[ale] Working with Puppet (Was: Re: checking for interest for a free intro class "Introduction to Automating Linux System Administration using CFEngine 3")

Jim Kinney jim.kinney at gmail.com
Thu Feb 16 14:40:24 EST 2012


Cool!

I used a series of postinstall kickstart scripts that accomplished the
security lockdown when I was at GTRI. I did not write them but was happy to
see the powers that be that performed security analysis were very happy
with their output. That entire process should be fairly easy to dump into
Puppet for change control.

When I left, RHEL6 was under development for similar treatment.

On Thu, Feb 16, 2012 at 2:17 PM, George Allen <glallen01 at gmail.com> wrote:

> There is a project on Forge.mil to build configs for Puppet to apply
> the DISA STIGs and NSA Guides. So far they're only set up to apply to a
> RHEL 5.x box from what I understand, and I haven't played with them
> yet... but I would definitely like to start learning Puppet as soon as
> I get some time.
>
> On Tue, Feb 14, 2012 at 1:38 PM, mike at trausch.us <mike at trausch.us> wrote:
> > On 02/14/2012 09:56 AM, mike at trausch.us wrote:
> >> I am finding myself somewhat happy with it.  I'm still allergic to
> >> things written in Ruby, of course.  If there were a drop-in Puppet clone
> >> in Python, I'd be all over that like white on rice, and I may not stay
> >> with puppet forever, but for the time being, I am rather liking it.  I
> >> have a master on Linode, a server here at the house, and a VM on my
> >> desktop that I am using to play with it for the time being.
> >
> > At this point, I have a working setup that manages SSH and NTP
> > configuration (yeah, I know, stupid easy for those who do Puppet in
> > their sleep) for both Gentoo and Debian systems, including handling some
> > interesting differences between the two distributions.
> >
> > One thing that I am finding that is annoying is that it seems that you
> > can say things like "debian" in selectors, but if you use a regex it
> > refuses to allow it (because it won't match "Debian").  There is a bug
> > in Puppet's Redmine instance (#3229), but it seems to have been
> > summarily closed without action.
> >
> > It seems that the "case" command matches case-insensitively whereas
> > selectors using regular expressions do not.  Of course a character class
> > can be used to work around that, but I don't see a way to tell Puppet's
> > regular expression system to simply match case-insensitively.
> >
> > I think that it may be possible for me to Puppet-ize my production
> > domain within the next day or two.  That in itself is fascinating to me.
> >
> > One thing I would like to do, though I haven't quite figured out how it
> > would fit into Puppet's framework, would be to enforce certain types of
> > policy, like "ensure that all systems have run their updates once per
> > week".  There are other ways of doing that, of course, but I think it'd
> > be nice to have _all_ my configuration in a single system, and not just
> > most of it.
> >
> > Another thing I would like to be able to do is somehow give Puppet a
> > whitelist of packages that are allowed to be on various systems, such
> > that any package that (a) isn't in the whitelist and (b) isn't a
> > dependency of something in the whitelist will be removed by Puppet
> > automagically.
> >
> > Both of the last two things, though, seem to be outside of the scope of
> > Puppet's capabilities.
> >
> >        --- Mike
> >
> > --
> > A man who reasons deliberately, manages it better after studying Logic
> > than he could before, if he is sincere about it and has common sense.
> >                                   --- Carveth Read, “Logic”
> >
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
> >
>



-- 
James P. Kinney III

As long as the general population is passive, apathetic, diverted to
consumerism or hatred of the vulnerable, then the powerful can do as they
please, and those who survive will be left to contemplate the outcome.
- 2011 Noam Chomsky

http://heretothereideas.blogspot.com/
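
The package whitelist Mike describes in the quoted message (remove anything that is neither whitelisted nor a dependency of something whitelisted) is a transitive-closure computation over the dependency graph. The sketch below is an added example, not code from the thread or from Puppet; the package names, the dependency map and the function names are constructed for illustration, and on a real system the map would come from the package manager.

```python
from collections import deque

# Constructed sample: installed package -> its direct dependencies.
INSTALLED = {
    "openssh-server": ["libssl", "libc"],
    "ntp": ["libc", "libcap"],
    "libssl": ["libc"],
    "libcap": ["libc"],
    "libc": [],
    "telnetd": ["libc", "inetd"],
    "inetd": ["libc"],
    "nmap": ["libpcap", "libc"],
    "libpcap": ["libc"],
}
# Constructed whitelist; rsync is permitted but not installed.
WHITELIST = {"openssh-server", "ntp", "rsync"}


def allowed_closure(whitelist, deps):
    """Whitelisted installed packages plus everything they need, transitively."""
    keep = set()
    queue = deque(p for p in whitelist if p in deps)
    while queue:
        pkg = queue.popleft()
        if pkg in keep:
            continue
        keep.add(pkg)
        # Follow dependency edges only from packages that are being kept.
        queue.extend(d for d in deps.get(pkg, []) if d not in keep)
    return keep


def removal_candidates(whitelist, deps):
    """Installed packages failing both tests: (a) not whitelisted and
    (b) not a dependency of anything whitelisted."""
    return sorted(set(deps) - allowed_closure(whitelist, deps))


if __name__ == "__main__":
    print("keep:  ", sorted(allowed_closure(WHITELIST, INSTALLED)))
    print("remove:", removal_candidates(WHITELIST, INSTALLED))
```

Note that `inetd` is flagged even though something depends on it, because its only dependent (`telnetd`) is itself outside the whitelist.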