luke.bigum
2010-Oct-04 16:00 UTC
[Puppet Users] Augeas type to edit/append to /etc/pam.d/sshd
Hi all,

I'm trying to do something that should be pretty simple but can't figure it out.

I want to append a line to /etc/pam.d/sshd if a line with a certain module doesn't exist.

What I would like to work is this:

    augeas { sshd_pam_mkhomedir:
      context => "/files/etc/pam.d/sshd",
      changes => [
        "set *[module = 'pam_mkhomedir.so']/type session",
        "set *[module = 'pam_mkhomedir.so']/control required",
        "set *[module = 'pam_mkhomedir.so']/module pam_mkhomedir.so",
        "set *[module = 'pam_mkhomedir.so']/argument[1] umask=0022",
      ],
    }

That "*[module = foo]" fails to match and create a new line, even in augtool. This doesn't work either:

    augtool> set /files/etc/pam.d/sshd/*[last()+1]/type session
    Failed

Nor can I get an insert to work, as to do that I'd need to know the number of entries that already exist in the file in order to create the next one.

If no one's already got a solution to this I'll have to ask on augeas-devel.

Thanks,

-Luke

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Patrick
2010-Oct-04 16:26 UTC
Re: [Puppet Users] Augeas type to edit/append to /etc/pam.d/sshd
For people trying to help, here's an example:

    augtool> ls /files/etc/pam.d/sshd/
    #comment[1] = PAM configuration for the Secure Shell service
    #comment[2] = Read environment variables from /etc/environment and
    #comment[3] = /etc/security/pam_env.conf.
    1/ = (none)
    #comment[4] = In Debian 4.0 (etch), locale-related environment variables were moved to
    #comment[5] = /etc/default/locale, so read that as well.
    2/ = (none)
    #comment[6] = Standard Un*x authentication.
    include[1] = common-auth
    #comment[7] = Disallow non-root logins when /etc/nologin exists.
    3/ = (none)
    augtool> ls /files/etc/pam.d/sshd/3
    type = session
    control = required
    module = pam_limits.so
Rob McBroom
2010-Oct-04 18:31 UTC
Re: [Puppet Users] Augeas type to edit/append to /etc/pam.d/sshd
On Oct 4, 2010, at 12:00 PM, luke.bigum wrote:

> changes => [
>   "set *[module = 'pam_mkhomedir.so']/type session",
>   "set *[module = 'pam_mkhomedir.so']/control required",
>   "set *[module = 'pam_mkhomedir.so']/module pam_mkhomedir.so",
>   "set *[module = 'pam_mkhomedir.so']/argument[1] umask=0022",
> ],

Have you tried re-arranging these so the value for module is the first one set? I think you have to do it that way so the other three 'set' statements can find the path.

--
Rob McBroom
<http://www.skurfer.com/>
luke.bigum
2010-Oct-05 10:27 UTC
[Puppet Users] Re: Augeas type to edit/append to /etc/pam.d/sshd
Hi Rob,

Thanks for the suggestion but it seems to make no difference. Even that set command in augtool doesn't work, you get a very helpful "failed" message and no recorded error I can find.

I hoped someone had come across this before and had an Augeas solution (would be so easy to use an exec type to do it). I'll try to ask the Augeas community and come back with what they say.
Tim Sharpe
2010-Oct-05 10:43 UTC
Re: [Puppet Users] Augeas type to edit/append to /etc/pam.d/sshd
Hi Luke,

I do something similar for a different module, give the following a try:

    augeas { "mod_mkhomedir_for_pam_sshd":
      context => "/files/etc/pam.d/sshd",
      changes => ["ins 1000000 before *",
                  "set 1000000/type session",
                  "set 1000000/control required",
                  "set 1000000/module pam_mkhomedir.so",
                  "set 1000000/argument umask=0022"],
      onlyif  => "match *[type='session'][module='pam_mkhomedir.so'][argument='umask=0022'] size == 0"
    }

Cheers,
Tim
luke.bigum
2010-Oct-05 11:21 UTC
[Puppet Users] Re: Augeas type to edit/append to /etc/pam.d/sshd
Tim,

Thanks a lot, I never would have thought of trying to kludge Augeas like that. Your specific insert line didn't work for my environment, what did work was a slight variation:

    "ins 1000000 after *[last()]"

I'll still try to chase up the Augeas people to see if there is a more elegant solution, but for now that works great and should translate to all Augeas lenses that present nodes as array indexes.

Thanks,

-Luke
luke.bigum
2010-Oct-19 08:29 UTC
[Puppet Users] Re: Augeas type to edit/append to /etc/pam.d/sshd
Just for the info, I've gotten the answer as to why lines like these error:

    set *[module = 'pam_mkhomedir.so']/type session

or a similar example for /etc/hosts:

    set /files/etc/hosts/*/ipaddr[.='10.1.1.1'] 10.1.1.1

To quote from the augeas-devel list:

"The issue is where there is no node matching /files/etc/hosts/*/ipaddr[.='10.1.1.1'], Augeas tries to create one, but it doesn't know what to use for '*'."

To handle the cases where you don't know if a line containing an IP address exists or not, you need to use two Augeas types; one to fix an existing entry and one to add an entry if it doesn't exist.

There's a feature request to support conditionals in the Augeas type here:

http://projects.puppetlabs.com/issues/2696
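
The two-resource approach described in the last message, written out for the pam_mkhomedir.so case. This is an added example and not part of the original thread: the resource titles are hypothetical, the "add" resource uses the insert variation that worked for Luke, and the "fix" resource assumes the file holds at most one pam_mkhomedir.so line and corrects only its control field.

```puppet
# Added example, not from the thread. Resource titles are hypothetical.

# Case 1: no pam_mkhomedir.so line exists yet.
# "ins" creates a node with an explicit label (1000000), so the following
# "set" commands address a concrete path instead of "*", which Augeas
# cannot expand when it has to create a node.
augeas { 'sshd_pam_mkhomedir_add':
  context => '/files/etc/pam.d/sshd',
  changes => [
    'ins 1000000 after *[last()]',
    'set 1000000/type session',
    'set 1000000/control required',
    'set 1000000/module pam_mkhomedir.so',
    'set 1000000/argument umask=0022',
  ],
  # Run only when no entry for the module is present at all.
  onlyif  => "match *[module='pam_mkhomedir.so'] size == 0",
}

# Case 2: a pam_mkhomedir.so line exists but has the wrong control value.
# Here the predicate matches an existing node, so "set" updates it in
# place and nothing has to be created.
# Assumption: at most one matching line; "set" fails on multiple matches.
augeas { 'sshd_pam_mkhomedir_fix':
  context => '/files/etc/pam.d/sshd',
  changes => [
    "set *[module='pam_mkhomedir.so']/control required",
  ],
  # Run only when an entry exists and its control field is not "required".
  onlyif  => "match *[module='pam_mkhomedir.so'][control!='required'] size > 0",
}
```

The two onlyif conditions are mutually exclusive, so at most one resource applies changes on any run. The new line is appended at the end of the file, and PAM evaluates entries in file order, so check where it lands relative to the other session lines.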