Maybe if you don't mind sussing out all the required capabilities to tie to the binary not to mention the possible SELinux bits. And you'll have to redo the capabilities whenever you upgrade.

IF the agent can use them.

Most of the content in the Puppet ecosystem is written with the assumption the agent is running as

root

--- so non-root agents isn’t something I’d recommend as it’s pretty much signing up for a perpetual uphill push.

For sure - and that's what I've told the client. I hadn't seen anything online but wanted to reach out here in case I was missing something.

It's not at all something I actual want to try and implement.

I use puppet as normal user but the usecase is.. limited

you can do it, but everything that puppet manages has to be readable and writable by whatever user puppet runs as

which more or less rules out any system level configuration

the question should be: what does the customer want to manage

if that doesnt require root, but doesnt require root

Security wants nothing running as root is what the customer wants. 😄

glwt

Yup.

It’s more than just readable+writable by a particular user. There’s plenty of cases where

admin_command

won’t work, but

<pick your sudo> admin_command

would work. However, making that decision is extra complexity which means extra work for module authors. In the grand scheme of things, the number of folks running non-root agents rounds to 0 — so module authors reasonably assume

root

and skip the extra work.

How much of

capabilities(7)

can the agent use?

Yeah it's never been anything I've ever had to work around/through so I'm hoping that if I can show them that we can move on.

How much of

capabilities(7)

can the agent use?

Doesn't SCCM run as

system

? If you can get the security team to see it in terms of a product that they've accepted the risk on, maybe you can get them to budge on puppet. I assume any windows configuration management tools are running as the equivalent of root.

This message was deleted.

Also I'm sorry if this should've been put in office-hours, slack novice.

Nope, right spot. #CFD8Z9A4T is only active during particular hours for specific topics.

This message was deleted.

I have mailalias_core listed in a Puppetfile, I don't believe that one gets vendored in the puppet-agent

I have mailalias_core listed in a Puppetfile, I don't believe that one gets vendored in the puppet-agent

Hi Everyone, Thanks for your answers on puppet task to upgrade debian 9-11 Instead of tasks, Will it be a good idea if I use any puppet module to upgrade the debian 9 to debian 11 ? Do we have any of it on forge?

no

the same we said yesterday applies to that as well

we recommend provisioning new boxes instead

This message was deleted.

We don't have any debian systems yet, if puppet finds new debian system created then it will perform actions on those debian 11 with case statements