[ale] Working with Puppet (Was: Re: checking for interest for a free intro class "Introduction to Automating Linux System Administration using CFEngine 3")

George Allen glallen01 at gmail.com
Thu Feb 16 14:17:23 EST 2012


There is a project on Forge.mil to build configs for Puppet to apply
the DISA STIGs and NSA Guides. So far they're only set up to apply to a
RHEL 5.x box from what I understand, and I haven't played with them
yet... but I would definitely like to start learning puppet as soon as
I get some time.

On Tue, Feb 14, 2012 at 1:38 PM, mike at trausch.us <mike at trausch.us> wrote:
> On 02/14/2012 09:56 AM, mike at trausch.us wrote:
>> I am finding myself somewhat happy with it.  I'm still allergic to
>> things written in Ruby, of course.  If there were a drop-in Puppet clone
>> in Python, I'd be all over that like white on rice, and I may not stay
>> with puppet forever, but for the time being, I am rather liking it.  I
>> have a master on Linode, a server here at the house, and a VM on my
>> desktop that I am using to play with it for the time being.
>
> At this point, I have a working setup that manages SSH and NTP
> configuration (yeah, I know, stupid easy for those who do Puppet in
> their sleep) for both Gentoo and Debian systems, including handling some
> interesting differences between the two distributions.
>
> One thing that I am finding that is annoying is that it seems that you
> can say things like "debian" in selectors, but if you use a regex it
> refuses to allow it (because it won't match "Debian").  There is a bug
> in Puppet's Redmine instance (#3229), but it seems to have been
> summarily closed without action.
>
> It seems that the "case" command matches case-insensitive whereas
> selectors using regular expressions do not.  Of course a character class
> can be used to work around that, but I don't see a way to tell Puppet's
> regular expression system to simply match case-insensitive.
>
> I think that it may be possible for me to Puppet-ize my production
> domain within the next day or two.  That in itself is fascinating to me.
>
> One thing I would like to do, though I haven't quite figured out how it
> would fit into Puppet's framework, would be to enforce certain types of
> policy, like "ensure that all systems have run their updates once per
> week".  There are other ways of doing that, of course, but I think it'd
> be nice to have _all_ my configuration in a single system, and not just
> most of it.
>
> Another thing I would like to be able to do is somehow give Puppet a
> whitelist of packages that are allowed to be on various systems, such
> that any package that (a) isn't in the whitelist and (b) isn't a
> dependency of something in the whitelist will be removed by Puppet
> automagically.
>
> Both of the last two things, though, seem to be outside of the scope of
> Puppet's capabilities.
>
>        --- Mike
>
> --
> A man who reasons deliberately, manages it better after studying Logic
> than he could before, if he is sincere about it and has common sense.
>                                   --- Carveth Read, “Logic”
>
>
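
The package whitelist policy described in the quoted message, removing anything that (a) isn't in the whitelist and (b) isn't a dependency of something in the whitelist, amounts to a reachability computation over the dependency graph. The Python below is an added example, not code from either poster or from Puppet; the package names, the dependency map and the function names are constructed for illustration, and it assumes the dependency map has already been exported from the system's package manager.

```python
from collections import deque

def allowed_closure(allowlist, depends):
    """Return the allowlist plus everything it transitively depends on."""
    keep = set()
    queue = deque(allowlist)
    while queue:
        pkg = queue.popleft()
        if pkg in keep:
            continue  # already visited; also terminates dependency cycles
        keep.add(pkg)
        queue.extend(depends.get(pkg, ()))
    return keep

def packages_to_remove(installed, allowlist, depends):
    """Installed packages that are neither allowlisted nor needed by one that is."""
    return sorted(set(installed) - allowed_closure(allowlist, depends))

def missing_from_system(installed, allowlist):
    """Allowlisted packages that are not installed (policy drift the other way)."""
    return sorted(set(allowlist) - set(installed))

# Constructed sample data: package -> direct dependencies.
# libc <-> libgcc is a deliberate cycle; telnetd/inetd are not allowlisted.
DEPENDS = {
    "openssh-server": ["openssh-client", "libssl", "libc"],
    "openssh-client": ["libssl", "libc"],
    "ntp": ["libc", "libcap"],
    "libssl": ["libc"],
    "libcap": ["libc"],
    "libc": ["libgcc"],
    "libgcc": ["libc"],
    "telnetd": ["inetd", "libc"],
    "inetd": ["libc"],
}
INSTALLED = ["openssh-server", "openssh-client", "libssl", "libcap",
             "libc", "libgcc", "telnetd", "inetd"]
ALLOWLIST = ["openssh-server", "ntp"]

if __name__ == "__main__":
    print("remove:", packages_to_remove(INSTALLED, ALLOWLIST, DEPENDS))
    print("missing:", missing_from_system(INSTALLED, ALLOWLIST))
```

Shared libraries such as libc stay because an allowlisted package reaches them, while inetd goes because only the non-allowlisted telnetd needs it.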
