[Labs-l] running cron jobs as (puppet) system users
Daniel Zahn
dzahn at wikimedia.org
Sun Apr 22 11:03:22 UTC 2012
Hi,
for your info, if you plan to set up system users and cron jobs on labs
instances via puppet:

In labs, if you create a new system user via puppet, in a class
applied to your instance, and then add cron jobs into this user's
crontab, this does not mean they are executed yet.

You will see the jobs with "crontab -u <user> -l", you will be able to
execute the exact commands, also as that user with sudo, like
"sudo -u <user> -s /full/path/command/from/crontab foo", and that will work,
but they will not be executed due to access.conf.

If you check auth.log you will see "CRON[22045]:
pam_access(cron:account): access denied for user `foo' from `cron'"

This is for security and is configured in /etc/security/access.conf.
It looks like this:

# Disallow access to all forms of login to all
# users except for members of the nova project
# that this instance is a member of:
-:ALL EXCEPT (project-foo) root:ALL

And since "crond" is a form of login in this context, it disallows
users who are not in the "project-foo" group.

This file should not be changed manually though, it is defined in puppet ldap.pp
/puppet/templates/ldap/access.conf.erb

So either (system) users would have to be members of the project- group
or only add cron jobs to human labs users' crontabs.

(for completeness: or we would have to make changes to access.conf.erb, "crond"
can be allowed separately from other forms of login, but that's
probably not the best option)

http://linux.die.net/man/5/access.conf

P.S. an example for creating multiple cron jobs from an array of values
is in manifests/misc/wikistats.pp

Best regards,
--
Daniel Zahn <dzahn at wikimedia.org>
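
Added example, not part of the original message and not Wikimedia's own code: a simplified Python evaluator for the access.conf rule quoted above, fed from a pam_access denial line in the auth.log format the message shows. It shows why the cron job is refused and how membership in the project group changes the outcome. The timestamp, the hostname "example-instance" and all function names are constructed for illustration, and only the ALL, EXCEPT, (group) and literal-name tokens are handled.

```python
import re

# Constructed sample: the access.conf rule from the post and an auth.log
# line in the format it quotes (timestamp and hostname are made up).
ACCESS_CONF = """\
# Disallow access to all forms of login to all
# users except for members of the nova project
-:ALL EXCEPT (project-foo) root:ALL
"""
AUTH_LOG_LINE = ("Apr 22 10:55:01 example-instance CRON[22045]: "
                 "pam_access(cron:account): access denied for user `foo' from `cron'")

DENIAL_RE = re.compile(r"pam_access\((\w+):account\): access denied "
                       r"for user `([^']+)' from `([^']+)'")

def parse_denial(line):
    """Return (service, user, origin) from a pam_access denial line, or None."""
    m = DENIAL_RE.search(line)
    return m.groups() if m else None

def _match(tokens, value, groups):
    """Match a token list with optional 'EXCEPT' against a value (simplified)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _match(tokens[:i], value, groups) and not _match(tokens[i + 1:], value, groups)
    for tok in tokens:
        if tok == "ALL" or tok == value:
            return True
        if tok.startswith("(") and tok.endswith(")") and tok[1:-1] in groups:
            return True
    return False

def access_allowed(conf, user, user_groups, origin):
    """First matching rule decides; no matching rule means access is granted."""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if _match(users.split(), user, user_groups) and _match(origins.split(), origin, ()):
            return perm == "+"
    return True

if __name__ == "__main__":
    service, user, origin = parse_denial(AUTH_LOG_LINE)
    print(user, origin, access_allowed(ACCESS_CONF, user, {"foo"}, origin))
    print(user, origin, access_allowed(ACCESS_CONF, user, {"foo", "project-foo"}, origin))
```

The origin passed in is the service name "cron", as in the quoted log line, which is why the rule's "ALL" origin field covers cron as well as interactive logins.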