[Puppet Users] Next SPUG Meeting 19.5.2011 @swisstopo in Bern - 19.00 o'clock
The Swiss Puppet User Group (SPUG) meets again on Thursday 19th May. If you like to attend the meeting, please announce your attendance to Hanspeter Christ (hanspeter.christ(at)swisstopo.ch), as noted in the announcement mail.

If you like to receive any future announcements, please subscribe to the low traffic list s...@lists.saitis.net [1]

~pete

[1] http://lists.saitis.net/cgi-bin/mailman/listinfo/spug

--

Hi

After a short but recreative hibernation the SPUG meets again to discuss, explore and share the interesting world of puppet managed systems.

We would like to invite you this time to the offices of Swisstopo (Switzerland's national cartography agency) in Bern. We set the date right after the upcoming PuppetCamp [1] in Amsterdam, as various people around the SPUG are attending the PuppetCamp and we thought that it would be interesting if the attendees could report back about what is going on in the wider puppet community.

So we meet on Thursday 19. May at 19.00 o'clock at the offices of Swisstopo, which are located at Seftigenstrasse 264 in Wabern near Bern. [2]

Arriving there is quite simple: Take Tram #9 in direction of Wabern and drive till Eichholz or the final station Wabern. The offices of Swisstopo are located within these two stations. For detailed information have a look at [2].

Attention: May 19th is a week later than a date that has been previously leaked to a few people. So if you already knew about the upcoming meeting, please adjust your calendar.

We would like to ask interested people to send a simple e-mail to Hanspeter Christ (hanspeter.christ(at)swisstopo.ch) with the Subject "Teilnahme spug meeting @swisstopo" to register their attendance. Drinks and Snacks are provided.

Furthermore we are looking for people that would be willing to present/discuss/share/ask/... something about their usage with puppet or related tools, so we could have a few presentations to announce. This can be in a very short manner, even only 30s presentation or a bit longer ones, like 5 or a bit more minutes. Please send your presentation idea to Marcel Härry (mh (at) scrit.ch), so we can announce them prior to the meeting. But it will also be possible to spontaneously give a lightning talk at the meeting. A beamer and a Linux-based laptop will be available.

We can already announce a few short presentations:

Hanspeter Christ of Swisstopo will talk about how a puppet managed infrastructure is seen from an IT Project Manager's point of view and will share his experience in managing a team that completely automates the infrastructure with puppet.

Another one will be held by Marc Fournier (Camptocamp SA). He will show how to use the cucumber testing framework to refactor your manifests and change Puppet versions without becoming insane.

Marcel Härry (Puzzle ITC) will talk about the newly introduced Ruby-DSL of Puppet and a use case where the Ruby-DSL provided more flexibility than the common external Puppet-DSL.

Yet to be confirmed, Mathieu Bornoz (Camptocamp SA) would like to show us how he hooked a CouchDB CMDB to Puppet to be able to create/edit/remove resources properties without having to edit manifests.

If you have further questions do not hesitate to ask on the SPUG-List ( spug (at) lists.saitis.net ). If you haven't done so, please subscribe to this low-traffic list, where we will also announce further meetings.

Information about this meeting is also available on http://spug.ch/

Cu there!

Hanspeter Christ, Marc Fournier and Marcel Härry for the SPUG

[1] http://www.puppetlabs.com/community/puppet-camp/puppet-camp-ams-2011-info/
[2] http://www.swisstopo.admin.ch/internet/swisstopo/en/home/swisstopo/contact/train.html

-- You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
[Puppet Users] how to add same ssh_key to two diff accounts
Hi all,

I'm trying to add same ssh key to two diff accounts and I'm getting an error.

My code:

    'key_1':
        name => 'arnau@my_pc.domain',
        user => 'user1',
        key  => rsa_key;
    'key_2':
        name => 'arnau@my_pc.domain',
        user => 'user2',
        key  => rsa_key;

On the client the error is:

    err: Could not retrieve catalog from remote server: Error 400 on SERVER: Puppet::Parser::AST::Resource failed with error ArgumentError: Cannot alias Ssh_authorized_key[key_1] to [arnau@my_pc.domain]; resource [Ssh_authorized_key, [arnau@my_pc.domain]] already exists at /etc/puppet/manifests/services/common/modules/common_si/manifests/init.pp:165 on node X.pic.es

Is there something wrong in my code? Am I trying to do something not supported? Anyone faced this before? how did you solve it?

TIA,
Arnau
Re: [Puppet Users] how to add same ssh_key to two diff accounts
Hi,

On 05/10/2011 12:21 PM, Arnau Bria wrote:
> Hi all,
>
> I'm trying to add same ssh key to two diff accounts and I'm getting an error.
>
> My code:
>
>     'key_1':
>         name => 'arnau@my_pc.domain',
>         user => 'user1',
>         key  => rsa_key;
>     'key_2':
>         name => 'arnau@my_pc.domain',
>         user => 'user2',
>         key  => rsa_key;
>
> On the client the error is:
>
>     err: Could not retrieve catalog from remote server: Error 400 on SERVER: Puppet::Parser::AST::Resource failed with error ArgumentError: Cannot alias Ssh_authorized_key[key_1] to [arnau@my_pc.domain]; resource [Ssh_authorized_key, [arnau@my_pc.domain]] already exists at /etc/puppet/manifests/services/common/modules/common_si/manifests/init.pp:165 on node X.pic.es
>
> Is there something wrong in my code?

yes, you're declaring the same resource twice.

> Am I trying to do something not supported?

Yes.

> Anyone faced this before? how did you solve it?

I helped someone with a similar issue here before.

Just rename one of the keys. The name of a public key is really quite arbitrary and SSH doesn't use it for anything important (that I am aware of).

Cheers,
Felix
Re: [Puppet Users] Re: Disable class by exception (not disable service in a class)
    baseclass {
        define include_class($exclude = false) {
            if !$exclude { include $name }
        }
    }

    class baseclass::no_rsyslog {
        Include_class[rsyslog] { exclude => true }
    }

Let me know if this works, because it would rule ;-)

I don't really understand the usage here. One key thing I want to do is to be able to do all customization within dashboard, and never need to go back to manifests for per system personalization. As I understand this take on it, I would need to override the baseclass in a different way for every permutation that I want to use? baseclass::no_rsyslog_or_func_or_aaa?

Whilst I would probably feel more comfortable configuring classes as classes, not arbitrary strings which are used as classes later, I don't see a way to have the flexibility I'd really like any other way. I'm *very* new to this next level of puppet though, and picking up things so fast I seem to spend most of my time replacing the previous thing I did that morning.

Does the association of these overridden classes via an external node replace the inclusion of the original baseclass in the default node? I would expect both to be included in parallel, meaning, in this example, rsyslog would be included and excluded separately, so still ultimately be included.

Consider this code (which works - I'll be damned):

    class a { notify { "a included": } }
    class b { notify { "b included": } }
    class c { notify { "c included": } }

    class include_it {
        define includer($exclude=false) {
            if !$exclude { include $name }
        }
        includer { [ a, b, c ]: }

        class no_a inherits include_it { Includer[a] { exclude => true } }
        class no_b inherits include_it { Includer[b] { exclude => true } }
        class no_c inherits include_it { Includer[c] { exclude => true } }
    }

    include include_it
    include include_it::no_a
    include include_it::no_c

In order to get rid of any include, you include the respective excluder-subclass in your node (using Dashboard or whatever).

Question to the community: Pattern or anti-pattern? :-)

HTH,
Felix
Re: [Puppet Users] Over-riding changes in modules and classes
On 05/06/2011 06:28 PM, Sean Carolan wrote:
>> You can just create a new class that inherits your previous class and then overwrites the File[] you declared before and use that only on the new machines.
>
> Will this also work with an augeas entry with a changes [] section?

I cannot see why it wouldn't.
Re: [Puppet Users] how to add same ssh_key to two diff accounts
On Tue, 10 May 2011 12:26:06 +0200 Felix Frank wrote:

> Hi,

Hi Felix,

>> Am I trying to do something not supported?
>
> Yes.

Do you know if this is going to be supported in future?

> Just rename one of the keys. The name of a public key is really quite arbitrary and SSH doesn't use it for anything important (that I am aware of).

thanks, that worked perfectly!

> Cheers,
> Felix

Cheers,
Arnau
Re: [Puppet Users] multimaster architecture with central report server
On 05/10/2011 02:30 AM, Patrick wrote: On May 9, 2011, at 9:37 AM, Ohad Levy wrote: On Mon, May 9, 2011 at 7:30 PM, Patrick kc7...@gmail.com mailto:kc7...@gmail.com wrote: On May 9, 2011, at 9:10 AM, Ohad Levy wrote: On Mon, May 9, 2011 at 5:54 PM, Antony Mayi antonym...@yahoo.com mailto:antonym...@yahoo.com wrote: *From:* Ohad Levy ohadl...@gmail.com mailto:ohadl...@gmail.com *To:* puppet-users@googlegroups.com mailto:puppet-users@googlegroups.com *Sent:* Fri, 15 April, 2011 19:42:10 *Subject:* Re: [Puppet Users] multimaster architecture with central report server On Fri, Apr 15, 2011 at 2:44 PM, Antony Mayi antonym...@yahoo.com mailto:antonym...@yahoo.com wrote: Hi, is there a way how to instruct the master to forward the obtained reports to another master server so we can have one central report server that would be receiving all reports from other masters in individual collocations? the report_server works fine for the master itself but not for the forwarded reports. If you use a tool such as foreman or dashboard, you can simply forward the reports to it. AM: not that simply - how about security? the puppet 8140 traffic is encrypted and mutually authenticated between the agent and master the puppet dashboard - how will you achieve the mutual X509 based authentication between the master and remote dashboard? simply ensure that https is turned on and ssl verify mode is enforced? or if you dont have common ca between all of your masters, just turn on ssl, and filter down the allowed hosts to send reports (i.e only your puppet masters can communicate with foreman/dashboard. Last I checked, puppet can't send reports to an https server. Only to a http server. Has this changed? 
not if you use something like:
https://github.com/ohadlevy/puppet-foreman/blob/master/foreman/files/foreman-report.rb

That's better than what I've seen, still, it looks like the client isn't verifying the server's certificate, and the client's not sending one either, meaning many of the benefits of SSL are gone. Do you know of a way (with code or a link to the right API) that would help with either of those?

You might be able to deploy stunnel on your master and each of your clients. It supports certificate validation for both client and server.

The puppet client would use localhost as report server, the structure being:

    puppet client
      |
      | (connect to localhost via HTTP)
      |
    stunnel on client (accept unencrypted)
      |
      | (encrypted, authenticated tunnel = HTTPS)
      |
    stunnel on master (accept encrypted)
      |
      | (connect to localhost via HTTP)
      |
    puppetmaster (accept unencrypted)

If you have multiple clients in a trusted LAN segment, they can even share a single client-side stunnel (which listens for connections from the LAN).

Let me know if this helps.

Cheers,
Felix
Re: [Puppet Users] how to add same ssh_key to two diff accounts
On 05/10/2011 12:38 PM, Arnau Bria wrote:
> On Tue, 10 May 2011 12:26:06 +0200 Felix Frank wrote:
>
>> Hi,
>
> Hi Felix,
>
>>> Am I trying to do something not supported?
>>
>> Yes.
>
> Do you know if this is going to be supported in future?

Redeclaration of the same resource is not going to work ;-)

As for the distribution of one authorized_key to multiple user accounts...I'm not sure that it's as useful as it sounds, given the trivial workaround. If you're keen to get it anyway, you may want to open a ticket.

Regards,
Felix
[Puppet Users] Puppet Master System Requirements
I've been messing around with Puppet on a VM on my personal desktop. It looks decent. I was wondering what kind of load this thing would have managing about 400 nodes. Does this thing require a beefy server?
Re: [Puppet Users] Puppet Master System Requirements
Hi,

On 05/10/2011 03:04 PM, Panaman wrote:
> I've been messing around with Puppet on a VM on my personal desktop. It looks decent. I was wondering what kind of load this thing would have managing about 400 nodes. Does this thing require a beefy server?

we manage 320 nodes on a XEN VM based Puppet Master. 4 GB RAM, 1 Core with 2.3 GHz 80% used. We have dashboard and puppetmaster running on apache passenger and mysql running locally.

hth,
Martin
[Puppet Users] Re: Puppet Master System Requirements
when you say 80% used do you mean like your cpu is 80%?

On May 10, 10:16 am, Martin Alfke tux...@gmail.com wrote:
> Hi,
>
> On 05/10/2011 03:04 PM, Panaman wrote:
>> I've been messing around with Puppet on a VM on my personal desktop. It looks decent. I was wondering what kind of load this thing would have managing about 400 nodes. Does this thing require a beefy server?
>
> we manage 320 nodes on a XEN VM based Puppet Master. 4 GB RAM, 1 Core with 2.3 GHz 80% used. We have dashboard and puppetmaster running on apache passenger and mysql running locally.
>
> hth,
> Martin
Re: [Puppet Users] Puppet Master System Requirements
We have puppet managing 800 nodes from a single dedicated CentOS server with 16GB ram and 8 cores, which is our standard infrastructure box. We use apache, passenger and ruby 1.8.7. Altogether about 10GB is used for puppet. All 800 nodes check in every 30 minutes. Load levels via uptime are typically 0.4 across the board.

~Charles~

On Tue, May 10, 2011 at 8:04 AM, Panaman pana...@gmail.com wrote:
> I've been messing around with Puppet on a VM on my personal desktop. It looks decent. I was wondering what kind of load this thing would have managing about 400 nodes. Does this thing require a beefy server?
Re: [Puppet Users] Re: Puppet Master System Requirements
On 05/10/2011 04:25 PM, Panaman wrote:
> when you say 80% used do you mean like your cpu is 80%?

CPU is 20% unused and 80% used (according to /proc/stat)

> On May 10, 10:16 am, Martin Alfke tux...@gmail.com wrote:
>> Hi,
>>
>> On 05/10/2011 03:04 PM, Panaman wrote:
>>> I've been messing around with Puppet on a VM on my personal desktop. It looks decent. I was wondering what kind of load this thing would have managing about 400 nodes. Does this thing require a beefy server?
>>
>> we manage 320 nodes on a XEN VM based Puppet Master. 4 GB RAM, 1 Core with 2.3 GHz 80% used. We have dashboard and puppetmaster running on apache passenger and mysql running locally.
>>
>> hth,
>> Martin
[Puppet Users] Re: Puppet Master System Requirements
thanks guys, this is very useful to me.

On May 10, 10:45 am, Martin Alfke tux...@gmail.com wrote:
> On 05/10/2011 04:25 PM, Panaman wrote:
>> when you say 80% used do you mean like your cpu is 80%?
>
> CPU is 20% unused and 80% used (according to /proc/stat)
>
>> On May 10, 10:16 am, Martin Alfke tux...@gmail.com wrote:
>>> Hi,
>>>
>>> On 05/10/2011 03:04 PM, Panaman wrote:
>>>> I've been messing around with Puppet on a VM on my personal desktop. It looks decent. I was wondering what kind of load this thing would have managing about 400 nodes. Does this thing require a beefy server?
>>>
>>> we manage 320 nodes on a XEN VM based Puppet Master. 4 GB RAM, 1 Core with 2.3 GHz 80% used. We have dashboard and puppetmaster running on apache passenger and mysql running locally.
>>>
>>> hth,
>>> Martin
Re: [Puppet Users] Re: Puppet Master System Requirements
On Tue, May 10, 2011 at 3:32 PM, Panaman pana...@gmail.com wrote:
> I'm thinking quad xeon with 8gb of ram should be sufficient. I am probably going to be using FreeBSD

Unless you're running a particularly leaky Ruby stack, I tend to find that with that sort of CPU you're unlikely to make use of more than 4GB RAM.
[Puppet Users] Re: Managing Switches.
Anyone? Anyone?

On Mon, May 9, 2011 at 2:45 PM, Douglas Garstang doug.garst...@gmail.com wrote:
> All,
>
> I was looking at the new feature of puppet to manage switches, and it says:
>
> A current limitation is that it isn’t possible to have 2 switches with the same interface name
>
> Does this mean that if one switch has an interface called FastEthernet 0/1, that puppet can't manage a second switch with an interface called FastEthernet 0/1? If so, that probably means you can manage a sum total of... 1 switch, given that interface names are pretty common...
>
> I hope I'm reading this wrong...
>
> Doug

--
Regards,
Douglas Garstang
http://www.linkedin.com/in/garstang
Email: doug.garst...@gmail.com
Cell: +1-805-340-5627
Re: [Puppet Users] multimaster architecture with central report server
On May 10, 2011, at 3:46 AM, Felix Frank wrote: On 05/10/2011 02:30 AM, Patrick wrote: On May 9, 2011, at 9:37 AM, Ohad Levy wrote: On Mon, May 9, 2011 at 7:30 PM, Patrick kc7...@gmail.com mailto:kc7...@gmail.com wrote: On May 9, 2011, at 9:10 AM, Ohad Levy wrote: On Mon, May 9, 2011 at 5:54 PM, Antony Mayi antonym...@yahoo.com mailto:antonym...@yahoo.com wrote: *From:* Ohad Levy ohadl...@gmail.com mailto:ohadl...@gmail.com *To:* puppet-users@googlegroups.com mailto:puppet-users@googlegroups.com *Sent:* Fri, 15 April, 2011 19:42:10 *Subject:* Re: [Puppet Users] multimaster architecture with central report server On Fri, Apr 15, 2011 at 2:44 PM, Antony Mayi antonym...@yahoo.com mailto:antonym...@yahoo.com wrote: Hi, is there a way how to instruct the master to forward the obtained reports to another master server so we can have one central report server that would be receiving all reports from other masters in individual collocations? the report_server works fine for the master itself but not for the forwarded reports. If you use a tool such as foreman or dashboard, you can simply forward the reports to it. AM: not that simply - how about security? the puppet 8140 traffic is encrypted and mutually authenticated between the agent and master the puppet dashboard - how will you achieve the mutual X509 based authentication between the master and remote dashboard? simply ensure that https is turned on and ssl verify mode is enforced? or if you dont have common ca between all of your masters, just turn on ssl, and filter down the allowed hosts to send reports (i.e only your puppet masters can communicate with foreman/dashboard. Last I checked, puppet can't send reports to an https server. Only to a http server. Has this changed? 
not if you use something like:
https://github.com/ohadlevy/puppet-foreman/blob/master/foreman/files/foreman-report.rb

That's better than what I've seen, still, it looks like the client isn't verifying the server's certificate, and the client's not sending one either, meaning many of the benefits of SSL are gone. Do you know of a way (with code or a link to the right API) that would help with either of those?

You might be able to deploy stunnel on your master and each of your clients. It supports certificate validation for both client and server.

The puppet client would use localhost as report server, the structure being:

    puppet client
      |
      | (connect to localhost via HTTP)
      |
    stunnel on client (accept unencrypted)
      |
      | (encrypted, authenticated tunnel = HTTPS)
      |
    stunnel on master (accept encrypted)
      |
      | (connect to localhost via HTTP)
      |
    puppetmaster (accept unencrypted)

If you have multiple clients in a trusted LAN segment, they can even share a single client-side stunnel (which listens for connections from the LAN).

It's not that bad. Only the other puppetmasters need the tunnel. The clients should NOT have permission to use it.

This isn't quite what I want since it assumes all traffic on 127.0.0.1 is trusted, but better than the alternative. Thanks for the help.
Re: [Puppet Users] how to add same ssh_key to two diff accounts
you could also define the key as virtual resource and realize it on different occasions (hosts).

2011/5/10 Felix Frank felix.fr...@alumni.tu-berlin.de
> On 05/10/2011 12:38 PM, Arnau Bria wrote:
>> On Tue, 10 May 2011 12:26:06 +0200 Felix Frank wrote:
>>
>>> Hi,
>>
>> Hi Felix,
>>
>>>> Am I trying to do something not supported?
>>>
>>> Yes.
>>
>> Do you know if this is going to be supported in future?
>
> Redeclaration of the same resource is not going to work ;-)
>
> As for the distribution of one authorized_key to multiple user accounts...I'm not sure that it's as useful as it sounds, given the trivial workaround. If you're keen to get it anyway, you may want to open a ticket.
>
> Regards,
> Felix
[Puppet Users] Re: Puppet Master System Requirements
My setup handles about 40 clients on a default half hour schedule. Manifests take anywhere from .1 to .4 seconds to compile on the master. The master is a 3.46ghz hex-core xeon server with 24GB of ram and a raid 6 (lsi hardware raid) on 7200rpm sata drives. 15 minute load on the server is usually around .17 and that's with 3 other vm's (testing vm's, usually idle) running on the server that is the puppetmaster. Obviously really really complicated manifests will probably take a tad bit longer to compile so YMMV.

On May 10, 9:04 am, Panaman pana...@gmail.com wrote:
> I've been messing around with Puppet on a VM on my personal desktop. It looks decent. I was wondering what kind of load this thing would have managing about 400 nodes. Does this thing require a beefy server?
Re: [Puppet Users] Re: Puppet Master System Requirements
On Tue, May 10, 2011 at 6:32 PM, Blazer40 blaze...@gmail.com wrote:
> My setup handles about 40 clients on a default half hour schedule. Manifests take anywhere from .1 to .4 seconds to compile on the master. The master is a 3.46ghz hex-core xeon server with 24GB of ram and a raid 6 (lsi hardware raid) on 7200rpm sata drives. 15 minute load on the server is usually around .17 and that's with 3 other vm's (testing vm's, usually idle) running on the server that is the puppetmaster. Obviously really really complicated manifests will probably take a tad bit longer to compile so YMMV.

Great detail. How much peak RAM usage do you usually end up with?

Are you running with Passenger/Apache ? Unicorn? nginx? mongrel? Details on the number of backends would be great.

> On May 10, 9:04 am, Panaman pana...@gmail.com wrote:
>> I've been messing around with Puppet on a VM on my personal desktop. It looks decent. I was wondering what kind of load this thing would have managing about 400 nodes. Does this thing require a beefy server?

--
Nigel Kersten
Product, Puppet Labs
@nigelkersten
[Puppet Users] Who uses the rrd graphing support?
reports = rrdgraph

http://docs.puppetlabs.com/references/2.6.8/report.html#rrdgraph

Is this widely used? We're trying to work out whether this is a feature that people are still using, or whether other parts of the reporting infrastructure have come to replace it.

--
Nigel Kersten
Product, Puppet Labs
@nigelkersten
Re: [Puppet Users] multimaster architecture with central report server
On Tue, May 10, 2011 at 3:30 AM, Patrick kc7...@gmail.com wrote: On May 9, 2011, at 9:37 AM, Ohad Levy wrote: On Mon, May 9, 2011 at 7:30 PM, Patrick kc7...@gmail.com wrote: On May 9, 2011, at 9:10 AM, Ohad Levy wrote: On Mon, May 9, 2011 at 5:54 PM, Antony Mayi antonym...@yahoo.com wrote: -- *From:* Ohad Levy ohadl...@gmail.com *To:* puppet-users@googlegroups.com *Sent:* Fri, 15 April, 2011 19:42:10 *Subject:* Re: [Puppet Users] multimaster architecture with central report server On Fri, Apr 15, 2011 at 2:44 PM, Antony Mayi antonym...@yahoo.comwrote: Hi, is there a way how to instruct the master to forward the obtained reports to another master server so we can have one central report server that would be receiving all reports from other masters in individual collocations? the report_server works fine for the master itself but not for the forwarded reports. If you use a tool such as foreman or dashboard, you can simply forward the reports to it. AM: not that simply - how about security? the puppet 8140 traffic is encrypted and mutually authenticated between the agent and master the puppet dashboard - how will you achieve the mutual X509 based authentication between the master and remote dashboard? simply ensure that https is turned on and ssl verify mode is enforced? or if you dont have common ca between all of your masters, just turn on ssl, and filter down the allowed hosts to send reports (i.e only your puppet masters can communicate with foreman/dashboard. Last I checked, puppet can't send reports to an https server. Only to a http server. Has this changed? not if you use something like: https://github.com/ohadlevy/puppet-foreman/blob/master/foreman/files/foreman-report.rb That's better than what I've seen, still, it looks like he client isn't verifying the server's certificate, and the client's not sending one either, meaning many of the benefits of SSL are gone. Do you know of a way (with code or a link to the right API) that would help with either of those? 
in order to verify you need to:
1. enable verify mode
2. specify the certs to use

google replied with this example: http://stackoverflow.com/questions/2507902/how-to-validate-ssl-certificate-chain-in-ruby-with-net-http which doesn't seem like a lot of work to change the code i pasted above.

Ohad
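The two steps listed in the reply above (enable verify mode, specify the certs), together with the client certificate asked about earlier in the thread, as an added Ruby example; it is not code from foreman-report.rb or from anyone in this thread. The host name, CA names and helper names are hypothetical, and the certificates are constructed in memory so the block runs offline.

```ruby
require 'net/http'
require 'openssl'

# Constructed test PKI, generated in memory (not real certificates).
def new_cert(cn, serial)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  [cert, key]
end

# Self-signed CA certificate that is allowed to sign other certificates.
def make_ca(cn)
  cert, key = new_cert(cn, 1)
  cert.issuer = cert.subject
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Leaf certificate (report server or puppet master) signed by the given CA.
def issue_cert(cn, serial, ca_cert, ca_key)
  cert, key = new_cert(cn, serial)
  cert.issuer = ca_cert.subject
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Trust only the CA(s) that sign the report server's certificate.
def trust_store(*ca_certs)
  store = OpenSSL::X509::Store.new
  ca_certs.each { |c| store.add_cert(c) }
  store
end

# HTTPS client a report processor on the master could use to POST reports.
# Nothing is sent here; Net::HTTP only connects on the first request.
def report_client(host, port, store, client_cert, client_key)
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER # step 1: enable verify mode
  http.cert_store = store                      # step 2: the certs to trust
  http.cert = client_cert                      # client cert: lets the server
  http.key = client_key                        # authenticate this master
  http
end

# The two checks VERIFY_PEER applies to the server certificate at connect
# time: the chain must end in a trusted CA and the name must match the host.
def peer_acceptable?(store, cert, hostname)
  store.verify(cert) && OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end
```

For the server to reject masters that present no certificate, the receiving web server must also be configured to require and verify client certificates; the client settings alone do not enforce that.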
[Puppet Users] cannot create www-data user
hello list!

I am having a little trouble with one of my manifests. In my apache module I attempt to start the httpd service, but it complains that www-data is a 'bad user'.

This is what happens if I attempt to start httpd by hand after the initial puppet run:

    [root@puppet yum.repos.d]# service httpd start
    Starting httpd: httpd: bad user name www-data [FAILED]

It's rather confusing because I do have www-data defined in a file called group.pp

    [root@puppet yum.repos.d]# ls -l /etc/puppet/manifests/groups/group.pp
    -rw-r--r-- 1 puppet puppet 3453 May 10 15:41 /etc/puppet/manifests/groups/group.pp

Which has the user defined like this:

    group {
      ..
      group { 'www-data':
        ensure => 'present',
        gid    => '33'
      }
      ..
    }

It is included in my site.pp file

    # site.pp
    import "template"
    import "nodes"
    import "classes/*"
    import "groups/*"
    import "users/*"
    import "os/*"

And I am sure to include it in a class called centos

    class centos {
      include yumrepos
      include group
      ..
    }

which is itself included in a base class template:

    node basenode {
      include sshd
      include centos
    }

    node default inherits basenode {}

    node webserver inherits basenode {
      include apache
    }

and this is how the node is defined:

    node 'puppet.acadaca.net' inherits webserver { }

I define the httpd service in /etc/puppet/modules/apache/manifests/init.pp this way:

    service { httpd:
      enable     => true,
      ensure     => running,
      hasrestart => true,
      hasstatus  => true,
      require    => [$requires,Group[www-data]],
    }

This is how the puppet run looks:

    [root@puppet yum.repos.d]# puppetd -t
    info: Loading facts in mysql
    info: Loading facts in configured_ntp_servers
    info: Loading facts in mysql
    info: Loading facts in configured_ntp_servers
    info: Caching catalog for puppet.acadaca.net
    info: /Stage[main]/Centos/Tidy[/etc/yum.repos.d/c5-media.repo]: File does not exist
    info: /Stage[main]/Apache/Tidy[/etc/httpd/conf.d/ssl.conf]: File does not exist
    info: /Stage[main]/Centos/Tidy[/etc/yum.repos.d/CentOS.repo]: File does not exist
    info: Applying configuration version '1305056672'
    notice: /Stage[main]/Centos/Exec[import webtatic key]/returns: executed successfully
    notice: /Stage[main]/Centos/Exec[import remi key]/returns: executed successfully
    notice: /Stage[main]/Centos/Exec[import dag key]/returns: executed successfully
    err: /Stage[main]/Apache/Service[httpd]/ensure: change from stopped to running failed: Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1: at /etc/puppet/modules/apache/manifests/init.pp:260
    notice: Finished catalog run in 3.49 seconds

If I add the www-data user by hand:

    [root@puppet yum.repos.d]# useradd www-data -g www-data
    Creating mailbox file: File exists
    useradd: warning: the home directory already exists.
    Not copying any file from skel directory into it.

The httpd service starts by hand just fine:

    [root@puppet yum.repos.d]# service httpd start
    Starting httpd:[ OK ]

And if I stop the httpd service and let puppet try to start it at this point..it WORKS!!

    [root@puppet yum.repos.d]# puppetd -t
    info: Loading facts in mysql
    info: Loading facts in configured_ntp_servers
    info: Loading facts in mysql
    info: Loading facts in configured_ntp_servers
    info: Caching catalog for puppet.acadaca.net
    info: /Stage[main]/Apache/Tidy[/etc/httpd/conf.d/ssl.conf]: File does not exist
    info: /Stage[main]/Centos/Tidy[/etc/yum.repos.d/CentOS.repo]: File does not exist
    info: /Stage[main]/Centos/Tidy[/etc/yum.repos.d/c5-media.repo]: File does not exist
    info: Applying configuration version '1305056672'
    notice: /Stage[main]/Centos/Exec[import webtatic key]/returns: executed successfully
    notice: /Stage[main]/Centos/Exec[import dag key]/returns: executed successfully
    notice: /Stage[main]/Centos/Exec[import remi key]/returns: executed successfully
    notice: /Stage[main]/Apache/Service[httpd]/ensure: ensure changed 'stopped' to 'running'
    notice: Finished catalog run in 3.96 seconds

How can I automate the creation of the www-data user so that the service will start automatically?

Thank you for your kind attention to this issue!

Tim
--
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
Re: [Puppet Users] cannot create www-data user
We use CentOS 5.x and by default httpd runs as the apache user and not www-data. HTH Charles On Tue, May 10, 2011 at 2:59 PM, Tim Dunphy bluethu...@gmail.com wrote: hello list! I am having a little trouble with one of my manifests. in my apache module I attempt to start the httpd service, but it complains that www-data is a 'bad user'. This is what happens if I attempt to start httpd by hand after the initial puppet run: [root@puppet yum.repos.d]# service httpd start Starting httpd: httpd: bad user name www-data [FAILED] It's rather confusing because I do have www-date defined in a file called group.pp [root@puppet yum.repos.d]# ls -l /etc/puppet/manifests/groups/group.pp -rw-r--r-- 1 puppet puppet 3453 May 10 15:41 /etc/puppet/manifests/groups/group.pp Which has the user defined like this: group { .. group { 'www-data': ensure = 'present', gid = '33' } .. } It is included in my site.pp file # site.pp import template import nodes import classes/* import groups/* import users/* import os/* And I am sure to include it in a class called centos class centos { include yumrepos include group .. 
} which is itself included in a base class template: node basenode { include sshd include centos } node default inherits basenode {} node webserver inherits basenode { include apache } and this is how the node is defined: node 'puppet.acadaca.net' inherits webserver { } I define the httpd service in /etc/puppet/modules/apache/manifests/init.pp this way: service { httpd: enable = true, ensure = running, hasrestart = true, hasstatus = true, require = [$requires,Group[www-data]], } This is how the puppet run looks: [root@puppet yum.repos.d]# puppetd -t info: Loading facts in mysql info: Loading facts in configured_ntp_servers info: Loading facts in mysql info: Loading facts in configured_ntp_servers info: Caching catalog for puppet.acadaca.net info: /Stage[main]/Centos/Tidy[/etc/yum.repos.d/c5-media.repo]: File does not exist info: /Stage[main]/Apache/Tidy[/etc/httpd/conf.d/ssl.conf]: File does not exist info: /Stage[main]/Centos/Tidy[/etc/yum.repos.d/CentOS.repo]: File does not exist info: Applying configuration version '1305056672' notice: /Stage[main]/Centos/Exec[import webtatic key]/returns: executed successfully notice: /Stage[main]/Centos/Exec[import remi key]/returns: executed successfully notice: /Stage[main]/Centos/Exec[import dag key]/returns: executed successfully err: /Stage[main]/Apache/Service[httpd]/ensure: change from stopped to running failed: Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1: at /etc/puppet/modules/apache/manifests/init.pp:260 notice: Finished catalog run in 3.49 seconds If I add the www-data user by hand: [root@puppet yum.repos.d]# useradd www-data -g www-data Creating mailbox file: File exists useradd: warning: the home directory already exists. Not copying any file from skel directory into it. The httpd service starts by hand just fine: [root@puppet yum.repos.d]# service httpd start Starting httpd:[ OK ] And if I stop the httpd service and let puppet try to start it at this point..it WORKS!! 
[root@puppet yum.repos.d]# puppetd -t info: Loading facts in mysql info: Loading facts in configured_ntp_servers info: Loading facts in mysql info: Loading facts in configured_ntp_servers info: Caching catalog for puppet.acadaca.net info: /Stage[main]/Apache/Tidy[/etc/httpd/conf.d/ssl.conf]: File does not exist info: /Stage[main]/Centos/Tidy[/etc/yum.repos.d/CentOS.repo]: File does not exist info: /Stage[main]/Centos/Tidy[/etc/yum.repos.d/c5-media.repo]: File does not exist info: Applying configuration version '1305056672' notice: /Stage[main]/Centos/Exec[import webtatic key]/returns: executed successfully notice: /Stage[main]/Centos/Exec[import dag key]/returns: executed successfully notice: /Stage[main]/Centos/Exec[import remi key]/returns: executed successfully notice: /Stage[main]/Apache/Service[httpd]/ensure: ensure changed 'stopped' to 'running' notice: Finished catalog run in 3.96 seconds How can I automate the creation of the www-data user so that the service will start automatically? Thank you for your kind attention to this issue! Tim -- GPG me!! gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B -- You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en. -- You received this message because you are subscribed to the Google Groups Puppet Users
Re: [Puppet Users] Re: chicken and the egg.. pushing custom facter plugins for use within puppet..
Couple quick examples. In the dpkg/apt module: if ($lsbdistcodename == '') { err(LsbDistCodename not set on $fqdn. Not configuring apt!) } else { Or use '': in a case statement, eg: case $foo { '1': { foo } '': { undefined } default: { other } } I'm having trouble finding specific examples in our current setup - I've been moving away from it in favor of running with pluginsync and --tags no_such_tag (so the problem doesn't come up as often.) We used to have at least one template example but I can't find it.. :/ On Thu, May 5, 2011 at 12:44 AM, Michael Dodwell michael.dodw...@gmail.comwrote: We work around it by checking the existence of the fact/value before using it Is this done in the template file or somewhere else? Can you please supply dummy code as an example? Thanks On May 5, 12:01 am, Disconnect dc.disconn...@gmail.com wrote: Although good advice (pluginsync is win) that still doesn't solve the chicken/egg problem - puppet won't evaluate the new facts on the first run. We work around it by checking the existence of the fact/value before using it. Not ideal but it works. (And on brand new hosts, we run puppetd -t --tags no_such_tag to get the sync done. We actually do it twice, so that the new values are pushed up to the puppetmaster before the 'real' run, but that probably isn't strictly necessary.) On Tue, May 3, 2011 at 11:04 PM, Nan Liu n...@puppetlabs.com wrote: On Tue, May 3, 2011 at 10:04 PM, Michael Dodwell michael.dodw...@gmail.com wrote: Hi, I've created a number of custom facts that i've added to manifests. If i add the custom fact, have puppet push the custom fact file to the host, then after it's pushed it add it to the templates everything works fine. However if i try and use the module on a fresh host without the custom facter it fails. When it looks at the templates it isn't aware of the custom fact yet and errors out. How can i get it to pull down the facter plugin before it tries to read the template file? 
I have tried:

    file { "/etc/somefile":
      owner   => root,
      group   => root,
      mode    => 644,
      require => File["/usr/lib/ruby/1.8/facter/custom_fact.rb"],
      content => template("module/etc/somefile");
    }

Any suggestions? I'd prefer not to have to add the custom facter to the kickstart/jumpstart environment.

This is solved with pluginsync option. Puppet will download any custom facts/providers, so you should not distribute them to the agent as file resources.

Thanks, Nan
Re: [Puppet Users] Re: Managing Switches.
I dunno. Don't think this is a stupid question. Maybe someone else can answer this. -- Regards, Martin Willemsma 2011/5/10 Douglas Garstang doug.garst...@gmail.com Anyone? Anyone? On Mon, May 9, 2011 at 2:45 PM, Douglas Garstang doug.garst...@gmail.comwrote: All, I was looking at the new feature of puppet to manage switches, and it says: A current limitation is that it isn’t possible to have 2 switches with the same interface name Does this mean that if one switch has an interface called FastEthernet 0/1, that puppet can't manage a second switch with an interface called FastEthernet 0/1? If so, that probably means you can manage a sum total of... 1 switch, given that interface names are pretty common... I hope I'm reading this wrong... Doug -- Regards, Douglas Garstang http://www.linkedin.com/in/garstang Email: doug.garst...@gmail.com Cell: +1-805-340-5627
Re: [Puppet Users] Re: chicken and the egg.. pushing custom facter plugins for use within puppet..
On Tue, May 10, 2011 at 3:16 PM, Disconnect dc.disconn...@gmail.com wrote: Couple quick examples. In the dpkg/apt module: if ($lsbdistcodename == '') { err(LsbDistCodename not set on $fqdn. Not configuring apt!) } else { Or use '': in a case statement, eg: case $foo { '1': { foo } '': { undefined } default: { other } } Ah, in this case lsbdistcodename is dependent on lsb packages. Yeah, unfortunately this can't be solved with pluginsync, since pluginsync doesn't install packages. This is one package I would suggest including in the base image. Pluginsync takes care of facts written purely in Ruby, so I did not consider these other cases and I don't have a good solution for facts with external dependency. Maybe tag resources required for facts and run puppet agent -t --tags plugins. Definitely open for other better solutions. Thanks, Nan
[Puppet Users] Re: puppet not working after switch to passenger - permissions issue?
On May 5, 2:31 am, Andreas Kuntzagk andreas.kuntz...@mdc-berlin.de wrote: Ok, seems that I have an authentication issue here. when I set (for all paths) auth no in auth.conf, it's working again. Maybe I set these options wrong in the apache.conf: SSLCertificateFile /etc/puppet/ssl/certs/node002.pem SSLCertificateKeyFile /etc/puppet/ssl/private_keys/node002.pem As far as I can tell these files match. regards, Andreas Andreas Kuntzagk wrote: Hi, Nan Liu wrote: On Wed, May 4, 2011 at 8:26 AM, Andreas Kuntzagk andreas.kuntz...@mdc-berlin.de wrote: Hi, as suggested on the list I switched from the standalone puppetmaster to Passenger. I have passenger installed now and edited the apache config as far as I understood. I restarted apache. Now when I run an agent I get: /var/lib/gems/1.8/bin/puppet agent --server node002 --test err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: node039(192.168.73.39) access to /catalog/node039 [find] at line 0 warning: Not using cache on failed catalog err: Could not retrieve catalog; skipping run In the server log I find this: May 4 14:13:08 node002 puppet-master[14489]: Denying access: Forbidden request: node039(192.168.73.39) access to /catalog/node039 [find] at line 0 May 4 14:13:08 node002 puppet-master[14489]: Forbidden request: node039(192.168.73.39) access to /catalog/node039 [find] at line 0 Not sure I can pinpoint your problem, is this all the output with debugging enabled in config.ru? No. I just enabled debugging (did not see this option before). Now I get many more lines. I suspect these to be the important ones: May 5 08:59:36 node002 puppet-master[16796]: (access[/]) adding authentication any May 5 08:59:36 node002 puppet-master[16796]: Inserting default '/status'(auth) acl because none where found in '/etc/puppet/auth.conf' May 5 08:59:36 node002 puppet-master[16796]: (access[/]) defaulting to no access for node002 [...] It doesn't map to a filepath. 
Access is controlled via auth.conf. You should have a section similar to: # allow nodes to retrieve their own catalog (ie their configuration) path ~ ^/catalog/([^/]+)$ method find allow $1 Ok, auth.conf was missing. But I copied the gems default conf file and it's still not working. Since you should not need to change it, I'm wondering do you have the following [master] section in puppet.conf? ssl_client_header = SSL_CLIENT_S_DN ssl_client_verify_header = SSL_CLIENT_VERIFY No. There is no [master] section at all. And also in all example confs there is no [master] section. Btw. this is version 2.6.4. regards, Andreas So in the puppet.conf I have, those ssl_client_* settings are actually in the [user] section. I'm not 100% sure if that's correct but I'm running 2.6.8 on mine and that appears to be one of the magic bits needed. Also in your apache config, add # The following client headers allow the same configuration to work with Pound. RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e That seems to be the other bit that actually passes the authentication down the chain to puppet. -Paul
[Puppet Users] Re: extending puppet without hacking puppet
You can set noop => true in the package resource and puppet won't actually change it, just log that it wants to change it.

    package { httpd:
      name   => httpd,
      ensure => latest,
      noop   => true,
    }

This is especially convenient with tagmail or other reporting. If possible, making noop the default for all packages will save a lot of typing.

    Package { noop => true }

It sounds like that's what you want anyway, and you can always override individual packages with noop => false if needed. Standard disclaimers apply, be sure to test first.
[Puppet Users] rack problems
I'm having some issues running rake commands for puppet dashboard. Here is one of the symptoms (see below). I'm a little new to setting up rails/rack applications, so I may be making a common mistake. It looks like gems are already packaged with dashboard, specifically rack-1.01. Should that gem just work out of the box? Command: rake RAILS_ENV=production reports:prune upto=1 unit=mon rake RAILS_ENV=production Output: can't activate rack (~ 1.2.2) for [], already activated rack-1.0.1 for [] Here is the trace: db:raw:optimize (in /opt/puppet-dashboard) ** Invoke reports:prune (first_time) ** Invoke environment (first_time) ** Execute environment rake aborted! can't activate rack (~ 1.2.2) for [], already activated rack-1.0.1 for [] /opt/puppet-dashboard/config/../vendor/rails/railties/lib/ initializer.rb:271:in `require_frameworks' /opt/puppet-dashboard/config/../vendor/rails/railties/lib/ initializer.rb:134:in `process' /opt/puppet-dashboard/config/../vendor/rails/railties/lib/ initializer.rb:113:in `send' /opt/puppet-dashboard/config/../vendor/rails/railties/lib/ initializer.rb:113:in `run' /opt/puppet-dashboard/config/environment.rb:14 /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:36:in `gem_original_require' /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:36:in `require' /opt/puppet-dashboard/vendor/rails/activesupport/lib/active_support/ dependencies.rb:156:in `require' /opt/puppet-dashboard/vendor/rails/activesupport/lib/active_support/ dependencies.rb:521:in `new_constants_in' /opt/puppet-dashboard/vendor/rails/activesupport/lib/active_support/ dependencies.rb:156:in `require' /opt/puppet-dashboard/vendor/rails/railties/lib/tasks/misc.rake:4 /usr/lib64/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:636:in `call' /usr/lib64/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:636:in `execute' /usr/lib64/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:631:in `each' /usr/lib64/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:631:in `execute' 
/usr/lib64/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:597:in `invoke_with_call_chain' /usr/lib/ruby/1.8/monitor.rb:242:in `synchronize' /usr/lib64/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:590:in `invoke_with_call_chain' /usr/lib64/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:607:in `invoke_prerequisites' /usr/lib64/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:604:in `each' /usr/lib64/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:604:in `invoke_prerequisites' /usr/lib64/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:596:in `invoke_with_call_chain' /usr/lib/ruby/1.8/monitor.rb:242:in `synchronize' /usr/lib64/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:590:in `invoke_with_call_chain' /usr/lib64/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:583:in `invoke' /usr/lib64/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2051:in `invoke_task' /usr/lib64/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2029:in `top_level' /usr/lib64/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2029:in `each' /usr/lib64/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2029:in `top_level' /usr/lib64/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2068:in `standard_exception_handling' /usr/lib64/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2023:in `top_level' /usr/lib64/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2001:in `run' /usr/lib64/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2068:in `standard_exception_handling' /usr/lib64/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:1998:in `run' /usr/lib64/ruby/gems/1.8/gems/rake-0.8.7/bin/rake:31 /usr/bin/rake:19:in `load' /usr/bin/rake:19 My set up: Puppet 2.6.8 Ruby 1.8.7 rack (1.2.2) rails (3.0.5) apache 2.2.15 -- You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
[Puppet Users] Re: rack problems
Never mind, I just commented out the 'require rack' in environments.rb.

On May 10, 9:51 pm, Luke Baker bake...@missouri.edu wrote:
> I'm having some issues running rake commands for puppet dashboard. Here is one of the symptoms (see below). I'm a little new to setting up rails/rack applications, so I may be making a common mistake. It looks like gems are already packaged with dashboard, specifically rack-1.01. Should that gem just work out of the box?
>
> Command: rake RAILS_ENV=production reports:prune upto=1 unit=mon
> rake RAILS_ENV=production
> Output: can't activate rack (~ 1.2.2) for [], already activated rack-1.0.1 for []
> [...]
Re: [Puppet Users] Puppet Master System Requirements
Keep in mind that there are many ways to run puppet.

We manage ~100 nodes with just a single puppet master running within a gentoo VM w/ only single cpu core and 2GB ram. Catalog compile times average under 0.6 seconds. This is also w/ WEBrick. The puppet master VM also serves as a master nfs server and gentoo build server.

That's a lot of stuff on a single small VM, but it works perfectly for us because:

a) our default puppet run interval is 4hrs (if something goes wrong w/ one of our manifests or the server, we'll probably notice it and stop it before too many servers get updated - for our purposes, we don't see any benefit to using an interval less than 4hrs. 4hrs is certainly sufficient for most common security updates and we also do not want to have normal updates impacting production performance during peak business hours - so 25% of servers updating every hour is perfect for us).

b) Many of our servers, mostly the gentoo ones, only execute puppet when puppetrun is invoked either manually by systems administrators for the specific nodes they are reconfiguring or automatically as part of a nightly update systems maintenance cron job.

Basically, puppet is extremely flexible w/ hardware, and it is likely your own preferences and production requirements will dictate the hardware needed rather than puppet itself.

On Tuesday, May 10, 2011 06:04:22 am Panaman wrote:
> I've been messing around with Puppet on a VM on my personal desktop. It looks decent. I was wondering what kind of load this thing would have managing about 400 nodes. Does this thing require a beefy server?

Matt
--
Matthew Marlowe / 858-400-7430 / DeployLinux Consulting, Inc
Professional Linux Hosting and Systems Administration Services
www.deploylinux.net * m...@deploylinux.net
'MattM' @ irc.freenode.net