On Tuesday, December 3, 2013 2:18:25 AM UTC-6, Stuart Cracraft wrote:
>
> The rationale expressed to me has to do with non-specific
> auditing/security requirements...
>
> My requirement is to research and contradict with prima facie evidence or
> report and confirm
> or some mixture thereof, which is not the simplest of assignments.
>

So, you intend to use Puppet to *detect* variances from nodes' expected configuration without bringing the target nodes into compliance? This is possible. However, you do need to be aware of the limitations of noop mode.

Chief among these is that when running in noop mode, Puppet has to proceed as if it were successful in syncing each out-of-sync resource, without knowing whether it actually would be successful and without having any actual effect on the target node. This may produce anomalies when one resource depends on another, either because the analysis of whether a dependent resource is in sync might depend on its dependency being synced, or in some cases because success of one resource can serve as a condition for whether another is even considered for syncing.

You should also be aware that even when running in noop mode, Puppet will still execute commands on the target node to determine the current state of each resource in the catalog. Generally speaking, these do not alter the target node's state, but in principle they might trigger a security alert or otherwise be logged, which would be a form of state change. Moreover, Puppet cannot guarantee that the state-inspection commands executed by third-party custom resource types or by Exec resources do not alter the target node in other ways.

> If anyone at Puppet Labs and the community can think of a way to
> contradict the first paragraph, send it over.
>
> Stuart
>
> *P.S. Thanks for your input that puppet agent need not be a daemon and can
> be run with:*
>
> *puppet agent -t --noop*
>
> *I will put that in place tomorrow.*
>

In fact, just about any configuration option can be specified on the command line as well, overriding the config file.

John
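For the detect-only use of noop mode discussed in this thread, the following added example (not part of the original messages, and not Puppet's own code) turns the output of a `puppet agent -t --noop` run into a per-resource drift list for an audit record. The sample output is constructed, and the `current_value ..., should be ... (noop)` line shape is an assumption that should be checked against the agent version in use.

```python
import re
from collections import defaultdict

# Constructed sample of `puppet agent -t --noop` output (not from the thread).
# Service[ntp] is inspected while Package[ntp] is still absent, so its result
# is the kind of dependent finding the reply says to treat with caution.
SAMPLE = """\
Info: Applying configuration version '1386050000'
Notice: /Stage[main]/Ssh/File[/etc/ssh/sshd_config]/content: current_value {md5}aaa, should be {md5}bbb (noop)
Notice: /Stage[main]/Ssh/Service[sshd]: Would have triggered 'refresh' from 1 events
Notice: /Stage[main]/Ntp/Package[ntp]/ensure: current_value absent, should be present (noop)
Notice: /Stage[main]/Ntp/Service[ntp]/ensure: current_value stopped, should be running (noop)
Notice: Finished catalog run in 1.42 seconds
"""

# Assumed shape: "<resource path>/<property>: current_value X, should be Y (noop)"
NOOP_RE = re.compile(
    r"^notice: (?P<path>/.+?)/(?P<prop>\w+): "
    r"current_value (?P<current>.*?), should be (?P<desired>.*) \(noop\)$",
    re.IGNORECASE,
)
# Last "Type[title]" segment of the resource path (titles may contain "/").
RES_RE = re.compile(r"/(?P<type>[A-Z][\w:]*)\[(?P<title>[^\[\]]*)\]$")


def parse_noop(output):
    """Return one finding per property reported as out of sync."""
    findings = []
    for line in output.splitlines():
        m = NOOP_RE.match(line.strip())
        if m is None:
            continue  # info lines, refresh notices, run summary
        res = RES_RE.search(m["path"])
        findings.append({
            "type": res["type"] if res else "unknown",
            "title": res["title"] if res else m["path"],
            "property": m["prop"],
            "current": m["current"],
            "desired": m["desired"],
        })
    return findings


def drift_by_type(findings):
    """Group findings by resource type for the audit report."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["type"]].append(
            f"{f['title']} ({f['property']}: {f['current']} -> {f['desired']})")
    return dict(grouped)


if __name__ == "__main__":
    for rtype, items in sorted(drift_by_type(parse_noop(SAMPLE)).items()):
        print(rtype, *items, sep="\n  ")
```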