[Puppet Users] Managing private key files; content=file vs. binary content.

2010-11-10 Thread Chris
Hi all,

We use puppet for, amongst other things, managing the private-key
files needed for things like SSL certificates for HTTPS web servers.
We have a few constraints on how these are handled, and changes in
recent versions of puppet are making this harder than it perhaps ought
to be to implement, so I'm curious to know how others are handling it.

A site's private key file should obviously be kept private, and only
those nodes which are running the site should have access to it. This
would seem to rule out using something like

file { '/path/to/foo.key': source => 'puppet:///keys/foo.key' }, because
any valid puppet client could access foo.key.

It's possible to secure the file server, but not (as far as I can see)
in a way which is aware of the node's manifest. So either we'd have to
keep updating auth.conf with a list of nodes that were allowed to
access each key file (error-prone, we have hundreds of both, and the
node => required keys relationship is many-to-many), or accept that
other nodes could access keys that they shouldn't be able to.

So, we currently do this:

file { '/path/to/foo.key': content => file('/keys/foo.key') }

Since (AIUI) nodes can only access the catalog for the FQDN which
matches their certificate, the puppetmaster will ensure that the key
is available only to the hosts that need it.

All good, except that in 0.25 and up (which we're slowly migrating
to), this often doesn't work. The REST APIs require UTF-8 content, and
keys are binary, so catalog requests fail if the key happens to
contain bytes which aren't valid UTF-8.
(http://projects.puppetlabs.com/issues/4832 talks about this a bit, and
includes the observation that "So there's a design decision after all:
If PSON is to be JSON compatible – no binary data.")

How are other people getting around this? Do you just allow all
clients to access all keys? Is there a native type, or an auth.conf
trick, that I'm missing? Or a more binary-friendly encoding than
JSON/PSON?

thanks!

Chris

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.



Re: [Puppet Users] Managing private key files; content=file vs. binary content.

2010-11-10 Thread Thomas Bendler
Hi Chris,

2010/11/10 Chris chrisma...@gmail.com

 [...]
 file { '/path/to/foo.key': source => 'puppet:///keys/foo.key' }, because
 any valid puppet client could access foo.key.
 [...]



you are not stuck with the puppet file server; you can also use something
like this:

file {
  '/path/to/file':
    source => "/nfs/$host/file";
}

Make an export for each connected server and restrict access to this one.
Put all private files on the NFS server and you're done.

Kind regards, Thomas




[Puppet Users] Re: agent needs to make two runs before master compiles new catalog

2010-11-10 Thread luke.bigum
I've seen the same issue as well. I just tested then, adding a simple
notify resource to a node and it took three consecutive runs of
puppetd before the message appeared:

# puppetd --test
info: Retrieving plugin
info: Caching catalog for puppet-master-01
info: Applying configuration version '1289376693'
notice: Finished catalog run in 30.24 seconds
# puppetd --test
info: Retrieving plugin
info: Caching catalog for puppet-master-01
info: Applying configuration version '1289377768'
notice: Finished catalog run in 24.98 seconds
# puppetd --test
info: Retrieving plugin
info: Caching catalog for puppet-master-01
info: Applying configuration version '1289379786'
notice: foo
notice: /Stage[main]//Node[puppet-master-01]/Notify[test]/message: defined 'message' as 'foo'
notice: Finished catalog run in 26.46 seconds


# /opt/ruby-enterprise/bin/gem list

*** LOCAL GEMS ***

facter (1.5.8)
fastthread (1.0.7)
mysql (2.8.1)
passenger (2.2.9)
puppet (2.6.2)
rack (1.1.0)
rake (0.8.7)


On Nov 9, 9:08 pm, Jeremy Carroll phobos...@gmail.com wrote:
 I am having the same issue, and am running about the same stack.

 CentOS 5.5

 facter (1.5.8)
 fastthread (1.0.7)
 passenger (2.2.15)
 puppet (2.6.2)
 puppet-module (0.3.0)
 rack (1.1.0)
 rake (0.8.7)
 stomp (1.1.6)

 On Tue, Nov 9, 2010 at 2:50 PM, Kent kentmshu...@gmail.com wrote:
  Patrick, thanks for the speedy reply once again.

  I'm using RHEL5 and Puppet 2.6.1, Passenger 2.2.7, Rack 1.1.0.

  From what I've read in this group and in Puppet Labs docs/wikis,
  Debian/Ubuntu users do seem to have an easier time generally than
  CentOS/Red Hat :-\

  Can I pass my command-line options to Puppetmasterd in the config.ru
  file?

  -Kent

  On Nov 9, 10:53 am, Patrick kc7...@gmail.com wrote:
   On Nov 9, 2010, at 9:34 AM, Kent wrote:

On Nov 8, 11:07 am, Patrick kc7...@gmail.com wrote:
On Nov 8, 2010, at 9:10 AM, Kent wrote:

Hi all,

I'm a new puppet user and new to the forum.

I just switched my Puppetmaster to running inside Apache (via
Passenger). When I make a change to a resource on the master, it
sometimes takes a given node TWO runs before the master will realize
the resource has changed and recompile a new catalog version for the
node. For example, say my puppetmaster is serving configuration
version '123' to a node. I change the file permissions for a file
resource that's part of that catalog and then do a puppet run on the
node. If I'm running with Passenger, the master serves config version
'123' one more time (the agent makes no changes). The next time I run
the node's agent, the master compiles new catalog version '456' and
the agent makes the permission change.

A few items of note:

1.  This is not a problem with all changes to puppet module content.
For example, if I change the source contents of a file in the 'files'
directory of a module, the master will notice this immediately and the
puppet agent on the node will grab the new file on the first run
following the change on the master.

Fact:
Files sent using source aren't part of the catalog.  Instead, the
client asks the server for them while the client is using the catalog and
not during the compilation done on the server.

Speculation:
I would guess this is because the problem you are having is happening
during the compilation on the server.

2.  At first I thought maybe this was a timing issue (e.g. I was doing
the puppet run too quickly after making the resource change) but it's
not; whether I wait 5 seconds or 5 minutes before making the first
puppet run, the master still doesn't notice the change.  I set the
'filetimeout' setting in /etc/puppet/puppet.conf to 0 and it didn't
help.

Any ideas on what's going on here? (thanks in advance for your help)

Ahh, Ok, that makes sense. The source files are not part of the
manifests, just pointed to by them.

However, I am still having a problem with changed manifests not
getting noticed by the Puppetmaster until the second run after it's
been changed. This is only a problem when running puppetmaster as a
rack app inside Apache. Of course, if I restart Apache it will serve
up the most recent manifests on the first puppet run that connects to
it, but it would be irritating to have to restart httpd every time I
want to make a change to a module/manifest.

I also tried setting the puppet.conf option 'ignorecache = true' to no
avail. (side note: on the servertype option in puppet.conf, official
documentation still states that the only valid modes are 'webrick' and
'mongrel'. What is the appropriate mode for running with passenger?)

   My puppetmaster is working fine and that option isn't set which means
   it's defaulting to webrick.

Final note: The puppetmaster always logs that it has compiled a
catalog and expired the cached one, even on the first runs where the

[Puppet Users] Re: Managing private key files; content=file vs. binary content.

2010-11-10 Thread Chris
Hi Thomas

On Nov 10, 12:44 pm, Thomas Bendler thomas.bend...@cimt.de wrote:
 Hi Chris,

 2010/11/10 Chris chrisma...@gmail.com

  [...]
  file { '/path/to/foo.key': source => 'puppet:///keys/foo.key' }, because
  any valid puppet client could access foo.key.
  [...]

 you are not sticked to the puppet file server, you can also use something
 like this:

 file {
   '/path/to/file':
     source => "/nfs/$host/file";
 }

 Make an export for each connected server and restrict access to this one.
 Put all private files on the NFS server and you're done.


Yes, except that approach suffers from the same administrative
problems as using puppet:/// and auth.conf. HTTPS certs aren't
specific to hosts. If I have 20 servers all requiring foo.key (because
they all have the foo-application class in their manifest), then
either I have to copy foo.key into 20 different directories, or else
have one export with 20 allowed hosts. And every time I add the
foo-application class to another host, I need to remember to also expose
the key to that host. With large numbers of keys and hosts, and
moderate levels of churn, this becomes difficult to manage and prone
to errors.

The puppetmaster knows which hosts are allowed foo.key - i.e. all
the hosts which include the foo-application class. It seems wrong that
I should have to manually duplicate that information somewhere else,
be it in an NFS exports list or an auth.conf file.

I suppose I could do something hacky with storeconfigs to update the
exports on the NFS server when a new host is brought online - but it
doesn't seem like a very nice solution. It would lead to the first
puppet run failing because the exports weren't yet updated, for one
thing.

Thanks!

Chris




[Puppet Users] use current array element when declaring multiple resources using an array

2010-11-10 Thread luke.bigum
Hi list,

When declaring multiple resources at once with an array like this:

file { [ 'foo', 'bar' ]: ... }

Is there a way to access the current array element so as to pass this
value as a parameter? So the foo resource has a parameter value
foo and bar with a parameter value bar?

This is a broken example showing that Puppet looks to be evaluating
owner => $array1 in its entirety (and perhaps only taking the first
element for a File resource?):

  $array1 = [ '/tmp/one', '/tmp/two', '/tmp/three' ]
  file { $array1:
    ensure => present,
    owner  => $array1,
  }

err: /Stage[main]/Test/File[/tmp/three]: Could not evaluate: Could not
find user /tmp/one
err: /Stage[main]/Test/File[/tmp/two]: Could not evaluate: Could not
find user /tmp/one
err: /Stage[main]/Test/File[/tmp/one]: Could not evaluate: Could not
find user /tmp/one

What I want to see is:

err: /Stage[main]/Test/File[/tmp/three]: Could not evaluate: Could not
find user /tmp/three
err: /Stage[main]/Test/File[/tmp/two]: Could not evaluate: Could not
find user /tmp/two
err: /Stage[main]/Test/File[/tmp/one]: Could not evaluate: Could not
find user /tmp/one

Is there an equivalent of Perl's $_ variable? Perhaps with some
inline_template Ruby magic? This would make some config I'm trying to
write a great deal more concise.




Re: [Puppet Users] Managing private key files; content=file vs. binary content.

2010-11-10 Thread Richard Crowley
 All good, except that in 0.25 and up (which we're slowly migrating
 to), this often doesn't work. The REST APIs require UTF-8 content, and
 keys are binary, so catalog requests fail if the key happens to
 contain bytes which aren't valid UTF-8.
 (http://projects.puppetlabs.com/issues/4832 talks about this a bit, and
 includes the observation that "So there's a design decision after all:
 If PSON is to be JSON compatible – no binary data.")

 How are other people getting around this? Do you just allow all
 clients to access all keys? Is there a native type, or an auth.conf
 trick, that I'm missing? Or a more binary-friendly encoding than
 JSON/PSON?

I also suffer from this problem distributing binary GPG private keys.
I would propose Puppet automatically base-64 encode/decode when a
parameter's value (in this case a file's content but it could be
anything) does not contain valid UTF-8 bytes.  Would that fix the
problem completely?  Would it break anything?


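The proposal in Richard's reply, worked through as an added example in plain Ruby (this is not Puppet's code and Puppet 2.6 did not do this): the master tags each parameter value with a transport encoding, carries anything that is not valid UTF-8 as base64 so the JSON/PSON document stays well-formed, and the agent side restores the exact bytes. The `'encoding'`/`'content'` hash layout, the helper names and the sample key bytes are assumptions of this example.

```ruby
require 'json'

# Constructed sample: the first bytes of a DER-style structure, followed by
# bytes that can never occur in valid UTF-8 (0xFF, 0xFE, a lone 0x80).
SAMPLE_KEY = "\x30\x82\x01\x22\x02\x01\x00\xff\xfe\x80".b

# True when the byte string can be carried verbatim inside a UTF-8 document.
def utf8_safe?(bytes)
  bytes.dup.force_encoding(Encoding::UTF_8).valid_encoding?
end

# Master side: pick the transport encoding per value rather than per file
# type, so a value that happens to be UTF-8-clean is not inflated by a third.
def encode_for_catalog(bytes)
  if utf8_safe?(bytes)
    { 'encoding' => 'utf-8', 'content' => bytes.dup.force_encoding(Encoding::UTF_8) }
  else
    # 'm0' is strict base64: no line breaks, so the value survives any JSON writer.
    { 'encoding' => 'base64', 'content' => [bytes].pack('m0') }
  end
end

# Agent side: restore the exact bytes. Unknown encodings are rejected rather
# than guessed, because a private key written with the wrong bytes fails late
# (at TLS handshake time), not at catalog-apply time.
def decode_from_catalog(param)
  case param['encoding']
  when 'base64' then param['content'].unpack1('m0') # ArgumentError on malformed input
  when 'utf-8'  then param['content'].b
  else raise ArgumentError, "unknown transport encoding #{param['encoding'].inspect}"
  end
end

# Full round trip through a JSON document, shaped like a file resource would be.
def round_trip(bytes)
  resource = { 'path' => '/path/to/foo.key', 'content' => encode_for_catalog(bytes) }
  wire = JSON.generate('file' => resource)
  decode_from_catalog(JSON.parse(wire)['file']['content'])
end

if __FILE__ == $PROGRAM_NAME
  puts "sample key is UTF-8 safe: #{utf8_safe?(SAMPLE_KEY)}"
  puts "chosen encoding: #{encode_for_catalog(SAMPLE_KEY)['encoding']}"
  puts "round trip intact: #{round_trip(SAMPLE_KEY) == SAMPLE_KEY}"
end
```

Base64 only solves the encoding problem; it adds no confidentiality. The key is still protected only by the property Chris relies on above: the catalog containing it is served over TLS solely to the node whose certificate matches the FQDN.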


[Puppet Users] Custom facts in current and old environments

2010-11-10 Thread Klaus Ethgen
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hello,

I read that there are several problems with custom facts on this list.
However, none of them matches my task exactly, so I start another. (The topic
»custom facts in legacy puppet 0.24.[89]« might be the same issue
but it got no answer.)

My problem is that I have to serve clients with different versions of
puppet. The systems running ubuntu with 0.25.4 work perfectly, but I have
problems bringing custom facts to the systems running silly SLES 11.1
with puppet version 0.24.8.

The first thing that I recognised is that puppet itself deletes
/var/lib/puppet/lib/facter at the very beginning of every puppet run:
   debug: /File[/var/lib/puppet/lib]: Changing checksum
   debug: /File[/var/lib/puppet/lib]: 1 change(s)
   debug: /File[/var/lib/puppet/lib]/checksum: Replacing /var/lib/puppet/lib checksum {mtime}Wed Nov 10 15:51:11 +0100 2010 with {mtime}Wed Nov 10 16:27:14 +0100 2010
   notice: /File[/var/lib/puppet/lib]/checksum: checksum changed '{mtime}Wed Nov 10 15:51:11 +0100 2010' to '{mtime}Wed Nov 10 16:27:14 +0100 2010'
   debug: /File[/var/lib/puppet/lib/facter]: Changing ensure
   debug: /File[/var/lib/puppet/lib/facter]: 1 change(s)
   debug: /File[/var/lib/puppet/lib/facter]: Removing existing directory for replacement with absent
   notice: /File[/var/lib/puppet/lib/facter]/ensure: removed

As that alarmed me, I looked but did not find any location where the file
/var/lib/puppet/lib/facter is defined, in any manifest, module or the source
of puppet. So my first question is: where does puppet get this file
resource from? And why does it decide that it has to remove it? (By the
way, it seems that this path is only purged when »factsync = true« is in
/etc/puppet/puppet.conf.)

When I try to ensure that the directory exists, it is deleted at the
beginning of every run and created at the end. But it is always
empty.

Another point that I found in the debug log is that sometimes there is an
error about a non-existent (not mounted) /facts on the puppetmaster. (The
client prints that; the master works fine.) I tried with and without a
»[facts]« section in /etc/puppet/fileserver.conf. Both work well with
clients of version 0.25.4 but neither works with version 0.24.8. (Well, the
error message is different, but the result is the same.)
   err: /File[/var/lib/puppet/facts]: Failed to generate additional resources during transaction: Fileserver module 'facts' not mounted
and/or
   err: /File[/var/lib/puppet/facts]: Failed to retrieve current state of resource: Fileserver module 'facts' not mounted Could not describe /facts: Fileserver module 'facts' not mounted

So far I have tried a lot to debug this stuff, putting several .inspect calls into
the ruby code, but did not find any anchor where to search exactly or how
to get rid of this problem.

As I said, with the ubuntu machines all of that worked instantly from the
description.

Does anybody have a hint what else to try?

Regards
   Klaus Ethgen
- -- 
Klaus Ethgen                            http://www.ethgen.de/
pub  2048R/D1A4EDE5 2000-02-26 Klaus Ethgen kl...@ethgen.de
Fingerprint: D7 67 71 C4 99 A6 D4 FE  EA 40 30 57 3C 88 26 2B
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)

iQEVAwUBTNq9up+OKpjRpO3lAQoOJAf/RuVP5f+lepoNWPatoLfgyEDDqIA9GWaz
iAnHcufW0zisuxEIDU5IORKIt2zJ1C1Yy1ZppeYRtT7kRqJH3LLa1P3JwNQJHqYo
bWK1t1MnCugr925trYliunv5a2MYcmrKESxoeUIa6LTEVDDRaPfg6a9np+sDQmNA
USm96Z8/07GXdrg2TdCsE2RCVLm3tqHhwRvekiN+VqxYtoJMhvMbfrCFzO7dJmJb
GYNJZ4PmaQV5nnEUBNAaMqgRPNSsDulEdAR6yCRUnW1YGuXoV85F05Gdl4InLUQC
oTuSkKeCEd9RaC38ZTN+OF+3zDOprnq05wEJ/qtYaFi7Mizl3gZR7g==
=NUpx
-END PGP SIGNATURE-




RE: [Puppet Users] use current array element when declaring multiple resources using an array

2010-11-10 Thread Matthew Black
What you are looking for is a loop which does not exist in puppet, except
for templates. 

I've never tried it but I've speculated it could be possible to create a
manifest template and then use puppet to generate that manifest file in a
similar fashion you are looking to do.




Re: [Puppet Users] use current array element when declaring multiple resources using an array

2010-11-10 Thread Gabriel Filion
On 11/10/2010 10:18 AM, luke.bigum wrote:
 Hi list,
 
 When declaring multiple resources at once with an array like this:
 
 file { [ foo, bar ]: ... }
 
 Is there a way to access the current array element so as to pass this
 value as a parameter? So the foo resource has a parameter value
 foo and bar with a parameter value bar?


I think what you want is to use $name. It corresponds to the resource
name that is currently being worked on.

file { [ 'foo', 'bar' ]: path => "/blah/${name}.txt", ... }

-- 
Gabriel Filion




Re: [Puppet Users] Custom facts in current and old environments

2010-11-10 Thread Nigel Kersten
On Wed, Nov 10, 2010 at 7:43 AM, Klaus Ethgen klaus+pup...@ethgen.de wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA512

 Hello,

 I read that there is several problems about custom facts on this list.
 However, none is serving my task exactly so I start another. (Topic
 »custom facts in legacy puppet 0.24.[89]« is the might be the same issue
 but that gets no answer.)

 My problem is that I have to serve clients with different versions of
 puppet. The systems running ubuntu with 0.25.4 work perfect but I have
 problems to bring custom facts to the systems running silly SLES 11.1
 with puppet version 0.24.8.

There were some major changes between the two versions in this regard.

Are you using environments? Are you using plugins in modules to deliver facts?



-- 
Nigel Kersten - Puppet Labs -  http://www.puppetlabs.com




[Puppet Users] Could not retrieve catalog from remote server - random

2010-11-10 Thread PBWebGuy
I have one of 18+ servers in an environment that just started having a
problem when attempting to do an update.  On the node I enter the
command  'puppetd -t --debug --trace'.  I don't see anything obvious
but the error is:  Could not retrieve catalog from remote server

I set the puppetmaster into debug mode with command 'puppetmasterd --
no-daemonize --debug -v'.  When the node attempts to update there is
no output by the PM.  I therefore setup tcpdump to watch the traffic
and there is in fact traffic as shown below.  Therefore I know that
there is communications.

On occasions it will update but is completely random.

Any suggestions?

Thanks,

John

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
96 bytes
11:31:02.253921 IP (tos 0x0, ttl  64, id 59181, offset 0, flags [DF],
proto: TCP (6), length: 60) devcas1.domain.local.41082 >
util3.domain.local.8140: S, cksum 0xb458 (correct),
297236183:297236183(0) win 5840 mss 1380,sackOK,timestamp 666800634
0,nop,wscale 7
11:31:02.254422 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF],
proto: TCP (6), length: 60) util3.domain.local.8140 >
devcas1.domain.local.41082: S, cksum 0x7cda (correct),
1623860666:1623860666(0) ack 297236184 win 5792 mss
1460,sackOK,timestamp 3608730031 666800634,nop,wscale 7
11:31:02.255511 IP (tos 0x0, ttl  64, id 59182, offset 0, flags [DF],
proto: TCP (6), length: 52) devcas1.domain.local.41082 >
util3.domain.local.8140: ., cksum 0xc215 (correct), ack 1 win 46
nop,nop,timestamp 666800637 3608730031
11:31:02.357588 IP (tos 0x0, ttl  64, id 64523, offset 0, flags [DF],
proto: TCP (6), length: 52) util3.domain.local.8140 >
devcas1.domain.local.41082: F, cksum 0xc1ad (correct), 1:1(0) ack 1
win 46 nop,nop,timestamp 3608730134 666800637
11:31:02.358933 IP (tos 0x0, ttl  64, id 59183, offset 0, flags [DF],
proto: TCP (6), length: 52) devcas1.domain.local.41082 >
util3.domain.local.8140: ., cksum 0xc146 (correct), ack 2 win 46
nop,nop,timestamp 666800740 3608730134
11:31:02.450472 IP (tos 0x0, ttl  64, id 59184, offset 0, flags [DF],
proto: TCP (6), length: 157) devcas1.domain.local.41082 >
util3.domain.local.8140: P 1:106(105) ack 2 win 46 nop,nop,timestamp
666800831 3608730134
11:31:02.450498 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF],
proto: TCP (6), length: 40) util3.domain.local.8140 >
devcas1.domain.local.41082: R, cksum 0xee79 (correct),
1623860668:1623860668(0) win 0
11:33:11.491647 IP (tos 0x0, ttl  64, id 44612, offset 0, flags [DF],
proto: TCP (6), length: 334) devcas1.domain.local.55540 >
util3.domain.local.ldaps: P 3058489015:3058489297(282) ack 81338168
win 128 nop,nop,timestamp 666929878 3608244168
11:33:11.492744 IP (tos 0x0, ttl  64, id 48557, offset 0, flags [DF],
proto: TCP (6), length: 446) util3.domain.local.ldaps >
devcas1.domain.local.55540: P 1:395(394) ack 282 win 155
nop,nop,timestamp 3608859274 666929878
11:33:11.492818 IP (tos 0x0, ttl  64, id 48558, offset 0, flags [DF],
proto: TCP (6), length: 142) util3.domain.local.ldaps >
devcas1.domain.local.55540: P 395:485(90) ack 282 win 155
nop,nop,timestamp 3608859274 666929878
11:33:11.493585 IP (tos 0x0, ttl  64, id 44613, offset 0, flags [DF],
proto: TCP (6), length: 52) devcas1.domain.local.55540 >
util3.domain.local.ldaps: ., cksum 0x102d (correct), ack 395 win 142
nop,nop,timestamp 666929880 3608859274
11:33:11.493595 IP (tos 0x0, ttl  64, id 44614, offset 0, flags [DF],
proto: TCP (6), length: 52) devcas1.domain.local.55540 >
util3.domain.local.ldaps: ., cksum 0x0fd3 (correct), ack 485 win 142
nop,nop,timestamp 666929880 3608859274


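As an added example (not from the post), the verbose tcpdump records above can be re-joined and reduced to one flag sequence per TCP connection, which answers the first question a responder asks of such a trace: who closed, and had any payload been exchanged? SAMPLE_TRACE is the port 8140 part of John's capture; the record-joining rule, the regex, the summary fields and the client/server labelling are assumptions of this example, and the parser accepts records with or without the `>` between the endpoints since mail archives tend to drop it.

```ruby
# A new record starts with a timestamp; any other line continues the previous one.
RECORD_START = /\A\d{2}:\d{2}:\d{2}\.\d+ IP /
# "...length: 60) src > dst: FLAGS ..." (the '>' is optional for archived copies)
ENDPOINTS    = /\)\s+(\S+)\s+(?:>\s+)?(\S+):\s+([SFRP.]+)/

# The port-8140 records from the capture quoted above.
SAMPLE_TRACE = <<~'TRACE'
  11:31:02.253921 IP (tos 0x0, ttl  64, id 59181, offset 0, flags [DF],
  proto: TCP (6), length: 60) devcas1.domain.local.41082 >
  util3.domain.local.8140: S, cksum 0xb458 (correct),
  297236183:297236183(0) win 5840 mss 1380,sackOK,timestamp 666800634
  0,nop,wscale 7
  11:31:02.254422 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF],
  proto: TCP (6), length: 60) util3.domain.local.8140 >
  devcas1.domain.local.41082: S, cksum 0x7cda (correct),
  1623860666:1623860666(0) ack 297236184 win 5792 mss
  1460,sackOK,timestamp 3608730031 666800634,nop,wscale 7
  11:31:02.255511 IP (tos 0x0, ttl  64, id 59182, offset 0, flags [DF],
  proto: TCP (6), length: 52) devcas1.domain.local.41082 >
  util3.domain.local.8140: ., cksum 0xc215 (correct), ack 1 win 46
  nop,nop,timestamp 666800637 3608730031
  11:31:02.357588 IP (tos 0x0, ttl  64, id 64523, offset 0, flags [DF],
  proto: TCP (6), length: 52) util3.domain.local.8140 >
  devcas1.domain.local.41082: F, cksum 0xc1ad (correct), 1:1(0) ack 1
  win 46 nop,nop,timestamp 3608730134 666800637
  11:31:02.358933 IP (tos 0x0, ttl  64, id 59183, offset 0, flags [DF],
  proto: TCP (6), length: 52) devcas1.domain.local.41082 >
  util3.domain.local.8140: ., cksum 0xc146 (correct), ack 2 win 46
  nop,nop,timestamp 666800740 3608730134
  11:31:02.450472 IP (tos 0x0, ttl  64, id 59184, offset 0, flags [DF],
  proto: TCP (6), length: 157) devcas1.domain.local.41082 >
  util3.domain.local.8140: P 1:106(105) ack 2 win 46 nop,nop,timestamp
  666800831 3608730134
  11:31:02.450498 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF],
  proto: TCP (6), length: 40) util3.domain.local.8140 >
  devcas1.domain.local.41082: R, cksum 0xee79 (correct),
  1623860668:1623860668(0) win 0
TRACE

Packet = Struct.new(:time, :src, :dst, :flags)

# Re-join records that the mail client (or tcpdump itself) wrapped over several lines.
def records(text)
  text.each_line.map(&:strip).reject(&:empty?).each_with_object([]) do |line, recs|
    if recs.empty? || line.match?(RECORD_START)
      recs << line
    else
      recs[-1] = "#{recs[-1]} #{line}"
    end
  end
end

def parse_packet(record)
  m = ENDPOINTS.match(record) or return nil
  Packet.new(record[0, 15], m[1], m[2], m[3])
end

# One summary per connection. The server is the endpoint that received the
# first packet of the flow (the client's SYN); 'C:'/'S:' mark each flag's sender.
def summarize_flows(text)
  packets = records(text).filter_map { |r| parse_packet(r) }
  packets.group_by { |p| [p.src, p.dst].sort }.transform_values do |pkts|
    server = pkts.first.dst
    first_close = pkts.find { |p| p.flags.match?(/[FR]/) }
    {
      server: server,
      sequence: pkts.map { |p| "#{p.src == server ? 'S' : 'C'}:#{p.flags}" },
      server_sent_data: pkts.any? { |p| p.src == server && p.flags.include?('P') },
      server_closed_first: !first_close.nil? && first_close.src == server,
      closed_at: first_close&.time
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  summarize_flows(SAMPLE_TRACE).each do |endpoints, f|
    puts "#{endpoints.join(' <-> ')}: #{f[:sequence].join(' ')}"
    puts "  server closed first: #{f[:server_closed_first]} at #{f[:closed_at]}, " \
         "server sent data: #{f[:server_sent_data]}"
  end
end
```

For the sample the sequence comes out as `C:S S:S C:. S:F C:. C:P S:R`: the master's end sends FIN about 100 ms after the handshake without ever sending a byte, and resets the connection when the agent's first request bytes arrive. That is consistent with the master logging nothing for these runs, and it points at whatever owns the listening socket on the master closing the connection before the HTTP layer sees a request, rather than at name resolution or routing.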


[Puppet Users] Re: Could not retrieve catalog from remote server - random

2010-11-10 Thread PBWebGuy
Let me also add that I have several servers that have the same exact
role in their node definitions and don't have any problem with
updates.



On Nov 10, 11:40 am, PBWebGuy pbweb...@gmail.com wrote:
 I have one of 18+ servers in an environment that just started having a
 problem when attempting to do an update.  On the node I enter the
 command  'puppetd -t --debug --trace'.  I don't see anything obvious
 but the error is:  Could not retrieve catalog from remote server

 I set the puppetmaster into debug mode with command 'puppetmasterd --
 no-daemonize --debug -v'.  When the node attempts to update there is
 no output by the PM.  I therefore setup tcpdump to watch the traffic
 and there is in fact traffic as shown below.  Therefore I know that
 there is communications.

 On occasions it will update but is completely random.

 Any suggestions?

 Thanks,

 John

 tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
 96 bytes
 11:31:02.253921 IP (tos 0x0, ttl  64, id 59181, offset 0, flags [DF],
 proto: TCP (6), length: 60) devcas1.domain.local.41082 >
 util3.domain.local.8140: S, cksum 0xb458 (correct),
 297236183:297236183(0) win 5840 <mss 1380,sackOK,timestamp 666800634
 0,nop,wscale 7>
 11:31:02.254422 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF],
 proto: TCP (6), length: 60) util3.domain.local.8140 >
 devcas1.domain.local.41082: S, cksum 0x7cda (correct),
 1623860666:1623860666(0) ack 297236184 win 5792 <mss
 1460,sackOK,timestamp 3608730031 666800634,nop,wscale 7>
 11:31:02.255511 IP (tos 0x0, ttl  64, id 59182, offset 0, flags [DF],
 proto: TCP (6), length: 52) devcas1.domain.local.41082 >
 util3.domain.local.8140: ., cksum 0xc215 (correct), ack 1 win 46
 <nop,nop,timestamp 666800637 3608730031>
 11:31:02.357588 IP (tos 0x0, ttl  64, id 64523, offset 0, flags [DF],
 proto: TCP (6), length: 52) util3.domain.local.8140 >
 devcas1.domain.local.41082: F, cksum 0xc1ad (correct), 1:1(0) ack 1
 win 46 <nop,nop,timestamp 3608730134 666800637>
 11:31:02.358933 IP (tos 0x0, ttl  64, id 59183, offset 0, flags [DF],
 proto: TCP (6), length: 52) devcas1.domain.local.41082 >
 util3.domain.local.8140: ., cksum 0xc146 (correct), ack 2 win 46
 <nop,nop,timestamp 666800740 3608730134>
 11:31:02.450472 IP (tos 0x0, ttl  64, id 59184, offset 0, flags [DF],
 proto: TCP (6), length: 157) devcas1.domain.local.41082 >
 util3.domain.local.8140: P 1:106(105) ack 2 win 46 <nop,nop,timestamp
 666800831 3608730134>
 11:31:02.450498 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF],
 proto: TCP (6), length: 40) util3.domain.local.8140 >
 devcas1.domain.local.41082: R, cksum 0xee79 (correct),
 1623860668:1623860668(0) win 0
 11:33:11.491647 IP (tos 0x0, ttl  64, id 44612, offset 0, flags [DF],
 proto: TCP (6), length: 334) devcas1.domain.local.55540 >
 util3.domain.local.ldaps: P 3058489015:3058489297(282) ack 81338168
 win 128 <nop,nop,timestamp 666929878 3608244168>
 11:33:11.492744 IP (tos 0x0, ttl  64, id 48557, offset 0, flags [DF],
 proto: TCP (6), length: 446) util3.domain.local.ldaps >
 devcas1.domain.local.55540: P 1:395(394) ack 282 win 155
 <nop,nop,timestamp 3608859274 666929878>
 11:33:11.492818 IP (tos 0x0, ttl  64, id 48558, offset 0, flags [DF],
 proto: TCP (6), length: 142) util3.domain.local.ldaps >
 devcas1.domain.local.55540: P 395:485(90) ack 282 win 155
 <nop,nop,timestamp 3608859274 666929878>
 11:33:11.493585 IP (tos 0x0, ttl  64, id 44613, offset 0, flags [DF],
 proto: TCP (6), length: 52) devcas1.domain.local.55540 >
 util3.domain.local.ldaps: ., cksum 0x102d (correct), ack 395 win 142
 <nop,nop,timestamp 666929880 3608859274>
 11:33:11.493595 IP (tos 0x0, ttl  64, id 44614, offset 0, flags [DF],
 proto: TCP (6), length: 52) devcas1.domain.local.55540 >
 util3.domain.local.ldaps: ., cksum 0x0fd3 (correct), ack 485 win 142
 <nop,nop,timestamp 666929880 3608859274>

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.
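The capture above already tells the whole story if you read the flags in order, so here is a small analyzer for it. This is an added example, not code from the thread, from Puppet or from tcpdump: it parses the lines John posted (copied into the script as a constant, with the ">" arrows and the option brackets that the list archive stripped put back), rebuilds the flag sequence for the port-8140 conversation, and reports which side closed first and how many bytes the client got through before that. CAPTURE, parse_packet, analyze_flow and diagnose are this example's own names.

```ruby
# Added example: reconstruct the TCP conversation from tcpdump -v output and
# say who hung up first. Not Puppet's or tcpdump's code.

# The capture from the post, as a constant. The ">" arrows and <option>
# brackets that the mail archive stripped are restored; only the first
# ldaps packet is kept, to show that other flows are filtered out.
CAPTURE = <<~'TXT'
  11:31:02.253921 IP (tos 0x0, ttl  64, id 59181, offset 0, flags [DF], proto: TCP (6), length: 60) devcas1.domain.local.41082 > util3.domain.local.8140: S, cksum 0xb458 (correct), 297236183:297236183(0) win 5840 <mss 1380,sackOK,timestamp 666800634 0,nop,wscale 7>
  11:31:02.254422 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) util3.domain.local.8140 > devcas1.domain.local.41082: S, cksum 0x7cda (correct), 1623860666:1623860666(0) ack 297236184 win 5792 <mss 1460,sackOK,timestamp 3608730031 666800634,nop,wscale 7>
  11:31:02.255511 IP (tos 0x0, ttl  64, id 59182, offset 0, flags [DF], proto: TCP (6), length: 52) devcas1.domain.local.41082 > util3.domain.local.8140: ., cksum 0xc215 (correct), ack 1 win 46 <nop,nop,timestamp 666800637 3608730031>
  11:31:02.357588 IP (tos 0x0, ttl  64, id 64523, offset 0, flags [DF], proto: TCP (6), length: 52) util3.domain.local.8140 > devcas1.domain.local.41082: F, cksum 0xc1ad (correct), 1:1(0) ack 1 win 46 <nop,nop,timestamp 3608730134 666800637>
  11:31:02.358933 IP (tos 0x0, ttl  64, id 59183, offset 0, flags [DF], proto: TCP (6), length: 52) devcas1.domain.local.41082 > util3.domain.local.8140: ., cksum 0xc146 (correct), ack 2 win 46 <nop,nop,timestamp 666800740 3608730134>
  11:31:02.450472 IP (tos 0x0, ttl  64, id 59184, offset 0, flags [DF], proto: TCP (6), length: 157) devcas1.domain.local.41082 > util3.domain.local.8140: P 1:106(105) ack 2 win 46 <nop,nop,timestamp 666800831 3608730134>
  11:31:02.450498 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) util3.domain.local.8140 > devcas1.domain.local.41082: R, cksum 0xee79 (correct), 1623860668:1623860668(0) win 0
  11:33:11.491647 IP (tos 0x0, ttl  64, id 44612, offset 0, flags [DF], proto: TCP (6), length: 334) devcas1.domain.local.55540 > util3.domain.local.ldaps: P 3058489015:3058489297(282) ack 81338168 win 128 <nop,nop,timestamp 666929878 3608244168>
TXT

Packet = Struct.new(:time, :src, :sport, :dst, :dport, :flags, :ack, :bytes)

# "<time> IP (<ip header>) <src>.<sport> > <dst>.<dport>: <flags>, ..."
LINE_RE = /\A(?<time>\d\d:\d\d:\d\d\.\d+) IP .*?\) (?<src>\S+) > (?<dst>\S+): (?<flags>[SFRP.]+)/

# One tcpdump line -> Packet, or nil for lines that are not TCP packets.
def parse_packet(line)
  return nil unless (m = LINE_RE.match(line))
  src, sport = m[:src].rpartition(".").values_at(0, 2)
  dst, dport = m[:dst].rpartition(".").values_at(0, 2)
  bytes = line[/\d+:\d+\((\d+)\)/, 1].to_i   # "seq:seq(len)"; absent on pure ACKs
  Packet.new(m[:time], src, sport, dst, dport, m[:flags], line.include?(" ack "), bytes)
end

# Reconstruct the conversation with the given server port and summarise it.
def analyze_flow(capture, server_port)
  pkts = capture.each_line.map { |l| parse_packet(l.strip) }.compact
                .select { |p| p.dport == server_port || p.sport == server_port }
  return { packets: 0 } if pkts.empty?

  side = ->(p) { p.sport == server_port ? :server : :client }
  first_close  = pkts.find { |p| p.flags =~ /[FR]/ }
  before_close = first_close ? pkts.take_while { |p| !p.equal?(first_close) } : pkts
  after_close  = first_close ? pkts.drop(before_close.size + 1) : []

  # Three-way handshake: SYN from client, SYN+ACK from server, ACK from client.
  handshake = pkts.first(3).map { |p| [side.(p), p.flags, p.ack] }
  handshake_ok = handshake == [[:client, "S", false], [:server, "S", true], [:client, ".", true]]

  {
    packets:                   pkts.size,
    handshake_complete:        handshake_ok,
    first_close_by:            first_close && side.(first_close),
    client_bytes_before_close: before_close.select { |p| side.(p) == :client }.sum(&:bytes),
    client_bytes_after_close:  after_close.select  { |p| side.(p) == :client }.sum(&:bytes),
    reset_by_server:           pkts.any? { |p| p.flags.include?("R") && side.(p) == :server },
    flag_sequence:             pkts.map { |p| "#{side.(p)}:#{p.flags}" }.join(" "),
  }
end

# Turn the numbers into the sentence an operator actually wants.
def diagnose(r)
  return "no packets for that port in the capture" if r[:packets].to_i.zero?
  return "handshake never completed: look at reachability and firewalls" unless r[:handshake_complete]
  if r[:first_close_by] == :server && r[:client_bytes_before_close].zero?
    "server accepted the TCP connection and closed it before the client sent a byte: " \
      "the network path is fine, look at the listening process on the master"
  else
    "connection closed by #{r[:first_close_by]} after client data was sent: read the application logs"
  end
end

if __FILE__ == $0
  result = analyze_flow(CAPTURE, "8140")
  result.each { |k, v| puts format("%-26s %s", k, v) }
  puts diagnose(result)
end
```

On this capture the result is: handshake complete, first close by the server, zero client bytes before the close, then 105 bytes from the client (its first data, presumably the start of the TLS handshake) answered with a RST. That rules out reachability and firewalls, which is the same conclusion John reached from the raw dump; the master's listener accepted the connection and dropped it before reading anything, so the server side is where to look.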



[Puppet Users] Process to upgrade from 0.24.8 to 2.6.x ?

2010-11-10 Thread nemo
Hello,

I'm really kind of a newbie in the Puppet world, but this tool is quite
impressive. So I wish to thank the authors first, and all the people
participating in this amazing project.

Now, straight to business :) I'm responsible for a platform
containing almost 100 servers, all managed by Puppet version 0.24.8
(clients and server). I know this is an outdated version and I'm in
the process of upgrading to the latest version.

Hence, what would be the best approach to upgrade? For information,
the servers run CentOS 5.5 64-bit.

Sincerely,

ThomaS




[Puppet Users] Re: Could not create PID file: /var/lib/puppet/run/puppetd.pid

2010-11-10 Thread PBWebGuy
What is the contents of your /etc/puppet/puppet.conf and what are the
permissions on the /var/lib/puppet/run directory?




Re: [Puppet Users] Process to upgrade from 0.24.8 to 2.6.x ?

2010-11-10 Thread Matt Wallace
On Wednesday 10 Nov 2010 10:30:02 nemo wrote:
 Hello,
 
 I'm really kind of a newbie in the Puppet world, but this tool is quite
 impressive. So I wish to thank the authors first, and all the people
 participating in this amazing project.
 
 Now, straight to business :) I'm responsible for a platform
 containing almost 100 servers, all managed by Puppet version 0.24.8
 (clients and server). I know this is an outdated version and I'm in
 the process of upgrading to the latest version.
 
 Hence, what would be the best approach to upgrade? For information,
 the servers run CentOS 5.5 64-bit.

If you've got EPEL installed, pull puppet from there instead of RPMforge - 
it's 0.25.$something and we're running it without issue here.

The only caveat as far as I am aware is to upgrade the server first, then the 
clients, but I'm sure I'll be corrected on that if I'm wrong! :)

We're not looking to upgrade to 0.26 any time soon because we don't need any 
of the fancy features (yet!).

Cheers,

M.




Re: [Puppet Users] Re: Managing private key files; content=file vs. binary content.

2010-11-10 Thread Patrick

On Nov 10, 2010, at 6:52 AM, Chris wrote:

 Hi Thomas
 
 On Nov 10, 12:44 pm, Thomas Bendler thomas.bend...@cimt.de wrote:
 Hi Chris,
 
 2010/11/10 Chris chrisma...@gmail.com
 
 [...]
 file { "/path/to/foo.key": source => "puppet:///keys/foo.key" }, because
 any valid puppet client could access foo.key.
 [...]
 
 you are not stuck with the puppet file server; you can also use something
 like this:
 
 file {
   "/path/to/file":
     source => "/nfs/$host/file";
 }
 
 Make an export for each connected server and restrict access to this one.
 Put all private files on the NFS server and you're done.
 
 
 Yes, except that approach suffers from the same administrative
 problems as using puppet:/// and auth.conf. HTTPS certs aren't
 specific to hosts. If I have 20 servers all requiring foo.key (because
 they all have the foo-application class in their manifest), then
 either I have to copy foo.key into 20 different directories, or else
 have one export with 20 allowed hosts. And every time I add the foo-
 application class to another host, I need to remember to also expose
 the key to that host. With large numbers of keys and hosts, and
 moderate levels of churn, this becomes difficult to manage and prone
 to errors.
 
 The puppetmaster knows which hosts are allowed foo.key - i.e. all
 the hosts which include the foo-application class. It seems wrong that
 I should have to manually duplicate that information somewhere else,
 be it in an NFS exports list or an auth.conf file.
 
 I suppose I could do something hacky with storeconfigs to update the
 exports on the NFS server when a new host is brought online - but it
 doesn't seem like a very nice solution. It would lead to the first
 puppet run failing because the exports weren't yet updated, for one
 thing.

The best solution I can come up with is creating a hack that uses a define and 
a custom Ruby function that will Base64-encode the file, and then have the client 
Base64-decode it (using an exec or custom provider) on the other end.  This comes 
from something I'm building, but probably won't be done for a long while.

This is pseudocode which is missing the encode function, decode function, and 
some of the glue code.  


class binary_embedded_file::setup {
  $temp = '/var/lib/puppet/binary_embedded_file'

  # Staging area for the armoured copies; root-only, because the staged
  # text is the private key in a different encoding.
  file { $temp:
    ensure => directory,
    mode   => 700,
    owner  => root,
    group  => root,
  }

  # Decoder wrapper, called as: base64_decode <in> <out>
  # (ships with the module; the script body is not shown here)
  file { '/usr/local/bin/base64_decode':
    ensure => present,
    owner  => root,
    group  => root,
    mode   => 755,
    source => 'puppet:///modules/binary_embedded_file/base64_decode',
  }
}


# $name is the path the binary file should end up at on the client;
# $server_location is the path the master reads it from with file().
define binary_embedded_file($server_location, $ensure = present,
                            $owner = root, $group = root, $mode = 600) {

  include binary_embedded_file::setup
  $temp = $binary_embedded_file::setup::temp

  # One staging file per managed path; flatten the slashes so nothing
  # has to create nested directories under $temp.
  $safe_name = regsubst($name, '/', '_', 'G')
  $client_temp_path = "${temp}/${safe_name}.b64"
  $client_temp_path_converted = "${temp}/${safe_name}.bin"

  # base64encode is the custom parser function still to be written
  # (lib/puppet/parser/functions/base64encode.rb wrapping Base64.encode64);
  # file() is a core function.  The result is ASCII, so it survives PSON.
  file { $client_temp_path:
    ensure  => $ensure,
    owner   => root,
    group   => root,
    mode    => 600,
    content => base64encode(file($server_location)),
    require => Class['binary_embedded_file::setup'],
  }

  # Decode only when the staged text changes.
  exec { "base64_decode ${name}":
    command     => "/usr/local/bin/base64_decode '${client_temp_path}' '${client_temp_path_converted}'",
    refreshonly => true,
    subscribe   => File[$client_temp_path],
    before      => File[$name],
  }

  # The final file is copied from the decoded local copy, so owner,
  # group and mode are managed the normal way.
  file { $name:
    ensure => $ensure,
    owner  => $owner,
    group  => $group,
    mode   => $mode,
    source => $client_temp_path_converted,
  }
}


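The hack above hinges on one idea: the catalog is JSON/PSON, so only valid UTF-8 can ride in it, and base64 turns arbitrary bytes into ASCII that can. The following is an added example in plain Ruby, not Puppet's code and not Patrick's module: the stand-in key bytes are constructed, and catalog_fragment_for, serialize_catalog and decode_fragment are names chosen for this sketch, standing in for the custom parser function on the master and the decode step on the agent. It shows the check the master-side function should make before deciding to armour, the form that goes into the catalog, and the agent-side decode, and verifies that the bytes come back identical.

```ruby
# Added example: carrying binary file content through a JSON catalog by
# base64-armouring it on the master and decoding it on the agent.
# Illustrative code only; not Puppet's implementation.
require "base64"
require "json"

# Constructed stand-in for a DER-encoded private key: a handful of bytes
# including 0xC0 and 0xFF, which never occur in well-formed UTF-8, plus NULs.
# A real key is longer but has the same property.
DER_LIKE = [0x30, 0x82, 0x02, 0x5c, 0x02, 0x01, 0x00, 0xC0, 0xFF, 0x00, 0x0a].pack("C*")

# Can these bytes be placed in a JSON string as they are?
def utf8_safe?(bytes)
  bytes.dup.force_encoding(Encoding::UTF_8).valid_encoding?
end

# Master side (what the custom parser function would hand to the file
# resource): valid UTF-8 passes through, anything else is base64 armoured
# and tagged so the agent knows to undo it.
def catalog_fragment_for(path, bytes)
  if utf8_safe?(bytes)
    { "path" => path, "encoding" => "utf8",
      "content" => bytes.dup.force_encoding(Encoding::UTF_8) }
  else
    { "path" => path, "encoding" => "base64",
      "content" => Base64.strict_encode64(bytes) }
  end
end

# The catalog goes over the wire as JSON; this must not raise for any input.
def serialize_catalog(fragments)
  JSON.generate({ "resources" => fragments })
end

# Agent side: recover the original bytes before writing them to disk.
def decode_fragment(fragment)
  case fragment["encoding"]
  when "base64" then Base64.strict_decode64(fragment["content"])
  when "utf8"   then fragment["content"].b
  else raise ArgumentError, "unknown encoding #{fragment['encoding'].inspect}"
  end
end

# Full round trip master -> JSON -> agent; true when the bytes match exactly.
def round_trip_ok?(path, bytes)
  wire = serialize_catalog([catalog_fragment_for(path, bytes)])
  raise "catalog is not valid UTF-8" unless wire.valid_encoding?
  back = decode_fragment(JSON.parse(wire)["resources"].first)
  back.b == bytes.b
end

if __FILE__ == $0
  pem = "-----BEGIN RSA PRIVATE KEY-----\nMIICXgIBAAKBgQ\n-----END RSA PRIVATE KEY-----\n"
  puts "PEM is UTF-8 safe:  #{utf8_safe?(pem)}"
  puts "DER is UTF-8 safe:  #{utf8_safe?(DER_LIKE)}"
  puts "DER round trip ok:  #{round_trip_ok?('/etc/ssl/private/foo.key', DER_LIKE)}"
  puts "catalog fragment:   #{serialize_catalog([catalog_fragment_for('/etc/ssl/private/foo.key', DER_LIKE)])}"
end
```

The tagging matters: without the "encoding" marker the agent cannot tell a PEM file (which happens to look like base64 text) from an armoured DER file, and would corrupt one or the other. In a real module that marker is whatever the define uses to decide whether to run the decode exec.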



RE: [Puppet Users] Process to upgrade from 0.24.8 to 2.6.x ?

2010-11-10 Thread Matthew Black
There was a big change from 0.25 to 2.6 and I believe you need to upgrade
both client and server, from what I remember. The best way to do it is to get a
remote execution daemon like func, and then you could issue a command to all
servers like yum upgrade puppet. 

-Original Message-
From: puppet-users@googlegroups.com [mailto:puppet-us...@googlegroups.com]
On Behalf Of Matt Wallace
Sent: Wednesday, November 10, 2010 11:56 AM
To: puppet-users@googlegroups.com
Subject: Re: [Puppet Users] Process to upgrade from 0.24.8 to 2.6.x ?

On Wednesday 10 Nov 2010 10:30:02 nemo wrote:
 Hello,
 
 I'm really kind of a newbie in the Puppet world, but this tool is quite
 impressive. So I wish to thank the authors first, and all the people
 participating in this amazing project.
 
 Now, straight to business :) I'm responsible for a platform
 containing almost 100 servers, all managed by Puppet version 0.24.8
 (clients and server). I know this is an outdated version and I'm in
 the process of upgrading to the latest version.
 
 Hence, what would be the best approach to upgrade? For information,
 the servers run CentOS 5.5 64-bit.

If you've got EPEL installed, pull puppet from there instead of RPMforge - 
it's 0.25.$something and we're running it without issue here.

The only caveat as far as I am aware is to upgrade the server first, then the 
clients, but I'm sure I'll be corrected on that if I'm wrong! :)

We're not looking to upgrade to 0.26 any time soon because we don't need any 
of the fancy features (yet!).

Cheers,

M.






Re: [Puppet Users] Managing private key files; content=file vs. binary content.

2010-11-10 Thread Patrick

On Nov 10, 2010, at 4:29 AM, Chris wrote:

 How are other people getting around this? Do you just allow all
 clients to access all keys? Is there a native type, or an auth.conf
 trick, that I'm missing? Or a more binary-friendly encoding than JSON/
 PSON ?


I sent a different message with a rather long hack as a workaround, but I would 
also file a bug for this.




[Puppet Users] Re: Could not retrieve catalog from remote server - random

2010-11-10 Thread PBWebGuy
A few more findings:

1. I removed /var/lib/puppet/clientbucket and ran the update manually;
it worked one time.  Repeating this does not work.

2. Here is the Trace of the puppetd command:

/usr/lib/ruby/1.8/net/http.rb:586:in `connect'
/usr/lib/ruby/1.8/net/http.rb:586:in `connect'
/usr/lib/ruby/1.8/net/http.rb:553:in `do_start'
/usr/lib/ruby/1.8/net/http.rb:542:in `start'
/usr/lib/ruby/1.8/net/http.rb:1035:in `request'
/usr/lib/ruby/1.8/net/http.rb:772:in `get'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:69:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:202:in
`find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:51:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:208:in
`retrieve_new_catalog'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:418:in `thinmark'
/usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
/usr/lib/ruby/1.8/benchmark.rb:307:in `realtime'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:417:in `thinmark'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:207:in
`retrieve_new_catalog'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:104:in
`retrieve_catalog'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:142:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent/locker.rb:21:in `lock'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
/usr/lib/ruby/1.8/sync.rb:229:in `synchronize'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:134:in `with_client'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:51:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application/puppetd.rb:103:in
`onetime'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `send'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `run_command'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:306:in
`exit_on_fail'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
/usr/sbin/puppetd:160

3. I'm using 0.25.5.

Any help or suggestions are much appreciated.

Thanks,

John




Re: [Puppet Users] Could not retrieve catalog from remote server - random

2010-11-10 Thread Patrick

On Nov 10, 2010, at 8:40 AM, PBWebGuy wrote:

 I have one of 18+ servers in an environment that just started having a
 problem when attempting to do an update.  On the node I enter the
 command 'puppetd -t --debug --trace'.  I don't see anything obvious,
 but the error is: Could not retrieve catalog from remote server
 
 I set the puppetmaster into debug mode with the command 'puppetmasterd
 --no-daemonize --debug -v'.  When the node attempts to update there is
 no output from the PM.

Make sure that you get output from the puppetmaster for some things.  It's easy 
to look at the wrong log if you are using Passenger.

I've seen a similar error when the puppetmaster is overloaded so the 
client times out.  For me, this is when all 50 clients ask for a 
catalog at the same time (don't ask).  Could this be the problem?

 I therefore set up tcpdump to watch the traffic
 and there is in fact traffic, as shown below.  Therefore I know that
 there is communication.
 
 On occasion it will update, but it is completely random.
 
 Any suggestions?
 
 Thanks,
 
 John
 
 tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
 96 bytes
 11:31:02.253921 IP (tos 0x0, ttl  64, id 59181, offset 0, flags [DF],
 proto: TCP (6), length: 60) devcas1.domain.local.41082 >
 util3.domain.local.8140: S, cksum 0xb458 (correct),
 297236183:297236183(0) win 5840 <mss 1380,sackOK,timestamp 666800634
 0,nop,wscale 7>
 11:31:02.254422 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF],
 proto: TCP (6), length: 60) util3.domain.local.8140 >
 devcas1.domain.local.41082: S, cksum 0x7cda (correct),
 1623860666:1623860666(0) ack 297236184 win 5792 <mss
 1460,sackOK,timestamp 3608730031 666800634,nop,wscale 7>
 11:31:02.255511 IP (tos 0x0, ttl  64, id 59182, offset 0, flags [DF],
 proto: TCP (6), length: 52) devcas1.domain.local.41082 >
 util3.domain.local.8140: ., cksum 0xc215 (correct), ack 1 win 46
 <nop,nop,timestamp 666800637 3608730031>
 11:31:02.357588 IP (tos 0x0, ttl  64, id 64523, offset 0, flags [DF],
 proto: TCP (6), length: 52) util3.domain.local.8140 >
 devcas1.domain.local.41082: F, cksum 0xc1ad (correct), 1:1(0) ack 1
 win 46 <nop,nop,timestamp 3608730134 666800637>
 11:31:02.358933 IP (tos 0x0, ttl  64, id 59183, offset 0, flags [DF],
 proto: TCP (6), length: 52) devcas1.domain.local.41082 >
 util3.domain.local.8140: ., cksum 0xc146 (correct), ack 2 win 46
 <nop,nop,timestamp 666800740 3608730134>
 11:31:02.450472 IP (tos 0x0, ttl  64, id 59184, offset 0, flags [DF],
 proto: TCP (6), length: 157) devcas1.domain.local.41082 >
 util3.domain.local.8140: P 1:106(105) ack 2 win 46 <nop,nop,timestamp
 666800831 3608730134>
 11:31:02.450498 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF],
 proto: TCP (6), length: 40) util3.domain.local.8140 >
 devcas1.domain.local.41082: R, cksum 0xee79 (correct),
 1623860668:1623860668(0) win 0
 11:33:11.491647 IP (tos 0x0, ttl  64, id 44612, offset 0, flags [DF],
 proto: TCP (6), length: 334) devcas1.domain.local.55540 >
 util3.domain.local.ldaps: P 3058489015:3058489297(282) ack 81338168
 win 128 <nop,nop,timestamp 666929878 3608244168>
 11:33:11.492744 IP (tos 0x0, ttl  64, id 48557, offset 0, flags [DF],
 proto: TCP (6), length: 446) util3.domain.local.ldaps >
 devcas1.domain.local.55540: P 1:395(394) ack 282 win 155
 <nop,nop,timestamp 3608859274 666929878>
 11:33:11.492818 IP (tos 0x0, ttl  64, id 48558, offset 0, flags [DF],
 proto: TCP (6), length: 142) util3.domain.local.ldaps >
 devcas1.domain.local.55540: P 395:485(90) ack 282 win 155
 <nop,nop,timestamp 3608859274 666929878>
 11:33:11.493585 IP (tos 0x0, ttl  64, id 44613, offset 0, flags [DF],
 proto: TCP (6), length: 52) devcas1.domain.local.55540 >
 util3.domain.local.ldaps: ., cksum 0x102d (correct), ack 395 win 142
 <nop,nop,timestamp 666929880 3608859274>
 11:33:11.493595 IP (tos 0x0, ttl  64, id 44614, offset 0, flags [DF],
 proto: TCP (6), length: 52) devcas1.domain.local.55540 >
 util3.domain.local.ldaps: ., cksum 0x0fd3 (correct), ack 485 win 142
 <nop,nop,timestamp 666929880 3608859274>
 
 




[Puppet Users] Re: Realizing wrong ssh key for the wrong user

2010-11-10 Thread jcbollinger

On Nov 9, 2:47 pm, Tobias Lott tl...@ebel-syste.ms wrote:
 Problem isn't Directories not getting created but every user is getting
 ALL ssh keys

I see the error messages appearing to indicate attempts to distribute
keys to users who should not have them.  The attempts seem not to be
successful, however.  Do the correct keys successfully get distributed
to the correct users, or do all key distribution attempts fail?  Are
there circumstances under which Puppet genuinely does install keys for
users that should not have them?

I can imagine that the provider for ssh_authorized_keys may
boneheadedly attempt to read authorized_keys files that it doesn't
actually need to read (or write).  If you have Puppet installed in a
manner that prevents puppetd from successfully accessing those files,
then the error messages may simply signal inefficiency, rather than a
bona fide attempt to distribute keys incorrectly.

Note also that there appears to be a typo in your manifest fragment:
key peto is assigned to user petov (not peto).  It would be very
strange, but within the realm of possibility, if your problem
disappeared after you correct that.


Regards,

John




[Puppet Users] Re: Could not retrieve catalog from remote server - random

2010-11-10 Thread PBWebGuy
 Make sure that you get output from the puppetmaster for some things.  It's 
 easy to look at the wrong log if you are using Passenger.

 I've seen a similar error when the puppetmaster is overloaded so the 
 client times out.  For me, this is when all 50 clients ask for a 
 catalog at the same time (don't ask).  Could this be the problem?


Hi Patrick,

I'm running PM in --no-daemonize so I see all output.  I'm not using
passenger and the server is only being hit by manual invocations by
nodes so it is not being overtaxed.

It seems completely random in that it will work one out of 20 tries.
I don't have any other nodes having an issue.

John




[Puppet Users] Re: multiple package installation at same location

2010-11-10 Thread jcbollinger

On Nov 9, 10:13 am, Bakul bakul.ghug...@gmail.com wrote:
 I know that would be better option but it's not possible to do it at
 this point (due to some non-technical issue). Is there anyway this can
 be handled in puppet.

Your manifests cannot directly specify command line parameters to be
passed to yum.  As I already wrote, however, you can configure yum
(in /etc/yum.conf) so that -y is always assumed.  (man yum.conf)

Alternatively, you can create a new or modified yum package provider
that does this, and install it into Puppet.  That would narrow the
scope to which the -y default would apply.  (http://docs.puppetlabs.com/guides/custom_types.html)

I reiterate, however, that these options are not just _worse_ than
building proper packages: they are BAD.

If the jboss-fix package contains only a few files then it might be
better all around to just manage those files directly, instead of
distributing them in RPM form.  Especially so if the changes are all
in config files.




Re: [Puppet Users] Re: Lenny and lenny-backports

2010-11-10 Thread Zach Leslie
Which isn't terrible, but you lose init scripts and the like.

Zach


On Tue, Nov 9, 2010 at 4:43 PM, bobics bob...@gmail.com wrote:

 I get around this issue by installing Puppet as a gem.







[Puppet Users] Re: Could not retrieve catalog from remote server - random

2010-11-10 Thread PBWebGuy
I have continued troubleshooting this and have gone as far as:

1. Removed all code from nodes.pp for this particular node.

2. Deleted the /var/lib/puppet directory on the node and re-signed with
the PM.  Note that the signing failed repeatedly as well, with the PM
not reporting any messages in debug mode.  The tcpdump showed traffic
for every request from the node.

Regards,

John




Re: [Puppet Users] Re: Managing private key files; content=file vs. binary content.

2010-11-10 Thread Thomas Bendler
Hi Chris,

2010/11/10 Chris chrisma...@gmail.com

 [...]
 Yes, except that approach suffers from the same administrative
 problems as using puppet:/// and auth.conf. HTTPS certs aren't
 specific to hosts. If I have 20 servers all requiring foo.key (because
 they all have the foo-application class in their manifest), then
 either I have to copy foo.key into 20 different directories, or else
 have one export with 20 allowed hosts. And every time I add the foo-
 application class to another host, I need to remember to also expose
 the key to that host. With large numbers of keys and hosts, and
 moderate levels of churn, this becomes difficult to manage and prone
 to errors.


Got the point; I thought that you needed one specific key on each server. So
that should be even simpler: use file with content and put the key in the
content field:

$myKey = "-----BEGIN RSA PRIVATE KEY-----\nMIICXgIBAAKBgQDTqkVS4/iwKx8LngXQrEShlfSRtcSyOB1IjC5AIGUAJvapq9lz\n..."

file {
  "/path/to/keyFile":
    content => $myKey;
}

Put this into your webserver class and assign the class only to the
webservers.

Kind regards, Thomas




[Puppet Users] Puppet Module Repository

2010-11-10 Thread Yushu Yao
Hi Experts,

I am just wondering, is there anything like a Puppet Module Repository in
production yet?

For the Puppet Module Repository I am looking for two main features:
1. Version control of each individual module
2. Automatic dependency resolution: one module will be able to say which
module (at which version) it depends on.

Basically, something like Python easy_install or Ruby gems would be best.

Thanks a lot!

-Yushu




Re: [Puppet Users] Re: Managing private key files; content=file vs. binary content.

2010-11-10 Thread Richard Crowley
 Got the point; I thought that you needed one specific key on each server. So
 that should be even simpler: use file with content and put the key in the
 content field:

 $myKey = "-----BEGIN RSA PRIVATE KEY-----\nMIICXgIBAAKBgQDTqkVS4/iwKx8LngXQrEShlfSRtcSyOB1IjC5AIGUAJvapq9lz\n..."

 file {
   "/path/to/keyFile":
     content => $myKey;
 }

 Put this into your webserver class and assign the class only to the
 webservers.

This works perfectly for PEM-formatted keys because they're ASCII,
which is a subset of UTF-8.  Binary keys are not (usually) valid UTF-8
and thus can't be crammed into a catalog without some encoding.




Re: [Puppet Users] Puppet Module Repository

2010-11-10 Thread Joe McDonagh

On 11/10/2010 01:14 PM, Yushu Yao wrote:

Hi Experts,

I am just wondering, is there anything like a Puppet Module 
Repository in production yet?


For the Puppet Module Repository I am looking for two main features:
1. Version control of each individual module
2. Automatic dependency resolution: one module will be able to say 
which module (at which version) it depends on.


Basically, something like Python easy_install or Ruby gems would be 
best.


Thanks a lot!

-Yushu


http://forge.puppetlabs.com/

--
Joe McDonagh
AIM: YoosingYoonickz
IRC: joe-mac on freenode
When the going gets weird, the weird turn pro.




Re: [Puppet Users] Re: Managing private key files; content=file vs. binary content.

2010-11-10 Thread Thomas Bendler
2010/11/10 Richard Crowley r...@rcrowley.org

 [...]
 This works perfectly for PEM-formatted keys because they're ASCII,
 which is a subset of UTF-8.  Binary keys are not (usually) valid UTF-8
 and thus can't be crammed into a catalog without some encoding.


And why don't you convert the key to a PEM key before putting it into
puppet? You can use OpenSSL to convert the binary key to a PEM key:

openssl enc -in some-bin.key -out some-pem.key -a

Kind regards, Thomas




Re: [Puppet Users] Re: Managing private key files; content=file vs. binary content.

2010-11-10 Thread Richard Crowley
On Wed, Nov 10, 2010 at 10:39 AM, Thomas Bendler thomas.bend...@cimt.de wrote:
 2010/11/10 Richard Crowley r...@rcrowley.org

 [...]
 This works perfectly for PEM-formatted keys because they're ASCII,
 which is a subset of UTF-8.  Binary keys are not (usually) valid UTF-8
 and thus can't be crammed into a catalog without some encoding.

 And why don't you convert the key to a PEM key before putting it into
 puppet? You can use OpenSSL to convert the binary key to a PEM key:

In my particular case because it's unclear if ASCII encodings of
trusted.gpg and trustdb.gpg are indeed possible.

In the general case, even completely legitimate (and common) Latin-1
text files can cause Puppet problems because some Latin-1 bytes are
not valid UTF-8.  In my opinion, the content parameter of a file
resource should be able to handle these cases.

Richard




Re: [Puppet Users] Re: Managing private key files; content=file vs. binary content.

2010-11-10 Thread Patrick

On Nov 10, 2010, at 11:48 AM, Richard Crowley wrote:

 On Wed, Nov 10, 2010 at 10:39 AM, Thomas Bendler thomas.bend...@cimt.de 
 wrote:
 2010/11/10 Richard Crowley r...@rcrowley.org
 
 [...]
 This works perfectly for PEM-formatted keys because they're ASCII,
 which is a subset of UTF-8.  Binary keys are not (usually) valid UTF-8
 and thus can't be crammed into a catalog without some encoding.
 
 And why don't you convert the key to a PEM key before putting it into
 puppet? You can use OpenSSL to convert the binary key to a PEM key:
 
 In my particular case because it's unclear if ASCII encodings of
 trusted.gpg and trustdb.gpg are indeed possible.
 
 In the general case, even completely legitimate (and common) Latin-1
 text files can cause Puppet problems because some Latin-1 bytes are
 not valid UTF-8.  In my opinion, the content parameter of a file
 resource should be able to handle these cases.

I think you should file a bug then.




[Puppet Users] Re: Could not retrieve catalog from remote server - random

2010-11-10 Thread PBWebGuy
After 6 hours of troubleshooting, we found that there was a process
(Alfresco/Tomcat) running on the node that was consuming large amounts
of the CPU.  Running 'top', there was a sustained load of 2.x.  As
soon as I killed the process, Puppet started running perfectly!  This
node is a VM in a VMWare cloud.

Hope that this will help someone else someday...

Regards,

John




[Puppet Users] Re: Puppet Module Repository

2010-11-10 Thread PBWebGuy
This is not exactly what you're looking for but may be a solution.  We
are using the multiple environment functionality
(http://projects.puppetlabs.com/projects/1/wiki/Using_Multiple_Environments)
to manage version control to prevent changes from impacting production
while we're implementing and testing in DEV.  We basically have a
checkout/working copy of the puppet modules for each environment.
When we want to upgrade production, we snap a new tag, and then update
the working directory on the PM to the new version.  Our tree looks
like:


/etc/puppet/env
   |-- dev
   |   |-- manifests
   |   `-- modules
   |-- preprod
   |   |-- manifests
   |   `-- modules
   `-- prod
       |-- manifests
       `-- modules

This gives us version control at the environment level instead of at
the module level.  I don't know of any dependency resolution solution.

John





Re: [Puppet Users] Default ownership for static files

2010-11-10 Thread Douglas Garstang
On Mon, Nov 8, 2010 at 8:29 AM, Patrick kc7...@gmail.com wrote:


 On Nov 8, 2010, at 8:03 AM, R.I.Pienaar wrote:

 
  - Markus Falb markus.f...@fasel.at wrote:
 
  Hi,
 
  I try to serve a file
 
   file { "/root/test3.txt":
     ensure => file,
     source => "puppet:///yum/test.txt",
   }
 
  On the puppetmaster this files look like this
 
  #$ ls -n test.txt
  -rw-r--r--  1 502  301  4  8 Nov 16:25 test.txt
 
  Finally, here is my question: What ownership may I expect on the
  resulting file ?
 
  Do not rely on this behavior, specify the owner and mode in your file{}
 resources.
 
  That is the only reliable way.

 To expand on this, one way you can rely on a default is to set the default
 by putting this in site.pp (Not in any class)

 File {
    mode  => '644',
    owner => '502',
    group => '301',
 }


This would generally be a bad idea IMHO. If you put a File{} in site.pp, it
stops you from being able to put a File{} anywhere else, say in a module. If
you _do_ put a File{} in a module (which I do all the time), it disregards
the global File{} in site.pp. Same applies to any resource default.

That's unless of course puppet has a plusignment operator for resource types
that I wasn't aware of.

Doug.




Re: [Puppet Users] Default ownership for static files

2010-11-10 Thread Douglas Garstang
On Mon, Nov 8, 2010 at 9:36 AM, Markus Falb markus.f...@fasel.at wrote:

 On 08.11.10 17:03, R.I.Pienaar wrote:
 
  - Markus Falb markus.f...@fasel.at wrote:
 
  Hi,
 
  I try to serve a file
 
   file { "/root/test3.txt":
     ensure => file,
     source => "puppet:///yum/test.txt",
   }
 
  On the puppetmaster this files look like this
 
  #$ ls -n test.txt
  -rw-r--r--  1 502  301  4  8 Nov 16:25 test.txt
 
  Finally, here is my question: What ownership may I expect on the
  resulting file ?
 
  Do not rely on this behavior, specify the owner and mode in your file{}
 resources.
 
  That is the only reliable way.
 

 It seems so, but do we want things this way? I knew that I can specify
 the owner explicitly; instead I wanted to question the defaults.

 When puppetd runs as root and nothing is defined otherwise, files should be
 created with owner root, in my opinion. Why should one assume that uids
 on the puppetmaster and client are synchronised? Forget to define one
 ownership in your manifests and possibly unrelated users on the client
 can access these files unintentionally.

 I think that's a security flaw. I would like to rely on reasonable
 defaults. I am thinking about opening a ticket for this.

 In other words: a file on the puppetmaster belongs to user x with uid
 y, and it is created on the client with uid y, whatever user this
 translates to. Is this intended?


When no owner or group is specified for the file, the default owner and
group on the target system seems to default to the same as the owner and
group on the puppetmaster, if that user exists on the target system. I.e., all
our files under /etc/puppet are owned by the puppet user, and if I don't
specify a user/group on a file, they end up being owned by puppet on the
target.

Doug




[Puppet Users] Re: unable to get puppet client to work

2010-11-10 Thread vonObelix
How did you fix this?

On 19 Oct., 12:48, mar...@fearless.nl mar...@fearless.nl wrote:
 0.25.4 (Ubuntu repository)

 However, i got it working now. Seemed the reverse DNS was causing
 issues.

 Cheers,

 Marcel

 On 18 Oct., 18:42, Mohit Chawla mohit.chawla.bin...@gmail.com wrote:

  Hi,

  What's the client version ?

  On Mon, Oct 18, 2010 at 9:36 PM, mar...@fearless.nl mar...@fearless.nl wrote:

   Hi All,

   first off, I'm new to puppet. I've started playing with it for a few
   days now and it seems to be perfectly matching my needs.

   I've created two labs, one at home (working) and one in the office
   (not working).
   Now as you can gather, I would like some help finding the reason the
   office lab does not work.

   The puppetmaster works as expected, starts good and without issue.

   Starting it in debug mode says:

   r...@master:/etc/puppet# puppetmasterd --no-daemonize -d -v
   debug: Failed to load library 'selinux' for feature 'selinux'
   debug: Failed to load library 'ldap' for feature 'ldap'
   debug: Puppet::Type::User::ProviderLdap: feature ldap is missing
   debug: Puppet::Type::User::ProviderPw: file pw does not exist
   debug: Puppet::Type::User::ProviderUser_role_add: file rolemod does not exist
   debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
   debug: /File[/var/puppet/yaml]: Autorequiring File[/var/puppet]
   debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring File[/etc/puppet/ssl/certs]
   debug: /File[/etc/puppet/manifests]: Autorequiring File[/etc/puppet]
   debug: /File[/var/puppet/state]: Autorequiring File[/var/puppet]
   debug: /File[/var/puppet/facts]: Autorequiring File[/var/puppet]
   debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ssl]
   debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet]
   debug: /File[/etc/puppet/ssl/public_keys/master.pem]: Autorequiring File[/etc/puppet/ssl/public_keys]
   debug: /File[/var/puppet/log/masterhttp.log]: Autorequiring File[/var/puppet/log]
   debug: /File[/etc/puppet/ssl/crl.pem]: Autorequiring File[/etc/puppet/ssl]
   debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ssl]
   debug: /File[/var/puppet/rrd]: Autorequiring File[/var/puppet]
   debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring File[/etc/puppet/ssl]
   debug: /File[/var/puppet/bucket]: Autorequiring File[/var/puppet]
   debug: /File[/etc/puppet/auth.conf]: Autorequiring File[/etc/puppet]
   debug: /File[/var/puppet/reports]: Autorequiring File[/var/puppet]
   debug: /File[/etc/puppet/manifests/site.pp]: Autorequiring File[/etc/puppet/manifests]
   debug: /File[/var/puppet/log]: Autorequiring File[/var/puppet]
   debug: /File[/var/puppet/lib]: Autorequiring File[/var/puppet]
   debug: /File[/etc/puppet/fileserver.conf]: Autorequiring File[/etc/puppet]
   debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
   debug: /File[/etc/puppet/ssl/certs/master.pem]: Autorequiring File[/etc/puppet/ssl/certs]
   debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/puppet/ssl]
   debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/puppet/ssl]
   debug: /File[/etc/puppet/ssl/private_keys/master.pem]: Autorequiring File[/etc/puppet/ssl/private_keys]
   debug: /File[/var/run/puppetmasterd.pid]: Autorequiring File[/var/run]
   debug: Finishing transaction -610961228 with 0 changes
   debug: /File[/etc/puppet/ssl/ca/private]: Autorequiring File[/etc/puppet/ssl/ca]
   debug: /File[/etc/puppet/ssl/ca/serial]: Autorequiring File[/etc/puppet/ssl/ca]
   debug: /File[/etc/puppet/ssl/ca/private/ca.pass]: Autorequiring File[/etc/puppet/ssl/ca/private]
   debug: /File[/etc/puppet/ssl/ca/requests]: Autorequiring File[/etc/puppet/ssl/ca]
   debug: /File[/etc/puppet/ssl/ca/ca_crl.pem]: Autorequiring File[/etc/puppet/ssl/ca]
   debug: /File[/etc/puppet/ssl/ca/ca_crt.pem]: Autorequiring File[/etc/puppet/ssl/ca]
   debug: /File[/etc/puppet/ssl/ca/inventory.txt]: Autorequiring File[/etc/puppet/ssl/ca]
   debug: /File[/etc/puppet/ssl/ca/ca_key.pem]: Autorequiring File[/etc/puppet/ssl/ca]
   debug: /File[/etc/puppet/ssl/ca/signed]: Autorequiring File[/etc/puppet/ssl/ca]
   debug: /File[/etc/puppet/ssl/ca/ca_pub.pem]: Autorequiring File[/etc/puppet/ssl/ca]
   debug: Finishing transaction -611217558 with 0 changes
   debug: Using cached certificate for ca, good until Fri Oct 16 14:58:50 UTC 2015
   debug: Using cached certificate for ca, good until Fri Oct 16 14:58:50 UTC 2015
   debug: Using cached certificate for master, good until Fri Oct 16 14:58:50 UTC 2015
   notice: Starting Puppet server version 0.25.4

   Which seems good to me.

   Now when I start a client, this happens:

   r...@ubuntu:~# puppetd --no-daemonize --verbose --server master --fqdn ubuntu.lab --waitforcert 60 -o
   err: Could not retrieve catalog from remote 

Re: [Puppet Users] Re: Managing private key files; content=file vs. binary content.

2010-11-10 Thread Chris May
On Wed, Nov 10, 2010 at 6:26 PM, Richard Crowley r...@rcrowley.org wrote:

  got the point, thought that you need one specific key on each server. So
  that should be even simpler, use file with content and put the key in the
  content field:
 
  $myKey = "-----BEGIN RSA PRIVATE KEY-----\nMIICXgIBAAKBgQDTqkVS4/iwKx8LngXQrEShlfSRtcSyOB1IjC5AIGUAJvapq9lz\n..."
 
  file {
    "/path/to/keyFile":
      content => $myKey;
  }
 
  Put this into your Webserver class and assign the class only to the
  Webservers.

 This works perfectly for PEM-formatted keys because they're ASCII,
 which is a subset of UTF-8.  Binary keys are not (usually) valid UTF-8
 and thus can't be crammed into a catalog without some encoding.


Indeed. I made a mistake in my original post; it's not the key files for
apache (which are PEM-formatted ASCII), but rather those in Java's JKS
keystore format, that cause problems for me. I could probably create a
workaround by transferring the keys in PEM format and then converting to
JKS on the client, but it would be a pretty fiddly solution compared to the
option of a binary-safe file() function.


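The UTF-8 limitation Richard and Chris describe, and the base64 workaround Thomas suggests with openssl enc -a, as an added Ruby example (not code from this thread or from Puppet itself): it checks whether a file's bytes are valid UTF-8 and therefore safe to hand to content =>, and base64-wraps them otherwise, using constructed PEM, JKS-header and Latin-1 samples. The function names and samples are this example's own.

```ruby
require 'base64'

# True when the bytes are already valid UTF-8 and can be placed in
# content => as-is. PEM is ASCII, so it always passes; a JKS keystore
# or Latin-1 text usually does not.
def catalog_safe?(bytes)
  bytes.dup.force_encoding(Encoding::UTF_8).valid_encoding?
end

# Master side: returns [payload, scheme]. Binary content is base64-wrapped,
# the same transformation "openssl enc -a" performs (minus its line wrapping).
def encode_for_catalog(bytes)
  return [bytes.dup.force_encoding(Encoding::UTF_8), 'plain'] if catalog_safe?(bytes)
  [Base64.strict_encode64(bytes), 'base64']
end

# Node side: reverses encode_for_catalog and returns the original bytes.
def decode_for_node(payload, scheme)
  case scheme
  when 'plain'  then payload.b
  when 'base64' then Base64.strict_decode64(payload)
  else raise ArgumentError, "unknown scheme #{scheme}"
  end
end

# Constructed samples (not real keys): a PEM-shaped text, the first bytes of
# a JKS keystore (its 0xFEEDFEED magic number), and Latin-1 text with 0xE9.
PEM_SAMPLE    = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAK...\n-----END RSA PRIVATE KEY-----\n".b
JKS_SAMPLE    = "\xFE\xED\xFE\xED\x00\x00\x00\x02\x00\x00\x00\x01".b
LATIN1_SAMPLE = "caf\xE9\n".b

if __FILE__ == $0
  { 'pem' => PEM_SAMPLE, 'jks' => JKS_SAMPLE, 'latin1' => LATIN1_SAMPLE }.each do |name, sample|
    payload, scheme = encode_for_catalog(sample)
    ok = decode_for_node(payload, scheme) == sample
    puts "#{name.ljust(6)} utf8=#{catalog_safe?(sample)} scheme=#{scheme} round-trip=#{ok}"
  end
end
```

On the master this logic would live in a custom parser function; the node still needs something (for example an exec running base64 -d) to reverse it, which is the fiddly step Chris mentions.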






Re: [Puppet Users] Managing components in an high availability environment?

2010-11-10 Thread Daniel Pittman
Maciej Skrzetuski m.skrzetu...@gmail.com writes:

 we would like to create and/or modify resources in our environment with the
 help of puppet. The problem is that the software components may fail over
 from node A to node B. We are planning to write our own modules for puppet
 but we have no idea how to handle the fail over thing. Is there a popular
 pattern for s.th. like this? S.th. like: if the component is not on node A
 then look on node B and then if this fails report a failure.

I wrote a custom fact to determine which node in our HA database pair was
currently active, and used:

  if $database_blah_blah == 'active' {
# manage the stuff here
  }

For most of the resources, though, I worked fairly hard to make sure that all
the administrative changes could apply on *both* nodes, so that I didn't have
to introduce that sort of dependency.

This is, in my experience, the far better (but harder) way to achieve the
results.


Writing custom facts is actually pretty trivial, FWIW, so doesn't add too much
overhead to the whole process.  (At least, nothing notable compared to the
effort of getting an HA system in the first place. ;)

Regards,
Daniel
-- 
✣ Daniel Pittman✉ dan...@rimspace.net☎ +61 401 155 707
   ♽ made with 100 percent post-consumer electrons




[Puppet Users] Re: Query facter 'facts' from webapp

2010-11-10 Thread donavan
On Nov 9, 6:06 am, Pieter Baele pieter.ba...@gmail.com wrote:
 Hi,

 I would like to query the puppetmaster (or the puppet nodes...) for some facts
 and display/use these in an external web application (written django)
 using the certificates from Puppet.

 What's the correct (nice) way to do this? REST?
 Can I find some code examples for this?

 Met vriendelijke groeten,
 Pieter Baele
 www.pieterb.be

Pieter, It's not a solution today but it sounds like you're looking
for the Inventory Service[1]. The basic idea is to collect, and
export, the client facts using a REST interface from a central
service. There's a push to get this in to 2.7[2], so some of your work
may be done for you already.

The mcollective registration method also works great, if you want to
go that route.

[1] http://projects.puppetlabs.com/projects/1/wiki/InventoryServiceArchitecture
[2] http://groups.google.com/group/puppet-dev/browse_thread/thread/4fa1c3dc34725004/5e822ab9c65dadee
