[Puppet Users] Issue in running puppet-dashboard with apache web server
Hi guys,

I am running puppet-dashboard with the apache web server, but when I use the following command in one of my model files:

    `puppet parser validate #{module}`

I am not getting any error if the module has a syntax error. But it gives an error when it is running with the webrick web server, not with apache. Can you please tell me why this is happening?

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
[Puppet Users] Why IF-ELSE not work?
I am trying to include different .pp files for my systems. site.pp looks like:

    if $operatingsystem == 'debian' {
      import '../my/os/linux/debian.pp'
    } elsif $operatingsystem == 'windows' {
      import '../my/os/windows/windows.pp'
    } else {
      import '../my/os/default/default.pp'
    }

and I tried CASE:

    case $operatingsystem {
      redhat:  { import '../my/os/linux/redhat.pp' }
      centos:  { import '../my/os/linux/centos.pp' }
      windows: { import '../my/os/windows/windows.pp' }
      default: { import '../my/os/default/default.pp' }
    }

Why didn't it work? If I run puppet-agent, it reads all the pp files and crashes on Windows parameters on Linux or on Linux parameters on Windows. What am I doing incorrectly?
[Puppet Users] Re: How to call one manifest from another
import 'some.pp'

On Wednesday, February 13, 2013, 13:03:15 UTC+4, user yarlagadda ramya wrote:
>
> Hi all,
>
> I have 3 different manifests. How can I call one manifest from another
> manifest?
>
> Please do help me with this.
>
Re: [Puppet Users] facter-dot-d: not reading /etc/facts.d on agent
Hello Emily,

I am reasonably sure you put your yaml files in /etc/facter/facts.d

On 14 February 2013 06:19, Emily Marx wrote:

> Hello,
>
> I am a new puppet user and I am trying to have my agent use facts defined
> in /etc/facts.d. I followed the instructions in the facter-dot-d readme and
> did the following:
> 1. Included stdlib in the node
> 2. agent -t --pluginsync (confirmed that facter-dot-d was run)
> 3. created a test.txt file with values (test=123) in /etc/facts.d
> 4. ran facter --puppet
>
> My fact was not displayed. When I did something similar on the master (put
> file in /etc/puppetlabs/facter/facts.d) it worked fine. Does anyone know
> how I can create and set these facts on the agent?
>
> Thanks,
>
> Emily
>
[Puppet Users] Trying to install a specific version of Java on Redhat
I have a class that looks like this:

    class java {
      package { "java-1.6.0-sun.x86_64":
        ensure => '1.6.0.39-1jpp.4.el5_9',
      }
    }

...but it gives me this error:

    err: /Stage[main]/Java/Package[java-1.6.0-sun.x86_64]/ensure: change from 1.6.0.33-1jpp.1.el5_8 to 1.6.0.39-1jpp.4.el5_9 failed: Could not update: Failed to update to version 1.6.0.39-1jpp.4.el5_9, got version 1.6.0.33-1jpp.1.el5_8 instead at /etc/puppet/modules/java/manifests/init.pp:5

However, if I change the class to just use ensure => 'latest', it will do this:

    notice: /Stage[main]/Java/Package[java-1.6.0-sun.x86_64]/ensure: ensure changed '1.6.0.33-1jpp.1.el5_8' to '1:1.6.0.39-1jpp.4.el5_9'

So I know it's possible for the upgrade to work, but I don't want puppet arbitrarily installing whatever the latest is, I want to ensure it's that version. Any ideas?
[Puppet Users] facter-dot-d: not reading /etc/facts.d on agent
Hello,

I am a new puppet user and I am trying to have my agent use facts defined in /etc/facts.d. I followed the instructions in the facter-dot-d readme and did the following:

1. Included stdlib in the node
2. agent -t --pluginsync (confirmed that facter-dot-d was run)
3. created a test.txt file with values (test=123) in /etc/facts.d
4. ran facter --puppet

My fact was not displayed. When I did something similar on the master (put file in /etc/puppetlabs/facter/facts.d) it worked fine. Does anyone know how I can create and set these facts on the agent?

Thanks,

Emily
Re: [Puppet Users] how to check whether a linux process is running?
On 13 February 2013 19:41, Matthias Viehweger wrote:

> Hi Oliver!
>
> On Tue, Feb 12, 2013 at 07:53:55PM -0800, oliver zhang wrote:
> > How do I do this in puppet:
> >
> > if process A is running, do nothing.
> >
> > else mount share and install package A
> >
> > I couldn't find any reference about this.
>
> I would first ensure that the process is running (assuming that it's a
> service). The service would require the package which would require the
> share to be mounted.
>

+1 I was just about to recommend doing it in a similar way. It's not too tricky to make a service in linux if your application isn't already one. A rough outline would be:

>
> service { 'A':
>   ensure  => running,
>   require => Package['A'];
> }
>
> package { 'A':
>   ensure  => installed,
>   require => Exec['mount share'];
> }
>
> exec { 'mount share':
>   command => '...',
>   onlyif  => '...';  # command that succeeds only when the share is not mounted
> }
>
> I may be wrong, of course, but this would be my first try to resolve
> this.
>

Nope not wrong at all. I would probably recommend putting them in separate subclasses and then using class chaining or require => Class[blah::service] etc to make it easier to add new packages or services later but the theory is the same.

> Cheers,
> Matthias
> --
> Server administration and software development
>
> https://www.heute-kaufen.de
> Prinzessinnenstraße 20 - 10969 Berlin
>
[Puppet Users] Puppet Enterprise hotfixes for CVE-2013-0277, CVE-2013-0263, CVE-2013-0269, and CVE-2013-0169.
Security vulnerabilities have been disclosed in Ruby on Rails, Rack, the JSON rubygem, and certain cryptographic protocols used in OpenSSL, assigned CVEs CVE-2013-0277, CVE-2013-0263, CVE-2013-0269 and CVE-2013-0169, respectively. These vulnerabilities affect Puppet Enterprise.

CVE-2013-0277 affects the 2.3 and 3.0 series of Rails. The vulnerability allows an attacker to cause deserialization of arbitrary YAML. CVE details on the vulnerability can be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0277.

CVE-2013-0263 affects session cookie handling in Rack. The vulnerability exposes Rack to privilege escalation and arbitrary code execution. CVE details can be found at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0263.

CVE-2013-0269 affects all versions of the JSON gem. This vulnerability exposes Ruby on Rails to SQL injection and denial of service attacks. CVE details on the vulnerability can be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0269.

CVE-2013-0169 affects the TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in various cryptographic libraries and products, including OpenSSL, OpenJDK, PolarSSL. This vulnerability allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks. This CVE affects Puppet Enterprise Solaris and Windows agents only, as the agent packages for these platforms ship with a built-in version of OpenSSL that is vulnerable. CVE details on the vulnerability can be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169.

Puppet Labs has generated security hotfixes patching the vulnerability for the latest in the 1.x series and 2.x series of Puppet Enterprise. These can be downloaded from the Puppet Labs security pages for these events:

http://puppetlabs.com/security/cve/cve-2013-0277
http://puppetlabs.com/security/cve/cve-2013-0263
http://puppetlabs.com/security/cve/cve-2013-0269
http://puppetlabs.com/security/cve/cve-2013-0169

Note: in the case of the pe-puppet-dashboard package, the updated package contains security fixes for CVEs CVE-2013-0277, CVE-2013-0263, and CVE-2013-0269. For consistency the package appears in all three CVE folders, but only one installation of pe-puppet-dashboard is necessary.

These security fixes will also be included in forthcoming patch releases of Puppet Enterprise, versions 1.2.7 and 2.7.2.

If you have any questions or comments, please get in touch with Puppet Labs Support. We always want your feedback!

Regards,
Moses Mendoza
Puppet Labs
[Puppet Users] Puppet 2.7.20 and 3.1.0 Windows packages updated for CVE-2013-0169
We have rebuilt Windows packages for Puppet 2.7.20 and 3.1.0 in response to CVE-2013-0169 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169). The packages include ruby 1.8.7-p371 compiled against openssl 1.0.0k. They are available at http://downloads.puppetlabs.com/windows

Here's a brief description of the ssl vulnerability:

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

Downloads

Puppet 2.7.20: https://downloads.puppetlabs.com/windows/puppet-2.7.20-2013-02-13-1.msi
Puppet 3.1.0: https://downloads.puppetlabs.com/windows/puppet-3.1.0-2013-02-13-1.msi
Re: [Puppet Users] roles, profiles, and hiera
Will this help?

http://docs.puppetlabs.com/puppet/3/reference/lang_variables.html#parser-set-variables

--
Brian Lalor
bla...@bravo5.org

On Feb 13, 2013, at 6:17 PM, Chad Huneycutt wrote:

> I have been following the various blog posts about the roles and
> profiles pattern for classifying hosts, and I like it. It doesn't
> provide a perfect fit for our infrastructure, but it is much better
> than the ad-hoc classification we do now. I have a couple of
> questions for those that use it, though:
>
> 1. Where are you putting your role classes and profile classes? A
> role module and a profile module makes sense to me, but it seems like
> something more tightly integrated with the Puppet DSL might be nice?
>
> 2. Assuming you have roles and profiles in modules, at what point do
> you specify the parameters to your modules? I am particularly
> interested in the answer to this question with regards to hiera. I
> find that I want to add roles and profiles to the hiera hierarchy, and
> I cannot come up with a way to do it.
>
> I think if hiera supported lookup by the class containing the hiera
> call, I could achieve what I want. For instance:
>
> class profiles::oneofmyprofiles {
>   include myparameterizedclass
> }
>
> I would like to have a hiera.yaml like so:
>
> ---
> :backends:
>   - yaml
> :hierarchy:
>   - nodes/%{::hostname}
>   - profiles/%{class_name}
>   - common
> :yaml:
>   :datadir: /etc/puppet/environments/%{environment}/data
>
>
> Am I just completely off-base?
>
> --
> Chad M. Huneycutt
>
[Puppet Users] roles, profiles, and hiera
I have been following the various blog posts about the roles and profiles pattern for classifying hosts, and I like it. It doesn't provide a perfect fit for our infrastructure, but it is much better than the ad-hoc classification we do now. I have a couple of questions for those that use it, though:

1. Where are you putting your role classes and profile classes? A role module and a profile module makes sense to me, but it seems like something more tightly integrated with the Puppet DSL might be nice?

2. Assuming you have roles and profiles in modules, at what point do you specify the parameters to your modules? I am particularly interested in the answer to this question with regards to hiera. I find that I want to add roles and profiles to the hiera hierarchy, and I cannot come up with a way to do it.

I think if hiera supported lookup by the class containing the hiera call, I could achieve what I want. For instance:

    class profiles::oneofmyprofiles {
      include myparameterizedclass
    }

I would like to have a hiera.yaml like so:

    ---
    :backends:
      - yaml
    :hierarchy:
      - nodes/%{::hostname}
      - profiles/%{class_name}
      - common
    :yaml:
      :datadir: /etc/puppet/environments/%{environment}/data

Am I just completely off-base?

--
Chad M. Huneycutt
Re: [Puppet Users] SSL config in puppet.conf in v3.0x
[master] has been used for a while now. At least 2.6 up.

On Feb 13, 2013, at 12:52 PM, vioilly wrote:

> Hi,
>
> Does this still apply in puppet 3.0.2 in the puppet.conf file on the puppet
> master?
>
> [puppetmasterd]
>
> ssl_client_header = SSL_CLIENT_S_DN
>
> ssl_client_verify_header = SSL_CLIENT_VERIFY
>
>
>
> If yes, is puppetmasterd correct or should it be something else, like [main]
> or [master]?
>
> Cheers,
> Oli
>

--
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.
Re: [Puppet Users] Re: Coordinated application deployments
There may be, but when we want to upgrade an application and minimize downtime, a well-defined window of a checkin period is not sufficient. For example, given 10 machines, we need to upgrade 5, validate them, then upgrade the remaining 5. The 5 being upgraded will get pulled out of the load balancer during the puppet run. If the upgrade is deemed a failure, the old version must be reinstated on those 5 machines.

This is all possible with puppet, and it feels like the master/agent relationship is an impediment.

--
Brian Lalor
bla...@bravo5.org

On Feb 13, 2013, at 4:09 PM, jcbollinger wrote:

> I urge you to consider whether and to what extent you really need to control
> when updated configuration is applied. Generally speaking, there are a lot
> of circumstances in which it is quite sufficient to have a predictable window
> in which you can rely on updates being applied, at least in terms of
> functionality and level of service.
[Puppet Users] Re: Coordinated application deployments
On Tuesday, February 12, 2013 8:37:56 PM UTC-6, blalor wrote:
>
> I'd like to use Puppet for the "last-mile" deployment of our applications,
> starting from a bare VM and ending up with a server that is running a
> specific version of an application. We're using a Puppet master already,
> which I kind of feel is something of a problem: if I were just running
> "puppet apply" in standalone mode, I could be confident that a successful
> run resulted in the server being configured correctly. When using a puppet
> master, changes could be applied anytime between now and the next agent
> check-in.

Well, no. If you run the puppet agent then your machine will be configured as directed by the master each time it checks in, and not any time in between. Moreover, it will check in immediately when you first start it.

In fact, this really has little to do with running the agent as a daemon. Daemon mode just puts the responsibility on the agent to check in periodically, but each individual run is the same no matter how the agent is run.

> I don't like nondeterminism. :-)
>

It's completely deterministic. With sufficient information you can predict precisely when each node will sync with the master, and therefore when any updated configuration the master may have for it will be applied. Moreover, if agent runs are automated on a schedule, then Puppet can ensure that your nodes' configurations get repaired if ever they are broken.

>
> I don't want to reinvent the wheel. How are other people solving this
> problem? In general, how do you roll out changes to managed systems in a
> controlled, deterministic fashion? Are there simpler solutions than
> MCollective?
>
>

If by "deterministic" you mean "immediate" or "synchronized" for all clients, then your best bet is to push out the needed manifests and data to the nodes and trigger a "puppet apply" via whatever cluster control tool you favor. MCollective would be one option for such a tool. This is all more work to set up and monitor than a solution revolving around a puppetmaster.

I urge you to consider whether and to what extent you really need to control when updated configuration is applied. Generally speaking, there are a lot of circumstances in which it is quite sufficient to have a predictable window in which you can rely on updates being applied, at least in terms of functionality and level of service.

John
[Puppet Users] SSL config in puppet.conf in v3.0x
Hi,

Does this still apply in puppet 3.0.2 in the puppet.conf file on the puppet master?

    [puppetmasterd]
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY

If yes, is puppetmasterd correct or should it be something else, like [main] or [master]?

Cheers,
Oli
Re: [Puppet Users] puppetlabs nginx module
On Wed, Feb 13, 2013 at 11:47 AM, Ellison Marks wrote:
> Just checking if anyone's made an attempt to update the puppetlabs nginx
> module, or could point me to one they like. Last version in forge was
> uploaded in June of 2011, and while the github version is more recent (two
> months ago), it doesn't seem quite together, given that the comments are
> disagreeing with the code at times.

We don't have an active maintainer for this module and I've been considering taking it down. Do you know of anyone that would like to take up stewardship? Send me an email off-list if you do.

--
Ryan Coleman | Modules & Forge | @ryanycoleman | ryancoleman in #puppet
[Puppet Users] Announce: Puppet Dashboard 1.2.22 Available [ security release ]
This release of Puppet Dashboard addresses CVE-2013-0277 and CVE-2013-0269. These are vulnerabilities that affect Ruby on Rails, specifically around YAML serialization and JSON handling. They expose vulnerable systems to SQL Injection, Denial of Service Attacks, and arbitrary YAML deserialization.

Additionally, CVE-2013-0276 and CVE-2013-0263 affect vendored components of Puppet Dashboard, but by default Puppet Dashboard does not interact with them in a way that exposes it to these vulnerabilities. Nevertheless, this release of Puppet Dashboard addresses these CVEs as well.

Detailed information on the CVEs can be found at these URLs:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0269
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0277
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0276
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0263

Downloads

RPM packages are available at https://yum.puppetlabs.com/el or /fedora

Debian packages are available at https://apt.puppetlabs.com

Source can be downloaded from https://puppetlabs.com/downloads/dashboard/puppet-dashboard-1.2.22.tar.gz, along with the accompanying signature file, https://puppetlabs.com/downloads/dashboard/puppet-dashboard-1.2.22.tar.gz.asc.

See the Verifying Puppet Download section at: http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet

Changelog

Nick Lewis (4):
    efab99d Upgrade to Rails 2.3.17
    d2ae98f Upgrade to rack 1.1.6
    90f2ca6 Upgrade json_pure to 1.5.5
    2128ed8 Fix failing test due to new HTML-escaping rules
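
A version check built from the changelog above, as an added example that is not part of the original announcement or of Puppet Dashboard: it reads a `gem list`-style inventory and reports components older than the releases 1.2.22 upgraded to. The sample inventory is constructed, and the gem names and the inventory format are assumptions; a version from a different major.minor series is reported separately, because the changelog says nothing about other series.

```ruby
require 'rubygems'

# Component releases that Puppet Dashboard 1.2.22 upgraded to
# (taken from the changelog in the announcement; gem names are assumed).
PATCHED = {
  'rails'     => Gem::Version.new('2.3.17'),
  'rack'      => Gem::Version.new('1.1.6'),
  'json_pure' => Gem::Version.new('1.5.5')
}.freeze

# Constructed sample in `gem list` format; not output from a real host.
SAMPLE_INVENTORY = <<~TEXT
  json_pure (1.5.5, 1.5.1)
  rack (1.1.2)
  rails (2.3.17)
  rake (0.8.7)
TEXT

# Parse "name (v1, v2)" lines into { name => [Gem::Version, ...] }.
# Lines or version strings that do not parse are skipped.
def parse_inventory(text)
  inventory = Hash.new { |h, k| h[k] = [] }
  text.each_line do |line|
    m = line.strip.match(/\A([A-Za-z0-9_.-]+) \(([^)]*)\)\z/)
    next unless m

    m[2].split(',').map(&:strip).each do |v|
      v = v.sub(/\Adefault: /, '')
      inventory[m[1]] << Gem::Version.new(v) if Gem::Version.correct?(v)
    end
  end
  inventory
end

# The major.minor series of a version, e.g. 1.1.6 -> [1, 1].
def series(version)
  version.segments.first(2)
end

# Compare only within the series the changelog names. A release from another
# series (say rack 1.4.x) is numerically larger but is not covered by this
# changelog, so it is flagged for a separate look instead of being passed.
def classify(installed, patched)
  return :other_series unless series(installed) == series(patched)

  installed >= patched ? :patched : :outdated
end

# One finding per installed version of each tracked component.
def audit(text)
  inventory = parse_inventory(text)
  PATCHED.flat_map do |name, patched|
    versions = inventory.fetch(name, [])
    next [{ name: name, installed: nil, status: :not_found }] if versions.empty?

    versions.map do |v|
      { name: name, installed: v.to_s, status: classify(v, patched) }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_INVENTORY).each do |f|
    puts format('%-10s %-8s %s', f[:name], f[:installed] || '-', f[:status])
  end
end
```

Every installed version is reported, not only the newest, since an older copy left on disk can still be the one that gets loaded.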
[Puppet Users] puppetlabs nginx module
Just checking if anyone's made an attempt to update the puppetlabs nginx module, or could point me to one they like. Last version in forge was uploaded in June of 2011, and while the github version is more recent (two months ago), it doesn't seem quite together, given that the comments are disagreeing with the code at times.
Re: [Puppet Users] Re: All Hosts Shown as Unresponsive. Worker Restart Fails. Clients Seem Happy?
I think there might be a bug buried here. I hit this before a demo this morning - the problem was that the pid files at /opt/puppet/share/puppet-dashboard/tmp/pids/delayed_job.{0,1}.pid were present but there was no PID in them (and the background workers weren't running). Removing the pidfiles allowed the service to start, but we need to discover why these files are being created empty. My master was on Ubuntu 12.04 and PE 2.7.0

On Thu, Feb 7, 2013 at 10:44 AM, Mike Beauchamp wrote:

> I was able to fix this by going into the
> /etc/init.d/pe-puppet-dashboard-workers and editing the CPU line in the
> start section.
>
> Previously it had {CPU:-2}, and I changed that to 4. Instantly cleared
> the queue, and nodes showed up.
>
>
> On Tuesday, December 11, 2012 6:55:56 PM UTC-7, Dave Mankoff wrote:
>>
>> [On my dev server] For the past 3 days, my puppet master has shown all of
>> the hosts as unresponsive. However, when I log into one of the hosts and
>> run "puppet agent --test" everything seems to run without complaint.
>> Meanwhile the master shows an ever increasing number of pending tasks.
>>
>> When I try to restart the dashboard workers, I get the following:
>>
>> # /etc/init.d/pe-puppet-dashboard-workers restart
>> * Restarting PE Puppet Dashboard Workers
>> ERROR: there is already one or more instance(s) of the program running
>> ERROR: there is already one or more instance(s) of the program running
>> * PE Puppet Dashboard Worker (pid ) is not running
>>
>> [fail]
>>
>> Rebooting the computer does not seem to help. For that matter, I think
>> this problem started after a recent system update and reboot. It is running
>> Ubuntu 12.04. I can not seem to find anything meaningful in the logs,
>> though perhaps I am looking in the wrong places. Any advice? Things worked
>> fine just a few days ago, and I have not touched Puppet.
>>
>

--
Gary Larizza
Professional Services Engineer
[Puppet Users] Re: PuppetDB & KahaDB db.data leak
On Wednesday, February 13, 2013 12:00:40 PM UTC-6, Ken Barber wrote:
>
> Hi all,
>
> I've been looking at a potential problem, as documented here:
>
> http://projects.puppetlabs.com/issues/19241
>
> To do with a leak within the KahaDB persistence layer of ActiveMQ.
> Specifically, there are reports of the db.data file growing unbounded:
>
> https://issues.apache.org/jira/browse/AMQ-3956
>
> I'm hoping to find out information from other PuppetDB users to see if
> this is happening in the wild. What I'm hoping is that users can
> provide me with information around the size of the files in
> /var/lib/puppetdb/localhost/KahaDB. For example, here is the size on
> my test machine:
>
> root@puppetdb1:/var/lib/puppetdb/mq/localhost/KahaDB# pwd
> /var/lib/puppetdb/mq/localhost/KahaDB
> root@puppetdb1:/var/lib/puppetdb/mq/localhost/KahaDB# du -sk *
> 5552 db-1.log
> 32 db.data
> 32 db.redo
> 0 lock
> root@puppetdb1:/var/lib/puppetdb/mq/localhost/KahaDB#
>
> And an indication of how long it's been running:
>
> $ ps auxw | grep java
> puppetdb 52606 0.3 3.6 1536236 216136 ? Sl 13:34 0:55
> /usr/bin/java -XX:OnOutOfMemoryError=kill -9 %p -Xmx1g
> -XX:+HeapDumpOnOutOfMemoryError
> -XX:HeapDumpPath=/var/log/puppetdb/puppetdb-oom.hprof -jar
> /usr/share/puppetdb/puppetdb.jar services -c /etc/puppetdb/conf.d
>
> And the version of PuppetDB:
>
> # dpkg -l puppetdb
> ...
> ii puppetdb 1.1.1-1puppetlab all PuppetDB
> Centralized Storage.
>
> (rpm -qi puppetdb on Redhat based machines).
>
> I've so far had 1 suspected case of this (the directory was reported
> at 17 GB), but no data to back it up - if you use PuppetDB and have
> the time and inclination, I'd appreciate some outputs from your
> PuppetDB hosts like the ones shown above (scrubbing private
> information of course) - even if it looks fine - as it will help us
> decide on the priority of this bug.
>
> Thanks in advance!
>
>

    /var/lib/puppetdb/mq/localhost/KahaDB$ du -sk *
    7800 db-1366.log
    32 db.data
    32 db.redo
    0 lock

    $ ps auxw | grep java
    puppetdb 10913 1.5 9.1 1639876 370180 ? Sl Jan16 622:58 /usr/bin/java -XX:OnOutOfMemoryError=kill -9 %p -Xmx192m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/puppetdb/puppetdb-oom.hprof -jar /usr/share/puppetdb/puppetdb.jar services -c /etc/puppetdb/conf.d

    $ dpkg -l puppetdb
    ii puppetdb 1.0.1-1puppetlabs1 PuppetDB Centralized Storage.

> ken.
>
[Puppet Users] PuppetDB & KahaDB db.data leak
Hi all,

I've been looking at a potential problem, as documented here:

http://projects.puppetlabs.com/issues/19241

To do with a leak within the KahaDB persistence layer of ActiveMQ. Specifically, there are reports of the db.data file growing unbounded:

https://issues.apache.org/jira/browse/AMQ-3956

I'm hoping to find out information from other PuppetDB users to see if this is happening in the wild. What I'm hoping is that users can provide me with information around the size of the files in /var/lib/puppetdb/localhost/KahaDB. For example, here is the size on my test machine:

root@puppetdb1:/var/lib/puppetdb/mq/localhost/KahaDB# pwd
/var/lib/puppetdb/mq/localhost/KahaDB
root@puppetdb1:/var/lib/puppetdb/mq/localhost/KahaDB# du -sk *
5552 db-1.log
32 db.data
32 db.redo
0 lock
root@puppetdb1:/var/lib/puppetdb/mq/localhost/KahaDB#

And an indication of how long it's been running:

$ ps auxw | grep java
puppetdb 52606 0.3 3.6 1536236 216136 ? Sl 13:34 0:55 /usr/bin/java -XX:OnOutOfMemoryError=kill -9 %p -Xmx1g -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/puppetdb/puppetdb-oom.hprof -jar /usr/share/puppetdb/puppetdb.jar services -c /etc/puppetdb/conf.d

And the version of PuppetDB:

# dpkg -l puppetdb
...
ii puppetdb 1.1.1-1puppetlab all PuppetDB Centralized Storage.

(rpm -qi puppetdb on Redhat based machines).

I've so far had 1 suspected case of this (the directory was reported at 17 GB), but no data to back it up - if you use PuppetDB and have the time and inclination, I'd appreciate some outputs from your PuppetDB hosts like the ones shown above (scrubbing private information of course) - even if it looks fine - as it will help us decide on the priority of this bug.

Thanks in advance!

ken.
[Puppet Users] Re: PuppetDB API permissions
Hi Nick,

My biggest concern is that nodes can access other nodes' resources stored in PuppetDB, which effectively means that parameters like passwords and other sensitive information are exposed.

I also wonder if PuppetDB has any sense of environments? What I mean is, does it separate data in environments, so for example, NODE1 being in development environment can access NODE2's resources which is in production environment?

Thanks,
Vaidas

On Friday, 26 October 2012 19:56:26 UTC+1, Nick Lewis wrote:
>
> On Friday, October 26, 2012 7:24:18 AM UTC-7, ak0ska wrote:
>
>> Hello,
>>
>> Is it possible to control from which nodes is it allowed to execute
>> commands like "replace catalog" and "replace facts", and which nodes can
>> only do queries (but no changes)? It seems like once someone could access
>> the service through http or https (depending on jetty.ini settings) can do
>> both.
>
> Unfortunately, this isn't currently possible, though it's certainly
> something we'd like to provide in the future. Currently the only
> restriction that can be made is a whitelist of certnames which are allowed
> to talk to the API, for both read and write alike.
>
> Until this is supported by PuppetDB itself, you could use a proxy to allow
> only certain routes.
>
> If we were to add this feature, would it be sufficient to just have "no
> access", "read access", and "read/write access" as categories, or would you
> need something more granular than that (for instance, can query metrics but
> not facts)?
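The proxy workaround suggested in the message above, sketched as the allow/deny decision such a proxy would make for the three tiers discussed ("no access", "read access", "read/write access"). This is an added example, not PuppetDB code or anything posted in the thread; the route prefixes, certnames and the POLICY table are assumptions to be replaced with the values for the PuppetDB version and hosts in use.

```ruby
# ASSUMPTION: illustrative route prefixes; confirm them against the API
# documentation of the PuppetDB version actually deployed.
READ_ROUTES  = %w[/v2/facts /v2/resources /v2/nodes /v2/metrics].freeze
WRITE_ROUTES = %w[/v2/commands].freeze

# Hypothetical policy: certname (taken from the client certificate the proxy
# verified) => tier. Any certname not listed gets no access.
POLICY = {
  'puppetmaster.example.com' => :read_write,
  'dashboard.example.com'    => :read
}.freeze

RANK = { read: 1, read_write: 2 }.freeze

# Return the request path in canonical form, or nil when it is not plain
# (dot segments, empty segments, backslashes, NULs, leftover escapes).
# Rejecting instead of "cleaning" keeps proxy and backend in agreement.
def canonical_path(raw)
  path = raw.to_s.split('?', 2).first.to_s.b
  decoded = path.gsub(/%([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
  return nil unless decoded.start_with?('/')
  return nil if decoded.match?(/[%\\\x00]/)

  segments = decoded.split('/', -1).drop(1)
  segments.pop if segments.last == '' # tolerate a single trailing slash
  return nil if segments.empty?
  return nil if segments.any? { |s| s.empty? || s == '.' || s == '..' }

  '/' + segments.join('/')
end

# True when path is one of the prefixes or lies below one of them.
def under?(path, prefixes)
  prefixes.any? { |p| path == p || path.start_with?(p + '/') }
end

# Tier a request needs: :read, :read_write, or nil for anything unlisted.
def required_tier(http_method, raw_path)
  path = canonical_path(raw_path)
  return nil unless path

  case http_method.to_s.upcase
  when 'GET', 'HEAD' then under?(path, READ_ROUTES) ? :read : nil
  when 'POST'        then under?(path, WRITE_ROUTES) ? :read_write : nil
  end
end

# certname must be nil unless the proxy itself verified the client
# certificate against the Puppet CA. Default is deny.
def authorize(certname, http_method, raw_path)
  needed  = required_tier(http_method, raw_path)
  granted = POLICY[certname]
  return :deny if needed.nil? || granted.nil?

  RANK[granted] >= RANK[needed] ? :allow : :deny
end
```

A route-level proxy like this separates readers from writers, but it does not address the per-node or per-environment visibility raised in the reply: any certname granted `:read` can still query every node's data.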
Re: [Puppet Users] Certificate verify fails without indications
Yes, it is exactly the cause of the problem!

"
certificate_signer.rb

# Take care of signing a certificate in a FIPS 140-2 compliant manner.
#
# @see http://projects.puppetlabs.com/issues/17295
#
# @api private
class Puppet::SSL::CertificateSigner
  def initialize
    if OpenSSL::Digest.const_defined?('SHA256')
      @digest = OpenSSL::Digest::SHA256
    elsif OpenSSL::Digest.const_defined?('SHA1')
      @digest = OpenSSL::Digest::SHA1
    else
      raise Puppet::Error, "No FIPS 140-2 compliant digest algorithm in OpenSSL::Digest"
    end
    @digest
  end

  def sign(content, key)
    content.sign(key, @digest.new)
  end
end
"

If I switch the order of these checks

    if OpenSSL::Digest.const_defined?('SHA256')
      @digest = OpenSSL::Digest::SHA256
    elsif OpenSSL::Digest.const_defined?('SHA1')
      @digest = OpenSSL::Digest::SHA1

probably it will work. I'll let you know..

On 13 February 2013 17:08, Matthew Black wrote:

> Yes because as part of the fix it checks on the CA, when its signing
> the cert, whether it can support 256 or not. If it does not it drops
> down to a lower SHA.
>
> If you look at the pull request that is part of the ticket,
> specifically the changes. If you scroll down to the
> certificate_signer.rb change it will make more sense.
>
> https://github.com/puppetlabs/puppet/pull/1413/files
>
> On Wed, Feb 13, 2013 at 10:37 AM, Luigi Martin Petrella wrote:
> > Matthew, you are right, this explain ALMOST everything
> >
> > "Puppet is using the Solaris-provided OpenSSL as part of the Ruby install in
> > this case, which runs version 0.9.7 with patches and doesn’t support sha256.
> > I don’t mind the idea of compiling 1.0.x but the issue still seems to stand
> > that you can’t choose the digest method anymore – there is an apparent use
> > of SHA256 regardless of what option you choose."
> >
> > But
> >
> > If I use as master RH4 with openssl-lib 0.9.7 I have no problem connecting
> > the others RH4 nodes. This means that Puppet don't use always SHA256, but
> > only If it is available from openssl library. Right?
> >
> > So, there are two ways (one harder than the other for me) to solve the issue
> > at openssl level:
> > 1. install opensslib rpm for RH5 on RH4 (but there are a lot of missing
> > dependencies)
> > 2. downgrade openssl lib on Centos 6.3 master from 1.0.0 to 0.9.7
> > ???
> >
> > Since --digest option won't work, is there any other way to force puppet not
> > to use SHA256??
> >
> > On 13 February 2013 16:16, Matthew Black wrote:
> >>
> >> I think this issue is related to your issue since the version
> >> discussed is 0.9.7.
> >>
> >> http://projects.puppetlabs.com/issues/17295
> >>
> >> What you will need to do is more than likely is update the openssl on
> >> the agent. I dont think it will work too well but you can try to take
> >> the srpm from rhel 5 or 6 and build it for rhel 4
> >>
> >> On Wed, Feb 13, 2013 at 8:31 AM, Luigi Martin Petrella wrote:
> >> > Master:
> >> > Centos 6.3 , Puppet 3.1.0
> >> > Ubuntu, Puppet 3.1.0
> >> >
> >> > Agent:
> >> > Redhat 4, Puppet 3.1.0
> >> >
> >> > Yesterday something strange happened:
> >> > we tried to connect RedHat agent with a Puppet Enterprise Master on Centos
> >> > 6.3, and there wasn't any certificate problems and everything worked.
> >> > Today we are trying with the same configuration, but It appeared the same
> >> > validation error described before
> >> >
> >> > On 13 February 2013 14:12, Matthew Black wrote:
> >> >>
> >> >> What is the versions of the puppet are being used on the client and
> >> >> the server? Assuming master is running on Linux, what distro and
> >> >> release is the master running on?
> >> >>
> >> >> I suspect the openssl might be the issue on the client.
> >> >>
> >> >> On Wed, Feb 13, 2013 at 7:59 AM, Luigi Martin Petrella wrote:
> >> >> > Felix, why do you think the problem is related to the "--waitforcert"
> >> >> > option?
> >> >> > I tried to run "puppet agent -t --waitforcert 100" , and after signing the
> >> >> > request on master, on agent I receive this message:
> >> >> >
> >> >> > Error: Could not request certificate: Unsupported digest algorithm (SHA256).
> >> >> > Error: Failed to apply catalog: Unsupported digest algorithm (SHA256).
> >> >> > Error: Could not send report: SSL_CTX_use_PrivateKey:: key values mismatch
> >> >> >
> >> >> > On 13 February 2013 13:15, Felix Frank wrote:
> >> >> >>
> >> >> >> On 02/11/2013 10:51 PM, Jo Rhett wrote:
> >> >> >> > All cert problems are either time sync or certificate name issues. So
> >> >> >> > it's one of those two.
> >> >> >>
> >> >> >> A bold assertion. It may hold true as far as puppet is concerned, though.
> >> >> >>
> >> >> >> I generally advise to take the tim
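A way to check the mismatch discussed in this message: the quoted signer picks its digest from what the signing host's OpenSSL offers, so a SHA256-signed certificate can reach an agent whose library cannot verify it. This is an added example, not Puppet code; the helper names, the constructed test certificate and the digest lists passed to `diagnose` are assumptions for illustration.

```ruby
require 'openssl'

# Preference order of the signer quoted above: SHA256 first, then SHA1.
PREFERRED_DIGESTS = %w[SHA256 SHA1].freeze

# True if this Ruby/OpenSSL build can actually instantiate the digest.
# An unsupported name raises (the same "Unsupported digest algorithm" error
# family the agent reported), so probe instead of checking for constants.
def digest_supported?(name)
  OpenSSL::Digest.new(name)
  true
rescue StandardError
  false
end

# Digests from `candidates` that the local OpenSSL build supports.
def local_digests(candidates = %w[SHA512 SHA256 SHA1 MD5])
  candidates.select { |n| digest_supported?(n) }
end

# Same selection logic as the quoted signer, with the availability list
# passed in so a library without SHA256 can be simulated.
def pick_signing_digest(available)
  choice = PREFERRED_DIGESTS.find { |d| available.include?(d) }
  raise ArgumentError, 'no acceptable digest available to the signer' unless choice

  choice
end

# Digest named in a certificate's signature algorithm, e.g.
# "sha256WithRSAEncryption" => "SHA256"; nil if the name carries none.
def cert_digest(cert)
  m = cert.signature_algorithm.match(/(sha3-\d+|sha\d+|md5)/i)
  m && m[1].upcase
end

# Can a peer whose OpenSSL offers `peer_digests` check this signature?
def peer_can_verify?(cert, peer_digests)
  digest = cert_digest(cert)
  !digest.nil? && peer_digests.include?(digest)
end

# Constructed self-signed certificate, used only to exercise the checks.
def build_test_cert(digest_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse('/CN=constructed-ca.example')
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = name
  cert.issuer     = name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new(digest_name))
  cert
end

# The signer chooses from its own library only; the agent's capabilities
# never enter the decision. Report what was used and whether the agent copes.
def diagnose(signer_digests, agent_digests)
  cert = build_test_cert(pick_signing_digest(signer_digests))
  { signed_with: cert_digest(cert), agent_ok: peer_can_verify?(cert, agent_digests) }
end

if __FILE__ == $PROGRAM_NAME
  puts "local build supports: #{local_digests.join(', ')}"
  # Constructed scenario: master offers SHA256, agent library does not.
  p diagnose(%w[SHA256 SHA1], %w[SHA1 MD5])
end
```

On a real host, `cert_digest` can be pointed at the agent's signed certificate via `OpenSSL::X509::Certificate.new(File.read(path))`, and `local_digests` run on the agent shows whether its library can handle that digest.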
Re: [Puppet Users] Run Puppet Against Master with Local node.pp Manifest?
You should be versioning all your puppet manifests and modules. You can then write a simple script to pull down the changes.

Once you have the files you can have the manifests and modules folder look exactly like the puppet master and then type something like this to test.

    puppet apply /etc/puppet/manifests/site.pp

If you want to test one module you can create that node.pp file, which imports the module. You will need to create a modules directory and place your module in that directory then type from command line

    puppet apply /path/to/node.pp --modulepath=/path/to/modules/dir

Ensure that modulepath is to the modules directory you created and not the module itself.

On Tue, Feb 12, 2013 at 5:35 AM, Ralph Bolton wrote:
> Thanks for the suggestion. I did wonder about copying all the modules and
> configs off the Puppet Master onto the test box. My concern is really just
> about keeping that lot up to date, and most importantly to make sure that it
> behaves the same as it would do if it came from the Master. It could be done
> this way, but I'm worried it seems simple now, but will turn into a headache
> later on. If this is the only way to do it, then I guess I'll just have to
> suck it up :-(
>
> This might sound daft, but where's the security issue? If I'm root on a box,
> and I want to do some wacky install on it, then I already can, regardless of
> what Puppet thinks. This wouldn't allow me to change anything on the Puppet
> Master, so I wouldn't be able to alter any boxes except the one I'm on. What
> additional concern would there be for having this as a feature?
Re: [Puppet Users] semi-standalone puppet mode
Without fully understanding your modules and how they interact you can always take a copy of the site manifest and modules with the node and then do something like this

    puppet apply /etc/puppet/manifests/site.pp --modulepath=/etc/puppet/modules

I typically do something similar when testing a module without a puppet master.

On Tue, Feb 12, 2013 at 8:03 AM, Ivan Lysov wrote:
> Hi All!
>
> I do manage some hosts with puppet and it's pretty great.
> But among those hosts there are some boxes that are sometimes taken away
> from my network, used for demonstrations somewhere outside and return back.
> And I want puppet to manage those hosts even when they are away and alone.
> And of course I want them to fetch the latest catalogs on the moment they
> appear in domestic network.
>
> I even wrote an ugly script that does something like "puppet catalog
> download" and then apply on every boot, but this is ugly, smells and
> obviousless.
> Had somebody invented something like that and how?
Re: [Puppet Users] Certificate verify fails without indications
Yes because as part of the fix it checks on the CA, when its signing the cert, whether it can support 256 or not. If it does not it drops down to a lower SHA.

If you look at the pull request that is part of the ticket, specifically the changes. If you scroll down to the certificate_signer.rb change it will make more sense.

https://github.com/puppetlabs/puppet/pull/1413/files

On Wed, Feb 13, 2013 at 10:37 AM, Luigi Martin Petrella wrote:
> Matthew, you are right, this explain ALMOST everything
>
> "Puppet is using the Solaris-provided OpenSSL as part of the Ruby install in
> this case, which runs version 0.9.7 with patches and doesn’t support sha256.
> I don’t mind the idea of compiling 1.0.x but the issue still seems to stand
> that you can’t choose the digest method anymore – there is an apparent use
> of SHA256 regardless of what option you choose."
>
> But
>
> If I use as master RH4 with openssl-lib 0.9.7 I have no problem connecting
> the others RH4 nodes. This means that Puppet don't use always SHA256, but
> only If it is available from openssl library. Right?
>
> So, there are two ways (one harder than the other for me) to solve the issue
> at openssl level:
> 1. install opensslib rpm for RH5 on RH4 (but there are a lot of missing
> dependencies)
> 2. downgrade openssl lib on Centos 6.3 master from 1.0.0 to 0.9.7
> ???
>
> Since --digest option won't work, is there any other way to force puppet not
> to use SHA256??
>
> On 13 February 2013 16:16, Matthew Black wrote:
>>
>> I think this issue is related to your issue since the version
>> discussed is 0.9.7.
>>
>> http://projects.puppetlabs.com/issues/17295
>>
>> What you will need to do is more than likely is update the openssl on
>> the agent. I dont think it will work too well but you can try to take
>> the srpm from rhel 5 or 6 and build it for rhel 4
>>
>> On Wed, Feb 13, 2013 at 8:31 AM, Luigi Martin Petrella wrote:
>> > Master:
>> > Centos 6.3 , Puppet 3.1.0
>> > Ubuntu, Puppet 3.1.0
>> >
>> > Agent:
>> > Redhat 4, Puppet 3.1.0
>> >
>> > Yesterday something strange happened:
>> > we tried to connect RedHat agent with a Puppet Enterprise Master on Centos
>> > 6.3, and there wasn't any certificate problems and everything worked.
>> > Today we are trying with the same configuration, but It appeared the same
>> > validation error described before
>> >
>> > On 13 February 2013 14:12, Matthew Black wrote:
>> >>
>> >> What is the versions of the puppet are being used on the client and
>> >> the server? Assuming master is running on Linux, what distro and
>> >> release is the master running on?
>> >>
>> >> I suspect the openssl might be the issue on the client.
>> >>
>> >> On Wed, Feb 13, 2013 at 7:59 AM, Luigi Martin Petrella wrote:
>> >> > Felix, why do you think the problem is related to the "--waitforcert"
>> >> > option?
>> >> > I tried to run "puppet agent -t --waitforcert 100" , and after signing the
>> >> > request on master, on agent I receive this message:
>> >> >
>> >> > Error: Could not request certificate: Unsupported digest algorithm (SHA256).
>> >> > Error: Failed to apply catalog: Unsupported digest algorithm (SHA256).
>> >> > Error: Could not send report: SSL_CTX_use_PrivateKey:: key values mismatch
>> >> >
>> >> > On 13 February 2013 13:15, Felix Frank wrote:
>> >> >>
>> >> >> On 02/11/2013 10:51 PM, Jo Rhett wrote:
>> >> >> > All cert problems are either time sync or certificate name issues. So
>> >> >> > it's one of those two.
>> >> >>
>> >> >> A bold assertion. It may hold true as far as puppet is concerned, though.
>> >> >>
>> >> >> I generally advise to take the time and learn about x509 and openssl's
>> >> >> interface, so one can inspect the actual certificates in question.
>> >> >>
>> >> >> > Exiting; no certificate found and waitforcert is disabled|
>> >> >>
>> >> >> Hmm, so did you *ever* use --waitforcert on your agent side?
>> >> >>
>> >> >> If you haven't, that's your problem right there.
>> >> >>
>> >> >> HTH,
>> >> >> Felix
[Puppet Users] Re: Daemonize puppet agent but disable periodic runs
You would have to run your agent daemon with '--no-client' parameter. See 'man puppet.conf'.

On Wednesday, 13 February 2013 13:49:06 UTC, Andriy Yurchuk wrote:
>
> I need puppet agent daemon running because I need to access agent's REST
> API (http://docs.puppetlabs.com/guides/rest_api.html#the-agent-rest-api).
> But I don't need the agent to run periodic checks. Is there any way to
> either access REST API without daemonizing agent (I suspect this is not
> possible) or disable periodic runs while running agent as a daemon?
Re: [Puppet Users] Certificate verify fails without indications
Matthew, you are right, this explain ALMOST everything

"Puppet is using the Solaris-provided OpenSSL as part of the Ruby install in this case, which runs version 0.9.7 with patches and doesn’t support sha256. I don’t mind the idea of compiling 1.0.x but the issue still seems to stand that you can’t choose the digest method anymore – there is an apparent use of SHA256 regardless of what option you choose."

But

If I use as master RH4 with openssl-lib 0.9.7 I have no problem connecting the others RH4 nodes. This means that Puppet don't use always SHA256, but only If it is available from openssl library. Right?

So, there are two ways (one harder than the other for me) to solve the issue at openssl level:
1. install opensslib rpm for RH5 on RH4 (but there are a lot of missing dependencies)
2. downgrade openssl lib on Centos 6.3 master from 1.0.0 to 0.9.7
???

Since --digest option won't work, is there any other way to force puppet not to use SHA256??

On 13 February 2013 16:16, Matthew Black wrote:

> I think this issue is related to your issue since the version
> discussed is 0.9.7.
>
> http://projects.puppetlabs.com/issues/17295
>
> What you will need to do is more than likely is update the openssl on
> the agent. I dont think it will work too well but you can try to take
> the srpm from rhel 5 or 6 and build it for rhel 4
>
> On Wed, Feb 13, 2013 at 8:31 AM, Luigi Martin Petrella wrote:
> > Master:
> > Centos 6.3 , Puppet 3.1.0
> > Ubuntu, Puppet 3.1.0
> >
> > Agent:
> > Redhat 4, Puppet 3.1.0
> >
> > Yesterday something strange happened:
> > we tried to connect RedHat agent with a Puppet Enterprise Master on Centos
> > 6.3, and there wasn't any certificate problems and everything worked.
> > Today we are trying with the same configuration, but It appeared the same
> > validation error described before
> >
> > On 13 February 2013 14:12, Matthew Black wrote:
> >>
> >> What is the versions of the puppet are being used on the client and
> >> the server? Assuming master is running on Linux, what distro and
> >> release is the master running on?
> >>
> >> I suspect the openssl might be the issue on the client.
> >>
> >> On Wed, Feb 13, 2013 at 7:59 AM, Luigi Martin Petrella wrote:
> >> > Felix, why do you think the problem is related to the "--waitforcert"
> >> > option?
> >> > I tried to run "puppet agent -t --waitforcert 100" , and after signing the
> >> > request on master, on agent I receive this message:
> >> >
> >> > Error: Could not request certificate: Unsupported digest algorithm (SHA256).
> >> > Error: Failed to apply catalog: Unsupported digest algorithm (SHA256).
> >> > Error: Could not send report: SSL_CTX_use_PrivateKey:: key values mismatch
> >> >
> >> > On 13 February 2013 13:15, Felix Frank <felix.fr...@alumni.tu-berlin.de> wrote:
> >> >>
> >> >> On 02/11/2013 10:51 PM, Jo Rhett wrote:
> >> >> > All cert problems are either time sync or certificate name issues. So
> >> >> > it's one of those two.
> >> >>
> >> >> A bold assertion. It may hold true as far as puppet is concerned, though.
> >> >>
> >> >> I generally advise to take the time and learn about x509 and openssl's
> >> >> interface, so one can inspect the actual certificates in question.
> >> >>
> >> >> > Exiting; no certificate found and waitforcert is disabled|
> >> >>
> >> >> Hmm, so did you *ever* use --waitforcert on your agent side?
> >> >>
> >> >> If you haven't, that's your problem right there.
> >> >>
> >> >> HTH,
> >> >> Felix
Re: [Puppet Users] Re: ruby gems versus yum install
Vaidas and Matt - that's perfect information. Yum it is for me... Thanks for your posts!
[Puppet Users] Re: ruby gems versus yum install
Hi Oli,

I strongly recommend packaging everything up. It makes your life a lot easier in the long term. Package systems like RPM with Yum give you a lot of benefits, like package verification, easy updates, dependency resolution across your system, easy way to uninstall packages etc. The other strong advantage of proper distribution packages is that you will not need to have things like gcc or development-tools installed on your servers.

Gems are quite nice, especially if you're on Ubuntu or similar deb-based distributions, because these types of distros just simply do not package gems at all to native packages (deb in this case).

If you're not very experienced in packaging software to RPM packages, have a look at a tool called "fpm" - it can easily create you an RPM package right from a gem package. Even though I do not recommend using fpm built packages in production.

Thanks,
Vaidas

On Wednesday, 13 February 2013 15:07:17 UTC, vioilly wrote:
>
> Hi,
>
> We are trying to determine the best way to install puppet using passenger.
> Is it best to install passenger via yum by making an RPM package or using
> ruby gems? What are the main gotchas using either?
>
> Many thanks
> Oli
Re: [Puppet Users] ruby gems versus yum install
On Wed, Feb 13, 2013 at 3:07 PM, vioilly wrote:
> Hi,
>
> We are trying to determine the best way to install puppet using passenger.
> Is it best to install passenger via yum by making an RPM package or using
> ruby gems? What are the main gotchas using either?

I'd definitely recommend RPMs (or insert your OS's native packaging format here) over other packaging formats. It just integrates and plays nicer with the OS as a whole simply because it's all using the same package DB. If you use gems for some packages and RPMs for others, the potential for file conflicts is always there. It also provides less administration overhead as you only need to learn one set of commands to understand what packages you have installed, which ones are available, and which ones are update/upgrade candidates.

In addition, I'd also recommend creating your own yum repository(ies) so that you're not reliant on the availability of 3rd party repos/external network connections, and can control the versions of all your packages so you can stick with versions that have been well tested in your environments.

As far as passenger is concerned, there are RPMs already available from http://passenger.stealthymonkeys.com/ for various flavours of RHEL, Fedora and SL, so you shouldn't need to build your own.

Regards,
Matt.
Re: [Puppet Users] Certificate verify fails without indications
I think this issue is related to your issue since the version discussed is 0.9.7.

http://projects.puppetlabs.com/issues/17295

What you will need to do is more than likely is update the openssl on the agent. I dont think it will work too well but you can try to take the srpm from rhel 5 or 6 and build it for rhel 4

On Wed, Feb 13, 2013 at 8:31 AM, Luigi Martin Petrella wrote:
> Master:
> Centos 6.3 , Puppet 3.1.0
> Ubuntu, Puppet 3.1.0
>
> Agent:
> Redhat 4, Puppet 3.1.0
>
> Yesterday something strange happened:
> we tried to connect RedHat agent with a Puppet Enterprise Master on Centos
> 6.3, and there wasn't any certificate problems and everything worked.
> Today we are trying with the same configuration, but It appeared the same
> validation error described before
>
> On 13 February 2013 14:12, Matthew Black wrote:
>>
>> What is the versions of the puppet are being used on the client and
>> the server? Assuming master is running on Linux, what distro and
>> release is the master running on?
>>
>> I suspect the openssl might be the issue on the client.
>>
>> On Wed, Feb 13, 2013 at 7:59 AM, Luigi Martin Petrella wrote:
>> > Felix, why do you think the problem is related to the "--waitforcert"
>> > option?
>> > I tried to run "puppet agent -t --waitforcert 100" , and after signing the
>> > request on master, on agent I receive this message:
>> >
>> > Error: Could not request certificate: Unsupported digest algorithm (SHA256).
>> > Error: Failed to apply catalog: Unsupported digest algorithm (SHA256).
>> > Error: Could not send report: SSL_CTX_use_PrivateKey:: key values mismatch
>> >
>> > On 13 February 2013 13:15, Felix Frank wrote:
>> >>
>> >> On 02/11/2013 10:51 PM, Jo Rhett wrote:
>> >> > All cert problems are either time sync or certificate name issues. So
>> >> > it's one of those two.
>> >>
>> >> A bold assertion. It may hold true as far as puppet is concerned, though.
>> >>
>> >> I generally advise to take the time and learn about x509 and openssl's
>> >> interface, so one can inspect the actual certificates in question.
>> >>
>> >> > Exiting; no certificate found and waitforcert is disabled|
>> >>
>> >> Hmm, so did you *ever* use --waitforcert on your agent side?
>> >>
>> >> If you haven't, that's your problem right there.
>> >>
>> >> HTH,
>> >> Felix
Re: [Puppet Users] Certificate verify fails without indications
Yes, RED HAT 4 is very old, but we can't update it.

I agree with the idea that the problem could be the ssl library. As I wrote before, on RH4 we have openssl-0.9.7, on the other systems it's 1.0.0.

Maybe puppet 3.0.1 master forces the use of SHA256 for certificate digest, but SHA256 is not supported by openssl-0.9.7?

Is there any way to force master to use SHA1? I already tried the option "--digest sha1" in

>puppet cert sign --all --digest sha1

but the error remains...

On 13 February 2013 15:58, Felix Frank wrote:
> On 02/13/2013 03:32 PM, Luigi Martin Petrella wrote:
> > MASTER Centos 6.3, Puppet 3.0.1 --> Agent RedHat 4, Puppet 3.0.1 = ERROR
> > MASTER Ubuntu 12.10, puppet 3.0.1 --> Agent RedHat 4, Puppet 3.0.1 = ERROR
> > MASTER RedHat 4, Puppet 3.0.1 --> Agent RedHat 4, Puppet 3.0.1 = OK
>
> I agree with Matthew that this does smell like a libssl related issue.
>
> Isn't RedHat 4 ancient? Aren't they past 6 or somesuch by now?
>
> > I don't understand the basis for claiming that not using --waitforcert
> > would cause issues.
>
> Mea culpa. I seemed to remember an issue with puppet 2.6 not receiving
> the signed certificate unless invoking the option. That may have been me
> blundering in some other exciting way, though.
>
> Thanks for clearing that up, John!
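As an added example (not part of the thread), the Ruby sketch below does the certificate inspection this exchange points at: it reads the signature digest of every certificate in a PEM bundle, flags those an old agent could not verify, and checks that a certificate belongs to a given private key, which is what the "key values mismatch" error is about. The digest list for the old agent is an assumption taken from the thread's SHA256 hypothesis, and the certificates and host names are constructed samples.

```ruby
require 'openssl'

# Assumption for this example: the digests the old agent's OpenSSL can verify.
# The thread suspects openssl-0.9.7 lacks SHA256, so only older digests are listed.
LEGACY_AGENT_DIGESTS = %w[md5 sha1].freeze

# Constructed sample input: a throwaway self-signed certificate.
def build_sample_cert(key, digest_name, common_name)
  name = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = name
  cert.issuer     = name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new(digest_name))
  cert
end

# Reduce e.g. "sha256WithRSAEncryption" or "ecdsa-with-SHA1" to the digest name.
# Unknown algorithm names are returned unchanged so they show up in the report.
def signature_digest(cert)
  alg = cert.signature_algorithm
  alg[/md5|sha1|sha224|sha256|sha384|sha512/i]&.downcase || alg
end

# Audit every certificate in a PEM bundle (for example a CA certificate followed
# by an agent certificate) against the digests the verifying side supports.
def audit_bundle(pem_text, supported_digests)
  blocks = pem_text.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
  blocks.map do |pem|
    cert   = OpenSSL::X509::Certificate.new(pem)
    digest = signature_digest(cert)
    { subject: cert.subject.to_s,
      digest: digest,
      verifiable: supported_digests.include?(digest) }
  end
end

# True when the certificate's public key corresponds to the private key.
# A false result here is the condition behind "key values mismatch".
def key_matches?(cert, private_key)
  cert.check_private_key(private_key)
end

if __FILE__ == $PROGRAM_NAME
  agent_key = OpenSSL::PKey::RSA.new(2048)
  stale_key = OpenSSL::PKey::RSA.new(2048) # stands in for a leftover key from an earlier attempt
  agent_crt = build_sample_cert(agent_key, 'SHA256', 'agent.example.test')

  audit_bundle(agent_crt.to_pem, LEGACY_AGENT_DIGESTS).each do |row|
    status = row[:verifiable] ? 'ok' : 'digest not supported by agent'
    puts "#{row[:subject]}: #{row[:digest]} (#{status})"
  end
  puts "certificate matches current key: #{key_matches?(agent_crt, agent_key)}"
  puts "certificate matches stale key:   #{key_matches?(agent_crt, stale_key)}"
end
```

To audit real files, pass the PEM text of the CA and agent certificates to `audit_bundle` and load the agent's private key with `OpenSSL::PKey.read` before calling `key_matches?`.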
[Puppet Users] ruby gems versus yum install
Hi,

We are trying to determine the best way to install puppet using passenger. Is it best to install passenger via yum by making an RPM package or using ruby gems? What are the main gotchas using either?

Many thanks
Oli
Re: [Puppet Users] Certificate verify fails without indications
On 02/13/2013 03:32 PM, Luigi Martin Petrella wrote:
> MASTER Centos 6.3, Puppet 3.0.1 --> Agent RedHat 4, Puppet 3.0.1 = ERROR
> MASTER Ubuntu 12.10, puppet 3.0.1 --> Agent RedHat 4, Puppet 3.0.1 = ERROR
> MASTER RedHat 4, Puppet 3.0.1 --> Agent RedHat 4, Puppet 3.0.1 = OK

I agree with Matthew that this does smell like a libssl related issue.

Isn't RedHat 4 ancient? Aren't they past 6 or somesuch by now?

> I don't understand the basis for claiming that not using --waitforcert
> would cause issues.

Mea culpa. I seemed to remember an issue with puppet 2.6 not receiving the signed certificate unless invoking the option. That may have been me blundering in some other exciting way, though.

Thanks for clearing that up, John!
[Puppet Users] MCO caching Facts from Facter
Hi,

We are trying to use a custom fact to tell us the version of our service in order to do hot deployment. The idea is that we poll mco for servers with this fact matching the new version until it returns that there are some, which is a signal we can move on to the next server.

Unfortunately we're bumping into the cache of facts mentioned in the server config here: http://docs.puppetlabs.com/mcollective/reference/basic/configuration.html

For reasons it would be tedious to explain we can't directly control the fact cache configuration value. Is there any way dynamically to tell mco to flush the cache, either for all facts or this one fact? Or to use a different cache value for a particular fact?

Thanks for any advice,
Rob
Re: [Puppet Users] Certificate verify fails without indications
I have to do an update. We just configured one RED HAT 4 node as puppet master, and connected another RH4 agent node without any ssl or certificate issue.

So, brief recap:

MASTER Centos 6.3, Puppet 3.0.1 --> Agent RedHat 4, Puppet 3.0.1 = ERROR
MASTER Ubuntu 12.10, puppet 3.0.1 --> Agent RedHat 4, Puppet 3.0.1 = ERROR
(we mean always the same ERROR on certificate validation)
MASTER Centos 6.3, Puppet Enterprise 2.6 , based on Puppet open source 2.7 --> Agent RedHat 4, Puppet 3.0.1 = OK but not always
MASTER RedHat 4, Puppet 3.0.1 --> Agent RedHat 4, Puppet 3.0.1 = OK

On 13 February 2013 15:13, jcbollinger wrote:
> On Wednesday, February 13, 2013 6:15:09 AM UTC-6, Felix.Frank wrote:
>>
>> Hmm, so did you *ever* use --waitforcert on your agent side?
>>
>> If you haven't, that's your problem right there.
>>
> I never use --waitforcert. Instead, I just run the agent twice when I
> first set up Puppet, signing the cert in between. Naturally, the agent
> receives neither certificate nor catalog on the first run, but on the
> second it receives both. That's slightly less secure than the client
> maintaining the connection and receiving a cert via the same network
> connection over which it requested one, but it's good enough for me. Most
> importantly, it works reliably. I don't understand the basis for claiming
> that not using --waitforcert would cause issues.
>
> John
[Puppet Users] Re: semi-standalone puppet mode
Unfortunately no. It uses the cached catalog only if the puppet master returns an error code. If it is completely unavailable, the agent just does nothing. Logs contain something like

>>>
2013-02-13T18:02:09.416421+04:00 distbuilder-b puppet-agent[1432]: Puppet --listen / kick is deprecated. See http://links.puppetlabs.com/puppet-kick-deprecation
2013-02-13T18:02:09.703607+04:00 distbuilder-b puppet-agent[1432]: Starting Puppet client version 3.0.1
2013-02-13T18:02:09.704367+04:00 distbuilder-b puppet-agent[1432]: Reopening log files
2013-02-13T18:02:09.820540+04:00 distbuilder-b puppet-agent[1432]: Reopening log files
2013-02-13T18:02:09.861180+04:00 distbuilder-b puppet-agent[1432]: Failed to apply catalog: getaddrinfo: Name or service not known
2013-02-13T18:02:09.879258+04:00 distbuilder-b puppet-agent[1432]: Could not send report: getaddrinfo: Name or service not known
<<<

On Tuesday, 12 February 2013, 19:23:00 UTC+4, Paul Tötterman wrote:
> Hi Ivan,
>
>> Had somebody invented something like that and how?
>
> Doesn't puppet do that right now? If it's unable to fetch a new catalog
> from master it uses the cached catalog that it has received previously.
>
> Cheers,
> Paul
Re: [Puppet Users] Certificate verify fails without indications
On Wednesday, February 13, 2013 6:15:09 AM UTC-6, Felix.Frank wrote:
>
> Hmm, so did you *ever* use --waitforcert on your agent side?
>
> If you haven't, that's your problem right there.
>

I never use --waitforcert. Instead, I just run the agent twice when I first set up Puppet, signing the cert in between. Naturally, the agent receives neither certificate nor catalog on the first run, but on the second it receives both. That's slightly less secure than the client maintaining the connection and receiving a cert via the same network connection over which it requested one, but it's good enough for me. Most importantly, it works reliably. I don't understand the basis for claiming that not using --waitforcert would cause issues.

John
[Puppet Users] Daemonize puppet agent but disable periodic runs
I need puppet agent daemon running because I need to access agent's REST API (http://docs.puppetlabs.com/guides/rest_api.html#the-agent-rest-api). But I don't need the agent to run periodic checks. Is there any way to either access REST API without daemonizing agent (I suspect this is not possible) or disable periodic runs while running agent as a daemon?
[Puppet Users] Re: How to call one manifset from another
On Wednesday, February 13, 2013 3:03:15 AM UTC-6, yarlagadda ramya wrote:
>
> Hi all,
>
> I have 3 different manifests. How can i call one manifest from another
> manifest?
>
> Please do help me with this.
>

It depends on what is in the manifests... if you used modules and classes and have things on the file system in the layout the autoloader works with, it's as easy as just doing:

    include myclass

or

    include myclass::otherclass

If you didn't follow the guidelines... can't answer your question without seeing code.
[Puppet Users] Re: Referencing facts in Puppet Ruby DSL
That worked, thanks a lot John.

On Tuesday, February 12, 2013 4:15:52 PM UTC+2, jcbollinger wrote:
> On Tuesday, February 12, 2013 5:10:02 AM UTC-6, Andriy Yurchuk wrote:
>>
>> How do I reference my custom created facts (distributed via pluginsync)?
>> I tried Facter[:custom_fact].value, but this does not seem to work - it
>> always returns the value for the fact on master.
>>
>
> Node facts, both custom and built-in, manifest as the top-scope Puppet
> variables. You should be able to access them via
> scope.lookupvar('::custom_fact').
>
> John
Re: [Puppet Users] Certificate verify fails without indications
Master:
Centos 6.3 , Puppet 3.1.0
Ubuntu, Puppet 3.1.0

Agent:
Redhat 4, Puppet 3.1.0

Yesterday something strange happened: we tried to connect RedHat agent with a Puppet Enterprise Master on Centos 6.3, and there wasn't any certificate problems and everything worked. Today we are trying with the same configuration, but the same validation error described before appeared

On 13 February 2013 14:12, Matthew Black wrote:
> What versions of puppet are being used on the client and
> the server? Assuming master is running on Linux, what distro and
> release is the master running on?
>
> I suspect the openssl might be the issue on the client.
>
> On Wed, Feb 13, 2013 at 7:59 AM, Luigi Martin Petrella wrote:
> > Felix, why do you think the problem is related to the "--waitforcert"
> > option?
> > I tried to run "puppet agent -t --waitforcert 100" , and after signing the
> > request on master, on agent I receive this message:
> >
> > Error: Could not request certificate: Unsupported digest algorithm (SHA256).
> > Error: Failed to apply catalog: Unsupported digest algorithm (SHA256).
> > Error: Could not send report: SSL_CTX_use_PrivateKey:: key values mismatch
> >
> > On 13 February 2013 13:15, Felix Frank wrote:
> >>
> >> On 02/11/2013 10:51 PM, Jo Rhett wrote:
> >> > All cert problems are either time sync or certificate name issues. So
> >> > it's one of those two.
> >>
> >> A bold assertion. It may hold true as far as puppet is concerned, though.
> >>
> >> I generally advise to take the time and learn about x509 and openssl's
> >> interface, so one can inspect the actual certificates in question.
> >>
> >> > Exiting; no certificate found and waitforcert is
> >> > disabled|
> >>
> >> Hmm, so did you *ever* use --waitforcert on your agent side?
> >>
> >> If you haven't, that's your problem right there.
> >>
> >> HTH,
> >> Felix
Re: [Puppet Users] Certificate verify fails without indications
What versions of puppet are being used on the client and the server? Assuming master is running on Linux, what distro and release is the master running on?

I suspect the openssl might be the issue on the client.

On Wed, Feb 13, 2013 at 7:59 AM, Luigi Martin Petrella wrote:
> Felix, why do you think the problem is related to the "--waitforcert"
> option?
> I tried to run "puppet agent -t --waitforcert 100" , and after signing the
> request on master, on agent I receive this message:
>
> Error: Could not request certificate: Unsupported digest algorithm (SHA256).
> Error: Failed to apply catalog: Unsupported digest algorithm (SHA256).
> Error: Could not send report: SSL_CTX_use_PrivateKey:: key values mismatch
>
> On 13 February 2013 13:15, Felix Frank wrote:
>>
>> On 02/11/2013 10:51 PM, Jo Rhett wrote:
>> > All cert problems are either time sync or certificate name issues. So
>> > it's one of those two.
>>
>> A bold assertion. It may hold true as far as puppet is concerned, though.
>>
>> I generally advise to take the time and learn about x509 and openssl's
>> interface, so one can inspect the actual certificates in question.
>>
>> > Exiting; no certificate found and waitforcert is
>> > disabled|
>>
>> Hmm, so did you *ever* use --waitforcert on your agent side?
>>
>> If you haven't, that's your problem right there.
>>
>> HTH,
>> Felix
Re: [Puppet Users] Certificate verify fails without indications
Felix, why do you think the problem is related to the "--waitforcert" option?

I tried to run "puppet agent -t --waitforcert 100" , and after signing the request on master, on agent I receive this message:

Error: Could not request certificate: Unsupported digest algorithm (SHA256).
Error: Failed to apply catalog: Unsupported digest algorithm (SHA256).
Error: Could not send report: SSL_CTX_use_PrivateKey:: key values mismatch

On 13 February 2013 13:15, Felix Frank wrote:
> On 02/11/2013 10:51 PM, Jo Rhett wrote:
> > All cert problems are either time sync or certificate name issues. So
> > it's one of those two.
>
> A bold assertion. It may hold true as far as puppet is concerned, though.
>
> I generally advise to take the time and learn about x509 and openssl's
> interface, so one can inspect the actual certificates in question.
>
> > Exiting; no certificate found and waitforcert is
> > disabled|
>
> Hmm, so did you *ever* use --waitforcert on your agent side?
>
> If you haven't, that's your problem right there.
>
> HTH,
> Felix
Re: [Puppet Users] Certificate verify fails without indications
On 02/11/2013 10:51 PM, Jo Rhett wrote:
> All cert problems are either time sync or certificate name issues. So
> it's one of those two.

A bold assertion. It may hold true as far as puppet is concerned, though.

I generally advise to take the time and learn about x509 and openssl's interface, so one can inspect the actual certificates in question.

> Exiting; no certificate found and waitforcert is
> disabled|

Hmm, so did you *ever* use --waitforcert on your agent side?

If you haven't, that's your problem right there.

HTH,
Felix
[Puppet Users] Re: How to puppetise Task Scheduler on Windows
Hi David,

> Is it possible to manage Task Scheduler through puppet?

Yes: http://docs.puppetlabs.com/references/latest/type.html#scheduledtask

Cheers,
Paul
[Puppet Users] How to puppetise Task Scheduler on Windows
Hi all,

I have puppet running well, and for the Windows servers in our environment it manages files, contents and services.

Is it possible to manage Task Scheduler through puppet? The task is in xml format (an export from an existing task), which puppet can ensure exists in a directory somewhere. However, I cannot find a way of having Puppet import the xml into the Scheduler itself and confirm it is running. Does anyone know if this is possible?

Many thanks,
David H.
[Puppet Users] Re: Issue in using postgresql with puppetdb
Hi Ken,

In my case the issue was *ssl-host = * in jetty.ini

Changed to *ssl-host = 0.0.0.0* and now it is fine, thank you!

On Tuesday, 12 February 2013, 21:14:31 UTC+11, Heena wrote:
>
> Hi,
> When i m using Postgresql database with puppetdb in puppet 3.0.2,
> following error is coming.
> err: Could not retrieve catalog from remote server: Error 400 on SERVER:
> Failed to submit 'replace facts' command for abcd.example.com to PuppetDB
> at puppet-DB.example.com:8081: Connection refused - connect(2)
> Can anyone have any solution regarding this?
>
Re: [Puppet Users] how to check whether a linux process is running?
Hi Oliver!

On Tue, Feb 12, 2013 at 07:53:55PM -0800, oliver zhang wrote:
> How do I do this in puppet:
>
> if process A is running, do nothing.
>
> else mount share and install package A
>
> I couldn't find any reference about this.

I would first ensure that the process is running (assuming that it's a service). The service would require the package which would require the share to be mounted. A rough outline would be:

    service { 'A':
      ensure  => running,
      require => Package['A'];
    }

    package { 'A':
      ensure  => installed,
      require => Exec['mount share'];
    }

    exec { 'mount share':
      command => '...',
      # exec has no 'if' attribute; 'onlyif' runs the command only when the check exits 0
      onlyif  => '...'; # command to check if not mounted
    }

I may be wrong, of course, but this would be my first try to resolve this.

Cheers,
Matthias

--
Server administration and software development
https://www.heute-kaufen.de
Prinzessinnenstraße 20 - 10969 Berlin
Re: [Puppet Users] how to check whether a linux process is running?
On Wed, Feb 13, 2013 at 3:53 AM, oliver zhang wrote:
> Hi Everyone,
>
> I'm new to puppet.
>
> How do I do this in puppet:
>
> if process A is running, do nothing.
>
> else mount share and install package A
>
> I couldn't find any reference about this.
>
> Thanks.

In addition to what Paul says, the way that something like this would normally be handled in Puppet is:

1) If process A is not running, start process A (this could be done via an Exec)

2) Step 1 may fail, because the binary used to launch process A is not installed. So, you'd also have a Package resource that would manage the package that contains that binary. At this point, the Exec can be told to depend on the Package such that trying to start process A will automatically trigger the installation of the necessary Package if it's not already installed.

3) The Package (or particular configuration thereof) may require a mount point to be available. So, you'd also have a Mount resource that would configure that mount point. At this point, the Package resource configured in step 2 can be told to depend on the Mount resource such that installing the Package will automatically set up and mount the Mount point resource.

4) Your node's manifest would only contain the Exec set up in step 1; everything else will automatically be configured through the defined dependency relationships.

Regards,
Matt.
[Puppet Users] Re: getting notrun to 0 error
Thanks i got the solution mathew

On Wednesday, 13 February 2013 11:16:13 UTC+5:30, yarlagadda ramya wrote:
>
> *Hi all,
>
> I wrote a manifest for downloading linux.x64_11gR2_database_1of2.zip and
> copying that to another directory and unzipping there..its getting
> downloaded but copying and unzipping is not happening..am getting this
> error..
> *
> notice: /Stage[main]//Exec[download_url]/returns: executed successfully
> err: /Stage[main]//Exec[copy_unzip]/returns: change from notrun to 0
> failed: /usr/bin/unzip -C /db/oracle /db/combo.zip returned 9 instead of
> one of [0] at /root/learning-manifests/combozip.pp:13
> notice: Finished catalog run in 0.19 seconds
>
> the manifest that i wrote is:
> $URL = "
> http://192.168.24.171:8080/softwares/linux.x64_11gR2_database_1of2.zip";
> $Software = "/db"
> $Server = "/db/oracle"
>
> exec { "download_url":
>   command => "/usr/bin/wget $URL",
>   cwd => "$Software",
> }
>
> exec {"copy_unzip":
>   command => "/usr/bin/unzip -C /db/oracle
> /db/linux.x64_11gR2_database_1of2.zip",
>   cwd => "$Server",
> }
>
> Exec['download_url'] -> Exec['copy_unzip']
>
> Please do help me with this.
>
[Puppet Users] How to call one manifset from another
Hi all,

I have 3 different manifests. How can i call one manifest from another manifest?

Please do help me with this.
Re: [Puppet Users] getting notrun to 0 error
On Wed, Feb 13, 2013 at 5:46 AM, yarlagadda ramya wrote:
> Hi all,
>
> I wrote a manifest for downloading linux.x64_11gR2_database_1of2.zip and
> copying that to another directory and unzipping there..its getting
> downloaded but copying and unzipping is not happening..am getting this
> error..
>
> notice: /Stage[main]//Exec[download_url]/returns: executed successfully
> err: /Stage[main]//Exec[copy_unzip]/returns: change from notrun to 0 failed:
> /usr/bin/unzip -C /db/oracle /db/combo.zip returned 9 instead of one of [0]
> at /root/learning-manifests/combozip.pp:13
> notice: Finished catalog run in 0.19 seconds
>
> the manifest that i wrote is:
> $URL =
> "http://192.168.24.171:8080/softwares/linux.x64_11gR2_database_1of2.zip";
> $Software = "/db"
> $Server = "/db/oracle"
>
> exec { "download_url":
>   command => "/usr/bin/wget $URL",
>   cwd => "$Software",
> }
>
> exec {"copy_unzip":
>   command => "/usr/bin/unzip -C /db/oracle
> /db/linux.x64_11gR2_database_1of2.zip",
>   cwd => "$Server",
> }
>
> Exec['download_url'] -> Exec['copy_unzip']
>
> Please do help me with this.

I answered this yesterday. Anyway, what happens if you run:

    cd /db/oracle
    /usr/bin/unzip -C /db/oracle /db/linux.x64_11gR2_database_1of2.zip

from a command line?

I *still* don't think that you need the '-C /db/oracle' portion of that command, so it should just be:

    /usr/bin/unzip /db/linux.x64_11gR2_database_1of2.zip

But running the full command from the command line should provide you with some output that might help figure out what's going on.

Regards,
Matt.
[Puppet Users] Re: how to check whether a linux process is running?
Hi Oliver,

> if process A is running, do nothing.
>
> else mount share and install package A
>

This doesn't really sit well with the declarative nature of Puppet. It would be better if your package pre-installation scripts were to cleanly implement this imperative procedure. Something like shut down service, mount, install, start service back up.

If you really want to try doing this with puppet, look at exec and onlyif/unless ( unless => 'pgrep process' ) and dependencies.

Cheers,
Paul