Re: [Puppet Users] Re: Puppet Certificate Issues

2018-11-21 Thread John Gelnaw
I had difficulties with the stock puppetdb entrypoint script. I wound up changing it thusly: #!/bin/bash if [ ! -d "/etc/puppetlabs/puppetdb/ssl" ]; then set -e /opt/puppetlabs/bin/puppet config set certname ${HOSTNAME} if [ ! -f "/etc/puppetlabs/puppet/ssl/certs/ca.pem" ]; th

Re: [Puppet Users] Puppet 4 open source EOL

2018-08-15 Thread John Gelnaw
On Wednesday, August 15, 2018 at 12:54:02 PM UTC-4, Branan Purvine-Riley wrote: > > That's correct. At this point we have no more scheduled PC1 releases, and > would only do one for a security issue. In October we will stop releasing > it entirely. > > The new PE LTS release is based on puppet-a

[Puppet Users] Re: exec resource stuck during the install of an Oracle Client on Windows

2018-06-12 Thread John Gelnaw
If I recall, you should be able to do something similar with the "start" command under cmd.exe: start /wait Which is effectively what you're doing under powershell. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this gr

[Puppet Users] Re: How to Orchestrate State, such as use IPs of new systems for config other systems

2018-05-01 Thread John Gelnaw
On Friday, April 27, 2018 at 9:31:24 PM UTC-4, Joaquin Menchaca wrote: > > Hello Puppeteers, > > Relearning Puppet (converting Ansible, Chef knowledge), not sure best > approach for this. How can I configure systems based on state of another > system? Essentially, I would use a tool like Terra

[Puppet Users] Re: puppet "package" resource type for multi-file installer

2018-04-23 Thread John Gelnaw
refreshonly and notify are your friends. file { 'zipfile': notify => Exec['unzip'], source => 'file:///downloads/someZipFile.zip' } exec { 'unzip zipfile -d /some/file': alias => 'unzip', refreshonly => true, notify => Exec['installer'] } exec { '/some/file/setup.exe /a': alias => 'ins

Re: [Puppet Users] Re: Unable to run source using 'exec' resource

2018-04-23 Thread John Gelnaw
jcbollinger has it right. You're setting environment variables, and then exiting the environment. Here's what is effectively happening: # bash # source ./opensh.rc echo $OS_TOKEN fbed3beb36960f2b3e1b # exit # echo $OS_TOKEN # When you tell Puppet to do an exec, it spawns a new instance of th

[Puppet Users] Re: Can I use Puppet to run system updates?

2018-03-22 Thread John Gelnaw
On Monday, April 13, 2009 at 2:23:06 PM UTC-4, thierry.th...@gmail.com wrote: > > Hello, > > Reading the doc I could not find if Puppet could help running system > updates. > Help, yes. But I'd advise against trying to do them directly in puppet. > I would like to get started with several V

[Puppet Users] Re: Puppet Agent Hang when PuppetServer Crashes...

2018-01-01 Thread John Gelnaw
On Monday, January 1, 2018 at 5:52:10 PM UTC-5, Matt Wise wrote: > > *Puppet Agent: 5.3.2* > *Puppet Server: 5.1.4 - Packaged in Docker, running on Amazon ECS* > I'm running a docker-compose based puppet setup, and had the same problem. Short version was to increase the java heap size for the JR

[Puppet Users] Re: Conditional actions based on result of other actions?

2017-12-27 Thread John Gelnaw
Most of your examples we handle through something like ossec and a monitoring package, but you could theoretically do something like: require pkg::wget if (! defined(Package['wget'])) { exec { 'command': } } ... which *should* require the resource 'pkg::wget' to be compiled first, and t

[Puppet Users] Re: Can puppet master and agent communicate with certificates

2017-12-15 Thread John Gelnaw
On Friday, December 15, 2017 at 8:22:34 AM UTC-5, Harish Kothuri wrote: > > Hi, > > Is there a way, we can disable puppet CA completely and have PM and PA > communicates seamlessly? > What's the point in using certificates if you're going to disable the only mechanism for verifying them?

[Puppet Users] Re: Disable Puppet Agent SSL Authentication

2017-10-27 Thread John Gelnaw
We solved a similar problem by copying the host's cert and keys off to a separate server, and then as part of the build process, we (re)downloaded the client's cert/keys. All of ours was done with scp and host keys, since it was linux based, but no reason you can't do something similar with wi

[Puppet Users] Re: Creating a user without a shadow entry

2017-07-28 Thread John Gelnaw
On Monday, July 24, 2017 at 5:33:09 PM UTC-4, William Korb wrote: > > Hello fellow Puppeteers and thanks in advance for any assistance you may > be able to offer. > > We have a rather non-standard requirement on our Puppet-managed Linux > systems, and I'm trying to figure out if/how Puppet can sa

[Puppet Users] Re: Patch Automation By Puppet

2017-06-04 Thread John Gelnaw
Having been foolish enough to say "Sure, we can do that" in response to the relatively complicated patch scenario my supervisor wanted us to implement, I can offer advice, if not code-- Our code is heavily dependent on our environment, and probably wouldn't make much sense. It's also fairly h

Re: [Puppet Users] stop service after install

2017-05-17 Thread John Gelnaw
On Wednesday, May 17, 2017 at 5:06:33 PM UTC-4, Poil wrote: > > I'm agree with "Debian is just by design stupid, thinks starting all > services" > All other integration are really fine, but auto-starting after install is > terrible for all configuration management : > Change a path (mysql binary

[Puppet Users] Re: Have Puppet remove a user when the associated class which created it is removed

2017-05-17 Thread John Gelnaw
On Friday, May 5, 2017 at 2:22:27 PM UTC-4, James Perry wrote: > > As I keep tweaking our Puppet/Foreman setup, I was wondering if it was > somehow possible to auto-magically remove uses when the associated class is > removed from the server. All of our Puppet code is under source code > manage

Re: [Puppet Users] stop service after install

2017-05-17 Thread John Gelnaw
On Monday, May 15, 2017 at 8:16:38 AM UTC-4, R.I. Pienaar wrote: > > > debian will not overwrite configs on package install - suggest you put a > config down that does what you want first. > Or, I dunno, maybe he could tie the service to the config file, and restart apache when the config

[Puppet Users] Re: Need to put iterative value in a file

2017-05-05 Thread John Gelnaw
The two ways I can think of, you can use ssh_authorized_key as part of a defined type, or you can create a file resource with a template, and use iteration within the template. Iteration within the template requires "future parser" or Puppet 4.x.

Re: [Puppet Users] How to dynamically change sudoers

2017-04-21 Thread John Gelnaw
I use a template for a single /etc/sudoers: # /etc/sudoers # # This file MUST be edited with the 'visudo' command as root. # # Of course, if you do, Puppet will completely rewrite it 30 minutes later. # Defaults env_reset <% unless @cmd_aliases.empty? -%> # Cmnd alias specificati

[Puppet Users] Re: removing "minimum_uid=1000" value from all my pam config files

2017-03-31 Thread John Gelnaw
On Thursday, March 30, 2017 at 1:58:46 PM UTC-4, Peter K wrote: > > I'm trying to remove a specific configuration value, "minimum_uid=1000", > from multiple lines in several files (currently 5 files) in /etc/pam.d/. > A typical line looks like this: > auth [success=1 default=ignore] pam_l

Re: [Puppet Users] Subscribe for external module resources

2017-03-14 Thread John Gelnaw
On Tuesday, March 14, 2017 at 11:40:26 AM UTC-4, Warron French wrote: > > Gleb, you are running a cronjob to control the interval at which your > Puppet Clients are checking in? > > Did you know that you could instead use the option of *runinterval *within > the /etc/puppet/puppet.conf file inste

[Puppet Users] Re: Configure Puppet master as a universal caching proxy server

2017-03-13 Thread John Gelnaw
On Monday, March 13, 2017 at 10:23:28 AM UTC-4, Patryk Bęza wrote: > > I'm Puppet's new user and I have a simple question regarding Puppet > design: *is it possible to configure Puppet master as a universal, OS > agnostic >

Re: [Puppet Users] Manage delivery and execution of RPMs not in YUM

2017-03-06 Thread John Gelnaw
On Monday, March 6, 2017 at 9:16:45 AM UTC-5, jcbollinger wrote: > > > On Sunday, March 5, 2017 at 6:56:11 PM UTC-6, John Gelnaw wrote: > >> I created a second "mount point" in puppet via fileserver.conf, pointing >> to a location outside the puppet gi

Re: [Puppet Users] Manage delivery and execution of RPMs not in YUM

2017-03-05 Thread John Gelnaw
On Friday, March 3, 2017 at 8:31:00 AM UTC-5, Michael Watters wrote: > > This would be the ideal but you *can* use the rpm provider when needed. > For example: > > package { 'jdk': > ensure => installed, > provider => 'rpm', > source => '/pub/oracle/jdk-8-linux-x64.rpm', > } > > >

[Puppet Users] Re: Could not find class defined for specific environment when running puppet agent

2017-02-22 Thread John Gelnaw
I would ignore everything past "Using cached catalog from environment 'ops'" in your debugging, as it's cached and therefore probably represents a previous state of the puppet master catalog. Especially for testing, you can replace your puppet run with: service puppet stop && puppet agent --te

[Puppet Users] Re: Specifying dependency ordering inside of lambda functions

2017-02-20 Thread John Gelnaw
I can think of three options: 1) Break the user / group definitions into their own classes, and "require" the group class in your user definition class. 2) In some cases, Puppet does an implicit require-- it's possible your code would work as-is, and the catalog would recognize the need to crea

[Puppet Users] Re: Why do my SERVER certs get revoked?

2017-02-14 Thread John Gelnaw
On Tuesday, February 14, 2017 at 11:56:27 AM UTC-5, Dayton Jones wrote: > > I'm intermittently getting > Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server > certificate B: certificate verify failed: [certificate revoked for > /CN=my.puppet.master] > > when clients try to conn

[Puppet Users] Re: MCollective server cannot connect to ActiveMQ broker

2017-01-31 Thread John Gelnaw
On Tuesday, January 31, 2017 at 3:36:20 AM UTC-5, Isabell Cowan wrote: > > I've been trying all do to set up MCollective on my puppet cluster. No > matter what I do, I can't seem to get the MCollective server to connect. > The MCollective server(s) are running mostly on Ubuntu Xenial. The > A

Re: [Puppet Users] How to read in file into array of hashes to use build start script template

2017-01-22 Thread John Gelnaw
On Friday, January 20, 2017 at 12:28:02 PM UTC-5, James Perry wrote: > > Thanks. > > The reason I have a CSV is that is what is provided from the users out of > their own private database where they keep this data. I have to take the > detail as it is given. Now I can manually process the data to

[Puppet Users] Re: How to read in file into array of hashes to use build start script template

2017-01-13 Thread John Gelnaw
Set up hiera correctly, add a yaml file to your hierarchy, and translate the CSV file to YAML: I'm a perl geek, so: #!/bin/perl while(<>) { chomp; tr/A-Z/a-z/; my @a = split(/\,/); push(@{$hash{$a[0]}}, $a[1]); } for my $srv (sort(keys(%hash))) { print "startup::$srv\n"; for m

Re: [Puppet Users] Over-engineering rant

2017-01-10 Thread John Gelnaw
On Tuesday, January 10, 2017 at 3:19:45 PM UTC-5, Eric Sorenson wrote: > > > I'd like to point out that this ntp module is also deliberately a test > case for *all* of the puppet 4 language features, and as such is kind of a > "reference module", so it certainly could be simpler but is intended t

Re: [Puppet Users] Over-engineering rant

2017-01-10 Thread John Gelnaw
On Tuesday, January 10, 2017 at 12:37:14 AM UTC-5, R.I. Pienaar wrote: > > So how many times have you verified you didn't talk to an evil CA when > you > > originally connected an agent? > > Every time? I logged into my known CA using a non Puppet means, I know > it's > the known CA because

Re: [Puppet Users] Over-engineering rant

2017-01-09 Thread John Gelnaw
On Monday, January 9, 2017 at 2:39:38 PM UTC-5, R.I. Pienaar wrote: > > > Because if i can convince your client to connect to $evil_ca, then what? > How's it to know its a new legit ca and not a new bad ca? > The same way it "knew" when you originally provisioned it-- It didn't. In fact, the a

Re: [Puppet Users] Over-engineering rant

2017-01-09 Thread John Gelnaw
On Monday, January 9, 2017 at 10:10:08 AM UTC-5, R.I. Pienaar wrote: > > > so we're on the same page are you just saying in general the NTP module > has too much > going on and its too huge for a "simple" piece of software? > Mostly, it was the unexpected syntax. Somehow, I completely missed a

Re: [Puppet Users] Over-engineering rant

2017-01-09 Thread John Gelnaw
On Sunday, January 8, 2017 at 2:31:33 PM UTC-5, Rob Nelson wrote: > > There are a lot of very valid issues and concerns you bring up here. I do > want to start by saying, however, that puppet 4 is more than 6 months old - > about 20 months to be precise - and most of the significant language > c

Re: [Puppet Users] lspci via facter

2017-01-08 Thread John Gelnaw
I've been using the following code for a really long time now-- I think I 'borrowed' it from someone else. # videocards.rb controllers = [] output = %x{lspci} output.each_line {|s| controllers.push($1) if s =~ /VGA compa

Re: [Puppet Users] Array Iteration for Community Edition of Puppet(3.8)

2017-01-01 Thread John Gelnaw
On Sunday, January 1, 2017 at 2:41:16 AM UTC-5, R.I. Pienaar wrote: > > > Puppet 3 is now dead, upgrade to Puppet 4 - it's free - and you too can > enjoy > features designed to solve your problem > While understandable, that's something of an irritating answer-- It underlies a problem I've fel

[Puppet Users] Re: Puppet3 | hiera | role -> Problem role/mysql.yaml not used -> example from rnelson0.com with mysql

2016-12-21 Thread John Gelnaw
Hate replying to myself. As you noticed, "profile" and "datacenter" are also not defined.

[Puppet Users] Re: Puppet3 | hiera | role -> Problem role/mysql.yaml not used -> example from rnelson0.com with mysql

2016-12-21 Thread John Gelnaw
On Wednesday, December 21, 2016 at 11:37:38 AM UTC-5, Denny Fuchs wrote: > > hi, > > I try to understand the example from > https://rnelson0.com/2015/02/02/deploying-mysql-with-puppet-without-disabling-selinux/comment-page-1/ > > with MySQL. > > At this moment, most parts are working, except rol

[Puppet Users] Re: r10k, git and .gitignore

2016-12-19 Thread John Gelnaw
We used Gavin's approach and created a "downloads" mount within Puppet, so Puppet still handles the file transfer, but it's from a different set of directories outside of the git repo(s). Also, for anyone creating .deb / .rpm package files, if you aren't using 'fpm', you should be.

Re: [Puppet Users] puppet does not like ~ in file name

2016-11-10 Thread John Gelnaw
On Thursday, November 10, 2016 at 12:55:21 PM UTC-5, Fabrice Bacchella wrote: > > > > Le 10 nov. 2016 à 18:22, Rob Nelson > a > écrit : > > > > That said, who decided a tilde to start a file name was good for > anything but a temp file??? I understand you have no choice as a user, but > someo

[Puppet Users] Re: Very frequent "Error: Could not request certificate: The certificate retrieved from the master does not match the agent's private key." on Windows

2016-10-17 Thread John Gelnaw
On Wednesday, October 12, 2016 at 4:55:09 AM UTC-4, Fredrik Nilsson wrote: > > Thanks for your reply Andrew, sadly I guess that wont be an option as the > pain of resigning the actual certificate for erroneous hosts are less the > re-signing every certificate for all existing hosts. After all we

[Puppet Users] Re: Warning: Unable to fetch my node definition, but the agent run will continue:

2016-10-17 Thread John Gelnaw
Some things to keep in mind for successful ENC scripts... First, on the agent, run: # facter fqdn This is the node name that will be reported to the puppet master (equivalent to 'hostname -f'). If it doesn't match expectations, fix that first-- preferably via DNS, but /etc/hosts is a valid so

Re: [Puppet Users] Moment of duhh.... Trying to wrap my head around some condition statements.

2016-09-27 Thread John Gelnaw
if ($productname =~ /Z640/) { file { ... } exec { ... } } 'productname' is a fact which usually represents your system model.

[Puppet Users] Re: How to handle predictable network interface names

2016-08-27 Thread John Gelnaw
I went the other direction-- we deploy all of our servers (and most of our workstations) via cobbler, so all new RHEL 7 and CentOS 7 boxes have "net.ifnames=0" in the default profile, both pre and post install. I don't agree with upstream's complaint... udev-persistent rules, while a bit of a

Re: [Puppet Users] Re: Good documentation somewhere for doing a cert-roll?

2016-06-21 Thread John Gelnaw
You can also use: # openssl x509 -in ca_cert.pem -text -noout to see all the fields of the SSL cert.

[Puppet Users] Re: Good documentation somewhere for doing a cert-roll?

2016-06-20 Thread John Gelnaw
Many thanks for the re-signing of the CA idea. I can report that it worked for me, although I had to run the webrick version of puppetmaster to regenerate the puppet master's certificate. Since I have a full mcollective deployment as well, I was able to use the following steps to automate the

[Puppet Users] Re: puppet agent heartbeat

2016-02-17 Thread John Gelnaw
On Wednesday, February 17, 2016 at 10:37:46 AM UTC-5, moons...@gmail.com wrote: > > is there any way we can check the heartbeat of puppet agents? > > and if agent is down can puppet try to bring up the server. > It may be a bit primitive, but I've been using crontab to "manually" run the puppet

[Puppet Users] Re: mcollective setup question

2013-10-14 Thread John Gelnaw
Was there ever a solution to this issue? I appear to be having a similar (if not the same) issue: By adding some debug code to client.rb, it appears that the replies I'm getting have no requestid at all. < Log.warn("Ignoring a message that did not pass security validations") --- >