Re: [Puppet Users] Question about setting master-less server
We've settled on a git repo per module, then using r10k (thinking about moving to librarian-puppet) to pull modules from git onto our nodes. This happens in the wrapper script that we run out of cron that also executes the puppet apply. The advantage here is that if you happen to break puppet, you can still get your fixes pulled onto the node without manual intervention. - Jeff On 03/11/2015 07:32 PM, Hubert Lubaczewski wrote: Hi, I'm trying to learn puppet by using it on a test machine I have. Figured that for single server, it makes sense to use master-less mode. So, my question is like this. To set it up, I figured that: 1. /etc/puppet would be clone of some repo 2. in /etc/puppet/manifests/site.pp, I would add vcsrepo{} that would make sure that puppet will update itself on each run 3. I'll add a cronjob to periodically run puppet apply /etc/puppet/manifests/site.pp Optionally, I would run git pull before actual puppet apply, so that puppet will run on already updated repo. Does it make sense? Am I missing something? I know it's pretty basic, but in one place I had to write quite a lot of manifests/modules for puppet, and finally decided to setup whole machine, on my own, using puppet. Thanks for any help/guidance, depesz -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com mailto:puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/b6da6bf0-9152-472b-b54f-85c0cf87b7d1%40googlegroups.com https://groups.google.com/d/msgid/puppet-users/b6da6bf0-9152-472b-b54f-85c0cf87b7d1%40googlegroups.com?utm_medium=emailutm_source=footer. For more options, visit https://groups.google.com/d/optout. This message and any attached files contain confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or without error as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/5501921E.2090409%40bancvue.com. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Re: hiera-eyaml - masterless puppet
We're using a couple of techniques: We bake them into our system images, and for ad-hoc we have a Rundeck job that can push the keys onto a host. Haven't had to rotate the keys yet, but I presume that we'd either use the ad-hoc technique, or re-spin the system image and re-deploy the hosts. Since we're moving towards ephemeral/immutable hosts, this works for us. Hope that helps. - Jeff On 03/11/2015 03:05 PM, Heinz Kalkhoff wrote: Jeff, I realize you may not want to share the details, but can you share your strategy on management of the private keys in a masterless setup? Thanks for the reply. Heinz On Wednesday, March 11, 2015 at 9:43:02 AM UTC-4, jeff Adams wrote: We're using eyaml in our masterless setup as well. We've got our hiera.yaml in /etc/puppet, so we don't need to specify the --hiera_config with puppet apply. True that distributing the private key(s) was an interesting issue to solve. - Jeff On 03/11/2015 08:30 AM, Alessandro Franceschi wrote: Sure you can, you have to pass the --hiera_config parameter to the puppet apply command (pointing to your hiera.yaml) and you will need the private key used to encrypt keys on every node (this is maybe the only issue with hiera-eyaml in masterless mode). al On Tuesday, March 10, 2015 at 10:37:30 PM UTC+1, Heinz Kalkhoff wrote: Is it possible to use hiera-eyaml with a masterless puppet setup (e.g. puppet apply)? I want to verify before going down this path as I have been unable to find examples using puppet masterless and hiera-eyaml. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com javascript: mailto:puppet-users+unsubscr...@googlegroups.com javascript:. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/f888b737-7789-4e4b-a72c-1b655a130c87%40googlegroups.com https://groups.google.com/d/msgid/puppet-users/f888b737-7789-4e4b-a72c-1b655a130c87%40googlegroups.com https://groups.google.com/d/msgid/puppet-users/f888b737-7789-4e4b-a72c-1b655a130c87%40googlegroups.com?utm_medium=emailutm_source=footer https://groups.google.com/d/msgid/puppet-users/f888b737-7789-4e4b-a72c-1b655a130c87%40googlegroups.com?utm_medium=emailutm_source=footer. For more options, visit https://groups.google.com/d/optout https://groups.google.com/d/optout. This message and any attached files contain confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or without error as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com mailto:puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/00971302-01db-475f-945e-9c08763b6b46%40googlegroups.com https://groups.google.com/d/msgid/puppet-users/00971302-01db-475f-945e-9c08763b6b46%40googlegroups.com?utm_medium=emailutm_source=footer. For more options, visit https://groups.google.com/d/optout. This message and any attached files contain confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or without error as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. -- You received this message because you are subscribed to the Google Groups Puppet
Re: [Puppet Users] Re: hiera-eyaml - masterless puppet
We're using eyaml in our masterless setup as well. We've got our hiera.yaml in /etc/puppet, so we don't need to specify the --hiera_config with puppet apply. True that distributing the private key(s) was an interesting issue to solve. - Jeff On 03/11/2015 08:30 AM, Alessandro Franceschi wrote: Sure you can, you have to pass the --hiera_config parameter to the puppet apply command (pointing to your hiera.yaml) and you will need the private key used to encrypt keys on every node (this is maybe the only issue with hiera-eyaml in masterless mode). al On Tuesday, March 10, 2015 at 10:37:30 PM UTC+1, Heinz Kalkhoff wrote: Is it possible to use hiera-eyaml with a masterless puppet setup (e.g. puppet apply)? I want to verify before going down this path as I have been unable to find examples using puppet masterless and hiera-eyaml. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com mailto:puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/f888b737-7789-4e4b-a72c-1b655a130c87%40googlegroups.com https://groups.google.com/d/msgid/puppet-users/f888b737-7789-4e4b-a72c-1b655a130c87%40googlegroups.com?utm_medium=emailutm_source=footer. For more options, visit https://groups.google.com/d/optout. This message and any attached files contain confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or without error as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/5500465F.10308%40bancvue.com. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Hiera.yaml not interpolate variables
Pretty sure I ran across this same issue. Try pulling the :: out of the variable name. e.g. %{environment} - Jeff On 05/08/2014 11:21 AM, Israel Calvete wrote: Yes, hiera file is in /etc/puppet/hiera.yaml On Thursday, May 8, 2014 6:15:34 PM UTC+2, Brendan O'Bra wrote: Where is your hiera.yaml located? Default for puppet is /etc/puppet/hiera.yaml On Thu, May 8, 2014 at 8:21 AM, Israel Calvete ical...@gmail.com javascript: wrote: Hi, This is my hiera config. /---/ /:backends: - yaml/ /:hierarchy: - %{::environment}/ /- common/ /:yaml:/ / :datadir: /usr/share/puppet/configuration/%{::environment}/hiera/current/hieradata/ /:puppet:/ / :datasource: data/ It seems if puppet master can't resolve enviroment variable but if I change /%{::environment}/ for a fix value, all works fine. In a client the error is... /err: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not find data item mysql_monitor_user in any Hiera data file and no default supplied at/ In the puppetmaster ( repupuppet himselft ) the error is ... /err: Could not retrieve catalog from remote server: Error 400 on SERVER: malformed format string - %S at/ Both for line... /$cndb_db = hiera('cndb_db')/ My hiera version is 1.2.1 My puppet version is 2.7.23 Thanks -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com javascript:. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/c57ff48d-af64-4cb4-a81c-19f98ec5bb5b%40googlegroups.com https://groups.google.com/d/msgid/puppet-users/c57ff48d-af64-4cb4-a81c-19f98ec5bb5b%40googlegroups.com?utm_medium=emailutm_source=footer. For more options, visit https://groups.google.com/d/optout https://groups.google.com/d/optout. -- GVoice: 707.410.0371 LinkedIn: http://www.linkedin.com/in/brendanobra http://www.linkedin.com/in/brendanobra -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com mailto:puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/0cafffa8-3153-4770-8ef6-d9a0c0d4622d%40googlegroups.com https://groups.google.com/d/msgid/puppet-users/0cafffa8-3153-4770-8ef6-d9a0c0d4622d%40googlegroups.com?utm_medium=emailutm_source=footer. For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/536BAF88.9010501%40bancvue.com. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Austin Puppet User's meetup
I'm interested, and I may have a co-worker or two interested as well. Thanks! - Jeff On 02/07/2012 09:04 PM, Dan Bode wrote: Hi Austin Puppet Users, I will be in the area in a few weeks and I would like to try to get some of the local users together to talk Puppet and have a few beers. Curious about how much interest there would be for an event on the 23rd of February (location tbd). regards, Dan Bode -- You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] confused about file ensure/require
I don't think you should be specifying the files part of the source path: Try: source = puppet:///modules/ntp/ntp.conf.debian - Jeff On 06/20/2011 06:12 PM, Craig White wrote: I don't know if it is or isn't being included but the -d -e were certainly useful bits... err: /Stage[main]/Ntp/File[ntp.conf]: Could not evaluate: Could not retrieve information from source(s) puppet:///modules/ntp/files/ntp.conf.debian at /etc/puppet/modules/ntp/manifests/ntp.pp:31 notice: /Stage[main]/Ntp/Service[ntp]: Dependency File[ntp.conf] has failures: true but the file is clearly somewhere... # ls -l /etc/puppet/modules/ntp/files/ntp.conf.debian -rw-r--r-- 1 root root 535 2011-06-13 12:55 /etc/puppet/modules/ntp/files/ntp.conf.debian and as noted below, the source is indicated to be source = puppet:///modules/ntp/files/ntp.conf.debian which is the same 2 questions I started with since I have the 'Puppet Pro' book in my hand and various references on the puppetlabs documentation web pages and I was pretty much of the opinion that this should be working. Craig On Jun 20, 2011, at 3:54 PM, Ken Barber wrote: It does seem like its not being included :-) ... What does: echo # foo /etc/ntp.conf puppet apply -d -e 'include ntp' Do? ken. I thought it should work at least for the 'puppet agent' commands... # cat manifests/site.pp import templates import nodes import modules root@ubuntu:/etc/puppet# cat manifests/templates.pp class baseclass { } node default { include baseclass include ntp include facts } and the nodes all have include baseclass in them Craig -- You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
[Puppet Users] Re: execute more commands (beginner talking)
Something like the following should work: exec { subscribe-echo: command = /usr/bin/apt-get -q -q update touch /home/test , logoutput = false, refreshonly = true, subscribe = file[/etc/apt/sources.list] } - Jeff On 10/21/2009 10:09 AM, Reno wrote: exec { subscribe-echo: command = /usr/bin/apt-get -q -q update, logoutput = false, refreshonly = true, subscribe = file[/etc/apt/sources.list] } --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~--~~~~--~~--~--~---
[Puppet Users] Re: Monitoring the puppetmaster
We had this issue while we were using webrick and ended up with the following in cron running every 15 minutes: if [ `/usr/bin/puppetlast |grep -v puppetlast |sort -n -k 4 |head -n 1|awk '{print \$4}'` -ge 15 ]; then /etc/init.d/puppetmaster restart ;fi - Jeff On 09/22/2009 02:38 PM, Pete Emerson wrote: I'm using 0.24 with Webrick (in the process of migrating to 0.25 / passenger). Occasionally, the puppetmasterd becomes unavailable, and we see error messages along the lines of: Could not call puppetmaster.getconfig: #Errno::ECONNRESET: Connection reset by peer I believe the puppetmasterd does not completely die, so it is still in the process list. I'm wondering what a good way to monitor this would be. I see that I can telnet into port 8140, is there something simple I can send that would give me an indication that everything is okay or not? Any suggestions on monitoring this would be appreciated. Pete --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~--~~~~--~~--~--~---
[Puppet Users] Re: Installing a lot of packages
We're a Debian shop, with our own internal repository for controlling packages. We use the unattended-upgrades package to perform upgrades and use puppet to instantiate the whole process using a variant of the recipe at the bottom of this page: http://reductivelabs.com/trac/puppet/wiki/Recipes/Debian - Jeff On 09/14/2009 03:12 PM, ELTigre wrote: On Sep 14, 1:56 pm, Peter Meierpeter.me...@immerda.ch wrote: Hi I'd like to know at what level we can use puppet to keep systems up2date. I appreciate if you share some experiences. :-) Hi Pete, Thanks for your soon answer, We've always updated packages of principal services manually and other packages not so important automatically using some cron jobs. BUT, puppet comes to play and we have a lot of servers running in production environment. That's the reason why I'm asking the list. The updating process is complicated because you have to manually do the dirty job. We thought puppet can handle this servers's update job. But I see it's not a good idea. Does anyone in the list use puppet to handle updates on servers? :-) regards, Israel. we don't use puppet at all to keep systems up2date and I don't think it's a good idea either. Your package manager usually does a much better job. To manage bigger installations something like satellite or even an own managed package repository, which you sync with the upstream updates you need and then run a cron only against that repository might be a suitable solution. cheers pete --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~--~~~~--~~--~--~---
Solved? Re: [Puppet Users] Re: Certificate issue for puppetd on same node as puppetmasterd
My WEBrick's masterhttp.log file was telling a slightly different story: [2009-05-21 11:41:22] ERROR OpenSSL::SSL::SSLError: sslv3 alert bad certificate /usr/lib/ruby/1.8/openssl/ssl.rb:122:in `accept' As it turned out, in my /etc/puppet/manifest/site.pp file the filebucket configuration was pointing to a different puppetmaster host. Once that was fixed to reference the local puppetmaster, my cert errors went away and the manifests applied properly. Hope this helps someone. - Jeff On 05/20/2009 11:24 PM, Greg wrote: Not running Apache - I'm still using a WEBrick based setup, mostly because Apache - Mongrel isn't playing ball... But that's a different story... Further analysis has shown me that there is an error message in WEBrick's masterhttp.log file: [2009-05-21 13:54:30] ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno= 0 state=SSLv3 read client certificate A: tlsv1 alert unknown ca /opt/csw/lib/ruby/1.8/openssl/ssl.rb:166:in `accept' At first I thought it had chopped off the alert, but it appears to be complaining about the lack of a CA... The files all appear to be in order - its signing certificates happily enough... --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~--~~~~--~~--~--~---
[Puppet Users] Re: Lock file /var/lib/puppet/state/puppetdlock
We have had this happening occasionally (approx. 1 out of ~120 VMs, every other week or so) on our OpenVZ VMs as well. We're running Debian Etch, and over the past week upgraded to 0.24.5-3, so I'm keeping an eye on things to see if that resolved it for us. - Jeff Paul Lathrop wrote: On Mon, Feb 16, 2009 at 7:39 PM, Luke Kanies l...@madstop.com wrote: Otherwise I've no idea, because you're the first to run into it that I know of. Note that you should be able to run 'puppetd --enable' to remove that stale lock file. I periodically run into this issue as well; it only happens on our Xen VMs. Not sure if that helps. I just have a cron job that runs puppetd --enable on these systems. --Paul --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~--~~~~--~~--~--~---