[Puppet Users] Re: puppetdb - WITH inactive_nodes AS (SELECT certname

2018-08-20 Thread zachary . kent
Hi Steve, 

The query you posted looks like the inactive_nodes CTE that's used as a 
default filter which strips inactive or deactivated nodes from the 
response. As far as I know it should show up on any query and I don't think 
it's related to gc in this case. 

On Monday, August 20, 2018 at 5:03:28 AM UTC-7, Steve Traylen wrote:
>
>
>
> Hi,
>
> We recently upgraded to puppetdb 4.4.
>
> There is a query that takes a while to run, 3 or 4 minutes, though we are 
> unsure of why it is even running.
>
> The query below looks related to some kind of clean up or garbage 
> collection however this particular puppetdb node has two relevant 
> properties:
>
> * gc-interval is set to 0 and indeed there are no gc events in the logs.
> * This particular node only receives /pdb/query requests and no /pdb/cmd 
> requests. We have always and still do dedicate nodes to command and query 
> traffic by redirection at haproxy level.
>
> What is the action that triggers the query below?
>
> WITH inactive_nodes AS (SELECT certname FROM certnames WHERE (deactivated 
> IS NOT NULL OR expired IS NOT NULL)) SELECT fs.certname AS certname, 
> fp.name AS name, f.value AS value FROM factsets fs INNER JOIN facts f ON 
> fs.id = f.factset_id INNER JOIN fact_paths fp ON f.fact_path_id = fp.id 
> INNER JOIN value_types vt ON vt.id = f.value_type_id LEFT JOIN 
> environments env ON fs.environment_id = env.id WHERE (fp.depth = 0 AND 
> (fs.certname) in ( (SELECT fs.certname AS certname FROM factsets fs 
> INNER JOIN facts f ON fs.id = f.factset_id INNER JOIN fact_paths fp ON 
> f.fact_path_id = fp.id INNER JOIN value_types vt ON f.value_type_id = 
> vt.id LEFT JOIN environments env ON fs.environment_id = env.id WHERE (
> vt.id <> 5 AND ((fp.path = $1) AND (f.value_string = $2 ) ) AND 
> ((fs.certname) in ( (SELECT fs.certname AS certname FROM factsets fs INNER 
> JOIN facts f ON fs.id = f.factset_id INNER JOIN fact_paths fp ON 
> f.fact_path_id = fp.id INNER JOIN value_types vt ON f.value_type_id = 
> vt.id LEFT JOIN environments env ON fs.environment_id = env.id WHERE (
> vt.id <> 5 AND ((fp.path = $3) AND (f.value_string = $4 ) )) AND ((
> fp.name = $5) OR (fp.name = $6))) AND NOT ((fs.certname) in ( (SELECT 
> inactive_nodes.certname AS certname FROM inactive_nodes) ) )))
>
> Steve Traylen.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/ac4beffa-27f0-41d8-9914-0ff34805da36%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [Puppet Users] old puppetdb-terminus version no longer available in ubuntu precise apt repo

2018-08-20 Thread Michael Liao
Great, I see my package in here, thanks.

On Monday, August 20, 2018 at 12:46:14 PM UTC-7, Branan Purvine-Riley wrote:
>
> Hi Michael,
>
> We've started archiving very old packages to simplify our repositories. 
> The announcement was made a couple of weeks ago: 
> https://groups.google.com/d/msgid/puppet-dev/95465939-3051-e98c-7e22-8448c8a6dcce%40puppet.com
>
> On Mon, Aug 20, 2018 at 12:42 PM Michael Liao wrote:
>
>> Hi,
>>
>> We've been pinning our puppet setup to puppetdb-terminus 1.1.1-1 in the 
>> precise apt repo for quite some time now, but I now noticed that package is 
>> no longer available in the precise pool. Is this intentional? 1.1.1-1 is 
>> still listed in the Packages list in the same repo. The precise pool only 
>> has 1.4+ now.
>>
>> http://apt.puppetlabs.com/dists/precise/main/binary-amd64/Packages  
>> (puppetdb-terminus 1.1.1-1 is listed here)
>> http://apt.puppetlabs.com/pool/precise/main/p/puppetdb/ 
>> (puppetdb-terminus 1.1.1-1 is no longer available here)
>>
>> Thanks,
>> Michael
>>
> -- 
> Regards,
>
> Branan Riley
> Senior Software Engineer, Puppet inc.
>



Re: [Puppet Users] old puppetdb-terminus version no longer available in ubuntu precise apt repo

2018-08-20 Thread Branan Riley
Hi Michael,

We've started archiving very old packages to simplify our repositories. The
announcement was made a couple of weeks ago:
https://groups.google.com/d/msgid/puppet-dev/95465939-3051-e98c-7e22-8448c8a6dcce%40puppet.com

On Mon, Aug 20, 2018 at 12:42 PM Michael Liao  wrote:

> Hi,
>
> We've been pinning our puppet setup to puppetdb-terminus 1.1.1-1 in the
> precise apt repo for quite some time now, but I now noticed that package is
> no longer available in the precise pool. Is this intentional? 1.1.1-1 is
> still listed in the Packages list in the same repo. The precise pool only
> has 1.4+ now.
>
> http://apt.puppetlabs.com/dists/precise/main/binary-amd64/Packages
> (puppetdb-terminus 1.1.1-1 is listed here)
> http://apt.puppetlabs.com/pool/precise/main/p/puppetdb/
> (puppetdb-terminus 1.1.1-1 is no longer available here)
>
> Thanks,
> Michael
>
>
-- 
Regards,

Branan Riley
Senior Software Engineer, Puppet inc.



[Puppet Users] old puppetdb-terminus version no longer available in ubuntu precise apt repo

2018-08-20 Thread Michael Liao
Hi,

We've been pinning our puppet setup to puppetdb-terminus 1.1.1-1 in the 
precise apt repo for quite some time now, but I now noticed that package is 
no longer available in the precise pool. Is this intentional? 1.1.1-1 is 
still listed in the Packages list in the same repo. The precise pool only 
has 1.4+ now.

http://apt.puppetlabs.com/dists/precise/main/binary-amd64/Packages  
(puppetdb-terminus 1.1.1-1 is listed here)
http://apt.puppetlabs.com/pool/precise/main/p/puppetdb/ (puppetdb-terminus 
1.1.1-1 is no longer available here)

Thanks,
Michael



[Puppet Users] Re: Need help with sytnax for augeasproviders_pam and position parameter

2018-08-20 Thread David Lutterkort
Hi,

Yes, what you need to do is possible. See below.

On Friday, August 17, 2018 at 3:39:44 AM UTC-7, T-Bear wrote:
>
> Hello, I'm trying this group to get help with the syntax for 
> augeasproviders_pam and the position parameter.
> Yes, I did try google (for several days now), and the Puppet IRC channel 
> twice (which was pretty much as typing to /dev/null)
> I cannot find out how to write a bit more complex xpath expressions for 
> augeasproviders_pam.
>
>
> Hopefully someone with some knowledge of augeasproviders_pam can help.
>
>
> The case is that I need to add a pam entry to system-auth and place it 
> before one or more other entries.
>
> Placing the new 'pam_xxx' before one specific entry is easy, and google 
> helps a lot on how to do this:
>
> pam { 'Add pam_ to system-auth':
>   ensure    => positioned,
>   service   => 'system-auth',
>   type      => 'auth',
>   control   => 'requisite',
>   module    => 'pam_.so',
>   arguments => ['arg1=value1','arg2=value2'],
>   position  => 'before *[type="auth" and module="pam_unix.so"]',
> }
>
> But how would one go about when what you really want is before module 
> pam_unix.so and.. if it exists this other module also.. and if there was a 
> third optional module.. then also add it before that... 
>
> The xpath syntax for that is not clear to me, does anyone know if this is 
> possible?
>
>
> Something like this doesn't work:
> position => 'before *[type="auth" and module="pam_unix.so" and 
> module="secondoptionalmodule" and module="thirdoptionalmodule"]',
>
>
> Neither does this:
> position => 'before *[type="auth" and module="pam_unix.so" and * 
> [module="secondoptionalmodule" and module="thirdoptionalmodule"]]',
>
>
>
> So the question is, is it possible to do something like this:
>
> In section Auth
>   Put new entry above modules:
>  pam_unix
>  pam_optional_1
>  pam_optional_2
>
> or is my only option to always put it after pam_env.so.. resulting that it 
> may be put too high up in the pam file?
>

The trick is that you want to do this in two steps: first, pick out all the 
possible places where it could go, and second, tell the provider to use the 
first of those. This will look something like  'before *[complicated 
condition to find all possible places][1]' - you can string predicates 
enclosed in '[..]' together and they apply to whatever was found in the 
previous predicates; the way path expressions get evaluated is that we 
first collect all matching nodes and then filter them by the conditions in 
the first '[..]', then filter that by the conditions in the second '[..]' 
etc. The nodes in that set are kept in the order in which they were 
initially found, which means that the '[1]' at the end means 'the first one 
of the possibilities as it appears in the file'

In your case, what should work is 'before *[type = "auth" and (module = 
"pam_unix.so" or module = "pam_optional_1.so" or module = 
"pam_optional_2.so")][1]'

David
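
The two-step selection described in the reply above, as an added Python illustration that is not part of the original thread and is not augeasproviders_pam code. The sample file contents and the module name `pam_example.so` are constructed; the model only mimics "filter by the first predicate, then take `[1]` in file order".

```python
# Added illustration (not augeasproviders_pam code): models how chained
# path predicates filter PAM entries in file order.

# Constructed sample of a system-auth style file.
SAMPLE = """\
auth     required    pam_env.so
auth     sufficient  pam_optional_2.so
auth     sufficient  pam_unix.so nullok
auth     required    pam_deny.so
account  required    pam_unix.so
"""

ANCHORS = ("pam_unix.so", "pam_optional_1.so", "pam_optional_2.so")


def parse_pam(text):
    """Parse simple 'type control module [args]' lines, keeping file order."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        entries.append({"type": fields[0], "control": fields[1],
                        "module": fields[2], "arguments": fields[3:]})
    return entries


def select(entries, *steps):
    """Apply steps left to right: a callable filters, an int N keeps the Nth."""
    nodes = list(range(len(entries)))      # '*': every entry, in file order
    for step in steps:
        if isinstance(step, int):
            nodes = nodes[step - 1:step]   # positional predicate, 1-based
        else:
            nodes = [i for i in nodes if step(entries[i])]
    return nodes


def all_modules(entry):
    """The 'and' form from the question: one entry must equal every module."""
    return entry["type"] == "auth" and all(entry["module"] == m for m in ANCHORS)


def any_module(entry):
    """The 'or' form from the answer: any one of the anchor modules."""
    return entry["type"] == "auth" and entry["module"] in ANCHORS


def insert_before_first_anchor(entries, new_entry):
    """Equivalent of 'before *[type = "auth" and (... or ...)][1]'."""
    hits = select(entries, any_module, 1)
    if not hits:
        raise LookupError("no anchor entry present in the auth stack")
    return entries[:hits[0]] + [new_entry] + entries[hits[0]:]


if __name__ == "__main__":
    stack = parse_pam(SAMPLE)
    new = {"type": "auth", "control": "requisite",
           "module": "pam_example.so", "arguments": []}  # hypothetical module
    print(select(stack, all_modules))        # no entry has three modules
    print(select(stack, any_module))         # every possible anchor
    for e in insert_before_first_anchor(stack, new):
        print(e["type"], e["control"], e["module"], *e["arguments"])
```

The `and` form selects nothing because a single entry has only one `module` value, which is why the provider finds no place to insert; the `or` form followed by `[1]` always resolves to the earliest anchor that is actually present.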



[Puppet Users] Re: Managing mounted NFS shares, when having no write permission on that share

2018-08-20 Thread Sean

Another alternative might be to avoid specifying the user/group/mode 
attributes for the File resource.  This would assume that you can be 
confident that the agent is running as root and the system has a sufficient 
umask setting.  If that's the case, these resource attributes can be left 
out and puppet shouldn't complain about them on subsequent runs...

file { '/data/app':
  ensure => directory,
}

mount { '/data/app':
  ensure  => mounted,
  device  => 'nfs_server:/app',
  dump    => 0,
  fstype  => 'nfs',
  target  => '/etc/fstab',
  require => File['/data/app'],
}



On Friday, August 17, 2018 at 5:03:02 PM UTC-4, Mike Langhorst wrote:
>
> I'm having some issues with managing a mount point for an NFS server.  
> Specifically when the client system has no root write privileges to that 
> NFS share.
>
> I need to mount a NetApp NFS/Cifs share to a filesystem location 
> /data/app.   So I'll need to manage the file resource /data/app, and as 
> typical the owner and mode.
>
> file { '/data/app':
>   ensure => directory,
>   owner  => root,
>   group  => root,
>   mode   => '0755',
> }
>
> mount { '/data/app':
>   ensure  => mounted,
>   device  => 'nfs_server:/app',
>   dump    => 0,
>   fstype  => 'nfs',
>   target  => '/etc/fstab',
>   require => File['/data/app'],
> }
>
>
> So when I mount this nfs to /data/app,  that share and its contents are 
> nfsnobody, or some other high numbered uid,  with varying permissions, 
> sometimes 777.  The NetApp may show 777, but it's applying other ACLs due 
> to the CIFS share.  For the different shares I've had to mount, that uid 
> and permissions have been different so I couldn't do something like 
> updating the module/hiera data to match after the fact as I still wouldn't 
> want that underlying directory /data/app to be 777.
>
> I don't see anything in the file resource spec to allow for an "onlyif" or 
> such.
>
> Any ideas on how to manage this?
>



Re: [Puppet Users] Managing mounted NFS shares, when having no write permission on that share

2018-08-20 Thread Francesco Duranti
You're not doing anything wrong.
The NFS directory has its own ownership and permissions, and by default it's 
root:root 777 on NetApp storage.
You see them as nfsnobody because you did not export with "root" permission.

In your example this is what happens:
- First run
  - Directory /data/app created with root:root 0755 permission
  - nfs_server:/app mounted over /data/app (now it has 777 permission and 
    nfsnobody because you mounted a different directory and the permissions 
    are the ones on the NFS volume/directory).
- Second run
  - Puppet will try to change /data/app to root:root 0755 (it will change the 
    permission on the NetApp volume/directory in this case). Not sure if this 
    works or you should set the export permission for the root user in the 
    export configuration on the NetApp.

What you can do to make it work in just one run is to create the directory with 
an exec resource and put the file resource after the mount… something like this:

# exec needs a search path (or a fully qualified command) to find mkdir
exec { 'mkdir -p /data/app':
  path    => ['/bin', '/usr/bin'],
  creates => '/data/app',
}

mount { '/data/app':
  ensure => mounted,
  device => 'nfs_server:/app',
  dump   => 0,
  fstype => 'nfs',
  target => '/etc/fstab',
  notify => File['/data/app'],
}

file { '/data/app':
  ensure => directory,
  owner  => root,
  group  => root,
  mode   => '0755',
}

From: puppet-users@googlegroups.com On behalf of Mike Langhorst
Sent: Friday, August 17, 2018 23:51
To: Puppet Users
Subject: Re: [Puppet Users] Managing mounted NFS shares, when having no write 
permission on that share

It's v3.

Maybe I'm doing something wrong.

The file { '/data/app'  resource and the nfs share are the same location, so 
when it comes back on subsequent runs, it now sees that file /data/app is no 
longer owned as root and has 777 perms rather than 755


On Friday, August 17, 2018 at 2:30:55 PM UTC-7, Arnau wrote:
Hi,

Are you sure you are mounting nfs v3 and not 4?
Puppet does nothing with the content of the mount so it has to be some 
(missing/wrong) mount option.

HTH,
Arnau

On Fri, Aug 17, 2018, 23:03, Mike Langhorst wrote:
I'm having some issues with managing a mount point for an NFS server.  
Specifically when the client system has no root write privileges to that NFS 
share.

I need to mount a NetApp NFS/Cifs share to a filesystem location /data/app.   
So I'll need to manage the file resource /data/app, and as typical the owner 
and mode.

file { '/data/app':
  ensure => directory,
  owner  => root,
  group  => root,
  mode   => '0755',
}

mount { '/data/app':
  ensure  => mounted,
  device  => 'nfs_server:/app',
  dump    => 0,
  fstype  => 'nfs',
  target  => '/etc/fstab',
  require => File['/data/app'],
}


So when I mount this nfs to /data/app,  that share and its contents are 
nfsnobody, or some other high numbered uid,  with varying permissions, 
sometimes 777.  The NetApp may show 777, but it's applying other ACLs due to 
the CIFS share.  For the different shares I've had to mount, that uid and 
permissions have been different so I couldn't do something like updating the 
module/hiera data to match after the fact as I still wouldn't want that 
underlying directory /data/app to be 777.

I don't see anything in the file resource spec to allow for an "onlyif" or such.

Any ideas on how to manage this?




[Puppet Users] puppetdb - WITH inactive_nodes AS (SELECT certname

2018-08-20 Thread Steve Traylen


Hi,

We recently upgraded to puppetdb 4.4.

There is a query that takes a while to run, 3 or 4 minutes, though we are 
unsure of why it is even running.

The query below looks related to some kind of clean up or garbage 
collection however this particular puppetdb node has two relevant 
properties:

* gc-interval is set to 0 and indeed there are no gc events in the logs.
* This particular node only receives /pdb/query requests and no /pdb/cmd 
requests. We have always and still do dedicate nodes to command and query 
traffic by redirection at haproxy level.

What is the action that triggers the query below?

WITH inactive_nodes AS (SELECT certname FROM certnames WHERE (deactivated 
IS NOT NULL OR expired IS NOT NULL)) SELECT fs.certname AS certname, 
fp.name AS name, f.value AS value FROM factsets fs INNER JOIN facts f ON 
fs.id = f.factset_id INNER JOIN fact_paths fp ON f.fact_path_id = fp.id 
INNER JOIN value_types vt ON vt.id = f.value_type_id LEFT JOIN 
environments env ON fs.environment_id = env.id WHERE (fp.depth = 0 AND 
(fs.certname) in ( (SELECT fs.certname AS certname FROM factsets fs 
INNER JOIN facts f ON fs.id = f.factset_id INNER JOIN fact_paths fp ON 
f.fact_path_id = fp.id INNER JOIN value_types vt ON f.value_type_id = vt.id 
LEFT JOIN environments env ON fs.environment_id = env.id WHERE (vt.id <> 5 
AND ((fp.path = $1) AND (f.value_string = $2 ) ) AND ((fs.certname) in 
( (SELECT fs.certname AS certname FROM factsets fs INNER JOIN facts f ON 
fs.id = f.factset_id INNER JOIN fact_paths fp ON f.fact_path_id = fp.id 
INNER JOIN value_types vt ON f.value_type_id = vt.id LEFT JOIN environments 
env ON fs.environment_id = env.id WHERE (vt.id <> 5 AND ((fp.path = $3) AND 
(f.value_string = $4 ) )) AND ((fp.name = $5) OR (fp.name = $6))) AND 
NOT ((fs.certname) in ( (SELECT inactive_nodes.certname AS certname FROM 
inactive_nodes) ) )))

Steve Traylen.
