Pulling Strings With Puppet - James Turnbull [36]
Virtual resources are useful for users and groups. This is because a resource can only be managed once in Puppet. Hence we could not configure a user called sysadmin in both the debian and fedora classes. With virtual resources, we can create the sysadmin user as a virtual resource. We then realize the resource in both classes. We can do the same thing with groups.
Caution - Puppet is probably not ideal to populate large numbers of users and groups to provide user access for nodes and applications. Puppet is best used to populate nodes with users for running applications and services, systems administration, and management.
We're going to define two types of users. The first are users associated with functions, such as our sysadmin user, or users belonging to employees and administrators. These users will be grouped into a single class called virt_users and contained in a file called virt_users.pp. The second are those used by appliances, services, and daemons. Each of these users will be specified in their own classes, and each class will be prefixed with user_ and the name of the user being created, for example, user_apache. Each user class will be specified in its own file.
We'll divide groups into the same types and use the same model to manage them. All groups associated with people will be contained in a class called virt_groups and in a file called virt_groups.pp. Groups for applications, services, and daemons will be contained in individual classes and prefixed with group_ and the name of the group being created, for example, group_apache. Each group will be specified in its own file.
Then we need to import both the users and groups directories into our site.pp file to ensure all our users and groups are loaded.
Managing Users
In Listing 4-8, you can see part of our virt_users class, showing two of our users.
Note - When creating users, any group or groups you specify must exist, or the user creation will fail. Here we have used the group administration. This group must already exist on our target node, or a Puppet resource must exist that will create this group on the node.
With groups, we follow the same model. In Listing 4-9, you can see a selection from our virt_groups class that contains employee groups.
So how do we realize these users and groups? Well, first we're going to realize the users and one of our groups in a class called staff, which we'll store in our classes directory with the file name staff.pp. We've also included the contents of our virt_users and virt_groups classes to ensure Puppet knows where to find our users and groups.
We can then include this class in our basenode template to ensure this group and its users are created on all nodes that inherit this template node.
But we also want our administration group to be included on all nodes. So in Listing 4-10, we're going to create a class called administrators to realize the administration group and add one of our users to that group. We'll store our class in a file called administrators.pp in our classes directory. We'll then include that class in our basenode node in the nodes.pp file.
You can see in Listing 4-10 that we've used an override to add the administration group to the jsmith user. To achieve the override, the administrators class inherits the virt_users class. Now, the administration group will be created on all templates and nodes that inherit the basenode node template and the jsmith user added as a member of this group.
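The pattern described above (virtual users and groups, realized in one class and overridden in an inheriting class), as an added illustration that is not one of the book's listings. The uid and gid numbers, the staff group, and the home and shell values are constructed assumptions.

```puppet
# Added illustration, not a listing from the book. Numeric ids, the
# 'staff' group, and home/shell values are constructed assumptions.
class virt_groups {
  @group { 'staff':
    ensure => present,
    gid    => 5000,
  }
  @group { 'administration':
    ensure => present,
    gid    => 5001,
  }
}

class virt_users {
  # Declared once as virtual; nothing is created until realized.
  @user { 'jsmith':
    ensure => present,
    uid    => 5101,
    gid    => 'staff',
    home   => '/home/jsmith',
    shell  => '/bin/bash',
  }
  @user { 'mjones':
    ensure => present,
    uid    => 5102,
    gid    => 'staff',
    home   => '/home/mjones',
    shell  => '/bin/bash',
  }
}

class staff {
  include virt_users
  include virt_groups
  # The user type autorequires Group['staff'], so the group is created first.
  realize(Group['staff'], User['jsmith'], User['mjones'])
}

class administrators inherits virt_users {
  include virt_groups
  realize(Group['administration'])
  # Override in the inheriting class: only jsmith gains this group.
  User['jsmith'] { groups => ['administration'] }
}
```

Because the override grants administration membership on every node that includes the administrators class, review such overrides as privilege changes. The user type's membership attribute defaults to minimum, so Puppet adds the listed groups without removing memberships granted outside the manifest.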
We could also realize these users in other classes; for example, if mjones was a mail administrator, we could create a class for mail administrators, stored in classes/mail_team.pp, and include it in our mailserver template node like so:
Here the mail_team group would be realized and included in the mailserver node template. We've again used an override to add the mjones user to the mail_team group. Now every node that uses this node template, in our case the