Re: [Puppet Users] Managing SSH host private keys
Hi Jonathan,

On Thu, Jan 26, 2012 at 5:40 AM, Jonathan Gazeley wrote:
> Hi all,
>
> I already use Puppet to collect and distribute SSH host public keys between
> machines I manage. I now want to collect private host keys from each node
> and store them on the puppetmaster, so when I rebuild a node it receives the
> same key.

Sure.

> Is there an easy way of doing this?

I don't know about "easy", but here is what I am doing:

Set up a "private" fileserver for your nodes. This is where I put
sensitive node data (like ssh host keys). Then configure your manifest
to pull in the files from there.

Here are some of the relevant files:

$ cat /etc/puppet/fileserver.conf
# This file consists of arbitrarily named sections/modules
# defining where files are served from and to whom

# Define a section 'files'
# Adapt the allow/deny settings to your needs. Order
# for allow/deny does not matter, allow always takes precedence
# over deny
[files]
  path /etc/puppet/files
#  allow *.example.com
#  deny *.evil.example.com
#  allow 192.168.0.0/24

[plugins]
#  allow *.example.com
#  deny *.evil.example.com
#  allow 192.168.0.0/24

[private]
  path /etc/puppet/private/%h
  allow *

$ cat /etc/puppet/modules/ssh/manifests/init.pp
class ssh::install {
  package { "ssh":
    ensure => present,
  }
}

class ssh::service {
  service { "ssh":
    ensure     => running,
    enable     => true,
    hasrestart => true,
    require    => Class["ssh::install"],
  }
}

class ssh::config($sshd_config_source = "puppet:///modules/ssh/etc/ssh/sshd_config") {
  file { "/etc/ssh/sshd_config":
    owner   => "root",
    group   => "root",
    mode    => 0644,
    source  => $sshd_config_source,
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }
  file { "/etc/ssh/ssh_host_dsa_key":
    owner   => "root",
    group   => "root",
    mode    => 0600,
    source  => "puppet:///private/etc/ssh/ssh_host_dsa_key",
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }
  file { "/etc/ssh/ssh_host_dsa_key.pub":
    owner   => "root",
    group   => "root",
    mode    => 0644,
    source  => "puppet:///private/etc/ssh/ssh_host_dsa_key.pub",
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }
  file { "/etc/ssh/ssh_host_rsa_key":
    owner   => "root",
    group   => "root",
    mode    => 0600,
    source  => "puppet:///private/etc/ssh/ssh_host_rsa_key",
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }
  file { "/etc/ssh/ssh_host_rsa_key.pub":
    owner   => "root",
    group   => "root",
    mode    => 0644,
    source  => "puppet:///private/etc/ssh/ssh_host_rsa_key.pub",
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }
}

class ssh($sshd_config_source = "puppet:///modules/ssh/etc/ssh/sshd_config") {
  include ssh::install, ssh::service

  class { "ssh::config":
    sshd_config_source => $sshd_config_source
  }
}

$ ls -alh /etc/puppet/private/nodehostname/etc/ssh
total 24K
drwxr-xr-x 2 root root 4.0K Jan 18 11:35 .
drwxr-xr-x 5 root root 4.0K Jan 18 11:35 ..
-rw-r--r-- 1 root root  668 Jan 18 11:35 ssh_host_dsa_key
-rw-r--r-- 1 root root  598 Jan 18 11:35 ssh_host_dsa_key.pub
-rw-r--r-- 1 root root 1.7K Jan 18 11:35 ssh_host_rsa_key
-rw-r--r-- 1 root root  390 Jan 18 11:35 ssh_host_rsa_key.pub

HTH,

-Matt Zagrabelny

--
"This space was intentionally left blank as to not advertise to you
what cellular provider nor what iDevice was used to send you an
email."

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Managing SSH host private keys
On Thu, Jan 26, 2012 at 9:35 AM, Jonathan Gazeley wrote:
> On 26/01/12 15:22, Matt Zagrabelny wrote:
>>
>> I don't know about "easy", but here is what I am doing:
>
>
> Thanks Matt, that's helpful.
>
> This addresses how to distribute keys to node from the fileserver, but I
> wonder if there is a mechanism where if the key doesn't exist on the
> fileserver, the key that currently exists on the node is pulled in and saved
> for future reference - i.e. when new nodes are created.
>
> I'm trying to avoid any situation where I have to remember to do anything
> manually, you see. It always leads to failure down the line!

I think the consensus is that puppet drives the state of a node. It is
somewhat unconventional to have the node drive the state of the node.

Remember, there is always some amount of manual stuff to do.

1) Install the OS (or clone your VM.)
2) Set the IP/hostname
3) Install puppet
4) Have the puppetmaster sign the cert

Adding on scp'ing the host keys to your puppetmaster isn't too big of a deal.

-mz

--
"This space was intentionally left blank as to not advertise to you
what cellular provider nor what iDevice was used to send you an
email."
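An added example, not part of the original messages: a shell audit of the per-host "private" fileserver tree described in this thread, reporting SSH host private keys whose mode lets any local account on the puppetmaster read them. The layout <root>/<hostname>/etc/ssh/ is taken from the listing in the thread; the function names and the sample hosts web01 and db01 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Puppet "private" file server
# tree for SSH host private keys that any local user on the master can read.
# Assumed layout, taken from the thread: <root>/<hostname>/etc/ssh/.

# Print the octal permission bits of a path (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed when the octal mode grants any permission to "other".
# Group bits are not flagged: root:puppet 0640 is a plausible way to let the
# master process read the key (an assumption about the local setup).
world_accessible() {
    [ $(( 0$1 & 007 )) -ne 0 ]
}

# Print "<mode> <path>" for every private host key under ROOT that "other"
# can access. Public keys (*.pub) do not match the pattern and are skipped.
audit_private_keys() {
    find "$1" -type f -path '*/etc/ssh/ssh_host_*_key' | sort |
    while IFS= read -r key; do
        mode=$(file_mode "$key")
        if world_accessible "$mode"; then
            printf '%s %s\n' "$mode" "$key"
        fi
    done
}

# Build a constructed sample tree: host "web01" mirrors the 0644 modes shown
# in the thread's listing, host "db01" has keys restricted to the owner.
# File contents are dummy text, not key material.
make_sample_tree() {
    for host in web01 db01; do
        mkdir -p "$1/$host/etc/ssh"
        for f in ssh_host_dsa_key ssh_host_dsa_key.pub \
                 ssh_host_rsa_key ssh_host_rsa_key.pub; do
            echo "constructed placeholder" > "$1/$host/etc/ssh/$f"
            chmod 644 "$1/$host/etc/ssh/$f"
        done
    done
    chmod 600 "$1/db01/etc/ssh/ssh_host_dsa_key" \
              "$1/db01/etc/ssh/ssh_host_rsa_key"
}

# Run the audit over the constructed tree and show the findings.
demo() {
    tree=$(mktemp -d)
    make_sample_tree "$tree"
    echo "World-accessible private host keys:"
    audit_private_keys "$tree" | sed "s|$tree|<root>|"
    rm -rf "$tree"
}

demo
```

Against a real master the call would be audit_private_keys /etc/puppet/private. How a finding is closed (which owner and group the key files get so the master process can still serve them) is a local choice the script does not make.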
[Puppet Users] default "notify" directive for files in a directory
Hi,

I know there is a way to have global options using things like:

site.pp:

File {
  owner => "root",
  group => "root",
  mode  => 0644,
}

--

Is there a way to have something like:

File[/etc/daemon/config.d/*] {
  notify => Class["daemon::service"],
}

??

I would like to have the same "notify" directive for any file resource
that falls under the path "/etc/daemon/config.d".

The reason why I would like to do it this way is that I have config
files (/etc/daemon/config.d/config_option_1) for said daemon spread
out. For instance, some of them live within modules, others are in the
private fileserver namespace. It would reduce directive clutter if
there was a way to say, "Any file living under /etc/daemon/config.d"
has a default notify of 'Class["daemon::service"],'.

Thanks for the advice.

Sincerely,

-matt zagrabelny
[Puppet Users] per host/node ssl key cert info
Hi,

Are people using puppet to store/deploy SSL key/cert info?

My scenario is that I've got a bunch of nodes/hosts that are using
Shibboleth with each host having its own SSL cert and key. I know I
can ensure the relevant packages are installed and that the configs
are consistent across said nodes, but I don't know:

A) If people are using puppet to store the certs/keys for various
applications (apache, shib, syslog w/ TLS, etc.) within specific hosts

B) If so, how best to do it with having puppet deploy those certs and
keys to said hosts

Thanks for any hints or info!

-matt zagrabelny
[Puppet Users] passing parameters to templates
Hi,

Is it possible to pass parameters to use in templates? Or do you just
set "global" variables in the class and then reference that in the
template?

Thanks,

-matt zagrabelny
Re: [Puppet Users] Re: passing parameters to templates
On Tue, Oct 18, 2011 at 12:11 PM, Steve Snodgrass wrote:
> To be a little more explicit about what Nan said, if you use a
> parameterized class, any parameters you passed into the class will
> also be available in the template. The same things goes for a define.

I've got a class:

class libapache2_mod_shib2::config($environment = "production") {
  if ($environment == "production") {
    $idp_server        = "idp2.shib.umn.edu"
    $metadata_provider = "UofM-IDP-metadata.xml"
  } elsif ($environment == "testing") {
    $idp_server        = "idp-test.shib.umn.edu"
    $metadata_provider = "UofM-IDP-test-metadata.xml"
  } else {
    fail("ensure parameter must be production or testing")
  }
  file { "/etc/shibboleth/shibboleth2.xml":
    owner   => "root",
    group   => "root",
    mode    => 0644,
    content => template("libapache2_mod_shib2/etc/shibboleth/shibboleth2.xml.erb"),
    require => Class["libapache2_mod_shib2::install"],
    notify  => Service["shibd"],
  }
}

In the template it seems that:

$libapache2_mod_shib2::config::environment

didn't work. However,

scope.lookupvar('libapache2_mod_shib2::config::environment')

did.

Should the former mechanism work?

Thanks,

-mz
[Puppet Users] is_virtual fact
Hi,

I've got a question regarding a fact. I'm trying to use the
'is_virtual' fact in a class manifest:

class io_scheduler {
  if $is_virtual {
    file { "/etc/default/grub":
      owner  => "root",
      group  => "root",
      mode   => 0644,
      source => "puppet:///modules/io_scheduler/etc/default/grub",
    }
  }
}

However, on one of my physical systems:

$ facter | grep is_virtual
is_virtual => false

The file mentioned above gets installed:

Nov 23 14:22:50 hostname puppet-agent[1838]: (/Stage[main]/Io_scheduler::Config/File[/etc/default/grub]/content) content changed '{md5}01de0bd1b00e2ca04ebb873ace6f20fe' to '{md5}a882618adcb31667cbab22731f8f16e2'

Any ideas what is wrong here?

Thanks for the help!

-matt zagrabelny
Re: [Puppet Users] is_virtual fact
> Facter facts are all strings, not true booleans. You'll need to check
> for whether or not $is_virtual == 'true'.

Thanks for the prompt reply, Jacob!

Things look good now.

-mz
[Puppet Users] installing packages from debian backports?
Hi Puppet Users,

I am trying to install a package (request-tracker4) from Debian
backports onto a stable (squeeze) Debian system using puppet. I've
googled around and didn't find anything concrete about the best way
going about this.

Does anyone have advice regarding this?

The crux is that apt-get (or aptitude) currently is called like:

/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install request-tracker4

However to resolve dependencies contained within the backports repo,
we need to add the '-t squeeze-backports' option:

/usr/bin/apt-get -q -y -t squeeze-backports -o DPkg::Options::=--force-confold install request-tracker4

I was thinking of making a custom provider. Is that sane?

Thanks for the hints!

-matt zagrabelny
Re: [Puppet Users] installing packages from debian backports?
On Wed, Dec 21, 2011 at 5:37 PM, Walter Heck wrote:
> Look into apt pinning, that is the way to pin specific packages to come from
> a specific origin. It's done in /etc/apt/preferences, the deep inner
> workings are a tad voodoo, but nothing too crazy :)

Thanks for the advice, Walter.

There are a couple of options:

1) Pin all of squeeze-backports higher than squeeze. The drawback here
is that more of squeeze-backports will get pulled in than just the
dependencies of "request-tracker4".

2) Pin the dependent packages from s-b-p higher than squeeze. The
drawback here is that I'll need to manually enter all of the
dependencies of rt4 into the pinning stanzas.

Ideally, I'd like to use the -t option for apt-get/aptitude - that
provides the cleanest package install process.

Thanks for jogging my memory about pinning though, it should suffice
if there is no clean way to use the '-t' option with puppet.

Any other advice is (equally) welcome.

Thanks,

-mz

> On Thu, Dec 22, 2011 at 00:50, Matt Zagrabelny wrote:
>>
>> Hi Puppet Users,
>>
>> I am trying to install a package (request-tracker4) from Debian
>> backports onto a stable (squeeze) Debian system using puppet. I've
>> googled around and didn't find anything concrete about the best way
>> going about this.
>>
>> Does anyone have advice regarding this?
>>
>> The crux is that apt-get (or aptitude) currently is called like:
>>
>> /usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install
>> request-tracker4
>>
>> However to resolve dependencies contained within the backports repo,
>> we need to add the '-t squeeze-backports' option:
>>
>> /usr/bin/apt-get -q -y -t squeeze-backports -o
>> DPkg::Options::=--force-confold install request-tracker4
>>
>> I was thinking of making a custom provider. Is that sane?
>>
>> Thanks for the hints!
>>
>> -matt zagrabelny
>
> --
> Walter Heck
Re: [Puppet Users] installing packages from debian backports?
On Thu, Dec 22, 2011 at 3:31 AM, Walter Heck wrote:
>
>
> On Thu, Dec 22, 2011 at 11:19, Tom De Vylder wrote:
>>
>> How about this:
>>
>> package { 'puppetmaster/squeeze-backports':
>>   ensure => installed,
>> }
>>
>> Looks a lot easier to me. It takes all the dependencies it needs from
>> squeeze when available.
>> If it can't find any suitable dependencies it will try to use backports
>> instead, but only for the requested package.
>
>
> Is that documented behaviour?

It is documented in apt(-get/itude). From the man page:

install pkg [ { =pkg_version_number | /target_release } ]

Thanks for the good hints Tom and Walter.

-mz
Re: [Puppet Users] installing packages from debian backports?
On Thu, Dec 22, 2011 at 7:32 AM, Matt Zagrabelny wrote:
> On Thu, Dec 22, 2011 at 3:31 AM, Walter Heck wrote:
>>
>>
>> On Thu, Dec 22, 2011 at 11:19, Tom De Vylder wrote:
>>>
>>> How about this:
>>>
>>> package { 'puppetmaster/squeeze-backports':
>>>   ensure => installed,
>>> }
>>>
>>> Looks a lot easier to me. It takes all the dependencies it needs from
>>> squeeze when available.
>>> If it can't find any suitable dependencies it will try to use backports
>>> instead, but only for the requested package.
>>
>>
>> Is that documented behaviour?
>
> It is documented in apt(-get/itude). From the man page:
>
> install pkg [ { =pkg_version_number | /target_release } ]
>
>
> Thanks for the good hints Tom and Walter.
>
> -mz

Unfortunately, no dice.

Dec 22 10:03:15 acasupport-web puppet-agent[32729]: (/Stage[main]/Request_tracker4::Install/Package[request-tracker4/squeeze-backports]/ensure) change from purged to present failed: Execution of '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install request-tracker4/squeeze-backports' returned 100: Reading package lists...
Building dependency tree...
Reading state information...
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 request-tracker4 : Depends: libdbix-searchbuilder-perl (>= 1.59) but 1.56-1 is to be installed
                    Depends: liblog-dispatch-perl (>= 2.23) but 2.22-1 is to be installed
                    Depends: libhtml-rewriteattributes-perl (>= 0.04) but 0.03-1 is to be installed
                    Depends: libplack-perl (>= 0.9971) but 0.9941-1 is to be installed
E: Broken packages
Dec 22 10:03:15 acasupport-web puppet-agent[32729]: (/Stage[main]/Request_tracker4::Install/Package[rt4-db-postgresql/squeeze-backports]) Dependency Package[request-tracker4/squeeze-backports] has failures: true
Dec 22 10:03:15 acasupport-web puppet-agent[32729]: (/Stage[main]/Request_tracker4::Install/Package[rt4-db-postgresql/squeeze-backports]) Skipping because of failed dependencies

From Martin Krafft's Debian book:

apt-get install package/release
apt-get install package=version

"Both of these methods have the inherent problem that the release or
version selection only applies to the package for which it has been
specified. If the package defines dependencies that can only be
satisfied from the same source, APT gives up."

Later on Krafft reports:

"A better way to control the source archive to be used for
installations and upgrades is to override the default (or target)
release... provide the --target-release (-t) switch for this purpose.)"

Thus,

apt-get -t target install package

is different from

apt-get install package/target

Back to the drawing board...

-mz
[Puppet Users] exec subscribe debugging?
Hi!

I've got a simple file and exec resource coupling that does not seem
to be working as expected:

  file { "/etc/postfix/transport":
    source => "puppet:///private/etc/postfix/transport",
  }

  exec { "rebuild_transport_index_for_mailman":
    command     => "postmap /etc/postfix/transport",
    path        => "/bin:/sbin:/usr/bin:/usr/sbin",
    subscribe   => File["/etc/postfix/transport"],
    refreshonly => true,
  }

The above postmap command should create the file "/etc/postfix/transport.db".

I restart puppet on the node and the exec is not run:

Aug 10 09:16:11 lists puppet-agent[1099]: Starting Puppet client version 2.6.2
Aug 10 09:16:13 lists puppet-agent[1099]: (/Stage[main]/Mailman::Service/Service[mailman]/ensure) ensure changed 'stopped' to 'running'
Aug 10 09:16:18 lists puppet-agent[1099]: Finished catalog run in 5.43 seconds

Of course the "transport.db" does not get created:

% ls -alhrt /etc/postfix
total 84K
drwxr-xr-x  2 root root 4.0K May  4  2011 sasl
-rwxr-xr-x  1 root root  24K May  4  2011 post-install
-rwxr-xr-x  1 root root 8.6K May  4  2011 postfix-script
-rw-r--r--  1 root root  19K May  4  2011 postfix-files
-rw-r--r--  1 root root  318 Aug  9 14:57 dynamicmaps.cf
drwxr-xr-x 77 root root 4.0K Aug  9 15:35 ..
-rw-r--r--  1 root root 1.7K Aug  9 16:26 main.cf
-rw-r--r--  1 root root   31 Aug  9 16:52 transport
-rw-r--r--  1 root root 4.0K Aug  9 16:52 master.cf
drwxr-xr-x  3 root root 4.0K Aug 10 09:11 .

Any ideas of how to debug this?

Thanks!

-mz
Re: [Puppet Users] exec subscribe debugging?
On Fri, Aug 10, 2012 at 9:53 AM, David Schmitt wrote:
> On 10.08.2012 16:19, Matt Zagrabelny wrote:
>>
>> Hi!
>>
>> I've got a simple file and exec resource coupling that does not seem
>> to be working as expected:
>>
>>   file { "/etc/postfix/transport":
>>     source => "puppet:///private/etc/postfix/transport",
>>   }
>>
>>   exec { "rebuild_transport_index_for_mailman":
>>     command     => "postmap /etc/postfix/transport",
>>     path        => "/bin:/sbin:/usr/bin:/usr/sbin",
>>     subscribe   => File["/etc/postfix/transport"],
>>     refreshonly => true,
>>   }
>>
>> The above postmap command should create the file
>> "/etc/postfix/transport.db".
>>
>> I restart puppet on the node and the exec is not run:
>>
>> Aug 10 09:16:11 lists puppet-agent[1099]: Starting Puppet client version
>> 2.6.2
>> Aug 10 09:16:13 lists puppet-agent[1099]:
>> (/Stage[main]/Mailman::Service/Service[mailman]/ensure) ensure changed
>> 'stopped' to 'running'
>> Aug 10 09:16:18 lists puppet-agent[1099]: Finished catalog run in 5.43
>> seconds
>>
>> Of course the "transport.db" does not get created:
>>
>> % ls -alhrt /etc/postfix
>> total 84K
>> drwxr-xr-x  2 root root 4.0K May  4  2011 sasl
>> -rwxr-xr-x  1 root root  24K May  4  2011 post-install
>> -rwxr-xr-x  1 root root 8.6K May  4  2011 postfix-script
>> -rw-r--r--  1 root root  19K May  4  2011 postfix-files
>> -rw-r--r--  1 root root  318 Aug  9 14:57 dynamicmaps.cf
>> drwxr-xr-x 77 root root 4.0K Aug  9 15:35 ..
>> -rw-r--r--  1 root root 1.7K Aug  9 16:26 main.cf
>> -rw-r--r--  1 root root   31 Aug  9 16:52 transport
>> -rw-r--r--  1 root root 4.0K Aug  9 16:52 master.cf
>> drwxr-xr-x  3 root root 4.0K Aug 10 09:11 .
>>
>> Any ideas of how to debug this?

Hi David,

> You already have all the information. "/etc/postfix/transport" didn't
> change, and thus didn't notify the exec, which didn't run.

Thanks for the pointer. I had a disconnect between a resource not
existing (supposing in my head /etc/postfix/transport.db was a file
resource) and the fact that it resulted from an exec resource.

Thanks for helping me see that.

-mz
Re: [Puppet Users] exec subscribe debugging?
On Fri, Aug 10, 2012 at 10:14 AM, Matt Zagrabelny wrote:
> On Fri, Aug 10, 2012 at 9:53 AM, David Schmitt wrote:
>> On 10.08.2012 16:19, Matt Zagrabelny wrote:
>>>
>>> Hi!
>>>
>>> I've got a simple file and exec resource coupling that does not seem
>>> to be working as expected:
>>>
>>>   file { "/etc/postfix/transport":
>>>     source => "puppet:///private/etc/postfix/transport",
>>>   }
>>>
>>>   exec { "rebuild_transport_index_for_mailman":
>>>     command     => "postmap /etc/postfix/transport",
>>>     path        => "/bin:/sbin:/usr/bin:/usr/sbin",
>>>     subscribe   => File["/etc/postfix/transport"],
>>>     refreshonly => true,
>>>   }
>>>
>>> The above postmap command should create the file
>>> "/etc/postfix/transport.db".
>>>
>>> I restart puppet on the node and the exec is not run:
>>>
>>> Aug 10 09:16:11 lists puppet-agent[1099]: Starting Puppet client version
>>> 2.6.2
>>> Aug 10 09:16:13 lists puppet-agent[1099]:
>>> (/Stage[main]/Mailman::Service/Service[mailman]/ensure) ensure changed
>>> 'stopped' to 'running'
>>> Aug 10 09:16:18 lists puppet-agent[1099]: Finished catalog run in 5.43
>>> seconds
>>>
>>> Of course the "transport.db" does not get created:
>>>
>>> % ls -alhrt /etc/postfix
>>> total 84K
>>> drwxr-xr-x  2 root root 4.0K May  4  2011 sasl
>>> -rwxr-xr-x  1 root root  24K May  4  2011 post-install
>>> -rwxr-xr-x  1 root root 8.6K May  4  2011 postfix-script
>>> -rw-r--r--  1 root root  19K May  4  2011 postfix-files
>>> -rw-r--r--  1 root root  318 Aug  9 14:57 dynamicmaps.cf
>>> drwxr-xr-x 77 root root 4.0K Aug  9 15:35 ..
>>> -rw-r--r--  1 root root 1.7K Aug  9 16:26 main.cf
>>> -rw-r--r--  1 root root   31 Aug  9 16:52 transport
>>> -rw-r--r--  1 root root 4.0K Aug  9 16:52 master.cf
>>> drwxr-xr-x  3 root root 4.0K Aug 10 09:11 .
>>>
>>> Any ideas of how to debug this?
>
> Hi David,
>
>> You already have all the information. "/etc/postfix/transport" didn't
>> change, and thus didn't notify the exec, which didn't run.
>
> Thanks for the pointer. I had a disconnect between a resource not
> existing (supposing in my head /etc/postfix/transport.db was a file
> resource) and the fact that it resulted from an exec resource.

A followup to this discussion.

Is there a more optimal way to ensure the file
(/etc/postfix/transport.db) is created by the exec and is subscribed
to the source file?

  file { "/etc/postfix/transport":
    source => "puppet:///private/etc/postfix/transport",
  }

  exec { "build_transport_index_for_mailman_if_it_doesnt_exist":
    command => "postmap /etc/postfix/transport",
    path    => "/bin:/sbin:/usr/bin:/usr/sbin",
    unless  => "test -f /etc/postfix/transport.db",
  }

  exec { "rebuild_transport_index_for_mailman":
    command     => "postmap /etc/postfix/transport",
    path        => "/bin:/sbin:/usr/bin:/usr/sbin",
    subscribe   => File["/etc/postfix/transport"],
    refreshonly => true,
  }

Thanks for any hints.

-mz
Re: [Puppet Users] merging iptables rules with puppet
Perhaps put them in a chain of their own? I am not sure if puppet will
delete chains.

-mz

On Wed, Aug 15, 2012 at 1:48 PM, Geoff Galitz wrote:
>
> I'm still a bit noobish with puppet...
>
> In short what I want to do is merge puppet managed iptables with dynamically
> added rules added by some scripts. We have a basic config setup with a
> template (iptables.erb) and we can add rules to that in manifests. But of
> course puppet will wipe any changes made from the OS. Any advice on how to
> get puppet to respect the dynamically loaded rules?
>
> Thanks.
> -G
>
>
> --
> ---
> Geoff Galitz, ggal...@shutterstock.com
> WebOps
> Shutterstock Images
[Warning: Phish?] Re: [Puppet Users] Can puppet add repositories to nodes?
On Mon, Sep 17, 2012 at 8:55 AM, Joe Topjian wrote:
> Hi Sandra,
>
> The Puppet Apt module should be of some use:
>
> http://puppetlabs.com/blog/module-of-the-week-puppetlabs-apt-pull-apt-strings-with-puppet/

What I've done is use file resources and the following apt locations:

/etc/apt/sources.list.d
/etc/apt/trusted.gpg.d

and an exec resource to "apt-get update" when subscribed to the above files.

Cheers,

-mz

> On Mon, Sep 17, 2012 at 7:51 AM, Sandra Schlichting
> wrote:
>>
>> Hi all,
>>
>> I would like to add two repositories to Ubuntu nodes
>>
>> apt-add-repository "deb http://archive.canonical.com/ $(lsb_release -sc)
>> partner"
>>
>> deb http://dl.google.com/linux/chrome/deb/ stable main
>>
>>
>> and then import the key
>>
>>
>> apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 16126D3A3E5C1192
>>
>>
>> Can this be done in a clever way with puppet?
>>
>>
>> Hugs,
>>
>> Sandra
>
> --
> Joe Topjian
> Systems Administrator
> Cybera Inc.
Re: [Puppet Users] Re: Variables and autoloading
On Mon, Oct 15, 2012 at 9:38 AM, jcbollinger wrote:
>
>
> On Monday, October 15, 2012 9:03:50 AM UTC-5, jcbollinger wrote:
>>
>> [...] parametrized classes still have serious deficiencies in Puppet 3
>> (and worse deficiencies in Puppet 2). Do write them.
>>
>
> I meant do not write them, of course.

John,

Can you suggest an alternative to parameterized classes?

-mz
Re: [Puppet Users] Change Tab behavior in 3.0+
On Mon, Oct 15, 2012 at 10:57 AM, Tom Swartz wrote:
> Hey all,
>
> I have a question regarding the choice to move to spaces (rather than tabs)
> in the editor.
>
> May I ask the reasoning behind this?

Tabs render to a different number of spaces depending on the program or user preference. There are a truckload of reasons to not use them.

http://www.yaml.org/faq.html
http://flylib.com/books/en/2.146.1.26/1/

-mz
[Puppet Users] set File defaults inside node?
Greetings,

I have the global file defaults set up:

site.pp

File {
  owner => "root",
  group => "root",
  mode  => 0644,
}

In general this works well. I do have a node with numerous file resources that do not conform to the above defaults.

Is there an elegant way to say something like:

server.pp

node server {
  file { "/some/file/with/above/defaults-01.txt": source => ... }
  file { "/some/file/with/above/defaults-02.txt": source => ... }
  .
  .
  .
  file { "/some/file/with/above/defaults-N.txt": source => ... }

  # CHANGE SCOPE
  {
    File {
      owner => "gitolite",
      group => "gitolite",
      mode  => 0640,
    }
    file { "/gitolite/file-01.txt": source => ... }
    file { "/gitolite/file-02.txt": source => ... }
    file { "/gitolite/file-N.txt": source => ... }
  }
  # END OF SCOPE CHANGE
}

Thanks for the help!

-mz
Re: [Puppet Users] Defining dynamic cron jobs
On Mon, Nov 5, 2012 at 4:23 AM, Alexander Holte-Davidsen wrote:
> Hi all,
>
> I have an application that I schedule via cron. This is an application that
> runs once a week, either on Tuesday or Thursday. The scheduling is now done
> via Puppet.
>
> I now see that I need to redefine this, on some nodes the application should
> for example only run the 3. Tuesday each month, not each Tuesday.
> I want to do the scheduling using puppet and parameterized classes. For
> example I want to be able to define:
>
> foo {'Tuesday':
>   week   => '3',
>   hour   => '18',
>   minute => '00',
> }
>
> This should generate a cron job ( that changes every month). For November it
> should look like this:
> 00 18 20 11 * /usr/bin/foo
>
> Next month the crontab entry should be changed to:
> 00 18 18 20 * /usr/bin/foo

Hmmm. Should that be:

00 18 18 12 *

? 20 is an invalid month.

> Has anyone done anything similar and are willing to give me some input on
> how to solve this?

Instead of using the wildcard ('*') month, could you (simply) specify the months?

0 18 20 1 *
0 18 18 2 *
0 18 20 3 *
0 18 18 4 *
0 18 20 5 *
0 18 18 6 *
0 18 20 7 *
0 18 18 8 *
0 18 20 9 *
0 18 18 10 *
0 18 20 11 *
0 18 18 12 *

-mz
Re: [Puppet Users] How do you manage SSL/TLS certificates and private keys?
On Tue, Nov 6, 2012 at 7:29 AM, Vaidas Jablonskis wrote:
> Hi People,
>
> I would like some insight from you on how to easily manage SSL certs/keys.
>
> My puppet infrastructure is pretty straight forward:
> puppet3+puppetdb+hiera+hiera-gpg.
>
> I am in the process of writing tons of modules, which are pretty general
> modules with no hardcoded dependencies between them. As I am going forward
> with building modules and stuff I came across an issue how to manage SSL
> certs.
>
> Let me give you an example scenario:
> I have a node named "node.example.com" which gets some apps configured by
> puppet by 3 different modules, let's call them app1, app2 and app3. Those
> application require SSL certificates to function properly. The CN of the
> cert needs to reflect the hostname of the node.
>
> What options do I have here? From my opinion I could:
>
> 1. Use hiera text blocks and store certs/keys in hiera/hiera-gpg in a
> variable something like: "ssl_cert_node.example.com" and
> "ssl_key_node.example.com" and then reference this variable inside a module
> using variables so nothing is hardcoded.
> 2. Build an SSL module which would distribute certs/keys taken from
> hiera/hiera-gpg.
>
> Any other ideas? I do not want to use module dependencies and I hate
> hardcoding stuff into modules.

I use the "private" area in the puppet file server.

$ cat /etc/puppet/fileserver.conf
[private]
  path /etc/puppet/private/%h
  allow *

For example:

file { "/etc/ssh/ssh_host_dsa_key":
  mode    => 0600,
  source  => "puppet:///private/etc/ssh/ssh_host_dsa_key",
  require => Class["ssh::install"],
  notify  => Service["ssh"],
}

-mz
Re: [Puppet Users] Managing ssh server's keys?
On Mon, Nov 26, 2012 at 1:47 PM, Jakov Sosic wrote:
> Hi.
>
> I'm wondering is there a way to manage ssh servers, in a way that every
> machine has its own key?

I've used the "private" file server mechanism to serve out node sensitive files.

The following snippet shows this:

class ssh::config($sshd_config_source = "puppet:///modules/ssh/etc/ssh/sshd_config") {
  file { "/etc/ssh/sshd_config":
    source  => $sshd_config_source,
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }
  file { "/etc/pam.d/sshd":
    source  => "puppet:///modules/ssh/etc/pam.d/sshd",
    require => [
      Class["ssh::install"],
      Class["libpam_radius_auth"]
    ],
  }
  file { "/etc/ssh/ssh_host_dsa_key":
    mode    => 0600,
    source  => "puppet:///private/etc/ssh/ssh_host_dsa_key",
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }
  file { "/etc/ssh/ssh_host_dsa_key.pub":
    source  => "puppet:///private/etc/ssh/ssh_host_dsa_key.pub",
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }
  file { "/etc/ssh/ssh_host_rsa_key":
    mode    => 0600,
    source  => "puppet:///private/etc/ssh/ssh_host_rsa_key",
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }
  file { "/etc/ssh/ssh_host_rsa_key.pub":
    source  => "puppet:///private/etc/ssh/ssh_host_rsa_key.pub",
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }
}

-mz
Re: [Puppet Users] Managing ssh server's keys?
On Mon, Nov 26, 2012 at 4:05 PM, Jakov Sosic wrote:
> On 11/26/2012 08:54 PM, Matt Zagrabelny wrote:
>
>> file { "/etc/ssh/ssh_host_rsa_key.pub":
>>   source => "puppet:///private/etc/ssh/ssh_host_rsa_key.pub",
>
> I didn't know about this one, do I need any special configuration of the
> puppetmaster for this to work, or is this a builtin?

Hi Jakov,

Here is my fileserver.conf:

root@puppet:/etc/puppet# cat /etc/puppet/fileserver.conf
# This file consists of arbitrarily named sections/modules
# defining where files are served from and to whom

# Define a section 'files'
# Adapt the allow/deny settings to your needs. Order
# for allow/deny does not matter, allow always takes precedence
# over deny
[files]
  path /etc/puppet/files
#  allow *.example.com
#  deny *.evil.example.com
#  allow 192.168.0.0/24

[plugins]
#  allow *.example.com
#  deny *.evil.example.com
#  allow 192.168.0.0/24

[private]
  path /etc/puppet/private/%h
  allow *

You would then put stuff at:

/etc/puppet/private/node-01/etc/ssh/ssh_host_rsa_key
.
.
etc.

When node-01 connects to your puppetmaster, it can only "see" its private file space.

-mz
Re: [Puppet Users] Managing ssh server's keys?
On Wed, Nov 28, 2012 at 1:50 PM, Jakov Sosic wrote:
> On 11/26/2012 08:54 PM, Matt Zagrabelny wrote:
>> On Mon, Nov 26, 2012 at 1:47 PM, Jakov Sosic wrote:
>>> Hi.
>>>
>>> I'm wondering is there a way to manage ssh servers, in a way that every
>>> machine has its own key?
>>
>> I've used the "private" file server mechanism to serve out node sensitive
>> files.
>
> Thank you for the idea. Now only problem that is left is how to call a
> script to generate keys if files are not accessible in private section :-/
>
> I know one can do something like this:
>
> file { '/etc/ssh/ssh_host_rsa_key.pub':
>   ensure  => file,
>   mode    => 0644,
>   source  => [
>     'puppet:///private/etc/ssh/ssh_host_rsa_key.pub',
>     'puppet:///modules/sshd/ssh_host_rsa_key.pub',
>   ],
>   require => Package['openssh-server'],
>   notify  => Service['sshd'],
> }
>
> and put some blank default files in there, but I would much prefer to
> build the keys if they are not there, and I presume I need some puppet
> magic here :-/
>
> Any ideas?

Part of our server bootstrapping process is to copy over the ssh keys to the puppetmaster after puppet has installed openssh-server.

As far as generating the keys, that should be pretty straightforward using ssh-keygen.

-mz
Re: [Puppet Users] Managing ssh server's keys?
On Wed, Nov 28, 2012 at 2:14 PM, Jakov Sosic wrote:
> On 11/28/2012 09:10 PM, Matt Zagrabelny wrote:
>
>> Part of our server bootstrapping process is to copy over the ssh keys
>> to the puppetmaster after puppet has installed openssh-server.
>
> So how do you do that with puppet? Or you use cobbler/FAI or that kind
> of tool for that particular task?

Copy+paste. Not all of our processes are automated...yet.

>> As far as generating the keys, that should be pretty straightforward
>> using ssh-keygen.
>
> I know that but I want to generate it only if keys are not in folder...

Whatever is generating your node manifest (on the master) could also perform either:

1) scp ssh keys from the node to master

or

2) run ssh-keygen on master

Unless you are using the "default" node, this should work.

-mz
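Option 2 from the two messages above (run ssh-keygen on the master, but only when the keys are not already in the node's folder) can be scripted as follows. This is an added example, not code from the thread; the function name, the SSH_KEYGEN override and the default key type are assumptions, and the directory layout follows the [private] mount "path /etc/puppet/private/%h" shown earlier.

```shell
#!/bin/sh
# Added example (not from the thread): pre-generate SSH host keys on the
# puppetmaster, one directory per node, matching the [private] mount
#   path /etc/puppet/private/%h
# Assumption: run this as the account the puppetmaster runs as, otherwise the
# master cannot read the mode-0600 private keys it has to serve.

# Hypothetical override so another ssh-keygen binary can be substituted.
SSH_KEYGEN="${SSH_KEYGEN:-ssh-keygen}"

# ensure_host_keys PRIVATE_ROOT NODE [TYPE...]
# Creates PRIVATE_ROOT/NODE/etc/ssh/ssh_host_TYPE_key and its .pub only when
# the pair is missing. Prints "created <path>" or "kept <path>" per key type.
# TYPE defaults to rsa; DSA (used in the thread) is no longer enabled by
# default in current OpenSSH releases, so pass it explicitly if still needed.
ensure_host_keys() {
    root=$1
    node=$2
    shift 2
    [ "$#" -gt 0 ] || set -- rsa

    # %h turns the node name into a path component, so accept plain
    # hostnames only: no slash, no leading dot, no "..".
    case $node in
        ''|.*|*..*|*[!A-Za-z0-9.-]*)
            echo "refusing node name: $node" >&2
            return 2 ;;
    esac

    dir=$root/$node/etc/ssh
    old_umask=$(umask)
    umask 077        # nothing created below is group or world accessible
    mkdir -p "$dir" || { umask "$old_umask"; return 1; }

    rc=0
    for type in "$@"; do
        key=$dir/ssh_host_${type}_key
        if [ -s "$key" ] && [ -s "$key.pub" ]; then
            echo "kept $key"          # never overwrite an existing identity
            continue
        fi
        rm -f "$key" "$key.pub"       # incomplete pair: regenerate both halves
        if "$SSH_KEYGEN" -q -t "$type" -N '' -C "root@$node" -f "$key"; then
            chmod 600 "$key" && chmod 644 "$key.pub"
            echo "created $key"
        else
            echo "key generation failed for $node ($type)" >&2
            rc=1
        fi
    done

    umask "$old_umask"
    return "$rc"
}

# Usage on the master, before the node's first run:
#   ensure_host_keys /etc/puppet/private node-01 rsa
```

Because an existing key pair is always kept, the script can be re-run for every node on each bootstrap without changing the identity of a host that is being rebuilt.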
Re: [Puppet Users] Exec command timeout
Note: I didn't follow this thread from the beginning, so this comment might be out of place.

On Thu, Jan 3, 2013 at 8:59 AM, Anthony BRODARD wrote:
> Hi list,
>
> I've written this module to deploy the public key of our debian repository :
>
>> file
>> {
>>   "/etc/apt/repos-public.key":
>>     ensure => present,
>>     mode   => 440,
>>     owner  => root,
>>     group  => root,
>>     source => "puppet://puppet/apt/repos-public.key",
>>     notify => Exec[install-key];
>> }
>> exec
>> {
>>   "install-key":
>>     command => "/usr/bin/apt-key add /etc/apt/repos-public.key && /usr/bin/apt-get update",
>>     unless  => "/usr/bin/apt-key list | /bin/grep 'Private Repos'",
>> }
>
> So, it works fine, the key is correctly installed on all the nodes, but,
> randomly, during the compilation, the command isn't executed and lock the
> system during the timeout period (300s). It appear on all puppet compilation
> of the node, and the only way to resolve it is to reboot. This issue affect
> the nodes randomly, with an average of 1/month.
>
> I've launched a manual compilation on a node actually impacted, with debug
> option, and I only have this error :
>
>> debug: /Stage[main]/Apt/Exec[install-key]: Executing check '/usr/bin/apt-key list | /bin/grep 'Private Repos''
>> debug: Executing '/usr/bin/apt-key list | /bin/grep 'Private Repos''
>> err: /Stage[main]/Apt/Exec[install-key]/unless: Check "/usr/bin/apt-key list | /bin/grep 'Private Repos'" exceeded timeout
>
> If I try to exec the apt-key list command, it will work correctly :
>
>> [toad2]~ # time /usr/bin/apt-key list | /bin/grep 'Private Repos'
>> uid Private Repos (priv)
>>
>> real 0.023 user 0.000 sys 0.000 pcpu 0.00
>
> I don't see any error in the system log files.
> Have you any idea about this issue ?
>
> For information, puppetmaster and the clients runs on Debian Squeeze. Puppet
> version is 2.6.2 .

For our Squeeze installs, I perform the following:

class apt::config {
  file { "/etc/apt/sources.list.d/umd.list":
    source => "puppet:///modules/apt/etc/apt/sources.list.d/umd.list",
  }
  file { "/etc/apt/trusted.gpg.d/umd.gpg":
    source => "puppet:///modules/apt/etc/apt/trusted.gpg.d/umd.gpg",
  }
  exec { "update_apt_for_new_sources":
    command     => "apt-get -q=2 update",
    refreshonly => true,
    subscribe   => [
      File["/etc/apt/sources.list.d/umd.list"],
      File["/etc/apt/trusted.gpg.d/umd.gpg"],
    ],
  }
}

Perhaps that will help.

-mz
[Puppet Users] include statement not being "seen"
Greetings,

I am getting a perplexing message on a client:

Mar 8 11:49:06 matlab puppet-agent[2028]: Could not run Puppet configuration client: Could not find dependency Class[Matlab] for File[/usr/local/MATLAB/R2012a/etc/license.dat] at /etc/puppet/manifests/debian/matlab.pp:24

In my node manifest I have the "include matlab" line:

root@neptune:/etc/puppet/modules# cat /etc/puppet/manifests/debian/matlab.pp
node matlab {
  include base
  include nfs_systeam_client
  include libnss_db
  include set_root_environment
  include postfix

  include sun_java6
  include matlab

  # This package is needed so that certain executables will work.
  # Such as: /usr/local/MATLAB/R2012a/etc/glnxa64/lmhostid
  package { "lsb": ensure => present, }

  file { "/usr/tmp":
    owner  => "daemon",
    ensure => directory,
    mode   => 0755,
  }
  file { "/usr/local/MATLAB/R2012a/etc/license.dat":
    source  => "puppet:///private/usr/local/MATLAB/R2012a/etc/license.dat",
    require => Class["matlab"],
    notify  => Service["matlab"],
  }
  file { "/etc/fw-skel/start.d/700-allow-matlab-flex-lm":
    source  => "puppet:///private/etc/fw-skel/start.d/700-allow-matlab-flex-lm",
    require => Class["fw_skel::install"],
    notify  => Service["fw-skel"],
  }

}

And my module seems simple enough:

root@neptune:/etc/puppet/modules# cat /etc/puppet/modules/matlab/manifests/init.pp
# Install the proprietary software outside of puppet.
class matlab::install {
  file { "/etc/init.d/matlab":
    mode   => 0755,
    source => "puppet:///modules/matlab/etc/init.d/matlab",
  }
  exec { "install_matlab_service":
    command => "insserv matlab",
    unless  => "grep --quiet matlab /etc/init.d/.depend.*",
    require => File["/etc/init.d/matlab"],
  }
}

class matlab::service {
  service { "matlab":
    ensure     => running,
    enable     => true,
    hasrestart => true,
    # This is needed because we are "ensuring that matlab is 'running'".
    # I believe that this version of puppet (currently 2.6) greps the ps
    # table for the service name, but the actual matlab binary is the
    # following.
    # TODO check to see if the following pattern line is needed for puppet
    # 2.7.
    pattern    => "/var/tmp/lm_TMW.ld",
    require    => Class["matlab::install"],
  }
}

class matlab {
  include matlab::install
  include matlab::service
}

Is there something I am missing?

I am running:

Debian Testing for puppetmaster: 2.7.18-2
Debian Stable for puppet: 2.6.2-5+squeeze6

Thanks for any help!

-mz
Re: [Puppet Users] include statement not being "seen"
Thanks guys for clue-ing me in.

-mz

On Fri, Mar 8, 2013 at 1:23 PM, llowder wrote:
>
> On Friday, March 8, 2013 12:42:21 PM UTC-6, Stefan Goethals wrote:
>>
>> I think you might have a conflict problem between the node and class name
>> as they are both the same
>
> It's #1372. http://projects.puppetlabs.com/issues/1372
>
> It's a nasty one, and a few ideas are being discussed to fix it, but it'll
> likely be 3.2 or 3.3, and possibly 4.x before it can be addressed.
>
>> Stefan - Zipkid - Goethals
>>
>> On Fri, Mar 8, 2013 at 6:54 PM, Matt Zagrabelny wrote:
>>>
>>> Greetings,
>>>
>>> I am getting a perplexing message on a client:
>>>
>>> Mar 8 11:49:06 matlab puppet-agent[2028]: Could not run Puppet configuration client: Could not find dependency Class[Matlab] for File[/usr/local/MATLAB/R2012a/etc/license.dat] at /etc/puppet/manifests/debian/matlab.pp:24
>>>
>>> In my node manifest I have the "include matlab" line:
>>>
>>> root@neptune:/etc/puppet/modules# cat /etc/puppet/manifests/debian/matlab.pp
>>> node matlab {
>>>   include base
>>>   include nfs_systeam_client
>>>   include libnss_db
>>>   include set_root_environment
>>>   include postfix
>>>
>>>   include sun_java6
>>>   include matlab
>>>
>>>   # This package is needed so that certain executables will work.
>>>   # Such as: /usr/local/MATLAB/R2012a/etc/glnxa64/lmhostid
>>>   package { "lsb": ensure => present, }
>>>
>>>   file { "/usr/tmp":
>>>     owner  => "daemon",
>>>     ensure => directory,
>>>     mode   => 0755,
>>>   }
>>>   file { "/usr/local/MATLAB/R2012a/etc/license.dat":
>>>     source  => "puppet:///private/usr/local/MATLAB/R2012a/etc/license.dat",
>>>     require => Class["matlab"],
>>>     notify  => Service["matlab"],
>>>   }
>>>   file { "/etc/fw-skel/start.d/700-allow-matlab-flex-lm":
>>>     source  => "puppet:///private/etc/fw-skel/start.d/700-allow-matlab-flex-lm",
>>>     require => Class["fw_skel::install"],
>>>     notify  => Service["fw-skel"],
>>>   }
>>>
>>> }
>>>
>>> And my module seems simple enough:
>>>
>>> root@neptune:/etc/puppet/modules# cat /etc/puppet/modules/matlab/manifests/init.pp
>>> # Install the proprietary software outside of puppet.
>>> class matlab::install {
>>>   file { "/etc/init.d/matlab":
>>>     mode   => 0755,
>>>     source => "puppet:///modules/matlab/etc/init.d/matlab",
>>>   }
>>>   exec { "install_matlab_service":
>>>     command => "insserv matlab",
>>>     unless  => "grep --quiet matlab /etc/init.d/.depend.*",
>>>     require => File["/etc/init.d/matlab"],
>>>   }
>>> }
>>>
>>> class matlab::service {
>>>   service { "matlab":
>>>     ensure     => running,
>>>     enable     => true,
>>>     hasrestart => true,
>>>     # This is needed because we are "ensuring that matlab is 'running'".
>>>     # I believe that this version of puppet (currently 2.6) greps the ps
>>>     # table for the service name, but the actual matlab binary is the
>>>     # following.
>>>     # TODO check to see if the following pattern line is needed for puppet
>>>     # 2.7.
>>>     pattern    => "/var/tmp/lm_TMW.ld",
>>>     require    => Class["matlab::install"],
>>>   }
>>> }
>>>
>>> class matlab {
>>>   include matlab::install
>>>   include matlab::service
>>> }
>>>
>>> Is there something I am missing?
>>>
>>> I am running:
>>>
>>> Debian Testing for puppetmaster: 2.7.18-2
>>> Debian Stable for puppet: 2.6.2-5+squeeze6
>>>
>>> Thanks for any help!
>>>
>>> -mz
Re: [Puppet Users] include statement not being "seen"
On Sun, Mar 10, 2013 at 6:30 PM, Jakov Sosic wrote:
> On 03/08/2013 06:54 PM, Matt Zagrabelny wrote:
>>
>> Greetings,
>>
>> I am getting a perplexing message on a client:
>>
>> Mar 8 11:49:06 matlab puppet-agent[2028]: Could not run Puppet configuration client: Could not find dependency Class[Matlab] for File[/usr/local/MATLAB/R2012a/etc/license.dat] at /etc/puppet/manifests/debian/matlab.pp:24
>>
>> In my node manifest I have the "include matlab" line:
>>
>> root@neptune:/etc/puppet/modules# cat /etc/puppet/manifests/debian/matlab.pp
>> node matlab {
>>   include matlab
>> }
>
> Try include ::matlab

Thanks, Jakov. I've already renamed the class to matlab_software. Lame. I know.

I'll keep your suggestion in mind for future scenarios.

Thanks!

-mz
Re: [Puppet Users] What is ActiveMQ Broker?
On Wed, Mar 13, 2013 at 12:47 AM, wrote:
> Can anybody tell me what exactly ActiveMQ does? Is it a storage of messages
> produced by producer and ready to consume by consumer? M i understanding it
> correctly or not? Please tell me?

http://docs.puppetlabs.com/mcollective/screencasts.html#message_flow

-mz
Re: [Puppet Users] Experiences migrating from SCCM to Puppet
On Mon, Apr 15, 2013 at 3:31 AM, Francisco Martinez wrote:
> Hello,
>
> I would like to know if there are any resources (success stories,
> comparisons, blogs...) regarding the use of puppet as a substitute to SCCM
> in Windows platforms. Would also love to hear success stories from Windows
> administrators using puppet. I'm somewhat skilled with puppet but not with
> SCCM, so I don't even know if the scope of the products is really similar.

+1

-mz
[Puppet Users] module namespace?
Greetings,

When writing modules are people namespacing them to avoid collisions with puppetlabs' modules?

I wrote some (very simple) modules:

mysql
postgresql

that now have namespace conflicts when I am trying to install the puppetlabs modules of the same name.

Is there a best practice or style guide that people follow when namespacing their in-house modules?

For instance:

site::umn::duluth::postgresql

??

Thanks for any hints or feedback!

-mz
Re: [Puppet Users] mco puppet status returns twice the same node
On Tue, Oct 1, 2013 at 1:56 AM, wrote:
> Hi everyone
>
> I'm having a strange behavior. The mco puppet status and count commands
> return that 3 agents are known, but 2 are the same node (epd9023).
>
> When trying to disable/enable the epd9023, then only 1 is detected...
>
> Has someone any idea? Thanx in advance

I believe that mcollective is running twice on that node.

-mz
[Puppet Users] puppet dashboard with \n\n\n
Greetings,

I've setup puppet dashboard 1.2.23 along with puppetmaster 2.7.18.

I am seeing many \n strings all over the place when looking at reports. Specifically the \n's are in the Metrics, Log, Events links.

My nodes are showing up okay, and it seems just to be a problem with the reports. For instance, a Metrics page starts with:

\n
\n
Metrics
\n
\n
Events

\n\n\n\n\n\n\n\n\n

Any advice on where to dig? /usr/share/puppet-dashboard/log/* does not yield any hints.

Thanks!

-mz
Re: [Puppet Users] puppet dashboard with \n\n\n
On Thu, Oct 3, 2013 at 5:45 PM, Juan Sierra Pons wrote:
>
> On 03/10/2013 14:00, "Matt Zagrabelny" wrote:
>>
>> Greetings,
>>
>> I've setup puppet dashboard 1.2.23 along with puppetmaster 2.7.18.
>>
>> I am seeing many \n strings all over the place when looking at
>> reports. Specifically the \n's are in the Metrics, Log, Events links.
>>
>> My nodes are showing up okay, and it seems just to be a problem with
>> the reports. For instance, a Metrics page starts with:
>>
>> \n
>> \n
>> Metrics
>> \n
>> \n
>> Events
>>
>> \n\n\n\n\n\n\n\n\n
>>
>> Any advice on where to dig? /usr/share/puppet-dashboard/log/* does not
>> yield any hints.
>>
>> Thanks!
>>
>> -mz
>
> Hi
>
> I had the same problem and the problem was in the ruby version
>
> Which one are you using?

realpath =ruby
/usr/bin/ruby1.9.1

> Check the dashboard webpage to find out which one is the right one.

Looks like 1.8 is what is needed.

Looks like that worked!

Thanks!

-mz
Re: [Puppet Users] MySql: allow user root to access from any host
On Sat, Dec 14, 2013 at 7:04 AM, Felix Gläske wrote:
> Hey,
> I'm doing my first steps with puppet right now and I'm trying to set up a
> dev machine.
> For this I'm installing MySql and want to do some initial set up.
> The server is up and running and also my database is created.
> Now I want to allow the user root to login from any host because I want to
> connect with a tool to my database.
>
> I've tried this:
>
> mysql_grant { 'root@%/*.*':
>   table      => '*.*',
>   privileges => ['ALL'],
>   user       => 'root@%'
> }
>
> and modified in a dozen ways but it will just not work.
> I hope you can help me.
>
> How do I grant the user root access from any host!?

Sorry for the lame reply of RTFM - it's what I've done in the past. Both the MySQL and PostgreSQL puppet modules are pretty readable and you can divine how their puppet resource parameters map to SQL statements.

HTH,

-mz
Re: [Puppet Users] puppet run interval
Jose,

Would you please be willing to include some context into your replies?

Thanks,

-mz

On Tue, Jan 28, 2014 at 11:46 AM, Jose Luis Ledesma wrote:
> It is the default behavior, so if you did not specify otherwise it will run
> every 30 minutes.
>
> Regards,
Re: [Puppet Users] puppet run interval
Hi Andy,

On Wed, Jan 29, 2014 at 5:07 AM, Andy Spiegl wrote:
>> Would you please be willing to include some context into your replies?
>
> Would YOU please NOT use fullquotes into your replies?

Yes, I will. However, my earlier email wasn't a "reply" in the traditional sense. It was a question to José and the content of his message was pertinent.

Thanks,

-mz
Re: [Puppet Users] puppet kick
On Mon, Feb 17, 2014 at 11:00 AM, kavya reddy wrote:
> Hi all,
> I just started working with puppet. I want a simple push mechanism from
> puppet master on to agent. I tried using "puppet kick" though its running and
> displaying message "successfully exited" the changes are not being reflected
> on agent.
> I got to know puppet kick got deprecated in version 3.0 and later.
> I am using 2.7 version
> can anyone tell me whats wrong.
> Thanks in advance :)

Hi Kavya,

Are your nodes listening?

node$ cat /etc/puppet/puppet.conf
[...]
[agent]
listen = true
[...]

Firewall allowing that port?

node# lsof -i -n -P | grep 8139
puppet 2582 root 5u IPv4 7214 0t0 TCP *:8139 (LISTEN)

node# iptables -L -v -n | grep 8139
2 120 ACCEPT tcp -- * * 10.1.1.1 0.0.0.0/0 tcp dpt:8139

-mz
Re: [Puppet Users] what the mx mean in case
On Sun, Mar 9, 2014 at 5:58 PM, Teoh khah swee wrote:
> HI all,
>
> I just come across an case statement for puppet. I would like to know what
> the means of the mx for below sample code?
>
> case $::operatingsystem {
>    /(?-mx:AIX)/ :{

From: http://perldoc.perl.org/perlre.html

(?adlupimsx-imsx)
(?^alupimsx)

One or more embedded pattern-match modifiers, to be turned on (or turned off, if preceded by - ) for the remainder of the pattern or the remainder of the enclosing pattern group (if any).

(?adluimsx-imsx:pattern)

m: Treat string as multiple lines. That is, change "^" and "$" from matching the start or end of line only at the left and right ends of the string to matching them anywhere within the string.

x: Extend your pattern's legibility by permitting whitespace and comments.

I would then say that puppet is looking for AIX without capturing it and has turned off the m and x options for this pattern match.

-mz
Re: [Puppet Users] Enable puppet agent by default
Hi!

On Tue, Apr 29, 2014 at 9:13 AM, Marc wrote:
> Hello
>
> I am trying puppet 3.5.1 on a Debian Jessie.
>
> How can I enable Puppet by default on new installations ?

It looks like it is.

> I need to do that, for Debian deployment. I use Debian FAI to install Debian
> on my workstations. After the deployment, Puppet is launched. I just have to
> sign them on Puppet Master in order to launch the post install with puppet
> (AD integration, CUPS configuration...).
>
> So now, I can't do that because the /etc/default/puppet file is not read by
> the system.

I don't think there is any need to read /etc/default/puppet on Debian Jessie. The Jessie puppet package does not install /etc/default/puppet and the init script doesn't make use of anything in the file either - though it does make an attempt to read it:

[ -r /etc/default/puppet ] && . /etc/default/puppet

> The only solution I see, is to add a cron task @reboot. Am I wrong ?

I don't follow what you want to have done. What exactly would you put in the cron task?

-mz
[Puppet Users] list all resources of given type
Greetings,

I've done some grepping of the puppet-users list and cannot find a definitive answer.

I am running a puppet 2.6/2.7 environment. Is there a way to query the master to get a list of agents/clients that have (in their computed catalog) a certain resource (cron for instance) ?

It looks like this can be achieved with PuppetDB, but that is a long way off for our installation.

Thanks for any hints!

-mz
[Puppet Users] service config file validation?
What is the community's opinion/experience with performing some sort of validation check before puppet drives out a config and restarts a service?

I'm thinking of things like ISC DHCP where you can test the correctness of a config:

dhcpd -t -q -cf /etc/dhcp/dhcpd.conf && cp /some/staging/area/dhcpd.conf /etc/dhcp/dhcpd.conf

Thanks for any hints!

-mz
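One way to arrange the check asked about in this post, added here as an illustration and not code from the thread: the staged copy is validated and then moved into place atomically, so a rejected config never reaches the live path and the service is restarted only on success. The function name, the "%" placeholder and the stand-in validator are assumptions of this example; with ISC DHCP the command list would be ["dhcpd", "-t", "-q", "-cf", "%"].

```python
import os
import shutil
import subprocess
import sys
import tempfile


def install_if_valid(staged, live, validate_cmd):
    """Install `staged` over `live` only if `validate_cmd` accepts it.

    `validate_cmd` is an argv list; each "%" element is replaced by the path
    of the candidate file (a convention of this example).
    Returns True if the live file was replaced, False if it was left alone.
    """
    live_dir = os.path.dirname(os.path.abspath(live))
    # The candidate is written next to the live file so the final rename
    # stays on one filesystem and is atomic.
    fd, candidate = tempfile.mkstemp(dir=live_dir, prefix=".candidate-")
    try:
        with os.fdopen(fd, "wb") as out, open(staged, "rb") as src:
            shutil.copyfileobj(src, out)
        if os.path.exists(live):
            shutil.copymode(live, candidate)  # keep the live file's mode
        argv = [candidate if arg == "%" else arg for arg in validate_cmd]
        # argv list, no shell: the path is never parsed as shell syntax.
        result = subprocess.run(argv, stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL)
        if result.returncode != 0:
            return False  # live file untouched; caller must not restart
        os.replace(candidate, live)
        candidate = None
        return True
    finally:
        if candidate is not None:
            os.unlink(candidate)  # never leave a rejected candidate behind


# Constructed stand-in for "dhcpd -t -q -cf %": accepts a file only if it
# contains the word "subnet", so the example runs without dhcpd installed.
FAKE_CHECK = [
    sys.executable, "-c",
    "import sys; sys.exit(0 if 'subnet' in open(sys.argv[1]).read() else 1)",
    "%",
]


def demo():
    """Run one rejected and one accepted update against constructed files."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "dhcpd.conf")
        good = os.path.join(tmp, "staged-good.conf")
        bad = os.path.join(tmp, "staged-bad.conf")
        samples = {
            live: "subnet 10.1.1.0 netmask 255.255.255.0 {}\n",
            good: "subnet 10.1.2.0 netmask 255.255.255.0 {}\n",
            bad: "sub net 10.1.3.0 {\n",  # constructed broken config
        }
        for path, text in samples.items():
            with open(path, "w") as handle:
                handle.write(text)

        bad_installed = install_if_valid(bad, live, FAKE_CHECK)
        with open(live) as handle:
            live_kept = handle.read() == samples[live]
        good_installed = install_if_valid(good, live, FAKE_CHECK)
        with open(live) as handle:
            live_updated = handle.read() == samples[good]
        leftovers = [n for n in os.listdir(tmp) if n.startswith(".candidate-")]
        return {
            "bad_installed": bad_installed,
            "live_kept": live_kept,
            "good_installed": good_installed,
            "live_updated": live_updated,
            "leftovers": leftovers,
        }


if __name__ == "__main__":
    print(demo())
```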
Re: [Puppet Users] Best Practice - replacing /etc/passwd and +@netgroups
On Sun, Jul 13, 2014 at 3:01 PM, Betsy Schwartz wrote:
> Is this, indeed, a Solved Problem? What is everyone else doing?
> thanks
> Betsy

Disclaimer: I am not doing this. Yet.

Have you looked at FreeIPA?

-mz
Re: [Puppet Users] Best Practice - replacing /etc/passwd and +@netgroups
> On Wed, Jul 16, 2014 at 10:24:26AM -0400, Betsy Schwartz wrote:
>>I'm still sort of boggled that nobody seems to be using puppet for
>>/etc/passwd. That always seemed to us to be the *first* thing we'd want to
>>get under centralized control.

We use nsswitch.

% man nsswitch.conf

% aptitude -F '%p' search '^libnss-'
libnss-cache
libnss-db
libnss-extrausers
libnss-gw-name
libnss-ldap
libnss-ldapd
libnss-lwres
libnss-mdns
libnss-myhostname
libnss-mysql
libnss-mysql-bg
libnss-pgsql1
libnss-pgsql2
libnss-rainbow2
libnss-sss
libnss-winbind
libnss-wrapper

-mz
Re: [Puppet Users] HA puppetmaster in AWS
On Fri, Jul 18, 2014 at 1:37 AM, Dejan Golja wrote:
> We tried with yas3fs, but we abandoned that solution because was just not
> reliable enough. Also we considered GlusterFS, but again on some other
> projects the experience wasn't great.
>
> So my question is how you guys manage that ?

DRBD?

-mz
Re: [Puppet Users] Announce: Puppet Server 0.2.0
On Tue, Sep 23, 2014 at 2:03 PM, Gabriel Filion wrote:
> On 23/09/14 12:11 PM, Nate Wolfe wrote:
>> We are thrilled to announce the preview release of Puppet Server, our
>> newest open source project.
>> Puppet Server is a next-generation alternative to our current Puppet
>> master, which builds on the
>> successful Clojure technology stack underlying projects like PuppetDB.
>
> so... is it the long term goal to phase out the ruby-based puppet master
> when the clojure-based one is mature enough?

Hopefully someone closer to the situation (and with more authority) will respond, but "yes" that is what I was told at a Puppet training in March.

-m
Re: [Puppet Users] Re: Sidedoor - Puppet Module
Hi!

On Thu, Jun 2, 2016 at 9:24 AM, Warron French wrote:
> Is there a limit to the number of questions that I can post to Google Groups
> or this list... in a single day?

Nope. :)

-m
Re: [Puppet Users] Trigger apt-get update if packages are to be installed
On Mon, Jun 6, 2016 at 9:46 AM, Simon Weald wrote:
> Hi everyone
>
> I've got a little bit of an issue which I'm currently fighting with. At the
> moment, we pass an array of packages to be installed to the package
> resource, however I need to call an apt-get update prior to the package
> installation (in case we add a new repo etc). My snippet below should
> probably give you a good idea of what I want to achieve:
>
> $installpackages = hiera_array('installed-packages')
>
> exec { "apt-update":
>   command => "/usr/bin/apt-get update",
>   refreshonly => true,
> }
>
> package { $installpackages:
>   ensure => 'present',
>   require => Exec['apt-update'],
> }
>
> Obviously my goal is to have the update only run if any packages are
> actually going to be installed - I can't use empty() against the array as it
> will always contain content.
>
> Can anyone suggest how I can achieve this?

We're using the puppetlabs apt resource and a line like:

Apt::Source <| |> -> Package <| |>

to ensure that any Apt::Source is processed before any package installation.

I know this doesn't quite do the updating - we do that daily via cron, but it does demonstrate the global dependency ordering of sources and packages.

Hope that helps!

-m
Re: [Puppet Users] Re: most idiomatic way to set resource defaults
On Tue, Jul 12, 2016 at 3:28 PM, Matthew Pounsett wrote:
>
> On Monday, 11 July 2016 10:31:45 UTC-4, R.I. Pienaar wrote:
>>
>> best avoid create_resources in puppet 4 :)
>
> Why is that?

I can't speak for R.I., but I believe puppet 4 has "first class" looping constructs. Thus, create_resource "hacks" won't be necessary.

-m
[Puppet Users] variable scoping and erb templates
Greetings!

I am hitting a curious question and couldn't find an answer.

I can access variables from other classes when using an erb template.

Here is my minimal example:

# puppet apply variable_scope_test.pp
Notice: Compiled catalog for puppet.example.com in environment production in 0.12 seconds
Notice: A variable from a different class:
Notice: /Stage[main]/Scope_example::Sub_class/Notify[A variable from a different class: ]/message: defined 'message' as 'A variable from a different class: '
Notice: Finished catalog run in 0.11 seconds

# cd /tmp
# head -n -0 variable_scope_test.pp template.erb template_output
==> variable_scope_test.pp <==
class scope_example {
  $variable = "THIS IS A TEST!"
  include scope_example::sub_class
}

class scope_example::sub_class {
  file { '/tmp/template_output':
    content => template('/tmp/template.erb'),
  }
  notify { "A variable from a different class: $variable": }
}

node 'puppet.example.com' {
  include scope_example
}

==> template.erb <==
<%= @variable %>

==> template_output <==
THIS IS A TEST!

So why is the template allowed to see variables in other classes?

I would have expected to need to use the variable like:

<%= @scope_example::variable %>

But it clearly works without adjusting its namespace.

Thoughts?

Thanks!

-m
Re: [Puppet Users] variable scoping and erb templates
Hi Lowe,

On Tue, Aug 16, 2016 at 1:31 AM, Lowe Schmidt wrote:
> What version of Puppet are you running?

Debian Jessie:

3.7.2-4

-m

> --
> Lowe Schmidt | +46 723 867 157
>
> On 15 August 2016 at 20:48, Matt Zagrabelny wrote:
>>
>> Greetings!
>>
>> I am hitting a curious question and couldn't find an answer.
>>
>> I can access variables from other classes when using an erb template.
>>
>> Here is my minimal example:
>>
>> # puppet apply variable_scope_test.pp
>> Notice: Compiled catalog for puppet.example.com in environment
>> production in 0.12 seconds
>> Notice: A variable from a different class:
>> Notice: /Stage[main]/Scope_example::Sub_class/Notify[A variable from a
>> different class: ]/message: defined 'message' as 'A variable from a
>> different class: '
>> Notice: Finished catalog run in 0.11 seconds
>>
>> # cd /tmp
>> # head -n -0 variable_scope_test.pp template.erb template_output
>> ==> variable_scope_test.pp <==
>> class scope_example {
>>   $variable = "THIS IS A TEST!"
>>   include scope_example::sub_class
>> }
>>
>> class scope_example::sub_class {
>>   file { '/tmp/template_output':
>>     content => template('/tmp/template.erb'),
>>   }
>>   notify { "A variable from a different class: $variable": }
>> }
>>
>> node 'puppet.example.com' {
>>   include scope_example
>> }
>>
>> ==> template.erb <==
>> <%= @variable %>
>>
>> ==> template_output <==
>> THIS IS A TEST!
>>
>> So why is the template allowed to see variables in other classes?
>>
>> I would have expected to need to use the variable like:
>>
>> <%= @scope_example::variable %>
>>
>> But it clearly works without adjusting its namespace.
>>
>> Thoughts?
>>
>> Thanks!
>>
>> -m
Re: [Puppet Users] variable scoping and erb templates
On Tue, Aug 16, 2016 at 8:04 AM, jcbollinger wrote:
>>
>> On Tue, Aug 16, 2016 at 1:31 AM, Lowe Schmidt wrote:
>> > What version of Puppet are you running?
>>
>> Debian Jessie:
>>
>> 3.7.2-4
>>
>
> That looks like bug PUP-1220. Note that although the ticket is marked as
> being fixed in Puppet 3.5, commentary on the ticket and details of the
> associated commit make me think that the fix only applies when you use the
> future parser.

Thanks for clearing my confusion, John!

Best,

-m
Re: [Puppet Users] Role vs hiera
On Tue, Oct 18, 2016 at 1:34 PM, Ugo Bellavance wrote:
> Hi,
>
> I've seen tutorials where they add the role as a fact in a client and then
> can use the role for hiera data. Is there a better way to do so (ie without
> having to configure anything on the client)?

As a matter of fact there is a better way.

If you use an ENC, then you can return the role as a top scope variable and your hiera configs can leverage those top scope variables.

Here is an example where I've scrubbed any of our site data:

# puppet-enc ldap.example.com
---
classes:
  role::directory_server: null
environment: production
parameters:
  context: production
  role: role::directory_server

The "classes" at the top and its "role" are for the classifying of the ENC, but the "context" and "role" in the "parameters" near the bottom are variables that get exposed - hiera is one of the things that can use those variables.

This works super slick for us. For what it is worth, we also use a notion of context that allows our ENC to describe whether a node is a "testing" or "production" type system - we have hiera lookups based on that data, too.

Let me know if you want the hiera configs.

-m
Re: [Puppet Users] Role vs hiera
On Tue, Oct 25, 2016 at 2:09 PM, Ugo Bellavance wrote:
> Hi,
>
> I was actually wondering if it could be done without an ENC as we don't have
> one for now.

Not sure. I don't think so, though.

I would work on getting an ENC set up.

-m
Re: [Puppet Users] QUESTION: How can I iterate through the whole list of facters in an erb template?
On Thu, Nov 10, 2016 at 6:25 AM, Victor Martinez wrote:
> Hi there,
>
>    I've been looking for a way of creating an erb file which contains all
> the facter values. Any ideas how I can accomplish it? Reason: I'd like to
> generate custom facters per module and populate those facter values as
> Jenkins Labels

Untested:

<% @facts.each do |key, value| -%>
<%= key %> and <%= value %>
<% end -%>

-m
Re: [Puppet Users] Role vs hiera
On Sat, Nov 19, 2016 at 2:27 PM, Martijn wrote:
> On Tuesday 18 October 2016 21:50:37 UTC+2, Matt Zagrabelny wrote:
>>
>> If you use an ENC, then you can return the role as a top scope
>> variable and your hiera configs can leverage those top scope
>> variables.
>>
>> Let me know if you want the hiera configs.
>>
>> -m
>
> Hi Matt,
>
> That's interesting. What are you using for ENC?

Custom python script that uses a custom database to hold node names, roles, and "production" vs "testing" status.

Since puppet has already claimed the "environment" noun for the filesystem serving space, I use "context" as the variable name that holds the "production" vs. "testing" status.

In hiera, we have the following hierarchy, which is repeated in the hiera.yaml config further down.

1. Node specific hiera data is closest to the node.
2. Whatever role a node is has the next priority for hiera data.
3. The "context" (production vs. testing) is closer to the global (common) hiera space - so context comes after role.
4. Lastly, the global (common) hiera lookup file.

The 3rd item on the list allows us to have a single place for application/database passwords with different passwords for testing and production systems without having to duplicate the password in some.fqdn.node.yaml files.

Pretend that the following 2-D grid are nodes that have their respective roles and contexts.

              Context
      prod          | test
role  app_0_server  | app_0_server
role  db_0_server   | db_0_server
role  app_1_server  | app_1_server
role  db_1_server   | db_1_server
role  .             | .
role  .             | .
role  .             | .

Thus the production app_0_server and db_0_server can easily have a shared password that is different from the testing app_0_server and db_0_server due to the vertical slicing of the hierarchy.

> And I'd love to see your hiera configs, please.

% cat /etc/puppet/hiera.yaml
---
:backends:
  - yaml
:yaml:
  :datadir: /etc/puppet/hiera
:hierarchy:
  - "environments/%{::environment}/node/%{clientcert}"
  - "environments/%{::environment}/role/%{role}"
  - "environments/%{::environment}/context/%{context}"
  - "environments/%{::environment}/common"

-m
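A sketch of an ENC of the kind described in this thread, written for this page and not the author's script: it emits the YAML shape shown in the earlier "puppet-enc ldap.example.com" output and lists the Hiera files the quoted hierarchy would consult for a node. The inventory dict, the function names and the name checks are assumptions of this example; role and context come from the master-side inventory rather than from anything the agent reports.

```python
import re
import sys

# Constructed inventory standing in for the ENC's node database.
INVENTORY = {
    "ldap.example.com": {"role": "role::directory_server",
                         "context": "production"},
    "ldap-test.example.com": {"role": "role::directory_server",
                              "context": "testing"},
}

# The hierarchy from the hiera.yaml quoted in the thread.
HIERARCHY = [
    "environments/%{::environment}/node/%{clientcert}",
    "environments/%{::environment}/role/%{role}",
    "environments/%{::environment}/context/%{context}",
    "environments/%{::environment}/common",
]

LABEL_RE = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")
ROLE_RE = re.compile(r"[a-z][a-z0-9_]*(::[a-z][a-z0-9_]*)*")
CONTEXTS = ("production", "testing")


def valid_certname(name):
    """Accept only lowercase DNS-style names: no slashes, no empty labels."""
    return 0 < len(name) <= 253 and all(
        LABEL_RE.fullmatch(label) for label in name.split("."))


def classify(certname):
    """Return the classification for a node, or raise for bad/unknown names."""
    if not valid_certname(certname):
        raise ValueError("malformed node name")
    node = INVENTORY.get(certname)
    if node is None:
        raise KeyError("unknown node %s" % certname)
    # Values end up in file paths and YAML, so check the inventory too.
    if not ROLE_RE.fullmatch(node["role"]) or node["context"] not in CONTEXTS:
        raise ValueError("bad inventory record for %s" % certname)
    return {
        "classes": {node["role"]: None},
        "environment": "production",
        "parameters": {"context": node["context"], "role": node["role"]},
    }


def to_yaml(classification):
    """Hand-format the small, already validated structure as YAML."""
    lines = ["---", "classes:"]
    lines += ["  %s: null" % name for name in sorted(classification["classes"])]
    lines.append("environment: %s" % classification["environment"])
    lines.append("parameters:")
    lines += ["  %s: %s" % (key, value)
              for key, value in sorted(classification["parameters"].items())]
    return "\n".join(lines) + "\n"


def hiera_paths(certname):
    """Files under the Hiera datadir, highest priority first, for one node."""
    result = classify(certname)
    scope = {
        "::environment": result["environment"],
        "clientcert": certname,
        "role": result["parameters"]["role"],
        "context": result["parameters"]["context"],
    }
    return [re.sub(r"%\{([^}]+)\}", lambda m: scope[m.group(1)], level) + ".yaml"
            for level in HIERARCHY]


def main(argv):
    """ENC entry point: YAML on stdout, non-zero exit if the node is refused."""
    if len(argv) != 2:
        sys.stderr.write("usage: enc <certname>\n")
        return 2
    try:
        sys.stdout.write(to_yaml(classify(argv[1])))
    except (KeyError, ValueError) as err:
        sys.stderr.write("enc: %s\n" % err)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```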
Re: [Puppet Users] using variables with manifests
On Tue, Apr 4, 2017 at 4:41 PM, warron.french wrote:
> Hello, I need some guidance/direction on what to lookup and where I can
> find an example of how to provide values to a class so that they will be
> used by the class (and the ERBtemplate within).
>
> I want to be able to provide the variable *collector_id* to my class and
> from the Red Hat Satellite Puppet Master provide collector_id =
> mycollector.some.net so that it will be used to generate text and then
> populate -mycollector.some.net in the file after some other text.
>
> I figured something like this is needed; but I am not sure and cannot find
> an example to confirm I am on the correct track:
>
> *class* rsyslog_mgmt (collector_id) {
>   file { '/etc/rsyslog.conf':
>     ensure => 'present',
>     content => template('rsyslog_mgmt/syslog.conf.erb'),
>   }
> }
>
> Then the content of my file syslog.conf.erb would look something like this:
>
> ...snippet...
> *.info;authpriv.*;mail.none;news.none <%= @collector_id %>
> ...EOF...
>
> Am I on the correct track? Do I need a $ symbol in front of the
> collector_id within the () at the top in front of the first curly brace
> that starts the class definition?
>

You need the dollar sign:

class blah(
  $parameter_1,
) {
  # ..do stuff
}

Search for "parameterized class puppet" for further reading.

-m
Re: [Puppet Users] What's difference between roles and profiles, ENC and Hiera
On Tue, Mar 31, 2015 at 10:16 AM, Dhaval wrote:
> Hello,
>
> I am starting learning puppet, i want to understand what is the difference
> between roles and profiles and ENV and Hiera ? are all different ways of
> assigning classes or data to host ? can you help to give me brief comparison
> and what's best suited ?

I'd start with googling and watch some videos and then ask more specific questions.

https://puppetlabs.com/presentations/designing-puppet-rolesprofiles-pattern
http://www.craigdunn.org/2012/05/239/
http://garylarizza.com/blog/2014/02/17/puppet-workflow-part-2/
https://www.youtube.com/watch?v=z9TK-gUNFHk

Enjoy!

-m
[Puppet Users] enabling facts hash
Greetings,

I'm getting ready to spin up a puppet 3.7 environment (Debian Jessie) and was reading about the top level $facts hash that holds the client's facts. The puppet documentation states that it is off by default in the open source version [1].

"Drawbacks: Only works with Puppet 3.5 or later. Disabled by default in open source releases prior to Puppet 4.0."

I grepped the configs on my puppet master and didn't see what config I need to change to enable this feature.

# puppet config print | grep fact
cfacter = false
facts_terminus = facter
inventory_terminus = facter
stringify_facts = true
node_name_fact =
dynamicfacts = memorysize,memoryfree,swapsize,swapfree
pluginfactdest = /var/lib/puppet/facts.d
pluginfactsource = puppet://puppet/pluginfacts
factpath = /var/lib/puppet/lib/facter

Any ideas on how to enable this feature?

Thanks!

-m

[1] https://docs.puppetlabs.com/puppet/latest/reference/lang_facts_and_builtin_vars.html#the-factsfactname-hash
[Puppet Users] Re: enabling facts hash - SOLVED
On Wed, Nov 11, 2015 at 9:42 AM, Matt Zagrabelny wrote:
> Greetings,
>
> I'm getting ready to spin up a puppet 3.7 environment (Debian Jessie)
> and was reading about the top level $facts hash that holds the
> client's facts. The puppet documentation states that it is off by
> default in the open source version [1].
>
> "Drawbacks: Only works with Puppet 3.5 or later. Disabled by default
> in open source releases prior to Puppet 4.0."
>
> I grepped the configs on my puppet master and didn't see what config I
> need to change to enable this feature.
>
> # puppet config print | grep fact
> cfacter = false
> facts_terminus = facter
> inventory_terminus = facter
> stringify_facts = true
> node_name_fact =
> dynamicfacts = memorysize,memoryfree,swapsize,swapfree
> pluginfactdest = /var/lib/puppet/facts.d
> pluginfactsource = puppet://puppet/pluginfacts
> factpath = /var/lib/puppet/lib/facter
>
> Any ideas on how to enable this feature?

From [2]:

trusted_node_data = true (Puppet master/apply only) — This enables the $trusted and $facts hashes, so you can start using them in your own code.

Cheers,

-m

[2] http://docs.puppetlabs.com/puppet/3.8/reference/config_important_settings.html
Re: [Puppet Users] ENC
On Fri, Dec 11, 2015 at 11:54 AM, Sergiu Cornea wrote:
> Hello guys,
>
> I have an ENC which is producing the right data as far as I could have tested
> it (copy and paste it in a yaml file), however, when I am using Puppet
> directly Puppet seems to do nothing with it.

Try running something like:

puppet master --no-daemonize --debug

and read the output. You should see something like:

Debug: Executing '/var/lib/puppet/fetch_enc.sh yournode.example.com'

Try running that same command:

/var/lib/puppet/fetch_enc.sh yournode.example.com

and see what the output is. Also, there should be plenty of debugging information in the output of puppet master --no-daemonize --debug.

Cheers,

-m

> This is my Puppet.conf file and logging shows that this script is being
> executed by the Puppet master, like I've said Puppet doesn't seem to be
> using the data.
>
> [master]
> node_terminus = exec
> external_nodes = /var/lib/puppet/fetch_enc.sh
>
> Thank you,
>
> Regards,
> Sergiu
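A check to run on what the ENC script prints when debugging as suggested above, added here as an example and not part of the original messages. It loads the output with a safe YAML loader and reports structural problems; the key rules (a hash with `classes` and/or `parameters`, optional `environment`) follow Puppet's documented ENC format, while `validate_enc_output`, the flagging of other top-level keys and the sample outputs are assumptions made for illustration.

```ruby
require 'yaml'

# Top-level keys of the documented ENC output format.
ENC_KEYS = %w[classes parameters environment].freeze

# Constructed sample: a well-formed ENC answer.
GOOD_ENC = <<~YAML
  ---
  classes:
    - ssh
    - profile::base
  parameters:
    role: web
  environment: apt
YAML

# Constructed sample: the same data nested under the node name.
WRAPPED_ENC = <<~YAML
  ---
  yournode.example.com:
    classes:
      - ssh
YAML

# validate_enc_output is a hypothetical helper, not part of Puppet.
# It returns an array of problem strings; an empty array means the text has
# the shape of an ENC answer.
def validate_enc_output(text)
  return ['ENC printed nothing'] if text.strip.empty?

  begin
    # safe_load rejects Ruby object tags, so checking untrusted ENC output
    # cannot instantiate arbitrary objects in this process.
    data = YAML.safe_load(text)
  rescue Psych::Exception => e
    return ["not valid YAML: #{e.message}"]
  end
  return ["top level must be a YAML hash, got #{data.class}"] unless data.is_a?(Hash)

  problems = []
  # Assumption: keys outside ENC_KEYS do not contribute to classification.
  unknown = data.keys.map(&:to_s) - ENC_KEYS
  problems << "unexpected top-level keys: #{unknown.join(', ')}" unless unknown.empty?
  unless data.key?('classes') || data.key?('parameters')
    problems << "needs at least one of 'classes' or 'parameters'"
  end

  classes = data['classes']
  case classes
  when nil, Array
    bad = Array(classes).reject { |c| c.is_a?(String) }
    problems << "class names must be strings: #{bad.inspect}" unless bad.empty?
  when Hash
    bad = classes.reject { |_, params| params.nil? || params.is_a?(Hash) }.keys
    problems << "class parameters must be a hash or empty: #{bad.join(', ')}" unless bad.empty?
  else
    problems << "'classes' must be an array or a hash, got #{classes.class}"
  end

  params = data['parameters']
  problems << "'parameters' must be a hash" unless params.nil? || params.is_a?(Hash)
  env = data['environment']
  problems << "'environment' must be a string" unless env.nil? || env.is_a?(String)
  problems
end

if __FILE__ == $PROGRAM_NAME
  { 'good' => GOOD_ENC, 'wrapped' => WRAPPED_ENC, 'empty' => '' }.each do |label, text|
    problems = validate_enc_output(text)
    puts "#{label}: #{problems.empty? ? 'ok' : problems.join('; ')}"
  end
end
```

To check a real ENC, pass the captured standard output of the script named in `external_nodes` to `validate_enc_output`.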
[Puppet Users] puppet cert list yields no certs
Greetings,

I am attempting to get a puppet 3.7 install off the ground. Please don't ask me to upgrade to 4.X series. :)

On the puppet master (puppet-3-7.example.net):

# puppet master --no-daemonize --debug
[...]
Info: Not Found: Could not find certificate puppet-client.example.net
Debug: Routes Registered:
Debug: Route /^\/v2\.0/
Debug: Route /.*/
Debug: Evaluating match for Route /^\/v2\.0/
Debug: Did not match path ("/production/certificate/puppet-client.example.net")
Debug: Evaluating match for Route /.*/
Info: Not Found: Could not find certificate puppet-client.example.net

On the puppet client:

# puppet agent -t --server puppet-3-7 --debug
[...]
Debug: /File[/var/lib/puppet/ssl/private_keys/puppet-client.example.net.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
Debug: /File[/var/lib/puppet/ssl/public_keys/puppet-client.example.net.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
Debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
Debug: /File[/var/lib/puppet/facts.d]: Autorequiring File[/var/lib/puppet]
Debug: Finishing transaction 10544780
Debug: Using cached certificate for ca
Debug: Using cached certificate for ca
Debug: Creating new connection for https://puppet-3-7:8140
Debug: Using cached certificate_request for puppet-client.example.net
Debug: Using cached certificate for ca
Debug: Creating new connection for https://puppet-3-7:8140
Debug: Creating new connection for https://puppet-3-7:8140
Debug: Using cached certificate_request for puppet-client.example.net
Debug: Using cached certificate for ca
Debug: Creating new connection for https://puppet-3-7:8140
Debug: Using cached certificate for ca
Debug: Creating new connection for https://puppet-3-7:8140
Exiting; no certificate found and waitforcert is disabled

Then on the master:

# puppet cert list
#

I have a 2.7 puppet environment that works very well and I am well accustomed to dealing with the certs.

The auth.conf file looks okay, too:

# allow nodes to request a new certificate
path /certificate_request
auth any
method find, save
allow *

Can anyone help interpret the debug messages above? Or point me in the correct direction?

Thanks!

-m
Re: [Puppet Users] puppet cert list yields no certs
Hey Peter,

On Thu, Jan 7, 2016 at 5:28 PM, Peter Kristolaitis wrote:
> 'puppet cert list' only shows unsigned certs.
>
> 'puppet cert list --all' will show all certs.

I failed to mention it explicitly: The client does not have a signed cert. I'm trying to get the master to "accept" the CSR from the client.

-m

>
> On 1/7/2016 6:17 PM, Matt Zagrabelny wrote:
>>
>> Greetings,
>>
>> I am attempting to get a puppet 3.7 install off the ground. Please
>> don't ask me to upgrade to 4.X series. :)
>>
>> On the puppet master (puppet-3-7.example.net):
>> # puppet master --no-daemonize --debug
>> [...]
>> Info: Not Found: Could not find certificate puppet-client.example.net
>> Debug: Routes Registered:
>> Debug: Route /^\/v2\.0/
>> Debug: Route /.*/
>> Debug: Evaluating match for Route /^\/v2\.0/
>> Debug: Did not match path
>> ("/production/certificate/puppet-client.example.net")
>> Debug: Evaluating match for Route /.*/
>> Info: Not Found: Could not find certificate puppet-client.example.net
>>
>> On the puppet client:
>> # puppet agent -t --server puppet-3-7 --debug
>> [...]
>> Debug:
>> /File[/var/lib/puppet/ssl/private_keys/puppet-client.example.net.pem]:
>> Autorequiring File[/var/lib/puppet/ssl/private_keys]
>> Debug:
>> /File[/var/lib/puppet/ssl/public_keys/puppet-client.example.net.pem]:
>> Autorequiring File[/var/lib/puppet/ssl/public_keys]
>> Debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring
>> File[/var/lib/puppet/ssl/certs]
>> Debug: /File[/var/lib/puppet/facts.d]: Autorequiring File[/var/lib/puppet]
>> Debug: Finishing transaction 10544780
>> Debug: Using cached certificate for ca
>> Debug: Using cached certificate for ca
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Debug: Using cached certificate_request for puppet-client.example.net
>> Debug: Using cached certificate for ca
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Debug: Using cached certificate_request for puppet-client.example.net
>> Debug: Using cached certificate for ca
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Debug: Using cached certificate for ca
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Exiting; no certificate found and waitforcert is disabled
>>
>> Then on the master:
>> # puppet cert list
>> #
>>
>> I have a 2.7 puppet environment that works very well and I am well
>> accustomed to dealing with the certs.
>>
>> The auth.conf file looks okay, too:
>>
>> # allow nodes to request a new certificate
>> path /certificate_request
>> auth any
>> method find, save
>> allow *
>>
>> Can anyone help interpret the debug messages above? Or point me in the
>> correct direction?
>>
>> Thanks!
>>
>> -m
Re: [Puppet Users] puppet cert list yields no certs
On Thu, Jan 7, 2016 at 5:35 PM, Peter Kristolaitis wrote:
> Apparently I was a little too quick on the send button. :(
>
> To continue my previous email:
>
> Does 'puppet cert list --all' show any certs at all?

Yep:

# puppet cert list --all
+ "puppet-client-1.example.net" (SHA256) A3:73:DC:89:B2:13:D4:C5:7A:58:B9:EB:7E:6A:22:1C:36:97:BD:8F:4C:AD:18:39:2E:F8:10:2C:29:36:F6:82
+ "puppet-3-7.example.net" (SHA256) E6:F6:7D:6C:D8:30:6C:AC:1E:B5:5D:29:E8:11:0C:CB:54:22:BA:B3:96:C1:E2:49:7A:48:CF:3E:F8:12:43:24 (alt names: "DNS:puppet-3-7", "DNS:puppet-3-7.example.net")

I don't remember what I did to get the master to accept the CSR of puppet-client-1 earlier, but I did have similar issues where I ran the client and the master didn't show any unsigned certs when running "puppet cert list".

That was a few weeks ago. I'm just coming back to puppet 3.7 now.

-m
Re: [Puppet Users] puppet cert list yields no certs - SOLVED (sort of!)
On Thu, Jan 7, 2016 at 5:41 PM, Matt Zagrabelny wrote:
> On Thu, Jan 7, 2016 at 5:35 PM, Peter Kristolaitis wrote:
>> Apparently I was a little too quick on the send button. :(
>>
>> To continue my previous email:
>>
>> Does 'puppet cert list --all' show any certs at all?
>
> Yep:
>
> # puppet cert list --all
> + "puppet-client-1.example.net" (SHA256)
> A3:73:DC:89:B2:13:D4:C5:7A:58:B9:EB:7E:6A:22:1C:36:97:BD:8F:4C:AD:18:39:2E:F8:10:2C:29:36:F6:82
> + "puppet-3-7.example.net" (SHA256)
> E6:F6:7D:6C:D8:30:6C:AC:1E:B5:5D:29:E8:11:0C:CB:54:22:BA:B3:96:C1:E2:49:7A:48:CF:3E:F8:12:43:24
> (alt names: "DNS:puppet-3-7", "DNS:puppet-3-7.example.net")
>
> I don't remember what I did to get the master to accept the CSR of
> puppet-client-1 earlier, but I did have similar issues where I ran the
> client and the master didn't show any unsigned certs when running
> "puppet cert list".
>
> That was a few weeks ago. I'm just coming back to puppet 3.7 now.

Regenerating the client cert and connecting to the master seems to get me one step further.

client:
find /var/lib/puppet/ssl -name puppet-cliet.example.net.pem -delete

server:
puppet cert clean puppet-client.example.net

client:
puppet agent -t --server puppet-3-7 --debug

server:
puppet cert list
"puppet-client.example.net" (SHA256) E9:D3:10:D4:A0:0D:C7:BC:1F:FA:70:3E:DD:35:35:6C:1C:5C:D0:48:61:96:25:2F:E7:D2:DA:8F:4E:3F:24:CB
puppet cert sign puppet-client.example.net

client:
puppet agent -t --server puppet-3-7 --debug
[...]
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=unknown state: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet-3-7.example.net]
Exiting; failed to retrieve certificate and waitforcert is disabled

Then performing the above steps, but clearing out all .pem files on the client seemed to fix the issue.

Cheers!

-m
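The last error above is a chain-verification failure on the agent. As an added illustration (not from the original messages), the Ruby below reproduces one situation that leads to this kind of failure, under the assumption that the agent still holds a cached ca.pem from a different CA than the one now signing certificates on the master, and shows the fingerprint comparison that detects it. All keys and certificates are generated in-process, and the helper names are hypothetical.

```ruby
require 'openssl'

# Build a certificate. With no issuer given it is self-signed and marked as a
# CA; otherwise it is a leaf signed by issuer_key.
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  if issuer_cert.nil?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# SHA256 over the DER encoding, in the colon-separated style that
# `puppet cert list` prints in the thread.
def fingerprint(cert)
  OpenSSL::Digest.new('SHA256').hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# True when cert chains to trusted_ca and nothing else.
def verifies?(cert, trusted_ca)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_ca)
  store.verify(cert)
end

# Compare the CA the agent has cached with the CA the master uses, and test
# whether the master's certificate verifies against the cached copy.
def agent_ca_check(cached_ca, master_ca, master_cert)
  {
    cached_fingerprint: fingerprint(cached_ca),
    master_fingerprint: fingerprint(master_ca),
    ca_matches: fingerprint(cached_ca) == fingerprint(master_ca),
    master_cert_verifies: verifies?(master_cert, cached_ca)
  }
end

# Constructed scenario: two CAs with the same name but different keys, as
# after a CA has been regenerated, plus a master certificate from the new one.
def build_scenario
  ca_name = '/CN=Puppet CA: puppet-3-7.example.net'
  old_key = OpenSSL::PKey::RSA.new(2048)
  new_key = OpenSSL::PKey::RSA.new(2048)
  master_key = OpenSSL::PKey::RSA.new(2048)
  new_ca = make_cert(ca_name, new_key)
  {
    old_ca: make_cert(ca_name, old_key),
    new_ca: new_ca,
    master: make_cert('/CN=puppet-3-7.example.net', master_key,
                      issuer_cert: new_ca, issuer_key: new_key, serial: 2)
  }
end

if __FILE__ == $PROGRAM_NAME
  s = build_scenario
  puts "stale cache: #{agent_ca_check(s[:old_ca], s[:new_ca], s[:master])}"
  puts "fresh cache: #{agent_ca_check(s[:new_ca], s[:new_ca], s[:master])}"
end
```

With real files, `OpenSSL::X509::Certificate.new(File.read(path))` loads a PEM certificate such as the agent's /var/lib/puppet/ssl/certs/ca.pem, so the two fingerprints can be compared before any files are deleted.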
[Puppet Users] Warning: Local environment: "production" doesn't match server specified node environment
Greetings,

I've searched a bit and found some hits for the subject, but nothing that helps.

I'm using an ENC to drive the environment of my nodes. I don't have "production" defined anywhere in my puppet.conf:

# grep production /etc/puppet/puppet.conf || echo "not there"
not there

and it is not defined on my command-line run:

puppet agent -t --server puppet-3-7 --debug

but I still get a warning about the local environment:

Warning: Local environment: "production" doesn't match server specified node environment "apt", switching agent to "apt".

Where else (besides the /etc/puppet/puppet.conf and the command-line option --environment) do I look for the local environment being set?

Thanks!

-m
Re: [Puppet Users] Warning: Local environment: "production" doesn't match server specified node environment
Hi Alfredo,

Thanks for the reply.

On Wed, Jan 27, 2016 at 4:47 PM, Alfredo De Luca wrote:
> Hi Matt.
> AFAIK production is the default environment assigned to all the nodes.

Sure.

> try
> puppet config print environment

Yep, production:

# puppet config print environment
production

So how do I get the warning to go away?

Warning: Local environment: "production" doesn't match server specified node environment "apt", switching agent to "apt".

Any ideas?

-m
Re: [Puppet Users] Warning: Local environment: "production" doesn't match server specified node environment
Hi Martin,

On Sat, Jan 30, 2016 at 5:03 AM, Martin Alfke wrote:
> Hi Matt,
>
> an ENC can set an environment for a node.

Yep. I'm using an ENC to set the environment to 'apt'.

> In case that a node does not specify an environment it will make use of
> environment production.
> You can specify node environment on the node in puppet.conf in agent section:
>
> [agent]
> environment = apt

Sure. I'd like to avoid setting any environment in the puppet.conf and only use the ENC *and* not get the warning.

Any ideas?

Thanks for the help!

-m
[Puppet Users] puppet.conf documentation
Greetings,

I know that the puppet.conf documentation exists in extreme detail:

http://docs.puppetlabs.com/puppet/3.7/reference/configuration.html

What that page doesn't tell me is if the config items map to the [agent] or [master] sections of the config file.

Does anyone know if that data exists in an easy to consume location?

On my puppet master system I have the following puppet.conf snippet:

[main]
logdir = /var/log/puppet
vardir = /var/lib/puppet
ssldir = /var/lib/puppet/ssl
rundir = /var/run/puppet
factpath = $vardir/lib/facter
dns_alt_names= puppet-3-7,puppet-3-7.d.umn.edu
stringify_facts = false
ordering = manifest
environmentpath = $confdir/environments
basemodulepath = $confdir/modules:$confdir/profiles:/usr/share/puppet/modules

Should I also have the same configs on my clients? For instance, should stringify_facts be set on the clients?

Thanks for any help!

-m
[Puppet Users] DRY duplicated manifest code
Greetings Puppet Users,

I have a chunk of code I'd like to centralize - you know DRY.

I've looked into a custom function, but I'm uncertain how to get at the puppet resources inside of ruby.

Here is the verbatim copy of the chunk in a puppet manifest:

if defined(Service['apache2']) {
  $services_to_notify = [ Service['apache2'], ]
}
else {
  $services_to_notify = []
}

and here is some hand-wavy pseudocode:

function return_service_array_if_defined($service) {
  if defined(Service[$service]) {
    return [ Service[$service], ]
  }
  else {
    return []
  }
}

Any suggestions or ideas for implementation?

Thanks!

-m
Re: [Puppet Users] DRY duplicated manifest code
On Wed, Mar 23, 2016 at 3:04 PM, Hunter Haugen wrote:
> Given the resource you want to apply this pattern to, it can be turned into
> a one-liner with a collector:
>
> file { '/tmp/something':
>   ensure => file,
> }
> File['/tmp/something'] ~> Service <| title == 'apache2' |>
>
> This means that if there is a service with a title of apache2 EVER added to
> the catalog, it'll be refreshed on file changes. If the service doesn't
> exist, then the dependency does nothing.
>
> Now, this isn't exactly what you asked since you wanted the variable
> $services_to_notify and didn't say what you're going to do with it, but I
> assume this is what you want? Because collectors are not parse-order
> specific, you can't do variable assignments like $services_to_notify =
> Service <| title == 'apache2' |> (because variables are evaluated in parse
> order and collectors are not).
>
> If you really want to make a function that searches the catalog and returns
> references, it can be done with something like
> `scope.catalog.resource('Service[apache2]')` inside the function I believe,
> though that may not be the exact call.

Thanks for the reply, Hunter. I'll dig in and report back if I've got issues.

Cheers!

-m
Re: [Puppet Users] DRY duplicated manifest code
On Wed, Mar 23, 2016 at 3:04 PM, Hunter Haugen wrote:
> Given the resource you want to apply this pattern to, it can be turned into
> a one-liner with a collector:
>
> file { '/tmp/something':
>   ensure => file,
> }
> File['/tmp/something'] ~> Service <| title == 'apache2' |>

Can you combine the two steps?

file { '/tmp/something':
  ensure => file,
} ~> Service <| title == 'apache2' |>

or is that frowned upon, or just not possible?

-m
[Puppet Users] puppet.conf ini heading
Greetings,

I'm running puppet 5.5.6 (Debian testing.)

I'm seeing some curious and inconsistent results from where I put config settings in /etc/puppet/puppet.conf. When I use the [master] heading, the "external_nodes" setting is read by the puppet master:

# cat /etc/puppet/puppet.conf
[master]
node_terminus = exec
external_nodes = /opt/bin/my-enc
# systemctl restart puppet-master.service
# puppet config print external_nodes
none

However, if I remove the "master" section heading in the puppet.conf file, I get the results I expect:

# cat /etc/puppet/puppet.conf
node_terminus = exec
external_nodes = /opt/bin/my-enc
# systemctl restart puppet-master.service
# puppet config print external_nodes
/opt/bin/my-enc

Should I file a bug or is this somehow expected?

Thanks!

-m
Re: [Puppet Users] puppet.conf ini heading
On Tue, Oct 30, 2018 at 5:10 PM Justin Stoller wrote:
>
> On Tue, Oct 30, 2018 at 2:34 PM Matt Zagrabelny wrote:
>
>> Greetings,
>>
>> I'm running puppet 5.5.6 (Debian testing.)
>>
>> I'm seeing some curious and inconsistent results from where I put config
>> settings in /etc/puppet/puppet.conf. When I use the [master] heading, the
>> "external_nodes" setting is read by the puppet master:
>>
>> # cat /etc/puppet/puppet.conf
>> [master]
>> node_terminus = exec
>> external_nodes = /opt/bin/my-enc
>> # systemctl restart puppet-master.service
>> # puppet config print external_nodes
>> none
>>
>> [...]
>
> When your master run it uses only certain sections of the config file
> (mainly "master" and "main"[1]), while config print will by default use the
> section "main". You can use the `--section ` flag to act on a
> specific section. If you don't specify a section in the puppet.conf the
> setting will be applied to the "main" section.
>
> eg `puppet config print --section master external_nodes` should give you
> what you want.

Indeed it does!

Thanks, Justin!

-m
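The section behaviour described in the reply above, modelled as an added example that is not Puppet's own code: a small puppet.conf reader that files heading-less settings under "main" and resolves a setting for a given section with fallback to "main". The function names are hypothetical, and the two sample files are the ones quoted in the thread.

```ruby
# The two puppet.conf variants from the thread.
WITH_HEADING = <<~CONF
  [master]
  node_terminus = exec
  external_nodes = /opt/bin/my-enc
CONF

WITHOUT_HEADING = <<~CONF
  node_terminus = exec
  external_nodes = /opt/bin/my-enc
CONF

# Parse puppet.conf text into { section => { setting => value } }.
# Settings that appear before any [section] heading go to "main".
def parse_puppet_conf(text)
  sections = {}
  current = 'main'
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')

    if (m = line.match(/\A\[(\w+)\]\z/))
      current = m[1]
    elsif (m = line.match(/\A(\w+)\s*=\s*(.*)\z/))
      (sections[current] ||= {})[m[1]] = m[2]
    end
  end
  sections
end

# Value of a setting as seen from one section: that section first, then
# "main". nil means the file does not set it there and the built-in default
# applies (shown as "none" for external_nodes in the thread).
def effective_value(conf, setting, section = 'main')
  [section, 'main'].uniq.each do |name|
    return conf[name][setting] if conf.key?(name) && conf[name].key?(setting)
  end
  nil
end

# Settings defined only outside "main": a lookup against "main" alone, such
# as a plain `puppet config print`, will not show them.
def hidden_from_default_print(conf)
  main = conf.fetch('main', {})
  conf.reject { |name, _| name == 'main' }
      .flat_map { |name, settings| settings.keys.map { |key| [name, key] } }
      .reject { |_, key| main.key?(key) }
end

if __FILE__ == $PROGRAM_NAME
  { 'with [master] heading' => WITH_HEADING,
    'without heading' => WITHOUT_HEADING }.each do |label, text|
    conf = parse_puppet_conf(text)
    puts label
    puts "  main view:   #{effective_value(conf, 'external_nodes').inspect}"
    puts "  master view: #{effective_value(conf, 'external_nodes', 'master').inspect}"
    puts "  only outside main: #{hidden_from_default_print(conf).inspect}"
  end
end
```

When auditing a master for settings such as `external_nodes` or `node_terminus`, query the section the service actually runs under, as `puppet config print --section master` does in the reply.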
[Puppet Users] puppet master not seeing certificate signing request from agent
Greetings,

I'm running puppet 5.5.6 (Debian testing).

I'm having issues getting the master to see the cert signing request from an agent.

The firewall isn't an issue. I see the packets hit an "allow" rule on the master, but I've also turned the firewall off.

tcpdump shows the packets reaching the server:

2018-10-31 11:03:19.705234 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
2018-10-31 11:03:35.833194 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
2018-10-31 11:04:08.345204 IP6 2607::2a.46390 > 2607::20.8140: tcp 0

2607::2a = agent
2607::20 = master

I'm not seeing anything from the server:

# puppet master --no-daemonize
Warning: Accessing 'ca' as a setting is deprecated.
   (location: /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1165:in `issue_deprecation_warning')
Warning: The WEBrick Puppet master server is deprecated and will be removed in a future release. Please use Puppet Server instead. See http://links.puppet.com/deprecate-rack-webrick-servers for more information.
   (location: /usr/lib/ruby/vendor_ruby/puppet/application/master.rb:207:in `main')
Notice: Starting Puppet master version 5.5.6

Adding --debug or --verbose didn't seem to yield any extra log messages after the "Starting Puppet master..." for when I expected a cert signing request message.

and the agent just shows an expiration:

# puppet agent -t --server puppet-5-5
Warning: Setting cadir is deprecated.
   (location: /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1169:in `issue_deprecation_warning')
Error: Could not request certificate: execution expired
Exiting; failed to retrieve certificate and waitforcert is disabled

Any ideas where to look next?

Thanks!

-m
[Puppet Users] Re: puppet master not seeing certificate signing request from agent
On Wed, Oct 31, 2018 at 11:23 AM Matt Zagrabelny wrote:
> Greetings,
>
> I'm running puppet 5.5.6 (Debian testing).
>
> I'm having issues getting the master to see the cert signing request from
> an agent.
>
> The firewall isn't an issue. I see the packets hit an "allow" rule on the
> master, but I've also turned the firewall off.
>
> tcpdump shows the packets reaching the server:
>
> 2018-10-31 11:03:19.705234 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
> 2018-10-31 11:03:35.833194 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
> 2018-10-31 11:04:08.345204 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
>
> 2607::2a = agent
> 2607::20 = master
>
> I'm not seeing anything from the server:
>
> # puppet master --no-daemonize
> Warning: Accessing 'ca' as a setting is deprecated.
>    (location: /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1165:in
> `issue_deprecation_warning')
> Warning: The WEBrick Puppet master server is deprecated and will be
> removed in a future release. Please use Puppet Server instead. See
> http://links.puppet.com/deprecate-rack-webrick-servers for more
> information.
>    (location:
> /usr/lib/ruby/vendor_ruby/puppet/application/master.rb:207:in `main')
> Notice: Starting Puppet master version 5.5.6
>
> Adding --debug or --verbose didn't seem to yield any extra log messages
> after the "Starting Puppet master..." for when I expected a cert signing
> request message.
>
> and the agent just shows an expiration:
>
> # puppet agent -t --server puppet-5-5
> Warning: Setting cadir is deprecated.
>    (location: /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1169:in
> `issue_deprecation_warning')
> Error: Could not request certificate: execution expired
> Exiting; failed to retrieve certificate and waitforcert is disabled
>
> Any ideas where to look next?

No new updates, but I wanted to add that lsof reports puppet listening:

puppet 25053 puppet 8u IPv4 125393 0t0 TCP *:8140 (LISTEN)
puppet 25053 puppet 9u IPv6 125394 0t0 TCP *:8140 (LISTEN)

and I'm not seeing anything in the master log file:

[2018-10-31 16:05:35] DEBUG Puppet::Network::HTTP::WEBrickREST is mounted on /.
[2018-10-31 16:05:35] INFO WEBrick::HTTPServer#start: pid=25053 port=8140

Confused...

-m
Re: [Puppet Users] Re: puppet master not seeing certificate signing request from agent
Hey Justin,

Thanks for the reply!

On Wed, Oct 31, 2018 at 10:49 PM Justin Stoller wrote:
> What happens on the agent that is running on the master?

Works as expected. Thus indicting the firewall.

Digging deeper... it looks like Debian testing bit me. But I don't blame them - I know I'm tracking a moving target.

iptables upgraded from 1.6 to 1.8 (and I didn't reboot after). There are new semantics (iptables-legacy) and the firewall was still blocking 8140 in the legacy mode.

I've rebooted and cleared the legacy chains/tables. Things work as expected now.

Thanks for the help and hints. It is very appreciated!

-m
[Puppet Users] serving per-node private data in puppet 5
Greetings!

I'm working on migrating my puppet 3.7 environment to puppet 5.5 (Debian testing.)

How are folks serving private per-node data in puppet 5? (i.e. ssh keys, apache cert and key, etc.)

In both puppet 2.7 and 3.7 I've used:

$ cat /etc/puppet/fileserver.conf
# This file consists of arbitrarily named sections/modules
# defining where files are served from and to whom

[private]
path /etc/puppet/environments/production/private/%H
allow *

Have things changed since then? Are there better (or more idiomatic) ways of serving up private per-node files?

Ideally I would also be able to use the environment to adjust the mount point. Hand-wavy magic:

path /etc/puppet/environments/%E/private/%H

Hiera has support for top level variables. Our ENC exposes the environment:

"environments/%{::environment}/node/%{clientcert}"

Thanks for any hints, help, or discussion!

-m
[Puppet Users] leading double colons (::) for class instances
Greetings puppet-users!

For many years I have been using the following convention for including my classes:

class foo() {
  include ::profile::bar
}

I know I don't need the leading double colon for including profile::bar, but at one point in time I thought it may have been a best practice or it would help prevent some sort of future pain point.

Is that still true? Was I ever correct?

What is the current best practice for namespacing included classes?

Thanks for any feedback!

-m
[Puppet Users] Re: leading double colons (::) for class instances
On Mon, Jan 7, 2019 at 3:31 PM Matt Zagrabelny wrote:
> Greetings puppet-users!
>
> For many years I have been using the following convention for including my
> classes:
>
> class foo() {
>   include ::profile::bar
> }
>
> I know I don't need the leading double colon for including profile::bar,
> but at one point in time I thought it may have been a best practice or it
> would help prevent some sort of future pain point.
>
> Is that still true? Was I ever correct?

Needed to spend 30 more seconds reading before hitting send. Sorry for the noise!

https://github.com/voxpupuli/puppet-lint-absolute_classname-check/issues/3

Thanks for any additional feedback!

-m
[Puppet Users] relationships, ordering, and defined types
Greetings!

I'm running puppet 5.5 on Debian Buster.

This exists:

define bar::baz() {
  file { "/tmp/$name": }
}

...somewhere else...

bar::baz { 'qux': }

file { '/tmp/foo':
  before => Bar::baz['qux'],
}

But when the catalog gets compiled I get an error:

Evaluation Error: Error while evaluating a Resource Statement, Illegal class reference

Is it possible to use a defined type with a "before" (or any other relationship metaparameter)?

Thanks!

-m
Re: [Puppet Users] relationships, ordering, and defined types
On Tue, Jan 22, 2019 at 4:22 PM Ben Ford wrote:

> Caps all segments in a defined type name:
>
> before => Bar::Baz['qux'],

Huzzah! Thanks Ben!

-m
[Puppet Users] accessing out of class/scope variables in template
Hello,

I'm running puppet 5.5 OSE.

I've got a class foo:

    class foo {
      $bar = 'hi'
    }

    class foo::configure {
      file { '/tmp/foo.conf':
        content => template('foo/foo.conf.erb'),
      }
    }

and then in the template:

    <%= scope['foo::bar'] %>

but suppose I want to access an out of class variable:

    <%= scope['baz::qux'] %>

That does not seem to work. Is there any way to access out of class variables in a template?

Thanks for any help!

-m
[Puppet Users] puppet catalog find --terminus json on puppet master
Greetings,

I'm using puppet 5.5.10 (Debian Buster).

From the puppet master system, I'm trying to get all the resources in a catalog for a given node.

On a node "foo.example.com" I can with:

    foo# puppet catalog find --terminus json | wc -l
    6271

but on the master I've tried:

    puppet# puppet catalog find --terminus json foo.example.com | wc -l
    0

If I try a rest terminus I get:

    puppet# puppet catalog find --terminus rest foo.example.com | wc -l
    Error: Could not call 'find' on 'catalog': Error 403 on SERVER: Not Authorized: Forbidden request: /puppet/v3/catalog/git.d.umn.edu [find]
    Error: Could not call 'find' on 'catalog': Error 403 on SERVER: Not Authorized: Forbidden request: /puppet/v3/catalog/git.d.umn.edu [find]
    Error: Try 'puppet help catalog find' for usage

Any ideas on how to get a node's catalog from the master?

Thanks,

-m
Re: [Puppet Users] puppet catalog find --terminus json on puppet master
Hey David,

Thanks for the reply!

On Tue, Sep 17, 2019 at 5:58 AM David Schmitt wrote:

> The most recent releases of puppetserver have an API endpoint specifically
> designed for this usecase:
> https://puppet.com/docs/puppetserver/latest/puppet-api/v4/catalog.html

Okay. I'm only on puppet 5.5.

> You'll also need to enable access to that endpoint in auth.conf for the
> server you want to access that API from.
>
> You can experiment with the certless catalog indirector from
> https://github.com/puppetlabs/ace/blob/master/lib/puppet/indirector/catalog/certless.rb to
> integrate into the CLI you're asking about, but that'll likely require some
> work to pass through the required fields.

Hmmm... So for 5.5 using this ruby file is about the only option to generate the catalog on the master?

Thanks for the help!

-m
[Puppet Users] vcsrepo with specific identity?
Greetings,

I am attempting to specify an identity with a vcsrepo resource. Such as:

    vcsrepo { '/opt/src/repository':
      ensure   => present,
      provider => git,
      revision => 'stable',
      source   => 'ssh://gitol...@git.example.com/repository.git',
      identity => '/root/.ssh/id_rsa__gitolite_access__non_private',
    }

I'm running puppet 5.5 (Debian Buster).

I've tried with both the (Debian) packaged version of puppetlabs vcsrepo (1.3.2) and the most recent source release from the forge (3.0.0) and I am getting the same results for both:

    Error: Execution of '/usr/bin/git clone ssh://gitol...@git.example.com/repository.git /opt/src/repository' returned 128: Cloning into '/opt/src/repository'...
    Permission denied, please try again.
    Permission denied, please try again.
    gitol...@git.example.com: Permission denied (publickey,password).
    fatal: Could not read from remote repository.

    Please make sure you have the correct access rights
    and the repository exists.
    Error: /Stage[main]/Profile___base__gnu/Vcsrepo[/opt/src/repository]/ensure: change from 'absent' to 'present' failed: Execution of '/usr/bin/git clone ssh://gitol...@git.example.com/repository.git /opt/src/repository' returned 128: Cloning into '/opt/src/repository'...
    Permission denied, please try again.
    Permission denied, please try again.
    gitol...@git.example.com: Permission denied (publickey,password).
    fatal: Could not read from remote repository.

    Please make sure you have the correct access rights
    and the repository exists.

I can get the vcsrepo to work if I utilize the default identity file (~/.ssh/id_rsa) or by defining the identity file to use in ~/.ssh/config. That is, by not specifying the "identity" parameter things work as expected.

Additionally, I can successfully clone the repo using git using the desired identity file:

    # GIT_SSH_COMMAND="/usr/bin/ssh -i /root/.ssh/id_rsa__gitolite_access__non_private" git clone --single-branch --branch stable ssh://gitol...@git.example.com/repository.git
    Cloning into 'repository'...
    remote: Enumerating objects: 8, done.
    remote: Counting objects: 100% (8/8), done.
    remote: Compressing objects: 100% (6/6), done.
    remote: Total 8 (delta 1), reused 0 (delta 0)
    Receiving objects: 100% (8/8), done.
    Resolving deltas: 100% (1/1), done.

Has anyone had success with specifying the identity file with vcsrepo?

Any hints, tips, or suggestions are very welcome!

Thanks,

-m
Re: [Puppet Users] vcsrepo with specific identity?
On Tue, Dec 3, 2019 at 11:23 AM Yvan Broccard wrote:

> Don't forget the "user", "group" and "owner" parameter. For example, from
> one of my manifests :

Hmmm

> -> vcsrepo {'oracle-scripts':
>   ensure   => 'latest',
>   path     => "${hvs_oracle::oradb::admindir}/oracle-scripts",
>   provider => 'git',
>   source   => 'ssh://git@git:7999/infra/oracle-scripts.git',
>   identity => "${oraclehome}/.ssh/id_ed25519",
>   revision => 'master',
>   user     => 'oracle',
>   owner    => 'oracle',
>   group    => 'oinstall',
> }

When I don't use the "identity" parameter things work okay (even without the user, owner, and group parameters.)

The errors I'm seeing are directly related to git (via puppet) not using the specified key for authenticating. I don't think I'm seeing issues with the user, owner, group.

Thank you for the reply,

-m
[Puppet Users] Re: vcsrepo with specific identity? - SOLVED
My usage of the GIT_SSH_COMMAND environment variable was leaking into the "puppet agent -t" environment and was short-circuiting vcsrepo's use of GIT_SSH.

I've patched my local copy of the vcsrepo module and have created a PR:

https://github.com/puppetlabs/puppetlabs-vcsrepo/pull/435

Cheers!

-m

On Tue, Dec 3, 2019 at 10:56 AM Matt Zagrabelny wrote:

> Greetings,
>
> I am attempting to specify an identity with a vcsrepo resource. Such as:
>
> vcsrepo { '/opt/src/repository':
>   ensure => present,
>   provider => git,
>   revision => 'stable',
>   source => 'ssh://gitol...@git.example.com/repository.git',
>   identity => '/root/.ssh/id_rsa__gitolite_access__non_private',
> }
>
> I'm running puppet 5.5 (Debian Buster).
>
> I've tried with both the (Debian) packaged version of puppetlabs vcsrepo
> (1.3.2) and the most recent source release from the forge (3.0.0) and I am
> getting the same results for both:
>
>
> Error: Execution of '/usr/bin/git clone ssh://
> gitol...@git.example.com/repository.git /opt/src/repository' returned
> 128: Cloning into '/opt/src/repository'...
> Permission denied, please try again.
> Permission denied, please try again.
> gitol...@git.example.com: Permission denied (publickey,password).
> fatal: Could not read from remote repository.
>
> Please make sure you have the correct access rights
> and the repository exists.
> Error:
> /Stage[main]/Profile___base__gnu/Vcsrepo[/opt/src/repository]/ensure:
> change from 'absent' to 'present' failed: Execution of '/usr/bin/git clone
> ssh://gitol...@git.example.com/repository.git /opt/src/repository'
> returned 128: Cloning into '/opt/src/repository'...
> Permission denied, please try again.
> Permission denied, please try again.
> gitol...@git.example.com: Permission denied (publickey,password).
> fatal: Could not read from remote repository.
>
> Please make sure you have the correct access rights
> and the repository exists.
>
>
> I can get the vcsrepo to work if I utilize the default identity file
> (~/.ssh/id_rsa) or by defining the identity file to use in ~/.ssh/config.
> That is, by not specifying the "identity" parameter things work as expected.
>
> Additionally, I can successfully clone the repo using git using the
> desired identity file:
>
> # GIT_SSH_COMMAND="/usr/bin/ssh -i
> /root/.ssh/id_rsa__gitolite_access__non_private" git clone --single-branch
> --branch stable ssh://gitol...@git.example.com/repository.git
> Cloning into 'repository'...
> remote: Enumerating objects: 8, done.
> remote: Counting objects: 100% (8/8), done.
> remote: Compressing objects: 100% (6/6), done.
> remote: Total 8 (delta 1), reused 0 (delta 0)
> Receiving objects: 100% (8/8), done.
> Resolving deltas: 100% (1/1), done.
>
> Has anyone had success with specifying the identity file with vcsrepo?
>
> Any hints, tips, or suggestions are very welcome!
>
> Thanks,
>
> -m
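The precedence behind the SOLVED message above, as an added example that is not part of the thread or of the vcsrepo module: git honours GIT_SSH_COMMAND ahead of GIT_SSH, so a wrapper that a tool hands to git through GIT_SSH is ignored whenever the launching shell exported GIT_SSH_COMMAND. The function names and the /tmp paths are made up for the illustration, and git's core.sshCommand setting is not modelled.

```shell
#!/bin/sh
# Added example: which environment variable decides git's SSH transport, and
# how to launch a tool without an inherited override.

# Print the name of the variable git would honour, looking only at the two
# environment variables named in the thread. A variable counts as soon as it
# is set, even to an empty value. Only exported variables reach child
# processes; this function inspects the current shell's view.
git_ssh_source() {
    if [ -n "${GIT_SSH_COMMAND+set}" ]; then
        printf 'GIT_SSH_COMMAND\n'
    elif [ -n "${GIT_SSH+set}" ]; then
        printf 'GIT_SSH\n'
    else
        printf 'default\n'
    fi
}

# Simulate the environment of a git child process started by a tool that sets
# GIT_SSH to its own wrapper script ($1, a hypothetical path), and report
# which variable git would honour there.
child_git_ssh_source() {
    ( GIT_SSH=$1; export GIT_SSH; git_ssh_source )
}

# Run a command with any inherited GIT_SSH_COMMAND removed, leaving the
# caller's own environment untouched (the unset happens in a subshell).
# Typical use: without_git_ssh_command puppet agent -t
without_git_ssh_command() {
    ( unset GIT_SSH_COMMAND; "$@" )
}
```
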
[Puppet Users] puppetdb query return values
Greetings,

I've looked through the puppetdb docs, in particular the PQL docs, to find out if I can extract a single parameter in the return value(s).

I have as a PQL:

    resources[parameters] { type = "Postgresql::Server::Pg_hba_rule" and parameters.address ~ "."}

I'd like to get the "address" parameter. So some pseudocode like:

    resources[parameters.address]

I know I can post process the results, but is there a way to get a single parameter in PQL?

Thanks,

-m
[Puppet Users] puppet catalog security?
Greetings,

Suppose I have a class foo that host A gets via its catalog. Suppose host B does not have foo in its catalog. Can host B do anything malicious to obtain the sensitive data in foo?

My puppet master is using an ENC to generate the classification of each host and then a roles + profiles design pattern and hiera for specific data.

Thanks for any hints or answers!

-m
Re: [Puppet Users] puppet catalog security?
On Sat, Mar 28, 2020 at 7:31 AM Henrik Lindberg wrote:

> On 2020-03-28 02:42, Matt Zagrabelny wrote:
> > Greetings,
> >
> > Suppose I have a class foo that host A gets via its catalog. Suppose
> > host B does not have foo in its catalog. Can host B do anything
> > malicious to obtain the sensitive data in foo?
> >
> > My puppet master is using an ENC to generate the classification of each
> > host and then a roles + profiles design pattern and hiera for specific data.
> >
> > Thanks for any hints or answers!
> >
>
> It is important that your server side logic uses $trusted when
> classifying on node since other facts cannot be trusted.
>
> If B is compromised a malicious user could spoof facts in a request and
> pretend to be A. It cannot however spoof the certificate - and it
> contains the information that is in $trusted.

Hey Henrik,

Thanks for the reply!

Suppose I don't use any facts for classification, but only the ENC assigns a role to the node via its fqdn.

Class foo which comes through the role and profiles via the ENC has sensitive files in its "modules/foo/files/" path. Can B obtain those files if B is not classified to have foo in its catalog?

Thank you for the help!

-m
Re: [Puppet Users] puppet catalog security?
On Sat, Mar 28, 2020 at 10:05 AM Henrik Lindberg wrote:

> On 2020-03-28 14:36, Matt Zagrabelny wrote:
> >
> >
> > On Sat, Mar 28, 2020 at 7:31 AM Henrik Lindberg
> > <henrik.lindb...@puppet.com> wrote:
> >
> >     On 2020-03-28 02:42, Matt Zagrabelny wrote:
> >     > Greetings,
> >     >
> >     > Suppose I have a class foo that host A gets via its catalog. Suppose
> >     > host B does not have foo in its catalog. Can host B do anything
> >     > malicious to obtain the sensitive data in foo?
> >     >
> >     > My puppet master is using an ENC to generate the classification of each
> >     > host and then a roles + profiles design pattern and hiera for specific data.
> >     >
> >     > Thanks for any hints or answers!
> >     >
> >
> >     It is important that your server side logic uses $trusted when
> >     classifying on node since other facts cannot be trusted.
> >
> >     If B is compromised a malicious user could spoof facts in a request and
> >     pretend to be A. It cannot however spoof the certificate - and it
> >     contains the information that is in $trusted.
> >
> >
> > Hey Henrik,
> >
> > Thanks for the reply!
> >
> > Suppose I don't use any facts for classification, but only the ENC
> > assigns a role to the node via its fqdn.
> >
>
> You want the fqdn that is in $trusted - the "regular" fqdn can be spoofed.

The ENC gets the fqdn on the command line. I'd presume this is trusted from the certificate since communication between the master and client is predicated on the SSL.

The ENC then "assigns" a class to A.

Is there anything B can do to get module foo added to its catalog if only the ENC adds module foo to node's catalogs?

Thanks,

-m
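Henrik's point about spoofable facts versus the certificate name, as an added example that is not code from the thread: a small classifier in the style of an ENC, with the fact-keyed lookup beside the certname-keyed one. Hostnames, role names and function names are constructed, and it assumes, as the thread does, that the name passed to the ENC comes from the node's certificate.

```shell
#!/bin/sh
# Added example: classification keyed on an agent-reported fact versus the
# certificate name. All hostnames and roles below are constructed.
LC_ALL=C; export LC_ALL

# Constructed node-to-role table: "<name> <role class>" per line.
role_table() {
    cat <<'EOF'
a.example.com role::foo
b.example.com role::base
EOF
}

# Print the role for one name. Fails (status 1, no output) for names that are
# not plain lowercase hostnames and for names missing from the table.
role_for() {
    case "$1" in
        ''|*[!a-z0-9.-]*) return 1 ;;
    esac
    role=$(role_table | awk -v n="$1" '$1 == n { print $2; exit }')
    [ -n "$role" ] || return 1
    printf '%s\n' "$role"
}

# Arguments for the functions below: $1 = certificate name, $2 = fqdn fact
# as reported by the agent itself.

# Weak: trusts the fqdn fact, so a node can name any other node.
classify_by_fact() { role_for "$2"; }

# Hardened: uses only the certificate name and ignores the reported fact.
classify_by_certname() { role_for "$1"; }

# Succeeds when the reported fqdn disagrees with the certificate name. A
# mismatch is a signal worth logging, not proof of compromise.
fact_mismatch() { [ "$1" != "$2" ]; }

# Emit an ENC-style YAML document, deny-by-default: unknown or malformed
# names get no classification and a non-zero status.
enc_yaml() {
    role=$(classify_by_certname "$1" "$2") || return 1
    printf 'classes:\n  - %s\n' "$role"
}
```
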
[Puppet Users] hiera resources in puppetdb
Greetings,

I use lookup to get data out of hiera:

    node 'some-host' {
      class { 'foo':
        bar => lookup('bar'),
      }
    }

I'd like to be able to query puppetdb to find out what hosts use various hiera keys.

So in the above example, given bar, return some-host.

I know I can write a parser to get the class "foo" that contains the hiera key "bar". Then using that class (foo in this case), I could query puppetdb with a class and get the host.

I know the hiera keys wouldn't show up in the facts report.

I know that the hiera keys wouldn't show up in the catalog reports.

Is it possible to create a custom function like so:

    my_lookup(key) {
      # somehow create a resource that I can query with puppetdb
      # and then use the real lookup:
      return lookup(key);
    }

Any ideas about querying puppetdb to get used hiera keys in given hosts?

-m
[Puppet Users] boolean like operation for puppetdb query
Greetings,

I have a puppetdb installation that I leverage by querying from my manifests.

I'd like to have a boolean-like operation for puppetdb that pretty much tests if the current node has a given class as part of the catalog.

Here is my current code:

    $query = [
      'resources[certname] {',
      'type = "Class"',
      'and',
      "title = \"fail2ban\"",
      'and',
      "certname = \"${trusted['certname']}\"",
      '}',
    ]

    $this_host_has_fail2ban = puppetdb_query(
      $query.join(' ')
    ).map |$entity| {
      $entity["certname"]
    }

    if "${trusted['certname']}" in $this_host_has_fail2ban {
      $shall_allow_from_internet = true
    } else {
      $shall_allow_from_internet = false
    }

Is there a simpler mechanism to find out if a node has a given class in its catalog?

Thanks for any help!

-m
Re: [Puppet Users] boolean like operation for puppetdb query
Hey Daniel,

Thanks for the reply and hints about "defined".

I ended up putting the puppetdb code into a function and calling the function:

    $ cat modules/util/functions/does_host_have_class.pp
    function util::does_host_have_class(
      String $class
    ) >> Boolean {

      $func_name = "util::does_host_have_class()"

      $query = [
        'resources[certname] {',
        'type = "Class"',
        'and',
        "title = \"${class}\"",
        'order by certname',
        '}',
      ]

      $hosts_with_class = puppetdb_query(
        join($query, ' ')
      ).map |$entity| {
        $entity["certname"]
      }

      "${trusted['certname']}" in $hosts_with_class
    }

Cheers!

-m

On Tuesday, February 15, 2022 at 3:22:32 AM UTC-6 daniel.kr...@gmail.com wrote:

> Hi,
>
> no answer yet? Or did I miss them? I'm not a puppet professional but I may
> provide some other approaches and an opinion.
>
> There is the function defined()
> https://puppet.com/docs/puppet/7/function.html#defined , but it's tricky
> because you need to be 100% sure that in your example class fail2ban is
> included before the function call.
> Here is an example:
>
> ❯ cat profile/manifests/test.pp
> class profile::test (
> ) {
>   notify {"this is test.": }
> }
>
> ❯ cat profile/manifests/test2.pp
> class profile::test2 {
>   if defined(Class["profile::test"]) {
>     notify { "This ist test2. test is also here.": }
>   } else {
>     notify { "This ist test2. i'm alone. i'm cold.": }
>   }
> }
>
> ❯ cat profile/manifests/wrapper1.pp
> class profile::wrapper1 {
>   include profile::test
>   include profile::test2
> }
>
> ❯ cat profile/manifests/wrapper2.pp
> class profile::wrapper2 {
>   include profile::test2
>   include profile::test
> }
>
> Performing puppet runs with ('profile::wrapper1',)
> Info: Using configured environment 'production'
> Info: Retrieving pluginfacts
> Info: Retrieving plugin
> Info: Retrieving locales
> Info: Loading facts
> Info: Caching catalog for bullseye.local
> Info: Applying configuration version '1644913701'
> Notice: this is test.
> Notice: /Stage[main]/Profile::Test/Notify[this is test.]/message: defined
> 'message' as 'this is test.'
> Notice: This ist test2. test is also here.
> Notice: /Stage[main]/Profile::Test2/Notify[This ist test2. test is also
> here.]/message: defined 'message' as 'This ist test2. test is also here.'
> Notice: Applied catalog in 16.16 seconds
>
> Performing puppet runs with ('profile::wrapper2',)
> Reading package lists...
> Info: Using configured environment 'production'
> Info: Retrieving pluginfacts
> Info: Retrieving plugin
> Info: Retrieving locales
> Info: Loading facts
> Info: Caching catalog for bullseye.local
> Info: Applying configuration version '1644913738'
> Notice: This ist test2. i'm alone. i'm cold.
> Notice: /Stage[main]/Profile::Test2/Notify[This ist test2. i'm alone. i'm
> cold.]/message: defined 'message' as 'This ist test2. i\'m alone. i\'m
> cold.'
> Notice: this is test.
> Notice: /Stage[main]/Profile::Test/Notify[this is test.]/message: defined
> 'message' as 'this is test.'
> Notice: Applied catalog in 15.80 seconds
>
> For me this wouldn't be reliable enough to use.
>
>
> Another approach would be to create a fact.
> https://puppet.com/docs/puppet/7/external_facts.html
>
> ❯ cat profile/facts.d/fail2ban.sh
> #!/bin/sh
> FAIL2BAN="/usr/bin/fail2ban-client"
> [ -x ${FAIL2BAN} ] && echo fail2ban_version=$(/usr/bin/fail2ban-client
> --version)
>
> ❯ cat profile/manifests/test3.pp
> class profile::test3 {
>   if $facts["fail2ban_version"] {
>     notify {"The fail2ban version is ${facts['fail2ban_version']}":}
>   }
> }
>
> But this solution has the same drawbacks as yours, it adds to execution
> time and it can only be true on the second puppetrun.
>
> Imho you should find the point where you include fail2ban and do your
> stuff there. Or you can wrap fail2ban.
>
>
> I'm sure there are puppetnerds out there with way better advice.
>
> Greetings,
> Daniel
>
>
>
> On Fri, Feb 11, 2022 at 22:29, 'Matt Zagrabelny' via Puppet
> Users wrote:
>
>> Greetings,
>>
>> I have a puppetdb installation that I leverage by querying from my
>> manifests.
>>
>> I&
[Puppet Users] hiera 5 postgresql backend
Greetings,

I'm running puppet 5.5.

Is anyone aware of a hiera 5 Pg backend?

I've tried getting the hiera 3 module [0] working, but am struggling. I'm hoping a native hiera 5 will be a smoother experience.

Thanks for the help!

-m

[0] https://github.com/rogeduardo/hiera-psql
Re: [Puppet Users] hiera 5 postgresql backend
Hi Martin,

Thanks for the email. I understand your concerns about using other backends. We have a reasonably small puppet deployment, so I think I will try a DB based backend and see how it performs.

In that light, I've downloaded a hiera-mysql2 module from github and installed it at:

    # tree /usr/share/puppet/modules/hiera-mysql2
    /usr/share/puppet/modules/hiera-mysql2
    ├── CHANGELOG.md
    ├── lib
    │   └── puppet
    │       └── functions
    │           └── mysql2_lookup_key.rb
    ├── LICENSE
    ├── metadata.json
    └── README.md

I've updated my /etc/puppet/hiera.yaml to include an entry for looking up data using hiera-mysql2:

    # head /etc/puppet/hiera.yaml
    version: 5

    defaults:
      datadir: /etc/puppet/code/hiera
      data_hash: yaml_data

    hierarchy:
      - name: "MySQL lookup"
        lookup_key: mysql2_lookup_key
        options:

And I've restarted my puppetmaster.

When I attempt a lookup, either locally on the puppet master (or on an client system via puppet agent -t), I get:

    # puppet lookup foo::bar --explain
    Searching for "lookup_options"
      Global Data Provider (hiera configuration version 5)
        Using configuration "/etc/puppet/hiera.yaml"
        Hierarchy entry "MySQL lookup"
          Unable to find 'lookup_key' function named 'mysql2_lookup_key' (file: /etc/puppet/hiera.yaml)

I did not use "puppet module" to install the module, I just copied the files to the directory.

My module path looks good. Notice the last entry in the following path output...

    # puppet config print modulepath
    /etc/puppet/code/environments/production/modules:/etc/puppet/code/environments/production/profiles:/etc/puppet/code/environments/production/roles:/etc/puppet/modules:/etc/puppet/profiles:/etc/puppet/roles:/usr/share/puppet/modules

Can anyone help me understand why the puppetmaster isn't seeing the hiera-mysql2 module (and function contained therein)?

Thank you for your consideration.

-m

On Thu, Apr 14, 2022 at 1:21 AM Martin Alfke wrote:

> Hi,
>
> We usually recommend to not use any other backend, except for file based
> backends, due to performance.
> Any other backend must be able to deliver the same lookup speed.
> We did a calculation at a customer and we saw hiera answering 8000 queries
> in less than 1 second using the yaml file backend.
>
> With hiera5 you can of course write new backends.
> Please note that the hiera3 backends are not compatible with hiera5!
> https://puppet.com/docs/puppet/7/hiera_custom_backends.html
>
> Hth,
> Martin
>
>
> On 14. Apr 2022, at 04:30, 'Matt Zagrabelny' via Puppet Users <
> puppet-users@googlegroups.com> wrote:
>
> Greetings,
>
> I'm running puppet 5.5.
>
> Is anyone aware of a hiera 5 Pg backend?
>
> I've tried getting the hiera 3 module [0] working, but am struggling. I'm
> hoping a native hiera 5 will be a smoother experience.
>
> Thanks for the help!
>
> -m
>
> [0] https://github.com/rogeduardo/hiera-psql
Re: [Puppet Users] hiera 5 postgresql backend
On Fri, Apr 15, 2022 at 12:34 PM Matt Zagrabelny wrote:

> Hi Martin,
>
> Thanks for the email. I understand your concerns about using other
> backends. We have a reasonably small puppet deployment, so I think I will
> try a DB based backend and see how it performs.
>
> In that light, I've downloaded a hiera-mysql2 module from github and
> installed it at:
>
> # tree /usr/share/puppet/modules/hiera-mysql2
> /usr/share/puppet/modules/hiera-mysql2
> ├── CHANGELOG.md
> ├── lib
> │   └── puppet
> │       └── functions
> │           └── mysql2_lookup_key.rb
> ├── LICENSE
> ├── metadata.json
> └── README.md
>
> I've updated my /etc/puppet/hiera.yaml to include an entry for looking up
> data using hiera-mysql2:
>
> # head /etc/puppet/hiera.yaml
> version: 5
>
> defaults:
>   datadir: /etc/puppet/code/hiera
>   data_hash: yaml_data
>
> hierarchy:
>   - name: "MySQL lookup"
>     lookup_key: mysql2_lookup_key
>     options:
>
> And I've restarted my puppetmaster.
>
> When I attempt a lookup, either locally on the puppet master (or on an
> client system via puppet agent -t), I get:
>
> # puppet lookup foo::bar --explain
> Searching for "lookup_options"
>   Global Data Provider (hiera configuration version 5)
>     Using configuration "/etc/puppet/hiera.yaml"
>     Hierarchy entry "MySQL lookup"
>       Unable to find 'lookup_key' function named 'mysql2_lookup_key' (file:
> /etc/puppet/hiera.yaml)
>
> I did not use "puppet module" to install the module, I just copied the
> files to the directory.
>
> My module path looks good. Notice the last entry in the following path
> output...
>
> # puppet config print modulepath
>
> /etc/puppet/code/environments/production/modules:/etc/puppet/code/environments/production/profiles:/etc/puppet/code/environments/production/roles:/etc/puppet/modules:/etc/puppet/profiles:/etc/puppet/roles:/usr/share/puppet/modules
>
> Can anyone help me understand why the puppetmaster isn't seeing the
> hiera-mysql2 module (and function contained therein) ?

A little bit more information...

puppet module list does not list the module:

    # puppet module list | tail
    /usr/share/puppet/modules
    ├── crayfishx-hiera_mysql (v3.0.1)
    ├── nanliu-staging (v1.0.4)
    ├── puppetlabs-apt (v6.1.1) invalid
    ├── puppetlabs-concat (v5.1.0) invalid
    ├── puppetlabs-mysql (v5.3.0)
    ├── puppetlabs-postgresql (v5.4.0)
    ├── puppetlabs-stdlib (v5.0.0) invalid
    ├── puppetlabs-translate (v1.1.0)
    └── puppetlabs-vcsrepo (v3.0.0)

However, it exists on disk:

    # ls -1 /usr/share/puppet/modules
    apt
    concat
    hiera_mysql
    hiera-mysql2
    mysql
    postgresql
    staging
    stdlib
    translate
    vcsrepo

Any ideas how to get puppet to see the modules that exist "on disk"?

Thanks for the help!

-m
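A check for the mismatch shown above between `ls` and `puppet module list`, as an added example that is not from the thread: Puppet module names must begin with a lowercase letter and contain only lowercase letters, digits and underscores, so a directory such as hiera-mysql2 is not loaded as a module. The function names are made up for the illustration.

```shell
#!/bin/sh
# Added example: list directories in a modulepath that Puppet will not load
# as modules because their names break the module naming rule.
LC_ALL=C; export LC_ALL   # keep [a-z] from matching uppercase in some locales

# Succeeds when $1 is a usable module directory name: a lowercase letter
# followed by lowercase letters, digits or underscores.
is_valid_module_dirname() {
    case "$1" in
        ''|[!a-z]*|*[!a-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# $1 is a colon-separated modulepath, as printed by
# `puppet config print modulepath`. Prints one line per directory whose name
# fails the rule; entries of the path that do not exist are skipped.
skipped_module_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r base; do
        [ -d "$base" ] || continue
        for path in "$base"/*/; do
            [ -d "$path" ] || continue
            name=$(basename "$path")
            is_valid_module_dirname "$name" || printf '%s\n' "$base/$name"
        done
    done
}

# Usage on a master:
#   skipped_module_dirs "$(puppet config print modulepath)"
```
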