dkoleary
2013-Nov-17 20:33 UTC
[Puppet Users] file resource calling a ''define''d exec syntax?
Hi;

This one should be easy; but, so far, it's eluding me.

I would like to configure ssh to use a different directory for authorized keys files. I have the file resource, which works on its own. I want the file resource to call the exec to set the selinux type on the directory when needed. Here's what I have:

class ssh::config
{
    define sshdir_selinux() {
        exec { "/usr/bin/chcon -R -t ssh_home_t $ssh::params::ssh_authkey_dir": }
    }
#    exec { 'sshdir_selinux':
#        command => "chcon -R -t ssh_home_t $ssh::params::ssh_authkey_dir",
#        path    => '/usr/bin',
#        require => File["$ssh::params::ssh_authkey_dir"],
#    }
    file { $ssh::params::ssh_authkey_dir:
        ensure => directory,
        owner  => root,
        group  => root,
        mode   => '0755',
    }
    file { $ssh::params::ssh_rootkeys:
        ensure => present,
        owner  => root,
        group  => sys,
        mode   => '0750',
        source => 'puppet:///modules/ssh/authorized_keys.root',
        sshdir_selinux { },
    }
}

My searches (particularly: https://support.mayfirst.org/wiki/how-to/puppet/layout#defines) seem to indicate this is the right syntax; but I keep getting:

# ptest
Error: Syntax error at '{'; expected '}' at /root/modules/ssh/manifests/config.pp:62 on node puppet.olearycomputers.com
Error: Syntax error at '{'; expected '}' at /root/modules/ssh/manifests/config.pp:62 on node puppet.olearycomputers.com

when I run it.

I have made the process work by using the straight exec that's commented in the code above; but, that'll call chcon every time that puppet's run (as I understand it). I would rather have it called only when a key file is added.

Appreciate any hints/tips/suggestions.

Doug O'Leary

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/e40a6bc4-170f-4be6-bacb-73e13c483ce9%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
Neil - Puppet List
2013-Nov-17 22:10 UTC
Re: [Puppet Users] file resource calling a 'define'd exec syntax?
Hello

First up, the file type supports selinux roles etc., so you might not need any of that. If you did, make the exec resource refreshonly and notify it from the file resource.

Anyway, the parser is right: the syntax is bad. Inside the curly it's always like

type { 'name':
    var => value,
    Followed by more of the same pairs
}

Neil
jcbollinger
2013-Nov-18 17:01 UTC
[Puppet Users] Re: file resource calling a 'define'd exec syntax?
On Sunday, November 17, 2013 2:33:54 PM UTC-6, dkoleary wrote:

> Hi;
>
> This one should be easy; but, so far, it's eluding me.
>
> I would like to configure ssh to use a different directory for authorized keys files. I have the file resource, which works on its own. I want the file resource to call the exec to set the selinux type on the directory when needed.

That is not the Puppet way. You seem to be approaching Puppet as if it were a script engine. It is not. One resource does not call another; in fact no resource, not even one of defined type, is "called" by anything. Your manifests simply describe the target state you want Puppet to enforce. Where one aspect of the target state depends on another, your manifests may also direct the agent to synchronize some resources before others. Whatever the state you describe, however, Puppet figures out most of the details of what to do on its own.

Moreover, I suspect you are confusing Puppet defined types with macros. Puppet DSL does not have a macro facility. The "define" keyword introduces a user-defined *resource type*, with substantially the same usage rules as any of the built-in resource types.

> Here's what I have:
>
[...]
>
>     file { $ssh::params::ssh_rootkeys:
>         ensure => present,
>         owner  => root,
>         group  => sys,
>         mode   => '0750',
>         source => 'puppet:///modules/ssh/authorized_keys.root',
>         sshdir_selinux { },
>

Right there ^^^^ is the syntax error Puppet is complaining about. A resource declaration's parameter list may contain only parameters. Even if you could declare another resource there, your syntax is incorrect for that, too, because it is missing a resource title.

As Neil suggested, do look into the SELinux support built directly into the File type. Puppet splits the context information across several parameters (selrole, etc.), and it will probably be much easier and more consistent to use those than to set up an Exec to modify the context after the fact. It will likely be a lot faster, too, when the file already exists with the correct context.

John
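A manifest that applies both suggestions from the thread (the File type's own SELinux parameters, with a refreshonly Exec notified from the file as the fallback) is shown below. This is an added example, not code from the thread; it assumes the same $ssh::params::ssh_authkey_dir and $ssh::params::ssh_rootkeys variables the original post uses, and that an ssh::params class defines them.

```puppet
# Added example (not the poster's manifest). Assumes ssh::params declares
# $ssh_authkey_dir and $ssh_rootkeys, as the original post does.
class ssh::config {
  include ssh::params

  # Preferred: let the File type own the SELinux label. Puppet compares the
  # label on every run and only relabels when it drifts, which is both
  # faster and more consistent than a chcon run after the fact.
  file { $ssh::params::ssh_authkey_dir:
    ensure  => directory,
    owner   => 'root',
    group   => 'root',
    mode    => '0755',
    seltype => 'ssh_home_t',
  }

  file { $ssh::params::ssh_rootkeys:
    ensure  => file,
    owner   => 'root',
    group   => 'sys',
    mode    => '0750',
    source  => 'puppet:///modules/ssh/authorized_keys.root',
    seltype => 'ssh_home_t',
    require => File[$ssh::params::ssh_authkey_dir],
  }

  # Fallback answering the original question directly: an Exec that is
  # refreshonly, so chcon runs only when the key file actually changes,
  # not on every agent run. With seltype above it is redundant; keep one
  # or the other.
  exec { 'sshdir_selinux':
    command     => "chcon -R -t ssh_home_t ${ssh::params::ssh_authkey_dir}",
    path        => '/usr/bin:/bin',
    refreshonly => true,
    subscribe   => File[$ssh::params::ssh_rootkeys],
  }

  # A defined type, if you still wanted one, is declared as a resource of
  # its own with a title, never inside another resource's parameter list:
  #   sshdir_selinux { 'root': }
}
```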
dkoleary
2013-Nov-19 15:13 UTC
[Puppet Users] Re: file resource calling a 'define'd exec syntax?
Hey, all;

Thanks for the responses. I appreciate it.

I was unaware that the file resource handles selinux. I seem to remember one of my searches saying puppet didn't support selinux. Maybe an old version of puppet or a misread; either way, I'll take that route.

I know my attempt at executing the chcon command was wrong - that was the last attempt of probably 10 or more that didn't work and was more out of sheer frustration. I was basing my original feeble attempts on a compilation of the recipes in the puppet cookbook. Unfortunately, I haven't had time to get back to this since I posted the original question. I'm hoping to get back to it tonight, during which I can reexamine the recipes I was looking at and maybe post a more coherent question. While the file type supports selinux, the functionality I'm looking for would be good to know.

Thanks again for your help and responses.

Doug O'Leary