In this blog post, I will show you how to edit the sshd_config file and restart sshd if necessary. For the sake of completeness, and since this blog post is part of the comparison series “Cfengine 3 vs. Puppet”, I want to point you to the Cfengine 3 code snippet which does exactly the same.

Writing the Puppet manifest for configuring sshd

package	{ "openssh-server":	ensure => "installed" }

service	{ "ssh":		ensure => "running",
				enable => "true",
				require => Package["openssh-server"]
}

augeas { "configure_sshd":
	context	=> "/files/etc/ssh/sshd_config",
	changes	=>	[ 	"set PasswordAuthentication yes",
				"set UsePam yes"
			],
	require	=> Package["openssh-server"],
	notify	=> Service["ssh"]
}

Save the code snippet above as /etc/puppet/manifests/xenuser_org-007-configuring_ssh_or_any_other_service.pp and apply it:

cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.BAK

puppet apply xenuser_org-007-configuring_ssh_or_any_other_service.pp
Warning: Could not retrieve fact fqdn
Notice: /Stage[main]//Augeas[configure_sshd]/returns: executed successfully
Notice: /Stage[main]//Service[ssh]: Triggered 'refresh' from 1 events
Notice: Finished catalog run in 1.19 seconds

diff /etc/ssh/sshd_config.BAK /etc/ssh/sshd_config
51c51
< PasswordAuthentication no
---
> PasswordAuthentication yes
87c87
< UsePam no
---
> UsePam yes

As you can see, Puppet changed only the two config values in sshd_config and then triggered a refresh of the ssh service (/etc/init.d/ssh).

Analyzing the Puppet manifest
First, we declare a package which should be installed. “openssh-server” will be used later as a dependency for editing sshd_config:

package	{ "openssh-server":	ensure => "installed" }

Afterwards, we define that the ssh service should always be running. Please note that we use “ssh” and not “sshd” so Puppet is able to find the init.d script:

service	{ "ssh":		ensure => "running",
				enable => "true",
				require => Package["openssh-server"]
}

Now here comes the most interesting part. We use augeas, a tool which was added after Puppet was already used for a couple of years, for editing the sshd_config file. Please note that we use the “set” command in the “changes” attribute. Last but not least, we define a dependency (package “openssh-server”) and let the augeas resource notify the ssh service, so that sshd is restarted only if changes were applied to the config file:

augeas { "configure_sshd":
	context	=> "/files/etc/ssh/sshd_config",
	changes	=>	[ 	"set PasswordAuthentication yes",
				"set UsePam yes"
			],
	require	=> Package["openssh-server"],
	notify	=> Service["ssh"]
}
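
The notify chain above restarts sshd with whatever ends up in the file. The following variant is an added example, not the author's code: it puts a syntax check between the edit and the restart, so that a broken sshd_config does not take down the running daemon. The resource name validate_sshd_config and the path /usr/sbin/sshd are assumptions; the settings are the ones from the page.

```puppet
# Added example: standalone variant of the manifest above, not the author's code.
package { 'openssh-server':
  ensure => 'installed',
}

service { 'ssh':
  ensure  => 'running',
  enable  => true,
  require => Package['openssh-server'],
}

# Same two settings as on the page. incl/lens restrict Augeas to this one
# file and the stock Sshd lens instead of loading every lens it knows.
augeas { 'configure_sshd':
  incl    => '/etc/ssh/sshd_config',
  lens    => 'Sshd.lns',
  context => '/files/etc/ssh/sshd_config',
  changes => [
    'set PasswordAuthentication yes',
    'set UsePam yes',
  ],
  require => Package['openssh-server'],
  notify  => Exec['validate_sshd_config'],
}

# Runs only when the augeas resource changed the file. "sshd -t" parses the
# configuration and exits non-zero on errors; a failed exec makes Puppet skip
# Service['ssh'], so the running daemon keeps its last good configuration.
# Assumption: sshd lives at /usr/sbin/sshd (Debian/Ubuntu layout).
exec { 'validate_sshd_config':
  command     => '/usr/sbin/sshd -t -f /etc/ssh/sshd_config',
  refreshonly => true,
  notify      => Service['ssh'],
}
```

If the check fails, the invalid file is still on disk, so it has to be corrected before the next restart or reboot of the host.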

Summary
When I compare the Cfengine 3 and the Puppet snippets with each other, I find the Puppet manifest to be shorter, more readable and somehow more accurate. Everything is linked in the manifest, while in Cfengine 3 we simply defined a couple of promises which were processed line by line.

A disadvantage of Puppet (at least in my eyes) is that there is no direct ability to edit files; in Cfengine 3, you simply do it and do not have to use another tool like augeas here.

However, both code snippets do the job. As usual, you can download today’s Puppet manifest here.
