I''d like to create a file, use it in a number of other puppetted processes, then clean it up. I can create it: file { ''bash-agent-key'' : path => "/home/${user}/.bash_keyautoload.tmp", content => template(''ssh_agent_add/bash_keyautoload.erb''), mode => 0700, owner => $user, group => $user, } but when I try to delete it with either: file { ''bash-agent-key'' : ensure => absent, } or file { ''bash-agent-key-delete'' : path => "/home/${user}/.bash_keyautoload.tmp", ensure => absent, } I get an error message: Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Duplicate declaration: File[bash-agent-key] is already declared in file /etc/puppet/modules/ssh_agent_add/manifests/init.pp at line 47; cannot redeclare on node or Error: Failed to apply catalog: Cannot alias File[bash-agent-key-delete] to ["/home/lightenn/.bash_keyautoload.tmp"] at /etc/puppet/modules/ssh_agent_add/manifests/init.pp:73; resource ["File", "/home/lightenn/.bash_keyautoload.tmp"] already declared at /etc/puppet/modules/ssh_agent_add/manifests/init.pp:47 Any guidance much appreciated. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/7_kAU6lJTNQJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
You''re trying something that''s essentially timing based in puppet, which is more state based. You can''t really tell puppet that a file should exist and not exist in the same run. Could you give some more info on what you''re trying to accomplish with this? That way we might offer some ideas to help. On Friday, November 16, 2012 4:04:05 AM UTC-8, Alex Stanhope wrote:> > I''d like to create a file, use it in a number of other puppetted > processes, then clean it up. > > I can create it: > file { ''bash-agent-key'' : > path => "/home/${user}/.bash_keyautoload.tmp", > content => template(''ssh_agent_add/bash_keyautoload.erb''), > mode => 0700, > owner => $user, > group => $user, > } > > but when I try to delete it with either: > file { ''bash-agent-key'' : > ensure => absent, > } > or > file { ''bash-agent-key-delete'' : > path => "/home/${user}/.bash_keyautoload.tmp", > ensure => absent, > } > > I get an error message: > Error: Could not retrieve catalog from remote server: Error 400 on SERVER: > Duplicate declaration: File[bash-agent-key] is already declared in file > /etc/puppet/modules/ssh_agent_add/manifests/init.pp at line 47; cannot > redeclare on node > or > Error: Failed to apply catalog: Cannot alias File[bash-agent-key-delete] > to ["/home/lightenn/.bash_keyautoload.tmp"] at > /etc/puppet/modules/ssh_agent_add/manifests/init.pp:73; resource ["File", > "/home/lightenn/.bash_keyautoload.tmp"] already declared at > /etc/puppet/modules/ssh_agent_add/manifests/init.pp:47 > > Any guidance much appreciated. >-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/e2emA3vuAhoJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Friday, November 16, 2012 5:11:22 PM UTC, Ellison Marks wrote:> Could you give some more info on what you''re trying to accomplish with > this? That way we might offer some ideas to help. >Of course. I use a temporary file to store a private key passphrase. That passphrase is used to allow the client machine to load the private key, and clone repositories from github. After puppet has installed the client machine, I''d like it to delete this temporary file, so that future logins prompt the user for the password. It''s not the end of the world to leave it there, or for me to clean it up manually. I know I could use passwordless private keys, but I think it''s better security to have passphrases on them. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/W1WwX2NxqXsJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Friday, November 16, 2012 11:17:23 AM UTC-6, Alex Stanhope wrote:> > On Friday, November 16, 2012 5:11:22 PM UTC, Ellison Marks wrote: > >> Could you give some more info on what you''re trying to accomplish with >> this? That way we might offer some ideas to help. >> > > Of course. I use a temporary file to store a private key passphrase. > That passphrase is used to allow the client machine to load the private > key, and clone repositories from github. After puppet has installed the > client machine, I''d like it to delete this temporary file, so that future > logins prompt the user for the password. It''s not the end of the world to > leave it there, or for me to clean it up manually. I know I could use > passwordless private keys, but I think it''s better security to have > passphrases on them. >Can you not supply the passphrase directly to your ''git clone'' command instead of storing it in a file? John -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/UJfknU4WkEoJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Jakov Sosic
2012-Nov-21 02:03 UTC
Re: [Puppet Users] Re: delete a file created with puppet
On 11/16/2012 06:17 PM, Alex Stanhope wrote:> On Friday, November 16, 2012 5:11:22 PM UTC, Ellison Marks wrote: > > Could you give some more info on what you''re trying to accomplish > with this? That way we might offer some ideas to help. > > > Of course. I use a temporary file to store a private key passphrase. > That passphrase is used to allow the client machine to load the > private key, and clone repositories from github. After puppet has > installed the client machine, I''d like it to delete this temporary file, > so that future logins prompt the user for the password. It''s not the > end of the world to leave it there, or for me to clean it up manually. > I know I could use passwordless private keys, but I think it''s better > security to have passphrases on them.You can maybe try some mumbo jumbo magic with stages and combining two exec''s. Like, first exec gets the key: exec{''first'': command => ''cd /tmp && wget mykey'', creates => ''/tmp/mykey'', } exec{''second'': command => ''echo "" > /tmp/mykey | tee -a /tmp/mykey2'', creates => ''/tmp/mykey2'', } Put first in stage before main, second in stage after main, and that could work. Although it''s a really really ugly hack, and circumvention of Declarative Language nature -> to declare states and not to run scripts... -- Jakov Sosic www.srce.unizg.hr -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Alex Stanhope
2012-Nov-21 09:57 UTC
Re: [Puppet Users] Re: delete a file created with puppet
Hi Jakov, On 21 November 2012 02:03, Jakov Sosic wrote:> > exec{''first'': > command => ''cd /tmp && wget mykey'', > creates => ''/tmp/mykey'', > } > > exec{''second'': > command => ''echo "" > /tmp/mykey | tee -a /tmp/mykey2'', > creates => ''/tmp/mykey2'', > } >...a really beautiful ugly hack. I appreciate the input because it sounds like I''m not missing anything really obvious. When coding in a new (declarative) language, I''m always mindful that I could be thinking about the problem incorrectly. I''m surprised in this case that more puppeteers haven''t had the same problem. Perhaps I should be writing some kind of secure ssh-agent based key management plugin for Puppet? Also John, thanks for the suggestion. Sending a plaintext password to the git clone call is an option, but I''ve got several git and several SVN repos, all connecting over SSH so the agent-play made more sense to me. Cheers, Alex -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/_wHDatM6yEwJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
David Schmitt
2012-Nov-21 10:09 UTC
Re: [Puppet Users] Re: delete a file created with puppet
On 21.11.2012 03:03, Jakov Sosic wrote:> On 11/16/2012 06:17 PM, Alex Stanhope wrote: >> On Friday, November 16, 2012 5:11:22 PM UTC, Ellison Marks wrote: >> >> Could you give some more info on what you''re trying to accomplish >> with this? That way we might offer some ideas to help. >> >> >> Of course. I use a temporary file to store a private key passphrase. >> That passphrase is used to allow the client machine to load the >> private key, and clone repositories from github. After puppet has >> installed the client machine, I''d like it to delete this temporary file, >> so that future logins prompt the user for the password. It''s not the >> end of the world to leave it there, or for me to clean it up manually. >> I know I could use passwordless private keys, but I think it''s better >> security to have passphrases on them. > > You can maybe try some mumbo jumbo magic with stages and combining two > exec''s. > > Like, first exec gets the key: > > exec{''first'': > command => ''cd /tmp && wget mykey'', > creates => ''/tmp/mykey'', > } > > exec{''second'': > command => ''echo "" > /tmp/mykey | tee -a /tmp/mykey2'', > creates => ''/tmp/mykey2'', > } > > > Put first in stage before main, second in stage after main, and that > could work. Although it''s a really really ugly hack, and circumvention > of Declarative Language nature -> to declare states and not to run > scripts...This will put the passphrase onto the node every time puppet runs. I do not see how that will make it any more secure. To avoid putting sensitive key material into your automation, you''ll have to try and see whether you cannot access the source without this. For example, you could clone internally from a reduced security repo and then modify the remote configuration. Best Regards, David -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Jakov Sosic
2012-Nov-21 13:08 UTC
Re: [Puppet Users] Re: delete a file created with puppet
On 11/21/2012 11:09 AM, David Schmitt wrote:> This will put the passphrase onto the node every time puppet runs. I do > not see how that will make it any more secure.I do not think it will. Exec will run only if /tmp/mykey does not exist, and in my case it does exist all the time until you delete it manually. Take a look: # cat test.pp exec {''first'': command => ''/bin/echo "something" > /tmp/mykey'', creates => ''/tmp/mykey'', } # puppet apply test.pp /Stage[main]//Exec[first]/returns: executed successfully Finished catalog run in 0.16 seconds # cat test2.pp exec {''second'': command => ''/bin/echo "" > /tmp/mykey | /usr/bin/tee -a /tmp/mykey2'', creates => ''/tmp/mykey2'', } # puppet apply test2.pp /Stage[main]//Exec[second]/returns: executed successfully Finished catalog run in 0.30 seconds # cat /tmp/mykey # cat /tmp/mykey2 # # puppet apply test.pp Finished catalog run in 0.10 seconds # cat /tmp/mykey -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
jcbollinger
2012-Nov-26 16:52 UTC
Re: [Puppet Users] Re: delete a file created with puppet
On Wednesday, November 21, 2012 3:57:46 AM UTC-6, Alex Stanhope wrote:> > Hi Jakov, > > On 21 November 2012 02:03, Jakov Sosic wrote: >> >> exec{''first'': >> command => ''cd /tmp && wget mykey'', >> creates => ''/tmp/mykey'', >> } >> >> exec{''second'': >> command => ''echo "" > /tmp/mykey | tee -a /tmp/mykey2'', >> creates => ''/tmp/mykey2'', >> } >> > > ...a really beautiful ugly hack. I appreciate the input because it sounds > like I''m not missing anything really obvious. When coding in a new > (declarative) language, I''m always mindful that I could be thinking about > the problem incorrectly. I''m surprised in this case that more puppeteers > haven''t had the same problem. Perhaps I should be writing some kind of > secure ssh-agent based key management plugin for Puppet? >If you''re going to go with something like that then at least tidy it up: 1) Do not use run stages. It would be messy to set this up so that you could do so. Instead, declare ordinary resource relationships that capture the order you need. 2) For goodness sake, don''t leave *two* state files per repo lying around when you need only one. 3) Do put the state files somewhere other than /tmp, as putting them in /tmp implies that it is safe to remove them. The result might look something like this: define mymodule::git_repo() { exec { "get_repo_${name}_key": command => "cd /var/local && wget ${mymodule::repo_key_base}/repo_${name}_key", creates => "/var/local/repo_${name}_key", provider => ''sh'' } exec { "clone_repo_${name}": command => "git clone ...", refreshonly => true, subscribe => Exec["get_repo_${name}_key"] } exec { "clean_repo_${name}_key": command => "echo '''' > /var/local/repo_${name}_key", refreshonly => true, require => Exec["clone_repo_${name}"], subscribe => Exec["get_repo_${name}_key"], provider => ''sh'' } }> > Also John, thanks for the suggestion. Sending a plaintext password to the > git clone call is an option, but I''ve got several git and several SVN > repos, all connecting over SSH so the agent-play made more sense to me. > >If you''re saying that you envision all the repos'' keys going to go into the same file, then do be aware Jakov''s approach does not serve that objective very well. You really need one file per repo, since the approach relies on an empty version being kept around as a marker that that repo has already been cloned. Indeed, it is the requirement for marker files that turns me off to the idea. It is clever to clear the key files and leave them as markers, but I''m not very keen on storing metadata on the managed node in the first place. I much prefer techniques that are driven by the actual state of the target node, instead of indirectly by what Puppet (or someone else) has recorded about the state of the node. With that said, you should go with what makes sense to you and works for you. I just want you to make an informed decision. John -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/56cxhQa4DjMJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.