[Puppet Users] RE: pass values to puppet-lvm

2012-02-08 Thread C R Ritson
It's bound to be sub-optimal, but I too found puppet-lvm hard to get started 
with. Firstly, I took a long time to discover that I needed to set pluginsync 
to get the module copied to all hosts:-

  # Turn on pluginsync so the module's types and providers reach every host.
  augeas { "puppet-pluginsync":
    context => "/files/etc/puppet/puppet.conf/main",
    changes => "set pluginsync true",
    # notify  => Service[puppet],
  }

In this, the notify is commented out. It shouldn't be, but until I can upgrade 
to 2.7, I think I am being bitten by an old bug which prevents the daemon being 
restarted. I couldn't make parameterisation work.

Secondly, like another poster, my initial host setup creates system volumes 
with kickstart. I use puppet to add subsequent data volumes which may be 
required for a specific project. I have given up trying to parameterise this, 
so it is less than flexible. One example, for a project-specific equivalent of 
/tmp, is split into two parts:-

class lvm_a3 {
  import "puppet-lvm"

  # The spare partition left by kickstart becomes the physical volume for
  # the data volume group.
  physical_volume { "/dev/sda3" :
    ensure => present,
  }

  volume_group { "vga" :
    ensure           => present,
    physical_volumes => "/dev/sda3",
  }

  Physical_volume["/dev/sda3"] -> Volume_group["vga"]
}

class lvm_gypsy {
  import "puppet-lvm"

  # Ordering: LV -> filesystem -> mount point directories -> mount -> tmp dir.
  Volume_group["vga"]          -> Logical_volume["gypsy"]
  Logical_volume["gypsy"]      -> Filesystem["/dev/vga/gypsy"]
  Filesystem["/dev/vga/gypsy"] -> Mount["/export/space/gypsy"]
  File["/export"]              -> File["/export/space"]
  File["/export/space"]        -> File["/export/space/gypsy"]
  File["/export/space/gypsy"]  -> Mount["/export/space/gypsy"]
  Mount["/export/space/gypsy"] -> File["/export/space/gypsy/tmp"]

  logical_volume { "gypsy" :
    ensure       => present,
    volume_group => "vga",
    size         => "50G",
  }

  filesystem { "/dev/vga/gypsy" :
    ensure  => present,
    fs_type => "ext3",
  }

  # Puppet adds the search (x) bit to directories wherever a read bit is
  # set, so "644" here gives 755 on disk and "611" gives 711.
  file { "/export" :
    ensure => directory,
    mode   => "644",
  }

  file { "/export/space" :
    ensure => directory,
    mode   => "644",
  }

  file { "/export/space/gypsy" :
    ensure => directory,
    mode   => "611",
  }

  # nofail lets the host boot even if the volume is absent.
  mount { "/export/space/gypsy" :
    atboot  => true,
    device  => "/dev/vga/gypsy",
    ensure  => mounted,
    fstype  => "ext3",
    options => "defaults,nofail",
    name    => "/export/space/gypsy",
    dump    => "0",
    pass    => "1",
  }

  # Sticky, world-writable scratch directory, like /tmp.
  file { "/export/space/gypsy/tmp" :
    ensure => directory,
    owner  => "root",
    mode   => "1777",
  }

  # Remove scratch files whose mtime is older than 36 hours.
  tidy { "/export/space/gypsy/tmp":
    age     => "36h",
    recurse => inf,
    type    => mtime,
  }
}

These two classes are one-per-file. You will see that the second one goes on to 
tidy up stale scratch files...

Chris Ritson (Computing Officer and School Safety Officer)

Room 707, Claremont Tower,        EMAIL: c.r.rit...@ncl.ac.uk
School of Computing Science,      PHONE: +44 191 222 8175
Newcastle University,             FAX  : +44 191 222 8232
Newcastle upon Tyne, UK NE1 7RU.  WEB  : http://www.cs.ncl.ac.uk/


-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.



[Puppet Users] -> vs => for dependency

2012-03-05 Thread C R Ritson
This happened to concern the LVM module, but I don't think that is important in 
this case.

What is the difference between using -> and => to enforce a requirement that 
one class cannot be applied if the other fails to be asserted? 

In this case I have:-
  mount { "/addon/work2" :
    device => "/dev/vga/work2",
    ensure => mounted,
  }

  filesystem { "/dev/vga/work2" :
    ensure => present,
  }

  Filesystem["/dev/vga/work2"] -> Mount["/addon/work2"]

All the stanzas have additional parameters as needed, but do not have any 
"require =>" statements, this being left to the ordering statements with "->". 
Is this a mistake? I have just come across a machine that had failed to ensure 
the existence of the file system (the disk was too small) but had then gone on 
to generate a mount in /etc/fstab. As a result the machine needed manual 
intervention. Would using "require =>" have behaved differently?

Chris Ritson (Computing Officer and School Safety Officer)






[Puppet Users] autosign

2012-04-24 Thread C R Ritson
Does autosign work? I have a scratch workstation that may be rebuilt frequently 
and will therefore acquire a new client certificate. I was hoping that adding 
its certificate name to /etc/puppet/autosign.conf on the puppetmaster would 
allow just this one client to have its new certificates autosigned. This 
doesn't appear to work and I can find no logged errors telling me what is 
wrong. Can someone suggest where to look, please?


Chris Ritson (Computing Officer and School Safety Officer)





RE: [Puppet Users] autosign

2012-04-24 Thread C R Ritson
Many thanks - this is now working better. What was tripping me up was that if 
the puppet agent has tried to run, and there is a certificate request on the 
master, then the next run of the agent either doesn't try to get the 
corresponding certificate signed or else the auto-signing is silently blocked. 
Is this a bug, a feature, or just a misunderstanding on my part?

What are the security implications of allowing clients to manipulate 
certificates in this way? For now at least I will restrict this to the subset 
that are likely to need frequent rebuilds.

Chris Ritson (Computing Officer and School Safety Officer)





>-Original Message-
>From: Luke Bigum [mailto:luke.bi...@lmax.com]
>Sent: 24 April 2012 09:42
>To: puppet-users@googlegroups.com
>Cc: C R Ritson
>Subject: Re: [Puppet Users] autosign
>
>Autosigning certificates work, what you're probably running into is that
>autosigning does not clear off an old Agent's certificate, so you're
>getting certificate mismatch errors. Puppet's RESTful API allows you to
>manage certificates. It's been a long time since I tested this but I
>have this in my auth.conf:
>
>#allow hosts to manage certificates
>#path /certificate_status/([^/]+)$
>path /certificate_status/
>auth any
>allow *
>
>And then I do this in a kickstart file to have each server delete its
>certificate before it generates a new one and contacts the Puppet Master
>for the first time:
>
>curl -k -X PUT -H "Content-Type: text/pson" \
>  --data '{"desired_state":"revoked"}' \
>  https://puppet:8140/production/certificate_status/$HOSTNAME
>curl -k -X DELETE -H "Accept: pson" \
>  https://puppet:8140/production/certificate_status/$HOSTNAME
>
>Check out this page for more information:
>
>http://docs.puppetlabs.com/guides/rest_api.html
>
>-Luke
>
>--
>Luke Bigum
>
>Information Systems
>Ph: +44 (0) 20 3192 2520
>luke.bi...@lmax.com | http://www.lmax.com
>LMAX, Yellow Building, 1A Nicholas Road, London W11 4AN




RE: [Puppet Users] autosign

2012-04-24 Thread C R Ritson
Having read the scary warnings about autosign, I need to think it through some 
more. However the helpful comments about allowing a client to revoke and delete 
its OWN certificate will probably be useful on their own. Luke said that his 
addition to auth.conf was not working. It appears that the interpolation of a 
substring only works when a pattern-match path specification is used. This 
works for me (note the ~ ):-

#allow (some) hosts to manage certificates
path ~ /certificate_status/test([^/]+)$
auth any
allow test$1

Then in the kick-start file I use Luke's suggested:-

  # Revoke and delete any previous puppet certificate
  curl -k -X PUT -H "Content-Type: text/pson" \
    --data '{"desired_state":"revoked"}' \
    https://puppet:8140/production/certificate_status/${HOSTNAME}.ncl.ac.uk

  curl -k -X DELETE -H "Accept: pson" \
    https://puppet:8140/production/certificate_status/${HOSTNAME}.ncl.ac.uk

I found I needed to add the domain name here to match the certificate that is 
generated later.

If auto-sign is to be avoided, one possibility is a hand-crafted script to look 
every so-often for new certificate requests and sign them if and only if they 
match some pre-determined pattern. Doing it this way avoids the lack of pattern 
matching in autosign.conf in which a * can only match a complete component of a 
fully qualified domain name and not some other arbitrary substring.

Chris Ritson (Computing Officer and School Safety Officer)


>-Original Message-
>From: Luke Bigum [mailto:luke.bi...@lmax.com]
>
>... Regarding security, I was originally trying to work with this:
>
>
>#allow a host to manage it's own certificate
>path /certificate_status/([^/]+)$
...
>allow $1
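
The pattern-restricted signing script sketched in the message above, as an added example that is not part of the original post; the certname patterns, the syslog tag and the two `puppet cert --list` line shapes it accepts are assumptions.

```shell
#!/bin/bash
# Sign pending Puppet CSRs only when the certname fully matches one of a few
# anchored patterns; run from cron on the master instead of autosign.conf.
# The patterns and the log tag are assumptions; adjust them for your site.
set -u
set -f   # no pathname expansion: the patterns contain glob characters

ALLOWED_PATTERNS='^scratch[0-9]+\.ncl\.ac\.uk$ ^test[a-z0-9-]+\.ncl\.ac\.uk$'

# Constructed sample of `puppet cert --list` output, covering both the
# older "  name (fp)" and the newer '  "name" (SHA256) fp' line shapes.
SAMPLE_CSR_LIST='  "scratch12.ncl.ac.uk" (SHA256) AA:BB:CC
  scratch7.ncl.ac.uk (DD:EE:FF)
+ "web1.ncl.ac.uk" (SHA256) 11:22:33
  "scratch1.evil.example" (SHA256) 44:55:66
  "build.ncl.ac.uk" (SHA256) 77:88:99'

# Certnames of pending requests, read from `puppet cert --list` on stdin.
# Only lines that start with whitespace are pending; "+" (signed) and
# "-" (revoked) entries from --list --all are dropped.
pending_names() {
  sed -n -E 's/^[[:space:]]+"?([^" (]+)"?[[:space:]]+\(.*/\1/p'
}

# Prefix each certname with SIGN or SKIP.  The patterns are anchored on
# purpose: an unanchored "scratch" would also admit scratch1.evil.example.
# A name match only limits which names can be claimed; it does not prove
# the requester owns that name, so keep the patterns narrow and log verdicts.
classify_requests() {
  while IFS= read -r name; do
    verdict=SKIP
    for pat in $ALLOWED_PATTERNS; do
      if printf '%s\n' "$name" | grep -E -q -- "$pat"; then
        verdict=SIGN
        break
      fi
    done
    printf '%s %s\n' "$verdict" "$name"
  done
}

# Act on the live request list; every decision goes to syslog for review.
sign_pending() {
  puppet cert --list | pending_names | classify_requests \
    | while read -r verdict name; do
        logger -t csr-signer "$verdict $name"
        if [ "$verdict" = SIGN ]; then
          puppet cert --sign "$name"
        fi
      done
}

if [ "${1:-}" = "--sign" ]; then
  sign_pending
fi
```

Run it as `csr-signer.sh --sign` from cron; without the flag it only defines the functions, so the classification can be exercised on captured `puppet cert --list` output first.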




[Puppet Users] firewall rule moving between chains?

2012-06-26 Thread C R Ritson
I am starting to experiment with the firewall module and as part of a test 
attempted to move a rule between two chains (INPUT and a user-defined one). The 
firewall module noticed that the rule had changed but then attempted to use 
"iptables -R" to move the rule. Because it was moving from one chain to another 
this rule needed deleting and reinserting. The error was reported as:-

err: /Firewall[500 ssh]: Could not evaluate: Execution of '/sbin/iptables -R 
tests 1 -t filter -p tcp -m multiport --dports 22 -m comment --comment 500 ssh 
-j ACCEPT' returned 1: iptables: Index of replacement too big.

Is this type of change something that the firewall module should be able to 
cope with, or am I misunderstanding something? This fault seems to be in both 
the current repository copy as well as release 0.0.4 of this module. It looks 
to be quite nasty, as had there already been some other rule number 1 in the 
target chain this would have been silently and incorrectly replaced.

Chris Ritson (Computing Officer and School Safety Officer)






[Puppet Users] Starting puppet on fedora - mixed init.d and systemd

2011-11-10 Thread C R Ritson
Fedora 15 uses a mix of init.d and systemd to start services. Our systems also 
use NetworkManager. When a client machine is rebooted, NetworkManager is still 
initialising (and has sometimes not yet updated /etc/resolv.conf) by the time 
puppetd is started. puppetd then cannot look up its master server and ends up 
looping without retrying the name service lookup. How is this best avoided?

Chris Ritson (Computing Officer and School Safety Officer)






RE: [Puppet Users] list of all nodes in your manifests

2011-11-22 Thread C R Ritson
I have a home-brewed script that seems to me to answer this part of the 
request. Not ruby, though...

>   The issue was to detect the nodes that hadn't checked in but were
>defined in the manifest.

I don't try to parse the manifest in any way. Instead, I compare a list of the 
signed certificates known to my master with a list of machines which appear to 
have checked in during the past 24 hours. It may not be complete, but it is a 
good start. I am beginning to wonder if I need a derivative of this -- just 
highlighting the changes in the list of puppets that are absent without leave.

I can post the script I have so far if it would help.

Chris Ritson (Computing Officer and School Safety Officer)







[Puppet Users] Can Puppet alert about dead nodes?

2012-11-01 Thread C R Ritson
My solution to this is a script that enumerates the signed keys that the master 
server knows about and compares this with which clients have been seen in the 
past 24 hours. There's probably also a way to do it with some of puppet's 
reporting facilities. My script is appended if it is of any use. You will need 
to customise file names and the email address.

#!/bin/bash
# Report puppet clients that hold a signed certificate but have not compiled
# a catalog today, clients that compiled one but are unknown to the CA, and
# any certificate requests still awaiting signature.

PATH=/usr/local/bin:/usr/bin:/bin
export PATH

# A private scratch directory rather than predictable /tmp/awol.$$ names,
# which are open to symlink tricks in a shared /tmp.
WORK=$(mktemp -d) || exit 1
TMP=${WORK}/awol
trap 'rm -rf "${WORK}"' EXIT

TODAY=$(date '+%b %e')   # syslog date prefix, e.g. "Nov  1"

# 1. Every certificate the master has signed (lines marked with a leading +).
puppet cert --list --all | grep '^+' | cut '-d ' -f2 | sort -uo ${TMP}.1

# 2. Clients that compiled a catalog today, from the master's syslog.
grep "^${TODAY} .*: Compiled catalog for [^ ]* in environment production" \
    /var/log/daemon.log \
  | awk '{print $9}' \
  | sort -uo ${TMP}.2

# 3. Signed but silent (-) and seen but unknown (+) clients.
diff ${TMP}.1 ${TMP}.2 \
  | grep '^[<>]' \
  | tr '<>' '-+' >${TMP}.3

# 4. Pending requests are worth a look too.
puppet cert --list | grep -v '^$' >${TMP}.4
if [ -s "${TMP}.4" ] ; then
    cat - ${TMP}.4 >>${TMP}.3 <<EOF

The following machines have certificates awaiting signature:-
EOF
fi

MISSING=$(wc -l <${TMP}.3)

if [ "${MISSING}" -gt 0 ] ; then
    cat - ${TMP}.3 <<EOF \
      | mail -s "Some of our puppets are missing" puppet...@university.ac.uk
There are some puppets missing (-) or interlopers (+).
EOF
fi

Chris Ritson (Computing Officer and School Safety Officer)




[Puppet Users] puppetlabs-lvm and --guess-fstype

2012-11-21 Thread C R Ritson
I'm testing a fedora 17 deployment and am using puppet 2.7.x and 
puppetlabs-lvm-0.1.1. I have a problem in that a filesystem in a logical volume 
is continually trying to get itself created even though it already exists and 
is mounted. It looks as if this might be because there is no longer a 
"--guess-fstype" option in the mount command which the lvm module attempts to 
use. I'm not sure how to solve this.

Chris Ritson (Computing Officer and School Safety Officer)


