I am working on defining users and groups manually. I know there are
basic predefined types, but they don't support all of the features
I'll want, and I am learning in the process. I'm a bit stumped when
trying to add a user to multiple groups that are defined in an array.
Currently I have code similar to that below, but it's wrong since I am
not handling the $groups array correctly. How can I run add_to_group
once for each group?

define make_group($desc = "") {
    exec { "addgroup --gecos \"$desc\" \"$title\"":
        unless => "grep $title /etc/group",
        path => "/usr/bin:/usr/sbin:/bin",
    }
}

define add_to_group($group) {
    exec { "adduser $title $group":
        unless => "groups $title | grep $group",
        path => "/usr/bin:/usr/sbin:/bin",
    }
}

define make_user($fullname, $groups="") {
    exec { "adduser-$title":
        command => "adduser --disabled-password --gecos \"$fullname\" \"$title\"",
        creates => "/home/$title",
        path => "/usr/bin:/usr/sbin:/bin",
    }

    if $groups {
        add_to_group { $title:
            group => $groups,
            require => [Class["all_groups"], Exec["adduser-$title"]],
        }
    }
}

class all_groups {
    make_group { "sudoers":
        desc => "users allowed to sudo",
    }
    make_group { "admins":}
    make_group { "another":}
}

class all_users {
    make_user { "example":
        fullname => "Full Name",
        groups => ["sudoers", "another"],
    }
}

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

You are running into a common misconception of people new to Puppet. A
define is not some sort of function. You don't "run" defines. Puppet
is a declarative language, you are trying to use it like an imperative
language, and you will be fighting the tool the whole way.

What features do you want that the predefined types don't support?
Maybe we can help you to understand the Puppet Way to do what you want
to do. In this example you included, I don't see you getting any
features that are unsupported by Puppet users/groups.

--Paul

On Sun, Oct 19, 2008 at 12:33 AM, schickb <schickb@gmail.com> wrote:
> I am working on defining users and groups manually. I know there are
> basic predefined types, but they don't support all of the features
> I'll want, and I am learning in the process. I'm a bit stumped when
> trying to add a user to multiple groups that are defined in an array.
> Currently I have code similar to that below, but it's wrong since I am
> not handling the $groups array correctly. How can I run add_to_group
> once for each group?
>
> define make_group($desc = "") {
>     exec { "addgroup --gecos \"$desc\" \"$title\"":
>         unless => "grep $title /etc/group",
>         path => "/usr/bin:/usr/sbin:/bin",
>     }
> }
>
> define add_to_group($group) {
>     exec { "adduser $title $group":
>         unless => "groups $title | grep $group",
>         path => "/usr/bin:/usr/sbin:/bin",
>     }
> }
>
> define make_user($fullname, $groups="") {
>     exec { "adduser-$title":
>         command => "adduser --disabled-password --gecos \"$fullname\" \"$title\"",
>         creates => "/home/$title",
>         path => "/usr/bin:/usr/sbin:/bin",
>     }
>
>     if $groups {
>         add_to_group { $title:
>             group => $groups,
>             require => [Class["all_groups"], Exec["adduser-$title"]],
>         }
>     }
> }
>
> class all_groups {
>     make_group { "sudoers":
>         desc => "users allowed to sudo",
>     }
>     make_group { "admins":}
>     make_group { "another":}
> }
>
> class all_users {
>     make_user { "example":
>         fullname => "Full Name",
>         groups => ["sudoers", "another"],
>     }
> }

Looks like a good exercise, but your approach is reinventing a square
wheel.

For one thing, the path you are on, once it is all fleshed out will
only work in one direction to provision a clean system and only
systems that support that particular command. To manage the full life
cycle of these users with your approach will only lead to a life of
pain and emptiness... (ok, I might be exaggerating a little)

As Paul alluded, Puppet tries really hard to allow you to specify how
things should 'be' instead of worrying about what to do.

What you are trying to do would probably be easier scripted in bash,
ruby, perl, or your favorite procedural language. If you need to run
it on distributed systems, something like capistrano is great. There
are certainly tasks where something more procedural and task oriented
might make more sense, but user management is probably not one of
them.

This is a paradigm that many people struggle with initially, because
most are used to thinking procedurally.

The higher level question is: What are you wanting to do that you
can't with Puppet's user type? and what is your overall goal? If we
know that, the functionality might be added to the core, or you can
learn how to extend the functionality of the providers, or there might
be some 'Puppetish' solutions to what you are trying to accomplish.

That probably doesn't seem to answer your question, but you can thank
me later...

On Sun, Oct 19, 2008 at 1:15 PM, Paul Lathrop <paul@tertiusfamily.net> wrote:
> You are running into a common misconception of people new to Puppet. A
> define is not some sort of function. You don't "run" defines. Puppet
> is a declarative language, you are trying to use it like an imperative
> language, and you will be fighting the tool the whole way.
>
> What features do you want that the predefined types don't support?
> Maybe we can help you to understand the Puppet Way to do what you want
> to do. In this example you included, I don't see you getting any
> features that are unsupported by Puppet users/groups.
>
> --Paul

Thanks for the tips. The main problem for me was lack of information
in the puppet docs about password for newly created users on Linux
systems (useradd etc). I saw no way to do --disabled-password for
example, and it wasn't clear to me what the state of the password
would be if I didn't provide it explicitly.

-Brad

On Oct 19, 12:15 pm, "Paul Lathrop" <p...@tertiusfamily.net> wrote:
> You are running into a common misconception of people new to Puppet. A
> define is not some sort of function. You don't "run" defines. Puppet
> is a declarative language, you are trying to use it like an imperative
> language, and you will be fighting the tool the whole way.
>
> What features do you want that the predefined types don't support?
> Maybe we can help you to understand the Puppet Way to do what you want
> to do. In this example you included, I don't see you getting any
> features that are unsupported by Puppet users/groups.
>
> --Paul

adduser is a nice interactive script, but it is using useradd, etc,
underneath the covers.

I believe --disable-password is just going to create a user without a
password which is the default behavior if no password is specified with
useradd. There is no --disable-password for useradd.

There are probably subtleties between systems that I'm not aware of, but I
don't think you have a problem. (Someone please correct me if I'm wrong. I'm
not a battle hardened sysadmin by any stretch of the imagination)

Just curious, did you try to make users with puppet?

On Sun, Oct 19, 2008 at 3:47 PM, schickb <schickb@gmail.com> wrote:
> Thanks for the tips. The main problem for me was lack of information
> in the puppet docs about password for newly created users on Linux
> systems (useradd etc). I saw no way to do --disabled-password for
> example, and it wasn't clear to me what the state of the password
> would be if I didn't provide it explicitly.
>
> -Brad

Yes I had tried it with puppet, but I wasn't sure if it was doing the
right thing. After this thread I've investigated a bit more and I
think it will be fine. When using puppet and not providing a password,
the hash in the shadow file ends up as a '!' character which is an
invalid password hash. Using --disabled-password it ends up as a '*'
character which is also an invalid hash. After some investigation, I
believe these are functionally equivalent.

My request for puppet would be more documentation on this subject. Or
an explicit disabled-password attribute would make things more clear.
Either one would reduce the amount of digging around in shadow files
to figure out what is happening.

In the end I totally agree that the following is much better than my
original approach. Any more suggestions on this code?

class groups {
    group { ["sudoers", "admin"]:
        ensure => "present",
    }
}

define define_user($groups = [], $comment = "") {
    user { $name:
        ensure => "present",
        comment => "$comment",
        groups => $groups,
        membership => "minimum",
        home => "/home/$name",
        managehome => "true",
        shell => "/bin/bash",
        require => Class["groups"],
    }
}

class users {
    define_user { "example":
        comment => "Full Name",
        groups => ["admin"],
    }
    # resource titles must be unique, so the second user needs its own title
    define_user { "example2": }
}

-Brad

On Oct 19, 3:57 pm, "Andrew Shafer" <and...@reductivelabs.com> wrote:
> adduser is a nice interactive script, but it is using useradd, etc,
> underneath the covers.
>
> I believe --disable-password is just going to create a user without a
> password which is the default behavior if no password is specified with
> useradd. There is no --disable-password for useradd.
>
> There are probably subtleties between systems that I'm not aware of, but I
> don't think you have a problem. (Someone please correct me if I'm wrong. I'm
> not a battle hardened sysadmin by any stretch of the imagination)
>
> Just curious, did you try to make users with puppet?

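The shadow-file check described in the message above, as an added example (not code from the thread or from Puppet): it classifies the password field of /etc/shadow entries following shadow(5), so that '!' and '*' land in the same state while an empty field is reported separately. The sample entries, login names and function names are constructed for illustration.

```python
import re

# A usable hash is either modular crypt format ($id$salt$hash) or the
# traditional 13-character DES crypt string.
_HASH_RE = re.compile(r"^(\$[0-9A-Za-z-]+\$.+|[./0-9A-Za-z]{13})$")

EMPTY = "empty"        # shadow(5): no password is required for this login
UNUSABLE = "unusable"  # not a crypt(3) result, so no password can match
LOCKED = "locked"      # '!' put in front of a real hash (e.g. passwd -l)
HASH = "hash"          # a password hash that can be logged in with

# Constructed sample in /etc/shadow format; names and hashes are made up.
SAMPLE_SHADOW = """\
puppet_user:!:14171:0:99999:7:::
adduser_user:*:14171:0:99999:7:::
locked_user:!$6$examplesalt$CONSTRUCTEDnotARealHash:14171:0:99999:7:::
empty_user::14171:0:99999:7:::
normal_user:$6$examplesalt$CONSTRUCTEDnotARealHash:14171:0:99999:7:::
"""


def classify_password_field(field):
    """Classify the second colon-separated field of a shadow entry."""
    if field == "":
        return EMPTY
    if _HASH_RE.match(field):
        return HASH
    # A locked account keeps its old hash behind one or more '!'.
    if field.startswith("!") and _HASH_RE.match(field.lstrip("!")):
        return LOCKED
    # '!', '*', '!!' and any other non-hash string end up here.
    return UNUSABLE


def audit_shadow(text):
    """Return {login: state} for every entry in shadow-format text."""
    states = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            raise ValueError("line %d is not a shadow entry" % lineno)
        states[parts[0]] = classify_password_field(parts[1])
    return states


def password_login_possible(states):
    """Logins whose field still lets a password (or none) authenticate."""
    return sorted(n for n, s in states.items() if s in (EMPTY, HASH))


if __name__ == "__main__":
    states = audit_shadow(SAMPLE_SHADOW)
    for name in sorted(states):
        print("%-13s %s" % (name, states[name]))
    print("password login possible:", password_login_possible(states))
```

An unusable or locked field only rules out password authentication; shadow(5) notes that the user may still log in by other means, such as SSH keys.
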
A few more things I noticed about puppet's users and groups:

* No way to specify "system" users or groups (other than hard-coded
ids)
* Removing a group from the groups parameter of a user does not remove
the user from that group (adding groups works)

-Brad

On Oct 19, 3:57 pm, "Andrew Shafer" <and...@reductivelabs.com> wrote:
> adduser is a nice interactive script, but it is using useradd, etc,
> underneath the covers.
>
> I believe --disable-password is just going to create a user without a
> password which is the default behavior if no password is specified with
> useradd. There is no --disable-password for useradd.
>
> There are probably subtleties between systems that I'm not aware of, but I
> don't think you have a problem. (Someone please correct me if I'm wrong. I'm
> not a battle hardened sysadmin by any stretch of the imagination)
>
> Just curious, did you try to make users with puppet?

Brad,

Comments inline:

On Sun, Oct 19, 2008 at 11:48 PM, schickb <schickb@gmail.com> wrote:
> A few more things I noticed about puppet's users and groups:
>
> * No way to specify "system" users or groups (other than hard-coded
> ids)

If you are managing users/groups with Puppet you probably *want*
hard-coded IDs. You should specify every part of the configs you care
about; clearly you care that system users get IDs in a certain range,
therefore you should specify the IDs.

> * Removing a group from the groups parameter of a user does not remove
> the user from that group (adding groups works)

Yes it does, if you follow the docs. Clearly you are *aware* of the
"membership" parameter, you use it in the defines you posted in
another message. If you read the documentation for it, you will see
that this parameter tells Puppet whether you want the membership list
to be "user should be a member of *at least* these groups" or "these
are *all* the groups user should be a member of". It works great :-)

--Paul

> -Brad

It's not immediately clear what the "membership" parameter does, based on the description in the wiki. Once you already know what it does, the description makes sense, but if you don't already know, it's obtuse. This is something that tripped me up too.

I know it's a wiki, but maybe someone with more experience can update the descriptions of membership and groups, giving a better understanding of this issue.

On Mon, Oct 20, 2008 at 12:26 PM, Paul Lathrop <paul@tertiusfamily.net> wrote:
>
> Brad,
>
> Comments inline:
>
> On Sun, Oct 19, 2008 at 11:48 PM, schickb <schickb@gmail.com> wrote:
>> A few more things I noticed about puppet's users and groups:
>>
>> * No way to specify "system" users or groups (other than hard-coded
>> ids)
>
> If you are managing users/groups with Puppet you probably *want*
> hard-coded IDs. You should specify every part of the configs you care
> about; clearly you care that system users get IDs in a certain range,
> therefore you should specify the IDs.
>
>> * Removing a group from the groups parameter of a user does not remove
>> the user from that group (adding groups work)
>
> Yes it does, if you follow the docs. Clearly you are *aware* of the
> "membership" parameter, you use it in the defines you posted in
> another message. If you read the documentation for it, you will see
> that this parameter tells Puppet whether you want the membership list
> to be "user should be a member of *at least* these groups" or "these
> are *all* the groups user should be a member of". It works great :-)
>
> --Paul
>
>> -Brad
>>
>>
>> On Oct 19, 3:57 pm, "Andrew Shafer" <and...@reductivelabs.com> wrote:
>>> adduser is a nice interactive script, but it is using useradd, etc,
>>> underneath the covers.
>>>
>>> I believe --disable-password is just going to create a user without a
>>> password which is the default behavior if no password is specified with
>>> useradd. There is no --disable-password for useradd.
>>>
>>> There are probably subtleties between systems that I'm not aware of, but I
>>> don't think you have a problem. (Someone please correct me if I'm wrong. I'm
>>> not a battle hardened sysadmin by any stretch of the imagination)
>>>
>>> Just curious, did you try to make users with puppet?
>>>
>>> On Sun, Oct 19, 2008 at 3:47 PM, schickb <schi...@gmail.com> wrote:
>>>
>>> > Thanks for the tips. The main problem for me was lack of information
>>> > in the puppet docs about password for newly created users on Linux
>>> > systems (useradd etc). I saw no way to do --disabled-password for
>>> > example, and it wasn't clear to me what the state of the password
>>> > would be if I didn't provide it explicitly.
>>>
>>> > -Brad
>>>
>>> > On Oct 19, 12:15 pm, "Paul Lathrop" <p...@tertiusfamily.net> wrote:
>>> > > You are running into a common misconception of people new to Puppet. A
>>> > > define is not some sort of function. You don't "run" defines. Puppet
>>> > > is a declarative language, you are trying to use it like an imperative
>>> > > language, and you will be fighting the tool the whole way.
>>>
>>> > > What features do you want that the predefined types don't support?
>>> > > Maybe we can help you to understand the Puppet Way to do what you want
>>> > > to do. In this example you included, I don't see you getting any
>>> > > features that are unsupported by Puppet users/groups.
>>>
>>> > > --Paul
>>>
>>> > > On Sun, Oct 19, 2008 at 12:33 AM, schickb <schi...@gmail.com> wrote:
>>>
>>> > > > I am working on defining users and groups manually. I know there are
>>> > > > basic predefined types, but they don't support all of the features
>>> > > > I'll want, and I am learning in the process. I'm a bit stumped when
>>> > > > trying to add a user to multiple groups that are defined in an array.
>>> > > > Currently I have code similar to that below, but it's wrong since I am
>>> > > > not handling the $groups array correctly. How can I run add_to_group
>>> > > > once for each group?
>>>
>>> > > > define make_group($desc = "") {
>>> > > >     exec { "addgroup --gecos \"$desc\" \"$title\"":
>>> > > >         unless => "grep $title /etc/group",
>>> > > >         path => "/usr/bin:/usr/sbin:/bin",
>>> > > >     }
>>> > > > }
>>>
>>> > > > define add_to_group($group) {
>>> > > >     exec { "adduser $title $group":
>>> > > >         unless => "groups $title | grep $group",
>>> > > >         path => "/usr/bin:/usr/sbin:/bin",
>>> > > >     }
>>> > > > }
>>>
>>> > > > define make_user($fullname, $groups="") {
>>> > > >     exec { "adduser-$title":
>>> > > >         command => "adduser --disabled-password --gecos \"$fullname\"
>>> > > > \"$title\"",
>>> > > >         creates => "/home/$title",
>>> > > >         path => "/usr/bin:/usr/sbin:/bin",
>>> > > >     }
>>>
>>> > > >     if $groups {
>>> > > >         add_to_group { $title:
>>> > > >             group => $groups,
>>> > > >             require => [Class["all_groups"], Exec["adduser-$title"]],
>>> > > >         }
>>> > > >     }
>>> > > > }
>>>
>>> > > > class all_groups {
>>> > > >     make_group { "sudoers":
>>> > > >         desc => "users allowed to sudo",
>>> > > >     }
>>> > > >     make_group { "admins":}
>>> > > >     make_group { "another":}
>>> > > > }
>>>
>>> > > > class all_users {
>>> > > >     make_user { "example":
>>> > > >         fullname => "Full Name",
>>> > > >         groups => ["sudoers", "another"],
>>> > > >     }
>>> > > > }
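The two "membership" settings Paul describes, written out with the built-in types as an added example (not code from the thread). The group names and the `example` account are reused from the original question; the second account, `example2`, is invented here for the contrast.

```puppet
# Added example: declare the groups once, then hand the whole array to
# the user type. No per-group exec is needed.
group { ['sudoers', 'admins', 'another']:
  ensure => present,
}

# membership => minimum (the default): "at least these groups".
# Puppet adds missing memberships but never removes any, so deleting
# 'sudoers' from this list later leaves the account in sudoers.
user { 'example':
  ensure     => present,
  comment    => 'Full Name',
  groups     => ['sudoers', 'another'],
  membership => minimum,
  require    => [Group['sudoers'], Group['another']],
}

# membership => inclusive: "these are all the groups".
# Any supplementary group not listed here is removed on the next run,
# so dropping a privileged group from the list actually revokes it.
user { 'example2':   # hypothetical second account
  ensure     => present,
  comment    => 'Second User',
  groups     => ['another'],
  membership => inclusive,
  require    => Group['another'],
}
```

With `inclusive`, memberships granted outside Puppet (for example by a package script or by hand) are also removed, so the list has to be complete before the setting is switched on.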
> > * No way to specify "system" users or groups (other than hard-coded
> > ids)
>
> If you are managing users/groups with Puppet you probably *want*
> hard-coded IDs. You should specify every part of the configs you care
> about; clearly you care that system users get IDs in a certain range,
> therefore you should specify the IDs.

Well for now I really don't care about IDs since users don't span machines. I'm more concerned about hard-coding an ID that some other software hard codes as well. Hopefully that isn't common.

> > * Removing a group from the groups parameter of a user does not remove
> > the user from that group (adding groups work)
>
> Yes it does, if you follow the docs. Clearly you are *aware* of the
> "membership" parameter, you use it in the defines you posted in
> another message.

Ah yes, thanks. Being just a few hours into puppet all of the details have not sunk in yet. My awareness apparently lapsed ;)

-Brad
Paul Lathrop wrote:

> On Sun, Oct 19, 2008 at 11:48 PM, schickb <schickb@gmail.com> wrote:
>> * No way to specify "system" users or groups (other than hard-coded
>> ids)
>
> If you are managing users/groups with Puppet you probably *want*
> hard-coded IDs. You should specify every part of the configs you care
> about; clearly you care that system users get IDs in a certain range,
> therefore you should specify the IDs.

I disagree!

I need to create a user for a software package. I pick a uid that is currently free in the range reserved for system users (1-500 on RedHat), for example 493. Next, I install an RPM that creates a system user of its own, e.g. pulseaudio; that RPM will pick a free userid in the system range, e.g. 492. All is well.

Now I install a new machine with the same Puppet manifests. If the pulseaudio RPM happens to be installed before my manifest creates my user, it may very well pick uid 493 for its user! Suddenly we have a collision, because I hardcoded a uid. That's bad.

You might argue that those RPMs that allocate uids dynamically are ill-mannered. However, that's how lots and lots of RPMs work, and that's how for instance RedHat has specified that they should work. I for one have more productive things to do with my time than trying to convince RedHat that all RPMs should allocate uids statically...

And by the way, I'm attaching a recipe for managing system users and system groups under RedHat below. It only handles a few of the most important parameters that the normal user and group types handle, but it should be fairly easy to extend if you need. Share and enjoy!

/Thomas Bellman

------------------------------------------------------------------------
# Create (or remove) a system account, i.e. one with a "low" uid.
# The normal user type can't be instructed to create a system
# account without hardcoding a uid, which we don't want to do.
#
# A group with the same name as the user will be created at the
# same time.
#
# This implementation is RedHat specific.

define rh_sysuser($comment="", $home="/", $shell="/sbin/nologin",
                  $ensure="present")
{
    rh_sysgroup {
        $name:
            ensure => $ensure;
    }
    case $ensure
    {
        "present": {
            exec {
                "sysuser--$name":
                    command => "useradd -r -c '$comment' -M -d '$home' -s '$shell' -g '$name' '$name'",
                    unless => "getent passwd '$name'",
                    path => "/sbin:/usr/sbin:/bin:/usr/bin",
                    require => Rh_sysgroup[$name];
            }
        }
        "absent": {
            exec {
                "sysuser--$name":
                    command => "userdel -f '$name'",
                    onlyif => "getent passwd '$name'",
                    path => "/sbin:/usr/sbin:/bin:/usr/bin",
                    before => Rh_sysgroup[$name];
            }
        }
        default: {
            fail("Bad rh_sysuser parameter ensure: $ensure")
        }
    }
    # These are here so we get auto-require from things that want
    # user and/or group names, like the file type.
    user {
        "$name":
            ensure => $ensure, gid => $name,
            comment => $comment, home => $home, shell => $shell,
            require => Exec["sysuser--$name"]
    }
}

define rh_sysgroup($ensure="present")
{
    case $ensure
    {
        "present": {
            exec {
                "sysgroup--$name":
                    command => "groupadd -r '$name'",
                    unless => "getent group '$name'",
                    path => "/sbin:/usr/sbin:/bin:/usr/bin";
            }
        }
        "absent": {
            exec {
                "sysgroup--$name":
                    command => "groupdel '$name'",
                    onlyif => "getent group '$name'",
                    path => "/sbin:/usr/sbin:/bin:/usr/bin";
            }
        }
        default: {
            fail("Bad rh_sysgroup parameter ensure: $ensure")
        }
    }
    # This is here so we get auto-require from things that want
    # group names, like the file type.
    group {
        "$name":
            ensure => $ensure,
            require => Exec["sysgroup--$name"]
    }
}
------------------------------------------------------------------------
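For comparison, an added example that is not from the thread: Puppet releases newer than the one discussed here give the built-in user and group types a `system` attribute, so the OS picks a free low ID at creation time with no hard-coded uid and no shell command assembled from parameters. The defined type name `sysaccount` and the account `myservice` are invented for illustration, the typed parameter syntax assumes Puppet 4 or later, and the sketch covers creation only.

```puppet
# Added example: system account without a fixed uid and without exec.
define sysaccount (
  # Accept only plain account names; anything else fails at compile time.
  Pattern[/\A[a-z_][a-z0-9_-]*\z/] $username = $title,
  String                           $comment  = '',
  String                           $home     = '/',
  String                           $shell    = '/sbin/nologin',
) {
  # A group with the same name as the user, allocated from the
  # system GID range by the platform's own tools.
  group { $username:
    ensure => present,
    system => true,
  }

  user { $username:
    ensure  => present,
    system  => true,        # only consulted when the account is created
    gid     => $username,
    comment => $comment,    # passed as an argument, not through a shell
    home    => $home,
    shell   => $shell,
    require => Group[$username],
  }
}

sysaccount { 'myservice':   # hypothetical service account
  comment => 'Service account',
}
```

Because `system` is only honoured at creation, an account that already exists with a high uid is left as it is.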