[Puppet Users] /etc/puppetlabs/puppetserver/conf.d/auth.conf : want to use wildcards in certificate_request section

2017-04-17 Thread chris
Hi guys,

so I'm trying to restrict requests from known domains eg

   {
       # Allow nodes to request a new certificate
       match-request: {
           path: "/puppet-ca/v1/certificate_request"
           type: path
           method: [get, put]
       }
       allow: [ "*.dev.XXX.com", "*.dev.YYY.com" ]
       sort-order: 500
       name: "puppetlabs csr"
   },



having read puppet docs on hocon style files, inc arrays, wildcards etc.

However, when I try to use this, I get

Client:
Error: Could not request certificate: Error 403 on SERVER: Forbidden request: 
/puppet-ca/v1/certificate_request/a.b.com (method :get). Please see the server 
logs for details.



Server:
2017-04-13 03:20:42,855 ERROR [qtp1106686223-70] [p.t.a.rules] Forbidden 
request: 10.112.19.76 access to /puppet-ca/v1/certificate_request/a.b.com 
(method :get) (authenticated: false) denied by rule 'puppetlabs csr'.



Server version is 2.7.0 (puppet v4).

Can anybody help?

Thanks
Chris


-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/384ce816-ea37-45ca-aa8d-83a44f0bc732%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
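
Added example, not part of the original post and not Puppet Server's own code: a simplified Ruby model of how the posted rule is evaluated, showing why the logged request (`authenticated: false`) is denied. It assumes `allow` entries are compared only with the name from a verified client certificate and that `allow-unauthenticated` admits any client; helper names and the two extra requests are constructed.

```ruby
# Simplified model of how one auth.conf rule is evaluated. Helper names are
# hypothetical; this is not Puppet Server's implementation.

# "*.dev.example.com" matches any name ending in ".dev.example.com".
def name_matches?(pattern, name)
  pattern, name = pattern.downcase, name.downcase
  return name == pattern unless pattern.start_with?('*.')
  suffix = pattern[1..-1]
  name.length > suffix.length && name.end_with?(suffix)
end

def authorize(rule, request)
  # "type: path" is modelled as a literal prefix match on the request path.
  return :no_match unless request[:path].start_with?(rule[:path]) &&
                          rule[:methods].include?(request[:method])
  return :allowed if rule[:allow_unauthenticated]
  # Assumption: allow entries are compared with the client certificate name,
  # so a request without a verified certificate can never satisfy them.
  return :denied unless request[:authenticated]
  matched = Array(rule[:allow]).any? { |p| name_matches?(p, request[:cert_name]) }
  matched ? :allowed : :denied
end

CSR_PATH = '/puppet-ca/v1/certificate_request'

# The rule from the post.
POSTED_RULE = { path: CSR_PATH, methods: [:get, :put],
                allow: ['*.dev.XXX.com', '*.dev.YYY.com'] }.freeze
# Constructed comparison: same match-request, but allow-unauthenticated.
OPEN_RULE = { path: CSR_PATH, methods: [:get, :put],
              allow_unauthenticated: true }.freeze

# The request from the server log, plus two constructed requests.
LOGGED   = { path: "#{CSR_PATH}/a.b.com", method: :get,
             authenticated: false }.freeze
NEW_NODE = { path: "#{CSR_PATH}/web1.dev.XXX.com", method: :get,
             authenticated: false }.freeze
HAS_CERT = NEW_NODE.merge(authenticated: true,
                          cert_name: 'web1.dev.XXX.com').freeze

if __FILE__ == $PROGRAM_NAME
  [LOGGED, NEW_NODE, HAS_CERT].each do |req|
    puts "#{req[:path]} authenticated=#{req[:authenticated]} " \
         "-> #{authorize(POSTED_RULE, req)}"
  end
end
```

In this model the hostname in the request path is chosen by the client and is never consulted, so a node without a certificate is denied even when its name would match the wildcard.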


Re: [Puppet Users] Need Ruby help for facts (inline_template) --> <%= classes.collect { |k, v| v }.sort.join(" ") %> --> empty

2017-04-17 Thread Denny Fuchs
hi,

what is very interesting:

If I go back to my old 

  vars=> hiera_hash('icinga_vars', {}),

and add to hieradata/common.yaml 

  puppet_classes: "%{::classes}"

then I get back all classes, but with the "["  "]" 

 vars.puppet_classes = "["settings",  "augeas::files"]"

So, it seems, that only the classes are listed, which are from the manifest 
of my class "profile::icinga2::agent", which is included via "include 
profile::icinga2::agent" in the node manifest.

cu denny



Re: [Puppet Users] Need Ruby help for facts (inline_template) --> <%= classes.collect { |k, v| v }.sort.join(" ") %> --> empty

2017-04-17 Thread Denny Fuchs

hi Derek,


Am Montag, 17. April 2017 21:50:37 UTC+2 schrieb Derek Harkness:
>
> In your example it looks like classes is an array not a hash.  Should be 
> able to just do classes.join(" ").
>
> Derek
>
>
I tried it, as the "module" example uses only  .join. It works only for a 
few classes (13 in numbers):

+  vars.puppet_classes = "base::root::password host.domain.local icinga2 
icinga2::config icinga2::feature::api icinga2::feature::checker 
icinga2::feature::mainlog icinga2::install icinga2::params icinga2::repo 
icinga2::service profile::icinga2::agent settings"

but 

facter -p classes --yaml | wc -l
96

so I have over 90 classes which are not shown. Very strange. Is there a 
limit ?

cu denny



Re: [Puppet Users] Need Ruby help for facts (inline_template) --> <%= classes.collect { |k, v| v }.sort.join(" ") %> --> empty

2017-04-17 Thread Derek Harkness
In your example it looks like classes is an array not a hash.  Should be able 
to just do classes.join(" ").

Derek

> On Apr 17, 2017, at 00:46, Denny Fuchs  wrote:
> 
> Hello,
> 
> for my Icinga2, I want to add all classes to vars, like described in 
> https://goo.gl/z798HG (page 41). I added the sjoeboo/puppet-common module, 
> which gives me all classes as a fact:
> 
> facter -p classes
> ["settings", "host.foo.local", "base::root::password", "icinga2::params", 
> "icinga2", ... ]
> 
> facter -p classes  --yaml
> ---
>   classes:
> - settings
> - host.foo.local
> - "base::root::password"
> - "icinga2::params"
> - icinga2
> 
> I tried the line:
> 
> [...]
> puppet_classes => inline_template(
> '<%= classes.collect { |k, v| v }.sort.join(" ") %>'
> ),
> [...]
> 
> so that in the end...
> 
> vars.settings
> vars.host.foo.local
> vars.base
> vars.icinga2
> 
> is generated for the Icinga2 monitoring host. But in my case, the following 
> is generated instead:
> 
> +  vars.puppet_classes = ""
> 
> 
> Maybe, the howto is a bit older and the syntax was changed a bit. We use the 
> Puppet 3.7.2-4 agent.
> 
> Any suggestions are very welcome :-)
> 
> cu denny
> 


[Puppet Users] SQL server install express / enterprise

2017-04-17 Thread Ryan Vande
I want to install this on my test env at home but I don't have access to 
en_sql_server_2012_enterprise_edition_x86_x64 without having a Microsoft 
subscription, which costs money.

Can I just use express edition for my test environment? Then use the same 
puppet code within my Org where they use enterprise edition?

I ask because I don't know enough about SQL and/or the differences between 
express and enterprise editions

I need to install SQL server
I need to setup multiple test instances
I need to install some features as well [Fulltext, SQLEngine, IS, MD5,SSMS] 
<-- don't know if these are even valid features, don't quote me



[Puppet Users] Re: Need Ruby help for facts (inline_template) --> <%= classes.collect { |k, v| v }.sort.join(" ") %> --> empty

2017-04-17 Thread Denny Fuchs
hi,

I tried to use ".each" instead of ".collect" in the inline_template and 
then I get "some" output, but only a few classes and not all:

+  vars.puppet_classes = "base::root::password icinga2 icinga2::config 
icinga2::feature::api icinga2::feature::checker icinga2::feature::mainlog 
icinga2::install icinga2::params icinga2::repo icinga2::service 
profile::icinga2::agent settings"

instead of ~30.

strange.



[Puppet Users] Puppet lighttpd module

2017-04-17 Thread Afaq Babar
Hi All,
I have just started to learn puppet. I want to write lighttpd 
module. I have written manifests such as init.pp and install.pp, 
services.pp and config.pp. Now I want to write configuration files in file 
directory. I have already downloaded lighttpd. 
What shall be my next step ?

Regards,

Afaq 



[Puppet Users] Puppet install NSCP-x64.msi with error is not valid 32 application: Create Process

2017-04-17 Thread Phu Thinh Le
The Puppet master transfers the file to the Windows Server fine, but the exec 
that installs this file fails with the message:  is not valid 32 application: 
Create Process

But when I go to this Windows Server and install the file from CMD, it is OK.

Maybe I'm missing something? Please tell me.



Re: [Puppet Users] puppetlabs-firewall rspec

2017-04-17 Thread brian mancuso
Thanks Trevor! That was exactly the kind of thing we were looking for.

On Thursday, April 13, 2017 at 8:54:20 PM UTC-4, Trevor Vaughan wrote:
>
> Hi Brian,
>
> You can get ahold of the catalog directly by using the 'catalogue' object.
>
> See the following for an example:
>
>
> https://github.com/simp/pupmod-simp-auditd/blob/master/spec/classes/config/audit_profiles/simp_spec.rb#L85
>
> Thanks,
>
> Trevor
>
> On Wed, Apr 12, 2017 at 9:20 AM, brian mancuso wrote:
>
>> Hey guys,
>>
>> My group has been working on deploying puppet to existing servers and 
>> newer servers. During this time practices have naturally changed and we're 
>> trying to write tests to ensure that when we migrate from one way of 
>> writing firewall rules to another, we don't miss any. So here's some 
>> background and an example of what we're trying to do.
>>
>> Old rules:
>>  
>>   firewall { '018 accept TCP-1521 from 10.96.0.0/24':
>>     source => '10.96.0.0/24',
>>     dport  => [1521],
>>     state  => 'NEW',
>>     proto  => 'tcp',
>>     action => 'accept',
>>   }
>>   firewall { '018 accept TCP-1521 from 10.32.0.0/11':
>>     source => '10.32.0.0/11',
>>     dport  => [1521],
>>     state  => 'NEW',
>>     proto  => 'tcp',
>>     action => 'accept',
>>   }
>>   firewall { '018 accept TCP-1521 from 10.64.0.0/25':
>>     source => '10.64.0.0/25',
>>     dport  => [1521],
>>     state  => 'NEW',
>>     proto  => 'tcp',
>>     action => 'accept',
>>   }
>>
>>
>> To replace repetitive stuff like this amongst the classes, we have the 
>> following method:
>>
>> define profiles::base::firewall_rule ($order = '030',
>>   $dport  = undef,
>>   $port   = undef,
>>   $proto  = 'tcp',
>>   $chain  = 'INPUT',
>>   $action = 'accept',
>>   $state  = undef,
>> )
>> {
>>   if ($dport) {
>>     if ($state) {
>>       firewall { "${order} ${action} ${dport} traffic from ${name}":
>>         source => $name,
>>         dport  => $dport,
>>         proto  => $proto,
>>         action => $action,
>>         chain  => $chain,
>>         state  => $state,
>>       }
>>     } else {
>>       firewall { "${order} ${action} ${dport} traffic from ${name}":
>>         source => $name,
>>         dport  => $dport,
>>         proto  => $proto,
>>         action => $action,
>>         chain  => $chain,
>>       }
>>     }
>>   } elsif ($port) {
>>     if ($state) {
>>       # $state was given: pass it through, as in the $dport branch
>>       firewall { "${order} ${action} ${port} traffic from ${name}":
>>         source => $name,
>>         port   => $port,
>>         proto  => $proto,
>>         action => $action,
>>         chain  => $chain,
>>         state  => $state,
>>       }
>>     } else {
>>       firewall { "${order} ${action} ${port} traffic from ${name}":
>>         source => $name,
>>         port   => $port,
>>         proto  => $proto,
>>         action => $action,
>>         chain  => $chain,
>>       }
>>     }
>>   }
>> }
>>
>> So now in the original class we can just have this:
>>
>>   profiles::base::firewall_rule{ $db_access:
>>     dport => [1521],
>>     state => 'NEW',
>>   }
>>
>> With the hiera file for the node:
>>
>> profiles::banner::database::samplenode::db_access:
>>   - 10.96.0.0/24
>>   - 10.32.0.0/11
>>   - 10.64.0.0/25
>>
>> Anyway, with the background information, we need to verify (preferably 
>> with rspec) that the node has a firewall rule given a certain 
>> port/protocol/state/etc. The rspec tests examples we've found and the 
>> original tests we had are all based on the firewall name. Sure we could 
>> change the new system to try and match the old names, but that kind of 
>> testing doesn't seem as effective since the name itself could be anything. 
>> We want to test the firewall rule's parameters.
>>
>> Does anyone have an example of how we could do this? 
>>
>> This is a snippet of what we have, but like I said, it tests via name, 
>> which is not what we want. This only tests that the new rule exists. We 
>> can't use it against both the new rules and the old rules. We want to have 
>> complete coverage on the old rules, then migrate to the new rules and 
>> verify that the new rules meet the tests.
>>
>> require 'spec_helper'
>> describe "profiles::samplenode" do
>>   on_supported_os.each do |os, facts|
>>     context "on #{os}" do
>>       let(:facts) do
>>         facts.merge({
>>           :hostname   => 'samplenode',
>>           :apptier    => 'production',
>>           :clientcert => 'samplenode.example.com',
>>         })
>>       end
>>       it { should create_firewall("030 accept 1521 traffic from 10.96.0.0/24") }
>>       it { should create_firewall("030 accept 1521 traffic from 10.32.0.0/11") }
>>       it { should create_firewall("030 accept 1521 traffic from 10.64.0.0/25") }
>>     end
>>   end
>> end
>>
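
Added example, not from the thread or from the linked SIMP spec: one way to check firewall rules by their parameters instead of by title, which is what access to the `catalogue` object makes possible. `FakeResource`, `FakeCatalogue` and the helper names are constructed for illustration; the helpers use only `resources`, `type` and `[]`, which the resources in an rspec-puppet catalogue also provide.

```ruby
# Constructed stand-ins for catalogue resources so the helpers run offline.
class FakeResource
  attr_reader :type, :title
  def initialize(type, title, params)
    @type, @title, @params = type, title, params
  end

  def [](key)
    @params[key]
  end
end
FakeCatalogue = Struct.new(:resources)

# Treat 1521, '1521' and [1521] as the same value; nil becomes "not set".
def normalize(value)
  Array(value).map(&:to_s).sort
end

# Firewall resources whose parameters include all of `expected`; title ignored.
def firewall_rules_matching(catalogue, expected)
  catalogue.resources.select do |res|
    res.type == 'Firewall' &&
      expected.all? { |key, want| normalize(res[key]) == normalize(want) }
  end
end

# Sources from the hiera list that no matching rule covers.
def missing_sources(catalogue, sources, expected)
  sources.reject do |src|
    firewall_rules_matching(catalogue, expected.merge(source: src)).any?
  end
end

SOURCES  = ['10.96.0.0/24', '10.32.0.0/11', '10.64.0.0/25'].freeze
EXPECTED = { dport: 1521, proto: 'tcp', state: 'NEW', action: 'accept' }.freeze

# Build one constructed Firewall resource with the parameters from the post.
def rule(title, source, extra = {})
  FakeResource.new('Firewall', title,
                   { source: source, dport: [1521], proto: 'tcp',
                     state: 'NEW', action: 'accept' }.merge(extra))
end

OLD = FakeCatalogue.new(SOURCES.map { |s| rule("018 accept TCP-1521 from #{s}", s) })
NEW = FakeCatalogue.new(SOURCES.map { |s| rule("030 accept 1521 traffic from #{s}", s, chain: 'INPUT') })
# Constructed regression: the last rule lost its `state` during migration.
BAD = FakeCatalogue.new(NEW.resources[0, 2] +
  [rule("030 accept 1521 traffic from #{SOURCES[2]}", SOURCES[2], chain: 'INPUT', state: nil)])
```

Inside an rspec-puppet example the same check would be `expect(missing_sources(catalogue, sources, expected)).to be_empty`, which passes for both naming schemes and fails when a rule silently loses a parameter such as `state`.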

[Puppet Users] Need Ruby help for facts (inline_template) --> <%= classes.collect { |k, v| v }.sort.join(" ") %> --> empty

2017-04-17 Thread Denny Fuchs
Hello,

for my Icinga2, I want to add all classes to vars, like described in 
https://goo.gl/z798HG (page 41). I added the sjoeboo/puppet-common module, 
which gives me all classes as a fact:

facter -p classes
["settings", "host.foo.local", "base::root::password", "icinga2::params", 
"icinga2", ... ]

facter -p classes  --yaml
---
  classes:
- settings
- host.foo.local
- "base::root::password"
- "icinga2::params"
- icinga2

I tried the line:

[...]
puppet_classes => inline_template(
'<%= classes.collect { |k, v| v }.sort.join(" ") %>'
),
[...]

so that in the end...

vars.settings
vars.host.foo.local
vars.base
vars.icinga2

is generated for the Icinga2 monitoring host. But in my case, the following 
is generated instead:

+  vars.puppet_classes = ""


Maybe, the howto is a bit older and the syntax was changed a bit. We use 
the Puppet 3.7.2-4 agent.

Any suggestions are very welcome :-)

cu denny
