0

Windows Server environment. We have servers with a Puppet role that installs a specific Choco package. It was decided that the package should not be installed on new servers. The simplest way would be just removing the package statement from the manifest. The problem is, the package creates a local user during installation, and that user should be additionally granted rights in the local OS via Puppet.

If the package was never installed, that user doesn't exists in the OS and the statement assigning rights for it fails. However, if we remove that right assignment from the role, it'd be also removed on all servers with that package already installed, and the application will fails.

Is there a way to check in the manifest if that package is currently installed? Something like "if PACKAGE is_present {do something}". Or check for existence of that user? "if USER exists {do something}" I know that it can be resolved by a custom fact but it's a complex application with multiple common components with other applications. I can't identify neither typical files nor a typical service for it, and the price of a mistake is very high (200 servers, mission critical, several thousand users...). The only things known for sure are the Choco package name and the user name.

Evgeny
  • 43
  • 1
  • 8

1 Answers1

0

Found a solution.

In fact, this is a special user "NT Authority\BrokerService". Such users always correspond to a service in the OS. So we can check not the presence of the user but the presence of the service. We already use a custom fact that builds a list of all services on the server, so actually it's easy:

if 'BrokerAgent' in $::sr_services {
    user_right_assignment { 'sesystemtimeprivilege for BrokerAgent':
        right => 'sesystemtimeprivilege',
        sid   => ['NT SERVICE\BrokerAgent'],
    }
}

Of course, it can be further parametrized with variables.

The question about detecting the presence of the Choco package still remains open, though.

Evgeny
  • 43
  • 1
  • 8