Editing fstab with Augeas

[Kim Scarborough]

I'm trying to get Puppet to add "nosuid" to all my nfs or nfs4 mount entries in /etc/fstab. I'm currently using this:

augeas { "fstab-nosuid":
           context => "/files/etc/fstab/*[vfstype = 'nfs' or vfstype = 'nfs4'][count(opt[. = 'nosuid']) = 0]",
 
           changes => [
               "ins opt after opt[last()]",
               "set opt[last()] nosuid"
           ],
 
           onlyif => "match /files/etc/fstab/*[vfstype = 'nfs' or vfstype = 'nfs4'][count(opt[. = 'nosuid']) = 0] size > 0",
}

This works, but it only edits a single line per run. How can I change it to do all of the relevant lines at once?

[Pete Brown]

Is there a reason you aren't using the builtin mount type?
I believe it can do everything you require.

http://docs.puppetlabs.com/references/stable/type.html#mount

> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/a3163d8a-ed0c-4472-b201-54dfd4b68d95%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

[Kim Scarborough]

Hmm. I don't believe mount will do what I want, as every server has different NFS mounts I need to modify. Can I say "modify every NFS mount so that it's nosuid" without actually specifying the mountpoints?

[jcbollinger]

On Tuesday, July 8, 2014 10:22:41 AM UTC-5, Kim Scarborough wrote:

Hmm. I don't believe mount will do what I want, as every server has different NFS mounts I need to modify. Can I say "modify every NFS mount so that it's nosuid" without actually specifying the mountpoints?

No, you cannot do that via Mount resources.  Instead, the idiomatic approach here would be to put each mount for each server under individual Puppet management.  If you wished, you could also use the Resources resource to purge Mounts that Puppet is not otherwise managing, so that you could be sure that there were no fstab entries without 'nosuid'.  (Note, however, that a privileged user can mount filesystems that are not listed in fstab, with whatever options they choose.)


John

[Kim Scarborough]

No, you cannot do that via Mount resources.  Instead, the idiomatic approach here would be to put each mount for each server under individual Puppet management.  If you wished, you could also use the Resources resource to purge Mounts that Puppet is not otherwise managing, so that you could be sure that there were no fstab entries without 'nosuid'.  (Note, however, that a privileged user can mount filesystems that are not listed in fstab, with whatever options they choose.)

My Augeas approach works, I'm just having the one problem where I can't get it to apply to more than one mount line per run.

[Pete Brown]

It might work but it is probably better to manage the whole mount with puppet.

> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users...@googlegroups.com.
> To view this discussion on the web visit

> https://groups.google.com/d/msgid/puppet-users/cc43ac0c-64f5-409a-abf6-0d50bba2a79d%40googlegroups.com.

[Kim Scarborough]

>> My Augeas approach works, I'm just having the one problem where I can't get

> it to apply to more than one mount line per run.

It might work but it is probably better to manage the whole mount with puppet.

I have hundreds of servers, many with several NFS mounts, and neither the source or the mountpoint is consistent anywhere. It would be faster for me to hand-edit every server's fstab than to enter them all into puppet.

[Pete Brown]

Sounds like a job for a class with variables backed with hiera.
Infinitely more configurable and less prone to the potential errors
you might introduce from hand editing each fstab.

> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users...@googlegroups.com.
> To view this discussion on the web visit

> https://groups.google.com/d/msgid/puppet-users/1bc07614-3a9a-4650-b3ce-d531a8caba3c%40googlegroups.com.

[Trevor Vaughan]

Pete is definitely on to one good approach here.

Other approaches may include using automount and placing all of your mounts into LDAP or using a custom fact to gather the mounts on each system and then manipulating them accordingly with a define.

Trevor

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAJ8DPF77ixMAm8BFe%2BLHcgcraj6iRYWJzgNE8sO1s5TZY7UvDQ%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvau...@onyxpoint.com

-- This account not approved for unencrypted proprietary information --

[Christopher Wood]

I've been in that situation, and choosing to hand-edit on the host rather than in puppet only works if you're going to build a unique node once.

Once you've dealt with fstab backups, hardware failure, and a rebuild with manual portions, you might also favour just stuffing the whole lot into puppet once instead of into fstab each time a host fails.

> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an

> email to [1]puppet-users...@googlegroups.com.

> To view this discussion on the web visit

> [2]https://groups.google.com/d/msgid/puppet-users/1bc07614-3a9a-4650-b3ce-d531a8caba3c%40googlegroups.com.
> For more options, visit [3]https://groups.google.com/d/optout.
>
> References
>
> Visible links
> 1. mailto:puppet-users...@googlegroups.com
> 2. https://groups.google.com/d/msgid/puppet-users/1bc07614-3a9a-4650-b3ce-d531a8caba3c%40googlegroups.com?utm_medium=email&utm_source=footer
> 3. https://groups.google.com/d/optout

[Kim Scarborough]

I feel like I've got a reasonably good solution with that augeas recipe, it's just that it requires multiple runs to work. If anybody familiar with augeas could take a look at it and help me, I would be most grateful.