executing from the command line


Jeff Leggett

Jun 11, 2008, 3:51:56 PM6/11/08
to Puppet Users
So I am trying to get a simple manifest to run from the command line:

package { "cntlm":
    ensure   => installed,
    provider => rpm,
    source   => "http://binford.etrade.com/CentOS5-RPMS/cntlm-0.35.1-1.i386.rpm",
}
file { "/etc/cntlm.conf":
    ensure  => present,
    owner   => root,
    mode    => 644,
    content => template("/opt/etrade/p6/puppet/modules/cntlm/templates/cntlm.conf.erb"),
}

[jleggett@lxp6d4m3 templates]$ cat cntlm.conf.erb
Username <%= id %>
Domain CORP
PassNTLMv2 XXXXXX
Proxy http://<%= proxy %>:8080
Listen 3128
Auth NTLMv2

[jleggett@lxp6d4m3 templates]$
[jleggett@lxp6d4m3 manifests]$ puppet cntlm.pp
(erb):1: warning: Object#id will be deprecated; use Object#object_id
err: //File[/etc/cntlm.conf]/ensure: change from absent to present
failed: Could not set present on ensure: Permission denied - /etc/
cntlm.conf.puppettmp at /opt/etrade/p6/puppet/modules/cntlm/manifests/
cntlm.pp:12
err: //Package[cntlm]/ensure: change from absent to present failed:
Execution of '/bin/rpm -i --oldpackage http://binford.etrade.com/CentOS5-RPMS/cntlm-0.35.1-1.i386.rpm'
returned 256: error: can't create transaction lock on /var/lib/rpm/
__db.000

[jleggett@lxp6d4m3 manifests]$ sudo puppet cntlm.pp
(erb):1: warning: Object#id will be deprecated; use Object#object_id
Failed to parse template /opt/etrade/p6/puppet/modules/cntlm/templates/
cntlm.conf.erb: Could not find value for 'proxy' at /opt/etrade/p6/
puppet/modules/cntlm/manifests/cntlm.pp:11 on node lxp6d4m3
[jleggett@lxp6d4m3 manifests]$ facter proxy
10.50.79.250
[jleggett@lxp6d4m3 manifests]$ facter id
jleggett
[jleggett@lxp6d4m3 manifests]$

What am I doing wrong?

Mike Renfro

Jun 11, 2008, 4:32:21 PM6/11/08
to puppet...@googlegroups.com
On 6/11/2008 2:51 PM, Jeff Leggett wrote:

> (erb):1: warning: Object#id will be deprecated; use Object#object_id
> err: //File[/etc/cntlm.conf]/ensure: change from absent to present
> failed: Could not set present on ensure: Permission denied - /etc/
> cntlm.conf.puppettmp at /opt/etrade/p6/puppet/modules/cntlm/manifests/
> cntlm.pp:12
> err: //Package[cntlm]/ensure: change from absent to present failed:
> Execution of '/bin/rpm -i --oldpackage http://binford.etrade.com/CentOS5-RPMS/cntlm-0.35.1-1.i386.rpm'
> returned 256: error: can't create transaction lock on /var/lib/rpm/
> __db.000

I'd expect these don't work if jleggett doesn't have write access to
/etc to make that puppettmp file, and if jleggett can't install an rpm
as a regular user. I don't know if anyone runs puppet as a non-root user
normally, but I don't know everyone's situation.

> [jleggett@lxp6d4m3 manifests]$ sudo puppet cntlm.pp
> (erb):1: warning: Object#id will be deprecated; use Object#object_id
> Failed to parse template /opt/etrade/p6/puppet/modules/cntlm/templates/
> cntlm.conf.erb: Could not find value for 'proxy' at /opt/etrade/p6/
> puppet/modules/cntlm/manifests/cntlm.pp:11 on node lxp6d4m3

Does 'sudo facter proxy' return something sensible? I saw it work for
jleggett, but is there something in a user-specific Ruby path or a
FACTER_proxy environment variable that lets the non-root facter find
this proxy variable?

--
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University

Jeff Leggett

Jun 11, 2008, 10:06:00 PM6/11/08
to Puppet Users
Yeah - that's the problem...

I need to be my user when the template is evaluated:

[jleggett@lxp6d4m3 templates]$ cat cntlm.conf.erb
Username <%= id %>
Domain CORP
PassNTLMv2 XXXXXX
Proxy http://<%= proxy %>:8080
Listen 3128
Auth NTLMv2

So that username is jleggett...

BUT, if I do that... then user jleggett doesn't have permission to
create the temp file in /etc :( Now what's ODD is, if I run it as
root, I would expect it to add Username as root, but it doesn't; it
adds:

[jleggett@lxp6d4m3 manifests]$ sudo puppet --confdir=/opt/etrade/p6/puppet/ cntlm.pp
(erb):1: warning: Object#id will be deprecated; use Object#object_id
notice: //File[/etc/cntlm.conf]/content: changed file contents from
{md5}d68da246d4ffba07d9c01acfa427d1cc to
{md5}2871d52d620730b4fb508f3268ba9e56
[jleggett@lxp6d4m3 manifests]$ cat /etc/cntlm.conf
Username -605483388
Domain CORP
PassNTLMv2 XXXXXX
Proxy 10.50.79.250:8080
Listen 3128
Auth NTLMv2

[jleggett@lxp6d4m3 manifests]$ sudo facter id
root
[jleggett@lxp6d4m3 manifests]$

On Jun 11, 4:32 pm, Mike Renfro <ren...@tntech.edu> wrote:
> On 6/11/2008 2:51 PM, Jeff Leggett wrote:
>
> > (erb):1: warning: Object#id will be deprecated; use Object#object_id
> > err: //File[/etc/cntlm.conf]/ensure: change from absent to present
> > failed: Could not set present on ensure: Permission denied - /etc/
> > cntlm.conf.puppettmp at /opt/etrade/p6/puppet/modules/cntlm/manifests/
> > cntlm.pp:12
> > err: //Package[cntlm]/ensure: change from absent to present failed:
> > Execution of '/bin/rpm -i --oldpackage http://binford.etrade.com/CentOS5-RPMS/cntlm-0.35.1-1.i386.rpm'

Mike Renfro

Jun 11, 2008, 11:19:29 PM6/11/08
to puppet...@googlegroups.com
Jeff Leggett wrote:

> I need to be my user when the template is evaluated:

Is there another reason for this beyond the "id" fact being set properly
when you're jleggett and not when you're root? Any reason why cntlm has
to connect as your user (or whoever runs puppet in the general sense),
and not as a dedicated account?

I don't have a good answer to the template id variable turning numeric
when facter id is correct, though.

--
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- ren...@tntech.edu
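An added illustration (not code from the thread) of why the template's id comes out numeric even though facter id is correct: Puppet's template scope resolves bare names through method_missing, so a fact whose name is already a method on every Ruby object (Object#id on Ruby 1.8, the method the deprecation warning above names; object_id on current Ruby) is answered by that method and never reaches the fact lookup. The FactScope class and its fact helper are assumptions modelled on that behaviour, and the fact values are constructed from the facter output shown in the thread.

```ruby
require 'erb'

# Stand-in for a Puppet template scope: unknown bare names fall through
# method_missing to a fact lookup (assumed model, not Puppet's own code).
class FactScope
  def initialize(facts)
    @facts = facts
  end

  # Bare-name lookup, e.g. <%= proxy %>. Only reached when no method of
  # that name already exists on the object.
  def method_missing(name, *args)
    key = name.to_s
    @facts.key?(key) ? @facts[key] : super
  end

  def respond_to_missing?(name, include_private = false)
    @facts.key?(name.to_s) || super
  end

  # Explicit lookup: cannot be shadowed by a method inherited from Object,
  # and fails loudly, like Puppet's "Could not find value" error.
  def fact(name)
    @facts.fetch(name.to_s) { raise KeyError, "Could not find value for '#{name}'" }
  end

  def render(erb_text)
    ERB.new(erb_text).result(binding)
  end
end

# Constructed facts, mirroring "facter id" / "facter proxy" in the thread.
FACTS = { 'id' => 'root', 'proxy' => '10.50.79.250', 'object_id' => 'root' }

# Name clash with Object#object_id (Object#id on Ruby 1.8): the template
# silently receives the scope object's numeric identity, not the fact.
def render_shadowed
  FactScope.new(FACTS).render("Username <%= object_id %>")
end

# Safe form: the fact is looked up by name, so no clash is possible.
def render_explicit
  FactScope.new(FACTS).render("Username <%= fact('id') %>")
end

# An undefined fact raises instead of rendering garbage.
def render_missing
  FactScope.new(FACTS).render("Proxy http://<%= proxy %>:8080\nUser <%= fact('nope') %>")
rescue KeyError, NameError => e
  e.message
end
```

In a real Puppet template the equivalent safeguard is to avoid fact names that collide with Ruby's Object methods (id, type, test, ...) or to read them through an explicit lookup rather than a bare name.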

Jeff Leggett

Jun 12, 2008, 10:24:47 AM6/12/08
to Puppet Users
Yes, because there is no way in my organization Access Control is
going to allow a machine id out the proxy... That's set up and tracked
by user id... All sorts of compliance regulations will enforce that
one....

Mike Renfro

Jun 12, 2008, 10:43:17 AM6/12/08
to puppet...@googlegroups.com
On 6/12/2008 9:24 AM, Jeff Leggett wrote:
> Yes, because there is no way in my organization Access Control is
> going to allow a machine id out the proxy... That's set up and tracked
> by user id... All sorts of compliance regulations will enforce that
> one....

Ok. So do they all proxy out as jleggett (which really doesn't sound any
better than proxying through a separate account, but I don't have to
deal with lots of compliance regulations)? If so, hard-code the username
into the template similar to how it appears you've hard-coded the NTLMv2
hash. If they proxy out as different users, then I assume something's
missing in the template that provides a varying NTLMv2 hash.

If the stated policy goal is "whoever's running puppet, put their
credentials into cntlm.conf", then you're heading that way. If the
policy is a bit more complicated, like "for this group of servers, proxy
out as jleggett. For this other group, proxy out as bob", then I'd wrap
this up in a definition that allows the desired username and hash to be
passed as parameters to the file entry.

Jeff Leggett

Jun 12, 2008, 11:09:49 AM6/12/08
to Puppet Users
OK, my bad (and I really appreciate your answers, by the way); I didn't
explain clearly enough.

I am trying to use puppet to set up and manage what we call our P8
(packaging 2008) developer workstations. These are RHAS5 based
workstations that are kickstarted, then I want Puppet to pick up the
rest (if possible) of the configuration. Automatic configuration
modules now work pretty well. Now I am working on the pieces that
apply to the individual developer that gets this workstation. In this
case, me - jleggett. So I want to run this puppet cntlm.pp manifest
and voilà... my proxy on the box is set up, and authenticating to our
external proxy. Then all the myriad other tools that need a proxy can
just point to it in their conf files (yum, subversion etc). This
meets regulatory requirements, and has the added bonus of not having a
single cleartext password on the box.

My plan was to wrap all the individual manifest runs in a shell script
with any other shell commands (like the 'cntlm -H -u blah blah' needed
to generate the HASH), assign said HASH to a $FACTER_hash variable,
then call the manifest... similar idea with other tools. But I run
into the problem of said manifest needing to write to /etc to create
the conf file but have the user variables and facter variables from
the user space.

Make sense?

Mike Renfro

Jun 12, 2008, 12:06:57 PM6/12/08
to puppet...@googlegroups.com
On 6/12/2008 10:09 AM, Jeff Leggett wrote:

> Automatic configuration modules now work pretty well. Now I am
> working on the pieces that apply to the individual developer that
> gets this workstation. In this case, me - jleggett. So I want to
> run this puppet cntlm.pp manifest and voilà... my proxy on the box is
> set up, and authenticating to our external proxy. Then all the
> myriad other tools that need a proxy can just point to it in their
> conf files (yum, subversion etc). This meets regulatory
> requirements, and has the added bonus of not having a single
> cleartext password on the box.

Are any regulatory requirements violated if the NTLMv2 hashes already
stored on each workstation are also stored in a common location on the
puppetmaster? Are there any variables other than the developer's
username and hash that would normally be generated on the client?

If not, would something like the following work with the regular
puppetmasterd/puppetd setup (completely untested, but should be close)?

=====

class cntlm {
    package { "cntlm":
        ...
    }
    file { "/etc/cntlm.conf":
        content => template("puppet://server/path/to/cntlm.conf.erb"),
        ...
    }
}

node jleggett_managed {
    $developer = 'jleggett'
    $ntlmhash  = 'whatever'
    $proxy     = 'somehost' # Could be moved into a higher part of the
                            # manifest or into the cntlm class, too.
}

node jleggett_node inherits jleggett_managed {
    include cntlm
}

- cntlm.conf.erb -

Username <%= developer %>
Domain CORP
PassNTLMv2 <%= ntlmhash %>

Proxy http://<%= proxy %>:8080
Listen 3128
Auth NTLMv2

=====

Another option would be to modify your kickstart configuration with
information about which developer will own this workstation, drop that
into a FACTER_developer environment variable, and continue with your
running puppet interactively.

Jeff Leggett

Jun 12, 2008, 6:41:11 PM6/12/08
to Puppet Users
That's a good solution, Mike! I need to think about how I could
pre-generate the hashes though.