[Puppet Users] camptocamp / puppet-apache can't get it to work properly.
Hello,

I'm attempting to use the camptocamp / puppet-apache module on one of my CentOS 6 hosts. I defined include apache on my node, imported the modules, and then executed puppetd to run. This is what I see when I run it:

err: Could not retrieve catalog from remote server: Error 400 on SERVER: No matching value for selector param 'undef' at /etc/puppet/modules/apache/manifests/redhat.pp:85 on node

The message is a bit cryptic to me since line 85 is not really referring to anything that's substantially useful to my troubleshooting process. Given the lack of readme notes (most of it talks about auth), I don't think I have the full scope of how I'm supposed to set up the module.

Has anyone else successfully deployed this module, let alone on a CentOS 5/6 host?

Thank you,
Will

--
You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] camptocamp / puppet-apache can't get it to work properly.
Hi Will,

I don't use the module but every time I see the word 'undef' in an error I think a variable is used before being defined. Line 80:

    file { "${apache::params::conf}/mods-available":
      ensure  => directory,
      source  => $lsbmajdistrelease ? {
        5 => "puppet:///modules/apache/etc/httpd/mods-available/redhat5/",
        6 => "puppet:///modules/apache/etc/httpd/mods-available/redhat6/",
      },
      recurse => true,
      mode    => 644,
      owner   => root,
      group   => root,
      seltype => httpd_config_t,
      require => Package[apache],
    }

The only selector operator in there is:

    source => $lsbmajdistrelease ? {

That is an LSB Fact. You can confirm that the Fact is available by running facter -p | grep lsb on your Puppet Agent system. IIRC you only get LSB Facts if you have the necessary LSB package, which is redhat-lsb on RHEL I think.

On 20/12/11 09:07, Will S. G. wrote:
> Hello, I'm attempting to use the camptocamp / puppet-apache module on one of my CentOS 6 hosts. I defined include apache on my node, imported the modules, and then executed puppetd to run. This is what I see when I run it:
>
> err: Could not retrieve catalog from remote server: Error 400 on SERVER: No matching value for selector param 'undef' at /etc/puppet/modules/apache/manifests/redhat.pp:85 on node
>
> The message is a bit cryptic to me since line 85 is not really referring to anything that's substantially useful to my troubleshooting process. Given the lack of readme notes (most of it talks about auth), I don't think I have the full scope of how I'm supposed to set up the module.
>
> Has anyone else successfully deployed this module, let alone on a CentOS 5/6 host?
>
> Thank you,
> Will

--
Luke Bigum
Information Systems
+44 (0) 20 3192 2520
luke.bi...@lmax.com | http://www.lmax.com
LMAX, Yellow Building, 1A Nicholas Road, London W11 4AN
[Puppet Users] Re: camptocamp / puppet-apache can't get it to work properly.
> IIRC you only get LSB Facts if you have the necessary LSB package, which is redhat-lsb on RHEL I think.

That was it; redhat-lsb package was missing, which begs the question, why not require it in the module?

There is another error (Puppet::Parser::AST::Resource failed with error ArgumentError: Invalid resource type common::concatfilepart at /etc/puppet/modules/apache/manifests/listen.pp:30), but I'm sure I can figure it out.

Thanks!
[Puppet Users] Re: Puppet capacity with apache+passenger, server saturated
Hi Brice,

Thanks for the reply. I've been looking at what you sent me and now I think I meet all these requirements.

Currently, each node accesses the settings every hour, which means that from 1927 to 1960 = 32 nodes checking every minute.

I use Passenger with apache, maybe it's the best solution. I've also read that Nginx is lighter than apache, would it be a solution?

I recently had a problem observed in the apache logs, in which it said it had to increase the MaxClients variable, so I decided to raise it. I attached the worker module (currently I have installed apache-mpm-worker) in case one of these parameters is wrong.

    <IfModule mpm_worker_module>
        StartServers          2
        MinSpareThreads      25
        MaxSpareThreads      75
        ThreadLimit          64
        ThreadsPerChild      25
        MaxClients          400
        MaxRequestsPerChild   0
    </IfModule>

With this configuration, the service works perfectly, but I think that has increased exponentially my consumption of RAM. I leave the data extracted from Munin:

    apps:          10Gb
    page_tables:   48.91 Mb
    Swap_Cache:    7.24 Mb
    Slab_Cache:    110.55 Mb
    Cache:         565.15 Mb
    Buffers:       62.67 Mb
    Unused:        243.82 Mb
    Swap:          29.40 Mb
    Inactive:      1.68 Gb
    Committed:     12.91 GB
    Active:        9.64 Gb
    Vmalloc_Used:  39.53 Mb
    Mapped:        13.68 Mb

As a preventive measure to continue the deployment of the application I will dilate much execution interval to every two hours scattered through a seed (as I have done with cron minutes to the dispersion of nodes). It also occurred to me to use the variable use_cached_catalog, but a doubt arises: if I add this variable, nodes use the catalog caching, meaning that if you change the manifest on the server, nodes are not updated? Would there be some way to tell the node to use its cached catalog until there are updates on the server?

Thank you for everything! ;)

Best regards!
On 16 Dec, 15:36, Brice Figureau brice-pup...@daysofwonder.com wrote:
> On Fri, 2011-12-16 at 04:56 -0800, Antonio Xanxess wrote:
> > I have a problem with my Puppet server, the server is overloaded and processes need to add half of my farm nodes yet!
> >
> > The server is hosted on a blade with the following characteristics:
> > Processors: 8 cores
> > Memory Ram: 12 Gb
> > Operating System: Debian Squeeze
> > Version of parcel: 2.7.1-1 ~ bpo60 puppet 1 puppet-common 2.7.1-1 ~ bpo60 1 2.7.1-1 ~ bpo60 1 puppetmaster puppetmaster 2.7.1-1 ~ bpo60-1 common puppet vim 2.7.1-1 ~ bpo60-1
> >
> > The number of nodes that I have now is 1927 and I'm in the middle of the deployment process. The nodes do not use the demon puppet, but I created a cron task that runs dispersed to run in one hour intervals.
> >
> > With these data the server is currently using on average 4 cores, but the RAM is used almost entirely (it has 1 GB free of 12)
>
> If your setup is consuming so much ram, that means your concurrency is too high. You might also benefit of using Ruby Enterprise Edition, because passenger might be able to share more memory between those ruby processes.
>
> Puppetmasters are mostly CPU bound. Since your server has 8 cores, having more than 8, 12 or 16 puppetmaster processes at one will not give you more horse power (yeah CPU is a finite quantity).
>
> What is your current concurrency?
>
> If your problem is that your CPU is constantly at 100% because of the puppet runs (ie too many clients checking-in at the same time), then I'm afraid you'll either:
> * need another server
> * increase the time between your client check in (every 60min in lieu of 30 for instance)
> * use of Mcollective Puppet Controller [1]
> * my experimental catalog caching [2]
>
> You can do some math to see if your near the limit: if you have 1927 nodes each checking-in every 30 minutes, that means you (if spread evenly) 1927/30=64 nodes checking in every minute. That's more than 1 node coming in per second.
>
> Since you have a concurrency of 8 (because of your 8 core) at max, you can accomodate 8 nodes at the same time. Since 64/8 = 8, you can accomodate 8 client per minute, which means each client must be serviced in less than 60/8=7.5s or you'll run into trouble.
>
> And you can even do better than math, you can benchmark your master (better a test server with the same capacity) [3]
>
> > I would like to know some technical expert for the optimization of services, anything you can think of will help me because I am a bit blocked
> >
> > I've been thinking about creating another puppetmaster and use a load balancer, but in my case would have security problems because the connections are behind the balancer and servers unencrypted would be in different physical locations, having to go unencrypted information by the network.
>
> You can certainly load balance SSL connections without having to decrypt the content (ie a pure layer 3-4 load-balancer). I'm sure haproxy would be able to do that.
>
> If you go this route, make sure you have a standalone CA and point your clients to this standalone CA (that's way simpler than trying to replicate your CA between your
[Puppet Users] Re: camptocamp / puppet-apache can't get it to work properly.
I figured it out, I needed the puppet-common modules installed and included. Thank you for your help this morning.

On Dec 20, 1:30 am, Will S. G. w...@arw.in wrote:
> > IIRC you only get LSB Facts if you have the necessary LSB package, which is redhat-lsb on RHEL I think.
>
> That was it; redhat-lsb package was missing, which begs the question, why not require it in the module?
>
> There is another error (Puppet::Parser::AST::Resource failed with error ArgumentError: Invalid resource type common::concatfilepart at /etc/puppet/modules/apache/manifests/listen.pp:30), but I'm sure I can figure it out.
>
> Thanks!
Re: [Puppet Users] Re: camptocamp / puppet-apache can't get it to work properly.
Invalid resource type is exactly what it sounds. Consider the following:

    file { "/etc/passwd": }
    woofwoof { "/tmp": }
    service { "httpd": }

If you don't have any extra Custom Types or Defined Types on your Master, then the woofwoof resource type would give you the same error.

What you'll want to do is clone down the 'common' module, probably from the same GitHub account, which I'd guess will provide the common::concatfilepart type (I know this because the namespace of the error is common:: so that's where the apache module is expecting to find concatfilepart). This will be an implementation of https://github.com/ripienaar/puppet-concat if you want to read up on what it actually is.

On 20/12/11 09:30, Will S. G. wrote:
> > IIRC you only get LSB Facts if you have the necessary LSB package, which is redhat-lsb on RHEL I think.
>
> That was it; redhat-lsb package was missing, which begs the question, why not require it in the module?
>
> There is another error (Puppet::Parser::AST::Resource failed with error ArgumentError: Invalid resource type common::concatfilepart at /etc/puppet/modules/apache/manifests/listen.pp:30), but I'm sure I can figure it out.
>
> Thanks!

--
Luke Bigum
Information Systems
+44 (0) 20 3192 2520
luke.bi...@lmax.com | http://www.lmax.com
LMAX, Yellow Building, 1A Nicholas Road, London W11 4AN
Re: [Puppet Users] Puppet capacity with apache+passenger, server saturated
One other thing to look at is how many nodes are hitting your server at once.

If you're not using the ip_to_cron function from the Cron Patterns page, you might want to take a look at it.

http://projects.puppetlabs.com/projects/1/wiki/Cron_Patterns

Some people are also using MCollective to do a more controlled call-in of nodes.

Trevor

On Fri, Dec 16, 2011 at 7:56 AM, Antonio Xanxess antonio.sanchez.agui...@gmail.com wrote:
> Hi everyone,
>
> I have a problem with my Puppet server, the server is overloaded and processes need to add half of my farm nodes yet!
>
> The server is hosted on a blade with the following characteristics:
> Processors: 8 cores
> Memory Ram: 12 Gb
> Operating System: Debian Squeeze
> Version of parcel: 2.7.1-1 ~ bpo60 puppet 1 puppet-common 2.7.1-1 ~ bpo60 1 2.7.1-1 ~ bpo60 1 puppetmaster puppetmaster 2.7.1-1 ~ bpo60-1 common puppet vim 2.7.1-1 ~ bpo60-1
>
> The number of nodes that I have now is 1927 and I'm in the middle of the deployment process. The nodes do not use the demon puppet, but I created a cron task that runs dispersed to run in one hour intervals.
>
> With these data the server is currently using on average 4 cores, but the RAM is used almost entirely (it has 1 GB free of 12)
>
> I would like to know some technical expert for the optimization of services, anything you can think of will help me because I am a bit blocked
>
> I've been thinking about creating another puppetmaster and use a load balancer, but in my case would have security problems because the connections are behind the balancer and servers unencrypted would be in different physical locations, having to go unencrypted information by the network.
>
> Thank you and if you need some data from the server will put.
>
> A greeting!

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaug...@onyxpoint.com

-- This account not approved for unencrypted proprietary information --
[Puppet Users] custom facts loaded twice
Hi all,

Every time I run puppet manually I see the message:

    # puppetd --test --server $SERVER
    info: Retrieving plugin
    info: Loading facts in hwtype
    info: Loading facts in odd_ip
    info: Loading facts in default_gateway
    info: Loading facts in hwtype
    info: Loading facts in odd_ip
    info: Loading facts in default_gateway
    info: Caching catalog for XX

As you can see facts are loaded twice. Everything works fine, but I'm wondering if this is normal or we have some misconfiguration.

Honestly, I don't know what conf to provide apart from the client's puppet conf file:

    [main]
    # Where Puppet stores dynamic and growing data.
    # The default value is '/var/puppet'.
    vardir = /var/lib/puppet

    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl

    pluginsync = true

    [agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuratiion. Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration. An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig

    report = false

Cheers,
Arnau
[Puppet Users] Re: [Puppet-dev] Re: When the lint accumulates...
Is there a minimum version of ruby or puppet for it to work? I am open to running this on my entire puppet tree (close to 53 modules and growing).

    puppet-lint /etc/puppet/manifests
    /usr/lib/ruby/gems/1.8/gems/puppet-lint-0.1.7/bin/../lib/puppet-lint/plugin.rb:43: warning: parenthesize argument(s)
    /usr/lib/ruby/gems/1.8/gems/puppet-lint-0.1.7/bin/../lib/puppet-lint.rb:28:in `read': Is a directory - /etc/puppet/mE
        from /usr/lib/ruby/gems/1.8/gems/puppet-lint-0.1.7/bin/../lib/puppet-lint.rb:28:in `file='
        from /usr/lib/ruby/gems/1.8/gems/puppet-lint-0.1.7/bin/puppet-lint:51
        from /usr/bin/puppet-lint:19:in `load'
        from /usr/bin/puppet-lint:19

On Mon, Dec 19, 2011 at 4:11 PM, Henrik Lindberg henrik.lindb...@cloudsmith.com wrote:
> I am also very interested in this to enable Geppetto to also provide the same feedback. One difficulty I have faced is to find good samples that should trigger different kinds of warnings and errors. I have collected some in Geppetto's tests, and I keep adding more over time. Biggest difficulty however are unclear language semantics ;) or issues like the 'hyphen in variable name'.
>
> Anyway... It may be of value to set up a shared repository at github with samples that contains problems for the tools (lint, geppetto, or the puppet runtime) to process and where the expected outcome is perhaps described in comments (or some other simple mechanism). The various tool projects can then use this for their unit tests + naturally learn about tips and tricks. It should be really easy for anyone to contribute a sample documented with expected outcome.
>
> I think it is also of value to include examples that result in errors/warnings at runtime - i.e. not so much a lint issue, but various real problems and how they are reported. This for the same purpose; unit test that the tools find these as expected and report problems in a good way.
>
> I can see myself contributing to such a joint effort. What do you think?
>
> Regards
> - henrik
>
> On 2011-19-12 21:00, James Turnbull wrote:
> > So some of you may be aware that Tim Sharpe from GitHub wrote a Puppet linting tool:
> >
> > $ gem install puppet-lint
> > $ puppet-lint mymanifest.pp
> >
> > Source: https://github.com/rodjek/puppet-lint
> >
> > The linting tool checks Puppet code for best practice based on the Puppet Labs Style Guide:
> >
> > http://docs.puppetlabs.com/guides/style_guide.html
> >
> > A lot of us have been using puppet-lint (and puppet parser validate) to ensure our code is synoptically correct and as best practice as possible.
> >
> > We're also aware that there are some strange and odd things in the Puppet language and whilst we can't fix all them right now we'd like to find a way to highlight items and syntax that is sub-optimal for you via linting.
> >
> > So what can you do to help? Well firstly help us identify any syntax, language constructions, structures etc that have caused issues for you or that when used result in errors or issues. You can let us know about these in three ways:
> >
> > * Submit patches and additions to the linting tool. Patches in the form of failing tests are especially welcome if you aren't comfortable adding new tests yourself.
> > * Email me or the list with tickets containing issues like this.
> > * Send me or the list snippets of Puppet code that cause issues and the output/issue they result in.
> >
> > We'll also look at tracking as many of these as possible and where relevant update the Style Guide with them too.
> >
> > Cheers
> > James
[Puppet Users] Re: Seperate CA's/Master behind load balancer
Thanks.

I assume that the section in this:-

http://projects.puppetlabs.com/projects/puppet/wiki/Puppet_Scalability

Stating that it doesn't work for 0.25 2.6 also applies to the 2.7.9 release that is the latest ?

Sharing an area via NFS/iSCSI/rsync'ing or whatever is potentially viable. Does anyone know how this would be possible with different hostnames serving the certs and the traffic being directed via a load-balancer ?

Maybe it's just not possible right now and I am flogging a dead horse and should accept a SPOF for a CA but can easily scale out the puppetmasters fine.

Thanks all.
Paul
Re: [Puppet Users] duplicate definition error
> Basically, yes. It's all to do with how unqualified variables are resolved. Try
>
>     class { '::passenger': }
>
> instead to qualify the class as being in the root scope.
>
> HTH
> Dan

Thanks Dan that solved it.
Re: [Puppet Users] Re: Seperate CA's/Master behind load balancer
On Tue, 2011-12-20 at 07:14 -0800, ollies...@googlemail.com wrote:
> Thanks.
>
> I assume that the section in this:-
> http://projects.puppetlabs.com/projects/puppet/wiki/Puppet_Scalability
> Stating that is doesn't work for 0.25 2.6 also applies to the 2.7.9 release that is the latest ?

Yes, I believe chained CA are still not working in 2.7.x, if that's what you meant.

> Sharing an area via NFS/iSCSI/rsync'ing or whatever is potentially viable does anyone know how this would be possible with different hostnames serving the certs and the traffic being directed via a load-balancer ?

That's easy: dedicate two host to be CAs only. One is the hot standby of the first one. You can either manually bring it up when the first one fails, or use something like drbd+pacemaker to do it automatically.

Then have all your other masters run in no ca mode. Each can have a different server CN, or they can share the same server certificate.

This is explained in length in the Pro puppet [1] book if you need.

> Maybe it's just not possible right now and I am flogging a dead horse and should accept a SPOF for a CA but can easily scale out the puppetmasters fine.

The simplest architecture for load balanced puppet is the single CA one, of course that means you can live with the SPOF.

BTW, the SPOF is only at certificate signing. In the event your CA becomes unresponsive, it won't prevent your actual nodes to get a catalog.

I highly recommend you to get a copy of the Pro Puppet book. It contains an extensive chapter on load balancing puppet master (both with the SPOF and without it).

[1]: http://www.apress.com/9781430230571

--
Brice Figureau
Follow the latest Puppet Community evolutions on www.planetpuppet.org!
[Puppet Users] Re: [Puppet-dev] Re: When the lint accumulates...
it'd be very great if the various best-practice definitions in the puppet universe would match ;-)

Have fun,
David

On Mon, 19 Dec 2011 22:11:53 +0100, Henrik Lindberg henrik.lindb...@cloudsmith.com wrote:
> I am also very interested in this to enable Geppetto to also provide the same feedback. One difficulty I have faced is to find good samples that should trigger different kinds of warnings and errors. I have collected some in Geppetto's tests, and I keep adding more over time. Biggest difficulty however are unclear language semantics ;) or issues like the 'hyphen in variable name'.
>
> Anyway... It may be of value to set up a shared repository at github with samples that contains problems for the tools (lint, geppetto, or the puppet runtime) to process and where the expected outcome is perhaps described in comments (or some other simple mechanism). The various tool projects can then use this for their unit tests + naturally learn about tips and tricks. It should be really easy for anyone to contribute a sample documented with expected outcome.
>
> I think it is also of value to include examples that result in errors/warnings at runtime - i.e. not so much a lint issue, but various real problems and how they are reported. This for the same purpose; unit test that the tools find these as expected and report problems in a good way.
>
> I can see myself contributing to such a joint effort. What do you think?
>
> Regards
> - henrik
>
> On 2011-19-12 21:00, James Turnbull wrote:
> > So some of you may be aware that Tim Sharpe from GitHub wrote a Puppet linting tool:
> >
> > $ gem install puppet-lint
> > $ puppet-lint mymanifest.pp
> >
> > Source: https://github.com/rodjek/puppet-lint
> >
> > The linting tool checks Puppet code for best practice based on the Puppet Labs Style Guide:
> >
> > http://docs.puppetlabs.com/guides/style_guide.html
> >
> > A lot of us have been using puppet-lint (and puppet parser validate) to ensure our code is synoptically correct and as best practice as possible.
> >
> > We're also aware that there are some strange and odd things in the Puppet language and whilst we can't fix all them right now we'd like to find a way to highlight items and syntax that is sub-optimal for you via linting.
> >
> > So what can you do to help? Well firstly help us identify any syntax, language constructions, structures etc that have caused issues for you or that when used result in errors or issues. You can let us know about these in three ways:
> >
> > * Submit patches and additions to the linting tool. Patches in the form of failing tests are especially welcome if you aren't comfortable adding new tests yourself.
> > * Email me or the list with tickets containing issues like this.
> > * Send me or the list snippets of Puppet code that cause issues and the output/issue they result in.
> >
> > We'll also look at tracking as many of these as possible and where relevant update the Style Guide with them too.
> >
> > Cheers
> > James
[Puppet Users] Re: Seperate CA's/Master behind load balancer
> That's easy: dedicate two host to be CAs only. One is the hot standby of the first one. You can either manually bring it up when the first one fails, or use something like drbd+pacemaker to do it automatically.
>
> Then have all your other masters run in no ca mode. Each can have a different server CN, or they can share the same server certificate.
>
> This is explained in length in the Pro puppet [1] book if you need.
>
> > Maybe it's just not possible right now and I am flogging a dead horse and should accept a SPOF for a CA but can easily scale out the puppetmasters fine.
>
> The simplest architecture for load balanced puppet is the single CA one, of course that means you can live with the SPOF.
>
> BTW, the SPOF is only at certificate signing. In the event your CA becomes unresponsive, it won't prevent your actual nodes to get a catalog.
>
> I highly recommend you to get a copy of the Pro Puppet book. It contains an extensive chapter on load balancing puppet master (both with the SPOF and without it).

Thanks. Have got a copy of the book and that is what I was working from.

As per the example in the book it's fine running the CA's in the localhost sort of mode but when switching from localhost to other servers off the load-balancer server I get the cert errors:-

err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: certificate verify failed. This is often because the time is out of sync on the server or client

Do I have to clean out the puppetmaster setup on the load-balancer host ?

On the CA servers I removed the ssldir and ran puppet master to generate a new ssl data. Then with a new client I get the new cert generated but then the above error.
Re: [Puppet Users] Re: Seperate CA's/Master behind load balancer
On Tue, 2011-12-20 at 08:02 -0800, ollies...@googlemail.com wrote:
> > That's easy: dedicate two host to be CAs only. One is the hot standby of the first one. You can either manually bring it up when the first one fails, or use something like drbd+pacemaker to do it automatically.
> >
> > Then have all your other masters run in no ca mode. Each can have a different server CN, or they can share the same server certificate.
> >
> > This is explained in length in the Pro puppet [1] book if you need.
> >
> > > Maybe it's just not possible right now and I am flogging a dead horse and should accept a SPOF for a CA but can easily scale out the puppetmasters fine.
> >
> > The simplest architecture for load balanced puppet is the single CA one, of course that means you can live with the SPOF.
> >
> > BTW, the SPOF is only at certificate signing. In the event your CA becomes unresponsive, it won't prevent your actual nodes to get a catalog.
> >
> > I highly recommend you to get a copy of the Pro Puppet book. It contains an extensive chapter on load balancing puppet master (both with the SPOF and without it).
>
> Thanks. Have got a copy of the book and that is what I was working from.
>
> As per the example in the book it's fine running the CA's in the localhost sort of mode but when switching from localhost to other servers off the load-balancer server I get the cert errors:-
>
> err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: certificate verify failed. This is often because the time is out of sync on the server or client
>
> Do I have to clean out the puppetmaster setup on the load-balancer host ?
>
> On the CA servers I removed the ssldir and ran puppet master to generate a new ssl data. Then with a new client I get the new cert generated but then the above error.

That's expected because when the client connects to one of your loadbalanced server it receives a certificate that was signed/generated under the previous CA.

You actually need your loadbalanced masters to get a certificate from your current CA. This certificate will then be used when talking to your nodes.

--
Brice Figureau
Follow the latest Puppet Community evolutions on www.planetpuppet.org!
[Puppet Users] Re: Seperate CA's/Master behind load balancer
On Dec 20, 4:16 pm, Brice Figureau brice-pup...@daysofwonder.com wrote: On Tue, 2011-12-20 at 08:02 -0800, ollies...@googlemail.com wrote: That's easy: dedicate two hosts to be CAs only. One is the hot standby of the first one. You can either manually bring it up when the first one fails, or use something like drbd+pacemaker to do it automatically. Then have all your other masters run in no ca mode. Each can have a different server CN, or they can share the same server certificate. This is explained at length in the Pro Puppet [1] book if you need. Maybe it's just not possible right now and I am flogging a dead horse and should accept a SPOF for a CA but can easily scale out the puppetmasters fine. The simplest architecture for load balanced puppet is the single CA one, of course that means you can live with the SPOF. BTW, the SPOF is only at certificate signing. In the event your CA becomes unresponsive, it won't prevent your actual nodes from getting a catalog. I highly recommend you to get a copy of the Pro Puppet book. It contains an extensive chapter on load balancing puppet master (both with the SPOF and without it). Thanks. Have got a copy of the book and that is what I was working from. As per the example in the book it's fine running the CA's in the localhost sort of mode but when switching from localhost to other servers off the load-balancer server I get the cert errors:- err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: certificate verify failed. This is often because the time is out of sync on the server or client Do I have to clean out the puppetmaster setup on the load-balancer host? On the CA servers I removed the ssldir and ran puppet master to generate new ssl data. Then with a new client I get the new cert generated but then the above error. That's expected because when the client connects to one of your loadbalanced servers it receives a certificate that was signed/generated under the previous CA. You actually need your loadbalanced masters to get a certificate from your current CA. This certificate will then be used when talking to your nodes. But the Apache LB settings are sending the certificate stuff to the separate CA server (I can see this in the logs) and the CA has the signed cert in the puppet cert --list --all but it still complains on the client.
Re: [Puppet Users] Re: Seperate CA's/Master behind load balancer
On Tue, 2011-12-20 at 08:25 -0800, ollies...@googlemail.com wrote: On Dec 20, 4:16 pm, Brice Figureau brice-pup...@daysofwonder.com wrote: On Tue, 2011-12-20 at 08:02 -0800, ollies...@googlemail.com wrote: That's easy: dedicate two hosts to be CAs only. One is the hot standby of the first one. You can either manually bring it up when the first one fails, or use something like drbd+pacemaker to do it automatically. Then have all your other masters run in no ca mode. Each can have a different server CN, or they can share the same server certificate. This is explained at length in the Pro Puppet [1] book if you need. Maybe it's just not possible right now and I am flogging a dead horse and should accept a SPOF for a CA but can easily scale out the puppetmasters fine. The simplest architecture for load balanced puppet is the single CA one, of course that means you can live with the SPOF. BTW, the SPOF is only at certificate signing. In the event your CA becomes unresponsive, it won't prevent your actual nodes from getting a catalog. I highly recommend you to get a copy of the Pro Puppet book. It contains an extensive chapter on load balancing puppet master (both with the SPOF and without it). Thanks. Have got a copy of the book and that is what I was working from. As per the example in the book it's fine running the CA's in the localhost sort of mode but when switching from localhost to other servers off the load-balancer server I get the cert errors:- err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: certificate verify failed. This is often because the time is out of sync on the server or client Do I have to clean out the puppetmaster setup on the load-balancer host? On the CA servers I removed the ssldir and ran puppet master to generate new ssl data. Then with a new client I get the new cert generated but then the above error. That's expected because when the client connects to one of your loadbalanced servers it receives a certificate that was signed/generated under the previous CA. You actually need your loadbalanced masters to get a certificate from your current CA. This certificate will then be used when talking to your nodes. But the Apache LB settings are sending the certificate stuff to the separate CA server (I can see this in the logs) and the CA has the signed cert in the puppet cert --list --all but it still complains on the client. The client is supposed to validate the server certificate. It does this by checking the certificate the server sent against its locally cached CA certificate. In your case, depending on how your LB is working, it might be possible the SSL endpoint is your LB. In which case this is the one that will send the server certificate. Make sure this one sends a certificate that was generated by the loadbalanced CA. -- Brice Figureau Follow the latest Puppet Community evolutions on www.planetpuppet.org!
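The check described in the reply above (the agent validates whatever certificate the SSL endpoint presents against its locally cached CA certificate), reproduced as an added Ruby example that is not from the thread or from Puppet's code. The CA and host names, the helper names and all keys are constructed here; the stale certificate models a master or load balancer still serving one signed before the ssldir was regenerated.

```ruby
require 'openssl'

# Every name, key and certificate below is constructed for this example.

# Build a throwaway self-signed CA, standing in for a Puppet CA certificate.
def make_ca(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.new([['CN', common_name]])
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  { cert: cert, key: key }
end

# Issue a server certificate signed by the given CA.
def issue_cert(common_name, ca, serial)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([['CN', common_name]])
  cert.issuer = ca[:cert].subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(ca[:key], OpenSSL::Digest.new('SHA256'))
  cert
end

# What the agent does: trust only the cached CA cert, then verify the
# certificate presented by whichever host terminates SSL.
def verify_server_cert(server_cert, cached_ca_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(cached_ca_cert)
  verified = store.verify(server_cert)
  { verified: verified, reason: store.error_string }
end

# Direct signature check: was this certificate signed by this CA's key?
def signed_by?(cert, ca_cert)
  cert.verify(ca_cert.public_key)
end

# Fingerprint to compare the CA cert cached on an agent with the CA's own copy.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

def ca_rebuild_scenario
  # Same subject name before and after the rebuild, but a different key pair.
  old_ca = make_ca('Puppet CA: ca.example.test')
  new_ca = make_ca('Puppet CA: ca.example.test')
  stale_master = issue_cert('puppet.example.test', old_ca, 2) # pre-rebuild cert
  fresh_master = issue_cert('puppet.example.test', new_ca, 2) # re-issued cert
  {
    stale: verify_server_cert(stale_master, new_ca[:cert]),
    fresh: verify_server_cert(fresh_master, new_ca[:cert]),
    stale_signed_by_old: signed_by?(stale_master, old_ca[:cert]),
    stale_signed_by_new: signed_by?(stale_master, new_ca[:cert]),
    ca_fingerprints_differ: fingerprint(old_ca[:cert]) != fingerprint(new_ca[:cert])
  }
end

if __FILE__ == $PROGRAM_NAME
  result = ca_rebuild_scenario
  puts "stale master cert: verified=#{result[:stale][:verified]} (#{result[:stale][:reason]})"
  puts "fresh master cert: verified=#{result[:fresh][:verified]} (#{result[:fresh][:reason]})"
  puts "stale cert signed by old CA: #{result[:stale_signed_by_old]}, by new CA: #{result[:stale_signed_by_new]}"
end
```

Running the same three checks against the certificate actually served on port 8140 shows which CA generation the SSL endpoint is still using.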
[Puppet Users] Bug #9388 prevents us from upgrading to 2.7.x
Hi, can somebody who understands the puppet codebase take a look at bug #9388? I isolated the problem and it seems that the yaml cache files are not properly updated when mongrel is used. Cody Robertson added that the switch from GET to POST/PUT between 2.6.x and 2.7.x might be the problem and that the POST/PUT code might not update the cache files while the old GET code does. Given that 2.7.x is considered stable I'm getting a bit nervous that such a bug is still present and we are basically stuck on an outdated version. Regards, Dennis
Re: [Puppet Users] Bug #9388 prevents us from upgrading to 2.7.x
On Tue, 2011-12-20 at 08:32 -0800, Dennis Jacobfeuerborn wrote: Hi, can somebody who understands the puppet codebase take a look at bug #9388? I isolated the problem and it seems that the yaml cache files are not properly updated when mongrel is used. Cody Robertson added that the switch from GET to POST/PUT between 2.6.x and 2.7.x might be the problem and that the POST/PUT code might not update the cache files while the old GET code does. Given that 2.7.x is considered stable I'm getting a bit nervous that such a bug is still present and we are basically stuck on an outdated version. I believe this was fixed as part of the work in: https://projects.puppetlabs.com/issues/9109 So it was released in 2.7.8rc1, and should definitely be fixed in 2.7.8. -- Brice Figureau Follow the latest Puppet Community evolutions on www.planetpuppet.org!
Re: [Puppet Users] custom facts loaded twice
On Tue, Dec 20, 2011 at 6:32 AM, Arnau Bria listsar...@gmail.com wrote: Hi all, Every time I run puppet manually I see the message: # puppetd --test --server $SERVER info: Retrieving plugin info: Loading facts in hwtype info: Loading facts in odd_ip info: Loading facts in default_gateway info: Loading facts in hwtype info: Loading facts in odd_ip info: Loading facts in default_gateway info: Caching catalog for XX As you can see facts are loaded twice. Everything works fine, but I'm wondering if this is normal or we have some misconfiguration. It's not a misconfiguration and it might be unavoidable based on discussions in http://projects.puppetlabs.com/issues/8341 Thanks, Nan
Re: [Puppet Users] Bug #9388 prevents us from upgrading to 2.7.x
Confirming that was fixed and is available in 2.7.8+ On Tue, Dec 20, 2011 at 8:59 AM, Brice Figureau brice-pup...@daysofwonder.com wrote: On Tue, 2011-12-20 at 08:32 -0800, Dennis Jacobfeuerborn wrote: Hi, can somebody who understands the puppet codebase take a look at bug #9388? I isolated the problem and it seems that the yaml cache files are not properly updated when mongrel is used. Cody Robertson added that the switch from GET to POST/PUT between 2.6.x and 2.7.x might be the problem and that the POST/PUT code might not update the cache files while the old GET code does. Given that 2.7.x is considered stable I'm getting a bit nervous that such a bug is still present and we are basically stuck on an outdated version. I believe this was fixed as part of the work in: https://projects.puppetlabs.com/issues/9109 So it was released in 2.7.8rc1, and should definitely be fixed in 2.7.8. -- Brice Figureau Follow the latest Puppet Community evolutions on www.planetpuppet.org!
[Puppet Users] Can Puppet be configured to one-time deployment for modules?
We are developing in-house RHEL VM provisioning (similar to Satellite/Spacewalk) along with a customized kickstart template, but also including Puppet to handle the actual configuration of the environment. One thing we need to see is does Puppet have a variable that will deploy one module only once and not check against it just in case the configuration file it has created has been altered or not and try to revert back. Example: Boot using PXEBoot w/ DHCP, build RHEL VM using custom kickstart configuration, create local repo file with pointers to in-house repository and comment out the variables to use the RHN driven one, download from the repo and apply the RHN/Errata updates, then reconfigure the rc.local to install Puppet on the reboot and apply the actual environment requirements (i.e. check to see if it's an Apache web server, Oracle database, Weblogic/JBoss portal, etc). The last part is the deciding factor -- as this part of the requirements are quite possibly going to change via the developers that are actually using the environment for testing and tweaking the RHEL OS memory and TCP communication needs (/etc/sysctl.conf) or the Apache /etc/httpd/httpd.conf code. We don't want Puppet to revert back the code variables as these are being modified by hand and not using SVN or any other type of code version control at this time. Anyone know if module exclusion is possible for a deploy once, don't touch again scenario?
Re: [Puppet Users] Re: Puppet with Ruby1.9 issue
That should be fine as long as you're only running on Ruby 1.9. A fix for this issue went into our 2.7.x branch yesterday [https://github.com/puppetlabs/puppet/commit/933844567fbe4078cb76f2c089ced1cb6c4170b7]. I'd love to hear if that solves your problems, although I think on 1.9.2 it's functionally equivalent to what you're already doing. On Fri, Dec 16, 2011 at 4:50 AM, linuxbsdfreak linuxbsdfr...@gmail.com wrote: Hi, As I already mentioned in the 1st post, I have edited the file and changed the entries mentioned in the post. I changed /usr/lib64/ruby/gems/1.9.1/gems/puppet-2.7.9/lib/puppet/application/cert.rb Eg: option("--all", "-a") do @all = true end to option("--all", "-a") do |*_| @all = true end Is the syntax correct or wrong? Regards, Kevin On Dec 15, 8:57 pm, Ken Barber k...@puppetlabs.com wrote: Okay - so it's a known issue: http://projects.puppetlabs.com/issues/7428 Looks like there is a workaround there Kevin. Let us know how you go. ken. On Thu, Dec 15, 2011 at 7:40 PM, Ken Barber k...@puppetlabs.com wrote: Dan - Some distros pinned these kind of directories at 1.9.1. For example in Debian the package is called ruby-1.9.1 even though its version is 1.9.2/1.9.3 (depending on release). # ruby1.9.1 --version ruby 1.9.3p0 (2011-10-30 revision 33570) [x86_64-linux] # ls /usr/lib/ruby/ 1.8 1.9.1 vendor_ruby Anyhow ... what is interesting, is that I can replicate this on wheezy. # gem1.9.1 install puppet # ruby1.9.1 /usr/local/bin/puppet cert --list /var/lib/gems/1.9.1/gems/facter-1.6.4/lib/facter/util/config.rb:7: Use RbConfig instead of obsolete and deprecated Config. /usr/lib/ruby/1.9.1/rubygems/custom_require.rb:36:in `require': iconv will be deprecated in the future, use String#encode instead. Could not parse options: wrong number of arguments (1 for 0) And switching back to the packaged version: # /usr/bin/puppet cert --list --all + dashboard (B6:1F:91:F3:70:E4:AD:C5:4C:B8:40:BF:0D:2A:7D:C5) + db1.vms.cloud.bob.sh (C6:B2:F7:3E:9A:DB:F7:75:22:CD:6F:30:55:3E:C5:06) + foremanweb1.vms.cloud.bob.sh(F8:0D:12:BB:F8:D1:3A:AD:A2:73:46:E2:78:85:69:86) + k...@bob.sh (CB:9C:4E:67:41:59:4B:43:39:0C:4B:DD:25:A2:19:D8) + lb1.vms.cloud.bob.sh (73:C7:B3:4D:C9:5A:1D:D6:80:C2:57:96:B5:0A:A9:C1) + mc-server-global (52:63:C0:02:14:83:CD:9D:36:0D:82:3F:E3:19:03:E1) + node1.cloud.bob.sh (4B:12:11:DE:8F:21:71:EA:50:3A:70:97:81:0C:A9:E4) (alt names: DNS:puppet, DNS:node1.cloud.bob.sh, DNS:puppet.cloud.bob.sh) + web1.vms.cloud.bob.sh (68:CC:0A:6F:80:CC:84:DE:3D:37:0A:02:E5:2A:BA:6D) root@node1:~# Odd. I'll dig a bit further. ken. On Thu, Dec 15, 2011 at 7:20 PM, Daniel Pittman dan...@puppetlabs.com wrote: On Thu, Dec 15, 2011 at 02:33, linuxbsdfreak linuxbsdfr...@gmail.com wrote: Hey there. I have a running puppetmaster with nginx and passenger and ruby 1.9.2. I see something odd here - 1.9.2 in the line above, and ... When I do puppet cert --trace --list, I get the following error. /usr/lib64/ruby/gems/1.9.1/gems/puppet-2.7.9/lib/puppet/application/cert.rb:43:in `block (2 levels) in <class:Cert>' ... 1.9.1 here. Which we don't actually support. My guess is you are running with 1.9.1 accidentally, and that is breaking. Daniel -- ⎋ Puppet Labs Developer – http://puppetlabs.com ♲ Made with 100 percent post-consumer electrons
[Puppet Users] Recommendation for general practice for application deployment?
Hi: I have a pretty general high-level question regarding application deployment using puppet infrastructure. Being new with puppet here we have a pretty simple module setup where we are utilizing a basic package-file-service combo for a tomcat application server, and with some additional war files for our apps. One of the engineering requirements regarding app deployment is to make sure tomcat shuts down cleanly before we move in with the new app war files. The way we handle new app release is via file resource that points to different puppet source based on the release tag. So the question is, given the service resource is also within the same module with the file, how do I make sure we can do the following sequentially?: 1. Shutdown the tomcat instance (service resource in tomcat module) 2. Update the application war file (file resource in tomcat module) 3. Start the tomcat instance We've been using mcollective to manually shutdown the service before applying puppet run, but I'm not sure if the sequence is correct. Thanks in advance. --KL
[Puppet Users] Windows
Hi, Windows - Puppet - Documentation seems to be lacking. I may not be looking in the right place. Help? I'm starting a second effort [1] with Puppet at work. Got the master running, an agent (look we can change the login banner!). A fellow from the Windows server team wandered over. They like the Unix side of the office because it's a lot calmer over here, without a lot of excited managers running around yammering about downtime and production outages. I explained It's like SMS but for Solaris. And Linux. Look, I can change the login banner on all 200 hosts by editing _a_ file ... He got real excited and started babbling about making sure all files on his IIS cluster were synched up. To be honest I'm not sure what he was talking about (he'd been up the night before with a production problem with IIS and was kinda punchy) but the idea of Puppet dropping 'a' copy of 'a' file to umpty-dozen servers seemed to make him real happy. So what's the deal with Puppet and Windows? I see from this mail list people have got it going as an agent, but I can't find much in the way of documentation. Anything like a doc, a how-to, a readme out there for Puppet / Windows? [1] 1st effort a few years ago made it to the pilot stage (look we can change the login banner!) then died for lack of time and management attention.
[Puppet Users] certificate sync methods?
Hi All, We are going to setup two puppet masters, each will include the full stack of services. Apache as the frontend on both load balancing to the backend services on both. We will be using keepalived and VIP whose A record is puppet.domain. We would like to have the CA in active/active on the two servers. The question then is what is the best method for synchronizing certs between these hosts bi-directionally? My first thought was doing something with inotify but then there is also unison. While we may end up doing as Pro Puppet suggests and having only one be active and the other CA a hot standby, it would still be best to sync bi-directionally. What are others doing? -Ryan
Re: [Puppet Users] custom facts loaded twice
I'm seeing this too, Debian 5.0.9 / puppet 2.7.9. On Tue, Dec 20, 2011 at 16:32, Arnau Bria listsar...@gmail.com wrote: Hi all, Every time I run puppet manually I see the message: # puppetd --test --server $SERVER info: Retrieving plugin info: Loading facts in hwtype info: Loading facts in odd_ip info: Loading facts in default_gateway info: Loading facts in hwtype info: Loading facts in odd_ip info: Loading facts in default_gateway info: Caching catalog for XX As you can see facts are loaded twice. Everything works fine, but I'm wondering if this is normal or we have some misconfiguration. Honestly, I don't know what conf to provide apart from client's puppet conf file: [main] # Where Puppet stores dynamic and growing data. # The default value is '/var/puppet'. vardir = /var/lib/puppet # The Puppet log directory. # The default value is '$vardir/log'. logdir = /var/log/puppet # Where Puppet PID files are kept. # The default value is '$vardir/run'. rundir = /var/run/puppet # Where SSL certificates are kept. # The default value is '$confdir/ssl'. ssldir = $vardir/ssl pluginsync = true [agent] # The file in which puppetd stores a list of the classes # associated with the retrieved configuratiion. Can be loaded in # the separate ``puppet`` executable using the ``--loadclasses`` # option. # The default value is '$confdir/classes.txt'. classfile = $vardir/classes.txt # Where puppetd caches the local configuration. An # extension indicating the cache format is added automatically. # The default value is '$confdir/localconfig'. localconfig = $vardir/localconfig report = false Cheers, Arnau -- Walter Heck -- follow @walterheck on twitter to see what I'm up to! -- Check out my new startup: Server Monitoring as a Service @ http://tribily.com Follow @tribily on Twitter and/or 'Like' our Facebook page at http://www.facebook.com/tribily
Re: [Puppet Users] Re: [Puppet-dev] Re: When the lint accumulates...
On 2011-19-12 21:00, James Turnbull wrote: So what can you do to help? Well firstly help us identify any syntax, language constructions, structures etc that have caused issues for you or that when used result in errors or issues. You can let us know about these in three ways 1) When I run puppet-lint manifests/*.pp, it would be nice to have the filenames output. Right now it just outputs all errors for all files in one big list, which doesn't tell me which error belongs to which file. 2) I'd like to define the errorlevel (eg. --errorlevel=error) looks nice so far, wish we could have this in geppetto soon :) cheers, -- Walter Heck -- follow @walterheck on twitter to see what I'm up to! -- Check out my new startup: Server Monitoring as a Service @ http://tribily.com Follow @tribily on Twitter and/or 'Like' our Facebook page at http://www.facebook.com/tribily
[Puppet Users] Geppetto templates
Hello all, I was wondering if anyone happens to sit on a nice template library for geppetto they would be willing to share? kind regards, -- Walter Heck -- Co-founder @ Tribily (http://tribily.com) In-depth Server Monitoring as a Service -- Follow @tribily on Twitter and/or 'Like' our Facebook page at http://www.facebook.com/tribily
[Puppet Users] a question about ensure file exists
hi all: if we need to ensure a file exists in a folder that has not yet been created, puppet will simply report an error. for example: file { "/aaa/bbb/ccc/aaa": ensure => 'present'; } if directory ccc has not yet been created, the puppet client run will get an error message. Does puppet have any function to auto mkdir -p this path and make sure the file exists?
Re: [Puppet Users] Re: [Puppet-dev] Re: When the lint accumulates...
Walter Heck wrote: On 2011-19-12 21:00, James Turnbull wrote: So what can you do to help? Well firstly help us identify any syntax, language constructions, structures etc that have caused issues for you or that when used result in errors or issues. You can let us know about these in three ways 1) When I run puppet-lint manifests/*.pp, it would be nice to have the filenames output. Right now it just outputs all errors for all files in one big list, which doesn't tell me which error belongs to which file. There's a patch for this already: https://github.com/rodjek/puppet-lint/pull/38. 2) I'd like to define the errorlevel (eg. --errorlevel=error) I've added a ticket for this also: https://github.com/rodjek/puppet-lint/issues/45 Regards James Turnbull -- James Turnbull Puppet Labs 1-503-734-8571 To schedule a meeting with me: http://tungle.me/jamtur01
Re: [Puppet Users] Re: [Puppet-dev] Re: When the lint accumulates...
Christopher Johnston wrote: Is there a minimum version of ruby or puppet for it to work? I am open to running this on my entire puppet tree (close to 53 modules and growing). puppet-lint /etc/puppet/manifests /usr/lib/ruby/gems/1.8/gems/puppet-lint-0.1.7/bin/../lib/puppet-lint/plugin.rb:43: warning: parenthesize argument(s) /usr/lib/ruby/gems/1.8/gems/puppet-lint-0.1.7/bin/../lib/puppet-lint.rb:28:in `read': Is a directory - /etc/puppet/mE from /usr/lib/ruby/gems/1.8/gems/puppet-lint-0.1.7/bin/../lib/puppet-lint.rb:28:in `file=' from /usr/lib/ruby/gems/1.8/gems/puppet-lint-0.1.7/bin/puppet-lint:51 from /usr/bin/puppet-lint:19:in `load' from /usr/bin/puppet-lint:19 Christopher You're trying to read a directory - it needs a file. $ puppet-lint /path/to/file.pp I usually grep all my files in /etc/puppet/manifests or modules and pipe all the .pp files through puppet-lint. Regards James Turnbull -- James Turnbull Puppet Labs 1-503-734-8571 To schedule a meeting with me: http://tungle.me/jamtur01
Re: [Puppet Users] Puppet capacity with apache+passenger, server saturated
Here's how I do it, which IMHO works really well in most situations and is much simpler. No external scripts, no custom functions. We take the IP address of the system, strip out the periods, and modulo 30 it:

    $cron_time1 = generate('/usr/bin/env', 'sh', '-c', "printf $(($(echo $::ipaddress | awk -F . \'{print \$1+\$2+\$3+\$4}\') % 30))")
    $cron_time2 = $cron_time1 + 30

Now, that's if you want to have your systems check in twice per hour. You can adjust it accordingly if you want quicker or longer check-in intervals.

Jeffrey.

On Tue, Dec 20, 2011 at 7:46 AM, Trevor Vaughan tvaug...@onyxpoint.com wrote:

> One other thing to look at is how many nodes are hitting your server at once. If you're not using the ip_to_cron function from the Cron Patterns page, you might want to take a look at it. http://projects.puppetlabs.com/projects/1/wiki/Cron_Patterns
>
> Some people are also using MCollective to do a more controlled call-in of nodes.
>
> Trevor
>
> On Fri, Dec 16, 2011 at 7:56 AM, Antonio Xanxess antonio.sanchez.agui...@gmail.com wrote:
>
>> Hi everyone, I have a problem with my Puppet server, the server is overloaded and processes need to add half of my farm nodes yet! The server is hosted on a blade with the following characteristics:
>>
>> Processors: 8 cores
>> Memory Ram: 12 Gb
>> Operating System: Debian Squeeze
>> Version of parcel: 2.7.1-1 ~ bpo60 puppet 1 puppet-common 2.7.1-1 ~ bpo60 1 2.7.1-1 ~ bpo60 1 puppetmaster puppetmaster 2.7.1-1 ~ bpo60-1 common puppet vim 2.7.1-1 ~ bpo60-1
>>
>> The number of nodes that I have now is 1927 and I'm in the middle of the deployment process. The nodes do not use the demon puppet, but I created a cron task that runs dispersed to run in one hour intervals.
>>
>> With these data the server is currently using on average 4 cores, but the RAM is used almost entirely (it has 1 GB free of 12). I would like to know some technical expert for the optimization of services, anything you can think of will help me because I am a bit blocked. I've been thinking about creating another puppetmaster and use a load balancer, but in my case would have security problems because the connections are behind the balancer and servers unencrypted would be in different physical locations, having to go unencrypted information by the network.
>>
>> Thank you and if you need some data from the server will put. A greeting!
>
> -- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 tvaug...@onyxpoint.com -- This account not approved for unencrypted proprietary information --
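The splay arithmetic from Jeffrey's message, written as a standalone shell function; this is an added example, not code from the thread. Because the address is a fact reported by the agent and the `generate()` call hands it to `sh -c` on the master, the sketch first checks that the value is a plain dotted quad. The function names, the sample addresses and the `puppet agent --onetime --no-daemonize` cron command are assumptions.

```shell
#!/bin/sh
# Added example: "sum of the octets modulo 30" splay with input validation.

# is_ipv4 ADDR: succeed only for four decimal octets 0..255, no leading zeros.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;   # only digits and dots are allowed
        *.*.*.*.*)    return 1 ;;   # more than three dots
        *.*.*.*)      ;;            # exactly three dots
        *)            return 1 ;;   # fewer than three dots
    esac
    _rest=$1
    for _i in 1 2 3 4; do
        _octet=${_rest%%.*}
        _rest=${_rest#*.}
        case "$_octet" in
            # empty, leading zero (read as octal inside $(( ))), or too long
            ''|0?*|????*) return 1 ;;
        esac
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# splay_minutes ADDR: print "M1 M2", M1 = (a+b+c+d) % 30 and M2 = M1 + 30.
splay_minutes() {
    is_ipv4 "$1" || { echo "splay_minutes: not an IPv4 address" >&2; return 1; }
    _rest=$1
    _sum=0
    for _i in 1 2 3 4; do
        _sum=$((_sum + ${_rest%%.*}))
        _rest=${_rest#*.}
    done
    _m1=$((_sum % 30))
    echo "$_m1 $((_m1 + 30))"
}

# cron_entry ADDR COMMAND: print a crontab line running COMMAND twice an hour.
cron_entry() {
    _mins=$(splay_minutes "$1") || return 1
    echo "${_mins% *},${_mins#* } * * * * $2"
}

# Constructed sample values, not hosts from the thread; the last two are malformed.
for _addr in 192.168.1.10 172.16.4.200 010.0.0.1 '10.0.0.1;x'; do
    cron_entry "$_addr" 'puppet agent --onetime --no-daemonize' ||
        echo "rejected: $_addr"
done
```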
Re: [Puppet Users] certificate sync methods?
In our case the ssldir is on a shared filesystem.

On Mon, Dec 19, 2011 at 5:15 PM, Ryan Bowlby rbowlb...@gmail.com wrote:

> Hi All,
>
> We are going to setup two puppet masters, each will include the full stack of services. Apache as the frontend on both load balancing to the backend services on both. We will be using keepalived and VIP whose A record is puppet.domain. We would like to have the CA in active/active on the two servers.
>
> The question then is what is the best method for synchronizing certs between these hosts bi-directionally? My first thought was doing something with inotify but then there is also unison. While we may end up doing as Pro Puppet suggests and having only one be active and the other CA a hot standby, it would still be best to sync bi-directionally. What are others doing?
>
> -Ryan
Re: [Puppet Users] a question about ensure file exists
Any reason you can't do the following?

    file { "/aaa/bbb/ccc":
      ensure => 'directory',
    }

Jeffrey.

On Thu, Dec 15, 2011 at 9:43 PM, chateau Xiao chateau.x...@gmail.com wrote:

> hi all: if we need to ensure a file exist in a folder that not yet been created. puppet will simply report error. for example:
>
>     file { "/aaa/bbb/ccc/aaa":
>       ensure => 'present';
>     }
>
> if directory ccc not yet been created, puppet client execute will get an error message. Does puppet have any function to auto mkdir -p this path and make sure the file exist?
Re: [Puppet Users] Can Puppet be configured to one-time deployment for modules?
On Dec 20, 2011, at 9:49 AM, Swampcritter wrote:

> We are developing in-house RHEL VM provisioning (similar to Satellite/Spacewalk) along with a customized kickstart template, but also including Puppet to handle the actual configuration of the environment. One thing we need to see is does Puppet have a variable that will deploy one module only once and not check against it just in case the configuration file it has created has been altered or not and try to revert back.
>
> Example: Boot using PXEBoot w/ DHCP, build RHEL VM using custom kickstart configuration, create local repo file with pointers to in-house repository and comment out the variables to use the RHN driven one, download from the repo and apply the RHN/Errata updates, then reconfigure the rc.local to install Puppet on the reboot and apply the actual environment requirements (i.e. check to see if it's an Apache web server, Oracle database, Weblogic/JBoss portal, etc).
>
> The last part is the deciding factor -- as this part of the requirements are quite possibly going to change via the developers that are actually using the environment for testing and tweaking the RHEL OS memory and TCP communication needs (/etc/sysctl.conf) or the Apache /etc/httpd/httpd.conf code. We don't want Puppet to revert back the code variables as these are being modified by hand and not using SVN or any other type of code version control at this time.
>
> Anyone know if module exclusion is possible for a deploy once, don't touch again scenario?

this sort of goes against the grain of what puppet intends but this is what I do for a few things... (watch out for mail driven line wrapping)

    class mod_puppet::deployment_files {
      exec { "Make /etc/puppet/deployment_files":
        command => "/bin/mkdir /etc/puppet/deployment_files",
        unless  => "/bin/ls -l /etc/puppet/deployment_files",
      }
    }

    class postfix::configure {
      include mod_puppet::deployment_files

      file { "/etc/puppet/deployment_files/postfix-main.cf":
        ensure  => present,
        owner   => postfix,
        group   => postfix,
        mode    => 0664,
        content => template("postfix/main.cf.erb"),
        require => Class["postfix::install", "mod_puppet::deployment_files"],
        notify  => Class["postfix::service"],
      }

      exec { "Deploy postfix/main.cf from template":
        command => "/bin/cp /etc/postfix/main.cf /etc/postfix/main.cf-backup; /bin/cat /etc/puppet/deployment_files/postfix-main.cf > /etc/postfix/main.cf; /bin/touch /etc/puppet/deployment_files/postfix-main.cf-deployed",
        unless  => "/bin/ls -l /etc/puppet/deployment_files/postfix-main.cf-deployed",
        require => File["/etc/puppet/deployment_files/postfix-main.cf"],
      }
    }
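The marker-file pattern from the manifest above, as an added shell example that is not code from the thread: the staged file is copied over the live one only while no marker exists, so later hand edits survive. Unlike the `;`-chained exec, this sketch writes the marker only after the copy succeeds; the function name and the file contents are assumptions.

```shell
#!/bin/sh
# Added example: deploy a staged config file exactly once, guarded by a marker.

# deploy_once SRC DEST MARKER
#   Prints "deployed" or "skipped". Returns non-zero (and writes no marker)
#   if the source is unreadable or a copy step fails.
deploy_once() {
    _src=$1; _dest=$2; _marker=$3
    if [ -e "$_marker" ]; then
        echo skipped                      # already deployed: leave DEST alone
        return 0
    fi
    if [ ! -r "$_src" ]; then
        echo "deploy_once: cannot read $_src" >&2
        return 1
    fi
    if [ -e "$_dest" ]; then
        # Keep the pre-deployment file, with its mode and timestamps.
        cp -p "$_dest" "$_dest-backup" || return 1
    fi
    # Overwrite in place so DEST keeps its existing owner and mode.
    cat "$_src" > "$_dest" || return 1
    : > "$_marker" || return 1
    echo deployed
}

# Demo in a throwaway directory; all file contents are constructed.
_demo=$(mktemp -d) || exit 1
printf 'myhostname = staged.example\n' > "$_demo/staged"
printf 'myhostname = distro.example\n' > "$_demo/main.cf"
deploy_once "$_demo/staged" "$_demo/main.cf" "$_demo/main.cf-deployed"
printf 'myhostname = edited-by-hand.example\n' > "$_demo/main.cf"
deploy_once "$_demo/staged" "$_demo/main.cf" "$_demo/main.cf-deployed"
cat "$_demo/main.cf"
rm -rf "$_demo"
```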
Re: [Puppet Users] Can Puppet be configured to one-time deployment for modules?
If you really don't want ongoing configuration management then Puppet may not be your tool of choice. Cobbler perhaps?

On Tue, Dec 20, 2011 at 10:41 AM, Craig White craig.wh...@ttiltd.com wrote:

> On Dec 20, 2011, at 9:49 AM, Swampcritter wrote:
>
>> We are developing in-house RHEL VM provisioning (similar to Satellite/Spacewalk) along with a customized kickstart template, but also including Puppet to handle the actual configuration of the environment. One thing we need to see is does Puppet have a variable that will deploy one module only once and not check against it just in case the configuration file it has created has been altered or not and try to revert back.
>>
>> Example: Boot using PXEBoot w/ DHCP, build RHEL VM using custom kickstart configuration, create local repo file with pointers to in-house repository and comment out the variables to use the RHN driven one, download from the repo and apply the RHN/Errata updates, then reconfigure the rc.local to install Puppet on the reboot and apply the actual environment requirements (i.e. check to see if it's an Apache web server, Oracle database, Weblogic/JBoss portal, etc).
>>
>> The last part is the deciding factor -- as this part of the requirements are quite possibly going to change via the developers that are actually using the environment for testing and tweaking the RHEL OS memory and TCP communication needs (/etc/sysctl.conf) or the Apache /etc/httpd/httpd.conf code. We don't want Puppet to revert back the code variables as these are being modified by hand and not using SVN or any other type of code version control at this time.
>>
>> Anyone know if module exclusion is possible for a deploy once, don't touch again scenario?
>
> this sort of goes against the grain of what puppet intends but this is what I do for a few things... (watch out for mail driven line wrapping)
>
>     class mod_puppet::deployment_files {
>       exec { "Make /etc/puppet/deployment_files":
>         command => "/bin/mkdir /etc/puppet/deployment_files",
>         unless  => "/bin/ls -l /etc/puppet/deployment_files",
>       }
>     }
>
>     class postfix::configure {
>       include mod_puppet::deployment_files
>
>       file { "/etc/puppet/deployment_files/postfix-main.cf":
>         ensure  => present,
>         owner   => postfix,
>         group   => postfix,
>         mode    => 0664,
>         content => template("postfix/main.cf.erb"),
>         require => Class["postfix::install", "mod_puppet::deployment_files"],
>         notify  => Class["postfix::service"],
>       }
>
>       exec { "Deploy postfix/main.cf from template":
>         command => "/bin/cp /etc/postfix/main.cf /etc/postfix/main.cf-backup; /bin/cat /etc/puppet/deployment_files/postfix-main.cf > /etc/postfix/main.cf; /bin/touch /etc/puppet/deployment_files/postfix-main.cf-deployed",
>         unless  => "/bin/ls -l /etc/puppet/deployment_files/postfix-main.cf-deployed",
>         require => File["/etc/puppet/deployment_files/postfix-main.cf"],
>       }
>     }
Re: [Puppet Users] Can Puppet be configured to one-time deployment for modules?
On Tue, Dec 20, 2011 at 08:49, Swampcritter mawors...@gmail.com wrote:

> We are developing in-house RHEL VM provisioning (similar to Satellite/Spacewalk) along with a customized kickstart template, but also including Puppet to handle the actual configuration of the environment. One thing we need to see is does Puppet have a variable that will deploy one module only once and not check against it just in case the configuration file it has created has been altered or not and try to revert back.
>
> [...]
>
> Anyone know if module exclusion is possible for a deploy once, don't touch again scenario?

Not as stated, but the problem can be solved several ways:

1. You can use `puppet apply`
   This will happily apply any modules you want, stand-alone, without doing anything long term.

2. You can just run Puppet master/agent when you want to enforce, which you can only do once if you want.
   I don't know there is anything more to say, but as a hint, putting `noop = true` in the configuration file helps make it hard to mess this up.

3. You can use environments, which select the set of code applied to a machine.
   Put your do once stuff in a do once environment, and manually run Puppet in that environment when you want it to do things.

4. Use a separate Puppet master.
   This is like the environments, but harder to accidentally mess up, because you have two separate masters with separate content.

Daniel

-- ⎋ Puppet Labs Developer – http://puppetlabs.com ♲ Made with 100 percent post-consumer electrons
Re: [Puppet Users] Can Puppet be configured to one-time deployment for modules?
On Tue, Dec 20, 2011 at 11:49 AM, Swampcritter mawors...@gmail.com wrote:

> We are developing in-house RHEL VM provisioning (similar to Satellite/Spacewalk) along with a customized kickstart template, but also including Puppet to handle the actual configuration of the environment. One thing we need to see is does Puppet have a variable that will deploy one module only once and not check against it just in case the configuration file it has created has been altered or not and try to revert back.

I'm looking at a similar use for Puppet. We want to use Puppet to both provision and manage hosts. The provisioning process will set up a bunch of files according to our security / policy requirements, but not all of these files need to be controlled by Puppet for the life of the server. To put it another way, the number of classes used to manage servers will be a subset of the classes used to provision those servers.

> The last part is the deciding factor -- as this part of the requirements are quite possibly going to change via the developers that are actually using the environment for testing and tweaking the RHEL OS memory and TCP communication needs (/etc/sysctl.conf) or the Apache /etc/httpd/httpd.conf code. We don't want Puppet to revert back the code variables as these are being modified by hand and not using SVN or any other type of code version control at this time.
>
> Anyone know if module exclusion is possible for a deploy once, don't touch again scenario?

I'm contemplating options for this. One is to use environments. In my scenario, I think I'd have two defined environments (provisioning and production), but configure both environments to use the same modulepath. This will allow us to reuse classes between provisioning and production. The provisioning environment would have a site.pp with a default node that simply includes all the necessary classes for provisioning a virgin server. Part of the Kickstart %post would be to install and invoke Puppet against the provisioning environment.

We could do this with separate Puppet Masters, but that feels like more overhead for little added benefit in our scenario.

Cheers,
Scott
Re: [Puppet Users] Can Puppet be configured to one-time deployment for modules?
On Tue, Dec 20, 2011 at 8:49 AM, Swampcritter mawors...@gmail.com wrote:

> We are developing in-house RHEL VM provisioning (similar to Satellite/Spacewalk) along with a customized kickstart template, but also including Puppet to handle the actual configuration of the environment. One thing we need to see is does Puppet have a variable that will deploy one module only once and not check against it just in case the configuration file it has created has been altered or not and try to revert back.
>
> Example: Boot using PXEBoot w/ DHCP, build RHEL VM using custom kickstart configuration, create local repo file with pointers to in-house repository and comment out the variables to use the RHN driven one, download from the repo and apply the RHN/Errata updates, then reconfigure the rc.local to install Puppet on the reboot and apply the actual environment requirements (i.e. check to see if it's an Apache web server, Oracle database, Weblogic/JBoss portal, etc).
>
> The last part is the deciding factor -- as this part of the requirements are quite possibly going to change via the developers that are actually using the environment for testing and tweaking the RHEL OS memory and TCP communication needs (/etc/sysctl.conf) or the Apache /etc/httpd/httpd.conf code. We don't want Puppet to revert back the code variables as these are being modified by hand and not using SVN or any other type of code version control at this time.
>
> Anyone know if module exclusion is possible for a deploy once, don't touch again scenario?

You can use a completely separate bootstrap environment if it's significantly different.

    # onetime
    puppet agent --environment bootstrap
    # later on
    puppet agent --environment production

Or you can use a custom fact. Easiest way is either environment variable or facts.d (see stdlibs).

    FACTER_bootstrap=true puppet agent -t

    node example {
      if $::bootstrap {
        include onetime_class
      } else {
        include normal_class
      }
    }

Thanks,
Nan
Re: [Puppet Users] Can Puppet be configured to one-time deployment for modules?
An easy way to avoid messing up a development box as you describe is to not run the puppet client on it.

Contrarywise, how about using tags? http://projects.puppetlabs.com/projects/1/wiki/Using_Tags

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.” Bill Waterson (Calvin Hobbes)

- Swampcritter mawors...@gmail.com wrote:

> We are developing in-house RHEL VM provisioning (similar to Satellite/Spacewalk) along with a customized kickstart template, but also including Puppet to handle the actual configuration of the environment. One thing we need to see is does Puppet have a variable that will deploy one module only once and not check against it just in case the configuration file it has created has been altered or not and try to revert back.
>
> Example: Boot using PXEBoot w/ DHCP, build RHEL VM using custom kickstart configuration, create local repo file with pointers to in-house repository and comment out the variables to use the RHN driven one, download from the repo and apply the RHN/Errata updates, then reconfigure the rc.local to install Puppet on the reboot and apply the actual environment requirements (i.e. check to see if it's an Apache web server, Oracle database, Weblogic/JBoss portal, etc).
>
> The last part is the deciding factor -- as this part of the requirements are quite possibly going to change via the developers that are actually using the environment for testing and tweaking the RHEL OS memory and TCP communication needs (/etc/sysctl.conf) or the Apache /etc/httpd/httpd.conf code. We don't want Puppet to revert back the code variables as these are being modified by hand and not using SVN or any other type of code version control at this time.
>
> Anyone know if module exclusion is possible for a deploy once, don't touch again scenario?
Re: [Puppet Users] certificate sync methods?
I am working on an idea for using my Cobbler-Server/PuppetMaster as a CA for TLS/SSL (R)syslogging where the CA generates all the certs. That way, bi-directional cert sync is unnecessary. The PuppetMaster becomes the CertMaster.

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.” Bill Waterson (Calvin Hobbes)

- Aaron Grewell aaron.grew...@gmail.com wrote:

> In our case the ssldir is on a shared filesystem.
>
> On Mon, Dec 19, 2011 at 5:15 PM, Ryan Bowlby rbowlb...@gmail.com wrote:
>
>> Hi All,
>>
>> We are going to setup two puppet masters, each will include the full stack of services. Apache as the frontend on both load balancing to the backend services on both. We will be using keepalived and VIP whose A record is puppet.domain. We would like to have the CA in active/active on the two servers.
>>
>> The question then is what is the best method for synchronizing certs between these hosts bi-directionally? My first thought was doing something with inotify but then there is also unison. While we may end up doing as Pro Puppet suggests and having only one be active and the other CA a hot standby, it would still be best to sync bi-directionally. What are others doing?
>>
>> -Ryan
Re: [Puppet Users] Can Puppet be configured to one-time deployment for modules?
- Nan Liu n...@puppetlabs.com wrote:

> You can use a completely separate bootstrap environment if it's significantly different.
>
>     # onetime
>     puppet agent --environment bootstrap
>     # later on
>     puppet agent --environment production
>
> Or you can use a custom fact. Easiest way is either environment variable or facts.d (see stdlibs).
>
>     FACTER_bootstrap=true puppet agent -t
>
>     node example {
>       if $::bootstrap {
>         include onetime_class
>       } else {
>         include normal_class
>       }
>     }
>
> Thanks,
> Nan

Excellent suggestion. Better than tags or not running puppet and less resource intensive than running multiple puppet masters

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.” Bill Waterson (Calvin Hobbes)
[Puppet Users] Network config module won't work. -Mac address errors
Hello,

I created a module for modifying the base network settings on a machine. However no matter what changes I make it keeps giving me the error "has different MAC address than expected, ignoring" when the network tries to startup. I am testing this out on the puppet learning VM.

Does anyone see anything wrong with my code:

init.pp
--

    define basehost ($ipaddress, $gateway, $hostname, $environ, $macaddress) {
      file { 'hosts':
        path    => '/etc/hosts',
        ensure  => 'present',
        owner   => 'root',
        group   => 'root',
        mode    => '644',
        content => template("basehost/hosts.erb"),
        notify  => Service["network"],
      }
      file { 'resolv.conf':
        path    => '/etc/resolv.conf',
        ensure  => 'present',
        owner   => 'root',
        group   => 'root',
        mode    => '644',
        content => template("basehost/resolv.conf.erb"),
        notify  => Service["network"],
      }
      file { 'network':
        path    => '/etc/sysconfig/network',
        ensure  => 'present',
        owner   => 'root',
        group   => 'root',
        mode    => '644',
        content => template("basehost/network.erb"),
        notify  => Service["network"],
      }
      file { 'ifcfg-eth0':
        path    => '/etc/sysconfig/network-scripts/ifcfg-eth0',
        ensure  => 'present',
        owner   => 'root',
        group   => 'root',
        mode    => '644',
        content => template("basehost/ifcfg-eth0.erb"),
        notify  => Service["network"],
      }
      service { "network":
        ensure     => running,
        hasstatus  => true,
        hasrestart => true,
        restart    => "/etc/init.d/network restart",
      }
    }

hosts.erb

    # Do not remove the following line, or various programs
    # that require network functionality will fail.
    127.0.0.1 localhost.localdomain localhost
    <%= ipaddress %> <%= hostname %> <%= hostname %>.<%= environ %>.mydomain.local manage.<%= environ %>.mydomain.net
    ::1 localhost6.localdomain6 localhost6

resolve.conf.erb

    search <%= environ %>.mydomain.local
    nameserver 10.180.0.2
    nameserver 10.180.0.4

network.erb
--

    NETWORKING=yes
    NETWORKING_IPV6=no
    HOSTNAME=<%= hostname %>.<%= environ %>.mydomain.local
    GATEWAY=<%= gateway %>

ifcfg-eth0.erb

    # Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
    DEVICE=eth0
    BOOTPROTO=static
    IPADDR=<%= ipaddress %>
    NETMASK=255.255.255.0
    ONBOOT=yes
    HWADDR=<%= macaddress %>

Gets kicked off using:

    basehost { 'basehostsetup':
      ipaddress  => '10.148.0.32',
      gateway    => '10.148.0.1',
      hostname   => 'myhostname',
      environ    => 'test',
      macaddress => '00:50:56:ac:40:8a',
    }
Re: [Puppet Users] Network config module won't work. -Mac address errors
Hello,

What are the VM's definitions of its network interfaces?

Also, if you are trying Linux, what are the contents of /etc/udev/rules.d/70-persistent-net.rules ?

Charles Buckley

On Tue, Dec 20, 2011 at 1:41 PM, Luke lutay...@gmail.com wrote:

> Hello,
>
> I created a module for modifying the base network settings on a machine. However no matter what changes I make it keeps giving me the error "has different MAC address than expected, ignoring" when the network tries to startup. I am testing this out on the puppet learning VM.
>
> Does anyone see anything wrong with my code:
>
> init.pp
> --
>
>     define basehost ($ipaddress, $gateway, $hostname, $environ, $macaddress) {
>       file { 'hosts':
>         path    => '/etc/hosts',
>         ensure  => 'present',
>         owner   => 'root',
>         group   => 'root',
>         mode    => '644',
>         content => template("basehost/hosts.erb"),
>         notify  => Service["network"],
>       }
>       file { 'resolv.conf':
>         path    => '/etc/resolv.conf',
>         ensure  => 'present',
>         owner   => 'root',
>         group   => 'root',
>         mode    => '644',
>         content => template("basehost/resolv.conf.erb"),
>         notify  => Service["network"],
>       }
>       file { 'network':
>         path    => '/etc/sysconfig/network',
>         ensure  => 'present',
>         owner   => 'root',
>         group   => 'root',
>         mode    => '644',
>         content => template("basehost/network.erb"),
>         notify  => Service["network"],
>       }
>       file { 'ifcfg-eth0':
>         path    => '/etc/sysconfig/network-scripts/ifcfg-eth0',
>         ensure  => 'present',
>         owner   => 'root',
>         group   => 'root',
>         mode    => '644',
>         content => template("basehost/ifcfg-eth0.erb"),
>         notify  => Service["network"],
>       }
>       service { "network":
>         ensure     => running,
>         hasstatus  => true,
>         hasrestart => true,
>         restart    => "/etc/init.d/network restart",
>       }
>     }
>
> hosts.erb
>
>     # Do not remove the following line, or various programs
>     # that require network functionality will fail.
>     127.0.0.1 localhost.localdomain localhost
>     <%= ipaddress %> <%= hostname %> <%= hostname %>.<%= environ %>.mydomain.local manage.<%= environ %>.mydomain.net
>     ::1 localhost6.localdomain6 localhost6
>
> resolve.conf.erb
>
>     search <%= environ %>.mydomain.local
>     nameserver 10.180.0.2
>     nameserver 10.180.0.4
>
> network.erb
> --
>
>     NETWORKING=yes
>     NETWORKING_IPV6=no
>     HOSTNAME=<%= hostname %>.<%= environ %>.mydomain.local
>     GATEWAY=<%= gateway %>
>
> ifcfg-eth0.erb
>
>     # Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
>     DEVICE=eth0
>     BOOTPROTO=static
>     IPADDR=<%= ipaddress %>
>     NETMASK=255.255.255.0
>     ONBOOT=yes
>     HWADDR=<%= macaddress %>
>
> Gets kicked off using:
>
>     basehost { 'basehostsetup':
>       ipaddress  => '10.148.0.32',
>       gateway    => '10.148.0.1',
>       hostname   => 'myhostname',
>       environ    => 'test',
>       macaddress => '00:50:56:ac:40:8a',
>     }
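One way to check the condition that error message reports, as an added example that is not code from the thread: compare the HWADDR in the rendered ifcfg file with the address the kernel reports for the device. The function names, the /sys/class/net/<dev>/address lookup and the second sample MAC are assumptions.

```shell
#!/bin/sh
# Added example: does the HWADDR in an ifcfg file match the device's real MAC?

# ifcfg_hwaddr FILE: print the last HWADDR= value in an ifcfg-style file,
# lower-cased, with quotes and whitespace removed (empty if none is set).
ifcfg_hwaddr() {
    sed -n 's/^[[:space:]]*HWADDR=//p' "$1" | tail -n 1 |
        tr -d "\"' \t\r" | tr 'A-F' 'a-f'
}

# is_mac VALUE: succeed only for six colon-separated lower-case hex pairs.
is_mac() {
    _h='[0-9a-f][0-9a-f]'
    case "$1" in
        $_h:$_h:$_h:$_h:$_h:$_h) return 0 ;;
        *) return 1 ;;
    esac
}

# check_hwaddr FILE ACTUAL_MAC: print a verdict; return 0 (ok) or 1 (problem).
check_hwaddr() {
    if [ ! -r "$1" ]; then
        echo "problem: cannot read $1"
        return 1
    fi
    _want=$(ifcfg_hwaddr "$1")
    _have=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ -z "$_want" ]; then
        echo "ok: no HWADDR in $1, nothing to compare"
        return 0
    fi
    if ! is_mac "$_want"; then
        echo "problem: HWADDR '$_want' is not a MAC address"
        return 1
    fi
    if [ "$_want" != "$_have" ]; then
        echo "problem: file expects $_want, device has $_have"
        return 1
    fi
    echo "ok: $_want"
}

# check_device DEV [DIR]: compare ifcfg-DEV with what the kernel reports.
check_device() {
    _dir=${2:-/etc/sysconfig/network-scripts}
    check_hwaddr "$_dir/ifcfg-$1" "$(cat "/sys/class/net/$1/address")"
}

# Demo on a constructed ifcfg file; the second MAC below is made up.
_demo=$(mktemp -d) || exit 1
printf 'DEVICE=eth0\nONBOOT=yes\nHWADDR="00:50:56:AC:40:8A"\n' > "$_demo/ifcfg-eth0"
check_hwaddr "$_demo/ifcfg-eth0" 00:50:56:ac:40:8a
check_hwaddr "$_demo/ifcfg-eth0" 00:0c:29:aa:bb:cc || true
rm -rf "$_demo"
```

On a real host, `check_device eth0` runs the same comparison against the live interface.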
Re: [Puppet Users] Re: [Puppet-dev] Re: When the lint accumulates...
On 2011-20-12 16:21, Walter Heck wrote:

> looks nice so far, wish we could have this in geppetto soon :)
>
> cheers,
> -- Walter Heck

Just a quick note regarding Geppetto in this respect, and to let you know what the plans are (I am not trying to hijack this thread :)...

I follow the lint project and read all the issues that are logged there, as well as looking at reported puppet bugs, and what people have problems with/questions on this mailinglist/group.

In geppetto I have added Potential Problems preferences and started implementing additional lint checks. The ambition is to add every check that is semantic in nature. Each of the checks are configurable (ignore, warning, error), and they are set to warning by default. The first couple of such checks will be available in the 2.1.2 release, which is almost ready.

Also plan to add support for the formatting related lints, but this is delayed due to deficiencies in the underlying formatter that is used. Waiting for an improved formatter framework to be available. When that is in place, it is possible to control it in a more fine grained way, and thus, rather than complaining that the formatting is off, you can simply format everything using the policy (or tweak it if you don't want to stick to the party-line).

Regards
- henrik
Re: [Puppet Users] Can Puppet be configured to one-time deployment for modules?
On Tue, Dec 20, 2011 at 6:49 PM, Swampcritter mawors...@gmail.com wrote:

> We are developing in-house RHEL VM provisioning (similar to Satellite/Spacewalk) along with a customized kickstart template, but also including Puppet to handle the actual configuration of the

While being biased, I would recommend you to look at other open source projects in the same scope, such as Foreman[1], might save you some time eventually.

Ohad

FYI - I'm Foreman's maintainer.

[1] - http://theforeman.org

> environment. One thing we need to see is does Puppet have a variable that will deploy one module only once and not check against it just in case the configuration file it has created has been altered or not and try to revert back.
>
> Example: Boot using PXEBoot w/ DHCP, build RHEL VM using custom kickstart configuration, create local repo file with pointers to in-house repository and comment out the variables to use the RHN driven one, download from the repo and apply the RHN/Errata updates, then reconfigure the rc.local to install Puppet on the reboot and apply the actual environment requirements (i.e. check to see if it's an Apache web server, Oracle database, Weblogic/JBoss portal, etc).
>
> The last part is the deciding factor -- as this part of the requirements are quite possibly going to change via the developers that are actually using the environment for testing and tweaking the RHEL OS memory and TCP communication needs (/etc/sysctl.conf) or the Apache /etc/httpd/httpd.conf code. We don't want Puppet to revert back the code variables as these are being modified by hand and not using SVN or any other type of code version control at this time.
>
> Anyone know if module exclusion is possible for a deploy once, don't touch again scenario?
[Puppet Users] script to find non-puppet systems
Hi,

Just curious if anybody had written a script to find systems that don't have puppet installed by doing a port scan or something else. I would like to have my puppetmaster send an email when it finds a system that doesn't have puppet installed and possibly take action by installing it.

Does anybody have some good ideas how a system can be detected as a non-puppet system?

One idea would be to use net-snmp to query the list of installed packages. But this requires net-snmp to be running

    snmpwalk -v 2c -c public hostname 1.3.6.1.2.1.25.6.3.1.2 | grep puppet

Corey Osman co...@logicminds.biz Green I.T and Datacenter Automation Specialist