Using Puppet + Augeas to turn off usb ports

Augeas and Puppet can team up to modify the modprobe config files

My blog posts always seem to start with a question asked on stackexchange or ask.puppetlabs.com. This is no exception.

Danilo asked if puppet was able to block access to usb ports on linux machines. I decided to flex the Augeas muscle.

 

tl;dr Here is a working solution

class blockusb {

   augeas {'block usb-storage':
    context   =>"/files/etc/modprobe.d/blacklist.conf/",
    changes =>["set blacklist[last()+1] usb-storage",],
    onlyif =>"match blacklist[.='usb-storage'] size == 0 ",
  }
}
include blockusb

 

The match functionality in augeas is very non intuitive. Instinct would suggest that the following solution should work:

onlyif =>"match blacklist not_include 'usb-storage' ",

However as pointed out by Dominic in the user list, match returns a list of paths, not the values of those paths.  While you *can* see the values of the path when using augtool from the command line, those values are not included in Augeas’s API call.

 augtool> match /files/etc/modprobe.d/blacklist.conf/blacklist
/files/etc/modprobe.d/blacklist.conf/blacklist[1] = evbug
/files/etc/modprobe.d/blacklist.conf/blacklist[2] = usbmouse
/files/etc/modprobe.d/blacklist.conf/blacklist[3] = usbkbd
....
/files/etc/modprobe.d/blacklist.conf/blacklist[16] = amd76x_edac
/files/etc/modprobe.d/blacklist.conf/blacklist[17] = usb-storage

 

By requesting the actual usb-storage value in the tree and then checking it’s length we are able to return a boolean. The result is that puppet will only modify the blacklist.conf file once.