[Puppet Users] Re: Seperate CA's/Master behind load balancer

2011-12-19 Thread ollies...@googlemail.com
Thanks,

On our older infrastructure if we wanted to scale out we just copied
the ssldir and changed the filenames to the FQDN of the new master
server. certdnsnames would be wildcarded.

Now using 2.7.9 how do we do certificates so we could scale out
horizontally from behind this loadbalancer ?

Trying this approach leads now to this:-

# puppet cert --list --all
warning: The `certdnsnames` setting is no longer functional,
after CVE-2011-3872. We ignore the value completely.

For your own certificate request you can set `dns_alt_names` in the
configuration and it will apply locally.  There is no configuration option to
set DNS alt names, or any other `subjectAltName` value, for another nodes
certificate.

Alternately you can use the `--dns_alt_names` command line option to set the
labels added while generating your own CSR.
-  (FA:C4:68:C1:30:E2:95:9E:48:AB:ED:E4:A7:BF:3F:19)
(certificate signature failure)

Going around in circles somewhat trying to get a modern puppet setup
with a potential to scale horizontally.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.



[Puppet Users] Re: How to change the time interval in dashboard for a node is considered unresponsive

2011-12-19 Thread Antonio Xanxess
Hi Martin,

Thank you very much for the information, I had not noticed that there
was this file, I have it as .example

Thank you very much, Best regards! ;)

On 16 Dec, 15:19, Martin Willemsma wrote:
> Hi Antonio,
>
> I believe this is the setting you're looking for:
>
> In /config/settings.yml:
>
> # Amount of time in seconds since last report before a node is considered no longer reporting
> no_longer_reporting_cutoff: 144000
>
> restart dashboard
>
> Regards,
>
> Martin
>
> 2011/12/16 Antonio Xanxess :
>
> > Hi everyone,
>
> > I have a problem with puppet-dashboard because I appear unresponsive
> > when many nodes are running correctly.
> > In my current configuration nodes do not run the daemon, but I have
> > created a cron task that runs once the command puppetd at hourly
> > intervals.
> > The point is that when I look into dashboard many nodes are always
> > considered unresponsive because it seems that the default dashboard
> > node also adds the label after one hour.
> > My question is: Where you can change the time interval of a node to be
> > considered unresponsive?
>
> > Thank you all in advance.
>
> > Regards!




[Puppet Users] Hosting the user password only, not the .bashrc and -bash_profile files

2011-12-19 Thread Kenneth Holter
Hi all,


We have a number of servers on which user "admin" exists, and that have
manual modifications to its bashrc and bash_profile files. What I'd
like to do is to host its user password from puppet master, but not
the bash-files.

I tried this (we're running Puppet Enterprise 2):

-- code start --
pe_accounts::user { 'admin':
  password => "encrypted_password_here",
}
-- code end --

but found that puppetmaster overwrites the user's bash-files. So
either I will have to start hosting the bash-files (which I'd like not
to at the moment), or I must find a way to only change the admin
password.

Does anyone know how I get puppet to _not_ overwrite the bash-file,
and only host the user's password?


Best regards,
Kenneth




Re: [Puppet Users] Hosting the user password only, not the .bashrc and -bash_profile files

2011-12-19 Thread Bernd Adamowicz
Are you sure Puppet does change your bash-files? I got the same configuration a 
lot of times (Puppet 2.6.6 and 2.6.12) and did not encounter such behavior. Can 
you give more details?

Bernd

> -----Original Message-----
> From: puppet-users@googlegroups.com [mailto:puppet-us...@googlegroups.com] On behalf of Kenneth Holter
> Sent: Monday, 19 December 2011 12:48
> To: puppet-users@googlegroups.com
> Subject: [Puppet Users] Hosting the user password only, not the .bashrc and -bash_profile files
> 
> Hi all,
> 
> 
> We have a number of servers on which user "admin" exists, and that have
> manual modifications to its bashrc and bash_profile files. What I'd
> like to do is to host its user password from puppet master, but not the
> bash-files.
> 
> I tried this (we're running Puppet Enterprise 2):
> 
> -- code start --
> pe_accounts::user { 'admin':
>   password => "encrypted_password_here",
> }
> -- code end --
> 
> but found that puppetmaster overwrites the user's bash-files. So either
> I will have to start hosting the bash-files (which I'd like not to at
> the moment), or I must find a way to only change the admin password.
> 
> Does anyone know how I get puppet to _not_ overwrite the bash-file, and
> only host the user's password?
> 
> 
> Best regards,
> Kenneth




[Puppet Users] Learn from MY Mistake: "false" != false

2011-12-19 Thread Dan White
Sharing my stoopid mistake in the hopes of saving someone else the same grief:

I had a boolean toggle that was not performing as expected.

Long story short: I had put quotes around the word "false"

class { 'foo' : boolFlag => "false" } was coming up TRUE

To fix it, lose the quotes
class { 'foo' : boolFlag => false }

“Sometimes I think the surest sign that intelligent life exists elsewhere in 
the universe is that none of it has tried to contact us.”
Bill Waterson (Calvin & Hobbes)




Re: [Puppet Users] Learn from MY Mistake: "false" != false

2011-12-19 Thread Brice Figureau
On Mon, 2011-12-19 at 16:14 +, Dan White wrote:
> Sharing my stoopid mistake in the hopes of saving someone else the same grief:
> 
> I had a boolean toggle that was not performing as expected.
> 
> Long story short: I had put quotes around the word "false"
> 
> class { 'foo' : boolFlag => "false" } was coming up TRUE
> 
> To fix it, lose the quotes
> class { 'foo' : boolFlag => false }

It all depends what is done with boolFlag in your parametrized class.
More specifically what doesn't work is:

if "false" {
}

Because a string when (internally) converted to a boolean is true.

This was discussed 2 days ago (look when the thread changes name):
http://groups.google.com/group/puppet-users/browse_thread/thread/3dfba6566d97880e/c473deea3f302410?#

And this is tracked in the following bug:
http://projects.puppetlabs.com/issues/5648

-- 
Brice Figureau
Follow the latest Puppet Community evolutions on www.planetpuppet.org!




[Puppet Users] duplicate definition error

2011-12-19 Thread Chris Blumentritt
I have an error that I do not understand.  I get a duplicate
definition and I am not sure why: http://pastie.org/3041278

if I change line 27 in that paste from class { 'passenger': } to
include passenger, there is not an error but the passenger class (it
is a module) is not evaluated.

Does having module foo that contains a class, foo:bar::baz and then
including another module named, baz cause this?

I tested with puppet 2.7.9, 2.7.8 and 2.7.3




Re: [Puppet Users] duplicate definition error

2011-12-19 Thread Daniel Piddock
On 19/12/11 16:36, Chris Blumentritt wrote:
> I have an error that I do not understand.  I get a duplicate
> definition and I am not sure why: http://pastie.org/3041278
>
> if I change line 27 in that paste from class { 'passenger': } to
> include passenger, there is not an error but the passenger class (it
> is a module) is not evaluated.
>
> Does having module foo that contains a class, foo:bar::baz and then
> including another module named, baz cause this?
>
> I tested with puppet 2.7.9, 2.7.8 and 2.7.3
>

Basically, yes. It's all to do with how unqualified variables are resolved.

Try "class { '::passenger': }" instead to qualify the class as being in
the root scope.

HTH

Dan





Re: [Puppet Users] Learn from MY Mistake: "false" != false

2011-12-19 Thread Dan White
Thanks for pointing that out for two reasons:
(1) In the flow of the mailing list, simple little tricks like this can flash 
right past you if you are not reading carefully.
(2) That thread gave me a better approach for what I am doing in my class.

Thanks again, everyone !

“Sometimes I think the surest sign that intelligent life exists elsewhere in 
the universe is that none of it has tried to contact us.”
Bill Waterson (Calvin & Hobbes)

- Brice Figureau  wrote:
> On Mon, 2011-12-19 at 16:14 +, Dan White wrote:
> > Sharing my stoopid mistake in the hopes of saving someone else the same 
> > grief:
> > 
> > I had a boolean toggle that was not performing as expected.
> > 
> > Long story short: I had put quotes around the word "false"
> > 
> > class { 'foo' : boolFlag => "false" } was coming up TRUE
> > 
> > To fix it, lose the quotes
> > class { 'foo' : boolFlag => false }
> 
> It all depends what is done with boolFlag in your parametrized class.
> More specifically what doesn't work is:
> 
> if "false" {
> }
> 
> Because a string when (internally) converted to a boolean is true.
> 
> This was discussed 2 days ago (look when the thread changes name):
> http://groups.google.com/group/puppet-users/browse_thread/thread/3dfba6566d97880e/c473deea3f302410?#
> 
> And this is tracked in the following bug:
> http://projects.puppetlabs.com/issues/5648
> 
> -- 
> Brice Figureau
> Follow the latest Puppet Community evolutions on www.planetpuppet.org!




Re: [Puppet Users] Re: Seperate CA's/Master behind load balancer

2011-12-19 Thread Brice Figureau
On 19/12/11 12:05, ollies...@googlemail.com wrote:
> Thanks,
> 
> On our older infrastructure if we wanted to scale out we just copied
> the ssldir and changed the filenames to the FQDN of the new master
> server. certdnsnames would be wildcarded.

The problem with this way of scaling is that you won't be able to revoke
a certificate. The reason is that more than one certificate can have the
same serial.

I believe it's better to dedicate a master to be a CA only master. Then
you point your clients to this ca.
If you fear the SPOF, then you can use a pair of CA server sharing
ssldir either through rsync or anything else allowing sharing files.

> Now using 2.7.9 how do we do certificates so we could scale out
> horizontally from behind this loadbalancer ?

There's no reason you can't do what you were doing before upgrading to
the 2.7.9 version. If what you were doing doesn't work anymore, then it
might be a bug you should report.

> Trying this approach leads now to this:-
> 
> # puppet cert --list --all
> warning: The `certdnsnames` setting is no longer functional,
> after CVE-2011-3872. We ignore the value completely.
> 
> For your own certificate request you can set `dns_alt_names` in the
> configuration and it will apply locally.  There is no configuration option to
> set DNS alt names, or any other `subjectAltName` value, for another nodes
> certificate.
> 
> Alternately you can use the `--dns_alt_names` command line option to set the
> labels added while generating your own CSR.
> -  (FA:C4:68:C1:30:E2:95:9E:48:AB:ED:E4:A7:BF:3F:19)
> (certificate signature failure)
> 
> Going around in circles somewhat trying to get a modern puppet setup
> with a potential to scale horizontally.

The command just complains about the certdnsnames option that has been
removed. You can still use dns_alt_names to generate clients and/or
server certificates with embedded subjectAltName extension.

-- 
Brice Figureau
My Blog: http://www.masterzen.fr/
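
The serial collision behind the revocation problem described above, as an added example (not code from the thread or from Puppet): `CopiedCA`, `copy_ssldir` and the host names are hypothetical, and the CA is a constructed stand-in built with Ruby's OpenSSL bindings rather than Puppet's own CA code.

```ruby
require 'openssl'
# Constructed stand-in for a Puppet CA; CopiedCA and its methods are
# hypothetical names, only the Ruby OpenSSL calls are real.
class CopiedCA
  def initialize(key, name, next_serial)
    @key, @name, @next_serial = key, name, next_serial
  end

  # "Copy the ssldir to the new master": same CA key, same serial counter.
  def copy_ssldir
    self.class.new(@key, @name, @next_serial)
  end

  def issue(fqdn, node_key)
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2
    cert.serial = @next_serial
    @next_serial += 1
    cert.subject = OpenSSL::X509::Name.parse("/CN=#{fqdn}")
    cert.issuer = @name
    cert.public_key = node_key.public_key
    cert.not_before = Time.now - 60
    cert.not_after = Time.now + 3600
    cert.sign(@key, OpenSSL::Digest.new('SHA256'))
    cert
  end

  # A CRL entry names the revoked certificate by serial number only.
  def crl_revoking(cert)
    crl = OpenSSL::X509::CRL.new
    crl.issuer = @name
    crl.last_update = Time.now - 60
    crl.next_update = Time.now + 3600
    entry = OpenSSL::X509::Revoked.new
    entry.serial = cert.serial
    entry.time = Time.now
    crl.add_revoked(entry)
    crl.sign(@key, OpenSSL::Digest.new('SHA256'))
    crl
  end
end

# The issuer-plus-serial match a relying party applies to a CRL.
def revoked_by?(crl, cert)
  crl.issuer.to_s == cert.issuer.to_s &&
    crl.revoked.any? { |entry| entry.serial.to_i == cert.serial.to_i }
end

# Audit helper: serials carried by more than one certificate.
def duplicate_serials(certs)
  certs.group_by { |c| c.serial.to_i }
       .select { |_, group| group.size > 1 }
       .transform_values { |group| group.map { |c| c.subject.to_s } }
end

def ssldir_copy_demo
  master_a = CopiedCA.new(OpenSSL::PKey::RSA.new(2048),
                          OpenSSL::X509::Name.parse('/CN=Puppet CA example'), 2)
  master_b = master_a.copy_ssldir
  node_key = OpenSSL::PKey::RSA.new(2048) # one key reused to keep this quick
  web = master_a.issue('web01.example.com', node_key)
  db = master_b.issue('db01.example.com', node_key)
  crl = master_a.crl_revoking(web)
  { duplicates: duplicate_serials([web, db]),
    web_revoked: revoked_by?(crl, web), db_revoked: revoked_by?(crl, db) }
end

puts ssldir_copy_demo.inspect if __FILE__ == $PROGRAM_NAME
```

Both nodes' certificates match the single CRL entry, so a revocation cannot single out one of them; `duplicate_serials` is the check to run over certificates already issued by masters that shared a copied ssldir.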




[Puppet Users] When the lint accumulates...

2011-12-19 Thread James Turnbull
So some of you may be aware that Tim Sharpe from GitHub wrote a Puppet
linting tool:

$ gem install puppet-lint
$ puppet-lint mymanifest.pp

Source: https://github.com/rodjek/puppet-lint

The linting tool checks Puppet code for "best practice" based on the
Puppet Labs Style Guide:

http://docs.puppetlabs.com/guides/style_guide.html

A lot of us have been using puppet-lint (and puppet parser validate) to
ensure our code is syntactically correct and as "best practice" as
possible.

We're also aware that there are some strange and odd things in the
Puppet language and whilst we can't fix all of them right now we'd like to
find a way to highlight items and syntax that is sub-optimal for you via
linting.

So what can you do to help?  Well firstly help us identify any syntax,
language constructions, structures etc that have caused issues for you
or that when used result in errors or issues. You can let us know about
these in three ways:

* Submit patches and additions to the linting tool. Patches in the form
of failing tests are especially welcome if you aren't comfortable adding
new tests yourself.
* Email me or the list with tickets containing issues like this.
* Send me or the list snippets of Puppet code that cause issues and the
output/issue they result in.

We'll also look at tracking as many of these as possible and where
relevant update the Style Guide with them too.

Cheers

James

-- 
James Turnbull
Puppet Labs
1-503-734-8571
To schedule a meeting with me: http://tungle.me/jamtur01




Re: [Puppet Users] Learn from MY Mistake: "false" != false

2011-12-19 Thread James Turnbull
Dan White wrote:
> Thanks for pointing that out for two reasons:
> (1) In the flow of the mailing list, simple little tricks like this can flash 
> right past you if you are not reading carefully.
> (2) That thread gave me a better approach for what I am doing in my class.
> 
> Thanks again, everyone !
> 

This is an excellent example of something that could be caught by
linting until the bug is fixed:

https://github.com/rodjek/puppet-lint/issues/43

Regards

James

-- 
James Turnbull
Puppet Labs
1-503-734-8571
To schedule a meeting with me: http://tungle.me/jamtur01
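
A check of the kind suggested above for this thread's quoted-boolean mistake, as an added example (not puppet-lint's or Geppetto's code): `quoted_booleans`, `strip_comment` and the sample manifest are constructed for illustration.

```ruby
# Line-based scan of Puppet manifest text for quoted booleans, which Puppet
# treats as non-empty strings and therefore as true. Regex-driven, not a real
# Puppet parser; escaped quotes inside strings are not handled.
Finding = Struct.new(:line, :kind, :text)

PARAM_RE = /=>\s*(["'])(?:true|false)\1/i
COND_RE  = /\b(?:if|elsif)\s+\(?\s*(["'])(?:true|false)\1/i

# Drop a trailing `# comment` unless the # sits inside a quoted string.
def strip_comment(line)
  quote = nil
  line.each_char.with_index do |ch, i|
    if quote
      quote = nil if ch == quote
    elsif ch == '"' || ch == "'"
      quote = ch
    elsif ch == '#'
      return line[0...i]
    end
  end
  line
end

def quoted_booleans(manifest)
  findings = []
  manifest.each_line.with_index(1) do |raw, lineno|
    code = strip_comment(raw.chomp)
    findings << Finding.new(lineno, :parameter, code.strip) if code =~ PARAM_RE
    findings << Finding.new(lineno, :condition, code.strip) if code =~ COND_RE
  end
  findings
end

# Constructed sample manifest built from the snippets quoted in this thread.
SAMPLE = <<~'PP'
  class { 'foo' : boolFlag => "false" }
  class { 'foo' : boolFlag => false }
  if "false" {
  }
  # boolFlag => "false" inside a comment is ignored
  $note = "set boolFlag => false to turn it off"
PP

quoted_booleans(SAMPLE).each do |f|
  puts "line #{f.line}: quoted boolean in #{f.kind}: #{f.text}"
end
```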




Re: [Puppet Users] Learn from MY Mistake: "false" != false

2011-12-19 Thread Henrik Lindberg

On 2011-20-12 24:57, James Turnbull wrote:
> Dan White wrote:
> > Thanks for pointing that out for two reasons:
> > (1) In the flow of the mailing list, simple little tricks like this can flash
> > right past you if you are not reading carefully.
> > (2) That thread gave me a better approach for what I am doing in my class.
>
> This is an excellent example of something that could be caught by
> linting until the bug is fixed:
>
> https://github.com/rodjek/puppet-lint/issues/43

And ditto for Geppetto. I added this check and it will be available in
Geppetto 2.1.2 (it is user configurable ignore/warning/error) under
Potential Problems preferences.


Regards
- henrik




Re: [Puppet Users] Hosting the user password only, not the .bashrc and -bash_profile files

2011-12-19 Thread Jeff McCune
On Mon, Dec 19, 2011 at 3:47 AM, Kenneth Holter  wrote:
> Hi all,
>
>
> We have a number of servers on which user "admin" exists, and that have
> manual modifications to its bashrc and bash_profile files. What I'd
> like to do is to host its user password from puppet master, but not
> the bash-files.
>
> I tried this (we're running Puppet Enterprise 2):
>
> -- code start --
> pe_accounts::user { 'admin':
>  password => "encrypted_password_here",
> }
> -- code end --
>
> but found that puppetmaster overwrites the user's bash-files. So
> either I will have to start hosting the bash-files (which I'd like not
> to at the moment), or I must find a way to only change the admin
> password.

The pe_accounts::user resource uses the pe_accounts::home_dir resource
by default to manage some basic things about the home directory.  We
added some basic bashrc files to help get started quickly, but
unfortunately it looks like they're getting in your way more than
they're helping.

The bashrc files we put down for you do automatically source
~/.bashrc.custom if it exists.  This file isn't managed by Puppet at
all.  Would it be possible for you to simply copy existing bashrc
customizations you have into ~/.bashrc.custom to continue using the
pe_accounts module?

Alternatively, I'd like to add some features to the accounts module to
accommodate your use case?  If you could describe what you'd like to
happen I can try to capture it in a feature request for a future
release of the module.  Perhaps just turning off bashrc files on a
per-resource basis would help you?

> Does anyone know how I get puppet to _not_ overwrite the bash-file,
> and only host the user's password?

Unfortunately I don't see a way to do this without modifying the
pe_accounts module itself, which will make upgrades difficult.

You could "fork" the module by copying and pasting everything into
your own module that's not named pe_accounts, but clearly this isn't
ideal either.

Hope this helps,
-- 
Jeff McCune
