On Feb 22, 7:55 pm, Kent <kentmshu...@gmail.com> wrote:
> I don't want to use a File resource or templates, as we do for most
> everything else. I considered augeas and have played around with it a
> bit, but in so many cases it is clumsy and a little dangerous, i.e.
> items in config files are often referenced by file line number or some
> other possibly-volatile key. This uncertainty with augeas sorta
> defeats the whole purpose of avoiding File and templates. Line numbers
> can change from one version of the file to the next, and if I hardcode
> changes to specific line numbers, that seems like a recipe for
> incorrect config files in the future.

Agreed, augeas is a bit convoluted at times, definitely a tool for a
specific job. As you've seen, it all depends on the lens for the file
in question. File lenses with fully unique keys are great; with lenses
for files that allow multiple, duplicate keys, or are line-order
dependent (think /etc/hosts and /etc/pam.d/), things become more
annoying, but I haven't run across many cases that I'd consider
volatile enough to consider not using it, except maybe
/etc/logrotate.conf. Can you give me any examples?

While we're talking Augeas, I've attached some examples people might
find helpful.

One of my augeas edits to add one of the lines for Kerberos to
/etc/pam.d/system-auth-ac, an order-dependent file. This one inserts
the line after "auth required pam_env.so". If that line's missing then
the augeas resource will fail, in which case the format of this PAM
file has seriously changed and I'd want to manually intervene anyway:

#Edit PAM system-auth-ac and add auth line for kerberos.
#Eg:
#auth sufficient pam_krb5.so try_first_pass
augeas { "add kerberos auth to ${system_auth_file}":
  context => "/files${system_auth_file}",
  changes => [
    "rm *[type='auth'][module='pam_krb5.so']",
    "ins 1000000 after *[type='auth'][control='required'][module='pam_env.so']",
    "set 1000000/type auth",
    "set 1000000/control sufficient",
    "set 1000000/module pam_krb5.so",
    "set 1000000/argument try_first_pass",
  ],
  onlyif => "match *[type='auth'][control='sufficient'][module='pam_krb5.so'][argument='try_first_pass'] size == 0",
}

#====Define: insert_comment
#
#Insert a comment at the top of a file using Augeas.
#
#This is a wrapper around an Augeas function that inserts a comment at the top
#of any file with a given comment if that comment doesn't exist. You can override
#the Augeas 'comment' node name but it defaults to '\#comment'. The 'description'
#parameter is only used in the name of the Augeas resource, so it's for information
#purposes only.
#
#====Parameters
#
#comment:: The contents of the comment to be added.
#file:: The file to comment, must be supported by Augeas.
#description:: Description of the Augeas resource which translates to its namevar.
#aug_comment:: The comment node name for this file. Defaults to '#comment', you need to change this if your augeas lens describes its comment nodes differently, like ';comment' or '//comment'.
#load_path:: Load any additional Augeas lens paths.
define insert_comment($comment, $file, $description, $aug_comment="#comment", $load_path=undef) {
  augeas { "comment ${file} for ${description}":
    context => "/files${file}",
    changes => [
      "ins ${aug_comment} before *[1]",
      "set ${aug_comment}[1] '${comment}'",
    ],
    onlyif => "match ${aug_comment}[.='${comment}'] size == 0",
    load_path => $load_path,
  }
}

#====Define: exports_entry
#
#This define is a shortcut for other classes to use Augeas to make inline edits on
#/etc/exports. To add multiple clients with the same path then just create multiple
#exports_entry resources. This define also notifies the Exec[reload_exportfs_file]
#resource to have the NFS server reload the exports file.
#
#This define only uses Augeas 'set' commands, so it can only ADD to /etc/exports,
#it will not clean up old entries or change NFS server options from clients.
#
#====Parameters
#path:: The file system path to export.
#client:: The hostname or IP address of the NFS client.
#ro:: Boolean to turn on the 'ro' NFS mount option. Defaults to false.
#async:: Boolean to turn on the 'async' NFS mount option. Defaults to false.
#no_root_squash:: Boolean to turn on the 'no_root_squash' NFS mount option. Defaults to false.
define exports_entry($path, $client, $ro = false, $async = false, $no_root_squash = false) {
  #The basic set of Augeas changes to set up an NFS export.
  $base_changes = [
    "set dir[.='$path'] $path",
    "set dir[.='$path']/client[.='${client}'] ${client}"
  ]

  #Additional augeas changes are defined as separate variables. Unfortunately
  #we can't append to the array above (Puppet "design feature").
  if ($ro) {
    $ro_change = "set dir[.='$path']/client[.='${client}']/option[1] ro"
  }
  if ($no_root_squash) {
    $no_root_squash_change = "set dir[.='$path']/client[.='${client}']/option[2] no_root_squash"
  }
  if ($async) {
    $async_change = "set dir[.='$path']/client[.='${client}']/option[3] async"
  }

  #Use Augeas to add an NFS export for the given client to the given path. The
  #'changes' array also lists all optional variables that get defined when the
  #optional parameters to this define are made True.
  augeas { "/etc/exports add $client to $path":
    context => "/files/etc/exports",
    changes => [
      $base_changes,
      $ro_change,
      $no_root_squash_change,
      $async_change,
    ],
    notify => Exec["reload_exportfs_file"],
  }
}
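
A post-change check for the PAM edit in the message above, as an added example that is not part of the original post: it parses a system-auth-ac style file and confirms that exactly one "auth sufficient pam_krb5.so try_first_pass" line sits directly after "auth required pam_env.so". The function names and the sample file contents are constructed for illustration.

```python
import re

# Constructed sample: /etc/pam.d/system-auth-ac after the Augeas change.
SAMPLE_GOOD = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_krb5.so try_first_pass
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
"""
# Constructed sample: the krb5 line ended up after pam_unix.so instead.
SAMPLE_MISORDERED = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_krb5.so try_first_pass
auth        required      pam_deny.so
"""

# Fields: type, control (plain word or [bracketed list]), module, arguments.
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, control, module, args) for each rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:  # comments, blank lines and @include lines do not match
            rules.append((m.group(1), m.group(2), m.group(3), m.group(4).split()))
    return rules

def check_krb5_auth(text):
    """Return a list of problems; an empty list means the edit is as intended."""
    auth = [r for r in parse_pam(text) if r[0] == "auth"]
    hits = [i for i, r in enumerate(auth) if r[2] == "pam_krb5.so"]
    if len(hits) != 1:  # missing line, or duplicates from a non-idempotent edit
        return [f"expected 1 pam_krb5.so auth line, found {len(hits)}"]
    i, problems = hits[0], []
    if i == 0 or auth[i - 1][1:3] != ("required", "pam_env.so"):
        problems.append("not directly after 'auth required pam_env.so'")
    if auth[i][1] != "sufficient" or auth[i][3] != ["try_first_pass"]:
        problems.append("control/argument differ from 'sufficient try_first_pass'")
    return problems

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("misordered", SAMPLE_MISORDERED)):
        print(name, check_krb5_auth(text) or "ok")
```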