[Puppet Users] Access to hiera repository

2016-02-02 Thread 'Stefan Schulte' via Puppet Users
Hello everyone,

I am currently working in a Linux team that decided to use Puppet as a
configuration management tool and we developed a couple of our own modules,
use a lot from the Forge and we keep hiera data in a separate git
repository (tools: r10k+controlrepo, one separate hiera repo not managed
by r10k, GitLab server to manage all git repos).

The IT department is quite big and has different silos (e.g. VMware team,
Linux team, Backup team, Storage team, etc.) but we (meaning the Linux
team) want to use Puppet to replace workflows that beforehand went
through different departments, e.g. to configure backup for a new
machine, the backup team had to create a node in their backup tool and
then give us the necessary input to generate the correct configuration
file on the new server.

Ideally I would like them to manage the data in hiera the same way as we
do, so they can leverage the hierarchy to define defaults on a subnet
level, host level, etc., but on the other hand access to the single hiera
repo would allow them to basically reconfigure everything on a server
(like adding data for the sudo module to add custom sudo rules).

Even though this would be tracked through git logs, a lot of my
colleagues are not comfortable with that (and it might even be against
internal regulations), so I am wondering how you manage the situation when a
lot of different teams with different knowledge about Puppet, YAML, and
git should contribute to hiera but should only manage stuff they care
about/are responsible for.

- Stefan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/56B12FDC.8090801%40taunusstein.net.
For more options, visit https://groups.google.com/d/optout.


Re: [Puppet Users] Re: exec without a shell

2016-01-27 Thread 'Stefan Schulte' via Puppet Users


On 27.01.2016 15:28, jcbollinger wrote:
> [...]
> Puppet implements the "posix" provider by passing the command to
> Ruby's Kernel.exec().
> [...]

Thanks for the inside view John. This would explain the current
behaviour. IIRC this behaves quite similar to perl's "system" command
(single argument vs. array). I also just remembered about some old
discussions on redmine but I could only dig up

http://projects.puppetlabs.com/issues/4288#note-16

which all talk about feeding the exec with the "array form" but that
does not work as expected either.

# test.pp
exec { 'Test03':
  command  => [ "/bin/echo", "arg1", "arg2", "arg3" ],
  provider => posix,
}
$ puppet apply test.pp
Error: Parameter command failed on Exec[Test03]: Command must be a String, got value of class Array at /home/stefan/test.pp:1

So without the help of the shellescape function (which I strangely never
saw in the wild before) I basically give everyone with access to hiera
data root rights as a bonus (if I happen to use hiera data to generate
command line arguments).

I guess the sane approach would be to add a feature request to allow
passing an array as a command parameter which in turn would run ruby's
exec with an array as well, bypassing the shell.

-- Stefan



Re: [Puppet Users] Re: exec without a shell

2016-01-27 Thread 'Stefan Schulte' via Puppet Users


On 28.01.2016 01:46, 'Stefan Schulte' via Puppet Users wrote:
> [...]
> I guess the sane approach would be to add a feature request to allow
> passing an array as a command parameter which in turn would run ruby's
> exec with an array as well, bypassing the shell.
> [...]
> -- Stefan

Just for reference: there already is such a feature request:
https://tickets.puppetlabs.com/browse/PUP-3142



[Puppet Users] exec without a shell

2016-01-26 Thread 'Stefan Schulte' via Puppet Users
Hello,

I've got a quick question about the exec type. The exec type does have a
shell provider and a posix provider and the posix provider says

# https://github.com/puppetlabs/puppet/blob/master/lib/puppet/provider/exec/posix.rb
Executes external binaries **directly, without passing through a shell** or
performing any interpolation. This is a safer and more predictable way
to execute most commands, but prevents the use of globbing and shell
built-ins (including control logic like "for" and "if" statements).

but when I test the following manifest:

$unsafe_input = "I will fail; /bin/false"
   
exec { 'Test01':
  command  => "/bin/echo ${unsafe_input}",
  provider => posix,
}
   
exec { 'Test02':
  command  => shellquote("/bin/echo", $unsafe_input),
  provider => posix,
}


then the first test will fail (because /bin/false is executed instead of
printed), while the second test does work (I am not sure how reliably
shellquote actually works though).

# on puppet version 4.3.1:
Notice: /Stage[main]/Main/Exec[Test01]/returns: I will fail
Error: /bin/echo I will fail; /bin/false returned 1 instead of one of [0]
Error: /Stage[main]/Main/Exec[Test01]/returns: change from notrun to 0 failed: /bin/echo I will fail; /bin/false returned 1 instead of one of [0]
Notice: /Stage[main]/Main/Exec[Test02]/returns: executed successfully

Am I misreading the documentation here?

- Stefan
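
The Test01/Test02 behaviour above, and the string-versus-array distinction raised in the replies, can be reproduced outside Puppet. This is an added example, not code from the posts or from Puppet: it uses Ruby's Open3, which interprets commands by the same rules as Kernel.exec, and Shellwords.escape as a stand-in for Puppet's shellquote; the helper names are hypothetical.

```ruby
require 'open3'
require 'shellwords'

# Constructed input: the same value as $unsafe_input in the manifest.
UNSAFE_INPUT = 'I will fail; /bin/false'

# Hypothetical helper: run a command and return [stdout, exit status].
# Open3 passes its arguments to Process.spawn, which interprets them
# by the same rules as Kernel.exec.
def run(*cmd)
  out, _err, status = Open3.capture3(*cmd)
  [out.chomp, status.exitstatus]
end

# One string containing a shell metacharacter (here ";"): Ruby hands
# the whole string to /bin/sh -c, so the input becomes a second command.
# Only a string with no metacharacters is split and executed directly.
def string_form(input)
  run("/bin/echo #{input}")
end

# One string with the argument escaped (stand-in for Puppet's
# shellquote): still goes through the shell, but as a single word.
def escaped_form(input)
  run("/bin/echo #{Shellwords.escape(input)}")
end

# Program and arguments as separate values: no shell is involved and
# the input reaches /bin/echo as one argv entry.
def array_form(input)
  run('/bin/echo', input)
end

if __FILE__ == $PROGRAM_NAME
  { string: string_form(UNSAFE_INPUT),
    escaped: escaped_form(UNSAFE_INPUT),
    array: array_form(UNSAFE_INPUT) }.each do |form, (out, code)|
    puts format('%-8s exit=%d stdout=%p', form, code, out)
  end
end
```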



Re: [Puppet Users] Re: Prefetch in custom types in Puppet v4?

2016-01-26 Thread 'Stefan Schulte' via Puppet Users


On 19.01.2016 02:53, Jakov Sosic wrote:
> On 01/19/2016 02:52 AM, Jakov Sosic wrote:
>> Hi guys,
>>
>>
>> I've noticed the following problem with one of my providers in v4.
>>
>> This is the original prefetch method I used:
>>
>> def self.prefetch(resources)
>>   instances.each do |prov|
>>     if resource = resources[prov[:name]]
>>       resource.provider = prov
>> +     resource.provider = new(prov)
>>     end
>>   end
>> end
>
> Sorry, ignore the line with `+` prefix :)
>

Are you sure the error is in the prefetch method? Looks to me like the
instances method does not return an array of provider instances but
something else (array of hashes?)
