Re: [Puppet Users] Hiera data repetition

2021-02-27 Thread Henrik Lindberg

On 2021-02-27 18:18, Karsten Heymann wrote:

Hi Martin,

regarding your "no lookup" policy, how do you handle for example deep 
merge lookups. They cannot be used with automatic data binding, or am I 
wrong?


Regards
Karsten


You can specify lookup_options per key in the hiera data itself. One of 
the options is if the lookup should be a deep merge or not. This is 
supported for all lookups (automatic or not) and was introduced 
especially to make it possible to do deep merge (and other things) when 
using APL.


Best,
- henrik




On Sat, 27 Feb 2021 at 13:06, Martin Alfke <tux...@gmail.com> wrote:


Hi

 > On 25. Feb 2021, at 11:59, Dmitry Nurislamov <dmnu...@gmail.com> wrote:
 >
 > Hello. Sometimes it is desirable to define Hiera variables for
 > usage in Hiera itself, i.e. variables that won't be looked up from
 > Puppet manifests. We do this to avoid repetition. Here's an example
 > of a variable used only in the file it is defined:
 >
 >     _internal_api_host: 'int.api.example.com'
 >     profile::keepalived::vrrp_script:
 >       ping_internal_api:
 >         script: "curl https://%{lookup('_internal_api_host')}/ping"
 >     profile::nginx::servers:
 >       "%{alias('_internal_api_host')}":
 >         ...
 >
 > Sometimes we also define this kind of variables in one file but
 > do lookups somewhere else:
 >
 > hieradata/project/foo.yaml:
 >     profile::base::network::interfaces:
 >       eth0:
 >         method: 'static'
 >         address: "%{lookup('_INTERNAL_IP')}/24"
 >
 > hieradata/project/foo/foo1.yaml:
 >     _INTERNAL_IP: '10.1.2.3'
 >
 > For us this became an issue. There are no conventions, and
 > therefore no consistency in our quite large hiera. Sometimes we
 > can't even tell whether some variable is looked up from manifests or
 > is "local" for Hiera. For example, the "_INTERNAL_IP" above is named
 > "profile::base::network::intern_ip" in some projects.
 >
 > The question is... Is this a normal practice? How do other folks
 > handle these cases? I couldn't find any information regarding this.
 > Thanks.

This is part of the way how you can implement hiera.
We heavily use the same pattern to avoid duplicate data.
Unluckily there is (yet?) no best practices written down.

Usually we have a pattern that we strictly follow:
- Never set class parameters on module (technical component or
  library module) level. Only set data on profile classes.
- Only do automatic data binding, using profile class namespace on
  hiera data, never do explicit lookups in profile classes.
   - e.g.: profile::base::usermgmt::users: {}
- nested lookups always use short key names, usually prefixed with
  company or department or team short name
   - e.g. company_ldap_pass

This pattern allows us to strictly separate data which are needed
multiple times in hiera.
Using automatic data binding and the name convention on nested
lookups, we can easily identify if data is consumed by a class or
needed hiera internally.

hth,
Martin


 >
 > --
 > You received this message because you are subscribed to the
Google Groups "Puppet Users" group.
 > To unsubscribe from this group and stop receiving emails from it,
send an email to puppet-users+unsubscr...@googlegroups.com
.
 > To view this discussion on the web visit

https://groups.google.com/d/msgid/puppet-users/282b3812-287a-4eb0-a838-591f2c3f925an%40googlegroups.com

.




--

Visit my Blog "Puppet on the Edge"
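
Added example, not part of the thread and not code from Puppet or the posters: a small Ruby linter for the key convention described in Martin's quoted message above (class data only under `profile::`, short prefixed names for Hiera-internal keys, nested lookups only against internal keys). The `company_` prefix, the `lint_hiera` helper and all sample data are constructed assumptions.

```ruby
require 'yaml'

INTERNAL_PREFIX = 'company_' # assumption: the team's agreed short-name prefix
# Matches %{lookup('key')}, %{alias('key')} and %{hiera('key')} interpolations.
INTERPOLATION = /%\{(?:lookup|alias|hiera)\(['"]([^'"]+)['"]\)\}/

# Constructed sample data, modelled on the snippets quoted in the thread.
SAMPLE = {
  'hieradata/project/foo.yaml' => <<~YAML,
    profile::base::network::interfaces:
      eth0:
        method: 'static'
        address: "%{lookup('_INTERNAL_IP')}/24"
    nginx::worker_processes: 4
    profile::nginx::listen: "%{lookup('profile::base::network::intern_ip')}"
  YAML
  'hieradata/project/foo/foo1.yaml' => <<~YAML
    _INTERNAL_IP: '10.1.2.3'
    company_ldap_pass: 'constructed-placeholder'
  YAML
}.freeze

# Yield every string (hash keys and values) nested anywhere under a node.
def each_string(node, &block)
  case node
  when Hash
    node.each do |k, v|
      each_string(k, &block)
      each_string(v, &block)
    end
  when Array then node.each { |v| each_string(v, &block) }
  when String then yield node
  end
end

# files: { path => YAML text }. Returns [path, key, message] triples.
def lint_hiera(files)
  findings = []
  files.each do |path, text|
    data = YAML.safe_load(text) || {}
    # Rule 1 and 3: top-level keys are either profile:: class data
    # or prefixed Hiera-internal keys.
    data.each_key do |raw_key|
      key = raw_key.to_s
      next if key == 'lookup_options'
      if key.include?('::')
        unless key.start_with?('profile::')
          findings << [path, key, 'class data outside profile:: namespace']
        end
      elsif !key.start_with?(INTERNAL_PREFIX)
        findings << [path, key, "internal key lacks #{INTERNAL_PREFIX} prefix"]
      end
    end
    # Rule 2: interpolated (nested) lookups must not target class parameters.
    each_string(data) do |str|
      str.scan(INTERPOLATION).flatten.each do |ref|
        next unless ref.include?('::')
        findings << [path, ref, 'nested lookup of a class-parameter key']
      end
    end
  end
  findings
end

lint_hiera(SAMPLE).each { |f| puts f.join(' | ') } if $PROGRAM_NAME == __FILE__
```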

Re: [Puppet Users] puppetlabs/accounts - separate user list and declaration of users

2020-09-21 Thread Henrik Lindberg

On 2020-09-20 16:31, Devminded wrote:

Hi.

We are using the *puppetlabs/accounts* module to setup user accounts and 
SSH keys but find it lacking.
We are using *Hiera* and have divided users up by role, type of machine 
and region/environment. The issue here is that if a user should exist on 
multiple groups of machines, but not in others, we /have to repeat the 
entire definition;/ password, groups, ssh-key, etc. for every "group" of 
users. Multiple places to change things.

I had expected it to have two concepts:

  * List of account definitions (passwords, ssh-keys, groups, etc)
  * List of accounts to be applied to a target (with the possibility to
override properties)


*Definitions*
accounts::users:
   joe:
     password: '$6..'
     sshkeys:
       - 'ssh-rsa ... j...@corp.com'
   sally:
     password: '$6..'
     sshkeys:
       - 'ssh-rsa ... sa...@corp.com'

*Declare/Apply*
(hieradata/accounts/DBA.yaml)
accounts::user_list:
   joe:
   sally:

(hieradata/accounts/paymentservice.yaml)
accounts::user_list:
   joe:

Is this possible?
Is it possible using Hiera?
What am I missing?



You could do it by having a unique key per user and then referencing 
those in each list. Here is an example:


user::joe:
  name: 'joe'
  password: '$6..'
  sshkeys:
    - 'ssh-rsa ... j...@corp.com'
user::sally:
  name: 'sally'
  password: '$6..'
  sshkeys:
    - 'ssh-rsa ... sa...@corp.com'

# (hieradata/accounts/DBA.yaml)
accounts::user_list:
  - '%{alias("user::joe")}'
  - '%{alias("user::sally")}'

# (hieradata/accounts/paymentservice.yaml)
accounts::user_list:
  - '%{alias("user::joe")}'

When you lookup `accounts::user_list` you will get an array of hashes.
If you instead would prefer one hash with all users where the keys are 
names you could do something like this:


accounts::user_list:
  joe: '%{alias("user::joe")}'
  sally: '%{alias("user::sally")}'

Hope that helps.
- henrik




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] parsejson is removing all back slashes that are returned from puppet task

2020-09-13 Thread Henrik Lindberg

On 2020-09-13 18:40, Raghu Ram Baisani wrote:

Hi

I'm returning a JSON output from the puppet task which is written in 
PowerShell(.ps1) file.

The output returned from the task is a JSON value.
I have a plan in which I'm calling puppet task which is written in 
PowerShell and after getting the result I'm using parsejson function to 
parse the output received inside the plan.

*Example for the JSON returned by task:*
{
     "height":  "5\\11",
     "name":  "Raghuram"
}
after calling parsejson on the above json string I received below object,
{
     "height":  "511",
     "name":  "Raghuram"
}
the slashes are getting removed in the parsed object of  JSON string.
After googling, I used this Link and put three slashes in the input string.

*Input:*
{
     "height":  "5\\\11",
     "name":  "Raghuram"
}
then also  I got the same output with all the slashes removed.
I need any tricks/tips to mitigate this issue.
*Expected Output:*
{
     "height":  "5\11",
     "name":  "Raghuram"
}



The thing with backslash escapes is that it is easy to be tricked by the 
representation the original string is written in, and the representation 
that it is presented in. For example if writing this in Ruby:


   a = "5\\11"

then a will be a string that has the characters 'a', '\', '1', '1' since 
the backslash is escaped it results in one. Now, if this is fed to json 
to be parsed it is thus given "5\11" and since "\1" is not a recognized 
escape sequence it just drops the backslash.


If you use three backslashes, the Ruby string "5\\\11" and parse that as 
JSON the parser gets "5\\11" which to JSON means the desired result of 
"5\11" - HOWEVER, if you look at that result in Ruby it presents that as 
a valid Ruby source string and it displays "5\\11" which may lead you to 
believe that it did not work.


Here is an example:

  irb(main):020:0> JSON.parse('{"foo": "5\\\11"}')["foo"].chars
  => ["5", "\\", "1", "1"]

as you can see the backslash char is shown as a string with two backslashes.

And if you do this:

  irb(main):021:0> a = JSON.parse('{"foo": "5\\\11"}')["foo"].bytes
  => [53, 92, 49, 49]

You see that it indeed only has one backslash char in the resulting string.


Hope this helps you.

Best,
- henrik


Thanks
Raghuram Baisani




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Is "Sensitive" broken?

2020-09-11 Thread Henrik Lindberg

On 2020-09-11 20:52, Josh Cooper wrote:



On Wed, Sep 9, 2020 at 11:16 PM 'Dirk Heinrichs' via Puppet Users 
<puppet-users@googlegroups.com> wrote:


On Wednesday, 09.09.2020, at 08:59 -0700, Josh Cooper wrote:


The issue you're running into is due to the sensitive value being
interpolated:

content => "${foo}\n"

If you reference the Sensitive variable directly, then it will
work as expected:

content => $foo


OK, thanks a lot. But then I'd lose the trailing "\n". 



To interpolate sensitive values, you currently have to unwrap the 
sensitive value, interpolate the value, and then rewrap as sensitive:


$var = Sensitive('a')
$var2 = Sensitive("${var.unwrap}\n")

file { '/tmp/sensitive.txt':
   ensure => file,
   content => $var2
}

And it's also quite counterintuitive, isn't it?


Yes, I agree the current behavior is surprising and not easy to work 
with, which is why I filed PUP-10092 :)


Think "exec", where it's sometimes needed to provide a password as
part of the command. One would have to define $password as String
instead of Sensitive and then wrap the whole command in a
Sensitive() call (as Mattias suggested).


Note the `exec` resource specifically treats the entire 
command/unless/onlyif parameters as sensitive, so those values don't 
accidentally end up in logs and reports. Also note this capability is 
available for any provider by passing `sensitive: true` to 
Puppet::Util::Execution.execute.




This issue and some possible solutions have been discussed in
https://tickets.puppetlabs.com/browse/PUP-10092.
For example, Henrik suggested a `rewrap` function
https://tickets.puppetlabs.com/browse/PUP-10093.


Reg. the solution(s) discussed in there: Wouldn't the addition of a
string concatenation operator (+) solve the problem right away (to
make it content => $foo + "\n")?


That might work, but is a bit magic and may not work if the order is 
reversed (as each type would need to account for concatenation with a 
sensitive):


content => "prefix" + $foo

I'm not sure if it's feasible for puppet to cast the "prefix" string to 
a sensitive so it can be concatenated with foo. Which I think is why 


Puppet does not have string concatenation with `+` since it used to mean
numerical addition if the operands can be converted to numeric. Having + 
mean string concatenation if both operands are strings could be 
introduced in the language since Puppet, since some time back, no longer 
automatically converts numerical strings to numbers.


The implementation would be in the evaluator, and it could treat any 
operation on a Sensitive as an operation on the unwrapped value and with 
a wrap of the result. If that is done it would need to be done to a 
large number of operators


  Sensitive(1) + Sensitive(2) # would yield Sensitive(3)
  Sensitive("foo") + Sensitive("bar") # would yield Sensitive("foobar")

etc... but where should it stop? conditionals and case/selector matches?
Regexp matches etc?

What happens if there is an error when executing an operation on an 
unwrapped value? The code raising the error does not know it was 
sensitive to begin with and could reveal the sensitive value "that was 
wrong" in the eyes of the operation.


For many such reasons, the use of the Sensitive type forces the 
implementor to deal with these things - you unwrapped it, you better not 
spill the secret! And yes, it is a bit cumbersome to do operations on 
sensitive values.


- henrik

Henrik was suggesting the "rewrap" function. That way it's explicit and 
it works regardless of argument order. Also it would handle hashes/arrays.


Josh
--
Josh Cooper | Software Engineer
j...@puppet.com 




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/


Re: [Puppet Users] Puppet Unrecognized escape sequence

2020-09-11 Thread Henrik Lindberg

On 2020-09-11 08:03, alexey@gmail.com wrote:

Hi everyone!
I receive warnings in the logs, I would like to know how I can ignore 
these warnings so that they are not written to the log?
This is a block of code calling the executable file, each time it is 
called, I get 3 entries in the log:
WARN  [qtp1238512464-45] [puppetserver] Puppet Unrecognized escape 
sequence '\8'
WARN  [qtp1238512464-45] [puppetserver] Puppet Unrecognized escape 
sequence '\b'
WARN  [qtp1238512464-45] [puppetserver] Puppet Unrecognized escape 
sequence '\1'




It would be far better if you modified the source and used \\ to denote 
that it is a literal backslash. This is because if you turn off the warning 
(if it can be done at all), you will not know when it is wrong in other 
places.


I know that is not what you wanted to hear...

Best,
- henrik


--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Re: I'm struggling with some node specific heria

2020-08-01 Thread Henrik Lindberg

On 2020-08-01 16:31, Dan Crisp wrote:

Hello Henrik,

Do you have a hunch to why this is not working?


Don't really have the time to dig in at the detail level.
You already got the advice to use the command line 'puppet lookup' with 
--explain option turned on to see how hiera resolves the lookups.

Usually people figure out what is wrong based on that output.

A suggestion is to try out 'puppet lookup --explain' on something you 
know works so you get to understand what the tool is doing for you.


Best of luck,
- henrik



Thanks,
Dan.

On Friday, July 31, 2020 at 7:40:22 PM UTC+1, Henrik Lindberg wrote:

On 2020-07-31 19:41, A Manzer wrote:
 > Did you update site.pp to use the include syntax?

That is not needed to make automatic parameter lookup work.

- henrik

-- 


Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Re: I'm struggling with some node specific heria

2020-07-31 Thread Henrik Lindberg

On 2020-07-31 19:41, A Manzer wrote:

Did you update site.pp to use the include syntax?


That is not needed to make automatic parameter lookup work.

- henrik

--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] reversing the processing sequence of hiera data

2020-07-15 Thread Henrik Lindberg

On 2020-07-14 20:49, 'Frank Ihringer' via Puppet Users wrote:

Hi Henrik (yeah, I took my time, but I was otherwise stressed)

good idea and I have tested the 'reverse_each' already, but it seems 
that everything is reversed (including the sub levels) and therefore the 
hiera data does not make sense anymore after reverting. It would only 
make sense if it could be limited to the top level of the hierarchy. I 
have solved it now in such a way that I have manually reversed the order 
of the aws objects (which is unfortunately error-prone, since every time 
a change must be made here too)





The reverse_each function only iterates over the top level (and in 
reverse) so it is impossible that it inverts everything that is nested.


- henrik



Best regards

Frank

On Monday, 22 June 2020 at 15:41:56 UTC+2, Henrik Lindberg wrote:

On 2020-06-16 13:56, 'Frank Ihringer' via Puppet Users wrote:
 > hello
 > I'm just taking my first steps with puppet and aws (puppetlabs/aws
 > module). Setting up resources (controlled by hiera)  works fine (using
 > .each loop). But if I want to delete the resources afterwards (with
 > absent) I get dependency errors (which is obvious, because the resources
 > are processed in the same order). I have to do it resource by resource
 > from the end of the list. Is there a simple way to reverse the
 > processing order (last hiera aws object first) ???
 >
 > I'm hoping someone here can give me an advice ...

There is a `reverse_each()` function in puppet. Is that what you are
looking for ?

- henrik
 >
 > (btw: I'm working with puppet 6)
 >
 > Best regards
 >
 > Frank
 >






--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Question about Deferred functions

2020-07-07 Thread Henrik Lindberg

On 2020-07-03 14:09, Vincent Lamers wrote:

Hi All,


as I understood a Deferred function is invoked as the first part of 
enforcing a catalog.


I have a deferred function which depends on the results of a certain 
resource. So I have to make sure the resource is applied before the 
deferred function is executed.

Unfortunately a require function doesn't solve this.

How do I accomplish that?


You cannot do this with Deferred functions. All deferred functions are 
evaluated in undefined order before the catalog is applied. Resources 
are applied after this.


You can view it as an extension of the compilation of the catalog - only 
deferred and taking place on the agent side.


If you cannot solve this with exec resources you may need to implement 
your own resource type.


Best,
- henrik



regards,
Vincent Lamers




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] reversing the processing sequence of hiera data

2020-06-22 Thread Henrik Lindberg

On 2020-06-16 13:56, 'Frank Ihringer' via Puppet Users wrote:

hello
I'm just taking my first steps with puppet and aws (puppetlabs/aws 
module). Setting up resources (controlled by hiera)  works fine (using 
.each loop). But if I want to delete the resources afterwards (with 
absent) I get dependency errors (which is obvious, because the resources 
are processed in the same order). I have to do it resource by resource 
from the end of the list. Is there a simple way to reverse the 
processing order (last hiera aws object first) ???


I'm hoping someone here can give me an advice ...


There is a `reverse_each()` function in puppet. Is that what you are 
looking for ?


- henrik


(btw: I'm working with puppet 6)

Best regards

Frank




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Array shuffle

2020-06-11 Thread Henrik Lindberg



There are a couple of ways to achieve this.

You can write a shuffle function in Ruby, take a copy of the input array 
and return a shuffled copy using Fisher-Yates algorithm.


Or write in Puppet using random numbers and sorting.

Create an array of equal length of the original, containing tuples of 
value and a *unique* random number. This array is then sorted on the 
random value. Here is how that can be done:



function shuffle($original) {
  generate_unique_random(size($original))
    .map() |$i, $random | { [$random, $original[$i]] }
    .sort() |$a, $b| { compare($a[0], $b[0]) }
    .map() |$pair| { $pair[1] }
}

['blue', 'red', 'green'].shuffle.notice()


Now you need to write the unique random function. This is a bit 
difficult in puppet as there is no unbound iteration (worst case you 
could have a very long series of exactly the same value). What you can 
do however is generate more values (with a wide spread), unique them and 
then slice them to the desired size. Here I multiply by 3 and spread 
result over 10.


function generate_unique_random($size) {
  ($size * 3).map |$seed| {
    fqdn_rand(10 * $size, $seed)
  }
  .unique()[0, $size]
}

Output from the above:

  Notice: Scope(Class[main]): [red, blue, green]

The shuffle is stable per node (you always get the same result).

Hope that helps
- henrik

On 2020-06-10 13:12, Albert Shih wrote:

Hi everyone

I try to do a very simple shuffle in an array but I need the shuffle to be
repeatable like fqdn_rand.

In any other language it seems very simple to do a Fisher-Yates but only
with map/reduce like I cannot figure out how to do that.

Regards.

--
Albert SHIH
Observatoire de Paris
Heure local/Local time:
Wed 10 Jun 2020 01:07:12 PM CEST




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/
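
Added example, not part of the thread and not Henrik's or Puppet's code: the Ruby route mentioned in the reply above, as a Fisher-Yates shuffle on a copy of the array that is driven by a PRNG seeded from the node name, so each node always gets the same order. It is plain Ruby rather than a packaged Puppet function; `node_seed`, `stable_shuffle`, the salt parameter and the host names are assumptions made for illustration.

```ruby
require 'digest'

# Derive a stable integer seed from the node name and an optional salt.
# The salt lets two different lists on the same node get different orders.
def node_seed(fqdn, salt = '')
  Digest::SHA256.hexdigest("#{fqdn}:#{salt}").to_i(16)
end

# Fisher-Yates shuffle. Works on a copy, so the caller's array is untouched.
# Walks from the last index down to 1 and swaps each element with a
# uniformly chosen element at or before it.
def stable_shuffle(items, fqdn, salt = '')
  rng = Random.new(node_seed(fqdn, salt))
  result = items.dup
  (result.length - 1).downto(1) do |i|
    j = rng.rand(i + 1) # 0 <= j <= i
    result[i], result[j] = result[j], result[i]
  end
  result
end

if $PROGRAM_NAME == __FILE__
  colors = %w[blue red green yellow] # constructed sample input
  %w[web01.example.com web02.example.com].each do |host|
    puts "#{host}: #{stable_shuffle(colors, host).inspect}"
  end
end
```

The order is predictable to anyone who knows the node name and salt, which is the point for repeatable runs; it is not suitable where the order itself must stay secret.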



Re: [Puppet Users] puppet catalog security?

2020-03-28 Thread Henrik Lindberg

On 2020-03-28 16:23, Matt Zagrabelny wrote:



On Sat, Mar 28, 2020 at 10:05 AM Henrik Lindberg 
<henrik.lindb...@puppet.com> wrote:


On 2020-03-28 14:36, Matt Zagrabelny wrote:
 >
 >
 > On Sat, Mar 28, 2020 at 7:31 AM Henrik Lindberg
 > <henrik.lindb...@puppet.com> wrote:
 >
 >     On 2020-03-28 02:42, Matt Zagrabelny wrote:
 >      > Greetings,
 >      >
 >      > Suppose I have a class foo that host A gets via its catalog. Suppose
 >      > host B does not have foo in its catalog. Can host B do anything
 >      > malicious to obtain the sensitive data in foo?
 >      >
 >      > My puppet master is using an ENC to generate the classification of each
 >      > host and then a roles + profiles design pattern and hiera for specific data.
 >      >
 >      > Thanks for any hints or answers!
 >      >
 >
 >     It is important that your server side logic uses $trusted when
 >     classifying on node since other facts cannot be trusted.
 >
 >     If B is compromised a malicious user could spoof facts in a request and
 >     pretend to be A. It cannot however spoof the certificate - and it
 >     contains the information that is in $trusted.
 >
 >
 > Hey Henrik,
 >
 > Thanks for the reply!
 >
 > Suppose I don't use any facts for classification, but only the ENC
 > assigns a role to the node via its fqdn.
 >

You want the fqdn that is in $trusted - the "regular" fqdn can be
spoofed.


The ENC gets the fqdn on the command line. I'd presume this is trusted 
from the certificate since communication between the master and client 
is predicated on the SSL.


The ENC then "assigns" a class to A.

Is there anything B can do to get module foo added to its catalog if 
only the ENC adds module foo to node's catalogs?




I suppose ENC gets the trusted fqdn, but I don't know.

There is nothing B can do on its own. You naturally have to review your 
puppet code so B cannot simply set a fact and the logic would use that 
to include logic you don't want on B.


- henrik


Thanks,

-m




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] puppet catalog security?

2020-03-28 Thread Henrik Lindberg

On 2020-03-28 14:36, Matt Zagrabelny wrote:



On Sat, Mar 28, 2020 at 7:31 AM Henrik Lindberg 
<henrik.lindb...@puppet.com> wrote:


On 2020-03-28 02:42, Matt Zagrabelny wrote:
 > Greetings,
 >
 > Suppose I have a class foo that host A gets via its catalog. Suppose
 > host B does not have foo in its catalog. Can host B do anything
 > malicious to obtain the sensitive data in foo?
 >
 > My puppet master is using an ENC to generate the classification of each
 > host and then a roles + profiles design pattern and hiera for specific data.
 >
 > Thanks for any hints or answers!
 >

It is important that your server side logic uses $trusted when
classifying on node since other facts cannot be trusted.

If B is compromised a malicious user could spoof facts in a request and
pretend to be A. It cannot however spoof the certificate - and it
contains the information that is in $trusted.


Hey Henrik,

Thanks for the reply!

Suppose I don't use any facts for classification, but only the ENC 
assigns a role to the node via its fqdn.




You want the fqdn that is in $trusted - the "regular" fqdn can be spoofed.

- henrik


Class foo which comes through the role and profiles via the ENC has 
sensitive files in its "modules/foo/files/" path.


Can B obtain those files if B is not classified to have foo in its catalog?

Thank you for the help!

-m




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] puppet catalog security?

2020-03-28 Thread Henrik Lindberg

On 2020-03-28 02:42, Matt Zagrabelny wrote:

Greetings,

Suppose I have a class foo that host A gets via its catalog. Suppose 
host B does not have foo in its catalog. Can host B do anything 
malicious to obtain the sensitive data in foo?


My puppet master is using an ENC to generate the classification of each 
host and then a roles + profiles design pattern and hiera for specific data.


Thanks for any hints or answers!



It is important that your server side logic uses $trusted when 
classifying on node since other facts cannot be trusted.


If B is compromised a malicious user could spoof facts in a request and 
pretend to be A. It cannot however spoof the certificate - and it 
contains the information that is in $trusted.


- henrik


-m




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/
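
The point made in the two replies above, as an added example (not from the thread and not Puppet's own code): a small Ruby model of a catalog request in which host B reports A's name in its facts, classified once by a fact and once by the certificate name. `Request`, `ROLES`, the host names and the simplified `%{...}` interpolation are constructed for illustration.

```ruby
# Constructed model of one catalog request; not Puppet's implementation.
#   certname: read by the server from the verified client certificate
#             (the source of $trusted).
#   facts:    sent by the agent with the request, so the agent picks every value.
Request = Struct.new(:certname, :facts)

# Constructed inventory: the role an ENC would assign to each node name.
ROLES = {
  'a.example.com' => 'role::foo',   # role::foo pulls in the sensitive class foo
  'b.example.com' => 'role::base'
}.freeze

# Variables visible during compilation. The trusted hash is derived from the
# certificate only; hostname and domain are split out of the certname.
def scope_for(req)
  host, domain = req.certname.split('.', 2)
  {
    'trusted' => { 'certname' => req.certname, 'hostname' => host, 'domain' => domain },
    'facts'   => req.facts
  }
end

# Simplified Hiera-style interpolation: replace each %{a.b.c} token with the
# value found by walking the scope; a missing value becomes an empty string.
def interpolate(template, scope)
  template.gsub(/%\{([^}]+)\}/) do
    keys = Regexp.last_match(1).split('.')
    keys.reduce(scope) { |node, key| node.is_a?(Hash) ? node[key] : nil }.to_s
  end
end

# Role chosen by looking up the value of one variable in the inventory.
def role_for(req, variable)
  ROLES.fetch(interpolate("%{#{variable}}", scope_for(req)), 'role::base')
end

# Worth logging where certnames are FQDNs (an assumption of this example):
# the agent reports a name that differs from the one in its certificate.
def name_mismatch?(req)
  req.facts.dig('networking', 'fqdn') != req.certname
end

# Host B, first honest, then compromised and reporting A's name as a fact.
HONEST_B   = Request.new('b.example.com', { 'networking' => { 'fqdn' => 'b.example.com' } })
SPOOFING_B = Request.new('b.example.com', { 'networking' => { 'fqdn' => 'a.example.com' } })

[HONEST_B, SPOOFING_B].each do |req|
  scope = scope_for(req)
  puts "fact-keyed:    #{role_for(req, 'facts.networking.fqdn')}  " \
       "#{interpolate('nodes/%{facts.networking.fqdn}.yaml', scope)}"
  puts "trusted-keyed: #{role_for(req, 'trusted.certname')}  " \
       "#{interpolate('nodes/%{trusted.certname}.yaml', scope)}"
  puts "name mismatch: #{name_mismatch?(req)}"
end
```

Only the fact-keyed lookups change when B alters its facts; the role and the per-node data path keyed on `trusted.certname` stay bound to B's certificate.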



Re: [Puppet Users] Access variable defined in each {}

2020-03-19 Thread Henrik Lindberg

On 2020-03-19 22:11, Helmut Schneider wrote:

Hi,

class abc {
   keys($netconfig['interfaces']).each |String $interface| {
     if $netconfig['interfaces'][$interface]['ip6'] {
       $myvariable = 'yes'
       break()
     }
   }

   if $myvariable == 'yes' {
     do something
   }
}

How can I access $myvariable?



You cannot access local variables from outside a lambda using the each 
function - its contract is to return the input to allow chaining. What 
you are actually doing is reducing a collection of interfaces to a 
single value - which you can do with the reduce() function. In this 
particular case it seems much simpler as you are really asking if
there is any interface that has something that is true for 'ip6' - you 
can therefore use the `any()` function.


Perhaps something like this:

if $netconfig['interfaces'].any() |$k, $v| { $v['ip6'] =~ NotUndef } {
  # do something
}

No need for a variable or anything - if you do need one do this:

$myvariable = $netconfig['interfaces'].any() |$k, $v| {
  $v['ip6'] =~ NotUndef
}

if $myvariable {
  # do something
}

- henrik



--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Nested interpolation

2020-03-13 Thread Henrik Lindberg

On 2020-03-13 10:45, Helmut Schneider wrote:

Hi,

I'm using something like this:

netconfig:
   hostname:    'BSDHelmut'
   interfaces:
     "%{facts.networking.primary}":
       ip4:      &ip4   '192.168.124.35'
       cidr4:    &cidr4 '192.168.124.35/24'
       ip4aliases:
         - '192.168.124.36/32'
       ip6:      &ip6   'DHCP'

Can I either do something like

- "%{lookup('netconfig.interfaces.%{facts.networking.primary}.ip4.helmut')}"

- "text*{ip4}text"

Thank you!


No, you cannot do nested interpolations in hiera directly like that.

You would need to write your own hiera backend function to do that kind 
of combined lookup. It is easier than it sounds.


An alternative to using your own is to use this function as a backend:
https://github.com/hlindberg/tahu/blob/master/lib/puppet/functions/tahu/ppyaml_key.rb

It allows you to write snippets of Puppet Language logic in your data 
files - thus you can do puppet language interpolation and lookup the 
result as a key.


- henrik

--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Knocking out values

2020-03-09 Thread Henrik Lindberg

On 2020-03-07 17:53, Helmut Schneider wrote:

Hi,

using Puppet 5.5 and Hiera 3.4.6:

common.yaml:
profiles:
   webserver:
     apache:
       server:
         modules:
           enable:
             - mpm_event
             - status

host.yaml:
profiles:
   webserver:
     apache:
       server:
         modules:
           enable:
             - headers
             - include
             - mpm_prefork
             - ssl
             - --mpm_event

config.pp
   $profiles = lookup({
     "name" => "profiles",
     "merge" => {
       "strategy" => "deep",
       "knockout_prefix" => "--",
     },
     "default_value" => [],
   })

Notice: {"enable"=>["mpm_event", "status", "headers", "include", "mpm_prefork", "ssl"]}
Notice: /Stage[main]/My_apache::Config/Notify[apacheCfg/modules]/message: defined 'message' as {
   'enable' => ['mpm_event', 'status', 'headers', 'include', 'mpm_prefork', 'ssl']
}

Why isn't mpm_event being removed?



You are running into this: https://tickets.puppetlabs.com/browse/PUP-7428

- henrik

---
Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Questions reg. Hiera v3 to v5 migration

2020-03-03 Thread Henrik Lindberg

On 2020-03-03 11:17, Dirk Heinrichs wrote:

Hi,

while reading through the documentation about migrating to Hiera v5, the 
following questions came to my mind:


  * Can /hiera.yaml be a symlink? Our setup is as such that
each subdirectory (modules, manifests, hiera) of each environment is
a clone of a Git repository, with different branches checked out.
That means that in order to be able to enable per-environment
hierarchies, I'd need to put hiera.yaml into the hiera repository.


I think it should work with a symlink. Report as an issue if it doesn't.


  * Does the eyaml backend NEED to have the path(s) specified? In our
    current (v3) setup, we configure eyaml globally and then simply mix
    encrypted and unencrypted values in the files given in the
    hierarchy. As I understand the documentation, the eyaml backend now
    has its own hierarchy. Is this correct?



It does not have its own hierarchy. You can set up a default data 
provider and that can be the eyaml one as it supports both clear text 
and encrypted yaml content. You will need to repeat the default in each 
of the hiera.yaml files as I don't think the defaults carry over from 
global to env to module hiera.yaml configurations.


Hope that helps.
- henrik



Thanks...

Dirk


--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Hiera Setup Lookup Complaining

2020-02-26 Thread Henrik Lindberg

On 2020-02-25 16:51, Dan Crisp wrote:

This is what I have:

---
sshdconfig:
   match_address: "xx.xx.xx.xx"
   permit_root_login: without-password

YAML Lint validates the YAML ok.

However, it doesn't matter what I put in this file (non-YAML or a bunch 
of random characters); the result is the same, so I suspect it's not 
being read.  How can I confirm that the file is actually being read 
rather than simply successfully displayed in the lookup output?


Check permissions on files, it may be silently skipping files that 
cannot be read.

- henrik



On Tuesday, February 25, 2020 at 12:58:02 PM UTC, Henrik Lindberg wrote:

On 2020-02-25 13:42, Dan Crisp wrote:
 > I included the --compile option.  Now (not sure whether as a result of
 > use --option) I can see
 > /etc/puppetlabs/code/environments/production/data/nodes/nodename.domain.com.yaml
 > in the output:
 >

Probably because you got a run done by the agent?
Anyway - first step, make sure you see the expected paths being read.
Then, for the file where you expect the key to be found and produce a
value, do check the content of that file - is it valid yaml, is it
representing what you think it represents?

best,
- henrik


 > Searching for "lookup_options"
 >    Global Data Provider (hiera configuration version 5)
 >      No such key: "lookup_options"
 >    Environment Data Provider (hiera configuration version 5)
 >      Using configuration "/etc/puppetlabs/code/environments/production/hiera.yaml"
 >      Merge strategy hash
 >        Hierarchy entry "Per-node data"
 >          Path "/etc/puppetlabs/code/environments/production/data/nodes/nodename.fixnetix.com.yaml"
 >            Original path: "nodes/%{trusted.certname}.yaml"
 >            No such key: "lookup_options"
 >        Hierarchy entry "Per-OS defaults"
 >          Path "/etc/puppetlabs/code/environments/production/data/os/RedHat.yaml"
 >            Original path: "os/%{facts.os.family}.yaml"
 >            Path not found
 >        Hierarchy entry "Common data"
 >          Path "/etc/puppetlabs/code/environments/production/data/common.yaml"
 >            Original path: "common.yaml"
 >            Path not found
 > Searching for "match_address"
 >    Global Data Provider (hiera configuration version 5)
 >      No such key: "match_address"
 >    Environment Data Provider (hiera configuration version 5)
 >      Using configuration "/etc/puppetlabs/code/environments/production/hiera.yaml"
 >      Hierarchy entry "Per-node data"
 >        Path "/etc/puppetlabs/code/environments/production/data/nodes/lhcsrvmtrrsl01.fixnetix.com.yaml"
 >          Original path: "nodes/%{trusted.certname}.yaml"
 >          No such key: "match_address"
 >      Hierarchy entry "Per-OS defaults"
 >        Path "/etc/puppetlabs/code/environments/production/data/os/RedHat.yaml"
 >          Original path: "os/%{facts.os.family}.yaml"
 >          Path not found
 >      Hierarchy entry "Common data"
 >        Path "/etc/puppetlabs/code/environments/production/data/common.yaml"
 >          Original path: "common.yaml"
 >          Path not found
 > Function lookup() did not find a value for the name 'match_address'
 >
 > Still no luck finding the requested value though.
 >
 > Thanks,
 > Dan.
 >
 > On Monday, February 24, 2020 at 7:13:25 PM UTC, Henrik Lindberg wrote:
 >
 >     Dan Crisp wrote:
 >      >  environment/production/data/nodes/nodename.domain.com.yaml
 >     As you can see in the output - the hiera path expanded to:
 >
 >         Path "/etc/puppetlabs/code/environments/production/data/nodes/.yaml"
 >
 >     Meaning that trusted.certname was empty. It would be empty if the node
 >     "nodename.domain.com" never checked in with the puppet server to deposit
 >     any facts. It will do that on its first agent run though.
 >
 >     Meanwhile you have to supply your own facts (and trusted) to do lookups
 >     as it will be done when the node later requests a catalog. Look at the
 >     help for the various flags to the lookup command to learn how t

Re: [Puppet Users] Hiera Setup Lookup Complaining

2020-02-25 Thread Henrik Lindberg

On 2020-02-25 13:42, Dan Crisp wrote:
I included the --compile option.  Now (not sure whether as a result of 
use --option) I can see 
/etc/puppetlabs/code/environments/production/data/nodes/nodename.domain.com.yaml 
in the output:




Probably because you got a run done by the agent?
Anyway - first step, make sure you see the expected paths being read.
Then, for the file where you expect the key to be found and produce a 
value, do check the content of that file - is it valid yaml, is it 
representing what you think it represents?


best,
- henrik



Searching for "lookup_options"
   Global Data Provider (hiera configuration version 5)
     No such key: "lookup_options"
   Environment Data Provider (hiera configuration version 5)
     Using configuration "/etc/puppetlabs/code/environments/production/hiera.yaml"
     Merge strategy hash
       Hierarchy entry "Per-node data"
         Path "/etc/puppetlabs/code/environments/production/data/nodes/nodename.fixnetix.com.yaml"
           Original path: "nodes/%{trusted.certname}.yaml"
           No such key: "lookup_options"
       Hierarchy entry "Per-OS defaults"
         Path "/etc/puppetlabs/code/environments/production/data/os/RedHat.yaml"
           Original path: "os/%{facts.os.family}.yaml"
           Path not found
       Hierarchy entry "Common data"
         Path "/etc/puppetlabs/code/environments/production/data/common.yaml"
           Original path: "common.yaml"
           Path not found
Searching for "match_address"
   Global Data Provider (hiera configuration version 5)
     No such key: "match_address"
   Environment Data Provider (hiera configuration version 5)
     Using configuration "/etc/puppetlabs/code/environments/production/hiera.yaml"
     Hierarchy entry "Per-node data"
       Path "/etc/puppetlabs/code/environments/production/data/nodes/lhcsrvmtrrsl01.fixnetix.com.yaml"
         Original path: "nodes/%{trusted.certname}.yaml"
         No such key: "match_address"
     Hierarchy entry "Per-OS defaults"
       Path "/etc/puppetlabs/code/environments/production/data/os/RedHat.yaml"
         Original path: "os/%{facts.os.family}.yaml"
         Path not found
     Hierarchy entry "Common data"
       Path "/etc/puppetlabs/code/environments/production/data/common.yaml"
         Original path: "common.yaml"
         Path not found
Function lookup() did not find a value for the name 'match_address'

Still no luck finding the requested value though.

Thanks,
Dan.

On Monday, February 24, 2020 at 7:13:25 PM UTC, Henrik Lindberg wrote:

Dan Crisp wrote:
 >  environment/production/data/nodes/nodename.domain.com.yaml
As you can see in the output - the hiera path expanded to:

    Path "/etc/puppetlabs/code/environments/production/data/nodes/.yaml"

Meaning that trusted.certname was empty. It would be empty if the node
"nodename.domain.com" never checked in with the puppet server to deposit
any facts. It will do that on its first agent run though.

Meanwhile you have to supply your own facts (and trusted) to do lookups
as it will be done when the node later requests a catalog. Look at the
help for the various flags to the lookup command to learn how to give it
values for facts and trusted information.

- henrik





--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Hiera Setup Lookup Complaining

2020-02-24 Thread Henrik Lindberg

Dan Crisp wrote:
 environment/production/data/nodes/nodename.domain.com.yaml 

As you can see in the output - the hiera path expanded to:

  Path "/etc/puppetlabs/code/environments/production/data/nodes/.yaml"

Meaning that trusted.certname was empty. It would be empty if the node 
"nodename.domain.com" never checked in with the puppet server to deposit 
any facts. It will do that on its first agent run though.


Meanwhile you have to supply your own facts (and trusted) to do lookups 
as it will be done when the node later requests a catalog. Look at the 
help for the various flags to the lookup command to learn how to give it 
values for facts and trusted information.

- henrik


--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Hiera Setup Lookup Complaining

2020-02-24 Thread Henrik Lindberg

On 2020-02-24 17:06, Dan Crisp wrote:

Hello all,

Struggling to get started with Hiera (all new to me):



First glance that looks ok, as you can see it is not finding your key in
any of the resulting paths. From where (which data file) was it supposed 
to find the key you looked up?


Best,
- henrik



# more /etc/puppetlabs/puppet/hiera.yaml
---
# Hiera 5 Global configuration file

version: 5

# defaults:
#   data_hash: yaml_data
# hierarchy:
#  - name: Common
#    data_hash: yaml_data
hierarchy: []

# more environments/production/hiera.yaml
---
version: 5
defaults:
   # The default value for "datadir" is "data" under the same directory as the hiera.yaml
   # file (this file)
   # When specifying a datadir, make sure the directory exists.
   # See https://puppet.com/docs/puppet/latest/environments_about.html for further details on environments.
   datadir: data
   data_hash: yaml_data
hierarchy:
   - name: "Per-node data"                   # Human-readable name.
     path: "nodes/%{trusted.certname}.yaml"  # File path, relative to datadir.


   - name: "Per-OS defaults"
     path: "os/%{facts.os.family}.yaml"

   - name: "Common data"
     path: "common.yaml"

# more environment/production/data/nodes/nodename.domain.com.yaml
---
sshdconfig:
   match_address: "xx.xx.xx.xx"
   permit_root_login: without-password


I don't have many modules:

# puppet module list
Warning: Module 'puppetlabs-stdlib' (v6.1.0) fails to meet some dependencies:
   'saz-timezone' (v5.1.1) requires 'puppetlabs-stdlib' (>=2.6.0 < 6.0.0)
Warning: Missing dependency 'stm-debconf':
   'saz-timezone' (v5.1.1) requires 'stm-debconf' (>= 2.0.0 < 3.0.0)
/etc/puppetlabs/code/environments/production/modules
├── fixnetix-base (v0.1.0)
├── puppet-selinux (v3.0.0)
├── puppetlabs-stdlib (v6.1.0)
└── saz-timezone (v5.1.1)
/etc/puppetlabs/code/modules (no modules installed)
/opt/puppetlabs/puppet/modules (no modules installed)

# ls environments/production/modules/base/
appveyor.yml  CHANGELOG.md  data  examples  files  Gemfile  
Gemfile.lock  hiera.yaml  manifests  metadata.json  Rakefile  README.md  
spec  tasks  templates


The module's hiera.yaml is as follows:

# cat environments/production/modules/base/hiera.yaml
---
version: 5

defaults:  # Used for any hierarchy level that omits these keys.
   datadir: data         # This path is relative to hiera.yaml's directory.
   data_hash: yaml_data  # Use the built-in YAML backend.

hierarchy:
   - name: "osfamily/major release"
     paths:
       - "os/%{facts.os.family}/%{facts.os.release.major}.yaml"
         # Used for Solaris
       - "os/%{facts.os.family}/%{facts.kernelrelease}.yaml"
         # Used to distinguish between Debian and Ubuntu
       - "os/%{facts.os.name}/%{facts.os.release.major}.yaml"
   - name: "nodes"
       - "nodes/%{trusted.certname}.yaml"
   - name: "osfamily"
     paths:
       - "os/%{facts.os.family}.yaml"
       - "os/%{facts.os.name}.yaml"
   - name: 'common'
     path: 'common.yaml'

I get following returned when I lookup:

# puppet lookup match_address --node nodename.domain.com.yaml --explain

Searching for "lookup_options"
   Global Data Provider (hiera configuration version 5)
     No such key: "lookup_options"
   Environment Data Provider (hiera configuration version 5)
     Using configuration "/etc/puppetlabs/code/environments/production/hiera.yaml"
     Merge strategy hash
       Hierarchy entry "Per-node data"
         Path "/etc/puppetlabs/code/environments/production/data/nodes/.yaml"
           Original path: "nodes/%{trusted.certname}.yaml"
           Path not found
       Hierarchy entry "Per-OS defaults"
         Path "/etc/puppetlabs/code/environments/production/data/os/.yaml"
           Original path: "os/%{facts.os.family}.yaml"
           Path not found
       Hierarchy entry "Common data"
         Path "/etc/puppetlabs/code/environments/production/data/common.yaml"
           Original path: "common.yaml"
           Path not found
Searching for "match_address"
   Global Data Provider (hiera configuration version 5)
     No such key: "match_address"
   Environment Data Provider (hiera configuration version 5)
     Using configuration "/etc/puppetlabs/code/environments/production/hiera.yaml"
     Hierarchy entry "Per-node data"
       Path "/etc/puppetlabs/code/environments/production/data/nodes/.yaml"
         Original path: "nodes/%{trusted.certname}.yaml"
         Path not found
     Hierarchy entry "Per-OS defaults"
       Path "/etc/puppetlabs/code/environments/production/data/os/.yaml"
         Original path: "os/%{facts.os.family}.yaml"
         Path not found
     Hierarchy entry "Common data"
       Path "/etc/puppetlabs/code/environments/production/data/common.yaml"
         Original path: "common.yaml"
         Path not found
Function lookup() did not find a value for the name 'match_address'


Re: [Puppet Users] Could not find data item in any Hiera data file

2020-02-05 Thread Henrik Lindberg
You can try using the lookup CLI tool with --explain turned on to get 
detailed information about exactly what hiera is reading and what 
decisions it is making when producing a value (or not finding anything).


You can also get that level of detail in your logs by running the server
with --debug turned on.

Armed with that information you should be able to see where hiera is 
doing something you did not expect.


Best,
- henrik

On 2020-02-04 20:33, Sudhir R wrote:



Hi Team, I am experiencing an issue when executing the command below on the 
puppet server; can you please assist me in debugging the issue?

1.) I execute this command on the puppet master server
=> puppet master --debug --compile sc-prd-scm-perforce001.eng.are.com
Error: Could not find data item scm_liagent.ini.erb in any Hiera data file and no default supplied at /etc/puppet/environments/production/modules/li_agent/manifests/config.pp:13 on node sc-prd-scm-perforce001.eng.are.com
Error: Could not find data item scm_liagent.ini.erb in any Hiera data file and no default supplied at /etc/puppet/environments/production/modules/li_agent/manifests/config.pp:13 on node sc-prd-scm-perforce001.eng.are.com
Error: Failed to compile catalog for node sc-prd-scm-perforce001.eng.are.com: Could not find data item scm_liagent.ini.erb in any Hiera data file and no default supplied at /etc/puppet/environments/production/modules/li_agent/manifests/config.pp:13 on node sc-prd-scm-perforce001.eng.are.com



2.) The file does exist under the hiera directory on the puppet server
[root@sc-prd-scm-puppet002 hiera]# ls -ltr /etc/puppet/environments/production/hiera/scm_liagent.ini.erb
-rw-r--r-- 1 puppet puppet 2018 Feb 3 18:50 /etc/puppet/environments/production/hiera/scm_liagent.ini.erb



3.) Hiera configuration as follows
[root@sc-prd-scm-puppet002 environments]# cat /etc/puppet/hiera.yaml

#
## File maintained by Puppet, any changes will be overwritten. ##
#
 DO NOT EDIT 
---
:backends:
  - json
  - yaml
  - file
:json:
  :datadir: '/etc/puppet/environments/%{::host_environment}/hiera'
:yaml:
  :datadir: '/etc/puppet/environments/%{::host_environment}/hiera'
:file:
  :datadir: '/etc/puppet/environments/%{::host_environment}/hiera'
  :interpolate: false # defaults to true
:hierarchy:
  - "private/node/%{::fqdn}"
  - "private/location/%{::host_location}/%{::host_type_function_inst_suffix}"
  - "private/location/%{::host_location}/%{::host_type_function}"
  - "private/location/%{::host_location}/%{::host_type}"
  - "private/location/%{::host_location}/common"
  - "private/%{::host_type_function_inst_suffix}"
  - "private/%{::host_type_function}"
  - "private/%{::host_type}"
  - "private/os/%{::operatingsystem}/%{::operatingsystemmajrelease}/common"
  - private/common
  - "node/%{::fqdn}"
  - "location/%{::host_location}/%{::host_type_function_inst_suffix}"
  - "location/%{::host_location}/%{::host_type_function}"
  - "location/%{::host_location}/%{::host_type}"
  - "location/%{::host_location}/common"
  - "%{::host_type_function_inst_suffix}"
  - "%{::host_type_function}"
  - "%{::host_type}"
  - "os/%{::operatingsystem}/%{::operatingsystemmajrelease}/common"
  - common
:merge_behavior: deeper

4.) Puppet server version
[root@sc-prd-scm-puppet002 hiera]# puppet master --version
3.8.7




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] RFE Proposal: lookup_options in the manifest

2019-12-12 Thread Henrik Lindberg

On 2019-12-12 02:59, Alan Evans wrote:
I love Automatic Parameter Lookup (APL) and hiera in general.  But one 
thing I have found awkward is that `lookup_options` are found in the 
hiera data.  In general the idea is to separate data from code right?


Exactly, and that is why the options should be in the data because that 
is the place where data structure was defined!


As an example you may not want to have merging at all and override
a value with a complete hash. You don't want to change a manifest to do 
that.


Lookup options do not feel like data to me, but more like something I 
would find in the code the same way in the code I can type class parameters.

> *Proposal*

Create a data type (or function perhaps that returns a data type) that 
tells the APL code HOW to do the lookup.  The lookup key is just the 
class/name of the current param and the rest of the arguments could 
behave like lookup().


class froboz(
  Array[String] $my_param = LookupOptions('unique'),
  Hash          $options  = LookupOptions('deep', knockout_prefix => '-', default_value => undef),
) {
  # Do Useful Stuff
}

Or maybe just *Lookup* with a capital *L* or perhaps a function 
*lookup_options()* that returns some internal class/data type that need 
not be visible to the puppet user.


class bozfro(
  $some_param    = Lookup(Array[String], 'unique', undef),
  $another_param = lookup_options(Hash, 'deep', {knockout_prefix => '-'}),
) {
  # Do Useful Stuff
}



A default value expression is evaluated if there were no data given in 
the manifest and if no data was found when doing a lookup. So, cannot 
use the default value expression to try to influence the lookup as that 
would break the contract of when those are evaluated.



Do you think lookup_options seem out of place in the hiera data?

No they are at the right place.

Would it make more sense as a Data Type or a function() w/ some 
invisible data type that APL uses?


You would then need to invent new syntax.


Does this belong in puppet proper?  Stdlib? (Could it go in stdlib?)

It cannot go into stdlib it would need to be an integral part of the 
language.



You either use APL and stick the options into hiera as needed, or you
do not bind to any APL looked up keys and use an explicit lookup in the
default value expression. If you do that then you can specify the 
options in your manifest.


I recommend using APL.

- henrik


Please discuss.

-Alan




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Re: Hiera value not being passed

2019-10-03 Thread Henrik Lindberg

On 2019-10-04 00:47, Jagga Soorma wrote:
Thanks Henrik.  However, changing my code to do the following still 
shows that warning:


--
class foo (
$nodetype = lookup('nodetype')
){
..blah..
}



You are missing that "automatic" in "automatic parameter lookup" means 
that it does this for you - no need to call lookup at all.


Simply do:

  class foo($nodetype) {
    # whatever
  }

And in your hiera (somewhere in a yaml file):

  foo::nodetype: this_is_the_nodetype

Then you can just do this:

  include foo

And it works.

Hope this helps clarify how it works.
- henrik

# puppet apply 
--hiera_config=/root/test/puppetlabs/code/environments/production/hiera.yaml 
--modulepath /root/test/puppetlabs/code/environments/production/modules 
/root/test/puppetlabs/code/environments/production/manifests/site.pp
Warning: The function 'hiera_include' is deprecated in favor of using 
'lookup'. See https://puppet.com/docs/puppet/6.9/deprecated_language.html

    (file & line not available)
Notice: Compiled catalog for node1.test.org in environment production in 
0.03 seconds
Notice: /Stage[main]/Foo/File[/tmp/hello]/ensure: defined content as 
'{md5}87e44021400167b9764b362083d182a1'

Notice: Applied catalog in 0.03 seconds
--

Am I missing something?


On Thursday, October 3, 2019 at 2:47:25 AM UTC-7, Henrik Lindberg wrote:

On 2019-10-02 23:21, Jagga Soorma wrote:
 > Looks like I figured it out.  I was passing the hiera variable
 > incorrectly.  Changed from
 >
 > passing in to class
 > String $nodetype,
 > to
 > $nodetype=hiera('nodetype')
 >

Note that all functions starting with "hiera" are deprecated. Use the
"lookup()" function instead. Google for the docs how to replace
"hiera_include" with a call to "lookup()" and an iteration.

It is much better to use Automatic Parameter Lookup (APL) instead of
doing explicit lookups. Your problem was that the key "nodetype" should
have been "foo::nodetype" - that would make the correct binding for APL
to work.

Best,
- henrik

 > that seems to have done the trick.
 >
 > On Wed, Oct 2, 2019 at 1:39 PM Jagga Soorma wrote:
 >>
 >> Hello,
 >>
 >> I am testing out hiera and trying to pass some hiera values to a
 >> module so that it can do specific tasks for a given node which does
 >> not seem to be working.  Here is my setup:
 >>
 >> --
 >> # puppet lookup
 >> --hiera_config=/root/test/puppetlabs/code/environments/production/hiera.yaml
 >> nodetype
 >> --- mgmt
 >>
 >> # puppet apply
 >> --hiera_config=/root/test/puppetlabs/code/environments/production/hiera.yaml
 >> --modulepath /root/test/puppetlabs/code/environments/production/modules
 >> /root/test/puppetlabs/code/environments/production/manifests/site.pp
 >> Warning: The function 'hiera_include' is deprecated in favor of using
 >> 'lookup'. See https://puppet.com/docs/puppet/6.9/deprecated_language.html
 >>     (file & line not available)
 >> Error: Evaluation Error: Error while evaluating a Function Call,
 >> Class[Foo]: expects a value for parameter 'nodetype' (file:
 >> /root/test/puppetlabs/code/environments/production/manifests/site.pp,
 >> line: 2, column: 3) on node node1.test.org
 >>
 >> # cat /root/test/puppetlabs/code/environments/production/hiera.yaml |
 >> grep -v '#'
 >> ---
 >> version: 5
 >> defaults:
 >>    datadir: data
 >>    data_hash: yaml_data
 >> hierarchy:
 >>      - name: "Yaml heirarchy"
 >>        data_hash: yaml_data
 >>        paths:
 >>          - "nodes/%{facts.networking.fqdn}.yaml"
 >>          - "roles/common.yaml"
 >>          - 'common.yaml'
 >>
 >> # cat
 >> /root/test/puppetlabs/code/environments/production/data/nodes/node1.test.org.yaml
 >> ---
 >> nodetype: 'mgmt'
 >> classes:
 >>   - foo
 >>
 >> # cat /root/test/puppetlabs/code/environments/production/manifests/site.pp
 >> node default {
 >>    hiera_include('classes')
 >> }
 >>
 >> # cat
 >> /root/test/puppetlabs/code/environments/production/modules/foo/manifests/init.pp
 >> class foo (
 >>    String $nodetype

Re: [Puppet Users] Re: Hiera value not being passed

2019-10-03 Thread Henrik Lindberg

On 2019-10-02 23:21, Jagga Soorma wrote:

Looks like I figured it out.  I was passing the hiera variable
incorrectly.  Changed from

passing in to class
String $nodetype,
to
$nodetype=hiera('nodetype')



Note that all functions starting with "hiera" are deprecated. Use the 
"lookup()" function instead. Google for the docs how to replace 
"hiera_include" with a call to "lookup()" and an iteration.


It is much better to use Automatic Parameter Lookup (APL) instead of 
doing explicit lookups. Your problem was that the key "nodetype" should 
have been "foo::nodetype" - that would make the correct binding for APL 
to work.


Best,
- henrik


that seems to have done the trick.

On Wed, Oct 2, 2019 at 1:39 PM Jagga Soorma  wrote:


Hello,

I am testing out hiera and trying to pass some hiera values to a
module so that it can do specific tasks for a given node which does
not seem to be working.  Here is my setup:

--
# puppet lookup
--hiera_config=/root/test/puppetlabs/code/environments/production/hiera.yaml
nodetype
--- mgmt

# puppet apply 
--hiera_config=/root/test/puppetlabs/code/environments/production/hiera.yaml
--modulepath /root/test/puppetlabs/code/environments/production/modules
/root/test/puppetlabs/code/environments/production/manifests/site.pp
Warning: The function 'hiera_include' is deprecated in favor of using
'lookup'. See https://puppet.com/docs/puppet/6.9/deprecated_language.html
(file & line not available)
Error: Evaluation Error: Error while evaluating a Function Call,
Class[Foo]: expects a value for parameter 'nodetype' (file:
/root/test/puppetlabs/code/environments/production/manifests/site.pp,
line: 2, column: 3) on node node1.test.org

# cat /root/test/puppetlabs/code/environments/production/hiera.yaml |
grep -v '#'
---
version: 5
defaults:
   datadir: data
   data_hash: yaml_data
hierarchy:
  - name: "Yaml heirarchy"
    data_hash: yaml_data
    paths:
      - "nodes/%{facts.networking.fqdn}.yaml"
      - "roles/common.yaml"
      - 'common.yaml'

# cat 
/root/test/puppetlabs/code/environments/production/data/nodes/node1.test.org.yaml
---
nodetype: 'mgmt'
classes:
  - foo

# cat /root/test/puppetlabs/code/environments/production/manifests/site.pp
node default {
   hiera_include('classes')
}

# cat 
/root/test/puppetlabs/code/environments/production/modules/foo/manifests/init.pp
class foo (
   String $nodetype,
){
   if $nodetype == 'mgmt' {
     file { "/tmp/hello":
       ensure => file,
       source => 'puppet:///modules/foo/hello.mgmt',
     }
   }
   elsif $nodetype == 'login' {
     file { '/tmp/hello':
       ensure => file,
       source => 'puppet:///modules/foo/hello.login',
     }
   }
}
--

Not sure what I am missing here, but any guidance would be helpful.
Also, let me know if there is a better way to tackle this.

Thanks,
-J





--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] accessing out of class/scope variables in template

2019-08-16 Thread Henrik Lindberg

On 2019-08-16 16:31, Matt Zagrabelny wrote:

Hello,

I'm running puppet 5.5 OSE.

I've got a class foo:

class foo {
     $bar = 'hi'
}

class foo::configure {
     file { '/tmp/foo.conf':
         content => template('foo/foo.conf.erb'),
     }
}

and then in the template:

<%= scope['foo::bar'] %>

but suppose I want to access an out of class variable:

<%= scope['baz::qux'] %>

That does not seem to work. Is there any way to access out of class 
variables in a template?




That should work as long as `baz::qux` has been evaluated before
you evaluate this template.

Can also highly recommend switching to EPP (templates in Puppet 
Language) instead of ERB (templates in Ruby).


Your template would then be:

<%= $foo::bar %>

Best
- henrik

--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Sensitive type?

2019-06-21 Thread Henrik Lindberg

On 2019-06-20 13:31, Jason McMahan wrote:

Good day,
We were attempting to secure passwords appearing in files.
In the node manifest we changed

$password = lookup("user_cred.${username}.${domain_lookup}.password")
to
$password = 
Sensitive(lookup("user_cred.${username}.${domain_lookup}.password"))


In the resources file it correctly redacted the password, but when I open

C:\ProgramData\PuppetLabs\puppet\var\client_data\catalog\.json

It shows the password in plain text under the section
/etc/puppetlabs/code/environments/sensitive/site/profile/manifests/windows/domain/join.pp

but still redacted under the section

/etc/puppetlabs/code/environments/sensitive/modules/domain_membership/manifests/init.pp

How can I redact the password in all locations?

Any help is greatly appreciated, thank you very much.




The catalog contains sensitive information in clear text and sets a flag 
that the resource parameter is sensitive. You must treat a catalog as 
sensitive information.


If you are seeing "redacted" in your catalog that means that compilation 
transformed a Sensitive value into a String and used the string value in 
the catalog. That must be a problem in your manifests (or a module).


The recommended secure way to handle secrets is to use the `Deferred` 
feature in Puppet 6 and to use an external secrets server - for example 
Vault. The Deferred feature makes it possible to call functions on the 
agent and this is used to lookup secrets with the agent's credentials.
Thus, there is never a secret in clear text during compilation, and thus 
also not in the catalog. When the looked up value is produced on the 
agent, it sets the clear text value in the resource and sets the flag 
that indicates that it is sensitive. This is a signal to the puppet 
resource harness to redact the information in reports and logs. A custom 
provider may need to be reviewed and modified to ensure that it does not 
spill a secret (for example, it may need to be changed to check if a 
resource attribute is flagged as sensitive before logging it).


Hope that helps.
Best,
- henrik


Jason




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/
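
A check that follows from the reply above, as an added example (not code from the thread or from Puppet): it reads a cached catalog and reports, by name only, parameters listed in `sensitive_parameters` (clear text in the catalog) and parameters whose value holds the stringified form of a Sensitive. The catalog is constructed, and the field layout and the marker text `Sensitive [value redacted]` are assumptions about Puppet's catalog JSON and `Sensitive#to_s`.

```ruby
require 'json'

# Text a Sensitive value turns into when a manifest interpolates it into a
# String at compile time (assumption: the output of Puppet's Sensitive#to_s).
REDACTED_MARKER = 'Sensitive [value redacted]'

# Constructed cached catalog, cut down to the fields this audit reads.
SAMPLE_CATALOG = <<~JSON
  {
    "name": "node1.example.test",
    "resources": [
      { "type": "Class", "title": "Constructed::Join",
        "file": "/constructed/profile/manifests/join.pp",
        "parameters": { "username": "svc_join", "password": "constructed-secret" },
        "sensitive_parameters": ["password"] },
      { "type": "Exec", "title": "constructed join",
        "file": "/constructed/modules/member/manifests/init.pp",
        "parameters": {
          "command": "join.exe /user svc_join /pass Sensitive [value redacted]",
          "environment": ["JOIN_PW=Sensitive [value redacted]"] } },
      { "type": "File", "title": "/tmp/constructed.conf",
        "parameters": { "ensure": "file", "mode": "0644" } }
    ]
  }
JSON

# True when any string nested in value (hash keys included) holds the marker.
def contains_marker?(value)
  case value
  when String then value.include?(REDACTED_MARKER)
  when Array  then value.any? { |v| contains_marker?(v) }
  when Hash   then value.any? { |k, v| contains_marker?(k) || contains_marker?(v) }
  else false
  end
end

# Returns one finding per parameter that needs attention. Values are never
# copied into the findings, so the report itself is safe to log.
def audit_catalog(json_text)
  findings = []
  JSON.parse(json_text).fetch('resources', []).each do |res|
    ref     = "#{res['type']}[#{res['title']}]"
    flagged = res.fetch('sensitive_parameters', [])
    res.fetch('parameters', {}).each do |name, value|
      kind =
        if contains_marker?(value) then :stringified_sensitive
        elsif flagged.include?(name) then :clear_text_flagged
        end
      findings << { resource: ref, parameter: name, kind: kind, file: res['file'] } if kind
    end
  end
  findings
end

# One line per finding, with advice matching the reply above.
def report(findings)
  findings.map do |f|
    advice = case f[:kind]
             when :clear_text_flagged
               'secret is in this catalog in clear text; protect the file'
             when :stringified_sensitive
               'Sensitive was turned into a String at compile time; fix the manifest'
             end
    "#{f[:resource]} #{f[:parameter]} (#{f[:file]}): #{advice}"
  end
end

puts report(audit_catalog(SAMPLE_CATALOG)) if __FILE__ == $PROGRAM_NAME
```
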



Re: [Puppet Users] merging hashes with puppet lookup function

2019-06-10 Thread Henrik Lindberg

On 2019-06-09 02:34, Chris Southall wrote:
I'm trying to merge hiera hashes using the lookup function as described 
here:

https://puppet.com/docs/puppet/5.5/hiera_automatic.html#puppet-lookup

Here's my test:

Hiera config file:
==
---
version: 5
defaults:
   datadir: hiera
   data_hash: yaml_data

hierarchy:
   - name: "Test 1"
     path: "test1.yaml"

   - name: "Test 2"
     path: "test2.yaml"
==



File: "test1.yaml"
==
---
simple::package:
   package1:
     ensure: 'installed'
==



File: "test2.yaml"
==
---
simple::package:
   package2:
     ensure: 'installed'
==


Lookup works as expected - the first match is found.
puppet lookup --hiera_config ./hiera.yaml simple::package
==
---
package1:
   ensure: installed
==


When merge strategy set to hash, the lookup returns results from both 
hiera files.

lookup --hiera_config ./hiera.yaml --merge hash simple::package
==
---
package2:
   ensure: installed
package1:
   ensure: installed
==


Everything makes sense to this point.  Now to apply this in a manifest.


Here's my test class, specifying 'hash' merge strategy to lookup()
==
class simple (
   Hash $package = lookup('simple::package', Hash, 'hash', {}),
) {
   create_resources('Package',$package)
}
==


Apply (noop) the module, but only 'package1' gets defined as a package 
resource.  Shouldn't the lookup have merged the hashes?  ('package2' is 
definitely not already installed)
==
sudo puppet apply --modulepath=${modpath} --hiera_config=${hieraconf} 
--execute "include simple" --test --noop

Info: Loading facts
Info: Loading facts
Notice: Compiled catalog for mynode in environment production in 0.02 
seconds

Info: Applying configuration version '1560036315'
Notice: /Stage[main]/Simple/Package[package1]/ensure: current_value 
'purged', should be 'present' (noop)

Notice: Class[Simple]: Would have triggered 'refresh' from 1 event
Notice: Stage[main]: Would have triggered 'refresh' from 1 event
Notice: Applied catalog in 0.22 seconds
==


I've tried setting the merge strategy in the class lookup function using 
string or hash syntax, with both 'hash' and 'deep' as the strategy, but 
can't get the class to merge the hashes.  Am I missing something with the 
lookup function?

$ puppet -V
5.5.14

# hiera -V
3.4.6



By default automatic lookup uses priority. To change that you should 
use "lookup_option" that is set in your data. This is documented here:

https://puppet.com/docs/puppet/6.4/hiera_merging.html#concept-2997

Hope that helps.
- henrik


--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/
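
The lookup behaviour discussed in this thread and in the "Hiera value not being passed" thread above, as an added Ruby model (not Puppet's implementation and not code from either thread): automatic parameter lookup always uses the key `<class>::<param>`, merges only when `lookup_options` in the data says so, and runs the default value expression only when the data has no such key. All function names are hypothetical, the data is constructed from the thread's test1.yaml and test2.yaml, only the string form of `merge` is modelled, and hash-merging `lookup_options` across the hierarchy is this model's reading of Hiera 5.

```ruby
require 'yaml'

# Constructed data, highest priority first: the thread's test1.yaml and
# test2.yaml, and a node file holding the un-namespaced key from the other thread.
TEST1 = <<~YAML
  simple::package:
    package1:
      ensure: installed
YAML
TEST2 = <<~YAML
  simple::package:
    package2:
      ensure: installed
YAML
# TEST1 plus the per-key merge setting kept in the data itself.
TEST1_WITH_OPTIONS = TEST1 + <<~YAML
  lookup_options:
    simple::package:
      merge: hash
YAML
NODE = "nodetype: mgmt\n"

# Parse each YAML text into one hierarchy level.
def layers(*texts)
  texts.map { |t| YAML.safe_load(t) || {} }
end

# Recursive hash merge; on a conflict the higher-priority value wins.
# (Array handling and knockout_prefix of the real deep merge are left out.)
def deep(hi, lo)
  return hi unless hi.is_a?(Hash) && lo.is_a?(Hash)
  lo.merge(hi) { |_key, l, h| deep(h, l) }
end

# Combine the values found for one key; `found` is highest priority first.
def combine(strategy, found)
  case strategy
  when 'first' then found.first
  when 'hash'  then found.reverse.reduce({}) { |acc, v| acc.merge(v) }
  when 'deep'  then found.reduce { |hi, lo| deep(hi, lo) }
  else raise ArgumentError, "unsupported merge strategy: #{strategy}"
  end
end

# Every value stored under key, in hierarchy order.
def values_for(data, key)
  data.select { |layer| layer.key?(key) }.map { |layer| layer[key] }
end

# Merge strategy for key taken from lookup_options in the data, else 'first'.
def merge_setting(data, key)
  options = combine('hash', values_for(data, 'lookup_options'))
  options.dig(key, 'merge') || 'first'
end

# Explicit lookup(): a merge argument, when given, overrides lookup_options.
def lookup(data, key, merge: nil, default: nil)
  found = values_for(data, key)
  return default if found.empty?
  combine(merge || merge_setting(data, key), found)
end

# Automatic parameter lookup. The block stands for the parameter's default
# value expression and runs only when the data has no "<class>::<param>" key.
def apl(data, klass, param)
  key   = "#{klass}::#{param}"
  found = values_for(data, key)
  if !found.empty?
    { via: :data, value: combine(merge_setting(data, key), found) }
  elsif block_given?
    { via: :default_expression, value: yield }
  else
    { via: :missing, value: nil }
  end
end

if __FILE__ == $PROGRAM_NAME
  plain = layers(TEST1, TEST2)
  # The class from the thread: the lookup() default never runs, APL wins.
  p apl(plain, 'simple', 'package') { lookup(plain, 'simple::package', merge: 'hash', default: {}) }
  # With lookup_options in the data, APL itself merges both levels.
  p apl(layers(TEST1_WITH_OPTIONS, TEST2), 'simple', 'package')
  # A bare 'nodetype' key does not bind to class foo's parameter.
  p apl(layers(NODE), 'foo', 'nodetype')
end
```
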



Re: [Puppet Users] class invocation conflicts

2019-05-20 Thread Henrik Lindberg

On 2019-05-20 18:57, Peter Berghold wrote:
So here I am I have a base profile for my Ubuntu (Debian family) 
machines that invokes the class


class{'apt':
     ... some parameters
}

I then invoke the class

class{'postgresql': }

and now Puppet is screaming that the class 'apt' cannot be invoked 
twice.   This seems to be a flaw in Puppet manifests to me.  How to fix?





The best practice is to not use the resource like `class { name: ... }` 
syntax to declare a class and instead use `include name` and letting all 
parameter values come from hiera via automatic parameter lookup.


That way, you can include the class as many times as you like - as the 
parameters are the same every time. Unfortunately, the compiler cannot 
do the same when classes are declared with parameters even if all places 
this is done use the exact same values.


While it is possible to have a single `class { name: ... }` declaration 
with subsequent `include name` declarations, the opposite does not work.


Hope this helps.
- henrik


--

Peter L. Berghold salty.cowd...@gmail.com 

http://devops.berghold.net





--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] help with Hello world puppet file

2019-05-12 Thread Henrik Lindberg

On 2019-05-12 19:36, chengkai liang wrote:
you have to set modulepath to tell puppet where to find your module: 
https://puppet.com/docs/puppet/5.5/dirs_modulepath.html. The document 
should be good enough to get your started.




If modulepath is not set it would mean that the inclusion of a 
class from that module would fail with an error "Could not find class".


You now also mixed in a node expression for 'agent.com' which added yet 
another source of possible errors. Start with just node default, or no 
node expression at all. Just so you eliminate possible error sources.


Make sure your site.pp runs, then add some resource.

- henrik

On Sun, May 12, 2019 at 7:44 AM Asmae Azbeg <azbegas...@gmail.com> wrote:


Hi,
I tried what you did to me and he detected the error,
Actually i tried another example and I have the same result
here it is and there are also my puppet.conf files, I do not know
why it does not have [main] and [master] there.
puppet master :
file.png


puppet agent :
file1.PNG

I am really sorry for the inconvenience but i really need your help,
this is my class project
Best,
Asmae

On Sun, 12 May 2019 at 14:55, Henrik Lindberg
<henrik.lindb...@puppet.com> wrote:

On 2019-05-12 01:06, Asmae Azbeg wrote:
 > Hi everyone ,
 > I installed puppet server and agent version 5.5.10. The communication
 > was successful and I want to create and deploy the hello world file but
 > it wasn't working.
 > I followed the steps in this link:
 > https://puppet.com/docs/puppet/5.4/quick_start_helloworld.html
 > here is my puppet server
 > 59953541_2377841845569398_3417727458516926464_n.png
 > 60273866_317554218919831_679099363892396032_n.png
 > but in the puppet agent  I didn't receive  the file :
 > fich.PNG
 >
 > i really need your help,
 > thank you in advance ,
 > Asma

Suspect that you are not running the files you think you are.
Test by making an obvious error in the site.pp you think you are
running. If it does not fail, you know you are not using the file.

It is probably looking in the "production" environment directory and you
seem to have the files outside of any environment... (kind of what
Martin said).

Best,
- henrik



-- 


Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/


Re: [Puppet Users] help with Hello world puppet file

2019-05-12 Thread Henrik Lindberg

On 2019-05-12 01:06, Asmae Azbeg wrote:

Hi everyone ,
I installed puppet server and agent version 5.5.10. The  communication 
was successful and I want to create and deploy the hello world file but 
it wasn't working.

I followed the steps in this link:
https://puppet.com/docs/puppet/5.4/quick_start_helloworld.html
here is my puppet server
59953541_2377841845569398_3417727458516926464_n.png
60273866_317554218919831_679099363892396032_n.png
but in the puppet agent  I didn't receive  the file :
fich.PNG

i really need your help,
thank you in advance ,
Asma


Suspect that you are not running the files you think you are.
Test by making an obvious error in the site.pp you think you are 
running. If it does not fail, you know you are not using the file.


It is probably looking in the "production" environment directory and you 
seem to have the files outside of any environment... (kind of what 
Martin said).


Best,
- henrik






--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] converting Puppet reports to JUnit

2019-05-10 Thread Henrik Lindberg

On 2019-05-10 14:44, Luke Bigum wrote:

Hello,

Has anyone had the need to convert Puppet's YAML reports into another 
format, such as JUnit XML?  I'm thinking of taking the reports of 
Acceptance test runs of Roles (potentially thousands of resources), and 
parsing them into reports for a CI system.  The report format doesn't 
look too complicated, but before I reinvent someone else's wheel, I 
thought I'd check if there's any code I could steal off someone?




I remember using a JUnit compatible report format plugin for rspec.
Maybe that is what you are looking for?

This was quite some time ago and I don't remember its name.

- henrik


Cheers,

-Luke




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Replace some text

2019-04-08 Thread Henrik Lindberg

On 2019-04-07 14:47, KRouth Clinipace wrote:
Question - is it possible to use the puppet regsubst function in place 
of the exec used here (to save spawning a new shell process) ?

kevin



Well, functions are ordinary on the compiling side. If you can figure 
out what to do when compiling that is preferable.


Alternatively, you can call functions on the agent side by using a 
Deferred value that delays the call and makes it on the agent side.
You need Puppet 6 to be able to do that. (And if you need custom logic 
you can write your own function in Ruby using the function API).


To answer if there is a better way we need to understand what you are 
actually doing (I did not try to make sense of what your exec and the 
perl logic actually does...)


Best
- henrik


On Friday, May 21, 2010 at 10:28:58 PM UTC-4, Marley Bacelar wrote:

Nice... I solved my problem using the:
define replace($file, $pattern, $replacement) {
   exec { "/usr/bin/perl -pi -e 's/$pattern/$replacement/' '$file'":
     onlyif => "/usr/bin/perl -ne 'BEGIN { \$ret = 1; } \$ret = 0 if /$pattern/ && ! /$replacement/ ; END { exit \$ret; }' '$file'",
   }
}
Then in my class I used:
replace { "/etc/bashrc":
    file => "/etc/bashrc",
    pattern => "PS1",
    replacement => "PS1 DOMAINA.COM "
}
Worked perfectly... Now I will see the other options proposed here.
Thank you very much guys
-- 
Marley Bacelar

Project Fedora Ambassador
VCP, VSP. VTSP., ITILF, IBM 000-076, IBM 000-330, IBM 000-331
marley...@gmail.com 

2010/5/21 R.I.Pienaar:

 > The vast majority of our text replacement work we do is for files that
 > have simple key/value pairs with an assignment operator.
 >
 >
 > foo=bar
 > foo: bar
 >
 >
 > etc.
 >
 >
 > We occasionally stray outside this with a regexp replacer, but I
 > totally agree with Daniel here, it's not the most robust thing in the
 > world.
 >
 >
 > Generally we do this because we want to allow people to customize
 > extra parts of their config files, and we've switched daemons entirely
 > for some services, simply based upon their ability to cope with a
 > parts.d directory or to have "include" directives of some kind.
 >
 >
 > That allows you to ship an absolute config with a default include that
 > people are free to modify.
 >


fwiw, the newest version of my concat module supports symlinking
into a concat file, so if you have a config file that you would
like users to drop settings it and you want them to only do so
in a very specific place in a file you can now achieve that by
building your config file and including a user editable file
right where you want it.

Very nice feature to give users some rights without losing
control of the file or its structure.

It wouldn't be too hard to extend it to make arbitrary user
supplied .d directories for daemons that don't support those :)

http://github.com/ripienaar/puppet-concat



--
R.I.Pienaar




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/


Re: [Puppet Users] Syntax of a class reference in Hiera

2019-03-12 Thread Henrik Lindberg

On 2019-03-12 18:09, Stephen Kenny wrote:


I want to create a directory that will contain NFS mount points.  
Therefore, it makes
sense to have it in place before any of the NFS-related Puppet stuff.  I 
can do it

in either of two ways.

1. In a manifest, with a regular file resource, which contains the line

           before => Class['nfs'],

No problem there.

2. If I try to do this via a lookup of equivalent Hiera data, I see
     something unusual - or maybe just something I don't understand 
properly.


If my Hiera data looks like this:

  '/primary':
     ensure: 'directory'
     mode:   '0755'
     owner: 'root'
     group: 'root'
     before: 'Class[nfs]'

  - I get an error when I run the agent on the node: "Server Error: 
Invalid relationship:
File[/primary] { before => Class[nfs] }, because Class[nfs] doesn't seem 
to be in the catalog".


But if I change "nfs" to "Nfs" - i.e .capitalize the first letter of the 
class *name*,

it works.

I get that resource references should always be capitalized
(require => File['/etc/sysctl.d/recommended.conf']  and so on), but what 
is going on with
the necessity for capitalizing the resource _name_ - "Nfs" in my example 
- when

trying to accomplish the job via lookup and Hiera?

Thanks for any enlightenment,


These two lines are very different:

  before => Class['nfs']
  before: 'Class[nfs]'

The first is a real data type - a reference to a Class with the title 
(i.e. name of class) 'nfs'. The second is a String that is interpreted / 
parsed by the processing for the "before" meta parameter. Apparently it 
does not get it quite right. Please file a ticket in Puppet's JIRA for 
the PUP project.


Before doing this though, if you are on an older version this may have 
been fixed already as the problem sounds vaguely familiar, so please try 
on at least a 5.x version of puppet.


best
- henrik



Stephen Kenny
School of Computer Science
Trinity College
Dublin
Ireland




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Referencing Deferred functions in Puppet Code or Hiera YAML

2019-03-12 Thread Henrik Lindberg

On 2019-03-11 04:01, comport3 wrote:

Hi Henrik,

You're correct - this sample code precedes getting the Hiera 
function/lookup working, I want to be able to do it in Puppet code first.


I've ended up with the following -
```
  $secret_lookup = Deferred('vault_lookup::lookup',
    ["secret/client.example.com", 'https://puppet.example.com:8228'])
  notify {mysql_root: message => Deferred('get', [$secret_lookup, 'mysql_root_password'])}
```

It returns this error -

*Error: Failed to apply catalog: 'dig' parameter 'data' expects a value 
of type Undef or Collection, got Sensitive[Hash]*


Any ideas?



Yeah - sigh... The vault lookup returns an instance of Sensitive which
get / dig cannot dig into. We could possibly allow digging into a 
Sensitive value as the result would also be made sensitive, but that 
function does not do that. (Please file a ticket).


There is unfortunately no way of solving the issue with just Deferred 
since unwrapping a Sensitive is done with a lambda and those cannot be 
deferred. There is a proposal (and an implementation) in ticket 
https://tickets.puppetlabs.com/browse/PUP-9254 where an eval() function 
is added.


Another approach of getting what you want is to write your own custom 
ruby function that does the unwrap and dig.


And lastly - you could avoid having to dig out a detailed value and 
instead look it up separately.


- henrik



Re: [Puppet Users] Referencing Deferred functions in Puppet Code or Hiera YAML

2019-03-08 Thread Henrik Lindberg

On 2019-03-08 03:13, comport3 wrote:

Hi Henrik,

Thanks for your reply.

I still don't really understand how to use your example - is it an 
additional custom function written in Ruby that would be synchronised 
from the master?


I showed a hiera backend that returns Deferred - but it seems that is 
not really what you were asking about (your example is different).



How would this be structured or implemented step by step please?

This is what's in my current class, with specifically what doesn't work 
commented out at the bottom (ignore my custom Vault port, please) -


class profile::vaulttest {

  $secret_lookup = Deferred('vault_lookup::lookup', 
["secret/client.example.com", 'https://puppet.example.com:8228'])


   ## Works, returns a hashed array of key/value pairs, I want to look 
up a SPECIFIC key and it's value, eg 'mysql_root_password'

   notify {mysql_root: message => $secret_lookup}

   ## Trying to lookup a key within the array, fails with error
   ## Evaluation Error: Operator '[]' is not applicable to an Object.
   #notify {mysql_root: message => $secret_lookup[mysql_root_password]}

}

Help?! :-)



The reason your commented out code does not work is because you are 
trying to get the key "mysql_root_password" from a Deferred that has not 
yet been resolved. (It will be resolved later when the catalog is 
processed on the agent, but while compiling the Deferred is just an 
instruction to do something later).


You need the following:

  message => Deferred('get', [$secret_lookup, 'mysql_root_password'])

To get what I think you want.

- henrik



Re: [Puppet Users] Problem querying PuppetDB from within a Puppet class

2019-02-28 Thread Henrik Lindberg

On 2019-02-28 16:12, Henrik Lindberg wrote:
Where in documentation did you get that example? It is wrong so needs to 
be corrected. You definitively need to use `map` to map the result to 
what you want.


Already fixed in later versions of the documentation: ticket is here:
https://tickets.puppetlabs.com/browse/DOCUMENT-816

- henrik

--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Problem querying PuppetDB from within a Puppet class

2019-02-28 Thread Henrik Lindberg

On 2019-02-28 14:46, Dirk Heinrichs wrote:

On Thursday, 28.02.2019, at 13:53 +0100, Henrik Lindberg wrote:


On 2019-02-28 13:37, Dirk Heinrichs wrote:

following the example in the PuppetDB documentation, I tried this code:

$debian_nodes_query = 'nodes[certname]{facts{name = "operatingsystem"
and value = "Debian"}}'
$debian_nodes = puppetdb_query($debian_nodes_query).each |$value| {


The line above is wrong - you are using each() and it returns its input.


As said, this comes straight from the documentation.

Did you mean to use map() to get an array of the names? That is, like 
this:


   $debian_nodes = puppetdb_query($debian_nodes_query).map |$value| {
     $value["certname"]
   }


That just prints:

Notice: Your debian nodes are

Bye...



Where in documentation did you get that example? It is wrong so needs to 
be corrected. You definitively need to use `map` to map the result to 
what you want.


Try output of all first so you see if you got any, then output the 
mapped result.


- henrik


Dirk




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Problem querying PuppetDB from within a Puppet class

2019-02-28 Thread Henrik Lindberg

On 2019-02-28 13:37, Dirk Heinrichs wrote:

Hi,

following the example in the PuppetDB documentation, I tried this code:

$debian_nodes_query = 'nodes[certname]{facts{name = "operatingsystem" 
and value = "Debian"}}'
$debian_nodes = puppetdb_query($debian_nodes_query).each |$value| { 


The line above is wrong - you are using each() and it returns its input.
Did you mean to use map() to get an array of the names? That is, like this:

  $debian_nodes = puppetdb_query($debian_nodes_query).map |$value| {
    $value["certname"]
  }

- henrik


$value["certname"] }
Notify {"Debian nodes":
 message => "Your debian nodes are ${join($debian_nodes, ', ')}",
}
which prints:

Notice: Your debian nodes are {"certname"=>"host1.example.com"}, 
{"certname"=>"host2.example.com"}


despite the '$value["certname"]'. What would I need to do to print the 
names only? Like:


Notice: Your debian nodes are host1.example.com, host2.example.com

which is what I would expect the code above to do in the first place.

Thanks...

Dirk

--



--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Referencing Deferred functions in Puppet Code or Hiera YAML

2019-02-27 Thread Henrik Lindberg

On 2019-02-27 00:01, comport3 wrote:

Hi Henrik and Group,

Thank you very much, this sounds like exactly what we are after. After 
reviewing https://puppet.com/docs/puppet/6.3/hiera_custom_backends.html 
we are a little lost as to how to get started. Does anyone have any 
example code of using a Customer Backend or Puppet Function in 
conjunction with a Deferred data type lookup for us to review? Anything 
including the Vault lookup logic or some 'proof of concept' code would 
be a much welcomed starting point.




It is actually dead simple - here is an example that returns a hard 
coded deferred. The example is written in the Puppet Language, and is 
autoloaded just like other functions from "mymodule".


This simple example is a "data hash" kind of backend - it is called once
and is expected to return a hash with key => value bindings.

  function mymodule::deferred_example(
    Hash                  $options,
    Puppet::LookupContext $context,
  ) {
    # Return a hash with key(s) bound to Deferred value(s)
    { 'the_key' => Deferred('vault_lookup', ['the key']) }
  }

Then there are lots of different things you could do.

The $options hash contains information from hiera.yaml:
- if a path/URI was given or not (and that path existed)
- any custom options given in hiera.yaml for this entry

This means you could configure what the backend would do based on either
options given directly (a list of keys for which this backend should 
return a Deferred), or you can use the path to read such data from a 
file, using say a function to read that file as json from the path in 
options.


To use this backend simply enter its name in hiera.yaml like you do for 
other backend functions.


Another alternative is to write a backend of "lookup key" kind. The 
contract there is to return a value per key or that the 
$context.not_found() is called (if it does not have a value for the key).


If you go this route, then the function could for example lookup a key 
in hiera that holds the names of keys to lookup in a deferred way.
Or, if you design it so that all deferred parameters can be identified 
via their name then you could simply return a Deferred for all keys that 
match a pattern.


Read all the details starting from here: 
https://puppet.com/docs/puppet/latest/hiera_custom_backends.html


Hope this helps.
- henrik


--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/
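
The "lookup key" kind of backend described in the message above, as an added example (not code from the thread or from Puppet): it returns a Deferred for every key that matches a pattern. The module and function name, the option names and the key-to-Vault-path mapping are assumptions; the `vault_lookup::lookup` arguments follow the form used elsewhere in this thread.

```puppet
# mymodule/functions/deferred_secret.pp
# (module name, function name and option names are assumptions of this example)
#
# Hiera 5 backend of the "lookup key" kind. For every key that matches the
# configured pattern it returns a Deferred instead of a value, so the secret
# is fetched by the agent while it applies the catalog and is never written
# into the compiled catalog. All other keys are reported as not found, which
# lets Hiera continue with the next level of the hierarchy.
#
# Assumed hiera.yaml entry:
#
#   hierarchy:
#     - name: "Agent-side secrets"
#       lookup_key: mymodule::deferred_secret
#       options:
#         key_pattern: '^profile::.*_password$'
#         vault_mount: 'secret'
#         vault_url:   'https://puppet.example.com:8228'
#
function mymodule::deferred_secret(
  Variant[String, Numeric] $key,
  Hash                     $options,
  Puppet::LookupContext    $context,
) {
  # Pattern[...] only matches strings, so numeric keys and keys outside the
  # pattern (including 'lookup_options') fall through to not_found().
  if $key =~ Pattern[$options['key_pattern']] {
    # Assumed mapping: profile::mysql::root_password
    #               -> secret/profile/mysql/root_password
    $subpath    = regsubst($key, '::', '/', 'G')
    $vault_path = "${options['vault_mount']}/${subpath}"

    # Same call form as in the thread: path first, then the Vault URL.
    Deferred('vault_lookup::lookup', [$vault_path, $options['vault_url']])
  } else {
    $context.not_found()
  }
}
```

A class parameter that receives such a value through automatic lookup is type-checked at compile time, so its declared type has to accept `Deferred`.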



Re: [Puppet Users] Referencing Deferred functions in Puppet Code or Hiera YAML

2019-02-20 Thread Henrik Lindberg

On 2019-02-19 20:15, Grant Davies wrote:
Yes exactly, using the deferred Function to lookup secrets on the agent 
side defined in Hiera. So I want to write some Puppet code in a Profile 
class that specifies where (Vault for us, but could be anything) to 
fetch the secret agent side, how, which key etc. Then reference that in 
Hiera for use in pre existing modules as parameters.


If you want hiera to return instances of Deferred, you can do that by 
writing your own simple hiera kind of backend function (much simpler 
than it sounds).


All it has to do is to return a hash along the lines of:

{ some_key => Deferred('vault_lookup', [params, ...]),
  some_other_key => Deferred(...)
}

The hiera 5 documentation should show how to write those functions.
Also checkout video of my Hiera 5 talk from Puppetconf and ConfigMgmntCamp.

best,
- henrik







--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Referencing Deferred functions in Puppet Code or Hiera YAML

2019-02-19 Thread Henrik Lindberg

On 2019-02-18 01:17, comport3 wrote:
Does anyone have any real world examples of referencing Deferred 
lookups, either in Puppet code or Hiera that you could share?


Vault Lookup shows examples of how to use it to lookup secrets on the 
agent side.


https://github.com/voxpupuli/puppet-vault_lookup

You mention hiera as well - what were you thinking about there wrt. 
Deferred? Being able to return deferred values from hiera, to be 
resolved on the agent? Or something else...


Best,
- henrik






--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Puppetserver 6.0.2 timeouts in the puppetserver log and on the agent side

2019-02-12 Thread Henrik Lindberg

On 2019-02-11 21:59, Mike Sharpton wrote:

Hello Henrik,

The heap being at 4GB is all the higher I would raise it, as you say GC 
becomes costly with big heaps.  The memory usage ramps up quite quickly 
to well above the configured max heap within minutes.  It comes up to 
about 5.8GB of usage quickly as we manage many resources on many nodes.  
We do not have many environments.  We normally have a production branch 
and only use a preprod branch to move changes up our environment with a 
module that managed the puppet.conf on our nodes.  We will keep looking, 
but I don't see a smoking gun.  Anyone else have any ideas?  Puppet 4 
was able to handle this load with only 4 JRuby workers and 4 Puppet 
servers.  Thanks for your help,


Mike


I suppose you have read this: 
https://puppet.com/docs/puppetserver/6.0/tuning_guide.html


Read your description again. Think it is of value to look at the stacktrace you get when the timeout occurs. This to figure out what it is that is timing out.

Best,
- henrik




Re: [Puppet Users] Puppetserver 6.0.2 timeouts in the puppetserver log and on the agent side

2019-02-11 Thread Henrik Lindberg

On 2019-02-11 14:42, Mike Sharpton wrote:

Hey all,

We have recently upgraded our environment from Puppetserver 4.2.2 to 
Puppetserver 6.0.2.  We are running a mix of Puppet 4 and Puppet 6 
agents until we can get them all upgraded to 6.  We have around 6000 
nodes, and we had 4 Puppetservers, but we added two more due to capacity 
issues with Puppet 6.  The load is MUCH higher with Puppet 6.  To the 
question, I am seeing longer and longer agent run times after about two 
days of the services running.  The only error in the logs that seems to 
have any relation to this is this string.


2019-02-11T04:32:28.409-06:00 ERROR [qtp1148783071-4075] [p.r.core] 
Internal Server Error: java.io.IOException: 
java.util.concurrent.TimeoutException: Idle timeout expired: 30001/3 ms



After I restart the puppetserver service, this goes away for about two 
days.  I think Puppetserver is dying a slow death under this load (load 
average of around 5-6).  We are running Puppetserver on vm's that are 
10X8GB and using 6 Jruby workers per Puppetserver and a 4GB heap.  I 
have not seen any OOM exceptions and the process never crashes.  Has 
anyone else seen anything like this?  I did some Googling and didn't 
find a ton of relevant stuff.  Perhaps we need to upgrade to the latest 
version to see if this helps?  Even more capacity?  Seems silly.  Thanks 
in advance!




There may be a slow memory leak that over time makes the server busy with 
non-productive work (scanning for garbage on an ever increasing heap).
If you were to increase capacity you would risk only changing the 2 days 
to a couple more, but not actually solving the issue.


Try to look at server memory usage over the two days.

Also, naturally, upgrade to latest and make sure modules are updated as 
well.


Do you by any chance have many environments with different versions of 
ruby code? The environment isolation "puppet generate types" may be of 
help if that is the case as loaded ruby resource types become sticky in 
memory.


- henrik


Mike




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] knockout_prefix

2019-02-09 Thread Henrik Lindberg
Judging from the version of Puppet Server you are on a version of Puppet 
that has reached EOL. The hiera 5 support with features like 
lookup_options was released late in the Puppet 4.x series but had some 
issues before stabilizing in Puppet 5.


Can you try this with a newer puppet version? If the issue is still 
there please file a ticket to enable the right people to have a look at 
what could possibly be wrong.


Best,
- henrik

On 2019-02-08 10:42, Helmut Schneider wrote:

Hi,

hiera.conf:
:hierarchy:
   - nodes/%{::fqdn}
   - apps/apache
   - common

apache.yaml:
---
lookup_options:
   variables:
      merge:
         strategy:"deep"
         knockout_prefix: "--"
[...]
profiles:
   webserver:
      apache:
         server:
            configfiles:
               enable:
                  02-listen.conf:
                     Listen:
                        - abc
                        - 'localhost:80'
                        - 'localhost:443'

host.yaml:
profiles:
   webserver:
      apache:
         server:
            configfiles:
               enable:
                  02-listen.conf:
                     Listen:
                        - --abc
                        - '--localhost:80'
                        - '--localhost:443'
                        - "80"
                        - "443"

init.pp:
[...]
   $profiles = lookup({
      "name" => "profiles",
      "merge" => {
         "strategy" => "deep",
         "knockout_prefix" => "--",
#        "sort_merged_arrays" => true,
      },
      "default_value" => [],
   })
[...]

Result:

"02-listen.conf"=>{"Listen"=>["abc", "localhost:80", "localhost:443",
"443"]}

So I expected 'abc', "localhost:80" "localhost:443" to be removed while
'80' was.

helmut@puppet:~$ sudo /opt/puppetlabs/bin/puppetserver -v
puppetserver version: 2.8.1
helmut@puppet:~$

Thank you!




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Replacing extlookup to look up external things!

2019-01-31 Thread Henrik Lindberg

On 2019-01-30 01:16, Ben Ford wrote:
Your simplest and most straightforward upgrade path would be to port the 
CSV file to a common.yaml file and then switch to using lookup() with 
hieradata. Later on, you can start differentiating and build a sane data 
hierarchy.


Check out the docs at https://puppet.com/docs/puppet/latest/hiera_quick.html



If you really must keep the CSV format, you can write your own function 
that you use with hiera 5. It is quite simple. I show examples and 
explain how hiera 5 works in this video: 
https://www.slideshare.net/PuppetLabs/puppetconf-2017-hiera-5-the-full-data-enchilada-hendrik-lindberg-puppet


You may want to watch that even if you convert your data to yaml.

Best,
- henrik




On Tue, Jan 29, 2019 at 2:45 PM Robert Inder wrote:


I'm looking at the possibility of moving our Puppet manifests from
3.8 to Something More Recent (i.e. 6.1)

We have one big CSV file for (mostly) encrypted passwords and the like.
And our existing manifests use extlookup to extract the relevant
entries, via calls like pw =

How should I replace this?
Can someone point me at an example of the simplest possible external
lookup?

Robert.





--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/
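
A Hiera 5 `data_hash` backend that keeps the CSV file, as an added example rather than code from this thread or from Puppet itself. The function name `mymodule::csv_data`, the `CsvHieraData` helper and the sample rows are hypothetical, and it assumes one `key,value[,value...]` row per entry with multi-value rows returned as arrays.

```ruby
require 'csv'

# Constructed sample input; the ENC[...] value is a placeholder, not real data.
SAMPLE_CSV = <<~CSV
  # constructed sample, not real credentials
  db_password,ENC[placeholder-ciphertext-1]
  ntp_servers,ntp1.example.com,ntp2.example.com

  motd,"Hello, world"
CSV

# Plain-Ruby core: turn CSV text into the Hash that a Hiera 5 data_hash
# backend has to return (every key of the file in one Hash).
module CsvHieraData
  def self.parse(content)
    data = {}
    CSV.parse(content, skip_blanks: true).each do |row|
      key = row[0].to_s.strip
      # Skip rows without a key and rows used as comments.
      next if key.empty? || key.start_with?('#')

      values = row.drop(1).compact.map(&:strip)
      # Error messages name the key only, never the value: the file
      # holds passwords and these messages end up in server logs.
      raise ArgumentError, "key '#{key}' has no value" if values.empty?
      raise ArgumentError, "duplicate key '#{key}'" if data.key?(key)

      data[key] = values.length == 1 ? values.first : values
    end
    data
  end
end

# Registration as a Hiera 5 backend. Only evaluated when Puppet has loaded
# this file (for example from lib/puppet/functions/mymodule/csv_data.rb);
# run stand-alone, the guard skips it.
#
# Assumed hiera.yaml (version 5) entry:
#   - name: "Legacy CSV data"
#     data_hash: mymodule::csv_data
#     path: "legacy.csv"
if defined?(Puppet::Functions)
  Puppet::Functions.create_function(:'mymodule::csv_data') do
    dispatch :csv_data do
      param 'Struct[{path=>String[1]}]', :options
      param 'Puppet::LookupContext', :context
    end

    def csv_data(options, context)
      # cached_file_data re-reads the file only when it changes on disk.
      context.cached_file_data(options['path']) do |content|
        CsvHieraData.parse(content)
      end
    end
  end
end
```

With a backend like this in the hierarchy, manifests call `lookup('db_password')` where they used to call extlookup.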



Re: [Puppet Users] Hiera and precedence

2019-01-18 Thread Henrik Lindberg

On 2019-01-17 18:40, Peter Berghold wrote:
I'm having a revertment to my noob days with respect to how hiera 
works.  (Version 3 for now)


If I have the hierarchy of

- common
- nodes/"%{fqdn}"
- datacenter/"%{fdatacenter}"

if in common.yaml I have "module::parms::server: server1" and in 
nodes/myclient.yaml I have "module::parms::server: server2" and in 
datacenter/NYCA.yaml (and the host presents NYCA as its datacenter) I 
have "module::parms::server: server3" which value will be presented for 
host myclient?


I could have sworn I read the lower down the list of hierarchy a value 
was it would override the one above it. I just read this morning that 
hiera stops at the first value it finds which is a bit of a problem for 
what I'm trying to accomplish.




Hiera has always gone from top to bottom in the list in hiera.yaml
and it returns the first found.

You want "common" (the default) to be last in the list.

- henrik

--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Ternary operator in puppet ?

2019-01-16 Thread Henrik Lindberg

On 2019-01-16 11:18, Karsten Heymann wrote:

Hi Albert,

On Wed, 16 Jan 2019 at 11:09, Albert Shih wrote:

Is there something like the Ruby ternary operator ?: in Puppet?


Sort of, it's called selectors:
https://puppet.com/docs/puppet/5.3/lang_conditional.html#selectors



You can also use an if-expression - for example:

$x = if $somevar == 'foo' { 'it is foo' } else { 'it is not foo' }

- henrik


--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Concerns about Puppet 4 master serving Puppet 3 clients

2019-01-14 Thread Henrik Lindberg

On 2019-01-14 16:22, Peter Berghold wrote:
I am about to have our first Puppet 4 Puppet master into our production 
environment. We have a very large community of Puppet 3 "leaf nodes" 
being managed by our old Puppet 3 infrastructure.


What issues might I run into with that and what should I do to mitigate 
this?




It is a quite open ended question unfortunately. You may want to start 
reading here: https://puppet.com/docs/puppet/4.10/upgrade_major_pre.html 
and then come back with more specific questions.


- henrik
--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] PuppetDB exported resources with hiera-eyaml

2019-01-10 Thread Henrik Lindberg

On 2019-01-10 10:56, Jocelyn Thode wrote:

Hey,

I'm trying to use exported resources where one of the parameters of the 
resource is a variable from hiera. This variable is retrieved using 
automatic lookup and is encrypted in hiera using hiera-eyaml.


However, when the resource is exported, instead of the clear password 
being exported, I get the base64 encoded version of the clear password 
as argument. This does not happen if I don't use a hiera-eyaml encrypted 
password.


Any idea why ?


I think that is because hiera-eyaml ends up returning ASCII-8bit encoded 
clear text strings which is then interpreted as potentially being binary 
and non UTF-8 compliant and therefore sent as a Binary (which gets 
encoded as Base64 text).


This problem should be fixed in hiera-eyaml as it should return Strings 
with UTF8 encoding. This may depend on the encoding of the original yaml 
file that hiera-eyaml read.


It is a bit difficult to check if what I suspect is true. I would write 
a function (or call a simple function such as "with()"), do a lookup and 
pass the value to the function, I would then use a debugger, set a 
breakpoint in the function, and check the encoding
of the string given to the function. To test what hiera-eyaml does 
requires debugging hiera-eyaml.


Some background:

Before puppet 6 the default format was JSON with fallback to PSON if 
strings were ascii-8bit. Since puppet 6, we use "rich-data encoding" by 
default and handle ascii-8bit as being Binary - and by not using PSON.


We did work on issues related to export to PDB from puppet and it may be 
that a newer puppet version does a better job with ascii-8bit that can 
be converted to UTF-8 without problems.


In summary, I think this should be logged as a ticket for hiera-eyaml.
Feel free to ping me on that ticket if the maintainers of hiera-eyaml 
need a hand with figuring things out.


Best,

- henrik



Puppet version: 6.0.4

Puppetdb version: 6.1.0

Puppetserver version: 6.0.2



--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/
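
The encoding effect described in the reply above, reproduced in plain Ruby as an added example that is not code from Puppet or hiera-eyaml. `serialize_param` is a hypothetical model of a serializer that ships ASCII-8BIT strings as Base64, and the sample secret is constructed.

```ruby
require 'base64'

# Constructed sample secret containing one non-ASCII character.
SAMPLE_SECRET = "s3cr\u00e9t-pw"

# Stand-in for a decryption backend that returns the right bytes but
# tags the String as ASCII-8BIT (Ruby's binary encoding).
def decrypted_like_backend(clear_text)
  clear_text.dup.force_encoding(Encoding::ASCII_8BIT)
end

# Hypothetical serializer following the rule described in the reply:
# a String tagged ASCII-8BIT is treated as binary and sent as Base64
# text, any other String is sent as it is.
def serialize_param(value)
  if value.encoding == Encoding::ASCII_8BIT
    { kind: :binary, base64: Base64.strict_encode64(value) }
  else
    value
  end
end

# Re-tag a binary-tagged String as UTF-8 only when its bytes are valid
# UTF-8. Genuinely binary data is returned untouched, so it still
# travels as Base64.
def utf8_if_valid(value)
  return value unless value.is_a?(String) && value.encoding == Encoding::ASCII_8BIT

  candidate = value.dup.force_encoding(Encoding::UTF_8)
  candidate.valid_encoding? ? candidate : value
end

# What to inspect at the breakpoint: the encoding tag and whether the
# bytes would pass as UTF-8. The secret itself is deliberately left out
# so the diagnostic can be logged.
def describe(value)
  {
    encoding: value.encoding,
    bytes: value.bytesize,
    valid_utf8: value.dup.force_encoding(Encoding::UTF_8).valid_encoding?
  }
end

if $PROGRAM_NAME == __FILE__
  raw = decrypted_like_backend(SAMPLE_SECRET)
  p describe(raw)                              # tagged binary, valid UTF-8 bytes
  p serialize_param(raw).class                 # Hash: exported as Base64
  p serialize_param(utf8_if_valid(raw)).class  # String: exported as text
end
```

If `describe` reports ASCII-8BIT together with `valid_utf8: true` for a looked-up value, the Base64 seen in the exported resource is the encoding tag at work, not a second layer of encryption.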



Re: [Puppet Users] Re: leading double colons (::) for class instances

2019-01-08 Thread Henrik Lindberg

On 2019-01-08 15:16, jcbollinger wrote:



On Monday, January 7, 2019 at 3:37:46 PM UTC-6, Matt Zagrabelny wrote:



On Mon, Jan 7, 2019 at 3:31 PM Matt Zagrabelny wrote:

Greetings puppet-users!

For many years I have been using the following convention for
including my classes:

class foo() {
     include ::profile::bar
}

I know I don't need the leading double colon for including
profile::bar, but at one point in time I thought it may have
been a best practice or it would help prevent some sort of
future pain point.

Is that still true? Was I ever correct?

Needed to spend 30 more seconds reading before hitting send. Sorry
for the noise!

https://github.com/voxpupuli/puppet-lint-absolute_classname-check/issues/3


Thanks for any additional feedback!


I observe that the voxpupuli thread slightly downplays the scope of the 
issue as it affected Puppet 3.  Puppet's (long since removed) relative 
name resolution scheme looked not just at the namespace in which the 
name was used, as the voxpupuli discussion seems to suggest, but also at 
every ancestor namespace, in order, until ultimately reaching top 
scope.  I'm not sure where to find P3 docs any longer, but this behavior 
is summarized in the description of PUP-121, the issue for removing 
that behavior.


That only rarely bit people, but it bit enough people, often enough, 
that for a time it was considered best practice to always use 
fully-qualified names (which is effectively what the `::` prefix 
produces).  But Puppet, Inc. decided that the negatives of relative name 
resolution outweighed the positives, including the positive of 
minimizing breaking changes, so relative name resolution was removed in 
Puppet 4.  Nowadays, the :: prefix is accepted for backwards 
compatibility, but it conveys no additional meaning.




Adding to what John said above:

There is no additional meaning for class names when it starts with '::', 
it does however make a difference when referencing variables. If a 
variable contains '::' (anywhere) it is always taken as an absolute 
reference starting from topscope. Thus something like '$::x' is the 
topscope $x, a '$x' is a local, inherited or topscope variable 'x', and 
'$x::y' and '$::x::y' are exactly the same thing.


- Henrik


John




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Elegant way to supply facts to `puppet apply`

2018-11-26 Thread Henrik Lindberg

On 2018-11-23 03:27, Abhijeet Rastogi wrote:

Hi everyone,


puppet lookup command has a nice --facts option which accepts a 
structured json/yaml file to upload files.


Why does that option not exist for puppet apply? Is the environment 
variable the only option?




There is a way to make it read other facts than the default getting the 
facts for the node apply is running on. To use that you need to change 
the facts terminus setting 
https://puppet.com/docs/puppet/5.3/indirection.html#yaml-terminus-1


Warning: That is not easy to use.

For puppet lookup we wanted something simpler and chose to expose the 
option directly as it is a common use case to experiment with lookup CLI 
and different facts.


Suggest you file a ticket with a feature request for puppet apply.

Best,
- henrik


Puppet version: 6.0.4

Thanks,
Abhijeet




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] while installing apache in puppet5 getting below error

2018-11-12 Thread Henrik Lindberg

On 2018-11-12 18:06, vinodkumar mannem wrote:
I am new to Puppet. I am trying to install Apache using Puppet code 
but I am getting the error below.

please help me how to resolve this issue.

Error: Could not retrieve catalog from remote server: Error 500 on 
SERVER: Server Error: Evaluation Error: A substring operation does not 
accept a String as a character index. Expected an Integer (file: 
/etc/puppetlabs/code/environments/production/modules/mediawiki/manifests/init.pp, 
line: 62, column: 25) on node puppet-slave.us-east-2.compute.internal

Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

this is is my init.pp file code
-

class mediawiki {
$phpmysql = $osfamily?{
   'RedHat' => 'php-mysql',
   'Debian' => 'php5-mysql',
   'Default' => 'php-mysql',
}
package{$phpmysql:
   ensure => 'present',
}
if $osfamily == 'RedHat'{
    package{'php-xml':
    ensure => 'present',
   }
  }
class {'::apache':
    docroot => '/var/www/html',
    mpm_module => 'prefork',
   subscribe  => package[$phpmysql],


The error message and the source does not line up - it says line 62, and 
there are far fewer lines here.


The error is in package[$phpmysql], where "package" is actually a 
string, and so is $phpmysql - you probably wanted "Package[$phpmysql]" 
since an upper case bare word is a reference to a data type.


- henrik


}
class {'::apache::mod::php':}
}


--this is my site.pp file
-
node 'puppet-slave'{
   class{'linux':}
   class{'mediawiki':}
  }
node 'puppet-slave1'{
   class{'linux':}
   class{'mediawiki':}
  }
class linux{
$httpdservice = $osfamily?{
   'RedHat'  => 'httpd',
   'Debian'  => 'apache',
   'Default' => 'httpd',
}
$admintools=['git','nano']
   package{
    $admintools:
    ensure => 'present',
  }

file{'/info.txt':
       ensure => 'present',
       content=> 'this is created by puppet',
  }
}



please somebody help me what could be the problem .how to resolve.





--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] create an array of hashes with reduce

2018-11-07 Thread Henrik Lindberg

On 2018-11-07 10:40, Arnau wrote:

Hi Henrik,

first of all, thanks for your answer.

On Tue, 6 Nov 2018 at 20:12, Henrik Lindberg 
(henrik.lindb...@puppet.com) wrote:

[...]

 > $dirs = ['static','media','photos']
 > $proxy = $dirs.reduce([ { 'path' => '/', 'url' =>
 > "http://localhost:${port}/" } ]) |$memo, $value| { $memo + [ { 'path' =>
 > "/$value/", 'url' => '!' } ] }
 > notify { "MemoOut: $proxy" : ;}
 >
 > If I puppet apply the above code the output looks like:

Avoid having  notify with a title containing [ ] - it can get very
confusing. Use a title like "testing", and set the message instead.


Ok, thanks. Then:
  notify {"test $name" :
     message => "static_served: ${apache[static_served]}",
  }
produces:
  defined 'message' as 'static_served: [static]'

/I need to enclose the hash in curly braces otherwise it shows the whole 
hash like:/
defined 'message' as 'Message {enable => true, servername => 
application, static_served => [static]}[static_served]'



You give the reduce an array with a hash in it, and you then append to
that array with an array containing a hash. The result will be an
array where each element is a hash.


Yes, exactly. That's what I need (if I have not misunderstood it) to 
pass to the proxy_pass parameter in the apache forge module:


  proxy_pass  =>  [
 {  'path'  =>  '/a',  'url'  =>  'http://backend-a/'  },
 {  'path'  =>  '/b',  'url'  =>  'http://backend-b/'  }, ]

[...]

 > I make this an array using any2array (array in puppet 5) so I can still
 > call the reduce function::
 >
 > $var=(Array("${apache['static_served']}"))
 >
 > so the /reduce /line now looks like:
 >
You are asking Array to create an array out of a string. It will
construct that as an array where each element is a single character
string.


Ah, ok, cause I'm passing the first element of the array and not the 
array to the Array function? And this is because of the quoting, right?


You probably wanted

$var = Array($apache['static_served'])

 > $_proxy_pass = $var.reduce([ { 'path' => '/', 'url' =>
 > "http://localhost:${port}/" } ]) |$memo, $value| { $memo + [ { 'path' =>
 > "/$value/", 'url' => '!' } ] }
 >
 > And here is where everything starts to make even less sense:
 >

You are now performing a reduce based on a sequence of single character
strings. This is indeed confusing as you have already gone off the road.


So, at the end it was as simple as calling the reduce function like:
$apache['static_served'].reduce

(I was using a larger hiera data and, in the very first application, 
the static_served array was empty, so reduce was failing all the time 
cause the array was empty... Damn!!)


now the code looks like:

if $apache['static_served'] {
     $_proxy_pass =  $apache['static_served'].reduce([ { 'path' => '/', 
'url' => "http://localhost:${port}/" } ]) |$memo, $value| { $memo + [ { 
'path' => "/$value/", 'url' => '!' } ] }

   }else{
    $_proxy_pass =  [ { 'path' => '/', 'url' => 
"http://localhost:${port}/" } ]

   }
   notify { "PROXY: $name" :
     message => $_proxy_pass,
   }

But the reduce is now not working:

Notice: {"path"=>"/", "url"=>"http://localhost:56902/"}
Notify[PROXY: application]/message: defined 'message' as {
'path' => '/',
'url' => 'http://localhost:56902/'
}


what am I doing wrong now?



Not sure - but I simplified your code, and this works:

test.pp
--
$apache = { 'static_served' => [ 'test1', 'test2'] }
$port = 

$start_value = [{
  'path' => '/',
  'url'  => "http://localhost:${port}/"
}]
$_proxy_pass = if $apache['static_served'] =~  Array {
  $apache['static_served'].reduce($start_value) |$memo, $value| {
    $memo + [{'path' => "/${value}/", 'url' => '!' }]
  }
} else {
  $start_value
}
notice($_proxy_pass)

>> puppet apply test.pp

Notice: Scope(Class[main]): [{path => /, url => http://localhost:/}, 
{path => /test1/, 

Re: [Puppet Users] create an array of hashes with reduce

2018-11-06 Thread Henrik Lindberg

On 2018-11-06 17:13, Arnau wrote:

Hi all,

I'm using puppet 5.3.

I'd like to build proxy_pass array of hashes using the /reduce/ Puppet 
built-in function and picking the values from a nested hash in hiera.


I first played a little bit with the reduce function:

$dirs = ['static','media','photos']
$proxy = $dirs.reduce([ { 'path' => '/', 'url' => 
"http://localhost:${port}/" } ]) |$memo, $value| { $memo + [ { 'path' => 
"/$value/", 'url' => '!' } ] }

notify { "MemoOut: $proxy" : ;}

If I puppet apply the above code the output looks like:



Avoid having  notify with a title containing [ ] - it can get very 
confusing. Use a title like "testing", and set the message instead.


You give the reduce an array with a hash in it, and you then append to 
that array with an array containing a hash. The result will be an
array where each element is a hash.


Notice: MemoOut: [{path => /, url => http://localhost:189/}, {path => 
/static/, url => !}, {path => /media/, url => !}, {path => /photos/, url 
=> !}]
Notice: /Stage[main]/Main/Node[default]/Notify[MemoOut: [{path => /, url 
=> http://localhost:189/}, {path => /static/, url => !}, {path => 
/media/, url => !}, {path => /photos/, url => !}]]/message: defined 
'message' as 'MemoOut: [{path => /, url => http://localhost:189/}, {path 
=> /static/, url => !}, {path => /media/, url => !}, {path => /photos/, 
url => !}]'


/To my eyes this is an array of hashes, and that's what I need to pass 
to the apache vhost define./


So, now I want to pick the array (list of directories) from a nested 
hash in hiera that look like:


   application:
     apache:
       enable: true
       servername: application
       static_served:
         - static

I have a define that picks the above hash. The array with the list of 
directories becomes "${apache['static_served']}" inside the define.

I can print it using notice ${apache['static_served']}":

Notice: static_served: application [static]

This looks like an array but /*is_array */says that this is *not *an 
array anymore.

And this is my first question, why it is not an array anymore?


I make this an array using any2array (array in puppet 5) so I can still 
call the reduce function::


$var=(Array("${apache['static_served']}"))

so the /reduce /line now looks like:


You are asking Array to create an array out of a string. It will
construct that as an array where each element is a single character string.

You probably wanted

$var = Array($apache['static_served'])

Which by the way is a no-op since $apache['static_served'] already is an 
array (as per the hiera data you supplied).


$_proxy_pass = $var.reduce([ { 'path' => '/', 'url' => 
"http://localhost:${port}/" } ]) |$memo, $value| { $memo + [ { 'path' => 
"/$value/", 'url' => '!' } ] }


And here is where everything starts to make even less sense:



You are now performing a reduce based on a sequence of single character 
strings. This is indeed confusing as you have already gone off the road.


Hope this helps you get back on track.

- henrik

If I print the output (using notice $_proxy_pass and )  and I get a 
weird output:


Notice: 
/Stage[main]/.../Python::Virtualenv[application]/Notify[PROXY_PASS: 
[{path => /, url => http://local
host:11080/}, {path => /[/, url => !}, {path => /s/, url => !}, {path => 
/t/, url => !}, {path => /a/, url => !}, {path => /t/, url => !}, {path 
=> /i/, url => !},
  {path => /c/, url => !}, {path => /]/, url => !}]]/message: defined 
'message' as 'PROXY_PASS: [{path => /, url => http://localhost:11080/}, 
{path => /[/, url => !
}, {path => /s/, url => !}, {path => /t/, url => !}, {path => /a/, url 
=> !}, {path => /t/, url => !}, {path => /i/, url => !}, {path => /c/, 
url => !}, {path => /

]/, url => !}]'

reduce is taking all letters from "static" instead of 'static' as the 
first (and unique) element from the array


Later, in my code, I configure the proxy_pass in the apache:vhost like:

apache::vhost { "${apache['servername']}":
[...]
proxy_pass     => "$_proxy_pass",
[...]

But, in the apache file, the proxy pass parameters  looks like

ProxyPass path url
  ProxyPassReverse path url
ProxyPass path url
  ProxyPassReverse path url
[...]

So it's picking the keys from the hashes in the above array of hashes 
and not the values.


I don't understand what is going on. Any help will be appreciated.

Best,
Arnau



Re: [Puppet Users] Set default param value based on another param

2018-10-08 Thread Henrik Lindberg

On 2018-10-08 08:44, Eirik Øverby wrote:

Hi,

Sorry for hijacking this thread, but it caught my interest.

My scenario is that I'd like to re-use the title of an nginx server instance 
in, say, the log file for that server instance. However, since I don't want to 
touch the nginx module itself, it seems I have to wrap its server class in one 
of my own to allow setting this kind of defaults - but I have found no way to 
use $title in this way.

The best would be if I could do something like this - assuming nginx::server is 
a module class already defined:
nginx::server {
   default:
 $access_log => "${nginx::logdir}/${mytitle}.log",
 ...,
   ;
   'my-fine-443-server':
 listen_port => 443,
   ;
}

Here it would also be helpful if I could somehow re-use the default values in 
the individual instances too - I might not know what the default values are, 
but I would know what to do with them (append '.log' for instance, or set 
listen_port to the same value as ssl_port or vice versa).

Even being able to do the following would be better than what we're currently 
doing, which is repeating the fully-typed access log line (and all the other 
similar entries) for every instance:
nginx::server { 'my-fine-443-server':
 $access_log => "${nginx::logdir}/${mytitle}.log",
 listen_port => 443,
}

Not sure how I could use functions here either, as I want this to happen at 
instantiation time, not in the module itself.

Am I hoping for too much? Missed something?



I have a bit of a hard time following this. You say assuming 
"nginx::server" is a class, but then it looks like it is a resource 
since it is instantiated with a title. Also don't understand what 
$mytitle is - is that supposed to be $title ?


(so, having complained ;-) some more perhaps useful tips follows...)

If you configure defaults for what you are wrapping via hiera, you can 
lookup the defaults in your wrapper.


If you want to assign multiple things at once. Here is an example:

  class original($foo, $bar, $etc) { }
  class { 'original':
    foo => 10,
    bar => 20,
    etc => 30,
  }
  # multi-assign from declared class, assigns all variables on the left
  # from the class - variables must exist in the class or an error is
  # raised
  [$foo, $bar, $etc] = Class['original']
  notice "${foo}, ${bar}, ${etc}"


There are tickets with a feature request to be able to say things like 
"my class takes the exact same parameters as some other class". We do 
not have an idea for what that would look like at this point. There is a 
Like[T] data type in the process of being added, but it would need to
(very tediously) be repeated for every parameter. New syntax in the 
language would be needed to support this a better way (i.e. very long 
fuse on that...)


Best advice; be explicit about defaults, and get them via hiera and use APL.

Hope something of this is of value.

Best,
- henrik


/Eirik


On 7 Oct 2018, at 11:35, Henrik Lindberg  wrote:

If you are on a reasonably modern Puppet version you should do it like this:

class myclass(
  String $base_dir,
  Optional[String] $conf_dir = "${base_dir}/conf"
) {
}

I tested it as well:

  class myclass(
    String $base_dir,
    Optional[String] $conf_dir = "${base_dir}/conf"
  ) {
    notice "base_dir = ${base_dir}, conf_dir = ${conf_dir}"
  }
  class { myclass: base_dir => 'yay' }

With the result:

  Notice: Scope(Class[Myclass]): base_dir = yay, conf_dir = yay/conf

And when executed like this:

  class myclass(
    String $base_dir,
    Optional[String] $conf_dir = "${base_dir}/conf"
  ) {
    notice "base_dir = ${base_dir}, conf_dir = ${conf_dir}"
  }
  class { myclass: base_dir => 'yay', conf_dir => 'not yay' }

The result is:

  Notice: Scope(Class[Myclass]): base_dir = yay, conf_dir = not_yay

Which I think is what you wanted.

If the logic you need for coming up with a default value is complex, it can be 
written as a function to which you present the input as arguments. The above 
could have been written:

function mymodule::conf_default(String $base) { "${base}/conf" }
class myclass(
  String $base_dir,
  Optional[String] $conf_dir = mymodule::conf_default($base_dir)
) {
}

Which for the case you showed is total overkill, but good to know if
you need something more complex in another place in your code.

Hope this helps.
Best,
- henrik




On 2018-10-06 18:15, 'Dan White' via Puppet Users wrote:

> You need to do like this:

class myClass (
  String $base_dir,
  Optional[String] $conf_dir,
) {
  # Assign to a local (unqualified) name: Puppet rejects assignment to a
  # qualified variable name
  if $myClass::conf_dir == undef {
    $actual_conf_dir = "$myClass::base_dir/conf"
  } else {
    $actual_conf_dir = $myClass::conf_dir
  }
 … and then use $myClass::actual_conf_dir in the templat

Re: [Puppet Users] Set default param value based on another param

2018-10-07 Thread Henrik Lindberg

If you are on a reasonably modern Puppet version you should do it like this:

class myclass(
  String $base_dir,
  Optional[String] $conf_dir = "${base_dir}/conf"
) {
}

I tested it as well:

  class myclass(
    String $base_dir,
    Optional[String] $conf_dir = "${base_dir}/conf"
  ) {
    notice "base_dir = ${base_dir}, conf_dir = ${conf_dir}"
  }
  class { myclass: base_dir => 'yay' }

With the result:

  Notice: Scope(Class[Myclass]): base_dir = yay, conf_dir = yay/conf

And when executed like this:

  class myclass(
    String $base_dir,
    Optional[String] $conf_dir = "${base_dir}/conf"
  ) {
    notice "base_dir = ${base_dir}, conf_dir = ${conf_dir}"
  }
  class { myclass: base_dir => 'yay', conf_dir => 'not yay' }

The result is:

  Notice: Scope(Class[Myclass]): base_dir = yay, conf_dir = not_yay

Which I think is what you wanted.

If the logic you need for coming up with a default value is complex, it 
can be written as a function to which you present the input as 
arguments. The above could have been written:


function mymodule::conf_default(String $base) { "${base}/conf" }
class myclass(
  String $base_dir,
  Optional[String] $conf_dir = mymodule::conf_default($base_dir)
) {
}

Which for the case you showed is total overkill, but good to know if
you need something more complex in another place in your code.

Hope this helps.
Best,
- henrik




On 2018-10-06 18:15, 'Dan White' via Puppet Users wrote:

> You need to do like this:

class myClass (
  String $base_dir,
  Optional[String] $conf_dir,
) {
  # Assign to a local (unqualified) name: Puppet rejects assignment to a
  # qualified variable name
  if $myClass::conf_dir == undef {
    $actual_conf_dir = "$myClass::base_dir/conf"
  } else {
    $actual_conf_dir = $myClass::conf_dir
  }

 … and then use $myClass::actual_conf_dir in the template
}


On Oct 3, 2018, at 12:41 PM, Jody Des Roches  wrote:

I'd like to set default values for parameters that will be passed to epp 
templates.  However, the default value is based on another parameter.  I 
understand that variables are immutable but this is a parameter that shouldn't 
be touched unless it wasn't set.

Here is an example construct with a few of my syntax attempts.

class myClass (
String $base_dir,
Optional[String] $conf_dir,
) {
#Attempt 1: Failed
if $myClass::conf_dir == undef { $myClass::conf_dir = "$myClass::base_dir/conf" 
}

#Attempt 2: Failed
if !$myClass::conf_dir { $myClass::conf_dir = "$myClass::base_dir/conf" }

#Attempt 3: Failed
unless $myClass::conf_dir { $myClass::conf_dir = "$myClass::base_dir/conf" }
}

--
You received this message because you are subscribed to the Google Groups "Puppet 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/8e2db8c1-7353-4360-adc5-00713e1c0214%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.





--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Remove key&value from hash

2018-09-21 Thread Henrik Lindberg

On 2018-09-20 10:17, Albert Shih wrote:

Le 19/09/2018 à 16:00:20+0200, Henrik Lindberg a écrit

On 2018-09-19 15:24, Albert Shih wrote:


I would like to have a profile, for example for apache.

profile::apache

who can pass some hash to apache. For example let's say I've

profile::apache::vhosts:
  vhost1:
  
  vhost2:
  

and I want to do

class profile::apache (
Hash $vhosts
)
{

create_resources('apache::vhost', $vhosts)

}

But now I want to add some parameter who's not in the apache::vhost, for
example :

profile::apache::vhosts:
  vhost1:
- monitored : true

  vhost2:
- monitored : false


so before I can do the

create_resources('apache::vhost', $something)

i need to exclude « monitored » from that hash table. And...I don't know
how to do that. I try map, reduce etc.. and was unable to exclude some
nested key/value from a hash.

Regards



Puppet has a function named tree_each() that can be used to flatten and
filter a tree structure of data. Once filtered it is possible to again
create a Hash out of the result.

Documentation here:
https://puppet.com/docs/puppet/5.5/function.html#treeeach

Here are two examples (both from the documentation; the first from
tree_each(), and the second from Hash.new()).


THANKS.I would check on that.



The first example shows the flattened filtered value.
To get the pruned hash in that example, do what is done in
Example 2 at the end - i.e. Hash($flattened_pruned_value, 'hash_tree').

It is really difficult to achieve the same with just reduce() and
filter() functions - you would have to more or less implement


I concur  ;-)


the tree_each() function - but you don't have to since puppet has it :-)

Hope this helps you with what you were trying to do.

Also - note that it may be better for you (instead of filtering your values
and then give the resulting structure to create_resources()), to
iterate over the structure and then simply have conditional logic
around the declaration of resources. That is much less magic to read.


I know that, and generally that would be my solution, but the point is
apache::vhost got a *lot* of attributes..and it's very boring to add
all attributes or change my module each time I need a new attribute from
apache::vhost.



Do you know that you can apply a hash of attribute-name to value at 
once? Here is a simple example with a notify setting the message in a 
hash (just to show you how). You can have as many attributes to value 
mappings you like.


$hash = { 'message' => 'set via a wildcard' }
notify { example:
  * => $hash
}

This way, you can look things up from hiera and apply all of the 
attributes at once.


Best,
- henrik





Best
- henrik

Encourage you to play with these examples:

 EXAMPLE 1
# A tree of some complexity (here very simple for readability)
$tree = [
  { name => 'user1', status => 'inactive', id => '10'},
  { name => 'user2', status => 'active', id => '20'}
]
notice $tree.tree_each.filter |$v| {
  $value = $v[1]
  $value =~ Hash and $value[status] == active
}


 EXAMPLE 2

# A hash tree with 'water' at different locations
$h = { a => { b => { x => 'water'}}, b => { y => 'water'} }

# a helper function that turns water into wine
function make_wine($x) { if $x == 'water' { 'wine' } else { $x } }

# create a flattened tree with water turned into wine
$flat_tree = $h.tree_each.map |$entry| { [$entry[0], make_wine($entry[1])] }

# create a new Hash and log it
notice Hash($flat_tree, 'hash_tree')


Nice !!!.

Regards.

--
Albert SHIH
DIO bâtiment 15
Observatoire de Paris
xmpp: j...@obspm.fr
Heure local/Local time:
Thu Sep 20 10:12:55 CEST 2018




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/
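
The approach suggested in this thread (iterate over the structure, keep the conditional logic next to the declaration, and pass the remaining attributes with `* =>`), as an added example that is not code from the thread. It assumes each vhost entry in Hiera is a hash of attributes and that `monitored` is the only profile-only key; `profile::monitoring::http_check` is a hypothetical defined type standing in for whatever consumes the flag.

```puppet
# Constructed Hiera data this example assumes (the thread's own data is elided):
#
#   profile::apache::vhosts:
#     vhost1.example.com:
#       port: 80
#       docroot: '/var/www/vhost1'
#       monitored: true
#     vhost2.example.com:
#       port: 80
#       docroot: '/var/www/vhost2'
#       monitored: false

class profile::apache (
  Hash[String, Hash] $vhosts = {},
) {
  # Keys consumed by this profile. They must never reach apache::vhost,
  # because a defined type fails on attributes it does not declare.
  $profile_only_keys = ['monitored']

  $vhosts.each |String $vhost_name, Hash $settings| {
    # filter() on a Hash with a two-parameter lambda returns a new Hash
    # holding only the entries for which the block is true.
    $vhost_attributes = $settings.filter |$key, $value| {
      !($key in $profile_only_keys)
    }

    # Splat the remaining attributes, so new apache::vhost parameters can be
    # set in Hiera without touching this class.
    apache::vhost { $vhost_name:
      * => $vhost_attributes,
    }

    # The conditional sits beside the declaration instead of being hidden
    # in a pre-filtered structure. A missing key is undef, which is false.
    if $settings['monitored'] {
      # Hypothetical defined type, named here only for illustration.
      profile::monitoring::http_check { $vhost_name: }
    }
  }
}
```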



Re: [Puppet Users] Re: hiera can't find facts to read hierarchy files?

2018-09-19 Thread Henrik Lindberg

On 2018-09-19 17:41, ch...@fuzzyblender.com wrote:

Hi Sean,

I'm having the same issue, and I see what you said, I'm just too new to 
puppet.  Would it be possible for you (or others) to expand on how you 
fixed this (with an example)?


Chris



I had responded to Sean in an email - reposting it here now:

How did you run `puppet lookup` ?
If you gave it a node with --node it will use the stored facts for that 
node, otherwise you have to give it the facts to use for that node.
If not specifying a --node, lookup will use the facts for the host where 
you are running `puppet lookup`.


Maybe that is what is tricking you?

Try running with `puppet apply --debug` when testing - that turns on 
logging of --explain from all lookups including those made via APL.

When you do that, are the paths set?

Still having weird problems? Check your axioms - are you running the 
expected file in the expected environment etc.


- henrik


On Wednesday, November 29, 2017 at 11:15:49 AM UTC-6, Sean wrote:

Thanks to PuppetLab's Mr. Lindberg who helped get my troubleshooting
focused in the right direction.

Basically, I forgot to add my new parameters to the class parameter
definitions in the module's init.pp.

DOH!

On Tuesday, November 28, 2017 at 4:53:42 PM UTC-5, Sean wrote:

Hi,
I'm quite confused about how I could have created this problem. 
I have a module we'll call it "test" which has been using Hiera
v5 module data for the last couple of releases...this works
great on either puppet 4 or 5...as expected.

Last week added a feature, which involved adding 1 new manifest
file (which creates concat::fragment resources), 2 parameters to
a hiera data file, and adding 2 concat file resources, each
named by one of those parameters, to an existing manifest file
(existing.pp below).  Fairly simple and straight forward
change.  The parser passes the syntax checks for everything
involved in the change.

I have tested on both puppet 4 and 5 using a pair of centos7
vms, both produce the same result.

# puppet apply -e "include test"
Warning: Unknown variable: 'test::dconf_default_config'. at /etc/puppetlabs/code/environments/production/modules/test/manifests/existing.pp:186:12
Error: Evaluation Error: Missing title. The title expression resulted in undef at /etc/puppetlabs/code/environments/production/modules/test/manifests/existing.pp:186:12 on node localhost.localdomain

This parameter is the filename of the concat resource mentioned
above.  Running a puppet lookup (on either v4 or v5) produces
this output for the module data section:

Module "test" Data Provider (hiera configuration version 5)
  Using configuration "/etc/puppetlabs/code/environments/production/modules/test/hiera.yaml"
  Hierarchy entry "Full Version"
    Path "/etc/puppetlabs/code/environments/production/modules/test/data/-.yaml"
      Original path: "%{facts.os.name}-%{facts.os.release.full}.yaml"
      Path not found
  Hierarchy entry "Major Version"
    Path "/etc/puppetlabs/code/environments/production/modules/test/data/-.yaml"
      Original path: "%{facts.os.name}-%{facts.os.release.major}.yaml"
      Path not found
  Hierarchy entry "Distribution Name"
    Path "/etc/puppetlabs/code/environments/production/modules/test/data/.yaml"
      Original path: "%{facts.os.name}.yaml"
      Path not found
  Hierarchy entry "Operating System Family + Major Version"
    Path "/etc/puppetlabs/code/environments/production/modules/test/data/-.yaml"
      Original path: "%{facts.os.family}-%{facts.os.release.major}.yaml"
      Path not found
  Hierarchy entry "Operating System Family"
    Path "/etc/puppetlabs/code/environments/production/modules/test/data/.yaml"
      Original path: "%{facts.os.family}.yaml"
      Path not found
  Hierarchy entry "common"
    Path "/etc/puppetlabs/code/environments/production/modules/test/data/common.yaml"
      Original path: "common.yaml"
      No such key: "test::dconf_default_config"

See how all the Hierarchy Paths have bad file names?  This leads
me to think that somehow Hiera has lost the ability to parse
facts in my feature branch of this module.  If I check the
master branch out for the "test" module then Hiera produces the
correct datafile names.

How can that be?


Re: [Puppet Users] Remove key&value from hash

2018-09-19 Thread Henrik Lindberg

On 2018-09-19 15:24, Albert Shih wrote:

Hi,

I would like to have a profile, for example for apache.

   profile::apache

who can pass some hash to apache. For example let's say I've

   profile::apache::vhosts:
 vhost1:
 
 vhost2:
 

and I want to do

class profile::apache (
   Hash $vhosts
   )
{

   create_resources('apache::vhost', $vhosts)

}

But now I want to add some parameter who's not in the apache::vhost, for
example :

   profile::apache::vhosts:
 vhost1:
   - monitored : true
   
 vhost2:
   - monitored : false
   

so before I can do the

   create_resources('apache::vhost', $something)

i need to exclude « monitored » from that hash table. And...I don't know
how to do that. I try map, reduce etc.. and was unable to exclude some
nested key/value from a hash.

Regards



Puppet has a function named tree_each() that can be used to flatten and 
filter a tree structure of data. Once filtered it is possible to again 
create a Hash out of the result.


Documentation here: 
https://puppet.com/docs/puppet/5.5/function.html#treeeach


Here are two examples (both from the documentation; the first from 
tree_each(), and the second from Hash.new()).


The first example shows the flattened filtered value.
To get the pruned hash in that example, do what is done in
Example 2 at the end - i.e. Hash($flattened_pruned_value, 'hash_tree').

It is really difficult to achieve the same with just reduce() and
filter() functions - you would have to more or less implement
the tree_each() function - but you don't have to since puppet has it :-)

Hope this helps you with what you were trying to do.

Also - note that it may be better for you (instead of filtering your 
values and then give the resulting structure to create_resources()), to
iterate over the structure and then simply have conditional logic
around the declaration of resources. That is much less magic to read.

Best
- henrik

Encourage you to play with these examples:

 EXAMPLE 1
# A tree of some complexity (here very simple for readability)
$tree = [
 { name => 'user1', status => 'inactive', id => '10'},
 { name => 'user2', status => 'active', id => '20'}
]
notice $tree.tree_each.filter |$v| {
 $value = $v[1]
 $value =~ Hash and $value[status] == active
}


 EXAMPLE 2

# A hash tree with 'water' at different locations
$h = { a => { b => { x => 'water'}}, b => { y => 'water'} }

# a helper function that turns water into wine
function make_wine($x) { if $x == 'water' { 'wine' } else { $x } }

# create a flattened tree with water turned into wine
$flat_tree = $h.tree_each.map |$entry| { [$entry[0], make_wine($entry[1])] }

# create a new Hash and log it
notice Hash($flat_tree, 'hash_tree')






--
Albert SHIH
DIO bâtiment 15
Observatoire de Paris
xmpp: j...@obspm.fr
Heure local/Local time:
Wed Sep 19 14:50:21 CEST 2018




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Re: Exported resource realized by resource collector, bug?

2018-09-14 Thread Henrik Lindberg

On 2018-09-14 17:13, Julio Guevara wrote:

/The <| |> operator finds ALL resources (regular, virtual and exported)
that match. It realizes those that are not already realized.

The <<| |>> operator finds ONLY exported resources./

If that is the case, maybe documentation is misleading since it makes 
a clear distinction between the two types of collectors. 


Yes, it is as it does not say that it works on all kinds of resources 
which allows the reader to think that it is linked to them being 
virtual. Feel free to add a ticket for documentation in Puppet's Jira.


I will see if I 
can come up with another solution for my code but with such limited set 
of logical operators it will be hard. I think it would be easier to just 
make a query with puppetdb_query and then import exported resources that 
match my criteria correctly.


That is what I recommend and what most users end up doing when their use 
case is not super trivial and works with the limitations of the collectors.


Best,
- henrik



Thanks

On Fri, Sep 14, 2018 at 8:07 AM Henrik Lindberg <henrik.lindb...@puppet.com> wrote:


On 2018-09-14 14:47, jcbollinger wrote:
 >
 >
 > On Friday, September 14, 2018 at 3:10:59 AM UTC-5, Johan De Wit wrote:
 >
 >     Hi,
 >
 >     check this ticket. https://tickets.puppetlabs.com/browse/PUP-6723
 >
 >
 >     It is hard to explain, but the 'and' a resource collector does not
 >     behave like the 'boolean and' as we expect this.
 >
 >
 >
 > I don't follow, Jo.  The issue described here is not about the search
 > expression, but the fact that an /ordinary/ resource collector imports
 > /exported/ resources declared by the node.  The presence or details of a
 > search expression is not relevant -- under no circumstances should this
 > happen.
 >
 > If this behavior is in fact happening, then I'd guess that Puppet is
 > failing to distinguish between (1) resources exported by the target node
 > and not imported, and (2) resources exported by any arbitrary node and
 > imported for the target node.  Alternatively, perhaps Puppet is more
 > simply just failing to distinguish between exported and virtual
 > resources declared by the target node.
 >

The <| |> operator finds ALL resources (regular, virtual and exported)
that match. It realizes those that are not already realized.

The <<| |>> operator finds ONLY exported resources.

The query must thus be written to take that into account.
And THAT is where it becomes important how the != and == operators
actually work.

(I am in no way defending the way it works, but it will be very
difficult to change without difficult to find silent backwards
incompatibilities).

- henrik

 >
 > John
 >


-- 


Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/


Re: [Puppet Users] Re: Exported resource realized by resource collector, bug?

2018-09-14 Thread Henrik Lindberg

On 2018-09-14 14:47, jcbollinger wrote:



On Friday, September 14, 2018 at 3:10:59 AM UTC-5, Johan De Wit wrote:

Hi,

check this ticket. https://tickets.puppetlabs.com/browse/PUP-6723



It is hard to explain, but the 'and' a resource collector does not
behave like the 'boolean and' as we expect this.



I don't follow, Jo.  The issue described here is not about the search 
expression, but the fact that an /ordinary/ resource collector imports 
/exported/ resources declared by the node.  The presence or details of a 
search expression is not relevant -- under no circumstances should this 
happen.


If this behavior is in fact happening, then I'd guess that Puppet is 
failing to distinguish between (1) resources exported by the target node 
and not imported, and (2) resources exported by any arbitrary node and 
imported for the target node.  Alternatively, perhaps Puppet is more 
simply just failing to distinguish between exported and virtual 
resources declared by the target node.




The <| |> operator finds ALL resources (regular, virtual and exported) 
that match. It realizes those that are not already realized.


The <<| |>> operator finds ONLY exported resources.

The query must thus be written to take that into account.
And THAT is where it becomes important how the != and == operators
actually work.

(I am in no way defending the way it works, but it will be very 
difficult to change without difficult to find silent backwards 
incompatibilities).


- henrik



John




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Re: Exported resource realized by resource collector, bug?

2018-09-14 Thread Henrik Lindberg

On 2018-09-14 10:10, Johan De Wit wrote:

Hi,

check this ticket. https://tickets.puppetlabs.com/browse/PUP-6723


It is hard to explain, but the 'and' a resource collector does not 
behave like the 'boolean and' as we expect this.




It is not AND that is different; it is the == and != query operators 
that must be understood. The == acts as "in" but != is an *exact* match 
operator just like in puppet.


So, to find those that have neither 'pre' nor 'post' you would want to
write the following, only you cannot because the NOT operator is not 
supported !!!


<| not(tag == 'pre' or tag == 'post') |>  # gives error for not()

The expression:

  tag != 'pre' and tag != 'post'

works only if tag is not an array (which it almost always is)

Consider this:

@notify { 'a': tag => 'blue' }
@notify { 'b': tag => 'green'}
@notify { 'c': tag => ['blue', 'green'] }
@notify { 'd': tag => 'red' }
@notify { 'e': tag => ['red', 'blue'] }

Notify <| tag != 'blue' and tag != 'green' |> { }

It will realize c, d, and e.

c because the array is != 'blue' and is also != 'green'
d because 'red' != 'blue' and 'red' != 'green'
e because again, the array is != to either 'blue' nor 'green'

If you think that you can compare using an array, like this:

<| tag != ['blue', 'green'] |>

then you will also be disappointed because that is also not supported
and will give you an error since array values are not supported in the 
query.


The documentation actually points out that the behavior is undefined for 
arrays and hashes. That is its way of saying "it is a mess". How it
actually works (since way back) is what I described above.

You need to find a different way of structuring your logic.
I doubt that virtual/exported resources and features around those will 
receive much love as there have been talks about dropping both virtual 
and exported resources altogether (at the moment we have no better 
replacement for the features they enable, so this will not happen 
overnight).


Worth noting is also that using tags extensively is not a very robust 
solution since there is no way you can know if your tags are unique or 
not or if you will find elements by chance that are tagged with 
something from part of a name in some scope. If you must use tags,
use tags that are as unique as possible. (More than one user has been
bitten by this).

Sorry for being the bearer of bad news.
Best,

- henrik



Grts

Jo


-Original message-
*From:* jcbollinger 
*Sent:* Thursday 13th September 2018 15:50
*To:* Puppet Users 
*Subject:* [Puppet Users] Re: Exported resource realized by resource
collector, bug?



On Wednesday, September 12, 2018 at 3:20:12 PM UTC-5, Julio Guevara
wrote:

So I'm working with puppet 5.5.1 and I have encountered what I
think is a bug.

So on my site.pp i have the following line for ordering my
firewall rules:

site.pp
-
if $::kernel == 'Linux' {
  # Make sure every firewall rule not pre or post is created in
  # the middle
  Firewall <| tag != 'pre' and tag != 'post' |> {
    before +> Class['profiles::fw_rules::post'],
    require +> Class['profiles::fw_rules::pre'],
  }
}

Then on another class I'm doing the following (This is a class
for a postgresql client):

@@firewall { "222 tcp:5432 pgpool from ${::ipaddress}/32" :
  action => 'accept',
  source => "${::ipaddress}/32",
  dport => '5432',
  proto => 'tcp',
  tag => [ $tag, 'postgresql_client' ],
}

On the postgresql servers I do:

# Grab all firewall rules created for this cluster
Firewall <<| tag == $tag and tag == 'postgresql_client' |>>

I would expect that the rule to only appear on the postgresql
server, but what ends up happening is that the rule is realized
on both the server and the client.

On the documentation for resource collector
(https://puppet.com/docs/puppet/5.5/lang_collectors.html#exported-resource-collectors):
Collectors realize virtual resources, are used in chaining
statements, and override resource attributes.

on that very same page we have the following for exported
resource collectors:
An exported resource collector uses a modified syntax that
realizes exported resources and imports resources published by
other nodes.

Has anybody else found a similar issue?


I do not recall encountering this issue myself, but I concur that I
expect ordinary resource collectors to /not/ collect exported
resources, no matter what node declares them.  Although exported
resources and exported resource collectors are both syntactically
and semantically /anal
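
One way to restructure the ordering logic discussed in this thread so that it does not depend on `!=`, as an added example that is not code from the thread: because `==` matches when the value is one of a resource's tags, a positive, deliberately unique tag selects exactly the intended resources. The tag name `acme_fw_middle` is a hypothetical placeholder, and `notify` resources stand in for `firewall` rules.

```puppet
# Constructed sample resources, modelled on the a..e example in the thread.
$middle = 'acme_fw_middle'   # hypothetical tag, chosen to be unique

# Stand-ins for the 'pre' and 'post' rule classes.
notify { 'pre rules': }
notify { 'post rules': }

# Ordinary rules opt in to the ordering by carrying the unique tag.
@notify { 'a': tag => ['blue', $middle] }
@notify { 'b': tag => ['green', $middle] }
@notify { 'd': tag => ['red', $middle] }

# Not opted in: never matched, whatever else these are tagged with.
# A resource exported for other nodes belongs in this group, so the
# ordinary collector below leaves it alone.
@notify { 'c': tag => ['blue', 'green'] }
@notify { 'e': tag => ['red', 'blue'] }

# With "tag != 'blue' and tag != 'green'" the collector matched c, d and e,
# because an array of tags is never equal to a single string. With == the
# test is "is this one of the resource's tags", so only a, b and d are
# realized and ordered between the pre and post stand-ins.
Notify <| tag == $middle |> {
  require +> Notify['pre rules'],
  before  +> Notify['post rules'],
}
```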

Re: [Puppet Users] New Deferred type and agent data lookups in Puppet 6

2018-09-01 Thread Henrik Lindberg

On 2018-09-01 01:40, Rob Nelson wrote:

This sounds great. My only concern is that I don’t see tests mentioned in the 
example. Will rspec-puppet be updated at the same time so that we can test 
deferred functions out of the gate? If so, I’d love to see what that looks 
like, in case we have any comments on that. Mocking some things like facts and 
functions is a little clunky at times. Hopefully deferred function mocking will 
be a little easier. Thanks.



There is no difference between a regular function and one that is called 
in a deferred way. You can unit test functions that will run on the 
agent the same way as regular functions.


- henrik
--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] user resource on darwin throws "undefined method `each' for nil:NilClass"

2018-08-31 Thread Henrik Lindberg

On 2018-08-31 20:23, Peter K wrote:

I'm getting this error when I try and create a user on osx:
'''Error: Failed to apply catalog: undefined method `each' for 
nil:NilClass'''


My code looks like this:

'''  class fakeadmin2 {
   user { 'fakeadmin2':
     name    => 'fakeadmin2',
     ensure  => 'present',
     uid       => '504',
     gid       => '501',
     home   => '/Users/fakeadmin2',
   }
}'''

ubuntu server package: puppetserver    2.8.0-1puppetlabs1

puppet master 4.10.9
puppet agent version 4.10.9


Any help with how to debug this would be helpful too.


A stack trace is required to have any guess at what is going wrong. (Run 
puppet apply with --trace)


Also check here (https://puppet.com/docs/puppet/4.10/release_notes.html) 
for release notes for versions newer than 4.10.9 (think we are up to 12 
now).



- henrik


thx




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Re: New Deferred type and agent data lookups in Puppet 6

2018-08-31 Thread Henrik Lindberg

On 2018-08-31 20:12, Ben Ford wrote:
In general, you're going to want to be cautious about using agent-side 
functions. It might be simpler to gather information during run time in 
some cases, but it makes your catalog more black-box and unpredictable. 
Here are just a couple concerns:


You lose some of the ability to look at the facts and look at the code 
and know what the outcome will be because the enforcement also depends 
on the output of some lazy bound agent function. For example, if you 
have code that uses the $hostname fact, you can validate that the 
$hostname fact actually resolved to something useful and raise an error 
if not. You can even fail the compile and enforce the last cached 
catalog until you can fix it. If that were an agent side function, you 
won't have any warning before things break.


You also make your catalogs less repeatable. For example, if you push 
out a codebase update and it doesn't work how you want it to, then you 
can roll back the code, or the hiera data, or the classification as 
needed. You've got a pretty good expectation that your configuration 
will return to a working state (with obvious exceptions). You could even 
revert to that config version a year later. But if you depend on agent 
side functions, you don't have as strong an expectation because the 
agent state that might affect the output of the function isn't versioned 
with the codebase. It's effectively an uncontrolled variable.


I'm not trying to discourage you from using agent side functions. In 
fact, I'm about to do some work on node_encrypt[1] to make it usable as 
a Deferred function and I'm really excited because that means that on 
Puppet 6, it will no longer be limited to only File types. But I do want 
you to be aware of what you're trading it for so you can make an 
informed decision.




There is an Encrypted data type coming soon along with a decrypt 
function (there is a PR for it, but we are running out of time to 
complete it for puppet 6). Want to help out on that? Ping me.


- henrik

The tl;dr is that these concerns essentially boil down to the fact that 
your configuration state will no longer be fully represented in the 
catalog. So make sure you account for that when evaluating your options.


[1] https://forge.puppet.com/binford2k/node_encrypt

On Fri, Aug 31, 2018 at 10:42 AM Henrik Lindberg 
<henrik.lindb...@puppet.com> wrote:


On 2018-08-31 13:33, bert hajee wrote:
 > Lindsey,
 >
 > Is it just meant for this use case? I can think of other situations where
 > it might be very valuable to fetch a value at run-time on the agent. Now
 > whenever we have to get the current state, we need to make a fact. If we
 > can make deferred functions for that that would make things much more
 > simple. I'm not sure if it still is "The Puppet way". Like to hear
 > any thoughts on that.
 >
 > Bert
 >
 >

Consider a cached catalog - with Deferred values that cached catalog can
stay the same for as long as it is only the deferred values that need to
change (and that they can be obtained locally or from service).

Without use of cached catalog, Deferred values are good for things
that must or are much better suited to be computed fresh on the agent.

- henrik

 > On Friday, 31 August 2018 02:11:52 UTC+2, Lindsey Smith wrote:
 >
 >     Hi all,
 >
 >     We wanted to let you know about an upcoming capability, the Deferred
 >     type, that is now present in Puppet 6 nightlies and will be part of
 >     the Puppet 6.0 release.
 >
 >     A longstanding request has been to allow agents to fetch data for
 >     themselves at catalog application time. One key use case for this is
 >     getting secrets directly from a store like Conjur, Vault or Consul.
 >     Without this capability the master has to be in the middle and
 >     secret values are passed in catalogs around more than is necessary.
 >
 >     The solution in Puppet 6 is the Deferred type. A Deferred value
 >     describes a function call to be made in the future and when placing
 >     it in a catalog the agent will replace it with the result of calling
 >     the wrapped function before it continues with application as normal.
 >
 >     Of course, for the agent to actually fetch data from a keystore the
 >     function has to exist on the agent side and be loaded during a run.
 >     In Puppet 6.0, these functions will be downloaded from the master
 >     via pluginsync from the lib/puppet/functions directory in modules,
 >     then loaded during an agent run. Though Deferred is intended
 >     pri

Re: [Puppet Users] Re: New Deferred type and agent data lookups in Puppet 6

2018-08-31 Thread Henrik Lindberg

On 2018-08-31 13:33, bert hajee wrote:

Lindsey,

Is it just meant for this use case? I can think of other situations where 
it might be very valuable to fetch a value at run-time on the agent. Now 
whenever we have to get the current state, we need to make a fact. If we 
can make deferred functions for that that would make things much more 
simple. I'm not sure if it still is "The Puppet way". Like to hear 
any thoughts on that.


Bert



Consider a cached catalog - with Deferred values that cached catalog can 
stay the same for as long as it is only the deferred values that need to 
change (and that they can be obtained locally or from service).


Without use of cached catalog, Deferred values are good for things
that must or are much better suited to be computed fresh on the agent.

- henrik


On Friday, 31 August 2018 02:11:52 UTC+2, Lindsey Smith wrote:

Hi all,

We wanted to let you know about an upcoming capability, the Deferred
type, that is now present in Puppet 6 nightlies and will be part of
the Puppet 6.0 release.

A longstanding request has been to allow agents to fetch data for
themselves at catalog application time. One key use case for this is
getting secrets directly from a store like Conjur, Vault or Consul.
Without this capability the master has to be in the middle and
secret values are passed in catalogs around more than is necessary.

The solution in Puppet 6 is the Deferred type. A Deferred value
describes a function call to be made in the future and when placing
it in a catalog the agent will replace it with the result of calling
the wrapped function before it continues with application as normal.

Of course, for the agent to actually fetch data from a keystore the
function has to exist on the agent side and be loaded during a run.
In Puppet 6.0, these functions will be downloaded from the master
via pluginsync from the lib/puppet/functions directory in modules,
then loaded during an agent run. Though Deferred is intended
primarily for agents running with a master, it does work in the same
way with an agent only.

https://gist.github.com/turbodog/06d3fecef403bfefd9c8174ede4d9174 has
more explanation and walks you through a simple Deferred function
example. Work on this is tracked in PUP-8711 and updating the
Puppet specification for Deferred is a work in progress happening
here: https://github.com/puppetlabs/puppet-specifications/pull/122


If you have other use cases for Deferred we’d love to hear what
those are.

Lindsey





--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Re: New Deferred type and agent data lookups in Puppet 6

2018-08-31 Thread Henrik Lindberg

On 2018-08-31 15:12, R.I.Pienaar wrote:



On Fri, 31 Aug 2018, at 15:03, Chadwick Banning wrote:

Would it be safe to consider this in a general context i.e. as enabling
agent-side function execution?


I don't think so - for general function calls to be usable you want to get the 
value and then do some conditional logic on it, or put it in a variable and 
use it in another resource etc.

That is not what this is for, this is a based placeholder to later be replaced 
by the value - you cannot do any conditionals etc with it.

Imagine something like:

mysql::user{"bob":
   password => Deferred(vault_lookup, "bob_pass")
}

(I am just making this syntax up, this is presumably not how it will look)

Here it's fine because it's a simple interpolation into a value, you can't do more 
complex things with this design.

Anyway that's my understanding, Henrik might chime in too



Your example is good, except arguments are in an array - so

   password => Deferred(vault_lookup, ["bob_pass"])

Note that a Deferred can take Deferred arguments. That means that the 
deferred arguments will be resolved before the Deferred they are 
arguments to is resolved. It does however not resolve Deferred values 
created on the agent side during the resolution process (so you cannot 
build loops with this).


If wanting to do really advanced things - it is possible to write 
functions that take puppet language source code as argument and 
evaluates that in the agent context.

The puppet context that is available is a "scripting context" with the 
same restrictions as for Bolt (you cannot evaluate catalog related 
expressions).

The order among the top-level deferred (i.e. various resource attributes 
containing a deferred value) is undefined. And all resolution occurs 
before the catalog is applied. The puppet context used during resolution 
is gone by the time the catalog application starts.


Hope that provides a glimpse into some advanced stuff that could be
implemented with this, as well as some of the constraints regarding
what you cannot do.

- henrik


--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Re: New Deferred type and agent data lookups in Puppet 6

2018-08-31 Thread Henrik Lindberg

On 2018-08-31 18:28, R.I.Pienaar wrote:



On Fri, 31 Aug 2018, at 17:41, Chadwick Banning wrote:

So for this example, there are some sort of limitations as to what the
'vault_lookup' function is able to do internally? I had just assumed that
as long as the function returned a simple value, what the function does
internally was open.

As an example, could Deferred be used to read and extract a value from a
file agent-side?



The function can do whatever it wants but needs to return a value and that 
value has to be used by a resource and not mixed in with some other strings 
etc. In my example deferred as the entire value to a resource property is good, 
deferred and then any derived data from it won't work.

You can't for example, as far as I understand it, have the function lookup a 
piece of data and then use that data in a template via template() and epp().  
Those are processed entirely on the master.


You can have nested Deferred values, they are resolved as you expect.

Have not tried, but I think inline templates would work so you get 
template rendering on the agent side.


- henrik





On Fri, Aug 31, 2018 at 9:12 AM R.I.Pienaar  wrote:




On Fri, 31 Aug 2018, at 15:03, Chadwick Banning wrote:

Would it be safe to consider this in a general context i.e. as enabling
agent-side function execution?


I don't think so - for general function calls to be usable you want to get
the value and then do some conditional logic on it, or put it in a
variable and use it in another resource etc.

That is not what this is for, this is a based placeholder to later be
replaced by the value - you cannot do any conditionals etc with it.

Imagine something like:

mysql::user{"bob":
   password => Deferred(vault_lookup, "bob_pass")
}

(I am just making this syntax up, this is presumably not how it will look)

Here it's fine because it's a simple interpolation into a value, you can't do
more complex things with this design.

Anyway that's my understanding, Henrik might chime in too





--
Chadwick Banning







--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/
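
The constraints discussed in this thread (arguments passed as an array, a nested Deferred resolved before the one it is an argument to, and template rendering on the agent through inline_epp), shown as an added example that is not from any of the posts. The function name `mymodule::secret_lookup` and the file paths are hypothetical.

```puppet
# Added example. 'mymodule::secret_lookup' is a hypothetical agent-side
# function; it has to live in a module's lib/puppet/functions directory so
# that pluginsync delivers it to the agent.

# The catalog carries only this placeholder, not the secret itself.
# Arguments are always given as an array.
$bob_pass = Deferred('mymodule::secret_lookup', ['bob_pass'])

# Works: the Deferred is the entire attribute value.
file { '/etc/myapp/db_password':   # hypothetical path
  ensure  => file,
  owner   => 'root',
  mode    => '0600',
  content => $bob_pass,
}

# Heredoc without interpolation, so $password stays literal EPP source.
$db_conf_template = @(EPP)
user=bob
password=<%= $password %>
EPP

# Works: a nested Deferred. The inner lookup is resolved first, then
# inline_epp renders the template on the agent with the resolved value.
file { '/etc/myapp/db.conf':       # hypothetical path
  ensure  => file,
  owner   => 'root',
  mode    => '0600',
  content => Deferred('inline_epp', [
    $db_conf_template,
    { 'password' => $bob_pass },
  ]),
}

# Does not work: anything evaluated during compilation sees the Deferred
# object, never the secret.
#   if $bob_pass == 'changeme' { ... }             # compares a Deferred
#   content => "password=${bob_pass}\n"            # interpolated on the master
#   content => epp('myapp/db.conf.epp', { ... })   # rendered on the master
```

Because the secret is only fetched at apply time, a failed lookup surfaces on the agent run rather than as a compile error.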



Re: [Puppet Users] Recent 5.5.x point releases are throwing some warnings for me

2018-08-29 Thread Henrik Lindberg

On 2018-08-29 15:11, jcbollinger wrote:



On Tuesday, August 28, 2018 at 12:13:15 PM UTC-5, kris.b...@puppet.com 
wrote:



Hi Jon,

As you have read, this is part of our work implementing errors to
enforce the standards set down in PUP-1434.  In particular, your
example '$module_path/seed/manifests/init.pp' looks like it is in
the init file of module 'seed'.  Assuming that is what you meant,
anything starting with 'seed' would be OK in that file, e.g. 'seed',
'seed::remote_file', 'seed::foo::remote_file' would all work.  Note
that as part of point 4. of PUP-1434 (now being implemented in the
work of PUP-9020), you will also not be allowed to put things like
resources in the top level, but instead should include your
resources in a class, define, function, or type declaration.


As a matter of style, the usual recommendation is that furthermore, 
every class and defined type definition be located in its own file, 
named as predicted from its fully-qualified name.  Of course, this is 
coupled with assigning an appropriate fully-qualified name.  It is 
important to understand that class and type names in Puppet are 
independent of the pathnames of the files in which the class and type 
definitions appear.  The importance of the pathnames is limited to 
enabling Puppet to /find/ type and class definitions at runtime.





Not quite - what is now starting to be enforced is that definitions
must be made in a file that is on an accepted path for that definition.

Best,
- henrik


John




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Issue with lookup / hiera in yaml

2018-08-16 Thread Henrik Lindberg

On 2018-08-16 15:51, Helmut Schneider wrote:

Henrik Lindberg wrote:


If your data looks like this:


variables:
baculaWorkingDirectory: '/var/lib/bacula'


Then you do not have a variables.debug key - you can lookup
variables, or variables.baculaWorkingDirectory


common.yaml:

---
netconfig:
variables:
   debug:   0
   baculaConfPath: '/etc/bacula'
   baculaClientService:'bacula-fd'
   baculaDirectorService:  'bacula-dir'
   baculaStorageService:   'bacula-sd'
   baculaClientPackage:'bacula-client'
   baculaServerPackage:'bacula-server'
   baculaWorkingDirectory: '/var/lib/bacula'
   baculaGID:  'bacula'
   baculaUID:  'bacula'
   apachePackage:   'httpd'
   apacheService:   'httpd'
   fail2banConfPath:'/etc/fail2ban'
   fail2banPackage: 'fail2ban'
   fail2banService: 'fail2ban'
   logrotatePackage:'logrotate'
   openvpnPackage:  'openvpn'
   openvpnService:  'openvpn'
   openvpnConfPath: '/etc/openvpn'
   perlDbiPackage:  'libdbi-perl'
   perlDbdMysqlPackage: 'libdbd-mysql-perl'
   puppetService:   'puppet'
   rootUID: 'root'
   rootGID: 'root'
   rsyslogPackage:  'rsyslog'
   rsyslogService:  'rsyslog'
   snmpdConfPath:   '/etc/snmp'
   snmpdService:'snmpd'
   spamassassinPackage: 'spamassassin'
   syslogUID:   'root'
   syslogGID:   'root'
   ufwConfPath: '/etc/ufw'
   ufwPackage:  'ufw'
   ufwService:  'ufw'

I meanwhile found out that

lookup('variables.baculaWorkingDirectory', String, 'deep')

works while

lookup('variables.baculaWorkingDirectory')

does not. The problem is that in apps/bacula.yaml

WorkingDirectory: "%{lookup('variables.baculaWorkingDirectory')}"

works (but gives an empty string as 'variables.baculaWorkingDirectory'
is not found) while

WorkingDirectory: "%{lookup('variables.baculaWorkingDirectory', String,
'deep')}"

does not:

Error: Could not retrieve catalog from remote server: Error 500 on
SERVER: Server Error: Evaluation Error: Error while evaluating a
Function Call, Lookup of key 'profiles' failed: Syntax error in string:
%{lookup('variables.baculaWorkingDirectory', String, 'deep')} at
/etc/puppetlabs/code/modules/config/manifests/init.pp:43:15 on node
h2786452

apps/bacula.yaml:

---
profiles:
   backup:
 bacula:
   defaults:
[...]
 Client:
   FileDaemon:
 "%{::fqdn}-fd":
   FDport:9102
   #WorkingDirectory:
"%{lookup('variables.baculaWorkingDirectory')}"
   WorkingDirectory:
"%{lookup('variables.baculaWorkingDirectory', String, 'deep')}"
[...]



You cannot give arguments to lookup as an interpolation function inside 
of data. Use the commented out variant. Then use lookup_options (in your 
data) to configure that lookup of 'variables' should always be a 'deep' 
merge.


- henrik

--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Issue with lookup / hiera in yaml

2018-08-16 Thread Henrik Lindberg

On 2018-08-16 14:47, Helmut Schneider wrote:

Helmut Schneider wrote:


common.yaml:
variable:
   baculaWorkingDirectory: '/var/lib/bacula'

variables:
   baculaWorkingDirectory: '/var/lib/bacula'

config.pp:
[...]
   $variables = lookup({
 "name" => "variables",
 "merge" => {
   "strategy" => "deep",
   "knockout_prefix" => "--",
#  "sort_merged_arrays" => true,
 },
 "default_value" => [],
   })
[...]

bacula.pp:
class bacula inherits config {
   $test1 = lookup('variable.baculaWorkingDirectory')
   #$test2 = lookup('variables.baculaWorkingDirectory')
   $baculaWorkingDirectory = $variables['baculaWorkingDirectory']
   notify {"Test": message => $test1}
   #notify {"Test": message => $test2}
   notify {"baculaWorkingDirectory": message =>
$baculaWorkingDirectory} }

Notice: /var/lib/bacula
Notice: /Stage[main]/Bacula/Notify[Test]/message: defined 'message' as
'/var/lib/bacula'
Debug: /Stage[main]/Bacula/Notify[Test]: The container Class[Bacula]
will propagate my refresh event
Notice: /var/db/bacula
Notice: /Stage[main]/Bacula/Notify[baculaWorkingDirectory]/message:
defined 'message' as '/var/db/bacula'

If I uncomment #test2:

Error: Could not retrieve catalog from remote server: Error 500 on
SERVER: Server Error: Function lookup() did not find a value for the
name 'variables.baculaWorkingDirectory' on node
bsdhelmut1164.charlieroot.de

What am I missing?


I don't get it:

$test3 = lookup('variables')
notify {"Test3": message => $test3}

Notice: /Stage[main]/Bacula/Notify[variables]/message: defined
'message' as '{"debug"=>0, "baculaConfPath"=>"/etc/bacula",
"baculaClientService"=>"bacula-fd",
"baculaDirectorService"=>"bacula-dir",
"baculaStorageService"=>"bacula-sd",
"baculaClientPackage"=>"bacula-client",
"baculaServerPackage"=>"bacula-server",
"baculaWorkingDirectory"=>"/var/lib/bacula", "baculaGID"=>"bacula",
"baculaUID"=>"bacula", "apachePackage"=>"apache2",
"apacheService"=>"apache2", "fail2banConfPath"=>"/etc/fail2ban",
"fail2banPackage"=>"fail2ban", "fail2banService"=>"fail2ban",
"logrotatePackage"=>"logrotate", "openvpnPackage"=>"openvpn",
"openvpnService"=>"openvpn", "openvpnConfPath"=>"/etc/openvpn",
"perlDbiPackage"=>"libdbi-perl",
"perlDbdMysqlPackage"=>"libdbd-mysql-perl", "puppetService"=>"puppet",
"rootUID"=>"root", "rootGID"=>"root", "rsyslogPackage"=>"rsyslog",
"rsyslogService"=>"rsyslog", "snmpdConfPath"=>"/etc/snmp",
"snmpdService"=>"snmpd", "spamassassinPackage"=>"spamassassin",
"syslogUID"=>"syslog", "syslogGID"=>"adm", "ufwConfPath"=>"/etc/ufw",
"ufwPackage"=>"ufw", "ufwService"=>"ufw", "postfixPackage"=>"postfix",
"postfixService"=>"postfix", "postfixConfPath"=>"/etc/postfix",
"amavisdPackage"=>"amavisd-new", "arjPackage"=>"arj",
"p7zipPackage"=>"p7zip-full", "amavisdConfPath"=>"/etc/amavis/conf.d",
"amavisdService"=>"amavis", "appEtcConfPath"=>"/etc",
"bindConfPath"=>"/etc/bind", "bindPackage"=>"bind9",
"bindService"=>"bind9", "clamavConfPath"=>"/etc/clamav",
"clamavPackage"=>"clamav-daemon",
"clamavService"=>"clamav-daemon-chroot",
"clamavServiceOrg"=>"clamav-daemon", "cronConfPath"=>"/etc/cron.d",
"defaultsEtcConfPath"=>"/etc/default",
"freshclamService"=>"clamav-freshclam-chroot",
"freshclamServiceOrg"=>"clamav-freshclam", "initPath"=>"/etc/init.d",
"logrotateConfPath"=>"/etc/logrotate.d",
"perlSitePath"=>"/usr/local/lib/site_perl",
"postfixLdapSearchPackages"=>["libconfig-inifiles-perl",
"libmime-lite-perl", "libnet-ldap-perl"],
"rsyslogConfPath"=>"/etc/rsyslog.d", "sasl2Service"=>"saslauthd",
"snmpdPackage"=>"snmpd",
"spamassassinConfPath"=>"/etc/mail/spamassassin",
"sudoersConfPath"=>"/etc/sudoers.d"}'

$test2 = lookup('variables.debug')
notify {"Test2": message => $test2}

Error: Could not retrieve catalog from remote server: Error 500 on
SERVER: Server Error: Function lookup() did not find a value for the
name 'variables.debug' on node h2786452



If your data looks like this:

>> variables:
>>baculaWorkingDirectory: '/var/lib/bacula'

Then you do not have a variables.debug key - you can lookup variables, 
or variables.baculaWorkingDirectory


Best,
- henrik
--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Help pulling data from hiera hash

2018-07-24 Thread Henrik Lindberg

On 2018-07-24 03:17, Nick Hasser wrote:
I am required to configure FreeRADIUS with a white list of authorized 
MACs that are allowed on my network. I currently have a module that uses 
a file resource to drop the authorized_macs file selected by hostname of 
the server from my modules file directory. For example, currently 
server1 gets freeradius/files/server1_authorized_macs dropped into the 
proper location.


I am also using ghoneycutt/hosts to manage /etc/hosts on my servers. 
Every device that is required to be listed in the authorized MACs file 
has an /etc/hosts entry managed via this module and defined in the 
server's yaml file.


I would like to modify my freeradius module to dynamically build the 
authorized_macs file based on data in hiera instead of managing a 
file per server in my module. I plan to add a key to the existing 
hosts::host_entries hash already in place for the ghoneycutt/hosts 
module that contains the MAC of the host and use that to generate my 
authorized_macs file.


Is the sample code below on the right path for this? This is the first 
time I've done anything more complicated than a simple variable lookup 
in hiera. I haven't tested any of the code below, just trying to get an 
idea if I'm heading down the right path first.


sample hiera node file:
hosts::host_entries::


You have an extra ':' at the end. Drop that.


   'fqdn-1':
     ip: '192.168.1.1'
     host_aliases:
       - 'host-1'
     mac: '00-00-00-00-00-11'
   'fqdn-2':
     ip: '192.168.1.2'
     host_aliases:
       - 'host-2'
     mac: '00-00-00-00-00-22'

freeradius/manifests/config.pp
class config (
   $host_entries = $hosts::host_entries


Use Hash $host_entries = ...
as that will give you automatic type checking - see below:


) {
   validate_hash($host_entries)


With added type checking in the signature, you can skip this 
(deprecated) call to validate_hash()



   $host_entries.each |$host_entry| {


This will result in each entry in the hash to be given to the lambda
as a Tuple of [key, value]; not a hash. You want:

$host_entries.each | $hostname, $values | {


     validate_hash($host_entry)


You can get rid of this validation as well. In your example it would 
also fail because the entries will not be hashes. See above.


If you type your class parameter, you can make it more specific:

class config ( Hash[String, Hash] $host_entries = $hosts::host_entries)

Now you know that it is a hash of string keyed hashes, and there is no
need to check again. You can also be even more detailed with a Struct
data type where you can specify exactly which keys you expect in the 
hash, if they are required or not:


class(
  Hash[String,
    Struct[{
      Optional['ip'] => String, # or a Pattern datatype for IP
      Optional['host_aliases'] => Array[String],
      Optional['mac'] => String, # or a Pattern datatype for MAC
    }]
  ] $host_entries = ...
)

If you want to you can give the struct type a name and make it 
autoloaded. You can do the same with the Hash if you like.


type HostDetails = Hash[String,
  Struct[{
    Optional['ip'] => String, # or a Pattern datatype for IP
    Optional['host_aliases'] => Array[String],
    Optional['mac'] => String, # or a Pattern datatype for MAC
  }]
]

And then write:

class( HostDetails $host_entries = ... )


     $host_entry.each | $title, $attributes| {


The $title will be 'ip', 'mac', 'host_alias', and the $attributes
will be either a string or an Array (at least in your example data)


       validate_hash($attributes)


... so this is clearly wrong.
And if you take the advice to use a data type, you don't need to check 
again here.



       if has_key($attributes, 'mac') {

This is not right.
Simply do:

case $title {
  'ip'  : {
    # code for ip
  }
  'mac' : {
    # code for mac
  }
  'host_aliases': {
    # code for host_aliases
  }
}

         #insert code here to add the $mac to the authorized_macs file 
on this server

       }
     }
   }
}




Hope the comments above will help you.

Best,
- henrik


Thanks,
Nick Hasser




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/
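
The typed class sketched in the replies above, carried through to the file resource that writes the whitelist, as an added example that is not from the thread. The `freeradius` module layout, the alias name `Freeradius::HostEntries`, the output path and the one-MAC-per-line file format are assumptions.

```puppet
# freeradius/types/hostentries.pp (hypothetical module layout)
type Freeradius::HostEntries = Hash[
  String[1],
  Struct[{
    Optional['ip']           => String[1],
    Optional['host_aliases'] => Array[String[1]],
    # Only six dash-separated hex octets are accepted, so a typo in Hiera
    # fails the compile instead of ending up in the whitelist.
    Optional['mac']          => Pattern[/\A[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}\z/],
  }]
]

# freeradius/manifests/config.pp
class freeradius::config (
  # Default as in the original post; it requires class hosts to have been
  # evaluated before this class.
  Freeradius::HostEntries $host_entries = $hosts::host_entries,
  # Assumed location of the whitelist file.
  String[1] $authorized_macs_path = '/etc/freeradius/authorized_macs',
) {
  # Keep only the hosts that carry a 'mac' key; the others are skipped.
  $with_mac = $host_entries.filter |$hostname, $values| { 'mac' in $values }

  # One MAC per line (assumed format). Iterating a hash with reduce hands
  # each entry to the lambda as a [key, value] pair.
  $content = $with_mac.reduce('') |$memo, $entry| {
    "${memo}${entry[1]['mac']}\n"
  }

  file { $authorized_macs_path:
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0640',
    content => $content,
  }
}
```

With the types in the signature, none of the validate_hash() calls from the original sketch are needed.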


Re: [Puppet Users] epp: has_key

2018-07-19 Thread Henrik Lindberg

On 2018-07-19 17:15, Helmut Schneider wrote:

Hi,

---
profiles:
   vpn:
 openvpn:
   defaults:
 client:
   dev:   'tun'
   proto: 'udp'
   resolv-retry:  'infinite'
   nobind:
   user:  'nobody'
   group: 'nogroup'
   persist-key:
   persist-tun:
   ca:'/etc/openvpn/ca-charlieroot.de.crt'
   cert:  '/etc/openvpn/mail.helmut-ritter.de.crt'
   key:   '/etc/openvpn/mail.helmut-ritter.de.key'
   ns-cert-type:  'server'
   # OpenVPN <= 2.3
   comp-lzo:  'yes'
   # OpenVPN > 2.3
   # compress:  'lz4'
   log-append:'/var/log/openvpn.log'
   verb:  '4'
   script-security:   '2'
   up:'/etc/openvpn/update-resolv-conf'

The epp is called by

content => epp("openvpn/etc/openvpn/config.epp", { openvpnConf =>
$openvpnConf, openvpnMode => $openvpnMode, instance => $instance }),

The epp:

<%- | Hash $openvpnConf, String $openvpnMode, String $instance | -%>
<% ({
'Mode' => [
 "$openvpnMode",
],
'Connection' => [
 'remote',
 'proto',
 'dev',
 'persist-tun',
 'nobind',
 'resolv-retry',
 'compress',
 'comp-lzo',
],
'Privileges' => [
 'user',
 'group',
 'persist-key',
],
'Authentication' => [
 'cert',
 'key',
 'ca',
 'ns-cert-type',
],
'Logging' => [
 'verb',
 'log-append',
],
'Misc' => [
 'script-security',
 'plugin',
 'up',
 'down',
],
}).each |$category, $parameters| { -%>
### <%= $category %> ###
<%#= $openvpnConf %>
<% $parameters.each |$parameter| { -%>
<% if $parameter == 'remote' { -%>
<%= $parameter %> <%= $openvpnConf['server'] %> <%=
$openvpnConf['port'] %>
<% } elsif $openvpnConf[$parameter] { -%>
<%= $parameter %> <%= regsubst($openvpnConf[$parameter],
'__INSTANCE__', $instance) %>
<% } elsif defined($openvpnConf[$parameter]) { -%>
<%= $parameter %>
<% } -%>
<% } %>
<% } -%>

The problem: compress does not exist in the hiera but is printed in the
epp. How can I test if the key "compress" exists in the
$openvpnConf-Hash?



You can simply check if the hash has an Undef value for that key.

  $openvpnConf['compress'] == undef

The stdlib module has a function named has_key() that you can use which
checks if the key is present and returns true even if value is set to 
undef. If it really does not matter to you if key is set to undef or 
simply missing it is enough to check if you get an undef value back.


If you are asking how you lookup a key to see if it is in hiera - call
the lookup() function and use an undef default - then check if value was 
undef.


Hope that helps.
- henrik


Thank you.




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/
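
A way to separate "key present but empty" from "key missing" inside the template, as an added example that is not from the thread. It uses the core `in` operator, which tests hash keys, in place of the stdlib has_key() function mentioned above; the sample hash and the variable names are constructed.

```puppet
# Added example; the sample data is constructed. 'nobind' is present with an
# undef value (what the YAML line "nobind:" produces), 'compress' is absent.
$openvpn_conf = {
  'dev'    => 'tun',
  'proto'  => 'udp',
  'nobind' => undef,
}

# Heredoc without interpolation, so the EPP source is passed through as is.
$template = @(END)
<%- | Hash $conf, Array[String] $parameters | -%>
<%- $parameters.each |$parameter| { -%>
<%-   if $conf[$parameter] != undef { -%>
<%= $parameter %> <%= $conf[$parameter] %>
<%-   } elsif $parameter in $conf { -%>
<%= $parameter %>
<%-   } -%>
<%- } -%>
END

# First branch: key with a value, printed as "name value".
# Second branch: key present but undef, printed as a bare flag.
# Neither branch: key missing from the hash, nothing is printed.
notice(inline_epp($template, {
  'conf'       => $openvpn_conf,
  'parameters' => ['dev', 'proto', 'nobind', 'compress'],
}))
```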



Re: [Puppet Users] undef / nil / empty in template

2018-07-16 Thread Henrik Lindberg

On 2018-07-16 10:21, Helmut Schneider wrote:

Henrik Lindberg wrote:


On 2018-07-15 15:45, Helmut Schneider wrote:

<%- | Hash $openvpnConf,


It is important that there is no text before the opening <%-
Not sure if you have a blank line there. If so you will get a syntax
error because of the text output before the declaration of the
parameters.


Thank you.

I managed to get it to work with the following code:

<%- | Hash $openvpnConf, String $openvpnMode, String $instance | -%>
<% ({
'Mode' => [
 "$openvpnMode",
],
}).each |$category, $parameters| { -%>
### <%= $category %> ###
<% $parameters.each |$parameter| { -%>
<% if $parameter == 'remote' { -%>
<%= $parameter %> <%= $openvpnConf['server'] %> <%=
$openvpnConf['port'] %>
<% } else { -%>
<%= $parameter %> <%= $openvpnConf[$parameter] %>
<% } -%>
<% } %>
<% } -%>

What does not work yet is to add something after <%- | [...] | -%>,
everything I add (here <%= $openvpnMode %>) gives an error. E.g.:

<%- | Hash $openvpnConf, String $openvpnMode, String $instance | -%>
<%= $openvpnMode %>
<% ({
'Mode' => [
 "$openvpnMode",
],
}).each |$category, $parameters| { -%>
### <%= $category %> ###
<% $parameters.each |$parameter| { -%>
<% if $parameter == 'remote' { -%>
<%= $parameter %> <%= $openvpnConf['server'] %> <%=
$openvpnConf['port'] %>
<% } else { -%>
<%= $parameter %> <%= $openvpnConf[$parameter] %>
<% } -%>
<% } %>
<% } -%>

fails with

Error: Could not retrieve catalog from remote server: Error 500 on
SERVER: Server Error: Evaluation Error: Error while evaluating a
Function Call, epp(): Invalid EPP: Ambiguous EPP parameter expression.
Probably missing '<%-' before parameters to remove leading whitespace
at
/etc/puppetlabs/code/modules/openvpn/templates/etc/openvpn/config.epp:2:20
at /etc/puppetlabs/code/modules/openvpn/manifests/init.pp:29:22 on
node h2786452

How can I fix this?



It is a bug, please file a ticket in puppet's Jira for project PUP.

Looks like it is confused by the use of ( ) around your hash.

I tried this as a workaround:

$template = @(END)
<%-| $x | -%>
<%= $x -%>
<%- $y = {
  'Mode' => [ $x, ],
}
$y.each |$category, $parameters| { -%>
<%= $category %> = <%= $parameters %>
<%- } -%>
END
notice inline_epp($template, x => 'testing')

As you can see, I use an assignment to a local variable $y to get a hash to work
with.


What epp does is to translate <%= ... %> to a print-string expression.
When that is followed by a left parenthesis it seems to think it is a 
call i.e. as if you had written the following in puppet:


print($x)({...})

Hope that helps you work around the problem.
Best,
- henrik




Re: [Puppet Users] undef / nil / empty in template

2018-07-15 Thread Henrik Lindberg

On 2018-07-15 15:45, Helmut Schneider wrote:

Henrik Lindberg wrote:


On 2018-07-14 13:47, Johan Fleury wrote:

I meant bool2str, sorry.



https://github.com/puppetlabs/puppetlabs-stdlib/blob/master/README.md#bool2str




Helmut, before digging yourself deeper into problems by using work
around on top of problems - do consider using EPP since it protects
you from the issues of needing to know how puppet represents things
in Ruby; which is complicated as puppet handles things differently in
different parts of the code base for backwards compatibility reasons.

Many of the functions in stdlib are smelly as they are sometimes quite
imprecise and not always correct. The "bool2str" however, does what
it is supposed to, but will error if not given a boolean true or
false.  That is, it will error if given empty string, undef, or the
ruby symbol :undef. (Thus, in your case, you may get another
surprise/error if you try to use that function).

In puppet language (in EPP) you can do this:

$result = if $val { 'it is truthy' } else { 'it is falsey' }


I find the existing documentation in the net very confusing so I
haven't used epp yet. E.g. according to
https://puppet.com/docs/puppet/5.4/lang_template_epp.html this should
work:

content => epp("openvpn/etc/openvpn/config.epp", { openvpnConf =>
$openvpnConf, openvpnMode => $openvpnMode, instance => $instance }),

<%- | Hash $openvpnConf,


It is important that there is no text before the opening <%-
Not sure if you have a blank line there. If so you will get a syntax 
error because of the text output before the declaration of the parameters.



   String $openvpnMode,
   String $category,
   String $parameters,
   String $instance
| -%>

<% ({
'Misc' => [
 'script-security',
 'plugin',
 'up',
 'down',
],
}).each |$category, $parameters| { -%>
<%= $category %>
<% } -%>

Error: Could not retrieve catalog from remote server: Error 500 on
SERVER: Server Error: Evaluation Error: Error while evaluating a
Function Call, epp(): Invalid EPP: Ambiguous EPP parameter expression.
Probably missing '<%-' before parameters to remove leading whitespace
at
/etc/puppetlabs/code/modules/openvpn/templates/etc/openvpn/config.epp:6:6
at /etc/puppetlabs/code/modules/openvpn/manifests/init.pp:28:22 on
node h2786452.stratoserver.net

The same documentation uses different syntax, once without '$'

$servers.each |server|


That is wrong, cannot work, should be $server


and then with '$'

$ntp::restrict.flatten.each |$restrict|



That is correct.


What is correct? And what is wrong with the code above? Do I need to
declare only variables that I pass to the epp or also those I create
within the epp?



You do not need to declare those that you create inside of the EPP.
They are like local variables inside the EPP.

Hope that helps.
Best,
- henrik



Re: [Puppet Users] undef / nil / empty in template

2018-07-15 Thread Henrik Lindberg

On 2018-07-14 13:47, Johan Fleury wrote:

I meant bool2str, sorry.

https://github.com/puppetlabs/puppetlabs-stdlib/blob/master/README.md#bool2str



Helmut, before digging yourself deeper into problems by using work 
around on top of problems - do consider using EPP since it protects you 
from the issues of needing to know how puppet represents things in Ruby;
which is complicated as puppet handles things differently in different 
parts of the code base for backwards compatibility reasons.


Many of the functions in stdlib are smelly as they are sometimes quite
imprecise and not always correct. The "bool2str" however, does what it 
is supposed to, but will error if not given a boolean true or false.
That is, it will error if given empty string, undef, or the ruby symbol 
:undef. (Thus, in your case, you may get another surprise/error if you
try to use that function).

In puppet language (in EPP) you can do this:

$result = if $val { 'it is truthy' } else { 'it is falsey' }

To get the truthy string if value is neither false nor undef, and 
otherwise the falsey value. (An empty string is truthy).


In EPP (as in the rest of puppet), if parameters are declared with
a data type then you will get automatic parameter checking
and get an error message that explains the difference (expected type
vs. actual data type of given value). In an ERB template you need to
do that all by yourself. As you have seen, not doing that can give you
problems somewhere deep in the middle of the template instead of much 
closer to where the problem actually is.


So, best (as also suggested earlier by Christopher Wood), is to use EPP
and to declare the data types of the parameters the template expects.
If you also declare the data types of the class parameters in the class
where you are using the template you move the issue of argument value
correctness even closer to the source.

Hope this helps.

Best,
- henrik



Re: [Puppet Users] undef / nil / empty in template

2018-07-13 Thread Henrik Lindberg

On 2018-07-13 19:39, Helmut Schneider wrote:

Christopher Wood wrote:


Nice catch, wouldn't have figured on that.


You gave the hint with "if value.is_a? String" ;)

And now? Is that expected? What can I do, "if
@openvpnConf[parameter].is_a? Symbol"?! And what is a symbol and how do
I check if it empty?

Even more question marks now...



You may be getting the symbol :undef which is used in some parts of 
puppet to represent puppet undef. In puppet 4x we changed a lot around
undef/nil.

Which version of puppet are you on?

- henrik



Re: [Puppet Users] inline_template not working after migrated to puppet5

2018-07-09 Thread Henrik Lindberg

On 2018-07-09 18:12, Suresh P wrote:

Hi,

I used following code in puppet3.8.x,  it worked well.

After I migrated to Puppet5 it throws error.

$header="LD_LIBRARY_PATH=$destdir:\$LD_LIBRARY_PATH\n\nexport LD_LIBRARY_PATH\n"
$content = inline_template('<%= header+"\n"+ports.map {|port| memcache_command+" -m "+memory_per_instance+" -p "+port+" &"}.join("\n")+"\n" %>')

file { "$destdir/startmemcached.sh":
     ensure => file,
     owner => $title,
     group => $title,
     mode => '0744',
     content => inline_template($content),
}



You need neither inline_template nor inline_epp - you can do that 
transformation directly in puppet. (Untested rewrite - pardon typos):


$header = "LD_LIBRARY_PATH=$destdir:\$LD_LIBRARY_PATH\n\nexport LD_LIBRARY_PATH\n"

$format = "${memcache_command} -m ${memory_per_instance} -p %s &"
$entries = $ports.map |$port| { sprintf($format, $port) }.join("\n")

file { "$destdir/startmemcached.sh":
  ensure => file,
  owner => $title,
  group => $title,
  mode => '0744',
  content => "${header}\n${entries}\n"
}

Hope that is of value,
Best,
- henrik


Re: [Puppet Users] inline_template not working after migrated to puppet5

2018-07-09 Thread Henrik Lindberg

On 2018-07-09 19:06, Henrik Lindberg wrote:

On 2018-07-09 18:12, Suresh P wrote:

Hi,

I used following code in puppet3.8.x,  it worked well.

After I migrated to Puppet5 it throws error.

$header="LD_LIBRARY_PATH=$destdir:\$LD_LIBRARY_PATH\n\nexport 
LD_LIBRARY_PATH\n"
$content = inline_template('<%= header+"\n"+ports.map {|port| 



You want @header in an ERB - this changed in puppet 4 I think.
Earlier you just referred to the variable name.

If you instead want to, you could switch to using EPP and
modify the syntax slightly (use $ instead of @) and slight change
in how the lambda given is written.

Best,

- henrik

memcache_command+" -m "+memory_per_instance+" -p "+port+" 
&"}.join("\n")+"\n" %>')

file { "$destdir/startmemcached.sh":
 ensure => file,
 owner => $title,
 group => $title,
 mode => '0744',
 content => inline_template($content),


That is also wrong, you have already called inline_template, so $content 
contains the result of the template.


- henrik


}

Error:
Error: Could not retrieve catalog from remote server: Error 500 on 
SERVER: Server Error: Evaluation Error: Error while evaluating a 
Resource Statement, Evaluation Error: Error while evaluating a 
Function Call, Failed to parse inline template: undefined local 
variable or method `header' for 
# (file: 
/home/sas/in2_puppet/environments/production/modules/pkg/manifests/memcache/installmemcache.pp, 
line: 45, column: 12) (file: 
/home/sas/in2_puppet/environments/production/modules/in2/manifests/memcache/common.pp, 
line: 13) on node



Can you help me on this.

Regards,
Suresh









Re: [Puppet Users] inline_template not working after migrated to puppet5

2018-07-09 Thread Henrik Lindberg

On 2018-07-09 18:12, Suresh P wrote:

Hi,

I used following code in puppet3.8.x,  it worked well.

After I migrated to Puppet5 it throws error.

$header="LD_LIBRARY_PATH=$destdir:\$LD_LIBRARY_PATH\n\nexport 
LD_LIBRARY_PATH\n"
$content = inline_template('<%= header+"\n"+ports.map {|port| 



You want @header in an ERB - this changed in puppet 4 I think.
Earlier you just referred to the variable name.

If you instead want to, you could switch to using EPP and
modify the syntax slightly (use $ instead of @) and slight change
in how the lambda given is written.

Best,

- henrik

memcache_command+" -m "+memory_per_instance+" -p "+port+" 
&"}.join("\n")+"\n" %>')

file { "$destdir/startmemcached.sh":
     ensure => file,
     owner => $title,
     group => $title,
     mode => '0744',
     content => inline_template($content),
}

Error:
Error: Could not retrieve catalog from remote server: Error 500 on 
SERVER: Server Error: Evaluation Error: Error while evaluating a 
Resource Statement, Evaluation Error: Error while evaluating a Function 
Call, Failed to parse inline template: undefined local variable or 
method `header' for # (file: 
/home/sas/in2_puppet/environments/production/modules/pkg/manifests/memcache/installmemcache.pp, 
line: 45, column: 12) (file: 
/home/sas/in2_puppet/environments/production/modules/in2/manifests/memcache/common.pp, 
line: 13) on node



Can you help me on this.

Regards,
Suresh






Re: [Puppet Users] class parameters that depend on other parameters

2018-06-13 Thread Henrik Lindberg

On 2018-06-12 22:14, Tim Mooney wrote:

In regard to: Re: [Puppet Users] class parameters that depend on other...:


On 2018-06-12 00:55, Tim Mooney wrote:


[snip some of my original context]


Here's an example:

modules/sandbox/manifests/init.pp:
#
# This module exists only to serve as a sandbox where we can experiment with
# puppet code.
#
class sandbox(
   Enum['typeA', 'typeB', 'combined'] $server_type  = 'combined',
   String $service_name = $::sandbox::params::service_name,
) inherits ::sandbox::params {

   notice("sandbox initialized.\n")

   notice("\$server_type  = ${server_type}\n")
   notice("\$service_name = ${service_name}\n")

}

modules/sandbox/manifests/params.pp:
#
# a 'sandbox' class for the params pattern.
#
class sandbox::params {

   $_server_type_actual = $::sandbox::server_type

   case $_server_type_actual {
     'combined': {
       $service_name = 'sandbox-typeA+typeB'
     }
     'typeA': {
       $service_name = 'sandbox-typeA'
     }
     'typeB': {
       $service_name = 'sandbox-typeB'
     }
     default: {
       fail("\n\nsandbox::server_type must be one of: combined, typeA, typeB\n")
     }
   }

}

Hopefully the *intent* is relatively clear: provide an intelligent default
value for $service_name based on what the value is for $server_type, but
allow our "intelligent default" value to be overridden.  If
'sandbox::server_type' is set to 'typeB' in our hiera hierarchy, I want
the *default* value for 'sandbox::service_name' to become 'sandbox-typeB'.
If the person configuring the machine needs to override that too, they
should be able to, but setting just the first setting should provide
suitable defaults for the others.


[snip some of my original context]

For starters you do not really need a params.pp or inheritance. Simply 
configure all parameters in hiera.


Then, you can produce the default value by calling a function. For 
example like this:


  function mymodule::default_from_a($x) {
    if $x == 'type-A' {
      'sandbox-typeA'
    }
  }
  class example($a, $b = mymodule::default_from_a($a)) {
    notice $a
    notice $b
  }
  class {example: a => 'type-A' }


Thanks for your response Henrik!  The function use is an interesting
approach that I would not have considered.  It works well in the simple
example I presented and accomplishes what I was trying to do.

I'm not sure how I would scale this to something that's "real world" in
size, though.

Let's say you had *many* parameters that you wanted to set defaults for
(but allow overrides on an individual basis) based on a single parameter.
In my environment, the best example where we've used this is to support
the alternate versions of particular packages that are available for
RHEL (and respins) using Software Collections Library (SCL).

For example, on RHEL 6, the standard packages provide php 5.3.3 (plus
some backports and vendor "special sauce").

However, there are alternate versions available from SCL:

 php54-php

 php55-php

 rh-php56-php

 rh-php70-php

So to support various web application requirements, we have modules
that do stuff like (sorry for the lengthy code):

   if $facts['os']['family'] == 'RedHat' {
     if $facts['os']['release']['major'] == '5' {
       #
       # There's no easy httpd 2.4 option for RHEL 5, so barf
       #
       fail("\n\nRHEL 5 is not supported.\n\n")
     } elsif $facts['os']['release']['major'] == '6' {

       # PHP-related settings.
       $php_variant  = hiera('scl::php', 'php54')

       if $php_variant == 'php54' or $php_variant == 'php55' {
         # don't need to include the fpm package, as the phpfpm class gets it
         $php_extra_packages   = hiera('scl::php::extra_packages',
           [
           "${php_variant}-runtime",
           $php_variant,
           "${php_variant}-php-cli",
           "${php_variant}-php-ldap",
           "${php_variant}-php-mbstring",
           "${php_variant}-php-pdo",
           ])
         $php_fpm_package_name = "${php_variant}-php-fpm"
         $php_fpm_service_name = $php_fpm_package_name
         $php_fpm_pool_dir     = "/opt/rh/${php_variant}/root/etc/php-fpm.d"
         $php_fpm_pid_file     = "/opt/rh/${php_variant}/root/var/run/php-fpm/php-fpm.pid"

         $php_config_dir       = "/opt/rh/${php_variant}/root/etc"
       } elsif $php_variant != 'UNDEF' {
         #
         # for version 5.6.x and later, the name may include rh- at the start
         # and many of the paths have changed.
         #
         # don't need to include the fpm package, as the phpfpm class gets it
         $php_extra_packages   = hiera('scl::php::extra_packages',
           [
           "${php_variant}-runtime",
           $php_variant,
  

Re: [Puppet Users] Hiera: Using multiple facts in one path

2018-06-12 Thread Henrik Lindberg

On 2018-06-13 08:19, Dirk Heinrichs wrote:

Hi,

is this possible? For example:

:hierarchy:

   - "kernel/%{::kernel}/%{::kernelmajversion}"

   - "kernel/%{::kernel}"

   - common



yes
- henrik


Thanks...

     Dirk


Re: [Puppet Users] class parameters that depend on other parameters

2018-06-12 Thread Henrik Lindberg

On 2018-06-12 00:55, Tim Mooney wrote:


Hi All!

We've been long-time users of puppet (opensource).  A lot of our
home-grown modules were written to use direct hiera() calls (and before
that extlookup()) for loading config.  Because of prior limitations
with class parameters, we also mostly avoided parameterized classes and
class inheritance.

Since I converted my site from puppet 3.8.7 to puppetserver 5.x and
puppet-agent 5.3.x, and converted us from hiera 3.x to hiera 5.x, a lot
of the "old ways" we were doing things can and should be modernized.  For
example, I'm embarking on a project to convert all deprecated direct
hiera() calls to use lookup() instead, but before I do that I can also
greatly reduce the number of direct lookup() calls by making better use
of automatic parameter loading for classes, where appropriate.

One area where I've never found a good solution is class parameters that
depend on the value of other class parameters, especially when we want to
provide reasonable defaults for both but we also want to allow overriding
one or both of the parameters.

Here's an example:

modules/sandbox/manifests/init.pp:
#
# This module exists only to serve as a sandbox where we can experiment with
# puppet code.
#
class sandbox(
   Enum['typeA', 'typeB', 'combined'] $server_type  = 'combined',
   String $service_name = $::sandbox::params::service_name,
) inherits ::sandbox::params {

   notice("sandbox initialized.\n")

   notice("\$server_type  = ${server_type}\n")
   notice("\$service_name = ${service_name}\n")

}

modules/sandbox/manifests/params.pp:
#
# a 'sandbox' class for the params pattern.
#
class sandbox::params {

   $_server_type_actual = $::sandbox::server_type

   case $_server_type_actual {
     'combined': {
       $service_name = 'sandbox-typeA+typeB'
     }
     'typeA': {
       $service_name = 'sandbox-typeA'
     }
     'typeB': {
       $service_name = 'sandbox-typeB'
     }
     default: {
       fail("\n\nsandbox::server_type must be one of: combined, typeA, typeB\n")
     }
   }

}



Hopefully the *intent* is relatively clear: provide an intelligent default
value for $service_name based on what the value is for $server_type, but
allow our "intelligent default" value to be overridden.  If
'sandbox::server_type' is set to 'typeB' in our hiera hierarchy, I want
the *default* value for 'sandbox::service_name' to become 'sandbox-typeB'.
If the person configuring the machine needs to override that too, they
should be able to, but setting just the first setting should provide
suitable defaults for the others.

This doesn't work, because there's a chicken-or-the-egg problem here.
Class sandbox inherits from sandbox::params to follow the "params
pattern", so settings in the parent class end up depending upon
parameters to the child class.

Assuming I don't have any need to support old versions of puppet (anything
before 5.x), what's the current best practice for doing this?



For starters you do not really need a params.pp or inheritance. Simply 
configure all parameters in hiera.


Then, you can produce the default value by calling a function. For 
example like this:


  function mymodule::default_from_a($x) {
    if $x == 'type-A' {
      'sandbox-typeA'
    }
  }
  class example($a, $b = mymodule::default_from_a($a)) {
    notice $a
    notice $b
  }
  class {example: a => 'type-A' }


With that, $b will get the value from the function if a value was not 
given and there was no binding in hiera for it.


Running the above produces:

  Notice: Scope(Class[Example]): type-A
  Notice: Scope(Class[Example]): sandbox-typeA


Hope that helps.

- henrik


Thanks,

Tim



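The function-default approach from the reply above, applied to all three server types of the sandbox class from the question. This is an added example, not code from the thread; the function name sandbox::default_service_name is hypothetical, and the params class and inheritance are dropped as the reply suggests.

```puppet
# Added example, not code from the thread.
# sandbox::default_service_name is a hypothetical name. In a module it would
# live in modules/sandbox/functions/default_service_name.pp; for a quick test
# with "puppet apply" it can sit in the same manifest, as shown here.
function sandbox::default_service_name(
  Enum['typeA', 'typeB', 'combined'] $server_type
) >> String {
  # The Enum type on the parameter guarantees that one of these cases matches,
  # so the fail() branch of the original params.pp is no longer needed.
  $server_type ? {
    'combined' => 'sandbox-typeA+typeB',
    'typeA'    => 'sandbox-typeA',
    'typeB'    => 'sandbox-typeB',
  }
}

class sandbox(
  Enum['typeA', 'typeB', 'combined'] $server_type  = 'combined',
  # The default expression may refer to a parameter declared to its left.
  # It is evaluated only when no value is given in the class declaration
  # and no sandbox::service_name key is bound in hiera.
  String $service_name = sandbox::default_service_name($server_type),
) {
  notice("\$server_type  = ${server_type}")
  notice("\$service_name = ${service_name}")
}

# Only server_type is set, so service_name comes from the function.
class { 'sandbox': server_type => 'typeB' }
```

Setting sandbox::service_name in hiera, or passing service_name in the class declaration, takes precedence over the computed default.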


Re: [Puppet Users] Dealing with hashes (again)

2018-05-09 Thread Henrik Lindberg

On 09/05/18 13:36, Arnau wrote:

Hi all,

I  have a hash of hashes in hiera:

cb_data_sync:
   localdata:
     peers: peer1 peer2
     source: /data/1
     target: /data/2
     ssh_key:
       key: XYZ
       type: ssh-rsa
       user: root

Then, in a main class, I call a define using the above data:

class cb_sync(
   Hash $cb_sync = lookup(cb_data_sync),

The lookup here has no effect - it will use APL to do exactly what the 
default expression is doing - thus, it will never be called.

(Not the source of your problem, but you can remove that call).


) {

   $cb_sync.each |$name, $data| {


Variable $name will shadow the meta parameter $name in the outer scope.
Better to use a different variable name here. However, doubt this will 
cause the problem.



     cb_sync::rsync{ $name:
       data_sync => $data,
     }
   }

}

so far, so good.

cb_sync::rsync is a define and there I'd like to create a 
ssh_authorized_key from the ssh_key nested hash.


So, my code looks like:

define cb_sync::rsync (
   Hash $data_sync = undef,
) {

     ssh_authorized_key {
       "${name}-ssh_key":
         * => "${data_sync['ssh_key']}",


You are expecting 'ssh_key' to be a key. Your hiera data shows there is 
a "localdata" key under which there is a hash with that key.

So, you end up with an empty hash.

Also, you are using interpolation to interpolate a hash as a string.
That is not right. You probably want this:

* => $data_sync['localdata']['ssh_key']



       }

But puppet complains cause it says that it gets a string  but expects a 
Hash.


Well, you interpolated a hash into a string...


If I "notify" data_sync['ssh_key'] I get:

Notice: {key => XYZ, type => ssh-rsa, user => root}


ok, then maybe your hieradata above is not exactly what you are using?
If that key worked, change what I said you should use above and drop
the 'localdata' part.



(which looks like a hash to me,am I wrong?).


A hash in string form (printed) looks very much like a hash in source 
code form, but a Hash it was not.


- henrik





Re: [Puppet Users] converting Hiera v3 to v5 - :merge_behavior: deeper option?

2018-05-01 Thread Henrik Lindberg

On 01/05/18 17:00, jcbollinger wrote:


CORRECTION:

On Tuesday, May 1, 2018 at 9:52:31 AM UTC-5, jcbollinger wrote:


$hash_merge_behavior = lookup(':merge_behavior',String,'unique','hash')


... but of course, I meant

$hash_merge_behavior = lookup(':merge_behavior',String,'first','hash')



And drop the leading ':' in ":merge_behaviour" ;-)

- henrik



John



Re: [Puppet Users] converting Hiera v3 to v5 - :merge_behavior: deeper option?

2018-04-30 Thread Henrik Lindberg

On 30/04/18 15:18, jcbollinger wrote:



On Saturday, April 28, 2018 at 7:29:29 AM UTC-5, Henrik Lindberg wrote:

On 28/04/18 13:21, du wrote:
> Thanks all for the responses
>
> I realise that the global option is no longer there and I am trying to
> set v5 up so that I can get the similar behaviour.
>
> On Friday, April 27, 2018 at 6:12:32 PM UTC+1, Henrik Lindberg wrote:
>
>     Depends on what you mean. The 'deep' in hiera 5 is the same as 'deeper'
>     in hiera 3. It just works.
>
> Yes, it works absolutely fine if I specify hash name explicitly in
> lookup_options - my issue is that I can't seem to set it using regex for
> all hashes that I am retrieving from Hiera.
>
>     If you mean that all keys should lookup with strategy 'deep' then you
>     use the lookup_options to set that for all keys.
>
> Do you mind sharing an example what setting it for all keys
> potentially look like - I suspect my regex above may not be correct

The regexp must be anchored at the beginning of the string to be
recognized as a key regexp.

So, use this:

'^.*'



Doesn't that instruct Hiera to use the 'deep' strategy for /all/ lookups 
where no other strategy is explicitly requested?  Will that not, 
therefore, alter the behavior of automated data binding and of most 
calls to the lookup() and hiera() functions?


I'm totally prepared to learn something new today, but to the best of my 
current knowledge, Hiera 5 has no mechanism for controlling merge 
behavior whose scope can be limited to just hiera_hash() calls.




True - the above general regexp rule will apply to all keys irrespective 
of their data type. There is no mechanism to make a regexp rule apply to 
only a particular data type.


- henrik



Re: [Puppet Users] converting Hiera v3 to v5 - :merge_behavior: deeper option?

2018-04-28 Thread Henrik Lindberg

On 28/04/18 13:21, du wrote:

Thanks all for the responses

I realise that the global option is no longer there and I am trying to 
set v5 up so that I can get the similar behaviour.


On Friday, April 27, 2018 at 6:12:32 PM UTC+1, Henrik Lindberg wrote:

Depends on what you mean. The 'deep' in hiera 5 is the same as 'deeper'
in hiera 3. It just works.

Yes, it works absolutely fine if I specify hash name explicitly in 
lookup_options - my issue is that I can't seem to set it using regex for 
all hashes that I am retrieving from Hiera.



If you mean that all keys should lookup with strategy 'deep' then you
use the lookup_options to set that for all keys. 

  Do you mind sharing an example what setting it for all keys 
potentially look like - I suspect my regex above may not be correct


The regexp must be anchored at the beginning of the string to be 
recognized as a key regexp.


So, use this:

'^.*'

- henrik

--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] hiera command line - search with structured facts (key.subkey)

2018-04-27 Thread Henrik Lindberg

On 27/04/18 18:12, Louis Coilliot wrote:

Hello,

this works:

hiera -d -c /etc/puppetlabs/puppet/hiera.yaml core::packages ::environment=production ::osfamily=RedHat


this does not (at least on my platform):

hiera -d -c /etc/puppetlabs/puppet/hiera.yaml core::packages ::environment=production ::os.family=RedHat


(note the dot between os and family).

In the hiera-rchy I have levels like:

"%{::environment}/hieradata/os/%{::os.family}/%{::os.release.major}"

It works fine with lookups in puppet 5 but not from the hiera command line.

I use the hiera command line tool for debugging.

With the last version of hiera.

# hiera -v
3.4.3

My syntax in hiera.yaml is still in version 3.

How do you query with the command line and some structured facts in the 
variable interpolation of the levels in hiera ?


I can't find any doc. or information about that.



Switch to using the lookup CLI instead of hiera CLI.
The hiera CLI is deprecated and has quite a few known problems.

The lookup CLI may not be perfect, but it has a lot of documentation 
(and features).


Best,
- henrik

--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] converting Hiera v3 to v5 - :merge_behavior: deeper option?

2018-04-27 Thread Henrik Lindberg

On 27/04/18 17:34, du wrote:

Hi

I am in the process of migrating v3 hiera.yaml to v5 and I would like 
all hash merges to merge 'deep' by default, the same way 
:merge_behavior: deeper in v3 parameter provides.



I can't seem to find an easy way to do this after reading the docs - I 
understand lookup_options: need to be set, however it requires class 
parameter to be specified. I tried using regex as below and adding it to 
common.yaml however it does not produce the desired result (it works ok 
if I specify the hash name explicitly, however I am looking to expand 
this behaviour to all lookups, if possible).



Is there an easy way to just migrate :merge_behavior: deeper to v5?


Depends on what you mean. The 'deep' in hiera 5 is the same as 'deeper' 
in hiera 3. It just works.


If you mean that all keys should lookup with strategy 'deep' then you 
use the lookup_options to set that for all keys.


- henrik


--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/
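
Added example, not part of the thread and not Puppet's own code: a small Ruby model of the `lookup_options` rule discussed in this thread. It shows that `'^.*'` with `merge: deep` changes the result for every key, array keys included, that a pattern without the leading `^` is not treated as a regexp, and (going one step beyond the thread) that a narrower anchored pattern confines the effect by key name. The data, the key names, the `'^profile::.*'` pattern and the simplified selection and merge logic are assumptions made for illustration.

```ruby
require 'yaml'

# Constructed sample data, highest-priority layer first. Only the '^.*' key and
# the 'deep' strategy come from the thread; every other name is made up.
NODE_YAML = <<~DATA
  profile::users:
    alice:
      shell: /bin/zsh
  ntp::servers:
    - ntp1.example.com
DATA

COMMON_YAML = <<~DATA
  lookup_options:
    '^.*':
      merge: deep
  profile::users:
    alice:
      uid: 1001
      shell: /bin/bash
    bob:
      uid: 1002
  ntp::servers:
    - ntp0.example.com
DATA

def sample_layers
  [NODE_YAML, COMMON_YAML].map { |text| YAML.safe_load(text) }
end

# Same data, but with a single lookup_options rule keyed by +pattern+.
def layers_with_rule(pattern)
  node, common = sample_layers
  [node, common.merge('lookup_options' => { pattern => { 'merge' => 'deep' } })]
end

# Assumed selection order: a literal key first, then the first key that starts
# with '^' (the anchor that marks it as a regexp) and matches the lookup key.
# Only the plain string form of 'merge' is modelled.
def merge_strategy(lookup_options, key)
  return lookup_options[key]['merge'] if lookup_options.key?(key)

  lookup_options.each do |pattern, opts|
    next unless pattern.start_with?('^')
    return opts['merge'] if Regexp.new(pattern).match?(key)
  end
  'first'
end

# Simplified deep merge: hashes recurse, arrays are unioned (order is not
# modelled), and for anything else the higher-priority value wins.
def deep_merge(high, low)
  if high.is_a?(Hash) && low.is_a?(Hash)
    low.merge(high) { |_key, low_val, high_val| deep_merge(high_val, low_val) }
  elsif high.is_a?(Array) && low.is_a?(Array)
    (high + low).uniq
  else
    high
  end
end

# Look +key+ up across the layers using the strategy lookup_options selects.
def lookup(layers, key)
  options = layers.reverse.reduce({}) { |acc, l| acc.merge(l.fetch('lookup_options', {})) }
  values = layers.select { |l| l.key?(key) }.map { |l| l[key] }
  return nil if values.empty?

  if merge_strategy(options, key) == 'deep'
    values.reduce { |high, low| deep_merge(high, low) }
  else
    values.first
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[profile::users ntp::servers].each do |key|
    puts "'^.*'           #{key}: #{lookup(sample_layers, key).inspect}"
    puts "'^profile::.*'  #{key}: #{lookup(layers_with_rule('^profile::.*'), key).inspect}"
  end
end
```

With the catch-all rule the `ntp::servers` array is merged across layers as well, which is the change to automatic data binding raised in the follow-up.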



Re: [Puppet Users] concating a string from itself

2018-04-24 Thread Henrik Lindberg

On 24/04/18 20:55, Ryan Murphy wrote:
So I've hit a limitation in puppet where I can't modify a variable after 
it's been set.  How do I work around this?  I have a manifest that I need 
to be able to build up a list of contacts based on certain facts about a 
server.


Here is an example of my (non functioning) code?  Can anyone give me a 
suggestion of how to work around this limitation?


  if 'sql' in $hostname.downcase or $wl_server_type == 'db' {
    $contactgroups = 'Windows Server Admins,Microsoft SQL DBAs'
  }
  else {
    $contactgroups = 'Windows Server Admins'
  }

  if $wl_app in $btssServers or 'adfs' in $hostname.downcase {
    $contactgroups = "${contactgroups},BT Systems Support"
  }

  if $wl_app == 'hea'{
    $contactgroups = "${contactgroups},HEAT Admins"
  }




You could do something like this:

$contactgroups = [
  'Windows Server Admins',

  if 'sql' in $hostname.downcase or $wl_server_type == 'db' {
    'Microsoft SQL DBAs'
  },

  if $wl_app in $btssServers or 'adfs' in $hostname.downcase {
    'BT Systems Support'
  },

  if $wl_app == 'hea' {
    'HEAT Admins'
  }
].filter |$x| { $x =~ NotUndef }.join(',')


It creates an array with the values, each "if" produces a value to 
include or undef. The "filter" creates a new array where all undef 
values are dropped, and finally, it calls join to separate them with a 
comma.


Best,
- henrik




In a language like Python I could just append to the string... but I 
can't modify the variable at all in Puppet after it's been created.





--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Accessgin facts hash from manifests

2018-04-23 Thread Henrik Lindberg

On 23/04/18 08:33, Johan De Wit wrote:

first notify, the index should be quoted 

notify { "OS: $facts['os']['family']": }


That is unfortunately wrong - it will produce the entire $facts hash as 
a string followed by the *text* "['os']['family']".


The correct way is to write:

  notify { "OS: ${facts['os']['family']}": }

Or, if you like:

  notify { "OS: ${facts.dig('os', 'family')}": }

(or by using the "pick()" function from stdlib which is similar to "dig()")

Best,
- henrik


Grts




-Original message-
*From:* Arnau 
*Sent:* Friday 20th April 2018 14:22
*To:* puppet-users@googlegroups.com
*Subject:* [Puppet Users] Accessgin facts hash from manifests

Hi all,

I'm having the first experiences with puppet 5 & facter 3

In old puppet versions I tend to add debug messages like:

notify { "OS : ${::osfamily}": }

and it usually worked.

According to

https://puppet.com/docs/puppet/5.3/lang_facts_and_builtin_vars.html#accessing-facts-from-puppet-code


I can still access the facts using the old way, but it recommends to
use the facts hash, so the new code should look like:


   notify { "OS: $facts[os][family]": }

But when I do that I get the full list of facts and [os][family] at
the bottom:


Notice: OS: {agent_specified_environment => test, aio_agent_version
=> 5.5.1, architecture => x86_64, augeas => {version => 1.10.1}
[ TONS OF FACTS ...]  clientversion => 5.5.1, clientnoop =>
false}['os]['family']"

If I use the same syntax in a conditional statement:

   if $facts['os']['family'] == 'RedHat' {
     notify { "I'm a RedHat": }
   }

then it works:

Notice: /Stage[main]/Common::Yumrepos/Notify[I'm a RedHat]/message:
defined 'message' as 'I\'m a RedHat'

So, what's wrong with the above notify?


TIA,
Arnau





--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Is freeze_main supposed to work this way?

2018-04-17 Thread Henrik Lindberg

On 17/04/18 16:46, jcbollinger wrote:



On Tuesday, April 17, 2018 at 12:57:19 AM UTC-5, Henrik Lindberg wrote:

I just fixed a bug regarding freeze_main that was found when an
autoloaded class/define made use of a not already loaded custom data
type. The logic raising the error was too simplistic in its check for
the condition under which it should raise an error.

If your problem is not an actual problem, it may be that you ran into
that bug.


I'm afraid that my problem is a /bona fide/ problem in the sense that I 
really am trying to use freeze_main, and when I turn it on, catalog 
building really fails on my real production manifests.


The line number reported in the error message corresponds to the first 
'include' call in the below:


if lookup('with_firewall_iptables', Boolean, 'first', true) {
  include '::sb::iptables::fw_pre'
  include '::sb::iptables::fw_post'

  Firewall {
    require => Class['::sb::iptables::fw_pre'],
    before  => Class['::sb::iptables::fw_post'],
  }
}

, and this is modeled pretty closely on the recommended usage of the 
puppetlabs/firewall module.  Only comments and blank lines precede the 
'if', which appears at top scope, and nothing follows it in the same 
manifest.  That doesn't strike me as corresponding very well to the bug 
you described, but it's difficult for me to be confident about that.


As a workaround, I have simply turned freeze_main back off.  Catalog 
building then succeeds, and the resulting catalog has the effect I 
want.  I would prefer to enable freeze_main for an extra level of safety 
and bug detection, but not being able to use it does not constitute a 
major roadblock.




It is PUP-8637 if you want to try with a version that has the fix.
I believe it was actually the Firewall module that triggered the problem 
reported in that ticket.


- henrik
--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Is freeze_main supposed to work this way?

2018-04-16 Thread Henrik Lindberg

On 17/04/18 00:10, jcbollinger wrote:
This Puppet 5.4.0 error message wraps up the situation in a pretty tidy 
package:


Error: Could not retrieve catalog from remote server: Error 500 on
SERVER: Server Error: Evaluation Error: Error while evaluating a
Function Call, Cannot have code outside of a class/node/define
because 'freeze_main' is enabled (file:
/etc/puppetlabs/code/environments/production/manifests/defaults-firewall.pp,
line: 14, column: 3) on node redacted.machine.xxx


The freeze_main setting is documented to 
trap code other than classes, defined type, and node definitions 
appearing at top scope, /other than in the site manifest/.  The error 
message is complaining about a manifest in its environment's site 
manifest directory, which would not be evaluated at all if Puppet were 
not treating it as part of the site manifest.  So why is Puppet 
complaining?  Is this just a straight-up bug, or is there more to it?




I just fixed a bug regarding freeze_main that was found when an 
autoloaded class/define made use of a not already loaded custom data 
type. The logic raising the error was too simplistic in its check for
the condition under which it should raise an error.

If your problem is not an actual problem, it may be that you ran into 
that bug.


- henrik




--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] How can one communicate the $confdir to the catalog builder?

2018-04-13 Thread Henrik Lindberg

On 12/04/18 14:58, jcbollinger wrote:



On Wednesday, April 11, 2018 at 11:28:12 AM UTC-5, Henrik Lindberg wrote:

On 11/04/18 18:21, jcbollinger wrote:
 > I'm writing a module for Puppet self-management, or at least I think I
 > am.  I was surprised to not find very much along those lines on the
 > Forge, and maybe I should take that as a bad sign, but I want to explore
 > it at least a little bit.  Maybe I just didn't find the right search
 > terms -- searching there for "puppet" is not very useful.
 >
 > Anyway, I've run into a snag with a threshold issue: how to find the
 > config file(s) to manage in the first place.  I know where Puppet stores
 > its config files by default, for various versions of Puppet and for
 > various operational contexts, but with the existence of the --confdir
 > option that can be specified on a per-run basis, it is not safe to
 > assume that the config files that informed the current Puppet run is in
 > the default location (and those are the ones I want to manage).  In any
 > case, I'm lazy, so I'd rather get Puppet to tell me what it already
 > knows than try to recompute it.
 >
 > But there does not seem to be a standard fact that communicates this
 > information (at least, 'puppet facts' does not print one), and I'm not
 > seeing any appealing ways to extract the necessary information from a
 > custom fact's runtime context.  I do see at least one nasty, tricksome,
 > system-dependent way, but I'm more likely to chuck the whole idea than
 > go there.  Am I missing some clean way to write a custom fact for this
 > purpose?  Or does someone have an alternative to suggest?
 >

Have you read the documentation regarding $settings ?

https://puppet.com/docs/puppet/5.5/lang_facts_and_builtin_vars.html#puppet-master-variables


- henrik



Thanks, Henrik, I'm not sure I had read those in detail, since they come 
under the heading of variables set by the master, and the whole problem 
is that the master doesn't have the wanted information.  Still, having 
now read them, I find that the documentation seems to agree with my 
expectations.  In particular:


Note that, other than $environment and $clientnoop, the agent node’s
settings are not available in manifests. If you wish to expose them
to the master in this version of Puppet, you will have to create a
custom fact.


Creating a custom fact to report on the agent's /dynamic/ $confdir 
setting, as recommended by those docs, is precisely what I would like to 
do.  What I'm struggling with is how the fact implementation can 
determine the value for such a fact, inasmuch as the value I want is a 
property of the puppet (agent) process on whose behalf Facter is 
computing facts.




I recall now that we have a ticket with a request to make agent settings 
available on the master side. No progress on that for quite some time 
though. Not sure if ticket is still open or if it was closed in the last 
big triage. I assume it could be implemented as sending all of the 
settings as one fact. Or - indeed as you plan, just the actual setting 
you are interested in.


- henrik

--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] How can one communicate the $confdir to the catalog builder?

2018-04-11 Thread Henrik Lindberg

On 11/04/18 18:21, jcbollinger wrote:
I'm writing a module for Puppet self-management, or at least I think I 
am.  I was surprised to not find very much along those lines on the 
Forge, and maybe I should take that as a bad sign, but I want to explore 
it at least a little bit.  Maybe I just didn't find the right search 
terms -- searching there for "puppet" is not very useful.


Anyway, I've run into a snag with a threshold issue: how to find the 
config file(s) to manage in the first place.  I know where Puppet stores 
its config files by default, for various versions of Puppet and for 
various operational contexts, but with the existence of the --confdir 
option that can be specified on a per-run basis, it is not safe to 
assume that the config files that informed the current Puppet run is in 
the default location (and those are the ones I want to manage).  In any 
case, I'm lazy, so I'd rather get Puppet to tell me what it already 
knows than try to recompute it.


But there does not seem to be a standard fact that communicates this 
information (at least, 'puppet facts' does not print one), and I'm not 
seeing any appealing ways to extract the necessary information from a 
custom fact's runtime context.  I do see at least one nasty, tricksome, 
system-dependent way, but I'm more likely to chuck the whole idea than 
go there.  Am I missing some clean way to write a custom fact for this 
purpose?  Or does someone have an alternative to suggest?




Have you read the documentation regarding $settings ?
https://puppet.com/docs/puppet/5.5/lang_facts_and_builtin_vars.html#puppet-master-variables

- henrik


--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Updated manifest, now get Failed to apply catalog: "\xF8\xDD" on UTF-16LE on Windows

2018-03-27 Thread Henrik Lindberg

On 26/03/18 21:58, jmp242 wrote:
I'm using puppet 5.3.3 and had been using a previous version of my 
module for a long time. Now I added another package to my management and 
started getting an odd error:

Failed to apply catalog: "\xF8\xDD" on UTF-16LE

The actual underlying chocolatey packages install correctly. Any ideas 
what this error means? What I need to debug? I use Gepetto to author the 
edits and check into SVN... It almost sounds like a file format issue, 
but I don't know in Gepetto how to change / fix this.


You may find what you need here: 
https://stackoverflow.com/questions/3751791/how-to-change-default-text-file-encoding-in-eclipse


Best,
- henrik






--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] Hiera Interpolation of data

2018-03-20 Thread Henrik Lindberg

On 20/03/18 04:19, Gino Lisignoli wrote:

Hello

I'm using hiera with the http backend (as couchdb) which works for data 
lookup, but I want to use data interpolation 
(https://puppet.com/docs/puppet/5.0/hiera_interpolation.html).


At the moment I am trying to do a simple test of:

class foo (
  $bar = lookup("some::path::var")
) {
  notify { 'bar':
    message => $bar
  }
}

Couchdb:

{
  "some::path::var": "%{::fqdn}"
}


But my notify output is always:

Notice: /Stage[main]/Foo::Notify[bar]/message:current_value absent, 
should be %{::fqdn} (noop)


Any ideas why this isn't getting resolved as the fqdn fact?


Afaik, the interpolation should be performed by the backend itself for 
hiera 3 backends. Do other interpolations work with the couchdb 
backend? If not, log a ticket for that backend.


The right path forward is to use hiera 5 and write a hiera 5 backend for 
couchdb. This is as simple as writing a function - probably of the 
"lookup_key" kind. When doing such a lookup, there is a method to call 
on the "lookup context" object given to the function that performs 
interpolation.


Others that have written hiera 5 backend functions have done so quite 
easily and made the hiera 3 backend be capable of supporting both the 
hiera 3 backend API and the new hiera 5 at the same time.


Best,
- henrik


--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/



Re: [Puppet Users] puppet generate types on a standalone directory

2018-03-13 Thread Henrik Lindberg

On 13/03/18 09:29, Thomas Müller wrote:

Hi

For octocatalog-diff I'd wanted to `puppet generate types` in the 
bootstrap script [1]. But at this stage it's just the env extracted into 
a directory and not $environmentpath/${envname}. I couldn't figure out 
how to run `puppet generate types` on just a standalone directory. Is 
this at all possible?


You should be able to give it an environmentpath + the directory name as 
the name of the environment on the command line. (This works because all 
puppet settings are also exposed as flags on the command line).


- henrik


regards
- Thomas



[1] 
https://github.com/github/octocatalog-diff/blob/master/doc/advanced-bootstrap.md





--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/
