Simon,
It seems like you are trying to work with puppet as though it were a
procedural language, not a declarative one. You should try to think of
a way of expressing your user abstraction in terms of declarative
statements instead of as a series of steps. If you must do a series of
steps, you might consider writing a custom resource type for your
needs.
--Paul
On Mon, May 18, 2009 at 11:31 AM, Simon Kuhn <simon.k...@gmail.com> wrote:
>
> I'm trying to approach ssh authorized_keys distribution from another
> angle. It seems like the standard method is to either put the ssh
> public key into a variable in a puppet manifest or to place the file
> within the puppet file hierarchy. I'm not happy with either of these
> options, because I would like to create a user from start to finish as
> hands-off as possible (including ssh key generation and propagation).
>
> So I want the following to happen:
>
> - Define a user in a puppet class
> - Have puppet create that user's home directory and ssh public/private
> keys on the main server
> - Export public keys into that user's authorized_keys file on every
> server
>
> I have a method that does this (or so it seems), but the main problem
> is that without some tomfoolery I can't figure out how to read a
> file's contents into a variable only AFTER that file is created by an
> exec command.
>
> I have the following (after 'user' has been called):
>
> if $hostname == puppet {
> exec { "create-ssh-key-$n...@$domain":
> command => "ssh-keygen -t rsa -C '$name@
> $domain' -N '' -q -f /home/$name/.ssh/id_rsa",
> path => "/usr/bin:/bin",
> creates => ["/home/$name/.ssh/id_rsa","/home/
> $name/.ssh/id_rsa.pub"],
> require => [ User["$name"], File["/home/
> $name/.ssh/"] ],
> before => Ssh_authorized_key["$n...@$domain"],
> user => $name,
> }
>
> @@ssh_authorized_key { "$n...@$domain":
> ensure => present,
> key => generate("/usr/bin/cut","-f2","-d ","/
> home/$name/.ssh/id_rsa.pub"),
> target => "/home/$name/.ssh/authorized_keys",
> type => ssh-rsa,
> user => $name,
> name => "$n...@$domain",
> require => User["$name"],
> }
> }
>
> Ssh_authorized_key <<| name == "$n...@$domain" |>>
>
> However, unless I completely remove the ssh_authorized_key call until
> the user exists, I wind up with this error:
>
> May 16 00:44:12 puppet puppetmasterd[22843]: Failed to execute
> generator /usr/bin/cut: Execution of '/usr/bin/cut -f2 -d /home/
> user/.ssh/id_rsa.pub' returned 1: /usr/bin/cut: /home/user/.ssh/
> id_rsa.pub: No such file or directory at /etc/puppet/modules/users/
> manifests/init.pp:34 on node puppetmaster
>
> I've tried a number of different requires, befores, and splitting
> things into multiple files/classes/defines to try to force the
> execution order that I want but to no avail. It seems like 'generate'
> is always run early, and so the user and id_rsa.pub file haven't been
> made yet.
>
> I finally used the following tactic:
>
> key => file("/home/$name/.ssh/id_rsa.pub","/etc/ssh/ssh_host_key.pub")
>
> so that the first execution puts the host's public key into
> authorized_keys (which serves no purpose, but it's the same format and
> that file will always exist) and the second execution does the right
> thing. But it's pretty gross, and it means users will take a longer
> time than necessary to fully propagate.
>
> Is there some method that I'm overlooking to force puppet to schedule
> 'ssh_authorized_key' after 'exec' in this case?
>
> --
> Simon Kuhn
>
> >
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
