[Spacewalk-list] how to block yum usage on client systems

Duehr, Nate nduehr at alpineaccess.com
Mon Jun 11 18:54:52 UTC 2012


On 6/11/12 10:42 AM, "Musayev, Ilya" <imusayev at webmd.net> wrote:

>I'm not working with puppet and curious - does puppet snapshot the entire
>filesystem and revert back or does it snapshot configs only?
>
>If you do a kernel upgrade via yum while bypassing spacewalk (since host is
>locked) - puppet will roll back the change?
>
>There is a puppet and yum plugin I saw posted under the yum plugin repo - I'm
>not certain what it does - but take a look - maybe it will help resolve
>your issue.


These questions are probably out-of-scope for the Spacewalk list, but it's
significantly more complex than just "snapshots". (Actually since there's
always more than one way to do things, LVM snapshots could be utilized to
roll back your user's changes if they're not supposed to be making them.
There's more than one way to skin a cat.)

Even just chattr -i can be utilized on files, which many people never
figure out, even if they have root.  (Total "security by obscurity" and a
hack, but it'll slow down the kids... so they have to come talk to you and
get a lesson on why their changes aren't appropriate.  Because ultimately
at the end of the day, people installing things they shouldn't is a human
problem, not a technical one.)

For Puppet, a "manifest" of items required to be on a machine is created
and puppet can be set up to continually enforce it.  The manifest can be
as elaborate or simple as you feel like writing.  You get to choose.

An example might be:

package { "screen":
  ensure => installed,
}


As far as "will puppet roll back changes" question goes, it can, if you
set it up that way.  It all depends on how far down the rabbit hole you
wish to go.  Or how many external requirements you may have from outside
the organization to enforce specific things.  (Because enforcement of
staff behavior within an organization isn't a technical problem, that's a
human management problem.  Technology can catch it, and/or put it back the
way it was, but the root-cause people management problem is still there.)

Spacewalk doing automated errata package updates in a co-environment with
Puppet might lead to a mess if it's not engineered correctly.  Proper
planning and testing would be required to make them play nicely in a
sandbox together.


Nate Duehr
Sr. Linux Engineer

--------------------------------------------------------------------------
Alpine Access |  http://www.alpineaccess.com
Phone: 303.850.3736 |  Mobile: 303.594.5444


This E-mail message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply E-mail and destroy all copies of the original message.
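As an added example (not from this thread, and not Spacewalk's or Puppet's own code), here is a small POSIX shell check in the "technology can catch it" spirit of the reply above: it scans yum.log for package transactions a locked client should not have made on its own. The allowed-package policy, the classic yum.log line format and the sample log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: flag yum transactions that bypassed the managed channel.
# Assumes the classic yum.log format "Mon DD HH:MM:SS Action: name-version-release.arch".

# Package names a client is allowed to install/update itself (assumed policy).
ALLOWED=${ALLOWED:-'bash openssl screen'}

# Strip version-release.arch: kernel-2.6.32-220.17.1.el6.x86_64 -> kernel
pkg_name() {
    printf '%s\n' "$1" | sed 's/-[0-9][^-]*-[^-]*$//'
}

# Read yum.log lines on stdin and print the ones worth investigating:
# every removal, plus any install/update of a package outside ALLOWED.
unexpected_transactions() {
    while IFS= read -r line; do
        action=$(printf '%s\n' "$line" | awk '{print $4}' | tr -d ':')
        nevra=$(printf '%s\n' "$line" | awk '{print $5}')
        [ -n "$nevra" ] || continue          # skip blank or malformed lines
        name=$(pkg_name "$nevra")
        if [ "$action" = Erased ]; then
            printf '%s\n' "$line"            # removals are never self-service
        else
            case " $ALLOWED " in
                *" $name "*) ;;              # expected self-service package
                *) printf '%s\n' "$line" ;;  # bypassed the managed channel
            esac
        fi
    done
}

# Constructed sample log lines (not captured from a real host).
SAMPLE_LOG='Jun 11 03:15:02 Updated: bash-4.1.2-9.el6.x86_64
Jun 11 03:15:07 Updated: openssl-1.0.0-20.el6.x86_64
Jun 11 14:22:41 Installed: kernel-2.6.32-220.17.1.el6.x86_64
Jun 11 14:23:10 Installed: screen-4.0.3-16.el6.x86_64
Jun 11 15:01:00 Erased: telnet-0.17-47.el6.x86_64'

# On a real client: unexpected_transactions < /var/log/yum.log
printf '%s\n' "$SAMPLE_LOG" | unexpected_transactions
```

Run from cron or a Puppet exec, the non-empty output is the signal to go have the "why their changes aren't appropriate" conversation, which is where the reply says the real fix lives.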
