Remctl configuration module


Version information

  • 0.1.1 (latest)
  • 0.1.0
released Mar 25th 2014

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'nmtcc-remctl', '0.1.1'

Add this module to your Bolt project:

bolt module add nmtcc-remctl

Manually install this module globally with Puppet module tool:

puppet module install nmtcc-remctl --version 0.1.1

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



nmtcc/remctl — version 0.1.1 Mar 25th 2014



Table of Contents

  1. Overview
  2. Module Description - What the module does and why it is useful
  3. Setup - Getting started with remctl
  4. Usage - Configuration options and additional functionality
  5. Limitations - OS compatibility, etc.
  6. Development - Guide for contributing to the module


Overview

The remctl module installs, configures, and manages the command definitions and Access Control Lists for remctl.

Module description

The remctl module handles installing remctl with relatively standard defaults. It also installs xinetd to handle the daemon. Lastly, it allows for easy ACL and command definition.


Setup

If any nonstandard configuration is needed, the remctl class may be invoked with any required options; however, just applying an ACL or command will implicitly install the server and daemon. Standard usage might look like this:

remctl::acl { 'accounts':
  principals => [
    # 'deny' modifies the principal entry it is paired with
    {
      'principal' => 'baduser@EXAMPLE.ORG',
      'deny'      => true,
    },
    {
      'file'      => '/etc/remctl/acl/admins',
    },
    {
      'principal' => 'service/admin@EXAMPLE.ORG',
    },
  ],
}

remctl::command { 'accounts':
  executable_path => '/usr/local/bin',
  commands        => [
    {
      'subcommand' => 'create',
      'executable' => 'doaccount',
      'acl'        => ['/etc/acl/group1','/etc/acl/group3'],
    },
    {
      'subcommand' => 'delete',
      'executable' => 'doaccount',
      'acl'        => '/etc/acl/group3',
    },
    {
      'subcommand' => 'view',
      'executable' => 'doaccount',
      'acl'        => 'ANYUSER',
    },
    {
      'subcommand' => 'password',
      'executable' => 'dopasswd',
      'options'    => { 'logmask' => '3', },
      'acl'        => '/etc/acl/group1',
    },
    {
      'command'    => 'printing',
      'subcommand' => 'ALL',
      'executable' => '/usr/bin/printthing',
      'acl'        => '/etc/acl/group2',
    },
    # Compact string form: a literal remctld(8) command line
    'other do /usr/local/bin/otherthing /etc/acl/group1',
  ],
}

Note that the commands and ACL definitions may include hashes, allowing verbosity, or strings, allowing compactness. The strings must be valid lines for the respective listing; see man remctld(8) for proper syntax.
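Because the compact string form must already be a valid remctld(8) command line, it can be linted before it goes into a manifest. The following is an added example, not code from this module: the sample lines are constructed, and treating a token as an option when it is a lowercase name followed by '=' is a simplifying assumption.

```python
import re

# Constructed sample, modelled on the 'accounts' example on this page.
# Syntax: command subcommand executable [option=value ...] acl [acl ...]
SAMPLE = """\
accounts create /usr/local/bin/doaccount /etc/acl/group1 /etc/acl/group3
accounts view /usr/local/bin/doaccount ANYUSER
accounts password /usr/local/bin/dopasswd logmask=3 /etc/acl/group1
printing ALL /usr/bin/printthing /etc/acl/group2
other do otherthing /etc/acl/group1
broken line
"""

OPTION = re.compile(r"^[a-z]+=")  # assumption: options look like name=value

def parse_line(line):
    """Return a dict for one command line, or None for blanks and comments."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    if len(fields) < 4:
        raise ValueError("need command, subcommand, executable and an ACL")
    command, subcommand, executable, *rest = fields
    options = {}
    while rest and OPTION.match(rest[0]):
        key, _, value = rest.pop(0).partition("=")
        options[key] = value
    if not rest:
        raise ValueError("no ACL after the options")
    return dict(command=command, subcommand=subcommand, executable=executable, options=options, acl=rest)

def audit(text):
    """Return (line number, finding) pairs for entries worth a second look."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        try:
            entry = parse_line(line)
        except ValueError as err:
            findings.append((number, f"invalid: {err}"))
            continue
        if entry is None:
            continue
        if "ANYUSER" in entry["acl"]:
            findings.append((number, "ANYUSER: any authenticated principal may run this"))
        if entry["subcommand"] == "ALL":
            findings.append((number, "ALL: every subcommand reaches this executable"))
        if not entry["executable"].startswith("/"):
            findings.append((number, "executable is not a fully qualified path"))
    return findings
```

`audit(SAMPLE)` flags the ANYUSER entry, the ALL subcommand, the relative executable and the malformed line.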


Usage

Class ::remctl

For the remctl base class, each of the options for the puppetlabs/xinetd class is broken out as xinetd_{optionname}. Additionally, each option for puppetlabs/xinetd::service is broken out as remctl_xinetd_{optionname}. Aside: perhaps this naming scheme isn't the best. If you'd like to change it, see the contribution guide at the bottom of this document!

The unique options for the base class follow. The defaults are all based on RHEL6; similar defaults are in place for other distributions. If your distro isn't included, feel free to contribute! Again, just see the end of the document for more info.



String: defaults to '/etc/remctl/acl'. The directory that remctl ACLs are stored in.


String: defaults to '/etc/remctl/conf.d'. The directory the command module's command listing files are stored in.


String: defaults to '/etc/remctl.conf'. The file that the remctl daemon reads from; this file only contains an 'include $remctl::confdir'.


Boolean: defaults to true. Whether to install the 'remctl' package(s).


(optionally Array of) String: defaults to 'remctl'. The name of the package for remctl.


String: defaults to 'latest'. The ensure state of the remctl package.


Array of String: defaults to ['/etc/remctl']. A list of folders to ensure exist for this class; used for the parent folders of $remctl::acldir and $remctl::confdir.

Definition ::remctl::acl

There is only one, required, parameter for the acl definition. The title of the remctl::acl{} is the filename for the ACL under the directory $remctl::acldir.



principals

Array of ( String | Hash ). Required. An ordered list of principals to insert into the ACL. Valid hash options below. Note that there are no required parameters, but at least one of ( file | principal | gput | pcre | regex ) should be declared. Deny is used against one of these other types as well. If a string is used, it must be a valid line as per man remctld(8).

Hash keys for principals


deny

Boolean: false if unset. If set and set to true, deny this principal access.

file

String. Filename of ACL to additionally include.

gput

String. Global Privileged User Table type. See man remctld(8). Unsupported in standard RHEL6 install; use only if you know your version supports it.

pcre

Regex|String. A Perl-compatible regular expression. See man remctld(8) for more info.

principal

String. The name of a specific principal to allow (the most common option). If allowing all users, use '

regex

Regex|String. Likely an alias for pcre, this is, just as it says on the tin, a regular expression.

Definition ::remctl::command

There are two parameters for the command definition. The title of the remctl::command{} is the filename for the configuration file under $remctl::configdir that these commands are inserted into.



executable_path

String. Optional. The default path for the executables. Note that if no executable_path is given, and a command listing's executable isn't a fully qualified path, the manifest fails. Note that this is not a search path, but a single directory.

commands

Array of ( String | Hash ). Required. An ordered list of commands to insert into the command listing. Valid hash options below. If using a string, it must be a valid line as per man remctld(8).

Hash keys for commands


command

String: defaults to the title of the remctl::command{} call. Required. The name of the command to allow from the remote client.

subcommand

String. Required. A subcommand name that can allow for different command options upon calling. To expect no subcommand, use 'EMPTY', and to allow any subcommand, use 'ALL'.

executable

String. Required. If not a fully qualified path, defaults to "$remctl::command::executable_path/$executable" if $remctl::command::executable_path is set; otherwise (if it's not a fully qualified path), the manifest fails. This is the executable called by remctl when this command and subcommand are encountered.

options

Hash of 'option'=>value | String. Optional. For the list of valid option=value pairs, see man remctld(8). String is not parsed for validity, but should be valid, as 'option1=value1 option2=value2'.

acl

String | Array of String. Required. Fully-qualified path(s) for the ACL file(s) that list principals to allow for this command. Note that this may also be a single 'princ:someuser' or 'ANYUSER'. Basically, any valid line for an acl, as in man remctld(8).


Limitations

This module has only been tested on RHEL6 so far; to add support for your distribution, contribute sane defaults as per the contribution note, below.


Development

To request a feature or report a bug, use the project's GitHub issue tracker.

If you want to take a stab at the feature or bug yourself, or one that's already in the tracker, fork the repo, do some stuff, make sure that the specs are updated (and that rspec doesn't fail), and submit a pull request.