Cross posting this from Ask@PuppetLabs. (There simply isn't enough traffic there.)

I've seen a number of examples for adding users to %wheel with Augeas. These are all variations of the same thing: inserting a user node at the end.

What I need to do is also remove users that are added outside of configuration management. For Puppet to manage the group, only users defined in my Puppet class should be present and any others removed.

Seems like exec'ing a simple sed command would be much easier, but so many people say to try to stay away from exec. Is it such a bad solution in this case?

Aaron Copley

2 Answers

Defining wheel users this way causes them to be added, but if you remove jane from the class, she will not be removed from the wheel group on the next Puppet run.

```puppet
class wheel {
  augeas { "wheelgroup":
    context => "/files/etc/group/wheel",
    changes => [
      'set user[1] bob',
      'set user[2] jane',
    ]
  }
}
```

The only way I have found around this is to purge the wheel group and re-add them each time.

```puppet
class wheel {
  augeas { "wheelgroup":
    context => "/files/etc/group/wheel",
    changes => [
      'rm user',
      'set user[1] bob',
      'set user[2] jane',
    ]
  }
}
```

I considered an onlyif to match my defined users to prevent this from running on each Puppet run. However, this is also the only way to remove users added outside of Puppet to ensure that %wheel is managed solely by Puppet.

This solution also doesn't lend itself well to parametrization for reuse.

Aaron Copley
  • Augeas manipulates a tree representation of the file, not the file itself. If the tree remains unchanged the file is left unchanged so removing nodes and then re-inserting them isn't so bad. – Ian Nov 04 '14 at 22:12
  • The downside is that it still takes about 10x longer to execute and doesn't lend itself well to parametrization. – Aaron Copley Nov 04 '14 at 23:44
  • @AaronCopley It shouldn't be slow, unless you're using Puppet < 2.7.19. As for parametrization, I'd encourage you to make a defined resource type around the `augeas` resource. – raphink Nov 06 '14 at 08:17
  • We are using 2.7.something (the EPEL build.) So maybe we are subject to what you describe. It's a relief to hear that there are significant performance improvements ahead. (Upgrading to 3.latest is one of about 1,200 tasks on my plate.) Good call on a defined resource type. I am pretty new to Puppet, but I think I know what you're getting at. Something like what [Herculesteam](https://forge.puppetlabs.com/herculesteam) has published in the Forge? – Aaron Copley Nov 06 '14 at 19:43
  • Annnddd I just noticed you are 50% of the Hercules Team. :) – Aaron Copley Nov 06 '14 at 20:05
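
Added example, not part of the original answer or its comments: the purge-and-re-add `augeas` resource wrapped in a defined type, as suggested in the comments, so the member list becomes a parameter. It assumes Puppet 4 or later (typed parameters and `map`) and that the group already exists in /etc/group; the type name `managed_group_members` and its parameters are hypothetical.

```puppet
# Added example: hypothetical defined type, not from the original thread.
# Requires Puppet 4+ (data types, lambdas).
define managed_group_members (
  # Restrict names to a conservative account-name pattern so a value can never
  # smuggle whitespace or extra tokens into the generated Augeas commands.
  Array[Pattern[/\A[a-z_][a-z0-9_-]*\z/]] $members,
  Pattern[/\A[a-z_][a-z0-9_-]*\z/]        $group = $title,
) {
  # One 'set user[N] <name>' per member; Augeas indexes from 1.
  $sets = $members.map |$index, $member| {
    $position = $index + 1
    "set user[${position}] ${member}"
  }

  augeas { "group_members_${group}":
    context => "/files/etc/group/${group}",
    # 'rm user' drops every existing member node first, so anyone added
    # outside Puppet disappears; the sets then rebuild the declared list.
    changes => ['rm user'] + $sets,
  }
}

# Declares bob and jane as the only members of wheel.
managed_group_members { 'wheel':
  members => ['bob', 'jane'],
}
```

Removing `jane` from `members` removes her from the group on the next run, and an empty list leaves the group with no members at all.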

It might be possible to use the Group members type to specifically set the members of the group. You may need to use the forcelocal option.

mxroo
  • The `manages_members` feature is not available for the `groupadd` provider. You're supposed to set this in the `user` type using the `groups` attribute, which is what OP is trying to avoid here. – raphink Nov 04 '14 at 23:28
  • He's not entirely wrong. But, it should be noted that for Linux, this requires a [custom provider](https://github.com/pdxcat/puppet-module-group). – Aaron Copley Nov 04 '14 at 23:38