You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Puppet Enterprise 2016.1 (at least, maybe before) is now resolving the actual resource and not allowing "aliases" to those resources.
This is manifesting itself in several ways. For one, as I reported before, Puppet manages /usr/local/bin, so os_hardening managing /usr/local/bin results in a duplicate resource declaration error.
As well, if you create a system user in a manifest PE will also declare a resource conflict because os_hardening tries to manage those users.
For example, in a manifest I have:
user { 'ocoe':
ensure => present,
uid => 350,
}
You will receive an error message similar to this:
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: User[ocoe] is already declared in file /etc/puppetlabs/code/environments/development/modules/classify_oc/manifests/init.pp:109; cannot redeclare at /etc/puppetlabs/code/environments/development/modules/os_hardening/manifests/minimize_access.pp:63 at /etc/puppetlabs/code/environments/development/modules/os_hardening/manifests/minimize_access.pp:63:3 on node cncdxocea1001.xxx.com
I tried to work around this by declaring a custom resource type:
define os_hardening::lockdown_users {
user { "osh_user_${title}":
ensure => present,
name => $title,
shell => '/usr/sbin/nologin',
password => '*',
}
}
But puppet now 'helpfully' resolves osh_user_${title} to the actual user and slaps you on the wrist:
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Resource Statement, Cannot alias User[osh_user_ocoe] to ["ocoe"] at /etc/puppetlabs/code/environments/development/modules/os_hardening/manifests/lockdown_users.pp:3; resource ["User", "ocoe"] already declared at /etc/puppetlabs/code/environments/development/modules/classify_oc/manifests/init.pp:109 at /etc/puppetlabs/code/environments/development/modules/os_hardening/manifests/lockdown_users.pp:3:3 at /etctc/puppetlabs/code/environments/development/modules/os_hardening/manifests/minimize_access.pp:63 on node cncdxocsr1001.xxx.com
I have no suggestions yet on how to handle this. Since the unique resource name 'trick' isn't working anymore, the only thing I can do is lock down the user when I create it and then add it to the ignore users array.
For the folders I think an 'ignore directory' needs to be added, similar to the ignore users.
Additionally, it appears the internal API has changed again, we get this:
ERROR puppetlabs.facter - error while resolving custom facts in /opt/puppetlabs/puppet/cache/lib/facter/retrieve_system_users.rb: uninitialized constant Puppet
@gitkodak Is this problem still present? I'm using PE 2017.2.1 and administrate many users with the user ressource, no such problem here ... and at least the conflict with /usr/local/bin was solved with #83
Puppet Enterprise 2016.1 (at least, maybe before) is now resolving the actual resource and not allowing "aliases" to those resources.
This is manifesting itself in several ways. For one, as I reported before, Puppet manages
/usr/local/bin
, so os_hardening managing/usr/local/bin
results in a duplicate resource declaration error.As well, if you create a system user in a manifest PE will also declare a resource conflict because os_hardening tries to manage those users.
For example, in a manifest I have:
You will receive an error message similar to this:
I tried to work around this by declaring a custom resource type:
And calling that from minimize_access.pp:
os_hardening::lockdown_users { $target_system_users: }
But puppet now 'helpfully' resolves osh_user_${title} to the actual user and slaps you on the wrist:
I have no suggestions yet on how to handle this. Since the unique resource name 'trick' isn't working anymore, the only thing I can do is lock down the user when I create it and then add it to the ignore users array.
For the folders I think an 'ignore directory' needs to be added, similar to the ignore users.
Additionally, it appears the internal API has changed again, we get this:
ERROR puppetlabs.facter - error while resolving custom facts in /opt/puppetlabs/puppet/cache/lib/facter/retrieve_system_users.rb: uninitialized constant Puppet
Which corresponds to:
I suspect that this rabbit hole goes pretty deep.
The text was updated successfully, but these errors were encountered: