Re: [Puppet Users] Turn on strict_variables for an environment only

2015-07-03 Thread Henrik Lindberg

On 2015-25-06 5:37, david.lev...@netspot.com.au wrote:

> Hey All,
>
> We are looking at turning on strict variables, but want to do some
> checking/due diligence before on an environment before making it
> standard in prod.
> https://docs.puppetlabs.com/references/3.stable/configuration.html#strictvariables
>
> I can't see an option or the ability to enable this particular setting
> or exactly how to do it - is it possible?

The --strict_variables setting is not available as an environment 
specific setting. The best you can do (without using a separate master) 
is to use puppet master --compile and turn on the flag on the command line.


- henrik


> Cheers
> David
>
> --
> You received this message because you are subscribed to the Google
> Groups "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/063a7598-1e28-4949-bc35-8a7f36c01cfa%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.



--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Puppet 4 API, questions about custom functions and "data binding" in modules

2015-07-03 Thread Henrik Lindberg

On 2015-25-06 6:19, Francois Lafont wrote:

Hi,

Sorry again for my late answer.

On 17/06/2015 19:01, Henrik Lindberg wrote:


Functions in puppet are under /functions/ and not under 
/lib/puppet/functions (where only ruby functions should live).
You do not have to change the bindings - it just calls modulename::data() and 
does not know or care if it is implemented in ruby or puppet.


Ok.


Clear, with puppet 4 you should be able to do most things (+ merges hashes, you 
can concatenate arrays etc), the thing you cannot do is change variables, but 
you can always use local scopes, use the iterative functions etc. This reduces 
the need to have spaghetti logic and code that requires variables in the first 
place - i.e. a more functional approach.


Ok, indeed with Puppet 4 it's more flexible but sometimes
I find it's more simple to use ruby code with mutable variables.


Ok, I understand well the "function" paradigm but if it's just in order
to *read* a fact, for instance to just read the 'lsbdistcodename' fact
and put it in a variable, is it really a bad idea? Ok I can add a parameter
to my function `fct(a, b, lsbdistcodename)` but if I can avoid this and just
have `fct(a, b)` and just get the 'lsbdistcodename' fact value in the
function (just for reading), where is the problem in this specific case?


That is not a problem, it is a global variable so does not depend on calling 
context. In puppet:

function fct($a, $b) {
   # get a fact
   $facts[lsbdistcodename]
}


Ok, that's perfect.


What you want to avoid is creating dependencies - you want your modules to work 
independently (just it, and its dependencies) without making assumptions that 
certain data must be bound in hiera in a particular way across all environments.

As an example if you have a data function for modulea and want to give the 
default value - you could do:

function mymodule::data() {
   { thekey => lookup('network::ip') }
}

Now you depend on 'network::ip' existing in hiera and having a value.
You could specify a default value if the key is missing. Now you have a default 
value embedded in your module and if you need to change the default, you need 
to find all such places to change it.

If you instead make modulea depend on a module 'networking' and let networking 
contain the default values, you have specified something that is consistent in 
terms of dependencies (no need to add a default to the lookup). If you want to 
update the defaults for all usage of network::ip, create a new version of the 
network module.

If you need to override that in one environment, add an environment::data() 
function that returns the ip specific for that environment.

And, finally, in a pinch, if you need to change something across all 
environments Right Now (you need to do it right away and do not have time to 
make the code changes/check in etc.), then change the network::ip key in hiera.


Err... I'm not sure to well understand. I will explain below with a real 
example.


Ok, if I understand well with lookup function I allow overriding but
with module_b::data() this is not the case.


Not sure I understand what you are saying. The lookup function looks up the 
value in hiera, environment, module
- the looked up key with the highest precedence wins (by default). So overrides 
are possible. The data function
just specifies the data for what it is in (a module, or the environment)


If I understand well with lookup('foo::var') in the ::foo class, there will be
a look up:
- in hiera with the foo::var entry;
- in the environment with the environment::data() function (look up the value
of 'foo::var');
- in the foo module with the foo::data() function (look up the value of 
'foo::var').

Is it correct?



Yes, that is correct.


But what happens if I have just lookup('var') (ie the key is unqualified) in the
::foo class? Is there only a lookup in hiera? Because unqualified key seems to be
not allowed in a *::data() function?

Correct, not allowed in a module. It can only bind to names in the 
module's own namespace. In your environment you may bind any key.
Your environment can naturally also call functions in modules and 
arrange those contributions in any way it likes.



If you want to modularize in a good way, and use the style of "theme" and functional 
decomposition, then you want to avoid using hiera since it only looks up data across all 
environments. You have to start including the environment in your hierarchy and have hiera 
"dip into" environments to find data there.

You then only use hiera for installation specific overrides, and panic changes, 
everything else is data in modules and environments.


In fact, I'm not sure to understand well. I take an real example.
I have a "network" module with the ::network class:

-
class network ( $interfaces, ) {
   # Configure the file /etc/network/interfaces of a Debian host.
}
-

If I understand well I can set default

[Puppet Users] How to change not reports nodes from 30 days to 1 day?

2015-07-03 Thread staceytian4321
Hi guys,

I have a question about Puppet Dashboard report.

I am using open source Puppet 3.7.3 and Dashboard.

On puppet dashboard, I can check which nodes has not reported 
http://mypuppetmaster:3000/nodes/unreported

Daily run status 

Number and status of runs during the *last 30 days*:

— No runs found to report — 

Question: by default only nodes that have not reported in *last 30 days* 
will be listed there. 
Can I change this configuration to list nodes not reported in *1 day?*

Thanks,
Stacey




Re: [Puppet Users] Ordering without dependencies

2015-07-03 Thread R.I.Pienaar


- Original Message -
> From: "Daniel Dreier" 
> To: "puppet-users" 
> Sent: Friday, July 3, 2015 4:19:09 PM
> Subject: Re: [Puppet Users] Ordering without dependencies

>> On Jul 3, 2015, at 7:42 AM, R.I.Pienaar  wrote:
>> 
>> 
>> 
>> - Original Message -
>>> From: "Christopher Wood" 
>>> To: "puppet-users" 
>>> Sent: Friday, July 3, 2015 3:34:29 PM
>>> Subject: Re: [Puppet Users] Ordering without dependencies
>> 
>>>> On Fri, Jul 03, 2015 at 02:10:55PM +0100, R.I.Pienaar wrote:
>>>> hello,
>>>>
>>>> I am looking for a way to influence run order without also doing
>>>> dependencies.
>>>>
>>>> I have a case where I am removing a bit of software from my system and so
>>>> as is
>>>> typical things need to be done in a different order from creation,
>>>> crucially I
>>>> also do not really care if removal fails.  It should just try to remove
>>>> everything
>>>> independent of each other - but at least in a given order so there's some
>>>> chance
>>>> of it working.
>>> 
>>> I couldn't say about doing things without dependencies, but for uninstalling
>>> stuff I have wrapped everything in a giant if/then or had two different 
>>> classes
>>> doing different things.
>>> 
>>> class c1 ($un = false) {
>>> if str2bool($un) {
>>>   service { 'mys': ensure => stopped, enable => false }
>>>   package { 'myp': ensure => absent, }
>>> }
>>> else {
>>>   package { 'myp': }
>>>   service { 'mys': ensure => running, enable => true, require => 
>>> Package['myp'] }
>>> 
>>> }
>>> }
>>> 
>>> Once managing the service resource fails on every host (due to a lack of 
>>> init
>>> script from package removal) I amend the manifests. Filthy but it works.
>>> 
>>>> There seems to be no way to influence order which does not also imply a
>>>> requirement
>>>> and so today the only way this is achieved is by invoking puppet 3 times
>>>> with 3
>>>> different manifest files which seems horrible but that's the only way I
>>>> can find
>>>> to achieve this as well.
>>> 
>>> If you don't care about the service maybe just kill it?
>>> 
>>> class c2 {
>>> exec {'k': command => 'killall -9 mys || true', path => ['/bin', 
>>> '/usr/bin'], }
>>> package { 'myp': ensure => absent, require => Exec['k'], }
>>> }
>>> 
>>> (Using true because an exec fails on a non-zero exit status iirc.)
>> 
>> Yeah it's a bit more complex than just a service.  This manifest builds an
>> entire
>> hyperv cluster with n dependant servers, storage volumes, dns entries and so
>> forth
>> and so on, even virtual machine deployment.
>> 
>> On teardown I don't care what stays and go, just want to try my best to kill
>> things
>> 
>> So the resources in question are varied and custom and spread over multiple
>> hosts.
>> 
>> So rather than a specific solution that involves just killing this or that I 
>> am
>> after ideas for how to do so in a generic way with any kind of resource
>> 
> One relatively generic option would be to switch the ordering mode to use
> manifest ordering. I've never used it but it's been possible since 3.3ish. I
> believe you just set ordering=manifest in the agent's puppet.conf. A blog post
> introducing the functionality is at
> https://puppetlabs.com/blog/introducing-manifest-ordered-resources.
> 
> That would allow you to simply order the resources sequentially in the 
> manifest
> without establishing hard dependencies, while retaining the option to set
> dependencies if needed.

Indeed this is going to be the ultimate solution - once we're on that version of
puppet :(

What I really want is a way for resources to influence sorting only and not make
dependencies.

Manifest ordering does what I want - it orders one resource before another and 
does
not add relationships. I want parameters for that kind of non relational 
ordering.

I am though require surprised by the behaviour of notify.

  exec{"false": notify => Exec["true"]}
  exec{"true": }

Exec["true"] will never run because notify is a dependency.  

From a systems view if I had a machine already built with 10 PHP apps and I now
want to upgrade 1 of these apps that notifies a service and there's any kind of
thing wrong with this crappy php app manifest then suddenly my web server 
service
is unmanaged as it's failing as a side effect.

When the server is still in a position where the web server should be ensured up
or whatever.  Notify shouldn't always imply a requirement I guess.


Re: [Puppet Users] Ordering without dependencies

2015-07-03 Thread Daniel Dreier

> On Jul 3, 2015, at 7:42 AM, R.I.Pienaar  wrote:
> 
> 
> 
> - Original Message -
>> From: "Christopher Wood" 
>> To: "puppet-users" 
>> Sent: Friday, July 3, 2015 3:34:29 PM
>> Subject: Re: [Puppet Users] Ordering without dependencies
> 
>>> On Fri, Jul 03, 2015 at 02:10:55PM +0100, R.I.Pienaar wrote:
>>> hello,
>>> 
>>> I am looking for a way to influence run order without also doing 
>>> dependencies.
>>> 
>>> I have a case where I am removing a bit of software from my system and so 
>>> as is
>>> typical things need to be done in a different order from creation, 
>>> crucially I
>>> also do not really care if removal fails.  It should just try to remove
>>> everything
>>> independent of each other - but at least in a given order so there's some 
>>> chance
>>> of it working.
>> 
>> I couldn't say about doing things without dependencies, but for uninstalling
>> stuff I have wrapped everything in a giant if/then or had two different 
>> classes
>> doing different things.
>> 
>> class c1 ($un = false) {
>> if str2bool($un) {
>>   service { 'mys': ensure => stopped, enable => false }
>>   package { 'myp': ensure => absent, }
>> }
>> else {
>>   package { 'myp': }
>>   service { 'mys': ensure => running, enable => true, require => 
>> Package['myp'] }
>> 
>> }
>> }
>> 
>> Once managing the service resource fails on every host (due to a lack of init
>> script from package removal) I amend the manifests. Filthy but it works.
>> 
>>> There seems to be no way to influence order which does not also imply a
>>> requirement
>>> and so today the only way this is achieved is by invoking puppet 3 times 
>>> with 3
>>> different manifest files which seems horrible but that's the only way I can 
>>> find
>>> to achieve this as well.
>> 
>> If you don't care about the service maybe just kill it?
>> 
>> class c2 {
>> exec {'k': command => 'killall -9 mys || true', path => ['/bin', 
>> '/usr/bin'], }
>> package { 'myp': ensure => absent, require => Exec['k'], }
>> }
>> 
>> (Using true because an exec fails on a non-zero exit status iirc.)
> 
> Yeah it's a bit more complex than just a service.  This manifest builds an 
> entire
> hyperv cluster with n dependant servers, storage volumes, dns entries and so 
> forth
> and so on, even virtual machine deployment.
> 
> On teardown I don't care what stays and go, just want to try my best to kill 
> things
> 
> So the resources in question are varied and custom and spread over multiple 
> hosts.
> 
> So rather than a specific solution that involves just killing this or that I 
> am 
> after ideas for how to do so in a generic way with any kind of resource
> 
One relatively generic option would be to switch the ordering mode to use 
manifest ordering. I've never used it but it's been possible since 3.3ish. I 
believe you just set ordering=manifest in the agent's puppet.conf. A blog post 
introducing the functionality is at 
https://puppetlabs.com/blog/introducing-manifest-ordered-resources.

That would allow you to simply order the resources sequentially in the manifest 
without establishing hard dependencies, while retaining the option to set 
dependencies if needed. 



Re: [Puppet Users] Ordering without dependencies

2015-07-03 Thread Craig Dunn
On Fri, Jul 3, 2015 at 4:42 PM, R.I.Pienaar  wrote:

> On teardown I don't care what stays and go, just want to try my best to kill 
> things
>
> So the resources in question are varied and custom and spread over multiple 
> hosts.
>
> So rather than a specific solution that involves just killing this or that I 
> am
> after ideas for how to do so in a generic way with any kind of resource


I don't think you'll find a clean way of doing this - you are trying
to take a system that is built entirely around the concept of
enforcing a desired state and telling it to "try its best".   You
could do something batshit crazy with run stages but that would likely
be more trouble than it's worth.



-- 
Enviatics | Automation and configuration management
http://www.enviatics.com | @Enviatics
Puppet Training http://www.enviatics.com/training/



Re: [Puppet Users] Ordering without dependencies

2015-07-03 Thread Christopher Wood
On Fri, Jul 03, 2015 at 03:42:42PM +0100, R.I.Pienaar wrote:
> 
> 
> - Original Message -
> > From: "Christopher Wood" 
> > To: "puppet-users" 
> > Sent: Friday, July 3, 2015 3:34:29 PM
> > Subject: Re: [Puppet Users] Ordering without dependencies
> 
> > On Fri, Jul 03, 2015 at 02:10:55PM +0100, R.I.Pienaar wrote:
> >> hello,
> >> 
> >> I am looking for a way to influence run order without also doing 
> >> dependencies.
> >> 
> >> I have a case where I am removing a bit of software from my system and so 
> >> as is
> >> typical things need to be done in a different order from creation, 
> >> crucially I
> >> also do not really care if removal fails.  It should just try to remove
> >> everything
> >> independent of each other - but at least in a given order so there's some 
> >> chance
> >> of it working.
> > 
> > I couldn't say about doing things without dependencies, but for uninstalling
> > stuff I have wrapped everything in a giant if/then or had two different 
> > classes
> > doing different things.
> > 
> > class c1 ($un = false) {
> >   if str2bool($un) {
> >     service { 'mys': ensure => stopped, enable => false }
> >     package { 'myp': ensure => absent, }
> >   }
> >   else {
> >     package { 'myp': }
> >     service { 'mys': ensure => running, enable => true, require => Package['myp'] }
> >   }
> > }
> > 
> > Once managing the service resource fails on every host (due to a lack of 
> > init
> > script from package removal) I amend the manifests. Filthy but it works.
> > 
> >> There seems to be no way to influence order which does not also imply a
> >> requirement
> >> and so today the only way this is achieved is by invoking puppet 3 times 
> >> with 3
> >> different manifest files which seems horrible but that's the only way I 
> >> can find
> >> to achieve this as well.
> > 
> > If you don't care about the service maybe just kill it?
> > 
> > class c2 {
> >  exec {'k': command => 'killall -9 mys || true', path => ['/bin', 
> > '/usr/bin'], }
> >  package { 'myp': ensure => absent, require => Exec['k'], }
> > }
> > 
> > (Using true because an exec fails on a non-zero exit status iirc.)
> 
> Yeah it's a bit more complex than just a service.  This manifest builds an 
> entire
> hyperv cluster with n dependant servers, storage volumes, dns entries and so 
> forth
> and so on, even virtual machine deployment.
> 
> On teardown I don't care what stays and go, just want to try my best to kill 
> things
> 
> So the resources in question are varied and custom and spread over multiple 
> hosts.
> 
> So rather than a specific solution that involves just killing this or that I 
> am 
> after ideas for how to do so in a generic way with any kind of resource

Just rhubarbing along, but what about:

copying all the current environment into another environment
removing all the require/before/subscribe/notify metaparams
removing all the ensure metaparams
add a stack of resource defaults saying ensure => absent
(except for Service, which has true/false running/stopped not present/absent)
(might need to preserve puppet so it's the last to die)
agent runs in the other environment

Service { ensure => false }
Package { ensure => absent }
Hypervserver { ensure => absent }
...

Another thought, grabbing all the resource titles/types from your catalogs and 
generating a site.pp with ensure => absent as the only parameter for each 
resource.

Being ridiculous now, a single site.pp with a resources type for each type (and 
a stub puppet config!) you have:

resources { 't1': purge => true, }
resources { 't2': purge => true, }

On the other hand, since this is HyperV, maybe you can keep your removal 
manifests to the lower level stuff. Destroying all the low-level resources (VMs, 
storage pools, virtual switches) would take out everything at higher levels too.




Re: [Puppet Users] Ordering without dependencies

2015-07-03 Thread R.I.Pienaar


- Original Message -
> From: "Christopher Wood" 
> To: "puppet-users" 
> Sent: Friday, July 3, 2015 3:34:29 PM
> Subject: Re: [Puppet Users] Ordering without dependencies

> On Fri, Jul 03, 2015 at 02:10:55PM +0100, R.I.Pienaar wrote:
>> hello,
>> 
>> I am looking for a way to influence run order without also doing 
>> dependencies.
>> 
>> I have a case where I am removing a bit of software from my system and so as 
>> is
>> typical things need to be done in a different order from creation, crucially 
>> I
>> also do not really care if removal fails.  It should just try to remove
>> everything
>> independent of each other - but at least in a given order so there's some 
>> chance
>> of it working.
> 
> I couldn't say about doing things without dependencies, but for uninstalling
> stuff I have wrapped everything in a giant if/then or had two different 
> classes
> doing different things.
> 
> class c1 ($un = false) {
>   if str2bool($un) {
>     service { 'mys': ensure => stopped, enable => false }
>     package { 'myp': ensure => absent, }
>   }
>   else {
>     package { 'myp': }
>     service { 'mys': ensure => running, enable => true, require => Package['myp'] }
>   }
> }
> 
> Once managing the service resource fails on every host (due to a lack of init
> script from package removal) I amend the manifests. Filthy but it works.
> 
>> There seems to be no way to influence order which does not also imply a
>> requirement
>> and so today the only way this is achieved is by invoking puppet 3 times 
>> with 3
>> different manifest files which seems horrible but that's the only way I can 
>> find
>> to achieve this as well.
> 
> If you don't care about the service maybe just kill it?
> 
> class c2 {
>  exec {'k': command => 'killall -9 mys || true', path => ['/bin', 
> '/usr/bin'], }
>  package { 'myp': ensure => absent, require => Exec['k'], }
> }
> 
> (Using true because an exec fails on a non-zero exit status iirc.)

Yeah it's a bit more complex than just a service.  This manifest builds an 
entire
hyperv cluster with n dependant servers, storage volumes, dns entries and so 
forth
and so on, even virtual machine deployment.

On teardown I don't care what stays and go, just want to try my best to kill 
things

So the resources in question are varied and custom and spread over multiple 
hosts.

So rather than a specific solution that involves just killing this or that I am 
after ideas for how to do so in a generic way with any kind of resource



Re: [Puppet Users] Ordering without dependencies

2015-07-03 Thread Christopher Wood
On Fri, Jul 03, 2015 at 02:10:55PM +0100, R.I.Pienaar wrote:
> hello,
> 
> I am looking for a way to influence run order without also doing dependencies.
> 
> I have a case where I am removing a bit of software from my system and so as 
> is
> typical things need to be done in a different order from creation, crucially 
> I 
> also do not really care if removal fails.  It should just try to remove 
> everything
> independent of each other - but at least in a given order so there's some 
> chance
> of it working.

I couldn't say about doing things without dependencies, but for uninstalling 
stuff I have wrapped everything in a giant if/then or had two different classes 
doing different things.

class c1 ($un = false) {
  if str2bool($un) {
    service { 'mys': ensure => stopped, enable => false }
    package { 'myp': ensure => absent, }
  }
  else {
    package { 'myp': }
    service { 'mys': ensure => running, enable => true, require => Package['myp'] }
  }
}

Once managing the service resource fails on every host (due to a lack of init 
script from package removal) I amend the manifests. Filthy but it works.

> There seems to be no way to influence order which does not also imply a 
> requirement
> and so today the only way this is achieved is by invoking puppet 3 times with 
> 3
> different manifest files which seems horrible but that's the only way I can 
> find
> to achieve this as well.

If you don't care about the service maybe just kill it?

class c2 {
  exec {'k': command => 'killall -9 mys || true', path => ['/bin', '/usr/bin'], }
  package { 'myp': ensure => absent, require => Exec['k'], }
}

(Using true because an exec fails on a non-zero exit status iirc.)

> I tried:
> 
>   exec{"false": before => Exec["true"]}
>   exec{"true": }
> 
> This fails because before implies a requirement.
> 
> Surprisingly this also implies a requirement:
> 
>   exec{"false": notify => Exec["true"]}
>   exec{"true": }
> 
> Here the true exec is skipped when false exec fails, I really did not expect
> this to be the case
> 
> ---
> R.I.Pienaar
> 


Re: [Puppet Users] Exposing master to the public internet

2015-07-03 Thread Chris Spence
Without firewalling you're asking for trouble though if you ask me.

Take for example the certificate endpoint - the security model requires 
that the certificate request endpoint be open to unauthenticated access. 
 There are obvious denial of service possibilities there (fill up the disk 
with crufty requests, for example).

I'd find some way of running without a master, or if I had to run one on 
the public internet, implement some security at the network to filter 
requests.

On Friday, 3 July 2015 08:31:02 UTC+1, Craig Dunn wrote:
>
> On Thu, Jul 2, 2015 at 9:51 PM, Nik Haldimann  > wrote: 
>
> > However, my impression is that a puppet master is usually deployed 
> within a 
> > private networks (e.g., internal to a data center or as part of a 
> private 
> > VPC subnet on AWS). For my use case I would have to open the master to 
> the 
> > public internet. What are the implications of this? Is this recommended 
> or 
> > not? Are there specific settings I should be watching out for to make 
> this 
> > secure? 
>
> I can't think of any reason why it would be a bad idea to run Puppet 
> over a public network - The SSL features alone actually make it quite 
> suitable for this type of set up. You can also tweak auth.conf to 
> further secure it.  Two things which I would advise though are 1) 
> Don't autosign your certs, and 2) don't trust any facts from the 
> agent, if using things like certname in hiera.yaml or elsewhere always 
> source the value from a trusted facts 
> (https://docs.puppetlabs.com/puppet/latest/reference/lang_facts_and_builtin_vars.html#trusted-facts)
>
>
> Craig 
>
> Don't autosign your certs 
>
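
The advice quoted above about sourcing node identity from trusted facts rather than agent-supplied ones, as a manifest fragment. This is an added example, not code from the thread; it assumes Puppet 4, or Puppet 3.4+ with trusted_node_data = true on the master, and the `profile` module and file paths are hypothetical.

```puppet
# site.pp fragment (added example, not from the thread).
# Assumes $trusted is populated: Puppet 4, or Puppet 3.4+ with
# trusted_node_data = true in the master's puppet.conf.

# Agent-supplied: the node reports this itself, so a compromised or
# misconfigured agent can claim any name.
$claimed_name = $::clientcert

# Master-derived: taken from the client certificate the master verified.
$verified_name = $trusted['certname']

# 'remote' means the request was authenticated with a CA-signed certificate.
# ('local' is what puppet apply reports; false means unauthenticated.)
if $trusted['authenticated'] != 'remote' {
  fail("Not compiling: request authentication is '${trusted['authenticated']}'")
}

# A mismatch means the agent claims an identity its certificate does not
# back; stop rather than hand out another node's data.
if $claimed_name != $verified_name {
  fail("clientcert fact '${claimed_name}' does not match certificate name '${verified_name}'")
}

# Per-node material is keyed on the verified name only.
# The 'profile' module and this path layout are hypothetical.
file { '/etc/app/credentials.conf':
  ensure => file,
  owner  => 'root',
  group  => 'root',
  mode   => '0600',
  source => "puppet:///modules/profile/nodes/${verified_name}/credentials.conf",
}
```

The authentication check will also stop `puppet apply` runs, which report 'local'; drop it where the same manifest is applied locally.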



Re: [Puppet Users] Ordering without dependencies

2015-07-03 Thread R.I.Pienaar


- Original Message -
> From: "Craig Dunn" 
> To: "puppet-users" 
> Sent: Friday, July 3, 2015 2:47:53 PM
> Subject: Re: [Puppet Users] Ordering without dependencies

> On Fri, Jul 3, 2015 at 3:10 PM, R.I.Pienaar  wrote:
>> hello,
>>
>> I am looking for a way to influence run order without also doing 
>> dependencies.
>>
>> I have a case where I am removing a bit of software from my system and so as 
>> is
>> typical things need to be done in a different order from creation, crucially 
>> I
>> also do not really care if removal fails.  It should just try to remove
>> everything
>> independent of each other - but at least in a given order so there's some 
>> chance
>> of it working.
> 
> 
> There's also a parameter to exec called 'returns' that takes an array,
> so if you know what return codes are possible you can do...
> 
> exec { '/bin/false':
>  returns => [ '0', '1' ],
>  before => Exec['other'],
> }
> 
> and it will never fail the resource, I think that's cleaner than my
> other example.

yeah those will work for exec, unfort these include non exec stuff :(



Re: [Puppet Users] Ordering without dependencies

2015-07-03 Thread Craig Dunn
On Fri, Jul 3, 2015 at 3:10 PM, R.I.Pienaar  wrote:
> hello,
>
> I am looking for a way to influence run order without also doing dependencies.
>
> I have a case where I am removing a bit of software from my system and so as
> is typical things need to be done in a different order from creation,
> crucially I also do not really care if removal fails.  It should just try to
> remove everything independent of each other - but at least in a given order
> so there's some chance of it working.


There's also a parameter to exec called 'returns' that takes an array,
so if you know what return codes are possible you can do...

exec { '/bin/false':
  returns => [ '0', '1' ],
  before => Exec['other'],
}

and it will never fail the resource, I think that's cleaner than my
other example.

Craig


-- 
Enviatics | Automation and configuration management
http://www.enviatics.com | @Enviatics
Puppet Training http://www.enviatics.com/training/



Re: [Puppet Users] Ordering without dependencies

2015-07-03 Thread Craig Dunn
On Fri, Jul 3, 2015 at 3:10 PM, R.I.Pienaar  wrote:

>
> I tried:
>
>   exec{"false": before => Exec["true"]}
>   exec{"true": }
>
> This fails because before implies a requirement.

If you don't care about a failure, why not always mask it to be true?

exec { '/bin/remove mystuff; /bin/true':
   before => Exec['carry_on_regardless'],
}

exec { '/bin/carry_on_regardless': }


?

-- 
Enviatics | Automation and configuration management
http://www.enviatics.com | @Enviatics
Puppet Training http://www.enviatics.com/training/



[Puppet Users] Ordering without dependencies

2015-07-03 Thread R.I.Pienaar
hello,

I am looking for a way to influence run order without also doing dependencies.

I have a case where I am removing a bit of software from my system and so as is
typical things need to be done in a different order from creation, crucially I
also do not really care if removal fails.  It should just try to remove
everything independent of each other - but at least in a given order so there's
some chance of it working.

There seems to be no way to influence order which does not also imply a
requirement and so today the only way this is achieved is by invoking puppet 3
times with 3 different manifest files which seems horrible but that's the only
way I can find to achieve this as well.


I tried:

  exec{"false": before => Exec["true"]}
  exec{"true": }

This fails because before implies a requirement.

Surprisingly this also implies a requirement:

  exec{"false": notify => Exec["true"]}
  exec{"true": }

Here the true exec is skipped when false exec fails, I really did not expect
this to be the case

---
R.I.Pienaar



[Puppet Users] Re: Using Puppet 4 with external CA and single intermediate CA

2015-07-03 Thread Andreas Paul
Found a Puppet Server bug which sounds to me like the source of my problem: 
https://tickets.puppetlabs.com/browse/SERVER-346

On Thursday, July 2, 2015 at 6:36:52 PM UTC+2, Andreas Paul wrote:
>
> Hello there,
>
> I'm trying to bootstrap my new Puppet 4 environment with an external CA as 
> described here: 
> https://docs.puppetlabs.com/puppet/latest/reference/config_ssl_external_ca.html#option-2-single-intermediate-ca
>
> Here is the important part of the config:
>
> webserver.conf:
>> ...
>> ssl-cert : /etc/puppetlabs/puppet/ssl/certs/.pem
>> ssl-key : /etc/puppetlabs/puppet/ssl/private_keys/.pem
>> ssl-ca-cert : /etc/puppetlabs/puppet/ssl/certs/clientsca.pem
>> ssl-cert-chain : /etc/puppetlabs/puppet/ssl/certs/chain.pem
>> ssl-crl-path : /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem
>> ...
>>
>
> The chain.pem contains both the Root CA and the intermediate CA 
> certificates.
>
> A connection check with openssl works:
>
>> $ openssl s_client -verify 2 \
>>     -CAfile /etc/puppetlabs/puppet/ssl/certs/chain.pem \
>>     -cert /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem \
>>     -key /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem \
>>     -connect localhost:8140 2>/dev/null | grep Verify
>> Verify return code: 0 (ok)
>>
>
> and I also added ssl_client_ca_auth to the puppet.conf:
>
>> [main]
>> ssl_client_ca_auth = $certdir/chain.pem
>>
>
>
> The problem I have is that the client can not get the CRL for the 
> intermediate CA:
>
>> Warning: SSL_connect returned=1 errno=0 state=unknown state: certificate verify failed: [unable to get certificate CRL for /O=MyCompany/OU=MyUnit/CN=Puppet Clients CA]
>>
>
> When I try to replace /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem with a CRL 
> generated from the self-signed Root CA, I get:
>
>> Warning: SSL_connect returned=1 errno=0 state=unknown state: certificate verify failed: [unable to get certificate CRL for /CN=]
>>
>
> My theory is that I need to provide the Puppetserver both CRLs. One issued 
> by the Root CA, if the intermediate CA is still valid and one issued by the 
> intermediate CA if the client cert is still valid.
>
> I tried concatenating both CRLs into 
> /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem with different order, but the 
> Puppetserver seems to only use the first CRL found inside.
>
> Is there a way to provide the Puppetserver with both CRLs or is the single 
> intermediate CA architecture even supported with Puppet 4/Puppetserver?
>
> Thanks in advance!
>



Re: [Puppet Users] How to execute multiple script in puppet using bashrc file sourced.

2015-07-03 Thread ayyanar


On Thursday, July 2, 2015 at 3:25:42 PM UTC+5:30, Martin Alfke wrote:
>
> Hi, 
> On 02 Jul 2015, at 10:29, Ayyanar wrote:
>
> > 1. I am executing two shell scripts in puppet agent.
> > 2. In the first shell script, setting an env variable in the bashrc file.
> > Example: export  "JAVA_HOME=/opt/jdk1.8.0_45"  >> bashrc file, and I sourced
> > the bashrc file.
>
> Do not do this via an exec. Have you taken a look at file_line (from
> stdlib) or the inifile module from PuppetLabs?
> https://forge.puppetlabs.com/puppetlabs/stdlib
> https://forge.puppetlabs.com/puppetlabs/inifile
>
> > 3. In the second shell script, changing the permission for JAVA_HOME. The
> > permission is not changed. Once I logged in and logged out on the agent and
> > then ran the second script, the permission was changed.
>
> What kind of permission are you going to change?
> Permission on the directory?
> Please use the file resource type for managing directories.
>
> > How to change the permission without logging out on the agent? Or tell me
> > some solution to run multiple scripts and reflect the env variable in puppet.
>
> I suppose that you expect the second shell script to use the standard
> environment.
> This is not true. Puppet Exec resource type uses an empty environment.
>
> hth, 
> Martin 
>
Thanks
Martin. 
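
Martin's suggestions above, put together as an added example (not code from the original posts): `file_line` from stdlib for the variable, a `file` resource for the directory permissions, and the `environment` parameter to hand the variable to an exec, since exec never sources a bashrc. The bashrc path `/etc/bashrc`, the owner, group and mode values, and the script `/usr/local/bin/configure_java.sh` are assumptions.

```puppet
# Added example; only /opt/jdk1.8.0_45 comes from the thread.
$java_home = '/opt/jdk1.8.0_45'

# Keeps exactly one JAVA_HOME line in the file, instead of an exec that
# appends a new export on every run. Requires puppetlabs-stdlib.
file_line { 'java_home':
  path  => '/etc/bashrc',                      # assumed location
  line  => "export JAVA_HOME=${java_home}",
  match => '^export JAVA_HOME=',
}

# Ownership and mode of the JDK directory as a resource, not a chmod script.
# Root-owned and not group/world writable, so unprivileged users cannot
# replace the binaries that later execs run.
file { $java_home:
  ensure => directory,
  owner  => 'root',
  group  => 'root',
  mode   => '0755',
}

# The exec gets JAVA_HOME explicitly; it does not depend on any login shell
# having sourced the bashrc first.
exec { 'configure-java':
  command     => '/usr/local/bin/configure_java.sh',   # hypothetical script
  environment => ["JAVA_HOME=${java_home}"],
  path        => ['/usr/bin', '/bin'],
  refreshonly => true,
  subscribe   => File[$java_home],
}
```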



[Puppet Users] Re: how to access fact with host specific name like zone_vm5809_iptype

2015-07-03 Thread Andreas Dvorak
Thank you that is nice



[Puppet Users] puppet firewall module and more esoteric rules

2015-07-03 Thread Tom Boland

Hi all,

I've been looking at using the puppet firewall module to define the 
rules on a load balancer/proxy I'm working on.  Unfortunately, I don't 
think it's going to work, unless there's a workaround for the issue I've 
just found.


I'm looking at implementing the SYNPROXY guidelines in this RedHat article:

http://rhelblog.redhat.com/2014/04/11/mitigate-tcp-syn-flood-attacks-with-red-hat-enterprise-linux-7-beta/

I've attempted to implement a rule in iptables, and then use puppet 
resource to reverse engineer it into puppet, and this is the result:


$ iptables -t raw -I PREROUTING -i eth0 -p tcp -m tcp --syn --dport 80 -j CT --notrack

$ puppet resource firewall
firewall { '9001 7b01864cb3bb80b99a31bd1e24ec43e9':
  ensure             => 'present',
  chain              => '80',
  checksum_fill      => 'false',
  clamp_mss_to_pmtu  => 'false',
  dport              => ['CT'],
  iniface            => '--tcp-flags',
  isfragment         => 'false',
  jump               => '--notrack',
  kernel_timezone    => 'false',
  physdev_is_bridged => 'false',
  proto              => 'FIN,SYN,RST,ACK SYN',
  random             => 'false',
  rdest              => 'false',
  reap               => 'false',
  rsource            => 'false',
  rttl               => 'false',
  socket             => 'false',
  table              => 'raw',
  time_contiguous    => 'false',
}

As you may see, the parameters are a bit jumbled.  The chain has the 
value for the port, and the dport has the value for the jump, the 
protocol has various TCP packet types rather than just 'tcp' etc etc.


Would anyone be able to suggest a way around this?

For the moment I'll look into stopping the module purging existing 
rules and manage my SYNPROXY stuff outside of puppet.


Many thanks.  Tom.



Re: [Puppet Users] Exposing master to the public internet

2015-07-03 Thread Craig Dunn
On Thu, Jul 2, 2015 at 9:51 PM, Nik Haldimann  wrote:

> However, my impression is that a puppet master is usually deployed within a
> private network (e.g., internal to a data center or as part of a private
> VPC subnet on AWS). For my use case I would have to open the master to the
> public internet. What are the implications of this? Is this recommended or
> not? Are there specific settings I should be watching out for to make this
> secure?

I can't think of any reason why it would be a bad idea to run Puppet
over a public network - The SSL features alone actually make it quite
suitable for this type of set up. You can also tweak auth.conf to
further secure it.  Two things which I would advise though are 1)
Don't autosign your certs, and 2) don't trust any facts from the
agent, if using things like certname in hiera.yaml or elsewhere always
source the value from a trusted fact
(https://docs.puppetlabs.com/puppet/latest/reference/lang_facts_and_builtin_vars.html#trusted-facts)

Craig

Don't autosign your certs
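
The second point above, sketched as an added example (not part of the original post and not Puppet's own code): node-specific decisions keyed on `$trusted['certname']`, which the master takes from the verified certificate, instead of the agent-reported `$::clientcert`. The class names and the `lb` hostname pattern are hypothetical; on Puppet 3.x the `$trusted` hash assumes `trusted_node_data = true` on the master.

```puppet
# Added example; profile::* class names and example.com are hypothetical.
class profile::node_identity {
  # Taken by the master from the agent's verified certificate,
  # so the agent cannot set it to an arbitrary value.
  $verified_name = $trusted['certname']

  # 'remote' = authenticated with a certificate signed by the master's CA,
  # 'local'  = puppet apply, false = unauthenticated request.
  # On an internet-facing master only 'remote' should get a catalog.
  if $trusted['authenticated'] != 'remote' {
    fail("Refusing to compile for non-authenticated node '${verified_name}'")
  }

  # $::clientcert is whatever the agent says its certname is. A mismatch
  # means the node claims an identity its certificate does not back up.
  if $::clientcert != $verified_name {
    fail("clientcert '${::clientcert}' does not match certificate name '${verified_name}'")
  }

  # Classification and secrets keyed on the verified name only.
  case $verified_name {
    /^lb\d+\.example\.com$/: { include profile::loadbalancer }
    default:                 { include profile::base }
  }
}

# The same rule in hiera.yaml, on a Hiera version with dotted key access:
#   :hierarchy:
#     - "nodes/%{::trusted.certname}"   # rather than "nodes/%{::clientcert}"
#     - common
#
# And for the first point, in puppet.conf on the master:
#   [master]
#   autosign = false
```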



[Puppet Users] Re: how to access fact with host specific name like zone_vm5809_iptype

2015-07-03 Thread asq
On Friday, July 3, 2015 at 08:28:22 UTC+2, Andreas Dvorak wrote:
>
> Dear all,
>
> I would like to use the fact zone_vm5809_iptype, but vm5809 is specific to 
> the host vm5809.
> If this fact on any host is excl do something
>
> Can somebody please help me?
>
> I have tried:
> if ( $::zone_${::hostname}_iptype == 'excl')
> Could not match ${::hostname}_iptype
> or
> $hostname = $::hostname
> if ( $::zone_${hostname}_iptype == 'excl')
> Could not match ${hostname}_iptype
>
> Best regards
> Andreas
>

$local_zone = inline_template('<%= scope.lookupvar("zone_#{@hostname}_iptype") %>')
