[Puppet Users] Re: Creating user with random password (only once)
Dear Werner,

Good morning! I am also working with the User module in Puppet (new to Puppet), but I am not getting how/where to implement random password generation. Below is my module:

/etc/puppetlabs/puppet/modules/user/manifests/user.pp:

    # cat user.pp
    define add_user ( $name, $uid, $groups, $shell, $password, $sshkeytype, $sshkey, $password_max_age, $password_min_age ) {
      $username = $title
      user { $username:
        comment          => $name,
        home             => "/home/$username",
        shell            => "/bin/bash",
        uid              => $uid,
        password_max_age => $password_max_age,
        password_min_age => $password_min_age
      }
      group { $username:
        gid     => $uid,
        require => user[$username]
      }
      file { "/home/$username/":
        ensure  => directory,
        owner   => $username,
        group   => $username,
        mode    => 750,
        require => [ user[$username], group[$username] ]
      }
      file { "/home/$username/.ssh":
        ensure  => directory,
        owner   => $username,
        group   => $username,
        mode    => 700,
        require => file["/home/$username/"]
      }
      file { "/home/$username/.ssh/authorized_keys":
        ensure  => present,
        owner   => $username,
        group   => $username,
        mode    => 600,
        require => file["/home/$username/"]
      }
      ssh_authorized_key { $username:
        user   => $username,
        ensure => present,
        type   => $sshkeytype,
        key    => $sshkey,
        name   => $username
      }
    }

/etc/puppetlabs/puppet/manifests/nodes.pp:

    node 'alvtutl032.wm.com' {
      user { installer: ensure => absent }
      add_user { apple1:
        name             => "WM_admin_user",
        uid              => 3334,
        password_min_age => '2',
        password_max_age => '8',
        password         => '$1$7NwLmsAf$25L8RI8v5gbirkPKLSulE/',
        shell            => "/bin/bash",
        groups           => ['apple1'],
        type             => "ssh-dss",
        sshkey           => "B3NzaC1kc3MAAACBAJzMVL4afDQBJ3rcM9LlHqxg0rmkWDwoWehS4nIpBLJL9qGoyR1YBzPvpD1VufsUqgUXH9dYdfaiVum4IaTgyu2Tb0ezR4Nx2Jkcnp+8jFh/Cys3zgMvzJaIw/Au45E 9h4vBdwvouj1Sg0YaY5mGuKZ2w121uPLawjc3DJsNSc+jFQCb7+Vtir8w+o/CIDiSPXr6MVj16QAAAIBFHMnBixvQaxekLK70eR9TgYUAXsh0MHT8VT+XMUWlOC8u8yVEOTDzrU1ZL2vNWo4NZL6ex9ffx 0JRS5hSCU/o8aVcoC4viCC7SGmntNb0nQo+iKUyTQbGcmMoPG9lO498prML66GbOYWzTedc4XT683kyWV4k0iVixyvLsfLnIB4PmZfjdTtYwC7cE/upvfC/HWpKHHAn66YW6PRTCwZPqCd2AvHAMX/l7nb k1u+BL0YtymawzNT97FcYuvM1UWrJ+fT8isTyHsoUkf76irVxcTBH0SReChHbYeWa2bATEvaj0u2597H4O7qYHJ6IZpTTAeWP0EeKDABfonAr+ZJw==",
      }
      exec { first_login_password_ch:
        command => "/usr/bin/chage -d 0 apple1",
        path    => "/usr/bin/chage"
      }
    }

+ random password script:

    #!/bin/bash
    # random password generator by typedeaF
    # Sets the maximum size of the password the script will generate
    MAXSIZE=15
    # I put escape chars on all the non alpha-numeric characters just for precaution
    array1=( q w e r t y u i o p a s d f g h j k l z x c v b n m Q W E R T Y U I O P A S D F G H J K L Z X C V B N M 1 2 3 4 5 6 7 8 9 0 \! \@ \# \$ \% \^ \* \( \) )
    # Used in conjunction with modulus to keep random numbers in range of the array size
    MODNUM=${#array1[*]}
    # Keeps track of the number characters in the password we have generated
    pwd_len=0
    while [ $pwd_len -lt $MAXSIZE ]
    do
      x=$(($RANDOM%500))
      y=0
      # Step through a random number of index draws before picking a character
      while [ $y -lt $x ]
      do
        ((y++))
        index=$(($RANDOM%$MODNUM))
      done
      # Emit one character per outer iteration so the output is MAXSIZE long;
      # quoted so that * is not glob-expanded
      echo -n "${array1[$index]}"
      ((pwd_len++))
    done
    exit 0

I don't know how to integrate with puppet module ... Your help is much appreciated.

Thanks
Regards,
Siva Kumar S.

On Wednesday, February 8, 2012 1:30:09 PM UTC-6, wernerbahlke wrote:

Hi, I want to create a user with a random password. Is there a way to only execute the manifest once when the user does not exist but not once the user is created? I know how to create a random password and can use generate to execute this function (or make it a custom fact provided I get this fact executed). So far I call an add_user method defined in a users module out of my base class. Here is the code:

    include users
    users::add_user { 'testuser':
      name     => 'testuser',
      uid      => '777',
      password => generate('/usr/local/bin/new_hash'),
      shell    => '/bin/csh',
      groups   => 'testuser',
    }

But alas this will get executed every time the client runs since the password will have changed due to the new generate call. One work-around I could think of is to create the user on the client (FreeBSD) using an exec calling the makepassword and pw
Re: [Puppet Users] Creating user with random password (only once)
The package expect contains a script/binary called mkpasswd that I find very appropriate for making passwords. Here's its man-page: http://linux.die.net/man/1/mkpasswd -- You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
[Puppet Users] Could not parse for environment production: Syntax error at '{'; expected '}' at
Hi, ppl,

I'm following the puppet cookbook tutorial, pages 167 to 169, Managing Apache Servers. When I add the:

    apache::snippet { "site-specific.conf": }

I got the error of the title:

    Could not parse for environment production: Syntax error at '{'; expected '}' at /etc/puppet/manifests/nodes.pp:3

Here is my manifests node.pp:

/etc/puppet/manifests/node.pp

    node 'thegrid.geofusion' {
      include apache
      include apache::snippet { "site-test.conf" },
    }

init.pp:

/etc/puppet/modules/apache/manifests/init.pp

    class apache {
      package { "apache2-mpm-prefork": ensure => installed }
      service { "apache2":
        enable  => true,
        ensure  => running,
        require => Package["apache2-mpm-prefork"],
      }
      file { "/etc/apache2/logs":
        ensure  => directory,
        require => Package["apache2-mpm-prefork"],
      }
      file { "/etc/apache2/conf.d/name-based-vhosts.conf":
        content => "NameVirtualHost *:80",
        require => Package["apache2-mpm-prefork"],
        notify  => Service["apache2"],
      }
      define snippet() {
        file { "/etc/apache2/conf.d/${name}":
          source => "puppet:///modules/apache/${name}",
          notify => Service["apache2"],
        }
      }
    }
Re: [Puppet Users] Could not parse for environment production: Syntax error at '{'; expected '}' at
On Tue, 2012-10-30 at 06:19 -0700, Havary wrote:

Hi, ppl, I'm following the puppet cookbook tutorial, pages 167 to 169, Managing Apache Servers. When I add the:

    apache::snippet { "site-specific.conf": }

I got the error of the title:

    Could not parse for environment production: Syntax error at '{'; expected '}' at /etc/puppet/manifests/nodes.pp:3

Here is my manifests node.pp:

/etc/puppet/manifests/node.pp

    node 'thegrid.geofusion' {
      include apache
      include apache::snippet { "site-test.conf" },
    }

apache::snippet isn't a class, so you don't use 'include' on it. You use it the same as a native puppet type. Your node.pp should look like this:

    node 'thegrid.geofusion' {
      include apache
      apache::snippet { 'site-test.conf': }
    }

--
Calvin Walton calvin.wal...@kepstin.ca
Re: [Puppet Users] Puppet on OpenSuSE SLES
Why did they put it in systemsmanagement:puppet:devel instead of systemsmanagement:puppet? Having a separate devel project seems kinda fragmented and unnecessary to me.

Is there a reason for packaging it as a gem? I haven't done any ruby packaging in OBS, only perl, so I don't know if that's preferred.

The spec should also be updated with a Provides: ruby-shadow so any systems that have a ruby-shadow package installed trigger a conflict.

--
Later,
Darin

On Mon, Oct 29, 2012 at 2:32 AM, Niels Abspoel abo...@gmail.com wrote:

Hi Darin, The puppet package has been updated in systemsmanagement:puppet:devel in opensuse build service to include ruby-shadow. Hope this package will become the new puppet package in opensuse 12.3 and SLES. It works great on my own machine. Maybe we can update the spec file with the spec file from opensuse build service?
Re: [Puppet Users] Over riding global settings/class/variables at node level
Thanks for the response. I am able to fix the problem:

    class syslog_ng::service inherits standard-services {
      Service['rsyslog'] {
        enable => false,
        ensure => stopped,
      }
      service { 'syslog-ng':
        ensure  => running,
        enable  => true,
        require => Class['syslog_ng::install']
      }
    }

On Saturday, 27 October 2012 12:33:14 UTC-7, Ramin K wrote:

On 10/26/2012 7:21 PM, chandan kumar wrote:

Hello, I am new to puppet programming. I have encountered a problem where there is a global setting, applicable to all servers and nodes across the board, to enable a particular service such as rsyslog. And I want to have a server that should not run rsyslog; rather, it should run syslog-ng. So basically I am having two classes in the same node: one is saying start rsyslog and another (my class) is saying to stop rsyslog and start syslog-ng. Whenever I run this it shows a duplicate definition error. So one class is doing

    service {'rsyslog': enable => true}

another class

    service {'rsyslog': ensure => stopped}

    err: Could not retrieve catalog from remote server: Error 400 on SERVER: Duplicate definition: Service[rsyslog] is already defined in file /etc/puppet/environments/syslog/manifests/classes/enabled-c6.pp at line 8; cannot redefine at /etc/puppet/environments/syslog/modules/syslog_ng/manifests/service.pp:5 on node test-logserver

One solution is to create the following class.

modules/rsyslog/manifests/service/disable.pp

    class rsyslog::service::disable inherits rsyslog::service {
      Service['rsyslog'] {
        ensure => stopped,
        enable => false,
      }
    }

assuming you have something like this

    node basenode {
      include rsyslog
    }

Then you'd add the additional class to override the original functionality.

    node 'someserver' inherits basenode {
      include syslog_ng
      include rsyslog::service::disable
    }

Or if syslog_ng and rsyslog can never coexist, I'd include the disable class directly in the init.pp of your syslog_ng class.

Ramin
Re: [Puppet Users] Launching a full screen app through puppet
Just FYI, I was able to launch the app into the active desktop using the tool http://developex.com/custom-software/devxexec.html which is probably just an implementation of the article you posted. The only caveat is that I still had to run the service under the logged in user, which so far is showing no negative side effects.

Thanks for the info.

On Friday, October 26, 2012 2:40:20 PM UTC-4, Josh Cooper wrote:

Hi Lucas,

On Fri, Oct 26, 2012 at 8:10 AM, Lucas Vickers lucasv...@gmail.com wrote:

Hello, I'm controlling 180 windows machines for an art project. I am using puppet to configure the machines, push out an app as a zip, unzip it, change permissions, then launch it.

If you do not need LocalSystem permissions, then you could simply configure the puppet service to run as an unprivileged (domain or local) user:

    sc config puppet obj= username password= password

and allow the service to interact with the desktop:

    sc config puppet type= interact

Everything works perfectly, except the app is being launched in a hidden desktop due to windows security. This page describes some of the issues. http://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx

If the service opens a command window and runs a batch file, the user could hit CTRL+C to terminate the batch file and gain access to a command window with LocalSystem permissions.

So privilege escalation.

From what I'm told since puppet runs as a service it is not allowed to launch an app on the logged in desktop. I confirmed that when running the puppet agent manually the app launches correctly.

It is possible to allow services running under LocalSystem to interact with the desktop in older versions of Windows. If you don't care about the security implications, you could investigate that, though I wouldn't recommend it. Alternatively, you could do something like this: http://chabster.blogspot.com/2008/01/run-as-interactive-user-from-service.html. Compile it and distribute it with your module.

Josh

--
Josh Cooper
Developer, Puppet Labs
[Puppet Users] Spec test failure
I am adding spec tests to my modules and have run into an issue I can't seem to figure out.

I have a simple class (ruby/manifests/init.pp):

    class ruby {
      include common
      $blah = dirname('/tmp/test/file.txt')
      file { $blah: ensure => directory }
    }

And a spec file (spec/classes/ruby_init_spec.rb):

    require 'spec_helper'
    describe 'ruby', :type => :class do
      it { should contain_file('/tmp/test') }
    end

I have a simple define (ruby/manifests/thin.pp):

    define ruby::thin {
      include common
      $blah = dirname('/tmp/test/file.txt')
      file { $blah: ensure => directory }
    }

And a spec file (spec/defines/ruby_thin_spec.rb):

    require 'spec_helper'
    describe 'ruby::thin', :type => :define do
      let(:title) { 'test_site' }
      it { should contain_file('/tmp/test') }
    end

My .fixtures.yml contains:

    fixtures:
      repositories:
        common: gitol...@git.mycompany.com:puppet/mycompany-common.git
      symlinks:
        ruby: "#{source_dir}"

common/lib/puppet/parser/functions/dirname.rb exists and is based off of https://github.com/camptocamp/puppet-common/blob/master/lib/puppet/parser/functions/dirname.rb. I've been using it for a very long time without issue.

Any thoughts as to what I'm missing? I think I've narrowed it down to a class works and the define does not.
[Puppet Users] Re: hiera_array() default value not taken
We end up doing this a lot:

    $var = hiera_hash('key','SOMESTRING')
    if is_hash($var) { }

Not the most elegant.

On Friday, April 6, 2012 11:52:58 AM UTC-5, psychobyte wrote:

I don't think hiera likes defaults as array/hashes explicitly. I usually do a

    $empty_hsh = {}
    $empty_arr = []

and use those as default values. HTH

On Monday, April 2, 2012 5:03:37 AM UTC-7, pablo.f...@cscs.ch wrote:

Hi, There is probably something stupid I am missing, but I just can't see it. I do:

    $iptables_open_ports_public = hiera_array('iptables_open_ports_public', [])

And I have not defined that in the hiera tree, so the default (an empty array) should be returned. But I get, instead:

    Error 400 on SERVER: Could not find data item iptables_open_ports_public in any Hiera data file and no default supplied

Is there any special way to define an empty array as a parameter?

Thanks!
Pablo
Re: [Puppet Users] Could not parse for environment production: Syntax error at '{'; expected '}' at
Calvin Walton, thank you! Do you recommend a book for reading and learning?

I will need some help again; maybe I made another mistake. I made the correction in my node.pp, but now I'm receiving this error message:

    info: Retrieving plugin
    err: Could not retrieve catalog from remote server: Could not intern from pson: Could not autoload package: Could not autoload /usr/lib/ruby/vendor_ruby/puppet/provider/package/windows.rb: no such file to load -- windows/error
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run

I tried googling but with no success. It is strange, but there is no reason for a windows.rb problem. I'm using a linux server and a linux client for puppet.

Thanks!
Re: [Puppet Users] Creating user with random password (only once)
Hey,

There is also this: https://github.com/kwilczynski/puppet-functions/blob/master/lib/puppet/parser/functions/random_password.rb

KW

On Tuesday, October 30, 2012 1:39:35 PM UTC, Ygor wrote:

The package expect contains a script/binary called mkpasswd that I find very appropriate for making passwords. Here's its man-page: http://linux.die.net/man/1/mkpasswd
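What this thread asks for, a random password that is generated on the first run and stays the same on every later run, sketched as an added example that is not code from the original posts or from the linked random_password.rb: characters come from the operating system's CSPRNG, and the value is kept in a per-user file so repeated calls return it unchanged. The function names, the alphabet and the store directory are hypothetical, and hashing the value for the `password` attribute is left out.

```ruby
require 'securerandom'
require 'fileutils'

# Constructed alphabet (an assumption): letters and digits only, so the value
# needs no shell or manifest escaping.
ALPHABET = [*'a'..'z', *'A'..'Z', *'0'..'9'].freeze

# Hypothetical helper: draw `length` characters using the OS CSPRNG.
# SecureRandom.random_number(n) is uniform over 0...n, so there is no modulo bias.
def random_password(length = 16)
  Array.new(length) { ALPHABET[SecureRandom.random_number(ALPHABET.size)] }.join
end

# Hypothetical helper: return the password stored for `user`, creating it only
# if no earlier run has done so. `store_dir` is an assumed root-only directory.
def password_once(user, store_dir, length = 16)
  # Refuse names that could escape store_dir (no dots or slashes allowed).
  raise ArgumentError, 'invalid user name' unless user =~ /\A[a-z_][a-z0-9_-]{0,31}\z/

  FileUtils.mkdir_p(store_dir, mode: 0o700)
  path = File.join(store_dir, user)
  return File.read(path) if File.exist?(path)

  # Write to a private temp file first, then publish it with link(2), which
  # fails if the target already exists: two concurrent runs cannot both win.
  tmp = "#{path}.#{Process.pid}.tmp"
  File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(random_password(length))
  end
  begin
    File.link(tmp, path)
  rescue Errno::EEXIST
    # Another run stored a password first; keep that one.
  ensure
    File.delete(tmp)
  end
  File.read(path)
end
```

Because the second and later calls only read the stored value, a manifest that consumes it sees no change between runs.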
Re: [Puppet Users] Class in puppet-dashboard
The counter in the dashboard only shows the number of nodes who have this class directly assigned. You can view a list of all assigned nodes by clicking on the class. Nodes that receive a class through inclusion in a manifest cannot be found in the dashboard.

Best Regards,
D.

On 2012-10-26 11:02, Manu Mora wrote:

Hello. I have a puppet class:

    class change-password-root {
      user { root:
        password => 'asdfasdfasdfsafasfdsadf',
        ensure   => present
      }
    }

The task works perfectly but in puppet-dashboard always has the counter to zero.

Thanks.
[Puppet Users] Pass Variable to Virtual Resource
Hello,

Little background on what I am trying to do. App1 and App2 are both distributed systems, running on both virtual and physical machines. Mount points for the virtual machines will be /data and mount points for the physical machines will be /disk1/, /disk2/, ... /diskN/. In test, both App1 and App2 are running on the same machines so I can't duplicate definitions.

I've read about Virtual Resources, however I cannot figure out how to dynamically pass variables to the Virtual Resource. I have the following:

    class data_mounts {
      file { $mountpoint:
        ensure => directory,
        owner  => root,
        group  => root,
        mode   => 0644,
      }
      @mount { $mountpoint:
        name    => "${mountpoint}",
        ensure  => mounted,
        fstype  => ext3,
        options => "defaults,noatime",
        require => [ File[$mountpoint], ],
      }
    }

How can I pass in different mountpoints? I can generate a list of mountpoints and pass them in to a `define` and it works, however I cannot do this using virtual resources in order to work from multiple modules.

Thanks,
Brandon
[Puppet Users] Re: PuppetDB Install error: ::postgresql::validate_db_connection at /etc/puppet/modules/puppetdb/manifests/server/validate_db.pp:62
I have the same issue. Did you find a solution or explanation for this issue?

On Friday, 12 October 2012 16:04:01 UTC+2, Worker Bee wrote:

Hi Everyone; I am getting the following error when I try to install PuppetDB. Maybe I have stale instructions?? Thanks! Bee

    Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Invalid tag ::postgresql::validate_db_connection at /etc/puppet/modules/puppetdb/manifests/server/validate_db.pp:62
[Puppet Users] Re: PuppetDB Install error: ::postgresql::validate_db_connection at /etc/puppet/modules/puppetdb/manifests/server/validate_db.pp:62
Found it!! You need to include the dependencies of the module in your module path:

cprice404/inifile - http://forge.puppetlabs.com/cprice404/inifile
puppetlabs/postgresql - http://forge.puppetlabs.com/puppetlabs/postgresql

Regards,
Nr18

On Tuesday, 30 October 2012 22:18:01 UTC+1, Nr18 wrote:

I have the same issue. Did you find a solution or explanation for this issue?

On Friday, 12 October 2012 16:04:01 UTC+2, Worker Bee wrote:

Hi Everyone; I am getting the following error when I try to install PuppetDB. Maybe I have stale instructions?? Thanks! Bee

    Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Invalid tag ::postgresql::validate_db_connection at /etc/puppet/modules/puppetdb/manifests/server/validate_db.pp:62
[Puppet Users] Re: Puppet 3.0: Not authorized to call find on /file_metadata, more issues?
On Wednesday, October 24, 2012 7:44:26 PM UTC-4, Nick Fagerlund wrote:

HMMM, this actually sounds like you've got a slightly larger problem, since can't get its own node object or its plugins. Any chance we could get a look at your whole auth.conf?

On Wednesday, October 24, 2012 3:41:32 PM UTC-7, Forrie wrote:

No, I didn't leave *example.com* in my config - I put our own domain in there... just FYI ;-)

auth.conf is below.

First, we have some simple classes that we use to manage files and packages that do not need to be in a module. For example, /etc/puppet/files/etc/ntp.conf is a file I distribute to all our internal systems and I use this very simple recipe to manage them, which works fine under 2.7:

[ ntp-client.pp ]

    class ntp-client {
      file { "/etc/ntp.conf":
        owner   => root,
        group   => root,
        mode    => 644,
        source  => "puppet:///etc/ntp.conf",
        require => [ Package["ntp"] ],
        notify  => Service["ntpd"],
      }
      package { "ntp":
        ensure => latest,
      }
      service { "ntpd":
        ensure     => running,
        hasrestart => true,
        subscribe  => File["/etc/ntp.conf"],
      }
    } # ntp-client

From what I read in the docs, this /should/ work. But it doesn't. I shouldn't have to create a module path in order for this recipe to work (as I've seen suggested, or I've misunderstood).

Here is the auth.conf file:

[ auth.conf ]

    # This is an example auth.conf file, it mimics the puppetmasterd defaults
    #
    # The ACL are checked in order of appearance in this file.
    #
    # Supported syntax:
    # This file supports two different syntax depending on how
    # you want to express the ACL.
    #
    # Path syntax (the one used below):
    # -
    # path /path/to/resource
    # [environment envlist]
    # [method methodlist]
    # [auth[enthicated] {yes|no|on|off|any}]
    # allow [host|ip|*]
    # deny [host|ip]
    #
    # The path is matched as a prefix. That is /file match at
    # the same time /file_metadat and /file_content.
    #
    # Regex syntax:
    # -
    # This one is differenciated from the path one by a '~'
    #
    # path ~ regex
    # [environment envlist]
    # [method methodlist]
    # [auth[enthicated] {yes|no|on|off|any}]
    # allow [host|ip|*]
    # deny [host|ip]
    #
    # The regex syntax is the same as ruby ones.
    #
    # Ex:
    # path ~ .pp$
    # will match every resource ending in .pp (manifests files for instance)
    #
    # path ~ ^/path/to/resource
    # is essentially equivalent to path /path/to/resource
    #
    # environment:: restrict an ACL to a specific set of environments
    # method:: restrict an ACL to a specific set of methods
    # auth:: restrict an ACL to an authenticated or unauthenticated request
    # the default when unspecified is to restrict the ACL to authenticated requests
    # (ie exactly as if auth yes was present).
    #

    ### Authenticated ACL - those applies only when the client
    ### has a valid certificate and is thus authenticated

    # allow nodes to retrieve their own catalog (ie their configuration)
    path ~ ^/catalog/([^/]+)$
    method find
    allow $1

    # allow all nodes to access the certificates services
    path /certificate_revocation_list/ca
    method find
    allow *

    # allow all nodes to store their reports
    path /report
    method save
    allow *

    # inconditionnally allow access to all files services
    # which means in practice that fileserver.conf will
    # still be used
    # path /file
    # allow *
    # allow_ip 10.101.0.0/24
    # allow_ip 10.103.0.0/24

    # Note that nothing here works, regardless of the CIDR
    path ~ ^/file_(metadata|content)/files/
    auth yes
    allow /^(.+\.)?example.com$/
    allow_ip 10.0.0.0/8

    ### Unauthenticated ACL, for clients for which the current master doesn't
    ### have a valid certificate

    # allow access to the master CA
    path /certificate/ca
    auth no
    method find
    allow *

    path /certificate/
    auth no
    method find
    allow *

    path /certificate_request
    auth no
    method find, save
    allow *

    # this one is not stricly necessary, but it has the merit
    # to show the default policy which is deny everything else
    path /
    # allow *
    auth any

Here are some of the errors I'm seeing today. I do not have any other modules or classes defined here, just the ntp-client.pp on the staging system:

    Oct 30 17:50:38 stage1 puppet-agent[3421]: catalog supports formats: b64_zlib_yaml dot pson raw yaml; using pson
    Oct 30 17:50:38 stage1 puppet-agent[3421]: Caching catalog for stage1.mydomain.com
    Oct 30 17:50:38 stage1 puppet-agent[3421]: Creating default schedules
    Oct 30 17:50:38 stage1 puppet-agent[3421]: Loaded state in 0.00 seconds
    Oct 30 17:50:38 stage1 puppet-agent[3421]: Applying configuration version '1351630198'
    Oct 30 17:50:38 stage1 puppet-agent[3421]: (/Stage[main]/Ntp-client/Service[ntpd]/subscribe) subscribes to File[/etc/ntp.conf]
    Oct 30 17:50:38 stage1 puppet-agent[3421]: (/Stage[main]/Ntp-client/File[/etc/ntp.conf]/require) requires Package[ntp]
    Oct 30 17:50:38 stage1 puppet-agent[3421]: (/Stage[main]/Ntp-client/File[/etc/ntp.conf]/notify) subscribes to Service[ntpd]
    Oct 30
[Puppet Users] Upgrading puppet 2.7.19 to 3.0.1
Hello everyone.

I'm asking this question with reluctance, but I've been working on this upgrade for most of the day. I had a working Kubuntu 12.04 puppet master 2.7.19 with most clients at 2.7.19 as well. I'm trying to upgrade the puppetmaster to 3.0.1 for the speed improvements. Upgrading via apt generated unwelcome errors that I need not go into here. Let's just say that I uninstalled all ruby versions and ruby gems and started from scratch.

So now I have puppet 3.0.1 installed from the puppetlabs debian repo and I thought I'd fought my way through the thicket, but I've hit a wall with this error when running puppet agent on the clients. I get the following error:

    Ruby (Rack) application could not be started
    Error message: undefined method `settings' for Puppet:Module
    Exception class: NoMethodError
    Application root: /etc/puppet/rack/puppetmaster
    Backtrace:
    #  File                                                     Line  Location
    0  /usr/lib/ruby/vendor_ruby/puppet/application.rb          273   in `run_mode'
    1  /usr/lib/ruby/vendor_ruby/puppet/application/master.rb   5
    2  /usr/lib/ruby/vendor_ruby/1.8/rubygems/custom_require.rb 36    in `gem_original_require'
    3  /usr/lib/ruby/vendor_ruby/1.8/rubygems/custom_require.rb 36    in `require'
    4  config.ru                                                13
    5  /var/lib/gems/1.8/gems/rack-1.1.0/lib/rack/builder.rb    46    in `instance_eval'
    6  /var/lib/gems/1.8/gems/rack-1.1.0/lib/rack/builder.rb    46    in `initialize'
    7  config.ru                                                1     in `new'
    8  config.ru

My puppetmaster site and conf files are attached. I'd be under many obligations for some help.

TIA,
Dave

    # you probably want to tune these settings
    PassengerHighPerformance on
    PassengerMaxPoolSize 12
    PassengerPoolIdleTime 1500
    # PassengerMaxRequests 1000
    PassengerStatThrottleRate 120
    RackAutoDetect Off
    RailsAutoDetect Off

    Listen 8140

    <VirtualHost *:8140>
        SSLEngine on
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

        #SSLCertificateFile /var/lib/puppet/ssl/certs/bearkub.thinkwell.lan.pem
        SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.thesecurityappliance.com.pem
        SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/bearkub.thinkwell.lan.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
        SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
        # If Apache complains about invalid signatures on the CRL, you can try disabling
        # CRL checking by commenting the next line, but this is not recommended.
        SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
        SSLVerifyClient optional
        SSLVerifyDepth 1
        # The `ExportCertData` option is needed for agent certificate expiration warnings
        SSLOptions +StdEnvVars +ExportCertData

        # This header needs to be set if using a loadbalancer or proxy
        RequestHeader unset X-Forwarded-For

        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

        DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
        RackBaseURI /
        <Directory /usr/share/puppet/rack/puppetmasterd/>
            Options None
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
    </VirtualHost>

    LoadModule passenger_module /var/lib/gems/1.8/gems/passenger-2.2.11/ext/apache2/mod_passenger.so
    PassengerRoot /var/lib/gems/1.8/gems/passenger-2.2.11
    PassengerRuby /usr/bin/ruby1.8

    # Recommended Passenger Configuration
    PassengerHighPerformance on
    PassengerUseGlobalQueue on
    # PassengerMaxPoolSize control number of application instances,
    # typically 1.5x the number of processor cores.
    PassengerMaxPoolSize 10
    # Restart ruby process after handling specific number of request to resolve MRI memory leak.
    PassengerMaxRequests 4000
    # Shutdown idle Passenger instances after 30 min.
    PassengerPoolIdleTime 1800
    # End of /etc/httpd/conf.d/10_passenger.conf

    # /etc/httpd/conf.d/20_puppetmaster.conf
    # Apache handles the SSL encryption and decryption. It replaces webrick and listens by default on 8140
    Listen 8140
    <VirtualHost *:8140>
        SSLEngine on
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
        # Puppet master should generate initial CA certificate.
        # ensure certs are located in /var/lib/puppet/ssl
        # Change puppet.example.com to the fully qualified domain name of the Puppet master, i.e. $(facter
Re: [Puppet Users] Upgrading puppet 2.7.19 to 3.0.1
On 2012-10-31 03:01, thinkwell wrote:
> So now I have puppet 3.0.1 installed from the puppetlabs debian repo and I thought I'd fought my way through the thicket, but I've hit a wall with this error.
>
> When running puppet agent on the clients, I get the following error:
>
> Ruby (Rack) application could not be started

Just an idea, are you using the config.ru file updated for 3.0, provided by the puppet-common package? Should be in /usr/share/puppet/ext/rack/files/config.ru or /usr/share/puppet/rack/puppetmasterd/config.ru.

Andreas
[Puppet Users] Re: Upgrading from PuppetMaster 2.7 to 3.0 breaks the Console dashboard and foreman
Hello,

For Foreman please see here, cannot verify any of the suggested fixes as for me it was easier to roll back to Puppet 2.7.

http://theforeman.org/issues/1872#change-5687

Cheers
Luke.

On Saturday, October 27, 2012 6:15:44 AM UTC+11, MasterPO wrote:
> I am running RHEL 6 64bit using the puppetlabs yum repositories. I have it configured to run the Puppet Console against port 3000 and The Foreman against port 3030 using passenger.
>
> When I installed the upgrade to puppetmaster 3.0, both the Puppet Console stopped working and rails/passenger broke for The Foreman.
>
> Has anyone else seen this and if so, how have you fixed it?
Re: [Puppet Users] Starting master fails
Have found the same issue and it looks like you need to have a version of OpenSSL that supports the encryption installed.

Note: This only appears to be in the 3.x stream - must be a change in there to strengthen the certificates or something. 2.x seems OK as far as I can tell...

The one Oracle/Sun provides in /usr/sfw doesn't support SHA256 by the looks of it (It's OpenSSL 0.9.7d with security patches).

Run ldd against the OpenSSL library in Ruby to confirm which library you are using:

bash-3.2# ldd ./lib/ruby/1.8/i386-solaris2.10/openssl.so | grep ssl
        libssl.so.0.9.7 => /usr/sfw/lib/64/libssl.so.0.9.7 -- /usr/sfw/lib is core Solaris GNU packages - really old...
        libssl_extra.so.0.9.7 => /usr/sfw/lib/amd64/libssl_extra.so.0.9.7

(NOTE: You will need to find your openssl.so object - in my case it's from a self-compiled copy of ruby...)

bash-3.2# uname -a
SunOS test1 5.10 Generic_147441-25 i86pc i386 i86pc
bash-3.2# /usr/sfw/bin/openssl version
OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969 CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 CVE-2006-7250 CVE-2007-5135 CVE-2007-3108 CVE-2008-5077 CVE-2008-7270 CVE-2009-0590 CVE-2009-2409 CVE-2009-3555 CVE-2010-4180 CVE-2011-4576 CVE-2011-4619 CVE-2012-0884 CVE-2012-1165 CVE-2012-2110 CVE-2012-2131 CVE-2012-2333)

Basically, looks like you need to get packages for (or compile) a more recent version of OpenSSL then link ruby against it. A very brief glance at http://www.openssl.org/news/changelog.html suggests that you need version 1.0.1 or later.

Checking Solaris 11:

bash# openssl version
OpenSSL 1.0.0j 10 May 2012
bash# uname -a
SunOS test2 5.11 11.0 i86pc i386 i86pc

This version also seems to support sha256, so looks like it may be available in some current 1.0.0 streams as well...

Hope that helps...

Greg

On Saturday, 22 September 2012 07:39:50 UTC+10, Jakov Sosic wrote:
> On 09/21/2012 01:35 PM, Peter Spatz wrote:
>> Hello,
>>
>> first, I'm new to puppet. I'm searching for a configuration management tool and puppet was in focus.
>>
>> I'm using Solaris Zone
>> SunOS: 5.10 Generic_147440-15 sun4v sparc sun4v
>> Ruby: ruby 1.8.5 (2006-12-04 patchlevel 2) [sparc-solaris2.10]
>> puppet: v3.0.0-rc6
>> /lib:/usr/lib:/opt/coolstack/mysql_32bit/bin/:/opt/coolstack/mysql_32bit/lib/:/usr/local/lib:/opt/sfw/lib/ruby/:/usr/local/ss/lib/
>>
>> Starting puppet master, syslog prints:
>>
>> Sep 21 13:24:55 sis102f0 puppet-master[9649]: [ID 702911 daemon.debug] Finishing transaction 6891204
>> Sep 21 13:24:55 sis102f0 puppet-master[9649]: [ID 702911 daemon.info] Creating a new SSL certificate request for ca
>> Sep 21 13:24:55 sis102f0 puppet-master[9649]: [ID 702911 daemon.error] Could not prepare for execution: uninitialized constant OpenSSL::Digest::SHA256
>>
>> What's missing?
>
> First, what does the:
>
> $ which ruby
>
> says? Then try this:
>
> $ ruby -ropenssl -e 'p OpenSSL::Digest::Digest.new("sha256")'
>
> and this:
>
> $ ruby -e "puts require('openssl')"
>
> And then report back with output. Also, that being Solaris, check whether you have more than one ruby installations on system and if you are using the right one...
>
> --
> Jakov Sosic
> www.srce.unizg.hr
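The check this thread works toward (does the OpenSSL that Ruby is linked against provide SHA256?), as an added example that is not part of any post or of Puppet itself: it probes the digest directly and then signs a throwaway certificate request with it, the step the quoted syslog output shows failing. The function names and the probe subject name are constructed for illustration, and the syntax assumes a current Ruby rather than the 1.8 series used in the thread.

```ruby
require 'openssl'

# Digest names to probe. SHA256 is the one named in the syslog error quoted
# above; the other two are included for comparison.
PROBE_DIGESTS = %w[SHA1 SHA256 SHA512].freeze

# True if the OpenSSL this Ruby is linked against can instantiate the digest
# and hash data with it. Probing the capability avoids guessing from the
# version string alone.
def digest_usable?(name)
  !OpenSSL::Digest.new(name).update('probe').hexdigest.empty?
rescue StandardError
  false
end

# True if a certificate request can be signed with the digest and then
# verified: the operation the master was attempting when it failed.
def csr_signs_with?(digest_name, bits = 2048)
  key = OpenSSL::PKey::RSA.new(bits)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse('/CN=constructed-probe.example')
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new(digest_name))
  csr.verify(key.public_key)
rescue StandardError
  false
end

# Collects what the thread's manual steps (openssl version, digest check) report.
def openssl_report
  {
    ruby: RUBY_VERSION,
    openssl: OpenSSL::OPENSSL_VERSION,
    digests: PROBE_DIGESTS.map { |d| [d, digest_usable?(d)] }.to_h,
    csr_sha256: csr_signs_with?('SHA256')
  }
end

if __FILE__ == $PROGRAM_NAME
  openssl_report.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Run it with the same ruby binary the master uses (the one `which ruby` reports), since a second Ruby installation may be linked against a different OpenSSL.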