonagh
> AIM: YoosingYoonickz
> IRC: joe-mac on freenode
> "When the going gets weird, the weird turn pro."
Re: [Puppet Users] /etc/puppet
From the configuration guide - "The main configuration file for Puppet is /etc/puppet/puppet.conf. A package based installation file will have created this file automatically."

And I followed the instructions from the install guide, yet I don't have an /etc/puppet. I have the man files and executables.

Scott Smith wrote:
> http://docs.puppetlabs.com/guides/introduction.html
>
> On Thu, Nov 4, 2010 at 2:27 PM, Russell Perkins <rperk...@digitalshiftstudios.com> wrote:
>
> > I installed facter and puppet but it didn't seem to make an /etc/puppet/
> > is this something I have to manually create or did I mess up
> > my install somehow?
> >
> > It was pretty simple to install but maybe I missed something, "ruby
> > install.rb" for both facter and puppet
>
> --
> http://about.me/scoot
> http://twitter.com/ohlol
Re: [Puppet Users] Lenny and lenny-backports
On Fri, Nov 5, 2010 at 9:52 AM, Walter Heck wrote:
> Hi all,
>
> I'm running debian lenny and that has puppet 0.24.5 in it. Lenny-backports
> has Puppet 2.6.2 in it, which is what I want. How do I make
> puppet update itself through puppet recipes? I already had it create
> an /etc/apt/preferences, where I pin backports at 900 and lenny stable
> at 700. Is that correct? I don't want to have to run apt-get update /
> apt-get upgrade / any other command on the nodes at all, but I don't
> know how :)

You can't get around running an `apt-get update` but you can do that from an exec resource in an earlier run stage.

    # Stages attach to classes, so the exec sits in a class (apt_update is an illustrative name)
    stage { "pre": before => Stage["main"] }
    class apt_update { exec { "/usr/bin/apt-get update": } }
    class { "apt_update": stage => "pre" }

You'll probably want to do your backports setup before the `apt-get update` in your early run stage, too.

Richard
[Puppet Users] Lenny and lenny-backports
Hi all,

I'm running debian lenny and that has puppet 0.24.5 in it. Lenny-backports has Puppet 2.6.2 in it, which is what I want. How do I make puppet update itself through puppet recipes? I already had it create an /etc/apt/preferences, where I pin backports at 900 and lenny stable at 700. Is that correct? I don't want to have to run apt-get update / apt-get upgrade / any other command on the nodes at all, but I don't know how :)

Walter
Re: [Puppet Users] Re: Failed to retrieve current state of resource: Error 400 on SERVER
On Nov 5, 2010, at 5:52 AM, Maciej Skrzetuski wrote:

> Hello everyone,
>
> I updated puppet to 2.6.2 and with the same configuration I am
> getting:
>
> err: /Stage[main]/Webspheremq/File[/tmp/mq_license/license/status.dat]: Could not evaluate: Could not retrieve information from source(s) puppet:///modules/webspheremq/status.dat at /etc/puppet/manifests/classes/webspheremq.pp:58
>
> My status.dat is placed in /etc/puppet/modules/webspheremq/files. This
> is correct, isn't it? Do I have to do s.th. special in the version
> 2.6.2?

Try this:

*) Become root
*) su - puppet
*) cd /etc/puppet/modules/webspheremq/files
*) vi status.dat

Does any of this fail with a permission error?
[Puppet Users] Re: multiple package installation at same location
On Nov 4, 3:28 pm, Bakul wrote:
> I'm trying to install 2 packages where 2nd packages replaces certain
> files from first packages.
>
> package { "jboss":
>     provider => yum,
>     ensure => latest
> }
>
> package { "jboss-fix":
>     provider => yum,
>     ensure => latest
> }
>
> This seems to error out with message like "file ... from install of
> jboss-fix conflicts with file from package jboss"
>
> On command line I can use "sudo yum -y install jboss jboss-fix" and it
> works (or use rpm with "replacefiles" option for second rpm).

You should be able to configure yum to always act as if the -y switch had been passed. See the "assumeyes" parameter.

However, packages replacing others' files is a bad idea. That's why by default it requires confirmation or special options. I urge you to consider instead building packages that do not require such treatment.

If you download the jboss source RPM, you should be able to quickly build an alternative jboss rpm that incorporates your changes. (Perhaps you would call *that* "jboss-fix".) You can make such an alternative package satisfy other packages' dependencies on jboss by appropriate use of the "Provides:" header.

Regards,

John
Re: [Puppet Users] Re: Prevent users from creating new accounts
2010/11/4 hywl51

> If puppet can not fulfill this requirement, is there any other tool
> or solution to solve it?
> [...]

There are several solutions you can use to audit your system. You can log all events to a central server, which might not be sufficient because root can stop reporting, or you can use things like PowerBroker to restrict and audit access to root or other accounts (http://www.beyondtrust.com/PowerBroker-Servers-Unix.aspx?section=PowerBroker-Servers-Unix). I'm still searching for something comparable based on an open source solution but didn't find something yet.

Kind regards,

Thomas
[Puppet Users] Re: Prevent users from creating new accounts
On Nov 4, 9:23 am, Felix Frank wrote:
> On 11/04/2010 10:40 AM, Martin Alfke wrote:
> > I would assume that you can define a resource default:
> >
> > User { ensure => absent }
> >
> > and afterwards define the users you would like to be present on your system.
>
> Not at all. This default will apply to all users that you define in your
> manifest. So this
>
> user { [ "www-data","cron" ]: }
>
> will indeed ensure those users' absence,

Correct.

> but puppet has no concept of
> "remove resources I have not declared anywhere".

Incorrect. See the discussion above of the "resources" meta-type. It can be used to purge unmanaged resources of any type. In fact, that seems currently to be its *sole* use.

I agree with several others' comments, however, that this is a problem that should not arise. It is rarely necessary to grant users unfettered administrative rights to any system, and when such rights are granted it is a bit silly to try to restrict them by the back door. A user with such access and an intent to do harm has so many ways to go about it that you will never block them all.

Instead, give users the means to perform only those administrative functions they need to perform, taking care to protect against privilege escalation. If a user really does need complete administrative access, then he is a de facto sysadmin, and he should be saddled with all the corresponding responsibilities. If necessary, you can rope off his computer in a DMZ, or otherwise protect the rest of your network from it, but you cannot protect a computer from its own admin.

John
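The "resources" meta-type mentioned in the message above, as an added example that is not part of the original post. The class name, the `deploy` account and its IDs are constructed, and `noop` is set so that the first runs only report what would be removed.

```puppet
# Added example: purge local accounts that Puppet does not manage.
# The class name, account name and IDs are constructed for illustration.
class accounts::enforce {
  # Every account that should exist has to be declared in the catalog;
  # anything else above the system UID range becomes a purge candidate.
  group { 'deploy':
    ensure => present,
    gid    => '1002',
  }

  user { 'deploy':
    ensure  => present,
    uid     => '1002',
    gid     => 'deploy',
    shell   => '/bin/bash',
    require => Group['deploy'],
  }

  # The "resources" meta-type: any user found on the node but absent from
  # the catalog is treated as if it had been declared with ensure => absent.
  resources { 'user':
    purge              => true,
    unless_system_user => true,  # skip system accounts (low UIDs) such as root, www-data
    noop               => true,  # report only; drop this line once the report looks right
  }
}
```

This removes accounts that appear outside Puppet at the next agent run, and the agent report records each removal. As the replies in this thread point out, it does not constrain someone with root access who stops or reconfigures the agent.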
[Puppet Users] Re: Module names - limitations / reserved words?
On Nov 5, 12:04 pm, Peter Meier wrote:
> > Then I've found this thread/bugreport that explains it all :
> > http://www.mail-archive.com/puppet-b...@googlegroups.com/msg03637.html
> > But I agree that it should probably print a warning or
> > something.
>
> can you file a feature request?
>
> ~pete

I've filed a feature request : http://projects.puppetlabs.com/issues/5208 with a typo and messed up links...

Regards,

Nikolay

Next time I'll click "Preview" first :)
[Puppet Users] Re: Failed to retrieve current state of resource: Error 400 on SERVER
Hello everyone,

I updated puppet to 2.6.2 and with the same configuration I am getting:

    err: /Stage[main]/Webspheremq/File[/tmp/mq_license/license/status.dat]: Could not evaluate: Could not retrieve information from source(s) puppet:///modules/webspheremq/status.dat at /etc/puppet/manifests/classes/webspheremq.pp:58

My status.dat is placed in /etc/puppet/modules/webspheremq/files. This is correct, isn't it? Do I have to do s.th. special in the version 2.6.2?

Kind regards

Maciej

On 26 Oct., 20:41, Maciej Skrzetuski wrote:
> Yes, that worked. Thank you very much! ;)
>
> On 26 Oct., 18:33, Patrick wrote:
> > On Oct 26, 2010, at 8:17 AM, Maciej Skrzetuski wrote:
> >
> > > Well if I do this:
> > >
> > > fileserver.conf (default):
> > >
> > > # Define a section 'files'
> > > # Adapt the allow/deny settings to your needs. Order
> > > # for allow/deny does not matter, allow always takes precedence
> > > # over deny
> > > # [files]
> > > # path /var/lib/puppet/files
> > > # allow *.example.com
> > > # deny *.evil.example.com
> > > # allow 192.168.0.0/24
> > >
> > > And my file status.dat is in /etc/puppet/modules/webspheremq/files on
> > > the master.
> > > And the class is configured like that:
> > >
> > > file { "/tmp/status.dat":
> > >     source => "puppet://master/modules/webspheremq/files/status.dat"
> > > }
> > >
> > > Then I get s.th. new from my master /var/log/messages:
> > > Oct 26 17:09:53 i11936 puppetmasterd[16999]: (//webspheremq/File[/tmp/status.dat]) Failed to retrieve current state of resource: Could not retrieve information from source(s) puppet://master/modules/webspheremq/files/status.dat at /etc/puppet/manifests/classes/webspheremq.pp:25
> > >
> > > I don't understand this error. What information, from what source?
> >
> > When you use "puppet://" the file is not sent in the manifest. It's saying
> > it can't get the file using the puppet protocol.
> >
> > This is happening because I made a typo in my example. The "files" part of
> > the path shouldn't be there. Also, there is no need to tell puppet which
> > server to get the file from.
> >
> > Try 'puppet:///modules/webspheremq/status.dat' instead.
> >
> > Note: Using 3 slashes in a row tells the client to get the file from the
> > same location as the manifest.
> >
> > > On 26 Oct., 15:56, Patrick wrote:
> > > > On Oct 26, 2010, at 3:03 AM, Maciej Skrzetuski wrote:
> > > >
> > > > > Hello there,
> > > > >
> > > > > I am very new to puppet and tried to copy some files (namely
> > > > > /etc/puppet/manifests/files/websphermq/status.dat [on master] to
> > > > > /tmp/status.dat [on puppet]) from master to the puppets. My setup is as
> > > > > follows:
> > > > >
> > > > > Puppet 0.25.5
> > > > >
> > > > > fileserver.conf:
> > > > > [webspheremq]
> > > > > path /etc/puppet/manifests/files/webspheremq
> > > > > allow *
> > > > >
> > > > > Definition in class:
> > > > >
> > > > > file { "/tmp/status.dat":
> > > > >     source => "puppet:///webspheremq/status.dat"
> > > > > }
> > > > >
> > > > > I am getting the following error:
> > > > >
> > > > > What is the problem here? What is file_metadata? Is this folder
> > > > > suppose to exist on my master?
> > > >
> > > > I don't know what's wrong. That folder doesn't need to be created.
> > > > It's possible you have a permissions problem.
> > > >
> > > > Can't you just use the default path created by modules like this:
> > > > *) Remove that section from fileserver.conf.
> > > > *) Put the file at /etc/puppet/modules/webspheremq/files/status.dat
Re: [Puppet Users] Re: Module names - limitations / reserved words?
> Then I've found this thread/bugreport that explains it all :
> http://www.mail-archive.com/puppet-b...@googlegroups.com/msg03637.html
> But I agree that it should probably print a warning or
> something.

can you file a feature request?

~pete
[Puppet Users] Re: Module names - limitations / reserved words?
On Oct 27, 4:56 pm, KnightOrc wrote:
> Greeting,
>
> I'm attempting to solve a mystery we had with a puppet module we
> couldn't get to auto load.
>
> The module named / folder was called "nfs"
>
> We notice when we ran 'puppetmasterd --no-daemonize --verbose' that
> when the client connected that our 'nfs' module was not being auto
> loaded.
>
> We reviewed and triple checked our syntax. We located no errors. As a
> result of the module not being loaded we were unable to access a
> resource defined within the init.pp.
>
> Finally as a "Hail Mary" we renamed the module to 'nfsexports'. On
> the next client run the module was auto loaded and all was well in
> puppet land.
>
> My question today is, Are there "reserved" words that can't be used as
> module to resource names? If yes, does anyone have the list or a URL
> to the list? We've looked but all we found are references to class
> name limitations, "ie can't begin with a CAPITAL letter".
>
> Thanks in advance,
>
> Wade

I think I've hit similar problem, and the issue really was that I was trying to include a class in a subclass when both have the same name. I.e.

    class baseclass::apache {
        include apache
    }

This include will reference the baseclass::apache class, and not the apache class. To work around it you should use:

    class baseclass::apache {
        include ::apache
    }

Then I've found this thread/bugreport that explains it all : http://www.mail-archive.com/puppet-b...@googlegroups.com/msg03637.html

But I agree that it should probably print a warning or something.

Regards,

Nikolay
Re: [Puppet Users] Re: Prevent users from creating new accounts
On Thu, Nov 04, 2010 at 03:11:43AM -0700, hywl51 wrote:
> Yes, you said it. Unfortunately, we have some users running as root
> privilege on server, because they can't work without it.

Are they admins or developers? If developers, then there is always a way round - sudo, fakeroot, giving them virtual hosts to play with.

If they really need to be adminning the boxes then sudo will take you so far, but past a certain point they have enough privileges to give themselves more privileges. SELinux might be the answer, although you'd have to use it carefully if you wanted to avoid it locking puppet down as well. And if puppet isn't locked down, and they have root access...

--
Bruce

A problem shared brings the consolation that someone else is now feeling as miserable as you.
Re: [Puppet Users] Prevent users from creating new accounts
On Thu, Nov 04, 2010 at 10:40:02AM +0100, Martin Alfke wrote:
>
> Hi,
>
> I would assume that you can define a resource default:
>
> User { ensure => absent }
>
> and afterwards define the users you would like to be present on your system.

No, that would only establish the default for any user resources declared within Puppet. It would have no effect on users created outside of puppet with names not used in Puppet.

--
Bruce

I object to intellect without discipline. I object to power without constructive purpose. -- Spock
Re: [Puppet Users] Re: Prevent users from creating new accounts
Hello,

On Thu, 4 Nov 2010 at 11:11, hywl51 wrote:
> Yes, you said it. Unfortunately, we have some users running as root
> privilege on server, because they can't work without it.

For me that sounds that you should never give such users root rights. If you give it to them they will have all rights. Surely there are ways to prevent alteration of files (like /etc/passwd or /etc/shadow) but if you or someone has root rights he or she can easily change this back.

> But we don't want them to add new users on their own, so we hope to find
> a way that will delete all illegal users on the system every 30
> minutes.

And what if such a user disables puppet at all?

This sounds like a human problem. You cannot solve them technically.

Regards

Klaus

--
Klaus Ethgen http://www.ethgen.de/
pub 2048R/D1A4EDE5 2000-02-26 Klaus Ethgen
Fingerprint: D7 67 71 C4 99 A6 D4 FE EA 40 30 57 3C 88 26 2B