How about (for this specific situation) leaving an empty file? You could do:
  file { "/tmp/secret":
    # plus whatever source/content delivers the seed today; replace => false
    # means an existing (already blanked) file is left alone, not re-seeded
    replace => false,
    mode    => 0400,
  }
  exec { "do-the-install":
    command => "do the install",     # placeholder: the real install command
    onlyif  => "only do the install if some condition met or unmet",  # placeholder: the condition test
    notify  => Exec["cleanup"],
    require => File["/tmp/secret"],
  }
  exec { "cleanup":
    # blank the seed once the install has run; the redirection needs a shell.
    # Truncation empties the file but does not scrub its old blocks on disk.
    command     => "/bin/sh -c \"echo '' > /tmp/secret\"",
    refreshonly => true,
  }
Thijs
On Wed, Nov 19, 2008 at 2:51 AM, <[EMAIL PROTECTED]> wrote:
>
> "Paul Lathrop" writes:
>>> Unfortunately, this leaves the seed file, required only for the command
>>> to run, lying around on disk. Now, I can protect the file with mode
>>> 0400, or I can tidy it with a dependency on the exec command, but what
>>> I really want is something like "refreshonly" for files; only copy the
>>> file over if something is being evaluated that explicitly requires it.
>
> Note that I haven't actually tried the "tidy" approach, and it may meet
> my needs. Just before we go further. I only thought of it as I was
> writing my previous email.
>
>>I'm not sure you understand that I'm not arguing *against* 'onlyif' as
>>a metaparameter. I'm focusing on how to do what you want, now, with
>>Puppet as it is today. I do think it is slightly odd the way people
>>choose to model things, but flexibility is one of Puppet's strong
>>points.
>
> :) Yes, understood.
>
>>Why not wrap the process of fetching the seed file, generating the
>>"password alias", and then securely deleting the seed file into a
>>script, which you would then put in your exec with an appropriate
>>'onlyif'?
>
> That's an excellent question.
>
> I think the reason I don't want to do that is twofold:
>
> 1. That Puppet gives me idempotency for free; if my script gets
> interrupted in the middle, I have to have recovery logic (not
> complicated in this case, admittedly, but I believe still obscures
> what I'm trying to do for maintenance coders, and sets a "bad"
> precedent). There's a natural barrier to going "outside" the tool,
> if you like.
>
> 2. Puppet has secure file transfer, and setting up a secure rsync
> between puppet server and client hasn't been required so far.
> This objection could be easily overcome if there was a way of
> accessing Puppet file transfer from "outside" Puppet. Is there?
>
> For another example of where this pattern of behaviour
> (dealing with small files containing sensitive data, where
> you don't want to inline the data into your manifest), see
> http://reductivelabs.com/trac/puppet/wiki/Recipes/FirmwarePassword.
>
> -- michael.
>
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
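The wrapper Paul Lathrop proposes in the quoted exchange (fetch the seed, generate the "password alias", securely delete the seed), together with the interruption-recovery logic michael says he would have to write, sketched as an added example; this is not code from this thread or from Puppet. It assumes a plain POSIX shell; make_alias is a stand-in for the real alias generation and only records the seed's byte count, and the overwrite-then-unlink in scrub is best effort (on journaling or copy-on-write filesystems the old blocks may survive).

```shell
#!/bin/sh
# Added example: one idempotent script that consumes a secret seed file and
# guarantees the seed is scrubbed even if the run is interrupted.
set -eu

# make_alias SEED_FILE OUT_FILE
# Placeholder for the real alias generation step (hypothetical); it writes
# only the seed's byte count, so nothing secret lands in OUT_FILE.
make_alias() {
    wc -c < "$1" | tr -d ' ' > "$2"
}

# scrub SEED_FILE: overwrite in place, then remove. Best effort only.
scrub() {
    if [ -f "$1" ]; then
        size=$(wc -c < "$1" | tr -d ' ')
        dd if=/dev/zero of="$1" bs=1 count="$size" conv=notrunc 2>/dev/null || :
        rm -f "$1"
    fi
}

# install_with_seed SEED_FILE ALIAS_FILE
# Idempotent: once ALIAS_FILE exists the seed is never read again (the same
# check an exec's 'creates' would make); a leftover seed is still scrubbed.
# The EXIT/INT/TERM trap is the recovery logic: an interrupted run cannot
# leave the seed behind, and the alias is published atomically via mv, so
# the host is always either fully done or cleanly not done.
install_with_seed() {
    seed=$1
    alias_file=$2
    if [ -f "$alias_file" ]; then
        scrub "$seed"
        return 0
    fi
    trap 'scrub "$seed"' EXIT INT TERM
    tmp="$alias_file.tmp.$$"
    make_alias "$seed" "$tmp"
    mv "$tmp" "$alias_file"
    scrub "$seed"
    trap - EXIT INT TERM
}
```

From a manifest this would be the exec's command (for example `install_with_seed /tmp/secret /etc/app/alias`), with the seed file as a `require`; a second run is a no-op because the alias already exists, which is the idempotency michael wants Puppet to provide rather than the script.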