On May 2, 3:02 am, Luke Bigum <luke.bi...@lmax.com> wrote:
> Theoretically that's the way to do it in Puppet,

I missed your referent. Are you talking about Brian's suggestion of a controlled repository?

> but as other people
> point out it would be much simpler to block things from being installed
> in the first place. "ensure => purged" might get you better results from
> providers that handle dependencies, however I have mixed results with
> yum when doing this. The problem with ensure => absent with dependency
> driven package providers is it won't be able to figure out which order
> to uninstall them. Lastly, any time the OS provider changes the
> dependencies in one of your white listed packages you have to go and
> re-check your list, so I'd really concentrate on stopping any extra
> software being installed in the first place - save yourself the
> management nightmare.

The problems with ensure => absent and ensure => purged include:

1) They only affect packages that you actually declare. Setting one of those as a resource default does not change that.

2) As Luke discussed, making these work reliably requires you to keep track of package dependencies. It is easy to wind up with ensure => absent failing or with ensure => purged removing packages that you don't want removed.

I'm with Brian: the best way to whitelist packages is via the package repositories that are configured on your nodes. The contents of the repositories effectively become your whitelist. Depending on your package manager, you may be able to detect (and then remove) rogue packages via a cron job. Detecting unpackaged software is harder and more costly, but some package managers can support that, too.

Alternatively, if you are willing to declare EVERY package that each node is supposed to have installed, then your manifests can serve as the whitelist. To accomplish that, use the Resources meta-resource to force all undeclared resources absent or purged. That overcomes problem (1) above, but it doubles down on problem (2).
John

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
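The cron-job detection John mentions, as an added example that is not part of the original thread and not code from any of its participants: a POSIX sh script that lists installed package names (via `rpm -qa` or `dpkg-query`, whichever the node has) and reports any name that does not appear in a whitelist file. The whitelist path `/etc/pkg-whitelist` and all package names in the sample data are constructed for illustration; the comparison works on plain text files so it runs offline against the embedded sample. It only reports, leaving the decision to remove (and the dependency-ordering problem the thread discusses) to a human or to Puppet.

```shell
#!/bin/sh
# Added example (not from the original thread): a cron-style check that reports
# installed packages missing from a whitelist. The package manager is consulted
# only in list_installed(); find_rogue() compares two plain text files.

# Print installed package names, one per line (RPM or dpkg based systems).
list_installed() {
  if command -v rpm >/dev/null 2>&1; then
    rpm -qa --qf '%{NAME}\n'
  elif command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f '${Package}\n'
  else
    echo "no supported package manager found" >&2
    return 1
  fi
}

# find_rogue WHITELIST INSTALLED
# Print names present in INSTALLED but absent from WHITELIST, sorted, one per
# line. Blank lines and '#' comment lines are ignored in both files.
find_rogue() {
  awk 'NR == FNR { if ($1 != "" && $1 !~ /^#/) allowed[$1] = 1; next }
       $1 != "" && $1 !~ /^#/ && !($1 in allowed) { print $1 }' "$1" "$2" | sort -u
}

# --- constructed sample data (hypothetical package names) ---
SAMPLE_WHITELIST=$(mktemp)
SAMPLE_INSTALLED=$(mktemp)
cat > "$SAMPLE_WHITELIST" <<'EOF'
# packages every node is allowed to have
bash
coreutils
openssh-server
puppet
EOF
cat > "$SAMPLE_INSTALLED" <<'EOF'
bash
coreutils
openssh-server
puppet
telnet-server
vsftpd
EOF

# Intended cron usage on a real node (hypothetical whitelist path; uncomment):
#   list_installed > /var/tmp/installed.txt \
#     && find_rogue /etc/pkg-whitelist /var/tmp/installed.txt
ROGUE=$(find_rogue "$SAMPLE_WHITELIST" "$SAMPLE_INSTALLED")
if [ -n "$ROGUE" ]; then
  echo "packages not in whitelist:"
  echo "$ROGUE"
fi
```

Run from cron, the non-empty output is what you would mail or log; an empty result means every installed package is on the list. Keeping the whitelist in version control alongside your manifests gives you the review trail Luke's "re-check your list" point asks for.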