Fix self.instances

[raphink]

No description provided.

[ndelic0]

While trying to query pam/su module keep getting absent status. It is the same for all pam resources.

# puppet resource pam 'Pam su/auth'
pam { 'Pam su/auth':
  ensure => 'absent',
}

cat /etc/pam.d/su
#%PAM-1.0
auth    sufficient      pam_rootok.so
auth    sufficient      pam_wheel.so
auth    required        pam_deny.so
account sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account include         system-auth
password include       system-auth
session include         system-auth
session optional        pam_xauth.so

[crayfishx]

@raphink Any update to this one? This would be a really useful feature as it would allow the possibility of adding some purging capabilities but first the instances needs to return something sensible. Currently the exists? method on the instances returns false, I've been attempting to fix this today but ended up in a world of pain tracing this through all the augeas specific stuff - ping me privately if I can help with this.

[trevor-vaughan]

@crayfishx Honestly, I would deliberately cripple purging from PAM unless you set a parameter. That's about the scariest thing I can think of.

[trevor-vaughan]

Do you want to deconflict between symlinks here or just list everything?

[crayfishx]

@trevor-vaughan I wasn't meaning native purging using the resources type, that would be scary, but once instances works then there is scope for writing a pam_service type that is able to purge non managed entries within the scope of that service only by comparing the properties of the existing entries to whats in the catalog. (this is a similar approach to the purge_rich_rules attribute of the firewalld_zone type in https://github.com/crayfishx/puppet-firewalld#firewalld-zones)

I could of course write this separately but it would make more sense to use the instances method of the pam provider.

The use case we have for this is an installer that places pam.d/ entries in a service, but we want those to be different. At the moment both the Puppet added rules and installer added rules all go into the mix, I want a way to purge a specific pam service of unmanaged entries.

[trevor-vaughan]

@crayfishx So, is purging guaranteed to happen last? The problem that I always had with puppetlabs-firewall is that a failure somewhere in the catalog could leave your system inaccessible. It's one of the reasons that I keep using the simp-iptables module. There are some things that just need to be atomic.

[crayfishx]

@trevor-vaughan probably getting a bit off topic for this ticket :-) but this isn't a case that's been reported yet though it's worth looking into. If you can simulate a scenario feel free to raise a ticket over there -->

[trevor-vaughan]

@crayfishx Fair enough. I did about 2 years ago. Sorry for the noise everyone!

[raphink]

Better late than never, let's finish this…

[coveralls]

Coverage increased (+0.5%) to 87.919% when pulling 759db0b on raphink:instances into ed1e6ff on hercules-team:master.

[raphink]

@crayfishx is that good for you?