[Puppet Users] passing arguments by name instead of position for functions
Hello,

I have a variety of hashes that have similar content:

$h = {
  'foo1' => 'bar',
  [...]
  'foo99' => 'baz',
  'foo100' => 'h',
}

$g = {
  'foo1' => 'bar',
  [...]
  'foo99' => 'baz',
  'foo100' => 'g',
}

I'd like to have a function or similar mechanism:

$h = helper_module::get_hash_defaults()

but be able to override various keys/parameters in the get_hash_defaults function:

$h = helper_module::get_hash_defaults(
  'foo100' => 'h',
)

$h = helper_module::get_hash_defaults(
  'foo100' => 'g',
)

but functions only take parameters by position.

Does anyone have any clever hacks I could try to mimic passing arguments by name?

Thanks for any help!

-m

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/e39f696b-a908-461b-a5fb-44a52a28e83bn%40googlegroups.com.
Re: [Puppet Users] hiera 5 postgresql backend
On Fri, Apr 15, 2022 at 12:34 PM Matt Zagrabelny wrote:

> Hi Martin,
>
> Thanks for the email. I understand your concerns about using other
> backends. We have a reasonably small puppet deployment, so I think I will
> try a DB based backend and see how it performs.
>
> In that light, I've downloaded a hiera-mysql2 module from github and
> installed it at:
>
> # tree /usr/share/puppet/modules/hiera-mysql2
> /usr/share/puppet/modules/hiera-mysql2
> ├── CHANGELOG.md
> ├── lib
> │   └── puppet
> │       └── functions
> │           └── mysql2_lookup_key.rb
> ├── LICENSE
> ├── metadata.json
> └── README.md
>
> I've updated my /etc/puppet/hiera.yaml to include an entry for looking up
> data using hiera-mysql2:
>
> # head /etc/puppet/hiera.yaml
> version: 5
>
> defaults:
>   datadir: /etc/puppet/code/hiera
>   data_hash: yaml_data
>
> hierarchy:
>   - name: "MySQL lookup"
>     lookup_key: mysql2_lookup_key
>     options:
>
> And I've restarted my puppetmaster.
>
> When I attempt a lookup, either locally on the puppet master (or on a
> client system via puppet agent -t), I get:
>
> # puppet lookup foo::bar --explain
> Searching for "lookup_options"
>   Global Data Provider (hiera configuration version 5)
>     Using configuration "/etc/puppet/hiera.yaml"
>     Hierarchy entry "MySQL lookup"
>       Unable to find 'lookup_key' function named 'mysql2_lookup_key' (file: /etc/puppet/hiera.yaml)
>
> I did not use "puppet module" to install the module, I just copied the
> files to the directory.
>
> My module path looks good. Notice the last entry in the following path
> output...
>
> # puppet config print modulepath
> /etc/puppet/code/environments/production/modules:/etc/puppet/code/environments/production/profiles:/etc/puppet/code/environments/production/roles:/etc/puppet/modules:/etc/puppet/profiles:/etc/puppet/roles:/usr/share/puppet/modules
>
> Can anyone help me understand why the puppetmaster isn't seeing the
> hiera-mysql2 module (and function contained therein) ?

A little bit more information...

puppet module list does not list the module:

# puppet module list | tail
/usr/share/puppet/modules
├── crayfishx-hiera_mysql (v3.0.1)
├── nanliu-staging (v1.0.4)
├── puppetlabs-apt (v6.1.1) invalid
├── puppetlabs-concat (v5.1.0) invalid
├── puppetlabs-mysql (v5.3.0)
├── puppetlabs-postgresql (v5.4.0)
├── puppetlabs-stdlib (v5.0.0) invalid
├── puppetlabs-translate (v1.1.0)
└── puppetlabs-vcsrepo (v3.0.0)

However, it exists on disk:

# ls -1 /usr/share/puppet/modules
apt
concat
hiera_mysql
hiera-mysql2
mysql
postgresql
staging
stdlib
translate
vcsrepo

Any ideas how to get puppet to see the modules that exist "on disk" ?

Thanks for the help!

-m
Re: [Puppet Users] hiera 5 postgresql backend
Hi Martin,

Thanks for the email. I understand your concerns about using other backends. We have a reasonably small puppet deployment, so I think I will try a DB based backend and see how it performs.

In that light, I've downloaded a hiera-mysql2 module from github and installed it at:

# tree /usr/share/puppet/modules/hiera-mysql2
/usr/share/puppet/modules/hiera-mysql2
├── CHANGELOG.md
├── lib
│   └── puppet
│       └── functions
│           └── mysql2_lookup_key.rb
├── LICENSE
├── metadata.json
└── README.md

I've updated my /etc/puppet/hiera.yaml to include an entry for looking up data using hiera-mysql2:

# head /etc/puppet/hiera.yaml
version: 5

defaults:
  datadir: /etc/puppet/code/hiera
  data_hash: yaml_data

hierarchy:
  - name: "MySQL lookup"
    lookup_key: mysql2_lookup_key
    options:

And I've restarted my puppetmaster.

When I attempt a lookup, either locally on the puppet master (or on a client system via puppet agent -t), I get:

# puppet lookup foo::bar --explain
Searching for "lookup_options"
  Global Data Provider (hiera configuration version 5)
    Using configuration "/etc/puppet/hiera.yaml"
    Hierarchy entry "MySQL lookup"
      Unable to find 'lookup_key' function named 'mysql2_lookup_key' (file: /etc/puppet/hiera.yaml)

I did not use "puppet module" to install the module, I just copied the files to the directory.

My module path looks good. Notice the last entry in the following path output...

# puppet config print modulepath
/etc/puppet/code/environments/production/modules:/etc/puppet/code/environments/production/profiles:/etc/puppet/code/environments/production/roles:/etc/puppet/modules:/etc/puppet/profiles:/etc/puppet/roles:/usr/share/puppet/modules

Can anyone help me understand why the puppetmaster isn't seeing the hiera-mysql2 module (and function contained therein) ?

Thank you for your consideration.

-m

On Thu, Apr 14, 2022 at 1:21 AM Martin Alfke wrote:

> Hi,
>
> We usually recommend to not use any other backend, except for file based
> backends, due to performance.
> Any other backend must be able to deliver the same lookup speed.
> We did a calculation at a customer and we saw hiera answering 8000 queries
> in less than 1 second using the yaml file backend.
>
> With hiera5 you can of course write new backends.
> Please note that the hiera3 backends are not compatible with hiera5!
> https://puppet.com/docs/puppet/7/hiera_custom_backends.html
>
> Hth,
> Martin
>
>
> On 14. Apr 2022, at 04:30, 'Matt Zagrabelny' via Puppet Users <puppet-users@googlegroups.com> wrote:
>
> Greetings,
>
> I'm running puppet 5.5.
>
> Is anyone aware of a hiera 5 Pg backend?
>
> I've tried getting the hiera 3 module [0] working, but am struggling. I'm
> hoping a native hiera 5 will be a smoother experience.
>
> Thanks for the help!
>
> -m
>
> [0] https://github.com/rogeduardo/hiera-psql
[Puppet Users] hiera 5 postgresql backend
Greetings,

I'm running puppet 5.5.

Is anyone aware of a hiera 5 Pg backend?

I've tried getting the hiera 3 module [0] working, but am struggling. I'm hoping a native hiera 5 will be a smoother experience.

Thanks for the help!

-m

[0] https://github.com/rogeduardo/hiera-psql
Re: [Puppet Users] boolean like operation for puppetdb query
Hey Daniel,

Thanks for the reply and hints about "defined".

I ended up putting the puppetdb code into a function and calling the function:

$ cat modules/util/functions/does_host_have_class.pp
function util::does_host_have_class(
  String $class
) >> Boolean {

  $func_name = "util::does_host_have_class()"

  $query = [
    'resources[certname] {',
    'type = "Class"',
    'and',
    "title = \"${class}\"",
    'order by certname',
    '}',
  ]

  $hosts_with_class = puppetdb_query(
    join($query, ' ')
  ).map |$entity| {
    $entity["certname"]
  }

  "${trusted['certname']}" in $hosts_with_class
}

Cheers!

-m

On Tuesday, February 15, 2022 at 3:22:32 AM UTC-6 daniel.kr...@gmail.com wrote:

> Hi,
>
> no answer yet? Or did I miss them? I'm not a puppet professional but i may
> provide some other approaches and an opinion.
>
> There is the function defined()
> https://puppet.com/docs/puppet/7/function.html#defined , but it's tricky
> because you need to be 100% sure that in your example class fail2ban is
> included before the function call.
> Here is an example:
>
> ❯ cat profile/manifests/test.pp
> class profile::test (
> ) {
>   notify {"this is test.": }
> }
>
> ❯ cat profile/manifests/test2.pp
> class profile::test2 {
>   if defined(Class["profile::test"]) {
>     notify { "This ist test2. test is also here.": }
>   } else {
>     notify { "This ist test2. i'm alone. i'm cold.": }
>   }
> }
>
> ❯ cat profile/manifests/wrapper1.pp
> class profile::wrapper1 {
>   include profile::test
>   include profile::test2
> }
>
> ❯ cat profile/manifests/wrapper2.pp
> class profile::wrapper2 {
>   include profile::test2
>   include profile::test
> }
>
> Performing puppet runs with ('profile::wrapper1',)
> Info: Using configured environment 'production'
> Info: Retrieving pluginfacts
> Info: Retrieving plugin
> Info: Retrieving locales
> Info: Loading facts
> Info: Caching catalog for bullseye.local
> Info: Applying configuration version '1644913701'
> Notice: this is test.
> Notice: /Stage[main]/Profile::Test/Notify[this is test.]/message: defined 'message' as 'this is test.'
> Notice: This ist test2. test is also here.
> Notice: /Stage[main]/Profile::Test2/Notify[This ist test2. test is also here.]/message: defined 'message' as 'This ist test2. test is also here.'
> Notice: Applied catalog in 16.16 seconds
>
> Performing puppet runs with ('profile::wrapper2',)
> Reading package lists...
> Info: Using configured environment 'production'
> Info: Retrieving pluginfacts
> Info: Retrieving plugin
> Info: Retrieving locales
> Info: Loading facts
> Info: Caching catalog for bullseye.local
> Info: Applying configuration version '1644913738'
> Notice: This ist test2. i'm alone. i'm cold.
> Notice: /Stage[main]/Profile::Test2/Notify[This ist test2. i'm alone. i'm cold.]/message: defined 'message' as 'This ist test2. i\'m alone. i\'m cold.'
> Notice: this is test.
> Notice: /Stage[main]/Profile::Test/Notify[this is test.]/message: defined 'message' as 'this is test.'
> Notice: Applied catalog in 15.80 seconds
>
> For me this wouldn't be reliable enough to use.
>
>
> Another approach would be to create a fact.
> https://puppet.com/docs/puppet/7/external_facts.html
>
> ❯ cat profile/facts.d/fail2ban.sh
> #!/bin/sh
> FAIL2BAN="/usr/bin/fail2ban-client"
> [ -x ${FAIL2BAN} ] && echo fail2ban_version=$(/usr/bin/fail2ban-client --version)
>
> ❯ cat profile/manifests/test3.pp
> class profile::test3 {
>   if $facts["fail2ban_version"] {
>     notify {"The fail2ban version is ${facts['fail2ban_version']}":}
>   }
> }
>
> But this solution has the same drawbacks as yours, it adds to execution
> time and it can only be true on the second puppetrun.
>
> Imho you should find the point where you include fail2ban and do your
> stuff there. Or you can wrap fail2ban.
>
>
> I'm sure there are puppetnerds out there with way better advice.
>
> Greetings,
> Daniel
>
>
>
> On Fri, 11 Feb 2022 at 22:29, 'Matt Zagrabelny' via Puppet Users wrote:
>
>> Greetings,
>>
>> I have a puppetdb installation that I leverage by querying from my
>> manifests.
>>
>> I'd like to have a boolean-like operation for puppetdb that pretty much
>> tests if the current node has a given class as part of the catalog. Here is
>> my current code:
>>
>> $query = [
>>   'resources[certname] {',
>>   't
[Puppet Users] boolean like operation for puppetdb query
Greetings,

I have a puppetdb installation that I leverage by querying from my manifests.

I'd like to have a boolean-like operation for puppetdb that pretty much tests if the current node has a given class as part of the catalog. Here is my current code:

$query = [
  'resources[certname] {',
  'type = "Class"',
  'and',
  "title = \"fail2ban\"",
  'and',
  "certname = \"${trusted['certname']}\"",
  '}',
]

$this_host_has_fail2ban = puppetdb_query(
  $query.join(' ')
).map |$entity| {
  $entity["certname"]
}

if "${trusted['certname']}" in $this_host_has_fail2ban {
  $shall_allow_from_internet = true
} else {
  $shall_allow_from_internet = false
}

Is there a simpler mechanism to find out if a node has a given class in its catalog?

Thanks for any help!

-m
[Puppet Users] hiera resources in puppetdb
Greetings,

I use lookup to get data out of hiera:

node 'some-host' {
  class { 'foo':
    # class parameters are passed as name => value
    bar => lookup('bar'),
  }
}

I'd like to be able to query puppetdb to find out what hosts use various hiera keys.

So in the above example. Given bar return some-host.

I know I can write a parser to get the class "foo" that contains the hiera key "bar". Then using that class (foo in this case), I could query puppetdb with a class and get the host.

I know the hiera keys wouldn't show up in the facts report.

I know that the hiera keys wouldn't show up in the catalog reports.

Is it possible to create a custom function like so:

my_lookup(key) {
  # somehow create a resource that I can query with puppetdb
  # and then use the real lookup:
  return lookup(key);
}

Any ideas about querying puppetdb to get used hiera keys in given hosts?

-m
Re: [Puppet Users] puppet catalog security?
On Sat, Mar 28, 2020 at 10:05 AM Henrik Lindberg wrote:

> On 2020-03-28 14:36, Matt Zagrabelny wrote:
> >
> > On Sat, Mar 28, 2020 at 7:31 AM Henrik Lindberg wrote:
> >
> > > On 2020-03-28 02:42, Matt Zagrabelny wrote:
> > > > Greetings,
> > > >
> > > > Suppose I have a class foo that host A gets via its catalog. Suppose
> > > > host B does not have foo in its catalog. Can host B do anything
> > > > malicious to obtain the sensitive data in foo?
> > > >
> > > > My puppet master is using an ENC to generate the classification of each
> > > > host and then a roles + profiles design pattern and hiera for specific data.
> > > >
> > > > Thanks for any hints or answers!
> > >
> > > It is important that your server side logic uses $trusted when
> > > classifying on node since other facts cannot be trusted.
> > >
> > > If B is compromised a malicious user could spoof facts in a request and
> > > pretend to be A. It cannot however spoof the certificate - and it
> > > contains the information that is in $trusted.
> >
> > Hey Henrik,
> >
> > Thanks for the reply!
> >
> > Suppose I don't use any facts for classification, but only the ENC
> > assigns a role to the node via its fqdn.
>
> You want the fqdn that is in $trusted - the "regular" fqdn can be spoofed.

The ENC gets the fqdn on the command line. I'd presume this is trusted from the certificate since communication between the master and client is predicated on the SSL.

The ENC then "assigns" a class to A. Is there anything B can do to get module foo added to its catalog if only the ENC adds module foo to node's catalogs?

Thanks,

-m
Re: [Puppet Users] puppet catalog security?
On Sat, Mar 28, 2020 at 7:31 AM Henrik Lindberg wrote:

> On 2020-03-28 02:42, Matt Zagrabelny wrote:
> > Greetings,
> >
> > Suppose I have a class foo that host A gets via its catalog. Suppose
> > host B does not have foo in its catalog. Can host B do anything
> > malicious to obtain the sensitive data in foo?
> >
> > My puppet master is using an ENC to generate the classification of each
> > host and then a roles + profiles design pattern and hiera for specific data.
> >
> > Thanks for any hints or answers!
>
> It is important that your server side logic uses $trusted when
> classifying on node since other facts cannot be trusted.
>
> If B is compromised a malicious user could spoof facts in a request and
> pretend to be A. It cannot however spoof the certificate - and it
> contains the information that is in $trusted.

Hey Henrik,

Thanks for the reply!

Suppose I don't use any facts for classification, but only the ENC assigns a role to the node via its fqdn.

Class foo which comes through the role and profiles via the ENC has sensitive files in its "modules/foo/files/" path.

Can B obtain those files if B is not classified to have foo in its catalog?

Thank you for the help!

-m
[Puppet Users] puppet catalog security?
Greetings,

Suppose I have a class foo that host A gets via its catalog. Suppose host B does not have foo in its catalog. Can host B do anything malicious to obtain the sensitive data in foo?

My puppet master is using an ENC to generate the classification of each host and then a roles + profiles design pattern and hiera for specific data.

Thanks for any hints or answers!

-m
[Puppet Users] puppetdb query return values
Greetings,

I've looked through the puppetdb docs, in particular the PQL docs, to find out if I can extract a single parameter in the return value(s).

I have as a PQL:

resources[parameters] { type = "Postgresql::Server::Pg_hba_rule" and parameters.address ~ "."}

I'd like to get the "address" parameter. So some pseudocode like:

resources[parameters.address]

I know I can post process the results, but is there a way to get a single parameter in PQL?

Thanks,

-m
[Puppet Users] Re: vcsrepo with specific identity? - SOLVED
My usage of the GIT_SSH_COMMAND environment variable was leaking into the "puppet agent -t" environment and was short-circuiting vcsrepo's use of GIT_SSH.

I've patched my local copy of the vcsrepo module and have created a PR:

https://github.com/puppetlabs/puppetlabs-vcsrepo/pull/435

Cheers!

-m

On Tue, Dec 3, 2019 at 10:56 AM Matt Zagrabelny wrote:

> Greetings,
>
> I am attempting to specify an identity with a vcsrepo resource. Such as:
>
> vcsrepo { '/opt/src/repository':
>   ensure   => present,
>   provider => git,
>   revision => 'stable',
>   source   => 'ssh://gitol...@git.example.com/repository.git',
>   identity => '/root/.ssh/id_rsa__gitolite_access__non_private',
> }
>
> I'm running puppet 5.5 (Debian Buster).
>
> I've tried with both the (Debian) packaged version of puppetlabs vcsrepo
> (1.3.2) and the most recent source release from the forge (3.0.0) and I am
> getting the same results for both:
>
> Error: Execution of '/usr/bin/git clone ssh://gitol...@git.example.com/repository.git /opt/src/repository' returned 128: Cloning into '/opt/src/repository'...
> Permission denied, please try again.
> Permission denied, please try again.
> gitol...@git.example.com: Permission denied (publickey,password).
> fatal: Could not read from remote repository.
>
> Please make sure you have the correct access rights
> and the repository exists.
> Error: /Stage[main]/Profile___base__gnu/Vcsrepo[/opt/src/repository]/ensure: change from 'absent' to 'present' failed: Execution of '/usr/bin/git clone ssh://gitol...@git.example.com/repository.git /opt/src/repository' returned 128: Cloning into '/opt/src/repository'...
> Permission denied, please try again.
> Permission denied, please try again.
> gitol...@git.example.com: Permission denied (publickey,password).
> fatal: Could not read from remote repository.
>
> Please make sure you have the correct access rights
> and the repository exists.
>
> I can get the vcsrepo to work if I utilize the default identity file
> (~/.ssh/id_rsa) or by defining the identity file to use in ~/.ssh/config.
> That is, by not specifying the "identity" parameter things work as expected.
>
> Additionally, I can successfully clone the repo using git using the
> desired identity file:
>
> # GIT_SSH_COMMAND="/usr/bin/ssh -i /root/.ssh/id_rsa__gitolite_access__non_private" git clone --single-branch --branch stable ssh://gitol...@git.example.com/repository.git
> Cloning into 'repository'...
> remote: Enumerating objects: 8, done.
> remote: Counting objects: 100% (8/8), done.
> remote: Compressing objects: 100% (6/6), done.
> remote: Total 8 (delta 1), reused 0 (delta 0)
> Receiving objects: 100% (8/8), done.
> Resolving deltas: 100% (1/1), done.
>
> Has anyone had success with specifying the identity file with vcsrepo?
>
> Any hints, tips, or suggestions are very welcome!
>
> Thanks,
>
> -m
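
The precedence problem reported in the SOLVED message above, as an added example that is not part of the original thread or of the vcsrepo module: git documents that GIT_SSH_COMMAND takes precedence over GIT_SSH, so a value inherited from the administrator's shell wins over a wrapper handed to git through GIT_SSH. The stub scripts, their file names and the git.example.invalid host are constructed for the demonstration; the stubs exit before any network connection is made.

```shell
#!/bin/sh
# Added demonstration (constructed): which SSH transport does git pick when
# GIT_SSH and GIT_SSH_COMMAND are both present in the environment?
# The two "ssh" programs are stubs that record their label and exit, so git
# never reaches the network.

# make_stub PATH LABEL LOGFILE: write a fake ssh that only records LABEL.
make_stub() {
    printf '#!/bin/sh\necho %s > "%s"\nexit 1\n' "$2" "$3" > "$1"
    chmod +x "$1"
}

# ssh_transport_used MODE
#   with_leak : GIT_SSH_COMMAND is inherited from the calling shell (the leak)
#   clean     : GIT_SSH_COMMAND is removed before git runs
# Prints the label of the stub git actually invoked.
ssh_transport_used() {
    mode=$1
    work=$(mktemp -d) || return 1
    log="$work/used.log"
    : > "$log"

    # Stands in for an identity wrapper passed to git via GIT_SSH
    # (hypothetical file name).
    make_stub "$work/identity_wrapper.sh" GIT_SSH "$log"
    # Stands in for the command left behind in the admin's interactive shell.
    make_stub "$work/leaked_from_shell.sh" GIT_SSH_COMMAND "$log"

    (
        # Keep user/system git configuration (e.g. core.sshCommand) out of it.
        HOME=$work
        GIT_CONFIG_NOSYSTEM=1
        GIT_SSH="$work/identity_wrapper.sh"
        GIT_SSH_COMMAND="$work/leaked_from_shell.sh"
        export HOME GIT_CONFIG_NOSYSTEM GIT_SSH GIT_SSH_COMMAND
        if [ "$mode" = clean ]; then
            unset GIT_SSH_COMMAND
        fi
        # The stub exits non-zero, so git fails by design; only the log matters.
        git ls-remote "ssh://git@git.example.invalid/repository.git" \
            >/dev/null 2>&1 || true
    )

    cat "$log"
    rm -rf "$work"
}

# without_git_ssh_override CMD [ARGS...]
# Runs CMD with GIT_SSH_COMMAND removed, e.g.
#   without_git_ssh_override puppet agent -t
without_git_ssh_override() {
    ( unset GIT_SSH_COMMAND; "$@" )
}

if command -v git >/dev/null 2>&1; then
    echo "GIT_SSH + GIT_SSH_COMMAND set -> git used: $(ssh_transport_used with_leak)"
    echo "GIT_SSH only                  -> git used: $(ssh_transport_used clean)"
fi
```

Checking `env | grep '^GIT_SSH'` in the shell that starts the agent run shows whether such an override is present before the provider ever calls git.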
Re: [Puppet Users] vcsrepo with specific identity?
On Tue, Dec 3, 2019 at 11:23 AM Yvan Broccard wrote:

> Don't forget the "user", "group" and "owner" parameter. For example, from
> one of my manifests :

Hmmm

> -> vcsrepo {'oracle-scripts':
>   ensure   => 'latest',
>   path     => "${hvs_oracle::oradb::admindir}/oracle-scripts",
>   provider => 'git',
>   source   => 'ssh://git@git:7999/infra/oracle-scripts.git',
>   identity => "${oraclehome}/.ssh/id_ed25519",
>   revision => 'master',
>   user     => 'oracle',
>   owner    => 'oracle',
>   group    => 'oinstall',
> }

When I don't use the "identity" parameter things work okay (even without the user, owner, and group parameters.)

The errors I'm seeing are directly related to git (via puppet) not using the specified key for authenticating. I don't think I'm seeing issues with the user, owner, group.

Thank you for the reply,

-m
[Puppet Users] vcsrepo with specific identity?
Greetings,

I am attempting to specify an identity with a vcsrepo resource. Such as:

vcsrepo { '/opt/src/repository':
  ensure   => present,
  provider => git,
  revision => 'stable',
  source   => 'ssh://gitol...@git.example.com/repository.git',
  identity => '/root/.ssh/id_rsa__gitolite_access__non_private',
}

I'm running puppet 5.5 (Debian Buster).

I've tried with both the (Debian) packaged version of puppetlabs vcsrepo (1.3.2) and the most recent source release from the forge (3.0.0) and I am getting the same results for both:

Error: Execution of '/usr/bin/git clone ssh://gitol...@git.example.com/repository.git /opt/src/repository' returned 128: Cloning into '/opt/src/repository'...
Permission denied, please try again.
Permission denied, please try again.
gitol...@git.example.com: Permission denied (publickey,password).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
Error: /Stage[main]/Profile___base__gnu/Vcsrepo[/opt/src/repository]/ensure: change from 'absent' to 'present' failed: Execution of '/usr/bin/git clone ssh://gitol...@git.example.com/repository.git /opt/src/repository' returned 128: Cloning into '/opt/src/repository'...
Permission denied, please try again.
Permission denied, please try again.
gitol...@git.example.com: Permission denied (publickey,password).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I can get the vcsrepo to work if I utilize the default identity file (~/.ssh/id_rsa) or by defining the identity file to use in ~/.ssh/config. That is, by not specifying the "identity" parameter things work as expected.

Additionally, I can successfully clone the repo using git using the desired identity file:

# GIT_SSH_COMMAND="/usr/bin/ssh -i /root/.ssh/id_rsa__gitolite_access__non_private" git clone --single-branch --branch stable ssh://gitol...@git.example.com/repository.git
Cloning into 'repository'...
remote: Enumerating objects: 8, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 8 (delta 1), reused 0 (delta 0)
Receiving objects: 100% (8/8), done.
Resolving deltas: 100% (1/1), done.

Has anyone had success with specifying the identity file with vcsrepo?

Any hints, tips, or suggestions are very welcome!

Thanks,

-m
Re: [Puppet Users] puppet catalog find --terminus json on puppet master
Hey David,

Thanks for the reply!

On Tue, Sep 17, 2019 at 5:58 AM David Schmitt wrote:

> The most recent releases of puppetserver have an API endpoint specifically
> designed for this usecase:
> https://puppet.com/docs/puppetserver/latest/puppet-api/v4/catalog.html

Okay. I'm only on puppet 5.5.

> You'll also need to enable access to that endpoint in auth.conf for the
> server you want to access that API from.
>
> You can experiment with the certless catalog indirector from
> https://github.com/puppetlabs/ace/blob/master/lib/puppet/indirector/catalog/certless.rb to
> integrate into the CLI you're asking about, but that'll likely require some
> work to pass through the required fields.

Hmmm... So for 5.5 using this ruby file is about the only option to generate the catalog on the master?

Thanks for the help!

-m
[Puppet Users] puppet catalog find --terminus json on puppet master
Greetings,

I'm using puppet 5.5.10 (Debian Buster).

From the puppet master system, I'm trying to get all the resources in a catalog for a given node.

On a node "foo.example.com" I can with:

foo# puppet catalog find --terminus json | wc -l
6271

but on the master I've tried:

puppet# puppet catalog find --terminus json foo.example.com | wc -l
0

If I try a rest terminus I get:

puppet# puppet catalog find --terminus rest foo.example.com | wc -l
Error: Could not call 'find' on 'catalog': Error 403 on SERVER: Not Authorized: Forbidden request: /puppet/v3/catalog/git.d.umn.edu [find]
Error: Could not call 'find' on 'catalog': Error 403 on SERVER: Not Authorized: Forbidden request: /puppet/v3/catalog/git.d.umn.edu [find]
Error: Try 'puppet help catalog find' for usage

Any ideas on how to get a node's catalog from the master?

Thanks,

-m
[Puppet Users] accessing out of class/scope variables in template
Hello,

I'm running puppet 5.5 OSE.

I've got a class foo:

class foo {
  $bar = 'hi'
}

class foo::configure {
  file { '/tmp/foo.conf':
    content => template('foo/foo.conf.erb'),
  }
}

and then in the template:

<%= scope['foo::bar'] %>

but suppose I want to access an out of class variable:

<%= scope['baz::qux'] %>

That does not seem to work.

Is there any way to access out of class variables in a template?

Thanks for any help!

-m
Re: [Puppet Users] relationships, ordering, and defined types
On Tue, Jan 22, 2019 at 4:22 PM Ben Ford wrote:
> Caps all segments in a defined type name:
>
> before => Bar::Baz['qux'],

Huzzah! Thanks Ben!

-m
[Puppet Users] relationships, ordering, and defined types
Greetings!

I'm running puppet 5.5 on Debian Buster.

This exists:

    define bar::baz() {
      file { "/tmp/$name": }
    }

...somewhere else...

    bar::baz { 'qux': }

    file { '/tmp/foo':
      before => Bar::baz['qux'],
    }

But when the catalog gets compiled I get an error:

    Evaluation Error: Error while evaluating a Resource Statement, Illegal class reference

Is it possible to use a defined type with a "before" (or any other relationship metaparameter) ?

Thanks!

-m
[Puppet Users] Re: leading double colons (::) for class instances
On Mon, Jan 7, 2019 at 3:31 PM Matt Zagrabelny wrote:
> Greetings puppet-users!
>
> For many years I have been using the following convention for including my
> classes:
>
> class foo() {
>   include ::profile::bar
> }
>
> I know I don't need the leading double colon for including profile::bar,
> but at one point in time I thought it may have been a best practice or it
> would help prevent some sort of future pain point.
>
> Is that still true? Was I ever correct?

Needed to spend 30 more seconds reading before hitting send. Sorry for the noise!

https://github.com/voxpupuli/puppet-lint-absolute_classname-check/issues/3

Thanks for any additional feedback!

-m
[Puppet Users] leading double colons (::) for class instances
Greetings puppet-users!

For many years I have been using the following convention for including my classes:

    class foo() {
      include ::profile::bar
    }

I know I don't need the leading double colon for including profile::bar, but at one point in time I thought it may have been a best practice or it would help prevent some sort of future pain point.

Is that still true? Was I ever correct?

What is the current best practice for namespacing included classes?

Thanks for any feedback!

-m
[Puppet Users] Use bolt with existing Puppet manifests
I have an existing Puppet open-source install that I use to manage our infrastructure. One of our clients is going to be purchasing our SAAS for use in their own datacenter and they are setting up a temporary VPN for us to connect to a group of servers to setup, then they'll be terminating the VPN and they'll manage them. Since I don't want to install the Puppet agent, can I use Bolt to call each of their servers and run through specific roles/profiles/hiera data?

-matt
[Puppet Users] serving per-node private data in puppet 5
Greetings!

I'm working on migrating my puppet 3.7 environment to puppet 5.5 (Debian testing.)

How are folks serving private per-node data in puppet 5? (i.e. ssh keys, apache cert and key, etc.)

In both puppet 2.7 and 3.7 I've used:

    $ cat /etc/puppet/fileserver.conf
    # This file consists of arbitrarily named sections/modules
    # defining where files are served from and to whom

    [private]
      path /etc/puppet/environments/production/private/%H
      allow *

Have things changed since then? Are there better (or more idiomatic) ways of serving up private per-node files?

Ideally I would also be able to use the environment to adjust the mount point. Hand-wavy magic:

    path /etc/puppet/environments/%E/private/%H

Hiera has support for top level variables. Our ENC exposes the environment:

    "environments/%{::environment}/node/%{clientcert}"

Thanks for any hints, help, or discussion!

-m
Re: [Puppet Users] Re: puppet master not seeing certificate signing request from agent
Hey Justin,

Thanks for the reply!

On Wed, Oct 31, 2018 at 10:49 PM Justin Stoller wrote:
> What happens on the agent that is running on the master?

Works as expected. Thus indicting the firewall.

Digging deeper... it looks like Debian testing bit me. But I don't blame them - I know I'm tracking a moving target. iptables upgraded from 1.6 to 1.8 (and I didn't reboot after). There are new semantics (iptables-legacy) and the firewall was still blocking 8140 in the legacy mode.

I've rebooted and cleared the legacy chains/tables. Things work as expected now.

Thanks for the help and hints. It is very appreciated!

-m
[Puppet Users] Re: puppet master not seeing certificate signing request from agent
On Wed, Oct 31, 2018 at 11:23 AM Matt Zagrabelny wrote:
> Greetings,
>
> I'm running puppet 5.5.6 (Debian testing).
>
> I'm having issues getting the master to see the cert signing request from
> an agent.
>
> The firewall isn't an issue. I see the packets hit an "allow" rule on the
> master, but I've also turned the firewall off.
>
> tcpdump shows the packets reaching the server:
>
> 2018-10-31 11:03:19.705234 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
> 2018-10-31 11:03:35.833194 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
> 2018-10-31 11:04:08.345204 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
>
> 2607::2a = agent
> 2607::20 = master
>
> I'm not seeing anything from the server:
>
> # puppet master --no-daemonize
> Warning: Accessing 'ca' as a setting is deprecated.
>    (location: /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1165:in
> `issue_deprecation_warning')
> Warning: The WEBrick Puppet master server is deprecated and will be
> removed in a future release. Please use Puppet Server instead. See
> http://links.puppet.com/deprecate-rack-webrick-servers for more
> information.
>    (location:
> /usr/lib/ruby/vendor_ruby/puppet/application/master.rb:207:in `main')
> Notice: Starting Puppet master version 5.5.6
>
> Adding --debug or --verbose didn't seem to yield any extra log messages
> after the "Starting Puppet master..." for when I expected a cert signing
> request message.
>
> and the agent just shows an expiration:
>
> # puppet agent -t --server puppet-5-5
> Warning: Setting cadir is deprecated.
>    (location: /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1169:in
> `issue_deprecation_warning')
> Error: Could not request certificate: execution expired
> Exiting; failed to retrieve certificate and waitforcert is disabled
>
> Any ideas where to look next?

No new updates, but I wanted to add that lsof reports puppet listening:

    puppet 25053 puppet 8u IPv4 125393 0t0 TCP *:8140 (LISTEN)
    puppet 25053 puppet 9u IPv6 125394 0t0 TCP *:8140 (LISTEN)

and I'm not seeing anything in the master log file:

    [2018-10-31 16:05:35] DEBUG Puppet::Network::HTTP::WEBrickREST is mounted on /.
    [2018-10-31 16:05:35] INFO WEBrick::HTTPServer#start: pid=25053 port=8140

Confused...

-m
[Puppet Users] puppet master not seeing certificate signing request from agent
Greetings,

I'm running puppet 5.5.6 (Debian testing).

I'm having issues getting the master to see the cert signing request from an agent.

The firewall isn't an issue. I see the packets hit an "allow" rule on the master, but I've also turned the firewall off.

tcpdump shows the packets reaching the server:

    2018-10-31 11:03:19.705234 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
    2018-10-31 11:03:35.833194 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
    2018-10-31 11:04:08.345204 IP6 2607::2a.46390 > 2607::20.8140: tcp 0

    2607::2a = agent
    2607::20 = master

I'm not seeing anything from the server:

    # puppet master --no-daemonize
    Warning: Accessing 'ca' as a setting is deprecated.
       (location: /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1165:in `issue_deprecation_warning')
    Warning: The WEBrick Puppet master server is deprecated and will be removed in a future release. Please use Puppet Server instead. See http://links.puppet.com/deprecate-rack-webrick-servers for more information.
       (location: /usr/lib/ruby/vendor_ruby/puppet/application/master.rb:207:in `main')
    Notice: Starting Puppet master version 5.5.6

Adding --debug or --verbose didn't seem to yield any extra log messages after the "Starting Puppet master..." for when I expected a cert signing request message.

and the agent just shows an expiration:

    # puppet agent -t --server puppet-5-5
    Warning: Setting cadir is deprecated.
       (location: /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1169:in `issue_deprecation_warning')
    Error: Could not request certificate: execution expired
    Exiting; failed to retrieve certificate and waitforcert is disabled

Any ideas where to look next?

Thanks!

-m
Re: [Puppet Users] puppet.conf ini heading
On Tue, Oct 30, 2018 at 5:10 PM Justin Stoller wrote:
> On Tue, Oct 30, 2018 at 2:34 PM Matt Zagrabelny wrote:
>
>> Greetings,
>>
>> I'm running puppet 5.5.6 (Debian testing.)
>>
>> I'm seeing some curious and inconsistent results from where I put config
>> settings in /etc/puppet/puppet.conf. When I use the [master] heading, the
>> "external_nodes" setting is read by the puppet master:
>>
>> # cat /etc/puppet/puppet.conf
>> [master]
>> node_terminus = exec
>> external_nodes = /opt/bin/my-enc
>> # systemctl restart puppet-master.service
>> # puppet config print external_nodes
>> none
>>
>> [...]
>
> When your master runs it uses only certain sections of the config file
> (mainly "master" and "main"[1]), while config print will by default use the
> section "main". You can use the `--section ` flag to act on a
> specific section. If you don't specify a section in the puppet.conf the
> setting will be applied to the "main" section.
>
> eg `puppet config print --section master external_nodes` should give you
> what you want.

Indeed it does!

Thanks, Justin!

-m
[Puppet Users] puppet.conf ini heading
Greetings,

I'm running puppet 5.5.6 (Debian testing.)

I'm seeing some curious and inconsistent results from where I put config settings in /etc/puppet/puppet.conf. When I use the [master] heading, the "external_nodes" setting is read by the puppet master:

    # cat /etc/puppet/puppet.conf
    [master]
    node_terminus = exec
    external_nodes = /opt/bin/my-enc
    # systemctl restart puppet-master.service
    # puppet config print external_nodes
    none

However, if I remove the "master" section heading in the puppet.conf file, I get the results I expect:

    # cat /etc/puppet/puppet.conf
    node_terminus = exec
    external_nodes = /opt/bin/my-enc
    # systemctl restart puppet-master.service
    # puppet config print external_nodes
    /opt/bin/my-enc

Should I file a bug or is this somehow expected?

Thanks!

-m
Re: [Puppet Users] Re: Puppet Agent Hang when PuppetServer Crashes...
We're still tuning, but I ended up dropping our PuppetServer JRubyInstance count down to 2, and I have the -Xmx setting set to 4GB(!!). I think that we have a few libraries loaded in that are causing some major bloat, but we haven't had time to track that down yet.

The big concern I have is not the crashing of the servers... we can handle that. The main issue is that it seems that the Puppet Agents get into a hung state and never recover. That's not a behavior we ever saw on the older Puppet 3.x clients.

On Mon, Jan 1, 2018 at 9:50 PM, John Gelnaw <jgel...@gmail.com> wrote:
> On Monday, January 1, 2018 at 5:52:10 PM UTC-5, Matt Wise wrote:
>>
>> *Puppet Agent: 5.3.2*
>> *Puppet Server: 5.1.4 - Packaged in Docker, running on Amazon ECS*
>>
>
> I'm running a docker-compose based puppet setup, and had the same
> problem. Short version was to increase the java heap size for the JRuby
> instances for puppetserver.
>
> Using the docker-compose.yml, I added:
>
> environment:
>   - PUPPETSERVER_JAVA_ARGS=-Xmx1024m
>
> to the puppet stanza, which gets passed to the puppetserver init script.
>
> We also increased the number of JRuby instances to 7, but that might be
> overkill (roughly 200-250 nodes). That also means 8 gigs of memory on the
> docker host.
>
> The agents would eventually time out, but I seem to recall it was on the
> order of hours for the timeout.
[Puppet Users] Puppet Agent Hang when PuppetServer Crashes...
*Puppet Agent: 5.3.2*
*Puppet Server: 5.1.4 - Packaged in Docker, running on Amazon ECS*

So we've recently started rolling over from our ancient Puppet 3.x system to a new Puppet 5.x service. The new service consists of a PuppetServer Docker Image (5.1.4) running in Amazon ECS, and our hosts booting up and running Puppet Agent 5.3.2. At this point in the migration, we're running ~150-200 hosts on the new Puppet5 system and we replace ~30-80 of them daily.

We are currently tracking down a problem with our PuppetServers and their memory usage, which is causing the containers to be OOM'd a few times a day (~10 OOMs a day across ~20 containers). While we know that we need to fix this, we've seen a scary behavior on the Puppet Agent side that we could use some advice with.

It seems that at least a few times a day now we will get a server hung in the boot process. The `puppet agent -t ...` process will just hang midway through the run. It seems that these hangs happen when the backend underlying PuppetServer process that they were connected to gets OOMed and goes away. Obviously the OOM is a problem.. but frankly I am more concerned with the Puppet Agent getting wedged for hours and hours without making any progress.

It seems that when this failure happens, the puppet agent does not ever time out. It never fails, or throws an error. It just hangs. We've had these hangs last upwards of 4-5 hours before our systems are automatically terminated. We've enabled debug logging, but haven't caught one of these failures yet with debug mode turned on.

In the mean time, are there any known regressions or configuration tweaks we need to make to Puppet Agent 5.x more quick to fail or resilient in this case? I could obviously try to build in some wrapper around Puppet to catch this behavior .. but I am hoping that there are just some settings we need to tweak.

Any thoughts?
Re: [Puppet Users] using variables with manifests
On Tue, Apr 4, 2017 at 4:41 PM, warron.french wrote:
> Hello, I need some guidance/direction on what to lookup and where I can
> find an example of how to provide values to a class so that they will be
> used by the class (and the ERBtemplate within).
>
> I want to be able to provide the variable *collector_id* to my class and
> from the Red Hat Satellite Puppet Master provide collector_id =
> mycollector.some.net so that it will be used to generate text and then
> populate -mycollector.some.net in the file after some other text.
>
> I figured something like this is needed; but I am not sure and cannot find
> an example to confirm I am on the correct track:
>
> *class* rsyslog_mgmt (collector_id) {
>   file { '/etc/rsyslog.conf':
>     ensure => 'present',
>     content => template('rsyslog_mgmt/syslog.conf.erb'),
>   }
> }
>
> Then the content of my file syslog.conf.erb would look something like this:
>
> ...snippet...
> *.info;authpriv.*;mail.none;news.none <%= @collector_id %>
> ...EOF...
>
> Am I on the correct track? Do I need a $ symbol in front of the
> collector_id within the () at the top in front of the first curly brace
> that starts the class definition?

You need the dollar sign:

    class blah(
      $parameter_1,
    ) {
      ..do stuff
    }

Search for "parameterized class puppet" for further reading.

-m
Re: [Puppet Users] Role vs hiera
On Sat, Nov 19, 2016 at 2:27 PM, Martijn <mart...@heemels.com> wrote:
> On Tuesday, 18 October 2016 21:50:37 UTC+2, Matt Zagrabelny wrote:
>>
>> If you use an ENC, then you can return the role as a top scope
>> variable and your hiera configs can leverage those top scope
>> variables.
>>
>> Let me know if you want the hiera configs.
>>
>> -m
>
> Hi Matt,
>
> That's interesting. What are you using for ENC?

Custom python script that uses a custom database to hold node names, roles, and "production" vs "testing" status.

Since puppet has already claimed the "environment" noun for the filesystem serving space, I use "context" as the variable name that holds the "production" vs. "testing" status.

In hiera, we have the following hierarchy, which is repeated in the hiera.yaml config further down.

1. Node specific hiera data is closest to the node.
2. Whatever role a node is has the next priority for hiera data.
3. The "context" (production vs. testing) is closer to the global (common) hiera space - so context comes after role.
4. Lastly, the global (common) hiera lookup file.

The 3rd item on the list allows us to have a single place for application/database passwords with different passwords for testing and production systems without having to duplicate the password in some.fqdn.node.yaml files.

Pretend that the following 2-D grid are nodes that have their respective roles and contexts.

                  Context
          prod          | test
    role  app_0_server  | app_0_server
    role  db_0_server   | db_0_server
    role  app_1_server  | app_1_server
    role  db_1_server   | db_1_server
    role  .             | .
    role  .             | .
    role  .             | .

Thus the production app_0_server and db_0_server can easily have a shared password that is different from the testing app_0_server and db_0_server due to the vertical slicing of the hierarchy.

> And I'd love to see your hiera configs, please.

    % cat /etc/puppet/hiera.yaml
    ---
    :backends:
      - yaml
    :yaml:
      :datadir: /etc/puppet/hiera
    :hierarchy:
      - "environments/%{::environment}/node/%{clientcert}"
      - "environments/%{::environment}/role/%{role}"
      - "environments/%{::environment}/context/%{context}"
      - "environments/%{::environment}/common"

-m
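The node, role, context, common ordering described in the message above, as an added Ruby sketch that is not part of the original post and is not Hiera's own code: a simplified first-match lookup over the same four hierarchy levels. The node names, keys, values and the helper names (`interpolate`, `lookup`, `scope_for`) are constructed for the illustration, and `role` and `context` are assumed to arrive as ENC parameters as in the thread.

```ruby
require 'yaml'

# Hierarchy copied from the hiera.yaml in the message above.
HIERARCHY = [
  'environments/%{::environment}/node/%{clientcert}',
  'environments/%{::environment}/role/%{role}',
  'environments/%{::environment}/context/%{context}',
  'environments/%{::environment}/common'
].freeze

# Constructed sample data, keyed by path under :datadir: (".yaml" omitted).
# Every node lives in the Puppet environment "production"; only the ENC
# "context" separates production systems from testing systems.
DATA = {
  'environments/production/common' =>
    "---\nntp_server: ntp.example.com\napp_0_db_password: unset\n",
  'environments/production/context/production' =>
    "---\napp_0_db_password: prod-secret\n",
  'environments/production/context/testing' =>
    "---\napp_0_db_password: test-secret\n",
  'environments/production/role/db_0_server' =>
    "---\nlisten_port: 5432\n",
  'environments/production/node/db0-test.example.com' =>
    "---\nlisten_port: 15432\n"
}.transform_values { |text| YAML.safe_load(text) }.freeze

# Constructed nodes: certname => [role, context], the 2-D grid from the post.
NODES = {
  'app0.example.com'      => %w[app_0_server production],
  'db0.example.com'       => %w[db_0_server production],
  'app0-test.example.com' => %w[app_0_server testing],
  'db0-test.example.com'  => %w[db_0_server testing]
}.freeze

# Expand %{var} and %{::var} from the scope. An undefined variable becomes
# an empty string, so that level resolves to a path with no data behind it.
def interpolate(template, scope)
  template.gsub(/%\{(?:::)?([^}]+)\}/) { scope.fetch(Regexp.last_match(1), '').to_s }
end

# Walk the hierarchy top to bottom and return [value, source] for the first
# level that defines the key, or [nil, nil] when no level defines it.
def lookup(key, scope)
  HIERARCHY.each do |level|
    path = interpolate(level, scope)
    data = DATA[path]
    return [data[key], path] if data && data.key?(key)
  end
  [nil, nil]
end

# Scope for one node: role and context as the ENC would return them,
# clientcert as the name on the agent's certificate.
def scope_for(certname, role, context)
  { 'environment' => 'production', 'clientcert' => certname,
    'role' => role, 'context' => context }
end

# One line per node showing which hierarchy level answered each key.
def report
  NODES.map do |certname, (role, context)|
    scope = scope_for(certname, role, context)
    password, password_src = lookup('app_0_db_password', scope)
    port, port_src = lookup('listen_port', scope)
    format('%-22s password=%s (%s) port=%s (%s)',
           certname, password, password_src, port.inspect, port_src.inspect)
  end
end

puts report if __FILE__ == $PROGRAM_NAME
```

A node whose ENC record lacks a `context` falls through to the `common` value for the password, which is worth checking for when secrets are kept at the context level.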
Re: [Puppet Users] QUESTION: How can I iterate through the whole list of facters in an erb template?
On Thu, Nov 10, 2016 at 6:25 AM, Victor Martinez wrote:
> Hi there,
>
> I've been looking for a way of creating an erb file which contains all
> the facter values. Any ideas how I can accomplish it? Reason: I'd like to
> generate custom facters per module and populate those facter values as
> Jenkins Labels

Untested:

    <% @facts.each do |key, value| -%>
    <%= key %> and <%= value %>
    <% end -%>

-m
Re: [Puppet Users] Role vs hiera
On Tue, Oct 25, 2016 at 2:09 PM, Ugo Bellavance wrote:
> Hi,
>
> I was actually wondering if it could be done without an ENC as we don't have
> one for now.

Not sure. I don't think so, though. I would work on getting an ENC set up.

-m
Re: [Puppet Users] Role vs hiera
On Tue, Oct 18, 2016 at 1:34 PM, Ugo Bellavance wrote:
> Hi,
>
> I've seen tutorials where they add the role as a fact in an client and then
> can use the role for hiera data. Is there a better way to do so (ie without
> having to configure anything on the client)?

As a matter of fact there is a better way.

If you use an ENC, then you can return the role as a top scope variable and your hiera configs can leverage those top scope variables.

Here is an example where I've scrubbed any of our site data:

    # puppet-enc ldap.example.com
    ---
    classes:
      role::directory_server: null
    environment: production
    parameters:
      context: production
      role: role::directory_server

The "classes" at the top and its "role" are for the classifying of the ENC, but the "context" and "role" in the "parameters" near the bottom are variables that get exposed - hiera is one of the things that can use those variables. This works super slick for us.

For what it is worth, we also use a notion of context that allows our ENC to describe whether a node is a "testing" or "production" type system - we have hiera lookups based on that data, too.

Let me know if you want the hiera configs.

-m
[Puppet Users] Puppet Agent doesn't receive Catalog, Node.rb on Master shows correct YAML-output (Foreman)
Hi,

I'm having a strange issue with a Foreman setup where my agent don't receive their assigned manifests during their run.

On the puppet master I can run a positive

    ./node.rb puppet-agent-fqdn

Where I see my whole yaml for the agent which should be applied.

When I do a puppet run this run goes well, no errors, and the agent reports back to foreman that there are no changes.

I'm really clueless what to check so can't post any output that show an actual issue. Anyone a clue where to start ?

Thanks,

Matt
[Puppet Users] Setting resource dependency from hiera problem
Hello,

I'm trying to utilise the following pattern in puppet4 to replace the 'create_resources' function:

https://docs.puppet.com/puppet/latest/reference/lang_resources_advanced.html#implementing-the-createresources-function

This works well for me in most usecases, however I'm having trouble now when trying to specify the resource being created in this way require another resource.

Here is my example: I have an nfs::client::mount defined type, that I want to specify the parameters for via a Hash in hiera, that I'm passing to this code using the $nfs_mounts hash below:

    class role::robinhood::hsm_agent (
      Hash[String,Hash] $nfs_mounts,
    ) {

      class { 'nfs':
        client_enabled => true,
      }

      $nfs_defaults = {
        "atboot"      => true,
        "options_nfs" => '_netdev,tcp,nolock,rsize=32768,wsize=32768,intr,noatime,actimeo=3',
        "subscribe"   => Service['network'],
      }

      $nfs_mounts.each |String $name, Hash $nfs_mount| {
        Resource['nfs::client::mount'] {
          $name   : * => $nfs_mount;
          default : * => $nfs_defaults;
        }
      }
    }

Then in hiera for a node I would have something like:

    ---
    classes:
      - "role::robinhood::hsm_agent"
      - "profile::network"

    network::if_static:
      'eth0':
        ensure: 'up'
        ipaddress: '10.41.240.225'
        netmask: '255.255.0.0'
      'eth1':
        ensure: 'up'
        ipaddress: '10.143.240.225'
        netmask: '255.255.0.0'

    role::robinhood::hsm_agent::nfs_mounts:
      '/mnt/qstar/wbic':
        server: '10.143.200.47'
        share: '/srv/qstar/wbic'
        require: "Network::If::Static['eth1']"

I'm making use of the NFS module: https://github.com/derdanne/puppet-nfs and the Network module: https://github.com/razorsedge/puppet-network in the above.

The network module is creating a resource Network::If::Static['eth1'], however when I run the above I get the error:

    Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Invalid relationship: Nfs::Client::Mount[/mnt/qstar/wbic] { require => Network::If::Static['eth1'] }, because Network::If::Static['eth1'] doesn't seem to be in the catalog
    Warning: Not using cache on failed catalog
    Error: Could not retrieve catalog; skipping run

I don't understand why this isn't working - the Network::If::Static['eth1'] resource definitely exists, as the above code works correctly if I remove the 'require' line in hiera, eg:

    role::robinhood::hsm_agent::nfs_mounts:
      '/mnt/qstar/wbic':
        server: '10.143.200.47'
        share: '/srv/qstar/wbic'

However, it would be really useful for me to be able to specify the resource dependency in hiera as outlined above, since the interface for this resource to depend on will change from node to node.

I'm sure I'm overcomplicating this - I can accomplish what I want to do here by making the resource explicitly in the node's 'role' code, however I'm really finding it a nice way of working moving more and more stuff into hashes that I define in Hiera, so I'm really keen to make this work if it's possible.

Does anyone have any idea what I'm doing wrong here?

Thanks,

Matt
Re: [Puppet Users] variable scoping and erb templates
On Tue, Aug 16, 2016 at 8:04 AM, jcbollinger wrote:
>> On Tue, Aug 16, 2016 at 1:31 AM, Lowe Schmidt wrote:
>> > What version of Puppet are you running?
>>
>> Debian Jessie:
>>
>> 3.7.2-4
>
> That looks like bug PUP-1220. Note that although the ticket is marked as
> being fixed in Puppet 3.5, commentary on the ticket and details of the
> associated commit make me think that the fix only applies when you use the
> future parser.

Thanks for clearing my confusion, John!

Best,

-m
Re: [Puppet Users] variable scoping and erb templates
Hi Lowe,

On Tue, Aug 16, 2016 at 1:31 AM, Lowe Schmidt <m...@loweschmidt.se> wrote:
> What version of Puppet are you running?

Debian Jessie:

3.7.2-4

-m

> --
> Lowe Schmidt | +46 723 867 157
>
> On 15 August 2016 at 20:48, Matt Zagrabelny <mzagr...@d.umn.edu> wrote:
>>
>> Greetings!
>>
>> I am hitting a curious question and couldn't find an answer.
>>
>> I can access variables from other classes when using an erb template.
>>
>> Here is my minimal example:
>>
>> # puppet apply variable_scope_test.pp
>> Notice: Compiled catalog for puppet.example.com in environment
>> production in 0.12 seconds
>> Notice: A variable from a different class:
>> Notice: /Stage[main]/Scope_example::Sub_class/Notify[A variable from a
>> different class: ]/message: defined 'message' as 'A variable from a
>> different class: '
>> Notice: Finished catalog run in 0.11 seconds
>>
>> # cd /tmp
>> # head -n -0 variable_scope_test.pp template.erb template_output
>> ==> variable_scope_test.pp <==
>> class scope_example {
>>   $variable = "THIS IS A TEST!"
>>   include scope_example::sub_class
>> }
>>
>> class scope_example::sub_class {
>>   file { '/tmp/template_output':
>>     content => template('/tmp/template.erb'),
>>   }
>>   notify { "A variable from a different class: $variable": }
>> }
>>
>> node 'puppet.example.com' {
>>   include scope_example
>> }
>>
>> ==> template.erb <==
>> <%= @variable %>
>>
>> ==> template_output <==
>> THIS IS A TEST!
>>
>> So why is the template allowed to see variables in other classes?
>>
>> I would have expected to need to use the variable like:
>>
>> <%= @scope_example::variable %>
>>
>> But it clearly works without adjusting its namespace.
>>
>> Thoughts?
>>
>> Thanks!
>>
>> -m
[Puppet Users] variable scoping and erb templates
Greetings!

I am hitting a curious question and couldn't find an answer.

I can access variables from other classes when using an erb template.

Here is my minimal example:

    # puppet apply variable_scope_test.pp
    Notice: Compiled catalog for puppet.example.com in environment production in 0.12 seconds
    Notice: A variable from a different class:
    Notice: /Stage[main]/Scope_example::Sub_class/Notify[A variable from a different class: ]/message: defined 'message' as 'A variable from a different class: '
    Notice: Finished catalog run in 0.11 seconds

    # cd /tmp
    # head -n -0 variable_scope_test.pp template.erb template_output
    ==> variable_scope_test.pp <==
    class scope_example {
      $variable = "THIS IS A TEST!"
      include scope_example::sub_class
    }

    class scope_example::sub_class {
      file { '/tmp/template_output':
        content => template('/tmp/template.erb'),
      }
      notify { "A variable from a different class: $variable": }
    }

    node 'puppet.example.com' {
      include scope_example
    }

    ==> template.erb <==
    <%= @variable %>

    ==> template_output <==
    THIS IS A TEST!

So why is the template allowed to see variables in other classes?

I would have expected to need to use the variable like:

    <%= @scope_example::variable %>

But it clearly works without adjusting its namespace.

Thoughts?

Thanks!

-m
Re: [Puppet Users] Re: most idiomatic way to set resource defaults
On Tue, Jul 12, 2016 at 3:28 PM, Matthew Pounsett wrote:
> On Monday, 11 July 2016 10:31:45 UTC-4, R.I. Pienaar wrote:
>>
>> best avoid create_resources in puppet 4 :)
>
> Why is that?

I can't speak for R.I., but I believe puppet 4 has "first class" looping constructs. Thus, create_resource "hacks" won't be necessary.

-m
Re: [Puppet Users] Trouble creating a release RPM from puppetlabs/puppet source repo
Eric et al,

Thanks again for your help with this! I realize how crazy it may seem to want to rebuild from source. My company has become so paranoid of open source software due to recent events, that the infosec team now requires us to vet (as if that's feasible) FOSS source code before bringing it in.

Since starting this post, however, I was able to convince the team to bring in the PC1 repo. As someone else has suggested to me, I will have to revisit with Vanagon and/or the src RPM in the future. I would like to know how to build these though, so I'll revisit one day for sure.

Cheers,
Matt

On Thursday, June 9, 2016 at 3:55:49 PM UTC-4, Eric Sorenson wrote:
>
> Matt, I would like to understand this better and help you adopt Puppet
> into your environment.
>
> This is not a rhetorical question, but it might sound like one: Do you
> rebuild your linux distribution from source RPMs? Because that is very
> similar to what the AIO Puppet agent bundle is: a mini distribution with
> the dependencies ending up in one artifact.
>
> People outside Puppet can (and have) successfully rebuilt AIO, and there
> are also successful packaging efforts that take JUST the Puppet 4 source and
> build a standalone RPM from it in the manner of the puppet 3 packages:
>
> puppet-4.2.1-3.fc24.src.rpm
> <http://fedora.osuosl.org/linux/releases/test/24_Beta/Everything/source/tree/Packages/p/puppet-4.2.1-3.fc24.src.rpm>
>
> But our recommendation is to use the all-in-one obviously; it's what's
> tested extensively and what ships in puppet enterprise.
>
> --eric
>
> On Wednesday, June 8, 2016 at 2:01:43 AM UTC-7, Matt Larson wrote:
>>
>> Sorry for not getting back soon, Dan.
>>
>> Good question.
>>
>> I work for a draconian company that only allows installing FOSS after our
>> infosec team has vetted the source code and then built from source; an
>> impossible hand-waving exercise, I know... but it is what it is.
>>
>> On Friday, June 3, 2016 at 2:51:10 PM UTC-4, LinuxDan wrote:
>>>
>>> First Silly Question: Why ?
>>> What do you need to do that cannot be done with the RPM's from a
>>> Puppetlabs repo ?
>>>
>>> Dan White | d_e_...@icloud.com
>>>
>>> “Sometimes I think the surest sign that intelligent life exists elsewhere
>>> in the universe is that none of it has tried to contact us.” (Bill
>>> Waterson: Calvin & Hobbes)
>>>
>>>
>>> On Jun 03, 2016, at 02:44 PM, Matt Larson <dryhum...@gmail.com> wrote:
>>>
>>>
>>> I'm trying to create an RPM from source on a stock RHEL6-based (CentOS6)
>>> instance, but I'm seeing errors. I also posted in
>>> https://ask.puppet.com/question/26388/trouble-creating-a-release-rpm-from-puppetlabspuppet-source-repo/
>>>
>>>
>>> The output actually gets pretty far along, but stops with this error:
>>> "install: cannot stat ext/redhat/puppet.conf: no such file or directory".
>>> If I fix that problem by manually editing the SPEC file, I just get more
>>> errors, so clearly there is no need to go down a rabbit hole since this
>>> must work for someone else, right?
>>>
>>> I've also posted in
>>> https://ask.puppet.com/question/26388/trouble-creating-a-release-rpm-from-puppetlabspuppet-source-repo/
>>>
>>> Ideas?
>>>
>>> Thanks in Advance,
>>> Matt
[Puppet Users] Autorequire defined type from custom type
As per subject, is it possible to autorequire a defined type within a custom type?

I've previously done `autorequire(:a_type) do ... end` for both built in and other custom types but I was wondering if it's possible and therefore what do I pass to `autorequire()`?

Matt
Re: [Puppet Users] Trouble creating a release RPM from puppetlabs/puppet source repo
I did try installing via the PC1 (AIO) repo, and it worked ok for me at home. But like I said, can't do that at work.

What is your main concern with AIO? I don't wanna make a bad step here. At first, AIO sounded scary to me... like some alternative to rpm/yum (in case of rhel-based distros), but it's still the same packaging mechanism, just dedicated repos per collective release, yes?

Thanks for your input,
Matt

On Friday, June 3, 2016 at 6:10:01 PM UTC-4, jcbollinger wrote:
>
> On Friday, June 3, 2016 at 1:51:10 PM UTC-5, LinuxDan wrote:
>>
>> First Silly Question: Why ?
>> What do you need to do that cannot be done with the RPM's from a
>> Puppetlabs repo ?
>>
>
> If I were undertaking the exercise, it would be to avoid the AIO
> structure. I may one day undertake that exercise, but until now I have
> instead just avoided upgrading to Puppet 4.
>
>
> John
[Puppet Users] Re: Trouble creating a release RPM from puppetlabs/puppet source repo
Thanks for helping with this, Stefan!

I tried this, but where are the puppet-agent source RPMs ?

On Friday, June 3, 2016 at 3:51:36 PM UTC-4, Stefan Heijmans wrote:
>
> Have you tried using the source RPMs from here;
>
> https://yum.puppetlabs.com/el/6/PC1/SRPMS/
>
>
> On Friday, June 3, 2016 at 8:44:20 PM UTC+2, Matt Larson wrote:
>>
>>
>> I'm trying to create an RPM from source on a stock RHEL6-based (CentOS6)
>> instance, but I'm seeing errors. I also posted in
>> https://ask.puppet.com/question/26388/trouble-creating-a-release-rpm-from-puppetlabspuppet-source-repo/
>>
>>
>> The output actually gets pretty far along, but stops with this error:
>> "install: cannot stat ext/redhat/puppet.conf: no such file or directory".
>> If I fix that problem by manually editing the SPEC file, I just get more
>> errors, so clearly there is no need to go down a rabbit hole since this
>> must work for someone else, right?
>>
>> I've also posted in
>> https://ask.puppet.com/question/26388/trouble-creating-a-release-rpm-from-puppetlabspuppet-source-repo/
>>
>> Ideas?
>>
>> Thanks in Advance,
>> Matt
Re: [Puppet Users] Trouble creating a release RPM from puppetlabs/puppet source repo
Sorry for not getting back soon, Dan.

Good question.

I work for a draconian company that only allows installing FOSS after our infosec team has vetted the source code and then built from source; an impossible hand-waving exercise, I know... but it is what it is.

On Friday, June 3, 2016 at 2:51:10 PM UTC-4, LinuxDan wrote:
>
> First Silly Question: Why ?
> What do you need to do that cannot be done with the RPM's from a
> Puppetlabs repo ?
>
> Dan White | d_e_...@icloud.com
>
> “Sometimes I think the surest sign that intelligent life exists elsewhere in
> the universe is that none of it has tried to contact us.” (Bill Waterson:
> Calvin & Hobbes)
>
>
> On Jun 03, 2016, at 02:44 PM, Matt Larson <dryhum...@gmail.com> wrote:
>
>
> I'm trying to create an RPM from source on a stock RHEL6-based (CentOS6)
> instance, but I'm seeing errors. I also posted in
> https://ask.puppet.com/question/26388/trouble-creating-a-release-rpm-from-puppetlabspuppet-source-repo/
>
>
> The output actually gets pretty far along, but stops with this error:
> "install: cannot stat ext/redhat/puppet.conf: no such file or directory".
> If I fix that problem by manually editing the SPEC file, I just get more
> errors, so clearly there is no need to go down a rabbit hole since this
> must work for someone else, right?
>
> I've also posted in
> https://ask.puppet.com/question/26388/trouble-creating-a-release-rpm-from-puppetlabspuppet-source-repo/
>
> Ideas?
>
> Thanks in Advance,
> Matt
Re: [Puppet Users] Trigger apt-get update if packages are to be installed
On Mon, Jun 6, 2016 at 9:46 AM, Simon Weald wrote:
> Hi everyone
>
> I've got a little bit of an issue which I'm currently fighting with. At the
> moment, we pass an array of packages to be installed to the package
> resource, however I need to call an apt-get update prior to the package
> installation (in case we add a new repo etc). My snippet below should
> probably give you a good idea of what I want to achieve:
>
> $installpackages = hiera_array('installed-packages')
>
> exec { "apt-update":
>   command     => "/usr/bin/apt-get update",
>   refreshonly => true,
> }
>
> package { $installpackages:
>   ensure  => 'present',
>   require => Exec['apt-update'],
> }
>
> Obviously my goal is to have the update only run if any packages are
> actually going to be installed - I can't use empty() against the array as it
> will always contain content.
>
> Can anyone suggest how I can achieve this?

We're using the puppetlabs apt resource and a line like:

    Apt::Source <| |> -> Package <| |>

to ensure that any Apt::Source is processed before any package installation.

I know this doesn't quite do the updating - we do that daily via cron, but it does demonstrate the global dependency ordering of sources and packages.

Hope that helps!

-m
[Puppet Users] Trouble creating a release RPM from puppetlabs/puppet source repo
I'm trying to create an RPM from source on a stock RHEL6-based (CentOS6) instance, but I'm seeing errors. I also posted in https://ask.puppet.com/question/26388/trouble-creating-a-release-rpm-from-puppetlabspuppet-source-repo/

The output actually gets pretty far along, but stops with this error: "install: cannot stat ext/redhat/puppet.conf: no such file or directory". If I fix that problem by manually editing the SPEC file, I just get more errors, so clearly there is no need to go down a rabbit hole since this must work for someone else, right?

I've also posted in https://ask.puppet.com/question/26388/trouble-creating-a-release-rpm-from-puppetlabspuppet-source-repo/

Ideas?

Thanks in Advance,
Matt
Re: [Puppet Users] Re: Sidedoor - Puppet Module
Hi!

On Thu, Jun 2, 2016 at 9:24 AM, Warron French wrote:
> Is there a limit to the number of questions that I can post to Google Groups
> or this list... in a single day?

Nope. :)

-m
[Puppet Users] Test coverage behaviour changed between 3.x/4.x
I have an open bug report with the rspec-puppet project (https://github.com/rodjek/rspec-puppet/issues/316) whereby the coverage from testing custom functions in my modules is not cumulative but only includes coverage from the last expectation, which results in reports showing low percentages.

Anyway, I've now noticed that if I use Puppet 4.x (4.4.2 in this case) to run the test suite then I get zero code coverage, which I've tracked down to the fact that the custom functions are shown in the report to be located in `spec/fixtures/modules//lib/puppet/parser/functions/...` and the whole of `spec/` is normally filtered out of the coverage report to prevent the tests themselves and any Ruby code in dependent modules from contributing.

If I go back to Puppet 3.x (3.8.7) then the custom functions are shown to be located in `lib/puppet/parser/functions/...` again as expected.

I have a small test module that I used to demonstrate the original bug available here: https://github.com/bodgit/puppet-test

Is this change in behaviour expected?

Matt
Re: [Puppet Users] DRY duplicated manifest code
On Wed, Mar 23, 2016 at 3:04 PM, Hunter Haugen wrote:
> Given the resource you want to apply this pattern to, it can be turned into
> a one-liner with a collector:
>
> file { '/tmp/something':
>   ensure => file,
> }
> File['/tmp/something'] ~> Service <| title == 'apache2' |>

Can you combine the two steps?

    file { '/tmp/something':
      ensure => file,
    } ~> Service <| title == 'apache2' |>

or is that frowned upon, or just not possible?

-m
Re: [Puppet Users] DRY duplicated manifest code
On Wed, Mar 23, 2016 at 3:04 PM, Hunter Haugen wrote:
> Given the resource you want to apply this pattern to, it can be turned into
> a one-liner with a collector:
>
> file { '/tmp/something':
>   ensure => file,
> }
> File['/tmp/something'] ~> Service <| title == 'apache2' |>
>
> This means that if there is a service with a title of apache2 EVER added to
> the catalog, it'll be refreshed on file changes. If the service doesn't
> exist, then the dependency does nothing.
>
> Now, this isn't exactly what you asked since you wanted the variable
> $services_to_notify and didn't say what you're going to do with it, but I
> assume this is what you want? Because collectors are not parse-order
> specific, you can't do variable assignments like $services_to_notify =
> Service <| title == 'apache2' |> (because variables are evaluated in parse
> order and collectors are not).
>
> If you really want to make a function that searches the catalog and returns
> references, it can be done with something like
> `scope.catalog.resource('Service[apache2]')` inside the function I believe,
> though that may not be the exact call.

Thanks for the reply, Hunter. I'll dig in and report back if I've got issues.

Cheers!

-m
[Puppet Users] DRY duplicated manifest code
Greetings Puppet Users,

I have a chunk of code I'd like to centralize - you know DRY. I've looked into a custom function, but I'm uncertain how to get at the puppet resources inside of ruby.

Here is the verbatim copy of the chunk in a puppet manifest:

    if defined(Service['apache2']) {
      $services_to_notify = [ Service['apache2'], ]
    }
    else {
      $services_to_notify = []
    }

and here is some hand-wavy pseudocode:

    function return_service_array_if_defined($service) {
      if defined(Service[$service]) {
        return [ Service[$service], ]
      }
      else {
        return []
      }
    }

Any suggestions or ideas for implementation?

Thanks!

-m
[Puppet Users] puppet.conf documentation
Greetings,

I know that the puppet.conf documentation exists in extreme detail:

http://docs.puppetlabs.com/puppet/3.7/reference/configuration.html

What that page doesn't tell me is if the config items map to the [agent] or [master] sections of the config file. Does anyone know if that data exists in an easy to consume location?

On my puppet master system I have the following puppet.conf snippet:

    [main]
    logdir = /var/log/puppet
    vardir = /var/lib/puppet
    ssldir = /var/lib/puppet/ssl
    rundir = /var/run/puppet
    factpath = $vardir/lib/facter
    dns_alt_names= puppet-3-7,puppet-3-7.d.umn.edu
    stringify_facts = false
    ordering = manifest
    environmentpath = $confdir/environments
    basemodulepath = $confdir/modules:$confdir/profiles:/usr/share/puppet/modules

Should I also have the same configs on my clients? For instance, should stringify_facts be set on the clients?

Thanks for any help!

-m
Re: [Puppet Users] Warning: Local environment: "production" doesn't match server specified node environment
Hi Martin,

On Sat, Jan 30, 2016 at 5:03 AM, Martin Alfke <tux...@gmail.com> wrote:
> Hi Matt,
>
> an ENC can set an environment for a node.

Yep. I'm using an ENC to set the environment to 'apt'.

> In case that a node does not specify an environment it will make use of
> environment production.
> You can specify node environment on the node in puppet.conf in agent section:
>
> [agent]
> environment = apt

Sure. I'd like to avoid setting any environment in the puppet.conf and only use the ENC *and* not get the warning.

Any ideas?

Thanks for the help!

-m
Re: [Puppet Users] Warning: Local environment: "production" doesn't match server specified node environment
Hi Alfredo,

Thanks for the reply.

On Wed, Jan 27, 2016 at 4:47 PM, Alfredo De Luca <alfredo.del...@gmail.com> wrote:
> Hi Matt.
> AFAIK production is the default environment assigned to all the nodes.

Sure.

> try
> puppet config print environment

Yep, production:

    # puppet config print environment
    production

So how do I get the warning to go away?

    Warning: Local environment: "production" doesn't match server specified node environment "apt", switching agent to "apt".

Any ideas?

-m
[Puppet Users] Warning: Local environment: "production" doesn't match server specified node environment
Greetings,

I've searched a bit and found some hits for the subject, but nothing that helps.

I'm using an ENC to drive the environment of my nodes.

I don't have "production" defined anywhere in my puppet.conf:

    # grep production /etc/puppet/puppet.conf || echo "not there"
    not there

and it is not defined on my command-line run:

    puppet agent -t --server puppet-3-7 --debug

but I still get a warning about the local environment:

    Warning: Local environment: "production" doesn't match server specified node environment "apt", switching agent to "apt".

Where else (besides the /etc/puppet/puppet.conf and the command-line option --environment) do I look for the local environment being set?

Thanks!

-m
[Puppet Users] Puppet 4.3.1 - lookup failing - versioncmp() error
Hey guys,

I recently came up against an error in 4.3.1 where versioncmp() seems to be broken:

    Debug: Performing a hiera indirector lookup of lookup_options with options {:variables=>Scope(Class[Role::Gr01]), :merge=>#>, @value_type=#]>>>]>, @options={}>}

I have found some information attempting to deal with the problem as shown in the links below, but I still can't fix it. Does anyone know how I can deal with this issue?

https://tickets.puppetlabs.com/si/jira.issueviews:issue-html/PUP-5721/PUP-5721.html
https://tickets.puppetlabs.com/browse/PUP-4780

Thanks,
Matt
Re: [Puppet Users] puppet cert list yields no certs - SOLVED (sort of!)
On Thu, Jan 7, 2016 at 5:41 PM, Matt Zagrabelny <mzagr...@d.umn.edu> wrote:
> On Thu, Jan 7, 2016 at 5:35 PM, Peter Kristolaitis <alte...@alter3d.ca> wrote:
>> Apparently I was a little too quick on the send button. :(
>>
>> To continue my previous email:
>>
>> Does 'puppet cert list --all' show any certs at all?
>
> Yep:
>
> # puppet cert list --all
> + "puppet-client-1.example.net" (SHA256)
> A3:73:DC:89:B2:13:D4:C5:7A:58:B9:EB:7E:6A:22:1C:36:97:BD:8F:4C:AD:18:39:2E:F8:10:2C:29:36:F6:82
> + "puppet-3-7.example.net" (SHA256)
> E6:F6:7D:6C:D8:30:6C:AC:1E:B5:5D:29:E8:11:0C:CB:54:22:BA:B3:96:C1:E2:49:7A:48:CF:3E:F8:12:43:24
> (alt names: "DNS:puppet-3-7", "DNS:puppet-3-7.example.net")
>
> I don't remember what I did to get the master to accept the CSR of
> puppet-client-1 earlier, but I did have similar issues where I ran the
> client and the master didn't show any unsigned certs when running
> "puppet cert list".
>
> That was a few weeks ago. I'm just coming back to puppet 3.7 now.

Regenerating the client cert and connecting to the master seems to get me one step further.

client:
find /var/lib/puppet/ssl -name puppet-cliet.example.net.pem -delete

server:
puppet cert clean puppet-client.example.net

client:
puppet agent -t --server puppet-3-7 --debug

server:
puppet cert list
"puppet-client.example.net" (SHA256) E9:D3:10:D4:A0:0D:C7:BC:1F:FA:70:3E:DD:35:35:6C:1C:5C:D0:48:61:96:25:2F:E7:D2:DA:8F:4E:3F:24:CB

puppet cert sign puppet-client.example.net

client:
puppet agent -t --server puppet-3-7 --debug
[...]
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=unknown state: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet-3-7.example.net]
Exiting; failed to retrieve certificate and waitforcert is disabled

Then performing the above steps, but clearing out all .pem files on the client seemed to fix the issue.

Cheers!

-m
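In the sequence above, the step before `puppet cert sign` is where the fingerprint the master lists for the pending request can be compared with the one read on the client (for example from `puppet agent --fingerprint`). The script below is an added example, not part of the original message: the function names and return codes are hypothetical, and the sample listing is constructed in the format of the `puppet cert list` output quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): refuse to sign a pending CSR
# unless the fingerprint listed on the master equals the one read on the client.

# Constructed sample in the format of the `puppet cert list` output quoted above.
SAMPLE_LIST='  "puppet-client.example.net" (SHA256) E9:D3:10:D4:A0:0D:C7:BC:1F:FA:70:3E:DD:35:35:6C:1C:5C:D0:48:61:96:25:2F:E7:D2:DA:8F:4E:3F:24:CB'

# normalise_fp FP
# Strip colons and whitespace and upper-case the hex digits so that
# "e9:d3" and "E9D3" compare equal.
normalise_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# listed_fp CERTNAME   (cert listing on stdin)
# Print the fingerprint shown for CERTNAME. The scan is token based, so it
# works whether the fingerprint is on the same line as the name or wrapped
# onto the next one. Prints nothing if CERTNAME is not listed.
listed_fp() {
    awk -v want="\"$1\"" '
    {
        for (i = 1; i <= NF; i++) {
            if ($i == want) { found = 1; continue }
            if (!found) continue
            if ($i ~ /^"/) exit   # next entry started before any fingerprint
            if ($i ~ /^([0-9A-Fa-f][0-9A-Fa-f]:)+[0-9A-Fa-f][0-9A-Fa-f]$/) {
                print $i
                exit
            }
        }
    }'
}

# safe_to_sign CERTNAME AGENT_FP   (cert listing on stdin)
# AGENT_FP is the SHA256 fingerprint as read on the client.
# Return codes (hypothetical, chosen for this example):
#   0  fingerprints match
#   1  fingerprints differ
#   2  no request listed under CERTNAME
#   3  one of the values is not a well-formed SHA256 fingerprint
safe_to_sign() {
    sts_master=$(listed_fp "$1") || return 2
    [ -n "$sts_master" ] || return 2
    sts_a=$(normalise_fp "$sts_master")
    sts_b=$(normalise_fp "$2")
    # SHA256 is 32 bytes, i.e. 64 hex digits once separators are removed.
    [ "${#sts_a}" -eq 64 ] && [ "${#sts_b}" -eq 64 ] || return 3
    case "$sts_a$sts_b" in
        *[!0-9A-F]*) return 3 ;;
    esac
    [ "$sts_a" = "$sts_b" ] || return 1
    return 0
}

# Demonstration on the constructed sample. The client-side value is also
# constructed: it is the same fingerprint in lower case.
demo() {
    agent_fp='e9:d3:10:d4:a0:0d:c7:bc:1f:fa:70:3e:dd:35:35:6c:1c:5c:d0:48:61:96:25:2f:e7:d2:da:8f:4e:3f:24:cb'
    if printf '%s\n' "$SAMPLE_LIST" | safe_to_sign puppet-client.example.net "$agent_fp"; then
        echo "fingerprints match: ok to run 'puppet cert sign puppet-client.example.net'"
    else
        echo "do not sign (status $?)"
    fi
}
demo
```

On a real master the listing would be piped in directly, as in `puppet cert list | safe_to_sign puppet-client.example.net "$fp"`.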
[Puppet Users] puppet cert list yields no certs
Greetings,

I am attempting to get a puppet 3.7 install off the ground. Please don't ask me to upgrade to 4.X series. :)

On the puppet master (puppet-3-7.example.net):

# puppet master --no-daemonize --debug
[...]
Info: Not Found: Could not find certificate puppet-client.example.net
Debug: Routes Registered:
Debug: Route /^\/v2\.0/
Debug: Route /.*/
Debug: Evaluating match for Route /^\/v2\.0/
Debug: Did not match path ("/production/certificate/puppet-client.example.net")
Debug: Evaluating match for Route /.*/
Info: Not Found: Could not find certificate puppet-client.example.net

On the puppet client:

# puppet agent -t --server puppet-3-7 --debug
[...]
Debug: /File[/var/lib/puppet/ssl/private_keys/puppet-client.example.net.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
Debug: /File[/var/lib/puppet/ssl/public_keys/puppet-client.example.net.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
Debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
Debug: /File[/var/lib/puppet/facts.d]: Autorequiring File[/var/lib/puppet]
Debug: Finishing transaction 10544780
Debug: Using cached certificate for ca
Debug: Using cached certificate for ca
Debug: Creating new connection for https://puppet-3-7:8140
Debug: Using cached certificate_request for puppet-client.example.net
Debug: Using cached certificate for ca
Debug: Creating new connection for https://puppet-3-7:8140
Debug: Creating new connection for https://puppet-3-7:8140
Debug: Using cached certificate_request for puppet-client.example.net
Debug: Using cached certificate for ca
Debug: Creating new connection for https://puppet-3-7:8140
Debug: Using cached certificate for ca
Debug: Creating new connection for https://puppet-3-7:8140
Exiting; no certificate found and waitforcert is disabled

Then on the master:

# puppet cert list
#

I have a 2.7 puppet environment that works very well and I am well accustomed to dealing with the certs.

The auth.conf file looks okay, too:

# allow nodes to request a new certificate
path /certificate_request
auth any
method find, save
allow *

Can anyone help interpret the debug messages above? Or point me in the correct direction?

Thanks!

-m
Re: [Puppet Users] puppet cert list yields no certs
On Thu, Jan 7, 2016 at 5:35 PM, Peter Kristolaitis wrote:
> Apparently I was a little too quick on the send button. :(
>
> To continue my previous email:
>
> Does 'puppet cert list --all' show any certs at all?

Yep:

# puppet cert list --all
+ "puppet-client-1.example.net" (SHA256) A3:73:DC:89:B2:13:D4:C5:7A:58:B9:EB:7E:6A:22:1C:36:97:BD:8F:4C:AD:18:39:2E:F8:10:2C:29:36:F6:82
+ "puppet-3-7.example.net" (SHA256) E6:F6:7D:6C:D8:30:6C:AC:1E:B5:5D:29:E8:11:0C:CB:54:22:BA:B3:96:C1:E2:49:7A:48:CF:3E:F8:12:43:24 (alt names: "DNS:puppet-3-7", "DNS:puppet-3-7.example.net")

I don't remember what I did to get the master to accept the CSR of puppet-client-1 earlier, but I did have similar issues where I ran the client and the master didn't show any unsigned certs when running "puppet cert list".

That was a few weeks ago. I'm just coming back to puppet 3.7 now.

-m
Re: [Puppet Users] puppet cert list yields no certs
Hey Peter,

On Thu, Jan 7, 2016 at 5:28 PM, Peter Kristolaitis <alte...@alter3d.ca> wrote:
> 'puppet cert list' only shows unsigned certs.
>
> 'puppet cert list --all' will show all certs.

I failed to mention it explicitly: The client does not have a signed cert. I'm trying to get the master to "accept" the CSR from the client.

-m

>
> On 1/7/2016 6:17 PM, Matt Zagrabelny wrote:
>>
>> Greetings,
>>
>> I am attempting to get a puppet 3.7 install off the ground. Please
>> don't ask me to upgrade to 4.X series. :)
>>
>> On the puppet master (puppet-3-7.example.net):
>> # puppet master --no-daemonize --debug
>> [...]
>> Info: Not Found: Could not find certificate puppet-client.example.net
>> Debug: Routes Registered:
>> Debug: Route /^\/v2\.0/
>> Debug: Route /.*/
>> Debug: Evaluating match for Route /^\/v2\.0/
>> Debug: Did not match path
>> ("/production/certificate/puppet-client.example.net")
>> Debug: Evaluating match for Route /.*/
>> Info: Not Found: Could not find certificate puppet-client.example.net
>>
>> On the puppet client:
>> # puppet agent -t --server puppet-3-7 --debug
>> [...]
>> Debug:
>> /File[/var/lib/puppet/ssl/private_keys/puppet-client.example.net.pem]:
>> Autorequiring File[/var/lib/puppet/ssl/private_keys]
>> Debug:
>> /File[/var/lib/puppet/ssl/public_keys/puppet-client.example.net.pem]:
>> Autorequiring File[/var/lib/puppet/ssl/public_keys]
>> Debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring
>> File[/var/lib/puppet/ssl/certs]
>> Debug: /File[/var/lib/puppet/facts.d]: Autorequiring File[/var/lib/puppet]
>> Debug: Finishing transaction 10544780
>> Debug: Using cached certificate for ca
>> Debug: Using cached certificate for ca
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Debug: Using cached certificate_request for puppet-client.example.net
>> Debug: Using cached certificate for ca
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Debug: Using cached certificate_request for puppet-client.example.net
>> Debug: Using cached certificate for ca
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Debug: Using cached certificate for ca
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Exiting; no certificate found and waitforcert is disabled
>>
>> Then on the master:
>> # puppet cert list
>> #
>>
>> I have a 2.7 puppet environment that works very well and I am well
>> accustomed to dealing with the certs.
>>
>> The auth.conf file looks okay, too:
>>
>> # allow nodes to request a new certificate
>> path /certificate_request
>> auth any
>> method find, save
>> allow *
>>
>> Can anyone help interpret the debug messages above? Or point me in the
>> correct direction?
>>
>> Thanks!
>>
>> -m
>>
Re: [Puppet Users] ENC
On Fri, Dec 11, 2015 at 11:54 AM, Sergiu Cornea wrote:
> Hello guys,
>
> I have an ENC which is producing the right data as far as I could test
> it (copy and paste it in a yaml file), however, when I am using Puppet
> directly Puppet seems to do nothing with it.

Try running something like:

puppet master --no-daemonize --debug

and read the output. You should see something like:

Debug: Executing '/var/lib/puppet/fetch_enc.sh yournode.example.com'

Try running that same command:

/var/lib/puppet/fetch_enc.sh yournode.example.com

and see what the output is.

Also, there should be plenty of debugging information in the output of puppet master --no-daemonize --debug.

Cheers,

-m

> This is my Puppet.conf file and logging shows that this script is being
> executed by the Puppet master, like I've said Puppet doesn't seem to be
> using the data.
>
> [master]
> node_terminus = exec
> external_nodes = /var/lib/puppet/fetch_enc.sh
>
> Thank you,
>
> Regards,
> Sergiu
[Puppet Users] Puppetlabs/mysql forge module - user accounts
I'm using the Puppetlabs/mysql forge module and I have it creating a db and adding a few users. Is there a way to automatically remove any accounts that are not defined in my puppet script? For example, if an admin manually created a user?

-matt
Re: [Puppet Users] Regex and Hyphen in node definitions
I'm running Puppet 3.7.4-1

On Monday, November 16, 2015 at 10:50:00 PM UTC-5, Henrik Lindberg wrote:
>
> On 2015-16-11 13:44, Matt Shields wrote:
> > I'm having an issue with trying to use regex with hostnames that have a
> > hyphen in their name. How can I get this to work?
> >
> > node /^(.*)-(db00)(.*)$/ {
> >   include role::db
> > }
> >
> > [root@ops-db001 ~]# puppet agent -t
> > Info: Retrieving pluginfacts
> > Info: Retrieving plugin
> > Info: Loading facts
> > Error: Could not retrieve catalog from remote server: Error 400 on
> > SERVER: Invalid tag '-db00.' on node ops-db001.example.dom
> > Warning: Not using cache on failed catalog
> > Error: Could not retrieve catalog; skipping run
> >
>
> Which version of Puppet are you using? This problem sounds familiar and
> may have been fixed in a more recent version of Puppet.
>
> - henrik
>
> --
>
> Visit my Blog "Puppet on the Edge"
> http://puppet-on-the-edge.blogspot.se/
Re: [Puppet Users] Regex and Hyphen in node definitions
Excellent. That works. Thank you very much

Matt

On Tue, Nov 17, 2015 at 11:04 AM, R.I.Pienaar <r...@devco.net> wrote:
>
> - Original Message -
> > From: "Peter Bukowinski" <pmb...@gmail.com>
> > To: "puppet-users" <puppet-users@googlegroups.com>
> > Sent: Tuesday, November 17, 2015 4:01:38 PM
> > Subject: Re: [Puppet Users] Regex and Hyphen in node definitions
>
> > I'd consider removing the ^ and $ anchors. I think you'll find it works
> > without them.
> >
> > -- Peter
> >
> >> On Nov 17, 2015, at 9:57 AM, Matt Shields <m...@mattshields.org> wrote:
> >>
> >> If there are any other suggestions on how to regex the nodes, that would be
> >> extremely helpful. We name our hosts like.
> >>
> >> {clientname}-{purpose}{001-999}
> >> Ex.
> >> ops-db001 -> uses db profile
> >> ops-bidb001 -> uses bidb profile
> >> ops-sdb001 -> uses sdb profile
> >> ops-web001 -> uses web profile
> >>
> >> client1-db001
> >> client1-bidb001
> >> client1-sdb001
> >> client1-web001
>
> anything without - really, so \W would work in this particular case
>
> /^(.*)\W(db00)(.*)$/
Re: [Puppet Users] Regex and Hyphen in node definitions
If there are any other suggestions on how to regex the nodes, that would be extremely helpful. We name our hosts like.

{clientname}-{purpose}{001-999}
Ex.
ops-db001 -> uses db profile
ops-bidb001 -> uses bidb profile
ops-sdb001 -> uses sdb profile
ops-web001 -> uses web profile

client1-db001
client1-bidb001
client1-sdb001
client1-web001

Thanks
Matt

On Tuesday, November 17, 2015 at 10:22:03 AM UTC-5, Matt Shields wrote:
>
> I just updated to 3.8.4-1 and I'm still seeing the same issue
>
> On Tuesday, November 17, 2015 at 8:38:33 AM UTC-5, Matt Shields wrote:
>>
>> I'm running Puppet 3.7.4-1
>>
>> On Monday, November 16, 2015 at 10:50:00 PM UTC-5, Henrik Lindberg wrote:
>>>
>>> On 2015-16-11 13:44, Matt Shields wrote:
>>> > I'm having an issue with trying to use regex with hostnames that have a
>>> > hyphen in their name. How can I get this to work?
>>> >
>>> > node /^(.*)-(db00)(.*)$/ {
>>> >   include role::db
>>> > }
>>> >
>>> > [root@ops-db001 ~]# puppet agent -t
>>> > Info: Retrieving pluginfacts
>>> > Info: Retrieving plugin
>>> > Info: Loading facts
>>> > Error: Could not retrieve catalog from remote server: Error 400 on
>>> > SERVER: Invalid tag '-db00.' on node ops-db001.example.dom
>>> > Warning: Not using cache on failed catalog
>>> > Error: Could not retrieve catalog; skipping run
>>> >
>>>
>>> Which version of Puppet are you using? This problem sounds familiar and
>>> may have been fixed in a more recent version of Puppet.
>>>
>>> - henrik
>>>
>>> --
>>>
>>> Visit my Blog "Puppet on the Edge"
>>> http://puppet-on-the-edge.blogspot.se/
Re: [Puppet Users] Regex and Hyphen in node definitions
That didn't work. Same error (Invalid tag)

On Tuesday, November 17, 2015 at 11:01:47 AM UTC-5, Peter Bukowinski wrote:
>
> I'd consider removing the ^ and $ anchors. I think you'll find it works
> without them.
>
> -- Peter
>
> On Nov 17, 2015, at 9:57 AM, Matt Shields <ma...@mattshields.org> wrote:
>
> If there are any other suggestions on how to regex the nodes, that would
> be extremely helpful. We name our hosts like.
>
> {clientname}-{purpose}{001-999}
> Ex.
> ops-db001 -> uses db profile
> ops-bidb001 -> uses bidb profile
> ops-sdb001 -> uses sdb profile
> ops-web001 -> uses web profile
>
> client1-db001
> client1-bidb001
> client1-sdb001
> client1-web001
>
> Thanks
> Matt
>
> On Tuesday, November 17, 2015 at 10:22:03 AM UTC-5, Matt Shields wrote:
>>
>> I just updated to 3.8.4-1 and I'm still seeing the same issue
>>
>> On Tuesday, November 17, 2015 at 8:38:33 AM UTC-5, Matt Shields wrote:
>>>
>>> I'm running Puppet 3.7.4-1
>>>
>>> On Monday, November 16, 2015 at 10:50:00 PM UTC-5, Henrik Lindberg wrote:
>>>>
>>>> On 2015-16-11 13:44, Matt Shields wrote:
>>>> > I'm having an issue with trying to use regex with hostnames that have a
>>>> > hyphen in their name. How can I get this to work?
>>>> >
>>>> > node /^(.*)-(db00)(.*)$/ {
>>>> >   include role::db
>>>> > }
>>>> >
>>>> > [root@ops-db001 ~]# puppet agent -t
>>>> > Info: Retrieving pluginfacts
>>>> > Info: Retrieving plugin
>>>> > Info: Loading facts
>>>> > Error: Could not retrieve catalog from remote server: Error 400 on
>>>> > SERVER: Invalid tag '-db00.' on node ops-db001.example.dom
>>>> > Warning: Not using cache on failed catalog
>>>> > Error: Could not retrieve catalog; skipping run
>>>> >
>>>>
>>>> Which version of Puppet are you using? This problem sounds familiar and
>>>> may have been fixed in a more recent version of Puppet.
>>>>
>>>> - henrik
>>>>
>>>> --
>>>>
>>>> Visit my Blog "Puppet on the Edge"
>>>> http://puppet-on-the-edge.blogspot.se/
Re: [Puppet Users] Regex and Hyphen in node definitions
I just updated to 3.8.4-1 and I'm still seeing the same issue

On Tuesday, November 17, 2015 at 8:38:33 AM UTC-5, Matt Shields wrote:
>
> I'm running Puppet 3.7.4-1
>
> On Monday, November 16, 2015 at 10:50:00 PM UTC-5, Henrik Lindberg wrote:
>>
>> On 2015-16-11 13:44, Matt Shields wrote:
>> > I'm having an issue with trying to use regex with hostnames that have a
>> > hyphen in their name. How can I get this to work?
>> >
>> > node /^(.*)-(db00)(.*)$/ {
>> >   include role::db
>> > }
>> >
>> > [root@ops-db001 ~]# puppet agent -t
>> > Info: Retrieving pluginfacts
>> > Info: Retrieving plugin
>> > Info: Loading facts
>> > Error: Could not retrieve catalog from remote server: Error 400 on
>> > SERVER: Invalid tag '-db00.' on node ops-db001.example.dom
>> > Warning: Not using cache on failed catalog
>> > Error: Could not retrieve catalog; skipping run
>> >
>>
>> Which version of Puppet are you using? This problem sounds familiar and
>> may have been fixed in a more recent version of Puppet.
>>
>> - henrik
>>
>> --
>>
>> Visit my Blog "Puppet on the Edge"
>> http://puppet-on-the-edge.blogspot.se/
[Puppet Users] Regex and Hyphen in node definitions
I'm having an issue with trying to use regex with hostnames that have a hyphen in their name. How can I get this to work?

node /^(.*)-(db00)(.*)$/ {
  include role::db
}

[root@ops-db001 ~]# puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Invalid tag '-db00.' on node ops-db001.example.dom
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
[Puppet Users] enabling facts hash
Greetings,

I'm getting ready to spin up a puppet 3.7 environment (Debian Jessie) and was reading about the top level $facts hash that holds the client's facts. The puppet documentation states that it is off by default in the open source version [1].

"Drawbacks: Only works with Puppet 3.5 or later. Disabled by default in open source releases prior to Puppet 4.0."

I grepped the configs on my puppet master and didn't see what config I need to change to enable this feature.

# puppet config print | grep fact
cfacter = false
facts_terminus = facter
inventory_terminus = facter
stringify_facts = true
node_name_fact =
dynamicfacts = memorysize,memoryfree,swapsize,swapfree
pluginfactdest = /var/lib/puppet/facts.d
pluginfactsource = puppet://puppet/pluginfacts
factpath = /var/lib/puppet/lib/facter

Any ideas on how to enable this feature?

Thanks!

-m

[1] https://docs.puppetlabs.com/puppet/latest/reference/lang_facts_and_builtin_vars.html#the-factsfactname-hash
[Puppet Users] Re: enabling facts hash - SOLVED
On Wed, Nov 11, 2015 at 9:42 AM, Matt Zagrabelny <mzagr...@d.umn.edu> wrote:
> Greetings,
>
> I'm getting ready to spin up a puppet 3.7 environment (Debian Jessie)
> and was reading about the top level $facts hash that holds the
> client's facts. The puppet documentation states that it is off by
> default in the open source version [1].
>
> "Drawbacks: Only works with Puppet 3.5 or later. Disabled by default
> in open source releases prior to Puppet 4.0."
>
> I grepped the configs on my puppet master and didn't see what config I
> need to change to enable this feature.
>
> # puppet config print | grep fact
> cfacter = false
> facts_terminus = facter
> inventory_terminus = facter
> stringify_facts = true
> node_name_fact =
> dynamicfacts = memorysize,memoryfree,swapsize,swapfree
> pluginfactdest = /var/lib/puppet/facts.d
> pluginfactsource = puppet://puppet/pluginfacts
> factpath = /var/lib/puppet/lib/facter
>
> Any ideas on how to enable this feature?

From [2]:

trusted_node_data = true (Puppet master/apply only) — This enables the $trusted and $facts hashes, so you can start using them in your own code.

Cheers,

-m

[2] http://docs.puppetlabs.com/puppet/3.8/reference/config_important_settings.html
[Puppet Users] Reusable function/class code
I need to do the same process over and over again for numerous users. What would be the easy way to create a class or function to wrap the following code so that each time I need to do the following it's a single line of code. Currently what I've been doing is copying the 35 lines of code and duplicating it for hundreds of users.

$username_john = hiera ( 'ftp_username_john' )
$password_john = hiera ( 'ftp_password_john' )

user { "${username_john}":
  ensure     => present,
  password   => "${password_john}",
  managehome => false,
  home       => '/incoming',
  groups     => 'sftpusers',
  shell      => '/sbin/nologin',
}

file { "/sftp/${username_john}":
  ensure  => directory,
  owner   => 'root',
  group   => 'root',
  mode    => '0755',
  require => File['/sftp'],
}

file { "/sftp/${username_john}/incoming":
  ensure  => directory,
  owner   => $username_john,
  group   => 'sftpusers',
  mode    => '0755',
  require => File["/sftp/${username_john}"],
}

file { "/sftp/${username_john}/outgoing":
  ensure  => directory,
  owner   => $username_john,
  group   => 'sftpusers',
  mode    => '0755',
  require => File["/sftp/${username_john}"],
}

Matt
Re: [Puppet Users] Puppetdb garbage collection failing
Is that enough of that query result?

We're an OpenStack public cloud provider, so in our cluster we have many network interfaces changing a lot when new virtual networks and machines are created - those are all related to virtual interfaces. Looks like the majority of that table is full of them.

On Monday, September 28, 2015 at 6:45:49 PM UTC+1, Wyatt Alt wrote:
>
> On 09/28/2015 10:39 AM, Wyatt Alt wrote:
>
> On 09/28/2015 05:40 AM, Matt Jarvis wrote:
>
> We seem to have hit a bit of an issue with puppetdb garbage collection.
> Initial symptoms were exceptions in the puppetdb logs :
>
> Retrying after attempt 6, due to: org.postgresql.util.PSQLException: This
> connection has been closed.
>
> And on the postgres side :
>
> LOG: incomplete message from client
>
> Having turned up the logging on postgres, it appears that the query
>
> DELETE FROM fact_paths fp
> WHERE fp.id in ( $some_ids ) AND NOT EXISTS (SELECT 1 FROM facts f
> WHERE f.fact_path_id in ( $some_more_ids ) AND f.fact_path_id = fp.id
> AND f.factset_id <> $26355)
>
> is the culprit. This query is absolutely massive, with over 26000 id's
> specified as parameters - as soon as the query is executed, postgres
> returns incomplete message from client and drops the connection.
>
> puppetdb is 2.3.7-1puppetlabs1
>
> postgres is 9.3
>
> Does anyone have any clues what's going on here ?
>
> Thanks
>
> Matt
>
> Hey Matt,
>
> I can reproduce this by inserting a value at the beginning of an extremely
> large array-valued structured fact, but we'll need to know more about your
> particular data to confirm whether that's your particular issue. This could
> be some large custom fact you're creating or something generated by a
> module.
>
> I've created a ticket here around this issue here
> https://tickets.puppetlabs.com/browse/PDB-2003
>
> can you connect to the database via psql and share (either here or in the
> ticket) the output of
>
> select count(*),name from fact_paths group by name order by count desc;
>
> ?
>
> My hope is that that will identify one or more large structured facts
> associated with a lot of leaf values, and then we'll need to figure out
> where they're coming from.
>
> Wyatt
>
> Just to clarify, I think the top few rows of that result should be enough
> to illustrate -- no need to include the whole thing.
>
> Wyatt
>

--
DataCentred Limited registered in England and Wales no. 05611763
[Puppet Users] Puppetdb garbage collection failing
We seem to have hit a bit of an issue with puppetdb garbage collection. Initial symptoms were exceptions in the puppetdb logs:

  Retrying after attempt 6, due to: org.postgresql.util.PSQLException: This connection has been closed.

And on the postgres side:

  LOG: incomplete message from client

Having turned up the logging on postgres, it appears that the query

  DELETE FROM fact_paths fp
    WHERE fp.id in ( $some_ids ) AND NOT EXISTS (SELECT 1 FROM facts f
      WHERE f.fact_path_id in ( $some_more_ids ) AND f.fact_path_id = fp.id
      AND f.factset_id <> $26355)

is the culprit. This query is absolutely massive, with over 26000 id's specified as parameters - as soon as the query is executed, postgres returns incomplete message from client and drops the connection.

puppetdb is 2.3.7-1puppetlabs1
postgres is 9.3

Does anyone have any clues what's going on here?

Thanks

Matt

--
DataCentred Limited registered in England and Wales no. 05611763
[Puppet Users] Re: Clarification/Question re: Puppet 3.8, Cloud Provisioner, and VMWare
It appears in PE 3.8.1 there is puppetlabs/aws but nothing to replace node_vmware functionality to provision vmware vm's. I cannot find a module, am I missing something ?
Re: [Puppet Users] What's difference between roles and profiles, ENC and Hiera
On Tue, Mar 31, 2015 at 10:16 AM, Dhaval d.josh...@gmail.com wrote:
> Hello,
>
> I am starting learning puppet, I want to understand what is the difference between roles and profiles and ENV and Hiera ? are all different ways of assigning classes or data to host ? can you help to give me brief comparison and what's best suited ?

I'd start with googling and watch some videos and then ask more specific questions.

https://puppetlabs.com/presentations/designing-puppet-rolesprofiles-pattern
http://www.craigdunn.org/2012/05/239/
http://garylarizza.com/blog/2014/02/17/puppet-workflow-part-2/
https://www.youtube.com/watch?v=z9TK-gUNFHk

Enjoy!

-m
Re: [Puppet Users] Re: Puppetlabs-mysql with Percona
Not sure why but it looks like when trying to start Percona, it couldn't create a pid file because there was no /var/run/mysql directory and no permissions set. I had to manually create the folder and set permissions, now it seems to be working.

  package { 'percona-release':
    ensure   => present,
    source   => ' http://www.percona.com/downloads/percona-release/redhat/0.1-3/perc
    provider => rpm,
  }

  file { '/var/run/mysql':
    ensure => directory,
    owner  => 'mysql',
    group  => 'mysql',
  }

  $override_options = {
    'mysqld' => {
      'bind-address'    => '0.0.0.0',
      'max_connections' => '1024',
      'pid-file'        => '/var/run/mysql/mysqld.pid',
      # 'disable-ssl'   => true,
    }
  }

  class { '::mysql::server':
    package_name     => 'Percona-Server-server-56',
    root_password    => "${percona_root}",
    #remove_default_accounts => true,
    service_name     => 'mysql',
    override_options => $override_options,
    require          => [ Package['percona-release'] ],
  }

Matt

On Thu, Mar 26, 2015 at 8:43 AM, Matt Shields m...@mattshields.org wrote:
> I've tried setting the service_name to mysql in the class definition since Percona calls the service mysql instead of mysqld, but I'm still getting errors. Looks like it's now trying to start Percona/mysql but getting errors. Here's the puppet output plus the mysql log.
>
>   class { '::mysql::server':
>     package_name     => 'Percona-Server-server-56',
>     root_password    => "${percona_root}",
>     #remove_default_accounts => true,
>     service_name     => 'mysql',
>     override_options => $override_options,
>     require          => [ Package['percona-release'] ],
>   }
>
> Info: Retrieving pluginfacts
> Info: Retrieving plugin
> Info: Loading facts
> Info: Caching catalog for bidb001
> Info: Applying configuration version '1427372678'
> Notice: /Stage[main]/Profile::Bidb/Package[percona-release]/ensure: created
> Notice: /Stage[main]/Mysql::Server::Install/Package[mysql-server]/ensure: created
> Notice: /Stage[main]/Mysql::Server::Config/File[/etc/mysql]/ensure: created
> Notice: /Stage[main]/Mysql::Server::Config/File[/etc/my.cnf]/ensure: defined content as '{md5}b5f7f94eab5170143b230460be142427'
> Notice: /Stage[main]/Mysql::Server::Config/File[/etc/mysql/conf.d]/ensure: created
> Error: Could not start Service[mysqld]: Execution of '/sbin/service mysql start' returned 1: Starting MySQL (Percona Server).. ERROR! The server quit without updating PID file (/var/run/mysqld.pid).
> Wrapped exception: Execution of '/sbin/service mysql start' returned 1: Starting MySQL (Percona Server).. ERROR! The server quit without updating PID file (/var/run/mysqld.pid).
> Error: /Stage[main]/Mysql::Server::Service/Service[mysqld]/ensure: change from stopped to running failed: Could not start Service[mysqld]: Execution of '/sbin/service mysql start' returned 1: Starting MySQL (Percona Server).. ERROR! The server quit without updating PID file (/var/run/mysqld.pid).
> Error: Could not prefetch mysql_user provider 'mysql': Execution of '/usr/bin/mysql -NBe SELECT CONCAT(User, '@',Host) AS User FROM mysql.user' returned 1: ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111)
> Notice: /Stage[main]/Mysql::Server::Root_password/Mysql_user[root@localhost]: Dependency Service[mysqld] has failures: true
> Warning: /Stage[main]/Mysql::Server::Root_password/Mysql_user[root@localhost]: Skipping because of failed dependencies
> Notice: /Stage[main]/Mysql::Server::Root_password/File[/root/.my.cnf]: Dependency Service[mysqld] has failures: true
> Warning: /Stage[main]/Mysql::Server::Root_password/File[/root/.my.cnf]: Skipping because of failed dependencies
> Notice: /Stage[main]/Mysql::Server/Anchor[mysql::server::end]: Dependency Service[mysqld] has failures: true
> Warning: /Stage[main]/Mysql::Server/Anchor[mysql::server::end]: Skipping because of failed dependencies
> Notice: Finished catalog run in 25.16 seconds
>
> [root@bidb001 ~]# cat /var/log/mysqld.log
> 150326 12:31:45 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
> 2015-03-26 12:31:45 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
> 2015-03-26 12:31:45 21937 [Warning] Using unique option prefix myisam_recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.
> 2015-03-26 12:31:45 21937 [Note] Plugin 'FEDERATED' is disabled.
> 2015-03-26 12:31:45 21937 [Note] InnoDB: Using atomics to ref count buffer pool pages
> 2015-03-26 12:31:45 21937 [Note] InnoDB: The InnoDB memory heap is disabled
> 2015-03-26 12:31:45
Re: [Puppet Users] Re: Puppetlabs-mysql with Percona
plugins will not work.
2015-03-26 12:31:45 21937 [Note] RSA public key file not found: /var/lib/mysql//public_key.pem. Some authentication plugins will not work.
2015-03-26 12:31:45 21937 [Note] Server hostname (bind-address): '0.0.0.0'; port: 3306
2015-03-26 12:31:45 21937 [Note] - '0.0.0.0' resolves to '0.0.0.0';
2015-03-26 12:31:45 21937 [Note] Server socket created on IP: '0.0.0.0'.
2015-03-26 12:31:45 21937 [ERROR] /usr/sbin/mysqld: Can't create/write to file '/var/run/mysqld.pid' (Errcode: 13 - Permission denied)
2015-03-26 12:31:45 21937 [ERROR] Can't start server: can't create PID file: Permission denied
150326 12:31:46 mysqld_safe mysqld from pid file /var/run/mysqld.pid ended

Matt

On Wed, Mar 25, 2015 at 8:45 PM, Elisiano Petrini elisi...@gmail.com wrote:
> Hi Matt,
>
> you might need to override also ::mysql::server::service_name. I don't know what's the service name of percona but it looks like that is not 'mysqld':
>
>   Error: Could not start Service[mysqld]: Execution of '/sbin/service mysqld start' returned 1: mysqld: unrecognized service
>
> Best Regards,
> Elisiano Petrini
>
> On Tuesday, March 24, 2015 at 8:27:37 AM UTC-4, Matt Shields wrote:
>> Does anyone have an example of provisioning Percona MySQL using the puppetlabs-mysql module?
>>
>> Here's my puppet code:
>>
>>   package { 'percona-release':
>>     ensure   => present,
>>     source   => 'http://www.percona.com/downloads/percona-release/redhat/0.1-3/percona-release-0.1-3.noarch.rpm',
>>     provider => rpm,
>>   }
>>
>>   $override_options = {
>>     'mysqld' => {
>>       'bind-address'    => '0.0.0.0',
>>       'max_connections' => '1024',
>>     }
>>   }
>>
>>   class { '::mysql::server':
>>     package_name            => 'Percona-Server-server-56',
>>     root_password           => "${percona_root}",
>>     remove_default_accounts => true,
>>     override_options        => $override_options,
>>     require                 => [ Package['percona-release'] ],
>>   }
>>
>> And here's the output I'm getting.
>>
>> [root@testing-bidb001 ~]# puppet agent -t
>> Info: Retrieving pluginfacts
>> Info: Retrieving plugin
>> Info: Loading facts
>> Info: Caching catalog for testing-bidb001
>> Info: Applying configuration version '1427198241'
>> Notice: /Stage[main]/Profile::Bidb/Package[percona-release]/ensure: created
>> Notice: /Stage[main]/Mysql::Server::Install/Package[mysql-server]/ensure: created
>> Notice: /Stage[main]/Mysql::Server::Config/File[/etc/mysql]/ensure: created
>> Notice: /Stage[main]/Mysql::Server::Config/File[/etc/my.cnf]/ensure: defined content as '{md5}8ef60204b1f3c4d7ffd673f9debc5df1'
>> Notice: /Stage[main]/Mysql::Server::Config/File[/etc/mysql/conf.d]/ensure: created
>> Error: Could not start Service[mysqld]: Execution of '/sbin/service mysqld start' returned 1: mysqld: unrecognized service
>> Wrapped exception: Execution of '/sbin/service mysqld start' returned 1: mysqld: unrecognized service
>> Error: /Stage[main]/Mysql::Server::Service/Service[mysqld]/ensure: change from stopped to running failed: Could not start Service[mysqld]: Execution of '/sbin/service mysqld start' returned 1: mysqld: unrecognized service
>> Error: Could not prefetch mysql_user provider 'mysql': Execution of '/usr/bin/mysql -NBe SELECT CONCAT(User, '@',Host) AS User FROM mysql.user' returned 1: ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)
>> Notice: /Stage[main]/Mysql::Server::Root_password/Mysql_user[root@localhost]: Dependency Service[mysqld] has failures: true
>> Warning: /Stage[main]/Mysql::Server::Root_password/Mysql_user[root@localhost]: Skipping because of failed dependencies
>> Notice: /Stage[main]/Mysql::Server::Root_password/File[/root/.my.cnf]: Dependency Service[mysqld] has failures: true
>> Warning: /Stage[main]/Mysql::Server::Root_password/File[/root/.my.cnf]: Skipping because of failed dependencies
>> Notice: /Stage[main]/Mysql::Server/Anchor[mysql::server::end]: Dependency Service[mysqld] has failures: true
>> Warning: /Stage[main]/Mysql::Server/Anchor[mysql::server::end]: Skipping because of failed dependencies
>> Notice: /Stage[main]/Mysql::Server::Account_security/Mysql_user[@t esting-bidb001.useast.fanmanager.com]: Dependency Service[mysqld] has failures: true
>> Warning: /Stage[main]/Mysql::Server::Account_security/Mysql_user[@t esting-bidb001.useast.fanmanager.com]: Skipping because of failed dependencies
>> Error: Could not prefetch mysql_database provider 'mysql': Execution of '/usr/bin/mysql -NBe show databases' returned 1: ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)
>> Notice: /Stage[main]/Mysql::Server::Account_security/Mysql_database[test]: Dependency Service[mysqld] has failures: true
>> Warning: /Stage[main]/Mysql::Server::Account_security/Mysql_database[test]: Skipping because of failed dependencies
>> Notice: /Stage[main]/Mysql::Server::Account_security/Mysql_user[@testing
[Puppet Users] Puppetlabs-mysql with Percona
]: Dependency Service[mysqld] has failures: true
Warning: /Stage[main]/Mysql::Server::Account_security/Mysql_user[ root@127.0.0.1]: Skipping because of failed dependencies
Notice: /Stage[main]/Mysql::Server::Account_security/Mysql_user[root@testing-bidb001]: Dependency Service[mysqld] has failures: true
Warning: /Stage[main]/Mysql::Server::Account_security/Mysql_user[root@testing-bidb001]: Skipping because of failed dependencies
Notice: Finished catalog run in 20.06 seconds

Matt
[Puppet Users] Re: puppet 3.7.4 using auth.conf file from github - default acl at end apparently preventing access?
Has anyone else come up with a solution for this? We just booted a new puppet master for the first time in a few weeks and it came up with Passenger 5 (we were on 4.0.69) -- and failed. For the time being we've patched our code to use an updated repo location with Passenger 4.x, but we'd like to be able to use 5.

We are seeing the exact same behavior. Puppet 3.7.4 (installed via debian packages), Ubuntu 12.04.

On Friday, March 13, 2015 at 5:14:32 PM UTC-7, Johnson Earls wrote:
> Operating System: Oracle Linux 6.5
> Puppet version: Open Source Puppet 3.7.4 (installed via gems)
> Ruby version: 2.1.0 (locally built package)
> Apache version: 2.2.15
> Passenger version: 5.0.4
>
> I apologise in advance if this post sounds confused and wanders all over; it mirrors its author in that respect.
>
> I'm just getting started with puppet. I've got a small 5-node playground set up to play with. I set it up using the Installing Puppet: From Gems instructions (since I wanted to use a newer version of ruby than the 1.8.7 that Oracle Linux comes with), and I thought everything was going great, getting it running under apache/passenger and everything.
>
> Then I realized I'd forgotten to install the auth.conf file the last time I rebuilt the puppet directories. As soon as I installed that file and restarted httpd, my agents stopped being able to talk to the server, getting an Error 403 Forbidden for every access. The errors, listed here, indicate that the server is recognizing that the client is authenticated, so apparently it's just not recognizing the URLs being accessed:
>
> Warning: Error 403 on SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...) access to /node/ rac03n01-dc2.dc2.responsys.com [find] authenticated at :123
> Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': Error 403 on SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...) access to /file_metadata/pluginfacts [search] authenticated at :123
> Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://puppet/pluginfacts: Error 403 on SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...) access to /file_metadata/pluginfacts [find] authenticated at :123
> Error 403 on SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...) access to /file_metadata/pluginfacts [find] authenticated at :123
> Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': Error 403 on SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...) access to /file_metadata/plugins [search] authenticated at :123
> Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://puppet/plugins: Error 403 on SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...) access to /file_metadata/plugins [find] authenticated at :123
> Error 403 on SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...) access to /file_metadata/plugins [find] authenticated at :123
> Error: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...) access to /catalog/ rac03n01-dc2.dc2.responsys.com [find] authenticated at :123
> Error: Could not send report: Error 403 on SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...) access to /report/ rac03n01-dc2.dc2.responsys.com [save] authenticated at :123
>
> I noticed that the URLs listed (/node/..., /catalog/..., /report/..., and /file_metadata/...) are not listed in the auth.conf at all, but are being inserted by the puppet master:
>
> Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '~ ^/catalog/([^/]+)$' (auth true) ACL
> Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '~ ^/node/([^/]+)$' (auth true) ACL
> Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '/file' (auth ) ACL
> Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '/certificate_revocation_list/ca' (auth true) ACL
> Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '~ ^/report/([^/]+)$' (auth true) ACL
> Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '/certificate/ca' (auth any) ACL
> Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '/certificate/' (auth any) ACL
> Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '/certificate_request' (auth any) ACL
> Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '/status' (auth true) ACL
> Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '/v2.0/environments' (auth true) ACL
>
> However, apparently, the default deny-all ACL at the end of auth.conf (at line 123 as shown in the errors above) is preventing those default ACLs from taking effect. Once I commented out the default deny-all ACL at the end of auth.conf, my access started working again.
>
> Am I reading the logs and auth.conf file
Re: [Puppet Users] Client self-deregistration from PuppetDB
Martijn,

Sorry for the delay ... but yes, in the future we don't mind sharing this 'cert-api' code. Unfortunately today it's not in a terribly share-able state. It was quite literally my 2nd python-program ever, written 3+ years ago, and written in a short-term hacky way because we naively believed that the PuppetLabs folks would ultimately solve the whole 're-signing certificates' problem (seriously ... 2011 ... http://projects.puppetlabs.com/issues/7272).

At this point, we're in the midst of a full puppet-server-redesign, and part of that is going to include a ground-up fresh cert-api daemon. It's simple code, so we should get it done within a few days of beginning, but we just haven't quite started yet. When we do, though, it'll definitely be opensourced.

The basic model is that we set our SSL certs to expire after 30 days. Our clients run a little cron job daily that says "is the cert expiring in the next 5 days?", and if that is true, it reaches out to our puppet masters and gets its cert renewed. We've been doing this for years now, with over 20,000 hosts (not simultaneously of course... just the number of hosts we've launched in 3 years), and had no problems with the model. We'll be adding some additional features to the API to support things like automatic node deregistration in PuppetDB as well.

Matt Wise
Sr. Systems Architect
Nextdoor.com

On Fri, Dec 12, 2014 at 10:40 AM, Martijn mart...@heemels.com wrote:
> Matt, I'd be very interested in that 'cert-api' endpoint code once you've had a chance to work on this. Is there a chance you could open-source that? I think it would be very useful to the community, even if it is imperfect.
>
> Hope you'll consider it,
> Martijn
>
> On Friday, 12 December 2014 18:18:47 UTC+1, Matt W wrote:
>> We already have what we call a 'cert-api' endpoint on our Puppet servers that allows our puppet clients to re-up their SSL certs every 15 days (we expire them very quickly). It's not unreasonable to add functionality to this endpoint allowing a client to request that its own node be destroyed.
[Puppet Users] Disabling a module on a particular node type ...
We're using Puppet to build up a few docker containers, and we find that the puppetlabs-firewall module throws some errors during initial compilation. These errors are ignorable ... but they're obnoxious. Is there a way to explicitly disable a module from being parsed for a particular node type?

  Debug: Puppet::Type::Firewall::ProviderIptables: [instances]
  Error: /Stage[main]/Main/Resources[firewall]: Failed to generate additional resources using 'generate': Command iptables_save is missing

(obviously this is more than just not saying 'include firewall' ... because the provider/types get parsed regardless of whether or not we 'include firewall').

Matt Wise
Sr. Systems Architect
Nextdoor.com
Re: [Puppet Users] Client self-deregistration from PuppetDB
Thanks... I got a few private responses as well that all seemed to be in-line with what I figured we needed to do. It's entirely reasonable for us to have our clients 'curl ...' out to some endpoint to remove themselves at shutdown time. The concern I have is that I'd like to keep our clients from being able to do any other damage to the PuppetDB database while they're at it.

We obviously want to use the Puppet CertName Whitelist in PuppetDB so that only our Puppet servers can send reports/connect to PuppetDB, and none of our clients can. So that said ... I think I may end up going the 'CGI script' route. We already have what we call a 'cert-api' endpoint on our Puppet servers that allows our puppet clients to re-up their SSL certs every 15 days (we expire them very quickly). It's not unreasonable to add functionality to this endpoint allowing a client to request that its own node be destroyed.

That said, I have one question. We don't match our puppet 'node_name' to our puppet 'cert_name's. That is, our certnames are real FQDNs ... but our node names are kind of a combination of an arbitrary node name (like web_server) and the certname. They look something like this web_proxy_thingy|my.fqdn.her.com. In an ideal world, I would be able to tell PuppetDB that the true identifier that I care about is the 'certname' not the 'nodename'. That said, I think in our case we're going to have to do some hackery to figure this out.

Thanks again for the suggestions though.

On Thursday, December 11, 2014 1:04:59 AM UTC-8, Martin Alfke wrote:
> Hi Matt,
>
> On 09 Dec 2014, at 19:58, Matt Wise ma...@nextdoor.com wrote:
>> We boot up/shut-down 50-100 hosts a day on average... we're exploring PuppetDB, but I'm concerned about the model of just 'waiting' for hosts to be purged based on some checkin time. Is there any way to have our hosts send a signal through the puppet-masters (or directly to puppetdb?) to purge themselves when they're being terminated?
>
> You can use the puppetdb rest api: https://docs.puppetlabs.com/puppetdb/2.2/api/index.html
>
> In my actual project we disable hosts via VM management system using this API. Works like a charm.
>
> hth,
> Martin
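The self-deregistration check discussed in this thread, as an added example that is not part of any poster's message and is not Puppet or PuppetDB code: a cert-api style handler that lets a client deactivate only the node whose certname matches its own verified certificate. The function names, the `deactivate` callback and the premise that the TLS front end hands over the verified subject CN are assumptions; the `role|certname` node-name format is the one described in the message above.

```python
"""Added example: a client may ask for its own node to be removed, nothing else."""
import re
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# A plain lower-case FQDN; anything else (wildcards, paths, extra separators)
# is rejected before it can reach the PuppetDB call.
_FQDN_RE = re.compile(
    r"(?=.{1,253}\Z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}"
)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    certname: Optional[str]
    reason: str


def normalise_certname(name) -> Optional[str]:
    """Lower-case, trim whitespace and trailing dots; None if not FQDN-shaped."""
    if not isinstance(name, str):
        return None
    candidate = name.strip().rstrip(".").lower()
    return candidate if _FQDN_RE.fullmatch(candidate) else None


def certname_from_node_name(node_name) -> Optional[str]:
    """Pull the certname out of a 'role|certname' node name.

    A bare FQDN (no '|') is accepted as the certname itself; more than one
    '|' is treated as malformed rather than guessed at.
    """
    if not isinstance(node_name, str) or node_name.count("|") > 1:
        return None
    _, _, tail = node_name.rpartition("|")
    return normalise_certname(tail)


def authorise_deregistration(verified_cn, requested_node) -> Decision:
    """Allow the request only when the target is the caller's own certname.

    verified_cn is assumed to be the subject CN that the TLS layer verified
    against the Puppet CA, never a value taken from the request body.
    """
    cn = normalise_certname(verified_cn)
    if cn is None:
        return Decision(False, None, "no verified client certificate")
    target = certname_from_node_name(requested_node)
    if target is None:
        return Decision(False, None, "malformed node name")
    if target != cn:
        return Decision(False, None, "client may only deregister itself")
    return Decision(True, cn, "ok")


def handle_request(verified_cn, requested_node,
                   deactivate: Callable[[str], None]) -> Tuple[int, str]:
    """Run the check, then call `deactivate(certname)` (hypothetical callback).

    The callback is where the server, using its own whitelisted certificate,
    would talk to PuppetDB; clients never get PuppetDB access themselves.
    """
    decision = authorise_deregistration(verified_cn, requested_node)
    if not decision.allowed:
        return 403, decision.reason
    deactivate(decision.certname)
    return 200, decision.reason


if __name__ == "__main__":
    # Constructed sample requests: (verified CN, node name sent by the client).
    samples = [
        ("my.fqdn.her.com", "web_proxy_thingy|my.fqdn.her.com"),
        ("my.fqdn.her.com", "web_proxy_thingy|other.fqdn.her.com"),
        (None, "web_proxy_thingy|my.fqdn.her.com"),
    ]
    for cn, node in samples:
        print(cn, node, handle_request(cn, node, lambda c: None))
```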
[Puppet Users] Client self-deregistration from PuppetDB
We boot up/shut-down 50-100 hosts a day on average... we're exploring PuppetDB, but I'm concerned about the model of just 'waiting' for hosts to be purged based on some checkin time. Is there any way to have our hosts send a signal through the puppet-masters (or directly to puppetdb?) to purge themselves when they're being terminated?

Matt Wise
Sr. Systems Architect
Nextdoor.com
Re: [Puppet Users] Using Puppetdb-terminus via rubygems...?
Thanks for that Ken... This morning I found a gem 'md-puppetdb-terminus' that someone has published that works perfectly, thankfully.

Matt Wise
Sr. Systems Architect
Nextdoor.com

On Mon, Dec 8, 2014 at 2:01 AM, Ken Barber k...@puppetlabs.com wrote:
>> We have entirely-gem based Puppet masters (no Ubuntu packages installing Puppet)... we're trying to add in the puppetdb-terminus gemfile. We have it configured, and installed:
>>
>> # gem list | grep -i puppet
>> hiera-puppet (1.0.0)
>> puppet (3.7.3)
>> puppet-catalog-test (0.3.1)
>> puppet-lint (1.0.1)
>> puppet-syntax (1.3.0)
>> puppetdb-terminus (1.0)
>> puppetlabs_spec_helper (0.8.2)
>> rspec-hiera-puppet (1.0.0)
>
> That is not an official gem for puppetdb-terminus :-). Someone uploaded it in the past, I think its a dud.
>
> We don't really ship a rubygem, we do have a gemfile however:
>
> https://github.com/puppetlabs/puppetdb/tree/master/contrib/gem
>
> That can be used to create your own gem.
>
>> We're running into a problem with our Unicorn/Nginx config though...
>>
>> puppet-master[17213]: Could not configure routes from /etc/puppet/routes.yaml: Could not find terminus puppetdb for indirection facts
>>
>> Is there something special we need to do to the config.ru or something so that it can find the puppetdb terminus from the gem thats installed?
>
> That just looks like the necessary ruby library files aren't in place, probably due to the bad gem.
>
> ken.
Re: [Puppet Users] Using Puppetdb-terminus via rubygems...?
+1

Matt Wise
Sr. Systems Architect
Nextdoor.com

On Mon, Dec 8, 2014 at 9:34 AM, Darin Perusich da...@darins.net wrote:
> On Mon, Dec 8, 2014 at 5:01 AM, Ken Barber k...@puppetlabs.com wrote:
>>> We have entirely-gem based Puppet masters (no Ubuntu packages installing Puppet)... we're trying to add in the puppetdb-terminus gemfile. We have it configured, and installed:
>>>
>>> # gem list | grep -i puppet
>>> hiera-puppet (1.0.0)
>>> puppet (3.7.3)
>>> puppet-catalog-test (0.3.1)
>>> puppet-lint (1.0.1)
>>> puppet-syntax (1.3.0)
>>> puppetdb-terminus (1.0)
>>> puppetlabs_spec_helper (0.8.2)
>>> rspec-hiera-puppet (1.0.0)
>>
>> That is not an official gem for puppetdb-terminus :-). Someone uploaded it in the past, I think its a dud.
>
> If this isn't official, would Puppet Labs be willing to have it removed or publish the gem?
>
>> We don't really ship a rubygem, we do have a gemfile however:
>>
>> https://github.com/puppetlabs/puppetdb/tree/master/contrib/gem
>>
>> That can be used to create your own gem.
>>
>>> We're running into a problem with our Unicorn/Nginx config though...
>>>
>>> puppet-master[17213]: Could not configure routes from /etc/puppet/routes.yaml: Could not find terminus puppetdb for indirection facts
>>>
>>> Is there something special we need to do to the config.ru or something so that it can find the puppetdb terminus from the gem thats installed?
>>
>> That just looks like the necessary ruby library files aren't in place, probably due to the bad gem.
>>
>> ken.
[Puppet Users] Using Puppetdb-terminus via rubygems...?
We have entirely-gem based Puppet masters (no Ubuntu packages installing Puppet)... we're trying to add in the puppetdb-terminus gemfile. We have it configured, and installed:

    # gem list | grep -i puppet
    hiera-puppet (1.0.0)
    puppet (3.7.3)
    puppet-catalog-test (0.3.1)
    puppet-lint (1.0.1)
    puppet-syntax (1.3.0)
    puppetdb-terminus (1.0)
    puppetlabs_spec_helper (0.8.2)
    rspec-hiera-puppet (1.0.0)

We're running into a problem with our Unicorn/Nginx config though...

    puppet-master[17213]: Could not configure routes from /etc/puppet/routes.yaml: Could not find terminus puppetdb for indirection facts

Is there something special we need to do to the config.ru or something so that it can find the puppetdb terminus from the gem that's installed?
Re: [Puppet Users] Announce: Puppet Server 0.2.0
On Tue, Sep 23, 2014 at 2:03 PM, Gabriel Filion gabs...@lelutin.ca wrote:

On 23/09/14 12:11 PM, Nate Wolfe wrote:

We are thrilled to announce the preview release of Puppet Server, our newest open source project. Puppet Server is a next-generation alternative to our current Puppet master, which builds on the successful Clojure technology stack underlying projects like PuppetDB.

so... is it the long term goal to phase out the ruby-based puppet master when the clojure-based one is mature enough?

Hopefully someone closer to the situation (and with more authority) will respond, but yes that is what I was told at a Puppet training in March.

-m
Re: [Puppet Users] Re: Announce: Facter 2.2.0
I'll start out by saying that we've worked around the problem ... but, when you're operating in cloud and constantly booting new machines, dependencies like Facter are rarely explicitly versioned. That is to say, often you will see someone pin the version of Puppet that they install, but they may not pin the version of Facter because it's just one of many Puppet dependencies. That means that it's unlikely that people will read the release notes before they find themselves surprised that Facter is suddenly reporting new and interesting information.

I honestly think it's better practice to revert the change and then plan a future major version release where you flip that setting. You could add in a big warning-message that says 'hey, in the next release we're going to break $lsbmajdistrelease...' which would get people's attention too.

All of that said, we're fixed now .. so I'll stop griping. :)

Matt Wise
Sr. Systems Architect
Nextdoor.com

On Wed, Aug 27, 2014 at 3:51 PM, Kylo Ginsberg k...@puppetlabs.com wrote:

On Tue, Aug 26, 2014 at 11:57 PM, Daniele Sluijters daniele.sluijt...@gmail.com wrote:

Hey, I agree with the spirit of the fix but the fact that it isn't mentioned anywhere in the release notes is a bit annoying.

Yep, it's a release notes fail, and it happened because we didn't track the change with separate tickets. What happened is we made this change as part of adding lsbminordistrelease (FACT-637 https://tickets.puppetlabs.com/browse/FACT-637) and adding the new 'os' structured fact (FACT-614 https://tickets.puppetlabs.com/browse/FACT-614), but it wasn't called out separately.

Anyway that's an explanation, but not really an excuse - we dropped the ball on publicizing this change. We've added tickets for the changes and pushed updated release notes for facter 2.2 here https://docs.puppetlabs.com/facter/2.2/release_notes.html.

I personally also consider this a backwards incompatible release, you're changing old behaviour. Albeit for the better, but people depended on that behaviour and no prior warning or deprecation warning was issued.

Although we clearly should have documented this differently, since it's in the wild and there's consensus that this change *is* for the better, we'd like to leave it be. But going forward there's a question about how to handle changes to fact *values*. One proposal is that we identify (and of course test against) some essential facts that we care a lot about (such as 'lsbmajdistrelease') and set some rules, like:

(a) we do not change those in x.y.Z releases
(b) we highlight it when they DO change in x.Y or X releases

Do also keep in mind that though we can easily fix our own manifests with a regexp match, since the launch of the Forge people have started to use more and more modules maintained by others. Unless the maintainer has already issued an update you're stuck with manually patching an upstream module and carrying that change. Depending on how you deploy your environment this might be difficult to do.

I grep'd my way through forge modules looking for affected modules and there are actually just a handful (3 related to postgresql, and 3 others). I'll ping those authors to let them know. There's already a fix in for puppetlabs-postgresql.

Btw, one last thing: another plug for the recently announced https://groups.google.com/forum/#!topic/puppet-users/gtXrUgQZmJ0 nightly repos, which would have exposed this issue if we'd had repos all in place ahead of time (this change went in two weeks before release).

Thanks!

-- Kylo Ginsberg k...@puppetlabs.com
Re: [Puppet Users] Re: Announce: Facter 2.2.0
+2 here. I support the fix -- but not in a minor-revision of the tool. In our case, it was indeed a reasonably simple regex change everywhere, but the potential for failure around puppet-forge modules is massive here. I strongly recommend reverting this change and releasing it in a 3.xx version of Facter.

Matt Wise
Sr. Systems Architect
Nextdoor.com

On Wed, Aug 27, 2014 at 5:49 AM, Konrad Scherer konrad.sche...@windriver.com wrote:

On 08/26/2014 04:42 PM, Will Hopper wrote:

Hi, Mark! Thanks for raising your concerns on this.

This change was actually intentional, as we have been reporting the Ubuntu major release incorrectly for some time in Facter. In most platforms, splitting on the first ‘.’ of an X.Y.Z release would be a sane way of determining the major release, but Ubuntu does its versioning a bit differently. Given the Ubuntu release 10.04, the major version isn't actually 10; it's 10.04 and 10.10 isn't a patch release to 10.04. When Ubuntu does do a minor release for a distribution, they add it as the Z part of the X.Y.Z - for example, 14.04.1 should have a major release of 14.04 and a minor release of 1, not 4.

Thus, our inclination here is to correct the long-standing, incorrect version reporting we’ve historically had for Ubuntu. A simple, backwards-compatible way to work with this value in your existing manifests would be to use an approximate regex match on the fact value, i.e:

    `if $lsbmajdistrelease =~ /^12/ …`

I also agree with the rationale of the fix, but I have lsbmajdistrelease in my hiera config and this workaround does not work there. A quick grep through my puppet manifest repo shows several modules like postgres broken by this change [1]. Some warnings, deprecations, clear release notes and work to make sure modules are compatible with the change would have made this transition much less painful for everyone. A backwards compatible release shouldn't require so many code changes to maintain behavior.

[1]: https://github.com/puppetlabs/puppetlabs-postgresql/blob/master/manifests/params.pp#L121

-- Konrad Scherer, MTS, Linux Products Group, Wind River
[Puppet Users] Order preference for defines
I'm running Puppet 3.4.3 and was wondering is there a way to call the defines below in the order they're written. The problem I'm having is while using Opentable/IIS forge module, I want to delete the Default Web Site which is running on port 80, then create a new site which runs on 80. What happens is Puppet is running the second manage site Manager which creates it but fails to start the virtual host because it hasn't deleted the Default Web Site yet and there's a port conflict.

    iis::manage_app_pool { 'DefaultAppPool':
      managed_runtime_version => 'v4.0',
    }

    iis::manage_site { 'Default Web Site':
      ensure    => absent,
      site_path => '%SystemDrive%\inetpub\wwwroot',
      app_pool  => 'DefaultAppPool',
    }

    iis::manage_site { 'Manager':
      site_path   => 'c:\inetpub\wwwroot',
      port        => '80',
      ip_address  => '*',
      app_pool    => 'DefaultAppPool',
      update_path => false,
    }

Matt
[Puppet Users] Re: Announce: Facter 2.2.0
Hey we got this installed on some new systems yesterday and we found that in Ubuntu 12 the `lsbmajdistrelease` fact has changed suddenly from `12` to `12.04`! This actually broke quite a few of our manifests, and is fundamentally broken I believe. The major dist release version is '12'. Has anyone else seen this?

    root@dev-mwise-test-array-9-i-8046108d:~# facter -p | grep lsb
    lsbdistcodename = precise
    lsbdistdescription = Ubuntu 12.04.3 LTS
    lsbdistid = Ubuntu
    lsbdistrelease = 12.04
    *lsbmajdistrelease = 12.04*
    lsbrelease = core-2.0-amd64:core-2.0-noarch:core-3.0-amd64:core-3.0-noarch:core-3.1-amd64:core-3.1-noarch:core-3.2-amd64:core-3.2-noarch:core-4.0-amd64:core-4.0-noarch
    os = {release={full=12.04, major=12.04}, name=Ubuntu, family=Debian, lsb={release=core-2.0-amd64:core-2.0-noarch:core-3.0-amd64:core-3.0-noarch:core-3.1-amd64:core-3.1-noarch:core-3.2-amd64:core-3.2-noarch:core-4.0-amd64:core-4.0-noarch, majdistrelease=12.04, distcodename=precise, distrelease=12.04, distdescription=Ubuntu 12.04.3 LTS, distid=Ubuntu}}
    root@dev-mwise-test-array-9-i-8046108d:~# dpkg --list | grep -i facter
    ii facter 2.2.0-1puppetlabs1 Ruby module for collecting simple facts about a host operating system
    root@dev-mwise-test-array-9-i-8046108d:~#

and after downgrading Facter..

    Processing triggers for man-db ...
    Setting up facter (2.1.0-1puppetlabs1) ...
    root@dev-mwise-test-array-9-i-8046108d:~# facter -p | grep lsb
    lsbdistcodename = precise
    lsbdistdescription = Ubuntu 12.04.3 LTS
    lsbdistid = Ubuntu
    lsbdistrelease = 12.04
    *lsbmajdistrelease = 12*
    lsbrelease = core-2.0-amd64:core-2.0-noarch:core-3.0-amd64:core-3.0-noarch:core-3.1-amd64:core-3.1-noarch:core-3.2-amd64:core-3.2-noarch:core-4.0-amd64:core-4.0-noarch

On Monday, August 25, 2014 4:45:27 PM UTC-7, Adrien Thebo wrote:

Facter 2.2.0 is a backward-compatible features-and-fixes release in the Facter 2 series. The release adds structured versions of several core fact types and contains backports of facts that were merged into Facter master but were not released in Facter 2.0.1.

Headline features

- new structured facts: os, system_uptime, processors

To download Facter, follow the instructions here: http://docs.puppetlabs.com/guides/install_puppet/pre_install.html

Release notes are available here: http://docs.puppetlabs.com/facter/latest/release_notes.html

To see a complete list of issues fixed in this release: https://tickets.puppetlabs.com/issues/?filter=12624

We're tracking bugs people find in this release with the Affected Version field set to 2.2.0: https://tickets.puppetlabs.com/issues/?filter=12623

-- Adrien Thebo | Puppet Labs
Re: [Puppet Users] Re: Confused Puppet Manifest ... Possible caching issue?
It's tricky because we use an ELB in front of the puppet masters, and we know that the calls to the /node/node_name REST API are coming from the ELB, but because of the way we have the ELB configured (pure TCP passthrough), we don't get the extra headers like the x_forwarded_for header. This makes it hard to tell where the requests for the node information are coming from.

That said, it feels odd that the puppet master itself would reach out to its own Node API to get node information, rather than just using the information passed in for the catalog request.

Matt Wise
Sr. Systems Architect
Nextdoor.com

On Mon, Aug 25, 2014 at 7:29 AM, jcbollinger john.bollin...@stjude.org wrote:

On Friday, August 22, 2014 9:38:20 AM UTC-5, Matt W wrote:

Even with the caching disabled, I think we ran into this again. Can one of the puppet-devs chime in here and let me know what might be going on?

I am not among the Puppet developers, but I think I already touched on the likely problem in your other thread. You have multiple nodes identifying themselves to Puppet as the same machine, and if you rely on facts that differ among identity-sharing nodes then you are poking at exactly the point where your shared-identity model breaks down.

Even so, I think your approach would probably work if you serialized catalog requests, e.g. by using the built-in webrick server, since it seems likely that you are experiencing a race on the server. Specifically, I suspect you'll find that those calls to the REST API are all originating from the master itself. If an ENC is in use then it would be high on my list of suspects.

John
Re: [Puppet Users] Re: Puppet 'node data' when using common node_names?
Comments inline

Matt Wise
Sr. Systems Architect
Nextdoor.com

On Mon, Aug 25, 2014 at 6:55 AM, jcbollinger john.bollin...@stjude.org wrote:

On Saturday, August 23, 2014 12:46:59 PM UTC-5, Matt W wrote:

Will, Thanks for the response. I know it's a bit of a unique model -- but when you think about it, it makes a decent amount of sense. We run hundreds of nodes that are fundamentally similar

And therein is one of the key problems: similar, not identical. If any node facts (including $hostname, $fqdn, etc.) vary among these hosts that are identifying themselves to the master as the *same machine*, then you are putting yourself at risk for problems. Moreover, if security around your puppet catalogs is a concern for you, then be aware that positioning your node-type certificates as a shared resource makes it far more likely that they will be breached. Additionally, you cannot limit which machines can get configuration from your master.

To be very clear, we do not share certs across nodes. We absolutely use independent certs and sign them uniquely -- in fact, bug #7244 https://projects.puppetlabs.com/issues/7244 was opened by me specifically for improving the security around SSL certs and auto signing. We make heavy use of dynamic CSR facts to securely sign our keys. More specifically, we've been waiting for the CSR attribute system to allow us to embed the puppet 'node type' (note, not identifier) in the SSL certs so that clients can't possibly retrieve a node type that isn't their own. (Bug #7243 https://projects.puppetlabs.com/issues/7243). It looks like this has been finally implemented, so we'll be looking into using it very soon ( here https://docs.puppetlabs.com/puppet/latest/reference/ssl_attributes_extensions.html#extension-requests-permanent-certificate-data ).

Lest it didn't catch your eye as it went by, I re-emphasize that Puppet is built around the idea that a machine's SSL certname is a unique machine identifier within the scope of your certificate authority. What you are doing can work with Puppet, but you will run into issues such as the file naming effects you asked about.

.. i.e. this is a web server, it gets the XYZ package installed and this is a web server, it gets the ABC package installed. Using hostnames to identify the system's node-definition makes very little sense and leaves quite a bit of room for error. Explicitly setting the node-type as a fact allows us to re-use the same node types but for many different environments and keeps host-names out of the mix.

Classifying based on a fact instead of based on host name is a fine idea, provided that you are willing to trust clients to give their type accurately to the server. Having accepted that risk, however, you do not by any means need the node-type fact to be expressed to the master as the node's *identity*. It could as easily be expressed via an ordinary fact. In particular, your site manifest does not need a separate node block for each node [identity], nor even to enumerate all the known node names. In fact, it doesn't need any node blocks at all if you are not going to classify based on node identity. Even if you're using an ENC, it is possible for it to get the node facts to use for classification.

Using a combination of both our nodes self-identifying themselves as well as the puppet node name architecture allows us to leverage the security of the 'auth' config file, while also having dynamically configured nodes where hostname doesn't matter. Realistically, hostnames are a terrible method for security ... someone could always break into a 'www' server and rename it to 'prod-db-thingy' and have it match the regex and subsequently get the database puppet manifest. (Just as a stupid simple example).

For what it's worth, our old model was a single 'default' node type and a simple fact ('base_class=my_web_server'). This worked extremely well, but left us more open to basically any client being able to request any catalog compilation. The auth-file in this world was effectively useless for preventing already-verified nodes from doing bad things.

For example, I can quickly boot up a prod-mwise-dev-test-web-sever-thingy using the same node definition as our prod-frontend-host for some testing, without worrying about the hostname regex structure.

And you could do that, too, with a plain fact.

Anyways that said ... what I'm really interested in knowing is why the puppet-agents are pulling DOWN their node information from the puppet masters?

Can you say a bit more about that? What do you see that suggests agents are pulling down node information other than their catalogs (and later, any 'source'd files)?

With nearly every puppet catalog compile, we also see GET requests like this:

    10.216.61.76 - XXX - puppet GET /production/node/xyz? HTTP/1.1 200 13733 - - 0.021

Where 10.216.61.76 is *not* the local IP of the puppet master... it's the remote
Re: [Puppet Users] Confused Puppet Manifest ... Possible caching issue?
The log shows the remote connecting IP -- but the IP is the ELB in front of our puppet servers. Unfortunately because we're doing pure TCP-passthrough, ELB logging itself is not useful either in this case. :/

Matt Wise
Sr. Systems Architect
Nextdoor.com

On Mon, Aug 25, 2014 at 2:08 PM, Felix Frank felix.fr...@alumni.tu-berlin.de wrote:

On 08/14/2014 07:24 PM, Matt Wise wrote:

1. What is the purpose of calling the Node API? Is the agent doing this? Why?

That's a good one. Does your log not indicate where those calls originate?
Re: [Puppet Users] Re: Puppet 'node data' when using common node_names?
Will, Thanks for the response. I know it's a bit of a unique model -- but when you think about it, it makes a decent amount of sense. We run hundreds of nodes that are fundamentally similar .. i.e. this is a web server, it gets the XYZ package installed and this is a web server, it gets the ABC package installed. Using hostnames to identify the system's node-definition makes very little sense and leaves quite a bit of room for error. Explicitly setting the node-type as a fact allows us to re-use the same node types but for many different environments and keeps host-names out of the mix.

For example, I can quickly boot up a prod-mwise-dev-test-web-sever-thingy using the same node definition as our prod-frontend-host for some testing, without worrying about the hostname regex structure.

Anyways that said ... what I'm really interested in knowing is why the puppet-agents are pulling DOWN their node information from the puppet masters? Is it possible that they do an upload of node information, then ask for that information back, then somehow use the downloaded information for their catalog request? I could see some interesting race conditions if that was the case.

Matt Wise
Sr. Systems Architect
Nextdoor.com

On Fri, Aug 22, 2014 at 7:11 PM, Wil Cooley wcoo...@nakedape.cc wrote:

On Aug 22, 2014 7:37 AM, Matt W m...@nextdoor.com wrote:

Anyone have any thoughts on this?

I have to say, using an identical node name as a way of assigning the node's role is an interesting approach. I would not be surprised if you run into other difficulties with this approach; some even harder to find. Even something like an appended unique identifier, such as from the host ID, MAC address, serial number, hashed SHA1, etc would have been better.

Be that as it may, life would be dull if we didn't have to live with the sins of the past.

You might check the config guide https://docs.puppetlabs.com/references/3.6.latest/configuration.html but in thinking about it, if you found a setting and tried to use a fact in it, you'd probably just get the master's fact.

The reports, at least, should be easy - since they're pluggable, you could copy the existing lib/puppet/reports/store.rb to a new name module and tweak the storage location.

Wil

On Thursday, August 14, 2014 10:39:16 AM UTC-7, Matt W wrote:

We noticed that our puppet reports and our puppet node data stored on our puppet servers is always written out in the form of the 'node name'. So when we use a node name like 'prod_webserver' across many webserver machines, we get a tree of reports and node data like this:

    /var/lib/puppet/yaml/node/prod_web.yaml
    /var/lib/puppet/yaml/facts/prod_web.yaml
    /var/lib/puppet/reports/prod_web
    /var/lib/puppet/reports/prod_web/201408130200.yaml
    /var/lib/puppet/reports/prod_web/201408140811.yaml
    /var/lib/puppet/reports/prod_web/201408121328.yaml
    /var/lib/puppet/reports/prod_web/201408130743.yaml
    /var/lib/puppet/reports/prod_web/201408140454.yaml

Where each of those reports likely reflects a compilation run for a different host... and the facts/node files at the top are getting constantly re-written as new clients come in. Is there a way to change the behavior of the data there to be written out based on the ${::fqdn} of the host (or certname) rather than its node name?

(our client puppet configs ...)

    [main]
    ...
    node_name = facter
    node_name_fact = puppet_node

(a client puppet fact file...)

    puppet_node=prod_web
    puppet_environment=production
    package=frontend=some-version-here
    app_group=us1
[Puppet Users] Re: Puppet 'node data' when using common node_names?
Anyone have any thoughts on this?

On Thursday, August 14, 2014 10:39:16 AM UTC-7, Matt W wrote:

We noticed that our puppet reports and our puppet node data stored on our puppet servers is always written out in the form of the 'node name'. So when we use a node name like 'prod_webserver' across many webserver machines, we get a tree of reports and node data like this:

    /var/lib/puppet/yaml/node/prod_web.yaml
    /var/lib/puppet/yaml/facts/prod_web.yaml
    /var/lib/puppet/reports/prod_web
    /var/lib/puppet/reports/prod_web/201408130200.yaml
    /var/lib/puppet/reports/prod_web/201408140811.yaml
    /var/lib/puppet/reports/prod_web/201408121328.yaml
    /var/lib/puppet/reports/prod_web/201408130743.yaml
    /var/lib/puppet/reports/prod_web/201408140454.yaml

Where each of those reports likely reflects a compilation run for a different host... and the facts/node files at the top are getting constantly re-written as new clients come in. Is there a way to change the behavior of the data there to be written out based on the ${::fqdn} of the host (or certname) rather than its node name?

(our client puppet configs ...)

    [main]
    ...
    node_name = facter
    node_name_fact = puppet_node

(a client puppet fact file...)

    puppet_node=prod_web
    puppet_environment=production
    package=frontend=some-version-here
    app_group=us1
[Puppet Users] Re: Confused Puppet Manifest ... Possible caching issue?
Even with the caching disabled, I think we ran into this again. Can one of the puppet-devs chime in here and let me know what might be going on?

On Thursday, August 14, 2014 10:25:06 AM UTC-7, Matt W wrote:

I've got a pretty strange issue here. Imagine we have two servers... *ServerA* and *ServerB*. Last night *ServerB* pulled down some configuration bits from our puppet servers and tried to re-name itself to *ServerA*.

How? Well there's two things that may have triggered this behavior.

1. We use a custom Puppet Node Name fact to set our node names, rather than the hostnames:

    [main]
    ...
    # Use the fact 'puppet_node' as our node classifier rather than the hostname.
    node_name = facter
    node_name_fact = puppet_node

2. We have Nginx proxy_cache all of our GET/HEAD requests to avoid hammering the Puppet Master processes with calls to the mostly static content like templates:

    # Never, ever, ever cache our certificate or API requests... always pass them to the puppet master.
    location ~ /(.*)/certificate(.*)/(.*)$ {
        proxy_pass http://unicorn;
    }

    # If a request comes in for the 'master' environment, do not cache it at all
    location ~ /master/(.*)$ {
        proxy_pass http://unicorn;
    }

    location / {
        # Cache all requests to the Puppet Unicorn process for at least 10 minutes.
        proxy_cache nginx;
        proxy_cache_methods GET HEAD;
        proxy_cache_key $scheme$proxy_host$request_uri;
        proxy_cache_valid 10m;
        proxy_cache_valid 404 1m;
        proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;
        proxy_pass http://unicorn;
    }

Digging into the logs, it looks like we're caching a bit too much and are actually caching the /env/node/puppet node name queries. Here you can see that we generate the results once, then return cached results on the next several queries:

    GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.021
    GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.000
    GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.000
    GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.000
    GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.000
    GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.000

So, I have two questions ..

1. What is the purpose of calling the Node API? Is the agent doing this? Why?
2. Is it possible that if an agent called the node api and got its own node information that was wrong, it could then request an invalid catalog?

(Note, we're running Puppet 3.4.3 behind Nginx with Unicorn... and yes, even though we use a single node name for these machines, they use different 'facts' to define which packages and roles they are serving up...)

Matt Wise
Sr. Systems Architect
Nextdoor.com
[Puppet Users] Confused Puppet Manifest ... Possible caching issue?
I've got a pretty strange issue here. Imagine we have two servers... *ServerA* and *ServerB*. Last night *ServerB* pulled down some configuration bits from our puppet servers and tried to re-name itself to *ServerA*.

How? Well, there's two things that may have triggered this behavior.

1. We use a custom Puppet Node Name fact to set our node names, rather than the hostnames:

    [main]
    ...
    # Use the fact 'puppet_node' as our node classifier rather than the hostname.
    node_name = facter
    node_name_fact = puppet_node

2. We have Nginx proxy_cache all of our GET/HEAD requests to avoid hammering the Puppet Master processes with calls to the mostly static content like templates:

    # Never, ever, ever cache our certificate or API requests... always pass them to the puppet master.
    location ~ /(.*)/certificate(.*)/(.*)$ { proxy_pass http://unicorn; }

    # If a request comes in for the 'master' environment, do not cache it at all
    location ~ /master/(.*)$ { proxy_pass http://unicorn; }

    location / {
        # Cache all requests to the Puppet Unicorn process for at least 10 minutes.
        proxy_cache nginx;
        proxy_cache_methods GET HEAD;
        proxy_cache_key $scheme$proxy_host$request_uri;
        proxy_cache_valid 10m;
        proxy_cache_valid 404 1m;
        proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;
        proxy_pass http://unicorn;
    }

Digging into the logs, it looks like we're caching a bit too much and are actually caching the /env/node/puppet node name queries. Here you can see that we generate the results once, then return cached results on the next several queries:

    GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.021
    GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.000
    GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.000
    GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.000
    GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.000
    GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.000

So, I have two questions ..

1. What is the purpose of calling the Node API? Is the agent doing this? Why?
2. Is it possible that if an agent called the node api and got its own node information that was wrong, it could then request an invalid catalog?

(Note, we're running Puppet 3.4.3 behind Nginx with Unicorn... and yes, even though we use a single node name for these machines, they use different 'facts' to define which packages and roles they are serving up...)

Matt Wise
Sr. Systems Architect
Nextdoor.com
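Added example, not part of the original post: a log audit for the condition described above, flagging per-node API responses that appear to have been served from the proxy cache. The log format is the one quoted in the post; the sample lines, the function names, the set of per-node endpoints ("node", "catalog") and the use of a near-zero response time as the cache-hit signal are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the post:
# request line, status, bytes, two unused fields, response time in seconds.
SAMPLE_LOG = """\
GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.021
GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.000
GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.000
GET /production/file_metadata/modules/example/motd HTTP/1.1 200 310 - - 0.000
GET /master/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.019
"""

LINE_RE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d "
    r"(?P<status>\d{3}) (?P<bytes>\d+) \S+ \S+ (?P<secs>\d+\.\d+)$"
)
# /<environment>/<endpoint>/<key>, query string ignored.
PATH_RE = re.compile(r"^/(?P<env>[^/]+)/(?P<endpoint>[^/?]+)/(?P<key>[^?]*)")


def parse(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = PATH_RE.match(m["uri"])
    if not p:
        return None
    return {"env": p["env"], "endpoint": p["endpoint"], "key": p["key"],
            "status": int(m["status"]), "secs": float(m["secs"])}


def cached_per_node_responses(log_text, per_node=("node", "catalog"),
                              hit_threshold=0.001):
    """Count 200 responses on per-node endpoints that returned faster than
    hit_threshold seconds, i.e. likely came from the proxy cache."""
    findings = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["endpoint"] not in per_node:
            continue
        if rec["status"] == 200 and rec["secs"] < hit_threshold:
            findings[(rec["env"], rec["endpoint"], rec["key"])] += 1
    return dict(findings)


if __name__ == "__main__":
    for (env, endpoint, key), n in cached_per_node_responses(SAMPLE_LOG).items():
        print(f"{n} likely cached response(s): /{env}/{endpoint}/{key}")
```

Response time is only a heuristic; adding nginx's `$upstream_cache_status` variable to the access-log format records HIT or MISS directly.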