passwd_min is an Ohai plugin that parses /etc/passwd and /etc/group and returns user and group information in a format that matches the passwd plugin shipped in Ohai.
This plugin may be useful to Chef users who have alternate password databases (such as LDAP or NIS) configured and have had to disable the default passwd plugin to avoid storing their organization’s entire LDAP directory in their node objects.
Background
The passwd plugin shipped in Ohai uses Ruby’s Etc module to populate the node['etc']['passwd'] and node['etc']['group'] attributes.
If one follows the code for the Etc module far enough, she will find that this information is obtained by calling the getpwent() system call.
According to the Linux manual page for getpwent():
The getpwent() function returns a pointer to a structure containing the broken-out fields of a record from the password database (e.g., the local password file /etc/passwd, NIS, and LDAP). The first time getpwent() is called, it returns the first entry; thereafter, it returns successive entries.
Thus, for users who have LDAP or NIS configured, node['etc']['passwd'] will contain more than simply the contents of /etc/passwd. For some users, the data the default passwd plugin collects will produce large node objects. These large node objects place additional load on the Chef Server and other Chef clients that have to process those objects later.
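The distinction above, as an added Ruby example (not the passwd_min plugin's own code): parsing passwd and group file content directly, so only local entries end up in the result. The function names, the sample data, and the hash keys (dir, gid, uid, shell, gecos and gid, members) are assumptions made for illustration.

```ruby
# Added example: build passwd/group hashes from local file content only, never
# via Etc, so NSS sources such as LDAP or NIS are not consulted. Key names are
# an assumption about the layout the default passwd plugin produces.

# Constructed sample data standing in for /etc/passwd and /etc/group.
SAMPLE_PASSWD = <<~EOS
  root:x:0:0:root:/root:/bin/bash
  # local comment line
  deploy:x:1001:1001:Deploy User,,,:/home/deploy:/bin/sh
  +::::::
  broken:line
EOS

SAMPLE_GROUP = <<~EOS
  root:x:0:
  wheel:x:10:root,deploy
  +:::
EOS

def skip_line?(line)
  # Blank lines, comments, and NIS compat markers (+name / -name) are not local accounts.
  line.empty? || line.start_with?("#", "+", "-")
end

def parse_passwd(text)
  text.each_line.with_object({}) do |raw, out|
    line = raw.chomp
    next if skip_line?(line)
    # -1 keeps trailing empty fields (for example an empty shell).
    name, _pw, uid, gid, gecos, dir, shell = line.split(":", -1)
    next if shell.nil? || uid !~ /\A\d+\z/ || gid !~ /\A\d+\z/ # malformed entry
    out[name] = { "dir" => dir, "gid" => gid.to_i, "uid" => uid.to_i,
                  "shell" => shell, "gecos" => gecos }
  end
end

def parse_group(text)
  text.each_line.with_object({}) do |raw, out|
    line = raw.chomp
    next if skip_line?(line)
    name, _pw, gid, members = line.split(":", -1)
    next if members.nil? || gid !~ /\A\d+\z/ # malformed entry
    out[name] = { "gid" => gid.to_i, "members" => members.split(",") }
  end
end

def local_etc(passwd_text, group_text)
  { "passwd" => parse_passwd(passwd_text), "group" => parse_group(group_text) }
end
```

On a real node, pass File.read("/etc/passwd") and File.read("/etc/group") to local_etc in place of the constructed samples.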
Using the passwd_min plugin
The easiest way to distribute the passwd_min plugin is via the Opscode Ohai cookbook, from your Chef repository.
You will also want to disable the default passwd plugin by placing the following in /etc/chef/client.rb on the node:
Ohai::Config[:disabled_plugins] = ["passwd"]
Note that if you use the Chef-client Cookbook, this can be done via an attribute.
Bug reports and improvements happily accepted on Github.