I have a step in a Puppet module that roughly does the following to set up some application keys:
file { '/root/setup_app_keys.sh':
ensure => file,
owner => 'root',
group => 'root',
mode => '0700',
source => 'puppet:///modules/app_module/setup_app_keys.sh',
}
exec { 'setup_app_keys':
unless => '/etc/pki/tls/private/app-foo.key',
command => '/root/setup_app_keys.sh',
user => 'root',
group => 'root',
}
The setup_app_keys.sh script is a little too long to be made into a (readable) one-liner, so I save it to the machine's filesystem and execute it from there. It creates its files in /etc/pki... and it works well enough.
The annoying thing is, the shell script is basically a one-time use thing. It shouldn't ever run again for the lifetime of the machine, and yet it must stay on the filesystem where Puppet stored it. If it is deleted, Puppet helpfully recreates it again.
I'm thinking there must be a way to rewrite this using exec exclusively, which will allow me to download the script from the puppetmaster when needed, execute it once, then discard the script (or not store it in the first place). But everything I've tried has been of the form:
command => 'puppet:///modules/app_module/setup_app_keys.sh',
or
command => 'curl http://__[various puppetmaster URLs]__ | sh',
and neither approach seems to work. Am I asking too much, or is this approach flawed?
You can try and put your
filein a transitional state of existence prior to execution. The final state would beThis is cutting age material at the time of writing. Your mileage may vary.
you can add in your 'exec'
so it will only run again if you change the script
or you can add in your 'file', after last run
for that i think is better you use ansible or mcollective, for this kind of thing, i use ansible.
For more information about it.
You can run command from template: