[Puppet Users] Re: Creating user with random password (only once)

2012-10-30 Thread siva kumar
Dear Werner,
 
Good Morning !
 
I am also working with User Module in puppet (New to the puppet) ... But I 
am not getting how/where to implement random password generation.
Below is my Module:
 
/etc/puppetlabs/puppet/modules/user/manifests/user.pp  :
 
#cat user.pp
define add_user ( $name, $uid, $groups, $shell, $password, $sshkeytype,
                  $sshkey, $password_max_age, $password_min_age ) {
  $username = $title
  user { $username:
    comment          => $name,
    home             => "/home/${username}",
    shell            => '/bin/bash',
    uid              => $uid,
    password_max_age => $password_max_age,
    password_min_age => $password_min_age,
  }
  group { $username:
    gid     => $uid,
    require => User[$username],
  }
  file { "/home/${username}/":
    ensure  => directory,
    owner   => $username,
    group   => $username,
    mode    => '0750',
    require => [ User[$username], Group[$username] ],
  }
  file { "/home/${username}/.ssh":
    ensure  => directory,
    owner   => $username,
    group   => $username,
    mode    => '0700',
    require => File["/home/${username}/"],
  }

  file { "/home/${username}/.ssh/authorized_keys":
    ensure  => present,
    owner   => $username,
    group   => $username,
    mode    => '0600',
    require => File["/home/${username}/"],
  }
  ssh_authorized_key { $username:
    user   => $username,
    ensure => present,
    type   => $sshkeytype,
    key    => $sshkey,
    name   => $username,
  }
}

/etc/puppetlabs/puppet/manifests/nodes.pp
 
node 'alvtutl032.wm.com' {
  user { 'installer':
    ensure => absent,
  }
  add_user { 'apple1':
    name             => 'WM_admin_user',
    uid              => 3334,
    password_min_age => '2',
    password_max_age => '8',
    password         => '$1$7NwLmsAf$25L8RI8v5gbirkPKLSulE/',
    shell            => '/bin/bash',
    groups           => ['apple1'],
    sshkeytype       => 'ssh-dss',
    sshkey           =>
B3NzaC1kc3MAAACBAJzMVL4afDQBJ3rcM9LlHqxg0rmkWDwoWehS4nIpBLJL9qGoyR1YBzPvpD1VufsUqgUXH9dYdfaiVum4IaTgyu2Tb0ezR4Nx2Jkcnp+8jFh/Cys3zgMvzJaIw/Au45E
9h4vBdwvouj1Sg0YaY5mGuKZ2w121uPLawjc3DJsNSc+jFQCb7+Vtir8w+o/CIDiSPXr6MVj16QAAAIBFHMnBixvQaxekLK70eR9TgYUAXsh0MHT8VT+XMUWlOC8u8yVEOTDzrU1ZL2vNWo4NZL6ex9ffx
0JRS5hSCU/o8aVcoC4viCC7SGmntNb0nQo+iKUyTQbGcmMoPG9lO498prML66GbOYWzTedc4XT683kyWV4k0iVixyvLsfLnIB4PmZfjdTtYwC7cE/upvfC/HWpKHHAn66YW6PRTCwZPqCd2AvHAMX/l7nb
k1u+BL0YtymawzNT97FcYuvM1UWrJ+fT8isTyHsoUkf76irVxcTBH0SReChHbYeWa2bATEvaj0u2597H4O7qYHJ6IZpTTAeWP0EeKDABfonAr+ZJw==,
}
  exec { 'first_login_password_ch':
    command => '/usr/bin/chage -d 0 apple1',
    path    => '/usr/bin',
  }
}
 
random password script:
 
#!/bin/bash
# random password generator by typedeaF
# Sets the maximum size of the password the script will generate
MAXSIZE=15
# I put escape chars on all the non alpha-numeric characters just for precaution
array1=(
q w e r t y u i o p a s d f g h j k l z x c v b n m Q W E R T Y U I O P A S D
F G H J K L Z X C V B N M 1 2 3 4 5 6 7 8 9 0 \! \@ \# \$ \% \^ \& \* \( \)
)
# Used in conjunction with modulus to keep random numbers in range of the array size
MODNUM=${#array1[*]}
# Keeps track of the number characters in the password we have generated
pwd_len=0
while [ $pwd_len -lt $MAXSIZE ]
do
  x=$(($RANDOM%500))
  y=0
  # Draw a random number of indexes (at least one) and keep the last one
  while [ $y -le $x ]
  do
    ((y++))
    index=$(($RANDOM%$MODNUM))
  done
  # Emit exactly one character per pass so the output is MAXSIZE long
  echo -n "${array1[$index]}"
  ((pwd_len++))
done
exit 0
 
I don't know how to integrate with puppet module ... Your help is much 
appreciated
 
 
Thanks & Regards,
 
Siva Kumar S.

On Wednesday, February 8, 2012 1:30:09 PM UTC-6, wernerbahlke wrote:

 Hi, 

 I want to create a user with a random password. Is there a way to only 
 execute the manifest once when the user does not exist but not once 
 the user is created? 

 I know how to create a random password and can use generate to execute 
 this function (or make it a custom fact provided I get this fact 
 executed). 

 So far I call an add_user method defined in a users module out of my 
 base class. Here is the code: 

   include users 

   users::add_user { 'testuser': 
     name     => 'testuser', 
     uid      => '777', 
     password => generate('/usr/local/bin/new_hash'), 
     shell    => '/bin/csh', 
     groups   => 'testuser', 
   } 

 But alas this will get executed every time the client runs since the 
 password will have changed due to the new generate call. 

 One work-around I could think of is to create the user on the client 
 (FreeBSD) using an exec calling the makepassword and pw 

Re: [Puppet Users] Creating user with random password (only once)

2012-10-30 Thread Dan White
The package expect contains a script/binary called mkpasswd that I find 
very appropriate for making passwords.

Here's its man-page: http://linux.die.net/man/1/mkpasswd

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.
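
Added example (not code from any poster in this thread): one way to get the "only once" behaviour asked about above when the hash comes from generate(). The script creates a password the first time it is asked about a user and returns the stored hash on every later call; STATE_DIR, the file layout and the function names are assumptions, and hashing assumes an openssl that supports `passwd -6`.

```sh
#!/bin/sh
# Added example, not code from the thread. STATE_DIR, the file layout and the
# function names are assumptions made for illustration.
STATE_DIR=${STATE_DIR:-/var/lib/puppet/user_secrets}

# Print LEN characters drawn from /dev/urandom. Discarding unwanted bytes with
# `tr -dc` keeps every allowed character equally likely; `$RANDOM % size` is
# slightly biased and $RANDOM is not a cryptographic generator.
gen_password() {
    len=${1:-15}
    pw=
    while [ "${#pw}" -lt "$len" ]; do
        pw=$pw$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'a-zA-Z0-9!@#$%^&*()')
    done
    printf '%s\n' "$pw" | cut -c1-"$len"
}

# Read one cleartext password on stdin, print a salted SHA-512 crypt hash.
hash_password() {
    openssl passwd -6 -stdin
}

# Print the stored hash for USER, creating and saving it on first use only.
new_hash() {
    user=$1
    # Refuse names that could leave STATE_DIR or name a hidden file.
    case $user in
        ''|.*|*[!A-Za-z0-9_.-]*)
            echo "new_hash: invalid user name" >&2
            return 2 ;;
    esac
    hash_file=$STATE_DIR/$user.hash
    if [ ! -s "$hash_file" ]; then
        (
            umask 077                       # new files: owner read/write only
            mkdir -p "$STATE_DIR" || exit 1
            tmp=$(mktemp "$STATE_DIR/.new.XXXXXX") || exit 1
            pw=$(gen_password 15)
            # ln fails if the hash file already exists, so when two catalog
            # compilations race, the first writer wins and the loser reuses it.
            if printf '%s\n' "$pw" | hash_password > "$tmp" && [ -s "$tmp" ] &&
               ln "$tmp" "$hash_file" 2>/dev/null; then
                # Cleartext for the one-time handoff; delete once delivered.
                printf '%s\n' "$pw" > "$STATE_DIR/$user.initial"
            fi
            rm -f "$tmp"
        ) || return 1
    fi
    [ -s "$hash_file" ] || return 1
    # No trailing newline, so the output can be used directly as a hash value.
    printf '%s' "$(cat "$hash_file")"
}

# Run only when installed under the name used in the thread's generate() call.
case ${0##*/} in
    new_hash) new_hash "$@" ;;
esac
```

Installed as /usr/local/bin/new_hash, it would be called from the manifest as `password => generate('/usr/local/bin/new_hash', 'testuser')`. generate() runs on the master, so STATE_DIR lives there and should be readable only by the account the master runs as.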



[Puppet Users] Could not parse for environment production: Syntax error at '{'; expected '}' at

2012-10-30 Thread Havary
Hi, ppl,

I'm following the puppet cookbook tutorial. On page 167 to 169 Managing 
Apache Servers. When I add the:

apache::snippet { "site-specific.conf": }

I got the error of the title: Could not parse for environment production: 
Syntax error at '{'; expected '}' at /etc/puppet/manifests/nodes.pp:3.

Here are my manifests

node.pp
/etc/puppet/manifests/node.pp

node 'thegrid.geofusion' {
include apache
include apache::snippet { site-test.conf },
}

init.pp
/etc/puppet/modules/apache/manifests/init.pp

class apache {

  package { "apache2-mpm-prefork": ensure => installed }

  service { "apache2":
    enable  => true,
    ensure  => running,
    require => Package["apache2-mpm-prefork"],
  }

  file { "/etc/apache2/logs":
    ensure  => directory,
    require => Package["apache2-mpm-prefork"],
  }

  file { "/etc/apache2/conf.d/name-based-vhosts.conf":
    content => "NameVirtualHost *:80",
    require => Package["apache2-mpm-prefork"],
    notify  => Service["apache2"],
  }

  define snippet() {
    file { "/etc/apache2/conf.d/${name}":
      source => "puppet:///modules/apache/${name}",
      notify => Service["apache2"],
    }
  }
}








Re: [Puppet Users] Could not parse for environment production: Syntax error at '{'; expected '}' at

2012-10-30 Thread Calvin Walton
On Tue, 2012-10-30 at 06:19 -0700, Havary wrote:
 Hi, ppl,
 
 I'm following the puppet cookbook tutorial. On page 167 to 169 Managing 
 Apache Servers. When I add the:
 
 apache::snippet { "site-specific.conf": }
 
 I got the error of the title: Could not parse for environment production: 
 Syntax error at '{'; expected '}' at /etc/puppet/manifests/nodes.pp:3.
 
 Here are my manifests
 
 node.pp
 /etc/puppet/manifests/node.pp
 
 node 'thegrid.geofusion' {
 include apache
 include apache::snippet { site-test.conf },
 }

apache::snippet isn't a class, so you don't use 'include' on it. You use
it the same as a native puppet type. Your node.pp should look like this:

node 'thegrid.geofusion' {
  include apache
  apache::snippet { 'site-test.conf': }
}

-- 
Calvin Walton calvin.wal...@kepstin.ca




Re: [Puppet Users] Puppet on OpenSuSE SLES

2012-10-30 Thread Darin Perusich
Why did they put it in systemsmanagement:puppet:devel instead of
systemsmanagement:puppet? Having a separate devel project seems kinda
fragmented and unnecessary to me.

Is there a reason for packaging it as a gem? I haven't done any ruby
packaging in OBS, only perl, so I don't know if that's preferred. The
spec should also be updated with a Provides: ruby-shadow so any
systems that have a ruby-shadow package installed trigger a conflict.

--
Later,
Darin


On Mon, Oct 29, 2012 at 2:32 AM, Niels Abspoel abo...@gmail.com wrote:
 Hi Darin,

 The puppet package has been updated in systemsmanagement:puppet:devel in
 opensuse build service to include ruby-shadow.
 Hope this package will become the new puppet package in opensuse 12.3 and
 SLES.

 It works great on my own machine. Maybe we can update the spec file with the
 spec file from opensuse build service?




Re: [Puppet Users] Over riding global settings/class/variables at node level

2012-10-30 Thread chandan kumar
Thanks for the response. I am able to fix the problem 

class syslog_ng::service inherits standard-services {

  Service['rsyslog'] {
    enable => false,
    ensure => stopped,
  }

  service { 'syslog-ng':
    ensure  => running,
    enable  => true,
    require => Class['syslog_ng::install'],
  }

}

On Saturday, 27 October 2012 12:33:14 UTC-7, Ramin K wrote:

 On 10/26/2012 7:21 PM, chandan kumar wrote: 
  Hello, 
  
  I am new to puppet programming. I have encountered a problem where the a 
  global setting, application to all servers, nodes across the board to 
  enable a particular service such as rsyslog. And I want to have a server 
  that should not run rsyslog rather it should run syslog-ng. 
  
  So basically I am having two classes in the same node, one is saying 
  start rsyslog and another (my class) is saying to stop rsyslog and start 
  syslog-ng. Whenever I run this it shows duplication definition error. 
  
  So one class is doing 
  
  service {'rsyslog': enable => true} 
  
  another class 
  
  service {'rsyslog': ensure => stopped} 
  
  err: Could not retrieve catalog from remote server: Error 400 on SERVER: 
  Duplicate definition: Service[rsyslog] is already defined in file 
  /etc/puppet/environments/syslog/manifests/classes/enabled-c6.pp at line 
  8; cannot redefine at 
  /etc/puppet/environments/syslog/modules/syslog_ng/manifests/service.pp:5 
  on node test-logserver 

 One solution is to create the following class. 

 modules/rsyslog/manifests/service/disable.pp 
 class rsyslog::service::disable inherits rsyslog::service { 
   Service['rsyslog'] { ensure => stopped, enable => false, } 
 } 

 assuming you have something like this 
 node basenode { 
   include rsyslog 
 } 

 Then you'd add the additional class to override the original functionality. 
 node 'someserver' inherits basenode { 
   include syslog_ng 
   include rsyslog::service::disable 
 } 

 Or if syslog_ng and rsyslog can never coexist, I'd include the disable 
 class directly in the init.pp of your syslog_ng class. 

 Ramin 





Re: [Puppet Users] Launching a full screen app through puppet

2012-10-30 Thread Lucas Vickers
just FYI I was able to launch the app into the active desktop using the tool
http://developex.com/custom-software/devxexec.html
which is probably just an implementation of the article you posted.  
The only caveat is that I still had to run the service under the logged in 
user, 
which so far is showing no negative side effects.

thanks for the info

On Friday, October 26, 2012 2:40:20 PM UTC-4, Josh Cooper wrote:

 Hi Lucas, 

 On Fri, Oct 26, 2012 at 8:10 AM, Lucas Vickers lucasv...@gmail.com wrote: 
  Hello, 
  
  I'm controlling 180 windows machines for an art project.  I am using 
  puppet to configure the machines, push out an app as a zip, unzip it, 
  change permissions, then launch it. 

 If you do not need LocalSystem permissions, then you could simply 
 configure the puppet service to run as an unprivileged (domain or 
 local) user: 

 sc config puppet obj= username password= password 

 and allow the service to interact with the desktop: 

 sc config puppet type= interact 

  Everything works perfectly, 
  except the app is being launched in a hidden desktop due to windows 
  security. 

 This page describes some of the issues. 

 http://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx
  

 If the service opens a command window and runs a batch file, the user 
 could hit CTRL+C to terminate the batch file and gain access to a 
 command window with LocalSystem permissions. So privilege escalation. 

  From what I'm told since puppet runs as a service it is not allowed to 
  launch an app on the logged in desktop.  I confirmed that when running 
  the puppet agent manually the app launches correctly. 

 It is possible to allow services running under LocalSystem to interact 
 with the desktop in older versions of Windows. If you don't care about 
 the security implications, you could investigate that, though I 
 wouldn't recommend it. 

 Alternatively, you could do something like this: 

 http://chabster.blogspot.com/2008/01/run-as-interactive-user-from-service.html.
  

 Compile it and distribute it with your module. 

 Josh 

 -- 
 Josh Cooper 
 Developer, Puppet Labs 





[Puppet Users] Spec test failure

2012-10-30 Thread Justin Lambert
I am adding  spec tests to my modules and have run into an issue I can't seem 
to figure out.

I have a simple class: (ruby/manifests/init.pp)
class ruby {
  include common
  $blah = dirname('/tmp/test/file.txt')
  file { $blah: ensure => directory }
}

And a spec file: (spec/classes/ruby_init_spec.rb)
require 'spec_helper'
describe 'ruby', :type => :class do
  it { should contain_file('/tmp/test') }
end

I have a simple define: (ruby/manifests/thin.pp)
define ruby::thin {
  include common
  $blah = dirname('/tmp/test/file.txt')
  file { $blah: ensure => directory }
}

And a spec file: (spec/defines/ruby_thin_spec.rb)
require 'spec_helper'
describe 'ruby::thin', :type => :define do
  let(:title) { 'test_site' }
  it { should contain_file('/tmp/test') }
end

My .fixtures.yml contains:
fixtures:
  repositories:
    common: gitol...@git.mycompany.com:puppet/mycompany-common.git
  symlinks:
    ruby: "#{source_dir}"

common/lib/puppet/parser/functions/dirname.rb exists and is based off of 
https://github.com/camptocamp/puppet-common/blob/master/lib/puppet/parser/functions/dirname.rb.
  I've been using it for a very long time without issue.


Any thoughts as to what I'm missing?  I think I've narrowed it down to a class 
works and the define does not.




[Puppet Users] Re: hiera_array() default value not taken

2012-10-30 Thread Jason Koppe
we end up doing this a lot:

$var = hiera_hash('key','SOMESTRING')
if is_hash($var) { 

}

not the most elegant

On Friday, April 6, 2012 11:52:58 AM UTC-5, psychobyte wrote:

 I don't think hiera likes defaults as array/hashes explicitly

 I usually do a 

 $empty_hsh = {}
 $empty_arr = []

 and use those as default values.

 HTH


 On Monday, April 2, 2012 5:03:37 AM UTC-7, pablo.f...@cscs.ch wrote:

 Hi,

 There is probably something stupid I am missing, but I just can't see 
 it. I do:

 $iptables_open_ports_public = hiera_array ('iptables_open_ports_public', 
 [])

 And I have not defined that in the hiera tree, so the default (an empty 
 array) should be returned. But I get, instead:

 Error 400 on SERVER: Could not find data item 
 iptables_open_ports_public in any Hiera data file and no default supplied

 Is there any special way to define an empty array as a parameter?

 Thanks!
 Pablo






Re: [Puppet Users] Could not parse for environment production: Syntax error at '{'; expected '}' at

2012-10-30 Thread Havary
Calvin Walton,

thank you!

Do you recommend a book for reading and learning?

I will need some help again, maybe I made another mistake. I made the 
correction in my node.pp, but now I'm receiving this error msg:

info: Retrieving plugin
err: Could not retrieve catalog from remote server: Could not intern from 
pson: Could not autoload package: Could not autoload 
/usr/lib/ruby/vendor_ruby/puppet/provider/package/windows.rb: no such file 
to load -- windows/error
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

I tried googling but no success. It is strange, but there is no reason for a 
windows.rb problem. I'm using a linux server and a linux client for puppet.

Thanks!
 




Re: [Puppet Users] Creating user with random password (only once)

2012-10-30 Thread Krzysztof Wilczynski
Hey,

There is also this:

https://github.com/kwilczynski/puppet-functions/blob/master/lib/puppet/parser/functions/random_password.rb

KW

On Tuesday, October 30, 2012 1:39:35 PM UTC, Ygor wrote:

 The package expect contains a script/binary called mkpasswd that I 
 find very appropriate for making passwords. 

 Here's its man-page: http://linux.die.net/man/1/mkpasswd




Re: [Puppet Users] Class in puppet-dashboard

2012-10-30 Thread David Schmitt
The counter in the dashboard only shows the number of nodes who have 
this class directly assigned. You can view a list of all assigned nodes 
by clicking on the class. Nodes that receive a class through inclusion 
in a manifest cannot be found in the dashboard.



Best Regards, D.


On 2012-10-26 11:02, Manu Mora wrote:

Hello. I have a puppet class:

class change-password-root {
  user { 'root':
    password => 'asdfasdfasdfsafasfdsadf',
    ensure   => present,
  }
}


The task works perfectly but in puppet-dashboard always has the counter
to zero.
Thanks.




[Puppet Users] Pass Variable to Virtual Resource

2012-10-30 Thread Brandon Bell
Hello, 

Little background on what I am trying to do.  

App1 and App2 are both distributed systems, running on both virtual and 
physical machines.  Mount points for the virtual machines will be /data and 
mount points for the physical machines will be /disk1/, /disk2/, ... 
/diskN/.  

In test, both App1 and App2 are running on the same machines so I can't 
duplicate definitions.  I've read about Virtual Resources, however I cannot 
figure out how to dynamically pass variables to the Virtual Resource.   I 
have the following: 



class data_mounts {

  file { $mountpoint:
    ensure => directory,
    owner  => root,
    group  => root,
    mode   => 0644,
  }

  @mount { $mountpoint:
    name    => "${mountpoint}",
    ensure  => mounted,
    fstype  => ext3,
    options => "defaults,noatime",
    require => [ File[$mountpoint], ],
  }
}

How can I pass in different mountpoints?  I can generate a list of 
mountpoints and pass them in to a `define` and it works, however I cannot 
do this using virtual resources in order to work from multiple modules.

Thanks,
Brandon




[Puppet Users] Re: PuppetDB Install error: ::postgresql::validate_db_connection at /etc/puppet/modules/puppetdb/manifests/server/validate_db.pp:62

2012-10-30 Thread Nr18
I have the same issue did you find a solution or explanation for this issue?

On Friday, 12 October 2012 16:04:01 UTC+2, Worker Bee wrote:

 Hi Everyone;

 I am getting the following error when I try to install PuppetDB.

 Maybe I have stale instructions??  

 Thanks!
 Bee

 Error: Could not retrieve catalog from remote server: Error 400 on SERVER: 
 Invalid tag ::postgresql::validate_db_connection at 
 /etc/puppet/modules/puppetdb/manifests/server/validate_db.pp:62 





[Puppet Users] Re: PuppetDB Install error: ::postgresql::validate_db_connection at /etc/puppet/modules/puppetdb/manifests/server/validate_db.pp:62

2012-10-30 Thread Nr18
Found it!!

You need to include the dependencies of the module in your module path:

cprice404/inifile - http://forge.puppetlabs.com/cprice404/inifile
puppetlabs/postgresql - http://forge.puppetlabs.com/puppetlabs/postgresql

Regards,

Nr18


On Tuesday, 30 October 2012 22:18:01 UTC+1, Nr18 wrote:

 I have the same issue did you find a solution or explanation for this 
 issue?

 On Friday, 12 October 2012 16:04:01 UTC+2, Worker Bee wrote:

 Hi Everyone;

 I am getting the following error when I try to install PuppetDB.

 Maybe I have stale instructions??  

 Thanks!
 Bee

 Error: Could not retrieve catalog from remote server: Error 400 on 
 SERVER: Invalid tag ::postgresql::validate_db_connection at 
 /etc/puppet/modules/puppetdb/manifests/server/validate_db.pp:62 






[Puppet Users] Re: Puppet 3.0: Not authorized to call find on /file_metadata, more issues?

2012-10-30 Thread Forrie


On Wednesday, October 24, 2012 7:44:26 PM UTC-4, Nick Fagerlund wrote:

 HMMM, this actually sounds like you've got a slightly larger problem, 
 since can't get its own node object or its plugins. Any chance we could get 
 a look at your whole auth.conf? 

 On Wednesday, October 24, 2012 3:41:32 PM UTC-7, Forrie wrote:

 No, I didn't leave *example.com* in my config - I put our own domain in 
 there... just FYI ;-)



auth.conf is below.

First, we have some simple classes that we use to manage files and packages 
that do not need to be in a module.   For example, 
/etc/puppet/files/etc/ntp.conf is a file I distribute to all our internal 
systems and I use this very simple recipe to manage them, which works fine 
under 2.7:

[ ntp-client.pp ]

class ntp-client {

  file { "/etc/ntp.conf":
    owner   => root,
    group   => root,
    mode    => 644,
    source  => "puppet:///etc/ntp.conf",
    require => [ Package["ntp"] ],
    notify  => Service["ntpd"],
  }

  package { "ntp":
    ensure => latest,
  }

  service { "ntpd":
    ensure     => running,
    hasrestart => true,
    subscribe  => File["/etc/ntp.conf"],
  }

} # ntp-client



From what I read in the docs, this /should/ work.  But it doesn't.   I 
shouldn't have to create a module path in order for this recipe to work (as 
I've seen suggested, or I've misunderstood).  

Here is the auth.conf file:


[ auth.conf ]

# This is an example auth.conf file, it mimics the puppetmasterd defaults
#
# The ACL are checked in order of appearance in this file.
#
# Supported syntax:
# This file supports two different syntax depending on how
# you want to express the ACL.
#
# Path syntax (the one used below):
# -
# path /path/to/resource
# [environment envlist]
# [method methodlist]
# [auth[enthicated] {yes|no|on|off|any}]
# allow [host|ip|*]
# deny [host|ip]
#
# The path is matched as a prefix. That is /file match at
# the same time /file_metadat and /file_content.
#
# Regex syntax:
# -
# This one is differenciated from the path one by a '~'
#
# path ~ regex
# [environment envlist]
# [method methodlist]
# [auth[enthicated] {yes|no|on|off|any}]
# allow [host|ip|*]
# deny [host|ip]
#
# The regex syntax is the same as ruby ones.
#
# Ex:
# path ~ .pp$
# will match every resource ending in .pp (manifests files for instance)
#
# path ~ ^/path/to/resource
# is essentially equivalent to path /path/to/resource
#
# environment:: restrict an ACL to a specific set of environments
# method:: restrict an ACL to a specific set of methods
# auth:: restrict an ACL to an authenticated or unauthenticated request
# the default when unspecified is to restrict the ACL to authenticated requests
# (ie exactly as if auth yes was present).
#

### Authenticated ACL - those applies only when the client
### has a valid certificate and is thus authenticated

# allow nodes to retrieve their own catalog (ie their configuration)
path ~ ^/catalog/([^/]+)$
method find
allow $1

# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *

# allow all nodes to store their reports
path /report
method save
allow *

# inconditionnally allow access to all files services
# which means in practice that fileserver.conf will
# still be used
# path /file
# allow *
# allow_ip 10.101.0.0/24
# allow_ip 10.103.0.0/24

# Note that nothing here works, regardless of the CIDR
path ~ ^/file_(metadata|content)/files/
auth yes
allow /^(.+\.)?example.com$/
allow_ip 10.0.0.0/8

### Unauthenticated ACL, for clients for which the current master doesn't
### have a valid certificate

# allow access to the master CA
path /certificate/ca
auth no
method find
allow *

path /certificate/
auth no
method find
allow *

path /certificate_request
auth no
method find, save
allow *

# this one is not stricly necessary, but it has the merit
# to show the default policy which is deny everything else
path /
# allow *
auth any
 

Here are some of the errors I'm seeing today.  I do not have any other 
modules or classes defined here, just the ntp-client.pp on the staging 
system:



Oct 30 17:50:38 stage1 puppet-agent[3421]: catalog supports formats: 
b64_zlib_yaml dot pson raw yaml; using pson
Oct 30 17:50:38 stage1 puppet-agent[3421]: Caching catalog for 
stage1.mydomain.com
Oct 30 17:50:38 stage1 puppet-agent[3421]: Creating default schedules
Oct 30 17:50:38 stage1 puppet-agent[3421]: Loaded state in 0.00 seconds
Oct 30 17:50:38 stage1 puppet-agent[3421]: Applying configuration version 
'1351630198'
Oct 30 17:50:38 stage1 puppet-agent[3421]: 
(/Stage[main]/Ntp-client/Service[ntpd]/subscribe) subscribes to 
File[/etc/ntp.conf]
Oct 30 17:50:38 stage1 puppet-agent[3421]: 
(/Stage[main]/Ntp-client/File[/etc/ntp.conf]/require) requires Package[ntp]
Oct 30 17:50:38 stage1 puppet-agent[3421]: 
(/Stage[main]/Ntp-client/File[/etc/ntp.conf]/notify) subscribes to 
Service[ntpd]
Oct 30 

[Puppet Users] Upgrading puppet 2.7.19 to 3.0.1

2012-10-30 Thread thinkwell
Hello everyone. I'm asking this question with reluctance; but I've been 
working on this upgrade for most of the day. I had a working Kubuntu 12.04 
puppet master 2.7.19 with most clients at 2.7.19 as well. I'm trying to 
upgrade the puppetmaster to 3.0.1 for the speed improvements. Upgrading via 
apt generated unwelcome errors that I need not go into here. Let's just say 
that I uninstalled all ruby versions & ruby gems and started from scratch.

So now I have puppet 3.0.1 installed from the puppetlabs debian repo and I 
thought I'd fought my way through the thicket, but I've hit a wall with 
this error When running puppet agent on the clients. I get the following 
error:

Ruby (Rack) application could not be started


Error message: undefined method `settings' for Puppet:Module
Exception class: NoMethodError
Application root: /etc/puppet/rack/puppetmaster
Backtrace:
  #  File                                                      Line  Location
  0  /usr/lib/ruby/vendor_ruby/puppet/application.rb           273   in `run_mode'
  1  /usr/lib/ruby/vendor_ruby/puppet/application/master.rb    5
  2  /usr/lib/ruby/vendor_ruby/1.8/rubygems/custom_require.rb  36    in `gem_original_require'
  3  /usr/lib/ruby/vendor_ruby/1.8/rubygems/custom_require.rb  36    in `require'
  4  config.ru                                                 13
  5  /var/lib/gems/1.8/gems/rack-1.1.0/lib/rack/builder.rb     46    in `instance_eval'
  6  /var/lib/gems/1.8/gems/rack-1.1.0/lib/rack/builder.rb     46    in `initialize'
  7  config.ru                                                 1     in `new'
  8  config.ru

My puppetmaster site and conf files are attached. I'd be under many 
obligations for some help.

TIA,

Dave



# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off

Listen 8140

<VirtualHost *:8140>
    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

    #SSLCertificateFile      /var/lib/puppet/ssl/certs/bearkub.thinkwell.lan.pem
    SSLCertificateFile      /var/lib/puppet/ssl/certs/puppet.thesecurityappliance.com.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/bearkub.thinkwell.lan.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/certs/ca.pem
    # If Apache complains about invalid signatures on the CRL, you can try disabling
    # CRL checking by commenting the next line, but this is not recommended.
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth  1
    # The `ExportCertData` option is needed for agent certificate expiration warnings
    SSLOptions +StdEnvVars +ExportCertData

    # This header needs to be set if using a loadbalancer or proxy
    RequestHeader unset X-Forwarded-For

    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
    RackBaseURI /
    <Directory /usr/share/puppet/rack/puppetmasterd/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>


LoadModule passenger_module /var/lib/gems/1.8/gems/passenger-2.2.11/ext/apache2/mod_passenger.so
PassengerRoot /var/lib/gems/1.8/gems/passenger-2.2.11
PassengerRuby /usr/bin/ruby1.8

# Recommended Passenger Configuration
PassengerHighPerformance on
PassengerUseGlobalQueue on
# PassengerMaxPoolSize control number of application instances,
# typically 1.5x the number of processor cores.
PassengerMaxPoolSize 10
# Restart ruby process after handling specific number of request to resolve MRI memory leak.
PassengerMaxRequests 4000
# Shutdown idle Passenger instances after 30 min.
PassengerPoolIdleTime 1800
# End of /etc/httpd/conf.d/10_passenger.conf

# /etc/httpd/conf.d/20_puppetmaster.conf
# Apache handles the SSL encryption and decryption. It replaces webrick and listens by default on 8140
Listen 8140
<VirtualHost *:8140>

SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
# Puppet master should generate initial CA certificate.
# ensure certs are located in /var/lib/puppet/ssl
# Change puppet.example.com to the fully qualified domain name of the Puppet master, i.e. $(facter 

Re: [Puppet Users] Upgrading puppet 2.7.19 to 3.0.1

2012-10-30 Thread Andreas Ntaflos
On 2012-10-31 03:01, thinkwell wrote:
> So now I have puppet 3.0.1 installed from the puppetlabs debian repo and
> I thought I'd fought my way through the thicket, but I've hit a wall
> with this error when running puppet agent on the clients. I get the
> following error:
>
>   Ruby (Rack) application could not be started
 

Just an idea, are you using the config.ru file updated for 3.0, provided
by the puppet-common package? Should be in
/usr/share/puppet/ext/rack/files/config.ru or
/usr/share/puppet/rack/puppetmasterd/config.ru.

Andreas





[Puppet Users] Re: Upgrading from PuppetMaster 2.7 to 3.0 breaks the Console dashboard and foreman

2012-10-30 Thread Luke Vidler

Hello, 

For Foreman please see here, cannot verify any of the suggested fixes as 
for me it was easier to roll back to Puppet 2.7.

http://theforeman.org/issues/1872#change-5687

Cheers Luke.


On Saturday, October 27, 2012 6:15:44 AM UTC+11, MasterPO wrote:

> I am running RHEL 6 64bit using the puppetlabs yum repositories.
> I have it configured to run the Puppet Console against port 3000 and The
> Foreman against port 3030 using passenger.
>
> When I installed the upgrade to puppetmaster 3.0, both the Puppet Console
> stopped working and rails/passenger broke for The Foreman.
> Has anyone else seen this and if so, how have you fixed it?





Re: [Puppet Users] Starting master fails

2012-10-30 Thread Greg
Have found the same issue and it looks like you need to have a version of 
OpenSSL that supports the encryption installed. Note: This only appears to 
be in the 3.x stream - must be a change in there to strengthen the 
certificates or something. 2.x seems OK as far as I can tell... 

The one Oracle/Sun provides in /usr/sfw doesn't support SHA256 by the looks 
of it (it's OpenSSL 0.9.7d with security patches).

Run ldd against the OpenSSL library in Ruby to confirm which library you 
are using: 

bash-3.2# ldd ./lib/ruby/1.8/i386-solaris2.10/openssl.so | grep ssl
libssl.so.0.9.7 =>   /usr/sfw/lib/64/libssl.so.0.9.7   <-- /usr/sfw/lib is core Solaris GNU packages - really old...
libssl_extra.so.0.9.7 => /usr/sfw/lib/amd64/libssl_extra.so.0.9.7

(NOTE: You will need to find your openssl.so object - in my case it's from a 
self-compiled copy of ruby...)

bash-3.2# uname -a
SunOS test1 5.10 Generic_147441-25 i86pc i386 i86pc
bash-3.2# /usr/sfw/bin/openssl version
OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969 
CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 
CVE-2006-7250 CVE-2007-5135 CVE-2007-3108 CVE-2008-5077 CVE-2008-7270 
CVE-2009-0590 CVE-2009-2409 CVE-2009-3555 CVE-2010-4180 CVE-2011-4576 
CVE-2011-4619 CVE-2012-0884 CVE-2012-1165 CVE-2012-2110 CVE-2012-2131 
CVE-2012-2333)

Basically, looks like you need to get packages for (or compile) a more 
recent version of OpenSSL then link ruby against it. A very brief glance at 
 http://www.openssl.org/news/changelog.html suggests that you need version 
1.0.1 or later.

Checking Solaris 11:

bash# openssl version
OpenSSL 1.0.0j 10 May 2012
bash# uname -a
SunOS test2 5.11 11.0 i86pc i386 i86pc

This version also seems to support sha256, so looks like it may be 
available in some current 1.0.0 streams as well... 

Hope that helps...

Greg

On Saturday, 22 September 2012 07:39:50 UTC+10, Jakov Sosic wrote:

> On 09/21/2012 01:35 PM, Peter Spatz wrote:
> > Hello,
> >
> > first, i'm new to puppet. I'm searching for a configuration management
> > tool and puppet was in focus.
> > I'm using Solaris Zone
> > SunOS: 5.10 Generic_147440-15 sun4v sparc sun4v
> > Ruby: ruby 1.8.5 (2006-12-04 patchlevel 2) [sparc-solaris2.10]
> > puppet: v3.0.0-rc6
> >
> > /lib:/usr/lib:/opt/coolstack/mysql_32bit/bin/:/opt/coolstack/mysql_32bit/lib/:/usr/local/lib:/opt/sfw/lib/ruby/:/usr/local/ss/lib/
> >
> > Starting puppet master, syslog prints:
> >
> > Sep 21 13:24:55 sis102f0 puppet-master[9649]: [ID 702911 daemon.debug]
> > Finishing transaction 6891204
> > Sep 21 13:24:55 sis102f0 puppet-master[9649]: [ID 702911 daemon.info]
> > Creating a new SSL certificate request for ca
> > Sep 21 13:24:55 sis102f0 puppet-master[9649]: [ID 702911 daemon.error]
> > Could not prepare for execution: uninitialized constant
> > OpenSSL::Digest::SHA256
> >
> > What's missing?
>
> First, what does the:
> $ which ruby
>
> says?
>
> Then try this:
> $ ruby -ropenssl -e 'p OpenSSL::Digest::Digest.new("sha256")'
>
> and this:
> $ ruby -e "puts require('openssl')"
>
> And then report back with output.
>
> Also, that being Solaris, check whether you have more than one ruby
> installations on system and if you are using the right one...
>
> --
> Jakov Sosic
> www.srce.unizg.hr
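
Added example, not part of any message in this thread: a Ruby probe for the failure discussed above. It reports which OpenSSL the running Ruby was built against and has loaded, and whether `OpenSSL::Digest::SHA256` is both defined as a constant and usable. The function names are hypothetical, chosen for this example.

```ruby
require 'openssl'

# Added example; helper names below are made up for illustration.
# Digest names to probe; SHA256 is the one the thread's error is about.
DIGESTS = %w[MD5 SHA1 SHA256 SHA512].freeze

# Split a banner such as "OpenSSL 0.9.7d 17 Mar 2004" into [0, 9, 7, "d"].
# Returns nil for banners that do not follow that pattern.
def parse_openssl_version(banner)
  m = /\AOpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)/.match(banner.to_s)
  m && [m[1].to_i, m[2].to_i, m[3].to_i, m[4]]
end

# For each name, report whether Ruby defined the constant (the lookup that
# fails in the thread) and whether the loaded library can actually hash with it.
def digest_support(names = DIGESTS)
  names.each_with_object({}) do |name, out|
    usable = begin
      !OpenSSL::Digest.new(name).hexdigest('probe').empty?
    rescue StandardError
      false
    end
    out[name] = { constant: OpenSSL::Digest.const_defined?(name, false),
                  usable: usable }
  end
end

# Collect everything needed to tell which OpenSSL this Ruby is really using.
def openssl_report
  built = OpenSSL::OPENSSL_VERSION
  loaded = if OpenSSL.const_defined?(:OPENSSL_LIBRARY_VERSION)
             OpenSSL::OPENSSL_LIBRARY_VERSION
           else
             built # older Ruby: only the compile-time banner is exposed
           end
  { ruby: RUBY_VERSION, built_against: built, loaded: loaded,
    loaded_version: parse_openssl_version(loaded), digests: digest_support }
end

if __FILE__ == $PROGRAM_NAME
  report = openssl_report
  puts "ruby #{report[:ruby]}"
  puts "built against: #{report[:built_against]}"
  puts "loaded:        #{report[:loaded]}"
  report[:digests].each do |name, s|
    puts format('%-7s constant=%-5s usable=%s', name, s[:constant], s[:usable])
  end
end
```

Run it with the same `ruby` binary that starts the puppet master, since a second Ruby on the host may be linked against a different OpenSSL.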

