Can Puppet run a shell script (that it downloads from the master) without saving it?

puppet

I have a step in a Puppet module that roughly does the following to set up some application keys:

file { '/root/setup_app_keys.sh':
  ensure => file,
  owner  => 'root',
  group  => 'root',
  mode   => '0700',
  source => 'puppet:///modules/app_module/setup_app_keys.sh',
}

exec { 'setup_app_keys':
  unless  => '/etc/pki/tls/private/app-foo.key',
  command => '/root/setup_app_keys.sh',
  user    => 'root',
  group   => 'root',
}

The setup_app_keys.sh script is a little too long to be made into a (readable) one-liner, so I save it to the machine's filesystem and execute it from there. It creates its files in /etc/pki... and it works well enough.

The annoying thing is, the shell script is basically a one-time use thing. It shouldn't ever run again for the lifetime of the machine, and yet it must stay on the filesystem where Puppet stored it. If it is deleted, Puppet helpfully recreates it again.

I'm thinking there must be a way to rewrite this using exec exclusively, which will allow me to download the script from the puppetmaster when needed, execute it once, then discard the script (or not store it in the first place). But everything I've tried has been of the form:

command => 'puppet:///modules/app_module/setup_app_keys.sh',

or

command => 'curl http://__[various puppetmaster URLs]__ | sh',

and neither approach seems to work. Am I asking too much, or is this approach flawed?


You can try and put your file in a transitional state of existence prior to execution. The final state would be

ensure => absent

This is cutting age material at the time of writing. Your mileage may vary.


you can add in your 'exec'

require => File["/root/setup_app_keys.sh"],
refreshonly => true,

so it will only run again if you change the script

or you can add in your 'file', after last run

ensure  => purged,

for that i think is better you use ansible or mcollective, for this kind of thing, i use ansible.

For more information about it.

http://docs.ansible.com/intro_getting_started.html

You can run command from template:

exec { 'my-command':
     command     => template('template-for-my-command.erb')
}

Related

Can BIND alter a response based on requesting IP address?
Fail2ban doesn't start [closed]
Is there a way to run PsExec specifying a user name and password (-u -p) when running as Local System?
What does "localhost | FAILED => Missing become password" mean? How do I get past it?
How to publish environment specific appsettings in .Net core app?
How to fix 'Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
Can I revert commits directly on GitHub?
Where is nuget.exe?
Best practices for using and persisting enums
What's the difference between the new netstandardapp and netcoreapp TFMs?
FragmentTransaction animation to slide in over top
What you can do with a data.frame that you can't with a data.table?