[Puppet Users] Re: File resource type: critical chmod security issue

2009-07-28 Thread Bryan Ross
2009/7/28 Judd : > > In any case it's VERY misleading to have an explicit command > completely ignored by an unstated policy. > Personally, I'm not too worried about the security aspects of this, but I would certainly expect Puppet to do what it's told. If I fluff my permissions, more fool me. H

[Puppet Users] Re: File resource type: critical chmod security issue

2009-07-28 Thread Peter Meier
Hi > On a slight tangent, how about having 755 on a directory but (for > example) having 700 or 600 recursively on all the managed directories > and files underneath it (and maybe different ownership as well). There > are valid reasons for wanting to do this but the last time I tried it, I > fou

[Puppet Users] Re: File resource type: critical chmod security issue

2009-07-28 Thread Bruce Richardson
On Tue, Jul 28, 2009 at 10:27:57AM +0200, Peter Meier wrote: > For sure you have to manage the content of each subdirectory separately > as they're managed on their own. I'm sorry, but that fails as far as I'm concerned. I shouldn't be having to specify common behaviour multiple times. -- Bru

[Puppet Users] Re: File resource type: critical chmod security issue

2009-07-28 Thread James Turnbull
Trevor Vaughan wrote: > Personally, I don't see the default behavior as a security flaw. > > Perhaps, I'm missing somethingJames? I tend to agree that the current behaviour meets 99% of the functional requirements but I do understand where the original poster is coming from. Like Luke, I don

[Puppet Users] Re: File resource type: critical chmod security issue

2009-07-28 Thread Peter Meier
Hi >> For sure you have to manage the content of each subdirectory separately >> as they're managed on their own. > > I'm sorry, but that fails as far as I'm concerned. I shouldn't be > having to specify common behaviour multiple times. Well, either you're managing a resource or you're not. Someth

[Puppet Users] Re: File resource type: critical chmod security issue

2009-07-28 Thread Bruce Richardson
On Tue, Jul 28, 2009 at 10:47:07AM +0200, Peter Meier wrote: > > Hi > > >> For sure you have to manage the content of each subdirectory separately > >> as they're managed on their own. > > > > I'm sorry, but that fails as far as I'm concerned. I shouldn't be > > having to specify common behavio

[Puppet Users] correlation between metrics and events

2009-07-28 Thread Dan Bode
Hi all, I am trying to create some basic reporting with Puppet, but I don't know the best way to create a correlation between metrics and the events that they reflect. Do I have to write code to parse the log entries and try to figure out which metrics they refer to? Is there a better way (please)?

[Puppet Users] Re: Custom fact errors

2009-07-28 Thread Paul Nasrat
> A worthwhile exercise anyways, I guess the embarrassment of a stupid > question is what I get for diving in without fully understanding > Facter!  I remain confused about the error message (non-sh > interpreters sounds to me like it's complaining about the first line, > so I tried all manner of

[Puppet Users] Re: File resource type: critical chmod security issue

2009-07-28 Thread Peter Meier
Hi > OK, maybe I didn't express it clearly enough. Puppet won't let me > specify one behaviour for /a and another for /a/**. As I said, there > are valid reasons for wanting that. I understood it that way and I also understand the reasons. My problem is to see a valid way to describe that wi

[Puppet Users] [Infrastructure Design] Questions about Puppet behind SSL reverse proxy

2009-07-28 Thread lebgui
Hi, I have some questions about Puppet client requests through a reverse SSL proxy with Apache and mod_ssl. It's about pure design and IP public address. I want to use the Puppet framework in a distributed environment through a public network with NAT and so on. We have already a reverse proxy which handl

[Puppet Users] Re: File resource type: critical chmod security issue

2009-07-28 Thread Trevor Vaughan
After all the Regex magic that has just ensued on the Dev list, this should be pretty easy :-) (magic, I say!). Having a regex match on the File type would actually be useful in a lot of cases. *But* it needs to be able to be sped up. Something like forking to the native tools to do the match a

[Puppet Users] puppet vs cron vs x86_64

2009-07-28 Thread Alexey Wasilyev
I have following trouble on x86_64 machines. On i686 machines all ok. [awasil...@hyperic ~]$ sudo puppetd -t err: Could not create puppet: Could not find a default provider for cron warning: Not using cache on failed catalog warning: Configuration could not be instantiated: Could not find a defau

[Puppet Users] storeconfigs storms?

2009-07-28 Thread Mark Plaksin
Howdy: Does anybody else see in storeconfigs spikes *after* you've been up and running with storeconfigs for a while? Twice in the past month our puppetmaster has been slammed by storeconfigs activity. We're running 25b2 but not (yet) puppetqd. Our mysql questions, com_select and com_insert st

[Puppet Users] Re: storeconfigs storms?

2009-07-28 Thread Brice Figureau
On Tue, 2009-07-28 at 08:50 -0400, Mark Plaksin wrote: > Howdy: > > Does anybody else see in storeconfigs spikes *after* you've been up and > running with storeconfigs for a while? Twice in the past month our > puppetmaster has been slammed by storeconfigs activity. We're running > 25b2 but not

[Puppet Users] sequential change implementation

2009-07-28 Thread mmalamud
How do I prevent the following: I have several web servers behind the load balancer, how do I make sure that when something changes and web servers need to be restarted that they are not all restarted at the same time but rather one by one. Is there a way to configure sequential push of some kind

[Puppet Users] Re: Custom fact errors

2009-07-28 Thread scott
On Jul 28, 5:22 am, Paul Nasrat wrote: > Can you file a Facter issue to improve the error reporting on this and > I'll try fix that up (and the documentation). > > Paul Done, it's filed as Facter issue 2455 (http://projects.reductivelabs.com/issues/2455). Thanks!

[Puppet Users] automatically choose between a private file and a template file

2009-07-28 Thread Sebastien Caps
Hi, I'm wondering if there is a way to automatically choose between a private file and a template file for the file content source: so if a private file exists we choose to get the content from it, and if the private file doesn't exist we get the content from a template. I already do this to c

[Puppet Users] Cry for Augeas grub.conf help!

2009-07-28 Thread Trevor Vaughan
All, I'm trying to figure out the best way to use augeas to manage grub.conf. The issue is that I want users to be able to do whatever they like but: 1) The active, running, kernel should be the default *fallback* 2) I need to be able to set the 'default' to the last entry added I've tried som

[Puppet Users] Re: puppet vs cron vs x86_64

2009-07-28 Thread Joe McDonagh
Alexey Wasilyev wrote: > I have following trouble on x86_64 machines. > On i686 machines all ok. > > [awasil...@hyperic ~]$ sudo puppetd -t > err: Could not create puppet: Could not find a default provider for cron > warning: Not using cache on failed catalog > warning: Configuration could not be

[Puppet Users] template flapping / classes lost?

2009-07-28 Thread Jason Antman
I was just about to move my first Puppet-built box into production, and I'm getting a terribly troublesome error. I'm using an external node classifier and am not using storedconfigs. We have a more-or-less generic httpd config for all of our boxen - except this one. I'm generating httpd.conf fro

[Puppet Users] Re: Notifying a service when exported resources go away

2009-07-28 Thread Eric Gerlach
On Fri, Jul 24, 2009 at 04:09:22PM -0700, Teyo Tyree wrote: > On Fri, Jul 24, 2009 at 12:47 PM, Eric Gerlach > wrote: > > > > > Hi, > > > > I'm working with nagios, and if I'm de-configuring a server manually, I'd > > like > > to have the monitoring system not complain about it vanishing. > > > >

[Puppet Users] Re: Notifying a service when exported resources go away

2009-07-28 Thread Bruce Richardson
On Tue, Jul 28, 2009 at 11:19:07AM -0400, Eric Gerlach wrote: > > But if I do this, it still doesn't notify the nagios service, so it will > continue to monitor them (and complain to me that they're gone) until I > restart > it. So though that's a nice way to purge the DB, it doesn't really hel

[Puppet Users] Rails is missing; cannot store configurations - Puppet 0.24.8 / Rails 2.3.2 / Gentoo

2009-07-28 Thread Evan Borgstrom
Hi, I'm having trouble getting storeconfigs to work, namely there's an error initializing rails. Here's the trace from puppetmasterd. err: Rails is missing; cannot store configurations /usr/lib64/ruby/site_ruby/1.8/puppet/parser/interpreter.rb:43:in `initialize' /usr/lib64/ruby/site_ruby/1.8/pup

[Puppet Users] Re: sequential change implementation

2009-07-28 Thread Larry Ludwig
On Jul 28, 2009, at 9:16 AM, mmalamud wrote: > > How do I prevent the following: > > I have several web servers behind the load balancer, how do I make > sure that when something changes and web servers need to be restarted > that they are not all restarted at the same time but rather one by > on

[Puppet Users] Re: Rails is missing; cannot store configurations - Puppet 0.24.8 / Rails 2.3.2 / Gentoo

2009-07-28 Thread Evan Borgstrom
Hrm. Downgrading to rails-2.2.2 fixed this. On Jul 28, 12:43 pm, Evan Borgstrom wrote: > Hi, > > I'm having trouble getting storeconfigs to work, namely there's an > error initializing rails. Here's the trace from puppetmasterd. > > err: Rails is missing; cannot store configurations > /usr/lib64

[Puppet Users] Re: sequential change implementation

2009-07-28 Thread Pete Emerson
I have application and configuration versions stored so that my puppet node classifier can spit them back out. I then change versions for the servers that I want to upgrade and then force a puppet run. The remaining servers won't change until I change their application / configuration versions. Lat

[Puppet Users] Re: puppet recipes

2009-07-28 Thread Asif Iqbal
Hi Teyo, I seem to be lost in your explanations. BTW, I do not need to use fqdn. I realized, I started looking for a recipe that will be very complicated for a beginner like me. So I think I should start small and simple and it may grow to a solution that will be really useful to others. Lets s

[Puppet Users] Exported resources, sshkey (was Re: Notifying a service when exported resources go away)

2009-07-28 Thread Ian Ward Comfort
On 28 Jul 2009, at 9:39 AM, Bruce Richardson wrote: > I have to say, I'm unconvinced by the whole storedconfigs mechanism, > particularly for this kind of thing. If you're using puppet to > configure most or all aspects of your hosts on the network, then > your central puppet config already

[Puppet Users] Moving puppetmaster

2009-07-28 Thread Len Rugen
What is involved in switching to a new puppetmaster? I'm guessing the client will need a new cert, but it looks like I have to rm the old one in /var/lib/puppet/... on the client. Our "puppet" FQDN is an alias pointing to the current server, as it probably will be on the future server.

[Puppet Users] Re: Moving puppetmaster

2009-07-28 Thread RijilV
2009/7/28 Len Rugen : > What is involved in switching to a new puppetmaster?  I'm guessing the > client will need a new cert, but it looks like I have to rm the old one in > /var/lib/puppet/... on the client.  Our "puppet" FQDN is an alias pointing > to the current server, as it probably will be o

[Puppet Users] Re: template flapping / classes lost?

2009-07-28 Thread Peter
I tried using the same check in a template of mine and I got it to work. I found that the closures for the if and end statements are %> and not -%>, so your statement would look like this. <% if scope.compiler.classlist.include?("edu_rutgers_css_resnet") then %> # PUPPET: set due to presence of c

[Puppet Users] Re: storeconfigs storms?

2009-07-28 Thread Mark Plaksin
Brice Figureau writes: >> Our mysql questions, com_select and com_insert stats spike first. >> com_select and com_update are normally at around 5 and spike to 40; >> questions is normally around 150 and spikes to 600. Threads connected >> goes from around 15 to 30. After that it looks like eve

[Puppet Users] Yum issues

2009-07-28 Thread josbal
Hi, We have a majority of RHEL5 servers in our environment. I have noticed in the process of trying to deploy puppet, that I am getting errors when yum is trying to install packages. Most of the time it works flawlessly, however sometimes the following will be reported: change from absent to presen

[Puppet Users] Re: puppet recipes

2009-07-28 Thread David Schmitt
Asif Iqbal wrote: > So I think I should start small and simple and it may grow to a > solution that will be really useful to others. > > Lets start w/ real basic. > > I have 300 hosts. I like a push a user to about 100 hosts (dns > resolver type hosts) out of 300 total. > > How do I set that up

[Puppet Users] Re: Notifying a service when exported resources go away

2009-07-28 Thread David Schmitt
Eric Gerlach wrote: > On Fri, Jul 24, 2009 at 04:09:22PM -0700, Teyo Tyree wrote: >> On Fri, Jul 24, 2009 at 12:47 PM, Eric Gerlach >> wrote: >> >>> Hi, >>> >>> I'm working with nagios, and if I'm de-configuring a server manually, I'd >>> like >>> to have the monitoring system not complain about i

[Puppet Users] Re: Exported resources, sshkey (was Re: Notifying a service when exported resources go away)

2009-07-28 Thread David Schmitt
Ian Ward Comfort wrote: > On 28 Jul 2009, at 9:39 AM, Bruce Richardson wrote: >> I have to say, I'm unconvinced by the whole storedconfigs mechanism, >> particularly for this kind of thing. If you're using puppet to >> configure most or all aspects of your hosts on the network, then >> your

[Puppet Users] Re: Exported resources, sshkey (was Re: Notifying a service when exported resources go away)

2009-07-28 Thread Ian Ward Comfort
On 28 Jul 2009, at 11:00 PM, David Schmitt wrote: > Ian Ward Comfort wrote: >> For me, the killer app for storeconfigs is exported SSH host keys. >> That's information that my puppetmaster *doesn't* have in its >> manifests, and needs to collect from clients. That said, sshkey >> resources