ReleaseEngineering/PuppetAgain/Modules/users: Difference between revisions
Revision as of 15:27, 31 July 2012
This module handles login accounts on the system. It has two classes that can be included. These are generally included high in the toplevel hierarchy.
Classes
users::global
This sets up some global (/etc) defaults for user configuration, e.g. PATH.
users::root
This sets up the root user (or, on Windows, Administrator). This provides the following easy-to-use variables, per bug 776641:
- $users::root::username
- $users::root::group
- $users::root::home
users::builder
Installs the builder user (cltbld for releng, although this can be adjusted in manifests/settings.pp). This provides the following easy-to-use variables, per bug 776641:
- $users::root::username
- $users::root::group
- $users::root::home
This class also sets up the builder user's dotfiles appropriately, including SSH configuration, and performs some basic cleanup.
users::builder::autologin
If included, this class will arrange for the builder user to automatically log in to a GUI session at boot.
Implementation
Linux
Puppet supports user management on Linux with no difficulty, via the user provider.
Automatic login is not currently supported on Linux.
Darwin
On Mac OS X, user management is much more complex, and works differently on different versions.
10.8 (Mountain Lion)
- NOTE: no released version of Puppet currently supports setting passwords on Mountain Lion. PuppetAgain includes a darwinuser type and a CustomDirectoryService provider for that type, both based on the work of Gary Larizza in #12833. What is eventually available in Puppet proper should closely resemble this implementation.
Authentication on Mountain Lion takes place based on three pieces of information: iterations, salt, and password (called 'entropy' by OS X). You can get this information for an existing user with setup/mtnlion-user-info.rb:
ruby mtnlion-user-info.rb cltbld
and then add it to the secrets.csv for your installation.
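How the three values relate, as an added Ruby example that is not part of PuppetAgain or of mtnlion-user-info.rb. It assumes the 10.8 scheme is PBKDF2-HMAC-SHA512 with a 32-byte salt and 128-byte entropy, and the hex encoding and every function name are choices made for this sketch.

```ruby
require 'openssl'
require 'securerandom'

# Assumed record layout (not stated on this page): 32-byte salt, 128-byte entropy.
SALT_BYTES    = 32
ENTROPY_BYTES = 128

# Derive the stored "entropy" from a password, raw salt and iteration count.
def derive_entropy(password, salt, iterations, length = ENTROPY_BYTES)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, length,
                             OpenSSL::Digest.new('SHA512'))
end

# Build a fresh triple; hex encoding of salt and entropy is a choice made here.
def new_triple(password, iterations)
  salt = SecureRandom.random_bytes(SALT_BYTES)
  { iterations: iterations,
    salt:       salt.unpack1('H*'),
    entropy:    derive_entropy(password, salt, iterations).unpack1('H*') }
end

# Compare without returning early on the first differing byte.
def same_bytes?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True when the candidate password reproduces the stored entropy.
def password_matches?(candidate, triple)
  salt     = [triple[:salt]].pack('H*')
  expected = [triple[:entropy]].pack('H*')
  actual   = derive_entropy(candidate, salt, triple[:iterations], expected.bytesize)
  same_bytes?(actual, expected)
end

if __FILE__ == $PROGRAM_NAME
  triple = new_triple('constructed-example-password', 25_000) # constructed input
  puts "iterations=#{triple[:iterations]}"
  puts "salt=#{triple[:salt]}"
  puts "entropy=#{triple[:entropy][0, 32]}... (#{triple[:entropy].length / 2} bytes)"
  puts "match=#{password_matches?('constructed-example-password', triple)}"
end
```

Anyone holding the triple can test password guesses offline at the cost of the iteration count, so the secrets.csv row deserves the same protection as a password hash database.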
Automatic Login
Automatic login on OS X is controlled in two places:
- /Library/Preferences/com.apple.loginwindow key autoLoginUser sets the username to be used to log in
- /etc/kcpassword contains a lightly obfuscated cleartext password for that user.
There's a handy implementation of the obfuscation algorithm at http://www.brock-family.org/gavin/perl/kcpassword.html, but the easier solution is just to set up automatic login through the GUI, and then copy the file.
Note that kcpassword is binary data. It is given in binhex in secrets.csv. The easiest way to get its contents is:
talos-mtnlion-r5-082:~ root# base64 < /etc/kcpassword
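Why /etc/kcpassword counts as a cleartext password, shown as an added Ruby example that is not code from PuppetAgain or from the linked Perl page. The 11-byte repeating XOR key and the NUL padding to a multiple of 12 bytes are assumptions taken from publicly documented kcpassword implementations; the function names and the sample password are constructed.

```ruby
require 'base64'

# Assumption: fixed repeating XOR key reported by public kcpassword implementations.
KC_KEY   = [0x7D, 0x89, 0x52, 0x23, 0xD2, 0xBC, 0xDD, 0xEA, 0xA3, 0xB9, 0x1F].freeze
# Assumption: the file is NUL-padded to a multiple of 12 bytes.
KC_BLOCK = 12

# XOR every byte with the repeating key; applying it twice restores the input.
def kc_xor(bytes)
  bytes.each_with_index.map { |b, i| b ^ KC_KEY[i % KC_KEY.length] }
end

# Password -> binary kcpassword contents.
def kcpassword_encode(password)
  bytes = password.bytes + [0]                  # NUL terminator
  bytes += [0] * ((-bytes.length) % KC_BLOCK)   # pad to the block size
  kc_xor(bytes).pack('C*')
end

# Binary kcpassword contents -> password. No secret is needed, only the file.
def kcpassword_decode(blob)
  kc_xor(blob.bytes).take_while { |b| b != 0 }.pack('C*').force_encoding('UTF-8')
end

# Text-safe form of the binary blob, matching the base64 command shown above.
def kcpassword_base64(password)
  Base64.strict_encode64(kcpassword_encode(password))
end

if __FILE__ == $PROGRAM_NAME
  sample = 'constructed-pw'                     # constructed sample password
  stored = kcpassword_base64(sample)
  puts "base64 value: #{stored}"
  puts "recovered   : #{kcpassword_decode(Base64.strict_decode64(stored))}"
end
```

Because the key is a constant, the base64 value in secrets.csv is equivalent to the builder password itself and should be stored and distributed with the same restrictions.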