On Fri, Apr 26, 2013 at 4:08 PM, David Reagan <jer...@gmail.com> wrote:

> I'm pretty much brand new to Puppet. I've read the tutorials on puppet
> labs, and most of Pro Puppet. But there's still a lot I don't get. So I
> figured I'd learn by doing.
>
> My current goal is to write a user account wrapper. It would only be for
> local Linux accounts only, only on Ubuntu for now.
>
> I'm not just using the user type because I want to manage ssh authorized
> keys as well.
>
> I did find https://github.com/dcsobral/puppet-users, and a few others.
> But I'm not fond of the use of csv files, and it seems like a simple enough
> module to learn with.
>
> Wrapping user and ssh_authorized_key is simple, just pass in the
> information. But I do have a couple questions I couldn't find answers to in
> the docs, here, or Google.
>
> *Questions*:
>
>    - What happens when a group listed in the user type does not exist on
>    the server?
>
Generally speaking you shouldn't let that happen!  The user resource will
fail because it wants the group to exist first.  Create a group{} resource
and in the user{} resource add something like require => Group['users'], or
whatever, so that this doesn't happen.


>
>    - How do I figure out what hash to use for the password when creating
>    a new user?
>
There are several ways to handle this.  Generally the way it's done is via a
"custom function" that executes on the puppetmaster and injects the results
of that run into the catalog for the client.  This way you can use a hash
generator.  Something like
https://github.com/kwilczynski/puppet-functions/blob/master/lib/puppet/parser/functions/random_password.rb


>
>    - Do I just copy the hash directly into the password property? No need
>    to tell puppet what kind of hash it is?
>
It basically takes the contents of password and shovels it into the
appropriate /etc/shadow column.

>
>    - ssh_authorized_key: name has to be unique. So how do I add a key to
>    more than one user?
>
You'd want to structure this as a kind of custom_user{} define that was
able to take keys as a parameter and those can be an array or hash of
info.  This way you're basically listing all the keys per user rather than
trying to assign keys to multiple users.

Because you'll have custom_user{ 'blah': } you'll be able to refer to the
blah as $name in the define and then you can make your ssh_authorized_key
names like:

ssh_authorized_key { "${name}-key": } so that they have unique names.  I'll
leave the rest of this up to your imagination as you'd need a unique -key
bit per key you pass in.  That's one reason I suggested the keys param be a
hash, so that you can have a name and then value and use that to build up
the name cleanly.


>
>    - I'd like to simply pass in an array of links(?) to pub key files to
>    my wrapper instead of the actual ssh key. How would I tell Puppet to split
>    the contents at the spaces so I can get the key, type, and name properties
>    out of it?
>
This stuff is tricky with the language as it stands.  The way I've solved
this (and seen others solve this) in the past is that rather than trying to
pass in arrays you build a hash in hiera for your users and then pass the
entire hash to create_resources('mycustomusersdefine', hashname) to have it
create a call to the define for each element of the hash.  If you google
create_resources you should find some examples.


> Future plans would be to manage shell configuration as well. But for now,
> all I need is what I've described above.
>
> Oh, when implementing this, does making a
> /etc/puppet/manifests/accounts/username.pp file per user, then including
> that file on the nodes that need that user, raise any "bad idea" flags for
> you?
>

It does, but only because even at this early stage you should start
thinking "is this how to do a task, or the data the task needs?"  If it's
data you should be thinking of 'hiera' and how you can use that to separate
your data from your manifests.

Good luck!
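
The wrapper described in the reply above, written out as an added example (not code from the thread or from any existing module). The `accounts::*` names, the user `alice`, and the hash and key strings are hypothetical placeholders; the three definitions are shown in one listing for brevity, whereas in a module each would live in its own file.

```puppet
# One authorized key. Resource titles must be unique across the whole
# catalog, so the data uses "<user>-<label>" as the title of each key.
define accounts::key ($user, $type, $key) {
  ssh_authorized_key { $name:
    ensure  => present,
    user    => $user,
    type    => $type,
    key     => $key,
    require => User[$user],   # the account must exist before its keys
  }
}

# One local account plus all of its keys.
define accounts::user ($password, $keys = {}) {
  user { $name:
    ensure     => present,
    gid        => 'users',
    password   => $password,  # pre-computed hash, copied into /etc/shadow as-is
    managehome => true,
    require    => Group['users'],  # fails early if the group is not in the catalog
  }
  # The third argument is a hash of defaults: every key gets user => $name.
  create_resources('accounts::key', $keys, { 'user' => $name })
}

class accounts {
  group { 'users': ensure => present }

  # Constructed sample data. In practice this hash would be looked up
  # from Hiera so that account data stays out of the manifests.
  $users = {
    'alice' => {
      'password' => '$6$SALT_PLACEHOLDER$HASH_PLACEHOLDER',
      'keys'     => {
        'alice-laptop' => { 'type' => 'ssh-rsa', 'key' => 'AAAA_PLACEHOLDER' },
        'alice-work'   => { 'type' => 'ssh-rsa', 'key' => 'AAAA_PLACEHOLDER_2' },
      },
    },
  }
  create_resources('accounts::user', $users)
}
```

Password hashes and the list of authorized keys are the sensitive part of this data, so the Hiera files that hold them should be readable only by the puppetmaster.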

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.