On Wednesday 24 Feb 2010 18:12:18 Andrew Schulman wrote:
> > Hi Andrew,
> >
> > Just noticed that ssh::auth::server doesn't require the resource for
> > ~/.ssh directory. Considering the documentation says it does (in
> > Examples -> 1. With account management at the bottom mentions that
> > 'require => [User[$title], File["$home/.ssh"]]' is implicitly included in
> > both client and server), I thought I'll report it.
> >
> > This works fine for ssh::auth::server because it uses a file resource for
> > the ~/.ssh/$filename file, so ~/.ssh is autorequired by puppet (if
> > defined).
>
> OK, thanks for pointing this out. Looking back at it now, I think I was
> probably counting on ssh_authorized_key requiring File[$home/.ssh]. But
> that doesn't seem to be explicit anywhere, so I'll add it in explicitly for
> the next point release. And the user too, while I'm at it.

Actually, the user dependency is already there. But now that you mention it, do you think it would be OK to make it optional, e.g. as in `if defined(User[foo]) { ... }`? I actually had to disable it as I don't manage users in puppet (I use nss_ldap and users are in AD). I realize this can lead to failures when user's home directory doesn't exist, but it's not critical, i.e. the key will simply be installed when the directory is created (in case of nss_ldap that is after the first time a user logged on). I haven't found a better way to deal with that yet, if you have better ideas, please share :)

> > Also, while I'm at it, I wanted to ask a question related to scoping.
> > Don't know if it's another difference between puppet 0.24.8 and 0.25.x,
> > can't find any docs mentioning that. Anyway the problem manifests itself
> > in that simple manifest:
> >
> > ----
> > import "auth.pp"
> >
> > include ssh::auth
> >
> > Ssh::Auth::Key { length => 4096 }
> >
> > ssh::auth::key { 'foo': }
> >
> > include ssh::auth::keymaster
> > file { '/home/foo/.ssh': ensure => directory, mode => 700, owner => 'foo', group => 'puppet' }
> > ssh::auth::client { 'foo': group => 'foo' }
> > ----
> >
> > this is a simplified manifest which I ran with standalone puppet and it
> > produces the following error:
> >
> > Only subclasses can override parameters at /root/puppet-tests/sshauth/auth.pp:113 on node ...
> >
> > The problem here is the "group => 'foo'" param passed to
> > ssh::auth::client. It doesn't really matter which parameter it is though
> > as the issue seems to be that the ssh::auth::client (or
> > ssh::auth::server) define cannot override properties of a resource
> > declared in ssh::auth::key define.
> >
> > I searched a bit for something on defines overriding parameters of
> > resources and found a thread here on puppet-users [1] which implies this
> > isn't possible.
> >
> > Does that work in 0.25.x ?
>
> I'll have to spend a little time looking into this. The whole purpose of
> the way I set up the defines and virtual resources was to be able to
> override parameters. The last time I tried it, it worked. I guess it's a
> conflict with the file resource in your manifest? I'll see what I can
> figure out and get back to you.

AFAICS, ssh::auth doesn't declare the '${home}/.ssh' directory and it is the only file resource in the manifest above. Don't know, to be honest scoping and related issues in Puppet DSL have always confused the heck out of me ;)

> > Andrew.
>

Thanks Andrew, let me know if I can help.

--
Michael Gliwinski
Henderson Group Information Services
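
The optional user dependency discussed in the message above, sketched as an added example that is not part of the original thread or of the ssh::auth module. The define example::authorized_key, its parameters and the key value are hypothetical; defined() only sees resources already evaluated at that point in the catalog, so a managed User must be declared before the define is used.

```puppet
# Added example: hypothetical define, not code from ssh::auth.
define example::authorized_key($user, $home, $key, $type = 'ssh-rsa') {

  # Always depend on the ~/.ssh directory explicitly instead of relying on
  # an implicit autorequire; it must be declared elsewhere in the catalog.
  # Depend on the user only when Puppet manages it, so that accounts coming
  # from nss_ldap/AD do not cause an unresolved-dependency failure.
  if defined(User[$user]) {
    $deps = [User[$user], File["${home}/.ssh"]]
  } else {
    $deps = [File["${home}/.ssh"]]
  }

  ssh_authorized_key { "${user}@${title}":
    ensure  => present,
    user    => $user,
    type    => $type,
    key     => $key,
    target  => "${home}/.ssh/authorized_keys",
    require => $deps,
  }
}

# Usage with a directory-service account that Puppet does not manage.
# Owner-only permissions on ~/.ssh keep other local users away from the keys.
file { '/home/foo/.ssh':
  ensure => directory,
  owner  => 'foo',
  group  => 'foo',
  mode   => '0700',
}

example::authorized_key { 'deploy':
  user => 'foo',
  home => '/home/foo',
  key  => 'AAAAB3-constructed-placeholder-not-a-real-key',
}
```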