By thomas, Thu, 07/30/2009 - 11:50
Help on using puppet-augeas is available on the puppet-augeas wiki page. Once you have worked out the commands you need with augtool, you can rewrite them to work in puppet. In our previous example, we used set a few times to make a new entry in /etc/hosts. In puppet we'll use the augeas type and call set the same way.
augeas{ "server0":
	context => "/files/etc/hosts",
	changes => [
		"set 4/ipaddr 192.168.0.1",
		"set 4/canonical server0.example.com",
		"set 4/alias[1] server0",
		"set 4/alias[2] puppet-augeas.example.com",
	],
}

[root@client15 augeas-play]# puppetd --fqdn=$HOSTNAME --test --no-splay --server=server0.example.com --onetime --verbose --factsync
info: Retrieving facts
info: Caching catalog at /var/lib/puppet/localconfig.yaml
notice: Starting catalog run
notice: //Node[default]/base/Augeas[server0]/returns: executed successfully
notice: Finished catalog run in 1.87 seconds
[root@client15 augeas-play]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1		localhost.localdomain localhost
::1		localhost6.localdomain6 localhost6
192.168.0.31		client15.example.com client15
192.168.0.1	server0.example.com server0 puppet-augeas.example.com
[root@client15 augeas-play]# 
We replaced the alias puppet.example.com with puppet-augeas.example.com using puppet-augeas. Making this change with a combination of sed and awk would be possible, but with augeas it is much clearer what we are trying to achieve, and it is also safer.

For a more concrete example, we'll modify ssh to deny password access. We'll use the puppet notify system to have ssh restart after we make the change with augeas.
Added to base.pp:

service { sshd: ensure => true, enable => true, hasrestart => true }
augeas{ "ssh":
	context => "/files/etc/ssh/sshd_config",
	changes => [
		"set PasswordAuthentication no"
	],
	notify => Service["sshd"]
}
Now when we run puppet again, sshd_config will be updated, which will cause sshd to be restarted (triggered).
[root@client15 augeas-play]# puppetd --fqdn=$HOSTNAME --test --no-splay --server=server0.example.com --onetime --verbose --factsync
info: Retrieving facts
info: Caching catalog at /var/lib/puppet/localconfig.yaml
notice: Starting catalog run
notice: //Node[default]/base/Augeas[ssh]/returns: executed successfully
info: //Node[default]/base/Augeas[ssh]: Scheduling refresh of Service[sshd]
notice: //Node[default]/base/Service[sshd]: Triggering 'refresh' from 1 dependencies
notice: Finished catalog run in 3.04 seconds
[root@client15 augeas-play]# exit
Connection to client15.example.com closed.
[root@server0 manifests]# ssh root@client15.example.com
Permission denied (publickey,gssapi-with-mic).
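A check to run on the client after the change above, as an added example that is not part of the original post: it reports the effective global PasswordAuthentication value and counts Match blocks that turn it back on. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report whether an sshd_config
# really disables password logins. Assumptions, per sshd_config(5): the first
# value found for a keyword wins, keywords are case-insensitive, the default
# for PasswordAuthentication is "yes", and Match blocks override the global value.

# Prints "global=<value> match_yes=<count>" for the file given as $1.
password_auth_state() {
    awk '
        /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
        {
            sub(/[ \t]*=[ \t]*/, " ")              # accept "Keyword=value" as well
            key = tolower($1); val = tolower($2)
        }
        key == "match" { in_match = 1; next }      # a Match block runs to the next Match or EOF
        key == "passwordauthentication" {
            if (in_match) { if (val == "yes") match_yes++ }
            else if (global == "") global = val    # first global occurrence wins
        }
        END {
            if (global == "") global = "yes"       # keyword absent: built-in default
            printf "global=%s match_yes=%d\n", global, match_yes
        }
    ' "$1"
}

# Succeeds only when the global value is "no" and no Match block re-enables it.
password_auth_disabled() {
    [ "$(password_auth_state "$1")" = "global=no match_yes=0" ]
}

# Constructed sample: the global line puppet wrote, plus a Match override.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
Protocol 2
PasswordAuthentication no
Match Address 192.168.0.0/24
    PasswordAuthentication yes
EOF
password_auth_state "$sample"
password_auth_disabled "$sample" || echo "password logins still possible for some connections"
rm -f "$sample"
```

On a managed host, point password_auth_disabled at /etc/ssh/sshd_config after the puppet run.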
Using a combination of kickstart, puppet and puppet-augeas, you can configure just about every change you need to make on a machine. But for those occasions where you need to make the change immediately, there is a solution: func. We'll talk about that next.