Search code examples
configurationpuppetaugeas

puppet, augeas and properties lens: file not saved because no difference detected

I want to edit a java properties file using puppet and augeas. I'm using this code which seems to be correct but actually this do not modify the file.

$disabledalgo = "SSLv3, RC4, MD5withRSA, DH keySize < 768, EC keySize < 224"

$incl = "/tmp/java.security"

augeas { "tlsconf":
 lens           => "Properties.lns",
 incl           => "$incl",
 changes        => "set 'jdk.tls.disabledAlgorithms' '$disabledalgo'",
 onlyif         => "get 'jdk.tls.disabledAlgorithms' != '$disabledalgo'",
}

the properties file is like that

grep jdk.tls.disabledAlgorithms -A 1 /tmp/java.security
jdk.tls.disabledAlgorithms=TLSv1.1, SSLv3, RC4, MD5withRSA, DH keySize < 768, \
    EC keySize < 224

When I launch puppet I have this output.

Debug: Augeas[tlsconf](provider=augeas): Opening augeas with root /, lens path , flags 64
Debug: Augeas[tlsconf](provider=augeas): Augeas version 1.4.0 is installed
Debug: Augeas[tlsconf](provider=augeas): Will attempt to save and only run if files changed
Debug: Augeas[tlsconf](provider=augeas): sending command 'set' with params ["/files/tmp/java.security/jdk.tls.disabledAlgorithms", "SSLv3, RC4, MD5withRSA, DH keySize < 768, EC keySize < 224"]
Debug: Augeas[tlsconf](provider=augeas): Skipping because no files were changed

I expect jdk.tls.disabledAlgorithms to contain SSLv3, RC4, MD5withRSA, DH keySize < 768, EC keySize < 224

edit: I observed the same problem when the values are in a totally different order like

jdk.tls.disabledAlgorithms=TLSv1, SSLv3, TLSv1.1, RC4, MD5withRSA, DH keySize < 768, \
    EC keySize < 224

and even when I remove RC4 from the file it does not change it.

Before creating the question I read augeas in puppet does not change file but the problem doesn't apply as the context parameter seems to correct.

thanks

Solution

  • The Properties lens has a peculiar way of parsing multi line entries, in that it creates sub-nodes with no label, making it impossible to manage them.

    What I'd recommend is to remove the key before modifying it:

    augeas { "tlsconf":
 lens           => "Properties.lns",
 incl           => $incl,
 changes        => [
                     'rm jdk.tls.disabledAlgorithms',
                     "set jdk.tls.disabledAlgorithms '$disabledalgo'",
                   ],
}

    It won't preserve the location of the entry in the file, but it should work. Note also that onlyif is not necessary here.