
Removing users not known to puppet

asked 2016-04-19 11:42:13 -0500

kevin_thorpe

Here's an interesting one. Puppet takes the stance of ignoring things it doesn't know about. How would I run through the list of users on a machine and remove the ones not known to puppet? What has happened a couple of times is that someone has added users to a server which are then not managed.

This is not as dangerous as it seems as we run puppet in noop mode and have a central web server which requests authorisation before executing modifications. That way we have an audit trail of changes.

I have written custom facts to iterate the passwd and group files but would it be possible to generate resources from all those facts with present/absent being dependent on hiera details?


2 Answers


answered 2016-04-20 10:23:06 -0500

The idiomatic solution is via the resources meta type.

Typically you write:

# Purge user accounts that are not declared in the catalog,
# but leave system accounts alone.
resources { 'user':
  purge => true,
  unless_system_user => true,
}

There are reports out there, however, that the feature still has bugs that haven't been completely resolved, e.g. PUP-1153.

I have not used this feature, and personally, I don't think I ever will. It "feels" to me that this is going outside of the remit of config management. If you really need to do this, you may find there are more specialised tools that could be used in conjunction with Puppet to obtain a cleaner solution.



What are some good solutions for producing an audit of such resources, and getting that information that you can tie into either a monitoring or reporting system? I saw that you can write your own report generators, but there isn't a lot of detail about how to use/access the reports.

DarylW ( 2016-04-21 09:03:46 -0500 )

Well the whole idea of a custom report handler is that it's custom, so how you would use it is up to you. I don't use the reporting at all. As for auditing, how about auditd? :)

Alex Harvey ( 2016-04-22 23:21:29 -0500 )

answered 2016-04-20 07:49:21 -0500

DarylW

Anything is possible with code... If you have custom facts generating a list of present users, you could have your list of expected/intended users defined on the puppet side (in hiera, etc.). You could either use some of the array manipulations that are provided by puppet to filter the list of expected users from the list of actual users and you are left with the list of unexpected users... OR write a custom function and do all of the filtering in ruby, and return that array.

The above could get passed into a user{ $unintendedusersarray: ensure => 'absent' } resource. The same could be done for groups.

Also be sure to account for any users/groups that your modules are creating for their software... either disable the module's management of the user and move it into your own custom management, or have an additional list of users to ignore from the above filtering (apache / tomcat users, etc...)

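The filtering step described in the answer above, sketched in plain Ruby as an added example (not code from the thread or from Puppet itself). The function names, the UID threshold of 1000 and the sample passwd data are assumptions; the returned array is what would be handed to a user resource with ensure => 'absent'.

```ruby
# Added example: names, threshold and sample data are constructed assumptions.
SYSTEM_UID_MAX = 999     # assumption: UIDs below 1000 are system accounts
NOBODY_UID     = 65_534  # conventional "nobody" UID, never a purge candidate

# Parse passwd(5) text into [{name:, uid:}]. Comments, NIS +/- entries and
# malformed lines are skipped rather than guessed at.
def parse_passwd(text)
  text.each_line.filter_map do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#', '+', '-')
    fields = line.split(':', -1)
    next unless fields.size == 7 && fields[2].match?(/\A\d+\z/)
    { name: fields[0], uid: fields[2].to_i }
  end
end

# Users present on the host that are neither expected (e.g. a Hiera list),
# ignored (service accounts created by other modules), nor system accounts.
def unexpected_users(passwd_text, expected:, ignored: [])
  known = (expected + ignored).uniq
  parse_passwd(passwd_text)
    .reject { |u| u[:uid] <= SYSTEM_UID_MAX || u[:uid] == NOBODY_UID }
    .map { |u| u[:name] }
    .reject { |name| known.include?(name) }
    .sort
end

# Constructed sample passwd content.
SAMPLE_PASSWD = <<~PASSWD
  root:x:0:0:root:/root:/bin/bash
  apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
  tomcat:x:1001:1001::/opt/tomcat:/sbin/nologin
  alice:x:1002:1002:Alice:/home/alice:/bin/bash
  tempadmin:x:1003:1003::/home/tempadmin:/bin/bash
  nobody:x:65534:65534:nobody:/:/sbin/nologin
  broken-line-without-fields
  +::::::
PASSWD

if __FILE__ == $PROGRAM_NAME
  # alice is the intended user; tomcat is on the ignore list
  puts unexpected_users(SAMPLE_PASSWD, expected: %w[alice], ignored: %w[tomcat]).inspect
end
```

Wrapping this in a Puppet custom function or fact is left out so the block runs without Puppet installed.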


Last updated: Apr 20 '16