validate_cmd in Puppet: supporting older versions - puppet

I have the following Puppet code:
file { "/etc/sudoers.d/${name}":
content => template('sudo/sudoers.erb'),
owner => 'root',
group => 'root'
mode => '0440',
validate_cmd => '/usr/sbin/visudo -c -f %',
}
However, validate_cmd was only added in Puppet > 3.5, and I have to support some systems running 3.2 and older.
Is there some clever way of monkey-patching this into older versions of Puppet, or should I just resign to using the puppetlabs-stdlib validate_cmd statement?
Which does a similar thing, but won't revert the file if it does not validate correctly (the main benefit of the validate_cmd parameter on a fle).
EDIT: Using Felix's overwrite syntax, I ended up with the following code:
file { "/etc/sudoers.d/${name}":
content => template('sudo/sudoers.erb'),
owner => 'root',
group => 'root',
mode => '0440',
}
if versioncmp($::puppetversion, '3.5') >= 0 {
File["/etc/sudoers.d/${name}"] { validate_cmd => '/usr/sbin/visudo -c -f %' }
}
else {
validate_cmd(template('sudo/sudoers.erb'), '/usr/sbin/visudo -c -f', 'Visudo failed to validate sudoers content')
}
It's a bit fiddly to test in puppet-rspec, I ended up going with this:
if (Puppet.version >= '3.5.0')
context "validating content with puppet #{Puppet.version}" do
let(:params) { { :users => ['joe'] } }
let(:facts) {{ :puppetversion => Puppet.version }}
it { should contain_file('/etc/sudoers.d/worlddomination').with_validate_cmd('/usr/sbin/visudo -c -f %') }
end
else
context "validating content with puppet #{Puppet.version}" do
let(:params) { { :users => ['joe'] } }
let(:facts) {{ :puppetversion => Puppet.version }}
it { should contain_file('/etc/sudoers.d/worlddomination').with_validate_cmd(nil) }
end
end

Your manifest can adjust its behavior to the agent version.
file { "/etc/sudoers.d/${name}":
content => template('sudo/sudoers.erb'),
owner => 'root',
group => 'root'
mode => '0440',
}
if versioncmp($puppetversion, '3.5') >= 0 {
File["/etc/sudoers.d/${name}"] { validate_cmd => '/usr/sbin/visudo -c -f %' }
}
else {
# your workaround here
}
This will work courtesy of the puppetversion fact, of course.
The override syntax File[<name>] { ... } can be used like this because the actual resource declaration specifies no value for the validate_cmd attribute.

Related

How to clean up files created by Exec resources?

I am trying to write a puppet class that will create a cirros image with OpenStacks Glance.
I have this puppet class. It downloads the image file and converts it to raw.
It then creates the glance image using the raw image format file.
I also want to remove the downloaded image file and the raw image file from
local disk.
Here is the manifest I tried:
class create_glance_cirros_image (
$cirrosver = '0.3.5',
$cirros_download_url = 'http://download.cirros-cloud.net',
$curl = '/usr/bin/curl',
$download_dir = '/root',
$qemu_img = '/usr/bin/qemu-img',
$qemu_img_args = 'convert -f qcow2 -O raw',
$image_name = 'cirros',
$is_public = 'no',
$container_format = 'bare',
$disk_format = 'raw',
$min_ram = '1024',
$min_disk = '1',
$properties = { 'img_key' => img_value },
$ensure = 'present',
) {
$cirros_image = "cirros-${cirrosver}-x86_64-disk.img"
$raw_cirros_image = "cirros-${cirrosver}-x86_64-disk.raw"
$image_url = "${cirros_download_url}/${cirrosver}/${cirros_image}"
$target_file = "${download_dir}/${cirros_image}"
$raw_target_file = "${download_dir}/${raw_cirros_image}"
$curl_args = "--output ${target_file}"
$download_command = "${curl} ${curl_args} ${image_url}"
$convert_command = "${qemu_img} ${qemu_img_args} ${target_file} ${raw_target_file}"
exec { $download_command:
creates => $target_file,
refreshonly => true,
}
exec { $convert_command:
creates => $raw_target_file,
refreshonly => true,
require => Exec[$download_command],
}
glance_image { $image_name:
ensure => $ensure,
name => $image_name,
is_public => $is_public,
container_format => $container_format,
disk_format => $disk_format,
source => $raw_target_file,
min_ram => $min_ram,
min_disk => $min_disk,
properties => $properties,
require => Exec[$convert_command],
}
file { $target_file:
ensure => 'absent',
}
file { $raw_target_file:
ensure => 'absent',
}
}
When I run it I get this error:
Error: Execution of '/usr/bin/openstack image create --format shell cirros --private --container-format=bare --disk-format=raw --min-disk=1 --min-ram=1024 --property img_key=img_value --file=/root/cirros-0.3.5-x86_64-disk.raw' returned 1: [Errno 2] No such file or directory: '/root/cirros-0.3.5-x86_64-disk.raw'
Error: /Stage[main]/Create_glance_cirros_image/Glance_image[cirros]/ensure: change from absent to present failed: Execution of '/usr/bin/openstack image create --format shell cirros --private --container-format=bare --disk-format=raw --min-disk=1 --min-ram=1024 --property img_key=img_value --file=/root/cirros-0.3.5-x86_64-disk.raw' returned 1: [Errno 2] No such file or directory: '/root/cirros-0.3.5-x86_64-disk.raw'
Why didn't the require cause the exec's to execute?
Update: Based on Matt's suggestions I modified my manifest to look like this:
exec { $download_command:
creates => $target_file,
unless => "/usr/bin/openstack image list --format=value | cut -d' ' -f2 | grep \"^${image_name}$\"",
notify => Exec[$convert_command],
}
exec { $convert_command:
creates => $raw_target_file,
refreshonly => true,
}
glance_image { $image_name:
ensure => present,
name => $image_name,
is_public => $is_public,
container_format => $container_format,
disk_format => $disk_format,
source => $raw_target_file,
min_ram => $min_ram,
min_disk => $min_disk,
properties => $properties,
}
exec { "/bin/rm -f ${target_file}":
subscribe => Exec[$convert_command],
refreshonly => true,
}
file { $raw_target_file:
ensure => 'absent',
require => Glance_image[$image_name],
}
Setting your exec resources to refreshonly means that they require a refresh signal to trigger and be applied. This can be done with a subscribe or a notify. Since your second exec depends upon the first, you can do this as:
exec { $download_command:
creates => $target_file,
refreshonly => true,
notify => Exec[$convert_command],
}
or:
exec { $convert_command:
creates => $raw_target_file,
refreshonly => true,
subscribe => Exec[$download_command],
}
The first one is trickier since it does not establish a relationship with anything. If you want the file download to be idempotent, I would recommend using a file resource instead.
file { $target_file:
source => $image_url,
}
This would cause both of your resources to be idempotent and apply when only when you want them to, thus achieving your goal.
You would need to modify your image file removal to be an exec though. Something like this would work:
exec { "/bin/rm -f ${target_file}":
subscribe => Exec[$convert_command]
refreshonly => true,
}
Your raw image file removal also needs to be applied after its creation and usage:
file { $raw_target_file:
ensure => 'absent',
require => Glance_image[$image_name],
}

fail when a file exist in puppet

I am trying to write a puppet script which will install a module by un-tar. I want puppet to fail if it is already un tar. I tried to do below code but it always fails even if directory is absent.
I am checking if /opt/sk is present then fail otherwise proceed on installation.
define splunk::fail($target)
{
$no = 'true'
case $no {
default : { notice($no) }#fail('sk is already installed.')}
}
}
define splunk::forwarder( $filename , $target )
{
file{"$target/sk":
ensure => present
}
splunk::fail{"NO":
target => '/opt/',
require => File[$target],
}
file{"$target/A.tgz":
source => $filename ,
replace => false ,
}
exec{"NO1":
command => "tar xzvf A.tgz" ,
cwd => $target ,
require => File["$target/A.tgz"] ,
}
exec{"Clean":
command => "rm -rf A.tgz" ,
cwd => target ,
require => Exec["NO1"],
}
}
splunk::forwarder {"non":
filename => 'puppet:///modules/splunk/files/NO.tgz' ,
target => '/opt/',
}
Thanks
Define custom_fact and use it combined with fail resource.
In your ruby directory e.g /usr/lib/ruby/vendor_ruby/facter define file tmp_exist.rb with content:
# tmp_exist.rb
Facter.add('tmp_exist') do
setcode do
File.exist? '/root/tmp'
end
end
Next use it in puppet manifest. E.g I combined it with str2bool function from stdlib:
class test {
if !str2bool($::tmp_exist) {
fail('TMP NOT EXIST')
}
if !str2bool($::foo_exist) {
fail('FOO NOT EXIST')
}
}
include test
In /root create only tmp file.
In result you will have:
Error: FOO NOT EXIST at /etc/puppet/deploy/tests/test.pp:8 on node dbmaster
UPDATED: I updated my answer. Chris Pitman was right, my previous solution works only on puppet master or with puppet apply.
I have also found an article describing how to define custom function file_exists in puppet. That also might be helpful.
You should use "creates" attribute of exec, for example:
exec { 'install':
command => "tar zxf ${package}",
cwd => $some_location,
path => $path,
creates => "${some_location}/my_package",
}
Puppet will only execute 'install' if "${some_location}/my_package" doesn't exist.

How can i install a local rpm using puppet

I am trying to install a particular rpm using puppet, my init.pp is:
class nmap {
package {'nmap':
provider => 'rpm',
source => "<Local PATH to the RPM>",
}
}
and the rpm is in ...modules/nmap/files
If i move the rpm to manifests, and provide the rpm name in source => ''
class nmap {
package {'nmap':
provider => 'rpm',
source => "rpm-name.rpm",
}
}
it works, but how can i specify source path with ../files/ and do puppet apply successfully
When i use :
source => 'puppet:///files/nmap-6.45-1.x86_64.rpm',
i get an error:
Debug: Executing '/bin/rpm -i puppet:///files/nmap-6.45-1.x86_64.rpm'
Error: Execution of '/bin/rpm -i puppet:///files/nmap-6.45-1.x86_64.rpm' returned 1: error: open of puppet:///files/nmap-6.45-1.x86_64.rpm failed: No such file or directory
Error: /Stage[main]/Nmap/Package[nmap]/ensure: change from absent to present failed: Execution of '/bin/rpm -i puppet:///files/nmap-6.45-1.x86_64.rpm' returned 1: error: open of puppet:///files/nmap-6.45-1.x86_64.rpm failed: No such file or directory
`
when running the command:
sudo puppet apply --modulepath=/home/user1/qa/puppet_qa/modules/ -e "include nmap" --debug
Unlike the file resource type, the package type has no support for Puppet fileserver URLs. You will need to use a file resource to download the rpm prior to installing it. If this is a recurring problem for you, make a defined type that does those in one go (think macros), e.g.
define fileserver_package($source, $ensure='installed') {
file { "/my/tmp/dir/$name.rpm": source => $source }
package { $name:
ensure => $ensure,
provider => 'rpm',
source => "/my/tmp/dir/$name.rpm",
require => File["/my/tmp/dir/$name.rpm"],
}
}
Edit: it is generally advisable to use a local yum repo instead, see also the first comment by #rojs below.
The RPM package can be installed this way:
package { 'epel-release-6':
provider => 'rpm',
ensure => 'present',
source => '/usr/local/rpms/epel-release-latest-6.noarch.rpm',
}
It seems the module name you are using is nmap. You can use the same source parameter like this,
source => 'puppet:///modules/nmap/nmap-6.45-1.x86_64.rpm',
The syntax to access a file under a module goes like this,
puppet:///modules/<modulename>/<file you want to access>
See this link here, http://docs.puppetlabs.com/puppet/latest/reference/modules_fundamentals.html#files
Lets start from start :
on server:
$rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
$yum -y install puppetserver
$vi /etc/sysconfig/puppetserver #change JAVA args
$systemctl start puppetserver
$systemctl enable puppetserver
$vi /etc/puppetlabs/puppet/puppet.conf #Add “dns_alt_names” in [master]
On Agent:
$rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
$yum -y install puppet-agent
$systemctl start puppet
$systemctl enable puppet
$vi /etc/puppetlabs/puppet/puppet.conf # Add “server = pupmaster” in [main]
puppet cert list
puppet cert sign
/etc/puppetlabs/code/environments/production/manifests/site.pp:
node webserver {
class { 'apache': }
}
node dbserver {
class { ‘mysql’: }
}
mkdir –p /etc/puppetlabs/code/environments/production/modules/apache/{manifests, files}
apacheinstall.pp:
class apache::apacheinstall {
if $osfamily == 'redhat' {
package { 'httpd':
ensure => 'latest'
}
service {'httpd':
ensure => 'running',
require => Package["httpd"],
}
file { '/var/www/html/ndex.html':
mode => "0644",
owner => 'root',
group => 'root',
source => 'puppet:///modules/apache/index.html',
}
}
elsif $osfamily == 'debian' {
package { 'apache2':
ensure => 'latest'
}
service {'httpd':
ensure => 'running',
require => Package["httpd"],
}
}
}
INIT.pp
class apache {
notify { 'Installing and Configuring Webserver for $osfamily': }
include apache::mysqlinstall
}
Mysqlinstall.pp:
class apache::mysqlinstall {
exec { 'wget':
path => [ "/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/" ],
command => "/usr/bin/wget https://dev.mysql.com/get/mysql57-community-release-el7-9.noarch.rpm && rpm -ivh /tmp/mysql57-community-release-el7-9.noarch.rpm",
cwd => '/tmp/',
creates => '/etc/firstruns/p1.done',
}
}

Puppet - Install PHP with LibXML module, with the XSLT extension enabled (--with-xsl)

I need to ensure puppet installs Php with LibXML with the '--with-xsl' flag.
I have the following class for all things php:
class php {
package { "php5-cli": ensure => present }
package { "php5-dev": ensure => present }
package { "php5-mysql": ensure => present }
package { "php-pear": ensure => present }
package { "php5-common": ensure => present}
package { "php5-fpm": ensure => present}
package { "php5-cgi": ensure => present}
package { "php-apc": ensure => present}
exec { "pear upgrade":
command => "/usr/bin/pear upgrade",
require => Package["php-pear"],
}
}
Not sure how to use flags here.
Many thanks in advance.
You can try this if you want to install with --with-xsl flag for all of them :
all_php_packages = ["php5-cli","php5-dev","php5-mysql","php-pear",
"php5-common","php5-fpm","php5-cgi","php-apc"]
package{ $all_php_packages :
ensure => present,
install_options => ["--with-xsl","--some-other-option",],
}

enabling fastcgi mod in lighttpd through puppet

Hi guys am new to puppet and I want to execute the following command on client using puppet so that the fast cgi mod is enabled on the puppet client.
lighttpd-enable-mod fastcgi
Both puppet server and client are ubuntu machines and my lighttpd module's init.pp file is as follows:
class lighttpd::install {
package { "lighttpd":
ensure => present,
}
}
class lighttpd::conf {
file { "/etc/lighttpd/lighttpd.conf":
ensure => present,
owner => 'root',
group => 'root',
mode => 0600,
source => "puppet:///modules/lighttpd/lighttpd.conf",
require => Class["lighttpd::install"],
}
}
class lighttpd::fastcgi {
file { "/etc/lighttpd/conf-available/10-fastcgi.conf":
ensure => present,
owner => 'root',
group => 'root',
mode => 0600,
source => "puppet:///modules/lighttpd/10-fastcgi.conf",
require => Class["lighttpd::install"],
}
}
class lighttpd {
include lighttpd::install, lighttpd::conf, lighttpd::fastcgi
}
Please help me execute this command on the puppet client.
Thanks
So if you modify your lighttpd::fastcgi class to be something like:
class lighttpd::fastcgi {
file { "/etc/lighttpd/conf-available/10-fastcgi.conf":
ensure => present,
owner => 'root',
group => 'root',
mode => 0600,
source => "puppet:///modules/lighttpd/10-fastcgi.conf",
require => Class["lighttpd::install"],
notify => Exec["enable-mod-fastcgi"],
}
exec { "enable-mod-fastcgi":
command => "/usr/bin/lighttpd-enable-mod fastcgi",
refreshonly => true,
}
}
(sorry - the path may be wrong to lighttpd-enable-mod - I don't have lighttpd here).
This should notify the 'exec' correctly. The exec will only get called when notified because of the 'refreshonly' parameter being true.

Resources