Aug. 9th, 2017

gushi: (Bitey Gushi)

So, you have a Puppet problem: you want to add a line to inetd.conf. The thing is, inetd.conf is complicated. It's sort of a key-value store, but it's really six fields, and the last of those fields is multiple words (the command plus its arguments).

Since, on most of our systems, we don't use inetd at all, we could just as easily stomp down a whole entire inetd.conf:

# Puppet syntax: the resource title must be the absolute path, the body sits inside braces.
file { '/etc/inetd.conf':
  ensure => present,
  source => 'puppet:///files/mymodule/inetd.conf',
  owner  => root,
  mode   => '0644',   # a config file needs no execute bit
  notify => Service['inetd'],
}

service { 'inetd':
  ensure => running,
}

But that locks us out of any future changes we want to make. We could in turn use the "file_line" resource type (from puppetlabs-stdlib), but formatting that string gets really annoying.

file_line { 'inetd_tacplus':
  ensure => present,
  path   => '/etc/inetd.conf',
  # one literal line: six tab-separated fields, the last holding the command and its arguments
  line   => "tacacs\tstream\ttcp\tnowait\troot\t/usr/local/sbin/tac_plus tac_plus -i -C /usr/local/etc/tac_plus.conf -U root",
}

But that's a long line that's a nightmare to read and maintain. And if we change it even a little, it's no longer idempotent: file_line matches on the exact literal, so the old line stays in the file next to the new one. We'd have to keep the old one around, exactly, with an ensure => absent. It turns out that the real answer here is Augeas. Augeas can be complex to figure out, but using the example in Puppet's Augeas docs, we're able to set this all up in a self-defined array. Augeas keys the entry on the service name, so it will create the entry if it doesn't exist and modify it if it does.

It turns out looking something like this:

  augeas { 'inetd_tacacs':
    context => '/files/etc/inetd.conf',
    notify  => Service['inetd'],
    # Paths are relative to the context, so no leading slash: a path starting
    # with '/' is treated as absolute and would not land under the inetd.conf tree.
    changes => [
      "set service[. = 'tacacs'] tacacs",
      "set service[. = 'tacacs']/socket stream",
      "set service[. = 'tacacs']/protocol tcp",
      "set service[. = 'tacacs']/wait nowait",
      "set service[. = 'tacacs']/user root",
      "set service[. = 'tacacs']/command /usr/local/sbin/tac_plus",
      "set service[. = 'tacacs']/arguments/1 tac_plus",
      "set service[. = 'tacacs']/arguments/2 -i",
      "set service[. = 'tacacs']/arguments/3 -C",
      "set service[. = 'tacacs']/arguments/4 /usr/local/etc/tac_plus.conf",
      "set service[. = 'tacacs']/arguments/5 -U",
      "set service[. = 'tacacs']/arguments/6 root",
    ],
  }

Plus the usual bits to tell this to notify inetd when it's running, and the like. Is this more complex than it needs to be? Maybe, but I couldn't find a good example of this online, so I decided to blog it.
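To make the two points above concrete (the six-field layout of inetd.conf, and why a literal-line edit is not idempotent while a keyed edit is), here is an added Python example that is not part of the original post. It models an entry the way the Augeas Inetd lens does (service, socket, protocol, wait, user, command, arguments/N) and compares a replace-by-service-name update with an append-if-line-missing update. The sample inetd.conf and the tac_plus command line are constructed from the values shown in the post, not taken from a real host.

```python
"""Parse inetd.conf and compare two ways of adding a service entry.

Added example, not the post's or Puppet's own code. The entry fields follow
the Augeas Inetd lens tree: service, socket, protocol, wait, user, command,
arguments/1..N.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Union


@dataclass
class Service:
    service: str
    socket: str
    protocol: str
    wait: str
    user: str
    command: str
    arguments: List[str] = field(default_factory=list)

    def to_line(self) -> str:
        # Six tab-separated fields; the sixth is the command followed by its argv.
        return "\t".join([self.service, self.socket, self.protocol, self.wait,
                          self.user, " ".join([self.command] + self.arguments)])


def parse_line(line: str) -> Optional[Service]:
    """Return a Service for an entry line, None for blank and comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if len(fields) < 6:
        raise ValueError(f"malformed inetd.conf line: {line!r}")
    # fields[5] is the command; anything after it is the argument list.
    return Service(*fields[:5], command=fields[5], arguments=fields[6:])


def parse_conf(text: str) -> List[Union[Service, str]]:
    """Entries become Service objects; comments and blank lines are kept as-is."""
    items: List[Union[Service, str]] = []
    for line in text.splitlines():
        svc = parse_line(line)
        items.append(svc if svc is not None else line)
    return items


def render(items: List[Union[Service, str]]) -> str:
    return "\n".join(i.to_line() if isinstance(i, Service) else i for i in items) + "\n"


def set_service(text: str, desired: Service) -> str:
    """Keyed update, like Augeas `set service[. = 'name']`: replace the entry
    for this service name in place if present, otherwise append it."""
    items = parse_conf(text)
    for idx, item in enumerate(items):
        if isinstance(item, Service) and item.service == desired.service:
            items[idx] = desired
            return render(items)
    items.append(desired)
    return render(items)


def append_line(text: str, line: str) -> str:
    """Literal-line update, like file_line: append unless this exact line exists.
    A changed command line is a different literal, so the old entry survives."""
    if line in text.splitlines():
        return text
    return text.rstrip("\n") + "\n" + line + "\n"


def count_entries(text: str, name: str) -> int:
    return sum(1 for i in parse_conf(text) if isinstance(i, Service) and i.service == name)


# Constructed sample: an existing tacacs entry that lacks the trailing "-U root".
SAMPLE_CONF = """# inetd.conf - constructed sample
#ftp\tstream\ttcp\tnowait\troot\t/usr/libexec/ftpd\tftpd -l
tacacs\tstream\ttcp\tnowait\troot\t/usr/local/sbin/tac_plus tac_plus -i -C /usr/local/etc/tac_plus.conf
"""

# The desired entry, with the argument list from the post.
TACACS = Service("tacacs", "stream", "tcp", "nowait", "root", "/usr/local/sbin/tac_plus",
                 ["tac_plus", "-i", "-C", "/usr/local/etc/tac_plus.conf", "-U", "root"])


def demo():
    """Return (entries after keyed update, entries after literal append)."""
    keyed = set_service(SAMPLE_CONF, TACACS)
    literal = append_line(SAMPLE_CONF, TACACS.to_line())
    return count_entries(keyed, "tacacs"), count_entries(literal, "tacacs")


if __name__ == "__main__":
    print(demo())  # (1, 2): one tacacs entry after the keyed edit, two after the literal append
```

Running it twice with the same desired entry leaves the keyed result unchanged, which is the idempotency the post is after; the literal-append path only stays idempotent as long as the line never changes.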
