[Puppet Users] class include order

2010-11-29 Thread walexey
puppet 2.6.3

How can I make this work?

class a {
  if ($b::x) { notify { "yeah!": } }
}

class b {
  $x = true
}

node base {
  include a
}

node test inherits base {
  include b
}

Currently I get "Could not look up qualified variable 'b::x'; class b
has not been evaluated"

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.



Re: [Puppet Users] class include order

2010-11-29 Thread Peter Meier
> currently i got  "Could not look up qualified variable 'b::x'; class b
> has not been evaluated"

Node Inheritance isn't working the way you are assuming it should work [1].

I would generally get rid of any node inheritance.

~pete

[1]
http://projects.puppetlabs.com/projects/1/wiki/Frequently_Asked_Questions#Node+Inheritance+and+Variable+Scope




[Puppet Users] Re: class include order

2010-11-29 Thread Bill Proud
The following would work:

class a {
  if $x { notify { "yeah!": } }
}

node base {
  $x = true
}

node test inherits base {
  include a
}


On Nov 29, 12:21 pm, walexey  wrote:
> puppet 2.6.3
>
> How i can make this work?
>
> class a {
>  if ($b::x) { notify "yeah!" }
>
> }
>
> class b {
>  $x=true
>
> }
>
> node base {
>  include a
>
> }
>
> node test inherits base {
>  include b
>
> }
>
> currently i got  "Could not look up qualified variable 'b::x'; class b
> has not been evaluated"

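
As an added example (not code from the thread), one way to resolve the lookup failure without node inheritance: class a includes class b itself, so b is evaluated before `$b::x` is read, and the include order in the node declarations no longer matters. Class and variable names are the poster's; the node names and notify title are assumptions.

```puppet
# Added example: make class b's variable available to class a.
# "$b::x" can only be resolved after class b has been evaluated, so class a
# declares that dependency itself instead of relying on node include order.
class b {
  $x = true
}

class a {
  include b                  # evaluates b (at most once) before the lookup
  if $b::x {
    notify { 'yeah!': }
  }
}

# Plain nodes without inheritance: the order of the includes here no
# longer matters, and including b a second time is harmless.
node 'base' {
  include a
}

node 'test' {
  include b
  include a
}
```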



[Puppet Users] Re: Class inheritance

2010-11-29 Thread jcbollinger


On Nov 24, 9:37 am, Chris C  wrote:
> I was able to get override to work correctly.

I'm glad to hear it.

> My classes are inheriting each other.  prac inherits all_hosts_redhat which
> inherits all_hosts.
> I cleaned up some unnecessary duplicate checks like chmod and own.
> I changed the definition to the overridden file to File['/etc/motd'] { 
> I also set a variable at the top of the class so I can easily override
> content source

A class defining the common elements for all managed systems seems a
relatively common practice.  It works for many people, but the devil
is in the details.

[...]

> > >   When I do a puppetd --test the content of motd flip flops
> > > between the two classes.
>
> > That's surprising, because
>
> > a) unless its hostname changes or your manifests change, each node
> > will get only one definition of File["/etc/motd"], and besides,
> > b) both definitions you have shown point to the same file. (*)
>
> > (*) Filesystem paths are resolved on the client, and it looks like in
> > your case the file is remote, so you might be getting changes either
> > because a different remote filesystem is mounted at different times or
> > because the remote file is changing.
>
> Maybe I found a bug.  Does Puppetlabs pay like Mozilla pays?  ;)

Not like Mozilla pays, no.  Puppetlabs pays for accepted bug reports
by giving you the fixed version, when it's ready, free of charge.  In
fact, you could consider filing good bug reports to be a quid pro quo
for Puppetlabs having given you Puppet in the first place.

> > 1) Organize your manifests into modules.  It is never too early to do
> > this.
>
> What do you mean by this?  I thought my manifest was modular?

I mean "module" in its Puppet-specific sense.  See
http://docs.puppetlabs.com/guides/modules.html.

> > 3) Where you want Puppet to manage individual files (such as /etc/
> > motd), use its built-in file server.  Refer clients to this by using a
> > "source" URL of the form "puppet:".
>
> Is using the puppet fileserver high performance?  I'm expecting to have
> 300-500 clients.  These VMs just keep popping up like daisies in my lawn.

If you anticipate that many clients then you should be running Puppet
itself behind Apache httpd, via Passenger.

Whether Puppet's file serving performance suffices depends on many
parameters, some of them external to Puppet itself.  I think the file
server's inherent efficiency is reasonably good, but you should be
aware that however files are served, Puppet uses checksumming (MD5 by
default) when managing them to determine which need to be synced.  You
can instruct Puppet to use modification time instead, which will
greatly speed it up at the cost of reducing its reliability for
detecting out-of-sync files.

> My intention is to use Puppet to manage the content of our public website.
> Our website is extensive.

Honestly, I don't think that's a great idea.  Puppet will be good for
managing the servers themselves, but not so much for directly managing
their extensive web content.  Have you considered instead using a
version control system, such as Subversion or git?  Puppet can easily
manage a cron job to periodically pull down changes, or you could use
an exec to have Puppet pull down changes itself on every run.  Among
the advantages of doing it this way:

a) easy reversion of errors

b) content changes are traceable to specific users

c) web developers don't interact with Puppet


Cheers,

John




Re: [Puppet Users] Re: Class inheritance

2010-11-29 Thread Nigel Kersten
On Mon, Nov 29, 2010 at 6:46 AM, jcbollinger  wrote:
>
>
> On Nov 24, 9:37 am, Chris C  wrote:
>> I was able to get override to work correctly.
>
> I'm glad to hear it.
>
>> My classes are inheriting each other.  prac inherits all_hosts_redhat which
>> inherits all_hosts.
>> I cleaned up some unnecessary duplicate checks like chmod and own.
>> I changed the definition to the overridden file to File['/etc/motd'] { 
>> I also set a variable at the top of the class so I can easily override
>> content source
>
> A class defining the common elements for all managed systems seems a
> relatively common practice.  It works for many people, but the devil
> is in the details.
>
> [...]
>
>> > >   When I do a puppetd --test the content of motd flip flops
>> > > between the two classes.
>>
>> > That's surprising, because
>>
>> > a) unless its hostname changes or your manifests change, each node
>> > will get only one definition of File["/etc/motd"], and besides,
>> > b) both definitions you have shown point to the same file. (*)
>>
>> > (*) Filesystem paths are resolved on the client, and it looks like in
>> > your case the file is remote, so you might be getting changes either
>> > because a different remote filesystem is mounted at different times or
>> > because the remote file is changing.
>>
>> Maybe I found a bug.  Does Puppetlabs pay like Mozilla pays?  ;)
>
> Not like Mozilla pays, no.  Puppetlabs pays for accepted bug reports
> by giving you the fixed version, when it's ready, free of charge.  In
> fact, you could consider filing good bug reports to be a quid pro quo
> for Puppetlabs having given you Puppet in the first place.
>
>> > 1) Organize your manifests into modules.  It is never too early to do
>> > this.
>>
>> What do you mean by this?  I thought my manifest was modular?
>
> I mean "module" in its Puppet-specific sense.  See
> http://docs.puppetlabs.com/guides/modules.html.
>
>> > 3) Where you want Puppet to manage individual files (such as /etc/
>> > motd), use its built-in file server.  Refer clients to this by using a
>> > "source" URL of the form "puppet:".
>>
>> Is using the puppet fileserver high performance?  I'm expecting to have
>> 300-500 clients.  These VMs just keep popping up like daisies in my lawn.
>
> If you anticipate that many clients then you should be running Puppet
> itself behind Apache httpd, via Passenger.
>
> Whether Puppet's file serving performance suffices depends on many
> parameters, some of them external to Puppet itself.  I think the file
> server's inherent efficiency is reasonably good, but you should be
> aware that however files are served, Puppet uses checksumming (MD5 by
> default) when managing them to determine which need to be synced.  You
> can instruct Puppet to use modification time instead, which will
> greatly speed it up at the cost of reducing its reliability for
> detecting out-of-sync files.
>
>> My intention is to use Puppet to manage the content of our public website.
>> Our website is extensive.
>
> Honestly, I don't think that's a great idea.  Puppet will be good for
> managing the servers themselves, but not so much for directly managing
> their extensive web content.  Have you considered instead using a
> version control system, such as Subversion or git?  Puppet can easily
> manage a cron job to periodically pull down changes, or you could use
> an exec to have Puppet pull down changes itself on every run.  Among
> the advantages of doing it this way:
>
> a) easy reversion of errors
>
> b) content changes are traceable to specific users
>
> c) web developers don't interact with Puppet

I often have trouble convincing people of this, but if you've got a
good automated package build environment, I'm a big fan of packaging
content like websites based upon tags, and then using Puppet to ensure
those packages are installed.


>
>
> Cheers,
>
> John
>



-- 
Nigel Kersten - Puppet Labs -  http://www.puppetlabs.com




[Puppet Users] custom functions in standalone mode

2010-11-29 Thread Gergely Paljak
Hi,

I am fairly new to puppet, and my question would be:

- is it possible to write new function and use them in standalone mode?
According to
http://projects.puppetlabs.com/projects/1/wiki/Writing_Your_Own_Functions
functions can only be executed on a server; is there any possibility to
overcome this in standalone?

- and is it possible to save the output of an exec resource to a puppet
variable? My workaround is to print the stdout to a file and read the file
into a puppet variable (with the file function). It works, but not the
nicest...

Thanks for your help in advance!

Cheers,
Gergely




Re: [Puppet Users] Re: pkgutil package provider (solaris)

2010-11-29 Thread Dominic Cleal
Hi Peter et al,

Sorry for arriving rather late to this thread!

On 16/11/10 10:17, Rudy Gevaert wrote:
> On Nov 12, 4:54 pm, Peter Bonivart  wrote:
>> I think the issue with "Not installed" vs. "notinst" is probably from
>> converting the pkg-get provider, if I'm not mistaken pkg-get prints
>> "Not installed" so that should just be "notinst" instead. I'm thinking
>> about adding an option for machine parseable output to make these
>> things better.
> 
> Machine parseable output would be very nice, but in my opinion not
> that 'urgent'.  We can parse it like it is.

As Rudy said, we are able to parse the pkgutil output as-is, though it
would be great if there was a "quieter" mode for pkgutil as it can be
quite noisy.  It's difficult to determine where the noise ends and the
package listings begin.

For example, with use_gpg checked, pkgutil outputs "Checking integrity"
messages and gpg itself outputs key information.  If a catalog has to be
fetched (say catalog_update is 0, or expiry has been reached), then we
get information about which files are being fetched, plus wget output
(if -q isn't used).

I intend to start up a patch thread soon on puppet-dev with the combined
commits from James, Maciej, Rudy and me to begin the process of getting
the provider included.

Regards,

-- 
Dominic Cleal
Red Hat Consulting
m: +44 (0)7818 512168




[Puppet Users] Puppet replaces deleted files

2010-11-29 Thread Os
Hi,

I am using puppet 2.6.2 and stepped over a situation, I cannot explain
to myself. So here is the deal:
- I want to source several directories and files one time to a client
- with the first puppet run, puppet should copy the files and
directories to the client to the specified location
- if files are changed in their content, puppet does not replace them

Up to this point everything works fine, but here comes the problem:
- if files are deleted, puppet "restores" them and copies them back
from the master

And that's what I do not want, I have tried several things but did not
get the trick how to prevent puppet from being so thoughtful. Can
anyone give me a hint how to stop puppet from replacing deleted files?

Here is my puppet construct:
    file { "/oracle/files/":
        source => "puppet:///modules/oracle_prereq/ORACLE_BASE",
        ensure => "directory",
        recurse => "true",
        replace => "false",
        checksum => "none",
    }

I think one problem might be the checksums, I have no clue how to
prevent puppet from checksumming those files!




[Puppet Users] Re: Puppet replaces deleted files

2010-11-29 Thread ZipKid
You should probably package these files. Then you will not have this
problem.
The replace option for the file type is NOT intended for what you are
trying.

Regards,

Stefan.

On Nov 29, 4:34 pm, Os  wrote:
> Hi,
>
> I am using puppet 2.6.2 and stepped over a situation, I cannot explain
> to myself. So here is the deal:
> - I want to source several directories and files one time to a client
> - with the first puppet run, puppet should copy the files and
> directories to the client to the specified location
> - if files are changed in their content, puppet does not replace them
>
> Up to this point everything works fine, but here comes the problem:
> - if files are deleted, puppet "restores" them and copies them back
> from the master
>
> And that's what I do not want, I have tried several things but did not
> get the trick how to prevent puppet from being so thoughtful. Can
> anyone give me a hint how to stop puppet from replacing deleted files?
>
> Here is my puppet construct:
>     file { "/oracle/files/":
>         source => "puppet:///modules/oracle_prereq/ORACLE_BASE",
>         ensure => "directory",
>         recurse => "true",
>         replace => "false",
>         checksum => "none",
>     }
>
> I think one problem might be the checksums, I have no clue how to
> prevent puppet from checksumming those files!




Re: [Puppet Users] Re: Puppet replaces deleted files

2010-11-29 Thread Mohit Chawla
On Mon, Nov 29, 2010 at 9:21 PM, ZipKid  wrote:

> You should probably package these files. Then you will not have this
> problem.
> The replace option for the file type is NOT intended for what you are
> trying.
>

Sorry for barging in, but "package" the files, in the sense... ?




[Puppet Users] Combine multiple CA certificates into a bundle

2010-11-29 Thread Alan Barrett
I am struggling with using multiple puppet CAs.  I think I am missing
information about which files are used for which purposes by different
parts of puppetmasterd, puppetd, puppetca, and the apache/passenger
frontend.

I have an old puppetmaster (and CA), which signed certificates for old
clients.  I want to add a new puppetmaster (and CA) and let it sign
certificates for new clients.  I want any client (old or new) to be able
to work with any master (old or new).  I would prefer not to have to set
up a centralised CA hierarchy; the self-signed CA certificates would be
good enough if I could just figure out how to combine them into usable
bundles.

It seems to me that I should be able to take the $ssldir/ca/ca_crt.pem
files from the two puppetmasters, concatenate them to create a
ca-bundle.pem file, and place the bundle in some suitable place where
any client or server can use the bundle to verify certificates from any
CA.  I haven't been able to figure out where that suitable place is.
Help?

--apb (Alan Barrett)




Re: [Puppet Users] Re: Puppet replaces deleted files

2010-11-29 Thread Adam Gibbins
On Mon, Nov 29, 2010 at 3:54 PM, Mohit Chawla  wrote:

> On Mon, Nov 29, 2010 at 9:21 PM, ZipKid  wrote:
>
>> You should probably package these files. Then you will not have this
>> problem.
>> The replace option for the file type is NOT intended for what you are
>> trying.
>>
>
> Sorry for barging in, but "package" the files, in the sense... ?
>

As in using your operating system's package management.  If you're running
Debian/Ubuntu that'll be a .deb, if you're using RedHat/CentOS/Fedora
that'll be an .rpm.




Re: [Puppet Users] Combine multiple CA certificates into a bundle

2010-11-29 Thread Alan Barrett
On Mon, 29 Nov 2010, Alan Barrett wrote:
> I am struggling with using multiple puppet CAs.  I think I am missing
> information about which files are used for which purposes by different
> parts of puppetmasterd, puppetd, puppetca, and the apache/passenger
> frontend.

For example, which file on the puppetmaster ends up being copied
to $localcacert on the client?  Neither of the files referred
to by the puppet.conf variables [puppetmasterd].cacert or
[puppetmasterd].localcacert seems to be copied to the client.

(Running puppet 0.25.5 on all masters and clients.)

--apb (Alan Barrett)




[Puppet Users] Re: Multiple CA / Puppet master environment

2010-11-29 Thread CraftyTech
I'm only using one master for CA (following http://bodepd.com/wordpress/?p=7).
But When I run puppetd -t from a client, against an alternate master
(puppetd -t --server alt_master.domain.com), I get "err: Could not
retrieve catalog from remote server: hostname not match with the
server certificate".  Shouldn't I be able to run puppet against any of
the masters?

Thanks,



On Nov 18, 3:43 pm, Nigel Kersten  wrote:
> On Thu, Nov 18, 2010 at 12:01 PM, Scott Smith  wrote:
> > Puppetmasters (the puppetmasterds serving catalogs) don't need access to the
> > same SSL dir the Puppet CA (the puppetmasterd signing and revoking certs).
> > But, they do need to share the private key for presenting thecertificate
> > for puppet.domain.com. And the CRL as well, if you use it. That directory
> > doesn't have to be shared via NFS. You could rsync the ssl directory between
> > your puppetmasters.
>
> Absolutely. I just try to avoid NFS where possible.
> > On Thu, Nov 18, 2010 at 9:00 AM, Nigel Kersten  wrote:
>
> >> I think it's a bad idea to deal with the overhead of an NFS mount when
> >> you have a dedicated puppet CA, as on your non-CA servers there should
> >> be no need to ever write to that directory.
>
> >> On Wed, Nov 17, 2010 at 7:55 PM, Scott Smith  wrote:
> >> > Oh, that's for sharing the puppetmaster SSL keypair between each other,
> >> > that's all.
>
> >> > On Nov 17, 2010 3:53 PM, "Nigel Kersten"  wrote:
> >> >> On Wed, Nov 17, 2010 at 1:29 PM, Scott Smith  wrote:
> >> >>> nfs mount the puppetmaster ssl dir. separate puppetca (set on clients)
> >> >>> play
> >> >>> with it and you'll figure it out :)
>
> >> >> Why do you need to nfs mount the puppetmaster SSL dir in this case
> >> >> Scott?
>
> >> >> There's no state to be shared if you're operating with a dedicated
> >> >> puppetca.
>
> >> >>> On Nov 11, 2010 9:18 AM, "luke.bigum" 
> >> >>> wrote:
> >>  Hi,
>
> >>  Does anyone know if this document is up to date (besides the comment
> >>  at the top saying it's not):
>
> >> http://projects.puppetlabs.com/projects/1/wiki/Multiple_Certificate_A...
>
> >>  Or does anyone who has a load balanced multi puppet master with some
> >>  kind of shared CA confirm that the procedure is accurate?
>

[Puppet Users] Re: Managing a "complex" directory structure

2010-11-29 Thread jcbollinger

On Nov 25, 6:22 pm, Lars Francke  wrote:
> I don't understand how I'd convert the definitions from my original
> mail into virtual resources.

You wouldn't convert the definitions themselves, but rather their
instantiations.  Alternatively, you might convert the definitions to
*use* virtual resources, but instantiate them non-virtually.  For
example,

define foo() {
  @file { "${name}/foo": }
}

define bar(...) {
  realize File["${name}/foo"]
  ...
}

class baz {
  foo { "bat": }
  bar { "bat": }
}


Having now looked a little more deeply at your problem, however, I
think that's putting the cart before the horse.  You need to
redesign / refactor (more on that below).

> Simplified:
> $disks = ['/a', '/b']
>
> define foo() {
>   file { "${name}/foo": }}
>
> foo { $disks: }
>
> define bar($path) {
>   file { "${name}/foo/${path}":
>     require => Foo[$name],
>   }}
>
> bar { $disks:
>   path => "bar",
>
> }
>
> And I require those things in multiple classes.
> I think this works but apart from being ugly it does not work when
> requiring foo from multiple classes. I also cannot require bar
> multiple times with different paths because the name is the same (the
> array) and I don't know how to get around that. Which kinda defeats
> the variability of the define.


You should not think of defines as macros or functions, or even as a
special kind of class.  They are essentially custom resource types,
akin to File and Service.  As such, (a) the titles provided in their
instantiations must each identify a specific logical object to manage,
(b) you cannot instantiate a define multiple times with the same
title, and thus (c) one set of their parameters must provide all the
needed details for one object.  All that is just like any other
resource declaration.


> I also don't understand how to convert foo to a virtual resource
> definition. I need to change it to this:
> @foo { $disks: }
>
> and then in bar just add this: Foo <| |> ?

Yes, that's about right.  You can also put selection predicates inside
the brackets to limit which Foos are realized.  Alternatively, you can
use the "realize" function instead of bracket notation if you know
exactly which virtual Foos you want to realize.

But none of that is going to solve your particular problem, because
even if you instantiate your defines virtually, you still can provide
only one set of parameters for each title within the scope of each
node.  Basically, this part of your design concept (define "bar") does
not fit the Puppet model.

I think the bar / hadoop_sub_directory define needs to be removed
altogether.  You may be able to replace some or all of its intended
function with ordinary File resources in conjunction with suitably-
scoped File property defaults.  You may simply need to be a little
more verbose and / or repetitious in your manifests.  You may need or
want to refactor some of the classes that use these defines.


> Any help would be really appreciated. I must have read the
> documentation four bajillion times now but parts of it it still make
> no sense to me. I especially have trouble understanding Virtual
> resources,

Getting your head around virtual resources can take some effort, but
once you've got it, they're really not that hard.  A virtual resource
declaration (including a virtual definition instantiation) is
identical to an ordinary one except

1) it has an @ sigil in front of it, and

2) its effect is only to set the properties of the declared resource,
not to instruct Puppet (as non-virtual declarations do) to *apply* the
resource to the current node.

To make that useful in light of (2), a set of manifests in which a
virtual declaration is included can instruct Puppet to apply the
resource either by means of the <| |> notation or by calling the
"realize" function.  The two realization methods have identical
effects on affected resources.  Each realization is an instruction to
Puppet that the specified resource should be included, once only, in
the catalog for the relevant node.  Multiple realizations are thus
redundant, but consistent, as each one tells Puppet the same thing.

> calling a define/resource with an array

You may help yourself by thinking in terms of "declaring" a resource
or definition instance, rather than in terms of "calling" these.
"Calling" is associated (at least for me) with functions, and these
don't work like functions.

In any event, declaring a resource or definition instance using an
array for the title is just shorthand for multiple declarations, one
for each element of array, each with identical properties except for
the title.  In the body of a definition, the title may be referenced
as $name, and therefore it may influence the properties of resources
declared within.  That in no way changes the semantics and
requirements of resource declarations.

> and requiring
> virtual resources and defines.

If you mean "realizing" virtual declarations, I've covered that above
as best I can.  If you actually d

[Puppet Users] Re: User management

2010-11-29 Thread jcbollinger

> Basically what I'm asking, does this seem sane to more experienced people, or 
> am I setting myself up for pain?

I do it pretty much like that, and it works for me.  A couple things,
though:

1) unless you intend for your user::admins and user::notadmins classes
to override properties of your virtual users, they should "include"
the user::virtual class instead of inheriting from it (the BP example
notwithstanding)

2) your virtual User declarations should each "require" the
appropriate Group to ensure that it is present before any of its users
are managed.  (The relative order in which you declare or realize them
cannot ensure this.)  The groups being declared virtually does not
pose a problem for that.


Cheers,

John

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.



Re: [Puppet Users] Combine multiple CA certificates into a bundle

2010-11-29 Thread Alan Barrett
On Mon, 29 Nov 2010, Alan Barrett wrote:
> It seems to me that I should be able to take the $ssldir/ca/ca_crt.pem
> files from the two puppetmasters, concatenate them to create a
> ca-bundle.pem file, and place the bundle in some suitable place where
> any client or server can use the bundle to verify certificates from
> any CA.  I haven't been able to figure out where that suitable place
> is.  Help?

I have a ca-bundle.pem file which contains the concatenation of the ca.pem
files from the two CAs.

I make both cacert and localcacert on the puppetmaster refer to that file:

   # extract from puppet.conf
   [puppetmasterd]
   cacert = $ssldir/certs/ca-bundle.pem
   localcacert = $ssldir/certs/ca-bundle.pem

The first time I run puppetd on the client it creates
/etc/puppet/ssl/certs/ca.cert with the wrong contents (the cert from
the master that it's talking to at the moment, not the bundle that I want).

I manually replace the client's /etc/puppet/ssl/certs/ca.cert with a
copy of the bundle.

Now the openssl tests described near the end of 

work.  On the master, I run

cd /etc/puppet/ssl
openssl s_server -Verify 10 \
-cert ./certs/${server_fqdn}.pem \
-key ./private_keys/${server_fqdn}.pem \
-CAfile ./certs/ca-bundle.pem

On the client, I run:

cd /etc/puppet/ssl
openssl s_client -connect ${server_fqdn}:4433 -verify 10 \
-cert ./certs/${client_fqdn}.pem \
-key ./private_keys/${client_fqdn}.pem \
-CAfile ./certs/ca.pem # a copy of ca-bundle.pem

and the client successfully connects to the server, and they like
each other's keys and certificates.

If I keep exactly the same openssl s_server running on the puppetmaster,
and run puppetd instead of openssl s_client on the client side, it fails.
I run this command:

puppetd --onetime --test --debug \
--server=${server_fqdn} --masterport=4433

and it prints several messages about "debug: /File[foo]: Autorequiring
File[bar]", then this:

debug: Using cached certificate for ca
debug: Using cached certificate for ${server_fqdn}
debug: Using cached certificate_revocation_list for ca
debug: catalog supports formats [blah blah]; using pson
err: could not retrieve catalog from remote server: \
SSL_connect returned=1 errno=0 \
state=SSLv3 read server certificate B: certificate verify failed

On the server side (the openssl s_server process, not puppet), I see this:

ACCEPT
ERROR
29884:error:14094418:SSL routines:SSL3_READ_BYTES:\
tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48
shutting down SSL
CONNECTION CLOSED

So, it seems that the puppetd client is doing something different from
the "openssl s_client" command used for testing.  What certificate is
the puppetd client attempting to present, and how can I change that?

There's no apache+passenger in this test, but in reality I would be
using that on the server.  This is puppet 0.25.5.

--apb (Alan Barrett)




Re: [Puppet Users] Thoughts on dropping 0.24.x client support in Puppet 2.7?

2010-11-29 Thread Stefan Schlesinger

On Nov 25, 2010, at 07:43 , Patrick wrote:

> On Nov 24, 2010, at 3:50 PM, Nigel Kersten wrote:
> I mentioned this in an earlier thread, but here's a dedicated one.
>> 
>> We made a big change between 0.24.x and 0.25.x where we moved from
>> XMLRPC to REST.
>> 
>> How do people feel about us dropping all XMLRPC support from 2.7.x,
>> such that it only supported Puppet clients 0.25.x and higher?
> 
> I don't need it, but at the very least, I think that doing that before Debian 
> stable picks up 0.25.x is probably a terrible idea.

Guys, I'm a bit confused ... Debian/stable won't pick up 0.25.x
anymore anyways.

A list of Puppet versions in Debian:

lenny (stable): 0.24.5-3
backports:      2.6.2-1~bpo50+1
squeeze:        2.6.2-1
sid:            2.6.2-2
experimental:   2.6.3-1

So the upcoming stable release will at least include 2.6.2. I'm
not sure yet, whether they will even be trying to get 2.6.3 into
squeeze, since they also got 2.6.2 into it after the official
freeze.

So if you are still running lenny boxes as soon as 2.7 will be out
and you are going to mix *lenny* puppet agents with *sid* puppet
masters you could still use the 2.6.2 packages which are already
in backports.


Basically, at least for Debian, I see no reason why it would be a
bad idea for Puppetlabs to drop the support for pre 0.25.x
clients.


Regards,

Stefan.




[Puppet Users] easy to way to track clients checking in?

2010-11-29 Thread David Birdsong
I've been wrestling to get the puppet ca server to sign client certs
and have them successfully reconnect later.  I think I've done:
find /var/lib/puppet/ -type f  -delete ; sudo find /etc/puppet/ssl
-type f -delete ;  sudo /usr/sbin/puppetd --server puppet -d -o
--no-daemonize  --waitforcert 2
...to all my hosts at least 10 times now.

Occasionally I get the:
err: Could not retrieve catalog from remote server: undefined method
`closed?' for nil:NilClass

...which, if I simply restart puppetmasterd, resolves the issue for a
given host.

In debugging all of this, I had to come up with a way to detect hosts
out of sync--ie hosts that should have had an update, but for whatever
reason are unable to fetch or apply their catalog.  What I've been
doing is to distribute /etc/sudoers via puppet, make a change to
sudoers (which happens naturally anyway), wait for the client poll
interval to pass (actually 2x the poll interval), then run through the
fleet looking for out of date md5sums of /etc/sudoers to flag a host
that is having puppet agent problems.

I am in cert hell, but I'm faithful that I can climb out of this hell.
Is there any tool on the server side that could help indicate failing
puppet agents?  cfengine had --last-seen and displayed how long since
an agent had successfully pulled down cf files.  If not tools, what in
the logs could I use to write my own tool?




Re: [Puppet Users] easy to way to track clients checking in?

2010-11-29 Thread Brian Gallew
Personally, I like Foreman for doing that, especially once I've patched it
to make certain Foreman-specific variables set by the report processor.  In
theory Dashboard will do the same thing, though I've never been able to get
it to work reliably (incompatible gem set).

And of course, there's always the old standby of looking in
/var/lib/puppet/reports for directories that haven't been updated in a
while.


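The "old standby" from the reply above (look for report directories that have not changed lately) as a script, added here and not taken from the thread; it assumes the store report processor's one-directory-per-host layout under the master's reportdir (/var/lib/puppet/reports above) and builds a constructed sample tree to run against.

```shell
#!/bin/sh
# Added example, not from the thread: list hosts whose directory under the
# master's report directory has received no new report within the expected
# agent run interval. The layout (reportdir/<host>/<timestamp>.yaml) is what
# the store report processor writes; the sample tree below is constructed.
set -eu

# stale_hosts REPORTDIR MINUTES: print the name of every host directory in
# REPORTDIR that holds no report file newer than MINUTES minutes.
stale_hosts() {
  reportdir=$1; limit=$2
  for hostdir in "$reportdir"/*/; do
    [ -d "$hostdir" ] || continue
    host=${hostdir%/}; host=${host##*/}
    # any report file younger than the limit means the agent is checking in
    fresh=$(find "$hostdir" -type f -mmin -"$limit" | head -n 1)
    [ -n "$fresh" ] || echo "$host"
  done
}

# make_sample_reports: constructed reportdir with one host reporting now and
# one whose last report dates from 2010; prints the directory path.
make_sample_reports() {
  sample=$(mktemp -d)
  mkdir -p "$sample/fresh.example.com" "$sample/stale.example.com"
  touch "$sample/fresh.example.com/now.yaml"
  touch -t 201011290000 "$sample/stale.example.com/old.yaml"
  echo "$sample"
}

SAMPLE=$(make_sample_reports)
stale_hosts "$SAMPLE" 60   # prints: stale.example.com
```

Run it against the real reportdir with a limit of about twice the agent's runinterval, the same margin the original poster used for his sudoers check.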



Re: [Puppet Users] Combine multiple CA certificates into a bundle

2010-11-29 Thread Patrick

On Nov 29, 2010, at 10:13 AM, Alan Barrett wrote:

> On Mon, 29 Nov 2010, Alan Barrett wrote:
>> It seems to me that I should be able to take the $ssldir/ca/ca_crt.pem
>> files from the two puppetmasters, concatenate them to create a
>> ca-bundle.pem file, and place the bundle in some suitable place where
>> any client or server can use the bundle to verify certificates from
>> any CA.  I haven't been able to figure out where that suitable place
>> is.  Help?
> 
> So, it seems that the puppetd client is doing something different from
> the "openssl s_client" command used for testing.  What certificate is
> the puppetd client attempting to present, and how can I change that?

Run this on the client for the config puppet is using:
puppetd --genconfig

Technically this won't actually use information passed to the puppet executable
via flags by whatever starts the service, but this usually doesn't matter.

If that is too much information try:
puppetd --genconfig | grep host | grep .pem

You will probably need to run these as root to get the correct config.




Re: [Puppet Users] easy to way to track clients checking in?

2010-11-29 Thread Patrick

On Nov 29, 2010, at 12:55 PM, David Birdsong wrote:

> I've been wrestling to get the puppet ca server to sign client certs
> and have them successfully reconnect later.  I think I've done:
> find /var/lib/puppet/ -type f  -delete ; sudo find /etc/puppet/ssl
> -type f -delete ;  sudo /usr/sbin/puppetd --server puppet -d -o
> --no-daemonize  --waitforcert 2
> ...to all my hosts at least 10 times now.
> 
> Occasionally I get the:
> err: Could not retrieve catalog from remote server: undefined method
> `closed?' for nil:NilClass

This error is a bug that is fixed in later versions of puppet.  It means, 
something went wrong (this might be your fault) and the cleanup code failed 
(this part isn't your fault).

More information at:
http://projects.puppetlabs.com/issues/3101

Fixed in 0.25.5 and 2.6.x.




[Puppet Users] 2.6.3 differs in behavior from 2.6.1

2010-11-29 Thread Brian Gallew
Before I go and write yet another custom fact, I just want to be sure that
the behavior I'm seeing is "as designed" rather than a regression.

When I ran 2.6.1, I had the following snippets working as expected:
base/manifests/minimal.pp:

  class {"ssh::sshd_config": stage => post}


ssh/manifests/init.pp:

class ssh::sshd_config {
  service{"sshserver":
name => $operatingsystem ? {
  Solaris => "/network/ssh",
  default => "sshd"
},
ensure => running
  }

  file{"/etc/ssh/sshd_config":
content => template("ssh/sshd_config.erb"),
notify => Service["sshserver"],
owner => root, group => root, mode => 0644,
  }
}


ssh/template/sshd_config.erb:

<%
my_login_groups = ['root', 'wheel', 'sysadmin']
my_login_groups << 'netdb' if classes.index('bind::server') != nil
my_login_groups << 'jira' if classes.index('jira') != nil
my_login_groups << 'archiva' if classes.index('archiva') != nil
my_login_groups << 'maven' if classes.index('maven') != nil
my_login_groups << 'oinstall' if classes.index('oracle') != nil
my_login_groups << 'dba' if classes.index('oracle') != nil
my_login_groups << 'puppet' if classes.index('puppet::master') != nil
my_login_groups << 'jboss' if classes.index('jboss') != nil
my_login_groups << 'nagios' if classes.index('nagios::server') != nil
%>
AllowGroups <%= my_login_groups.join(' ') %>


In 2.6.1, this generated an AllowGroups stanza based on the complete set of
classes assigned to any given puppet client.  In 2.6.3, however, when the
template is parsed classes contains *only* the classes that were included in
minimal.pp before the ssh::sshd_config stanza.  I was under the impression
that the intention was that evaluation order wasn't supposed to matter, so
toplevel variables like classes should be *complete* before any templates
are evaluated.

If this *is* the desired behavior then I'll just create a custom fact that
will extract the data from the classes.txt file on the client which will be
fugly but functional.  If it's not, let me know and I'll open a bug report.




Re: [Puppet Users] Re: Multiple CA / Puppet master environment

2010-11-29 Thread John Warburton
Only if all your servers use the *same* certificate and are listed as
alternate DNS names in certdnsnames. (Search the group for certdnsnames for
examples - including mine)

John

On 30 November 2010 04:24, CraftyTech  wrote:

> I'm only using one master for CA (following
> http://bodepd.com/wordpress/?p=7).
> But When I run puppetd -t from a client, against an alternate master
> (puppetd -t --server alt_master.domain.com), I get "err: Could not
> retrieve catalog from remote server: hostname not match with the
> server certificate".  Shouldn't I be able to run puppet against any of
> the masters?
>
> Thanks,
>
>
>
> On Nov 18, 3:43 pm, Nigel Kersten  wrote:
> > On Thu, Nov 18, 2010 at 12:01 PM, Scott Smith  wrote:
> > > Puppetmasters (the puppetmasterds serving catalogs) don't need access
> to the
> > > same SSL dir the Puppet CA (the puppetmasterd signing and revoking
> certs).
> > > But, they do need to share the private key for presenting
> the certificate
> > > for puppet.domain.com. And the CRL as well, if you use it. That
> directory
> > > doesn't have to be shared via NFS. You could rsync the ssl directory
> between
> > > your puppetmasters.
> >
> > Absolutely. I just try to avoid NFS where possible.
> >
> >
> > > On Thu, Nov 18, 2010 at 9:00 AM, Nigel Kersten 
> wrote:
> >
> > >> I think it's a bad idea to deal with the overhead of an NFS mount when
> > >> you have a dedicated puppet CA, as on your non-CA servers there should
> > >> be no need to ever write to that directory.
> >
> > >> On Wed, Nov 17, 2010 at 7:55 PM, Scott Smith  wrote:
> > >> > Oh, that's for sharing the puppetmaster SSL keypair between each
> other,
> > >> > that's all.
> >
> > >> > On Nov 17, 2010 3:53 PM, "Nigel Kersten" 
> wrote:
> > >> >> On Wed, Nov 17, 2010 at 1:29 PM, Scott Smith 
> wrote:
> > >> >>> nfs mount the puppetmaster ssl dir. separate puppetca (set on
> clients)
> > >> >>> play
> > >> >>> with it and you'll figure it out :)
> >
> > >> >> Why do you need to nfs mount the puppetmaster SSL dir in this case
> > >> >> Scott?
> >
> > >> >> There's no state to be shared if you're operating with a dedicated
> > >> >> puppetca.
> >
> > >> >>> On Nov 11, 2010 9:18 AM, "luke.bigum"  >
> > >> >>> wrote:
> > >>  Hi,
> >
> > >>  Does anyone know if this document is up to date (besides the
> comment
> > >>  at the top saying it's not):
> >
> > >> 
> http://projects.puppetlabs.com/projects/1/wiki/Multiple_Certificate_A...
> >
> > >>  Or does anyone who has a load balanced multi puppet master with
> some
> > >>  kind of shared CA confirm that the procedure is accurate?
> >

Re: [Puppet Users] Combine multiple CA certificates into a bundle

2010-11-29 Thread Alan Barrett
On Mon, 29 Nov 2010, Patrick wrote:
> > So, it seems that the puppetd client is doing something different from
> > the "openssl s_client" command used for testing.  What certificate is
> > the puppetd client attempting to present, and how can I change that?
> 
> Run this on the client for the config puppet is using:
> puppetd --genconfig

I use that all the time.  The file names that I passed to "openssl
s_client" are identical to those reported by "puppetd --genconfig".

Whether or not the clientcrl file (ca_crl.pem) exists seems to have
something to do with the problem but I haven't figured out the details.
If I delete that file, then the puppetd client can connect, and it
downloads a fresh copy of the CRL, after which it can no longer connect.
I have configured certificate_revocation=false on the server, but it
nevertheless sends the CRL file to the client.

--apb (Alan Barrett)




Re: [Puppet Users] Combine multiple CA certificates into a bundle

2010-11-29 Thread Eric Sorenson
Have you perhaps revoked a certificate off one CA that matched the serial 
number issued by another? And perhaps the second CA issued that particular 
serial number to the puppet server itself?  

No, I haven't done this myself, why do you ask?  *whistles tunelessly*

https://projects.puppetlabs.com/issues/4948



 - Eric Sorenson - N37 17.255 W121 55.738  - http://twitter.com/ahpook  -




Re: [Puppet Users] config settings for environments

2010-11-29 Thread John Warburton
One important thing I missed out is that I get my server name passed as an
environment variable ($SSL_CLIENT_S_DN_CN no less) because I run
puppetmaster from passenger.

John

On 29 November 2010 17:34, John Warburton  wrote:

> I am guessing this feature request didn't get submitted (well not on
> keyword config_version), and I just hit it
>
> The way I do it is that my config_version script shells out a call to the
> node classifier (I'm one of the lucky ones who has one!) and greps for the
> environment
>
> I have filed http://projects.puppetlabs.com/issues/5404
>
> John
>
>
> On 14 March 2010 04:10, Alan Barrett  wrote:
>
>> On Wed, 10 Mar 2010, Rob McBroom wrote:
>> > Hello. The documentation on using multiple environments says there are
>> > only a couple of settings that make sense per-environment (modulepath,
>> > templatedir, manifest) but it's not clear to me whether or not those
>> > are the only ones supported.
>>
>> I believe that those three are the only variables that may
>> be changed per environment.
>>
>> > Specifically, I'm trying to set config_version. Each of my
>> > environments are clones of the same git repo at different points in
>> > its history, so using git to determine a config_version should yield
>> > different results in different environments.
>>
>> Sorry, you are out of luck.  I suggest filing a feature request for the
>> environment name and/or other relevant variables to be passed to the
>> config_version script.
>>
>> --apb (Alan Barrett)
>>
-- 
John Warburton
Ph: 0417 299 600
Email: jwarbur...@gmail.com




Re: [Puppet Users] Re: Managing a "complex" directory structure

2010-11-29 Thread Lars Francke
Hello,

> But none of that is going to solve your particular problem, because
> even if you instantiate your defines virtually, you still can provide
> only one set of parameters for each title within the scope of each
> node.  Basically, this part of your design concept (define "bar") does
> not fit the Puppet model.

That's what I suspected: My brain has not yet been able to comprehend
the Puppet model completely.

> I think the bar / hadoop_sub_directory define needs to be removed
> altogether.  You may be able to replace some or all of its intended
> function with ordinary File resources in conjunction with suitably-
> scoped File property defaults.  You may simply need to be a little
> more verbose and / or repetitious in your manifests.  You may need or
> want to refactor some of the classes that use these defines.

This is the part I don't understand. The more verbose I've been the
more errors I got because of duplicate definitions etc. Which only
supports the point that I still don't "get" the Puppet model :)

> HTH,

I really do appreciate that you took the time to write such a detailed
response. I will try once more to understand what I'm doing wrong and
I'll re-read your mail a few times but I've spent so much time on this
seemingly simple directory issue that I might just have to revert to a
simple script or fabric to do this job.

But as I said: Thank you for the help - I'll try to learn something from it now.

Cheers,
Lars




Re: [Puppet Users] Combine multiple CA certificates into a bundle

2010-11-29 Thread Alan Barrett
On Mon, 29 Nov 2010, Eric Sorenson wrote:
> Have you perhaps revoked a certificate off one CA that matched the serial 
> number issued by another? And perhaps the second CA issued that particular 
> serial number to the puppet server itself?  

No, neither CA has ever revoked a certificate.  "openssl crl -text"
reports that the ca_crl.pem file contains no revocations.

--apb (Alan Barrett)

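The two-CA bundle set-up from Alan's first message in this thread, together with his later observation that the agent only fails once it holds a ca_crl.pem, reproduced with throwaway CAs as an added example that is not code from the thread. It runs "openssl verify" the way the s_client test above exercises the TLS handshake; the CA and host names, file names and config sections are constructed for the demo and are not Puppet's own layout.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuilds the two-CA bundle set-up
# described in this thread with throwaway CAs and checks, using "openssl
# verify", what a client holding that bundle can and cannot validate. CA and
# host names, file names and config sections are constructed for the demo.
set -eu

# make_ca DIR NAME: self-signed CA NAME in DIR, with a minimal config that
# also lets "openssl ca -gencrl" issue a CRL for it later.
make_ca() {
  dir=$1; name=$2
  cat > "$dir/$name.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = this_ca
[ this_ca ]
database = $dir/$name.index
serial = $dir/$name.serial
crlnumber = $dir/$name.crlnumber
new_certs_dir = $dir
default_md = sha256
default_crl_days = 1
EOF
  : > "$dir/$name.index"
  echo 01 > "$dir/$name.serial"
  echo 01 > "$dir/$name.crlnumber"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$dir/$name.cnf" -extensions v3_ca -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.pem" 2>/dev/null
}

# issue_leaf DIR CA NAME: key + certificate for NAME signed by CA (the
# equivalent of a host certificate signed by one of the two puppetmasters).
issue_leaf() {
  dir=$1; ca=$2; name=$3
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/$ca.cnf" \
    -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$ca.pem" \
    -CAkey "$dir/$ca.key" -CAcreateserial -sha256 -days 1 \
    -out "$dir/$name.pem" 2>/dev/null
}

# make_crl DIR CA: an empty CRL (no revocations, like the ca_crl.pem the
# thread inspects with "openssl crl -text") signed by CA.
make_crl() {
  dir=$1; ca=$2
  openssl ca -config "$dir/$ca.cnf" -gencrl -keyfile "$dir/$ca.key" \
    -cert "$dir/$ca.pem" -md sha256 -crldays 1 -out "$dir/$ca.crl" 2>/dev/null
}

# verify_cert CAFILE CERT [CRL]: exit status of "openssl verify"; passing a
# CRL turns on revocation checking, which is what changes for the agent
# once it has downloaded a CRL.
verify_cert() {
  if [ $# -ge 3 ]; then
    openssl verify -crl_check -CAfile "$1" -CRLfile "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# run_demo DIR: two CAs, one host cert from each, the concatenated bundle,
# and a CRL from the first CA only. Returns 0 when every expectation holds.
run_demo() {
  dir=$1
  make_ca "$dir" ca1; make_ca "$dir" ca2
  issue_leaf "$dir" ca1 host1; issue_leaf "$dir" ca2 host2
  cat "$dir/ca1.pem" "$dir/ca2.pem" > "$dir/ca-bundle.pem"  # as in the thread
  make_crl "$dir" ca1
  # 1. The bundle validates certificates issued by either CA.
  verify_cert "$dir/ca-bundle.pem" "$dir/host1.pem" || return 1
  verify_cert "$dir/ca-bundle.pem" "$dir/host2.pem" || return 1
  # 2. A ca.pem holding only one CA cannot validate the other CA's certs
  #    (the client's state before its ca.pem was replaced by the bundle).
  if verify_cert "$dir/ca1.pem" "$dir/host2.pem"; then return 1; fi
  # 3. With revocation checking on and a CRL from ca1 only, host1 still
  #    verifies but host2 fails ("unable to get certificate CRL"): every CA
  #    in the bundle needs its own CRL available, or its certs are rejected.
  verify_cert "$dir/ca-bundle.pem" "$dir/host1.pem" "$dir/ca1.crl" || return 1
  if verify_cert "$dir/ca-bundle.pem" "$dir/host2.pem" "$dir/ca1.crl"; then return 1; fi
  echo "bundle checks passed in $dir"
}

run_demo "$(mktemp -d)"
```

The third check is the one to compare with the symptom in the thread: a bundle of trusted CAs is only half of the picture once CRL checking is enabled, because the verifier also needs a CRL for the issuer of every certificate it sees.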



Re: [Puppet Users] Combine multiple CA certificates into a bundle

2010-11-29 Thread Ohad Levy
Hi,

I think you are facing https://projects.puppetlabs.com/issues/3640#note-11,
which would hopefully be resolved in https://projects.puppetlabs.com/issues/3770.

I must admit that I did not have time to continue troubleshooting this
further...
Ohad

