Paul Lathrop wrote:

> On Sun, Oct 19, 2008 at 11:48 PM, schickb <[EMAIL PROTECTED]> wrote:
>> * No way to specify "system" users or groups (other than hard-coded
>> ids)
> 
> If you are managing users/groups with Puppet you probably *want*
> hard-coded IDs. You should specify every part of the configs you care
> about; clearly you care that system users get IDs in a certain range,
> therefore you should specify the IDs.

I disagree!

I need to create a user for a software package.  I pick a uid that is
currently free in the range reserved for system users (1-500 on RedHat),
for example 493.  Next, I install an RPM that creates a system user of
its own, e.g. pulseaudio; that RPM will pick a free userid in the system
range, e.g. 492.  All is well.

Now I install a new machine with the same Puppet manifests.  If the
pulseaudio RPM happens to be installed before my manifest creates my
user, it may very well pick uid 493 for its user!  Suddenly we have
a collision, because I hardcoded a uid.  That's bad.

You might argue that those RPMs that allocate uids dynamically are
ill-mannered.  However, that's how lots and lots of RPMs work, and
that's how for instance RedHat has specified that they should work.
I for one have more productive things to do with my time than trying
to convince RedHat that all RPMs should allocate uids statically...


And by the way, below I'm attaching a recipe for managing system
users and system groups under RedHat.  It only handles a few
of the most important parameters that the normal user and group
types handle, but it should be fairly easy to extend if you need.

Share and enjoy!


        /Thomas Bellman


------------------------------------------------------------------------
# Create (or remove) a system account, i.e. one with a "low" uid.
# The normal user type can't be instructed to create a system
# account without hardcoding a uid, which we don't want to do.
#
# A group with the same name as the user will be created at the
# same time.
#
# This implementation is RedHat specific.

define rh_sysuser($comment="", $home="/", $shell="/sbin/nologin",
                  $ensure="present")
{
    rh_sysgroup {
        $name:
            ensure => $ensure;
    }
    case $ensure {
        "present": {
            exec {
                "sysuser--$name":
                    # $comment, $home and $shell are interpolated into a
                    # shell command line; a single quote inside any of them
                    # breaks the quoting, so keep them to plain text.
                    command => "useradd -r -c '$comment' -M -d '$home' -s '$shell' -g '$name' '$name'",
                    unless  => "getent passwd '$name'",
                    path    => "/sbin:/usr/sbin:/bin:/usr/bin",
                    require => Rh_sysgroup[$name];
            }
        }
        "absent": {
            exec {
                "sysuser--$name":
                    command => "userdel -f '$name'",
                    onlyif  => "getent passwd '$name'",
                    path    => "/sbin:/usr/sbin:/bin:/usr/bin",
                    before  => Rh_sysgroup[$name];
            }
        }
        default: {
            fail("Bad rh_sysuser parameter ensure: $ensure")
        }
    }
    # These are here so we get auto-require from things that want
    # user and/or group names, like the file type.
    user {
        "$name":
            ensure => $ensure,
            gid => $name, comment => $comment, home => $home, shell => $shell,
            require => Exec["sysuser--$name"]
    }
}


define rh_sysgroup($ensure="present")
{
    case $ensure {
        "present": {
            exec {
                "sysgroup--$name":
                    command => "groupadd -r '$name'",
                    unless  => "getent group '$name'",
                    path    => "/sbin:/usr/sbin:/bin:/usr/bin";
            }
        }
        "absent": {
            exec {
                "sysgroup--$name":
                    command => "groupdel '$name'",
                    onlyif  => "getent group '$name'",
                    path    => "/sbin:/usr/sbin:/bin:/usr/bin";
            }
        }
        default: {
            fail("Bad rh_sysgroup parameter ensure: $ensure")
        }
    }
    # This is here so we get auto-require from things that want
    # group names, like the file type.
    group {
        "$name":
            ensure => $ensure, require => Exec["sysgroup--$name"]
    }
}
------------------------------------------------------------------------

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
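The collision scenario from Thomas's post, worked through as an added example (this is not code from the post or from Puppet). It models `useradd -r` on a constructed passwd-format string instead of the real /etc/passwd, so it runs unprivileged. Assumptions: a RedHat-style system uid range of 1..499, the shadow-utils rule that `useradd -r` hands out the highest unused uid in that range, and invented account names (`svc-a` .. `svc-f`, `myapp`) to fill the sample file. `uid_taken` is the check to run against a real passwd file before hardcoding a uid in a manifest.

```sh
#!/bin/sh
# Added example, not part of the original post: models the uid collision
# on a constructed passwd-format string rather than the real /etc/passwd.
#
# Assumption: RedHat-style system uid range 1..499, and "useradd -r"
# picking the highest free uid in that range (shadow-utils behaviour).
SYS_UID_MIN=1
SYS_UID_MAX=499

# Constructed sample standing in for /etc/passwd on a fresh install:
# 494..499 are already used, 493 and below are free.  Names are invented.
BASE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
svc-a:x:499:499:service a:/:/sbin/nologin
svc-b:x:498:498:service b:/:/sbin/nologin
svc-c:x:497:497:service c:/:/sbin/nologin
svc-d:x:496:496:service d:/:/sbin/nologin
svc-e:x:495:495:service e:/:/sbin/nologin
svc-f:x:494:494:service f:/:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash'

# uid_taken PASSWD_TEXT UID -> exit 0 if some line already carries UID.
# This is the check to run before hardcoding a uid in a manifest.
uid_taken() {
    printf '%s\n' "$1" | awk -F: -v want="$2" '$3 == want { found = 1 } END { exit !found }'
}

# next_free_sysuid PASSWD_TEXT -> print the uid "useradd -r" would pick:
# the highest uid in [SYS_UID_MIN, SYS_UID_MAX] that no line uses.
next_free_sysuid() {
    printf '%s\n' "$1" | awk -F: -v lo="$SYS_UID_MIN" -v hi="$SYS_UID_MAX" '
        { used[$3] = 1 }
        END {
            for (u = hi; u >= lo; u--)
                if (!(u in used)) { print u; exit 0 }
            exit 1
        }'
}

# add_sysuser PASSWD_TEXT NAME -> PASSWD_TEXT plus NAME, allocated the way
# an RPM scriptlet's "useradd -r NAME" does: dynamic uid, gid equal to it.
add_sysuser() {
    uid=$(next_free_sysuid "$1") || return 1
    printf '%s\n%s:x:%s:%s:%s:/:/sbin/nologin' "$1" "$2" "$uid" "$uid" "$2"
}

# add_hardcoded_user PASSWD_TEXT NAME UID -> PASSWD_TEXT plus NAME at UID,
# which is what a manifest with a hardcoded uid does.
add_hardcoded_user() {
    printf '%s\n%s:x:%s:%s:%s:/:/sbin/nologin' "$1" "$2" "$3" "$3" "$2"
}

# Machine A: the manifest runs first and takes 493, then the RPM runs.
# Prints the uid the RPM's account ends up with.
machine_a_rpm_uid() {
    a=$(add_hardcoded_user "$BASE_PASSWD" myapp 493)
    next_free_sysuid "$a"
}

# Machine B: the RPM runs first; prints the uid its account ends up with.
machine_b_rpm_uid() {
    next_free_sysuid "$BASE_PASSWD"
}

# Machine B again: once the RPM has run, is the manifest's hardcoded 493
# still free?  Prints "collision" or "free".
machine_b_hardcoded_status() {
    b=$(add_sysuser "$BASE_PASSWD" pulse)
    if uid_taken "$b" 493; then echo collision; else echo free; fi
}

echo "machine A: pulseaudio gets uid $(machine_a_rpm_uid)"          # 492
echo "machine B: pulseaudio gets uid $(machine_b_rpm_uid)"          # 493
echo "machine B: hardcoded uid 493 is a $(machine_b_hardcoded_status)"
```

On machine A the RPM's account lands on 492 and everything works; on machine B the same RPM, run before the manifest, takes 493 itself, and the manifest's hardcoded uid now collides. Replacing `uid_taken` / `next_free_sysuid` with `getent passwd` and a real `useradd -r` gives exactly the idempotent `unless`/`command` pair the recipe above uses.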
