Re: [Puppet Users] Re: Who uses the rrd graphing support?
On Thu, May 12, 2011 at 5:49 AM, Nigel Kersten ni...@puppetlabs.com wrote:

On Tue, May 10, 2011 at 7:04 PM, Nigel Kersten ni...@puppetlabs.com wrote:

reports = rrdgraph
http://docs.puppetlabs.com/references/2.6.8/report.html#rrdgraph

Is this widely used? We're trying to work out whether this is a feature that people are still using, or whether other parts of the reporting infrastructure have come to replace it.

Anyone using it at all?

I used to.. but the alternatives were much more appalling...

Ohad

--
You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] how to add same ssh_key to two diff accounts
On 05/11/2011 05:36 PM, Arnau Bria wrote:

If you're keen to get it anyway, you may want to open a ticket.

I think I've already asked here... but I have an example where that feature is really interesting: we have some user pool, about 1000 users, and I'd like to distribute one key to all those users. Why the trivial workaround, I could do it, but with 1000 lines :-)

That's just not true. You surely have some defined type for your users, no? Such as

    define my_user($fullname) {
      user { $name:
        fullname => $fullname,
        ...
      }
      ...
    }

You just add the key to that

    define my_user($fullname) {
      user { $name:
        fullname => $fullname,
        ...
      }
      ssh_authorized_key { "key-for-$name":
        user => $name,
        key  => "AAznbwet...",
        ...
      }
    }

That's what I meant - the workaround is really *that* trivial. I'm quite sure you'll have a hard time finding a use case that really requires the authorized key resource to be effective for multiple target users.

Regards, Felix
Re: [Puppet Users] Re: extending puppet without hacking puppet
On 05/11/2011 01:50 AM, John Lyman wrote:

You can set noop => true in the package resource and puppet won't actually change it, just log that it wants to change it.

    package { 'httpd':
      name   => 'httpd',
      ensure => latest,
      noop   => true,
    }

Yes, but this will still not install the package when it's missing altogether.
Re: [Puppet Users] Security of Puppet ACLs..
On 05/12/2011 09:44 AM, Patrick wrote:

On May 11, 2011, at 9:59 AM, Matt Wise wrote:

Can hostB make an arbitrary call to the puppet master requesting puppet:///passwd even if it's not a defined resource for that host?

Simply: Yes

Ways to stop this:

1) Include the file in source instead which embeds the file in the catalog.

What you meant to write was content instead of source.

2) Use ACLs per module to stop that

3) Use a custom mount-point, and either define its permissions, or else use some path munging so only the correct clients can get the file.

Over all, 1 is almost always the easiest.

Yes, but it can bloat the catalog depending on the workload. I've found (2) to be very effective. Puppet generates my auth.conf including ACLs.

Cheers, Felix
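A simplified model of option 2 above (per-module ACLs in auth.conf), added here as an example that is not from the thread or from Puppet's own code. It assumes rules are tried in file order with the first matching path deciding, that every request is already authenticated, and it handles only the path and allow directives; the module name secrets_hosta, the host names and the three auth.conf fragments are constructed.

```python
import re

# Constructed node names and request path (assumptions, not from the thread).
HOST_A = "hosta.example.com"
HOST_B = "hostb.example.com"
# Assumed request path for puppet:///modules/secrets_hosta/passwd,
# written the way auth.conf sees it (without the environment prefix).
SECRET = "/file_content/modules/secrets_hosta/passwd"

# Weak: one catch-all rule, every node may fetch every served file.
DEFAULT_CONF = """\
path /file
allow *
"""

# Corrected: the per-module rule comes first, then the catch-all.
HARDENED_CONF = """\
path ~ ^/file_(metadata|content)/modules/secrets_hosta/
auth yes
allow hosta.example.com

path /file
allow *
"""

# Failure mode: same rules, but the catch-all shadows the specific one.
MISORDERED_CONF = """\
path /file
allow *

path ~ ^/file_(metadata|content)/modules/secrets_hosta/
auth yes
allow hosta.example.com
"""


def parse_rules(text):
    """Return the 'path' stanzas of an auth.conf fragment in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        value = value.strip()
        if keyword == "path":
            if value.startswith("~"):
                pattern = re.compile(value[1:].strip())   # regex path
            else:
                pattern = re.compile("^" + re.escape(value))  # prefix path
            rules.append({"pattern": pattern, "allow": []})
        elif keyword == "allow":
            if not rules:
                raise ValueError("'allow' before any 'path' stanza")
            rules[-1]["allow"].extend(v.strip() for v in value.split(","))
        # Other directives (auth, method, environment) are not modelled.
    return rules


def host_matches(pattern, host):
    """Match '*', '*.domain' or an exact host name, case-insensitively."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def is_allowed(rules, host, path):
    """First rule whose path matches decides; no match means deny."""
    for rule in rules:
        if rule["pattern"].search(path):
            return any(host_matches(p, host) for p in rule["allow"])
    return False


def who_can_fetch(conf_text, path, hosts=(HOST_A, HOST_B)):
    """List the hosts that the given auth.conf text lets fetch `path`."""
    rules = parse_rules(conf_text)
    return [h for h in hosts if is_allowed(rules, h, path)]


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF),
                       ("hardened", HARDENED_CONF),
                       ("misordered", MISORDERED_CONF)):
        print(name, "->", who_can_fetch(conf, SECRET))
```

Running it against the three fragments shows which nodes can read the host-specific file, including the case where the restrictive stanza is present but placed after the catch-all.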
Re: [Puppet Users] how to add same ssh_key to two diff accounts
On Thu, 12 May 2011 09:59:21 +0200 Felix Frank wrote:

On 05/11/2011 05:36 PM, Arnau Bria wrote:

If you're keen to get it anyway, you may want to open a ticket.

I think I've already asked here... but I have an example where that feature is really interesting: we have some user pool, about 1000 users, and I'd like to distribute one key to all those users. Why the trivial workaround, I could do it, but with 1000 lines :-)

That's just not true. You surely have some defined type for your users, no? Such as

Nop, we use another software for creating those users. So, I must redefine each key for each user, and then my problem appears.

[...]

    define my_user($fullname) {
      user { $name:
        fullname => $fullname,
        ...
      }
      ssh_authorized_key { "key-for-$name":
        user => $name,
        key  => "AAznbwet...",
        ...
      }
    }

That's what I meant - the workaround is really *that* trivial. I'm quite sure you'll have a hard time finding a use case that really requires the authorized key resource to be effective for multiple target users.

From your example I think I can play with a false define for something else trivial and add my key there

Regards, Felix

Cheers, Arnau
Re: [Puppet Users] Re: Who uses the rrd graphing support?
On Thu, May 12, 2011 at 4:02 AM, Nigel Kersten ni...@puppetlabs.com wrote:

I'd much prefer it if we could concentrate on Puppet providing awesome data sets for tools to graph rather than supporting something like the rrdgraph functionality. Having to install the supporting libraries all over the place doesn't feel right at all.

+1

--
$ echo kpfmAdpoofdufevq/dp/vl | perl -pe 's/(.)/chr(ord($1)-1)/ge'
[Puppet Users] Re: Puppet Master System Requirements
I'm on the extremely small scale end from what has been previously described, but this could prove useful to those who want to manage a small number of hosts and are curious how little they need to run Puppet. I've just begun using Puppet, and so only have 10 hosts right now, but here's what I'm running...

CentOS 5.6 x64 VMware ESXi virtual machine
- 512MB RAM
- 1 x 2.33GHz CPU
- Paravirtual

Roles are...
- Puppetmaster
- puppet-dashboard w/ mysql apache + passenger
- local yum repo over http
- OSSEC server.

- Trey

According to zabbix my system averages about .20 CPU load over 15 minute average. I occasionally peak 1.0 but that's typically when I'm running puppet manually very rapidly during testing. Memory usage is about 70% on average.

On May 11, 12:41 am, Matthew Marlowe m...@deploylinux.net wrote:

Keep in mind that there are many ways to run puppet. We manage ~100 nodes with just a single puppet master running within a gentoo VM w/ only single cpu core and 2GB ram. Catalog compile times average under 0.6 seconds. This is also w/ web brick. The puppet master VM also serves as a master nfs server and gentoo build server. That's a lot of stuff on a single small VM, but it works perfectly for us because:

a) our default puppet run interval is 4hrs (if something goes wrong w/ one of our manifests or the server, we'll probably notice it and stop it before too many servers get updated - for our purposes, we don't see any benefit to using an interval less than 4hrs. 4hrs is certainly sufficient for most common security updates and we also do not want to have normal updates impacting production performance during peak business hours - so 25% of servers updating every hour is perfect for us. ).

b) Many of our servers, mostly the gentoo ones, only execute puppet when puppetrun is invoked either manually by systems administrators for the specific nodes they are reconfiguring or automatically as part of a nightly update systems maintenance cron job).

Basically, puppet is extremely flexible w/ hardware, and it is likely your own preferences and production requirements will dictate the hardware needed rather than puppet itself.

On Tuesday, May 10, 2011 06:04:22 am Panaman wrote:

I've been messing around with Puppet on a VM on my personal desktop. It looks decent. I was wondering what kind of load this thing would have managing about 400 nodes. Does this thing require a beefy server?

Matt

--
Matthew Marlowe / 858-400-7430 / DeployLinux Consulting, Inc
Professional Linux Hosting and Systems Administration Services
www.deploylinux.net * m...@deploylinux.net
'MattM' @ irc.freenode.net
Re: [Puppet Users] Sending an email if an action happens
On 11.05.2011 18:06, Calum wrote:

On 11 May 2011 15:49, Ohad Levy ohadl...@gmail.com wrote:

You can use tagmail report, or use something like foreman to do it for you.

Ohad

Thanks - I'll look into those. I was more meaning something like:

    file { "/etc/ntp.conf":
      owner    => root,
      group    => root,
      mode     => 644,
      source   => "puppet:///modules/ntp/ntp.conf.2011-05-06",
      require  => Package[ntp],
      onchange => exec(mail .),
    }

or something like that.

You almost gave yourself the answer. :) Check the refreshonly parameter for the exec type ;) But this seems more of a hack to me, so take it as you wish.

Silviu
Re: [Puppet Users] Sending an email if an action happens
On Thu, May 12, 2011 at 5:13 AM, Silviu Paragina sil...@paragina.ro wrote:

On 11.05.2011 18:06, Calum wrote:

On 11 May 2011 15:49, Ohad Levy ohadl...@gmail.com wrote:

You can use tagmail report, or use something like foreman to do it for you.

Ohad

Thanks - I'll look into those. I was more meaning something like:

    file { "/etc/ntp.conf":
      owner    => root,
      group    => root,
      mode     => 644,
      source   => "puppet:///modules/ntp/ntp.conf.2011-05-06",
      require  => Package[ntp],
      onchange => exec(mail .),
    }

or something like that.

You almost gave yourself the answer. :) Check the refreshonly parameter for the exec type ;) But this seems more of a hack to me, so take it as you wish.

Back to Ohad's recommendation. If you have several resources that you need to receive email alerts upon resource changes, use tagmail report functionality.

1. Add the metaparameter tag => send_me_email (or any arbitrary set of tag values) to the resource you want to monitor via email.
2. Enable reports = tagmail in puppet.conf [master] section,
3. In tagmap conf set tag and email address: send_me_email: admin@...

Thanks, Nan
Re: [Puppet Users] Sending an email if an action happens
On 12 May 2011 11:13, Silviu Paragina sil...@paragina.ro wrote:

You almost gave yourself the answer. :) Check the refreshonly parameter for the exec type ;)

Perfect. Just what I wanted. The reporting looked too much for what we wanted, for now, anyway. Many thanks.
Re: [Puppet Users] Re: extending puppet without hacking puppet
On Thu, May 12, 2011 at 3:06 AM, Felix Frank felix.fr...@alumni.tu-berlin.de wrote:

On 05/11/2011 01:50 AM, John Lyman wrote:

You can set noop => true in the package resource and puppet won't actually change it, just log that it wants to change it.

    package { 'httpd':
      name   => 'httpd',
      ensure => latest,
      noop   => true,
    }

Yes, but this will still not install the package when it's missing altogether.

I've had previous discussion about how to do this, and originally we wanted to abuse facter to upload the package into inventory, but it's not ideal for many reasons. You can use puppet inspect (2.6.5) to audit the package version separately from your puppet run, or use puppet resource package to get all package versions on the system. However, you need to upload the audit results and parse the results.

This is another crack at this issue, create a separate puppet environment (I'm calling it checkpackage) with one difference in site.pp, keep the rest of your manifests/modules the same:

    Package <| |> { ensure => latest, noop => true, tag => check }

On the client run against this new environment with tags check:

    puppet agent -t --environment checkpackage --tags check

Here's a test manifest and you'll see the difference if you comment/uncomment the first line:

    Package <| |> { ensure => latest, noop => true, tag => check }

    class packages {
      package { 'yum':
        ensure => present,
      }
      exec { '/bin/echo foo': }
    }

    include packages

    $ puppet apply --tags check test.pp
    notice: /Stage[main]/Packages/Package[yum]/ensure: is 3.2.22-26.el5.centos, should be 3.2.22-33.el5.centos (noop)

Thanks, Nan
[Puppet Users] Re: multiple resources overrides
On May 11, 4:27 pm, Jeff McCune j...@puppetlabs.com wrote:

On Wed, May 11, 2011 at 12:17 AM, Julien Garet julien.ga...@inria.fr wrote:

Hello, I am facing a strange behaviour with exported resources overriding in 0.25.5 (CentOS). I am using nagios with exported resources. In my base class, I define a hostgroup by default for all nodes. In an apache vhost define, I override this hostgroup to a value common to all webservers. This works. But in another class, I use apache vhost define but I want to override another time the hostgroup to set it to another value. This does not work, the hostgroup for the host is set to the one for apache vhosts. Is there a way to tell that the last resource override should happen after the apache vhost define is applied ?

Unfortunately there isn't. The feature you're using to override resources is actually a bit of an unintended consequence of another feature added to Puppet in 0.25.5.

I consider that unfortunate only insomuch as it makes the OP's life more difficult. In general, Puppet does not like it when you make contradictory declarations about a node, and I am happy to have it that way. Even when 2.7 makes the result of evaluation of such a manifest deterministic, *relying* on that evaluation order to resolve conflicts will still be a poor idea. What I consider unfortunate here is that Puppet does not raise an error when an attempt is made to perform conflicting overrides.

In Puppet 2.7, the order these resources will be evaluated in will be guaranteed to be deterministic, so this will help with testing and staging into pre-production, but currently the best practice is to not override the same parameter using the collection syntax.

And that will remain the best practice for the foreseeable future, as far as I am concerned.

Speaking of deterministic evaluation, just how stable is it going to be? That is, it's one thing for ordering to be consistent for a particular set of manifests, but what will happen when the manifests are modified? How will ordering be affected by manifest changes?

John
[Puppet Users] Variable scoping / best practice
Hey there,

I have the following class that defines an array:

    class iptables::hyperion {
      $system_ips = [ 'ip', 'ip', 'ip', ... ]
    }

To use this variable in a template, I'm setting it to a 'local' variable in the node definition:

    node 'mynode' inherits basenode {
      include iptables::hyperion
      $system_ips = $iptables::hyperion::system_ips
      class { 'iptables':
        fragments => [ 'hyperion.erb' ]
      }
    }

I can then access and use $system_ips in a template for that node (in this case, 'hyperion.erb').

Does this fit a common pattern? I know that in a template you can use 'scope.lookupvar('var')'. Should I be using said function in the template to access $iptables::hyperion::system_ips, instead of reassigning it in the node definition?
Re: [Puppet Users] variable scope for templates
Hi,

the issue is related to how scoping works for nodes in Puppet. The variable defined in your child nodes is not accessible from within the basenode node and is thus not available in its included classes. In order for the variable to be available to the template, you would have to move the include ntp call to the child classes.

This is one of the main reasons that people wind up using either an external node classifier or extlookup for modeling data.

regards, Dan

On Thu, May 12, 2011 at 7:43 AM, andreash hilb...@gmail.com wrote:

I have the following nodes definitions:

    node basenode {
      include hosts
      include ntp
      include resolvconf
    }

    node 'dom1.mydomain.com' inherits basenode {
      $ntp_role = "SERVER"
    }

    node 'stove1.mydomain.com' inherits basenode {
      $ntp_role = "CLIENT"
    }

in the ntp class, the ntpd.conf file template looks like this:

    <% if ntp_role == "SERVER" %>
    listen on <%= ntp_server %>
    server ptbtime1.ptb.de
    server ptbtime2.ptb.de
    server ptbtime3.ptb.de
    <% elsif ntp_role == "CLIENT" %>
    <% ntp_servers.each do |ntp_server| -%>
    server <%= ntp_server %>
    <% end %>
    <% end %>

However, on both clients, I get the error

    Failed to parse template ntp/ntpd.conf.erb: Could not find value for 'ntp_role' at /etc/puppet/modules/ntp/manifests/init.pp:17 on node stove1.mydomain.com.

What am I doing wrong here?

Cheers, Andreas
Re: [Puppet Users] how to add same ssh_key to two diff accounts
On Wed, May 11, 2011 at 05:36:26PM +0200, Arnau Bria wrote:

I think I've already asked here... but I have an example where that feature is really interesting: we have some user pool, about 1000 users, and I'd like to distribute one key to all those users. Why the trivial workaround, I could do it, but with 1000 lines :-) so, I'll open a ticket and pray for developers finding it interesting too.

One key for more than one user (e.g. an array for users) is really hard to implement the right way: When puppet parses the keyfiles of different users, puppet just creates one pool of keys. Puppet identifies a key by its name (=comment) NOT by the target. So one key has to be unique across all your keyfiles. That means puppet can also move one entry from one file to another:

Simple test with the host type:

    puppet apply -v --noop -e 'host { "localhost": target => "/tmp/test" }'
    info: Applying configuration version '1305216426'
    notice: /Stage[main]//Host[localhost]/target: is /etc/hosts, should be /tmp/test (noop)

Because one key has to have a unique name, one could argue that puppet should allow an array as a value for target (or user). But that just raises other issues: Imagine you have the following:

    ssh_authorized_key { 'testkey':
      ensure => present,
      key    => 'A',
      user   => ['userA', 'userB' ]
    }

What should puppet report when in userA's keyfile the keyproperty is out of sync (let's say key = 'X') while the key in userB's keyfile is correct? maybe something like

    Ssh_authorized_key[testkey]/key: is 'X', should be 'A' but only for 'userA' because for 'userB' key is correctly set to 'A'

So in my opinion the biggest problem with managing a resource for a whole bunch of users at the same time is the problem that you now have more than one is-value.

-Stefan
[Puppet Users] Re: multiple resources overrides
On May 12, 6:10 am, jcbollinger john.bollin...@stjude.org wrote:

Speaking of deterministic evaluation, just how stable is it going to be? That is, it's one thing for ordering to be consistent for a particular set of manifests, but what will happen when the manifests are modified? How will ordering be affected by manifest changes?

You can read more about the design here, but basically: in an edited manifest, any two resources that HAVEN'T been changed (and which don't depend on things that have been changed) will have the same order relative to each other.
[Puppet Users] Re: multiple resources overrides
On May 12, 11:32 am, Nick Fagerlund nick.fagerl...@puppetlabs.com wrote:

You can read more about the design here...

Wow, self, way to not post that link.

http://projects.puppetlabs.com/issues/6911
[Puppet Users] puppet client not receiving cert
hello list!!

I'm having an issue where a client is not receiving its cert

    [root@ec2-50-16-98-245 ~]# puppetd -t --waitforcert 15 --server puppet.example.net
    info: Creating a new SSL key for ec2-xx-xx-xx-xxx.compute-1.amazonaws.com
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for ca
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    info: Creating a new SSL certificate request for ec2-xx-xx-xx-xxx.compute-1.amazonaws.com
    info: Certificate Request fingerprint (md5): 93:17:4C:99:18:B9:8C:68:4E:2A:89:76:A4:28:04:81
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    notice: Did not receive certificate

although the server is running and listening on 8140

    [root@puppet ~]# lsof -i :8140
    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    puppetmas 1694 puppet 7u IPv4 7222 TCP *:8140 (LISTEN)

and nmap confirms port is open

    Starting Nmap 5.21 ( http://nmap.org ) at 2011-05-12 14:50 EDT
    Nmap scan report for puppet.example.net (xx.xx.xxx.xxx)
    Host is up (0.014s latency).
    rDNS record for xx.xx.xxx.xxx: ec2-xx-xx-xxx-xxx.compute-1.amazonaws.com
    PORT STATE SERVICE
    8140/tcp open unknown
    Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

http is running

    [root@puppet puppet]# service httpd status
    httpd (pid 3606) is running...

but the only errors I see are 404's

the only logs in the /var/log/masterhttp.log

    [2011-05-12 15:35:54] - - /production/certificate/portero-fs.ec2.internal
    [2011-05-12 15:35:55] ec2-xx-xx-xxx-xxx.compute-1.amazonaws.com - - [12/May/2011:15:35:55 EDT] GET /production/certificate/ec2-xx-xx-xxx-xxx.compute-1.amazonaws.com HTTP/1.1 404

but the puppet client runs well on the puppet server itself...

    [root@puppet puppet]# puppetd -t
    info: Loading facts in mysql
    info: Loading facts in configured_ntp_servers
    info: Loading facts in mysql
    info: Loading facts in configured_ntp_servers
    info: Caching catalog for puppet.acadaca.net
    info: /Stage[main]/Centos/Tidy[/var/lib/amanda]: File does not exist
    info: /Stage[main]/Centos/Tidy[/etc/yum.repos.d/c5-media.repo]: File does not exist
    info: /Stage[main]/Centos/Tidy[/etc/yum.repos.d/CentOS.repo]: File does not exist
    info: /Stage[main]/Apache/Tidy[/etc/httpd/conf.d/ssl.conf]: File does not exist
    info: Applying configuration version '1305227995'
    notice: /Stage[main]/Centos/Exec[import dag key]/returns: executed successfully
    notice: /Stage[main]/Centos/Exec[import webtatic key]/returns: executed successfully
    notice: /Stage[main]/Centos/Exec[import remi key]/returns: executed successfully
    notice: Finished catalog run in 4.84 seconds

I would appreciate any advice you may have...

thanks!
tim

--
GPG me!! gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
[Puppet Users] Re: puppet client not receiving cert
Hi Tim,

Perhaps I am missing something in your output. There may be some actions implied that you took but were not shown. So excuse me if I am misunderstanding something.

Did you take any actions on the server side while you were running 'puppetd -t --waitforcert 15 --server puppet.example.net'? What I see is you had the client send a certificate to the master in order to be signed, and when it was not signed in the amount of time you specified the client gave up. Did you use 'puppetca' on the server side to sign the certificate? If not, what you see is the expected behavior, as nothing would be sent back if it was not signed.

Marius
Shermans Travel Media LLC.

On May 12, 3:39 pm, Tim Dunphy bluethu...@gmail.com wrote:

hello list!!

I'm having an issue where a client is not receiving it's cert

    [root@ec2-50-16-98-245 ~]# puppetd -t --waitforcert 15 --server puppet.example.net
    info: Creating a new SSL key for ec2-xx-xx-xx-xxx.compute-1.amazonaws.com
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for ca
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    info: Creating a new SSL certificate request for ec2-xx-xx-xx-xxx.compute-1.amazonaws.com
    info: Certificate Request fingerprint (md5): 93:17:4C:99:18:B9:8C:68:4E:2A:89:76:A4:28:04:81
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    notice: Did not receive certificate

although the server is running and listening on 8140

    [root@puppet ~]# lsof -i :8140
    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    puppetmas 1694 puppet 7u IPv4 7222 TCP *:8140 (LISTEN)

and nmap confirms port is open

    Starting Nmap 5.21 (http://nmap.org) at 2011-05-12 14:50 EDT
    Nmap scan report for puppet.example.net (xx.xx.xxx.xxx)
    Host is up (0.014s latency).
    rDNS record for xx.xx.xxx.xxx: ec2-xx-xx-xxx-xxx.compute-1.amazonaws.com
    PORT STATE SERVICE
    8140/tcp open unknown
    Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

http is running

    [root@puppet puppet]# service httpd status
    httpd (pid 3606) is running...

but the only errors I see are 404's

the only logs in the /var/log/masterhttp.log

    [2011-05-12 15:35:54] - - /production/certificate/portero-fs.ec2.internal
    [2011-05-12 15:35:55] ec2-xx-xx-xxx-xxx.compute-1.amazonaws.com - - [12/May/2011:15:35:55 EDT] GET /production/certificate/ec2-xx-xx-xxx-xxx.compute-1.amazonaws.com HTTP/1.1 404

but the puppet client runs well on the puppet server itself...

    [root@puppet puppet]# puppetd -t
    info: Loading facts in mysql
    info: Loading facts in configured_ntp_servers
    info: Loading facts in mysql
    info: Loading facts in configured_ntp_servers
    info: Caching catalog for puppet.acadaca.net
    info: /Stage[main]/Centos/Tidy[/var/lib/amanda]: File does not exist
    info: /Stage[main]/Centos/Tidy[/etc/yum.repos.d/c5-media.repo]: File does not exist
    info: /Stage[main]/Centos/Tidy[/etc/yum.repos.d/CentOS.repo]: File does not exist
    info: /Stage[main]/Apache/Tidy[/etc/httpd/conf.d/ssl.conf]: File does not exist
    info: Applying configuration version '1305227995'
    notice: /Stage[main]/Centos/Exec[import dag key]/returns: executed successfully
    notice: /Stage[main]/Centos/Exec[import webtatic key]/returns: executed successfully
    notice: /Stage[main]/Centos/Exec[import remi key]/returns: executed successfully
    notice: Finished catalog run in 4.84 seconds

I would appreciate any advice you may have...

thanks!
tim

--
GPG me!! gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
Re: [Puppet Users] Re: Who uses the rrd graphing support?
+1 from us too

On 12/05/2011, at 7:40 PM, joel.merr...@gmail.com joel.merr...@gmail.com wrote:

On Thu, May 12, 2011 at 4:02 AM, Nigel Kersten ni...@puppetlabs.com wrote:

I'd much prefer it if we could concentrate on Puppet providing awesome data sets for tools to graph rather than supporting something like the rrdgraph functionality. Having to install the supporting libraries all over the place doesn't feel right at all.

+1

--
$ echo kpfmAdpoofdufevq/dp/vl | perl -pe 's/(.)/chr(ord($1)-1)/ge'
[Puppet Users] array being concatenated
Having issues trying to create the same symlink for multiple web sites.

This is my class:

class assoc_symlinks {
  $assocs=[ "asecs", "mgsa", "athe" ]

  define create_assoc_symlinks() {
    file {"/www/domains/${name}.press.jhu.edu/cgi-bin/membership_directory.cgi":
      ensure => symlink,
      target => "/www/shared/cgi-bin/membership_directory.cgi",
      owner  => "apache",
      group  => "apache",
      mode   => 2775,
    }
  }

  create_assoc_symlinks { "$assocs": }
}

Then I call it in my nodes.pp file as

include assoc_symlinks

When I run puppet, it gives me this error:

Thu May 12 14:14:57 -0400 2011 //Node[adv01jh]/Assoc_symlinks[asecsmgsaathe]/File[/www/domains/asecsmgsaathe.press.jhu.edu/cgi-bin/membership_directory.cgi]/ensure (err): change from absent to link failed: Could not set link on ensure: No such file or directory - /www/domains/asecsmgsaathe.press.jhu.edu/cgi-bin at /etc/puppet/manifests/classes/assoc_symlinks.pp:8

As you can see, it is combining my $assocs array into one string, instead of iterating through it as an array. Any suggestions would be great as I am relatively new and have only been using puppet for a month or 2 now.

Thanks,
Thom
Re: [Puppet Users] Custom facts in modules
On May 12, 2011, at 1:44 PM, g h wrote:

> I am having trouble getting custom facts to be read in my puppet
> config. Also, for some reason the facter command is looking in the
> ./facter directory when I run it; so if I run facter from within my
> module directory's lib folder, I can get the output. How can I get
> facter to read modules? Relevant output is below. Thanks!
>
> [root@puppet facter]# pwd
> /etc/puppet/modules/nsc-puppet-utils/lib/facter
> [root@puppet facter]# cat dns_servers.rb
> q = 1
> ` grep '^[ \t]*nameserver' /etc/resolv.conf | awk '{print $2}' `.each do |line|
>   Facter.add( "dns" + q.to_s ) do
>     setcode { line }
>   end
>   q = q+1
> end
> [root@puppet facter]# facter | grep dns
> [root@puppet facter]# cd ..
> [root@puppet lib]# pwd
> /etc/puppet/modules/nsc-puppet-utils/lib
> [root@puppet lib]# facter | grep dns
> dns1 = 172.30.0.53
> dns2 = 172.30.0.54
> [root@puppet lib]# strace -f facter 2>&1 | grep dns_servers
> stat64(./facter/dns_servers.rb, {st_mode=S_IFREG|0644, st_size=172, ...}) = 0
> open(./facter/dns_servers.rb, O_RDONLY|O_LARGEFILE) = 3
> open(./facter/dns_servers.rb, O_RDONLY|O_LARGEFILE) = 3
> open(./facter/dns_servers.rb, O_RDONLY|O_LARGEFILE) = 3
> [root@puppet nsc-puppet-utils]# cat /etc/puppet/puppet.conf
> [main]
>     # The Puppet log directory.
>     # The default value is '$vardir/log'.
>     logdir = /var/log/puppet
>
>     # Where Puppet PID files are kept.
>     # The default value is '$vardir/run'.
>     rundir = /var/run/puppet
>
>     # Where SSL certificates are kept.
>     # The default value is '$confdir/ssl'.
>     ssldir = $vardir/ssl
>     pluginsync = true
>     templatedir = $confdir/templates
>     pluginsync = true
>     factsync = true
>
> [master]
>     modulepath = $confdir/modules
>     manifestdir = $confdir/manifests
>     manifest = $confdir/manifests/site.pp
>     autosign = true
>
> [agent]
>     # The file in which puppetd stores a list of the classes
>     # associated with the retrieved configuratiion. Can be loaded in
>     # the separate ``puppet`` executable using the ``--loadclasses``
>     # option.
>     # The default value is '$confdir/classes.txt'.
>     classfile = $vardir/classes.txt
>
>     # Where puppetd caches the local configuration. An
>     # extension indicating the cache format is added automatically.
>     # The default value is '$confdir/localconfig'.
>     localconfig = $vardir/localconfig

1) You have pluginsync = true twice, but I assume this doesn't matter.

2) I believe factsync is deprecated now, and pluginsync is enough in more modern versions of puppet.

3) What version of puppet are you using on the client?

4) Are the client and server the same computer? Your output seems to imply they are.

5) What does

   find /var/lib/puppet -name dns_servers.rb

   give you? (This path might not be the correct one if you're NOT using a Debian based server. If so, this should give you the right path:

   puppet --genconfig | grep 'vardir ='
   )
Re: [Puppet Users] array being concatenated
On Thu, May 12, 2011 at 6:21 PM, tjmaszc t...@muse.jhu.edu wrote:

> Having issues trying to create the same symlink for multiple web sites.
>
> This is my class:
>
> class assoc_symlinks {
>   $assocs=[ "asecs", "mgsa", "athe" ]
>
>   define create_assoc_symlinks() {
>     file {"/www/domains/${name}.press.jhu.edu/cgi-bin/membership_directory.cgi":
>       ensure => symlink,
>       target => "/www/shared/cgi-bin/membership_directory.cgi",
>       owner  => "apache",
>       group  => "apache",
>       mode   => 2775,
>     }
>   }
>
>   create_assoc_symlinks { "$assocs": }

Don't quote the array. If you do quote it, Puppet sees it as a string ['one', 'two'] rather than the array [one, two].

> }
>
> Then I call it in my nodes.pp file as
>
> include assoc_symlinks
>
> When I run puppet, it gives me this error:
>
> Thu May 12 14:14:57 -0400 2011 //Node[adv01jh]/Assoc_symlinks[asecsmgsaathe]/File[/www/domains/asecsmgsaathe.press.jhu.edu/cgi-bin/membership_directory.cgi]/ensure (err): change from absent to link failed: Could not set link on ensure: No such file or directory - /www/domains/asecsmgsaathe.press.jhu.edu/cgi-bin at /etc/puppet/manifests/classes/assoc_symlinks.pp:8
>
> As you can see, it is combining my $assocs array into one string,
> instead of iterating through it as an array. Any suggestions would be
> great as I am relatively new and only been using puppet for a month or
> 2 now.
>
> Thanks,
> Thom

--
Nigel Kersten
Product, Puppet Labs
@nigelkersten
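The quoted and unquoted resource titles discussed in the reply above, side by side, as an added example that is not part of the original thread. The class, define and paths are the ones from the question; the string quoting and `=>` arrows follow Puppet 2.6-era syntax and are assumptions about the poster's actual file.

```puppet
# Added example, not the poster's manifest (Puppet 2.6-era syntax assumed).
class assoc_symlinks {
  $assocs = [ 'asecs', 'mgsa', 'athe' ]

  define create_assoc_symlinks() {
    # $name is the resource title, so every array element gets its own path.
    file { "/www/domains/${name}.press.jhu.edu/cgi-bin/membership_directory.cgi":
      ensure => symlink,
      target => '/www/shared/cgi-bin/membership_directory.cgi',
      owner  => 'apache',
      group  => 'apache',
      mode   => 2775,
    }
  }

  # Quoted title: the array is interpolated into ONE string, "asecsmgsaathe",
  # so a single resource is declared and its parent directory does not exist.
  # This is the form that produces the error in the thread.
  # create_assoc_symlinks { "$assocs": }

  # Unquoted title: the array is passed through unchanged and Puppet declares
  # one create_assoc_symlinks resource per element (asecs, mgsa, athe).
  create_assoc_symlinks { $assocs: }
}
```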
Re: [Puppet Users] Security of Puppet ACLs..
That's an interesting one for a few points.. how is the uniqueid generated?

On May 12, 2011, at 6:15 PM, Larry Ludwig wrote:

> 4) reference the file via the facter 'uniqueid'