date:20120221

[Puppet Users] Capture the output of exec command

2012-02-21 Thread sateesh

Hi,

I need to capture the output of an exec command in puppet manifest
variable. How can I do this.

Thanks in advance,
Sateesh B.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Re: Capture the output of exec command

2012-02-21 Thread Paul Tötterman

Hi Sateesh,

I need to capture the output of an exec command in puppet manifest 
> variable. How can I do this. 
>

You cannot, since the manifest is compiled into a catalog on the puppet 
master and then the catalog is sent to the agent, which can be on a 
different machine, and only then is the command defined by the exec run.

Can you describe in more detail what you are actually trying to do? ( 
http://www.joelonsoftware.com/items/2008/01/22.html )

Cheers,
Paul

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/puppet-users/-/tj3xSM8JgTAJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Re: Capture the output of exec command

2012-02-21 Thread Alexander Swen


>
> You cannot, since the manifest is compiled into a catalog on the puppet 
> master and then the catalog is sent to the agent, which can be on a 
> different machine, and only then is the command defined by the exec run.
>

Ehrm, personly I would try:
exec {
  "put text in a file":
 command => "ls -la /etc>>/var/log/exec 2>&1";
or
 command => "ls -la /etc 2>&1 |tee /var/log/exec";

}

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/puppet-users/-/4TowgNHPooYJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] file and user permissions on the puppet master, best practice

2012-02-21 Thread paulS

Hi all. New puppet developer. Very excited. I have the agents
communicating with the puppet master.

I'm wondering now about best practice for file and user permissions on
the puppet master. Most of my wonder probably stems from general lack
of understanding in this area. I'd like to get it right though to
avoid refactoring later.

1. What's the best practice, or your practice, for directory and file
permissions on the puppet master?

2. What's the best practice, or your practice, for users and their
permissions on the puppet master?

Feel free to point me to posts, articles, or chapters in books. I
haven't found much so far on this topic; just that the  agent should
be run as root so that it has permission to make any changes, and the
puppetmaster can be run as non root.

Thanks for any discussion here.

Here's my setup so far.

=
server OS and puppet versions
=

Ubuntu 10.04.3 LTS (Lucid) on puppet master and clients/agents

puppet-master$ dpkg -l | grep puppet
ii  facter   1.6.4-1puppetlabs1  Ruby module for
collecting simple facts abou
ii  puppet   2.7.9-1puppetlabs1  Centralized
configuration management - agent
ii  puppet-common2.7.9-1puppetlabs1  Centralized
configuration management
ii  puppetmaster 2.7.9-1puppetlabs1  Centralized
configuration management - maste
ii  puppetmaster-common  2.7.9-1puppetlabs1  Puppet master
common scripts

puppet-agent$ dpkg -l | grep puppet
ii  facter   1.6.4-1puppetlabs1   Ruby module for
collecting simple facts abou
ii  puppet   2.7.9-1puppetlabs1   Centralized
configuration management - agent
ii  puppet-common2.7.9-1puppetlabs1   Centralized
configuration management

===
directory and file permissions on the puppet master
===

puppet.conf shows default 'moduledir = /etc/puppet/modules:/var/lib/
puppet/modules:/opt/modules'

These directories are normally root:root so I've been making all
sudirectories and files for puppet manifests, modules, and files as
root:root.

=
users and permissions
=

puppet user

upon install I have a puppet user.

grep puppet /etc/group
puppet:x:113:

grep puppet /etc/passwd
puppet:x:108:113:Puppet configuration management daemon,,,:/var/lib/
puppet:/bin/false

grep puppet /etc/group
puppet:x:113:

'sudo -s su puppet' does not switch the user to puppet, so I haven't
been doing anything as puppet.

other users

puppetadmin to store just a couple things in /home/puppetadmin that
don't belong in any one employees account. puppetadmin is a member of
its own group and of the admin group

Individual user acccounts for a few ops engineer who will need access
to make changes to configuration files in /etc/puppet/files and /opt/
stacks/. These users are members of their own
group and of the admin group. They generally switch user to root to
work on the puppet files since the files are root:root.

--
Paul Stivers
Software development operations engineer
Hewlett-Packard

Opinions expressed here are my own, and not those of Hewlett-Packard
company.


-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Re: question regarding case and facts

2012-02-21 Thread Stefan Wiederoder

Hello Marc,

thanks for your reply, I´ll give it a try.


On 13 Feb., 15:24, Marc DiBlasi  wrote:
> You can do:
> case "$factA$factB" {
>
> }
>
> Or even better, assign them to a new variable:
>
> $concatenatedFacts = "$factA$factB"
>
> case $concatenatedFacts {
>
> }
>
> Or if it makes it cleaner for your specific implementation, you may
> want to check $factA, then have a nested if statement to check $factB.
>
> On Feb 13, 5:43 am, Stefan Wiederoder
>
>
>
>
>
>
>
>  wrote:
> > Hi group,
>
> > is it possible to AND different facts using a case?
>
> > for example: factA is "BL460c" and factB is "G6", then AND (=concat)
> > the two arguments:
>
> > case $factA.$factB: {
> >         "BL460cG1" :{ notify {"G1":}        }
> >         "BL460cG6" :{ notify {"G6":}        }
> >         "BL460cG7" :{ notify {"G7":}        }
>
> > }
>
> > thanks,
> > Stefan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Example42 MySQL puppet-module

2012-02-21 Thread Felix Frank

Hi,

On 02/10/2012 03:09 AM, Will S. G. wrote:
> Hi there,
> 
> I thought I understood how this module works, but I guess I missed
> something. Here is what I have in my nodes.pp
> 
> 
> node 'mysql' inherits default {
> include mysql
> mysql::user { "db1":
> mysql_password_hash => "db1",
> mysql_user => "db1",
> mysql_host => "%"
> }
> mysql::grant { "db1":
> mysql_privileges => "ALL",
> mysql_password => "password",
> mysql_db => "db1",
> mysql_user => "db1",
> mysql_host => "%"
> }
> }
> 
> That works perfectly. What I want to do is expand this to be able to
> setup additional users and grants. I thought adding more lines for
> mysql::user & mysql::grant to do more users.
> 
> Any suggestions how I do this? I'm at a bit of a loss how to handle
> multiple users and grants.

can you rephrase your question to make it more specific?

Obviously copy'n'paste will work to duplicate your efforts to new areas.
There are good reasons not to do this, but I'm curious what exactly you
need to do that makes you ask for better ways.

Cheers,
Felix

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Example42 MySQL puppet-module

2012-02-21 Thread Thomas Jones

mysql::grant { ["db1", "db2"]: mysql_privileges => "ALL", mysql_password =>
"password", mysql_db => "db1", mysql_user => ["db1", "db2"], mysql_host =>
"%" } }

Keep in mind this sets both users with same pw for both dbs. It would be
better to just copy n paste another grant directive and chg according to
another user.
On Feb 9, 2012 8:09 PM, "Will S. G."  wrote:

> Hi there,
>
> I thought I understood how this module works, but I guess I missed
> something. Here is what I have in my nodes.pp
>
>
> node 'mysql' inherits default {
>include mysql
>mysql::user { "db1":
>mysql_password_hash => "db1",
>mysql_user => "db1",
>mysql_host => "%"
>}
>mysql::grant { "db1":
>mysql_privileges => "ALL",
>mysql_password => "password",
>mysql_db => "db1",
>mysql_user => "db1",
>mysql_host => "%"
>}
> }
>
> That works perfectly. What I want to do is expand this to be able to
> setup additional users and grants. I thought adding more lines for
> mysql::user & mysql::grant to do more users.
>
> Any suggestions how I do this? I'm at a bit of a loss how to handle
> multiple users and grants.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Re: Cannot see node on Live Management

2012-02-21 Thread Mark B

Yes...I was able to do the mco ping and the only node that responded
was the puppet master ..not the client. Both activemq and mcollective
appear to be working.

is there a pe-users group? I thought that is what this was ?

On Feb 20, 2:58 pm, Justin Stoller  wrote:
> Have you tried su-ing to the peadmin user on the master node and trying
> `mco ping`?
>
> Live Management is basically a front end for actions the peadmin user can
> do. Dropping down to that level may let you debug the issue easier.
>
> Other things to check are that activemq is working and correctly configured
> on the master, as well as mcollective on all of your agent nodes.
>
> You may also find more users that understand your question on the pe-users
> list (I assume if you're using Live Management you're using PE)
>
>  - Justin
>
> On Mon, Feb 20, 2012 at 11:35 AM, Littman, Mark B wrote:
>
>
>
>
>
>
>
> > Yes it is in the default group. I am wondering if it is a permissions
> > issue for the puppet user account? Does that need anything special for live
> > management ?
>
> > Reminder: it shows on all other tabs on the puppet console...just not live
> > management.
>
> > -Original Message-
> > From: puppet-users@googlegroups.com [mailto:puppet-users@googlegroups.com]
> > On Behalf Of Michael Stahnke
> > Sent: Monday, February 20, 2012 2:31 PM
> > To: puppet-users@googlegroups.com
> > Subject: Re: [Puppet Users] Cannot see node on Live Management
>
> > On Mon, Feb 20, 2012 at 4:29 AM, Mark B  wrote:
> > > The node and reports show up on the dashboard but not on the live
> > > management tab.
>
> > > Does anyone have any suggestions? is this a permissions issue?
>
> > Is the node in the default group in the dashboard?  Puppet runs setup the
> > mcollective/live management bits.  The class is called pe_mcollective.
>
> > > --
> > > You received this message because you are subscribed to the Google
> > Groups "Puppet Users" group.
> > > To post to this group, send email to puppet-users@googlegroups.com.
> > > To unsubscribe from this group, send email to
> > puppet-users+unsubscr...@googlegroups.com.
> > > For more options, visit this group at
> >http://groups.google.com/group/puppet-users?hl=en.
>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Puppet Users" group.
> > To post to this group, send email to puppet-users@googlegroups.com.
> > To unsubscribe from this group, send email to
> > puppet-users+unsubscr...@googlegroups.com.
> > For more options, visit this group at
> >http://groups.google.com/group/puppet-users?hl=en.
>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Puppet Users" group.
> > To post to this group, send email to puppet-users@googlegroups.com.
> > To unsubscribe from this group, send email to
> > puppet-users+unsubscr...@googlegroups.com.
> > For more options, visit this group at
> >http://groups.google.com/group/puppet-users?hl=en.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Re: Parameterized classes override of parameter

2012-02-21 Thread jcbollinger



On Feb 20, 10:24 am, Jos Houtman  wrote:
> Hi group,
>
> I expect parameterized classes to behave simular to types in relation
> to overrides, but obviously this is not the case.
> Could someone what is should then expect from overriding an parameterized 
> class.
>
> what I have is:
>
> class dns(dns_servers) {
>   file{'/etc/resolv.conf':
>       content => template("dns/resolv.conf.erb")
>   }
>
> }
>
> class role::init {
>    class{'dns':
>      dns_servers => ['10.100.100.1']
>    }
>
> }
>
> class role::loadbalancer inherits role {
>    Class['dns'] {
>      dns_servers => ['127.0.0.1']
>    }
>
> }
>
> node loadbalancer1 {
>    include role::loadbalancer
>
> }
>
> I expected resolv.conf to have the 127.0.0.1 address, but it has the
> 10.100.100.1 address.
>
> Could someone explain to me the rules around parameterized class inheritence.


Parameterized class inheritance is just like non-parameterized class
inheritance.  In fact, it is *exactly* like non-parameterized class
inheritance, including that it provides no mechanism for the
parameters of the superclass to be set when the subclass is declared.


> And if using inheritence to override general use cases for very common
> modules is not the way, should all this logic then be put into our
> extlookup or something like hiera?


My recommendation is to use hiera for all the needs you may now be
addressing via class parameters.  You may find that that also reduces
your interest in class inheritence, but if you still want to use some
inheritence then you won't need to deal with parameterized base
classes.


John

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Re: Capture the output of exec command

2012-02-21 Thread jcbollinger

On Feb 21, 3:00 am, sateesh  wrote:
> I need to capture the output of an exec command in puppet manifest
> variable. How can I do this.

As Paul observed, what you ask is inconsistent with Puppet's manner of
operation.  How you should proceed instead depends on what you are
trying to accomplish.

A custom fact may provide what you are looking for: you can easily add
a custom fact to your system that will run a command on the node
*before* each catalog request, and provide the output as a fact
(accessible as a top-level Puppet variable).  The documentation for
custom facts (http://docs.puppetlabs.com/guides/custom_facts.html)
provides an example of exactly that.

John

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Problem with Custom Facter

2012-02-21 Thread Matt Mencel

Hi Nathan,

Excellent!  Thanks for the tip.

Matt



On Mon, Feb 20, 2012 at 5:33 PM, Matt Mencel  wrote:
> I am trying to write a custom facter for CentOS/RHEL that tells me how
many
> updates are found on a run of 'yum check-update'

Sorry I replied hastily.  After replying I thought about what you're
trying to do.  You don't need all those gyrations to get this data

Tested quickly on RHEL6 and CentOS5:

`sudo yum check-update -q`.split(/\n/).reject{|i| i == ""}.length

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Re: Problem with Custom Facter

2012-02-21 Thread jcbollinger

On Feb 20, 7:14 pm, Nathan Powell  wrote:
> On Mon, Feb 20, 2012 at 5:33 PM, Matt Mencel  wrote:
> > I am trying to write a custom facter for CentOS/RHEL that tells me how many
> > updates are found on a run of 'yum check-update'
>
> Sorry I replied hastily.  After replying I thought about what you're
> trying to do.  You don't need all those gyrations to get this data
>
> Tested quickly on RHEL6 and CentOS5:
>
> `sudo yum check-update -q`.split(/\n/).reject{|i| i == ""}.length

Alternatively,

`yum -q check-update | grep '\\w' | wc --lines`.chomp

sudo is not needed to run yum queries, and avoiding sudo when you
don't need it is good practice.  Personally, I find that command a lot
more legible than the Ruby split / reject / length business, too,
though YMMV.

Also, I think you need to set the timeout inside your setcode block,
not outside.  Only that way can you be sure that you'll have the
desired timeout when the fact actually runs.  (Otherwise, you might
get the timeout that some other fact sets.)

John

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Re: Problem with Custom Facter

2012-02-21 Thread Nathan Powell

On Tue, Feb 21, 2012 at 9:57 AM, jcbollinger  wrote:
> Alternatively,
>
> `yum -q check-update | grep '\\w' | wc --lines`.chomp

Yep, lots of ways to do it.

> sudo is not needed to run yum queries, and avoiding sudo when you
> don't need it is good practice.  Personally, I find that command a lot

Good point.  I was testing in irb as a regular user and just cut and
paste what I did into the email.  It shouldn't have sudo in there.

> more legible than the Ruby split / reject / length business, too,
> though YMMV.

I think method chaining and the functional aspects (reject) of Ruby
are elegant and use them every chance I get.  Both are fine and valid
though.


-- 
Nathan Powell
Linux System Administrator

"Where else would you rather be than right here, right now?"
~ Marv Levy

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Re: Cannot see node on Live Management

2012-02-21 Thread Kenneth Lo

In PE, pe-activemq is the server service (master need that service) and
pe-mcollective is the client service (agents).

If you don't see your agents listed in LM normally means that the
pe-mcollective service is not running on the clients.

What I've experienced with PE is that under normal turn-key config, after
your agent initially connected to the master, by default it need to wait
for another puppet run for the mcollective class (in default) to pickup
the service.

--KL

On 2/21/12 8:08 AM, "Mark B"  wrote:

>Yes...I was able to do the mco ping and the only node that responded
>was the puppet master ..not the client. Both activemq and mcollective
>appear to be working.
>
>is there a pe-users group? I thought that is what this was ?
>
>On Feb 20, 2:58 pm, Justin Stoller  wrote:
>> Have you tried su-ing to the peadmin user on the master node and trying
>> `mco ping`?
>>
>> Live Management is basically a front end for actions the peadmin user
>>can
>> do. Dropping down to that level may let you debug the issue easier.
>>
>> Other things to check are that activemq is working and correctly
>>configured
>> on the master, as well as mcollective on all of your agent nodes.
>>
>> You may also find more users that understand your question on the
>>pe-users
>> list (I assume if you're using Live Management you're using PE)
>>
>>  - Justin
>>
>> On Mon, Feb 20, 2012 at 11:35 AM, Littman, Mark B
>>wrote:
>>
>>
>>
>>
>>
>>
>>
>> > Yes it is in the default group. I am wondering if it is a permissions
>> > issue for the puppet user account? Does that need anything special
>>for live
>> > management ?
>>
>> > Reminder: it shows on all other tabs on the puppet console...just not
>>live
>> > management.
>>
>> > -Original Message-
>> > From: puppet-users@googlegroups.com
>>[mailto:puppet-users@googlegroups.com]
>> > On Behalf Of Michael Stahnke
>> > Sent: Monday, February 20, 2012 2:31 PM
>> > To: puppet-users@googlegroups.com
>> > Subject: Re: [Puppet Users] Cannot see node on Live Management
>>
>> > On Mon, Feb 20, 2012 at 4:29 AM, Mark B  wrote:
>> > > The node and reports show up on the dashboard but not on the live
>> > > management tab.
>>
>> > > Does anyone have any suggestions? is this a permissions issue?
>>
>> > Is the node in the default group in the dashboard?  Puppet runs setup
>>the
>> > mcollective/live management bits.  The class is called pe_mcollective.
>>
>> > > --
>> > > You received this message because you are subscribed to the Google
>> > Groups "Puppet Users" group.
>> > > To post to this group, send email to puppet-users@googlegroups.com.
>> > > To unsubscribe from this group, send email to
>> > puppet-users+unsubscr...@googlegroups.com.
>> > > For more options, visit this group at
>> >http://groups.google.com/group/puppet-users?hl=en.
>>
>> > --
>> > You received this message because you are subscribed to the Google
>>Groups
>> > "Puppet Users" group.
>> > To post to this group, send email to puppet-users@googlegroups.com.
>> > To unsubscribe from this group, send email to
>> > puppet-users+unsubscr...@googlegroups.com.
>> > For more options, visit this group at
>> >http://groups.google.com/group/puppet-users?hl=en.
>>
>> > --
>> > You received this message because you are subscribed to the Google
>>Groups
>> > "Puppet Users" group.
>> > To post to this group, send email to puppet-users@googlegroups.com.
>> > To unsubscribe from this group, send email to
>> > puppet-users+unsubscr...@googlegroups.com.
>> > For more options, visit this group at
>> >http://groups.google.com/group/puppet-users?hl=en.
>
>--
>You received this message because you are subscribed to the Google Groups
>"Puppet Users" group.
>To post to this group, send email to puppet-users@googlegroups.com.
>To unsubscribe from this group, send email to
>puppet-users+unsubscr...@googlegroups.com.
>For more options, visit this group at
>http://groups.google.com/group/puppet-users?hl=en.
>

This message is for the designated recipient only and may contain privileged, 
proprietary, or otherwise private information. If you have received it in 
error, please notify the sender immediately and delete the original. Any other 
use of the email by you is prohibited.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] file and user permissions on the puppet master, best practice

2012-02-21 Thread Craig White


On Feb 21, 2012, at 2:52 AM, paulS wrote:

> Hi all. New puppet developer. Very excited. I have the agents
> communicating with the puppet master.
> 
> I'm wondering now about best practice for file and user permissions on
> the puppet master. Most of my wonder probably stems from general lack
> of understanding in this area. I'd like to get it right though to
> avoid refactoring later.
> 
>   1. What's the best practice, or your practice, for directory and file
> permissions on the puppet master?
> 
>   2. What's the best practice, or your practice, for users and their
> permissions on the puppet master?
> 
> Feel free to point me to posts, articles, or chapters in books. I
> haven't found much so far on this topic; just that the  agent should
> be run as root so that it has permission to make any changes, and the
> puppetmaster can be run as non root.
> 
> Thanks for any discussion here.
> 
> Here's my setup so far.
> 
> =
> server OS and puppet versions
> =
> 
> Ubuntu 10.04.3 LTS (Lucid) on puppet master and clients/agents
> 
> puppet-master$ dpkg -l | grep puppet
> ii  facter   1.6.4-1puppetlabs1  Ruby module for
> collecting simple facts abou
> ii  puppet   2.7.9-1puppetlabs1  Centralized
> configuration management - agent
> ii  puppet-common2.7.9-1puppetlabs1  Centralized
> configuration management
> ii  puppetmaster 2.7.9-1puppetlabs1  Centralized
> configuration management - maste
> ii  puppetmaster-common  2.7.9-1puppetlabs1  Puppet master
> common scripts
> 
> puppet-agent$ dpkg -l | grep puppet
> ii  facter   1.6.4-1puppetlabs1   Ruby module for
> collecting simple facts abou
> ii  puppet   2.7.9-1puppetlabs1   Centralized
> configuration management - agent
> ii  puppet-common2.7.9-1puppetlabs1   Centralized
> configuration management
> 
> ===
> directory and file permissions on the puppet master
> ===
> 
> puppet.conf shows default 'moduledir = /etc/puppet/modules:/var/lib/
> puppet/modules:/opt/modules'
> 
> These directories are normally root:root so I've been making all
> sudirectories and files for puppet manifests, modules, and files as
> root:root.
> 
> =
> users and permissions
> =
> 
> puppet user
> 
>   upon install I have a puppet user.
> 
>   grep puppet /etc/group
>   puppet:x:113:
> 
>   grep puppet /etc/passwd
>   puppet:x:108:113:Puppet configuration management daemon,,,:/var/lib/
> puppet:/bin/false
> 
>   grep puppet /etc/group
>   puppet:x:113:
> 
>   'sudo -s su puppet' does not switch the user to puppet, so I haven't
> been doing anything as puppet.
> 
> other users
> 
>   puppetadmin to store just a couple things in /home/puppetadmin that
> don't belong in any one employees account. puppetadmin is a member of
> its own group and of the admin group
> 
>   Individual user acccounts for a few ops engineer who will need access
> to make changes to configuration files in /etc/puppet/files and /opt/
> stacks/. These users are members of their own
> group and of the admin group. They generally switch user to root to
> work on the puppet files since the files are root:root.

I think that the ownership of the files relates more to the services that use 
these files and you don't really say if you are still using webrick, apache, 
nginx to serve these files as that may have some impact.

I myself have all the files and folders owned by puppet:puppet (/etc/puppet, 
/var/lib/puppet, /var/www/foreman, /var/www/puppet-dashboard) and use nginx to 
serve forman, puppet & puppet-dashboard.

I think if you want to change to user puppet, you probably only need to 'su - 
puppet' but if /var/lib/puppet isn't owned by puppet:puppet then switching to 
user puppet is probably going to be difficult.

Also, it seems that if you have multiple users doing configuration, you 
probably should have multiple environments (ie, development & testing and not 
just a production) and also a version control system (git or subversion) and 
perhaps a separate puppet server for development & testing to avoid inflicting 
errors into running configurations.

I found the book "Pro Puppet" very useful for defining the all of these best 
practices.

Craig

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Re: Problem with Custom Facter

2012-02-21 Thread Matt Mencel

John,

The only examples I've seen of timeout have it outside the setcode block.
 Can anyone confirm it's behavior depending on whether it's inside or
outside setcode?  The docs for it are pretty thin.

Thanks,
Matt


On Tue, Feb 21, 2012 at 8:57 AM, jcbollinger wrote:

>
>
> On Feb 20, 7:14 pm, Nathan Powell  wrote:
> > On Mon, Feb 20, 2012 at 5:33 PM, Matt Mencel  wrote:
> > > I am trying to write a custom facter for CentOS/RHEL that tells me how
> many
> > > updates are found on a run of 'yum check-update'
> >
> > Sorry I replied hastily.  After replying I thought about what you're
> > trying to do.  You don't need all those gyrations to get this data
> >
> > Tested quickly on RHEL6 and CentOS5:
> >
> > `sudo yum check-update -q`.split(/\n/).reject{|i| i == ""}.length
>
>
> Alternatively,
>
> `yum -q check-update | grep '\\w' | wc --lines`.chomp
>
> sudo is not needed to run yum queries, and avoiding sudo when you
> don't need it is good practice.  Personally, I find that command a lot
> more legible than the Ruby split / reject / length business, too,
> though YMMV.
>
> Also, I think you need to set the timeout inside your setcode block,
> not outside.  Only that way can you be sure that you'll have the
> desired timeout when the fact actually runs.  (Otherwise, you might
> get the timeout that some other fact sets.)
>
>
> John
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] exec: How to logoutput => on_failure and get STDERR too?

2012-02-21 Thread Felix Frank

Hi,

On 02/14/2012 04:05 PM, Peter Valdemar Mørch wrote:
> It seems
> brittle, shell dependent, non-portable and redundant to have to put
> 2>&1 at the end of all exec commands, so I'm hoping there is a better
> way...

while I disagree as far as portability, dependability and savour are
concerned ;-) I agree that it shouldn't be needed.

I suggest you file a bug report and link it here, so that interested
parties can vote on it. Thanks!

Cheers,
Felix

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Re: Cannot see node on Live Management

2012-02-21 Thread Mark B

The pe-activemq is running on the server and the pe-mcollective is
running on the agent. The reports from the client are showing up on
the puppet console. Just not seeing the node on live management
screen. Is there a way to manually do a new puppet run to try and
force it?

On Feb 21, 10:17 am, Kenneth Lo  wrote:
> In PE, pe-activemq is the server service (master need that service) and
> pe-mcollective is the client service (agents).
>
> If you don't see your agents listed in LM normally means that the
> pe-mcollective service is not running on the clients.
>
> What I've experienced with PE is that under normal turn-key config, after
> your agent initially connected to the master, by default it need to wait
> for another puppet run for the mcollective class (in default) to pickup
> the service.
>
> --KL
>
> On 2/21/12 8:08 AM, "Mark B"  wrote:
>
>
>
>
>
>
>
>
>
> >Yes...I was able to do the mco ping and the only node that responded
> >was the puppet master ..not the client. Both activemq and mcollective
> >appear to be working.
>
> >is there a pe-users group? I thought that is what this was ?
>
> >On Feb 20, 2:58 pm, Justin Stoller  wrote:
> >> Have you tried su-ing to thepeadminuser on the master node and trying
> >> `mco ping`?
>
> >> Live Management is basically a front end for actions thepeadminuser
> >>can
> >> do. Dropping down to that level may let you debug the issue easier.
>
> >> Other things to check are that activemq is working and correctly
> >>configured
> >> on the master, as well as mcollective on all of your agent nodes.
>
> >> You may also find more users that understand your question on the
> >>pe-users
> >> list (I assume if you're using Live Management you're using PE)
>
> >>  - Justin
>
> >> On Mon, Feb 20, 2012 at 11:35 AM, Littman, Mark B
> >>wrote:
>
> >> > Yes it is in the default group. I am wondering if it is a permissions
> >> > issue for the puppet user account? Does that need anything special
> >>for live
> >> > management ?
>
> >> > Reminder: it shows on all other tabs on the puppet console...just not
> >>live
> >> > management.
>
> >> > -Original Message-
> >> > From: puppet-users@googlegroups.com
> >>[mailto:puppet-users@googlegroups.com]
> >> > On Behalf Of Michael Stahnke
> >> > Sent: Monday, February 20, 2012 2:31 PM
> >> > To: puppet-users@googlegroups.com
> >> > Subject: Re: [Puppet Users] Cannot see node on Live Management
>
> >> > On Mon, Feb 20, 2012 at 4:29 AM, Mark B  wrote:
> >> > > The node and reports show up on the dashboard but not on the live
> >> > > management tab.
>
> >> > > Does anyone have any suggestions? is this a permissions issue?
>
> >> > Is the node in the default group in the dashboard?  Puppet runs setup
> >>the
> >> > mcollective/live management bits.  The class is called pe_mcollective.
>
> >> > > --
> >> > > You received this message because you are subscribed to the Google
> >> > Groups "Puppet Users" group.
> >> > > To post to this group, send email to puppet-users@googlegroups.com.
> >> > > To unsubscribe from this group, send email to
> >> > puppet-users+unsubscr...@googlegroups.com.
> >> > > For more options, visit this group at
> >> >http://groups.google.com/group/puppet-users?hl=en.
>
> >> > --
> >> > You received this message because you are subscribed to the Google
> >>Groups
> >> > "Puppet Users" group.
> >> > To post to this group, send email to puppet-users@googlegroups.com.
> >> > To unsubscribe from this group, send email to
> >> > puppet-users+unsubscr...@googlegroups.com.
> >> > For more options, visit this group at
> >> >http://groups.google.com/group/puppet-users?hl=en.
>
> >> > --
> >> > You received this message because you are subscribed to the Google
> >>Groups
> >> > "Puppet Users" group.
> >> > To post to this group, send email to puppet-users@googlegroups.com.
> >> > To unsubscribe from this group, send email to
> >> > puppet-users+unsubscr...@googlegroups.com.
> >> > For more options, visit this group at
> >> >http://groups.google.com/group/puppet-users?hl=en.
>
> >--
> >You received this message because you are subscribed to the Google Groups
> >"Puppet Users" group.
> >To post to this group, send email to puppet-users@googlegroups.com.
> >To unsubscribe from this group, send email to
> >puppet-users+unsubscr...@googlegroups.com.
> >For more options, visit this group at
> >http://groups.google.com/group/puppet-users?hl=en.
>
> This message is for the designated recipient only and may contain privileged, 
> proprietary, or otherwise private information. If you have received it in 
> error, please notify the sender immediately and delete the original. Any 
> other use of the email by you is prohibited.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://group

[Puppet Users] mcollective plugin question

2012-02-21 Thread Kenneth Lo

We've been using mcollective primarily for coordinate service restart across 
nodes as well as facts-finding, which are all well and good.

One thing we would like to utilize this tool is to create an arbitrary shell 
command plugins/services so our master can really act as a command center.

I spoke with a couple folks and know that this is just as a matter of writing 
the plugin itself, but I'm wondering if folks here already have a solution for 
it or if you have any pointers we can check.  :)

Thx in advance.

--KL

This message is for the designated recipient only and may contain privileged, 
proprietary, or otherwise private information. If you have received it in 
error, please notify the sender immediately and delete the original. Any other 
use of the email by you is prohibited.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Re: Triggering an action on "ensure: removed"

2012-02-21 Thread jcbollinger

On Feb 20, 5:05 pm, James  wrote:
> Dear Puppet,
>
> I wish to run an Exec when a puppet define is removed.

It is always a bad idea for Puppet manifests to try to employ
introspective logic, basing decisions or actions on a dynamic
determination of whether a certain class or resource is declared for
the target node.  The approach you attempt to take is more benign than
many, being mediated as it is by the target filesystem, but it still
has a bad smell.

> The define puts
> a file in /tmp/foobar/${name}. When the define is no longer there, the
> purge does an ensure => removed, and the file gets deleted. I've also
> been able to make this work with Tidy[] instead of purge.
>
> eg:
>         file { '/tmp/foobar/':
>                 ensure => directory,         # make sure this is a directory
>                 recurse => true,             # recursively manage directory
>                 purge => true,                       # purge all unmanaged 
> files
>                 force => true,                       # also purge subdirs and 
> links
>                 owner => root, group => nobody, mode => 600, backup => false,
>         }
>
> The problem:
> including a notify => Exec['whatever'] does not work. Either this is a
> bug, and/or perhaps someone could suggest a workaround.

According to me, if that File resource were set to notify your Exec
(or if the Exec subscribed to the File), then the Exec should be
signaled if the File purges any files.  So, given

exec { 'example':
  command => '/bin/echo purged files >> /tmp/purges',
  refreshonly => true,
}

file { '/tmp/foobar/':
  ensure => directory,
  recurse => true,
  purge => true,
  force => true,
  notify => Exec['example']
}

you should see a new line added to file /tmp/purges on every run in
which Puppet purges any files from /tmp/foobar/ (or when /tmp/foobar/
is modified in any other way, but that's irrelevant).  If you do not
see that then I'd call it a bug.  In fact, it could be a manifestation
of http://projects.puppetlabs.com/issues/5414, though the description
and discussion seem to indicate otherwise.

Now back to code smell: what if a file were dropped into /tmp/foobar/
by some means other than Puppet?  Would you still want your Exec to
run when that file was purged?  If so, then your code isn't smelly,
but your initial problem description was inaccurate.

On the other hand, if you really want the Exec to run only when a
previously managed file is removed, then your whole approach is
flawed.  Instead of removing files from management, thereby allowing
them to be purged, you should actively manage them absent.  That could
look something like this:

exec { 'example':
  command => '/bin/echo removed files >> /tmp/removals',
  refreshonly => true,
}

define foobar_file($ensure => 'present') {
  case $ensure {
'present': {
  file { "/tmp/foobar/${name}": ensure => 'present' }
}
'absent': {
  file { "/tmp/foobar/${name}":
ensure => 'absent',
notify => Exec['example']
  }
}
default: { fail("invalid ensure parameter: '${ensure}'") }
  }
}

node default {
  foobar_file { "wanted": }
  foobar_file { "unwanted": ensure => 'absent' }
}

John

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Re: Cannot see node on Live Management

2012-02-21 Thread Kenneth Lo

Just try restart the mcollective service on the agent and check if you see
any error there.

You should also check if there are anything in-between your agent and
master that's blocking traffic. Mcollective traffic goes from agent to the
master, not the other way around.

--KL

On 2/21/12 10:46 AM, "Mark B"  wrote:

>The pe-activemq is running on the server and the pe-mcollective is
>running on the agent. The reports from the client are showing up on
>the puppet console. Just not seeing the node on live management
>screen. Is there a way to manually do a new puppet run to try and
>force it?
>
>On Feb 21, 10:17 am, Kenneth Lo  wrote:
>> In PE, pe-activemq is the server service (master need that service) and
>> pe-mcollective is the client service (agents).
>>
>> If you don't see your agents listed in LM normally means that the
>> pe-mcollective service is not running on the clients.
>>
>> What I've experienced with PE is that under normal turn-key config,
>>after
>> your agent initially connected to the master, by default it need to wait
>> for another puppet run for the mcollective class (in default) to pickup
>> the service.
>>
>> --KL
>>
>> On 2/21/12 8:08 AM, "Mark B"  wrote:
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> >Yes...I was able to do the mco ping and the only node that responded
>> >was the puppet master ..not the client. Both activemq and mcollective
>> >appear to be working.
>>
>> >is there a pe-users group? I thought that is what this was ?
>>
>> >On Feb 20, 2:58 pm, Justin Stoller  wrote:
>> >> Have you tried su-ing to thepeadminuser on the master node and trying
>> >> `mco ping`?
>>
>> >> Live Management is basically a front end for actions thepeadminuser
>> >>can
>> >> do. Dropping down to that level may let you debug the issue easier.
>>
>> >> Other things to check are that activemq is working and correctly
>> >>configured
>> >> on the master, as well as mcollective on all of your agent nodes.
>>
>> >> You may also find more users that understand your question on the
>> >>pe-users
>> >> list (I assume if you're using Live Management you're using PE)
>>
>> >>  - Justin
>>
>> >> On Mon, Feb 20, 2012 at 11:35 AM, Littman, Mark B
>> >>wrote:
>>
>> >> > Yes it is in the default group. I am wondering if it is a
>>permissions
>> >> > issue for the puppet user account? Does that need anything special
>> >>for live
>> >> > management ?
>>
>> >> > Reminder: it shows on all other tabs on the puppet console...just
>>not
>> >>live
>> >> > management.
>>
>> >> > -Original Message-
>> >> > From: puppet-users@googlegroups.com
>> >>[mailto:puppet-users@googlegroups.com]
>> >> > On Behalf Of Michael Stahnke
>> >> > Sent: Monday, February 20, 2012 2:31 PM
>> >> > To: puppet-users@googlegroups.com
>> >> > Subject: Re: [Puppet Users] Cannot see node on Live Management
>>
>> >> > On Mon, Feb 20, 2012 at 4:29 AM, Mark B 
>>wrote:
>> >> > > The node and reports show up on the dashboard but not on the live
>> >> > > management tab.
>>
>> >> > > Does anyone have any suggestions? is this a permissions issue?
>>
>> >> > Is the node in the default group in the dashboard?  Puppet runs
>>setup
>> >>the
>> >> > mcollective/live management bits.  The class is called
>>pe_mcollective.
>>
>> >> > > --
>> >> > > You received this message because you are subscribed to the
>>Google
>> >> > Groups "Puppet Users" group.
>> >> > > To post to this group, send email to
>>puppet-users@googlegroups.com.
>> >> > > To unsubscribe from this group, send email to
>> >> > puppet-users+unsubscr...@googlegroups.com.
>> >> > > For more options, visit this group at
>> >> >http://groups.google.com/group/puppet-users?hl=en.
>>
>> >> > --
>> >> > You received this message because you are subscribed to the Google
>> >>Groups
>> >> > "Puppet Users" group.
>> >> > To post to this group, send email to puppet-users@googlegroups.com.
>> >> > To unsubscribe from this group, send email to
>> >> > puppet-users+unsubscr...@googlegroups.com.
>> >> > For more options, visit this group at
>> >> >http://groups.google.com/group/puppet-users?hl=en.
>>
>> >> > --
>> >> > You received this message because you are subscribed to the Google
>> >>Groups
>> >> > "Puppet Users" group.
>> >> > To post to this group, send email to puppet-users@googlegroups.com.
>> >> > To unsubscribe from this group, send email to
>> >> > puppet-users+unsubscr...@googlegroups.com.
>> >> > For more options, visit this group at
>> >> >http://groups.google.com/group/puppet-users?hl=en.
>>
>> >--
>> >You received this message because you are subscribed to the Google
>>Groups
>> >"Puppet Users" group.
>> >To post to this group, send email to puppet-users@googlegroups.com.
>> >To unsubscribe from this group, send email to
>> >puppet-users+unsubscr...@googlegroups.com.
>> >For more options, visit this group at
>> >http://groups.google.com/group/puppet-users?hl=en.
>>
>> This message is for the designated recipient only and may contain
>>privileged, proprietary, or otherwise private information. If y

[Puppet Users] Re: Cannot see node on Live Management

2012-02-21 Thread Mark B

I restarted the mcollective and I see the following in the logs:

I, [2012-02-21T11:18:13.485565 #13326]  INFO -- : stomp.rb:79:in
`on_connectfail' Connction to stomp://mcollect...@puppett..xxx.xxx:61613
failed on attempt 11


On Feb 21, 11:12 am, Kenneth Lo  wrote:
> Just try restart the mcollective service on the agent and check if you see
> any error there.
>
> You should also check if there are anything in-between your agent and
> master that's blocking traffic. Mcollective traffic goes from agent to the
> master, not the other way around.
>
> --KL
>
> On 2/21/12 10:46 AM, "Mark B"  wrote:
>
>
>
>
>
>
>
>
>
> >The pe-activemq is running on the server and the pe-mcollective is
> >running on the agent. The reports from the client are showing up on
> >the puppet console. Just not seeing the node on live management
> >screen. Is there a way to manually do a new puppet run to try and
> >force it?
>
> >On Feb 21, 10:17 am, Kenneth Lo  wrote:
> >> In PE, pe-activemq is the server service (master need that service) and
> >> pe-mcollective is the client service (agents).
>
> >> If you don't see your agents listed in LM normally means that the
> >> pe-mcollective service is not running on the clients.
>
> >> What I've experienced with PE is that under normal turn-key config,
> >>after
> >> your agent initially connected to the master, by default it need to wait
> >> for another puppet run for the mcollective class (in default) to pickup
> >> the service.
>
> >> --KL
>
> >> On 2/21/12 8:08 AM, "Mark B"  wrote:
>
> >> >Yes...I was able to do the mco ping and the only node that responded
> >> >was the puppet master ..not the client. Both activemq and mcollective
> >> >appear to be working.
>
> >> >is there a pe-users group? I thought that is what this was ?
>
> >> >On Feb 20, 2:58 pm, Justin Stoller  wrote:
> >> >> Have you tried su-ing to thepeadminuser on the master node and trying
> >> >> `mco ping`?
>
> >> >> Live Management is basically a front end for actions thepeadminuser
> >> >>can
> >> >> do. Dropping down to that level may let you debug the issue easier.
>
> >> >> Other things to check are that activemq is working and correctly
> >> >>configured
> >> >> on the master, as well as mcollective on all of your agent nodes.
>
> >> >> You may also find more users that understand your question on the
> >> >>pe-users
> >> >> list (I assume if you're using Live Management you're using PE)
>
> >> >>  - Justin
>
> >> >> On Mon, Feb 20, 2012 at 11:35 AM, Littman, Mark B
> >> >>wrote:
>
> >> >> > Yes it is in the default group. I am wondering if it is a
> >>permissions
> >> >> > issue for the puppet user account? Does that need anything special
> >> >>for live
> >> >> > management ?
>
> >> >> > Reminder: it shows on all other tabs on the puppet console...just
> >>not
> >> >>live
> >> >> > management.
>
> >> >> > -Original Message-
> >> >> > From: puppet-users@googlegroups.com
> >> >>[mailto:puppet-users@googlegroups.com]
> >> >> > On Behalf Of Michael Stahnke
> >> >> > Sent: Monday, February 20, 2012 2:31 PM
> >> >> > To: puppet-users@googlegroups.com
> >> >> > Subject: Re: [Puppet Users] Cannot see node on Live Management
>
> >> >> > On Mon, Feb 20, 2012 at 4:29 AM, Mark B 
> >>wrote:
> >> >> > > The node and reports show up on the dashboard but not on the live
> >> >> > > management tab.
>
> >> >> > > Does anyone have any suggestions? is this a permissions issue?
>
> >> >> > Is the node in the default group in the dashboard?  Puppet runs
> >>setup
> >> >>the
> >> >> > mcollective/live management bits.  The class is called
> >>pe_mcollective.
>
> >> >> > > --
> >> >> > > You received this message because you are subscribed to the
> >>Google
> >> >> > Groups "Puppet Users" group.
> >> >> > > To post to this group, send email to
> >>puppet-users@googlegroups.com.
> >> >> > > To unsubscribe from this group, send email to
> >> >> > puppet-users+unsubscr...@googlegroups.com.
> >> >> > > For more options, visit this group at
> >> >> >http://groups.google.com/group/puppet-users?hl=en.
>
> >> >> > --
> >> >> > You received this message because you are subscribed to the Google
> >> >>Groups
> >> >> > "Puppet Users" group.
> >> >> > To post to this group, send email to puppet-users@googlegroups.com.
> >> >> > To unsubscribe from this group, send email to
> >> >> > puppet-users+unsubscr...@googlegroups.com.
> >> >> > For more options, visit this group at
> >> >> >http://groups.google.com/group/puppet-users?hl=en.
>
> >> >> > --
> >> >> > You received this message because you are subscribed to the Google
> >> >>Groups
> >> >> > "Puppet Users" group.
> >> >> > To post to this group, send email to puppet-users@googlegroups.com.
> >> >> > To unsubscribe from this group, send email to
> >> >> > puppet-users+unsubscr...@googlegroups.com.
> >> >> > For more options, visit this group at
> >> >> >http://groups.google.com/group/puppet-users?hl=en.
>
> >> >--
> >> >You received this message because you are subscribed to the Go

Re: [Puppet Users] Re: Cannot see node on Live Management

2012-02-21 Thread Gary Larizza

On Tue, Feb 21, 2012 at 8:21 AM, Mark B  wrote:

> I restarted the mcollective and I see the following in the logs:
>
> I, [2012-02-21T11:18:13.485565 #13326]  INFO -- : stomp.rb:79:in
> `on_connectfail' Connction to stomp://mcollect...@puppett..xxx.xxx
> :61613
> failed on attempt 11
>

Note puppett (with two t's) - is that intentional?  Can you ping that
address?  Firewall rules possibly?




>
>
> On Feb 21, 11:12 am, Kenneth Lo  wrote:
> > Just try restart the mcollective service on the agent and check if you
> see
> > any error there.
> >
> > You should also check if there are anything in-between your agent and
> > master that's blocking traffic. Mcollective traffic goes from agent to
> the
> > master, not the other way around.
> >
> > --KL
> >
> > On 2/21/12 10:46 AM, "Mark B"  wrote:
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > >The pe-activemq is running on the server and the pe-mcollective is
> > >running on the agent. The reports from the client are showing up on
> > >the puppet console. Just not seeing the node on live management
> > >screen. Is there a way to manually do a new puppet run to try and
> > >force it?
> >
> > >On Feb 21, 10:17 am, Kenneth Lo  wrote:
> > >> In PE, pe-activemq is the server service (master need that service)
> and
> > >> pe-mcollective is the client service (agents).
> >
> > >> If you don't see your agents listed in LM normally means that the
> > >> pe-mcollective service is not running on the clients.
> >
> > >> What I've experienced with PE is that under normal turn-key config,
> > >>after
> > >> your agent initially connected to the master, by default it need to
> wait
> > >> for another puppet run for the mcollective class (in default) to
> pickup
> > >> the service.
> >
> > >> --KL
> >
> > >> On 2/21/12 8:08 AM, "Mark B"  wrote:
> >
> > >> >Yes...I was able to do the mco ping and the only node that responded
> > >> >was the puppet master ..not the client. Both activemq and mcollective
> > >> >appear to be working.
> >
> > >> >is there a pe-users group? I thought that is what this was ?
> >
> > >> >On Feb 20, 2:58 pm, Justin Stoller  wrote:
> > >> >> Have you tried su-ing to thepeadminuser on the master node and
> trying
> > >> >> `mco ping`?
> >
> > >> >> Live Management is basically a front end for actions thepeadminuser
> > >> >>can
> > >> >> do. Dropping down to that level may let you debug the issue easier.
> >
> > >> >> Other things to check are that activemq is working and correctly
> > >> >>configured
> > >> >> on the master, as well as mcollective on all of your agent nodes.
> >
> > >> >> You may also find more users that understand your question on the
> > >> >>pe-users
> > >> >> list (I assume if you're using Live Management you're using PE)
> >
> > >> >>  - Justin
> >
> > >> >> On Mon, Feb 20, 2012 at 11:35 AM, Littman, Mark B
> > >> >>wrote:
> >
> > >> >> > Yes it is in the default group. I am wondering if it is a
> > >>permissions
> > >> >> > issue for the puppet user account? Does that need anything
> special
> > >> >>for live
> > >> >> > management ?
> >
> > >> >> > Reminder: it shows on all other tabs on the puppet console...just
> > >>not
> > >> >>live
> > >> >> > management.
> >
> > >> >> > -Original Message-
> > >> >> > From: puppet-users@googlegroups.com
> > >> >>[mailto:puppet-users@googlegroups.com]
> > >> >> > On Behalf Of Michael Stahnke
> > >> >> > Sent: Monday, February 20, 2012 2:31 PM
> > >> >> > To: puppet-users@googlegroups.com
> > >> >> > Subject: Re: [Puppet Users] Cannot see node on Live Management
> >
> > >> >> > On Mon, Feb 20, 2012 at 4:29 AM, Mark B 
> > >>wrote:
> > >> >> > > The node and reports show up on the dashboard but not on the
> live
> > >> >> > > management tab.
> >
> > >> >> > > Does anyone have any suggestions? is this a permissions issue?
> >
> > >> >> > Is the node in the default group in the dashboard?  Puppet runs
> > >>setup
> > >> >>the
> > >> >> > mcollective/live management bits.  The class is called
> > >>pe_mcollective.
> >
> > >> >> > > --
> > >> >> > > You received this message because you are subscribed to the
> > >>Google
> > >> >> > Groups "Puppet Users" group.
> > >> >> > > To post to this group, send email to
> > >>puppet-users@googlegroups.com.
> > >> >> > > To unsubscribe from this group, send email to
> > >> >> > puppet-users+unsubscr...@googlegroups.com.
> > >> >> > > For more options, visit this group at
> > >> >> >http://groups.google.com/group/puppet-users?hl=en.
> >
> > >> >> > --
> > >> >> > You received this message because you are subscribed to the
> Google
> > >> >>Groups
> > >> >> > "Puppet Users" group.
> > >> >> > To post to this group, send email to
> puppet-users@googlegroups.com.
> > >> >> > To unsubscribe from this group, send email to
> > >> >> > puppet-users+unsubscr...@googlegroups.com.
> > >> >> > For more options, visit this group at
> > >> >> >http://groups.google.com/group/puppet-users?hl=en.
> >
> > >> >> > --
> > >> >> > You received this message because you are

[Puppet Users] Re: Problem with Custom Facter

2012-02-21 Thread jcbollinger

On Feb 21, 9:21 am, Matt Mencel  wrote:

> The only examples I've seen of timeout have it outside the setcode block.
>  Can anyone confirm it's behavior depending on whether it's inside or
> outside setcode?  The docs for it are pretty thin.

I can tell you this for sure:

1) the contents of the outer block are executed at the time the fact
is installed into Facter, but the contents of the setcode block are
not executed until later

2) the contents of the setcode block are executed in a scope that has
the same access to the (same) timeout variable that contents of the
outer block has

On the other hand, I think I do have to retract my original assertion
(my apologies).  It looks like this variable is specific to each
resolution of each fact, and moreover that it should appear outside
the setcode block to be effective.

As far as I can tell from reading the source code, it makes sense to
put these things (and only these) into the outer block of a custom
fact definition:

1) invocations of the confine method (optional)
2) setting the value of the timeout variable (optional)
3) invoking the setcode method (required)

Timeouts are implemented, by the way, by passing the value of the
timeout variable as the argument to Ruby's Timeout.timeout() to
control the execution of the setcode block (when it is executed).  The
default timeout is 0, which I guess lets the block run forever if it
is inclined to do so.

John

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Re: Problem with Custom Facter

2012-02-21 Thread Matt Mencel

Awesomethank you!

On Tue, Feb 21, 2012 at 10:48 AM, jcbollinger wrote:

>
>
> On Feb 21, 9:21 am, Matt Mencel  wrote:
>
> > The only examples I've seen of timeout have it outside the setcode block.
> >  Can anyone confirm it's behavior depending on whether it's inside or
> > outside setcode?  The docs for it are pretty thin.
>
>
> I can tell you this for sure:
>
> 1) the contents of the outer block are executed at the time the fact
> is installed into Facter, but the contents of the setcode block are
> not executed until later
>
> 2) the contents of the setcode block are executed in a scope that has
> the same access to the (same) timeout variable that contents of the
> outer block has
>
> On the other hand, I think I do have to retract my original assertion
> (my apologies).  It looks like this variable is specific to each
> resolution of each fact, and moreover that it should appear outside
> the setcode block to be effective.
>
> As far as I can tell from reading the source code, it makes sense to
> put these things (and only these) into the outer block of a custom
> fact definition:
>
> 1) invocations of the confine method (optional)
> 2) setting the value of the timeout variable (optional)
> 3) invoking the setcode method (required)
>
> Timeouts are implemented, by the way, by passing the value of the
> timeout variable as the argument to Ruby's Timeout.timeout() to
> control the execution of the setcode block (when it is executed).  The
> default timeout is 0, which I guess lets the block run forever if it
> is inclined to do so.
>
>
> John
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Re: Cannot see node on Live Management

2012-02-21 Thread Mark B

Yes...since this is out puppet test server we call it puppett

On Feb 21, 11:36 am, Gary Larizza  wrote:
> On Tue, Feb 21, 2012 at 8:21 AM, Mark B  wrote:
> > I restarted the mcollective and I see the following in the logs:
>
> > I, [2012-02-21T11:18:13.485565 #13326]  INFO -- : stomp.rb:79:in
> > `on_connectfail' Connction to stomp://mcollect...@puppett..xxx.xxx
> > :61613
> > failed on attempt 11
>
> Note puppett (with two t's) - is that intentional?  Can you ping that
> address?  Firewall rules possibly?
>
>
>
>
>
>
>
>
>
>
>
> > On Feb 21, 11:12 am, Kenneth Lo  wrote:
> > > Just try restart the mcollective service on the agent and check if you
> > see
> > > any error there.
>
> > > You should also check if there are anything in-between your agent and
> > > master that's blocking traffic. Mcollective traffic goes from agent to
> > the
> > > master, not the other way around.
>
> > > --KL
>
> > > On 2/21/12 10:46 AM, "Mark B"  wrote:
>
> > > >The pe-activemq is running on the server and the pe-mcollective is
> > > >running on the agent. The reports from the client are showing up on
> > > >the puppet console. Just not seeing the node on live management
> > > >screen. Is there a way to manually do a new puppet run to try and
> > > >force it?
>
> > > >On Feb 21, 10:17 am, Kenneth Lo  wrote:
> > > >> In PE, pe-activemq is the server service (master need that service)
> > and
> > > >> pe-mcollective is the client service (agents).
>
> > > >> If you don't see your agents listed in LM normally means that the
> > > >> pe-mcollective service is not running on the clients.
>
> > > >> What I've experienced with PE is that under normal turn-key config,
> > > >>after
> > > >> your agent initially connected to the master, by default it need to
> > wait
> > > >> for another puppet run for the mcollective class (in default) to
> > pickup
> > > >> the service.
>
> > > >> --KL
>
> > > >> On 2/21/12 8:08 AM, "Mark B"  wrote:
>
> > > >> >Yes...I was able to do the mco ping and the only node that responded
> > > >> >was the puppet master ..not the client. Both activemq and mcollective
> > > >> >appear to be working.
>
> > > >> >is there a pe-users group? I thought that is what this was ?
>
> > > >> >On Feb 20, 2:58 pm, Justin Stoller  wrote:
> > > >> >> Have you tried su-ing to thepeadminuser on the master node and
> > trying
> > > >> >> `mco ping`?
>
> > > >> >> Live Management is basically a front end for actions thepeadminuser
> > > >> >>can
> > > >> >> do. Dropping down to that level may let you debug the issue easier.
>
> > > >> >> Other things to check are that activemq is working and correctly
> > > >> >>configured
> > > >> >> on the master, as well as mcollective on all of your agent nodes.
>
> > > >> >> You may also find more users that understand your question on the
> > > >> >>pe-users
> > > >> >> list (I assume if you're using Live Management you're using PE)
>
> > > >> >>  - Justin
>
> > > >> >> On Mon, Feb 20, 2012 at 11:35 AM, Littman, Mark B
> > > >> >>wrote:
>
> > > >> >> > Yes it is in the default group. I am wondering if it is a
> > > >>permissions
> > > >> >> > issue for the puppet user account? Does that need anything
> > special
> > > >> >>for live
> > > >> >> > management ?
>
> > > >> >> > Reminder: it shows on all other tabs on the puppet console...just
> > > >>not
> > > >> >>live
> > > >> >> > management.
>
> > > >> >> > -Original Message-
> > > >> >> > From: puppet-users@googlegroups.com
> > > >> >>[mailto:puppet-users@googlegroups.com]
> > > >> >> > On Behalf Of Michael Stahnke
> > > >> >> > Sent: Monday, February 20, 2012 2:31 PM
> > > >> >> > To: puppet-users@googlegroups.com
> > > >> >> > Subject: Re: [Puppet Users] Cannot see node on Live Management
>
> > > >> >> > On Mon, Feb 20, 2012 at 4:29 AM, Mark B 
> > > >>wrote:
> > > >> >> > > The node and reports show up on the dashboard but not on the
> > live
> > > >> >> > > management tab.
>
> > > >> >> > > Does anyone have any suggestions? is this a permissions issue?
>
> > > >> >> > Is the node in the default group in the dashboard?  Puppet runs
> > > >>setup
> > > >> >>the
> > > >> >> > mcollective/live management bits.  The class is called
> > > >>pe_mcollective.
>
> > > >> >> > > --
> > > >> >> > > You received this message because you are subscribed to the
> > > >>Google
> > > >> >> > Groups "Puppet Users" group.
> > > >> >> > > To post to this group, send email to
> > > >>puppet-users@googlegroups.com.
> > > >> >> > > To unsubscribe from this group, send email to
> > > >> >> > puppet-users+unsubscr...@googlegroups.com.
> > > >> >> > > For more options, visit this group at
> > > >> >> >http://groups.google.com/group/puppet-users?hl=en.
>
> > > >> >> > --
> > > >> >> > You received this message because you are subscribed to the
> > Google
> > > >> >>Groups
> > > >> >> > "Puppet Users" group.
> > > >> >> > To post to this group, send email to
> > puppet-users@googlegroups.com.
> > > >> >> > To unsubscribe from this group, send email

[Puppet Users] Re: file and user permissions on the puppet master, best practice

2012-02-21 Thread paulS

(By the way, I should have referred to myself as a new Puppet _user_.
I certainly didn't mean to imply that I'm a developer of Puppet open
source software. I'm obviously not up to that challenge.)

Thanks a lot, Craig.

I'm using Webrick now, and will move to Apache before release to
production. I did see the chapter 4 in Pro Puppet, Turnbull, on making
the puppet master scalable. I also have "Pulling strings with Puppet,"
Turbull, and have ordered "Puppet 2.7 Cookbook," Arundel.

It sounds like you're suggesting a good practice is for users to su to
the puppet user and do their work as puppet. That's what I've read and
that's why it's bugging me that I can't seem to switch to the puppet
user.

I'll  be the primary developer of modules, manifests, etc, with a
backup person. Also a few other ops people would make changes to
configuration files that get served out as updates to the clients.

I get the part about separate environments and puppet masters for dev
and test. Thanks for that. I need to read and understand about
environments.

As I mentioned, I'm having trouble switching to the puppet user. Maybe
this is an Ubuntu sys admin question, but it pertains specifically to
the puppet user. The user is set up during install. I installed from
the following debians:

facter_1.6.4-1puppetlabs1_all.deb
puppet_2.7.9-1puppetlabs1_all.deb
puppet-common_2.7.9-1puppetlabs1_all.deb
puppet-dashboard_1.2.4-1puppetlabs1_all.deb
puppetmaster_2.7.9-1puppetlabs1_all.deb
puppetmaster-common_2.7.9-1puppetlabs1_all.deb

# sam (not the real user name) has admin rights.
# the password required here isn't the one for sam and I don't have a
password for puppet since it was set up during install.

sam@puppetmaster:~$ su - puppet
Password:

adding 'puppet ALL=(ALL) NOPASSWD:ALL' to the sudoers file didn't
help. 'su - puppet' still wants a password.

sudo password puppet # lets me create a password for puppet

The command line now accepts 'su - puppet' with the password for
puppet, but the prompt still says 'sam@puppetmaster:~$' and puppet
won't create a subdirectory from a directory owned by puppet:puppet.
Also I still have admin rights form the command line. I don't think
switch user to puppet is actually occurring.

The command line accepts 'sudo su - puppet' without a password, but
same behavior as immediately above.

I could blow away the puppet user and re-create it as a member of
puppet group and not of admin. Does that seem like a good idea? I'm
curious about the nature of the puppet user that's created during
install, and whether I'm losing anything important if I blow it away
and recreate with:

sudo useradd puppet --create-home --user-group --shell /bin/bash

Thanks for any help,

Paul

On Feb 21, 7:19 am, Craig White  wrote:
> On Feb 21, 2012, at 2:52 AM, paulS wrote:
>
>
>
>
>
>
>
>
>
> > Hi all. New puppet developer. Very excited. I have the agents
> > communicating with the puppet master.
>
> > I'm wondering now about best practice for file and user permissions on
> > the puppet master. Most of my wonder probably stems from general lack
> > of understanding in this area. I'd like to get it right though to
> > avoid refactoring later.
>
> >    1. What's the best practice, or your practice, for directory and file
> > permissions on the puppet master?
>
> >    2. What's the best practice, or your practice, for users and their
> > permissions on the puppet master?
>
> > Feel free to point me to posts, articles, or chapters in books. I
> > haven't found much so far on this topic; just that the  agent should
> > be run as root so that it has permission to make any changes, and the
> > puppetmaster can be run as non root.
>
> > Thanks for any discussion here.
>
> > Here's my setup so far.
>
> > =
> > server OS and puppet versions
> > =
>
> > Ubuntu 10.04.3 LTS (Lucid) on puppet master and clients/agents
>
> > puppet-master$ dpkg -l | grep puppet
> > ii  facter                   1.6.4-1puppetlabs1      Ruby module for
> > collecting simple facts abou
> > ii  puppet                   2.7.9-1puppetlabs1      Centralized
> > configuration management - agent
> > ii  puppet-common            2.7.9-1puppetlabs1      Centralized
> > configuration management
> > ii  puppetmaster             2.7.9-1puppetlabs1      Centralized
> > configuration management - maste
> > ii  puppetmaster-common      2.7.9-1puppetlabs1      Puppet master
> > common scripts
>
> > puppet-agent$ dpkg -l | grep puppet
> > ii  facter               1.6.4-1puppetlabs1       Ruby module for
> > collecting simple facts abou
> > ii  puppet               2.7.9-1puppetlabs1       Centralized
> > configuration management - agent
> > ii  puppet-common        2.7.9-1puppetlabs1       Centralized
> > configuration management
>
> > ===
> > directory and file permissions on the puppet master
> >

[Puppet Users] Re: Cannot see node on Live Management

2012-02-21 Thread Mark B

BTW...yes I can ping it from the client and the 3 ports are open

On Feb 21, 11:36 am, Gary Larizza  wrote:
> On Tue, Feb 21, 2012 at 8:21 AM, Mark B  wrote:
> > I restarted the mcollective and I see the following in the logs:
>
> > I, [2012-02-21T11:18:13.485565 #13326]  INFO -- : stomp.rb:79:in
> > `on_connectfail' Connction to stomp://mcollect...@puppett..xxx.xxx
> > :61613
> > failed on attempt 11
>
> Note puppett (with two t's) - is that intentional?  Can you ping that
> address?  Firewall rules possibly?
>
>
>
>
>
>
>
>
>
>
>
> > On Feb 21, 11:12 am, Kenneth Lo  wrote:
> > > Just try restart the mcollective service on the agent and check if you
> > see
> > > any error there.
>
> > > You should also check if there are anything in-between your agent and
> > > master that's blocking traffic. Mcollective traffic goes from agent to
> > the
> > > master, not the other way around.
>
> > > --KL
>
> > > On 2/21/12 10:46 AM, "Mark B"  wrote:
>
> > > >The pe-activemq is running on the server and the pe-mcollective is
> > > >running on the agent. The reports from the client are showing up on
> > > >the puppet console. Just not seeing the node on live management
> > > >screen. Is there a way to manually do a new puppet run to try and
> > > >force it?
>
> > > >On Feb 21, 10:17 am, Kenneth Lo  wrote:
> > > >> In PE, pe-activemq is the server service (master need that service)
> > and
> > > >> pe-mcollective is the client service (agents).
>
> > > >> If you don't see your agents listed in LM normally means that the
> > > >> pe-mcollective service is not running on the clients.
>
> > > >> What I've experienced with PE is that under normal turn-key config,
> > > >>after
> > > >> your agent initially connected to the master, by default it need to
> > wait
> > > >> for another puppet run for the mcollective class (in default) to
> > pickup
> > > >> the service.
>
> > > >> --KL
>
> > > >> On 2/21/12 8:08 AM, "Mark B"  wrote:
>
> > > >> >Yes...I was able to do the mco ping and the only node that responded
> > > >> >was the puppet master ..not the client. Both activemq and mcollective
> > > >> >appear to be working.
>
> > > >> >is there a pe-users group? I thought that is what this was ?
>
> > > >> >On Feb 20, 2:58 pm, Justin Stoller  wrote:
> > > >> >> Have you tried su-ing to thepeadminuser on the master node and
> > trying
> > > >> >> `mco ping`?
>
> > > >> >> Live Management is basically a front end for actions thepeadminuser
> > > >> >>can
> > > >> >> do. Dropping down to that level may let you debug the issue easier.
>
> > > >> >> Other things to check are that activemq is working and correctly
> > > >> >>configured
> > > >> >> on the master, as well as mcollective on all of your agent nodes.
>
> > > >> >> You may also find more users that understand your question on the
> > > >> >>pe-users
> > > >> >> list (I assume if you're using Live Management you're using PE)
>
> > > >> >>  - Justin
>
> > > >> >> On Mon, Feb 20, 2012 at 11:35 AM, Littman, Mark B
> > > >> >>wrote:
>
> > > >> >> > Yes it is in the default group. I am wondering if it is a
> > > >>permissions
> > > >> >> > issue for the puppet user account? Does that need anything
> > special
> > > >> >>for live
> > > >> >> > management ?
>
> > > >> >> > Reminder: it shows on all other tabs on the puppet console...just
> > > >>not
> > > >> >>live
> > > >> >> > management.
>
> > > >> >> > -Original Message-
> > > >> >> > From: puppet-users@googlegroups.com
> > > >> >>[mailto:puppet-users@googlegroups.com]
> > > >> >> > On Behalf Of Michael Stahnke
> > > >> >> > Sent: Monday, February 20, 2012 2:31 PM
> > > >> >> > To: puppet-users@googlegroups.com
> > > >> >> > Subject: Re: [Puppet Users] Cannot see node on Live Management
>
> > > >> >> > On Mon, Feb 20, 2012 at 4:29 AM, Mark B 
> > > >>wrote:
> > > >> >> > > The node and reports show up on the dashboard but not on the
> > live
> > > >> >> > > management tab.
>
> > > >> >> > > Does anyone have any suggestions? is this a permissions issue?
>
> > > >> >> > Is the node in the default group in the dashboard?  Puppet runs
> > > >>setup
> > > >> >>the
> > > >> >> > mcollective/live management bits.  The class is called
> > > >>pe_mcollective.
>
> > > >> >> > > --
> > > >> >> > > You received this message because you are subscribed to the
> > > >>Google
> > > >> >> > Groups "Puppet Users" group.
> > > >> >> > > To post to this group, send email to
> > > >>puppet-users@googlegroups.com.
> > > >> >> > > To unsubscribe from this group, send email to
> > > >> >> > puppet-users+unsubscr...@googlegroups.com.
> > > >> >> > > For more options, visit this group at
> > > >> >> >http://groups.google.com/group/puppet-users?hl=en.
>
> > > >> >> > --
> > > >> >> > You received this message because you are subscribed to the
> > Google
> > > >> >>Groups
> > > >> >> > "Puppet Users" group.
> > > >> >> > To post to this group, send email to
> > puppet-users@googlegroups.com.
> > > >> >> > To unsubscribe from this group, send

[Puppet Users] Re: Puppet on Windows - client installer?

2012-02-21 Thread Shawn Turpin

Is this .MSI available (at least for testing)?  When I click on the
link it takes me to a login screen.

I am trying to pilot it in my test lab environment and would love to
give it a whirl.  Especially since this testlab environment has
limited Internet connectivity (read that as none) so trying to install
the individual pieces for the Windows agents is a pain.  Trying to do
a POC for the Windows servers.

Thanks.

On Jan 26, 9:59 am, Josh Cooper  wrote:
> On Wed, Jan 18, 2012 at 5:54 AM, jmp242  wrote:
> > Is this the case, or am I missing where the installer is? Is there any
>
> thought to creating a msi / exe installer in the future that would
>
> > have puppet be self contained
>
> Funny you should ask:https://projects.puppetlabs.com/issues/11205. We are
> working on an MSI installed containing everything you need to install
> puppet, facter, ruby, gems.
>
> > and run a service?
>
> This is something we are not planning on doing, partly because of the issue
> with long running ruby processes, memory usage, etc. Instead we were
> looking to use scheduled tasks to run puppet on a specified interval. It
> does mean you couldn't `puppet kick` these agents. Would that work in your
> environment?
>
> Josh
>
> --
> Josh Cooper
> Developer, Puppet Labs

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] white space in fileservers.conf file causes 'connection refused - connect(2)' error

2012-02-21 Thread paulS

This is a heads up. I didn't see this particular root cause to the
'connection refused' error upon google search, so thought I'd pass it
on. I tried to make a bug report, but couldn't figure out how to do
that. I may not have permission. Arguably it's a 'sensitivity,' though
an undocumented one.

### Error seen

root@puppet-client-1:~# puppet agent --no-daemonize --verbose --
onetime # returned the error:

err: Could not retrieve catalog from remote server: Connection
refused - connect(2)

### Troubleshooting

# Cleaned certificates and keys from the puppetmaster and certificates
from the agent.
# Restarted the puppetmaster to re-create certificates and keys on the
puppetmaster.

# to request a new signed certificate from the puppetmaster.
root@puppet-client-1:~# puppet agent --no-daemonize --verbose --
onetime  # Returned the error:

err: Could not request certificate: Connection refused - connect(2)

# Also getting the following errors upon puppetmaster restart.

root@puppetmaster # puppet master --no-daemonize --verbose
notice: Starting Puppet master version 2.7.9
err: Removing mount files: /etc/puppet/files  does not exist
info: mount[stacks]: allowing *  access
Could not run: Invalid pattern *  at /etc/puppet/fileserver.conf:5

### Root cause

Traced the problem to an extra space after [files] mountpoint path
statement in in fileservers.conf
I did in fact edit that file to add a custom mountpoint. I don’t think
I got the connect error right away, however, because I used the custom
mountpoint successfully in a connect from the agent to install the
configuration package. Perhaps it occurs after restart of the
puppetmaster.

The error is reproducible. I can take the space in and out and
reproduce and repair the error. ':set list' will show the extra space.
Note the extra space between 'path /etc/puppet/files' and '$' in the
files mountpoint, and between 'allow *' and '$' in the custom
mountpoint. The first one cased the problem.

user@puppetmaster:/etc/puppet# vi fileserver.conf
:set list

-- snip ---
[files]$
  path /etc/puppet/files $
#  allow *.example.com
#  deny *.evil.example.com
#  allow 192.168.0.0/24

[stacks]
  path /opt/stacks
  allow * $
-- snip --

Paul

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Re: file and user permissions on the puppet master, best practice

2012-02-21 Thread Craig White


On Feb 21, 2012, at 11:46 AM, paulS wrote:

> (By the way, I should have referred to myself as a new Puppet _user_.
> I certainly didn't mean to imply that I'm a developer of Puppet open
> source software. I'm obviously not up to that challenge.)
> 
> Thanks a lot, Craig.
> 
> I'm using Webrick now, and will move to Apache before release to
> production. I did see the chapter 4 in Pro Puppet, Turnbull, on making
> the puppet master scalable. I also have "Pulling strings with Puppet,"
> Turbull, and have ordered "Puppet 2.7 Cookbook," Arundel.
> 
> It sounds like you're suggesting a good practice is for users to su to
> the puppet user and do their work as puppet. That's what I've read and
> that's why it's bugging me that I can't seem to switch to the puppet
> user.
> 
> I'll  be the primary developer of modules, manifests, etc, with a
> backup person. Also a few other ops people would make changes to
> configuration files that get served out as updates to the clients.
> 
> I get the part about separate environments and puppet masters for dev
> and test. Thanks for that. I need to read and understand about
> environments.
> 
> As I mentioned, I'm having trouble switching to the puppet user. Maybe
> this is an Ubuntu sys admin question, but it pertains specifically to
> the puppet user. The user is set up during install. I installed from
> the following debians:
> 
>   facter_1.6.4-1puppetlabs1_all.deb
>   puppet_2.7.9-1puppetlabs1_all.deb
>   puppet-common_2.7.9-1puppetlabs1_all.deb
>   puppet-dashboard_1.2.4-1puppetlabs1_all.deb
>   puppetmaster_2.7.9-1puppetlabs1_all.deb
>   puppetmaster-common_2.7.9-1puppetlabs1_all.deb
> 
> # sam (not the real user name) has admin rights.
> # the password required here isn't the one for sam and I don't have a
> password for puppet since it was set up during install.
> 
> sam@puppetmaster:~$ su - puppet
> Password:
> 
> adding 'puppet ALL=(ALL) NOPASSWD:ALL' to the sudoers file didn't
> help. 'su - puppet' still wants a password.
> 
> sudo password puppet # lets me create a password for puppet
> 
> The command line now accepts 'su - puppet' with the password for
> puppet, but the prompt still says 'sam@puppetmaster:~$' and puppet
> won't create a subdirectory from a directory owned by puppet:puppet.
> Also I still have admin rights form the command line. I don't think
> switch user to puppet is actually occurring.
> 
> The command line accepts 'sudo su - puppet' without a password, but
> same behavior as immediately above.
> 
> I could blow away the puppet user and re-create it as a member of
> puppet group and not of admin. Does that seem like a good idea? I'm
> curious about the nature of the puppet user that's created during
> install, and whether I'm losing anything important if I blow it away
> and recreate with:
> 
> sudo useradd puppet --create-home --user-group --shell /bin/bash

the one thing I have always appreciated about Linux/UNIX is that the config 
files are always text files and can be fixed and thus you don't have to resort 
to things like uninstalling/re-installing, deleting/recreating users because 
everything is relatively easily fixed - at least assuming that you know how.

su - puppet # if done by root doesn't require a password. 
# Root user doesn't need a password for anything
# if done by a user, needs puppet user's password

/etc/sudoers -  'puppet ALL=(ALL) NOPASSWD:ALL'
# Can't imagine a good reason to do this but will only 
# allow user 'puppet' to sudo anything without a password

if 'su - puppet' doesn't give you the bash shell as user puppet then perhaps 
you don't have a good shell set up for user puppet.
getent passwd | grep puppet   # will list things like the shell 
  # which should be /bin/bash but if not, use chsh
sudo chsh puppet -s /bin/bash # will set puppet users shell to /bin/bash

It's also possible that user puppet's home directory is wrongly set or the 
permissions are bad...
# getent passwd | grep puppet
puppet:x:1001:1001:Puppet,,,:/var/lib/puppet:/bin/bash

sudo chown puppet:puppet /var/lib/puppet -R

Craig

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] white space in fileservers.conf file causes 'connection refused - connect(2)' error

2012-02-21 Thread Craig White

On Feb 21, 2012, at 12:59 PM, paulS wrote:

> This is a heads up. I didn't see this particular root cause to the
> 'connection refused' error upon google search, so thought I'd pass it
> on. I tried to make a bug report, but couldn't figure out how to do
> that. I may not have permission. Arguably it's a 'sensitivity,' though
> an undocumented one.
> 
> ### Error seen
> 
> root@puppet-client-1:~# puppet agent --no-daemonize --verbose --
> onetime # returned the error:
> 
>   err: Could not retrieve catalog from remote server: Connection
> refused - connect(2)
> 
> ### Troubleshooting
> 
> # Cleaned certificates and keys from the puppetmaster and certificates
> from the agent.
> # Restarted the puppetmaster to re-create certificates and keys on the
> puppetmaster.
> 
> # to request a new signed certificate from the puppetmaster.
> root@puppet-client-1:~# puppet agent --no-daemonize --verbose --
> onetime  # Returned the error:
> 
>   err: Could not request certificate: Connection refused - connect(2)
> 
> # Also getting the following errors upon puppetmaster restart.
> 
>   root@puppetmaster # puppet master --no-daemonize --verbose
>   notice: Starting Puppet master version 2.7.9
>   err: Removing mount files: /etc/puppet/files  does not exist
>   info: mount[stacks]: allowing *  access
>   Could not run: Invalid pattern *  at /etc/puppet/fileserver.conf:5
> 
> ### Root cause
> 
> Traced the problem to an extra space after [files] mountpoint path
> statement in in fileservers.conf
> I did in fact edit that file to add a custom mountpoint. I don’t think
> I got the connect error right away, however, because I used the custom
> mountpoint successfully in a connect from the agent to install the
> configuration package. Perhaps it occurs after restart of the
> puppetmaster.
> 
> The error is reproducible. I can take the space in and out and
> reproduce and repair the error. ':set list' will show the extra space.
> Note the extra space between 'path /etc/puppet/files' and '$' in the
> files mountpoint, and between 'allow *' and '$' in the custom
> mountpoint. The first one cased the problem.
> 
> user@puppetmaster:/etc/puppet# vi fileserver.conf
> :set list
> 
> -- snip ---
> [files]$
>  path /etc/puppet/files $
> #  allow *.example.com
> #  deny *.evil.example.com
> #  allow 192.168.0.0/24
> 
> [stacks]
>  path /opt/stacks
>  allow * $
> -- snip --

not sure what you are trying to accomplish here but if you don't have something 
specific in mind at this point just comment everything out in 
/etc/puppet/fileserver.conf

Craig

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Caching Facts

2012-02-21 Thread Matt Mencel

I'm curious about the section "Caching Ruby Facts" on this doc page...
http://docs.puppetlabs.com/guides/custom_facts.html#configuring-facts

Apparently this ability to assign a TTL value to a fact will be in place in
1.7.0.  I've looked through the Facter source and wiki though and find no
mention of 1.7.0 anywhere.  Just 1.6.X, 2.0.x, and future.  I'm wondering
if there really is going to be a 1.7.0 at some point?  Maybe when they get
tired of using 1.6.X numbers?  :)

Looks like these are the related issuesbut they both say it's slated
for the 2.0.0 release.
http://projects.puppetlabs.com/issues/2157
http://projects.puppetlabs.com/issues/4519

I'd really like to use this TTL feature...

Thanks,
Matt

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Re: Problem with Custom Facter

2012-02-21 Thread Nan Liu

On Tue, Feb 21, 2012 at 6:57 AM, jcbollinger  wrote:
>
>
> On Feb 20, 7:14 pm, Nathan Powell  wrote:
>> On Mon, Feb 20, 2012 at 5:33 PM, Matt Mencel  wrote:
>> > I am trying to write a custom facter for CentOS/RHEL that tells me how many
>> > updates are found on a run of 'yum check-update'
>>
>> Sorry I replied hastily.  After replying I thought about what you're
>> trying to do.  You don't need all those gyrations to get this data
>>
>> Tested quickly on RHEL6 and CentOS5:
>>
>> `sudo yum check-update -q`.split(/\n/).reject{|i| i == ""}.length
>
>
> Alternatively,
>
> `yum -q check-update | grep '\\w' | wc --lines`.chomp

One quick comment, in Puppet/Facter, please don't use %x[] or `yum ...`
to execute command, instead:

Facter::Util::Resolution.exec('yum -q check-update | grep '\\w' | wc --lines')

Thanks,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Struggle with erb syntax

2012-02-21 Thread thinkwell

Hello everyone,

I'm new to puppet & ruby - some experience with Python. I'm working at
getting some templates coded with hashes & conditionals, and using a
contrived example here to get myself started:

This works as I expect in ruby code:

pets = {"snakes"=>["python", "boa constrictor"], "kitties"=>["tomcat",
"pussycat"], "puppies"=>["akitas", "collies", "german shepherds"]}

for pet in pets.keys
puts pet
for pt in pets[pet]
if pet == 'snakes' then
puts "#{pt} is in the #{pet} family"
end
end
end



So, that's the output I want in my ERB template, which is created
thusly:
<% for pet in pets.keys %>
<%= pet %>
<% for pt in pets[pet] %>
<% if pet == 'snakes' then %>
<%=  "#{pt} is in the #{pet} family" %>
<% end %>
<% end %>
<% end %>

However, no matter how I fiddle the syntax, I always get:
err: Could not retrieve catalog from remote server: wrong header line
format


What am I doing wrong?

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] puppet ssl issues.

2012-02-21 Thread Nan Liu

On Mon, Feb 20, 2012 at 7:24 PM, Digital Ninja  wrote:
> So I come in to work monday only to find that none of our puppet
> clients are working.
> When I run puppetd -t I get these errors: http://pastebin.com/6iwhG2Y2
>
> I go to the puppet master server and look at /var/log/puppet/
> masterhttp.log and see a bunch of these openssl errors: 
> http://pastebin.com/1jgVX4ui
>
> I checked and made sure the time and date was the exact same across
> all the servers and even tried restarting it but to no avail.
>
> Is this an issue with webrick or puppetmaster or the puppet clients?

How old is your CA cert? Did your CA expire by any chance?

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Re: white space in fileservers.conf file causes 'connection refused - connect(2)' error

2012-02-21 Thread paulS

I'm checking out a stacks directory from subversion into /opt/stacks
on the puppet master then mounting /opt/stacks. The stacks directory
contains configuration files for the server stacks, which I'll want to
manage with Puppet.

I'm not yet using the [file] mount but am using the [stacks] mount, so
I could comment out the file mount.

My main point was that one wants to be sure they do not leave any
spaces after the path definition, as (I think) after restarting the
puppet master the agents will no long connect.

Paul

On Feb 21, 1:30 pm, Craig White  wrote:

>
> 
> not sure what you are trying to accomplish here but if you don't have 
> something specific in mind at this point just comment everything out in 
> /etc/puppet/fileserver.conf
>
> Craig

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Puppet Labs is growing - now hiring for 2 jobs based anywhere in US!

2012-02-21 Thread PuppetRecruiter

Puppet Labs continues to grow!  (Seriously - we're now at 70 employees
and continuing to hire more!)

I'm currently hiring a Sr Professional Services engineer to work with
our clients on custom engagements, lead Puppet trainings, and more. In
addition, we've added a new Senior Sales Engineer role who will
provide advanced pre-sales support to our sales team and evangelize
Puppet at events.  Both positions also include extensive work with our
engineering teams in contributing to the overall growth of our
products.

And - we're open to remote employees (USA).  If one of these jobs
sounds like you, check out the postings online at www.puppetlabs.com/jobs
and upload your resume and cover letter!  I'll be in touch within 1-2
business days.

Not ready to make a change now but want me to keep you in mind for the
future?  Check out our 'future opportunities' postings for PSE,
Developer, and other roles.

Thanks!
Aimee Fahey
@PuppetRecruiter
www.linkedin.com/in/aimeefahey

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Re: Researching Puppet - Local host variations

2012-02-21 Thread thinkwell

I'm getting this worked through in my head, I think. I wanted to make
sure that Puppet would totally support me if the migration is made.
I've concluded that I can standardize a bit more than I have, and with
Daniel's suggestion, quoted below, I'm well impressed! :

file {
"/etc/rc.d/rc.firewall.local": source =>
"puppet:///modules/firewall/rc.firewall.${fqdn}"  }

That's just perfect - allows very granular "per machine" edits that'll
streamline workflow 100%. Thanks for the comments everyone! :-)

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Recent updates to ruby break puppet

2012-02-21 Thread Forrie


I went to update our ruby-1.8 installation and unfortunately, it
appears to have broken something that Puppet depends on:

# service puppetmaster start
Starting puppetmaster: /usr/lib/ruby/site_ruby/1.8/rubygems.rb:334:
warning: parenthesize argument(s) for future version
/usr/lib/ruby/site_ruby/1.8/rubygems.rb:516: warning: parenthesize
argument(s) for future version
/usr/lib/ruby/site_ruby/1.8/rubygems.rb:32:in `require': /usr/lib/ruby/
site_ruby/1.8/rubygems/deprecate.rb:54: syntax error, unexpected ',',
expecting '|' (SyntaxError)
... define_method name do |*args, &block| # TODO: really works ...
  ^
/usr/lib/ruby/site_ruby/1.8/rubygems/deprecate.rb:55: syntax error,
unexpected tCONSTANT, expecting '}'
/usr/lib/ruby/site_ruby/1.8/rubygems/deprecate.rb:64: syntax error,
unexpected kEND, expecting '}'
/usr/lib/ruby/site_ruby/1.8/rubygems/deprecate.rb:69: syntax error,
unexpected kEND, expecting '}'
from /usr/lib/ruby/site_ruby/1.8/rubygems.rb:32
from /usr/bin/puppetmasterd:9:in `require'
from /usr/bin/puppetmasterd:9


I'm going to downgrade back to the old version.

Does anyone know what the issue is and whether there is a forthcoming
fix or workaround?



Thanks.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Re: Recent updates to ruby break puppet

2012-02-21 Thread Forrie

Nevermind, I accidentally built in the wrong directory an older
version.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Caching Facts

2012-02-21 Thread Michael Stahnke

On Tue, Feb 21, 2012 at 2:04 PM, Matt Mencel  wrote:
> I'm curious about the section "Caching Ruby Facts" on this doc page...
> http://docs.puppetlabs.com/guides/custom_facts.html#configuring-facts
>
> Apparently this ability to assign a TTL value to a fact will be in place in
> 1.7.0.  I've looked through the Facter source and wiki though and find no
> mention of 1.7.0 anywhere.  Just 1.6.X, 2.0.x, and future.  I'm wondering if
> there really is going to be a 1.7.0 at some point?  Maybe when they get
> tired of using 1.6.X numbers?  :)
Your confusion is understandable.

1.7.0 isn't out.  It is in the master branch for facter on github. We
had some plans on 1.7.0 earlier when the docs were being written, but
then found some incompatibilities in Puppet's usage of them.  Those
are getting resolved currently.  The plans are to have an RC on the
next series of facter in the 6 weeks or so.



You can also use Puppet Labs stdlib to get things like facts.d usage,
which is a nice feature.
http://forge.puppetlabs.com/puppetlabs/stdlib



>
> Looks like these are the related issuesbut they both say it's slated for
> the 2.0.0 release.
> http://projects.puppetlabs.com/issues/2157
> http://projects.puppetlabs.com/issues/4519
>
> I'd really like to use this TTL feature...
>
> Thanks,
> Matt
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Re: file and user permissions on the puppet master, best practice

2012-02-21 Thread paulS

Nice! Thanks!

sam@puppetmaster:~$ getent passwd | grep puppet  # /bin/false is not
good
puppet:x:108:113:Puppet configuration management daemon,,,:/var/lib/
puppet:/bin/false

sam@puppetmaster:~$ sudo chsh puppet -s /bin/bash

sam@puppetmaster:~$ getent passwd | grep puppet  # that's better
puppet:x:108:113:Puppet configuration management daemon,,,:/var/lib/
puppet:/bin/bash

sam@puppetmaster-1e:~$ su - puppet  # now I can switch user
Password:
puppet@puppetmaster-1e:~$

--
Paul


On Feb 21, 1:27 pm, Craig White  wrote:

>
> 
> the one thing I have always appreciated about Linux/UNIX is that the config 
> files are always text files and can be fixed and thus you don't have to 
> resort to things like uninstalling/re-installing, deleting/recreating users 
> because everything is relatively easily fixed - at least assuming that you 
> know how.
>
> su - puppet # if done by root doesn't require a password.
>             # Root user doesn't need a password for anything
>             # if done by a user, needs puppet user's password
>
> /etc/sudoers -  'puppet ALL=(ALL) NOPASSWD:ALL'
>             # Can't imagine a good reason to do this but will only
>             # allow user 'puppet' to sudo anything without a password
>
> if 'su - puppet' doesn't give you the bash shell as user puppet then perhaps 
> you don't have a good shell set up for user puppet.
> getent passwd | grep puppet   # will list things like the shell
>                               # which should be /bin/bash but if not, use chsh
> sudo chsh puppet -s /bin/bash # will set puppet users shell to /bin/bash
>
> It's also possible that user puppet's home directory is wrongly set or the 
> permissions are bad...
> # getent passwd | grep puppet
> puppet:x:1001:1001:Puppet,,,:/var/lib/puppet:/bin/bash
>
> sudo chown puppet:puppet /var/lib/puppet -R
>
> Craig

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Re: puppet ssl issues.

2012-02-21 Thread Digital Ninja

> How old is your CA cert? Did your CA expire by any chance?
I guess this is the golden question. I'm not really sure. I'm not 100%
on how webrick even serves the ssl. From all my checking it seems open
ssl used /usr/lib/ssl

openssl version -d
OPENSSLDIR: "/usr/lib/ssl"

Is this the correct ssl to be checking?

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Re: puppet ssl issues.

2012-02-21 Thread Digital Ninja

100% correct. /var/lib/puppet//ssl was my issue.

On Feb 21, 12:01 am, Gary Larizza  wrote:
> On Mon, Feb 20, 2012 at 9:50 PM, Digital Ninja wrote:
>
> > I have the puppet master set up to auto sign them. I did a puppetca --
> > clean FQDN and tried to readd it but I get the same issue.
>
> If you clean the cert on the server side, then you need to blow away the
> $ssldir on the client side too.  On a test client, run `puppet config print
> ssldir` to get the path where the ssl information is being stored
> client-side.  Remove that directory and then try running puppet agent -t
> again to concat the master and generate a csr.  The master should auto-sign
> and you should be good.
>
> I would definitely encourage you to look towards using something other than
> Webrick in this situation.
>
> You also mentioned that the time on the master/agents WAS synced?  It's not
> off by any significant amount?
>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Puppet Users" group.
> > To post to this group, send email to puppet-users@googlegroups.com.
> > To unsubscribe from this group, send email to
> > puppet-users+unsubscr...@googlegroups.com.
> > For more options, visit this group at
> >http://groups.google.com/group/puppet-users?hl=en.
>
> --
>
> Gary Larizza
> Professional Services Engineer
> Puppet Labs

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] "SSLv3 read server certificate B: certificate verify failed." -- Not time related

2012-02-21 Thread Jon Davis

I recently built, added to puppet and then nuked a server.  Before I
re-added the machine (after I rebuilt it, with the same name), I went to
the puppet server and ran `puppet cert revoke dev-8.company.com` and
`puppet cert clean dev-8.company.com`.  Now when puppet runs on ANY server
in my environment, they get the following error:

info: Caching certificate for dev-8.company.com
*err: Could not retrieve catalog from remote server: SSL_connect returned=1
errno=0 state=SSLv3 read server certificate B: certificate verify failed.
 This is often because the time is out of sync on the server or client*
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
*err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3
read server certificate B: certificate verify failed.  This is often
because the time is out of sync on the server or client*


Now I know for a fact that it isn't a time issue because the puppet server
is on NTP as are the clients.  The new machine is also within 1-2 seconds
of server time.  All of the clients are configured to run (via Cron)
`/usr/sbin/puppetd --onetime --no-daemonize --logdest syslog --server
puppet.company.com`.  The server is named puppet-1.company.com but puppet.
is a valid cname.  I've tried rebooting the puppet server, I've tried
upgrading it, just about anything I can think of.

Any help would be greatly appreciated.
-Jon

PS Both clients and server are running Ubuntu:

root@puppet-1:/etc/puppet# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=11.10
DISTRIB_CODENAME=oneiric
DISTRIB_DESCRIPTION="Ubuntu 11.10"

root@puppet-1:/etc/puppet# uname -a
Linux puppet-1 3.0.0-16-server #28-Ubuntu SMP Fri Jan 27 18:03:45 UTC 2012
x86_64 x86_64 x86_64 GNU/Linux



-- 
Jon
[[User:ShakataGaNai]] / KJ6FNQ
http://snowulf.com/
http://www.linkedin.com/in/shakataganai 

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] "SSLv3 read server certificate B: certificate verify failed." -- Not time related

2012-02-21 Thread Russell Van Tassell

Just a couple of issues...

On Tue, Feb 21, 2012 at 4:56 PM, Jon Davis  wrote:

> I recently built, added to puppet and then nuked a server.  Before I
> re-added the machine (after I rebuilt it, with the same name), I went to
> the puppet server and ran `puppet cert revoke dev-8.company.com` and
> `puppet cert clean dev-8.company.com`.  Now when puppet runs on ANY
> server in my environment, they get the following error:
>
> info: Caching certificate for dev-8.company.com
> *err: Could not retrieve catalog from remote server: SSL_connect
> returned=1 errno=0 state=SSLv3 read server certificate B: certificate
> verify failed.  This is often because the time is out of sync on the server
> or client*
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
> *err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3
> read server certificate B: certificate verify failed.  This is often
> because the time is out of sync on the server or client*
>
>
> Now I know for a fact that it isn't a time issue because the puppet server
> is on NTP as are the clients.  The new machine is also within 1-2 seconds
> of server time.
>

For "normal" NTP clients, this would imply that your time sync is off by a
few factors (ie. your time differences should be mere fractions of seconds
off between servers if your NTP setup is working correctly).


>  All of the clients are configured to run (via Cron) `/usr/sbin/puppetd
> --onetime --no-daemonize --logdest syslog --server puppet.company.com`.
>  The server is named puppet-1.company.com but puppet. is a valid cname.
>  I've tried rebooting the puppet server, I've tried upgrading it, just
> about anything I can think of.
>

If the reverse (IN-ADDR) of your puppet server is going to return
puppet.company.com as its name, but you are connecting to foo.company.com,
that's pretty much a textbook SSL error (ie. your SSL certificate doesn't
match the name it's claiming to be). What happens if you delete the SSL
cert on the client, and re-run the CSR by pointing at the real name of the
server?

Hope that helps...

Russell

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Re: Struggle with erb syntax

2012-02-21 Thread thinkwell

Well, harrumph. Scratchin' mah head - totally baffled, perplexed. I
went to eat and gave it a break. Came back and re-verified syntax
checks. Syntax OK - just as before. Ran puppet validate for the first
time with no errors.

Then, for kicks and giggles, I again to apply the config to the node.
Shazzam - it worked; yet I had made no changes. :-( Very nice it's
working, but why the earlier "err: Could not retrieve catalog from
remote server: wrong header line
format" that cost me so much time? Seems buggy, but I reckon it's me,
the learning puppet user.

Question: what are some debugging tips & tricks that you experts use
when developing new module classes & templates, especially when the
errors messages are so vague? What can I learn from this incident?

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Re: Struggle with erb syntax

2012-02-21 Thread Russell Van Tassell

On Tue, Feb 21, 2012 at 5:32 PM, thinkwell wrote:

> Shazzam - it worked; yet I had made no changes. :-( Very nice it's
> working, but why the earlier "err: Could not retrieve catalog from
> remote server: wrong header line
> format" that cost me so much time? Seems buggy, but I reckon it's me,
> the learning puppet user.
>

Any chance your puppet server is working overtime? Running behind webrick,
or something else? I've noticed some weird "unexplained" errors when the
server starts to get busy...

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Multiple default providers for package: dpkg, pip; using dpkg, Why?

2012-02-21 Thread Kyle Anderson

Can someone help me understand how why this is happening? I have two
Ubuntu laptops that are pretty much the same. Neither of them have pip
installed, but even if I do install pip, it doesn't seem to make a
difference.

I've boiled down my manifests to try to reduce the problem, and this
is how it manifests:

root@cody-laptop:/# puppet apply -e  'package { openssh-server: ensure
=> latest; }'
warning: Found multiple default providers for package: dpkg, pip;
using dpkg
err: /Stage[main]//Package[openssh-server]: Could not evaluate: Could
not get latest version: Execution of '/usr/bin/dpkg-deb --show '
returned 2: dpkg-deb: error: failed to read archive `': No such file
or directory
notice: Finished catalog run in 0.39 seconds
Debug output: http://pastebin.com/uw6E6pSV
Facter output: http://pastebin.com/MJTBGCRQ

Other laptop works fine:
root@kyle:~# puppet apply -e  'package { openssh-server: ensure =>
latest; }'
notice: Finished catalog run in 0.32 seconds
Debug output: http://pastebin.com/vAZffw3n
Facter output: http://pastebin.com/7kFHy6j0

I've done --debug stuff, and I can kinda see it testing for the
existence of other package managers, but not for pip.

But it looks like it is trying to use dpkg-deb, but something goes
wrong.

What I would like to know is why it fails on the one laptop, but not
the other. What I really want to know is how I can better troubleshoot
this myself :) It is really stumping me.  Let me know if I can provide
more information to help diagnose it.

It as if puppet on the broken one is actually trying to use dpkg
instead of apt, but in a wrong way, and the pip thing is a red-
herring?

Kyle



-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] "SSLv3 read server certificate B: certificate verify failed." -- Not time related

2012-02-21 Thread Jon Davis

On Tue, Feb 21, 2012 at 17:05, Russell Van Tassell wrote:

> Just a couple of issues...
>
> On Tue, Feb 21, 2012 at 4:56 PM, Jon Davis  wrote:
>
>> I recently built, added to puppet and then nuked a server.  Before I
>> re-added the machine (after I rebuilt it, with the same name), I went to
>> the puppet server and ran `puppet cert revoke dev-8.company.com` and
>> `puppet cert clean dev-8.company.com`.  Now when puppet runs on ANY
>> server in my environment, they get the following error:
>>
>> info: Caching certificate for dev-8.company.com
>> *err: Could not retrieve catalog from remote server: SSL_connect
>> returned=1 errno=0 state=SSLv3 read server certificate B: certificate
>> verify failed.  This is often because the time is out of sync on the server
>> or client*
>> warning: Not using cache on failed catalog
>> err: Could not retrieve catalog; skipping run
>> *err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3
>> read server certificate B: certificate verify failed.  This is often
>> because the time is out of sync on the server or client*
>>
>>
>> Now I know for a fact that it isn't a time issue because the puppet
>> server is on NTP as are the clients.  The new machine is also within 1-2
>> seconds of server time.
>>
>
> For "normal" NTP clients, this would imply that your time sync is off by a
> few factors (ie. your time differences should be mere fractions of seconds
> off between servers if your NTP setup is working correctly).
>
>

There isn't any time issue, just my typing `date` one one machine to the
other.  Everyone is running NTP it's fine.


>  All of the clients are configured to run (via Cron) `/usr/sbin/puppetd
>> --onetime --no-daemonize --logdest syslog --server puppet.company.com`.
>>  The server is named puppet-1.company.com but puppet. is a valid cname.
>>  I've tried rebooting the puppet server, I've tried upgrading it, just
>> about anything I can think of.
>>
>
> If the reverse (IN-ADDR) of your puppet server is going to return
> puppet.company.com as its name, but you are connecting to foo.company.com,
> that's pretty much a textbook SSL error (ie. your SSL certificate doesn't
> match the name it's claiming to be). What happens if you delete the SSL
> cert on the client, and re-run the CSR by pointing at the real name of the
> server?
>
>
Well unfortunately this worked until a few hours ago and I haven't changed
anything in the DNS.  There is actually no IN-ADDR record for this server.
  When I generated the SSL cert for puppet, I told it to use
puppet.company.com (IE in puppet.conf it says certname=puppet.company.com )

I've deleted certs and re-run puppet on the client about a dozen times now.
 I've also made sure to revoke/clean on the server between each try.


> Hope that helps...
>
> Russell
>
>
>
>  --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>



-- 
Jon
[[User:ShakataGaNai]] / KJ6FNQ
http://snowulf.com/
http://www.linkedin.com/in/shakataganai 

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Recent updates to ruby break puppet

2012-02-21 Thread kish

On Wed, Feb 22, 2012 at 4:07 AM, Forrie  wrote:
>
> I went to update our ruby-1.8 installation and unfortunately, it
> appears to have broken something that Puppet depends on:

Hi,
We were scared of such scenarios,
one thought people suggested was to use rvm.

Could some enlightened people confirm if this approach
will help us avoid breaking puppet because of ruby updates?




-- 
Kish
---
krisk.wordpress.com

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Error 400 on SERVER: Cannot append, variable node_data is defined in this scope at

2012-02-21 Thread M. Piscaer


Hi,

I have an problem that I can't get resolved. I have an hash like 
www.krzywanski.net/archives/703.


With this hash i whould like the add some extra hashes before passing to 
the module, i have tryed the code below.



node testnode {
class { 'testclass':
nodes_data => {
'node1' => { 'server' => 'node1.some.domain.com', 'port' => 
'2560' },
'node2' => { 'server' => 'node2.another.domain.com', 'port' 
=> '2564' },
'node3' => { 'server' => 'node3.some.domain.com', 'port' => 
'2564' }

}
}
}

class testclass ( $node_data ) {
node_data += {
'node4' => { 'server' => 'node4.another.domain.com', 'port' => 
'2564' },
'node5' => { 'server' => 'node5.some.domain.com', 'port' => 
'2564' }

}

class { 'moduletest::test':
module_variable => $node_data
}
}

But then I get the error:

err: Could not retrieve catalog from remote server: Error 400 on SERVER: 
Cannot append, variable node_data is defined in this scope at 
/opt/puppet/env/manifests/classes/testclass.pp:1 on node 
testmp-test-04.intern

warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

Without adding the information everything works fine.


Kind regards,

Michiel Piscaer

--
You received this message because you are subscribed to the Google Groups "Puppet 
Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

53 matches

Mail list logo