[Puppet Users] The security of the puppet master
Hi guys,

When you use Puppet to manage all your production servers, the security of the puppet master is very, very, very, very important, because if a hacker controls the puppet master server, he can control all your servers and can do anything he wants.

I think most companies use a VPN network to connect the puppet agent and the puppet master, but I think it's not safe enough. If someone's work PC is controlled by a hacker, the hacker can get into the VPN network. Or the hacker is someone who is not allowed to use the puppet master. VPN is safe, but not enough.

So the puppet master needs 3A: Authentication, Authorization, Accounting. Everybody who pushes a puppet manifest needs 3A, and use a cert to sign the code. The puppet master only allows signed manifest code.

In my environment, I do not use a puppet master. The puppet agent downloads the signed manifest from an rsync server, verifies the manifest and runs it. I think it's safer than the puppet master publishing the code, because I use a networkless PC to sign the code and then copy the code to the rsync server. So the security risk moves to all puppet agents, not the puppet master or rsync server.

--
You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users. For more options, visit https://groups.google.com/groups/opt_out.
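The agent-side step described in the post above (fetch a signed manifest, verify it, then run it), as an added example that is not part of the original post or of Puppet itself. It assumes the manifests travel as a tar bundle with a detached RSA/SHA-256 signature made with openssl; the function names, file names and the demo key pair are hypothetical and constructed only so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): refuse to unpack or apply a
# manifest bundle unless its detached signature verifies against a public key
# that is already installed on the agent.

# verify_bundle BUNDLE SIG PUBKEY
# Returns 0 only if SIG is a valid SHA-256 signature over BUNDLE.
# Returns 2 if an input is missing or empty, so a missing signature is never
# treated as "nothing to check".
verify_bundle() {
    bundle=$1; sig=$2; pubkey=$3
    [ -s "$bundle" ] && [ -s "$sig" ] && [ -r "$pubkey" ] || return 2
    openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$bundle" \
        >/dev/null 2>&1
}

# stage_verified BUNDLE SIG PUBKEY DESTDIR
# Verifies first, then unpacks into a scratch directory and swaps it into
# place, so DESTDIR never holds unverified or half-extracted manifests.
stage_verified() {
    bundle=$1; sig=$2; pubkey=$3; dest=$4
    verify_bundle "$bundle" "$sig" "$pubkey" || {
        echo "REJECT: bad or missing signature on $bundle" >&2
        return 1
    }
    tmp=$(mktemp -d "${dest}.new.XXXXXX") || return 1
    tar -xf "$bundle" -C "$tmp" || { rm -rf "$tmp"; return 1; }
    rm -rf "$dest" && mv "$tmp" "$dest"
    # An agent would now run something like:
    #   puppet apply "$dest/manifests/site.pp"
}

# make_demo DIR
# Constructed sample data: a one-line site.pp, a throwaway key pair and a
# signature. In the setup the post describes, the private key and the signing
# command stay on the networkless PC; only signer.pub is placed on agents.
make_demo() {
    d=$1
    mkdir -p "$d/src/manifests"
    printf "node default { notify { 'hello': } }\n" > "$d/src/manifests/site.pp"
    tar -cf "$d/manifests.tar" -C "$d/src" manifests
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/signer.key" 2>/dev/null
    openssl pkey -in "$d/signer.key" -pubout -out "$d/signer.pub" 2>/dev/null
    openssl dgst -sha256 -sign "$d/signer.key" \
        -out "$d/manifests.tar.sig" "$d/manifests.tar"
}

# Demo run: a good bundle is staged, a modified one is rejected.
demo_dir=$(mktemp -d)
make_demo "$demo_dir"
stage_verified "$demo_dir/manifests.tar" "$demo_dir/manifests.tar.sig" \
    "$demo_dir/signer.pub" "$demo_dir/live" && echo "signed bundle staged"
printf 'x' >> "$demo_dir/manifests.tar"   # simulate tampering on the rsync server
stage_verified "$demo_dir/manifests.tar" "$demo_dir/manifests.tar.sig" \
    "$demo_dir/signer.pub" "$demo_dir/live2" || echo "tampered bundle rejected"
rm -rf "$demo_dir"
```

The check is only as strong as the protection of the public key on each agent: it has to be installed out of band and must not be fetched from the same rsync server as the bundle.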
[Puppet Users] How to specify kernel version from puppet and downgrade pkg version.
Hello,

I have some kernel module RPMs related to a specific kernel version. Is there a method to control kernel versions with Puppet?

Another question: sometimes we need to upgrade the pkg version and downgrade the pkg version. Is this possible with Puppet?

Regards,
Xiaofei
[Puppet Users] Executing command via puppet !
Hi,

Is it possible to get the response of a command from puppet? For example, if I run nginx -t it would give some details about the configuration, i.e. if the configuration has some error, then which file has the error!

Regards
[Puppet Users] How to deploy execute script remotely
Hi,

I am new to Puppet and have just installed Puppet master on CentOS, and am managing Linux and Windows nodes. Now I would like to deploy and execute a script on one of my Linux boxes remotely from the Puppet master.

Appreciate your help. Please share the steps to be followed for achieving the above task.
[Puppet Users] Re: Solaris useradd uses /export/home and not /home
Many thanks John. Now it is solved. Here is the solution.

init.pp

    class admin_user::group {
      group { 'baaderadm':
        gid    => 888,
        ensure => present,
      }
    }

    class admin_user {
      include admin_user::group, admin_user::list
    }

list.pp

    class admin_user::list {
      admin_user::useradd { 'user1':
        comment    => 'user1',
        uid        => 1032,
        gid        => 888,
        group      => 'baaderadm',
        shell      => '/bin/bash',
        password   => '$6$QMhC7iyQ$CeUQnyZR1/jkH61SaE7gz/',
        sshkeytype => 'rsa',
        sshkey     => 'B3NzaC1yc2EBIwAAAIEAs+EjM0/U4rGLe5OipRtqkwkfk93KX/i6N8=',
      }
      admin_user::useradd { 'user2':
        comment    => 'user2',
        uid        => 1033,
        gid        => 888,
        group      => 'baaderadm',
        shell      => '/bin/bash',
        password   => '$6$QMhC7iyQ$CeUQnyZR1/jkH61SaE7gz/',
        sshkeytype => 'rsa',
        sshkey     => 'B3NzaC1yc2EBIwAAAIEAs+EjM0/U4rGLe5OipRtqkwkfk93KX/i6N8=',
      }
    }

useradd.pp

    define admin_user::useradd (
      $comment, $uid, $group, $gid, $password, $shell, $sshkeytype, $sshkey
    ) {
      include admin_user::group

      $username = $title

      # Local account with a managed home directory under /home
      user { $username:
        ensure     => present,
        comment    => $comment,
        uid        => $uid,
        gid        => $gid,
        shell      => $shell,
        home       => "/home/$username",
        managehome => true,
        forcelocal => true,
        password   => $password,
        require    => Group['baaderadm'],
      }

      # Public key is installed only after the account exists
      ssh_authorized_key { $username:
        user    => $username,
        type    => $sshkeytype,
        key     => $sshkey,
        require => User[$username],
      }
    }
[Puppet Users] Puppet to install and rollback using single module.
Hi all,

I would like to provide installation and rollback for any module. Here is what I've tried, but it does not work.

At modules/katie/manifests/init.pp:

    class katie::add {
      tag 'add'
      user { 'katie':
        ensure => present,
      }
    }

    class katie::remove {
      tag 'remove'
      user { 'katie':
        ensure => absent,
      }
    }

    class katie {
      include katie::remove, katie::remove
    }

Test command:

    [root@centos ~]# puppet agent --test --tags add
    Info: Retrieving plugin
    Info: Loading facts in /var/lib/puppet/lib/facter/pip_version.rb
    Info: Loading facts in /var/lib/puppet/lib/facter/python_version.rb
    Info: Loading facts in /var/lib/puppet/lib/facter/root_home.rb
    Info: Loading facts in /var/lib/puppet/lib/facter/puppet_vardir.rb
    Info: Loading facts in /var/lib/puppet/lib/facter/facter_dot_d.rb
    Info: Loading facts in /var/lib/puppet/lib/facter/concat_basedir.rb
    Info: Loading facts in /var/lib/puppet/lib/facter/pe_version.rb
    Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Duplicate declaration: User[katie] is already declared in file /etc/puppet/modules/katie/manifests/init.pp:5; cannot redeclare at /etc/puppet/modules/katie/manifests/init.pp:12 on node centos.local
    Warning: Not using cache on failed catalog
    Error: Could not retrieve catalog; skipping run
    [root@centos ~]#

If this is not the way to go, is there any alternative to get the install/rollback?

Thank you,
[Puppet Users] Re: puppet healthcheck
Hi,

I worked around the problem, the solution is documented at [1], not written by me. Basically I use a bash script with curl in combination with xinetd and the loadbalancer allows to specify a different port for the health check.

Best regards,
Steven

[1] http://uberobert.com/puppet_master_health_check_haproxy/
[Puppet Users] Puppet agent and puppet master
Hi,

Is it necessary to access the client machine and execute the agent command manually to take in the configuration? Or can the agent know by itself that the server has some changes for it?

Secondly, can't we have the agent's logs/status of taking in changes/configurations?

I am using the open source puppet master!

Adeel
[Puppet Users] Re: Executing command via puppet !
Hi,

You can get a response from puppet, depending upon what you want to achieve.

*1st case*: if you want to log the output of the command nginx -t, you can use the attribute logoutput => true or false of the exec resource. Please refer to http://www.puppetcookbook.com/posts/exec-output-logging.html for a detailed description.

*2nd case*: if you want to execute something after finding the file containing the configuration error, then you can use the attribute onlyif => command of the exec resource. Please refer to http://www.puppetcookbook.com/posts/exec-onlyif.html for a detailed description.

Thanks & Regards,
Sneha More,
NTT DATA GTS, OSS Center India, (Pune).

On Monday, September 16, 2013 11:57:12 AM UTC+5:30, Adeel Bhatti wrote:
> Hi,
>
> Is it possible to get the response of a command from puppet? For example, if I run nginx -t it would give some details about the configuration, i.e. if the configuration has some error, then which file has the error!
>
> Regards
Re: [Puppet Users] Puppet agent and puppet master
You can use splay to schedule agent run and yes, you can view agent run / changes status in /var/log/messages.

http://docs.puppetlabs.com/references/latest/configuration.html#splay

-V

On Mon, Sep 16, 2013 at 4:27 PM, Adeel Bhatti adeelarifbha...@gmail.com wrote:
> Hi,
>
> Is it necessary to access the client machine and execute the agent command manually to take in the configuration? Or can the agent know by itself that the server has some changes for it?
>
> Secondly, can't we have the agent's logs/status of taking in changes/configurations?
>
> I am using the open source puppet master!
>
> Adeel
Re: [Puppet Users] Puppet agent and puppet master
Hi,

Could we not run the agent command from the server? The point is, if I have to access the client after changing the configuration on the puppet master, it would be tedious!

BTW, does the Puppet master Enterprise server function the same way, or does it provide this functionality?

Adeel

On Monday, September 16, 2013 2:10:51 PM UTC+2, tujwww wrote:
> You can use splay to schedule agent run and yes, you can view agent run / changes status in /var/log/messages.
>
> http://docs.puppetlabs.com/references/latest/configuration.html#splay
>
> -V
>
> On Mon, Sep 16, 2013 at 4:27 PM, Adeel Bhatti adeelar...@gmail.com wrote:
>> Hi,
>>
>> Is it necessary to access the client machine and execute the agent command manually to take in the configuration? Or can the agent know by itself that the server has some changes for it?
>>
>> Secondly, can't we have the agent's logs/status of taking in changes/configurations?
>>
>> I am using the open source puppet master!
>>
>> Adeel
[Puppet Users] Re: Executing command via puppet !
It adds the entry in the log file but locally, I want to have the agent's entry in the puppet server's log file! Is it possible?

Adeel

On Monday, September 16, 2013 2:08:28 PM UTC+2, Sneha More wrote:
> Hi,
>
> You can get a response from puppet, depending upon what you want to achieve.
>
> *1st case*: if you want to log the output of the command nginx -t, you can use the attribute logoutput => true or false of the exec resource. Please refer to http://www.puppetcookbook.com/posts/exec-output-logging.html for a detailed description.
>
> *2nd case*: if you want to execute something after finding the file containing the configuration error, then you can use the attribute onlyif => command of the exec resource. Please refer to http://www.puppetcookbook.com/posts/exec-onlyif.html for a detailed description.
>
> Thanks & Regards,
> Sneha More,
> NTT DATA GTS, OSS Center India, (Pune).
>
> On Monday, September 16, 2013 11:57:12 AM UTC+5:30, Adeel Bhatti wrote:
>> Hi,
>>
>> Is it possible to get the response of a command from puppet? For example, if I run nginx -t it would give some details about the configuration, i.e. if the configuration has some error, then which file has the error!
>>
>> Regards
[Puppet Users] Re: Puppet agent and puppet master
Hi Adeel,

The first time, you have to access the puppet agent and do the certificate generation and signing on the puppet master. After that you can set the runinterval parameter in the puppet.conf file (the puppet agent requests the puppet master manifests at the defined time interval). This will automatically request the manifests from the puppet master continuously.

puppet.conf

    runinterval = XX    (default 30 minutes)

This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).

For the report or status, refer to the files present in the /var/lib/puppet/state directory.

Thanks and Regards,
Rahul Khengare,
NTT DATA OSS Center, Pune, India.

On Monday, September 16, 2013 4:27:54 PM UTC+5:30, Adeel Bhatti wrote:
> Hi,
>
> Is it necessary to access the client machine and execute the agent command manually to take in the configuration? Or can the agent know by itself that the server has some changes for it?
>
> Secondly, can't we have the agent's logs/status of taking in changes/configurations?
>
> I am using the open source puppet master!
>
> Adeel
[Puppet Users] Re: when does 'updated_at' column get updated?
Does anyone know?

On Wednesday, September 11, 2013 5:08:23 PM UTC-4, John Santana wrote:
> Using centos 6 with puppet-2.6.17 with thin_storeconfigs with mysql and nagios exported resources.
>
> Every time an agent connects to the master, the updated_at column in the hosts table is updated. However, the updated_at column in the other tables is not updated even when I alter a nagios resource attribute like retry_check_interval.
>
> What are the conditions by which the updated_at column is updated for the other tables?
[Puppet Users] Re: Puppet agent and puppet master
Thanks for your reply!

This would be really cool if the agent can look and identify the manifest changes! I have a service restart in my class, so I want to execute that only if there is some change in the configuration/manifest!

Regards
Adeel

On Monday, September 16, 2013 2:20:24 PM UTC+2, Rahul Khengare wrote:
> Hi Adeel,
>
> The first time, you have to access the puppet agent and do the certificate generation and signing on the puppet master. After that you can set the runinterval parameter in the puppet.conf file (the puppet agent requests the puppet master manifests at the defined time interval). This will automatically request the manifests from the puppet master continuously.
>
> puppet.conf
>
>     runinterval = XX    (default 30 minutes)
>
> This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).
>
> For the report or status, refer to the files present in the /var/lib/puppet/state directory.
>
> Thanks and Regards,
> Rahul Khengare,
> NTT DATA OSS Center, Pune, India.
>
> On Monday, September 16, 2013 4:27:54 PM UTC+5:30, Adeel Bhatti wrote:
>> Hi,
>>
>> Is it necessary to access the client machine and execute the agent command manually to take in the configuration? Or can the agent know by itself that the server has some changes for it?
>>
>> Secondly, can't we have the agent's logs/status of taking in changes/configurations?
>>
>> I am using the open source puppet master!
>>
>> Adeel
[Puppet Users] Re: How to deploy execute script remotely
Not hard at all... just use a file resource to deploy the file and then an exec to execute it:

    # Deploy the script, then notify the exec below
    file { '/path/to/my/script.sh':
      source => "puppet:///modules/${module_name}/script.sh",
      mode   => 755,
    } ~>
    # Runs only when the file resource above reports a change
    exec { '/path/to/my/script.sh':
      refreshonly => true,
    }

The important bit here is the ~> . That means notify and require. It basically means it will notify the exec when the file is deployed and that puppet will push the file before trying to execute it. The refreshonly true will assure you that the script will be executed only if it is notified.

Cheers
Juan

On Monday, September 16, 2013 7:25:59 AM UTC+1, Raju Patil wrote:
> Hi,
>
> I am new to Puppet and have just installed Puppet master on CentOS, and am managing Linux and Windows nodes. Now I would like to deploy and execute a script on one of my Linux boxes remotely from the Puppet master.
>
> Appreciate your help. Please share the steps to be followed for achieving the above task.
[Puppet Users] Re: Puppet Resources Ordering
This could be related to a bug in puppet, even though the dependency is defined between classes, the resources within the classes float and get executed in a different order. Take a look at the anchor pattern in the puppetlabs documentation.

Juan

On Sunday, September 15, 2013 6:14:17 AM UTC+1, chengkai liang wrote:
> Hi All,
>
> I have the following classes define:
>
> init.pp
>
>     class { 'A': } -> class { 'B': } -> class { 'C': }
>
> Supposedly, the execution order should A then B then C, but the actual execution order seems that C is being executed before B. Why is this happening? Isn't -> will chain up the resources order?
>
> Anybody has any idea?
>
> Thanks,
> Chengkai
Re: [Puppet Users] Re: Is it possible to install actual OS using puppet?
On Saturday, September 14, 2013 8:38:31 AM UTC-5, Rich Siegel wrote:
>> the Puppet code by which you achieve the OS installation is totally different from what you would use to maintain any part of the installed system post installation, via a client running on it?
>
> Yes but within our gitrepo, using the same tooling and contributions via the same workflow and peer review. This provides transparency and you can in a matter of minutes see how the system is built. Using other things like altiris, systemctr, standalone scripts, Or wds doesn't allow a true source of truth at this time.

Fair enough. I just wanted to point out that the system you described might be very different in form and nature from what the OP (thought he) was asking about.

Best,
John
[Puppet Users] Re: Failed to apply catalog: Netowork is unreachable - connect(2)
On Friday, September 13, 2013 4:46:55 PM UTC-5, Anup Singh wrote:
> Error: Failed to apply catalog: Netowork is unreachable - connect(2)
> Error: Could not send report: Network is unrechable - connect (2)
>
> logged in as roop
>
> Test
> telnet localhost 8041 (61613 and 443) connected
> telnet learn.localdomain 8041 (61613 and 443) network is unreachable

This is not a Puppet problem. It is a problem with the networking configuration on the client. The Puppet agent cannot establish a network connection to the master to request a catalog.

There are several possible problems here, among them:

- No external network interface is configured. There are many possible reasons for this, such as faulty provisioning, missing NIC driver or firmware, or all NICs disabled in BIOS.
- NIC is unusable or incorrectly configured. I've occasionally been bitten by this on laptops that have a switch to disable the NIC's radio -- when the radio is off, no wireless connections can be made. Alternatively, if the NIC is configured for DHCP but it gets bad or no configuration from the DHCP server, then it may not be able to reach the network.
- Strict firewall configuration.

No amount of messing around with Puppet manifests or configs will get you around this.

John

> puppet agent -t
> Failed to apply catalog: Network is Unreachable
> Could not send report: Network is Unreachable
>
> Hosts file
> puppet agent and host have same information in /etc/hosts
> 127.0.0.1 localhost.localdomain localhost
> ::1 localhost6.localdomain6 localhost6
> 192.168.0.105 lear.localdomain learn puppet.localdomain puppet
>
> Certs
> cd.pem
> learnlocaldomain.pem
> pe-internal-mcillective-servers.pem
> pe-internal-broker.pem
> pe-internal-puppet-console-mcillecitve-client.pem
Re: [Puppet Users] Puppet agent and puppet master
Adeel,

This is already how puppet operates by default if your manifest is written correctly. You should not be explicitly telling puppet to restart your service each time the agent runs. Instead, you should create a dependency relationship between the service and its configuration file (and even its package). For example, the following code ties together three resource types into one class:

    class webserver {
      package { 'httpd':
        ensure => installed,
      }

      file { '/etc/httpd/conf/httpd.conf':
        owner   => 'root',
        group   => 'root',
        mode    => '0644',
        require => Package['httpd'],
      }

      service { 'httpd':
        ensure     => running,
        enable     => true,
        hasstatus  => true,
        hasrestart => true,
        subscribe  => File['/etc/httpd/conf/httpd.conf'],
      }
    }

Notice how the file resource requires the package resource, and the service resource subscribes to the file resource. This sets up a logical dependency chain. That the httpd service subscribes to the httpd.conf configuration file is particularly important, because this is what tells puppet that it should restart the httpd service any time it notices and copies over a changed httpd.conf file. An exec resource containing a service httpd restart command is not required.

--
Peter Bukowinski

On Sep 16, 2013, at 8:40 AM, Adeel Bhatti adeelarifbha...@gmail.com wrote:
> Thanks for your reply!
>
> This would be really cool if the agent can look and identify the manifest changes! I have a service restart in my class, so I want to execute that only if there is some change in the configuration/manifest!
>
> Regards
> Adeel
>
> On Monday, September 16, 2013 2:20:24 PM UTC+2, Rahul Khengare wrote:
>> Hi Adeel,
>>
>> The first time, you have to access the puppet agent and do the certificate generation and signing on the puppet master. After that you can set the runinterval parameter in the puppet.conf file (the puppet agent requests the puppet master manifests at the defined time interval). This will automatically request the manifests from the puppet master continuously.
>>
>> puppet.conf
>>
>>     runinterval = XX    (default 30 minutes)
>>
>> This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).
>>
>> For the report or status, refer to the files present in the /var/lib/puppet/state directory.
>>
>> Thanks and Regards,
>> Rahul Khengare,
>> NTT DATA OSS Center, Pune, India.
>>
>> On Monday, September 16, 2013 4:27:54 PM UTC+5:30, Adeel Bhatti wrote:
>>> Hi,
>>>
>>> Is it necessary to access the client machine and execute the agent command manually to take in the configuration? Or can the agent know by itself that the server has some changes for it?
>>>
>>> Secondly, can't we have the agent's logs/status of taking in changes/configurations?
>>>
>>> I am using the open source puppet master!
>>>
>>> Adeel
[Puppet Users] Re: Puppet Resources Ordering
On Monday, September 16, 2013 12:19:50 AM UTC-5, Rahul Khengare wrote:
> Hi Chengkai,
>
> I have faced similar kind of problem for class ordering using ordering arrow (*->*). You can try the stage resources for ordering classes.

Run stages are indeed a mechanism for controlling application order of classes, but they are an awfully big and blunt hammer. Indiscriminate use of stages is likely to get you into trouble. Instead, you should fix the problem with your classes.

> On Sunday, September 15, 2013 10:44:17 AM UTC+5:30, chengkai liang wrote:
>> Hi All,
>>
>> I have the following classes define:
>>
>> init.pp
>>
>>     class { 'A': } -> class { 'B': } -> class { 'C': }
>>
>> Supposedly, the execution order should A then B then C, but the actual execution order seems that C is being executed before B. Why is this happening? Isn't -> will chain up the resources order?

Chances are that the chain operator works fine, but your expectation of what it means to apply (not execute) a class is flawed. Problems of this kind are usually containment issues: when one class declares another, that does not inherently place any ordering relationship between the declared and declaring classes, nor are relationships between the declaring class and any resources or other classes directly relevant to the declared class. This is quite different from the case of actual resources declared by a given class. The distinction is intentional and necessary, but that's a separate topic.

As JuanBrein suggested, you can find more information about the issue and the most common solution, the anchor pattern, in the language docs. Here's a link: http://docs.puppetlabs.com/puppet/3/reference/lang_containment.html .

John
[Puppet Users] Re: Puppet agent and puppet master
On Monday, September 16, 2013 7:40:35 AM UTC-5, Adeel Bhatti wrote:
> Thanks for your reply!
>
> This would be really cool if the agent can look and identify the manifest changes! I have a service restart in my class, so I want to execute that only if there is some change in the configuration/manifest!
>
> Regards
> Adeel

Puppet can do that. See below.

In answer to your original question, it is usual for each Puppet client to run the agent on a regular schedule, either using its built-in daemon mode (i.e. running it as a service) or via an external scheduler, such as cron. That way there is no need to touch individual clients to roll out configuration changes -- it is sufficient to change the manifests and/or data on the master.

It is important to understand that Puppet is a state management service, not a script engine. The distinction shows up here in that the Puppet agent's normal behavior is to check the properties of each managed resource, and to apply only those changes needed to put it into the target state. Resources that are already in the target state are not changed in any way. Thus, whenever the agent modifies a resource, such as a service's configuration file, it constitutes a genuine change.

Puppet has a mechanism for notifying resources about such changes in other resources, and it is particularly well supported for exactly the situation you describe: restarting services when their configuration changes. It can look like this:

    file { '/etc/myservice.conf':
      ensure  => 'file',
      content => template('myservice.conf.tmpl'),
      # ...
    }

    service { 'myservice':
      enable    => true,
      ensure    => running,
      subscribe => File['/etc/myservice.conf']
    }

The magic is in the 'subscribe' parameter. It says that the service needs to be refreshed if the agent applies any changes to the referenced file resource. The meaning of refresh varies by resource type, but for services it means to restart the service.

John
[Puppet Users] Re: Executing command via puppet !
On Monday, September 16, 2013 7:18:24 AM UTC-5, Adeel Bhatti wrote:
> It adds the entry in the log file but locally, I want to have agent's entry on the puppet server's log file!! Is it possible?

Puppet's mechanism for communicating general information about nodes to the master is facts. If there is information you want to communicate to the master beyond what it already receives, then it is relatively easy for you to create your own custom fact, such as one that provides the output of a given command. Do be aware that on each Puppet run, all facts are evaluated before any changes are applied to the target node.

Here is some documentation on creating custom facts: http://docs.puppetlabs.com/guides/custom_facts.html .

John
[Puppet Users] Re: How to deploy execute script remotely
On Monday, September 16, 2013 1:25:59 AM UTC-5, Raju Patil wrote:
> Hi, I am new to Puppet, just had installed Puppet master on Centos. And managing Linux Windows nodes, now I would like to deploy and execute script on one of my Linux Box Remotely from Puppet Master. Appreciate your help. Pls. share steps to be followed for achieving above task.

It depends on what you mean by that. If the target node is already registered with the master, and the agent is running on a regular schedule (whether as a standalone service or via a scheduler service such as cron), then you can proceed more or less as JuanBrein described. There are many variations, nuances, and caveats that he didn't cover, but I'll hold off on those for now, except this one: the approach described will result in the agent running the specified command as part of its next scheduled run.

If instead you want to deploy and run your script right away, then you need something more or different, such as MCollective, for example.

John
Re: [Puppet Users] Re: Puppet Resources Ordering
Thanks for this information. I'm now looking at the anchor pattern.

On Sep 16, 2013, at 6:43 AM, jcbollinger john.bollin...@stjude.org wrote:
> On Monday, September 16, 2013 12:19:50 AM UTC-5, Rahul Khengare wrote:
>> Hi Chengkai,
>> I have faced similar kind of problem for class ordering using ordering arrow (->). You can try the stage resources for ordering classes.
>
> Run stages are indeed a mechanism for controlling application order of classes, but they are an awfully big and blunt hammer. Indiscriminate use of stages is likely to get you into trouble. Instead, you should fix the problem with your classes.
>
>> On Sunday, September 15, 2013 10:44:17 AM UTC+5:30, chengkai liang wrote:
>>> Hi All, I have the following classes define: init.pp
>>>
>>>     class { 'A': } ->
>>>     class { 'B': } ->
>>>     class { 'C': }
>>>
>>> Supposedly, the execution order should A then B then C, but the actual execution order seems that C is being executed before B. Why is this happening? Isn't -> will chain up the resources order?
>
> Chances are that the chain operator works fine, but your expectation of what it means to apply (not execute) a class is flawed. Problems of this kind are usually containment issues: when one class declares another, that does not inherently place any ordering relationship between the declared and declaring classes, nor are relationships between the declaring class and any resources or other classes directly relevant to the declared class. This is quite different from the case of actual resources declared by a given class. The distinction is intentional and necessary, but that's a separate topic.
>
> As JuanBrein suggested, you can find more information about the issue and the most common solution, the anchor pattern, in the language docs. Here's a link: http://docs.puppetlabs.com/puppet/3/reference/lang_containment.html .
>
> John
[Puppet Users] Re: The security of the puppet master
On Monday, September 16, 2013 2:20:21 AM UTC-5, huangm...@gmail.com wrote:
> Hi, guys. When you use puppet to manage all your production servers, the security of the puppet master is very very very very important, because if a hacker controls the puppet master server, they can control all your servers and can do anything they want.

True.

> I think most companies use a VPN network to connect the puppet agent and the puppet master, but I think it's not safe enough. If someone's work PC is controlled by a hacker, the hacker can get into the VPN network. Or the hacker is someone who is not allowed to use the puppet master. VPN is safe, but not enough.

Not exactly. VPN is only really relevant for remote clients. It is fairly common -- I would even say typical -- for the master and all managed servers to reside on the same physical network within the organization.

Nevertheless, the fact remains that if an attacker compromises a machine belonging to the target organization, then he might be able to access the network on which the Puppet master resides, whether via VPN or otherwise. Even so, that is quite different from compromising the master itself. It would be unusual for access to a client machine to enable an assailant to modify anything about the master. For that, an assailant would need to compromise the credentials of a user having login access to the master. In a secure setup, there might be NO such users defined outside the master itself, so that an attacker would need to compromise the master by other means than analyzing data found on the compromised client.

I think you are overstating the risk.

> So, the puppet master needs 3A: Authentication, Authorization, Accounting. Everybody who pushes a puppet manifest needs 3A, and to use a cert to sign the code.

Puppet uses SSL certificates both to securely identify the master to agents and to securely identify agents to the master. Unless bypassed, that same system provides for one-time manual authentication of each agent. This allows the master to avoid serving sensitive configuration information to machines that are not authorized to have it, and allows clients to confirm that they are receiving their configs from the correct, trusted source.

> The puppet master only allows signed manifest code.

Of course there is the question of security of the master's manifests, separate from the issue of securely serving compiled catalogs to clients. That is not managed directly by Puppet, but shops that care about security -- i.e. most of them -- have procedures in place to mitigate the associated security risks to their satisfaction.

> In my environment, I do not use a puppet master. The puppet agent downloads the signed manifest from an rsync server, verifies the manifest and runs it. I think it's safer than the puppet master publishing the code, because I use a networkless PC to sign the code, then copy the code to the rsync server.

I'm glad you are satisfied with that solution. Please refer to my above comments about security risk mitigation.

> So, the security risk moves to all puppet agents, not the puppet master or rsync server.

Are you asking for comments about your approach? Well, then, it is more secure than a default master / agent setup with respect to the integrity and validity of the information served to clients, because the configuration authority cannot be compromised over the network. Security risk does not ALL move to the agents, however: the rsync server still constitutes a single point of failure that could be targeted for denial of service.

Additionally, your approach does not appear to provide for limiting configuration information to the clients that need it. That is, I don't see how you can avoid serving the complete manifest set to every client, thus if the manifests contain any sensitive information then you expose it to anyone who compromises *any* client. At minimum, you provide a map of your entire managed infrastructure to assailants. That could be a greater risk than those you avoid.

Information security is a complex subject, filled with trade-offs. There is no solution that is right for everyone. I think Puppet's built-in security mechanisms are fairly good, and I rely on them, but nothing can satisfy everyone.

John
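The verify-then-run step of the signed-manifest workflow discussed in this thread, as an added example that is not from any poster in the thread. The bundle layout (a tarball holding manifests/site.pp and modules/), the detached `openssl dgst` signature format and the `PUPPET_APPLY` override are assumptions made for the example.

```shell
#!/bin/sh
# Agent-side gate: only hand a manifest bundle to puppet after its detached
# signature verifies against a public key installed out of band.
# Assumed (hypothetical) inputs: BUNDLE is a gzip'd tarball containing
# manifests/site.pp and modules/; SIGNATURE was produced on the offline
# signing machine with `openssl dgst -sha256 -sign`.

# verify_bundle BUNDLE SIGNATURE PUBKEY
# Returns 0 only if SIGNATURE is valid over BUNDLE under PUBKEY,
# 2 if any input file is missing, non-zero otherwise.
verify_bundle() {
    [ -f "$1" ] && [ -f "$2" ] && [ -f "$3" ] || return 2
    openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
}

# apply_signed_bundle BUNDLE SIGNATURE PUBKEY
# Copies bundle and signature into a private directory first, so the bytes
# that are verified are the bytes that get unpacked (the rsync target could
# be rewritten between check and use). Nothing is unpacked or applied when
# the signature check fails.
apply_signed_bundle() {
    work=$(mktemp -d) || return 1
    cp "$1" "$work/bundle.tgz" && cp "$2" "$work/bundle.sig" || {
        rm -rf "$work"
        return 1
    }

    if ! verify_bundle "$work/bundle.tgz" "$work/bundle.sig" "$3"; then
        echo "refusing to apply: signature check failed for $1" >&2
        rm -rf "$work"
        return 1
    fi

    mkdir "$work/tree" && tar -xzf "$work/bundle.tgz" -C "$work/tree" || {
        rm -rf "$work"
        return 1
    }

    # PUPPET_APPLY lets a test substitute a stub; the default is the real command.
    ${PUPPET_APPLY:-puppet apply} --modulepath "$work/tree/modules" \
        "$work/tree/manifests/site.pp"
    rc=$?
    rm -rf "$work"
    return $rc
}
```

A valid signature proves origin, not freshness: an older, validly signed bundle served from the rsync host still passes this check, and every agent still receives the full manifest set, which is the exposure John describes above.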
[Puppet Users] Unable to specify hierarchy for data-in-modules
Hello,

I'm running Puppet agent stand-alone on Windows. I got data-in-modules working. However, no matter what I put into the module hiera.yaml, I can only override the defaults from common.yaml by osfamily (and not, e.g., by environment).

In the setup below the following command outputs:

    puppet apply --binder -e "notice lookup('my_key')" --environment=local
    Notice: Scope(Class[main]): windows-value
    Notice: Compiled catalog for myhostname in environment local in 1.40 seconds

And if I delete the osfamily directory, the same command outputs common-value.

So, even though osfamily is not part of the hierarchy, it's used to override the common value. Conversely, environment is part of the hierarchy, but it's not used.

Did I miss anything?

Thanks,
Igor.

Module structure:

    my_module/
      hiera.yaml
      data/
        common.yaml
        environment/
          local.yaml
        osfamily/
          windows.yaml

hiera.yaml contains:

    ---
    version: 2
    hierarchy: [
      ['environment', '${environment}', 'data/environment/${environment}'],
      ['common', 'true', 'data/common']
    ]

data/common.yaml contains:

    ---
    my_key: 'common-value'

data/osfamily/windows.yaml contains:

    ---
    my_key: 'windows-value'

data/environment/local.yaml contains:

    ---
    my_key: 'local-value'
[Puppet Users] Re: /var/opt/lib/pe-puppet/reports/$hostname yaml files not recent
Still cannot figure out why I have such a variety of dates for the yaml files that exist in /var/opt/lib/pe-puppet/reports/`hostname` on each node. Each node is configured with report = true, and the reports are supposedly being sent to the Master. Not sure at all why sometimes I get a local yaml file, and sometimes I don't.

Anyway, I'm using Puppet Enterprise, and my reading of the docs tells me the Master is storing the info from each run in PuppetDB. Anyone have any luck extracting info from PuppetDB? Again, what I'm looking for is what Puppet changed or wants to change on each node.

Thanks.

On Saturday, September 14, 2013 3:16:35 PM UTC-4, root wrote:
> Cross-posted from Puppet Enterprise Users:
>
> Is Puppet Enterprise (3.0) supposed to create a yaml file in /var/opt/lib/pe-puppet/reports/$hostname every time it runs? Because the files in this directory on all my nodes are not very consistent and they are not recent. If I do a puppet run on the node either through the Console or manually on the node, it does not create a new yaml report file.
>
> My bigger need is to generate my own custom reports from Puppet runs. I thought these yaml files would be easier to parse than the log messages sent to syslog. The information I want to display is a summary of what Puppet found to change for particular class/modules.
>
> Thanks.
[Puppet Users] Re: SSH configuration Question
On Sunday, September 15, 2013 10:00:16 PM UTC-5, John.1209 wrote:
> I'm somewhat new to puppet and I have this issue with SSH. Let's say I have 6 different SSH configurations. How do I get puppet to install or upgrade SSH based on the configurations? Assume the O/S and SSHD versions are all the same.
>
> So let's say I have different configurations that run SSHD with the following ports: Port 22 Port Port 1000, and so on. How can I write or modify the puppet openssh module to update the different configurations?
>
> Thanks in advance.

There are two separate issues here: how to provide for variation in machine-to-machine configuration details within a single module, and how to make Puppet choose the correct configuration for each machine. These are not completely separate. But I will start by focusing on the former.

Basically, the problem you are asking about is that of site-specific module data. You need to be able to feed data about your site and the machine being configured into your module in order for the managed resources to be configured correctly. This is where Puppet variables come in. You can rely on variables defined by any declared class (including the one wherein you are declaring the needed resources), by the relevant node block (if any), or at top scope. You can use these variables directly as or in resource parameter values, or you can use them in ERB templates evaluated via the template() or inline_template() functions. Templates are often used for the content of configuration files.

The next question, then, is how variables get their values. There are several ways:

- node facts are exposed as global variables; their values are provided by the client as part of the catalog request
- node-scope variables are defined by node blocks, typically based on the target node's identity
- variables at any level can be set to the results of Puppet functions. This is particularly powerful, as functions can compute their results by any means. Some, such as hiera() and its siblings, are specifically designed to look up values in external files.
- variables that happen to be class or definition parameters can receive their values from explicit class or resource declarations or from default values; class parameters can also receive their values from an external node classifier (ENC) or from automated data binding via the hiera external data subsystem.

As far as the module design goes, the best approach would probably be to rely on external data, with sensible default values declared where there are any. For example,

    class ssh_server::config {
      # ...
      $port = hiera('ssh_server::config::port', 22)
      # ...
      file { '/etc/ssh/sshd_config':
        ensure  => file,
        owner   => 0,
        group   => 0,
        mode    => '0600',
        content => template('sshd_config.tmpl')
      }
    }

Then, somewhere in the template you have

    #...
    Port <%= @port %>
    #...

Note that it is quite popular these days to make class parameters out of the characteristic data of your classes. The practice is more popular than I think is warranted by its technical merits, but if you wanted to go that route then the beginning of the above class might look something like this:

    class ssh_server::config (
      # ... maybe other parameters ...
      $port = 22
    ) {
      # ...
      file { '/etc/ssh/sshd_config':
        #...

John
Re: [Puppet Users] Re: SSH configuration Question
I wrote an ssh_config defined type, unpublished, to manage every sshd config value. This allowed me to set custom options like $port, $allowgroups, create $match and $match_conditions, etc, on a server by server basis.

--
Later,
Darin

On Mon, Sep 16, 2013 at 12:02 PM, jcbollinger john.bollin...@stjude.org wrote:
> On Sunday, September 15, 2013 10:00:16 PM UTC-5, John.1209 wrote:
>> I'm somewhat new to puppet and I have this issue with SSH. Let's say I have 6 different SSH configurations. How do I get puppet to install or upgrade SSH based on the configurations? Assume the O/S and SSHD versions are all the same.
>>
>> So let's say I have different configurations that run SSHD with the following ports: Port 22 Port Port 1000, and so on. How can I write or modify the puppet openssh module to update the different configurations?
>>
>> Thanks in advance.
>
> There are two separate issues here: how to provide for variation in machine-to-machine configuration details within a single module, and how to make Puppet choose the correct configuration for each machine. These are not completely separate. But I will start by focusing on the former.
>
> Basically, the problem you are asking about is that of site-specific module data. You need to be able to feed data about your site and the machine being configured into your module in order for the managed resources to be configured correctly. This is where Puppet variables come in. You can rely on variables defined by any declared class (including the one wherein you are declaring the needed resources), by the relevant node block (if any), or at top scope. You can use these variables directly as or in resource parameter values, or you can use them in ERB templates evaluated via the template() or inline_template() functions. Templates are often used for the content of configuration files.
>
> The next question, then, is how variables get their values. There are several ways:
>
> - node facts are exposed as global variables; their values are provided by the client as part of the catalog request
> - node-scope variables are defined by node blocks, typically based on the target node's identity
> - variables at any level can be set to the results of Puppet functions. This is particularly powerful, as functions can compute their results by any means. Some, such as hiera() and its siblings, are specifically designed to look up values in external files.
> - variables that happen to be class or definition parameters can receive their values from explicit class or resource declarations or from default values; class parameters can also receive their values from an external node classifier (ENC) or from automated data binding via the hiera external data subsystem.
>
> As far as the module design goes, the best approach would probably be to rely on external data, with sensible default values declared where there are any. For example,
>
>     class ssh_server::config {
>       # ...
>       $port = hiera('ssh_server::config::port', 22)
>       # ...
>       file { '/etc/ssh/sshd_config':
>         ensure  => file,
>         owner   => 0,
>         group   => 0,
>         mode    => '0600',
>         content => template('sshd_config.tmpl')
>       }
>     }
>
> Then, somewhere in the template you have
>
>     #...
>     Port <%= @port %>
>     #...
>
> Note that it is quite popular these days to make class parameters out of the characteristic data of your classes. The practice is more popular than I think is warranted by its technical merits, but if you wanted to go that route then the beginning of the above class might look something like this:
>
>     class ssh_server::config (
>       # ... maybe other parameters ...
>       $port = 22
>     ) {
>       # ...
>       file { '/etc/ssh/sshd_config':
>         #...
>
> John
Re: [Puppet Users] Re: Resolving/ Expanding module puppet:/// URI in exec line
From the command line all works fine, only not from Puppet. BTW, I am not the only one with this complaint online on your forums and elsewhere, people complain that Tar works, but not UnTar.

-S

On 9/12/13 5:54 AM, Matthew Burgess wrote:
> On 11 September 2013 23:55, slafreni...@b-e-f.org wrote:
>> Ed, I am having trouble unzipping any tarball via Puppet. So I installed your module to see how you might have done it. It runs, it creates the javapath and copies the file... but I get the same error that I get on my modules... can I please ask how you made unzip work? I am on Ubuntu 10.4.1, and 2.6.4 (Puppet Enterprise 1.0).
>>
>>     err: /Stage[main]/Apache-maven-v3/Exec[install_maven_v3]/returns: change from notrun to 0 failed: /bin/tar zxf /usr/local/java/apache-maven-3.0.3-bin.tar.gz returned 2 instead of one of [0] at /etc/puppetlabs/puppet/modules/apache-maven-v3/manifests/init.pp:18
>
> What happens if you run '/bin/tar zxf /usr/local/java/apache-maven-3.0.3-bin.tar.gz' from the command line?
>
> Additionally, you could change your manifest so that it executes 'pwd && /bin/tar zxf /usr/local/java/apache-maven-3.0.3-bin.tar.gz' so that you can see what directory the contents of the file are being extracted to.
>
> My suspicion is that you're either extracting to the wrong directory, or the directory you're extracting to has incorrect permissions set on it or the tar file has incorrect permissions set on it.
>
> Regards,
> Matt.
Re: [Puppet Users] Re: Incorrect return code for failed exec
Done: https://projects.puppetlabs.com/issues/22572

On Thursday, September 12, 2013 10:07:49 AM UTC-4, Rob Reynolds wrote:
> Please log this at https://projects.puppetlabs.com/projects/puppet/issues/new
> In keywords, please put windows. Thanks.
>
> On Tue, Sep 10, 2013 at 11:29 AM, Igor Berger codew...@gmail.com wrote:
>> Should I log an issue about this someplace?
>>
>> On Tuesday, September 3, 2013 10:56:01 AM UTC-4, Igor Berger wrote:
>>> It returns 1053. The sc start command prints:
>>>
>>>     [SC] StartService FAILED 1053: The service did not respond to the start or control request in a timely fashion.
>>>
>>> You can easily reproduce it by registering a service with a non-existing executable:
>>>
>>>     sc create MyService binPath= C:\NotThere.exe
>>>
>>> Then add this to a test.cmd file:
>>>
>>>     sc start MyService
>>>     echo %errorlevel%
>>>
>>> On Tuesday, September 3, 2013 10:34:32 AM UTC-4, Rob Reynolds wrote:
>>>> What does cmd /c sc start MyService return?
>>>>
>>>> On Tue, Sep 3, 2013 at 9:23 AM, Igor Berger codew...@gmail.com wrote:
>>>>> As I mentioned, I'm running into this issue when the service fails to start. sc start returns a failure, Puppet mentions it in the log file. The problem is that puppet apply returns 0 (success) to the shell when sc start fails. However, puppet apply --detailed-exitcodes returns a failure to the shell correctly.
>>>>>
>>>>> On Monday, September 2, 2013 1:51:31 AM UTC-4, Rahul Khengare wrote:
>>>>>> Hi Igor,
>>>>>> You can run the sc start MyService command manually on your machine and check whether the service runs correctly. Also check that the environment parameters are set for that service. Can you explain your query in more detail?
>>>>>>
>>>>>> Thanks and Regards,
>>>>>> Rahul Khengare,
>>>>>> NTT DATA OSS Center, Pune, India.
>>>>>>
>>>>>> On Saturday, August 31, 2013 3:20:54 AM UTC+5:30, Igor Berger wrote:
>>>>>>> Hello,
>>>>>>> I'm running puppet agent standalone on Windows. The last step in the manifest is
>>>>>>>
>>>>>>>     exec { 'start_service': command => 'sc start MyService' }
>>>>>>>
>>>>>>> When the service has a problem and doesn't start, Puppet logs:
>>>>>>>
>>>>>>>     /Stage[main]//Exec[start_service]/returns (err): change from notrun to 0 failed: sc start MyService returned 29 instead of one of [0]
>>>>>>>
>>>>>>> However, the %errorlevel% returned is still 0. However, if I use --detailed-exitcodes, the %errorlevel% is correctly set to 6.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Igor.
>>>>
>>>> --
>>>> Rob Reynolds
>>>> Developer, Puppet Labs
>>>> Join us at PuppetConf 2014, September 23-24 in San Francisco
>
> --
> Rob Reynolds
> Developer, Puppet Labs
Re: [Puppet Users] default data lookup w/ hiera2? Data in Modules
And yes, a 3rd positional argument for the default would be fantastic. (For now...)

On Thursday, September 12, 2013 12:13:37 AM UTC+3, Henrik Lindberg wrote:
> Does adding a 3rd argument to lookup for default cut it for you?
>
> Regards
> - henrik
Re: [Puppet Users] default data lookup w/ hiera2? Data in Modules
Henrik,

Thank you for your quick response. Sorry mine wasn't so quick - Google ate my message, perhaps it contained too many curly braces. :)

Anyhow, adding a default argument option to lookup() would be great. But adding the option to pass a hash with keyword arguments would be even better! Python solved the API UI for this quite well with **, and *. http://docs.python.org/release/2.7.4/tutorial/controlflow.html#keyword-arguments and http://docs.python.org/release/2.7.4/tutorial/controlflow.html#unpacking-argument-lists

Imo, the 2nd positional argument of the lookup() function should accept ONLY a hash. Otherwise, what would I do if I want to set a hash to BE the default argument? e.g.,

1st Positional argument as a hash? Ambiguous positional argument (error!)

    lookup('namespace::some_hash', {'my_key' => 'my_value'})

More explicit, better:

    lookup('namespace::some_hash', { type => 'Hash', default => {'my_key' => 'my_value'} })

On Thursday, September 12, 2013 12:13:37 AM UTC+3, Henrik Lindberg wrote:
> Thank you for the feedback, very good comments. See more inline...
>
> On 2013-11-09 11:02, robbyt wrote:
>> I am reading over the release notes for Puppet 3.3, and buried under data in modules is a link to ARM-9.
>>
>> There is a good chance that I don't get it - Puppet is moving pretty fast these days and I am still trying to get caught up with all of the changes. I have only read the latest Puppet code and the ARM docs - I have not tried it on a real system yet.
>>
>> However, I am concerned about the usefulness of the default lookup syntax. I find the examples in the ARM document a bit obtuse. https://github.com/puppetlabs/armatures/blob/master/arm-9.data_in_modules/index.md#lookup-with-default
>>
>> With hiera1, we can (very simply) do:
>>
>>     hiera("namespace::key_name", "default value")
>>
>> Hiera2 requires some more work:
>>
>>     $x = lookup('something')
>>     $looked_up = $x ? { undef => 'nothing', default => $x }
>>
>> This is ugly. Checking if variables are undefined, and then setting them to a default is what we did in bash. Not good.
>
> The challenge here was to have a function that works for 3x as well as for what is being worked on for 4x (where the data-in-modules supposedly is on by default along parser future). When we reach that point, it is possible to reference a type directly without having to encode it in a string. i.e. it will be possible to do like this:
>
>     lookup('mykey', Integer)
>
> For 3.x this was not possible and the signature of the lookup function is now lookup(String key, String type), or just lookup(String key), and thus difficult to handle both type and default value as optional (given two strings, is that key and type or key and default).
>
> We have a couple of options before 4x:
> a) Add a third argument, and if a default is wanted, type must be specified.
> b) Add the ability to pass arguments as a hash, it can either be a third argument, or used instead of the type argument. (i.e. giving arguments by name instead).
>
> The first is simple to add, the second does not work well unless the future parser is also used.
>
> Examples:
>
>     # a
>     lookup('mykey', 'Integer', 42)
>
>     # b (requires future parser since 3x does not support direct passing
>     # of a hash
>     lookup('mykey', 'Integer', { default => 42})
>     lookup('mykey', { type => 'Integer', default => 42})
>
>     # In 4x. this will be possible:
>     lookup('mykey', 'Integer', 42)
>     lookup('mykey', Integer, 42)
>     lookup('mykey', 42)
>     lookup('mykey', Integer)
>
> If future parser is used, it is also possible to use a lambda, there is no need to first assign variable and then check - i.e.
>
>     $x = lookup('something') {|$x| $x ? { undef => 'nothing', default => $x } }
>
> which is just slightly better, but still bulky.
>
> I am in favor of adding the 3rd argument for default, and until 4x the lookup must then also use type.
>
> What do you think about that?
>
>> On the positive side, the lookup function adds a static type checker, but it also fails to be completely useful because we cannot (?) define our own static types or validators. If we had the ability to define our own type check via lambda or other function, this would be useful. We could do complex validation on data, more than just 'string' or 'array'.
>>
>> I would like to see something like:
>>
>>     lookup('namespace::key_name', custom_validator_function)
>>
>> Where the custom_validator_function could be any puppet parser function OR since we now worship the great λ, we should be able to use an anonymous function in-place to validate the input (and in this fictitious example, set a default value):
>>
>>     lookup('namespace::key_name', |$val| {$val or 'default value'} )
>
> There is a short and a long answer. Short answer, the lookup already takes a lambda which can do validation and handle default value. This works now with --parser future.
>
> Longer
Re: [Puppet Users] Re: How to specify kernel version from puppet and downgrade pkg version.
Hello John

Thanks very much! I am a new user of Puppet. If I have a lot of machines with different kernel versions installed, and I want them all to install the same version, do I need to specify deletion of all other kernel versions?

Another question: I didn't find where to set the arch of a package in the resource type.

Best regards
Xiaofei

On 2013/9/16 22:31, jcbollinger wrote:

On Monday, September 16, 2013 1:57:19 AM UTC-5, Yan Xiaofei wrote:

Hello I have some kernel module rpms related to a specific kernel version. Is there a method to control kernel versions by puppet?

You can use Puppet to install and remove kernel packages. You can control what version of a given package must be installed. You can use facts to determine which kernel version is currently running -- there are built-in facts for this.

Another question is: Sometimes we need to upgrade a pkg version and downgrade a pkg version; is that possible by puppet?

You can specify specific package versions that are supposed to be installed, and Puppet will attempt to achieve it. As with most things related to packages, this works best when the underlying package manager relies on a package repository somewhere, as many do. You can also ask that Puppet ensure the latest available version of a given package is installed. Refer to the docs for the Package resource type: http://docs.puppetlabs.com/references/3.stable/type.html#package

John
[Puppet Users] Re: End of Life Plan for Puppet 2.7.x
Hey Sam, following up from Puppet Conf. Anything I can do to assist with forthcoming 2.7.x releases? In particular, the full deprecation notices you mentioned in person would be great to get into a release!

Cheers,
Aaron

On Wednesday, August 21, 2013 3:03:18 PM UTC-7, Sam Kottler wrote:

Will Farrington, Andrew Parker, Mike Stahnke, and I just had a conversation at PuppetConf about the future of 2.7 and decided that Will and I will be maintaining and managing releases for the 2.7 branch. This means that Puppet Labs will be hosting 2.7 packages on the releases page and in package repos at least until September 30, 2014 when the Puppet Enterprise 2.x lifecycle ends. Will and I will write the release notes for 2.7 and will likely set up a separate Jenkins instance to run integration and functional tests. We'd love some help on the QA side going forward so feel free to reach out if you're interested in getting involved.

One of the motivations behind this change is that the packages in EPEL and Debian wheezy rely (or will very soon) on a stable 2.7 branch due to the large number of breaking changes in 3.0+. This branch will serve as an upstream for those repos. Let me know if you've got any questions.

-Sam

On Thursday, July 11, 2013 9:28:08 AM UTC-7, Michael Stahnke wrote:

The time has come for us to say good-bye to the Puppet 2.7 series. This means the security fixes, bug fixes, and features provided for Puppet 2.7 since its release in June 2011 will cease on October 1, 2013. We strongly encourage users who have not already upgraded to move forward to the Puppet 3 series, originally released on Sept 28, 2012. This version is actively developed and maintained, with Puppet 3.2.2 released June 18 and 3.2.3 currently in a release candidate phase.

To support your upgrade, please make use of the following resources:

Puppet Labs Upgrade Guide: http://docs.puppetlabs.com/guides/upgrading.html
Web: http://ask.puppetlabs.com
IRC: #puppet
Mailing list: puppet...@googlegroups.com

Thanks,
Michael Stahnke
Engineering
Re: [Puppet Users] Re: Resolving/ Expanding module puppet:/// URI in exec line
On Monday, September 16, 2013 10:53:38 AM UTC-5, Sean LaFreniere wrote:

From the command line all works fine, only not from Puppet. BTW, I am not the only one with this complaint online on your forums and elsewhere, people complain that Tar works, but not UnTar.

-S

I see no reason to think that this arises from a bug in Puppet. Almost certainly it involves issues with how Puppet is being used. Here are some of the aspects of the execution environment provided by Puppet Exec resources that could be related to such issues:

- Puppet provides a very sparse environment to commands it executes. Any other desired environment variables need to be specified in the 'environment' property of the Exec resource or set within the command itself. Environment variables are not inherited from the environment provided to the agent, nor are the shell startup files read.
- The working directory in which the command starts is not defined unless you provide the 'cwd' parameter to the Exec.
- The 'command', 'unless', and 'onlyif' commands of every exec all have independent environments. You cannot use any of them to modify the environment variables or working directory provided to others.
- If you want an executable search path, you must provide it via the 'path' parameter or among the specified environment variables. Otherwise, you must give the fully-qualified pathname of the command(s) you want to run.
- By default, the command is run with the credentials and security context of the Puppet process. Even though the agent normally runs as a privileged user, mandatory access controls (e.g. SELinux) may still deny it permission to perform some actions.
- Privileged users on the local system may have less -- or even no -- privilege on remote systems. This can be an issue, for example, with remote NFS filesystems mounted on the local machine.
- By default the command is passed directly to the system to execute, bypassing the shell. On POSIX clients, setting provider => 'shell' will cause the command to be executed via '/bin/sh', instead, or you can always Exec the shell directly.
- By default, success of an Exec is judged by whether the command exits with code 0. Additional or different successful exit codes can be specified via the 'returns' parameter.

All of those are intentional and logical, but some may nevertheless take users by surprise, especially users more used to a script-centric model of system administration. The Puppet model does not work the same way.

John
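The Exec execution rules listed in the message above, modelled in a few lines of Python as an added illustration; this is not Puppet's code and not from the thread. `run_like_exec`, `demo` and their parameters are hypothetical names that mirror the attributes mentioned ('path', 'environment', 'cwd', 'returns', provider shell), and the script and variable values are constructed.

```python
import os, shlex, shutil, subprocess, tempfile

def run_like_exec(command, path=None, environment=(), cwd=None,
                  returns=(0,), use_shell=False):
    """Model of the Exec rules listed above; not Puppet's implementation."""
    # Only explicitly listed variables reach the child; nothing is inherited.
    env = dict(item.split("=", 1) for item in environment)
    if path:
        env["PATH"] = os.pathsep.join(path)
    if use_shell:
        argv = ["/bin/sh", "-c", command]   # models provider => 'shell'
    else:
        argv = shlex.split(command)         # words only: no pipes or expansion
        if not os.path.isabs(argv[0]):
            found = shutil.which(argv[0], path=env["PATH"]) if path else None
            if found is None:
                raise ValueError(f"{argv[0]!r} is not qualified and not on 'path'")
            argv[0] = found
    try:
        code = subprocess.run(argv, env=env, cwd=cwd,
                              stdout=subprocess.DEVNULL).returncode
    except OSError as exc:                  # e.g. a script without a '#!' line
        return False, f"exec failed: {exc.strerror}"
    return code in returns, f"exit {code}"

def demo():
    """Run constructed commands through the model and collect the verdicts."""
    os.environ["DEMO_TOKEN"] = "set-in-agent-environment"   # constructed value
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "demo_script")
        with open(script, "w") as fh:       # constructed script, no '#!' line
            fh.write("echo configured\nexit 0\n")
        os.chmod(script, 0o700)
        out["direct"] = run_like_exec(shlex.quote(script))
        out["via_sh"] = run_like_exec("/bin/sh " + shlex.quote(script))
    out["not_inherited"] = run_like_exec("/bin/sh -c 'test -z \"$DEMO_TOKEN\"'")
    out["explicit_env"] = run_like_exec("/bin/sh -c 'test \"$MODE\" = prod'",
                                        environment=["MODE=prod"])
    out["with_path"] = run_like_exec("sh -c 'exit 0'", path=["/bin", "/usr/bin"])
    out["exit2"] = run_like_exec("/bin/sh -c 'exit 2'")
    out["exit2_allowed"] = run_like_exec("/bin/sh -c 'exit 2'", returns=(0, 2))
    return out

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```

The "direct" case fails because the kernel refuses to execute a text file that has no interpreter line, while the same file succeeds when handed to /bin/sh explicitly.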
Re: [Puppet Users] Re: Need input on how to run a file with list of commands
Hello Wolf,

Thanks for the reference. It is very useful information.

Thanks again,
Mani

On Sun, Sep 15, 2013 at 10:58 PM, Wolf Noble w...@wolfspyre.com wrote:

Glad to hear you got it worked out! You might have good luck with this module for controlling network interfaces https://github.com/adrienthebo/puppet-network

=MobileMail= Please excuse brevity or spelling errors

On Sep 15, 2013, at 22:31, Mani Devarajan manidevara...@gmail.com wrote:

All,

Adding /bin/bash helped fix the issue. Thanks all.

    command => "/bin/bash $intconfigfile",

Thanks,
Mani

On Sunday, September 15, 2013 4:55:08 PM UTC-7, Mani Devarajan wrote:

Hello,

I am downloading a file from the puppet master which has a list of ifconfig commands, and running it using an exec command on the client. But it fails: change from notrun to 0 failed: intconfig returned 1 instead of one of [0] at. Any suggestions on how to overcome this error? Thanks in advance.

File content:

    ifconfig eth3 up
    exit 0

Puppet code:

    file { $intconfigfile:
      owner  => root,
      group  => root,
      mode   => 777,
      source => "puppet:///files/$intfilename",
    }

    exec { config_uplink:
      command => $intconfigfile,
      require => File[$intconfigfile]
    }

Error:

    err: returns: change from notrun to 0 failed: intconfig returned 1 instead of one of [0] at

Thanks,
Mani
[Puppet Users] Need help with defining same package resource in two modules
Hello all,

I have two puppet modules, A and B. A module is enabled or disabled with a flag set to true or false respectively. I need a package pkg1 to complete the workflow of B.

Module A:

    package { pkg1: ensure => installed }

Module B:

    package { pkg1: ensure => installed }

Case1: A=false. When the B module runs, pkg1 is installed and works fine.

Case2: A=true. When B runs it fails:

    Error 400 on SERVER: Duplicate definition: Package[pkg1] is already defined in file A at line ; cannot redefine at

How do I overcome this issue to complete the workflow of module B in both cases (where A is enabled or disabled)?

Thanks,
Mani