Augeas-based Puppet types

Infrastructure – News

17 July 2012 camptocamp

A few weeks ago, I was working on a Puppet definition to manage sshd_config entries. It looked quite simple:

define ssh::config::sshd (
  $ensure='present',
  $value=''
) {

  case $ensure {
    'present': {
      $changes = "set ${name} ${value}"
    }

    'absent': {
      $changes = "rm ${name}"
    }

    # "default" is a keyword here, not a string: quoting it would only match the
    # literal value 'default' and let any other bad $ensure fall through silently.
    default: { fail("Wrong value for ensure: ${ensure}") }
  }

  augeas { "Set ${name} in /etc/ssh/sshd_config":
    context => '/files/etc/ssh/sshd_config',
    changes => $changes,
  }
}

Unfortunately, sshd_config turned out to be more complex than this. It uses Match groups, AcceptEnv, (Allow|Deny)(Groups|Users) and MACs arrays, as well as Subsystem entries, none of which could be managed simply with this definition. Worse yet, managing them with Augeas seemed all but impossible using the Puppet language alone.

Some time ago, Dominic Cleal had started a new project called augeasproviders, whose aim was to write new providers for native Puppet types using Augeas internally. sshd_config could probably benefit from a custom type based on Augeas.

I began writing the code as a proof of concept to present at the Puppetcamp held at the RMLL in Geneva. The prototype I presented there (see the video) already made sure new parameters were added before any Match group (a directive placed after a Match line belongs to that Match block, so it would only apply conditionally), and it could also manage parameters inside Match groups.

The sshd_config type and provider are available in camptocamp's augeasproviders fork on GitHub (pull requests are pending). It can now also manage parameters that take arrays of values:

sshd_config {
  # A top-level parameter
  'RSAAuthentication':
    value  => 'yes';

  # Use default value for PermitEmptyPasswords
  'PermitEmptyPasswords':
    ensure => absent;

  'Set PermitRootLogin for example.com':
    ensure    => present,
    key       => 'PermitRootLogin',
    condition => 'Host example.com',
    value     => 'yes';

  'AcceptEnv':
    ensure => present,
    value  => ['LANG', 'LC_*', 'FOO_BAR'];
}
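The two placement rules described above (top-level parameters stay before the first Match group, conditional ones go inside their Match block) and the array-valued parameters from the manifest just shown, as an added plain-Ruby model that is not code from the augeasproviders project; it edits the file text directly instead of an Augeas tree, and the sshd_config sample is constructed:

```ruby
# Added example, not augeasproviders code: a plain-Ruby model of the placement rules
# the sshd_config provider enforces via Augeas. Constructed sample, not a real host:
SAMPLE = <<~CONF
  Port 22
  PermitRootLogin no
  Subsystem sftp /usr/lib/openssh/sftp-server

  Match Host example.com
    X11Forwarding no
CONF

# Split the text into [header, lines] sections: the top-level section has a nil
# header, then one section per "Match ..." line. Everything after a Match line
# belongs to that block until the next Match, which is why placement matters.
def split_sections(text)
  sections = [[nil, []]]
  text.lines.map(&:chomp).each do |line|
    if line =~ /\A\s*Match\b/i
      sections << [line.strip, []]
    else
      sections.last[1] << line
    end
  end
  sections
end

# Set a directive (value nil removes it). Without a condition it is kept in the
# top-level section, so it lands before the first Match block; with one it goes
# into the matching block, which is created at the end of the file if missing.
# Array values become one space-separated entry; one line per key (not for repeatable keys like HostKey).
def set_param(text, key, value, condition: nil)
  sections = split_sections(text)
  header = condition && "Match #{condition}"
  sec = sections.find { |h, _| h.nil? ? condition.nil? : h.casecmp?(header) }
  if sec.nil?
    return text if value.nil?          # nothing to remove from an absent block
    sec = [header, []]
    sections << sec
  end
  lines = sec[1]
  lines.reject! { |l| l.split.first.to_s.casecmp?(key) }   # replace, don't duplicate
  unless value.nil?
    entry = "#{key} #{Array(value).join(' ')}"
    last = lines.rindex { |l| !l.strip.empty? } || -1    # skip trailing blank lines
    lines.insert(last + 1, sec[0] ? "  #{entry}" : entry)
  end
  sections.flat_map { |h, ls| h ? [h, *ls] : ls }.join("\n") + "\n"
end
```

Calling `set_param(SAMPLE, 'PermitRootLogin', 'yes', condition: 'Host example.com')` leaves the top-level `PermitRootLogin no` untouched and adds the directive inside the Match block, while `set_param(SAMPLE, 'AcceptEnv', ['LANG', 'LC_*', 'FOO_BAR'])` inserts a single line before the Match group.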

In addition, the Subsystem entries can be managed using a new sshd_config_subsystem type:

sshd_config_subsystem {'sftp':
  command => '/usr/lib/openssh/sftp-server'
}

Using Augeas as a building block for custom types made for a very flexible provider. It also greatly improved performance, since Augeas is loaded only for the target file with the Sshd.lns lens, instead of loading every known lens against every file on the system.
