Multiple conflicts with Puppet Enterprise

[gitkodak]

Puppet Enterprise 2016.1 (at least, maybe before) is now resolving the actual resource and not allowing "aliases" to those resources.

This is manifesting itself in several ways. For one, as I reported before, Puppet manages /usr/local/bin, so os_hardening managing /usr/local/bin results in a duplicate resource declaration error.

As well, if you create a system user in a manifest PE will also declare a resource conflict because os_hardening tries to manage those users.

For example, in a manifest I have:

user { 'ocoe':
  ensure => present,
  uid    => 350,
}

You will receive an error message similar to this:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: User[ocoe] is already declared in file /etc/puppetlabs/code/environments/development/modules/classify_oc/manifests/init.pp:109; cannot redeclare at /etc/puppetlabs/code/environments/development/modules/os_hardening/manifests/minimize_access.pp:63 at /etc/puppetlabs/code/environments/development/modules/os_hardening/manifests/minimize_access.pp:63:3 on node cncdxocea1001.xxx.com

I tried to work around this by declaring a custom resource type:

define os_hardening::lockdown_users {
  user { "osh_user_${title}":
    ensure   => present,
    name     => $title,
    shell    => '/usr/sbin/nologin',
    password => '*',
  }
}

And calling that from minimize_access.pp:

os_hardening::lockdown_users { $target_system_users: }

But puppet now 'helpfully' resolves osh_user_${title} to the actual user and slaps you on the wrist:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Resource Statement, Cannot alias User[osh_user_ocoe] to ["ocoe"] at /etc/puppetlabs/code/environments/development/modules/os_hardening/manifests/lockdown_users.pp:3; resource ["User", "ocoe"] already declared at /etc/puppetlabs/code/environments/development/modules/classify_oc/manifests/init.pp:109 at /etc/puppetlabs/code/environments/development/modules/os_hardening/manifests/lockdown_users.pp:3:3 at /etctc/puppetlabs/code/environments/development/modules/os_hardening/manifests/minimize_access.pp:63 on node cncdxocsr1001.xxx.com

I have no suggestions yet on how to handle this. Since the unique resource name 'trick' isn't working anymore, the only thing I can do is lock down the user when I create it and then add it to the ignore users array.

For the folders I think an 'ignore directory' needs to be added, similar to the ignore users.

Additionally, it appears the internal API has changed again, we get this:

ERROR puppetlabs.facter - error while resolving custom facts in /opt/puppetlabs/puppet/cache/lib/facter/retrieve_system_users.rb: uninitialized constant Puppet

Which corresponds to:

Facter.add(:retrieve_system_users) do 
  sys_users = [] 
  Puppet::Type.type('user').instances.find_all do |user|
    user_value = user.retrieve
    sys_users.push(user.name) unless user_value[user.property(:uid)].to_i > su_maxid
  end
  setcode do 
    sys_users.join(',')
  end
end

I suspect that this rabbit hole goes pretty deep.

[mcgege]

@gitkodak Is this problem still present? I'm using PE 2017.2.1 and administrate many users with the user ressource, no such problem here ... and at least the conflict with /usr/local/bin was solved with #83

[artem-sidorenko]

@gitkodak I'm closing this, as it seems to be resolved by @mcgege in #83. Please reopen if you still see this problem

@mcgege thanks for picking this up:)