Re: [Puppet Users] Separating puppetmaster file serving and catalogs
Sorry for the late answer, my provider had a downtime this weekend.

Tough call. There is no such thing as a transparent SSL proxy afaik, because without decrypting requests, the proxy cannot make any header based decisions.

This may well be a dead end then.

Ah. See below for a different idea then.

If such an approach is at all possible, the complete implementation would include giving the proxy the means to recognize valid client certificates.

The proxy can and is recognizing valid certificates. The problem is passing that information on to the puppetmaster because I really don't know how to do that. I also don't know exactly which headers the puppetmaster uses. I'm thinking that if I do this, I need to remove the SSL from the file server VirtualHost and just pass the information directly through.

Hm, no good. This is just the transparent SSL proxying I'm afraid is not at all possible (at least while still making use of the request URI to decide on the backend HTTP server).

Even if this should work - is it worth all that hassle?

This is a much better question. I'm going to work on it a little more though.

The weird thing is: This might as well work, because you proxy pass to https://localhost... That means that your proxy actually reencrypts the requests (or should do that, at least).

Are you seeing requests at the backend Apache now? Does puppet show any reaction to that? Are you performing basic tests using wget on distinct URLs that should be served by this setup?

Regards, Felix

--
You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-us...@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
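The hand-off discussed in this message, as an added example that is not part of the original thread or Puppet's own code: a TLS-terminating proxy forwards its client-certificate verdict in request headers, and the backend accepts that verdict only from the proxy. The header names (X-Client-Verify, X-Client-DN), the trusted proxy addresses and the Rack-style env hash are assumptions for illustration.

```ruby
# Added illustration: all names below are assumptions, not Puppet internals.
TRUSTED_PROXIES = ['127.0.0.1', '::1'].freeze

# Proxy side: drop any client-supplied copies of the identity headers, then
# set them from the result of the TLS handshake the proxy itself performed.
def proxy_headers(incoming, tls_verify:, tls_subject_dn:)
  clean = incoming.reject { |name, _| name =~ /\AX-Client-(DN|Verify)\z/i }
  clean.merge('X-Client-Verify' => tls_verify, 'X-Client-DN' => tls_subject_dn)
end

# Backend side: return the certificate CN the proxy vouched for, or nil when
# the request has to be treated as unauthenticated.
def client_cn(env, verify_header: 'HTTP_X_CLIENT_VERIFY', dn_header: 'HTTP_X_CLIENT_DN')
  # Headers are only meaningful if the connection really came from the proxy.
  return nil unless TRUSTED_PROXIES.include?(env['REMOTE_ADDR'])
  # mod_ssl style verdicts: SUCCESS, NONE, GENEROUS, FAILED:<reason>.
  return nil unless env[verify_header] == 'SUCCESS'

  dn = env[dn_header].to_s
  m = dn.match(%r{(?:\A|[/,]\s*)CN=([^/,]+)})
  m && m[1].downcase
end
```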
[Puppet Users] Re: Serving files while ignoring some (e.g. .svn)
On Dec 20, 12:13 am, Don Jackson puppet-us...@clark-communications.com wrote:

I make use of the puppet fileserving capability to serve up configs and smaller executables I need on my deployed servers. Sometimes I populate directories to be served on the puppetmaster via subversion. When I recursively populate this kind of directory via puppet, it brings over the .svn directory, etc, which is not what I want. How can I configure either the puppet file server, or modify my manifest, to prevent pulling over the .svn directory also?

If you export from subversion rather than doing a checkout you will not get the .svn directories.

Bill Proud
[Puppet Users] foreman issue
Hello! I try to use foreman. It's successfully import current nodes from puppet storeconfig. Nodes hostname stored in short form, without domain. After that, I run puppet on newly created additional 5 nodes. They shows in foreman with full fqdn. Os, environment, architecture for this nodes not shown. How can I fix this issue?
Re: [Puppet Users] Update time in template file.
On 12/19/2010 10:16 PM, rjl wrote:

Hi all, How can I put in an update time in a template file? The problem I am running into is this... Here is my file to update the timestamp

snmp.conf.erb

    # HEADER: [ <%= Time.now.gmtime %> ] Modified by puppet.
    defVersion 2c
    devCommunity somecommunity

The problem is that every time puppet runs, it updates the time stamp. I only want it to update if there was an actual change to the content of the file

Thanks in advance. rjl

Hi, a template probably won't do this for you. Whenever puppet generates your client's catalog, the template text is put into that. So if the master generates the header, it will produce a different catalog each time.

The most simple thing would be for you to rely on the mtime instead. This has some drawbacks, of course.

If the template is simple enough (and, unlike me, you know some ruby), it may be feasible to write a simple plugin instead. That way, you *can* limit header generation to times when there are actual changes.

HTH, Felix
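The comparison such a plugin would need, as an added example that is not part of the original thread or of Puppet: render the body without the header, and keep the existing header when the body on disk is unchanged. The function names and the body template are hypothetical, and the code has to run where the managed file lives, since a template evaluated on the master cannot see the client's current file.

```ruby
require 'erb'

# Header line in the format used by the snmp.conf.erb from the question.
HEADER_RE = /\A# HEADER: \[ (.*?) \] Modified by puppet\.\n/

# Body of the file only; the timestamp header is handled separately so that
# rendering is deterministic. (Constructed template, mirrors the question.)
BODY_TEMPLATE = "defVersion 2c\ndevCommunity <%= community %>\n".freeze

def render_body(template, community)
  ERB.new(template).result(binding)
end

# Return the text the file should have. When the existing file already has a
# header and the same body, it is returned unchanged, old timestamp included.
def stamped_content(existing, body, now)
  if existing && (m = HEADER_RE.match(existing))
    return existing if m.post_match == body
  end
  "# HEADER: [ #{now.getutc} ] Modified by puppet.\n#{body}"
end

# Write the file only when something other than the timestamp changed.
# Returns true if the file was (re)written, false if it was left alone.
def update_file(path, body, now = Time.now)
  existing = File.exist?(path) ? File.read(path) : nil
  content = stamped_content(existing, body, now)
  return false if content == existing

  File.write(path, content)
  true
end
```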
Re: [Puppet Users] Re: file: ensure => present, purge => true
CraftyTech hmmedina at gmail.com writes:

I'm using puppet 0.25.5

On Dec 16, 10:26 am, CraftyTech hmmed...@gmail.com wrote:

Hello All, I'm not sure what I'm missing here, but when defining a file resource, to use as my yum repo, I can't seem to be able to purge other files in the directory. For instance, I just want to have base.repo under /etc/yum.repos.d/, so I'm using:

    file { "/etc/yum.repos.d/base.repo":
        owner   => root,
        group   => root,
        mode    => 0644,
        purge   => true,
        recurse => true,
        force   => true,
        replace => true,
        content => template("yum/base.repo.erb")
    }

The code creates the file, but fails to purge the rest of the data in that dir. Can anyone see what I'm missing here? Thanks,

I think you should do the following:

1- Put base.repo on Puppet master file server to be shared then

2-

    file { "/etc/yum.repos.d":
        owner   => root,
        group   => root,
        mode    => 0644,
        purge   => true,
        recurse => true,
        source  => "puppet:///location_folder_which_contains_base.repo"
    }

It will delete all files other than base.repo
Re: [Puppet Users] erb template and variable check
On 12/20/2010 05:03 AM, Nicolas Aizier wrote:

Hi everyone, I'm actually working on implementing templates as it is a very convenient and powerful way to configure files properly. But I'm actually meeting a little problem, not a blocking one but a strange thing. Basically my module is configuring the ntp client, no big deal. manifest/init.pp of the module define a simple variable from facts to know if it's a VM or not

code :
***

    $HardwareType = $manufacturer ? {
        'VMware, Inc.' => 'VM',
        default        => 'PHYSICAL'
    }

Hi, this slipped me too at first, but do take note of the $virtual fact. (E.g. facter virtual)

    $ntpserver = 'time.au.fcl.internal'

    class ntp {
        package { 'ntp':
            ensure => present,
        }
        file { '/etc/ntp.conf':
            owner   => root,
            group   => root,
            mode    => 644,
            content => template('/etc/puppet/modules/ntp/templates/ntp.conf.erb'),
            notify  => Service['ntpd'],
            require => Package['ntp'],
        }
        service { 'ntpd':
            ensure     => running,
            enable     => true,
            hasrestart => true,
            require    => Package['ntp'],
        }
    }

***

    err: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to parse template /etc/puppet/modules/ntp/templates/ntp.conf.erb: Could not find value for 'ntpserver' at /etc/puppet/modules/ntp/manifests/init.pp:25 on node foo.fqdn

As Patrick noted, the $ntpserver variable is biting you here, which is indeed strange. You may want to try and include its declaration in the ntpserver class proper.

Also, it appears valid to include a default value in your template, see http://projects.puppetlabs.com/projects/puppet/wiki/Puppet_Templating on the topic of undefined variables.

HTH, Felix
[Puppet Users] puppetd stops after RH patches
We have several RedHat systems that were patched this weekend where puppetd is quietly going away. I'm still gathering info, but all 64-bit RH 5 systems I've checked are OK, the failing systems seem to be limited to 32 bit systems but both RH4 and 5. We don't have many RH 4 systems left..

Puppet version is 25.5-1

Patches applied (from yum.log)

    Dec 19 00:13:48 Updated: krb5-libs-1.6.1-36.el5_5.6.i386
    Dec 19 00:13:52 Updated: openssl-0.9.8e-12.el5_5.7.i686
    Dec 19 00:13:53 Updated: 30:bind-libs-9.3.6-4.P1.el5_5.3.i386
    Dec 19 00:13:54 Updated: openldap-2.3.43-12.el5_5.3.i386
    Dec 19 00:13:57 Updated: nss_ldap-253-25.el5_5.3.i386
    Dec 19 00:14:10 Updated: gtk2-2.10.4-21.el5_5.6.i386
    Dec 19 00:14:13 Updated: augeas-libs-0.7.4-1.el5.i386
    Dec 19 00:14:16 Updated: m2crypto-0.16-6.1.el5_5.1.i386
    Dec 19 00:14:17 Updated: 30:bind-utils-9.3.6-4.P1.el5_5.3.i386
    Dec 19 00:14:19 Updated: krb5-workstation-1.6.1-36.el5_5.6.i386

I ran puppetd -Ddv on a sample failing system and got these messages (host names xx'd):

    Dec 19 15:25:27 x puppetd[16494]: Finished catalog run in 3.15 seconds
    Dec 19 15:55:28 x puppetd[16494]: Caching catalog for tsm-admin-62.missouri.edu
    Dec 19 15:55:29 x puppetd[16494]: Applying configuration version '1292753209'
    Dec 19 15:55:31 x puppetd[16494]: Finished catalog run in 1.98 seconds
    Dec 19 16:25:33 x puppetd[16494]: Caching catalog for xxx
    Dec 19 16:25:34 x puppetd[16494]: nss_ldap: could not get LDAP result - Can't contact LDAP server

So, at the next hour, puppet dies. We aren't trying to use LDAP with puppet as far as I know.

Looking back in /var/log/messages to before the maintenance, I find similar, but non fatal errors:

    Dec 12 05:03:02 xx ruby: nss_ldap: could not get LDAP result - Can't contact LDAP server
    Dec 12 05:03:02 xx ruby: nss_ldap: reconnected to LDAP server ldaps://some-dc:3269 after 1 attempt
    Dec 12 05:03:17 xx nss_ldap: could not get LDAP result - Timed out
    Dec 12 05:33:24 xx ruby: nss_ldap: could not get LDAP result - Can't contact LDAP server
    Dec 12 05:33:24 xx ruby: nss_ldap: could not get LDAP result - Can't contact LDAP server
    Dec 12 05:33:24 xx ruby: nss_ldap: reconnected to LDAP server ldaps://some-dc:3269 after 1 attempt
    Dec 12 05:33:38 xx ruby: nss_ldap: could not get LDAP result - Timed out
    Dec 12 06:03:43 xx ruby: nss_ldap: could not get LDAP result - Can't contact LDAP server
    Dec 12 06:03:43 xx ruby: nss_ldap: could not get LDAP result - Can't contact LDAP server
    Dec 12 06:03:43 xx ruby: nss_ldap: reconnected to LDAP server ldaps://some-dc:3269 after 1 attempt

The LDAP server is a Windows domain controller, ldap.conf has a list of several alternates. Any thoughts? Thanks
Re: [Puppet Users] foreman issue
You need to run the rake again. Setup a cronjob to execute it every so often if you need new hosts regularly (e.g. Auto scaling)

-Mark

On Dec 20, 2010, at 6:58 AM, walexey wale...@gmail.com wrote:

Hello! I try to use foreman. It's successfully import current nodes from puppet storeconfig. Nodes hostname stored in short form, without domain. After that, I run puppet on newly created additional 5 nodes. They shows in foreman with full fqdn. Os, environment, architecture for this nodes not shown. How can I fix this issue?
[Puppet Users] tmz repo
Hi all, maybe it's a little OT... anyone knows if old puppet version from tmz repos are still available somewhere? TIA, Arnau
[Puppet Users] [puppet-users] run without puppet master
i'm relatively new to puppet and have not found an examples of running without a puppet master.

i want to use red hat satellite server to deliver to the clients of puppet an rpm containing puppet content a a few different packages.

1 for base lockdown, in this case STIG
1 for project customization
1 for applications

or something along those lines.

the idea is to eliminate the need for a puppet master and in a sorts replace that with satellite server. this way we can use satellite in a disconnected configuration and deploy those to isolated networks, shipboard, etc and not need extra infrastructure to manage.

does anyone have any examples of a disconnected configuration, not using a puppet master?

Regards, -- aaron
[Puppet Users] Re: Difficulty Migrating to Mongrel
Just wanted to report to say that I have still been unsuccessful with this. Any thoughts regarding the issue would be greatly appreciated. Thanks.

On Dec 14, 12:54 pm, jkois jeffrey.k...@gmail.com wrote:

Hello, After running the puppetmaster on Webrick and struggling with clients dropping regularly, I have decided to migrate my install to Mongrel. I have followed the documentation posted on the Puppet wiki but continue to receive the following errors on the client:

    err: Could not call puppetmaster.getconfig: #<RuntimeError: HTTP-Error: 502 Proxy Error>
    err: Could not retrieve configuration: HTTP-Error: 502 Proxy Error

On the server log, the error is represented as the following:

    (20014)Internal error: proxy: error reading status line from remote server 127.0.0.1
    proxy: NOT Closing connection to client although reading from backend server 127.0.0.1 failed.

Here is the rundown of my environment:

Debian 5.0 (Lenny)
Apache 2.2.9 with all of the required modules (proxy, proxy_http, proxy_balancer)
Puppet 0.24.5 installed using apt

My Apache config is virtually identical to the one shown at http://projects.puppetlabs.com/projects/puppet/wiki/Using_Mongrel, with the proper changes made.

My /etc/default/puppetmaster configuration includes the following:

    START=yes
    SERVERTYPE=mongrel
    PUPPETMASTERS=2
    PORT=18140

It is apparent that this is not so much of a puppetmaster issue as it is an Apache proxy issue, but I cannot seem to find anything regarding this particular issue when using puppet. Please let me know if there is any other information I can provide and I would be happy to do so. Thanks!
[Puppet Users] Re: Update time in template file.
Thanks to everyone for all of your input. It was very helpful. I like Felix's suggestion about writing a plugin.

rjl

On Dec 20, 5:03 am, Felix Frank felix.fr...@alumni.tu-berlin.de wrote:

On 12/19/2010 10:16 PM, rjl wrote:

Hi all, How can I put in an update time in a template file? The problem I am running into is this... Here is my file to update the timestamp

snmp.conf.erb

    # HEADER: [ <%= Time.now.gmtime %> ] Modified by puppet.
    defVersion 2c
    devCommunity somecommunity

The problem is that every time puppet runs, it updates the time stamp. I only want it to update if there was an actual change to the content of the file

Thanks in advance. rjl

Hi, a template probably won't do this for you. Whenever puppet generates your client's catalog, the template text is put into that. So if the master generates the header, it will produce a different catalog each time.

The most simple thing would be for you to rely on the mtime instead. This has some drawbacks, of course.

If the template is simple enough (and, unlike me, you know some ruby), it may be feasible to write a simple plugin instead. That way, you *can* limit header generation to times when there are actual changes.

HTH, Felix
[Puppet Users] Node syntax error
Hi all, I am having an issue with the syntax for a node definition. I want to use a facter variable in my definition but I get a syntax error. Here is the code

    node ${fqdn} {
        include adm
    }

Here is the error.

    Could not parse for environment production: Syntax error at ''; expected '}' at /etc/puppet/manifests/nodes.pp:16

I test to make sure that ${fqdn} is set before defining the node. I have used static strings and regexes and they all work but, for some reason, the variable will not be expanded.

Thanks
[Puppet Users] Re: Could not evaluate: 'test' is not executable
On Friday, December 10, 2010 11:34:15 AM UTC+1, luke.bigum wrote:

file called 'grep'... Removing this stray file and puppet now runs fine :)

Hi Luke. Yes you are right! I had a file called test in /root ! thanks!
Re: [Puppet Users] Node syntax error
On 12/20/2010 05:23 PM, rjl wrote:

Hi all, I am having an issue with the syntax for a node definition. I want to use a facter variable in my definition but I get a syntax error. Here is the code

    node ${fqdn} {
        include adm
    }

Here is the error.

    Could not parse for environment production: Syntax error at ''; expected '}' at /etc/puppet/manifests/nodes.pp:16

I test to make sure that ${fqdn} is set before defining the node. I have used static strings and regexes and they all work but, for some reason, the variable will not be expanded.

Hi, what are you trying to solve? Seeing as this node definition will apply to each and every client, you can as well put that include to the general scope (outside any node).

Is that line 16 you posted there? Because that error seems weird to me.

Regards, Felix
[Puppet Users] Re: Node syntax error
I have taken it out of the case statement to try to resolve the problem. Here is an example. I receive the same error from this...

    $tmp = "deving0109.cdntools.nsatc.net"
    node ${tmp} {
        include adm
    }

But this works just fine...

    node deving0109.cdntools.nsatc.net {
        include adm
    }

On Dec 20, 9:51 am, Felix Frank felix.fr...@alumni.tu-berlin.de wrote:

On 12/20/2010 05:46 PM, rjl wrote:

Hi Felix, Actually, it will not apply to each client. Each of my clients knows what role it plays. That is set in a facter variable ($osp_type) on the client. So, the entire code block looks like this...

    case $osp_type {
        adm: { node ${fqdn} { include adm } }
        ing: { node ${fqdn} { include ing } }
        rep: { node ${fqdn} { include rep } }
        oss: { node ${fqdn} { include oss } }
        mds: { node ${fqdn} { include mds } }
        default: { notice("Could not resolve role for ${fqdn}") }
    }

Those node declarations are still spurious. Also, I don't think nodes can be declared in case branches like that, so this is probably the error?

Just write

    case $osp_type {
        adm: { include adm }
        ...
    }

HTH, Felix
Re: [Puppet Users] Re: Node syntax error
On 12/20/2010 05:55 PM, rjl wrote:

I have taken it out of the case statement to try to resolve the problem. Here is an example. I receive the same error from this...

    $tmp = "deving0109.cdntools.nsatc.net"
    node ${tmp} {
        include adm
    }

But this works just fine...

    node deving0109.cdntools.nsatc.net {
        include adm
    }

Well, I'm stumped. Maybe variable substitution is just not meant to work for node declarations.

I still don't see what you need it for. Your earlier post is a very good depiction of how to choose a node's role based on a fact: Do it by selecting the class(es) to include based on the fact value. Do not try and select a node declaration based on a fact instead.

Or am I still missing part of your intent?

Cheers, Felix
[Puppet Users] Re: Node syntax error
Felix, I have made the changes based on your feedback and it works well. Thanks for your assistance...rjl

On Dec 20, 10:00 am, Felix Frank felix.fr...@alumni.tu-berlin.de wrote:

On 12/20/2010 05:55 PM, rjl wrote:

I have taken it out of the case statement to try to resolve the problem. Here is an example. I receive the same error from this...

    $tmp = "deving0109.cdntools.nsatc.net"
    node ${tmp} {
        include adm
    }

But this works just fine...

    node deving0109.cdntools.nsatc.net {
        include adm
    }

Well, I'm stumped. Maybe variable substitution is just not meant to work for node declarations.

I still don't see what you need it for. Your earlier post is a very good depiction of how to choose a node's role based on a fact: Do it by selecting the class(es) to include based on the fact value. Do not try and select a node declaration based on a fact instead.

Or am I still missing part of your intent?

Cheers, Felix
[Puppet Users] RFC: Puppet Docs
Hi all

Some time ago we created a new project called Puppet Docs. This took our existing reference documentation (which is auto-generated from the Puppet Core source code) and added together some pages from the Wiki and some new content. That content was published at http://docs.puppetlabs.com.

We're now discussing whether it is a good idea to separate our documentation from the Puppet Core. What we're proposing is to move all the content from Puppet Docs (barring MCollective - which will stay in the Mcollective repository) into the Puppet Core repository, probably under a directory called docs. The documentation will still be published onto the Puppet Docs site when updates occur but the code itself will be maintained in the same repository as the Puppet core code.

The advantages to this we see as:

1. It's simpler to have the code and the docs in the same place
2. It lowers the barrier to entry for contributors - only having to maintain one repository and work from one repository.
3. We hope it'll encourage people to update Docs more when they make changes if they have to only commit code to one repository.
4. One project/place to log documentation tickets rather than two separate Redmine projects.

We're seeking feedback on this idea from the community before we proceed.

Regards

James Turnbull
--
Puppet Labs - http://www.puppetlabs.com
C: 503-734-8571
Re: [Puppet Users] Appending to Variables in a global context
On Sun, Dec 19, 2010 at 4:26 PM, Daniel Pittman dan...@rimspace.net wrote:

On Mon, Dec 20, 2010 at 01:34, Spenser Gilliland spenser...@gmail.com wrote:

That's still ugly but I see how it works. I think I'll give it a shot that way see how it goes I still need to do something to make sure that the class is instantiated after the tables are instantited. Run stages maybe? Uhh, still ugly. I wish there was just some kind of syntactical element for this.

For that, file a feature request bug report. :)

FWIW, I think this overlaps with a similar problem that I faced, and which we used the 'concat' system to work around. Having a standard puppet solution would be good.

Regards, Daniel
--
✣ Daniel Pittman ✉ dan...@rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons

I added feature #5416 for this. I suggested two possible syntax styles. If anyone can think of any others I think we should add them to the bug.

Spenser
--
Spenser Gilliland
Computer Engineer
Illinois Institute of Technology
Re: [Puppet Users] RFC: Puppet Docs
Hi James,

Sounds very pragmatic and adds some aforementioned structure continuity for the project. Just wondering if there were any disadvantages thought of during the brainstorming to implement this change? I can't think of any off-hand but I'd guess you and others at Puppet Labs spent more than the last 3 minutes contemplating this change. ;)

Thanks, -Mark

On Dec 20, 2010, at 12:38 PM, James Turnbull wrote:

Hi all

Some time ago we created a new project called Puppet Docs. This took our existing reference documentation (which is auto-generated from the Puppet Core source code) and added together some pages from the Wiki and some new content. That content was published at http://docs.puppetlabs.com.

We're now discussing whether it is a good idea to separate our documentation from the Puppet Core. What we're proposing is to move all the content from Puppet Docs (barring MCollective - which will stay in the Mcollective repository) into the Puppet Core repository, probably under a directory called docs. The documentation will still be published onto the Puppet Docs site when updates occur but the code itself will be maintained in the same repository as the Puppet core code.

The advantages to this we see as:

1. It's simpler to have the code and the docs in the same place
2. It lowers the barrier to entry for contributors - only having to maintain one repository and work from one repository.
3. We hope it'll encourage people to update Docs more when they make changes if they have to only commit code to one repository.
4. One project/place to log documentation tickets rather than two separate Redmine projects.

We're seeking feedback on this idea from the community before we proceed.

Regards

James Turnbull
--
Puppet Labs - http://www.puppetlabs.com
C: 503-734-8571
[Puppet Users] classes being assigned twice
I am running puppet 0.25.5 on puppet client and server (still testing rollout of the newest upgrade). For all my nodes, I see all classes listed twice in the /var/lib/puppet/classes.txt on the node. Anyone know why that might be? When I run my external node classifier, I only see the classes assigned once. On a puppetd -t run on the client, I also see my custom facts being evaluated twice which makes me think the work is being done twice over.

Anyway, the classes being assigned twice is a problem because I am trying to iterate over them using this example from the puppet docs:

    <% classes.each do |klass| -%>
    The class <%= klass %> is defined
    <% end -%>

I am not a ruby developer. Perhaps, as a short term fix, someone can tell me how to uniq the classes array in this example?
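A stand-alone sketch of the short-term fix asked for above, added here and not part of the original thread: Array#uniq inside the template loop, plus a helper that reports which names are duplicated in classes.txt. The function names and sample class names are constructed, and ERB is rendered directly rather than through Puppet.

```ruby
require 'erb'

# Same loop as the template from the question, with uniq applied to the array.
# uniq keeps the first occurrence of each name and preserves order.
CLASS_TEMPLATE = <<~'TEMPLATE'
  <% classes.uniq.each do |klass| -%>
  The class <%= klass %> is defined
  <% end -%>
TEMPLATE

# Render with the '-' trim mode so that "-%>" swallows the following newline,
# which is the behaviour the template in the question relies on.
def render_classes(classes)
  ERB.new(CLASS_TEMPLATE, trim_mode: '-').result(binding)
end

# Given the text of a classes.txt file (one class name per line), return a
# hash of the names that appear more than once and how often they appear.
def duplicate_classes(classes_txt)
  counts = Hash.new(0)
  classes_txt.each_line do |line|
    name = line.strip
    counts[name] += 1 unless name.empty?
  end
  counts.select { |_, count| count > 1 }
end
```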
[Puppet Users] Enhancement for puppetmaster init script to balance puppetmaster instances across CPU cores - RFC
Hi all, I've been asked to get comments on this proposed patch to /etc/init.d/puppetmaster: https://projects.puppetlabs.com/issues/5465 Alex Giurgiu modified the puppetmaster init script to balance puppetmaster instances across CPU cores. I updated his modification to use facter to get the no. of available cores, and to display the core used when each instance starts. Anyone got any thoughts/comments on this? R.
[Puppet Users] Yum Repos - Best Practice?
Hi all,

I'm wondering how other people manage yum repositories using the yumrepo type. At the moment, we have a class called repos which has all of our repos defined in it. This class is included in our 'base' class which sets up things common to all servers such as puppet, mcollective, nrpe etc.

The down side of this is that all of our repos are included on all of our servers, leading to a complete mess in /etc/yum.repos.d/

I'm now thinking that I need to only call in the various repos for the servers which require them, i.e. CentosBase and others would be included in the 'base' class, however those which provide things such as php 5.3 would only be included on webservers etc.

What would be even nicer would be if there was a way to override certain aspects of existing repos, for example:

    class base {
        # other yumrepo defines...
        ...
        ...
        # stick with the php 5.1 in Centos Base
        yumrepo { "epel":
            excludepkgs => "php*",
        }
    }

    class webserverphp52 {
        # include php5.2 from epel
        yumrepo { "epel":
            excludepkgs => "",
        }
    }

Is this possible with 0.25 (we're installing from Epel and we're nowhere near ready to upgrade to 2.6!)? How are other people managing this kind of situation?

Cheers,
M.
RE: [Puppet Users] [puppet-users] run without puppet master
> i want to use red hat satellite server to deliver to the clients of puppet an rpm containing puppet content a a few different packages.
> 1 for base lockdown, in this case STIG
> 1 for project customization
> 1 for applications
> or something along those lines.

Aaron, you should check out CLIP, the Certifiable Linux Integration Platform, from Tresys. http://oss.tresys.com/projects/clip/

It uses puppet without a puppetmaster, to lock down a RHEL system. I believe the lockdown they do is a superset of what the STIG requires.
Re: [Puppet Users] Enhancement for puppetmaster init script to balance puppetmaster instances across CPU cores - RFC
On Mon, Dec 20, 2010 at 11:47 PM, Robin Bowes <robin-li...@robinbowes.com> wrote:

> I updated his modification to use facter to get the no. of available cores, and to display the core used when each instance starts

Using facter seems clean enough, but I was wondering if getting the information from cpuinfo instead would make it, so to say, foolproof.
[Puppet Users] # Only restart if we're actually running
I'd like to know the best way to fix the refresh/restart behavior of Service resources without using ensure => running.

I know that this is an unpopular requirement, but I do not want puppet to restart dying services before my monitoring system notices. If a service is fragile, I want to be woken up at 3am. In the worst case, ensure => running could restart my service every ten minutes, nagios could check it a few seconds after, and it could die again a few seconds past that. With the right harmonics a service could be effectively 99% downtime and ensure => running would prevent me from finding out.

I looked into writing a provider to fix this, but it appears that the provider.restart doesn't even get *called* by the core service type unless we're ensure => running or status comes back as running.

Now I *do* want the system to enforce the running state at the moment a configuration change has sent a refresh to the service, but not otherwise! So how can I best do this? Ideally I'd like for the ensure => running behavior to obey something like the Exec resource's refreshonly parameter. It seems like this is up at the type level, but is there a simple way to monkey-patch this for now?

--
Hey, how come nobody here in the future has a time machine except me?
[Puppet Users] Call for talks for the Configuration Management DevRoom at fosdem 2011
**Call for talks for the Configuration Management DevRoom at fosdem 2011**

FOSDEM 2011 - http://fosdem.org/2011/
6 February 2011, 09:00 to 17:00, Brussels, Belgium
Contact: fosdem2...@puppetlabs.com

We will be holding a Configuration Management DevRoom at fosdem 2011 and are requesting abstracts for structured presentations now.

Important information, dates:

* Submission deadline for abstracts: 2011-01-08
* Notification of accepted speakers: 2011-01-10
* Final schedule: 2011-01-11

**About this DevRoom**

Configuration Management is exciting! It is. Really. There is huge interest in automation, configuration management and especially PAAS, SAAS, IAAS and the cloud generally. We're seeking people who are working the field, interested in the field, or just interested in learning more about how to make their lives easier with automation and configuration management.

We invite you to submit talks on these topics:

* Configuration Management theory principles
* Configuration Management tools - real world use cases
* Tools, techniques and case studies
* Configuration Management and the Cloud
* Configuration Management, Compliance and Security

NOTE: Puppet Labs is helping organise this room but we're looking for talks on more than Puppet! We're looking for CFengine, Chef, bcfg2, AutomateIT, and the myriad of other tools out there.

**Your submission must include:**

* Your name
* The title of your talk
* A short abstract of one to two paragraphs (150 words, max.)
* A short biography
* Links to related websites/blogs etc.

Send the abstracts to: fosdem2...@puppetlabs.com

Presentations are to be formal and not longer than 30 minutes, plus 15 extra for questions (45 in total). Panels with more than one speaker are something we're also seeking, a "My configuration management tools is the awesomest and I'll debate that!" is possible, as are shorter presentations of 20 minutes. We're also exploring some un-conference style presentations too.

The deadline for submissions is January 8th 2011 December 2010. If your proposal has been accepted, you will be informed by email by January 10th 2011.

Please feel free to forward this call for abstracts and papers to relevant lists, people and sites. We're looking forward to seeing lots of interested folks, have lots of spirited presentations, debates, discussion and ... quite possibly drinking.
Re: [Puppet Users] # Only restart if we're actually running
Nick,

I would recommend using Nagios event handlers for this if you want Nagios to essentially take the reins of this problem. That way you will get your alerts and Nagios can react by starting the service again after x number of failures.

I understand you may want to do this through Puppet for architecture reasons but that's just the way I'd do it per your desire. Good luck!

-Mark

On Dec 20, 2010, at 1:57 PM, Nick Moffitt wrote:

> I'd like to know the best way to fix the refresh/restart behavior of Service resources without using ensure => running.
>
> I know that this is an unpopular requirement, but I do not want puppet to restart dying services before my monitoring system notices. If a service is fragile, I want to be woken up at 3am. In the worst case, ensure => running could restart my service every ten minutes, nagios could check it a few seconds after, and it could die again a few seconds past that. With the right harmonics a service could be effectively 99% downtime and ensure => running would prevent me from finding out.
>
> I looked into writing a provider to fix this, but it appears that the provider.restart doesn't even get *called* by the core service type unless we're ensure => running or status comes back as running.
>
> Now I *do* want the system to enforce the running state at the moment a configuration change has sent a refresh to the service, but not otherwise! So how can I best do this? Ideally I'd like for the ensure => running behavior to obey something like the Exec resource's refreshonly parameter. It seems like this is up at the type level, but is there a simple way to monkey-patch this for now?
>
> --
> Hey, how come nobody here in the future has a time machine except me?
Re: [Puppet Users] # Only restart if we're actually running
Mark Stanislav:

> I would recommend using Nagios event handlers for this if you want Nagios to essentially take the reins of this problem. That way you will get your alerts and Nagios can react by starting the service again after x number of failures.

Actually, this is kind of the opposite of what I want. I want a human to have to restart the service, because otherwise it doesn't present enough pain for the problem to be fixed more permanently. I have situations where I semi-regularly restart a bloating service, but that's about as heinous as I'll get.

Once you get used to automated systems propping up your daemons, the decay spreads until you encounter a serious intractable downtime event. I need the relevant people to feel panic when this happens.

--
01234567 - The amazing* Indent-O-Meter!
^
*: Indent-O-Meter may not actually amaze.
Re: [Puppet Users] # Only restart if we're actually running
On Dec 20, 2010, at 2:24 PM, Nick Moffitt wrote:

> Mark Stanislav:
>
> I would recommend using Nagios event handlers for this if you want Nagios to essentially take the reins of this problem. That way you will get your alerts and Nagios can react by starting the service again after x number of failures.
>
> Actually, this is kind of the opposite of what I want. I want a human to have to restart the service, because otherwise it doesn't present enough pain for the problem to be fixed more permanently. I have situations where I semi-regularly restart a bloating service, but that's about as heinous as I'll get.
>
> Once you get used to automated systems propping up your daemons, the decay spreads until you encounter a serious intractable downtime event. I need the relevant people to feel panic when this happens.

Fault tolerant infrastructure should be the point. Nagios will still blow up their e-mail, pager, phone, IMs until a threshold is hit and when the service restarted because of the event handler, they will get another e-mail. Why not just take a downtime (soft + hard states) report and if it breaches a given threshold a fix obviously needs to be implemented? That or the number of failures to reach a hard state should be reduced so that it's very apparent a PROBLEM beyond a dead service once a year is happening.

Appears that you are trying to solve a training problem rather than an infrastructure automation problem, which is probably why Puppet and Nagios aren't an 'easy' solution to fix it with. But I digress, perhaps someone will have a Puppet answer for you nonetheless.

Good luck Nick!

-Mark

> --
> 01234567 - The amazing* Indent-O-Meter!
> ^
> *: Indent-O-Meter may not actually amaze.
[Puppet Users] How to ensure at least one of possibly many prerequisites is installed?
Hi All,

I would like to use puppet to install a tool which requires java on a linux machine. I could do that quite easily by depending on a specific java package (say OpenJDK), then I would simply do:

    package { "java-1.6.0-openjdk": ensure => installed }
    ... { require => Package["java-1.6.0-openjdk"] }

But as the tool is pretty basic and can be run with just about any java 1.5 implementation around, I would prefer not to install the OpenJDK if there is already any other java 1.5 (even gcj) installed on the target machine.

What would be the best approach to achieve that with puppet? I should add that I'm quite new to puppet, so please bear with me if the solution is obvious ...

Thanks,
Michal
Re: [Puppet Users] How to ensure at least one of possibly many prerequisites is installed?
add a fact which checks if java is installed?

Ohad

On Mon, Dec 20, 2010 at 10:00 PM, michal ruzicka <michal.r...@gmail.com> wrote:

> Hi All,
>
> I would like to use puppet to install a tool which requires java on a linux machine. I could do that quite easily by depending on a specific java package (say OpenJDK), then I would simply do:
>
>     package { "java-1.6.0-openjdk": ensure => installed }
>     ... { require => Package["java-1.6.0-openjdk"] }
>
> But as the tool is pretty basic and can be run with just about any java 1.5 implementation around, I would prefer not to install the OpenJDK if there is already any other java 1.5 (even gcj) installed on the target machine.
>
> What would be the best approach to achieve that with puppet? I should add that I'm quite new to puppet, so please bear with me if the solution is obvious ...
>
> Thanks,
> Michal
[Puppet Users] Re: Difficulty Migrating to Mongrel
You make a good case for simply upgrading to the backport version and using passenger - I had it working flawlessly within minutes. I had considered doing the upgrade but didn't realize how big of a difference it would make. Thanks for the push required to take the leap!

Just as a quick summary: I used the lenny backports to upgrade puppet to 2.6.x and followed the instructions at http://projects.puppetlabs.com/projects/puppet/wiki/Using_Passenger. Did not run into any unexpected issues that weren't covered in the documentation.

Thanks again,
Jeff

On Dec 20, 10:34 am, Felix Frank <felix.fr...@alumni.tu-berlin.de> wrote:

> On 12/20/2010 04:17 PM, jkois wrote:
>
> Just wanted to report to say that I have still been unsuccessful with this. Any thoughts regarding the issue would be greatly appreciated.
>
> First off, why not Passenger?
>
> Second, the puppet in lenny is really a bug-ridden old rag. Consider
> a) using a backport package
> b) rolling your own package or even
> c) installing your master by hand
> All are far superior to the lenny package.
>
> That being said,
>
> On Dec 14, 12:54 pm, jkois <jeffrey.k...@gmail.com> wrote:
>
> Hello,
>
> After running the puppetmaster on Webrick and struggling with clients dropping regularly, I have decided to migrate my install to Mongrel. I have followed the documentation posted on the Puppet wiki but continue to receive the following errors on the client:
>
>     err: Could not call puppetmaster.getconfig: #<RuntimeError: HTTP-Error: 502 Proxy Error>
>     err: Could not retrieve configuration: HTTP-Error: 502 Proxy Error
>
> On the server log, the error is represented as the following:
>
>     (20014)Internal error: proxy: error reading status line from remote server 127.0.0.1
>     proxy: NOT Closing connection to client although reading from backend server 127.0.0.1 failed.
>
> Here is the rundown of my environment:
>
>     Debian 5.0 (Lenny)
>     Apache 2.2.9 with all of the required modules (proxy, proxy_http, proxy_balancer)
>     Puppet 0.24.5 installed using apt
>
> My Apache config is virtually identical to the one shown at http://projects.puppetlabs.com/projects/puppet/wiki/Using_Mongrel, with the proper changes made. My /etc/default/puppetmaster configuration includes the following:
>
>     START=yes
>     SERVERTYPE=mongrel
>     PUPPETMASTERS=2
>     PORT=18140
>
> Have you tried and found out what the puppetmaster actually responds when sent an HTTP request? It's obviously not what apache expects, so it is probably reporting some kind of error instead. It would go a long way to know what that response actually is.
>
> HTH,
> Felix
Re: [Puppet Users] # Only restart if we're actually running
Mark Stanislav:

> Fault tolerant infrastructure should be the point.

Absolutely, but the granularity of nagios and puppet (Every half hour? Every ten minutes? Every five?) is simply too coarse to qualify as fault-tolerance. Propping a broken service back on its feet at this frequency is worse than nothing, in my opinion.

We absolutely design properly highly-available services, but patching over serious crashes at even a one minute resolution would give us false confidence in our architecture.

--
No, I ain't got a fax machine! I also ain't got an Apple IIc, polio, or a falcon!
-- Ray, Achewood 2006-11-22
[Puppet Users] Re: Enhancement for puppetmaster init script to balance puppetmaster instances across CPU cores - RFC
On Dec 20, 12:51 pm, Mohit Chawla <mohit.chawla.bin...@gmail.com> wrote:

> On Mon, Dec 20, 2010 at 11:47 PM, Robin Bowes <robin-li...@robinbowes.com> wrote:
>
> I updated his modification to use facter to get the no. of available cores, and to display the core used when each instance starts
>
> Using facter seems clean enough, but I was wondering if getting the information from cpuinfo instead would make it, so to say, foolproof.

Is the task scheduler for some reason unable to move puppetmasterd tasks between CPUs if this is not done? In other words, is there even a problem here to be solved?

The patch appears to constrain each puppetmasterd to be scheduled only on a specific core, which in many cases could be more of a problem than a solution. For instance, if one core is loaded down with a heavy computation, then the scheduler would be unable to migrate that core's puppetmaster tasks to a different one. Only if the scheduler is already unable to do that does it make sense to me to accept this patch.

If the general concept is adopted then I, too, have reservations about running Facter from the initscript. The scope of the script is narrow enough that I think it would be more appropriate to retrieve the information more directly, i.e. from /proc/cpuinfo. Also, it would assuage my sense of efficiency to move the determination of the number of cores outside the loop.

John
[Puppet Users] Re: RFC: Puppet Docs
On Dec 20, 11:38 am, James Turnbull <ja...@puppetlabs.com> wrote:

> We're now discussing whether it is a good idea to separate our documentation from the Puppet Core. What we're proposing is to move all the content from Puppet Docs (barring MCollective - which will stay in the Mcollective repository) into the Puppet Core repository, probably under a directory called docs.
>
> [...]
>
> We're seeking feedback on this idea from the community before we proceed.

I am all in favor of maintaining the documentation together with the code. That's the way it ought to be, as far as I'm concerned.

John
Re: [Puppet Users] Separating puppetmaster file serving and catalogs
On Dec 20, 2010, at 2:43 AM, Felix Frank wrote:

> Sorry for the late answer, my provider had a downtime this weekend.
>
> Tough call. There is no such thing as a transparent SSL proxy afaik, because without decrypting requests, the proxy cannot make any header based decisions.
>
> This may well be a dead end then.
>
> Ah. See below for a different idea then.
>
> If such an approach is at all possible, the complete implementation would include giving the proxy the means to recognize valid client certificates.
>
> The proxy can and is recognizing valid certificates. The problem is passing that information on to the puppetmaster because I really don't know how to do that. I also don't know exactly which headers the puppetmaster uses. I'm thinking that if I do this, I need to remove the SSL from the file server VirtualHost and just pass the information directly through.
>
> Hm, no good. This is just the transparent SSL proxying I'm afraid is not at all possible (at least while still making use of the request URI to decide on the backend HTTP server).
>
> Even if this should work - is it worth all that hassle?
>
> This is a much better question. I'm going to work on it a little more though.
>
> The weird thing is: This might as well work, because you proxy pass to https://localhost... That means that your proxy actually reencrypts the requests (or should do that, at least).
>
> Are you seeing requests at the backend Apache now? Does puppet show any reaction to that? Are you performing basic tests using wget on distinct URLs that should be served by this setup?

Actually I've gotten a lot farther. At first, I spent a lot of time fumbling around until I finally gave up because I didn't have enough information to debug the problems. Here's what I did as a hack to give me more information:

Added this to config.ru:

    # if you want debugging:
    ARGV << "--debug"
    # Log to a file in addition to syslog
    ARGV << "--logdest" << "/var/log/puppet/puppetpassenger.log"

Added this to near the end of /usr/lib/ruby/1.8/puppet/network/http/rack/rest.rb. Make sure you know where to add this. Do not blindly add this at the end of the file:

    if dn.nil?
      dn = "nil"
    end
    status = request.env[Puppet[:ssl_client_verify_header]]
    if status.nil?
      status = "nil"
    end
    Puppet.debug "Custom: client_name=\"" + dn + "\" status=\"" + status + "\""
    # Print out all headers
    request.env.each { |elem| Puppet.debug "#{elem[1]}, #{elem[0]}" }

After this I found out that apache was adding a prefix of HTTP_ to the beginning of all custom headers. So, I was able to get the puppet client to connect if I added:

    RequestHeader set SSL_CLIENT_S_DN /CN=Simba.Outer
    RequestHeader set SSL_CLIENT_VERIFY SUCCESS

to the apache config and add:

    ssl_client_header = HTTP_SSL_CLIENT_S_DN
    ssl_client_verify_header = HTTP_SSL_CLIENT_VERIFY

to the [master] section of puppet.conf. Obviously, this is not suitable in a production environment.

Now I'm trying to get the second apache instance to resend the header it receives from the first instance. I haven't actually started on this yet.
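
Added example (not part of the original message, and not Puppet's or Apache's code): a simplified Ruby model of the header hand-off discussed in the message above, comparing the static RequestHeader hack with a proxy that overwrites the identity headers from its own TLS handshake result. The struct, function names, host names and the `%{...}e` directive lines in the comments are assumptions made for illustration.

```ruby
# Simplified model (assumption): a front proxy hands client-certificate results
# to a Rack-hosted master through request headers, as in the message above.

# CGI/Rack convention: header "Foo-Bar" reaches the app as env["HTTP_FOO_BAR"].
def rack_env_key(header_name)
  "HTTP_" + header_name.upcase.tr("-", "_")
end

# The two puppet.conf settings quoted in the message.
PUPPET_CONF = {
  ssl_client_header: "HTTP_SSL_CLIENT_S_DN",
  ssl_client_verify_header: "HTTP_SSL_CLIENT_VERIFY"
}.freeze

IDENTITY_HEADERS = %w[SSL_CLIENT_S_DN SSL_CLIENT_VERIFY].freeze

# Outcome of the TLS handshake at the proxy (hypothetical struct).
TlsResult = Struct.new(:subject_dn, :verify)

# Backend side: node name comes from the DN header; the request counts as
# authenticated only when the verify header says SUCCESS.
def identify(env, conf = PUPPET_CONF)
  dn = env[conf[:ssl_client_header]]
  cn = dn && dn[/CN\s*=\s*([^\/,]+)/, 1]
  return { node: nil, authenticated: false } if cn.nil?
  { node: cn, authenticated: env[conf[:ssl_client_verify_header]] == "SUCCESS" }
end

# Variant 1: the debugging hack, the same constants for every request.
#   RequestHeader set SSL_CLIENT_S_DN /CN=Simba.Outer
#   RequestHeader set SSL_CLIENT_VERIFY SUCCESS
def proxy_static(client_headers, _tls)
  client_headers.merge("SSL_CLIENT_S_DN" => "/CN=Simba.Outer",
                       "SSL_CLIENT_VERIFY" => "SUCCESS")
end

# Variant 2: no header handling; whatever the client sent reaches the backend.
def proxy_passthrough(client_headers, _tls)
  client_headers.dup
end

# Variant 3: drop client-supplied copies, then set both from the handshake.
#   RequestHeader set SSL_CLIENT_S_DN %{SSL_CLIENT_S_DN}e
#   RequestHeader set SSL_CLIENT_VERIFY %{SSL_CLIENT_VERIFY}e
def proxy_forwarding(client_headers, tls)
  kept = client_headers.reject do |name, _|
    IDENTITY_HEADERS.include?(name.upcase.tr("-", "_"))
  end
  kept.merge("SSL_CLIENT_S_DN" => tls.subject_dn.to_s,
             "SSL_CLIENT_VERIFY" => tls.verify)
end

# Run one request through a proxy variant and ask the backend who it is.
def handle(proxy, client_headers, tls)
  forwarded = send(proxy, client_headers, tls)
  env = forwarded.each_with_object({}) { |(k, v), e| e[rack_env_key(k)] = v }
  identify(env)
end

# Constructed sample input: one verified agent, and one request without a
# certificate that arrives carrying its own copies of the identity headers.
VALID_AGENT = TlsResult.new("/CN=agent01.example.test", "SUCCESS")
NO_CERT = TlsResult.new(nil, "NONE")
CLAIMED = { "SSL-Client-S-DN" => "/CN=master.example.test",
            "SSL_CLIENT_VERIFY" => "SUCCESS" }.freeze

[:proxy_static, :proxy_passthrough, :proxy_forwarding].each do |proxy|
  puts "#{proxy}: verified agent -> #{handle(proxy, {}, VALID_AGENT)}"
  puts "#{proxy}: no certificate -> #{handle(proxy, CLAIMED, NO_CERT)}"
end
```

Only the third variant ties the name the backend sees to the certificate the proxy actually verified; the first two accept the request that presented no certificate.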
Re: [Puppet Users] Re: Separating puppetmaster file serving and catalogs
On Wed, Dec 15, 2010 at 8:36 PM, Nigel Kersten <ni...@puppetlabs.com> wrote:

> This is a backup plan, but I would like to do this automatically without needing to change the manifests.
>
> You can use a fact here in the place of the server name, then it can be automatic. If you have your own conditions client-side for working out what host is best to get files from, then you can get quite effective load distribution. I like this sort of self-organizing principle.

I'm re-posting this as it seemed to get lost in the noise, and in my experience is a far simpler and immensely scalable option for distributing the load of file serving.
Re: [Puppet Users] # Only restart if we're actually running
On Mon, Dec 20, 2010 at 1:33 PM, Nick Moffitt <n...@zork.net> wrote:

> Mark Stanislav:
>
> Fault tolerant infrastructure should be the point.
>
> Absolutely, but the granularity of nagios and puppet (Every half hour? Every ten minutes? Every five?) is simply too coarse to qualify as fault-tolerance. Propping a broken service back on its feet at this frequency is worse than nothing, in my opinion.
>
> We absolutely design properly highly-available services, but patching over serious crashes at even a one minute resolution would give us false confidence in our architecture.

Can you use the basic service provider with fully-specified start/stop/restart commands to achieve what you need?

> --
> No, I ain't got a fax machine! I also ain't got an Apple IIc, polio, or a falcon!
> -- Ray, Achewood 2006-11-22
Re: [Puppet Users] Re: Node syntax error
On Mon, Dec 20, 2010 at 2:43 PM, jcbollinger <john.bollin...@stjude.org> wrote:

> On Dec 20, 11:00 am, Felix Frank <felix.fr...@alumni.tu-berlin.de> wrote:
>
> On 12/20/2010 05:55 PM, rjl wrote:
>
> Well, I'm stumped. Maybe variable substitution is just not meant to work for node declarations.
>
> I could easily believe that. It doesn't make much sense to me to use variable substitution in that context.
>
> I still don't see what you need it for. Your earlier post is a very good depiction of how to choose a node's role based on a fact: Do it by selecting the class(es) to include based on the fact value. Do not try and select a node declaration based on a fact instead.
>
> Exactly. You hit it on the head earlier when you said this node definition will apply to each and every client. You can express that in Puppet by just putting the code at top level, outside any node definition. If it were me, though, I'd do it slightly differently:
>
>     node default {
>         case $osp_type {
>             adm: { include adm }
>             ...
>         }
>     }
>
> That way you can easily sidestep the whole $osp_type selection business if you need to do. rjl didn't say specifically how he solved his problem, but I'm guessing it was in one of those two ways.

I actually like to even abstract this even more away from the node itself.

    node default { include base }

and then the base class does all logic around class/module inclusion. This means your environments are entirely self-contained, and you can pretty much ignore site.pp.

You can do the same thing with your external node classifier as well. Always include base and set parameters there, then consult those values in your base module.