Re: [Puppet Users] certificate problem ; puppetca can't find cert request ?

2010-10-01 Thread Nan Liu
On Fri, Oct 1, 2010 at 2:50 AM, Daniel Maher  wrote:
>
> Thank you for the advice ; unfortunately, as i had already revoked the
> certificate, cleaning and re-issuing was not a possibility.  I ended up
> biting the bullet and just wiping out and re-initialising the certificates
> across the board.  Thank god for clusterssh.
>

Ah, I'm a step too late for you. I suppose this would be helpful if
someone runs across this problem again.

Here are the steps to recover an accidental revocation:

List revoked certs in CRL to find the serial number:
# openssl crl -in /var/lib/puppet/ca/ca_crl.pem -noout -text
openssl crl -in ca/ca_crl.pem -noout -text
Certificate Revocation List (CRL):
    Version 2 (0x1)
...

Revoked Certificates:
    Serial Number: 11
        Revocation Date: Sep 25 14:50:35 2010 GMT
...
            Key Compromise
    Serial Number: 19
        Revocation Date: Sep 24 20:51:22 2010 GMT
...
            Key Compromise

This matches with the history in inventory.txt:
# Inventory of signed certificates
# SERIAL NOT_BEFORE NOT_AFTER SUBJECT
...
0x0011 2010-09-22T11:03:55GMT 2015-09-21T11:03:55GMT /CN=foo
...
0x0019 2010-09-23T20:50:28GMT 2015-09-22T20:50:28GMT /CN=puppetmaster.training

In this case 0x0019 was a mistake:
Remove both the ca_crl.pem and crl.pem, revoke all compromised certs
and skip the ones that were a mistake, and you are set:
# rm /var/lib/puppet/ca/ca_crl.pem
# rm /var/lib/puppet/crl.pem
# puppet cert --revoke foo
# openssl crl -in /var/lib/puppet/ca/ca_crl.pem -noout -text

At this point 0x0019 will no longer be in the list.

Thanks,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.
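
The cross-check between the CRL and inventory.txt described in the message above, as an added example that is not part of the original thread: openssl prints serials as bare hex (19) while inventory.txt stores them as 0x0019, so the script normalizes both before matching. The function names, the sample files and the 0x0012 entry are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): map revoked CRL serials to certnames.
# All sample data is constructed from the serials and names quoted above;
# the 0x0012 /CN=bar entry is invented to show a cert that was never revoked.

# Write the constructed sample files into directory $1.
write_sample() {
    cat > "$1/crl.txt" <<'EOF'
Certificate Revocation List (CRL):
    Version 2 (0x1)
Revoked Certificates:
    Serial Number: 11
        Revocation Date: Sep 25 14:50:35 2010 GMT
            Key Compromise
    Serial Number: 19
        Revocation Date: Sep 24 20:51:22 2010 GMT
            Key Compromise
EOF
    cat > "$1/inventory.txt" <<'EOF'
# Inventory of signed certificates
# SERIAL NOT_BEFORE NOT_AFTER SUBJECT
0x0011 2010-09-22T11:03:55GMT 2015-09-21T11:03:55GMT /CN=foo
0x0012 2010-09-22T12:00:00GMT 2015-09-21T12:00:00GMT /CN=bar
0x0019 2010-09-23T20:50:28GMT 2015-09-22T20:50:28GMT /CN=puppetmaster.training
EOF
}

# Print "SERIAL SUBJECT" (inventory form) for every cert listed in the CRL.
# $1 = saved output of `openssl crl -noout -text`, $2 = inventory.txt
revoked_subjects() {
    awk '
        # openssl prints "19", inventory.txt stores "0x0019": compare as
        # upper-case hex with the 0x prefix and leading zeros removed.
        function norm(s) {
            s = toupper(s)
            sub(/^0X/, "", s)
            sub(/^0+/, "", s)
            return (s == "") ? "0" : s
        }
        # First file: collect the revoked serials.
        FNR == NR {
            if ($1 == "Serial" && $2 == "Number:") revoked[norm($3)] = 1
            next
        }
        # Second file: skip comments and "..." style lines, print matches.
        /^#/ || NF < 4 { next }
        (norm($1) in revoked) { print $1, $4 }
    ' "$1" "$2"
}

# Print the certnames that have to be revoked again once ca_crl.pem and
# crl.pem are removed: everything in the old CRL except the serials passed
# as mistakes (given in inventory form, e.g. 0x0019).
names_to_rerevoke() {
    crl_text=$1
    inventory=$2
    shift 2
    mistakes=" $* "
    revoked_subjects "$crl_text" "$inventory" | while read -r serial subject; do
        case "$mistakes" in
            *" $serial "*) continue ;;
        esac
        printf '%s\n' "${subject#/CN=}"
    done
}

# Demo run on the constructed sample.
demo_dir=$(mktemp -d)
write_sample "$demo_dir"
echo "Revoked serials and their subjects:"
revoked_subjects "$demo_dir/crl.txt" "$demo_dir/inventory.txt"
echo "Revoke again after removing the CRL files (0x0019 was the mistake):"
names_to_rerevoke "$demo_dir/crl.txt" "$demo_dir/inventory.txt" 0x0019
rm -rf "$demo_dir"
```

On a real CA the first input is the saved output of the `openssl crl -in /var/lib/puppet/ca/ca_crl.pem -noout -text` command shown in the message, taken before the CRL files are removed.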



Re: [Puppet Users] certificate problem ; puppetca can't find cert request ?

2010-10-01 Thread Jeff McCune
On Oct 1, 2010, at 2:50 AM, Daniel Maher wrote:

> On 09/30/2010 05:49 PM, Nan Liu wrote:
>> On Thu, Sep 30, 2010 at 6:20 AM, Daniel Maher  wrote:
>>> I removed /var/lib/puppet/ssl/certs/.pem , then ran
>>> puppetd with --waitforcert.  Unfortunately, when i run a
>>> puppetca --list --all ,  is not listed, even though there
>>> is very clearly a request pem in /var/lib/puppet/ssl/certificate_requests .
>> 
>> So first back up your ssl dir, then try the following command:
>> 
>> puppetca --clean
>> puppetca --generate  --certdnsname="puppet;puppetmaster"
>> 
>> In certdnsname, provide a list of DNS cname to puppet master, and
>> include puppet for convenience.
>> 
> 
> Thank you for the advice ; unfortunately, as i had already revoked the 
> certificate, cleaning and re-issuing was not a possibility.  I ended up 
> biting the bullet and just wiping out and re-initialising the certificates 
> across the board.  Thank god for clusterssh.

You can re-issue a certificate with the same name as a revoked certificate 
without any issues.  You should never, ever have to wipe out certificates 
across the board.  If you do this, there's a solution to the problem you've 
likely overlooked.

> The moral of the story here, i suppose, is that /var/lib/puppet/ssl/ should 
> be backed up and set aside for every client (including the puppetmaster), and 
> that if certificates need to be re-issued from the ground-up, it's going to 
> be trouble.  This, i suppose, is why some people opt to move to an external 
> certificate provider within their organisation - it's really not a bad idea.

Again, you don't need to backup /var/lib/puppet/ssl on the clients, and in fact 
it's "best practice" from an SSL key management point of view not to do so 
because it fundamentally means copying the private keys somewhere else.

Consider host "jeff".  If I do puppetca --revoke jeff on the puppet ca, then 
ensure $cadir/certs/jeff.pem is not present on the ca, then wipe out $ssldir on 
the node "jeff" only (its certificate is revoked and invalid), you'll be able 
to go through the certificate signing process just as if "jeff" were a brand 
new node unknown to puppet.

> Finally, is "--certdnsname" documented anywhere ?  In 0.25.5, at least, 
> puppetca --help doesn't mention it, and neither does the manpage.  On the 
> puppet website, a search for "certdnsname" only leads to a reference in 
> Release_Notes.  If you already know to search for it, google will give you 
> some hits from the mailing list, and some blogs, but you have to know to look 
> for it in the first place. :P

certdnsnames (Note the plural form) is documented in the Configuration 
Reference at:

http://docs.puppetlabs.com/references/stable/configuration.html#certdnsnames

Hope this helps,
-Jeff




Re: [Puppet Users] Nagios Module and use of the @@ and <<||>> notation

2010-10-01 Thread Jeff McCune
On Sep 30, 2010, at 3:04 PM, Greg Haase wrote:
> I believe that in the past I was able to view this information on my puppet
> server with 
> 
> ralsh nagios_host
> 
> It would give me a listing of what was stored in nagios_host.  Now when I do
> this I see nothing.

I'm not sure if you mean that you expect ralsh nagios_host to return what has 
been exported and stored in the "storedconfig" SQL database, but if you do this 
isn't accurate.

ralsh nagios_host will use the resource abstraction layer to query the current 
state of all resources of type nagios_host as they exist, not as they're stored 
in the database.

Does the distinction make sense?  It might help to run "ralsh user" or "ralsh 
group" to see how the output compares to the resources as they exist on the 
system.

Hope this helps,
--
Jeff McCune




Re: [Puppet Users] Nagios Module and use of the @@ and <<||>> notation

2010-10-01 Thread Daniel Pittman
Greg Haase  writes:

> I am exporting my resources to the database. I can verify that this is
> occurring.  Yet I am not getting all of the
>
> Nagios_host <<|target ==nagios_hosts.${fqdn}.cfg|>>
>
> files written to my nagios server and I am interested in finding out how to
> trace down this functionality of the collection and exportation of resources
> so I can properly identify how/why it is not working in all of the cases.
>
> I guess if someone could point me to a basic model of this exportation and
> collection process I could work from there.  Is there any detailed writing
> about this?

Not other than what folks have pointed to already, I think.  I use this:

,[ client.pp ]
| @@file { "/etc/backuppc/${fqdn}.pl":
|   owner   => 'backuppc', group => 'www-data', mode => 0444,
|   content => template('backuppc/backuppc-client-config.pl.erb'),
|   tag => "backuppc-client-${backuppc_server}"
| }
`

,[ server.pp ]
|   File <<| tag == "backuppc-client-${fqdn}" |>> {
|     require => [Package["backuppc"], File["/etc/backuppc/SDBackupPC.pm"]],
|     notify  => Service["backuppc"],
|   }
`

...which works fine for our infrastructure.  It looks pretty much identical to
your code, but just in case. :)

Daniel
-- 
✣ Daniel Pittman  ✉ dan...@rimspace.net  ☎ +61 401 155 707
   ♽ made with 100 percent post-consumer electrons




Re: [Puppet Users] Re: Duplicating web servers

2010-10-01 Thread Daniel Pittman
James Turnbull  writes:
> Kikanny wrote:
>
>> Thank you all for taking your time to explain it to me. I guess I'll give
>> it a whirl and see how it goes. Another question I have is what if the
>> person managing a web server does not have full knowledge of whatever is
>> installed in a server or there was some other configuration management in
>> place. How would I bring that under puppet's control? I'm asking this
>> because we do have servers like that. Thanks!

Write down what you need the new server to do.  Then build something to do
that, using puppet, on a new system.

When that doesn't work (which, inevitably, it won't the first time) work out
what went wrong — was it your "what it does" notes, or the puppet side?

Fix that, and go back to the first step until it works. :)

> In the lack of full knowledge instance, "ralsh" is definitely your friend.
> It's a good tool to get the basics about a host.
>
> In the latter instance, I don't see that it matters if another configuration
> management system was in place - just remember to turn it off so you don't
> get conflicting management of resources!

*nod*  You might be able to read the "instructions" in the other configuration
management tool, though, to head-start building the puppet side of things.

Daniel
-- 
✣ Daniel Pittman  ✉ dan...@rimspace.net  ☎ +61 401 155 707
   ♽ made with 100 percent post-consumer electrons




Re: [Puppet Users] Nagios Module and use of the @@ and <<||>> notation

2010-10-01 Thread Greg Haase
Avi, 

I am exporting my resources to the database. I can verify that this is
occurring.  Yet I am not getting all of the

Nagios_host <<|target ==nagios_hosts.${fqdn}.cfg|>>

files written to my nagios server and I am interested in finding out how to
trace down this functionality of the collection and exportation of resources
so I can properly identify how/why it is not working in all of the cases.

I guess if someone could point me to a basic model of this exportation and
collection process I could work from there.  Is there any detailed writing
about this?

Greg




On 9/30/10 3:48 PM, "Avi Miller"  wrote:

> Greg Haase wrote:
>> Are you aware of any documentation that clearly explains how this
>> collect/export functionality works?
> 
> Exporting and collecting resources relies on stored configuration[1]
> being enabled on your Puppet Master. You should ensure that the database
> is configured and working before trying to export and collect resources.
> 
> Cheers,
> Avi
> 
> [1] 
> http://projects.puppetlabs.com/projects/1/wiki/Using_Stored_Configuration




Re: [Puppet Users] Re: How to check if a parameter is defined

2010-10-01 Thread Héctor Rivas Gándara
>> I think that add assertions would be a good idea. They could check
>> True/False conditions, if variables are defined or not, if objects are
>> defined... Is there any proposal about this?
>
> I think the problem with such things is that they are dependent on the
> order puppet evaluates the catalogue in, which is undefined. See
>
> http://docs.puppetlabs.com/references/stable/function.html#defined
>
> which does what you propose wrt. resources. An assert would be
>
> if !defined(Resource[...]) { fail "message" }
> but should not be used due to the order limitation.

Well, I suppose that the assert function that I propose is just
"syntax sugar", since it can be always expressed as an 'if' sentence.
But it could be useful to check the parameters needed in a module, for instance.

--
Atentamente
Héctor Rivas




Re: [Puppet Users] mount type attempting remount when ensure => present

2010-10-01 Thread Bruce Richardson
On Fri, Oct 01, 2010 at 08:55:34AM -0400, Rob McBroom wrote:
> I've added a use case to the bug report.
> 
> On Oct 1, 2010, at 4:30 AM, Bruce Richardson wrote:
> 
> > According to the online documentation (which is autogenerated), "Set to
> > present to add to fstab but not change mount/unmount status "
> 
> Where are you seeing that? For as long as I've used Puppet, the type 
> reference has said: “Set this attribute to present to make sure the 
> filesystem is in the filesystem table but not mounted (if the filesystem is 
> currently mounted, it will be unmounted).”

http://docs.puppetlabs.com/references/latest/type.html#mount

> 
> See 

Some inconsistency on the site, then.


-- 
Bruce

Remember you're a Womble.




[Puppet Users] Re: Duplicating web servers

2010-10-01 Thread Kikanny
I really appreciate your response Matt. It gave me a good insight on
the different steps I would have to do to get this working! Hopefully
I'll be able to go to the pub one day !!

On Oct 1, 11:34 am, Matt Wallace  wrote:
> On Friday 01 Oct 2010 15:01:25 Kikanny wrote:
>
> > Thank you all for taking your time to explain it to me. I guess I'll
> > give it a whirl and see how it goes. Another question I have is what
> > if the person managing a web server does not have full knowledge of
> > whatever is installed in a server or there was some other
> > configuration management in place. How would I bring that under
> > puppet's control? I'm asking this because we do have servers like
> > that. Thanks!
>
> 1) Get a list of running services/open ports
> 2) Get all the relevant configuration files for those services/ports
> 3) Get a list of all the cronjobs on that system and the commands that are run
> 4) Get a copy of all the scripts that are run by Cron
> 5) Create your puppet manifests using the crontab entries, scripts and config
> files as a reference
> 6) Put all your puppet manifests into git/svn/mercurial/etc.
> 7) Create a staging platform to test your manifests (just because puppet
> parses them correctly doesn't mean that they work!)
> 8) Test your manifests
> 9) Test your manifests
> 10) Test your manifests
> .
> 102) Test Your manifests
> 103) Checkout your manifests to your puppet master (provided they have passed
> the tests!)
> 104) run puppet on a single server and check that your manifests give the
> required results
> 105) Compare the server with one that is already working (but was not built by
> puppet) and try to discover why your puppet manifests aren't working in
> production when they worked in staging
> 106) Fix the issues
> 107) Run puppet again and check that everything now works
> 108) Lock down access to all your servers so the only way a change can be made
> is via GIT/SVN/Mercurial etc
> 109) Force commit messages for any changes to the config files
> 110) Use a web interface to git to track any changes
> 111) Go down the pub and buy your entire team a beer for helping you achieve
> the impossible.
>
> If it's of any help, after approx nine months, I'm at various stages of this
> process between 1 and 110 for the different services that we have here...
> we've still not made it down the pub yet... :(
>
> Cheers,
>
> M.




Re: [Puppet Users] Re: Duplicating web servers

2010-10-01 Thread Hunter Haugen
Also of note, if you're using Puppet 2.6.x then the command `ralsh`
from 0.25.x has been superseded by the `puppet resource` command.

-Hunter



On Fri, Oct 1, 2010 at 08:34, Matt Wallace  wrote:
> On Friday 01 Oct 2010 15:01:25 Kikanny wrote:
>> Thank you all for taking your time to explain it to me. I guess I'll
>> give it a whirl and see how it goes. Another question I have is what
>> if the person managing a web server does not have full knowledge of
>> whatever is installed in a server or there was some other
>> configuration management in place. How would I bring that under
>> puppet's control? I'm asking this because we do have servers like
>> that. Thanks!
>
> 1) Get a list of running services/open ports
> 2) Get all the relevant configuration files for those services/ports
> 3) Get a list of all the cronjobs on that system and the commands that are run
> 4) Get a copy of all the scripts that are run by Cron
> 5) Create your puppet manifests using the crontab entries, scripts and config
> files as a reference
> 6) Put all your puppet manifests into git/svn/mercurial/etc.
> 7) Create a staging platform to test your manifests (just because puppet
> parses them correctly doesn't mean that they work!)
> 8) Test your manifests
> 9) Test your manifests
> 10) Test your manifests
> .
> 102) Test Your manifests
> 103) Checkout your manifests to your puppet master (provided they have passed
> the tests!)
> 104) run puppet on a single server and check that your manifests give the
> required results
> 105) Compare the server with one that is already working (but was not built by
> puppet) and try to discover why your puppet manifests aren't working in
> production when they worked in staging
> 106) Fix the issues
> 107) Run puppet again and check that everything now works
> 108) Lock down access to all your servers so the only way a change can be made
> is via GIT/SVN/Mercurial etc
> 109) Force commit messages for any changes to the config files
> 110) Use a web interface to git to track any changes
> 111) Go down the pub and buy your entire team a beer for helping you achieve
> the impossible.
>
> If it's of any help, after approx nine months, I'm at various stages of this
> process between 1 and 110 for the different services that we have here...
> we've still not made it down the pub yet... :(
>
> Cheers,
>
> M.



Re: [Puppet Users] Re: Duplicating web servers

2010-10-01 Thread Matt Wallace
On Friday 01 Oct 2010 15:01:25 Kikanny wrote:
> Thank you all for taking your time to explain it to me. I guess I'll
> give it a whirl and see how it goes. Another question I have is what
> if the person managing a web server does not have full knowledge of
> whatever is installed in a server or there was some other
> configuration management in place. How would I bring that under
> puppet's control? I'm asking this because we do have servers like
> that. Thanks!

1) Get a list of running services/open ports
2) Get all the relevant configuration files for those services/ports
3) Get a list of all the cronjobs on that system and the commands that are run
4) Get a copy of all the scripts that are run by Cron
5) Create your puppet manifests using the crontab entries, scripts and config 
files as a reference
6) Put all your puppet manifests into git/svn/mercurial/etc.
7) Create a staging platform to test your manifests (just because puppet 
parses them correctly doesn't mean that they work!)
8) Test your manifests
9) Test your manifests
10) Test your manifests
.
102) Test Your manifests
103) Checkout your manifests to your puppet master (provided they have passed 
the tests!)
104) run puppet on a single server and check that your manifests give the 
required results
105) Compare the server with one that is already working (but was not built by 
puppet) and try to discover why your puppet manifests aren't working in 
production when they worked in staging
106) Fix the issues
107) Run puppet again and check that everything now works
108) Lock down access to all your servers so the only way a change can be made 
is via GIT/SVN/Mercurial etc
109) Force commit messages for any changes to the config files
110) Use a web interface to git to track any changes
111) Go down the pub and buy your entire team a beer for helping you achieve 
the impossible.

If it's of any help, after approx nine months, I'm at various stages of this 
process between 1 and 110 for the different services that we have here... we've 
still not made it down the pub yet... :(

Cheers,

M.




Re: [Puppet Users] Re: Duplicating web servers

2010-10-01 Thread James Turnbull

Kikanny wrote:

> Thank you all for taking your time to explain it to me. I guess I'll
> give it a whirl and see how it goes. Another question I have is what
> if the person managing a web server does not have full knowledge of
> whatever is installed in a server or there was some other
> configuration management in place. How would I bring that under
> puppet's control? I'm asking this because we do have servers like
> that. Thanks!



In the lack of full knowledge instance, "ralsh" is definitely your 
friend.  It's a good tool to get the basics about a host.


In the latter instance, I don't see that it matters if another 
configuration management system was in place - just remember to turn it 
off so you don't get conflicting management of resources!


Regards

James Turnbull




[Puppet Users] Re: Duplicating web servers

2010-10-01 Thread Kikanny
Thank you all for taking your time to explain it to me. I guess I'll
give it a whirl and see how it goes. Another question I have is what
if the person managing a web server does not have full knowledge of
whatever is installed in a server or there was some other
configuration management in place. How would I bring that under
puppet's control? I'm asking this because we do have servers like
that. Thanks!




Re: [Puppet Users] Duplicating web servers

2010-10-01 Thread Matt Wallace
On Friday 01 Oct 2010 14:27:38 Daniel Pittman wrote:
> On the plus side: it will make the *next* web server, after this one,
> really easy.  Like, five minutes of work easy.

I have to agree with this.  It's taken me the better part of two months (on 
and off) to get a mailserver manifest to mirror the manual (source based!) 
build process that we used to use working correctly.

Building from source used to take up to 6 hours.

Puppet and Cobbler take 11 minutes from bare metal to working server.

> Basically, what you need to do is go through your existing web server and
> for every single thing that is custom — every package, every path, every
> repo — and tell puppet how to put it in place.
> 
> Which means that you get to do all the work you would have to do for
> creating a new one by hand, only now you also get to tell puppet how to do
> it and build a bit of stuff around that.

Checkout "ralsh" as suggested and try to "normalise" your manifests in the 
same way you would a database - if it looks like it's duplicated across 
various systems, move it into a separate module.

Cheers,

 M.




RE: [Puppet Users] Duplicating web servers

2010-10-01 Thread Byron Pezan
the ralsh command may be of use in this situation.  ralsh will produce 
minimalist puppet code based on the existing configuration.  something like 
this may at least give you a good starting point, though i wouldn't recommend 
blindly running this code on another system.  you will want to verify and most 
likely edit the code first.

`ralsh -t` will list all available types
`ralsh $type` will spit out puppet code based on what it sees on the current 
system.

so on your existing webserver you could run something like this to see what 
puppet can model from the current systems config:

for x in `ralsh -t `; do echo "${x}"; code=$(ralsh "${x}"); if [ $? -eq 0 ]; 
then echo "${code}" >/root/"${x}".puppet; fi; echo; done

this isn't the ideal solution, but within the puppet paradigm it will work.

HTH and good luck


byron

-----Original Message-----
From: puppet-users@googlegroups.com [mailto:puppet-us...@googlegroups.com] On 
Behalf Of Kikanny
Sent: Friday, October 01, 2010 9:07 AM
To: Puppet Users
Subject: [Puppet Users] Duplicating web servers

Hi all. I'm a puppet noob and I've been tinkering with it for the past
couple of weeks. What I would like to do now is duplicate a web
server. So I have a web server running. I would like to make puppet to
duplicate this web server on another machine. This includes installing
the same packages, have the same directory structure, have the same
repository, etc., on the new server. I'm really not sure how to
proceed with this. Any starting tips would be greatly appreciated!




Re: [Puppet Users] Duplicating web servers

2010-10-01 Thread Daniel Pittman
Kikanny  writes:

> I'm a puppet noob and I've been tinkering with it for the past couple of
> weeks. What I would like to do now is duplicate a web server. So I have a
> web server running.

...and not built with puppet, right?

> I would like to make puppet to duplicate this web server on another
> machine. This includes installing the same packages, have the same directory
> structure, have the same repository, etc., on the new server. I'm really not
> sure how to proceed with this. Any starting tips would be greatly
> appreciated!

Well, the sad thing is that puppet is going to make this specific job harder
than just sitting down and doing it all by hand.  Which, I imagine, is not the
news you wanted to hear. :)

On the plus side: it will make the *next* web server, after this one, really
easy.  Like, five minutes of work easy.


Basically, what you need to do is go through your existing web server and for
every single thing that is custom — every package, every path, every repo —
and tell puppet how to put it in place.

Which means that you get to do all the work you would have to do for
creating a new one by hand, only now you also get to tell puppet how to do it
and build a bit of stuff around that.


There isn't much of a shortcut to getting through this[1], and it usually takes
about ten or twenty percent more time than just doing it would once you know
puppet.  Budget a little more on top of that for learning puppet.


What you really get benefits from is that a whole bunch of that work will be
the same stuff you want on a file server, or a database server, or whatever.

So, building one of those, or reusing it to build another web server after
this one, is super-easy and much faster.

Daniel

Plus, now you can make *both* web servers run the same puppet stuff, so when
you fix a problem or make a new website on one you can have the other pick it
up exactly the same (or as different) as you want.

Footnotes: 
[1]  ...though you might want to investigate the ralsh tool, shipped with
 puppet, which might make some of the manual work easier.

-- 
✣ Daniel Pittman  ✉ dan...@rimspace.net  ☎ +61 401 155 707
   ♽ made with 100 percent post-consumer electrons




Re: [Puppet Users] Duplicating web servers

2010-10-01 Thread Felix Frank
On 10/01/2010 03:07 PM, Kikanny wrote:
> Hi all. I'm a puppet noob and I've been tinkering with it for the past
> couple of weeks. What I would like to do now is duplicate a web
> server. So I have a web server running. I would like to make puppet to
> duplicate this web server on another machine. This includes installing
> the same packages, have the same directory structure, have the same
> repository, etc., on the new server. I'm really not sure how to
> proceed with this. Any starting tips would be greatly appreciated!
> 

Hi,

step one is to build a puppet manifest that "mirrors" your existing
server in that puppet will, when run on your server, do nothing. The
tricky part is to include everything you really need. There is no
automatism that will tell if you have.

Once the manifest is complete, run puppet on a fresh machine so that
puppet will take care to set everything up. This fresh server is your
"duplicate" then.

Typically, you will not want puppet to manage the web contents of your
application. There are solutions that are fitted better for such things
(source control systems, network file systems etc.)

HTH,
Felix




Re: [Puppet Users] Re: Installing puppet 0.25.5 on SLES 9 64bit

2010-10-01 Thread Thorsten Biel

Hi,

I have a self-packaged Ruby 1.8.7 running on SLES9 64bit. If you wish, I can 
send you the binary RPMs (rather large), if building the package isn't your cup 
of tea.

Anybody else interested in the Spec file or binaries?

Cheers,
-Thorsten


On 1 Oct 2010, at 13:27, Christian  wrote:

> Sandor,
> 
> I'm not sure if it is a SUSE problem. As described the same setup
> works perfectly on SLES 9 32 bit workstations. I more think there is
> something wrong with the 64 bit rpms or the 64 bit ruby version.
> 
> I used now the ldd command to list the libraries ruby is linked
> against.
> As you recognized already the openssl is actually not linked to ruby.
> 
> libdl.so.2 => /lib64/libdl.so.2 (0x002a9566d000)
> libcrypt.so.1 => /lib64/libcrypt.so.1 (0x002a9577)
> libm.so.6 => /lib64/tls/libm.so.6 (0x002a958a8000)
> libc.so.6 => /lib64/tls/libc.so.6 (0x002a95a0)
> /lib64/ld-linux-x86-64.so.2 (0x002a95556000)
> 
> Your solution suggestion i don't understand completely ...
> $ ruby -e 'require "openssl"; puts OpenSSL::Digest::MD5.digest "foo"'
> 
> Which term i should use to replace "foo"? Sorry i'm not (yet) a ruby
> expert.
> 
> Christian
> 
> 
> 
> 
> On Oct 1, 8:50 am, Sandor Szuecs  wrote:
>> On Oct 1, 2010, at 10:29 AM, Christian wrote:
>> 
>>> Some idea how to solve that problem and how i can make the
>>> ./openssl.so loadable?
>> 
>> You can try the following:
>> $ ruby -e 'require "openssl"; puts OpenSSL::Digest::MD5.digest "foo"'
>> 
>> Is your ruby installation linked against openssl.so?
>> 
>> I am not sure if it should be, because on my system it's not linked or I
>> just do not understand how it is working.
>> $ otool -L /usr/bin/ruby
>> /usr/bin/ruby:
>>         /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/libruby.1.dylib (compatibility version 1.8.0, current version 1.8.7)
>>         /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 125.2.0)
>> 
>> Anyway in my opinion this should be fixed by the SuSe team.
>> 
>> All the best, Sandor Szücs
>> --
> 




Re: [Puppet Users] Re: How to check if a parameter is defined

2010-10-01 Thread Felix Frank
On 10/01/2010 02:30 PM, Héctor Rivas Gándara wrote:
>> How can I check whether a parameter is defined or not. For instance a
>> function that would fail (with a parser error) if the variable is not
>> defined:
>>
>> check_defined($avar) or check_defined("$avar")
> 
> I answer myself, one way would be:
> 
>if $avar == undef { fail("'avar' not defined") }
> 
> I think that assertions would be even better:
> 
>assert($avar != undef)
> 
> or
>assert($avar)
> 
> 
> I think that adding assertions would be a good idea. They could check
> True/False conditions, if variables are defined or not, if objects are
> defined... Is there any proposal about this?

I think the problem with such things is that they are dependent on the
order puppet evaluates the catalogue in, which is undefined. See

http://docs.puppetlabs.com/references/stable/function.html#defined

which does what you propose wrt. resources. An assert would be

if !defined(Resource[...]) { fail "message" }

but should not be used due to the order limitation.

Regards,
Felix




[Puppet Users] Duplicating web servers

2010-10-01 Thread Kikanny
Hi all. I'm a puppet noob and I've been tinkering with it for the past
couple of weeks. What I would like to do now is duplicate a web
server. So I have a web server running. I would like to make puppet to
duplicate this web server on another machine. This includes installing
the same packages, have the same directory structure, have the same
repository, etc., on the new server. I'm really not sure how to
proceed with this. Any starting tips would be greatly appreciated!




Re: [Puppet Users] mount type attempting remount when ensure => present

2010-10-01 Thread Rob McBroom
I've added a use case to the bug report.

On Oct 1, 2010, at 4:30 AM, Bruce Richardson wrote:

> According to the online documentation (which is autogenerated), "Set to
> present to add to fstab but not change mount/unmount status "

Where are you seeing that? For as long as I've used Puppet, the type reference 
has said: “Set this attribute to present to make sure the filesystem is in the 
filesystem table but not mounted (if the filesystem is currently mounted, it 
will be unmounted).”

See 

-- 
Rob McBroom





[Puppet Users] Re: How to check if a parameter is defined

2010-10-01 Thread Héctor Rivas Gándara
> How can I check whether a parameter is defined or not. For instance a
> function that would fail (with a parser error) if the variable is not
> defined:
>
> check_defined($avar) or check_defined("$avar")

I answer myself, one way would be:

   if $avar == undef { fail("'avar' not defined") }

I think that assertions would be even better:

   assert($avar != undef)

or
   assert($avar)


I think that adding assertions would be a good idea. They could check
True/False conditions, if variables are defined or not, if objects are
defined... Is there any proposal about this?

--
Atentamente
Héctor Rivas



2010/10/1 Héctor Rivas Gándara :
> Fast question:
>
> How can I check whether a parameter is defined or not. For instance a
> function that would fail (with a parser error) if the variable is not
> defined:
>
> check_defined($avar) or check_defined("$avar")
>
> --
> Atentamente
> Héctor Rivas
>




Re: [Puppet Users] Re: Installing puppet 0.25.5 on SLES 9 64bit

2010-10-01 Thread Sandor Szuecs

On Oct 1, 2010, at 1:27 PM, Christian wrote:
> 
> Your solution suggestion i don't understand completely ...
> $ ruby -e 'require "openssl"; puts OpenSSL::Digest::MD5.digest "foo"'
> 
> Which term i should use to replace "foo"? Sorry i'm not (yet) a ruby
> expert.

Sorry, it was not a solution suggestion. I thought you should test if
you can use ruby's openssl bindings. The one-liner just tests this. I
should have been more explicit in my last e-mail. If this line does not
return an error, then the openssl part of your 64 bit ruby installation
seems to be ok.

I really have no idea how to fix your issue. Maybe you can e-mail the
maintainer of your package. He/She should know how to fix it.

All the best, Sandor Szücs
--
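
The check discussed in this thread, expanded into an added example that is not part of the original posts: Ruby's openssl support is an extension file loaded at `require` time, so it does not appear in `ldd` output for the `ruby` binary itself. The helper names `extension_candidates` and `probe_extension` are hypothetical; the script separates "no such file on the load path" from "file present but it fails to load".

```ruby
require "rbconfig"

# Shared-object suffix for this platform ("so" on Linux, "bundle" on macOS).
DLEXT = RbConfig::CONFIG["DLEXT"]

# Every file on $LOAD_PATH that `require name` could pick up.
def extension_candidates(name)
  $LOAD_PATH.map { |dir|
    ["#{name}.#{DLEXT}", "#{name}.rb"].map { |f| File.join(dir.to_s, f) }
  }.flatten.select { |path| File.file?(path) }
end

# Attempt the require and classify the outcome (hypothetical helper):
#   :ok                   - the library loaded
#   :not_on_load_path     - no matching file in any $LOAD_PATH directory
#   :found_but_unloadable - a file exists, but loading it failed, for example
#                           because the dynamic linker could not resolve a
#                           library the extension itself depends on
def probe_extension(name)
  found = extension_candidates(name)
  begin
    require name
    { :status => :ok, :candidates => found, :error => nil }
  rescue LoadError => e
    status = found.empty? ? :not_on_load_path : :found_but_unloadable
    { :status => status, :candidates => found, :error => e.message }
  end
end

if __FILE__ == $PROGRAM_NAME
  result = probe_extension("openssl")
  puts "status:     #{result[:status]}"
  puts "candidates: #{result[:candidates].inspect}"
  puts "error:      #{result[:error]}" if result[:error]
  puts "library:    #{OpenSSL::OPENSSL_VERSION}" if result[:status] == :ok
end
```

On a `:found_but_unloadable` result, running `ldd` against the listed candidate file, rather than against the `ruby` binary, shows which of the extension's own dependencies cannot be resolved.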




[Puppet Users] How to check if a parameter is defined

2010-10-01 Thread Héctor Rivas Gándara
Fast question:

How can I check whether a parameter is defined or not. For instance a
function that would fail (with a parser error) if the variable is not
defined:

check_defined($avar) or check_defined("$avar")

--
Atentamente
Héctor Rivas




[Puppet Users] Re: Installing puppet 0.25.5 on SLES 9 64bit

2010-10-01 Thread Christian
Sandor,

I'm not sure if it is a SUSE problem. As described the same setup
works perfectly on SLES 9 32 bit workstations. I more think there is
something wrong with the 64 bit rpms or the 64 bit ruby version.

I used now the ldd command to list the libraries ruby is linked
against.
As you recognized already the openssl is actually not linked to ruby.

libdl.so.2 => /lib64/libdl.so.2 (0x002a9566d000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x002a9577)
libm.so.6 => /lib64/tls/libm.so.6 (0x002a958a8000)
libc.so.6 => /lib64/tls/libc.so.6 (0x002a95a0)
/lib64/ld-linux-x86-64.so.2 (0x002a95556000)

Your solution suggestion i don't understand completely ...
$ ruby -e 'require "openssl"; puts OpenSSL::Digest::MD5.digest "foo"'

Which term i should use to replace "foo"? Sorry i'm not (yet) a ruby
expert.

Christian




On Oct 1, 8:50 am, Sandor Szuecs  wrote:
> On Oct 1, 2010, at 10:29 AM, Christian wrote:
>
> > Some idea how to solve that problem and how i can make the
> > ./openssl.so loadable?
>
> You can try the following:
> $ ruby -e 'require "openssl"; puts OpenSSL::Digest::MD5.digest "foo"'
>
> Is your ruby installation linked against openssl.so?
>
> I am not sure if it should be, because on my system it's not linked or I
> just do not understand how it is working.
> $ otool -L /usr/bin/ruby
> /usr/bin/ruby:
>         /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/libruby.1.dylib (compatibility version 1.8.0, current version 1.8.7)
>         /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 125.2.0)
>
> Anyway in my opinion this should be fixed by the SuSe team.
>
> All the best, Sandor Szücs
> --




Re: [Puppet Users] certificate problem ; puppetca can't find cert request ?

2010-10-01 Thread Daniel Maher

On 09/30/2010 05:49 PM, Nan Liu wrote:
> On Thu, Sep 30, 2010 at 6:20 AM, Daniel Maher  wrote:
>> I removed /var/lib/puppet/ssl/certs/.pem , then ran
>> puppetd with --waitforcert.  Unfortunately, when i run a
>> puppetca --list --all ,  is not listed, even though there
>> is very clearly a request pem in /var/lib/puppet/ssl/certificate_requests .
>
> So first back up your ssl dir, then try the following command:
>
> puppetca --clean
> puppetca --generate  --certdnsname="puppet;puppetmaster"
>
> In certdnsname, provide a list of DNS cname to puppet master, and
> include puppet for convenience.


Thank you for the advice ; unfortunately, as i had already revoked the 
certificate, cleaning and re-issuing was not a possibility.  I ended up 
biting the bullet and just wiping out and re-initialising the 
certificates across the board.  Thank god for clusterssh.


The moral of the story here, i suppose, is that /var/lib/puppet/ssl/ 
should be backed up and set aside for every client (including the 
puppetmaster), and that if certificates need to be re-issued from the 
ground-up, it's going to be trouble.  This, i suppose, is why some 
people opt to move to an external certificate provider within their 
organisation - it's really not a bad idea.


Finally, is "--certdnsname" documented anywhere ?  In 0.25.5, at least, 
puppetca --help doesn't mention it, and neither does the manpage.  On 
the puppet website, a search for "certdnsname" only leads to a reference 
in Release_Notes.  If you already know to search for it, google will 
give you some hits from the mailing list, and some blogs, but you have 
to know to look for it in the first place. :P


Thanks again.

--
Daniel Maher 
"The Internet is completely over." -- Prince




Re: [Puppet Users] Re: Installing puppet 0.25.5 on SLES 9 64bit

2010-10-01 Thread Sandor Szuecs

On Oct 1, 2010, at 10:29 AM, Christian wrote:

> Some idea how to solve that problem and how i can make the
> ./openssl.so loadable?


You can try the following:
$ ruby -e 'require "openssl"; puts OpenSSL::Digest::MD5.digest "foo"'

Is your ruby installation linked against openssl.so?

I am not sure if it should be, because on my system it's not linked or I
just do not understand how it is working.
$ otool -L /usr/bin/ruby
/usr/bin/ruby:
        /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/libruby.1.dylib (compatibility version 1.8.0, current version 1.8.7)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 125.2.0)


Anyway in my opinion this should be fixed by the SuSe team.


All the best, Sandor Szücs
--




Re: [Puppet Users] mount type attempting remount when ensure => present

2010-10-01 Thread Bruce Richardson
On Thu, Sep 30, 2010 at 02:13:08PM -0400, Rob McBroom wrote:
> 
> According to the documentation, that's how `ensure => present` is
> supposed to work, though I can't imagine the use case for “put it in
> fstab but make sure it's never mounted”.

According to the online documentation (which is autogenerated), "Set to
present to add to fstab but not change mount/unmount status "

Which is the opposite of what you say it is doing.  But I believe you,
because I know I've seen this behaviour reported before, although it may
have been on this list and not in a bug report.

-- 
Bruce

I see a mouse.  Where?  There, on the stair.  And its clumsy wooden
footwear makes it easy to trap and kill.  -- Harry Hill




[Puppet Users] Re: Installing puppet 0.25.5 on SLES 9 64bit

2010-10-01 Thread Christian
Thanks to Sandor's suggestion i was able to run facter. By running
puppetd with the right ruby path a new error message appeared.

It seems that the ./openssl.so library can't be found.

Following message appears:
Cannot open shared object file: No such file or directory - ./openssl.so (LoadError)

The file openssl.so i was able to find on the system so i pointed also
a second ruby loadpath on that folder. However without success...

Some idea how to solve that problem and how i can make the
./openssl.so loadable?

Christian

On 30 Sep., 10:26, Sandor Szuecs  wrote:
> On Sep 29, 2010, at 3:45 PM, Christian wrote:
>
> > /usr/sbin/puppetd:159:in `require': No such file to load -- puppet/application/puppetd (LoadError)
> >        from /usr/sbin/puppetd:159
>
> > What went wrong here? Is there a bug in the rpm? Or do i have to set a
> > path somewhere?
>
> It seems you have to set the ruby loadpath, $:, yourself to the folder
> where the files puppet.rb and facter.rb are.
> You can add a load path with `ruby -Ipath/to/load` or add it to GEM_PATH
> env variable. You can add a path to $GEM_PATH separated with ':', like
> bash/zsh $PATH.
>
> All the best, Sandor Szücs
> --




Re: [Puppet Users] mount type attempting remount when ensure => present

2010-10-01 Thread Felix Frank
On 10/01/2010 02:41 AM, John Warburton wrote:
> http://projects.puppetlabs.com/issues/4904

Thanks.

> Can Felix & Rob update the ticket with your use cases and requests?

Done. I hope I could generalize the problem somewhat (yes, in this case
that's a good thing ;-)

Cheers,
Felix
