Re: [Puppet Users] puppet-agent gone for Ubuntu Jammy 22.04?

['Eric Griswold' via Puppet Users]

Hi Brad,

We've repaired the install for Jammy puppet-agent on amd64. We will not have 
arm64 support ready in puppet-agent until the next release: 8.3.0 & 7.27.0

Eric Griswold
Puppet Release Engineering


On 10/11/23 19:53, 'Brad Reaves' via Puppet Users wrote:
Hi all,

I am getting install failures on Jammy when I try to install the puppet-agent 
package where apt says the package cannot be found in the repo.

I have tried with both the main apt repo and the nightlies, and with both 
"puppet7" and the plain "puppet" (which I presume is the latest from v8.) All 
fail.

I'm building images with cloud-init, and the same cloud-init config that fails 
on Jammy succeeds on Focal 20.04.

When I manually search through the Packages files on the repo server, I indeed 
find a puppet-agent package listed for Focal but not Jammy. I'm running arm64, 
but the amd64 package lists seem to have the same problem, so I don't think 
this is an "unsupported architecture" issue.

This is not the old issue where Jammy wasn't listed in the install.sh script. 
The package name just isn't in the repo, apart from being referenced by other 
packages.

Is anyone else having this problem? Is there a workaround that isn't "use 
focal" or "build the agent yourself?"

Thanks!
Brad Reaves
--
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to 
puppet-users+unsubscr...@googlegroups.com<mailto:puppet-users+unsubscr...@googlegroups.com>.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/b34922df-12de-4763-be3c-e2104b065e41n%40googlegroups.com<https://groups.google.com/d/msgid/puppet-users/b34922df-12de-4763-be3c-e2104b065e41n%40googlegroups.com?utm_medium=email_source=footer>.


CAUTION: This email originated from outside of the organization. Do not click 
on links or open attachments unless you recognize the sender and know the 
content is safe.



This e-mail may contain information that is privileged or confidential. If you 
are not the intended recipient, please delete the e-mail and any attachments 
and notify us immediately.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/80787c07-9d1a-4a93-8133-4166ab52381e%40perforce.com.

Re: [Puppet Users] puppet-agent gone for Ubuntu Jammy 22.04?

['Eric Griswold' via Puppet Users]

Brad,

There's a problem with the apt repo on apt.puppet.com. We're looking into it 
now.

Eric Griswold
Puppet Release Engineering


On 10/11/23 19:53, 'Brad Reaves' via Puppet Users wrote:
Hi all,

I am getting install failures on Jammy when I try to install the puppet-agent 
package where apt says the package cannot be found in the repo.

I have tried with both the main apt repo and the nightlies, and with both 
"puppet7" and the plain "puppet" (which I presume is the latest from v8.) All 
fail.

I'm building images with cloud-init, and the same cloud-init config that fails 
on Jammy succeeds on Focal 20.04.

When I manually search through the Packages files on the repo server, I indeed 
find a puppet-agent package listed for Focal but not Jammy. I'm running arm64, 
but the amd64 package lists seem to have the same problem, so I don't think 
this is an "unsupported architecture" issue.

This is not the old issue where Jammy wasn't listed in the install.sh script. 
The package name just isn't in the repo, apart from being referenced by other 
packages.

Is anyone else having this problem? Is there a workaround that isn't "use 
focal" or "build the agent yourself?"

Thanks!
Brad Reaves
--
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to 
puppet-users+unsubscr...@googlegroups.com<mailto:puppet-users+unsubscr...@googlegroups.com>.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/b34922df-12de-4763-be3c-e2104b065e41n%40googlegroups.com<https://groups.google.com/d/msgid/puppet-users/b34922df-12de-4763-be3c-e2104b065e41n%40googlegroups.com?utm_medium=email_source=footer>.


CAUTION: This email originated from outside of the organization. Do not click 
on links or open attachments unless you recognize the sender and know the 
content is safe.



This e-mail may contain information that is privileged or confidential. If you 
are not the intended recipient, please delete the e-mail and any attachments 
and notify us immediately.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/1d52b8ec-f4a5-41b2-982b-4fbf3a537d32%40perforce.com.

Re: [Puppet Users] Removal of CentOS 8 Support

[Eric Green]

I am not an employee of Puppet Labs, but for our own product, we decided 
that we were not going to support Centos Stream because a) none of our 
customers planned to use it, and b) it was not stable enough for us to 
guarantee the performance of our product on it. For that matter we ceased 
work on CentOS 8 server support the moment Red Hat made their announcement 
that they were ending support for the OS early. It was a relief, actually, 
because internally we have now standardized on Ubuntu LTS and are migrating 
our older CentOS platforms to Ubuntu LTS as they reach end of life, and 
adding another platform that was incompatible with both CentOS 7 and Ubuntu 
LTS was proving difficult. Red Hat Software made some decisions with RHEL 8 
to a) boost their own application platform software, and b) remove 
competing application platform software, and our server product requires 
one of those competing application platform software packages that had been 
in RHEL for over a decade.

I must say that I've been very pleased with Ubuntu 20 LTS. Its mature and 
stable ZFS support in particular has been a joy on my personal NAS server 
here at home. When that NAS server was running CentOS 7, ZFS was regularly 
getting broken by kernel updates. No such oddities in Ubuntu LTS.
On Thursday, October 7, 2021 at 5:51:09 AM UTC-7 Nacho Barrientos wrote:

>
> Aidan Nathanson  writes:
>
> > Hi Nacho,
>
> Hi Aidan,
>
> >
> > Thanks for reaching out! We are looking into adding support for CentOS 
> > Stream 8 on the agent side only. Let us know if you have additional 
> > questions!
>
> Thanks for your reply. For us it'd be particularity problematic not
> having support on the server side, may I ask why are you only looking
> into adding support on the agent side? The fact that CentOS 8 goes away
> but the natural successor is not considered is somewhat surprising.
>
> Also, what are your feelings about CentOS Stream 9?
>
> Thanks a bunch.
>
> -- 
> bye
> Nacho
> http://cern.ch/nacho
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/b78790ca-0e3b-4ffd-891a-a4d3688dd53an%40googlegroups.com.

[Puppet Users] Re: Reminder: Puppet Platform GPG signing changes starting January 11, 2021, action may be required

[Eric Griswold]

Hi Andy, 

Sorry for the confusion. Let's see if I can clear it up.

The release packages already contain both the old key (due to expire August 
17, 2021) and the new key (due to expire April 6, 2025). They've been this 
way since last July. The Description is misleading, I admit.

Yesterday, I flipped an internal switch that any packages released after 
the switch would be signed with the new key. Puppet Platform will continue 
their normal release process and will be viable with either key until the 
old one expires in August.

As this rolls out in the coming weeks, I won't be terribly surprised if 
there's an occasional unforeseen problem with a package.  I encourage 
bringing any issues to our attention and we'll work to fix them as quickly 
as I can.

Eric

On Tuesday, January 12, 2021 at 3:43:41 AM UTC-8 Andy Hall wrote:

> hey eric why do we not see the latest key in the release packages then ? 
> thanks.
>
> # yum info puppet-release
> Available Packages
> Name: puppet-release
> Arch: noarch
> Version : 1.0.0
> Release : 14.el6
> Description : Release packages for the Puppet repository
> : 
> : Contains the following components:
> : gpg_key 2019.4.8
> : repo_definition 2020.06.02
>
> # yum info puppet6-release
> Available Packages
> Name: puppet6-release
> Arch: noarch
> Version : 6.0.0
> Release : 10.el6
> Description : Release packages for the Puppet 6 repository
> : 
> : Contains the following components:
> : gpg_key 2019.4.8
> : repo_definition 2020.05.18
>
> On Monday, 11 January 2021 at 22:05:04 UTC eric.g...@puppet.com wrote:
>
>>
>> Puppet Platform GPG signing was initially scheduled for November last 
>> year but it was delayed until just now.
>>
>> Today I made the internal change to start signing with the updated key.
>>
>>
>> On Wednesday, October 21, 2020 at 4:24:41 PM UTC-7 Eric Griswold wrote:
>>
>>> Why This Change 
>>>
>>> Puppet sets its package signing keys to expire on a set schedule for 
>>> good security practices.
>>> Summary 
>>>
>>> On November 2, 2020, Puppet Release Engineering will start signing 
>>> Puppet Platform and Puppet Enterprise packages with an updated GPG key.
>>> This is an explanation of how various existing users will be affected by 
>>> this change and what actions they will need to take. 
>>>
>>> FOSS users can update their release packages and import the new GPG key 
>>> now so that when the GPG key changes, they will not see any problems 
>>> installing software.
>>> Puppet Enterprise Users 
>>>
>>> Puppet Enterprise users do not need to take any specific action, the GPG 
>>> change will be handled inside the PE installer.
>>> FOSS Users 
>>>
>>> Puppet Release Engineering updated the yum and apt release packages to 
>>> contain both the new key and the current key just before June 3, 2020. If 
>>> you have installed or updated the release package since that date you 
>>> should already have the new key.
>>>
>>> SLES users, however, need to take an additional step:
>>> SLES Users 
>>>
>>> SLES users need to take these steps. (Replace "puppet-release" with 
>>> "puppet5-release" or "puppet6-release" if you are using those packages) 
>>>
>>>1. 
>>>
>>>Download the updated GPG key: $ curl --remote-name --location 
>>>https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406
>>>2. 
>>>
>>>Import the updated GPG key: $ sudo rpm --import 
>>>RPM-GPG-KEY-puppet-20250406
>>>3. 
>>>
>>>Update the SLES puppet-release package $ zypper update puppet-release
>>>
>>> All Other FOSS users 
>>>
>>> All other FOSS users need only upgrade to the latest puppet-release 
>>> package. (Replace "puppet-release" with "puppet5-release" or 
>>> "puppet6-release" if you are using those packages) 
>>>
>>> For the apt users:  $ sudo apt-get upgrade puppet-release
>>>
>>> For the yum users: $ sudo yum update puppet-release
>>> Further Notes 
>>>
>>> Puppet GPG signing key, 2020 edition 
>>> <https://puppet.com/blog/updated-puppet-gpg-signing-key-2020-edition> 
>>> contains this and some more information about updating the GPG key using 
>>> Puppet.
>>>
>>> Eric Griswold
>>>
>>> Puppet Release Engineering
>>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/bf8954d0-2e76-4e05-82fa-e11c747193d2n%40googlegroups.com.

[Puppet Users] Re: Reminder: Puppet Platform GPG signing changes starting January 11, 2021, action may be required

[Eric Griswold]

Puppet Platform GPG signing was initially scheduled for November last year 
but it was delayed until just now.

Today I made the internal change to start signing with the updated key.


On Wednesday, October 21, 2020 at 4:24:41 PM UTC-7 Eric Griswold wrote:

> Why This Change 
>
> Puppet sets its package signing keys to expire on a set schedule for good 
> security practices.
> Summary 
>
> On November 2, 2020, Puppet Release Engineering will start signing Puppet 
> Platform and Puppet Enterprise packages with an updated GPG key.
> This is an explanation of how various existing users will be affected by 
> this change and what actions they will need to take. 
>
> FOSS users can update their release packages and import the new GPG key 
> now so that when the GPG key changes, they will not see any problems 
> installing software.
> Puppet Enterprise Users 
>
> Puppet Enterprise users do not need to take any specific action, the GPG 
> change will be handled inside the PE installer.
> FOSS Users 
>
> Puppet Release Engineering updated the yum and apt release packages to 
> contain both the new key and the current key just before June 3, 2020. If 
> you have installed or updated the release package since that date you 
> should already have the new key.
>
> SLES users, however, need to take an additional step:
> SLES Users 
>
> SLES users need to take these steps. (Replace "puppet-release" with 
> "puppet5-release" or "puppet6-release" if you are using those packages) 
>
>1. 
>
>Download the updated GPG key: $ curl --remote-name --location 
>https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406
>2. 
>
>Import the updated GPG key: $ sudo rpm --import 
>RPM-GPG-KEY-puppet-20250406
>3. 
>
>Update the SLES puppet-release package $ zypper update puppet-release
>
> All Other FOSS users 
>
> All other FOSS users need only upgrade to the latest puppet-release 
> package. (Replace "puppet-release" with "puppet5-release" or 
> "puppet6-release" if you are using those packages) 
>
> For the apt users:  $ sudo apt-get upgrade puppet-release
>
> For the yum users: $ sudo yum update puppet-release
> Further Notes 
>
> Puppet GPG signing key, 2020 edition 
> <https://puppet.com/blog/updated-puppet-gpg-signing-key-2020-edition> 
> contains this and some more information about updating the GPG key using 
> Puppet.
>
> Eric Griswold
>
> Puppet Release Engineering
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/30be45f7-cd44-40a9-ac95-48aa3ec79032n%40googlegroups.com.

[Puppet Users] Reminder: Puppet Platform GPG signing changes starting November 2, 2020, action may be required

[Eric Griswold]

Why This Change 

Puppet sets its package signing keys to expire on a set schedule for good 
security practices.
Summary 

On November 2, 2020, Puppet Release Engineering will start signing Puppet 
Platform and Puppet Enterprise packages with an updated GPG key.
This is an explanation of how various existing users will be affected by 
this change and what actions they will need to take. 

FOSS users can update their release packages and import the new GPG key now 
so that when the GPG key changes, they will not see any problems installing 
software.
Puppet Enterprise Users 

Puppet Enterprise users do not need to take any specific action, the GPG 
change will be handled inside the PE installer.
FOSS Users 

Puppet Release Engineering updated the yum and apt release packages to 
contain both the new key and the current key just before June 3, 2020. If 
you have installed or updated the release package since that date you 
should already have the new key.

SLES users, however, need to take an additional step:
SLES Users 

SLES users need to take these steps. (Replace "puppet-release" with 
"puppet5-release" or "puppet6-release" if you are using those packages) 

   1. 
   
   Download the updated GPG key: $ curl --remote-name --location 
   https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406
   2. 
   
   Import the updated GPG key: $ sudo rpm --import 
   RPM-GPG-KEY-puppet-20250406
   3. 
   
   Update the SLES puppet-release package $ zypper update puppet-release
   
All Other FOSS users 

All other FOSS users need only upgrade to the latest puppet-release 
package. (Replace "puppet-release" with "puppet5-release" or 
"puppet6-release" if you are using those packages) 

For the apt users:  $ sudo apt-get upgrade puppet-release

For the yum users: $ sudo yum update puppet-release
Further Notes 

Puppet GPG signing key, 2020 edition 
<https://puppet.com/blog/updated-puppet-gpg-signing-key-2020-edition> 
contains this and some more information about updating the GPG key using 
Puppet.

Eric Griswold

Puppet Release Engineering

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/111a5a12-db70-424a-bd3f-1f46810e96c1n%40googlegroups.com.

[Puppet Users] Puppet Platform GPG signing changes starting November 2, 2020, action may be required

[Eric Griswold]

 Why This Change

Puppet sets its package signing keys to expire on a set schedule for 
good security practices.



 Summary

On November 2, 2020, Puppet Release Engineering will start signing 
Puppet Platform and Puppet Enterprise packages with an updated GPG key.



This is an explanation of how various existing users will be affected by 
this change and what actions they will need to take.



FOSS users can update their release packages and import the new GPG key 
nowso that when the GPG key changes, they will not see any problems 
installing software.



 Puppet Enterprise Users

Puppet Enterprise users do not need to take any specific action, the GPG 
change will be handled inside the PE installer.



 FOSS Users

Puppet Release Engineering updated the yum and apt release packages to 
contain both the new key and the current key just before June 3, 2020. 
If you have installed or updated the release package since that date you 
should already have the new key.



SLES users, however, need to take an additional step:


   SLES Users

SLES users need to take these steps. (Replace "puppet-release" with 
"puppet5-release" or "puppet6-release" if you are using those packages)


1.

   Download the updated GPG key: $ curl --remote-name --location
   https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406

2.

   Import the updated GPG key: $ sudo rpm --import
   RPM-GPG-KEY-puppet-20250406

3.

   Update the SLES puppet-release package$ zypper update puppet-release


   All Other FOSS users

All other FOSS users need only upgrade to the latest puppet-release 
package. (Replace "puppet-release" with "puppet5-release" or 
"puppet6-release" if you are using those packages)


For the apt users: $ sudo apt-get upgrade puppet-release

For the yum users: $ sudo yum update puppet-release


 Further Notes

Puppet GPG signing key, 2020 edition 
<https://puppet.com/blog/updated-puppet-gpg-signing-key-2020-edition>contains 
this and some more information about updating the GPG key using Puppet.


Eric Griswold

Puppet Release Engineering

--
You received this message because you are subscribed to the Google Groups "Puppet 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/a0197cec-5d70-5594-c67e-b702732a43a9%40puppet.com.

Re: [Puppet Users] Is the focal repo borked for Ubuntu 20.04 LTS (Focal Fossa)?

[Eric Griswold]

Hi Chris,

Thanks for providing the details. That helps us out a lot as well.

Eric


On 6/22/20 2:11 PM, Chris wrote:

Greetings Eric,

tl;dr - PEBKEC

  Thank you for the response.  Just to make sure I am not off my 
rocker, I verified that I was getting this error on all my Ubuntu 
20.04 instances.  I was, so I built a clean Ubuntu 20 and started 
through my initialization checklist.  After installing 
puppet6-release-focal.deb on a fresh VM, I too was not getting the 
error.  That made me take a deeper look at the affected machines.  In 
the comments in /etc/apt/sources.list.d/pc_repo.list I found the note 
"# This file is managed by Puppet. DO NOT EDIT." and a bell went off. 
 /etc/apt/sources.list.d/pc_repo.list was being managed by the 
puppetlabs-puppet_agent module, which is why it wasn't removed when I 
purged puppet6-release and re-installed it.  I'd forgotten to set 
'collection', so the repo was getting stomped with the wrong collection.


Cheers,

-Chris


On Tue, Jun 23, 2020 at 5:08 AM Eric Griswold 
mailto:eric.grisw...@puppet.com>> wrote:


Hi Chris,

I tried this on a fresh Ubuntu 20.04 VM and couldn't duplicate the
problem. Would you be willing to send me a tarball of your *.list
files to analyze?

Thanks,
Eric Griswold
Puppet Release Engineering


On 6/19/20 1:06 AM, Chris Knight wrote:

I first encountered this problem a few days ago, and I thought
I'd wait to see if it was repo corruption that would be fixed. 
Sadly, even with a fresh install of the repo package I'm still
getting this:

root@babylonia:~# wget
https://apt.puppetlabs.com/puppet6-release-focal.deb
--2020-06-19 08:04:46--
https://apt.puppetlabs.com/puppet6-release-focal.deb
Resolving apt.puppetlabs.com <http://apt.puppetlabs.com>
(apt.puppetlabs.com <http://apt.puppetlabs.com>)... 13.227.21.13,
13.227.21.8, 13.227.21.103, ...
Connecting to apt.puppetlabs.com <http://apt.puppetlabs.com>
(apt.puppetlabs.com
<http://apt.puppetlabs.com>)|13.227.21.13|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11732 (11K) [application/x-debian-package]
Saving to: ‘puppet6-release-focal.deb’

puppet6-release-focal.deb

100%[==>]
11.46K  --.-KB/s    in 0s

2020-06-19 08:04:46 (121 MB/s) - ‘puppet6-release-focal.deb’
saved [11732/11732]

root@babylonia:~# dpkg -i puppet6-release-focal.deb
Selecting previously unselected package puppet6-release.
(Reading database ... 104937 files and directories currently
installed.)
Preparing to unpack puppet6-release-focal.deb ...
Unpacking puppet6-release (6.0.0-9focal) ...
Setting up puppet6-release (6.0.0-9focal) ...
root@babylonia:~# apt update
Hit:1 https://apt.puppet.com focal InRelease
Hit:2 http://apt.puppetlabs.com focal InRelease
Hit:3 http://us.archive.ubuntu.com/ubuntu focal InRelease
Hit:4 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:5 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:6 http://us.archive.ubuntu.com/ubuntu focal-security InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
W: Skipping acquire of configured file
'PC1/binary-amd64/Packages' as repository 'https://apt.puppet.com
focal InRelease' doesn't have the component 'PC1' (component
misspelt in sources.list?)
W: Skipping acquire of configured file 'PC1/binary-all/Packages'
as repository 'https://apt.puppet.com focal InRelease' doesn't
have the component 'PC1' (component misspelt in sources.list?)
W: Skipping acquire of configured file 'PC1/i18n/Translation-en'
as repository 'https://apt.puppet.com focal InRelease' doesn't
have the component 'PC1' (component misspelt in sources.list?)
W: Skipping acquire of configured file
'PC1/i18n/Translation-en_US' as repository
'https://apt.puppet.com focal InRelease' doesn't have the
component 'PC1' (component misspelt in sources.list?)
W: Skipping acquire of configured file 'PC1/cnf/Commands-amd64'
as repository 'https://apt.puppet.com focal InRelease' doesn't
have the component 'PC1' (component misspelt in sources.list?)
W: Skipping acquire of configured file 'PC1/cnf/Commands-all' as
repository 'https://apt.puppet.com focal InRelease' doesn't have
the component 'PC1' (component misspelt in sources.list?)
root@babylonia:~#

Is there something corrupted on my end that I can address?


-- 
You received this message because you are subscribed to the

Google Groups "Puppet 

Re: [Puppet Users] Is the focal repo borked for Ubuntu 20.04 LTS (Focal Fossa)?

[Eric Griswold]

Hi Chris,

I tried this on a fresh Ubuntu 20.04 VM and couldn't duplicate the 
problem. Would you be willing to send me a tarball of your *.list files 
to analyze?


Thanks,
Eric Griswold
Puppet Release Engineering


On 6/19/20 1:06 AM, Chris Knight wrote:
I first encountered this problem a few days ago, and I thought I'd 
wait to see if it was repo corruption that would be fixed.  Sadly, 
even with a fresh install of the repo package I'm still getting this:


root@babylonia:~# wget 
https://apt.puppetlabs.com/puppet6-release-focal.deb
--2020-06-19 08:04:46-- 
https://apt.puppetlabs.com/puppet6-release-focal.deb
Resolving apt.puppetlabs.com (apt.puppetlabs.com)... 13.227.21.13, 
13.227.21.8, 13.227.21.103, ...
Connecting to apt.puppetlabs.com 
(apt.puppetlabs.com)|13.227.21.13|:443... connected.

HTTP request sent, awaiting response... 200 OK
Length: 11732 (11K) [application/x-debian-package]
Saving to: ‘puppet6-release-focal.deb’

puppet6-release-focal.deb 
100%[==>] 
11.46K  --.-KB/s    in 0s


2020-06-19 08:04:46 (121 MB/s) - ‘puppet6-release-focal.deb’ saved 
[11732/11732]


root@babylonia:~# dpkg -i puppet6-release-focal.deb
Selecting previously unselected package puppet6-release.
(Reading database ... 104937 files and directories currently installed.)
Preparing to unpack puppet6-release-focal.deb ...
Unpacking puppet6-release (6.0.0-9focal) ...
Setting up puppet6-release (6.0.0-9focal) ...
root@babylonia:~# apt update
Hit:1 https://apt.puppet.com focal InRelease
Hit:2 http://apt.puppetlabs.com focal InRelease
Hit:3 http://us.archive.ubuntu.com/ubuntu focal InRelease
Hit:4 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:5 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:6 http://us.archive.ubuntu.com/ubuntu focal-security InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
W: Skipping acquire of configured file 'PC1/binary-amd64/Packages' as 
repository 'https://apt.puppet.com focal InRelease' doesn't have the 
component 'PC1' (component misspelt in sources.list?)
W: Skipping acquire of configured file 'PC1/binary-all/Packages' as 
repository 'https://apt.puppet.com focal InRelease' doesn't have the 
component 'PC1' (component misspelt in sources.list?)
W: Skipping acquire of configured file 'PC1/i18n/Translation-en' as 
repository 'https://apt.puppet.com focal InRelease' doesn't have the 
component 'PC1' (component misspelt in sources.list?)
W: Skipping acquire of configured file 'PC1/i18n/Translation-en_US' as 
repository 'https://apt.puppet.com focal InRelease' doesn't have the 
component 'PC1' (component misspelt in sources.list?)
W: Skipping acquire of configured file 'PC1/cnf/Commands-amd64' as 
repository 'https://apt.puppet.com focal InRelease' doesn't have the 
component 'PC1' (component misspelt in sources.list?)
W: Skipping acquire of configured file 'PC1/cnf/Commands-all' as 
repository 'https://apt.puppet.com focal InRelease' doesn't have the 
component 'PC1' (component misspelt in sources.list?)

root@babylonia:~#

Is there something corrupted on my end that I can address?


--
You received this message because you are subscribed to the Google 
Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send 
an email to puppet-users+unsubscr...@googlegroups.com 
<mailto:puppet-users+unsubscr...@googlegroups.com>.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/e8485a70-3f64-4447-aeef-546ae6fb09dao%40googlegroups.com 
<https://groups.google.com/d/msgid/puppet-users/e8485a70-3f64-4447-aeef-546ae6fb09dao%40googlegroups.com?utm_medium=email_source=footer>.


--
You received this message because you are subscribed to the Google Groups "Puppet 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/9f497f99-7eb2-51f7-edcf-2b9e9713a2df%40puppet.com.

[Puppet Users] Re: Could not back up /home/user/.ssh/authorized_keys: Could not find terminus file for indirection file_bucket_file

[Eric Sorenson]

It is trying to use an old backup mechanism , the way to read the error 
(not that you should have to understand this, it's terrible) is

Could not load a ruby extension named "file.rb" for the "file_bucket_file" 
setting.

The shortest fix is to set "File { backup => false }" in your site.pp. 

--eric0

On Tuesday, June 11, 2019 at 3:48:39 PM UTC-7, brian lamb wrote:
>
> I have an event failure, one for each user.  They use global facter 
> variables for the keys, im not sure if thats relavant.  *What is 
> terminus, does that insinuate endpoint?  **What is indirection, and 
> file_bucket_file? *In my implementation of this, i havent seen those 
> keywords yet, however its remotely possible its from residual code from a 
> v3 manifest, since I am in an upgrade. 
>  Event: Failure
> Export data 
> 
> View run report 
> 
> Resource Ssh_authorized_key[blamb-jumped]
> Resource path Stage[main]/Ssh/Ssh_authorized_key[my_user_key_var]/
> Node affected ws2.vtm-ws.com
> Event timestamp 2019-06-11T02:09:11.212 Z
> Class Ssh
> Config version ws4-cbp-7af07afca4c
> File and line number -
> Property 
> Old Value 
> New Value 
> Message Could not back up /home/blamb/.ssh/authorized_keys: Could not 
> find terminus file for indirection file_bucket_file
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/5a0a79d5-0034-448a-8ce3-e123709d4d43%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Concerns about Puppet 4 master serving Puppet 3 clients

[Eric Sorenson]

You're correct John - Puppet 4 masters using Puppet Server will work with 
Puppet 3 agents.  If the catalog compiles (Henrik's point), the 
agent/master comms will be fine.

Note the same is not true for Apache/Passenger based Puppet 4 setups - the 
URL rewriting that enables the compatibility is only implemented in 
puppetserver.

--eric

On Tuesday, January 15, 2019 at 5:52:35 AM UTC-8, jcbollinger wrote:
>
>
>
> On Monday, January 14, 2019 at 10:01:21 AM UTC-6, Henrik Lindberg wrote:
>>
>> On 2019-01-14 16:22, Peter Berghold wrote: 
>> > I am about to have our first Puppet 4 Puppet master into our production 
>> > environment. We have a very large community of Puppet 3 "leaf nodes" 
>> > being managed by our old Puppet 3 infrastructure. 
>> > 
>> > What issues might I run into with that and what should I do to mitigate 
>> > this? 
>> > 
>>
>> It is a quite open ended question unfortunately. You may want to start 
>> reading here: https://puppet.com/docs/puppet/4.10/upgrade_major_pre.html 
>> and then come back with more specific questions. 
>>
>
>
> Hmmm.  I took the question to be about whether there were known issues 
> revolving around a P4 master serving catalogs to P3 agents.  I didn't think 
> P4 broke the pattern that the master supports agents from the previous 
> generation.  Or is that less of a pattern than I thought?
>
>
> John
>  
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/ece3301a-9651-4238-a02c-3ded8831ad1b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: Bolt 1.8.0 now available

[Eric Sorenson]

Vlastimil - I'm forwarding this message to the puppet-users list instead of 
puppet-announce.

--eric0

> From: vlastimil.ho...@gmail.com
> Subject: Re: Bolt 1.8.0 now available
> Date: January 4, 2019 at 3:46:31 AM PST
> To: Puppet Announce 
> 
> 
> Hello,
> 
> On Friday, January 4, 2019 at 12:01:51 AM UTC+1, Puppet Product Updates wrote:
> Greetings!
> 
> We're happy to announce the release of Bolt 1.8.0. Highlights in this release 
> include:
> Standard library functions
> 
> how to use those new functions?
> 
> Having a following simple plan:
> 
> plan profiles::test {
>   ctrl::sleep(5)
> }
> 
> Complains about unknown function:
> $ bolt --boltdir=$PWD plan run profiles::test
> Starting: plan profiles::test
> Finished: plan profiles::test in 0.02 sec
> {
>   "kind": "bolt/pal-error",
>   "msg": "Evaluation Error: Unknown function: 'ctrl::sleep'. (file: 
> .../bolt/site/profiles/plans/test.pp, line: 2, column: 3)",
>   "details": {
>   }
> }
> 
> Having Bolt 1.8 from packages for C7:
> $ rpm -q puppet-bolt
> puppet-bolt-1.8.0-1.el7.x86_64
> 
> Thank you,
> Vlastimil Holer
>  
> For more information, check out the release notes: 
> https://puppet.com/docs/bolt/1.x/bolt_release_notes.html 
> 
> 
> To try this version of Bolt, follow the installation instructions for your 
> operating system:
> https://puppet.com/docs/bolt/1.x/bolt_installing.html 
> 
> 
> Thanks!
> 
> 

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/E916991D-48D3-4365-97AD-04A230803FF3%40puppet.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] PUPPET 6.0 : PuppetDB SSL Engine issue

[Eric Sorenson]

Andy, did you get this fixed?

--eric0

On Friday, November 16, 2018 at 9:02:02 AM UTC-8, Andy Hall wrote:
>
> Hmm perhaps I should RTFM : 
> https://puppet.com/docs/puppetdb/6.0/maintain_and_tune.html#redo-ssl-setup-after-changing-certificates
>
> On Friday, 16 November 2018 16:49:20 UTC, Andy Hall wrote:
>>
>> Apologies for the late reply but do you know how to re-create the certs 
>> for PuppetDB ? Is there a specific PuppetDB group who may be able to answer 
>> this ? Thanks very much.
>>
>> On Wednesday, 3 October 2018 19:04:26 UTC+1, Maggie Dreyer wrote:
>>>
>>> If you regenerated your CA as part of fixing the issues with the 
>>> master/agent connection, did you also regenerate the certificates for 
>>> PuppetDB? Not having really any experience with PuppetDB, I could see thi 
>>> error being cause by still using certificates issued by the old certificate 
>>> authority.
>>>
>>> On Wed, Oct 3, 2018 at 10:58 AM Andy Hall  wrote:
>>>
 Just fixed an issue with the puppetserver ca after a 5.x to 6.x upgrade 
 (see post "PUPPET 6.0 : CSR from master does not match the agent public 
 key" for more details) but now experience the following issue with 
 PuppetDB 
 (maybe a problem with the Java KeyStore ?):

 AGENT:

 # puppet agent --test

 Warning: Unable to fetch my node definition, but the agent run will 
 continue:
 Warning: Error 500 on SERVER: Server Error: Could not retrieve facts 
 for andy-puppet6-test.london.company.com: Failed to find facts from 
 PuppetDB at puppet:8140: Failed to execute '/pdb/query/v4/nodes/
 andy-puppet6-test.london.company.com/facts' on at least 1 of the 
 following 'server_urls': https://ldn1-puppet5.london.company.com:8081

 Info: Retrieving pluginfacts
 Info: Retrieving plugin
 Info: Retrieving locales
 Info: Loading facts

 Error: Could not retrieve catalog from remote server: Error 500 on 
 SERVER: Server Error: Failed to execute 
 '/pdb/cmd/v1?checksum=53837e24e8b91d10fc3a81a657b83258c0ab3f8f=5=
 andy-puppet6-test.london.company.com=replace_facts=1538588583'
  
 on at least 1 of the following 'server_urls': 
 https://ldn1-puppet5.london.company.com:8081

 Warning: Not using cache on failed catalog
 Error: Could not retrieve catalog; skipping run

 MASTER:

 ==> /var/log/puppetlabs/puppetserver/puppetserver.log <==
 2018-10-03T18:49:26.860+01:00 ERROR [qtp1255475413-70] 
 [c.p.h.c.i.PersistentSyncHttpClient] Error executing http request
 javax.net.ssl.SSLHandshakeException: General SSLEngine problem
 at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
 at 
 sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
 at 
 sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
 at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
 at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
 at 
 org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:265)
 at 
 org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:305)
 at 
 org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:509)
 at 
 org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
 at 
 org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
 at 
 org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
 at 
 org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
 at 
 org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
 at 
 org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
 at 
 org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
 at java.lang.Thread.run(Thread.java:748)
 Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine 
 problem
 at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
 at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
 at 
 sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
 at 
 sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
 at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
 at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
 at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
 at java.security.AccessController.doPrivileged(Native Method)
 at 
 

[Puppet Users] Re: Upgrade to puppet-agent 5.3.5 report failure

[Eric Sorenson]

Hi Darragh, the fact that the error message contains a '400' error suggests 
the problem happens on the server when it receives the report. 

My first guess given that error message is also that there's a mix of 
versions installed, but it's weird that it only happens on some reports. 
Maybe there is something malformed in those reports that triggers a 
different code path on the server.

You can save a copy of the reports by adding `store` to the type of report 
submission on the master: `reports = https,store` and see what they look 
like. They should go into a subdirectory 
of /opt/puppetlabs/puppet/cache/reports

HTH
--eric0



On Tuesday, November 27, 2018 at 10:10:53 AM UTC-8, Darragh Bailey wrote:
>
> Hi,
>
>
> Currently in the process of testing out an upgrade to version 5 of the 
> puppet-agent within our local virtual environment used to validate changes 
> before they can be landed and I'm running into a few problems around the 
> report at the end run.
>
> Have 5 VMs in a vagrant environment, that are initially bootstrapped with 
> some scripts to get the puppet 5 packages installed, then uses puppet apply 
> to perform some initial setup around network/apt-caching, followed by 
> applying the 'puppet_server' provisioner which runs puppet agent.
>
> Unfortunately I'm seeing an error, that doesn't occur on all the VM's and 
> I'm not sure how to debug it further or understand what's missing.
>
> vagrant up
> ...
> ==> srv-1: Warning: Event['previous_value'] contains a Process::Status 
> value. It will be converted to the String 'pid 30408 exit 1'
> ==> srv-1: Warning: Event['previous_value'] contains a Process::Status 
> value. It will be converted to the String 'pid 32434 exit 1'
> ==> srv-1: Error: Could not send report: Error 400 on SERVER: Bad Request: 
> The request body is invalid: Could not intern from json: Internal Error: 
> Puppet Context ':loaders' missing
> 
> ==> srv-3: Warning: Event['previous_value'] contains a Process::Status 
> value. It will be converted to the String 'pid 28777 exit 1'
> ==> srv-3: Error: Could not send report: Error 400 on SERVER: Bad Request: 
> The request body is invalid: Could not intern from json: Internal Error: 
> Puppet Context ':loaders' missing
>
>
> What is also surprising is that it doesn't occur on all of the VM's, and 
> subsequently it doesn't appear if I re-run the provisioning with: vagrant 
> up --provision --provision-with puppet_server
>
> There was a suggestion that there could be some stale code around as the 
> image starts with puppet 3 pre-installed, but I've got the bootstrapping 
> scripts to purge the old packages and delete any files that could have been 
> placed under /var/lib/puppet and /etc/puppet
>
> bash code:
>
> package=puppet5-release-xenial.deb
> env https_proxy=$HTTPS_PROXY wget \
> --quiet --continue -O /tmp/$package 
> https://apt.puppetlabs.com/$package
> dpkg -i /tmp/$package
> export DEBIAN_FRONTEND=noninteractive
> apt-get update
> apt-get purge --yes puppet hiera facter
> rm -rf /var/lib/puppet /etc/puppet
> apt-get install --yes --no-install-recommends puppet-agent=5.3.5-1xenial 
> ruby policykit-1
>
> Currently pinned to 5.3.5 because there was an issues with a subsequent 
> release and decided to just pin to the same version as the upgraded puppet 
> master was running.
>
> I've tried switching the clients to 5.5.8 and I get the same error, so 
> it's not solved by moving to the most recent version.
>
> Grep'ing through /var/lib/puppet hasn't been illuminating, didn't spot 
> anything when switching it to use debug, and neither has been inspecting 
> the puppet master log so I'm not sure where exactly to look?
>
> The quick fix is to disable reporting within the virtual environment, 
> which certainly solves the problem, but seems like the wrong approach.
>
> Any thoughts on how to debug this? What do I need to enable on the puppet 
> master to be able to capture report requests both good and bad so I can see 
> what it is that is being sent that gets rejected, and what should be sent?
>
> --
> Darragh Bailey
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/b70320c3-5dfa-4eb5-9c1d-7f5074f1bcf7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: Puppet.agent with path

[Eric Sorenson]

Sorry Rafael, I don't understand what you're asking. Can you share the 
puppet code that you are trying to use, and the error message you get?

--eric0

On Wednesday, November 28, 2018 at 5:54:34 AM UTC-8, Rafael Tomelin wrote:
>
> Hi,
>
> How configure path in puppet.agent.
>
> I need path = source /etc/profile . , how configuration this path?
> -- 
>
> Atenciosamente,
>
> Rafael Tomelin
>
> skype: rafael.tomelin
>
> E-mail: rafael.tome...@gmail.com
>
> RHCE  - Red Hat Certified Engineer
> PPT-205 - Puppet Certified Professional 2017
> Zabbix- ZABBIX Certified Specialist
> LPI3 
> ITIL v3
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/5c0f935e-c0ff-4202-b48c-79a316f69c87%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: Multiple compile server and single CA server set up - certificate issues

[Eric Sorenson]

Hi Soham, I would suggest you start with a single server that contains both 
the CA and compile master functionality.

That way you can bootstrap it in a very simple way, using the instructions 
for the new intermediate CA setup in Puppet 6. Once that is working, it is 
much easier to move to a split-out service because you will have a 
functioning CA + Server which can sign the certificates for the other 
compile masters.

You should be able to serve catalogs from a single instance for several 
thousand agents, so don't scale out until you know you need it.

https://puppet.com/docs/puppetserver/6.0/intermediate_ca.html

HTH
--eric0

On Wednesday, November 28, 2018 at 8:24:00 AM UTC-8, Soham Chakraborty 
wrote:
>
> Hi,
>
> Update:
>
> I have made the changes in webserver.conf of the compile master as 
> described in 
> https://puppet.com/docs/puppet/6.0/config_ssl_external_ca.html#task-8039 
> (step 3 in particular), but I still have the same problem :(
>
> On Tuesday, November 27, 2018 at 11:58:54 PM UTC+5:30, Soham Chakraborty 
> wrote:
>>
>> Hi,
>>
>> I am trying to achieve the following in Ubuntu 18.04 (bionic):
>>
>> 1) I want to have several Puppet servers act as compile masters. They 
>> will be load balanced and point to a DNS record in AWS. 
>>
>> 2) All the compile masters will share same Puppet CA server. The CA 
>> server be responsible for only signing certificates and nothing else.
>>
>> This should be reasonably easy to implement but I am not getting odd SSL 
>> errors at every turn. I am looking to know how I should go about creating a 
>> setup like this with open source Puppet. The steps that I am following now 
>> are something like this:
>>
>> 1) Provision the instance from a packer template. I am installing Puppet 
>> 5.5.6 from the packer template.
>> 2) Login to the server and install puppetserver. 
>> 3) Disable internal CA service from services.d/ca.cfg file.
>> 4) Edit puppet.conf to point master to the DNS name of the load balancer. 
>> Don't do any change of ca server for now. Don't run any puppet agent as 
>> well.
>> 5) Provision another instance from the same packer template. 
>> 6) Install puppetserver. 
>> 7) Edit it's puppet.conf to point to the DNS name of the load balancer 
>> and also change ca server to this server itself.
>> 8) Run puppet agent -t on the compile master created in step 1.
>> 9) Sign the cert in CA server. 
>>
>> Is this all that there is? Do I need to do any config change in the 
>> webserver.conf of the Puppet compile master? If so, what would be required 
>> changes? What files should be copied over from the CA server to the compile 
>> server?
>>
>> What files need to be copied over from CA server to the compile server 
>> and where they should be placed? 
>>
>> Right now in my CA server, I am getting this error: 
>>
>> # puppet agent -t
>> Warning: Setting autosign is deprecated.
>>(location: 
>> /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/settings.rb:1169:in 
>> `issue_deprecation_warning')
>> Warning: Setting ca is deprecated.
>>(location: 
>> /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/settings.rb:1169:in 
>> `issue_deprecation_warning')
>> Warning: Unable to fetch my node definition, but the agent run will 
>> continue:
>> Warning: SSL_connect returned=1 errno=0 state=error: certificate verify 
>> failed: [ok for /CN=puppetserver.org.com]
>> Info: Retrieving pluginfacts
>> Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate 
>> additional resources using 'eval_generate': SSL_connect returned=1 errno=0 
>> state=error: certificate verify failed: [ok for /CN=puppetserver.org.com]
>> Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: 
>> Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect 
>> returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=
>> puppetserver.org.com]
>> Info: Retrieving plugin
>> Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate 
>> additional resources using 'eval_generate': SSL_connect returned=1 errno=0 
>> state=error: certificate verify failed: [ok for /CN=puppetserver.org.com]
>> Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could 
>> not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 
>> errno=0 state=error: certificate verify failed: [ok for /CN=
>> puppetserver.org.com]
>> Error: Could not retrieve catalog from remote server: SSL_connect 
>> returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=
>> puppetserver.org.com]
>> Warning: Not using cache on failed catalog
>> Error: Could not retrieve catalog; skipping run
>> Error: Could not send report: SSL_connect returned=1 errno=0 state=error: 
>> certificate verify failed: [ok for /CN=puppetserver.org.com]
>> root@puppet-ca-server:~#
>>
>> And in Puppet compile master, I am getting:
>>
>> # puppet agent -t
>> Warning: Unable to fetch my node definition, but the agent run will 
>> continue:
>> 

Re: [Puppet Users] Elegant way to supply facts to `puppet apply`

[Eric Sorenson]

You could put that same yaml or json in /etc/puppetlabs/facter/facts.d and 
the whole data structure will be available under $facts ...

--eric0

On Monday, November 26, 2018 at 11:14:27 AM UTC-8, Henrik Lindberg wrote:
>
> On 2018-11-23 03:27, Abhijeet Rastogi wrote: 
> > Hi everyone, 
> > 
> > 
> > puppet lookup command has a nice --facts option which accepts a 
> > structured json/yaml file to upload files. 
> > 
> > Why does that option not exist for puppet apply? Is the environment 
> > variable the only option? 
> > 
>
> There is a way to make it read other facts than the default getting the 
> facts for the node apply is running on. To use that you need to change 
> the facts terminus setting 
> https://puppet.com/docs/puppet/5.3/indirection.html#yaml-terminus-1 
>
> Warning: That is not easy to use. 
>
> For puppet lookup we wanted something simpler and choose to expose the 
> option directly as it is a common use case to experiment with lookup CLI 
> and different facts. 
>
> Suggest you file a ticket with a feature request for puppet apply. 
>
> Best, 
> - henrik 
>
> > Puppet version: 6.0.4 
> > 
> > Thanks, 
> > Abhijeet 
> > 
> > -- 
> > You received this message because you are subscribed to the Google 
> > Groups "Puppet Users" group. 
> > To unsubscribe from this group and stop receiving emails from it, send 
> > an email to puppet-users+unsubscr...@googlegroups.com 
> > . 
> > To view this discussion on the web visit 
> > 
> https://groups.google.com/d/msgid/puppet-users/c9c7ea63-cd97-4dbc-9c45-ee78e5cb9d4b%40googlegroups.com
>  
> > <
> https://groups.google.com/d/msgid/puppet-users/c9c7ea63-cd97-4dbc-9c45-ee78e5cb9d4b%40googlegroups.com?utm_medium=email_source=footer>.
>  
>
> > For more options, visit https://groups.google.com/d/optout. 
>
>
> -- 
>
> Visit my Blog "Puppet on the Edge" 
> http://puppet-on-the-edge.blogspot.se/ 
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/bf91272c-4872-455f-871b-bf1a23edfe83%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Puppet Enterprise 2019.0.1 now available!

[Eric Sorenson]

Dear Puppet Enterprise Users,

Puppet Enterprise 2019.0.1 is now available.

This is a bug fix and minor functionality release of Puppet Enterprise. All 
users of Puppet Enterprise 2019.0.0 are encouraged to upgrade when possible to 
Puppet Enterprise 2019.0.1.

Puppet Enterprise 2019.0.1 includes agent support for Windows Server 2019. It 
includes fixes that caused errors when upgrading from earlier versions, and it 
enables running agentless tasks over WinRM from the orchestrator.

For information on the bug fixes in this release, see 
https://puppet.com/docs/pe/2019.0/release_notes/release_notes.html

As a current Puppet Enterprise user, you can upgrade to this new version as 
part of your annual subscription. To upgrade, you must upgrade your master, 
PuppetDB, and console servers first, then update your agents.

As always, we want to hear about your experiences with Puppet Enterprise. If 
you have any questions about upgrading, be sure to get in touch with Puppet 
Support.

Eric Sorenson - e...@puppet.com 
director of product

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/9189BE5C-627E-447A-81F8-F83040963372%40puppet.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Puppet Enterprise 2018.1.5 (LTS) is now available

[Eric Sorenson]

Dear Puppet Enterprise Users,

Puppet Enterprise 2018.1.5 is now available.

This is a security and bug fix release of the current Long-Term Support (LTS) 
series of Puppet Enterprise. All users of Puppet Enterprise 2018.1.x are 
encouraged to upgrade as soon as possible to Puppet Enterprise 2018.1.5.

Puppet Enterprise 2018.1.5 adds support for SLES 15 and Windows Server 2019 
agents. It also addresses a number of performance issues for large-scale 
console use and includes customer-requested backports, notably around 
improvements to policy-based certificate autosigning.

For full details of the changes in this release, see 
https://puppet.com/docs/pe/2018.1/release_notes/release_notes.html

As a current Puppet Enterprise user, you can upgrade to this new version as 
part of your annual subscription. When upgrading, you must upgrade your master, 
PuppetDB, and console servers first.

As always, we want to hear about your experiences with Puppet Enterprise. If 
you have any questions about upgrading, be sure to get in touch with Puppet 
Support.

Eric Sorenson - e...@puppet.com 
director of product

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/267F9972-297F-4CDE-8648-17BC7AF82AF9%40puppet.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Announce: Puppet Platform 6.0.3 avaialble

[Eric Sorenson]

Hot on the heels of yesterday's Puppet Platform 5.5.7, we've just release 
Puppet Platform 6.0.3. This is a bugfix release that contains a bump to Puppet. 
Of special note on this release is the continued improvement to the new SSL 
command line workflows introduced in Puppet 6 (PUP-9156) and improvements to 
the handling of Sensitive data (PUP-7580). 

Full release notes for the release are available here: 
https://puppet.com/docs/puppet/6.0/release_notes.html#puppet-603

Eric Sorenson - e...@puppet.com <mailto:eric.soren...@puppet.com> 
director of product

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/399DD104-A919-4AB9-83F4-4C5F168A0696%40puppet.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Puppet Platform 5.5.7 is now available

[Eric Sorenson]

The latest point release of the Puppet Platform 5 series is now available. 

This is a backwards-compatible bugfix release that contains several important 
fixes for open source and PE users (this release will roll into the next PE 
2018.1.x LTS point release, slated for Nov 6).

For the full list of changes in this release, check out the release notes: 
https://puppet.com/docs/puppet/5.5/release_notes.html#puppet-557 


Special thanks to Jacob Helwig, Kris Bosland, Jorie Tappa, and Josh Cooper for 
fixing PUP-3467 , a bug that 
has existed since the earliest days of Puppet and caused problems for anybody 
managing recursive file resources.

--eric0

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/579A213F-A081-49BD-B4E9-3083131A1A3D%40puppet.com.
For more options, visit https://groups.google.com/d/optout.

Re: REGRESSION - Re: [Puppet Users] Announcement: Release of Puppet Platform 6.0.1

[Eric Sorenson]

Thanks for reporting this duritong - I wanted to follow up to say that this 
was fixed in 6.0.2 (indeed this was the reason we shipped 6.0.2 after 1 
day:) )

On Wednesday, October 3, 2018 at 1:30:22 AM UTC-7, Peter Meier wrote:
>
> Hi All, 
>
> > We're happy to announce the release of Puppet Platform 6.0.1. This is 
> > primarily a bug release, with some improvements to Puppet, some new 
> > features in Puppet Server, and some new component versions in Puppet 
> > Agent. 
>
> Just a heads up to everybody: There is a pretty severe regression in the 
> exec provider together with cwd, as the behavior of the type/provider 
> changed from 6.0.0 to 6.0.1: 
>
> https://tickets.puppetlabs.com/browse/PUP-9194 
>
> tldr; The cwd param is not respected in 6.0.1 for the commands specified 
> in unless or onlyif. This might trigger an unwanted execution of the 
> command, as the safe-guards in unless/onlyif might fail as they are not 
> anymore executed in the cwd. 
>
> best 
>
> ~pete 
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/7f2df5c4-d5b7-4931-8899-68c0ca8b3dcd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Release and Archive repository changes for Puppet software

[Eric Griswold]

We've already done a first, trial run. Regular purges will likely begin 
mid-to-late September and run once every week.


release-archives is already synced weekly on Mondays, Pacific Time.

Purges from yum, apt, and downloads will be scheduled locally on 
Tuesdays. However, this is an internal purge that
will not necessarily be synced to the outside. Purge synchronization 
timing is yet to be decided.


Eric

On 08/09/2018 04:23 PM, Rob Kenefeck wrote:

Hi Eric, when will this be happening?



--
You received this message because you are subscribed to the Google Groups "Puppet 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/d830c8ed-76d0-a281-a718-9c6af96ef733%40puppet.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Release and Archive repository changes for Puppet software

[Eric Griswold]

Hello Puppet Users & Developers,

The release repositories for Puppet software, yum.puppet.com, 
apt.puppet.com, and downloads.puppet.com have grown quite large.


To help with our release process we will be regularly removing releases 
from these repositories that are more than three years old.


An archive repository, release-archives.puppet.com, is available for 
anyone needing to locate older Puppet software.


I'm happy to answer any questions or comments.

Eric Griswold
Release Engineer


--
You received this message because you are subscribed to the Google Groups "Puppet 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/95465939-3051-e98c-7e22-8448c8a6dcce%40puppet.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: [Puppet-dev] [Puppet-Users] Puppet Platform 6 Update

[Eric Sorenson]

On Jul 17, 2018, at 2:26 AM, Martin Alfke  wrote:
> 
>> On 17. Jul 2018, at 01:40, Eric Sorenson > <mailto:e...@puppet.com>> wrote:
>> 
>> So my question is - 
>> - do you current use/rely on 'gem install puppet' for your workflows? If so, 
>> what do you do with it? (does anybody use a 'gem install puppet' as their 
>> production "puppet agent" daemon?)
> 
> We install puppet as a gem in CI/CD unit testing.
> 

Hi Martin! Does this use depend on types and providers in puppet's lib/ 
directory? Or is it just having the core puppet code available?


>> - given the above, what would be the easiest/most intuitive way to get those 
>> extracted types into your puppet installation? some ideas we've kicked 
>> around are 
>>  * a puppet type 'meta module' that, akin to a rpm/deb metapackage, doesn't 
>> have content, just dependencies on the actual modules at particular pinned 
>> versions that match the agent package versions
>>  * a Puppetfile that you could point r10k at to get the modules installed
>>  * individual gems for each of the extracted modules with Gemfile 
>> dependencies (note: this is a Bad Idea™)
> 
> We need at least a note how we have to add the module with the separated 
> types/providers.

Yes absolutely

> 
>> 
>> WDYT?
>> --eric0
>> 
>> 
>>> On Jul 16, 2018, at 10:20 AM, Josh Cooper  wrote:
>>> 
>>> I wanted to share some significant developments as we progress towards a 
>>> Puppet Platform 6 release. I encourage you to try out nightly builds 
>>> available in the puppet6 repos:
>>> 
>>> http://nightlies.puppet.com/yum/puppet6-nightly/
>>> http://nightlies.puppet.com/apt/puppet6-nightly/
>>> http://nightlies.puppet.com/downloads/{mac,windows}/puppet6-nightly/
>>> 
>>> 1. Unvendoring Semantic Puppet
>>> 
>>> Previously, the puppet repo, puppet-agent and puppetserver 
>>> vendored/packaged different versions of the semantic_puppet gem. We've 
>>> untangled that mess so that in Platform 6:
>>> 
>>> * puppet has a runtime gem dependency on the semantic_puppet gem
>>> * puppet-agent bundles the semantic_puppet 1.0.2 gem
>>> * puppetserver no longer knows about puppet's transitive gem dependencies
>>> * we can bump the semantic_puppet version in puppet-agent in the future 
>>> without breaking puppetserver running on the same host. The same is true 
>>> for other puppet runtime gem dependencies like fast_gettext and multi_json.
>>> 
>>> See https://tickets.puppetlabs.com/browse/PA-1880 for more details.
>>> 
>>> 2. Puppet Platform 6 requires Ruby 2.3
>>> 
>>> Puppet Platform 6 requires Ruby 2.3 or up, so we can now use modern syntax 
>>> such as keyword arguments, dig, squiggly heredocs, etc. Puppet will error 
>>> when running on unsupported ruby versions such as 2.2, which went EOL on 
>>> March 31, 2018.
>>> 
>>> Since puppetserver runs puppet code in a JRuby interpreter and JRuby 1.7 
>>> conforms to the 1.9.3 Ruby language, we first had to move puppetserver from 
>>> JRuby 1.7 to 9K. In Platform 5, we made it possible to opt into using JRuby 
>>> 9K. In Platform 6, we will drop JRuby 1.7 and only support JRuby 9.1.x.x, 
>>> which conforms to Ruby 2.3.
>>> 
>>> To ensure puppet code does not break puppetserver/JRuby, we've started 
>>> running puppet PRs against JRuby 9K in TravisCI.
>>> 
>>> See https://tickets.puppetlabs.com/browse/PUP-6893 and 
>>> https://tickets.puppetlabs.com/browse/SERVER-2155 for more details.
>>> 
>>> 3. Intermediate CA improvements
>>> 
>>> Currently, customers can set up Puppet to use an intermediate CA by 
>>> manually generating and distributing certificates and keys, installing them 
>>> in the proper locations on disk, for both the master and agent. This is 
>>> time intensive, error prone, and even once these certs have been put in 
>>> place, full validation using CRL chains was not possible.
>>> 
>>> For Puppet 6, we we are making both tooling and functionality improvements 
>>> to this process. In this increment, we have implemented full validation 
>>> with chained certificates and CRLs, and we have changed the agent-side SSL 
>>> bootstrapping to automatically download these full chains from the master 
>>> and store and use them appropriately. It is now no longer necessary for 
>>> intermediate CA users to manually distribute SSL files to their agents. On 
>>> t

[Puppet Users] Re: [Puppet-dev] [Puppet-Users] Puppet Platform 6 Update

[Eric Sorenson]

Another effort that's underway but not yet complete is the extraction of 
non-core types/providers into modules. This addresses some long-standing 
requests to, for example, be able to change the nagios types and OS-specific 
resources without needing to get a full agent release out. The extracted types 
will be available in a modulepath structure in the puppet agent package, so 
(with a few targeted exceptions) there won't be any user-visible changes to 
what's available when you get the package, but an implication that hasn't 
really come up is around using Puppet in rubygem format. The extracted types 
are available on github and on the forge as separate modules, so if you 
currently use some of these extracted types, you'd need a way to get them 
installed locally.

So my question is - 
- do you current use/rely on 'gem install puppet' for your workflows? If so, 
what do you do with it? (does anybody use a 'gem install puppet' as their 
production "puppet agent" daemon?)
- given the above, what would be the easiest/most intuitive way to get those 
extracted types into your puppet installation? some ideas we've kicked around 
are 
  * a puppet type 'meta module' that, akin to a rpm/deb metapackage, doesn't 
have content, just dependencies on the actual modules at particular pinned 
versions that match the agent package versions
  * a Puppetfile that you could point r10k at to get the modules installed
  * individual gems for each of the extracted modules with Gemfile dependencies 
(note: this is a Bad Idea™)

WDYT?
--eric0


> On Jul 16, 2018, at 10:20 AM, Josh Cooper  wrote:
> 
> I wanted to share some significant developments as we progress towards a 
> Puppet Platform 6 release. I encourage you to try out nightly builds 
> available in the puppet6 repos:
> 
> http://nightlies.puppet.com/yum/puppet6-nightly/ 
> 
> http://nightlies.puppet.com/apt/puppet6-nightly/ 
> 
> http://nightlies.puppet.com/downloads/{mac,windows}/puppet6-nightly/ 
> 
> 
> 1. Unvendoring Semantic Puppet
> 
> Previously, the puppet repo, puppet-agent and puppetserver vendored/packaged 
> different versions of the semantic_puppet gem. We've untangled that mess so 
> that in Platform 6:
> 
> * puppet has a runtime gem dependency on the semantic_puppet gem
> * puppet-agent bundles the semantic_puppet 1.0.2 gem
> * puppetserver no longer knows about puppet's transitive gem dependencies
> * we can bump the semantic_puppet version in puppet-agent in the future 
> without breaking puppetserver running on the same host. The same is true for 
> other puppet runtime gem dependencies like fast_gettext and multi_json.
> 
> See https://tickets.puppetlabs.com/browse/PA-1880 
>  for more details.
> 
> 2. Puppet Platform 6 requires Ruby 2.3
> 
> Puppet Platform 6 requires Ruby 2.3 or up, so we can now use modern syntax 
> such as keyword arguments, dig, squiggly heredocs, etc. Puppet will error 
> when running on unsupported ruby versions such as 2.2, which went EOL on 
> March 31, 2018.
> 
> Since puppetserver runs puppet code in a JRuby interpreter and JRuby 1.7 
> conforms to the 1.9.3 Ruby language, we first had to move puppetserver from 
> JRuby 1.7 to 9K. In Platform 5, we made it possible to opt into using JRuby 
> 9K. In Platform 6, we will drop JRuby 1.7 and only support JRuby 9.1.x.x, 
> which conforms to Ruby 2.3.
> 
> To ensure puppet code does not break puppetserver/JRuby, we've started 
> running puppet PRs against JRuby 9K in TravisCI.
> 
> See https://tickets.puppetlabs.com/browse/PUP-6893 
>  and 
> https://tickets.puppetlabs.com/browse/SERVER-2155 
>  for more details.
> 
> 3. Intermediate CA improvements
> 
> Currently, customers can set up Puppet to use an intermediate CA by manually 
> generating and distributing certificates and keys, installing them in the 
> proper locations on disk, for both the master and agent. This is time 
> intensive, error prone, and even once these certs have been put in place, 
> full validation using CRL chains was not possible.
> 
> For Puppet 6, we we are making both tooling and functionality improvements to 
> this process. In this increment, we have implemented full validation with 
> chained certificates and CRLs, and we have changed the agent-side SSL 
> bootstrapping to automatically download these full chains from the master and 
> store and use them appropriately. It is now no longer necessary for 
> intermediate CA users to manually distribute SSL files to their agents. On 
> the server side, we are working to create a puppetserver CLI for setting up 
> and interacting with the CA. See 
> https://tickets.puppetlabs.com/browse/SERVER-2171 
> 

[Puppet Users] Re: Puppet Platform 6 pre-release builds available

[Eric Sorenson]

Hi Al - The main thing is that the certificate authority and network stack 
are going to consolidate onto the puppetserver implementations, rather than 
having a split between ruby/webrick and clojure/puppetserver. So if anyone 
is still using 'puppet master' standalone or apache-based servers, now's 
the time to cut the cord.

On Wednesday, May 2, 2018 at 7:56:41 AM UTC-7, a...@example42.com wrote:
>
> Hei Eric, 
> good news, especially the extra modularization and the agent side 
> functions, from my point of view.
> Are expected in Puppet 6 any remarkable backwards incompatibilities or 
> deprecations?
>
> Best
> Al
>
> On Monday, April 23, 2018 at 11:44:32 PM UTC+2, Eric Sorenson wrote:
>>
>> Hi all, we've started landing changes for what will become Puppet 
>> Platform 6. Here's the News You Can Use relating to the release. 
>>
>> Scope and Timeline 
>> We expect to release it in the fall, and the major features of the 
>> release are currently scoped to be: 
>> - improved secret and ephemeral data handling through the use of a new 
>> API for evaluating functions an the agent at catalog application time (more 
>> on this to come, it's still pretty early in design) 
>> - modularized types and providers;  things like the nagios types will 
>> live in their own module and be included at packaging time. This will make 
>> it easier to get changes into this code and opens the door to including 
>> more modules in packages so, for example, you don't need to download stdlib 
>> separate from puppet. Josh posted a PR to the specifications repo 
>> describing this approach here: 
>> https://github.com/puppetlabs/puppet-specifications/pull/106 
>> - consolidate the CA code onto the clojure CA and provide 1st class 
>> support for intermediate CA signing - this means the Ruby CA and tooling 
>> around it will change in favor of a CLI that supports your actual workflow. 
>>  (PUP-7877 is the epic to follow for this work) 
>>
>>
>> Branches, Builds, and Repos 
>> The upshot is that the 'master' branch of the main platform projects 
>> (puppetdb, puppetserver, facter, puppet) will become the 6.0 versions of 
>> those projects, and PRs that target master can contain larger changes - so 
>> things like improving facter output, changing default settings for things 
>> that had previously been opt-in, etc have a place to land. 
>> In addition to automatic builds that go into the nightly repos, we're 
>> working in iterations towards monthly milestones that contain completed 
>> features and are ready for testing and feedback. As these come out, we'll 
>> post updates to the mailing list describing the contents in more detail and 
>> would love for you to try them out and let us know how it goes. 
>> The release packages are up here for apt/yum systems: 
>> yum: https://yum.puppet.com/puppet6-nightly/ 
>> apt: https://apt.puppet.com/puppet6-nightly/ 
>>
>> and the direct download repos for mac, windows, and eos are here: 
>> http://nightlies.puppet.com/downloads/ 
>>
>> (Note that although the content of the agent packages in particular is 
>> being built off what will become puppet 6, the version numbers won't 
>> reflect that until it's tagged as such.) 
>> Once the release is out, the 'puppet' repo and associated release package 
>> for apt and yum will shift to 'puppet6'; the 'puppet5' repo/release package 
>> will remain as-is so you can stay pinned to that until you're ready to 
>> move. 
>>
>>
>> EOL / Lifecycle of Older versions 
>> The 5.x versions are incorporated into the upcoming PE2018.1 LTS, so the 
>> branches that feed into those versions will be open for changes. But they 
>> need to be targeted bug fixes that won't introduce instability into the 
>> components, so please be judicious when targeting non-master branches with 
>> your PRs. 
>> The 4.x series (puppet-agent 1.10, puppet-server 2.8, etc) will be going 
>> EOL towards the end of 2018. They're already on "deep LTS" mode and only 
>> critical security fixes and hyper-targeted backports are landing on these 
>> branches. 
>>
>> Please let me know if you have any questions. I'm pretty excited about 
>> this release; the slightly longer development timeline and milestone build 
>> process should enable more interesting features and a smoother upgrade 
>> path. 
>>
>> --eric0 
>>
>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/594dbe09-5421-4749-b1d2-9b94ea305992%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Puppet Platform 6 pre-release builds available

[Eric Sorenson]

Hi all, we've started landing changes for what will become Puppet Platform 6. 
Here's the News You Can Use relating to the release. 

Scope and Timeline
We expect to release it in the fall, and the major features of the release are 
currently scoped to be:
- improved secret and ephemeral data handling through the use of a new API for 
evaluating functions an the agent at catalog application time (more on this to 
come, it's still pretty early in design)
- modularized types and providers;  things like the nagios types will live in 
their own module and be included at packaging time. This will make it easier to 
get changes into this code and opens the door to including more modules in 
packages so, for example, you don't need to download stdlib separate from 
puppet. Josh posted a PR to the specifications repo describing this approach 
here: https://github.com/puppetlabs/puppet-specifications/pull/106
- consolidate the CA code onto the clojure CA and provide 1st class support for 
intermediate CA signing - this means the Ruby CA and tooling around it will 
change in favor of a CLI that supports your actual workflow.  (PUP-7877 is the 
epic to follow for this work)


Branches, Builds, and Repos
The upshot is that the 'master' branch of the main platform projects (puppetdb, 
puppetserver, facter, puppet) will become the 6.0 versions of those projects, 
and PRs that target master can contain larger changes - so things like 
improving facter output, changing default settings for things that had 
previously been opt-in, etc have a place to land. 
In addition to automatic builds that go into the nightly repos, we're working 
in iterations towards monthly milestones that contain completed features and 
are ready for testing and feedback. As these come out, we'll post updates to 
the mailing list describing the contents in more detail and would love for you 
to try them out and let us know how it goes. 
The release packages are up here for apt/yum systems: 
yum: https://yum.puppet.com/puppet6-nightly/
apt: https://apt.puppet.com/puppet6-nightly/

and the direct download repos for mac, windows, and eos are here:
http://nightlies.puppet.com/downloads/

(Note that although the content of the agent packages in particular is being 
built off what will become puppet 6, the version numbers won't reflect that 
until it's tagged as such.)
Once the release is out, the 'puppet' repo and associated release package for 
apt and yum will shift to 'puppet6'; the 'puppet5' repo/release package will 
remain as-is so you can stay pinned to that until you're ready to move.


EOL / Lifecycle of Older versions
The 5.x versions are incorporated into the upcoming PE2018.1 LTS, so the 
branches that feed into those versions will be open for changes. But they need 
to be targeted bug fixes that won't introduce instability into the components, 
so please be judicious when targeting non-master branches with your PRs.
The 4.x series (puppet-agent 1.10, puppet-server 2.8, etc) will be going EOL 
towards the end of 2018. They're already on "deep LTS" mode and only critical 
security fixes and hyper-targeted backports are landing on these branches.

Please let me know if you have any questions. I'm pretty excited about this 
release; the slightly longer development timeline and milestone build process 
should enable more interesting features and a smoother upgrade path.

--eric0


-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/B7C7D473-4A38-46EE-9969-9D37BAEF7C03%40puppet.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Announce: Puppet agent 1.10.12

[Eric Sorenson]

Yep, this was an error in the build/ship process - we're scrubbing them out 
now. Sorry for the confusion.

--eric0

On Wednesday, April 18, 2018 at 12:25:23 AM UTC-7, Brent wrote:
>
> Just a question
>
> Shouldn't the puppet 5 packages not be in 
> http://apt.puppetlabs.com/pool/stretch/PC1/p/puppet-agent/ removed?
>
> Regards
>
> Brent
> On 18/04/2018 09:18, Brent Clark wrote:
>
> Good day Guys
>
> Anyone else having a problem where the upgrade tries to jump to version 
> 5.3.6-1stretch?
>
> I just want 1.10.12RELEASE.
>
> Regards
>
> Brent
>
> On 18/04/2018 07:00, Garrett Guillotte wrote:
>
> Puppet agent 1.10.12 is a bug-fix release that includes updates for Puppet 
> 4.10.11 , Facter 
> 3.6.10 , Hiera 
> 3.3.3 (which contains no user-facing changes), and pxp-agent 1.5.7. It also 
> contains updates to curl and fixes for Ruby security issues. For details, 
> see https://puppet.com/docs/puppet/4.10/release_notes_agent.html
> There was no public Puppet agent 1.10.11 release.
>
> -- 
> *Garrett Guillotte*
> Technical Writer
> garrett.guillo...@puppet.com
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/puppet-users/CAP7LywFVkyGtvb4_3epVpdJN%2B1gOFzvekxouZrpBVSf26u4ekg%40mail.gmail.com
>  
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>
>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/2311bd85-003a-4bda-8bbf-7d8f9cc6f63c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Re: Pre-generated certificates?

[Eric Sorenson]

Yeah, it's a bit of an outlier workflow but I figured I'd ask. The
deafening silence indicates it's probably not a use-case we need to treat
specially.

--eric0

On Sat, Mar 31, 2018 at 12:23 PM, Michael Watters <watter...@gmail.com>
wrote:

> I've done this for a few nodes but I'm not sure how this would be an
> improvement over just enabling autosign.  Private keys should remain
> private to a node and should never be transmitted over the network if
> possible.
>
> On Wednesday, March 28, 2018 at 3:10:35 PM UTC-4, Eric Sorenson wrote:
>>
>> Is anybody out there pre-generating certificates for your agents? I've
>> heard whispered tales of some folks doing this but we're starting work on
>> improving the CA / signing / revocation workflow and it'd be great to talk
>> to somebody directly. The workflow would be using 'puppet cert generate' on
>> the master/CA then distributing both the private key and the resulting
>> certificate in some secure, out-of-band mechanism (cloud-init?) to the
>> nodes, so the agent finds the CA cert as well as its own key/cert pair
>> ready and waiting when it starts up, bypassing the CSR
>> generation/submission completely.
>>
>> --eric0
>>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "Puppet Users" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/
> topic/puppet-users/rmC7RsQEUwU/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/puppet-users/7a75eaf6-b71a-4b34-9b76-fe6dbf6f96fd%40googlegroups.com
> <https://groups.google.com/d/msgid/puppet-users/7a75eaf6-b71a-4b34-9b76-fe6dbf6f96fd%40googlegroups.com?utm_medium=email_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CANDjyOucHVejmfGR7%3D6MXNxrZRvkJOHq%2BiThm7LOAMG%2BU%3Dqg8w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Pre-generated certificates?

[Eric Sorenson]

Is anybody out there pre-generating certificates for your agents? I've 
heard whispered tales of some folks doing this but we're starting work on 
improving the CA / signing / revocation workflow and it'd be great to talk 
to somebody directly. The workflow would be using 'puppet cert generate' on 
the master/CA then distributing both the private key and the resulting 
certificate in some secure, out-of-band mechanism (cloud-init?) to the 
nodes, so the agent finds the CA cert as well as its own key/cert pair 
ready and waiting when it starts up, bypassing the CSR 
generation/submission completely.

--eric0

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/09846c69-cc85-4cfc-a4ed-f19d24b34776%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] The 2018 Puppet User Survey is up!

[Eric Sorenson]

Hey all, we're running a survey for the next couple of weeks to get a better 
understanding of who's using Puppet, what the mix of operating systems and 
Puppet versions looks like, and how we could make better Puppet products in the 
future. It's going to be open for the next couple of weeks; once it's done I'll 
summarize the results and post some (hopefully interesting) insights from your 
responses.   It's only a few questions and should take less than 5 minutes to 
complete, plus as an added incentive, for every response we'll donate $3 to the 
EFF!

I made a quick blog post about it here: 
https://puppet.com/blog/2018-puppet-user-survey

And here's a direct link to the survey: 
https://www.surveygizmo.com/s3/4227485/puppet-users

--eric0

Eric Sorenson - e...@puppet.com <mailto:eric.soren...@puppet.com> 
director of product, ecosystem and platform

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/606CDA72-24CA-4051-966D-CD13A99D64A9%40puppet.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Puppet 4 EOL?

[Eric Sorenson]

Close, the PE2016.4 LTS uses Puppet 4 and is supported through October 
2018. 

--eric0

On Monday, February 12, 2018 at 9:15:20 AM UTC-8, R.I. Pienaar wrote:
>
>
>
> On Mon, 12 Feb 2018, at 17:43, Sven vd wrote: 
> > Hi, 
> > 
> > Currently our infrastructure and code is written with and run by puppet 
> 4 
> > opensource. 
> > 
> > We are using https://yum.puppetlabs.com/el/7/PC1/x86_64/ repos for 
> updates 
> > of our installed software, puppetserver, puppetdb, puppet agent. 
> > 
> > Since puppet 5 was released the puppet 5 packages shifted to another 
> repo 
> > https://yum.puppetlabs.com/puppet/el/7/x86_64/. We are not using this 
> repo 
> > since we are currently on puppet 4 codebase. 
> > 
> > So the question is, how long will the 
> > https://yum.puppetlabs.com/el/7/PC1/x86_64/  repo get updates (security 
> > fixed, improvements etc) and when is open source puppet 4 considered End 
> Of 
> > Life? 
>
>
> if you look at the Puppet Enterprise support cycle and figure out which is 
> the last one with Puppet 4 then you will know when 4 will be EOL.  If I 
> read it right it looks to be around July 2018. 
>
> Upgrade to Puppet 5 from 4 is pretty trivial, so should be easy for you to 
> follow along. 
>
> -- 
> R.I.Pienaar / www.devco.net / @ripienaar 
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/cdf21006-55db-4f07-bf9b-4463435495fb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: Best way to change settings on an individual node

[Eric Sorenson]

Hi Jack, for puppet enterprise there's a built-in workflow for assigning 
classes to nodes - the phrase you're looking for is called "node 
classification" in puppet-speak.  here's the relevant 
doc: 
https://puppet.com/docs/pe/2017.3/managing_nodes/grouping_and_classifying_nodes.html

hope this helps!
--eric0

On Thursday, November 2, 2017 at 5:37:29 AM UTC-7, jackandn...@gmail.com 
wrote:
>
> Hi,
> I'm a new puppet enterprise user (first post!) and I need to change 
> some settings on an individual node.  The module is created and it works in 
> my testing, but every method of applying the module to one machine feels 
> like I'm doing it wrong. What is the best way to accomplish this?  Feel 
> free to point me to some documentation, if I'm simply missing something. 
>
> Thanks,
>
> Jack
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/b6469759-3713-46d7-ab69-88149b5bb10b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Puppet Bolt 0.6.0 released!

[Eric Sorenson]

Bolt 0.6.0 is released!  This is a feature release of the open-source task 
runner, which includes:

- the ability to read a newline-separated list of nodes from a file using 
'--nodes @file.txt' or from stdin via '--nodes -'
- prompting for a password securely rather than requiring it on the command 
line, if you use the '-p' flag with no argument - thanks to Diana Zvulun @deezx 
for contributing this!
- Bolt now applies command line options, such as --user, --when executing a 
plan with bolt run plan. 

Additionally, a security-related bug was fixed where previously Bolt would did 
not securely verify keys for hosts it had not connected to before.

Complete release notes and more info about bolt: 
https://puppet.com/docs/bolt/0.x/bolt_overview.html

--eric0

Eric Sorenson - e...@puppet.com 
director of product, ecosystem and platform

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/71CB9F3D-562E-4CF5-9CD0-17885A2E50FE%40puppet.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Announce: Bolt 0.5.1

[Eric Sorenson]

Hi, I'm super excited to announce the initial open-source release of Bolt, a 
new project that lets you easily run commands, scripts, tasks, and task plans 
across your infrastructure.

It's got its own product page on the puppet site: 
https://puppet.com/products/puppet-bolt 
<https://puppet.com/products/puppet-bolt>

Or you can go straight to the tech docs: 
https://puppet.com/docs/bolt/0.5/bolt_overview.html 
<https://puppet.com/docs/bolt/0.5/bolt_overview.html>

If you have real-time questions about Bolt or Puppet Tasks, you can join the 
conversation on slack.puppet.com <http://slack.puppet.com/> #puppet-tasks.

Eric Sorenson - e...@puppet.com <mailto:eric.soren...@puppet.com> 
director of product, ecosystem and platform

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/37AF0FFE-142D-4BB2-950D-C0CB09C7C079%40puppet.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Announce: Puppet Platform 5.2 available!

[Eric Sorenson]

A new release of the Puppet Platform is available. As a reminder, we're doing 
monthly releases of the platform components (Agent, Server and PuppetDB) which 
are tested and released together. 

Puppet 5.2.0 is a feature and improvement release in the Puppet 5 series that 
also includes several bug fixes. This release ensures that translated strings 
can be loaded in the puppet gem. You can find more information in the Puppet 
5.2 release notes: https://docs.puppet.com/puppet/latest/release_notes.html 

Puppet agent 5.2.0 also includes a new release of Facter, Facter 3.9, which 
contains a new experimental fact, `hypervisors`. This fact returns the names of 
any detected hypervisors and any collected metadata about them.

PuppetDB 5.1.0 is a bugfix and performance release. It contains significant 
schema migrations, most notably for fact storage. It also improves handling of 
binary data in several places. For more information, see the detailed PuppetDB 
release notes: https://docs.puppet.com/puppetdb/latest/release_notes.html

Puppet Server 5.1 contains several new features and bug fixes. New features 
include:
• Automatic CRL refresh on certificate revocation
• Puppet agents retry requests on a configurable delay if Puppet Server 
is busy
• Autosigning supports CA certificate bundles
• Administrators can add Java JARs to be loaded on startup
For more information, see the Puppet Server 5.1 release notes: 
https://docs.puppet.com/puppetserver/latest/release_notes.html 

Eric Sorenson - e...@puppet.com 
director of product, ecosystem and platform

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/4AF9D2B2-38EB-4884-AF90-B0A464F9679F%40puppet.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Announce: Puppet Server 2.8.0 available

[Eric Sorenson]

Puppet Server 2.8.0 is now available.  This is a backwards-compatible feature 
release for Puppet 4.x sites, which contains one notable new feature and a few 
bugfixes as well.

The headline feature is that the puppetserver now automatically reloads the CRL 
(certificate revocation list) when a node's certificate is revoked, where 
previously a revoked cert was considered valid until the puppetserver was 
restarted. This feature should make it easier to reprovision nodes with the 
same name/certificate identity as a revoked node, plus reduce manual work when 
revoking. (TK-149)

A special community thank-you goes to Matthias Hörmann, who reported and helped 
troubleshoot SERVER-1671, which is also fixed in this release.


For the full list of changes, check out the release notes: 
https://docs.puppet.com/puppetserver/2.8/release_notes.html#puppet-server-280

To download and install puppet server, follow these instructions: 
https://docs.puppet.com/puppetserver/2.8/install_from_packages.html


Eric Sorenson - e...@puppet.com <mailto:eric.soren...@puppet.com> 
director of product, ecosystem and platform

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CD46E4D8-26BA-4389-991E-CF4F9C4D6E58%40puppet.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: Puppet 5.0.1: JSON to PSON automatic downgrade doesn't account for binary facts

[Eric Sorenson]

Hi Dominic, thanks for tracking this down and documenting it so thoroughly. 
Some responses inline:

On Tuesday, August 1, 2017 at 9:56:28 PM UTC-7, Dominic Scheirlinck wrote:
>
> Thought I'd leave a note about an issue I ran into when upgrading to 
> Puppet 5.0.1, in case someone else is wrestling with the same thing (also 
> just to provide a result for some poor person Googling it after me). Turned 
> out to be a whole bunch of factors:
>
> - The default serialization format is now JSON (previously PSON), which 
> doesn't support arbitrary binary data (only UTF-8 strings)
> - PUP-7602 is supposed to automatically downgrade back to PSON if there's 
> binary data in the catalog
> - But this doesn't seem to account for binary facts - you get an error on 
> apply: "Error: Failed to apply catalog: Could not render to json: source 
> sequence is illegal/malformed utf-8" 
>
> I surmise that a binary fact is at fault because of a debug message from 
> Facter: "Debug: Facter: Received a log message with invalid encoding:"fact 
> \"ec2_userdata\" has resolved to [...]" (escaped data follows) - and 
> because I'm not shipping binary in my catalog otherwise. This is 
> particularly annoying if you're using local VMs to test your puppet server 
> upgrade, because you won't run into it until you run it on your production 
> EC2 node :)
>
> The EC2 user data is gzipped to work around a user_data size limitation. 
> (i.e. 
> https://www.terraform.io/docs/providers/template/d/cloudinit_config.html#gzip)
>  
> - I guess I'm not close enough to the limit that I could pay the size 
> penalty and base-64 encode the compressed user-data as well - but you can't 
> change user data while the instance is running, so it's not nice as a 
> workaround.
>

Yeah, this is one of the main shifts between pson and json. Since there's 
not type hinting for facter, we assume everything's a string, and while 
pson used to best-effort deal with binary encodings, json won't support it. 
 Seems like you could either un-gzip the user data or b64 encode it.
 

>
> I've seen the Facter blocklists documentation, but it doesn't make it 
> clear whether you can block a specific fact instead of the whole EC2 
> blockgroup - or more accurately, it appears I can't. (I am using 
> ec2_metadata, to get ['placement']['availability-zone'] so I don't want to 
> block the group - I'd only want to block the ec2_userdata fact). I guess I 
> could try overwriting the value with a blank string (a la 
> https://tickets.puppetlabs.com/browse/FACT-1354?focusedCommentId=410038=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-410038
> )?
>

Unfortunately the blocklist is currently at the level of the resolution 
group, as you've discovered. The overwrite would work OK and be pretty 
simple, assuming you don't actually *need* any of the userdata for Puppet 
to run. 

>
> For now, I've just reverted to PSON serialization. That's not deprecated, 
> right? (Just the default was changed?)
>

That's right. One thing to note though... json is way faster. If you can 
get around this, the performance gains probably make it worthwhile to shift 
to json.
 

>
> (Also, I'd file a JIRA ticket, but I'm not sure whether support for binary 
> fact values is desired or necessary, whether Facter should be giving up on 
> passing a fact if it has a binary value, or whether a PUP-7602-style 
> serialization fallback would be better, etc.)
>
>
It'd be great to have a bug on this to talk over the options.  Thanks again 
for the sleuthing!

--eric0

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/0469acb1-8a00-4faf-addc-727c14cff624%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: Can I find out about another node?

[Eric Sorenson]

The best way to do this is to use puppetdb, which you can then query from 
manifests using the puppetdb_query() function.

Your query would look like (untested but i think this is right...)

$nodes_array = puppetdb_query('inventory[certname] { resources { type = 
"OurSystem" } }')

(You may see references to "exported resources" which accomplishes a 
similar goal but IMO querying is better because it has a superset of 
exported resource functionality and you don't need to know beforehand which 
resources you want to mark as being 'collectable'.)

HTH
--eric0

On Wednesday, July 5, 2017 at 7:34:26 AM UTC-7, Robert Inder wrote:
>
> I'm using Puppet (3.8) to set up installations of a system for different 
> clients.
>
> We have a number of servers running "live" installations, 
> and others running corresponding development installations.
>
> There is a module for the system, and each node has a separate
> instance for each client that that machine is to support.
>
> I'd like to tell the development system for a given client 
> where to find the corresponding "live" installation.
>
> Can I do that?  Can an instance of a OurSystem resource for client
> "Edinburgh"  on node "devel9"  determine which other
> node also has an instance of OurSystem for "Edinburgh"?
>
> Robert.
>
>
>
>
>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/2af106e9-9cc0-43fc-a381-65974f4d1959%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Announce: Puppet 5 Platform released!

[Eric Sorenson]

I have run out of superlatives to try to express how excited I am for this 
release: the Puppet 5 Platform is available for download now.

The primary goals of this release are to harmonize numbering across the major 
components (Puppet Agent, PuppetDB, Puppet Server) to "5", as a first step 
towards delivering these components as a unified platform; include Hiera 5 with 
eyaml as a built-in capability; provide clean UTF-8 support; move network comms 
to fast, interoperable JSON. Our current Ruby versions are EOL'ed, so we're 
moving to MRI Ruby 2.4 on the agent and (opt-in) jruby9k on the server. The 
PE-only puppet-server metrics service is now open-sourced. 

In addition to the features, there are some substantial performance boosts 
waiting for you. According to our perf testing (thanks Doug!):

• Puppet 5 Agent run-times were 30% lower at equivalent loads. (Average 
of 8 seconds vs 5.5 seconds)
• Puppet 5 Server CPU utilization was at least 20% lower than Puppet 4 
in all scenarios.
• CPU utilization for Puppet 5 PuppetDB and PostgreSQL were also lower 
in all scenarios.
• Puppet 5 catalog compile times reported by Puppet Server were between 
7-10% lower than Puppet 4.
• Puppet 5 scaled to an additional 40% increase in the number of agents 
while Puppet 4 agent run-times became dangerously high.

This is a "semver major" with some backwards incompatibilities, but we have 
worked very hard to retain module compatibility with Puppet 4.x modules. With a 
few careful (and hopefully rarely used) exceptions, module code that works 
under Puppet 4 should not need revision to work under Puppet 5. 

For a full list of changes and download instructions, check out the full 
release notes: https://docs.puppet.com/puppet/5.0/release_notes.html 
<https://docs.puppet.com/puppet/5.0/release_notes.html>

I'd like to send out huge thanks to the Puppet teams who worked on this release 
and to community members who provided feedback on both the design discussions 
and early preview releases — extra special thanks to Josh Cooper for 
shepherding this out the door. It has a special significance for me since it's 
version five and (by total coincidence!) yesterday was my five year anniversary 
at Puppet :) I think it's going to be a great release series.

Eric Sorenson - e...@puppet.com 
director of product, ecosystem and platform

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/81AB014B-1F4C-4658-9F9E-DCDD648C03D7%40puppet.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Announce: new Puppet 5 Platform nightly builds available

[Eric Sorenson]

tl;dr: There are new builds in the 'puppet5-nightly' repos. Please give them a 
spin and let us know what you find!

Since we pushed the first builds of what will become the Puppet 5 Platform 
packages into the repos, a *lot* has been going on. We're nearing code-complete 
on the release and it seemed like a good time to push out some pipin' hot 
builds and remind everyone that it's coming Real Soon Now[tm].

Just to get it out of the way -- I say this every time I talk about Puppet 5 
and this post is no exception:
*** No puppet module code that works on Puppet 4 will need changing for Puppet 
5 ***

Additionally:
*** Puppet 3 agents can talk to Puppet 5 masters running under 
puppet-server-5.x ***

There are some changes that I think are pretty awesome but are a bit deep under 
the hood. The main one, and the primary reason we are really interested in your 
feedback on the current builds, is that all of the network comms use standard 
JSON. Previously there was a mix of YAML and PSON ("pure" json, meaning pure 
ruby, meaning it couldn't use any of the perf optimizations in jruby or MRI's 
built-in json libraries). In addition to increasing interoperability, we expect 
this to have significant performance speedups for pretty much everyone. 

Speaking of Ruby, another significant change (and one of the main reasons we 
incurred a semver major-version bump) is that the agent ruby version is now MRI 
Ruby 2.4.1. On the puppet-server side, we have opt-in support for JRuby 9k, 
which is a Ruby 2.x compliant interpreter. So plugin code should be more 
consistent between agents and masters, but gems installed into the Ruby 
runtimes will need reinstallation (because /usr/lib/ruby/gems/x.y.z is 
version-dependent).

If this is news to you, check out the original thread on puppet-dev:
https://groups.google.com/d/topic/puppet-dev/-H1pHJM6NLE/discussion

and here's the blog post from when the repositories first went live:
https://puppet.com/blog/full-visibility-and-control-of-your-infrastructure-new-puppet-releases

If you just want to dive in, try out Puppet 5 Platform by installing the 
"puppet5-nightly-release" package from https://apt.puppet.com/ or 
https://yum.puppet.com/ for deb- and rpm-based Linux distributions. For Mac or 
Windows systems, go to https://downloads.puppet.com/ and click on mac/ or 
windows/, then navigate to the puppet5-nightly subdirectory.

Please try these builds out in your vagrant environments, sandboxes, and labs! 
Let us know what you run into - if you tag your JIRA tickets with an "Affected 
Version" field of "PUP 5.0.0" this causes alarm bells to ring in Puppet HQ :)

Cheers
--eric0

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/9BEF42BD-2455-4C05-8E90-CB04D8F6BCB4%40puppet.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Ticket Backlog triages

[Eric Sorenson]

Hi All – we're trying to get on top of the backlogs of Jira tickets. Those of 
you who have been around for a while might remember this was the original 
purpose of the "Triage-A-Thon" events, when we parcelled out batches of Redmine 
tickets for categorization, clean-up, and prioritization. (Hi, @kartar!)

I wanted to let everyone know that this activity is going on, so if you see 
updates on long-dormant Jira tickets it doesn't come as a surprise. Although 
the commentary as we're dispositioning the tickets is boilerplate copy-pasta, 
these are not automatic mass-closures. Teams are going through the tickets in 
batches and spending some time on each one. If you get mail about a ticket that 
you feel is dispositioned incorrectly (such as "Cannot reproduce", when you can 
provide a repro case), please re-open them.

Additionally, if you're interested in helping out, the query we're working 
through is publicly available here:
https://tickets.puppetlabs.com/issues/?filter=25600#

The workflow and response text for triaging tickets is available here:
https://docs.puppet.com/community/puppet_projects_workflow.html#workflow-for-bugs

The benefit at the end of all of this will be that we will be able to provide 
much better response time for new issues as they come in.

Eric Sorenson - e...@puppet.com 
director of product, ecosystem and platform

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/B4C79B78-F85E-42E9-A0D9-5830D4640843%40puppet.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: Hiera fails to interpolate data path for a specific node

[Eric Thompson]

On Monday, March 13, 2017 at 11:26:41 AM UTC-7, Wei Jianwen wrote:
>
> Hi,
>
> After upgrading openproductionource Puppet to version 4.9, I followed the 
> Hiera guide 
> https://docs.puppet.com/puppet/4.9/hiera_hierarchy.html#most-hierarchies-interpolate-variables
>  to 
> feed some data to it. I found that for some node, 'puppet lookup' failed to 
> interpolate variables in yaml setting, which lead to incorrect lookup 
> results.
>

Hi Jianwen, 

what version of puppet are you using?  This is a known issue in puppet 
4.9.0.  have you tried upgrading to puppet 4.9.3?
 

> Any suggestion is welcome.
>
>
> Best,
>
> Jianwen
>
>
> Steps to reproduce this issue
>
> 1. Install Puppet server on puppet. 
> pi.sjtu.edu.cn .
> 2. Install Puppet agents on puppet.pi.sjtu.edu.cn, slurm1.pi.sjtu.edu.cn and 
> mu05.pi.sjtu.edu.cn. Sign certificates for them.
> 3. Delete global hiera setting `/etc/puppetlabs/code/hiera.yaml`.
>
> # rm -f /etc/puppetlabs/code/hiera.yaml
> 4. Create an environment named `production`. 
>
> # mkdir 
> -p /etc/puppetlabs/code/environments/production/{hieradata,maifests,modules}
>
> 5. Create the Hiera conf file for the production environment in 
> `/etc/puppetlabs/code/environments/production/hiera.yaml`
>
> *---*
> *version: 5*
> *defaults:*
> *  datadir: hieradata*
> *  data_hash: yaml_data*
>
> *hierarchy:*
> *  - name: "Per-node data"*
> *path: "nodes/%{trusted.certname}.yaml"*
>
> *  - name: "common"*
> *path: "common.yaml"*
>
> 6. Add common data in 
> `/etc/puppetlabs/code/environments/production/hieradata/common.yaml`:
>
> ---
> group: Compute Nodes
>
>
> 7a. Add per-node hiera data for slurm1.pi.sjtu.edu.cn in 
> `/etc/puppetlabs/code/environments/production/hieradata/nodes/slurm1.pi.sjtu.edu.cn.yaml`:
>
> ---
>
> group: SLURM
>
>
> 7b. Add per-node hiera data for puppet.pi.sjtu.edu.cn in 
> `/etc/puppetlabs/code/environments/production/hieradata/nodes/puppet.pi.sjtu.edu.cn.yaml`:
>
>
> ---
>
> group: Puppet Server
>
>
> 8a. Lookup group for puppet.pi.sjtu.edu.cn and successfully get "Puppet 
> Server" stored in `puppet.pi.sjtu.edu.cn.yaml`.
>
> *# puppet lookup group --node puppet.pi.sjtu.edu.cn 
>  --explain*
>
> *Searching for "lookup_options"*
>
> *  Global Data Provider (hiera configuration version 5)*
>
> *No such key: "lookup_options"*
>
> *  Environment Data Provider (hiera configuration version 5)*
>
> *Using configuration 
> "/etc/puppetlabs/code/environments/production/hiera.yaml"*
>
> *Merge strategy hash*
>
> *  Hierarchy entry "Per-node data"*
>
> *Path 
> "/etc/puppetlabs/code/environments/production/hieradata/nodes/puppet.pi.sjtu.edu.cn.yaml"*
>
> *  Original path: "nodes/%{trusted.certname}.yaml"*
>
> *  No such key: "lookup_options"*
>
> *  Hierarchy entry "common"*
>
> *Path 
> "/etc/puppetlabs/code/environments/production/hieradata/common.yaml"*
>
> *  Original path: "common.yaml"*
>
> *  No such key: "lookup_options"*
>
> *Searching for "group"*
>
> *  Global Data Provider (hiera configuration version 5)*
>
> *No such key: "group"*
>
> *  Environment Data Provider (hiera configuration version 5)*
>
> *Using configuration 
> "/etc/puppetlabs/code/environments/production/hiera.yaml"*
>
> *Hierarchy entry "Per-node data"*
>
> *  Path 
> "/etc/puppetlabs/code/environments/production/hieradata/nodes/puppet.pi.sjtu.edu.cn.yaml"*
>
> *Original path: "nodes/%{trusted.certname}.yaml"*
>
> *Found key: "group" value: "Puppet Server"*
>
> 8b. Lookup group for puppet.pi.sjtu.edu.cn and successfully get "Compute 
> Nodes" stored in `common.yaml`.
>
> *# puppet lookup group --node mu05.pi.sjtu.edu.cn 
>  --explain*
>
> *Searching for "lookup_options"*
>
> *  Global Data Provider (hiera configuration version 5)*
>
> *No such key: "lookup_options"*
>
> *  Environment Data Provider (hiera configuration version 5)*
>
> *Using configuration 
> "/etc/puppetlabs/code/environments/production/hiera.yaml"*
>
> *Merge strategy hash*
>
> *  Hierarchy entry "Per-node data"*
>
> *Path 
> "/etc/puppetlabs/code/environments/production/hieradata/nodes/mu05.pi.sjtu.edu.cn.yaml"*
>
> *  Original path: "nodes/%{trusted.certname}.yaml"*
>
> *  Path not found*
>
> *  Hierarchy entry "common"*
>
> *Path 
> "/etc/puppetlabs/code/environments/production/hieradata/common.yaml"*
>
> *  Original path: "common.yaml"*
>
> *  No such key: "lookup_options"*
>
> *Searching for "group"*
>
> *  Global Data Provider (hiera configuration version 5)*
>
> *No such key: "group"*
>
> *  Environment Data Provider (hiera configuration version 5)*
>
> *Using configuration 
> "/etc/puppetlabs/code/environments/production/hiera.yaml"*
>
> *Hierarchy entry "Per-node data"*
>
> *  Path 
> 

[Puppet Users] Re: noob problem: Could not find a directory environment named 'development'

[Eric Sorenson]

Hi Peter, this is a known problem that is tracked 
in https://tickets.puppetlabs.com/browse/PUP-6739

--eric0

On Friday, February 17, 2017 at 11:53:50 AM UTC-8, Peter K wrote:
>
> I fixed my site.pp and that got my hiera lookups working...but I still 
> dont' understand the puppet config results.
> -peter
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/cc142983-8f66-495c-b1f4-0f0eee00cc10%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Re: hiera deep hash merges broken

[Eric Sorenson]

That's great to hear François, thank you for testing the patch! Our plan at 
this point is to accumulate a couple more fixes and ship a new build by 
Tuesday 21 Feb -

I don't want to generate a new build containing only the fix in PUP-7215 
because 
(a) there is QA work underway on the current release that may turn up new 
things that need fixing by the end of the week
(b) there is a simple workaround in PUP-7216 which is that you can 
s/hiera_hash/lookup/ as the function that you call.  

--eric0

On Wednesday, February 15, 2017 at 10:35:32 AM UTC-8, François Lafont wrote:
>
> On 02/15/2017 05:44 PM, Moses Mendoza wrote: 
>
> > Thanks all for the reports. A fix is in progress / en route, trackable 
> via 
> > https://tickets.puppetlabs.com/browse/PUP-7215 
>
> Ah ok, thanks Moses for the information. 
>
> I have tested in my testing VM and the commit of Thomas Hallgren seems 
> to work well. :) 
>
> François Lafont 
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/f434713b-bb4d-4446-95af-e864d3e57123%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: Use of 'hiera.yaml' version 3 is deprecated. It should be converted to version 5

[Eric Sorenson]

Hey, it looks like everyone found this, but I wanted to add that we updated 
this document with the hiera.yaml v5 format late last week, so if you were 
looking for it outside of the google doc, it's up and running.

https://docs.puppet.com/puppet/4.9/lookup_quick.html#there-are-two-hierayaml-formats-now

This is an interim update while the docs team work on the full update, 
which will be out in the next week or two.

--eric0

On Tuesday, February 14, 2017 at 9:22:53 AM UTC-8, Bob wrote:
>
> The spec appears to be here -
>
> https://docs.puppet.com/puppet/4.9/lookup_quick.html
>
> On Wednesday, February 8, 2017 at 8:37:32 AM UTC+13, Joshua Schaeffer 
> wrote:
>>
>> Okay I see that they are actually preparing to release Puppet 4.9.2 which 
>> is supposed to fix these issues. Does this mean they will release a new 
>> puppet-agent package part of the PC1? Where can I go to track the progress 
>> of this minor release?
>>
>>>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/5f3712f1-90a2-4f19-8447-9bffdbc77239%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Announce: puppet-agent 1.9.0 released!

[Eric Sorenson]

Hi All,

I’m excited to announce the release of Puppet Agent 1.9.0, which includes 
Puppet 4.9.0. There’s lots of good stuff in this release, but a few highlights 
include: 

• Hiera 5 - a successor of the experimental Puppet lookup feature - is 
built into Puppet 4.9. This allows you to have Hiera data embedded in modules 
as well as per-environment hierarchies, provides an "explain" feature for easy 
debugging, and has significant performance improvements. Read more here: 
https://docs.puppet.com/puppet/latest/lookup_quick.html

• Fixes for several bugs related to Unicode and UTF-8 support in 
Puppet. 

• New fact: `cloud`. This new top-level fact is intended for 
discovering whether a node is running on a given public cloud provider. In this 
first release, it currently detects whether a Linux-based node is running in 
Azure, and provides that information in the cloud.provider fact.

Deprecations in this release include deprecations of several Puppet faces, as 
well as Puppet support for the Ruby 2.0 series. 

For a complete list of Puppet 4.9.0 features, bug fixes, and deprecations, 
please see the release notes at 
https://docs.puppet.com/puppet/4.9/release_notes.html. 

Special thanks to community member Shawn Ferry for contributing several fixes 
for Puppet on Solaris. 

Two caveats: 

In Puppet 4.9.0, we removed the vendored `semantic` gem, replacing it with 
`semantic_puppet`.  We learned this causes an issue with any module based on 
https://github.com/garethr/puppet-module-skeleton/, since the skeleton loads 
the `semantic` gem from Puppet's vendor dir to validate a module's 
metadata.json.  We’re planning to ship a Puppet 4.9.1 gem ASAP that will warn 
that this has been removed (but does not fail directly). 
https://tickets.puppetlabs.com/browse/PUP-7156

Additionally, if you have a "classic" hiera.yaml config file in an environment 
root (perhaps because your control repository has one checked in, and r10k 
deploys it into /etc/puppet/code/environments//hiera.yaml), you'll 
see the error "a hiera.yaml version 3 cannot be used in an environment". This 
will become a warning instead of a hard error, and until then you can move it 
into a subdirectory where it will be ignored. 
https://tickets.puppetlabs.com/browse/PUP-7165

New Platform Support 

• This release adds puppet-agent packages for Fedora 25. 

EOL Platforms 

As of this release, we are no longer providing puppet-agent packages for the 
following platforms:
• Ubuntu 10.04 (Lucid)
• Ubuntu 15.10 (Wily)
• Mac OS X 10.9
• SLES 10
• Fedora 22

To install or upgrade Puppet Agent, follow the getting started directions: 
http://docs.puppetlabs.com/puppet/latest/reference/index.html

For information on upcoming platform end-of-life (EOL) for Puppet Agent, please 
see our Platform Support Lifecycle page: 
https://puppet.com/content/platform-support-lifecycle


Eric Sorenson - eric.soren...@puppet.com 
director of product, puppet ecosystem

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/7BBBDDE1-3606-45EA-8B6A-D95647EE18FF%40puppet.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Over-engineering rant

[Eric Sorenson]

On Monday, January 9, 2017 at 6:56:34 AM UTC-8, John Gelnaw wrote:
>
> On Sunday, January 8, 2017 at 2:31:33 PM UTC-5, Rob Nelson wrote:
>>
>> There are a lot of very valid issues and concerns you bring up here. I do 
>> want to start by saying, however, that puppet 4 is more than 6 months old - 
>> about 20 months to be precise - and most of the significant language 
>> changes were introduced somewhat earlier in the future parser in puppet 3. 
>> These changes should be easier to take in for sure, but that is at least 3x 
>> more to catch up on. I hope that doesn't sound like a harsh response, but I 
>> think it's more accepted that after 1.5-2 years, most moving projects will 
>> require significant re-learning.
>>
>
> I've been using "future parser" in Puppet 3 for a while-- I absolutely had 
> to have iteration, and a few other features, so I *thought* I had been 
> keeping up with puppet development.
>
> I had a similar reaction to the OP when I looked at the NTP code-- 
> "ek!!!".
>
> Although knowing that it's optional is a good thing, and knowing it's 
> available is also good-- it is something of an overwhelming example of 
> "wall of code".  Then again, for those who say NTP is simple-- I point and 
> laugh in your general direction.  The fact that NTP *can* be as simple as a 
> drift file and an NTP host, doesn't mean it's always that easy, and I 
> respect the amount of effort in making that module work. 
>

> Having said that, my ntp class is a bit simpler, and resembles the classic 
> "package / file / service" puppet class, because that's all my site 
> requires. 
>

I'd like to point out that this ntp module is also deliberately a test case 
for *all* of the puppet 4 language features, and as such is kind of a 
"reference module", so it certainly could be simpler but is intended to 
both do something useful and provide a working example of things like EPP 
and the type system. Helen Campbell wrote up a walk-through of the features 
that she and David Schmitt implemented in it here: 
 https://puppet.com/blog/ntp-puppet-4-language-update


Most of my bitterness towards puppet comes from the 3.x series, where the 
> API was a moving target, and upgrading to the "latest" puppet 3.x package 
> could break your world.  It's gotten significantly better, but I'm still 
> only about halfway up the puppet 3.x --> 4.x cliff.  ;)
>

Can you give me an example of backwards-incompatible API changes in the 3.x 
series? I'm not being snarky; we had long debates (way too long, in some 
cases) about semantic versioning and did extra work to not introduce 
breaking changes into the 3.x. The goal was rebuilding trust that new 
versions behave like you'd expect given the version number, so I'm dismayed 
to hear that those efforts failed and things broke for you anyway :(

--eric0

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/abc1ef48-403c-4073-8d20-b22654946279%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: Problem with test run

[Eric Sorenson]

Hi Joe, It's an agent-side setting (the facts are "stringified" on the 
agent before the server ever sees them) so it needs to happen on the 
agents. But if you're not currently managing your config file with puppet 
itself you can use a module like 
this: https://forge.puppet.com/cjtoolseram/puppetconf

just make sure to set stringify_facts in the 'main' or 'agent' sections of 
the config and you should be good to go.



On Tuesday, January 3, 2017 at 2:40:54 PM UTC-8, Joe wrote:
>
> Rob, is there a way to set 'stringify_facts = false' globally on the 
> puppet server or this must be done on all clients? I just hit this with a 
> puppetlabs module and setting to false on the agent worked. Obviously I 
> would rather set t once on the server.
>
> Thanks
>
> On Sunday, November 6, 2016 at 10:44:09 AM UTC-7, ddough...@gmail.com 
> wrote:
>>
>> facter tells me this:
>>
>> os => {"family"=>"RedHat", "name"=>"OracleLinux", 
>> "release"=>{"major"=>"6", "full"=>"6.6", "minor"=>"6"}}
>>
>> but puppet agent --test tells me this:
>>
>> [root@q061oracl0901 puppet]# puppet agent --test
>> Info: Retrieving pluginfacts
>> Info: Retrieving plugin
>> Info: Loading facts
>> Error: Could not retrieve catalog from remote server: Error 500 on 
>> SERVER: {"message":"Server Error: Evaluation Error: Error while evaluating 
>> a Resource Statement, Data Provider type mismatch: Got String when a 
>> hash-like object was expected to access value using 'name' from key '
>> facts.os.name' on node 
>> q061oracl0901.dqscust.local","issue_kind":"RUNTIME_ERROR"}
>> Warning: Not using cache on failed catalog
>> Error: Could not retrieve catalog; skipping run
>> [root@q061oracl0901 puppet]#
>>
>> Client is v3.8.7
>>
>> Running Foreman1.13 on the server.  
>>
>> I can telnet to 8140 from the client to the server.  The agent was 
>> running successfully for a while.  I added the grub2 class and removed it. 
>>  I also put the client into a host group.  I've now removed it to try to 
>> troubleshoot the problem.  Any ideas?
>>
>> Thanks,
>> Dan
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/21f380e6-2e30-49f2-b362-35eecf7bce9d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Single Enterprise Puppet Master to support 2 Control Repos

[Eric Sorenson]

Hi Thomas, have you tried the `puppet generate type` workflow described on 
that doc to avoid the problems with environment bleed-through? You said you 
failed w/the elasticsearch module and I'm wondering if that is because the 
`generate` stuff is not working, or whether there's another part of the 
problem.

On Monday, November 28, 2016 at 10:24:29 AM UTC-8, Thomas Müller wrote:
>
>
>
> Am Montag, 28. November 2016 19:06:55 UTC+1 schrieb Rob Nelson:
>>
>> This will work but I would caution against it. Only recently has per 
>> environment segregation been implemented and there are still some issues 
>> present (I believe most fixes showed up in 4.8.0 but not sure). You don't 
>> want the same module at two different versions for each group being mixed 
>> and matched improperly. But, it's a judgement call if that's more worrisome 
>> than an extra PE master. 
>>
>
>
> I can confirm that the issue with different versions of the same module in 
> different environments with native ruby types/providers is a real problem. 
> Just encountered it with the elasticsearch module which we wanted to 
> upgrade. I utterly failed because new types were added and some types 
> changed. 
>
> If multiple independent teams are working on the same master you will 
> likely hit this issue faster than with only one team.
>
> https://docs.puppet.com/puppet/latest/reference/environment_isolation.html 
> 
>  
>
> - Thomas
>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/0beaf7b8-4218-4de2-9eac-73ff5e597597%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Upcoming End-of-Life for Puppet 3 & older versions of component projects

[Eric Sorenson]

Hi all, 
In July, we announced the end-of-life for Puppet Enterprise 3.x but I realized 
I've not been super clear about what that means for the open-source versions of 
its component projects. There's now a general statement on the Enterprise 
Support Lifecycle page:

https://puppet.com/misc/puppet-enterprise-lifecycle

And to be very specific, once Puppet Enterprise 3.x goes end-of-life on 
December 31 2016, there will be no further releases of the following major 
series of projects:

Puppet 3.x
PuppetDB 2.x and 3.x
Puppet Server 1.x
Hiera 1.x and 2.x
Facter 2.x

If you're still using Puppet 3, there's a ton of helpful resources on Upgrade 
home page:

https://docs.puppet.com/upgrade/

We had a whole track at PuppetConf dedicated to the subject and you can watch 
the videos if you're more of a visual learner. The talks are all clustered 
together in this youtube playlist, starting with Rob Nelson's "Enjoying the 
Journey from Puppet 3 to 4" here:

https://www.youtube.com/watch?v=FWnj0xQOZN8=23=PLV86BgbREluVjwwt-9UL8u2Uy8xnzpIqa

For realtime help, you can drop into the #upgraders channel on the Puppet 
Community Slack; sign up at https://slack.puppet.com/ if you're not already 
logged in.

Thanks and happy upgrading!
--eric0

Eric Sorenson - eric.soren...@puppet.com - freenode #puppet: eric0
puppet ecosystem product manager

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/AEAEDE3E-6985-4929-9E0C-567221D5DB7F%40puppet.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: Prevent certificate collisions due to servers going up and down with same hostname

[Eric Sorenson]

Hi Iván - I think there are a couple of approaches that could work for you.

1 - you could continue to provision as you do today, but include a step in 
the shut-down that cleans a certificate. It is possible to add a rule to 
the auth.conf file that permits access to puppet's HTTPS endpoints which 
allows a node to delete its own certificate.  There's a blog post about it 
here:

http://www.nightbluefruit.com/blog/2015/02/allowing-puppet-agents-manage-their-own-certificates/

But I would suggest doing something a little nicer with the auth.conf 
rules, like this for /etc/puppetlabs/puppetserver/conf.d/auth.conf
{
"allow" : "$1",
"match-request" : {
"method" : "delete",
"path" : "/puppet-ca/v1/certificate_status/([^/]+)$",
"query-params" : {},
"type" : "path"
},
"name" : "nodes deleting their own certs",
"sort-order" : 500
}

2 - You can indeed re-use the same cert and key for all your nodes. I have 
used this setup in production and it works pretty well but it is not a 
common best practice.  I have a write-up of how to do it 
here: https://gist.github.com/ahpook/1182243  but it is probably a bit out 
of date now.  

I would suggest going to option #1 but either could work for you.  hope 
this helps!

--eric0

On Tuesday, October 25, 2016 at 7:42:47 AM UTC-7, Iván del Castillo Zamora 
wrote:
>
> Hi!
>
> We have a setup with a puppetmaster CA and several servers (AWS instances) 
> which are spawned depending on the workload. On a daily basis from 50 to 
> 100 instances can be spawned and shutdown (not at the same time), and what 
> occurs is that a new server can have the IP and hostname . When a new 
> certificate is created due to a new instance, this goes down after a while 
> and if right after that a new instance with this just released IP (an IP 
> 1.2.3.4 sets the hostname ip-1-2-3-4 in AWS, for example) is spawned, we 
> get the usual SSL error as the private key has changed (a new one was 
> generated in the last instance). 
> I have tried a quite dirty solution which involved a task running almost 
> continuously which took every certificate from the SSL folder in the 
> puppetmaster, and as the hostname(certname) includes the IP(just replace - 
> with .), the script checked every IP against the whole list of IPs we have 
> up at that moment, but in the end we are facing some race conditions due to 
> timings so it just worked fine for a while.
>
> It seems that we need a solution that is in sync with the state of the 
> server when it boots up and it is shut down. Not all instances involved in 
> this are located in a "Auto Scaling Group", so a solution I checked related 
> to send notifications to a SNS queue sadly would not work for us.
>
> We though of a solution which involved creating a new certificate, which 
> should be stored in disk and add the directive certname in puppet.conf so 
> every server presents the same certificate with the same private key and 
> cert. We are already using autosign and as the puppetserver is only on the 
> local network and firewalled it should not be a security issue to share the 
> same certificate among our servers. We tested it manually, but we are 
> afraid we will face another issue we did not foresee as it happened with 
> the task I mentioned before.
>
> Has anyone tried any of these solutions or are using a different approach?
>
> Thanks a lot!
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/79367be2-ccb5-4494-9fe7-1fa7cc8f7260%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Puppet ossec module install/configuration help.

[Eric Adkins]

System Deets:
Puppet Server version: 3.8.7
  Mix of Windows/*nix OS Puppet Agents (server newer than all Agent 
versions)

I have taken the following steps to implement puppet ossec module by wazuh 
installation.

   1. Configured puppet/server agent and confirmed they can communicate. [ 
   puppet agent -t ]
   2. Confirmed ossec module installed on Server at 
   /etc/puppet/modules/ossec*
   3. Therefore next step I see, which I need help with, is the required 
   settings/configurations necessary to setup module to install ossec-agent on 
   ALL puppet agents. To do so, I attempted to build my own site.pp with the 
   following content:
   
Node default { }

Class { “ossec::client”:

ossec_server_ip => “Ossec.Server.IP.Address”

}

Note: site.pp currently located at directory /etc/puppet/manifests/site.pp


I assumed that all the required puppet content was pre-configured into the 
installed module, with condition that I must correctly adapt that module to 
my unique environment settings. Puppet Wazuh Ossec Module Official 
Documentation 

If this is not the case I would greatly appreciate some clarity on what 
tasks I am expected/required to perform after installing ossec puppet 
module on puppet server, to result in the install of ossec agents to ALL 
puppet agents in environment using puppet ossec module. Please let me know 
if additional information is required to answer the question. Thanks in 
advance for your patients in helping me understand puppet workings. 


I would also be interested in smoke testing solution for the Puppet ossec 
module if someone has any thoughts on that. 

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/b4b8e6a3-a181-4663-b06a-a645b6091134%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: Struggling with setting up a Manageable Puppet Infrastructure?

[Eric Sorenson]

Awesome, Ger! Your talks and blog posts are always great and the puppet 
infra you recommend is very clean. Best wishes for your class.

--eric0

On Friday, July 1, 2016 at 3:42:18 AM UTC-7, Ger Apeldoorn wrote:
>
> Hi all!
>
> I see people struggle with their Puppet setups over and over again. It 
> doesn’t fit right, makes it hard for people to work together and changes 
> are risky and complicated. The smallest change might be the one that makes 
> your servers keel over.
>
> I have found that there is a sound infrastructure that has proven its 
> robustness and flexibility in many companies.
>
> Unfortunately, there are a lot of people that are still struggling. I have 
> done talks about the Manageable Puppet Infrastructure at conferences and 
> have had setup instructions on my site for years, but although some people 
> could get by with this, it was still lacking a bit.
>
> In the last few weeks, I have been working on an online course/tutorial at 
> udemy.com. This course (Build your own Manageable Puppet Infrastructure) 
> consists of hours of practical video lectures and you can follow me 
> step-by-step to setup your own MPI.
>
> *The end-result of taking this course is a production-ready Manageable 
> Puppet Infrastructure.*
>
> If you act fast; this link will be valid until *July 8th* and gives you a 
> *40% 
> discount*.
>
>
> https://www.udemy.com/manageable-puppet-infrastructure/?couponCode=PUPUSERS40
>
> Kind regards,
> Ger
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/3a40baf6-cede-4346-b5e2-1981354af2a2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: Puppet's CA with an external issued CA-Certificate

[Eric Sorenson]

This is not fully supported yet, but can work with a couple of caveats - 
the question has come up a few times recently.

Can you please try my draft HOWTO documentation at this gist, and let me 
know how it works for you? You can reply here or comment on the gist if 
there are specific lines that you run into trouble with.

https://gist.github.com/ahpook/06d4cfda1d68c08bc82fbfdc40123b28

--eric0

On Thursday, June 23, 2016 at 11:17:37 PM UTC-7, Christoph Fiehe wrote:
>
> This is exactly the use case, I require in my scenario. I must have 
> several Puppet CAs, each acting as intermediate CA that has an individual 
> CA certificate signed by a single root CA. Each intermediate CA signes the 
> certificates of some puppet agents. I have created a small picture to show 
> you how the scenario should look like.The root puppetmaster acts as a 
> bootstrapping node that should set up different nodes as puppetmaster when 
> someone assignes the puppetmaster role to this new node.
>
>
>
>
> 
>
> Has anybody an idea, if this scenario can be realized with the help of 
> Puppet? The most interesting question is how Puppet behaves when you assign 
> "ca = true" to an agent node and assign "ca_server =  CA>".
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/d3846c57-7694-4fa7-b1e8-60dbb830f879%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Trouble creating a release RPM from puppetlabs/puppet source repo

[Eric Sorenson]

On Thu, 9 Jun 2016, Rob Nelson wrote:


Eric

Sidebar question I've always had. There's the puppet gem that is commonly
used for rspec-puppet. Could that gem (plus its deps, facter, hiera, etc.)
suffice for some or all use cases?


Sure, there are definitely people who run the whole stack from gems. (There 
are other people who call those people crazy, but that's a different 
conversation)


This becomes weirder with Facter 3 due to the C++ components; right now the 
puppet Gemfile specifies facter-2.4.4, which works fine but at some point 
there may be divergence between that gem and the latest mainline C++-facter.



Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

--
You received this message because you are subscribed to the Google Groups "Puppet 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/alpine.OSX.2.20.1606221447050.10015%40fermium.corp.puppetlabs.net.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Trouble creating a release RPM from puppetlabs/puppet source repo

[Eric Sorenson]

Matt, I would like to understand this better and help you adopt Puppet into 
your environment.

This is not a rhetorical question, but it might sound like one: Do you 
rebuild your linux distribution from source RPMs? Because that is very 
similar to what the AIO Puppet agent bundle is: a mini distribution with 
the dependencies ending up in one artifact.

People outside Puppet can (and have) successfully rebuilt AIO, and there 
are also sucessful packaging efforts that take JUST the Puppet 4 source and 
build a standalone RPM from it in the manner of the puppet 3 packages:

puppet-4.2.1-3.fc24.src.rpm 
<http://fedora.osuosl.org/linux/releases/test/24_Beta/Everything/source/tree/Packages/p/puppet-4.2.1-3.fc24.src.rpm>

But our recommendation is to use the all-in-one obviously; it's what's 
tested extensively and what ships in puppet enterprise. 

--eric

On Wednesday, June 8, 2016 at 2:01:43 AM UTC-7, Matt Larson wrote:
>
> Sorry for not getting back soon, Dan.
>
> Good question.
>
> I work for a draconian company that only allows installing FOSS after our 
> infosec team has vetted the source code and then built from source; an 
> impossible hand-waving exercise, I know... but it is what it is.
>
> On Friday, June 3, 2016 at 2:51:10 PM UTC-4, LinuxDan wrote:
>>
>> First Silly Question: Why ?
>> What do you need to do that cannot be done with the RPM's from a 
>> Puppetlabs repo ?
>>
>> Dan White | d_e_...@icloud.com
>> 
>> “Sometimes I think the surest sign that intelligent life exists elsewhere in 
>> the universe is that none of it has tried to contact us.”  (Bill Waterson: 
>> Calvin & Hobbes)
>>
>>
>> On Jun 03, 2016, at 02:44 PM, Matt Larson <dryhum...@gmail.com> wrote:
>>
>>
>> I'm trying to create an RPM from source on a stock RHEL6-based (CentOS6) 
>> instance, but I'm seeing errors.  I also posted in 
>> https://ask.puppet.com/question/26388/trouble-creating-a-release-rpm-from-puppetlabspuppet-source-repo/
>>  
>>
>> The output actually gets pretty far along, but stops at with this error: 
>> "install: cannot stat ext/redhat/puppet.conf: no such file or directory". 
>> If I fix that problem by manually editing the SPEC file, I just get more 
>> errors, so clearly there is no need to go down a rabbit hole since this 
>> must work for someone else, right?
>>
>> I'm also posted in 
>> https://ask.puppet.com/question/26388/trouble-creating-a-release-rpm-from-puppetlabspuppet-source-repo/
>>
>> Ideas?
>>
>> Thanks in Advance,
>> Matt
>>
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to puppet-users...@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/puppet-users/8d532582-be4b-4e58-813e-0e3519043a3f%40googlegroups.com
>>  
>> <https://groups.google.com/d/msgid/puppet-users/8d532582-be4b-4e58-813e-0e3519043a3f%40googlegroups.com?utm_medium=email_source=footer>
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/07f2aed4-eb2b-4d32-aebb-e05dd0377817%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Multiple CA setup.

[Eric Sorenson]

Check out this WIP doc where I describe how to get intermediate certs 
working. It *is* possible but there are a couple of caveats described in 
the doc.

If anyone's motivated to try this out and let me know how it works for you 
I'd be hugely appreciative. I got it to "works for me" level of readiness 
but would like some further validation so we can move it up to being a 
supported configuration with the bugs ironed out:

https://gist.github.com/ahpook/06d4cfda1d68c08bc82fbfdc40123b28

--eric0

On Wednesday, June 8, 2016 at 9:34:25 AM UTC-7, Salty Old Cowdawg wrote:
>
> @Dan White:  that link was pretty much what I was looking for.  I take it 
> then you have openssl sign certs for each master (grand and remote) and 
> configure Puppet to use those certs. 
>
> The tricky part is going to be installing the new certs in production.  
> Sorta like changing a tire when the car is still moving. 
>
> On Wed, Jun 8, 2016 at 10:57 AM Dan White  wrote:
>
>> Could the regional masters be set up as intermediate certificate 
>> authorities ?
>> I found a link that describes the basics.
>>
>> https://jamielinux.com/docs/openssl-certificate-authority/create-the-intermediate-pair.html
>>
>> Dan White | d_e_wh...@icloud.com
>> 
>> “Sometimes I think the surest sign that intelligent life exists elsewhere in 
>> the universe is that none of it has tried to contact us.”  (Bill Waterson: 
>> Calvin & Hobbes)
>>
>>
>> On Jun 08, 2016, at 10:40 AM, Peter Berghold  
>> wrote:
>>
>> In the puppet setup that I have where I work it has been increasingly 
>> more desirable if not required to have each of our data centers be able to 
>> operate standalone. Because of this I've been Googling around looking for a 
>> methodology to allow multiple certificate authorities in puppet. Currently 
>> we have our grand master puppet server in one Data Center and we have 
>> several Puppet Masters in other data centers in geographically diverse 
>> areas. When a new client is added with our current setup that new client 
>> has to reach out and get it certificate signed by The Grandmaster. This is 
>> getting us through setting up puppet currently but long-term this is 
>> undesirable.
>>
>> Can anybody point me to a methodology for setting up multiple certificate 
>> authorities that actually works? Looks like the pages on the topic I have 
>> read so far are outdated.
>>
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to puppet-users+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/puppet-users/CAArvnv2OQP5QcG9TTy_EVTursMkUdW2MhB7%3D_ZPiH7XnQ1mWrQ%40mail.gmail.com
>>  
>> 
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to puppet-users+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/puppet-users/f5735e75-81af-4ab4-820d-3aec36d3157b%40me.com
>>  
>> 
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/aebdd4da-b782-4a9f-9d6f-b8902d8359a2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Announce: Puppet Agent 1.5.1 available

[Eric Sorenson]

Puppet Agent 1.5.1 is now available. This is a bugfix release that includes 
Puppet and Facter versions with a handful of fixes; no other components are 
update from the Puppet Agent 1.5.0 release a couple of weeks ago.

Notably, a couple of erroneous facts on Solaris are now correct 
("solaris_zones" and "productname"); Chuck Schweitzer found (and Thomas 
Hallgren fixed) a problem using Data in Modules with Hiera; and the 
Henrik/Thomas wrecking crew also fixed a problem with autorequires that broke 
puppetlabs-aws and puppet-archive, among other modules.

Check out the full release notes here: 
https://docs.puppet.com/puppetserver/latest/release_notes.html

To install or upgrade puppet-agent, follow the getting started directions: 
http://docs.puppetlabs.com/puppet/latest/reference/index.html


Eric Sorenson - eric.soren...@puppet.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/4B23907C-50EA-40E6-A7D9-E1A8819465D8%40puppet.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] History of possible usage of EPP URIs in the form of "'puppet:////.epp"?

[Eric Sorenson]

I'm CC'ing Jo Rhett directly here in case he doesn't come across this 
organically --

The only place the puppet:/// syntax has ever been valid is in the 'source' 
attribute for File resources; the epp function, like template(), is 
expanded on the master during compilation and the contents are included in 
the catalog so it doesn't make sense to include a URL reference (which 
would be expanded on the agent).

--eric0

On Sunday, May 22, 2016 at 6:33:36 PM UTC-7, David Karr wrote:
>
> On 05/22/2016 06:22 PM, Henrik Lindberg wrote: 
> > On 23/05/16 03:07, David Karr wrote: 
> >> On Sunday, May 22, 2016 at 5:37:22 PM UTC-7, Henrik Lindberg wrote: 
> >> 
> >> On 23/05/16 02:26, David Karr wrote: 
> >> > In "Learning Puppet 4", there are a couple of variations of calls 
> >> to the 
> >> > "epp" function.  Some of them use the syntax that I find in the 
> >> actual 
> >> > Puppet docs, which is just "/.epp", but some of 
> them 
> >> use 
> >> > something that looks more like a URI, like 
> >> > "puppet:.epp".  I've determined that the former 
> >> is the 
> >> > only syntax that Puppet 4 accepts, unless I'm missing some 
> >> configuration 
> >> > option.  Did Puppet ever use the "puppet:.epp" 
> >> syntax, 
> >> > and if so, what was the history of that going away? 
> >> > 
> >> 
> >> It would be great if you could include pointers to where the 
> >> different 
> >> notations can be found. 
> >> 
> >> 
> >> You mean within the book?  If that's what you mean, I can provide 
> >> approximate search locations, but I'm reading the book on Safari, so I 
> >> don't have page numbers. 
> >> 
> > Duh, book - I did not read carefully enough. :-) I though you found 
> > examples in the puppet documentation or puppet site. 
>
> I had a feeling there was some confusion there.  :) I had earlier found 
> the official doc page (that you reference below), and it references the 
> "/.epp" syntax, which is the only one I found to work.  I 
> did report this in the book errata list, if it matters. 
>
> By your lack of an answer to my original actual question, I'm guessing 
> you know of no ancient Puppet implementation history where the 
> "puppet:.epp" syntax was valid? Although the syntax as 
> described this way in the book obviously doesn't work in Puppet 4 (and 
> the docs are consistent with that), I find it hard to believe the author 
> came up with this syntax on a lark :) , which makes me think that this 
> used to be valid at some point in the past. 
>
> > 
> >> The first occurrence is where the "epp()" function syntax is first 
> >> mentioned, in chapter 13, section "Using Puppet EPP Templates". On this 
> >> page, it has two clear examples, one using the "/.epp" 
> >> form, and the other using the "puppet:.epp" form, and 
> >> the text that describes the required syntax only mentions the latter. 
> >> 
> >> The next occurrence is in chapter 14, section "Calling Other Modules", 
> >> and this example uses the "puppet:.epp" syntax. 
> >> 
> >> I believe these are the only locations within the book that talk about 
> >> the syntax of the argument to the "epp()" function. 
> >> 
> >> 
> >> 
> >> IIRC, the implementation of EPP use the same resolution to find a 
> >> template as the ERB template support does, so some investigation is 
> >> needed to find the real answer. The documentation / examples may 
> >> be in 
> >> error too. 
> >> 
> >> 
> >> The book indicated that the ERB template syntax uses 
> >> "/.epp", but I didn't test that. 
> >> 
> > 
> > The official documentation is here: 
> > 
> https://docs.puppet.com/puppet/latest/reference/lang_template.html#referencing-files
>  
> > 
>
> Yup, found that already.  Thanks. 
>
> > 
> > - henrik 
> > 
> >> 
> >> -- 
> >> You received this message because you are subscribed to the Google 
> >> Groups "Puppet Users" group. 
> >> To unsubscribe from this group and stop receiving emails from it, send 
> >> an email to puppet-users+unsubscr...@googlegroups.com 
> >> . 
> >> To view this discussion on the web visit 
> >> 
> https://groups.google.com/d/msgid/puppet-users/9b00b220-6501-4209-827a-4368dacac105%40googlegroups.com
>  
> >> 
> >> <
> https://groups.google.com/d/msgid/puppet-users/9b00b220-6501-4209-827a-4368dacac105%40googlegroups.com?utm_medium=email_source=footer>.
>  
>
> >> 
> >> For more options, visit https://groups.google.com/d/optout. 
> > 
> > 
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/cb657005-1e41-411a-9761-2cfee295ce31%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: Announce: Puppet Agent 1.5.0, Puppet Server 2.4.0

[Eric Sorenson]

On May 19, 2016, at 5:54 PM, Eric Sorenson <eric.soren...@puppet.com 
<mailto:eric.soren...@puppet.com>> wrote:
> 
>   * Puppet 4.5.0 - Also primarily a bugfix release, with improvements in the 
> type system and a few hotly awaited fixes for systemd and the DNF package 
> manager. The release notes mention new functions (including a function named 
> "new") that need

... to be added to the type reference on the website, but for now you can check 
out the inline docs at:
 https://github.com/puppetlabs/puppet/tree/master/lib/puppet/functions 
<https://github.com/puppetlabs/puppet/tree/master/lib/puppet/functions>

(WHUPS! Thanks Rob Nelson for pointing out my half-baked sentence.)

Eric Sorenson - eric.soren...@puppet.com <mailto:eric.soren...@puppet.com> - 
freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/3FE92236-E9CE-45CD-B7EB-0094A55BBBD2%40puppet.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Announce: Puppet Agent 1.5.0, Puppet Server 2.4.0

[Eric Sorenson]

I'm excited to announce a new batch of backwards-compatible feature releases 
for the Puppet Agent and Server.  There's a lot to take in here, so check out 
the release notes and take the code for a test-drive before you yell out 
"YOLO!" and upgrade all of production.

Puppet Server 2.4.0 - A slew of bugfixes and an enhancement to the 
trapperkeeper auth.conf implementation that allows you to use certificate 
extensions in your auth.conf rules. So for example you can assign your trusted 
management nodes a certificate that contains new authorization extensions 
indicating they ought to have higher privilege, then match those extensions in 
the rules that permit cert management or catalog request commands, avoiding the 
need to keep a list of privileged hostnames in your auth.conf.
Check out the full release notes here: 
https://docs.puppet.com/puppetserver/latest/release_notes.html 
<https://docs.puppet.com/puppetserver/latest/release_notes.html>

Puppet Agent 1.5.0 - All-in-one Agent package contains updated component 
versions, including a new feature release of Puppet.
  * Ruby 2.1.9 update
  * Puppet 4.5.0 - Also primarily a bugfix release, with improvements in the 
type system and a few hotly awaited fixes for systemd and the DNF package 
manager. The release notes mention new functions (including a function named 
"new") that needs
  * Facter 3.1.7 - Bugfixes for GCE and one particularly nasty recursion / 
fork-bomb that could happen if facter was invoked from inside a fact (I know...)
  * Hiera 3.2.0 - There's a backwards-compatible change that moves the default 
location of hiera.yaml out of the 'codedir' and back into 'config'. Read up on 
the backstory at HI-490 or on the puppet-dev thread[1], but the tl;dr is that 
we realized having this file (whose contents are frequently managed by puppet) 
inside the code dir (which is managed by r10k) was a mistake, and this change 
unwinds that, hopefully without introducing any additional badness. 
Release notes for each of these are linked from the main puppet-agent note: 
https://docs.puppet.com/puppet/4.5/reference/release_notes_agent.html 
<https://docs.puppet.com/puppet/4.5/reference/release_notes_agent.html>

Special community shout-out to Matthew Gyurgyik (whose name I admit i 
copy-pasted from JIRA) for working through the systemd issues! 

Eric Sorenson - eric.soren...@puppet.com <mailto:eric.soren...@puppet.com> - 
freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

[1]: https://groups.google.com/d/topic/puppet-dev/NQBK0vdp2E0/discussion 
<https://groups.google.com/d/topic/puppet-dev/NQBK0vdp2E0/discussion>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/5F9C86BD-A678-44B2-91CC-C371F17F912E%40puppet.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: Upgrading Puppet from 2.7 to 4

[Eric Sorenson]

Hi Chris, in addition to all the practical advice for moving through the 
upgrade cycles that you have gotten already, I would suggest taking a step 
back and analyzing your existing code-base to understand what the actual 
business function of the existing code is for the nodes. You can spend a 
ton of time doing things like adjusting syntax and eliminating deprecation 
warnings on a module, only to find out that the only host that is using 
that module was turned off a year ago and nobody noticed! 

So it might help to just draw out with a whiteboard or sticky notes what 
the existing mapping of puppet code to groups of machines looks like, what 
you think it SHOULD look like, and talk it over with your management/team 
to make sure the new setup is going the right direction. It's possible that 
you can save yourself a ton of work, plus be able to build a really good 
plan of the most valuable places to spend time. 

--eric0

On Monday, May 9, 2016 at 4:12:43 AM UTC-7, christg76 wrote:
>
> Thanks to everyone for the comments! I think I first need to do some 
> preliminary testing in order to assess the quality of the code and to see 
> what the real challenges are, and to ultimately decide on a strategy, ie 
> upgrade vs transition/migration.
> Ramin K: OS of the Master is Debian Wheezy. Have you actually done the 
> upgrade?
> Andrew Grimberg: This approach in fact sounds as if its the best way, 
> considering also what Henrik says below about new 
> versions/modules/tooling/practices. But it sounds like a massive amount of 
> work, particularly since we do not have any unit tests or similar in place. 
> Did you have any unit tests in place with the old code, or if not are you 
> implementing them with the new code?
>
> Chris
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/5bde60c1-2f44-45f3-b659-6d9bb3b0de93%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: possibility for autosign (or disable certificate control) for any host within one environment

[Eric Sorenson]

Puppet needs certificates in order to work, but you can autosign any 
incoming request without manual intervention using autosign:

https://docs.puppet.com/puppet/4.4/reference/ssl_autosign.html

--eric0

On Thursday, May 12, 2016 at 5:29:44 AM UTC-7, Mr Dandy wrote:
>
> Is it possible to configure the Puppetmaster for special environment that 
> does not chase hostname/certificates, without signing and it was publicly 
> available?
>
> My case: I've have some manifests and modules which i want to use on any 
> workstation in my office. Because all workstation have different names and 
> they may be the same (or change) - for this environment is necessary to 
> switch off any control over certificates, it is a public environment that can 
> benefit anyone without any action from puppet server ( puppet sign ... )
>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/e1a576e6-ca43-4552-ae22-cd7a925205f1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: use_srv_records doesn't work

[Eric Sorenson]

Hi Sinux, what version of puppet are you using? There was a bug in this 
area but it was fixed quite a while ago, in Puppet 3.1.0: 
 https://projects.puppetlabs.com/issues/18161

Can you paste the output of `puppet -tv --debug 2>&1 | grep SRV`

it should have some lines like:

Debug: Searching for SRV records for domain: dummy.example.com
Debug: Found 0 SRV records for: _x-puppet-ca._tcp.dummy.example.com


Note that if you already have a signed cert for the host, a CRL and CA 
certificate, the agent will not contact the CA server.

On Thursday, May 12, 2016 at 7:11:17 AM UTC-7, sinux shen wrote:
>
> hi there,
>
> I am in the middle of setting multiple master with single CA, if I 
> statically set:
> ca_server = 
> server = 
> in puppet.conf, it works well,
>
> but to make if more smart, I use srv settings, here is my conf:
> [main]
> vardir = /var/lib/puppet
> logdir = /var/log/puppet
> rundir = /var/run/puppet
> ssldir = $vardir/ssl
> use_srv_records = true
> srv_domain = mydomain.example.com
>
> [agent]
> listen   = true
> pluginsync   = true
> report   = true
> ignoreschedules  = true
> daemon   = false
> classfile= $vardir/classes.txt
>
> I found that when agent run, it didn't query SRV record like 
> _x-puppet-ca._tcp for getting CA Server, instead, it assume that "puppet" 
> is the CA server and trying to talk to it, but in our environment, we don't 
> use "puppet" as the CA server's hostname,  it does tried to resovle 
> _x-puppet._tcp and _x-puppet-fileserver._tcp though, can anyone please take 
> a look or give me some hint please.
>
> BTW, even I specifically set ca_server in the "main" part together with 
> use_srv_records, it still doesn't work
>
> Thanks
> Sinux
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/53a0b9c4-1480-4e43-88f1-8d772a44f3a5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: Good documentation somewhere for doing a cert-roll?

[Eric Sorenson]

On Friday, May 13, 2016 at 2:57:57 PM UTC-7, Dan Mahoney wrote:
>
> Hey there puppet-users deinzens. 
>
> One of my puppet agents helpfully reminded me that my root CA cert is due 
> to expire within a few months, and I'm wondering what the best way to go 
> about rolling it over would be. 
>
> A lot of my reading suggests something like "burn everything involving 
> certificates to the ground and start your entire CA infrastructure over 
> from scorched earth" is an approximation of the way to go. 
>

Hi Dan, this is a good and timely post. I'm working on some related issues
regarding Puppet's CA that may help you out. Your thinking on this is 
roughly correct -- things are a lot harder than they need to be, but the
above advice to nuke everything and start over is both overly simplistic
and wrong-headed.

Note that my comments here are specifically about the Clojure CA that
is included in puppetserver, not the Ruby CA; most things apply to both
but the past couple of years of server-side bugfixes and development energy
have gone into the Clojure CA, and Puppet 5 will consolidate
all the CA-side cert lifecycle onto this codebase. 
 

>
> From the various looks and reading I've done, this was one of those parts 
> of puppet that had some serious technical debt involved in authoring it. 
>
> I've likened puppet's SSL config to how I might manage an SSL cert on my 
> webserver/clients, and I'm seeing a disconnect, since many of the things 
> I'd do in those cases don't work here.. 
>

You're right that the agent SSL code is very old and badly needs an 
overhaul.
For some interesting historical context, check out this Redmine bug and
the related issues that it links to:

https://projects.puppetlabs.com/issues/3143
 

> In short -- I think the following problems still exist: 
>
> * There's still no support for putting multiple certificate files as the 
> puppet CA -- all must still be signed by a common root entity.  Is this 
> correct?  (In the "web" analogy, my browser could have lots of built-in 
> and additional trust-points, both corporate and as-shipped). 
>

Have you verified experientially that this doesn't work in current Puppet
versions? I am working on one variant of this (chain-of-trust with root
and intermediate CA in $ssldir/certs/ca.pem) and it does work. That's
slightly different to what you're saying though, which is that any issuer
in that file should be considered valid. Due to some confusion in the
CA code (see https://tickets.puppetlabs.com/browse/SERVER-1315 ) the
ca_crt.pem which the agent downloads can't contain a bundle, but I believe
if you "pre-seed" a valid bundle into that location the agent code will do
the right thing.

You're right that the agent does not support a CApath, in openssl parlance: 
a directory
of hashed CA certs, any of which are valid. The server side farms out its 
SSL verification
to the underlying web stack, so it ought to be tolerant of agents issued 
from
multiple CAs checking in. I haven't tried this angle yet.
 

>
> * There's no directive I can find whereby puppet agents can, within N days 
> of expiry, re-request their certificate, while maintaining a valid one in 
> the meantime.  On the puppet master, a duplicate cert is treated as an 
> absolute error and must be purged from both sides with extreme prejudice 
> and started over. 
>

The first part is true, the second is controlled by the 
'allow-duplicate-certs' CA setting
which will allow later requests to overwrite newer ones. 
 

>
> * There's no way the puppet master itself can have multiple trust points. 
> (I.e. old CA and new CA) -- in the real world, of course, I can have 
> multiple CA files from which I can trust clients, for example, for SMTP 
> auth. 
>

* Puppet has no concept of a CA Path, rather than a CA file.  And since 
> certificates are multi-line blocks in text files, they're a real pain to 
> manipulate with Augeas or shell scripts. 
>

As I said above, on the master the cert verification is delegated to the
web server layer (jetty in the case of the puppetserver, apache or nginx
or (gah) webrick for non-puppetserver setups). So agent verification on the 
master has a lot more going for it than the agents verifying the master's
identity. 
 

>
> * There's no way the master can say "multiple public keys for the same 
> cert are bad, but we will re-sign *existing* keys that are merely near 
> expiry." (Which is a thing we might do in PGP).  And even if we could 
> define such a policy, there's no support in the agent to do such a thing. 
>
 

>
> * There's no way to have the puppet-master auto-sign a cert, based on the 
> presence of some sort of file or hash on the node, similar to the above. 
>

There's nothing built-in that does either of these things. But policy-based
autosigning provides an API that lets you do this based on some
'a priori' knowledge you have of the node: 

https://docs.puppet.com/puppet/4.4/reference/ssl_autosign.html

This is an interesting line of thought 

[Puppet Users] Why can't I see my external facts from inside a Ruby script?

[Eric Rodriguez]

Running Facter v2.4.6, Puppet 3.8.6 on Ubuntu Trusty
One Puppet master host and one Agent

I have a custom Puppet report and I'd like to read some of my external 
Facts from within this report. I can see the external Fact from the cli and 
ALSO when running:

ruby -e "require 'facter'; puts Facter.value(:external_fact)"


I don't understand why this is. My external facts are in 
/etc/facter/facts.d/external.json.

Any idea what I am doing wrong here? Why can't I see this custom Fact from 
a Puppet report?

Thanks...

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/0890b9b6-f833-48ce-bb0a-884f930fb57c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Announce: Puppet Server 2.3.2 Available (SECURITY)

[Eric Sorenson]

Hi all, hot on the heels of yesterday's releases 
we have a new Puppet Server release up today: 2.3.2.

This is primarily a security fix which addresses a 
LOW RISK (3.5 CVSS3 score) security hole described at:
https://puppet.com/security/cve/cve-2016-2785

Read the full release notes here:
https://docs.puppet.com/puppetserver/2.3/release_notes.html#puppet-server-232

For more information on the Puppet Server including 
installation and upgrade instructions, read this:
https://docs.puppet.com/puppetserver/2.3/index.html


Eric Sorenson - eric.soren...@puppet.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/774b5ec0-9993-4eaa-9e9a-e08abc6a622e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Announce: Puppet 3.8.7 available!

[Eric Sorenson]

Puppet 3.8.7 is now available for download. This is a backwards-compatible 
bugfix release that includes a couple of backported fixes from 4.x to the 
"future" parser, improvements for Puppet's launchd and systemd service 
providers, and other miscellaneous patches. 

Read the release notes here for the changelog:
https://docs.puppet.com/puppet/3.8/reference/release_notes.html#puppet-387

And view the whole list of bugs included in the release here:
https://tickets.puppetlabs.com/issues/?filter=19117

For installation and upgrade instructions, read this:
https://docs.puppet.com/puppet/3.8/reference/pre_install.html

Special community shout-out for this release goes to Clay Caviness for the 
launchd bug report and pull request in PUP-6073. You rock, Clay!

Eric Sorenson - eric.soren...@puppet.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/4e5d3aa5-a0b6-4506-b19b-5703bbad6df8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Is there a solid EOL date for the Puppet 3.8 release family?

[Eric Sorenson]

Oh boy. It could, I guess, it's HTML so anything is possible.  But the 
canonical location for the component versions is on the docs site which is its 
own CMS and it's a lot of data:

https://docs.puppetlabs.com/pe/latest/overview_version_table.html



On Mar 22, 2016, at 1:50 PM, Trevor Vaughan <tvaug...@onyxpoint.com> wrote:

> Security releases are really all that's important to most compliance-focused 
> orgs.
> 
> Could that page link to the versions of each sub-component that is included?
> 
> Thanks!
> 
> Trevor
> 
> On Tue, Mar 22, 2016 at 11:37 AM, Eric Sorenson <eric.soren...@puppetlabs.com 
> <mailto:eric.soren...@puppetlabs.com>> wrote:
> Sorry for the slow reply, we had some internal ducks to get in a row.  The 
> enterprise support page now shows the current support dates for all the 
> recent series:
> 
> https://puppetlabs.com/misc/puppet-enterprise-lifecycle 
> <https://puppetlabs.com/misc/puppet-enterprise-lifecycle>
> 
> As a practical matter we're going to provide open-source releases of 
> components of a particular PE series for as long as that PE series is 
> supported; outside of security fixes though, the content of releases behind 
> the current one will be driven largely by customer requests. 
> 
> --eric0
> 
> On Wednesday, March 16, 2016 at 9:57:05 AM UTC-7, Trevor Vaughan wrote:
> Certainly possible, but deductions aren't stated facts on URLs that you can 
> put in front of management.
> 
> Trevor
> 
> On Wed, Mar 16, 2016 at 10:41 AM, Miguel Di Ciurcio Filho 
> <mig...@instruct.com.br <mailto:mig...@instruct.com.br>> wrote:
> On Wed, Mar 16, 2016 at 10:12 AM, Trevor Vaughan <tvaug...@onyxpoint.com 
> <mailto:tvaug...@onyxpoint.com>> wrote:
> > Thanks Carthik. Unfortunately, we need to know this for all of the
> > components, FOSS or otherwise.
> >
> 
> I think one can deduce that, if PE 3 series has an EOL set to July 28,
> 2016, all FOSS components present there will most definitely not be
> supported anymore also.
> 
> --
> You received this message because you are subscribed to the Google Groups 
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to puppet-users+unsubscr...@googlegroups.com 
> <mailto:puppet-users%2bunsubscr...@googlegroups.com>.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/puppet-users/CAK6Yst%3DNT5%2B2aXG3PNEy9M2X0o6w791dWT9_za1gWefj7cwy%3DQ%40mail.gmail.com
>  
> <https://groups.google.com/d/msgid/puppet-users/CAK6Yst%3DNT5%2B2aXG3PNEy9M2X0o6w791dWT9_za1gWefj7cwy%3DQ%40mail.gmail.com>.
> For more options, visit https://groups.google.com/d/optout 
> <https://groups.google.com/d/optout>.
> 
> 
> 
> -- 
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699 <tel:%28410%29%20541-6699>
> 
> -- This account not approved for unencrypted proprietary information --
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to puppet-users+unsubscr...@googlegroups.com 
> <mailto:puppet-users+unsubscr...@googlegroups.com>.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/puppet-users/e0bddb7b-f9a7-47cf-a34a-8dad8876edf3%40googlegroups.com
>  
> <https://groups.google.com/d/msgid/puppet-users/e0bddb7b-f9a7-47cf-a34a-8dad8876edf3%40googlegroups.com?utm_medium=email_source=footer>.
> 
> For more options, visit https://groups.google.com/d/optout 
> <https://groups.google.com/d/optout>.
> 
> 
> 
> -- 
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699
> 
> -- This account not approved for unencrypted proprietary information --
> 
> -- 
> You received this message because you are subscribed to a topic in the Google 
> Groups "Puppet Users" group.
> To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/puppet-users/15QSPcvkGDI/unsubscribe 
> <https://groups.google.com/d/topic/puppet-users/15QSPcvkGDI/unsubscribe>.
> To unsubscribe from this group and all its topics, send an email to 
> puppet-users+unsubscr...@googlegroups.com 
> <mailto:puppet-users+unsubscr...@googlegroups.com>.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/puppet-users/CANs%2BFoW04-0UUP4%2BkJCdkFvWky%3DV1E7O9Rqn-8Xt7tw9NTPHVg%40mail.gmail.com
>  
> <https://groups.google.com/d/msgid/puppet-users/CANs%2BFoW04-0UUP4%2BkJCdkFvWky%3DV1E7O9Rqn-8Xt7tw9NTPHVg%40mail.gmail.com?utm_medium=email_source=footer>.
> For more opti

Re: [Puppet Users] Is there a solid EOL date for the Puppet 3.8 release family?

[Eric Sorenson]

Sorry for the slow reply, we had some internal ducks to get in a row.  The 
enterprise support page now shows the current support dates for all the 
recent series:

https://puppetlabs.com/misc/puppet-enterprise-lifecycle

As a practical matter we're going to provide open-source releases of 
components of a particular PE series for as long as that PE series is 
supported; outside of security fixes though, the content of releases behind 
the current one will be driven largely by customer requests. 

--eric0

On Wednesday, March 16, 2016 at 9:57:05 AM UTC-7, Trevor Vaughan wrote:
>
> Certainly possible, but deductions aren't stated facts on URLs that you 
> can put in front of management.
>
> Trevor
>
> On Wed, Mar 16, 2016 at 10:41 AM, Miguel Di Ciurcio Filho <
> mig...@instruct.com.br> wrote:
>
>> On Wed, Mar 16, 2016 at 10:12 AM, Trevor Vaughan  
>> wrote:
>> > Thanks Carthik. Unfortunately, we need to know this for all of the
>> > components, FOSS or otherwise.
>> >
>>
>> I think one can deduce that, if PE 3 series has an EOL set to July 28,
>> 2016, all FOSS components present there will most definitely not be
>> supported anymore also.
>>
>> --
>> You received this message because you are subscribed to the Google Groups 
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to puppet-users+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/puppet-users/CAK6Yst%3DNT5%2B2aXG3PNEy9M2X0o6w791dWT9_za1gWefj7cwy%3DQ%40mail.gmail.com
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
>
> -- 
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699
>
> -- This account not approved for unencrypted proprietary information --
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/e0bddb7b-f9a7-47cf-a34a-8dad8876edf3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Announcing Puppet Server 2.3.0 / Puppet 4.4.0

[Eric Sorenson]

I'm really excited to announce the arrival of new feature releases:
Puppet 4.4.0 and Puppet Server 2.3.0. The headline feature here is 
Static Catalogs: file resources with 'puppet:///' source attributes
will now include the checksum of the file inside the catalog, rather
than requiring additional http requests to the master as the catalog
is being applied. This both dramatically improves performance and closes
a "loophole" where agents could get file content that didn't match the
catalog's original intent.  You can read more (much, much more) about this
on the doc site: 
http://docs.puppetlabs.com/puppet/4.4/reference/static_catalogs.html

In addition, there are several other noteworthy features including an
awesome community contribution:
* Felix Frank worked tirelessly to close a very long-standing feature
  request that ties in with static catalogs: HTTP(S) file sources.
  Now you can use plain http webservers as the `source` for file resources,
  so if you have content that's large in size or managed outside Puppet's
  fileserver, you can just point at it. Vielen dank, Felix! (PUP-1073)
  
* There's a new API endpoint in the Puppet Server, `environment_classes`, 
that
  improves upon the old resource_types endpoint to enumerate classes, their
  parameters, and default values. (SERVER-1110)

* The Puppet Server now reloads configuration immediately upon receiving a 
  HUP signal, lowering restart times if you are changing values. (SERVER-86)

* The Puppet 4 Language continues to improve: now you can alias Types 
directly
  in your manifests, there's a new Iterable type, and you can now reference
  earlier parameters in a class, define, or function. (various tickets)

There's a lot more, so please read the release notes for details:

Puppet Server: 
http://docs.puppetlabs.com/puppetserver/latest/release_notes.html
Puppet: 
https://docs.puppetlabs.com/puppet/latest/reference/release_notes.html

Puppet 4.4.0 is contained inside the puppet-agent-1.4.0 package that Melissa
announced yesterday, as well as being independently downloadable as a gem or
tarball

To install or upgrade puppet-agent, follow the getting started directions: 
http://docs.puppetlabs.com/puppet/latest/reference/index.html 

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/1eaaa14c-943d-4ec0-bd19-9e45ba5ce625%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Re: puppet catalog compilation job queue idea

[Eric Sorenson]

The first and most significant chunk of the direct puppet work, namely a 
production-ready version of "static catalogs" is going out in Puppet 4.4.0. 
You can preview the documentation for it 
here: 
https://github.com/puppetlabs/puppet-docs/blob/master/source/puppet/4.4/reference/static_catalogs.md

Future work is around the other stuff you mentioned - especially 
precompilation. 

--eric0

On Tuesday, March 8, 2016 at 7:02:40 AM UTC-8, R.I. Pienaar wrote:
>
> I believe the thing thats happening here is called Direct Puppet, there 
> were some puppet conf talks about this you might want to look at the 
> videos. 
>
> But it's around reworking the compile flow so you can pre-compile things, 
> re-run 
> earlier compiled things, redo the static catalogs and even rewriting the 
> compiler 
> in C++ 
>
> There are stuff happening on Jira at the moment, but I'd guess lots of 
> this will 
> be PE only if recent blogs are anything to go by 
>
> - Original Message - 
> > From: "jcbollinger"  
> > To: "puppet-users"  
> > Sent: Tuesday, 8 March, 2016 15:51:31 
> > Subject: Re: [Puppet Users] Re: puppet catalog compilation job queue 
> idea 
>
> > On Monday, March 7, 2016 at 7:57:33 PM UTC-6, SG Madurai wrote: 
> >> 
> >> Hi John, Thank you for the update. 
> >> 
> >> Pardon me if i am asking about things that have been clarified/ settled 
> >> already. 
> >> 
> >> From what i understand, agent run times are primarily determined by 
> >> - catalog compilation time at master 
> >> - the time for agent to apply catalog on its node 
> >> 
> >> 
> > 
> > Both of those are contributors.  The former is rarely a major one. 
>  There 
> > is also time spent by the agent computing facts, which is usually even 
> > less, but can be costly if costly custom facts are installed. 
> > 
> > Also, catalog application often is not an agent-only activity, as it 
> > commonly involves the agent obtaining files from the master's file 
> server. 
> > This can be very expensive for both the agent and the master. 
> > 
> > 
> > 
> >> So was basically wondering if there is an option to separate these 2 
> >> functions and manage these 2 independent of each other (at times 
> convenient 
> >> for each of these activities) 
> >> 
> >> 
> > 
> > Nodes have as much control as they want to exercise of when and how 
> often 
> > they perform catalog runs.  If they run the agent in daemon mode then 
> they 
> > can configure the run interval, but they also have the option of running 
> it 
> > at the times they choose via a scheduler, such as cron, or on-demand 
> either 
> > manually or via a remote-control system such as MCollective. 
> > 
> > The master does perform some caching to speed catalog building, but as I 
> > already said, it is impractical for it to cache whole catalogs for 
> direct 
> > service to clients.  The problem here lies in determining accurately and 
> > efficiently when cached catalogs are stale. 
> > 
> > 
> > 
> >> If these concerns shouldn't arise with running multiple puppet masters 
> w/ 
> >> puppet db (or by imply upgrading...we are on v3.8 btw), then will 
> explore 
> >> that option first. 
> >> 
> > 
> > 
> > If your master(s) do not adequately serve the catalog request load, then 
> > the quickest solution is often to empower them by running more 
> puppetmatser 
> > threads, adding CPU, adding RAM, increasing network bandwidth, and/or 
> > shutting down other services.  "Shutting down other services" might 
> include 
> > moving PuppetDB to a separate machine.  Do also attend to the 
> possibility 
> > of uneven load: some kinds of site configurations lend themselves to 
> highly 
> > uneven load on the master, such that it sometimes gets transiently 
> > overloaded even though it has sufficient capacity for its average load. 
> > 
> > If individual catalog compilations are taking a long time, then it is 
> > probably worthwhile investigating why that is.  It may well be the case 
> > that you can realize substantial improvements by modifying your manifest 
> > set.  If the master is bogged down at the file server then you are 
> probably 
> > managing either large numbers of files or very large files, or both, in 
> an 
> > inefficient way; this is an area where it is relatively easy to shoot 
> > yourself in the foot. 
> > 
> > If none of those alternatives yield the catalog service bandwidth you 
> need, 
> > then the next logical step is multiple masters. 
> > 
> > 
> >> 
> >> I couldn't be sure if these configuration options (multiple puppet 
> masters 
> >> w/ puppet db) by itself can take care of the issues we are facing with 
> >> agent runs  in our environment 
> >> (timeouts, slowness..) 
> >> 
> >> We have one puppet master (v3.8) managing 150-200 nodes in an 
> environment. 
> >> 
> > 
> > 
> > That's a fairly substantial load for a single master, but whether it's 
> at 
> > or beyond the capacity you should expect depends 

[Puppet Users] Announce: Puppet 3.8.5 available

[Eric Sorenson]

Puppet 3.8.5 is now available. This is a bugfix release that contains 
performance improvements to catalog compilation and Mac OS X service 
management, along with fixes for Windows agents and the Puppet 4 language 
parser. See the full release notes here:

http://docs.puppetlabs.com/puppet/3.8/reference/release_notes.html

For installation and upgrade instructions, see this doc:

http://docs.puppetlabs.com/puppet/3.8/reference/pre_install.html

A special community shout-out for this release to Github user 'earsdown' 
for the PR to fix PUP-5212, which added HTTP proxy support to the PIP 
package provider. 

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/162976e8-f3a4-4af5-a211-a0900f3b4aa5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Announce: puppet-agent 1.3.4 available

[Eric Sorenson]

Puppet Agent 1.3.4 is now available! This is a bugfix release of the
all-in-one Puppet 4 based installer, which bundles Ruby, Facter, Puppet,
and other components into a single package for all supported operating
systems.

Notable changes in this release:
* Support for Ubuntu 'Wily Werewolf'
* Puppet 4.3.2 - big batch of bugfixes, for everything from the new
  "puppet lookup" command to catalog performance profiling to the
  yumrepo provider. Plus bonus speed boosts for all catalog compilation!
  See full Puppet release notes for details: 
https://docs.puppetlabs.com/puppet/latest/reference/release_notes.html
* Facter and Hiera got version bumps to support the new Ubuntu packages;
  Facter has one functionality fix (FACT-1246) but Hiera does not contain
  code changes.

See the release notes for the puppet agent package here:
http://docs.puppetlabs.com/puppet/latest/reference/release_notes_agent.html

To install or upgrade puppet-agent, follow the getting started directions: 
http://docs.puppetlabs.com/puppet/latest/reference/index.html 

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/232a99d4-176e-4052-bfd3-554793a1c05b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Serving files from custom mount point in Puppet 4

[Eric Sorenson]

On Jan 12, 2016, at 6:21 AM, kashif <kashif.a...@gmail.com> wrote:

> Hi Eric
> 
> rpm -qa | grep puppet
> puppet-agent-1.3.2-1.el6.x86_64
> puppetlabs-release-pc1-1.0.0-1.el6.noarch
> puppetserver-2.2.1-1.el6.noarch
> 
> cat /etc/puppetlabs/puppet/fileserver.conf
> 
> [site_files]
>path /etc/puppetlabs/codes/files
>allow *


This should be /etc/puppetlabs/code/files ...

> 
> I haven't changed auth.conf file 
> cat /etc/puppetlabs/puppetserver/conf.d/auth.conf
> 
>  [ ... ]
> Test manifest
> 
> file { '/root/puppet_test':
>source => "puppet:///site_files/puppet-test",
>ensure => present,
>  }
> 
> Error
> Puppet Not authorized to call find on /file_metadata/site_files/puppet-test 
> with {:links=>"manage", :checksum_type=>"md5", :source_permissions=>"ignore", 
> :rest=>"site_files/puppet-test"
> 

This message is on the agent, there should be a corresponding message in the 
server logs -- can you include that if you still have trouble after fixing the 
'codes' -> 'code' path in fileserver.conf?

Eric Sorenson - eric.soren...@puppetlabs.com 
<mailto:eric.soren...@puppetlabs.com> - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/4589B455-3D30-4210-93D8-8E47BEE13BC7%40puppetlabs.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: Serving files from custom mount point in Puppet 4

[Eric Sorenson]

It is not deprecated at all.

Can you please post your configuration (fileserver.conf, auth.conf, and the 
puppet manifest which causes the error) along with the exact error messages?

--eric0

On Monday, January 11, 2016 at 1:57:34 AM UTC-8, kashif wrote:
>
> Hi
>
> Is serving files from custom mount point depreciated in puppet 4? I 
> configured fileserver.conf file in same way as  in puppet 3 but it is not 
> working. I could not find any explicit statement in puppet 4 documents 
> about custom mount points. Has any one managed to serve from custom mount 
> point in puppet 4?
>
> Thanks
>
> Kashif
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/52abb73e-2dd1-45f1-b974-761c24fbab85%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Announce: puppet-server 1.1.3 and 2.2.1 available!

[Eric Sorenson]

New bugfix releases of Puppet Server for Puppet 3.x and 4.x installations are
now available. The primary change for both of these releases is a fix for a
memory leak triggered by enabling the `max-requests-per-instance` setting.

Check out the release notes here:
http://docs.puppetlabs.com/puppetserver/latest/release_notes.html

Here are the installation and upgrade instructions for Puppet Server 2.x /
Puppet 4.x sites:
http://docs.puppetlabs.com/puppetserver/2.2/install_from_packages.html

And here are the instructions for Puppet Server 1.x / Puppet 3.x sites:
http://docs.puppetlabs.com/puppetserver/1.1/install_from_packages.html

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

--
You received this message because you are subscribed to the Google Groups "Puppet 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/alpine.OSX.2.20.1512091708520.2130%40fermium.corp.puppetlabs.net.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Announce: puppet-agent 1.3.2 available

[Eric Sorenson]

Puppet Agent 1.3.2 is now available. This is a follow-up release to 
Monday's 1.3.1 release which includes a fix to the root CA bundle included 
in the package.

In puppet-agent 1.3.0 and 1.3.1, the included bundle of CA certificates was 
smaller than the system bundles used in puppet-agent 1.2.7 and earlier, 
which could cause Puppet features that rely on the omitted CA certificates 
to fail. This release resolves the issue by expanding the certificate 
bundle to be more comparable to the set provided by other vendors.

You can see links to the full release notes for puppet-agent and individual 
components here: 

http://docs.puppetlabs.com/puppet/4.3/reference/about_agent.html 

To install or upgrade puppet-agent, follow the getting started directions: 

http://docs.puppetlabs.com/puppet/4.3/reference/index.html 

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0 
puppet platform // coffee // techno // bicycles 

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/13fe3408-88ab-49e1-b7c5-2c2367b21cc6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Announce: puppet-agent 1.3.1 available.

[Eric Sorenson]

Puppet Agent 1.3.1 is now available. This is a bugfix release of the 
all-in-one agent, which bundles up Ruby, Puppet, Facter, and other components 
into a single package.


This release includes the following updates:

* Facter 3.1.3 fixes a regression where the `puppetversion` fact was not
  reported.
* Puppet 4.3.1 fixes a bug where variables like `calling_module` were not
  available in hiera.
* pxp-agent 1.0.1 fixes an internal race condition between the completion of
  an action command and the corresponding metadata file being updated.

You can see links to the full release notes for puppet-agent and individual 
components here:


http://docs.puppetlabs.com/puppet/4.3/reference/about_agent.html

To install or upgrade puppet-agent, follow the getting started directions:

http://docs.puppetlabs.com/puppet/4.3/reference/index.html

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

--
You received this message because you are subscribed to the Google Groups "Puppet 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/alpine.OSX.2.20.1511301353230.91886%40fermium.corp.puppetlabs.net.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Announce: Puppet 3.8.4 available

[Eric Sorenson]

Puppet 3.8.4 is available. This is a bugfix release which fixes a performance 
problem with directory environments, a security vulnerability when Puppet 
generated its CA key, and a small grab-bag of other bugs.

You can see the full release notes here:

https://docs.puppetlabs.com/puppet/3.8/reference/release_notes.html#puppet-384

Here's the complete list of bugs fixed in the release:

https://tickets.puppetlabs.com/issues/?filter=15901

To install or upgrade puppet, follow the installation guide:

https://docs.puppetlabs.com/guides/install_puppet/pre_install.html

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/C61C6148-3DCB-43B7-A521-B2BE412EF757%40puppetlabs.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Announce: puppet-agent-1.2.7 available

[Eric Sorenson]

Puppet Agent 1.2.7 is now available. This is a minor release of the all-in-one 
agent, which bundles up Ruby, Puppet, Facter, and other components into a 
single package.


The primary purpose of this release is to prepare for upcoming Puppet 
Enterprise support for Solaris and AIX. Notable changes in this release:


* Puppet 4.2.3 - updated from 4.2.2 (Solaris and AIX improvements, fixes to
  tag filtering, performance, etc)
* Facter 3.1.1 - updated from 3.1.0 (Solaris and AIX fixes)
* Hiera 3.0.4 - updated from 3.0.3 (only acceptance test changes)
* Packaging fixes to puppet-agent itself (for Mac OS X, Solaris, AIX)

You can see the full release notes for puppet-agent and links to the 
individual components here:


http://docs.puppetlabs.com/puppet/4.2/reference/about_agent.html

New for this release, this page now describes changes to the puppet-agent 
package itself, independent of the component release notes.


To install or upgrade puppet-agent, follow the getting started directions:

http://docs.puppetlabs.com/puppet/4.2/reference/index.html


Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

[Puppet Users] Announce: puppet-agent-1.2.5 now available!

[Eric Sorenson]

Puppet Agent 1.2.5 is out! This is a new minor release of the all-in-one agent
bundle which contains no updated component code, but fixes bugs in packaging
and service management.

* Includes mcollective 2.8.6, which fixes an issue when trying to start
  mcollectived on Solaris 10.
* Changes the package filenames on Mac OS X to use major and minor versions,
  e.g. puppet-agent-1.2.5-1.osx10.10.dmg, instead of codenames, e.g.
  puppet-agent-1.2.5-1.yosemite.dmg

You can find out more about the all-in-one puppet-agent package here:
https://docs.puppetlabs.com/puppet/4.2/reference/about_agent.html

The installation and upgrade instructions are linked from the main docs page:
https://docs.puppetlabs.com/puppet/4.2/reference/index.html

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

[Puppet Users] Re: Security: Potential exposure of CA key under puppetserver

[Eric Sorenson]

A couple of updates:

- Yes, a CVE will be issued.

- The remediation steps below are a little wonky, and my subject line is 
inaccurate. The same exposure happens for CA keys generated by running a 
webrick 'puppet master', or passenger-based packages, or by puppet server. 
By far the simplest thing is to make sure your privatekeydir 
($ssldir/private_keys) and CA private keys ($ssldir/ca/ca_key.pem) are 
"chmod o-rwx" rather than running the 'puppet cert' or 'agent' commands as 
I said below.

- In addition to the CA key being exposed, if you used puppetserver to 
generate your _host_ key on the CA, that key and the 'privatekeydir' 
directory will have too-lenient permissions.

--eric0

On Tuesday, September 29, 2015 at 9:47:57 PM UTC-7, Eric Sorenson wrote:
>
> We've identified and are fixing a condition in puppet where the 
> auto-generated 
> CA private key is created with too-leinent permissions. We feel the 
> exposure is 
> pretty limited (it would require a local user account on the CA system, to 
> discover and copy/modify the CA key before additional puppet commands run) 
> but 
> will be releasing patched versions which do not have the problem. I wanted 
> to 
> post this publicly so users could evaluate their own site and remediate if 
> necessary, in advance of an upstream software release. 
>
> You could be affected if: 
> - you used puppet server or puppet master to automatically generate a CA 
>keypair and certificate and have NEVER restarted the process 
> - you never subsequently ran a puppet agent, cert, or other subcommands 
>which use the certificate subsystem, on the host with the CA keypair. 
>
> You will not be affected if: 
> - you run Puppet Enterprise to initialize your CA 
> - you have ever run 'puppet agent' or other 'puppet cert' commands as root 
> on the host with the keypair. 
> - you have ever restarted your puppet master/puppet server process. Ever. 
> Really. 
>
> The immediate fix is to either: 
> - run `puppet agent` as root on the server which has the CA key 
> - as root, `chmod 660 $(puppet master --configprint cadir)/ca_key.pem` 
>
> A huge thank you/merci to Francois Lafont for reporting this issue. 
>
> For more details, see https://tickets.puppetlabs.com/browse/PUP-5274 
>
> Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0 
> puppet platform // coffee // techno // bicycles 
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/502f17b2-85ed-4a99-a56b-379f4f407402%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Security: Potential exposure of CA key under puppetserver

[Eric Sorenson]

We've identified and are fixing a condition in puppet where the auto-generated
CA private key is created with too-leinent permissions. We feel the exposure is
pretty limited (it would require a local user account on the CA system, to
discover and copy/modify the CA key before additional puppet commands run) but
will be releasing patched versions which do not have the problem. I wanted to
post this publicly so users could evaluate their own site and remediate if
necessary, in advance of an upstream software release.

You could be affected if:
- you used puppet server or puppet master to automatically generate a CA
  keypair and certificate and have NEVER restarted the process
- you never subsequently ran a puppet agent, cert, or other subcommands
  which use the certificate subsystem, on the host with the CA keypair.

You will not be affected if:
- you run Puppet Enterprise to initialize your CA
- you have ever run 'puppet agent' or other 'puppet cert' commands as root on 
the host with the keypair.
- you have ever restarted your puppet master/puppet server process. Ever. 
Really.

The immediate fix is to either:
- run `puppet agent` as root on the server which has the CA key
- as root, `chmod 660 $(puppet master --configprint cadir)/ca_key.pem`

A huge thank you/merci to Francois Lafont for reporting this issue.

For more details, see https://tickets.puppetlabs.com/browse/PUP-5274

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

[Puppet Users] Announce: Puppet-Agent 1.2.4, Puppet 4.2.2, Facter 3.1.0

[Eric Sorenson]

Puppet Agent 1.2.4 is out! This is a new minor release of the all-in-one
agent bundle which incorporates updates to Puppet, Facter, Hiera, and 
Mcollective.


* Puppet 4.2.2, a bugfix release which includes an important Windows security
  fix: 
https://docs.puppetlabs.com/puppet/4.2/reference/release_notes.html#puppet-422

* Facter 3.1.0, a backwards-compatible feature release of Facter which adds
  support for OpenBSD and Solaris facts, improves the network interface facts,
  and fixes a regression that caused Docker containers on systemd hosts to
  erroneously report themselves not to be virtual:
  https://docs.puppetlabs.com/facter/3.1/release_notes.html#facter-310

* Mcollective 2.8.5, which reverted a problem renaming the mcollective service
  on Mac OS X and improves the init script on SUSE.

* Hiera 3.0.3, which is a tag-only release (necessary for tooling, no
  functional changes)

You can find out more about the all-in-one puppet-agent package here:
https://docs.puppetlabs.com/puppet/4.2/reference/about_agent.html

The installation and upgrade instructions are linked from the main docs page:
https://docs.puppetlabs.com/puppet/4.2/reference/index.html

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

[Puppet Users] send all puppet messages to rsyslog

[eric odell]

How to get all puppet agent/master logs to rsyslog? intend to ship all 
puppet agent/master messages to central loghost and parse with logstash and 
ship to elasticsearch. Currently puppet logs some messages to 
/var/log/messages via rsyslog  while puppet daemons write directly to 
/var/log/puppet/*.

puppet client/master syslogfacility  set to daemon:

puppet master --configprint syslogfacility
daemon

Thought that setting rsyslog to catch all logs with syslog facility of 
daemon:

grep daemon /etc/rsyslog.conf 
daemon.*/var/log/daemon

should do the trick but this logs very little in /var/log/daemon while 
puppet continues to log most everything to /var/log/puppet/*

Also puppet logging to rsyslog may be poor choice when dealing with long 
multiline error messages...
Have considered running logstash directly on each puppet node/master but 
want to see if I can ship all puppet logs to central rsyslog server which 
already has logstash running...

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/f0581c8f-b08d-4668-960a-8bf649b2522e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] How to use multiple versions of same module

[Eric Berg]

Seems like a problem that people run into all the time, but I haven't found 
any info on this topic that is in the least satisfying.

I have a monolithic puppet repo that is several years old, and which has 
one main module with several dozen manifests along with files and 
templates.  Currently, this code uses 3rd party/forge modules that are 
pretty old, and I'd like to update the 3rd party modules (stuff like apt, 
nginx, node, stdlib, etc...), but I need to do it selectively, since many 
of our manifests may break in a major-version upgrade.

As I create proper modules from the manifests that we have now, the 
existing module should continue to use the versions they're currently 
using and the new ones should be able to use the latest versions of these 
modules.

Simply installing modules, for example by using 'puppet module install' 
updates the current version of the module, which resides in our git repo in 
the modules subdir.

Ultimately, it seems that we should move to librarian puppet, but I'm not 
sure that that solves the basic problem, which is that I need to have 
multiple versions of the same modules.

How do I accomplish this?

Thanks.

Eric

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/835e1fdd-83fc-436e-b1ad-3bee874ff0b1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Re: PL policy toward fixing known bugs in PE 3.8.x

[Eric Sorenson]

On Fri, 26 Jun 2015, Vince Skahan wrote:


yup - appreciate the responselet me know if you want me to open a
ticket to get this into the next 3.8.x (via my work email).


Yep, that's definitely the way to go. https://support.puppetlabs.com/

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

[Puppet Users] Re: Announce: Puppet Agent 1.2, Facter 3, Puppet 4.2, Hiera 3

[Eric Sorenson]

Last night we rolled a patch release which includes a fix for FACT-1055, a
regression which inadvertently broke backward compatibility for external facts
that are not pluginsync'ed from modules: 
https://tickets.puppetlabs.com/browse/FACT-1055


The new AIO bundle (puppet-agent-1.2.1) is available in all of the Puppet
Collection 1 repositories.

I also neglected to mention in the original announcement that we now have
package repositories for Debian Jessie and Mac OS X Mavericks (10.9) and
Yosemite (10.10) and these OSes will be part of the regular release pipelines
going forward.

On Wed, 24 Jun 2015, Eric Sorenson wrote:


There's a new All-in-One Puppet Agent release available! This release bundles
new versions of several component projects and is downloadable now through 
the Puppet Collection 1 repository.


* Puppet 4.2 includes several features and bug fixes, and officially 
deprecates
  Windows 2003. Release notes here: 
http://docs.puppetlabs.com/puppet/4.2/reference/release_notes.html

* Facter 3, the rewritten C++-based facter, is now the baseline Facter
  implementation. Read more here: 
https://puppetlabs.com/blog/speeding-up-puppet-on-windows

* Hiera 3 is included, which contains a change to the default
  hierarchy and datadir location. This is technically a semver break, so 
it's
  a new major version. The gory details: 
http://docs.puppetlabs.com/hiera/3.0/release_notes.html


Get installation instructions and read about Puppet Collections, our 
Linux-distribution-style repositories for Puppet related projects, here: 
https://puppetlabs.com/blog/welcome-puppet-collections


Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles



Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

[Puppet Users] Re: Announce: Puppet Agent 1.2, Facter 3, Puppet 4.2, Hiera 3

[Eric Sorenson]

We got a bug report about Facter 3 not picking up external facts that 
aren't pluginsynced from modules; this was an unexpected regression and 
we're rolling out a quick Facter 3.0.1 which fixes the issue. You can see 
more details here:  

https://docs.puppetlabs.com/facter/3.0/release_notes.html#regression--break-cant-find-manually-installed-external-facts


The bug itself is being tracked here: 
https://tickets.puppetlabs.com/browse/FACT-1055 
https://www.google.com/url?q=https%3A%2F%2Ftickets.puppetlabs.com%2Fbrowse%2FFACT-1055sa=Dsntz=1usg=AFQjCNH_TSw9zJ7JJzMzeJ-4x-kkgYkUZg

Thanks to Erik Dalén and James Ralston for raising this issue and testing 
the fix.

--eric0

On Wednesday, June 24, 2015 at 7:23:28 PM UTC-7, Eric Sorenson wrote:

 There's a new All-in-One Puppet Agent release available! This release 
 bundles 
 new versions of several component projects and is downloadable now through 
 the 
 Puppet Collection 1 repository. 

 * Puppet 4.2 includes several features and bug fixes, and officially 
 deprecates 
 Windows 2003. Release notes here: 
 http://docs.puppetlabs.com/puppet/4.2/reference/release_notes.html 
 * Facter 3, the rewritten C++-based facter, is now the baseline Facter 
 implementation. Read more here: 
 https://puppetlabs.com/blog/speeding-up-puppet-on-windows 
 * Hiera 3 is included, which contains a change to the default 
 hierarchy and datadir location. This is technically a semver break, so 
 it's 
 a new major version. The gory details: 
 http://docs.puppetlabs.com/hiera/3.0/release_notes.html 

 Get installation instructions and read about Puppet Collections, our 
 Linux-distribution-style repositories for Puppet related projects, here: 
 https://puppetlabs.com/blog/welcome-puppet-collections 

 Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0 
 puppet platform // coffee // techno // bicycles 


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/d16dc6ed-dfbe-4467-8208-1f6455ea0fd8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: PL policy toward fixing known bugs in PE 3.8.x

[Eric Sorenson]

On Thursday, June 25, 2015 at 2:43:34 PM UTC-7, Vince Skahan wrote:

 I'm fiddling with PE 3.8.1 to understand the pros+cons of potentially 
 updating our 3.7.0 PE server to that as a path toward the coming soon 4.x 
 version of PE.

 Unfortunately, even doing the initial module installations to 3.8.1 
 immediately showed issues. In this case, I ran into the error in module.rb 
 mentioned in PUP 3121 and fixed with the two-line patch in 
 https://github.com/puppetlabs/puppet/pull/3310 - trivial bug, trivial 
 patch to PE. 

 According to the PUP the bug was fixed in 4.0.0 (great) but not fixed in 
 the PE 3.8.x versions that came out after that (not so great).  
 Hand-patching my PE setup fixed the issue, but there's something that 
 doesn't feel right about needing to hand-patch a commercial product to get 
 it to work.


Hi Vince, thanks for the note. I'm sorry you ran into this issue.
 

 Questions:

- why wasn't it fixed in the 3.8.1 PE commercial product ?  If PE is 
your flagship commercial product, why would you 'not' backport trivial 
fixes like this for your 'paying' customers ?


We absolutely do backport upstream fixes into the commercial releases, for 
exactly the reasons that you describe. We do not backport *every* change, 
as that gets insanely complicated really quickly. It's generally safer and 
less confusing to regularly rebase onto newer upstream releases instead of 
cherry-picking individual fixes. 

The process generally is that customers who are getting bit by bugs raise 
support requests through the commercial support team, who work with product 
management (my team) and the developers to get fixes prioritized, coded and 
released.  This particular bug didn't have any commercial support tickets 
associated with it, nor any high community priority around it, so it just 
slotted into the normal flow of upstream-into-product release train.


- what, if anything, are you fixing in the 3.8.x PE commercial product 
at this point ?

 So, PE3.8.0 released April 28 and PE 3.8.1 released June 18; this might be 
too few data points to draw a trendline, but should show that we're 
actively maintaining and improving the line. Going back a little further, 
we maintained PE2.8 for 18 months into the lifecycle of the PE3.x series, 
which should be a proof point that it's not just talk. These were security 
and bugfix releases that contained either bumped OSS component versions 
where possible, or cherry-picked bugfixes that came in according to the 
process I outlined above.


- what can we expect in term of bug fixes in the 6 or more month 
window between Open Source 4.x and PE 4.x in terms of supporting your 
'paying' customers ?

 I'm not sure why you keep putting quotes around 'paying'. It's real, 
actual money from real customers, who we love a lot. :)

Do you mean fixes into the PE3.x series? Or fixes to 4.x that happen in 
open-source? The 4.0-4.1-4.2 release cycle in OSS since April is exactly 
this: responding to community bugs, filing off the rough edges, and 
preparing it to ship in PE this summer.


- 

 I guess I'm not understanding the business model here.  It's great you're 
 moving forward to 4.0 and it's improvements, but if your for-pay product 
 has bugs that will be around for a year plus (ex: this one) until your 
 commercial 4.0-based product eventually appears, even assuming we jump 
 day-one to that (we wouldn't, as 'that' will need time to mature), why 
 would we pay the money to run buggy software ?


Some of this is due to the long delay in getting Open-Source Puppet 4.0 out 
the door. The 'master' puppet branch had been accumulating fixes like this 
one throughout 2014 in anticipation of a Nov 2014 Puppet 4 release, which 
ended up not happening until April 2015. The open-source to commercial flow 
tends to be about 3 months for any given version, absent the distortion 
caused by these big major version bumps (which we're trying to minimize by 
doing more frequent, smaller versions going forward).

Literally all software has bugs. It's about having an escalation path from 
the support side to fix the ones you care about, plus enough value-add 
features, scale improvements, and workflows from the product to make it 
valuable to you.
 


 Confused in the PL approach toward support of their 'commercial' vs. 'open 
 source' product lines.


Hope this helps. You can see the release timeline and support lifecycle I 
was talking about 
here: https://puppetlabs.com/misc/puppet-enterprise-lifecycle

--eric0

-- 
Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet

[Puppet Users] Announce: Puppet Agent 1.2, Facter 3, Puppet 4.2, Hiera 3

[Eric Sorenson]

There's a new All-in-One Puppet Agent release available! This release bundles
new versions of several component projects and is downloadable now through the 
Puppet Collection 1 repository.


* Puppet 4.2 includes several features and bug fixes, and officially deprecates
   Windows 2003. Release notes here: 
http://docs.puppetlabs.com/puppet/4.2/reference/release_notes.html
* Facter 3, the rewritten C++-based facter, is now the baseline Facter
   implementation. Read more here: 
https://puppetlabs.com/blog/speeding-up-puppet-on-windows
* Hiera 3 is included, which contains a change to the default
   hierarchy and datadir location. This is technically a semver break, so it's
   a new major version. The gory details: 
http://docs.puppetlabs.com/hiera/3.0/release_notes.html

Get installation instructions and read about Puppet Collections, our 
Linux-distribution-style repositories for Puppet related projects, here: 
https://puppetlabs.com/blog/welcome-puppet-collections


Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

Re: [Puppet Users] Open Source 4.0 version identifier vs. very different rpm and dpkg package versions

[Eric Sorenson]

On Mon, 22 Jun 2015, Jason Slagle wrote:

On 6/22/15, 3:08 PM, Vince Skahan vinceska...@gmail.com wrote:


On Thursday, June 18, 2015 at 4:18:37 PM UTC-7, Ken Bowley wrote:

This is better than what is currently being used, but I'm strongly in the AIO
idea to be stupid.  Split it into multiple packages and use proper
dependencies like every other sane packaging system has done for a long, long
time.

If all you do is bump the version of facter, then only have me download and
install the meta package that depends on the new facter, and the new facter
package, not everything.


Agree.   Thought I'd chime in (late) as the original poster.

Versioning starting with 4.x is a good start, but I still think your AIO
approach is wrong.

Have collector rpms that 'require' the pieces of the puzzle and package
hiera/etc. in individually bundled standalone packages.  If you do that:
* you can keep versioning facter to 2.x.y if you want
* you can keep versioning puppetserver any way you want
* and just version the collection (bundle, pick a term) with the 4.x.x
identifier you want to publicize as release-4.x.x


If all anybody had to deal with were $osfamily==redhat systems, I feel pretty 
certain this is exactly what we'd do. But it's just not. Just to start from 
first principles, the primary goals of the packaging project were:


- unify the agent across open-source and PE so testing, delivery, and upgrades
  are as smooth as possible
- provide a consistently great out-of-the-box experience so you can get fresh
  Puppet versions with batteries included on any supported OS

I love metapackages too, but short of porting yum to Windows, Mac OS X, and 
Solaris I don't see how they meet those requirements.



To update the client, 'yum update puppet' and have it update the sub-pieces it
needs (hiera/mco/etc.)


So this happens today, it's just in all in one package :)


To update the server, 'yum update puppetserver' and have it do the server
piece.


And this is actually what happens today.


Lastly, if it's me, I would not bundle the agent/client stuff 'in' the
puppetserver package.  I would 'require' the client-stuff to be co-installed
with the server stuff using the packaging mechanisms the os providers already
give you.


This is also what happens today; there is no agent stuff in the puppetserver 
package.


(in other words, release 'empty' rpms that require x and y and z - works 
great if you don't cause dependency hell by getting too fancy)



FWIW, +1 from me too.  It seems like a lot of places that do packaging like
this end up doing it this way.


Fair enough.


If I¹m only doing a security update to facter, I shouldn¹t have to replace a
gigantic bundle with whatever else it pulls In.  I can see you release
management people hating this later, as well as security teams.


So the puppet-agent package is 17 megabytes on EL7, so gigantic is a bit of 
an overstatement here. Agreed that the release pipeline is more complicated, 
and I can definitely understand the desire to just update the one thing that 
needs a bugfix.



I suspect this confusion will hinder deployment ­ the AIO packaging is
certainly in the cons category for us.


I really want to understand this, because it's a big deal. (My life goal at 
this point is to get as many people as possible upgraded to Puppet 4, so 
anything that gets in the way of that is a problem!) There's been a bunch of 
different points in the thread, some of them about the numbering and some 
about the packaging itself; what would reduce the confusion for you?


Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

Re: [Puppet Users] Open Source 4.0 version identifier vs. very different rpm and dpkg package versions

[Eric Sorenson]

On Thu, 7 May 2015, jcf wrote:



I don't think that reflects a firm grasp of the nature of the problem.  The issue is that 
the new thing here is not the thing that the package's version number should 
be describing in the first place.  I don't care about the newness of AIO layout and 
packaging, and I don't expect many others will either.  People don't install Puppet for 
its packaging.  I do care about the versions of various components of the system, but not 
everyone will, and anyway, we have already established that an AIO package's version 
number is not a good vehicle for communicating information about versions of auxilliary 
components.  Focus on what's important.  To your audience.


I am also pretty baffled that this is considered hard, or even a matter for 
debate. Principle of Least Surprise, or just have the contents match the tin.


FWIW I find this argument pretty compelling and would like to advance the
version number of the next release of puppet-agent to '4.something'.

Our current thinking is that this will be a matched to the puppet version, 
with an extra digit on the end of the version number that indicates component 
revisions other than Puppet itself.


So specifically, the next release will be puppet-agent-4.2.0.0; a hypothetical 
rev to include a not-very-hypothetical openssl update would be included in a 
puppet-agent-4.2.0.1 package.


(We can't use the release field as suggested up-thread, because some packaging 
systems don't view numbers not part of the 'version' field to be an upgrade.)


Does that align more closely with the least-surprising thing, to you?

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

[Puppet Users] Re: puppetserver and LDAP terminus

[Eric Sorenson]

Hi Steve, thanks for tracking this down! The LDAP node terminus is a useful 
but pretty cobwebby corner of Puppet (IIRC it predates the existence of the 
External Node Classifier API which is what most sites are using now). So as 
you found its docs do not get a lot of love and there are no acceptance/CI 
tests that cover its use.

I have a couple of comments inline. Our education team ran across this 
issue, which is why I'm replying to a months-old thread. We're tracking it 
in JIRA at https://tickets.puppetlabs.com/browse/SERVER-711

On Tuesday, February 3, 2015 at 2:40:50 PM UTC-8, Steve Huston wrote:

 So, I've spent another day beating on this problem and finally 
 achieved success.  We started with: 

  # puppetserver gem install ruby-ldap 

 Nobody pointed out, either here or in the documentation, that when 
 using puppetserver you have to use jruby-ldap instead.  Once I did 
 that, the gem installed, yay!  But it still didn't work.  When the 
 server attempted to do a lookup it would still report that the search 
 failed, even though tcpdump showed it asking for the CN and getting 
 the right answer. 

 After quite a bit of prodding and help from a colleague I found that 
 jruby-ldap does not have a to_hash method in LDAP::Entry.  This was 
 confirmed by a bit of code and comment at the top of 

 https://github.com/alibby/ldap_authenticated/blob/master/lib/ldap_authenticated.rb
  
 https://www.google.com/url?q=https%3A%2F%2Fgithub.com%2Falibby%2Fldap_authenticated%2Fblob%2Fmaster%2Flib%2Fldap_authenticated.rbsa=Dsntz=1usg=AFQjCNHByxK-zpNHjvHylNOMedsrd7ciBw
  

 I inserted that code into the ruby module, since I would have to 
 manually upgrade that but the puppetserver RPM might get upgraded (and 
 wipe out that change), and got a little further.  Now, however, it 
 failed with another error: Puppet Cannot reassign variable macaddress 
 on node syrinx.astro.princeton.edu 


It seems like the to_hash change would be better off as a patch to the 
upstream module vs a monkey-patch in Puppet. 
 


 On our old server running under passenger, if I look at 
 /var/lib/puppet/yaml/node/syrinx.astro.princeton.edu I see there's 
 both a macaddress and a macAddress, so I realized what's going on 
 - the downcase in that code snippet is causing two facts to appear at 
 once. 


That's not great either :( 


 All in all, this tells me a few things: 

 1) The documentation for using LDAP with the new puppetserver needs to 
 be updated to reflect not only that one must use 'jruby-ldap' (and 
 puppetserver gem install at that) but that the tests listed (running 
 ruby -rpuppet -e 'p Puppet.features.ldap?' and such) are incorrect as 
 they will report 'true' if you have the gem installed through the 
 normal system commands but puppetserver will not see it. 


That's true. Would you be willing to work up a pull request against the 
puppet-docs repo with the things you've learned? The source markdown for 
the guide is here:

https://github.com/puppetlabs/puppet-docs/blob/master/source/guides/ldap_nodes.markdown
 


 2) There needs to be a patch, perhaps somewhere in puppetserver, that 
 makes sure the jruby-ldap LDAP::Entry class has a 'to_hash' method (or 
 code around the necessity of needing it), for example: 

 if RUBY_PLATFORM =~ /^java.*/i 
   class LDAP::Entry 
  def to_hash 
 h = {} 
 get_attributes.each { |a| h[a.to_sym] = self[a] } 
 h[:dn] = [dn] 
 h 
  end 
   end 
 end 


As I said, I think this would be better as an upstream patch to the 
jruby-ldap project, especially since you found another project that had to 
do the same thing.  Carrying individual monkey-patches against upstream 
projects is a practice that rarely ends well in my experience.

 

 3) I discovered when I spun up my VM this morning that puppetserver 
 failed to start because it wanted to create a /var/run/puppet (which 
 it does not appear to actually use thereafter).  Since /var/run is on 
 a tmpfs on RHEL7, and owned by root, yet the puppetserver process runs 
 as user 'puppet', this will fail on every reboot.  Admittedly I'm not 
 running the puppetlabs RPM, but our package maintainer does a very 
 good job of making sure that the scripts and setups are duplicated if 
 he rebuilds something - please correct me if the logic to recreate 
 this directory is included somewhere and I can point it out to him to 
 fix in our repository. 


This one is fixed in Puppet Server 1.0.8 and 2.1.0: 
https://tickets.puppetlabs.com/browse/SERVER-336

--eric0

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/f2cb5d50-7ea5-45a0-9e5e-c117eda82fe3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Announce: Puppet 4.1 and Facter 2.4.4 available!

[Eric Sorenson]

Hi, Puppet 4.1 and Facter 2.4.4 have been released and rolled up into a new 
Puppet Agent All-in-One package (puppet-agent-1.1.0).

Puppet 4.1.0 is a feature release in the Puppet 4 series. This release's main 
focus was improvements to the Puppet language, but it also includes some 
improvements to resource types and a few miscellaneous fixes.
Also notable in this release: we're officially deprecating Rack and 
WEBrick-based Puppet master servers.

You can read the full release notes for Puppet here: 
https://docs.puppetlabs.com/puppet/latest/reference/release_notes.html

Facter 2.4.4 is a bug fix release in the Facter 2.4 series. It also deprecates 
the `--puppet` command line option, since it caused circular load dependencies. 
To run Facter in Puppet's context, you should use the `puppet facts` command 
instead.

The full release notes for Facter are here: 
https://docs.puppetlabs.com/facter/2.4/release_notes.html

You can download the updated puppet-agent-1.1.0 packages by following the 
directions here:

Linux: https://docs.puppetlabs.com/puppet/4.1/reference/install_linux.html
Windows: https://docs.puppetlabs.com/puppet/4.1/reference/install_windows.html

The releases are available as individual files on http://rubygems.org (as gems) 
and http://downloads.puppetlabs.com/ (as tarballs).

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/AC05992E-5300-498F-94BE-598A612DAAEB%40puppetlabs.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Re: check if user exist

[Eric Sorenson]

The canonical way to do this is like this:

http://serverfault.com/questions/350230/how-can-i-have-puppet-only-set-password-when-creating-a-user

There's an open feature request 
here: https://tickets.puppetlabs.com/browse/PUP-1331

Feel free to add yourself as a watcher and add a comment describing your 
use case, those help bugs bubble up to the top.


On Friday, May 8, 2015 at 6:11:22 AM UTC-7, jcbollinger wrote:



 On Thursday, May 7, 2015 at 11:22:43 PM UTC-5, Alfredo De Luca wrote:

 Hi John.
 I am aware that if I say userxx ensure is present will work but what I 
 want is the first time create the user aNd set a default password but then 
 when the user changes it own pass I just wanna check if is present and not 
 resetting the password.


 Then as I said, create and use a custom fact to evaluate the user's 
 existence prior to the catalog request.  Also, consider configuring agents 
 to not apply cached catalogs.

 You could perhaps create a custom provider for the User type, too, to 
 perform the evaluation at the time of application.  That could work to 
 achieve the behavior you describe, but it will probably produce anomolies 
 in the form of reported updates to the affected user(s) that in fact change 
 nothing.


 John




-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/4de5b415-4c14-4eae-9c29-42cdd929e00d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] All-in-One Release Candidates for EL7 available

[Eric Sorenson]

Many of you probably saw this on The Twitternets but I figured I would post 
here as well: There are now release candidate builds of Puppet 4 and 
Puppet-Server 2 available for EL7. The long-form writeup is at 
bit.ly/1FBUJUN or you can jump straight to the installation 
instructions: http://docs.puppetlabs.com/puppet/pre4.0/reference/

Please give it a try!

--eric0


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/a423b7bb-d878-4cde-9a0b-7cc48bf869c8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.