Hello All!

I was hoping you could help me with the following scenario, which is 
replicated in the code below:

$username = 'whatuidwillthisuserget'

user { $username:
    ensure => present,
}

$uid = generate('/usr/bin/id', '--user', $username)

notify {'showuid':
    message => "The uid for user $username is $uid"
}

User<||> -> Notify<||>

This will fail if $username does not exist. If it does, it goes OK. Now, 
our real scenario is the following:

We install Openstack components (cinder, nova and neutron) via their Puppet 
modules. These modules install the packages nova-common, cinder-common and 
neutron-common. These packages create the users nova, neutron and cinder, 
if not already in the system.

Then, we need to get the uids of these users before we apply our Linux's 
auditd module, so we can filter out all the sudo calls those users make 
(after we make sure sudo configuration is sane). Unfortunately, auditd in 
Ubuntu 12.04.4 does not let us use usernames, only uids. We apply these 
types of rules:

exit,always watch=/usr/bin/sudo perm=x auid!=108 (0x6c) uid!=108 (0x6c) 
auid!=106 (0x6a) uid!=106 (0x6a) auid!=107 (0x6b) uid!=107 (0x6b) 
key=privilege_escalation

So, we have something along these lines:

class{ 'nova': }
class {'cinder': }
class {'neutron': }
class {'auditd': }

Class['nova', 'cinder', 'neutron'] -> Class['auditd']

My question: Is there any way to make it work *in a single run*?

This works very well in multiple runs, but in a single run, *when the users 
do not exist*, it fails.

We have tried the following approaches:

o Puppet functions written in Ruby

o Facts

o A more complicated version of the generate function shown earlier, to 
avoid the error it causes when /usr/bin/id returns 1.

We are currently using Puppet 3.4.2 and Facter 1.7.3.

Thank you all! I hope I made myself understood!

Giovanni
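
Added example, not part of the original post: generate() is evaluated while the catalog is compiled, before any package or user resource has been applied, so one option is to resolve the uids on the node at apply time and build the audit rule there. The sketch assumes it is invoked on the node after the OpenStack packages are installed (for instance from an exec ordered after those classes); the function names and the PASSWD_FILE override are hypothetical, and the passwd entries used to test it are constructed.

```shell
#!/bin/sh
# Added example: build the sudo-watch audit rule from user names at apply time.
# PASSWD_FILE is a hypothetical override for offline testing; when unset,
# the uid is resolved with id(1) on the running system.

# Print the numeric uid for a user name; return non-zero if the user is missing.
lookup_uid() {
    if [ -n "${PASSWD_FILE:-}" ]; then
        awk -F: -v u="$1" '$1 == u { print $3; found = 1 } END { exit !found }' \
            "$PASSWD_FILE"
    else
        id -u "$1" 2>/dev/null
    fi
}

# Emit one auditctl rule that watches sudo execution but excludes the given
# users, matching the auid!=/uid!= pairs shown in the post.
build_sudo_rule() {
    rule='-a exit,always -F path=/usr/bin/sudo -F perm=x'
    for user in "$@"; do
        # Refuse to emit a partial rule: a missing user would otherwise
        # silently stay unfiltered.
        uid=$(lookup_uid "$user") || {
            echo "user '$user' does not exist yet" >&2
            return 1
        }
        rule="$rule -F auid!=$uid -F uid!=$uid"
    done
    printf '%s\n' "$rule -k privilege_escalation"
}

# When run as a script with user names as arguments, print the rule.
if [ "$#" -gt 0 ]; then
    build_sudo_rule "$@"
fi
```

The non-zero exit on a missing user lets the calling resource fail visibly instead of loading a rule that omits one of the exclusions.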
