On Thursday, August 9, 2012 3:32:40 PM UTC-5, banjer wrote:
>
> I am attempting to remove an old ssh host key from
> /etc/ssh/ssh_known_hosts. In my manifest, I have the following:
>
> # add keys
> @@sshkey { $hostname:
>   ensure => present,
>   type => "rsa",
>   key => $sshrsakey,
> }
>
> # remove key
> @@sshkey { "foohost":
>   ensure => absent,
>   type => "rsa",
> }
>
> Sshkey <<| |>>
>
> But I get this error on puppet agents:
>
> root@harper~> puppet agent -t
> info: Retrieving plugin
> info: Loading facts in datacenter
> info: Loading facts in datacenter
> err: Could not retrieve catalog from remote server: Error 400 on SERVER:
> Another local or imported resource exists with the type and title
> Sshkey[foohost] on node harper
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
>

Yes, exported resources need to be unique across the site, where "unique" is determined based on type and title. Also, you cannot collect an exported resource whose type and title are the same as a local resource.

If the node that exported Sshkey[foohost] has been decommissioned then cleaning its configuration from your storeconfigs DB should get you 90% of the way to where you want to be. For the other 10%, change the explicit Sshkey[foohost] declaration from an exported to a local one, else every node will try to export it. That might not be a deal killer, now that I think about it, but it's certainly ugly.

> The "add keys" piece above has always worked great for dynamically adding
> to/managing the ssh_known_hosts file, but this is the first time I've tried
> to do 'ensure => absent' for a specific host's old key. I should note that
> the old host "foohost" had its OS rebuilt (was SLES, now CentOS) and I used
> the old IP on the new host. Not sure if that would affect it.

If there is a new foohost that is exporting a new key, then none of this should be necessary. Puppet ought to replace the old ssh_known_hosts entry with the new one.

> The best I could find via Google was
> http://projects.puppetlabs.com/issues/11629, but it doesn't provide any
> clues as to what needs to be cleaned out or if my manifest syntax is off.
> I also tried adding "Sshkey <<| |>>" after "add keys" AND after "remove
> key".

Collecting the same resources twice, or collecting them at a different place in your manifest, still leaves you with duplicate resource declarations.

> I think I need to clean out stale something-or-other for foohost on all my
> nodes. Any ideas? Thank you thank you.

If there is a new "foohost" client then you may not need to do anything. If not, then yes, you should clear its configuration out of your storeconfigs DB.

John

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/7ofQk9-yt4oJ.
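
The change described in the reply above, written out as an added example that is not part of the original thread: the removal is declared as a local resource instead of an exported one. It assumes the decommissioned node's configuration has already been cleaned from the storeconfigs DB and that no current node exports an Sshkey titled "foohost".

```puppet
# Added example, not from the thread. Assumes the stale exported
# Sshkey[foohost] is gone from storeconfigs and that no live node
# exports a resource with that title.

# Every node still exports its own host key.
@@sshkey { $hostname:
  ensure => present,
  type   => 'rsa',
  key    => $sshrsakey,
}

# Local declaration (no @@): each node removes the stale entry from its
# own ssh_known_hosts, and nothing is written to the storeconfigs DB,
# so the (type, title) pair is not exported by every node.
sshkey { 'foohost':
  ensure => absent,
  type   => 'rsa',
}

# Collect the keys exported by all nodes. This fails with the
# "Another local or imported resource exists" error if any node
# still has an exported Sshkey[foohost] in storeconfigs.
Sshkey <<| |>>
```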