On May 2, 3:02 am, Luke Bigum wrote:
Theoretically that's the way to do it in Puppet,
I missed your referent. Are you talking about Brian's suggestion of a
but as other people
point out it would be much simpler to block things from being installed
in the first place. "ensure => purged" might get you better results from
providers that handle dependencies, however I have mixed results with
yum when doing this. The problem with ensure => absent with dependency
driven package providers is it won't be able to figure out which order
to uninstall them. Lastly, any time the OS provider changes the
dependencies in one of your white listed packages you have to go and
re-check your list, so I'd really concentrate on stopping any extra
software being installed in the first place - save yourself the
The problems with ensure => absent and ensure => purged include:
1) They only affect packages that you actually declare. Setting one
of those as a resource default does not change that.
2) As Luke discussed, making these work reliably requires you to keep
track of package dependencies. It is easy to wind up with ensure =>
absent failing or with ensure => purged removing packages that you
don't want removed.
I'm with Brian: the best way to whitelist packages is via the package
repositories that are configured on your nodes. The contents of the
repositories effectively become your whitelist. Depending on your
package manager, you may be able to detect (and then remove) rogue
packages via a cron job. Detecting unpackaged software is harder and
more costly, but some package managers can support that, too.
Alternatively, if you are willing to declare EVERY package that each
node is supposed to have installed, then your manifests can serve as
the whitelist. To accomplish that, use the Resources meta-resource to
force all undeclared resources absent or purged. That overcomes
problem (1) above, but it doubles down on problem (2).
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to email@example.com.
To unsubscribe from this group, send email to firstname.lastname@example.org.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.