Hi,

I am trying to figure out a good "puppet" way to do this. In our old configuration, we were using cfengine and distributing passwd, group and shadow files by first running a command on the server that would filter these files to have just the team users (since we are using hosting services) into a master file that would get distributed to all the clients, and the clients would apply the master file to their local passwd, group and shadow files.

In puppet, as far as I can see, there is no way to run a command to prep the files on the master before a puppet client asks for the catalog, or is there?

We are doing things in this complicated way because this allows us to continue to use the useradd and usermod commands on the master servers, and the client servers automatically get the configuration. Plus we don't have to store the files in version control. Is there a better way to do this in puppet?

Thanks,
NP

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Jul 19, 2010, at 6:11 PM, noob-puppeteer wrote:

> Hi,
> I am trying to figure out a good "puppet" way to do this. In our old
> configuration, we were using cfengine and distributing passwd, group
> and shadow files by first running a command on the server that would
> filter these files to have just the team users (since we are using
> hosting services) into a master file that would get distributed to all
> the clients and the clients would apply the master file to its local
> passwd, group and shadow files.
>
> In puppet, as far as I can see, there is no way to run a command to
> prep the files on the master, before a puppet client asks for the
> catalog or is there?
>
> We are doing things in this complicated way, because this allows us to
> continue use the useradd, usermod commands on the master servers, and
> the client servers automatically get the configuration. Plus we dont
> have to store the files in version control. Is there a better way to
> do this in puppet?

Usually I find that putting user accounts in version control is a good idea.

Unless you have a reason not to, I would just create the user accounts and group accounts using puppet's "user" and "group" resources. Any reason not to?
noob-puppeteer <rahul.pilani@gmail.com> writes:

> I am trying to figure out a good "puppet" way to do this.

Use LDAP, or maybe NIS, to distribute the data. No, seriously, that usually fits in about point three or four of the usual infrastructure building checklist, right after getting puppet installed and the manifests in version control.

Anyway, to answer your question:

> In our old configuration, we were using cfengine and distributing passwd,
> group and shadow files by first running a command on the server that would
> filter these files to have just the team users (since we are using hosting
> services) into a master file that would get distributed to all the clients
> and the clients would apply the master file to its local passwd, group and
> shadow files.
>
> In puppet, as far as I can see, there is no way to run a command to
> prep the files on the master, before a puppet client asks for the
> catalog or is there?

Sure: you can use the functions that grab stuff externally, like 'generate', to do this. That will run a command and process it externally.

Alternately, a template is erb code run on the *puppetmaster* system, not on the client. So, that can do anything Ruby can do, including filtering stuff out rather than adding it in, during the run.

> We are doing things in this complicated way, because this allows us to
> continue use the useradd, usermod commands on the master servers, and
> the client servers automatically get the configuration. Plus we dont
> have to store the files in version control. Is there a better way to
> do this in puppet?

Personally, I would first prefer to use LDAP. Then I would pick up the sync-accounts tool from chiark-scripts[1] and use that to do the hard work for me, since I don't have to write it myself.

Failing that, I would code my user stanzas into the puppet language to provision them that way.

Then I would use a tool to generate the user stanzas into puppet from the content of the files in /etc and include that in the system with generate.

Anyway, 'generate': the answer to your question is the generate function.

http://docs.puppetlabs.com/references/latest/function.html#generate

Regards,
Daniel

Footnotes:
[1] http://the-doors.enix.org/pipermail/daily-debian-package/2008-April/001311.html

--
✣ Daniel Pittman ✉ daniel@rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
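The two suggestions above (define accounts as Puppet "user" and "group" resources; generate those stanzas from the files in /etc rather than hand-writing them) can be combined in one small tool. The Ruby script below is an added example, not code from this thread, from chiark-scripts or from Puppet itself. It reads passwd, group and shadow data, keeps only the accounts that look like team accounts, and prints the equivalent Puppet manifest. The UID range used to tell team accounts apart from the hosting provider's system accounts (TEAM_UIDS) is an assumption, as is the sample data, which is constructed and contains no real hashes. Note what comes out: the password hashes end up in the manifest text, so the output is exactly as sensitive as /etc/shadow. Run on the master from the 'generate' function it never has to be committed, which is what the original poster wanted; it does, however, mean the puppetmaster process needs read access to a copy of shadow, which is root-only by default.

```ruby
# gen_accounts.rb -- emit Puppet user/group stanzas from passwd, group and
# shadow data, keeping only the "team" accounts. Added example, not code from
# the thread. TEAM_UIDS is an assumption: the thread never says how team
# accounts are told apart from the hosting provider's system accounts.

TEAM_UIDS = (1000..59_999)

# Split a colon-separated account file into rows, dropping blanks, comments
# and malformed lines (wrong field count) instead of guessing at them.
def parse_rows(text, nfields)
  text.each_line.map(&:chomp)
      .reject { |l| l.empty? || l.start_with?('#') }
      .map { |l| l.split(':', -1) }
      .select { |f| f.size == nfields }
end

# Quote a value as a Puppet single-quoted string. Password hashes contain '$',
# so they must never be placed in a double-quoted (interpolating) string.
def pq(value)
  "'" + value.gsub(/[\\']/) { |c| "\\" + c } + "'"
end

# Render group stanzas first, then user stanzas that require their primary
# group. Users and groups outside TEAM_UIDS are dropped, so root and the
# provider's system accounts never reach the clients.
def render_manifest(passwd, group, shadow)
  hashes = parse_rows(shadow, 9).map { |f| [f[0], f[1]] }.to_h
  users  = parse_rows(passwd, 7).select { |f| TEAM_UIDS.cover?(f[2].to_i) }
  groups = parse_rows(group, 4).select { |f| TEAM_UIDS.cover?(f[2].to_i) }
  gid_to_name = groups.map { |f| [f[2].to_i, f[0]] }.to_h

  out = []
  groups.each do |name, _pw, gid, _members|
    out << "group { #{pq(name)}:\n  ensure => present,\n  gid    => #{gid.to_i},\n}\n"
  end

  users.each do |name, _pw, uid, gid, comment, home, shell|
    primary = gid_to_name[gid.to_i]
    # Supplementary groups: team groups that list this user as a member.
    extra = groups.select { |g| g[3].split(',').include?(name) }.map(&:first) - [primary].compact
    attrs = [
      ['ensure',  'present'],
      ['uid',     uid.to_i],
      ['gid',     primary ? pq(primary) : gid.to_i],
      ['comment', pq(comment)],
      ['home',    pq(home)],
      ['shell',   pq(shell)],
    ]
    attrs << ['groups', '[' + extra.map { |g| pq(g) }.join(', ') + ']'] unless extra.empty?
    # A locked hash ('!' or '*') is passed through unchanged; that keeps the
    # account locked on the clients too.
    attrs << ['password', pq(hashes[name])] if hashes[name] && !hashes[name].empty?
    attrs << ['require', "Group[#{pq(primary)}]"] if primary
    width = attrs.map { |k, _| k.size }.max
    body  = attrs.map { |k, v| "  #{k.ljust(width)} => #{v}," }.join("\n")
    out << "user { #{pq(name)}:\n#{body}\n}\n"
  end
  out.join("\n")
end

# Constructed sample input (not real accounts or hashes).
SAMPLE_PASSWD = <<~'PASSWD'
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
  bob:x:1001:1000:Bob O'Brien:/home/bob:/bin/zsh
  nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
PASSWD

SAMPLE_GROUP = <<~'GROUP'
  root:x:0:
  devs:x:1000:bob
  ops:x:1001:alice,bob
  nogroup:x:65534:
GROUP

SAMPLE_SHADOW = <<~'SHADOW'
  root:*:18000:0:99999:7:::
  alice:$6$saltsalt$NotARealHash0123456789:18000:0:99999:7:::
  bob:!:18000:0:99999:7:::
SHADOW

if __FILE__ == $PROGRAM_NAME
  # With three arguments (passwd group shadow) read those files; otherwise
  # show the manifest produced from the constructed sample.
  if ARGV.size == 3
    puts render_manifest(*ARGV.map { |p| File.read(p) })
  else
    puts render_manifest(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_SHADOW)
  end
end
```

Two practical points when wiring this into 'generate': the function expects a fully qualified path to the command, and the master's Ruby process usually runs as an unprivileged user, so a root cron job (or a sudo rule) has to hand it a readable copy of shadow. Since the manifest text now carries the hashes, treat the file you write it to, and any catalog cache, with the same 0600 discipline as shadow itself.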
> Use LDAP, or maybe NIS, to distribute the data. No, seriously, that usually
> fits in about point three or four of the usual infrastructure building
> checklist, right after getting puppet installed and the manifests in version
> control.

In the case of LDAP, how would this work? Would you store your entire puppet config in LDAP or just the user information? I am looking at documentation for storing all puppet info in LDAP, and that is a bit unwieldy, since all configuration is stored as key-value pairs. It's almost another language on top of puppet.

> Sure: you can use the functions that grab stuff externally, like 'generate',
> to do this. That will run a command and process it externally.
>
> Alternately, a template is erb code run on the *puppetmaster* system, not on
> the client. So, that can do anything Ruby can do, including filtering stuff
> out rather than adding it in, during the run.

Thanks, will also look into functions and templates.

Regards,
Rahul
> Usually I find that putting user accounts in version control is a good idea.
>
> Unless you have a reason not to, I would just create the user accounts and group accounts using puppet's "user" and "group" resources. Any reason not to?

I wouldn't want to put the shadow file in vcs. We don't have access restrictions in our vcs and anyone with an account can see the entire repo, so they would have access to the shadow file too.
On Jul 20, 2010, at 9:15 AM, noob-puppeteer wrote:

> In the case of LDAP, how would this work? Would you store your entire
> puppet config in LDAP or just the user information? I am looking
> documentation for storing all puppet info in LDAP, and that is a bit
> unwieldy, since all configuration is stored as key-value pairs. Its
> almost another language on top of puppet.

I think he was referring to using LDAP to define users and groups centrally, which doesn't really have anything to do with Puppet other than simplifying your manifests and speeding up each run.

Some advice though: Set up multiple LDAP servers with replication and failover right away. We ran with just one for a while based on capacity needs alone, but you'd be amazed at all the unexpected things that go to hell when LDAP becomes unavailable. Contact me off-list if you want more information.

As for using LDAP to configure Puppet, you don't have to store everything there. As a general rule, you just assign classes to nodes in LDAP, then define the class in your manifests to do XYZ to those nodes. You can use all of the other LDAP attributes to make decisions and you can assign variables, but I've been able to do most of what I need just using classes.

--
Rob McBroom <http://www.skurfer.com/>
Daniel Pittman
2010-Jul-21 01:57 UTC
Re: [Puppet Users] Re: Distributing passwd/group/shadow
Rob McBroom <mailinglist0@skurfer.com> writes:

> On Jul 20, 2010, at 9:15 AM, noob-puppeteer wrote:
>
>> In the case of LDAP, how would this work? Would you store your entire
>> puppet config in LDAP or just the user information?

You can do both, nodes in LDAP at least, but I meant only the user and group information.

>> I am looking documentation for storing all puppet info in LDAP, and that is
>> a bit unwieldy, since all configuration is stored as key-value pairs. Its
>> almost another language on top of puppet.

I don't use it, because I don't much like it either. :)

> I think he was referring to using LDAP to define users and groups centrally,
> which doesn't really have anything to do with Puppet other than simplifying
> your manifests and speeding up each run.

Well, not strictly, although I would suggest you configure hosts to use LDAP through puppet. It does answer the question of how I would do this with puppet though: I wouldn't. ;)

> Some advice though: Set up multiple LDAP servers with replication and
> failover right away. We ran with just one for a while based on capacity
> needs alone, but you'd be amazed at all the unexpected things that go to
> hell when LDAP becomes unavailable.

FWIW, once you have puppet working it isn't too hard to have every host acting as an LDAP slave, so you don't have cross-machine dependencies. If you really need that level of capability.

Regards,
Daniel

--
✣ Daniel Pittman ✉ daniel@rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons