Using Puppet + Augeas to turn off usb ports
May 5, 2014
My blog posts always seem to start with a question asked on Stack Exchange or ask.puppetlabs.com. This is no exception.
Danilo asked if Puppet was able to block access to USB ports on Linux machines. I decided to flex the Augeas muscle. Strictly speaking, what follows does not switch the ports off: it blacklists the usb-storage kernel module, so USB mass-storage devices stop working while keyboards, mice and other USB device classes are unaffected.
tl;dr Here is a working solution:
class blockusb {
  augeas { 'block usb-storage':
    context => "/files/etc/modprobe.d/blacklist.conf/",
    changes => ["set blacklist[last()+1] usb-storage"],
    onlyif  => "match blacklist[.='usb-storage'] size == 0",
  }
}
include blockusb
The match functionality in Augeas is very non-intuitive. Instinct would suggest that the following onlyif should work:
onlyif => "match blacklist not_include 'usb-storage'",
However, as Dominic pointed out on the user list, match returns a list of paths, not the values stored at those paths, so the not_include test is run against strings such as /files/etc/modprobe.d/blacklist.conf/blacklist[17] and never sees usb-storage. While you *can* see the values of the paths when using augtool from the command line, augtool prints them as a convenience; the match call in Augeas's API returns only the paths, and a value has to be fetched separately with get.
augtool> match /files/etc/modprobe.d/blacklist.conf/blacklist
/files/etc/modprobe.d/blacklist.conf/blacklist[1] = evbug
/files/etc/modprobe.d/blacklist.conf/blacklist[2] = usbmouse
/files/etc/modprobe.d/blacklist.conf/blacklist[3] = usbkbd
....
/files/etc/modprobe.d/blacklist.conf/blacklist[16] = amd76x_edac
/files/etc/modprobe.d/blacklist.conf/blacklist[17] = usb-storage
The fix is to put the value into the path expression itself: blacklist[.='usb-storage'] matches only a blacklist node whose value is usb-storage, and size == 0 turns the length of that (possibly empty) match list into the boolean that onlyif needs. The result is that Puppet only modifies blacklist.conf once; on later runs the node exists, the match is non-empty, and the resource is a no-op.
Or even simpler:
augeas { 'block usb-storage':
  context => "/files/etc/modprobe.d/blacklist.conf/",
  changes => "set blacklist[.='usb-storage'] usb-storage",
}
Here the predicate does the work: set on blacklist[.='usb-storage'] creates the node when nothing matches and changes nothing when it already exists, and Puppet's augeas type runs the changes in a no-op pass first and only writes the file if the tree would change, so no onlyif is needed.
Two caveats before calling the box locked down. A blacklist line only stops modprobe from loading usb-storage through an alias, which is what happens when udev sees a mass-storage device; an explicit modprobe usb-storage, or another module that depends on it, still loads it. The stronger form is an install usb-storage /bin/false line in the same file, which makes modprobe run that command instead of loading the module. And neither directive unloads a module that is already resident: run modprobe -r usb-storage (or reboot) once the configuration is in place, and confirm with lsmod | grep usb_storage.
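As an added illustration (not from the post, and not Puppet or Augeas code), the Python below does the same job the manifest does, but in a form that can be run and tested against a scratch copy of the file: it parses the blacklist and install directives out of a modprobe.d directory, reports whether a module is merely blacklisted or guarded by an install line, and appends only the directives that are missing, mirroring the onlyif check on values rather than paths. The directory layout, file names, status strings and sample entries are constructed for the example; the treatment of '-' and '_' as the same character reflects how modprobe itself reads module names.

```python
import os
import re
import tempfile

# modprobe.d directives we care about; anything after '#' is a comment.
BLACKLIST_RE = re.compile(r"^\s*blacklist\s+(\S+)\s*$")
INSTALL_RE = re.compile(r"^\s*install\s+(\S+)\s+(.+?)\s*$")
NOOP_COMMANDS = ("/bin/false", "/bin/true")


def canon(module):
    """modprobe treats '-' and '_' in module names as interchangeable."""
    return module.replace("-", "_")


def modprobe_directives(confdir):
    """Return (blacklisted, installs) gathered from every *.conf in confdir."""
    blacklisted, installs = set(), {}
    for name in sorted(os.listdir(confdir)):
        if not name.endswith(".conf"):
            continue
        with open(os.path.join(confdir, name)) as fh:
            for raw in fh:
                line = raw.split("#", 1)[0]
                m = BLACKLIST_RE.match(line)
                if m:
                    blacklisted.add(canon(m.group(1)))
                    continue
                m = INSTALL_RE.match(line)
                if m:
                    installs[canon(m.group(1))] = m.group(2)
    return blacklisted, installs


def block_status(confdir, module="usb-storage"):
    """How strongly is module blocked? (status names are this example's own)

    'blacklist' only stops autoloading through aliases (udev seeing a mass
    storage device); 'modprobe usb-storage' by name, or a dependency pull,
    still loads it.  'install <mod> /bin/false' replaces the load itself.
    """
    blacklisted, installs = modprobe_directives(confdir)
    tokens = installs.get(canon(module), "").split()
    if tokens and tokens[0] in NOOP_COMMANDS:
        return "install-guarded"
    if canon(module) in blacklisted:
        return "blacklisted-only"
    return "unblocked"


def ensure_blocked(conf_path, module="usb-storage"):
    """Append the missing directives to conf_path; return how many were added.

    Like the manifest's onlyif, the check is on the *values* already present
    (in any .conf file of the directory), so a second run changes nothing.
    """
    blacklisted, installs = modprobe_directives(os.path.dirname(conf_path))
    lines = []
    if canon(module) not in blacklisted:
        lines.append("blacklist %s\n" % module)
    if canon(module) not in installs:
        lines.append("install %s /bin/false\n" % module)
    if not lines:
        return 0
    prefix = ""
    if os.path.exists(conf_path):
        with open(conf_path) as fh:
            data = fh.read()
        if data and not data.endswith("\n"):
            prefix = "\n"  # do not glue onto a last line that lacks '\n'
    with open(conf_path, "a") as fh:
        fh.write(prefix + "".join(lines))
    return len(lines)


def demo():
    """Run against a constructed scratch copy of the post's blacklist.conf."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "blacklist.conf")
    with open(path, "w") as fh:  # constructed sample, no trailing newline
        fh.write("# constructed sample\nblacklist evbug\nblacklist usbmouse\nblacklist usbkbd")
    result = [block_status(d), ensure_blocked(path), block_status(d), ensure_blocked(path)]
    # A pre-existing underscore spelling must count as the same module.
    d2 = tempfile.mkdtemp()
    path2 = os.path.join(d2, "local.conf")
    with open(path2, "w") as fh:  # constructed sample
        fh.write("blacklist usb_storage\n")
    result += [block_status(d2), ensure_blocked(path2), block_status(d2)]
    return result


if __name__ == "__main__":
    print(demo())
```

Running it prints the status before and after each pass over the two scratch directories: the first goes from unblocked to install-guarded with two lines added and none on the repeat, and the second, which already carries blacklist usb_storage, is reported as blacklisted-only and needs just the install line. Point ensure_blocked at a real /etc/modprobe.d file only as root, and remember that the module still has to be unloaded if it is already resident.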