[Puppet Users] Augeas: Duplicate sysctl setting

2014-01-06 Thread bruce bushby
Hello

I have an issue with duplicate Augeas settings and am hoping to bounce the
issue off the community for some ideas.

I like to pre-deploy my servers regardless of what application they will
run, and I typically have them sitting in
(/etc/puppet/manifest/classes/-linux-server) where they remain until
they are moved into an application class, which then adds additional
modules.

My base setup does not allow ip_forwarding:
[root@puppetdev-stc development]# grep net.ipv4.ip_forward defaults/manifests/config.pp
sysctl { 'net.ipv4.ip_forward': value => '0', comment => 'this is a comment' }
[root@puppetdev-stc development]#

However, I have an application that does require ip_forwarding, and
when I add the application layer I get a conflict:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER:
Duplicate declaration: Sysctl[net.ipv4.ip_forward] is already declared in
file /etc/puppet/modules/development/defaults/manifests/config.pp:4; cannot
redeclare at /etc/puppet/modules/development/wombat/manifests/config.pp:5
on node puppet-client..xxx.xx


How can I force puppet to simply execute the sysctl settings in order (I
use requires to control module order), meaning the last setting will
become the valid setting?


Thanks
Bruce

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAHvj1qaRySdJudgCHFVe2Y%3DGrJu0F-0B5QbnwWce8gM2Ve3iwA%40mail.gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.
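
An added example (not code from the post above) of the approach Puppet expects instead of "last declaration wins": declare Sysctl['net.ipv4.ip_forward'] exactly once, in a parameterised base class, and let the application role supply the value. The resource title and the sysctl type's value/comment parameters are taken from the post's config.pp; the class and role names (base::sysctl, role::wombat, role::plain_server), the node names and the Hiera key are assumptions.

```puppet
# Added example, not the poster's code. Assumes a sysctl type with 'value'
# and 'comment' parameters, as in the poster's config.pp.
#
# A catalog is a set of resources, not a script: a title can appear once,
# so there is no "last setting wins". Declare the resource once and make
# the value the variable part.

class base::sysctl (
  # Hardened default: no forwarding. Only roles that route override this.
  $ip_forward = '0',
) {
  sysctl { 'net.ipv4.ip_forward':
    value   => $ip_forward,
    comment => 'managed by base::sysctl; 1 only on roles that route',
  }
}

# A role that needs forwarding passes the value in instead of redeclaring
# the resource. A resource-like class declaration must be the first
# declaration of base::sysctl in the catalog; if other classes already
# 'include base::sysctl', put the override in Hiera instead (Puppet 3
# data bindings), e.g. in the role's data file:
#   base::sysctl::ip_forward: '1'
class role::wombat {
  class { 'base::sysctl':
    ip_forward => '1',
  }
}

# Every other role keeps the hardened default.
class role::plain_server {
  include base::sysctl
}

# site.pp: one role per node, so base::sysctl is declared exactly once.
node 'wombat01.example.com' { include role::wombat }
node default                { include role::plain_server }
```

Guarding the second declaration with `if !defined(Sysctl['net.ipv4.ip_forward'])` is not an alternative: it depends on evaluation order and silently keeps whichever declaration the parser met first, which for a hardening default is the wrong way round.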


[Puppet Users] Puppet 3.3.0 Certificate Issue

2013-09-19 Thread Bruce Bushby
Hi

I've been struggling with Puppet 3.3.0 in what appears to be a bug, so I'm 
hoping this post invites some assistance.

My setup is 100% stock-standard default, with the exception of a single 
DNS entry (CNAME) of puppet which points to my master adm6.

I've been running puppet 2.7.23 without any problems and decided to 
upgrade to the latest version. In order to test 3.3.0, I installed two new 
RHEL 6.4 boxes, added the puppetlabs-products repository and installed the 
latest puppet (3.3.0).

Everything appears to work ... until I sign a test client's key. 
Immediately after signing a client key, the puppetmaster (adm6.xx.xx.xx) 
decided that I need to clean its OWN client key.

[root@puppetmaster ~]# puppet ca list --all
+ adm6.xxx.xxx.xxx   (SHA256) 
9B:71:FB:A4:C2:06:F2:83:3E:40:55:CF:41:39:91:4F:F7:5C:45:8D:79:8E:D3:68:63:FD:B0:14:A6:AC:FE:59
  bbushby-linux.xxx.xxx.xxx  (SHA256) 
FF:11:53:FE:3C:85:75:33:2E:C0:8A:A1:00:BD:23:96:62:73:64:1F:8B:C8:5C:7D:65:7D:04:7F:8F:89:89:13
[root@puppetmaster ~]# 

[root@puppetmaster ~]# puppet cert list 
  bbushby-linux.xxx.xxx.xxx (SHA256) 
FF:11:53:FE:3C:85:75:33:2E:C0:8A:A1:00:BD:23:96:62:73:64:1F:8B:C8:5C:7D:65:7D:04:7F:8F:89:89:13
[root@puppetmaster ~]# 

[root@puppetmaster ~]# puppet cert sign bbushby-linux.xxx.xxx.xxx
Notice: Signed certificate request for bbushby-linux.xxx.xxx.xxx
Notice: Removing file Puppet::SSL::CertificateRequest 
bbushby-linux.xxx.xxx.xxx at 
'/var/lib/puppet/ssl/ca/requests/bbushby-linux.xxx.xxx.xxx.pem'
[root@puppetmaster ~]# 

[root@puppetmaster ~]# puppet cert list -all
+ adm6.xxx.xxx.xxx  (SHA256) 
9B:71:FB:A4:C2:06:F2:83:3E:40:55:CF:41:39:91:4F:F7:5C:45:8D:79:8E:D3:68:63:FD:B0:14:A6:AC:FE:59
 
(alt names: DNS:xxx.xxx.xxx.xxx, DNS:puppet, DNS:puppet.xxx.xxx.xxx)
+ bbushby-linux.xxx.xxx.xxx (SHA256) 
B5:B7:2D:44:52:07:CA:DC:5C:99:3A:AC:24:29:85:A6:88:E9:0C:3B:54:30:71:4D:D0:FC:DC:3A:D5:E8:E2:52
[root@puppetmaster ~]# 

[root@puppetmaster ~]# puppet ca list --all
Error: The certificate retrieved from the master does not match the agent's 
private key.
Certificate fingerprint: 
B5:B7:2D:44:52:07:CA:DC:5C:99:3A:AC:24:29:85:A6:88:E9:0C:3B:54:30:71:4D:D0:FC:DC:3A:D5:E8:E2:52
To fix this, remove the certificate from both the master and the agent and 
then start a puppet run, which will automatically regenerate a certficate.
On the master:
  puppet cert clean adm6.xxx.xxx.xxx
On the agent:
  rm -f /var/lib/puppet/ssl/certs/adm6.xxx.xxx.xxx.pem
  puppet agent -t

Error: Try 'puppet help ca list' for usage
[root@puppetmaster ~]# 


I have tried so many different setups, fresh OS installs ... all of it, and 
I am unable to sign a key and then run puppet ca list --all.


Anybody else have this issue?

Both my machines are RHEL 6.4
Both have ntp and correct UTC time
Both have exact same versions of rpms (puppetmaster has an extra rpm 
puppet-server)

I then dropped my puppet and puppet-server versions down to 3.2.4: same 
problem (now I'm wondering if it is a bug, since it's happening across 
versions).


These people appear to experience similar problems:
http://www.mail-archive.com/puppet-bugs@googlegroups.com/msg46757.html 
http://projects.puppetlabs.com/issues/19680 
http://comments.gmane.org/gmane.comp.sysutils.puppet.user/46356 
http://thr3ads.net/puppet-users/2012/12/2238067-puppet-ca-list-all-ERROR 
http://thr3ads.net/puppet-users/2007/10/186450-puppetca-is-unable-to-sign-certificate



Any ideas? 

Thanks
Bruce





[Puppet Users] escaping the @ symbol

2012-04-02 Thread bruce bushby
Hi

I've been writing a little module to handle some grub settings on RHEL
6 and appear to have run into a silly little problem that I just
can't fix.

I've been trying to append the string crashkernel=128M@16M to the kernel
line in my grub.conf. The following module works 100% if I leave out
the @ symbol. Any ideas how I can escape the @?

I know I can use crashkernel=auto, but I would like to know how
to insert any string I choose, even an @.

Thanks

init.pp:

class grub {
  include grub::grub

  grub::set {
    'timeout': value => 10;
  }
  grub::insert {
    '/files/boot/grub/grub.conf/title/kernel/ro': value => 'crashkernel=128M@16M';
  }
}


grub.pp:

class grub::grub {

  # set KEY to VALUE under the grub.conf tree, only if it differs
  define set ( $value ) {
    $key     = $name
    $context = '/files/boot/grub/grub.conf'
    augeas { "grub_conf/${key}":
      context => $context,
      onlyif  => "get ${key} != '${value}'",
      changes => "set ${key} '${value}'",
      incl    => '/boot/grub/grub.conf',
      lens    => 'grub.lns',
    }
  }

  # insert a new node labelled VALUE after the node at KEY
  define insert ( $value ) {
    $key     = $name
    $context = '/files/boot/grub/grub.conf'
    augeas { "grub_conf/${key}":
      context => $context,
      changes => "insert '${value}' after '${key}'",
      incl    => '/boot/grub/grub.conf',
      lens    => 'grub.lns',
    }
  }

  file { 'grub_conf':
    name => $operatingsystem ? {
      default => '/boot/grub/grub.conf',
    },
  }

}

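
An added example, not code from the post, of a different way to get crashkernel=128M@16M onto the kernel line. It relies on how the Augeas Grub lens lays out the tree: each key=value argument on a kernel line becomes a child node named after the key (kernel/crashkernel with value 128M@16M) and a bare flag such as ro becomes an empty child (kernel/ro). With that layout the argument is written with set, so no node label has to be built from a string containing = or @, and a Puppet single-quoted string needs no escaping for @. The title[1] index (first boot entry only) and the class name grub::crashkernel are assumptions.

```puppet
# Added example, not the poster's module. Assumes the Augeas Grub lens
# represents the first boot entry's kernel line as
#   /files/boot/grub/grub.conf/title[1]/kernel             = /vmlinuz-...
#   /files/boot/grub/grub.conf/title[1]/kernel/ro
#   /files/boot/grub/grub.conf/title[1]/kernel/crashkernel = 128M@16M
# i.e. a key=value argument is a child node, not a label containing '='.

class grub::crashkernel (
  $reservation = '128M@16M',   # the string from the post; '@' needs no escaping
) {
  $kernel = '/files/boot/grub/grub.conf/title[1]/kernel'

  augeas { 'grub_crashkernel':
    incl    => '/boot/grub/grub.conf',
    lens    => 'Grub.lns',
    context => $kernel,
    # 'set' creates a missing child, so one resource covers both
    # "argument absent" and "argument present with another value".
    changes => "set crashkernel '${reservation}'",
    onlyif  => "get crashkernel != '${reservation}'",
  }
}
```

title[1] touches only the first entry; to cover every entry apply the same set per title node (or use Augeas' setm). The resulting tree can be inspected on the box with augtool print /files/boot/grub/grub.conf/title[1]/kernel.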



[Puppet Users] Re: Puppet module layout

2011-06-23 Thread Bruce Bushby
Thanks Nigel, appreciate the heads up!

I'm finding that puppet modules are great when you want a module for
ssh or a module for sudoers ... but I can't find an example where
there is a module called os which contains ssh.pp,
prod_sudoers.pp, dev_sudoers.pp, userauth.pp,
iptables.pp etc.

Then /etc/puppet/manifest/site.pp would include the module os

and then /etc/puppet/modules/os/manifest/init.pp would include the
various pp components for various host lists.

Is this even possible?




On Jun 20, 5:50 pm, Nigel Kersten ni...@puppetlabs.com wrote:
 On Sat, Jun 18, 2011 at 1:29 AM, Bruce Bushby bruce.bus...@gmail.com wrote:

  Hello

  I'm new to large scale puppet deployment and was hoping the list could
  offer some pointers on module layout

  My initial layout was motivated by a need to harden our Linux
  systems. I grouped the various hardening configs into:

  Kernel
  OS
  Network
  Shell
  Files
  Application

  I'm hoping I can create the same module structure within puppet.

 In my experience, these module categories are too broad and it will make
 maintenance difficult.

 You don't want to get too fine-grained with your modules, but if you keep
 things this broad, you'll end up having lots of complicated relationships
 like Class[os::foo] -> Class[files::foo]

 I made this mistake on a large deployment and regretted it.




[Puppet Users] Re: Puppet module layout

2011-06-20 Thread Bruce Bushby
One last question:

Would the list suggest implementing augeas where possible? And would
augeas fit into the module layout?

Thanks
Bruce




On Jun 18, 9:29 am, Bruce Bushby bruce.bus...@gmail.com wrote:
 Hello

 I'm new to large scale puppet deployment and was hoping the list could
 offer some pointers on module layout

 My initial layout was motivated by a need to harden our Linux
 systems. I grouped the various hardening configs into:

 Kernel
 OS
 Network
 Shell
 Files
 Application

 I'm hoping I can create the same module structure within puppet.

 Using sudo as the first example, I want puppet to ensure /usr/bin/sudo
 has 4111 file perms and root:root ownership.

 Directory layout:
 I used this handy script from 
 ProfFalken http://www.threedrunkensysadsonthe.net/2010/04/quick-creation-of-pupp...

 BUT...this is where things are getting a little grey.  I currently
 have:

 [root@laptop manifests]# pwd
 /etc/puppet/manifests
 [root@laptop manifests]#
 [root@laptop manifests]# tree os
 os
 |-- files
 |-- lib
 |   |-- facter
 |   `-- puppet
 |       |-- parser
 |       |-- provider
 |       `-- type
 |-- manifests
 |   |-- init.pp
 |   `-- sudo.pp
 `-- templates

 9 directories, 2 files
 [root@laptop manifests]#
 [root@laptop manifests]# cat os/manifests/sudo.pp
 # /etc/puppet/manifests/classes/sudo.pp

 class sudo {
   file { '/etc/sudoers':
     owner => 'root',
     group => 'root',
     mode  => '4111',
   }
 }

 [root@laptop manifests]#

 Am I on the correct track?

 I'm guessing I should break the classes down into:
 sudo::perms
 sudo::ownership
 sudo::file (have puppet serve the sudo template)

 then in os/manifests/site.pp . would I import sudo?

 and the second question: How would I create hosts groups? I would like
 to group my hosts in dev, uat, staging and prod etc?

 Thanks
 Bruce




[Puppet Users] Re: Puppet module layout

2011-06-20 Thread Bruce Bushby
Thanks Ken. I think I'm getting it... slowly :)

 ...Start  developing _something_ and see how your organisation works for 
 you..
Right, I've started with the most basic setup to test CA keys by
simply implementing file perms for /etc/sudoers.

I think my initial confusion was that I didn't realize that when
deploying modules ... you still need a /etc/puppet/manifest/site.pp etc.

 How do you identify these hosts now?
Some of the prod systems have prod in their hostname, but there
are a lot that don't conform. Thanks for the examples for grouping;
I will give them a go.


Getting back to my ultra simple setup, I'm finding that I can't run
puppetd --test:
[root@msukpuppet02 puppet]# puppetd --test
err: Could not retrieve catalog from remote server: SSL_connect
returned=1 errno=0 state=SSLv3 read server certificate B: certificate
verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
[root@msukpuppet02 puppet]#


HOWEVER...this works perfectly:

[root@msukpuppet02 puppet]# puppetd --test --server=msukpuppet01.mserv.local
info: Caching catalog for msukpuppet02.mserv.local
info: Applying configuration version '1308583986'
notice: Finished catalog run in 0.02 seconds
[root@msukpuppet02 puppet]#



My puppet config file sits in /etc/sysconfig/puppet


[root@msukpuppet02 puppet]# cat /etc/sysconfig/puppet
# The puppetmaster server
PUPPET_SERVER=msukpuppet01.mserv.local

# If you wish to specify the port to connect to do so here
PUPPET_PORT=8140

# Where to log to. Specify syslog to send log messages to the system
log.
PUPPET_LOG=/var/log/puppet/puppet.log

# You may specify other parameters to the puppet client here
PUPPET_EXTRA_OPTS=--waitforcert=500
[root@msukpuppet02 puppet]#


I have checked that both systems' time is correct and both systems
resolve in DNS correctly for both A and PTR records.
I'm using RHEL 6.1 (puppet-0.25.5-1.el6.noarch)


Thanks again for the help
Bruce




 On Jun 20, 1:12 pm, Ken Barber k...@puppetlabs.com wrote:
  Augeas is a resource - I don't see how it fits in as a module. You may
  _use_ it in your modules if you like.

 On Mon, Jun 20, 2011 at 12:09 PM, Bruce Bushby bruce.bus...@gmail.com wrote:
  One last question:

  Would the list suggest implementing augeas where possible? and would
  augeas fit into the module layout

  Thanks
  Bruce




[Puppet Users] Re: Puppet module layout

2011-06-20 Thread Bruce Bushby

Thanks again Ken!!

I found it, /etc/puppet/puppet.conf requires:
server = server_name

and then:
puppetd --test
works without having to specify the server name... doh, I should
have checked that this morning!

At last I can start testing a module layout and augeas :)) I'll be
sure to post the results in case others have a similar question.

Bruce




On Jun 20, 7:30 pm, Ken Barber k...@puppetlabs.com wrote:
  Getting back to my ultra simple setup, I'm finding that I can't run
  puppetd --test:
  [root@msukpuppet02 puppet]# puppetd --test
  err: Could not retrieve catalog from remote server: SSL_connect
  returned=1 errno=0 state=SSLv3 read server certificate B: certificate
  verify failed
  warning: Not using cache on failed catalog
  err: Could not retrieve catalog; skipping run
  [root@msukpuppet02 puppet]#

  HOWEVER...this works perfectly:

  [root@msukpuppet02 puppet]# puppetd --test --server=msukpuppet01.mserv.local
  info: Caching catalog for msukpuppet02.mserv.local
  info: Applying configuration version '1308583986'
  notice: Finished catalog run in 0.02 seconds
  [root@msukpuppet02 puppet]#

  My puppet config file sits in /etc/sysconfig/puppet

 Well, that's the RedHat-specific environment file. Your configuration
 file for puppet (at least the one we usually refer to) is usually
 /etc/puppet/puppet.conf ;-).

 Anyway - the error you are getting is an SSL certificate security
 issue. When you run:

 puppet agent --test

 It's looking for the hostname 'puppet' and trying to connect to it. Now
 if the server side certificate doesn't have the alias 'puppet' in the
 CN field it's going to get rejected by the client. Think web server
 certificates in your browser ... except instead of giving you a
 warning you can push through ... we reject the connection.

 This is why using the alternate hostname works:

 puppet agent --test --server=msukpuppet01.mserv.local

 The hostname matches the CN field in the certificate this time :-).

 So you have a few choices here. You can update the
 /etc/puppet/puppet.conf on your clients with the setting:

 [agent]
 server=msukpuppet01.mserv.local

 That way it will just use that each time you do a 'puppet agent -t'.

 Or, you can regenerate your server certificate to have a number of
 aliases: puppet, msukpuppet01.mserv.local, puppet.mserv.local etc. I
 can explain this but ... what version of Puppet are you running btw? I
 get the impression its an old one. I would recommend upgrading to 2.6
 before you proceed too far :-). If you already run 2.6 let me know
 :-).

 ken.

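
Ken's two options, written out as puppet.conf fragments. This is an added example, not from the thread: the master's hostname is the one in the post, the list of alternative names is assumed, and dns_alt_names is the Puppet 2.7+ name of the setting (earlier releases used certdnsnames).

```ini
# /etc/puppet/puppet.conf on each agent (option 1): name the master
# explicitly, so the agent no longer looks for a host called "puppet"
# and the certificate name check passes against the master's real CN.
[agent]
server = msukpuppet01.mserv.local

# /etc/puppet/puppet.conf on the master (option 2): issue the master's
# own certificate with every name agents may use, so "puppet" works too.
# The alt names go into the certificate when it is generated, so this
# must be set before the first puppetmaster start, or the existing master
# certificate has to be cleaned and regenerated afterwards.
[master]
certname      = msukpuppet01.mserv.local
dns_alt_names = msukpuppet01.mserv.local,msukpuppet01,puppet.mserv.local,puppet
```

Either way, the "certificate verify failed" error is the agent refusing a master whose certificate does not carry the name it was asked for. The fix is to make the names agree, not to weaken the check: that check is what stops any host able to answer to the name "puppet" from handing out catalogs.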



[Puppet Users] Puppet module layout

2011-06-18 Thread Bruce Bushby
Hello

I'm new to large scale puppet deployment and was hoping the list could
offer some pointers on module layout

My initial layout was motivated by a need to harden our Linux
systems. I grouped the various hardening configs into:

Kernel
OS
Network
Shell
Files
Application

I'm hoping I can create the same module structure within puppet.

Using sudo as the first example, I want puppet to ensure /usr/bin/sudo
has 4111 file perms and root:root ownership.

Directory layout:
I used this handy script from ProfFalken
http://www.threedrunkensysadsonthe.net/2010/04/quick-creation-of-puppet-modules/

BUT...this is where things are getting a little grey.  I currently
have:

[root@laptop manifests]# pwd
/etc/puppet/manifests
[root@laptop manifests]#
[root@laptop manifests]# tree os
os
|-- files
|-- lib
|   |-- facter
|   `-- puppet
|   |-- parser
|   |-- provider
|   `-- type
|-- manifests
|   |-- init.pp
|   `-- sudo.pp
`-- templates

9 directories, 2 files
[root@laptop manifests]#
[root@laptop manifests]# cat os/manifests/sudo.pp
# /etc/puppet/manifests/classes/sudo.pp

class sudo {
  file { '/etc/sudoers':
    owner => 'root',
    group => 'root',
    mode  => '4111',
  }
}
[root@laptop manifests]#

Am I on the correct track?

I'm guessing I should break the classes down into:
sudo::perms
sudo::ownership
sudo::file (have puppet serve the sudo template)

then in os/manifests/site.pp . would I import sudo?


and the second question: How would I create hosts groups? I would like
to group my hosts in dev, uat, staging and prod etc?


Thanks
Bruce

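
The per-service module layout that Nigel and Ken argue for in the replies above, with the sudo hardening from this post as its content, as an added example that is not code from the thread. The module and class names, file paths and the policy-file naming (sudoers.dev, sudoers.prod) are assumptions; it uses class parameters rather than the dynamically scoped variables that were common in 2011.

```puppet
# Added example, not from the thread. One module per service ("sudo"),
# split into small classes, rather than one broad "os" module holding
# ssh.pp, sudoers.pp, iptables.pp and so on. Paths and names are assumed.

# modules/sudo/manifests/init.pp
# Entry point: the only class a node or role needs to declare.
class sudo (
  $policy = 'default',   # which sudoers file to ship (dev, prod, ...)
) {
  class { 'sudo::binary': }
  class { 'sudo::config': policy => $policy }
  Class['sudo::binary'] -> Class['sudo::config']
}

# modules/sudo/manifests/binary.pp
# The setuid bit belongs on the executable: sudo needs it to change uid.
class sudo::binary {
  package { 'sudo': ensure => installed }

  file { '/usr/bin/sudo':
    owner   => 'root',
    group   => 'root',
    mode    => '4111',
    require => Package['sudo'],
  }
}

# modules/sudo/manifests/config.pp
# The policy file must never be setuid and should not be world-readable;
# sudo checks the ownership and mode of sudoers before trusting it.
class sudo::config (
  $policy,
) {
  file { '/etc/sudoers':
    owner  => 'root',
    group  => 'root',
    mode   => '0440',
    # modules/sudo/files/sudoers.default, sudoers.dev, sudoers.prod (assumed)
    source => "puppet:///modules/sudo/sudoers.${policy}",
  }
}

# manifests/site.pp
# Host groups as node definitions. Where hostnames do not encode the group
# (the poster's case), set the group from a custom fact or an external node
# classifier instead and select the policy from that.
node /^(dev|uat)-/     { class { 'sudo': policy => 'dev' } }
node /^(staging|prod)-/ { class { 'sudo': policy => 'prod' } }
node default            { include sudo }
```

Run visudo -c against each policy file before it goes into the module: a syntax error in sudoers locks everyone out of sudo on every host in the group, and later Puppet releases added a validate_cmd parameter on file for exactly this kind of pre-deployment check.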