I have a need to audit user accounts on all of my puppet clients. Essentially, I need to collect the password and shadow file from all of my clients to one central location and analyze them. How would someone do this using puppet? Is there any mechanism to ship files to the master from the client? From the recent Fabric vs ControlTier thread, it sounds like people end up using other tools to do stuff like this but I was wondering if I can use puppet for this...

Another, unrelated, question I have is regarding tags. Can I do "puppetrun --host <hostA> --tags <classA>" if classA is not otherwise assigned to hostA?

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

On Mon, Apr 19, 2010 at 12:42 PM, Sukh Khehra <skhehra@proofpoint.com> wrote:
> I have a need to audit user accounts on all of my puppet clients.
> Essentially, I need to collect the password and shadow file from all of my
> clients to one central location and analyze them. How would someone do this
> using puppet? Is there any mechanism to ship files to the master from the
> client? From the recent Fabric vs ControlTier thread, it sounds like people
> end up using other tools to do stuff like this but I was wondering if I can
> use puppet for this...

There is a backup facility, though it's probably not what you want in this case. Currently it's not highly instrumented for combing through backups and finding what you want to look at, and stores things named after md5sums.

http://docs.reductivelabs.com/guides/types/file.html

You could use Puppet to execute something like rdiff-backup?

> Another, unrelated, question I have is regarding tags. Can I do "puppetrun
> --host <hostA> --tags <classA>" if classA is not otherwise assigned to
> hostA?

Tags are really not about classes, tags are a separate concept. --tags means "run resources tagged with this value".

Puppetrun is due for some upgrades -- though these are going to wait a bit in priority behind some other things, as we're doing a lot of improvements to the way the internals of the catalog/etc behave and want to make a puppetrun that works well with multiple sources of node information, rather than just LDAP, which it does now.
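
As an added example (not part of the original thread): once passwd and shadow files have been collected centrally by whatever transport, a short script can do the account audit the original question describes. The host name, sample records and finding labels below are constructed for illustration.

```python
# Constructed sample data standing in for the files collected from one client.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:$6$constructedsalt$CONSTRUCTEDHASH:14718:0:99999:7:::
toor:$6$constructedsalt$CONSTRUCTEDHASH:14718:0:99999:7:::
alice::14718:0:99999:7:::
bob:$1$constructed$CONSTRUCTEDHASH:14718:0:99999:7:::
daemon:*:14718:0:99999:7:::
"""

def parse(text, min_fields):
    """Yield colon-split records, skipping blanks, comments and short lines."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) >= min_fields:
                yield fields

def audit(host, passwd_text, shadow_text):
    """Return a sorted list of (host, user, finding) tuples."""
    findings = []
    shadow = {f[0]: f[1] for f in parse(shadow_text, 2)}
    for f in parse(passwd_text, 7):
        user, pw, uid = f[0], f[1], f[2]
        if uid == "0" and user != "root":
            findings.append((host, user, "uid 0 but not root"))
        if pw == "":
            findings.append((host, user, "empty password field in passwd"))
        if pw == "x":  # "x" means the real hash lives in shadow
            if user not in shadow:
                findings.append((host, user, "no shadow entry"))
            elif shadow[user] == "":
                findings.append((host, user, "empty password in shadow"))
            elif shadow[user].startswith("$1$"):
                findings.append((host, user, "MD5-crypt hash"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit("hostA", SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(*finding, sep="\t")
```
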

Thanks for your reply. On my tags question I used the class as an example because I read that puppet auto creates a tag using the class name. My question really is whether the resource referenced by the tag should already be assigned to the host via node classification for this to work.

E.g. let's say I have a class like this.

    class preupgrade {
      exec { "/etc/init.d/httpd stop": tag => "stopapache" }
    }

I don't want to assign this class to all nodes but want to be able to trigger it on an ad hoc basis. So my question is can I do this on the master without first assigning the "preupgrade" class to hostA?

    puppetrun --host <hostA> --tags stopapache

In other words, does puppet look for the tagged resources in the entire config codebase or just the stuff that is applicable to the node by virtue of node classification?

Hope this makes sense.

-----Original Message-----
From: puppet-users@googlegroups.com [mailto:puppet-users@googlegroups.com] On Behalf Of Michael DeHaan
Sent: Monday, April 19, 2010 11:07 AM
To: puppet-users@googlegroups.com
Subject: Re: [Puppet Users] ad hoc tasks with puppet

On Mon, Apr 19, 2010 at 2:51 PM, Sukh Khehra <skhehra@proofpoint.com> wrote:
> Thanks for your reply. On my tags question I used the class as an
> example because I read that puppet auto creates a tag using the class
> name. My question really is whether the resource referenced by the tag
> should already be assigned to the host via node classification for this
> to work.

Yes, it means "of all the resources assigned to the host, run the ones that are tagged foo".

> E.g. let's say I have a class like this.
>
> class preupgrade {
>   exec { "/etc/init.d/httpd stop": tag => "stopapache" }
> }
>
> I don't want to assign this class to all nodes but want to be able to
> trigger it on an ad hoc basis. So my question is can I do this on the
> master without first assigning the "preupgrade" class to hostA?
>
> puppetrun --host <hostA> --tags stopapache
>
> In other words, does puppet look for the tagged resources in the entire
> config codebase or just the stuff that is applicable to the node by
> virtue of node classification?

You could use conditionals, right? Though that might be a little weird, and seems like it could result in an Apache that restarts /often/ if you have it configured with puppetd. I'm not sure I like the idea of something that requires that puppetd *not* be in use to work as you intend it.

Anyway, see conditional docs:

http://docs.reductivelabs.com/guides/more_language.html

However it's a little bit of a fringe usage to use the model to do this presently. I'd much rather just be able to use ralsh remotely to call the exec.

That being said, I'd *love* for this kind of thing to be possible. I'd like to describe my power management configuration for a class of hardware in Puppet, for instance.

(Example: https://fedorahosted.org/cobbler/wiki/PowerManagement)

> Hope this makes sense.