Re: [Puppet Users] onlyif return code

2013-10-04 Thread Björn
Hello Mike,

Thanks a lot, file_line works great! I don't remember why I didn't use 
file_line for such things. 

Björn

On Thursday, October 3, 2013 2:35:46 AM UTC+2, Mike Delaney wrote:
>
> On Wed, Oct 2, 2013 at 4:15 AM, Björn wrote:
>
>>   exec{'ensure password policy for pci':
>>     cwd     => '/bin/',
>>     command => "/bin/sed -i 's/^password.*cracklib.so.*/password    requisite    pam_cracklib.so retry=3 minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1/g' $pam_password",
>>     path    => "/usr/bin:/usr/sbin:/bin",
>>     onlyif  => "grep '^password.*cracklib.so.*' $pam_password",
>>     require => Package[$cracklib],
>>   }
>>
>>   exec{'ensure password policy for pci when nothing is present':
>>     cwd     => '/bin/',
>>     command => "echo 'password    requisite    pam_cracklib.so retry=3 minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1' >> $pam_password",
>>     path    => "/usr/bin:/usr/sbin:/bin",
>>     onlyif  => "grep -vq '^password.*cracklib.so.*' $pam_password",
>>     require => Package[$cracklib],
>>   }
>> }
>>
>> My problem is the exec commands. 
>>
>> With the first exec I try to change an existing line with sed. 
>>
>> With the second exec I try to add the rule if no line with 
>> "password.*cracklib" exists. 
>> Unfortunately, this exec runs when the return code of onlyif is 0. I don't 
>> know a command which returns 0 when the line isn't available and returns 1 
>> when the line is available. 
>>
>> Maybe I'm making this too complicated? Do you have another solution? 
>>
>
>
> Off the top of my head, I can't think of a way to invert grep's exit 
> status like you want (at least not a way that will work in an onlyif); 
> however, the use of two execs to modify a file is probably not the ideal 
> solution. Indeed, once the cracklib entry is present in the file, that 
> first exec will fire every time puppet runs, which is probably not what 
> you want either.
>
> If you don't want to manage the entire file, you could use either the 
> native augeas type or the file_line type from the stdlib module to 
> accomplish what you want (file_line is probably easier):
>
>   file_line { 'ensure password policy for pci':
>     path  => $pam_password,
>     match => '^password.*cracklib\.so',
>     line  => 'password    requisite    pam_cracklib.so retry=3 minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1',
>   }
>
> -Mike
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.


Re: [Puppet Users] onlyif return code

2013-10-02 Thread Mike Delaney
On Wed, Oct 2, 2013 at 4:15 AM, Björn wrote:

>   exec{'ensure password policy for pci':
>     cwd     => '/bin/',
>     command => "/bin/sed -i 's/^password.*cracklib.so.*/password    requisite    pam_cracklib.so retry=3 minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1/g' $pam_password",
>     path    => "/usr/bin:/usr/sbin:/bin",
>     onlyif  => "grep '^password.*cracklib.so.*' $pam_password",
>     require => Package[$cracklib],
>   }
>
>   exec{'ensure password policy for pci when nothing is present':
>     cwd     => '/bin/',
>     command => "echo 'password    requisite    pam_cracklib.so retry=3 minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1' >> $pam_password",
>     path    => "/usr/bin:/usr/sbin:/bin",
>     onlyif  => "grep -vq '^password.*cracklib.so.*' $pam_password",
>     require => Package[$cracklib],
>   }
> }
>
> My problem is the exec commands.
>
> With the first exec I try to change an existing line with sed.
>
> With the second exec I try to add the rule if no line with
> "password.*cracklib" exists.
> Unfortunately, this exec runs when the return code of onlyif is 0. I don't
> know a command which returns 0 when the line isn't available and returns 1
> when the line is available.
>
> Maybe I'm making this too complicated? Do you have another solution?
>


Off the top of my head, I can't think of a way to invert grep's exit status
like you want (at least not a way that will work in an onlyif); however, the
use of two execs to modify a file is probably not the ideal solution. Indeed,
once the cracklib entry is present in the file, that first exec will fire
every time puppet runs, which is probably not what you want either.

If you don't want to manage the entire file, you could use either the
native augeas type or the file_line type from the stdlib module to
accomplish what you want (file_line is probably easier):

  file_line { 'ensure password policy for pci':
    path  => $pam_password,
    match => '^password.*cracklib\.so',
    line  => 'password    requisite    pam_cracklib.so retry=3 minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1',
  }

-Mike



[Puppet Users] onlyif return code

2013-10-02 Thread Björn
Hello,

I'm trying to ensure our password policies using /etc/login.defs and PAM 
cracklib. 

class pci_policy::password(
  $cracklib     = $pci_policy::params::cracklib,
  $pam_password = $pci_policy::params::pam_password,
) inherits pci_policy::params {

  package{$cracklib:
    ensure => installed,
  }

  file{'/etc/login.defs':
    ensure  => present,
    owner   => root,
    group   => root,
    mode    => '0644',
    source  => "puppet:///modules/pci_policy/login.defs.$::operatingsystem",
    require => Package[$cracklib],
  }

  exec{'ensure password policy for pci':
    cwd     => '/bin/',
    command => "/bin/sed -i 's/^password.*cracklib.so.*/password    requisite    pam_cracklib.so retry=3 minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1/g' $pam_password",
    path    => "/usr/bin:/usr/sbin:/bin",
    onlyif  => "grep '^password.*cracklib.so.*' $pam_password",
    require => Package[$cracklib],
  }

  exec{'ensure password policy for pci when nothing is present':
    cwd     => '/bin/',
    command => "echo 'password    requisite    pam_cracklib.so retry=3 minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1' >> $pam_password",
    path    => "/usr/bin:/usr/sbin:/bin",
    onlyif  => "grep -vq '^password.*cracklib.so.*' $pam_password",
    require => Package[$cracklib],
  }
}

My problem is the exec commands. 

With the first exec I try to change an existing line with sed. 

With the second exec I try to add the rule if no line with 
"password.*cracklib" exists. 
Unfortunately, this exec runs when the return code of onlyif is 0. I don't 
know a command which returns 0 when the line isn't available and returns 1 
when the line is available. 

Maybe I'm making this too complicated? Do you have another solution? 

Thanks a lot! 

Björn
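As an added example (not code from the thread, from Puppet or from stdlib), the shell below reproduces the exit-code behaviour behind the second exec's onlyif and a replace-or-append routine with the semantics of the file_line suggestion in the reply; the function names, the PATTERN and PAM_LINE variables and the sample file contents are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: shows why `grep -vq` cannot act
# as an inverted onlyif, and a re-runnable replace-or-append routine that
# behaves like stdlib's file_line. PAM_LINE/PATTERN mirror the thread;
# the file contents used in demo are constructed.

PAM_LINE='password    requisite    pam_cracklib.so retry=3 minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1'
PATTERN='^password.*cracklib\.so'

# Exit 0 only when NO cracklib line exists (the condition the append exec
# wanted). `grep -v` inverts which lines are selected, not the exit status,
# so `grep -vq` exits 0 whenever the file holds any other line at all.
line_absent() { ! grep -q "$PATTERN" "$1"; }

# Exit 0 only when the exact desired line is present. Checking this instead
# of the loose pattern is what stops the sed exec firing on every run.
pam_line_is_current() { grep -qxF -- "$PAM_LINE" "$1"; }

# Lines matching the pattern; a correct file has exactly one.
count_pam_lines() { grep -c "$PATTERN" "$1"; }

# Idempotent equivalent of file_line with `match`: replace the matching
# line if present, append if absent, do nothing when already correct.
ensure_pam_line() {
    f=$1
    pam_line_is_current "$f" && return 0
    if line_absent "$f"; then
        printf '%s\n' "$PAM_LINE" >> "$f"
    else
        tmp=$(mktemp)   # '|' delimiter: neither pattern nor line uses it
        sed "s|$PATTERN.*|$PAM_LINE|" "$f" > "$tmp" && mv "$tmp" "$f"
    fi
}

# Stand-alone demo on a constructed PAM fragment with a stale cracklib line.
demo() {
    f=$(mktemp)
    printf 'password    requisite    pam_cracklib.so retry=3\n' > "$f"
    printf 'password    required     pam_unix.so nullok\n' >> "$f"
    grep -vq "$PATTERN" "$f" && echo "grep -vq exits 0 despite a cracklib line"
    ensure_pam_line "$f"
    ensure_pam_line "$f"   # second run is a no-op
    echo "cracklib lines now: $(count_pam_lines "$f")"
    rm -f "$f"
}
demo
```

Puppet's exec type also takes `unless`, the inverse of `onlyif`, which expresses the `line_absent` condition directly in a manifest. The `pam_line_is_current` check is the one that keeps a sed-based exec from re-running on every agent run.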
