[Puppet Users] Slides TDD with puppet - puppetcamp paris yesterday

2014-04-09 Thread Johan De Wit

Hi,

http://www.slideshare.net/johandw/20140408-tdd-puppetcampparis

Comments are welcome

Grts


Johan


--
Johan De Wit

Open Source Consultant

Red Hat Certified Engineer  (805008667232363)
Puppet Certified Professional 2013/2014 (PCP006)
_
 
Open-Future Phone +32 (0)2/255 70 70

Zavelstraat 72  Fax   +32 (0)2/255 70 71
3071 KORTENBERG Mobile+32 (0)474/42 40 73
BELGIUM http://www.open-future.be
_
 


Next Events:
Puppet Introduction Course | 
http://www.open-future.be/puppet-introduction-course-14th-april
Puppet Advanced Training | 
http://www.open-future.be/puppet-advanced-training-15-till-17th-april
Linux Training | https://www.open-future.be/linux-training-5-till-9th-may
Puppet Introduction Course | 
https://www.open-future.be/puppet-introduction-course-12th-may
Subscribe to our newsletter | http://eepurl.com/BUG8H

--
You received this message because you are subscribed to the Google Groups "Puppet 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/53451EBC.3090608%40open-future.be.
For more options, visit https://groups.google.com/d/optout.


[Puppet Users] Re: Slides TDD with puppet - puppetcamp paris yesterday

2014-04-09 Thread Julien Deloubes
Hi Johan,
congrats for the presentation yesterday, very interesting, I missed the end 
because I had to pass the cert at 3PM, so I will finish it on slideshare :)
Bye

On Wednesday, April 9, 2014 12:19:40 UTC+2, Johan De Wit wrote:
>
> Hi, 
>
> http://www.slideshare.net/johandw/20140408-tdd-puppetcampparis 
>
> Comments are welcome 
>
> Grts 
>
>
> Johan 
>
>


Re: [Puppet Users] Emergency Certificate Revocation Procedure

2014-04-09 Thread Tom

Hi Matthew,

Use your imagination.  Puppet is not directly accessible to the 
internet, but there are puppet clients which are.  Shared web servers, 
mail servers etc.  I'm paid to be paranoid..


Thanks.  Tom.

On 08/04/14 20:43, Matthew Burgess wrote:

> On 8 Apr 2014 09:29, "Tom" <t...@t0mb.net> wrote:
> >
> > Hi,
> >
> > In light of the recently publicised vulnerability in OpenSSL
> > versions provided on RHEL6/CentOS6 http://heartbleed.com/, do you have
> > any recommendations on a procedure to regenerate new master
> > certificates and then revoke, clean and re-sign all client SSL
> > certificates?
>
> Whilst I can't offer any direct answer to your question, and agree
> that it's a generally useful thing to have in the toolbox, I'm
> slightly inquisitive as to why you feel that action is necessary for
> this vulnerability. Is your Puppet Master accessible publically via
> the Internet and if so, why is that? If it isn't directly accessible
> via the Internet who/what is it that you think could have exploited
> the vulnerability?
>
> Thanks,
>
> Matt



Re: [Puppet Users] Emergency Certificate Revocation Procedure

2014-04-09 Thread Tom

Thank you Nan,

It looks like Puppet Labs have recognised the importance of this, and I 
guess this thread should defer to the guidance that Eric Sorenson just 
posted to the list!


Thank you for your help!

Tom.

On 08/04/14 15:01, Nan Liu wrote:
> On Tue, Apr 8, 2014 at 12:57 AM, Tom wrote:
>
> > In light of the recently publicised vulnerability in OpenSSL
> > versions provided on RHEL6/CentOS6 http://heartbleed.com/,
> > do you have any recommendations on a
> > procedure to regenerate new master certificates and then revoke,
> > clean and re-sign all client SSL certificates?
> >
> > I think it'd be great in my organisation to have a bullet proof
> > procedure for the future, as well as getting around this current
> > problem.
> >
> > Thanks for any assistance.
>
> Puppet Labs had a CVE around a puppet master certificate issue. It
> only replaces the master cert, but from what I recall a module
> automates this step. You can see if the remediation tool kit is still
> suitable for this purpose:
>
> http://puppetlabs.com/security/cve/cve-2011-3872
>
> http://puppetlabs.com/security/cve/cve-2011-3872/faq#q9
> http://puppetlabs.com/security/cve/cve-2011-3872/faq#q11
>
> Thanks,
>
> Nan


Re: [Puppet Users] Re: chaining of create_resources

2014-04-09 Thread jcbollinger


On Tuesday, April 8, 2014 9:18:30 AM UTC-5, Baptiste wrote:
>
>
>
> On Tuesday, April 8, 2014 15:27:13 UTC+2, jcbollinger wrote:
>
>>
>> No, that's very mixed up.
>>
>> There are three different, but related, things that are being commingled 
>> there: the 'require' statement/function of Puppet DSL, a hash key 'require' 
>> in the hiera data describing a resource, and, by context and implication, 
>> the 'require' metaparameter that all resource types have.
>>
>> The first form given, "require ", can only be a use of the 
>> 'require' function (
>> http://docs.puppetlabs.com/references/3.stable/function.html#require).  
>> That function is for declaring classes (and simultaneously declaring a 
>> relationship to declared classes), therefore its argument must be a class 
>> name or an array of them.  It does not accept resource references, so that 
>> form will not work.
>>
>> In this context, the second form given, "require: > string>" can be only a key/value pair appearing in an Hiera data file.  It 
>> may be valid YAML, but to YAML the value is just a string.  Notwithstanding 
>> one claim in one (wrong) answer to that ask.puppetlabs.com question, all 
>> reports from the field -- including this very thread -- are consistent that 
>> that approach does not work.  Hiera does not automagically coerce the 
>> string value to a resource reference.
>>
>> Not only will *neither* of those work, but it is misleading to compare 
>> them as if they were direct alternatives.  One is a function call that (if 
>> it worked) would need to appear in an appropriate place in a Puppet 
>> manifest file, whereas the other is a YAML fragment that could make sense 
>> only in an Hiera data file.  They are not different forms of the same thing.
>>
>
> OK, so there is something that I should do wrong. I did some tests prior 
> to post this message as it was causing me troubles while trying to do a 
> nodeless setup using hiera, with classes, defines and resources assigned 
> using hiera.
>
> I have a vagrant-based public project of a "node-less" project you can 
> check/test to see how it behaves, and from what I can see, in the graph 
> generated using the agent, the dependency is present in the 
> relationship.dot: 
> https://github.com/gnubila-france/puppet-vagrant-playground . (before 
> generating the graph I removed the classes declaration from the 
> hieradata/common.yaml file to simplify the graph output)
>  
> Here is the png of the generated relationships.dot for the client VM: 
> https://files.bapt.name/relationships.png . It contains the relationship 
> between mysql service and package.
>
> Am I mis-interpreting this code and graph?
>
>

Other reports suggest so, but there are other possibilities, such as the 
graph not going with the version of the manifests and/or data presented.  I 
am not inclined to set up a test environment for your code, but all past 
reports -- of which there have been several -- are consistent that resource 
references cannot be expressed in Hiera data.  And that's perfectly 
sensible.


John



Re: [Puppet Users] Re: Remove certificate requests

2014-04-09 Thread jcbollinger


On Tuesday, April 8, 2014 7:01:14 AM UTC-5, Felix.Frank wrote:
>
> Hi, 
>
> this approach to working around the issue is pretty horrible IMHO. I 
> would recommend to go ahead and use Tim's approach of just removing the 
> CSR files manually. That is both less error prone and more secure. 
>
>
Yes, and if there are enough of these to be tedious/inconvenient, or if you 
need to do the job often, then it ought to be reasonably simple to write a 
script to collect the certificate names via "puppet cert list" and convert 
them directly into 'rm' commands for the certificate request files.  That 
could make it easier on you while still avoiding ever signing the cert 
requests.

Something along these lines (untested!) might do the trick:

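#!/bin/bash
# Delete every pending certificate request without signing any of them.
# Each request line from "puppet cert list" starts with the quoted certname.
puppet cert list |
while read -r line; do
  [[ $line == \"*\"* ]] || continue   # skip anything that is not a request line
  name=${line#\"}      # drop the opening quote
  name=${name%%\"*}    # keep only the text before the closing quote
  rm -- /var/lib/puppet/ssl/ca/requests/"${name}".pem
done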


Or (also untested):
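#!/bin/bash
# Remove the request file for each certname passed as an argument.
rm_request() {
  local dir=/var/lib/puppet/ssl/ca/requests/
  local pems=("${@/%/.pem}")
  rm -- "${pems[@]/#/$dir}"
}
export -f rm_request   # xargs starts a new bash, which needs the function exported
puppet cert list \
  | sed -n 's/^[[:space:]]*"\([^"]\+\)".*/\1/p' \
  | xargs -r bash -c 'rm_request "$@"' _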


John



Re: [Puppet Users] Re: chaining of create_resources

2014-04-09 Thread Baptiste Grenier
On 09/04/14 at 15:15, jcbollinger wrote:
> Other reports suggest so, but there are other possibilities, such as the 
> graph not going with the version of the manifests and/or data presented.

That's why I provided a complete vagrant project allowing to easily and
confidently test such things.

> I am not inclined to set up a test environment for your code, but all past 
> reports -- of which there have been several -- are consistent that resource 
> references cannot be expressed in Hiera data.  And that's perfectly 
> sensible.

OK.

As it is very easy with vagrant, I did destroy the VM and restart from
scratch (I am using a debian base box from puppetlabs, with puppetlabs
and plopopertaions puppet modules) and added two more resources
(postgresql package and service) and the dependencies are present in the
graph files:
https://github.com/gnubila-france/puppet-vagrant-playground/blob/master/graphs/relationships.png

In case anyone is interested in checking or testing this I added the graphs
files (.dot and .png) to the github repository
https://github.com/gnubila-france/puppet-vagrant-playground

The README should be sufficient, only vagrant and builder/ruby/rubygems
(or puppet and r10k) are needed, and most of the things are documented
and automatized, there is just a documented workaround for an annoying
bug with VirtualBox 4.3.10.

> John

Best,
Baptiste




-- 
\,,/_[-_-]_\,,/

There was a young lady named Riddle
Who had an untouchable middle.
She had many friends
Because of her ends,
Since it isn't the middle you diddle.




Re: [Puppet Users] Windows puppet agent SSL cert revocation woes.

2014-04-09 Thread Rob Reynolds
On Mon, Apr 7, 2014 at 4:57 PM, Charlie Baum  wrote:

> I have 8 or 9 Windows 2012 servers with latest puppet client 3.4.3.  Out
> of those, 4 of them have experienced issues with the SSL cert.  Here is
> what my event log contains: (each line is a different entry in the event
> log, all within about 1.5 seconds)
>
>
> *Unable to fetch my node definition, but the agent run will continue:*
>
>
> *SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A:
> sslv3 alert certificate revoked*
>
>
> */File[C:/ProgramData/PuppetLabs/puppet/var/lib]: Failed to generate
> additional resources using 'eval_generate': SSL_connect returned=1 errno=0
> state=SSLv3 read server session ticket A: sslv3 alert certificate revoked*
>
>
> */File[C:/ProgramData/PuppetLabs/puppet/var/lib]: Could not evaluate:
> SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A:
> sslv3 alert certificate revoked Could not retrieve file metadata for
> puppet://autopuppet.sys.comcast.net/plugins
> : SSL_connect returned=1 errno=0
> state=SSLv3 read server session ticket A: sslv3 alert certificate revoked*
>
> *Could not retrieve catalog from remote server: SSL_connect returned=1
> errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate
> revoked*
>


Is the cert actually revoked on the master? If one exists, then it could be
you created it from a non-privileged user and then later tried to connect
with a privileged user. If you have a certificate already created and
accepted from a non-privileged user, when the privileged user attempts to
connect, it is going to attempt to send a new certificate request (due to
~/.puppet/etc/ssl versus c:/ProgramData/PuppetLabs/puppet/etc/ssl). The
non-privileged user doesn't have access to programdata, so the request
happens from another location it does have access to.

Let's start there.



>
>
> This is very frustrating for a product I would like to put into
> production.  I have searched and found resolutions to this issue, but can't
> find a discussion on the root cause.  Is it a crappy Windows agent?
>  Bug/issue on the puppet master side?  How can I avoid this from happening
> all over my prod environment if I go that route?
>



-- 
Rob Reynolds
Developer, Puppet Labs

*Join us at **PuppetConf 2014**, September 23-24 in San Francisco
- http://puppetconf.com *
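
One way to answer the first question above ("Is the cert actually revoked on the master?") is to compare the agent certificate's serial number with the serials listed in the CA's CRL. This is an added example, not part of the original thread: the function names, the `--demo` switch and the throwaway CA it builds are constructed for illustration, and on a real system you pass the paths of the agent's certificate and the master's CRL yourself.

```shell
#!/bin/bash
# Added example (not from the thread): is a certificate's serial listed in a CRL?

# cert_serial CERT_PEM -> prints the serial in openssl's upper-case hex form
cert_serial() {
  openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# is_revoked CERT_PEM CRL_PEM
# exit 0: serial is in the CRL; 1: not listed; 2: a file could not be parsed
is_revoked() {
  local serial crl_text
  serial=$(cert_serial "$1" 2>/dev/null)
  [ -n "$serial" ] || return 2
  crl_text=$(openssl crl -in "$2" -noout -text 2>/dev/null) || return 2
  # "openssl crl -text" prints one "Serial Number: <hex>" line per revoked cert
  grep -qx "[[:space:]]*Serial Number: ${serial}" <<<"$crl_text"
}

# build_demo DIR -> constructed throwaway CA in DIR that issues agent-a
# (serial 1000, then revoked) and agent-b (serial 1001, still valid), plus crl.pem
build_demo() {
  local d=$1 n
  local ca=(openssl ca -batch -config "$d/ca.cnf" -cert "$d/ca.pem" -keyfile "$d/ca.key")
  cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = constructed
[ ca ]
default_ca = demo
[ demo ]
database = $d/index.txt
new_certs_dir = $d
serial = $d/serial
default_md = sha256
default_days = 1
default_crl_days = 1
policy = any
[ any ]
commonName = supplied
EOF
  : > "$d/index.txt"
  echo 1000 > "$d/serial"
  openssl req -config "$d/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
  for n in agent-a agent-b; do
    openssl req -config "$d/ca.cnf" -new -newkey rsa:2048 -nodes \
      -subj "/CN=$n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    "${ca[@]}" -in "$d/$n.csr" -out "$d/$n.pem" 2>/dev/null || return 1
  done
  "${ca[@]}" -revoke "$d/agent-a.pem" 2>/dev/null || return 1
  "${ca[@]}" -gencrl -out "$d/crl.pem" 2>/dev/null
}

# Run with --demo to see both outcomes against the constructed CA.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d) && build_demo "$tmp" || exit 1
  for n in agent-a agent-b; do
    if is_revoked "$tmp/$n.pem" "$tmp/crl.pem"; then
      echo "$n: serial $(cert_serial "$tmp/$n.pem") is REVOKED"
    else
      echo "$n: serial $(cert_serial "$tmp/$n.pem") is not in the CRL"
    fi
  done
  rm -rf "$tmp"
fi
```

If the serial is listed, the "certificate revoked" alert in the event log is accurate and the open question is which certificate the agent is presenting, which is where the two SSL directories described above come in.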



Re: [Puppet Users] Slides TDD with puppet - puppetcamp paris yesterday

2014-04-09 Thread Gareth Rushgrove
Ha.

Snap.

A talk I gave at Puppetcamp London:
https://speakerdeck.com/garethr/test-driven-development-for-puppet

And another talk from Loaddays by Garrett:
http://www.slideshare.net/gh/20140406-loa-daystddwithpuppettutorial

That's three talks with the same title in less than a week. I believe
we're on to something.

Gareth

On 9 April 2014 11:19, Johan De Wit  wrote:
> Hi,
>
> http://www.slideshare.net/johandw/20140408-tdd-puppetcampparis
>
> Comments are welcome
>
> Grts
>
>
> Johan
>
>



-- 
Gareth Rushgrove
@garethr

devopsweekly.com
morethanseven.net
garethrushgrove.com



[Puppet Users] Upgrade PE Enterprise agents using repo

2014-04-09 Thread Eric Wu
So I've upgraded the master to 3.2.1

I'm running a local repo and I'm using Oracle Linux 6.5

What do they mean when they say:  simplest way to upgrade agents is to 
upgrade the pe-agent package in the repo your package manager (e.g., 
Satellite)

I've looked through our repo and I don't find a pe-agent rpm.



[Puppet Users] Re: Please Help with HAProxy + Puppet

2014-04-09 Thread ryrowi
Did you ever figure this out? I'm having the same trouble and all my 
googling is leading back to this same unanswered question of yours on 
google groups, stackoverflow, etc.

On Monday, April 29, 2013 12:04:14 AM UTC-4, max.bri...@gmail.com wrote:
>
> Hi,
>
> I am trying to get HAProxy running. I have the puppet master setup serving 
> configurations to two agents. One is the HAproxy server and the other is a 
> simple web server (certname=webserver2). HAproxy is being deployed by 
> puppet on the proxy server as expected. But the generated HAProxy 
> configuration is what i don't understand. I do not see any single reference 
> to the IP address of webserver2 to which the traffic should be forwarded. 
> All IPs included in the haproxy config are those of the HAProxy server 
> itsself.
>
> I am likely misunderstanding something or missing something that should be 
> done. Please help me through this. My goal is to balance (round robin) 
> traffic to  two servers webserver1 and webserver2
> Thanks alot.
>
> Here is my puppet master site.pp:
>
> node /^haproxy.*/ {
>   Haproxy::Balancermember <<| listening_service == 'puppet00' |>>
>   class { 'haproxy': }
>   haproxy::listen {
>   'puppet00': ipaddress => $::ipaddress,
>   ports => ['55672','5672'], }
>   }
>  node 'webserver2' {
>   @@haproxy::balancermember {
> $fqdn: listening_service => 'puppet00',
> server_names => $::hostname,
> ipaddresses => $::ipaddress,
> ports => ['55672','5672'],
> options => 'check' 
>   } 
> }
>
> Here is the haproxy.cfg that is generated:
> # This file managed by Puppet
> global
>   chroot  /var/lib/haproxy
>   daemon
>   group  haproxy
>   log  10.28.92.145 local0
>   maxconn  4000
>   pidfile  /var/run/haproxy.pid
>   stats  socket /var/lib/haproxy/stats
>   user  haproxy
>
> defaults
>   log  global
>   maxconn  8000
>   option  redispatch
>   retries  3
>   stats  enable
>   timeout  http-request 10s
>   timeout  queue 1m
>   timeout  connect 10s
>   timeout  client 1m
>   timeout  server 1m
>   timeout  check 10s
>
> listen puppet00 10.28.92.145:55672,10.28.92.145:5672
>   balance  roundrobin
>   option  tcplog
>   option  ssl-hello-chk
>
>
>



Re: [Puppet Users] Re: Please Help with HAProxy + Puppet

2014-04-09 Thread Christopher Wood
Not that I've ever had this issue, but it might be helpful to check that 
storeconfigs is set on the puppetmaster and the simplest of exported resources 
are functioning. Maybe try with ssh host keys?

  @@sshkey { $::fqdn:
    host_aliases => $::hostname,
    key          => $::sshrsakey,
    target       => '/tmp/ssh_known_hosts',
    type         => ssh-rsa,
  }

Then on the collecting host:

  Sshkey <<| |>>

If you see a file with your host keys then you know exported resources are 
working and you can take a closer look at the HAProxy bit.

On Wed, Apr 09, 2014 at 11:44:43AM -0700, ryr...@gmail.com wrote:
>Did you ever figure this out? I'm having the same trouble and all my
>googling is leading back to this same unanswered question of yours on
>google groups, stackoverflow, etc.
> 
>On Monday, April 29, 2013 12:04:14 AM UTC-4, max.bri...@gmail.com wrote:
> 
>  Hi,
> 
>  I am trying to get HAProxy running. I have the puppet master setup
>  serving configurations to two agents. One is the HAproxy server and the
>  other is a simple web server (certname=webserver2). HAproxy is being
>  deployed by puppet on the proxy server as expected. But the generated
>  HAProxy configuration is what i don't understand. I do not see any
>  single reference to the IP address of webserver2 to which the traffic
>  should be forwarded. All IPs included in the haproxy config are those of
>  the HAProxy server itsself.
> 
>  I am likely misunderstanding something or missing something that should
>  be done. Please help me through this. My goal is to balance (round
>  robin) traffic to  two servers webserver1 and webserver2
>  Thanks alot.
> 
>  Here is my puppet master site.pp:
> 
>  node /^haproxy.*/ {
>    Haproxy::Balancermember <<| listening_service == 'puppet00' |>>
>    class { 'haproxy': }
>    haproxy::listen {
>    'puppet00': ipaddress => $::ipaddress,
>    ports => ['55672','5672'], }
>    }
>   node 'webserver2' {
>    @@haproxy::balancermember {
>              $fqdn: listening_service => 'puppet00',
>              server_names => $::hostname,
>              ipaddresses => $::ipaddress,
>              ports => ['55672','5672'],
>              options => 'check'
>        }
>  }
> 
>  Here is the haproxy.cfg that is generated:
>  # This file managed by Puppet
>  global
>    chroot  /var/lib/haproxy
>    daemon
>    group  haproxy
>    log  10.28.92.145 local0
>    maxconn  4000
>    pidfile  /var/run/haproxy.pid
>    stats  socket /var/lib/haproxy/stats
>    user  haproxy
> 
>  defaults
>    log  global
>    maxconn  8000
>    option  redispatch
>    retries  3
>    stats  enable
>    timeout  http-request 10s
>    timeout  queue 1m
>    timeout  connect 10s
>    timeout  client 1m
>    timeout  server 1m
>    timeout  check 10s
> 
>  listen puppet00 10.28.92.145:55672,10.28.92.145:5672
>    balance  roundrobin
>    option  tcplog
>    option  ssl-hello-chk
> 


Re: [Puppet Users] fileserving in parser function

2014-04-09 Thread Rob Reynolds
One of the reasons you might see this could be a check on the path in 3.4.x
to verify that volumes are NTFS.

I think we may have already fixed this for 3.5.x with
https://tickets.puppetlabs.com/browse/PUP-1450.

Another thing to verify is that you have all of the correct gems (and
versions) loaded with puppet for use on Windows.
https://github.com/puppetlabs/puppetlabs-acl/blob/master/Gemfile#L26-L40




On Tue, Apr 8, 2014 at 9:17 AM, Rich Siegel  wrote:

> I am getting this error in rspec using the puppet gem 3.4.3
>
>
> On Monday, April 7, 2014 10:43:38 AM UTC-4, Rob Reynolds wrote:
>
>> Rich,
>>  What version is the puppet agent?
>>
>>
>> On Fri, Apr 4, 2014 at 3:51 PM, Rich Siegel  wrote:
>>
>>> In my  loadcsv parser function I do (I stripped out all non-relevant
>>> parts)
>>>
>>> ```
>>> require 'puppet/file/serving/configuration'
>>> # on windows this fails - path is the args[0]:
>>> # path  = 'puppet:///modules/name/myfile.csv'
>>> content = Puppet::FileServing::Content.indirection.find(path)
>>> ```
>>>
>>> just trying to do this:
>>> $niccsv = loadcsv ('puppet:///modules/network/ise-lld/ise-nic.csv')
>>>
>>>
>>> Puppet::Error:
>>>Could not create resources for managing Puppet's files and
>>> directories in sections [:main, :ssl]: undefined method `supports_acl?' fo
>>> r #
>>>undefined method `supports_acl?' for #>> ProviderWindows:0x00082399e0> at /home/rismoney/puppet/modules/
>>> dns/spe
>>> c/fixtures/modules/dns/manifests/windows.pp:10 on node dev.example.com
>>>
>>> L10 is just
>>> $niccsv = loadcsv ('puppet:///modules/network/lld/ise-nic.csv')
>>>
>>> Am I missing something to use the File API on windows?
>>>



-- 
Rob Reynolds
Developer, Puppet Labs

*Join us at **PuppetConf 2014**, September 23-24 in San Francisco
- http://puppetconf.com *



Re: [Puppet Users] Re: facter-1.7.3 and puppet-3.3.1 on OS X Mavericks 10.9

2014-04-09 Thread Brian Auron
Hello,

I came looking for this exact error, but specifying "--server 
puppetmaster.domain" or setting "server = puppetmaster.domain" in 
puppet.conf doesn't allow a successful run of puppet. The error is the same 
as Paul had above:

Error: Could not request certificate: SSL_connect returned=1 errno=0 
state=SSLv2/v3 read server hello A: (null)

But `openssl s_client -connect puppetmaster.domain:8140` works just fine. 
There are no DNS alternative names and we only have one puppetmaster. Does 
anybody have an idea? Thanks!

-Brian

On Tuesday, February 11, 2014 1:56:25 PM UTC-6, Paul Tötterman wrote:
>
> Paul, that ssl error looks like the following post on puppet-users: 
>> https://groups.google.com/forum/#!topic/puppet-users/4-6EimF_-NY/discussion, 
>> which relates to SNI.
>>
>
> Thank you for pointing me in the right direction.
>  
>
>> Adding a server alias to your puppetmaster vhost may resolve your 
>> problem. This is a change in ruby after 1.9.0, so it wouldn't have been in 
>> system ruby on OSX before mavericks.
>>
>
> I can run the agent with --server puppet.$domain or by setting the server 
> in the config file. But I had no success in adding aliases to my 
> puppet/passenger/apache config. After trying to add the required apache 
> directives (NameVirtualHost, ServerName and ServerAlias) and restarting 
> apache, no puppet agents would communicate properly with the master.
>
> So I guess I'm going to go with server in puppet.conf for now.
>
> Thanks,
> Paul
>



[Puppet Users] Re: Please Help with HAProxy + Puppet

2014-04-09 Thread ryrowi
I think you're right Chris, I am not using puppet enterprise and I had not 
set up puppetdb or storeconfigs so no exporting or collecting is going to 
work without that. I guess most puppet users would realize this but for 
newbs like me it might be nice if the plugin doc mentioned that dependency.

On Monday, April 29, 2013 12:04:14 AM UTC-4, max.bri...@gmail.com wrote:
>
> Hi,
>
> I am trying to get HAProxy running. I have the puppet master setup serving 
> configurations to two agents. One is the HAproxy server and the other is a 
> simple web server (certname=webserver2). HAproxy is being deployed by 
> puppet on the proxy server as expected. But the generated HAProxy 
> configuration is what I don't understand. I do not see any single reference 
> to the IP address of webserver2 to which the traffic should be forwarded. 
> All IPs included in the haproxy config are those of the HAProxy server 
> itself.
>
> I am likely misunderstanding something or missing something that should be 
> done. Please help me through this. My goal is to balance (round robin) 
> traffic to two servers, webserver1 and webserver2.
> Thanks a lot.
>
> Here is my puppet master site.pp:
>
> node /^haproxy.*/ {
>   Haproxy::Balancermember <<| listening_service == 'puppet00' |>>
>   class { 'haproxy': }
>   haproxy::listen { 'puppet00':
>     ipaddress => $::ipaddress,
>     ports     => ['55672','5672'],
>   }
> }
> node 'webserver2' {
>   @@haproxy::balancermember { $fqdn:
>     listening_service => 'puppet00',
>     server_names      => $::hostname,
>     ipaddresses       => $::ipaddress,
>     ports             => ['55672','5672'],
>     options           => 'check',
>   }
> }
>
> Here is the haproxy.cfg that is generated:
> # This file managed by Puppet
> global
>   chroot  /var/lib/haproxy
>   daemon
>   group  haproxy
>   log  10.28.92.145 local0
>   maxconn  4000
>   pidfile  /var/run/haproxy.pid
>   stats  socket /var/lib/haproxy/stats
>   user  haproxy
>
> defaults
>   log  global
>   maxconn  8000
>   option  redispatch
>   retries  3
>   stats  enable
>   timeout  http-request 10s
>   timeout  queue 1m
>   timeout  connect 10s
>   timeout  client 1m
>   timeout  server 1m
>   timeout  check 10s
>
> listen puppet00 10.28.92.145:55672,10.28.92.145:5672
>   balance  roundrobin
>   option  tcplog
>   option  ssl-hello-chk
>
>
>



Re: [Puppet Users] Re: Please Help with HAProxy + Puppet

2014-04-09 Thread Christopher Wood
Having been there, definitely give the puppetlabs puppetdb module a go:

http://forge.puppetlabs.com/puppetlabs/puppetdb

Puppetdb and storeconfigs are easier than they look, and once these are set up 
you'll get the result you want.

On Wed, Apr 09, 2014 at 03:10:47PM -0700, ryr...@gmail.com wrote:
>I think you're right Chris, I am not using puppet enterprise and I had not
>set up puppetdb or storeconfigs so no exporting or collecting is going to
>work without that. I guess most puppet users would realize this but for
>newbs like me it might be nice if the plugin doc mentioned that
>dependency.
>On Monday, April 29, 2013 12:04:14 AM UTC-4, max.bri...@gmail.com wrote:
> 
>  Hi,
> 
>  I am trying to get HAProxy running. I have the puppet master setup
>  serving configurations to two agents. One is the HAproxy server and the
>  other is a simple web server (certname=webserver2). HAproxy is being
>  deployed by puppet on the proxy server as expected. But the generated
>  HAProxy configuration is what I don't understand. I do not see any
>  single reference to the IP address of webserver2 to which the traffic
>  should be forwarded. All IPs included in the haproxy config are those of
>  the HAProxy server itself.
> 
>  I am likely misunderstanding something or missing something that should
>  be done. Please help me through this. My goal is to balance (round
>  robin) traffic to two servers, webserver1 and webserver2.
>  Thanks a lot.
> 
>  Here is my puppet master site.pp:
> 
>  node /^haproxy.*/ {
>    Haproxy::Balancermember <<| listening_service == 'puppet00' |>>
>    class { 'haproxy': }
>    haproxy::listen { 'puppet00':
>      ipaddress => $::ipaddress,
>      ports     => ['55672','5672'],
>    }
>  }
>  node 'webserver2' {
>    @@haproxy::balancermember { $fqdn:
>      listening_service => 'puppet00',
>      server_names      => $::hostname,
>      ipaddresses       => $::ipaddress,
>      ports             => ['55672','5672'],
>      options           => 'check',
>    }
>  }
> 
>  Here is the haproxy.cfg that is generated:
>  # This file managed by Puppet
>  global
>    chroot  /var/lib/haproxy
>    daemon
>    group  haproxy
>    log  10.28.92.145 local0
>    maxconn  4000
>    pidfile  /var/run/haproxy.pid
>    stats  socket /var/lib/haproxy/stats
>    user  haproxy
> 
>  defaults
>    log  global
>    maxconn  8000
>    option  redispatch
>    retries  3
>    stats  enable
>    timeout  http-request 10s
>    timeout  queue 1m
>    timeout  connect 10s
>    timeout  client 1m
>    timeout  server 1m
>    timeout  check 10s
> 
>  listen puppet00 10.28.92.145:55672,10.28.92.145:5672
>    balance  roundrobin
>    option  tcplog
>    option  ssl-hello-chk
> 

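
The dependency discussed in this thread, exported resources needing storeconfigs with a PuppetDB backend, can be checked from puppet.conf. This is an added example, not code from the thread or the haproxy module; the function name and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Report whether a puppet.conf enables what exported resources
# (@@resource declarations and <<| |>> collectors) depend on.
# Reads the file text on stdin. A value in [master] overrides [main].
storeconfigs_status() {
    awk '
        /^[ \t]*\[/ { gsub(/[^A-Za-z_]/, ""); section = $0; next }
        /^[ \t]*#/  { next }
        section == "master" || section == "main" {
            if (split($0, kv, "=") < 2) next
            key = kv[1]; val = kv[2]
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "storeconfigs")         sc[section] = val
            if (key == "storeconfigs_backend") be[section] = val
        }
        END {
            enabled = ("master" in sc) ? sc["master"] : sc["main"]
            backend = ("master" in be) ? be["master"] : be["main"]
            if (enabled != "true")  print "disabled"
            else if (backend == "") print "enabled-default-backend"
            else                    print "enabled-" backend
        }'
}

# Constructed sample: a master with no storeconfigs, as described in the thread.
BEFORE_CONF='[main]
    logdir = /var/log/puppet
[master]
    certname = puppetmaster.example.test'

# Constructed sample: the same master once PuppetDB storeconfigs is configured.
AFTER_CONF='[main]
    logdir = /var/log/puppet
[master]
    storeconfigs = true
    storeconfigs_backend = puppetdb'

printf '%s\n' "$BEFORE_CONF" | storeconfigs_status   # disabled
printf '%s\n' "$AFTER_CONF"  | storeconfigs_status   # enabled-puppetdb
```

With the first file, the collector on the haproxy node has nothing to collect, which matches the generated haproxy.cfg containing no balancer members.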


[Puppet Users] Heartbleed and Puppet-Supported Operating Systems

2014-04-09 Thread Eric Sorenson
Like you, we are still learning about the full extent of the OpenSSL security 
bug dubbed Heartbleed, and what we need to do to help Puppet users remediate 
the vulnerability. We published step-by-step documentation for remediating 
yesterday 
[http://puppetlabs.com/blog/heartbleed-security-bug-update-puppet-users], and 
we will continue to update you as we learn more and develop new resources.  

We've finalized a list of vulnerable operating systems supported by Puppet 
Enterprise, noting the versions of OpenSSL they shipped with. If you are also 
running open source Puppet, be aware that the range of operating systems you 
can use is much wider, so not every vulnerable OS is on this list.

Keep in mind, regardless of the OS involved, you must check whether you are 
running OpenSSL versions 1.0.1 and 1.0.2 on your systems. Both are vulnerable. 

Documentation for remediating the Heartbleed issue is linked below the lists. 
For more help, check out the Heartbleed and certificate discussions here on the 
email list.

Vulnerable Operating Systems and their versions of OpenSSL

Debian Wheezy (stable)
* OpenSSL 1.0.1e-2+deb7u4

Ubuntu 12.04.4 (precise) LTS
* OpenSSL 1.0.1-4ubuntu5.11

RHEL / CentOS / Scientific 6.5
* OpenSSL 1.0.1e-15

Operating Systems that are Not Vulnerable

* RHEL / CentOS / OEL / Scientific 6 (other than 6.5)
* RHEL / CentOS / OEL / Scientific 5 (all versions)
* RHEL / CentOS 4
* SLES 11
* AIX 5, 6, 7
* Solaris 10, 11
* Windows (all)
* Debian Squeeze (old-stable)
* Ubuntu 10.04 (Lucid)

Step-by-Step Documentation for Remediating the Vulnerability 

Puppet Enterprise 3.x:  Regenerating Certs and Security Credentials in Split 
Puppet Enterprise Deployments
http://docs.puppetlabs.com/pe/3.2/trouble_regenerate_certs_split.html

Puppet Enterprise 3.x:  Regenerating Certs and Security Credentials in 
Monolithic Puppet Enterprise Deployments
http://docs.puppetlabs.com/pe/latest/trouble_regenerate_certs_monolithic.html

Puppet Enterprise 2.x:  Regenerating Certs and Security Credentials in Split 
Puppet Enterprise Deployments
http://docs.puppetlabs.com/pe/2.8/trouble_regenerate_certs_split.html

Puppet Enterprise 2.x:  Regenerating Certs and Security Credentials in 
Monolithic Puppet Enterprise Deployments
http://docs.puppetlabs.com/pe/2.8/trouble_regenerate_certs_monolithic.html

Puppet SSL:  Regenerating All Certificates in a Puppet Deployment
http://docs.puppetlabs.com/puppet/latest/reference/ssl_regenerate_certificates.html

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

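
A version-string triage for the OpenSSL check described in the message above, as an added example that is not part of the original post or of Puppet Labs' documentation. It relies on the upstream release history (1.0.1 through 1.0.1f and 1.0.2-beta1 shipped the bug, 1.0.1g fixed it); the function names and the sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Classify an `openssl version` banner against the upstream Heartbleed range.
# Distro builds backport fixes without changing the upstream letter, so
# "upstream-affected" means "confirm against the vendor package version".
heartbleed_status() {
    # $1: banner such as "OpenSSL 1.0.1e-fips 11 Feb 2013"
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    ver=${ver%-fips}                      # RHEL-family builds append -fips
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) echo upstream-affected ;;
        1.0.1[g-z]*)                  echo upstream-fixed ;;
        0.9.*|1.0.0|1.0.0[a-z]*)      echo not-affected ;;
        *)                            echo unknown ;;
    esac
}

# Print the hosts whose banner falls in the upstream-affected range.
# Input on stdin: "<host><TAB><openssl version banner>", one per line.
hosts_to_review() {
    while IFS="$(printf '\t')" read -r host banner; do
        [ "$(heartbleed_status "$banner")" = upstream-affected ] && echo "$host"
    done
    return 0
}

# Constructed sample inventory (hostnames and banners are made up).
SAMPLE_INVENTORY=$(printf '%s\t%s\n' \
    master01      'OpenSSL 1.0.1e-fips 11 Feb 2013' \
    agent-el5     'OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008' \
    agent-precise 'OpenSSL 1.0.1 14 Mar 2012' \
    agent-new     'OpenSSL 1.0.1g 7 Apr 2014')

printf '%s\n' "$SAMPLE_INVENTORY" | hosts_to_review
```

A host flagged here still needs its package version compared with the distribution's advisory, and a host that ran an affected build needs its certificates regenerated as described in the linked documentation even after the package is updated.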


[Puppet Users] Case Trouble w/ Boolean

2014-04-09 Thread Jeremy Frady
Hey there,

Thanks for taking the time to read this.  My end objective is to utilize a 
yaml boolean, in this case couchDbServer, as an entry for a case that 
dictates whether a file is present or not.  I do not want to use stdlib to 
achieve this.

Following is the code:

class datadog {

  $datadogApiKey = hiera('datadogApiKey', nil)
  $couchDbServer = hiera('couchDbServer', nil)

  yumrepo { 'datadog':
    baseurl  => 'http://yum.datadoghq.com/rpm/',
    descr    => 'Datadog, Inc.',
    enabled  => 1,
    gpgcheck => 0,
  } ->
  package { 'datadog-agent':
    ensure => 'installed',
  } ->
  file { 'datadog.conf':
    path    => '/etc/dd-agent/datadog.conf',
    ensure  => 'present',
    content => template('datadog/datadog.conf.erb'),
  } ->
  file { 'couchdb.yaml':
    path    => '/etc/dd-agent/conf.d/couchdb.yaml',
    ensure  => 'present',
    content => template('datadog/couchdb.yaml.erb'),
  } ->
  service { 'datadog-agent':
    ensure    => 'running',
    enable    => 'true',
    subscribe => File[
      '/etc/dd-agent/datadog.conf',
      '/etc/dd-agent/conf.d/couchdb.yaml'
    ],
  }
}

I've tried a ton of things, but none of it works.  Can someone please 
advise the proper solution?



[Puppet Users] New Puppet Master install not creating packages when adding Class

2014-04-09 Thread aspo73
Hi all.

I've just installed Puppet Master for the first time.  Everything seems to 
be up and running OK on CentOS 6.5.

I don't have a local Yum repo so was hoping to use the PE Package Management 
method as outlined here: 
http://docs.puppetlabs.com/pe/latest/install_basic.html#installing-agents 
(Installing Agents Using PE Package Management).

I've added the required Class for the node I'm hoping to install the Agent 
on (pe_repo::platform::el_5_x86_64) and set off a Puppet Run, but I'm not 
seeing any new packages in /opt/puppet/packages/public.  I'm also not 
seeing any errors adding the Class, or performing the Run.

I have a feeling I'm missing something quite fundamental here, but as this 
is Puppet Day One I was hoping someone could point me in the right 
direction.

As I have no packages, running curl -k https://:8140/packages/current/install.bash | bash. results in the 
following 

Please classify puppet.no.genbook.com with the 
pe_repo::platform::el_5_x86_64 class in the Puppet Enterprise console in 
order to add support for installing el-5-x86_64 agents

Any assistance much appreciated.



