FAQ
I've been poring through documentation and haven't found anything yet, so
I'll throw the question out here.

With puppet, is there a way to define a resource in such a way that when
applied to a client for the first time it is created, but if the resource
already exists on the client nothing is changed? Specifically, I'd like to
do this with users.

Here is my situation: in the past my organization has poorly managed user
UIDs across machines (multiple users in puppet with the same UID, creating
users in puppet that conflict with system users' UIDs, etc). This resulted
in numerous, frustrating UID conflicts. I've been working on cleaning this
up, but the mass renumbering of important existing users has all sorts of
production-impacting risks. What I'd like to do is tell puppet to create
these users with their new, conflict-free UIDs on new machines but have it
not touch users that are already created on existing machines. This will
allow us to use a slow, methodical approach to fixing the UIDs on old
machines to help mitigate the risks.

Any thoughts are appreciated.

Kris

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/b64d9e28-e58d-46de-b1ea-a5db0b2890fd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Search Discussions

  • Doug Forster at Nov 13, 2014 at 5:21 pm
    The best option I have found is creating a custom fact for local users.

    # This custom fact pulls out all local users from the /etc/passwd file
    # and returns the collection as a comma-separated list.

    Facter.add(:local_users) do
       setcode do
         users = Array.new
         File.open("/etc/passwd").each do |line|
           next if line.match(/^\s|^#|^$/)
           users << line.split(':').first
         end
         users.join(',')
       end
    end

    Then you can find out if the user is on the box in your manifest with:
    $user_exists = $name in split($::local_users, ',')

    The other added benefit is you now have a custom fact for all servers that
    gets stored in puppetdb.

    On Thu, Nov 13, 2014 at 10:00 AM, Kris Knigga wrote:

    I've been poring through documentation and haven't found anything yet, so
    I'll throw the question out here.

    With puppet, is there a way to define a resource in such a way that when
    applied to a client for the first time it is created, but if the resource
    already exists on the client nothing is changed? Specifically, I'd like to
    do this with users.

    Here is my situation: in the past my organization has poorly managed user
    UIDs across machines (multiple users in puppet with the same UID, creating
    users in puppet that conflict with system users' UIDs, etc). This resulted
    in numerous, frustrating UID conflicts. I've been working on cleaning this
    up, but the mass renumbering of important existing users has all sorts of
    production-impacting risks. What I'd like to do is tell puppet to create
    these users with their new, conflict-free UIDs on new machines but have it
    not touch users that are already created on existing machines. This will
    allow us to use a slow, methodical approach to fixing the UIDs on old
    machines to help mitigate the risks.

    Any thoughts are appreciated.

    Kris

    --
    You received this message because you are subscribed to the Google Groups
    "Puppet Users" group.
    To unsubscribe from this group and stop receiving emails from it, send an
    email to puppet-users+unsubscribe@googlegroups.com.
    To view this discussion on the web visit
    https://groups.google.com/d/msgid/puppet-users/b64d9e28-e58d-46de-b1ea-a5db0b2890fd%40googlegroups.com
    <https://groups.google.com/d/msgid/puppet-users/b64d9e28-e58d-46de-b1ea-a5db0b2890fd%40googlegroups.com?utm_medium=email&utm_source=footer>
    .
    For more options, visit https://groups.google.com/d/optout.
    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
    To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAOwhAcqOajQYuREMsxC2kUcyPWC2_vCthJ2EQ39VMYOOHOhJaA%40mail.gmail.com.
    For more options, visit https://groups.google.com/d/optout.
  • Doug Forster at Nov 13, 2014 at 5:24 pm
    Sorry that fact tells you the users with set passwords. You get the idea
    though.
    On Thu, Nov 13, 2014 at 10:21 AM, Doug Forster wrote:

    The best option I have found is creating a custom fact for local users.

    # This custom fact pulls out all local users from the /etc/passwd file
    # and returns the collection as a comma-separated list.

    Facter.add(:local_users) do
    setcode do
    users = Array.new
    File.open("/etc/passwd").each do |line|
    next if line.match(/^\s|^#|^$/)
    users << line.split(':').first
    end
    users.join(',')
    end
    end

    Then you can find out if the user is on the box in your manifest with:
    $user_exists = $name in split($::local_users, ',')

    The other added benefit is you now have a custom fact for all servers that
    gets stored in puppetdb.

    On Thu, Nov 13, 2014 at 10:00 AM, Kris Knigga wrote:

    I've been poring through documentation and haven't found anything yet, so
    I'll throw the question out here.

    With puppet, is there a way to define a resource in such a way that when
    applied to a client for the first time it is created, but if the resource
    already exists on the client nothing is changed? Specifically, I'd like to
    do this with users.

    Here is my situation: in the past my organization has poorly managed user
    UIDs across machines (multiple users in puppet with the same UID, creating
    users in puppet that conflict with system users' UIDs, etc). This resulted
    in numerous, frustrating UID conflicts. I've been working on cleaning this
    up, but the mass renumbering of important existing users has all sorts of
    production-impacting risks. What I'd like to do is tell puppet to create
    these users with their new, conflict-free UIDs on new machines but have it
    not touch users that are already created on existing machines. This will
    allow us to use a slow, methodical approach to fixing the UIDs on old
    machines to help mitigate the risks.

    Any thoughts are appreciated.

    Kris

    --
    You received this message because you are subscribed to the Google Groups
    "Puppet Users" group.
    To unsubscribe from this group and stop receiving emails from it, send an
    email to puppet-users+unsubscribe@googlegroups.com.
    To view this discussion on the web visit
    https://groups.google.com/d/msgid/puppet-users/b64d9e28-e58d-46de-b1ea-a5db0b2890fd%40googlegroups.com
    <https://groups.google.com/d/msgid/puppet-users/b64d9e28-e58d-46de-b1ea-a5db0b2890fd%40googlegroups.com?utm_medium=email&utm_source=footer>
    .
    For more options, visit https://groups.google.com/d/optout.
    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
    To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAOwhAcrHbzYond1rqTr2BbJcB-NetmXZXu1oBAVow3u%3DHY2W7A%40mail.gmail.com.
    For more options, visit https://groups.google.com/d/optout.
  • Kris Knigga at Nov 13, 2014 at 6:13 pm
    That's actually another good point, Doug. It would be awesome to have
    puppet create users with an initial password hash, but then ignore future
    changes to the hash (as when a user updates his own password).

    I have a feeling that there are a number of situations where it would be
    nice to have puppet create resources with some initial set of settings, but
    then ignore when the on-machine configuration diverges from what's
    configured in puppet.

    Perhaps this needs a new feature request?

    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
    To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/79803362-86cc-463a-aff5-70c75a08dee0%40googlegroups.com.
    For more options, visit https://groups.google.com/d/optout.
  • Felix Frank at Nov 15, 2014 at 11:12 pm
    Hi,

    you can work around your issue with the following evil-ish construct:

    define my_user($uid,...)
         exec {
             "newly-create-user-$name":
                 command => "useradd -u $uid $name",
                 unless => "getent passwd $name",
         }
         ->
         user { $name:
             # do NOT manage uid here
             ...
         }
    }

    It's not ideal, but then situations in which you cannot declare the full
    final state for Puppet to sync to never are.

    I imagine that a feature request towards implementing a means to change
    properties to creation-time parameters will be quite controversial. I
    would recommend taking the scenario to the puppet-dev list as well, or
    perhaps instead of opening the request outright.

    Cheers,
    Felix
    On 11/13/2014 06:00 PM, Kris Knigga wrote:
    I've been poring through documentation and haven't found anything yet,
    so I'll throw the question out here.

    With puppet, is there a way to define a resource in such a way that
    when applied to a client for the first time it is created, but if the
    resource already exists on the client nothing is changed?
    Specifically, I'd like to do this with users.

    Here is my situation: in the past my organization has poorly managed
    user UIDs across machines (multiple users in puppet with the same UID,
    creating users in puppet that conflict with system users' UIDs, etc).
    This resulted in numerous, frustrating UID conflicts. I've been
    working on cleaning this up, but the mass renumbering of important
    existing users has all sorts of production-impacting risks. What I'd
    like to do is tell puppet to create these users with their new,
    conflict-free UIDs on new machines but have it not touch users that
    are already created on existing machines. This will allow us to use a
    slow, methodical approach to fixing the UIDs on old machines to help
    mitigate the risks.

    Any thoughts are appreciated.

    Kris
    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
    To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/5467DE21.8070004%40Alumni.TU-Berlin.de.
    For more options, visit https://groups.google.com/d/optout.

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
grouppuppet-users @
categoriespuppet
postedNov 13, '14 at 5:02p
activeNov 15, '14 at 11:12p
posts5
users3
websitepuppetlabs.com

People

Translate

site design / logo © 2022 Grokbase