Puppet users - Jul 2010 - Distributing passwd/group/shadow

Hi,
I am trying to figure out a good "puppet" way to do this. In our old
configuration, we were using cfengine and distributing passwd, group
and shadow files by first running a command on the server that would
filter these files to have just the team users (since we are using
hosting services) into a master file that would get distributed to all
the clients and the clients would apply the master file to its local
passwd, group and shadow files.

In puppet, as far as I can see, there is no way to run a command to
prep the files on the master, before a puppet client asks for the
catalog or is there?

We are doing things in this complicated way, because this allows us to
continue use the useradd, usermod commands on the master servers, and
the client servers automatically get the configuration. Plus we dont
have to store the files in version control. Is there a better way to
do this in puppet?

Thanks,
NP

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Jul 19, 2010, at 6:11 PM, noob-puppeteer wrote:
> Hi,
> I am trying to figure out a good "puppet" way to do this. In our
old
> configuration, we were using cfengine and distributing passwd, group
> and shadow files by first running a command on the server that would
> filter these files to have just the team users (since we are using
> hosting services) into a master file that would get distributed to all
> the clients and the clients would apply the master file to its local
> passwd, group and shadow files.
> 
> In puppet, as far as I can see, there is no way to run a command to
> prep the files on the master, before a puppet client asks for the
> catalog or is there?
> 
> We are doing things in this complicated way, because this allows us to
> continue use the useradd, usermod commands on the master servers, and
> the client servers automatically get the configuration. Plus we dont
> have to store the files in version control. Is there a better way to
> do this in puppet?
Usually I find that putting user accounts in version control is a good idea.

Unless you have a reason not to, I would just create the user accounts and group
accounts using puppet''s "user" and "group"
resources.  Any reason not to?

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

noob-puppeteer <rahul.pilani@gmail.com> writes:
> I am trying to figure out a good "puppet" way to do this.
Use LDAP, or maybe NIS, to distribute the data.  No, seriously, that usually
fits in about point three or four of the usual infrastructure building
checklist, right after getting puppet installed and the manifests in version
control.

Anyway, to answer your question:
> In our old configuration, we were using cfengine and distributing passwd,
> group and shadow files by first running a command on the server that would
> filter these files to have just the team users (since we are using hosting
> services) into a master file that would get distributed to all the clients
> and the clients would apply the master file to its local passwd, group and
> shadow files.
>
> In puppet, as far as I can see, there is no way to run a command to
> prep the files on the master, before a puppet client asks for the
> catalog or is there?
Sure: you can use the functions that grab stuff externally, like
''generate'',
to do this.  That will run a command and process it externally.

Alternately, a template is erb code run on the *puppetmaster* system, not on
the client.  So, that can do anything Ruby can do, including filtering stuff
out rather than adding it in, during the run.

> We are doing things in this complicated way, because this allows us to
> continue use the useradd, usermod commands on the master servers, and
> the client servers automatically get the configuration. Plus we dont
> have to store the files in version control. Is there a better way to
> do this in puppet?
Personally, I would first prefer to use LDAP.

Then I would pick up the sync-accounts tool from chiark-scripts[1] and use
that to do the hard work for me, since I don''t have to write it myself.

Failing that, I would code my user stanzas into the puppet language to
provision them that way.

Then I would use a tool to generate the user stanzas into puppet from the
content of the files in /etc and include that in the system with generate.


Anyway, ''generate'': the answer to your question is the
generate function.
http://docs.puppetlabs.com/references/latest/function.html#generate

Regards,
        Daniel

Footnotes: 
[1] 
http://the-doors.enix.org/pipermail/daily-debian-package/2008-April/001311.html

-- 
✣ Daniel Pittman            ✉ daniel@rimspace.net            ☎ +61 401 155 707
               ♽ made with 100 percent post-consumer electrons

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

> Use LDAP, or maybe NIS, to distribute the data.  No, seriously, that
usually
> fits in about point three or four of the usual infrastructure building
> checklist, right after getting puppet installed and the manifests in
version
> control.
In the case of LDAP, how would this work? Would you store your entire
puppet config in LDAP or just the user information? I am looking
documentation for storing all puppet info in LDAP, and that is a bit
unwieldy, since all configuration is stored as key-value pairs. Its
almost another language on top of puppet.
> Sure: you can use the functions that grab stuff externally, like
''generate'',
> to do this.  That will run a command and process it externally.
>
> Alternately, a template is erb code run on the *puppetmaster* system, not
on
> the client.  So, that can do anything Ruby can do, including filtering
stuff
> out rather than adding it in, during the run.
>
Thanks, will also look into functions and templates.

Regards,
Rahul

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

>
> Usually I find that putting user accounts in version control is a good
idea.
>
> Unless you have a reason not to, I would just create the user accounts and
group accounts using puppet''s "user" and "group"
resources.  Any reason not to?
I wouldnt want to put the shadow file in vcs. We dont have access
restrictions in our vcs and anyone with an account can see the entire
repo, so they would have access to the shadow file too.



-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Jul 20, 2010, at 9:15 AM, noob-puppeteer wrote:
> In the case of LDAP, how would this work? Would you store your entire
> puppet config in LDAP or just the user information? I am looking
> documentation for storing all puppet info in LDAP, and that is a bit
> unwieldy, since all configuration is stored as key-value pairs. Its
> almost another language on top of puppet.
I think he was referring to using LDAP to define users and groups centrally,
which doesn’t really have anything to do with Puppet other than simplifying your
manifests and speeding up each run. Some advice though: Set up multiple LDAP
servers with replication and failover right away. We ran with just one for a
while based on capacity needs alone, but you’d be amazed at all the unexpected
things that go to hell when LDAP becomes unavailable. Contact me off-list if you
want more information.

As for using LDAP to configure Puppet, you don’t have to store everything there.
As a general rule, you just assign classes to nodes in LDAP, then define the
class in your manifests to do XYZ to those nodes. You can use all of the other
LDAP attributes to make decisions and you can assign variables, but I’ve been
able to do most of what I need just using classes.

-- 
Rob McBroom
<http://www.skurfer.com/>


-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Rob McBroom <mailinglist0@skurfer.com> writes:
> On Jul 20, 2010, at 9:15 AM, noob-puppeteer wrote:
>
>> In the case of LDAP, how would this work? Would you store your entire
>> puppet config in LDAP or just the user information?
You can do both — nodes in LDAP, at least — but I meant only the user and
group information.
>> I am looking documentation for storing all puppet info in LDAP, and
that is
>> a bit unwieldy, since all configuration is stored as key-value pairs.
Its
>> almost another language on top of puppet.
I don''t use it, because I don''t much like it either. :)
> I think he was referring to using LDAP to define users and groups
centrally,
> which doesn’t really have anything to do with Puppet other than simplifying
> your manifests and speeding up each run.
Well, not strictly, although I would suggest you configure hosts to use LDAP
through puppet.  It does answer the question of how I would do this with
puppet though — I wouldn''t. ;)
> Some advice though: Set up multiple LDAP servers with replication and
> failover right away. We ran with just one for a while based on capacity
> needs alone, but you’d be amazed at all the unexpected things that go to
> hell when LDAP becomes unavailable.
FWIW, once you have puppet working it isn''t too hard to have every host
acting
as an LDAP slave, so you don''t have cross-machine dependencies.  If you
really
need that level of capability.

Regards,
        Daniel

-- 
✣ Daniel Pittman            ✉ daniel@rimspace.net            ☎ +61 401 155 707
               ♽ made with 100 percent post-consumer electrons

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.