Re: [Puppet Users] Re: Moving from manifest files to ENC script - not working...
*Thanks for the details response.* On Tuesday, June 17, 2014 10:28:01 PM UTC+3, jcbollinger wrote: Probably. Hooking up an ENC is not very hard. If the ENC is not running when a catalog request comes in then most likely the ENC it is not properly configured. Supposing that you are running in agent / master mode, the ENC needs to be set up on the master. There, the 'node_terminus' configuration parameter must be set to exec and the 'external_nodes' configuration parameter must be set to the absolute pathname of the ENC script. Furthermore, the script must be accessible and executable by the master, which typically does not run as a privileged user. Not only the script, but also all directories in the path to it must be readable and executable/traversable by the master. File permissions and other access controls may come into play here. Also, once it is properly configured, you need to restart the master in order for the new configuration to be noticed. All done already as you describe. It is highly unlikely that the master is running the ENC successfully, the output is what you say, and yet it is ignored. Is there any way to debug it? I would start by looking at the master's log. If you're not already running the master with --debug output turned on, then I would do that, too, to make the log more informative. Likewise, look at the agent's log. In particular, make sure the agent successfully retrieved a fresh catalog from the master -- it will complain if it cannot do so, but it may then proceed to use a cached catalog. I will try that. John Thanks a lot! -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/491960a1-8081-4835-a18f-c546bc88e988%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Open puppet port(s) to the internet
It uses port 8140 and ssl. It is client cert authenticated. So, barring something like heartbleed, you're about as good as logging in to any website that uses ssl. On Jun 17, 2014 10:19 AM, jmp242 jp10...@gmail.com wrote: I probably don't really understand much about how puppet connects to the clients, but is there a big security risk about opening it up to the internet so laptops can get their configuration... If it's safe enough for any value of safe, what ports does it use? Thanks, -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/f85a67b5-96f2-4ffe-a655-5df3ea018ec0%40googlegroups.com https://groups.google.com/d/msgid/puppet-users/f85a67b5-96f2-4ffe-a655-5df3ea018ec0%40googlegroups.com?utm_medium=emailutm_source=footer . For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CADt6FWM%2BCS7xde-C9ZGwzDrXaKQ%2BVEUY7oJd_4izte0p0-K1aA%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Re: Large files over puppet
Thanks John, your opinion is really helpful :) El martes, 17 de junio de 2014 15:30:53 UTC+2, jcbollinger escribió: On Tuesday, June 17, 2014 3:45:57 AM UTC-5, Félix Barbeira wrote: I always heard that serve large files over puppet is a bad practice. But...I guess it depends of what you consider a large file. Everyone agree that serve for example a 25MB file over puppet it's definitely not recommended. It is generally useful in such cases to understand *why* a thing is considered poor practice. Otherwise it's very hard to reason about questions such as the one you are posing. The general advice to avoid serving large files via the Puppet master's built-in file server is based on Puppet's default behavior of using MD5 checksums to determine whether the target file's content is already in sync. Checksumming the source and target files is comparatively expensive, and the master must do it for each catalog request for each client for each File resource in its catalog (that uses the default checksum method). My question is wether a text file of ~7000 lines and ~700KB would be acceptable. Do you think this file rebase puppet recommended size limits for file and it's big enough to use the advices of the following thread?? https://ask.puppetlabs.com/question/627/serving-large-files-formally-code-artifacts-best-practices/ https://www.google.com/url?q=https%3A%2F%2Fask.puppetlabs.com%2Fquestion%2F627%2Fserving-large-files-formally-code-artifacts-best-practices%2Fsa=Dsntz=1usg=AFQjCNEX6OGIKtjD9bPDQi_xRBYq9BN6LA There is no one-size-fits-all answer. If your master can support the combined load, and if the load on your clients (from checksumming on their side) is acceptable, then you are basically ok. Beware, however, of the load creeping up as you add more Files, and mind that your master's client capacity is affected by how much work it must perform for each client. Note, too, that there are multiple possible approaches. If the file(s) you want to serve is static and doesn't change too frequently then packaging it up and managing it via a Package is a good solution, and I would certainly consider that for a 700kB file. Especially so if it's part of a collection that you can package up together. On the other hand, you can also reduce the computational load by switching to a lighter-weight checksum method http://docs.puppetlabs.com/references/3.4.stable/type.html#file-attribute-checksum, at the expense of a greater risk of Puppet mistaking whether the File is already in sync. Or if you put it on a network file server accessible to your clients, then 'source'ing it from there works, and spares the master from checksumming. John -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/c0f34e4d-771c-41fb-b520-8db1a90e8896%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] PuppetDB connection issue - Failed to connect!!
Santanu,. can you please try and update your jetti.ini as follows [jetty] host = 0.0.0.0 port = 8080 *ssl-host = 0.0.0.0* ssl-port = 8081 ssl-key = /etc/puppetdb/ssl/private.pem ssl-cert = /etc/puppetdb/ssl/public.pem ssl-ca-cert = /etc/puppetdb/ssl/ca.pem Restart puppetdb and verify... On Wed, Jun 18, 2014 at 5:03 AM, Sans r.santanu@gmail.com wrote: The puppetdb log is attached in the previous post. And, here is the curl output: root@puppet:~# curl ' http://puppet.internal:8080/v2/metrics/mbean/java.lang:type=Memory' { ObjectPendingFinalizationCount : 0, HeapMemoryUsage : { committed : 86220800, init : 8052480, max : 194641920, used : 41882456 }, NonHeapMemoryUsage : { committed : 63504384, init : 24313856, max : 224395264, used : 63257288 }, Verbose : false, ObjectName : java.lang:type=Memory -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/36c1d8af-e7bb-4d95-960f-f00db7dc460e%40googlegroups.com https://groups.google.com/d/msgid/puppet-users/36c1d8af-e7bb-4d95-960f-f00db7dc460e%40googlegroups.com?utm_medium=emailutm_source=footer . For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAEJrXMUf75zSg1w7PUS3Zb0ufx1WnZtxvcO6W%2Bjdhdbj_7-%3DyQ%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
[Puppet Users] How to get logs in to the same termianl in agent side
Hi, I am executing a shell script in the puppet agent side. If I execute the same shell script in my local machine it will print several log messages to terminal. But when I execute it in the puppet agent it does not print any log into the agent terminal. How can I print the logs of the shell script when I run it using puppet ? I am using following command to execute the shell script. exec { strating: user = 'root', environment = 'JAVA_HOME=/home/malintha/jdk1.6.0', path= $command_path, command= /pathToShellScript/myScript.sh, * logoutput = true,* timeout = 3600, require = Exec['another goal'], } Regards, Malintha Adikari -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/dc3a5a66-8f3d-4efc-b1ab-e0f262efa746%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Re: [Puppet-dev] Re: Announce: Puppet 3.6.2 [ Security and Bug fix Release ]
Hi Josh, On Tuesday, June 17, 2014 6:35:19 PM UTC+2, Joshua Partlow wrote: Is that the issue you are seeing? Sorry for the confustion but I had the deprecation warning from the package type; allow_virtual parameter. Fixed it yesterday, had disable_warnings in the wrong location. Stefan -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/be75fc74-a03f-422f-88b5-dfc5f248f1d2%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Re: Moving from manifest files to ENC script - not working...
Hi, I still can make the ENC work on my puppet server. General: Puppet server: 3.3.1 Puppet agent: 2.7.25 The server run Passenger on Apache, so the puppetmaster run from apache and not by himself. I have in /etc/puppet/puppet.conf : [master] mode_terminus = exec external_nodes = /usr/bin/env PUPPET_DASHBOARD_URL=http://user:pass@localhost:3000 /usr/share/puppet-dashboard/bin/external_node script details: The file external_node contain perl, all the directories and the external_node itself have the permission 755. I did: * When I run the perl script locally (as a regular script from the command line – not with puppet) on the puppet server it run okay and give the YAML output I sent in my previous emails. * looking for errors in messages log and apache log – nothing look suspicious. But the warning: - [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) - YAML in network requests is deprecated and will be removed in a future version. * Also tried to make syntax error in my perl script external_node – got no error in the logs. What make me think maybe: * puppet it not running external_node script at all. * ENC have problems when it Passenger Apache? Thanks for all the people who answer me. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/4c5248b8-35c3-4013-8556-1fd7626682f0%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Re: Connection timed out - connect(2) when using puppet module
On Wednesday, June 18, 2014 12:14:21 AM UTC-5, Torsten Kleiber wrote: Am Dienstag, 17. Juni 2014 15:03:20 UTC+2 schrieb jcbollinger: You mean you have set these in your puppet.conf or in your environment? If the former then which one (file system path) and which section? Are you running as root or as an unprivileged user? I run at the moment with root and have set it via export before the call. After setting it now in puppet.conf, the error changes similar to curl without -k: puppet module install rtyler/jenkins --debug Notice: Preparing to install into /etc/puppet/modules ... Notice: Downloading from https://forgeapi.puppetlabs.com ... Debug: HTTP GET https://forgeapi.puppetlabs.com/v3/releases?module=rtyler-jenkins https://www.google.com/url?q=https%3A%2F%2Fforgeapi.puppetlabs.com%2Fv3%2Freleases%3Fmodule%3Drtyler-jenkinssa=Dsntz=1usg=AFQjCNHu-FqhQGWQIIlMLS_p0AJTBVu6Qw Error: Could not connect via HTTPS to https://forgeapi.puppetlabs.com Unable to verify the SSL certificate The certificate may not be signed by a valid CA The CA bundle included with OpenSSL may not be valid or up to date Well you don't really want to trust unverified certificates, certainly not in an automated way. It sounds like you may need to update your trusted certificate store with one or more new CA certificates. On a RedHat-family Linux, that probably means updating package ca-certificates. For what it's worth, neither Firefox on Windows nor curl (without -k) on CentOS 6.5 complain to me about untrusted SSL certificates when I access that forge URL, and I haven't made any special accommodation for it. John -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/caf39dff-7544-4b4b-81de-d0dada0ae9d2%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Re: Open puppet port(s) to the internet
On Tuesday, June 17, 2014 12:19:08 PM UTC-5, jmp242 wrote: I probably don't really understand much about how puppet connects to the clients, but is there a big security risk about opening it up to the internet so laptops can get their configuration... If it's safe enough for any value of safe, what ports does it use? Thanks, In normal operation, Puppet (the master) *doesn't* connect to clients -- the clients connect to it (on port 8140), thereby establishing a two-way communication channel. Client-side firewalls need to allow outgoing traffic to that port, and accept incoming traffic belonging to an established connection to that port. Those permissions can be narrowed to specific destination networks or machines, if needed. For its part, the master needs to accept connections on port 8140 from all client machines; that can be narrowed to traffic originating on specific networks, if you wish. Each end of the conversation between agent and master authenticates to the other via SSL certificate. Spencer understated the security there: on the web, most SSL connections are authenticated only on one end, so Puppet's communications are even better secured. With that said, if you want laptops in the field to be able to retrieve their configuration, then you have the alternative of requiring them to establish a VPN connection to your internal network in order to do so (especially if users will want / need to use VPN anyway), or of just letting them go without syncing until they return home. The Puppet service itself is pretty well secured, but allowing connections from anywhere on the internet increases your exposure to network-level attacks. John -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/e0d19ab8-de5e-4205-b774-b37b1b595643%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Puppet: Dependency cycle
Hi, I have a weird dependency cycle issue. This is just a test module which I created while trying to solve this issue: modules/testmod/manifests/init.pp: class testmod { package { 'nginx': ensure = installed } service { 'nginx': ensure = running, enable = true, require = Package['nginx'] } } class testmod::nginxtest { file { '/tmp/nginx.test': ensure = present, notify = Service['nginx']; } } manifests/test-node.pp: node 'test-node.site' { class { 'testmod': } class { 'testmod::nginxtest': require = Class['testmod'] } } When I apply this on node test-node.site I get: Error: Could not apply complete catalog: Found 1 dependency cycle: == test-node: (File[/tmp/nginx.test] = Service[nginx] = Class[Testmod] = Class[Testmod::Nginxtest] = File[/tmp/nginx.test]) == test-node: Try the '--graph' option and opening the resulting '.dot' file in OmniGraffle or GraphViz Could you please help me figure out why this is happening ? It seems there is nothing in test mod whih requires testmod::nginxtest . Thanks in advance. -- Best regards, Sergey Arlashin -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/BA65EC71-6CB1-4448-99F0-D25680533960%40gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Historical reporting, BI from puppetdb?
I mentioned Pentaho (albeit spelled incorrectly) as an example, as I saw it mentioned a number of times online due to its open source community variant and full feature set. Thanks for the links, it appears that slurping data into Pentaho via puppetdb's REST API or otherwise is quite possible if enough time is put into it. I'm still wondering if anyone is doing the type of BI I'm talking about today against puppetdb? If so, with what tools? I'm willing to try out a couple solutions, but if there are others doing this successfully, I'd rather not reinvent the wheel. Thanks, RCA On Wednesday, June 18, 2014 12:10:48 AM UTC-5, Ken Barber wrote: And others: http://wiki.pentaho.com/display/EAI/JSON+Input http://wiki.pentaho.com/display/EAI/HTTP+Client Perhaps, you could combine the JSON input perhaps on the contents of a 'puppetdb export' tarball if you wanted to analyze the data from a previous backup :-). ken. On Tue, Jun 17, 2014 at 10:01 PM, Ken Barber k...@puppetlabs.com javascript: wrote: Ryan, What about something like this? http://wiki.pentaho.com/display/EAI/Rest+Client This page seems to mix in general actions with integration steps, but there are more integration types available here: http://wiki.pentaho.com/display/EAI/Pentaho+Data+Integration+Steps ken. On Tue, Jun 17, 2014 at 9:53 PM, Ken Barber k...@puppetlabs.com javascript: wrote: Sorry, do you mean Pentaho? On Tue, Jun 17, 2014 at 9:53 PM, Ken Barber k...@puppetlabs.com javascript: wrote: Thanks, good to know. While the REST API would be the method to get at the data, my issue is that I'm not capable of writing a web app + data repository that can generate web-based reports, etc. I've actually gotten into the habit of running one-off queries using the API with curl to get YAML-formatted reports, which in part got me wanting more. Question, this BI tool Pentah, what formats/apis is it able to ingest beyond SQL? Are there any ETL capabilities built into this tool? Would something like CSV work? ken. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/f7735e83-a9f3-444b-bac0-f3db5a8a147f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Puppet: Dependency cycle
Hi, On 06/18/2014 03:51 PM, Sergey Arlashin wrote: Could you please help me figure out why this is happening ? It seems there is nothing in test mod whih requires testmod::nginxtest . actually yes, there is. file { '/tmp/nginx.test': ensure = present, notify = Service['nginx']; } The 'notify' implicitly puts File['/tmp/nginx.test'] *before* Service['nginx']. The class { 'testmod::nginxtest': require = Class['testmod'] } ends up doing the opposite - wanting the Service['nginx'] before File['/tmp/nginx.test']. HTH, Felix -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/53A19A45.30903%40alumni.tu-berlin.de. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Re: Moving from manifest files to ENC script - not working...
On 18 June 2014 14:10, shlo.af...@gmail.com wrote: Hi, I still can make the ENC work on my puppet server. General: Puppet server: 3.3.1 Puppet agent: 2.7.25 The server run Passenger on Apache, so the puppetmaster run from apache and not by himself. I have in /etc/puppet/puppet.conf : [master] mode_terminus = exec external_nodes = /usr/bin/env PUPPET_DASHBOARD_URL=http://user:pass@localhost:3000 /usr/share/puppet-dashboard/bin/external_node Once again why do you have all that in your external_nodes ? eg what is /usr/bin/env doing, what is PUPPET_DASHBOARD_URL=http:// user:pass@localhost:3000 doing for you? Why not just external_nodes = /usr/share/puppet-dashboard/ bin/external_node Is your external_nodes script executable by puppet? Did you add the node: certname bit to your YAML output as suggested? -- Ritchie script details: The file external_node contain perl, all the directories and the external_node itself have the permission 755. I did: * When I run the perl script locally (as a regular script from the command line – not with puppet) on the puppet server it run okay and give the YAML output I sent in my previous emails. * looking for errors in messages log and apache log – nothing look suspicious. But the warning: - [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) - YAML in network requests is deprecated and will be removed in a future version. * Also tried to make syntax error in my perl script external_node – got no error in the logs. What make me think maybe: * puppet it not running external_node script at all. * ENC have problems when it Passenger Apache? Thanks for all the people who answer me. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/4c5248b8-35c3-4013-8556-1fd7626682f0%40googlegroups.com https://groups.google.com/d/msgid/puppet-users/4c5248b8-35c3-4013-8556-1fd7626682f0%40googlegroups.com?utm_medium=emailutm_source=footer . For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAFWLKddv75ovMwp4wLm-%2Biyog2puEYM0BtEwWW82_Om3ap1VsA%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] PuppetDB connection issue - Failed to connect!!
Thanks Rakesh! But, as you probably can guess, that didn't change a thing; still getting the same error. I'm not sure if PuppetDB look in the DNS record (as opposed to hosts file), in that case it never gonna work. Best!! -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/9c9cc6c3-1059-4b67-abd8-29f8d77e8527%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Puppet: Dependency cycle
Hm, ok. But when I use 'subscribe' instead of 'notify' class testmod { package { 'nginx': ensure = installed } service { 'nginx': ensure= running, enable= true, require = Package['nginx'], subscribe = File['/tmp/nginx.test'] } } class testmod::nginxtest { file { '/tmp/nginx.test': ensure = present } } I get == test-node: Error: Could not apply complete catalog: Found 1 dependency cycle: == test-node: (File[/tmp/nginx.test] = Service[nginx] = Class[Testmod] = Class[Testmod::Nginxtest] = File[/tmp/nginx.test]) == test-node: Try the '--graph' option and opening the resulting '.dot' file in OmniGraffle or GraphViz I do need to have 2 separate modules. I need the class 'testmode' to run before class 'test mod::nginxtest'. And I need to restart service 'nginx' when I change '/tmp/nginx.test'. So then the question is - how to do this properly? Do I need to create something like exec { 'nginx restart': ... } ? On Jun 18, 2014, at 5:55 PM, Felix Frank felix.fr...@alumni.tu-berlin.de wrote: Hi, On 06/18/2014 03:51 PM, Sergey Arlashin wrote: Could you please help me figure out why this is happening ? It seems there is nothing in test mod whih requires testmod::nginxtest . actually yes, there is. file { '/tmp/nginx.test': ensure = present, notify = Service['nginx']; } The 'notify' implicitly puts File['/tmp/nginx.test'] *before* Service['nginx']. The class { 'testmod::nginxtest': require = Class['testmod'] } ends up doing the opposite - wanting the Service['nginx'] before File['/tmp/nginx.test']. HTH, Felix -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/53A19A45.30903%40alumni.tu-berlin.de. For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/9548D943-73FE-41B1-984C-1EDC8FAD40D3%40gmail.com. For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Re: How to get logs in to the same termianl in agent side
I think, you cannot: The manifest is first compiled on Puppet Master and then the catalog (complied manifests) is sent to the agent, where that command actually runs. You can try this instead to see if you get any thing better command= '/pathToShellScript/myScript.sh 21', logoutput = true, Best! -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/3c611f20-e087-42ef-8edd-e8d20d0acc82%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Re: Open puppet port(s) to the internet
Hi Running puppet on port 443 might be a good move if you expect your laptops to be using cafe hotel airport style wifi sslh might be a suitable tool to proxy for puppet I've not tried it though. Regards Neil On 18 Jun 2014 14:30, jcbollinger john.bollin...@stjude.org wrote: On Tuesday, June 17, 2014 12:19:08 PM UTC-5, jmp242 wrote: I probably don't really understand much about how puppet connects to the clients, but is there a big security risk about opening it up to the internet so laptops can get their configuration... If it's safe enough for any value of safe, what ports does it use? Thanks, In normal operation, Puppet (the master) *doesn't* connect to clients -- the clients connect to it (on port 8140), thereby establishing a two-way communication channel. Client-side firewalls need to allow outgoing traffic to that port, and accept incoming traffic belonging to an established connection to that port. Those permissions can be narrowed to specific destination networks or machines, if needed. For its part, the master needs to accept connections on port 8140 from all client machines; that can be narrowed to traffic originating on specific networks, if you wish. Each end of the conversation between agent and master authenticates to the other via SSL certificate. Spencer understated the security there: on the web, most SSL connections are authenticated only on one end, so Puppet's communications are even better secured. With that said, if you want laptops in the field to be able to retrieve their configuration, then you have the alternative of requiring them to establish a VPN connection to your internal network in order to do so (especially if users will want / need to use VPN anyway), or of just letting them go without syncing until they return home. The Puppet service itself is pretty well secured, but allowing connections from anywhere on the internet increases your exposure to network-level attacks. John -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/e0d19ab8-de5e-4205-b774-b37b1b595643%40googlegroups.com https://groups.google.com/d/msgid/puppet-users/e0d19ab8-de5e-4205-b774-b37b1b595643%40googlegroups.com?utm_medium=emailutm_source=footer . For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAAohVBfNtx6igp__7Koivb18r_onQ0A0BUZeMpVyeTct1%2B-s8w%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Re: How to get logs in to the same termianl in agent side
Another thing, JFYI: I think somewhere you said you are new the Puppet, so get into the habit to follow the style-guide before it's too late, especially for the quote: you are mixing up the double and single quotes. Look at here: http://docs.puppetlabs.com/guides/style_guide.html -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/bf6c50dc-942c-4cf8-9af5-7d6110336da3%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Backports for puppet with Ubuntu 14.04
I am not able to update my current puppet master at this exact time and I need to see if I can backport puppet 3.1.1 to ubuntu 14.04. I have looked at the backports but I am not finding any puppet backports at all for 14.04. Thank you, Eric -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/b2062161-c2c5-4627-9a00-47bc70a97752%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Puppet: Dependency cycle
Also see these for interesting ideas: http://www.craigdunn.org/2012/05/239/ http://garylarizza.com/blog/2014/02/17/puppet-workflow-part-1/ http://garylarizza.com/blog/2014/02/17/puppet-workflow-part-2/ In your place, this is how I would arrange what you want, because I often cram configs together (huzzah legacy systems): class testmod::packages { package { 'nginx': } } class testmod::services { service { 'nginx': ensure= running, enable= true, } } class testmod::nginxtest { file { '/tmp/nginx.test': } } # you might also look into contain over include? class testmod { include ::testmod::packages include ::testmod::services Class['::testmod::packages'] ~ Class['::testmod::services'] } # this shows how a generic testmod is all normal-ish... class profile::testmod { include ::testmod } # ...but a testmod nginx tester is a bit special # obviously you could move includes/chaining around class profile::testmodnginx { include ::testmod::packages include ::testmod::services include ::testmod::nginxtest Class['::testmod::packages'] ~ Class['::testmod::services'] Class['::testmod::packages'] - Class['::testmod::nginxtest'] Class['::testmod::nginxtest'] ~ Class['::testmod::services'] } Or you could do it in a parameterized fashion: class testmod ( $nginxtest = false ) { package { 'nginx': } # from stdlib, see puppet forge if str2bool($nginxtest) { file { '/tmp/nginx.test': ensure = present, require = Package['nginx'], notify = Service['nginx'], } } service { 'nginx': ensure = running, enable = true, } } Then in hiera: testmod::nginxtest: true And somewhere else: include testmod Or the declarative way, having a higher chance of hurting you later: class { 'testmod': nginxtest = true, } Or you could do it any way you wanted, really. (Cue zillions of different posts about the right way to do this.) On Wed, Jun 18, 2014 at 06:22:00PM +0400, Sergey Arlashin wrote: Hm, ok. But when I use 'subscribe' instead of 'notify' class testmod { package { 'nginx': ensure = installed } service { 'nginx': ensure= running, enable= true, require = Package['nginx'], subscribe = File['/tmp/nginx.test'] } } class testmod::nginxtest { file { '/tmp/nginx.test': ensure = present } } I get == test-node: Error: Could not apply complete catalog: Found 1 dependency cycle: == test-node: (File[/tmp/nginx.test] = Service[nginx] = Class[Testmod] = Class[Testmod::Nginxtest] = File[/tmp/nginx.test]) == test-node: Try the '--graph' option and opening the resulting '.dot' file in OmniGraffle or GraphViz I do need to have 2 separate modules. I need the class 'testmode' to run before class 'test mod::nginxtest'. And I need to restart service 'nginx' when I change '/tmp/nginx.test'. So then the question is - how to do this properly? Do I need to create something like exec { 'nginx restart': ... } ? On Jun 18, 2014, at 5:55 PM, Felix Frank felix.fr...@alumni.tu-berlin.de wrote: Hi, On 06/18/2014 03:51 PM, Sergey Arlashin wrote: Could you please help me figure out why this is happening ? It seems there is nothing in test mod whih requires testmod::nginxtest . actually yes, there is. file { '/tmp/nginx.test': ensure = present, notify = Service['nginx']; } The 'notify' implicitly puts File['/tmp/nginx.test'] *before* Service['nginx']. The class { 'testmod::nginxtest': require = Class['testmod'] } ends up doing the opposite - wanting the Service['nginx'] before File['/tmp/nginx.test']. HTH, Felix -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/53A19A45.30903%40alumni.tu-berlin.de. For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/9548D943-73FE-41B1-984C-1EDC8FAD40D3%40gmail.com. For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/20140618150053.GA27009%40iniquitous.heresiarch.ca. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Puppet: Dependency cycle
Wow, Christopher gave an exhaustive answer :-) I'll try and Keep It Simple. On 06/18/2014 04:22 PM, Sergey Arlashin wrote: I do need to have 2 separate modules. I need the class 'testmode' to run before class 'test mod::nginxtest'. And I need to restart service 'nginx' when I change '/tmp/nginx.test'. Yes, you face the same issue, seeing as you just brought it in a different notation. The same relationships are established. So then the question is - how to do this properly? Do I need to create something like exec { 'nginx restart': ... } ? This is actually not possible. If Puppet should refresh the service upon change of the config file, it *must* evaluate the file resource before the service resource. You need to disentangle your relationships and come up with an order in which you want your resources applied, e.g. Package - File - Service This may indeed mean that you cannot require a whole class. But as Christopher has advised, you mileage may increase if you structure the classes more distinctly. HTH, Felix -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/53A1AA93.9000708%40alumni.tu-berlin.de. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Re: Moving from manifest files to ENC script - not working...
I tried also just /usr/share/puppet-dashboard/bin/external_node it act the same way. I add node:, I hope I did it in the right way because I did not find it in the document - also not work. If I'm not adding any 'node: ', It should work for all the nodes the same. Am I right? or it must appear in the output? Also I have another warning that I did not mention in my previous email, which I consider as warning: Gem::Specification#installation_path called from /usr/share/puppet-dashboard/config/../vendor/rails/railties/lib/rails/vendor_gem_source_index.rb:93. NOTE: Gem::Specification#installation_path is deprecated, use base_dir. It will be removed on or after 2011-10-01. I tried to solve this warning in the past - with no success. Thank you. On Wednesday, June 18, 2014 5:10:43 PM UTC+3, RichT wrote: On 18 June 2014 14:10, shlo@gmail.com javascript: wrote: Hi, I still can make the ENC work on my puppet server. General: Puppet server: 3.3.1 Puppet agent: 2.7.25 The server run Passenger on Apache, so the puppetmaster run from apache and not by himself. I have in /etc/puppet/puppet.conf : [master] mode_terminus = exec external_nodes = /usr/bin/env PUPPET_DASHBOARD_URL=http://user:pass@localhost:3000 /usr/share/puppet-dashboard/bin/external_node Once again why do you have all that in your external_nodes ? eg what is /usr/bin/env doing, what is PUPPET_DASHBOARD_URL=http:// user:pass@localhost:3000 doing for you? Why not just external_nodes = /usr/share/puppet-dashboard/ bin/external_node Is your external_nodes script executable by puppet? Did you add the node: certname bit to your YAML output as suggested? -- Ritchie script details: The file external_node contain perl, all the directories and the external_node itself have the permission 755. I did: * When I run the perl script locally (as a regular script from the command line – not with puppet) on the puppet server it run okay and give the YAML output I sent in my previous emails. * looking for errors in messages log and apache log – nothing look suspicious. But the warning: - [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) - YAML in network requests is deprecated and will be removed in a future version. * Also tried to make syntax error in my perl script external_node – got no error in the logs. What make me think maybe: * puppet it not running external_node script at all. * ENC have problems when it Passenger Apache? Thanks for all the people who answer me. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com javascript:. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/4c5248b8-35c3-4013-8556-1fd7626682f0%40googlegroups.com https://groups.google.com/d/msgid/puppet-users/4c5248b8-35c3-4013-8556-1fd7626682f0%40googlegroups.com?utm_medium=emailutm_source=footer . For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/52cb308a-6843-41a3-b700-cdaa3efc82a1%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Puppet: Dependency cycle
Christopher, Felix, I got the idea. Thank you very much! -- Best regards, Sergey Arlashin On Jun 18, 2014, at 7:04 PM, Felix Frank felix.fr...@alumni.tu-berlin.de wrote: Wow, Christopher gave an exhaustive answer :-) I'll try and Keep It Simple. On 06/18/2014 04:22 PM, Sergey Arlashin wrote: I do need to have 2 separate modules. I need the class 'testmode' to run before class 'test mod::nginxtest'. And I need to restart service 'nginx' when I change '/tmp/nginx.test'. Yes, you face the same issue, seeing as you just brought it in a different notation. The same relationships are established. So then the question is - how to do this properly? Do I need to create something like exec { 'nginx restart': ... } ? This is actually not possible. If Puppet should refresh the service upon change of the config file, it *must* evaluate the file resource before the service resource. You need to disentangle your relationships and come up with an order in which you want your resources applied, e.g. Package - File - Service This may indeed mean that you cannot require a whole class. But as Christopher has advised, you mileage may increase if you structure the classes more distinctly. HTH, Felix -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/53A1AA93.9000708%40alumni.tu-berlin.de. For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/D08BD01A-A46E-42B4-9E0C-F0852C611D84%40gmail.com. For more options, visit https://groups.google.com/d/optout.
[Puppet Users] New content of file is not sent to filebucket
Hello everyone, I am using Puppet dashboard and I properly configured it to show bucketed files: Changed (1) File[puppetlabs.list] (/etc/puppet/modules/apt/manifests/source.pp:35) PropertyMessagecontentcontent changed '{md5}9495858ce6c5ed7d5bdb098f13709ae2' to '{md5}f572dd8d58abbc84a3fe28ebc3fcbd34' When I click on the first md5, I get a popup with the old file. However, the md5 of the file is a 404.I configured my puppet.conf to add archive_files = true in the [agent] section.I added this to my manifest.pp:filebucket { main: server = 'whatever', path = false, }File { backup = main, }But still… Any idea ?Thank you. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/13bfeda5-a86f-4508-9ccd-fe09c8026501%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] How to get logs in to the same termianl in agent side
you will need to run the puppet agent with --verbose (or --test which implied verbose) to actually display the output in the terminal. On 18 June 2014 12:23, Malintha Adikari malin...@wso2.com wrote: Hi, I am executing a shell script in the puppet agent side. If I execute the same shell script in my local machine it will print several log messages to terminal. But when I execute it in the puppet agent it does not print any log into the agent terminal. How can I print the logs of the shell script when I run it using puppet ? I am using following command to execute the shell script. exec { strating: user = 'root', environment = 'JAVA_HOME=/home/malintha/jdk1.6.0', path= $command_path, command= /pathToShellScript/myScript.sh, * logoutput = true,* timeout = 3600, require = Exec['another goal'], } Regards, Malintha Adikari -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/dc3a5a66-8f3d-4efc-b1ab-e0f262efa746%40googlegroups.com https://groups.google.com/d/msgid/puppet-users/dc3a5a66-8f3d-4efc-b1ab-e0f262efa746%40googlegroups.com?utm_medium=emailutm_source=footer . For more options, visit https://groups.google.com/d/optout. -- Erik Dalén -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAAAzDLeQgOt4T4Wqy4U-rtcVquimBC50%2BFFPd%3DxjrzzNikNW1Q%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Re: Moving from manifest files to ENC script - not working...
On Wednesday, June 18, 2014 8:10:38 AM UTC-5, shlo@gmail.com wrote: Hi, I still can make the ENC work on my puppet server. General: Puppet server: 3.3.1 Puppet agent: 2.7.25 That's a potential problem, but not likely the one you're currently fighting. The master provides as much compatibility with older agents as it can, but that's so much older an agent (in version number terms) that you're pushing the envelope. Moreover, even the master is a little old -- current is 3.6.2. The server run Passenger on Apache, so the puppetmaster run from apache and not by himself. I have in /etc/puppet/puppet.conf : [master] mode_terminus = exec external_nodes = /usr/bin/env PUPPET_DASHBOARD_URL=http://user:pass@localhost:3000 /usr/share/puppet-dashboard/bin/external_node Per the docs, the 'external_nodes' property should be the full path to the ENC executable. Note well: path to the executable not command line. Puppet will run that executable -- probably directly, not via a shell -- passing it the node's certname as the only argument. script details: The file external_node contain perl, all the directories and the external_node itself have the permission 755. I did: * When I run the perl script locally (as a regular script from the command line – not with puppet) on the puppet server it run okay and give the YAML output I sent in my previous emails. * looking for errors in messages log and apache log – nothing look suspicious. But the warning: - [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) - YAML in network requests is deprecated and will be removed in a future version. * Also tried to make syntax error in my perl script external_node – got no error in the logs. What make me think maybe: * puppet it not running external_node script at all. That seems a reasonable conclusion. * ENC have problems when it Passenger Apache? No. But perhaps either 1. Puppet is not using the config file you think it's using, or 2. you have not properly restarted the master to get it to read its updated configuration. Under Passenger, the config file Puppet uses is affected by your config.ru. In particular, therein you need to be sure to set the appropriate --confdir and --vardir. The default config.ru shipped with Puppet should be correct for a default Puppet installation, but if you installed in a different location or rolled your own config.ru then perhaps the problem is there. It's worth having a look in any case. John -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/4179a29e-5478-4196-a561-c9096ac90b1d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Puppetlabs support for squeeze
Hi Erik, Yes, we will keep the Squeeze repos up at apt.puppetlabs.com. Once Squeeze is announced EOL, we will begin the process of removing support, but we will be sure to let users know before that happens. On Mon, Jun 16, 2014 at 7:20 AM, Erik Dalén erik.gustav.da...@gmail.com wrote: Debian has announced a long term support for debian squeeze: https://www.debian.org/News/2014/20140616 I'm wondering if this will mean that Squeeze will stick around at apt.puppetlabs.com for the same period? -- Erik Dalén -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAAAzDLe303b91ZY7dpL1BOpgT-g_nKA9Oa_YgpRbHLsjNpFQqQ%40mail.gmail.com https://groups.google.com/d/msgid/puppet-users/CAAAzDLe303b91ZY7dpL1BOpgT-g_nKA9Oa_YgpRbHLsjNpFQqQ%40mail.gmail.com?utm_medium=emailutm_source=footer . For more options, visit https://groups.google.com/d/optout. -- Melissa Stone Release Engineer, Puppet Labs *Join us at PuppetConf 2014 http://www.puppetconf.com/, September 20-24 in San Francisco* *Register by June 5th to take advantage of the Early Adopter discount http://links.puppetlabs.com/puppetconf-early-adopter **—**save $349!* -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAHEe_kpyeeDfZsCdBCPykHTg%3Dho3154p5Ra53Zyv0_-zG7hYcQ%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Re: Backports for puppet with Ubuntu 14.04
Or my other thought, can I ensure the kernel version through puppet? That would solve some issue as well. Eric On Wednesday, June 18, 2014 9:56:56 AM UTC-5, Eric Speake wrote: I am not able to update my current puppet master at this exact time and I need to see if I can backport puppet 3.1.1 to ubuntu 14.04. I have looked at the backports but I am not finding any puppet backports at all for 14.04. Thank you, Eric -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/81d0b089-b29a-43fc-91c5-1295e3dc093f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Re: Backports for puppet with Ubuntu 14.04
You can run 'apt-cache policy puppet' on your trusty nodes. If you have the puppetlabs apt repo enabled you should see many old versions available. As a last resort, you could install from ruby gems. As for kernel versioning, if you can express that in a package name you can do it in puppet. Of course kernels are a bit wonky, so you would probably need to enforce a reboot to make sure your change is live on the system. I'm not aware of a good way for puppet to manage rolling reboots through a set of systems, that sounds more like an orchestration task. On Wed, Jun 18, 2014 at 11:31 AM, Eric Speake espeak...@gmail.com wrote: Or my other thought, can I ensure the kernel version through puppet? That would solve some issue as well. Eric On Wednesday, June 18, 2014 9:56:56 AM UTC-5, Eric Speake wrote: I am not able to update my current puppet master at this exact time and I need to see if I can backport puppet 3.1.1 to ubuntu 14.04. I have looked at the backports but I am not finding any puppet backports at all for 14.04. Thank you, Eric -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/81d0b089-b29a-43fc-91c5-1295e3dc093f%40googlegroups.com https://groups.google.com/d/msgid/puppet-users/81d0b089-b29a-43fc-91c5-1295e3dc093f%40googlegroups.com?utm_medium=emailutm_source=footer . For more options, visit https://groups.google.com/d/optout. -- Spencer Krum (619)-980-7820 -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CADt6FWNkh6z4FOZC%3DxE-YcF31gmD5EccmH8%2BpEJydrFy9pm1jw%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Re: Connection timed out - connect(2) when using puppet module
On Wed, Jun 18, 2014 at 6:11 AM, jcbollinger john.bollin...@stjude.org wrote: On Wednesday, June 18, 2014 12:14:21 AM UTC-5, Torsten Kleiber wrote: Am Dienstag, 17. Juni 2014 15:03:20 UTC+2 schrieb jcbollinger: You mean you have set these in your puppet.conf or in your environment? If the former then which one (file system path) and which section? Are you running as root or as an unprivileged user? I run at the moment with root and have set it via export before the call. After setting it now in puppet.conf, the error changes similar to curl without -k: puppet module install rtyler/jenkins --debug Notice: Preparing to install into /etc/puppet/modules ... Notice: Downloading from https://forgeapi.puppetlabs.com ... Debug: HTTP GET https://forgeapi.puppetlabs. com/v3/releases?module=rtyler-jenkins https://www.google.com/url?q=https%3A%2F%2Fforgeapi.puppetlabs.com%2Fv3%2Freleases%3Fmodule%3Drtyler-jenkinssa=Dsntz=1usg=AFQjCNHu-FqhQGWQIIlMLS_p0AJTBVu6Qw Error: Could not connect via HTTPS to https://forgeapi.puppetlabs.com Unable to verify the SSL certificate The certificate may not be signed by a valid CA The CA bundle included with OpenSSL may not be valid or up to date Well you don't really want to trust unverified certificates, certainly not in an automated way. It sounds like you may need to update your trusted certificate store with one or more new CA certificates. On a RedHat-family Linux, that probably means updating package ca-certificates. For what it's worth, neither Firefox on Windows nor curl (without -k) on CentOS 6.5 complain to me about untrusted SSL certificates when I access that forge URL, and I haven't made any special accommodation for it. John -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/caf39dff-7544-4b4b-81de-d0dada0ae9d2%40googlegroups.com https://groups.google.com/d/msgid/puppet-users/caf39dff-7544-4b4b-81de-d0dada0ae9d2%40googlegroups.com?utm_medium=emailutm_source=footer . For more options, visit https://groups.google.com/d/optout. FYI, after the heartbleed incident we obtained new SSL certificates for all SSL related services, including forgeapi.puppetlabs.com. The new certificate was issued by UserTrustNetwork, and caused problems for the module tool on Windows, because the UserTrustNetwork root is not trusted. See https://tickets.puppetlabs.com/browse/PUP-2365 for more info. We recently switched back to a GeoTrust Global CA issued certificate, and that may explain why the module tool fails to authenticate the forgeapi for you. Josh -- Josh Cooper Developer, Puppet Labs *Join us at PuppetConf 2014 http://www.puppetconf.com/, September 20-24 in San Francisco* *Register by July 31st to take advantage of the Early Bird discount https://puppetconf2014.eventbrite.com/?discount=EarlyBird **—**save $249!* -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CA%2Bu97u%3DqDiHaiT48pQ8TGS6%2BvLChC-%2Bdkds7g8KM4s_SWW9nxA%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Re: Setting file level ACL
Is this still not natively available within Puppet? On Wednesday, September 28, 2011 8:23:52 AM UTC-5, jcbollinger wrote: On Sep 27, 6:23 pm, Corey Osman co...@logicminds.biz wrote: How do I go about using puppet to set an ACL on a file. I did not see ACL support under the file type. Has anybody done this before without using exec? Example: # Set ACL on directory setfacl -R -d -m mask:007 /directory The command you present as an example can have no Puppet equivalent other than an Exec, because the state change it directs depends on the current state of the resources it affects. Or looking at it from the opposite direction, Puppet has no way to determine whether the affected resources are already in the target state. That is not the way Puppet works, except Exec. If Puppet did support managing file ACLs then it would do so via the File resource type. If you check that type you will find 'owner', 'group', and 'mode' properties, along with several pertinent to SELinux; these are what you have to work with. There is also the 'recurse' property for extending the scope of a directory declaration to all its contents, recursively, but it is likely to cause you trouble if the files affected that way are many or collectively large. It is conceivable that File could be extended to allow you to specify an ACL, but manifests would need to specify the full ACL that was desired, for application via 'setfacl --set' (NOT 'setfacl -- modify' ). It would be tricky to get this right because of the overlap between such a property and File's other properties, but it in principle it could be done. John -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/863505b1-51d7-41fb-8c4c-d383406f45f7%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Re: Backports for puppet with Ubuntu 14.04
Spencer, Thanks for the info. I can get the kernel versions from my facter information, I do think it will be easier to upgrade those my self. Thanks, Again. On Wednesday, June 18, 2014 2:06:16 PM UTC-5, Spencer Krum wrote: You can run 'apt-cache policy puppet' on your trusty nodes. If you have the puppetlabs apt repo enabled you should see many old versions available. As a last resort, you could install from ruby gems. As for kernel versioning, if you can express that in a package name you can do it in puppet. Of course kernels are a bit wonky, so you would probably need to enforce a reboot to make sure your change is live on the system. I'm not aware of a good way for puppet to manage rolling reboots through a set of systems, that sounds more like an orchestration task. On Wed, Jun 18, 2014 at 11:31 AM, Eric Speake espe...@gmail.com javascript: wrote: Or my other thought, can I ensure the kernel version through puppet? That would solve some issue as well. Eric On Wednesday, June 18, 2014 9:56:56 AM UTC-5, Eric Speake wrote: I am not able to update my current puppet master at this exact time and I need to see if I can backport puppet 3.1.1 to ubuntu 14.04. I have looked at the backports but I am not finding any puppet backports at all for 14.04. Thank you, Eric -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com javascript:. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/81d0b089-b29a-43fc-91c5-1295e3dc093f%40googlegroups.com https://groups.google.com/d/msgid/puppet-users/81d0b089-b29a-43fc-91c5-1295e3dc093f%40googlegroups.com?utm_medium=emailutm_source=footer . For more options, visit https://groups.google.com/d/optout. -- Spencer Krum (619)-980-7820 -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/0ff89d3a-1da3-46e5-8681-adf011640fea%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Re: Setting file level ACL
Hi John, Not at this time. It was added to the Windows support so hopefully Linux isn't far behind! Thanks, Trevor On Wed, Jun 18, 2014 at 4:44 PM, Dennis Miller miller.den...@gmail.com wrote: Is this still not natively available within Puppet? On Wednesday, September 28, 2011 8:23:52 AM UTC-5, jcbollinger wrote: On Sep 27, 6:23 pm, Corey Osman co...@logicminds.biz wrote: How do I go about using puppet to set an ACL on a file. I did not see ACL support under the file type. Has anybody done this before without using exec? Example: # Set ACL on directory setfacl -R -d -m mask:007 /directory The command you present as an example can have no Puppet equivalent other than an Exec, because the state change it directs depends on the current state of the resources it affects. Or looking at it from the opposite direction, Puppet has no way to determine whether the affected resources are already in the target state. That is not the way Puppet works, except Exec. If Puppet did support managing file ACLs then it would do so via the File resource type. If you check that type you will find 'owner', 'group', and 'mode' properties, along with several pertinent to SELinux; these are what you have to work with. There is also the 'recurse' property for extending the scope of a directory declaration to all its contents, recursively, but it is likely to cause you trouble if the files affected that way are many or collectively large. It is conceivable that File could be extended to allow you to specify an ACL, but manifests would need to specify the full ACL that was desired, for application via 'setfacl --set' (NOT 'setfacl -- modify' ). It would be tricky to get this right because of the overlap between such a property and File's other properties, but it in principle it could be done. John -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/863505b1-51d7-41fb-8c4c-d383406f45f7%40googlegroups.com https://groups.google.com/d/msgid/puppet-users/863505b1-51d7-41fb-8c4c-d383406f45f7%40googlegroups.com?utm_medium=emailutm_source=footer . For more options, visit https://groups.google.com/d/optout. -- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 tvaug...@onyxpoint.com -- This account not approved for unencrypted proprietary information -- -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CANs%2BFoUvFGhYsJFSEG0PhMds5t0UOp79RqnWZnoEcJp1EDgj8w%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Re: Moving from manifest files to ENC script - not working...
On 18 Jun 2014 14:10, shlo.af...@gmail.com wrote: Hi, I still can make the ENC work on my puppet server. General: Puppet server: 3.3.1 Puppet agent: 2.7.25 The server run Passenger on Apache, so the puppetmaster run from apache and not by himself. I have in /etc/puppet/puppet.conf : [master] mode_terminus = exec ??? That should be node_terminus not mode_terminus. Matt -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAKUTv3%2BZm%2BZ1ZCdUMEpeoUyGRbOgxXbf4sZwJhUjSpN9%3DOH-7w%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.