eduardo
2012-Jun-12 17:39 UTC
[Puppet Users] how to refresh ssh/authorized_keys file content ?
Hi all,

How to refresh ssh/authorized_keys file content?

I'm trying to mass-load keys. I need to refresh the authorized_keys file content.

I tried deleting the file before calling ssh_authorized_key:

    exec { "del_${user_local}_authorized_keys":
      command => "rm /home/${user_local}/.ssh/authorized_keys ; touch /home/${user_local}/.ssh/authorized_keys ; chown ${user_local}:${user_local} /home/${user_local}/.ssh/authorized_keys",
      path    => '/bin:/usr/bin',
    }

The first run only deletes the file, and on the second one I got the desired result.

I think it is possible to create the file content using a template, but before leaving the ssh_authorized_key resource type approach I want to know if there is any other option.

Regards,
Eduardo.

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Felix Frank
2012-Jun-13 07:34 UTC
Re: [Puppet Users] how to refresh ssh/authorized_keys file content ?
Hi,

On 06/12/2012 07:39 PM, eduardo wrote:
> Hi all,
>
> How to refresh ssh/authorized_keys file content ?
>
> I'm trying massive loading keys. I need refresh authorized_keys file
> content.
>
> I try delete file before call ssh_authorized_key :

please don't. This is *not* how you are supposed to interact with authorized keys.

Either use the ssh_authorized_key type *or* fiddle with the file, but don't mix them.

> exec { "del_${user_local}_authorized_keys":
>     command => "rm /home/$user_local/.ssh/
> authorized_keys ; touch /home/$user_local/.ssh/authorized_keys ; chown
> $user_local:$user_local /home/$user_local/.ssh/authorized_keys",
>     path => '/bin:/usr/bin',
> }
>
> First run only delete file and in the second one I got desired
> result.
>
> I think is possible create content file using template but before
> leave ssh_authorized_key resource type way I want to know any other
> chance.

A template would work.

You can also try simply pruning all unmanaged keys, so puppet will clear all unwanted stuff out. Take note that this will affect keys of *all* users (I believe), so you have to manage all keys on the system in question.

    resources { "ssh_authorized_key": purge => true }

HTH,
Felix
eduardo
2012-Jun-13 17:02 UTC
[Puppet Users] Re: how to refresh ssh/authorized_keys file content ?
Thank you Felix for answering me. I owe you another one.

The bad news is that I tried

    resources { "ssh_authorized_key": purge => true }

but it gave no result.

The good news is that templates are great for it.

I appreciate your help,
Best regards,
eduardo.
eduardo
2012-Jun-15 13:21 UTC
[Puppet Users] Re: how to refresh ssh/authorized_keys file content ?
Having been advised:

'it is highly recommended to migrate work from exec to native Puppet types as quickly as possible.'

Is there any chance to purge keys?

Writing

    resources { "ssh_authorized_key": purge => true }

in my init.pp module does nothing.

Regards,
eduardo.
Brian Gallew
2012-Jun-15 14:56 UTC
Re: [Puppet Users] Re: how to refresh ssh/authorized_keys file content ?
"ensure => absent" is the standard syntax for all Puppet types.
Nan Liu
2012-Jun-15 15:19 UTC
Re: [Puppet Users] Re: how to refresh ssh/authorized_keys file content ?
On Fri, Jun 15, 2012 at 6:21 AM, eduardo <erodri07@gmail.com> wrote:
> Having advised :
> 'it is highly recommended to migrate work from exec to native
> Puppet types as quickly as possible.'
>
> Is there any chance to purge keys ?
>
> Do nothing writing resources { "ssh_authorized_key": purge => true }
> in my init.pp module.

To support purging, the puppet type needs to be able to query all instances of the resource. In this case, because ssh_authorized_keys can write to different file locations, it does not have the ability to detect all ssh keys that exist on the system and therefore it will not have the ability to purge. In some cases, this is a limitation of the provider which does not implement self.instances (for example this was the case for a long time for the mysql database type), but in this case I don't believe it will ever support it.

An easy way to see if a resource supports purging is simply via the puppet resource command. If puppet resource <type> can list all instances of that resource then it supports purging, otherwise it does not.

    # for example host supports purge
    $ puppet resource host
    host { 'ip6-allnodes':
      ensure => 'present',
      ip     => 'ff02::1',
      target => '/etc/hosts',
    }
    ...

    # try this with ssh_authorized_key, and it returns nothing
    $ puppet resource ssh_authorized_key

In this case, a file fragment pattern with puppet-concat will be suitable for managing a specific ssh key file with support for purging.

Thanks,

Nan
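Added example, not part of the thread: the whole-file approach that Felix and Nan describe, written as a template-backed file resource so that any key not listed in the manifest is gone after the next run. The define name managed_authorized_keys, the user deploy and the key strings are hypothetical placeholders; it assumes the home directory is /home/<user> and that the user's group has the same name as the user, as in eduardo's chown.

```puppet
# Added example (hypothetical define, not code from the thread).
# Puppet owns the complete authorized_keys file, so there is nothing to
# "purge": every run rewrites the file to exactly the keys listed in $keys.
# Do not also declare ssh_authorized_key resources for the same file; the
# two mechanisms would overwrite each other on every run.
define managed_authorized_keys (
  $keys,                     # array of complete key lines: "type base64 comment"
  $home = "/home/${title}"   # assumption: conventional home directory layout
) {
  # sshd with StrictModes (the default) ignores key files whose directory
  # or file permissions are too open, so both are pinned here.
  file { "${home}/.ssh":
    ensure => directory,
    owner  => $title,
    group  => $title,
    mode   => '0700',
  }

  file { "${home}/.ssh/authorized_keys":
    ensure  => file,
    owner   => $title,
    group   => $title,
    mode    => '0600',
    # Sorted output keeps the file stable between runs, so a reported
    # change always means the key list itself changed.
    content => inline_template("# Managed by Puppet, local edits are overwritten\n<% @keys.sort.each do |k| -%>\n<%= k %>\n<% end -%>"),
    require => File["${home}/.ssh"],
  }
}

# Constructed sample data: placeholder key material, not real keys.
managed_authorized_keys { 'deploy':
  keys => [
    'ssh-rsa AAAA_PLACEHOLDER_KEY_1 alice@example.org',
    'ssh-rsa AAAA_PLACEHOLDER_KEY_2 bob@example.org',
  ],
}
```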
eduardo
2012-Jun-15 16:57 UTC
[Puppet Users] Re: how to refresh ssh/authorized_keys file content ?
Thank you Nan, your answer is very clear about it.

I've got the template way.

Regards,
eduardo.
Jo Rhett
2012-Jun-16 00:42 UTC
Re: [Puppet Users] how to refresh ssh/authorized_keys file content ?
On Jun 15, 2012, at 8:19 AM, Nan Liu wrote:
> To support purging, the puppet type needs to be able to query all
> instances of the resource. In this case because ssh_authorized_keys
> can write to different file locations, it does not have the ability to
> detect all ssh keys that exist on the system and therefore it will not
> have the ability to purge. In some cases, this is a limitation of the
> provider which does not implement self.instances (for example this was
> the case for a long time for mysql database type), but in this case I
> don't believe it will ever support it.

Nan, this should be easy to do. Yes, there is a forest of authorized key files on the host, for any given authorized_keys file you have a known list of what keys should be there. I know for a fact it knows about the other keys in the file, since it sometimes logs very weird error messages about them if the key's comment matches another user's name.
http://projects.puppetlabs.com/issues/14809#change-64568

Since it reads in the authorized_keys file, and knows about the other keys, it should be trivial to allow a purge=>true which removes any key not defined in the manifest.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.
David Schmitt
2012-Jun-18 08:43 UTC
Re: [Puppet Users] how to refresh ssh/authorized_keys file content ?
On 16.06.2012 02:42, Jo Rhett wrote:
> On Jun 15, 2012, at 8:19 AM, Nan Liu wrote:
>> To support purging, the puppet type needs to be able to query all
>> instances of the resource. In this case because ssh_authorized_keys
>> can write to different file locations, it does not have the ability to
>> detect all ssh keys that exist on the system and therefore it will not
>> have the ability to purge. In some cases, this is a limitation of the
>> provider which does not implement self.instances (for example this was
>> the case for a long time for mysql database type), but in this case I
>> don't believe it will ever support it.
>
> Nan, this should be easy to do. Yes, there is a forest of authorized key
> files on the host, for any given authorized_keys file you have a known
> list of what keys should be there. I know for a fact it knows about the
> other keys in the file, since it sometimes logs very weird error
> messages about them if the key's comment matches another user's name.
> http://projects.puppetlabs.com/issues/14809#change-64568
>
> Since it reads in the authorized_keys file, and knows about the other
> keys, it should be trivial to allow a purge=>true which removes any key
> not defined in the manifest.

There's an issue for that:

http://projects.puppetlabs.com/issues/1581

Best Regards, David