[Puppet Users] Re: File resource type: critical chmod security issue

2009-07-28 Thread Bryan Ross

2009/7/28 Judd juddmal...@gmail.com:

 In any case it's VERY misleading to have an explicit command
 completely ignored by an unstated policy.


Personally, I'm not too worried about the security aspects of this,
but I would certainly expect Puppet to do what it's told.  If I fluff
my permissions, more fool me.  However if I do, for whatever reason,
want a particular mode then Puppet should respect that.

With the current operation, there's very little flexibility.  If we
add a 'dirmode' or something similar, as suggested by Luke in Bug
#2451, then Puppet can handle both cases.  This seems like a
no-brainer to me?

Cheers,
Bryan

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en
-~--~~~~--~~--~--~---



[Puppet Users] Re: File resource type: critical chmod security issue

2009-07-28 Thread Peter Meier

Hi

 On a slight tangent, how about having 755 on a directory but (for
 example) having 700 or 600 recursively on all the managed directories
 and files underneath it (and maybe different ownership as well).  There
 are valid reasons for wanting to do this but the last time I tried it, I
 found it impossible with puppet.   Maybe I should look again to see what
 I missed.

it is possible, but not that directly in one statement:

file{
   '/a':
     ensure => directory,
     mode => 0755;
   [ '/a/b', '/a/c' ]:
     ensure => directory,
     recurse => true,
     owner => user1, mode => 0600;
   [ '/a/d', '/a/e' ]:
     ensure => directory,
     recurse => true,
     owner => user2, mode => 0600;
}

and this is exactly the case where this automatic x-bit is really  
nice. Do you envision any easier/more direct way to do it?

For sure you have to manage the content of each subdirectory  
separately as they're managed on their own. But every other behavior  
would simply lead to a too big headache.

cheers pete




[Puppet Users] Re: File resource type: critical chmod security issue

2009-07-28 Thread Bruce Richardson

On Tue, Jul 28, 2009 at 10:27:57AM +0200, Peter Meier wrote:
 For sure you have to manage the content of each subdirectory separately 
 as they're managed on their own.

I'm sorry, but that fails as far as I'm concerned.  I shouldn't be
having to specify common behaviour multiple times.

-- 
Bruce

Those who cast the votes decide nothing.  Those who count the
votes decide everything. -- Joseph Stalin




[Puppet Users] Re: File resource type: critical chmod security issue

2009-07-28 Thread James Turnbull
Trevor Vaughan wrote:
 Personally, I don't see the default behavior as a security flaw.
 
 Perhaps, I'm missing something... James?

I tend to agree that the current behaviour meets 99% of the functional
requirements but I do understand where the original poster is coming from.

Like Luke, I don't see why an additional attribute can't be added but I
don't see it as a critical security issue.  Not to say it should not be
developed but IMHO I see the risk of a compromise through this as low
and hence feel there is a low ROI in fixing it.  If someone wants to
pony up some code and tests...

Regards

James Turnbull

-- 
Author of:
* Pro Linux Systems Administration
(http://tinyurl.com/linuxadmin)
* Pulling Strings with Puppet
(http://tinyurl.com/pupbook)
* Pro Nagios 2.0
(http://tinyurl.com/pronagios)
* Hardening Linux
(http://tinyurl.com/hardeninglinux)





[Puppet Users] Re: File resource type: critical chmod security issue

2009-07-28 Thread Peter Meier

Hi

 For sure you have to manage the content of each subdirectory separately
 as they're managed on their own.

 I'm sorry, but that fails as far as I'm concerned.  I shouldn't be
 having to specify common behaviour multiple times.

well either you're managing a resource or you're not. Something between
will just lead to too many problems and conflicts. or which easier way
do you envision without having these problems?

cheers pete





[Puppet Users] Re: File resource type: critical chmod security issue

2009-07-28 Thread Bruce Richardson

On Tue, Jul 28, 2009 at 10:47:07AM +0200, Peter Meier wrote:
 
 Hi
 
  For sure you have to manage the content of each subdirectory separately
  as they're managed on their own.
 
  I'm sorry, but that fails as far as I'm concerned.  I shouldn't be
  having to specify common behaviour multiple times.
 
 well either you're managing a resource or you're not. Something between
 will just lead to too many problems and conflicts. or which easier way  
 do you envision without having these problems?
 
OK, maybe I didn't express it clearly enough.  Puppet won't let me
specify one behaviour for /a and another for /a/**.  As I said, there
are valid reasons for wanting that.
-- 
Bruce

A problem shared brings the consolation that someone else is now
feeling as miserable as you.




[Puppet Users] Re: Custom fact errors

2009-07-28 Thread Paul Nasrat

 A worthwhile exercise anyways, I guess the embarrassment of a stupid
 question is what I get for diving in without fully understanding
 Facter!  I remain confused about the error message (non-sh
 interpreters sounds to me like it's complaining about the first line,
 so I tried all manner of /usr/bin/ruby, /usr/bin/env ruby, simply
 commenting with the name as in the example, etc).

Can you file a Facter issue to improve the error reporting on this and
I'll try fix that up (and the documentation).

Paul




[Puppet Users] Re: File resource type: critical chmod security issue

2009-07-28 Thread Trevor Vaughan

After all the Regex magic that has just ensued on the Dev list, this
should be pretty easy :-) (magic, I say!).

Having a regex match on the File type would actually be useful in a
lot of cases.  *But* it needs to be able to be sped up.

Something like forking to the native tools to do the match and perms
might work, but at least something that gets rid of the 'recursive
directory management nightmare' where you checksum and/or record
millions of files just because you wanted to only change the
permissions.

In any case, you could then do things like:

foo/ - 755
foo/*.conf - 640
foo/*.user - 644

But, I could see ordering becoming quite important in this case.

Extremely low priority even if people do decide that it is a good idea.

Trevor

On Tue, Jul 28, 2009 at 05:47, Peter Meier peter.me...@immerda.ch wrote:

 Hi

 OK, maybe I didn't express it clearly enough.  Puppet won't let me
 specify one behaviour for /a and another for /a/**.  As I said, there
 are valid reasons for wanting that.

 I understood it that way and I also understand the reasons. My problem
 is to see a valid way to describe that within the (existing or future)
 puppet language, as well to fit it into the resource model, which
 puppet is committed to.

 so something like?

 file{
   '/a':
     mode => 0755;
   /a/**:
     mode => 0600;
 }

 but I'm not sure whether this wildcard resource is a good idea.

 cheers pete
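
An added example, not part of any message in this thread and not Puppet's own code: a Ruby audit of a tree against an ordered pattern-to-mode policy like the one sketched above, applying the automatic directory x-bit the thread is about. The rule list, the function names and the `dirmode:` argument (standing in for the attribute proposed in Bug #2451) are assumptions; the walk uses `lstat` only, so nothing is checksummed.

```ruby
require 'find'

# Ordered [basename glob, mode] rules for everything below the managed root.
# Later rules override earlier ones, so a catch-all placed last would win.
POLICY = [
  ['*',      0600],
  ['*.conf', 0640],
  ['*.user', 0644]
].freeze

# The automatic x-bit: on a directory every read bit that is set also
# gets its execute (search) bit, so a requested 0600 is applied as 0700.
def dir_mode(mode)
  mode |= 0100 if (mode & 0400) != 0
  mode |= 0010 if (mode & 0040) != 0
  mode |= 0001 if (mode & 0004) != 0
  mode
end

# Mode expected for one entry. +dirmode+ stands in for the explicit
# directory mode proposed in the thread (hypothetical parameter): when it
# is given, directories get exactly that mode and no x-bit is derived.
def expected_mode(name, directory, policy: POLICY, dirmode: nil)
  mode = nil
  policy.each do |glob, rule_mode|
    mode = rule_mode if File.fnmatch(glob, name, File::FNM_DOTMATCH)
  end
  return mode if mode.nil? || !directory
  dirmode || dir_mode(mode)
end

# Walk +root+ (no trailing slash) using lstat only and return
# [relative path, actual mode, expected mode] for each deviation.
def audit(root, root_mode: 0755, policy: POLICY, dirmode: nil)
  deviations = []
  Find.find(root) do |path|
    st = File.lstat(path)
    next if st.symlink?                 # a symlink's own mode is not meaningful
    actual = st.mode & 07777
    if path == root
      rel = '.'
      want = root_mode
    else
      rel = path[(root.length + 1)..-1]
      want = expected_mode(File.basename(path), st.directory?,
                           policy: policy, dirmode: dirmode)
    end
    next if want.nil? || want == actual
    deviations << [rel, actual, want]
  end
  deviations.sort
end
```

Reversing `POLICY` makes the catch-all `*` rule win for every file, which is the ordering concern raised above.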

 





[Puppet Users] puppet vs cron vs x86_64

2009-07-28 Thread Alexey Wasilyev

I have following trouble on x86_64 machines.
On i686 machines all ok.

[awasil...@hyperic ~]$ sudo puppetd -t
err: Could not create puppet: Could not find a default provider for cron
warning: Not using cache on failed catalog
warning: Configuration could not be instantiated: Could not find a default
provider for cron

[awasil...@hyperic ~]$ ls /usr/lib/ruby/site_ruby/1.8/puppet/provider/cron
crontab.rb

[awasil...@hyperic ~]$ rpm -q puppet
puppet-0.24.8-1.fc10.noarch

[awasil...@hyperic ~]$ uname -a
Linux hyperic. 2.6.27.21-170.2.56.fc10.x86_64 #1 SMP Mon Mar 23
23:08:10 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux

Alexey Wasilyev
Systems Administrator
Grid Dynamics








[Puppet Users] storeconfigs storms?

2009-07-28 Thread Mark Plaksin

Howdy:

Does anybody else see in storeconfigs spikes *after* you've been up and
running with storeconfigs for a while?  Twice in the past month our
puppetmaster has been slammed by storeconfigs activity.  We're running
25b2 but not (yet) puppetqd.

Our mysql questions, com_select and com_insert stats spike first.
com_select and com_update are normally at around 5 and spike to 40;
questions is normally around 150 and spikes to 600.  Threads connected
goes from around 15 to 30.  After that it looks like everything queues
up behind MySQL and we start getting timeouts on our ~450 clients.

The storm lasts less than an hour.

Of course nothing special is going on with our clients (that we know
of!) when the storm hits.  I *think* but am not positive that our first
storm happened while we were running mod_proxy + Mongrel.  Our second
happened with Passenger.





[Puppet Users] Re: storeconfigs storms?

2009-07-28 Thread Brice Figureau

On Tue, 2009-07-28 at 08:50 -0400, Mark Plaksin wrote:
 Howdy:
 
 Does anybody else see in storeconfigs spikes *after* you've been up and
 running with storeconfigs for a while?  Twice in the past month our
 puppetmaster has been slammed by storeconfigs activity.  We're running
 25b2 but not (yet) puppetqd.
 
 Our mysql questions, com_select and com_insert stats spike first.
 com_select and com_update are normally at around 5 and spike to 40;
 questions is normally around 150 and spikes to 600.  Threads connected
 goes from around 15 to 30.  After that it looks like everything queues
 up behind MySQL and we start getting timeouts on our ~450 clients.
 
 The storm lasts less than an hour.
 
 Of course nothing special is going on with our clients (that we know
 of!) when the storm hits.  I *think* but am not positive that our first
 storm happened while we were running mod_proxy + Mongrel.  Our second
 happened with Passenger.

The only reason for a storeconfig storm is that Puppet deletes all the
resources/tags belonging to a particular host and then recreates them,
so you see a lot of Inserts.

Now the real question is why Puppet thinks there are such discrepancies
between the database and the live compilation.

Are you sure you're not removing hosts from the database?

What would be interesting is to activate the mysql general query log
(warning it will increase your load), and dig in the large log around
the timeframe you see the storm (you can also activate the rails log for
the same effect). 
Or I remember reading that maatkit now contains a query log extractor
from tcpdump capture files; it is worth capturing the traffic between
Puppet and mysql and analyze the queries performed. Maybe you'll find
the issue.

Good luck :-)
-- 
Brice Figureau
My Blog: http://www.masterzen.fr/





[Puppet Users] sequential change implementation

2009-07-28 Thread mmalamud

How do I prevent the following:

I have several web servers behind the load balancer, how do I make
sure that when something changes and web servers need to be restarted
that they are not all restarted at the same time but rather one by
one. Is there a way to configure sequential push of some kind?




[Puppet Users] Re: Custom fact errors

2009-07-28 Thread scott



On Jul 28, 5:22 am, Paul Nasrat pnas...@googlemail.com wrote:

 Can you file a Facter issue to improve the error reporting on this and
 I'll try fix that up (and the documentation).

 Paul


Done, it's filed as Facter issue 2455
(http://projects.reductivelabs.com/issues/2455).

Thanks!





[Puppet Users] Cry for Augeas grub.conf help!

2009-07-28 Thread Trevor Vaughan

All,

I'm trying to figure out the best way to use augeas to manage grub.conf.

The issue is that I want users to be able to do whatever they like but:

1) The active, running, kernel should be the default *fallback*
2) I need to be able to set the 'default' to the last entry added

I've tried something like:

set default /files/etc/grub.conf/count(title)

But, I'm obviously missing something.

Any hints?

Thanks,

Trevor




[Puppet Users] Re: puppet vs cron vs x86_64

2009-07-28 Thread Joe McDonagh

Alexey Wasilyev wrote:
 I have following trouble on x86_64 machines.
 On i686 machines all ok.

 [awasil...@hyperic ~]$ sudo puppetd -t
 err: Could not create puppet: Could not find a default provider for cron
 warning: Not using cache on failed catalog
 warning: Configuration could not be instantiated: Could not find a default
 provider for cron

 [awasil...@hyperic ~]$ ls /usr/lib/ruby/site_ruby/1.8/puppet/provider/cron
 crontab.rb

 [awasil...@hyperic ~]$ rpm -q puppet
 puppet-0.24.8-1.fc10.noarch

 [awasil...@hyperic ~]$ uname -a
 Linux hyperic. 2.6.27.21-170.2.56.fc10.x86_64 #1 SMP Mon Mar 23
 23:08:10 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux

 Alexey Wasilyev
 Systems Administrator
 Grid Dynamics





 
   
Is the crontab binary available on your system?

-- 
Joe McDonagh
Operations Engineer
www.colonfail.com





[Puppet Users] template flapping / classes lost?

2009-07-28 Thread Jason Antman

I was just about to move my first Puppet-built box into production, and
I'm getting a terribly troublesome error. I'm using an external node
classifier and am not using storedconfigs.

We have a more-or-less generic httpd config for all of our boxen -
except this one. I'm generating httpd.conf from a template, so in the
template I have something like:

<% if scope.compiler.classlist.include?("edu_rutgers_css_resnet") then -%>
# PUPPET: set due to presence of class 'edu_rutgers_css_resnet'
ServerAdmin f...@bar.com
# END PUPPET
<% else %>
# PUPPET: default value
ServerAdmin r...@localhost
# END PUPPET
<% end -%>

I also generate /etc/sysconfig/iptables from a template, which includes:

<% if scope.compiler.classlist.include?("httpd") then -%>
# accept port 80, added by Puppet template with httpd class
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
<% else -%>
# puppet doesn't see the class 'httpd' defined, NOT opening port 80...
<% end -%>


It seems that Puppet is missing the httpd class. When Puppet runs
every half hour, it flaps between the if and else values for these two
statements, causing it to replace the config files and restart the
associated services. I originally thought that this was happening at
exactly each cycle, but it seems somewhat intermittent:

Jul 28 02:19:56 resnet2 puppetd[24046]:
(//iptables/File[/etc/sysconfig/iptables]/content) content changed
'{md5}654732a5f76e975e1fef1907ce6c5b46' to
'{md5}fffc88c34693d4ee67a22c4190d1e608'
Jul 28 02:19:57 resnet2 puppetd[24046]: (//iptables/Service[iptables])
Triggering 'refresh' from 2 dependencies
Jul 28 04:20:20 resnet2 puppetd[24046]:
(//iptables/File[/etc/sysconfig/iptables]/content) content changed
'{md5}fffc88c34693d4ee67a22c4190d1e608' to
'{md5}654732a5f76e975e1fef1907ce6c5b46'
Jul 28 04:20:20 resnet2 puppetd[24046]: (//iptables/Service[iptables])
Triggering 'refresh' from 2 dependencies
Jul 28 06:50:44 resnet2 puppetd[24046]:
(//iptables/File[/etc/sysconfig/iptables]/content) content changed
'{md5}654732a5f76e975e1fef1907ce6c5b46' to
'{md5}fffc88c34693d4ee67a22c4190d1e608'
Jul 28 06:50:44 resnet2 puppetd[24046]: (//iptables/Service[iptables])
Triggering 'refresh' from 2 dependencies
Jul 28 07:50:56 resnet2 puppetd[24046]:
(//iptables/File[/etc/sysconfig/iptables]/content) content changed
'{md5}fffc88c34693d4ee67a22c4190d1e608' to
'{md5}654732a5f76e975e1fef1907ce6c5b46'
Jul 28 07:50:56 resnet2 puppetd[24046]: (//iptables/Service[iptables])
Triggering 'refresh' from 2 dependencies

Jul 28 04:20:18 resnet2 puppetd[24046]:
(//httpd/File[/etc/httpd/conf/httpd.conf]/content) content changed
'{md5}e20ffe121bc385871c43c1c8d4c83376' to
'{md5}d42e551de04a44d8e9121de93795ad33'
Jul 28 04:20:19 resnet2 puppetd[24046]: (//httpd/Service[httpd])
Triggering 'refresh' from 1 dependencies
Jul 28 06:20:39 resnet2 puppetd[24046]:
(//httpd/File[/etc/httpd/conf/httpd.conf]/content) content changed
'{md5}d42e551de04a44d8e9121de93795ad33' to
'{md5}e20ffe121bc385871c43c1c8d4c83376'
Jul 28 06:20:40 resnet2 puppetd[24046]: (//httpd/Service[httpd])
Triggering 'refresh' from 1 dependencies
Jul 28 06:50:45 resnet2 puppetd[24046]:
(//httpd/File[/etc/httpd/conf/httpd.conf]/content) content changed
'{md5}e20ffe121bc385871c43c1c8d4c83376' to
'{md5}d42e551de04a44d8e9121de93795ad33'
Jul 28 06:50:46 resnet2 puppetd[24046]: (//httpd/Service[httpd])
Triggering 'refresh' from 1 dependencies
Jul 28 07:50:58 resnet2 puppetd[24046]:
(//httpd/File[/etc/httpd/conf/httpd.conf]/content) content changed
'{md5}d42e551de04a44d8e9121de93795ad33' to
'{md5}e20ffe121bc385871c43c1c8d4c83376'
Jul 28 07:50:58 resnet2 puppetd[24046]: (//httpd/Service[httpd])
Triggering 'refresh' from 1 dependencies

Any ideas on why this is happening? I've been running Puppet on a
non-critical network for a month now, with storedconfigs, and no major
problems. It seemed time to move it over to the production boxes (as the
new ones are built) but this seems like a serious issue...

Thanks for any advice,
Jason
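
An added example, not part of the original post: a Ruby check that reads puppetd syslog lines of the kind quoted above and reports File resources whose content keeps returning to a checksum it already had, which separates this flapping from a one-off change. The function name and threshold are assumptions, and the sample lines are constructed in the post's format (joined onto single lines, with a made-up `/etc/motd` entry).

```ruby
# One "content changed" event as puppetd logs it for a File resource.
CHANGE = /\((?<resource>.+)\/content\) content changed '\{md5\}(?<from>[0-9a-f]{32})' to '\{md5\}(?<to>[0-9a-f]{32})'/

# Constructed sample input: the log format from the post, one event per line.
# The /etc/motd line and its checksums are made up to show a one-off change.
SAMPLE_LOG = <<~LOG
  Jul 28 02:19:56 resnet2 puppetd[24046]: (//iptables/File[/etc/sysconfig/iptables]/content) content changed '{md5}654732a5f76e975e1fef1907ce6c5b46' to '{md5}fffc88c34693d4ee67a22c4190d1e608'
  Jul 28 02:19:57 resnet2 puppetd[24046]: (//iptables/Service[iptables]) Triggering 'refresh' from 2 dependencies
  Jul 28 03:00:01 resnet2 puppetd[24046]: (//motd/File[/etc/motd]/content) content changed '{md5}0123456789abcdef0123456789abcdef' to '{md5}fedcba9876543210fedcba9876543210'
  Jul 28 04:20:18 resnet2 puppetd[24046]: (//httpd/File[/etc/httpd/conf/httpd.conf]/content) content changed '{md5}e20ffe121bc385871c43c1c8d4c83376' to '{md5}d42e551de04a44d8e9121de93795ad33'
  Jul 28 04:20:20 resnet2 puppetd[24046]: (//iptables/File[/etc/sysconfig/iptables]/content) content changed '{md5}fffc88c34693d4ee67a22c4190d1e608' to '{md5}654732a5f76e975e1fef1907ce6c5b46'
  Jul 28 06:20:39 resnet2 puppetd[24046]: (//httpd/File[/etc/httpd/conf/httpd.conf]/content) content changed '{md5}d42e551de04a44d8e9121de93795ad33' to '{md5}e20ffe121bc385871c43c1c8d4c83376'
  Jul 28 06:50:44 resnet2 puppetd[24046]: (//iptables/File[/etc/sysconfig/iptables]/content) content changed '{md5}654732a5f76e975e1fef1907ce6c5b46' to '{md5}fffc88c34693d4ee67a22c4190d1e608'
LOG

# Return { resource => { reverts:, checksums: } } for every resource whose
# content went back to a checksum seen earlier at least +min_reverts+ times.
def flapping_resources(lines, min_reverts: 1)
  history = Hash.new { |h, k| h[k] = [] }  # resource => checksums in order seen
  reverts = Hash.new(0)                    # resource => returns to an old checksum
  lines.each do |line|
    m = CHANGE.match(line)
    next unless m                          # refresh and other messages are skipped
    seen = history[m[:resource]]
    seen << m[:from] if seen.empty?        # remember the starting state too
    reverts[m[:resource]] += 1 if seen.include?(m[:to])
    seen << m[:to]
  end
  reverts.select { |_, n| n >= min_reverts }
         .map { |res, n| [res, { reverts: n, checksums: history[res].uniq }] }
         .to_h
end

if __FILE__ == $PROGRAM_NAME
  flapping_resources(SAMPLE_LOG.lines).each do |res, info|
    puts "#{res}: #{info[:reverts]} revert(s) between #{info[:checksums].join(' and ')}"
  end
end
```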






[Puppet Users] Re: Notifying a service when exported resources go away

2009-07-28 Thread Eric Gerlach

On Fri, Jul 24, 2009 at 04:09:22PM -0700, Teyo Tyree wrote:
 On Fri, Jul 24, 2009 at 12:47 PM, Eric Gerlach
 egerl...@feds.uwaterloo.ca wrote:
 
 
  Hi,
 
  I'm working with nagios, and if I'm de-configuring a server manually, I'd
  like to have the monitoring system not complain about it vanishing.
 
  So, for each host I have:
 
 @@nagios_host { $fqdn:
     use => generic-host,
     address => $fqdn,
     contact_groups => itstaff,
     notify => Service[nagios3]
 }
 
  and then on the Nagios server I have:
 
 resources { nagios_host:
     purge => true,
     notify => Service[nagios3]
 }
 
 Nagios_host <<| |>>
 
  If I don't have a notify on the resources entry, the nagios host entries go
  away, but nagios doesn't refresh.  If I have it on the resources entry, it
  makes the service depend on it, and so won't purge:
 
  Service[nagios3] still depends on me -- not purging
 
  Is it possible to accomplish what I'm trying to do?  If so, how?

 Eric, the most straightforward mechanism is to purge all the resources
 associated with the host that is being decommissioned.  There is a script to
 do this attached to the wiki page for storedconfigs.
 http://reductivelabs.com/trac/puppet/attachment/wiki/UsingStoredConfiguration/kill_node_in_storedconfigs_db.rb

But if I do this, it still doesn't notify the nagios service, so it will
continue to monitor them (and complain to me that they're gone) until I restart
it.  So though that's a nice way to purge the DB, it doesn't really help my
problem.

Cheers,

-- 
Eric Gerlach, Network Administrator
Federation of Students
University of Waterloo
p: (519) 888-4567 x36329
e: egerl...@feds.uwaterloo.ca




[Puppet Users] Re: Notifying a service when exported resources go away

2009-07-28 Thread Bruce Richardson

On Tue, Jul 28, 2009 at 11:19:07AM -0400, Eric Gerlach wrote:
 
 But if I do this, it still doesn't notify the nagios service, so it will
 continue to monitor them (and complain to me that they're gone) until I 
 restart
 it.  So though that's a nice way to purge the DB, it doesn't really help my
 problem.

I have to say, I'm unconvinced by the whole storedconfigs mechanism,
particularly for this kind of thing.  If you're using puppet to
configure most or all aspects of your hosts on the network, then your
central puppet config already stores enough information about all your
hosts to generate a nagios config centrally and push it to the
monitoring host.  Pushing all this information back from the clients to
the puppetmaster and then out again seems to me to be desperately
fragile and just asking for trouble.

-- 
Bruce

I object to intellect without discipline.  I object to power without
constructive purpose. -- Spock




[Puppet Users] Rails is missing; cannot store configurations - Puppet 0.24.8 / Rails 2.3.2 / Gentoo

2009-07-28 Thread Evan Borgstrom

Hi,

I'm having trouble getting storeconfigs to work, namely there's an
error initializing rails. Here's the trace from puppetmasterd.

err: Rails is missing; cannot store configurations
/usr/lib64/ruby/site_ruby/1.8/puppet/parser/interpreter.rb:43:in
`initialize'
/usr/lib64/ruby/site_ruby/1.8/puppet/indirector/catalog/compiler.rb:
80:in `new'
/usr/lib64/ruby/site_ruby/1.8/puppet/indirector/catalog/compiler.rb:
80:in `create_interpreter'
/usr/lib64/ruby/site_ruby/1.8/puppet/indirector/catalog/compiler.rb:
37:in `interpreter'
/usr/lib64/ruby/site_ruby/1.8/puppet/indirector/catalog/compiler.rb:
68:in `compile'
/usr/lib64/ruby/site_ruby/1.8/puppet/util.rb:180:in `benchmark'
/usr/lib64/ruby/gems/1.8/gems/activesupport-2.3.2/lib/active_support/
core_ext/benchmark.rb:10:in `realtime'
/usr/lib64/ruby/site_ruby/1.8/puppet/util.rb:179:in `benchmark'
/usr/lib64/ruby/site_ruby/1.8/puppet/indirector/catalog/compiler.rb:
66:in `compile'
/usr/lib64/ruby/site_ruby/1.8/puppet/indirector/catalog/compiler.rb:
21:in `find'
/usr/lib64/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:210:in
`find'
/usr/lib64/ruby/site_ruby/1.8/puppet/indirector.rb:49:in `find'
/usr/lib64/ruby/site_ruby/1.8/puppet/network/handler/master.rb:65:in
`getconfig'
/usr/lib64/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in
`to_proc'
/usr/lib64/ruby/site_ruby/1.8/puppet/network/xmlrpc/processor.rb:52:in
`call'
/usr/lib64/ruby/site_ruby/1.8/puppet/network/xmlrpc/processor.rb:52:in
`protect_service'
/usr/lib64/ruby/site_ruby/1.8/puppet/network/xmlrpc/processor.rb:85:in
`setup_processor'
/usr/lib64/ruby/1.8/xmlrpc/server.rb:338:in `call'
/usr/lib64/ruby/1.8/xmlrpc/server.rb:338:in `dispatch'
/usr/lib64/ruby/1.8/xmlrpc/server.rb:325:in `each'
/usr/lib64/ruby/1.8/xmlrpc/server.rb:325:in `dispatch'
/usr/lib64/ruby/1.8/xmlrpc/server.rb:368:in `call_method'
/usr/lib64/ruby/1.8/xmlrpc/server.rb:380:in `handle'
/usr/lib64/ruby/site_ruby/1.8/puppet/network/xmlrpc/processor.rb:44:in
`process'
/usr/lib64/ruby/site_ruby/1.8/puppet/network/xmlrpc/webrick_servlet.rb:
68:in `service'
/usr/lib64/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/lib64/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/lib64/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/lib64/ruby/1.8/webrick/server.rb:162:in `start'
/usr/lib64/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/lib64/ruby/1.8/webrick/server.rb:95:in `start'
/usr/lib64/ruby/1.8/webrick/server.rb:92:in `each'
/usr/lib64/ruby/1.8/webrick/server.rb:92:in `start'
/usr/lib64/ruby/1.8/webrick/server.rb:23:in `start'
/usr/lib64/ruby/1.8/webrick/server.rb:82:in `start'
/usr/lib64/ruby/site_ruby/1.8/puppet.rb:293:in `start'
/usr/lib64/ruby/site_ruby/1.8/puppet.rb:144:in `newthread'
/usr/lib64/ruby/site_ruby/1.8/puppet.rb:143:in `initialize'
/usr/lib64/ruby/site_ruby/1.8/puppet.rb:143:in `new'
/usr/lib64/ruby/site_ruby/1.8/puppet.rb:143:in `newthread'
/usr/lib64/ruby/site_ruby/1.8/puppet.rb:291:in `start'
/usr/lib64/ruby/site_ruby/1.8/puppet.rb:290:in `each'
/usr/lib64/ruby/site_ruby/1.8/puppet.rb:290:in `start'
/usr/bin/puppetmasterd:285
err: Rails is missing; cannot store configurations

I've tried using both Gentoo's packages for Rails along with
installing via Gem. Both yield the same results.

Has anyone seen this before or have any pointers on getting past it?

Thanks,
-E



[Puppet Users] Re: sequential change implementation

2009-07-28 Thread Larry Ludwig

On Jul 28, 2009, at 9:16 AM, mmalamud wrote:


 How do I prevent the following:

 I have several web servers behind the load balancer, how do I make
 sure that when something changes and web servers need to be restarted
 that they are not all restarted at the same time but rather one by
 one. Is there a way to configure sequential push of some kind?


schedule metatype option or splay might be random enough.


-L

--
Larry Ludwig
Reductive Labs





[Puppet Users] Re: Rails is missing; cannot store configurations - Puppet 0.24.8 / Rails 2.3.2 / Gentoo

2009-07-28 Thread Evan Borgstrom

Hrm. Downgrading to rails-2.2.2 fixed this.

On Jul 28, 12:43 pm, Evan Borgstrom e...@fatbox.ca wrote:
 Hi,

 I'm having trouble getting storeconfigs to work, namely there's an
 error initializing rails. Here's the trace from puppetmasterd.

 err: Rails is missing; cannot store configurations
 /usr/lib64/ruby/site_ruby/1.8/puppet/parser/interpreter.rb:43:in
 `initialize'
 /usr/lib64/ruby/site_ruby/1.8/puppet/indirector/catalog/compiler.rb:
 80:in `new'
 /usr/lib64/ruby/site_ruby/1.8/puppet/indirector/catalog/compiler.rb:
 80:in `create_interpreter'
 /usr/lib64/ruby/site_ruby/1.8/puppet/indirector/catalog/compiler.rb:
 37:in `interpreter'
 /usr/lib64/ruby/site_ruby/1.8/puppet/indirector/catalog/compiler.rb:
 68:in `compile'
 /usr/lib64/ruby/site_ruby/1.8/puppet/util.rb:180:in `benchmark'
 /usr/lib64/ruby/gems/1.8/gems/activesupport-2.3.2/lib/active_support/
 core_ext/benchmark.rb:10:in `realtime'
 /usr/lib64/ruby/site_ruby/1.8/puppet/util.rb:179:in `benchmark'
 /usr/lib64/ruby/site_ruby/1.8/puppet/indirector/catalog/compiler.rb:
 66:in `compile'
 /usr/lib64/ruby/site_ruby/1.8/puppet/indirector/catalog/compiler.rb:
 21:in `find'
 /usr/lib64/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:210:in
 `find'
 /usr/lib64/ruby/site_ruby/1.8/puppet/indirector.rb:49:in `find'
 /usr/lib64/ruby/site_ruby/1.8/puppet/network/handler/master.rb:65:in
 `getconfig'
 /usr/lib64/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in
 `to_proc'
 /usr/lib64/ruby/site_ruby/1.8/puppet/network/xmlrpc/processor.rb:52:in
 `call'
 /usr/lib64/ruby/site_ruby/1.8/puppet/network/xmlrpc/processor.rb:52:in
 `protect_service'
 /usr/lib64/ruby/site_ruby/1.8/puppet/network/xmlrpc/processor.rb:85:in
 `setup_processor'
 /usr/lib64/ruby/1.8/xmlrpc/server.rb:338:in `call'
 /usr/lib64/ruby/1.8/xmlrpc/server.rb:338:in `dispatch'
 /usr/lib64/ruby/1.8/xmlrpc/server.rb:325:in `each'
 /usr/lib64/ruby/1.8/xmlrpc/server.rb:325:in `dispatch'
 /usr/lib64/ruby/1.8/xmlrpc/server.rb:368:in `call_method'
 /usr/lib64/ruby/1.8/xmlrpc/server.rb:380:in `handle'
 /usr/lib64/ruby/site_ruby/1.8/puppet/network/xmlrpc/processor.rb:44:in
 `process'
 /usr/lib64/ruby/site_ruby/1.8/puppet/network/xmlrpc/webrick_servlet.rb:
 68:in `service'
 /usr/lib64/ruby/1.8/webrick/httpserver.rb:104:in `service'
 /usr/lib64/ruby/1.8/webrick/httpserver.rb:65:in `run'
 /usr/lib64/ruby/1.8/webrick/server.rb:173:in `start_thread'
 /usr/lib64/ruby/1.8/webrick/server.rb:162:in `start'
 /usr/lib64/ruby/1.8/webrick/server.rb:162:in `start_thread'
 /usr/lib64/ruby/1.8/webrick/server.rb:95:in `start'
 /usr/lib64/ruby/1.8/webrick/server.rb:92:in `each'
 /usr/lib64/ruby/1.8/webrick/server.rb:92:in `start'
 /usr/lib64/ruby/1.8/webrick/server.rb:23:in `start'
 /usr/lib64/ruby/1.8/webrick/server.rb:82:in `start'
 /usr/lib64/ruby/site_ruby/1.8/puppet.rb:293:in `start'
 /usr/lib64/ruby/site_ruby/1.8/puppet.rb:144:in `newthread'
 /usr/lib64/ruby/site_ruby/1.8/puppet.rb:143:in `initialize'
 /usr/lib64/ruby/site_ruby/1.8/puppet.rb:143:in `new'
 /usr/lib64/ruby/site_ruby/1.8/puppet.rb:143:in `newthread'
 /usr/lib64/ruby/site_ruby/1.8/puppet.rb:291:in `start'
 /usr/lib64/ruby/site_ruby/1.8/puppet.rb:290:in `each'
 /usr/lib64/ruby/site_ruby/1.8/puppet.rb:290:in `start'
 /usr/bin/puppetmasterd:285
 err: Rails is missing; cannot store configurations

 I've tried using both Gentoo's packages for Rails along with
 installing via Gem. Both yield the same results.

 Has anyone seen this before or have any pointers on getting past it?

 Thanks,
 -E



[Puppet Users] Re: sequential change implementation

2009-07-28 Thread Pete Emerson

I have application and configuration versions stored so that my puppet node
classifier can spit them back out. I then change versions for the servers
that I want to upgrade and then force a puppet run. The remaining servers
won't change until I change their application / configuration versions.
Lather, rinse, repeat. I also monitor the results so that if an upgrade
doesn't go through it won't continue to upgrade the rest of the servers.

Pete

On Tue, Jul 28, 2009 at 10:10 AM, Larry Ludwig la...@reductivelabs.com wrote:


 On Jul 28, 2009, at 9:16 AM, mmalamud wrote:

 
  How do I prevent the following:
 
  I have several web servers behind the load balancer, how do I make
  sure that when something changes and web servers need to be restarted
  that they are not all restarted at the same time but rather one by
  one. Is there a way to configure sequential push of some kind?
 

 schedule metatype option or splay might be random enough.


 -L

 --
 Larry Ludwig
 Reductive Labs


 





[Puppet Users] Re: puppet recipes

2009-07-28 Thread Asif Iqbal

Hi Teyo,

I seem to be lost in your explanations. BTW, I do not need to use fqdn.

I realized, I started looking for a recipe that will be very
complicated for a beginner like me.
So I think I should start small and simple and it may grow to a
solution that will be really useful to others.

Let's start w/ real basic.

I have 300 hosts. I'd like to push a user to about 100 hosts (dns
resolver type hosts) out of 300 total.

How do I set that up within puppet ?

(sorry for the top post. I like to ignore the complex recipe, at least
for me, and may go back to it eventually but gradually)

On Wed, Jul 15, 2009 at 5:39 PM, Teyo Tyree t...@reductivelabs.com wrote:
 Hey Asif,
 On Wed, Jul 15, 2009 at 12:51 PM, Asif Iqbal vad...@gmail.com wrote:

 Hi

 I am looking for recipe or some hints to a recipe that can help me
 achieve the following

 I have about 300 servers of different functions. To make it easy I
 decided to keep multiple group dirs based on the
 function and have hosts,passwd,users,sudoers file located inside those
 function dirs, like the following.

 What do you mean by group dirs in this context? I am assuming you mean host
 groups based on node function.  For clarity, I will call them functional
 groups.

 In this
 example dns is the function of the hosts listed w/ fqdn in the hosts
 file. The passwd and shadow are going to be
 same as the /etc/passwd and /etc/shadow file for all these hosts, same
 for sudoers.  users is list of users. may have no purpose
 right now.

 So, we are talking about a dns functional group based on the FQDN.  In
 general, I avoid using metadata in the FQDN as a means to classify a given
 node.  Classification is a human assignment, so I just classify using my
 node tool (site.pp or external) as the database instead of some conditional
 statement based on FQDN.  I know this is unorthodox, but I have good reason
 for despising metadata based hostnames. ( Hostnames make a sorry
 database! Rant available upon request. )
 Secondly,  just for a simplification you can use a single sudoers file for
 all of your hosts.  You can specify access based on host groups in the
 sudoers file itself.  There are some cases (security domains) where you may
 want to avoid this, but in general I use one sudoers to rule them all.

 (root)@puppetmaster:/path/to/groups# ls -lR dns/
 dns/:
 total 11
 -rw---    1 root     other           1 Aug 23  2005 hosts
 -r--r--r--    1 root     other          33 Aug 22  2005 passwd
 -r    1 root     other          31 Aug 22  2005 shadow
 -r--r-    1 root     root          546 Aug 27  2005 sudoers
 -rw-r--r--    1 root     other         152 Feb 21  2006 users

 Ok, here is the Puppety part and it is really about organization and reuse.
  Forget this host group organizational structure.  It is going to be nothing
 but trouble in the long run.  Let's think of classes instead as a way to
 specify configurations via composition and inheritance and let's use modules
 exclusively.  Explicitly lets create two module paths:
 /path/to/modules/dist:
 Is where you will build small reusable modules that will be used to compose
 classes that classify your services. And...
 /path/to/modules/site
 is where you will build larger modules and create complex composite
 configurations.  Here you will include classes from the dist path. I would
 avoid including site classes in the classes defined in the dist path.  I
 like to have the dependencies flow one way.
 Ok, so in the site module path lets create a module called acme.  And
 reorganize based on this structure:
 /path/to/modules/site/acme

 currently, I have a test site.pp like this

 # site.pp

 node basenode {
        case $hostname {
                puppet-test: {}
                default: {}
        }
 }

 K,  I would avoid doing the condition stuff here.   Instead if we have a
 node foo lets just assign it the base class acme from our acme module.  This
 will make our site.pp compatible with an external nodes tool.
 node foo { include acme }
 On a side note, no need for client server when we are testing.  Just
 checkout the dev branch of your puppet modules on the test node, use the
 puppet executable and pass it a test.pp that includes the classes that you
 want to test like so:

 puppet --debug --modulepath=/path/to/modules/dist:/path/to/modules/site
 test.pp
 This is how I train people to develop their puppet code in our classes.
  Try it; you'll like it!
 Alright, so here we go refactoring this we would have an acme::dns class in
 our acme module that would include or inherit all the smaller classes that
 are needed to setup a DNS host.

 node 'puppet-test' {
                include dns
                include sudo
                }

 So our node definition would now look like...
 node 'puppet-test.fqdn.org' { include acme::dns }
 Again, I prefer simple assignment.  Essentially, one class included per
 node.  I do all the specification that is role based in classes.  If an
 individual host needs specific 

[Puppet Users] Exported resources, sshkey (was Re: Notifying a service when exported resources go away)

2009-07-28 Thread Ian Ward Comfort

On 28 Jul 2009, at 9:39 AM, Bruce Richardson wrote:
 I have to say, I'm unconvinced by the whole storedconfigs mechanism,  
 particularly for this kind of thing.  If you're using puppet to  
 configure most or all aspects of your hosts on the network, then  
 your central puppet config already stores enough information about  
 all your hosts to generate a nagios config centrally and push it to  
 the monitoring host.  Pushing all this information back from the  
 clients to the puppetmaster and then out again seems to me to be  
 desperately fragile and just asking for trouble.

For me, the killer app for storeconfigs is exported SSH host keys.   
That's information that my puppetmaster *doesn't* have in its  
manifests, and needs to collect from clients.  That said, sshkey  
resources are giving me trouble in 0.24.8, with puppetd logging errors  
such as:

puppetd[6170]: Got an uncaught exception of type ArgumentError: Field  
'name' is required

And unusual messages like:

puppetd[6170]: Sshkey absent found in both parsed and parsed;  
skipping the parsed version

I've not yet had time to track down this issue (and should probably do  
so in the 0.25 beta, anyway), but I wonder if anyone else has seen this.

-- 
Ian Ward Comfort icomf...@rescomp.stanford.edu
System Administrator, Student Computing, Stanford University





[Puppet Users] Moving puppetmaster

2009-07-28 Thread Len Rugen

What is involved in switching to a new puppetmaster?  I'm guessing the
client will need a new cert, but it looks like I have to rm the old one in
/var/lib/puppet/... on the client.  Our puppet FQDN is an alias pointing
to the current server, as it probably will be on the future server.




[Puppet Users] Re: Moving puppetmaster

2009-07-28 Thread RijilV

2009/7/28 Len Rugen lenru...@gmail.com:
 What is involved in switching to a new puppetmaster?  I'm guessing the
 client will need a new cert, but it looks like I have to rm the old one in
 /var/lib/puppet/... on the client.  Our puppet FQDN is an alias pointing
 to the current server, as it probably will be on the future server.


If you're just going to flip the CNAME to the new server, you can
'cheat' and just move the puppetmaster SSL certs on over to the new
system.

A more "correct" way is to manage the $SSLDIR/certs/ca.pem on all
hosts.  Just combine the two puppetmasters' ca.pem, push them out to
the clients and masters, and you'll be golden.   Once you move over to
the new server you can remove the old puppetmaster's ca.pem from the
clients, but you'll still need it on the new master as long as there
are any of the old client certs out there.

.r'
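
The trust relationships behind the combined-ca.pem approach described above, as an added example that is not part of the original thread or of Puppet's own code. It models X.509 chain verification only, using Ruby's OpenSSL bindings; the CA names, host names and helper names (`make_ca`, `issue_cert`, `trust_store`, `migration_checks`) are assumptions made for the illustration.

```ruby
require 'openssl'

# Self-signed CA certificate and key: a stand-in for one puppetmaster's ca.pem.
def make_ca(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Certificate for a host (agent or master), signed by the given CA.
def issue_cert(common_name, ca_cert, ca_key, serial)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Trust store built from a PEM bundle that may hold several CA certificates.
def trust_store(bundle_pem)
  store = OpenSSL::X509::Store.new
  bundle_pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m) do |pem|
    store.add_cert(OpenSSL::X509::Certificate.new(pem))
  end
  store
end

# Constructed scenario: one agent certificate from the old CA, one master
# certificate from the new CA, checked against both kinds of bundle.
def migration_checks
  old_ca, old_key = make_ca('Old Puppet CA')
  new_ca, new_key = make_ca('New Puppet CA')
  old_agent  = issue_cert('web01.example.com', old_ca, old_key, 2)
  new_master = issue_cert('puppet.example.com', new_ca, new_key, 2)

  combined = trust_store(old_ca.to_pem + new_ca.to_pem) # both ca.pem files, concatenated
  new_only = trust_store(new_ca.to_pem)

  {
    master_with_combined_accepts_old_agent: combined.verify(old_agent),
    agent_with_combined_accepts_new_master: combined.verify(new_master),
    agent_with_new_only_accepts_new_master: new_only.verify(new_master),
    # Why the new master must keep the old CA while old agent certs exist:
    master_with_new_only_accepts_old_agent: new_only.verify(old_agent)
  }
end

migration_checks.each { |check, ok| puts "#{check}: #{ok}" } if __FILE__ == $PROGRAM_NAME
```

Every CA left in the bundle remains a trust anchor, so the old CA's private key has to stay protected for as long as its certificate is distributed.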




[Puppet Users] Re: template flapping / classes lost?

2009-07-28 Thread Peter

I tried using the same check in a template of mine and I got it to
work
I found that the closures for the if and end statements are %> and not
-%>

so your statement would look like this.

<% if scope.compiler.classlist.include?("edu_rutgers_css_resnet") then %>
 # PUPPET: set due to presence of class 'edu_rutgers_css_resnet'
 ServerAdmin f...@bar.com
 # END PUPPET
 <% else %>
 # PUPPET: default value
 ServerAdmin r...@localhost
 # END PUPPET
 <% end %>

give that a try.

On Jul 28, 11:37 pm, Jason Antman ja...@jasonantman.com wrote:
 I was just about to move my first Puppet-built box into production, and
 I'm getting a terribly troublesome error. I'm using an external node
 classifier and am not using storedconfigs.

 We have a more-or-less generic httpd config for all of our boxen -
 except this one. I'm generating httpd.conf from a template, so in the
 template I have something like:

 <% if scope.compiler.classlist.include?("edu_rutgers_css_resnet") then -%>
 # PUPPET: set due to presence of class 'edu_rutgers_css_resnet'
 ServerAdmin f...@bar.com
 # END PUPPET
 <% else %>
 # PUPPET: default value
 ServerAdmin r...@localhost
 # END PUPPET
 <% end -%>

 I also generate /etc/sysconfig/iptables from a template, which includes:

 <% if scope.compiler.classlist.include?("httpd") then -%>
 # accept port 80, added by Puppet template with httpd class
 -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
 <% else -%>
 # puppet doesn't see the class 'httpd' defined, NOT opening port 80...
 <% end -%>

 It seems that Puppet is missing the httpd class. When Puppet runs
 every half hour, it flaps between the if and else values for these two
 statements, causing it to replace the config files and restart the
 associated services. I originally thought that this was happening at
 exactly each cycle, but it seems somewhat intermittent:

 Jul 28 02:19:56 resnet2 puppetd[24046]:
 (//iptables/File[/etc/sysconfig/iptables]/content) content changed
 '{md5}654732a5f76e975e1fef1907ce6c5b46' to
 '{md5}fffc88c34693d4ee67a22c4190d1e608'
 Jul 28 02:19:57 resnet2 puppetd[24046]: (//iptables/Service[iptables])
 Triggering 'refresh' from 2 dependencies
 Jul 28 04:20:20 resnet2 puppetd[24046]:
 (//iptables/File[/etc/sysconfig/iptables]/content) content changed
 '{md5}fffc88c34693d4ee67a22c4190d1e608' to
 '{md5}654732a5f76e975e1fef1907ce6c5b46'
 Jul 28 04:20:20 resnet2 puppetd[24046]: (//iptables/Service[iptables])
 Triggering 'refresh' from 2 dependencies
 Jul 28 06:50:44 resnet2 puppetd[24046]:
 (//iptables/File[/etc/sysconfig/iptables]/content) content changed
 '{md5}654732a5f76e975e1fef1907ce6c5b46' to
 '{md5}fffc88c34693d4ee67a22c4190d1e608'
 Jul 28 06:50:44 resnet2 puppetd[24046]: (//iptables/Service[iptables])
 Triggering 'refresh' from 2 dependencies
 Jul 28 07:50:56 resnet2 puppetd[24046]:
 (//iptables/File[/etc/sysconfig/iptables]/content) content changed
 '{md5}fffc88c34693d4ee67a22c4190d1e608' to
 '{md5}654732a5f76e975e1fef1907ce6c5b46'
 Jul 28 07:50:56 resnet2 puppetd[24046]: (//iptables/Service[iptables])
 Triggering 'refresh' from 2 dependencies

 Jul 28 04:20:18 resnet2 puppetd[24046]:
 (//httpd/File[/etc/httpd/conf/httpd.conf]/content) content changed
 '{md5}e20ffe121bc385871c43c1c8d4c83376' to
 '{md5}d42e551de04a44d8e9121de93795ad33'
 Jul 28 04:20:19 resnet2 puppetd[24046]: (//httpd/Service[httpd])
 Triggering 'refresh' from 1 dependencies
 Jul 28 06:20:39 resnet2 puppetd[24046]:
 (//httpd/File[/etc/httpd/conf/httpd.conf]/content) content changed
 '{md5}d42e551de04a44d8e9121de93795ad33' to
 '{md5}e20ffe121bc385871c43c1c8d4c83376'
 Jul 28 06:20:40 resnet2 puppetd[24046]: (//httpd/Service[httpd])
 Triggering 'refresh' from 1 dependencies
 Jul 28 06:50:45 resnet2 puppetd[24046]:
 (//httpd/File[/etc/httpd/conf/httpd.conf]/content) content changed
 '{md5}e20ffe121bc385871c43c1c8d4c83376' to
 '{md5}d42e551de04a44d8e9121de93795ad33'
 Jul 28 06:50:46 resnet2 puppetd[24046]: (//httpd/Service[httpd])
 Triggering 'refresh' from 1 dependencies
 Jul 28 07:50:58 resnet2 puppetd[24046]:
 (//httpd/File[/etc/httpd/conf/httpd.conf]/content) content changed
 '{md5}d42e551de04a44d8e9121de93795ad33' to
 '{md5}e20ffe121bc385871c43c1c8d4c83376'
 Jul 28 07:50:58 resnet2 puppetd[24046]: (//httpd/Service[httpd])
 Triggering 'refresh' from 1 dependencies

 Any ideas on why this is happening? I've been running Puppet on a
 non-critical network for a month now, with storedconfigs, and no major
 problems. It seemed time to move it over to the production boxes (as the
 new ones are built) but this seems like a serious issue...

 Thanks for any advice,
 Jason
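
One way to detect the oscillation shown in the log excerpt above from the agent's syslog, as an added example that is not part of the original thread or of Puppet. The sample log lines, host name and checksums are constructed, and `find_flapping` and `CHANGE_RE` are hypothetical names; a firewall ruleset that keeps returning to an earlier checksum is worth an alert, because the port is being opened and closed on each cycle.

```ruby
# One puppetd "content changed" event. Each event is assumed to sit on a single
# line, so mail-wrapped excerpts have to be re-joined before they are parsed.
CHANGE_RE = /\((?<resource>[^)]*File\[[^\]]+\])\/content\) content changed '\{md5\}(?<from>\h+)' to '\{md5\}(?<to>\h+)'/

# Constructed sample input: host name, PIDs and checksums are made up.
SAMPLE_LOG = <<~'LOG'
  Jul 28 02:19:56 host1 puppetd[100]: (//iptables/File[/etc/sysconfig/iptables]/content) content changed '{md5}aaaa0000aaaa0000aaaa0000aaaa0000' to '{md5}bbbb1111bbbb1111bbbb1111bbbb1111'
  Jul 28 02:19:57 host1 puppetd[100]: (//iptables/Service[iptables]) Triggering 'refresh' from 2 dependencies
  Jul 28 04:20:20 host1 puppetd[100]: (//iptables/File[/etc/sysconfig/iptables]/content) content changed '{md5}bbbb1111bbbb1111bbbb1111bbbb1111' to '{md5}aaaa0000aaaa0000aaaa0000aaaa0000'
  Jul 28 05:00:02 host1 puppetd[100]: (//motd/File[/etc/motd]/content) content changed '{md5}cccc2222cccc2222cccc2222cccc2222' to '{md5}dddd3333dddd3333dddd3333dddd3333'
  Jul 28 06:50:44 host1 puppetd[100]: (//iptables/File[/etc/sysconfig/iptables]/content) content changed '{md5}aaaa0000aaaa0000aaaa0000aaaa0000' to '{md5}bbbb1111bbbb1111bbbb1111bbbb1111'
  Jul 28 07:10:09 host1 puppetd[100]: (//motd/File[/etc/motd]/content) content changed '{md5}dddd3333dddd3333dddd3333dddd3333' to '{md5}eeee4444eeee4444eeee4444eeee4444'
  Jul 28 07:50:56 host1 puppetd[100]: (//iptables/File[/etc/sysconfig/iptables]/content) content changed '{md5}bbbb1111bbbb1111bbbb1111bbbb1111' to '{md5}aaaa0000aaaa0000aaaa0000aaaa0000'
LOG

# Returns the file resources whose content went back to a checksum it already
# had at least `min_revisits` times. A single return (A -> B -> A) can be a
# deliberate rollback, so the default threshold is 2.
def find_flapping(log_text, min_revisits: 2)
  history = Hash.new { |h, k| h[k] = [] }
  log_text.each_line do |line|
    m = CHANGE_RE.match(line)
    history[m[:resource]] << [m[:from], m[:to]] if m
  end

  history.each_with_object({}) do |(resource, changes), report|
    seen = [changes.first.first] # checksum before the first recorded change
    revisits = 0
    changes.each do |_from, to|
      revisits += 1 if seen.include?(to)
      seen << to
    end
    next if revisits < min_revisits

    report[resource] = { changes: changes.size, revisits: revisits, states: seen.uniq.size }
  end
end

if __FILE__ == $PROGRAM_NAME
  find_flapping(SAMPLE_LOG).each do |resource, stats|
    puts "FLAPPING #{resource}: #{stats}"
  end
end
```

The `/etc/motd` entries in the sample change twice but never return to an earlier checksum, so they are treated as ordinary updates and not reported.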


[Puppet Users] Re: storeconfigs storms?

2009-07-28 Thread Mark Plaksin

Brice Figureau brice-pup...@daysofwonder.com writes:

 Our mysql questions, com_select and com_insert stats spike first.
 com_select and com_update are normally at around 5 and spike to 40;
 questions is normally around 150 and spikes to 600.  Threads connected
 goes from around 15 to 30.  After that it looks like everything queues
 up behind MySQL and we start getting timeouts on our ~450 clients.

...

 The only reason for a storeconfig storm is that Puppet deletes all the
 resources/tags belonging to a particular host and then recreates them,
 so you see a lots of Inserts.

 Now the real question is why Puppet thinks there are such discrepancies
 between the database and the live compilation. 

 Are you sure you're not removing hosts from the database?

Yes.  Hosts that no longer exist are still in the database :)

 What would be interesting is to activate the mysql general query log
 (warning it will increase your load), and dig in the large log around
 the timeframe you see the storm (you can also activate the rails log for
 the same effect). 

I meant to ask whether some MySQL expert could look at our binary logs
and figure out what happened :)  Oh, I see there's a mysqlbinlog command!
Who knew?  Some quick greps of its output say the total number of
updates and inserts from yesterday is about the same as any other day.
Same for various hours yesterday--the hour that we got slammed doesn't
seem to have more updates or inserts than other hours when we didn't get
slammed.

 Or I remember reading that maatkit now contains a query log extractor
 from tcpdump capture files; it is worth capturing the traffic between
 Puppet and mysql and analyze the queries performed. Maybe you'll find
 the issue.

Maybe there's a tool which reads binary logs and tells you what caused
the storm :)

 Good luck :-)

Heh, thanks :)





[Puppet Users] Yum issues

2009-07-28 Thread josbal

Hi,

We have a majority of RHEL5 servers in our environment. I have noticed
in the process of trying to deploy puppet, that I am getting errors
when yum is trying to install packages. Most of the time it works
flawlessly, however sometimes the following will be reported:

change from absent to present failed: Execution of '/usr/bin/yum -d 0 -
e 0 -y install modcluster' returned 1: This system is not registered
with RHN. RHN support will be disabled.   Error Downloading
Packages:   modcluster-0.12.1-2.el5.x86_64: failure:
modcluster-0.12.1-2.el5.x86_64.rpm from core-1: [Errno 256] No more
mirrors to try.

The only way to correct the issue is to run yum clean all on the
client and then rerun the puppet catalogue.

Does anyone have any information as to what is going wrong here? Or
what can be done to stop this from happening. The repos I am using
are local mirrors I have configured for our company.

Cheers,
Josh



[Puppet Users] Re: puppet recipes

2009-07-28 Thread David Schmitt

Asif Iqbal wrote:
 So I think I should start small and simple and it may grow to a
 solution that will be really useful to others.
 
 Let's start w/ real basic.
 
 I have 300 hosts. I'd like to push a user to about 100 hosts (dns
 resolver type hosts) out of 300 total.
 
 How do I set that up within puppet ?

The very simplest stuff:

| node dns1, ..., dns100 {
|   user { foo: ... }
| }

That's of course very trivial. The next steps would be to put the user 
into his own class/module where you can encapsulate the user and his 
environment (ssh key, shell configuration, ...) and use an external 
nodes classifier[1] to find your nodes instead of typing them all out.

You can read many more examples on the wiki [2] and [3]. Also look at 
the references linked from the documentation main page[4].



Regards, DavidS



[1] http://reductivelabs.com/trac/puppet/wiki/ExternalNodes
[2] http://reductivelabs.com/trac/puppet/wiki/PuppetModules
[3] http://reductivelabs.com/trac/puppet/wiki/Recipes
[4] http://reductivelabs.com/trac/puppet/wiki/DocumentationStart




