I''m trying to do something like this using puppet 0.24.8.
define removeuser() {
@ user { $name:
ensure => absent
}
realize User["$name"]
}
$removelist = ["bob", "bill", "billy"]
@ removeuser { $removelist : }
It''s failing with "err: Could not retrieve catalog: Failed to
realize
virtual resources User[bob] on node test". Is this even possible, if
not in version .24 or .25, in future versions?
Thanks
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
On Dec 6, 1:55 pm, jokeeffe <jete.okee...@gmail.com> wrote:> I''m trying to do something like this using puppet 0.24.8. > > define removeuser() { > @ user { $name: > ensure => absent > } > > realize User["$name"] > > } > > $removelist = ["bob", "bill", "billy"] > @ removeuser { $removelist : } > > It''s failing with "err: Could not retrieve catalog: Failed to realize > virtual resources User[bob] on node test". Is this even possible, if > not in version .24 or .25, in future versions?In Puppet 0.24.8, I am able to remove a system user by realizing a virtual User resource that has ensure=>absent. Admittedly, I am using a custom user provider, but it ought to work with any of the built-in providers that support user removal (which I think is all of them). I confess to a bit of confusion about your approach, however: why are you declaring virtual users and then immediately realizing them? I''m not seeing any reason why it would make sense to do that. I would be surprised if the immediate realization were the problem, but for test purposes, at least, you should be able to declare the affected users concretely (with ensure => absent): define removeuser() { user { $name: ensure => absent, } } If that doesn''t solve the problem (as I suspect it won''t) then you will at least have removed a variable. Have you tried running with -- debug and / or --test? -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Thanks for the reply, It probably doesn''t need to be virtual but I thought I read in the documentation that it was better to do so. Basically, at my organization, admins come and go. I was hoping to use puppet to get rid of all logins of admins that no longer work for the company. So, I was hoping I could just use a simple array to add users as time goes by to ensure those user no longer have an account. On Dec 7, 1:07 pm, jcbollinger <John.Bollin...@stJude.org> wrote:> On Dec 6, 1:55 pm, jokeeffe <jete.okee...@gmail.com> wrote: > > > > > > > I''m trying to do something like this using puppet 0.24.8. > > > define removeuser() { > > @ user { $name: > > ensure => absent > > } > > > realize User["$name"] > > > } > > > $removelist = ["bob", "bill", "billy"] > > @ removeuser { $removelist : } > > > It''s failing with "err: Could not retrieve catalog: Failed to realize > > virtual resources User[bob] on node test". Is this even possible, if > > not in version .24 or .25, in future versions? > > In Puppet 0.24.8, I am able to remove a system user by realizing a > virtual User resource that has ensure=>absent. Admittedly, I am using > a custom user provider, but it ought to work with any of the built-in > providers that support user removal (which I think is all of them). > > I confess to a bit of confusion about your approach, however: why are > you declaring virtual users and then immediately realizing them? I''m > not seeing any reason why it would make sense to do that. > > I would be surprised if the immediate realization were the problem, > but for test purposes, at least, you should be able to declare the > affected users concretely (with ensure => absent): > > define removeuser() { > user { $name: > ensure => absent, > } > > } > > If that doesn''t solve the problem (as I suspect it won''t) then you > will at least have removed a variable. Have you tried running with -- > debug and / or --test?-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Dec 7, 4:13 pm, jokeeffe <jete.okee...@gmail.com> wrote:> It probably doesn''t need to be virtual but I thought I read in the > documentation that it was better to do so.The best practices documentation has at times recommended declaring users virtually. I don''t know whether it still does now, but even when it did, it was not recommending the model you showed. Virtual resources help you out mainly when you want to define a resource that multiple independent classes may need. Each resource (virtual or not) can be *declared* only once, but virtual resources can be *realized* as many times as desired (including zero). For users, the recommended model involved creating a class containing virtual User declarations for all users that Puppet need ever manage. Any class that needed any user management must then include the class of virtual users, and realize those users it cares about. The main advantage here is centralized user management.> Basically, at my organization, admins come and go. I was hoping to use > puppet to get rid of all logins of admins that no longer work for the > company. So, I was hoping I could just use a simple array to add users > as time goes by to ensure those user no longer have an account.Puppet can definitely do this job for you. I''m not certain whether the array syntax gains you anything, though, even if it can be made to work. Here are some alternatives: 1) If the objective is to minimize the amount of Puppet code required for this specific task, then I think you could do something like this: # include this class on all nodes for which the specified users need to be absent: class remove_nonusers { # defaults for user resources declared within the scope of this class User { ensure => absent } # the users that need to be absent; not much more verbose than an array declaration user { "bill": ; "billy": ; "bob": ; } } 2) If you are willing to use Puppet to manage all non-system accounts on your machines, then you can rely on user purging by putting this in an appropriate scope: resources { "user": purge => true, unless_system_user => true } In that case, Puppet removes any users not known to it and not considered system accounts (UID < 500 by default). Using this approach requires that you tell Puppet which ordinary user accounts you want to be present, so overall it may require more code than option 1. On the other hand, user management is one of the more common tasks that admins want Puppet to handle, so you may already be planning or doing this. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.