[Puppet Users] PuppetDB doesn't work in Puppet 4: Error Executing http request

2015-06-09 Thread Danny Roberts
I am trying to use PuppetDB with a Puppet 4 server that I am testing. I 
have set it up as per the official docs but now I get this error when 
trying to do a Puppet run (it worked before adding PuppetDB):

# puppet agent -t --noop
Warning: Unable to fetch my node definition, but the agent run will 
continue:
Warning: Error 400 on SERVER: Could not retrieve facts for 
ip-172-30-2-43.eu-west-1.compute.internal: Failed to find facts from 
PuppetDB at puppetdb.solutions.exmaple.co.uk:8081: Error executing http 
request
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: 
Failed to submit 'replace facts' command for 
ip-172-30-2-43.eu-west-1.compute.internal to PuppetDB at 
puppetdb.solutions.example.co.uk:8081: Error executing http request
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run


I re-followed the instructions on a Puppet 3.8.1 master and PuppetDB worked 
as expected.

DNS correctly resolves the hostname, security groups in AWS are open to 
allow the connection. The only differing factor between the two setups was 
the use of Puppet 4 for the one that is failing.

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/3a89c5f9-b9e1-41b5-8e77-7971e6e79669%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[Puppet Users] Re: r10k: modules folder content deleted

2015-06-09 Thread Thomas Müller
Argh. Of course it was the non-existent Puppetfile that was my problem.

Added a Puppetfile only containing the moduledir: puppetfile_modules and 
all is fine!

- Thomas

On Tuesday, 9 June 2015 10:23:46 UTC+2, Thomas Müller wrote:

 Hi !

 I'd like to move to r10k (1.5.1) for the environment deployment for our 
 new puppet master setup.

 Right now we have the complete environment in a git branch. Later on we 
 may move to the Puppetfile/modules approach. 

 Our modules live in the modules/ subfolder.  r10k removes the content of 
 this folder. I speculate: it's because it likes to install the modules from 
 Puppetfile (non-existent) into this folder. 

 Is it possible to disable the cleanup of the modules folder or specify 
 another folder as Puppetfile target? 

 - Thomas




[Puppet Users] r10k: modules folder content deleted

2015-06-09 Thread Thomas Müller
Hi !

I'd like to move to r10k (1.5.1) for the environment deployment for our new 
puppet master setup.

Right now we have the complete environment in a git branch. Later on we 
may move to the Puppetfile/modules approach. 

Our modules live in the modules/ subfolder.  r10k removes the content of 
this folder. I speculate: it's because it likes to install the modules from 
Puppetfile (non-existent) into this folder. 

Is it possible to disable the cleanup of the modules folder or specify 
another folder as Puppetfile target? 

- Thomas



Re: [Puppet Users] Creating Windows MSI for puppet agent

2015-06-09 Thread Puppeteer
Hi Rob,

The application event log does not have any information with respect to 
Puppet. There is no log named Puppet. Also when I run the agent from the 
command I get the following message:
cannot load such file -- facter.
 I have attached the screenshot.

Regards,
Deepak.

On Tuesday, 9 June 2015 00:54:10 UTC+5:30, Rob Reynolds wrote:



 On Mon, Jun 8, 2015 at 2:00 AM, Puppeteer kdeep...@gmail.com wrote:

 Hi Melissa,

 Thanks for your response. That is something that I will look into (pretty 
 new to all these things). 

 I got the puppet_for_the_win working by modifying foss-stable.yaml by 
 including the following lines from foss-4.0-x86.yaml:
 mcollective:
   :ref: 2.8.1
   :repo: git://github.com/puppetlabs/marionette-collective.git

 After including the above lines I was able to build the MSI and install 
 it. However the Puppet service does not start. I have attached the message 
 I get on starting the service. I did not find any logs in the 
 c:\ProgramData\puppet folder or in the event viewer. Any idea why the 
 service is not starting?


 From the image, I would suggest attempting to run puppet by hand and see 
 what you get. It's likely something is missing that Puppet expects to be 
 there for the service.

 You can also look in the Application Event Log to see what Puppet may have 
 failed with.
  


 Regards,
 Deepak.

 On Thursday, 4 June 2015 22:04:22 UTC+5:30, Melissa Stone wrote:



 On Thu, Jun 4, 2015 at 1:05 AM, Puppeteer kdeep...@gmail.com wrote:

 Hi,

 I want to create a custom MSI for the puppet agent. Can someone guide 
 me on this. 
 I tried using puppetlabs/puppet_for_the_win but was not successful.


 Hey!

 Unfortunately, we have yet to streamline this process for external use. 
 You can still roll your own native facter build though. You'll want to use 
 the script at 
 https://github.com/puppetlabs/facter/blob/master/contrib/facter.ps1. 
 You need to run the script on probably a windows 2012 box (64 bit), and I 
 would strongly suggest reviewing the script to ensure that we don't do 
 anything that's going to mess you up. It's meant to be run on a disposable 
 box.

 After that builds, we collect all the built bits and library 
 dependencies into the zip archive that the automation in puppet_for_the_win 
 looks for. We don't have that automation in a public space, but here's a 
 summary of what goes into that archive. This assumes you're building 64 
 bit, so if you're building for a 32 bit machine, you'll have to modify it.

 # Move all necessary dll's into facter bindir
 cp /cygdrive/c/tools/mingw64/bin/libgcc_s_seh-1.dll \
    /cygdrive/c/tools/mingw64/bin/libstdc++-6.dll \
    /cygdrive/c/tools/mingw64/bin/libwinpthread-1.dll \
    /home/Administrator/facter/release/bin/

 # Format everything to prepare to archive it
 mkdir -p /home/Administrator/archive/lib
 cp -r /home/Administrator/facter/release/bin /home/Administrator/facter/lib/inc \
    /home/Administrator/archive/
 cp /home/Administrator/facter/release/lib/facter.rb \
    /home/Administrator/archive/lib/

 # Zip up the built archives
 7za.exe a -r -tzip facter.zip 'C:\\cygwin64\\home\\Administrator\\archive\\*'

 Once you have that archive, you can modify the config file you're using 
 to point to where that archive can be found. That *should* let the 
 automation in puppet_for_the_win work.

 Let me know how that goes!
  


 I used the command:
 rake windows:build AGENT_VERSION_STRING=1.0.0 CONFIG=foss-4.1-x86.yaml

 I get the following error: 

 curl -O http://builds.puppetlabs.lan/facter/9586d5cd1ee6c18e88506a8f4a8b12f2ee51d154/artifacts/windows//facter-2.4.3-1074-g9586d5c-x86.zip

 curl: (6) Couldn't resolve host 'builds.puppetlabs.lan'
 rake aborted!
 Command failed with status (6): [curl -O http://builds.puppetlabs.lan/facte...]

 Tasks: TOP => windows:msi => windows:wixobj => windows:wxs => windows:stage => windows:checkout => windows:clone
 (See full trace by running task with --trace)

 Thanks.





 -- 
 Melissa Stone
 Release Engineer, Puppet Labs

[Puppet Users] Snippet: Apache vHost to proxy to central CA and local puppet server

2015-06-09 Thread Thomas Müller
hi

If you have a centralized ca you can proxy the certificate traffic to the 
central puppet ca service (1).

And forward all the other traffic to the local puppet server (2, 3).

The snippet requires puppetlabs-apache module > 1.4.1 as it won't include 
the proxy template with $proxy_pass_match only (it's already fixed on 
github). 

- Thomas


Docs:
1) 
https://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-2-proxy-certificate-traffic
2) 
https://docs.puppetlabs.com/puppetserver/2.1/external_ssl_termination.html
3) https://docs.puppetlabs.com/puppetserver/2.1/external_ca_configuration.html 
(relevant: Disabling the Internal Puppet CA Service) 


  include '::apache'

  apache::vhost { $::fqdn:
    servername        => "${::fqdn}:8140",
    serveraliases     => [ 'puppet', "puppet.${::domain}" ],
    port              => 8140,
    docroot           => '/var/www/html',
    ssl               => true,
    ssl_ca            => '/etc/puppetlabs/puppet/ssl/certs/ca.pem',
    ssl_cert          => "/etc/puppetlabs/puppet/ssl/certs/${::fqdn}.pem",
    ssl_key           => "/etc/puppetlabs/puppet/ssl/private_keys/${::fqdn}.pem",
    ssl_crl           => '/etc/puppetlabs/puppet/ssl/crl.pem',
    ssl_verify_client => 'optional',
    ssl_verify_depth  => 1,
    ssl_proxyengine   => true,
    ssl_options       => ['+StdEnvVars', '+ExportCertData'],
    proxy_pass_match  => [
      # (1) certificate traffic goes to the central puppet ca service
      { 'path'  => '^/([^/]+/certificate.*)$',
        'url'   => 'https://centralpuppetca:8140/$1' },
      # (2, 3) all the other traffic goes to the local puppet server
      { 'path'  => '/(.*)',
        'url'   => 'http://localhost:18140/$1' },
    ],
    request_headers   => [
      'set X-Client-Verify %{SSL_CLIENT_VERIFY}e',
      'set X-Client-DN %{SSL_CLIENT_S_DN}e',
      #'set X-Client-Cert %{SSL_CLIENT_CERT}e', # disabled because of bug SERVER-217
      'edit X-Client-DN ^/(CN=.+)$ $1', # workaround for bug SERVER-213
    ]
  }
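
The routing that the two proxy_pass_match rules above produce, as an added Ruby example that is not part of the original post. The patterns, targets and header edit are copied from the snippet; the request paths and agent01.example.com are constructed, and the two URL layouts (/<environment>/certificate... as requested by Puppet 3 agents, /puppet-ca/v1/... as requested by Puppet 4 agents) are assumptions about what reaches the vhost. With these patterns the /puppet-ca/v1/ path is not matched by the first rule and falls through to the local server.

```ruby
# Added example: replays the vhost's proxy_pass_match rules and the
# X-Client-DN header edit against constructed input.

RULES = [
  { name: :central_ca,
    path: %r{^/([^/]+/certificate.*)$},
    url:  'https://centralpuppetca:8140/$1' },
  { name: :local_server,
    path: %r{/(.*)},
    url:  'http://localhost:18140/$1' },
].freeze

# Apache checks ProxyPassMatch rules in configuration order and stops at the
# first pattern that matches, so the catch-all rule has to stay last.
def route(path)
  RULES.each do |rule|
    m = rule[:path].match(path)
    next unless m
    # Block form keeps the captured text literal (no backslash expansion).
    return { rule: rule[:name], target: rule[:url].sub('$1') { m[1] } }
  end
  nil
end

# Mirror of the request_headers entry
#   edit X-Client-DN ^/(CN=.+)$ $1
# It drops the leading slash only when the subject DN is a single CN.
def edit_client_dn(value)
  value.sub(%r{^/(CN=.+)$}, '\1')
end

# Constructed request paths (hypothetical agent name).
SAMPLE_PATHS = [
  '/production/certificate/agent01.example.com',         # Puppet 3 style
  '/production/certificate_request/agent01.example.com', # Puppet 3 style
  '/production/certificate_revocation_list/ca',          # Puppet 3 style
  '/production/catalog/agent01.example.com',             # Puppet 3 style
  '/puppet-ca/v1/certificate/agent01.example.com',       # Puppet 4 style
  '/puppet/v3/catalog/agent01.example.com',              # Puppet 4 style
].freeze

# Pair every sample path with the rule and backend URL it resolves to.
def routing_table(paths = SAMPLE_PATHS)
  paths.map { |p| [p, route(p)] }
end

# Paths that mention a certificate endpoint but are not sent to the CA;
# these are the ones to review when agents of another major version connect.
def certificate_paths_served_locally(paths = SAMPLE_PATHS)
  paths.select do |p|
    hit = route(p)
    p.include?('/certificate') && hit && hit[:rule] == :local_server
  end
end

if __FILE__ == $PROGRAM_NAME
  routing_table.each do |path, hit|
    puts format('%-52s -> %s', path, hit ? hit[:target] : '(no rule matched)')
  end
  puts edit_client_dn('/CN=agent01.example.com')
end
```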





Re: [Puppet Users] 8K node infrastructure and CA setup

2015-06-09 Thread Corey Osman
 In that diagram can you have a HA Master CA setup and HA Agent CA setup 
where there is a master and agent CA in each datacenter, but served by a 
VIP/Proxy/SRV record?  Not exactly sure how CAs work when it comes to 
redundancy. 

Corey

On Tuesday, June 9, 2015 at 12:07:17 AM UTC-4, Trevor Vaughan wrote:

 Hi Corey,

 That setup should work just fine and be even easier now that everything 
 has a solid set of certs that don't cross over at all.

 If you're using PE, be sure to properly generate your role certificates 
 that are used by the Console, ActiveMQ, etc...

 Trevor

 On Mon, Jun 8, 2015 at 10:25 PM, Corey Osman co...@logicminds.biz wrote:

 Has anybody used this setup before?  Any caveats?


 https://docs.puppetlabs.com/puppet/3.8/reference/config_ssl_external_ca.html#option-3-two-intermediate-cas-issued-by-one-root-ca

 Does this still apply when using puppet server 2.1?


 Corey





 -- 
 Trevor Vaughan
 Vice President, Onyx Point, Inc
 (410) 541-6699
 tvau...@onyxpoint.com

 -- This account not approved for unencrypted proprietary information --
  



[Puppet Users] why puppet cert clean generates so much output and takes a lot of time

2015-06-09 Thread Andrés Abelardo Villarroel Acosta
I'm not a Puppet expert, and I know this may be a question completely 
relative to my environment, I just want to know why when I run

puppet cert clean

I get thousands of lines like this.

Notice: Revoked certificate with serial 152536
Notice: Revoked certificate with serial 152627
Notice: Revoked certificate with serial 152885
Notice: Revoked certificate with serial 152971
Notice: Revoked certificate with serial 153088
Notice: Revoked certificate with serial 153159
Notice: Revoked certificate with serial 153329
Notice: Revoked certificate with serial 153403
Notice: Revoked certificate with serial 153473
Notice: Revoked certificate with serial 153529
Notice: Revoked certificate with serial 153622
Notice: Revoked certificate with serial 153747
Notice: Revoked certificate with serial 154033
Notice: Revoked certificate with serial 154122
Notice: Revoked certificate with serial 154199
Notice: Revoked certificate with serial 154460
Notice: Revoked certificate with serial 154654
Notice: Revoked certificate with serial 155065
Notice: Revoked certificate with serial 155296
Notice: Revoked certificate with serial 155425
Notice: Revoked certificate with serial 155624
Notice: Revoked certificate with serial 155825
Notice: Revoked certificate with serial 156019
Notice: Revoked certificate with serial 156203
Notice: Revoked certificate with serial 156346
Notice: Revoked certificate with serial 156455
Notice: Revoked certificate with serial 156507
Notice: Revoked certificate with serial 156644
Notice: Revoked certificate with serial 156767
Notice: Revoked certificate with serial 156988
Notice: Revoked certificate with serial 157066
Notice: Revoked certificate with serial 157159

It's kind of annoying to have to wait for this to finish.

Thanks.

--av.-



[Puppet Users] No certificates in /var/lib/puppet/ssl/ca/signed

2015-06-09 Thread Alastair
Hi everyone,

I have noticed an unexpected change in the behaviour of my puppet 
infrastructure that I can't explain.

I am using puppet 3.8.1, puppet-server 3.8.1 and puppetdb 2.3.5 on Centos 7.

After making some changes to my modules, I noticed that client certificates 
are not being stored in /var/lib/puppet/ssl/ca/signed any longer, in fact 
they are not stored anywhere on my puppet master filesystem.

They are however listed in my puppetdb tables in the certnames table.

Is this expected behaviour in some setups?

Best regards,

Alastair



Re: [Puppet Users] where is PC1 for Debian Jessie?

2015-06-09 Thread Francois Lafont
Hello,

On 09/06/2015 22:30, Kylo Ginsberg wrote:

 We're planning to release the next puppet-agent drop on June 22nd and that
 should include Jessie packages/repos.

Thanks Kylo, this is good news. ;)

Sorry if I change the subject a little (I suppose the thread is
resolved) but do you know when the packages mcollective-*-agent
and mcollective-*-client will be available in the Puppet4 PC1
repositories?

François Lafont



Re: [Puppet Users] why puppet cert clean generates so much output and takes a lot of time

2015-06-09 Thread Gabriel Filion
On 09/06/15 12:14 PM, Andrés Abelardo Villarroel Acosta wrote:
 I'm not a Puppet expert, and I know this may be a question completely 
 relative to my environment, I just want to know why when I run
 
 puppet cert clean

humm .. the text below gives the impression that the command you're
running is actually revoking every certificate it knows of, which is not
supposed to happen unless you specify --all.

What version of puppet are you running on your puppet master?

 I get thousands of lines like this.
 
 Notice: Revoked certificate with serial 152536
 Notice: Revoked certificate with serial 152627
 Notice: Revoked certificate with serial 152885
 Notice: Revoked certificate with serial 152971
 Notice: Revoked certificate with serial 153088
 Notice: Revoked certificate with serial 153159
 Notice: Revoked certificate with serial 153329
 Notice: Revoked certificate with serial 153403
 Notice: Revoked certificate with serial 153473
 Notice: Revoked certificate with serial 153529
 Notice: Revoked certificate with serial 153622
 Notice: Revoked certificate with serial 153747
 Notice: Revoked certificate with serial 154033
 Notice: Revoked certificate with serial 154122
 Notice: Revoked certificate with serial 154199
 Notice: Revoked certificate with serial 154460
 Notice: Revoked certificate with serial 154654
 Notice: Revoked certificate with serial 155065
 Notice: Revoked certificate with serial 155296
 Notice: Revoked certificate with serial 155425
 Notice: Revoked certificate with serial 155624
 Notice: Revoked certificate with serial 155825
 Notice: Revoked certificate with serial 156019
 Notice: Revoked certificate with serial 156203
 Notice: Revoked certificate with serial 156346
 Notice: Revoked certificate with serial 156455
 Notice: Revoked certificate with serial 156507
 Notice: Revoked certificate with serial 156644
 Notice: Revoked certificate with serial 156767
 Notice: Revoked certificate with serial 156988
 Notice: Revoked certificate with serial 157066
 Notice: Revoked certificate with serial 157159

-- 
Gabriel Filion



Re: [Puppet Users] where is PC1 for Debian Jessie?

2015-06-09 Thread Kylo Ginsberg
Hey all,

We're planning to release the next puppet-agent drop on June 22nd and that
should include Jessie packages/repos.

Meanwhile, you can grab jessie packages from our nightly builds, e.g.

http://nightlies.puppetlabs.com/puppet-agent/3a6740a0753b6fb20d27e45071eedc29dd8b436c/repos/deb/jessie/PC1/puppet-agent_1.1.0.170.g3a6740a-1jessie_amd64.deb

Builds only promote to nightly if they pass CI, but these are nightlies, so
standard caveats apply.

Thanks,
Kylo

On Tue, Jun 9, 2015 at 5:54 AM, Louis Coilliot louis.coill...@think.fr
wrote:

 Hello, many people are waiting for this, including me.

 You can vote for the ticket here :

 https://tickets.puppetlabs.com/browse/CPR-111

 Please provide repository for Debian jessie

 Some people also asked for it on the thread [Puppet Users] Announce:
 Puppet 4 available!

 That said, for me it works on Jessie with the repos meant for Wheezy :

 deb http://apt.puppetlabs.com wheezy PC1

 Regards,

 Louis Coilliot


 2015-06-09 14:28 GMT+02:00 Rachel Andrew rachelandre...@gmail.com:

 Hi all

 comments on this post
 https://puppetlabs.com/blog/say-hello-open-source-puppet-4 state that
 packages are available for Jessie, however they don't appear to be in the
 list at http://apt.puppetlabs.com/

 Does anyone know where the package might be?

 Rachel





-- 
Kylo Ginsberg | k...@puppetlabs.com | irc: kylo | twitter: @kylog



[Puppet Users] Using puppetlabs-apache to help install and secure Apache httpd 2.2?

2015-06-09 Thread Brad Knowles
Folks,

So, I’m running into some issues with this module, and I wanted to ask for your 
advice.

First, some background.  I’m helping develop the systems that will allow a 
certain government agency to deploy their own public and private cloud systems. 
 One of the web servers they want to include is Apache httpd.  Of course, they 
also have an extensive document that they want us to follow with regards to 
hardening this system, an example of which can be found at 
https://web.nvd.nist.gov/view/ncp/repository/checklist/download?id=909&checklistId=392.

Now, I know about the module at https://forge.puppetlabs.com/arildjensen/cis, 
but that’s not going to do it for us.  We’re following a government standard 
that is similar to the CIS benchmark, but somewhat different.  Multiple parties 
and organizations have had their fingers in this pie, so off-the-shelf 
solutions in this space won’t help.


The particular problem I’m having at the moment is that, within the “Directory” 
option for a given vhost, we need to control the “order deny,allow” as well as 
the “deny from all” settings.  This is easy enough to do with the 
puppetlabs-apache module for the main vhost definition, because it exposes 
options to do exactly that.

However, we also need to control these settings for all the other configuration 
files in /etc/httpd/*, and the puppetlabs-apache module deploys the 
configuration file /etc/httpd/conf.d/alias.conf directly from a template where 
these values are hard coded (see 
https://github.com/puppetlabs/puppetlabs-apache/blob/master/manifests/mod/alias.pp
 and 
https://github.com/puppetlabs/puppetlabs-apache/blob/master/templates/mod/alias.conf.erb).
  And this doesn’t appear to be the only configuration file where it’s doing 
this.

I don’t want  to get into warring modules over who is going to be putting what 
content into this file, and since they aren’t using Augeas to perform this 
function, I don’t think that I can use Augeas myself to do 
configuration-file-surgery on it after-the-fact.


So, is there an easy solution here?  I really don’t want to have to fork the 
puppetlabs-apache module and then have to explain why we can’t use the standard 
puppet module for doing this kind of stuff, but I’ll do that if I have to.

I just would prefer to find a solution to this issue that allows me to avoid 
that fight.


Suggestions?  Thanks!

--
Brad Knowles b...@shub-internet.org
LinkedIn Profile: http://tinyurl.com/y8kpxu



Re: [Puppet Users] Using puppetlabs-apache to help install and secure Apache httpd 2.2?

2015-06-09 Thread Garrett Honeycutt
On 6/9/15 7:16 PM, Brad Knowles wrote:
 Folks,
 
 So, I’m running into some issues with this module, and I wanted to ask for 
 your advice.
 
 First, some background.  I’m helping develop the systems that will allow a 
 certain government agency to deploy their own public and private cloud 
 systems.  One of the web servers they want to include is Apache httpd.  Of 
 course, they also have an extensive document that they want us to follow with 
 regards to hardening this system, an example of which can be found at 
 https://web.nvd.nist.gov/view/ncp/repository/checklist/download?id=909&checklistId=392.
 
 Now, I know about the module at 
 https://forge.puppetlabs.com/arildjensen/cis, but that’s not going to do it 
 for us.  We’re following a government standard that is similar to the CIS 
 benchmark, but somewhat different.  Multiple parties and organizations have 
 had their fingers in this pie, so off-the-shelf solutions in this space won’t 
 help.
 
 
 The particular problem I’m having at the moment is that, within the 
 “Directory” option for a given vhost, we need to control the “order 
 deny,allow” as well as the “deny from all” settings.  This is easy enough to 
 do with the puppetlabs-apache module for the main vhost definition, because 
 it exposes options to do exactly that.
 
 However, we also need to control these settings for all the other 
 configuration files in /etc/httpd/*, and the puppetlabs-apache module deploys 
 the configuration file /etc/httpd/conf.d/alias.conf directly from a template 
 where these values are hard coded (see 
 https://github.com/puppetlabs/puppetlabs-apache/blob/master/manifests/mod/alias.pp
  and 
 https://github.com/puppetlabs/puppetlabs-apache/blob/master/templates/mod/alias.conf.erb).
   And this doesn’t appear to be the only configuration file where it’s doing 
 this.
 
 I don’t want  to get into warring modules over who is going to be putting 
 what content into this file, and since they aren’t using Augeas to perform 
 this function, I don’t think that I can use Augeas myself to do 
 configuration-file-surgery on it after-the-fact.
 
 
 So, is there an easy solution here?  I really don’t want to have to fork the 
 puppetlabs-apache module and then have to explain why we can’t use the 
 standard puppet module for doing this kind of stuff, but I’ll do that if I 
 have to.
 
 I just would prefer to find a solution to this issue that allows me to avoid 
 that fight.
 
 
 Suggestions?  Thanks!
 
 --
 Brad Knowles b...@shub-internet.org
 LinkedIn Profile: http://tinyurl.com/y8kpxu
 

Hi Brad,

The puppetlabs/apache module has started using a pattern[1] where you
can override the template that they use with your own, though currently
this only applies to the template for httpd.conf. Would suggest adding
that type of functionality to the module, so that you can specify your
own templates. Given that the pattern already exists, Puppet Labs will
likely entertain your pull requests.

[1] - https://github.com/puppetlabs/puppetlabs-apache#conf_template

Best regards,
-g


-- 
Garrett Honeycutt
@learnpuppet
Puppet Training with LearnPuppet.com
Mobile: +1.206.414.8658



[Puppet Users] Re: puppetserver and LDAP terminus

2015-06-09 Thread Eric Sorenson
Hi Steve, thanks for tracking this down! The LDAP node terminus is a useful 
but pretty cobwebby corner of Puppet (IIRC it predates the existence of the 
External Node Classifier API which is what most sites are using now). So as 
you found its docs do not get a lot of love and there are no acceptance/CI 
tests that cover its use.

I have a couple of comments inline. Our education team ran across this 
issue, which is why I'm replying to a months-old thread. We're tracking it 
in JIRA at https://tickets.puppetlabs.com/browse/SERVER-711

On Tuesday, February 3, 2015 at 2:40:50 PM UTC-8, Steve Huston wrote:

> So, I've spent another day beating on this problem and finally
> achieved success.  We started with:
>
>   # puppetserver gem install ruby-ldap
>
> Nobody pointed out, either here or in the documentation, that when
> using puppetserver you have to use jruby-ldap instead.  Once I did
> that, the gem installed, yay!  But it still didn't work.  When the
> server attempted to do a lookup it would still report that the search
> failed, even though tcpdump showed it asking for the CN and getting
> the right answer.
>
> After quite a bit of prodding and help from a colleague I found that
> jruby-ldap does not have a to_hash method in LDAP::Entry.  This was
> confirmed by a bit of code and comment at the top of
>
> https://github.com/alibby/ldap_authenticated/blob/master/lib/ldap_authenticated.rb
  

> I inserted that code into the ruby module, since I would have to
> manually upgrade that but the puppetserver RPM might get upgraded (and
> wipe out that change), and got a little further.  Now, however, it
> failed with another error: Puppet Cannot reassign variable macaddress
> on node syrinx.astro.princeton.edu


It seems like the to_hash change would be better off as a patch to the 
upstream module vs a monkey-patch in Puppet. 
 


> On our old server running under passenger, if I look at
> /var/lib/puppet/yaml/node/syrinx.astro.princeton.edu I see there's
> both a macaddress and a macAddress, so I realized what's going on
> - the downcase in that code snippet is causing two facts to appear at
> once.


That's not great either :( 


> All in all, this tells me a few things:
>
> 1) The documentation for using LDAP with the new puppetserver needs to
> be updated to reflect not only that one must use 'jruby-ldap' (and
> puppetserver gem install at that) but that the tests listed (running
> ruby -rpuppet -e 'p Puppet.features.ldap?' and such) are incorrect as
> they will report 'true' if you have the gem installed through the
> normal system commands but puppetserver will not see it.


That's true. Would you be willing to work up a pull request against the 
puppet-docs repo with the things you've learned? The source markdown for 
the guide is here:

https://github.com/puppetlabs/puppet-docs/blob/master/source/guides/ldap_nodes.markdown
 


> 2) There needs to be a patch, perhaps somewhere in puppetserver, that
> makes sure the jruby-ldap LDAP::Entry class has a 'to_hash' method (or
> code around the necessity of needing it), for example:
>
> if RUBY_PLATFORM =~ /^java.*/i
>   class LDAP::Entry
>     def to_hash
>       h = {}
>       get_attributes.each { |a| h[a.to_sym] = self[a] }
>       h[:dn] = [dn]
>       h
>     end
>   end
> end


As I said, I think this would be better as an upstream patch to the 
jruby-ldap project, especially since you found another project that had to 
do the same thing.  Carrying individual monkey-patches against upstream 
projects is a practice that rarely ends well in my experience.

 

> 3) I discovered when I spun up my VM this morning that puppetserver
> failed to start because it wanted to create a /var/run/puppet (which
> it does not appear to actually use thereafter).  Since /var/run is on
> a tmpfs on RHEL7, and owned by root, yet the puppetserver process runs
> as user 'puppet', this will fail on every reboot.  Admittedly I'm not
> running the puppetlabs RPM, but our package maintainer does a very
> good job of making sure that the scripts and setups are duplicated if
> he rebuilds something - please correct me if the logic to recreate
> this directory is included somewhere and I can point it out to him to
> fix in our repository.


This one is fixed in Puppet Server 1.0.8 and 2.1.0: 
https://tickets.puppetlabs.com/browse/SERVER-336

--eric0
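
The missing to_hash and the macaddress/macAddress collision discussed in this message, as an added Ruby example that is not code from the thread, from Puppet or from jruby-ldap. StubEntry, the helper names and the sample data are assumptions made for illustration, and withholding colliding names is one possible policy, not what Puppet does.

```ruby
# Constructed stand-in for an entry object that, like the jruby-ldap
# LDAP::Entry described in the thread, has get_attributes, [] and dn but
# no to_hash. It is not the real jruby-ldap class.
class StubEntry
  attr_reader :dn

  def initialize(dn, attrs)
    @dn = dn
    @attrs = attrs
  end

  def get_attributes
    @attrs.keys
  end

  def [](name)
    @attrs[name]
  end
end

# Same conversion as the to_hash quoted in the thread, as a helper that
# defers to a native to_hash when the entry class already provides one.
def entry_to_hash(entry)
  return entry.to_hash if entry.respond_to?(:to_hash)

  h = {}
  entry.get_attributes.each { |a| h[a.to_sym] = entry[a] }
  h[:dn] = [entry.dn]
  h
end

# Names that become identical once case is folded, keyed by folded name.
def case_collisions(names)
  names.map(&:to_s).uniq.group_by(&:downcase).select { |_, g| g.size > 1 }
end

# Combine LDAP-derived parameters with facts. Names that collide after
# case folding are withheld from the result and reported instead.
def merge_parameters(entry_hash, facts)
  collisions = case_collisions(entry_hash.keys + facts.keys)
  withheld = collisions.values.flatten
  merged = {}
  entry_hash.merge(facts).each do |name, value|
    merged[name.to_s] = value unless withheld.include?(name.to_s)
  end
  [merged, collisions]
end

# Constructed sample data: hostname from the thread, other values made up.
SAMPLE_ENTRY = StubEntry.new('cn=syrinx,ou=Hosts,dc=example,dc=org',
                             { 'cn' => ['syrinx'], 'macAddress' => ['00:11:22:33:44:55'] })
SAMPLE_FACTS = { 'macaddress' => '00:11:22:33:44:55', 'osfamily' => 'RedHat' }.freeze

p merge_parameters(entry_to_hash(SAMPLE_ENTRY), SAMPLE_FACTS) if __FILE__ == $PROGRAM_NAME
```

Reporting the collision before the names reach the compiler shows which two spellings are involved, which the "Cannot reassign variable" error alone does not.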



[Puppet Users] Release 2.0.0 of abstractit-puppet with support for puppet 4

2015-06-09 Thread Pete Brown
Hi gang,

I just released version 2.0.0 of my abstractit-puppet module.
I have added support for puppet 4, puppetserver, the new all-in-one
collections and cfacter.
It also supports the new puppetserver under puppet 3.
It has many fixes and improvements and changes.

Check out the changelog for all the details.
https://forge.puppetlabs.com/abstractit/puppet/2.0.0/changelog

If you aren't aware of the module it is my take on managing puppet and
friends with puppet.
It doesn't do everything yet but it manages a significant portion of
your puppet server and each agent in your environments.


-- 
Pete Brown
Director and Primary Infrastructure Developer
Abstract IT Pty Ltd.



Re: [Puppet Users] where is PC1 for Debian Jessie?

2015-06-09 Thread Melissa Stone
On Tue, Jun 9, 2015 at 2:21 PM, Francois Lafont 
francois.lafont.1...@gmail.com wrote:

> Hello,
>
> On 09/06/2015 22:30, Kylo Ginsberg wrote:
>
> > We're planning to release the next puppet-agent drop on June 22nd and
> > that should include Jessie packages/repos.
>
> Thanks Kylo, this is good news. ;)
>
> Sorry if I change the subject a little (I suppose the thread is
> resolved) but do you know when the packages mcollective-*-agent
> and mcollective-*-client will be available in the Puppet4 PC1
> repositories?


We're including mcollective as a part of the puppet-agent package. All you
have to install is puppet-agent, and you'll have mcollective installed on
your machine!


> François Lafont





-- 
Melissa Stone
Release Engineer, Puppet Labs


Re: [Puppet Users] where is PC1 for Debian Jessie?

2015-06-09 Thread Louis Coilliot
Hello, many people are waiting for this, including me.

You can vote for the ticket here:

https://tickets.puppetlabs.com/browse/CPR-111

Please provide repository for Debian jessie

Some people also asked for it on the thread [Puppet Users] Announce:
Puppet 4 available!

That said, for me it works on Jessie with the repos meant for Wheezy:

deb http://apt.puppetlabs.com wheezy PC1

Regards,

Louis Coilliot


2015-06-09 14:28 GMT+02:00 Rachel Andrew rachelandre...@gmail.com:

> Hi all
>
> comments on this post
> https://puppetlabs.com/blog/say-hello-open-source-puppet-4 state that
> packages are available for Jessie, however they don't appear to be in the
> list at http://apt.puppetlabs.com/
>
> Does anyone know where the package might be?
>
> Rachel



[Puppet Users] where is PC1 for Debian Jessie?

2015-06-09 Thread Rachel Andrew
Hi all

comments on this post 
https://puppetlabs.com/blog/say-hello-open-source-puppet-4 state that 
packages are available for Jessie, however they don't appear to be in the 
list at http://apt.puppetlabs.com/

Does anyone know where the package might be?

Rachel



Re: [Puppet Users] PuppetDB doesn't work in Puppet 4: Error Executing http request

2015-06-09 Thread Ken Barber
> I am trying to use PuppetDB with a Puppet 4 server that I am testing. I have
> set it up as per the official docs but now I get this error when trying to
> do a Puppet run (it worked before adding PuppetDB):
>
> # puppet agent -t --noop
> Warning: Unable to fetch my node definition, but the agent run will
> continue:
> Warning: Error 400 on SERVER: Could not retrieve facts for
> ip-172-30-2-43.eu-west-1.compute.internal: Failed to find facts from
> PuppetDB at puppetdb.solutions.exmaple.co.uk:8081: Error executing http
> request
> Info: Retrieving pluginfacts
> Info: Retrieving plugin
> Info: Loading facts
> Error: Could not retrieve catalog from remote server: Error 400 on SERVER:
> Failed to submit 'replace facts' command for
> ip-172-30-2-43.eu-west-1.compute.internal to PuppetDB at
> puppetdb.solutions.example.co.uk:8081: Error executing http request
> Warning: Not using cache on failed catalog
> Error: Could not retrieve catalog; skipping run

The error is a little generic, do you have the error and stack trace
from the master process, so we can see what line of code is causing
this perhaps? Unfortunately the agent error is just a mirror of the
error on the server, you need to look into the master process to dig
further - potentially even turn on debugging. The puppetdb termini
will also log its actions as well in the master log, so it would be
good to see a full run here, where it breaks and the stack trace to
figure out why.

> I re-followed the instructions on a Puppet 3.8.1 master and PuppetDB worked
> as expected.
>
> DNS correctly resolves the hostname, security groups in AWS are open to
> allow the connection. The only differing factor between the two setups was
> the use of Puppet 4 for the one that is failing.

If you can provide the normal diagnostic info, like distro, version of
distro and exact version of all the elements (like puppetdb &
puppetdb-terminus) this might be useful.

Also - what does your /etc/puppet/puppetdb.conf file look like?

ken.



[Puppet Users] puppet get stuck for 75 seconds when triggered by mcollective

2015-06-09 Thread xin . miao89


When I use mco command like mco puppet runonce -v -F 
computer_ip='172.16.233.110', I found that it always takes about 75 seconds 
for puppet to complete its job. I checked the puppet_access log and it 
showed like this:

172.16.233.110 - - [08/Jun/2015:19:20:00 +0800] GET /test/node/test-account-110.web.test.glodon.com?transaction_uuid=3c74393e-2b84-4692-b14e-dcc6ccf46249&fail_on_404=true HTTP/1.1 200 4797 - -

172.16.233.110 - - [08/Jun/2015:19:21:13 +0800] POST /test/catalog/test-account-110.web.test.glodon.com HTTP/1.1 200 843 - -

172.16.233.110 - - [08/Jun/2015:19:21:15 +0800] PUT /test/report/test-account-110.web.test.glodon.com HTTP/1.1 200 20 - -

Every time it took about 75 seconds between GET and POST.

But if I do not use mco command and just run puppet agent, everything works 
fine.

I found that someone had raised a question which was exactly the same as 
mine in https://groups.google.com/forum/#!topic/puppet-users/XJQY4dDqj8w. I 
wonder if someone can give me some advice, this problem has puzzled me for 
a really long time. Thanks.



[Puppet Users] using vhost templates definitions in puppet

2015-06-09 Thread Tim Dunphy
Hey all,

 I have a few different templates that I'd like to use to generate some
apache configurations using definitions.


I have a standard vhost template that works quite well! However that's the
only one that works. Anytime I try to specify one of the other template
definitions I get an error.

These are my templates:

[root@puppet:/etc/puppet] #ls -l environments/production/modules/apache/templates/ | grep vhost
-rw-r--r--. 1 puppet puppet  1388 Apr 23 22:14 vhost_auth.conf.erb
-rw-r--r--. 1 puppet puppet  1352 Apr 23 22:14 vhost.conf.erb
-rw-r--r--. 1 puppet puppet  1350 Apr 23 22:14 vhost.conf.erb.bak
-rw-r--r--. 1 puppet puppet 11428 Apr 23 22:14 vhost_foswiki.conf.erb
-rw-r--r--. 1 puppet puppet  2678 Apr 23 22:14 vhost_trac.conf.erb

And if I use the standard vhost template in my definition, it works!

  apache::vhost { 'wiki.mydomain.com':
    port          => 80,
    docroot       => '/var/www/jf/wiki',
    ssl           => false,
    priority      => 001,
    serveraliases => ''
  }

And I get a clean puppet run!

If however I try to use my vhost_auth template, I am getting an error:


  apache::vhost_auth { 'wiki.mydomain.com':
    port          => 80,
    docroot       => '/var/www/jf/wiki',
    ssl           => false,
    priority      => 001,
    serveraliases => ''
  }

Error: Could not retrieve catalog from remote server: Error 400 on SERVER:
Puppet::Parser::AST::Resource failed with error ArgumentError: Invalid
resource type apache::vhost_auth at
/etc/puppet/environments/production/manifests/nodes.pp:47 on node
ops.jokefire.com
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

So how can I correctly specify any of my other vhost templates in the
definition so that it'll work?

Thanks!!
Tim





-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
