2

My company is requiring me to implement signed time in ntpd with autokey. One of the requirements for autokey to work is to generate keys on each host. All the clients are part of the same group so they all use the same password. I'd like to not have to manually generate the key on every host, if possible. Is there a way for the file type to execute a command if puppet detects that it doesn't exist? Or are there some other alternatives I can use for managing keys via puppet?

chizou

1 Answer

2

In Puppet, to execute a command, use the exec resource. To make sure that your command gets executed only if a particular file doesn't exist, specify the creates option.

For example:

exec { "create_needed_directory":
    command => "/bin/mkdir -p /tmp/needed/directory",
    creates => "/tmp/needed/directory"
}

If you need to perform some more complicated check, you can use the onlyif option:

exec { "run_account_purger":
    command => "/usr/local/sbin/account_purger",
    onlyif => "grep -c old_account /etc/passwd",
}

Both examples were taken from PuppetCookBook.

To be honest, I have no idea if that's the best way to generate keys for NTP. You may as well generate all the keys on one machine, put them in a Puppet repo and distribute them via a file resource. That might be a bit more secure, because that way you don't need to expose the password.

grekasius

  • Thanks for the response. That was something I was thinking about too, but I wasn't sure if using a Puppet file bucket is considered secure. Are you saying that it is? – chizou Aug 04 '14 at 22:35
  • Well, I'm not sure if there is a well known best practice as to how to do that. However some good ideas might be, to keep your keys encrypted and in a separate repo or to keep them on some key server from which you could retrieve them in a safe way. – grekasius Aug 05 '14 at 09:03
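The two approaches from the answer applied to the NTP autokey case, as an added example that is not part of the question or the answer above: an exec resource that runs ntp-keygen on a client only while its host key is missing (the creates pattern), and a file resource that instead installs a pre-generated key from the Puppet fileserver (the distribution pattern). The class name, the keys directory /etc/ntp/keys, the hiera key ntp::autokey_password, the use of $::fqdn, the service name ntpd and the puppet:/// source path are all assumptions; the ntpkey_host_<hostname> name is the symlink ntp-keygen creates for the host key in its working directory.

```puppet
# Added example, not code from the original page. Assumed names: class
# ntp::autokey, keysdir /etc/ntp/keys, hiera key ntp::autokey_password,
# service ntpd, fileserver path puppet:///modules/ntp/keys.
class ntp::autokey (
  $keysdir        = '/etc/ntp/keys',                     # assumed: matches "keysdir" in ntp.conf
  $group_password = hiera('ntp::autokey_password'),      # assumed hiera key; keeps the password out of the manifest
  $generate_local = true,                                # true: ntp-keygen per host; false: copy pre-generated key
) {
  $host_key = "${keysdir}/ntpkey_host_${::fqdn}"          # symlink ntp-keygen creates for the host key

  # Keys are private material: root-only directory, no group/world access.
  file { $keysdir:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
  }

  if $generate_local {
    # Pattern 1 (creates): run once per host, skipped as soon as the host key exists.
    # ntp-keygen writes into its current directory, so cwd is set to keysdir.
    exec { 'ntp-keygen-host':
      command   => "/usr/sbin/ntp-keygen -p '${group_password}'",
      cwd       => $keysdir,
      creates   => $host_key,
      logoutput => 'on_failure',
      require   => File[$keysdir],
      notify    => Service['ntpd'],
    }
  } else {
    # Pattern 2 (file resource): key generated elsewhere, shipped from the
    # fileserver (assumed path) with the same restrictive permissions.
    file { $host_key:
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0600',
      source  => "puppet:///modules/ntp/keys/${::fqdn}/ntpkey_host_${::fqdn}",
      require => File[$keysdir],
      notify  => Service['ntpd'],
    }
  }

  service { 'ntpd':
    ensure => running,
    enable => true,
  }
}
```

Two caveats a practitioner should weigh. First, creates only tests that the path exists: if ntp-keygen is interrupted or a key file is deleted by hand, Puppet does not notice a half-finished key set, so a stricter onlyif (for example a test that both the host key and the certificate link resolve) is worth adding. Second, a password passed with -p is visible in the process list for the duration of the command on that host, which is the exposure the answer's file-resource alternative avoids; with that alternative the sensitive material moves to the fileserver and the repo, which is why the comments above suggest keeping the keys encrypted or in a separate, access-controlled repository.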