user resource conflict with puppetlabs/apache: Duplicate declaration: User[www-data] is already declared #157

Closed
juju4 opened this issue Sep 24, 2018 · 11 comments

@juju4

juju4 commented Sep 24, 2018

When using os_hardening alongside apache

https://travis-ci.org/juju4/puppet-meta-harden-linux/jobs/432286466#L3000

             sudo -E /opt/puppetlabs/bin/puppet apply /tmp/kitchen/manifests/ --modulepath=/tmp/kitchen/modules --fileserverconfig=/tmp/kitchen/fileserver.conf     --hiera_config=/tmp/kitchen/hiera.global.yaml  -v     
)
       Info: Loading facts
       Info: Loading facts
       Info: Loading facts
       Info: Loading facts
       Info: Loading facts
       Info: Loading facts
       Info: Loading facts
       Info: Loading facts
       Warning: The function 'hiera_hash' is deprecated in favor of using 'lookup'. See https://docs.puppet.com/puppet/5.5/reference/deprecated_language.html\n   (file & line not available)
       /tmp/kitchen/modules/osquery/lib/puppet/parser/functions/sorted_json.rb:5: warning: constant ::Fixnum is deprecated
       Warning: /tmp/kitchen/modules/rsyslog/hiera.yaml: Use of 'hiera.yaml' version 4 is deprecated. It should be converted to version 5
          (file: /tmp/kitchen/modules/rsyslog/hiera.yaml)
       Warning: Defining "data_provider": "hiera" in metadata.json is deprecated.
          (file: /tmp/kitchen/modules/rsyslog/metadata.json)
       Error: Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: User[www-data] is already declared at (file: /tmp/kitchen/modules/os_hardening/manifests/minimize_access.pp, line: 89); cannot redeclare (file: /tmp/kitchen/modules/apache/manifests/init.pp, line: 140) (file: /tmp/kitchen/modules/apache/manifests/init.pp, line: 140, column: 5) on node default-ubuntu-1804-1537750847.lxd
D      Cleaning up local sandbox in /tmp/default-ubuntu-1804-sandbox-20180924-19022-1u48kau

I'm not sure: would renaming the resource and using user attributes be enough?

@timstoop
Contributor

Are you using Puppet Enterprise? If so, do you have the pe_environment parameter set to true?

@juju4
Author

juju4 commented Sep 24, 2018

For now, I'm just using community puppet. I might encounter enterprise later on.
Travis testing is kitchen/free puppet based

@mcgege
Member

mcgege commented Sep 27, 2018

Put the user which is declared in two places into the parameter ignore_users, like this:

class { 'os_hardening':
  ignore_users => ['www-data'],
}

@juju4
Author

juju4 commented Sep 27, 2018

Thanks @mcgege!
Exactly that, and to be fair, there is a similar option manage_user in https://forge.puppet.com/puppetlabs/apache

@raphink

raphink commented Nov 12, 2019

A better way to fix this would be to use https://forge.puppet.com/crayfishx/purge instead of managing users manually:

purge { 'user':
  manage_property => 'shell',
  state           => $nologin_path,
  if              => ['uid', '<=', $maxid],
}

This allows merging behavior with other modules managing their own users.

@mcgege
Member

mcgege commented Nov 15, 2019

@raphink I agree ... but is this solution / module still maintained?

@raphink

raphink commented Nov 18, 2019

@mcgege as far as I know yes. I've contributed to it recently and @crayfishx was reactive on it.

@crayfishx

FYI - as @raphink said, it is still being maintained - a new release covering Puppet 6 testing should be out soon too

@mcgege
Member

mcgege commented Jan 15, 2020

Again: good idea ... I'll open an issue to implement this (either I find some time or someone else picks this up)

@mfuhrmann

Just for documentation: for the last ~2 years, no reaction can be found on https://github.com/crayfishx/puppet-purge/

@mfuhrmann

> Put the user which is declared in two places into the parameter ignore_users, like this:
>
> class { 'os_hardening':
>   ignore_users => ['www-data'],
> }

@mcgege But ignoring existing users is not hardening them, right? ;-) What's the idea here: the existing users have to be hardened in the existing configuration code?
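
One way to check the gap raised in the last comment, as an added example that is not part of the thread or of os_hardening: it reads passwd-format text and reports system accounts that still have a login shell, separating the names passed as ignore_users from the rest. The UID ceiling, the set of no-login shells, the root entry in the ignore list and the sample passwd lines are assumptions or constructed values.

```python
"""Audit system accounts that keep a login shell, including ignored ones."""

# Assumptions (not from the issue): the UID ceiling and the shells
# treated as "no login". Adjust both to the target distribution.
MAX_SYSTEM_UID = 999
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed sample in /etc/passwd format; not taken from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/bash
# comment line
malformed:line
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


def parse_passwd(text):
    """Yield (name, uid, shell) for each well-formed passwd line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip malformed entries instead of guessing
        yield fields[0], int(fields[2]), fields[6]


def audit(text, ignore_users, max_uid=MAX_SYSTEM_UID):
    """Group system accounts with a login shell by ignored / not ignored."""
    ignored = set(ignore_users)
    report = {"not_ignored_with_login_shell": [], "ignored_with_login_shell": []}
    for name, uid, shell in parse_passwd(text):
        if uid > max_uid or shell in NOLOGIN_SHELLS:
            continue
        # An empty shell field means the system default shell: a login shell.
        key = "ignored_with_login_shell" if name in ignored else "not_ignored_with_login_shell"
        report[key].append(name)
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_PASSWD, ignore_users=["root", "www-data"])
    for key, names in result.items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Accounts listed under ignored_with_login_shell are the ones whose shell has to be set by whichever module or manifest declares them. To audit a live host, pass the contents of /etc/passwd instead of the sample.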
