Specific version checking + if and else loop

2

Just started Puppet. As everyone else knows, starting something is always the most difficult. Well, for practice I want to do the following: I assume I am to put it in init.pp.

if 'openssl' version == '1.0.2b' or '1.0.2d'
    upgrade to 1.1.1e
else
     do nothing

Currently my code looks like this

 package { 'openssl':
    if 'openssl' version == '1.0.2b' or '1.0.2d' {
        ensure => '1.1.1e'
    }
    else {
    }

I have several problems:

1) I don't think my syntax for the version of openssl is written correctly. When I do a simple Google search I see people ensuring the version of openssl with something like '1.0.1e-15.el6'; sometimes it's '1.0.1e-16.el6_5.7'. I am confused about what comes after the '-'.

2) I don't think typing 'openssl' will make Puppet know it's openssl.

3) How to check version of openssl? I think my syntax if 'openssl' version == 'xxx' is not correct.

user3331457

Posted 2015-07-10T19:14:39.147

Reputation: 41

Answers

0

There are a couple of things you could do to approach this problem which will make your code better in the long run.

  1. Use the stdlib library which has improved string comparison operations, such as versioncmp(). It will work properly with version strings that have decimals and letters.

    if versioncmp($::puppetversion, '3.0.0') < 0 {
      fail("foobar requires puppet 3.0.0 or greater, found: \'${::puppetversion}\'")
    }

  2. Don't do your conditional statements inside of your resource. At the very least split them out so they are at the top of your manifest. (Untested code)

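# $openssl is assumed to hold the installed OpenSSL version (for example from
# a custom fact); it is left unquoted because '$openssl' in single quotes is
# the literal string, not the variable's value.
if versioncmp($openssl, '1.1.3e') < 0 {
  $openssl_version = '42'  # placeholder for the version to upgrade to
} else {
  $openssl_version = 'installed'  # leave the installed package as it is
}

package { 'openssl':
  ensure => $openssl_version,
}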

Though, you have to ask yourself, is this really what you want to do? Puppet best practices are that your business requirements should not be part of your base modules. They should be abstracted to roles/profiles modules or with hiera. You may be better off with the following options.

A. Just make sure all your servers are up to date

package {'openssl':
  ensure => latest,
}

B. If you have some nodes that just must use an older/insecure version, then make a parameterized class, and override the openssl_version parameter with hiera or role/profile.

Additional information

https://puppetlabs.com/blog/patching-heartbleed-openssl-vulnerability-puppet-enterprise

http://garylarizza.com/blog/2014/02/17/puppet-workflow-part-2/

spuder

Posted 2015-07-10T19:14:39.147

Reputation: 8 755
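
Option B from the answer above, sketched as an added example that is not part of the original answer or of any published module: a parameterized class that defaults to the newest packaged OpenSSL and lets Hiera pin individual nodes. The class name `profile::openssl`, the node name and the Hiera file paths are assumptions, and the data-type and `$facts` syntax assume Puppet 4 or later.

```puppet
# Hypothetical profile class; the name profile::openssl is an assumption.
# By default every node tracks the newest packaged OpenSSL (option A).
# A node that must stay on an older build overrides the parameter in Hiera.
class profile::openssl (
  String[1] $openssl_version = 'latest',
) {
  # On RPM-based systems a pin is the full version-release string that the
  # package manager reports, such as the '1.0.1e-16.el6_5.7' quoted in the
  # question: the part after the '-' is the distribution's release number.
  if $openssl_version != 'latest' {
    # Make every pinned (possibly outdated) node visible in its run report,
    # so exceptions do not silently outlive their justification.
    notify { 'openssl-pinned':
      message  => "openssl is pinned to ${openssl_version} on ${facts['networking']['fqdn']}",
      loglevel => 'warning',
    }
  }

  package { 'openssl':
    ensure => $openssl_version,
  }
}

# Hiera data, shown as comments because it lives in separate YAML files.
# Automatic parameter lookup matches the key <class name>::<parameter name>.
#
#   data/common.yaml
#     profile::openssl::openssl_version: 'latest'
#
#   data/nodes/legacy01.example.com.yaml   (constructed node name)
#     profile::openssl::openssl_version: '1.0.1e-16.el6_5.7'
```

Because the notify resource fires on every run, reports for pinned nodes always show a change; that is deliberate here so the exception list can be pulled from reporting.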