[Puppet Users] Re: Passenger issues running Puppet
Hi,

sorry for the late reply but have a look at my config.ru

cat /usr/share/puppet/rack/puppetmasterd/config.ru
# a config.ru, for use with every rack-compatible webserver.
# SSL needs to be handled outside this, though.

# if puppet is not in your RUBYLIB:
# $:.unshift('/opt/puppet/lib')

$0 = "master"

# if you want debugging:
# ARGV << "--debug"

ARGV << "--rack"
require 'puppet/application/master'
# we're usually running inside a Rack::Builder.new {} block,
# therefore we need to call run *here*.
run Puppet::Application[:master].run

Also make sure that it is owned by the puppet user.

Here is my gem list (not all of them needed for puppet):

*** LOCAL GEMS ***

actionmailer (2.3.8)
actionpack (2.3.8)
activerecord (2.3.8)
activeresource (2.3.8)
activesupport (2.3.8)
arrayfields (4.7.4)
attributes (5.0.1)
builder (2.1.2)
camping (2.0)
fastthread (1.0.7)
fattr (2.1.0)
git (1.2.5)
highline (1.6.1)
main (4.2.0)
markaby (0.6.8)
metaid (1.0)
passenger (2.2.15)
pg (0.9.0)
postgres (0.7.9.2008.01.28)
rack (1.1.0)
rails (2.3.8)
rake (0.8.7)
restr (0.5.2)
reststop (0.4.0)
sqlite3-ruby (1.3.1)
sys-filesystem (0.3.3)

Cheers,
Den

On May 12, 6:31 am, PBWebGuy wrote:
> I have been through all of the instructions for setting up a
> PuppetMaster using Passenger. At the present time, when I access
> Passenger I receive the Passenger Error page with the message "The
> application has exited during startup (i.e. during the evaluation of
> config/environment.rb)". I've looked at the log files and there is
> nothing obvious.
>
> When I run puppetmaster everything is working with a 2nd node. Then
> when I switch over to Passenger, I get the error.
>
> Below is the stacktrace that appears in the error page. Is it normal
> that Puppet is trying to "daemonize" the process when running in
> Apache?
>
> The application is failing at the following code which is to put
> Puppet into daemonized mode which doesn't make any sense to me running
> in Passenger. Could I be missing some configuration setting?
>
> # Put the daemon into the background.
> def daemonize
>   if pid = fork
>     Process.detach(pid)
>     exit(0)
>   end
>
> 0  /usr/lib/ruby/site_ruby/1.8/puppet/daemon.rb 19 in `exit'
> 1  /usr/lib/ruby/site_ruby/1.8/puppet/daemon.rb 19 in `daemonize'
> 2  /usr/lib/ruby/site_ruby/1.8/puppet/application/master.rb 105 in `main'
> 3  /usr/lib/ruby/site_ruby/1.8/puppet/application/master.rb 46 in `run_command'
> 4  /usr/lib/ruby/site_ruby/1.8/puppet/application.rb 287 in `run'
> 5  /usr/lib/ruby/site_ruby/1.8/puppet/application.rb 393 in `exit_on_fail'
> 6  /usr/lib/ruby/site_ruby/1.8/puppet/application.rb 287 in `run'
> 7  config.ru 21
> 8  /usr/lib/ruby/gems/1.8/gems/rack-1.2.2/lib/rack/builder.rb 46 in `instance_eval'
> 9  /usr/lib/ruby/gems/1.8/gems/rack-1.2.2/lib/rack/builder.rb 46 in `initialize'
> 10 config.ru 1 in `new'
> 11 config.ru 1
>
> The log files show that Puppet is starting up but that is about it.
>
> Here is some of my configuration information:
>
> config.ru
>
> # a config.ru, for use with every rack-compatible webserver.
> # SSL needs to be handled outside this, though.
>
> # if puppet is not in your RUBYLIB:
> # $:.unshift('/opt/puppet/lib')
>
> $0 = "master"
>
> # if you want debugging:
> # ARGV << "--debug"
> ARGV << "--debug"
>
> #ARGV << "--rack"
> require 'puppet/application/master'
> # we're usually running inside a Rack::Builder.new {} block,
> # therefore we need to call run *here*.
> run Puppet::Application[:master].run
> ---
>
> *** LOCAL GEMS ***
>
> daemon_controller (0.2.6)
> fastthread (1.0.7)
> passenger (3.0.7) but have tried downgrading to 2.2.15
> rack (1.2.2)
> rake (0.8.7)
>
> Running Puppet 2.6.7 but have tried downgrading to 2.6.4

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
[Puppet Users] Thoughts about extlookup: http://blog.wl0.org/2011/05/thoughts-about-extlookup-in-puppet/
Hi,

I have been trying to improve the coding of some of my puppet recipes and had some trouble so wrote this:

http://blog.wl0.org/2011/05/thoughts-about-extlookup-in-puppet/

Comments on the web seem to indicate that extlookup() solves "all problems" but I don't really see that and hence have proposed a possible way to keep the data closer together and make the extlookup() behaviour more explicit and thus IMO clearer.

What do you think?

Simon
[Puppet Users] Puppet Dashboard on Freebsd 8.2
Is anyone running the puppet dashboard on freebsd 8.2? I am kinda a newb to freebsd but managed to get puppet installed with apache and mysql. But I haven't actually figured out how to get the dashboard to install.
Re: [Puppet Users] Security of Puppet ACLs..
That's an interesting one for a few points.. how is the uniqueid generated?

On May 12, 2011, at 6:15 PM, Larry Ludwig wrote:

> 4)
>
> reference the file via the facter 'uniqueid'
Re: [Puppet Users] Security of Puppet ACLs..
4) reference the file via the facter 'uniqueid'
Re: [Puppet Users] array being concatenated
On Thu, May 12, 2011 at 6:21 PM, tjmaszc wrote:

> Having issues trying to create the same symlink for multiple web
> sites. This is my class:
>
> class assoc_symlinks {
>   $assocs=[ "asecs", "mgsa", "athe" ]
>
>   define create_assoc_symlinks() {
>     file {"/www/domains/${name}.press.jhu.edu/cgi-bin/membership_directory.cgi":
>       ensure => symlink,
>       target => "/www/shared/cgi-bin/membership_directory.cgi",
>       owner => apache, group => apache, mode => 2775,
>     }
>   }
>   create_assoc_symlinks { "$assocs" }

Don't quote the array.

If you do quote it, Puppet sees it as a string "['one', 'two']" rather than the array ["one", "two"].

> }
>
> Then I call it in my nodes.pp file as "include assoc_symlinks"
>
> When I run puppet, it gives me this error:
> hu May 12 14:14:57 -0400 2011 //Node[adv01jh]/Assoc_symlinks[asecsmgsaathe]/File[/www/domains/asecsmgsaathe.press.jhu.edu/cgi-bin/membership_directory.cgi]/ensure (err): change from absent to link failed: Could not set link on ensure: No such file or directory - /www/domains/asecsmgsaathe.press.jhu.edu/cgi-bin at /etc/puppet/manifests/classes/assoc_symlinks.pp:8
>
> As you can see, it is combining my $assocs array into one string,
> instead of iterating through it as an array.
> Any suggestions would be great as I am relatively new and only been
> using puppet for a month or 2 now.
>
> Thanks,
> Thom

--
Nigel Kersten
Product, Puppet Labs
@nigelkersten
Re: [Puppet Users] Custom facts in modules
On May 12, 2011, at 1:44 PM, g h wrote:

> I am having trouble getting custom facts to be read in my puppet
> config. Also, for some reason the facter command is looking in the
> "./facter" directory when I run it; so if I run facter from within my
> module directory's lib folder, I can get the output.
>
> How can I get facter to read modules?
>
> Relevant output is below.
>
> Thanks!
>
> [root@puppet facter]# pwd
> /etc/puppet/modules/nsc-puppet-utils/lib/facter
> [root@puppet facter]# cat dns_servers.rb
>
> q = 1
> ` grep '^[ \t]*nameserver' /etc/resolv.conf | awk '{print $2}' `.each do |line|
>     Facter.add( "dns" + q.to_s ) do
>         setcode { line }
>     end
>     q = q+1
> end
> [root@puppet facter]# facter | grep dns
> [root@puppet facter]# cd ..
> [root@puppet lib]# pwd
> /etc/puppet/modules/nsc-puppet-utils/lib
> [root@puppet lib]# facter | grep dns
> dns1 => 172.30.0.53
> dns2 => 172.30.0.54
> [root@puppet lib]# strace -f facter 2>&1 | grep dns_servers
> stat64("./facter/dns_servers.rb", {st_mode=S_IFREG|0644, st_size=172, ...}) = 0
> open("./facter/dns_servers.rb", O_RDONLY|O_LARGEFILE) = 3
> open("./facter/dns_servers.rb", O_RDONLY|O_LARGEFILE) = 3
> open("./facter/dns_servers.rb", O_RDONLY|O_LARGEFILE) = 3
> [root@puppet nsc-puppet-utils]# cat /etc/puppet/puppet.conf
> [main]
>     # The Puppet log directory.
>     # The default value is '$vardir/log'.
>     logdir = /var/log/puppet
>
>     # Where Puppet PID files are kept.
>     # The default value is '$vardir/run'.
>     rundir = /var/run/puppet
>
>     # Where SSL certificates are kept.
>     # The default value is '$confdir/ssl'.
>     ssldir = $vardir/ssl
>
>     pluginsync = true
>     templatedir = $confdir/templates
>     pluginsync = true
>     factsync = true
>
> [master]
>     modulepath = $confdir/modules
>     manifestdir = $confdir/manifests
>     manifest = $confdir/manifests/site.pp
>     autosign = true
>
> [agent]
>     # The file in which puppetd stores a list of the classes
>     # associated with the retrieved configuratiion. Can be loaded in
>     # the separate ``puppet`` executable using the ``--loadclasses``
>     # option.
>     # The default value is '$confdir/classes.txt'.
>     classfile = $vardir/classes.txt
>
>     # Where puppetd caches the local configuration. An
>     # extension indicating the cache format is added automatically.
>     # The default value is '$confdir/localconfig'.
>     localconfig = $vardir/localconfig

1) You have "pluginsync = true" twice, but I assume this doesn't matter.

2) I believe factsync is deprecated now, and pluginsync is enough in more modern versions of puppet.

3) What version of puppet are you using on the client?

4) Are the client and server the same computer? Your output seems to imply they are.

5) What does "find /var/lib/puppet -name dns_servers.rb" give you? (This path might not be the correct one if you're NOT using a Debian based server. If so, this should give you the right path: "puppet --genconfig | grep 'vardir =' ")
[Puppet Users] array being concatenated
Having issues trying to create the same symlink for multiple web sites. This is my class:

class assoc_symlinks {
  $assocs=[ "asecs", "mgsa", "athe" ]

  define create_assoc_symlinks() {
    file {"/www/domains/${name}.press.jhu.edu/cgi-bin/membership_directory.cgi":
      ensure => symlink,
      target => "/www/shared/cgi-bin/membership_directory.cgi",
      owner => apache, group => apache, mode => 2775,
    }
  }
  create_assoc_symlinks { "$assocs" }
}

Then I call it in my nodes.pp file as "include assoc_symlinks"

When I run puppet, it gives me this error:
hu May 12 14:14:57 -0400 2011 //Node[adv01jh]/Assoc_symlinks[asecsmgsaathe]/File[/www/domains/asecsmgsaathe.press.jhu.edu/cgi-bin/membership_directory.cgi]/ensure (err): change from absent to link failed: Could not set link on ensure: No such file or directory - /www/domains/asecsmgsaathe.press.jhu.edu/cgi-bin at /etc/puppet/manifests/classes/assoc_symlinks.pp:8

As you can see, it is combining my $assocs array into one string, instead of iterating through it as an array.
Any suggestions would be great as I am relatively new and only been using puppet for a month or 2 now.

Thanks,
Thom
[Puppet Users] Custom facts in modules
I am having trouble getting custom facts to be read in my puppet config. Also, for some reason the facter command is looking in the "./facter" directory when I run it; so if I run facter from within my module directory's lib folder, I can get the output.

How can I get facter to read modules?

Relevant output is below.

Thanks!

[root@puppet facter]# pwd
/etc/puppet/modules/nsc-puppet-utils/lib/facter
[root@puppet facter]# cat dns_servers.rb

q = 1
` grep '^[ \t]*nameserver' /etc/resolv.conf | awk '{print $2}' `.each do |line|
    Facter.add( "dns" + q.to_s ) do
        setcode { line }
    end
    q = q+1
end
[root@puppet facter]# facter | grep dns
[root@puppet facter]# cd ..
[root@puppet lib]# pwd
/etc/puppet/modules/nsc-puppet-utils/lib
[root@puppet lib]# facter | grep dns
dns1 => 172.30.0.53
dns2 => 172.30.0.54
[root@puppet lib]# strace -f facter 2>&1 | grep dns_servers
stat64("./facter/dns_servers.rb", {st_mode=S_IFREG|0644, st_size=172, ...}) = 0
open("./facter/dns_servers.rb", O_RDONLY|O_LARGEFILE) = 3
open("./facter/dns_servers.rb", O_RDONLY|O_LARGEFILE) = 3
open("./facter/dns_servers.rb", O_RDONLY|O_LARGEFILE) = 3
[root@puppet nsc-puppet-utils]# cat /etc/puppet/puppet.conf
[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl

    pluginsync = true
    templatedir = $confdir/templates
    pluginsync = true
    factsync = true

[master]
    modulepath = $confdir/modules
    manifestdir = $confdir/manifests
    manifest = $confdir/manifests/site.pp
    autosign = true

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuratiion. Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration. An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig
Re: [Puppet Users] Re: Disabling optional services
For syslog-ng, we used the following and it seems to work:

case defined(Package["syslog-ng"]) {
  false: {
    service { "syslog": enable => false }
  }
}
package { "syslog-ng":
  ensure => installed,
  provider => yum
}
service { "syslog-ng":
  enable => true,
  require => [ Service["syslog"], Package["syslog-ng"] ]
}

I am pretty sure that the syslog-ng RPM stops sysklogd along the way.

On 6 May 2011 08:12, treydock wrote:

> I ran into this same challenge just a few days ago. I run mostly
> CentOS and syslogd is installed by default, but I prefer to run
> rsyslog. Here's a post,
> http://itscblog.tamu.edu/managing-syslog-and-log-forwarding-with-puppet/
> , I just did on my blog that has the recipes I used for syslog
> management. Hope that helps
>
> - Trey
>
> On May 5, 2:18 pm, Chris Phillips wrote:
> > Howdy,
> >
> > Can someone enlighten me as to how I can disable a service *IF* it is
> > installed? I want to ensure rsyslog is installed and running, which requires
> > syslogd to not be running, but the only way I can see to enforce this in
> > Puppet is to remove the sysklogd package, which I'd rather not do, I'd
> > rather just disable the service if it's there, but can't see how.
> >
> > Pointers appreciated
> >
> > Thanks
> >
> > Chris
Re: [Puppet Users] Re: puppet client not receiving cert
Hello Marius,

Thank you very much indeed for your prompt reply! It seems that I was under the impression that autosigning had been turned on on the puppet server. I see now that I was mistaken.

Best regards, and be well good sir!

tim

On Thu, May 12, 2011 at 4:41 PM, Saurval wrote:
> Hi Tim,
>
> Perhaps I am missing something in your output. There may be some
> actions implied that you took but were not shown. So excuse me if I
> am misunderstanding something.
>
> Did you take any actions on the server side while you were running
> 'puppetd -t --waitforcert 15 --server puppet.example.net'? What I see
> is you had the client send a certificate to the master in order to be
> signed, and when it was not signed in the amount of time you specified
> the client gave up. Did you use 'puppetca' on the server side to sign
> the certificate? If not, what you see is the expected behavior, as
> nothing would be sent back if it was not signed.
>
> Marius
> Shermans Travel Media LLC.
>
> On May 12, 3:39 pm, Tim Dunphy wrote:
>> hello list!!
>>
>> I'm having an issue where a client is not receiving its cert
>>
>> [root@ec2-50-16-98-245 ~]# puppetd -t --waitforcert 15 --server puppet.example.net
>> info: Creating a new SSL key for ec2-xx-xx-xx-xxx.compute-1.amazonaws.com
>> warning: peer certificate won't be verified in this SSL session
>> info: Caching certificate for ca
>> warning: peer certificate won't be verified in this SSL session
>> warning: peer certificate won't be verified in this SSL session
>> info: Creating a new SSL certificate request for ec2-xx-xx-xx-xxx.compute-1.amazonaws.com
>> info: Certificate Request fingerprint (md5): 93:17:4C:99:18:B9:8C:68:4E:2A:89:76:A4:28:04:81
>> warning: peer certificate won't be verified in this SSL session
>> warning: peer certificate won't be verified in this SSL session
>> warning: peer certificate won't be verified in this SSL session
>> warning: peer certificate won't be verified in this SSL session
>> notice: Did not receive certificate
>>
>> although the server is running and listening on 8140
>>
>> [root@puppet ~]# lsof -i :8140
>> COMMAND    PID   USER   FD  TYPE DEVICE SIZE NODE NAME
>> puppetmas 1694 puppet   7u  IPv4   7222       TCP *:8140 (LISTEN)
>>
>> and nmap confirms port is open
>>
>> Starting Nmap 5.21 (http://nmap.org) at 2011-05-12 14:50 EDT
>> Nmap scan report for puppet.example.net (xx.xx.xxx.xxx)
>> Host is up (0.014s latency).
>> rDNS record for xx.xx.xxx.xxx: ec2-xx-xx-xxx-xxx.compute-1.amazonaws.com
>> PORT     STATE SERVICE
>> 8140/tcp open  unknown
>>
>> Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
>>
>> http is running
>>
>> [root@puppet puppet]# service httpd status
>> httpd (pid 3606) is running...
>>
>> but the only errors I see are 404's the only logs in the
>> /var/log/masterhttp.log
>>
>> [2011-05-12 15:35:54] - -> /production/certificate/portero-fs.ec2.internal
>> [2011-05-12 15:35:55] ec2-xx-xx-xxx-xxx.compute-1.amazonaws.com - - [12/May/2011:15:35:55 EDT] "GET /production/certificate/ec2-xx-xx-xxx-xxx.compute-1.amazonaws.com HTTP/1.1" 404
>>
>> but the puppet client runs well on the puppet server itself...
>>
>> [root@puppet puppet]# puppetd -t
>> info: Loading facts in mysql
>> info: Loading facts in configured_ntp_servers
>> info: Loading facts in mysql
>> info: Loading facts in configured_ntp_servers
>> info: Caching catalog for puppet.acadaca.net
>> info: /Stage[main]/Centos/Tidy[/var/lib/amanda]: File does not exist
>> info: /Stage[main]/Centos/Tidy[/etc/yum.repos.d/c5-media.repo]: File does not exist
>> info: /Stage[main]/Centos/Tidy[/etc/yum.repos.d/CentOS.repo]: File does not exist
>> info: /Stage[main]/Apache/Tidy[/etc/httpd/conf.d/ssl.conf]: File does not exist
>> info: Applying configuration version '1305227995'
>> notice: /Stage[main]/Centos/Exec[import dag key]/returns: executed successfully
>> notice: /Stage[main]/Centos/Exec[import webtatic key]/returns: executed successfully
>> notice: /Stage[main]/Centos/Exec[import remi key]/returns: executed successfully
>> notice: Finished catalog run in 4.84 seconds
>>
>> I would appreciate any advice you may have...
>>
>> thanks!
>>
>> tim
>> --
>> GPG me!!
>>
>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
Re: [Puppet Users] Re: Who uses the rrd graphing support?
+1 from us too

On 12/05/2011, at 7:40 PM, "joel.merr...@gmail.com" wrote:

> On Thu, May 12, 2011 at 4:02 AM, Nigel Kersten wrote:
>> I'd much prefer it if we could concentrate on Puppet providing awesome
>> data sets for tools to graph rather than supporting something like the
>> rrdgraph functionality. Having to install the supporting libraries all
>> over the place doesn't feel right at all.
>>
>
> +1
>
> --
> $ echo "kpfmAdpoofdufevq/dp/vl" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
[Puppet Users] Re: puppet client not receiving cert
Hi Tim,

Perhaps I am missing something in your output. There may be some actions implied that you took but were not shown. So excuse me if I am misunderstanding something.

Did you take any actions on the server side while you were running 'puppetd -t --waitforcert 15 --server puppet.example.net'? What I see is you had the client send a certificate to the master in order to be signed, and when it was not signed in the amount of time you specified the client gave up. Did you use 'puppetca' on the server side to sign the certificate? If not, what you see is the expected behavior, as nothing would be sent back if it was not signed.

Marius
Shermans Travel Media LLC.

On May 12, 3:39 pm, Tim Dunphy wrote:
> hello list!!
>
> I'm having an issue where a client is not receiving its cert
>
> [root@ec2-50-16-98-245 ~]# puppetd -t --waitforcert 15 --server puppet.example.net
> info: Creating a new SSL key for ec2-xx-xx-xx-xxx.compute-1.amazonaws.com
> warning: peer certificate won't be verified in this SSL session
> info: Caching certificate for ca
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> info: Creating a new SSL certificate request for ec2-xx-xx-xx-xxx.compute-1.amazonaws.com
> info: Certificate Request fingerprint (md5): 93:17:4C:99:18:B9:8C:68:4E:2A:89:76:A4:28:04:81
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> notice: Did not receive certificate
>
> although the server is running and listening on 8140
>
> [root@puppet ~]# lsof -i :8140
> COMMAND    PID   USER   FD  TYPE DEVICE SIZE NODE NAME
> puppetmas 1694 puppet   7u  IPv4   7222       TCP *:8140 (LISTEN)
>
> and nmap confirms port is open
>
> Starting Nmap 5.21 (http://nmap.org) at 2011-05-12 14:50 EDT
> Nmap scan report for puppet.example.net (xx.xx.xxx.xxx)
> Host is up (0.014s latency).
> rDNS record for xx.xx.xxx.xxx: ec2-xx-xx-xxx-xxx.compute-1.amazonaws.com
> PORT     STATE SERVICE
> 8140/tcp open  unknown
>
> Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
>
> http is running
>
> [root@puppet puppet]# service httpd status
> httpd (pid 3606) is running...
>
> but the only errors I see are 404's the only logs in the
> /var/log/masterhttp.log
>
> [2011-05-12 15:35:54] - -> /production/certificate/portero-fs.ec2.internal
> [2011-05-12 15:35:55] ec2-xx-xx-xxx-xxx.compute-1.amazonaws.com - - [12/May/2011:15:35:55 EDT] "GET /production/certificate/ec2-xx-xx-xxx-xxx.compute-1.amazonaws.com HTTP/1.1" 404
>
> but the puppet client runs well on the puppet server itself...
>
> [root@puppet puppet]# puppetd -t
> info: Loading facts in mysql
> info: Loading facts in configured_ntp_servers
> info: Loading facts in mysql
> info: Loading facts in configured_ntp_servers
> info: Caching catalog for puppet.acadaca.net
> info: /Stage[main]/Centos/Tidy[/var/lib/amanda]: File does not exist
> info: /Stage[main]/Centos/Tidy[/etc/yum.repos.d/c5-media.repo]: File does not exist
> info: /Stage[main]/Centos/Tidy[/etc/yum.repos.d/CentOS.repo]: File does not exist
> info: /Stage[main]/Apache/Tidy[/etc/httpd/conf.d/ssl.conf]: File does not exist
> info: Applying configuration version '1305227995'
> notice: /Stage[main]/Centos/Exec[import dag key]/returns: executed successfully
> notice: /Stage[main]/Centos/Exec[import webtatic key]/returns: executed successfully
> notice: /Stage[main]/Centos/Exec[import remi key]/returns: executed successfully
> notice: Finished catalog run in 4.84 seconds
>
> I would appreciate any advice you may have...
>
> thanks!
>
> tim
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
[Puppet Users] puppet client not receiving cert
hello list!!

I'm having an issue where a client is not receiving its cert

[root@ec2-50-16-98-245 ~]# puppetd -t --waitforcert 15 --server puppet.example.net
info: Creating a new SSL key for ec2-xx-xx-xx-xxx.compute-1.amazonaws.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for ec2-xx-xx-xx-xxx.compute-1.amazonaws.com
info: Certificate Request fingerprint (md5): 93:17:4C:99:18:B9:8C:68:4E:2A:89:76:A4:28:04:81
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate

although the server is running and listening on 8140

[root@puppet ~]# lsof -i :8140
COMMAND    PID   USER   FD  TYPE DEVICE SIZE NODE NAME
puppetmas 1694 puppet   7u  IPv4   7222       TCP *:8140 (LISTEN)

and nmap confirms port is open

Starting Nmap 5.21 ( http://nmap.org ) at 2011-05-12 14:50 EDT
Nmap scan report for puppet.example.net (xx.xx.xxx.xxx)
Host is up (0.014s latency).
rDNS record for xx.xx.xxx.xxx: ec2-xx-xx-xxx-xxx.compute-1.amazonaws.com
PORT     STATE SERVICE
8140/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

http is running

[root@puppet puppet]# service httpd status
httpd (pid 3606) is running...

but the only errors I see are 404's the only logs in the /var/log/masterhttp.log

[2011-05-12 15:35:54] - -> /production/certificate/portero-fs.ec2.internal
[2011-05-12 15:35:55] ec2-xx-xx-xxx-xxx.compute-1.amazonaws.com - - [12/May/2011:15:35:55 EDT] "GET /production/certificate/ec2-xx-xx-xxx-xxx.compute-1.amazonaws.com HTTP/1.1" 404

but the puppet client runs well on the puppet server itself...

[root@puppet puppet]# puppetd -t
info: Loading facts in mysql
info: Loading facts in configured_ntp_servers
info: Loading facts in mysql
info: Loading facts in configured_ntp_servers
info: Caching catalog for puppet.acadaca.net
info: /Stage[main]/Centos/Tidy[/var/lib/amanda]: File does not exist
info: /Stage[main]/Centos/Tidy[/etc/yum.repos.d/c5-media.repo]: File does not exist
info: /Stage[main]/Centos/Tidy[/etc/yum.repos.d/CentOS.repo]: File does not exist
info: /Stage[main]/Apache/Tidy[/etc/httpd/conf.d/ssl.conf]: File does not exist
info: Applying configuration version '1305227995'
notice: /Stage[main]/Centos/Exec[import dag key]/returns: executed successfully
notice: /Stage[main]/Centos/Exec[import webtatic key]/returns: executed successfully
notice: /Stage[main]/Centos/Exec[import remi key]/returns: executed successfully
notice: Finished catalog run in 4.84 seconds

I would appreciate any advice you may have...

thanks!

tim
--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
[Puppet Users] Re: multiple resources overrides
On May 12, 11:32 am, Nick Fagerlund wrote:
> You can read more about the design here...

Wow, self, way to not post that link.

http://projects.puppetlabs.com/issues/6911
[Puppet Users] Re: multiple resources overrides
On May 12, 6:10 am, jcbollinger wrote:
> Speaking of deterministic evaluation, just how stable is it going to
> be? That is, it's one thing for ordering to be consistent for a
> particular set of manifests, but what will happen when the manifests
> are modified? How will ordering be affected by manifest changes?
>

You can read more about the design here, but basically: in an edited manifest, any two resources that HAVEN'T been changed (and which don't depend on things that have been changed) will have the same order relative to each other.
Re: [Puppet Users] how to add same ssh_key to two diff accounts
On Wed, May 11, 2011 at 05:36:26PM +0200, Arnau Bria wrote:
> I think I've already asked here... but I have an example where that
> feature is really interesting: we have some user pool, about 1000
> users, and I'd like to distribute one key to all those users. Why the
> trivial workaround, I could do it, but with 1000 lines :-)
>
> so, I'll open a ticket and pray for developers finding it interesting
> too.
>

One key for more than one user (e.g. an array for users) is really hard to implement the right way:

When puppet parses the keyfiles of different users, puppet just creates one pool of keys. Puppet identifies a key by its name (=comment) NOT by the target. So one key has to be unique across all your keyfiles. That means puppet can also move one entry from one file to another:

Simple test with the host type:

    puppet apply -v --noop -e 'host {localhost: target => "/tmp/test" }'
    info: Applying configuration version '1305216426'
    notice: /Stage[main]//Host[localhost]/target: is /etc/hosts, should be /tmp/test (noop)

Because one key has to have a unique name, one could argue that puppet should allow an array as a value for target (or user). But that just raises other issues: Imagine you have the following:

    ssh_authorized_key { 'testkey':
      ensure => present,
      key    => 'A',
      user   => ['userA', 'userB' ]
    }

What should puppet report when in userA's keyfile the keyproperty is out of sync (let's say key => 'X') while the key in userB's keyfile is correct? maybe something like

    Ssh_authorized_key[testkey]/key: is 'X', should be 'A' but only for 'userA' because for 'userB' key is correctly set to 'A'

So in my opinion the biggest problem with managing a resource for a whole bunch of users at the same time is the problem that you now have more than one is-value.

-Stefan
Re: [Puppet Users] variable scope for templates
Hi,

the issue is related to how scoping works for nodes in Puppet. The variable defined in your child nodes is not accessible from within the basenode node and is thus not available in its included classes.

In order for the variable to be available to the template, you would have to move the include ntp call to the child classes. This is one of the main reasons that people wind up using either an external node classifier or extlookup for modeling data.

regards,
Dan

On Thu, May 12, 2011 at 7:43 AM, andreash wrote:
> I have the following nodes definitions:
>
> node basenode {
>   include hosts
>   include ntp
>   include resolvconf
> }
>
> node 'dom1.mydomain.com' inherits basenode {
>   $ntp_role = "SERVER"
> }
>
> node 'stove1.mydomain.com' inherits basenode {
>   $ntp_role = "CLIENT"
> }
>
> in the ntp class, the ntpd.conf file template looks like this:
>
> <% if ntp_role == "SERVER" %>
> listen on <%= ntp_server %>
> server ptbtime1.ptb.de
> server ptbtime2.ptb.de
> server ptbtime3.ptb.de
> <% elsif ntp_role == "CLIENT" %>
> <% ntp_servers.each do |ntp_server| -%>
> server <%= ntp_server %>
> <% end %>
> <% end %>
>
> However, on both clients, I get the error "Failed to parse template
> ntp/ntpd.conf.erb: Could not find value for 'ntp_role' at /etc/puppet/
> modules/ntp/manifests/init.pp:17 on node stove1.mydomain.com". What am
> I doing wrong here?
>
> Cheers,
> Andreas
[Puppet Users] Variable scoping / best practice
Hey there,

I have the following class that defines an array:

    class iptables::hyperion {
      $system_ips = [ 'ip', 'ip', 'ip', ... ]
    }

To use this variable in a template, I'm setting it to a 'local' variable in the node definition:

    node 'mynode' inherits basenode {
      include iptables::hyperion
      $system_ips = $iptables::hyperion::system_ips
      class { iptables: fragments => [ 'hyperion.erb'] }
    }

I can then access and use $system_ips in a template for that node (in this case, 'hyperion.erb').

Does this fit a common pattern? I know that in a template you can use 'scope.lookupvar('var')'. Should I be using said function in the template to access $iptables::hyperion::system_ips, instead of reassigning it in the node definition?
[Puppet Users] variable scope for templates
I have the following nodes definitions:

    node basenode {
      include hosts
      include ntp
      include resolvconf
    }

    node 'dom1.mydomain.com' inherits basenode {
      $ntp_role = "SERVER"
    }

    node 'stove1.mydomain.com' inherits basenode {
      $ntp_role = "CLIENT"
    }

in the ntp class, the ntpd.conf file template looks like this:

    <% if ntp_role == "SERVER" %>
    listen on <%= ntp_server %>
    server ptbtime1.ptb.de
    server ptbtime2.ptb.de
    server ptbtime3.ptb.de
    <% elsif ntp_role == "CLIENT" %>
    <% ntp_servers.each do |ntp_server| -%>
    server <%= ntp_server %>
    <% end %>
    <% end %>

However, on both clients, I get the error "Failed to parse template
ntp/ntpd.conf.erb: Could not find value for 'ntp_role' at /etc/puppet/
modules/ntp/manifests/init.pp:17 on node stove1.mydomain.com". What am
I doing wrong here?

Cheers,
Andreas
Re: [Puppet Users] Re: Sending an email if an action happens
On Thu, May 12, 2011 at 4:19 PM, jcbollinger wrote:
>
> On May 12, 5:13 am, Silviu Paragina wrote:
> > On 11.05.2011 18:06, Calum wrote:
> >
> > > On 11 May 2011 15:49, Ohad Levy wrote:
> > >> You can use tagmail report, or use something like foreman to do it for you.
> > >> Ohad
> > > Thanks - I'll look into those.
> >
> > > I was more meaning something like:
> >
> > > file { "/etc/ntp.conf":
> > >   owner => root,
> > >   group => root,
> > >   mode=> 644,
> > >   source => "puppet:///modules/ntp/ntp.conf.2011-05-06",
> > >   require => Package["ntp"],
> > >   onchange => exec("mail ."),
> > > }
> >
> > > or something like that.
> >
> > You almost gave yourself the answer. :) Check the refreshonly parameter
> > for the exec type ;)
> > But this seems more of a hack to me, so take it as you wish.
>
>
> To be clear, to do it this way, "onchange" should be spelled "notify",
> and the Exec should be declared with refreshonly => true. It doesn't
> seem very hackish to me, but tagmail would be a better solution for
> most purposes.

the problem with tagmail is that you get every email (that was tagged for) regardless of environment, host owner etc.

Ohad
[Puppet Users] Re: Sending an email if an action happens
On May 12, 5:13 am, Silviu Paragina wrote:
> On 11.05.2011 18:06, Calum wrote:
>
> > On 11 May 2011 15:49, Ohad Levy wrote:
> >> You can use tagmail report, or use something like foreman to do it for you.
> >> Ohad
> > Thanks - I'll look into those.
>
> > I was more meaning something like:
>
> > file { "/etc/ntp.conf":
> >   owner => root,
> >   group => root,
> >   mode => 644,
> >   source => "puppet:///modules/ntp/ntp.conf.2011-05-06",
> >   require => Package["ntp"],
> >   onchange => exec("mail ."),
> > }
>
> > or something like that.
>
> You almost gave yourself the answer. :) Check the refreshonly parameter
> for the exec type ;)
> But this seems more of a hack to me, so take it as you wish.

To be clear, to do it this way, "onchange" should be spelled "notify", and the Exec should be declared with refreshonly => true. It doesn't seem very hackish to me, but tagmail would be a better solution for most purposes.
[Puppet Users] Re: multiple resources overrides
On May 11, 4:27 pm, Jeff McCune wrote:
> On Wed, May 11, 2011 at 12:17 AM, Julien Garet wrote:
>
> > Hello,
> > I am facing a strange behaviour with exported resources overriding in
> > 0.25.5 (CentOS). I am using nagios with exported resources. In my base
> > class, I define a hostgroup by default for all nodes. In an apache vhost
> > define, I override this hostgroup to a value common to all webservers. This
> > works.
> > But in another class, I use apache vhost define but I want to override
> > another time the hostgroup to set it to another value. This does not work,
> > the hostgroup for the host is set to the one for apache vhosts.
>
> > Is there a way to tell that the last resource override should happen after
> > the apache vhost define is applied ?
>
> Unfortunately there isn't. The feature you're using to override resources
> is actually a bit of an unintended consequence of another feature added to
> Puppet in 0.25.5.

I consider that unfortunate only insomuch as it makes the OP's life more difficult. In general, Puppet does not like it when you make contradictory declarations about a node, and I am happy to have it that way. Even when 2.7 makes the result of evaluation of such a manifest deterministic, *relying* on that evaluation order to resolve conflicts will still be a poor idea.

What I consider unfortunate here is that Puppet does not raise an error when an attempt is made to perform conflicting overrides.

> In Puppet 2.7, the order these resources will be evaluated in will be
> guaranteed to be deterministic, so this will help with testing and staging
> into pre-production, but currently the best practice is to not override the
> same parameter using the collection syntax.

And that will remain the best practice for the foreseeable future, as far as I am concerned.

Speaking of deterministic evaluation, just how stable is it going to be? That is, it's one thing for ordering to be consistent for a particular set of manifests, but what will happen when the manifests are modified? How will ordering be affected by manifest changes?

John
Re: [Puppet Users] Re: extending puppet without hacking puppet
On Thu, May 12, 2011 at 3:06 AM, Felix Frank wrote:
> On 05/11/2011 01:50 AM, John Lyman wrote:
>> You can set "noop => true" in the package resource and puppet won't
>> actually change it, just log that it wants to change it.
>>
>> package { "httpd":
>>   name => "httpd",
>>   ensure => "latest",
>>   noop => true,
>> }
>
> Yes, but this will still not install the package when its missing
> altogether.

I've had previous discussion about how to do this, and originally we wanted to abuse facter to upload the package into inventory, but it's not ideal for many reasons. You can use puppet inspect (2.6.5) to audit the package version separately from your puppet run, or use puppet resource package to get all package versions on the system. However you need to upload the audit results and parse the results.

This is another crack at this issue, create a separate puppet environment (I'm calling it checkpackage) with one difference in site.pp, keep the rest of your manifests/modules the same:

    Package <||> {
      ensure => latest,
      noop   => true,
      tag    => check
    }

On the client run against this new environment with tags check:

    puppet agent -t --environment checkpackage --tags check

Here's a test manifest and you'll see the difference if you comment/uncomment the first line:

    Package <||> { ensure => latest, noop => true, tag => check }

    class packages {
      package { "yum":
        ensure => present,
      }
      exec { "/bin/echo foo": }
    }

    include packages

    $ puppet apply --tags check test.pp
    notice: /Stage[main]/Packages/Package[yum]/ensure: is 3.2.22-26.el5.centos, should be 3.2.22-33.el5.centos (noop)

Thanks,
Nan
Re: [Puppet Users] Sending an email if an action happens
On 12 May 2011 11:13, Silviu Paragina wrote:
> You almost gave yourself the answer. :) Check the refreshonly parameter for
> the exec type ;)

Perfect. Just what I wanted.

The reporting looked too much for what we wanted, for now, anyway.

Many thanks.
Re: [Puppet Users] Sending an email if an action happens
On Thu, May 12, 2011 at 5:13 AM, Silviu Paragina wrote:
> On 11.05.2011 18:06, Calum wrote:
>>
>> On 11 May 2011 15:49, Ohad Levy wrote:
>>>
>>> You can use tagmail report, or use something like foreman to do it for
>>> you.
>>> Ohad
>>
>> Thanks - I'll look into those.
>>
>> I was more meaning something like:
>>
>> file { "/etc/ntp.conf":
>>   owner => root,
>>   group => root,
>>   mode => 644,
>>   source => "puppet:///modules/ntp/ntp.conf.2011-05-06",
>>   require => Package["ntp"],
>>   onchange => exec("mail ."),
>> }
>>
>> or something like that.
>>
> You almost gave yourself the answer. :) Check the refreshonly parameter for
> the exec type ;)
> But this seems more of a hack to me, so take it as you wish.
>

Back to Ohad's recommendation. If you have several resources that you need to receive email alerts upon resource changes, use tagmail report functionality.

1. Add the metaparameter tag => send_me_email (or any arbitrary set of tag values) to the resource you want to monitor via email.
2. Enable reports = tagmail in puppet.conf [master] section,
3. In tagmap conf set tag and email address:
   send_me_email: admin@...

Thanks,
Nan
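Added example, not part of any post in this thread: the two approaches discussed here (notify plus a refreshonly exec, and the tagmail report) applied to the ntp.conf resource from the question. The mail command, the recipient address, the exec title and the package declaration are assumptions.

```puppet
# Added example; mail command, recipient and resource titles are assumptions.

package { 'ntp':
  ensure => installed,
}

file { '/etc/ntp.conf':
  owner   => 'root',
  group   => 'root',
  mode    => '0644',
  source  => 'puppet:///modules/ntp/ntp.conf.2011-05-06',
  require => Package['ntp'],

  # Approach 1: "onchange" is spelled "notify". The exec below receives a
  # refresh event only when puppet actually changes this file.
  notify  => Exec['mail-ntp-conf-changed'],

  # Approach 2: tag the resource so the tagmail report can select it.
  # Normally you would pick one approach; both are shown side by side.
  tag     => 'send_me_email',
}

exec { 'mail-ntp-conf-changed':
  command     => "echo \"puppet changed /etc/ntp.conf on ${fqdn}\" | mail -s \"puppet change: ntp.conf\" admin@example.com",
  path        => '/bin:/usr/bin',
  # Without refreshonly the mail would be sent on every run, not only
  # when the file changes.
  refreshonly => true,
  logoutput   => on_failure,
}

# Settings that go with approach 2 (shown as comments, they are not Puppet code):
#
#   puppet.conf on the master      [master]
#                                  reports = tagmail
#
#   puppet.conf on each agent      [agent]
#                                  report = true
#
#   tagmail.conf on the master     send_me_email: admin@example.com
```

With approach 1 the mail is sent from the managed node itself, so that node needs a working mail command; with approach 2 the master sends it after processing the node's report.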
Re: [Puppet Users] Sending an email if an action happens
On 11.05.2011 18:06, Calum wrote:
> On 11 May 2011 15:49, Ohad Levy wrote:
>> You can use tagmail report, or use something like foreman to do it for you.
>> Ohad
> Thanks - I'll look into those.
>
> I was more meaning something like:
>
> file { "/etc/ntp.conf":
>   owner => root,
>   group => root,
>   mode=> 644,
>   source => "puppet:///modules/ntp/ntp.conf.2011-05-06",
>   require => Package["ntp"],
>   onchange => exec("mail ."),
> }
>
> or something like that.

You almost gave yourself the answer. :) Check the refreshonly parameter for the exec type ;)
But this seems more of a hack to me, so take it as you wish.

Silviu
[Puppet Users] Re: Puppet Master System Requirements
I'm on the extremely small scale end from what has been previously described, but this could prove useful to those who want to manage a small number of hosts and are curious how little they need to run Puppet.

I've just begun using Puppet, and so only have 10 hosts right now, but here's what I'm running...

CentOS 5.6 x64
VMware ESXi virtual machine
- 512MB RAM
- 1 x 2.33GHz CPU
- Paravirtual

Roles are...
- Puppetmaster
- puppet-dashboard w/ mysql & apache + passenger
- local yum repo over http
- OSSEC server.

- Trey

According to zabbix my system averages about .20 CPU load over 15 minute average. I occasionally peak 1.0 but that's typically when I'm running puppet manually very rapidly during testing. Memory usage is about 70% on average.

On May 11, 12:41 am, Matthew Marlowe wrote:
> Keep in mind that there are many ways to run puppet.
>
> We manage ~100 nodes with just a single puppet master running within a gentoo
> VM w/ only single cpu core and 2GB ram. Catalog compile times average under
> 0.6 seconds. This is also w/ web brick. The puppet master VM also serves as
> a master nfs server and gentoo build server.
>
> That's a lot of stuff on a single small VM, but it works perfectly for us
> because:
> a) our default puppet run interval is 4hrs (if something goes wrong w/ one of
> our manifests or the server, we'll probably notice it and stop it before too
> many servers get updated - for our purposes, we don't see any benefit to using
> an interval less than 4hrs. 4hrs is certainly sufficient for most common
> security updates and we also do not want to have normal updates impacting
> production performance during peak business hours - so 25% of servers updating
> every hour is perfect for us. ).
> b) Many of our servers, mostly the gentoo ones, only execute puppet when
> puppetrun is invoked either manually by systems administrators for the
> specific nodes they are reconfiguring or automatically as part of a nightly
> update systems maintenance cron job).
>
> Basically, puppet is extremely flexible w/ hardware, and it is likely your own
> preferences and production requirements will dictate the hardware needed
> rather than puppet itself.
>
> On Tuesday, May 10, 2011 06:04:22 am Panaman wrote:
>
> > I've been messing around with Puppet on a VM on my personal desktop.
> > It looks decent. I was wondering what kind of load this thing would
> > have managing about 400 nodes.
> > Does this thing require a beefy server?
>
> Matt
> --
> Matthew Marlowe / 858-400-7430 / DeployLinux Consulting, Inc
> Professional Linux Hosting and Systems Administration Services
> www.deploylinux.net * m...@deploylinux.net
> 'MattM' @ irc.freenode.net
Re: [Puppet Users] Re: Who uses the rrd graphing support?
On Thu, May 12, 2011 at 4:02 AM, Nigel Kersten wrote:
> I'd much prefer it if we could concentrate on Puppet providing awesome
> data sets for tools to graph rather than supporting something like the
> rrdgraph functionality. Having to install the supporting libraries all
> over the place doesn't feel right at all.
>

+1

--
$ echo "kpfmAdpoofdufevq/dp/vl" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
puppet-users@googlegroups.com
Hi,

Büro 2.0 [1] invites to a Grill&Barbecue on Friday evening due to Linuxtag [2]. Drinks and Food will be available. The Büro 2.0 team kindly asks for donations to cover expenses.

I have added a puppet meetup[3].

Looking forward to seeing you.

Address:
Büro 2.0
Weigandufer 45
12059 Berlin
http://www.openstreetmap.org/browse/node/800177727

Best,
Martin

[1] http://www.buero20.org/
[2] http://www.linuxtag.org/
[3] http://www.meetup.com/Puppet/Berlin-DE/
Re: [Puppet Users] Re: Who uses the rrd graphing support?
- Original Message -
> Anyone using it at all?
>
> I used too.. but the alternatives were much more appalling...
>
>
> That's quite an impressive typo!

I used to, then it broke in some release and I disabled it, never felt the need to re-enable it.
Re: [Puppet Users] Re: Who uses the rrd graphing support?
On 12 May 2011 08:01, Ohad Levy wrote:
>
>
>> Anyone using it at all?
>>
> I used too.. but the alternatives were much more appalling...
>

That's quite an impressive typo!

Chris
Re: [Puppet Users] how to add same ssh_key to two diff accounts
On Thu, 12 May 2011 09:59:21 +0200 Felix Frank wrote:

> On 05/11/2011 05:36 PM, Arnau Bria wrote:
> >> If you're keen to get it anyway, you may want to open a ticket.
> > I think I've already asked here... but I have an example where that
> > feature is really interesting: we have some user pool, about 1000
> > users, and I'd like to distribute one key to all those users. Why the
> > trivial workaround, I could do it, but with 1000 lines :-)
>
> That's just not true.
>
> You surely have some defined type for your users, no? Such as

Nop, we use an other software for creating those users. So, I must redefine each key for each user, and then my problem appears.

[...]
> my_user($fullname) {
>   user { "$name": fullname => $fullname, ... }
>   ssh_authorized_key { "key-for-$name":
>     user => $name,
>     key => "AAznbwet...",
>     ...
>   }
> }
> That's what I meant - the workaround is really *that* trivial.
>
> I'm quite sure you'll have a hard time finding a use case that really
> requires the authorized key resource to be effective for multiple
> target users.

From your example I think I can play with a false define for something else trivial and add my key there

> Regards,
> Felix

Cheers,
Arnau
Re: [Puppet Users] Security of Puppet ACLs..
On 05/12/2011 09:44 AM, Patrick wrote:
>
> On May 11, 2011, at 9:59 AM, Matt Wise wrote:
>
>> Can hostB make an arbitrary call to the puppet master requesting
>> "puppet:///passwd" even if its not a defined resource for that host?
>
> Simply: Yes
>
> Ways to stop this:
> 1) Include the file in "source" instead which embeds the file in the
> catalog.

What you meant to write was "content instead of source".

> 2) Use ACLs per module to stop that
> 3) Use a custom mount-point, and either define it's permissions, or else
> use some path munging so only the correct clients can get the file.
>
>
> Over all, "1" is almost always the easiest.

Yes, but it can bloat the catalog depending on the workload.

I've found (2) to be very effective. Puppet generates my auth.conf including ACLs.

Cheers,
Felix
Re: [Puppet Users] Re: extending puppet without hacking puppet
On 05/11/2011 01:50 AM, John Lyman wrote:
> You can set "noop => true" in the package resource and puppet won't
> actually change it, just log that it wants to change it.
>
> package { "httpd":
>   name=> "httpd",
>   ensure => "latest",
>   noop => true,
> }

Yes, but this will still not install the package when its missing altogether.
Re: [Puppet Users] how to add same ssh_key to two diff accounts
On 05/11/2011 05:36 PM, Arnau Bria wrote:
>> If you're keen to get it anyway, you may want to open a ticket.
> I think I've already asked here... but I have an example where that
> feature is really interesting: we have some user pool, about 1000
> users, and I'd like to distribute one key to all those users. Why the
> trivial workaround, I could do it, but with 1000 lines :-)

That's just not true.

You surely have some defined type for your users, no? Such as

    my_user($fullname) {
      user { "$name": fullname => $fullname, ... }
      ...
    }

You just add the key to that

    my_user($fullname) {
      user { "$name": fullname => $fullname, ... }
      ssh_authorized_key { "key-for-$name":
        user => $name,
        key => "AAznbwet...",
        ...
      }
    }

That's what I meant - the workaround is really *that* trivial.

I'm quite sure you'll have a hard time finding a use case that really requires the authorized key resource to be effective for multiple target users.

Regards,
Felix
Re: [Puppet Users] Security of Puppet ACLs..
On May 11, 2011, at 9:59 AM, Matt Wise wrote:

> Can hostB make an arbitrary call to the puppet master requesting
> "puppet:///passwd" even if its not a defined resource for that host?

Simply: Yes

Ways to stop this:
1) Include the file in "source" instead which embeds the file in the catalog.
2) Use ACLs per module to stop that
3) Use a custom mount-point, and either define its permissions, or else use some path munging so only the correct clients can get the file.

Over all, "1" is almost always the easiest.
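Added example, not part of any post in this thread: two of the mitigations listed above, written out as manifests. It shows the file embedded in the catalog with content (the wording Felix's reply gives for option 1) and a custom mount point with path munging (option 3). Hostnames, file paths and the mount name "private" are assumptions.

```puppet
# Added example; hostnames, paths and the "private" mount are assumptions.

# --- On the puppet master ---------------------------------------------
node 'puppet.example.com' {
  # Per-host store for sensitive files, one subdirectory per client FQDN,
  # e.g. /etc/puppet/private/hosta.example.com/api.key
  file { '/etc/puppet/private':
    ensure => directory,
    owner  => 'puppet',
    group  => 'puppet',
    mode   => '0750',
  }

  # Option 3: custom mount point with path munging. %H expands to the
  # FQDN from the requesting client's SSL certificate, so a request for
  # puppet:///private/api.key made by hostb can only resolve inside
  # /etc/puppet/private/hostb.example.com/, never inside hosta's directory.
  # This resource manages the whole file: add any mounts you already
  # have to the content string.
  file { '/etc/puppet/fileserver.conf':
    owner   => 'root',
    group   => 'puppet',
    mode    => '0640',
    content => "[private]\n  path /etc/puppet/private/%H\n  allow *\n",
  }
}

# --- On a client --------------------------------------------------------
node 'hosta.example.com' {
  # Option 1: content instead of source. file() is evaluated on the master
  # while hosta's catalog is compiled, so the bytes travel inside that
  # catalog and are never offered by the file server. The cost is a
  # larger catalog, as noted in the thread.
  file { '/etc/app/passwd':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => file('/etc/puppet/private/hosta.example.com/passwd'),
  }

  # Option 3, client side: the same source URL on every node, but each
  # node is served only from its own %H directory on the master.
  file { '/etc/app/api.key':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
    source => 'puppet:///private/api.key',
  }
}
```

A file that stays under a module's files directory remains fetchable by any authenticated node unless an ACL (option 2) restricts it, so sensitive files should be moved out of the module once one of these options is in place.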
Re: [Puppet Users] Re: Who uses the rrd graphing support?
On Thu, May 12, 2011 at 5:49 AM, Nigel Kersten wrote:
> On Tue, May 10, 2011 at 7:04 PM, Nigel Kersten
> wrote:
> > reports = rrdgraph
> >
> > http://docs.puppetlabs.com/references/2.6.8/report.html#rrdgraph
> >
> > Is this widely used? We're trying to work out whether this is a
> > feature that people are still using, or whether other parts of the
> > reporting infrastructure have come to replace it.
>
> Anyone using it at all?
>

I used too.. but the alternatives were much more appalling...

Ohad