
Wanted files being deleted automatically

asked 2017-01-17 07:44:42 -0500

Davies

updated 2017-01-17 10:08:22 -0500

I am trying to learn Puppet by setting up my various Raspberry Pis. These come with a standard user (pi) and a standard password (raspberry). Until this password is changed, a security warning appears when you log in. I want Puppet to change this for me when the machine is new, but NOT if it has already been changed. I have been trying to use a custom fact, as my plan is to have a "wanted" file with all the options as booleans. I then want a separate "done" file for each option that has been executed. So, for my password example, I intend my final file to test whether a new password is wanted (it would not be on machines other than Pis) and whether this has been done (the password should NOT be overwritten if, for whatever reason, it has been changed after the initial setup).

Installing puppet on the Pi results in only one non-home "facts.d" directory (/var/lib/puppet/facts.d). Any files I put in there get deleted, which rather defeats my object. Neither https://docs.puppet.com/puppet/latest... nor https://docs.puppet.com/facter/3.5/cu... give any clue to this behaviour. The closest I have found is https://github.com/saz/puppet-php/iss.... Where, please, are the docs describing this behaviour and how to override this default?

Regards,

John Davies

Update: The file is being created by puppet. The code is:

class pi_user::password {
  if $facts['hostname'] in ['pi245'] {
    unless $facts['pi_password_done'] {
      file { '/var/lib/puppet/facts.d/pi_password_done.txt':
        ensure => 'present',
        content => 'pi_password_done=true
',
      }
      user { 'pi':
        password => '$6$saltremoved$hashremoved',
      }
    }
  }
}

It was also my intention to start with a "wanted.txt" file, listing the things that should be done once, but that, for this learning purpose, is being achieved by the "if" statement, while the "unless" statement would have to be expanded to handle the two conditions. I'm trying to solve my problems one at a time, so the "wanted" file can wait. The suggestion that I may have misnamed the facts is probably correct, as I am unclear about the difference(s).


2 Answers


answered 2017-01-17 09:16:24 -0500

DarylW

Puppet is designed to work in a declarative 'this is how I want the system configured' way, where your modules and your hiera data describe the system. Doing things the way you are trying to is 'not the puppet way'.

To get my understanding correct, you are trying to create a custom fact that knows that a password has been set. You then want to use that custom fact to either set or not manage the 'password' portion of a user resource?

You said you 'put' a file in facts.d... how did you do that? Was it a side-effect from an exec, or is it a puppet managed file object?

You can manage a file, but not its contents, OR you can audit that file contents have changed without actually managing its content, so you could notify an exec/service/other resource.

Also, I think what you want is not a 'custom fact' but an 'external fact' if you want to drop a file on the system. The custom facts directory is managed by the puppet master/client pluginsync operation (which is probably what purges the facts), whereas external facts are more of standalone or key-value pairs in a file that can be used slightly differently.


Comments

I've updated my OP to try to answer your questions. I was trying to do things declaratively, but if I've failed, I would appreciate pointers to any docs that show me a better way.

Davies ( 2017-01-17 10:10:20 -0500 )

answered 2017-01-17 12:28:03 -0500

lavaman

So what you want is for puppet to configure an initial password for the user, but not manage it going forward. I've done something similar in the past using an exec. Create an exec that sets the password for the user (using sed/awk/etc.) then set refreshonly => true on that exec. This way, puppet will run that exec the first time, but never again, so if the password is changed by the end user, puppet will not revert it.


Comments

Also, you can use a file resource where you set initial contents (replace parameter) and puppet will create it if it's not there, but it will manage permissions but not content if it is.

DarylW ( 2017-01-17 19:10:20 -0500 )
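
The exec suggestion from this answer and the `replace` suggestion from its comment, combined into one manifest as an added example that is not code from either poster. The class name `pi_user::initial_password` and the seed file path are hypothetical, and the hash is the placeholder from the question.

```puppet
# Added example: set the pi password once on a new machine, then stop managing it.
# Class name and $seed_file are hypothetical; $initial_hash is the question's placeholder.
class pi_user::initial_password (
  String $initial_hash = '$6$saltremoved$hashremoved',
  String $seed_file    = '/root/pi_initial_password',  # deliberately outside facts.d
) {
  # replace => false: Puppet writes the content only when the file is absent.
  # On later runs the content is left alone, so no refresh event is sent.
  file { $seed_file:
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',                      # the hash is readable by root only
    content => "pi:${initial_hash}\n",      # "user:hash" line as chpasswd expects
    replace => false,
    notify  => Exec['set initial pi password'],
  }

  # refreshonly => true: this exec runs only when the file resource above
  # notifies it. The user resource is not declared, so Puppet never compares
  # or reverts the password after this point.
  exec { 'set initial pi password':
    command     => "/usr/sbin/chpasswd -e < ${seed_file}",  # -e: input is already hashed
    provider    => shell,                                   # needed for the redirection
    refreshonly => true,
  }
}
```

Any later change Puppet makes to the seed file (recreating it after deletion, or correcting its owner or mode) also refreshes the exec and resets the password. If the exec fails on the first run, the file already exists on the next run, so the exec is not retried until the file is removed.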
