John Chris Richards
2011-Apr-06 21:50 UTC
[Puppet Users] Can puppet client make immediate pull after a file's content change by user?
Hi all

Firstly, I am new in configuration management and all I know about watching files is that client checks a file's check sum every t hour and if a change has occurred then it gets the file from the server.

I wonder that if a user changes a file, does the puppet client wait end of the time (t) or is there way to say client if a change occurs in a specific file then make an immediate pull? I mean, I don't want to wait until the time is up. Is there a way to make this in puppet?

Thanks in advance.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Nan Liu
2011-Apr-06 22:54 UTC
Re: [Puppet Users] Can puppet client make immediate pull after a file's content change by user?
On Wed, Apr 6, 2011 at 2:50 PM, John Chris Richards <john.chris.richards@gmail.com> wrote:
> Hi all
>
> Firstly, I am new in configuration management and all I know about
> watching files is that client checks a file's check sum every t hour
> and if a change has occurred then it gets the file from the server.
>
> I wonder that if a user changes a file, does the puppet client wait
> end of the time (t) or is there way to say client if a change occurs
> in a specific file then make an immediate pull? I mean, I don't want
> to wait until the time is up. Is there a way to make this in puppet?

Puppet agent runs periodically to enforce the catalog, it can replace the file if it detects any changes, but it doesn't monitor the file to trigger runs. I suppose you can run puppet continuously (not recommended), but perhaps if you give some insight on what you are trying to accomplish would give us a better idea how to achieve it with puppet. Are you trying to trigger a puppet run when a particular file changes? Are you trying to monitor several files?

Thanks,

Nan
Scott Smith
2011-Apr-07 00:46 UTC
Re: [Puppet Users] Can puppet client make immediate pull after a file's content change by user?
You can probably use inotify or something similar for this functionality

On Apr 6, 2011 2:52 PM, "John Chris Richards" <john.chris.richards@gmail.com> wrote:
> Hi all
>
> Firstly, I am new in configuration management and all I know about
> watching files is that client checks a file's check sum every t hour
> and if a change has occurred then it gets the file from the server.
>
> I wonder that if a user changes a file, does the puppet client wait
> end of the time (t) or is there way to say client if a change occurs
> in a specific file then make an immediate pull? I mean, I don't want
> to wait until the time is up. Is there a way to make this in puppet?
>
> Thanks in advance.
John Chris Richards
2011-Apr-07 06:10 UTC
Re: [Puppet Users] Can puppet client make immediate pull after a file's content change by user?
Hi Nan

First of all thanks for your answer

> Are you trying to trigger a puppet run when a particular file changes?

Yes, this is what I exactly want to do. For example, if a user changes /etc/hosts file (via vim for instance), it will be corrupted until the next run. What if I don't want to wait until the next run?

Thanks again.

2011/4/7 Nan Liu <nan@puppetlabs.com>
> On Wed, Apr 6, 2011 at 2:50 PM, John Chris Richards
> <john.chris.richards@gmail.com> wrote:
> > Hi all
> >
> > Firstly, I am new in configuration management and all I know about
> > watching files is that client checks a file's check sum every t hour
> > and if a change has occurred then it gets the file from the server.
> >
> > I wonder that if a user changes a file, does the puppet client wait
> > end of the time (t) or is there way to say client if a change occurs
> > in a specific file then make an immediate pull? I mean, I don't want
> > to wait until the time is up. Is there a way to make this in puppet?
>
> Puppet agent runs periodically to enforce the catalog, it can replace
> the file if it detects any changes, but it doesn't monitor the file to
> trigger runs. I suppose you can run puppet continuously (not
> recommended), but perhaps if you give some insight on what you are
> trying to accomplish would give us a better idea how to achieve it
> with puppet. Are you trying to trigger a puppet run when a particular
> file changes? Are you trying to monitor several files?
>
> Thanks,
>
> Nan
Ralf Groß
2011-Apr-07 06:17 UTC
Re: [Puppet Users] Can puppet client make immediate pull after a file's content change by user?
Hi,

>> Are you trying to trigger a puppet run when a particular file changes?
> Yes, this is what I exactly want to do. For example, if a user changes
> /etc/hosts file (via vim for instance), it will be corrupted until the next
> run. What if I don't want to wait until the next run?

if a user can change /etc/hosts or any other system file, he must have root privileges. There is little you can do about it. We have a similar environment and it's nearly impossible to prevent users from doing things we don't want them to do...

Ralf
John Chris Richards
2011-Apr-07 09:26 UTC
[Puppet Users] Re: Can puppet client make immediate pull after a file's content change by user?
> You can probably use inotify or something similar for this functionality

Hi Scott

I saw your post just now and I am sorry for this late answer. I also thank you very much too for your answer.

Hence from your post I conclude that puppet does not handle these type problems so I should use an external solution (like inotify).
Denmat
2011-Apr-07 10:29 UTC
Re: [Puppet Users] Re: Can puppet client make immediate pull after a file's content change by user?
Hi,

Something similar and maybe easier would be monit.

Cheers,

On 07/04/2011, at 19:26, John Chris Richards <john.chris.richards@gmail.com> wrote:
>> You can probably use inotify or something similar for this functionality
>
> Hi Scott
>
> I saw your post just now and I am sorry for this late answer.
> I also thank you very much too for your answer.
>
> Hence from your post I conclude that puppet does not handle these type
> problems so I should use an external solution (like inotify).
John Chris Richards
2011-Apr-07 12:50 UTC
[Puppet Users] Re: Can puppet client make immediate pull after a file's content change by user?
> Something similar and maybe easier would be monit.
>
> Cheers,

Hi Denmat

I had a quick look at monit and it looks really good. Thanks for your answer and suggestion.
John Chris Richards
2011-Apr-08 06:52 UTC
[Puppet Users] Re: Can puppet client make immediate pull after a file's content change by user?
Hi Ralf

I totally agree with you. Hence with the above solution we can have a little bit more control over our systems.

Thanks

> if a user can change /etc/hosts or any other system file, he must have
> root privileges. There is little you can do about it. We have a
> similar environment and it's nearly impossible to prevent users from
> doing things we don't want them to do...
>
> Ralf
vagn scott
2011-May-05 01:41 UTC
Re: [Puppet Users] Can puppet client make immediate pull after a file's content change by user?
It sounds like you are solving the wrong problem.

Why do your users have root privs? If they need root for some things, use sudo to give them only what they need. Or use suid/sgid mechanisms to allow community access to certain resources.

If you need to lock down specific files look at the immutable bit that some file systems have.

-- vagn

On 04/06/2011 05:50 PM, John Chris Richards wrote:
> Hi all
>
> Firstly, I am new in configuration management and all I know about
> watching files is that client checks a file's check sum every t hour
> and if a change has occurred then it gets the file from the server.
>
> I wonder that if a user changes a file, does the puppet client wait
> end of the time (t) or is there way to say client if a change occurs
> in a specific file then make an immediate pull? I mean, I don't want
> to wait until the time is up. Is there a way to make this in puppet?
>
> Thanks in advance.
treydock
2011-May-05 03:08 UTC
[Puppet Users] Re: Can puppet client make immediate pull after a file's content change by user?
It's not ideal but this could very easily be achieved with Zabbix. With Zabbix you can have a check, running for example every 30 seconds, that runs a checksum on a specific file. Then a trigger that is activated if the last known checksum varies from the current checksum, here's an example from one of the default templates, "{Template - Linux Servers:vfs.file.cksum[/etc/passwd].diff(0)}>0". Then create an action for that trigger. Actions can initiate remote commands, which you specify to be a manual run of puppet.

This can get extremely resource intensive, and really isn't ideal. In my environment I personally don't use Zabbix for this but rather OSSEC to get email notifications upon changes of key files.

- Trey

On Apr 7, 1:10 am, John Chris Richards <john.chris.richa...@gmail.com> wrote:
> Hi Nan
>
> First of all thanks for your answer
>
> > Are you trying to trigger a puppet run when a particular file changes?
>
> Yes, this is what I exactly want to do. For example, if a user changes
> /etc/hosts file (via vim for instance), it will be corrupted until the next
> run. What if I don't want to wait until the next run?
>
> Thanks again.
>
> 2011/4/7 Nan Liu <n...@puppetlabs.com>
>
> > On Wed, Apr 6, 2011 at 2:50 PM, John Chris Richards
> > <john.chris.richa...@gmail.com> wrote:
> > > Hi all
> >
> > > Firstly, I am new in configuration management and all I know about
> > > watching files is that client checks a file's check sum every t hour
> > > and if a change has occurred then it gets the file from the server.
> >
> > > I wonder that if a user changes a file, does the puppet client wait
> > > end of the time (t) or is there way to say client if a change occurs
> > > in a specific file then make an immediate pull? I mean, I don't want
> > > to wait until the time is up. Is there a way to make this in puppet?
> >
> > Puppet agent runs periodically to enforce the catalog, it can replace
> > the file if it detects any changes, but it doesn't monitor the file to
> > trigger runs. I suppose you can run puppet continuously (not
> > recommended), but perhaps if you give some insight on what you are
> > trying to accomplish would give us a better idea how to achieve it
> > with puppet. Are you trying to trigger a puppet run when a particular
> > file changes? Are you trying to monitor several files?
> >
> > Thanks,
> >
> > Nan
Daniel Pittman
2011-May-05 19:03 UTC
Re: [Puppet Users] Re: Can puppet client make immediate pull after a file's content change by user?
On Thu, Apr 7, 2011 at 23:52, John Chris Richards <john.chris.richards@gmail.com> wrote:
> I totally agree with you. Hence with the above solution we can have a
> little bit more control over our systems.

Hey. Sorry for getting into this discussion late: if you really wanted to trigger a puppet run after a file was modified, I would probably take the approach of using an external tool to do the triggering.

Linux has the inotify system, and *BSD have something similar, which do real-time event notification on files and directories. You can either write a small monitor based on those, or find one of the existing ones (inoticoming, inocron, and at least one more exist in Linux-ville).

When they observe a change in the appropriate location they can trigger the puppet run for you; that gives you the desired behavior, more or less. You will still have the period between the puppet run starting and the change being backed out where the system is wrong, of course.

Overall, though, I wouldn't recommend the strategy: this is a technical solution to a social problem – if your users are making uncontrolled, or bad, changes then you need to bring them into the fold, not fight with them. The latter will just make them more duplicitous: they will disable your notification tool (or puppet, if that did the monitoring), then make their changes.

I would strongly encourage you to either get to the point that they are not fighting you (and puppet) for control of the system by bringing them on board to the process (eg: they update puppet, rather than hack on the machine), or by locking them out.

Regards,
Daniel

...and, yes, they /will/ get very upset with the "locking them out" option. :)

--
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman <daniel@puppetlabs.com>
✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
♲ Made with 100 percent post-consumer electrons
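A sketch of the "small monitor" approach described in the post above, as an added example that is not part of any message in this thread. It assumes inotify-tools (`inotifywait`) and the `puppet` CLI are installed; `WATCH_FILE` and `BASELINE` are hypothetical settings. It watches the parent directory because editors such as vim save by rename, and it compares content hashes so that Puppet's own rewrite of the file does not retrigger a run.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes inotify-tools (inotifywait) and
# the puppet CLI are installed. WATCH_FILE and BASELINE are hypothetical paths.
WATCH_FILE="${WATCH_FILE:-/etc/hosts}"
BASELINE="${BASELINE:-/var/lib/puppet-watch/baseline.sha256}"

# SHA-256 of a file; empty output if the file is missing.
file_hash() {
    sha256sum "$1" 2>/dev/null | cut -d' ' -f1
}

# $1 = one "EVENTS NAME" line from inotifywait, $2 = basename to react to.
# vim and similar editors save by renaming a new file over the old one, so the
# parent directory is watched and events are filtered by name here.
event_matches() {
    ev_list="${1%% *}"
    ev_name="${1#* }"
    [ "$ev_name" = "$2" ] || return 1
    case ",$ev_list," in
        *,CLOSE_WRITE,*|*,MOVED_TO,*|*,CREATE,*|*,DELETE,*) return 0 ;;
    esac
    return 1
}

# True when the file no longer matches the hash recorded after the last run.
# Puppet's own rewrite raises events too; this check stops a retrigger loop.
content_changed() {
    [ "$(file_hash "$1")" != "$(cat "$2" 2>/dev/null)" ]
}

watch_loop() {
    dir="$(dirname "$WATCH_FILE")"
    base="$(basename "$WATCH_FILE")"
    mkdir -p "$(dirname "$BASELINE")"
    file_hash "$WATCH_FILE" > "$BASELINE"
    inotifywait -m -q -e close_write,moved_to,create,delete \
        --format '%e %f' "$dir" |
    while IFS= read -r line; do
        event_matches "$line" "$base" || continue
        content_changed "$WATCH_FILE" "$BASELINE" || continue
        logger -t puppet-watch "$WATCH_FILE changed ($line); starting agent run"
        # stdin is redirected so the agent cannot consume queued event lines
        puppet agent --onetime --no-daemonize </dev/null
        file_hash "$WATCH_FILE" > "$BASELINE"
    done
}

# Run the watcher only when asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--watch" ]; then
    watch_loop
fi
```

Started as root with `--watch`, it shortens the window in which the file is wrong but does not close it, and the log line gives a record of each out-of-band change.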
DaveQB
2011-May-08 23:51 UTC
[Puppet Users] Re: Can puppet client make immediate pull after a file's content change by user?
Maybe incron is the tool you are after.

On May 6, 5:03 am, Daniel Pittman <dan...@puppetlabs.com> wrote:
> On Thu, Apr 7, 2011 at 23:52, John Chris Richards
> <john.chris.richa...@gmail.com> wrote:
> > I totally agree with you. Hence with the above solution we can have a
> > little bit more control over our systems.
>
> Hey. Sorry for getting into this discussion late: if you really
> wanted to trigger a puppet run after a file was modified, I would
> probably take the approach of using an external tool to do the
> triggering.
>
> Linux has the inotify system, and *BSD have something similar, which
> do real-time event notification on files and directories. You can
> either write a small monitor based on those, or find one of the
> existing ones (inoticoming, inocron, and at least one more exist in
> Linux-ville).
>
> When they observe a change in the appropriate location they can
> trigger the puppet run for you; that gives you the desired behavior,
> more or less. You will still have the period between the puppet run
> starting and the change being backed out where the system is wrong, of
> course.
>
> Overall, though, I wouldn't recommend the strategy: this is a
> technical solution to a social problem – if your users are making
> uncontrolled, or bad, changes then you need to bring them into the
> fold, not fight with them. The later will just make them more
> duplicitous: they will disable your notification tool (or puppet, if
> that did the monitoring), then make their changes.
>
> I would strongly encourage you to either get to the point that they
> are not fighting you (and puppet) for control of the system by
> bringing them on board to the process (eg: they update puppet, rather
> than hack on the machine), or by locking them out.
>
> Regards,
> Daniel
>
> ...and, yes, they /will/ get very upset with the "locking them out" option. :)
> --
> ⎋ Puppet Labs Developer – http://puppetlabs.com
> ✉ Daniel Pittman <dan...@puppetlabs.com>
> ✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
> ♲ Made with 100 percent post-consumer electrons
DaveQB
2011-May-08 23:52 UTC
[Puppet Users] Re: Can puppet client make immediate pull after a file's content change by user?
Maybe incron is the tool you are after.
DaveQB
2011-May-08 23:53 UTC
[Puppet Users] Re: Can puppet client make immediate pull after a file's content change by user?
Maybe incron is the tool you are after.

On May 6, 5:03 am, Daniel Pittman <dan...@puppetlabs.com> wrote:
> Hey. Sorry for getting into this discussion late: if you really
> wanted to trigger a puppet run after a file was modified, I would
> probably take the approach of using an external tool to do the
> triggering.