1

I am trying to figure out how to run a Puppet configuration on a newly bootstrapped node, and then, from then onwards, only run as noop in order to collect reports on infrastructure changes / drifts.

So... let's say I have this simple manifest:

```puppet
node puppeta1, puppeta2 {
  file { "/var/tmp/testfile2":
    noop    => true,
    ensure  => "present",
    owner   => "root",
    group   => "root",
    mode    => "664",
    content => "This is a test file created using puppet.
                Puppet is really cool",
  }
```

..

In this case, I only want to have the /var/tmp/testfile2 file created the first time when the puppeta1 and puppeta2 nodes are created. From then onwards, I just want to run it in noop mode to detect whether the file was modified.

James

2 Answers

1

With the file resource type, would adding `replace => false` achieve what you need? Then Puppet will create the file if it's missing, but won't overwrite any possible changes made to that file if the file contents have been changed afterwards.

Janne Pikkarainen
  • This works for new files, but what about more critical configuration files such as `/etc/hosts` and similar files that already exist in the system? – James Jan 18 '19 at 12:14
  • @JamesJ. Puppet won't log changes, even in noop, for files it does not manage. Are you sure you don't want to use [something like AIDE](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-using-aide)? That's fine if you also have file resources for `/etc/hosts`, etc. But your comment reads like maybe not. – Aaron Copley Jan 18 '19 at 20:51
1

I would personally keep your resource declarations as they are without noop, and run Puppet out-of-band using `puppet apply` or `puppet agent` on-boot, then configure the Puppet system service to use `--noop` by editing `/etc/puppetlabs/puppet/puppet.conf`:

```ini
[agent]
noop = true
```

Or, disable the system service entirely, and add `--noop` to your cron entry.

Reference: https://puppet.com/docs/puppet/5.4/configuration.html#noop

Craig Watson
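
The sequence described in the answer above (one enforcing run at bootstrap, then the agent pinned to noop so later runs only report drift), as an added example that is not part of the original answer. The `MARKER` path, the `PUPPET` override and the function names are hypothetical, and it assumes the manifests carry no resource-level `noop => true`.

```shell
#!/bin/sh
# Added example: enforce once, then switch the agent to noop for drift reporting.
# PUPPET, MARKER and the function names below are hypothetical; adjust per site.
PUPPET="${PUPPET:-puppet}"                          # puppet binary to call
MARKER="${MARKER:-/var/lib/puppet-bootstrap.done}"  # "already enforced" flag file

# puppet agent --test implies --detailed-exitcodes:
# 0 = nothing to change, 2 = changes applied cleanly,
# 1, 4 and 6 all mean the run (or some resources) failed.
enforce_succeeded() {
    case "$1" in
        0|2) return 0 ;;
        *)   return 1 ;;
    esac
}

bootstrap_then_noop() {
    if [ -e "$MARKER" ]; then
        echo "already bootstrapped; agent stays in noop" >&2
        return 0
    fi
    # Single enforcing run; --no-noop overrides a noop = true already in puppet.conf.
    rc=0
    "$PUPPET" agent --test --no-noop || rc=$?
    if ! enforce_succeeded "$rc"; then
        echo "enforcing run failed (exit $rc); agent config left untouched" >&2
        return 1
    fi
    # Pin later service or cron runs to noop: writes noop = true under [agent].
    "$PUPPET" config set noop true --section agent || return 1
    # Record success so a reboot or re-run never enforces again.
    : > "$MARKER"
}

# Only act when invoked as: <script> run
if [ "${1:-}" = "run" ]; then
    bootstrap_then_noop
fi
```

A failed enforcing run leaves both the marker and `puppet.conf` alone, so the node is not silently moved to noop in a half-configured state.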