[Puppet Users] Dynamically generate array of system accounts
I've written a define to replace the shell of system accounts with
/dev/null:

    define preventLogin2systemaccts (){
      user{ $title:
        shell => "/dev/null" ,
      }
    }

Invoking this define like this works:

    $systemAccts = ["daemon", "bin"]
    preventLogin2systemaccts{ $systemAccts : }

However, I'd like to dynamically generate an array of system accounts
with UIDs < 500 (and UID != 0).

I tried

    $systemAccts = generate("/etc/puppet/scripts/list.system.accounts.sh" )

but, no matter how the output of this script is formatted, it doesn't
work.

I'm a newbie. Should this approach work? Am I missing something here?
Is there a better approach?

-bonobo

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
[Puppet Users] Re: Dynamically generate array of system accounts
I may have answered my own question, but it still seems like there
might be a better way.

Here's what I came up with:

    # Secure Configuration Control 1.

    # Change the shell for system accounts to /dev/null. System accounts
    # are accounts with UIDs less than 500 but greater than 0.
    #
    # Exceptions:
    #- Accounts with the shells /sbin/shutdown, /bin/sync, /sbin/halt.
    #- The nx account (used by FreeNX for remote desktop access).

    define preventLogin2SystemAccts (){
      user{ $title:
        shell => "/dev/null" ,
      }
    }

    $systemAccts = generate("/etc/puppet/scripts/list.system.accounts.sh" )
    $systemAcctsArray = split( $systemAccts, '[,]')
    preventLogin2SystemAccts{ $systemAcctsArray : }
Re: [Puppet Users] Re: Dynamically generate array of system accounts
I was under the impression that "generate" is run on the puppetmaster, but
I'm not sure. You might want to check to see if your user list is coming
from the server.

On Aug 29, 2010, at 12:27 PM, bonobo wrote:

> I may have answered my own question, but it still seems like there
> might be a better way.
>
> Here's what I came up with:
>
> # Secure Configuration Control 1.
>
> # Change the shell for system accounts to /dev/null. System accounts
> # are accounts with UIDs less than 500 but greater than 0.
> #
> # Exceptions:
> #- Accounts with the shells /sbin/shutdown, /bin/sync, /sbin/halt.
> #- The nx account (used by FreeNX for remote desktop access).
>
> define preventLogin2SystemAccts (){
>   user{ $title:
>     shell => "/dev/null" ,
>   }
> }
>
> $systemAccts = generate("/etc/puppet/scripts/list.system.accounts.sh" )
> $systemAcctsArray = split( $systemAccts, '[,]')
> preventLogin2SystemAccts{ $systemAcctsArray : }
Re: [Puppet Users] Re: Dynamically generate array of system accounts
Patrick writes:

'generate' is run on the puppetmaster; there isn't actually an easy way to
query this on the client other than using a custom fact.

        Daniel

> I was under the impression that "generate" is run on the puppetmaster, but
> I'm not sure. You might want to check to see if your user list is coming
> from the server.
>
> On Aug 29, 2010, at 12:27 PM, bonobo wrote:
>
>> I may have answered my own question, but it still seems like there
>> might be a better way.
>>
>> Here's what I came up with:
>>
>> # Secure Configuration Control 1.
>>
>> # Change the shell for system accounts to /dev/null. System accounts
>> # are accounts with UIDs less than 500 but greater than 0.
>> #
>> # Exceptions:
>> #- Accounts with the shells /sbin/shutdown, /bin/sync, /sbin/halt.
>> #- The nx account (used by FreeNX for remote desktop access).
>>
>> define preventLogin2SystemAccts (){
>>   user{ $title:
>>     shell => "/dev/null" ,
>>   }
>> }
>>
>> $systemAccts = generate("/etc/puppet/scripts/list.system.accounts.sh" )
>> $systemAcctsArray = split( $systemAccts, '[,]')
>> preventLogin2SystemAccts{ $systemAcctsArray : }

--
✣ Daniel Pittman ✉ dan...@rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
Re: [Puppet Users] Re: Dynamically generate array of system accounts
I have used a simple fact to (very) naively determine "real" users. It runs on
each client:

    $ cat localusers.rb
    Facter.add("localusers") do
      setcode do
        %x{USERS=`/bin/getent passwd | /bin/grep /home | /bin/awk -F: \'{print $1}\'`; echo $USERS | sed -e \'s/ /,/g\'}.chomp
      end
    end

And is then accessed in Puppet like so:

    $users = split($localusers, ",")
    provision_user { $users: }

Cheers.
--
bdha
cyberpunk is dead. long live cyberpunk.
[Puppet Users] Re: quoting special characters in puppet.conf
I tried that:

    diff_args = -ubB -I \\\$HeadURL

and still get:

    err: ...: Failed to retrieve current state of resource: Could not find value for $HeadURL

Does anyone know what kind of code parses this? Is it passed through
the shell? How many "levels of quoting" does it go through before
reaching "diff" and by which programs?

Thanks,

--Amos

On Aug 27, 9:42 pm, Darren Chamberlain wrote:
> * Amos Shapira [2010/08/27 01:06]:
>
> > e.g. here is what I tested again right now:
>
> > diff_args = -ubB -I \$HeadURL
>
> > and here are the errors that I get:
>
> > err: /File[/usr/lib64/nagios/plugins/check_state_file.pl]: Failed to
> > retrieve current state of resource: Could not find value for $HeadURL
>
> In many config files, such as mutt's, you need to double all the
> backslashes, to protect them from the dereferencing that happens
> during parsing. So, in \\\$HeadURL, the first \ would escape the
> second \, and the third \ would escape the $, so that what gets
> passed through is \$HeadURL.
>
> Thus, this is untested speculation, but it can't hurt to try:
>
> diff_args = -ubB -I \\\$HeadURL
>
> --
> Darren Chamberlain
Re: [Puppet Users] Definitions in External Nodes
On Thu, Aug 26, 2010 at 9:58 AM, Douglas Garstang wrote:
> Anyone know if there's a plan to allow definitions to be used in
> external nodes? Not having that ability is a major pain in the ass. It
> really means that all that really works with external nodes is really
> simple cases of a single piece of software being installed and
> configured, like apache for example.

This is feature [#2408]. Please watch the ticket and paste your use
cases there.

http://projects.puppetlabs.com/issues/2408

Thanks,
-Jeff
Re: [Puppet Users] parameterized class, external nodes?
On Fri, Aug 27, 2010 at 2:12 PM, Frederik Wagner wrote:
>
> Alternatively: It seems not to be possible to set the stage
> metaparameter with a default value in a class definition?!
>
> something like this won't run in Stage "pre":
>
> stage{ pre: before => Stage[main] }
> class someclass ($stage=pre ) { ... }
> class { someclass: }

Please file this as a bug.

http://projects.puppetlabs.com/issues

Thanks,
-Jeff McCune
Re: [Puppet Users] Re: Dynamically generate array of system accounts
Bryan Horstmann-Allen writes:

> I have used a simple fact to (very) naively determine "real" users. It runs on
> each client:
>
> $ cat localusers.rb
> Facter.add("localusers") do
>   setcode do
>     %x{USERS=`/bin/getent passwd | /bin/grep /home | /bin/awk -F: \'{print $1}\'`; echo $USERS | sed -e \'s/ /,/g\'}.chomp

If you don't mind a couple of nits:

You probably want to note that this will collect users from, for example, NIS
or LDAP directories when run, not just "local" /etc/passwd users. Different
people have different views on what "local" means in that case and I have been
caught by that before.

You can replace the grep, awk, echo, sed set with the more efficient:

    /bin/getent passwd | /bin/awk -F: '/\/home/ {printf $1 ","}'

Regards,
        Daniel
--
✣ Daniel Pittman ✉ dan...@rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons