Hi,

just starting off with Puppet on Macs. Initially we are planning for a small group of machines. If successful we plan to span it to entire environment in a phased manner.

I have a couple of newbie questions.

Do I have to use custom script to create and maintain user/group accounts as far as I have read I can manage passwords?

Can I use puppet fileserver also as sourcedir for pushing packages?

Can anyone enumerate the advantages/disadvantages between using Templates and Classes for defining Nodes?

Thanks
yogesh

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Yogesh,

You clearly have a lot of reading to do. Take a look at the documentation available on the Puppet website: http://reductivelabs.com/trac/puppet/wiki/DocumentationStart is a great place to start. I say you have a lot of reading to do because a couple of your questions don't really make sense; you don't use templates *or* classes to define nodes. A node is a node, and it may or may not include classes and/or use templates. I recommend you read through the documentation, then start off managing a single, conceptually-isolated part of your infrastructure; the canonical example is managing SSH.

Good luck!

--Paul

On Fri, Nov 14, 2008 at 9:13 AM, yogesh.bhanu@googlemail.com <yogesh.bhanu@googlemail.com> wrote:
>
> Hi,
>
> just starting off with Puppet on Macs. Initially we are planning for a
> small group of machines. If successful we plan to span it to entire
> environment in a phased manner.
>
> I have a couple of newbie questions.
>
> Do I have to use custom script to create and maintain user/group
> accounts as far as I have read I can manage passwords?
>
> Can I use puppet fileserver also as sourcedir for pushing packages?
>
> Can anyone enumerate the advantages/disadvantages between using
> Templates and Classes for defining
> Nodes?
>
> Thanks
> yogesh
On Fri, Nov 14, 2008 at 9:13 AM, yogesh.bhanu@googlemail.com <yogesh.bhanu@googlemail.com> wrote:
>
> Hi,
>
> just starting off with Puppet on Macs. Initially we are planning for a
> small group of machines. If successful we plan to span it to entire
> environment in a phased manner.
>
> I have a couple of newbie questions.
>
> Do I have to use custom script to create and maintain user/group
> accounts as far as I have read I can manage passwords?

(ditto Paul's comment about reading the docs a bit more as some of this may not make sense until you do)

The Mac user provider as of the current stable build supports specifying passwords in the actual puppet manifests, unlike all other local directoryservice providers.

Most people don't want this. It exposes your passwords in all sorts of places that you probably don't want.

A patch has just been submitted for this, and once it's fully committed, I'll be providing back-ports of other Puppet versions on my site that are marked as using either the clear text password provider, or the new version that just allows you to specify the password hash instead.

Groups aren't changing.

An alternative to managing users and groups via User and Group resources in Puppet if you're using OS X 10.5 is to use two File resources and an Exec resource.

1 File resource to define the user at /var/db/dslocal/nodes/Default/users/username.plist
1 File resource to define the password at /var/db/shadow/hash/useruuid
1 Exec resource to send a HUP signal to DirectoryServices.

You set the Exec resource to be "refreshonly" so it only runs when triggered by another resource. You then notify the Exec resource in each of the 2 File resources above, so if you modify the user account or the password, you're telling DirectoryServices to refresh.
Jeff McCune and I are actually working on our Puppet talk for Macworld 09 in the next week, so I'm particularly interested to hear what the major conceptual stumbling blocks were for getting started so that we make sure we're smoothing that path out.

Puppet is quite different to most of the standard Mac config management tools, but it's far more powerful and flexible.

>
> Can I use puppet fileserver also as sourcedir for pushing packages?
>
> Can anyone enumerate the advantages/disadvantages between using
> Templates and Classes for defining
> Nodes?
>
> Thanks
> yogesh

--
Nigel Kersten
Systems Administrator
Tech Lead - MacOps
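The two-File-plus-Exec pattern described in the message above, written out as a manifest. This is an added example, not code from the thread or from Puppet itself; the account name `exampleuser`, the GeneratedUID placeholder, the `macusers` fileserver module and the `killall` command line are assumptions made for illustration.

```puppet
# Added illustration; not from the thread. Values marked "assumed" are placeholders.

# Signals the directory daemon. refreshonly => true means this never runs on
# its own, only when one of the File resources below notifies it.
exec { "refresh-directoryservice":
  # Assumed command; the message only says "send a HUP signal".
  command     => "/usr/bin/killall -HUP DirectoryService",
  refreshonly => true,
}

# User record in the local directory node (OS X 10.5 dslocal store).
file { "/var/db/dslocal/nodes/Default/users/exampleuser.plist":
  owner  => "root",
  group  => "wheel",
  mode   => "0600",
  # Assumed source; the URI form depends on Puppet version and fileserver.conf.
  source => "puppet:///modules/macusers/exampleuser.plist",
  notify => Exec["refresh-directoryservice"],
}

# Password hash; the file name is the account's GeneratedUID (placeholder here).
file { "/var/db/shadow/hash/GENERATEDUID-PLACEHOLDER":
  owner  => "root",
  group  => "wheel",
  mode   => "0600",
  # Do not let Puppet keep a backup copy of a replaced hash file.
  backup => false,
  source => "puppet:///modules/macusers/exampleuser.hash",
  notify => Exec["refresh-directoryservice"],
}
```

Distributing a hash keeps the cleartext password out of the manifest, but the hash file is still a credential: limit which clients may read that fileserver mount in fileserver.conf.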
Hi,

I'm going thru the Wiki. I'm sorry about the confusion. What I meant by using Templates or Classes to define nodes.

I do understand that nodes define nodes. While going thru the wiki I stumbled on the Fact with Templates and Classes, and was wondering when the former makes more sense than the latter, since the wiki does not discuss this.

Cheers
yogesh

On Nov 16, 1:24 am, "Paul Lathrop" <p...@tertiusfamily.net> wrote:
> Yogesh,
>
> You clearly have a lot of reading to do. Take a look at the
> documentation available on the Puppet website: http://reductivelabs.com/trac/puppet/wiki/DocumentationStart is a
> great place to start. I say you have a lot of reading to do because a
> couple of your questions don't really make sense; you don't use
> templates *or* classes to define nodes. A node is a node, and it may
> or may not include classes and/or use templates. I recommend you read
> through the documentation, then start off managing a single,
> conceptually-isolated part of your infrastructure; the canonical
> example is managing SSH.
>
> Good luck!
>
> --Paul
>
> On Fri, Nov 14, 2008 at 9:13 AM, yogesh.bh...@googlemail.com
> <yogesh.bh...@googlemail.com> wrote:
> >
> > Hi,
> >
> > just starting off with Puppet on Macs. Initially we are planning for a
> > small group of machines. If successful we plan to span it to entire
> > environment in a phased manner.
> >
> > I have a couple of newbie questions.
> >
> > Do I have to use custom script to create and maintain user/group
> > accounts as far as I have read I can manage passwords?
> >
> > Can I use puppet fileserver also as sourcedir for pushing packages?
> >
> > Can anyone enumerate the advantages/disadvantages between using
> > Templates and Classes for defining
> > Nodes?
> >
> > Thanks
> > yogesh
Yogesh,

I don't understand what you are asking. Classes in Puppet provide a mechanism for semantic grouping and templates provide a mechanism to parametrize the generation of files. Both can use 'facts'. The templates complement the classes, they are not mutually exclusive.

Regards,
Andrew

On Mon, Nov 17, 2008 at 8:38 AM, yogesh.bhanu@googlemail.com <yogesh.bhanu@googlemail.com> wrote:
>
> Hi,
> I'm going thru the Wiki.
> I'm sorry about the confusion. What I meant by using Templates or
> Classes to define nodes.
>
> I do understand that nodes define nodes. While going thru the wiki I
> stumbled on the Fact with Templates and Classes,
> and was wondering when the former makes more sense than the latter,
> since the wiki does not discuss this.
>
> Cheers
> yogesh
>
> On Nov 16, 1:24 am, "Paul Lathrop" <p...@tertiusfamily.net> wrote:
> > Yogesh,
> >
> > You clearly have a lot of reading to do. Take a look at the
> > documentation available on the Puppet website:
> > http://reductivelabs.com/trac/puppet/wiki/DocumentationStart is a
> > great place to start. I say you have a lot of reading to do because a
> > couple of your questions don't really make sense; you don't use
> > templates *or* classes to define nodes. A node is a node, and it may
> > or may not include classes and/or use templates. I recommend you read
> > through the documentation, then start off managing a single,
> > conceptually-isolated part of your infrastructure; the canonical
> > example is managing SSH.
> >
> > Good luck!
> >
> > --Paul
> >
> > On Fri, Nov 14, 2008 at 9:13 AM, yogesh.bh...@googlemail.com
> > <yogesh.bh...@googlemail.com> wrote:
> > >
> > > Hi,
> > >
> > > just starting off with Puppet on Macs. Initially we are planning for a
> > > small group of machines. If successful we plan to span it to entire
> > > environment in a phased manner.
> > >
> > > I have a couple of newbie questions.
> > >
> > > Do I have to use custom script to create and maintain user/group
> > > accounts as far as I have read I can manage passwords?
> > >
> > > Can I use puppet fileserver also as sourcedir for pushing packages?
> > >
> > > Can anyone enumerate the advantages/disadvantages between using
> > > Templates and Classes for defining
> > > Nodes?
> > >
> > > Thanks
> > > yogesh
On Nov 15, 2008, at 8:46 PM, Nigel Kersten wrote:
> so I'm particularly interested to hear what the
> major conceptual stumbling blocks were for getting started so that we
> make sure we're smoothing that path out.

Terminology, type/provider development, and best practices.

How to selectively include classes when you aren't using nodes.

The whole client side cert generation using uuidgen.

Puppet is a lot to grok at once. I think the approach of starting small and just managing something simple as you have recommended is a good way to start and an eye opener to puppet's power.

Learning file and exec are important for getting things done since some of the resources aren't fully implemented yet for Mac.

Kyle
I think I should read the complete WIKI thru and then start with Puppet. Clearly there are a lot of OO concepts here.

When I was talking about Template and Classes what I meant was a scenario where I want to override a variable in my node definition which is also defined in my Template. (I know I have to cover a lot of ground).

Cheers
Yogesh
On Mon, Nov 17, 2008 at 8:33 PM, Crawford Kyle <kcrwfrd@gmail.com> wrote:
>
> On Nov 15, 2008, at 8:46 PM, Nigel Kersten wrote:
>
>> so I'm particularly interested to hear what the
>> major conceptual stumbling blocks were for getting started so that we
>> make sure we're smoothing that path out.
>
> Terminology, type/provider development, and best practices.
>
> How to selectively include classes when you aren't using nodes.
>
> The whole client side cert generation using uuidgen.
>
> Puppet is a lot to grok at once. I think the approach of starting
> small and just managing something simple as you have recommended is a
> good way to start and an eye opener to puppet's power.
>
> Learning file and exec are important for getting things done since
> some of the resources aren't fully implemented yet for Mac.
>
> Kyle

Much appreciated Kyle.

What resources do you currently have to model with file and exec that you'd like to see native types for?

I'm working on the launchd service type and an /etc/authorization db type at the moment, and have some spare time over the next 2 weeks while my family is overseas....

--
Nigel Kersten
Systems Administrator
Tech Lead - MacOps
On Nov 18, 2008, at 11:17 AM, Nigel Kersten wrote:
>
> On Mon, Nov 17, 2008 at 8:33 PM, Crawford Kyle <kcrwfrd@gmail.com> wrote:
>>
>> On Nov 15, 2008, at 8:46 PM, Nigel Kersten wrote:
>>
>>> so I'm particularly interested to hear what the
>>> major conceptual stumbling blocks were for getting started so that we
>>> make sure we're smoothing that path out.
>>
>> Terminology, type/provider development, and best practices.
>>
>> How to selectively include classes when you aren't using nodes.
>>
>> The whole client side cert generation using uuidgen.
>>
>> Puppet is a lot to grok at once. I think the approach of starting
>> small and just managing something simple as you have recommended is a
>> good way to start and an eye opener to puppet's power.
>>
>> Learning file and exec are important for getting things done since
>> some of the resources aren't fully implemented yet for Mac.
>>
>> Kyle
>
> Much appreciated Kyle.
>
> What resources do you currently have to model with file and exec that
> you'd like to see native types for?
>
> I'm working on the launchd service type and an /etc/authorization db
> type at the moment, and have some spare time over the next 2 weeks
> while my family is overseas....

defaults/plists: the mac-defaults type doesn't do nesting and array checking well. I use exec with PlistBuddy for some things, but I don't like it. I started looking into CFPreferences via RubyCocoa, but didn't have time to get very far. Is there a Ruby module as good as python's plistlib?

mcx: not sure what I want here yet: currently we push a computer account using a template based on a custom fact of whether it is a laptop or desktop and computer group plists as files. I'd rather implement more mcx at the group level, but because of apple's restriction of only applying mcx to a single group, that isn't practical.
group membership: I implemented some simple membership checking in directoryservice.rb, which was all commented out for 10.5 so it wasn't doing anything. groups just calls `groups` and splits it into an array, and membership is changed using dseditgroup. I didn't bother submitting this since it is not very clean and I thought we were moving to using RubyCocoa bridge to talk directly to the APIs rather than shell commands, but maybe that is more of a long-term goal.

passwords: currently we distribute the hash file, but will change to your new method

launchd: I know you are working on this for services. Do we also need this for all of the other capabilities of launchd (agents, contexts, schedules)? perhaps the "cron" type should be renamed something more generic like "jobs" and include these other capabilities like WatchPaths, etc.

user accounts, computer accounts, and other directoryservice record types: currently we just push plists, we may want to manage just certain properties of the account, we may want to augment the accounts. I suppose we could use an improved mac-defaults for managing anything in plist format, including dslocal, but again I thought we were moving to using APIs rather than manipulating the datastore.

AD plugin: I currently just exec dsconfigad to turn on/off mobile accounts based on the laptop fact. This is just stored in a plist though, so the plist manipulation would potentially work except DirectoryService would need to be killed -9 to prevent it from overwriting the direct change to the config file. Maybe services need different methods for restarting themselves (notify with signal => -9)

Packages: I generally don't like Apple's package installer system, nor software update for lots of reasons so we don't use them, but when I did look into some of the package providers, they didn't check the receipts database and/or relied on tracking what was already installed in a text file. We still use radmind for most of our machines.
I've yet to take the time to somehow integrate puppet with radmind. I've already built a system for managing radmind, but I'm thinking some of that could be implemented with puppet. I do need to figure out some way of patching the machines not managed by radmind or just bring them into radmind until there is a better package story.

the authorization db work sounds great. I'm sure we will use that.

I expect we will be relying on Puppet more and more over the coming months to implement our new self-induced security compliance requirements and hopefully I'll have time to delve deeper into puppet and be of more help.

Enjoy your free time. I know how that is, though I'm sure you miss them too.

Kyle
On Tue, Nov 18, 2008 at 8:00 PM, Crawford Kyle <kcrwfrd@gmail.com> wrote:
>
> On Nov 18, 2008, at 11:17 AM, Nigel Kersten wrote:
>
>> On Mon, Nov 17, 2008 at 8:33 PM, Crawford Kyle <kcrwfrd@gmail.com> wrote:
>>>
>>> On Nov 15, 2008, at 8:46 PM, Nigel Kersten wrote:
>>>
>>>> so I'm particularly interested to hear what the
>>>> major conceptual stumbling blocks were for getting started so that we
>>>> make sure we're smoothing that path out.
>>>
>>> Terminology, type/provider development, and best practices.
>>>
>>> How to selectively include classes when you aren't using nodes.
>>>
>>> The whole client side cert generation using uuidgen.
>>>
>>> Puppet is a lot to grok at once. I think the approach of starting
>>> small and just managing something simple as you have recommended is a
>>> good way to start and an eye opener to puppet's power.
>>>
>>> Learning file and exec are important for getting things done since
>>> some of the resources aren't fully implemented yet for Mac.
>>>
>>> Kyle
>>
>> Much appreciated Kyle.
>>
>> What resources do you currently have to model with file and exec that
>> you'd like to see native types for?
>>
>> I'm working on the launchd service type and an /etc/authorization db
>> type at the moment, and have some spare time over the next 2 weeks
>> while my family is overseas....
>
> defaults/plists: the mac-defaults type doesn't do nesting and array
> checking well. I use exec with PlistBuddy for some things, but I
> don't like it. I started looking into CFPreferences via RubyCocoa,
> but didn't have time to get very far. Is there a Ruby module as good
> as python's plistlib?

Depends what you mean by "as good as" :) If you're running a recent Facter, you have 'facter/util/plist' which is close to equivalent to plistlib.

Both have the problem of not being able to parse binary format plists.
You can get around this by using not CFPreferences, but Foundation to instantiate dictionaries from plists, which works with both xml and binary1.

The other option is PlistBuddy, but if you have 10.4 clients it isn't in a predictable location by default.

I'm a bit torn on this. It would be useful to have a generic plist module I suppose, but what is it that you're doing that you wanted nested values and arrays for?

It almost seems better to model those individually if they're complex?

>
> mcx: not sure what I want here yet: currently we push a computer
> account using a template based on a custom fact of whether it is a
> laptop or desktop and computer group plists as files. I'd rather
> implement more mcx at the group level, but because of apple's
> restriction of only applying mcx to a single group, that isn't
> practical.

You know you can nest groups though, and then MCX flows through?

We do direct twiddling of a localhost computer account too. I'm not sure where this should be done, but am meaning to look at whether the host type could perhaps support it.

>
> group membership: I implemented some simple membership checking in
> directoryservice.rb, which was all commented out for 10.5 so it wasn't
> doing anything. groups just calls `groups` and splits it into an
> array, and membership is changed using dseditgroup. I didn't bother
> submitting this since it is not very clean and I thought we were
> moving to using RubyCocoa bridge to talk directly to the APIs rather
> than shell commands, but maybe that is more of a long-term goal.

I think Puppet needs to support 10.4 out of the box at this stage imho. It's still widely in use, and so unless people are willing to install RubyCocoa to get this stuff working... maybe it's not an option yet.

I need to look at groups again actually. Thanks for reminding me.

>
> passwords: currently we distribute the hash file, but will change to
> your new method
>
> launchd: I know you are working on this for services.
> Do we also need
> this for all of the other capabilities of launchd (agents, contexts,
> schedules)? perhaps the "cron" type should be renamed something more
> generic like "jobs" and include these other capabilities like
> WatchPaths, etc.

Currently I have this, which is everything working apart from autorequire.

http://github.com/nigelkersten/puppet/commit/7466c0bde497b02a729772c392a9c378686fb252

That will get done today. It covers the primary LaunchDaemons and LaunchAgents.

Would you really like to be able to model a launchd job completely in puppet? It can be quite a complicated format which would result in hideous manifests I think. Currently that patch above just manages whether the job is enabled at boot and the current state. Once it autorequires the appropriate file it should end up being quite flexible.

>
> user accounts, computer accounts, and other directoryservice record
> types: currently we just push plists, we may want to manage just
> certain properties of the account, we may want to augment the
> accounts. I suppose we could use an improved mac-defaults for
> managing anything in plist format, including dslocal, but again I
> thought we were moving to using APIs rather than manipulating the
> datastore.

Yep, so users should be fine soon, computers I'm still unsure about. Then when you're talking about MCX policy, where do you define that so you can also automatically require the appropriate object for it to be attached to?

Having DirectoryServices handle so much stuff in OS X is a bit of a problem for where to model all this in Puppet.

>
> AD plugin: I currently just exec dsconfigad to turn on/off mobile
> accounts based on the laptop fact. This is just stored in a plist
> though, so the plist manipulation would potentially work except
> DirectoryService would need to be killed -9 to prevent it from
> overwriting the direct change to the config file.
> Maybe services need
> different methods for restarting themselves (notify with signal => -9)
>
> Packages: I generally don't like Apple's package installer system, nor
> software update for lots of reasons so we don't use them, but when I
> did look into some of the package providers, they didn't check the
> receipts database and/or relied on tracking what was already installed
> in a text file. We still use radmind for most of our machines. I've
> yet to take the time to somehow integrate puppet with radmind. I've
> already built a system for managing radmind, but I'm thinking some of
> that could be implemented with puppet. I do need to figure out some
> way of patching the machines not managed by radmind or just bring them
> into radmind until there is a better package story.

I'm actually talking to Greg Neagle at the moment about building a framework for third party pkg repositories, and then eventually have a puppet package provider so we can just do stuff like:

package { "python":
    provider => pkgrepo, # or something
    ensure => latest,
}

>
> the authorization db work sounds great. I'm sure we will use that.
>
> I expect we will be relying on Puppet more and more over the coming
> months to implement our new self-induced security compliance
> requirements and hopefully I'll have time to delve deeper into puppet
> and be of more help.
>
> Enjoy your free time. I know how that is, though I'm sure you miss
> them too.

cheers :)

--
Nigel Kersten
Systems Administrator
Tech Lead - MacOps
On Nov 19, 2008, at 10:56 AM, Nigel Kersten wrote:
>
> On Tue, Nov 18, 2008 at 8:00 PM, Crawford Kyle <kcrwfrd@gmail.com> wrote:
>>
>> On Nov 18, 2008, at 11:17 AM, Nigel Kersten wrote:
>>
>>> On Mon, Nov 17, 2008 at 8:33 PM, Crawford Kyle <kcrwfrd@gmail.com> wrote:
>>>>
>>>> On Nov 15, 2008, at 8:46 PM, Nigel Kersten wrote:
>>>>
>>>>> so I'm particularly interested to hear what the
>>>>> major conceptual stumbling blocks were for getting started so that we
>>>>> make sure we're smoothing that path out.
>>>>
>>>> Terminology, type/provider development, and best practices.
>>>>
>>>> How to selectively include classes when you aren't using nodes.
>>>>
>>>> The whole client side cert generation using uuidgen.
>>>>
>>>> Puppet is a lot to grok at once. I think the approach of starting
>>>> small and just managing something simple as you have recommended is a
>>>> good way to start and an eye opener to puppet's power.
>>>>
>>>> Learning file and exec are important for getting things done since
>>>> some of the resources aren't fully implemented yet for Mac.
>>>>
>>>> Kyle
>>>
>>> Much appreciated Kyle.
>>>
>>> What resources do you currently have to model with file and exec that
>>> you'd like to see native types for?
>>>
>>> I'm working on the launchd service type and an /etc/authorization db
>>> type at the moment, and have some spare time over the next 2 weeks
>>> while my family is overseas....
>>
>> defaults/plists: the mac-defaults type doesn't do nesting and array
>> checking well. I use exec with PlistBuddy for some things, but I
>> don't like it. I started looking into CFPreferences via RubyCocoa,
>> but didn't have time to get very far. Is there a Ruby module as good
>> as python's plistlib?
>
> Depends what you mean by "as good as" :) If you're running a recent
> Facter, you have 'facter/util/plist' which is close to equivalent to
> plistlib.
>
> Both have the problem of not being able to parse binary format plists.
> You can get around this by using not CFPreferences, but Foundation to
> instantiate dictionaries from plists, which works with both xml and
> binary1.
>
> The other option is PlistBuddy, but if you have 10.4 clients it isn't
> in a predictable location by default.
>
> I'm a bit torn on this. It would be useful to have a generic plist
> module I suppose, but what is it that you're doing that you wanted
> nested values and arrays for?
>
> It almost seems better to model those individually if they're complex?

With arrays, the grep -x doesn't work because a read returns the whole array. I removed the -x, but that could lead to false positives. I noticed the array issue for the HiddenUsersList key in /Library/Preferences/com.apple.loginwindow.plist, but I've since changed to Hide500Users, which is a bool.

For deep nesting I only have one case where I am ensuring that a particular key is removed from two AD plugin plists.

These are the only places I've run into it so far, so I can't say yet how much I'd use a plist puppet module, but my hunch is quite a bit.

>>
>> mcx: not sure what I want here yet: currently we push a computer
>> account using a template based on a custom fact of whether it is a
>> laptop or desktop and computer group plists as files. I'd rather
>> implement more mcx at the group level, but because of apple's
>> restriction of only applying mcx to a single group, that isn't
>> practical.
>
> You know you can nest groups though, and then MCX flows through?

I've had issues with this not behaving the way it is documented. And if you aren't using the combine setting, a user in more than one group gets prompted to pick a group rather than obey the precedence rules. So in practice we'd need to ensure that any given user is only a member of a single MCX group, which would lead to exponential creation of groups to account for every combination of settings we'd need.
Not really a Puppet topic though, so we can take this offline or to the client management or macenterprise list if you have more to add.

>
> We do direct twiddling of a localhost computer account too. I'm not
> sure where this should be done, but am meaning to look at whether the
> host type could perhaps support it.
>
>>
>> group membership: I implemented some simple membership checking in
>> directoryservice.rb, which was all commented out for 10.5 so it wasn't
>> doing anything. groups just calls `groups` and splits it into an
>> array, and membership is changed using dseditgroup. I didn't bother
>> submitting this since it is not very clean and I thought we were
>> moving to using RubyCocoa bridge to talk directly to the APIs rather
>> than shell commands, but maybe that is more of a long-term goal.
>
> I think Puppet needs to support 10.4 out of the box at this stage
> imho. It's still widely in use, and so unless people are willing to
> install RubyCocoa to get this stuff working... maybe it's not an
> option yet.

We still run a lot of 10.4, but we are specifically targeting puppet for 10.5+ machines. People needing to support 10.4 machines could still run an older version of puppet or install RubyCocoa. I say leave 10.4 behind. Long live 10.6.

>
> I need to look at groups again actually. Thanks for reminding me.
>
>>
>> passwords: currently we distribute the hash file, but will change to
>> your new method
>>
>> launchd: I know you are working on this for services. Do we also need
>> this for all of the other capabilities of launchd (agents, contexts,
>> schedules)? perhaps the "cron" type should be renamed something more
>> generic like "jobs" and include these other capabilities like
>> WatchPaths, etc.
>
> Currently I have this, which is everything working apart from
> autorequire.
>
> http://github.com/nigelkersten/puppet/commit/7466c0bde497b02a729772c392a9c378686fb252
>
> That will get done today.
> It covers the primary LaunchDaemons and
> LaunchAgents.
>
> Would you really like to be able to model a launchd job completely in
> puppet? It can be quite a complicated format which would result in
> hideous manifests I think. currently that patch above just manages
> whether the job is enabled at boot and the current state. Once it
> autorequires the appropriate file it should end up being quite
> flexible.

Yes, I'm still trying to get a feel for how each situation should be handled with puppet. There is a conflict between the practical implementation and the goal of resource abstraction and using APIs rather than direct manipulation of datastores. I got the initial impression that the exec and file types shouldn't be relied on, but on the other hand, they get the job done. I guess I need some guidance here philosophically as a newbie myself.

>> user accounts, computer accounts, and other directoryservice record
>> types : currently we just push plists, we may want to manage just
>> certain properties of the account, we may want to augment the
>> accounts. I supposed we could use an improved mac-defaults for
>> managing anything in plist format, including dslocal, but again I
>> thought we were moving to using APIs rather than manipulating the
>> datastore.
>
> Yep, so users should be fine soon, computers I'm still unsure about.
> Then when you're talking about MCX policy, where do you define that so
> you can also automatically require the appropriate object for it to be
> attached to?
>
> Having DirectoryServices handle so much stuff in OS X is a bit of a
> problem for where to model all this in Puppet.

Sounds like these aren't simple decisions, so I guess it isn't just me.

>> AD plugin: I currently just exec dsconfigad to turn on/off mobile
>> accounts based on the laptop fact.
>> This is just stored in a plist
>> though, so the plist manipulation would potentially work except
>> DirectoryService would need to be killed -9 to prevent it from
>> overwriting the direct change to the config file. Maybe services
>> need different methods for restarting themselves (notify with
>> signal => -9)
>>
>> Packages: I generally don't like Apple's package installer system,
>> nor software update for lots of reasons so we don't use them, but
>> when I did look into some of the package providers, they didn't check
>> the receipts database and/or relied on tracking what was already
>> installed in a text file. We still use radmind for most of our
>> machines. I've yet to take the time to somehow integrate puppet with
>> radmind. I've already built a system for managing radmind, but I'm
>> thinking some of that could be implemented with puppet. I do need to
>> figure out some way of patching the machines not managed by radmind
>> or just bring them into radmind until there is a better package
>> story.
>
> I'm actually talking to Greg Neagle at the moment about building a
> framework for third party pkg repositories, and then eventually have a
> puppet package provider so we can just do stuff like:
>
> package { "python":
>   provider => pkgrepo, # or something
>   ensure => latest,
> }

I'd like to hear more about this. I know he was looking into macports and other options. If it can provide a viable alternative to radmind, I'm interested and willing to help.

>> the authorization db work sounds great. I'm sure we will use that.
>>
>> I expect we will be relying on Puppet more and more over the coming
>> months to implement our new self-induced security compliance
>> requirements and hopefully I'll have time to delve deeper into puppet
>> and be of more help.
>>
>> Enjoy your free time. I know how that is, though I'm sure you miss
>> them too.
> cheers :)
>
> --
> Nigel Kersten
> Systems Administrator
> Tech Lead - MacOps

If you have any new wisdom or guidance into the inner workings of puppet to share from all this provider work you are doing, that would be appreciated. I need to reread the docs on provider development, but I remember on first read I was pretty lost.

Kyle
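
Added example (not part of the original thread, and not Puppet's or either poster's code): the message above notes that an un-anchored grep over a printed array can give false positives, and that loading the plist into a dictionary works for both xml and binary1. This Python sketch uses the standard `plistlib` in place of Foundation to make exact checks on an array member, a bool, and a nested key; the account names and the nested `Plugin Settings` keys are constructed for illustration.

```python
import plistlib

def array_contains(plist: dict, key: str, wanted: str) -> bool:
    """Exact membership test on an array value (no substring matching)."""
    value = plist.get(key)
    return isinstance(value, list) and wanted in value

def bool_is(plist: dict, key: str, expected: bool) -> bool:
    """True only if the key exists, is a real boolean, and equals expected."""
    return plist.get(key) is expected

def nested_key_absent(plist: dict, path: list) -> bool:
    """True if the key at the end of `path` is missing at any depth."""
    node = plist
    for part in path:
        if not isinstance(node, dict) or part not in node:
            return True
        node = node[part]
    return False

def naive_substring_match(plist: dict, key: str, wanted: str) -> bool:
    """What an un-anchored grep over the printed array amounts to."""
    return wanted in str(plist.get(key))

# Constructed sample data: the key names HiddenUsersList and Hide500Users come
# from the thread; the account names and the nested "Plugin Settings" keys are
# made up for illustration.
SAMPLE = {
    "HiddenUsersList": ["localadmin", "svc_backup"],
    "Hide500Users": True,
    "Plugin Settings": {"Mobile": {"Enabled": False}},
}
AS_XML = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_XML)
AS_BINARY = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)

def audit(raw: bytes) -> dict:
    p = plistlib.loads(raw)  # auto-detects XML vs binary1
    return {
        "admin_hidden_exact": array_contains(p, "HiddenUsersList", "admin"),
        "admin_hidden_naive": naive_substring_match(p, "HiddenUsersList", "admin"),
        "hide500": bool_is(p, "Hide500Users", True),
        "stale_key_absent": nested_key_absent(p, ["Plugin Settings", "Mobile", "Legacy"]),
    }

if __name__ == "__main__":
    for label, raw in (("xml", AS_XML), ("binary1", AS_BINARY)):
        print(label, audit(raw))
```

The substring check reports `admin` as hidden because `localadmin` contains it, while the exact membership test does not; both encodings yield the same audit result.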