Re: [Puppet Users] ssh::auth server dependency on ~/.ssh and a scoping question

2010-02-26 Thread Alan Barrett
On Thu, 25 Feb 2010, Marcello de Sousa wrote:
 IF homedir exists = deploy .ssh/authorized_keys , else do nothing

If you don't mind errors when you attempt to apply the manifest and the
homedir does not exist, then you could make the authorized_keys file
depend on something that fails if the homedir does not exist.

Here's an untested example:

# If the directory exists, then the unless clause in the exec
# is satisfied, so the command does not run; but the overall
# exec resource behaves as if it was successful, and anything that
# requires this exec is happy.
#
# If the directory does not exist, then the unless fails, so the
# command runs; but the command is /bin/false, so the command
# reports a failure, the overall exec resource fails, and anything
# that requires this exec will have a failed dependency and will
# therefore not be evaluated.
#
exec { "fail if $homedir does not exist":
    command => "/bin/false",
    unless => "/usr/bin/test -d $homedir",
}

file { "$homedir/.ssh/authorized_keys":
    source => "puppet:///wherever",
    require => Exec["fail if $homedir does not exist"],
}

--apb (Alan Barrett)

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.



Re: [Puppet Users] Re: Issue with '|'

2010-02-26 Thread Michael Gliwinski
On Thursday 25 Feb 2010 23:19:33 Andrew Hamilton wrote:
  unless: If this parameter is set, then this exec will run unless the
  command returns 0
 
 I interpret this to be the return value of the command and not the output
  of the command.  So if the return value of my command is 0 then the
  command will not run, yet I can verify that the return value of the
  command is 0, yet it still runs.  Unless I have this backwards and my
  interpretations are incorrect.
 

Yes, that's right, it's the return value that matters.  And since grep returns 
0 if match was found and 1 otherwise, this really should work.

For reference here's what my exec for creating users looks like (after 
expanding some parameters):


exec { "psql:${name}":
  command => "psql -c \"CREATE ROLE \\\"${name}\\\"\"",
  unless => "psql -P format=unaligned -tc '\\du ${name}' | grep '^ *${name}'",
  user => 'postgres',
  path => ['/bin', '/sbin', '/usr/bin', '/usr/sbin', '/usr/local/bin',
           '/usr/local/sbin'],
  logoutput => on_failure,
  require => [Service['postgresql'], User['postgres']],
}


Basically '-P format=unaligned' makes psql print tuples without spaces used to 
align their width, it uses the default separator (|) but that can be changed 
with fieldsep option.  And the '-t' option makes it print tuples only (without 
headers and footer).  That should produce exactly one line if the user already 
exists or none otherwise, the grep is mostly used to get that return value 
right.

If that doesn't work for you, maybe try changing the field separator (i.e. '-P 
fieldsep=,' or sth) and see if you can work with that.

Regards,
Michael


-- 
Michael Gliwinski
Henderson Group Information Services
9-11 Hightown Avenue, Newtownabby, BT36 4RT
Phone: 028 9034 3319




Re: [Puppet Users] Magazine article comparing CPU usage of Puppet vs. Cfengine

2010-02-26 Thread Marc Fournier

 The version of CFEngine he is running is 3.0.1b3
 (released ??? Jan or Feb '09, sometime, maybe?)
 
 The version of Puppet he is running is 0.24.7
 (released 16-Dec-2008)
 
 So, even though this article was just released, I think it was
 written a year
 ago. The author said these were the latest stable versions at the
 time of writing.

The author also mentions that: In Puppet a server component is
mandatory [...] (probably he missed out the puppet interpreter) but
that Cfengine’s configuration agent is independent of a server
component.

I suppose the benchmarks were made on a machine running puppetmaster +
puppetd, but cfengine was run in stand-alone mode. Probably puppet would
have performed a bit better if the manifests would have been run in
stand-alone mode too.

Marc





Re: [Puppet Users] ssh::auth server dependency on ~/.ssh and a scoping question

2010-02-26 Thread Michael Gliwinski
That sounds like a path to solution indeed :)
Thanks for the tip.
I'll also be testing it on CentOS 5, hopefully shortly, I'll get back when I 
have some feedback.

On Thursday 25 Feb 2010 23:02:51 Marcello de Sousa wrote:
 Dant,
 
 The ssh_config trick could be indeed the key for a workaround:
 AuthorizedKeysFile /etc/ssh/authorized_keys/%u
 
 But I've tested it with a Centos 5 machine and it didn't work. I suspect
  the problem is the expansion of %u to the username (our usernames have the
  mydomain\myuser format). I wonder how I can debug that and see what's
  trying to find as user name.
 I've tried the following names without success:
 /etc/ssh/authorized_keys/myuser
 /etc/ssh/authorized_keys/mydomain\myuser
 /etc/ssh/authorized_keys/MYDOMAIN\myuser
 
 I'm still curious though if someone has a 'native' puppet workaround for
 this 'conditional' situation, just in case this doesn't work on a specific
 OS/ssh version or we face a similar problem in the future.
 
 I also wonder if there's a way to use a user list instead of one hardcoded
 class per user.
 
 Thanks a lot for the tip!
 
 Cheers,
 Marcello
 
  -Original Message-
  From: puppet-users@googlegroups.com [mailto:puppet-
  us...@googlegroups.com] On Behalf Of dan trainor
  Sent: Thursday 25 February 2010 23:16
  To: puppet-users@googlegroups.com
  Subject: Re: [Puppet Users] ssh::auth server dependency on ~/.ssh and a
  scoping question
 
  On Thu, Feb 25, 2010 at 12:52 PM, Patrick kc7...@gmail.com wrote:
 
  On Feb 25, 2010, at 11:23 AM, Marcello de Sousa wrote:
   Patrick,
  
   If you do that you would put all the public keys together, wouldn't you ?
   That means users would be able to login as any other user. That is of course
   not what you want.
  
   We need to deploy a single specific public key per user.
  
   Gr,
   Marcello
 
  I guess I misunderstood your question.  I thought you had a
  really strange setup where you were doing just that.
 
 
 
 
  Hi, Guys -
 
  I've been following this thread for a bit here, and I was faced with a
  similar problem.  Since we only have a small admin team for some 400+
  machines, this worked out well for us.  However, your mileage certainly
  will vary.  This is assuming that you're already pulling auth
  information from LDAP, as well.
 
  What I've done is, maintained /etc/ssh/sshd_config with a few choice
  options, namely the AuthorizedKeysFile directive.  Here's an excerpt
  from sshd_config, which is a template in my puppet config - you'll see
  why, down at the bottom:


  Port 22
  ...
  PermitRootLogin without-password (or no, depending on the machine)
  ...
  RSAAuthentication yes
  PubkeyAuthentication yes
  AuthorizedKeysFile /etc/ssh/authorized_keys/%u
  PermitEmptyPasswords no
  PasswordAuthentication no
  ChallengeResponseAuthentication no
  GSSAPIAuthentication yes
  GSSAPICleanupCredentials yes
  UsePAM yes
  ...
  DenyGroups all
  AllowGroups Domain?Admins wheel <% if environment == 'dev' %> Domain?Users <% end %>
  ClientAliveInterval 300
 
 
 
  I then have a manifest like this:
 
  class sshd::config {

      File {
          require => Class["sshd::install"],
          notify  => Class["sshd::service"]
      }

      file { "/etc/ssh/sshd_config":
          owner   => root,
          group   => root,
          mode    => 440,
          #source => "puppet:///sshd/sshd_config",
          content => template('sshd/sshd_config')
      }

      file { "/etc/ssh/authorized_keys":
          ensure  => directory,
          owner   => root,
          group   => root,
          mode    => 0755,
          require => Class["ldap"]
      }

  }

  Further, I maintain that /etc/ssh/authorized_keys/dtrainor file (my
  key) with a class similar to this:

  class sshd::users::dtrainor {

      include sshd

      file { "/etc/ssh/authorized_keys/dtrainor":
          owner   => 2690,   # pulled from LDAP
          group   => root,
          mode    => 0600,
          source  => "puppet:///sshd/authorized_keys/dtrainor",
          require => Class["sshd::config"]
      }

  }
 
 
  Now, I'm no programmer, and I'm certainly not a Puppet expert.  But
  I've gotten around the chicken-and-the-egg problem by just being able
  to apply sshd::users::dtrainor to a node that this key should be
  implemented on, and there it is.
 
  Of course I'm open to suggestion and would appreciate some feedback,
  but moreover I hope this gets you pointed in the right direction.
  sshd_config has many options - unfortunately RHEL uses an older sshd
  version that even limits those :)
 
  Thanks
  -dant
 
 
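
A generalisation of the per-user class quoted above, as an added example that is not part of the thread: one define applied to a list of users, which is what Marcello asks about. The define name sshd::authorized_key, the class sshd::users::admins and the user names alice, bob and carol are hypothetical, and it assumes user names resolve on the node (e.g. via LDAP) so the owner can be given by name.

```puppet
# Added example, not from the thread. Reuses the layout from the quoted
# manifests: module "sshd", key files served from
# puppet:///sshd/authorized_keys/<user>, installed under
# /etc/ssh/authorized_keys/<user> to match "AuthorizedKeysFile .../%u".
#
# Hypothetical names: sshd::authorized_key, sshd::users::admins,
# and the users alice, bob and carol.
define sshd::authorized_key($owner = '', $ensure = 'present') {

    # Default the file owner to the account the key belongs to.
    # Assumption: the account name resolves on the node (LDAP/NSS);
    # pass a numeric uid through $owner where it does not.
    $real_owner = $owner ? {
        ''      => $name,
        default => $owner,
    }

    file { "/etc/ssh/authorized_keys/${name}":
        ensure  => $ensure,
        owner   => $real_owner,
        group   => 'root',
        mode    => '0600',
        source  => "puppet:///sshd/authorized_keys/${name}",
        require => Class['sshd::config'],
    }
}

class sshd::users::admins {

    include sshd

    # One file resource per listed user; each array element becomes
    # $name inside the define, so every user gets only their own key.
    sshd::authorized_key { ['alice', 'bob']: }

    # Numeric owner, as in the per-user class from the thread.
    sshd::authorized_key { 'dtrainor': owner => 2690 }

    # Withdraw a key explicitly instead of leaving a stale file behind
    # when someone is dropped from the list.
    sshd::authorized_key { 'carol': ensure => 'absent' }
}
```

Including sshd::users::admins on a node then replaces the one-class-per-user pattern; a key file that is simply removed from the list stays on disk, which is why the withdrawal is declared with ensure => 'absent'.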

Re: [Puppet Users] ensuring a file is copied in before evaluating another class.

2010-02-26 Thread Daniel
I don't think there's a way to enforce this because you need to reload
puppetd to activate the changes. If you use puppetrun you could
distribute only the tag for your puppet module and restart the
service. Hope this helps

On Fri, Feb 26, 2010 at 12:53 AM, Greg Retkowski g...@rage.net wrote:
 Thanks! That sounds like the right way to do it! How do I ensure puppet
 copies out a new puppet.conf with the changes before evaluating the class
 that uses 'case $customfact'?

 Cheers,

 -- Greg

 Daniel wrote:

 Don't distribute your facter plugin via manifest. Use puppet's sync
 which is described here:
 http://reductivelabs.com/trac/puppet/wiki/PluginsInModules

 This will distribute your facter addons at the beginning of your run
 and you can use them like any normal fact.

 On Thu, Feb 25, 2010 at 10:25 PM, Greg Retkowski g...@rage.net wrote:


 Hello Everyone,
  I have a case where I'm depending on custom facter rules in my puppet
 config, and those custom facter rules come from a ruby library that puppet
 installs. I need to know how I can ensure that library is installed by
 puppet before classes that depend on those facts are evaluated.

 To illustrate...

 class facter_rules {
   file {
     "/usr/lib/ruby/site_ruby/1.8/facter/custom.rb":
       source => "puppet://$server/dist/custom.rb";
   }
 }

 class sitestuff {
   include facter_rules
   case $customfact {
     "value-a": {
       # do stuff
     }
     "value-b": {
       # do other stuff
     }
   }
 }
 ...

 Using this, often class sitestuff gets evaluated before my facter_rules file
 copy is done - which results in puppet exiting without putting custom.rb in
 place. I'm using puppet vers. 0.24.4.

 I've considered using 'before =>' in my facter_rules file definition, but
 class 'sitestuff' may be defined or not defined depending on what
 services/classes are defined on the host.

 Any ideas on how I can get around this chicken and egg problem?

 Cheers,

 -- Greg


-- 

Cheers,

Daniel




Re: [Puppet Users] Augeas type: Removing an entry from /etc/hosts

2010-02-26 Thread Rob McBroom
On Feb 24, 2010, at 6:32 PM, David Lutterkort wrote:

 On Tue, 2010-02-23 at 14:02 -0500, Rob McBroom wrote:
 I’d love to hear there’s a way (in 0.24.8).
 
 I'd wager that the problem was that you were missing an onlyif that
 would keep the changes from being applied when the entries are there
 already.

I know that, and in theory you’re right. But bug #2141 has prevented so many of 
my `onlyif`s from working in 0.24.8 that I don’t even bother trying.

I’m basically waiting until EPEL gets 0.25.x to really use Augeas.

-- 
Rob McBroom
http://www.skurfer.com/

Because it screws up the order in which people normally read text.

Original message:

 Why is it bad to top-post your reply?







[Puppet Users] Foreman environments vs. Puppet Environments

2010-02-26 Thread Marcello de Sousa
Does anybody know or have a Howto on how to use Foreman environments and
their relationship and interaction with puppet environments ?

If they are not related, is there a way to assign a machine to a puppet
environment via Foreman's interface ?

Cheers,
Marcello




[Puppet Users] Using --no-client option in puppet.conf

2010-02-26 Thread christian
Hey,

is there a way to use the puppetd command line option --no-client in
the puppet.conf file?

Things like no-client = true or noclient = true don't seem to
work...just want to get rid off the mandatory puppet run after
restarting the daemon.

christian




[Puppet Users] Y[es] on Upgrade whith puppet

2010-02-26 Thread Ghislain Mokolomboka
Hi everyone,

I'm new to using puppet.

I have installed the puppet-master with this manifest site.pp

class update_class {

    Exec { path => "/usr/bin:/bin:/usr/sbin:/sbin" }

    exec { "aptitude update && aptitude upgrade -s | mail -s 'Puppet master-update on $mycomputer' tatatat...@yahoo.com": }
}

node "puppet-client.localhost.loc" {

    $mycomputer = "Calavero Development workstation"
    include update_class

}

What I would like to understand is:

1. Why does my client (puppet-client) periodically run the command puppetd --test?
Does someone know how to deactivate it or where I can configure this? [I
do not have any cron scheduled on puppet-client].

2. The client sends me an email:

Reading package lists...
Building dependency tree...
Reading state information...
Reading extended state information...
Initializing package states...
The following packages will be upgraded:
  foomatic-filters libgssapi-krb5-2 libk5crypto3 libkrb5-3 libkrb5support0
  libpurple-bin libpurple0 linux-firmware openoffice.org-base-core
  openoffice.org-calc openoffice.org-common openoffice.org-core
  openoffice.org-draw openoffice.org-emailmerge openoffice.org-gnome
  openoffice.org-gtk openoffice.org-impress openoffice.org-math
  openoffice.org-style-human openoffice.org-writer python-uno
  ttf-opensymbol uno-libs3 ure
24 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 74.6MB of archives. After unpacking 8192B will be used.
Do you want to continue? [Y/n/?] Abort.

2. Question:

How can I tell [Y] to puppet-master or to the puppet-client to
install these packages?

Thx for your help!

Ghislain.




Re: [Puppet Users] Using --no-client option in puppet.conf

2010-02-26 Thread James Turnbull
On 26/02/10 5:58 AM, christian wrote:
 Hey,
 
 is there a way to use the puppetd command line option --no-client in
 the puppet.conf file?
 
 Things like no-client = true or noclient = true don't seem to
 work...just want to get rid off the mandatory puppet run after
 restarting the daemon.

--client      ==> client=true
--no-client   ==> client=false

http://docs.reductivelabs.com/references/stable/configuration.html

Regards

James Turnbull

-- 
Author of:
* Pro Linux System Administration (http://tinyurl.com/linuxadmin)
* Pulling Strings with Puppet (http://tinyurl.com/pupbook)
* Pro Nagios 2.0 (http://tinyurl.com/pronagios)
* Hardening Linux (http://tinyurl.com/hardeninglinux)



[Puppet Users] Using tags in custom classes, and their scope

2010-02-26 Thread RyanC
Hey,

Hope someone can help shed some light on this. I've written a class
that installs various software packages that we use in our
organisation, and configures them to how we like. I'm trying to use a
tag to determine which type of config to apply, so we can just tag a
load of nodes with one thing, and have the right software and config
automatically applied.

The class is structured like so (simplified):

class my_class
{
    class my_software
    {
        if tagged("my_tag_1")
        {
            notify{"Tagged as my_tag_1": }
            # Install config A
        }
        elsif tagged("my_tag_2")
        {
            notify{"Tagged as my_tag_2": }
            # Install config B
        }
        else
        {
            notify{"Not tagged": }
            # Install default config
        }
    }
}

Then on a node you'd do the following to have a particular software
package installed and configured based on the tag:

In site.pp

node 'servername.com' inherits default
{
    tag("my_tag_1")
    include my_class::my_software
}

After running Puppet through a catalog, the software is installed
correctly

Now the software installs properly, but it logs that it is using the
default config, so the tag being assigned in the site.pp is obviously
not being detected right?

If anyone can shed any light on this that would be really
appreciated :)

Thanks in advance!
Ryan




[Puppet Users] Re: How to conditionally include classes based on environment?

2010-02-26 Thread jcbollinger


On Feb 25, 10:01 am, ascodemus ascode...@gmail.com wrote:
 I thought also before that this could do the trick, but as indicated
 on the web (http://docs.reductivelabs.com/references/stable/function.html#generate)
 the generate executes a command on the puppet MASTER-server (not on the
 client), so this does not work as such -

Indeed.  All the information the Puppetmaster has about any client
comes ultimately from the facts that client presents to it and the
manifests you write.  Even if you use storeconfigs to retain and share
client information, that information is still originally derived from
those same sources.

If you want the Puppetmaster to know about the result of running a
command on the client, then you need to write a custom fact.  Tim
already referred you to some docs on that.




Re: [Puppet Users] Foreman environments vs. Puppet Environments

2010-02-26 Thread Ohad Levy
Foreman can manage puppet environment assignments to hosts if you use
external nodes mode (http://theforeman.org/wiki/foreman/External_Nodes).

Foreman can scan your existing modules assigning the right classes to the
relevant environments.

There is another environment setting in foreman (e.g. if you start the
server in the command line) - this is the rails environment and is not related
to puppet at all.

hope this helps,
Ohad

On Fri, Feb 26, 2010 at 6:56 PM, Marcello de Sousa li...@area151.com wrote:

 Does anybody know or have a Howto on how to use Foreman environments and
 their relationship and interaction with puppet environments ?

 If they are not related, is there a way to assign a machine to a puppet
 environment via Foreman's interface ?

 Cheers,
 Marcello




[Puppet Users] How to determine what puppetmasterd is using its memory on?

2010-02-26 Thread Trevor Vaughan
Does anyone have any pointers on how to determine where puppetmasterd
0.24.9 is using the bulk of its memory?

A couple of gigs of RAM usage is getting a bit excessive.

Thanks,

Trevor

-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaug...@onyxpoint.com

-- This account not approved for unencrypted proprietary information --

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.



Re: [Puppet Users] Using tags in custom classes, and their scope

2010-02-26 Thread Ohad Levy
While it's possible to use tags, I would recommend using variables
(either with external nodes or extlookup).

cheers,
Ohad

On Fri, Feb 26, 2010 at 7:23 PM, RyanC r...@rjc.cc wrote:

 Hey,

 Hope someone can help shed some light on this. I've written a class
 that installs various software packages that we use in our
 organisation, and configures them to how we like. I'm trying to use a
 tag to determine which type of config to apply, so we can just tag a
 load of nodes with one thing, and have the right software and config
 automatically applied.

 The class is structured like so (simplified):

 class my_class
 {
     class my_software
     {
         if tagged("my_tag_1")
         {
             notify{"Tagged as my_tag_1": }
             # Install config A
         }
         elsif tagged("my_tag_2")
         {
             notify{"Tagged as my_tag_2": }
             # Install config B
         }
         else
         {
             notify{"Not tagged": }
             # Install default config
         }
     }
 }

 Then on a node you'd do the following to have a particular software
 package installed and configured based on the tag:

 In site.pp

 node 'servername.com' inherits default
 {
     tag("my_tag_1")
     include my_class::my_software
 }

 After running Puppet through a catalog, the software is installed
 correctly

 Now the software installs properly, but it logs that it is using the
 default config, so the tag being assigned in the site.pp is obviously
 not being detected right?

 If anyone can shed any light on this that would be really
 appreciated :)

 Thanks in advance!
 Ryan




Re: [Puppet Users] How to determine what puppetmasterd is using its memory on?

2010-02-26 Thread Ohad Levy
That's the main reason why people use passenger (IMHO) that doesn't allow the
processes to grow too much; the other alternative is to use something to
restart the process if they grow too much (e.g. monit), if you are
interested in the internals a bit more, you can read a bit here -
http://www.masterzen.fr/2010/01/28/puppet-memory-usage-not-a-fatality/

cheers,
Ohad

On Fri, Feb 26, 2010 at 8:00 PM, Trevor Vaughan tvaug...@onyxpoint.com wrote:

 Does anyone have any pointers on how to determine where puppetmasterd
 0.24.9 is using the bulk of its memory?

 A couple of gigs of RAM usage is getting a bit excessive.

 Thanks,

 Trevor

 --
 Trevor Vaughan
 Vice President, Onyx Point, Inc
 (410) 541-6699
 tvaug...@onyxpoint.com

 -- This account not approved for unencrypted proprietary information --




Re: [Puppet Users] ensuring a file is copied in before evaluating another class.

2010-02-26 Thread Greg Retkowski

I also tried this in my top-level puppet config:

if $defined_after_bootstrap_var {
  import "definitions/*.pp"
} else {
  import "bootstrap.pp"
}

However it looks like the 'import definitions/*.pp' is still evaluated 
even though $defined_after_bootstrap_var isn't defined. Is there a way 
to conditionally use import?


-- Greg

Daniel wrote:

I don't think there's a way to enforce this because you need to reload
puppetd to activate the changes. If you use puppetrun you could
distribute only the tag for your puppet module and restart the
service. Hope this helps
  





Re: [Puppet Users] How to determine what puppetmasterd is using its memory on?

2010-02-26 Thread Trevor Vaughan
Thanks Ohad.

I've been meaning to look at Passenger but I haven't had the time.

Trevor

On Fri, Feb 26, 2010 at 1:27 PM, Ohad Levy ohadl...@gmail.com wrote:
 That's the main reason why people use passenger (IMHO) that doesn't allow the
 processes to grow too much; the other alternative is to use something to
 restart the process if they grow too much (e.g. monit), if you are
 interested in the internals a bit more, you can read a bit here
 - http://www.masterzen.fr/2010/01/28/puppet-memory-usage-not-a-fatality/
 cheers,
 Ohad

 On Fri, Feb 26, 2010 at 8:00 PM, Trevor Vaughan tvaug...@onyxpoint.com
 wrote:

 Does anyone have any pointers on how to determine where puppetmasterd
 0.24.9 is using the bulk of its memory?

 A couple of gigs of RAM usage is getting a bit excessive.

 Thanks,

 Trevor

 --
 Trevor Vaughan
 Vice President, Onyx Point, Inc
 (410) 541-6699
 tvaug...@onyxpoint.com

 -- This account not approved for unencrypted proprietary information --





-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaug...@onyxpoint.com

-- This account not approved for unencrypted proprietary information --




Re: [Puppet Users] Y[es] on Upgrade whith puppet

2010-02-26 Thread Dan Bode
Hi Ghislain,

On Fri, Feb 26, 2010 at 5:37 AM, Ghislain Mokolomboka mokolomb...@gmail.com
 wrote:

 Hi everyone,

 I'm new to using puppet.

 I have installed the puppet-master with this manifest site.pp

 class update_class {

 Exec { path => "/usr/bin:/bin:/usr/sbin:/sbin" }

 exec { "aptitude update && aptitude upgrade -s | mail -s 'Puppet master-update on $mycomputer' tatatat...@yahoo.com": }
 }

 node "puppet-client.localhost.loc" {

 $mycomputer = "Calavero Development workstation"
 include update_class

 }

 What I would like to understand is:

 1. Why does my client (puppet-client) periodically run the command puppetd
 --test? Does someone know how to deactivate it or where I can configure
 this? [I do not have any cron scheduled on puppet-client].


--test implies --one-time which means that puppet should run one time and
exit. This should not fire off puppet as a daemon. Most likely you
previously ran without this option.

I would kill the running puppet process, run with --test again, and verify
with `ps` that a process does not start in the background.



 2. The client sends me an email:

 Reading package lists...
 Building dependency tree...
 Reading state information...
 Reading extended state information...
 Initializing package states...

 The following packages will be upgraded:
   foomatic-filters libgssapi-krb5-2 libk5crypto3 libkrb5-3 libkrb5support0
   libpurple-bin libpurple0 linux-firmware openoffice.org-base-core
   openoffice.org-calc openoffice.org-common openoffice.org-core

   openoffice.org-draw openoffice.org-emailmerge openoffice.org-gnome
   openoffice.org-gtk openoffice.org-impress openoffice.org-math
   openoffice.org-style-human openoffice.org-writer python-uno
   ttf-opensymbol uno-libs3 ure

 24 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
 Need to get 74.6MB of archives. After unpacking 8192B will be used.
 Do you want to continue? [Y/n/?] Abort.


 2. Question:

 How can I tell [Y] to puppet-master or to the puppet-client to install
 these packages?

 Thx for your help!

 Ghislain.


I had a look at the man page for aptitude, there is a -y option that should
fix this.

You can always try piping the linux command `yes` to the command; it's a
little hackish, but it's another option.

hope this helps,

Dan





[Puppet Users] Re: Correct user management across modules

2010-02-26 Thread jcbollinger


On Feb 25, 6:37 am, Michael Gliwinski michael.gliwin...@henderson-
group.com wrote:
 Do you define your virtual users in global scope?  I.e. in site.pp or in some
 module/class?  The reason I'm asking is because I had some trouble overriding
 parameters of resources (even virtual) declared in another class or especially
 a define.

To the best of my knowledge, you can only override resource parameters
in a subclass of the class that declares the resource.  Perhaps you
can also override properties of resources declared at global scope,
but I don't generally recommend global resources, even virtual ones.

You might be able to achieve what you want something like this
(completely untested):

# A class containing virtual declarations of all your users
class user::virtual {
    # ...

    @user { "apache":
        uid    => 48,
        gid    => 48,
        groups => "apache",
    }

    # ...
}

# A class in your nagios module that
# exists solely to override User[apache]
class nagios::apache::user inherits user::virtual {
    # +> appends to the inherited value instead of replacing it
    User["apache"] { groups +> "nagios" }
}

# Apache-related nagios settings
class nagios::apache {
    include nagios::apache::user
    realize User["apache"]

    # ...
}

Good luck,

John




[Puppet Users] ssh_authorized_key - same key, different accounts?

2010-02-26 Thread Alan Sparks
Puppet 0.24.8... I am trying to use ssh_authorized_key to create
passwordless logins for a couple of accounts.  The important thing to
note is I'm trying to get the source (r...@somehost below) as part of
the key, and the same key needs to be added to two different accounts on
the system.

It appears that the resource name is the only place I can set the
originating source (whatever the correct term is) for the key.

ssh_authorized_key { "r...@somehost":
    ensure  => present,
    type    => "ssh-rsa",
    target  => '/home/xx/.ssh/authorized_keys',
    key     => ' removed for brevity xxx',
    user    => "xx",
    require => User["xx"]
}

So the above will create an authorized_keys value like:
ssh-rsa  removed for brevity xxx r...@somehost

But if I need the same key installed for a different user, I'm stuck --
I can't use the same resource name to create the r...@somehost
restriction.  And I can't see another way to specify that value.

Is there any way to accomplish this, without abandoning
ssh_authorized_key?  Thanks in advance.
-Alan





Re: [Puppet Users] ssh_authorized_key - same key, different accounts?

2010-02-26 Thread Paul Lathrop
On Fri, Feb 26, 2010 at 11:58 AM, Alan Sparks aspa...@doublesparks.net wrote:
 Puppet 0.24.8... I am trying to use ssh_authorized_key to create
 passwordless logins for a couple of accounts.  The important thing to
 note is I'm trying to get the source (r...@somehost below) as part of
 the key, and the same key needs to be added to two different accounts on
 the system.

 It appears that the resource name is the only place I can set the
 originating source (whatever the correct term is) for the key.

 ssh_authorized_key { "r...@somehost":
     ensure  => present,
     type    => "ssh-rsa",
     target  => '/home/xx/.ssh/authorized_keys',
     key     => ' removed for brevity xxx',
     user    => "xx",
     require => User["xx"]
 }

 So the above will create an authorized_keys value like:
 ssh-rsa  removed for brevity xxx r...@somehost

 But if I need the same key installed for a different user, I'm stuck --
 I can't use the same resource name to create the r...@somehost
 restriction.  And I can't see another way to specify that value.

 Is there any way to accomplish this, without abandoning
 ssh_authorized_key?  Thanks in advance.
 -Alan

Abandon ssh_authorized_key - it is terrible.

My $.02

Regards, Paul




[Puppet Users] tidy -- ignoring sockets?

2010-02-26 Thread Alan Sparks
I've a tidy resource for /tmp under 0.24.8, which throws errors each run
due to a socket file created by xfs under /tmp/.font-unix/.  It's
relatively harmless, but it fills the logs with error messages...

/var/log/messages.4:Jan 31 04:01:34 vm03 puppetd[15362]:
(//Node[vm03]/Tidy::Olderthan[/tmp]/Tidy[/tmp/.font-unix/fs7100]/ensure)
change from /tmp/.font-unix/fs7100(age)1264176925 to anything failed:
Cannot tidy files of type socket

Since tidy does not have a parameter for directories or files to ignore,
and there's no option to specify the types of files to consider, is
there any way short of hacking the code to eliminate these errors?

-Alan




RE: [Puppet Users] Foreman environments vs. Puppet Environments

2010-02-26 Thread Marcello de Sousa
Hi Ohad,

On your forum I've posted a bit more extensive question
(http://theforeman.org/boards/2/topics/show/119) just in case this is a bit
offtopic here.

I've been using Foreman for a while already, in external node mode.
But I've now configured puppet with environments like this:
==
(...)
[development]
modulepath = /etc/puppet/development/modules:/etc/puppet/modules
[testing]
modulepath = /etc/puppet/testing/modules:/etc/puppet/modules
==
But I don't see these environments showing up on the Foreman interface.
I've also tried to create an environment inside foreman and assign it to a
host, but I don't see it having any effect on the class assignment. 

In other words, foreman's environments are not working here and not relating
to puppet's, and I can't find documentation about it in foreman's wiki or
anywhere.

It might be worth mentioning that I'm not using foreman to deploy new
machines yet. I'm managing existing machines and now they are all assigned
to production, and I would like now to assign some of them to
development and testing to be able to develop and deploy new
modules/classes to them without affecting production.

Pls Help ? :)

Thanks!
Cheers,
Marcello


 -Original Message-
 From: puppet-users@googlegroups.com [mailto:puppet-
 us...@googlegroups.com] On Behalf Of Ohad Levy
 Sent: vrijdag 26 februari 2010 18:55
 To: puppet-users@googlegroups.com
 Subject: Re: [Puppet Users] Foreman environments vs. Puppet
 Environments
 
 Foreman can manage puppet environment assignments to hosts if you use
 external nodes mode
 (http://theforeman.org/wiki/foreman/External_Nodes).
 
 Foreman can scan your existing modules assigning the right classes to
 the relevant environments.
 
 There is another environment setting in foreman (e.g. if you start the
 server in the command line) - this is the rails environment and is not
 related to puppet at all.
 
 hope this helps,
 Ohad
 
 
 On Fri, Feb 26, 2010 at 6:56 PM, Marcello de Sousa li...@area151.com
 wrote:
 
 
   Does anybody know or have a Howto on how to use Foreman
 environments and
   their relationship and interaction with puppet environments ?
 
   If they are not related, is there a way to assign a machine to a
 puppet
   environment via Foreman's interface ?
 
   Cheers,
   Marcello
 



[Puppet Users] puppet certificate problems

2010-02-26 Thread yurkao
I have a distributed puppet site:
 [*] separate puppet-ca,
 [*] puppet-master rules distribution point,
 [*] puppet-master file-server
 [*] puppet reports
and noticed the following:
1. the client does not re-request a new certificate on certificate
revocation\expiration
2. puppetmaster on the rules distribution point does not recognize a
client's revoked certificate until puppetmaster is restarted (CRL is
synchronized)

I want puppetd to do the following:
1) client generation of a new CSR on certificate expiration\revocation
(optionally by config file) including a new key pair
2) client auto-cleaning\moving of expired\revoked certificates
(including keys) to a revoked folder on the client
3) client automatically re-requesting a new certificate from puppet-
CA on certificate revocation\expiration (optionally by config file
option)

Is there any version that supports these features? I'm currently running
puppet version 0.24.4




[Puppet Users] Finding the source of errors

2010-02-26 Thread Paul Lathrop
Hello,

How are people locating the host that is having problems? Is everyone
getting reports via email? I'm only using store, log and unfortunately
the log messages don't identify the source host (I haven't
investigated the stored reports yet). Curious how others are solving
this problem.

--Paul
