[Puppet Users] Puppet agent on debian 6

2011-02-14 Thread Jli-
hi guys,
Any note on puppet agent running on Debian 6? It seems that there's an
error after upgrading it from Debian 5 to Debian 6.

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.



Re: [Puppet Users] Puppet agent on debian 6

2011-02-14 Thread Daniel Pittman
On Mon, Feb 14, 2011 at 00:02, Jli- jljohn...@gmail.com wrote:

 Any note on puppet agent running on Debian 6? It seems that there's an
 error after upgrading it from Debian 5 to Debian 6.

Hey there.  So, we are not aware of any particular restrictions there.
 Can you give us some more detail?  Is there a Debian bug report for
the issue, or can you post the errors you are getting here?

Oh, and just to check: have you upgraded your puppet master, or just
the agent?  It would be good to know the versions of both.

Thanks,
Daniel
-- 
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman dan...@puppetlabs.com
✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
♲ Made with 100 percent post-consumer electrons




Re: [Puppet Users] Check package version in order to proceed with installation (err: Could not update: package is already installed)

2011-02-14 Thread Jan
Hi *,

no more ideas? :)

Jan

On 02/11/2011 10:24 PM, Jan wrote:
 Hi Patrick,
 
 On 02/11/2011 07:40 PM, Patrick wrote:
 
 [...]
 
 1) So, just some random advice.  If you're using the same server to
 serve files and catalogs, you can skip listing the server and just
 use 3 slashes like this: 
 puppet:///files/rpm-sles11sp1/ruby-shadow-$myrshadowversion.x86_64.rpm
 
 I see but I've just added this during the debugging procedure of our
 nameservers, anyhow your advice is welcome :)
 
  2) You sure it's not easier to just create a repository right now
 instead?
 
 Of course and I would really like to but for the moment we're facing
 some serious issues which won't fix in time. That's the major reason for
 me searching a temporary solution.
 
 3) What if you try using ensure => installed in the package?  Does
 that work?
 
 This won't work because puppet (as of version 0.24.x) is already
 installed on all nodes. That's the reason why I want puppet to upgrade
 the package _only_ if a newer version is available. When using ensure
 => installed the package won't be upgraded because some version is
 already installed.
 
 However, I haven't checked it by myself but I think that the same error
 message will be thrown if using ensure => latest on other packages,
 right? If yes, would you say that it's a bug or a feature? ;)
 
 I want to get rid of that error message to keep the log files clean
 maybe to let them be checked on errors by our monitoring agent at a
 later time. The rest of the manifest seems to work just fine also with
 this error message coming up.
 
 4) I assume you're getting one of those errors for every package.  Is
 that true?
 
 Yes, that's correct.
 
 Jan
 




Re: [Puppet Users] Puppet in the DMZ

2011-02-14 Thread Thorsten Biel

On Feb 11, 2011, at 20:00, Daniel Pittman wrote:

 On Fri, Feb 11, 2011 at 00:40, Thorsten Biel thorsten.b...@porsche.de wrote:
 On Feb 11, 2011, at 07:25, John Warburton wrote:
 
 How do people get around the common rule that DMZ servers should not 
 initiate network connections back to the internal network? Should we have a 
 puppet server in the DMZ?
 
 Another approach is to use SSH tunnels. Use autossh to initiate SSH
 connections from your puppetmaster to each client.
 
 
 I am rather surprised: wouldn't your network security folks and
 auditors go absolutely ape when they discovered that you had punched a
 hole through their firewall to allow connections from the DMZ to a
 secure network without going through the appropriate security analysis
 process?

That's where IT and medicine are sometimes similar: ask 3 experts and 
you get 3 different recommendations. :)

But to get back to the point: no, they aren't going ape. Why should they?

 Anyway, I guess my point is that while this would probably work I
 can't really see why it would bring any benefit compared to just
 punching the hole through the firewall directly: Puppet uses SSL
 secured communication, and validates the identity at both ends, so you
 have no more or less exposure than with this mechanism, so far as I
 can see?

It boils down to the question of whether you allow DMZ servers to initiate 
connections into the internal (secure) zone or not.
As this could turn into a lengthy mail exchange, how about we discuss it
at Puppet Camp Europe?

Cheers,
Thorsten




[Puppet Users] Puppet configuration for MySQL master-slave replication

2011-02-14 Thread Basil Kurian
I'm a beginner to puppet. I know only basic stuff about puppet.

I would like to create a puppet configuration in which the master's
configuration can be tweaked so as to perform replication and new mysql
slave nodes will be automatically configured to become replicas.

I'm able to perform some basic operations on MySQL server using this
article [
http://bitfieldconsulting.com/puppet-and-mysql-create-databases-and-users]

http://groups.google.com/group/puppet-users/browse_thread/thread/1539ad026824?tvc=2

The above thread looks like the one which I need, but I'm unable to figure
out the entire details from it.

Please give me links to some good articles or blogs containing such
replication configurations.


-- 
Regards

Basil Kurian




Re: [Puppet Users] puppetrun :: HTTP-Error: 500 Internal Server Error (w/ Passenger)

2011-02-14 Thread CraftyTech
Thanks for the replies...  When I run puppetrun with either --configprint 
confdir or --genconfig, I only get Finished as the output, nothing else. 
 It doesn't show me any configuration parameters...




[Puppet Users] fork from Collection and Realizing resources (puppet-dev)

2011-02-14 Thread luke.bigum
Hi list (specifically Dan),

I was interested in the snippet you provided in the recent thread
Collection and Realizing resources and how it could be used to
safely include both 'app' and 'db' class without causing a conflict in
the user 'bob'. I can't quite see how that's possible, even using
class inheritance and the plusignment operator, you'd run into trouble
overriding the same resource twice (bob). How does the collection
syntax help?

Quoting Dan:

We have only been teaching <| |> in the puppetmaster training as a way
to realize virtual resources. We do not teach that it is possible to
override attributes with this syntax as well: <| |> {} (at least in
part b/c the implications/non-determinism terrify me), and do not
teach that it actually affects all resources.

The common example from class is something like:

class db::users {
  user { ['alice', 'bob']:
    ensure => present,
    gid    => 'dbadmin',
  }
}

class app::users {
  user { ['charlie', 'bob']:
    ensure => present,
    gid    => 'webadmin',
  }
}

class app {
  User <| gid == 'webadmin' |>
  ...
}

class db {
  User <| gid == 'dbadmin' |>
  ...
}

so that a machine can safely be a webserver and db server without
conflict.




[Puppet Users] Re: Check package version in order to proceed with installation (err: Could not update: package is already installed)

2011-02-14 Thread jcbollinger


On Feb 14, 2:35 am, Jan j...@agetty.de wrote:
 Hi *,

 no more ideas? :)

Whenever you want to use information about the state of a node to
influence the catalog supplied to that node, the Puppet Way is to use
facts.  In this case, it would need to be a custom fact.  It wouldn't
be too hard to wrap a custom fact around `rpm -q puppet`, or even to
draw a bunch of custom facts out of `rpm -qa`.

HOWEVER, I have to second Patrick's recommendation to create a local
repository.  Even a temporary one could solve the immediate problem
until your major problems (whatever they are) are sorted.  A yum
repository, at least, is very easy to create, and very easy to
advertise to all your clients via Puppet.  You could set it up on your
Puppetmaster, where evidently you already have copies of all the RPMs
you want to distribute, and which all your clients can already reach
over the network.

Alternatively, you could abandon your Package resources in favor of
Execs of the form `yum localinstall -y <RPM package>`.  That gets you
out of creating either a repository or any custom facts, but it is
furthest from the Way, and the most disruptive to your current
manifests.


Good Luck,

John
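John's custom-fact suggestion, worked through as an added example (not code from the thread, from Puppet or from Facter): a Ruby snippet that turns `rpm -qa` output into per-package facts and compares RPM versions the way rpm orders them, so a manifest can tell whether a newer package is actually available before touching it. The fact names (`rpm_<name>_version`), the query format and the sample output are assumptions made for this example.

```ruby
# Added example (not from the thread): a Facter-style custom fact that exposes
# the installed RPM version of each package, plus an RPM-style version compare
# so a manifest can decide whether a newer package is actually available.
# Fact names (rpm_<name>_version), the query format and the sample output
# below are all assumptions made for this example.

RPM_QUERY = %q(rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n')

# Constructed sample of what RPM_QUERY prints on a node.
SAMPLE_RPM_QA = <<~OUT
  puppet 0.25.5 1.el5
  ruby-shadow 1.4.1 7.sles11sp1
  facter 1.5.8 1.el5
OUT

# Turn "name version release" lines into { 'rpm_<name>_version' => 'version-release' }.
def parse_rpm_qa(text)
  text.each_line.with_object({}) do |line, facts|
    name, version, release = line.split
    next unless name && version && release
    facts["rpm_#{name.tr('-', '_')}_version"] = "#{version}-#{release}"
  end
end

# Split "version-release" on the last dash; a bare version gets an empty release.
def split_version_release(evr)
  version, dash, release = evr.rpartition('-')
  dash.empty? ? [evr, ''] : [version, release]
end

# Compare one version or release string the way rpmvercmp does (simplified:
# no tilde/caret handling): numeric runs compare as integers, alphabetic runs
# lexically, a numeric run beats an alphabetic one, and when all shared
# segments are equal the string with segments left over is the newer one.
def rpm_segment_compare(a, b)
  seg_a = a.scan(/\d+|[A-Za-z]+/)
  seg_b = b.scan(/\d+|[A-Za-z]+/)
  seg_a.zip(seg_b).each do |x, y|
    return 1 if y.nil?
    x_num = x.match?(/\A\d+\z/)
    y_num = y.match?(/\A\d+\z/)
    cmp = if x_num && y_num then x.to_i <=> y.to_i
          elsif x_num != y_num then x_num ? 1 : -1
          else x <=> y
          end
    return cmp unless cmp.zero?
  end
  seg_a.length <=> seg_b.length
end

# Full "version-release" comparison: -1, 0 or 1.
def rpm_version_compare(a, b)
  va, ra = split_version_release(a)
  vb, rb = split_version_release(b)
  cmp = rpm_segment_compare(va, vb)
  cmp.zero? ? rpm_segment_compare(ra, rb) : cmp
end

# True when the package is missing or the candidate is strictly newer, which
# is the condition Jan wants before letting Puppet touch the package.
def upgrade_needed?(installed, candidate)
  installed.nil? || rpm_version_compare(installed, candidate) < 0
end

# Register the facts when loaded by Facter (e.g. from a module's lib/facter/).
# Running this file stand-alone, without Facter or rpm, just skips this part.
begin
  require 'facter'
  parse_rpm_qa(`#{RPM_QUERY}`).each do |fact, value|
    Facter.add(fact) { setcode { value } }
  end
rescue LoadError, Errno::ENOENT
  # Facter or rpm not available here; the pure-Ruby helpers above still work.
end
```

Note the rpm ordering quirk the comparison preserves: `2.6.4rc1` sorts after `2.6.4`, so a pre-release RPM will look "newer" than the matching final release.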




Re: [Puppet Users] Re: [Puppet-dev] Collections and Realizing Resources

2011-02-14 Thread Nigel Kersten
On Sun, Feb 13, 2011 at 9:59 PM, Dan Bode d...@puppetlabs.com wrote:


 We have only been teaching <| |> in the puppetmaster training as a way to
 realize virtual resources. We do not teach that it is possible to override
 attributes with this syntax as well: <| |> {} (at least in part b/c the
 implications/non-determinism terrify me), and do not teach that it actually
 affects all resources.


Why is using collections to override attributes non-deterministic compared
to class inheritance doing the same thing?

The common example from class is something like:

 class db::users {
   user { ['alice', 'bob']:
     ensure => present,
     gid    => 'dbadmin',
   }
 }

 class app::users {
   user { ['charlie', 'bob']:
     ensure => present,
     gid    => 'webadmin',
   }
 }


 class app {
   User <| gid == 'webadmin' |>
   ...
 }

 class db {
   User <| gid == 'dbadmin' |>
   ...
 }

 so that a machine can safely be a webserver and db server without conflict.



Why is this preferred over the realize() function? I consider the realize
function much simpler to teach and understand for this class of problem.




[Puppet Users] redirect the dashboard with apache

2011-02-14 Thread Vincent
Hi

Is it possible to configure apache to redirect to the dashboard?

I have tried the config:

ProxyPass / http://localhost:3000
ProxyPassReverse / http://localhost:3000


I've got the following error when I try to get the nodes page:

Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /nodes.

Reason: DNS lookup failure for: localhost:3000nodes




[Puppet Users] Splitting PuppetMaster from PuppetCA config help

2011-02-14 Thread linuxbsdfreak
Hello All,

I am running puppetmaster with nginx and unicorn. I am trying to split
puppet master from the Puppet CA. The puppetCA is running well with
the following nginx config:

user  nginx;
worker_processes  10;
worker_rlimit_nofile 10;

error_log   /var/log/nginx/error.log  debug;
pid         /var/run/nginx.pid;

events {
    worker_connections  1024;
    use epoll;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;

    # These are good default values.
    tcp_nopush      on;
    tcp_nodelay     off;

    server_tokens   off;

    # output compression saves bandwidth
    gzip            on;
    gzip_http_version 1.1;
    gzip_proxied    any;
    gzip_static     on;
    gzip_comp_level 5;
    gzip_min_length 500;
    gzip_types text/plain text/xml text/css text/comma-separated-values text/javascript application/x-javascript application/atom+xml;

    keepalive_timeout  65;

    server {
        listen IPaddr:8140;
        server_name  haproxy01;

        ssl on;
        ssl_session_timeout 5m;
        ssl_certificate /var/lib/puppet/ssl/certs/haproxy01.pem;
        ssl_certificate_key /var/lib/puppet/ssl/private_keys/haproxy01.pem;
        ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
        ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
        ssl_verify_client optional;
        ssl_verify_depth 1;

        root /etc/puppet;

        proxy_set_header    Host            $host;
        proxy_set_header    X-Client-DN     $ssl_client_s_dn;
        proxy_set_header    X-Client-Verify $ssl_client_verify;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_buffer_size   16k;
        proxy_buffers       8 32k;
        proxy_busy_buffers_size    64k;
        proxy_temp_file_write_size 64k;
        proxy_read_timeout  65;

        location / {
            proxy_pass http://IPofserver:8141;  # Running unicorn on port 8141
            proxy_redirect off;
        }
    }
}

Puppet.conf

[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl

[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
server = haproxy01

[master]
autosign = false
ssl_client_header = HTTP_X_CLIENT_DN
ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
certname = haproxy01
ca = true

Now the main puppetmaster for serving the manifests has the following
configuration:

user  nginx;
worker_processes  10;
worker_rlimit_nofile 10;

error_log   /var/log/nginx/error.log info;
pid         /var/run/nginx.pid;

events {
    worker_connections  1024;
    use epoll;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;

    # These are good default values.
    tcp_nopush      on;
    tcp_nodelay     off;

    server_tokens   off;

    # output compression saves bandwidth
    gzip            on;
    gzip_http_version 1.1;
    gzip_proxied    any;
    gzip_static     on;
    gzip_comp_level 5;
    gzip_min_length 500;
    gzip_types text/plain text/xml text/css text/comma-separated-values text/javascript application/x-javascript application/atom+xml;

    keepalive_timeout  65;

    server {
        listen ipaddr:8140;
        server_name  pserver01;

        ssl on;
        ssl_session_timeout 5m;
        ssl_certificate /var/lib/puppet/ssl/certs/pserver01.pem;
        ssl_certificate_key /var/lib/puppet/ssl/private_keys/pserver01.pem;
        #ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
        ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
        #ssl_verify_client optional;
        ssl_verify_depth 1;

        root /etc/puppet;

        # make sure we serve everything as raw
        types { }
        default_type application/x-raw;

        # serve static file for the [files] mountpoint
        location /production/file_content/files/ {
            allow all;

            alias /etc/puppet/files/;
        }

        # serve modules files sections
        location ~ /production/file_content/[^/]+/files/ {
            allow all;

            root /etc/puppet/modules;

            # rewrite /production/file_content/module/files/file.txt to /module/file.text
            rewrite ^/production/file_content/([^/]+)/files/(.+)$ $1/$2 break;
        }
        proxy_set_header    Host    $host;
        proxy_set_header

Re: [Puppet Users] exec: creates overrides onlyif?

2011-02-14 Thread Felix Frank
On 02/10/2011 08:47 PM, Matthew Pounsett wrote:
 
 The docs are vague on how the two interact.. but it seems to me that 
 'creates' will override 'onlyif' in an exec clause.  i.e. if the file named 
 by 'creates' exists, then 'onlyif' is ignored.  Is someone able to confirm 
 that?

I cannot positively confirm, but the opposite wouldn't make a bit of
sense to me.

Both are conditions that are meant to keep the exec from running if it's
not necessary. Now if onlyif were named dowhenever or somesuch, that
would be a different story...

Regards,
Felix




Re: [Puppet Users] exec: creates overrides onlyif?

2011-02-14 Thread Matthew Pounsett

On 2011/02/14, at 11:12, Felix Frank wrote:

 On 02/10/2011 08:47 PM, Matthew Pounsett wrote:
 
 The docs are vague on how the two interact.. but it seems to me that 
 'creates' will override 'onlyif' in an exec clause.  i.e. if the file named 
 by 'creates' exists, then 'onlyif' is ignored.  Is someone able to confirm 
 that?
 
 I cannot positively confirm, but the opposite wouldn't make a bit of
 sense to me.

Sometimes files exist already but need to be updated.  With 'creates' and 
'onlyif' both set, I'd expect an OR behaviour: write the file if the file 
referenced by 'creates' doesn't exist, OR if 'onlyif' evaluates to true.





Re: [Puppet Users] certificate does not match

2011-02-14 Thread Felix Frank
Hi,

from afar, it's hard to tell what your specific problem is.

Has your puppetmaster generated a new CSR for the machine? Maybe you
have to sign the new certificate; the master still stores a valid,
signed certificate for the machine, but the client has no use for it.
You need to convince your master to sign a new certificate (for which
the client actually has the private key).

From the helptext:
clean:   Remove all files related to a host from puppet cert's
 storage. This is useful when rebuilding hosts, since new
 certificate signing requests will only be honored if puppet
 cert does not have a copy of a signed certificate for that
 host. The certificate of the host remains valid. If '--all'
 is specified then all host certificates, both signed and
 unsigned, will be removed.

Be mindful of the fact that the signed certificate remains valid (until
replaced?)

HTH,
Felix

On 02/14/2011 04:34 AM, Tim Dunphy wrote:
 Hello list,
 
  I am having a problem with one of my puppet clients contacting the
 puppet server. All of my puppet nodes are working with the current
 manifest (such as it is, until I get a chance to develop it a little
 more).
 
  The server I am having issues with had to be re-provisioned. Once I
 did I started getting this message:
 
  [root@LCENT01:~] #puppetd --test --waitforcert 15
 err: Could not request certificate: Retrieved certificate does not
 match private key; please remove certificate from server and
 regenerate it with the current key
 
 So I rm'd the contents of the ssl directory on this client:
 
 [root@LCENT01:~] #rm -rf /var/lib/ssl/*
 
 
 Then I went to the puppet server and issued a puppetca --clean:
 
 [root@virtcent13:~] #puppetca --clean LCENT01.summitnjhome.com
 LCENT01.summitnjhome.com
 
 The puppet server responds with the name of the host indicating that
 it has already been cleaned.
 
 The server name I used for the clean directive matches the fqdn of the
 host I am attempting to re-add to the puppet server's cert list.
 
 
 [root@LCENT01:~] #facter | grep fqdn
 fqdn = LCENT01.summitnjhome.com
 
 
 AFAIK the puppetca --clean command should have taken care of this
 error. Can someone out there recommend the next steps to resolving
 this error?
 
 Thanks!!!
 
 
 




Re: [Puppet Users] Re: [Puppet-dev] Collections and Realizing Resources

2011-02-14 Thread Dan Bode
On Mon, Feb 14, 2011 at 6:49 AM, Nigel Kersten ni...@puppetlabs.com wrote:

 On Sun, Feb 13, 2011 at 9:59 PM, Dan Bode d...@puppetlabs.com wrote:


 We have only been teaching <| |> in the puppetmaster training as a way to
 realize virtual resources. We do not teach that it is possible to override
 attributes with this syntax as well: <| |> {} (at least in part b/c the
 implications/non-determinism terrify me), and do not teach that it actually
 affects all resources.


 Why is using collections to override attributes non-deterministic compared
 to class inheritance doing the same thing?


With the below example, the evaluation order of the overrides determines the
final value.

notify { 'foo':
  message => 'bar',
}

Notify <| |> {
  message => 'bazz'
}
Notify <| |> {
  message => 'baz'
}

# try this example and swap the overrides

With class inheritance, any attempt to override the same attribute twice
fails:

class a {
  notify { 'foo':
    message => 'a',
  }
}
class c inherits a {
  Notify['foo'] { message => 'c' }
}
class b inherits a {
  Notify['foo'] { message => 'b' }
}
include a,c,b

:!puppet apply /tmp/foo2.pp
Parameter 'message' is already set on Notify[foo] by
#<Puppet::Resource::Type:0xb7a430c8> at /tmp/foo2.pp:9; cannot redefine at
/tmp/foo2.pp:12 on node mypuppetmaster.localdomain


The common example from class is something like:

 class db::users {
   user { ['alice', 'bob']:
     ensure => present,
     gid    => 'dbadmin',
   }
 }

 class app::users {
   user { ['charlie', 'bob']:
     ensure => present,
     gid    => 'webadmin',
   }
 }


 class app {
   User <| gid == 'webadmin' |>
   ...
 }

 class db {
   User <| gid == 'dbadmin' |>
   ...
 }

 so that a machine can safely be a webserver and db server without
 conflict.



 Why is this preferred over the realize() function? I consider the realize
 function much simpler to teach and understand for this class of problem.


The realize function requires that we have to know all of the names of the
resources that we are realizing. Consider the example where each group of
users has 10 members, the above syntax is way easier to manage than:

realize(User[1], User[2],  User[10])









Re: [Puppet Users] Re: [Puppet-dev] Collections and Realizing Resources

2011-02-14 Thread Nigel Kersten
On Mon, Feb 14, 2011 at 8:56 AM, Dan Bode d...@puppetlabs.com wrote:



 On Mon, Feb 14, 2011 at 6:49 AM, Nigel Kersten ni...@puppetlabs.comwrote:

 On Sun, Feb 13, 2011 at 9:59 PM, Dan Bode d...@puppetlabs.com wrote:


 We have only been teaching <| |> in the puppetmaster training as a way to
 realize virtual resources. We do not teach that it is possible to override
 attributes with this syntax as well: <| |> {} (at least in part b/c the
 implications/non-determinism terrify me), and do not teach that it actually
 affects all resources.


 Why is using collections to override attributes non-deterministic compared
 to class inheritance doing the same thing?


 With the below example, the evaluation order of the overrides determines
 the final value.

 notify { 'foo':
   message => 'bar',
 }

 Notify <| |> {
   message => 'bazz'
 }
 Notify <| |> {
   message => 'baz'
 }

 # try this example and swap the overrides

 With class inheritance, any attempt to override the same attribute twice
 fails:

 class a {
   notify { 'foo':
     message => 'a',
   }
 }
 class c inherits a {
   Notify['foo'] { message => 'c' }
 }
 class b inherits a {
   Notify['foo'] { message => 'b' }
 }
 include a,c,b

 :!puppet apply /tmp/foo2.pp
 Parameter 'message' is already set on Notify[foo] by
 #<Puppet::Resource::Type:0xb7a430c8> at /tmp/foo2.pp:9; cannot redefine at
 /tmp/foo2.pp:12 on node mypuppetmaster.localdomain


Hmm. So it's order-dependent because you can do it more than once, unlike
class inheritance. Overriding the same attribute more than once via
collection feels like a code smell to me.


The common example from class is something like:

 class db::users {
   user { ['alice', 'bob']:
     ensure => present,
     gid    => 'dbadmin',
   }
 }

 class app::users {
   user { ['charlie', 'bob']:
     ensure => present,
     gid    => 'webadmin',
   }
 }


 class app {
   User <| gid == 'webadmin' |>
   ...
 }

 class db {
   User <| gid == 'dbadmin' |>
   ...
 }

 so that a machine can safely be a webserver and db server without
 conflict.



 Why is this preferred over the realize() function? I consider the realize
 function much simpler to teach and understand for this class of problem.


 The realize function requires that we have to know all of the names of the
 resources that we are realizing. Consider the example where each group of
 users has 10 members, the above syntax is way easier to manage than:

 realize(User[1], User[2],  User[10])


ah, but your collection syntax requires that you have to know the gid of the
resources you are realizing :)

There are certainly cases where the collection syntax is easier, but I feel
that the vast majority of virtual resource realizations I see in the wild
are for one or two resources where the name is known.




Re: [Puppet Users] redirect the dashboard with apache

2011-02-14 Thread Daniel Pittman
Hey. Your redirect lost the / between the service and the uri; add that to
your ProxyPass lines and it should, I think, work.

Regards,
Daniel
-- 
Puppet Labs Developer – http://puppetlabs.com
Daniel Pittman dan...@puppetlabs.com
Contact me via gtalk, email, or phone: +1 (877) 575-9775
Sent from a mobile device. Please forgive me if this is briefer than usual.
On Feb 14, 2011 8:08 AM, Vincent vlouvi...@gmail.com wrote:
 Hi

 Is it possible to configure apache to redirect to the dashboard?

 I have tried the config:

 ProxyPass / http://localhost:3000
 ProxyPassReverse / http://localhost:3000


 I've got the following error when I try to get the nodes page:

 Proxy Error

 The proxy server received an invalid response from an upstream server.
 The proxy server could not handle the request GET /nodes.

 Reason: DNS lookup failure for: localhost:3000nodes






Re: [Puppet Users] certificate does not match

2011-02-14 Thread Patrick

On Feb 14, 2011, at 8:43 AM, Felix Frank wrote:

 Hi,
 
 from afar, it's hard to tell what your specific problem is.
 
 Has your puppetmaster generated a new CSR for the machine? Maybe you
 have to sign the new certificate; the master still stores a valid,
 signed certificate for the machine, but the client has no use for it.
 You need to convince your master to sign a new certificate (for which
 the client actually has the private key).
 
 From the helptext:
 clean:   Remove all files related to a host from puppet cert's
 storage. This is useful when rebuilding hosts, since new
 certificate signing requests will only be honored if puppet
 cert does not have a copy of a signed certificate for that
 host. The certificate of the host remains valid. If '--all'
 is specified then all host certificates, both signed and
 unsigned, will be removed.
 
 Be mindful of the fact that the signed certificate remains valid (until
 replaced?)

Actually, they remain valid almost forever (I think it's usually 10 years) 
unless revoked.  Just replacing the certificate doesn't make the signature less 
valid.  The only way for a certificate to stop working, if you don't change the 
root certificate, is to revoke it and have certificate revocation lists 
working.  In 2.6.x I think certificates are revoked when cleaned, but I'm not 
sure.  I know 0.25.x doesn't.
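Felix's point that the signed certificate stays valid after `puppet cert --clean`, and Patrick's point that only revocation with a working CRL ends that, worked through as an added example (not code from the thread or from Puppet): a Ruby script on the OpenSSL standard library that builds a constructed CA, signs a certificate for an agent's first key, shows that certificate failing the private-key check against the agent's re-provisioned key (Tim's "does not match private key" case), and shows it still verifying against the CA until a CRL listing its serial is checked. The CA name, host name, serials and lifetimes are constructed for the demonstration.

```ruby
require 'openssl'

# Added example (not from the thread): models the re-provisioned agent from
# the thread above. The master still holds a certificate signed for the
# agent's OLD key, the rebuilt agent has a NEW key, and cleaning the files on
# the master does not by itself invalidate the old certificate; a CRL does.
# All keys, names, serials and lifetimes below are constructed.

# Build an X.509 v3 certificate. With issuer_cert/issuer_key nil the
# certificate is self-signed (used here for the constructed CA).
def build_cert(subject, key, issuer_cert, issuer_key, serial, ca: false, days: 365)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Build a CRL issued by the CA that revokes the given serial numbers.
def build_crl(ca_cert, ca_key, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 86_400
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time = Time.now - 30
    crl.add_revoked(entry)
  end
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  crl
end

# Verify a host certificate against the CA; with a CRL, also check revocation.
# Returns :valid, :revoked, or OpenSSL's error string for any other failure.
def cert_status(ca_cert, cert, crl: nil)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  if crl
    store.add_crl(crl)
    store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
  end
  return :valid if store.verify(cert)
  store.error == OpenSSL::X509::V_ERR_CERT_REVOKED ? :revoked : store.error_string
end

# The scenario from the thread, end to end.
def reprovision_scenario
  ca_key  = OpenSSL::PKey::RSA.new(2048)
  ca_cert = build_cert('/CN=Constructed Puppet CA', ca_key, nil, nil, 1, ca: true)

  # First provisioning: the agent's key and the certificate the CA signed for it.
  old_key  = OpenSSL::PKey::RSA.new(2048)
  old_cert = build_cert('/CN=agent01.example.test', old_key, ca_cert, ca_key, 2)

  # Re-provisioning: the rebuilt host generates a fresh key, but the master
  # still hands back old_cert. This is the "does not match private key" case.
  new_key = OpenSSL::PKey::RSA.new(2048)

  # What cleaning the files on the master does NOT do by itself: the old
  # certificate still verifies against the CA until a CRL that lists its
  # serial is actually checked.
  crl = build_crl(ca_cert, ca_key, [old_cert.serial.to_i])

  {
    old_key_matches:    old_cert.check_private_key(old_key),     # true
    new_key_matches:    old_cert.check_private_key(new_key),     # false
    status_without_crl: cert_status(ca_cert, old_cert),          # :valid
    status_with_crl:    cert_status(ca_cert, old_cert, crl: crl) # :revoked
  }
end

if __FILE__ == $PROGRAM_NAME
  reprovision_scenario.each { |check, result| puts "#{check}: #{result}" }
end
```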




Re: [Puppet Users] Puppet in the DMZ

2011-02-14 Thread Daniel Pittman
On Mon, Feb 14, 2011 at 01:35, Thorsten Biel thorsten.b...@porsche.de wrote:
 On Feb 11, 2011, at 20:00, Daniel Pittman wrote:
 On Fri, Feb 11, 2011 at 00:40, Thorsten Biel
thorsten.b...@porsche.de wrote:
 On Feb 11, 2011, at 07:25, John Warburton wrote:

 How do people get around the common rule that DMZ servers should not 
 initiate network connections back to the internal network? Should we have 
 a puppet server in the DMZ?

 Another approach is to use SSH tunnels. Use autossh to initiate SSH
 connections from your puppetmaster to each client.

 I am rather surprised: wouldn't your network security folks and
 auditors go absolutely ape when they discovered that you had punched a
 hole through their firewall to allow connections from the DMZ to a
 secure network without going through the appropriate security analysis
 process?

 That's where IT and medicine are sometimes similar: ask 3 experts and
 you get 3 different recommendations. :)

 But to get back to the point: no, they aren't going ape. Why should they?

Because using SSH to create a tunnel that allows servers in the DMZ to
connect to the internal network is often considered a problem. :)

[…]

 It boils down to the question of whether you allow DMZ servers to initiate
 connections into the internal (secure) zone or not.

I think we are in agreement there, and I agree that this is probably
the end of the value in the discussion.  So, having explained why I
see the issue I am happy to, if we still do, agree to disagree. :)

Daniel
-- 
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman dan...@puppetlabs.com
✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
♲ Made with 100 percent post-consumer electrons




[Puppet Users] Re: Master-less : What do I lose?

2011-02-14 Thread jblaine
Wow, I'm glad this generated some discussion.  I had almost given up on my 
post/thread.

Thanks for the replies, everyone.

Jordan, for context, we've been using Cfengine 2.x for 12 years now on ~180 
boxes (nowadays) which I was wholly responsible for and continue to be (for 
lame reasons I won't get into) the person who administers/drives it.  We 
hook a cfengine run into the end of our network installs (kickstart and 
Jumpstart) which does its thing, where one of those things is to add our 
cfengine_run wrapper script to root's crontab (nightly at 3AM + 
random(100secs)).  We're a thinktanky place, not a public-facing web 
product company.  SW and HW devs, researchers doing NLP stuff, etc.  For 
more context, I'm extremely averse to shoddy-seeming architectures or 
software, especially for something as important as configuration management. 
 To that topic, I had some choice words toward my screen when I came to 
understand the bogusness that is WEBrick+Rubythreads, and that most do the 
Mongrel/proxy or Passenger dance.  I'm not going to do that.  It's BS to me, 
and I'm sure there are plenty of people here who will take issue with that.  I'm 
actually pretty amazed at Puppet's adoption in agent+master form.

So I'm either going masterless Puppet + git repo or something else entirely 
(Cfengine 3), and I'm just trying to gain a clear picture of the masterless 
list of cons.  Going from Cfengine 2 to Cfengine 3 is almost as much effort 
as learning Puppet, so I figured I'd poke around with Puppet.

I've read the Loggly slide deck, but don't quite know enough about Puppet 
terms yet to extract real meaning from most of the masterless info slides.

Right now, thanks to our existing cfengine 2 setup, I've built and pushed 
Cfengine 3, Facter 1.5.8, Puppet 2.4.6, Ruby 1.8.7 + rubyssl, and the 
ruby-shadow module to all of our boxes' local disk.  For Solaris 10, I 
tweaked ruby-shadow (patch submitted and accepted) and also include the 
Cfengine 3 dependencies not commonly found: PCRE and Oracle Berkeley DB.

I'm not sure how relevant this is to the topic, but I'll mention it as well 
in case.  There are two goals to this next-gen CM plan.  The first is to 
serve our managed machine needs in a way that is saner than a gigantic 
Cfengine 2 config file.  The second is to provide a way for other ad-hoc 
UNIX/Linux boxes in the organization to benefit from using our tool tree + 
manifests/configs.  There's no reason for Jim Smith to need to 
hand-configure the 12 things on his Ubuntu 10.x box to make it worthwhile on 
the corp. network... etc.  This second goal is largely marketing for our 
group's capabilities and worth.

At any rate, I think the only thing for me to do is retreat into 
masterless-Puppet-test-rollout-land until I understand clearly what the 
limitations (mentioned in the thread here) mean to our goals.




[Puppet Users] Re: Master-less : What do I lose?

2011-02-14 Thread jblaine
On Wednesday, February 9, 2011 8:22:02 PM UTC-5, DaveQB wrote:

 One thing we have is multiple NFS mounts common to all machines. So 
 moving to serverless was quite painless and has so far been a HUGE 
 improvement. 


This is what I was planning to do as well (once I understand the other 
masterless losses more).

Thanks

 

 On Feb 8, 4:59 am, jblaine cjbl...@gmail.com wrote: 
  I've not found an explanation of what is lost by using Puppet without a 
  puppetmaster. 
  
  Does anyone have a link to something like that, or is anyone willing to 
  expound on the topic?




[Puppet Users] Re: Master-less : What do I lose?

2011-02-14 Thread jblaine
On Wednesday, February 9, 2011 3:32:07 PM UTC-5, Kevin Beckford wrote:

 I think it depends on the use case.  I much prefer the git method.  I'm 
 trying to do it the classic way this week, but there are a lot of decisions 
 to deploy an efficient puppetmaster which add complexity and unwanted 
 software to some setups.  


That's exactly what prompted me to start this thread.  I refuse to go down 
that road.




Re: [Puppet Users] Re: Master-less : What do I lose?

2011-02-14 Thread Nigel Kersten
On Wed, Feb 9, 2011 at 8:19 AM, Nan Liu n...@puppetlabs.com wrote:

 Another key difference is the agent only receives a catalog in
 master/agent mode. In masterless mode you must provide the puppet
 manifest/templates to each client system. The catalog is system
 specific and does not contain any configuration information about
 other systems, the manifests and templates would have all the
 configuration data for all systems.

 It would be non trivial to keep the configuration data isolated in
 masterless mode if you have a desire to segment and isolate
 configuration data by system, or even system roles (i.e. my website
 database system should not contain puppet manifest with my financial
 database password).

This is a very important point that I'd like to reiterate.

In some environments it's simply unacceptable to expose all password
hashes for all services to all machines.

You can work around this in masterless mode with appropriate ACLs and
some custom function work, but you're going to be doing work that a
master does for you.

For certain patterns of usage, a masterless setup may be the way to
go. It's certainly a simpler model for scaling, but you'll probably
want to at least submit reports to a central location.




Re: [Puppet Users] Re: Master-less : What do I lose?

2011-02-14 Thread tom

On 09/02/11 20:42, Kevin Beckford wrote:


It would be non trivial to keep the configuration data isolated in
masterless mode if you have a desire to segment and isolate
configuration data by system, or even system roles (i.e. my website
database system should not contain puppet manifest with my financial
database password).


I really am trying to understand here.  To me this is the thing I love 
about git/merc... wait, I don't love mercurial.  The thing I love about 
DVCS is that this seems a perfect problem domain for it.  You would be 
the master, store the total repo on your laptop and push the branches 
needed, where they need to go.  I suppose that the logic would be in 
several systems instead of one, but git does distributed versioning 
better, surely?  Please advise.


I use Puppet in a standalone mode.
I created a templating system using Perl and TemplateToolkit to create 
(simple) puppet manifests and configuration files I wish to manage. 
These are stored in a Git repo that allows me to easily see when changes 
are made to a server's configuration before pushing. Rollbacks are 
possible too in this scenario.
Clients pull via rsync - there is definitely scope for a more robust TLS 
transport here.
The big plus side here is that I am holding every server's set of files 
in a DVCS (as well as my colleagues) so we are less dependent on backups 
as everyone in the team will hold a fairly recent copy of the entire 
server farm.
Tied in mainly to CentOS, I can Kickstart a server and let it pull its 
own configuration and apply it in mere minutes if I was to lose a server.

As I say, manifests are fairly simple, but enough to manage files, 
services and other custom executables.

This was inspired by some work a guy did at Oxford University. It seems 
to scale very well as I am managing 180+ servers this way.

Tom



[Puppet Users] ANNOUNCE: Puppet 2.6.5 - Release Candidate 4 available!

2011-02-14 Thread Jacob Helwig
We're back with a maintenance release: 2.6.5. This release addresses a
number of bugs in the 2.6.x branch and adds a handful of features and
documentation updates.

This release candidate includes only test and documentation changes.

This release candidate is available for download at:

http://puppetlabs.com/downloads/puppet/puppet-2.6.5rc4.tar.gz

We're hoping this is going to be the last RC so please test it!

See the Verifying Puppet Download section at
http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet

Report feedback via the Puppet Labs Redmine site:

http://projects.puppetlabs.com

Please select an affected version of 2.6.5rc4.

You can find the Release Notes for Puppet at:

https://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes

CHANGELOG

2.6.5rc4

664ef67 (#3646) Fix the documentation fix for `puppet apply --apply`

2.6.5rc3

7ef2fbf Updated fix for #3646 - apply / compile documentation
193016d (#5977) fix spec test failure when new applications are introduced.

2.6.5rc2

1f89906 (#6257) Speed up PUT and POST requests under rack
7b3b56e (5977) Puppet::Applications can be loaded from multiple paths.

2.6.5rc1

f9e2e2b Augmentation of tests for prior commit
392504a Fix to fix for #5755 -- backref serialization issues in zaml
a732a15 Fixed #5564 - Added some more fqdn_rand documentation
f279f2c Fixed #4968 - Updated list of options turned on by --test in 
documentation
ce5a2bf (#5061) - allow special hostclass/define variables to be evaluated as 
defaults.
fd73874 (#6107) Fix an error when auditing a file with empty content
530496b Remove already initialized constant warning from file_spec.rb tests
76788f8 (#5566) Treat source only File checksums as syntax errors when used 
with content
d657292 Rename variable used in File type validation to be more clear
3398139 Remove invalid timestamp and time, and add missing ctime File 
checksum types.
6c93eb2 Remove order dependency when specifying source and checksum on File type
3a125d4 Bug #5755 -- ZAML generates extra newline in some hash backreferences.
50c12e5 bug #5681 -- code fix to handle AIX mount output
139760b Bug #5681 -- parse AIX mount command output.
2f74d83 Spec for #5681 to allow parsing of AIX mount output in mount provider
878f266 Fixed #6091 - Changed POSIX path matching to allow multiple leading 
slashes
eb97aa5 Bug #6091 -- test leading double-slash in filenames are allowed.
1bfc9a0 Fixed #6071 - Fixed typo and improved exec path error message
c50a48e Fixed #6061 - Allowed -1 as password min/max age
bf44e72 Bug #6061 -- verify that negative {min,max}_password_age are accepted.
af1c1fe Feature #5855 -- fix withenv call in freebsd package provider
d871641 Feature #5855 -- undefined method 'withenv' in FreeBSD package provider.
f1ab588 Fixed #6009 - nested member list vs directory service group provider
86a2a00 (#5944) Remove documentation of define() when used on nodes, as it is 
not a supported use of this function.
2b9f653 (#5944) Further edits of inline defined() documentation.
5d108e8 (#5944) Improve documentation of defined() function
7d38ab2 (#5594) Update documentation of exec resource type.
67e1bba (#5931) Prevent errors when calling insync? on audited properties
0f9d236 Maint: Removed dead code from resource harness.
0765afb Maint: Rename misleading insync? method in file provider
0084b08 (#5548) Specify return values of manual status commands in service type 
description.
dd332f6 Fixed #6002 - Added note about function execution
3cfbd07 (#5045) Cleaning up some tests and code
a2036ea (#5045) External node classifiers should be able to specify params for 
classes
18ca97b (#5045) Adds support to resource/type to also accept a param hash
70630b9 Fix #3165 Ralsh (bin/puppet resource) can't manage files
1fd3600 Fixed #3646 - Added documentation for compile and apply to man page
ae48634 Fixed #5914 Removed genconfig = true from genconfig output
7e7f342 Fixed #1657 - Added note about target file
069f29b Fixed #2096 - clarified option modification and tested it is working
66b442b Fixes #5916 - Cleanup of unused doc methods and documentation
9b74968 Modified rubydoc in lib/puppet/util/command_line/puppetca to fix 
inaccurate description of --clean.
e58f5dc Fixed #5742 - Removed legacy fqdn option from documentation
4d1b51f Fixed #5167 - misleading documentation in the defaults of [main]
c1b5c7f (#5913) Fix Puppet::Application.find constant lookup behavior
f9bfb96 (#5900) Include ResourceStatus#failed in serialized reports
79b6332 (#5882) Added error-handling for bucketing files in puppet inspect
17843d5 (#5882) Added error-handling to puppet inspect when auditing
1a6fab2 (#5171) Made puppet inspect upload audited files to a file bucket
a7cd185 Prep for #5171: Added a missing require to inspect application.
71ac9cf Locked Puppet license to GPLv2
abc6256 (#5838) Support paths as part of file bucket requests.
002f9f1 (#5838) Improve the quality of file bucket specs.
94d7179 

[Puppet Users] Re: puppet 2.6.5-rc1 Parameter type failed: type is read-only

2011-02-14 Thread John Warburton
On 9 February 2011 21:57, John Warburton jwarbur...@gmail.com wrote:

 OK - I found the issue. Because 2.6.x gives us nice human readable(ish)
 catalogs, I compiled mine and the 'random' hits were all for directories.
 Re-reading the manifest, I see those directories in the error messages all
 had type => directory, like

 file { "/var/empty":
     ensure => 'directory',
     *type   => 'directory',*
     mode   => 755,

 I was wondering how the type in the file resource for directories got in
there. Maybe too enthusiastic reading of the manual? It seems it may have
been ralsh from when it was working.

Now that https://projects.puppetlabs.com/issues/3165 is resolved, I used
ralsh on a directory with 2.6.5rc2, and it generated the same bad code!

I have raised https://projects.puppetlabs.com/issues/6314

John




Re: [Puppet Users] fork from Collection and Realizing resources (puppet-dev)

2011-02-14 Thread Dan Bode
On Mon, Feb 14, 2011 at 4:14 AM, luke.bigum luke.bi...@fasthosts.co.ukwrote:

 Hi list (specifically Dan),

 I was interested in the snippet you provided in the recent thread
 Collection and Realizing resources and how it could be used to
 safely include both 'app' and 'db' class without causing a conflict in
 the user 'bob'. I can't quite see how that's possible, even using
 class inheritance and the plusignment operator, you'd run into trouble
 overriding the same resource twice (bob). How does the collection
 syntax help?


ah, those resources should have been virtual:



 Quoting Dan:

 We have only been teaching <| |> in the puppetmaster training as a way to
 realize virtual resources. We do not teach that it is possible to override
 attributes with this syntax as well: <| |> { } (at least in part b/c the
 implications/non-determinism terrify me), and do not teach that it actually
 affects all resources.

 The common example from class is something like:

 class db::users {


should be @user { ['alice', 'bob']:


   user { ['alice', 'bob']:
     ensure => present,
     gid    => 'dbadmin',
   }

 }

 class app::users {

should be  @user { ['charlie', 'bob']:

   user { ['charlie', 'bob']:
     ensure => present,
     gid    => 'webadmin',
   }

 }

 class app {
   User <| gid == 'webadmin' |>
   ...

 }

 class db {
   User <| gid == 'dbadmin' |>
   ...

 }

 also missing:

include app::users, db::users, db, app




 so that a machine can safely be a webserver and db server without
 conflict.




Re: [Puppet Users] Re: puppet 2.6.5-rc1 Parameter type failed: type is read-only

2011-02-14 Thread Nigel Kersten
On Mon, Feb 14, 2011 at 3:30 PM, John Warburton jwarbur...@gmail.com wrote:
 On 9 February 2011 21:57, John Warburton jwarbur...@gmail.com wrote:

 OK - I found the issue. Because 2.6.x gives us nice human readable(ish)
 catalogs, I compiled mine and the 'random' hits were all for directories.
 Re-reading the manifest, I see those directories in the error messages all
 had type => directory, like

     file { "/var/empty":
         ensure => 'directory',
         type   => 'directory',
         mode   => 755,

 I was wondering how the type in the file resource for directories got in
 there. Maybe too enthusiastic reading of the manual? It seems it may have
 been ralsh from when it was working.

 Now that https://projects.puppetlabs.com/issues/3165 is resolved, I used
 ralsh on a directory with 2.6.5rc2, and it generated the same bad code!

 I have raised https://projects.puppetlabs.com/issues/6314

Thanks John. I'll do some clarification around your ticket, as we have
a wider problem with all read-only attributes.

I'm wondering whether it would be useful for puppet resource to have
an optional flag that did display read-only attributes? Certainly by
default we shouldn't be displaying them.




[Puppet Users] force directory to symlink, but only if empty

2011-02-14 Thread Rich Rauenzahn
I was surprised to find that

file { $foo:
    ensure => symlink,
    target => '/tmp/foo',
}

doesn't replace $foo if $foo is an empty directory.

Is there a particular combination of options to the file resource that
would replace the directory with the symlink if empty, but wouldn't
filebucket the contents and the directory if it wasn't empty?

recurse => false doesn't do it...

Rich




Re: [Puppet Users] force directory to symlink, but only if empty

2011-02-14 Thread Nan Liu
On Mon, Feb 14, 2011 at 5:17 PM, Rich Rauenzahn rraue...@gmail.com wrote:
 I was surprised to find that

 file { $foo:
     ensure => symlink,
     target => '/tmp/foo',
 }

 doesn't replace $foo if $foo is an empty directory.

 Is there a particular combination of options to the file resource that
 would replace the directory with the symlink if empty, but wouldn't
 filebucket the contents and the directory if it wasn't empty?

See http://docs.puppetlabs.com/references/latest/type.html#file
force => true

Nan




[Puppet Users] Re: ANNOUNCE: Puppet 2.6.5 - Release Candidate 4 available!

2011-02-14 Thread Todd Zullinger
Jacob Helwig wrote:
 We're back with a maintenance release: 2.6.5. This release addresses a
 number of bugs in the 2.6.x branch and adds a handful of features and
 documentation updates.

For those using Fedora or RHEL/CentOS, I've updated the yum repos at:

http://tmz.fedorapeople.org/repo/puppet/

Packages for EL 4 - 6 and Fedora 13 - 14 are available for testing.
Add the puppet.repo file from either the epel or fedora directories to
/etc/yum.repos.d to enable.

If you find problems with the packaging, please let me know.  If you
find other bugs, please file them in redmine:

http://projects.puppetlabs.com/projects/puppet/issues

I'm particularly interested in anyone updating from 0.25.x to 2.6.x
and whether you run into regressions or other issues that would make
this an unsuitable update to push into the stable Fedora and EPEL
repositories.

-- 
Todd        OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
Whenever you find yourself on the side of the majority, it is time to
pause and reflect.
-- Mark Twain





[Puppet Users] Puppetmasterd not receiving certificate request

2011-02-14 Thread mark risher
Hi: I'm trying to configure Puppet on Ubuntu, and strangely I am never
able to generate a certificate because my server never shows any
pending certificate requests.

Put differently, on the server I am running puppetmasterd and on the
client I am able to connect to the server, but the client continues
printing

   notice: Did not receive certificate
   warning: peer certificate won't be verified in this SSL session

and yet the server never sees the request

   mrisher@lab2$ puppetca --list
   [nothing shows up]
   mrisher@lab2$ puppetca --sign clientname.domain.com
   clientname.domain.com
   err: Could not call sign: Could not find certificate request for
clientname.domain.com

There was a suggestion that autosign was happening, but that does not
seem to be it. There is no autosign.conf file, and when I run
`puppetmasterd --no-daemonize -d -v` I receive the following output:
   info: Could not find certificate for 'clientname.domain.com'
every time the client says
   notice: Did not receive certificate

I checked the certs on the server and there don't seem to be any:

mrisher@lab2:~$ puppetca --list --all
mrisher@lab2:~$ sudo puppetca --list --all
+ lab2.domain.com  // this is the server (master)
mrisher@lab2:~$ sudo puppetca --list
[blank line]
mrisher@lab2:~$

Note: This is mostly running the default install from Ubuntu, if that
gives any leads.

Thanks for any help out there.




Re: [Puppet Users] force directory to symlink, but only if empty

2011-02-14 Thread Rich Rauenzahn
On Mon, Feb 14, 2011 at 5:20 PM, Nan Liu n...@puppetlabs.com wrote:
 On Mon, Feb 14, 2011 at 5:17 PM, Rich Rauenzahn rraue...@gmail.com wrote:
 I was surprised to find that

 file { $foo:
     ensure => symlink,
     target => '/tmp/foo',
 }

 doesn't replace $foo if $foo is an empty directory.

 Is there a particular combination of options to the file resource that
 would replace the directory with the symlink if empty, but wouldn't
 filebucket the contents and the directory if it wasn't empty?

 See http://docs.puppetlabs.com/references/latest/type.html#file
 force => true

That is what I'm doing.  But force also empties the directory if it
has contents.  I don't want that.

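The behaviour Rich is after, replace the path with a symlink only when it is an empty directory and leave a populated directory and its contents alone, is not what force gives him, as his reply notes. As an added example that is not code from Puppet or from anyone in the thread, here is that check written out in Ruby, the kind of routine one could run ahead of the file resource (from an exec, or as the body of a small custom type); the paths and targets below are constructed for the demo. Only rmdir is ever used to remove the directory, and rmdir refuses anything that is not empty, so there is no path by which contents get deleted or bucketed.

```ruby
require 'tmpdir'

# Make +path+ a symlink to +target+, but only if +path+ is absent, already a
# symlink, or an empty directory. A non-empty directory or a regular file is
# left untouched and reported. Returns a symbol describing what happened.
def symlink_if_empty(path, target)
  if File.symlink?(path)
    return :already_linked if File.readlink(path) == target
    File.unlink(path)                      # wrong target: relink below
  elsif File.directory?(path)
    return :skipped_nonempty_dir unless Dir.empty?(path)
    Dir.rmdir(path)                        # rmdir only ever removes an empty dir
  elsif File.exist?(path)
    return :skipped_regular_file
  end
  File.symlink(target, path)
  :linked
end

# Constructed scenario: an empty dir, a populated dir and a stale symlink,
# all inside a temporary directory that is removed when the block ends.
def demo
  Dir.mktmpdir('symlink-demo') do |root|
    target = File.join(root, 'real')
    Dir.mkdir(target)

    empty_dir = File.join(root, 'empty')
    Dir.mkdir(empty_dir)

    full_dir = File.join(root, 'full')
    Dir.mkdir(full_dir)
    File.write(File.join(full_dir, 'keep.txt'), "do not lose me\n")

    stale = File.join(root, 'stale')
    File.symlink(File.join(root, 'elsewhere'), stale)   # dangling link

    results = {
      empty: symlink_if_empty(empty_dir, target),   # :linked
      full:  symlink_if_empty(full_dir, target),    # :skipped_nonempty_dir
      stale: symlink_if_empty(stale, target),       # :linked (relinked)
      again: symlink_if_empty(empty_dir, target),   # :already_linked
    }
    results[:empty_is_link] = File.symlink?(empty_dir) && File.readlink(empty_dir) == target
    results[:full_kept]     = File.exist?(File.join(full_dir, 'keep.txt'))
    results
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The :skipped_nonempty_dir result is the case Rich wants to surface rather than act on; in a manifest that would be the point to fail loudly (or notify) instead of letting force sweep the directory into the filebucket.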



Re: [Puppet Users] Puppetmasterd not receiving certificate request

2011-02-14 Thread Basil Kurian
Set the IP of the puppet master as the hostname puppet in the /etc/hosts file of the
client

That is something like

192.168.2.100 puppet.example.local puppet

On 15 February 2011 07:25, mark risher mrisher.w...@gmail.com wrote:

 Hi: I'm trying to configure Puppet on Ubuntu, and strangely I am never
 able to generate a certificate because my server never shows any
 pending certificate requests.

 Put differently, on the server I am running puppetmasterd and on the
 client I am able to connect to the server, but the client continues
 printing

   notice: Did not receive certificate
   warning: peer certificate won't be verified in this SSL session

 and yet the server never sees the request

   mrisher@lab2$ puppetca --list
   [nothing shows up]
   mrisher@lab2$ puppetca --sign clientname.domain.com
   clientname.domain.com
   err: Could not call sign: Could not find certificate request for
 clientname.domain.com

 There was a suggestion that autosign was happening, but that does not
 seem to be it. There is no autosign.conf file, and when I run
 `puppetmasterd --no-daemonize -d -v` I receive the following output:
   info: Could not find certificate for 'clientname.domain.com'
 every time the client says
   notice: Did not receive certificate

 I checked the certs on the server and there don't seem to be any:

 mrisher@lab2:~$ puppetca --list --all
 mrisher@lab2:~$ sudo puppetca --list --all
 + lab2.domain.com  // this is the server (master)
 mrisher@lab2:~$ sudo puppetca --list
 [blank line]
 mrisher@lab2:~$

 Note: This is mostly running the default install from Ubuntu, if that
 gives any leads.

 Thanks for any help out there.





-- 
Regards

Basil Kurian




Re: [Puppet Users] Puppetmasterd not receiving certificate request

2011-02-14 Thread Basil Kurian
Then try puppetd --test on the client

On 15 February 2011 09:24, Basil Kurian basilkur...@gmail.com wrote:

 Set the IP of puppet master as hostname puppet on /etc/hosts file of
 client

 That is something like

 192.168.2.100 puppet.example.local puppet


 On 15 February 2011 07:25, mark risher mrisher.w...@gmail.com wrote:

 Hi: I'm trying to configure Puppet on Ubuntu, and strangely I am never
 able to generate a certificate because my server never shows any
 pending certificate requests.

 Put differently, on the server I am running puppetmasterd and on the
 client I am able to connect to the server, but the client continues
 printing

   notice: Did not receive certificate
   warning: peer certificate won't be verified in this SSL session

 and yet the server never sees the request

   mrisher@lab2$ puppetca --list
   [nothing shows up]
   mrisher@lab2$ puppetca --sign clientname.domain.com
   clientname.domain.com
   err: Could not call sign: Could not find certificate request for
 clientname.domain.com

 There was a suggestion that autosign was happening, but that does not
 seem to be it. There is no autosign.conf file, and when I run
 `puppetmasterd --no-daemonize -d -v` I receive the following output:
   info: Could not find certificate for 'clientname.domain.com'
 every time the client says
   notice: Did not receive certificate

 I checked the certs on the server and there don't seem to be any:

 mrisher@lab2:~$ puppetca --list --all
 mrisher@lab2:~$ sudo puppetca --list --all
 + lab2.domain.com  // this is the server (master)
 mrisher@lab2:~$ sudo puppetca --list
 [blank line]
 mrisher@lab2:~$

 Note: This is mostly running the default install from Ubuntu, if that
 gives any leads.

 Thanks for any help out there.





 --
 Regards

 Basil Kurian





-- 
Regards

Basil Kurian




[Puppet Users] Re: [Puppet-dev] Re: ANNOUNCE: Puppet 2.6.5 - Release Candidate 4 available!

2011-02-14 Thread Jacob Helwig
On Mon, 14 Feb 2011 21:00:02 -0500, Todd Zullinger wrote:
 
 Jacob Helwig wrote:
  We're back with a maintenance release: 2.6.5. This release addresses a
  number of bugs in the 2.6.x branch and adds a handful of features and
  documentation updates.
 
 For those using Fedora or RHEL/CentOS, I've updated the yum repos at:
 
 http://tmz.fedorapeople.org/repo/puppet/
 
 Packages for EL 4 - 6 and Fedora 13 - 14 are available for testing.
 Add the puppet.repo file from either the epel or fedora directories to
 /etc/yum.repos.d to enable.
 
 If you find problems with the packaging, please let me know.  If you
 find other bugs, please file them in redmine:
 
 http://projects.puppetlabs.com/projects/puppet/issues
 
 I'm particularly interested in anyone updating from 0.25.x to 2.6.x
 and whether you run into regressions or other issues that would make
 this an unsuitable update to push into the stable Fedora and EPEL
 repositories.
 

Todd,

Thanks for putting these together to help get these RCs tested on the
RPM based systems.

-- 
Jacob Helwig




[Puppet Users] Re: Puppetmasterd not receiving certificate request

2011-02-14 Thread mark risher
Thanks for the suggestion. I set /etc/hosts, but that doesn't appear
any different from specifying --server xyz on the command line; my
client definitely seems to reach the server, but still no certificate
is issued and the manifest file doesn't get downloaded:


--- CLIENT
mrisher@events1001:~$ sudo vi /etc/hosts
mrisher@events1001:~$ puppetd --test
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled
mrisher@events1001:~$ puppetd --test --waitforcert 60
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate


--- SERVER
mrisher@lab2:~$ puppetca --list

mrisher@lab2:~$ sudo puppetca --list

mrisher@lab2:~$


I feel like I must be missing something really obvious. Is there a way
to telnet directly to the puppetmaster and issue a test that way? When
I telnet to port 8140 it immediately hangs up.

Thank you,
/m




Re: [Puppet Users] Re: Puppetmasterd not receiving certificate request

2011-02-14 Thread Jeff McCune
On Mon, Feb 14, 2011 at 11:19 PM, mark risher mris...@impermium.com wrote:
 Thanks for the suggestion. I set /etc/hosts, but that doesn't appear
 any different from specifying --server xyz on the command line; my
 client definitely seems to reach the server, but still no certificate
 is issued and the manifest file doesn't get downloaded:


 --- CLIENT
 mrisher@events1001:~$ sudo vi /etc/hosts
 mrisher@events1001:~$ puppetd --test
 warning: peer certificate won't be verified in this SSL session
 warning: peer certificate won't be verified in this SSL session
 warning: peer certificate won't be verified in this SSL session
 Exiting; no certificate found and waitforcert is disabled
 mrisher@events1001:~$ puppetd --test --waitforcert 60
 warning: peer certificate won't be verified in this SSL session
 warning: peer certificate won't be verified in this SSL session
 warning: peer certificate won't be verified in this SSL session
 warning: peer certificate won't be verified in this SSL session
 notice: Did not receive certificate


 --- SERVER
 mrisher@lab2:~$ puppetca --list

 mrisher@lab2:~$ sudo puppetca --list

 mrisher@lab2:~$

It really feels like the puppetca command is using a different ssldir
configuration setting than the puppet master process is.  Could you
check puppetca --configprint ssldir and compare that with the ssldir
setting being used by the puppet master process?

Are you running in Passenger or some other setup?

 I feel like I must be missing something really obvious. Is there a way
 to telnet directly to the puppetmaster and issue a test that way? When
 I telnet to port 8140 it immediately hangs up.

This is because SSL is being used and your client isn't starting the
handshake.  Unfortunately there's not an easy way to test things
without getting past the SSL layer, which is what you're having
trouble with.

Also, try puppetca --list --all and see what certificates the CA _has_ signed.

Hope this helps,
-- 
Jeff McCune
http://www.puppetlabs.com/




[Puppet Users] Re: Puppetmasterd not receiving certificate request

2011-02-14 Thread mark risher
If this helps, when I run `puppetd -d` I get a bunch of debug log
statements that may be pertinent: http://pastebins.com/index.php?show=567

Thx,
/m




Re: [Puppet Users] Re: Puppetmasterd not receiving certificate request

2011-02-14 Thread Jeff McCune
On Mon, Feb 14, 2011 at 11:25 PM, mark risher mris...@impermium.com wrote:
 If this helps, when I run `puppetd -d` I get a bunch of debug log
 statements that may be pertinent: http://pastebins.com/index.php?show=567

As much information as you can provide about how you're running the
puppet master, what its configuration is (--genconfig helps here),
and what puppetca --configprint ssldir says would be more helpful.

-- 
Jeff McCune
http://www.puppetlabs.com/




Re: [Puppet Users] force directory to symlink, but only if empty

2011-02-14 Thread Nan Liu
On Mon, Feb 14, 2011 at 6:08 PM, Rich Rauenzahn rraue...@gmail.com wrote:
 On Mon, Feb 14, 2011 at 5:20 PM, Nan Liu n...@puppetlabs.com wrote:
 On Mon, Feb 14, 2011 at 5:17 PM, Rich Rauenzahn rraue...@gmail.com wrote:
 I was surprised to find that

 file { $foo:
    ensure => symlink,
    target => '/tmp/foo',
 }

 doesn't replace $foo if $foo is an empty directory.

 Is there a particular combination of options to the file resource that
 would replace the directory with the symlink if empty, but wouldn't
 filebucket the contents and the directory if it wasn't empty?

 See http://docs.puppetlabs.com/references/latest/type.html#file
 force = true

 That is what I'm doing.  But force also empties the directory if it
 has contents.  I don't want that.

Sorry, I missed the details. You can impose this behavior using an exec
and make the file resource depend on the exec. The exec will fail for
a non-empty directory:

exec { 'remove_empty_dir':
  command => "rmdir ${foo}",                  # rmdir refuses a non-empty directory, so the exec fails
  path    => '/bin:/usr/bin',
  onlyif  => "test ! -L ${foo} -a -d ${foo}", # only while $foo is still a real directory, not the symlink
}
# then give the file resource: require => Exec['remove_empty_dir']

Thanks,

Nan




[Puppet Users] Re: Puppetmasterd not receiving certificate request

2011-02-14 Thread mark risher
Thanks for the follow-up. Here is the puppetmasterd --genconfig output:
http://pastebins.com/index.php?show=568; I have not made any changes
from the default, Ubuntu package installation, so the actual
puppet.conf file is just the pathnames.

I've been running the server using the `/etc/init.d/puppetmasterd
start` command. There is very little log output in the masterhttp.log,
but here's what I see:

root@lab2:/var/log/puppet# more masterhttp.log
[2011-02-14 22:04:57] INFO  WEBrick 1.3.1
[2011-02-14 22:04:57] INFO  ruby 1.8.7 (2010-01-10) [x86_64-linux]
[2011-02-14 22:04:57] INFO
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=ca
Validity
Not Before: Feb 14 01:20:25 2011 GMT
Not After : Feb 13 01:20:25 2016 GMT
Subject: CN=lab2.domain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d5:f0:60:01:99:43:a8:d5:ce:0f:67:d1:d0:b2:
snip
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Comment:
Puppet Ruby/OpenSSL Generated Certificate
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
E8:82:E2:46:38:25:B8:1C:9B:89:A7:FC:7D:96:22:12:BE:
23:8E:9C
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client
Authentication, E-mail Protection
X509v3 Subject Alternative Name:
DNS:puppet, DNS:lab2.domain.com, DNS:puppet.domain.com
Signature Algorithm: sha1WithRSAEncryption
48:f5:6a:9a:c9:8d:69:7e:5a:e6:fa:38:c4:65:a4:5a:26:1e:
snip
[2011-02-14 22:04:57] INFO  WEBrick::HTTPServer#start: pid=20959
port=8140
[2011-02-14 22:05:03] events.edgesentinel.com - - [14/Feb/
2011:22:05:03 PST] GET /production/certificate/events1001.domain.com
HTTP/1.1 404 51
[2011-02-14 22:05:03] - - /production/certificate/
events1001.domain.com
[2011-02-14 22:05:03] events.edgesentinel.com - - [14/Feb/
2011:22:05:03 PST] GET /production/certificate/events1001.domain.com
HTTP/1.1 404 51
[2011-02-14 22:05:03] - - /production/certificate/
events1001.domain.com
[2011-02-14 22:05:21] events.edgesentinel.com - - [14/Feb/
2011:22:05:21 PST] GET /production/certificate/events1001.domain.com
HTTP/1.1 404 51
[2011-02-14 22:05:21] - - /production/certificate/
events1001.domain.com
[2011-02-14 22:05:50] events.edgesentinel.com - - [14/Feb/
2011:22:05:50 PST] GET /production/certificate/events1001.domain.com
HTTP/1.1 404 51
[2011-02-14 22:05:50] - - /production/certificate/
events1001.domain.com
[2011-02-14 22:05:50] events.edgesentinel.com - - [14/Feb/
2011:22:05:50 PST] GET /production/certificate/events1001.domain.com
HTTP/1.1 404 51
[2011-02-14 22:05:50] - - /production/certificate/
events1001.domain.com
[2011-02-14 22:05:50] events.edgesentinel.com - - [14/Feb/
2011:22:05:50 PST] GET /production/certificate/events1001.domain.com
HTTP/1.1 404 51
[2011-02-14 22:05:50] - - /production/certificate/
events1001.domain.com
[2011-02-14 22:05:56] events.edgesentinel.com - - [14/Feb/
2011:22:05:56 PST] GET /production/certificate/events1001.domain.com
HTTP/1.1 404 51
[2011-02-14 22:05:56] - - /production/certificate/
events1001.domain.com
[2011-02-14 22:05:57] INFO  going to shutdown ...
[2011-02-14 22:05:57] INFO  WEBrick::HTTPServer#start done.
root@lab2:/var/log/puppet#

Thanks again.
/m




Re: [Puppet Users] Re: Puppetmasterd not receiving certificate request

2011-02-14 Thread Nan Liu
On Mon, Feb 14, 2011 at 10:12 PM, mark risher mris...@impermium.com wrote:
 Thanks for the follow-up. Here is the puppetmasterd --genconfig output:
 http://pastebins.com/index.php?show=568; I have not made any changes
 from the default, Ubuntu package installation, so the actual
 puppet.conf file is just the pathnames.

 I've been running the server using the `/etc/init.d/puppetmasterd
 start` command. There is very little log output in the masterhttp.log,
 but here's what I see:

Shut down the service and run the puppet master with the following flags to
get debug info:
puppet master --no-daemonize -v

 root@lab2:/var/log/puppet# more masterhttp.log
 [2011-02-14 22:04:57] INFO  WEBrick 1.3.1
 [2011-02-14 22:04:57] INFO  ruby 1.8.7 (2010-01-10) [x86_64-linux]
 [2011-02-14 22:04:57] INFO
 Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=ca
        Validity
            Not Before: Feb 14 01:20:25 2011 GMT
            Not After : Feb 13 01:20:25 2016 GMT
        Subject: CN=lab2.domain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d5:f0:60:01:99:43:a8:d5:ce:0f:67:d1:d0:b2:
                    snip
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Comment:
                Puppet Ruby/OpenSSL Generated Certificate
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                E8:82:E2:46:38:25:B8:1C:9B:89:A7:FC:7D:96:22:12:BE:
 23:8E:9C
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client
 Authentication, E-mail Protection
            X509v3 Subject Alternative Name:
                DNS:puppet, DNS:lab2.domain.com, DNS:puppet.domain.com
    Signature Algorithm: sha1WithRSAEncryption
        48:f5:6a:9a:c9:8d:69:7e:5a:e6:fa:38:c4:65:a4:5a:26:1e:
        snip
 [2011-02-14 22:04:57] INFO  WEBrick::HTTPServer#start: pid=20959
 port=8140
 [2011-02-14 22:05:03] events.edgesentinel.com - - [14/Feb/
 2011:22:05:03 PST] GET /production/certificate/events1001.domain.com
 HTTP/1.1 404 51
 [2011-02-14 22:05:03] - - /production/certificate/
 events1001.domain.com
 [2011-02-14 22:05:03] events.edgesentinel.com - - [14/Feb/
 2011:22:05:03 PST] GET /production/certificate/events1001.domain.com
 HTTP/1.1 404 51
 [2011-02-14 22:05:03] - - /production/certificate/
 events1001.domain.com
 [2011-02-14 22:05:21] events.edgesentinel.com - - [14/Feb/
 2011:22:05:21 PST] GET /production/certificate/events1001.domain.com
 HTTP/1.1 404 51
 [2011-02-14 22:05:21] - - /production/certificate/
 events1001.domain.com
 [2011-02-14 22:05:50] events.edgesentinel.com - - [14/Feb/
 2011:22:05:50 PST] GET /production/certificate/events1001.domain.com
 HTTP/1.1 404 51
 [2011-02-14 22:05:50] - - /production/certificate/
 events1001.domain.com
 [2011-02-14 22:05:50] events.edgesentinel.com - - [14/Feb/
 2011:22:05:50 PST] GET /production/certificate/events1001.domain.com
 HTTP/1.1 404 51
 [2011-02-14 22:05:50] - - /production/certificate/
 events1001.domain.com
 [2011-02-14 22:05:50] events.edgesentinel.com - - [14/Feb/
 2011:22:05:50 PST] GET /production/certificate/events1001.domain.com
 HTTP/1.1 404 51
 [2011-02-14 22:05:50] - - /production/certificate/
 events1001.domain.com
 [2011-02-14 22:05:56] events.edgesentinel.com - - [14/Feb/
 2011:22:05:56 PST] GET /production/certificate/events1001.domain.com
 HTTP/1.1 404 51
 [2011-02-14 22:05:56] - - /production/certificate/
 events1001.domain.com
 [2011-02-14 22:05:57] INFO  going to shutdown ...
 [2011-02-14 22:05:57] INFO  WEBrick::HTTPServer#start done.
 root@lab2:/var/log/puppet#

Seems like the agent is just waiting for a certificate and you don't
have the CSR on the master. I'm not sure of a way to force the agent
to submit the CSR again. Since I don't have the exact directory
configuration, rather than asking you to copy the CSR to the server
I'm going to recommend cleaning the agent's ssl directory so it will
generate and submit the certificate request again.

With the master in verbose mode you should see the following: (using
demo.example.lan)
info: Could not find certificate for 'demo.example.lan'
info: Could not find certificate_request for 'demo.example.lan'
notice: demo.example.lan has a waiting certificate request
info: Could not find certificate for 'demo.example.lan'
info: Could not find certificate for 'demo.example.lan'

At this point you should have a certificate waiting to be signed.

Thanks,

Nan

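Pulling together Jeff's ssldir check, his remark on why telnet to 8140 "hangs up", and the repeated 404s for /production/certificate/events1001.domain.com in Mark's masterhttp.log, the shell helpers below are an added example written for this page; they are not Puppet's own tooling and were not posted in the thread. They assume the Puppet 2.6-era REST paths as they appear in that log (GET /<env>/certificate/<certname> to fetch a signed cert, PUT /<env>/certificate_request/<certname> to submit a CSR) and the CA layout of ca/requests/ and ca/signed/ under the master's ssldir. The sample log and the hostnames web01.domain.com and db01.domain.com are constructed for the demo.

```shell
#!/bin/sh
# Added example: helpers for "agent keeps polling, puppetca --list shows nothing".
# Not Puppet's code. Assumes Puppet 2.6 REST paths as seen in masterhttp.log:
#     GET /<env>/certificate/<certname>          agent fetches its signed cert
#     PUT /<env>/certificate_request/<certname>  agent submits its CSR
# and that the CA keeps pending CSRs in $ssldir/ca/requests/<certname>.pem and
# signed certificates in $ssldir/ca/signed/<certname>.pem.

# 1. Per certname: did the agent ever submit a CSR, and what did it get back?
#    cert_missing>0 with csr_submitted=0 means the agent never sent a request,
#    so there is nothing for puppetca to sign; clearing the agent's ssldir makes
#    it generate and submit a new one (Nan's advice above).
summarize_cert_traffic() {
    awk '
        BEGIN { re = "(GET|PUT) /[^ /]+/(certificate|certificate_request)/[^ ]+ HTTP/[0-9.]+\"? [0-9]+" }
        match($0, re) {
            split(substr($0, RSTART, RLENGTH), f, " ")   # f: method path HTTP/x.y" status
            split(f[2], p, "/")                          # p: "" env endpoint certname
            name = p[4]; seen[name] = 1
            if (f[1] == "PUT" && p[3] == "certificate_request")               csr[name]++
            else if (f[1] == "GET" && p[3] == "certificate" && f[4] == "404") miss[name]++
            else if (f[1] == "GET" && p[3] == "certificate" && f[4] == "200") ok[name]++
        }
        END {
            for (n in seen) printf "%s csr_submitted=%d cert_missing=%d cert_served=%d\n", n, csr[n]+0, miss[n]+0, ok[n]+0
        }' "$1" | sort
}

# 2. What the CA under ssldir $1 holds for certname $2: signed, pending or absent.
csr_state() {
    if   [ -f "$1/ca/signed/$2.pem" ];   then echo signed
    elif [ -f "$1/ca/requests/$2.pem" ]; then echo pending
    else echo absent
    fi
}

# 3. Jeff's check, run on the master: puppetca and the master process must agree
#    on ssldir, and must be run as the same user. Puppet running as a non-root
#    user falls back to a per-user ~/.puppet tree, which is one way to get an
#    empty listing. Needs the puppet commands installed; not called by the demo.
show_ssldirs() {
    echo "puppetca:      $(puppetca --configprint ssldir)"
    echo "puppetmasterd: $(puppetmasterd --configprint ssldir)"
}

# 4. What telnet cannot show (the master closes a connection that never starts a
#    TLS handshake): speak TLS to 8140 and print the subject and SANs of the
#    master's certificate. The name the agent connects to (puppet, or its
#    --server value) must be among the SANs. Needs network; not called by the demo.
probe_master_tls() {
    openssl s_client -connect "${1:-puppet}:8140" </dev/null 2>/dev/null \
        | openssl x509 -noout -text | grep -E 'Subject:|DNS:'
}

# --- constructed sample data; web01 and db01 are made-up hosts ---------------
SAMPLE_DIR=$(mktemp -d)
SAMPLE_LOG="$SAMPLE_DIR/masterhttp.log"
SAMPLE_SSLDIR="$SAMPLE_DIR/ssl"
cat > "$SAMPLE_LOG" <<'EOF'
[2011-02-14 22:04:57] INFO  WEBrick::HTTPServer#start: pid=20959 port=8140
[2011-02-14 22:05:03] events1001.domain.com - - [14/Feb/2011:22:05:03 PST] "GET /production/certificate/events1001.domain.com HTTP/1.1" 404 51
[2011-02-14 22:05:03] - - /production/certificate/events1001.domain.com
[2011-02-14 22:05:21] events1001.domain.com - - [14/Feb/2011:22:05:21 PST] "GET /production/certificate/events1001.domain.com HTTP/1.1" 404 51
[2011-02-14 22:06:10] web01.domain.com - - [14/Feb/2011:22:06:10 PST] "GET /production/certificate/web01.domain.com HTTP/1.1" 404 51
[2011-02-14 22:06:10] web01.domain.com - - [14/Feb/2011:22:06:10 PST] "PUT /production/certificate_request/web01.domain.com HTTP/1.1" 200 4
[2011-02-14 22:06:41] web01.domain.com - - [14/Feb/2011:22:06:41 PST] "GET /production/certificate/web01.domain.com HTTP/1.1" 404 51
[2011-02-14 22:07:02] db01.domain.com - - [14/Feb/2011:22:07:02 PST] "GET /production/certificate/db01.domain.com HTTP/1.1" 200 1302
EOF
mkdir -p "$SAMPLE_SSLDIR/ca/requests" "$SAMPLE_SSLDIR/ca/signed"
: > "$SAMPLE_SSLDIR/ca/requests/web01.domain.com.pem"   # submitted, awaiting puppetca --sign
: > "$SAMPLE_SSLDIR/ca/signed/lab2.domain.com.pem"      # the master's own cert
: > "$SAMPLE_SSLDIR/ca/signed/db01.domain.com.pem"

summarize_cert_traffic "$SAMPLE_LOG"
for h in events1001.domain.com web01.domain.com lab2.domain.com; do
    echo "$h: $(csr_state "$SAMPLE_SSLDIR" "$h")"
done
```

Against the sample log the summary reports events1001.domain.com with two cert_missing hits and no CSR submission, which is exactly the pattern in Mark's log, while web01.domain.com shows a submitted request that only needs signing. On a real master, run summarize_cert_traffic on /var/log/puppet/masterhttp.log and csr_state with the ssldir that show_ssldirs prints for puppetmasterd, not the one puppetca reports if the two differ.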