[Puppet Users] Re: Workstations and Certs
here you go, it's fetched from a much bigger website, so I didn't really test it, but worth a shot :)

http://gist.github.com/140457

cheers,
Ohad

On Fri, Jul 3, 2009 at 9:12 PM, Gary Larizza wrote:
>
> I love where this thread is going, I too share in this problem.
>
> Kurt: Puppet is still being run on the client because the client is
> using a cached config (am I right on this guys?).
>
> I love the scripted ssh key, but ALSO love the PHP script that could
> be CURL-ed from the client. Will a PHP script be able to capture the
> hostname of a connecting client? From there, the php script could
> call puppetca to clean the cert and create a new one...would this be
> cleaner than bundling a cert with your base-image? Unfortunately, I'm
> not that versed in PHP to hash a script out from scratch. Does anyone
> have a rough outline that we could steal?
>
> -Gary

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~--~~~~--~~--~--~---

[Puppet Users] Re: Influencing a class from another one?
On Jul 3, 9:56 am, David Schmitt wrote:
> The rsyslog class needs to set up a way to include "foreign"
> configuration statements, like by using a directory include or a
> concatenated_file. Then any other class can put configuration there and
> rsyslog will pick it up easily.

What is a concatenated_file?

> Take care to get the notifications right, so the service reloads as
> necessary. Probably best done with a rsyslog::config_file define.
>
> Regards, DavidS

[Puppet Users] Re: Influencing a class from another one?
On Jul 3, 12:38 am, Allan Marcus wrote:
> Can you create a fact that determines your condition (if ossec server is
> to be or is installed I take it)? You can then refer to the fact in
> your rsyslog code.

Hm, no, whether or not ossec::server is installed is decided in my puppet config file, it doesn't strike me as very logical to go check on the machine.

[Puppet Users] Re: Debugging external node scripts
On Fri, Jul 3, 2009 at 12:05 PM, Martin Wheldon wrote:
>
> Hi Curt,
>
> Did you manage to resolve this issue? If not I think it may be the
> format of your yaml output.
>
>>---
>>classes:
>>- custom
>>- monitoring::base
>
> Should be this
>
> ---
> classes:
> - custom
> - monitoring::base
>
> Note the indentation. Having said that I have been unable to persuade
> the python yaml module to produce this
> as yet.
>
> Hope this helps

Hey Martin,

Thanks for the response. I did indeed get this working, it turns out it wasn't Puppet at all. The path for finding Python was incorrect, so while I was pointing it at /usr/local/bin/python it wasn't finding it and using /usr/bin/python which for some reason this script can't use (version issues). How and why this is, I don't know, but that's about as close to the reason as I was able to get.

I think YAML is white space agnostic due to the '-' and ':' syntax. I could be wrong though.

I hope to get some time and send in a patch to update the output on errors for executing external nodes, 4 days trying to figure out this issue was quite annoying and the error did little to help remedy the issue.

Thanks again for the response,

--
# Curt Micol

[Puppet Users] Re: Workstations and Certs
On Jul 3, 12:51 pm, Christopher Webber wrote:
> I am currently working on doing a very similar thing with kickstart.
> There are two ways you can deal with the hostname... have PHP do an
> nslookup for the ipaddress that is connecting (preferred for security
> reasons), or just pass it as an argument to the PHP script.
>
> Chris

nslookup wouldn't work if you're talking about clients that AREN'T listed in dns...such as lab machines or the like. I see what you mean, though - there are other methods for pulling that data.

[Puppet Users] Re: Workstations and Certs
I am currently working on doing a very similar thing with kickstart. There are two ways you can deal with the hostname... have PHP do an nslookup for the ipaddress that is connecting (preferred for security reasons), or just pass it as an argument to the PHP script.

Chris

On Jul 3, 2009, at 6:12 AM, Gary Larizza wrote:
>
> I love where this thread is going, I too share in this problem.
>
> Kurt: Puppet is still being run on the client because the client is
> using a cached config (am I right on this guys?).
>
> I love the scripted ssh key, but ALSO love the PHP script that could
> be CURL-ed from the client. Will a PHP script be able to capture the
> hostname of a connecting client? From there, the php script could
> call puppetca to clean the cert and create a new one...would this be
> cleaner than bundling a cert with your base-image? Unfortunately, I'm
> not that versed in PHP to hash a script out from scratch. Does anyone
> have a rough outline that we could steal?
>
> -Gary

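
The two hostname options discussed in this thread (reverse lookup of the connecting address, or a name passed as an argument), as an added example that is not part of any post or of Puppet itself: the server derives the name from a forward-confirmed reverse lookup, treats a passed name only as something to compare, and rejects clients that are not in DNS. The `lab.example.com` namespace, the stub resolver and all records are constructed assumptions; a real `Resolv::DNS` object answers the same two calls.

```ruby
require 'ipaddr'

# Assumed naming policy (hypothetical): only lab workstations may be reset.
ALLOWED_HOSTS = /\A[a-z0-9-]{1,63}\.lab\.example\.com\z/

# Offline stand-in for Resolv::DNS, answering from constructed PTR/A records.
class StubResolver
  def initialize(ptr, fwd)
    @ptr, @fwd = ptr, fwd
  end

  def getnames(ip)
    @ptr.fetch(ip, [])
  end

  def getaddresses(name)
    @fwd.fetch(name, [])
  end
end

# Reverse-resolve the connecting address, then keep only a name whose
# forward records point back at that same address.
def confirmed_hostname(remote_ip, resolver)
  ip = IPAddr.new(remote_ip)
  names = resolver.getnames(ip.to_s).map { |n| n.to_s.downcase.chomp('.') }
  names.find do |name|
    resolver.getaddresses(name).any? { |a| IPAddr.new(a.to_s) == ip }
  end
rescue IPAddr::Error
  nil
end

# Decide whether to reset a certificate. `claimed` is the optional hostname
# the client passed as an argument; it is only compared, never trusted.
def cert_reset_decision(remote_ip, resolver, claimed = nil)
  host = confirmed_hostname(remote_ip, resolver)
  return [:reject, 'no forward-confirmed reverse DNS name'] if host.nil?
  return [:reject, 'name outside the allowed namespace'] unless host.match?(ALLOWED_HOSTS)
  return [:reject, 'claimed hostname does not match DNS'] if claimed && claimed.downcase != host
  # argv array, so the hostname never passes through a shell
  [:ok, ['puppetca', '--clean', host]]
end

# Constructed records: ws01 is consistent; 192.0.2.66 has a PTR naming the
# master, but the master's A record points elsewhere.
RESOLVER = StubResolver.new(
  { '192.0.2.10' => ['ws01.lab.example.com'], '192.0.2.66' => ['puppet.lab.example.com'] },
  { 'ws01.lab.example.com' => ['192.0.2.10'], 'puppet.lab.example.com' => ['192.0.2.1'] }
)
```

A client with no PTR record, such as the lab machines mentioned in the reply above, is rejected by this check and needs another enrolment path.
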
[Puppet Users] Re: Forcing puppetd ask puppetmasterd for new changes
I also turn on reporting back to puppetmaster via --report and have found that very useful for debugging and figuring out state centrally.

On 7/3/09, Sam Rowe wrote:
>
> FYI puppetd --test or puppetd -t is shorter than all of that
> --one-time --no-daemonize etc stuff and is basically the same.

--
Sent from my mobile device

[Puppet Users] Re: Debugging external node scripts
Hi Curt,

Did you manage to resolve this issue? If not I think it may be the format of your yaml output.

>---
>classes:
>- custom
>- monitoring::base

Should be this

---
classes:
- custom
- monitoring::base

Note the indentation. Having said that I have been unable to persuade the python yaml module to produce this as yet.

Hope this helps

Martin

On Mon, Jun 29, 2009 at 10:39 AM, Curt Micol wrote:
>
> 2009/6/29 Nicolas Szalay :
>> On Monday 29 June 2009 at 01:09 -0700, Curt Micol wrote:
>> Did you try running it as the "puppet" user ? permissions on NODEFILE &
>> LOGFILE could be source of errors.
>
> Yes, sorry, I get the same results with running as the puppet user.
> Just tested once more to verify and received the same error.
>
> --
> # Curt Micol

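
A checker for external node script output, as an added example that is not part of any post or of Puppet: it parses both layouts discussed in this thread (list items flush with the `classes:` key, and indented under it) and reports structural problems in plain words. The sample documents are constructed, and the class-name pattern and the requirement that `classes` be present are assumptions of this example.

```ruby
require 'yaml'

# Assumed class-name pattern: lowercase segments joined by "::".
CLASS_NAME = /\A[a-z][a-z0-9_]*(::[a-z][a-z0-9_]*)*\z/

# Return a list of human-readable problems in external node script output;
# an empty list means the document has the expected shape.
def enc_problems(text)
  begin
    doc = YAML.safe_load(text)
  rescue Psych::Exception => e
    return ["not parseable as YAML: #{e.message}"]
  end
  return ['output is empty or not a mapping (did the script run?)'] unless doc.is_a?(Hash)

  problems = []
  classes = doc['classes']
  # Accept a list of names, or a mapping whose keys are the names.
  names = classes.is_a?(Hash) ? classes.keys : classes
  if !names.is_a?(Array)
    problems << "'classes' must be a list, got #{classes.class}"
  else
    bad = names.reject { |n| n.is_a?(String) && n.match?(CLASS_NAME) }
    problems << "invalid class names: #{bad.inspect}" unless bad.empty?
  end
  params = doc['parameters']
  problems << "'parameters' must be a mapping" unless params.nil? || params.is_a?(Hash)
  problems
end

# Constructed samples: the two layouts from the thread, a tab-indented
# variant, and a scalar where a list is expected.
FLUSH    = "---\nclasses:\n- custom\n- monitoring::base\n"
INDENTED = "---\nclasses:\n  - custom\n  - monitoring::base\n"
TABBED   = "---\nclasses:\n\t- custom\n"
SCALAR   = "---\nclasses: custom\n"
```

Both `FLUSH` and `INDENTED` load to the same structure; a tab used for indentation is a parse error, and empty output (for example when the script's interpreter fails to start) is reported as such.
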
[Puppet Users] Re: Forcing puppetd ask puppetmasterd for new changes
FYI puppetd --test or puppetd -t is shorter than all of that --one-time --no-daemonize etc stuff and is basically the same.

[Puppet Users] Re: Workstations and Certs
Gary Larizza wrote:
> I love where this thread is going, I too share in this problem.
>
> Kurt: Puppet is still being run on the client because the client is
> using a cached config (am I right on this guys?).
>
> I love the scripted ssh key, but ALSO love the PHP script that could
> be CURL-ed from the client. Will a PHP script be able to capture the
> hostname of a connecting client? From there, the php script could
> call puppetca to clean the cert and create a new one...would this be
> cleaner than bundling a cert with your base-image? Unfortunately, I'm
> not that versed in PHP to hash a script out from scratch. Does anyone
> have a rough outline that we could steal?
>

Also be great if this discussion and any resulting configuration or code could end up on the wiki somewhere too...

Regards

James Turnbull

--
Author of:
* Pro Linux Systems Administration (http://tinyurl.com/linuxadmin)
* Pulling Strings with Puppet (http://tinyurl.com/pupbook)
* Pro Nagios 2.0 (http://tinyurl.com/pronagios)
* Hardening Linux (http://tinyurl.com/hardeninglinux)

[Puppet Users] Re: Workstations and Certs
I love where this thread is going, I too share in this problem.

Kurt: Puppet is still being run on the client because the client is using a cached config (am I right on this guys?).

I love the scripted ssh key, but ALSO love the PHP script that could be CURL-ed from the client. Will a PHP script be able to capture the hostname of a connecting client? From there, the php script could call puppetca to clean the cert and create a new one...would this be cleaner than bundling a cert with your base-image? Unfortunately, I'm not that versed in PHP to hash a script out from scratch. Does anyone have a rough outline that we could steal?

-Gary

[Puppet Users] Re: Extending the storeconfigs database
I'm not sure I understand. Do you mean create a new database?

Ciao,
Sheldon.

[Puppet Users] Re: Influencing a class from another one?
niczar wrote:
> I can't figure how to do this cleanly, here's the story:
>
> I have an rsyslog class with a template generating /etc/rsyslog.conf
>
> I have some other classes (namely, ossec::server, does what it says)
> that need to influence what's going on inside rsyslog.conf, in
> particular I want local0.* not to be logged in /var/log/messages on
> the machines that include ossec::server
>
> How can I do that? I can't seem to be able to do it with variables.
>
> Any help appreciated.
>

The rsyslog class needs to set up a way to include "foreign" configuration statements, like by using a directory include or a concatenated_file. Then any other class can put configuration there and rsyslog will pick it up easily.

Take care to get the notifications right, so the service reloads as necessary. Probably best done with a rsyslog::config_file define.

Regards, DavidS

[Puppet Users] Re: Generating a file from a set of fragments on the puppetmaster
Paul Gear wrote:
> David Schmitt wrote:
>> ...
>>> I'd rather not distribute the entire directory from the server, since it
>>> contains custom content for each node. Is there a way i can do this
>>> with templates that include other files? (Or templates that are plain
>>> text rather than .erb?) I'd really like to find a technique that
>>> doesn't require separately copying the file fragments to the client also...
>>>
>>> ...
>> My approach in the CompleteConfiguration repos is to use the
>> concatenated_file_part define to put file parts onto the client and then
>> locally concatenate them all on the client with the concatenated_file
>> define which does some shell magic internally.
>>
>> You seem to try to use a server side function ( file() ) to create a
>> similar effect. You just have to be aware that functions always run on
>> the server.
>
> I knew i must be overcomplicating it somehow. :-) So if i give the
> file() function the full pathname of the directory on the server, i
> should be able to achieve what i'm wanting without needing to distribute
> a local copy of the files?

From http://reductivelabs.com/trac/puppet/wiki/FunctionReference#file :
> Return the contents of a file. Multiple files can be passed, and the first
> file that exists will be read in.

You probably should use template() (which concatenates its parameters; be aware of ERB expansion though) or create a local concat_file() function that works as intended or use generate() to call a server-side script.

> Are there any drawbacks of doing this? (Such as having to pull down the
> content every time to check its MD5 sum, perhaps?)

Exactly. content=> is compiled into the configuration which is sent to the client. Also, it is hard to add to these files from other clients, like with export/collect: you need a component on the puppetmaster and a third puppetd run.

Regards, DavidS