puppetlabs / puppetlabs-chocolatey

Chocolatey Package Provider for Puppet
Apache License 2.0

[Feature] Only ensure package is latest if it is installed #357

Open datorr2 opened 3 months ago

datorr2 commented 3 months ago

Use Case

I would like to be able to ensure that certain packages are the latest version only if they are currently installed. If they are not installed, allow them to remain absent.

Describe the Solution You Would Like

Currently, ensure => latest will install the package if it is absent, and then ensure it is the latest version. This is not what I desire in certain use-cases.

In light of this, one possible solution would be to add an additional option that could be paired with ensure => present|1.0.0|etc. that would change the behavior to only correct if the package already exists/is currently installed.

Describe Alternatives You've Considered

I could write some conditional code to determine if the package is already installed before applying this condition, but that would require enumerating existing packages. As far as I know, this functionality does not currently exist in this module, which would mean having to either hack together an Exec statement to determine if the package is installed, or write a custom Facter to enumerate installed packages.

bastelfreak commented 3 months ago

> This is not what I desire in certain use-cases.

Hi! This sounds a bit like an antipattern. Can you explain your use case?

datorr2 commented 3 months ago

> Hi! This sounds a bit like an antipattern. Can you explain your use case?

For patching/compliance. If a software is installed, ensure it is the latest available version. Otherwise, leave it absent.

I had to write a custom facter to enumerate installed packages, and then basically achieved this with:

if $facts['choco_packages']['packagename'] {
  package { 'packagename':
    ensure   => latest,
    provider => 'chocolatey',
    source   => 'chocolatey',
  }
}

But providing this functionality out-of-the-box would be beneficial. It could look something like:

package { 'packagename':
  ensure   => latest,
  provider => 'chocolatey',
  source   => 'chocolatey',
  unless   => absent,
}

or

package { 'packagename':
  ensure   => latest,
  provider => 'chocolatey',
  source   => 'chocolatey',
  onlyif   => present,
}

rismoney commented 3 months ago

This doesn't make sense. Example- how did the package get there in the 1st place, if onlyif were to be present? The answer? It wouldn't, because of this broken logic pattern.

Your fact logic is the right approach. If you wanted some other workable approach, you could use exec resource with command "choco install packagename" and creates => 'c:\programdata\chocolatey\lib\packagename'

datorr2 commented 3 months ago

> This doesn't make sense. Example- how did the package get there in the 1st place, if onlyif were to be present? The answer? It wouldn't, because of this broken logic pattern.

Are you saying the only way to install a package with chocolatey is to do so with puppet? 😄

User manually installs a package, and then the puppet code would say that if the package is present, make sure it is the latest package.

This is a simple compliance control vulnerability management. If the software is installed, patch/upgrade it. If the software is not installed, ignore.

rismoney commented 3 months ago

If you had compliance control, I would think a user does not manually install a package in the first place.

bastelfreak commented 3 months ago

> For patching/compliance. If a software is installed, ensure it is the latest available version. Otherwise, leave it absent.

This approach is wrong in my opinion. Puppet defines the desired state, not the system. Either you want a specific package installed via puppet or not. And Puppet is a configuration management system, not a patch tool. You can use facts to identify available updates or all packages that are installed but not managed by Puppet. But for patching, you should use orchestration tools like Bolt.
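
The thread refers to a custom fact that enumerates installed Chocolatey packages but never shows one. The sketch below is an added example, not code from any participant or from the puppetlabs-chocolatey module. It assumes `choco` is on the PATH and reuses the fact name `choco_packages` from the manifest above; the helper names and the sample output are constructed for illustration.

```ruby
# Added example: a custom fact exposing installed Chocolatey packages as
# { 'name' => 'version' }, so a manifest can test $facts['choco_packages'].
# Assumption: `--limit-output` prints one `name|version` row per package.

# Parse `choco list --limit-output` text. Package ids are lower-cased because
# Chocolatey treats them case-insensitively, so manifest keys must be lower case.
def parse_choco_list(output)
  output.to_s.each_line.each_with_object({}) do |line, pkgs|
    name, version = line.strip.split('|', 3)
    next if name.nil? || name.empty? || version.nil?
    # Skip banner or warning rows that do not carry a version-like second field.
    next unless version.match?(/\A\d+(\.\d+)*([-+][0-9A-Za-z.\-]+)?\z/)
    pkgs[name.downcase] = version
  end
end

# Chocolatey CLI 2.x lists only local packages and no longer accepts
# --local-only; on 1.x, `list` without the flag queries remote sources.
def choco_list_args(choco_version)
  major = choco_version.to_s[/\A\s*(\d+)/, 1].to_i
  major >= 2 ? 'list --limit-output' : 'list --local-only --limit-output'
end

# Constructed sample output, used only when this file runs outside Facter.
SAMPLE_OUTPUT = <<~OUT
  chocolatey|2.2.2
  Git|2.44.0
  7zip.install|23.1.0
  Some warning text that is not a package row
  notepadplusplus|8.6.4-beta1
OUT

if defined?(Facter)
  Facter.add(:choco_packages) do
    confine kernel: 'windows'
    setcode do
      version = Facter::Core::Execution.execute('choco --version', on_fail: nil)
      next nil if version.nil? # choco missing: fact stays undefined
      out = Facter::Core::Execution.execute("choco #{choco_list_args(version)}", on_fail: nil)
      parse_choco_list(out)
    end
  end
elsif $PROGRAM_NAME == __FILE__
  p parse_choco_list(SAMPLE_OUTPUT)
end
```

Because the fact is undefined on nodes without Chocolatey, a manifest reading `$facts['choco_packages']['packagename']` should first check that `$facts['choco_packages']` is set.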