Re: [Puppet Users] puppet not working after switch to passenger - permissions issue?

2011-05-05 Thread Andreas Kuntzagk

Hi,

Nan Liu wrote:

On Wed, May 4, 2011 at 8:26 AM, Andreas Kuntzagk
 wrote:

Hi,

as suggested on the list I switched from the standalone puppetmaster to
Passenger. I have passenger installed now and edited the apache config as
far as I understood. I restarted apache.
Now when I run an agent I get:

/var/lib/gems/1.8/bin/puppet agent --server node002 --test
err: Could not retrieve catalog from remote server: Error 403 on SERVER:
Forbidden request: node039(192.168.73.39) access to /catalog/node039 [find]
at line 0
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

In the server log I find this:

May  4 14:13:08 node002 puppet-master[14489]: Denying access: Forbidden
request: node039(192.168.73.39) access to /catalog/node039 [find] at line 0
May  4 14:13:08 node002 puppet-master[14489]: Forbidden request:
node039(192.168.73.39) access to /catalog/node039 [find] at line 0


Not sure I can pinpoint your problem, is this all the output with
debugging enabled in config.ru?


No. I just enabled debugging (did not see this option before). Now I get many 
more lines.

I suspect these to be the important ones:

May  5 08:59:36 node002 puppet-master[16796]: (access[/]) adding authentication 
any
May  5 08:59:36 node002 puppet-master[16796]: Inserting default '/status'(auth) 
acl because none where found in '/etc/puppet/auth.conf'
May  5 08:59:36 node002 puppet-master[16796]: (access[/]) defaulting to no 
access for node002



[...]



It doesn't map to a filepath. Access is controlled via auth.conf. You
should have a section similar to:

# allow nodes to retrieve their own catalog (ie their configuration)
path ~ ^/catalog/([^/]+)$
method find
allow $1


Ok, auth.conf was missing. But I copied the gems default conf file and it's 
still not working.



Since you should not need to change it, I'm wondering do you have the
following [master] section in puppet.conf?
  ssl_client_header = SSL_CLIENT_S_DN
  ssl_client_verify_header = SSL_CLIENT_VERIFY


No. There is no [master] section at all. And also in all example confs there is 
no [master] section. Btw. this is version 2.6.4.


regards, Andreas

--
You received this message because you are subscribed to the Google Groups "Puppet 
Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.



[Puppet Users] Re: How to setup database for Inventory Service

2011-05-05 Thread Alessandro Franceschi
Actually I ended up creating manually the missing tables, but thanks
for the info.

On May 5, 1:31 am, James Turnbull  wrote:
> Alessandro Franceschi wrote:
> > Thank you for the feedback.
> > I've momentarily postponed the inventory setup but, for the chronicle,
> > just inserting the query you posted didn't work out of the box.
> > I'll get back on this when sorted out other things.
> > Al
>
> Al
>
> You should also be able to do:
>
> [master]
> dbmigrate=true
>
> In your puppet.conf and Puppet will automatically add the tables.
>
> Regards
>
> James Turnbull
>
> --
> James Turnbull
> Puppet Labs
> 1-503-734-8571




Re: [Puppet Users] puppet not working after switch to passenger - permissions issue?

2011-05-05 Thread Andreas Kuntzagk

Ok, seems that I have an authentication issue here.
when I set (for all paths) "auth no" in auth.conf, it's working again.
Maybe I set these options wrong in the apache.conf:

SSLCertificateFile  /etc/puppet/ssl/certs/node002.pem
SSLCertificateKeyFile   /etc/puppet/ssl/private_keys/node002.pem

As far as I can tell these files match.

regards, Andreas

Andreas Kuntzagk wrote:

Hi,

Nan Liu wrote:

On Wed, May 4, 2011 at 8:26 AM, Andreas Kuntzagk
 wrote:

Hi,

as suggested on the list I switched from the standalone puppetmaster to
Passenger. I have passenger installed now and edited the apache 
config as

far as I understood. I restarted apache.
Now when I run an agent I get:

/var/lib/gems/1.8/bin/puppet agent --server node002 --test
err: Could not retrieve catalog from remote server: Error 403 on SERVER:
Forbidden request: node039(192.168.73.39) access to /catalog/node039 
[find]

at line 0
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

In the server log I find this:

May  4 14:13:08 node002 puppet-master[14489]: Denying access: Forbidden
request: node039(192.168.73.39) access to /catalog/node039 [find] at 
line 0

May  4 14:13:08 node002 puppet-master[14489]: Forbidden request:
node039(192.168.73.39) access to /catalog/node039 [find] at line 0


Not sure I can pinpoint your problem, is this all the output with
debugging enabled in config.ru?


No. I just enabled debugging (did not see this option before). Now I get 
many more lines.

I suspect these to be the important ones:

May  5 08:59:36 node002 puppet-master[16796]: (access[/]) adding 
authentication any
May  5 08:59:36 node002 puppet-master[16796]: Inserting default 
'/status'(auth) acl because none where found in '/etc/puppet/auth.conf'
May  5 08:59:36 node002 puppet-master[16796]: (access[/]) defaulting to 
no access for node002



[...]



It doesn't map to a filepath. Access is controlled via auth.conf. You
should have a section similar to:

# allow nodes to retrieve their own catalog (ie their configuration)
path ~ ^/catalog/([^/]+)$
method find
allow $1


Ok, auth.conf was missing. But I copied the gems default conf file and 
it's still not working.



Since you should not need to change it, I'm wondering do you have the
following [master] section in puppet.conf?
  ssl_client_header = SSL_CLIENT_S_DN
  ssl_client_verify_header = SSL_CLIENT_VERIFY


No. There is no [master] section at all. And also in all example confs 
there is no [master] section. Btw. this is version 2.6.4.


regards, Andreas
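
The decision discussed in this thread, as a simplified Ruby model added here for illustration (it is not Puppet's source code and not code from any poster). It shows how the `auth.conf` catalog rule interacts with the `SSL_CLIENT_S_DN` and `SSL_CLIENT_VERIFY` variables the web server hands to the master; the environment hashes, the `fallback_name` argument and the rule objects are constructed assumptions.

```ruby
# Added example: a simplified model, not Puppet's implementation.
# Header names are the puppet.conf values quoted in the thread.
SSL_CLIENT_HEADER        = "SSL_CLIENT_S_DN"    # ssl_client_header
SSL_CLIENT_VERIFY_HEADER = "SSL_CLIENT_VERIFY"  # ssl_client_verify_header

# One auth.conf stanza: path regex, methods, auth (:yes/:no/:any), allow.
Rule = Struct.new(:path, :methods, :auth, :allow)

# What the master can learn about the caller from the web server's
# environment. Without a subject DN the node name has to come from a weaker
# source (fallback_name stands in for that here, an assumption of this
# model) and the request counts as unauthenticated.
def client_identity(env, fallback_name)
  dn = env[SSL_CLIENT_HEADER]
  cn = dn && dn[/CN\s*=\s*([^,\/]+)/, 1]
  if cn
    { node: cn.strip, authenticated: env[SSL_CLIENT_VERIFY_HEADER] == "SUCCESS" }
  else
    { node: fallback_name, authenticated: false }
  end
end

# "auth yes" stanzas apply only to verified clients, "auth no" only to
# unverified ones, "auth any" to both.
def auth_applies?(rule_auth, authenticated)
  case rule_auth
  when :any then true
  when :yes then authenticated
  when :no  then !authenticated
  else false
  end
end

# The first stanza whose path, method and auth setting all apply decides.
# If no stanza applies, the request is forbidden.
def allowed?(rules, path, method, identity)
  rules.each do |rule|
    match = rule.path.match(path)
    next unless match && rule.methods.include?(method)
    next unless auth_applies?(rule.auth, identity[:authenticated])
    # Expand $1 in the allow line with the captured path component.
    allowed_name = rule.allow.gsub(/\$(\d)/) { match[Regexp.last_match(1).to_i] }
    return allowed_name == "*" || allowed_name == identity[:node]
  end
  false
end

# Constructed environments for the agent named in the thread's log lines.
VERIFIED_ENV   = { "SSL_CLIENT_S_DN" => "/CN=node039", "SSL_CLIENT_VERIFY" => "SUCCESS" }.freeze
UNVERIFIED_ENV = {}.freeze # web server exported no SSL variables

# The catalog stanza from the thread (auth defaults to yes), and the same
# stanza with "auth no" as tried in the message above.
CATALOG_RULE        = Rule.new(%r{^/catalog/([^/]+)$}, ["find"], :yes, "$1")
CATALOG_RULE_NOAUTH = Rule.new(%r{^/catalog/([^/]+)$}, ["find"], :no,  "$1")

def catalog_decisions
  verified   = client_identity(VERIFIED_ENV, "node039")
  unverified = client_identity(UNVERIFIED_ENV, "node039")
  {
    verified_default:    allowed?([CATALOG_RULE], "/catalog/node039", "find", verified),
    unverified_default:  allowed?([CATALOG_RULE], "/catalog/node039", "find", unverified),
    unverified_auth_no:  allowed?([CATALOG_RULE_NOAUTH], "/catalog/node039", "find", unverified),
    verified_other_node: allowed?([CATALOG_RULE], "/catalog/node002", "find", verified)
  }
end

if __FILE__ == $PROGRAM_NAME
  catalog_decisions.each { |name, ok| puts "#{name}: #{ok ? 'allowed' : 'forbidden'}" }
end
```

In this model the `auth no` variant lets the request through only because the rule no longer depends on certificate verification; the node name is then whatever the fallback source reports.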






[Puppet Users] Re: Disable class by exception (not disable service in a class)

2011-05-05 Thread jcbollinger


On May 3, 3:56 pm, Chris Phillips  wrote:
> Hi,
>
> I don't know if I'm just not getting it, but I'm struggling to find
> "the" way to elegantly disable a class in its entirety. I am aware of
> the foo::disabled conventions, but these are about the disabling of
> the end service defined by the class, not the class itself.


[...]


> So again, I just want to wipe out the impact of the class, unmanage as
> it were, replace the contents with a nice simple { } regardless of
> what it was written to do maybe, not force disabling of the end
> result, and I'm assuming there is a great and painfully simple way to
> do this with style, but it's missing me right now.


There is no way to achieve precisely what you ask.  Instead, you must
avoid including the class in the node's catalog in the first place.
Use conditional statements in your manifests (if / case) to select
based on nodes' facts whether to include it, or include it only for
certain nodes (which amounts to the same thing).

From the perspective of designing an ENC, you should be looking to add
classes to a common base rather than subtract classes from an omnibus
configuration.  For what it's worth, I think that would still be a
better design paradigm even if Puppet could provide the alternative.


John




Re: [Puppet Users] Re: Disable class by exception (not disable service in a class)

2011-05-05 Thread Chris Phillips
On 5 May 2011 14:04, jcbollinger  wrote:

>
>
> On May 3, 3:56 pm, Chris Phillips  wrote:
> > Hi,
> >
> > I don't know if I'm just not getting it, but I'm struggling to find
> > "the" way to elegantly disable a class in its entirety. I am aware of
> > the foo::disabled conventions, but these are about the disabling of
> > the end service defined by the class, not the class itself.
>
>
> [...]
>
>
> > So again, I just want to wipe out the impact of the class, unmanage as
> > it were, replace the contents with a nice simple { } regardless of
> > what it was written to do maybe, not force disabling of the end
> > result, and I'm assuming there is a great and painfully simple way to
> > do this with style, but it's missing me right now.
>
>
> There is no way to achieve precisely what you ask.  Instead, you must
> avoid including the class in the node's catalog in the first place.
> Use conditional statements in your manifests (if / case) to select
> based on nodes' facts whether to include it, or include it only for
> certain nodes (which amounts to the same thing).
>
> From the perspective of designing an ENC, you should be looking to add
> classes to a common base rather than subtract classes from an omnibus
> configuration.  For what it's worth, I think that would still be a
> better design paradigm even if Puppet could provide the alternative.
>
>
> John
>


Thanks John, appreciated. Whilst I totally see the logic in adding to a
base, if 99% of machines want all these classes, and only a
real exception would this be deviated from (indeed I currently have no
deviations, but don't want to be caught by it when it's sure to come along)
the base is going to be irrelevant if some of the "99%" modules aren't in
it.

I've come up with this methodology which seems to technically work...

===
class baseclass {

$classes = ["aaa", "access", "banner", "func", "hosts", "munin", "ntp",
"resolv", "rhn", "rsyslog", "ssh", "sudo"]

define include_class() {

if ($exclude_classes == undef) or ! ($name in $exclude_classes) {
include $name
}

}

include_class{ $classes: }

}

node default {

include baseclass

}

===

So under puppet dashboard I can create a variable  called "exclude_classes"
and give it an array of class names, and while iterating through a list of
defaults, if the candidate class is in the exclude_classes list it won't be
included.

Any thoughts / style tips would be very much appreciated, as this still
feels wrong, but I'd love it if it wasn't! Is it good to have a baseclass
there when that code could all be direct within the default node?

Thanks

Chris




RE: [Puppet Users] augeas slooow

2011-05-05 Thread Jennings, Jared L CTR USAF AFMC 46 SK/CCI
Hi, Aaron.

Aaron (quoting letter@):
> To avoid that, I added 'lens' and 'incl' parameters to the puppet type
> a while ago. If you set these, Augeas will only read a specific file,
> avoiding most of the unnecessary overhead.
> ... everything will be lightning fast, even without
> connection caching."

Me:
> I know I can avoid [Augeas populating its whole tree] by specifying 
> the lens and incl parameters in my augeas resources, but I like the
> clarity I get by not doing that, and want to preserve it.

The reason I brought the issue up is that I wanted to know why Augeas
connections are not cached. I think they should be, but someone on this
list may have tried to make that change, failed, and gained wisdom.

> lens => "Hosts.lns",

It's nice to find that I may not have to give the full path of the lens.




Re: [Puppet Users] Re: Disable class by exception (not disable service in a class)

2011-05-05 Thread Felix Frank
> class baseclass {
> 
> $classes = ["aaa", "access", "banner", "func", "hosts", "munin",
> "ntp", "resolv", "rhn", "rsyslog", "ssh", "sudo"]
> 
> define include_class() {
> 
> if ($exclude_classes == undef) or ! ($name in $exclude_classes) {
> include $name
> }
> 
> }
> 
> include_class{ $classes: }
> 
> }

Sort of funky, I like it!

It may work, but $exclude_classes should not be a variable, but a
parameter to your define instead.

This way, you can override the include_class in a subclass of baseclass
to set exclude_class to the name of the class.

You can have it easier by making this a boolean:

class baseclass {
  define include_class($exclude = false) {
    if !$exclude { include $name }
  }
}

class baseclass::no_rsyslog {
  Include_class["rsyslog"] { exclude => true }
}

Let me know if this works, because it would rule ;-)

Cheers,
Felix




Re: [Puppet Users] augeas slooow

2011-05-05 Thread Patrick

On May 5, 2011, at 6:28 AM, Jennings, Jared L CTR USAF AFMC 46 SK/CCI wrote:

> Hi, Aaron.
> 
> Aaron (quoting letter@):
>> To avoid that, I added 'lens' and 'incl' parameters to the puppet type
>> a while ago. If you set these, Augeas will only read a specific file,
>> avoiding most of the unnecessary overhead.
>> ... everything will be lightning fast, even without
>> connection caching."
> 
> Me:
>> I know I can avoid [Augeas populating its whole tree] by specifying 
>> the lens and incl parameters in my augeas resources, but I like the
>> clarity I get by not doing that, and want to preserve it.
> 
> The reason I brought the issue up is that I wanted to know why Augeas
> connections are not cached. I think they should be, but someone on this
> list may have tried to make that change, failed, and gained wisdom.

I can tell you one reason why.  One of the most expensive parts of starting 
Augeas is scanning the whole filesystem (or at least all auto-included files, 
of which there are a lot) and making that into a tree.  It would need to rescan 
every file before processing each resource.  I think modern versions do this by 
checking the mtime of every file, which is expensive, though better than 
parsing all from scratch.

Still, I would make a random guess that caching the connections might actually 
be slower than using noautoinclude.  Personally, as soon as all our machines 
are 2.6.x, I'm planning to try wrapping augeas in a define that will make 
"context" the the file path be the same value. (Technically I need to add 
"/files" at the beginning too.)




[Puppet Users] array of groups to definition?

2011-05-05 Thread Alexander Swen
hi,

I have:
define users::account($realname='', $pwd='', $uid='', $othergroups,
$gid, $key, $keytype, $name='', $ensure=present, $shell='/bin/bash') {

 19 # have to find a way to get rid of group if last member is being removed
 20 # have to find out how to get an array in here.
 21   if ! ($othergroups == '') {
 22 group { $othergroups:
 23   ensure=> present;
 24 }
 25   }

 31  user { $name:
 32 ensure => $ensure,
 33 uid=> $uid,
 34 gid=> $group,
 35 password   => $pwd,
 36 comment=> "$realname",
 37 groups => "$othergroups",
 38 shell  => "$shell",
 39 home   => $home,
 40 require=> Group["$group"],
 41 managehome => true;
 42 }

and later :
 class users::userlist {
 96   @users::account {
 97 "dork":
 98   name=> "dork",
 99   realname=> "dorkidork",
100   pwd => '',
101   uid => 9000,
102   gid => 9000,
103   othergroups => "['blaat','dorks']",

last:
 class users::realize inherits users::userlist {
120   # have to find out how to get <| $othergroups == 'blaat' |> in here
121   realize(Users::Account[ "dork" ])
122 }

but I can't find a way to send my array of groups from class
user::userlist (i use realize later) to this function above.
when i quote the params slightly different a group "blaatdorks" is
being created and that has a member dork. (so it almost worked)
but when running this as pasted above puppet agent tells me:

err: Could not run Puppet configuration client: Parameter groups
failed: Group names must be provided as an array, not a comma-
separated list at /etc/puppet/modules/users/manifests/init.pp:42

please help me out. i've got some comments in there about other issues
i have, feel free to help me with those as well ;-)
thanks in advance for any help!

regards,
Alex




[Puppet Users] issue with exported resources and subscribe

2011-05-05 Thread Nathan
Hello list,

I have a situation where if I have a hosts file generated by exported
resources it does not trigger a service restart unlike if it was
subscribing on a file that gets copied over via puppet. An example
would explain it better.

it should be noted that exported resources work fine.

class dnsmasq {
  file { "/etc/hosts":
    owner  => "root",
    group  => "root",
    mode   => "644",
    source => "puppet:///modules/dnsmasq/hosts",
  }

  ...

  service { dnsmasq:
    ensure     => running,
    enable     => true,
    pattern    => "dnsmasq",
    subscribe  => File["/etc/dnsmasq.conf","/etc/dnsmasq-local.conf","/etc/hosts"],
    hasrestart => true,
  }
}

So with the above if i change the file on the master then it will push
out to all hosts that include the dnsmasq class and restart the
dnsmasq service, all is good.

However if I generate the data using exported resources nothing
happens

Below doesn't work

class dnsmasq {
  Host<<| tag == "all_hosts" |>>

  service { dnsmasq:
    ensure     => running,
    enable     => true,
    pattern    => "dnsmasq",
    subscribe  => File["/etc/dnsmasq.conf","/etc/dnsmasq-local.conf","/etc/hosts"],
    hasrestart => true,
  }
}


# separate class with /etc/hosts defined
class hosts {
  file { "/etc/hosts":
    owner => "root",
    group => "root",
    mode  => "644",
  }

  host { 'localhost':
    ip           => '127.0.0.1',
    host_aliases => 'localhost.localdomain',
  }
  ... a few default hosts...
}


So my issue is that on all machines the hosts files are managed fine,
however on my internal dns servers that collect all the IPs of all
machines in the network whilst collecting the hosts files fine, the
dnsmasq service is never restarted, meaning i need to log into each
machine and manually restart dnsmasq to pick up the changes after a
new host is added to the system.

Any ideas?

Thanks
Nathan




Re: [Puppet Users] Re: Disable class by exception (not disable service in a class)

2011-05-05 Thread Nan Liu
On Thu, May 5, 2011 at 9:14 AM, Chris Phillips  wrote:
>
>
> On 5 May 2011 14:04, jcbollinger  wrote:
>>
>>
>> On May 3, 3:56 pm, Chris Phillips  wrote:
>> > Hi,
>> >
>> > I don't know if I'm just not getting it, but I'm struggling to find
>> > "the" way to elegantly disable a class in its entirety. I am aware of
>> > the foo::disabled conventions, but these are about the disabling of
>> > the end service defined by the class, not the class itself.
>>
>>
>> [...]
>>
>>
>> > So again, I just want to wipe out the impact of the class, unmanage as
>> > it were, replace the contents with a nice simple { } regardless of
>> > what it was written to do maybe, not force disabling of the end
>> > result, and I'm assuming there is a great and painfully simple way to
>> > do this with style, but it's missing me right now.
>>
>>
>> There is no way to achieve precisely what you ask.  Instead, you must
>> avoid including the class in the node's catalog in the first place.
>> Use conditional statements in your manifests (if / case) to select
>> based on nodes' facts whether to include it, or include it only for
>> certain nodes (which amounts to the same thing).
>>
>> From the perspective of designing an ENC, you should be looking to add
>> classes to a common base rather than subtract classes from an omnibus
>> configuration.  For what it's worth, I think that would still be a
>> better design paradigm even if Puppet could provide the alternative.
>>
>>
>> John
>
>
> Thanks John, appreciated. Whilst I totally see the logic in adding to a
> base, if 99% of machines want all these classes, and only a
> real exception would this be deviated from (indeed I currently have no
> deviations, but don't want to be caught by it when it's sure to come along)
> the base is going to be irrelevant if some of the "99%" modules aren't in
> it.
> I've come up with this methodology which seems to technically work...
> ===
> class baseclass {
>     $classes = ["aaa", "access", "banner", "func", "hosts", "munin", "ntp",
> "resolv", "rhn", "rsyslog", "ssh", "sudo"]
>     define include_class() {
>         if ($exclude_classes == undef) or ! ($name in $exclude_classes) {
>             include $name
>         }
>     }
>     include_class{ $classes: }
> }
> node default {
>     include baseclass
> }

Do not follow my bad example of abusing inline_templates (write a
puppet function instead), but this should work for your use case:

$class = inline_template("<% [classes].flatten - [exclude_classes].flatten %>")
class { [$class]: }

Thanks,

Nan




Re: [Puppet Users] Re: Disable class by exception (not disable service in a class)

2011-05-05 Thread Chris Phillips
On 5 May 2011 14:52, Felix Frank  wrote:
>
>
> Sort of funky, I like it!


First and last time for everything!

> It may work, but $exclude_classes should not be a variable, but a
> parameter to your define instead.
>
> This way, you can override the include_class in a subclass of baseclass
> to set exclude_class to the name of the class.
>
> You can have it easier by making this a boolean:
>
> baseclass {
>  define include_class($exclude = false) {
>if !$exclude { include $name }
>  }
> }
>
> class baseclass::no_rsyslog {
>  Include_class["rsyslog"] { exclude => true }
> }
>
> Let me know if this works, because it would rule ;-)


I don't really understand the usage here. One key thing I want to do is to
be able to do all customization within dashboard, and never need to go back
to manifests for per system personalization. As I understand this take on
it, I would need to override the baseclass in a different way for every
permutation that I want to use?  baseclass::no_rsyslog_or_func_or_aaa?
Whilst I would probably feel more comfortable configuring classes as
classes, not arbitrary strings which are used as classes later, I don't see
a way to have the flexibility I'd really like any other way. I'm *very* new
to this "next level" of puppet though, and picking up things so fast I seem
to spend most of my time replacing the previous thing I did that morning.

Does the association of these overridden classes via an external node
replace the inclusion of the original baseclass in the default node? I would
expect both to be included in parallel, meaning, in this example, rsyslog
would be included and excluded separately, so still ultimately be included.

Thanks

Chris




Re: [Puppet Users] Re: Disable class by exception (not disable service in a class)

2011-05-05 Thread Chris Phillips
On 5 May 2011 17:22, Nan Liu  wrote:

> On Thu, May 5, 2011 at 9:14 AM, Chris Phillips  wrote:
> >
> >
> > On 5 May 2011 14:04, jcbollinger  wrote:
> >>
> >>
> >> On May 3, 3:56 pm, Chris Phillips  wrote:
> >> > Hi,
> >> >
> >> > I don't know if I'm just not getting it, but I'm struggling to find
> >> > "the" way to elegantly disable a class in its entirety. I am aware of
> >> > the foo::disabled conventions, but these are about the disabling of
> >> > the end service defined by the class, not the class itself.
> >>
> >>
> >> [...]
> >>
> >>
> >> > So again, I just want to wipe out the impact of the class, unmanage as
> >> > it were, replace the contents with a nice simple { } regardless of
> >> > what it was written to do maybe, not force disabling of the end
> >> > result, and I'm assuming there is a great and painfully simple way to
> >> > do this with style, but it's missing me right now.
> >>
> >>
> >> There is no way to achieve precisely what you ask.  Instead, you must
> >> avoid including the class in the node's catalog in the first place.
> >> Use conditional statements in your manifests (if / case) to select
> >> based on nodes' facts whether to include it, or include it only for
> >> certain nodes (which amounts to the same thing).
> >>
> >> From the perspective of designing an ENC, you should be looking to add
> >> classes to a common base rather than subtract classes from an omnibus
> >> configuration.  For what it's worth, I think that would still be a
> >> better design paradigm even if Puppet could provide the alternative.
> >>
> >>
> >> John
> >
> >
> > Thanks John, appreciated. Whilst I totally see the logic in adding to a
> > base, if 99% of machines want all these classes, and only a
> > real exception would this be deviated from (indeed I currently have no
> > deviations, but don't want to be caught by it when it's sure to come
> along)
> > the base is going to be irrelevant if some of the "99%" modules aren't in
> > it.
> > I've come up with this methodology which seems to technically work...
> > ===
> > class baseclass {
> > $classes = ["aaa", "access", "banner", "func", "hosts", "munin",
> "ntp",
> > "resolv", "rhn", "rsyslog", "ssh", "sudo"]
> > define include_class() {
> > if ($exclude_classes == undef) or ! ($name in $exclude_classes) {
> > include $name
> > }
> > }
> > include_class{ $classes: }
> > }
> > node default {
> > include baseclass
> > }
>
> Do not follow by my bad example of abusing inline_templates (write a
> puppet function instead), but this should work for your use case:
>
> $class = inline_template("<% [classes].flatten - [exclude_classes].flatten
> %>")
> class { [$class]: }
>
> Thanks,
>
> Nan


Ahh, that's nice. I was looking for intersections and things, but not
knowing ruby originally I'm still really unsure how the puppet and template
codes relate to what's possible in ruby. Seems just as confusing as
interlinking python and cheetah in cobbler. Not dared to write a function
yet, but may well be worthwhile having a look.

What is the need for the flatten? Is that just for completeness, as I'm not
planning on dealing with multi-dimensional arrays at all. I can certainly
imagine it might be best practices etc. Could this relate to dealing with a
possibly non-existent exclude_classes variable?

Thanks

Chris




[Puppet Users] ANNOUNCE: The Marionette Collective Release 1.2.0

2011-05-05 Thread R.I.Pienaar
hello,

We are pleased to announce the release of a new Production release
of The Marionette Collective.

This release brings to general availability all the features added 
in the 1.1.x development series.

A summary of changes since 1.0.0 can be seen below:

Enhancements:

 * The concept of sub-collectives was introduced that helps you partition
   your MCollective traffic for network isolation, traffic management and security
 * The single executable framework has been introduced replacing the old
   mc-* commands
 * A new AES+RSA security plugin was added that provides strong encryption,
   client authentication and message security
 * New fact matching operators <=, >=, <, >, !=, == and =~
 * Actions can be written in external scripts and therefore other languages
   than Ruby, wrappers exist for PHP, Perl and Python
 * Plugins can now be configured using the _plugins.d_ directory
 * A convenient and robust exec wrapper has been written to assist in calling
   external scripts
 * The MCOLLECTIVE_EXTRA_OPTS environment variable has been added that will
   add options to all client scripts
 * Network timeout handling has been improved to better take account of latency
 * Registration plugins can elect to skip sending of registration data by
   returning nil, previously nil data would be published
 * Multiple libdirs are supported
 * The logging framework is pluggable and easier to use
 * Fact plugins can now force fact cache invalidation.  The YAML plugin will
   force a cache clear as soon as the source YAML file updates
 * The ping application now supports filters
 * Network payload can now be Base64 encoded avoiding issues with Unicode characters
   in older Stomp gems
 * All fact plugins are now cached and only updated every 300 seconds
 * The progress bar now resizes based on terminal dimensions
 * DDL files with missing output blocks will not invalidate the whole DDL
 * Display of DDL assisted complex data has been improved to be more readable
 * Stomp messages can have a priority header added for use with recent versions
   of ActiveMQ
 * Almost 300 unit tests have been written, lots of old code and any new code being
   written is subject to continuous testing on Ruby 1.8.5, 1.8.6 and 1.9.2
 * Improved the Red Hat RC script to be more compliant with distribution policies
   and to reuse the builtin functions

Deprecations and removed functionality:

 * The old mc-* commands are being removed in favor of the new mco command.
   The old style is still available and your existing scripts will keep working but
   porting to the new single executable system is very easy and encouraged.
 * MCOLLECTIVE_TIMEOUT and MCOLLECTIVE_DTIMEOUT were removed in favor of MCOLLECTIVE_EXTRA_OPTS
 * mc-controller could exit all mcollectived instances, this feature was not ported
   to the new mco controller application

Bug Fixes:

 * mcollectived and all of the standard supplied client scripts now disconnect
   cleanly from the middleware avoiding exceptions in the ActiveMQ logs
 * Communication with the middleware has been made robust by adding a timeout
   while sending
 * Machines that do not pass security validation are now handled as having not
   responded at all
 * When a fire and forget request was sent, replies were still sent, they are
   now suppressed

Backwards compatibility

This release can communicate with machines running older versions of MCollective;
there are though a few steps to take to ensure a smooth upgrade.

Users upgrading from 1.0.x must read the release notes[1] as there are
configuration changes you need to perform.  Users upgrading from 1.1.4 should
have no problems or config changes.

The release can be downloaded from the usual locations[2] and is available as
Debian and RPM packages.

[1] http://srt.ly/mc120
[2] http://www.puppetlabs.com/misc/download-options/

-- 
R.I.Pienaar

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.



Re: [Puppet Users] Re: Can puppet client make immediate pull after a file's content change by user?

2011-05-05 Thread Daniel Pittman
On Thu, Apr 7, 2011 at 23:52, John Chris Richards wrote:

> I totally agree with you. Hence with the above solution we can have a
> little bit more control over our systems.

Hey.  Sorry for getting into this discussion late: if you really
wanted to trigger a puppet run after a file was modified, I would
probably take the approach of using an external tool to do the
triggering.

Linux has the inotify system, and *BSD have something similar, which
do real-time event notification on files and directories.  You can
either write a small monitor based on those, or find one of the
existing ones (inoticoming, inocron, and at least one more exist in
Linux-ville).

When they observe a change in the appropriate location they can
trigger the puppet run for you; that gives you the desired behavior,
more or less.  You will still have the period between the puppet run
starting and the change being backed out where the system is wrong, of
course.

Overall, though, I wouldn't recommend the strategy: this is a
technical solution to a social problem – if your users are making
uncontrolled, or bad, changes then you need to bring them into the
fold, not fight with them.  The latter will just make them more
duplicitous: they will disable your notification tool (or puppet, if
that did the monitoring), then make their changes.

I would strongly encourage you to either get to the point that they
are not fighting you (and puppet) for control of the system by
bringing them on board to the process (eg: they update puppet, rather
than hack on the machine), or by locking them out.

Regards,
Daniel

...and, yes, they /will/ get very upset with the "locking them out" option. :)
-- 
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman 
✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
♲ Made with 100 percent post-consumer electrons
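
A small monitor of the kind described in the message above, as an added example that is not part of the original post or of Puppet: it calls Linux inotify through Ruby's bundled Fiddle library, waits for a burst of writes to settle, and runs a command once per burst. The watched event set, the settle delay and all function names are this example's assumptions.

```ruby
require 'fiddle'
# Event bits from <sys/inotify.h>; the watched set is this example's choice.
IN_CLOSE_WRITE = 0x008
IN_MOVED_TO    = 0x080
IN_DELETE      = 0x200
WATCH_MASK     = IN_CLOSE_WRITE | IN_MOVED_TO | IN_DELETE

LIBC         = Fiddle.dlopen(nil) # libc symbols of the running ruby (Linux)
INOTIFY_INIT = Fiddle::Function.new(LIBC['inotify_init'], [], Fiddle::TYPE_INT)
INOTIFY_ADD  = Fiddle::Function.new(
  LIBC['inotify_add_watch'],
  [Fiddle::TYPE_INT, Fiddle::TYPE_VOIDP, Fiddle::TYPE_INT], Fiddle::TYPE_INT
)

# Start watching one directory; returns an IO that yields raw event records.
def open_watch(dir)
  fd = INOTIFY_INIT.call
  raise 'inotify_init failed' if fd < 0
  raise "cannot watch #{dir}" if INOTIFY_ADD.call(fd, dir, WATCH_MASK) < 0
  IO.for_fd(fd, 'rb')
end

# Decode packed struct inotify_event records into [name, mask] pairs.
def parse_events(buf)
  events = []
  until buf.empty?
    _wd, mask, _cookie, len = buf.unpack('lLLL') # 16-byte fixed header
    events << [buf[16, len].delete("\0"), mask]  # name is NUL-padded
    buf = buf[(16 + len)..-1]
  end
  events
end

# Wait up to `timeout` s, let a burst settle, return changed names ([] if none).
def wait_for_change(io, timeout, settle = 0.2)
  return [] unless IO.select([io], nil, nil, timeout)
  sleep settle
  parse_events(io.readpartial(65_536)).map(&:first).uniq
end

# Run `command` once per burst; returns the run count when `timeout` expires.
def watch_and_trigger(dir, command, timeout: nil)
  io = open_watch(dir)
  runs = 0
  until (changed = wait_for_change(io, timeout)).empty?
    runs += 1 if system(*command)
  end
  runs
end
```

With no timeout it runs until killed, for example `watch_and_trigger('/etc/ssh', %w[puppet agent --test])`, where the directory is a constructed example.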




Re: [Puppet Users] variables inside a template for my hp ilo device

2011-05-05 Thread Daniel Pittman
On Wed, May 4, 2011 at 17:40, Corey Osman  wrote:

> I am writing a hp ilo module to automatically assign a static ip that is 
> derived from the IP of the system which is fed in via facter.  I basically 
> just need to change the network the ilo is connected to.
>
> The ruby code works great inside the irb console.  However, puppet doesn't 
> seem to be able to use the variable I have derived from the ipaddress.  This 
> is my first template so I am not exactly sure if I can use ruby syntax inside 
> a template.

It should be just fine if you wrap it in the "Ruby escape":

<% example = 12 * 12 %>
<%= example %>  => 144

If you want, though, you can use the erb command line tool that ships
with Ruby to make the transformation for you.  'erb -x foo.erb' will
spit out the transformed Ruby to generate your content, and you can
inspect that to see exactly how this is working.

Regards,
Daniel
-- 
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman 
✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
♲ Made with 100 percent post-consumer electrons
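
The reply above, worked through for the iLO case as an added example that is not code from the thread: the address derivation is kept as plain Ruby so it behaves the same in irb and inside `<% %>`, and `compiled_source` returns the generated Ruby that `erb -x` prints. The iLO network, the output format and the function names are assumptions made for the example.

```ruby
require 'erb'
require 'ipaddr'

# Assumption for this example: the iLO lives on its own /24 and keeps the
# host's last octet (host 192.168.73.39 -> iLO 10.20.30.39).
ILO_NETWORK = '10.20.30.0'

# The derivation as plain Ruby, so it behaves the same in irb and in ERB.
def ilo_address(ipaddress, ilo_network = ILO_NETWORK)
  host = IPAddr.new(ipaddress) # raises ArgumentError on a malformed value
  raise ArgumentError, "not IPv4: #{ipaddress}" unless host.ipv4?
  (IPAddr.new(ilo_network).mask(24) | (host.to_i & 0xff)).to_s
end

# <% %> runs Ruby and emits nothing; <%= %> emits the expression's value.
# The key=value output format is made up for the example.
TEMPLATE = <<~'EOT'
  <% ilo_ip = ilo_address(ipaddress) %># iLO settings for <%= hostname %>
  ip_address=<%= ilo_ip %>
EOT

# Render with `ipaddress` and `hostname` visible as local variables, the way
# the thread's templates refer to facts by bare name.
def render(template, ipaddress, hostname)
  ERB.new(template).result(binding)
end

# The Ruby that ERB generates from the template: what `erb -x` prints.
def compiled_source(template)
  ERB.new(template).src
end
```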




[Puppet Users] Disabling optional services

2011-05-05 Thread Chris Phillips
Howdy,

Can someone enlighten me as to how I can disable a service *IF* it is
installed? I want to ensure rsyslog is installed and running, which requires
syslogd to not be running, but the only way I can see to enforce this in
Puppet is to remove the sysklogd package, which I'd rather not do, I'd
rather just disable the service if it's there, but can't see how.

Pointers appreciated

Thanks

Chris




Re: [Puppet Users] Disabling optional services

2011-05-05 Thread Ohad Levy
On Thu, May 5, 2011 at 10:18 PM, Chris Phillips  wrote:

> Howdy,
>
> Can someone enlighten me as to how I can disable a service *IF* it is
> installed? I want to ensure rsyslog is installed and running, which requires
> syslogd to not be running, but the only way I can see to enforce this in
> Puppet is to remove the sysklogd package, which I'd rather not do, I'd
> rather just disable the service if it's there, but can't see how.
>
if you don't need the software, don't install it (or ensure it's removed).
if you need it, tell puppet to ensure it's installed and running

for this specific case, if you use syslog-ng for example, you can ensure
that it's running, but not sysklogd.

my 2 cents.

Ohad




[Puppet Users] Re: Disabling optional services

2011-05-05 Thread treydock
I ran into this same challenge just a few days ago.  I run mostly
CentOS and syslogd is installed by default, but I prefer to run
rsyslog.  Here's a post I just did on my blog that has the recipes I used
for syslog management:
http://itscblog.tamu.edu/managing-syslog-and-log-forwarding-with-puppet/
Hope that helps

- Trey

On May 5, 2:18 pm, Chris Phillips  wrote:
> Howdy,
>
> Can someone enlighten me as to how I can disable a service *IF* it is
> installed? I want to ensure rsyslog is installed and running, which requires
> syslogd to not be running, but the only way I can see to enforce this in
> Puppet is to remove the sysklogd package, which I'd rather not do, I'd
> rather just disable the service if it's there, but can't see how.
>
> Pointers appreciated
>
> Thanks
>
> Chris




[Puppet Users] Re: virtualized resource collections

2011-05-05 Thread denmat
Anyone?  Stupid question?

On May 5, 3:34 pm, tu2bg...@gmail.com wrote:
> Hi all,
>
> I'm trying to figure out how to automatically configure my nodes with  
> amanda backup client.
>
> What I want to achieve is that the server have an entry created in the  
> /etc/amanda/(Daily|Weekly|Monthly)/disklist.conf file on the server.
>
> The disklist.conf file lists entries like so:
> nodename partition alias {
>   a
>   bunch
>   of
>   vars
> }
>
> anothernodename partition alias {
>   a
>   bunch
>   of
>   vars
> }
>
> I want that to come from a 'role' class assignment - ie, a webserver has  
> the webserver role and has a backup template.
>
> I was hoping to use a define like so:
> define amanda::client::takebackup ($type, $period, $compress = undef) {
>   # take the hostname from the name var.
>   $myhost = $name
>
>   @@file { "/etc/amanda/$period/disklist.conf":
>     ensure  => present,
>     owner   => "amandabackup",
>     group   => "disk",
>     mode    => 0600,
>     content => template("amanda/$period/$type.erb"),
>     tag     => amandabackupdisklist,
>   }
> } #end define
>
> And activate the resource like so:
> devel_buildserver.pp:
> class roles::devel_buildserver {
>   include amanda::client
>   amanda::client::takebackup { $fqdn:
>     type     => "dev_build",
>     period   => "Daily",
>     compress => false,
>   }
> } #end class
>
> The erb is like so:
> dev_build.erb:
> # This is a puppet controlled disklist file for dev_build
> <%= myhost %> "/" "/" {
> zmc_unix_base
> encrypt none
> <% if has_variable?("compress") then -%>
> compress client best
> <% else -%>
> compress none
> <% end -%>
> estimate calcsize server
> property "zmc_type" "unix"
> property "zmc_disklist" "Daily"
> property "zmc_version" "3"
> property "zmc_extended_attributes" "gtar"
> property "zmc_amanda_app" "gtar"
> property "zmc_show_advanced" "on"
> property "creation_time" "2011-04-19 23:38:01"
> property "zmc_occ" "33438030906"
> property "last_modified_time" "2011-04-20 18:56:43"
> exclude "/proc,/srv,/sys"
> property "zmc_amcheck_date" "20110420185643"
> zmc_gtar_app
> }
>
> Then in the server class I wanted to realize the resource like so:
> class amanda::server {
>   ...
>   some other stuff
>   ...
>   File <<| tag == 'amandabackupdisklist' |>>
> }
>
> This is not working. The file is not being realized on the server node. I  
> don't think the way I've gone about it will ever work though the way I  
> first thought - hence this call for help... :)
>
> How can I get this to work? What has got me especially worried is the  
> appending of node data to the disklist.conf file - how to do that?
>
> Cheers,
> Den




Re: [Puppet Users] scheduling package installs - ignore schedule if not installed

2011-05-05 Thread Steven Acres
On Thu, Apr 28, 2011 at 3:36 AM, Felix Frank <
felix.fr...@alumni.tu-berlin.de> wrote:

> On 04/23/2011 04:01 AM, Steven Acres wrote:
> > On Fri, Apr 22, 2011 at 2:34 PM, trey85stang wrote:
> >
> > Is there a way to override a schedule for a package if the package is
> > not installed?
> >
> > class packages {
> >   schedule { installs:
> >     range  => "2-4",
> >     period => daily,
> >     repeat => 1,
> >   }
> >   package { openssh:
> >     ensure   => latest,
> >     schedule => installs,
> >   }
> > }
> >
> > I don't want to check if openssh is the latest package every time puppet
> > runs;  but I do want it installed if it is not already installed
> > regardless of the schedule.
> >
> > Any way to do this?
> >
> >
> > Hi,
> >
> > Sure, there are many ways to achieve this. You would be better off
> > defining which packages should be present on which nodes in another
> > class. Then use an include in the node(s) definition (or whatever method
> > you have defined for your architecture structure).
> >
> > BTW, if you're using yum and you would like to keep pkgs. updated, you
> > may want to look into yum-cron.
>
> Hi,
>
> I don't agree. Telling puppet to "install at all times but update only
> on a specific schedule" is not trivial if at all possible.
>
> Doing the upgrades outside the package provider may indeed be a sensible
> workaround.
>
> Cheers,
> Felix
>
> Hi all,

Easy as could be .. simple conditionals and cron, at  if we're in the
'old' days .. but since we now have the 'magic' of pkg. managers ... we
manage this effortlessly now. Not only does this free time to catch up on
BOFH ... it also ties into DR, auditing and compliance (i.e. PCI-DSS) which
need to be included and documented in our architectural process/design. The
most time is and should be spent on that design and the rest is primarily
fine-tuning.



-- 
Cheers,

Steven
---
Steven Acres
UNIX/Linux System Administrator
