"puppet resource user" shows all users - puppet

If I run puppet resource user on a puppet node, it lists all users defined on the machine (from /etc/password).
All users have the ensure => 'present' attribute.
Shouldn't it list only the users in the classes that apply to this node?

The puppet resource command is a facility that helps in converting current system state into puppet dsl code.
From the output of puppet help resource:
DESCRIPTION
-----------
This command provides simple facilities for converting current system
state into Puppet code, along with some ability to modify the current
state using Puppet's RAL.
Hope this helps.

Related

Bolt plan in puppet dsl

We have heavily invested in writing puppet modules. Now we have a requirement to use puppet in agentless mode in one of our environments; for that we are planning to use puppet bolt.
My question is: if we write a puppet plan in puppet dsl, can we target those plans at a remote VM if it does not have the puppet agent installed?
-Vinay
The target system needs an interpreter or it won't understand the code you're sending it. The same as if you write a Bolt task in Python, you need Python on the target machine for it to be able to run the code.
But a Bolt Plan has inbuilt tasks to handle this. Here's an example plan to install git via chocolatey with a bolt plan:

    plan git_install::windows_git (
      TargetSpec $targets
    ) {
      apply_prep($targets) # This installs the PE agent temporarily so it can
                           # include and use regular Puppet class from the chocolatey module
      # Puppet resources in a plan have to be declared inside an apply() block
      apply($targets) {
        include chocolatey
        package { 'git':
          ensure   => 'present',
          provider => 'chocolatey',
        }
      }
    }

If you already have the target connecting to a PE server you probably don't need to use apply_prep though as the agent is already installed.
This is a real life saver, though, if you have to manage a legacy infrastructure alongside a PE managed infrastructure, as, at the time of writing a PE module, you can create a plan only a couple of lines long that'll allow you to reuse the same class on your legacy infrastructure.
You do not need to install anything on a target upfront in order to run a plan that executes tasks on the target (if that is what you are asking). If you mean that you are using Bolt's ability to apply puppet resources then Bolt will install the puppet agent package without you having to do anything. See details in the documentation here: https://puppet.com/docs/bolt/latest/applying_manifest_blocks.html

How to get infrastructure snapshot using terraform

Is there a way to extract the infrastructure details by using terraform?
E.g. get a list of Linux server's version, firewall policy, opened ports, software packages installed, etc.
My aim is to generate a block of code to describe the current server setup, then I can use a checklist to validate against the code. Therefore, security loopholes can be identified and fixed.
Not sure if I completely understand your question. But there is no such "automated" way to extract all the details of your not-terraformed infrastructure. Nevertheless, there exists a terraform import command with which you can import your existing resource (see the docs) to your state file.
Btw, if you are using Oracle Cloud, the Resource Discovery could be an option.

Maintain mysql configuration with puppet

I recently added the mysql module from puppetLabs in version 7.0 on our RHEL Satellite for managing all our MySQL servers, to hold them to an idempotent configuration and block any unwanted configuration.
In this case, a user with granted privileges is able to create a database (like root@localhost) and so manually add a database with the command create database dbname; for example.
The problem: if I run puppet agent -t on my lab server, puppet just ensures that the databases defined in my smart class "Databeses" exist (or not) and does nothing else...
The expected result was that it would remove any modification (like database creation) when the agent ran.
Is there a way to do this?
Thanks for replies
Since Mysql_database is an "ensurable" plugin type that implements prefetching, you should be able to use the Resources resource type to purge any unmanaged databases that are created on managed nodes. It might look something like this:
resources { 'mysql_database': purge => true }
Do this only if you're certain that you really want it!
Additionally, you might want to try some runs in --noop mode to look for issues before going live. That could help you recognize unanticipated issues, such as databases you want to keep -- belonging to MySQL itself, for example -- but are not currently managing.
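A staged form of the purge described in this answer, as an added example that is not part of the original answer. The database name 'appdb' and its charset settings are hypothetical; the noop metaparameter set on the resources resource is copied onto the purge resources it generates, so only this part of the catalog is a dry run.

```puppet
# Added example: 'appdb' and its settings are hypothetical.
mysql_database { 'appdb':
  ensure  => present,
  charset => 'utf8mb4',
  collate => 'utf8mb4_general_ci',
}

# Every mysql_database found on the node but absent from the catalog is
# scheduled for removal. With noop => true the run only reports which
# databases it would drop; nothing is changed on the server.
resources { 'mysql_database':
  purge => true,
  noop  => true,
}
```

Check the agent report for databases that must survive (those belonging to MySQL itself, for example) before removing noop.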

How to download puppet manifest file from master using agent?

I have an agent connected to the master in puppet and I need to copy a manifest file and some other resources from the master using the agent - is this possible?
I'm not sure what your use-case is here, but I do not believe this is possible.
In a simple master-agent setup, the agent sends facts to its configured master. In exchange, the master combines those facts, site-specific hiera data, and resource definitions in applicable manifests, compiles a catalog, and sends that catalog to the agent–by design, I don't think agents can access uncompiled manifests. However, where I am more certain is in your ability to see which resources are under puppet's management in the agent's $vardir (more info here). More specifically, inside $vardir/state. If you'd like to see the compiled catalog, that's available in $vardir/catalog.
Depending on what you're trying to achieve, maybe it would be enough to see the dependency model on a given agent. You can generate the directed acyclic graph with puppet agent -t --graph which will populate $vardir/state/graphs with graphviz dot files. With graphviz installed, you could generate visuals in formats like svg by running dot expanded_relationships.dot -Tsvg -o expanded_relationships.svg
Not quite the full output of the manifests used to compile an agent's catalog, but there's a lot to chew on there.

In puppet, how to stop a service, perform some action and then start the service?

I need to perform some action (configure something) after stopping the tomcat service. Once the configuration is complete, I need to ensure that the tomcat service is up and running again. I have written following puppet code for the same:
Service {'tomcat': ensure => stopped }
->
class {'config':}
->
Service {'tomcat': ensure => running }
On puppet apply, it is complaining that
'Error: Duplicate declaration: Service[tomcat] is already declared in
file'
How do I fix this problem? What is the recipe in puppet to stop a service, perform some action and then bring back the service again?
In puppet, you can't declare the same service again. That's the error you have.
With puppet, you needn't take care of the tomcat stop/start processes. It takes care of the final status (called "idempotency"). After you define the relationship between package, config files and services, it will do all the jobs for you. For example, you need to understand the below processes in puppet and the differences between -> and ~>.
Package['tomcat'] -> File['server.xml'] ~> Service['tomcat']
In your case, you apply the change in tomcat config file, and puppet will restart the tomcat services automatically.
For your reference, here is the copy-paste from Introduction to Puppet blog to explain what's the meaning of idempotency:
One big difference between Puppet and most other tools is that Puppet
configurations are idempotent, meaning they can safely be run multiple
times. Once you develop your configuration, your machines will apply
the configuration often — by default, every 30 minutes — and Puppet
will only make any changes to the system if the system state does not
match the configured state.
Update 2016:
Here is another official Puppet blog post on idempotency: https://puppet.com/blog/idempotence-not-just-a-big-and-scary-word
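The chain from this answer written out as a full manifest, as an added example that is not part of the original answer. The file path, group, mode and the module name tomcat_cfg are assumptions.

```puppet
# Added example: package name, paths and module name are assumptions.
package { 'tomcat':
  ensure => installed,
}

file { '/etc/tomcat/server.xml':
  ensure => file,
  owner  => 'root',
  group  => 'tomcat',
  mode   => '0640', # the file can hold connector secrets; keep it non-world-readable
  source => 'puppet:///modules/tomcat_cfg/server.xml',
}

# Declared exactly once, with the desired end state only.
service { 'tomcat':
  ensure => running,
  enable => true,
}

# '->' only orders: the package is installed before the file is managed.
# '~>' orders and sends a refresh: the service is restarted only on runs
# where the file content actually changed.
Package['tomcat'] -> File['/etc/tomcat/server.xml'] ~> Service['tomcat']
```

If the configuration lives in a class, as in the question, Class['config'] ~> Service['tomcat'] gives the same restart-on-change behaviour without declaring the service twice.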
This is not directly possible with Puppet, as @BMW concludes correctly. There are some more points to note, however.
There is some promising work in progress that will add limited support for transitional state declaration. However, this will not (in its current alpha state at least) allow you to enter such a state in preparation for and during application of a whole class.
A common workaround for this kind of issue is to manage the entity in question with two or more resources. The exec type is a good catch all solution because it can manage virtually anything. The obvious drawback is that the exec will have to be tailored to your agents (what do you know - there's a point to Puppet's type system after all ;-). Assuming that the manifest will be for one platform only, this is simple:
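
    exec { 'stop-tomcat':
      command => 'service tomcat stop',
      onlyif  => 'service tomcat status',
      # exec needs a search path (or fully qualified commands) to find `service`
      path    => ['/usr/sbin', '/usr/bin', '/sbin', '/bin'],
      before  => [
        Class['config'],
        Service['config'],
      ],
    }
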
Ordering the exec before Service['config'] is redundant (because the service requires the class), but it is good practice to express that the service resource should have the final say.

Resources