I would like to write up a brief tutorial/documentation on how to manage /etc/passwd using Puppet. While this may seem pretty straightforward to some... the documentation is not. We have been able to create a manifest that defines all of our users "virtually" and are able to "realize" users and add them to the system(s) running puppetd.

Is there a way to simply realize all users in the virtual_users file? Or must I specifically realize each and every one in a separate class?

How do we delete users? Specifically, when I remove a user from the manifest it does not get deleted from the passwd file on the client nodes.

Any examples out there would be great.

-Jeff

_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users
On Wed, Sep 26, 2007 at 05:27:08PM -0700, Jeffrey Lord wrote:
> I would like to write up brief tutorial/documentation on how to manage
> /etc/passwd using puppet. While this may seem pretty straight forward to
> some...the documentation is not. We have been able to create a manifest
> that defines all of our users "virtually" and are able to "realize" users
> and add them to the system(s) running puppetd. Is there a way to simply
> realize all users in the virtual_users file? Or must I specifically
> realize each and everyone in a separate class?

Does "User <||>" work for you?

> How do we delete users?
> Specifically when I remove a user from the manifest it does not get
> deleted from the passwd file on the client nodes.

Puppet doesn't know that the user that doesn't exist in the manifest was once a Puppet-managed resource, so you either have users that get removed from the manifest hanging around, or you delete all users that aren't specified in the manifest. I think the former is the better way of doing things, myself.

The solution is to not remove the user from the manifest entirely, but to specify that the user should be deleted ("ensure => absent"). This is the *correct* way to ensure that a particular user doesn't exist. There's some hackish parameter to tell Puppet to assume that any resource it doesn't know about of a type is to be removed, but I don't recommend using it.

- Matt

--
If only more employers realized that people join companies, but leave bosses. A boss should be an insulator, not a conductor or an amplifier.
-- Geoff Kinnel, in the Monastery
Matthew Palmer wrote:
> Puppet doesn't know that the user that doesn't exist in the manifest was
> once a Puppet-managed resource, so you either have users that get removed
> from the manifest hanging around, or you delete all users that aren't
> specified in the manifest. I think the former is the better way of doing
> things, myself. The solution is to not remove the user from the manifest

Why not lock the account? Then you don't run into issues with stray UIDs.

-scott
Matthew Palmer <mpalmer@hezmatt.org> writes:
> There's some hackish parameter to tell Puppet to assume that any
> resource it doesn't know about of a type is to be removed, but I don't
> recommend using it.

Huh, why? And why do you think this is a hack? It accomplishes exactly what I want, namely to automatically remove users added by a sysadmin who decided to bypass Puppet "and go fix it later," which was the sort of problem we had great difficulty with before we went to Puppet.

--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
On Wed, Sep 26, 2007 at 07:05:09PM -0700, Scott Smith wrote:
> Matthew Palmer wrote:
> > Puppet doesn't know that the user that doesn't exist in the manifest was
> > once a Puppet-managed resource, so you either have users that get removed
> > from the manifest hanging around, or you delete all users that aren't
> > specified in the manifest. I think the former is the better way of doing
> > things, myself. The solution is to not remove the user from the manifest
>
> why not lock the account? then you don't run into issues with stray uid's.

Sometimes you do actually want the account gone. But that discussion is orthogonal to the OP's question.

- Matt

--
MySQL seems to be the Windows of the database world. Broken, underspecced, and mainly only popular due to inertia and people who don't really know what they're doing.
-- Peter Corlett, in the Monastery
I "solved" this problem on my install by defining a remove_users class.

This class is part of my base definition, and I define the virtual and realize it in this class. I also have to remove the user from virt_all_users (it isn't a user after all). This way I can ensure a user is to be removed whether or not it was once a puppet resource.

Now if you have always managed your users with puppet, simply changing ensure to read ensure=>absent would get the job done, but if you moved a host from one node that had the user realized to a node that doesn't, it will not get removed since the realization didn't occur.

On Sep 26, 2007, at 7:09 PM, Matt Palmer wrote:
> On Wed, Sep 26, 2007 at 07:05:09PM -0700, Scott Smith wrote:
> > Matthew Palmer wrote:
> > > Puppet doesn't know that the user that doesn't exist in the manifest was
> > > once a Puppet-managed resource, so you either have users that get removed
> > > from the manifest hanging around, or you delete all users that aren't
> > > specified in the manifest. I think the former is the better way of doing
> > > things, myself. The solution is to not remove the user from the manifest
> >
> > why not lock the account? then you don't run into issues with stray uid's.
>
> Sometimes you do actually want the account gone. But that discussion is
> orthogonal to the OP's question.
>
> - Matt
>
> MySQL seems to be the Windows of the database world. Broken, underspecced,
> and mainly only popular due to inertia and people who don't really know what
> they're doing.
> -- Peter Corlett, in the Monastery
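The pattern Matt and Jesse describe above (declare every account virtually, realize with a collector, keep removals in the manifest as "ensure => absent", and carry those removals in a class every node includes), written out as an added example. This is not code from the thread or from Puppet's own documentation; the class names, account names, UIDs and paths are made up for illustration, and Jesse's own class and file names are not reused. The locked_users class shows Scott's alternative of locking rather than deleting; it assumes the node's user provider can manage the password field (the Linux useradd provider can).

```puppet
# Added example: every account is declared once, virtually, so that a node's
# catalog only creates the ones its classes collect.
class virtual_users {
  @user { 'alice':
    ensure     => present,
    uid        => 1001,
    home       => '/home/alice',
    shell      => '/bin/bash',
    managehome => true,
    tag        => 'admin',
  }
  @user { 'carol':
    ensure     => present,
    uid        => 1003,
    home       => '/home/carol',
    shell      => '/bin/bash',
    managehome => true,
    tag        => 'developer',
  }
}

# Accounts that must not exist anywhere. They are real (not virtual) resources
# in a class every node includes, so the removal is enforced even on a node
# that never realized the account while it existed (Jesse's moved-host case).
# "ensure => absent" works whether or not Puppet ever managed the user before.
class removed_users {
  user { 'bob':
    ensure     => absent,
    managehome => true,   # also remove /home/bob; leave this off to keep the files for review
  }
}

# Scott's alternative: lock instead of delete. The UID stays allocated, so files
# owned by it keep a resolvable owner and cannot be inherited by a future account
# that is given the same number. '!' is not a valid hash, which is the same
# marker `passwd -l` writes, and the nologin shell refuses interactive logins.
class locked_users {
  user { 'dave':
    ensure   => present,
    uid      => 1004,
    password => '!',
    shell    => '/usr/sbin/nologin',
  }
}

# Base class for every node: all virtual declarations are in scope, removals
# and locks are always applied.
class base {
  include virtual_users
  include removed_users
  include locked_users
}

# Matt's "User <||>": an empty collector realizes every virtual user in scope.
class all_users {
  include base
  User <| |>
}

# A subset, chosen by the tag set on the virtual declaration.
class admin_only {
  include base
  User <| tag == 'admin' |>
}

node 'shell.example.com' { include all_users }   # hypothetical host names
node 'web01.example.com' { include admin_only }
```

When an account is deleted rather than locked, files it owned are left with a bare numeric owner; checking for them (for example with find's -uid test) before reusing the UID is the check that keeps a later account from silently inheriting them.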
--On Thursday, September 27, 2007 10:53 AM +1000 Matthew Palmer <mpalmer@hezmatt.org> wrote:
>> How do we delete users?
>> Specifically when I remove a user from the manifest it does not get
>> deleted from the passwd file on the client nodes.
>
> Puppet doesn't know that the user that doesn't exist in the manifest was
> once a Puppet-managed resource, so you either have users that get removed
> from the manifest hanging around, or you delete all users that aren't
> specified in the manifest. I think the former is the better way of doing
> things, myself. The solution is to not remove the user from the manifest
> entirely, but to specify that the user should be deleted ("ensure =>
> absent"). This is the *correct* way to ensure that a particular user
> doesn't exist. There's some hackish parameter to tell Puppet to assume
> that any resource it doesn't know about of a type is to be removed, but I
> don't recommend using it.
>
> - Matt

Unless you have purging turned on, in which case, puppet does in fact remove users you aren't managing.
--On Wednesday, September 26, 2007 7:09 PM -0700 Russ Allbery <rra@stanford.edu> wrote:
>> There's some hackish parameter to tell Puppet to assume that any
>> resource it doesn't know about of a type is to be removed, but I don't
>> recommend using it.
>
> Huh, why? And why do you think this is a hack? It accomplishes exactly
> what I want, namely to automatically remove users added by a sysadmin who
> decided to bypass Puppet "and go fix it later," which was the sort of
> problem we had great difficulty with before we went to Puppet.

Not to mention that when an admin leaves the group, we just remove him from the class that realizes our admin users and poof! -- he disappears from all of our systems.
--On Wednesday, September 26, 2007 7:26 PM -0700 Jesse Nelson <jnelson@military-inc.com> wrote:
> I "solved" this problem on my install by defining a remove_users class
>
> this class is part of my base definition, and i define the virtual
> and realize it in this class. I also have to remove the user from
> virt_all_users (it isn't a user afterall). This way i can ensure a
> user is to be removed weather or not it was once a puppet resource.
>
> now if you have always managed your users with puppet simply changing
> ensure to ready ensure=>absent would get the job done, but if you
> moved a host from one node that had the user realized to node that
> doesn't it will not get removed since the realization didn't occur.

You might look into purging. It is very, very, very easy and works very very well:

    resources { user: purge => true }

You also don't have to worry about puppet removing system users because unless_system_user is true by default. You can also set unless_system_user to a value if you want to use a different minimum UID to determine if an entry is a user or a system user.
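Digant's purge setting, written out as an added example that is not from the thread: a preview pass with the noop metaparameter so the agent only reports which accounts it would remove, then the enforced form with an explicit UID cutoff. The class names and the cutoff value are made up; unless_system_user is the parameter named in the message above, and the numeric form keeps every account whose UID is at or below the given number.

```puppet
# Added example: first pass. noop makes the agent log what it would purge
# without deleting anything, which is the safest way to learn what is on a
# host that was not fully managed by Puppet.
class purge_users_preview {
  resources { 'user':
    purge              => true,
    unless_system_user => true,   # keep accounts below the provider's system UID cutoff
    noop               => true,   # report only; remove this line to enforce
  }
}

# Enforced form. Purge removes every local user that is not in this node's
# catalog, whether or not Puppet ever managed it, so any account that must
# stay has to be realized on this node. A site whose regular accounts start at
# 1000 can give the inclusive cutoff explicitly instead of relying on the default.
class purge_users {
  resources { 'user':
    purge              => true,
    unless_system_user => 999,    # UIDs 0..999 are never purged
  }
}
```

Run the preview class on one host and read the agent's noop output before switching to the enforced class; combined with virtual users, a node whose collector did not realize an account will purge it, which is exactly the moved-host case discussed earlier in the thread.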
Does "purging" only remove once-puppet-managed resources? Not every user in all of my systems is defined by puppet atm.

On Sep 27, 2007, at 12:51 AM, Digant C Kasundra wrote:
> --On Wednesday, September 26, 2007 7:26 PM -0700 Jesse Nelson
> <jnelson@military-inc.com> wrote:
> > I "solved" this problem on my install by defining a remove_users class
> >
> > this class is part of my base definition, and i define the virtual
> > and realize it in this class. I also have to remove the user from
> > virt_all_users (it isn't a user afterall). This way i can ensure a
> > user is to be removed weather or not it was once a puppet resource.
> >
> > now if you have always managed your users with puppet simply changing
> > ensure to ready ensure=>absent would get the job done, but if you
> > moved a host from one node that had the user realized to node that
> > doesn't it will not get removed since the realization didn't occur.
>
> You might look into purging. It is very, very, very easy and works very
> very well:
>
> resources { user: purge => true }
>
> You also don't have to worry about puppet removing system users because
> unless_system_user is true by default. You can also set unless_system_user
> to a value if you want to user a different minimum uid to determine if an
> entry is a user or a system user.
Interesting, have you gotten purging to work for both users and groups?

I never could get it to work.

Thanks,

Trevor

On 9/27/07, Digant C Kasundra <digant@stanford.edu> wrote:
> --On Wednesday, September 26, 2007 7:26 PM -0700 Jesse Nelson
> <jnelson@military-inc.com> wrote:
> > I "solved" this problem on my install by defining a remove_users class
> >
> > this class is part of my base definition, and i define the virtual
> > and realize it in this class. I also have to remove the user from
> > virt_all_users (it isn't a user afterall). This way i can ensure a
> > user is to be removed weather or not it was once a puppet resource.
> >
> > now if you have always managed your users with puppet simply changing
> > ensure to ready ensure=>absent would get the job done, but if you
> > moved a host from one node that had the user realized to node that
> > doesn't it will not get removed since the realization didn't occur.
>
> You might look into purging. It is very, very, very easy and works very
> very well:
>
> resources { user: purge => true }
>
> You also don't have to worry about puppet removing system users because
> unless_system_user is true by default. You can also set unless_system_user
> to a value if you want to user a different minimum uid to determine if an
> entry is a user or a system user.
--On Thursday, September 27, 2007 12:55 AM -0700 Jesse Nelson <jnelson@military-inc.com> wrote:
> does "purging" only remove once puppet managed resorces ? not every
> user in all of my systems is defined by puppet atm.

Purging would remove users that it is not currently managing, whether it once managed them or not, so basically any user on your system that you aren't defining in puppet would get removed.
--On Thursday, September 27, 2007 8:30 AM -0400 Trevor Vaughan <peiriannydd@gmail.com> wrote:
> Interesting, have you gotten purging to work for both users and groups?
>
> I never could get it to work.

I've never tried for groups but we've been using it for users for some time and it is working great.