onlyif return code
1,087 views
Skip to first unread message
Björn
Oct 2, 2013, 7:15:53 AM10/2/13
to puppet...@googlegroups.com
Hello,
I try to ensure our password policies using /etc/login.defs and PAM cracklib.
class pci_policy::password(
$cracklib = $pci_policy::params::cracklib,
$pam_password = $pci_policy::params::pam_password,
) inherits pci_policy::params {
package{$cracklib:
ensure => installed,
}
file{'/etc/login.defs':
ensure => present,
owner => root,
group => root,
mode => 0644,
source => "puppet:///modules/pci_policy/login.defs.$::operatingsystem",
require => Package[$cracklib],
}
exec{'ensure password policy for pci':
cwd => '/bin/',
command => "/bin/sed -i 's/^password.*cracklib.so.*/password requisite pam_cracklib.so retry=3 minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1/g' $pam_password",
path => "/usr/bin:/usr/sbin:/bin",
onlyif => "grep '^password.*cracklib.so.*' $pam_password",
require => Package[$cracklib],
}
exec{'ensure password policy for pci when nothing is present':
cwd => '/bin/',
command => "echo 'password requisite pam_cracklib.so retry=3 minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1' >> $pam_password",
path => "/usr/bin:/usr/sbin:/bin",
onlyif => "grep -vq '^password.*cracklib.so.*' $pam_password",
require => Package[$cracklib],
}
}
My problem are the exec commands.
With the first exec I try to change an existing line with sed.
With the second exec I try to add the rule if no line with "password.*cracklib" is existing.
Unfortunately, this exec run when the return code of onlyif is 0. I don't know a command which return 0 when the line isn't available and return 1 when the line is available.
May be I'm thinking to complicated? Do you have another solution?
Thanks a lot!
Björn
I try to ensure our password policies using /etc/login.defs and PAM cracklib.
class pci_policy::password(
$cracklib = $pci_policy::params::cracklib,
$pam_password = $pci_policy::params::pam_password,
) inherits pci_policy::params {
package{$cracklib:
ensure => installed,
}
file{'/etc/login.defs':
ensure => present,
owner => root,
group => root,
mode => 0644,
source => "puppet:///modules/pci_policy/login.defs.$::operatingsystem",
require => Package[$cracklib],
}
exec{'ensure password policy for pci':
cwd => '/bin/',
command => "/bin/sed -i 's/^password.*cracklib.so.*/password requisite pam_cracklib.so retry=3 minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1/g' $pam_password",
path => "/usr/bin:/usr/sbin:/bin",
onlyif => "grep '^password.*cracklib.so.*' $pam_password",
require => Package[$cracklib],
}
exec{'ensure password policy for pci when nothing is present':
cwd => '/bin/',
command => "echo 'password requisite pam_cracklib.so retry=3 minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1' >> $pam_password",
path => "/usr/bin:/usr/sbin:/bin",
onlyif => "grep -vq '^password.*cracklib.so.*' $pam_password",
require => Package[$cracklib],
}
}
My problem are the exec commands.
With the first exec I try to change an existing line with sed.
With the second exec I try to add the rule if no line with "password.*cracklib" is existing.
Unfortunately, this exec run when the return code of onlyif is 0. I don't know a command which return 0 when the line isn't available and return 1 when the line is available.
May be I'm thinking to complicated? Do you have another solution?
Thanks a lot!
Björn
Mike Delaney
Oct 2, 2013, 8:35:46 PM10/2/13
to puppet...@googlegroups.com
On Wed, Oct 2, 2013 at 4:15 AM, Björn <bbecke...@googlemail.com> wrote:
exec{'ensure password policy for pci':
cwd => '/bin/',
command => "/bin/sed -i 's/^password.*cracklib.so.*/password requisite pam_cracklib.so retry=3 minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1/g' $pam_password",
path => "/usr/bin:/usr/sbin:/bin",
onlyif => "grep '^password.*cracklib.so.*' $pam_password",
require => Package[$cracklib],
}
exec{'ensure password policy for pci when nothing is present':
cwd => '/bin/',
command => "echo 'password requisite pam_cracklib.so retry=3 minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1' >> $pam_password",
path => "/usr/bin:/usr/sbin:/bin",
onlyif => "grep -vq '^password.*cracklib.so.*' $pam_password",
require => Package[$cracklib],
}
}
My problem are the exec commands.
With the first exec I try to change an existing line with sed.
With the second exec I try to add the rule if no line with "password.*cracklib" is existing.
Unfortunately, this exec run when the return code of onlyif is 0. I don't know a command which return 0 when the line isn't available and return 1 when the line is available.
May be I'm thinking to complicated? Do you have another solution?
Off the top of my head, I can't think of a way to invert grep's exit status like you want (at least not a way
that will work in an onlyif), however the use of two execs to modify a file is probably not the ideal solution.
Indeed, once the cracklib entry is present in the file, that first exec will fire every time puppet runs, which
is probably not what you want either.
that will work in an onlyif), however the use of two execs to modify a file is probably not the ideal solution.
Indeed, once the cracklib entry is present in the file, that first exec will fire every time puppet runs, which
is probably not what you want either.
If you don't want to manage the entire file, you could use either the native augeas type or the file_line
type from the stdlib module to accomplish what you want (file_line is probably easier):
type from the stdlib module to accomplish what you want (file_line is probably easier):
file_line { 'ensure password policy for pci':
path => $pam_password,
match => '^password.*cracklib\.so',
line => 'password requisite
pam_cracklib.so retry=3 minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1'
}
-Mike
james.e...@fasthosts.com
Oct 3, 2013, 4:44:52 AM10/3/13
to puppet...@googlegroups.com
The exec resource has an unless parameter too which I think is what you need.
From: http://docs.puppetlabs.com/references/latest/type.html#exec
From: http://docs.puppetlabs.com/references/latest/type.html#exec
onlyif
If this parameter is set, then thisexec will only run if
the command returns 0unless
If this parameter is set, then thisexec will run unless
the command returns 0Björn
Oct 4, 2013, 9:04:26 AM10/4/13
to puppet...@googlegroups.com, mde...@computer.org
Hello Mike,
thanks a lot, file_line works great! I not remember why I don't use file_line for such things.
Björn
thanks a lot, file_line works great! I not remember why I don't use file_line for such things.
Björn
Björn
Oct 4, 2013, 9:05:32 AM10/4/13
to puppet...@googlegroups.com
Unless was also a good hint! But my sed solution was running every time puppet agent run. So I use file_line now.
Thanks!
Thanks!
Reply all
Reply to author
Forward
0 new messages