Re: [Puppet Users] Difference between Puppet agent v. apply

2016-02-18 Thread Jeff Abrahamson
On Thursday, 18 February 2016 05:18:19 UTC+1, Henrik Lindberg wrote:
>
> On 18/02/16 02:10, warron.french wrote: 
> > Can someone please clearly explain why/when to use: 
> > puppet apply versus Puppet agent? 
> > 
>
> puppet agent makes requests to the master - the master compiles the 
> catalog. 
>
> puppet apply produces the catalog locally (must have all the manifests 
> etc on the agent) - a.k.a known as running masterless. 
>

Henrik's answer is perfect.  As a relative newbie, this is a point (and 
its follow-on: why?) that I remember was briefly difficult but that 
becomes so obvious that it's increasingly hard to remember why I thought it 
was hard.  So let me offer a bit more (the more experienced will correct 
me) while I can still remember that it was briefly hard.

In a very old, honest, and maybe small world, you might never need a puppet 
master.  Each host has access to its configuration information and uses 
puppet apply to configure itself.  This is really simple to set up, because 
you don't need a master.  Maybe I have a cron job that periodically does a 
git pull && puppet apply.

This eventually leads to frustration.  These are some of the things I 
considered (against the simplicity of "git pull && puppet apply"):

   - Maybe some hosts have to know secrets.  There are techniques for this 
   (blackbox, puppet-decrypt, etc.).  I'm not sure if any solution is 
   canonical.  But do you want all hosts to have to know how to access those 
   secrets?
   - Is it ok for all of your hosts to have access to your git repo?  Does 
   each host have a separate key or do you have to update all hosts if you 
   need to invalidate that key in a hurry?
   - Maybe some hosts are more publicly visible than others, and you don't 
   want the more publicly visible hosts to know anything about what's behind 
   the curtain to limit discoverable attack surface
   - In case you need to revert, the master makes this a bit easier (I've 
   heard, but I am not convinced)
   - Central reporting of client state

While I'm sure you're as facile with google as the rest of us, I found this 
SO (SU) article quite reasonable.


-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/f8576264-d232-4a7d-a443-b26ed9af1d92%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[Puppet Users] Re: Connecting to https://puppet:8140

2016-02-18 Thread Jeff Abrahamson
A final note on this:

I wiped the host, reinitialized (because I'm at that stage of setting
things up that this is a reasonable and required test), and these problems
went away.  It bothers me that I don't understand how and why the
certificates were messed up, but I suspect it had to do with my playing
with certname, etc.

I'm aware that this thread has become a bit helper-unfriendly.  I've
followed on really only for future readers who may find the question and
wonder whether anything further was known.

Jeff Abrahamson
+33 6 24 40 01 57
+44 7920 594 255<-- only when I'm in the UK
http://ml-week.com/ * prochaine edition, 2016*

http://jeff.purple.com/
http://blog.purple.com/jeff/

On 17 February 2016 at 19:40, Jeff Abrahamson  wrote:

> Restarting the puppetserver seems to sort the certificate mismatch.  Note
> that my host's A record is loire.example.com with CNAME puppet.example.com.
> In /etc/puppet/puppet.conf, I refer to the host as puppet:
>
> [main]
> logdir=/var/log/puppet
> vardir=/var/lib/puppet
> ssldir=/var/lib/puppet/ssl
> rundir=/var/run/puppet
> factpath=$vardir/lib/facter
> dns_alt_names = puppet.example.com
>
> [master]
> # These are needed when the puppetmaster is run by passenger
> # and can safely be removed if webrick is used.
> ssl_client_header = SSL_CLIENT_S_DN
> ssl_client_verify_header = SSL_CLIENT_VERIFY
>
> [agent]
> server = puppet.example.com
>
> (Recall that s/example/mydomain/g.) The problem then transforms into
> certificate verification failure.
>
> Warning: Unable to fetch my node definition, but the agent run will
> continue:
> Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server
> certificate B: certificate verify failed: [unable to get local issuer
> certificate for /CN=loire.example.com]
>
> Comparing certificates confirms they aren't quite the same.  Recall that
> my master and agent are running on the same host: I want puppet to handle
> configuration for the master!
>
> [T] jeff@loire:~ $ openssl s_client -connect loire.example.com:8140
> -showcerts > /tmp/cert
> [T] jeff@loire:~ $ sudo openssl verify -CAfile
> /var/lib/puppet/ssl/certs/ca.pem /tmp/cert
> /tmp/cert: CN = loire.example.com
> error 20 at 0 depth lookup:unable to get local issuer certificate
> 2,[T] jeff@loire:~ $
>
> I tried removing all the certificates I could find and restarting the
> server.
>
> [T] jeff@loire:~ $ sudo find /var/lib/puppet/ssl -name '*.pem' -delete
> [T] jeff@loire:~ $ sudo rm -rf /etc/puppet/ssl
> [T] jeff@loire:~ $ sudo puppet cert list --all
> Notice: Signed certificate request for ca
> [T] jeff@loire:~ $ sudo puppet cert list --all
> [T] jeff@loire:~ $
>
> (I've never been clear on why certificate lists sometimes become empty on
> a second request.)  But now on restarting the server, I see this error:
>
> java.lang.IllegalArgumentException: Expected a KeyPair or PrivateKey,
> got org.bouncycastle.openssl.PEMEncryptedKeyPair@315e8e4
>
> It looks like I forgot some certificate somewhere.  O, how I would have
> liked a long entry that says "I see that /path/to/A and /path/to/B are not
> the same."
>
> I'm temporarily out of ideas and search queries.  If anyone can shed any
> light, I'd much appreciate it.  If not, this all at least serves to
> document for those who search these things later.
>
> Jeff Abrahamson
> +33 6 24 40 01 57
> +44 7920 594 255<-- only when I'm in the UK
> http://ml-week.com/ * prochaine edition,
> 2016*
>
> http://jeff.purple.com/
> http://blog.purple.com/jeff/
>
> On 17 February 2016 at 18:12, Jeff Abrahamson  wrote:
>
>> Aha, I can answer *half* of my own question after another hour of work.
>> The issue was the certname field in the config.  Removing it makes that all
>> work.  I also removed the short hostname from dns_alt_names, since it
>> seemed unnecessary.  That leaves me only with the famous certificate
>> mismatch problem.
>>
>> ...
>> Debug: Finishing transaction 5407140
>> Info: Creating a new SSL key for loire.example.com
>> Debug: Using cached certificate for ca
>> Debug: Using cached certificate for ca
>> Debug: Creating new connection for https://puppet.example.com:8140
>> Info: Caching certificate for loire.example.com
>> Error: Could not request certificate: The certificate retrieved from the
>> master does not match the agent's private key.
>> Certificate fingerprint:
>> EF:0B:DB:FD:8F:18:AB:DC:1F:82:BF:8B:A0:92:CB:D3:4F:0D:72:DC:F2:23:B8:A0:74:76:33:56:6E:32:1F:50
>> To fix this, remove the certificate from both the master and the agent
>> and then start a puppet run, which will automatically regenerate a
>> certficate.
>> On the master:
>>   puppet cert clean loire.example.com
>> On the agent:
>>   1a. On most platforms: find /var/lib/puppet/ssl -name
>> loire.example.com.pem -delete
>>   1b. On Windows: del "/var/lib/puppet/ssl/loire.example.com.
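
The two failures quoted in the message above ("does not match the agent's private key" and "unable to get local issuer certificate") can each be checked directly with openssl. The script below is an added example, not part of the thread or of Puppet; its function names and the CA, key and certificate files it generates are constructed for illustration.

```shell
#!/bin/sh
# Added example: tell apart the two certificate failures quoted in the thread.
# Function names and all generated files are constructed for this demo.

# Succeeds when the certificate holds the public key of the given private key.
cert_matches_key() {            # cert_matches_key CERT.pem KEY.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # "-passin pass:" makes an encrypted key fail here instead of prompting.
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate verifies against the given CA file.
cert_issued_by() {              # cert_issued_by CERT.pem CA.pem
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Prints one word: ok, key-mismatch, wrong-ca or unreadable.
diagnose() {                    # diagnose CERT.pem KEY.pem CA.pem
    rc=0
    cert_matches_key "$1" "$2" || rc=$?
    case $rc in
        0) ;;
        1) echo key-mismatch; return 0 ;;
        *) echo unreadable; return 0 ;;
    esac
    if cert_issued_by "$1" "$3"; then echo ok; else echo wrong-ca; fi
}

# Names the two certificates being compared when the CA check fails.
show_names() {                  # show_names CERT.pem CA.pem
    echo "$1 $(openssl x509 -in "$1" -noout -issuer)"
    echo "$2 $(openssl x509 -in "$2" -noout -subject)"
}

# Builds constructed test material in directory $1: two unrelated CAs, an agent
# key and certificate signed by the first CA, and a second, unrelated agent key.
make_fixture() {
    d=$1
    cat > "$d/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = constructed
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    for ca in old_ca new_ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -config "$d/openssl.cnf" -subj "/CN=constructed-$ca" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -config "$d/openssl.cnf" \
        -subj "/CN=loire.example.com" \
        -keyout "$d/agent.key" -out "$d/agent.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/agent.csr" -CA "$d/old_ca.pem" \
        -CAkey "$d/old_ca.key" -set_serial 1 -days 1 \
        -out "$d/agent.pem" 2>/dev/null || return 1
    openssl genrsa -out "$d/regenerated.key" 2048 2>/dev/null || return 1
}

# Runs the three cases on constructed files and prints the verdict for each.
demo() {
    d=$(mktemp -d) || return 1
    make_fixture "$d" || { rm -rf "$d"; return 1; }
    echo "same CA, same key: $(diagnose "$d/agent.pem" "$d/agent.key" "$d/old_ca.pem")"
    echo "key regenerated:   $(diagnose "$d/agent.pem" "$d/regenerated.key" "$d/old_ca.pem")"
    echo "CA regenerated:    $(diagnose "$d/agent.pem" "$d/agent.key" "$d/new_ca.pem")"
    show_names "$d/agent.pem" "$d/new_ca.pem"
    rm -rf "$d"
}

# With three arguments check real files, otherwise run the constructed demo.
if [ "$#" -eq 3 ]; then diagnose "$@"; else demo; fi
```
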

[Puppet Users] SOA Infra getting skipped while RCU creation

2016-02-18 Thread meenu . singh13
Hello everyone,

I am trying to create SOA BPEL domain and while running the puppet script, 
it is skipping creating the SOAINFRA schema. 


*Log*


Info: rcu_status compare output NotFound with prefix DEVOHPBPEL

Info: RCU present

Info: rcu statement: /u01/oracle/product/fmw1213/oracle_common/bin/rcu 
-silent -createRepository -databaseType ORACLE -connectString 
scrbdevdk003655.crb.apmoller.net:1521/OHP_SOA_DEV -dbUser sys -dbRole 
SYSDBA -schemaPrefix DEVOHPBPEL -component MDS -component IAU -component 
IAU_APPEND -component IAU_VIEWER -component OPSS -component WLS -component 
UCSCC -component UCSUMS -component UMS -component ESS -component SOAINFRA 
-component MFT  -f < /u01/install/rcu_passwords_soa_create_DEVOHPBPEL.txt

Info: RCU result:

Processing command line 

Repository Creation Utility - Checking Prerequisites

Checking Global Prerequisites

Skipping UCSCC component as config or storage file is missing for the 
component.

Skipping UMS component as config or storage file is missing for the 
component.

Skipping ESS component as config or storage file is missing for the 
component.

Skipping SOAINFRA component as config or storage file is missing for the 
component.

Skipping MFT component as config or storage file is missing for the 
component.

 


Can someone please help me why this is happening?


Thanks

Meenu



[Puppet Users] Re: Please explain need for multiple .ppm files in a single module

2016-02-18 Thread jcbollinger


On Wednesday, February 17, 2016 at 7:01:32 PM UTC-6, Warron French wrote:
>
> Where I work a great of the Puppet Modules employed are downloaded from 
> the Puppet Forge; however, some are created by my teammates.
>
> What I can't figure out is WHY are some modules written with multiple .pp 
> files in the manifest directory.
>
> Can someone please tutor me on this point, or point me to a document/link?
>


What *I* can't figure out is what you find surprising about Puppet modules 
comprising multiple manifests.  If you help me out there, then perhaps I 
can help you out in return.


John



[Puppet Users] Re: Difference between Puppet agent v. apply

2016-02-18 Thread jcbollinger


On Wednesday, February 17, 2016 at 7:10:29 PM UTC-6, Warron French wrote:
>
> Can someone please clearly explain why/when to use:
> puppet apply versus Puppet agent?
>


Responding to your specific (mis)understandings:
 

> I believe, but I want to be thoroughly corrected, the following:
> 1.  puppet apply  (with --noop) is for 'smoke' testing a specific manifest 
> .PP-file, but
>


Not really, unless you ordinarily use 'puppet apply' (*without* --noop) to 
build and apply catalogs.

Your manifests and data need to be present on the host where you build the 
catalog, but they do not necessarily need to be present on the node to 
which you apply a catalog.  If your nodes ordinarily obtain their catalogs 
via the agent, then they probably don't have the manifests and data.  
Moreover, some aspects of catalog building can produce different results 
depending on where they run.

Additionally, the community's conventional choice for testing Puppet 
modules is Rspec.

 

> 2. puppet apply will apply a single (specified on cli) module in reality; 
> but,
>


Not necessarily.  'puppet apply' will build a catalog locally, starting 
from the manifest file you specify to it, and referencing other manifests 
and data as necessary.  If successful, it will then apply the catalog to 
the node on which it is running.  To the best of my knowledge, the only 
essential difference between the catalog building process performed by the 
master and the one performed by 'puppet apply' is how the starting-point 
manifest(s) are chosen.  Note also that the manifest you specify to 'apply' 
does not have to belong to a module.

 

> 3.  a puppet agent -t searches the deltas of files tracked by the Puppet 
> Master and applies all changes for all modules wherever the modules are 
> actually appropriate candidates.
>


No, I think that's a poor characterization.  'puppet agent' requests that 
the master build a catalog for the local node, and then applies that 
catalog; together these constitute a "catalog run".  Depending on the 
options you specify, the agent may do this just once, or it may run as a 
daemon, performing catalog runs on a configurable schedule.  The second 
stage, applying the catalog received from the master, is no different when 
performed by the agent than when performed by 'puppet apply'.  The first 
stage differs mainly in where it is performed. Where a master is in use, it 
typically does far more than track files.  For its part, the agent has 
nothing to do with deciding *what* to apply; its job is to determine *how* 
to apply it.


Overall, I suspect that your misunderstandings are based, in part, on an 
idea that you would routinely have use for both 'puppet agent' and 'puppet 
apply'.  Typically, however, a Puppet shop will use either one or the 
other, not both.


John



Re: [Puppet Users] SOA Infra getting skipped while RCU creation

2016-02-18 Thread Lowe Schmidt
1. How do you run puppet?
2. Please show us the code for the puppet module you are using, and the
profile/role you are using to configure the node.
3. The log does not seem to be related to Puppet, but to SOA BPEL, are you
sure this is the log from Puppet?

--
Lowe Schmidt | +46 723 867 157

On 18 February 2016 at 10:16,  wrote:

> Hello everyone,
>
> I am trying to create SOA BPEL domain and while running the puppet script,
> it is skipping creating the SOAINFRA schema.
>
>
> *Log*
>
>
> Info: rcu_status compare output NotFound with prefix DEVOHPBPEL
>
> Info: RCU present
>
> Info: rcu statement: /u01/oracle/product/fmw1213/oracle_common/bin/rcu
> -silent -createRepository -databaseType ORACLE -connectString
> scrbdevdk003655.crb.apmoller.net:1521/OHP_SOA_DEV -dbUser sys -dbRole
> SYSDBA -schemaPrefix DEVOHPBPEL -component MDS -component IAU -component
> IAU_APPEND -component IAU_VIEWER -component OPSS -component WLS -component
> UCSCC -component UCSUMS -component UMS -component ESS -component SOAINFRA
> -component MFT  -f < /u01/install/rcu_passwords_soa_create_DEVOHPBPEL.txt
>
> Info: RCU result:
>
> Processing command line 
>
> Repository Creation Utility - Checking Prerequisites
>
> Checking Global Prerequisites
>
> Skipping UCSCC component as config or storage file is missing for the
> component.
>
> Skipping UMS component as config or storage file is missing for the
> component.
>
> Skipping ESS component as config or storage file is missing for the
> component.
>
> Skipping SOAINFRA component as config or storage file is missing for the
> component.
>
> Skipping MFT component as config or storage file is missing for the
> component.
>
>
>
>
> Can someone please help me why this is happening?
>
>
> Thanks
>
> Meenu
>


Re: [Puppet Users] Difference between Puppet agent v. apply

2016-02-18 Thread warron.french
Henrik, that looks like the text straight of the man page, which is what I
can't quite wrap my head around.


I thought the purpose of the catalog is for telling the agent what modules
it needs to pull to update its files to what is specified in the modules.

--
Warron French


On Wed, Feb 17, 2016 at 10:20 PM, Henrik Lindberg <
henrik.lindb...@puppetlabs.com> wrote:

> On 18/02/16 02:10, warron.french wrote:
>
>> Can someone please clearly explain why/when to use:
>> puppet apply versus Puppet agent?
>>
>>
> puppet agent makes requests to the master - the master compiles the
> catalog.
>
> puppet apply produces the catalog locally (must have all the manifests etc
> on the agent) - a.k.a known as running masterless.
>
> - henrik
>
> --
>
> Visit my Blog "Puppet on the Edge"
> http://puppet-on-the-edge.blogspot.se/
>


Re: [Puppet Users] Difference between Puppet agent v. apply

2016-02-18 Thread Rich Burroughs
The agent does not pull modules in a master/agent setup. They are only on
the master.

The catalog contains the info that the agent needs to get its managed
resources into the desired state. It's not a list of modules.


Rich

On Thu, Feb 18, 2016 at 12:31 PM warron.french 
wrote:

> Henrik, that looks like the text straight of the man page, which is what I
> can't quite wrap my head around.
>
>
> I thought the purpose of the catalog is for telling the agent what modules
> it needs to pull to update its files to what is specified in the modules.
>
> --
> Warron French
>
>
> On Wed, Feb 17, 2016 at 10:20 PM, Henrik Lindberg <
> henrik.lindb...@puppetlabs.com> wrote:
>
>> On 18/02/16 02:10, warron.french wrote:
>>
>>> Can someone please clearly explain why/when to use:
>>> puppet apply versus Puppet agent?
>>>
>>>
>> puppet agent makes requests to the master - the master compiles the
>> catalog.
>>
>> puppet apply produces the catalog locally (must have all the manifests
>> etc on the agent) - a.k.a known as running masterless.
>>
>> - henrik
>>
>> --
>>
>> Visit my Blog "Puppet on the Edge"
>> http://puppet-on-the-edge.blogspot.se/
>>


Re: [Puppet Users] Re: Difference between Puppet agent v. apply

2016-02-18 Thread warron.french
jcbollinger Rspec?  I have never even heard of that, not even during my
Puppet Training (in a classroom).  That's interesting.

Jcbollinger, I think your explanation has unclouded my understanding quite
a bit - thank you.  Also, my shop uses 'puppet agent -t' on the command
line when we want to *demand* a system be updated and we know it is a good
candidate for being updated; otherwise, we do use something in the crontab
to update the system every 15 minutes or something like that.

Thank you all, JC, Henrik, and Jeff for trying to explain.

I hope not to be so dense when it comes to these questions and concepts,
but I am a sysadmin more than a software developer, and Puppet
Administration seems to be directly in the sweetspot that I can't quite
reach yet.  I am getting there, but I must keep asking the community for
its help and clarification.  *Sometimes, RTFM doesn't work.*

Thank you all again.

--
Warron French


On Thu, Feb 18, 2016 at 9:38 AM, jcbollinger 
wrote:

>
>
> On Wednesday, February 17, 2016 at 7:10:29 PM UTC-6, Warron French wrote:
>>
>> Can someone please clearly explain why/when to use:
>> puppet apply versus Puppet agent?
>>
>
>
> Responding to your specific (mis)understandings:
>
>
>> I believe, but I want to be thoroughly corrected, the following:
>> 1.  puppet apply  (with --noop) is for 'smoke' testing a specific
>> manifest .PP-file, but
>>
>
>
> Not really, unless you ordinarily use 'puppet apply' (*without* --noop)
> to build and apply catalogs.
>
> Your manifests and data need to be present on the host where you build the
> catalog, but they do not necessarily need to be present on the node to
> which you apply a catalog.  If your nodes ordinarily obtain their catalogs
> via the agent, then they probably don't have the manifests and data.
> Moreover, some aspects of catalog building can produce different results
> depending on where they run.
>
> Additionally, the community's conventional choice for testing Puppet
> modules is Rspec.
>
>
>
>> 2. puppet apply will apply a single (specified on cli) module in reality;
>> but,
>>
>
>
> Not necessarily.  'puppet apply' will build a catalog locally, starting
> from the manifest file you specify to it, and referencing other manifests
> and data as necessary.  If successful, it will then apply the catalog to
> the node on which it is running.  To the best of my knowledge, the only
> essential difference between the catalog building process performed by the
> master and the one performed by 'puppet apply' is how the starting-point
> manifest(s) are chosen.  Note also that the manifest you specify to 'apply'
> does not have to belong to a module.
>
>
>
>> 3.  a puppet agent -t searches the deltas of files tracked by the Puppet
>> Master and applies all changes for all modules wherever the modules are
>> actually appropriate candidates.
>>
>
>
> No, I think that's a poor characterization.  'puppet agent' requests that
> the master build a catalog for the local node, and then applies that
> catalog; together these constitute a "catalog run".  Depending on the
> options you specify, the agent may do this just once, or it may run as a
> daemon, performing catalog runs on a configurable schedule.  The second
> stage, applying the catalog received from the master, is no different when
> performed by the agent than when performed by 'puppet apply'.  The first
> stage differs mainly in where it is performed. Where a master is in use, it
> typically does far more than track files.  For its part, the agent has
> nothing to do with deciding *what* to apply; its job is to determine *how*
> to apply it.
>
>
> Overall, I suspect that your misunderstandings are based, in part, on an
> idea that you would routinely have use for both 'puppet agent' and 'puppet
> apply'.  Typically, however, a Puppet shop will use either one or the
> other, not both.
>
>
> John
>


Re: [Puppet Users] Difference between Puppet agent v. apply

2016-02-18 Thread warron.french
Hi Rich, thank you for the clarification.  The more we discuss this, the
more clear (granted slowly) it becomes for me.

--
Warron French


On Thu, Feb 18, 2016 at 3:36 PM, Rich Burroughs 
wrote:

> The agent does not pull modules in a master/agent setup. They are only on
> the master.
>
> The catalog contains the info that the agent needs to get its managed
> resources into the desired state. It's not a list of modules.
>
>
> Rich
>
> On Thu, Feb 18, 2016 at 12:31 PM warron.french 
> wrote:
>
>> Henrik, that looks like the text straight of the man page, which is what
>> I can't quite wrap my head around.
>>
>>
>> I thought the purpose of the catalog is for telling the agent what
>> modules it needs to pull to update its files to what is specified in the
>> modules.
>>
>> --
>> Warron French
>>
>>
>> On Wed, Feb 17, 2016 at 10:20 PM, Henrik Lindberg <
>> henrik.lindb...@puppetlabs.com> wrote:
>>
>>> On 18/02/16 02:10, warron.french wrote:
>>>
>>>> Can someone please clearly explain why/when to use:
>>>> puppet apply versus Puppet agent?
>>>>
>>>>
>>> puppet agent makes requests to the master - the master compiles the
>>> catalog.
>>>
>>> puppet apply produces the catalog locally (must have all the manifests
>>> etc on the agent) - a.k.a known as running masterless.
>>>
>>> - henrik
>>>
>>> --
>>>
>>> Visit my Blog "Puppet on the Edge"
>>> http://puppet-on-the-edge.blogspot.se/
>>>


Re: [Puppet Users] Connecting to https://puppet:8140

2016-02-18 Thread warron.french
Jeff, I think I ran into this last weekend while setting up my own Puppet
Master.  It truly sounds like the exact same issue.

I believe I had to add an extra CNAME record for the name *puppet*, either
that or I had to go and alter the *A-record* in my DNS from *puppetmaster* to
*puppet*.

--
Warron French


On Wed, Feb 17, 2016 at 10:58 AM, Jeff Abrahamson  wrote:

> I set up a puppetserver.  It's, well, not generating errors outright.
>
> On the same host, I want to run a puppet agent.  But the agent doesn't
> seem to want to use the FQDN of the host, and so it fails to connect.
>
> [T] jeff@loire:~ $ puppet agent --debug --test
> ...
> Debug: Finishing transaction 27923380
> Debug: Creating new connection for *https://puppet:8140*
> Error: Could not request certificate: getaddrinfo: Name or service not
> known
> Exiting; failed to retrieve certificate and waitforcert is disabled
> 1,[T] jeff@loire:~ $
> 1,[T] jeff@loire:~ $ cat /etc/puppet/puppet.conf
> [main]
> logdir=/var/log/puppet
> vardir=/var/lib/puppet
> ssldir=/var/lib/puppet/ssl
> rundir=/var/run/puppet
> factpath=$vardir/lib/facter
> certname = puppet
> dns_alt_names = puppet,puppet.example.com
>
> [master]
> # These are needed when the puppetmaster is run by passenger
> # and can safely be removed if webrick is used.
> ssl_client_header = SSL_CLIENT_S_DN
> ssl_client_verify_header = SSL_CLIENT_VERIFY
>
> [agent]
> server = puppet.example.com
> [T] jeff@loire:~ $ cat /etc/hosts
> 127.0.0.1 localhost
> 127.0.1.1 ubuntu
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> 139.162.147.68 loire.example.com loire
> [T] jeff@loire:~ $ netstat -a | grep 8140
> tcp6   0  0 [::]:8140   [::]:*
> LISTEN
> [T] jeff@loire:~ $
>
>
> Of course, s/example/my-real-domain-name/g.  Note that loire is the host's
> A record, there's a CNAME called puppet.  (Note that telnetting to
> loire.example.com 8140 connects: the tcp6 is a netstat artefact as far as
> I know.)
>
> Reflection, poking, and googling are drawing blanks for me.  Any
> suggestions ?
>
>
> Jeff Abrahamson
> +33 6 24 40 01 57
> +44 7920 594 255<-- only when I'm in the UK
> http://ml-week.com/ * prochaine edition,
> 2016*
>
> http://jeff.purple.com/
> http://blog.purple.com/jeff/
>


Re: [Puppet Users] Re: Please explain need for multiple .ppm files in a single module

2016-02-18 Thread warron.french
JCBollinger, in my training classes over the last 3 years, we always wrote
modules with a single init.pp; that's why I am surprised.

Thanks JC,

--
Warron French


On Thu, Feb 18, 2016 at 9:08 AM, jcbollinger wrote:

>
>
> On Wednesday, February 17, 2016 at 7:01:32 PM UTC-6, Warron French wrote:
>>
>> Where I work a great of the Puppet Modules employed are downloaded from
>> the Puppet Forge; however, some are created by my teammates.
>>
>> What I can't figure out is WHY are some modules written with multiple .pp
>> files in the manifest directory.
>>
>> Can someone please tutor me on this point, or point me to a document/link?
>>
>
>
> What *I* can't figure out is what you find surprising about Puppet
> modules comprising multiple manifests.  If you help me out there, then
> perhaps I can help you out in return.
>
>
> John
>


Re: [Puppet Users] Difference between Puppet agent v. apply

2016-02-18 Thread Rich Burroughs
They would not likely have covered Rspec in Puppet Fundamentals, if you
took that. Rspec is a Ruby testing framework, and most of the Puppet
testing tools out there are based on it.

And I think the challenge you mention isn't uncommon. A lot of sysadmins
can write scripts but don't have experience with engineering practices,
like writing tests. It's a new way of looking at things.

The upside is that these kinds of skills are in demand, and in demand at
the more interesting shops out there to work at. So it's definitely in your
benefit to work through this and learn some new things :) Hang in there.


Rich
On Thu, Feb 18, 2016 at 12:48 PM warron.french wrote:

> Hi Rich, thank you for the clarification.  The more we discuss this, the
> more clear (granted slowly) it becomes for me.
>
> --
> Warron French
>
>
> On Thu, Feb 18, 2016 at 3:36 PM, Rich Burroughs wrote:
>
>> The agent does not pull modules in a master/agent setup. They are only on
>> the master.
>>
>> The catalog contains the info that the agent needs to get its managed
>> resources into the desired state. It's not a list of modules.
>>
>>
>> Rich
>>
>> On Thu, Feb 18, 2016 at 12:31 PM warron.french wrote:
>>
>>> Henrik, that looks like the text straight out of the man page, which is
>>> what I can't quite wrap my head around.
>>>
>>>
>>> I thought the purpose of the catalog is for telling the agent what
>>> modules it needs to pull to update its files to what is specified in the
>>> modules.
>>>
>>> --
>>> Warron French
>>>
>>>
>>> On Wed, Feb 17, 2016 at 10:20 PM, Henrik Lindberg <
>>> henrik.lindb...@puppetlabs.com> wrote:
>>>
>>>> On 18/02/16 02:10, warron.french wrote:
>>>>
>>>>> Can someone please clearly explain why/when to use:
>>>>> puppet apply versus Puppet agent?
>>>>>
>>>>>
>>>> puppet agent makes requests to the master - the master compiles the
>>>> catalog.
>>>>
>>>> puppet apply produces the catalog locally (must have all the manifests
>>>> etc on the agent) - a.k.a known as running masterless.
>>>>
>>>> - henrik
>>>>
>>>> --
>>>>
>>>> Visit my Blog "Puppet on the Edge"
>>>> http://puppet-on-the-edge.blogspot.se/


Re: [Puppet Users] Re: Please explain need for multiple .ppm files in a single module

2016-02-18 Thread Denmat
Here's what puppet docs say.
https://docs.puppetlabs.com/puppet/latest/reference/modules_fundamentals.html#manifests

One single .pp for complex modules is a nightmare. Better to separate into
smaller chunks.

> On 19 Feb 2016, at 07:51, warron.french wrote:
> 
> JCBollinger, in my training classes over the last 3 years, we always wrote 
> modules with a single init.pp; that's why I am surprised.
> 
> Thanks JC,
> 
> --
> Warron French
> 
> 
>> On Thu, Feb 18, 2016 at 9:08 AM, jcbollinger wrote:
>> 
>> 
>>> On Wednesday, February 17, 2016 at 7:01:32 PM UTC-6, Warron French wrote:
>>> Where I work a great of the Puppet Modules employed are downloaded from the 
>>> Puppet Forge; however, some are created by my teammates.
>>> 
>>> What I can't figure out is WHY are some modules written with multiple .pp 
>>> files in the manifest directory.
>>> 
>>> Can someone please tutor me on this point, or point me to a document/link?
>>> 
>> 
>> 
>> What I can't figure out is what you find surprising about Puppet modules 
>> comprising multiple manifests.  If you help me out there, then perhaps I can 
>> help you out in return.
>> 
>> 
>> John
>> 


[Puppet Users] To namespace, or not to namespace, that is the question

2016-02-18 Thread Micah Anderson
Hello, puppet users

Reviewing a friend's puppet module, puppet-lint shows he didn't use the 
explicit namespace on variables. He told me that he used the Style Guide[1] 
and the Beginner's Guide to Modules[2] which are a little unclear about the 
right way to do this, so I wanted to write to clarify this issue.

The Guide to Modules describes using a params.pp file and having a class 
inherits directive to pass variables to the anchored classes, like in the 
puppetlabs' ntp module. 

The style guide says the following: "You must scope all variables except 
for local or inherited variables. Scope inherited variables, when 
appropriate, for clarity. You should not mask/shadow inherited variables." 
We interpreted this paragraph differently: he says because they are 
inherited it is not needed to scope the variables, but I say that for 
clarity they should be scoped. If it is better to scope them all the time, 
why is there the possibility of using not scoped variables with class 
inheritance in the first place? 

I've seen people on #puppet, and on this list, say that every variable 
should be scoped for consistency and clarity, but this isn't explicitly 
said in those guides. In this case, variables aren't being mixed from 
different scopes, so there isn't a clarity issue. In fact the argument is 
that if you explicitly scope every variable, but there is no other module 
where variables are coming from, then you need to read every variable to 
check to see if there is a variable coming from another scope 
(::module1::foo vs. ::module2::bar), but if everyone has the same scope then
you are unnecessarily reading more things to check for another scope, when
there isn't one. Technically, you can just use the variable short name when
using 'inherits'... but it's frowned on, but that frowning isn't detailed
anywhere in the style guides or docs.

https://docs.puppetlabs.com/guides/scope_and_puppet.html#qualify-your-variables 
says: Whenever you need to refer to a variable in another class, give the 
variable an explicit namespace: instead of simply referring to 
$packagelist, use $git::core::packagelist. This is a win in readability — 
any casual observer can tell exactly where the variable is being set, 
without having to model your code in their head — and it saves you from 
accidentally getting the value of some completely unrelated $packagelist 
variable. For complete clarity and consistency you will probably want to do 
this even when it isn’t absolutely necessary.

This last sentence seems to implore you to do it when it's not necessary
because it is more clear and consistent everywhere, but this is only really 
detailed in the context of setting variables and dynamic scope, which isn't 
there anymore, modules are different as they are always inside the class.

So, clarification needed only when you are calling it from another place, 
or clarification everywhere (e.g. for someone else who is reading the code)?

More confusing is that it seems like these types of params modules are 
sometimes discouraged on this list, although the guides seem to use these 
params and inherits models (and this style is often used by the puppetlabs 
modules). So should we avoid this type of module, or not? Can we get more
clarity around this issue?

If the best practice is actually different from what these guides show,
then why aren't these updated to reflect that? Personally, because 
inheritance is tricky, dynamic scoping was problematic, and namespace 
changes have been hard to keep track of over time, I like to namespace 
everything... but I've been doing this for a while. New people might not 
think this is such a big deal now.

According to this puppet-lint issue it should not use inherited variables 
but then scope them: https://github.com/rodjek/puppet-lint/issues/304

As it works in both cases, we wonder which should be the default way of
writing puppet modules.

The controversial part is related to the following code:

# init.pp
class myservice (
  $service_variable = $myservice::params::service_variable
) inherits myservice::params {
  anchor { 'myservice::begin': } ->
  class { '::myservice::install': } ->
  anchor { 'myservice::end': }
}

# params.pp
class myservice::params {
  $service_variable = 'variable'
}

# install.pp
class myservice::install inherits myservice {
  file { $service_variable:
    ensure => 'file'
  }
}

Should $service_variable be changed to $myservice::params::service_variable
(or even $::myservice::params::service_variable)? If that's the case, can we
update the Guide to Modules or give more clarity to the style guide?

[1]: https://docs.puppetlabs.com/guides/style_guide.html
[2]: https://docs.puppetlabs.com/guides/module_guides/bgtm.html


Re: [Puppet Users] firewall module to accept array of sources/dests

2016-02-18 Thread Alex Harvey
On 14 February 2016 at 00:30, Felix Frank wrote:
>
> Sure, but I feel that this case is especially confusing.
>
> The user does not remove a resource from their manifest. They change a
> parameter of one of their resources, which feels like changing a property
> value for a proper resource. The fact that this may not be sync'ed
> correctly by the agent can be surprising, and removing firewall rules is a
> highly critical operation.
>
> So, yes, I think you should go ahead and build that module, but please
> make sure to plaster its documentation with warnings ;-)
>

OK, noted.

I have decided that I will create a new Puppet Forge module for this, one
for Puppet 3 and a separate one for Puppet 4.  This way I can avoid
creating a new support burden for the team that manages Puppet Labs
firewall and still deliver the features needed.  If it proves to be
popular, I'll be happy to have it merged into the support Puppet Forge
firewall module at any time.

It will deliver just a single defined type (and the Puppet 3 version will
also deliver a private defined type to work around the lack of iterators).

As far as the naming is concerned I wish I could call it:

firewall::multi

That would be nice because it could be moved to the firewall module at a
later date and no one using it would need to refactor.  However that would
result in a module name clash with the Puppet Labs firewall module, which
is a dependency.

So I think I'll call it:

firewall_multi

It will basically accept any parameter that firewall accepts and pass it
straight through to the firewall resource, unless that parameter is the
source or destination, in which case it will of course loop through these
arrays, spawning one firewall resource for each.

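The expansion described in the message above, together with the stale-rule concern Felix raises, sketched as a Puppet 4 defined type. This is an added example, not code from the thread or from the firewall_multi module; the type name example_firewall_multi, the firewall_params hash and the addresses are assumptions made for illustration.

```puppet
# Added illustration (hypothetical names): expand arrays of sources and
# destinations into one puppetlabs-firewall resource per pair.
define example_firewall_multi (
  Array[String, 1]   $source,
  Array[String, 1]   $destination,
  Hash[String, Data] $firewall_params = {},
) {
  $source.each |String $src| {
    $destination.each |String $dst| {
      # Firewall titles must start with a number, so the caller's title
      # (e.g. '100 allow ssh') is kept as the prefix of each generated title.
      firewall { "${title} from ${src} to ${dst}":
        source      => $src,
        destination => $dst,
        # Every other firewall parameter is passed straight through.
        *           => $firewall_params,
      }
    }
  }
}

# Constructed sample data: two sources, one destination => two firewall rules.
example_firewall_multi { '100 allow ssh':
  source          => ['10.0.0.0/24', '10.0.1.0/24'],
  destination     => ['192.0.2.10/32'],
  firewall_params => {
    'proto'  => 'tcp',
    'dport'  => '22',
    'action' => 'accept',
  },
}

# If '10.0.1.0/24' is later dropped from $source, its firewall resource simply
# disappears from the catalog and the agent no longer manages that rule, so the
# accept rule stays loaded on the host. Purging unmanaged firewall resources
# removes it, but it also removes every other rule Puppet does not manage, so
# check the catalog for completeness before enabling it.
resources { 'firewall':
  purge => true,
}
```

After shrinking either array, `iptables -S` on the node shows whether the dropped rule is really gone.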