Re: [Puppet Users] [EPP] Using tagged, defined, a better way to create variables, ... to verify if a class is included

2019-07-22 Thread Christopher Wood
Top post, I'm not skilled enough to read this hence not sure where I'd
interject. You may be better off using simpler constructs so that
people with a wider variety of skill levels in your organization can
contribute.

What problems are you encountering where describing state is not
sufficient to correctly configure a host?

We're using the roles/profiles model, with 1 role per host, and
multiple profiles in that role. Keeping the two-step approach helps us
assign roles more clearly. Also see:

https://www.craigdunn.org/2012/05/239/

https://puppet.com/docs/pe/2019.1/the_roles_and_profiles_method.html

The way this goes here is that in site.pp we have:

include role::${::role}

That variable $::role is set in the ENC:

https://puppet.com/docs/puppet/6.6/nodes_external.html

The role class is like:

class role::myrole {
  include profile::firstprofile
  include profile::moregenericprofile
}

The profile class is like:

class profile::firstprofile (
  String $requiredparam,
  String $optionalparam = 'default text',
) {
  class { 'myclass':
    attribute => $requiredparam,
  }
  # etc.
}

This way people can figure out what classes go where, and which hiera
keys interpolate into which configs, without reading the catalog or
unfolding logic in their heads.

On Mon, 2019-07-22 at 11:45 +, Helmut Schneider wrote:
> Hi,
> 
> I hope I can describe the challenge.
> 
> /etc/puppetlabs/code/environments/production/manifests/nodes.pp:
> node default {
>   include common
> }
> 
> /etc/puppetlabs/code/modules/common/manifests/init.pp:
> class common inherits config {
>   include $classes
> [...]
> 
> /etc/puppetlabs/code/modules/config/manifests/init.pp:
> class config {
>   $classes = lookup({
>     "name" => "classes",
>     "merge" => {
>       "strategy" => "deep",
>       "knockout_prefix" => "--",
>     },
>     "default_value" => [],
>   })
> 
> /etc/puppetlabs/code/modules/bacula/templates/etc/bacula/fileset-exclude.epp
> <%- | Hash $packages,
>   Array $classes
> > -%>
> <% if !empty(grep($packages['install'], "amavis")) or
> !empty(grep($classes, "amavis")) { -%>
> 
> 
> 
> But I'm also using roles:
> 
> /etc/puppetlabs/code/environments/production/hieradata/nodes/node.yaml
> roles:
>   mailserver:
>     - amavisd
>   vpn:
>     - openvpn
>   webserver:
>     - apache
> 
> /etc/puppetlabs/code/environments/production/hieradata/roles.yaml:
> role_details:
>   mailserver:
>     amavisd:
>       classes:
>         - amavisd
>         - clamav
>         - spamassassin
> 
> To include all role classes I do:
> 
> /etc/puppetlabs/code/modules/common/manifests/init.pp:
> class common inherits config {
>   include $classes
> 
>   if ($roles) {
>     $roles.dig.keys.each |String $role| {
>       $roles[$role].each |String $application| {
>         $roleClasses = lookup({"name" => "role_details.${role}.${application}.classes",
>           "merge" => "deep", "default_value" => undef})
>         if ($roleClasses) {
>           include $roleClasses
>         }
>       }
>     }
>   }
> 
> As I did not find a way put all role-classes to a single variable
> (e.g.$roleClasses) I tried to do this in the epp:
> 
> <%= tagged("amavisd") %>
> 
> It resolves to false. Always.
> 
> Does anyone see a way to put all roleClasses into a single variable or
> make "tagged" work in the epp or any other way to solve this? I know
> the concept of Puppet but there are sometimes challenges where just
> describing a state is not sufficient. :)
> 
> [helmut@BSDHelmut ~]$ puppet -V
> 5.5.14
> [helmut@BSDHelmut ~]$
> 
> Thank you!
> 

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/2bde02fcb3cdb5167d28f492cc0b43b446557fd0.camel%40pobox.com.


[Puppet Users] JRuby-OpenSSL will parse incorrect labels unlike OpenSSL for Ruby

2019-05-27 Thread Christopher Wood
(It's a tiny tiny edge case, just making sure this is in the mailing
list archives here too.)

https://github.com/jruby/jruby/issues/5746

In short, JRuby-OpenSSL (actually using Bouncy Castle) will parse certs
ending in both ways noted in the diff below, whereas actual OpenSSL
won't.


$ diff test1a.pem test1b.pem 
20c20
< -END CERTIFICATE-
---
> -END CERTIFICATE

 If you were intending that certs validated using a ruby function on
the Puppetserver during catalog compilation would always be useful in
production, you may very intermittently be disappointed.


[root@puppetmaster2 ~]# openssl x509 -in /tmp/test1b.pem
unable to load certificate
139748268332944:error:0906D066:PEM routines:PEM_read_bio:bad end
line:pem_lib.c:815:


[root@puppetmaster2 ~]# /opt/puppetlabs/server/bin/puppetserver irb
irb(main):001:0> require 'openssl'
=> true
irb(main):002:0> c = File.read('/tmp/test1b.pem')
=> "-BEGIN CERTIFICATE-
\nMIIDVzCCAj+gAwIBAgIJAMXhmW2H4rU0MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNV\nBAY
TAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQg\nQ29tcGFu
eSBMdGQwHhcNMTkwNTI3MTUzMDU0WhcNMjAwNTI2MTUzMDU0WjBCMQsw\nCQYDVQQGEwJYW
DEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZh\ndWx0IENvbXBhbnkgTH
RkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\nwiiWr0JesxM4e0YVsWz0wAA
oYrw2TIaHwg0hZVeX6R1NOLfApeDAbLLsEzO2G9Tj\n6IuzxaMYzpRCJoSxe7iyttY9M6Z/
OmlidMeBscRrEgR0YfSUC5szl4zHs3o1eML2\nVAUYgmFu/nTrvPiznrIyLuPT/GrDKqZvK
yj9h4/YX6oE+DeXGbdJ2Z9o3dXxlSgJ\n8c6gqU+7IUkSO7CTpm4q3w/vHCFB+XfgJ6VJ3g
2sSlsWM/Pmax47g14I+UgsFMGj\nG0n4T6Nv6Kgen3GXUGfBoqtlBYpDQHcQljWXhuXQynn
zSwDBYJkychIhpnuxjtn4\nRZV1h5TrRqPDEuKC/zxKoQIDAQABo1AwTjAdBgNVHQ4EFgQU
DJdr9taJqUSJh0uX\n9oanZJlx5ewwHwYDVR0jBBgwFoAUDJdr9taJqUSJh0uX9oanZJlx5
ewwDAYDVR0T\nBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEARGsherQt9G7xaZ/EKCarZD
hOCVqV\nUXSZ4vkIEdPsNpvsPq07MPlMt9dePvcrtwlpy9JzxT3YSDOkJGIL71WrzRr4xCS
r\nJ9FqB64beHKjYgiZ1eJiLYveRBXBnDzpLfctjzT4r0xwnZjnFfbNHRnpO9tz4sc0\ne8
0j3yG1968u+8LhShd3Jl/3AY/g3+VgzGuAPgLYzAObHigWS8yME9HPBBHAIeKx\nkXwZ4hi
DaBh6q3UXD0IgSp3V7izQK3ScM2PDyrFDsLEg+R7YdnofWCbMiTc3uEVC\nq/+dXqnGIeBz
b4BrV0iYsbxCEdR6b9cF2ACoycFSs5nFLxz906yAvdeoFA==\n-END CERTIFICATE-
---\n"
irb(main):003:0> OpenSSL::X509::Certificate.new(c)
=> #

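
One way to close the gap described above, as an added example that is not part of the original post: check the PEM framing lines exactly (five hyphens on each side, as RFC 7468 specifies) before handing the text to `OpenSSL::X509::Certificate.new`, so a JRuby-based compile-time check rejects what native OpenSSL would reject. The function names and the malformed sample end lines are constructed for illustration.

```ruby
# Added example (not from the original post): reject PEM text whose framing
# lines are not exact before it reaches OpenSSL::X509::Certificate.new.

BEGIN_LINE = '-----BEGIN CERTIFICATE-----'
END_LINE   = '-----END CERTIFICATE-----'

# Returns a list of framing problems. An empty list means the text is a single
# certificate block with exact begin/end lines and a strict base64 body.
def pem_framing_problems(text)
  lines = text.to_s.lines.map(&:chomp)
  # Tolerate trailing blank lines only; anything else after END is a problem.
  lines.pop while !lines.empty? && lines.last.strip.empty?
  return ['empty input'] if lines.empty?

  problems = []
  problems << "bad begin line: #{lines.first.inspect}" unless lines.first == BEGIN_LINE
  problems << "bad end line: #{lines.last.inspect}" unless lines.last == END_LINE

  body = lines[1..-2] || []
  if body.empty?
    problems << 'no base64 body'
  else
    begin
      body.join.unpack1('m0') # strict decode, raises on stray characters
    rescue ArgumentError
      problems << 'body is not strict base64'
    end
  end
  problems
end

# Raising variant, for use inside a function called during catalog compilation.
# The caller passes the returned text on to OpenSSL::X509::Certificate.new.
def require_strict_pem!(text)
  problems = pem_framing_problems(text)
  raise ArgumentError, "refusing certificate: #{problems.join('; ')}" unless problems.empty?

  text
end

# Constructed samples: the body is base64 of a marker string, not a real certificate.
SAMPLE_BODY   = ['constructed sample body, not a real certificate'].pack('m0')
GOOD_PEM      = "#{BEGIN_LINE}\n#{SAMPLE_BODY}\n#{END_LINE}\n"
SHORT_END_PEM = "#{BEGIN_LINE}\n#{SAMPLE_BODY}\n#{END_LINE.chop}\n" # one hyphen short
NO_DASH_PEM   = "#{BEGIN_LINE}\n#{SAMPLE_BODY}\n-END CERTIFICATE\n"

if __FILE__ == $PROGRAM_NAME
  { 'good' => GOOD_PEM, 'short end' => SHORT_END_PEM, 'no dashes' => NO_DASH_PEM }.each do |name, pem|
    puts "#{name}: #{pem_framing_problems(pem).inspect}"
  end
end
```

The check only covers framing; the certificate content itself is still parsed and validated by OpenSSL afterwards.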


Re: [Puppet Users] Puppet environments and "avalability zones"

2019-05-10 Thread Christopher Wood
Not sure if you'd call it a "best" practice, but with a fairly standard
control repo(1) and r10k'ish environments you can:

 * branch
 * make your changes in the new branch/environment
 * move a few canary hosts into the new environment using your ENC(2),
   see how that goes
 * move a few more, see if you are comfortable with the change
 * repeat until you're comfortable
 * merge the control repo branch and move hosts into the live
   environment with your ENC

Another alternative, that I have never used, is to temporarily
configure your environment for slower agent run cycling, say hours
instead of 30 minutes, that would slow things right down.

Similarly to option one, you could do the change in two phases:

 * one change pushes up the code to make the change, but turned off
   behind a feature flag
 * another set of actions activates the change in different parts of
   your infrastructure (probably using some hiera key)

It's late and Friday, I'm probably out of ideas by now.


(1) https://github.com/puppetlabs/control-repo

(2) https://puppet.com/docs/puppet/5.5/nodes_external.html

On Tue, 2019-05-07 at 08:57 -0700, Iakov Gan wrote:
> Hi, 
> 
> I wonder are there any best practices for deployment of changes in a
> large puppet environment?
> 
> Once we change puppet code all changes are applied within 30 minutes
> on an environment of several thousand hosts across multiple
> geographical zones. An automation power in its scaring beauty.
> Surely it is tested in preproduction and dev envs before, but still,
> there is a risk when applying it on all zones almost the same time. 
> 
> What I look for is to deploy changes progressively per equivalent of
> Amazon's Availability Zone via a pipeline, in order to control the
> propagation of system changes.  Surely it will make a change slower
> but it is a price to pay. 
> 
> Any best practice about it? 
> 
> Best regards,
> Iakov 
> 
> 



Re: [Puppet Users] Include Hiera Classes

2018-08-07 Thread Christopher Wood
Do yourself a favour, define puppet classes and resources in puppet code. There 
are surprisingly few people who can look at puppet resources in yaml and 
conceptualize which portion is causing that odd ruby+yaml error.

This is a useful model for how to lay that out:

https://puppet.com/docs/pe/2018.1/the_roles_and_profiles_method.html

If you keep only the most significant items in hiera it will be much easier to 
read. Albeit that it's older documentation, this section has the best phrasing 
I've found for this so far:

https://puppet.com/docs/pe/2016.4/r_n_p_full_example.html#the-rules-for-profile-classes

Quoth:

* If your business will always use the same value for a given parameter, 
hardcode it.
* If you can’t hardcode it, try to compute it based on information you already 
have.
* Finally, if you can’t compute it, look it up in your data. To reduce lookups, 
identify cases where multiple parameters can be derived from the answer to a 
single question.


(But maybe not hard-hardcode it, put it in a puppet variable or something.)

On Mon, Aug 06, 2018 at 01:19:45PM +, Helmut Schneider wrote:
> Hi,
> 
> I want to include hiera classes.
> 
> ---
> roles::webserver::apache::classes:
>   - my_apache
> roles::backup::bacula::classes:
>   - bacula
> roles::timeserver::ntpd::classes:
>   - ntpd
> roles::databaseserver::mysql::classes:
>   - mysqld
> 
> I used to use the following (ugly) code in nodes.pp to do so:
> 
>   if ($roles) {
>     $roles.each |$category, $classes| {
>       if ($classes) and (category) {
>         $classes.each |$class| {
>           if ($class) {
>             hiera_include ("roles::${category}::${class}::classes", {})
>           }
>         }
>       }
>     }
>   }
> 
> Is there a better way e.g. using lookup?
> 
> Thank you!
> 



Re: [Puppet Users] Puppet server stopped working

2018-07-19 Thread Christopher Wood
If you're reaching expiry you might consider this thing, it worked for me to 
refresh the CA cert:

https://forge.puppet.com/puppetlabs/certregen

(NB, check all your puppetserver/puppetmaster hosts for stray puppet/ssl/ca 
directories, having extra ones around can cause a bit of pain. Make sure you 
only have a "ca" dir on your CA host before starting, test first, etc.)

On Thu, Jul 19, 2018 at 01:55:33PM -0400, Bret Wortman wrote:
>I did, by building a new server. That said, I'd try this advice before
>starting over:
>https://puppet.com/docs/puppet/5.5/ssl_regenerate_certificates.html
>For us it was also a change to move from a monolithic, everything on one
>server architecture to something a bit more distributed.
>On Thu, Jul 19, 2018 at 11:35 AM, Scott Hazelhurst
><scott.hazelhu...@gmail.com> wrote:
> 
>  Were you able to resolve this issue? I am now getting the same
>  problem
>  Thanks
>  Scott
> 



Re: [Puppet Users] undef / nil / empty in template

2018-07-13 Thread Christopher Wood
Nice catch, wouldn't have figured on that.

On Fri, Jul 13, 2018 at 05:17:05PM +, Helmut Schneider wrote:
> Christopher Wood wrote:
> 
> > On Fri, Jul 13, 2018 at 03:44:04PM +, Helmut Schneider wrote:
> > > Christopher Wood wrote:
> > > 
> > > > Have you considered switching to an EPP template? You can limit
> > > > the data passed in to only valid types (otherwise catalog
> > > > compilation failure), it's quite useful.
> > > 
> > > Not yet. And I'm not sure if that will help. In my case there are
> > > commands with and without parameters:
> > > 
> > > proto udp
> > > dev tun
> > > persist-tun
> > > nobind
> > 
> > This still sounds like a data validation item quite doable with types.
> > 
> >
> https://puppet.com/docs/puppet/5.5/lang_data_hash.html#the-hash-data-type
> > 
> > Hash[Enum['proto', 'dev'], String]
> > Hash[Enum['proto', 'dev'], Variant[String, Undef]]
> > 
> > > So even if I pass only specific ones I still have to check if there
> > > is a corresponding value for the key, otherwise
> > > 
> > > <%= key %> <%= value %>
> > > 
> > > will fail.
> > 
> > However the odd thing is that I am unable to reproduce what you are
> > seeing with a plain undef in a very simple case. The undef is not
> > stringified for me in puppet 5.4.0.
> 
> I changed the template to output value.class:
> 
> proto String
> dev String
> persist-tun Symbol
> nobind Symbol
> resolv-retry String
> comp-lzo String
> user String
> group String
> persist-key Symbol
> cert String
> key String
> ca String
> ns-cert-type String
> verb String
> log-append String
> script-security String
> plugin String
> up String
> down String
> 
> After further investigation this happened with deep_merge, because
> without:
> 
> proto String
> dev String
> persist-tun NilClass
> nobind NilClass
> resolv-retry String
> compress NilClass
> comp-lzo String
> user String
> group String
> persist-key NilClass
> cert String
> key String
> ca String
> ns-cert-type String
> verb String
> log-append String
> script-security String
> plugin NilClass
> up String
> down String
> 
> Without the deep_merge "if @openvpnConf[parameter]" works as expected.
> 
> helmut@h2786452:~$ puppet -V
> 4.10.12
> helmut@h2786452:~$
> 

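
What the quoted `value.class` output means for the template, as an added example that is not part of the thread: valueless keys arrive as `NilClass` without deep_merge and as `Symbol` with it, so a plain truthiness test passes for the Symbol and its text is printed. The sketch assumes the Symbol is `:undef` (consistent with the `undef` text rendered earlier in the thread); the template strings, function names and sample hash are constructed.

```ruby
require 'erb'

# Values that mean "directive without an argument". :undef is an assumption:
# it is the Symbol that would render as the text "undef" seen in the thread.
NO_VALUE = [nil, :undef, ''].freeze

def valueless?(value)
  NO_VALUE.include?(value)
end

# The naive form from the thread: prints whatever the value stringifies to.
NAIVE_TEMPLATE = <<~'TPL'
  <% conf.each do |key, value| -%>
  <%= key %> <%= value %>
  <% end -%>
TPL

# Guarded form: emit the argument only when there is one.
GUARDED_TEMPLATE = <<~'TPL'
  <% conf.each do |key, value| -%>
  <%= key %><%= valueless?(value) ? '' : " #{value}" %>
  <% end -%>
TPL

# Renders a template with `conf` visible as a local variable.
def render_conf(template, conf)
  ERB.new(template, trim_mode: '-').result(binding)
end

# Same debugging aid the thread used: which Ruby class does each value have?
def value_classes(conf)
  conf.transform_values { |v| v.class.name }
end

# Constructed sample mixing both representations of "no value".
SAMPLE_CONF = {
  'proto'       => 'udp',
  'dev'         => 'tun',
  'persist-tun' => :undef, # as seen after deep_merge (assumed Symbol value)
  'nobind'      => nil     # as seen without deep_merge
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts value_classes(SAMPLE_CONF).inspect
  puts '--- naive ---', render_conf(NAIVE_TEMPLATE, SAMPLE_CONF)
  puts '--- guarded ---', render_conf(GUARDED_TEMPLATE, SAMPLE_CONF)
end
```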


Re: [Puppet Users] undef / nil / empty in template

2018-07-13 Thread Christopher Wood
On Fri, Jul 13, 2018 at 03:44:04PM +, Helmut Schneider wrote:
> Christopher Wood wrote:
> 
> > Have you considered switching to an EPP template? You can limit the
> > data passed in to only valid types (otherwise catalog compilation
> > failure), it's quite useful.
> 
> Not yet. And I'm not sure if that will help. In my case there are
> commands with and without parameters:
> 
> proto udp
> dev tun
> persist-tun
> nobind

This still sounds like a data validation item quite doable with types.

https://puppet.com/docs/puppet/5.5/lang_data_hash.html#the-hash-data-type

Hash[Enum['proto', 'dev'], String]
Hash[Enum['proto', 'dev'], Variant[String, Undef]]

> So even if I pass only specific ones I still have to check if there is
> a corresponding value for the key, otherwise
> 
> <%= key %> <%= value %>
> 
> will fail.

However the odd thing is that I am unable to reproduce what you are seeing with 
a plain undef in a very simple case. The undef is not stringified for me in 
puppet 5.4.0.


$ cat /tmp/x.pp
$x = { 'a' => undef }
$c = template('/tmp/t.erb')
notice($c)
$ cat /tmp/t.erb 
a is <%= @x[0] %>
$ puppet apply /tmp/x.pp 
Notice: Scope(Class[main]): a is 

Notice: Compiled catalog for cwl in environment production in 0.03 seconds
Notice: Applied catalog in 0.16 seconds


Possibly is_a? might help in this case if you need the erb for flexibility. 
Very simplistically and untested:

<%= key %><%= if value.is_a? String then " = #{value}" end %>
<%= key %><%= if value.is_a? Array then " = #{value.sort.join(' ')}" end %>

Then if you see the undef appear in your output file you will know it exists in 
the yaml as one of these specific data types.



Re: [Puppet Users] undef / nil / empty in template

2018-07-13 Thread Christopher Wood
Have you considered switching to an EPP template? You can limit the data passed 
in to only valid types (otherwise catalog compilation failure), it's quite 
useful.

https://puppet.com/docs/puppet/5.5/lang_template_epp.html

In the example below, you might do something like:

$content = epp('modulename/template.epp', {
  'dev' => $openvpnConf['dev'],
})

file { '/path/to/file':
  content => $content,
}

With your template:

--
<% |
String $dev,
| -%>
### <%= $dev %> ###
--

If $dev inside the template ends up as anything but a string, splat goes your 
catalog with a helpful error message.


On Fri, Jul 13, 2018 at 02:37:08PM +, Helmut Schneider wrote:
> Hi,
> 
> openvpn.yaml:
> [...]
> profiles:
>   vpn:
>     openvpn:
>       defaults:
>         client:
>           dev:   'tun'
>           proto: 'udp'
>           resolv-retry:  'infinite'
>           nobind:
>           user:  'nobody'
>           group: 'nogroup'
>           persist-key:
>           persist-tun:
> 
> init.pp:
> [...]
> $openvpnConf = $profiles['vpn']['openvpn']['defaults']['client']
> [...]
> 
> In the template:
> 
> ### <%= @openvpnConf['dev'] %> ###
> ### <%= @openvpnConf['nobind'] %> ###
> 
> The result is
> 
> ### tun ###
> ### undef ###
> 
> but I would expect
> 
> ### tun ###
> ###  ###
> 
> The problem is that testing for defined?, .nil? and also != 'undef' all
> fail.
> 
> How can I test if a key has a value within the template?
> 
> Thank you!
> 



Re: [Puppet Users] Problems installing PuppetDB from source - the instructions don't actually work

2018-06-22 Thread Christopher Wood
On Thu, Jun 21, 2018 at 06:49:01PM -0700, Simon Tideswell wrote:
>Hello Rob
>No, I'm not trying to do anything fancy. I just wanted to use PuppetDB on
>a Ubuntu 18 server so that I can access the data with PuppetBoard. I can

I've had a good experience using PuppetBoard via Docker per the instructions. I 
encapsulated the "run it" part in a shell script for easy startup.

https://github.com/voxpupuli/puppetboard#docker-images

That will let you run PuppetDB anywhere you please and run PuppetBoard locally 
on an ad-hoc basis. (Which is nice since it appears that some of the queries 
make PuppetDB and PostgreSQL work a bit harder than usual.)


>see that Canonical provided a package for PuppetDB on U14. I actually used
>the same Package on a U16 server with good results. But the U14 and U16
>servers were running Puppet 3.8.x. Now that I'm using Puppet 5 on U18 I
>thought it was high time that I used a newer PuppetDB package. Canonical
>don't provide one, there doesn't appear to be one at apt.puppetlabs.com
>and the instructions for compiling from source are broken, so I was a bit
>stuck. It's not a high priority, but I find PuppetBoard useful (from a
>sysadmin perspective).
>Simon
> 
>On Saturday, June 16, 2018 at 7:29:50 AM UTC+10, Rob Browning wrote:
> 
>  Simon Tideswell <stide...@gmail.com> writes:
> 
>  > The instructions here
>  > https://puppet.com/docs/puppetdb/5.2/install_from_source.html don't
>  > actually work! I'm doing this on Ubuntu 18 (Bionic). I've installed *lein*
>  > from the Ubuntu 18 packages rather than pulling it down from github (in
>  > case that is relevant).
> 
>  Hmm, sorry you're having trouble.  We'll definitely want to make sure
>  the instructions work, but first I'd like to make sure I understand your
>  more immediate interests.  Are you looking for packages, or perhaps just
>  being able to build an uberjar you can run directly, or...?
> 
>  > *"Could not transfer metadata
>  > puppetlabs:puppetdb:5.3.0-SNAPSHOT/maven-metadata.xml from/to snapshots
>  > (https://artifactory.delivery.puppetlabs.net/artifactory/list/clojure-snapshots__local/):
>  > Connect to artifactory.delivery.puppetlabs.net:443
>  > [artifactory.delivery.puppetlabs.net/192.69.65.54] failed: Connection timed
>  > out (Connection timed out)*
> 
>  Ahh right - we're planning to fix this, and I think someone else has
>  reported a similar problem:
>  https://tickets.puppetlabs.com/browse/PDB-3922
> 
>  I suspect, among possibly other things, we'll move the internal
>  repositories out of the main profile.  For now you should be able to
>  just comment them out, and any remaining failures would be additional
>  bugs we'll need to address.
> 
>  In any case, hopefully we'll be able to get things working for you soon.
> 
>  --
>  Rob Browning
> 



Re: [Puppet Users] Unable to run source using 'exec' resource

2018-04-22 Thread Christopher Wood
I'm not really sure what's going on (bit rusty in bash), but the following 
things to check on come to mind.

/bin/sh may not be linked to bash, and "export THING=whatever" is a bashism. It 
could be that "THING=whatever; export THING" will work better for you. However 
you're likely using something Linux so this doesn't count.

Execs are going to run in a subshell and be separated at the process level from 
other execs. If you check the source builtin in the bash manual it says "in the 
current shell environment". You running source at the command line and then 
running puppet means that puppet will pick up environment settings from your 
current environment, whereas "bash -c" and the exec make the settings exist in 
a subshell. They will be contained to a single child PID and vanish when the 
exec is over.

The documentation suggests that openrc.sh is sourced, so if you need to set up 
environment variables for the rest of the keystone setup a single exec 
definitely won't work.

https://docs.openstack.org/liberty/install-guide-ubuntu/keystone-openrc.html#using-the-scripts

In your place (with 100% less openstack experience than you) I would be 
provisioning openrc.sh as a file resource on the system, with 0600 permissions, 
and then ensuring that the keystone clients (handled elsewhere in puppet?) 
source that file, with their resources depending on the openrc.sh file resource 
so things were in the right order.

On Sun, Apr 22, 2018 at 12:26:11AM -0700, Justin tim wrote:
>Hi,
> 
>I've been trying to setup openstack keystone for my DEV environment using
>Puppet. Everything works fine, except the 'exec' resource.
> 
>I have tried the below things, but not getting the desired results
> 
>1. '/bin/bash -c 'source /root/openrc.sh' in the command attribute, but
>nothing happens.
>2. tried using the 'provider' attribute in the exec resource.
>3. tried using 'environment' attribute.
> 
>It's only when i manually run 'source /root/openrc.sh', the variables are
>set.
> 
>Below are the contents of the actual puppet manifest, and the openrc.sh
>file which is to be run on the node.
> 
># cat testexec.pp
> 
> exec { 'admin':
>    command => '/bin/sh /root/openrc.sh'
>   
>  }
> 
>Contents of openrc.sh
> 
>#!/bin/sh
>export OS_TOKEN="fbed3beb36960f2b3e1b"
>export OS_URL="http://openstack:35357/v3"
>export OS_IDENTITY_API_VERSION=3
> 
>Is there a way we achieve this?
> 
>Thanks in Advance.
>J
> 

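
The process isolation described in the reply above, as an added example that is not part of the original thread: a Ruby parent process (the Puppet agent is also a Ruby process) starts separate `/bin/sh` children and records where the exported variables are visible. The `openrc.sh` content and its placeholder URL are constructed, the helper names are hypothetical, and the demo assumes `OS_URL` is not already set in the calling environment.

```ruby
require 'open3'
require 'tmpdir'

# Constructed stand-in for the openrc.sh in the post; the URL is a placeholder.
# Uses the portable "VAR=value; export VAR" form mentioned in the reply.
OPENRC = <<~SH
  OS_URL="http://keystone.example.invalid:35357/v3"; export OS_URL
  OS_IDENTITY_API_VERSION=3; export OS_IDENTITY_API_VERSION
SH

# Runs /bin/sh with the given arguments as a child process and returns stdout.
def run_sh(*args)
  out, status = Open3.capture2('/bin/sh', *args)
  raise "sh failed: #{args.inspect}" unless status.success?

  out
end

def exec_isolation_demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'openrc.sh')
    # Create the credentials file owner-only from the start (0600), as the
    # reply suggests for the managed file resource.
    File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(OPENRC) }

    # 1. Equivalent of command => '/bin/sh /root/openrc.sh': the child sets
    #    and exports the variables, then exits and takes them with it.
    run_sh(path)

    {
      file_mode: format('%04o', File.stat(path).mode & 0o7777),
      # 2. The parent (the process that launched the exec) is unchanged.
      parent_has_os_url: ENV.key?('OS_URL'),
      # 3. A later, separate child (the next exec) does not see them either.
      next_child: run_sh('-c', 'printf %s "${OS_URL:-unset}"'),
      # 4. Sourcing and using the variables inside the same child works.
      same_child: run_sh('-c', '. "$1"; printf %s "$OS_URL"', 'sh', path)
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  exec_isolation_demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Case 4 is the pattern the reply points to: whatever needs the variables sources the file itself, in the same process that runs the client command.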


Re: [Puppet Users] PuppetDB: manually import reports

2018-04-19 Thread Christopher Wood
To challenge an assumption, what are you gaining from having more than one 
puppet infrastructure (puppetservers+puppetdb)?

Could you perhaps handle your dev stuff with another environment or set of 
puppetservers under the same CA with the same puppetdb?

Is there any reason for a separate puppet infrastructure to live longer than it 
takes to proof an upgrade for production?

On Thu, Apr 19, 2018 at 04:46:01AM -0700, Thomas Müller wrote:
>HI
> 
>I've got some prod puppetserver/puppetdb and some dev
>puppetserver/puppetdb. But to have the complete overview over all nodes
>with the prod puppetdb I'd like to import the reports from the dev
>puppetserver (stored by reports=store config) into the prod puppetdb.
> 
>is there some hidden tool to do so? I wasn't able to find anything in that
>direction.
> 
>Reading
>
> https://github.com/puppetlabs/puppetdb/blob/master/puppet/lib/puppet/reports/puppetdb.rb
>this could maybe be adapted to read a yaml file and then send it to puppetdb.
> 
>- Thomas
> 


Re: [Puppet Users] puppet "package" resource type for multi-file installer

2018-04-19 Thread Christopher Wood
Sounds like this thing would be useful?

https://forge.puppet.com/puppet/archive

On Wed, Apr 18, 2018 at 07:55:40PM -0700, Ty Young wrote:
>I'm still ramping up on Puppet 5.4.0, but I'm stuck on something.
> 
>I have a customer needing to automate installation of a software package
>on Windows nodes. The installer is most easily transported as a .zip file,
>but (obviously) would need to be unzipped before running the enclosed .bat
>file to perform the installation. 
> 
>Any suggestions?  
> 
>Thanks
> 


Re: [Puppet Users] error de conection

2018-04-13 Thread Christopher Wood
I haven't had that experience with puppet, but I have had it with other 
services.

Assuming you've gone through things like checking load, logs (for the 
puppetserver/puppet master), continuous ping, strace, and so on, I recommend 
that you capture packets on either side. Checking timestamps may show you if 
both sides of the tcp conversation are getting through. If they are you know 
the issue is isolated to one or both sides, if the packets aren't getting 
through then you know to check intervening switches and firewalls.

Especially the "connection reset by peer" part. If one end is hanging and the 
other end reports a reset connection, to me that sounds like something in the 
middle.

On Wed, Apr 11, 2018 at 04:43:56AM -0700, Javier Velasco wrote:
>when I run in the agent the command puppet master --debug --no-daemonize
>stays waiting in the line debug: Finishing transaction -612625138 and does
>not deliver the certificate, I run the command
> 
>openssl s_client -connect puppetc4:8140 and sometimes it connects and other
>times, when I run again the command puppet master --debug --no-daemonize
> 
>err: Could not retrieve catalog from remote server: Connection reset by
>peer - SSL_connect
> 
>notice: Using cached catalog
> 
>err: Could not retrieve catalog; skipping run
> 
>debug: Executing '/etc/puppet/etckeeper-commit-post'
> 
>debug: report supports formats: b64_zlib_yaml pson raw yaml; using pson
> 
>err: Could not send report: Connection reset by peer - SSL_connect
> 
>I would appreciate the help possible
> 


[Puppet Users] PuppetDB catalog-hash-conflict-debugging substitute

2018-04-06 Thread Christopher Wood
Once upon a time I successfully used catalog-hash-conflict-debugging to find an 
unsorted thing being different in every catalog and that was very helpful. 
Recently catalog duplication (in the PuppetDB dashboard) has dropped about 10% 
and the setting is gone from PuppetDB in 5.2.0.

https://tickets.puppetlabs.com/browse/PDB-1931
https://tickets.puppetlabs.com/browse/PDB-1932

Is there a way of storing and diffing different catalogs to see why duplication 
percentage may have dropped?



Re: [Puppet Users] Style regarding param data types

2018-03-07 Thread Christopher Wood
Somebody in the office here loves their complicated restrictive parameters. 
Those go in type aliases which cuts down a bit on the class parameter width.

https://puppet.com/docs/puppet/5.4/lang_type_aliases.html

On Wed, Mar 07, 2018 at 11:17:19AM -0500, Gabriel Filion wrote:
> Hiya!
> 
> I'm wondering if there's a current trend around style with parameter
> data types. I couldn't find a clear mention of how this is generally
> done in the community in the coding style guide on puppet.com.
> 
> Is it better to align param names to the right of all data types in
> class/define definitions like this?
> 
> class blah (
>   String[1]              $input,
>   Boolean                $manage_x = true,
>   Enum['hello', 'there'] $text = 'hello',
> ) {
> }
> 
> it seems to make things a lot clearer, however it can push arguments
> quite far to the right side of the screen (and column count).
> 
> what are your experiences wrt this?
> 
> Cheers
> 


Re: [Puppet Users] hiera key questions, key naming and per-file keys

2018-03-02 Thread Christopher Wood
(inline)

On Thu, Mar 01, 2018 at 11:36:40PM +0100, Henrik Lindberg wrote:
> On 01/03/18 16:03, Christopher Wood wrote:
> > As background, for "reasons" I am looking at individual domains in hiera as 
> > keys. I do have questions beyond "why would I even".
> > 
> > A) hiera lookup key format
> > 
> > I notice that if I use puppet lookup to test things I get similar behaviour 
> > as using lookup() from a manifest, a key with dots in it is truncated. 
> > Notice how the node hierarchy understands the key as "www" below(1). I could 
> > just use underscores but I'd rather understand what was going on first.
> > 
> 
> A '.' is an operator that "digs" into a data structure. If you are looking
> up the key "foo", and it results in a hash, and this hash has a key "bar",
> you can get its value by looking up "foo.bar".
> 
> You can quote the period to make it a verbatim period char. For example by
> looking up "'foo.bar'", or "foo'.'bar" would lookup the entire key including
> the period.
> 
> The '%' char has special meaning.
> 
> > Is there a list of permitted characters in a hiera key lookup?
> > 
> You should read up on the hiera documentation to get all the details.
> It is on puppet's documentation site.

Yes it's all right there in front of me. *facepalm*

For posterity, I had missed this bit:

https://puppet.com/docs/puppet/5.4/hiera_automatic.html#access-hash-and-array-elements-using-a-keysubkey-notation

> > B) hierarchy interpolation
> > 
> > https://puppet.com/docs/puppet/5.4/hiera_intro.html#hierarchies-interpolate-variables
> > 
> > Is there anything else a hierarchy can interpolate? I'm thinking it would 
> > be easier to explain to people that 'www.boitc.test' information was listed 
> > under hieradata/domains/www.boitc.test.yaml rather than in the longer 
> > hieradata/domains.yaml.
> > 
> > Failing that, is it future-proof to use $title in a hierarchy in the same 
> > manner as $classname seems sometimes used?
> > 
> 
> That is not a good design, it makes keys have different values depending on
> where they are looked up. In addition it forces hiera to have to evict the
> caches so it is bad for performance as well.

I had not realized that, it's obvious with a night's sleep now.

> Only use top scope variables (for example facts) in your hierarchy.
> 
> > 
> > (1) The lookup that is misunderstood in the environment data provider.
> > 
> > puppet lookup --node host.domain.com -d 'www.boitc.test'
> > 
> 
> quote the '.' to make it work
> 
> > Searching for "www.boitc.test"
> >   Global Data Provider (hiera configuration version 5)
> >     No such key: "www.boitc.test"
> >   Environment Data Provider (hiera configuration version 5)
> >     Using configuration "/etc/puppetlabs/code/environments/puppetmasters_tls/hiera.yaml"
> >     Hierarchy entry "nodes"
> >       Path "/etc/puppetlabs/code/environments/puppetmasters_tls/hieradata/nodes/host.domain.com.eyaml"
> >         Original path: "nodes/%{::trusted.certname}.eyaml"
> >         No such key: "www"
> > 
> > 
> 
> - henrik
> -- 
> 
> Visit my Blog "Puppet on the Edge"
> http://puppet-on-the-edge.blogspot.se/
> 


[Puppet Users] hiera key questions, key naming and per-file keys

2018-03-01 Thread Christopher Wood
As background, for "reasons" I am looking at individual domains in hiera as 
keys. I do have questions beyond "why would I even".

A) hiera lookup key format

I notice that if I use puppet lookup to test things I get similar behaviour as 
using lookup() from a manifest, a key with dots in it is truncated. Notice how 
the node hierarchy understands the key as "www" below(1). I could just use 
underscores but I'd rather understand what was going on first.

Is there a list of permitted characters in a hiera key lookup?

B) hierarchy interpolation

https://puppet.com/docs/puppet/5.4/hiera_intro.html#hierarchies-interpolate-variables

Is there anything else a hierarchy can interpolate? I'm thinking it would be 
easier to explain to people that 'www.boitc.test' information was listed under 
hieradata/domains/www.boitc.test.yaml rather than in the longer 
hieradata/domains.yaml.

Failing that, is it future-proof to use $title in a hierarchy in the same 
manner as $classname seems sometimes used?


(1) The lookup that is misunderstood in the environment data provider.

puppet lookup --node host.domain.com -d 'www.boitc.test'

Searching for "www.boitc.test"
  Global Data Provider (hiera configuration version 5)
    No such key: "www.boitc.test"
  Environment Data Provider (hiera configuration version 5)
    Using configuration "/etc/puppetlabs/code/environments/puppetmasters_tls/hiera.yaml"
    Hierarchy entry "nodes"
      Path "/etc/puppetlabs/code/environments/puppetmasters_tls/hieradata/nodes/host.domain.com.eyaml"
        Original path: "nodes/%{::trusted.certname}.eyaml"
        No such key: "www"




[Puppet Users] fqdn_rand() output will change in 5.4.0, non-FIPS too

2018-02-26 Thread Christopher Wood
This part of the release notes:

https://puppet.com/docs/puppet/5.4/release_notes.html#fips-support

"When running Puppet 5.4.0 on a FIPS-enabled platform, Puppet modifies its 
default digest_algorithm and supported_checksum_types settings to exclude MD5, 
which is not a FIPS-compliant algorithm. By default, Puppet on FIPS uses SHA256 
when managing file resources, including filebuckets. This behavior also affects 
values returned by the fqdn_rand function."

I happened to read that as only affecting FIPS-enabled hosts given the start of 
the paragraph. NB, FIPS:

https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards

At any rate, continuing. Nothing up the left sleeve, nothing up the right 
sleeve:

[root@puppetmaster1 ~]# facter fips_enabled
false

[root@puppetmaster1 ~]# cat /tmp/x.pp 
$a = fqdn_rand(60, 'abcd')
$b = fqdn_rand(60, 'bcde')
$c = fqdn_rand(60, 'cdef')
$d = fqdn_rand(60, 'defg')

notice("a is ${a}")
notice("b is ${b}")
notice("c is ${c}")
notice("d is ${d}")

With every open source puppet version from 5.0.0 to 5.3.5 (I checked with each 
one):

[root@puppetmaster1 ~]# puppet --version
5.3.5
[root@puppetmaster1 ~]# puppet apply /tmp/x.pp
Notice: Scope(Class[main]): a is 59
Notice: Scope(Class[main]): b is 33
Notice: Scope(Class[main]): c is 44
Notice: Scope(Class[main]): d is 16
Notice: Compiled catalog for puppetmaster1.me.com in environment production in 
0.06 seconds
Notice: Applied catalog in 0.20 seconds

And with the latest open source puppet:

[root@puppetmaster1 ~]# puppet --version
5.4.0
[root@puppetmaster1 ~]# puppet apply /tmp/x.pp
Notice: Scope(Class[main]): a is 43
Notice: Scope(Class[main]): b is 27
Notice: Scope(Class[main]): c is 8
Notice: Scope(Class[main]): d is 40
Notice: Compiled catalog for puppetmaster1.me.com in environment production in 
0.05 seconds
Notice: Applied catalog in 0.24 seconds

Going down the list of PUP tickets mentioning fqdn_rand(), PUP-8141 jumped out 
at me.

https://tickets.puppetlabs.com/browse/PUP-8141
https://github.com/puppetlabs/puppet/pull/6445/files

From the fqdn_rand.rb diff, lightly edited:

-seed = Digest::MD5.hexdigest([self['::fqdn'],max,args].join(':')).hex
+# We are consciously not using different hash algs based on fips mode here
+# since the randomness is not guaranteed to be predictable for a given node
+# It just needs to be unique for a given node
+seed = Digest::SHA256.hexdigest([self['::fqdn'],max,args].join(':')).hex
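
Review bot: the comment added on the `+` lines explains why the digest is not chosen by FIPS mode, but it does not record that replacing Digest::MD5 with Digest::SHA256 changes the seed, and with it the value fqdn_rand returns for every existing node on every platform. Suggest stating that in the comment and calling it out in the release notes as a change that is not limited to FIPS hosts. The wording "not guaranteed to be predictable" also sits oddly beside "unique for a given node"; if "stable across releases" is what is meant, say that.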

That handily explains that.

We have no fqdn_rand() usage where this change would cause unexpected behaviour 
so I'm a bit more relaxed now. Those were not the usual resources modified 
during a puppet-agent rpm update.
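
The digest swap in the diff above, as an added Ruby example that is not part of the original message or of Puppet's own code: it derives the seed both ways and lists the value each host gets before and after, so fqdn_rand-derived settings can be reviewed ahead of an upgrade. The host names are constructed, and the final draw through Ruby's `Random` is an assumption about the part of the function the diff does not show.

```ruby
require 'digest'

# Constructed host names for illustration; substitute your own inventory.
CONSTRUCTED_FQDNS = %w[
  web01.example.test web02.example.test db01.example.test
  db02.example.test mq01.example.test
].freeze

# Seed derivation as on the two sides of the diff: digest the string
# "fqdn:max:seed-args" and read the hex digest as one large integer.
def fqdn_rand_seed(digest_class, fqdn, max, *args)
  digest_class.hexdigest([fqdn, max, args].join(':')).hex
end

# ASSUMPTION: the draw itself is not shown in the diff; it is modelled here
# as Ruby's Random seeded with that integer, which makes it repeatable.
def fqdn_rand_model(digest_class, fqdn, max, *args)
  Random.new(fqdn_rand_seed(digest_class, fqdn, max, *args)).rand(max)
end

# One row per host: the value under the MD5 seed (before) and under the
# SHA256 seed (after), so shifted values can be reviewed ahead of an upgrade.
def fqdn_rand_shift(fqdns, max, *args)
  fqdns.map do |fqdn|
    before = fqdn_rand_model(Digest::MD5, fqdn, max, *args)
    after  = fqdn_rand_model(Digest::SHA256, fqdn, max, *args)
    { fqdn: fqdn, before: before, after: after, changed: before != after }
  end
end

# Slots that more than one host shares: a pile-up that did not exist before
# the change may matter when the value is used to spread load across hosts.
def shared_slots(rows, key)
  rows.group_by { |row| row[key] }
      .select { |_slot, group| group.size > 1 }
      .transform_values { |group| group.map { |row| row[:fqdn] } }
end

if __FILE__ == $PROGRAM_NAME
  # Same arguments as $a in the x.pp manifest above.
  rows = fqdn_rand_shift(CONSTRUCTED_FQDNS, 60, 'abcd')
  rows.each do |row|
    puts format('%-22s before=%2d after=%2d %s',
                row[:fqdn], row[:before], row[:after],
                row[:changed] ? 'CHANGED' : 'same')
  end
  puts "shared after upgrade: #{shared_slots(rows, :after)}"
end
```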



Re: [Puppet Users] puppet-lint & Syntax

2018-02-20 Thread Christopher Wood
Taking a stab at this...

The puppet parser will always be the authoritative source for one's puppet code 
validation since that is what will be parsing the code via agent or server. It 
will introduce any number of bugs and inconsistencies and delay to have 
puppet-lint keep up with what puppet does anyway.

However!

You do not need to check this all manually every time you commit. There are 
tools which wrap these commands that you can set up to do this automatically.

You can use puppet-git hooks to have all these checks performed right before a 
git commit is applied. Even better, you can set this up on the server side so 
that people are incapable of pushing risible crud to your main git repository.

https://github.com/drwahl/puppet-git-hooks

Under the hood, PDK uses puppet and puppet-lint and gives you the chance to add 
specification testing. I have this set up in our gitlab instance to run "pdk 
validate" and "pdk test unit" on every module we've run through "pdk convert". 
(You can likely have this one in a pre-commit hook too, haven't done that 
here.) We had some training/implementation sort of workshops and people were 
able to get some very basic tests done in their first time using PDK which was 
pleasant.

https://puppet.com/docs/pdk/1.x/pdk_install.html


On Tue, Feb 20, 2018 at 10:51:07PM +0100, Albert Shih wrote:
> On 20/02/2018 at 14:01:23+0100, Maria Elena wrote:
> > Hi Albert,
> > maybe cause puppet-lint checks only style (http://puppet-lint.com/).
> > Regards.
> 
> You're perfectly right. But in fact I'm not very good in english, so I will
> rephrase...
> 
> Can puppet-lint check also the syntax ? So we don't need to launch two
> thing
> 
>   puppet parser validate
> 
> and
> 
>   puppet-lint
> 
> that would be much easier.
> 
> Regards.
> 
> JAS
> 
> > Hi everyone,
> >
> > I'm wonder why puppet-lint don't show any syntax error.
> >
> > For example I just delete a "," at the end of a line and
> >
> > [root@io manifests]$ puppet-lint init.pp
> > [root@io manifests]$ puppet parser validate init.pp
> > Error: Could not parse for environment production: Syntax error at 'Boolean' (file: /home/jas/Travaux/puppet/modules/apache/manifests/init.pp, line: 19, column: 3)
> > [root@io manifests]$
> >
> > puppet-lint seem to be a very powerfull tool. I don't understand why he
> > cannot complain when something very simple like a missing comma cannot 
> > be
> > detected.
> >
> --
> Albert SHIH
> xmpp: j...@obspm.fr
> Heure local/Local time:
> Tue Feb 20 22:49:11 CET 2018
> 


Re: [Puppet Users] How to make puppetlabs yum repository mirror

2018-01-18 Thread Christopher Wood
rsync://rsync.puppet.com/

Dig around in there.

On Thu, Jan 18, 2018 at 09:11:16PM +0800, Yan Xiaofei wrote:
> Hello
> 
> I used to rsync from rsync://yum.puppetlabs.com/. But it does not work any
> more.
> How can I make a local mirror from yum.puppetlabs.com?
> 
> Thanks very much!
> Xiaofei
> 


Re: [Puppet Users] /etc/sysconfig/puppetserver git source?

2018-01-03 Thread Christopher Wood
Digging around there takes me to 28aee7b (SERVER-815), which appears close 
enough for an explanation. Quoth:

--
This is done in hopes of counteracting some of the 'Out of Memory' JVM errors 
that we've been seeing when running unit/integration tests via Travis CI.
---

https://github.com/puppetlabs/puppetserver/commit/28aee7b
https://tickets.puppetlabs.com/browse/SERVER-815

(Works for me.)

On Wed, Jan 03, 2018 at 01:15:45PM -0800, Matthaus Owens wrote:
> Just to add a little extra info, the template draws from several
> sources, one of which is in the project.clj for puppetserver here:
> https://github.com/puppetlabs/puppetserver/blob/5.1.x/project.clj#L113-L114
> 
> On Wed, Jan 3, 2018 at 12:09 PM, Christopher Wood
> <christopher_w...@pobox.com> wrote:
> > That turned out to be even more interesting, thank you!
> >
> > On Wed, Jan 03, 2018 at 06:38:02PM +, Morgan Rhodes wrote:
> >>Hi Christopher,
> >>That file is generated during packaging and is generated from a template
> >>in the ezbake
> >>project. 
> >> [1]https://github.com/puppetlabs/ezbake/blob/master/resources/puppetlabs/lein-ezbake/template/foss/ext/default.erb
> >>On Wed, Jan 3, 2018 at 9:56 AM Christopher Wood
> >><[2]christopher_w...@pobox.com> wrote:
> >>
> >>  Is the source for /etc/sysconfig/puppetserver in the puppetserver rpm
> >>  stored in any public-facing git repository? If so, where?
> >>
> >>  More details:
> >>
> >>  I was reading the tuning guide (it's augment time again) and it 
> >> occurred
> >>  to me to read the commit messages for this file to see how Puppet
> >>  figured out the defaults. That information may inform my own
> >>  configurations.
> >>
> >>  [3]https://puppet.com/docs/puppetserver/5.1/tuning_guide.html
> >>
> >>  I'm not actually a programmer, and couldn't find this file or obvious
> >>  source code in the puppetserver git repository if it is there. (Hints
> >>  welcome too!)
> >>
> >>  [4]https://github.com/puppetlabs/puppetserver
> >>
> >>  Running puppetserver 5.1.4 here.
> >>
> >>
> >>--
> >>Morgan Rhodes
> >>mor...@puppet.com
> >>Release Engineer
> >>

Re: [Puppet Users] /etc/sysconfig/puppetserver git source?

2018-01-03 Thread Christopher Wood
That turned out to be even more interesting, thank you!

On Wed, Jan 03, 2018 at 06:38:02PM +, Morgan Rhodes wrote:
>Hi Christopher,
>That file is generated during packaging and is generated from a template
>in the ezbake
>project. 
> [1]https://github.com/puppetlabs/ezbake/blob/master/resources/puppetlabs/lein-ezbake/template/foss/ext/default.erb
>On Wed, Jan 3, 2018 at 9:56 AM Christopher Wood
><[2]christopher_w...@pobox.com> wrote:
> 
>  Is the source for /etc/sysconfig/puppetserver in the puppetserver rpm
>  stored in any public-facing git repository? If so, where?
> 
>  More details:
> 
>  I was reading the tuning guide (it's augment time again) and it occurred
>  to me to read the commit messages for this file to see how Puppet
>  figured out the defaults. That information may inform my own
>  configurations.
> 
>  [3]https://puppet.com/docs/puppetserver/5.1/tuning_guide.html
> 
>  I'm not actually a programmer, and couldn't find this file or obvious
>  source code in the puppetserver git repository if it is there. (Hints
>  welcome too!)
> 
>  [4]https://github.com/puppetlabs/puppetserver
> 
>  Running puppetserver 5.1.4 here.
> 
> 
>--
>Morgan Rhodes
>mor...@puppet.com
>Release Engineer
> 


[Puppet Users] /etc/sysconfig/puppetserver git source?

2018-01-03 Thread Christopher Wood
Is the source for /etc/sysconfig/puppetserver in the puppetserver rpm stored in 
any public-facing git repository? If so, where?

More details:

I was reading the tuning guide (it's augment time again) and it occurred to me 
to read the commit messages for this file to see how Puppet figured out the 
defaults. That information may inform my own configurations.

https://puppet.com/docs/puppetserver/5.1/tuning_guide.html

I'm not actually a programmer, and couldn't find this file or obvious source 
code in the puppetserver git repository if it is there. (Hints welcome too!)

https://github.com/puppetlabs/puppetserver

Running puppetserver 5.1.4 here.



Re: [Puppet Users] puppet lookup could not find directory environment

2017-12-05 Thread Christopher Wood
(inline)

On Tue, Dec 05, 2017 at 11:23:32AM -0800, dkoleary wrote:
>On Tuesday, December 5, 2017 at 1:10:44 PM UTC-6, Christopher Wood wrote:
> 
>  Twofold:
> 
>  "fqdn" is usually a puppet fact, I suspect you wouldn't find that if you
>  grepped your hiera data. Try these as root on any node:
> 
>You are quite right.  My attempt to simplify the problem apparently went
>awry.
> 
> 
>  puppet lookup --node myhost.me.com --environment production --explain
>  myclass::someparam
>  puppet lookup --node myhost.me.com --environment production --explain
>  fqdn
>  puppet help lookup | less
> 
>I had tried variations of those all with the same result:
># puppet lookup --environment production --node cl1vinfconf2442.mydom.com
>--explain mpiossec:run_ossec
>Error:  Could  not run:  Could  not find a directory environment named
>'unconfigured' anywhere in the path:  /etc/puppetlabs/code/environments.
>Does the directory exist?
> mpiossec is *definitely* a hiera data entry.
>Thanks for the response.  I appreciate it.

Quoth your earlier post:

"Puppet environments, in my setup, are established via an external node 
classifier."

What does the ENC return for that node? The ENC is listed under the 
"external_nodes" parameter in /etc/puppetlabs/puppet/puppet.conf, you should be 
able to run it at the console like "/usr/bin/myenc nodename" sort of thing.

The output makes me suspect that the environment is listed as "unconfigured" in 
your ENC output. Here I typically leave out the --environment parameter, so 
"puppet lookup" must be consulting the ENC at some point or I'd never find 
anything. I presume there is no /etc/puppetlabs/code/environments/unconfigured.

I notice you are missing a colon in your hiera key, should that be 
"mpiossec::run_ossec"? The class::param delimiter is two colons.

Editorially, it's quite nifty once you get it going, keep at it.

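An added example (not part of the posts above and not Puppet's own code) of the check suggested in the reply: read the YAML an ENC prints for a node and confirm that the environment it names exists under the environment path, plus a test for the single-colon key typo. The sample ENC output, the function names and the temporary directory are constructed for illustration.

```ruby
require 'yaml'
require 'tmpdir'
require 'fileutils'

# Puppet's documented pattern for a valid environment name.
ENVIRONMENT_NAME_RE = /\A[a-z0-9_]+\z/

# Constructed sample of what an ENC might print for one node (not from the thread).
SAMPLE_ENC_OUTPUT = <<~ENC_YAML
  ---
  classes:
    - role::webserver
  environment: unconfigured
ENC_YAML

# Return the environment named in ENC output, or nil when the ENC sets none.
def enc_environment(enc_yaml)
  data = YAML.safe_load(enc_yaml) || {}
  raise ArgumentError, 'ENC output is not a YAML mapping' unless data.is_a?(Hash)

  env = data['environment']
  env.nil? ? nil : env.to_s
end

# Compare the ENC's environment with the directories under environmentpath.
# Returns [status, message]; status is :ok, :unset, :invalid or :missing.
def check_enc_environment(enc_yaml, environmentpath)
  env = enc_environment(enc_yaml)
  return [:unset, 'ENC sets no environment'] if env.nil?
  # Reject odd names before building a filesystem path from ENC-supplied text.
  unless env.match?(ENVIRONMENT_NAME_RE)
    return [:invalid, "environment #{env.inspect} is not a valid name"]
  end

  dir = File.join(environmentpath, env)
  return [:ok, "#{dir} exists"] if Dir.exist?(dir)

  [:missing, "ENC says #{env.inspect} but #{dir} does not exist"]
end

# True when a lookup key has a lone ':' where the class::param
# delimiter '::' was meant.
def lone_colon?(key)
  key.match?(/(?<!:):(?!:)/)
end

if __FILE__ == $PROGRAM_NAME
  # Stand-in for /etc/puppetlabs/code/environments with only "production".
  Dir.mktmpdir do |envpath|
    FileUtils.mkdir_p(File.join(envpath, 'production'))
    status, message = check_enc_environment(SAMPLE_ENC_OUTPUT, envpath)
    puts "#{status}: #{message}"
    %w[mpiossec:run_ossec mpiossec::run_ossec].each do |key|
      puts "#{key}: #{lone_colon?(key) ? 'single colon, check the key' : 'looks fine'}"
    end
  end
end
```

On a real server the YAML would come from running the ENC command configured as `external_nodes` with the node name as its argument, and the second argument would be the environment path from the error message.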


Re: [Puppet Users] puppet lookup could not find directory environment

2017-12-05 Thread Christopher Wood
Twofold:

"fqdn" is usually a puppet fact, I suspect you wouldn't find that if you 
grepped your hiera data. Try these as root on any node:

facter fqdn
facter -p | less

If you do have a hiera key called "fqdn", you can try looking it up on any host 
which has your environments in the usual place and using the explain parameter 
to have it tell you what's wrong.

puppet lookup --node myhost.me.com --environment production --explain 
myclass::someparam
puppet lookup --node myhost.me.com --environment production --explain fqdn
puppet help lookup | less

On Tue, Dec 05, 2017 at 10:44:56AM -0800, dkoleary wrote:
>Hi;
>I'm running open source puppet server ver 5.  So far, I've been
>exceedingly happy with the performance and maintainability of it.  I'm
>about to start a rewrite of a module and would like to verify some hiera
>data.  Quick google search shows what looks like it should be the perfect
>tool - problem is, it doesn't work.
>On the puppet server, I run:
># puppet lookup fqdn
>Error:  Could  not run:  Could  not find a directory environment named
>'unconfigured' anywhere in the path:  /etc/puppetlabs/code/environments.
>Does the directory exist?
> 
>I tried adding the environment with the same result:
># puppet lookup --environment production fqdn
>Error:  Could  not run:  Could  not find a directory environment named
>'unconfigured' anywhere in the path:  /etc/puppetlabs/code/environments.
>Does the directory exist?
>Puppet environments, in my setup, are established via an external node
>classifier.  I tried adding 'environment = production' to the user section
>of /etc/puppetlabs/puppet/puppet.conf but that didn't have any effect
>either.  Even with that, though, I would have thought specifying the
>environment on the command line would resolve that.
>Has anyone seen this and know what I may have messed up and/or how to work
>around it?
>Any hints/tips/suggestions greatly appreciated.
>Doug O'Leary


Re: [Puppet Users] force dist-upgrade once on each puppet run and update on each package to be installed?

2017-12-05 Thread Christopher Wood
I found that a single "apt-get update" exec before any packages were managed 
was useful enough. Out of interest, what is the use case that needs "apt-get 
update" before every package is installed?

Lately here the "yum upgrade" is a daily thing with some incremental canarying 
as the month goes on, but same general concept.

If you were using puppet to install apt repositories before packages, you could 
use some chained collectors to make sure you got the apt-get update after your 
repositories were installed, but before any packages were installed. To wit:

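# apt reads *.list files from sources.list.d (a .repo file would be ignored)
file { '/etc/apt/sources.list.d/myrepo.list':
  content => "deb etc. etc.\n",
  tag     => 'apt',
}

package { 'mypackage': }

# Runs only when a repository file notifies it
exec { '/usr/bin/apt-get -y update':
  refreshonly => true,
}

# A change to any file tagged 'apt' refreshes the exec
File <| tag == 'apt' |> ~> Exec['/usr/bin/apt-get -y update']

# The exec is ordered before every package in the catalog
Exec['/usr/bin/apt-get -y update'] -> Package <| |>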

(Of course the file resource could have a notify instead of a tag in this case.)

We are doing something broadly similar with yum for the last several years with 
no complaints. One trade-off is that all repositories are declared through 
resources rather than shipped with packages but that also means we have a 
single list of all our repos currently in use.

On Tue, Dec 05, 2017 at 05:32:21AM -0800, Kristian Rink wrote:
>Folks;
>using puppet with the apt module, I am looking for a way to do
>- an apt-get update && apt-get dist-upgrade *once* on each puppet agent
>run, and
>- an apt-get update before each package to be installed.
>Right now I am playing with various exec[] approaches but none seems
>really to do what I want. 
>Is there any "best" way to do this?
>TIA and all the best,
>Kristian


Re: [Puppet Users] multiple puppetdb, single postgres

2017-11-02 Thread Christopher Wood
Running two puppetdb in front of a single postgresql here and it's fine. The 
puppetservers use one puppetdb for everything and the second puppetdb is for 
monitoring and interactive use. The only hiccoughs are when trans-oceanic links 
blip.

The puppetdb instances are managed using puppet and at my SLA levels I get to 
shrug and say that agent runs will fail for a minute or so during the upgrade. 
Depending on your SLA you may have to upgrade at a specific time or swap 
servers behind a load balancer or something else quicker.

If I had a tighter SLA I would build new upgraded puppetdb hosts instead of 
upgrading in place. (Then repoint the puppetservers and turn down the old 
puppetdb hosts.) I haven't had schema issues during puppetdb upgrades.

For the puppet 4->5 upgrade I have a new 1xPostgreSQL9.6+2xPuppetDB5 set built, 
the upgraded puppetservers will fill them up soon enough.

On Thu, Nov 02, 2017 at 03:35:33PM +0100, Fabrice Bacchella wrote:
> Is there any risk running multiple puppetdb reading or perhaps writing to a 
> single postgres database ?
> 
> For my understanding, all puppetdb's data are stored in pg, so there is no 
> coherency problems, but too much caching on pdb's side might break that 
> assumption.
> 
> There is also the schema consistency. Upgrading one puppetdb without checking 
> the other might break it.
> 
> Is there any other failure case that I didn't think about ?
> 
> The goal is not to have a full HA solution, but be able to upgrade the 
> servers regularly without service disruption, as our puppetdb is used by 
> other tools than the puppet server.


Re: [Puppet Users] pdk and puppetlabs-ntp Gemfile on non-windows?

2017-10-31 Thread Christopher Wood
Thank you for the pointer, now the module does validate using 1.2.1 from the 
xenial deb. I checked validation against the commit in my gist as well as 
current master (fe01174).

For posterity, a diff of the working Gemfile.lock against the previous file 
from my failed validation shows a few differences in the working version.

https://gist.github.com/christopherwood/01aec6a03fa500fcaa02be7e4c83a2fe

At my level of experience I suspect I may have tried the validation with an 
empty $HOME/.pdk right when some gems were being shuffled around.

On Tue, Oct 31, 2017 at 02:22:47PM +, David Schmitt wrote:
>Hi Christopher,
> 
>I'm running the xenial packages on Debian testing myself, and have no
>issues with running the pdk validation of the puppetlabs-ntp module. If I
>use the Gemfile.lock from your log instead of a clean one, I get the same
>error. Please remove the Gemfile.lock and try again.
> 
>Cheers, David
>On Thu, Oct 26, 2017 at 5:19 PM Christopher Wood
><christopher_w...@pobox.com> wrote:
> 
>  I'm not sure if this is an issue, or something I'm doing, since I'm
>  trying to use Ubuntu debs on patched-up Debian 9. The question: Is this
>  PEBKAC or what?
> 
>  To wit, I get a fatal error when attempting "pdk validate -d" and "pdk
>  test unit -d" at 1215f02 of the puppetlabs-ntp module. This happens in
>  the same manner with the following debs.
> 
>  pdk_1.2.0.0-1trusty_amd64.deb
>  pdk_1.2.0.0-1xenial_amd64.deb
> 
>  These gists are typescript sessions of me reproducing the issue:
> 
>  https://gist.github.com/christopherwood/d2ac5542a3cdbf80cba7eaac6135ef14
>  https://gist.github.com/christopherwood/05f60e9f87465e73730606d8870065e7
> 
>  I think the issue boils down to these lines:
> 
>  pdk (FATAL): The dependency puppet-module-win-default-r2.1 (>= 0) will
>  be unused by any of the platforms Bundler is installing for. Bundler is
>  installing for ruby but the dependency is only for x86-mswin32,
>  x86-mingw32, x64-mingw32. To add those platforms to the bundle, run
>  `bundle lock --add-platform x86-mswin32 x86-mingw32 x64-mingw32`.
>  The dependency puppet-module-win-dev-r2.1 (= 0.0.7) will be unused by
>  any of the platforms Bundler is installing for. Bundler is installing
>  for ruby but the dependency is only for x86-mswin32, x86-mingw32,
>  x64-mingw32. To add those platforms to the bundle, run `bundle lock
>  --add-platform x86-mswin32 x86-mingw32 x64-mingw32`.
>  The dependency puppet-module-win-system-r2.1 (>= 0) will be unused by
>  any of the platforms Bundler is installing for. Bundler is installing
>  for ruby but the dependency is only for x86-mswin32, x86-mingw32,
>  x64-mingw32. To add those platforms to the bundle, run `bundle lock
>  --add-platform x86-mswin32 x86-mingw32 x64-mingw32`.
> 
>  When I do "gem install --user-install puppet-module-win-default-r2.1" on
>  my system ruby 2.3.3p222 it installs with no issues. However the Gemfile
>  in the puppetlabs-ntp module specifies
> 
>  :require => false, :platforms => ["mswin", "mingw", "x64_mingw"]
> 
>  and for some reason that appears to cause an issue here.
> 
>  I haven't really used bundler so definitely puzzled.

[Puppet Users] pdk and puppetlabs-ntp Gemfile on non-windows?

2017-10-26 Thread Christopher Wood
I'm not sure if this is an issue, or something I'm doing, since I'm trying to 
use Ubuntu debs on patched-up Debian 9. The question: Is this PEBKAC or what?

To wit, I get a fatal error when attempting "pdk validate -d" and "pdk test 
unit -d" at 1215f02 of the puppetlabs-ntp module. This happens in the same 
manner with the following debs.

pdk_1.2.0.0-1trusty_amd64.deb
pdk_1.2.0.0-1xenial_amd64.deb

These gists are typescript sessions of me reproducing the issue:

https://gist.github.com/christopherwood/d2ac5542a3cdbf80cba7eaac6135ef14
https://gist.github.com/christopherwood/05f60e9f87465e73730606d8870065e7

I think the issue boils down to these lines:

pdk (FATAL): The dependency puppet-module-win-default-r2.1 (>= 0) will be 
unused by any of the platforms Bundler is installing for. Bundler is installing 
for ruby but the dependency is only for x86-mswin32, x86-mingw32, x64-mingw32. 
To add those platforms to the bundle, run `bundle lock --add-platform 
x86-mswin32 x86-mingw32 x64-mingw32`.
The dependency puppet-module-win-dev-r2.1 (= 0.0.7) will be unused by any of 
the platforms Bundler is installing for. Bundler is installing for ruby but the 
dependency is only for x86-mswin32, x86-mingw32, x64-mingw32. To add those 
platforms to the bundle, run `bundle lock --add-platform x86-mswin32 
x86-mingw32 x64-mingw32`.
The dependency puppet-module-win-system-r2.1 (>= 0) will be unused by any of 
the platforms Bundler is installing for. Bundler is installing for ruby but the 
dependency is only for x86-mswin32, x86-mingw32, x64-mingw32. To add those 
platforms to the bundle, run `bundle lock --add-platform x86-mswin32 
x86-mingw32 x64-mingw32`.

When I do "gem install --user-install puppet-module-win-default-r2.1" on my 
system ruby 2.3.3p222 it installs with no issues. However the Gemfile in the 
puppetlabs-ntp module specifies

:require => false, :platforms => ["mswin", "mingw", "x64_mingw"]

and for some reason that appears to cause an issue here.

I haven't really used bundler so definitely puzzled.



[Puppet Users] querying unrealized/inactive resources in the catalog?

2017-09-14 Thread Christopher Wood
Is there a document somewhere that describes the visibility of an unrealized 
and inactive resource in the downloaded catalog and puppetdb catalog?

I thought I would be able to retrieve inactive resources from somewhere in 
puppetdb, but I can't and that could be just me.

It would suit me perfectly if unrealized resources actually did not exist 
anywhere in the stored catalog so possibly I'm puzzled by the phrasing in the 
documentation, where it says that "unrealized virtual resources are included in 
the catalog, but they are marked as inactive".

https://docs.puppet.com/puppet/4.10/lang_virtual.html#behavior

Going deeper, I have the following scratch manifest (naming munged for privacy, 
conventions ignored for experimentation):

class role::test1 {

  @file { '':
    content => "11\n",
    path    => '/tmp/a',
  }

  @file { '':
    content => "22\n",
    path    => '/tmp/b',
  }

  @file { '':
    content => "33\n",
    path    => '/tmp/c',
  }

  realize(File[''])

}

With that role applied to a host the  file resource appears in the catalog, 
both in puppetdb and downloaded, but  and  do not.

I can retrieve the  file resource via puppetdb query to 
/pdb/query/v4/resources/File/ but not the others (returns json []).



Re: [Puppet Users] puppet functions in EPP templates?

2017-07-26 Thread Christopher Wood
And sometimes it turns out the answer is obvious in retrospect once one's error 
has been posted up in public. I was doing:

file { '/tmp/tt2':
  content => template('test1/two.epp'),
}

When I actually invoke an epp template like I should, it works.

file { '/tmp/tt2':
  content => epp('test1/two.epp'),
}

We'll please attribute this to an unusual moment of dimness.

On Wed, Jul 26, 2017 at 09:50:11AM -0400, Christopher Wood wrote:
> Would somebody mind passing a spare clue regarding the correct syntax?
> 
> I already know this works in an erb template:
> 
> <%= scope.call_function('test1::test1', ['input one!!']) %>
> 
> However this fails in an epp template:
> 
> <%= test1::test1('input two!!') %>
> 
> Unfortunately, that's about as far as I got using "puppet apply".
> 
> My stub test module (with the busted epp part commented out):
> 
> https://gist.github.com/christopherwood/b7e3b4c60a60a8088a2a42f1242df2d9
> 
> And the result with the epp part uncommented:
> 
> $ puppet apply --modulepath . test1.pp
> Error: Evaluation Error: Error while evaluating a Function Call, Failed to 
> parse template test1/two.epp:
>   Filepath: /var/tmp/t1/test1/templates/two.epp
>   Line: 1
>   Detail: undefined local variable or method `test1' for 
> #
>  at /var/tmp/t1/test1/manifests/init.pp:6:16 on node cwl.me.com
> 
> I read these but couldn't find an obvious example, if somebody would like to 
> point one out.
> 
> https://docs.puppet.com/puppet/4.10/lang_expressions.html
> https://docs.puppet.com/puppet/4.10/lang_functions.html
> https://docs.puppet.com/puppet/4.10/lang_template_epp.html
> 
> As far as use case, I wanted to see if it would work for potential upcoming 
> module notions since parameterizable epp makes some things easier.
> 


[Puppet Users] puppet functions in EPP templates?

2017-07-26 Thread Christopher Wood
Would somebody mind passing a spare clue regarding the correct syntax?

I already know this works in an erb template:

<%= scope.call_function('test1::test1', ['input one!!']) %>

However this fails in an epp template:

<%= test1::test1('input two!!') %>

Unfortunately, that's about as far as I got using "puppet apply".

My stub test module (with the busted epp part commented out):

https://gist.github.com/christopherwood/b7e3b4c60a60a8088a2a42f1242df2d9

And the result with the epp part uncommented:

$ puppet apply --modulepath . test1.pp
Error: Evaluation Error: Error while evaluating a Function Call, Failed to 
parse template test1/two.epp:
  Filepath: /var/tmp/t1/test1/templates/two.epp
  Line: 1
  Detail: undefined local variable or method `test1' for 
#
 at /var/tmp/t1/test1/manifests/init.pp:6:16 on node cwl.me.com

I read these but couldn't find an obvious example, if somebody would like to 
point one out.

https://docs.puppet.com/puppet/4.10/lang_expressions.html
https://docs.puppet.com/puppet/4.10/lang_functions.html
https://docs.puppet.com/puppet/4.10/lang_template_epp.html

As far as use case, I wanted to see if it would work for potential upcoming 
module notions since parameterizable epp makes some things easier.



Re: [Puppet Users] Puppet Packet Rate?

2017-07-07 Thread Christopher Wood
The answer is that it depends on your catalogs and what you're ramming through 
them. You might get a squinty rule of thumb measurement from figuring out the 
size of uploaded facts/report, downloaded catalog/files, add some more for 
random discussion traffic, divide by the number of seconds an agent run 
allegedly takes.

That said, you sound like you're living an even more corporate life than I am, 
and they might not take an answer of "it depends what you make puppet do".

You might also do a packet capture or some hypervisor i/o monitoring during an 
agent run, see how much that is and divide by the agent run time.

And then your numbers may turn out fictional when somebody decides they're 
going to ram tarballs in via file resource.

On Fri, Jul 07, 2017 at 04:52:02PM +, Peter Berghold wrote:
>Has anybody out there done any sort of study on what Puppet produces in
>terms of I/O packet rate?  I'm being asked to fill in a spreadsheet with
>that information


Re: [Puppet Users] Trigger apt-get update if packages are to be installed

2017-07-07 Thread Christopher Wood
Not sure what their solution was, but mine was (back when puppeting 
Debian/Ubuntu) to run apt-get update on every run, but make sure to also run 
apt-cacher-ng to be an apt proxy on the local network. That sped things up.

On Fri, Jul 07, 2017 at 07:23:17AM -0700, Klavs Klavsen wrote:
>Did you ever find a good solution to this? found stuff like this:
>
> https://blog.bluemalkin.net/puppet-trick-running-apt-get-update-only-when-needed/
>- but that's really ugly


Re: [Puppet Users] Re: PuppetDB - High CPU Large number of KahaDB files and very little work going to postgresql

2017-07-05 Thread Christopher Wood
I'm wondering if that puppetdb instance's queue would grow if it wasn't also 
doing normal agent runs.

Maybe pause puppet agent runs until puppetdb is caught up? Puppetdb may not be 
happy doing its regular work plus this cleanup. You could stop the puppetserver 
service(s) for the cheap way to accomplish this.

Another option would be to build another puppetdb (backended with your existing 
postgresql) and have the puppetserver instances use that, to let your existing 
puppetdb chew through things. It sounds like postgresql is not the bottleneck. 
I found that breaking puppetdb and postgresql apart onto separate hosts lowered 
my intermittent puppetdb queue backlog.

If neither resolves things, it sounds like building a fresh set of 
puppetdb+postgresql hosts and pointing some puppetservers at it will resolve 
the question of whether your kahadb queues will grow with the refactored fact 
or if your issues are just from the backlog of the changeover. This depends how 
attached you are to the existing data. (Not so much here, agent runs will 
refill it.)

On Wed, Jul 05, 2017 at 06:38:36AM -0700, Peter Krawetzky wrote:
>So after a change from the module owner whose facts were very very large,
>the java CPU has been reduced significantly and running much better.
> However, now that the facts have changed for every single node, the DB is
>doing a significant amount of work to clean things up.  And the KahaDB
>queue is still growing out of control. 
> 
>At this point it might be a better option to stop the puppetdb server,
>shutdown postgresql, delete the data directory (after copying pg_hba.conf
>and postgresql.conf to /tmp), init a new db, copy those 2 files from /tmp
>back to their original spot, start postgresql and start puppetdb allowing
>it to create everything it needs from scratch.  Any opinions?
> 
>On Wednesday, June 28, 2017 at 12:25:57 PM UTC-4, Peter Krawetzky wrote:
> 
>  Last Sunday we hit a wall on our 3.0.2 puppetdb server.  The cpu spiked
>  and the KahaDB logs started to grow eventually almost filling a
>  filesystem.  I stopped the service, removed the mq directory per a
>  troubleshooting guide, and restarted.  After several minutes the same
>  symptoms began again and I have not been able to come up with a puppetdb
>  or postgresql config to fix this.
>  We tried turning off storeconfig in the puppet.conf file on our puppet
>  master servers but that doesn't appear to have resolved the problem.  I
>  also can't find a good explanation as to what this parameter really does
>  or does not do even in the puppet server documentation.  Anyone have a
>  better insight into this?
>  Also is there a way to just turn off puppetdb?
>  I've attached a file that is a snapshot of the puppetdb dashboard.
>  Anyone experience anything like this?
> 


Re: [Puppet Users] PuppetDB low catalog-duplication rate Puppet DB 4.3.0

2017-06-28 Thread Christopher Wood
I had a broadly similar issue in that I had a low catalog duplication rate and 
I had to change some puppet manifests around to fix that.

Back in 2015 I was doing this to get mcollective plugin sources for the file 
resource:

source => regsubst(keys($plugins), '^', 'puppet:///modules/mco/plugins/')

But obviously keys() returns things in any old order and every catalog was 
different. The solution was to sort it:

source => regsubst(sort(keys($plugins)), '^', 'puppet:///modules/mco/plugins/')

In your place I would grab some different catalogs for the same host, 
pretty-format them and diff to see what's different. That will show you what's 
changing between runs. The easy way for this is to do a bunch of agent runs and 
then use curl in between them on the puppetdb host.

curl http://localhost:8080/pdb/query/v4/catalogs/host.domain.com | python -m json.tool >/tmp/cat1

On Wed, Jun 28, 2017 at 11:11:17AM -0700, Mike Sharpton wrote:
>Hey all,
>I am hoping there is someone else in the same boat as I am.  We are
>running Puppet 4.2.2, along with PuppetDB 4.3.0.  I am seeing low
>duplication rate which I think is contributing to our queuing problems in
>PuppetDB.  The queue will fluctuate from 0-100 queued, to up to 2000.  We
>have around 4500 nodes, and we are using 8 threads on our PuppetDB server.
> I am seeing that the low duplication rate is caused by hashes not
>matching and a full insert running which is expensive on the DB instead of
>just updating the time stamp.  I don't know why these would not be
>matching, and may need help as far as how to find something like this.  I
>see items in PuppetDB3 for this, but not 4.  I see that using timestamp
>and other items which change each time will cause the catalog to never be
>the same, but I would think we would have 0% duplication if this was the
>case.  I am also seeing that things are improved in 4.4.0 as far as
>performance and a missing index is corrected that may speed things.  I am
>wondering what others have done/seen with this and whether upgrading to
>4.4.0 would do me good.  I am thinking it would as many things appear to be
>fixed around the issues I am seeing.  Thanks in advance,
>Mike
> 
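The catalog comparison suggested in the reply above, as an added example that is not part of the original post: a Python script that compares two catalogs saved from the PuppetDB query and separates parameters whose list elements only changed order (the unsorted keys() case) from parameters whose values really changed. The catalog layout (resources under `data`, each with `type`, `title` and `parameters`) and both sample catalogs are assumptions constructed for illustration.

```python
"""Classify differences between two PuppetDB catalogs for the same host."""
import json
import sys

# Constructed sample catalogs (not real data). Assumed layout: resources
# under "resources" -> "data", each with "type", "title" and "parameters".
CAT1 = {
    "certname": "host.domain.com",
    "resources": {"data": [
        {"type": "File", "title": "/usr/libexec/mcollective",
         "parameters": {"ensure": "directory", "recurse": True,
                        "source": ["puppet:///modules/mco/plugins/agent",
                                   "puppet:///modules/mco/plugins/util"]}},
        {"type": "File", "title": "/etc/motd",
         "parameters": {"content": "Generated at 2017-06-28 10:00\n"}},
        {"type": "Service", "title": "mcollective",
         "parameters": {"ensure": "running"}},
    ]},
}
CAT2 = {
    "certname": "host.domain.com",
    "resources": {"data": [
        {"type": "File", "title": "/usr/libexec/mcollective",
         "parameters": {"ensure": "directory", "recurse": True,
                        # same elements as CAT1, different order
                        "source": ["puppet:///modules/mco/plugins/util",
                                   "puppet:///modules/mco/plugins/agent"]}},
        {"type": "File", "title": "/etc/motd",
         # a timestamp rendered into the content changes on every run
         "parameters": {"content": "Generated at 2017-06-28 10:30\n"}},
        {"type": "Service", "title": "mcollective",
         "parameters": {"ensure": "running"}},
    ]},
}


def load_catalog(path):
    """Read a catalog that was saved as JSON (for example with curl)."""
    with open(path) as fh:
        return json.load(fh)


def _resources(catalog):
    """Map (type, title) -> parameters; accepts a bare list or a 'data' wrapper."""
    res = catalog.get("resources", [])
    if isinstance(res, dict):
        res = res.get("data", [])
    return {(r["type"], r["title"]): r.get("parameters", {}) for r in res}


def _canon(value):
    """Order-insensitive form of a value: lists are sorted recursively."""
    if isinstance(value, list):
        return sorted((_canon(v) for v in value),
                      key=lambda v: json.dumps(v, sort_keys=True))
    if isinstance(value, dict):
        return {k: _canon(v) for k, v in value.items()}
    return value


def diff_catalogs(first, second):
    """Return sorted (resource, parameter, kind) tuples for every difference.

    kind is 'order-only' when a sort would make the values equal, 'value'
    when the content differs, or 'only-in-first' / 'only-in-second' when
    the resource is missing from one catalog (parameter is then None).
    """
    ra, rb = _resources(first), _resources(second)
    findings = []
    for key in sorted(set(ra) | set(rb)):
        ref = "%s[%s]" % key
        if key not in rb:
            findings.append((ref, None, "only-in-first"))
            continue
        if key not in ra:
            findings.append((ref, None, "only-in-second"))
            continue
        for param in sorted(set(ra[key]) | set(rb[key])):
            va, vb = ra[key].get(param), rb[key].get(param)
            if va == vb:
                continue
            kind = "order-only" if _canon(va) == _canon(vb) else "value"
            findings.append((ref, param, kind))
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 3:
        a, b = load_catalog(sys.argv[1]), load_catalog(sys.argv[2])
    else:
        a, b = CAT1, CAT2
    for ref, param, kind in diff_catalogs(a, b):
        print("%-12s %s %s" % (kind, ref, param or ""))
```

Given two file arguments it compares catalogs saved with the curl command; with none it runs on the constructed samples.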


Re: [Puppet Users] passing a regex as a class parameter

2017-06-27 Thread Christopher Wood
After more discussion in #puppet on freenode, this thing:

https://tickets.puppetlabs.com/browse/PUP-7735

On Tue, Jun 27, 2017 at 11:44:26AM -0400, Christopher Wood wrote:
> A little oddity I stumbled across while getting things wrong about somebody's 
> pastebin entry in #puppet on freenode.
> 
> This thing:
> 
> class classname (
>   Regexp $param,
> ) {
>   notice('yes')
> }
> 
> class { 'classname':
>   param => /^.$/,
> }
> 
> Does this with puppet 4.10.2:
> 
> $ puppet apply /tmp/z.pp
> Error: Evaluation Error: Error while evaluating a Resource Statement, 
> Class[Classname]: parameter 'param' expects a Regexp value, got String at 
> /tmp/z.pp:7:1 on node cwl.me.com
> 
> Am I even supposed to be able to pass a Regexp to a class?
> 


[Puppet Users] passing a regex as a class parameter

2017-06-27 Thread Christopher Wood
A little oddity I stumbled across while getting things wrong about somebody's 
pastebin entry in #puppet on freenode.

This thing:

class classname (
  Regexp $param,
) {
  notice('yes')
}

class { 'classname':
  param => /^.$/,
}

Does this with puppet 4.10.2:

$ puppet apply /tmp/z.pp
Error: Evaluation Error: Error while evaluating a Resource Statement, 
Class[Classname]: parameter 'param' expects a Regexp value, got String at 
/tmp/z.pp:7:1 on node cwl.me.com

Am I even supposed to be able to pass a Regexp to a class?



Re: [Puppet Users] Dependency conundrum

2017-06-15 Thread Christopher Wood
Sounds like tags and chaining, did something similar for upstart.

file { '/usr/lib/systemd/system/patcher-client.service':
  notify => Service['patcher-client'],
  tag    => ['reload systemd'],
}

File <| tag == 'reload systemd' |> ~> Exec['systemctl daemon-reload']
Exec['systemctl daemon-reload'] -> Service <| |>


Originally (on centos6 where upstart+sysvinit is combined):

class upstart {

  $upstartreload = '/sbin/initctl reload-configuration'

  exec { $upstartreload:
    refreshonly => true,
  }

  File <| tag == 'upstart' |> ~> Exec[$upstartreload]
  Exec[$upstartreload] -> Service <| tag == 'upstart' |>

}



On Thu, Jun 15, 2017 at 10:59:16AM -0400, Tom Limoncelli wrote:
>I'm having a problem getting some dependencies exactly right.
>This is the code I originally wrote:
>    File['/usr/lib/systemd/system/patcher-client.service']~>Exec['systemctl daemon-reload']~>Service['patcher-client']
>It works great except... oops... if any other module does Exec['systemctl
>daemon-reload'], then Service['patcher-client'] restarts.  That additional
>restart is unneeded.
>I thought about rewriting it as:
>    File['/usr/lib/systemd/system/patcher-client.service']~>Exec['systemctl daemon-reload']
>    File['/usr/lib/systemd/system/patcher-client.service']~>Service['patcher-client']
>But then how would Puppet know to do the Exec[] before the Service[]?  I
>could add:
>    Exec['systemctl daemon-reload']->Service['patcher-client']
>But then we're basically in the same situation as the original code.
>Right?
>I guess I kind of want something like this: (not real syntax)
>    File['/usr/lib/systemd/system/patcher-client.service']~> ( Exec['systemctl daemon-reload']~>Service['patcher-client'] )
>How do I achieve that?
>Thanks in advance,
>Tom
>--
>Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
>Blog:  http://EverythingSysadmin.com
> 


Re: [Puppet Users] same hiera data across multiple profiles

2017-06-14 Thread Christopher Wood
Thank you, had forgotten about that one, it's a good read.

I'm a bit leery of adding inheritance to the mix, some people here have enough 
trouble understanding a hiera_hash().

However, I hadn't considered adding module data into the mix. I think I can put 
enough into the module data to make the profiles much easier to understand. In 
my case both profiles will indeed share enough to make this worthwhile.

Thank you both, that is much food for thought.

On Wed, Jun 14, 2017 at 11:31:12AM -0400, Rob Nelson wrote:
>You may want to look at automatic parameter lookup, inheritance, and data
>in modules.
>https://www.devco.net/archives/2016/01/08/native-puppet-4-data-in-modules.php
>has some good examples. Generally, a param class is obviated in a
>component module, but in profiles where a value may be shared across many,
>you could try something like this to be closer to your example 1:
> 
>class profile::sslparams (
>  Hash $ssldata,
>) {
>  # Nothing actually in the class, we just want the params above ^^
>}
> 
>class profile::http (
>  Hash $ssldata = $profile::sslparams::ssldata,
>) inherits profile::sslparams {
>  # use $ssldata wherever you need it
>}
> 
>You can then set profile::sslparams::ssldata as needed in the module's
>hiera data.
> 
>Like Matthew Kennedy, though, I'm not certain this is really what you want
>to do. Do both http and smtp always have the same values? Do they actually
>require the data in the exact same format? Can you provide default values
>for each, perhaps through data in modules, and override both
>profile::http::ssldata and profile::smtp::ssldata as needed? Maybe it
>isn't even needed if you are loading component modules like apache and
>postfix, as you could just `include apache` and set `apache::somesslparam:
>value1` and `postfix::differentsslparamname: value2` and not have to embed
>that in your profile classes.
>Rob Nelson
>rnels...@gmail.com
>On Wed, Jun 14, 2017 at 11:05 AM, Christopher Wood
><christopher_w...@pobox.com> wrote:
> 
>  I've been pondering this and I'm still tossing it back and forth in my
>  head.
> 
>  Example 1:
> 
>  class profile::ssl {
>    $ssldata = lookup('profile::ssl::ssldata', Hash)
>  }
> 
>  class profile::http {
>    include ::profile::ssl
>    $ssldata = $::profile::ssl::ssldata  # illustrating the example
>  }
> 
>  class profile::smtp {
>    include ::profile::ssl
>    $ssldata = $::profile::ssl::ssldata  # illustrating the example
>  }
> 
>  Example 2:
> 
>  class profile::http {
>    $ssldata = lookup('ssldata', Hash)
>  }
> 
>  class profile::smtp {
>    $ssldata = lookup('ssldata', Hash)
>  }
> 
>  Items:
> 
>  In example 1 every profile would definitely own specified hiera keys
>  with no orphans.
> 
>  In example 1 some profiles would end up as "params" profiles if they
>  don't have any resources. This is likely fine if it's important that
>  every hiera key is owned by a profile.
> 
>  Example 2 means potentially different merge strategies for different
>  profiles which could lead to puzzlement.
> 
>  Example 2 means that if the lookup fails somebody has to go digging in
>  hiera rather than it being obvious that somebody hasn't included
>  profile::ssl.
> 
>  Example 1 means that some profiles end up tightly coupled. On the other
>  hand anything that uses ssl is tightly coupled with anything that
>  manages ssl anyway.
> 
>  On balance it seems like example 1 is more work up front for the same
>  functional result and easier troubleshooting later, which sounds like a
>  reasonable tradeoff. I think I will give it a go. (Presuming I'm even
>  understanding your point correctly.)
> 
>  On Tue, Jun 13, 2017 at 08:50:51PM +, Matthew Kennedy wrote:
>  >    As a general rule you shouldn't have multiple profiles pulling the same
>  >    data from hiera.
>  >
>  >    Treat profiles like lego blocks that you can compose as needed.
>  >
>  >    In this case create a ssl_certs profile whose role is to pull in hieradata
>  >    via standard parameters. This profile has the responsibility to get the
>  >    certs on the box etc...
>  >
>  >    Any profiles that need ssl_certs can `include profile::ssl_certs`. Note
>  >    that if these profiles need to get the parameters of the ssl_certs class

Re: [Puppet Users] same hiera data across multiple profiles

2017-06-14 Thread Christopher Wood
I've been pondering this and I'm still tossing it back and forth in my head.

Example 1:

class profile::ssl {
  $ssldata = lookup('profile::ssl::ssldata', Hash)
}

class profile::http {
  include ::profile::ssl
  $ssldata = $::profile::ssl::ssldata  # illustrating the example
}

class profile::smtp {
  include ::profile::ssl
  $ssldata = $::profile::ssl::ssldata  # illustrating the example
}

Example 2:

class profile::http {
  $ssldata = lookup('ssldata', Hash)
}

class profile::smtp {
  $ssldata = lookup('ssldata', Hash)
}

Items:

In example 1 every profile would definitely own specified hiera keys with no 
orphans.

In example 1 some profiles would end up as "params" profiles if they don't have 
any resources. This is likely fine if it's important that every hiera key is 
owned by a profile.

Example 2 means potentially different merge strategies for different profiles 
which could lead to puzzlement.

Example 2 means that if the lookup fails somebody has to go digging in hiera 
rather than it being obvious that somebody hasn't included profile::ssl.

Example 1 means that some profiles end up tightly coupled. On the other hand 
anything that uses ssl is tightly coupled with anything that manages ssl anyway.

On balance it seems like example 1 is more work up front for the same 
functional result and easier troubleshooting later, which sounds like a 
reasonable tradeoff. I think I will give it a go. (Presuming I'm even 
understanding your point correctly.)



On Tue, Jun 13, 2017 at 08:50:51PM +, Matthew Kennedy wrote:
>As a general rule you shouldn't have multiple profiles pulling the same
>data from hiera.
> 
>Treat profiles like lego blocks that you can compose as needed.
> 
>In this case create a ssl_certs profile whose role is to pull in hieradata
>via standard parameters. This profile has the responsibility to get the
>certs on the box etc...
> 
>Any profiles that need ssl_certs can `include profile::ssl_certs`. Note
>that if these profiles need to get the parameters of the ssl_certs class
>they can be accessed via $profile::ssl_certs::parameter_name.
> 
>Hope that helps.
> 
>On Mon, Jun 12, 2017, 9:57 AM Christopher Wood
><christopher_w...@pobox.com> wrote:
> 
>  How do you typically organize your data lookups when you want to use the
>  same hiera data across multiple profiles, themselves possibly used
>  across multiple roles?
> 
>  A cut down example with fake names:
> 
>  class role::mailserver {
>    include ::profile::http
>    include ::profile::smtp
>  }
> 
>  class role::webserver {
>    include ::profile::http
>  }
> 
>  class profile::http ($ssldata) {
>    class { 'apache':
>      ssldata => $ssldata,
>    }
>  }
> 
>  class profile::smtp ($ssldata) {
>    class { 'postfix':
>      ssldata => $ssldata,
>    }
>  }
> 
>  In this example $ssldata would be a hash of loopback+cert+key+chain
>  sets.
> 
>  It seems like this is the exact case for the lookup() function but
>  perhaps one of you had a better idea.
> 
>  (Humorously, I am also taking naming suggestions for the set of
>  cross-profile hiera keys, however risky that is on a puppet-related
>  list.)
> 

Re: [Puppet Users] Officiel master puppet and source Puppet agent

2017-06-14 Thread Christopher Wood
Probably not 100% what you're looking for, but you might get some use out of 
the Debian puppet sources. They have packages for various ARM architectures too.

https://packages.debian.org/search?keywords=puppet

On Wed, Jun 14, 2017 at 06:03:17AM -0700, Fairouz el ouazi wrote:
>HI ,
>   Is there any possibility to have Enterprise Puppet Master and
>downloading puppet agent from sources in order to make it work on ARM
>devices?
> 
>Thanks
>Fairouz
> 


[Puppet Users] same hiera data across multiple profiles

2017-06-12 Thread Christopher Wood
How do you typically organize your data lookups when you want to use the same 
hiera data across multiple profiles, themselves possibly used across multiple 
roles?

A cut down example with fake names:

class role::mailserver {
  include ::profile::http
  include ::profile::smtp
}

class role::webserver {
  include ::profile::http
}

class profile::http ($ssldata) {
  class { 'apache':
    ssldata => $ssldata,
  }
}

class profile::smtp ($ssldata) {
  class { 'postfix':
    ssldata => $ssldata,
  }
}

In this example $ssldata would be a hash of loopback+cert+key+chain sets.

It seems like this is the exact case for the lookup() function but perhaps one 
of you had a better idea.

(Humorously, I am also taking naming suggestions for the set of cross-profile 
hiera keys, however risky that is on a puppet-related list.)



Re: [Puppet Users] havina an issue regarding puppet agent run

2017-06-07 Thread Christopher Wood
I think you wanted /pdb/meta/v1/version? This and the other puppetdb 
documentation may help:

https://docs.puppet.com/puppetdb/4.4/api/query/v4/query.html
https://docs.puppet.com/puppetdb/4.4/api/meta/v1/version.html

(Obviously pick your puppetdb version in the drop-down at the top of the page.)

On Wed, Jun 07, 2017 at 03:13:24AM -0700, 'Nishutosh Sharma' via Puppet Users 
wrote:
>I am facing same issue as above.
>I got the following response :-
>Error 404
>HTTP ERROR: 404
>Problem accessing /v4/version. Reason:
>    Not Found
>Powered by Jetty://
>
>
>On Saturday, 30 August 2014 04:23:35 UTC+5:30, Wyatt Alt wrote:
> 
>  Hi Spriya,
> 
>  Can you try accessing your database server directly at the host and port
>  specified in /etc/puppetdb/conf.d/jetty.ini and see if you get the same
>  error?
> 
>  e.g. curl http://localhost:8080/v4/version
> 
>  Wyatt
> 
>  On Fri, Aug 29, 2014 at 11:30 AM, Spriya <supriya.u...@gmail.com>
>  wrote:
> 
>Hi,
> 
>I installed puppet server using opensource.when i run puppet agent -t
>i am having this issue:
>Error: Could not retrieve catalog from remote server: Error 400 on
>SERVER: Failed to submit 'replace facts' command for example.com to
>PuppetDB at example.com:8081: [404 Not Found] http-equiv="Content-Type"
>content="text/html;charset=ISO-8859-1"/>Error 404
>HTTP ERROR: 404Problem accessing
>/v3/commands. Reason:    Not Found/>Powered by Jetty://
>Warning: Not using cache on failed catalog
>Error: Could not retrieve catalog; skipping run
> 
>Here are my version information:
>rpm -qa | grep puppet
>puppetdb-2.2.0-1.el6.noarch
>puppetlabs-release-6-6.noarch
>puppet-3.6.2-1.el6.noarch
>puppet-dashboard-1.2.23-1.el6.noarch
>puppet-server-3.6.2-1.el6.noarch
>rubygem-puppet-lint-0.3.2-1.el6.noarch
>puppetdb-terminus-2.2.0-1.el6.noarch
>puppetlabs-release-6-10.noarch
> 
>Please  help me
> 


Re: [Puppet Users] Apply every time for no reason = acceptable?

2017-06-05 Thread Christopher Wood
Consider possibly these cases (which I have seen):

i) You are trying to track down an oddity in your puppet codebase, something 
like a file_line resource and exec resource both managing the same file.

ii) You are trying to find a non-puppetized job which is fighting with puppet 
to decide the particular composition of a file.

iii) You are having an outage and you are trying to figure out which change may 
have caused this.

Will it add to your overall workload, and augment your ability to provide 
stable customer-facing services, if you have some resources always listed as 
changing? Will this help you to find the resources you need to focus on for 
your particular task?

(Short version: do the full job now to prepare for the inevitable upcoming 
crises.)

On Sun, Jun 04, 2017 at 07:25:50PM -0700, Ugo Bellavance wrote:
>Hi,
>I'm working on a module that applies some changes through API commands.
> Where I am now, it's now able to set values to a PHP config using this
>API, but I feel it is a bit ugly because it does the API call every time
>puppet runs, no matter if there is a change or not.  Is it problematic? I
>feel like a puppet run should be clean (silent) when nothing changes, but
>I am not aware of best practices stating otherwise either.  It is possible
>for me to use an unless statement to do an API call to determine if the
>config is already at the desired value, but it is, of course, more work.
>Thanks,
> 


Re: [Puppet Users] migrate from puppetmaster 3.4.3 -> 4.8.2

2017-06-04 Thread Christopher Wood
While I am not the authority on the matter, it looks like the answer is no, and 
the activerecord terminus is not part of puppet 4.

https://tickets.puppetlabs.com/browse/PUP-4627
https://docs.puppet.com/puppet/4.8/lang_exported.html
https://docs.puppet.com/puppet/4.8/configuration.html#storeconfigs

Try grepping for activerecord in the puppet 3.x software:

https://apt.puppetlabs.com/pool/wheezy/main/p/puppet/puppet-common_3.8.7-1puppetlabs1_all.deb
https://apt.puppetlabs.com/pool/wheezy/main/p/puppet/puppet-el_3.8.7-1puppetlabs1_all.deb

wget file
ar x file
tar xf data.tar.gz
(repeat)
grep -r ActiveRecord usr

By contrast, there is no similar set of ActiveRecord calls in the puppet-agent 
deb. (Obviously I don't have a great understanding of ruby coding!)

https://apt.puppetlabs.com/pool/jessie/PC1/p/puppet-agent/puppet-agent_1.10.1-1jessie_amd64.deb

Puppetdb is fairly easy to configure with the forge module, at least.

https://forge.puppet.com/puppetlabs/puppetdb

As a postscript, you may consider upgrading to puppet 4.10.1 or ensuring you 
have some backported fixes out of this set:

https://docs.puppet.com/security/index.html


On Sun, Jun 04, 2017 at 11:43:23PM +0300, Anton Gorlov wrote:
> Hi all.
> In the old puppet master node with puppetmaster 3.4.3 I use mysql to
> store data.
> In [master] section of puppet.conf configured data to access the database:
> 
> storeconfigs = true
> dbadapter = mysql
> dbname = puppetdb
> dbuser = puppetdbu
> dbpassword = *
> dbserver =  localhost
> 
> it works fine.
> 
> On fresh install with  puppetmaster 4.8.2 I get error on client node:
> 
> ===
> Warning: Unable to fetch my node definition, but the agent run will
> continue:
> Warning: Error 500 on SERVER: Server Error: Could not retrieve facts for
> debian9-lab3: Could not find terminus active_record for indirection facts
> Info: Retrieving pluginfacts
> Info: Retrieving plugin
> Info: Loading facts
> Error: Could not retrieve catalog from remote server: Error 500 on
> SERVER: Server Error: Could not find terminus active_record for
> indirection facts
> Warning: Not using cache on failed catalog
> Error: Could not retrieve catalog; skipping run
> =
> 
> 
> Is it possible to use storeconfig in database without using puppetdb?
> 
> 
> 


Re: [Puppet Users] How to create init-scripts and immediately use them in a service?

2017-05-19 Thread Christopher Wood
Lots of different ways, it might make for lighter defines if you used some tags 
and chaining. Or even use the puppet4 iteration, for some reason defines puzzle 
a number of folks at work here.

class upstart {
  $upstartreload = '/sbin/initctl reload-configuration'
  exec { $upstartreload:
    refreshonly => true,
  }
  # Changed init files tagged 'upstart' trigger the reload, and the reload
  # is ordered before every service tagged 'upstart'.
  File <| tag == 'upstart' |> ~> Exec[$upstartreload]
  Exec[$upstartreload] -> Service <| tag == 'upstart' |>
}

class queues (
  Hash $workers,
)
{
  # One init file, package and service per entry in the $workers hash.
  $workers.each |$name, $details| {
    $initfile = "/etc/init/queue-${name}.conf"
    $package = "queue-${name}-files"
    file { $initfile:
      ensure  => $details['file_ensure'],
      content => template('queues/init.conf.erb'),
      tag     => 'upstart',
    }
    package { $package:
      ensure => $details['package_ensure'],
    }
    service { "queue-${name}":
      ensure    => $details['service_ensure'],
      subscribe => [File[$initfile], Package[$package]],
      tag       => 'upstart',
    }
  }
}

If you had non-template'able requirements for the upstart config you'd probably 
tag the package.

On Fri, May 19, 2017 at 05:02:53PM +0200, 'Bas van de Wiel' via Puppet Users 
wrote:
> Hi Martijn,
> 
> Something like this might do it.
> 
> define site::queueworker {
> 
>   file { 'worker-config':
>     # ..do your /etc/init/configfile here
>     notify => Exec['kick-upstart'],
>   }
> 
>   exec { 'kick-upstart':
>     # ...do your upstart-reload here
>     require     => File['worker-config'],
>     refreshonly => true,
>     before      => Service['worker'],
>     notify      => Service['worker'],
>   }
> 
>   service { 'worker':
>     # ..do your service here
>     require => File['worker-config'],
>   }
> 
> }
> 



Re: [Puppet Users] separating puppetdb and postgresql

2017-04-25 Thread Christopher Wood
(inline)

On Tue, Apr 25, 2017 at 07:52:19AM +0200, Angel L. Mateo wrote:
> Hello,
> 
>   I have this same configuration working without any problem.
> 
> On 24/04/17 at 23:08, Christopher Wood wrote:
> >I am attempting to use the Puppet puppetdb and postgresql modules from the 
> >forge to have postgresql live on a separate server from puppetdb itself. 
> >It's not going brilliantly as I'm not understanding how to inform the 
> >postgresql module about what version of postgresql is in use for a 
> >versioncmp in postgresql::server::role.
> >
> >My questions to other people who have put postgresql on another host, or 
> >read puppet dsl better than me,  would be these:
> >
> >1) which classes and params did you declare in the profile to get over this 
> >hump?
> 
>   In my puppetdb server profile I have:
> 
> class profile::puppetdb::server {
> 
>   include ::puppetdb::globals
>   include ::puppetdb::server
>   ...

I facepalmed so hard at how I missed just declaring puppetdb::server directly. 
I got it working as you've shown, using puppetdb::server on the puppetdb node. 
I also had to declare puppetdb::database::postgresql on the postgresql node to 
ensure the database was there in the first place.

I tested an agent run with a scratch puppetserver node and I was able to do a 
successful agent run and then retrieve the node entry via 
http://localhost:8080/pdb/query/v4/nodes on the no-postgresql puppetdb node.

Thank you, very much appreciated!

> }
> 
>   I don't include any other puppetdb class.
> 
>   And my config (that I have on hiera) I have:
> puppetdb::server::listen_address: '0.0.0.0'
> puppetdb::server::listen_port: 8080
> puppetdb::server::disable_ssl: true
> puppetdb::server::database: postgres
> puppetdb::server::database_host: 'postgres.mydomain.com'
> puppetdb::server::database_username: 'puppetdb'
> puppetdb::server::database_name: 'puppetdb'
> puppetdb::server::database_password: 'mypassword'
> puppetdb::server::node_ttl: '15d'
> puppetdb::server::node_purge_ttl: '15d'
> puppetdb::server::java_args:
>   '-Xmx': '4g'
> 
>   I don't pass any other parameter to puppetdb classes
> 
> >2) am I able to get $connect_settings fed into postgresql::server::role 
> >somehow?
> >
>   I don't explicitly deal with postgresql::server::role at all, neither in
> puppetdb profile neither in postgresql server profile.
> 
> -- 
> Angel L. Mateo Martínez
> Sección de Telemática
> Área de Tecnologías de la Información
> y las Comunicaciones Aplicadas (ATICA)
> http://www.um.es/atica
> Tfo: 868889150
> Fax: 86337
> 



[Puppet Users] separating puppetdb and postgresql

2017-04-24 Thread Christopher Wood
I am attempting to use the Puppet puppetdb and postgresql modules from the 
forge to have postgresql live on a separate server from puppetdb itself. It's 
not going brilliantly as I'm not understanding how to inform the postgresql 
module about what version of postgresql is in use for a versioncmp in 
postgresql::server::role.

My questions to other people who have put postgresql on another host, or read 
puppet dsl better than me,  would be these:

1) which classes and params did you declare in the profile to get over this 
hump?
2) am I able to get $connect_settings fed into postgresql::server::role somehow?

Exhibit A, mildly tweaked for privacy:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: 
Evaluation Error: Error while evaluating a Resource Statement, Evaluation 
Error: Error while evaluating a Function Call, 'versioncmp' parameter 'a' 
expects a String value, got Undef at 
/etc/puppetlabs/code/environments/puppetmasters_test/modules/postgresql/manifests/server/role.pp:95:6
 at 
/etc/puppetlabs/code/environments/puppetmasters_test/modules/postgresql/manifests/server/db.pp:30
 on node temphost1.me.com

The puppetlabs-puppetdb module is at 5.1.2 (b641845), and the 
puppetlabs-postgresql module is at 4.9.0 (3021eb3).

The puppetdb module is currently in the profile like so (still working out all 
the things I need here):

  class { '::puppetdb':
    certificate_whitelist => [
      'cwood',
      'some.more',
      'etc.',
    ],
    conn_keep_alive       => '5',
    database_host         => 'db.me.com',
    java_args             => {
      '-Xmx' => '2g',
      '-Xms' => '512m',
    },
    jdbc_ssl_properties   => '?ssl=true&sslfactory=org.postgresql.ssl.jdbc4.LibPQFactory&sslmode=verify-full&sslrootcert=/etc/puppetlabs/puppetdb/ssl/ca.pem',
    manage_dbserver       => false,
    manage_package_repo   => false,
    node_purge_ttl        => '1d',
    node_ttl              => '14d',
    postgres_version      => '9.5',
  }


If I'm reading this correctly the puppetdb::database::postgresql class is 
declared in the puppetdb class. I am not managing postgresql itself on this 
server (manage_dbserver above) so the postgresql::server::db (defined type) 
declares (a) postgresql::server::role (defined type) without declaring the 
postgresql::server class.

https://github.com/puppetlabs/puppetlabs-puppetdb/blob/5.1.2/manifests/init.pp
https://github.com/puppetlabs/puppetlabs-puppetdb/blob/5.1.2/manifests/database/postgresql.pp
https://github.com/puppetlabs/puppetlabs-postgresql/blob/4.9.0/manifests/server/role.pp
https://github.com/puppetlabs/puppetlabs-postgresql/blob/4.9.0/manifests/server/db.pp

The catch appears to be that postgresql::server::role uses $connect_settings as 
a parameter, but it is declared as such in postgresql::server::db:

  if ! defined(Postgresql::Server::Role[$user]) {
    postgresql::server::role { $user:
      password_hash => $password,
      before        => Postgresql::Server::Database[$dbname],
    }
  }

However the version is taken from this in role.pp:

  # If possible use the version of the remote database, otherwise
  # fallback to our local DB version
  if $connect_settings != undef and has_key( $connect_settings, 'DBVERSION') {
    $version = $connect_settings['DBVERSION']
  } else {
    $version = $postgresql::server::_version
  }

Neither of the $version assignments there work so $version ends up null and 
this check on line 95 of role.pp produces the error above:

  if(versioncmp($version, '9.1') >= 0) {

This is the wall upon which my head is currently beating, if anybody has any 
hints.



Re: [Puppet Users] Re: apt/yum.downloads.puppetlabs.com CDN & rsync deprecation

2017-04-24 Thread Christopher Wood
Not sure about the rest of you, but since I have no contract with Puppet Inc. 
specifying the maintenance of rsync services I would shrug and move to using 
apt-mirror. I've used it before and it's nearly drop-in.

https://apt-mirror.github.io/
https://packages.debian.org/jessie/apt-mirror
https://forge.puppet.com/jtopjian/apt_mirror

Pity about rsync service though.

On Mon, Apr 24, 2017 at 11:13:29AM -0700, Garrett Honeycutt wrote:
> +1 to an alternate rsync service.
> 
> A lot of us already have tooling built up around rsync, so this change
> breaks work flows. It also comes without warning for a service that has
> been around for ages.
> 
> Best regards,
> -g
> 
> On 4/24/17 7:19 AM, Andreas Paul wrote:
> > We would also be interested in an alternative server to rsync from.
> > 
> > Best regards,
> > Andreas Paul
> > 
> > On Monday, April 24, 2017 at 2:46:24 PM UTC+2, Chris Kuehl wrote:
> > 
> > > Is there an alternative server we can rsync from? We've been using
> > > ftpsync (the recommended tool for mirroring apt repositories), which
> > > worked great until this was turned off. ftpsync appears to be at least
> > > somewhat superior to the other options.
> > 
> > Thanks,
> > Chris
> > 
> > On Friday, April 21, 2017 at 1:54:36 PM UTC-7, Daniel Dreier wrote:
> > 
> > > On Wednesday we put yum.puppetlabs.com and apt.puppetlabs.com behind
> > > the CloudFront CDN in order to accelerate downloads for overseas
> > > users. Both repositories have historically been served from the
> > > Linode Fremont datacenter, and download performance from Australia
> > > and Asia in particular are dramatically faster with the CDN than
> > > without.
> > 
> > One side effect is that we no longer support rsync. Other tools
> > like mrepo, reposync, and apt-mirror can sync to your local
> > mirror via HTTP. Since you'll be accessing cached content from a
> > local CloudFront edge location, HTTP mirroring should be very
> > fast for most users.
> > 
> > -- 
> > Daniel Dreier
> > Technical Operations Engineer
> > GPG: BA4379FD
> > 
> 
> 
> -- 
> Garrett Honeycutt
> @learnpuppet
> Puppet Training with LearnPuppet.com
> Mobile: +1.206.414.8658
> 



Re: [Puppet Users] [PuppetDB] records not being expired from puppetdb?

2017-02-22 Thread Christopher Wood
Well that was daft of me, and you're exactly right. After applying this tuning 
older things are purged as expected. Thank you!

On Wed, Feb 22, 2017 at 01:26:45PM -0800, Wyatt Alt wrote:
> Hey Christopher,
> 
> This is the default behavior of PuppetDB -- my guess is you can address it
> by tuning your node-ttl and node-purge-ttl parameters, which are described
> here:
> 
> https://docs.puppet.com/puppetdb/latest/configure.html#node-ttl
> 
> PuppetDB won't expire or delete node data unless those parameters are set,
> and they aren't by default. The reports are deleted after 14 days by default
> (report-ttl setting), which would explain why you can see node data but no
> reports.
> 
> Wyatt
> 
> 
> On 02/21/2017 11:05 AM, Christopher Wood wrote:
> >Our security department raised the point that some nodes present in 
> >puppetdb are not for current or recently decommissioned servers.
> >
> >Does anybody have a spare hint as to why these nodes haven't become expired 
> >over the last few months of not being servers, or where I can look for more 
> >information? (PuppetDB 3.2.4.)
> >
> >More details:
> >
> >On further investigation, I can retrieve old catalogs for these nodes. The 
> >catalogs are weeks or months old, and I thought the nodes themselves might 
> >have been expired by now. Sure enough, there is nothing in the "deactivated" 
> >or "expired" fields in the certnames table in PostgreSQL for these nodes. 
> >The hosts are definitely gone as servers.
> >
> >curl --data-urlencode 'query=["=", "certname", "myhost.mydomain.com"]' -v -s 
> >-S -X GET --cacert $ca --cert $cert --key $key 
> >https://puppetdb2.mydomain.com:8081/pdb/query/v4/catalogs >/tmp/myhost.json
> >
> >I am unable to retrieve reports for these nodes (200 response from puppetdb 
> >but no actual report, '[]'). Likewise they do not appear in Puppet Explorer 
> >as nodes. (Same as above but /reports not /catalogs.)
> >
> >When I deactivated one of these nodes (puppet node deactivate) I was still 
> >able to retrieve the same old catalog that I was able to before, but this 
> >time the "deactivated" field in the certnames table was filled in.
> >
> >puppetdb=# select * from certnames where certname = 'myhost.mydomain.com';
> >-[ RECORD 1 ]+---
> >id   | 2035
> >certname | myhost.mydomain.com
> >latest_report_id |
> >deactivated  | 2017-02-21 12:28:25.495-05
> >expired  |
> >
> >We're on a slightly older version of PuppetDB (3.2.4). That said, Puppetdb 
> >has been ticking along just fine for months and this is the first problem I 
> >can remember.
> >
> >bash-4.1$ rpm -q postgresql95-server
> >postgresql95-server-9.5.0-2PGDG.rhel6.x86_64
> >
> >bash-4.1$ rpm -q puppetdb
> >puppetdb-3.2.4-1.el6.noarch
> >
> >(Also, I can't find any reference to this issue with google searches or 
> >looking on tickets.puppetlabs.com, and this is as far as I can figure out 
> >this issue.)
> >
> 


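The stale-node check this thread comes down to, as an added example that is not part of the original posts: it reads the JSON returned by PuppetDB's /pdb/query/v4/nodes endpoint and separates nodes that a given node-ttl would expire but that are still active from nodes already deactivated or expired and waiting on node-purge-ttl. The sample response, the extra host names under mydomain.com and the function names are constructed for illustration.

```python
"""Audit a PuppetDB /pdb/query/v4/nodes response for stale nodes (added example)."""
import json
import re
from datetime import datetime, timedelta, timezone

# Duration suffixes accepted by PuppetDB's node-ttl / node-purge-ttl settings.
TTL_UNITS = {"d": "days", "h": "hours", "m": "minutes", "s": "seconds",
             "ms": "milliseconds"}

# Constructed sample shaped like a /pdb/query/v4/nodes response.
SAMPLE_NODES_JSON = """
[
  {"certname": "myhost.mydomain.com",
   "deactivated": "2017-02-21T17:28:25.495Z", "expired": null,
   "catalog_timestamp": "2016-11-03T09:12:44.101Z",
   "facts_timestamp": "2016-11-03T09:12:40.870Z",
   "report_timestamp": null},
  {"certname": "retired7.mydomain.com",
   "deactivated": null, "expired": null,
   "catalog_timestamp": "2016-12-01T06:30:00.000Z",
   "facts_timestamp": "2016-12-01T06:29:55.000Z",
   "report_timestamp": null},
  {"certname": "neverseen.mydomain.com",
   "deactivated": null, "expired": null,
   "catalog_timestamp": null, "facts_timestamp": null,
   "report_timestamp": null},
  {"certname": "web1.mydomain.com",
   "deactivated": null, "expired": null,
   "catalog_timestamp": "2017-02-22T21:30:58.000Z",
   "facts_timestamp": "2017-02-22T21:30:55.000Z",
   "report_timestamp": "2017-02-22T21:31:02.000Z"}
]
"""
SAMPLE_NOW = datetime(2017, 2, 22, 22, 0, tzinfo=timezone.utc)


def parse_ttl(text):
    """Turn a PuppetDB duration such as '14d' into a timedelta."""
    match = re.fullmatch(r"(\d+)(ms|d|h|m|s)", text.strip())
    if match is None:
        raise ValueError(f"not a PuppetDB duration: {text!r}")
    return timedelta(**{TTL_UNITS[match.group(2)]: int(match.group(1))})


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp from the API; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_activity(node):
    """Newest of the catalog, facts and report timestamps, or None."""
    keys = ("catalog_timestamp", "facts_timestamp", "report_timestamp")
    stamps = [parse_ts(node.get(key)) for key in keys]
    stamps = [stamp for stamp in stamps if stamp is not None]
    return max(stamps) if stamps else None


def audit(nodes, node_ttl, now):
    """Classify nodes against a candidate node-ttl value.

    stale_active: still active although idle longer than node_ttl, listed
        as (certname, whole days idle), or (certname, None) if no activity
        was ever recorded. These are what an unset node-ttl leaves behind.
    inactive_awaiting_purge: already deactivated or expired; the record
        stays queryable until node-purge-ttl deletes it.
    current: activity seen within node_ttl.
    """
    ttl = parse_ttl(node_ttl)
    findings = {"stale_active": [], "inactive_awaiting_purge": [], "current": []}
    for node in nodes:
        name = node["certname"]
        if node.get("deactivated") or node.get("expired"):
            findings["inactive_awaiting_purge"].append(name)
            continue
        seen = last_activity(node)
        if seen is None:
            findings["stale_active"].append((name, None))
        elif now - seen > ttl:
            findings["stale_active"].append((name, (now - seen).days))
        else:
            findings["current"].append(name)
    return findings


def audit_sample():
    """Run the audit over the constructed sample with a 14 day node-ttl."""
    return audit(json.loads(SAMPLE_NODES_JSON), "14d", SAMPLE_NOW)


if __name__ == "__main__":
    for bucket, entries in audit_sample().items():
        print(bucket, entries)
```

Fed with the real output of the nodes endpoint and the current time, the stale_active list is the set of certnames to reconcile against the decommissioning records.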

[Puppet Users] [PuppetDB] records not being expired from puppetdb?

2017-02-21 Thread Christopher Wood
Our security department raised the point that some nodes present in puppetdb 
are not for current or recently decommissioned servers.

Does anybody have a spare hint as to why these nodes haven't become expired 
over the last few months of not being servers, or where I can look for more 
information? (PuppetDB 3.2.4.)

More details:

On further investigation, I can retrieve old catalogs for these nodes. The 
catalogs are weeks or months old, and I thought the nodes themselves might have 
been expired by now. Sure enough, there is nothing in the "deactivated" or 
"expired" fields in the certnames table in PostgreSQL for these nodes. The 
hosts are definitely gone as servers.

curl --data-urlencode 'query=["=", "certname", "myhost.mydomain.com"]' -v -s -S 
-X GET --cacert $ca --cert $cert --key $key 
https://puppetdb2.mydomain.com:8081/pdb/query/v4/catalogs >/tmp/myhost.json

I am unable to retrieve reports for these nodes (200 response from puppetdb but 
no actual report, '[]'). Likewise they do not appear in Puppet Explorer as 
nodes. (Same as above but /reports not /catalogs.)

When I deactivated one of these nodes (puppet node deactivate) I was still able 
to retrieve the same old catalog that I was able to before, but this time the 
"deactivated" field in the certnames table was filled in.

puppetdb=# select * from certnames where certname = 'myhost.mydomain.com';
-[ RECORD 1 ]+---
id   | 2035
certname | myhost.mydomain.com
latest_report_id | 
deactivated  | 2017-02-21 12:28:25.495-05
expired  | 

We're on a slightly older version of PuppetDB (3.2.4). That said, Puppetdb has 
been ticking along just fine for months and this is the first problem I can 
remember.

bash-4.1$ rpm -q postgresql95-server
postgresql95-server-9.5.0-2PGDG.rhel6.x86_64

bash-4.1$ rpm -q puppetdb
puppetdb-3.2.4-1.el6.noarch

(Also, I can't find any reference to this issue with google searches or looking 
on tickets.puppetlabs.com, and this is as far as I can figure out this issue.)



Re: [Puppet Users] Puppet Language Style Guide update

2017-02-13 Thread Christopher Wood
Same budget for tools here. I get along just fine with a combination of 
puppet-mode for emacs and the pre-commit hook from David Wahlstrom's 
puppet-git-hooks project.

https://github.com/voxpupuli/puppet-mode

https://github.com/drwahl/puppet-git-hooks

(Although I obviously recommend you install the pre-receive hook on the server 
side of wherever you're pushing to.)

On Mon, Feb 13, 2017 at 09:24:51AM -0800, James Perry wrote:
>Are there any open source or free replacements for Geppetto?   RubyMine is
>like $200/year, which is outside of an IT budget of $0/year for tools. 
> 
>On Friday, January 13, 2017 at 5:03:48 AM UTC-5, Henrik Lindberg wrote:
> 
>  On 13/01/17 08:38, Peter Faller wrote:
>  > Has the Geppetto auto-formatter been updated (or will it be updated) to
>  > match the style guide? Or is there another way of automatically
>  > formatting manifests to match the style guide?
>  >
> 
>  Geppetto is pretty much up to date on the style guide as there are no
>  fundamental changes to the formatting in terms of indentation and
>  spacing. It is however somewhat behind on the language support as it has
>  no understanding of the type system and some other recent additions.
>  Geppetto is no longer maintained by Puppet as announced quite a long
>  time ago.
> 
>  An IDE that has recently updated their support for Puppet is RubyMine.
>  It is well worth taking a look at. Don't know what kind of formatting
>  they offer though.
> 
>  Best,
>  - henrik
> 
>  >



Re: [Puppet Users] User Management from LDAP / freeipa

2017-02-06 Thread Christopher Wood
The defined function is more about whether something is defined in the catalog, 
if I recall correctly.

https://docs.puppet.com/puppet/latest/function.html#defined

This sounds like something for a custom fact which returns a list of users 
found on the system. You may have to do an ldapsearch from the custom fact to 
get the DNs to translate into usernames. Then your manifest can manage the 
dotfiles based on the user list.

However, in your place I might consider a login script which checked for the 
existence of dotfiles and then copied them over (plus a 
$HOME/.dot_file_copy_done sort of lockfile) on first login. That way you don't 
need convoluted manifest code to figure out users, and you won't accidentally 
overwrite anybody's custom dotfiles. People can get generic dotfiles by 
removing the lockfile. From the end user perspective I've had the same dotfiles 
for many years and I don't want my $HOME customizations interfered with.

On Mon, Feb 06, 2017 at 02:33:35PM +, Dan White wrote:
> I am trying to figure out if I can do any user management from Puppet for 
> users initially managed by Red Hat's Identity Manager (freeipa / ldap)
> 
> Here is a code snippet I tried:
> 
> # Class: wtf
> #
> class wtf {
>   if defined( User["dewhite"] ) {
>     $foo = User["dewhite"]["home"]
>     notify { "->${foo}<-": }
>   } else {
>     notify { "woof": }
>     user { 'dewhite':
>       ensure => 'present',
>     }
>   }
> }
> 
> The dewhite user is defined - and Puppet can "see" it :
> 
> [root ~]# puppet resource user dewhite
> user { 'dewhite':
>   ensure => 'present',
>   comment => 'Daniel White',
>   gid => '68441',
>   home => '/home/dewhite',
>   shell => '/bin/bash',
>   uid => '68441',
> }
> 
> but I always get the "else" half of the manifest.
> 
> My goal is to add things like dot-files and such.
> I want to either be able to detect the existence of an LDAP created user or I 
> would like to be able to manage the freeipa/LDAP users from Puppet.
> 
> Any ideas ?
> Dan White | d_e_wh...@icloud.com
> 
> “Sometimes I think the surest sign that intelligent life exists elsewhere in 
> the universe is that none of it has tried to contact us.”  (Bill Waterson: 
> Calvin & Hobbes)
> 



Re: [Puppet Users] Escape codes in collection types

2017-02-02 Thread Christopher Wood
This thing is nice that way:

https://github.com/drwahl/puppet-git-hooks

I recommend using the pre-receive hook on the server side. That way you can 
skip awkward conversations about how people should go the extra mile and exceed 
expectations by installing git hooks locally. Instead you get to have less 
awkward conversations about how people shouldn't push garbage to git 
repositories.

On Wed, Feb 01, 2017 at 11:54:04PM +, Rob Nelson wrote:
>It might be a good idea to add `puppet parser validate` and puppet-lint to
>your pre commit hooks, they should help catch most similar issues.
>On Wed, Feb 1, 2017 at 12:26 PM Joshua Schaeffer
><[1]jschaeffer0...@gmail.com> wrote:
> 
>That should be $color =
> 
>  Wow, I knew it was something simple. I swear I looked at that for 10
>  minutes straight and couldn't find the syntax error. Thanks for pointing
>  it out. I corrected the syntax error and it's all working correctly now.
>  Thanks,
>  Joshua 
> 
> 
>--
>Rob Nelson
> 



Re: [Puppet Users] Puppet managing thousands of resources

2017-01-11 Thread Christopher Wood
On Wed, Jan 11, 2017 at 09:40:00PM +, R.I.Pienaar wrote:
> 
> 
> - Original Message -
> > From: "Christopher Wood" <christopher_w...@pobox.com>
> > To: "puppet-users" <puppet-users@googlegroups.com>
> > Sent: Wednesday, 11 January, 2017 22:33:22
> > Subject: Re: [Puppet Users] Puppet managing thousands of resources
> 
> > Out of gruesome interest, 5000 resources of what?
> > 
> > Assuming I'm remembering the path correctly, something like this would count it
> > up, modify for your local case (assuming no puppetdb at your place) to search
> > for resource types:
> > 
> > python -m json.tool /var/lib/puppet/client_data/catalog/`hostname -f`.json |
> > grep '"type":' | sort | uniq -c | sort -rn | head
> 
> last_run_summary.yaml will show totals already also total time per resource 
> type :)

That's fairly aggregate. Were this issue of lengthy agent run times presented 
to me I would start out being more interested in the resource types as they 
might appear in the manifests. I've had success reducing catalog compilation 
times by optimizing away from stacks of tiny resources (defines, classes, lists 
of stale ensure=>absent resources).

Here's a contrived example but based on something that happened here.

# super puppetdb querying of all catalogs here
200 File
160 Class
140 Package
70 Customsoftware::Includefile

If they're all files this specific method won't be a useful count but the 
notion of exploring just what's going on here is what I'm getting at.

> > What do you mean by populating local files via ENC? I'm drawing a blank. Or
> > perhaps my mind is recoiling from the notion that you're sending contents of
> > files in via top-level ENC variables.
> > 
> > (For reference catalog sizes around here go from 500-2000 resources with agent
> > runs mostly from 15-90 seconds, 2-7 minutes in the initial run. (Because some
> > departments do actually have sensible reasons to manage things with that
> > granularity.) We're not so big though.)
> 


Re: [Puppet Users] Puppet managing thousands of resources

2017-01-11 Thread Christopher Wood
Out of gruesome interest, 5000 resources of what?

Assuming I'm remembering the path correctly, something like this would count it 
up, modify for your local case (assuming no puppetdb at your place) to search 
for resource types:

python -m json.tool /var/lib/puppet/client_data/catalog/`hostname -f`.json | 
grep '"type":' | sort | uniq -c | sort -rn | head

What do you mean by populating local files via ENC? I'm drawing a blank. Or 
perhaps my mind is recoiling from the notion that you're sending contents of 
files in via top-level ENC variables.

(For reference catalog sizes around here go from 500-2000 resources with agent 
runs mostly from 15-90 seconds, 2-7 minutes in the initial run. (Because some 
departments do actually have sensible reasons to manage things with that 
granularity.) We're not so big though.)


On Wed, Jan 11, 2017 at 07:59:02PM +, Zachary Vida wrote:
>Exponential? Really or just an expression, but rough estimate is probably
>about 5k
> 
>On Wed, Jan 11, 2017, 2:50 PM Trevor Vaughan <tvaug...@onyxpoint.com>
>wrote:
> 
>  How many resources are in your catalog?
>  Puppet starts to hit exponential catalog sizes and run times as you
>  approach 10k resources.
>  Thanks,
>  Trevor
>  On Wed, Jan 11, 2017 at 12:58 PM, Zachary Vida <vida.z...@gmail.com>
>  wrote:
> 
>Hello, I was wondering if there are any significant improvements in later
>versions of puppet >= 2.6 to catalog compilation and/or application
>runtimes.
>In an environment I manage we populate many local files
>(/etc/passwd,/etc/group,/etc/hosts) via ENC. This results in a steady
>state catalog compilation/apply run times of several minutes and
>during an initial puppet apply clocking in at 90 minutes.
> 
>  --
>  Trevor Vaughan
>  Vice President, Onyx Point, Inc
>  (410) 541-6699 x788
>  -- This account not approved for unencrypted proprietary information --


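Added example, not part of the thread: the same tally done in Ruby by parsing the cached catalog instead of grepping it. It assumes the catalog keeps its resources either under a top-level "resources" key or under "data" then "resources" (older catalogs); the sample catalog and the function names are constructed for illustration.

```ruby
require 'json'

# Return the resource list from a parsed catalog, accepting both layouts
# (assumption: top-level "resources", or nested under "data").
def catalog_resources(catalog)
  resources = catalog['resources'] || catalog.dig('data', 'resources')
  raise ArgumentError, 'no resources array found in catalog' unless resources.is_a?(Array)
  resources
end

# Tally resources by type, most common first. Only each resource's own
# "type" key is read, so a parameter that happens to be called "type"
# is not counted as a resource.
def count_resource_types(catalog_json)
  counts = Hash.new(0)
  catalog_resources(JSON.parse(catalog_json)).each do |res|
    counts[res.fetch('type')] += 1
  end
  counts.sort_by { |type, n| [-n, type] }
end

# What the grep pipeline counts: every "type": key in the text,
# including ones inside a resource's parameters.
def grep_style_total(catalog_json)
  catalog_json.scan(/"type":/).length
end

# Constructed sample catalog, not taken from a real host.
SAMPLE_CATALOG = <<~JSON
  {
    "name": "host.example.com",
    "resources": [
      {"type": "Stage", "title": "main"},
      {"type": "Class", "title": "Main"},
      {"type": "File", "title": "/etc/motd", "parameters": {"mode": "0644"}},
      {"type": "File", "title": "/etc/hosts", "parameters": {"mode": "0644"}},
      {"type": "Ssh_authorized_key", "title": "ops",
       "parameters": {"type": "ssh-rsa", "user": "root"}},
      {"type": "Customsoftware::Includefile", "title": "a"},
      {"type": "Customsoftware::Includefile", "title": "b"},
      {"type": "Customsoftware::Includefile", "title": "c"}
    ]
  }
JSON

if __FILE__ == $PROGRAM_NAME
  # Pass a catalog path as the first argument, or run on the sample.
  source = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_CATALOG
  count_resource_types(source).each { |type, n| puts format('%7d %s', n, type) }
end
```

On the sample the parsed tally adds up to 8 resources while the text match finds 9, the extra one being the key's `type` parameter.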
[Puppet Users] type/provider for in-kernel networking?

2016-11-22 Thread Christopher Wood
I am digging around the forge and there are a few modules managing networking 
via ifupdown/net-tools/initscripts. I haven't yet found any types/providers 
using iproute2 (/sbin/ip). Do any of you know of such a module if it exists?

As background, I'm staring at a horrifying set of hardware-specific exec 
resources using exotic bits of "ip link add" and "ip address add" to do things 
with data derived from a combination of hiera data and a host's current eth0 
ip. There has to be a better way of doing this but I was under great time 
pressure the first time.



Re: [Puppet Users] puppet does not like ~ in file name

2016-11-10 Thread Christopher Wood
I reproduced this with 4.8.0 and filed a ticket.

https://tickets.puppetlabs.com/browse/PUP-6914

Seems like it's a ruby thing?

https://ruby-doc.org/core-2.1.8/File.html#method-c-expand_path

https://github.com/puppetlabs/puppet/blob/master/lib/puppet/type/file.rb

Usual disclaimer, not a programmer, somebody with a spare clue feel free to 
pass it along. Or just add said clue to the ticket.

On Thu, Nov 10, 2016 at 10:28:16PM +0100, Francois Lafont wrote:
> Hi,
> 
> I confirm the problem with the latest version of Puppet (4.8.0)
> on my Ubuntu Trusty (ie puppet-agent 1.8.0) :
> 
> 
> --%<%<%<%<%<%<%<%<%<%<%<%<--
> root@puppet ~ # puppet --version
> 4.8.0
> 
> root@puppet ~ # puppet apply -e "file {'/tmp/f': ensure => present, content 
> => 'Hello' }"
> Notice: Compiled catalog for puppet.athome.priv in environment production in 
> 0.10 seconds
> Notice: /Stage[main]/Main/File[/tmp/f]/ensure: defined content as 
> '{md5}8b1a9953c4611296a827abf8c47804d7'
> Notice: Applied catalog in 0.21 seconds
> 
> root@puppet ~ # puppet apply -e "file {'/tmp/f~': ensure => present, content 
> => 'Hello' }"
> Notice: Compiled catalog for puppet.athome.priv in environment production in 
> 0.10 seconds
> Notice: /Stage[main]/Main/File[/tmp/f~]/ensure: defined content as 
> '{md5}8b1a9953c4611296a827abf8c47804d7'
> Notice: Applied catalog in 0.19 seconds
> 
> root@puppet ~ # puppet apply -e "file {'/tmp/~f': ensure => present, content 
> => 'Hello' }"
> Notice: Compiled catalog for puppet.athome.priv in environment production in 
> 0.10 seconds
> Error: Could not set 'present' on ensure: user f20161110-3350-13n4ulf doesn't 
> exist at line 1
> Error: Could not set 'present' on ensure: user f20161110-3350-13n4ulf doesn't 
> exist at line 1
> Wrapped exception:
> user f20161110-3350-13n4ulf doesn't exist
> Error: /Stage[main]/Main/File[/tmp/~f]/ensure: change from absent to present 
> failed: Could not set 'present' on ensure: user f20161110-3350-13n4ulf 
> doesn't exist at line 1
> Notice: Applied catalog in 0.19 seconds
> --%<%<%<%<%<%<%<%<%<%<%<%<--
> 
> 
> So, it seems to be tricky because:
> 
> - no problem with '/tmp/f' (normal)
> - no problem with '/tmp/f~'
> - but error with '/tmp/~f'
> 
> I haven't seen a ticket on https://tickets.puppetlabs.com yet.
> It would deserve one in my humble opinion. I can create it if you want. ;)
> 
> Regards.
> 

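Added example, not part of the thread and not Puppet's code: the File.expand_path behaviour from the Ruby documentation linked above, shown on names shaped like the ones in the error messages. That a generated name of the form basename plus date-pid-random suffix reaches expand_path is an assumption drawn from those messages; the function names are hypothetical.

```ruby
# File.expand_path treats a leading "~name" in its first argument as
# "home directory of user name", even when a base directory is given.

# The shape that fails: a bare file name starting with "~" resolved
# against its directory.
def expand_basename(basename, dir)
  File.expand_path(basename, dir)
end

# Joining first means "~" is no longer the first character of the
# string expand_path inspects, so no user lookup happens.
def expand_joined(basename, dir)
  File.expand_path(File.join(dir, basename))
end

# Report whether expand_basename resolves or raises for a given name.
def probe(basename, dir)
  [:ok, expand_basename(basename, dir)]
rescue ArgumentError => e
  [:error, e.message]
end

# Suffix copied from the error output in the thread; the three base
# names are the ones from the /tmp/x.pp manifest.
SUFFIX = '20161110-7118-fwfpjo'
CASES = %w[x~x ~x x~].map { |name| name + SUFFIX }

if __FILE__ == $PROGRAM_NAME
  CASES.each do |name|
    status, detail = probe(name, '/tmp')
    puts format('%-28s %-6s %s', name, status, detail)
    puts format('%-28s joined %s', '', expand_joined(name, '/tmp'))
  end
end
```

Only the name that begins with `~` raises, which matches the pattern in both reports: `x~x` and `x~` apply, `~x` does not.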

Re: [Puppet Users] puppet does not like ~ in file name

2016-11-10 Thread Christopher Wood
I can reproduce this using puppet 4.4.2 from puppet-agent 1.4.2, definitely 
seems like a bug. You can "cd ~user" in a bash shell so I wonder if somebody 
somewhere made something which works similarly. I'd be interested in watching 
the bug you file because I'm nosy.

$ cat /tmp/x.pp
file { '/tmp/x~x':
  content => "x\n",
}

file { '/tmp/~x':
  content => "x\n",
}

file { '/tmp/x~':
  content => "x\n",
}
$ puppet apply /tmp/x.pp
Notice: Compiled catalog for cwl.hostopia.com in environment production in 0.04 
seconds
Notice: /Stage[main]/Main/File[/tmp/x~x]/ensure: defined content as 
'{md5}401b30e3b8b5d629635a5c613cdb7919'
Error: Could not set 'file' on ensure: user x20161110-7118-fwfpjo doesn't exist 
at 5:/tmp/x.pp
Error: Could not set 'file' on ensure: user x20161110-7118-fwfpjo doesn't exist 
at 5:/tmp/x.pp
Wrapped exception:
user x20161110-7118-fwfpjo doesn't exist
Error: /Stage[main]/Main/File[/tmp/~x]/ensure: change from absent to file 
failed: Could not set 'file' on ensure: user x20161110-7118-fwfpjo doesn't 
exist at 5:/tmp/x.pp
Notice: /Stage[main]/Main/File[/tmp/x~]/ensure: defined content as 
'{md5}401b30e3b8b5d629635a5c613cdb7919'
Notice: Applied catalog in 0.15 seconds


On Thu, Nov 10, 2016 at 05:03:17PM +0100, Fabrice Bacchella wrote:
>yes it works once removed.
> 
>  On 10 Nov 2016 at 16:13, Rob Nelson <rnels...@gmail.com> wrote:
>  I don't have an answer, but did you verify that when you remove the
>  tilde, the resource applies properly? If so, this does sound like a bug
>  of some sort.
>  Rob Nelson
>  rnels...@gmail.com
>  On Thu, Nov 10, 2016 at 9:16 AM, Fabrice Bacchella
>  <fabrice.bacche...@orange.fr> wrote:
> 
>I need a file called /etc/cron.hourly/~cronalive. I don't like the ~
>but don't have real choice here.
> 
>So I defined the following resource:
> 
>    file{'/etc/cron.hourly/~cronalive':
> 
>    }
> 
>But it fails with:
> 
>Error: Could not set 'file' on ensure: user
>cronalive20161110-32243-1wx31rr doesn't exist at
>.../manifests/node.pp:35
> 
>I think it resolves ~cronalive using shell resolution and looks for the
>homedir of this user. Is there any workaround for that? Adding a \
>creates a file whose name starts with a \, using path =>
>'/etc/cron.hourly/~cronalive' gives the same result.



Re: [Puppet Users] What is the limit of nodes mcollective and activemq can maintain?

2016-11-03 Thread Christopher Wood
(inline)

On Thu, Nov 03, 2016 at 05:22:39PM +, R.I.Pienaar wrote:
> 
> 
> - Original Message -
> > From: "Dayton Jones" 
> > To: "puppet-users" 
> > Sent: Thursday, 3 November, 2016 18:13:01
> > Subject: [Puppet Users] What is the limit of nodes mcollective and activemq can maintain?
> 
> > I've seen posts of the "800 node wall" with mcollective/activemq, but
> > nothing recent
> > (http://ramblings.narrabilis.com/books/masteringpuppet/mcollective).
> 
> There isn't really a good rule of thumb, the O'Reilly book has some good
> guidance but really it's a bit hit and miss at your scale.  With the way
> that Java GC is I doubt it will be solid.  I am working on using NATS.io
> instead of ActiveMQ and at least one user here reported success but of course
> I have no idea how this will behave at your scale - I do suspect better
> than what you have with ActiveMQ though.

I would be that person, albeit not at the 10s of 1000s scale (though I'd like 
to be!). I'd love to see the activemq.xml that supported a collective of 9k 
hosts just to see what I didn't understand, however I wouldn't go back given 
how nats improved things here.

$ mco find | wc -l
1935

(mco inventory --lc works well with the same config file --dt 5 
--publish_timeout 5 as the above.)

Definitely look at the choria plugin set and nats broker:

https://github.com/ripienaar/puppet-nats
https://github.com/ripienaar/mcollective-choria

I have a stupider and more corporate nats setup cribbed from the above, 
unfortunately stripping internal-only items and publishing the whole mco module 
keeps being behind other things on the priority list.

https://gist.github.com/christopherwood/2afa267edfc9e6e732f95f96ec3ba217

> Philosophically I do not think such huge collectives make a whole lot of
> sense, it's hard for a human to really consider the impact of actions at
> that scale and it's perhaps worth making several actual seperate loose
> standing mcollectives rather than making this giant 30k one. Further while
> mcollective makes effort to have a data model and display model that makes
> sense even on large scale, I doubt you can really comprehend the output 
> at such scale when there is variance.
> 
> Above though depends of course on your use case and what you're doing but
> I am very weary of such giant ones.  Perhaps you can elaborate?

I'm wary too, but the ability to talk to everything at once is an important 
marker of the capability to ask important questions (read: do queries) quickly 
and comprehensively.

> Better use the mcollective-users lists.
> 
> 
> > 
> > Is there a logical limit of nodes that a collective can contain?  I'm
> > working in an environment that currently has about 27,000 nodes - they are
> > broken up into separate collectives, but some collectives have several
> > thousand nodes (up to 9,000) and growing.  Running "mco inventory --lc"
> > will most times report back in the 27k range, but more and more that number
> > is significantly less (with some collectives not even showing up) - in the
> > hundreds instead of 10's of thousands...
> > 
> > Stopping and restarting the activemq brokers, will "fix" this most of the
> > time.
> > 
> > Running puppet 3.6.2, mcollective-puppet 1.7.2, and activemq 5.9.1
> > 
> > Currently have 7 collectives configured, each collective has either one or
> > two brokers, but the "main" broker (and the largest collective) has 3
> > brokers (master +2 slaves)
> > 
> > 
> > ~]$ mco inventory --lc --dt=120
> > 
> >    Collective          Nodes
> >    ==========          =====
> >    col5_mcollective    136
> >    col4_mcollective    282
> >    col2_mcollective    1276
> >    col7_mcollective    3059
> >    col6_mcollective    3451
> >    col3_mcollective    6744
> >    col1_mcollective    12115
> >    mcollective         27064
> > 
> > Total nodes: 27064
> > 
> > 
> > ~]$ mco inventory --lc --dt=120
> > 
> >    Collective          Nodes
> >    ==========          =====
> >    col5_mcollective    138
> >    col4_mcollective    284
> >    col7_mcollective    3062
> >    col6_mcollective    3433
> >    mcollective         6918
> > 
> > Total nodes: 6918
> > 

Re: [Puppet Users] paragraphing hiera yaml

2016-10-31 Thread Christopher Wood
On Sun, Oct 30, 2016 at 03:38:31PM -0400, Garrett Honeycutt wrote:
> On 10/28/16 1:45 PM, Christopher Wood wrote:
> > Here's a Friday sort of question.
> > 
> > All the yaml emitters don't add the extra space that I can add as a person 
> > editing a file to make things more readable. Or to be more accurate, I 
> > can't manage it myself and I can't find one that does.
> > 
> > Consider the readability of the two examples below when thinking about what 
> > keys go with which classes. Also keep in mind that while example one may be 
> > fine for many of us, lots more people will find it easier to work with yaml 
> > using example two.
> > 
> > So how would I auto-magically auto-paragraph hiera yaml to make it 
> > friendlier for more people, while still keeping it syntactically valid?
> > 
> > 
> > Example one:
> > 
> > ---
> > one::services::enabled: true
> > one::two::abc: 8.45
> > one::two::three: this is the string
> > puppet4::ca_server: otherhostname
> > puppet4::server: hostname
> > 
> > 
> > Example two:
> > 
> > ---
> > one::services::enabled: true
> > 
> > one::two::abc: 8.45
> > one::two::three: this is the string
> > 
> > puppet4::ca_server: otherhostname
> > puppet4::server: hostname
> > 
> 
> Hi Christopher,
> 
> It sounds like you have two processes managing the same data - a program

Just people editing the yaml, but with all skill levels editing in sometimes 
hurried circumstance it can be a job to intermittently clean out the 
metaphorical stables. Tidying everything up first really helps.

> that emits YAML and people who also edit that YAML. If so, you would be
> better off by splitting that between two backends. Hiera can query the
> program that emits YAML directly as well as reading the YAML you modify
> manually.
> 
> Best regards,
> -g
> 
> -- 
> Garrett Honeycutt
> @learnpuppet
> Puppet Training with LearnPuppet.com
> Mobile: +1.206.414.8658
> 


Re: [Puppet Users] paragraphing hiera yaml

2016-10-31 Thread Christopher Wood
On Sun, Oct 30, 2016 at 08:57:39AM +, R.I.Pienaar wrote:
> 
> 
> - Original Message -
> > From: "Christopher Wood" <christopher_w...@pobox.com>
> > To: "puppet-users" <puppet-users@googlegroups.com>
> > Sent: Friday, 28 October, 2016 19:45:42
> > Subject: [Puppet Users] paragraphing hiera yaml
> 
> > Here's a Friday sort of question.
> > 
> > All the yaml emitters don't add the extra space that I can add as a person
> > editing a file to make things more readable. Or to be more accurate, I can't
> > manage it myself and I can't find one that does.
> > 
> > Consider the readability of the two examples below when thinking about what keys
> > go with which classes. Also keep in mind that while example one may be fine for
> > many of us, lots more people will find it easier to work with yaml using
> > example two.
> > 
> > So how would I auto-magically auto-paragraph hiera yaml to make it friendlier
> > for more people, while still keeping it syntactically valid?
> > 
> > 
> > Example one:
> > 
> > ---
> > one::services::enabled: true
> > one::two::abc: 8.45
> > one::two::three: this is the string
> > puppet4::ca_server: otherhostname
> > puppet4::server: hostname
> > 
> > 
> > Example two:
> > 
> > ---
> > one::services::enabled: true
> > 
> > one::two::abc: 8.45
> > one::two::three: this is the string
> > 
> > puppet4::ca_server: otherhostname
> > puppet4::server: hostname
> 
> nothing really built in but you can hack this up yourself (emphasis on hack)
> 
> https://gist.github.com/ripienaar/097aa19b928a57b4b7a4ec861fa4

That's almost exactly it, I was trying to munge the text not the data so no 
wonder I couldn't get it working. Thank you!


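Added example, not part of the thread and not the linked gist: the data-side approach the reply describes (parse the YAML, group the keys, re-emit) sketched in Ruby. Grouping on everything before the last "::" is an assumption taken from how example two is laid out; the function names are hypothetical and the input is example one from the original question.

```ruby
require 'yaml'

# Class part of a hiera key: everything before the last "::".
# "one::two::abc" -> "one::two"; a key with no "::" maps to "".
def hiera_class(key)
  key.to_s.rpartition('::').first
end

# Parse the YAML, group keys by class, and emit one paragraph per class.
# Working on the parsed data rather than the text means the emitter
# produces the syntax, so the result stays valid YAML.
def paragraph_hiera(yaml_text)
  # safe_load only builds plain data types (no arbitrary objects).
  data = YAML.safe_load(yaml_text) || {}
  raise ArgumentError, 'top level of a hiera file must be a mapping' unless data.is_a?(Hash)

  paragraphs = data.sort_by { |key, _| key.to_s }
                   .group_by { |key, _| hiera_class(key) }
                   .values
                   .map { |pairs| pairs.to_h.to_yaml.sub(/\A---\n/, '') }
  "---\n" + paragraphs.join("\n")
end

# Example one from the question above.
EXAMPLE_ONE = <<~YAML
  ---
  one::services::enabled: true
  one::two::abc: 8.45
  one::two::three: this is the string
  puppet4::ca_server: otherhostname
  puppet4::server: hostname
YAML

if __FILE__ == $PROGRAM_NAME
  # Pass a hiera file as the first argument, or run on example one.
  puts paragraph_hiera(ARGV[0] ? File.read(ARGV[0]) : EXAMPLE_ONE)
end
```

Comments in the input are lost on the round trip, since only the parsed data is re-emitted.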

[Puppet Users] paragraphing hiera yaml

2016-10-28 Thread Christopher Wood
Here's a Friday sort of question.

All the yaml emitters don't add the extra space that I can add as a person 
editing a file to make things more readable. Or to be more accurate, I can't 
manage it myself and I can't find one that does.

Consider the readability of the two examples below when thinking about what 
keys go with which classes. Also keep in mind that while example one may be 
fine for many of us, lots more people will find it easier to work with yaml 
using example two.

So how would I auto-magically auto-paragraph hiera yaml to make it friendlier 
for more people, while still keeping it syntactically valid?


Example one:

---
one::services::enabled: true
one::two::abc: 8.45
one::two::three: this is the string
puppet4::ca_server: otherhostname
puppet4::server: hostname


Example two:

---
one::services::enabled: true

one::two::abc: 8.45
one::two::three: this is the string

puppet4::ca_server: otherhostname
puppet4::server: hostname



Re: [Puppet Users] Moment of duhh.... Trying to wrap my head around some condition statements.

2016-09-28 Thread Christopher Wood
On Tue, Sep 27, 2016 at 02:59:17PM -0400, markbergman...@gmail.com wrote:
> In the message dated: Tue, 27 Sep 2016 13:38:16 -0400,
> The pithy ruminations from Christopher Wood on
> <Re: [Puppet Users] Moment of duhh.... Trying to wrap my head around some
> condition statements.> were:
> => This is one of the first custom facts I wrote, you would likely want to
> => improve on it based on the guide. However it has worked for us for a few
> => years now. Enjoy?
> => 
> => This lives in inventory/lib/facter/hpsrl.rb.
> => 
> => 
> => # Only attempt this where dmidecode is installed
> => if File.exist?("/usr/sbin/dmidecode")
> => 
> =>   # Add/remove things to query here
> =>   query = {
> =>     'HP ProLiant System/Rack Locator' => [
> =>       'Rack Name:',
> =>       'Enclosure Name:',
> =>       'Enclosure Model:',
> =>       'Enclosure Serial:',
> =>       'Enclosure Bays:',
> =>       'Server Bay:',
> =>       'Bays Filled:',
> =>     ]
> =>   }
> => 
> =>   # Run dmidecode only once
> =>   output = %x{/usr/sbin/dmidecode 2>/dev/null}
> => 
> =>   query.each_pair do |key, v|
> =>     v.each do |value|
> =>       # dmidecode starts each record with a "Handle" line
> =>       output.split("Handle").each do |line|
> =>         if line =~ /#{key}/ and line =~ /#{value} (\w.*)\n*./
> =>           result = $1
> =>           result = result.gsub(/ *$/, '').gsub(/^ */, '')
> =>           # Fact name: the label without its colon, spaces as underscores
> =>           Facter.add(value.chomp(':').gsub(/ /, '_')) do
> =>             confine :kernel => :linux
> =>             setcode do
> =>               result
> =>             end
> 
> 
> I don't really (or, "really don't") do Ruby, but it looks to me like
> that sets the facts using the original case of the data returned from
> dmidecode. Maybe this is OK when creating facts by calling Facter.add(),
> and maybe this is OK for certain versions of puppet.
> 
> I'm using puppet 3.8, and setting facts via a shell script that returns
> strings (see below for a heavily abridged example). In this case, the
> variable names _must_ begin with a lower-case letter.
> 
>   https://tickets.puppetlabs.com/browse/FACT-777

In 3.4 to 3.8 I did get lower-cased fact names from the ruby custom fact there 
just like FACT-777 points out. I've never tried fact names with upper-cased 
characters so never ran into this.

> -
> #! /bin/bash
> #
> # return hardware "facts" for use by facter & puppet
> #
> # since these facts are specific to particular modules (ie. setting IPMI parameters),
> # we choose to store the script that generates the facts with the module that consumes
> # those facts, as in:
> #
> # $PUPPETHOME/environments/computenode/modules/ipmi/facts.d/ipmi_facts
> 
> which dmidecode 1> /dev/null 2>&1
> if [ $? != 0 ] ; then
>     echo dmidecode=MISSING
>     exit
> else
>     echo dmidecode=INSTALLED
> fi
> 
> # Does this machine have an IPMI device?
> dmidecode | grep -q ^IPMI
> if [ $? = 0 ] ; then
>     if [ -c /dev/ipmi0 ] ; then
>         ipmi=true
>     fi
> fi
> -
> 
> 
> =>           end
> =>         end
> =>       end
> =>     end
> =>   end
> => end
> => 
> => 
> 
> -- 
> Mark 
> 


Re: [Puppet Users] Moment of duhh.... Trying to wrap my head around some condition statements.

2016-09-27 Thread Christopher Wood
This is one of the first custom facts I wrote, you would likely want to improve 
on it based on the guide. However it has worked for us for a few years now. 
Enjoy?

This lives in inventory/lib/facter/hpsrl.rb.


# Only attempt this where dmidecode is installed
if File.exist?("/usr/sbin/dmidecode")

  # Add/remove things to query here
  query = {
    'HP ProLiant System/Rack Locator' => [
      'Rack Name:',
      'Enclosure Name:',
      'Enclosure Model:',
      'Enclosure Serial:',
      'Enclosure Bays:',
      'Server Bay:',
      'Bays Filled:',
    ]
  }

  # Run dmidecode only once
  output = %x{/usr/sbin/dmidecode 2>/dev/null}

  query.each_pair do |key, v|
    v.each do |value|
      # dmidecode starts each record with a "Handle" line
      output.split("Handle").each do |line|
        if line =~ /#{key}/ and line =~ /#{value} (\w.*)\n*./
          result = $1
          result = result.gsub(/ *$/, '').gsub(/^ */, '')
          # Fact name: the label without its colon, spaces as underscores
          Facter.add(value.chomp(':').gsub(/ /, '_')) do
            confine :kernel => :linux
            setcode do
              result
            end
          end
        end
      end
    end
  end
end



On Tue, Sep 27, 2016 at 08:38:00AM -0700, Scott Walker wrote:
>Ahh perfect there is.. Now onto the next battle.. figuring out how to use
>it lol.
> 
>On Monday, 26 September 2016 18:39:45 UTC-4, Nick Miller wrote:
> 
>  Hey Scott,
> 
>  You probably want to reference a Fact, whether custom or not. Check
>  `puppet facts find $(hostname)` to see what facts are available on your
>  systems. If you don't find on you like, you may have to write one
>  following [1]this guide. It should be fairly easy to make a dmidecode
>  fact if there isn't one already.
> 
>  Good luck,
>  Nick
>  On Mon, Sep 26, 2016 at 6:09 PM, Scott Walker
>  <[2]cri...@unspeakable.org> wrote:
> 
>I'm relatively new to puppet (came from chef world).
> 
>I'm trying to figure out a way to cleanly do the following...
> 
>On machines which /usr/sbin/dmidecode | grep Z640 (this is how we are
>sure the machine is Z640 and not some other type of machine) return
>true I want to do the following:
> 
>file { '/etc/default/grub':
>  path   => '/etc/default/grub',
>  ensure => present,
>  mode   => '0644',
>  owner  => 'root',
>  group  => 'root',
>  notify => Exec['grub-update'],
>  source => 'puppet:///modules/z640/grub',
>}
> 
>exec { 'grub-update':
>  refreshonly => true,
>  command     => '/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg',
>}
> 
>Otherwise I don't want to do anything. (This is to help fix an NVME
>issue I am having on 60+ workstations out of 700 in the studio.)
> 
>I just can't wrap my head around a clean way to achieve this goal.
> 
>I know this is probably a really simple task I just need some
>direction
> 
> 
> References
> 
>1. https://docs.puppet.com/facter/3.4/custom_facts.html
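
The custom-fact route suggested in this thread, as an added example that is not code from any of the posters: it reads the product name from the System Information section only, because a `grep Z640` over the whole dmidecode output also matches other sections. The fact name `dmi_system_product` and both sample outputs are assumptions constructed for illustration.

```ruby
# Added example: scope a dmidecode match to one DMI section instead of
# grepping the whole output. Fact name and sample data are assumptions.

# Constructed dmidecode-style output for a Z640 (not captured from hardware).
SAMPLE_Z640 = [
  '# dmidecode 3.0',
  'SMBIOS 2.8 present.',
  '',
  'Handle 0x0001, DMI type 1, 27 bytes',
  'System Information',
  "\tManufacturer: Hewlett-Packard",
  "\tProduct Name: HP Z640 Workstation",
  "\tSerial Number: CONSTRUCTED0001",
  '',
  'Handle 0x0002, DMI type 2, 15 bytes',
  'Base Board Information',
  "\tManufacturer: Hewlett-Packard",
  "\tProduct Name: 212A",
  ''
].join("\n")

# Constructed output for another model whose OEM strings mention Z640.
SAMPLE_OTHER = [
  'Handle 0x0001, DMI type 1, 27 bytes',
  'System Information',
  "\tManufacturer: Hewlett-Packard",
  "\tProduct Name: HP Z440 Workstation",
  '',
  'Handle 0x0020, DMI type 11, 5 bytes',
  'OEM Strings',
  "\tString 1: Shared image for Z440/Z640",
  ''
].join("\n")

# Split dmidecode output into { section title => { field => value } }.
# Records start with "Handle " at the beginning of a line; the line after
# the handle line is the section title.
def parse_dmi_sections(output)
  sections = {}
  output.split(/^Handle /).drop(1).each do |block|
    lines = block.lines.map(&:rstrip)
    title = lines[1].to_s.strip
    next if title.empty?
    fields = {}
    lines.drop(2).each do |line|
      key, value = line.strip.split(/:\s*/, 2)
      fields[key] = value if key && value && !value.empty?
    end
    sections[title] ||= fields # keep the first record of each type
  end
  sections
end

# Product name as reported in the System Information record, or nil.
def system_product_name(output)
  parse_dmi_sections(output).dig('System Information', 'Product Name')
end

# True only when the system's own product name says Z640.
def z640?(output)
  system_product_name(output).to_s.match?(/\bZ640\b/)
end

# What `dmidecode | grep Z640` effectively tests: the string anywhere.
def naive_match?(output)
  output.include?('Z640')
end

# Register the fact only when running under Facter on a host with dmidecode.
if defined?(Facter) && File.executable?('/usr/sbin/dmidecode')
  Facter.add(:dmi_system_product) do # hypothetical fact name
    confine :kernel => :linux
    setcode { system_product_name(%x{/usr/sbin/dmidecode 2>/dev/null}) }
  end
end
```

With the file in a module's `lib/facter/` directory, a manifest can wrap the `file` and `exec` resources from the question in a conditional on this fact.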

Re: [Puppet Users] notify resource different between 3 and 4?

2016-09-16 Thread Christopher Wood
On Fri, Sep 16, 2016 at 06:44:36PM +0100, R.I.Pienaar wrote:
> 
> 
> - Original Message -
> > From: "Christopher Wood" <christopher_w...@pobox.com>
> > To: "puppet-users" <puppet-users@googlegroups.com>
> > Sent: Friday, 16 September, 2016 19:39:21
> > Subject: Re: [Puppet Users] notify resource different between 3 and 4?
> 
> > On Fri, Sep 16, 2016 at 06:17:48PM +0100, R.I.Pienaar wrote:
> >> 
> >> 
> >> - Original Message -
> >> > From: "Christopher Wood" <christopher_w...@pobox.com>
> >> > To: "puppet-users" <puppet-users@googlegroups.com>
> >> > Sent: Friday, 16 September, 2016 19:10:23
> >> > Subject: [Puppet Users] notify resource different between 3 and 4?
> >> 
> >> > While trying to figure out the reduce function with notice/notify I
> >> > happened across this thing. It looks like an unquoted array in the
> >> > notify resource's message only appears as its first array item. Not
> >> > sure if it's a bug.
> >> > 
> >> > I couldn't find any documentation to say if this was intended and I
> >> > couldn't really tell what the type was doing with the self.should bit.
> >> > I am not actually a programmer.
> >> > 
> >> > $ cat /tmp/xx.pp
> >> > $array = ["one", "two", "three"]
> >> > 
> >> > notify { 'notify one':
> >> >  message => "${array}",
> >> > }
> >> > 
> >> > notify { 'notify two':
> >> >  message => $array,
> >> > }
> >> > 
> >> 
> >> yes this is across all resource types, you can't pass an array to the
> >> namevar and produce many resources, you have to do so to the title
> > 
> > I thought both messages would have some variant of [one, two, three].
> > 
> > Also the namevar here is the name parameter.
> > 
> > But then things get even weirder when I try to do things with the namevar:
> > 
> > $ cat /tmp/y.pp
> > $array = ["one", "two", "three"]
> > 
> > notify { $array:
> >  message => $array,
> > }
> > 
> > $ puppet apply /tmp/y.pp
> > Notice: Compiled catalog for cwl.hostopia.com in environment production in 0.04 seconds
> > Notice: one
> > Notice: /Stage[main]/Main/Notify[one]/message: defined 'message' as 'one'
> > Notice: one
> > Notice: /Stage[main]/Main/Notify[two]/message: defined 'message' as 'one'
> > Notice: one
> > Notice: /Stage[main]/Main/Notify[three]/message: defined 'message' as 'one'
> > Notice: Applied catalog in 0.08 seconds
> 
> kind of expected, or just undefined, message should be a string don't give it
> an array.
> but you can see the names got created as per the array so that seems fine to
> me, if anything I think it should raise when you pass non string to message
> 
> 
> > But this seems like it might be more normal, but then breaks in a manner I
> > did not expect:
> > 
> > $ cat /tmp/z.pp
> > $array = ["one", "two", "three"]
> > 
> > notify { $array:
> >  name => $array,
> >  message => $array,
> > }
> > 
> > $ puppet apply /tmp/z.pp
> > Error: Evaluation Error: Error while evaluating a Resource Statement, Cannot
> > alias Notify[two] to [["one", "two", "three"]] at /tmp/z.pp:3; resource
> > ["Notify", "one", "two", "three"] already declared at /tmp/z.pp:3 at
> > /tmp/z.pp:3:1 on node cwl
> 
> yeah you can't pass arrays to name either - this is the main change here, you
> used to be able to.
> It *is* though creating notify[one] notify[two] etc but then fail because of
> passing things into name you shouldn't :)
> 
> > The namevar thing works as expected with a file. Feeling more like this is
> > a bug now.
> >
> > $ cat /tmp/a.pp
> > $array = ["/tmp/one", "/tmp/two", "/tmp/three"]
> > 
> > file { $array:
> >  content =>  $array,
> > }
> 
> it doesn't really, content isn't the namevar. you're passing an array to title
> that's fine, content being an array it's probably just going to puts the array
> into the file as a string
> 
> This stuff seems to work though errors can be a LOT better and I think it
> should be more strict on the type of things passed to String properties like
> message

I think I see what you mean, each file just had "/tmp/three" in it anyway. I 
don't think I would have encountered this if I hadn't been slapping in a quick 
notify to see what my reduced array had in it.



Re: [Puppet Users] notify resource different between 3 and 4?

2016-09-16 Thread Christopher Wood
On Fri, Sep 16, 2016 at 06:17:48PM +0100, R.I.Pienaar wrote:
> 
> 
> - Original Message -
> > From: "Christopher Wood" <christopher_w...@pobox.com>
> > To: "puppet-users" <puppet-users@googlegroups.com>
> > Sent: Friday, 16 September, 2016 19:10:23
> > Subject: [Puppet Users] notify resource different between 3 and 4?
> 
> > While trying to figure out the reduce function with notice/notify I happened
> > across this thing. It looks like an unquoted array in the notify resource's
> > message only appears as its first array item. Not sure if it's a bug.
> > 
> > I couldn't find any documentation to say if this was intended and I couldn't
> > really tell what the type was doing with the self.should bit. I am not
> > actually a programmer.
> > 
> > $ cat /tmp/xx.pp
> > $array = ["one", "two", "three"]
> > 
> > notify { 'notify one':
> >  message => "${array}",
> > }
> > 
> > notify { 'notify two':
> >  message => $array,
> > }
> > 
> 
> yes this is across all resource types, you can't pass an array to the namevar
> and produce many resources, you have to do so to the title

I thought both messages would have some variant of [one, two, three].

Also the namevar here is the name parameter.

But then things get even weirder when I try to do things with the namevar:

$ cat /tmp/y.pp
$array = ["one", "two", "three"]

notify { $array:
  message => $array,
}

$ puppet apply /tmp/y.pp
Notice: Compiled catalog for cwl.hostopia.com in environment production in 0.04 
seconds
Notice: one
Notice: /Stage[main]/Main/Notify[one]/message: defined 'message' as 'one'
Notice: one
Notice: /Stage[main]/Main/Notify[two]/message: defined 'message' as 'one'
Notice: one
Notice: /Stage[main]/Main/Notify[three]/message: defined 'message' as 'one'
Notice: Applied catalog in 0.08 seconds


But this seems like it might be more normal, but then breaks in a manner I did 
not expect:

$ cat /tmp/z.pp
$array = ["one", "two", "three"]

notify { $array:
  name => $array,
  message => $array,
}

$ puppet apply /tmp/z.pp
Error: Evaluation Error: Error while evaluating a Resource Statement, Cannot 
alias Notify[two] to [["one", "two", "three"]] at /tmp/z.pp:3; resource 
["Notify", "one", "two", "three"] already declared at /tmp/z.pp:3 at 
/tmp/z.pp:3:1 on node cwl

The namevar thing works as expected with a file. Feeling more like this is a
bug now.

$ cat /tmp/a.pp
$array = ["/tmp/one", "/tmp/two", "/tmp/three"]

file { $array:
  content =>  $array,
}



[Puppet Users] notify resource different between 3 and 4?

2016-09-16 Thread Christopher Wood
While trying to figure out the reduce function with notice/notify I happened 
across this thing. It looks like an unquoted array in the notify resource's 
message only appears as its first array item. Not sure if it's a bug.

I couldn't find any documentation to say if this was intended and I couldn't 
really tell what the type was doing with the self.should bit. I am not actually 
a programmer.

$ cat /tmp/xx.pp
$array = ["one", "two", "three"]

notify { 'notify one':
  message => "${array}",
}

notify { 'notify two':
  message => $array,
}

With puppet 3 I see this:

$ puppet --version
3.8.7
$ puppet apply /tmp/xx.pp
Fact file /etc/facter/facts.d/monit_fail_count was parsed but returned an empty 
data set
Fact file /etc/facter/facts.d/monit_fail_count was parsed but returned an empty 
data set
Notice: Compiled catalog for mail82c40.carrierzone.com in environment 
production in 0.03 seconds
Notice: one
Notice: /Stage[main]/Main/Notify[notify two]/message: defined 'message' as 'one'
Notice: onetwothree
Notice: /Stage[main]/Main/Notify[notify one]/message: defined 'message' as 
'onetwothree'
Notice: Finished catalog run in 0.05 seconds

With puppet 4 I see this:

$ puppet --version
4.6.2
$ puppet apply /tmp/xx.pp
Notice: Compiled catalog for cwl.hostopia.com in environment production in 0.09 
seconds
Notice: [one, two, three]
Notice: /Stage[main]/Main/Notify[notify one]/message: defined 'message' as 
'[one, two, three]'
Notice: one
Notice: /Stage[main]/Main/Notify[notify two]/message: defined 'message' as 'one'
Notice: Applied catalog in 0.11 seconds



Re: [Puppet Users] Re: Puppet control, Hiera data, puppetfile, and r10k and git merging woes

2016-08-22 Thread Christopher Wood
basemodulepath helps here:

https://docs.puppet.com/puppet/latest/reference/configuration.html#basemodulepath

In puppet.conf:

basemodulepath = /etc/puppetlabs/code/environments/common/modules

If there's something that environments don't need to track specially (ntp and 
mcollective modules come to mind), they can leave those out of their Puppetfile 
and the common versions will be used.

That common branch has a puppetfile and the hiera hierarchy has 
'common/hieradata/common' at the bottom. It hasn't eliminated the issue of 
people's environments falling behind in specific areas. Whether that's an issue 
depends greatly how you handle updates without a pressing platform need. There 
are several positions on this matter held within this company so the hybrid 
approach seems to be the least-worst solution.

(You should probably pick a better solution.)

Editorially: As to whether it's more or less painful to have 50 individual 
operating environments I think we're in a bit of the same position. 
Organizationally entrenched silos and decades-old practices mean we're handling 
it in puppet instead of getting better answers to impertinent questions ("how 
do these silos benefit the company's bottom line?"). There's only so much 
curation we can automate away with that sort of headwind.

On Sat, Aug 20, 2016 at 01:52:31PM -0400, Chadwick Banning wrote:
>Can you explain more? When you say "Having a common environment for the
>common modules" that sounds like you would need to apply multiple puppet
>environments to a node to get the full config...one "common" environment
>and one with "non-common" configuration...and I don't think this is
>currently possible?
> 
>On Aug 20, 2016 12:20 PM, "Christopher Wood"
><christopher_w...@pobox.com> wrote:
> 
>  Lots about hiera data in this thread, how about modules? Having a common
>  environment for the common modules and using basemodulepath helps some,
>  but it's not everything.
>  On Sat, Aug 20, 2016 at 05:50:12AM -0700, Chadwick Banning wrote:
>  >    This is an issue I run into pretty regularly. If your Puppet
>  >    infrastructure is even moderately complex, I'd recommend NOT equating a
>  >    Puppet environment to an operational environment, operational environment
>  >    being the groups of machines known as dev, qa, staging, etc.
>  >    For instance, in my infrastructure we have 50+ different operational
>  >    environments. If I equate each one of these to a Puppet environment, I'd
>  >    need 50+ branches. While doable, this immediately becomes a nightmare if I
>  >    have a change that applies to all or some of the operational environments
>  >    -- say, changing something in my base profile. Now I have to a) hope all
>  >    50+ branches are somewhat in sync, and b) merge my change into *each*
>  >    branch 50+ times. If the branches aren't in sync at all I very well might
>  >    end up having to fix unique conflicts each time I merge.
>  >    This is *not* a place where you want to end up.
>  >
>  >    On Wednesday, August 17, 2016 at 4:21:45 PM UTC-4, Mike Sharpton wrote:
>  >
>  >      Hey all,
>  >      We are coming up on an issue in our environment in where we have
>  >      multiple Puppet environments that are backed by git branches in a puppet
>  >      control repo.  Our Hiera data is stored inside these branches and
>  >      changed frequently by our Operations teams.  Of which we then have them
>  >      merge changes up the environment chain and r10k through our Puppet
>  >      environments.  This is all fine.
>  >      Ex, dev -> test -> production, hiera data changes are moved up and
>  >      tested each step of the way.
>  >      When things aren't fine is when we are testing code in our dev or test
>  >      branch and we have changed the tags for modules/repos inside the
>  >      Puppetfile of those branches that we don't want in production right away
>  >      (dev/test).  This code only applies to dev environment, on purpose.
>  >      Our operations team then comes along with their hiera changes and merges
>  >      the puppetfile module/repo changes up the chain along with the hiera
>  >      data.  Effectively moving our Puppetfile changes up the chain when we
>  >      don't want to.  We have thought about splitting hiera data out
>  

Re: [Puppet Users] Re: Puppet control, Hiera data, puppetfile, and r10k and git merging woes

2016-08-20 Thread Christopher Wood
Lots about hiera data in this thread, how about modules? Having a common 
environment for the common modules and using basemodulepath helps some, but 
it's not everything.

On Sat, Aug 20, 2016 at 05:50:12AM -0700, Chadwick Banning wrote:
>This is an issue I run into pretty regularly. If your Puppet
>infrastructure is even moderately complex, I'd recommend NOT equating a
>Puppet environment to an operational environment, operational environment
>being the groups of machines known as dev, qa, staging, etc.
>For instance, in my infrastructure we have 50+ different operational
>environments. If I equate each one of these to a Puppet environment, I'd
>need 50+ branches. While doable, this immediately becomes a nightmare if I
>have a change that applies to all or some of the operational environments
>-- say, changing something in my base profile. Now I have to a) hope all
>50+ branches are somewhat in sync, and b) merge my change into *each*
>branch 50+ times. If the branches aren't in sync at all I very well might
>end up having to fix unique conflicts each time I merge.
>This is *not* a place where you want to end up.
> 
>On Wednesday, August 17, 2016 at 4:21:45 PM UTC-4, Mike Sharpton wrote:
> 
>  Hey all,
>  We are coming up on an issue in our environment in where we have
>  multiple Puppet environments that are backed by git branches in a puppet
>  control repo.  Our Hiera data is stored inside these branches and
>  changed frequently by our Operations teams.  Of which we then have them
>  merge changes up the environment chain and r10k through our Puppet
>  environments.  This is all fine.
>  Ex, dev -> test -> production, hiera data changes are moved up and
>  tested each step of the way.
>  When things aren't fine is when we are testing code in our dev or test
>  branch and we have changed the tags for modules/repos inside the
>  Puppetfile of those branches that we don't want in production right away
>  (dev/test).  This code only applies to dev environment, on purpose.  
>  Our operations team then comes along with their hiera changes and merges
>  the puppetfile module/repo changes up the chain along with the hiera
>  data.  Effectively moving our Puppetfile changes up the chain when we
>  don't want to.  We have thought about splitting hiera data out our
>  puppet control module like it was before Puppet 4, but this leaves us no
>  room to test hiera data up our environment chain and also leaves us with
>  some CI work to make this feasible.  Having the hieradata in each
>  environment is too nice.  We also attempted to monkey with .gitignore,
>  but this is not meant to do what we are trying to do.  Don't merge
>  Puppetfile unless I want to. 
>  Has anyone ran into this and found a somewhat elegant solution?
>   Everything we are coming up with is either not easy to manage, or just
>  doesn't make sense to do.  Perhaps we are missing something simple and
>  are over thinking things.  Thanks in advance.
>  Mike
> 


Re: [Puppet Users] Puppet control, Hiera data, puppetfile, and r10k and git merging woes

2016-08-18 Thread Christopher Wood
I'm missing why you need static branches. I'm picturing something more like:

git checkout production
git checkout -b ticket1234
# make changes, commit, push, test, repeat
git merge production # catch up on any prod changes, retest
git tag ticket.1234
git checkout production
git merge ticket1234
git branch -d ticket1234

That way everybody's changes are working pretty close to what production is 
right now.

The alternatives are curating your branches, periodically re-branching from 
production, or just accepting the current state, as near as I can tell off the 
cuff. If you want to maintain something it requires maintenance work no matter 
the tool you pick.


On Thu, Aug 18, 2016 at 05:27:40AM -0700, Mike Sharpton wrote:
>Thanks for your reply.  We based our initial design on shit Gary says.
> This may be our only option as you say, to have hiera data changes made
>to each static branch/puppet environment by hand and not merge.  We need
>the static branches for separation of Puppet environments.  Problem with
>this approach is humans will make errors between each branch sometimes or
>always.  The branches/environments will eventually become snow flakes over
>time as far as Hieradata.  Perhaps we can possibly merge them weekly to
>lower this risk.  Assuming no code changes are in flight, which there most
>likely always will be.  The search continues. Thanks again,
>Mike
> 
>On Wednesday, August 17, 2016 at 3:52:31 PM UTC-5, Christopher Wood wrote:
> 
>  It sounds like these might help:
> 
>  https://puppet.com/blog/git-workflows-puppet-and-r10k
> 
>  http://garylarizza.com/blog/categories/r10k/
> 
>  Seems like you would benefit from having all teams work from branches of
>  current production and merge back, rather than maintaining a
>  semi-permanent dev branch shared by everybody. This is usually where I
>  suggest that people review commits and talk to each other and figure out
>  what's good, but sometimes that's like pulling teeth.
> 
>  On Wed, Aug 17, 2016 at 01:21:45PM -0700, Mike Sharpton wrote:
>  >    Hey all,
>  >    We are coming up on an issue in our environment in where we have multiple
>  >    Puppet environments that are backed by git branches in a puppet control
>  >    repo.  Our Hiera data is stored inside these branches and changed
>  >    frequently by our Operations teams.  Of which we then have them merge
>  >    changes up the environment chain and r10k through our Puppet environments.
>  >    This is all fine.
>  >    Ex, dev -> test -> production, hiera data changes are moved up and tested
>  >    each step of the way.
>  >    When things aren't fine is when we are testing code in our dev or test
>  >    branch and we have changed the tags for modules/repos inside the
>  >    Puppetfile of those branches that we don't want in production right away
>  >    (dev/test).  This code only applies to dev environment, on purpose.
>  >    Our operations team then comes along with their hiera changes and merges
>  >    the puppetfile module/repo changes up the chain along with the hiera data.
>  >    Effectively moving our Puppetfile changes up the chain when we don't want
>  >    to.  We have thought about splitting hiera data out our puppet control
>  >    module like it was before Puppet 4, but this leaves us no room to test
>  >    hiera data up our environment chain and also leaves us with some CI work
>  >    to make this feasible.  Having the hieradata in each environment is too
>  >    nice.  We also attempted to monkey with .gitignore, but this is not meant
>  >    to do what we are trying to do.  Don't merge Puppetfile unless I want to.
>  >    Has anyone ran into this and found a somewhat elegant solution?
>  >    Everything we are coming up with is either not easy to manage, or just
>  >    doesn't make sense to do.  Perhaps we are missing something simple and are
>  >    over thinking things.  Thanks in advance.
>  >    Mike

Re: [Puppet Users] Puppet control, Hiera data, puppetfile, and r10k and git merging woes

2016-08-17 Thread Christopher Wood
It sounds like these might help:

https://puppet.com/blog/git-workflows-puppet-and-r10k

http://garylarizza.com/blog/categories/r10k/

Seems like you would benefit from having all teams work from branches of 
current production and merge back, rather than maintaining a semi-permanent dev 
branch shared by everybody. This is usually where I suggest that people review 
commits and talk to each other and figure out what's good, but sometimes that's 
like pulling teeth.



On Wed, Aug 17, 2016 at 01:21:45PM -0700, Mike Sharpton wrote:
>Hey all,
>We are coming up on an issue in our environment in where we have multiple
>Puppet environments that are backed by git branches in a puppet control
>repo.  Our Hiera data is stored inside these branches and changed
>frequently by our Operations teams.  Of which we then have them merge
>changes up the environment chain and r10k through our Puppet environments.
> This is all fine.
>Ex, dev -> test -> production, hiera data changes are moved up and tested
>each step of the way.
>When things aren't fine is when we are testing code in our dev or test
>branch and we have changed the tags for modules/repos inside the
>Puppetfile of those branches that we don't want in production right away
>(dev/test).  This code only applies to dev environment, on purpose.  
>Our operations team then comes along with their hiera changes and merges
>the puppetfile module/repo changes up the chain along with the hiera data.
> Effectively moving our Puppetfile changes up the chain when we don't want
>to.  We have thought about splitting hiera data out our puppet control
>module like it was before Puppet 4, but this leaves us no room to test
>hiera data up our environment chain and also leaves us with some CI work
>to make this feasible.  Having the hieradata in each environment is too
>nice.  We also attempted to monkey with .gitignore, but this is not meant
>to do what we are trying to do.  Don't merge Puppetfile unless I want to. 
>Has anyone ran into this and found a somewhat elegant solution?
> Everything we are coming up with is either not easy to manage, or just
>doesn't make sense to do.  Perhaps we are missing something simple and are
>over thinking things.  Thanks in advance.
>Mike
> 


Re: [Puppet Users] R10k Deploy single module first time

2016-08-16 Thread Christopher Wood
You can incrementally check r10k syntax with:

r10k
r10k deploy
(etc.)

In your case maybe one of these? Try it and see, I never use these.

r10k deploy module modulename
r10k deploy module --environment myenv modulename

On Tue, Aug 16, 2016 at 08:14:14AM -0700, broncosd183 wrote:
>Hello,
> 
>Is there a way to deploy a single module from a puppetfile the first time
>it is added to an environment's puppetfile without deploying other
>modules? Normally when we add a module from the forge or git we add it to
>the puppetfile and then run r10k deploy environment -pv. That deploys all
>the modules and can be somewhat time consuming. I know r10k deploy module
>exists, but it looks like that doesn't deploy a module if it was just
>added to the puppetfile... Thanks!
> 


Re: [Puppet Users] How to refer to exported resource parameters in a template

2016-08-08 Thread Christopher Wood
On Mon, Aug 08, 2016 at 11:28:55AM -0700, Matthew Pounsett wrote:
>I'm using puppet 4.4.1.  I have a case where I need the IP addresses of
>all the servers that fit a certain set of criteria to appear in a YAML
>list in a config file on a particular host.

Been there for an activemq.xml config file, ended up using Erik Dalén's 
puppetdbquery.

https://forge.puppet.com/dalen/puppetdbquery

This in a manifest:

$qf = query_facts('id=root', ['owner', 'datacenter'])

This in a template used in that manifest:

<%
list = {}
@qf.values.each do |h|
  if h['owner']
    owner = h['owner']
    list[owner] = 1
  end
  if h['datacenter']
    datacenter = h['datacenter']
    list[datacenter] = 1
  end
end
-%>

You get the idea, could output yaml there or whatever you wanted really.

>It seems like the first step would be to create an exported resource with
>the required data in it, but I haven't yet found a way to refer to those
>data from inside a template (or from inside a module in order to populate
>a variable I can use in a template).   It seems like this would be a
>common pattern, but the closest examples I've been able to find are for
>realizing the exported resource to create a file or other resource on a
>system, rather than incorporate some of the exported resource's data in
>other resources.
>How do people normally go about doing something like this?  Are there some
>examples I've just failed to find?
> 
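
Added example, not part of the original message: a template in the same style that turns the collected facts into a YAML list of addresses, which is what the question asked for. It assumes @qf is a hash of certname => { fact => value }, as the `@qf.values.each` loop above implies; the host names, addresses, the `ipaddress` fact and the `servers` key are constructed for illustration.

```ruby
require 'erb'
require 'ipaddr'
require 'yaml'

# Constructed sample shaped like a query_facts() result:
# { certname => { fact name => value } }. Hosts and addresses are made up.
SAMPLE_QF = {
  'web01.example.com' => { 'ipaddress' => '192.0.2.12', 'datacenter' => 'east' },
  'web02.example.com' => { 'ipaddress' => '192.0.2.11', 'datacenter' => 'west' },
  'web03.example.com' => { 'ipaddress' => '192.0.2.11' },      # duplicate
  'db01.example.com'  => { 'datacenter' => 'east' },           # fact missing
  'old01.example.com' => { 'ipaddress' => 'not-an-address' },  # malformed fact
}.freeze

# Template body as it could sit in a module's templates directory.
# Facts are reported by the agents themselves, so each value is checked
# before it is written into another host's config file.
SERVERS_TEMPLATE = <<~'TEMPLATE'
  <%
  ips = @qf.values.map { |facts| facts['ipaddress'] }.select { |v|
    v.is_a?(String) && !v.empty? && !v.include?('/') &&
      (IPAddr.new(v) rescue false)
  }
  ips = ips.uniq.sort  # stable order, so the file does not change every run
  -%>
  servers:
  <% ips.each do |ip| -%>
    - "<%= ip %>"
  <% end -%>
TEMPLATE

# Stand-in for Puppet's template scope: exposes @qf to the template.
class TemplateScope
  def initialize(qf)
    @qf = qf
  end

  def render(template)
    ERB.new(template, trim_mode: '-').result(binding)
  end
end

# Returns the rendered YAML text for a query_facts-shaped hash.
def render_servers(qf)
  TemplateScope.new(qf).render(SERVERS_TEMPLATE)
end

puts render_servers(SAMPLE_QF) if __FILE__ == $PROGRAM_NAME
```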


Re: [Puppet Users] Service entry for puppet agents not working

2016-08-08 Thread Christopher Wood
On Mon, Aug 08, 2016 at 05:40:24AM -0700, Bret Wortman wrote:
>We've been using cron to manage our puppet agents for the past few years
>but have discovered some issues where it's running under a different
>environment and is having trouble completing when run in cron, but it
>works fine as a daemon or from the command line. So I'm preparing to
>switch over.

This sounds like an xy problem. Your underlying issue is that the agent 
sometimes runs under a different environment than desired and you'd like this 
to stop.

Over here we've had agents (3 and 4) running from cron with the following:

usecacheonfailure = false
environment = (whatever that is)

I presume that if we used the cache on failure then if the agent did not 
retrieve a catalog after an environment change in the ENC then it would perform 
the agent run with a catalog from an undesired environment.

Do you set an environment in your External Node Classifier? If not, and you 
don't specify the environment in puppet.conf then you will start in the 
'production' environment which may not be what you want.

Have you been able to narrow down and reproduce the conditions under which your 
agent runs happen in an undesired environment? You could have a different 
issue, albeit that I never had your issue in 3.8.6 with multiple environments.

NB, xy problem: http://www.perlmonks.org/?node=XY+Problem

>Unfortunately, the following doesn't work for my 3.8.6 agents on Centos 6
>systems even though it works fine for 4.3 agents:
> 
>  service { "puppet":
>      ensure => running,
>      enable => true,
>      hasstatus => true,
>      hasrestart => true,
>  }
> 
>What we see on some agents is that puppet will restart the service each
>and every time it runs, which gives us lots of false "changes".

Off hand this sounds like the service checker can't find the pid file. If it 
happens some measurable times per day in your place I would crank up the debug 
logging and see what's going on.

On the other hand, if it works in 4.3, why not upgrade the remaining 3.x agents 
and call it a day? We've had fewer issues in 4 than we had in 3.

>  # service puppet status
>  puppet dead but pid file exists
>  # ps aux | grep puppet | grep agent
>  root      9879  0.0  0.0 134404 43516 ?       Ss     12:22    0:00
>  /usr/bin/ruby/usr/bin/puppet agent
> 
>Has anyone else seen this or know of a workaround? I've tried various ways
>of providing a "status => " command but haven't found anything that works
>yet.
> 


Re: [Puppet Users] Recommended/Suggested R10k Deployment Strategy

2016-07-27 Thread Christopher Wood
On Wed, Jul 27, 2016 at 08:18:37AM -0700, dsdwcal wrote:
>Hmm ok thanks for the speedy reply!
> 
>In implementing R10k, we've recently transitioned from a monolithic module
>repo to individual module repos. As such, our /etc/puppet/modules folder
>used to be managed by a single git repo that was periodically pulled down
>and synced with master. It seems sensible to me that since production
>would essentially include a majority of these modules, one would want the
>production Puppetfile managing /etc/puppet/modules and all other
>environments managing their own environments modulepath
>(/etc/puppet/environments//modules). In my mind this saves
>space by avoiding copying production modules in multiple environments, and
>when you want to test a tweak to a module you can do so easily in a dev
>environment.

You can also get this by having a common environment and using a 
basemodulepath. Modules specified in the different environments will override 
any of the same name in the basemodulepath. One downside here is that people go 
off in their own directions _anyway_ without spending the additional effort in 
getting their changes back in common. The upside is obviously that you can diff 
what different configs are required by different departments based on the git 
hashes used.

>That being said, I'm curious about how others have it set up. If the
>production Puppetfile is managing the modules in
>/etc/puppet/environments/production, then what would be in the main module
>directory at /etc/puppet/modules? It seems like in our current setup that
>directory would be essentially empty if the production Puppetfile was
>pointed to manage the /etc/puppet/environments/production/modules
>directory... or am I missing something?

You're not missing anything. With everything in its own environment there's not 
much point to that directory. In our puppet4 setup:

[root@puppetmaster2 ~]# ls /etc/puppetlabs/code/modules | wc -l
0
[root@puppetmaster2 ~]# for i in `ls -d /etc/puppetlabs/code/environments/*/modules`; do ls $i | wc -l; done
132
50
13
72
32
31
18
52
56
0
26
24
52
47
23
56

The majority of those are individual departments' versions of production. The 
first one is the common environment. Some stuff there hasn't been touched since 
I broke things out into the r10k setup but it's still used in production. 
Definitely good candidates for not being in each environment.

>On Wednesday, July 27, 2016 at 10:16:46 AM UTC-4, Rob Nelson wrote:
> 
>  I don't do any central modules, but everything in an environment
>  modulepath. That way there's no confusion about what module may be
>  loaded. It also keeps the configuration as simple as can be, no
>  environment is special in any way.
>  Rob Nelson
>  [1]rnel...@gmail.com
>  On Wed, Jul 27, 2016 at 10:06 AM, dsdwcal <[2]gamerg...@gmail.com>
>  wrote:
> 
>So relatively recently we have deployed and set up R10k to manage our
>environments and modules. In terms of suggested practices, I am curious
>what others are currently doing to manage their production/dev
>environments. It seems logical to me to change the production
>puppetfile's moduledir to manage the /etc/puppet/modules directory,
>and have all other environments manage their own environments
>moduledirectory (/etc/puppet/environments/... That way
>the lookup hierarchy for modules will first look in the specific
>environment. If the module is not found, the production version of
>the module will be deployed. Is this recommended/ are there better
>ways of doing this?
> 

Re: [Puppet Users] Re: hiera-eyaml not decrypting?

2016-07-08 Thread Christopher Wood
Same, all files here are eyaml.

On Fri, Jul 08, 2016 at 11:04:11AM -0700, Andrew Grimberg wrote:
> Our team completely dropped the yaml backend as we always ended up with
> weird issues of hiera not always finding the yaml. Doesn't matter if we
> don't actually have anything encrypted in the eyaml file, all files for
> us are eyaml now.
> 
> -Andy-
> 
> On 07/08/2016 10:37 AM, dkoleary wrote:
> > I'll be damned.. that was it.  Well, I don't feel so bad about that one.  
> > 
> > Thank you very much!  
> > 
> > On Friday, July 8, 2016 at 12:33:02 PM UTC-5, Michael Watters wrote:
> > 
> > I think I ran into a similar issue before.  Try putting "eyaml" as
> > the first backend to see if that helps.
> > 
> > Here's a copy of our hiera.yaml file which works.
> > 
> > |
> > ---
> > > :backends:
> > >   - eyaml
> > >   - yaml
> > > 
> > > 
> > > :hierarchy:
> > >   - "nodes/%{::trusted.certname}"
> > >   - common
> > > 
> > > 
> > > :yaml:
> > > # datadir is empty here, so hiera uses its defaults:
> > > # # - /etc/puppetlabs/code/environments/%{environment}/hieradata on *nix
> > > # # - %CommonAppData%\PuppetLabs\code\environments\%{environment}\hieradata on Windows
> > > # # When specifying a datadir, make sure the directory exists.
> > > #   :datadir:
> > > 
> > > 
> > > :eyaml:
> > >   :extension: 'yaml'
> > >   :pkcs7_private_key: '/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem'
> > >   :pkcs7_public_key: '/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem'
> > |
> > 
> > 
> > 
> > On Friday, July 8, 2016 at 1:09:02 PM UTC-4, dkoleary wrote:
> > 
> > Hi;
> > 
> > I have hiera.eyaml installed and functional from the CLI;
> > however, when I attempt to use it in a module, the encrypted
> > string is being used rather than the decrypted value.
> > 
> > I have to be missing something mind numbingly simple; but, I've
> > been through the doc
> > at https://github.com/TomPoulton/hiera-eyaml
> >  so many times it's
> > > starting to blur.  Can someone tell me what I messed up?
> > 
> > From the CLI:
> > 
> > |
> > -bash-4.1$ cat nap1d030.yaml
> > ---
> > # mpintp::source: 'ntp.conf.dmz'
> > # mpisyslog::el6::source: 'mpi-custom.conf'
> > > mpisshd::enabled: false
> > > mpiroot::pwd: >
> >
> > 
> > ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEw
> > DQYJKoZIhvcNAQEBBQAEggEAANy7eyKzeNLVeNqF3h4qM5pEw38G8yWJOezA
> > SQ72MugY8FgwIWNsE2TmS3W2jBe1/zTAggd5p79RBubIdfL5DDPjjNTimzgV
> > k0qppx3EefolMSzphfvVv5JOz8ue13OvpzFV/MM5qZLhOeUFAIUY3NM9RqHN
> > PVM/woxhpnjMStlKXGakJYxLrf8ucMLh5WrW7JpN0jvjjVlVJjGsLaqygUsC
> > alJ3zQkgxtaR0SCCgvvsJ2wYCs82fVnuFf6d0g4cPPCGnT3CtNFFffQMlwTt
> > uEErGyKswxMPnKWybFNLYj+cVOhbLf946CMzCUcpWUIdHBnT3BcAi4qiryJF
> > 6O91WzA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBA5QFyFpSmqqxUlAByZ
> > qFWsgBDY6tjQ9Pbb4nRHCvkI29ve]
> > 
> > 
> > -bash-4.1$ eyaml decrypt -f ./nap1d030.yaml
> > > [hiera-eyaml-core] Loaded config from /opt/puppetlabs/server/data/puppetserver/.eyaml/config.yaml
> > > ---
> > > # mpintp::source: 'ntp.conf.dmz'
> > > # mpisyslog::el6::source: 'mpi-custom.conf'
> > > mpisshd::enabled: false
> > > mpiroot::pwd: snipped
> > |
> > 
> > The test module just does a notify:
> > 
> > |
> > > class mpiroot (
> > >   $pwd,
> > > ) {
> > 
> >   notify {"Password: ${pwd}":}
> > }
> > |
> > 
> > 
> > And the run shows the encrypted string:
> > 
> > |
> > $ sudo puppet agent -t
> > > Notice: Local environment: 'production' doesn't match server
> > > specified node environment 'dkoleary', switching agent to
> > > 'dkoleary'.
> > Info: Retrieving pluginfacts
> > Info: Retrieving plugin
> > Info: Loading facts
> > Info: Caching catalog for nap1d030.multiplan.com
> > 
> > Info: Applying configuration version '1467996521'
> > Notice: Password:
> > 
> > ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEw
> > DQYJKoZIhvcNAQEBBQAEggEAANy7eyKzeNLVeNqF3h4qM5pEw38G8yWJOezA
> > SQ72MugY8FgwIWNsE2TmS3W2jBe1/zTAggd5p79RBubIdfL5DDPjjNTimzgV
> > k0qppx3EefolMSzphfvVv5JOz8ue13OvpzFV/MM5qZLhOeUFAIUY3NM9RqHN
> > PVM/woxhpnjMStlKXGakJYxLrf8ucMLh5WrW7JpN0jvjjVlVJjGsLaqygUsC
> > alJ3zQkgxtaR0SCCgvvsJ2wYCs82fVnuFf6d0g4cPPCGnT3CtNFFffQMlwTt
> > uEErGyKswxMPnKWybFNLYj+cVOhbLf946CMzCUcpWUIdHBnT3BcAi4qiryJF
> > 6O91WzA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBA5QFyFpSmqqxUlAByZ
> > qFWsgBDY6tjQ9Pbb4nRHCvkI29ve]
> > [[snip]]
> 
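
Added example, not part of the thread and not hiera-eyaml's own code: a check for the condition the replies above identify, where the plain yaml backend is listed before eyaml while both read the same *.yaml files, so ENC[...] values reach the catalog undecrypted. The two configs and the data file are constructed (the ciphertext is a placeholder); the helper names are hypothetical.

```ruby
require 'yaml'

# Constructed Hiera 3 configs modelled on the one quoted in this thread:
# :eyaml: sets :extension: 'yaml', so both backends read the same files.
YAML_FIRST = <<~'CONF'
  ---
  :backends:
    - yaml
    - eyaml
  :hierarchy:
    - common
  :yaml:
  :eyaml:
    :extension: 'yaml'
CONF

EYAML_FIRST = <<~'CONF'
  ---
  :backends:
    - eyaml
    - yaml
  :hierarchy:
    - common
  :yaml:
  :eyaml:
    :extension: 'yaml'
CONF

# Constructed data file; the ENC[] body is a placeholder, not real ciphertext.
NODE_DATA = <<~'DATA'
  ---
  mpisshd::enabled: false
  mpiroot::pwd: >
    ENC[PKCS7,CONSTRUCTED-PLACEHOLDER-NOT-REAL-CIPHERTEXT]
DATA

# Per-backend settings hash; a bare ":yaml:" key parses as nil.
def backend_settings(conf, name)
  conf[name.to_sym] || {}
end

# The yaml backend reads *.yaml; hiera-eyaml reads *.eyaml unless
# :extension: overrides it.
def data_extension(conf, backend)
  return 'yaml' if backend == 'yaml'
  backend_settings(conf, backend)[:extension] || 'eyaml'
end

# True when the yaml backend answers first from files eyaml should decrypt.
def yaml_shadows_eyaml?(conf)
  backends = Array(conf[:backends])
  yaml_at = backends.index('yaml')
  eyaml_at = backends.index('eyaml')
  return false unless yaml_at && eyaml_at && yaml_at < eyaml_at
  same_files = data_extension(conf, 'eyaml') == 'yaml'
  same_dir = backend_settings(conf, 'yaml')[:datadir] ==
             backend_settings(conf, 'eyaml')[:datadir]
  same_files && same_dir
end

# Keys whose values are eyaml-encrypted strings.
def encrypted_keys(data)
  data.select { |_k, v| v.is_a?(String) && v.strip.start_with?('ENC[') }.keys
end

# Keys that would be handed to manifests as raw ENC[...] text.
def keys_served_as_ciphertext(conf_text, data_text)
  conf = YAML.safe_load(conf_text, permitted_classes: [Symbol])
  return [] unless yaml_shadows_eyaml?(conf)
  encrypted_keys(YAML.safe_load(data_text) || {})
end

if __FILE__ == $PROGRAM_NAME
  p keys_served_as_ciphertext(YAML_FIRST, NODE_DATA)
  p keys_served_as_ciphertext(EYAML_FIRST, NODE_DATA)
end
```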

Re: [Puppet Users] encrypting hiera data?

2016-07-08 Thread Christopher Wood
Puppet at least plugs it in their blog.

https://puppet.com/blog/encrypt-your-data-using-hiera-eyaml

We've had lots of good uses for it in production.

On Fri, Jul 08, 2016 at 06:29:31AM -0700, dkoleary wrote:
>Hey;
>I've come to the point where I need to encrypt a password in hiera data.
> After trying (and failing) the recipe in the puppet cookbook, I hit the
>google searches and very quickly came across hiera eyaml.  
>So, short question: is hiera.eyaml the generally accepted method of
>encrypting data for use in modules?
>Just trying to avoid going down the wrong path again...
>Thanks
>Doug O'Leary
> 


[Puppet Users] near-identical puppetdb queries, dissimilar outputs

2016-07-03 Thread Christopher Wood
This is with puppetdb 3.2.4 running on java 1.8 on CentOS 6. Does this 
behaviour sound familiar to anybody?

This query (query1) produces fact paths limited to the named facts from the 
"stype" of "pmail" in the "environment" of "mail".

https://gist.github.com/christopherwood/aec60bc751828ccfcaa01cbaa18b43a4

This query (query7), different from the first only in that the string "pmail" 
is replaced by the string "relay", produces a list of every fact path from 
every host in every environment.

https://gist.github.com/christopherwood/6ad03d58452175ba3a81d4f5d2693e3f

This behaviour is consistent through puppetdb restarts.

[root@puppetdb2 ~]# rpm -q puppetdb
puppetdb-3.2.4-1.el6.noarch

[root@puppetdb2 ~]# rpm -qa | grep openjdk
java-1.8.0-openjdk-headless-1.8.0.71-1.b15.el6_7.x86_64


$ mco facts stype -T mail -S 'stype=relay or stype=pmail'
Report for fact: stype

pmail found 149 times
relay found 113 times

Finished processing 262 / 262 hosts in 1088.18 ms


My next step would be pointing the production puppetmasters at another puppetdb 
instance and elevating to debug logging here, but I'd rather not make a 
production change if this is something obvious. Or obvious to somebody else, I 
can't find anything about this on tickets.puppetlabs.com.



Re: [Puppet Users] Re-enrolling clients after major version upgrade

2016-06-14 Thread Christopher Wood
To your specific issue, it looks like your agent's CA cert doesn't match the 
issuer of the new puppetmaster's CA cert ("unable to get local issuer 
certificate"). If I recall correctly, an agent without a CA cert will download 
one from the puppetmaster the first time and thereafter check it. You might 
check the cert chains to see what's going on, or if you downloaded the CA cert 
at all.

Otherwise I noticed this bit:

# rpm -rf /var/lib/puppet/ssl /etc/puppet/ssl /etc/puppetlabs/puppet/ssl
# ssh puppet puppet cert list host.internal.net
Error: Could not find a certificate for host.internal.net

Is it supposed to say rpm not rm? I presume it's just the logging which is 
removing the quotes too.

Rhubarbing more generally, I had some success syncing the ssl directory during 
our own 3->4 update. I never found a reason to use a new cert for the same host 
when I already had one.

file { '/etc/puppetlabs/puppet/ssl':
  ensure       => directory,
  backup       => false,
  recurse      => true,
  recurselimit => 99,
  require      => Package[$package],
  source       => '/var/lib/puppet/ssl',
}

The catalog with that class was only a during-update thing, of course.

if versioncmp($::puppetversion, '4.0.0') >= 0 {
  include "role::${::stype}"
}
else {
  include ::puppet_upgrade
}

Otherwise you could:

rsync -a --delete /var/lib/puppet/ssl /etc/puppetlabs/puppet/

On Tue, Jun 14, 2016 at 06:39:13AM -0700, Bret Wortman wrote:
>So I'm trying to use Ansible to automate the process of re-enrolling all
>my systems after the upgrade from 3.8.6 to 4.3, and many (though not all)
>of my clients are reporting thusly:
># rpm -rf /var/lib/puppet/ssl /etc/puppet/ssl /etc/puppetlabs/puppet/ssl
># ssh puppet puppet cert list host.internal.net
>Error: Could not find a certificate for host.internal.net
># puppet agent -t --noop
>Info: Creating a new SSL key for host.internal.net
>Info: Caching certificate for ca
>Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
>Info: Creating a new SSL certificate request for host.internal.net
>Info: Certificate Request fingerprint (SHA256): 75:6A:17:...
>Info: Caching certificate for host.internal.net
>Error: Could not request certificate: SSL_connect returned=1 errno=0
>state=SSLv3 read server certificate B: certificate verify failed: [unable
>to get local issuer certificate for /CN=puppet.internal.net]
>Exiting: failed to retrieve certificate and waitforcert is disabled
># ssh root@puppet puppet cert list -a | grep host.internal.net
>+ "host.internal.net" (SHA256) 42:AF:68:...
># puppet agent --version
>3.8.6
>#
>I'm having success on other 3.8.6 clients and others as far back as 3.8.1.
>What's going on here that I'm not understanding?
> 


Re: [Puppet Users] Git Repo Strategy

2016-06-10 Thread Christopher Wood
On Fri, Jun 10, 2016 at 05:57:13AM -0700, Funsaized wrote:
>Hello,
> 
>I am relatively new to puppet and am trying to develop a good workflow in
>conjunction with git/github to keep a better version control system. The
>version of puppet that I am working with and has been implemented is a bit
>dated, and using R10k and developing a puppetfile would be quite time
>consuming.

Yes it would be time consuming. It's worth the time. An upgrade would probably 
help you too.

>I know that R10k and dynamic environments is the recommended
>way of doing things, though for now I'm not sure if it's the best for my
>scenario and how everything has been previously set up. My question is is
>there a simple way to just map one git repo for each environment (dev, QA,
>production, etc). That way changes could be made in the dev environment,
>then moved over to the correct repos when the changes are confirmed in
>order? Would this be as simple as declaring each folder within the
>/puppet/environments folder as a git repo and controlling that way?

Been there, tried it, moved to r10k. The above is a great way to see your 
environments drift over time.

If you want each environment to be a separate git repo you can, but it sounds 
like you may as well have them all as branches in a single git repo. That way 
you can at least diff different branches easily and cherry pick single changes 
from one to the other.

>Deployment strategy
> 
>-   Upload changes to Dev repo
> 
>-   Deploy Dev changes to Dev master
> 
>-   Test
> 
>-   Merge Dev changes to QA repo
> 
>-   Rinse and repeat

What is QA for, in this scenario? Determining that you've brought up the 
correct set of changes from dev? If so, why not use git itself to prove that 
you've brought up the correct changes, as specified by git commits, to your 
mainline branch?



Re: [Puppet Users] Trigger apt-get update if packages are to be installed

2016-06-06 Thread Christopher Wood
Back when I was doing this on Debian/Ubuntu I ended up doing the apt-get update 
on every agent run. This didn't stress the apt proxy (far from it) and made 
sure the agent had an up to date view of apt every time no matter what.

This would also cover if somebody uses ensure=>latest or ensure=>1.2.3.4 
somewhere in the catalog.

On Mon, Jun 06, 2016 at 07:46:47AM -0700, Simon Weald wrote:
>Hi everyone
> 
>I've got a little bit of an issue which I'm currently fighting with. At
>the moment, we pass an array of packages to be installed to the package
>resource, however I need to call an apt-get update prior to the package
>installation (in case we add a new repo etc). My snippet below should
>probably give you a good idea of what I want to achieve:
> 
>$installpackages  = hiera_array('installed-packages')
> 
>exec  {  "apt-update":
> command  =>  "/usr/bin/apt-get update",
> refreshonly  =>  true,
>}
> 
>package  {  $installpackages:
> ensure  =>  'present',
> require  =>  Exec['apt-update'],
>}
>Obviously my goal is to have the update only run if any packages are
>actually going to be installed - I can't use empty() against the array as
>it will always contain content.
> 
>Can anyone suggest how I can achieve this?
> 
>Thanks!
> 


Re: [Puppet Users] how to escape %{ in hiera

2016-06-06 Thread Christopher Wood
I ran into this too, use the literal function.

$ grep -rh literal hieradata/
testing::cwood1::param3: "%{literal('%')}{::hostname}"
testing::cwood1::param3: "%{literal('%')}{::hostname}"

https://docs.puppet.com/hiera/3.1/variables.html#the-literal-lookup-function

On Mon, Jun 06, 2016 at 06:20:46AM -0700, Simon wrote:
>Hi all
>does anyone know how i can escape %{ in hiera without it trying to convert
>to variable?
>i want to add the following to configure a syslog filter for logstash
> 
>match => { "message" =>
>"<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp}
>%{SYSLOGHOST:syslog_hostname}
>%{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?:
>%{GREEDYDATA:syslog_message}"}
> 
>problem is it will try and convert to variables so only shows the
>following on the server
> 
>match => { "message" => "<>  (?:\[\])?: "}
> 
>i have tried all the methods i can think of,  any help would be
>appreciated.
> 
>cheers
> 
>S
> 
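
Added example, not part of the original messages: the literal() escape from the reply applied to the grok pattern from the question, then written out through a YAML dumper so the backslashes and quotes in the value are quoted correctly. model_interpolate is a simplified single-pass model of Hiera 3 interpolation written for this demonstration, not Hiera's own code, and the key name is hypothetical.

```ruby
require 'yaml'

# Grok pattern from the question in this thread.
GROK = '<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} ' \
       '%{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}' \
       '(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}'

# Hypothetical Hiera key for the example.
KEY = 'profile::logstash::syslog_grok'

# Rewrite every "%{" so Hiera emits a literal percent sign followed by "{"
# instead of treating the token as a variable. Apply once, to raw text only:
# running it over already-escaped text would escape the literal() calls too.
def hiera_escape(value)
  value.gsub('%{', "%{literal('%')}{")
end

# Simplified model of Hiera 3 string interpolation (an assumption for this
# demo): a single pass over %{...} tokens, literal('x') yields x, anything
# else is looked up in scope and becomes empty when unset.
def model_interpolate(value, scope = {})
  value.gsub(/%\{([^}]*)\}/) do
    token = Regexp.last_match(1)
    if (m = token.match(/\Aliteral\((['"])(.*)\1\)\z/))
      m[2]
    else
      scope.fetch(token.sub(/\A::/, ''), '').to_s
    end
  end
end

# Emit the hiera data entry through the YAML dumper rather than by hand:
# the value holds backslashes and single quotes, which hand-written
# double-quoted or single-quoted YAML would both need escaping for.
def hiera_data_yaml(key, value)
  { key => hiera_escape(value) }.to_yaml
end

if __FILE__ == $PROGRAM_NAME
  puts hiera_data_yaml(KEY, GROK)
  puts model_interpolate(YAML.safe_load(hiera_data_yaml(KEY, GROK))[KEY])
end
```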


[Puppet Users] facter 3 behaviour change in vlan interface legacy facts

2016-06-01 Thread Christopher Wood
This is something I found after upgrading a number of puppet agents from 3.8.5 
to 4.4.2 using the puppet-agent-1.4.2-1.el6.x86_64.rpm rpm on CentOS 6. The 
legacy fact names around vlan interfaces are not the same as the facter2 
versions of those facts.

facter < 3: ipaddress_eth0_413

facter >= 3: ipaddress_eth0.413

There was a pull request to have this change implemented in facter 2 but that 
wasn't merged. I wasn't able to find any ticket about behavioural change for 
these facts in facter 3. I tried digging through the facter code but am not a 
programmer and couldn't figure out where this fact name is set in cfacter.

https://github.com/puppetlabs/facter/pull/835
https://tickets.puppetlabs.com/browse/FACT-775

FACT-701 appears related, only in so far as it covers the same set of facts.

https://tickets.puppetlabs.com/browse/FACT-701

The upshot is that I probably should already have converted to the facter 3 
structured facts. Anybody else using vlan'ed networking and the associated 
facts in puppet3/facter2 should probably check their modules.




++

More details:

To make a long story short, we are managing some vlan interfaces on eth0 using 
stanzas like the inline template below. This is to figure out the nfs ip 
address on the host to construct an ip address for use on another vlan'ed 
interface. That's life when workarounds are built on workarounds.

$nfs_if_ip = inline_template('<%= x = "ipaddress_eth0_" + @cluster_nfs_vlan.to_s; scope[x] %>')

In facter < 3, that fact was ipaddress_eth0_413. In facter >= 3, that fact is 
ipaddress_eth0.413 (underline versus dot). The latter format mirrors what you 
would see with "ip a s" which would give vlan'ed interfaces such as 
eth0.413@eth0.

The upshot is that the "unless" parameter of the exec bringing up the interface 
ended up being...

/sbin/ip addr show eth0.601 | grep -q 10.106.2./24

...instead of...

/sbin/ip addr show eth0.601 | grep -q 10.106.2.84/24

...and that failed 'unless' let forth the error spew.

Notice: /Stage[main]/Hnet/Exec[/sbin/ip link add link eth0 name eth0.601 type 
vlan id 601 && /sbin/ip addr add 10.106.2./24 dev eth0.601 label eth0.601 && 
/sbin/ip link set eth0.601 up]/returns: RTNETLINK answers: File exists
Error: /sbin/ip link add link eth0 name eth0.601 type vlan id 601 && /sbin/ip 
addr add 10.106.2./24 dev eth0.601 label eth0.601 && /sbin/ip link set eth0.601 
up returned 2 instead of one of [0]
Error: /Stage[main]/Hnet/Exec[/sbin/ip link add link eth0 name eth0.601 type 
vlan id 601 && /sbin/ip addr add 10.106.2./24 dev eth0.601 label eth0.601 && 
/sbin/ip link set eth0.601 up]/returns: change from notrun to 0 failed: 
/sbin/ip link add link eth0 name eth0.601 type vlan id 601 && /sbin/ip addr add 
10.106.2./24 dev eth0.601 label eth0.601 && /sbin/ip link set eth0.601 up 
returned 2 instead of one of [0]


Here's narrowing down where this change takes place. Pasting my rough notes. 
I've obfuscated the hostname and non-RFC-1918 ip address.


puppet-agent-1.0.0-1.el6.x86_64.rpm

[root@host ~]# puppet --version
4.0.0
[root@host ~]# facter --version
2.4.3
[root@host ~]# facter -p | grep ipaddress_eth0
ipaddress_eth0 => 1.2.3.4
ipaddress_eth0_413 => 10.101.13.84
ipaddress_eth0_601 => 10.106.2.84


puppet-agent-1.1.1-1.el6.x86_64.rpm

[root@host ~]# puppet --version
4.1.0
[root@host ~]# facter --version
2.4.4
[root@host ~]# facter -p | grep ipaddress_eth0
ipaddress_eth0 => 1.2.3.4
ipaddress_eth0_413 => 10.101.13.84
ipaddress_eth0_601 => 10.106.2.84


puppet-agent-1.2.0-1.el6.x86_64.rpm

[root@host ~]# puppet --version
4.2.0
[root@host ~]# facter --version
3.0.0 (commit 6a22df024ddfe7759f55d05a5ac1c8c51cb2c4aa)

(no ipaddress_eth0 legacy facts, same as below)


puppet-agent-1.2.1-1.el6.x86_64.rpm

[root@host ~]# puppet --version
4.2.0
[root@host ~]# facter --version
3.0.1 (commit 9b1ef723a1494a01e0eccfe93a75fd43316690c2)
[root@host ~]# facter -p --show-legacy | grep ipaddress_eth0
error: unrecognised option '-p'

[root@host ~]# facter --show-legacy | grep ipaddress_eth0
error: unrecognised option '--show-legacy'


puppet-agent-1.2.1-1.el6.x86_64.rpm

[root@host ~]# puppet --version
4.2.1
[root@host ~]# facter --version
3.0.2 (commit 5dc120fa9db4c19150466b1bbd1d0cf42c87c6bd)
[root@host ~]# facter -p --show-legacy | grep ipaddress_eth0
ipaddress_eth0 => 1.2.3.4
ipaddress_eth0.413 => 10.101.13.84
ipaddress_eth0.601 => 10.106.2.84


puppet-agent-1.2.4-1.el6.x86_64.rpm

[root@host ~]# puppet --version
4.2.2
[root@host ~]# facter --version
3.1.0 (commit fc7614d6ba81845757ba7318269fad2b2da08da3)
[root@host ~]# facter -p --show-legacy | grep ipaddress_eth0
ipaddress_eth0 => 1.2.3.4
ipaddress_eth0.413 => 10.101.13.84
ipaddress_eth0.601 => 10.106.2.84


puppet-agent-1.2.7-1.el6.x86_64.rpm

[root@host ~]# puppet --version
4.2.3
[root@host ~]# facter --version
3.1.1 (commit 30d2dfd3ede25be8a02cdb5b0811d84c5c92c709)
[root@host ~]# 
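
An added example (not part of the original post) of looking up the per-VLAN address under either Facter naming and refusing to build a truncated address such as 10.106.2./24. The function names, the plain facts hash, the host-octet reuse and the `-F` on grep are assumptions made for illustration; the sample values follow the facter output above.

```ruby
require 'ipaddr'

# Raised instead of letting an empty or malformed fact reach a command line.
class FactLookupError < StandardError; end

# Constructed sample facts, modelled on the facter output shown above.
FACTER2_FACTS = {
  'ipaddress_eth0'     => '1.2.3.4',
  'ipaddress_eth0_413' => '10.101.13.84'
}.freeze
FACTER3_LEGACY_FACTS = {
  'ipaddress_eth0'     => '1.2.3.4',
  'ipaddress_eth0.413' => '10.101.13.84'
}.freeze
FACTER3_STRUCTURED_FACTS = {
  'networking' => { 'interfaces' => { 'eth0.413' => { 'ip' => '10.101.13.84' } } }
}.freeze

# Return the IPv4 address of VLAN sub-interface parent.vlan from a facts hash.
# Tries the Facter 3 structured fact, then the dotted legacy name (Facter 3),
# then the underscored legacy name (Facter 2).
def vlan_ip(facts, parent, vlan)
  iface = "#{parent}.#{vlan}"
  candidates = [
    facts.dig('networking', 'interfaces', iface, 'ip'),
    facts["ipaddress_#{parent}.#{vlan}"],
    facts["ipaddress_#{parent}_#{vlan}"]
  ]
  ip = candidates.find { |v| v.is_a?(String) && !v.strip.empty? }
  raise FactLookupError, "no address fact found for #{iface}" if ip.nil?

  begin
    addr = IPAddr.new(ip.strip)
  rescue ArgumentError
    raise FactLookupError, "fact for #{iface} is not an IP address: #{ip.inspect}"
  end
  raise FactLookupError, "fact for #{iface} is not IPv4" unless addr.ipv4?

  addr.to_s
end

# Assumption: the second address reuses the host octet of the first
# (10.101.13.84 on one VLAN gives 10.106.2.84 on the other).
# The result is validated so a missing octet cannot yield "10.106.2./24".
def derived_cidr(source_ip, net_prefix, masklen)
  host = source_ip.split('.').last
  candidate = "#{net_prefix}.#{host}"
  begin
    IPAddr.new(candidate)
  rescue ArgumentError
    raise FactLookupError, "derived address #{candidate.inspect} is invalid"
  end
  "#{candidate}/#{masklen}"
end

# Build the exec command and its guard only from a validated address.
# -F is added here so the dots in the address match literally.
def vlan_exec(facts, parent, src_vlan, dst_vlan, net_prefix, masklen)
  cidr = derived_cidr(vlan_ip(facts, parent, src_vlan), net_prefix, masklen)
  dev = "#{parent}.#{dst_vlan}"
  {
    guard:   "/sbin/ip addr show #{dev} | grep -qF -- #{cidr}",
    command: "/sbin/ip link add link #{parent} name #{dev} type vlan id #{dst_vlan} && " \
             "/sbin/ip addr add #{cidr} dev #{dev} label #{dev} && " \
             "/sbin/ip link set #{dev} up"
  }
end

if __FILE__ == $PROGRAM_NAME
  [FACTER2_FACTS, FACTER3_LEGACY_FACTS, FACTER3_STRUCTURED_FACTS].each do |facts|
    puts vlan_exec(facts, 'eth0', 413, 601, '10.106.2', 24)[:guard]
  end
end
```

With a facts hash that has none of the three names, `vlan_ip` raises before any command string is built, so the catalog fails at compile time instead of at the exec.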

Re: [Puppet Users] facter 3.2 global custom facts directory?

2016-05-28 Thread Christopher Wood
I thought it might too, but turns out probably not:

https://projects.puppetlabs.com/issues/11449

On Sat, May 28, 2016 at 06:22:45AM -0700, dkoleary wrote:
>Hey;
>Thanks; yes, that was a typo.  Responding from an ipad on a shaky
>surface... bit surprised that was the only one.
>Any rate, I now have fact scripts in /etc/facter/facts.d
>$ ltree /etc/facter/facts.d
>drwxr-xr-x. 2 root root 4096 May 28 08:07 /etc/facter/facts.d
>drwxr-xr-x. 3 root root 4096 May 28 08:06 /etc/facter
>drwxr-xr-x. 122 root root 12288 May 28 08:06 /etc
>A cleaned up root debug facter run shows that root is hitting all three
>directories:
>sudo facter --debug env 2>&1
>2016-05-28 08:11:41.053089 INFO  puppetlabs.facter - executed with command
>line: --debug env.
>[[snip]]
>2016-05-28 08:11:41.079647 INFO  puppetlabs.facter - requested queries:
>env.
>2016-05-28 08:11:41.079776 DEBUG puppetlabs.facter - fact "facterversion"
>has resolved to "3.2.0".
>2016-05-28 08:11:41.080092 DEBUG puppetlabs.facter - searching
>"/opt/puppetlabs/facter/facts.d" for external facts.
>[[snip]]
>2016-05-28 08:11:41.091406 DEBUG | - env=tst
>2016-05-28 08:11:41.091561 DEBUG puppetlabs.facter - fact "env" has
>resolved to "tst".
>2016-05-28 08:11:41.091700 DEBUG leatherman.execution:555 - process exited
>with status code 0.
>2016-05-28 08:11:41.091785 DEBUG puppetlabs.facter - completed resolving
>facts from executable file "/opt/puppetlabs/facter/facts.d/hosts".
>2016-05-28 08:11:41.091933 DEBUG puppetlabs.facter - searching
>"/etc/facter/facts.d" for external facts.
>[[snip]]
>2016-05-28 08:11:41.103835 DEBUG | - env=tst
>2016-05-28 08:11:41.103998 DEBUG puppetlabs.facter - fact "env" has
>changed from "tst" to "tst".
>2016-05-28 08:11:41.104163 DEBUG leatherman.execution:555 - process exited
>with status code 0.
>2016-05-28 08:11:41.104294 DEBUG puppetlabs.facter - completed resolving
>facts from executable file "/etc/facter/facts.d/hosts".
>2016-05-28 08:11:41.104428 DEBUG puppetlabs.facter - searching
>"/etc/puppetlabs/facter/facts.d" for external facts.
>[[snip]]
>2016-05-28 08:11:41.116165 DEBUG | - env=tst
>2016-05-28 08:11:41.116332 DEBUG puppetlabs.facter - fact "env" has
>changed from "tst" to "tst".
>2016-05-28 08:11:41.116493 DEBUG leatherman.execution:555 - process exited
>with status code 0.
>Does emphasize the point that I should have those in one and only one of
>those directories...
>Following is the same debug run (with nothing snipped) from a non-root
>user showing that it's not hitting any of those directories:
>$ facter --debug env
>2016-05-28 08:16:03.979516 INFO  puppetlabs.facter - executed with command
>line: --debug env.
>2016-05-28 08:16:03.980478 INFO  leatherman.ruby:133 - ruby loaded from
>"/opt/puppetlabs/puppet/lib/libruby.so.2.1.0".
>2016-05-28 08:16:04.006387 INFO  leatherman.ruby:182 - using ruby version
>2.1.9
>2016-05-28 08:16:04.006507 INFO  puppetlabs.facter - requested queries:
>env.
>2016-05-28 08:16:04.006616 DEBUG puppetlabs.facter - fact "facterversion"
>has resolved to "3.2.0".
>2016-05-28 08:16:04.006961 DEBUG puppetlabs.facter - skipping external
>facts for "/home/doug.oleary/.puppetlabs/opt/facter/facts.d": No such file
>or directory
>2016-05-28 08:16:04.007032 DEBUG puppetlabs.facter - skipping external
>facts for "/home/doug.oleary/.facter/facts.d": No such file or directory
>2016-05-28 08:16:04.007065 DEBUG puppetlabs.facter - no external facts
>were found.
>2016-05-28 08:16:04.007681 DEBUG puppetlabs.facter - loading all custom
>facts.
>2016-05-28 08:16:04.007756 DEBUG puppetlabs.facter - fact "env" does not
>exist.
>It looks like facter, run as a non-root user, is limited to personal home
>directories.  So, rephrasing the original question: is there some way to
>tell non-root facter runs to use the standard directories without having
>to add '--external-dir' every time?
>Thanks for the responses.
>Doug O'Leary
>On Saturday, May 28, 2016 at 7:18:13 AM UTC-5, Christopher Wood wrote:
> 
>  Just to confirm that's a typo below? You have an "s" in facter.
> 
>  /etc/facter/facts.d
> 
>
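
An added example (not from the thread) that reads `facter --debug` output like the two runs quoted above and reports which external facts were set from more than one facts.d directory and which search directories were skipped. The function names are hypothetical; the sample lines are the quoted ones, unwrapped.

```ruby
# Sample input: lines from the root run quoted above, unwrapped.
ROOT_DEBUG_LOG = <<~'LOG'
  2016-05-28 08:11:41.079776 DEBUG puppetlabs.facter - fact "facterversion" has resolved to "3.2.0".
  2016-05-28 08:11:41.080092 DEBUG puppetlabs.facter - searching "/opt/puppetlabs/facter/facts.d" for external facts.
  2016-05-28 08:11:41.091561 DEBUG puppetlabs.facter - fact "env" has resolved to "tst".
  2016-05-28 08:11:41.091933 DEBUG puppetlabs.facter - searching "/etc/facter/facts.d" for external facts.
  2016-05-28 08:11:41.103998 DEBUG puppetlabs.facter - fact "env" has changed from "tst" to "tst".
  2016-05-28 08:11:41.104428 DEBUG puppetlabs.facter - searching "/etc/puppetlabs/facter/facts.d" for external facts.
  2016-05-28 08:11:41.116332 DEBUG puppetlabs.facter - fact "env" has changed from "tst" to "tst".
LOG

# Sample input: lines from the non-root run quoted above, unwrapped.
NONROOT_DEBUG_LOG = <<~'LOG'
  2016-05-28 08:16:04.006616 DEBUG puppetlabs.facter - fact "facterversion" has resolved to "3.2.0".
  2016-05-28 08:16:04.006961 DEBUG puppetlabs.facter - skipping external facts for "/home/doug.oleary/.puppetlabs/opt/facter/facts.d": No such file or directory
  2016-05-28 08:16:04.007032 DEBUG puppetlabs.facter - skipping external facts for "/home/doug.oleary/.facter/facts.d": No such file or directory
  2016-05-28 08:16:04.007065 DEBUG puppetlabs.facter - no external facts were found.
  2016-05-28 08:16:04.007681 DEBUG puppetlabs.facter - loading all custom facts.
  2016-05-28 08:16:04.007756 DEBUG puppetlabs.facter - fact "env" does not exist.
LOG

SEARCHING    = /searching "([^"]+)" for external facts\./
SKIPPING     = /skipping external facts for "([^"]+)":/
END_EXTERNAL = /no external facts were found|loading all custom facts/
RESOLVED     = /fact "([^"]+)" has resolved to "(.*)"\.\s*\z/
CHANGED      = /fact "([^"]+)" has changed from "(.*)" to "(.*)"\.\s*\z/

# Walk the log once, remembering which facts.d directory is being searched,
# and attribute every fact assignment to that directory. Assignments seen
# before any directory is searched (built-in facts) are ignored.
def external_fact_sources(log)
  current = nil
  sources = Hash.new { |h, k| h[k] = [] }
  skipped = []
  log.each_line do |line|
    case line
    when SEARCHING    then current = $1
    when SKIPPING     then skipped << $1
    when END_EXTERNAL then current = nil
    when CHANGED      then sources[$1] << { dir: current, value: $3 } if current
    when RESOLVED     then sources[$1] << { dir: current, value: $2 } if current
    end
  end
  { sources: sources, skipped: skipped }
end

# Facts assigned from more than one directory. The last assignment is the
# value facter ends up with; "conflicting" flags directories that disagree.
def duplicated_external_facts(log)
  external_fact_sources(log)[:sources]
    .select { |_, hits| hits.map { |h| h[:dir] }.uniq.size > 1 }
    .map do |name, hits|
      {
        fact:        name,
        dirs:        hits.map { |h| h[:dir] },
        effective:   hits.last[:value],
        conflicting: hits.map { |h| h[:value] }.uniq.size > 1
      }
    end
end

if __FILE__ == $PROGRAM_NAME
  duplicated_external_facts(ROOT_DEBUG_LOG).each do |d|
    puts "#{d[:fact]} set in #{d[:dirs].join(', ')} (effective: #{d[:effective]})"
  end
  puts "skipped: #{external_fact_sources(NONROOT_DEBUG_LOG)[:skipped].join(', ')}"
end
```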

Re: [Puppet Users] facter 3.2 global custom facts directory?

2016-05-28 Thread Christopher Wood
Just to confirm that's a typo below? You have an "s" in facter.

/etc/facter/facts.d

On Fri, May 27, 2016 at 03:15:11PM -0700, dkoleary wrote:
> Thanks for the response. I'm pretty sure I tried /etc/faster/facts.d; but, 
> I'll confirm that.  
> 
> Thanks again.
> 


Re: [Puppet Users] facter 3.2 global custom facts directory?

2016-05-27 Thread Christopher Wood
All the custom facts here in /etc/facter/facts.d have worked just fine across 
the facter 2.4.4 -> facter 3.1.6 upgrade.

https://docs.puppet.com/facter/3.1/custom_facts.html

On Fri, May 27, 2016 at 12:28:50PM -0700, dkoleary wrote:
>Hey;
>I'm drafting some custom facts that I would like to have available to
>everyone even outside of puppet.  The facts themselves work just fine for
>root and will work for normal users if I specify the --external-dir
>option:
> 
>$ sudo facter env                                     
>tst
>$ facter --external-dir=/opt/puppetlabs/facter/facts.d env
>tst
>Without that, facter run as a normal user doesn't find the script. Is
>there a config file somewhere that I can specify, globally, that custom
>facts are in /opt/puppetlabs/facter/facts.d or a default global directory
>(facter --debug doesn't seem to show one...)? Alternatively, I could set
>an alias in /etc/profile so everyone gets it but that seems like a bit of
>a kludge.
>Any info is appreciated.
>Thanks
>Doug O'Leary
> 


Re: [Puppet Users] Puppet and SVN

2016-05-23 Thread Christopher Wood
It sounds like what you are thinking about is the roles/profiles paradigm, and 
your tool is r10k. Reading suggestions:

https://puppet.com/blog/git-workflows-puppet-and-r10k
http://somethingsinistral.net/blog/rethinking-puppet-deployment/
http://garylarizza.com/blog/2014/02/18/puppet-workflow-part-3/
https://github.com/puppetlabs/r10k/blob/master/doc/dynamic-environments/workflow-guide.mkd

It will help you to download your first set of modules from the puppet forge. 
There's not much point re-implementing automated ntp management for instance. 
Later on you can do your own modules for any proprietary bits.

https://forge.puppet.com/

Think of it as using git as a tool to implement. You are not retrofitting git 
on your workflow, you are using git to record it.

On Tue, May 24, 2016 at 07:41:19AM +1000, Alex Samad wrote:
> Hi
> 
> Is it really that painful to retro fit git. or is the way you think
> about the DB that different ?
> 
> Could you point a good starting point to read up on this ?
> 
> Thanks
> Alex
> 
> On 24 May 2016 at 07:16, Christopher Wood <christopher_w...@pobox.com> wrote:
> > On Mon, May 23, 2016 at 03:51:58PM +1000, Alex Samad wrote:
> >> How hard is it to retro fit SVN / GIT onto a puppet install.
> >>
> >> I am building from scratch, working through the doco.
> >>
> >> Was thinking once I have a friendly setup then I would look at putting
> >> that into SVN/GIT.
> >
> > Do yourself a huge favour, use git as the tool you use to construct the 
> > setup. Use it from the start of the process, not just as what you put 
> > things into when you're done.
> >
> >> Thoughts are
> >> install puppet
> >> install puppetDB
> >> install heira ??
> >>
> >> setup environments, currently thinking
> >> Prod - all prod env
> >> SIM - testing for prod
> >> INF - inf
> >> NON Prod - anything thats not above
> >> dev - testing
> >> alex - personal
> >>
> >> Then I was going to create a whole bundle of profiles break up into
> >>
> >> OS app
> >> things like
> >> smtp
> >> ssh
> >> http
> >> etc
> >>
> >> have the default company setup
> >>
> >> Company Apps
> >> things that cover company apps
> >>
> >>
> >> Then build some roles - based solely from profiles.
> >>
> >> Then some how dynamically assign nodes to a roles / environment.
> >>
> >>
> >> Sounds okay ??
> >>
> >> A
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> On 23 May 2016 at 10:47, Rilindo Foster <rili...@gmail.com> wrote:
> >> > You can use any VCS with Puppet. I know of one shop that uses Mercurial.
> >> >
> >> > Most of the tooling and integration are closely coupled with git and 
> >> > most of the workflows assumes that you will be using git. So it would be 
> >> > a good idea to get up to speed with it.
> >> >
> >> > Of note that you can use git with svn (which may be helpful if you are 
> >> > getting started:
> >> >
> >> > https://git-scm.com/book/en/v1/Git-and-Other-Systems-Git-and-Subversion
> >> >
> >> > - Rilindo
> >> >
> >> > -Original Message-
> >> > From: puppet-users@googlegroups.com 
> >> > [mailto:puppet-users@googlegroups.com] On Behalf Of Alex Samad
> >> > Sent: Sunday, May 22, 2016 7:44 PM
> >> > To: puppet-users@googlegroups.com
> >> > Subject: Re: [Puppet Users] Puppet and SVN
> >> >
> >> > Ta
> >> >
> >> > I was at the last puppet (sydney ) users group. heard r10k mentioned a 
> >> > lot.
> >> >
> >> > Also I got the impression that git was more closely integrated with 
> >> > puppet.
> >> >
> >> > Should I be looking at git?
> >> >
> >> > A
> >> >
> >> >
> >> > On 23 May 2016 at 10:40, Henrik Lindberg <henrik.lindb...@puppet.com> 
> >> > wrote:
> >> >> On 22/05/16 12:41, Alex Samad wrote:
> >> >>>
> >> >>> Hi
> >> >>>
> >> >>> just starting out with puppet.
> >> >>> I found
> >> >>> this
> >> >>> http://projects.puppetlabs.com/projects/1/wiki/Puppet_Version_Control
> >> >>>

Re: [Puppet Users] Puppet and SVN

2016-05-23 Thread Christopher Wood
On Mon, May 23, 2016 at 03:51:58PM +1000, Alex Samad wrote:
> How hard is it to retro fit SVN / GIT onto a puppet install.
> 
> I am building from scratch, working through the doco.
> 
> Was thinking once I have a friendly setup then I would look at putting
> that into SVN/GIT.

Do yourself a huge favour, use git as the tool you use to construct the setup. 
Use it from the start of the process, not just as what you put things into when 
you're done.

> Thoughts are
> install puppet
> install puppetDB
> install heira ??
> 
> setup environments, currently thinking
> Prod - all prod env
> SIM - testing for prod
> INF - inf
> NON Prod - anything thats not above
> dev - testing
> alex - personal
> 
> Then I was going to create a whole bundle of profiles break up into
> 
> OS app
> things like
> smtp
> ssh
> http
> etc
> 
> have the default company setup
> 
> Company Apps
> things that cover company apps
> 
> 
> Then build some roles - based solely from profiles.
> 
> Then some how dynamically assign nodes to a roles / environment.
> 
> 
> Sounds okay ??
> 
> A
> 
> 
> 
> 
> 
> 
> 
> 
> 
> On 23 May 2016 at 10:47, Rilindo Foster  wrote:
> > You can use any VCS with Puppet. I know of one shop that uses Mercurial.
> >
> > Most of the tooling and integration are closely coupled with git and most 
> > of the workflows assumes that you will be using git. So it would be a good 
> > idea to get up to speed with it.
> >
> > Of note that you can use git with svn (which may be helpful if you are 
> > getting started:
> >
> > https://git-scm.com/book/en/v1/Git-and-Other-Systems-Git-and-Subversion
> >
> > - Rilindo
> >
> > -Original Message-
> > From: puppet-users@googlegroups.com [mailto:puppet-users@googlegroups.com] 
> > On Behalf Of Alex Samad
> > Sent: Sunday, May 22, 2016 7:44 PM
> > To: puppet-users@googlegroups.com
> > Subject: Re: [Puppet Users] Puppet and SVN
> >
> > Ta
> >
> > I was at the last puppet (sydney ) users group. heard r10k mentioned a lot.
> >
> > Also I got the impression that git was more closely integrated with puppet.
> >
> > Should I be looking at git?
> >
> > A
> >
> >
> > On 23 May 2016 at 10:40, Henrik Lindberg  wrote:
> >> On 22/05/16 12:41, Alex Samad wrote:
> >>>
> >>> Hi
> >>>
> >>> just starting out with puppet.
> >>> I found
> >>> this
> >>> http://projects.puppetlabs.com/projects/1/wiki/Puppet_Version_Control
> >>> old page
> >>>
> >>> talks about checking /etc/puppet into svn.
> >>>
> >>> But on my centos install I have /etc/puppetlabs/puppet
> >>>
> >>> do I add /etc/puppetlabs or /etc/puppetlabs/puppet to svn and if the
> >>> later what about my codedir ?
> >>>
> >>
> >> You probably want to use the project r10k to manage your
> >> manifests/configurations that are stored in a source code control
> >> repository.
> >>
> >> Here is the page that explains a bit about r10k and SVN:
> >> https://github.com/puppetlabs/r10k/blob/master/doc/dynamic-environments/svn-environments.mkd
> >>
> >> There is also lots of material available on r10k itself that is easy to
> >> find if you google for it.
> >>
> >> Regards
> >> - henrik
> >>
> >>> Thanks
> >>>
> >>
> >>
> >>
> >> --
> >>
> >> Visit my Blog "Puppet on the Edge"
> >> http://puppet-on-the-edge.blogspot.se/
> >>

Re: [Puppet Users] puppet 4 environments git feedback?

2016-05-19 Thread Christopher Wood
On Thu, May 19, 2016 at 11:39:30AM -0400, Rob Nelson wrote:
>Doug,
> 
>If all your git repositories are local filestores, that's probably a
>pretty reasonable workflow. However, most people use some form of
>dedicated service as their git origins, that reside external to the local
>systems - GitHub, Bit Bucket, Git Lab, etc. If you are using one of those
>systems, or you can migrate to it, you can then improve your code flow by
>using pull requests to review changes and merge them into the branch at
>the upstream. These services would also be able to fire a web hook, an
>event sent to your puppet master as an http/https payload, that can
>trigger r10k to deploy the updated code.

Our inter-datacenter connectivity tends to skip a beat whenever there's a DDOS. 
It's old skule but a cron job gives us some easy resilience here.

[root@puppetmaster6 ~]# crontab -l | grep r10k
# Puppet Name: r10k deploy
* * * * * /usr/bin/lockrun --lockfile=/var/run/r10k-deploy -- /opt/puppetlabs/puppet/bin/r10k deploy environment --puppetfile >/dev/null 2>&1

Also when I set this up there were issues setting up plain git hooks with the 
gitlab instance we were originally using, using a cron job saved weeks of 
inter-team ticket discussion judging by other hook tickets.

>That might sound complicated, but I promise you, it's not. It's just using
>some peculiar terminology you're not familiar with. For learning git and
>services like GitHub, there are countless tutorials out there; I recommend
>https://github.com/commitmas/12-days-of-commitmas. That will introduce
>you to git, GitHub, Pull Requests (PRs), and code review processes. I
>wrote an article on using r10k with a webhook at
>https://rnelson0.com/2015/05/03/configuring-an-r10k-webhook-on-your-puppet-master/,
>and I and others have tons of articles about using r10k. With this in
>place, your process would be a little simpler:
> 
>  git commit -am 'Something I want to push to test'
>  git push origin test_change
>  
> 
>The webhook fires, r10k starts deploying code, and in a few seconds to
>minutes, your test environment has been updated to incorporate those
>changes. You'd then use PRs to promote code from test -> dev -> qa -> uat
>-> production. This has other impacts to your workflow, of course, and you
>may actually be able to remove a level of environments (feature -> qa ->
>uat -> production). You could later add some continuous integration tests
>to your code, that are automatically run by GitHub/GitLab/Jenkins/etc,
>which could lead to removing the qa level as well. But that's down the
>road a bit.
> 
>There is a lot of room for improvement here as you have time to focus on
>your pipeline.
>Rob Nelson
>rnels...@gmail.com
>On Wed, May 18, 2016 at 9:02 PM, dkoleary
><dkole...@olearycomputers.com> wrote:
> 
>  Hey;
>  To put this in perspective, I'm a sysadmin, not a developer.  While I've
>  used git for a couple of years, until today, I could easily count the
>  number of times I issued a 'git branch' command.
>  I'm practicing setting up a new puppet 4 server and, after some
>  research, I've got various environments under git management and have
>  successfully 'promoted code' from test through production.  It's a wee
>  bit tedious but I'm sure I could get used to it.
>  What I'm hoping is to have someone more familiar with the process verify I'm
>  doing it somewhat close to right and/or make suggestions on any
>  improvements.  I have heard of r10k; however, I'm one of those that has
>  to know what's going on under the covers.  Up until now, r10k has been
>  one of those 'developer' things.  Once I run through this a few times,
>  *then* I'll start playing with r10k.
>  So, bit of a build up.  Here's what I have:
>  one git repo covering all puppet environments thusly::
>  # git branch -r
>    origin/HEAD -> origin/master
>    origin/dev
>    origin/master
>    origin/prod
>    origin/qa
>    origin/test
>    origin/uat
>  On a different system, one pulls the test system, develops code,
>  commits, pushes, etc.  In the test environment, the admin pulls the
>  updated work and tests
>  # pwd
>  /etc/puppetlabs/code/environments/test
>  # git branch
>  * test
>  once the tests are complete, a responsible admin accesses the dev
>  environment and executes:
>  git checkout test 
>  git pull # if necessary
>  git checkout dev
>  git merge test
>  Process iterates through the environments to prod.  
>  # git log --oneline
>  e298de7 prod.rst: mved from uat
>  07f3ab1 uat: merged from qa
>  a20a85c qa: mved from dev
>  2f644f2 dev: renamed from test
>  c8c067b test: added
>  a432124 puppet production environment initial check in
>  

Re: [Puppet Users] Puppet install failure

2016-04-26 Thread Christopher Wood
On Tue, Apr 26, 2016 at 01:10:41PM -0700, Paul Trepanier wrote:
>OK, tried your instructions (which only differed by "pc1" in the distname)
>and now /opt/puppetlabs is there.
> 
>What is the reason for this (I've found no less than 6 references for
>Centos 7 including a cbtnuggets.com training video that says to use the
>.rpm WITHOUT "pc1" in it).
>What is the difference between the "pc1 and non-"pc1" variants?

The reason is that Puppet changed their packaging between major versions 3 and 
4. The pc1 is the All In One packaging, also known as Puppet Collection 1.

https://puppet.com/blog/welcome-to-puppet-collections

Those links I pasted below have more details.

I think you'll benefit more from reading Puppet's own documentation than what 
you get from third parties right now.

https://docs.puppet.com/puppet/


>Would have been nice if they explained this in README.txt...
>    Paul
> 
>On Tuesday, April 26, 2016 at 2:46:13 PM UTC-5, Christopher Wood wrote:
> 
>  On Tue, Apr 26, 2016 at 12:37:38PM -0700, Paul Trepanier wrote:
>  >    Hi Folks,
>  >    ..on CentOS 7
>  >
>  >    # rpm -ivh http://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
>  >    # yum install puppet-server
>  >    # puppet resource package puppet-server ensure=latest
>  >    After doing this, there is NO /opt/puppetlabs directory.
>
>  I suspect you wanted the pc1 repositories and the puppetserver package?
>
>  rpm -ivh http://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
>  yum clean all
>  yum install puppetserver
>  rpm -q puppetserver puppet-agent
>  ls -d /opt/puppetlabs
>
>  Using puppet-server would get you puppet 3.8.7 per
>  http://yum.puppetlabs.com/el/7/products/x86_64.
>
>  https://docs.puppet.com/puppet/4.0/reference/release_notes.html
>
>  https://docs.puppet.com/puppet/4.0/reference/whered_it_go.html
> 
>  >    Any idea what the issue is?  All the docs say /opt/puppetlabs should be
>  >    there.
>  >
>  >    [root@puppetmaster puppet]# yum list installed | grep -i pup
>  >    facter.x86_64                1:2.4.6-1.el7    @puppetlabs-products
>  >    hiera.noarch                 1.3.4-1.el7      @puppetlabs-products
>  >    puppet.noarch                3.8.6-1.el7      @puppetlabs-products
>  >    puppet-server.noarch         3.8.6-1.el7      @puppetlabs-products
>  >    puppetlabs-release.noarch    7-12             installed
>  >    ruby-augeas.x86_64           0.4.1-3.el7      @puppetlabs-deps
>  >    ruby-shadow.x86_64           1:2.2.0-2.el7    @puppetlabs-deps
>  >    Thanks!
>  >    Paul
>  >

Re: [Puppet Users] Puppet install failure

2016-04-26 Thread Christopher Wood
On Tue, Apr 26, 2016 at 12:37:38PM -0700, Paul Trepanier wrote:
>Hi Folks,
>..on CentOS 7
> 
># rpm -ivh http://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
># yum install puppet-server
># puppet resource package puppet-server ensure=latest
>After doing this, there is NO /opt/puppetlabs directory.

I suspect you wanted the pc1 repositories and the puppetserver package?

rpm -ivh http://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
yum clean all
yum install puppetserver
rpm -q puppetserver puppet-agent
ls -d /opt/puppetlabs

Using puppet-server would get you puppet 3.8.7 per 
http://yum.puppetlabs.com/el/7/products/x86_64.

https://docs.puppet.com/puppet/4.0/reference/release_notes.html

https://docs.puppet.com/puppet/4.0/reference/whered_it_go.html

>Any idea what the issue is?  All the docs say /opt/puppetlabs should be
>there.
> 
>[root@puppetmaster puppet]# yum list installed | grep -i pup
>facter.x86_64                1:2.4.6-1.el7    @puppetlabs-products
>hiera.noarch                 1.3.4-1.el7      @puppetlabs-products
>puppet.noarch                3.8.6-1.el7      @puppetlabs-products
>puppet-server.noarch         3.8.6-1.el7      @puppetlabs-products
>puppetlabs-release.noarch    7-12             installed
>ruby-augeas.x86_64           0.4.1-3.el7      @puppetlabs-deps
>ruby-shadow.x86_64           1:2.2.0-2.el7    @puppetlabs-deps
>Thanks!
>Paul
> 


Re: [Puppet Users] Puppet MultiMaster open source

2016-04-20 Thread Christopher Wood
https://docs.puppet.com/puppetserver/2.2/external_ca_configuration.html#disabling-the-internal-puppet-ca-service

I use that line and have puppetized builds for puppetmasters anyway. Albeit 
that setting the Subject Alternative Name for the outside of the load balancer 
takes slightly more effort than signing a cert for a standard puppetmaster.

https://docs.puppet.com/guides/scaling_multiple_masters.html#before-running-puppet-agent-or-puppet-master

On Wed, Apr 20, 2016 at 07:50:04PM +0200, Geoff Galitz wrote:
>Thanks for the replies... any pointers on setting up puppet servers as
>compile masters?
>-G
>On Wed, Apr 20, 2016 at 5:12 PM, Kevin Corcoran
><kevin.corco...@puppet.com> wrote:
>
>  On Wed, Apr 20, 2016 at 5:58 AM, Geoff Galitz
>  <ggal...@shutterstock.com> wrote:
> 
>Is it possible to get compile master, master of master and code
>manager (file sync) working in the open source versions?
> 
>  Code manager and file sync are only available as part of Puppet
>  Enterprise.  I believe the standard alternative is to run r10k directly
>  on each master.
> 
> 
>--
>Geoff Galitz, Systems Engineer
>Shutterstock GmbH
>Greifswalder Strasse 212
>Aufgang F, 2 Hof
>10405 Berlin
> 


Re: [Puppet Users] How to Read New Files Dynamically with Hiera?

2016-04-14 Thread Christopher Wood
On Thu, Apr 14, 2016 at 07:34:34AM -0700, o...@soluto.com wrote:
> Hi,
>We need to manage many keys in Hiera. Since many people should be able to
>edit the keys and in order to avoid a complete mess I was thinking to work
>with many different files. The problem is that I don't know how to make
>Hiera read from new files. I don't want to add each file to the hierarchy
>explicitly.
>Optimally I would add something like that
>/etc/puppetlabs/code/environments/%{::environment}/hieradata/delegated/*
>and Hiera will just read from all files that are under the delegated
>folder. I wasn't able to find how to achieve my goal.
>What is the correct approach here?
>Thanks

This will be easier for you if you store your hiera data in revision control 
(say git) and have the puppetmasters sync it. That way it will be obvious who 
added what line and when.



Re: [Puppet Users] Announce: Puppet 3.8.5 available

2016-04-04 Thread Christopher Wood
(Pardon the necro, I felt these interesting results should be filed with the 
other ones.)

On Thu, Feb 11, 2016 at 08:50:32AM -0800, Kylo Ginsberg wrote:
>On Thu, Feb 11, 2016 at 8:02 AM, Christopher Wood
><christopher_w...@pobox.com> wrote:
> 
>  For idle interest's sake, I calculated the catalog compilation times
>  across our puppetmasters on Thursday January 28th with (open source)
>  3.8.4 and did the same thing just now for Thursday February 4th with
>  (open source) 3.8.5.
> 
>  Average catalog compilation times improved from 23.59 s to 20.44 s, or
>  approximately 13% improvement.
> 
>\o/
>We're giving more and more attention to performance improvements, so glad
>to get data-driven feedback like this. Thanks!
>Kylo

The above was all apache/passenger.

After another upgrade the puppetmasters here have been running these since 
Wednesday March 30th:

[root@puppetmaster4 ~]# rpm -q puppetserver
puppetserver-2.2.1-1.el6.noarch
[root@puppetmaster4 ~]# rpm -q puppet-agent
puppet-agent-1.3.6-1.el6.x86_64

On Thursday March 31st catalog compilation times averaged 5.93 s across all 
production puppetmasters.

> 
>  On Wed, Jan 27, 2016 at 02:58:29PM -0800, Eric Sorenson wrote:
>  >    Puppet 3.8.5 is now available. This is a bugfix release that contains
>  >    performance improvements to catalog compilation and Mac OS X service
>  >    management, along with fixes for Windows agents and the Puppet 4 language
>  >    parser. See the full release notes here:
>  >    http://docs.puppetlabs.com/puppet/3.8/reference/release_notes.html
>  >    For installation and upgrade instructions, see this doc:
>  >    http://docs.puppetlabs.com/puppet/3.8/reference/pre_install.html
>  >    A special community shout-out for this release to Github user 'earsdown'
>  >    for the PR to fix PUP-5212, which added HTTP proxy support to the PIP
>  >    package provider.
>  >    Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
>  >    puppet platform // coffee // techno // bicycles
>--
>Kylo Ginsberg | [14]k...@puppetlabs.com | irc: kylo | twitter: @kylog
> 

Re: [Puppet Users] mirroring puppet 4

2016-03-07 Thread Christopher Wood
That PC1 thing is intentional.

https://docs.puppetlabs.com/puppet/4.0/reference/release_notes.html

I'm curious how it came to be that anybody needs to know the specific 
repository and package to install to get puppet working? In your situation I 
would probably have cobbler or similar install the repos on server build, or 
supply some kind of bootstrap rpm or shell script.

On Mon, Mar 07, 2016 at 08:22:09AM -0800, steve moulton wrote:
>Greetings,
> 
>I maintain an open source software mirror used internally at ORNL, and have
>been successfully mirroring Puppet for some time.  However a user asked me
>why he could not get Puppet 4 using the standard repository information.  
>After some research/fumbling around we located it at
>https://yum.puppetlabs.com/el/7/PC1/x86_64/, which means we were mirroring
>it all along.
> 
>This means to get puppet4 I need to have users instantiate a separate
>yum.repos.d configuration file.  
> 
>Is this the recommended approach, or is there a yum configuration that
>would work better for users?  I have no problem maintaining two separate
>yum configuration files, but users will find it confusing.
> 
>Why was puppet4 released under PC1?  Is it not ready for prime time yet?
> 
>Thanks,
> 
>  - Steve
> 


Re: [Puppet Users] v3 agent to v4 master ssl issue

2016-02-20 Thread Christopher Wood
None of the certs are expired, I just checked.

Hopefully we will have puppet4 puppetservers in a few weeks and all this will 
be behind me.

On Fri, Feb 19, 2016 at 07:26:06PM -0500, warron.french wrote:
>Hi Christopher, is either certain invalid/expired?  I don't know the
>typical certificate lifespan.
> 
>On Feb 19, 2016 3:54 PM, "Christopher Wood"
><christopher_w...@pobox.com> wrote:
> 
>  I checked, the CA in use on my puppet4/puppetserver installation
>  definitely has no subjectAltName extension and a puppet4 agent works.
> 
>  In all likelihood I messed up something in the config.
> 
>  On Wed, Feb 17, 2016 at 10:23:19PM +0100, Felix Frank wrote:
>  > Hi Christopher,
>  >
>  > I have no first hand experience with this transition, but Martin put a note
>  > about SSL in the Puppet 4 chapter of the new Puppet Essentials (yes, I'm
>  > plugging us :-)
>  >
>  > Apparently Puppet 4 cannot use a CA that was created without the
>  > dns_alt_names setting. This might just be your issue. And yes, you will have
>  > to re-certify your infrastructure for the upgrade if this is the case.
>  >
>  > Cheers,
>  > Felix
>  >
>  > On 02/11/2016 11:02 PM, Christopher Wood wrote:
>  > >Update is that I still don't know why this happened, but I know what I
>  > >should not do when I go to convert the production puppetmasters.
>  > >
>  > >I have a set of 3.8.5 masters and was attempting to bring up a 4.3.2 master
>  > >(puppetserver 2.2.1, puppet-agent 1.3.4) as a non-CA master to test things
>  > >with. A 3.8.5 agent got these errors when trying to use a server=4.3.2 with
>  > >ca_server=3.8.5 set of puppetmaster versions.
>  > >
>  > >My 3.8.5 agent worked fine against the 4.3.2 master with a completely new
>  > >CA, and with the new master acting as a CA with the 3.8.5 CA's ssl files.
>  > >Using a 3.8.5 non-CA master with the 4.3.2 CA server works too.
>  > >
>  > >The upshot is that when I convert the puppetmasters to puppet 4 I will need
>  > >to convert the CA first and work outward from there (other puppetmasters at
>  > >that location, rest of the puppetmasters, then the agents).
>  > >
>  > >(Feel free to add more clue than I can provide, anybody.)
>  > >
>  > >On Fri, Feb 05, 2016 at 04:56:03PM -0500, Christopher Wood wrote:
>  > >>I have a puppet 3 agent attempting an agent run against a puppet 4 master
>  > >>but I am getting ssl errors. I'm out of google-fu and I've verified certs
>  > >>and keys, run both sides in debug using puppetserver and the rack "puppet
>  > >>master --no-daemonize --verbose", and am not seeing anything that jumps out
>  > >>at me. I do notice that when running in DEBUG the puppetserver log doesn't
>  > >>spit output during the agent run.
>  > >>
>  > >>The closest I can get to understanding this is stackoverflow, but I'm not
>  > >>sure how I would tell the agent to use TLSv1.2.
>  > >>
>  > >>http://stackoverflow.com/questions/25814210/opensslsslsslerror-ssl-connect-syscall-returned-5-errno-0-state-sslv3-read
>  > >>
>  > >>Any hints on what these ssl errors are from and how I can fix this?
>  > >>
>  > >>SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
>  > >>
>  > >>[root@mail10c2 ~]# puppet --version
>  > >>3.8.5
>  > >>[root@mail10c2 ~]# cat /etc/redhat-release
>  > >>CentOS release 6.7 (Final)
>  > >>[root@mail10c2 ~]# openssl version
>  > >>OpenSSL 1.0.1e-fips 11 Feb 2013
>  > >>
>  > >>[root@puppetmaster1stage ~]# rpm -q puppetserver
>  > >>puppetserver-2.2.1-1.el6.noarch
>  > >>[root@puppetmaster1stage ~]# /opt/puppetlabs/bin/puppet --version
>  > >>4.3.2
>  > >>[root@puppetmaster1stage ~]# cat /etc/redhat-release
>  > >>CentOS release 6.7 (Final)
>  > >>[root@puppetmaster1stage ~]# /opt/puppetlabs/puppet/bin/openssl version
>  > >>OpenSSL 1.0.2e 3 Dec 2015
>  > >>
>  > >>I've verified the hostcert, hostpubkey, and localcacert as definitely
>  > >>belonging to each other using openssl. These files exist at the paths from
>  > >>"puppet config print". The localcacert is definitely the CA cert that both
>  > >>serve

Re: [Puppet Users] v3 agent to v4 master ssl issue

2016-02-19 Thread Christopher Wood
I checked, the CA in use on my puppet4/puppetserver installation definitely has 
no subjectAltName extension and a puppet4 agent works.

In all likelihood I messed up something in the config.

On Wed, Feb 17, 2016 at 10:23:19PM +0100, Felix Frank wrote:
> Hi Christopher,
> 
> I have no first hand experience with this transition, but Martin put a note
> about SSL in the Puppet 4 chapter of the new Puppet Essentials (yes, I'm
> plugging us :-)
> 
> Apparently Puppet 4 cannot use a CA that was created without the
> dns_alt_names setting. This might just be your issue. And yes, you will have
> to re-certify your infrastructure for the upgrade if this is the case.
> 
> Cheers,
> Felix
> 
> On 02/11/2016 11:02 PM, Christopher Wood wrote:
> >Update is that I still don't know why this happened, but I know what I 
> >should not do when I go to convert the production puppetmasters.
> >
> >I have a set of 3.8.5 masters and was attempting to bring up a 4.3.2 master 
> >(puppetserver 2.2.1, puppet-agent 1.3.4) as a non-CA master to test things 
> >with. A 3.8.5 agent got these errors when trying to use a server=4.3.2 with 
> >ca_server=3.8.5 set of puppetmaster versions.
> >
> >My 3.8.5 agent worked fine against the 4.3.2 master with a completely new 
> >CA, and with the new master acting as a CA with the 3.8.5 CA's ssl files. 
> >Using a 3.8.5 non-CA master with the 4.3.2 CA server works too.
> >
> >The upshot is that when I convert the puppetmasters to puppet 4 I will need 
> >to convert the CA first and work outward from there (other puppetmasters at 
> >that location, rest of the puppetmasters, then the agents).
> >
> >(Feel free to add more clue than I can provide, anybody.)
> >
> >On Fri, Feb 05, 2016 at 04:56:03PM -0500, Christopher Wood wrote:
> >>I have a puppet 3 agent attempting an agent run against a puppet 4 master 
> >>but I am getting ssl errors. I'm out of google-fu and I've verified certs 
> >>and keys, run both sides in debug using puppetserver and the rack "puppet 
> >>master --no-daemonize --verbose", and am not seeing anything that jumps out 
> >>at me. I do notice that when running in DEBUG the puppetserver log doesn't 
> >>spit output during the agent run.
> >>
> >>The closest I can get to understanding this is stackoverflow, but I'm not 
> >>sure how I would tell the agent to use TLSv1.2.
> >>
> >>http://stackoverflow.com/questions/25814210/opensslsslsslerror-ssl-connect-syscall-returned-5-errno-0-state-sslv3-read
> >>
> >>Any hints on what these ssl errors are from and how I can fix this?
> >>
> >>SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
> >>
> >>[root@mail10c2 ~]# puppet --version
> >>3.8.5
> >>[root@mail10c2 ~]# cat /etc/redhat-release
> >>CentOS release 6.7 (Final)
> >>[root@mail10c2 ~]# openssl version
> >>OpenSSL 1.0.1e-fips 11 Feb 2013
> >>
> >>[root@puppetmaster1stage ~]# rpm -q puppetserver
> >>puppetserver-2.2.1-1.el6.noarch
> >>[root@puppetmaster1stage ~]# /opt/puppetlabs/bin/puppet --version
> >>4.3.2
> >>[root@puppetmaster1stage ~]# cat /etc/redhat-release
> >>CentOS release 6.7 (Final)
> >>[root@puppetmaster1stage ~]# /opt/puppetlabs/puppet/bin/openssl version
> >>OpenSSL 1.0.2e 3 Dec 2015
> >>
> >>I've verified the hostcert, hostpubkey, and localcacert as definitely 
> >>belonging to each other using openssl. These files exist at the paths from 
> >>"puppet config print". The localcacert is definitely the CA cert that both 
> >>server and client use, by md5sum.
> >>
> >>This is the output (that is definitely the --server in the server cert):
> >>
> >>[root@mail10c2 util]# puppet agent --onetime --verbose --no-daemonize 
> >>--no-splay --server puppetmaster1stage
> >>Warning: Unable to fetch my node definition, but the agent run will 
> >>continue:
> >>Warning: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
> >>Info: Retrieving pluginfacts
> >>Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional 
> >>resources using 'eval_generate': SSL_connect SYSCALL returned=5 errno=0 
> >>state=SSLv3 read finished A
> >>Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not 
> >>retrieve file metadata for puppet://puppetmaster1stage/pluginfacts: 
> >>SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
> >>Info: Retrieving plugin
> >>Error: /File[/var/lib/puppet/l
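
The checks mentioned in the thread above (hostcert, key and localcacert belonging to each other, the same CA copy on agent and master, and whether a certificate carries a subjectAltName extension), as an added example that is not part of the original messages. The function names, host names and the throwaway certificates generated in a temp directory are all constructed for illustration.

```shell
#!/bin/sh
# Added example: all file names, host names and certificates are constructed.

# Succeeds when certificate $1 and private key $2 carry the same public key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$c" = "$k" ]
}

# Succeeds when certificate $2 verifies against CA certificate $1. The
# "OK" line is matched rather than trusting the exit status alone.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Succeeds when certificate $1 carries a subjectAltName extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'X509v3 Subject Alternative Name'
}

# SHA-256 fingerprint of $1, for comparing the CA copy held by each host.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Build throwaway test material in directory $1: two unrelated CAs
# (ca, other) and one host certificate with a SAN, signed by "ca".
make_constructed_pki() {
    d=$1
    cat > "$d/o.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[v3_ca]
basicConstraints = critical,CA:TRUE
[san]
subjectAltName = DNS:agent.example.test
EOF
    for n in ca other; do
        openssl req -config "$d/o.cnf" -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Constructed $n CA" -extensions v3_ca \
            -keyout "$d/$n.key" -out "$d/$n.pem" 2>/dev/null || return 1
    done
    openssl req -config "$d/o.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=agent.example.test" \
        -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/host.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -extfile "$d/o.cnf" -extensions san \
        -out "$d/host.pem" 2>/dev/null
}

PKI_DIR=$(mktemp -d)
trap 'rm -rf "$PKI_DIR"' EXIT   # the constructed private keys are discarded
make_constructed_pki "$PKI_DIR" || echo "openssl could not build the test files"
cert_matches_key "$PKI_DIR/host.pem" "$PKI_DIR/host.key" &&
    echo "hostcert and private key belong together"
cert_chains_to_ca "$PKI_DIR/ca.pem" "$PKI_DIR/host.pem" &&
    echo "hostcert verifies against this localcacert"
cert_chains_to_ca "$PKI_DIR/other.pem" "$PKI_DIR/host.pem" ||
    echo "hostcert does NOT verify against the other CA"
cert_has_san "$PKI_DIR/ca.pem" || echo "CA cert has no subjectAltName"
echo "localcacert sha256: $(cert_fingerprint "$PKI_DIR/ca.pem")"
```

On a real agent or master the file paths would come from "puppet config print", as in the thread, and the fingerprint would be compared between the two hosts.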

Re: [Puppet Users] Announce: Puppet 3.8.5 available

2016-02-11 Thread Christopher Wood
For idle interest's sake, I calculated the catalog compilation times across our 
puppetmasters on Thursday January 28th with (open source) 3.8.4 and did the 
same thing just now for Thursday February 4th with (open source) 3.8.5.

Average catalog compilation times improved from 23.59 s to 20.44 s, or 
approximately 13% improvement.

On Wed, Jan 27, 2016 at 02:58:29PM -0800, Eric Sorenson wrote:
>Puppet 3.8.5 is now available. This is a bugfix release that contains
>performance improvements to catalog compilation and Mac OS X service
>management, along with fixes for Windows agents and the Puppet 4 language
>parser. See the full release notes here:
>http://docs.puppetlabs.com/puppet/3.8/reference/release_notes.html
>For installation and upgrade instructions, see this doc:
>http://docs.puppetlabs.com/puppet/3.8/reference/pre_install.html
>A special community shout-out for this release to Github user 'earsdown'
>for the PR to fix PUP-5212, which added HTTP proxy support to the PIP
>package provider. 
>Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
>puppet platform // coffee // techno // bicycles
> 

