Setting mountpoints as immutable


nix

May 27, 2014, 16:04:50
to puppet...@googlegroups.com
I would like puppet to be able to set the immutable attribute on selected directory mount points before mounting on CentOS.

I already have the mountpoints managed by puppet, so their existence is ensured prior to the mount, but how do I add the immutable flag?

I know puppet does not natively support extended attributes, what is a decent work-around?

jcbollinger

May 29, 2014, 12:21:14
to puppet...@googlegroups.com


On Tuesday, May 27, 2014 3:04:50 PM UTC-5, nix wrote:
> I would like puppet to be able to set the immutable attribute on selected directory mount points before mounting on CentOS.



That's not gonna happen unless you can be certain that Puppet will run only when there isn't yet anything mounted on the mount points in question, or unless you're willing for Puppet to force the relevant file system unmounted in order to check and possibly change the attributes of the mount point directory.

If you're going to rely on Puppet to create the mountpoint directory, however, then you can approximate that by setting the desired attributes when Puppet does so, and otherwise not managing them.

 
> I already have the mountpoints managed by puppet, so their existence is ensured prior to the mount, but how do I add the immutable flag?



The issue here is that the OS actively obscures the distinction between the mount point directory and the root of the file system mounted on it.  When anything is mounted on the mount point, you cannot touch the mount point itself -- its path refers instead to the mounted filesystem root.  That's outside Puppet's control.

 
> I know puppet does not natively support extended attributes, what is a decent work-around?


Generally speaking, you can use an Exec to run chattr.  That Exec's 'unless' parameter can and should be used to run lsattr to check whether any attribute change is needed.

For example:

file { '/mnt/foo':
  ensure => 'directory'
}

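exec { 'immutable /mnt/foo':
  command => 'chattr +i /mnt/foo',
  # lsattr -d prints the attribute field first (e.g. "----i--------e-- /mnt/foo");
  # skip the chattr when that field already contains 'i'
  unless => 'lsattr -d /mnt/foo | grep -q "^[A-Za-z-]*i"',
  path => '/usr/sbin:/sbin:/usr/bin:/bin',
  refreshonly => true,
  subscribe => File['/mnt/foo']
}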


That Exec's command will run (ensuring that 'i' is among the directory's attributes) only if Puppet creates /mnt/foo or replaces a file of that name with a directory, and in that case, only if the directory's attributes do not already include 'i'.


John
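
The two checks discussed in this reply, as an added shell example that is not part of the original post or of Puppet: whether the attribute field of an `lsattr -d` line already contains `i`, and whether anything is mounted on the directory (in which case the path refers to the mounted filesystem root, not the mount point). The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Decide whether `chattr +i` is needed and meaningful for a mount point directory.

# True if the attribute field (first column of an `lsattr -d` line) contains 'i'.
# Only the first field is examined, so an 'i' in the path cannot match.
has_immutable_flag() {
    attrs=${1%% *}
    case "$attrs" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# True if directory $1 is a mount target (second field) in the mounts
# table $2, which is text in /proc/mounts format.
is_mount_target() {
    printf '%s\n' "$2" |
        awk -v dir="$1" '$2 == dir { found = 1 } END { exit !found }'
}

# Prints the action for directory $1 given its lsattr line $2 and mounts table $3:
#   skip-mounted  something is mounted there; the path is the mounted fs root
#   ok            the immutable flag is already set
#   chattr        the flag is missing and the bare mount point is reachable
plan_immutable() {
    dir=$1
    lsattr_line=$2
    mounts=$3
    if is_mount_target "$dir" "$mounts"; then
        echo skip-mounted
    elif has_immutable_flag "$lsattr_line"; then
        echo ok
    else
        echo chattr
    fi
}

# Constructed sample data (not captured from a real host).
SAMPLE_SET='----i--------e-- /mnt/foo'
SAMPLE_UNSET='-------------e-- /mnt/ini'
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw 0 0
/dev/sdb1 /mnt/bar ext4 rw 0 0'

# Against a live system:
#   plan_immutable /mnt/foo "$(lsattr -d /mnt/foo)" "$(cat /proc/mounts)"
```

The `/mnt/ini` sample has an `i` in its path but not in its attribute field, which is the case an unanchored `grep i` would get wrong.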
