Jira (PUP-11375) Cannot ensure user absent and purge its ssh keys in same manifest

4 views
Skip to first unread message

Luchian Nemes (Jira)

unread,
Dec 9, 2021, 9:45:02 AM12/9/21
to puppe...@googlegroups.com
Luchian Nemes created an issue
 
Puppet / Bug PUP-11375
Cannot ensure user absent and purge its ssh keys in same manifest
Issue Type: Bug Bug
Assignee: Unassigned
Created: 2021/12/09 6:44 AM
Priority: Normal Normal
Reporter: Luchian Nemes

How to reproduce:

➜ cat create_user.pp
 
user {'luchi':
 
  ensure => present,
 
  managehome => true,
 
  purge_ssh_keys => true
 
}
 
➜ cat add_ssh_key.pp
 
ssh_authorized_key { 'lu...@example.com':
 
  ensure => present,
 
  user   => 'luchi',
 
  type   => 'ssh-rsa',
 
  key    => 'my-key'
 
}
 
➜ cat remove_user.pp
 
user {'luchi':
 
  ensure => absent,
 
  purge_ssh_keys => true
 
}
 
➜ puppet apply create_user.pp
 
...
 
➜ puppet apply add_ssh_key.pp
 
...
 
➜ puppet apply remove_user.pp --debug --trace
 
...
 
Debug: User[luchi] parsed for purging Ssh_authorized_key[lu...@example.com]
 
Debug: /Stage[main]/Main/User[luchi]: Nothing to manage: no ensure and the resource doesn't exist
 
Debug: Prefetching parsed resources for ssh_authorized_key
 
Notice: /Stage[main]/Main/Ssh_authorized_key[lu...@example.com]/ensure: removed
 
Error: /Stage[main]/Main/Ssh_authorized_key[lu...@example.com]: Could not evaluate: User 'luchi' does not exist
 
/etc/puppetlabs/code/modules/sshkeys_core/lib/puppet/provider/ssh_authorized_key/parsed.rb:71:in `flush'
 
/root/puppet/lib/puppet/type.rb:1022:in `flush'
 
/root/puppet/lib/puppet/transaction/resource_harness.rb:25:in `evaluate'
 
/root/puppet/lib/puppet/transaction.rb:267:in `apply'
 
/root/puppet/lib/puppet/transaction.rb:287:in `eval_resource'
 
...

Add Comment Add Comment
 
This message was sent by Atlassian Jira (v8.20.2#820002-sha1:829506d)
Atlassian logo

Josh Cooper (Jira)

unread,
Dec 9, 2021, 2:39:03 PM12/9/21
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-11375
 
Re: Cannot ensure user absent and purge its ssh keys in same manifest

I think this is the "puppet doesn't reverse the dependency order when ensure=absent" as described in the registry module, see PUP-2451. When ensure=absent, generated or eval_generated resources children need to be processed before the parent. In this case, we need to purge the authorized_key entries before deleting the user.
Reply all
Reply to author
Forward
0 new messages