Re: [Puppet Users] Puppet security issue?
On 27/01/12 02:14, Ryan Bowlby wrote:
> Hi All,
>
> I have two puppet servers using Apache with mod_proxy as the
> frontend. Similar to what's described in Pro Puppet.
> Unfortunately, Apache mod_proxy is passing the puppetca requests using
> the loopback IP instead of the original source IP.

You're not mentioning what stack your masters are running. But if they're
running on Apache and Passenger, may I suggest using mod_rpaf?

> This is a bit of a security concern when configuring auth.conf! An
> example stanza in auth.conf:
>
> # allow certificate management on provisioning server without cert
> path ~ /cert*
> auth no
> allow localhost

If you instead make this a certname, then it's secure again.

> With that near the bottom of auth.conf ALL hosts can now perform any
> API calls matching that path. This is due to puppet using the
> 127.0.0.1 passed by Apache.
>
> I need one of the following:
>
> 1. A way to do IP passthrough in apache such that the correct
> originating IP is used.

Configure your mod_proxy to pass the IP in X-Forwarded-For.

> 2. Puppet to make use of the X-Forwarded-For header if it exists and
> to fallback in instances where it doesn't.

And mod_rpaf is what you need, running in your master apache.

> Likely the latter is the best method. Please feel free to correct me
> if I am missing something. I have verified that with the above
> auth.conf stanza ALL hosts can perform all /cert* related API calls.
> Additionally here is a log line:
>
> 127.0.0.1 - - [27/Jan/2012:00:32:00 +] "GET /production/
> certificate_statuses/no_key HTTP/1.1" 200 343 "-" "curl/7.15.5 (x86_64-
> redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/
> 0.6.5"
>
> That's a request from another server. Here are the Apache configs:
>
> http://pastebin.com/rDKPSjjy
>
>
> Thanks everyone!
> Ryan Bowlby
>

--
Brice Figureau
My Blog: http://www.masterzen.fr/

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
[Puppet Users] Re: Issue Installing Puppet on Red Hat6
I use CentOS 6.2 with yum-priorities and several additional
repositories. In general the following priority order works well:

updates -> extras -> puppetlabs -> epel -> rpmforge

Then, as said previously, just run

yum -y install puppet-dashboard

and continue following docs. That setup will allow you access to just
about every package you would need without causing crazy dependency
issues.

-Ryan

On Jan 26, 3:33 pm, Gmoney wrote:
> I have been trying to follow the bootstrap instructions for installing
> puppet-dashboard. I keep getting error about rubygem(rake) and
> rubygems. I'd appreciate any help or corrections, thanks in advance.
>
> ruby-libs-1.8.7.299-4.el6.x86_64
> ruby-1.8.7.299-4.el6.x86_64
>
> These are some installation steps I took.
>
> rvm tools rvm-env ruby bash
> rvm install 1.8.7
>
> yum install ruby
>
> downloaded rubygems from:http://rubygems.org/pages/download
>
> gem install rubygems-update
>
> LD_LIBRARY_PATH=/usr/local/rvm/src/ruby-1.8.7-p357:$PATH
> export LD_LIBRARY_PATH
> gem install mysql-2.8.1.gem
>
> install rake:
> git clone g...@github.com:gmoneyice/rake
> cd /root/ruby
> gem install rake
>
> Here is the error:
>
> yum install puppet-dashboard
> Loaded plugins: rhnplugin
> This system is not registered with RHN.
> RHN support will be disabled.
> Setting up Install Process
> Resolving Dependencies
> --> Running transaction check
> ---> Package puppet-dashboard.noarch 0:1.2.4-1.el6 set to be updated
> --> Processing Dependency: ruby-mysql for package: puppet-
> dashboard-1.2.4-1.el6.noarch
> --> Processing Dependency: rubygem(rake) for package: puppet-
> dashboard-1.2.4-1.el6.noarch
> --> Processing Dependency: rubygems for package: puppet-
> dashboard-1.2.4-1.el6.noarch
> --> Running transaction check
> ---> Package puppet-dashboard.noarch 0:1.2.4-1.el6 set to be updated
> --> Processing Dependency: rubygem(rake) for package: puppet-
> dashboard-1.2.4-1.el6.noarch
> --> Processing Dependency: rubygems for package: puppet-
> dashboard-1.2.4-1.el6.noarch
> ---> Package ruby-mysql.x86_64 0:2.8.2-1.el6 set to be updated
> --> Finished Dependency Resolution
> Error: Package: puppet-dashboard-1.2.4-1.el6.noarch (puppetlabs-
> products)
> Requires: rubygem(rake)
> Error: Package: puppet-dashboard-1.2.4-1.el6.noarch (puppetlabs-
> products)
> Requires: rubygems
> You could try using --skip-broken to work around the problem
> You could try running: rpm -Va --nofiles --nodigest
[Puppet Users] Re: passing argument to a class or a module
Classes can only be declared once while defines can be declared
multiple times. So if you wanted two vhost files a define would be
needed.

On Jan 26, 3:47 pm, Joehillen wrote:
> whoa, my bad. I learned puppet before 2.6
>
> Now I don't know why there is a distinction between classes and defines.
> I'll have to read up.
>
> Thanks
[Puppet Users] Puppet security issue?
Hi All,

I have two puppet servers using Apache with mod_proxy as the
frontend. Similar to what's described in Pro Puppet.
Unfortunately, Apache mod_proxy is passing the puppetca requests using
the loopback IP instead of the original source IP.

This is a bit of a security concern when configuring auth.conf! An
example stanza in auth.conf:

# allow certificate management on provisioning server without cert
path ~ /cert*
auth no
allow localhost

With that near the bottom of auth.conf ALL hosts can now perform any
API calls matching that path. This is due to puppet using the
127.0.0.1 passed by Apache.

I need one of the following:

1. A way to do IP passthrough in apache such that the correct
originating IP is used.
2. Puppet to make use of the X-Forwarded-For header if it exists and
to fallback in instances where it doesn't.

Likely the latter is the best method. Please feel free to correct me
if I am missing something. I have verified that with the above
auth.conf stanza ALL hosts can perform all /cert* related API calls.
Additionally here is a log line:

127.0.0.1 - - [27/Jan/2012:00:32:00 +] "GET /production/
certificate_statuses/no_key HTTP/1.1" 200 343 "-" "curl/7.15.5 (x86_64-
redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/
0.6.5"

That's a request from another server. Here are the Apache configs:

http://pastebin.com/rDKPSjjy


Thanks everyone!
Ryan Bowlby
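Added example (not part of the thread, and not Puppet or mod_rpaf code): the address handling that the post above and Brice Figureau's reply turn on. A backend that looks only at the TCP peer sees every proxied request as 127.0.0.1; taking the client from X-Forwarded-For only when the peer is a trusted proxy, and reading the header right to left, restores the distinction that an "allow localhost" rule depends on. The function names, the proxy list and the sample requests are constructed for illustration.

```ruby
require 'ipaddr'

# Assumption: the only reverse proxy is Apache mod_proxy on the same host.
TRUSTED_PROXIES = [IPAddr.new('127.0.0.1')].freeze
# Stands in for the "allow localhost" line of the auth.conf stanza.
ACL_ALLOWED = [IPAddr.new('127.0.0.1')].freeze

# Behaviour reported in the thread: only the TCP peer is considered, so
# every proxied request appears to come from the loopback address.
def peer_only(peer_ip, _headers)
  IPAddr.new(peer_ip)
end

# Proxy-aware resolution (hypothetical helper). X-Forwarded-For is honoured
# only when the TCP peer is a trusted proxy. The list is walked right to
# left because each proxy appends the address it saw, while the left-hand
# entries are whatever the client chose to send.
# Returns nil when an entry cannot be parsed, so the caller can deny.
def resolve_client_ip(peer_ip, headers, trusted = TRUSTED_PROXIES)
  peer = IPAddr.new(peer_ip)
  return peer unless trusted.include?(peer) # direct connection: ignore header

  hops = headers.fetch('X-Forwarded-For', '').split(',').map(&:strip).reject(&:empty?)
  hops.reverse_each do |hop|
    addr = begin
      IPAddr.new(hop)
    rescue ArgumentError
      return nil # unparseable entry: fail closed
    end
    return addr unless trusted.include?(addr)
  end
  peer # every hop was a trusted proxy: the request started on this host
end

# The ACL decision: unknown addresses are never allowed.
def allowed?(client_ip)
  !client_ip.nil? && ACL_ALLOWED.include?(client_ip)
end

# Constructed requests: [description, TCP peer, request headers].
SAMPLE_REQUESTS = [
  ['remote agent via proxy', '127.0.0.1',
   { 'X-Forwarded-For' => '192.0.2.10' }],
  ['remote client forging the header', '127.0.0.1',
   { 'X-Forwarded-For' => '127.0.0.1, 192.0.2.10' }],
  ['local tool on the master via proxy', '127.0.0.1',
   { 'X-Forwarded-For' => '127.0.0.1' }],
  ['direct connection with forged header', '192.0.2.10',
   { 'X-Forwarded-For' => '127.0.0.1' }],
  ['garbled header via proxy', '127.0.0.1',
   { 'X-Forwarded-For' => 'unknown' }]
].freeze

# Run every sample request through the named resolver and the ACL.
def decisions(resolver)
  SAMPLE_REQUESTS.map do |name, peer, headers|
    [name, allowed?(send(resolver, peer, headers))]
  end.to_h
end

if __FILE__ == $PROGRAM_NAME
  %i[peer_only resolve_client_ip].each do |resolver|
    puts "#{resolver}:"
    decisions(resolver).each do |name, ok|
      puts format('  %-40s %s', name, ok ? 'ALLOW' : 'deny')
    end
  end
end
```

This covers only the source-address side of the problem; authorising the path by certname, as suggested in the reply, removes the dependence on the address altogether.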
[Puppet Users] Re: passing argument to a class or a module
Thank you

On Jan 26, 5:48 pm, Nan Liu wrote:
> On Thu, Jan 26, 2012 at 5:22 PM, Joehillen wrote:
> > You can't pass arguments to classes, only defines.
>
> Classes support parameters since 2.6.0, here's the
> documentation:http://docs.puppetlabs.com/learning/modules2.html
>
> Nan
[Puppet Users] Re: Issue Installing Puppet on Red Hat6
You're mixing downloads and system packages. rpm (thus yum) doesn't
recognize that you have rubygems and rake installed, because it only
looks at the package database to determine that. Right now, you are
missing a repo that contains those packages in your rh6 config, so yum
can't find and install them automatically.

Best practice is to download everything, or use only system packages.
Don't try to do both. RHEL6 has an optional repo that likely contains
these packages. Try enabling it.

On Jan 26, 4:33 pm, Gmoney wrote:
> I have been trying to follow the bootstrap instructions for installing
> puppet-dashboard. I keep getting error about rubygem(rake) and
> rubygems. I'd appreciate any help or corrections, thanks in advance.
>
> ruby-libs-1.8.7.299-4.el6.x86_64
> ruby-1.8.7.299-4.el6.x86_64
>
> These are some installation steps I took.
>
> rvm tools rvm-env ruby bash
> rvm install 1.8.7
>
> yum install ruby
>
> downloaded rubygems from:http://rubygems.org/pages/download
>
> gem install rubygems-update
>
> LD_LIBRARY_PATH=/usr/local/rvm/src/ruby-1.8.7-p357:$PATH
> export LD_LIBRARY_PATH
> gem install mysql-2.8.1.gem
>
> install rake:
> git clone g...@github.com:gmoneyice/rake
> cd /root/ruby
> gem install rake
>
> Here is the error:
>
> yum install puppet-dashboard
> Loaded plugins: rhnplugin
> This system is not registered with RHN.
> RHN support will be disabled.
> Setting up Install Process
> Resolving Dependencies
> --> Running transaction check
> ---> Package puppet-dashboard.noarch 0:1.2.4-1.el6 set to be updated
> --> Processing Dependency: ruby-mysql for package: puppet-
> dashboard-1.2.4-1.el6.noarch
> --> Processing Dependency: rubygem(rake) for package: puppet-
> dashboard-1.2.4-1.el6.noarch
> --> Processing Dependency: rubygems for package: puppet-
> dashboard-1.2.4-1.el6.noarch
> --> Running transaction check
> ---> Package puppet-dashboard.noarch 0:1.2.4-1.el6 set to be updated
> --> Processing Dependency: rubygem(rake) for package: puppet-
> dashboard-1.2.4-1.el6.noarch
> --> Processing Dependency: rubygems for package: puppet-
> dashboard-1.2.4-1.el6.noarch
> ---> Package ruby-mysql.x86_64 0:2.8.2-1.el6 set to be updated
> --> Finished Dependency Resolution
> Error: Package: puppet-dashboard-1.2.4-1.el6.noarch (puppetlabs-
> products)
> Requires: rubygem(rake)
> Error: Package: puppet-dashboard-1.2.4-1.el6.noarch (puppetlabs-
> products)
> Requires: rubygems
> You could try using --skip-broken to work around the problem
> You could try running: rpm -Va --nofiles --nodigest
Re: [Puppet Users] Issue Installing Puppet on Red Hat6
On Thu, Jan 26, 2012 at 3:33 PM, Gmoney wrote:
> I have been trying to follow the bootstrap instructions for installing
> puppet-dashboard. I keep getting error about rubygem(rake) and
> rubygems. I'd appreciate any help or corrections, thanks in advance.
>
> ruby-libs-1.8.7.299-4.el6.x86_64
> ruby-1.8.7.299-4.el6.x86_64
>
> These are some installation steps I took.
>
> rvm tools rvm-env ruby bash
> rvm install 1.8.7
>
> yum install ruby
>
> downloaded rubygems from:
> http://rubygems.org/pages/download
>
> gem install rubygems-update
>
> LD_LIBRARY_PATH=/usr/local/rvm/src/ruby-1.8.7-p357:$PATH
> export LD_LIBRARY_PATH
> gem install mysql-2.8.1.gem
>
>
> install rake:
> git clone g...@github.com:gmoneyice/rake
> cd /root/ruby
> gem install rake
>
>
> Here is the error:
>
> yum install puppet-dashboard
> Loaded plugins: rhnplugin
> This system is not registered with RHN.
> RHN support will be disabled.
> Setting up Install Process
> Resolving Dependencies
> --> Running transaction check
> ---> Package puppet-dashboard.noarch 0:1.2.4-1.el6 set to be updated
> --> Processing Dependency: ruby-mysql for package: puppet-
> dashboard-1.2.4-1.el6.noarch
> --> Processing Dependency: rubygem(rake) for package: puppet-
> dashboard-1.2.4-1.el6.noarch
> --> Processing Dependency: rubygems for package: puppet-
> dashboard-1.2.4-1.el6.noarch
> --> Running transaction check
> ---> Package puppet-dashboard.noarch 0:1.2.4-1.el6 set to be updated
> --> Processing Dependency: rubygem(rake) for package: puppet-
> dashboard-1.2.4-1.el6.noarch
> --> Processing Dependency: rubygems for package: puppet-
> dashboard-1.2.4-1.el6.noarch
> ---> Package ruby-mysql.x86_64 0:2.8.2-1.el6 set to be updated
> --> Finished Dependency Resolution
> Error: Package: puppet-dashboard-1.2.4-1.el6.noarch (puppetlabs-
> products)
> Requires: rubygem(rake)
> Error: Package: puppet-dashboard-1.2.4-1.el6.noarch (puppetlabs-
> products)
> Requires: rubygems
> You could try using --skip-broken to work around the problem
> You could try running: rpm -Va --nofiles --nodigest

You're mixing native packaging and ruby/source bits quite a bit. You'll
likely have better luck doing it all one way or the other.

On EL6, I normally don't use rvm. Just

yum install puppet-dashboard

(You might need EPEL setup as well for dependencies).

If you're using RHEL (actual RHEL), be sure you have the 'optional'
channels enabled, as those have rubygem-rake, and rubygems, I think.

Mike
Re: [Puppet Users] Re: passing argument to a class or a module
whoa, my bad. I learned puppet before 2.6

Now I don't know why there is a distinction between classes and defines.
I'll have to read up.

Thanks

--
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/8StUMI-Bg5oJ.
Re: [Puppet Users] Cipher is not a module
It's highly suspect that you have ruby-libs 1.8.5 and 1.8.7 installed.
Might want to see about removing 1.8.5. Also, what does

ruby -r openssl -e 'puts OpenSSL::VERSION' -e 'puts OpenSSL::OPENSSL_VERSION' -e 'puts OpenSSL::Cipher.class'

output?

On Tue, Jan 24, 2012 at 12:11 PM, kgz wrote:
> Hi,
>
> I'm trying to install puppet as a client on a new machine.
> I received this weird error when trying to start up as /etc/init.d/
> puppet start :
> /usr/lib/ruby/1.8/openssl/cipher.rb:22: Cipher is not a module
> (TypeError)
>   from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:
> 36:in `gem_original_require'
>   from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:
> 36:in `require'
>   from /usr/lib/ruby/1.8/openssl.rb:20
>   from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:
> 36:in `gem_original_require'
>   from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:
> 36:in `require'
>   from /usr/lib/ruby/site_ruby/1.8/puppet/ssl.rb:3
>   from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:
> 36:in `gem_original_require'
>   from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:
> 36:in `require'
>   from /usr/lib/ruby/site_ruby/1.8/puppet.rb:155
>   from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:271:in
> `require'
>   from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:271:in
> `initialize'
>   from /usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:
> 60:in `new'
>   from /usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:
> 60:in `execute'
>   from /usr/bin/puppet:4
>
> My Linux is 2.6.18-274.3.1.el5 #1 SMP Tue Sep 6 20:13:52 EDT 2011
> x86_64 x86_64 x86_64 GNU/Linux
> which is a Centos 5.6
>
> and the packages I installed using yum install are:
> ruby-libs-1.8.7.352-5.el5
> ruby-libs-1.8.5-5.el5_4.8
> rubygem-activesupport-2.1.1-2.el5
> ruby-1.8.7.352-5.el5
> ruby-augeas-0.4.1-1.el5
> ruby-irb-1.8.7.352-5.el5
> rubygems-1.8.10-1.el5
> rubygem-activerecord-2.1.1-2.el5
> ruby-shadow-1.4.1-7.el5
> ruby-rdoc-1.8.7.352-5.el5
> libselinux-ruby-1.33.4-5.7.el5
> facter-1.6.3-1.el5
> puppet-2.7.6-2.el5
> puppet-server-2.7.6-2.el5
>
> I even removed the /usr/lib/ruby before reinstalling but it doesn't
> work. Funny thing is, it worked for my puppet master and one of my
> clients, and repeated the same way for this machine, but I kept
> getting this "Cipher is not a module" error. Please point out what I'm
> missing...
>
> thanks,
> K

--
Adrien Thebo | Puppet Labs
pgp: 0x6F1C4519 pgp.mit.edu
[Puppet Users] Puppet Dashboard 1.2.5 Available [security update - moderate]
Welcome to the first Puppet Dashboard maintenance release of the new
year.

This release includes a security update to address CVE-2012-0891, a XSS
vulnerability discovered by David Dasz. We have classified the risk from
this exposure as moderate. All Puppet Dashboard users are encouraged to
upgrade when possible. Puppet Enterprise users should visit
http://puppetlabs.com/security for links to hotfixes and/or patches for
their release.

For more information, please visit
http://puppetlabs.com/security/cve/cve-2012-0891

It includes contributions from the following people:
Bruno Leon, Daniel Pittman, Daniel Sauble, Pieter van de Bruggen

This release is available for download at:
http://downloads.puppetlabs.com/dashboard/

We have created Debian and RPM packages as well as a tarball.

See the Verifying Puppet Download section at:
http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet

Please report feedback via the Puppet Labs Redmine site, using an
affected version of 1.2.5
http://projects.puppetlabs.com/projects/dashboard

Documentation is available at:
http://docs.puppetlabs.com/dashboard/index.html

Puppet Dashboard 1.2.5 Release Notes
===

(#11365) Rigorously escape user inputs (CVE-2012-0891)

This fix addresses a bug in Puppet Dashboard versions 1.0 – 1.2.4 that
allows for Cross Site Scripting (XSS) attacks on certain input fields.
This could potentially allow a malicious user to share Puppet Dashboard
data with other websites, or manipulate fields in the Dashboard
database. This commit sanitizes user inputs to avoid the aforementioned
XSS attacks and also updates the jquery tokeninput library to resist XSS
attacks.

(#5879) Removes 'url' column from 'nodes' table

The url column is no longer used by Dashboard, so this commit removes
it.

Puppet Dashboard 1.2.5 Changelog
===

Bruno Leon (1):
      b448067 Fix path to pid files

Daniel Pittman (1):
      da28abf Added some documentation on writing plugins.

Daniel Sauble (1):
      89f6341 (#5879) Removes 'url' column from 'nodes' table

Pieter van de Bruggen (1):
      (#11365) Rigorously escape user inputs (CVE-2012-0891)
Re: [Puppet Users] Selecting modules based on subnet in nodes.pp
Hello,

On 12-01-23 02:14 PM, Derek wrote:
> I have four major zones in my network: Development, Quality Assurance,
> User Acceptance Testing, and Production. I am able to deploy different
> modules to these zones based on the simple regular expressions posted
> in the example at the bottom of this message.
>
> I have two data centers in my network: Salt Lake City and Santa
> Clara. I would like to be able to deploy different modules to servers
> based on the data center that they reside in. I have tried simple if
> statements and case statements but don't seem to be able to deploy my
> site based modules.
>
> Can you give me some input on the best approach to my problem?

You could use environments to differentiate the nodes:

http://docs.puppetlabs.com/guides/environment.html
http://hunnur.com/blog/2010/10/dynamic-git-branch-puppet-environments/

Or (maybe better) you could define a custom fact that tells in which DC
your node is present and then branch on the value of this fact:

http://www.devco.net/archives/2011/06/29/facter_facts_from_txt_json_yaml_and_non_ruby_scripts.php

(see the end of the post for a link to github where you can find the
code for custom facts from arbitrary files)

--
Gabriel Filion
[Puppet Users] Issue Installing Puppet on Red Hat6
I have been trying to follow the bootstrap instructions for installing
puppet-dashboard. I keep getting error about rubygem(rake) and
rubygems. I'd appreciate any help or corrections, thanks in advance.

ruby-libs-1.8.7.299-4.el6.x86_64
ruby-1.8.7.299-4.el6.x86_64

These are some installation steps I took.

rvm tools rvm-env ruby bash
rvm install 1.8.7

yum install ruby

downloaded rubygems from:
http://rubygems.org/pages/download

gem install rubygems-update

LD_LIBRARY_PATH=/usr/local/rvm/src/ruby-1.8.7-p357:$PATH
export LD_LIBRARY_PATH
gem install mysql-2.8.1.gem

install rake:
git clone g...@github.com:gmoneyice/rake
cd /root/ruby
gem install rake

Here is the error:

yum install puppet-dashboard
Loaded plugins: rhnplugin
This system is not registered with RHN.
RHN support will be disabled.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package puppet-dashboard.noarch 0:1.2.4-1.el6 set to be updated
--> Processing Dependency: ruby-mysql for package: puppet-
dashboard-1.2.4-1.el6.noarch
--> Processing Dependency: rubygem(rake) for package: puppet-
dashboard-1.2.4-1.el6.noarch
--> Processing Dependency: rubygems for package: puppet-
dashboard-1.2.4-1.el6.noarch
--> Running transaction check
---> Package puppet-dashboard.noarch 0:1.2.4-1.el6 set to be updated
--> Processing Dependency: rubygem(rake) for package: puppet-
dashboard-1.2.4-1.el6.noarch
--> Processing Dependency: rubygems for package: puppet-
dashboard-1.2.4-1.el6.noarch
---> Package ruby-mysql.x86_64 0:2.8.2-1.el6 set to be updated
--> Finished Dependency Resolution
Error: Package: puppet-dashboard-1.2.4-1.el6.noarch (puppetlabs-
products)
Requires: rubygem(rake)
Error: Package: puppet-dashboard-1.2.4-1.el6.noarch (puppetlabs-
products)
Requires: rubygems
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
Re: [Puppet Users] intermodule dependency
Hello,

On 12-01-23 04:45 AM, Jos Houtman wrote:
> I am looking for advice/best-practices on how to handle inter module
> dependencies.
> We have a fairly large/complex code base (100+ modules) with a lot of
> history (we started at 0.24) and lately we have taken into looking how
> we can improve the quality of the codebase.
> Parameterized classes, the style guide are all quick wins and no brainers.
>
> But we have some intermodule dependencies, mostly because of ordering,
> for which a proper design pattern is more elusive.

I'm fairly interested in this subject and would like to see what others
have to say here.

From my experience, modules tend to come in "sets" of inter-dependent
modules, and this makes it sometimes painful to integrate modules from
external sources. Even just merging divergent modules can be quite
tedious.

For example, I worked on merging new stuff that was developed on the
nagios module by others in the community.. but since service resources
are declared pretty much _everywhere_ in the module code base, it took
an extensive analysis of what the changes would impact and the merging
process took much more time than it should have because of this.

> A good example is our ldap setup, this setup needs to happen after the
> initialization of our packaging system.
> It also has to happen before a lot of the other modules, because ldap
> provides the details for some of the file owners/groups that are used.
> [...]

In this case, the link between the differing blocks should be
externalized from your ldap module (e.g. the ldap module should care
about stuff related to ldap.. not about relations to other modules).

You could put the order declaration in a "node type" or "node role" kind
of class that you include in your node.

say:

class mysql_server_role {
  include ldap_authentication_role # which declares whatever is needed
                                   # for ldap support
  include mysql

  Class['Ldap'] -> Class['Mysql']
}

--
Gabriel Filion
Re: [Puppet Users] Anyone know a good tool for 'watching' configurations?
You could use a source code repository system. Have the client running
on the host that periodically checks in the configuration files. It
would be most useful with text configuration files but there are
repository systems like perforce that can store binaries really well.
Perforce also supports triggers which is useful for a scenario like this
(you could fire off notifications for example). It's pricey but you can
demo it for free.

On Tue, Jan 24, 2012 at 8:02 AM, NixFU wrote:
> Now that we have configuration management for our OS and we are
> actively managing our operating systems nearly hands off we want to
> now start doing some configuration mgmt of our applications.
>
> We don't frankly see having all our application teams use puppet or
> anything else to actively manage their applications. What we would
> like to do is watch the applications and know when things change.
> Basically, watch the directories that the developers put their
> applications into and keep a history of what changes and when.
>
> Does anyone have any idea on if there are any tools that can provide
> the ability to watch directories for changes like that.
>
> I know there is auditd that can do this, as well as maybe an intrusion
> detection tool like AIDE, but those solutions would involve lots of
> raw data and not much human readable stuff. I suppose we could write
> something to take all that data, digest it and report on it.
>
> But I was wondering if anyone knows of a tool that would do this type
> of function and provide some human friendly data and reports etc..
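Added example (not from any poster in this thread): one way to get the human-readable change history asked for above when no repository system is in place. It records a hash and the permission bits of every file under a directory and turns the difference between two snapshots into one plain line per change; the function names and the report format are constructed for illustration.

```ruby
require 'digest'
require 'find'

# Record SHA-256 and permission bits for every regular file under root,
# keyed by path relative to root. Symlinks are skipped, not followed.
def snapshot(root)
  prefix = /\A#{Regexp.escape(root.chomp('/'))}\//
  entries = {}
  Find.find(root) do |path|
    next if File.symlink?(path) || !File.file?(path)

    entries[path.sub(prefix, '')] = {
      'sha256' => Digest::SHA256.file(path).hexdigest,
      'mode' => format('%04o', File.stat(path).mode & 0o7777)
    }
  end
  entries
end

# Compare two snapshots. Content and permission changes are reported
# separately, because a chmod on an unchanged file is still a change
# worth knowing about.
def diff_snapshots(before, after)
  common = before.keys & after.keys
  {
    added: (after.keys - before.keys).sort,
    removed: (before.keys - after.keys).sort,
    content_changed: common.reject { |p| before[p]['sha256'] == after[p]['sha256'] }.sort,
    mode_changed: common.reject { |p| before[p]['mode'] == after[p]['mode'] }.sort
  }
end

# One readable line per change, stamped with the time of the comparison.
def report(changes, at = Time.now)
  stamp = at.getutc.strftime('%Y-%m-%d %H:%M:%SZ')
  changes.flat_map do |kind, paths|
    paths.map { |p| "#{stamp} #{kind.to_s.tr('_', ' ')}: #{p}" }
  end
end
```

Store each snapshot (for example as JSON) and run the comparison from cron against the previous one to build up the history.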
Re: [Puppet Users] Conditionally replace in file type
Ok Daniel, thanks for your reply, but I have no control over these
individual "noreplace" files because they are $hostname dependent. On
different hostnames, they have different source locations so I cannot
define them in a specific way.

E.g:

hostname1/home/user/foo/bar/johndoe05/file1.cfg
hostname2/home/user/foo/bar/maryjoe02/file1.cfg

That was the reason I need something recursive, similar to the ignore
parameter. (Or a workaround)

Thanks!

--
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/B6T9Me-vja4J.
Re: [Puppet Users] Re: passing argument to a class or a module
On Thu, Jan 26, 2012 at 5:22 PM, Joehillen wrote:
> You can't pass arguments to classes, only defines.
>

Classes support parameters since 2.6.0, here's the documentation:
http://docs.puppetlabs.com/learning/modules2.html

Nan
Re: [Puppet Users] Reports getting sent even when there were no changes
| I'm running Puppet master version 2.7.9 on RHEL6. My puppet agent is
| 2.7.5 on RHEL5. I have an issue where I get the following email every
| 30 mins even though no changes were detected by puppet agent.

That sounds like this:

http://projects.puppetlabs.com/issues/9167

That issue report includes a note from me showing how we worked around
it, by hacking a change into tagmail.rb to suppress those messages.

Hope that helps - cheers!

John
Re: [Puppet Users] Conditionally replace in file type
On Thu, Jan 26, 2012 at 13:35, krish wrote:
>>I am ignoring these two files ("file1.cfg","file2.cfg"), cause they are
>>dynamically modified by the application. So, not puppet managed.
>>And here's my problem. Because on the other hand I have to initialize both
>>files in the first run.
>
> first application run?
> How would you generally initialize them manually?

The right answer to these problems is almost always that you have a
`file { ".../foo": ensure => present }` resource in Puppet: that will
put it in place if the file is not present, using whatever source you
give, but will not touch the content of an existing file.

If you are using a recursive file resource to put the rest of the
content in place around this, no problem, because the more specific file
resource will override the recursive one, and you won't overwrite. :)

--
Daniel Pittman
⎋ Puppet Labs Developer – http://puppetlabs.com
♲ Made with 100 percent post-consumer electrons
[Puppet Users] Crash in tempfile.rb
I was just building new Ubuntu 10.04 servers that have the new version of puppet (2.7.10) from the official apt repo. The master is also 2.7.10. I'm getting this issue on all 4 of the new servers.

I get this from `puppet agent --test --debug`:

debug: file_metadata supports formats: b64_zlib_yaml marshal pson raw yaml; using pson
debug: Prefetching parsed resources for ssh_authorized_key
notice: /Stage[main]/Users::Admins/Users::Admin[joe]/Users::Normal[joe]/Ssh_authorized_key[ssh_auth_keys_joe]/user: user changed 'root' to 'joe'
debug: Finishing transaction 70331047200640
info: FileBucket got a duplicate file {md5}4823b62668593982394e5940425f7180
debug: Flushing ssh_authorized_key provider target /home/joe/.ssh/authorized_keys
/usr/lib/ruby/1.8/tempfile.rb:52:in `initialize'
/usr/lib/ruby/1.8/puppet/util/filetype.rb:107:in `new'
/usr/lib/ruby/1.8/puppet/util/filetype.rb:107:in `write'
/usr/lib/ruby/1.8/puppet/util/filetype.rb:56:in `real_write'
/usr/lib/ruby/1.8/puppet/util/filetype.rb:56:in `write'
/usr/lib/ruby/1.8/puppet/provider/parsedfile.rb:95:in `flush_target'
/usr/lib/ruby/1.8/puppet/provider/parsedfile.rb:69:in `flush'
/usr/lib/ruby/1.8/puppet/provider/parsedfile.rb:67:in `each'
/usr/lib/ruby/1.8/puppet/provider/parsedfile.rb:67:in `flush'
/usr/lib/ruby/1.8/puppet/provider/parsedfile.rb:341:in `flush'
/usr/lib/ruby/1.8/puppet/provider/ssh_authorized_key/parsed.rb:65:in `flush'
/usr/lib/ruby/1.8/puppet/util/suidmanager.rb:81:in `asuser'
/usr/lib/ruby/1.8/puppet/provider/ssh_authorized_key/parsed.rb:59:in `flush'
/usr/lib/ruby/1.8/puppet/type.rb:643:in `flush'
/usr/lib/ruby/1.8/puppet/transaction/resource_harness.rb:139:in `evaluate'
/usr/lib/ruby/1.8/puppet/transaction.rb:49:in `apply'
/usr/lib/ruby/1.8/puppet/transaction.rb:84:in `eval_resource'
/usr/lib/ruby/1.8/puppet/transaction.rb:104:in `evaluate'
/usr/lib/ruby/1.8/puppet/util.rb:476:in `thinmark'
/usr/lib/ruby/1.8/benchmark.rb:308:in `realtime'
/usr/lib/ruby/1.8/puppet/util.rb:475:in `thinmark'
/usr/lib/ruby/1.8/puppet/transaction.rb:104:in `evaluate'
/usr/lib/ruby/1.8/puppet/transaction.rb:386:in `traverse'
/usr/lib/ruby/1.8/puppet/transaction.rb:99:in `evaluate'
/usr/lib/ruby/1.8/puppet/resource/catalog.rb:141:in `apply'
/usr/lib/ruby/1.8/puppet/configurer.rb:121:in `retrieve_and_apply_catalog'
/usr/lib/ruby/1.8/puppet/util.rb:180:in `benchmark'
/usr/lib/ruby/1.8/benchmark.rb:308:in `realtime'
/usr/lib/ruby/1.8/puppet/util.rb:179:in `benchmark'
/usr/lib/ruby/1.8/puppet/configurer.rb:120:in `retrieve_and_apply_catalog'
/usr/lib/ruby/1.8/puppet/configurer.rb:151:in `run'
/usr/lib/ruby/1.8/puppet/agent.rb:46
/usr/lib/ruby/1.8/puppet/agent/locker.rb:11:in `lock'
/usr/lib/ruby/1.8/puppet/agent.rb:46
/usr/lib/ruby/1.8/sync.rb:230:in `synchronize'
/usr/lib/ruby/1.8/puppet/agent.rb:46
/usr/lib/ruby/1.8/puppet/agent.rb:110:in `with_client'
/usr/lib/ruby/1.8/puppet/agent.rb:44
/usr/lib/ruby/1.8/puppet/application.rb:172:in `call'
/usr/lib/ruby/1.8/puppet/application.rb:172:in `controlled_run'
/usr/lib/ruby/1.8/puppet/agent.rb:42:in `run'
/usr/lib/ruby/1.8/puppet/application/agent.rb:344:in `onetime'
/usr/lib/ruby/1.8/puppet/application/agent.rb:318:in `run_command'
/usr/lib/ruby/1.8/puppet/application.rb:309:in `run'
/usr/lib/ruby/1.8/puppet/application.rb:413:in `hook'
/usr/lib/ruby/1.8/puppet/application.rb:309:in `run'
/usr/lib/ruby/1.8/puppet/application.rb:404:in `exit_on_fail'
/usr/lib/ruby/1.8/puppet/application.rb:309:in `run'
/usr/lib/ruby/1.8/puppet/util/command_line.rb:69:in `execute'
/usr/bin/puppet:4
err: /Stage[main]/Users::Admins/Users::Admin[joe]/Users::Normal[joe]/Ssh_authorized_key[ssh_auth_keys_joe]: Could not evaluate: Puppet::Util::FileType::FileTypeFlat could not write /home/joe/.ssh/authorized_keys: cannot generate tempfile `/root/puppet20120126-10183-jdezsk-9'
[Puppet Users] Reports getting sent even when there were no changes
I'm running Puppet master version 2.7.9 on RHEL6. My puppet agent is 2.7.5 on RHEL5. I have an issue where I get the following email every 30 mins even though no changes were detected by puppet agent.

Thu Jan 26 15:12:29 -0500 2012 Puppet (notice): Finished catalog run in 9.43 seconds

Here are the relevant config lines:

tagmail.conf
all: m...@me.edu

puppet.conf
report = true
reports = tagmail,store,log

I googled and found that a while back someone filed a bug report back in puppet 0.25.x. The bug report states that the problem was resolved, so I'm thinking that I'm missing something.

Does anyone have any idea what I might be doing wrong?
[Puppet Users] How can I debug Master -> node run
Problem: Puppet is not updating the node, or seeming to do much of anything right now.

Background: I have setup a puppet master with a puppet node on 2 separate AWS instances running the latest amazon linux. In order to get around lack of DNS entries I used cert names.

What I did:

On the puppet master. In the /etc/puppet/puppet.conf

[master]
certname = site-control
modulepath = /etc/puppet/modules

On the node: /etc/puppet/puppet.con
in /etc/hosts I have an entry for "site-control" with the elastic ip of site-control

[main]
certname = site-web1

On the node I did:
sudo puppet agent --server site-control --waitforcert 60 --test

On the server:
puppet cert --list
puppet cert --sign site-web1

This all worked, and I established the client cert.

On master I have a manifests/site.pp

import "classes/*"

node default {
  include sudo
  include httpd
}

In classes: sudo.pp

class sudo {
  file { "/etc/sudoers":
    owner => "root",
    group => "root",
    mode => 440,
  }
}

In modules I have an httpd directory laid out with the typical modules structure:

-manifests
--init.pp

class httpd {
  notify {'Running httpd.pp'}
  package { 'httpd':
    ensure => present,
    before => File['/etc/httpd/conf.d/site.conf'],
  }
  file { '/etc/httpd/conf.d/qubeey.conf':
    ensure => file,
    mode => 644,
    source => 'puppet:///modules/httpd/site.conf',
  }
  # If conf file changes, autorestart apache
  service { 'httpd':
    ensure => running,
    enable => true,
    hasrestart => true,
    hasstatus => true,
    subscribe => File['/etc/httpd/conf.d/site.conf'],
  }
}

-tests
-templates
-lib
-files
--site.conf (contains standard vhost definition)

Debugging:

On puppet master:
puppet master --verbose --debug --no-daemonize

I see:

debug: Failed to load library 'rubygems' for feature 'rubygems'
debug: Failed to load library 'selinux' for feature 'selinux'
debug: Failed to load library 'shadow' for feature 'libshadow'
debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
debug: Puppet::Type::User::ProviderLdap: true value when expecting false
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
debug: Puppet::Type::File::ProviderMicrosoft_windows: feature microsoft_windows is missing
debug: Failed to load library 'ldap' for feature 'ldap'
debug: /File[/var/lib/puppet/server_data]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/crl.pem]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/log/puppet/masterhttp.log]: Autorequiring File[/var/log/puppet]
debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/certs/qubeey-control.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/bucket]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/private_keys/qubeey-control.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/public_keys/qubeey-control.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/manifests/site.pp]: Autorequiring File[/etc/puppet/manifests]
debug: /File[/etc/puppet/fileserver.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/reports]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/yaml]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/auth.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
debug: /File[/etc/puppet/manifests]: Autorequiring File[/etc/puppet]
debug: Finishing transaction 70307902268360
debug: /File[/var/lib/puppet/ssl/ca/serial]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/signed]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/requests]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/ca_pub.pem]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug:
[Puppet Users] Re: passing argument to a class or a module
You can't pass arguments to classes, only defines.
[Puppet Users] passing argument to a class or a module
I see plenty of examples of classes or modules such as ntp or sudo or ssd. But none of these examples pass an argument to a class or a module.

If I wanted to pass the rpm name to a module or a class, what would be the call to that class in site.pp and what would be the class definition in init.pp?

Thank you
Re: [Puppet Users] Conditionally replace in file type
>I am ignoring these two files ("file1.cfg","file2.cfg"), cause they are
>dynamically modified by the application. So, not puppet managed.
>And here's my problem. Because on the other hand I have to initialize both
>files in the first run.

first application run?
How would you generally initialize them manually?
Asking to get better idea of the problem.

--
Krish
olindata.com
Re: [Puppet Users] Problem with not installing package, exec do an error
> Unfortunately it doesn't work either : err: /Stage[main]//Exec[sudo apt-
> get install libmemcached-dev]/returns: change from notrun to 0 failed:
> sudo apt-get install libmemcached-dev returned 1 instead of one of [0]
> at /mnt/hgfs/puppet/install.pp:10
>
> I would prefer to do it with package, so if someone have an idea.
>

Your apt-get is broken due to half installed package in dpkginfo directory.
You'll have to solve this manually on the node first.

--
Krish
olindata.com
Re: [Puppet Users] Set hourly of execution with service puppet
On Fri, Jan 20, 2012 at 11:52 PM, Douglas Brancaglion wrote:
> Hi guys!
> I'm from Brazil, and i'm learning puppet.
> I need set interval in puppet client for sync with puppetmaster...
> How i do it?
> Sorry my english
>

Either use cron with puppetd onetime no daemon option or checkout "puppet kick"

--
Krish
olindata.com
[Puppet Users] Is there a particular order
... to which puppet, passenger, activerecord and dashboard should be installed in?

This is my third try at getting these three to play nice together and my third epic fail. puppet is now complaining about

err: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not autoload active_record: uninitialized constant ActiveRecord
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

and this is localhost to localhost so all the versions should be "right."

--
Peter L. Berghold
Owner, Shark River Technical Solutions LLC
Re: [Puppet Users] Unable to install Puppet Enterprise v2.0.0 for RHEL 5-x86_64
On Thu, Jan 26, 2012 at 2:56 PM, Daniel Pittman wrote:
> On Thu, Jan 12, 2012 at 10:05, Ramesh Kumar wrote:
>
>> Unable to install Puppet Enterprise v2.0.0 for RHEL 5-x86_64.
>

Pretty old email. I've responded in the past and for reference, I think this was the missing step on the remote mysql server:

CREATE DATABASE console CHARACTER SET utf8;
CREATE USER 'console'@'localhost' IDENTIFIED BY 'consolepassword';
GRANT ALL PRIVILEGES ON console.* TO 'console'@'localhost';
CREATE DATABASE console_inventory_service CHARACTER SET utf8;
GRANT ALL PRIVILEGES ON console_inventory_service.* TO 'console'@'localhost';

Thanks,

Nan
Re: [Puppet Users] arrays after upgrade to 2.7 and ['A','B'] compared to 'A B'?
On Thu, Jan 26, 2012 at 11:52:52AM -0800, Daniel Pittman wrote:
> On Thu, Jan 26, 2012 at 10:39, Steve Traylen wrote:
> > On 26 Jan 2012, at 19:29, "Stefan Schulte"
> > wrote:
> >> On Thu, Jan 26, 2012 at 03:57:08PM +, Steve Traylen wrote:
> >>>
> >>> After upgrading a server and client from 2.6.13 to 2.7.10 my
> >>> configuration with array attributes
> >>> are behaving differently. 3 examples:
> > […]
>
> >> Can you please tell me the ruby version you are using? So we can rule
> >> 1.8.5 incompatibilities out?
> >
> > Hi, Stefan, other than puppet and facter which are from the puppetlabs repo
> > everything is rhel6 defaults so ruby 1.8.7 and facter 1.6.5
>
> Hrm. Looks like that might be a bug. Can you file tickets reflecting
> the different issues you are hitting?

I was able to reproduce the issue and filed a bug:
http://projects.puppetlabs.com/issues/12197

I've tried the following combinations

puppet 2.7.9 / ruby 1.8.7 -> No issue
puppet 2.7.9 / ruby 1.9.3 -> No issue
puppet 2.7.10 / ruby 1.8.7 -> Bug as described earlier
puppet 2.7.10 / ruby 1.9.3 -> No issue

-Stefan
Re: [Puppet Users] Moving to RVM Ruby 1.9 and Puppet
On Thu, Jan 26, 2012 at 07:52, Matt wrote:

> Has anyone had any experience with using RVM with Puppet?

Many, probably most, of the developers here use RVM around Puppet development.

> I know with puppet 2.6 it directly invokes /usr/bin/ruby on RHEL based
> OSes but in 2.7 I see that it's using env to invoke ruby.

It should just work™ the same way anything else Ruby-ish does.

> Is there a noticeable performance increase with ruby 1.9 over 1.8?

Not that you are likely to see; most of the performance issues people hit with Puppet are caused by things other than MRI or 1.8.7 being slow.

--
Daniel Pittman
⎋ Puppet Labs Developer – http://puppetlabs.com
♲ Made with 100 percent post-consumer electrons
Re: [Puppet Users] Anyone know a good tool for 'watching' configurations?
On Tue, Jan 24, 2012 at 08:02, NixFU wrote:

> Now that we have configuration management for our OS and we are
> actively managing our operating systems nearly hands off we want to
> now start doing some configuration mgmt of our applications.
>
> We don't frankly see having all our application teams use puppet or
> anything else to actively manage their applications. What we would
> like to do is watch the applications and know when things change.
> Basically, watch the directories that the developers put their
> applications into and keep a history of what changes and when.
>
> Does anyone have any idea on if there are any tools that can provide
> the ability to watch directories for changes like that.

The Puppet Enterprise suite includes some compliance tools that use the Puppet model to watch the system and note changes - at the level of resources, rather than just "files", so you can monitor, eg, user and service resources.

Beyond that, I don't know of anything that works at a higher level than "this file changed" - but I have never really invested much effort in looking.

--
Daniel Pittman
⎋ Puppet Labs Developer – http://puppetlabs.com
♲ Made with 100 percent post-consumer electrons
Re: [Puppet Users] Set hourly of execution with service puppet
On Fri, Jan 20, 2012 at 10:22, Douglas Brancaglion wrote:

> I'm from Brazil, and i'm learning puppet.
> I need set interval in puppet client for sync with puppetmaster...
> How i do it?

The documentation on all the settings is here:
http://docs.puppetlabs.com/references/stable/configuration.html

You can find the appropriate setting, and the rest of our configuration, documented in there. (You want the `runinterval` setting this time. :)

--
Daniel Pittman
⎋ Puppet Labs Developer – http://puppetlabs.com
♲ Made with 100 percent post-consumer electrons
Re: [Puppet Users] Password not changing during polling event but does using puppetd -vt
On Thu, Jan 12, 2012 at 14:08, Andre wrote:

> I have created a class for the root user that uses the "User resource"
> to manage the root password. All seems to work well and as expected
> when I use puppetd -vt on a machine (or if I restart the service on
> the client) but during a regular polling event the password is not
> changed and when I go into the dashboard I can see that the event for
> running my class is run. Just to make sure the clients are working
> properly, I added a line to a managed file and got the expected
> results of the file being replaced.
>
> Is this expected behaviour that I don't know about?

Nope.

> Is there a way to put a client puppetd process into debug and
> trace so I can see the results?

If you run it with `--debug` and `--trace` as a daemon, those log messages will go to syslog like everything else.

--
Daniel Pittman
⎋ Puppet Labs Developer – http://puppetlabs.com
♲ Made with 100 percent post-consumer electrons
Re: [Puppet Users] Problem with not installing package, exec do an error
On Fri, Jan 13, 2012 at 11:04, coralie ve wrote:

> I have a list of successive package, and it occured that some package
> are not installed.

[…]

> So i try something desperate :
>
> exec { 'sudo apt-get install libmemcached-dev':
> path => ['/usr/bin'],
> alias => memDev,
> require => Exec[updateGem],
> }
>
> Unfortunately it doesn't work either : err: /Stage[main]//Exec[sudo apt-
> get install libmemcached-dev]/returns: change from notrun to 0 failed:
> sudo apt-get install libmemcached-dev returned 1 instead of one of [0]
> at /mnt/hgfs/puppet/install.pp:10
>
> I would prefer to do it with package, so if someone have an idea.

It looks to me like your problem is with `apt-get` itself, rather than Puppet - we can't install a package if the underlying tool refuses to do so.

At a guess, the `sudo` in the exec is not going to help, but since the agent runs as root you shouldn't have a problem.

So, can you try running the `apt-get install libmemcached-dev` package by hand and see what the output is? Paste it into this thread if you can't figure it out directly from that.

--
Daniel Pittman
⎋ Puppet Labs Developer – http://puppetlabs.com
♲ Made with 100 percent post-consumer electrons
Re: [Puppet Users] Re: constraint checking
On Thu, Jan 26, 2012 at 6:19 AM, jcbollinger wrote:
>
> On Jan 25, 10:53 am, Jo Rhett wrote:
> > On Jan 25, 2012, at 8:30 AM, Nick wrote:
> >
> > > But then I have to anticipate every possible value of $shell and define
> > > resources for them. Anything which is not defined like this is not usable
> > > within the scheme, because there will be no file resource to realize and
> > > require. And of course, it also means nothing else can say anything about any
> > > of these files without blowing up, because my code "owns" them.
> >
> > > So far as I can see, this property of resources makes it hard to write
> > > self-contained and reusable modules, and this is frustrating.
> >
> > I just want to say +1 to this. I have found Puppet to be a wonderful way
> > to deeply tie all your automation to an exact known configuration of hosts,
> > but pretty much useless for dealing with situations in a generalized
> > fashion. It is hard enough to track all the dependencies on modules being
> > written by different people within the same team. I cannot imagine the pain
> > which must be felt by people who have modules written by geographically and
> > politically disperse teams.
>

It's actually not that bad at all from past experience when all the content is being written in-house, even if the authors are organizationally, politically and geographically disperse.

If you have dependencies upon foreign content you didn't author, express it at the class level. This allows the other authors to refactor their own classes internally, and not break your dependencies. If you can't do this, one or both sides need to do refactoring so that it's possible.

If you're building content you expect others to use more than once within a given catalog, provide it in the form of defined types with well-named parameters.

You do need to have a robust release process in place along the lines of the classic dev -> test -> prod environments. If your teams push out change at significantly different rates, you may need to break up environments more to allow for this flexibility.

> For the most part, I think this reflects the difficulty of the
> underlying problem more than any inadequacy of Puppet. If multiple
> independent subsystems place different demands on the same resources,
> then you have a mess to sort out no matter what tools you use to do
> it. On the other hand, if multiple independent subsystems place the
> same demands on certain resources, then that's pretty easy to handle,
> with Puppet or otherwise.
>
> That's not to deny that there is room for Puppet to improve here, but
> I suspect there is less room than you suppose.
>

+1

There are some things we could all do collectively to improve the situation, particularly around pre-commit hooks to version control. Functionality I've found useful in the past here was:

* check whether the changed manifests parse
* verify whether foreign class dependencies are fulfilled
* verify whether references to file sources actually exist

etc etc

--
Nigel Kersten
Product Manager, Puppet Labs
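Two checks of the kind listed in the message above, sketched in Ruby as an added example (not code from the thread or from Puppet Labs): every literal `puppet:///modules/...` source must map to a file under that module's `files/` directory, and every literal `File['...']` reference must have a matching `file` declaration. The regex scanning, the function names and the sample manifest are assumptions made for this illustration; a real hook would also run the changed manifests through Puppet's own parser.

```ruby
require 'tmpdir'
require 'fileutils'

# Heuristic patterns (assumption of this example): only literal, quoted
# values are recognised; titles or sources built from variables are skipped.
SOURCE_RE    = %r{puppet:///modules/([A-Za-z0-9_]+)/([^'"\s,]+)}
DECLARED_RE  = /\bfile\s*\{\s*['"]([^'"]+)['"]\s*:/
REFERENCE_RE = /\bFile\[\s*['"]([^'"]+)['"]\s*\]/

# Constructed sample manifest with two deliberate mistakes: the file
# resource title does not match the File[...] references, and the source
# file is absent from the module's files/ directory.
SAMPLE_MANIFEST = <<'PP'
class httpd {
  package { 'httpd':
    ensure => present,
    before => File['/etc/httpd/conf.d/site.conf'],
  }
  file { '/etc/httpd/conf.d/vhost.conf':
    ensure => file,
    source => 'puppet:///modules/httpd/site.conf',
  }
  service { 'httpd':
    ensure    => running,
    subscribe => File['/etc/httpd/conf.d/site.conf'],
  }
}
PP

def manifest_files(modulepath)
  Dir.glob(File.join(modulepath, '**', '*.pp')).sort
end

# puppet:///modules/<module>/<path> is served from
# <modulepath>/<module>/files/<path>, so that file has to exist.
def missing_sources(modulepath)
  problems = []
  manifest_files(modulepath).each do |manifest|
    File.read(manifest).scan(SOURCE_RE) do |mod, rel|
      next if File.file?(File.join(modulepath, mod, 'files', rel))
      problems << "#{manifest}: source #{mod}/#{rel} not found"
    end
  end
  problems
end

# A File['title'] reference needs a file resource with that title somewhere
# in the scanned manifests.
def dangling_file_refs(modulepath)
  texts = manifest_files(modulepath).map { |m| [m, File.read(m)] }
  declared = texts.flat_map { |_, text| text.scan(DECLARED_RE).flatten }
  problems = []
  texts.each do |manifest, text|
    text.scan(REFERENCE_RE).flatten.uniq.each do |title|
      next if declared.include?(title)
      problems << "#{manifest}: File['#{title}'] is referenced but never declared"
    end
  end
  problems
end

def check_modulepath(modulepath)
  missing_sources(modulepath) + dangling_file_refs(modulepath)
end

# Builds the constructed module in a temp dir, checks it, repairs both
# mistakes, checks again. Returns [problems_before, problems_after].
def demo
  Dir.mktmpdir do |root|
    manifest = File.join(root, 'httpd', 'manifests', 'init.pp')
    FileUtils.mkdir_p(File.dirname(manifest))
    FileUtils.mkdir_p(File.join(root, 'httpd', 'files'))
    File.write(manifest, SAMPLE_MANIFEST)
    before = check_modulepath(root)

    FileUtils.touch(File.join(root, 'httpd', 'files', 'site.conf'))
    File.write(manifest, SAMPLE_MANIFEST.sub('vhost.conf', 'site.conf'))
    [before, check_modulepath(root)]
  end
end

if __FILE__ == $PROGRAM_NAME
  if ARGV[0] && File.directory?(ARGV[0])
    # Hook mode: non-zero exit status rejects the commit.
    problems = check_modulepath(ARGV[0])
    puts problems
    exit(problems.empty? ? 0 : 1)
  else
    before, after = demo
    puts 'before fix:', before, "after fix: #{after.length} problem(s)"
  end
end
```

Run with a module directory as its only argument it behaves as a hook and exits non-zero when either check fails; without arguments it runs the constructed demo.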
Re: [Puppet Users] Unable to install Puppet Enterprise v2.0.0 for RHEL 5-x86_64
On Thu, Jan 12, 2012 at 10:05, Ramesh Kumar wrote:

> Unable to install Puppet Enterprise v2.0.0 for RHEL 5-x86_64.

You are likely to get better responses over on the PE users mailing list:
https://groups.google.com/forum/#!forum/puppet-users

--
Daniel Pittman
⎋ Puppet Labs Developer – http://puppetlabs.com
♲ Made with 100 percent post-consumer electrons
Re: [Puppet Users] arrays after upgrade to 2.7 and ['A','B'] compared to 'A B'?
On Thu, Jan 26, 2012 at 10:39, Steve Traylen wrote:
> On 26 Jan 2012, at 19:29, "Stefan Schulte"
> wrote:
>> On Thu, Jan 26, 2012 at 03:57:08PM +, Steve Traylen wrote:
>>>
>>> After upgrading a server and client from 2.6.13 to 2.7.10 my configuration
>>> with array attributes
>>> are behaving differently. 3 examples:

[…]

>> Can you please tell me the ruby version you are using? So we can rule
>> 1.8.5 incompatibilities out?
>
> Hi, Stefan, other than puppet and facter which are from the puppetlabs repo
> everything is rhel6 defaults so ruby 1.8.7 and facter 1.6.5

Hrm. Looks like that might be a bug. Can you file tickets reflecting the different issues you are hitting?

--
Daniel Pittman
⎋ Puppet Labs Developer – http://puppetlabs.com
♲ Made with 100 percent post-consumer electrons
Re: [Puppet Users] Now that we have puppet node install....
On Thu, Jan 26, 2012 at 2:49 PM, Daniel Pittman wrote:
> On Thu, Jan 26, 2012 at 11:06, Juri Rischel Jensen
> wrote:
>
>> I've been playing a bit with the puppet node install command, and I
>> was wondering if I should change to using puppet installed as a gem
>> instead of deb/rpm/whatever? That would allow me to use the very
>> latest puppet versions, without building my own deb/rpm packages or
>> waiting for them to become available upstream.
>>
>> What's your thoughts on this...?
>
> Gems are generally a pretty bad user experience for install - we have
> lots of feedback here to indicate that they cause lots of headaches.
>
> I would suggest, instead, that you either use the OS packages we
> produce, or roll your own deb or RPM package that you can easily
> enough track trunk with.

Also apt.puppetlabs.com and yum.puppetlabs.com are reasonably up to date.

Nan
Re: [Puppet Users] Now that we have puppet node install....
On Thu, Jan 26, 2012 at 11:06, Juri Rischel Jensen wrote:

> I've been playing a bit with the puppet node install command, and I
> was wondering if I should change to using puppet installed as a gem
> instead of deb/rpm/whatever? That would allow me to use the very
> latest puppet versions, without building my own deb/rpm packages or
> waiting for them to become available upstream.
>
> What's your thoughts on this...?

Gems are generally a pretty bad user experience for install - we have lots of feedback here to indicate that they cause lots of headaches.

I would suggest, instead, that you either use the OS packages we produce, or roll your own deb or RPM package that you can easily enough track trunk with.

--
Daniel Pittman
⎋ Puppet Labs Developer – http://puppetlabs.com
♲ Made with 100 percent post-consumer electrons
Re: [Puppet Users] Now that we have puppet node install....
On Jan 26, 2012, at 12:06 PM, Juri Rischel Jensen wrote:

> I've been playing a bit with the puppet node install command, and I
> was wondering if I should change to using puppet installed as a gem
> instead of deb/rpm/whatever? That would allow me to use the very
> latest puppet versions, without building my own deb/rpm packages or
> waiting for them to become available upstream.
>
> What's your thoughts on this...?

that's what I do (use the gem)

Craig
Re: [Puppet Users] Re: constraint checking
On Jan 26, 2012, at 6:19 AM, jcbollinger wrote:
> For the most part, I think this reflects the difficulty of the
> underlying problem more than any inadequacy of Puppet. If multiple
> independent subsystems place different demands on the same resources,
> then you have a mess to sort out no matter what tools you use to do
> it. On the other hand, if multiple independent subsystems place the
> same demands on certain resources, then that's pretty easy to handle,
> with Puppet or otherwise.

I disagree. I have about 12 different modules, any combination of which may be applied to a given system, all of which need to ensure that sshd is installed and running on a system. They all have a single, common need. However, some of those modules also run on systems where we don't need to ensure that sshd is running. The solution to this is an interlocking maze of module dependencies which is downright terrifying.

You can't import because of redefinitions. You yourself know well and deeply the issues involved with calling the same class from different places with different parameters. It is nearly impossible to get there from here. The ability for puppet to say "oh, I've seen this definition before and it's exactly the same so that's not an error" would be a tremendous improvement.

> That's not to deny that there is room for Puppet to improve here, but
> I suspect there is less room than you suppose.

I did an intensive deep dive on the current puppet code base regarding this issue, and my diagnosis was that it was currently impossible without a complete rewrite of the dependency hierarchy, and likely the addition of a third phase between the current two to improve this situation. Assuming I am right, this is a major overhaul.

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: [Puppet Users] constraint checking
On Jan 25, 2012, at 8:59 AM, Christopher Wood wrote:
> (Define "generalized"?)

Works in more than one specific situation.

> Also, could you expound? I don't know any production scenario where it's
> desirable to have anything other than "an exact known configuration of hosts".

One thing about a well-written piece of generic code is that it can be used in many environments. A lot of my modules do things like "do I have an external interface or am I behind the firewall?" and do different things based on those answers. Likewise, when dealing with software components you could be on a system dedicated to just that one component, or you could be on a Dev/QA box which has dozens of such components installed. The behavior calls for different actions there.

It is very tricky, to the point of impossible in some scenarios, to write this kind of intelligent decision choices in Puppet today. You can successfully determine if a given class is loaded in the client's manifest, but determining if certain things are set within the class is only possible in situations where ordering can be clearly constrained. This makes it truly impossible for someone on a different team to write a generic purpose module to fit Dev/QA/Prod-US/Prod-EU/Prod-AP/etc environments without having someone sit down and carefully work out the dependency flow through the modules to make this happen.

And frankly, that kind of hardcore one-two-three ordering goes against the design philosophy of Puppet. It's also nearly impossible when the ordering is more like 1, 2...67588, 67589 operations.

I don't believe that Puppet 2.x is capable of solving this problem. But I believe it should be a heavy design criteria for Puppet v3.

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
[Puppet Users] Is anyone using Rump...?
A couple of months ago I stumbled across a presentation of Rump (https://github.com/railsmachine/rump) and I thought that it was kind of interesting to use this when developing new modules. But I tend to shy away from it, as it doesn't seem to be used (a google search on "rump puppet" does _not_ give you the results you want, mind you!). So, I'll ask here: Is anyone using it..?
[Puppet Users] Now that we have puppet node install....
I've been playing a bit with the puppet node install command, and I was wondering if I should change to using puppet installed as a gem instead of deb/rpm/whatever? That would allow me to use the very latest puppet versions, without building my own deb/rpm packages or waiting for them to become available upstream.

What's your thoughts on this...?
Re: [Puppet Users] Writing a resource type provider in Python
On Fri, Jan 20, 2012 at 4:14 PM, Tom Limoncelli wrote:
> Is it possible to write a provider in Python? I have to access
> something via a library that is written in Python. I'd rather not
> rewrite the library in Ruby, or call out to shell.
>
> I couldn't find any references on how to do this on the Puppet website
> and web searches for [puppet providers in python] or [writing puppet
> resources in python] mostly turn up links about using Puppet to manage
> Python and Python packages.

AFAIK, currently only in Ruby. Maybe something like http://rubypython.rubyforge.org/ can bridge the gap.

Thanks,

Nan
Re: [Puppet Users] Configuring Puppet from Master to Agent
http://serverfault.com/questions/137292/how-can-i-pre-sign-puppet-certificates

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
Bill Waterson (Calvin & Hobbes)

- Gilles wrote:
>
> Hi,
>
> We have a specific configuration where Puppet Agents are in an
> internet DMZ, Puppet Master is on the LAN and there's no way for
> Puppet Agents to connect to the Puppet Master.
>
> We have opened port 8139 for the Master to establish the connection to
> the Agents.
>
> So, we have the problem for configuration. We need the Agents to
> connect to the Master so that the Master can generate the certificate
> and accept the Agent request. Usually this is done via the Agent
> requesting the Master to sign and accept.
>
> We need this done the other way, the Master generating signed
> certificates for the Agents and distributing the certificates to the
> Agents.
>
> We didn't find the documentation on the specific procedure.
>
> Thanks for your hints, Regards,
> Gilles
Re: [Puppet Users] Managing SSH host private keys
On Thu, Jan 26, 2012 at 06:32:49PM +, Dan White wrote:
> I am relatively new to both Puppet and ssh-keys,
> but is it possible for the PuppetMaster to generate all the keys rather than
> each client creating their own ?

This might be one of the places where erb (templates) being evaluated on the puppetmaster will help. I'm just speculating, but there's no technological reason why the puppetmaster shouldn't use erb/ruby to fork ssh-keygen and store the result in some local directory. The puppet template can either create a private key, or copy in the results of a previous ssh-keygen run.

I don't see technical obstacles, only security obstacles. You may not want all your ssh private keys stored in one place, for instance.

> “Sometimes I think the surest sign that intelligent life exists elsewhere in
> the universe is that none of it has tried to contact us.”
> Bill Waterson (Calvin & Hobbes)
Re: [Puppet Users] arrays after upgrade to 2.7 and ['A','B'] compared to 'A B'?
On 26 Jan 2012, at 19:29, "Stefan Schulte" wrote:
> On Thu, Jan 26, 2012 at 03:57:08PM +, Steve Traylen wrote:
>> Hi,
>>
>> After upgrading a server and client from 2.6.13 to 2.7.10 my configuration
>> with array attributes
>> are behaving differently. 3 examples:
>>
>> (1)
>> k5login {'/root/.k5login-test':
>>   principals => ['m...@cern.ch', 't...@cern.ch'],
>> }
>>
>> while .k5login file is created perfectly but every puppet run updates the
>> file with.
>>
>> notice: /Stage[main]/Kerberos::Root/K5login[/root/.k5login-test]/principals:
>> principals changed ['m...@cern.ch', 't...@cern.ch'] to 'm...@cern.ch
>> t...@cern.ch'
>>
>> Notice how the ['A','B'] is compared to 'A B'
>>
>
> The ['A','B'] vs 'A B' *seems* to be just a display thing because the
> current value and the desired value are handled differently when
> printing them out (should_to_s vs. is_to_is in property.rb).
>
> Can you please tell me the ruby version you are using? So we can rule
> 1.8.5 incompatibilities out?

Hi, Stefan, other than puppet and facter which are from the puppetlabs repo everything is rhel6 defaults so ruby 1.8.7 and facter 1.6.5

>
> -Stefan
Re: [Puppet Users] How do *you* handle yumrepo dependency chains?
Cobbler

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
Bill Waterson (Calvin & Hobbes)

- jimbob palmer wrote:
> Say you have a RHEL6 environment. You have some packages you want
> installed, these rely on a yumrepo. That yumrepo relies on an rpm-gpg key
> being installed.
>
> Now you get some RHEL5 boxes to add to the network. Your yumrepo RHEL6.2
> with a dependency on the RHEL6 signing key now causes a problem: all of the
> rpms you need are the same, but those rpms rely on the RHEL6.2 yumrepo
> which is wrong, and that relies on the RHEL6 signing key which is wrong too.
>
> What approach do you use?
>
> Thanks.
> JB
Re: [Puppet Users] Managing SSH host private keys
I am relatively new to both Puppet and ssh-keys, but is it possible for the PuppetMaster to generate all the keys rather than each client creating their own ?

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
Bill Waterson (Calvin & Hobbes)
[Puppet Users] Re: Multiple Service definitions of the same type
I think if you remove this line,

    name => "memcached",

you should be fine as long as $service_name is unique per instance.

Ramin

On Jan 24, 2:50 pm, Bryan Beaudreault wrote:
> Hello,
>
> I am trying to make it so that more than 1 instance of memcached can
> run on a single service. I have a special init.d script that can
> handle this, but want to define the service multiple times in a puppet
> class. Here is the definition I am using:
>
> service { "$service_name":
>   name => "memcached",
>   ensure => running,
>   enable => true,
>   start => "$init_script start $service_name",
>   stop => "$init_script stop $service_name",
>   status => "$init_script status $service_name",
>   restart => "$init_script restart $service_name",
>   hasstatus => true,
>   require => [Package[memcached],File["$file_name"]]
> }
>
> I used the $service_name so that the definition would be unique, but
> now puppet is throwing this error:
>
> Puppet::Parser::AST::Resource failed with error ArgumentError: Cannot
> alias Service[11411] to ["memcached"]; resource ["Service",
> ["memcached"]] already exists at
>
> How can I achieve what I am trying to achieve? Any ideas?
>
> Thanks,
>
> Bryan
Re: [Puppet Users] arrays after upgrade to 2.7 and ['A','B'] compared to 'A B'?
On Thu, Jan 26, 2012 at 03:57:08PM +, Steve Traylen wrote:
> Hi,
>
> After upgrading a server and client from 2.6.13 to 2.7.10 my configuration
> with array attributes
> are behaving differently. 3 examples:
>
> (1)
> k5login {'/root/.k5login-test':
>   principals => ['m...@cern.ch', 't...@cern.ch'],
> }
>
> while .k5login file is created perfectly but every puppet run updates the
> file with.
>
> notice: /Stage[main]/Kerberos::Root/K5login[/root/.k5login-test]/principals:
> principals changed ['m...@cern.ch', 't...@cern.ch'] to 'm...@cern.ch
> t...@cern.ch'
>
> Notice how the ['A','B'] is compared to 'A B'
>

The ['A','B'] vs 'A B' *seems* to be just a display thing because the current value and the desired value are handled differently when printing them out (should_to_s vs. is_to_is in property.rb).

Can you please tell me the ruby version you are using? So we can rule 1.8.5 incompatibilities out?

-Stefan
Re: [Puppet Users] Considering LDAP ENC
On Wed, Jan 25, 2012 at 10:57 AM, Throwe, Jesse wrote:
> Having just gone through this conversion recently, it's not as hard as it
> seems.
>
> - Puppet variables are managed through the puppetVar entries for the
>   objectClass so there's no need to extend the schema.
> - All variables are passed to the manifests as a string. You need to
>   identify your hashes in your manifests and split them over a
>   delimiter.
> - No parametrized classes (as of 2.6.x) can be called directly from
>   LDAP. We had to locate our parameterized classes that were impacted and
>   convert them over to using variables, and throwing a parse error if
>   required variables were not located. This took maybe an hour to do.
> - At least as of 2.6.x it appears that the environment variable is
>   completely ignored from the client. This behavior is actually desired
>   but if you have gotten used to --environment=newfeatureenv it can be a
>   change.
>
> We are also leveraging dynamic environments as described in
> http://puppetlabs.com/blog/git-workflow-and-puppet-environments/ which
> helps separate development from production.
>

Thank you for the details. I will keep these points in mind while I test the LDAP ENC.
Re: [Puppet Users] Re: Is it possible to conditionally replace a file ?
Ok, I understand. But I have no control over these individual "noreplace" files because they are $hostname dependent. Different hostnames have different specific source locations.

So that was the reason I need something similar to the ignore parameter. (Or a workaround)

Thanks!
Re: [Puppet Users] Re: Is it possible to conditionally replace a file ?
2012/1/25 Juan José Presa Rodal:
> Hi, I would like to achieve a conditional file replacement but lightly
> different. I deploy recursively a directory with a lot of config files. This
> is my resource:
>
> file {"/foo":
>   ensure => directory,
>   recurse => remote,
>   source => "puppet:///modules/module_name/configs/${hostname}/foo",
>   ignore => ["no_replace1.cfg","no_replace2.cfg"],
> }
>
> I need to ignore these two files because they will not be puppet managed but
> initialized by puppet.

A recursive file resource is "less specific" than a file resource managing an individual file. If you install those two configuration files with `file { ".../no_replace1.cfg": ensure => present, ... }`, Puppet will put them in place if they are missing, but otherwise ignore their content. It will also prevent the recurse from overwriting them.

--
Daniel Pittman
⎋ Puppet Labs Developer – http://puppetlabs.com
♲ Made with 100 percent post-consumer electrons
Re: [Puppet Users] Dependencies: packages and repos
On Jan 25, 2012, at 11:10 AM, jimbob palmer wrote:
> Hello,
>
> What's the best way of handling package installs that rely on a yum
> repository, which in turn relies on a gpg key?
>
> At the moment I have only RHEL6 boxes which have a few yumrepos
> defined and a few packages installed. The yumrepos in turn rely on an
> rpm-gpg key.
>
> I now need to add some RHEL5 boxes. The repos contain the major
> version name and require a different rpm-gpg key.
>
> I could hack around with some variables in the yumrepos module but
> this seems dirty.
>
> How are others handling this situation?
>

http://cern.ch/go/Cq7D is an example of a case statement setting a yum path based on OS version, yum can pull in gpg direct from a remote URL rather than pushing it to the box first which is then one less step for puppet to handle.

Steve.

> Thanks.
Re: [Puppet Users] Question about puppet module development
On Jan 26, 2012, at 12:03 PM, Spirit wrote:
> Hi all.
> I want to write module for kerberos configuration. I planned configure
> realms by using subclasses like in saz-sudo module:
>
>
> Anybody have idea, how i can manage krb5.conf without augeas?
>

The following uses the concat module to manage a krb5.conf file.

http://cern.ch/go/vSK8

Steve.
Re: [Puppet Users] Puppet on Windows - client installer?
On Wed, Jan 18, 2012 at 5:54 AM, jmp242 wrote:
> Is this the case, or am I missing where the installer is? Is there any
> thought to creating a msi / exe installer in the future that would
> have puppet be self contained

Funny you should ask: https://projects.puppetlabs.com/issues/11205. We are working on an MSI installer containing everything you need to install puppet, facter, ruby, gems.

> and run a service?
>

This is something we are not planning on doing, partly because of the issue with long running ruby processes, memory usage, etc. Instead we were looking to use scheduled tasks to run puppet on a specified interval. It does mean you couldn't `puppet kick` these agents. Would that work in your environment?

Josh

--
Josh Cooper
Developer, Puppet Labs
Re: [Puppet Users] How do *you* handle yumrepo dependency chains?
On Thu, Jan 26, 2012 at 6:56 AM, jimbob palmer wrote:
> Say you have a RHEL6 environment. You have some packages you want installed,
> these rely on a yumrepo. That yumrepo relies on an rpm-gpg key being
> installed.
>
> Now you get some RHEL5 boxes to add to the network. Your yumrepo RHEL6.2
> with a dependency on the RHEL6 signing key now causes a problem: all of the
> rpms you need are the same, but those rpms rely on the RHEL6.2 yumrepo which
> is wrong, and that relies on the RHEL6 signing key which is wrong too.
>
> What approach do you use?
>

I read this description a couple times and don't think I quite understand the question. You can specify keys per client repo. You can also use execs to install rpm-gpg keys. Is the issue you have one yum repo and you're pointing both EL5 and EL6 boxes at it?

> Thanks.
> JB
[Puppet Users] Apologies for massive message queue
We found that we had several messages awaiting moderation. That problem is being resolved, but that's the reason for high-volume on the list today.

Mike
[Puppet Users] Re: Cross-module dependencies
On Jan 26, 11:00 am, jcbollinger wrote:
> If we must rely only on features already present in Puppet, then I
> think that's heading in the right direction.

On the other hand, if we can wish for new features to address this area, then there may be altogether different approaches available. In particular, it is useful to recognize that dependencies are not just on a particular resource generally -- rather, they are on a particular resource having certain specific properties. For example, a web server module doesn't just rely on, say, Package['httpd']. Rather, it relies on that package having an 'ensure' parameter different from 'absent' and 'purged'. Puppet DSL does not currently have a means to express that.

Consider, then, a new metaresource type, Constraint. The purpose of the Constraint resource type would be to allow multiple unrelated classes to collaborate on defining the properties of a single resource, and it would do so by allowing classes to limit the values that chosen resource properties may have. At compilation time, Puppet would collect and combine all the constraints on any particular resource, and use the results to set unspecified property values and validate specified ones.

Usage might look something like this:

    constraint { 'webserver-httpd_package-present':
      resource => Package['httpd'],
      property => 'ensure',
      forbidden_value => [ 'absent', 'purged' ],
      # also available: allowed_value
      # maybe: default_value
    }

Not only would this nicely meet the needs of different modules to express their requirements on shared resources, it would also make it much easier to recognize resource conflicts. If Puppet automatically generated empty resource definitions to constrain when it discovered constraints on otherwise-undefined resources, then that would also overcome the problem of deciding where to define particular resources. I can imagine many -- perhaps most -- resource definitions being replaced or supplemented by constraint declarations.

John
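The compile-time step John describes (collect the constraints on one resource property, combine them, then validate a declared value or fill in an unspecified one), sketched in Ruby as an added example; it is not Puppet code and not part of the original message. `Constraint`, `resolve`, `resolve_all`, `conflict?` and the two extra sample constraints are hypothetical, and intersecting multiple `allowed_value` lists is an assumption about how the proposal would combine them.

```ruby
require 'set'

# Hypothetical model of the proposed metaresource; none of this is Puppet API.
Constraint = Struct.new(:title, :resource, :property, :allowed, :forbidden, :default,
                        keyword_init: true)

class ConstraintConflict < StandardError; end

# Combine all constraints on one (resource, property) pair. `declared` is the
# value an explicit resource definition set, or nil if no module declared one.
# Returns the value the catalog should carry, or nil when nothing pins it down.
def resolve(constraints, declared = nil)
  allowed   = nil          # nil means no allowed_value list has been seen
  forbidden = Set.new
  defaults  = Set.new

  constraints.each do |c|
    forbidden.merge(Array(c.forbidden))
    defaults << c.default unless c.default.nil?
    next if c.allowed.nil?
    list = Set.new(Array(c.allowed))
    allowed = allowed.nil? ? list : allowed & list   # assumption: lists intersect
  end

  titles    = constraints.map(&:title).join(', ')
  permitted = ->(v) { !forbidden.include?(v) && (allowed.nil? || allowed.include?(v)) }

  # Two modules whose demands cannot both hold: fail at compile time.
  if allowed && (allowed - forbidden).empty?
    raise ConstraintConflict, "no value satisfies: #{titles}"
  end

  # Validate a specified value.
  if declared
    return declared if permitted.call(declared)
    raise ConstraintConflict, "declared #{declared.inspect} violates: #{titles}"
  end

  # Set an unspecified value from the surviving default, if exactly one exists.
  usable = defaults.to_a.select(&permitted)
  raise ConstraintConflict, "conflicting defaults: #{usable.inspect}" if usable.size > 1
  return usable.first if usable.size == 1

  candidates = allowed ? (allowed - forbidden).to_a : []
  candidates.size == 1 ? candidates.first : nil
end

# Group a whole catalog's constraints by target and resolve each group.
def resolve_all(constraints, declared = {})
  constraints.group_by { |c| [c.resource, c.property] }
             .map { |key, group| [key, resolve(group, declared[key])] }
             .to_h
end

# True when the combined constraints (and declared value) cannot be satisfied.
def conflict?(constraints, declared = nil)
  resolve(constraints, declared)
  false
rescue ConstraintConflict
  true
end

# Constructed sample data. WEB mirrors the constraint in the message;
# MON and HARDEN are invented to show a default and a conflict.
HTTPD  = 'Package[httpd]'
WEB    = Constraint.new(title: 'webserver-httpd_package-present', resource: HTTPD,
                        property: 'ensure', forbidden: %w[absent purged])
MON    = Constraint.new(title: 'monitoring-httpd-default', resource: HTTPD,
                        property: 'ensure', default: 'installed')
HARDEN = Constraint.new(title: 'hardening-httpd-removed', resource: HTTPD,
                        property: 'ensure', allowed: %w[absent purged])

if __FILE__ == $PROGRAM_NAME
  puts resolve([WEB, MON]).inspect            # default fills the unspecified value
  puts resolve([WEB, MON], 'latest').inspect  # declared value passes validation
  puts conflict?([WEB], 'absent')             # declared value is forbidden
  puts conflict?([WEB, HARDEN])               # modules disagree outright
end
```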
Re: [Puppet Users] Managing SSH host private keys
>> Remember, there is always some amount of manual stuff to do.
>>
>> 1) Install the OS (or clone your VM.)
>> 2) Set the IP/hostname
>> 3) Install puppet
>> 4) Have the puppetmaster sign the cert
>>

Meh :P .. If you're using a Xen environment, we've taken care of this part already, where a puppet recipe creates a new vm, sets ip addr, installs puppet and gets the certs signed. So when the new vm boots its already pulling changes as per its node definition on master :)

We plan to open source the module soon at github :)

--
Krish
olindata.com
[Puppet Users] Configuring Puppet from Master to Agent
Hi,

We have a specific configuration where Puppet Agents are in an internet DMZ, Puppet Master is on the LAN and there's no way for Puppet Agents to connect to the Puppet Master.

We have opened port 8139 for the Master to establish the connection to the Agents.

So, we have the problem for configuration. We need the Agents to connect to the Master so that the Master can generate the certificate and accept the Agent request. Usually this is done via the Agent requesting the Master to sign and accept.

We need this done the other way, the Master generating signed certificates for the Agents and distributing the certificates to the Agents.

We didn't find the documentation on the specific procedure.

Thanks for your hints, Regards,
Gilles
[Puppet Users] puppet client server connection refused when I use puppet kick
I have a very strange problem. I set up puppet client on several servers but have a problem with one of them. When I invoke:

root@www ~ # puppet agent --server puppetmaster.domain.ltd --test
notice: Ignoring --listen on onetime run
info: Caching catalog for puppetclient.domain.ltd
info: Applying configuration version '132631'
notice: Finished catalog run in 3.15 seconds

everything works ok. New changes are applied to system. When I try to pull changes to client from server:

root@www ~ # puppet kick puppetclient.domain.ltd

I got errors on client's syslog:

Jan 15 14:01:23 www puppet-agent[20903]: triggered run
Jan 15 14:01:24 www puppet-agent[20903]: Could not retrieve catalog from remote server: Connection refused - connect(2)
Jan 15 14:01:24 www puppet-agent[20903]: Using cached catalog
Jan 15 14:01:24 www puppet-agent[20903]: (/Stage[main]/Cronapt/File[/etc/cron.daily/cronapt]) Could not evaluate: Connection refused - connect(2) Could not retrieve file metadata for puppet:///cronapt/cronapt: Connection refused - connect(2) at /etc/puppet/modules/cronapt/manifests/init.pp:7
Jan 15 14:01:24 www puppet-agent[20903]: (/Stage[main]/Nagios/File[/usr/lib/nagios/plugins/]) Failed to generate additional resources using 'eval_generate: Connection refused - connect(2)
Jan 15 14:01:24 www puppet-agent[20903]: (/Stage[main]/Nagios/File[/usr/lib/nagios/plugins/]) Could not evaluate: Connection refused - connect(2) Could not retrieve file metadata for puppet:///nagios/usr/lib/nagios/plugins: Connection refused - connect(2) at /etc/puppet/modules/nagios/manifests/init.pp:27
Jan 15 14:01:24 www puppet-agent[20903]: (/Stage[main]/Nagios/File[/etc/nagios/nrpe.cfg]) Could not evaluate: Connection refused - connect(2) Could not retrieve file metadata for puppet:///nagios/etc/nagios/nrpe.cfg: Connection refused - connect(2) at /etc/puppet/modules/nagios/manifests/init.pp:18
Jan 15 14:01:24 www puppet-agent[20903]: (/Stage[main]/Nagios/Exec[/etc/init.d/nagios-nrpe-server reload]) Dependency File[/etc/nagios/nrpe.cfg] has failures: true
Jan 15 14:01:24 www puppet-agent[20903]: (/Stage[main]/Nagios/Exec[/etc/init.d/nagios-nrpe-server reload]) Skipping because of failed dependencies
Jan 15 14:01:24 www puppet-agent[20903]: (/Stage[main]/Apache2/File[/etc/apache2/conf.d/deny.conf]) Could not evaluate: Connection refused - connect(2) Could not retrieve file metadata for puppet:///apache2/etc/apache2/conf.d/deny.conf: Connection refused - connect(2) at /etc/puppet/modules/apache2/manifests/init.pp:7
Jan 15 14:01:24 www puppet-agent[20903]: (/Stage[main]/Apache2/Service[apache2]) Dependency File[/etc/apache2/conf.d/deny.conf] has failures: true
Jan 15 14:01:24 www puppet-agent[20903]: (/Stage[main]/Apache2/Service[apache2]) Skipping because of failed dependencies
Jan 15 14:01:24 www puppet-agent[20903]: (/Stage[main]/Nagios/File[/etc/nagios/cfg.d/]) Failed to generate additional resources using 'eval_generate: Connection refused - connect(2)
Jan 15 14:01:24 www puppet-agent[20903]: (/Stage[main]/Nagios/File[/etc/nagios/cfg.d/]) Could not evaluate: Connection refused - connect(2) Could not retrieve file metadata for puppet:///nagios/etc/nagios/cfg.d: Connection refused - connect(2) at /etc/puppet/modules/nagios/manifests/init.pp:37
Jan 15 14:01:24 www puppet-agent[20903]: (/Stage[main]/Apache2/File[/etc/apache2/.htpasswd]) Could not evaluate: Connection refused - connect(2) Could not retrieve file metadata for puppet:///apache2/etc/apache2/.htpasswd: Connection refused - connect(2) at /etc/puppet/modules/apache2/manifests/init.pp:31
Jan 15 14:01:24 www puppet-agent[20903]: (/Stage[main]/Apache2/File[/usr/share/phpmyadmin/.htaccess]) Could not evaluate: Connection refused - connect(2) Could not retrieve file metadata for puppet:///apache2/usr/share/phpmyadmin/.htaccess: Connection refused - connect(2) at /etc/puppet/modules/apache2/manifests/init.pp:23
Jan 15 14:01:24 www puppet-agent[20903]: Finished catalog run in 0.33 seconds
Jan 15 14:01:24 www puppet-agent[20903]: Could not send report: Connection refused - connect(2)

Here are configuration files at puppetclient.domain.ltd

puppet.conf

[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
templatedir=$confdir/templates
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post
listen = true
runinterval=1800
splay=true
summarize = true

auth.conf:

path /
method find, search, save
auth yes
allow puppetmaster.domain.ltd

namespaceauth.conf

[fileserver]
allow *
[puppetmaster]
allow *
[puppetrunner]
allow *
[puppetbucket]
allow *
[puppetreports]
allow *
[resource]
allow *

Puppet master version 2.7.9
Puppet client version 2.7.6
[Puppet Users] Setup examples
Hi, I am looking for real world server setups to learn more from others. The ones I know of are The Repository of David Schmitt http://projects.puppetlabs.com/projects/1/wiki/Complete_Configuration The Wikimedia Server repository http://blog.wikimedia.org/2011/09/19/ever-wondered-how-the-wikimedia-servers-are-configured/ Regards, Kai -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
[Puppet Users] Using LDAP with puppet
Does anyone have experience using LDAP as the ENC at medium to large scale? We have around 600 nodes but will quickly grow that to 2000 or so in short order. If so, is it working well? Would you do it again? If it didn't work what did you replace it with? We are thinking of using it and were looking for a little feedback from the group if anyone has done this. On the surface it sounds very nice to have the flexibility of a standards based system like LDAP and I know LDAP can scale very well for read intensive operations. Cheers! -Matt
Re: [Puppet Users] Re: Blocking or gating service restarts?
> Generally, Puppet uses a service's init script to manipulate it, so
> you can alter services' restart behavior by modifying their init
> scripts. That has the additional advantage that you get the same
> behavior if the service is ever restarted any other way.

good point, but now I have to repackage or overlay standard init scripts (httpd & mysql at least, others are ours so less of an issue)

> There is no way to tell Puppet to start processing one resource,
> switch to processing a different resource, and later resume with the

I'd be happy enough for the puppet apply to just stall during bleed-down etc

> first. You could possibly split the load balancer bleed-down and spin-
> up into separate resources, however, and use standard Puppet 'require'
> and 'before' relationships or resource chaining to establish order of
> application. That might be advantageous if there are multiple
> resources you want to manage only while the load-balancer is down.

That sounds interesting, but how would you get the require/before to apply to just a service restart as a result of the subscription? e.g. if I have:

service { 'mysqld':
  ensure => running,
  enable => true,
  subscribe => File['/etc/my.cnf'],
  require => [ Package['mysql-server'], File['/prod/mysql'] ],
}

I want mysql to restart for any changes to /etc/my.cnf, but only when the machine is OOS. We have tools that coordinate restarts atm, but from the C&C out, not boxes asking if they can restart. I'm thinking along the lines of a hook in the service resource type to call a user-defined script to check if it's ok to restart, blocking the puppet run until it gets an answer; the user defined script then does whatever comms are required to see if C&C are ok with the OOS/restart. (we do rolling deploys by allowing up to X% of machines in a given service to go OOS for deployments)

Simon.
-- Simon McCartney E: si...@mccartney.ie M: +44 7710 836 915
[Puppet Users] Failed to Allocate Memory When Connected to LDAP
Hello, I have a Solaris 10 system running Puppet 2.6.8 that is experiencing a very unusual problem. It has been running fine up until I configured the system to use LDAP for users and groups. The problem is easily reproducible. Take "ldap" out of /etc/nsswitch.conf and it runs fine, once it's added back in, Puppet crashes: > acad ~ # puppet agent --test --environment=jameslee --no-report > info: Caching catalog for acad.es.gwu.edu > info: Applying configuration version '1327003919' > --- /etc/nsswitch.conf Thu Jan 19 15:11:54 2012 > +++ /tmp/puppet-file5186.0 Thu Jan 19 15:13:04 2012 
> @@ -13,8 +13,8 @@ > # "hosts:" and "services:" in this file are used only if the > # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports. > > -passwd: files > -group: files > +passwd: files ldap > +group: files ldap > hosts: files dns > ipnodes:files > networks: files > info: FileBucket got a duplicate file {md5}4dc29d1e26abeda92f07cbf7ea8c8184 > info: /Stage[main]/Solaris/File[/etc/nsswitch.conf]: Filebucketed > /etc/nsswitch.conf to puppet with sum 4dc29d1e26abeda92f07cbf7ea8c8184 > notice: /Stage[main]/Solaris/File[/etc/nsswitch.conf]/content: content > changed '{md5}4dc29d1e26abeda92f07cbf7ea8c8184' to > '{md5}42577aabe4178912e5f5c030a7d72634' > notice: Finished catalog run in 59.61 seconds > acad ~ # puppet agent --test --environment=jameslee --no-report > /usr/local/lib/ruby/gems/1.8/gems/puppet-2.6.8/lib/puppet/provider/package/apt.rb:15:in > `[]=': failed to allocate memory (NoMemoryError) > from > /usr/local/lib/ruby/gems/1.8/gems/puppet-2.6.8/lib/puppet/provider/package/apt.rb:15 > from > /usr/local/lib/ruby/gems/1.8/gems/puppet-2.6.8/lib/puppet/util/classgen.rb:117:in > `genthing' > from > /usr/local/lib/ruby/gems/1.8/gems/puppet-2.6.8/lib/puppet/util/classgen.rb:28:in > `genclass' > from > /usr/local/lib/ruby/gems/1.8/gems/puppet-2.6.8/lib/puppet/type.rb:1446:in > `provide' > from > /usr/local/lib/ruby/gems/1.8/gems/puppet-2.6.8/lib/puppet/provider/package/apt.rb:1 > from > /usr/local/lib/ruby/gems/1.8/gems/puppet-2.6.8/lib/puppet/util/autoload.rb:113:in > `loadall' > from > /usr/local/lib/ruby/gems/1.8/gems/puppet-2.6.8/lib/puppet/util/autoload.rb:109:in > `loadall' > from > /usr/local/lib/ruby/gems/1.8/gems/puppet-2.6.8/lib/puppet/util/autoload.rb:108:in > `loadall' > ... 51 levels... 
> from > /usr/local/lib/ruby/gems/1.8/gems/puppet-2.6.8/lib/puppet/application.rb:305:in > `run' > from > /usr/local/lib/ruby/gems/1.8/gems/puppet-2.6.8/lib/puppet/util/command_line.rb:62:in > `execute' > from /usr/local/lib/ruby/gems/1.8/gems/puppet-2.6.8/bin/puppet:4 > from /usr/local/bin/puppet:19 This system has 6 GB of memory of which only 168 MB are being used. It does not appear that the puppet process running under the LDAP configuration balloons out of control either, so I can't imagine it's actually running out of memory. I tested Puppet 2.6.12 and it has the same problem. Unfortunately trying 2.7 is not possible at the moment. For what it's worth, I can reduce the node's configuration down to basically nothing and the problem goes away, so there is something in one of our modules that is triggering the problem, but I have no idea what. The stack trace above gives me no real clues (it's a Solaris system, there is no APT system, and removing the apt provider just pushes the crash to another file, same message). I don't have any LDAP related resources in the Puppet configuration (like LDAP user resources). What is it about LDAP that simply enabling it could cause Puppet to crash? How might I go about debugging this? The full debug output is shown below. 
Thanks, James > acad ~ # puppet agent --test --environment=jameslee --no-report --debug > debug: Failed to load library 'shadow' for feature 'libshadow' > debug: Puppet::Type::User::ProviderPw: file pw does not exist > debug: Failed to load library 'ldap' for feature 'ldap' > debug: Puppet::Type::User::ProviderLdap: feature ldap is missing > debug: Puppet::Type::User::ProviderUseradd: file chage does not exist > debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does > not exist > debug: Failed to load library 'selinux' for feature 'selinux' > debug: Puppet::Type::File::ProviderMicrosoft_windows: feature > microsoft_windows is missing > debug: /File[/var/lib/puppet/state/last_run_report.yaml]: Autorequiring > File[/var/lib/puppet/state] > debug: /File[/var/lib/puppet/state/classes.txt]: Autorequiring > File[/var/lib/puppet/state] > debug: /File[/var/lib/puppet/client_yaml]: Autorequiring File[/var/lib/puppet] > debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ssl] > debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring > File[/etc/puppet/ssl/certs] > debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/pup
[Puppet Users] Re: mysql errors
Looks like this message didn't reach the group for some reason. For clarity though, I found that this was occurring on all three masters. I was able to resolve this by downgrading the activerecord gem on the puppet masters from 3.1.3 to 3.0.5. On 13 January 2012 08:31, jamese wrote: > I'm currently running three puppet masters (version 2.7.3 via apache > +passenger) in a cluster, 2 on CentOS 5.7, 1 on CentOS 6.1 > > On the 6.1 master, I am frequently getting the following error > (approximately 50% of the time when a client connects): > > err: Could not retrieve catalog from remote server: Error 400 on > SERVER: Mysql::Error: Unknown prepared statement handler (7) given to > mysqld_stmt_execute: INSERT INTO `inventory_facts` (`name`, `node_id`, > `value`) VALUES (?, ?, ?) > > I don't see any errors on the other two masters running CentOS 5.7. > > I have a separate server running CentOS 6.1 and MySQL 5.1.52 for the > inventory db. > > On the masters, I have inventory configured in the puppet.conf as > follows: > facts_terminus = inventory_active_record > dbadapter = mysql > dbname = inventory > dbuser = inventory > dbpass = > dbserver = x.x.x.x > > The masters are running ruby enterprise 1.8.7 and all have exactly the > same versions of ruby gems installed. > > *** LOCAL GEMS *** > > activemodel (3.1.3) > activerecord (3.1.3) > activesupport (3.1.3) > arel (2.2.1) > builder (3.0.0) > facter (1.6.3) > fastthread (1.0.7) > i18n (0.6.0) > multi_json (1.0.3) > mysql (2.8.1) > mysql2 (0.3.10) > passenger (2.2.9) > puppet (2.7.3) > rack (1.1.0) > rake (0.8.7) > tzinfo (0.3.31) > > The only (potentially related) differences I can see between the > masters are with the mysql-libs package (5.1.52-1 on EL6.1 and > 5.0.77-4 on EL5.7) and the ruby-mysql package (ruby-mysql-2.8.2-1 on > EL6.1, ruby-mysql-2.7.3-1 on EL5.7), although I'm not sure if this is > relevant. > > Any help regarding these errors would be greatly appreciated. 
[Puppet Users] multiple versions of a package (gems) in puppet
Hi -- I'm setting our servers up to use puppet, and have hit a bit of a sticking point with the gems we require. For some of our servers, we need to install multiple versions of the same gem, so I tried something like this:

class gems::gems::rails {
  define gempackage::rails ( $version = $title ) {
    Class[ "gems::params" ] -> Gempackage::Rails[ $version ]
    package { "rails-${ version }":
      name => "rails",
      ensure => $version,
      provider => gem,
    }
  }
  gempackage::rails { $gems::params::railsversions: }
}

The variable $gems::params::railsversions is something like [ "2.1.1", "2.3.4" ] for one of the (ancient!) cases. What I was hoping to do, here, was to have the package installed for each version. It wouldn't allow a package of the same title to be declared twice, so I made that unique, but am still failing on the name of the package not being unique. I can't be the only person who needs to do something like this, but I've failed to google up anything that might help me get the multiple versions installed. Could anyone please advise me on how I might get around this problem? I'm completely stumped! Thanks in advance for any & all assistance, Doug.
Re: [Puppet Users] courier imap/pop not refreshing
(My apologies for the attachment, I'm sleepy and did -a not -i in mutt.)
[Puppet Users] mysql errors
I'm currently running three puppet masters (version 2.7.3 via apache+passenger) in a cluster, 2 on CentOS 5.7, 1 on CentOS 6.1

On the 6.1 master, I am frequently getting the following error (approximately 50% of the time when a client connects):

err: Could not retrieve catalog from remote server: Error 400 on SERVER: Mysql::Error: Unknown prepared statement handler (7) given to mysqld_stmt_execute: INSERT INTO `inventory_facts` (`name`, `node_id`, `value`) VALUES (?, ?, ?)

I don't see any errors on the other two masters running CentOS 5.7.

I have a separate server running CentOS 6.1 and MySQL 5.1.52 for the inventory db.

On the masters, I have inventory configured in the puppet.conf as follows:

facts_terminus = inventory_active_record
dbadapter = mysql
dbname = inventory
dbuser = inventory
dbpass =
dbserver = x.x.x.x

The masters are running ruby enterprise 1.8.7 and all have exactly the same versions of ruby gems installed.

*** LOCAL GEMS ***

activemodel (3.1.3)
activerecord (3.1.3)
activesupport (3.1.3)
arel (2.2.1)
builder (3.0.0)
facter (1.6.3)
fastthread (1.0.7)
i18n (0.6.0)
multi_json (1.0.3)
mysql (2.8.1)
mysql2 (0.3.10)
passenger (2.2.9)
puppet (2.7.3)
rack (1.1.0)
rake (0.8.7)
tzinfo (0.3.31)

The only (potentially related) differences I can see between the masters are with the mysql-libs package (5.1.52-1 on EL6.1 and 5.0.77-4 on EL5.7) and the ruby-mysql package (ruby-mysql-2.8.2-1 on EL6.1, ruby-mysql-2.7.3-1 on EL5.7), although I'm not sure if this is relevant.

Any help regarding these errors would be greatly appreciated.
Re: [Puppet Users] Static Puppet Binary
> I just wanted to ask a question here, is it possible to build a static
> binary that I could sep to a client machine, and have it do its first run
> to connect to a puppet master?
>
> My plan is to use a static binary as a sort of installer for particular
> systems, as I don't really want to have to install puppet client on 70
> systems by hand! These are all production servers already, so I'm not
> getting the opportunity to build them from the ground up.

We have a script that preps a machine for puppet, it's usually called like this, on the remote box:

curl http://puppetmaster.example.com/install-puppet.sh | bash -x

the script just sets up the yum repos, removes any crufty ruby installed, yum installs our puppet rpms, pulling in the right ruby rpm & runs the first puppet apply, with wait for cert & then sets up the service. We also do a few other steps that trip us up (clock drift being one for certs, so ntpd is configured & time pulled from a known good source etc). I can sanitize & post this if you want.

Simon.
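The bootstrap call from the message above, with the script written to a file and compared against a pinned SHA-256 before it is executed, as an added example that is not part of the original post. The HTTPS URL, the `PUPPET_INSTALL_URL` and `PUPPET_INSTALL_SHA256` variables and the `--run` switch are assumptions; the digest is expected to reach the new machine by a separate channel from the script.

```shell
#!/bin/sh
# Added example: fetch, verify, then run, instead of piping curl into bash.
# Assumed placeholders (not from the original post):
#   PUPPET_INSTALL_URL     e.g. https://puppetmaster.example.com/install-puppet.sh
#   PUPPET_INSTALL_SHA256  64 lowercase hex characters, distributed out of band

# Print the SHA-256 of a file as lowercase hex, using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Return 0 only when the file's digest equals the pinned digest.
#   2 = file missing or empty (failed or truncated download)
#   3 = pinned value is not a 64-character lowercase hex digest
#   4 = digest could not be computed
#   1 = digest mismatch
verify_pinned() {
    local file="$1" expected="$2" actual
    [ -s "$file" ] || return 2
    case "$expected" in
        ''|*[!0-9a-f]*) return 3 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 3
    actual=$(sha256_of "$file") || return 4
    [ -n "$actual" ] || return 4
    [ "$actual" = "$expected" ]
}

# Download to a temporary file, verify it, and execute only the verified copy.
bootstrap_puppet() {
    local url="$1" expected="$2" tmp rc
    tmp=$(mktemp) || return 1
    # --proto '=https' makes curl refuse any scheme other than HTTPS.
    if ! curl --fail --silent --show-error --proto '=https' -o "$tmp" "$url"; then
        rm -f "$tmp"
        return 1
    fi
    if ! verify_pinned "$tmp" "$expected"; then
        echo "digest check failed for $url, not executing" >&2
        rm -f "$tmp"
        return 1
    fi
    bash -x "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Runs only when called as: sh bootstrap.sh --run
if [ "${1:-}" = "--run" ]; then
    bootstrap_puppet "$PUPPET_INSTALL_URL" "$PUPPET_INSTALL_SHA256"
fi
```

Because the script is executed from the file that was hashed, a partial download or a response altered in transit ends in a non-zero exit before any of it runs.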
[Puppet Users] Workaround for file syncing bug 6004
Hi, Does anyone by any chance know a work-around for the bug: https://projects.puppetlabs.com/issues/6004 ? I tried out 2.7.6 and the bug persisted in this version. Work-around, beta code fixes, tricks are greatly appreciated. Thanks, Rob
[Puppet Users] Unable to install Puppet Enterprise v2.0.0 for RHEL 5-x86_64
Hello All, Unable to install Puppet Enterprise v2.0.0 for RHEL 5-x86_64. [root@1801 puppet-enterprise-2.0.0-el-5-x86_64]# ./puppet-enterprise- installer -a answers/full_suite.answer.sample Puppet Enterprise v2.0.0 installer for el-5-x86_64 STEP 1: READ ANSWERS FROM FILE ## Reading answers from file: answers/full_suite.answer.sample STEP 2: SELECT AND CONFIGURE ROLES This installer will offer to install the puppet master, console, cloud provisioner, and puppet agent roles. -> puppet master The puppet master serves configurations to a group of puppet agent nodes. This role also provides MCollective's message queue and client interface. It should be installed on a robust, dedicated server. ?? Install puppet master? [y/N] y -> cloud provisioner The cloud provisioner can create and bootstrap new machine instances and add them to your Puppet infrastructure. It should be installed on a trusted node where site administrators have shell access. ?? Install the cloud provisioner? [y/N] y -> console The console is a web interface for viewing reports, classifying nodes, directly managing resources, controlling Puppet runs, and invoking MCollective agents. It should usually be installed on the puppet master server, but can also installed separately. ?? Install the console? [Y/n] y -> puppet agent The puppet agent role is automatically installed with the console and puppet master roles. ?? Puppet master's unique "certname"? [Default: 1801.corp.st.org] 1801.corp.st.org ?? Puppet master's valid DNS names (comma-separated list)? [Default: 1801,1801.corp.st.org,puppet,puppet.corp.st.org] djaxlhpo9000,djaxlhpo9000.corp.citistreet.org,puppet,puppet.corp.citistreet.org ?? Port to serve the console over? [Default: 443] 443 ?? User name for accessing the console interface? [Default: console] console ?? Password for user console (minimum 4 characters)? ?? The console requires a MySQL database server. Install a new database server from your operating system's repository? 
[Y/n] n The console requires a MySQL database and a user account able to edit it.?? Is your existing MySQL server running on a remote host? [Y/ n] y ?? Database server hostname? [Default: localhost] 1801.corp.st.org ?? Database port? [Default: 3306] 3306 ?? Database name? [Default: console] console ?? Database user (must have all privileges on the database 'console')? [Default: console] console ?? Database user password (minimum 4 characters)? If the database and user have not yet been created on your database server, please log in as a privileged user now and set them up manually. Example SQL commands: CREATE DATABASE console CHARACTER SET utf8; CREATE USER 'console'@'localhost' IDENTIFIED BY 'consolepassword'; GRANT ALL PRIVILEGES ON console.* TO 'console'@'localhost'; CREATE DATABASE console_inventory_service CHARACTER SET utf8; GRANT ALL PRIVILEGES ON console_inventory_service.* TO 'console'@'localhost'; ?? Unique "certname" for this puppet agent node? [Default: 1801.corp.st.org] 1801.corp.st.org ?? Puppet master hostname to connect to? [Default: 1801.corp.st.org] 1801.corp.st.org -> Convenience Links The selected Puppet software will be installed into "/opt/puppet", which may not be included in your default shell PATH. For ease of use, this installer can create symbolic links to these executables in "/usr/local/bin". ?? Create symbolic links to Puppet executables in "/usr/local/bin"? [Y/ n] y ## Saved answers to file: ./answers.lastrun STEP 3: CONFIRM PLAN ?? Perform installation? [Y/n] y ## Saved answers to file: /etc/puppetlabs/installer/answers.install Warning: overwriting /etc/puppetlabs/facter/facts.d/ puppet_enterprise_installer.txt Creating Backup: /etc/puppetlabs/facter/facts.d/ puppet_enterprise_installer.txt.bak STEP 4: INSTALL PACKAGES ## Installing packages from files... Preparing... ### [100%] 1:pe-httpd ### [ 2%] 2:pe-libevent ### [ 4%] 3:pe-augeas-libs ### [ 6%]
[Puppet Users] Exported and Collected Resource With User Defined Resource Broken?
Hello all,

The key issue is, if I uncomment the line:

Myresource <<| |>> { ensure => present }

(Despite having defined the resource) I get the error:

err: Could not find type Myresource on node hmaster

I'm attempting to follow the instructions from the book Pro Puppet pgs. 143-145; however, it seems that I'm very lost, as I am unable to export and collect my resource while I am able to export and collect both host and sshkey resources fine. Am I doing something incorrectly? I am using Puppet 2.7.5 on both my puppet master (Debian with puppet built from source) and clients (CentOS 5 with puppet from rpmforge). A unit test to show the failure is as follows (everything in site.pp):

--
node /hslave[0-9].local/ { class{"hslave":} }
node /hmaster.local/ {
  class{"hslave": before => Class["hslave_file"]}
  class{"hslave_file":}
}
class hslave {
  # This works
  @myresource{ "${::hostname}-virtual": }
  # This "works" but can't seem to be collected
  @@myresource{ "${::hostname}": }
}
class hslave_file{
  # This fails with:
  # err: Could not find type Myresource on node hmaster
  # Myresource <<| |>> { ensure => present }
  # This works fine
  Myresource <| |> { ensure => present }
  # This works fine
  myresource { "${::hostname}-extra": ensure => present }
}
define myresource($ensure = present) {
  file { "/tmp/puppet_test$name": ensure => $ensure }
}

For reference, after running this on "hmaster" I have:

[hadmin@hmaster ~]$ ls -l /tmp/*hmaster*
-rw-r--r-- 1 root root 0 Jan 11 07:54 /tmp/puppet_testhmaster
-rw-r--r-- 1 root root 0 Jan 11 07:54 /tmp/puppet_testhmaster-extra
-rw-r--r-- 1 root root 0 Jan 11 07:54 /tmp/puppet_testhmaster-virtual

Thank you, Clay
[Puppet Users] Looking for real world server setup example
Hi, I am looking for real world server setups to learn more from others. The ones I know of are The Repository of David Schmitt http://projects.puppetlabs.com/projects/1/wiki/Complete_Configuration The Wikimedia Server repository http://blog.wikimedia.org/2011/09/19/ever-wondered-how-the-wikimedia-servers-are-configured/
[Puppet Users] Problem with not installing package, exec do an error
Hello

I have a list of successive packages, and it occurred that some packages are not installed.

exec { 'sudo gem update --system':
  path => ['/usr/bin/'],
  alias => updateGem,
}
package { ' libmemcached-dev':
  ensure => present,
  alias => memDev,
  require => Exec[updateGem],
}
package { ' libmemcached-dbg':
  ensure => present,
  alias => memDbg,
  require => Package[memDev],
}
package { ' libsas2-dev':
  ensure => present,
  alias => sasDev,
  require => Package[memDdg],
}
package { 'libcurl3-dev':
  ensure => present,
  alias => curlDev,
  require => Package[sasDev],
}
package {'libmysqlclient-dev':
  ensure => present,
  alias => libSql,
  require => Package[curlDev],
}
package {'libsqlite3-dev':
  ensure => present,
  alias => libSql3,
  require => Package[libSql],
}

The packages libcurl3-dev, libsas2-dev, libmemcached-dbg, libmemcached-dev are not installed here. So I don't understand why, because other packages do. So I tried something desperate:

exec { 'sudo apt-get install libmemcached-dev':
  path => ['/usr/bin'],
  alias => memDev,
  require => Exec[updateGem],
}

Unfortunately it doesn't work either:

err: /Stage[main]//Exec[sudo apt-get install libmemcached-dev]/returns: change from notrun to 0 failed: sudo apt-get install libmemcached-dev returned 1 instead of one of [0] at /mnt/hgfs/puppet/install.pp:10

I would prefer to do it with package, so if someone has an idea. Thank you !
Re: [Puppet Users] Blocking or gating service restarts?
On 10 January 2012 18:36, Wolf Noble wrote:
> just a thought; what if you made a fact for number of apache workers
> currently serving something, and base the service restart off of that.
>
> Might not be the best option; might not even work, but it makes more sense
> to me to have the service restart dependent on a local fact than be
> dependent on something external to the server

Interesting, making the machines LB status (& apache worker count etc would be pretty straightforward, machines already know if they are IS/OOS) - how do I use the fact to influence the restart - still needs a hook in the service resource type right?

-- Simon McCartney E: si...@mccartney.ie M: +44 7710 836 915
[Puppet Users] Puppet on Windows - client installer?
I've been watching Puppet on Windows and may be interested in trying it out - our Linux team is already working with it in a pilot... The issue I see is it doesn't seem to have a msi or exe I could install on client computers, instead it looks like it'd need a ruby environment installed to get started (if I understand correctly)... Is this the case, or am I missing where the installer is? Is there any thought to creating a msi / exe installer in the future that would have puppet be self contained and run a service? Thank...
[Puppet Users] Re: Failed to Allocate Memory When Connected to LDAP
On 01/19/2012 03:37 PM, James Lee wrote:
> Hello,
>
> I have a Solaris 10 system running Puppet 2.6.8 that is experiencing a
> very unusual problem. It has been running fine up until I configured
> the system to use LDAP for users and groups. The problem is easily
> reproducible. Take "ldap" out of /etc/nsswitch.conf and it runs fine,
> once it's added back in, Puppet crashes:

I've narrowed down what is triggering this problem, but I still do not know how to fix it. I created a barebones node configuration:

> node 'acad.es.gwu.edu'
> {
>   package { "SUNWzsh":
>     ensure => "installed",
>     provider => "sun",
>   }
>
>   notify { "SUNWzsh is installed":
>     require => Package["SUNWzsh"],
>   }
> }

The 'package' resource will cause Puppet to crash with:

> acad ~ # puppet agent --test --environment=jameslee --no-report --noop
> /opt/csw/lib/ruby/gems/1.8/gems/puppet-2.6.12/lib/puppet/provider/package/apt.rb:15:in `[]=': failed to allocate memory (NoMemoryError)
>         from /opt/csw/lib/ruby/gems/1.8/gems/puppet-2.6.12/lib/puppet/provider/package/apt.rb:15
> ...

Any other resource in the node configuration and Puppet runs without complaint. For example, I can manage users and everything. The weird thing is, once I disable 'ldap' in /etc/nsswitch.conf, Puppet will run with the packages resource too:

> acad ~ # puppet agent --test --environment=jameslee --no-report --noop
> info: Caching catalog for acad.es.gwu.edu
> info: Applying configuration version '1327080824'
> notice: /Stage[main]//Node[acad.es.gwu.edu]/Notify[SUNWzsh is installed]/message: current_value absent, should be SUNWzsh is installed (noop)
> notice: Finished catalog run in 4.66 seconds

WEIRD! So I took a look at the 'apt.rb' file from the stack trace above and see that it is failing trying to set an environmental variable. To see whether it was that line or something else, I added:

> ENV["TEST"] = "foo"

to the very first line of the file. Should be harmless, but lo and behold:

> acad ~ # puppet agent --test --environment=jameslee --no-report --noop
> /opt/csw/lib/ruby/gems/1.8/gems/puppet-2.6.12/lib/puppet/provider/package/apt.rb:1:in `[]=': failed to allocate memory (NoMemoryError)

Just trying to set the environmental variable crashed Puppet. Next, to see if 'ENV' was really growing out of control, I added 'p ENV' to the top of 'apt.rb' and the result wasn't anything out of the ordinary:

> acad ~ # puppet agent --test --environment=jameslee --no-report --noop
>
> {"_"=>"/usr/local/bin/puppet", "PAGER"=>"less", "EDITOR"=>"vim",
> "OLDPWD"=>"/opt/csw/lib/ruby/gems/1.8/gems/puppet-2.6.12/lib",
> "PWD"=>"/export/home/jameslee", "SHLVL"=>"1",
> "HOME"=>"/export/home/jameslee",
> "PATH"=>"/usr/local/sbin:/usr/local/bin:/opt/csw/sbin:/opt/csw/bin:/usr/sfw/bin:/usr/sbin:/usr/bin:/sbin:/bin",
> "MAIL"=>"/var/mail//jameslee", "TZ"=>"US/Eastern", "LANG"=>"C",
> "TERM"=>"xterm", "DISPLAY"=>"localhost:13.0", "SHELL"=>"/bin/zsh",
> "LOGNAME"=>"root", "USER"=>"root", "SUDO_COMMAND"=>"/bin/zsh",
> "SUDO_USER"=>"jameslee", "SUDO_UID"=>"19374", "SUDO_GID"=>"14"}
> /opt/csw/lib/ruby/gems/1.8/gems/puppet-2.6.12/lib/puppet/provider/package/apt.rb:2:in `[]=': failed to allocate memory (NoMemoryError)

I don't understand how setting ENV variables is fine without LDAP and crashes Puppet/Ruby with LDAP. At this point I suspect I am looking at a weird consequence of another problem, but I have no idea.

I've been able to replicate this problem with Puppet 2.6.8, 2.6.12 running on Ruby 1.8.4 (from Sun Freeware) and 1.8.7 (from OpenCSW).

If anyone has any ideas, I'd love to hear them. I really just need a fresh set of eyes at this point.

Thanks,
James
[Puppet Users] Re: Investigating catalog compile times and cpu utilization
https://github.com/rodjek/puppet-profiler ?

-Dave

On Jan 19, 7:12 am, Jake - USPS wrote:
> So recently I deployed some new puppet code in our environment and
> noticed CPU utilization on our puppetmasters went up a bit. This led
> me to wonder what exactly did I add to cause catalog compiling to
> utilize more CPU? I was wondering if there is a way to check how long
> different parts in a recipe take to compile for a node(s) ... I know
> sometimes things I want to do can maybe be done in several different
> ways so if I was able to find a part in my recipe that is causing
> compiling to take longer maybe I can change it to be handled in a
> different way.
>
> I'll obviously be going back to see exactly what changes I actually
> made, but just curious if there is some way to check into something
> like this.
>
> Thanks,
> Jake
[Puppet Users] Exported and Collected Resource With User Defined Resource Broken?
Hello all,

The key issue is, if I uncomment the line:

    Myresource <<| |>> { ensure => present }

I get the error:

    err: Could not find type Myresource on node hmaster

I'm attempting to follow the instructions from the book Pro Puppet pgs. 143-145; however, it seems that there's a parser issue or I'm very lost, as I am unable to export and collect my resource while I am able to export and collect both host and sshkey resources fine. Am I doing something incorrectly?

I am using Puppet 2.7.5 on both my puppet master (Debian with puppet built from source) and clients (CentOS 5 with puppet from rpmforge).

A unit test to show the failure is as follows (everything in site.pp):

--
    node /hslave[0-9].local/ {
      class{"hslave":}
    }

    node /hmaster.local/ {
      class{"hslave": before => Class["hslave_file"]}
      class{"hslave_file":}
    }

    class hslave {
      # This works
      @myresource{ "${::hostname}-virtual": }

      # This "works" but can't seem to be collected
      @@myresource{ "${::hostname}": }
    }

    class hslave_file{
      # This fails with:
      # err: Could not find type Myresource on node hmaster
      # Myresource <<| |>> { ensure => present }

      # This works fine
      Myresource <| |> { ensure => present }

      # This works fine
      myresource { "${::hostname}-extra": ensure => present }
    }

    define myresource($ensure = present) {
      file { "/tmp/puppet_test$name": ensure => $ensure }
    }

For reference, after running this on "hmaster" I have:

    [hadmin@hmaster ~]$ ls -l /tmp/*hmaster*
    -rw-r--r-- 1 root root 0 Jan 11 07:54 /tmp/puppet_testhmaster
    -rw-r--r-- 1 root root 0 Jan 11 07:54 /tmp/puppet_testhmaster-extra
    -rw-r--r-- 1 root root 0 Jan 11 07:54 /tmp/puppet_testhmaster-virtual

Thank you,
Clay
[Puppet Users] Password not changing during polling event but does using puppetd -vt
I have created a class for the root user that uses the "User resource" to manage the root password. All seems to work well and as expected when I use puppetd -vt on a machine (or if I restart the service on the client) but during a regular polling event the password is not changed and when I go into the dashboard I can see that the event for running my class is run.

Just to make sure the clients are working properly, I added a line to a managed file and got the expected results of the file being replaced.

Is this expected behaviour that I don't know about? Is there a way to put a client puppetd process into debug and trace so I can see the results?

Any thoughts?

Thanks a lot
Andre
[Puppet Users] How do *you* handle yumrepo dependency chains?
Say you have a RHEL6 environment. You have some packages you want installed, these rely on a yumrepo. That yumrepo relies on an rpm-gpg key being installed.

Now you get some RHEL5 boxes to add to the network. Your yumrepo RHEL6.2 with a dependency on the RHEL6 signing key now causes a problem: all of the rpms you need are the same, but those rpms rely on the RHEL6.2 yumrepo which is wrong, and that relies on the RHEL6 signing key which is wrong too.

What approach do you use?

Thanks.
JB
[Puppet Users] Dependencies: packages and repos
Hello,

What's the best way of handling package installs that rely on a yum repository, which in turn relies on a gpg key?

At the moment I have only RHEL6 boxes which have a few yumrepos defined and a few packages installed. The yumrepos in turn rely on an rpm-gpg key.

I now need to add some RHEL5 boxes. The repos contain the major version name and require a different rpm-gpg key. I could hack around with some variables in the yumrepos module but this seems dirty.

How are others handling this situation?

Thanks.
Re: [Puppet Users] Managing SSH host private keys
> This addresses how to distribute keys to node from the fileserver, but I
> wonder if there is a mechanism where if the key doesn't exist on the
> fileserver, the key that currently exists on the node is pulled in and saved
> for future reference - i.e. when new nodes are created.

I believe a filebucket is what you are looking for:

http://docs.puppetlabs.com/man/filebucket.html
http://docs.puppetlabs.com/references/latest/type.html#filebucket

Should be able to use it to back up your SSH keys during a puppet run.

-Steve
[Puppet Users] Set hourly of execution with service puppet
Hi guys!

I'm from Brazil, and I'm learning puppet. I need to set the interval in the puppet client for sync with the puppetmaster... How do I do it?

Sorry for my English

Douglas
[Puppet Users] Re: Is it possible to conditionally replace a file ?
Hi,

I would like to achieve a conditional file replacement but slightly different. I deploy recursively a directory with a lot of config files. This is my resource:

    file {"/foo":
      ensure  => directory,
      recurse => remote,
      source  => "puppet:///modules/module_name/configs/${hostname}/foo",
      ignore  => ["no_replace1.cfg","no_replace2.cfg"],
    }

I need to ignore these two files because they will not be puppet managed but initialized by puppet.
[Puppet Users] Cipher is not a module
Hi,

I'm trying to install puppet as a client on a new machine. I received this weird error when trying to start up as /etc/init.d/puppet start :

    /usr/lib/ruby/1.8/openssl/cipher.rb:22: Cipher is not a module (TypeError)
        from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:36:in `gem_original_require'
        from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:36:in `require'
        from /usr/lib/ruby/1.8/openssl.rb:20
        from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:36:in `gem_original_require'
        from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:36:in `require'
        from /usr/lib/ruby/site_ruby/1.8/puppet/ssl.rb:3
        from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:36:in `gem_original_require'
        from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:36:in `require'
        from /usr/lib/ruby/site_ruby/1.8/puppet.rb:155
        from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:271:in `require'
        from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:271:in `initialize'
        from /usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:60:in `new'
        from /usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:60:in `execute'
        from /usr/bin/puppet:4

My Linux is 2.6.18-274.3.1.el5 #1 SMP Tue Sep 6 20:13:52 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux which is a Centos 5.6 and the packages I installed using yum install are:

    ruby-libs-1.8.7.352-5.el5
    ruby-libs-1.8.5-5.el5_4.8
    rubygem-activesupport-2.1.1-2.el5
    ruby-1.8.7.352-5.el5
    ruby-augeas-0.4.1-1.el5
    ruby-irb-1.8.7.352-5.el5
    rubygems-1.8.10-1.el5
    rubygem-activerecord-2.1.1-2.el5
    ruby-shadow-1.4.1-7.el5
    ruby-rdoc-1.8.7.352-5.el5
    libselinux-ruby-1.33.4-5.7.el5
    facter-1.6.3-1.el5
    puppet-2.7.6-2.el5
    puppet-server-2.7.6-2.el5

I even removed the /usr/lib/ruby before reinstalling but it doesn't work. Funny thing is, it worked for my puppet master and one of my clients, and repeated the same way for this machine, but I kept getting this "Cipher is not a module" error.

Please point out what I'm missing...

thanks,
K
[Puppet Users] Advice/Best practices inter-module dependencies
Hello list,

I am looking for advice/best-practices on how to handle inter-module dependencies. We have a fairly large/complex code base (100+ modules) with a lot of history (we started at 0.24) and lately we have taken into looking how we can improve the quality of the codebase. Parametrized classes, the style guide are all quick wins and no-brainers. But we have some inter-module dependencies, mostly because of ordering, for which a proper design pattern is more elusive.

A good example is our ldap setup, this setup needs to happen after the initialization of our packaging system. It also has to happen before a lot of the other modules, because ldap provides the details for some of the file owners/groups that are used. We have experimented with a few methods of getting this setup, but have always found significant drawbacks. Without stages we tried three ways of doing this:

Creating a dependency chain between classes. Class['Ldap'] -> Class['Mysql']. This is very easy to do, but doesn't work if we inherit from Ldap, say:

    class ldap::server inherits ldap

The ordering between ldap::server and Mysql is not guaranteed. It also requires the maintainer of the ldap module to know about all modules that depend on ldap and update them if he decides to inherit. A task that is likely to be forgotten.

Creating dependency chains between resources in the modules, f.e. notify's. Every module that is part of a dependency defines a notify{ 'endpoint': } and makes sure that everything within the module is executed before the notify. If we inherit from the base class, the overriding class is responsible for making sure that endpoint is still the last thing executed in this module. Making it more likely that the ordering of events will remain as we want it after a continued year of development. But because of assumptions about our base image, and the rarity of reinstalls, it is easy to forget the requirements in modules that actually need them, leading to some subtle bugs where the first puppet run on a fresh install might not work but subsequent runs do. Luckily execution is now in fixed-order, otherwise that would have been a problem as well.

The third is the use of stages for the ordering of actions, but this seems to be an all or nothing approach, and the result is a very splintered module. For example, our packaging setup is quite complex. First we initialise the packaging system and configure all the default package source, then custom sources could be configured on top of that we allow (un)masking of specific package versions. And after all this one can install a package.

We could define 4 stages and each module that needs to do one of these actions would need to run classes in the designated stage, this results in some very splintered packages. Or we could define only 2 stages and have the base setup run before everything else and then wrap all other actions with defines that specify the ordering between them using some self-built ordering mechanism based on notify's or classes. A problem with this would be that those defines could only be used in the main stage, because of the built-in ordering. Modules adding more stages, like ldap, would need to do something custom for installing the required packages, which again makes maintenance of the package module more difficult to do right.

So after this rather longer email explaining our problem and some of the options we explored, how do you guys handle these kind of complex inter-module dependencies?

Cheers,
Jos Houtman
[Puppet Users] Question about puppet module development
Hi all.

I want to write a module for kerberos configuration. I planned to configure realms by using subclasses like in the saz-sudo module:

    ...
    ### Adding sudoers definition (includes installation of sudo)
    sudo::conf { 'admins':
      priority => 10,
      content  => '%admins ALL=(ALL) NOPASSWD: ALL',
    }
    ...

But this module is just creating a file in the sudoers.d directory. krb5.conf does not provide an 'include' directive, so I need to manage the whole file. First I wanted to use augeas for this purpose, but found that the augeas supplied with debian squeeze has troubles with krb5.conf.

The file has the following structure:

    [section1]
    option1 = value
    option2 = value

    [section2]
    option3 = value
    option4 = value

For example, a configuration of two realms looks like:

    [realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu:88
        kdc = kerberos-1.mit.edu:88
        kdc = kerberos-2.mit.edu:88
        admin_server = kerberos.mit.edu
        default_domain = mit.edu
    }
    MEDIA-LAB.MIT.EDU = {
        kdc = kerberos.media.mit.edu
        admin_server = kerberos.media.mit.edu
    }

    [domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
    .media.mit.edu = MEDIA-LAB.MIT.EDU
    media.mit.edu = MEDIA-LAB.MIT.EDU

Does anybody have an idea how I can manage krb5.conf without augeas?
[Puppet Users] Writing a resource type provider in Python
Is it possible to write a provider in Python? I have to access something via a library that is written in Python. I'd rather not rewrite the library in Ruby, or call out to shell.

I couldn't find any references on how to do this on the Puppet website and web searches for [puppet providers in python] or [writing puppet resources in python] mostly turn up links about using Puppet to manage Python and Python packages.

Tom

--
http://EverythingSysadmin.com -- my blog
http://www.TomOnTime.com -- my videos
[Puppet Users] Selecting modules based on subnet in nodes.pp
I have four major zones in my network: Development, Quality Assurance, User Acceptance Testing, and Production. I am able to deploy different modules to these zones based on the simple regular expressions posted in the example at the bottom of this message.

I have two data centers in my network: Salt Lake City and Santa Clara. I would like to be able to deploy different modules to servers based on the data center that they reside in. I have tried simple if statements and case statements but don't seem to be able to deploy my site based modules.

Can you give me some input on the best approach to my problem? I know I can manually define every server in the enterprise in my nodes.pp, but I would prefer a more dynamic approach based on IP subnet.

    $sal_nets = ['10.131.21.0','10.131.31.0','10.131.40.0','10.134.40.0','10.135.1.0','10.135.2.0','10.135.20.0','10.135.3.0','10.135.6.0','10.142.20.0','10.142.23.0']
    $scl_nets = ['10.146.1.0','10.146.16.0','10.146.19.0','10.146.20.0','10.146.24.0','10.146.24.0','10.146.28.0','10.146.31.0','10.151.21.0','192.168.119.0','192.168.43.0','192.168.99.0']

    node /^.+\.dev\.svbank\.com/ {
      # if ($network_eth0 in $sal_nets) or ($network_bond0 in $sal_nets) {
      #notice('salt lake city net')
      # }
      # if (($network_eth0 and ($network_eth0 in $sal_nets))) or ($network_bond0 and (($network_bond0 in $scl_nets))) {
      #notice('santa clara net')
      # }
      case $network_eth0 {
        $sal_nets: { include svb-sal-sendmail-cf } # use SAL repository
        $scl_nets: { include svb-scl-sendmail-cf } # else use SCL repository
      }
      include svb-core-config
      include svb-core-encase
      include svb-core-packages
      include svb-puppet
      include svb-sshd
      include svb-sudo
      include svb-repos
      include svb-snmpd
      # include svb-sendmail-cf
    }

    node /^.+\.qa\.svbank\.com/ {
      include svb-core-config
      include svb-core-encase
      include svb-core-packages
      include svb-puppet
      include svb-sshd
      include svb-sudo
      include svb-repos
      include svb-snmpd
      # include svb-sendmail-cf
    }

    node /^.+\.uat\.svbank\.com/ {
      include svb-core-config
      include svb-core-encase
      include svb-core-packages
      include svb-puppet
      include svb-sshd
      include svb-sudo
      include svb-repos
      # include svb-sendmail-cf
      include svb-users
    }

    node /^.+\.corp\.svbank\.com/ {
      include svb-core-config
      include svb-repos
      include svb-puppet
    }
[Puppet Users] Exporting local resources
Hi all,

can I export a file present on a puppet client not created by puppet itself?

In example: On host A I have a file /var/www/my_intranet_site/htusers that I like to have on host B too

    class exporter {
      @@file { "/var/www/my_intranet_site/htusers":
        tag    => "basic_auth_users",
        ensure => present,
      }
    }

    class importer {
      File <<| tag == "basic_auth_users" |>>
    }

    host A { include exporter }
    host B { include importer }

Thanks,
L.
[Puppet Users] Conditionally replace in file type
Hello,

I'm making the deployment of an application configuration as follows:

    file {"/home/user/foo/bar":
      ensure  => directory,
      recurse => remote,
      source  => "puppet:///configs/${hostname}/home/user/foo/bar",
      ignore  => ["file1.cfg","file2.cfg"],
    }

I am ignoring these two files ("file1.cfg","file2.cfg"), because they are dynamically modified by the application. So, not puppet managed.

And here's my problem. Because on the other hand I have to initialize both files in the first run. What can I do? Is there any way to mix the "ignore" and "replace" parameters?

PS: I cannot define another resource with the path of the not-managed files, because depending on hostname that path changes.

Thanks in advance and apologies for my poor English! ;)
[Puppet Users] intermodule dependency
Hello list,

I am looking for advice/best-practices on how to handle inter-module dependencies. We have a fairly large/complex code base (100+ modules) with a lot of history (we started at 0.24) and lately we have taken into looking how we can improve the quality of the codebase. Parameterized classes, the style guide are all quick wins and no-brainers. But we have some inter-module dependencies, mostly because of ordering, for which a proper design pattern is more elusive.

A good example is our ldap setup, this setup needs to happen after the initialization of our packaging system. It also has to happen before a lot of the other modules, because ldap provides the details for some of the file owners/groups that are used. We have experimented with a few methods of getting this setup, but have always found significant drawbacks. Without stages we tried three ways of doing this:

Creating a dependency chain between classes. Class['Ldap'] -> Class['Mysql']. This is very easy to do, but doesn't work if we inherit from Ldap, say:

    class ldap::server inherits ldap

The ordering between ldap::server and Mysql is not guaranteed. It also requires the maintainer of the ldap module to know about all modules that depend on ldap and update them if he decides to inherit. A task that is likely to be forgotten.

Creating dependency chains between resources in the modules, f.e. notify's. Every module that is part of a dependency defines a notify{ 'endpoint': } and makes sure that everything within the module is executed before the notify. If we inherit from the base class, the overriding class is responsible for making sure that endpoint is still the last thing executed in this module. Making it more likely that the ordering of events will remain as we want it after a continued year of development. But because of assumptions about our base image, and the rarity of reinstalls, it is easy to forget the requirements in modules that actually need them, leading to some subtle bugs where the first puppet run on a fresh install might not work but subsequent runs do. Luckily execution is now in fixed-order, otherwise that would have been a problem as well.

The third is the use of stages for the ordering of actions, but this seems to be an all or nothing approach, and the result is a very splintered module. For example, our packaging setup is quite complex. First we initialise the packaging system and configure all the default package source, then custom sources could be configured on top of that we allow (un)masking of specific package versions. And after all this one can install a package.

We could define 4 stages and each module that needs to do one of these actions would need to run classes in the designated stage, this results in some very splintered packages. Or we could define only 2 stages and have the base setup run before everything else and then wrap all other actions with defines that specify the ordering between them using some self-built ordering mechanism based on notify's or classes. A problem with this would be that those defines could only be used in the main stage, because of the built-in ordering. Modules adding more stages, like ldap, would need to do something custom for installing the required packages, which again makes maintenance of the package module more difficult to do right.

So after this rather longer email explaining our problem and some of the options we explored, how do you guys handle these kind of complex inter-module dependencies?

Cheers,
Jos Houtman
[Puppet Users] Anyone know a good tool for 'watching' configurations?
Now that we have configuration management for our OS and we are actively managing our operating systems nearly hands off we want to now start doing some configuration mgmt of our applications. We don't frankly see having all our application teams use puppet or anything else to actively manage their applications.

What we would like to do is watch the applications and know when things change. Basically, watch the directories that the developers put their applications into and keep a history of what changes and when.

Does anyone have any idea on if there are any tools that can provide the ability to watch directories for changes like that. I know there is auditd that can do this, as well as maybe an intrusion detection tool like AIDE, but those solutions would involve lots of raw data and not much human readable stuff. I suppose we could write something to take all that data, digest it and report on it. But I was wondering if anyone knows of a tool that would do this type of function and provide some human friendly data and reports etc..
Re: [Puppet Users] Considering LDAP ENC
Having just gone through this conversion recently, it's not as hard as it seems.

- Puppet variables are managed through the puppetVar entries for the objectClass so there's no need to extend the schema.
- All variables are passed to the manifests as a string. You need to identify your hashes in your manifests and split them over a delimiter.
- No parametrized classes (as of 2.6.x) can be called directly from LDAP. We had to locate our parameterized classes that were impacted and convert them over to using variables, and throwing a parse error if required variables were not located. This took maybe an hour to do.
- At least as of 2.6.x it appears that the environment variable is completely ignored from the client. This behavior is actually desired but if you have gotten used to --environment=newfeatureenv it can be a change. We are also leveraging dynamic environments as described in http://puppetlabs.com/blog/git-workflow-and-puppet-environments/ which helps separate development from production.

On Wed, Jan 25, 2012 at 10:44 AM, Brian Wong wrote:
> I have been reading about the LDAP ENC at the wiki
> http://projects.puppetlabs.com/projects/puppet/wiki/LDAP_Nodes.
>
> I am considering using the LDAP ENC, but I have a couple of concerns
> when it comes to the implementation.
> - It seems that the example using the entry attribute 'ipHostNumber'
> as a puppet variable is not really viable, for the LDAP schema would
> have to be updated to support arbitrary LDAP attributes such as this.
> Or perhaps this is an attribute that is part of the 'core' LDAP
> schema?
> - To support arrays it would require puppet parser functions and
> extraneous code in manifests to expand the LDAP arrays to puppet
> arrays.
> - It is not clear how parameterized classes can be handled.
>
> One of the important advantages of the LDAP ENC in my opinion is that
> modification can be tied directly to LDAP authorization. I want
> developers to be able to modify the classes pulled in by their
> development hosts and the write access to a specific LDAP OU
> containing these hosts can be granted. Another LDAP OU containing the
> configuration of productions hosts will only be writable by a select
> few. In addition, there are many tools available which can modify LDAP
> entries. This lowers the entry barrier to using such the LDAP backend.
>
> Can someone confirm or dispel my concerns? Are there any other ENC
> backends which would be appropriate given my goals? Thanks.
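The two manifest-side conversions described in the reply above (a formerly parameterized class reading a `puppetVar` value, failing when it is missing, and splitting the delimited string), as an added example that is not part of the original thread. The node entry, the class name `ntp_client`, the variable `ntp_servers` and the comma delimiter are assumptions; the format check is an addition motivated by the quoted point that the OU holding these entries is writable by developers.

```puppet
# Constructed LDAP node entry (LDIF), shown as a comment for reference.
# puppetClient, puppetClass and puppetVar come from the puppet LDAP schema;
# the host name, OU and values are made up for this example.
#
#   dn: cn=dev01.example.com,ou=dev-hosts,dc=example,dc=com
#   objectClass: device
#   objectClass: puppetClient
#   cn: dev01.example.com
#   puppetClass: ntp_client
#   puppetVar: ntp_servers=ntp1.example.com,ntp2.example.com
#
# Before the conversion this was (hypothetically):
#   class ntp_client($servers) { ... }
# which cannot be declared from LDAP on 2.6.x, so the value now arrives
# as the plain string variable $ntp_servers set by the node terminus.

class ntp_client {

  # One check covers both failure modes: an unset variable is an empty
  # string on Puppet 2.x and does not match, and a value containing
  # anything other than comma-separated host names is rejected before it
  # reaches a config file. \A and \z anchor the whole string, so an
  # embedded newline cannot smuggle in a second line.
  if $ntp_servers !~ /\A[A-Za-z0-9.\-]+(,[A-Za-z0-9.\-]+)*\z/ {
    fail("ntp_client: puppetVar 'ntp_servers' is missing or malformed on ${fqdn}")
  }

  # LDAP hands over a single string; rebuild the list over the delimiter.
  $servers = split($ntp_servers, ',')

  file { '/etc/ntp.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => inline_template("<% servers.each do |s| %>server <%= s %>\n<% end %>"),
  }
}
```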
[Puppet Users] Multiple Service definitions of the same type
Hello,

I am trying to make it so that more than 1 instance of memcached can run on a single service. I have a special init.d script that can handle this, but want to define the service multiple times in a puppet class. Here is the definition I am using:

    service { "$service_name":
      name      => "memcached",
      ensure    => running,
      enable    => true,
      start     => "$init_script start $service_name",
      stop      => "$init_script stop $service_name",
      status    => "$init_script status $service_name",
      restart   => "$init_script restart $service_name",
      hasstatus => true,
      require   => [Package[memcached],File["$file_name"]]
    }

I used the $service_name so that the definition would be unique, but now puppet is throwing this error:

    Puppet::Parser::AST::Resource failed with error ArgumentError: Cannot alias Service[11411] to ["memcached"]; resource ["Service", ["memcached"]] already exists at

How can I achieve what I am trying to achieve? Any ideas?

Thanks,
Bryan