[Puppet Users] RE: [voxpupuli] Do you have opinions on what module quality means?

2021-10-29 Thread 'Bollinger, John C' via Puppet Users
My personal number one measure of module quality is documentation, hands down.  
Nothing else comes close.

That means a README that provides a good overview of the module’s structure, 
scope, requirements, and capabilities, and a *thorough* REFERENCE(.md) 
document.  As a module quality consideration, I don’t really care whether the 
reference documentation is automatically generated.  I do care that it covers 
every public member of the module, accurately and precisely explaining the 
significance, allowed values, default values, and relationships among them.  
Strings-derived documentation can be pretty poor, so I don’t attribute much 
weight to whether docs were generated that way.  If I have to look at manifests 
or other technical artifacts to determine whether the module supports my needs 
or how to prod it into doing so then that’s a fail in my book.

Good documentary comments are high on my list for code quality, too.  
Consistent code style comes in here as well, but not so much most specific 
style choices.  A good test suite (that passes) also makes the cut, and in it, 
I would prefer to see both unit tests and functional tests.  I don’t 
particularly object to the voxpupuli puppet-lint checks, but I consider those a 
weak proxy for a subjective analysis of the module code.

I appreciate that most of that is difficult for a computer to evaluate.


John Bollinger


From: voxpup...@groups.io  On Behalf Of David Hollinger 
via groups.io
Sent: Friday, October 29, 2021 9:44 AM
To: voxpup...@groups.io
Cc: puppet-users@googlegroups.com
Subject: Re: [voxpupuli] Do you have opinions on what module quality means?

I think we are looking at a couple different discussions here:

  *   Module Quality
  *   Code Quality

I think the former is always going to be difficult to track in any meaningful 
way, largely because expectations for what a module should or shouldn't do, or 
even how it does something, are going to vary from person to person; org to 
org.

On Module quality, I would say that the Forge should just take a page from the 
playbook of things like RubyGems, NPMJS, Pypi, etc and just track some 
combination of:

  *   Homepage
  *   Downloads
  *   Likes/Stars/Forks on GitHub/Gitlab/BitBucket/etc
  *   Open Issues
  *   List of Files that are installed
  *   List of manual downloads
  *   Release history
  *   Additional useful links

On Code Quality, I think the following checks should be done:

  *   Arrow Alignment
  *   Indentation
  *   Trailing comma (either have or don't have it - standardization is good)
  *   All the checks included in 
https://github.com/voxpupuli/voxpupuli-puppet-lint-plugins/blob/master/voxpupuli-puppet-lint-plugins.gemspec

For tests use badges for the following:

  *   Unit tests with rspec-puppet
  *   Acceptance/Integration tests with Beaker/Litmus/test-kitchen
  *   A README
  *   A generated REFERENCE.md from puppet-strings
  *   Changelog that can be embedded into the Forge page

Things that I find too subjective to use as markers for quality:

  *   Use only vendor/OS provided packages:
While I can see why some would want this, I personally have not worked at a 
place that could utilize OS provided packages for a lot of non-OS level 
software. Things like Nginx, Ruby, Go, Apache, PHP, etc tend to be too old even 
in Ubuntu to use for running applications and in most cases the OS 
packages/repos have turned into just what is needed to support running 
applications that contain or install their own requirements - either via 
containerization or vendor/project provided repositories.
  *   Don't include binaries:
This one is, for me, a hard no. With Modules that include Bolt tasks, you limit 
what kinds of tasks can be included or what languages those tasks can be 
written in which could be limiting as there are a lot in the Puppet community 
not interested in learning Ruby, but want their tasks to do work that can't 
necessarily be done by bash or PowerShell scripts. So allowing those users to 
build tasks in Go, Rust, etc is a no-brainer, IMO.

Thoughts?
---
David Hollinger III
Software Engineer
WPEngine


Re: [Puppet Users] Where is source rpm for puppet6 open source rpm

2020-04-22 Thread John Sellens
Could you cheat and create /opt2/puppetlabs and a symlink
from /opt/puppetlabs -> /opt2/puppetlabs before installation?

Otherwise, you can likely unpack the rpm, and futz with it,
but I could imagine that /opt/puppetlabs is buried in a
binary or two and thus awkward to change.

Hope that helps - cheers

On Wed, 2020/04/22 06:21:51PM -0400, Trevor Vaughan  
wrote:
| Ah, you need the whole thing to be relocatable!
| 
| On Wed, Apr 22, 2020 at 3:54 PM hai wu  wrote:
| > Thank you! Unfortunately that won't work for me. The issue I have is
| > due to /opt is some NFS read-only mounts. I am wondering about how to
| > get a new RPM created for puppet-agent6, so that it could be installed
| > on some folder like /opt2 instead. Right now I could not install this
| > rpm. The other workaround is to copy whole puppet folder to that NFS
| > mount. Just thinking that modifying /opt if we have src rpm would be
| > much easier..

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/20200422234306.GA10968%40syonex.com.


Re: [External] Re: [Puppet Users] legitimate puppet code?

2020-02-11 Thread John Warburton
May I highly recommend Visual Studio Code with the puppet plugin - it picks
up all sorts of things like this before you even start testing your code

A huge leap in productivity for me!

John

On Wed, 12 Feb 2020 at 01:43, 'Prentice Bisbal' via Puppet Users <
puppet-users@googlegroups.com> wrote:

> Yup, that fixed it. Thanks for the help.
>
> Prentice
>
> On 2/10/20 4:53 PM, Ramin K wrote:
> > Looks like single quoting params is causing the problem. This passes
> > validation
> >
> >   class { 'cis::iptables::configure':
> >     level => $level,
> >     type  => $type,
> >     roles => $roles,
> >   }
> >
> > Ramin
> >
> > On 2/10/2020 12:38 PM, 'Prentice Bisbal' via Puppet Users wrote:
> >> Is this legitimate puppet code? I'm trying to pass arguments instead
> >> of using global variables (ie, don't keep looking them up in hiera).
> >> This syntax works elsewhere, but I've yet to use it within a class.
> >> When I run 'puppet parser validate', I get an error.
> >>
> >> class cis::iptables (
> >>    Integer $level,
> >>    String $type,
> >>    Array $roles ) {
> >>
> >>    include cis::iptables::install
> >>    class {'cis::iptables::configure': 'level' => $level, 'type' => $type, 'roles' => $roles}   #This line
> >>    class {'cis::iptables::service': 'level' => $level, 'type' => $type, 'roles' => $roles}   # and this line
> >> }
> >>
> >
>


-- 
John Warburton
Ph: 0417 299 600
Email: jwarbur...@gmail.com



Re: [Puppet Users] PuppetDB Using Puppetlabs Postgresql Module on Linux

2019-12-17 Thread John Warburton
You need to set it in globals. This is what we do:

class { 'postgresql::globals':
  version => $postgresql_version,
  datadir => "${postgres_top}/postgresql/data",
}

John

On Wed, 18 Dec 2019 at 01:49, Peter Krawetzky  wrote:

> I was looking through the documentation and couldn't find my answer.  I
> want to use both the PuppetDB and Postgresql supported modules to install
> and manage both.  I don't want to use the default database directory
> "/var/lib/postgresql/..." but want to specify my own.  What do I use to
> point the database directory to another physical location?  If a different
> location is specified, does the Postgresql module correctly configure
> systemctl stop/start/restart process?
>


-- 
John Warburton
Ph: 0417 299 600
Email: jwarbur...@gmail.com



Re: [Puppet Users] Accessing the list of classes assigned to a node from within puppet

2019-08-07 Thread John Warburton
Thanks Dan

But we are not using an ENC, so "classes" is not set. The lookup in site.pp
yields:
Error: Could not retrieve catalog from remote server: Error 500 on SERVER:
Server Error: Function lookup() did not find a value for the name 'classes'

I am programmatically looking for the content of
/opt/puppetlabs/puppet/cache/state/classes.txt

Thanks for looking

Regards

John

On Thu, 8 Aug 2019 at 13:11, 'Dan White' via Puppet Users <
puppet-users@googlegroups.com> wrote:

> How about a variation on this :
> # In site.pp, outside of any node definitions and below any top-scope variables:
> lookup('classes', Array[String], 'unique').include
>
> Lose the “include” and you have :
> $class_list = lookup('classes', Array[String], 'unique')
>
> —-
>
> "Sometimes I think the surest sign that intelligent life exists elsewhere
> in the universe is that none of it has tried to contact us."
>
> Bill Waterson (Calvin & Hobbes)
>
> On Aug 7, 2019, at 9:48 PM, John Warburton  wrote:
>
> Hi Everyone
>
> Back in the day of 2.x/3.x, I used to access the "classes" top scope
> variable and dump into templates - like this
> <https://groups.google.com/d/msg/puppet-users/R-y4bPTna24/BHWhi4WOJ6oJ>.
>
> I can't seem to find the equivalent in puppet 6.x. Nothing in the built in
> variables doc
> <https://puppet.com/docs/puppet/6.7/lang_facts_and_builtin_vars.html>
>
> Am I looking in the wrong place or do I have to try and access through the
> internal API
> <https://www.rubydoc.info/gems/puppet/Puppet/Resource/Catalog#classes-instance_method>
> ?
>
> Thanks
>
> John
>


-- 
John Warburton
Ph: 0417 299 600
Email: jwarbur...@gmail.com



[Puppet Users] Accessing the list of classes assigned to a node from within puppet

2019-08-07 Thread John Warburton
Hi Everyone

Back in the day of 2.x/3.x, I used to access the "classes" top scope 
variable and dump into templates - like this 
<https://groups.google.com/d/msg/puppet-users/R-y4bPTna24/BHWhi4WOJ6oJ>.

I can't seem to find the equivalent in puppet 6.x. Nothing in the built in 
variables doc 
<https://puppet.com/docs/puppet/6.7/lang_facts_and_builtin_vars.html>

Am I looking in the wrong place or do I have to try and access through the 
internal API 
<https://www.rubydoc.info/gems/puppet/Puppet/Resource/Catalog#classes-instance_method>
?

Thanks

John



Re: [Puppet Users] Registry module not working

2019-02-26 Thread John Warburton
Puppet 3 and registry simply do not work

I had to upgrade all my clients to puppet 5 to get it to work correctly

John

On Wed, 27 Feb 2019 at 05:16, Ben Ford  wrote:

> Can you include the actual error message along with this snippet of the
> stack trace?
>
> Also Puppet 3.x went EOL 787 days ago on December 31, 2016. You should
> REALLY consider upgrading, especially since your master has already been
> upgraded. It's generally recommended to run the same versions of master &
> client.
>
> On Mon, Feb 25, 2019 at 11:22 AM SUDISH MADATHIL 
> wrote:
>
>> Error: /Stage[main]/Firewallon/Registry_value[hklm\Software\Pluralsight1\PuppetOnWindows]: Could not evaluate: undefined method `RegQueryValueExW' for Puppet::Util::Windows::Registry:Module
>>
>> Issue when trying to use registry module specific to updating values in
>> registry. Can you help with this message?
>>
>> Puppet master version : - 4.10.12
>> Puppet client/agent version :- 3.8.7
>>
>> Trace logs: -
>>
>> C:/ProgramData/PuppetLabs/puppet/var/lib/puppet/provider/registry_value/registry.rb:38:in `block (2 levels) in exists?'
>> C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/util/windows/api_types.rb:30:in `block in from_string_to_wide_string'
>> C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/util/windows/api_types.rb:26:in `initialize'
>> C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/util/windows/api_types.rb:26:in `new'
>> C:/Program Files/Puppet Labs/Puppet/puppet/lib/puppet/util/windows/api_types.rb:26:in `from_string_to_wide_string'
>> C:/ProgramData/PuppetLabs/puppet/var/lib/puppet/provider/registry_value/registry.rb:37:in `block in exists?'
>> C:/Program Files/Puppet Labs/Puppet/sys/ruby/lib/ruby/2.0.0/win32/registry.rb:389:in `open'
>> C:/Program Files/Puppet Labs/Puppet/sys/ruby/lib/ruby/2.0.0/win32/registry.rb:496:in `open'
>>
>> Thanks.
>>


-- 
John Warburton
Ph: 0417 299 600
Email: jwarbur...@gmail.com



Re: [Puppet Users] Re: Puppet Certificate Issues

2018-11-21 Thread John Gelnaw

I had difficulties with the stock puppetdb entrypoint script.  I wound up 
changing it thusly:

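#!/bin/bash

if [ ! -d "/etc/puppetlabs/puppetdb/ssl" ]; then
  set -e
  # Make the agent's certname match the container hostname
  /opt/puppetlabs/bin/puppet config set certname "${HOSTNAME}"
  if [ ! -f "/etc/puppetlabs/puppet/ssl/certs/ca.pem" ]; then
    # Wait until the puppet server accepts connections on port 8140
    while ! nc -z puppet 8140; do
      sleep 1
    done
    # Request a certificate and wait up to 120 seconds for it to be signed
    /opt/puppetlabs/bin/puppet agent --verbose --onetime --no-daemonize \
      --waitforcert 120
  fi
  # Build the puppetdb SSL configuration from the agent's certificates
  /opt/puppetlabs/server/bin/puppetdb ssl-setup -f
fi

exec /opt/puppetlabs/server/bin/puppetdb "$@"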

And in case it helps, here's the docker-compose stanza for puppetdb:

  puppetdb:
    hostname: puppetdb
    #image: puppet/puppetdb:4.4.0
    build: builds/puppetdb
    ports:
      - 8080
      - 8081
    volumes:
      - ./puppetdb/ssl:/etc/puppetlabs/puppet/ssl/

Note that I'm using a local build (I did the same for puppet itself, but 
that's because we have a number of local customizations) instead of an 
official image.

And the Dockerfile I used to build puppetdb:

FROM puppet/puppetdb:4.4.0
 
EXPOSE 8080 
EXPOSE 8081 
 
COPY docker-entrypoint.sh / 
 
VOLUME /etc/puppetlabs/puppet/ssl 
VOLUME /etc/puppetlabs/puppetdb 
 
ENTRYPOINT ["/docker-entrypoint.sh", "foreground"]

So basically, I'm using the official image, but I'm overwriting the 
docker-entrypoint.sh with my own version.

The important part is definitely the puppet config line to set the hostname 
to match the container.  

The filetest for ca.pem was something I put in to prevent a certain 
condition that may have been unique to my environment-- apparently it was 
possible to have a local certificate already, but not a (persistent) 
puppetdb ssl configuration.



Re: [Puppet Users] Puppet 4 open source EOL

2018-08-15 Thread John Gelnaw
On Wednesday, August 15, 2018 at 12:54:02 PM UTC-4, Branan Purvine-Riley 
wrote:
>
> That's correct. At this point we have no more scheduled PC1 releases, and 
> would only do one for a security issue. In October we will stop releasing 
> it entirely.
>
> The new PE LTS release is based on puppet-agent 5.5.z, so that release 
> will be receiving fixes until May of 2020. We are also planning to have 
> Puppet 6 available in the fall.
>

Would you mind terribly doing one last PC1 release for Bionic, and thus 
save my sanity until I get moved to puppet 5.x?

:)

Deploying Ubuntu 18.04 in my environment is currently a mess due to lack of 
official PC1 packages, and now that mcollective has been deprecated, my 
migration path to puppet 5.x is more complicated.
 



[Puppet Users] Hiera mod not working

2018-08-02 Thread John
I've got a puppet instance where I'm trying to setup a hiera job to modify 
a file managed by puppet.  The file is /etc/security/access.conf.  The file 
looks like (some details removed):

[root@util nodes]# more hostx.yaml
X::os::auth::access: '+ : USERACCOUNT : ALL'
X::os::auth::access: '- :ALL EXCEPT root wheel jboss G X-wheel 
X-local-it X-net-admin X-app-admin X-app-support : ALL 
EXCEPT LOCAL'

[root@util nodes]#

it does not work. Here is a Hiera config that does work:


[root@util nodes]# more  hostz.yaml
X::os::timezone::zone: 'US/Central'
[root@util nodes]#

If I run puppet agent with a --verbose I get the following (snippet) in the 
output:

Debug: 
/Stage[main]/X::Os::Auth::App/X::Os::Auth::Access[app_access]/Concat::Fragment[frag_sec_access_app_access]/File[/opt/puppetlabs/puppet/cache/concat/_etc_security_access.conf/fragments/200_frag_sec_access_app_access]:
 
Adding autorequire relationship with 
File[/opt/puppetlabs/puppet/cache/concat/_etc_security_access.conf/fragments]

The timezone mod works, but not the one for /etc/security/access.conf.  Any 
advice or hints would be appreciated.

TIA



[Puppet Users] Re: exec resource stuck during the install of an Oracle Client on Windows

2018-06-12 Thread John Gelnaw

If I recall, you should be able to do something similar with the "start" 
command under cmd.exe:

start /wait 

Which is effectively what you're doing under powershell.



Re: [Puppet Users] puppet cert clean cleaning over and over

2018-05-16 Thread John Warburton
These are held in the CA inventory .../puppet/ssl/ca/inventory.txt

See
https://ask.puppet.com/question/25818/how-to-manage-size-of-inventorytxt/
for a discussion about cleaning it up, but essentially - delete your test
host entries here

John

On 23 April 2018 at 00:32, Marc Haber  wrote:

> Hi,
>
> I do have a certain host that I use for testing. It thus gets deleted
> and re-created (in Foreman) over and over again. Eventually, rebuilding
> the host times out at the puppet cert clean state.
>
> Foreman issues "puppet cert clean FQDN". When I invoke that from the
> command line, I get "Notice: Revoked certificate" for a number of
> serials, filling screens:
>
> Notice: Revoked certificate with serial 4898
> Notice: Revoked certificate with serial 4903
> Notice: Revoked certificate with serial 4904
> Notice: Revoked certificate with serial 4945
> Notice: Revoked certificate with serial 4946
> Notice: Revoked certificate with serial 5149
>
> When the foreman cert clean has eventually finished, the foreman-proxy
> has timed out in the mean time, and the build fails. Repeating the
> puppet cert clean results in the same serials being revoked again and
> again.
>
> Is there a method to clean up the puppet CA so that puppet cert clean
> doesn't try revoking certificates that do no longer exist at all?
>
> There is no file matching the FQDN in /var/lib/puppet/ssl at all.
>
> Greetings
> Marc
>
> --
> 
> -
> Marc Haber | "I don't trust Computers. They | Mailadresse im Header
> Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
> Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
>



-- 
John Warburton
Ph: 0417 299 600
Email: jwarbur...@gmail.com
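
An added example, not part of the original message, for finding a test host's entries in the CA inventory before deleting them. It assumes the usual inventory.txt line layout (hex serial, not-before, not-after, /CN=certname); the host names, sample lines and function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: inspect and prune entries for one certname in a Puppet CA
# inventory.txt. Assumed line layout:
#   <hex serial> <not-before> <not-after> /CN=<certname>

# inventory_serials INVENTORY CERTNAME
# Print, in decimal, every serial the inventory records for CERTNAME.
inventory_serials() {
    awk -v want="/CN=$2" '
        # The subject is everything after the third field; it may contain
        # spaces (for example the CA line), so do not rely on $4 alone.
        { subj = $0; sub(/^[^ ]+ +[^ ]+ +[^ ]+ +/, "", subj) }
        subj == want { print $1 }
    ' "$1" | while read -r hex; do
        printf '%d\n' "$hex"
    done
}

# inventory_without INVENTORY CERTNAME
# Print the inventory with every entry for CERTNAME dropped. The original
# file is not modified; review the output before replacing anything.
inventory_without() {
    awk -v want="/CN=$2" '
        { subj = $0; sub(/^[^ ]+ +[^ ]+ +[^ ]+ +/, "", subj) }
        subj != want { print }
    ' "$1"
}

# Constructed sample: a CA line, a test host issued three times, one other host.
sample_inventory() {
    cat <<'EOF'
0x0001 2018-01-01T00:00:00UTC 2023-01-01T00:00:00UTC /CN=Puppet CA: puppet.example.test
0x1322 2018-04-01T10:00:00UTC 2023-04-01T10:00:00UTC /CN=testhost.example.test
0x1327 2018-04-02T10:00:00UTC 2023-04-02T10:00:00UTC /CN=testhost.example.test
0x0042 2018-04-03T10:00:00UTC 2023-04-03T10:00:00UTC /CN=web01.example.test
0x141d 2018-04-20T10:00:00UTC 2023-04-20T10:00:00UTC /CN=testhost.example.test
EOF
}

# Demo on the constructed sample: sh this-script --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    sample_inventory > "$tmp"
    echo "serials recorded for testhost.example.test:"
    inventory_serials "$tmp" testhost.example.test
    echo "inventory with those entries removed:"
    inventory_without "$tmp" testhost.example.test
    rm -f "$tmp"
fi
```

Run it against a copy of the inventory and keep a backup of the original before replacing it.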



[Puppet Users] Re: How to Orchestrate State, such as use IPs of new systems for config other systems

2018-05-01 Thread John Gelnaw
On Friday, April 27, 2018 at 9:31:24 PM UTC-4, Joaquin Menchaca wrote:
>
> Hello Puppeteers,
>
> Relearning Puppet (converting Ansible, Chef knowledge), not sure best 
> approach for this.  How can I configure systems based on state of another 
> system?   Essentially, I would use a tool like Terraform to bring up 
> systems.  When their IP addresses are available, I would then use that 
> information (their IP address) to configure other systems.
>
> I have two simple use cases:
>
>1. local repository, and if up and available, want to configure all 
>clients, e.g. java clients, to use this system (such as /etc/hosts with 
>download.oracle.com)
>2. elastic search cluster where the elasticsearch.yml has ip addresses 
>of all nodes within the cluster.
>
>
An ENC that queries puppetdb would work.  In theory, you could also query 
something like mcollective-- but as the devs say, that's in kind of a shaky 
state.

What *is* the status of choria?  I've been using mcollective for a long 
time-- it's auto-deployed on all of my puppet nodes and in my environment 
"just works", so I've been reluctant to yank out a system that works and 
replace it with something that's under heavy development, but obviously, I 
can't stay on the mcollective path forever (btw - this is the first I've 
heard it's been dropped from Puppet 6, although I haven't been following 
puppet 6 development closely). 



[Puppet Users] Re: puppet "package" resource type for multi-file installer

2018-04-23 Thread John Gelnaw

refreshonly and notify are your friends.

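# A change to the managed zip file triggers the unzip exec
file { 'zipfile':
  notify => Exec['unzip'],
  source => 'file:///downloads/someZipFile.zip',
}

# Runs only when notified by the file resource, then triggers the installer
exec { 'unzip zipfile -d /some/file':
  alias       => 'unzip',
  refreshonly => true,
  notify      => Exec['installer'],
}

# Runs only when notified by the unzip exec
exec { '/some/file/setup.exe /a':
  alias       => 'installer',
  refreshonly => true,
}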

Nice thing about this setup is if you change the local zip file, it'll 
redownload, extract and run setup again, making a nice upgrade / reinstall 
process.



Re: [Puppet Users] Re: Unable to run source using 'exec' resource

2018-04-23 Thread John Gelnaw

jcbollinger has it right.  You're setting environment variables, and then 
exiting the environment.

Here's what is effectively happening:

# bash
# source ./opensh.rc
# echo $OS_TOKEN
fbed3beb36960f2b3e1b
# exit
# echo $OS_TOKEN

#

When you tell Puppet to do an exec, it spawns a new instance of the shell 
(Probably bash), sets the path based on the path attribute, sets any 
variables in "environment", and executes your command.

Then the shell exits.

Your environment variables set via your script only exist within the scope 
of that (ephemeral) shell, so as soon as it exits, the variables go bye-bye 
as well.

Instead, consider this off-the-cuff example (Disclaimer:  I know nutzing 
about openstack!):

exec { 'openstack server create':
  cwd         => '/root',
  path        => '/bin:/sbin:/usr/bin:/usr/sbin',
  # Each entry is passed as a literal KEY=value string, with no shell quoting
  environment => [
    'OS_TOKEN=fbed3beb36960f2b3e1b',
    'OS_URL=http://openstack:35357/v3',
    'OS_IDENTITY_API_VERSION=3',
  ],
}

Which should pass the environment variables you want to the process you 
want to actually exec.



[Puppet Users] Re: Can I use Puppet to run system updates?

2018-03-22 Thread John Gelnaw
On Monday, April 13, 2009 at 2:23:06 PM UTC-4, thierry.th...@gmail.com 
wrote:
>
> Hello, 
>
> Reading the doc I could not find if Puppet could help running system 
> updates.
>

Help, yes.  But I'd advise against trying to do them directly in puppet.
 

> I would like to get started with several VMWare guests and few hosts, 
> all running CentOS. Some are 32bits, some 64bits. These are mostly 
> VMWare server installations; just starting ESXi with one system. They 
> are running different apps/configurations. 
>
> Of course there are few issues with: 
>
> 1- VMWare tools that want to be sometimes recompiled on Linux. There 
> is a trick to avoid the recompilation: 
>
> http://vmetc.com/2008/08/31/automating-vmware-tools-installs-and-upgrades-in-linux-guests/
>  
> but maybe this could be taken care of with Puppet? 
>

Switch to open-vm-tools.  It's what VMWare recommends now, and should be 
provided by your distro.

https://kb.vmware.com/s/article/2073803
 

> 2- VMWare server on the host sometimes does not restart after a kernel 
> update. It also need to be recompiled. Of course the VM Guests are 
> down. 
>
> 3- The host kernel updates might require reboot, shutting down guests. 
>

I have a script for doing updates that I deploy via puppet, and schedule, 
via puppet.

But the script is a bash script that grabs the time/date of the current 
kernel (well, the modification time of /boot, which is more aggressive), 
runs the yum update, and compares the new modification time of /boot.  If 
they're different, it reboots. 

You can then set the guests to autostart at boot time-- or autostart puppet 
at boot time, if you're using that to manage guests.

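A sketch of the update-then-reboot-if-/boot-changed script described in the message above, as an added example rather than the poster's actual script. The function names and the WATCH_DIR, UPDATE_CMD and REBOOT_CMD variables (with their defaults) are assumptions, and `stat -c %Y` assumes GNU coreutils, as on CentOS.

```shell
#!/bin/sh
# Added example: update, then reboot only if the watched directory changed.
# WATCH_DIR, UPDATE_CMD and REBOOT_CMD are assumed names with assumed defaults.
WATCH_DIR=${WATCH_DIR:-/boot}
UPDATE_CMD=${UPDATE_CMD:-yum -y update}
REBOOT_CMD=${REBOOT_CMD:-shutdown -r +1}

# Modification time of a path, in seconds since the epoch (GNU stat).
# A directory's mtime changes when entries are added, removed or renamed,
# so any package that drops a file into /boot trips it, not only a kernel.
dir_mtime() {
    stat -c %Y "$1"
}

# Run the update and compare the mtime before and after.
# Returns 0 if a reboot is needed, 1 if not, 2 if the update failed.
update_needs_reboot() {
    before=$(dir_mtime "$WATCH_DIR") || return 2
    # Unquoted on purpose so the command string splits into words.
    $UPDATE_CMD || return 2
    after=$(dir_mtime "$WATCH_DIR") || return 2
    [ "$before" != "$after" ]
}

main() {
    status=0
    update_needs_reboot || status=$?
    case $status in
        0) logger -t auto-update "$WATCH_DIR changed, rebooting"
           $REBOOT_CMD ;;
        1) logger -t auto-update "$WATCH_DIR unchanged, no reboot" ;;
        *) logger -t auto-update "update failed, not rebooting"
           return 1 ;;
    esac
}

# Nothing runs unless the script is called with --run.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

A failed update is kept separate from "nothing changed" so that a broken repository never triggers a reboot.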


Re: [Puppet Users] Need help with puppetdb query from manifest using puppetdb_query (PQL)

2018-02-15 Thread John Bishop
Thank you very much for the great explanation.  :)


On Thursday, February 15, 2018 at 3:07:34 PM UTC-8, Nick Lewis wrote:
>
> On Thu, Feb 15, 2018 at 2:11 PM John Bishop wrote:
>
>> Hello,
>>
>>I'm new to using PQL and i'm having a bit of difficulty.   I'm trying 
>> to return the ipaddress of any node where the value of three trusted facts 
>> (pp_application, pp_role and pp_environment) meets some criteria.
>>
>> I have a query which will return only the nodes that i care about,  but 
>> I'm having a problem structuring the query to also return the top level 
>> ipaddress fact with the results.  Any help would be appreciated.  Thank 
>> you. 
>>
>> $test_query = '["from", "facts",
>>  ["and",
>>["subquery", "fact_contents",
>>["and",
>>  ["~>", "path", ["trusted", "extensions", 
>> "pp_application"]],
>>  ["=", "value", "someapp"]]],
>>["subquery", "fact_contents",
>>["and",
>>  ["~>", "path", ["trusted", "extensions", "pp_role"]],
>>  ["=", "value", "appserver"]]],
>>["subquery", "fact_contents",
>>["and",
>>  ["~>", "path", ["trusted", "extensions", 
>> "pp_environment"]],
>>  ["=", "value", "development"]]'
>>
>>
> In PuppetDB, a "fact" is an entry with [certname, environment, name, 
> value]. A subquery between "facts" and "fact_contents" means "find facts 
> whose value matches this fact_contents query". In this case, that will 
> return the "trusted" fact. You then want to lookup the corresponding 
> "ipaddress" fact for matching nodes. Since you're really looking up the 
> value of one fact using a query based on another fact, you want to use your 
> existing query as a fact subquery.
>
> ["from", "facts",
>   ["and",
>     ["=", "name", "ipaddress"],
>     ["subquery", "facts",
>       ["and",
>         ["subquery", "fact_contents",
>           ["and",
>             ["~>", "path", ["trusted", "extensions", "pp_application"]],
>             ["=", "value", "someapp"]]],
>         ["subquery", "fact_contents",
>           ["and",
>             ["~>", "path", ["trusted", "extensions", "pp_role"]],
>             ["=", "value", "appserver"]]],
>         ["subquery", "fact_contents",
>           ["and",
>             ["~>", "path", ["trusted", "extensions", "pp_environment"]],
>             ["=", "value", "development"]]]]]]]
>
>
> The facts subquery will restrict the outer facts query to return facts 
> only for nodes that match the subquery.
>
> However, there's a more straightforward way to achieve this using PQL 
> <https://puppet.com/docs/puppetdb/5.1/api/query/v4/pql.html> rather than 
> the AST query language 
> <https://puppet.com/docs/puppetdb/5.1/api/query/v4/ast.html> you're using.
>
> facts[certname, value] {
>   name = "ipaddress" and
>   certname in inventory[certname] {
>     trusted.extensions.pp_application = 'someapp' and
>     trusted.extensions.pp_role = 'appserver' and
>     trusted.extensions.pp_environment = 'development'
>   }
> }
>
>
> This query uses the inventory entity to find nodes with the three specific 
> trusted extensions, and then looks up the ipaddress fact for each of those 
> nodes and returns the node name and the value of the ipaddress fact.
>
> I don't have an environment available with those particular trusted 
> extensions in use, so I can't verify it's 100% correct, but it should at 
> least be on the right track.
>
> $test_results = puppetdb_query($test_query)
>>
>> Notify { '*** query results ***\r':
>>   message => "data: ${test_results}",
>> }
>>
>



[Puppet Users] test

2018-02-15 Thread John Bishop
This message won't appear on the webpage.



[Puppet Users] Need help with puppetdb query from manifest using puppetdb_query (PQL)

2018-02-15 Thread John Bishop
Hello,

   I'm new to using PQL and I'm having a bit of difficulty.   I'm trying to 
return the ipaddress of any node where the value of three trusted facts 
(pp_application, pp_role and pp_environment) meets some criteria.

I have a query which will return only the nodes that I care about,  but I'm 
having a problem structuring the query to also return the top level 
ipaddress fact with the results.  Any help would be appreciated.  Thank 
you. 

$test_query = '["from", "facts",
  ["and",
    ["subquery", "fact_contents",
      ["and",
        ["~>", "path", ["trusted", "extensions", "pp_application"]],
        ["=", "value", "someapp"]]],
    ["subquery", "fact_contents",
      ["and",
        ["~>", "path", ["trusted", "extensions", "pp_role"]],
        ["=", "value", "appserver"]]],
    ["subquery", "fact_contents",
      ["and",
        ["~>", "path", ["trusted", "extensions", "pp_environment"]],
        ["=", "value", "development"]]]]]'

$test_results = puppetdb_query($test_query)

Notify { '*** query results ***\r':
  message => "data: ${test_results}",
}



Re: [Puppet Users] Puppet 5 Stdlib IP address parsing

2018-02-15 Thread John Baird
Do you have any recommendations for validating a custom top-scope fact?  
Meaning, it's not a module scope, how can I verify a top-scope variable if 
I can't put that in the class params?

On Thursday, February 15, 2018 at 8:01:57 AM UTC-6, R.I. Pienaar wrote:
>
>
>
> On Thu, 15 Feb 2018, at 14:50, John Baird wrote: 
> > R.I, 
> > 
> > Can you point me to some docs on exactly how to use those?  I have 
> looked 
> > and I only see references to using them, but not how to actually use 
> them 
> > within a manifest for validation.  Any places you can point me to would 
> be 
> > much appreciated! 
>
> class thing( 
>   Stdlib::Compat::Ipv4 $ipaddress 
> ) { 
>
> } 
>
> this is how you tell it the class param has to be a ipv4, any attempt to 
> pass anything else is a compile error 
>
> https://puppet.com/docs/puppet/5.3/lang_data_type.html 
>
> > 
> > Also, thanks for all of the useful modules you have written over the 
> years, 
> > I recognized your name instantly!  Thanks for getting back to me! 
> > 
> > John Baird 
> > 
> > On Thursday, February 15, 2018 at 12:19:30 AM UTC-6, R.I. Pienaar wrote: 
> > > 
> > > Use the Stdlib::Compat::Ipv4, ::Ipv6 and ::Ip_address data types 
> > > 
> > > --- 
> > > R.I.Pienaar 
> > > 
> > > On 15 Feb 2018, at 01:41, John Baird wrote: 
> > > 
> > > 
> > > According to the stdlib docs, "is_ip_address" is deprecated.  There is 
> no 
> > > mention of how to replace it without using "validate_legacy" which 
> itself 
> > > will ultimately be deprecated. 
> > > 
> > > Is there a better/proper approach to validating IPv4 and/or IPv6 
> syntax 
> > > with Puppet 5 ? 
> > > ` 
> > > is_ip_address 
> > > 
> > > *Deprecated. Will be removed in a future version of stdlib. 
> > > See validate_legacy 
> > > <https://forge.puppet.com/puppetlabs/stdlib#validate_legacy>.* 
> > > 
> > > Returns true if the string passed to this function is a valid IP 
> address. 
> > > 
> > > *Type*: rvalue. 
> > > 
> > > ` 
> > > 
> > > 
> > 
>
>
> -- 
> R.I.Pienaar / www.devco.net / @ripienaar 
>



Re: [Puppet Users] Puppet 5 Stdlib IP address parsing

2018-02-15 Thread John Baird
Ok, that works.  I appreciate the response, thanks!


On Thursday, February 15, 2018 at 8:01:57 AM UTC-6, R.I. Pienaar wrote:
>
>
>
> On Thu, 15 Feb 2018, at 14:50, John Baird wrote: 
> > R.I, 
> > 
> > Can you point me to some docs on exactly how to use those?  I have 
> looked 
> > and I only see references to using them, but not how to actually use 
> them 
> > within a manifest for validation.  Any places you can point me to would 
> be 
> > much appreciated! 
>
> class thing( 
>   Stdlib::Compat::Ipv4 $ipaddress 
> ) { 
>
> } 
>
> this is how you tell it the class param has to be a ipv4, any attempt to 
> pass anything else is a compile error 
>
> https://puppet.com/docs/puppet/5.3/lang_data_type.html 
>
> > 
> > Also, thanks for all of the useful modules you have written over the 
> years, 
> > I recognized your name instantly!  Thanks for getting back to me! 
> > 
> > John Baird 
> > 
> > On Thursday, February 15, 2018 at 12:19:30 AM UTC-6, R.I. Pienaar wrote: 
> > > 
> > > Use the Stdlib::Compat::Ipv4, ::Ipv6 and ::Ip_address data types 
> > > 
> > > --- 
> > > R.I.Pienaar 
> > > 
> > > On 15 Feb 2018, at 01:41, John Baird wrote: 
> > > 
> > > 
> > > According to the stdlib docs, "is_ip_address" is deprecated.  There is 
> no 
> > > mention of how to replace it without using "validate_legacy" which 
> itself 
> > > will ultimately be deprecated. 
> > > 
> > > Is there a better/proper approach to validating IPv4 and/or IPv6 
> syntax 
> > > with Puppet 5 ? 
> > > ` 
> > > is_ip_address 
> > > 
> > > *Deprecated. Will be removed in a future version of stdlib. 
> > > See validate_legacy 
> > > <https://forge.puppet.com/puppetlabs/stdlib#validate_legacy>.* 
> > > 
> > > Returns true if the string passed to this function is a valid IP 
> address. 
> > > 
> > > *Type*: rvalue. 
> > > 
> > > ` 
> > > 
> > > 
> > 
>
>
> -- 
> R.I.Pienaar / www.devco.net / @ripienaar 
>



Re: [Puppet Users] Puppet 5 Stdlib IP address parsing

2018-02-15 Thread John Baird
R.I,

Can you point me to some docs on exactly how to use those?  I have looked 
and I only see references to using them, but not how to actually use them 
within a manifest for validation.  Any places you can point me to would be 
much appreciated!

Also, thanks for all of the useful modules you have written over the years, 
I recognized your name instantly!  Thanks for getting back to me!

John Baird

On Thursday, February 15, 2018 at 12:19:30 AM UTC-6, R.I. Pienaar wrote:
>
> Use the Stdlib::Compat::Ipv4, ::Ipv6 and ::Ip_address data types 
>
> ---
> R.I.Pienaar
>
> On 15 Feb 2018, at 01:41, John Baird wrote:
>
>
> According to the stdlib docs, "is_ip_address" is deprecated.  There is no 
> mention of how to replace it without using "validate_legacy" which itself 
> will ultimately be deprecated.
>
> Is there a better/proper approach to validating IPv4 and/or IPv6 syntax 
> with Puppet 5 ?
> `
> is_ip_address
>
> *Deprecated. Will be removed in a future version of stdlib. 
> See validate_legacy 
> <https://forge.puppet.com/puppetlabs/stdlib#validate_legacy>.*
>
> Returns true if the string passed to this function is a valid IP address.
>
> *Type*: rvalue.
>
> `
>



[Puppet Users] Puppet 5 Stdlib IP address parsing

2018-02-14 Thread John Baird

According to the stdlib docs, "is_ip_address" is deprecated.  There is no 
mention of how to replace it without using "validate_legacy" which itself 
will ultimately be deprecated.

Is there a better/proper approach to validating IPv4 and/or IPv6 syntax 
with Puppet 5 ?
`
is_ip_address

*Deprecated. Will be removed in a future version of stdlib. 
See validate_legacy 
.*

Returns true if the string passed to this function is a valid IP address.

*Type*: rvalue.

`



Re: [Puppet Users] Re: Puppet Agent Hang when PuppetServer Crashes...

2018-01-05 Thread John Sellens
Hi Josh - thanks for the info.

Can I make an assertion that having the default read timeout be unlimited
is a mistake?  In practical terms, anything over 60 seconds means
something is broken.

Could I suggest (without having to go and update the bug because I'm a
bad bad lazy person) that along with the watchdog you change the default
timeout to, say, 5 minutes?  That's effectively infinite, but would
likely keep things from getting stuck.

(I wrote some tools back in the early puppet 3 days to run puppet the
way I wanted, and of course I included a timeout on the total run time.
There were some interesting failure modes back in the olden days.)

Thanks - cheers!

John



On Fri, 2018/01/05 11:53:12AM -0800, Josh Cooper  wrote:
| In Puppet 4 we added settings for configuring http connect and read
| timeouts independently[1]. Previously they were both controlled by the
| configfiletimeout. The default read timeout is unlimited, so the hung agent
| may be stuck in a socket read. You might want to strace the stuck agent to
| see what it's up to.
| 
| In our upcoming 4.10.x/5.3.x releases, we've added a watchdog to kill a
| stuck run[2].
| 
| Josh
| 
| [1] https://tickets.puppetlabs.com/browse/PUP-3666
| [2] https://tickets.puppetlabs.com/browse/PUP-7517
| 
| -- 
| Josh Cooper | Software Engineer
| j...@puppet.com | @coopjn
| 



[Puppet Users] Re: Puppet Agent Hang when PuppetServer Crashes...

2018-01-01 Thread John Gelnaw
On Monday, January 1, 2018 at 5:52:10 PM UTC-5, Matt Wise wrote:
>
> *Puppet Agent: 5.3.2*
> *Puppet Server: 5.1.4 - Packaged in Docker, running on Amazon ECS*
>

I'm running a docker-compose based puppet setup, and had the same problem.  
Short version was to increase the java heap size for the JRuby instances 
for puppetserver.

Using the docker-compose.yml, I added:

environment: 
  - PUPPETSERVER_JAVA_ARGS=-Xmx1024m 

to the puppet stanza, which gets passed to the puppetserver init script.

We also increased the number of JRuby instances to 7, but that might be 
overkill (roughly 200-250 nodes).  That also means 8 gigs of memory on the 
docker host.

The agents would eventually time out, but I seem to recall it was on the 
order of hours for the timeout.



[Puppet Users] Re: Conditional actions based on result of other actions?

2017-12-27 Thread John Gelnaw

Most of your examples we handle through something like ossec and a 
monitoring package, but you could theoretically do something like:

require pkg::wget

if (! defined(Package['wget'])) {
  exec { 'command':
  }
}

... which *should* require the resource 'pkg::wget' to be compiled first, 
and then test for the package to be defined.

Unfortunately, my personal experience is that while puppet is very good at 
using conditional logic to generate a catalog, it's not very good at 
generating a catalog that contains conditional logic.

However, the idea of an "onFailure" meta-parameter intrigues me-- similar 
to notify, but only triggers the target resource if the source resource 
fails.



[Puppet Users] Re: Can puppet master and agent communicate with certificates

2017-12-15 Thread John Gelnaw
On Friday, December 15, 2017 at 8:22:34 AM UTC-5, Harish Kothuri wrote:
>
> Hi,
>
> Is there a way, we can disable puppet CA completely and have PM and PA 
> communicates seamlessly?
>

What's the point in using certificates if you're going to disable the only 
mechanism for verifying them? 



[Puppet Users] Re: Disable Puppet Agent SSL Authentication

2017-10-27 Thread John Gelnaw

We solved a similar problem by copying the host's cert and keys off to a 
separate server, and then as part of the build process, we (re)downloaded 
the client's cert/keys.

All of ours was done with scp and host keys, since it was linux based, but 
no reason you can't do something similar with windows.



[Puppet Users] Puppet Feature Request (lookup with keys containing ".")

2017-10-04 Thread John Baird
Problem:
  So, currently as has been explained to me, doing a lookup with keys 
containing "." chops the key at first "." because of scoping and 
namespace.  This makes file-based lookups impossible (as far as I can 
tell).  I would like to be able to use HTTP or other backends to serve 
files, which by their very nature WILL contain file extensions.

lookup('/path/to/somefile.txt') will lookup "/path/to/somefile" 

Expectation:
  While I understand that changing the very function of lookup to 
accommodate this is out of scope, I would still think that providing a way 
to tell lookup to NOT chomp or namespace the lookup would be appropriate?  

Something like "lookup('/path/to/somefile.txt', scope=false)"... In this 
manner, the user and more specifically, each lookup call can determine 
whether or not to include the dotted key.

Is this something we could push forward?  How would I go about doing that ?



Re: [Puppet Users] Re: Hiera 5 + Puppet 5 File Backend

2017-09-22 Thread John Baird
Justin,

I would love to see what you have done.  Would you be willing to send me 
what you've written?  It's possible I could extend what you've done to 
resolve my huge lingering issue, which is being able to do some sort of 
file-based lookup WITH file extensions (as default lookup behavior chops at 
first '.').  Feel free to message directly if you wish.  Thanks for 
anything you can send my way!


On Saturday, September 16, 2017 at 3:02:10 AM UTC-5, Justin DynamicD wrote:
>
> I had a similar but "not quite the same" challenge.  Basically I just 
> added a custom ruby function to let you parse the data you're looking for. 
>  So in addition to lookup (), I now have things like consul_servicenames() 
> which dumps all services presented by a host in an array format (handy for 
> if $a in $b scenarios).  It basically means building a few custom parsers 
> in ruby into your backend module to cover common lookup "Styles" that match 
> your CM layout.  By storing them all in the backend module they are 
> available essentially globally and simply called differently.
>
>
>
> On Friday, September 15, 2017 at 10:18:03 AM UTC-7, John Baird wrote:
>>
>> Right, and that's exactly my concern with NOT being able to do exactly 
>> that.
>>
>> Scenarios
>> 1.  I wish to lookup a URI that is to be configured for a module.  The 
>> module name here is obviously not important, but let's call it "mymodule".  
>> In the manifest, I wish to lookup ssh keys being served up by Consul (as I 
>> am currently doing).  I would like to simply lookup('username') where 
>> 'username' is the user whose public key I would like to authorize onto my 
>> system.
>> 1a. This means, lookup('username') will only work for top scope.
>> 1b. Option 1, change scope of lookup.  my lookup now needs to be 
>> "sshkeys::username", but now my URI lookup path is going to be 
>> "/path/to/some/uri/sshkeys::username" in consul.  Surely there's a better 
>> way than having a bunch of k/v pairs with namespaced keys in them ?
>> 1c. Option 2, everything is top scope when I care about doing URI lookups.
>> 1d. This would be fine except if now I want to have a list of all active 
>> users on the system as a simple list in another module.  Now whichever URI 
>> path is first will return the data, and not necessarily the appropriate 
>> data for the lookup.
>>
>> I understand that it's not supposed to work the way it used to, but come 
>> on, this functionality almost seems commonplace.  Using an HTTP or file 
>> backend is CRITICAL in many ecosystems.
>>
>> I suppose I can write some regsub on the lookup to parse out the 
>> namespace prior to appending it to the URI, but that seems insanely 
>> hackish...  Personally, if I do a lookup from within a module, it should 
>> automatically append the current namespace to it for lookup, then this 
>> issue goes away.
>>
>> On Friday, September 15, 2017 at 10:54:19 AM UTC-5, Henrik Lindberg wrote:
>>>
>>> On 15/09/17 16:46, John Baird wrote: 
>>> > I just realized, while doing some other hiera work with a custom HTTP 
>>> > backend, that this won't work.  It's the same problem I have with the 
>>> > way scoping works for the HTTP backend.  If I don't specify the 
>>> lookup() 
>>> > key in the manifest with a scope, then puppet ONLY uses GLOBAL and 
>>> > ENVIRONMENT scope and ignores module scope.  This seems undesired.  In 
>>> > that manner, I would have to have my filenames (in the case of file 
>>> > backend) or URIs (as is the case with HTTP backend) contain module 
>>> > scoping in the lookup, so my filename would become 
>>> > lookup('somemodule::somefile.txt') which would THEN have to actually 
>>> > exist in that lookup... 
>>> > 
>>>
>>> yes, modules cannot bind to names in the global (top) name space. 
>>> If they could they would have the potential to step on each other and it 
>>> will become impossible to resolve a lookup without visiting every module 
>>> on the modulepath for every lookup. 
>>>
>>> hiera is not ignoring module scope - it is simply illegal to try to bind 
>>> to anything that is not in the module's namespace. 
>>>
>>> > I would expect Puppet to use module scope when a lookup is performed 
>>> > within the module if scope is not specified for this lookup. 
>>>
>>> It simply does not work that way. There are no "relative keys". 
>>>
>>> - henrik 
>>>
>>> -- 
>>>
>>> Visit my Blog "Puppet on the Edge" 
>>> http://puppet-on-the-edge.blogspot.se/ 
>>>
>>>



Re: [Puppet Users] Re: Hiera 5 + Puppet 5 File Backend

2017-09-15 Thread John Baird
Right, and that's exactly my concern with NOT being able to do exactly that.

Scenarios
1.  I wish to lookup a URI that is to be configured for a module.  The 
module name here is obviously not important, but let's call it "mymodule".  
In the manifest, I wish to lookup ssh keys being served up by Consul (as I 
am currently doing).  I would like to simply lookup('username') where 
'username' is the user whose public key I would like to authorize onto my 
system.
1a. This means, lookup('username') will only work for top scope.
1b. Option 1, change scope of lookup.  my lookup now needs to be 
"sshkeys::username", but now my URI lookup path is going to be 
"/path/to/some/uri/sshkeys::username" in consul.  Surely there's a better 
way than having a bunch of k/v pairs with namespaced keys in them ?
1c. Option 2, everything is top scope when I care about doing URI lookups.
1d. This would be fine except if now I want to have a list of all active 
users on the system as a simple list in another module.  Now whichever URI 
path is first will return the data, and not necessarily the appropriate 
data for the lookup.

I understand that it's not supposed to work the way it used to, but come 
on, this functionality almost seems commonplace.  Using an HTTP or file 
backend is CRITICAL in many ecosystems.

I suppose I can write some regsub on the lookup to parse out the namespace 
prior to appending it to the URI, but that seems insanely hackish...  
Personally, if I do a lookup from within a module, it should automatically 
append the current namespace to it for lookup, then this issue goes away.

On Friday, September 15, 2017 at 10:54:19 AM UTC-5, Henrik Lindberg wrote:
>
> On 15/09/17 16:46, John Baird wrote: 
> > I just realized, while doing some other hiera work with a custom HTTP 
> > backend, that this won't work.  It's the same problem I have with the 
> > way scoping works for the HTTP backend.  If I don't specify the lookup() 
> > key in the manifest with a scope, then puppet ONLY uses GLOBAL and 
> > ENVIRONMENT scope and ignores module scope.  This seems undesired.  In 
> > that manner, I would have to have my filenames (in the case of file 
> > backend) or URIs (as is the case with HTTP backend) contain module 
> > scoping in the lookup, so my filename would become 
> > lookup('somemodule::somefile.txt') which would THEN have to actually 
> > exist in that lookup... 
> > 
>
> yes, modules cannot bind to names in the global (top) name space. 
> If they could they would have the potential to step on each other and it 
> will become impossible to resolve a lookup without visiting every module 
> on the modulepath for every lookup. 
>
> hiera is not ignoring module scope - it is simply illegal to try to bind 
> to anything that is not in the module's namespace. 
>
> > I would expect Puppet to use module scope when a lookup is performed 
> > within the module if scope is not specified for this lookup. 
>
> It simply does not work that way. There are no "relative keys". 
>
> - henrik 
>
> -- 
>
> Visit my Blog "Puppet on the Edge" 
> http://puppet-on-the-edge.blogspot.se/ 
>
>



[Puppet Users] Re: Hiera 5 + Puppet 5 File Backend

2017-09-15 Thread John Baird
I just realized, while doing some other hiera work with a custom HTTP 
backend, that this won't work.  It's the same problem I have with the way 
scoping works for the HTTP backend.  If I don't specify the lookup() key in 
the manifest with a scope, then puppet ONLY uses GLOBAL and ENVIRONMENT 
scope and ignores module scope.  This seems undesired.  In that manner, I 
would have to have my filenames (in the case of file backend) or URIs (as 
is the case with HTTP backend) contain module scoping in the lookup, so my 
filename would become lookup('somemodule::somefile.txt') which would THEN 
have to actually exist in that lookup...

I would expect Puppet to use module scope when a lookup is performed within 
the module if scope is not specified for this lookup.
https://groups.google.com/forum/#!topic/puppet-users/9q__saaa26w



On Monday, August 21, 2017 at 3:03:15 PM UTC-5, John Baird wrote:
>
> There was an old hiera 3.X hiera-file backend now owned on github by 
> voxpupuli... does anyone have a working example of how to reproduce this in 
> Puppet 5 with the next data_hash contexts?  Puppet's documentation seems 
> woefully lacking in this area.
>
> Basically, I would like to be able to serve up `/etc/hosts` file from 
> hiera backend, for example.
>



Re: [Puppet Users] Re: hiera consul backend Puppet 4.10

2017-09-14 Thread John Baird
Justin,

I just wanted to say that I am currently working on implementing the 
hiera_http to interact with consul.  It's not nearly as clean/concise, but 
it works nonetheless.

https://github.com/crayfishx/hiera-http

Still implementing it at the moment and testing to make sure things work, 
but for now, assuming your scope is correct, works like a champ.  Maybe 
that would help?

On Thursday, August 31, 2017 at 10:10:22 PM UTC-5, Justin DynamicD wrote:
>
> Unfortunately puppet lookup doesn't work at all for me, instead it's 
> complaining about being unable to load some ruby gems that are related to a 
> windows Chocolatey module that doesn't even get called in the current 
> environment.  Mind you simple puppet agent -t runs and everything else is 
> flawless ... but anything Hiera related has been an exercise in patience. 
>  Only way I've been able to test it to make a custom role::hieratest and 
> assign it to my server and just invoke puppet runs over and over to see how 
> the lookup works.  There isn't even a module on the forge for formatting 
> the global hiera.yaml on the puppet master (they all stop at v4).  Custom 
> template for that ... Once I get this consul integration doing what I want 
> I'll do everything in my power to avoid re-configuring hiera at all costs.  
>
> Integrating Consul has been a very frustrating journey, much more so than 
> I anticipated when I started.
>
> Does anyone even have a list of example code I can borrow from?  I can 
> find videos of people claiming it's awesome at puppet conf but they are all 
> horrifically devoid of any real detail or usable example.  I can't imagine 
> I'm the first person who's tried to lookup what services are registered to 
> a node yet ... can't find a single working example.
>
>
>
>
> On Thursday, August 31, 2017 at 5:47:09 PM UTC-7, John Baird wrote:
>>
>> Justin,
>>
>> Funny, I'm dealing with a somewhat similar scenario, but I should let you 
>> know that you CAN run lookup from CLI...
>>
>> "puppet lookup" should invoke exactly what "lookup" does from within 
>> puppet, that's actually something they did amazingly well...
>>
>> On Thursday, August 31, 2017 at 11:29:02 AM UTC-5, Justin DynamicD wrote:
>>>
>>> Appreciate your feedback.  After a bit of "mucking about" I've added a 
>>> v5 yaml to a branch and will probably merge it in soon, but have left the 
>>> global yaml in place as v3 until I can do more testing ...
>>>
>>> That said the lookup() feature doesn't feel any easier than the old 
>>> hiera statement ... arguably harder actually.  hiera('var' , []) was easier 
>>> to me than lookup('var', data, 'first', []) but meh, over time maybe I'll 
>>> appreciate it or at least accept it now that I can make per-environment 
>>> hiera changes.
>>>
>>> Yes, the lookup seems to work like you said it would, but it seems I've 
>>> only opened a can of worms:
>>>
>>> 1.  I can't run lookup from the cli, only hiera.  So guess I have to 
>>> figure out why (maybe because the global hiera is still v3?)
>>> 2.  the consul backend dumps an array of hashes ... eww ... looks like 
>>> I'll have to get really clever about how to manipulate things to get the 
>>> exact key/value I want ... out of scope of this question though.
>>>
>>> Thank you for your help.
>>>
>>



[Puppet Users] Puppet Lookup Behavior

2017-09-14 Thread John Baird
I am currently implementing the "hiera-http" custom backend written by 
crayfishx located: "https://github.com/crayfishx/hiera-http".

I have some custom classes that need to run through an iteration of hiera 
hashes and perform lookups on the values of said hashes.  As a result, I 
would simply like to be able to have lookup('somestring') work from within 
a module.  When doing this, lookup fails to use the module-specific 
hiera.yaml.  I don't want ALL of my modules to use hiera-http as that is 
clearly overkill and prone to latency and longer puppet runs.  The only 
workaround at the moment is to lookup("mymodule::somestring") which then 
properly uses the module hiera.yaml and looks up the value in the 
module-specific YAML.   

As you can imagine, having an HTTP URI that contains "mymodule::somestring" 
is not exactly clean, nor desired.  Is there a way to specify the scope for 
lookup to force it to use the proper hiera.yaml ?



Re: [Puppet Users] Re: Hiera 5 + Puppet 5 File Backend

2017-09-02 Thread John Baird
Henrik,

I really appreciate your patience here, but I feel like there is something
obvious that I am either not grasping or isn't spelled out in the
documentation.

Let's say I make a function called `lookup_file` which will do the
File.Read in whatever manner I need.  I can call that from my manifests to
lookup the file, but how, then do I lookup the context from hiera?  It's
the combination of these two things that seems abstract to me and is
preventing me from moving forward.  I understand how to do both
individually, but I'm not sure how to retrieve the hiera context for the
path from within this "other" function

I can see that any file_backend function I create chomps the key on the
first "." as we previously discussed, which means that I need to call a
function BEFORE that in order to call my file_backend from within my
file_lookup function, for instance.

How do I get the options and context to be used from the function my
manifest will be using?  Let's assume in my manifest:
content => lookup_file('/tmp/somefile.txt')

does this work in my backend?

Puppet::Functions.create_function(:file_backend) do
  dispatch :file_backend do
    param 'String', :key
    param 'Hash', :options
    param 'Puppet::LookupContext', :context
  end

  def file_backend(key, options, context)
    searchroot = options['path']
    filename = "#{searchroot}/#{filename}"
    # If file is found, return contents of file
    # If file is not found, context.not_found()
  end

  def lookup_file(key)
    options = :options
    context = :context
    file_backend(key, :options, :context)
  end
end

I think that's the part I am struggling with... hiera knows about the
context and options, but my manifest knows (or should know) the proper key
to look up.  How do I combine them so I retrieve the contents of the file?

On Sat, Sep 2, 2017 at 3:29 AM Henrik Lindberg 
wrote:

> On 01/09/17 01:32, John Baird wrote:
> > Henrik,
> >
> > I think the disconnect is coming from the fact that the documentation
> > only goes so far.  In that, I mean, what should my lookup be from my
> > manifest?
> >
> > Should my manifest be:
> > $somefile = lookup('/etc/example.txt')
> > and then specify the file_backend in my hiera.yaml?
> >
> > Or should my manifest be:
> > $somefile = file_backend('/etc/example.txt')
> > and then specify the file_backend in my hiera.yaml?
> >
> > If I do the former, is specifying the ":key" just implied?
> > If I do the latter, I end up in a situation where the file_backend
> > function is looking for more arguments than just the simple filename.
> >
> > I feel like that's what's not really clear, since the YAML and JSON
> > backends simply append the key to the options path without ever
> > specifying the actual key existing in the backend.  So it's a little
> > confusing how I should actually be interacting with the custom backend.
> >
>
> The big difference between the YAML and JSON backends is that they load
> files with keys in them. In your case the key is the "name" of the file!
>
> The JSON and YAML backends are of the data_hash kind. They are called
> once and must produce a hash of all the keys in the file pointed to by
> the path the backend is given. You do not want that since it would mean
> that you would have to slurp in all of the data files on the initial
> call. That could be a problem if you have lots of large files and they
> are not all needed for every compilation.
>
> Instead you need to deliver the value for a key per lookup of that key.
> The simple implementation takes the key appends it to the root path,
> reads that file and returns it as the value. If the file does not exist
> it should instead call $context.not_found().
>
> - henrik
>
>
> > On Monday, August 28, 2017 at 2:03:09 AM UTC-5, Henrik Lindberg wrote:
> >
> > On 28/08/17 00:45, John Baird wrote:
> >  > The backend function receives a path in the options hash -
> > that path is
> >  > guaranteed to exist - all non existing paths are simply
> > skipped by
> >  > hiera
> >  > (see the linked docs how it works). Thus, you do not need to
> > use any of
> >  > the find file, etc. You can use relative paths in the
> > hiera.yaml config
> >  > and hiera will figure it out (see the docs).
> >  >
> >  >
> >  > Henrik,
> >  >
> >  > I believe I fully understand the context here, however, is the
> > "options"
> >  > hash no

Re: [Puppet Users] Re: hiera consul backend Puppet 4.10

2017-08-31 Thread John Baird
Justin,

Funny, I'm dealing with a somewhat similar scenario, but I should let you 
know that you CAN run lookup from CLI...

"puppet lookup" should invoke exactly what "lookup" does from within 
puppet, that's actually something they did amazingly well...

On Thursday, August 31, 2017 at 11:29:02 AM UTC-5, Justin DynamicD wrote:
>
> Appreciate your feedback.  After a bit of "mucking about" I've added a v5 
> yaml to a branch and will probably merge it in soon, but have left the 
> global yaml in place as v3 until I can do more testing ...
>
> That said the lookup() feature doesn't feel any easier than the old hiera 
> statement ... arguably harder actually.  hiera('var' , []) was easier to me 
> than lookup('var', data, 'first', []) but meh, over time maybe I'll 
> appreciate it or at least accept it now that I can make per-environment 
> hiera changes.
>
> Yes, the lookup seems to work like you said it would, but it seems I've 
> only opened a can of worms:
>
> 1.  I can't run lookup from the cli, only hiera.  So guess I have to 
> figure out why (maybe because the global hiera is still v3?)
> 2.  the consul backend dumps an array of hashes ... eww ... looks like I'll 
> have to get really clever about how to manipulate things to get the exact 
> key/value I want ... out of scope of this question though.
>
> Thank you for your help.
>



Re: [Puppet Users] Re: Hiera 5 + Puppet 5 File Backend

2017-08-31 Thread John Baird
Henrik,

I think the disconnect is coming from the fact that the documentation only 
goes so far.  In that, I mean, what should my lookup be from my manifest?

Should my manifest be:
$somefile = lookup('/etc/example.txt')
and then specify the file_backend in my hiera.yaml?

Or should my manifest be:
$somefile = file_backend('/etc/example.txt')
and then specify the file_backend in my hiera.yaml?

If I do the former, is specifying the ":key" just implied?
If I do the latter, I end up in a situation where the file_backend function 
is looking for more arguments than just the simple filename.

I feel like that's what's not really clear, since the YAML and JSON 
backends simply append the key to the options path without ever specifying 
the actual key existing in the backend.  So it's a little confusing how I 
should actually be interacting with the custom backend.

On Monday, August 28, 2017 at 2:03:09 AM UTC-5, Henrik Lindberg wrote:
>
> On 28/08/17 00:45, John Baird wrote: 
> > The backend function receives a path in the options hash - that path is 
> > guaranteed to exist - all non existing paths are simply skipped by hiera 
> > (see the linked docs how it works). Thus, you do not need to use any of 
> > the find file, etc. You can use relative paths in the hiera.yaml config 
> > and hiera will figure it out (see the docs). 
> > 
> > 
> > Henrik, 
> > 
> > I believe I fully understand the context here, however, is the "options" 
> > hash not fully referenced within the "hiera.yaml" ?  Basically, how do I 
> > access the lookup of the key itself from within a puppet manifest as an 
> > appendage of the options['path'].  I really believe that is the piece I 
> > am just not able to connect.  Can you help me understand how to do this? 
> >   Thanks! 
> > 
>
> Not quite sure exactly where there is a piece of information missing, so 
> pardon if I explain too much here. 
>
> When hiera 5 processes a lookup it will visit each entry in the 
> hiera.yaml. Such an entry may use one out of several ways to specify a 
> set of file paths to check for existence (path, paths, glob). If the 
> path corresponds to something existing, a call is made to the function 
> associated with that entry. It receives an options hash where path is 
> set to the path that was found to be existing. This is repeated for all 
> the existing paths found in that entry. 
>
> A user may have given additional options in the options hash. 
>
> If the mode of the lookup is "priority" (first found) the search for a 
> value stops when a function produces a value for the key being searched 
> for. If the search is a kind of "merge" then the search continues until 
> all values for the key have been found. 
>
> You can use the fact that the hiera framework performs the existence 
> check. If you do a glob to match all of the files your function will be 
> called with each - then simply check if the leaf file name matches the 
> key being looked up. Call "not_found" for all others, and read and 
> return the content for the one that matches. 
>
> By doing that you get a small advantage in that you will not be 
> incurring checks for lots of file existence for all of the keys that are 
> irrelevant and never will have a matching file. 
>
> Does this help with what you were wondering about? 
> - henrik 
>
> -- 
>
> Visit my Blog "Puppet on the Edge" 
> http://puppet-on-the-edge.blogspot.se/ 
>
>



[Puppet Users] Re: Hiera 5 + Puppet 5 File Backend

2017-08-27 Thread John Baird

>
> The backend function receives a path in the options hash - that path is 
> guaranteed to exist - all non existing paths are simply skipped by hiera 
> (see the linked docs how it works). Thus, you do not need to use any of 
> the find file, etc. You can use relative paths in the hiera.yaml config 
> and hiera will figure it out (see the docs). 


Henrik,

I believe I fully understand the context here, however, is the "options" 
hash not fully referenced within the "hiera.yaml" ?  Basically, how do I 
access the lookup of the key itself from within a puppet manifest as an 
appendage of the options['path'].  I really believe that is the piece I am 
just not able to connect.  Can you help me understand how to do this? 
 Thanks! 



[Puppet Users] Re: puppet SSHD port based on hostname

2017-08-25 Thread John
So, I agree this is doable in Hiera.  However, I think for the SAZ SSH 
module, it would be better for me to include it in the sshd_config.erb.

I've added the following to sshd_config.:

<%- if ServerName == myhost -%>
Port = 
<%- end -%>

Puppet run finishes with no errors, but /etc/ssh/sshd_config does not contain 
the port setting at all.

I've tried different variations of the command above with no luck.

Am I even in the ballpark?  It seems this should be doable in the 
sshd_config.erb.  Any advice would be greatly appreciated.

On Tuesday, August 22, 2017 at 12:36:15 PM UTC-4, John wrote:
>
> I've pulled down the SAZ SSH module and implemented across my network.  It 
> works great.
>
> However, I need to implement the following change:
>
> If hostname = host1 or host2 or host3
>   then
> port = 
> fi
>
> I just want to change the default sshd port for a few hosts.
>
> How do I do that?
> 
>
>
>



Re: [Puppet Users] Re: Hiera 5 + Puppet 5 File Backend

2017-08-24 Thread John Baird
Thank you.  I will take that and run with it.  I appreciate the comments.

On Thursday, August 24, 2017 at 9:27:31 AM UTC-5, Henrik Lindberg wrote:
>
> On 24/08/17 15:52, John Baird wrote: 
> > Henrik,  I feel like this is becoming overly complicated and perhaps 
> > that is my fault for lack of explanation. 
> > 
> >   I am simply trying to return the contents of a file that is stored in 
> > hiera... Perhaps my gist would make more sense ? 
> > 
> > https://gist.github.com/soudaburger/e253bdce191c731491581df0b0f99234 
> > 
> I commented on your gist 
> https://gist.github.com/soudaburger/e253bdce191c731491581df0b0f99234 
>
> (for others) I wrote this on the gist: 
>
> You need an additional function to transform a pathname with dots to one 
> where they are escaped. But skip that problem first and only test it 
> with a path that does not contain any dots 
>
> Your backend function does not have the correct kind, and signature 
> it should not be a 'data_hash' kind - use a 'lookup_key' kind of backend 
> function (you must otherwise return the content of all files as one hash) 
>
> read about how it should be written here: 
> https://docs.puppet.com/puppet/5.1/hiera_custom_lookup_key.html 
>
> Your backend function should not have a 'scope_param' in the dispatcher 
> Use Puppet::Filesystem.read(path) to read the content of the file 
> referenced by 'path' 
>
> The backend function receives a path in the options hash - that path is 
> guaranteed to exist - all non existing paths are simply skipped by hiera 
> (see the linked docs how it works). Thus, you do not need to use any of 
> the find file, etc. You can use relative paths in the hiera.yaml config 
> and hiera will figure it out (see the docs). 
>
> - henrik 
>
> -- 
>
> Visit my Blog "Puppet on the Edge" 
> http://puppet-on-the-edge.blogspot.se/ 
>
>


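The per-key backend Henrik describes above (take the key, append it to the path from the options hash, return the file's content or call not_found) can be sketched in plain Ruby. This is an added example, not code from the thread or from Puppet: `StubContext`, the `lookup` helper and the sample files are constructed stand-ins, and it adds a check that the key cannot resolve to a file outside the data root.

```ruby
require 'tmpdir'
require 'fileutils'

# Stand-in for Puppet::LookupContext (assumption: only not_found is modelled).
# Puppet's context.not_found aborts the backend call with throw :no_such_key.
class StubContext
  def not_found
    throw :no_such_key
  end
end

# Body of a lookup_key-style backend: one key in, one file's content out.
# options['path'] is the data root; hiera only calls the backend for paths
# that exist, so the root itself is not re-checked here.
def file_backend(key, options, context)
  root = File.realpath(options['path'])
  candidate = File.expand_path(key, root)

  # "../x" and absolute keys expand to a path outside the root: treat as absent.
  context.not_found unless candidate.start_with?(root + File::SEPARATOR)
  context.not_found unless File.file?(candidate)

  # A symlink inside the root may still point outside it; compare real paths.
  real = File.realpath(candidate)
  context.not_found unless real.start_with?(root + File::SEPARATOR)

  File.read(real)
end

# Hypothetical helper: mimics hiera treating not_found as "no value here".
def lookup(key, options)
  catch(:no_such_key) { file_backend(key, options, StubContext.new) }
end

# Constructed sample tree: one file inside the data root, one outside it.
def demo_results
  Dir.mktmpdir do |tmp|
    root = File.join(tmp, 'data')
    outside = File.join(tmp, 'secret.txt')
    FileUtils.mkdir_p(root)
    File.write(File.join(root, 'hosts'), "127.0.0.1 localhost\n")
    File.write(outside, "outside the data root\n")
    File.symlink(outside, File.join(root, 'link'))

    options = { 'path' => root }
    {
      hit: lookup('hosts', options),
      missing: lookup('no_such_file', options),
      traversal: lookup('../secret.txt', options),
      absolute: lookup(outside, options),
      symlink: lookup('link', options)
    }
  end
end

p demo_results if __FILE__ == $PROGRAM_NAME
```

In a real backend the method body would sit inside `Puppet::Functions.create_function` with the three-parameter dispatch shown in the thread, and the read would use `Puppet::Filesystem.read` as Henrik suggests.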

Re: [Puppet Users] Re: Hiera 5 + Puppet 5 File Backend

2017-08-24 Thread John Baird

>
> Henrik,  I feel like this is becoming overly complicated and perhaps that 
> is my fault for lack of explanation.

 I am simply trying to return the contents of a file that is stored in 
hiera... Perhaps my gist would make more sense ?

https://gist.github.com/soudaburger/e253bdce191c731491581df0b0f99234



[Puppet Users] Re: Hiera 5 + Puppet 5 File Backend

2017-08-23 Thread John Baird
Henrik,

Thanks for the feedback, while I wish there was a "better/native" way, I 
have accepted that I need to write my own function.  I would like to be 
able to use a similar syntax as "lookup()" and simply specify a filepath 
and have the contents returned as the content of the file being created.  I 
am fairly certain I can accomplish this, but I am not sure how I gain 
access to the hiera scope or hierarchy that is defined by either the module 
or the global/environment scope.  I want my custom module to be able to 
search the hiera path(s) for the necessary file structure.  How would I go 
about getting that scope into a custom function?  Thanks!



[Puppet Users] Re: puppet SSHD port based on hostname

2017-08-22 Thread John Baird
Honestly, I believe you would benefit from reading this over a bit...

https://docs.puppet.com/puppet/5.0/lang_template_erb.html


On Tuesday, August 22, 2017 at 4:37:35 PM UTC-5, John wrote:
>
> So I added the following to sshd_config.erb
>
> <%- if hostname = MyHost -%>
> Port = 
> <%- end -%>
>
> But it did not provide the expected results.  The puppet run finished 
> cleanly, but the sshd_config remained unchanged.
>
> Does that syntax look alright?
>
> TIA
>
> On Tuesday, August 22, 2017 at 12:36:15 PM UTC-4, John wrote:
>>
>> I've pulled down the SAZ SSH module and implemented across my network. 
>>  It works great.
>>
>> However, I need to implement the following change:
>>
>> If hostname = host1 or host2 or host3
>>   then
>> port = 
>> fi
>>
>> I just want to change the default sshd port for a few hosts.
>>
>> How do I do that?
>> 
>>
>>
>>



[Puppet Users] Re: Hiera 5 + Puppet 5 File Backend

2017-08-22 Thread John Baird
Henrik,

Thanks for the feedback.  My concern stems, really, from being able to use 
this with Puppet.  I would think that I should be able to specify a 
filename and/or filepath that contain a "." without having to escape those 
myself.  The backend should handle that, in my opinion.  You can imagine if a 
user/developer wanted to have a domain-oriented folder structure with 
multiple domains, how that could get extremely hard to read quickly... 
"/path/to/file/domain1\.example\.com" and then the variable would have to 
be unescaped for all other references to that variable.  That seems silly. 
 I appreciate your time on this, but I feel like there has to be a better 
solution, I just haven't found it yet.  I am still working on making this 
code work...



[Puppet Users] Re: puppet SSHD port based on hostname

2017-08-22 Thread John
So I added the following to sshd_config.erb

<%- if hostname = MyHost -%>
Port = 
<%- end -%>

But it did not provide the expected results.  The puppet run finished 
cleanly, but the sshd_config remained unchanged.

Does that syntax look alright?

TIA

On Tuesday, August 22, 2017 at 12:36:15 PM UTC-4, John wrote:
>
> I've pulled down the SAZ SSH module and implemented across my network.  It 
> works great.
>
> However, I need to implement the following change:
>
> If hostname = host1 or host2 or host3
>   then
> port = 
> fi
>
> I just want to change the default sshd port for a few hosts.
>
> How do I do that?
> 
>
>
>



[Puppet Users] Re: puppet SSHD port based on hostname

2017-08-22 Thread John Baird
It looks like you should be able to pass it as a Hash of "options"... 

https://github.com/saz/puppet-ssh/search?utf8=%E2%9C%93&q=port&type=

On Tuesday, August 22, 2017 at 11:36:15 AM UTC-5, John wrote:
>
> I've pulled down the SAZ SSH module and implemented across my network.  It 
> works great.
>
> However, I need to implement the following change:
>
> If hostname = host1 or host2 or host3
>   then
> port = 
> fi
>
> I just want to change the default sshd port for a few hosts.
>
> How do I do that?
> 
>
>
>



[Puppet Users] puppet SSHD port based on hostname

2017-08-22 Thread John
I've pulled down the SAZ SSH module and implemented across my network.  It 
works great.

However, I need to implement the following change:

If hostname = host1 or host2 or host3
  then
port = 
fi

I just want to change the default sshd port for a few hosts.

How do I do that?





Re: [Puppet Users] Re: Hiera 5 + Puppet 5 File Backend

2017-08-22 Thread John Baird

>
> Henrik,


I have something that appears to be at least "attempting" to find the 
proper files.  The issue I am currently running into is that the "key" or 
file that I am looking for is being "chopped" at the first ".", which in 
this case is actually in a folder name, not the file extension.  Do you 
know how to avoid that?

# File Backend for Hiera
Puppet::Functions.create_function(:'file_backend') do

  dispatch :file_backend do
    param "String", :key
    param "Hash", :options
    param "Puppet::LookupContext", :context
  end

  argument_mismatch :missing_path do
    param 'Hash', :options
    param 'Puppet::LookupContext', :context
  end

  # Return the contents of <hieradir><searchroot>/<key>, or "not found".
  def file_backend(key, options, context)
    hieradir   = context.interpolate(options['hieradir'])
    searchroot = context.interpolate(options['searchroot'])
    searchpath = hieradir + searchroot
    if File.exist?("#{searchpath}/#{key}")
      data = File.read("#{searchpath}/#{key}")
    else
      context.explain() { "SearchPath: #{searchpath}, Key: #{key}"}
      context.not_found()
    end
  end

  def missing_path(options, context)
    "one of 'path', 'paths', 'glob', 'globs', or 'mapped_paths' must be declared in hiera.yaml when using this file_backend function"
  end
end

When looking up '/etc/dd-agent/checks.d/filename.py' I receive a `Function 
lookup() did not find a value for the name 
'/etc/dd-agent/checks.d/filename.py'`.

The debugging from the puppet lookup outputs KEY: /etc/dd-agent/checks which 
does not contain the rest of the filename or path.

Thoughts ?

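Added example (not part of the original post, and not Puppet's or the hiera-file project's code): a backend like the one above joins a caller-supplied lookup key onto a directory, so the key has to be confined to that directory before anything is read. The sketch is plain Ruby outside Puppet's function API; `resolve_key`, `lookup_file`, `UnsafeKeyError` and the directory layout are assumptions made for the illustration.

```ruby
require 'fileutils'
require 'pathname'
require 'tmpdir'

# Raised when a lookup key would resolve outside its search root.
class UnsafeKeyError < StandardError; end

# Map a key such as "/etc/dd-agent/checks.d/filename.py" to a regular file
# below +root+. Returns a Pathname, or nil when the file does not exist.
def resolve_key(root, key)
  raise UnsafeKeyError, 'empty key' if key.nil? || key.empty?
  raise UnsafeKeyError, 'NUL byte in key' if key.include?("\0")

  root_real = Pathname.new(root).realpath
  # Treat the key as relative even when it starts with "/", then collapse
  # "." and ".." lexically. Dots inside names ("checks.d") are left alone.
  relative = Pathname.new(key.sub(%r{\A/+}, '')).cleanpath
  if relative.each_filename.first == '..'
    raise UnsafeKeyError, "key escapes search root: #{key.inspect}"
  end

  candidate = root_real + relative
  return nil unless candidate.file?

  # realpath follows symlinks, so a link pointing out of the tree is caught.
  real = candidate.realpath
  unless real.to_s.start_with?(root_real.to_s + File::SEPARATOR)
    raise UnsafeKeyError, "key resolves outside search root: #{key.inspect}"
  end
  real
end

# Walk the search roots in priority order and return the bytes of the first
# match only (binread, so binary files survive), or nil for "not found".
def lookup_file(roots, key)
  roots.each do |root|
    next unless File.directory?(root)
    path = resolve_key(root, key)
    return File.binread(path) if path
  end
  nil
end

# Constructed sample tree: a node-level root, a common root, and one file
# that sits outside both roots.
def demo
  Dir.mktmpdir('hiera-files') do |dir|
    node   = File.join(dir, 'nodes', 'example1')
    common = File.join(dir, 'common')
    FileUtils.mkdir_p(File.join(node, 'etc/dd-agent/checks.d'))
    FileUtils.mkdir_p(File.join(common, 'etc'))
    File.write(File.join(node, 'etc/dd-agent/checks.d/filename.py'), "print('node')\n")
    File.write(File.join(common, 'etc/hosts'), "127.0.0.1 localhost\n")
    File.write(File.join(dir, 'secret'), "outside both roots\n")

    roots = [node, common]
    traversal = begin
      lookup_file(roots, '../../secret')
    rescue UnsafeKeyError => e
      "rejected: #{e.message}"
    end
    {
      dotted:    lookup_file(roots, '/etc/dd-agent/checks.d/filename.py'),
      fallback:  lookup_file(roots, '/etc/hosts'),
      missing:   lookup_file(roots, '/etc/nope'),
      traversal: traversal
    }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Inside a real Hiera 5 function the same check would sit between interpolating the options and reading the file, with the nil result turned into `context.not_found`.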


[Puppet Users] Re: Hiera 5 + Puppet 5 File Backend

2017-08-22 Thread John Baird
Henrik,

Whether the existing YAML/JSON/HOCON backend is referenced, everything is 
using the context of `path` to do the lookups.  The issues with this in 
regards to a file backend, is I am unsure as to how to access the value or 
file being looked up.  The `path` for the other backends is statically 
defined and they load the content accordingly.  Do you know how to access 
the value being looked up or if that is even possible in this context ?


context.cached_file_data(path) do |content|

Path in this case is the full URI to the YAML file being ingested, for 
instance. But I need to append the variable being looked up to that in 
order to find the file I am seeking.
I believe that is the missing piece I need to make this all work. Any 
insight would be appreciated. Thanks!



Re: [Puppet Users] Hiera 5 + Puppet 5 File Backend

2017-08-21 Thread John Baird
Henrik,

I would also like to add that having the ability to serve up binary files, 
not just ASCII files would also be a great bonus.  Thanks!



Re: [Puppet Users] Hiera 5 + Puppet 5 File Backend

2017-08-21 Thread John Baird
Henrik,

Thanks for helping... I tried originally using the hiera-file backend but, 
there's too much code to update since the repo hasn't been touched in 
nearly 2+ years.  So I went down the path of trying to modify the json_data 
and/or yaml_data backends to suit my needs, since I noticed the biggest 
delta between the two files was the loading of the respective JSON or YAML. 
 

I am unsure as to what the exact expectations are when returning the data 
within the *_data.rb backend.

If you can assist in starting with either the json_data or yaml_data ruby 
files and modifying them to work with what I need, I would be forever 
grateful.

Here are my requirements and expectations...
1. Using lookup() should return/query the same way as it currently does for 
variables.
2. I want to be able to specify a "filepath" like "/etc/hosts" which would 
then be appended at the end of the search path, so 
"environments/%{environment}", for example.
3. The contents of "environment/%{environment}/etc/hosts" would then be 
returned.
4. The backend should only return the contents of the first match, as I 
won't want duplicative entries within the files.
5. Anything else that may make sense to modify would be good.

I appreciate any assistance you can provide.  Thanks!

On Monday, August 21, 2017 at 3:34:41 PM UTC-5, Henrik Lindberg wrote:
>
> On 21/08/17 22:18, John Baird wrote: 
> > I see the "yaml_data" and "json_data" backends, but unfortunately, I'm 
> > not a Ruby developer and trying to mock those into a file_data backend 
> > is proving frustratingly obnoxious.  Honestly, I wish a "file_data" 
> > backend was included by default as I feel there's a TON of value in its 
> > existence, but that's another topic. 
> > 
> > Basically, from the documentation 
> > at https://docs.puppet.com/puppet/5.0/hiera_custom_data_hash.html, I am 
> > able to make a custom backend, but unable to get it to parse the 
> > directory structure properly and retrieve the entire contents of the 
> file. 
> > 
> > If you have something that would work, I would love to get it working on 
> > my end. 
> > 
>
> You can write functions in the puppet language as well as in Ruby if 
> that is more convenient for you. Then depending on what the format of 
> the data file you want read is, you could either use an existing 
> function that reads JSON/YAML etc. If there is no reader you would be 
> best off to write a separate function that can read a particular format, 
> and then use that to parse the file and serve data from it using a hiera 
> 5 backend compliant function. 
>
> The functions that just read a file and return it as a hash are very 
> simple 
> (
> https://github.com/puppetlabs/puppet/blob/master/lib/puppet/functions/json_data.rb)
>  
>
> which is basically JSON.parse and some error handling around that. 
>
> I would expect a custom backend function that you write to be given an 
> argument that is the absolute path to the file you want read. That is 
> given in the hiera.yaml. 
>
> Is it that you want a structure that defines the keys and that the files 
> themselves are the resulting value? (Have not looked at hiera-file 
> backend). If so, then it sounds like just translating the key to lookup 
> to a path (splitting on '::' and joining with '/') plus appending 
> that to a base path where the files are to be found (given as an option 
> when adding the function to the hiera.yaml hierarchy). Then reading that 
> file or producing a "not found" if the file does not exist. 
>
> If you have the start of this in Ruby somewhere I am happy to help you 
> review and point out what to change. 
>
> Best, 
> - henrik 
>
> > On Monday, August 21, 2017 at 3:14:42 PM UTC-5, Henrik Lindberg wrote: 
> > 
> > On 21/08/17 22:03, John Baird wrote: 
> >  > There was an old hiera 3.X hiera-file backend now owned on github 
> by 
> >  > voxpupuli... does anyone have a working example of how to 
> > reproduce this 
> >  > in Puppet 5 with the next data_hash contexts?  Puppet's 
> > documentation 
> >  > seems woefully lacking in this area. 
> >  > 
> >  > Basically, I would like to be able to serve up `/etc/hosts` file 
> > from 
> >  > hiera backend, for example. 
> >  > 
> > That should be incredibly simple to achieve with hiera 5. 
> > What is it that you feel is lacking in terms of documentation? 
> > 
> > - henrik 
> > 
> > 
> > -- 
> > 
> > Visit my Blog "Puppet on the Edge&

Re: [Puppet Users] Hiera 5 + Puppet 5 File Backend

2017-08-21 Thread John Baird
I see the "yaml_data" and "json_data" backends, but unfortunately, I'm not 
a Ruby developer and trying to mock those into a file_data backend is 
proving frustratingly obnoxious.  Honestly, I wish a "file_data" backend 
was included by default as I feel there's a TON of value in its existence, 
but that's another topic.

Basically, from the documentation 
at https://docs.puppet.com/puppet/5.0/hiera_custom_data_hash.html, I am 
able to make a custom backend, but unable to get it to parse the directory 
structure properly and retrieve the entire contents of the file.

If you have something that would work, I would love to get it working on my 
end.

On Monday, August 21, 2017 at 3:14:42 PM UTC-5, Henrik Lindberg wrote:
>
> On 21/08/17 22:03, John Baird wrote: 
> > There was an old hiera 3.X hiera-file backend now owned on github by 
> > voxpupuli... does anyone have a working example of how to reproduce this 
> > in Puppet 5 with the next data_hash contexts?  Puppet's documentation 
> > seems woefully lacking in this area. 
> > 
> > Basically, I would like to be able to serve up `/etc/hosts` file from 
> > hiera backend, for example. 
> > 
> That should be incredibly simple to achieve with hiera 5. 
> What is it that you feel is lacking in terms of documentation? 
>
> - henrik 
>
>
> -- 
>
> Visit my Blog "Puppet on the Edge" 
> http://puppet-on-the-edge.blogspot.se/ 
>
>



[Puppet Users] Hiera 5 + Puppet 5 File Backend

2017-08-21 Thread John Baird
There was an old hiera 3.X hiera-file backend now owned on github by 
voxpupuli... does anyone have a working example of how to reproduce this in 
Puppet 5 with the next data_hash contexts?  Puppet's documentation seems 
woefully lacking in this area.

Basically, I would like to be able to serve up `/etc/hosts` file from hiera 
backend, for example.



[Puppet Users] interpolation of puppet fact, with quotes, into erb template

2017-08-18 Thread John
 i have this bit of code here

   <% @microservices.sort.each do |service,val| -%>
  upstream <%= service %> {
server <% val['endpoint']['{domain_suffix}'] = "@domain_suffix" -%> 
resolve;
  }
  <% end -%>

i'm trying to do a string replacement of the @domain_suffix puppet fact, 
however ruby requires quotes around this value. however, with the quotes, 
that value cannot be rendered in the template.

i'm sure ruby can do this another way however i don't know it very well.

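Added example (not part of the original post): one way to substitute the fact's value into each endpoint, rendered with Ruby's standard ERB outside Puppet. The sample hash, the `example.internal` suffix and the names `render_upstreams`, `literal_assignment` and `DOMAIN_RE` are assumptions made for the illustration.

```ruby
require 'erb'

# Constructed sample data shaped like the @microservices hash in the post.
MICROSERVICES = {
  'billing' => { 'endpoint' => 'billing.{domain_suffix}:8080' },
  'auth'    => { 'endpoint' => 'auth.{domain_suffix}:8443' }
}.freeze

# Facts are reported by the node itself, so check the value before it is
# written into a config file: DNS labels separated by dots, nothing else.
DOMAIN_RE = /\A[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*\z/i

# <%= ... %> emits the value of the expression. String#gsub returns a new
# string in which the placeholder is replaced by the value of @domain_suffix;
# the variable is referenced directly, not wrapped in quotes.
TEMPLATE = <<~'ERB'
  <% @microservices.sort.each do |service, val| -%>
  upstream <%= service %> {
    server <%= val['endpoint'].gsub('{domain_suffix}', @domain_suffix) %> resolve;
  }
  <% end -%>
ERB

def render_upstreams(microservices, domain_suffix)
  unless domain_suffix.is_a?(String) && domain_suffix.match?(DOMAIN_RE)
    raise ArgumentError, "invalid domain_suffix: #{domain_suffix.inspect}"
  end
  scope = Object.new
  scope.instance_variable_set(:@microservices, microservices)
  scope.instance_variable_set(:@domain_suffix, domain_suffix)
  ERB.new(TEMPLATE, trim_mode: '-').result(scope.instance_eval { binding })
end

# For comparison, the expression from the post: String#[]= edits the string
# in place and inserts the literal text "@domain_suffix", and a <% ... -%>
# tag prints nothing.
def literal_assignment(endpoint)
  copy = endpoint.dup
  copy['{domain_suffix}'] = "@domain_suffix"
  copy
end

puts render_upstreams(MICROSERVICES, 'example.internal') if __FILE__ == $PROGRAM_NAME
```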


[Puppet Users] Re: Puppet5 + Hiera not actually including classes during run

2017-08-15 Thread John Baird
Ok, so we can all move on, nothing to see here!  This appears to be an 
artifact of having previously (unintentionally) installed puppet 3.X.  As a 
result, hiera 2.0.0 was installed.  I believe that this version of hiera to 
be incompatible and as a result, after a clean rebuild, everything is 
running as expected...



[Puppet Users] Re: Puppet5 + Hiera not actually including classes during run

2017-08-15 Thread John Baird
I should also add, running masterless Puppet 5.0.1 on Ubuntu 16.04 if any 
of that matters.



[Puppet Users] Puppet5 + Hiera not actually including classes during run

2017-08-15 Thread John Baird
root@example1:~# puppet apply --noop -e 'class { apt: }' --modulepath 
/root/puppet/modules/ --environment=dev 
--environmentpath=/root/puppet/environments --hiera_config 
/root/puppet/hiera.yaml
Notice: Compiled catalog for example1 in environment dev in 0.13 seconds
Notice: /Stage[main]/Apt/File[preferences]/ensure: current_value 'absent', 
should be 'file' (noop)
Notice: 
/Stage[main]/Apt/Apt::Setting[conf-update-stamp]/File[/etc/apt/apt.conf.d/15update-stamp]/content:
 
current_value '{md5}b9de0ac9e2c9854b1bb213e362dc4e41', should be 
'{md5}0962d70c4ec78bbfa6f3544ae0c41974' (noop)
Notice: Class[Apt::Update]: Would have triggered 'refresh' from 2 events
Notice: /Stage[main]/Apt::Update/Exec[apt_update]: Would have triggered 
'refresh' from 1 event
Notice: Class[Apt::Update]: Would have triggered 'refresh' from 1 event
Notice: Apt::Setting[conf-update-stamp]: Would have triggered 'refresh' 
from 1 event
Notice: Class[Apt]: Would have triggered 'refresh' from 2 events
Notice: Stage[main]: Would have triggered 'refresh' from 2 events
Notice: Applied catalog in 0.03 seconds


root@example1:~# puppet lookup classes --hiera_config puppet/hiera.yaml 
--modulepath=/root/puppet/modules --environment=dev 
--environmentpath=/root/puppet/environments
---
- apt


root@example1:~# puppet apply --modulepath /root/puppet/modules/ 
--hiera_config /root/puppet/hiera.yaml --environment=dev 
--environmentpath="/root/puppet/environments" 
/root/puppet/environments/dev/site.pp
Notice: Compiled catalog for example1 in environment dev in 0.03 seconds
Notice: Applied catalog in 0.01 seconds

root@example1:~# cat /root/puppet/environments/dev/site.pp 
node default {
  lookup('classes')
}

root@example1:~# tree /root/hieradata/
/root/hieradata/
├── nodes
│   └── example1.yaml
└── README.md

root@example1:~# cat /root/hieradata/nodes/example1.yaml 
---
classes:
  - apt



So, I can see that hiera can find the proper class.  I can see that running 
in noop mode with the same options actually runs the class.  When I run 
puppet without manually running noop, nothing happens.  This is not limited 
to the apt class as there are about 10 classes that should clearly be 
installing/configuring, etc...  but there's nothing actually happening...

I feel like I missed something somewhere, but not seeing it.  Has anyone 
seen this before?




[Puppet Users] Re: Creating a user without a shadow entry

2017-07-28 Thread John Gelnaw
On Monday, July 24, 2017 at 5:33:09 PM UTC-4, William Korb wrote:
>
> Hello fellow Puppeteers and thanks in advance for any assistance you may 
> be able to offer.
>
> We have a rather non-standard requirement on our Puppet-managed Linux 
> systems, and I'm trying to figure out if/how Puppet can satisfy it.
>
> We use some of our servers to run Oracle database software. If you are 
> familiar with Oracle DBs and Grid Infrastructure, then you know that if the 
> user and/or groups are unknown when a server boots that the Oracle stack 
> will not start properly. As such, even though we use WINBIND to join our 
> servers to our M$ Active Directory domain, we want to have the oracle user 
> be local...kind of...so that it's known at boot time even if there is an 
> issue with the AD/WINBIND connection.
>
> The solution up to now was to use the same UID as generated by WINBIND to 
> add an entry to /etc/passwd. However, we don't want the encrypted stored 
> password to exist on every server, so we instead leave out the entry for 
> /etc/shadow, and WINBIND is smart enough to authenticate the user to AD for 
> us (and at boot time, the local presence of the oracle entry in /etc/passwd 
> is sufficient to allow the oracle stack to start properly).
>
> With that in mind, is there any way to get an "oracle" entry added to 
> /etc/passwd, create HOME directory and profiles, etc. without also ending 
> up with an /etc/shadow entry?
>

With winbind / krb5 authentication, you don't need any password set on the 
account-- just leave the password field in /etc/shadow as "!".

In short-- create the account without a password.  In our enterprise, due 
to the rather large size of our AD domain (more than 100k groups), we gave 
up on winbind-- we use puppet to create 'local' accounts that are all 
handled via PAM to authenticate against the AD realm via kerberos.  We pull 
the SID from AD via ldap to calculate the RID, so we have persistent UID's 
across servers, and puppet adds/removes users based on AD group membership. 
 It's a bit complicated (huge understatement!), but the end result is that 
we have accounts in /etc/passwd and /etc/shadow, but they have no 
passwords, and can only authenticate via krb5 (ie, AD).

In the case of oracle (we have a few as well), we create the grid and 
oracle accounts as actual local accounts with no password (via puppet) and 
give the DBA's the ability to sudo to those accounts.  Obviously, we also 
have passwordless login disabled.



[Puppet Users] Re: Patch Automation By Puppet

2017-06-04 Thread John Gelnaw

Having been foolish enough to say "Sure, we can do that" in response to the 
relatively complicated patch scenario my supervisor wanted us to implement, 
I can offer advice, if not code-- Our code is heavily dependent on our 
environment, and probably wouldn't make much sense.  It's also fairly 
hideous, so I'd rather not incriminate myself.  ;)

The biggest lesson I learned when trying to do patching with puppet, is if 
it's anything beyond "package { ensure => latest }", don't do it with 
puppet.  

Puppet is very good at configuration management-- But not so good at 
process management, by which I mean, puppet isn't very good at making a 
sequence of events happen in the right order, at the right time.

Initially, I tried to manage the patch process directly with puppet, and it 
nearly broke my brain... and the end result wasn't terribly stable, or easy 
to debug.  Now that I've become much better at Puppet, it might have turned 
out differently, but I still try to live by the rule that Puppet manages 
configurations, rather than processes.

So I use puppet to deliver the appropriate scripts and configuration files 
that I use for my patch process-- I have a Debian wrapper script, and a Red 
Hat wrapper script, both of which read configuration files-- I have a cron 
job or two which does the prep work for the patch cycle, and I keep the 
patch configuration data inside Hiera-- otherwise, all the patch "logic" 
takes place on the managed host, rather than the puppet server.



Re: [Puppet Users] stop service after install

2017-05-17 Thread John Gelnaw
On Wednesday, May 17, 2017 at 5:06:33 PM UTC-4, Poil wrote:
>
> I agree with "Debian is just by design stupid, thinks starting all 
> services"
> All other integration are really fine, but  auto-starting after install is 
> terrible for all configuration management :
> Change a path (mysql binary log for example), a mount point (a LV for 
> mysql) before installing : Nope you can't
> You have to write a hack to remove all autostart from the package before 
> installing it that's incredible.
>
> I dream about a Debian mix with RedHat, RPM, no auto-start but all the 
> configuration system from Debian (splited-conf for apache php ... and tools 
> to manage your modules
>

Well, what you're complaining about is the package maintainers, not the 
OS-- it's the post install scripts that start up the services.  You might 
want to look into openSuSE-- RPM based, but package configuration tends to 
be more modular than Red Hat.  The openSuSE build service is also a nice 
feature.

You'll still run into the same thing with openSuSE and Red Hat-- RHEL7, if 
you install "nfs-utils" (traditionally the "nfs client" package-- but now 
it's the server package too), for example, you get the NFS server 
installed, running, set to auto-start, with portmapper running.

And I'm sure for every person who gripes about package X installing itself 
as 'autostart', you'll find at least one person who complains that they've 
got to enable the service after installation.

Personally, I don't care-- ultimately, I use puppet to ensure the package 
is installed, configured, and the service is enabled how *I* want it. 
 Nearly all of my configuration changes are linked to the service, so if I 
update a config file, the service is automatically restarted.  That's kind 
of the whole point of puppet.

Calling an OS "stupid" because they made decisions you disagree with is 
short-sighted.



[Puppet Users] Re: Have Puppet remove a user when the associated class which created it is removed

2017-05-17 Thread John Gelnaw
On Friday, May 5, 2017 at 2:22:27 PM UTC-4, James Perry wrote:
>
> As I keep tweaking our Puppet/Foreman setup, I was wondering if it was 
> somehow possible to auto-magically remove users when the associated class is 
> removed from the server.  All of our Puppet code is under source code 
> management and requires a full change approval process to implement. 
>
> I thought of doing custom facts and then checking them against all user 
> classes, but that seemed like it would use a ton of overhead.  
>
> Another idea was to do a define that had a default of absent for a user 
> and then pass "present" as a parameter to have the user created, but that 
> seemed like it would still need some "magic" that most likely end up 
> getting really deep in coding to ensure that the user didn't get pulled off 
> a box where it needed to exist. 
>
> I'm not sure this is even possible other than how I have done it in the 
> past where I created 2 users classes. One that adds it and another that 
> removed it. The process is a bit clunky but it does work. 
>
> Anyone had any success making something like this work? 
>

Sort of?  The problem is, my implementation is very different from yours. 
 I'm managing users via YAML.  You can manage users (including removing 
them) via the user resource, so I'm creating YAML data (on the fly, but 
that's not a requirement) that gets consumed by a create_resources call.  I 
do management by invoking:

  resources { 'user':
    purge              => true,
    unless_system_user => $auth_base,
  }

where $auth_base is the highest possible uid for a system user (usually 
999).  Then any users that aren't known to the puppet catalog are zorched.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/f542a16c-029e-4d0a-8a24-0c1fed838d0b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [Puppet Users] stop service after install

2017-05-17 Thread John Gelnaw
On Monday, May 15, 2017 at 8:16:38 AM UTC-4, R.I. Pienaar wrote:
>
>
> debian will not overwrite configs on package install - suggest you put a 
> config down that does what you want first. 
>

Or, I dunno, maybe he could tie the service to the config file, and 
restart apache when the config file changes, and "require" the apache2 
class as part of his nginx setup.

So Puppet would install apache (starting the service), install the config 
file (restarting apache), and then install nginx.

class apache2  {

  $pkglist = ['apache2', 'apache2-dev']

  # Each package is addressable by its title, so no alias is set.
  package { $pkglist:
    ensure => latest,
  }
  file { '/etc/apache2/conf.d/ports.conf':
    content => 'Listen 127.0.0.1:80',
    require => Package['apache2'],
    notify  => Service['apache2'],
  }
  # refreshonly is an exec parameter, not a service one; the notify above
  # already restarts apache2 when ports.conf changes.
  service { 'apache2':
    ensure => running,
  }
}

class nginx  {

  require apache2

  package { ... }

  service { ... }

}

That's just off the top of my head, and isn't really The Right Way, but 
it's got all the components.
 

> Debian is just by design stupid, thinks starting all services 
> unconfigured on install is a good idea, suggest you use a OS designed to 
> be used on servers and not peoples basements. 
>

That is probably the single worst piece of advice I've seen on this forum. 
 It's hostile, short-sighted, and not terribly useful.

Debian has been a better "server" OS for years, in that it supports 
in-place upgrades, and makes it easier to control which packages are 
installed from which repositories.

Our environment has about 200 web and database servers, about 60% of which 
are Red Hat, and the rest are Debian.  They're both perfectly good 
operating systems for production servers, but they do require the admin be 
open-minded enough to actually learn the differences between the two 
paradigms-- otherwise, you might as well run Windows.



[Puppet Users] Re: Need to put iterative value in a file

2017-05-05 Thread John Gelnaw
The two ways I can think of, you can use ssh_authorized_key as part of a 
defined type, or you can create a file resource with a template, and use 
iteration within the template.

Iteration within the template requires "future parser" or Puppet 4.x.



Re: [Puppet Users] How to dynamically change sudoers

2017-04-21 Thread John Gelnaw
I use a template for a single /etc/sudoers:

# /etc/sudoers # 
# This file MUST be edited with the 'visudo' command as root. 
# 
# Of course, if you do, Puppet will completely rewrite it 30 minutes later. 
# 
 
Defaults    env_reset 
 
<% unless @cmd_aliases.empty? -%> 
# Cmnd alias specification 
 
<%- @cmd_aliases.each_pair do |key, val| -%> 
Cmnd_Alias <%= key %> = <%= val %> 
<%- end -%> 
<% end -%> 
 
<% unless @host_aliases.empty? -%> 
# Host alias specification 
 
<%- @host_aliases.each_pair do |key, val| -%> 
Host_Alias <%= key %> = <%= val %> 
<%- end -%> 
<% end -%> 
 
<%- if @sudoers -%> 
# User alias specification 
 
<%- @sudoers.each_pair do |key, val| -%> 
User_Alias <%= key %>   = <%= val %> 
<%- end -%> 
<% end -%> 
 
<%- if @user_priv -%> 
# User Privilege Specifications 
 
<%- @user_priv.each_pair do |key, val| -%> 
<%= key %>  <%= val %> 
<%- end -%> 
<% end -%>

And then in YAML I use a fairly primitive definition and load up the 
variables using a deep merge:

sudo::user_aliases: 
  NOPWD: 
    - user1 
sudo::user_priv: 
  NOPWD: 
    - "ALL = NOPASSWD: ALL"


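
The template-plus-Hiera approach described above, as an added Ruby example (not the poster's module or Puppet's own code): it renders the user alias and privilege sections from the YAML shown and rejects data that would spill onto another sudoers line. The template text, the joining of list values and the validation rules are assumptions of this example.

```ruby
require 'erb'
require 'tempfile'

# Constructed template covering two of the sections from the post.
SUDOERS_TEMPLATE = <<~'TEMPLATE'
  Defaults    env_reset
  <%- unless user_aliases.empty? -%>

  # User alias specification
  <%- user_aliases.each_pair do |name, members| -%>
  User_Alias <%= name %> = <%= members.join(', ') %>
  <%- end -%>
  <%- end -%>
  <%- unless user_priv.empty? -%>

  # User privilege specification
  <%- user_priv.each_pair do |who, specs| -%>
  <%- specs.each do |spec| -%>
  <%= who %>  <%= spec %>
  <%- end -%>
  <%- end -%>
  <%- end -%>
TEMPLATE

# Mirrors the YAML in the post (sudo::user_aliases / sudo::user_priv).
HIERA_DATA = {
  user_aliases: { 'NOPWD' => ['user1'] },
  user_priv:    { 'NOPWD' => ['ALL = NOPASSWD: ALL'] }
}.freeze

ALIAS_NAME   = /\A[A-Z][A-Z0-9_]*\z/                 # sudoers alias names
PRIV_SUBJECT = /\A[%+]?[A-Za-z_][A-Za-z0-9_.-]*\z/   # alias, user, %group or +netgroup

# Return a copy of +data+ with every value as a list, or raise if a name or
# value could change the meaning of the rendered file (control characters
# such as newlines, or a trailing backslash line continuation).
def checked(section, data, key_pattern)
  data.to_h do |key, values|
    raise ArgumentError, "#{section}: bad name #{key.inspect}" unless key.to_s.match?(key_pattern)
    list = Array(values).map do |v|
      safe = v.is_a?(String) && !v.strip.empty? &&
             !v.match?(/[[:cntrl:]]/) && !v.end_with?('\\')
      raise ArgumentError, "#{section}/#{key}: unsafe value #{v.inspect}" unless safe
      v
    end
    [key.to_s, list]
  end
end

# Validate the merged data, then render the sudoers text.
def render_sudoers(user_aliases:, user_priv:)
  vars = {
    user_aliases: checked('user_aliases', user_aliases, ALIAS_NAME),
    user_priv:    checked('user_priv', user_priv, PRIV_SUBJECT)
  }
  ERB.new(SUDOERS_TEMPLATE, trim_mode: '-').result_with_hash(vars)
end

# Syntax check with the real parser; nil means visudo could not be executed.
def visudo_ok?(text)
  Tempfile.create('sudoers') do |f|
    f.write(text)
    f.flush
    system('visudo', '-c', '-f', f.path, out: File::NULL, err: File::NULL)
  end
end

if __FILE__ == $PROGRAM_NAME
  text = render_sudoers(**HIERA_DATA)
  puts text
  puts "visudo check: #{visudo_ok?(text).inspect}"
end
```

On the Puppet side, the file resource's validate_cmd attribute (for example '/usr/sbin/visudo -c -f %') applies the same visudo check before the rendered file replaces /etc/sudoers.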


[Puppet Users] Re: removing "minimum_uid=1000" value from all my pam config files

2017-03-31 Thread John Gelnaw
On Thursday, March 30, 2017 at 1:58:46 PM UTC-4, Peter K wrote:
>
> I'm trying to remove a specific configuration value, "minimum_uid=1000", 
> from multiple lines in several files (currently 5 files) in /etc/pam.d/.
> A typical line looks like this:
> auth [success=1 default=ignore]  pam_ldap.so use_first_pass minimum_uid=1000
>
> I've tried exec and sed, but I couldn't figure out the necessary escaping 
> to get the filename variable to parse (here I test with 'abc'):
> define removeMinimumUID(){
> exec { '${filename}':
>   command => "/usr/bin/sed -i \'s|abc|cab|g\' ${filename}",
>   onlyif => '/usr/bin/test -e ${filename}',
>   refresh => '/usr/bin/true',
>   provider => 'posix',
>   logoutput => on_failure,
> }
> }
>
> RemoveMinimumUID { "/mnt/NY_Interactive/dev/peter/puppet/abc.txt": }
>
> Error:
> Executing: '/usr/bin/sed -i 's|abc|cab|g' '^[[0m
> ^[[mNotice: 
> /Stage[main]/Main/Removeminimumuid[/mnt/NY_Interactive/dev/peter/puppet/abc.txt]/Exec[${filename}]/returns:
>  
> /usr/bin/sed: no input files^[[0m
>
> If I substitute the fully qualified filename with the filename variable on 
> the 'command' parameter line, the script runs fine.
>
>
>
> Then I tried stdlibs' file_line but I couldn't figure out how to replace a 
> substring without identifying the entire replacement string:
>
>
> file { '/home/peter/dev/puppet/abc.txt':
>   ensure => present,
> }->
> file_line { 'Append a line to /home/peter/dev/puppet/abc.txt':
>   path => '/home/peter/dev/puppet/abc.txt',
>   line => 'cab',
>   multiple => true,
>   match   => "abc$",
> }
>
>
Check your quotes-- you can't interpolate a variable within single quotes. 

Personally, I went a bit more brute-force:

exec { '/usr/bin/sed -i -e s/uid=1000/uid=900/ *':
  cwd         => '/etc/pam.d',
  subscribe   => File['/etc/krb5.conf'],
  refreshonly => true
}

But getting rid of minimum UID completely might have unexpected behavior-- 
do you really want to manage your root password via PAM_LDAP?



Re: [Puppet Users] Subscribe for external module resources

2017-03-14 Thread John Gelnaw
On Tuesday, March 14, 2017 at 11:40:26 AM UTC-4, Warron French wrote:
>
> Gleb, you are running a cronjob to control the interval at which your 
> Puppet Clients are checking in?
>
> Did you know that you could instead use the option of *runinterval *within 
> the /etc/puppet/puppet.conf file instead?  
>
> In case you would like to see the help page on it, here:  
> https://docs.puppet.com/puppet/3.8/configuration.html#runinterval
>

Speaking for myself, I run from cron because:

 * it means the daemon isn't running the rest of the time.
 * If the vmware farm reboots my servers en masse, I've potentially got 
   dozens of servers checking in simultaneously.
 * While upstart and systemd have made things easier, the older sysv style 
   init wasn't that good at keeping a service running if it crashed
 * I use puppet to ensure the right services are running

Although every 10 minutes seems a bit excessive-- If I need a server to run 
more than twice an hour, I use mcollective to initiate a run.

I use fqdn_rand() to pick a consistent random number between 0-29, and 
create a crontab entry that runs every "N" and "N+30" minutes.



[Puppet Users] Re: Configure Puppet master as a universal caching proxy server

2017-03-13 Thread John Gelnaw
On Monday, March 13, 2017 at 10:23:28 AM UTC-4, Patryk Bęza wrote:
>
> I'm Puppet's new user and I have a simple question regarding Puppet 
> design: *is it possible to configure Puppet master as a universal, OS 
> agnostic caching proxy server for packages served for clients?* I know 
> that some GNU/Linux distributions have such proxies – eg. Debian has 
> apt-cacher.
>

No.  However, squid can be configured to do such, and I use it as a proxy 
for rpm/deb downloads.  I'm even running it on the same server as my puppet 
master, because the puppet server is the one box our firewalled systems are 
allowed to talk to.

 



Re: [Puppet Users] Manage delivery and execution of RPMs not in YUM

2017-03-06 Thread John Gelnaw
On Monday, March 6, 2017 at 9:16:45 AM UTC-5, jcbollinger wrote:
>
>
> On Sunday, March 5, 2017 at 6:56:11 PM UTC-6, John Gelnaw wrote:
>
>> I created a second "mount point" in puppet via fileserver.conf, pointing 
>> to a location outside the puppet git tree, so I could use 
>> "puppet:///downloads/" as a source, synchronized that directory 
>> to a local directory on the workstation using "ensure => directory", 
>> "recurse => true", and "purge => true", then had that resource notify an 
>> exec of "yum install -y *rpm"-- because yum will automatically handle 
>> dependencies, sequence, and upgrades.
>>
>> Then any time you drop a new rpm into the directory on the puppet server, 
>> the client automatically downloads and installs and/or upgrades the 
>> packages.
>>
>> Not the "Right Way", no, but it does work, and takes less work to add new 
>> packages (my way, drop new RPM in location accessible only by puppet-- 
>> yum/package way, add package to http:// accessible repo, update repo 
>> metadata, and (if needed) add package to node catalog if it's a new package 
>> vs. an upgraded existing package).
>>
>
>
> That's a viable option.  I'd say that its main advantage is avoiding any 
> need to update your manifest set or Hiera data when you want to add a new 
> package to the group.  Even that isn't a big win, however: in my 
> environment, it's a one-liner to add a package to my big list of local 
> packages to manage.  Nevertheless, it is one fewer piece to get aligned in 
> the right direction, and there is some value in that.
>
> All the costs of such an approach should be taken into account, however.  
> One of the more obvious ones is that the full set of RPMs will be 
> maintained locally on each client machine. This could be mitigated by 
> putting the packages on a network drive, so as to avoid any downloading at 
> all, but that does come with its own trade offs.
>
> Another cost is somewhat increased security exposure. If someone can 
> obtain sufficient privilege to put their own RPM into the directory 
> containing the local RPM copies, then Puppet will install it along with all 
> the others.  That constitutes a privilege escalation attack if it takes 
> more privilege to install packages than it does to drop files in the target 
> directory.
>

Except the directory gets forcibly sync'd with the puppet server before any 
RPM's are processed.  Any locally added files not present on the server 
will be zapped.
 

> Additionally, this approach does not afford an easy way to *remove* 
> packages, though it may be that package removal is rarely needed.
>

Same approach as yum/package-- "package { 'foo' : ensure => absent }", 
although one needs to remember to remove it from the server side first.  ;)



Re: [Puppet Users] Manage delivery and execution of RPMs not in YUM

2017-03-05 Thread John Gelnaw

On Friday, March 3, 2017 at 8:31:00 AM UTC-5, Michael Watters wrote:
>
> This would be the ideal but you *can* use the rpm provider when needed. 
>  For example:
>
> package { 'jdk':
> ensure  => installed,
> provider => 'rpm',
> source  => '/pub/oracle/jdk-8-linux-x64.rpm',
> }
>
>
> This will install the rpm using the defined source path.  In our 
> environment the /pub directory is available to all nodes via nfs
>

But it won't handle a number of issues in the original post-- RPM 'a' 
before 'b', and invoke script 'c' once packages a and b are installed.  Of 
course, you can do that with a number of puppet metaparameters.

I agree with everyone else that the "Right Way" is to create a yum repo, 
and install the packages via the package provider.  You can use notify / 
subscribe to control sequencing, or use the chaining arrows.

However, a long time ago, I solved this problem the wrong way-- and if 
you're going to do it the wrong way, you should at least do it right.  ;)

My original use was installing 2 .rpm or .deb files (depending on OS), 
without storing binaries in my git repo (the amount of pain it took to 
excise the vmware-tools installer out of my git repo was... enlightening. 
 If wisdom comes from making mistakes, I could compete with Solomon).  I 
had a second use case of a set of lab workstations installing an arbitrary 
number of RPM files containing various custom software applications, and 
that turned out to be something I'm still using this method for today.

I created a second "mount point" in puppet via fileserver.conf, pointing to 
a location outside the puppet git tree, so I could use 
"puppet:///downloads/" as a source, synchronized that directory 
to a local directory on the workstation using "ensure => directory", 
"recurse => true", and "purge => true", then had that resource notify an 
exec of "yum install -y *rpm"-- because yum will automatically handle 
dependencies, sequence, and upgrades.

Then any time you drop a new rpm into the directory on the puppet server, 
the client automatically downloads and installs and/or upgrades the 
packages.

Not the "Right Way", no, but it does work, and takes less work to add new 
packages (my way, drop new RPM in location accessible only by puppet-- 
yum/package way, add package to http:// accessible repo, update repo 
metadata, and (if needed) add package to node catalog if it's a new package 
vs. an upgraded existing package).



[Puppet Users] Re: Could not find class defined for specific environment when running puppet agent

2017-02-22 Thread John Gelnaw

I would ignore everything past "Using cached catalog from environment 
'ops'" in your debugging, as it's cached and therefore probably represents 
a previous state of the puppet master catalog.

Especially for testing, you can replace your puppet run with:

service puppet stop && puppet agent --test --server puppetmaster.domain.ca --environment ops

since --test means "--onetime --verbose --no-daemonize" and a couple of 
cache-disabling options as well, so you'll eliminate cache data, and 
simplify your troubleshooting.

You don't really need the server or environment either, since you've got 
them defined in your puppet.conf, so really, you should be able to use:

puppet agent --test

Having said that, error 500 is a pretty broad error, which usually means 
"something went wrong".  In this case, I suspect it's telling you the truth 
that it can't find the users::opsuser class-- which means either the puppet 
server can't read the file (selinux or file permissions, or what's happened 
to me too many times to ignore, a typo in the class definition :) ), or 
it's actually looking in the production environment.

The only reason I can think of why it would be looking in the production 
environment would be if node.rb told it to.

What happens when you manually run:

/etc/puppetlabs/code/environments/node.rb node.domain.ca

I suspect node.rb will spit out an "environment: production" yaml string, 
which is overriding the "environment ops" in your config / run statement.



[Puppet Users] Re: Specifying dependency ordering inside of lambda functions

2017-02-20 Thread John Gelnaw
I can think of three options:

1) Break the user / group definitions into their own classes, and "require" 
the group class in your user definition class.

2) In some cases, Puppet does an implicit require-- it's possible your code 
would work as-is, and the catalog would recognize the need to create groups 
first.  I don't know if this is expected behavior or not any longer, but 
perhaps one of the devs could comment.  Since they're defined in the same 
class, I would hope Puppet would be smart enough to recognize the need to 
define a group before defining a user that's a member of that group.

3) Don't worry about it-- let it fail.  I run puppet twice per hour, and if 
it can't define the user because the group is missing, it can still define 
the group on the first pass.  Then the next pass, the user will get 
created, because this time the group already exists.  Ugly, mildly 
irritating, but still effective.  Obviously, this isn't a good option if 
you're paying attention to the exit status of the puppet run, but if you're 
just running the puppet agent every so often, should be fine.



[Puppet Users] Re: Why do my SERVER certs get revoked?

2017-02-14 Thread John Gelnaw
On Tuesday, February 14, 2017 at 11:56:27 AM UTC-5, Dayton Jones wrote:
>
> I'm intermittently getting 
>  Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server 
> certificate B: certificate verify failed: [certificate revoked for 
> /CN=my.puppet.master] 
>
> when clients try to connect...this is very random and could go months 
> without the error, but I've got it several times in the last 3 days.  The 
> "fix" is stop the puppetmaster, remove its certs/regen and restart 
> puppetmaster and then have the clients reattempt the connection...
>
> But WHY is the cert getting revoked?  What can I look at to see why this 
> happens, I've checked the logs but don't see anything that sticks out... 
>  Server/clients are all synced and agree on the time, DNS is working 
> properly... any pointers would be greatly appreciated.
>

Check your time on client and server.   



[Puppet Users] Re: MCollective server cannot connect to ActiveMQ broker

2017-01-31 Thread John Gelnaw
On Tuesday, January 31, 2017 at 3:36:20 AM UTC-5, Isabell Cowan wrote:
>
> I've been trying all day to set up MCollective on my puppet cluster.  No 
> matter what I do, I can't seem to get the MCollective server to connect. 
>  The MCollective server(s) are running mostly on Ubuntu Xenial.  The 
> ActiveMQ broker (5.14.3) is running on Debian Stretch.  I'm running puppet 
> 4.x on all nodes. I've used every transport connector I can think of, and 
> they all fail to connect.  Let me dump some log files at you.
>
> In mcollective.log I'm getting `Connection reset by peer`:
>

Any time I see "connection reset by peer", my first instinct is that there 
is some device in between that's breaking the traffic.

Unfortunately, one of the newer "tricks" is so-called intelligent firewalls 
that base their rules on traffic, not ports-- so the initial connection may 
be allowed, but data transfer, not so much.

Have you tried using nmap from the mcollective server against the 61614 
port on the broker? 



Re: [Puppet Users] How to read in file into array of hashes to use build start script template

2017-01-22 Thread John Gelnaw
On Friday, January 20, 2017 at 12:28:02 PM UTC-5, James Perry wrote:
>
> Thanks.
>
> The reason I have a CSV is that is what is provided from the users out of 
> their own private database where they keep this data. I have to take the 
> detail as it is given. Now I can manually process the data to be how I 
> think I want, but I'm trying to keep this as simple as possible for the 
> other team members (KISS principle).  
>
> For the custom ENC, the new environment is Foreman over top of Puppet. 
>  Can I use a Puppet ENC when Foreman is setup to do that itself? 
>

I have a very complex ENC myself, so the idea of merging the Foreman ENC 
with my own ENC appeals to me-- Ultimately, they're both just spitting out 
YAML.

My current line of attack is to have my ENC (configured already within 
puppet) call the Foreman node.rb script, merge the two data structures and 
output the resulting YAML, but the migration to puppet 4.x has priority at 
the moment.



[Puppet Users] Re: How to read in file into array of hashes to use build start script template

2017-01-13 Thread John Gelnaw
Set up hiera correctly, add a yaml file to your hierarchy, and 
translate the CSV file to YAML:

I'm a perl geek, so:
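#!/bin/perl

# Group the second CSV column (the command) by the first (the server name).
while(<>)  {
  chomp; 
  tr/A-Z/a-z/;
  my @a = split(/\,/);
  push(@{$hash{$a[0]}}, $a[1]);
}
# Emit one Hiera key per server, with its commands as a YAML list.
for my $srv (sort(keys(%hash)))  {
  print "startup::${srv}:\n";
  for my $cmd (@{$hash{$srv}})  {
    print "  - $cmd\n";
  }
}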


... yes, that array syntax in the hash is hideous.  ;)

Also, I know I should be using CSV and YAML modules, but the example was 
simple enough.

That should produce something like:

startup::servera:
  - /usr/local/bin/prog start databasea
  - /usr/local/bin/prog start databaseb 
startup::serverb:
  - /usr/local/bin/prog start database123

Although I'd probably drop the "/usr/local/bin/prog start", since it seems 
to be common to all.

Then a class:

class startup  {

  # Look up this node's own key; "none" is the default when it has no entry.
  $array = hiera("startup::${hostname}", "none")

  if ($array != "none") {
    < do stuff >
  }
}



I'm assuming serverb doesn't need to know servera's business (loading the 
entire thing on every server seems wasteful to me), but if it does, change 
the yaml to:

startup:
  servera:
    - command 1
    - command 2
  serverb:
    - command 1

And then just load the entire hash:

$hash = hiera("startup")



Re: [Puppet Users] Over-engineering rant

2017-01-10 Thread John Gelnaw
On Tuesday, January 10, 2017 at 3:19:45 PM UTC-5, Eric Sorenson wrote:
>
>
> I'd like to point out that this ntp module is also deliberately a test 
> case for *all* of the puppet 4 language features, and as such is kind of a 
> "reference module", so it certainly could be simpler but is intended to 
> both do something useful and provide a working example of things like EPP 
> and the type system. Helen Campbell wrote up a walk-through of the features 
> that she and David Schmitt implemented in it here:  
> https://puppet.com/blog/ntp-puppet-4-language-update
>

Understood.
 

>> Most of my bitterness towards puppet comes from the 3.x series, where the 
>> API was a moving target, and upgrading to the "latest" puppet 3.x package 
>> could break your world.  It's gotten significantly better, but I'm still 
>> only about halfway up the puppet 3.x --> 4.x cliff.  ;)
>>
>
> Can you give me an example of backwards-incompatible API changes in the 
> 3.x series? I'm not being snarky; we had long debates (way too long, in 
> some cases) about semantic versioning and did extra work to not introduce 
> breaking changes into the 3.x. The goal was rebuilding trust that new 
> versions behave like you'd expect given the version number, so I'm dismayed 
> to hear that those efforts failed and things broke for you anyway :(
>

Unfortunately, I don't remember specifics-- looking in my git log, I had to 
freeze the version at 3.4.3.  Some feature (not mentioned in my git log) 
went from "deprecated" to "fail" in the jump from 3.4.3 to 3.5, and 
upgrading to 3.5.x or later caused my puppet master to stop working.

I'm thinking it might have actually been a change in the future parser, 
which I was (and still am) using fairly heavily in my AD-based user 
management.  Is it possible that the future parser stopped accepting 
hyphens around then?



Re: [Puppet Users] Over-engineering rant

2017-01-10 Thread John Gelnaw
On Tuesday, January 10, 2017 at 12:37:14 AM UTC-5, R.I. Pienaar wrote:
 

> > So how many times have you verified you didn't talk to an evil CA when 
> > you originally connected an agent? 
>
> Every time? I logged into my known CA using a non Puppet means, I know 
> it's the known CA because of SSH safety checks and I sign the client I 
> expect to sign on this known CA using the information at hand - the 
> client fingerprint that I visually confirm. 


But when you connect agent "A" to server "B", unlike SSH, there's no option 
of confirming the server's identity.

If I've connected to a rogue CA, I would expect it to autosign my cert 
request as quickly as possible, and start spamming bad catalogs at my agent.

Verifying the correct agent fingerprint when you sign the cert is not the 
time to be paranoid, merely a time to be cautious (in case you hand out any 
restricted information such as passwords in your catalogs).

> > And the thing is, if I delete that cached file, it promptly (and as near 
> > as I can tell, blindly) downloads the ca.pem file anyway. 
>
> But this is not enough, the new ca.pem isn't all you need, you need certs 
> signed by the new ca too. 
>
>

Now, that's where things get interesting.  I mentioned before that I 
generated a new CA, signed with the old private key.  All of my existing 
agent certs kept working.

When it comes to certificate wizardry, I'm not a master-- mid level 
apprentice would be a better description, but the certificate wizard in my 
office was unsurprised that I didn't need to generate new certs.
 

> Turns out it's not news to anyone that this is needed and if you look in 
> Jira there is a whole group of tickets covering exactly that and afaik 
> it's quite high priority. I am sure constructive input on those will be 
> appreciated. 
>
> This is why I've previously, when you contacted me off list, also asked 
> the same question to you: Have you filed any tickets or are you just 
> ranting to make yourself feel better? 
>

I didn't actually see a response to my offline comments-- I assumed they 
got bit bucketed, so I came back here.

Historically, I've contributed to one issue a long time ago, haven't filed 
new issues, because frankly, there was nothing in the discussion I felt I 
could contribute to, other than "current system bad, pls fix!".

As for ranting, I have had two major complaints about puppet, and I 
expressed both here-- hopefully in a civil fashion.  Neither has been a 
show stopper, but both have been a source of frustration.
 

> To expand on the issue with redownloading CA and blind trust, lets 
> consider a situation I am often in. 
>
> My laptop laptop1.mycorp.local is Puppet managed, have a cert and 
> a CA.  My laptop is using DHCP because I travel a lot and it uses 
> the default 'puppet' name for the master.
>

Now, I don't want to be misunderstood here, so I'll speak plainly:

Non FQDN's are the work of satan.  If you can't be bothered to specify the 
fully-qualified domain name for your One True puppet master, that's your 
fault.
 

> I go to evilcorp.local who gives me a DHCP host name 
> sucker1.evilcorp.local, 
> my Puppet agent makes a new cert automagically for this name, sends 
> it off to be signed by puppet1.evilcorp.local who in turn auto signs 
> it, I cache the new ca.pem and we're off.  It runs a exec{} that 
> rsyncs my whole ~ off to its NAS neatly bypassing any disk encryption 
> I might have and so steals all my other clients code and secrets I 
> happen to have on my laptop. 
>
> Except this doesn't happen because it doesn't redownload the CA. 
> Not redownloading the CA is CRITICAL.  And yes naming things still 
> suck, calling it a cache is a mistake, not treating it like a cache 
> is not. 
>

What you've described is your laptop blindly trusting the DHCP server and 
the local DNS server, and doesn't properly use DNS (let alone DNSSEC) to 
verify it's talking to the same puppet master it's registered with.
 
The whole point of SSL is that I have a certificate that proves to the 
server I am who I claim to be.  The server ALSO has a certificate that 
proves it's who it claims to be.

If your only safeguard against not getting hijacked by evil puppet masters 
is to not renegotiate a soon-to-be-expired CA, then puppet has a flawed 
security model.

> This is very different from WHY ARENT YOU DOWNLOADING JUST ANY RANDOM 
> ca.pem YOU ARE GIVEN THIS WILL FIX ALL THE PROBLEMS WHY ARE YOU SUCH 
> IDIOTS?  As per your emails. 
>

If you interpreted my emails (posts) that way, I'm very sorry-- My original 
complaint was that there was no functionality to update a 
valid-but-about-to-expire CA with a new one, without manually deleting the 
existing CA, and blindly trusting the new CA.

The fact that I was able to generate a valid new CA that was still 
recognized by my existing agent certificates apparently escaped you.

At no time did I intend to suggest that any operation (including renewing 
the agent c

Re: [Puppet Users] Over-engineering rant

2017-01-09 Thread John Gelnaw
On Monday, January 9, 2017 at 2:39:38 PM UTC-5, R.I. Pienaar wrote:
>
>
> Because if i can convince your client to connect to $evil_ca, then what? 
> How's it to know its a new legit ca and not a new bad ca? 
>

The same way it "knew" when you originally provisioned it-- It didn't.  In 
fact, the agent, by default, displays the *request* fingerprint-- but never 
the server fingerprint, and doesn't give me a chance to verify it.

So how many times have you verified you didn't talk to an evil CA when you 
originally connected an agent?

And the thing is, if I delete that cached file, it promptly (and as near as 
I can tell, blindly) downloads the ca.pem file anyway.

The entire point of a public/private key system is the ability to trust. 
 The agent can trust the server, the server can trust the agent.

The lack of ability to renew that trust *before* it expires is a serious 
failure-- Recently, my initial 5 year CA expired.  The "conventional 
wisdom" was to REBUILD MY ENTIRE ENTERPRISE.  If I'd had to do that, 
there's a good chance I'd have reevaluated my 5 year old decision to go 
with puppet-- not saying I wouldn't have wound up with puppet anyway, but 
I'd have looked much, much harder at competing products, which have made 
huge progress in 5 years.

Fortunately, based on a suggestion here, I was able to sign a new CA with 
the same private key used to create the original CA, and replace that CA 
before everything stopped working.  Then, using mcollective, I removed the 
cached ca.pem file, and let puppet download the new ca.pem.  Of course, the 
workstations that were off for the month of July came back and couldn't do 
anything, because the original CA had expired, and the only way to fix them 
at that point was to manually log in and clean up the mess.

If the CA is valid, and the client cert is valid, there's no reason on 
earth why the agent and CA shouldn't be able to renegotiate a certificate.  
There's no reason why the CA shouldn't be able to tell the client "Oh, you 
have the old CA, here, have a new one", since the agent has, in theory, a 
valid copy of the original CA which it can use to validate the connection.

Otherwise, you have to delete the certificates from the master and the 
agent, regenerate the request from the agent, and re-sign the cert on the 
master-- and you can't tell me that's a more secure process than a 
negotiated, verified renewal / update-- not to mention a massive time 
waster that goes completely against the philosophy of *having* centralized 
management.  It's too much dev, not enough ops.  :)

I've written a script to automate renewing the agent cert-- but it's ugly, 
and as you point out, it opens up the possibility for someone to 
impersonate my existing CA.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/12d735a7-554c-4687-9043-95f916f62af6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
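
The rollover described in the message above (a new CA certificate issued with the original CA's private key) is something an agent could check against its cached ca.pem before swapping it, instead of deleting the file and trusting whatever is downloaded. This is an added example, not code from the thread or from Puppet; the function names, the subject and the certificates are constructed for illustration.

```ruby
require 'openssl'

DAY = 86_400

# Constructed test data: a self-signed CA certificate carrying key's public
# half. `signer` lets the demo build a certificate signed by the wrong key.
def make_ca(key, subject, not_before, not_after, serial, signer: key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(signer, OpenSSL::Digest.new('SHA256'))
  cert
end

# Whole days until the certificate expires (negative once it has expired).
def days_until_expiry(cert, now = Time.now)
  ((cert.not_after - now) / DAY).floor
end

# SHA-256 fingerprint, for comparison with a value obtained out of band.
def fingerprint(cert)
  OpenSSL::Digest.new('SHA256').hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

def ca?(cert)
  bc = cert.extensions.find { |e| e.oid == 'basicConstraints' }
  !bc.nil? && bc.value.include?('CA:TRUE')
end

# May `candidate` replace the cached `trusted` CA certificate?
# Returns [true, 'ok'] or [false, reason].
def check_ca_rollover(trusted, candidate, now = Time.now)
  unless candidate.subject.to_der == trusted.subject.to_der
    return [false, 'subject differs']
  end
  unless candidate.public_key.to_der == trusted.public_key.to_der
    return [false, 'public key differs from trusted CA']
  end
  unless candidate.verify(trusted.public_key)
    return [false, 'signature not made by trusted CA key']
  end
  return [false, 'not a CA certificate'] unless ca?(candidate)
  unless candidate.not_before <= now && now < candidate.not_after
    return [false, 'outside validity period']
  end
  unless candidate.not_after > trusted.not_after
    return [false, 'does not extend lifetime']
  end
  [true, 'ok']
end

# Runs the check over four constructed candidates.
def rollover_demo
  now = Time.utc(2017, 1, 9)
  ca_key = OpenSSL::PKey::RSA.generate(2048)
  other_key = OpenSSL::PKey::RSA.generate(2048)
  subject = '/CN=Constructed Puppet CA'
  five_years = 5 * 365 * DAY
  old_ca = make_ca(ca_key, subject, now - five_years, now + 30 * DAY, 1)
  renewed = make_ca(ca_key, subject, now - DAY, now + five_years, 2)
  lookalike = make_ca(other_key, subject, now - DAY, now + five_years, 2)
  badsig = make_ca(ca_key, subject, now - DAY, now + five_years, 2,
                   signer: other_key)
  stale = make_ca(ca_key, subject, now - 10 * DAY, now - DAY, 3)
  {
    days_left: days_until_expiry(old_ca, now),
    fingerprint: fingerprint(renewed),
    renewed: check_ca_rollover(old_ca, renewed, now),
    lookalike: check_ca_rollover(old_ca, lookalike, now),
    badsig: check_ca_rollover(old_ca, badsig, now),
    stale: check_ca_rollover(old_ca, stale, now)
  }
end

rollover_demo.each { |k, v| puts "#{k}: #{v.inspect}" } if __FILE__ == $PROGRAM_NAME
```

The check only works while the cached certificate is still the one the agent trusts, so it has to run before expiry; `days_until_expiry` is the value a renewal job would alert on.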


Re: [Puppet Users] Over-engineering rant

2017-01-09 Thread John Gelnaw
On Monday, January 9, 2017 at 10:10:08 AM UTC-5, R.I. Pienaar wrote:
>
>
> so we're on the same page are you just saying in general the NTP module 
> has too much 
> going on and its too huge for a "simple" piece of software? 
>

Mostly, it was the unexpected syntax.  Somehow, I completely missed any 
references to data typing.  I'm not even *opposed* to it-- although there's 
a very lazy part of me that says it needs to remain optional.  :)

While the puppet 3 version is, quite frankly, hideous, I understand why 
it's that way, and it's at least formatted nicely, so it's easily read.

The puppet 4 version looks cluttered (even though it's much simpler, it 
APPEARS more cluttered because it's not a table any longer), and was a 
paradigm shift I was unprepared for.

But reading through it makes sense.

Although-- I think I'd consider (optionally) moving the params to an 
external file, for readability, if nothing else. 

In both the puppet 3.x and 4.x examples, you've got a whole lot of 
information jammed into the "first line" (that has 50+ parameters) that can 
overwhelm a novice user.

Whatever happened to yaml-in-modules as a concept?  I'd think using 
something like that for parameter definitions would be a much cleaner 
approach.

Maybe something like:

params.yaml:
classes:
  ntp:
    config_epp:
      type: string
      required: false


... but that may be too much caffeine talking.  ;)
 

> and Data now uses Hiera, its a LOT LESS code in Puppet 4 and fewer 
> dependencies 
> etc 
>
> Just want to understand the actual complaint part of this distinctly from 
> the rant 
> part of this mail thread. 
>

Not even sure it was a complaint-- Just a bit of culture shock as an 
unknown feature crept up on me.

Heck, you should have seen me trying to find out what the "@@" syntax meant 
(puppetdb has been somewhat unstable until recently in my environment, so 
I've never spent much time on it, and didn't have a need for exported 
resources).

Puppet, as a language, however, has been a moving target for years-- at one 
point in the 3.x days, I had to switch to a fixed version to keep my puppet 
server from becoming incompatible with my existing code-- but that also 
meant I couldn't easily get security updates, because puppet doesn't 
understand "Update to latest version below version 'x'".  Things have 
improved considerably, but it's still a full time job keeping up with the 
changes.

But if you want rants:

  * why won't my puppet agents download a new CA from the puppet master 
when I update it?  Why do I have to manually delete the "cached" 
/var/lib/puppet/ssl/certs/ca.pem file in order to get the new ca.pem file 
downloaded?  That's not cached, that's stored.  ;)
  * similarly, having to manually delete / renew agent certs is painful 
because you have to be logged in on both the agent and the master-- an 
auto-renew feature would be nice.




Re: [Puppet Users] Over-engineering rant

2017-01-09 Thread John Gelnaw
On Sunday, January 8, 2017 at 2:31:33 PM UTC-5, Rob Nelson wrote:
>
> There are a lot of very valid issues and concerns you bring up here. I do 
> want to start by saying, however, that puppet 4 is more than 6 months old - 
> about 20 months to be precise - and most of the significant language 
> changes were introduced somewhat earlier in the future parser in puppet 3. 
> These changes should be easier to take in for sure, but that is at least 3x 
> more to catch up on. I hope that doesn't sound like a harsh response, but I 
> think it's more accepted that after 1.5-2 years, most moving projects will 
> require significant re-learning.
>

I've been using "future parser" in Puppet 3 for a while-- I absolutely had 
to have iteration, and a few other features, so I *thought* I had been 
keeping up with puppet development.

I had a similar reaction to the OP when I looked at the NTP code-- 
"ek!!!".

Although knowing that it's optional is a good thing, and knowing it's 
available is also good-- it is something of an overwhelming example of 
"wall of code".  Then again, for those who say NTP is simple-- I point and 
laugh in your general direction.  The fact that NTP *can* be as simple as a 
drift file and an NTP host, doesn't mean it's always that easy, and I 
respect the amount of effort in making that module work.

Having said that, my ntp class is a bit simpler, and resembles the classic 
"package / file / service" puppet class, because that's all my site 
requires. 

Most of my bitterness towards puppet comes from the 3.x series, where the 
API was a moving target, and upgrading to the "latest" puppet 3.x package 
could break your world.  It's gotten significantly better, but I'm still 
only about halfway up the puppet 3.x --> 4.x cliff.  ;)



Re: [Puppet Users] lspci via facter

2017-01-08 Thread John Gelnaw

I've been using the following code for a really long time now-- I think I 
'borrowed' it from someone else.

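# videocards.rb
# Custom fact: one "videocardN" fact per VGA controller reported by lspci.

controllers = []
output = %x{lspci}
output.each_line do |s|
  controllers.push($1) if s =~ /VGA compatible controller: (.*)/
end

# each_with_index gives every setcode block its own index and name; a
# "for" loop shares one loop variable, so every lazily evaluated fact
# would resolve to the last card.
controllers.each_with_index do |name, vc|
  Facter.add("videocard#{vc}") do
    setcode do
      name
    end
  end
end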


Obviously it's only going to work if lspci is in the path when puppet runs.



Re: [Puppet Users] Array Iteration for Community Edition of Puppet(3.8)

2017-01-01 Thread John Gelnaw
On Sunday, January 1, 2017 at 2:41:16 AM UTC-5, R.I. Pienaar wrote:
>
>
> Puppet 3 is now dead, upgrade to Puppet 4 - it's free - and you too can 
> enjoy 
> features designed to solve your problem 
>

While understandable, that's something of an irritating answer-- It 
underlies a problem I've felt puppet has had since the 1.x days-- Any 
feature you're using can stop working with little warning, unless you 
follow the puppetlabs blogs closely.

Newer changes aren't quite as drastic as banning hyphens from a class name, 
but it can still be a major pain when you have a bunch of puppet code that 
used to work.  :)

It also does a nice job of completely ignoring the user's question.

@Joe:  The iteration feature is available in Puppet 3.7.x and later, but 
you need to enable the "future parser"-- which is also the first step in 
upgrading smoothly to puppet 4.x.



[Puppet Users] Re: Puppet3 | hiera | role -> Problem role/mysql.yaml not used -> example from rnelson0.com with mysql

2016-12-21 Thread John Gelnaw

Hate replying to myself.  As you noticed, "profile" and "datacenter" are 
also not defined.



[Puppet Users] Re: Puppet3 | hiera | role -> Problem role/mysql.yaml not used -> example from rnelson0.com with mysql

2016-12-21 Thread John Gelnaw
On Wednesday, December 21, 2016 at 11:37:38 AM UTC-5, Denny Fuchs wrote:
>
> hi,
>
> I try to understand the example from 
> https://rnelson0.com/2015/02/02/deploying-mysql-with-puppet-without-disabling-selinux/comment-page-1/
>  
> with MySQL.
>
> At this moment, most parts are working, except role/mysql.yaml . It seems, 
> that this file isn't noticed by hiera/puppet:
>
> :yaml:
>   :datadir: "/etc/puppet/environments/%{environment}/hieradata"
>
> :hierarchy:
>   - "node/%{::fqdn}"
>   - "role/%{::role}"
>   - "profile/%{::profile}"
>   - "operatingsystem/%{::operatingsystem}/%{::operatingsystemmajrelease}"
>   - "operatingsystem/%{::operatingsystem}"
>   - "osfamily/%{::osfamily}"
>   - "datacenter/%{::datacenter}"
>   - "virtual/%{::is_virtual}"
>   - common
>
>
Everything you're using in your hiera.yaml is OK except the role line-- 
"role" is not a fact (unless you have a custom fact defining it), or a 
top-level variable, so you'll need to define it before any hiera calls that 
might use it.

> ./manifests/site.pp
>
> hiera_include('classes', '')
> node default {
>   $role = hiera('role')
>   include $role
> }
>

Here, you define $role, but you're pulling it from hiera as well-- where is 
this variable defined?

I suspect that if you add:

$role = 'mysql'

to your role/manifests/mysql_server.pp file, that things may improve-- but 
you're also declaring it in your default node definition (or trying to), 
and one thing puppet doesn't tolerate well is defining the same variable 
twice.


   



[Puppet Users] Re: r10k, git and .gitignore

2016-12-19 Thread John Gelnaw

We used Gavin's approach and created a "downloads" mount within Puppet, so 
Puppet still handles the file transfer, but it's from a different set of 
directories outside of the git repo(s).

Also, for anyone creating .deb / .rpm package files, if you aren't using 
'fpm', you should be.



Re: [Puppet Users] puppet does not like ~ in file name

2016-11-10 Thread John Gelnaw
On Thursday, November 10, 2016 at 12:55:21 PM UTC-5, Fabrice Bacchella 
wrote:
>
>
> > On 10 Nov 2016, at 18:22, Rob Nelson wrote: 
> > 
> > That said, who decided a tilde to start a file name was good for 
> > anything but a temp file??? I understand you have no choice as a user, but 
> > someone somewhere, somewhen, chose it :( 
>
> because in the sort algorithm from glob, ~ is one of the very few 
> characters that goes after z and it's printable, look at LC_COLLATE in 
> http://pubs.opengroup.org/onlinepubs/007908775/xbd/locale.html#tag_005_003_002
> .


First, a tilde in a filename is a special character in most shells-- you're 
setting yourself up for pain, and unexpected behavior.

Secondly, on many linux systems, run-parts (the engine behind cron.hourly) 
will not run a script with a tilde in the name, since it will only match 
the regex /[A-Za-z0-9_]+/

If you're concerned about order, number them all. 



Re: [Puppet Users] Problems with new PE 2016.4 install

2016-11-04 Thread John McCabe
Hi Jonathan,
Could you also share the facter version/path and the OS that you've 
encountered this on.

facter --version
which facter

I ask because the `facter -p mountpoints` output you're getting doesn't 
match what I see, which shows output for physical mounts only, for example:

root@masterlocal:~/puppet-enterprise-2016.4.0-ubuntu-16.04-amd64# facter -p mountpoints
{
  / => {
    available => "15.62 GiB",
    available_bytes => 16771174400,
    capacity => "16.00%",
    device => "/dev/mapper/localhost--vg-root",
    filesystem => "ext4",
    options => [
      "rw",
      "relatime",
      "errors=remount-ro",
      "data=ordered"
    ],
    size => "18.60 GiB",
    size_bytes => 19966849024,
    used => "2.98 GiB",
    used_bytes => 3195674624
  },
  /boot => {
    available => "419.11 MiB",
    available_bytes => 439472128,
    capacity => "11.13%",
    device => "/dev/sda1",
    filesystem => "ext2",
    options => [
      "rw",
      "relatime",
      "block_validity",
      "barrier",
      "user_xattr",
      "acl"
    ],
    size => "471.60 MiB",
    size_bytes => 494512128,
    used => "52.49 MiB",
    used_bytes => 5504
  }
}

Thanks,
John

On Friday, 4 November 2016 03:07:07 UTC-7, Jonathan Gazeley wrote:
>
> No, I haven't knowingly changed anything about Facter's configuration. 
> In fact the config file I'm using is migrated from a previous Puppet 3 
> install and explicitly has stringify_facts = false. 
>
> Thanks, 
> Jonathan 
>
> On 03/11/16 17:41, Peter Huene wrote: 
> > On Thu, Nov 3, 2016 at 10:30 AM, Justin Stoller wrote: 
> > 
> > On Thu, Nov 3, 2016 at 2:52 AM, Jonathan Gazeley wrote: 
> > 
> > Hi folks, 
> > 
> > I've been running open-source Puppet 3.x for years but this week 
> > I'm dabbling with a new installation of PE 2016.4. I installed 
> > from the pointy-clicky installer and so far the PE server only 
> > has itself in the inventory, but is failing to do a puppet run. 
> > It bails with this error: 
> > 
> > Could not retrieve catalog from remote server: Error 500 on 
> > SERVER: Server Error: Evaluation Error: Error while evaluating a 
> > Resource Statement, Evaluation Error: Error while evaluating a 
> > Method call, 'dig' parameter 'data' expects a Collection value, 
> > got String at 
> > 
> > /opt/puppetlabs/puppet/modules/puppet_enterprise/manifests/master/puppetserver.pp:673:42 
> > on node puppet4-prod.resnet.bris.ac.uk 
> > 
> > I think that manifest is something that came with PE and not 
> > something I've installed, so I've no idea where to start. Any 
> > ideas? 
> > 
> > 
> > Looking at that line in the puppet configuration it seems that we're 
> > digging into the mountpoints: 
> > 
> > $tmp_mount_options = $::mountpoints.dig( '/tmp', 'options' ) 
> > 
> > 
> > Dig expects to be called on a collection[1], and reading the error I 
> > would assume that the fact `mountpoints` is returning a string or 
> > that the "/tmp" key within the fact is returning a string. Which is 
> > not how Facter should be behaving[2]. 
> > 
> > 
> > Perhaps we're picking up a (deprecated for forever now) `stringify_facts 
> > = true` in Puppet's settings, perhaps from a previous installation? 
> > 
> > My guess is that Facter is operating correctly since this fact is tested 
> > against the schema definition to verify it is always a map. 
> > 
> > 
> > 
> > Have you changed anything relating to Facter or its configuration? 
> > 
> > 
> >  - Justin 
> > 
> > 
> > 1. https://docs.puppet.com/puppet/4.8/reference/function.html#dig 
> > 2. https://docs.puppet.com/facter/latest/core_facts.html#mountpoints 
> > 
> > 
> > Thanks, 
> > J

[Puppet Users] Re: Very frequent "Error: Could not request certificate: The certificate retrieved from the master does not match the agent's private key." on Windows

2016-10-17 Thread John Gelnaw

On Wednesday, October 12, 2016 at 4:55:09 AM UTC-4, Fredrik Nilsson wrote:
>
> Thanks for your reply Andrew, sadly I guess that won't be an option as the 
> pain of re-signing the actual certificate for erroneous hosts is less than 
> re-signing every certificate for all existing hosts. After all we are in 
> the process of upgrading to Puppet 4 so hopefully one of the side effects 
> of that upgrade is that this error goes away as a part of the process. 
> Thanks though, one should always train one's cut'n'paste skills ;-).
>

If you have an mcollective environment, you could turn on auto-sign, use 
mcollective to whack the local ca/host certs, and then use mcollective to 
trigger a puppet run (which would auto-request a new certificate).

Since my puppet environment is now 5 years old, I'm experiencing a rolling 
expiration of puppet agent certs, and I wrote a script that lives on the 
puppet master that checks for impending expirations, and if it finds them, 
it runs:

puppet cert clean 
mco puppet resource exec "rm -rf /var/lib/puppet/ssl/*" -W fqdn=
mco puppet runonce -W fqdn=
puppet cert sign 

... there's a bit of a tricky timing issue that (usually) doesn't matter, 
since we configure mcollective to actually use the puppet agent's 
certificate/key pair.

If you're doing this on Windows, the equivalent powershell-fu shouldn't be 
too tough.  You'd probably want to stop the puppet service on the agent, 
nuke the certs/keys, and then invoke a single synchronous run of puppet to 
request the new certificate.



[Puppet Users] Re: Warning: Unable to fetch my node definition, but the agent run will continue:

2016-10-17 Thread John Gelnaw
Some things to keep in mind for successful ENC scripts...

First, on the agent, run:

# facter fqdn

This is the node name that will be reported to the puppet master 
(equivalent to 'hostname -f').  If it doesn't match expectations, fix that 
first-- preferably via DNS, but /etc/hosts is a valid solution if necessary.

Other thing(s) to make sure of with your ENC code:

  * don't output any text that isn't YAML
  * don't return any exit code other than 0, unless you want your puppet 
runs to halt on ENC error
  * Don't use tabs when generating your yaml.  ;)

That means any debug text needs to go to stderr (or a log file), and you 
need exception handlers for everything.

And in the "probably obvious" category, I construct one large data 
structure in memory containing all the output I want in my YAML, and then 
dump that structure via a YAML library, rather than trying to format the 
output myself.

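
The ENC rules listed in the message above (only YAML on stdout, debug text on stderr, exit 0 unless runs should halt, one in-memory structure dumped through a YAML library, an exception handler around everything) fit in a short script. This is an added example, not code from the thread; the inventory, the `role::` class naming and the empty classification returned for unknown nodes are assumptions of the example.

```ruby
require 'yaml'

# Constructed sample inventory; a real ENC would query a CMDB or database.
NODES = {
  'web01.example.test' => { 'role' => 'web',   'environment' => 'production' },
  'db01.example.test'  => { 'role' => 'mysql', 'environment' => 'production' }
}.freeze

# Hostname syntax only. The node name is used as a lookup key, so anything
# that is not a plain FQDN is rejected before it reaches the data source.
FQDN = /\A[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+\z/

# Build the whole classification as one data structure.
def classify(node_name)
  name = node_name.to_s.downcase
  raise ArgumentError, "invalid node name: #{node_name.inspect}" unless name =~ FQDN

  node = NODES[name]
  return { 'classes' => {} } if node.nil? # unknown node: empty but valid YAML

  {
    'classes'     => { "role::#{node['role']}" => {} },
    # ENC parameters become top-scope variables on the master.
    'parameters'  => { 'role' => node['role'] },
    'environment' => node['environment']
  }
end

# Returns the exit status. YAML goes to `out`, everything else to `err`.
# Nothing is written to `out` until the classification has been built, so a
# failure half way through cannot leave partial YAML behind.
def run_enc(argv, out: $stdout, err: $stderr, halt_on_error: false)
  err.puts "enc: classifying #{argv.first.inspect}"
  out.write(YAML.dump(classify(argv.first)))
  0
rescue StandardError => e
  err.puts "enc: #{e.class}: #{e.message}"
  return 1 if halt_on_error # non-zero halts the puppet run

  out.write(YAML.dump({ 'classes' => {} }))
  0
end

# As an ENC script the last line would be: exit run_enc(ARGV)
```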


Re: [Puppet Users] R10K in an existing infrastructure OR How to write yourself into a corner.

2016-09-29 Thread John Warburton
Thanks Rob

On Thursday, 29 September 2016, Rob Nelson  wrote:

> Whoops, it's called lab_config in that project (site_config is my private
> repo for the home lab) and can be found at https://github.com/
> puppetinabox/lab_config. There's not as much to that since it's a
> reference project, but for example DNS updates are pushed out every 15
> minutes from it (agents check in every 30 minutes, though), so it's just a
> matter of pushing a change to 'master' in that repo and boom, deployed
> within the hour.
>
> On Thursday, September 29, 2016, John Warburton  > wrote:
>
>>
>> On Thursday, 29 September 2016, Rob Nelson  wrote:
>>
>>> The 'site_configs' module is pretty equivalent to the 'data' module you
>>> propose - odd config files, SSL certs, etc.
>>
>>
>> Rob
>>
>> I can't find site_configs on the forge or google. Any pointers?
>>
>> Thanks
>>
>> John
>>
>>
>> --
>> John Warburton
>> Ph: 0417 299 600
>> Email: jwarbur...@gmail.com
>>
>
>
> --
>
> Rob Nelson
> rnels...@gmail.com 
>


-- 
John Warburton
Ph: 0417 299 600
Email: jwarbur...@gmail.com



Re: [Puppet Users] R10K in an existing infrastructure OR How to write yourself into a corner.

2016-09-28 Thread John Warburton
On Thursday, 29 September 2016, Rob Nelson  wrote:

> The 'site_configs' module is pretty equivalent to the 'data' module you
> propose - odd config files, SSL certs, etc.


Rob

I can't find site_configs on the forge or google. Any pointers?

Thanks

John


-- 
John Warburton
Ph: 0417 299 600
Email: jwarbur...@gmail.com



Re: [Puppet Users] Moment of duhh.... Trying to wrap my head around some condition statements.

2016-09-27 Thread John Gelnaw

if ($productname =~ /Z640/)  {

  file { ... }
  exec { ... } 

}

'productname' is a fact which usually represents your system model.



[Puppet Users] Re: How to handle predictable network interface names

2016-08-27 Thread John Gelnaw

I went the other direction-- we deploy all of our servers (and most of our 
workstations) via cobbler, so all new RHEL 7 and CentOS 7 boxes have 
"net.ifnames=0" in the default profile, both pre and post install.

I don't agree with upstream's complaint... udev-persistent rules, while a 
bit of a hack, work just fine, especially when the vast majority of 
workstations and servers I support have exactly one ethernet device and no 
wireless.




[Puppet Users] Puppet Environment Classification Conflict

2016-08-19 Thread John Baird
I have followed the instructions here: 
https://docs.puppet.com/pe/2016.2/console_classes_groups.html#creating-environment-node-groups.
This states that ALL environments that are created should be a child under 
"production".  This makes sense because I would want it to inherit all of 
the default things that puppet does to nodes out of the box.

When I add a node to the new environment, we shall call it 
"new_environment", puppet runs fine.

I then create a "node classification group" under "new_environment".  The 
existence of the group is not the issue until I assign the node to the 
"node classification group".  Puppet then complains about conflicts.  

I really haven't modified much for there to even be conflicts.  This seems 
like normal SOP and yet it's not resolving itself.  

I have set the variable "environment=new_environment" in the 
"new_environment" environment.  There are no other classes or variables 
assigned.

Do I need to include the two default classes from "PE Agent" and "PE 
Mcollective" in every environment I create??? That seems silly


*Error: Could not retrieve catalog from remote server: Error 400 on SERVER: 
Failed when searching for node node1: Classification of node1 failed due to 
a classification conflict: The node was classified into groups named 
"new_class_group", "PE Agent", and "PE MCollective" that defined 
conflicting values for the environment.*



[Puppet Users] Re: Hiera Lookups Fail with variables

2016-07-19 Thread John Baird
I was using calling_class as an example.  %{calling_module} used to work, 
but now does not.  Are you aware of what should be used instead?  Things 
like %{::hostname} do not work either.  

My other real concern is that when using something like 
"%{calling_module}/random_thing", there is no lookup for "/random_thing" 
when calling_module is not interpolated as I would expect it to since it 
should see it as a nil value.

On Tuesday, July 19, 2016 at 4:59:50 PM UTC-5, Gavin Williams wrote:
>
> John
>
> Yes, the 'common1' and 'common2' tiers are being ignored because 
> 'calling_class' doesn't expand to anything when running on the command line.
>
> Try running 
> hiera -d 'dhcpd::package_name' environment=production calling_class=*x*
> replacing x with the corresponding class_name you'd expect to be 
> resolving... 
>
> Gav
>
> On Tuesday, 19 July 2016 22:29:41 UTC+1, John Baird wrote:
>>
>> If you look at the hiera debug output from the last reply I posted, it 
>> clearly shows that several folders with variables are not looked at when it 
>> should be.  Even if it doesn't find data in those folders, hiera should 
>> still explicitly show that it is TRYING to look there, but that doesn't 
>> happen.  It clearly is not searching where it should be, which is why 
>> everything is failing unless it's all hard-coded, which is obviously not 
>> ideal.
>>
>> On Tuesday, July 19, 2016 at 2:16:10 AM UTC-5, John Baird wrote:
>>>
>>> Attempting to use hiera to hold all of my node-specific variables.  It 
>>> has been some time since I have run a puppet server, but I know it's not 
>>> THAT hard.  That being said, my modules run fine, but hiera is not looking 
>>> them up correctly.  It appears that any lines that contain any variables in 
>>> the hiera.yaml are ignore and are not searched.  Any assistance would be 
>>> great!  I'm sure it's something small, but sooo confused...
>>>
>>>
>>> HIERA.YAML
>>> --
>>> ---
>>> :backends:
>>>   - yaml
>>> :yaml:
>>>   :datadir: "/opt/local/modules/hieradata"
>>> :hierarchy:
>>>   - '%{calling_module}/%{::hostname}'
>>>   - '%{calling_module}/common'
>>>   - common
>>>
>>>
>>> hiera -d 'dhcpd::package_name' environment=production
>>> DEBUG: 2016-07-18 20:48:38 -0400: Hiera YAML backend starting
>>> DEBUG: 2016-07-18 20:48:38 -0400: Looking up dhcpd::package_name in YAML 
>>> backend
>>> DEBUG: 2016-07-18 20:48:38 -0400: Looking for data source common
>>> DEBUG: 2016-07-18 20:48:38 -0400: Cannot find datafile 
>>> /opt/local/modules/hieradata/common.yaml, skipping
>>> nil
>>>
>>>
>>> ---
>>> :backends:
>>>   - yaml
>>> :yaml:
>>>   :datadir: "/opt/local/modules/hieradata"
>>> :hierarchy:
>>>   - '%{calling_module}/%{::hostname}'
>>>   - '%{calling_module}/common'
>>>   - common
>>>   - puppet_test
>>>
>>> hiera -d 'dhcpd::package_name' environment=production
>>> DEBUG: 2016-07-18 20:49:30 -0400: Hiera YAML backend starting
>>> DEBUG: 2016-07-18 20:49:30 -0400: Looking up dhcpd::package_name in YAML 
>>> backend
>>> DEBUG: 2016-07-18 20:49:30 -0400: Looking for data source common
>>> DEBUG: 2016-07-18 20:49:30 -0400: Cannot find datafile 
>>> /opt/local/modules/hieradata/common.yaml, skipping
>>> DEBUG: 2016-07-18 20:49:30 -0400: Looking for data source puppet_test
>>> DEBUG: 2016-07-18 20:49:30 -0400: Cannot find datafile 
>>> /opt/local/modules/hieradata/puppet_test.yaml, skipping
>>> nil
>>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/096a7c43-6461-4f69-a9ee-d683fb71edb9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
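
Added example (not part of the thread and not Hiera's own code): a small Ruby model of the behaviour discussed above, where hierarchy entries whose variables are missing from the lookup scope are dropped before any "Looking for data source" line is logged. The skip rule (empty source, leading or trailing "/", or "//") is an assumption chosen to match the debug output quoted in this thread; the function names are hypothetical.

```ruby
# Model of hierarchy resolution as seen in the thread's `hiera -d` output.
# Assumption: a source that interpolates to "", starts or ends with "/",
# or contains "//" is skipped silently (no debug line is printed for it).

TOKEN = /%\{(?:::)?([^}]+)\}/

# Hierarchies copied from the thread.
MODULE_HIERARCHY = ['%{calling_module}/%{::hostname}',
                    '%{calling_module}/common',
                    'common'].freeze
CLASS_HIERARCHY  = ['common1/%{calling_class}',
                    'common2/%{calling_class}',
                    'common3',
                    'puppet_test'].freeze

# Replace each %{name} token with its scope value; unknown names become "".
def interpolate(entry, scope)
  entry.gsub(TOKEN) { scope.fetch(Regexp.last_match(1), '').to_s }
end

# Variable names an entry references that the scope does not define.
def missing_vars(entry, scope)
  entry.scan(TOKEN).flatten.reject { |name| scope.key?(name) }
end

# Returns [searched, skipped]: the data sources that would be looked up,
# and the original entries dropped together with the variables they lacked.
def resolve_hierarchy(hierarchy, scope)
  searched = []
  skipped = []
  hierarchy.each do |entry|
    source = interpolate(entry, scope)
    if source.empty? || source =~ %r{(^/|//|/$)}
      skipped << { entry: entry, missing: missing_vars(entry, scope) }
    else
      searched << source
    end
  end
  [searched, skipped]
end

if __FILE__ == $PROGRAM_NAME
  cli_scope = { 'environment' => 'production' } # what the CLI call supplied
  searched, skipped = resolve_hierarchy(CLASS_HIERARCHY, cli_scope)
  puts "searched: #{searched.inspect}"
  skipped.each { |s| puts "skipped #{s[:entry]} (missing #{s[:missing].join(', ')})" }
end
```

Running the same check with calling_class added to the scope, as suggested in the reply above, shows all four tiers being searched.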


[Puppet Users] Re: Hiera Lookups Fail with variables

2016-07-19 Thread John Baird
If you look at the hiera debug output from the last reply I posted, it 
clearly shows that several folders with variables are not looked at when it 
should be.  Even if it doesn't find data in those folders, hiera should 
still explicitly show that it is TRYING to look there, but that doesn't 
happen.  It clearly is not searching where it should be, which is why 
everything is failing unless it's all hard-coded, which is obviously not 
ideal.

On Tuesday, July 19, 2016 at 2:16:10 AM UTC-5, John Baird wrote:
>
> Attempting to use hiera to hold all of my node-specific variables.  It has 
> been some time since I have run a puppet server, but I know it's not THAT 
> hard.  That being said, my modules run fine, but hiera is not looking them 
> up correctly.  It appears that any lines that contain any variables in the 
> hiera.yaml are ignored and are not searched.  Any assistance would be great! 
>  I'm sure it's something small, but sooo confused...
>
>
> HIERA.YAML
> --
> ---
> :backends:
>   - yaml
> :yaml:
>   :datadir: "/opt/local/modules/hieradata"
> :hierarchy:
>   - '%{calling_module}/%{::hostname}'
>   - '%{calling_module}/common'
>   - common
>
>
> hiera -d 'dhcpd::package_name' environment=production
> DEBUG: 2016-07-18 20:48:38 -0400: Hiera YAML backend starting
> DEBUG: 2016-07-18 20:48:38 -0400: Looking up dhcpd::package_name in YAML 
> backend
> DEBUG: 2016-07-18 20:48:38 -0400: Looking for data source common
> DEBUG: 2016-07-18 20:48:38 -0400: Cannot find datafile 
> /opt/local/modules/hieradata/common.yaml, skipping
> nil
>
>
> ---
> :backends:
>   - yaml
> :yaml:
>   :datadir: "/opt/local/modules/hieradata"
> :hierarchy:
>   - '%{calling_module}/%{::hostname}'
>   - '%{calling_module}/common'
>   - common
>   - puppet_test
>
> hiera -d 'dhcpd::package_name' environment=production
> DEBUG: 2016-07-18 20:49:30 -0400: Hiera YAML backend starting
> DEBUG: 2016-07-18 20:49:30 -0400: Looking up dhcpd::package_name in YAML 
> backend
> DEBUG: 2016-07-18 20:49:30 -0400: Looking for data source common
> DEBUG: 2016-07-18 20:49:30 -0400: Cannot find datafile 
> /opt/local/modules/hieradata/common.yaml, skipping
> DEBUG: 2016-07-18 20:49:30 -0400: Looking for data source puppet_test
> DEBUG: 2016-07-18 20:49:30 -0400: Cannot find datafile 
> /opt/local/modules/hieradata/puppet_test.yaml, skipping
> nil
>



Re: [Puppet Users] Hiera Lookups Fail with variables

2016-07-19 Thread John Baird
All files should be readable as they are either 755 or 644.  Even if they 
don't exist, hiera should still attempt to "Search" that path and show me 
what directories it is searching when doing so with debug on.  Since it is 
not showing the directories with variables, it, for some reason, is 
skipping them altogether.

another example:

---
:backends:
  - yaml
:yaml:
  :datadir: "/opt/local/modules/hieradata"
:hierarchy:
  - common1/%{calling_class}
  - common2/%{calling_class}
  - common3
  - puppet_test

hiera -d 'dhcpd::package_name' environment=production
DEBUG: 2016-07-19 13:12:49 -0400: Hiera YAML backend starting
DEBUG: 2016-07-19 13:12:49 -0400: Looking up dhcpd::package_name in YAML 
backend
DEBUG: 2016-07-19 13:12:49 -0400: Looking for data source common3
DEBUG: 2016-07-19 13:12:49 -0400: Cannot find datafile 
/opt/local/modules/hieradata/common3.yaml, skipping
DEBUG: 2016-07-19 13:12:49 -0400: Looking for data source puppet_test
DEBUG: 2016-07-19 13:12:49 -0400: Cannot find datafile 
/opt/local/modules/hieradata/puppet_test.yaml, skipping
nil

common1 and common2 are completely ignored.

On Tuesday, July 19, 2016 at 5:48:59 AM UTC-5, Rob Nelson wrote:
>
> It cannot find the files. Do they exist and are they readable to the user 
> you are running hiera/the puppet master service as?
>
> On Monday, July 18, 2016, John Baird wrote:
>
>> Attempting to use hiera to hold all of my node-specific variables.  It 
>> has been some time since I have run a puppet server, but I know it's not 
>> THAT hard.  That being said, my modules run fine, but hiera is not looking 
>> them up correctly.  It appears that any lines that contain any variables in 
>> the hiera.yaml are ignored and are not searched.  Any assistance would be 
>> great!  I'm sure it's something small, but sooo confused...
>>
>>
>> HIERA.YAML
>> --
>> ---
>> :backends:
>>   - yaml
>> :yaml:
>>   :datadir: "/opt/local/modules/hieradata"
>> :hierarchy:
>>   - '%{calling_module}/%{::hostname}'
>>   - '%{calling_module}/common'
>>   - common
>>
>>
>> hiera -d 'dhcpd::package_name' environment=production
>> DEBUG: 2016-07-18 20:48:38 -0400: Hiera YAML backend starting
>> DEBUG: 2016-07-18 20:48:38 -0400: Looking up dhcpd::package_name in YAML 
>> backend
>> DEBUG: 2016-07-18 20:48:38 -0400: Looking for data source common
>> DEBUG: 2016-07-18 20:48:38 -0400: Cannot find datafile 
>> /opt/local/modules/hieradata/common.yaml, skipping
>> nil
>>
>>
>> ---
>> :backends:
>>   - yaml
>> :yaml:
>>   :datadir: "/opt/local/modules/hieradata"
>> :hierarchy:
>>   - '%{calling_module}/%{::hostname}'
>>   - '%{calling_module}/common'
>>   - common
>>   - puppet_test
>>
>> hiera -d 'dhcpd::package_name' environment=production
>> DEBUG: 2016-07-18 20:49:30 -0400: Hiera YAML backend starting
>> DEBUG: 2016-07-18 20:49:30 -0400: Looking up dhcpd::package_name in YAML 
>> backend
>> DEBUG: 2016-07-18 20:49:30 -0400: Looking for data source common
>> DEBUG: 2016-07-18 20:49:30 -0400: Cannot find datafile 
>> /opt/local/modules/hieradata/common.yaml, skipping
>> DEBUG: 2016-07-18 20:49:30 -0400: Looking for data source puppet_test
>> DEBUG: 2016-07-18 20:49:30 -0400: Cannot find datafile 
>> /opt/local/modules/hieradata/puppet_test.yaml, skipping
>> nil
>>
>>
>
>
> -- 
>
> Rob Nelson
> rnel...@gmail.com 
>
>



[Puppet Users] Hiera Lookups Fail with variables

2016-07-19 Thread John Baird
Attempting to use hiera to hold all of my node-specific variables.  It has 
been some time since I have run a puppet server, but I know it's not THAT 
hard.  That being said, my modules run fine, but hiera is not looking them 
up correctly.  It appears that any lines that contain any variables in the 
hiera.yaml are ignored and are not searched.  Any assistance would be great! 
 I'm sure it's something small, but sooo confused...


HIERA.YAML
--
---
:backends:
  - yaml
:yaml:
  :datadir: "/opt/local/modules/hieradata"
:hierarchy:
  - '%{calling_module}/%{::hostname}'
  - '%{calling_module}/common'
  - common


hiera -d 'dhcpd::package_name' environment=production
DEBUG: 2016-07-18 20:48:38 -0400: Hiera YAML backend starting
DEBUG: 2016-07-18 20:48:38 -0400: Looking up dhcpd::package_name in YAML 
backend
DEBUG: 2016-07-18 20:48:38 -0400: Looking for data source common
DEBUG: 2016-07-18 20:48:38 -0400: Cannot find datafile 
/opt/local/modules/hieradata/common.yaml, skipping
nil


---
:backends:
  - yaml
:yaml:
  :datadir: "/opt/local/modules/hieradata"
:hierarchy:
  - '%{calling_module}/%{::hostname}'
  - '%{calling_module}/common'
  - common
  - puppet_test

hiera -d 'dhcpd::package_name' environment=production
DEBUG: 2016-07-18 20:49:30 -0400: Hiera YAML backend starting
DEBUG: 2016-07-18 20:49:30 -0400: Looking up dhcpd::package_name in YAML 
backend
DEBUG: 2016-07-18 20:49:30 -0400: Looking for data source common
DEBUG: 2016-07-18 20:49:30 -0400: Cannot find datafile 
/opt/local/modules/hieradata/common.yaml, skipping
DEBUG: 2016-07-18 20:49:30 -0400: Looking for data source puppet_test
DEBUG: 2016-07-18 20:49:30 -0400: Cannot find datafile 
/opt/local/modules/hieradata/puppet_test.yaml, skipping
nil



Re: [Puppet Users] Installing PuppetDB on Debian 8 with Puppet 3.7

2016-07-03 Thread John Naggets
This means I would have to redo my whole current version 3 puppet master 
node in order to be sure it works with version 4 and on top of that I would 
have to upgrade all nodes with your own package of puppet 4. This is a 
clear no go for me. I want to use the official packages of Debian and I 
can't understand why you have such a package for all other distributions 
but not for Debian 8. I am really disappointed and would like to know why 
you do not simply create a package which is compatible with Debian 8?

J.

On Friday, July 1, 2016 at 12:00:27 AM UTC+2, Melissa Stone wrote:
>
>
>
> On Thu, Jun 30, 2016 at 1:56 PM John Naggets wrote:
>
>> Hi Melissa,
>>
>> So do I understand you correctly here: there is no way that I can run 
>> PuppetDB on a Debian 8 server using the official Debian Puppet version 3.7 
>> package?
>>
> You can run it with the wheezy package like Wyatt suggests, it should 
> still work. It's just not the best way to run puppet on jessie. And you'll 
> be running old code that probably has bugs and/or security issues. If you 
> can switch over to puppetserver, puppet-agent, and puppetdb from the 
> official puppetlabs repo, I'd strongly suggest that. You'll be able to 
> access the latest packages for all three packages whenever we make new 
> releases available.
>
>>
>> Regards
>> John
>>
>> On Thursday, June 30, 2016 at 7:28:34 PM UTC+2, Melissa Stone wrote:
>>>
>>>
>>>
>>> On Thu, Jun 30, 2016 at 9:12 AM Wyatt Alt wrote:
>>>
>>>>
>>>>
>>>>
>>>> On 06/29/2016 10:30 PM, John Naggets wrote:
>>>> > Hi Wyatt,
>>>> >
>>>> > Any ideas where I can find PuppetDB v2.x? In the APT repository of
>>>> > PuppetLabs the oldest I can find is version 3.2.
>>>> Those are in the non-PC1 repos at apt.puppetlabs.com, but there is no 2.3.x
>>>> package for Jessie there. The wheezy ones appear to work on jessie but I
>>>> haven't tested it thoroughly.
>>>>
>>> I wouldn't recommend running Wheezy packages on Jessie.  SystemD was 
>>> introduced in Debian 8, and I believe last I heard there were some issues 
>>> with running sysv services in the systemd environment. The Wheezy PDB 
>>> packages are configured to run services as sysv. That being said, I have 
>>> heard it does work for some people. Just know it's not recommended.
>>>
>>
>>>> Wyatt
>>>>
>>> -- 
>>> Melissa Stone
>>> Release Engineer, Puppet Labs
>>>
>>
> -- 
> Melissa Stone
> Release Engineer, Puppet Labs
>


