[Puppet Users] passing arguments by name instead of position for functions

['Matt Zagrabelny' via Puppet Users]

Hello,

I have a variety of hashes that have similar content:

$h = {
'foo1' => 'bar',
[...]
'foo99' => 'baz',
'foo100' => 'h',
}

$g = {
'foo1' => 'bar',
[...]
'foo99' => 'baz',
'foo100' => 'g',
}

I'd like to have a function or similar mechanism:

$h = helper_module::get_hash_defaults()

but be able to override various keys/parameters in the get_hash_defaults 
function:

$h = helper_module::get_hash_defaults(
'foo100' => 'h',
)

$h = helper_module::get_hash_defaults(
'foo100' => 'g',
)

but functions only take parameters by position.

Does anyone have any clever hacks I could try to mimic passing arguments by 
name?

Thanks for any help!

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/e39f696b-a908-461b-a5fb-44a52a28e83bn%40googlegroups.com.

Re: [Puppet Users] hiera 5 postgresql backend

['Matt Zagrabelny' via Puppet Users]

On Fri, Apr 15, 2022 at 12:34 PM Matt Zagrabelny  wrote:

> Hi Martin,
>
> Thanks for the email. I understand your concerns about using other
> backends. We have a reasonably small puppet deployment, so I think I will
> try a DB based backend and see how it performs.
>
> In that light, I've downloaded a hiera-mysql2 module from github and
> installed it at:
>
> # tree /usr/share/puppet/modules/hiera-mysql2
> /usr/share/puppet/modules/hiera-mysql2
> ├── CHANGELOG.md
> ├── lib
> │   └── puppet
> │   └── functions
> │   └── mysql2_lookup_key.rb
> ├── LICENSE
> ├── metadata.json
> └── README.md
>
> I've updated my /etc/puppet/hiera.yaml to include an entry for looking up
> data using hiera-mysql2:
>
> # head /etc/puppet/hiera.yaml
> version: 5
>
> defaults:
> datadir: /etc/puppet/code/hiera
> data_hash: yaml_data
>
> hierarchy:
> - name: "MySQL lookup"
>   lookup_key: mysql2_lookup_key
>   options:
>
> And I've restarted my puppetmaster.
>
> When I attempt a lookup, either locally on the puppet master (or on an
> client system via puppet agent -t), I get:
>
> # puppet  lookup foo::bar --explain
> Searching for "lookup_options"
>   Global Data Provider (hiera configuration version 5)
> Using configuration "/etc/puppet/hiera.yaml"
> Hierarchy entry "MySQL lookup"
> Unable to find 'lookup_key' function named 'mysql2_lookup_key' (file:
> /etc/puppet/hiera.yaml)
>
> I did not use "puppet module" to install the module, I just copied the
> files to the directory.
>
> My module path looks good. Notice the last entry in the following path
> output...
>
> # puppet config print modulepath
>
> /etc/puppet/code/environments/production/modules:/etc/puppet/code/environments/production/profiles:/etc/puppet/code/environments/production/roles:/etc/puppet/modules:/etc/puppet/profiles:/etc/puppet/roles:/usr/share/puppet/modules
>
> Can anyone help me understand why the puppetmaster isn't seeing the
> hiera-mysql2 module (and function contained therein) ?
>

A little bit more information...

puppet module list does not list the module:

# puppet module list | tail
/usr/share/puppet/modules
├── crayfishx-hiera_mysql (v3.0.1)
├── nanliu-staging (v1.0.4)
├── puppetlabs-apt (v6.1.1)  invalid
├── puppetlabs-concat (v5.1.0)  invalid
├── puppetlabs-mysql (v5.3.0)
├── puppetlabs-postgresql (v5.4.0)
├── puppetlabs-stdlib (v5.0.0)  invalid
├── puppetlabs-translate (v1.1.0)
└── puppetlabs-vcsrepo (v3.0.0)

However, it exists on disk:

# ls -1 /usr/share/puppet/modules
apt
concat
hiera_mysql
hiera-mysql2
mysql
postgresql
staging
stdlib
translate
vcsrepo

Any ideas how to get puppet to see the modules that exist "on disk" ?

Thanks for the help!

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3W-m12adKYAzLSS%2B-1PvE_ytMA6Mue2rqPr0qoYux%2BPBg%40mail.gmail.com.

Re: [Puppet Users] hiera 5 postgresql backend

['Matt Zagrabelny' via Puppet Users]

Hi Martin,

Thanks for the email. I understand your concerns about using other
backends. We have a reasonably small puppet deployment, so I think I will
try a DB based backend and see how it performs.

In that light, I've downloaded a hiera-mysql2 module from github and
installed it at:

# tree /usr/share/puppet/modules/hiera-mysql2
/usr/share/puppet/modules/hiera-mysql2
├── CHANGELOG.md
├── lib
│   └── puppet
│   └── functions
│   └── mysql2_lookup_key.rb
├── LICENSE
├── metadata.json
└── README.md

I've updated my /etc/puppet/hiera.yaml to include an entry for looking up
data using hiera-mysql2:

# head /etc/puppet/hiera.yaml
version: 5

defaults:
datadir: /etc/puppet/code/hiera
data_hash: yaml_data

hierarchy:
- name: "MySQL lookup"
  lookup_key: mysql2_lookup_key
  options:

And I've restarted my puppetmaster.

When I attempt a lookup, either locally on the puppet master (or on an
client system via puppet agent -t), I get:

# puppet  lookup foo::bar --explain
Searching for "lookup_options"
  Global Data Provider (hiera configuration version 5)
Using configuration "/etc/puppet/hiera.yaml"
Hierarchy entry "MySQL lookup"
Unable to find 'lookup_key' function named 'mysql2_lookup_key' (file:
/etc/puppet/hiera.yaml)

I did not use "puppet module" to install the module, I just copied the
files to the directory.

My module path looks good. Notice the last entry in the following path
output...

# puppet config print modulepath
/etc/puppet/code/environments/production/modules:/etc/puppet/code/environments/production/profiles:/etc/puppet/code/environments/production/roles:/etc/puppet/modules:/etc/puppet/profiles:/etc/puppet/roles:/usr/share/puppet/modules

Can anyone help me understand why the puppetmaster isn't seeing the
hiera-mysql2 module (and function contained therein) ?

Thank you for your consideration.

-m

On Thu, Apr 14, 2022 at 1:21 AM Martin Alfke  wrote:

> Hi,
>
> We usually recommend to not use any other backend, except for file based
> backends, due to performance.
> Any other backend must be able to deliver the same lookup speed.
> We did a calculation at a customer and we saw hiera answering 8000 queries
> in less than 1 second using the yaml file backend.
>
> With hiera5 you can of course write new backends.
> Please note that the hiera3 backends are not compatible with hiera5!
> https://puppet.com/docs/puppet/7/hiera_custom_backends.html
>
> Hth,
> Martin
>
>
> On 14. Apr 2022, at 04:30, 'Matt Zagrabelny' via Puppet Users <
> puppet-users@googlegroups.com> wrote:
>
> Greetings,
>
> I'm running puppet 5.5.
>
> Is anyone aware of a hiera 5 Pg backend?
>
> I've tried getting the hiera 3 module [0] working, but am struggling. I'm
> hoping a native hiera 5 will be a smoother experience.
>
> Thanks for the help!
>
> -m
>
> [0] https://github.com/rogeduardo/hiera-psql
>
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/CAOLfK3U6euXrZfWHLcSWjm-BHrxLq0oir8p2x-O4ExMe1TCrdA%40mail.gmail.com
> <https://groups.google.com/d/msgid/puppet-users/CAOLfK3U6euXrZfWHLcSWjm-BHrxLq0oir8p2x-O4ExMe1TCrdA%40mail.gmail.com?utm_medium=email_source=footer>
> .
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/4EF8FA1E-3BA5-4B4D-B3E5-CCCF24981D03%40gmail.com
> <https://groups.google.com/d/msgid/puppet-users/4EF8FA1E-3BA5-4B4D-B3E5-CCCF24981D03%40gmail.com?utm_medium=email_source=footer>
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3W3cJx00gwP%3Do0yyWHRMu%2BvV4fvu28L%3DikNORF8K6FH8Q%40mail.gmail.com.

[Puppet Users] hiera 5 postgresql backend

['Matt Zagrabelny' via Puppet Users]

Greetings,

I'm running puppet 5.5.

Is anyone aware of a hiera 5 Pg backend?

I've tried getting the hiera 3 module [0] working, but am struggling. I'm
hoping a native hiera 5 will be a smoother experience.

Thanks for the help!

-m

[0] https://github.com/rogeduardo/hiera-psql

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3U6euXrZfWHLcSWjm-BHrxLq0oir8p2x-O4ExMe1TCrdA%40mail.gmail.com.

Re: [Puppet Users] boolean like operation for puppetdb query

['Matt Zagrabelny' via Puppet Users]

Hey Daniel,

Thanks for the reply and hints about "defined".

I ended up putting the puppetdb code into a function and calling the 
function:

$ cat modules/util/functions/does_host_have_class.pp
function util::does_host_have_class(
String $class
) >> Boolean {
$func_name = "util::does_host_have_class()"

$query = [ 
'resources[certname] {',
'type = "Class"',
'and',
"title = \"${class}\"",
'order by certname',
'}',
]   
$hosts_with_class = puppetdb_query(
join($query, ' ')
).map |$entity| {
$entity["certname"]
}   

"${trusted['certname']}" in $hosts_with_class
}

Cheers!

-m

On Tuesday, February 15, 2022 at 3:22:32 AM UTC-6 daniel.kr...@gmail.com 
wrote:

> Hi,
>
> no answer yet? Or did miss them? I'm not a puppet professional but i may 
> provide some other approaches and an opinion. 
>
> There is the function defined() 
> https://puppet.com/docs/puppet/7/function.html#defined , but it's tricky 
> because you need to be 100% sure that in your example class fail2ban is 
> included before the function call.
> Here is an example:
>
> ❯ cat profile/manifests/test.pp
> class profile::test (
> ) {
>   notify {"this is test.": }
> }
>
> ❯ cat profile/manifests/test2.pp
> class profile::test2 {
>   if defined(Class["profile::test"]) {
> notify { "This ist test2. test is also here.": }
>   } else {
> notify { "This ist test2. i'm alone. i'm cold.": }
>   }
> }
>
> ❯ cat profile/manifests/wrapper1.pp
> class profile::wrapper1 {
>   include profile::test
>   include profile::test2
> }
>
> ❯ cat profile/manifests/wrapper2.pp
> class profile::wrapper2 {
>   include profile::test2
>   include profile::test
> }
>
> Performing puppet runs with ('profile::wrapper1',)
> Info: Using configured environment 'production'
> Info: Retrieving pluginfacts
> Info: Retrieving plugin
> Info: Retrieving locales
> Info: Loading facts
> Info: Caching catalog for bullseye.local
> Info: Applying configuration version '1644913701'
> Notice: this is test.
> Notice: /Stage[main]/Profile::Test/Notify[this is test.]/message: defined 
> 'message' as 'this is test.'
> Notice: This ist test2. test is also here.
> Notice: /Stage[main]/Profile::Test2/Notify[This ist test2. test is also 
> here.]/message: defined 'message' as 'This ist test2. test is also here.'
> Notice: Applied catalog in 16.16 seconds
>
> Performing puppet runs with ('profile::wrapper2',)
> Reading package lists...
> Info: Using configured environment 'production'
> Info: Retrieving pluginfacts
> Info: Retrieving plugin
> Info: Retrieving locales
> Info: Loading facts
> Info: Caching catalog for bullseye.local
> Info: Applying configuration version '1644913738'
> Notice: This ist test2. i'm alone. i'm cold.
> Notice: /Stage[main]/Profile::Test2/Notify[This ist test2. i'm alone. i'm 
> cold.]/message: defined 'message' as 'This ist test2. i\'m alone. i\'m 
> cold.'
> Notice: this is test.
> Notice: /Stage[main]/Profile::Test/Notify[this is test.]/message: defined 
> 'message' as 'this is test.'
> Notice: Applied catalog in 15.80 seconds
>
> For me this wouldn't be reliable enough to use.
>
>
> Another approach would be to create a fact. 
> https://puppet.com/docs/puppet/7/external_facts.html
>
> ❯ cat profile/facts.d/fail2ban.sh
> #!/bin/sh
> FAIL2BAN="/usr/bin/fail2ban-client"
> [ -x ${FAIL2BAN} ] && echo fail2ban_version=$(/usr/bin/fail2ban-client 
> --version)
>
> ❯ cat profile/manifests/test3.pp
> class profile::test3 {
>   if $facts["fail2ban_version"] {
> notify {"The fail2ban version is ${facts['fail2ban_version']}":}
>   }
> }
>
> But this solution has the same drawbacks as yours, it adds to execution 
> time and it can only be true on the second puppetrun.
>
> Imho you should find the point where you include fail2ban and do your 
> stuff there. Or you can wrap fail2ban.
>
>
> I'm sure there are puppetnerds out there with way better advice.
>
> Greetings,
> Daniel
>
>
>
> Am Fr., 11. Feb. 2022 um 22:29 Uhr schrieb 'Matt Zagrabelny' via Puppet 
> Users :
>
>> Greetings,
>>
>> I have a puppetdb installation that I leverage by querying from my 
>> manifests.
>>
>> I'd like to have a boolean-like operation for puppetdb that pretty much 
>> tests if the current node has a given class as part of the catalog. Here is 
>> my current code:
>>
>> $query = [ 
>> 'resources[certname] {',
>> 't

[Puppet Users] boolean like operation for puppetdb query

['Matt Zagrabelny' via Puppet Users]

Greetings,

I have a puppetdb installation that I leverage by querying from my 
manifests.

I'd like to have a boolean-like operation for puppetdb that pretty much 
tests if the current node has a given class as part of the catalog. Here is 
my current code:

$query = [ 
'resources[certname] {',
'type = "Class"',
'and',
"title = \"fail2ban\"",
'and',
"certname = \"${trusted['certname']}\"",
'}',
]
$this_host_has_fail2ban = puppetdb_query(
$query.join(' ')
).map |$entity| {
$entity["certname"]
}

if "${trusted['certname']}" in $this_host_has_fail2ban {
$shall_allow_from_internet = true
}
else {
$shall_allow_from_internet = false
}

Is there a simpler mechanism to find out if a node has a given class in its 
catalog?

Thanks for any help!

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/bc6d5bf6-df6f-4850-ab35-59edc49e13c6n%40googlegroups.com.

[Puppet Users] hiera resources in puppetdb

['Matt Zagrabelny' via Puppet Users]

Greetings,

I use lookup to get data out of hiera:

node some-host {
class { 'foo':
$bar = lookup('bar')
}
}

I'd like to be able to query puppetdb to find out what hosts use various 
hiera keys.

So in the above example. Given bar return some-host.

I know I can write a parser to get the class "foo" that contains the hiera 
key "bar". Then using that class (foo in this case), I could query puppetdb 
with a class and get the host.

I know the hiera keys wouldn't show up in the facts report. I know that the 
hiera keys wouldn't show up in the catalog reports.

Is it possible to create a custom function like so:

my_lookup(key) {
# somehow create a resource that I can query with puppetdb
   # and then use the real lookup:
   return lookup(key);
}

Any ideas about querying puppetdb to get used hiera keys in given hosts?

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/10f366cf-3c51-4956-8e83-c20fcf61226cn%40googlegroups.com.

Re: [Puppet Users] puppet catalog security?

[Matt Zagrabelny]

On Sat, Mar 28, 2020 at 10:05 AM Henrik Lindberg 
wrote:

> On 2020-03-28 14:36, Matt Zagrabelny wrote:
> >
> >
> > On Sat, Mar 28, 2020 at 7:31 AM Henrik Lindberg
> > mailto:henrik.lindb...@puppet.com>> wrote:
> >
> > On 2020-03-28 02:42, Matt Zagrabelny wrote:
> >  > Greetings,
> >  >
> >  > Suppose I have a class foo that host A gets via its catalog.
> Suppose
> >  > host B does not have foo in its catalog. Can host B do anything
> >  > malicious to obtain the sensitive data in foo?
> >  >
> >  > My puppet master is using an ENC to generate the classification
> > of each
> >  > host and then a roles + profiles design pattern and hiera for
> > specific data.
> >  >
> >  > Thanks for any hints or answers!
> >  >
> >
> > It is important that your server side logic uses $trusted when
> > classifying on node since other facts cannot be trusted.
> >
> > If B is compromised a malicious user could spoof facts in a request
> and
> > pretend to be A. It cannot however spoof the certificate - and it
> > contains the information that is in $trusted.
> >
> >
> > Hey Henrik,
> >
> > Thanks for the reply!
> >
> > Suppose I don't use any facts for classification, but only the ENC
> > assigns a role to the node via its fqdn.
> >
>
> You want the fqdn that is in $trusted - the "regular" fqdn can be spoofed.
>

The ENC gets the fqdn on the command line. I'd presume this is trusted from
the certificate since communication between the master and client is
predicated on the SSL.

The ENC then "assigns" a class to A.

Is there anything B can do to get module foo added to its catalog if only
the ENC adds module foo to node's catalogs?

Thanks,

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3WHtCsEEhA6CrvP8WkFwxqGJdads1rzsBOUjVVNBgpSZw%40mail.gmail.com.

Re: [Puppet Users] puppet catalog security?

[Matt Zagrabelny]

On Sat, Mar 28, 2020 at 7:31 AM Henrik Lindberg 
wrote:

> On 2020-03-28 02:42, Matt Zagrabelny wrote:
> > Greetings,
> >
> > Suppose I have a class foo that host A gets via its catalog. Suppose
> > host B does not have foo in its catalog. Can host B do anything
> > malicious to obtain the sensitive data in foo?
> >
> > My puppet master is using an ENC to generate the classification of each
> > host and then a roles + profiles design pattern and hiera for specific
> data.
> >
> > Thanks for any hints or answers!
> >
>
> It is important that your server side logic uses $trusted when
> classifying on node since other facts cannot be trusted.
>
> If B is compromised a malicious user could spoof facts in a request and
> pretend to be A. It cannot however spoof the certificate - and it
> contains the information that is in $trusted.
>
>
Hey Henrik,

Thanks for the reply!

Suppose I don't use any facts for classification, but only the ENC assigns
a role to the node via its fqdn.

Class foo which comes through the role and profiles via the ENC has
sensitive files in its "modules/foo/files/" path.

Can B obtain those files if B is not classified to have foo in its catalog?

Thank you for the help!

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3VJytS_F%2Ban0dr-ya4Vf4GuhAxAYDS%2BbkudM8L6YzmuWw%40mail.gmail.com.

[Puppet Users] puppet catalog security?

[Matt Zagrabelny]

Greetings,

Suppose I have a class foo that host A gets via its catalog. Suppose host B
does not have foo in its catalog. Can host B do anything malicious to
obtain the sensitive data in foo?

My puppet master is using an ENC to generate the classification of each
host and then a roles + profiles design pattern and hiera for specific data.

Thanks for any hints or answers!

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3XO1msp%3DHQB9Lwnyy4GX6BLYBonO60sdWTZzOsTYzV4Vg%40mail.gmail.com.

[Puppet Users] puppetdb query return values

[Matt Zagrabelny]

Greetings,

I've looked through the puppetdb docs, in particular the PQL docs, to find
out if I can extract a single parameter in the return value(s).

I have as a PQL:

resources[parameters] { type = "Postgresql::Server::Pg_hba_rule" and
parameters.address ~ "."}

I'd like to get the "address" parameter. So some pseudocode like:

resources[parameters.address]

I know I can post process the results, but is there a way to get a single
parameter in PQL?

Thanks,

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3UZuh5jvdFjq5giQbifcM5RU6--oL-KDoLo0SuPMCu2KQ%40mail.gmail.com.

[Puppet Users] Re: vcsrepo with specific identity? - SOLVED

[Matt Zagrabelny]

My usage of the GIT_SSH_COMMAND environment variable was leaking into the
"puppet agent -t" environment and was short-circuiting vcsrepo's use of
GIT_SSH.

I've patched my local copy of the vcsrepo module and have created a PR:

https://github.com/puppetlabs/puppetlabs-vcsrepo/pull/435

Cheers!

-m

On Tue, Dec 3, 2019 at 10:56 AM Matt Zagrabelny  wrote:

> Greetings,
>
> I am attempting to specify an identity with a vcsrepo resource. Such as:
>
> vcsrepo { '/opt/src/repository':
> ensure   => present,
> provider => git,
> revision => 'stable',
> source   => 'ssh://gitol...@git.example.com/repository.git',
> identity => '/root/.ssh/id_rsa__gitolite_access__non_private',
> }
>
> I'm running puppet 5.5 (Debian Buster).
>
> I've tried with both the (Debian) packaged version of puppetlabs vcsrepo
> (1.3.2) and the most recent source release from the forge (3.0.0) and I am
> getting the same results for both:
>
>
> Error: Execution of '/usr/bin/git clone ssh://
> gitol...@git.example.com/repository.git /opt/src/repository' returned
> 128: Cloning into '/opt/src/repository'...
> Permission denied, please try again.
> Permission denied, please try again.
> gitol...@git.example.com: Permission denied (publickey,password).
> fatal: Could not read from remote repository.
>
> Please make sure you have the correct access rights
> and the repository exists.
> Error:
> /Stage[main]/Profile___base__gnu/Vcsrepo[/opt/src/repository]/ensure:
> change from 'absent' to 'present' failed: Execution of '/usr/bin/git clone
> ssh://gitol...@git.example.com/repository.git /opt/src/repository'
> returned 128: Cloning into '/opt/src/repository'...
> Permission denied, please try again.
> Permission denied, please try again.
> gitol...@git.example.com: Permission denied (publickey,password).
> fatal: Could not read from remote repository.
>
> Please make sure you have the correct access rights
> and the repository exists.
>
>
> I can get the vcsrepo to work if I utilize the default identity file
> (~/.ssh/id_rsa) or by defining the identity file to use in ~/.ssh/config.
> That is, by not specifying the "identity" parameter things work as expected.
>
> Additionally, I can successfully clone the repo using git using the
> desired identity file:
>
> # GIT_SSH_COMMAND="/usr/bin/ssh -i
> /root/.ssh/id_rsa__gitolite_access__non_private" git clone --single-branch
> --branch stable ssh://gitol...@git.example.com/repository.git
> Cloning into 'repository'...
> remote: Enumerating objects: 8, done.
> remote: Counting objects: 100% (8/8), done.
> remote: Compressing objects: 100% (6/6), done.
> remote: Total 8 (delta 1), reused 0 (delta 0)
> Receiving objects: 100% (8/8), done.
> Resolving deltas: 100% (1/1), done.
>
> Has anyone had success with specifying the identity file with vcsrepo?
>
> Any hints, tips, or suggestions are very welcome!
>
> Thanks,
>
> -m
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3XZr49%2Brck_kdFcgeBtt59e4J8fHbpx%2B_%2BQ%2BonxrXe_zw%40mail.gmail.com.

Re: [Puppet Users] vcsrepo with specific identity?

[Matt Zagrabelny]

On Tue, Dec 3, 2019 at 11:23 AM Yvan Broccard 
wrote:

> Don't forget the "user", "group" and "owner" parameter. For example, from
> one of my manifests :
>

Hmmm


>   -> vcsrepo {'oracle-scripts':
> ensure   => 'latest',
> path => "${hvs_oracle::oradb::admindir}/oracle-scripts",
> provider => 'git',
> source   => 'ssh://git@git:7999/infra/oracle-scripts.git',
> identity => "${oraclehome}/.ssh/id_ed25519",
> revision => 'master',
> user => 'oracle',
> owner=> 'oracle',
> group=> 'oinstall',
>   }
>
>
When I don't use the "identity" parameter things work okay (even without
the user, owner, and group parameters.)

The errors I'm seeing are directly related to git (via puppet) not using
the specified key for authenticating. I don't think I'm seeing issues with
the user, owner, group.

Thank you for the reply,

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3XqfD0ywR4wz2oWsj4M21p252MiEJQN_mGz3sXv8_cq5g%40mail.gmail.com.

[Puppet Users] vcsrepo with specific identity?

[Matt Zagrabelny]

Greetings,

I am attempting to specify an identity with a vcsrepo resource. Such as:

vcsrepo { '/opt/src/repository':
ensure   => present,
provider => git,
revision => 'stable',
source   => 'ssh://gitol...@git.example.com/repository.git',
identity => '/root/.ssh/id_rsa__gitolite_access__non_private',
}

I'm running puppet 5.5 (Debian Buster).

I've tried with both the (Debian) packaged version of puppetlabs vcsrepo
(1.3.2) and the most recent source release from the forge (3.0.0) and I am
getting the same results for both:


Error: Execution of '/usr/bin/git clone ssh://
gitol...@git.example.com/repository.git /opt/src/repository' returned 128:
Cloning into '/opt/src/repository'...
Permission denied, please try again.
Permission denied, please try again.
gitol...@git.example.com: Permission denied (publickey,password).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
Error:
/Stage[main]/Profile___base__gnu/Vcsrepo[/opt/src/repository]/ensure:
change from 'absent' to 'present' failed: Execution of '/usr/bin/git clone
ssh://gitol...@git.example.com/repository.git /opt/src/repository' returned
128: Cloning into '/opt/src/repository'...
Permission denied, please try again.
Permission denied, please try again.
gitol...@git.example.com: Permission denied (publickey,password).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.


I can get the vcsrepo to work if I utilize the default identity file
(~/.ssh/id_rsa) or by defining the identity file to use in ~/.ssh/config.
That is, by not specifying the "identity" parameter things work as expected.

Additionally, I can successfully clone the repo using git using the desired
identity file:

# GIT_SSH_COMMAND="/usr/bin/ssh -i
/root/.ssh/id_rsa__gitolite_access__non_private" git clone --single-branch
--branch stable ssh://gitol...@git.example.com/repository.git
Cloning into 'repository'...
remote: Enumerating objects: 8, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 8 (delta 1), reused 0 (delta 0)
Receiving objects: 100% (8/8), done.
Resolving deltas: 100% (1/1), done.

Has anyone had success with specifying the identity file with vcsrepo?

Any hints, tips, or suggestions are very welcome!

Thanks,

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3WBecdGjVVH3uBrcVd0KHzB90aAR1xob4m3utdjAH3cpw%40mail.gmail.com.

Re: [Puppet Users] puppet catalog find --terminus json on puppet master

[Matt Zagrabelny]

Hey David,

Thanks for the reply!

On Tue, Sep 17, 2019 at 5:58 AM David Schmitt 
wrote:

> The most recent releases of puppetserver have an API endpoint specifically
> designed for this usecase:
> https://puppet.com/docs/puppetserver/latest/puppet-api/v4/catalog.html
>

Okay. I'm only on puppet 5.5.


>
> You'll also need to enable access to that endpoint in auth.conf for the
> server you want to access that API from.
>
> You can experiment with the certless catalog indirector from
> https://github.com/puppetlabs/ace/blob/master/lib/puppet/indirector/catalog/certless.rbto
> integrate into the CLI you're asking about, but that'll likely require some
> work to pass through the required fields.
>

Hmmm... So for 5.5 using this ruby file is about the only option to
generate the catalog on the master?

Thanks for the help!

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3WRHRWeWFmpp5sOpdi%2BBcZcHAPQwEoOq_J5ucQAO51nYg%40mail.gmail.com.

[Puppet Users] puppet catalog find --terminus json on puppet master

[Matt Zagrabelny]

Greetings,

I'm using puppet 5.5.10 (Debian Buster).

>From the puppet master system, I'm trying to get all the resources in a
catalog for a given node.

On a node "foo.example.com" I can with:

foo# puppet catalog find --terminus json | wc -l
6271

but on the master I've tried:

puppet# puppet catalog find --terminus json foo.example.com | wc -l
0

If I try a rest terminus I get:

puppet# puppet catalog find --terminus rest foo.example.com | wc -l
Error: Could not call 'find' on 'catalog': Error 403 on SERVER: Not
Authorized: Forbidden request: /puppet/v3/catalog/git.d.umn.edu [find]
Error: Could not call 'find' on 'catalog': Error 403 on SERVER: Not
Authorized: Forbidden request: /puppet/v3/catalog/git.d.umn.edu [find]
Error: Try 'puppet help catalog find' for usage

Any ideas on how to get a node's catalog from the master?

Thanks,

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3Xf8ePFU33PoOv4w55DYnuLOw7qN7RYVjSE20ZUJKAvyw%40mail.gmail.com.

[Puppet Users] accessing out of class/scope variables in template

[Matt Zagrabelny]

Hello,

I'm running puppet 5.5 OSE.

I've got a class foo:

class foo {
$bar = 'hi'
}

class foo::configure {
file { '/tmp/foo.conf':
content => template('foo/foo.conf.erb'),
}
}

and then in the template:

<%= scope['foo::bar'] %>

but suppose I want to access an out of class variable:

<%= scope['baz::qux'] %>

That does not seem to work. Is there any way to access out of class
variables in a template?

Thanks for any help!

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3Wwt7%3D3oD%3DJeS%3Dm-fiDeOWBdempVzn13CN1ZYUj8QF-9Q%40mail.gmail.com.

Re: [Puppet Users] relationships, ordering, and defined types

[Matt Zagrabelny]

On Tue, Jan 22, 2019 at 4:22 PM Ben Ford  wrote:

> Caps all segments in a defined type name:
>
> before => Bar::Baz['qux'],
>
>
>
Huzzah!

Thanks Ben!

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3U-L7%2BjSqMn3iZJ3aUJk%3Dbqr2jjc%2BXXnAJRoKQymJmWYg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] relationships, ordering, and defined types

[Matt Zagrabelny]

Greetings!

I'm running puppet 5.5 on Debian Buster.

This exists:

define bar::baz() {
file { "/tmp/$name": }
}

...somewhere else...

bar::baz { 'qux': }

file { '/tmp/foo':
before => Bar::baz['qux'],
}

But when the catalog gets compiled I get an error:

Evaluation Error: Error while evaluating a Resource Statement, Illegal
class reference

Is it possible to use a defined type with a "before" (or any other
relationship metaparameter) ?

Thanks!

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3V7E47VzhjNSznYTC_UuH%3DK44GsgLuH9y4vnTFy70i5QA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: leading double colons (::) for class instances

[Matt Zagrabelny]

On Mon, Jan 7, 2019 at 3:31 PM Matt Zagrabelny  wrote:

> Greetings puppet-users!
>
> For many years I have been using the following convention for including my
> classes:
>
> class foo() {
> include ::profile::bar
> }
>
> I know I don't need the leading double colon for including profile::bar,
> but at one point in time I thought it may have been a best practice or it
> would help prevent some sort of future pain point.
>
> Is that still true? Was I ever correct?
>
>
Needed to spend 30 more seconds reading before hitting send. Sorry for the
noise!

https://github.com/voxpupuli/puppet-lint-absolute_classname-check/issues/3

Thanks for any additional feedback!

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3X9J%3DA%3DQNNSc9ipExGOv%2B9O_Rd5-u1dfmc1DCbetXf-0g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] leading double colons (::) for class instances

[Matt Zagrabelny]

Greetings puppet-users!

For many years I have been using the following convention for including my
classes:

class foo() {
include ::profile::bar
}

I know I don't need the leading double colon for including profile::bar,
but at one point in time I thought it may have been a best practice or it
would help prevent some sort of future pain point.

Is that still true? Was I ever correct?

What is the current best practice for namespacing included classes?

Thanks for any feedback!

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3XQRV0HpRLMK%2B_POuPpAwSAz8zObvoWNZ6GMvOMea%3DbRw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Use bolt with existing Puppet manifests

[Matt Shields]

I have an existing Puppet open-source install that I use to manage our 
infrastructure.  One of our clients is going to be purchasing our SAAS for 
use in their own datacenter and they are setting up a temporary VPN for us 
to connect to a group of servers to setup, then they'll be terminating the 
VPN and they'll manage them.

Since I don't want to install the Puppet agent, can I use Bolt to call each 
of their servers and run through specific roles/profiles/hiera data?

-matt

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/09ba25ea-3cf7-428b-a061-fff01e7e3bdd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] serving per-node private data in puppet 5

[Matt Zagrabelny]

Greetings!

I'm working on migrating my puppet 3.7 environment to puppet 5.5 (Debian
testing.)

How are folks serving private per-node data in puppet 5? (i.e. ssh keys,
apache cert and key, etc.)

In both puppet 2.7 and 3.7 I've used:

$ cat /etc/puppet/fileserver.conf
# This file consists of arbitrarily named sections/modules
# defining where files are served from and to whom

[private]
path /etc/puppet/environments/production/private/%H
allow *

Have things changed since then? Are there better (or more idiomatic) ways
of serving up private per-node files?

Ideally I would also be able to use the environment to adjust the mount
point. Hand-wavy magic:
path /etc/puppet/environments/%E/private/%H

Hiera has support for top level variables. Our ENC exposes the environmentt:
"environments/%{::environment}/node/%{clientcert}"

Thanks for any hints, help, or discussion!

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3V1Ff9%3DQo%2BAUO72_UEvJE%2BakR6eKgTmW_PVr021Y8zcvg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Re: puppet master not seeing certificate signing request from agent

[Matt Zagrabelny]

Hey Justin,

Thanks for the reply!

On Wed, Oct 31, 2018 at 10:49 PM Justin Stoller  wrote:

> What happens on the agent that is running on the master?
>

Works as expected. Thus indicting the firewall.

Digging deeper... it looks like Debian testing bit me. But I don't blame
them - I know I'm tracking a moving target.

iptables upgraded from 1.6 to 1.8 (and I didn't reboot after). There are
new semantics (iptables-legacy) and the firewall was still blocking 8140 in
the legacy mode. I've rebooted and cleared the legacy chains/tables.

Things work as expected now.

Thanks for the help and hints. It is very appreciated!

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3W0ooT3P2PKbqHqLyPFN5KDEUXrTieUWvOgEn7-wzo3xg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: puppet master not seeing certificate signing request from agent

[Matt Zagrabelny]

On Wed, Oct 31, 2018 at 11:23 AM Matt Zagrabelny  wrote:

> Greetings,
>
> I'm running puppet 5.5.6 (Debian testing).
>
> I'm having issues getting the master to see the cert signing request from
> an agent.
>
> The firewall isn't an issue. I see the packets hit an "allow" rule on the
> master, but I've also turned the firewall off.
>
> tcpdump shows the packets reaching the server:
>
> 2018-10-31 11:03:19.705234 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
> 2018-10-31 11:03:35.833194 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
> 2018-10-31 11:04:08.345204 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
>
> 2607::2a = agent
> 2607::20 = master
>
> I'm not seeing anything from the server:
>
> # puppet master --no-daemonize
> Warning: Accessing 'ca' as a setting is deprecated.
>(location: /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1165:in
> `issue_deprecation_warning')
> Warning: The WEBrick Puppet master server is deprecated and will be
> removed in a future release. Please use Puppet Server instead. See
> http://links.puppet.com/deprecate-rack-webrick-servers for more
> information.
>(location:
> /usr/lib/ruby/vendor_ruby/puppet/application/master.rb:207:in `main')
> Notice: Starting Puppet master version 5.5.6
>
> Adding --debug or --verbose didn't seem to yield any extra log messages
> after the "Starting Puppet master..." for when I expected a cert signing
> request message.
>
> and the agent just shows an expiration:
>
> # puppet agent -t --server puppet-5-5
> Warning: Setting cadir is deprecated.
>(location: /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1169:in
> `issue_deprecation_warning')
> Error: Could not request certificate: execution expired
> Exiting; failed to retrieve certificate and waitforcert is disabled
>
> Any ideas where to look next?
>
>
>
No new updates, but I wanted to add that lsof reports puppet listening:

puppet25053  puppet8u  IPv4 125393  0t0  TCP *:8140
(LISTEN)
puppet25053  puppet9u  IPv6 125394  0t0  TCP *:8140
(LISTEN)

and I'm not seeing anything in the master log file:

[2018-10-31 16:05:35] DEBUG Puppet::Network::HTTP::WEBrickREST is mounted
on /.
[2018-10-31 16:05:35] INFO  WEBrick::HTTPServer#start: pid=25053 port=8140

Confused...

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3XYkCM7c3CfB2_CuSGAZ9RFy_4Lk--Xqqc7WEM69z4oTA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] puppet master not seeing certificate signing request from agent

[Matt Zagrabelny]

Greetings,

I'm running puppet 5.5.6 (Debian testing).

I'm having issues getting the master to see the cert signing request from
an agent.

The firewall isn't an issue. I see the packets hit an "allow" rule on the
master, but I've also turned the firewall off.

tcpdump shows the packets reaching the server:

2018-10-31 11:03:19.705234 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
2018-10-31 11:03:35.833194 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
2018-10-31 11:04:08.345204 IP6 2607::2a.46390 > 2607::20.8140: tcp 0

2607::2a = agent
2607::20 = master

I'm not seeing anything from the server:

# puppet master --no-daemonize
Warning: Accessing 'ca' as a setting is deprecated.
   (location: /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1165:in
`issue_deprecation_warning')
Warning: The WEBrick Puppet master server is deprecated and will be removed
in a future release. Please use Puppet Server instead. See
http://links.puppet.com/deprecate-rack-webrick-servers for more information.
   (location: /usr/lib/ruby/vendor_ruby/puppet/application/master.rb:207:in
`main')
Notice: Starting Puppet master version 5.5.6

Adding --debug or --verbose didn't seem to yield any extra log messages
after the "Starting Puppet master..." for when I expected a cert signing
request message.

and the agent just shows an expiration:

# puppet agent -t --server puppet-5-5
Warning: Setting cadir is deprecated.
   (location: /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1169:in
`issue_deprecation_warning')
Error: Could not request certificate: execution expired
Exiting; failed to retrieve certificate and waitforcert is disabled

Any ideas where to look next?

Thanks!

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3X4NnJKpQiKoB4gW%3D4BctUBHOBHVWCdWcF6U6wembgbig%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] puppet.conf ini heading

[Matt Zagrabelny]

On Tue, Oct 30, 2018 at 5:10 PM Justin Stoller  wrote:

>
>
> On Tue, Oct 30, 2018 at 2:34 PM Matt Zagrabelny 
> wrote:
>
>> Greetings,
>>
>> I'm running puppet 5.5.6 (Debian testing.)
>>
>> I'm seeing some curious and inconsistent results from where I put config
>> settings in /etc/puppet/puppet.conf. When I use the [master] heading, the
>> "external_nodes" setting is read by the puppet master:
>>
>> # cat /etc/puppet/puppet.conf
>> [master]
>> node_terminus  = exec
>> external_nodes = /opt/bin/my-enc
>> # systemctl restart puppet-master.service
>> # puppet config print external_nodes
>> none
>>
>>
[...]


> When your master run it uses only certain sections of the config file
> (mainly "master" and "main"[1]), while config print will by default use the
> section "main". You can use the `--section ` flag to act on a
> specific section. If you don't specify a section in the puppet.conf the
> setting will be applied to the "main" section.
>
> eg `puppet config print --section master external_nodes` should give you
> want you want.
>

Indeed it does!

Thanks, Justin!

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3Wb3CDDv1CUA-UpWL7Jnr2NK7k_5-UJRqoHiv-1Ws6AYA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] puppet.conf ini heading

[Matt Zagrabelny]

Greetings,

I'm running puppet 5.5.6 (Debian testing.)

I'm seeing some curious and inconsistent results from where I put config
settings in /etc/puppet/puppet.conf. When I use the [master] heading, the
"external_nodes" setting is read by the puppet master:

# cat /etc/puppet/puppet.conf
[master]
node_terminus  = exec
external_nodes = /opt/bin/my-enc
# systemctl restart puppet-master.service
# puppet config print external_nodes
none

However, if I remove the "master" section heading in the puppet.conf file,
I get the results I expect:

# cat /etc/puppet/puppet.conf
node_terminus  = exec
external_nodes = /opt/bin/my-enc
# systemctl restart puppet-master.service
# puppet config print external_nodes
/opt/bin/my-enc

Should I file a bug or is this somehow expected?

Thanks!

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3UsJHY%2BpFMXUpM1H4%2BL6FajzPj01x09EqfAcWHnkSqb1Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Re: Puppet Agent Hang when PuppetServer Crashes...

[Matt Wise]

We're still tuning, but I ended up dropping our PuppetServer JRubyInstance
count down to 2, and I have the -Xmx setting set to 4GB(!!). I think that
we have a few libraries loaded in that are causing some major bloat, but we
haven't had time to track that down yet.

The big concern I have is not the crashing of the servers... we can handle
that. The main issue is that it seems that the Puppet Agents get into a
hung state and never recover. Thats not a behavior we ever saw on the older
Puppet 3.x clients.

On Mon, Jan 1, 2018 at 9:50 PM, John Gelnaw <jgel...@gmail.com> wrote:

> On Monday, January 1, 2018 at 5:52:10 PM UTC-5, Matt Wise wrote:
>>
>> *Puppet Agent: 5.3.2*
>> *Puppet Server: 5.1.4 - Packaged in Docker, running on Amazon ECS*
>>
>
> I'm running a docker-compose based puppet setup, and had the same
> problem.  Short version was to increase the java heap size for the JRuby
> instances for puppetserver.
>
> Using the docker-compose.yml, I added:
>
> environment:
>   - PUPPETSERVER_JAVA_ARGS=-Xmx1024m
>
> to the puppet stanza, which gets passed to the puppetserver init script.
>
> We also increased the number of JRuby instances to 7, but that might be
> overkill (roughly 200-250 nodes).  That also means 8 gigs of memory on the
> docker host.
>
> The agents would eventually time out, but I seem to recall it was on the
> order of hours for the timeout.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/puppet-users/20b2d83e-7752-4f87-995f-3ec2fcde5368%40googlegroups.com
> <https://groups.google.com/d/msgid/puppet-users/20b2d83e-7752-4f87-995f-3ec2fcde5368%40googlegroups.com?utm_medium=email_source=footer>
> .
>
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B9wXBTFODg4VLw5Zmc0eq9DG-i3YZtR5VSWs_krJFkaQzRHMQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Puppet Agent Hang when PuppetServer Crashes...

[Matt Wise]

*Puppet Agent: 5.3.2*
*Puppet Server: 5.1.4 - Packaged in Docker, running on Amazon ECS*

So we've recently started rolling over from our ancient Puppet 3.x system
to a new Puppet 5.x service. The new service consists of a PuppetServer
Docker Image (5.1.4) running in Amazon ECS, and our hosts booting up and
running Puppet Agent 5.3.2. At this point in the migration, we're running
~150-200 hosts on the new Puppet5 system and we replace ~30-80 of them
daily.

We are currently tracking down a problem with our PuppetServers and their
memory usage, which is causing the containers to be OOM'd a few times a day
(~10 OOMs a day across ~20 containers). While we know that we need to fix
this, we've seen a scary behavior on the Puppet Agent side that we could
use some advice with.

It seems that at least a few times a day now we will get a server hung in
the boot process. The `puppet agent -t ...` process will just hang midway
through the run. It seems that these hangs happen when the backend
underlying PuppetServer process that they were connected to gets OOMed and
goes away. Obviously the OOM is a problem.. but frankly I am more concerned
with the Puppet Agent getting wedged for hours and hours without making any
progress.

It seems that when this failure happens, the puppet agent does not ever
time out. It never fails, or throws an error. It just hangs. We've had
these hangs last upwards of 4-5 hours before our systems are automatically
terminated.

We've enabled debug logging, but haven't caught one of these failures yet
with debug mode turned on. In the mean time, are there any  known
regressions or configuration tweaks we need to make to Puppet Agent 5.x
more quick to fail or resilient in this case? I could obviously try to
build in some wrapper around Puppet to catch this behavior .. but I am
hoping that there are just some settings we need to tweak.

Any thoughts?

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B9wXBTjih5N%3Dc%2B8H3UYnH2Jq7fpOPPY3-kmxoxP891W6xLBfQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] using variables with manifests

[Matt Zagrabelny]

On Tue, Apr 4, 2017 at 4:41 PM, warron.french 
wrote:

> Hello, I need some guidance/direction on what to lookup and where I can
> find an example of how to provide values to a class so that they will be
> used by the class (and the ERBtemplate within).
>
> I want to be able to provide the variable *collector_id* to my class and
> from the Red Hat Satellite Puppet Master provide collector_id =
> mycollector.some.net so that it will be used to generate text and then
> populate -mycollector.some.net in the file after some other text.
>
> I figured something like this is needed; but I am not sure and cannot find
> an example to confirm I am on the correct track:
>
> *class* rsyslog_mgmt (collector_id) {
> file { '/etc/rsyslog.conf':
>ensure  => 'present',
>content => template('rsyslog_mgmt/syslog.conf.erb'),
> }
> }
>
> Then the content of my file syslog.conf.erb would look something like this:
>
> ...snippet...
> *.info;authpriv.*;mail.none;news.none  <%= @collector_id %>
> ...EOF...
>
> Am I on the correct track?  Do I need a $ symbol in front of the
> collector_id within the () at the top in front of the first curly brace
> that starts the class definition?
>

You need the dollar sign:

class blah(
$parameter_1,
) {
..do stuff
}

Search for "parameterized class puppet" for further reading.

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3WbVqcH9KMQ-9mcrcDTshfAHDejtd3GZw7%3DHhjwCrXDqg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Role vs hiera

[Matt Zagrabelny]

On Sat, Nov 19, 2016 at 2:27 PM, Martijn <mart...@heemels.com> wrote:
> Op dinsdag 18 oktober 2016 21:50:37 UTC+2 schreef Matt Zagrabelny:
>>
>>
>> If you use an ENC, then you can return the role as a top scope
>> variable and your hiera configs can leverage those top scope
>> variables.
>>
>
>>
>> Let me know if you want the hiera configs.
>>
>> -m
>
>
> Hi Matt,
>
> That's interesting. What are you using for ENC?

Custom python script that uses a custom database to hold node names,
roles, and "production" vs "testing" status.

Since puppet has already claimed the "environment" noun for the
filesystem serving space, I use "context" as the variable name that
holds the "production" vs. "testing" status.

In hiera, we have the following hierarchy, which is repeated in the
hiera.yaml config further down.

1. Node specific hiera data is closest to the node.
2. Whatever role a node is has the next priority for hiera data.
3. The "context" (production vs. testing) is closer to the global
(common) hiera space - so context comes after role.
4. Lastly, the global (common) hiera lookup file.

The 3rd item on the list allows us to have a single place for
application/database passwords with different passwords for testing
and production systems without having to duplicate the password in
some.fqdn.node.yaml files.

Pretend that the following 2-D grid are nodes that have their
respective roles and contexts.

Context
prod | test
roleapp_0_server | app_0_server
roledb_0_server | db_0_server
roleapp_1_server | app_1_server
roledb_1_server | db_1_server
role.  |  .
role.  |  .
role.  |  .

Thus the production app_0_server and db_0_server can easily have a
shared password that is different from the testing app_0_server and
db_0_server due to the vertical slicing of the hierarchy.

> And I'd love to see your hiera configs, please.

% cat /etc/puppet/hiera.yaml
---
:backends:
- yaml
:yaml:
:datadir: /etc/puppet/hiera
:hierarchy:
- "environments/%{::environment}/node/%{clientcert}"
- "environments/%{::environment}/role/%{role}"
- "environments/%{::environment}/context/%{context}"
- "environments/%{::environment}/common"

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3VN0-_LpkWAtAzpOrLLzYa92cGvh-b3z_36hp_ivHGkOA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] QUESTION: How can I iterate through the whole list of facters in an erb template?

[Matt Zagrabelny]

On Thu, Nov 10, 2016 at 6:25 AM, Victor Martinez
 wrote:
> Hi there,
>
>I've been looking for a way of creating an erb file which contains all
> the facter values. Any ideas how I can accomplish it? Reason: I'd like to
> generate custom facters per module and populate those facter values as
> Jenkins Labels

Untested:

<%
@facts.each do |key, value|
%->
<%= key %> and <%= value %>
<% end -%>

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3WWQ%3DfESunVMb3JyM2%3Dhr5%2BStyUQp58t0tV%3D01EKyvTdg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Role vs hiera

[Matt Zagrabelny]

On Tue, Oct 25, 2016 at 2:09 PM, Ugo Bellavance  wrote:
> Hi,
>
> I was actually wondering if it could be done without an ENC as we don't have
> one for now.

Not sure. I don't think so, though. I would work on getting an ENC set up.

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3V9JQiVUre%2BS43ZYWK2iCVtCBVN9wBEuQ6%2BtnXj2cra4Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Role vs hiera

[Matt Zagrabelny]

On Tue, Oct 18, 2016 at 1:34 PM, Ugo Bellavance  wrote:
> Hi,
>
> I've seen tutorials where they add the role as a fact in an client and then
> can use the role for hiera data. Is there a better way to do so (ie without
> having to configure anything on the client)?

As a matter of fact there is a better way.

If you use an ENC, then you can return the role as a top scope
variable and your hiera configs can leverage those top scope
variables.

Here is an example where I've scrubbed any of our site data:

# puppet-enc ldap.example.com
---
classes:
  role::directory_server: null
environment: production
parameters:
  context: production
  role: role::directory_server

The "classes" at the top and its "role" are for the classifying of the
ENC, but the "context" and "role" in the  "parameters" near the bottom
are variables that get exposed - hiera is one of the things that can
use those variables.

This works super slick for us.

For what it is worth, we also use a notion of context that allows our
ENC to describe whether a node is a "testing" or "production" type
system - we have hiera lookups based on that data, too.

Let me know if you want the hiera configs.

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3VHj6PVSUp0qYbvdR-yF8yhuchbEA%3D57FbUpK0E%3D3AKjQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Puppet Agent doesn't receive Catalog, Node.rb on Master shows correct YAML-output (Foreman)

[Matt]

Hi,

I'm having a strange issue with a Foreman setup where my agent don't 
receive their assigned manifests during their run. 


On the puppet master I can run a positive


./node.rb puppet-agent-fqdn


Where I see my whole yaml for the agent which should be applied.


When I do a puppet run this run goes well, no errors, and the agent reports 
back to foreman that there are no changes.


I'm really clueless what to check so can't post any output that show an 
actual issue.


Anyone a clue where to start ?


Thanks,


Matt

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/eefca5d6-eae9-42dc-8f59-2d0c78d522a8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Setting resource dependency from hiera problem

[Matt Raso-Barnett]

Hello,
I'm trying to utilise the following pattern in puppet4 to replace the
'create_resources' function:

https://docs.puppet.com/puppet/latest/reference/lang_resources_advanced.html#implementing-the-createresources-function

This works well for me in most usecases, however I'm having trouble
now when trying to specify the resource being created in this way
require another resource.

Here is my example:

I have an nfs::client::mount defined type, that I want to specify the
parameters for via a Hash in hiera, that I'm passing to this code
using the $nfs_mounts hash below:

class role::robinhood::hsm_agent (
  Hash[String,Hash] $nfs_mounts,
) {
  class { 'nfs':
client_enabled => true,
  }
  $nfs_defaults = {
"atboot"  => true,
"options_nfs" =>
'_netdev,tcp,nolock,rsize=32768,wsize=32768,intr,noatime,actimeo=3',
"subscribe"   => Service['network'],
  }
  $nfs_mounts.each |String $name, Hash $nfs_mount| {
Resource['nfs::client::mount'] {
  $name :   * => $nfs_mount;
  default : * => $nfs_defaults;
}
  }
}

Then in hiera for a node I would have something like:

---
classes:
  - "role::robinhood::hsm_agent"
  - "profile::network"

network::if_static:
  'eth0':
ensure: 'up'
ipaddress: '10.41.240.225'
netmask: '255.255.0.0'
  'eth1':
ensure: 'up'
ipaddress: '10.143.240.225'
netmask: '255.255.0.0'

role::robinhood::hsm_agent::nfs_mounts:
  '/mnt/qstar/wbic':
server: '10.143.200.47'
share:  '/srv/qstar/wbic'
require: "Network::If::Static['eth1']"

I'm making use of the NFS module:
https://github.com/derdanne/puppet-nfs and the Network module:
https://github.com/razorsedge/puppet-network in the above.

The network module is creating a resource Network::If::Static['eth1'],
however when I run the above I get the error:

Error: Could not retrieve catalog from remote server: Error 500 on
SERVER: Server Error: Invalid relationship:
Nfs::Client::Mount[/mnt/qstar/wbic] { require =>
Network::If::Static['eth1'] }, because Network::If::Static['eth1']
doesn't seem to be in the catalog
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

I don't understand why this isn't working - the
Network::If::Static['eth1'] resource definitely exists, as the above
code works correctly if I remove the 'require' line in hiera, eg:

role::robinhood::hsm_agent::nfs_mounts:
  '/mnt/qstar/wbic':
server: '10.143.200.47'
share:  '/srv/qstar/wbic'

However, it would be really useful for me to be able to specify the
resource dependency in hiera as outlined above, since the interface
for this resource to depend on will change from node to node.

I'm sure I'm overcomplicating this - I can accomplish what I want to
do here by making the resource explicitly in the node's 'role' code,
however I'm really finding it a nice way of working moving more and
more stuff into hashes that I define in Hiera, so I'm really keen to
make this work if it's possible.

Does anyone have any idea what I'm doing wrong here?

Thanks,
Matt

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAPsiXSAJ7hXiBRnzp8wnWbYkVjumhC_cM33rCewAA1q4zTQG_Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] variable scoping and erb templates

[Matt Zagrabelny]

On Tue, Aug 16, 2016 at 8:04 AM, jcbollinger  wrote:
>>
>> On Tue, Aug 16, 2016 at 1:31 AM, Lowe Schmidt  wrote:
>> > What version of Puppet are you running?
>>
>> Debian Jessie:
>>
>> 3.7.2-4
>>
>
>
> That looks like bug PUP-1220.  Note that although the ticket is marked as
> being fixed in Puppet 3.5, commentary on the ticket and details of the
> associated commit make me think that the fix only applies when you use the
> future parser.

Thanks for clearing my confusion, John!

Best,

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3W4DAqi9%3D63pwxGUO_jYQkcL6bnSMx_cePPN3z1dVyuyA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] variable scoping and erb templates

[Matt Zagrabelny]

Hi Lowe,

On Tue, Aug 16, 2016 at 1:31 AM, Lowe Schmidt <m...@loweschmidt.se> wrote:
> What version of Puppet are you running?

Debian Jessie:

3.7.2-4

-m

> --
> Lowe Schmidt | +46 723 867 157
>
> On 15 August 2016 at 20:48, Matt Zagrabelny <mzagr...@d.umn.edu> wrote:
>>
>> Greetings!
>>
>> I am hitting a curious question and couldn't find an answer.
>>
>> I can access variables from other classes when using an erb template.
>>
>> Here is my minimal example:
>>
>> # puppet apply variable_scope_test.pp
>> Notice: Compiled catalog for puppet.example.com in environment
>> production in 0.12 seconds
>> Notice: A variable from a different class:
>> Notice: /Stage[main]/Scope_example::Sub_class/Notify[A variable from a
>> different class: ]/message: defined 'message' as 'A variable from a
>> different class: '
>> Notice: Finished catalog run in 0.11 seconds
>>
>> # cd /tmp
>> # head -n -0 variable_scope_test.pp template.erb template_output
>> ==> variable_scope_test.pp <==
>> class scope_example {
>> $variable = "THIS IS A TEST!"
>> include scope_example::sub_class
>> }
>>
>> class scope_example::sub_class {
>> file { '/tmp/template_output':
>> content => template('/tmp/template.erb'),
>> }
>> notify { "A variable from a different class: $variable": }
>> }
>>
>> node 'puppet.example.com' {
>> include scope_example
>> }
>>
>> ==> template.erb <==
>> <%= @variable %>
>>
>> ==> template_output <==
>> THIS IS A TEST!
>>
>> So why is the template allowed to see variables in other classes?
>>
>> I would have ad expected to need to use the variable like:
>>
>> <%= @scope_example::variable %>
>>
>> But it clearly works without adjusting its namespace.
>>
>> Thoughts?
>>
>> Thanks!
>>
>> -m
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to puppet-users+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/puppet-users/CAOLfK3WBY9Hg%3DsaiHA2iAt4SRQjBX6XLsAJVj_qLGHJgjuugEg%40mail.gmail.com.
>> For more options, visit https://groups.google.com/d/optout.
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/CAC-wWcSmcHxSC5h169UOBiqq0HJTRtN7C4WfRbmnW02rHgx_OA%40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3XcZQ3ck7ZN8BWf27OT8Oc-suk-hBXZ01v1uXLANQoxGA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] variable scoping and erb templates

[Matt Zagrabelny]

Greetings!

I am hitting a curious question and couldn't find an answer.

I can access variables from other classes when using an erb template.

Here is my minimal example:

# puppet apply variable_scope_test.pp
Notice: Compiled catalog for puppet.example.com in environment
production in 0.12 seconds
Notice: A variable from a different class:
Notice: /Stage[main]/Scope_example::Sub_class/Notify[A variable from a
different class: ]/message: defined 'message' as 'A variable from a
different class: '
Notice: Finished catalog run in 0.11 seconds

# cd /tmp
# head -n -0 variable_scope_test.pp template.erb template_output
==> variable_scope_test.pp <==
class scope_example {
$variable = "THIS IS A TEST!"
include scope_example::sub_class
}

class scope_example::sub_class {
file { '/tmp/template_output':
content => template('/tmp/template.erb'),
}
notify { "A variable from a different class: $variable": }
}

node 'puppet.example.com' {
include scope_example
}

==> template.erb <==
<%= @variable %>

==> template_output <==
THIS IS A TEST!

So why is the template allowed to see variables in other classes?

I would have ad expected to need to use the variable like:

<%= @scope_example::variable %>

But it clearly works without adjusting its namespace.

Thoughts?

Thanks!

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3WBY9Hg%3DsaiHA2iAt4SRQjBX6XLsAJVj_qLGHJgjuugEg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Re: most idiomatic way to set resource defaults

[Matt Zagrabelny]

On Tue, Jul 12, 2016 at 3:28 PM, Matthew Pounsett
 wrote:
>
>
> On Monday, 11 July 2016 10:31:45 UTC-4, R.I. Pienaar wrote:
>>
>>
>>  best avoid create_resources in puppet 4 :)
>
>
> Why is that?

I can't speak for R.I., but I believe puppet 4 has "first class"
looping constructs. Thus, create_resource "hacks" won't be necessary.

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3Uv_UKmrG2W8oMYMLxu4OnSE9Kwv-h1fvDvmNaM8bjK8A%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Trouble creating a release RPM from puppetlabs/puppet source repo

[Matt Larson]

Eric et al,

Thanks again for your help with this!  I realize how crazy it may seem to 
want to rebuild from source.  My company has become so paranoid of open 
source software due to recent events, that the infosec team now requires us 
to vet (as if that's feasible) FOSS source code before bringing in.  Since 
starting this post, however, I was able to convince the team to bring in 
the PC1 repo.

As someone else has suggested to me, I will have to revisit with Vanagon 
and/or the src RPM in the future.   I would like to know how to build these 
though, so I'll revisit one day for sure. 

Cheers,
Matt

On Thursday, June 9, 2016 at 3:55:49 PM UTC-4, Eric Sorenson wrote:
>
> Matt, I would like to understand this better and help you adopt Puppet 
> into your environment.
>
> This is not a rhetorical question, but it might sound like one: Do you 
> rebuild your linux distribution from source RPMs? Because that is very 
> similar to what the AIO Puppet agent bundle is: a mini distribution with 
> the dependencies ending up in one artifact.
>
> People outside Puppet can (and have) successfully rebuilt AIO, and there 
> are also sucessful packaging efforts that take JUST the Puppet 4 source and 
> build a standalone RPM from it in the manner of the puppet 3 packages:
>
> puppet-4.2.1-3.fc24.src.rpm 
> <http://fedora.osuosl.org/linux/releases/test/24_Beta/Everything/source/tree/Packages/p/puppet-4.2.1-3.fc24.src.rpm>
>
> But our recommendation is to use the all-in-one obviously; it's what's 
> tested extensively and what ships in puppet enterprise. 
>
> --eric
>
> On Wednesday, June 8, 2016 at 2:01:43 AM UTC-7, Matt Larson wrote:
>>
>> Sorry for not getting back soon, Dan.
>>
>> Good question.
>>
>> I work for a draconian company that only allows installing FOSS after our 
>> infosec team has vetted the source code and then built from source; an 
>> impossible hand-waving exercise, I know... but it is what it is.
>>
>> On Friday, June 3, 2016 at 2:51:10 PM UTC-4, LinuxDan wrote:
>>>
>>> First Silly Question: Why ?
>>> What do you need to do that cannot be done with the RPM's from a 
>>> Puppetlabs repo ?
>>>
>>> Dan White | d_e_...@icloud.com
>>> 
>>> “Sometimes I think the surest sign that intelligent life exists elsewhere 
>>> in the universe is that none of it has tried to contact us.”  (Bill 
>>> Waterson: Calvin & Hobbes)
>>>
>>>
>>> On Jun 03, 2016, at 02:44 PM, Matt Larson <dryhum...@gmail.com> wrote:
>>>
>>>
>>> I'm trying to create an RPM from source on a stock RHEL6-based (CentOS6) 
>>> instance, but I'm seeing errors.  I also posted in 
>>> https://ask.puppet.com/question/26388/trouble-creating-a-release-rpm-from-puppetlabspuppet-source-repo/
>>>  
>>>
>>> The output actually gets pretty far along, but stops at with this error: 
>>> "install: cannot stat ext/redhat/puppet.conf: no such file or directory". 
>>> If I fix that problem by manually editing the SPEC file, I just get more 
>>> errors, so clearly there is no need to go down a rabbit hole since this 
>>> must work for someone else, right?
>>>
>>> I'm also posted in 
>>> https://ask.puppet.com/question/26388/trouble-creating-a-release-rpm-from-puppetlabspuppet-source-repo/
>>>
>>> Ideas?
>>>
>>> Thanks in Advance,
>>> Matt
>>>
>>>
>>> -- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "Puppet Users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to puppet-users...@googlegroups.com.
>>> To view this discussion on the web visit 
>>> https://groups.google.com/d/msgid/puppet-users/8d532582-be4b-4e58-813e-0e3519043a3f%40googlegroups.com
>>>  
>>> <https://groups.google.com/d/msgid/puppet-users/8d532582-be4b-4e58-813e-0e3519043a3f%40googlegroups.com?utm_medium=email_source=footer>
>>> .
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/a9afa926-20d1-40b4-8725-a571b0058e77%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Autorequire defined type from custom type

[Matt Dainty]

As per subject, is it possible to autorequire a defined type within a
custom type?

I've previously done `autorequire(:a_type) do ... end` for both built in
and other custom types but I was wondering if it's possible and therefore
what do I pass to `autorequire()`?

Matt

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/20160609135937.GD13102%40simulant.bodgit-n-scarper.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Trouble creating a release RPM from puppetlabs/puppet source repo

[Matt Larson]

I did try installing via the PC1 (AIO) repo, and it worked ok for me at 
home.  But like I said, can't do that at work.

What is your main concern with AIO?  I don't wanna make a bad step here.   
At first, AIO sounded scary to me... like some alternative to rpm/yum (in 
case of rhel-based distros), but it's still the same packaging mechanism, 
just dedicated repos per collective release, yes?

Thanks for your input,
Matt

On Friday, June 3, 2016 at 6:10:01 PM UTC-4, jcbollinger wrote:
>
>
>
> On Friday, June 3, 2016 at 1:51:10 PM UTC-5, LinuxDan wrote:
>>
>> First Silly Question: Why ?
>> What do you need to do that cannot be done with the RPM's from a 
>> Puppetlabs repo ?
>>
>
> If I were undertaking the exercise, it would be to avoid the AIO 
> structure.  I may one day undertake that exercise, but until now I have 
> instead just avoided upgrading to Puppet 4.
>
>
> John
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/c9df8020-7d7f-40f0-9a47-4685d13e2e93%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: Trouble creating a release RPM from puppetlabs/puppet source repo

[Matt Larson]

Thanks for helping with this, Stefan!

I tried this, but where are the puppet-agent source RPMs ?

On Friday, June 3, 2016 at 3:51:36 PM UTC-4, Stefan Heijmans wrote:
>
> Have you tried using the source RPMs from here;
>
> https://yum.puppetlabs.com/el/6/PC1/SRPMS/
>
>
> On Friday, June 3, 2016 at 8:44:20 PM UTC+2, Matt Larson wrote:
>>
>>
>> I'm trying to create an RPM from source on a stock RHEL6-based (CentOS6) 
>> instance, but I'm seeing errors.  I also posted in 
>> https://ask.puppet.com/question/26388/trouble-creating-a-release-rpm-from-puppetlabspuppet-source-repo/
>>  
>>
>> The output actually gets pretty far along, but stops at with this error: 
>> "install: cannot stat ext/redhat/puppet.conf: no such file or directory". 
>> If I fix that problem by manually editing the SPEC file, I just get more 
>> errors, so clearly there is no need to go down a rabbit hole since this 
>> must work for someone else, right?
>>
>> I'm also posted in 
>> https://ask.puppet.com/question/26388/trouble-creating-a-release-rpm-from-puppetlabspuppet-source-repo/
>>
>> Ideas?
>>
>> Thanks in Advance,
>> Matt
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/0ba6d149-b7db-4f8f-9262-84c4ad6b42d8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Trouble creating a release RPM from puppetlabs/puppet source repo

[Matt Larson]

Sorry for not getting back soon, Dan.

Good question.

I work for a draconian company that only allows installing FOSS after our 
infosec team has vetted the source code and then built from source; an 
impossible hand-waving exercise, I know... but it is what it is.

On Friday, June 3, 2016 at 2:51:10 PM UTC-4, LinuxDan wrote:
>
> First Silly Question: Why ?
> What do you need to do that cannot be done with the RPM's from a 
> Puppetlabs repo ?
>
> Dan White | d_e_...@icloud.com 
> 
> “Sometimes I think the surest sign that intelligent life exists elsewhere in 
> the universe is that none of it has tried to contact us.”  (Bill Waterson: 
> Calvin & Hobbes)
>
>
> On Jun 03, 2016, at 02:44 PM, Matt Larson <dryhum...@gmail.com 
> > wrote:
>
>
> I'm trying to create an RPM from source on a stock RHEL6-based (CentOS6) 
> instance, but I'm seeing errors.  I also posted in 
> https://ask.puppet.com/question/26388/trouble-creating-a-release-rpm-from-puppetlabspuppet-source-repo/
>  
>
> The output actually gets pretty far along, but stops at with this error: 
> "install: cannot stat ext/redhat/puppet.conf: no such file or directory". 
> If I fix that problem by manually editing the SPEC file, I just get more 
> errors, so clearly there is no need to go down a rabbit hole since this 
> must work for someone else, right?
>
> I'm also posted in 
> https://ask.puppet.com/question/26388/trouble-creating-a-release-rpm-from-puppetlabspuppet-source-repo/
>
> Ideas?
>
> Thanks in Advance,
> Matt
>
>
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to puppet-users...@googlegroups.com .
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/puppet-users/8d532582-be4b-4e58-813e-0e3519043a3f%40googlegroups.com
>  
> <https://groups.google.com/d/msgid/puppet-users/8d532582-be4b-4e58-813e-0e3519043a3f%40googlegroups.com?utm_medium=email_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/b4cd4c74-bd80-4a73-a6ca-63fb99047d78%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Trigger apt-get update if packages are to be installed

[Matt Zagrabelny]

On Mon, Jun 6, 2016 at 9:46 AM, Simon Weald  wrote:
> Hi everyone
>
> I've got a little bit of an issue which I'm currently fighting with. At the
> moment, we pass an array of packages to be installed to the package
> resource, however I need to call an apt-get update prior to the package
> installation (in case we add a new repo etc). My snippet below should
> probably give you a good idea of what I want to achieve:
>
> $installpackages = hiera_array('installed-packages')
>
> exec { "apt-update":
>  command => "/usr/bin/apt-get update",
>  refreshonly => true,
> }
>
> package { $installpackages:
>  ensure => 'present',
>  require => Exec['apt-update'],
> }
>
> Obviously my goal is to have the update only run if any packages are
> actually going to be installed - I can't use empty() against the array as it
> will always contain content.
>
> Can anyone suggest how I can achieve this?

We're using the puppetlabs apt resource and a line like:

Apt::Source <| |> -> Package <| |>

to ensure that any Apt::Source is processed before any package installation.

I know this doesn't quite do the updating - we do that daily via cron,
but it does demonstrate the global dependency ordering of sources and
packages.

Hope that helps!

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3We9%3DYap2uT93vLzfN5k0VyS%3DJ%2BshC1KnTXDNBFP6xr_g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Trouble creating a release RPM from puppetlabs/puppet source repo

[Matt Larson]

I'm trying to create an RPM from source on a stock RHEL6-based (CentOS6) 
instance, but I'm seeing errors.  I also posted in 
https://ask.puppet.com/question/26388/trouble-creating-a-release-rpm-from-puppetlabspuppet-source-repo/
 


The output actually gets pretty far along, but stops at with this error: 
"install: cannot stat ext/redhat/puppet.conf: no such file or directory". 
If I fix that problem by manually editing the SPEC file, I just get more 
errors, so clearly there is no need to go down a rabbit hole since this 
must work for someone else, right?

I'm also posted in 
https://ask.puppet.com/question/26388/trouble-creating-a-release-rpm-from-puppetlabspuppet-source-repo/

Ideas?

Thanks in Advance,
Matt

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/8d532582-be4b-4e58-813e-0e3519043a3f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Re: Sidedoor - Puppet Module

[Matt Zagrabelny]

Hi!

On Thu, Jun 2, 2016 at 9:24 AM, Warron French  wrote:
> Is there a limit to the number of questions that I can post to Google Groups
> or this list... in a single day?

Nope. :)

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3X%3DBE3f0%2BXbbAFdFixXC%3DtVdg2SQ_P_Pqx3VX8nLFXFBQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Test coverage behaviour changed between 3.x/4.x

[Matt Dainty]

I have an open bug report with the rspec-puppet project
(https://github.com/rodjek/rspec-puppet/issues/316) whereby the coverage from
testing custom functions in my modules are not cumulative but only include
coverage from the last expectation which results in reports showing low
percentages.

Anyway, I've now noticed that if I use Puppet 4.x (4.4.2 in this case) to run
the test suite then I get zero code coverage which I've tracked down to the
fact that the custom functions are shown in the report to be located in
`spec/fixtures/modules//lib/puppet/parser/functions/...` and the
whole of `spec/` is normally filtered out of the coverage report to prevent
the tests themselves and any Ruby code in dependent modules from contributing.

If I go back to Puppet 3.x (3.8.7) then the custom functions are shown to be
located in `lib/puppet/parser/functions/...` again as expected.

I have a small test module that I used to demonstrate the original bug
available here:

https://github.com/bodgit/puppet-test

Is this change in behaviour expected?

Matt

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/20160513134022.GC13102%40simulant.bodgit-n-scarper.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] DRY duplicated manifest code

[Matt Zagrabelny]

On Wed, Mar 23, 2016 at 3:04 PM, Hunter Haugen  wrote:
> Given the resource you want to apply this pattern to, it can be turned into
> a one-liner with a collector:
>
> file { '/tmp/something':
>   ensure => file,
> }
> File['/tmp/something'] ~> Service <| title == 'apache2' |>

Can you combine the two steps?

file { '/tmp/something':
ensure => file,
} ~> Service <| title == 'apache2' |>

or is that frowned upon, or just not possible?

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3WNnW8p09_Da88VcC5oPXMaKt4rV1R4QL3Verva8ap%2BNw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] DRY duplicated manifest code

[Matt Zagrabelny]

On Wed, Mar 23, 2016 at 3:04 PM, Hunter Haugen  wrote:
> Given the resource you want to apply this pattern to, it can be turned into
> a one-liner with a collector:
>
> file { '/tmp/something':
>   ensure => file,
> }
> File['/tmp/something'] ~> Service <| title == 'apache2' |>
>
> This means that if there is a service with a title of apache2 EVER added to
> the catalog, it'll be refreshed on file changes. If the service doesn't
> exist, then the dependency does nothing.
>
> Now, this isn't exactly what you asked since you wanted the variable
> $services_to_notify and didn't say what you're going to do with it, but I
> assume this is what you want? Because collectors are not parse-order
> specific, you can't do variable assignments like $services_to_notify =
> Service <| title == 'apache2' |> (because variables are evaluated in parse
> order and collectors are not).
>
> If you really want to make a function that searches the catalog and returns
> references, it can be done with something like
> `scope.catalog.resource('Service[apache2]')` inside the function I believe,
> though that may not be the exact call.

Thanks for the reply, Hunter. I'll dig in and report back if I've got issues.

Cheers!

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3XuVMK_xSWvCQ33qmR0Bywyo5xPaa6fJDannH%2BL5ymBZA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] DRY duplicated manifest code

[Matt Zagrabelny]

Greetings Puppet Users,

I have a chuck of code I'd like to centralize - you know DRY.

I've looked into a custom function, but I'm uncertain how to get at
the the puppet resources inside of ruby.

Here is the verbatim copy of the chuck in a puppet manifest:

if defined(Service['apache2']) {
$services_to_notify = [
Service['apache2'],
]
}
else {
$services_to_notify = []
}

and here is some hand-wavy pseudocode:

function return_service_array_if_defined($service) {
if defined(Service[$service]) {
return [
Service[$service],
]
}
else {
return []
}
}

Any suggestions or ideas for implementation?

Thanks!

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3V6i82smoDO2kwOYJTiurqdD3O_bt%2BaR4RYUGMsqCPgSw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] puppet.conf documentation

[Matt Zagrabelny]

Greetings,

I know that the puppet.conf documentation exists in extreme detail:

http://docs.puppetlabs.com/puppet/3.7/reference/configuration.html

What that page doesn't tell me is if the config items map to the
[agent] or [master] sections of the config file.

Does anyone know if that data exists in an easy to consume location?

On my puppet master system I have the following puppet.conf snippet:

[main]
logdir   = /var/log/puppet
vardir   = /var/lib/puppet
ssldir   = /var/lib/puppet/ssl
rundir   = /var/run/puppet
factpath = $vardir/lib/facter
dns_alt_names= puppet-3-7,puppet-3-7.d.umn.edu
stringify_facts  = false
ordering = manifest
environmentpath  = $confdir/environments
basemodulepath   =
$confdir/modules:$confdir/profiles:/usr/share/puppet/modules

Should I also have the same configs on my clients?

For instance, should stringify_facts be set on the clients?

Thanks for any help!

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3UdKoBuApY8XNsztWQqNRKGJER3LWj9QVJLF-EWdA6FCw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Warning: Local environment: "production" doesn't match server specified node environment

[Matt Zagrabelny]

Hi Martin,

On Sat, Jan 30, 2016 at 5:03 AM, Martin Alfke <tux...@gmail.com> wrote:
> Hi Matt,
>
> an ENC can set an environment for a node.

Yep. I'm using an ENC to set the environment to 'apt'.

> In case that a node does not specify an environment it will make use of 
> environment production.
> You can specify node environment on the node in puppet.conf in agent section:
>
> [agent]
> environment = apt

Sure. I'd like to avoid setting any environment in the puppet.conf and
only use the ENC *and* not get the warning.

Any ideas?

Thanks for the help!

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3UifksMBs-UEnBitWdf3HF0b1o6R_Vadwg7%3DFkYmgM%3DeQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Warning: Local environment: "production" doesn't match server specified node environment

[Matt Zagrabelny]

Hi Alfredo,

Thanks for the reply.

On Wed, Jan 27, 2016 at 4:47 PM, Alfredo De Luca
<alfredo.del...@gmail.com> wrote:
> Hi Matt.
> AFAIK production is the default environment assigned to all the nodes.

Sure.

> try
> puppet config print environment

Yep, production:

# puppet config print environment
production

So how do I get the warning to go away?

Warning: Local environment: "production" doesn't match server
specified node environment "apt", switching agent to "apt".

Any ideas?

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3UAMWc4dEWsspDnkGNkbiEYKSR5vN-CmxTFbP0RhfLAtQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Warning: Local environment: "production" doesn't match server specified node environment

[Matt Zagrabelny]

Greetings,

I've searched a bit and found some hits for the subject, but nothing that helps.

I'm using an ENC to drive the environment of my nodes.

I don't have "production" defined anywhere in my puppet.conf:

# grep production /etc/puppet/puppet.conf || echo "not there"
not there

and it is not defined on my command-line run:

puppet agent -t --server puppet-3-7 --debug

but I still get a warning about the local environment:

Warning: Local environment: "production" doesn't match server
specified node environment "apt", switching agent to "apt".

Where else (besides the /etc/puppet/puppet.conf and the command-line
option --environment) do I look for the local environment being set?

Thanks!

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3U3AFz%2BZzTvHXzLmodL8Tcw6QX1PwPvCDRtAN5fw-3SVw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Puppet 4.3.1 - lookup failing - versioncmp() error

[Matt Watson]

Hey guys, 

I recently came up against an error in 4.3.1 where versioncmp() seems to be 
broken:

Debug: Performing a hiera indirector lookup of lookup_options with options 
{:variables=>Scope(Class[Role::Gr01]), 
:merge=>#>, 
@value_type=#]>>>]>, @options={}>}

I have found some information attempting to deal with the problem as shown 
in the links below, but I still can't fix it. Does anyone know how I can 
deal with this issue?

https://tickets.puppetlabs.com/si/jira.issueviews:issue-html/PUP-5721/PUP-5721.html

https://tickets.puppetlabs.com/browse/PUP-4780

Thanks, 
Matt   

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/d8d0baa5-37ed-4475-b83a-26527179b313%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] puppet cert list yields no certs - SOLVED (sort of!)

[Matt Zagrabelny]

On Thu, Jan 7, 2016 at 5:41 PM, Matt Zagrabelny <mzagr...@d.umn.edu> wrote:
> On Thu, Jan 7, 2016 at 5:35 PM, Peter Kristolaitis <alte...@alter3d.ca> wrote:
>> Apparently I was a little too quick on the send button.  :(
>>
>> To continue my previous email:
>>
>> Does 'puppet cert list --all' show any certs at all?
>
> Yep:
>
> # puppet cert list --all
> + "puppet-client-1.example.net" (SHA256)
> A3:73:DC:89:B2:13:D4:C5:7A:58:B9:EB:7E:6A:22:1C:36:97:BD:8F:4C:AD:18:39:2E:F8:10:2C:29:36:F6:82
> + "puppet-3-7.example.net" (SHA256)
> E6:F6:7D:6C:D8:30:6C:AC:1E:B5:5D:29:E8:11:0C:CB:54:22:BA:B3:96:C1:E2:49:7A:48:CF:3E:F8:12:43:24
> (alt names: "DNS:puppet-3-7", "DNS:puppet-3-7.example.net")
>
> I don't remember what I did to get the master to accept the CSR of
> puppet-client-1 earlier, but I did have similar issues where I ran the
> client and the master didn't show any unsigned certs when running
> "puppet cert list".
>
> That was a few weeks ago. I'm just coming back to puppet 3.7 now.

Regenerating the client cert and connecting to the master seems to get
me one step further.

client:

find /var/lib/puppet/ssl -name puppet-cliet.example.net.pem -delete

server:

puppet cert clean puppet-client.example.net

client:

puppet agent -t --server puppet-3-7 --debug

server:

puppet cert list
  "puppet-client.example.net" (SHA256)
E9:D3:10:D4:A0:0D:C7:BC:1F:FA:70:3E:DD:35:35:6C:1C:5C:D0:48:61:96:25:2F:E7:D2:DA:8F:4E:3F:24:CB

puppet cert sign puppet-client.example.net

client:

puppet agent -t --server puppet-3-7 --debug
[...]
Error: Could not request certificate: SSL_connect returned=1 errno=0
state=unknown state: certificate verify failed: [self signed
certificate in certificate chain for /CN=Puppet CA:
puppet-3-7.example.net]
Exiting; failed to retrieve certificate and waitforcert is disabled

Then performing the above steps, but clearing out all .pem files on
the client seemed to fix the issue.

Cheers!

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3XrqYOYVQrizt-DddNR8ggtBp-fyqmc0N4XnH_DG2i3wQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] puppet cert list yields no certs

[Matt Zagrabelny]

Greetings,

I am attempting to get a puppet 3.7 install off the ground. Please
don't ask me to upgrade to 4.X series. :)

On the puppet master (puppet-3-7.example.net):
# puppet master --no-daemonize --debug
[...]
Info: Not Found: Could not find certificate puppet-client.example.net
Debug: Routes Registered:
Debug: Route /^\/v2\.0/
Debug: Route /.*/
Debug: Evaluating match for Route /^\/v2\.0/
Debug: Did not match path ("/production/certificate/puppet-client.example.net")
Debug: Evaluating match for Route /.*/
Info: Not Found: Could not find certificate puppet-client.example.net

On the puppet client:
# puppet agent -t --server puppet-3-7 --debug
[...]
Debug: /File[/var/lib/puppet/ssl/private_keys/puppet-client.example.net.pem]:
Autorequiring File[/var/lib/puppet/ssl/private_keys]
Debug: /File[/var/lib/puppet/ssl/public_keys/puppet-client.example.net.pem]:
Autorequiring File[/var/lib/puppet/ssl/public_keys]
Debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring
File[/var/lib/puppet/ssl/certs]
Debug: /File[/var/lib/puppet/facts.d]: Autorequiring File[/var/lib/puppet]
Debug: Finishing transaction 10544780
Debug: Using cached certificate for ca
Debug: Using cached certificate for ca
Debug: Creating new connection for https://puppet-3-7:8140
Debug: Using cached certificate_request for puppet-client.example.net
Debug: Using cached certificate for ca
Debug: Creating new connection for https://puppet-3-7:8140
Debug: Creating new connection for https://puppet-3-7:8140
Debug: Using cached certificate_request for puppet-client.example.net
Debug: Using cached certificate for ca
Debug: Creating new connection for https://puppet-3-7:8140
Debug: Using cached certificate for ca
Debug: Creating new connection for https://puppet-3-7:8140
Exiting; no certificate found and waitforcert is disabled

Then on the master:
# puppet cert list
#

I have a 2.7 puppet environment that works very well and I am well
accustomed to dealing with the certs.

The auth.conf file looks okay, too:

# allow nodes to request a new certificate
path /certificate_request
auth any
method find, save
allow *

Can anyone help interpret the debug messages above? Or point me in the
correct direction?

Thanks!

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3XzboPFXEWW0usdh5miV1AcC5cKfQL045ppokPjdOBcFA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] puppet cert list yields no certs

[Matt Zagrabelny]

On Thu, Jan 7, 2016 at 5:35 PM, Peter Kristolaitis  wrote:
> Apparently I was a little too quick on the send button.  :(
>
> To continue my previous email:
>
> Does 'puppet cert list --all' show any certs at all?

Yep:

# puppet cert list --all
+ "puppet-client-1.example.net" (SHA256)
A3:73:DC:89:B2:13:D4:C5:7A:58:B9:EB:7E:6A:22:1C:36:97:BD:8F:4C:AD:18:39:2E:F8:10:2C:29:36:F6:82
+ "puppet-3-7.example.net" (SHA256)
E6:F6:7D:6C:D8:30:6C:AC:1E:B5:5D:29:E8:11:0C:CB:54:22:BA:B3:96:C1:E2:49:7A:48:CF:3E:F8:12:43:24
(alt names: "DNS:puppet-3-7", "DNS:puppet-3-7.example.net")

I don't remember what I did to get the master to accept the CSR of
puppet-client-1 earlier, but I did have similar issues where I ran the
client and the master didn't show any unsigned certs when running
"puppet cert list".

That was a few weeks ago. I'm just coming back to puppet 3.7 now.

-m

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3WFFhbbZTGrwC1bLDYLtSYxTN3XwU-RTNPtAEAYz-7U7g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] puppet cert list yields no certs

[Matt Zagrabelny]

Hey Peter,

On Thu, Jan 7, 2016 at 5:28 PM, Peter Kristolaitis <alte...@alter3d.ca> wrote:
> 'puppet cert list' only shows unsigned certs.
>
> 'puppet cert list --all' will show all certs.

I failed to mention it explicitly:

The client does not have a signed cert. I'm try to get the master to
"accept" the CSR from the client.

-m

>
> On 1/7/2016 6:17 PM, Matt Zagrabelny wrote:
>>
>> Greetings,
>>
>> I am attempting to get a puppet 3.7 install off the ground. Please
>> don't ask me to upgrade to 4.X series. :)
>>
>> On the puppet master (puppet-3-7.example.net):
>> # puppet master --no-daemonize --debug
>> [...]
>> Info: Not Found: Could not find certificate puppet-client.example.net
>> Debug: Routes Registered:
>> Debug: Route /^\/v2\.0/
>> Debug: Route /.*/
>> Debug: Evaluating match for Route /^\/v2\.0/
>> Debug: Did not match path
>> ("/production/certificate/puppet-client.example.net")
>> Debug: Evaluating match for Route /.*/
>> Info: Not Found: Could not find certificate puppet-client.example.net
>>
>> On the puppet client:
>> # puppet agent -t --server puppet-3-7 --debug
>> [...]
>> Debug:
>> /File[/var/lib/puppet/ssl/private_keys/puppet-client.example.net.pem]:
>> Autorequiring File[/var/lib/puppet/ssl/private_keys]
>> Debug:
>> /File[/var/lib/puppet/ssl/public_keys/puppet-client.example.net.pem]:
>> Autorequiring File[/var/lib/puppet/ssl/public_keys]
>> Debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring
>> File[/var/lib/puppet/ssl/certs]
>> Debug: /File[/var/lib/puppet/facts.d]: Autorequiring File[/var/lib/puppet]
>> Debug: Finishing transaction 10544780
>> Debug: Using cached certificate for ca
>> Debug: Using cached certificate for ca
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Debug: Using cached certificate_request for puppet-client.example.net
>> Debug: Using cached certificate for ca
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Debug: Using cached certificate_request for puppet-client.example.net
>> Debug: Using cached certificate for ca
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Debug: Using cached certificate for ca
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Exiting; no certificate found and waitforcert is disabled
>>
>> Then on the master:
>> # puppet cert list
>> #
>>
>> I have a 2.7 puppet environment that works very well and I am well
>> accustomed to dealing with the certs.
>>
>> The auth.conf file looks okay, too:
>>
>> # allow nodes to request a new certificate
>> path /certificate_request
>> auth any
>> method find, save
>> allow *
>>
>> Can anyone help interpret the debug messages above? Or point me in the
>> correct direction?
>>
>> Thanks!
>>
>> -m
>>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/568EF4A3.4020607%40alter3d.ca.
> For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3W63er4xJMjhosc6z9fqJhcGTHoMJme%3DCM-4A5LekcrRg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] ENC

[Matt Zagrabelny]

On Fri, Dec 11, 2015 at 11:54 AM, Sergiu Cornea
 wrote:
> Hello guys,
>
> I have an ENC which is producing the right data as far as I could have test
> it (copy and paste it in a yaml file), however, when I am using Puppet
> directly Puppet seems to do nothing with it.

Try running something like:

puppet master --no-daemonize --debug

and read the output.

You should see something like:

Debug: Executing '/var/lib/puppet/fetch_enc.sh yournode.example.com'

Try running that same command:

/var/lib/puppet/fetch_enc.sh yournode.example.com

and see what the output is.

Also, there should be plenty of debugging information in the output of
puppet master --no-daemonize --debug.

Cheers,

-m

> This is my Puppet.conf file and logging shows that this script is being
> executed by the Puppet master, like I've said Puppet doesn't seem to be
> using the data.
>
> [master]
>   node_terminus = exec
>   external_nodes = /var/lib/puppet/fetch_enc.sh
>
> Thank you,
>
> Regards,
> Sergiu
>
> This message and its attachments are private and confidential. If you have
> received this message in error, please notify the sender and remove it and
> its attachments from your system.
>
> The University of Westminster is a charity and a company limited by
> guarantee. Registration number: 977818 England. Registered Office: 309
> Regent Street, London W1B 2UW.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/8cee2af7-cc5a-4a0b-a941-06a070df6f72%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3XHodQUQ5thV9MCco80-XqmT-Suzuoa4HrDab5p0iyA7Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Puppetlabs/mysql forge module - user accounts

[Matt Shields]

I'm using the Puppetlabs/mysql forge module and I have it creating a db and 
adding a few users.  Is there a way to automatically remove any accounts 
that are not defined in my puppet script?  For example, if an admin 
manually created a user?

-matt

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/475587a1-8b92-48f4-91a0-35d908548d62%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Regex and Hyphen in node definitions

[Matt Shields]

I'm running Puppet 3.7.4-1

On Monday, November 16, 2015 at 10:50:00 PM UTC-5, Henrik Lindberg wrote:
>
> On 2015-16-11 13:44, Matt Shields wrote: 
> > I'm having an issue with trying to use regex with hostnames that have a 
> > hyphen in their name.  How can I get this to work? 
> > 
> > node /^(.*)-(db00)(.*)$/ { 
> >include role::db 
> > } 
> > 
> > [root@ops-db001 ~]# puppet agent -t 
> > Info: Retrieving pluginfacts 
> > Info: Retrieving plugin 
> > Info: Loading facts 
> > Error: Could not retrieve catalog from remote server: Error 400 on 
> > SERVER: Invalid tag '-db00.' on node ops-db001.example.dom 
> > Warning: Not using cache on failed catalog 
> > Error: Could not retrieve catalog; skipping run 
> > 
>
> Which version of Puppet are you using? This problem sounds familiar and 
> may have be fixed in a more recent version of Puppet. 
>
> - henrik 
>
> -- 
>
> Visit my Blog "Puppet on the Edge" 
> http://puppet-on-the-edge.blogspot.se/ 
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/20e449dc-5058-4a44-bc0b-abd14d12479e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Regex and Hyphen in node definitions

[Matt Shields]

Excellent.  That works.  Thank you very much

Matt

On Tue, Nov 17, 2015 at 11:04 AM, R.I.Pienaar <r...@devco.net> wrote:

>
>
> - Original Message -
> > From: "Peter Bukowinski" <pmb...@gmail.com>
> > To: "puppet-users" <puppet-users@googlegroups.com>
> > Sent: Tuesday, November 17, 2015 4:01:38 PM
> > Subject: Re: [Puppet Users] Regex and Hyphen in node definitions
>
> > Is consider removing the ^ and $ anchors. I think I you'll find it works
> without
> > them.
> >
> > -- Peter
> >
> >> On Nov 17, 2015, at 9:57 AM, Matt Shields <m...@mattshields.org> wrote:
> >>
> >> If there are any other suggestions on how to regex the nodes, that
> would be
> >> extremely helpful.  We name our hosts like.
> >>
> >> {clientname}-{purpose}{001-999}
> >> Ex.
> >> ops-db001 -> uses db profile
> >> ops-bidb001 -> uses bidb profile
> >> ops-sdb001 -> uses sdb profile
> >> ops-web001 -> uses web profile
> >>
> >> client1-db001
> >> client1-bidb001
> >> client1-sdb001
> >> client1-web001
>
> anything without - really, so \W would work in this particular case
> /^(.*)\W(db00)(.*)$/
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/1210234894.1130888.1447776285234.JavaMail.zimbra%40devco.net
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOTD2YTFEvtF0t698hL%2B0dVmuiHyUBarxnHy-cwNaafGqYzVxQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Regex and Hyphen in node definitions

[Matt Shields]

If there are any other suggestions on how to regex the nodes, that would be 
extremely helpful.  We name our hosts like. 

{clientname}-{purpose}{001-999}
Ex.
ops-db001 -> uses db profile
ops-bidb001 -> uses bidb profile
ops-sdb001 -> uses sdb profile
ops-web001 -> uses web profile

client1-db001
client1-bidb001
client1-sdb001
client1-web001

Thanks
Matt

On Tuesday, November 17, 2015 at 10:22:03 AM UTC-5, Matt Shields wrote:
>
> I just updated to 3.8.4-1 and I'm still seeing the same issue
>
> On Tuesday, November 17, 2015 at 8:38:33 AM UTC-5, Matt Shields wrote:
>>
>> I'm running Puppet 3.7.4-1
>>
>> On Monday, November 16, 2015 at 10:50:00 PM UTC-5, Henrik Lindberg wrote:
>>>
>>> On 2015-16-11 13:44, Matt Shields wrote: 
>>> > I'm having an issue with trying to use regex with hostnames that have 
>>> a 
>>> > hyphen in their name.  How can I get this to work? 
>>> > 
>>> > node /^(.*)-(db00)(.*)$/ { 
>>> >include role::db 
>>> > } 
>>> > 
>>> > [root@ops-db001 ~]# puppet agent -t 
>>> > Info: Retrieving pluginfacts 
>>> > Info: Retrieving plugin 
>>> > Info: Loading facts 
>>> > Error: Could not retrieve catalog from remote server: Error 400 on 
>>> > SERVER: Invalid tag '-db00.' on node ops-db001.example.dom 
>>> > Warning: Not using cache on failed catalog 
>>> > Error: Could not retrieve catalog; skipping run 
>>> > 
>>>
>>> Which version of Puppet are you using? This problem sounds familiar and 
>>> may have be fixed in a more recent version of Puppet. 
>>>
>>> - henrik 
>>>
>>> -- 
>>>
>>> Visit my Blog "Puppet on the Edge" 
>>> http://puppet-on-the-edge.blogspot.se/ 
>>>
>>>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/e8a7c513-3026-4166-86f8-48658b135700%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Regex and Hyphen in node definitions

[Matt Shields]

That didn't work.  Same error (Invalid tag)

On Tuesday, November 17, 2015 at 11:01:47 AM UTC-5, Peter Bukowinski wrote:
>
> Is consider removing the ^ and $ anchors. I think I you'll find it works 
> without them.
>
> -- Peter
>
> On Nov 17, 2015, at 9:57 AM, Matt Shields <ma...@mattshields.org 
> > wrote:
>
> If there are any other suggestions on how to regex the nodes, that would 
> be extremely helpful.  We name our hosts like. 
>
> {clientname}-{purpose}{001-999}
> Ex.
> ops-db001 -> uses db profile
> ops-bidb001 -> uses bidb profile
> ops-sdb001 -> uses sdb profile
> ops-web001 -> uses web profile
>
> client1-db001
> client1-bidb001
> client1-sdb001
> client1-web001
>
> Thanks
> Matt
>
> On Tuesday, November 17, 2015 at 10:22:03 AM UTC-5, Matt Shields wrote:
>>
>> I just updated to 3.8.4-1 and I'm still seeing the same issue
>>
>> On Tuesday, November 17, 2015 at 8:38:33 AM UTC-5, Matt Shields wrote:
>>>
>>> I'm running Puppet 3.7.4-1
>>>
>>> On Monday, November 16, 2015 at 10:50:00 PM UTC-5, Henrik Lindberg wrote:
>>>>
>>>> On 2015-16-11 13:44, Matt Shields wrote: 
>>>> > I'm having an issue with trying to use regex with hostnames that have 
>>>> a 
>>>> > hyphen in their name.  How can I get this to work? 
>>>> > 
>>>> > node /^(.*)-(db00)(.*)$/ { 
>>>> >include role::db 
>>>> > } 
>>>> > 
>>>> > [root@ops-db001 ~]# puppet agent -t 
>>>> > Info: Retrieving pluginfacts 
>>>> > Info: Retrieving plugin 
>>>> > Info: Loading facts 
>>>> > Error: Could not retrieve catalog from remote server: Error 400 on 
>>>> > SERVER: Invalid tag '-db00.' on node ops-db001.example.dom 
>>>> > Warning: Not using cache on failed catalog 
>>>> > Error: Could not retrieve catalog; skipping run 
>>>> > 
>>>>
>>>> Which version of Puppet are you using? This problem sounds familiar and 
>>>> may have be fixed in a more recent version of Puppet. 
>>>>
>>>> - henrik 
>>>>
>>>> -- 
>>>>
>>>> Visit my Blog "Puppet on the Edge" 
>>>> http://puppet-on-the-edge.blogspot.se/ 
>>>>
>>>> -- 
> You received this message because you are subscribed to the Google Groups 
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to puppet-users...@googlegroups.com .
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/puppet-users/e8a7c513-3026-4166-86f8-48658b135700%40googlegroups.com
>  
> <https://groups.google.com/d/msgid/puppet-users/e8a7c513-3026-4166-86f8-48658b135700%40googlegroups.com?utm_medium=email_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/c7545e2e-5c1c-4709-9d00-581cf05645f3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Regex and Hyphen in node definitions

[Matt Shields]

I just updated to 3.8.4-1 and I'm still seeing the same issue

On Tuesday, November 17, 2015 at 8:38:33 AM UTC-5, Matt Shields wrote:
>
> I'm running Puppet 3.7.4-1
>
> On Monday, November 16, 2015 at 10:50:00 PM UTC-5, Henrik Lindberg wrote:
>>
>> On 2015-16-11 13:44, Matt Shields wrote: 
>> > I'm having an issue with trying to use regex with hostnames that have a 
>> > hyphen in their name.  How can I get this to work? 
>> > 
>> > node /^(.*)-(db00)(.*)$/ { 
>> >include role::db 
>> > } 
>> > 
>> > [root@ops-db001 ~]# puppet agent -t 
>> > Info: Retrieving pluginfacts 
>> > Info: Retrieving plugin 
>> > Info: Loading facts 
>> > Error: Could not retrieve catalog from remote server: Error 400 on 
>> > SERVER: Invalid tag '-db00.' on node ops-db001.example.dom 
>> > Warning: Not using cache on failed catalog 
>> > Error: Could not retrieve catalog; skipping run 
>> > 
>>
>> Which version of Puppet are you using? This problem sounds familiar and 
>> may have be fixed in a more recent version of Puppet. 
>>
>> - henrik 
>>
>> -- 
>>
>> Visit my Blog "Puppet on the Edge" 
>> http://puppet-on-the-edge.blogspot.se/ 
>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/b20875ea-2277-472b-9785-a0c26f1e6e28%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Regex and Hyphen in node definitions

[Matt Shields]

I'm having an issue with trying to use regex with hostnames that have a 
hyphen in their name.  How can I get this to work?

node /^(.*)-(db00)(.*)$/ {
  include role::db
}

[root@ops-db001 ~]# puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: 
Invalid tag '-db00.' on node ops-db001.example.dom
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/ed1be089-ec26-40d5-8df2-5d372d41c2b2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] enabling facts hash

[Matt Zagrabelny]

Greetings,

I'm getting ready to spin up a puppet 3.7 environment (Debian Jessie)
and was reading about the top level $facts hash that holds the
client's facts. The puppet documentation states that it is off by
default in the open source version [1].

"Drawbacks: Only works with Puppet 3.5 or later. Disabled by default
in open source releases prior to Puppet 4.0."

I grepped the configs on my puppet master and didn't see what config I
need to change to enable this feature.

# puppet config print | grep fact
cfacter = false
facts_terminus = facter
inventory_terminus = facter
stringify_facts = true
node_name_fact =
dynamicfacts = memorysize,memoryfree,swapsize,swapfree
pluginfactdest = /var/lib/puppet/facts.d
pluginfactsource = puppet://puppet/pluginfacts
factpath = /var/lib/puppet/lib/facter

Any ideas on how to enable this feature?

Thanks!

-m

[1] 
https://docs.puppetlabs.com/puppet/latest/reference/lang_facts_and_builtin_vars.html#the-factsfactname-hash

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3WpEdFdyxoOGCPiqoN_stv%2BAaCUmbYUrn_hzm6PMdmxjQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: enabling facts hash - SOLVED

[Matt Zagrabelny]

On Wed, Nov 11, 2015 at 9:42 AM, Matt Zagrabelny <mzagr...@d.umn.edu> wrote:
> Greetings,
>
> I'm getting ready to spin up a puppet 3.7 environment (Debian Jessie)
> and was reading about the top level $facts hash that holds the
> client's facts. The puppet documentation states that it is off by
> default in the open source version [1].
>
> "Drawbacks: Only works with Puppet 3.5 or later. Disabled by default
> in open source releases prior to Puppet 4.0."
>
> I grepped the configs on my puppet master and didn't see what config I
> need to change to enable this feature.
>
> # puppet config print | grep fact
> cfacter = false
> facts_terminus = facter
> inventory_terminus = facter
> stringify_facts = true
> node_name_fact =
> dynamicfacts = memorysize,memoryfree,swapsize,swapfree
> pluginfactdest = /var/lib/puppet/facts.d
> pluginfactsource = puppet://puppet/pluginfacts
> factpath = /var/lib/puppet/lib/facter
>
> Any ideas on how to enable this feature?

>From [2]:

trusted_node_data = true (Puppet master/apply only) — This enables the
$trusted and $facts hashes, so you can start using them in your own
code.

Cheers,

-m

[2] 
http://docs.puppetlabs.com/puppet/3.8/reference/config_important_settings.html

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3VznC2qM_NGQ_%2Bi9LPqQ7giv1%3DSwKjEFZ7GfZ5KWuVR4w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Reusable function/class code

[Matt Shields]

I need to do the same process over and over again for numerous users.  What
would be the easy way to create a class or function to wrap the following
code so that each time I need to do the following it's a single line of
code.  Currently what' I've been doing is copying the 35 lines of code and
duplicating it for hundreds of users.

$username_john = hiera ( 'ftp_username_john' )
$password_john = hiera ( 'ftp_password_john' )

user { "${username_john}":
  ensure  => present,
  password=> "${password_john}",
  managehome  => false,
  home=> '/incoming',
  groups  => 'sftpusers',
  shell   => '/sbin/nologin',
}

file { "/sftp/${username_john}":
  ensure  => directory,
  owner   => 'root',
  group   => 'root',
  mode=> '0755',
  require => File['/sftp'],
}

file { "/sftp/${username_john}/incoming":
  ensure  => directory,
  owner   => $username_john,
  group   => 'sftpusers',
  mode=> '0755',
  require => File["/sftp/${username_john}"],
}

file { "/sftp/${username_john}/outgoing":
  ensure  => directory,
  owner   => $username_john,
  group   => 'sftpusers',
  mode=> '0755',
  require => File["/sftp/${username_john}"],
}


Matt

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOTD2YS8tqLoruzLB_ty3YS%3DUkgyVspQBm5mG-v%3DA71PQJKg-A%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Puppetdb garbage collection failing

[Matt Jarvis]

 

 count |  name   

---+-

 1 | macaddress_qvb34470225_cd

 1 | mtu_qbr2fb476b3_ff

 1 | speed_qvbfa2ec4e3_15

 1 | macaddress_qvo547572f9_14

 1 | speed_qvo2e200191_c0

 1 | mtu_qbr5eaffca5_fb

 1 | macaddress_qbr0d4ed278_e3

 1 | mtu_qvb8166a899_d1

 1 | speed_qvb4e0d1069_13

 1 | speed_qvbb2d99f31_86

 1 | mtu_qbr65afa39a_9a

 1 | speed_qvb336884d1_12

 1 | speed_qvbf81c2831_4f

 1 | mtu_qbr6d9cbcfc_82

 1 | mtu_qbr441a8d9c_9e

 1 | macaddress_qbrb400a4cf_a3

 1 | mtu_qbr0bdbfadc_6a

 1 | macaddress_qbrf9e0c7d4_7b

 1 | macaddress_qbr3fe74368_2f

 1 | macaddress_qvoc943cbcd_c3

 1 | macaddress_qvb7e04f0db_2b

 1 | mtu_qbrb42e4516_13

 1 | macaddress_qvbefdec85e_5b

 1 | mtu_qbr4575c981_84

 1 | speed_qvbb771b00f_b4

 1 | speed_qvo04f9f59c_d2

 1 | macaddress_qbre4308db4_12

 1 | speed_qvb997d8a21_72

 1 | mtu_qvo699d2518_05

 1 | mtu_qvbc5dcb18f_8b

 1 | mtu_qvb766c608d_7a

 1 | speed_qvo137786a3_ce

 1 | speed_qvo02ec32fd_28

 1 | macaddress_qbr3b6455da_f1

 1 | mtu_qvb993a2dfb_5e

 1 | macaddress_qvo14369bd5_d3


Is that enough of that query result ? We're an OpenStack public cloud 
provider, so in our cluster we have many network interfaces changing a lot 
when new virtual networks and machines are created - those are all related 
to virtual interfaces. Looks like the majority of that table is full of 
them. 

On Monday, September 28, 2015 at 6:45:49 PM UTC+1, Wyatt Alt wrote:
>
> On 09/28/2015 10:39 AM, Wyatt Alt wrote:
>
> On 09/28/2015 05:40 AM, Matt Jarvis wrote:
>
> We seem to have hit a bit of an issue with puppetdb garbage collection. 
> Initial symptoms were exceptions in the puppetdb logs : 
>
> Retrying after attempt 6, due to: org.postgresql.util.PSQLException: This 
> connection has been closed.
>
>
> And on the postgres side :
>
>
> LOG:  incomplete message from client
>
>
> Having turned up the logging on postgres, it appears that the query 
>
>
> DELETE FROM fact_paths fp
>
>   WHERE fp.id in ( $some_ids )  AND NOT EXISTS (SELECT 1 FROM 
> facts f
>
>   WHERE f.fact_path_id in ( $some_more_ids ) AND 
> f.fact_path_id = fp.id
>
> AND f.factset_id <> $26355)
>
>
> is the cuplrit. This query is absolutely massive, with over 26000 id's 
> specified as parameters - as soon as the query is executed, postgres 
> returns incomplete message from client and drops the connection. 
>
>
> puppetdb is 2.3.7-1puppetlabs1
>
> postgres is 9.3
>
>
> Does anyone have any clues what's going on here ?
>
>
> Thanks
>
>
> Matt
>
> DataCentred Limited registered in England and Wales no. 05611763 -- 
> You received this message because you are subscribed to the Google Groups 
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to puppet-users...@googlegroups.com .
> To view this discussion on the web visit 
> <https://groups.google.com/d/msgid/puppet-users/5fe3bad3-71a7-4348-a9ff-24d8a0284a1c%40googlegroups.com>
> https://groups.google.com/d/msgid/puppet-users/5fe3bad3-71a7-4348-a9ff-24d8a0284a1c%40googlegroups.com
> .
> For more options, visit https://groups.google.com/d/optout.
>
> Hey Matt,
>
> I can reproduce this by inserting a value at the beginning of an extremely 
> large array-valued structured fact, but we'll need to know more about your 
> particular data to confirm whether that's your particular issue. This could 
> be some large custom fact you're creating or something generated by a 
> module.
>
> I've created a ticket here around this issue here
> https://tickets.puppetlabs.com/browse/PDB-2003
>
> can you connect to the database via psql and share (either here or in the 
> ticket) the output of
>
> select count(*),name from fact_paths group by name order by count desc;
>
> ?
>
> My hope is that that will identify one or more large structured facts 
> associated with a lot of leaf values, and then we'll need to figure out 
> where they're coming from.
>
> Wyatt
>
>
> Just to clarify, I think the top few rows of that result should be enough 
> to illustrate -- no need to include the whole thing.
>
> Wyatt
>

-- 
DataCentred Limited registered in England and Wales no. 05611763

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/81433280-72d8-4c9d-983d-f4c5227eb1e6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Puppetdb garbage collection failing

[Matt Jarvis]

We seem to have hit a bit of an issue with puppetdb garbage collection. 
Initial symptoms were exceptions in the puppetdb logs :

Retrying after attempt 6, due to: org.postgresql.util.PSQLException: This 
connection has been closed.


And on the postgres side :


LOG:  incomplete message from client


Having turned up the logging on postgres, it appears that the query 


DELETE FROM fact_paths fp

  WHERE fp.id in ( $some_ids )  AND NOT EXISTS (SELECT 1 FROM facts 
f

  WHERE f.fact_path_id in ( $some_more_ids ) AND 
f.fact_path_id = fp.id

AND f.factset_id <> $26355)


is the cuplrit. This query is absolutely massive, with over 26000 id's 
specified as parameters - as soon as the query is executed, postgres 
returns incomplete message from client and drops the connection. 


puppetdb is 2.3.7-1puppetlabs1

postgres is 9.3


Does anyone have any clues what's going on here ?


Thanks


Matt

-- 
DataCentred Limited registered in England and Wales no. 05611763

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/5fe3bad3-71a7-4348-a9ff-24d8a0284a1c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: Clarification/Question re: Puppet 3.8, Cloud Provisioner, and VMWare

[Matt]

It appears in PE 3.8.1 there is puppetlabs/aws but nothing to replace 
node_vmware functionality to provision vmware vm's.  I cannot find a 
module, am I missing something ?

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/8bae5697-d40c-472c-85da-0031b862de0d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] What's difference between roles and profiles, ENC and Hiera

[Matt Zagrabelny]

On Tue, Mar 31, 2015 at 10:16 AM, Dhaval d.josh...@gmail.com wrote:
 Hello,

 I am starting learning puppet, i want to understand what is the difference
 between roles and profiles and ENV and Hiera ? are all different ways of
 assigning classes or data to host ? can you help to give me brief comparison
 and what's best suited ?

I'd start with googling and watch some videos and then ask more
specific questions.

https://puppetlabs.com/presentations/designing-puppet-rolesprofiles-pattern
http://www.craigdunn.org/2012/05/239/
http://garylarizza.com/blog/2014/02/17/puppet-workflow-part-2/

https://www.youtube.com/watch?v=z9TK-gUNFHk

Enjoy!

-m

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3Ue3Hj4Yc_Th_Kx_CriFUNwSM0QBN8dJDtOwR7EjM%3DGLg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Re: Puppetlabs-mysql with Percona

[Matt Shields]

Not sure why but it looks like when trying to start Percona, it couldn't
create a pid file because there was no /var/run/mysql directory and no
permissions set.  I had to manually create the folder and set permissions,
now it seems to be working.

 15   package { 'percona-release':
 16 ensure   = present,
 17 source   = '
http://www.percona.com/downloads/percona-release/redhat/0.1-3/perc
 18 provider = rpm,
 19   }
 20
 21   file { '/var/run/mysql':
 22 ensure = directory,
 23 owner  = 'mysql',
 24 group  = 'mysql',
 25   }
 26
 27   $override_options = {
 28 'mysqld'= {
 29   'bind-address'= '0.0.0.0',
 30   'max_connections' = '1024',
 31   'pid-file'= '/var/run/mysql/mysqld.pid',
 32   #  'disable-ssl' = true,
 33 }
 34   }
 35
 36   class { '::mysql::server':
 37 package_name= 'Percona-Server-server-56',
 38 root_password   = ${percona_root},
 39 #remove_default_accounts = true,
 40 service_name= 'mysql',
 41 override_options= $override_options,
 42 require = [ Package['percona-release'] ],
 43   }

Matt

On Thu, Mar 26, 2015 at 8:43 AM, Matt Shields m...@mattshields.org wrote:

 I've tried setting the service_name to mysql in the class definition since
 Percona calls the service mysql instead of mysqld, but I'm still getting
 errors.  Looks like it's now trying to start Percona/mysql but getting
 errors.  Here's the puppet output plus the mysql log.


  31   class { '::mysql::server':
  32 package_name= 'Percona-Server-server-56',
  33 root_password   = ${percona_root},
  34 #remove_default_accounts = true,
  35 service_name= 'mysql',
  36 override_options= $override_options,
  37 require = [ Package['percona-release'] ],
  38   }

 Info: Retrieving pluginfacts
 Info: Retrieving plugin
 Info: Loading facts
 Info: Caching catalog for bidb001
 Info: Applying configuration version '1427372678'
 Notice: /Stage[main]/Profile::Bidb/Package[percona-release]/ensure: created
 Notice: /Stage[main]/Mysql::Server::Install/Package[mysql-server]/ensure:
 created
 Notice: /Stage[main]/Mysql::Server::Config/File[/etc/mysql]/ensure: created
 Notice: /Stage[main]/Mysql::Server::Config/File[/etc/my.cnf]/ensure:
 defined content as '{md5}b5f7f94eab5170143b230460be142427'
 Notice: /Stage[main]/Mysql::Server::Config/File[/etc/mysql/conf.d]/ensure:
 created
 Error: Could not start Service[mysqld]: Execution of '/sbin/service mysql
 start' returned 1: Starting MySQL (Percona Server).. ERROR! The server quit
 without updating PID file (/var/run/mysqld.pid).
 Wrapped exception:
 Execution of '/sbin/service mysql start' returned 1: Starting MySQL
 (Percona Server).. ERROR! The server quit without updating PID file
 (/var/run/mysqld.pid).
 Error: /Stage[main]/Mysql::Server::Service/Service[mysqld]/ensure: change
 from stopped to running failed: Could not start Service[mysqld]: Execution
 of '/sbin/service mysql start' returned 1: Starting MySQL (Percona
 Server).. ERROR! The server quit without updating PID file
 (/var/run/mysqld.pid).
 Error: Could not prefetch mysql_user provider 'mysql': Execution of
 '/usr/bin/mysql -NBe SELECT CONCAT(User, '@',Host) AS User FROM mysql.user'
 returned 1: ERROR 2002 (HY000): Can't connect to local MySQL server through
 socket '/var/lib/mysql/mysql.sock' (111)
 Notice: /Stage[main]/Mysql::Server::Root_password/Mysql_user[root@localhost]:
 Dependency Service[mysqld] has failures: true
 Warning:
 /Stage[main]/Mysql::Server::Root_password/Mysql_user[root@localhost]:
 Skipping because of failed dependencies
 Notice: /Stage[main]/Mysql::Server::Root_password/File[/root/.my.cnf]:
 Dependency Service[mysqld] has failures: true
 Warning: /Stage[main]/Mysql::Server::Root_password/File[/root/.my.cnf]:
 Skipping because of failed dependencies
 Notice: /Stage[main]/Mysql::Server/Anchor[mysql::server::end]: Dependency
 Service[mysqld] has failures: true
 Warning: /Stage[main]/Mysql::Server/Anchor[mysql::server::end]: Skipping
 because of failed dependencies
 Notice: Finished catalog run in 25.16 seconds

 [root@bidb001 ~]# cat /var/log/mysqld.log
 150326 12:31:45 mysqld_safe Starting mysqld daemon with databases from
 /var/lib/mysql
 2015-03-26 12:31:45 0 [Warning] TIMESTAMP with implicit DEFAULT value is
 deprecated. Please use --explicit_defaults_for_timestamp server option (see
 documentation for more details).
 2015-03-26 12:31:45 21937 [Warning] Using unique option prefix
 myisam_recover instead of myisam-recover-options is deprecated and will be
 removed in a future release. Please use the full name instead.
 2015-03-26 12:31:45 21937 [Note] Plugin 'FEDERATED' is disabled.
 2015-03-26 12:31:45 21937 [Note] InnoDB: Using atomics to ref count buffer
 pool pages
 2015-03-26 12:31:45 21937 [Note] InnoDB: The InnoDB memory heap is disabled
 2015-03-26 12:31:45

Re: [Puppet Users] Re: Puppetlabs-mysql with Percona

[Matt Shields]

 plugins will not work.
2015-03-26 12:31:45 21937 [Note] RSA public key file not found:
/var/lib/mysql//public_key.pem. Some authentication plugins will not work.
2015-03-26 12:31:45 21937 [Note] Server hostname (bind-address): '0.0.0.0';
port: 3306
2015-03-26 12:31:45 21937 [Note]   - '0.0.0.0' resolves to '0.0.0.0';
2015-03-26 12:31:45 21937 [Note] Server socket created on IP: '0.0.0.0'.
2015-03-26 12:31:45 21937 [ERROR] /usr/sbin/mysqld: Can't create/write to
file '/var/run/mysqld.pid' (Errcode: 13 - Permission denied)
2015-03-26 12:31:45 21937 [ERROR] Can't start server: can't create PID
file: Permission denied
150326 12:31:46 mysqld_safe mysqld from pid file /var/run/mysqld.pid ended


Matt

On Wed, Mar 25, 2015 at 8:45 PM, Elisiano Petrini elisi...@gmail.com
wrote:

 Hi Matt,
 you might need to override also ::mysql::server::service_name. I don't
 know what's the service name of percona but it looks like that is not
 'mysqld':

  Error: Could not start Service[mysqld]: Execution of '/sbin/service
 mysqld start' returned 1: mysqld: unrecognized service

 Best Regards,
 Elisiano Petrini


 On Tuesday, March 24, 2015 at 8:27:37 AM UTC-4, Matt Shields wrote:

 Does anyone have an example of provisioning Percona MySQL using the
 puppetlabs-mysql module?

 Here's my puppet code:

  15   package { 'percona-release':
  16 ensure   = present,
  17 source   = 'http://www.percona.com/downloads/percona-release/
 redhat/0.1-3/percona-release-0.1-3.noarch.rpm',
  18 provider = rpm,
  19   }
  20
  21   $override_options = {
  22 'mysqld'= {
  23   'bind-address'= '0.0.0.0',
  24   'max_connections' = '1024',
  25 }
  26   }
  27
  28   class { '::mysql::server':
  29 package_name= 'Percona-Server-server-56',
  30 root_password   = ${percona_root},
  31 remove_default_accounts = true,
  32 override_options= $override_options,
  33 require = [ Package['percona-release'] ],
  34}

 And here's the output I'm getting.

 [root@testing-bidb001 ~]# puppet agent -t
 Info: Retrieving pluginfacts
 Info: Retrieving plugin
 Info: Loading facts
 Info: Caching catalog for testing-bidb001
 Info: Applying configuration version '1427198241'
 Notice: /Stage[main]/Profile::Bidb/Package[percona-release]/ensure:
 created
 Notice: /Stage[main]/Mysql::Server::Install/Package[mysql-server]/ensure:
 created
 Notice: /Stage[main]/Mysql::Server::Config/File[/etc/mysql]/ensure:
 created
 Notice: /Stage[main]/Mysql::Server::Config/File[/etc/my.cnf]/ensure:
 defined content as '{md5}8ef60204b1f3c4d7ffd673f9debc5df1'
 Notice: /Stage[main]/Mysql::Server::Config/File[/etc/mysql/conf.d]/ensure:
 created
 Error: Could not start Service[mysqld]: Execution of '/sbin/service
 mysqld start' returned 1: mysqld: unrecognized service
 Wrapped exception:
 Execution of '/sbin/service mysqld start' returned 1: mysqld:
 unrecognized service
 Error: /Stage[main]/Mysql::Server::Service/Service[mysqld]/ensure:
 change from stopped to running failed: Could not start Service[mysqld]:
 Execution of '/sbin/service mysqld start' returned 1: mysqld: unrecognized
 service
 Error: Could not prefetch mysql_user provider 'mysql': Execution of
 '/usr/bin/mysql -NBe SELECT CONCAT(User, '@',Host) AS User FROM mysql.user'
 returned 1: ERROR 2002 (HY000): Can't connect to local MySQL server through
 socket '/var/lib/mysql/mysql.sock' (2)
 Notice: /Stage[main]/Mysql::Server::Root_password/Mysql_user[root@localhost]:
 Dependency Service[mysqld] has failures: true
 Warning: 
 /Stage[main]/Mysql::Server::Root_password/Mysql_user[root@localhost]:
 Skipping because of failed dependencies
 Notice: /Stage[main]/Mysql::Server::Root_password/File[/root/.my.cnf]:
 Dependency Service[mysqld] has failures: true
 Warning: /Stage[main]/Mysql::Server::Root_password/File[/root/.my.cnf]:
 Skipping because of failed dependencies
 Notice: /Stage[main]/Mysql::Server/Anchor[mysql::server::end]:
 Dependency Service[mysqld] has failures: true
 Warning: /Stage[main]/Mysql::Server/Anchor[mysql::server::end]: Skipping
 because of failed dependencies
 Notice: /Stage[main]/Mysql::Server::Account_security/Mysql_user[@t
 esting-bidb001.useast.fanmanager.com]: Dependency Service[mysqld] has
 failures: true
 Warning: /Stage[main]/Mysql::Server::Account_security/Mysql_user[@t
 esting-bidb001.useast.fanmanager.com]: Skipping because of failed
 dependencies
 Error: Could not prefetch mysql_database provider 'mysql': Execution of
 '/usr/bin/mysql -NBe show databases' returned 1: ERROR 2002 (HY000): Can't
 connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)
 Notice: /Stage[main]/Mysql::Server::Account_security/Mysql_database[test]:
 Dependency Service[mysqld] has failures: true
 Warning: /Stage[main]/Mysql::Server::Account_security/Mysql_database[test]:
 Skipping because of failed dependencies
 Notice: 
 /Stage[main]/Mysql::Server::Account_security/Mysql_user[@testing

[Puppet Users] Puppetlabs-mysql with Percona

[Matt Shields]

]: Dependency Service[mysqld] has failures: true
Warning: /Stage[main]/Mysql::Server::Account_security/Mysql_user[
root@127.0.0.1]: Skipping because of failed dependencies
Notice:
/Stage[main]/Mysql::Server::Account_security/Mysql_user[root@testing-bidb001]:
Dependency Service[mysqld] has failures: true
Warning:
/Stage[main]/Mysql::Server::Account_security/Mysql_user[root@testing-bidb001]:
Skipping because of failed dependencies
Notice: Finished catalog run in 20.06 seconds


Matt

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOTD2YSJNzbQJiE-Vh%3D4rZOqeAdFjjg_%2B673NmW7c3nguFCTtA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: puppet 3.7.4 using auth.conf file from github - default acl at end apparently preventing access?

[Matt W]

Has anyone else come up with a solution for this? We just booted a new 
puppet master for the first time in a few weeks and it came up with 
Passenger 5 (we were on 4.0.69) -- and failed. For the time being we've 
patched our code to use an updated repo location with Passenger 4.x, but 
we'd like to be able to use 5. We are seeing the exact same behavior. 
Puppet 3.7.4 (installed via debian packages), Ubuntu 12.04.

On Friday, March 13, 2015 at 5:14:32 PM UTC-7, Johnson Earls wrote:

 Operating System: Oracle Linux 6.5
 Puppet version:  Open Source Puppet 3.7.4 (installed via gems)
 Ruby version: 2.1.0 (locally built package)
 Apache version:  2.2.15
 Passenger version:  5.0.4

 I apologise in advance if this post sounds confused and wanders all over; 
 it mirrors its author in that respect.

 I'm just getting started with puppet.  I've got a small 5-node playground 
 set up to play with.  I set it up using the Installing Puppet: From Gems 
 instructions (since I wanted to use a newer version of ruby than the 1.8.7 
 that Oracle Linux comes with), and I thought everything was going great, 
 getting it running under apache/passenger and everything.  Then I realized 
 I'd forgotten to install the auth.conf file the last time I rebuilt the 
 puppet directories.  As soon as I installed that file and restarted httpd, 
 my agents stopped being able to talk to the server, getting an Error 403 
 Forbidden for every access.

 The errors, listed here, indicate that the server is recognizing that the 
 client is authenticated, so apparently it's just not recognizing the URLs 
 being accessed:

 Warning: Error 403 on SERVER: Forbidden request: 
 rac03n01-dc2.dc2.responsys.com(...) access to /node/
 rac03n01-dc2.dc2.responsys.com [find] authenticated  at :123
 Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional 
 resources using 'eval_generate': Error 403 on SERVER: Forbidden request: 
 rac03n01-dc2.dc2.responsys.com(...) access to /file_metadata/pluginfacts 
 [search] authenticated  at :123
 Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not 
 retrieve file metadata for puppet://puppet/pluginfacts: Error 403 on 
 SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...) access to 
 /file_metadata/pluginfacts [find] authenticated  at :123
 Error 403 on SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...) 
 access to /file_metadata/pluginfacts [find] authenticated  at :123
 Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources 
 using 'eval_generate': Error 403 on SERVER: Forbidden request: 
 rac03n01-dc2.dc2.responsys.com(...) access to /file_metadata/plugins 
 [search] authenticated  at :123
 Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve 
 file metadata for puppet://puppet/plugins: Error 403 on SERVER: Forbidden 
 request: rac03n01-dc2.dc2.responsys.com(...) access to 
 /file_metadata/plugins [find] authenticated  at :123
 Error 403 on SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...) 
 access to /file_metadata/plugins [find] authenticated  at :123
 Error: Could not retrieve catalog from remote server: Error 403 on SERVER: 
 Forbidden request: rac03n01-dc2.dc2.responsys.com(...) access to /catalog/
 rac03n01-dc2.dc2.responsys.com [find] authenticated  at :123
 Error: Could not send report: Error 403 on SERVER: Forbidden request: 
 rac03n01-dc2.dc2.responsys.com(...) access to /report/
 rac03n01-dc2.dc2.responsys.com [save] authenticated  at :123


 I noticed that the URLs listed (/node/..., /catalog/..., /report/..., and 
 /file_metadata/...) are not listed in the auth.conf at all, but are being 
 inserted by the puppet master:

 Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '~ 
 ^/catalog/([^/]+)$' (auth true) ACL
 Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '~ 
 ^/node/([^/]+)$' (auth true) ACL
 Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '/file' (auth 
 ) ACL
 Mar 13 16:43:06 ... puppet-master[13013]: Inserting default 
 '/certificate_revocation_list/ca' (auth true) ACL
 Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '~ 
 ^/report/([^/]+)$' (auth true) ACL
 Mar 13 16:43:06 ... puppet-master[13013]: Inserting default 
 '/certificate/ca' (auth any) ACL
 Mar 13 16:43:06 ... puppet-master[13013]: Inserting default 
 '/certificate/' (auth any) ACL
 Mar 13 16:43:06 ... puppet-master[13013]: Inserting default 
 '/certificate_request' (auth any) ACL
 Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '/status' 
 (auth true) ACL
 Mar 13 16:43:06 ... puppet-master[13013]: Inserting default 
 '/v2.0/environments' (auth true) ACL

 However,apparently, the default deny-all ACL at the end of auth.conf (at 
 line 123 as shown in the errors above) is preventing those default ACLs 
 from taking effect.

 Once I commented out the default deny-all ACL at the end of auth.conf, my 
 access started working again.

 Am I reading the logs and auth.conf file 

Re: [Puppet Users] Client self-deregistration from PuppetDB

[Matt Wise]

Martijn,
   Sorry for the delay ... but yes, in the future we don't mind sharing
this 'cert-api' code. Unfortunately today its not in a terribly share-able
state. It was quite literally my 2nd python-program ever, written 3+ years
ago, and written in a short-term hacky way because we naively believed that
the PuppetLabs folks would ultimately solve the whole 're-signing
certificates' problem (seriously ... 2011 ...
http://projects.puppetlabs.com/issues/7272).

  At this point, we're in the midst of a full puppet-server-redesign, and
part of that is going to include a ground-up fresh cert-api daemon. Its
simple code, so we should get it done within a few days of beginning, but
we just havn't quite started yet. When we do, though, it'll definitely be
opensourced.

  The basic model is that we set our SSL certs to expire after 30 days. Our
clients run a little cron job daily that says is the cert expiring in the
next 5 days?, and if that is true, it reaches out to our puppet masters
and gets its cert renewed. We've been doing this for years now, with over
20,000 hosts (not simultaneously of course... just the number of hosts
we've launched in 3 years), and had no problems with the model.

  We'll be adding some additional features to the API to support things
like automatic node deregistration in PuppetDB as well.

Matt Wise
Sr. Systems Architect
Nextdoor.com

On Fri, Dec 12, 2014 at 10:40 AM, Martijn mart...@heemels.com wrote:

 Matt, I'd be very interested in that 'cert-api' endpoint code once you've
 had a chance to work on this. Is there a change you could open-source that?
 I think it would be very useful to the community, even if it is imperfect.

 Hope you'll consider it,
 Martijn

 Op vrijdag 12 december 2014 18:18:47 UTC+1 schreef Matt W:

 We already have what we call a 'cert-api' endpoint on our Puppet servers
 that allows our puppet clients to re-up their SSL certs every 15 days (we
 expire them very quickly). Its not unreasonable to add functionality to
 this endpoint allowing a client to request that its own node be destroyed.

  --
 You received this message because you are subscribed to a topic in the
 Google Groups Puppet Users group.
 To unsubscribe from this topic, visit
 https://groups.google.com/d/topic/puppet-users/o-X54IznCD8/unsubscribe.
 To unsubscribe from this group and all its topics, send an email to
 puppet-users+unsubscr...@googlegroups.com.
 To view this discussion on the web visit
 https://groups.google.com/d/msgid/puppet-users/2f343d00-13dd-451e-8b91-4ef0c18afcaa%40googlegroups.com
 https://groups.google.com/d/msgid/puppet-users/2f343d00-13dd-451e-8b91-4ef0c18afcaa%40googlegroups.com?utm_medium=emailutm_source=footer
 .

 For more options, visit https://groups.google.com/d/optout.


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOHkZxNyYbSGXojtW%3Dk1uy0tGSq98fsTttfEHu-pS4F4Vg9aTg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Disabling a module on a particular node type ...

[Matt Wise]

We're using Puppet to build up a few docker containers, and we find that
the puppetlabs-firewall module throws some errors during initial
compilation. These errors are ignorable ... but they're obnoxious. Is there
a way to explicitly disable a module from being parsed for a particular
node type?

Debug: Puppet::Type::Firewall::ProviderIptables: [instances]
 Error: /Stage[main]/Main/Resources[firewall]: Failed to generate
 additional resources using 'generate': Command iptables_save is missing


(obviously this is more than just not saying 'include firewall' ... because
the provider/types get parsed regardless of whether or not we 'include
firewall').

Matt Wise
Sr. Systems Architect
Nextdoor.com

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOHkZxPa4NsYzf-afSD3LLNTmOHeMcCs39KOJNFPxC-im21Y4g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Client self-deregistration from PuppetDB

[Matt W]

Thanks... I got a few private responses as well that all seemed to be 
in-line with what I figured we needed to do. Its entirely reasonable for us 
to have our clients 'curl ...' out to some endpoint to remove themselves at 
shutdown time. The concern I have is that I'd like to keep our clients from 
being able to do any other damage to the PuppetDB database while they're at 
it. We obviously want to use the Puppet CertName Whitelist in PuppetDB so 
that only our Puppet servers can send reports/connect to PuppetDB, and none 
of our clients can.

So that said ... I think I may end up going the 'CGI script' route. We 
already have what we call a 'cert-api' endpoint on our Puppet servers that 
allows our puppet clients to re-up their SSL certs every 15 days (we expire 
them very quickly). Its not unreasonable to add functionality to this 
endpoint allowing a client to request that its own node be destroyed.

That said, I have one question. We don't match our puppet 'node_name' to 
our puppet 'cert_name's. That is, our certnames are real FQDNs ... but our 
node names are kind of a combination of an arbitrary node name (like 
web_server) and the certname. They look something like this 
web_proxy_thingy|my.fqdn.her.com. In an ideal world, I would be able to 
tell PuppetDB that the true identifier that I care about is the 'certname' 
not the 'nodename'. That said, I think in our case we're going to have to 
do some hackery to figure this out.

Thanks again for the suggestions though.

On Thursday, December 11, 2014 1:04:59 AM UTC-8, Martin Alfke wrote:

 Hi Matt, 
 On 09 Dec 2014, at 19:58, Matt Wise ma...@nextdoor.com javascript: 
 wrote: 

  We boot up/shut-down 50-100 hosts a day on average... we're exploring 
 PuppetDB, but I'm concerned about the model of just 'waiting' for hosts to 
 be purged based on some checkin time. Is there any way to have our hosts 
 send a signal through the puppet-masters (or directly to puppetdb?) to 
 purge themselves when they're being terminated? 

 You can use the puppetdb rest api: 
 https://docs.puppetlabs.com/puppetdb/2.2/api/index.html 

 In my actual project we disable hosts via VM management system using this 
 API. 
 Works like a charm. 

 hth, 

 Martin 



-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/6b368c6b-3e35-47a1-87f2-f28850e53370%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Client self-deregistration from PuppetDB

[Matt Wise]

We boot up/shut-down 50-100 hosts a day on average... we're exploring
PuppetDB, but I'm concerned about the model of just 'waiting' for hosts to
be purged based on some checkin time. Is there any way to have our hosts
send a signal through the puppet-masters (or directly to puppetdb?) to
purge themselves when they're being terminated?

Matt Wise
Sr. Systems Architect
Nextdoor.com

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOHkZxPxNXGQnMCwMJoXh-XBap5VNtEGVoRWVCkpy3Sc3SRx3w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Using Puppetdb-terminus via rubygems...?

[Matt Wise]

Thanks for that Ken... This morning I found a gem 'md-puppetdb-terminus'
that someone has published that works perfectly, thankfully.

Matt Wise
Sr. Systems Architect
Nextdoor.com

On Mon, Dec 8, 2014 at 2:01 AM, Ken Barber k...@puppetlabs.com wrote:

  We have entirely-gem based Puppet masters (no Ubuntu packages installing
  Puppet)... we're trying to add in the puppetdb-terminus gemfile. We have
 it
  configured, and installed:
 
 
  # gem list | grep -i puppet
  hiera-puppet (1.0.0)
  puppet (3.7.3)
  puppet-catalog-test (0.3.1)
  puppet-lint (1.0.1)
  puppet-syntax (1.3.0)
  puppetdb-terminus (1.0)
  puppetlabs_spec_helper (0.8.2)
  rspec-hiera-puppet (1.0.0)

 That is not an official gem for puppetdb-terminus :-). Someone
 uploaded it in the past, I think its a dud.

 We don't really ship a rubygem, we do have a gemfile however:
 https://github.com/puppetlabs/puppetdb/tree/master/contrib/gem

 That can be used to create your own gem.

  We're running into a problem with our Unicorn/Nginx config though...
 
  puppet-master[17213]: Could not configure routes from
  /etc/puppet/routes.yaml: Could not find terminus puppetdb for indirection
  facts
 
  Is there something special we need to do to the config.ru or something
 so
  that it can find the puppetdb terminus from the gem thats installed?

 That just looks like the necessary ruby library files aren't in place,
 probably due to the bad gem.

 ken.

 --
 You received this message because you are subscribed to a topic in the
 Google Groups Puppet Users group.
 To unsubscribe from this topic, visit
 https://groups.google.com/d/topic/puppet-users/830HwH-1JCY/unsubscribe.
 To unsubscribe from this group and all its topics, send an email to
 puppet-users+unsubscr...@googlegroups.com.
 To view this discussion on the web visit
 https://groups.google.com/d/msgid/puppet-users/CAE4bNTnH4ZQXnsGJpxB-W6SAypsJAsXtU0F%3DFoFXtcoRmTJbTA%40mail.gmail.com
 .
 For more options, visit https://groups.google.com/d/optout.


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOHkZxPqGFaVDrAd%3D%3DwH0hTXmzR1LJ8QSKEf25dXSnYHj%3DKhEg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Using Puppetdb-terminus via rubygems...?

[Matt Wise]

+1

Matt Wise
Sr. Systems Architect
Nextdoor.com

On Mon, Dec 8, 2014 at 9:34 AM, Darin Perusich da...@darins.net wrote:

 On Mon, Dec 8, 2014 at 5:01 AM, Ken Barber k...@puppetlabs.com wrote:
  We have entirely-gem based Puppet masters (no Ubuntu packages installing
  Puppet)... we're trying to add in the puppetdb-terminus gemfile. We
 have it
  configured, and installed:
 
 
  # gem list | grep -i puppet
  hiera-puppet (1.0.0)
  puppet (3.7.3)
  puppet-catalog-test (0.3.1)
  puppet-lint (1.0.1)
  puppet-syntax (1.3.0)
  puppetdb-terminus (1.0)
  puppetlabs_spec_helper (0.8.2)
  rspec-hiera-puppet (1.0.0)
 
  That is not an official gem for puppetdb-terminus :-). Someone
  uploaded it in the past, I think its a dud.

 If this isn't official, would Puppet Labs be willing to have it
 removed or publish the gem?

  We don't really ship a rubygem, we do have a gemfile however:
  https://github.com/puppetlabs/puppetdb/tree/master/contrib/gem
 
  That can be used to create your own gem.
 
  We're running into a problem with our Unicorn/Nginx config though...
 
  puppet-master[17213]: Could not configure routes from
  /etc/puppet/routes.yaml: Could not find terminus puppetdb for
 indirection
  facts
 
  Is there something special we need to do to the config.ru or something
 so
  that it can find the puppetdb terminus from the gem thats installed?
 
  That just looks like the necessary ruby library files aren't in place,
  probably due to the bad gem.
 
  ken.
 
  --
  You received this message because you are subscribed to the Google
 Groups Puppet Users group.
  To unsubscribe from this group and stop receiving emails from it, send
 an email to puppet-users+unsubscr...@googlegroups.com.
  To view this discussion on the web visit
 https://groups.google.com/d/msgid/puppet-users/CAE4bNTnH4ZQXnsGJpxB-W6SAypsJAsXtU0F%3DFoFXtcoRmTJbTA%40mail.gmail.com
 .
  For more options, visit https://groups.google.com/d/optout.

 --
 You received this message because you are subscribed to a topic in the
 Google Groups Puppet Users group.
 To unsubscribe from this topic, visit
 https://groups.google.com/d/topic/puppet-users/830HwH-1JCY/unsubscribe.
 To unsubscribe from this group and all its topics, send an email to
 puppet-users+unsubscr...@googlegroups.com.
 To view this discussion on the web visit
 https://groups.google.com/d/msgid/puppet-users/CADaviKuX8s3cUms_d7LP7QHR-dtyT%3DMG%3D%3DPz85WJrohiVPqUJA%40mail.gmail.com
 .
 For more options, visit https://groups.google.com/d/optout.


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOHkZxOi0g3Ey%3Dj2r0SDAHhgF5JBVX4wLRWLRwOPaBYfd9GmCw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Using Puppetdb-terminus via rubygems...?

[Matt W]

We have entirely-gem based Puppet masters (no Ubuntu packages installing 
Puppet)... we're trying to add in the puppetdb-terminus gemfile. We have it 
configured, and installed:


# gem list | grep -i puppet
hiera-puppet (1.0.0)
puppet (3.7.3)
puppet-catalog-test (0.3.1)
puppet-lint (1.0.1)
puppet-syntax (1.3.0)
puppetdb-terminus (1.0)
puppetlabs_spec_helper (0.8.2)
rspec-hiera-puppet (1.0.0)


We're running into a problem with our Unicorn/Nginx config though... 

puppet-master[17213]: Could not configure routes from 
/etc/puppet/routes.yaml: Could not find terminus puppetdb for indirection 
facts 

 

Is there something special we need to do to the config.ru or something so 
that it can find the puppetdb terminus from the gem thats installed?

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/80b3fd3a-eba9-420d-a2cc-474aec9b051b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Announce: Puppet Server 0.2.0

[Matt Zagrabelny]

On Tue, Sep 23, 2014 at 2:03 PM, Gabriel Filion gabs...@lelutin.ca wrote:
 On 23/09/14 12:11 PM, Nate Wolfe wrote:
 We are thrilled to announce the preview release of Puppet Server, our
 newest open source project.
 Puppet Server is a next-generation alternative to our current Puppet
 master, which builds on the
 successful Clojure technology stack underlying projects like PuppetDB.

 so... is it the long term goal to phase out the ruby-based puppet master
 when the clojure-based one is mature enough?

Hopefully someone closer to the situation (and with more authority)
will respond, but yes that is what I was told at a Puppet training
in March.

-m

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOLfK3W6zzYtDFEVi_BE85WHbVZ-pf9qppANDOudG8SogdXSUA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Re: Announce: Facter 2.2.0

[Matt Wise]

I'll start out by saying that we've worked around the problem ... but, when
you're operating in cloud and constantly booting new machines, dependencies
like Facter are rarely explicitly versioned. That is to say, often you will
see someone pin the version of Puppet that they install, but they may not
pin the version of Facter because its just one of many Puppet dependencies.
That means that its unlikely that people will read the release notes before
they find themselves surprised that Facter is suddenly reporting new and
interesting information.

I honestly think its better practice to revert the change and then plan a
future major version release where you flip that setting. You could add in
a big warning-message that says 'hey, in the next release we're going to
break $lsbmajdistrelease...' which would get peoples attention to.

All of that said, we're fixed now .. so I'll stop griping. :)

Matt Wise
Sr. Systems Architect
Nextdoor.com


On Wed, Aug 27, 2014 at 3:51 PM, Kylo Ginsberg k...@puppetlabs.com wrote:

 On Tue, Aug 26, 2014 at 11:57 PM, Daniele Sluijters 
 daniele.sluijt...@gmail.com wrote:

  Hey,

 I agree with the spirit of the fix but the fact that it isn't mentioned
 anywhere in the release notes is a bit annoying.


 Yep, it's a release notes fail, and it happened because we didn't track
 the change with separate tickets. What happened is we made this change as
 part of adding lsbminordistrelease (FACT-637
 https://tickets.puppetlabs.com/browse/FACT-637) and adding the new 'os'
 structured fact (FACT-614)
 https://tickets.puppetlabs.com/browse/FACT-614, but it wasn't called
 out separately. Anyway that's an explanation, but not really an excuse - we
 dropped the ball on publicizing this change.

 We've added tickets for the changes and pushed updated release notes for
 facter 2.2 here
 https://docs.puppetlabs.com/facter/2.2/release_notes.html.


 I personally also consider this a backwards incompatible release, you're
 changing old behaviour. Albeit for the better, but people depended on that
 behaviour and no prior warning or deprecation warning was issued.


 Although we clearly should have documented this differently, since it's in
 the wild and there's consensus that this change *is* for the better, we'd
 like to leave it be.

 But going forward there's a question about how to handle changes to fact
 *values*. One proposal is that we identify (and of course test against)
 some essential facts that we care a lot about (such as
 'lsbmajdistrelease) and set some rules, like:

 (a) we do not change those in x.y.Z releases
 (b) we highlight it when they DO change in x.Y or X releases


 Do also keep in mind that though we can easily fix our own manifests with
 a regexp match, since the launch of the Forge people have started to use
 more and more modules maintained by others. Unless the maintainer has
 already issued an update you're stuck with manually patching an upstream
 module and carrying that change. Depending on how you deploy your
 environment this might be difficult to do.


 I grep'd my way through forge modules looking for affected modules and
 there are actually just a handful (3 related to postgresql, and 3 others).
 I'll ping those authors to let them know. There's already a fix in for
 puppetlabs-postgresql.

 Btw, one last thing: another plug for the recently announced
 https://groups.google.com/forum/#!topic/puppet-users/gtXrUgQZmJ0 nightly
 repos, which would have exposed this issue if we'd had repos all in place
 ahead of time (this change went in two weeks before release).

 Thanks!

 --
 Kylo Ginsberg
 k...@puppetlabs.com

 *Join us at PuppetConf 2014 http://www.puppetconf.com/, September
 20-24 in San Francisco*
 *Register by September 8th to take advantage of the Final Countdown
 https://www.eventbrite.com/e/puppetconf-2014-tickets-7666774529?discount=FinalCountdown
  *
 *—**save $149!*

 --
 You received this message because you are subscribed to a topic in the
 Google Groups Puppet Users group.
 To unsubscribe from this topic, visit
 https://groups.google.com/d/topic/puppet-users/Ve0L1iW3NeU/unsubscribe.
 To unsubscribe from this group and all its topics, send an email to
 puppet-users+unsubscr...@googlegroups.com.
 To view this discussion on the web visit
 https://groups.google.com/d/msgid/puppet-users/CALsUZFHQ_Pho_%2Bq9VCBMdMhe4DjcZRhvmF5NU74wTU-DXoZ9xg%40mail.gmail.com
 https://groups.google.com/d/msgid/puppet-users/CALsUZFHQ_Pho_%2Bq9VCBMdMhe4DjcZRhvmF5NU74wTU-DXoZ9xg%40mail.gmail.com?utm_medium=emailutm_source=footer
 .

 For more options, visit https://groups.google.com/d/optout.


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOHkZxOrMRd4Tgki7kv2kzPfrgP9A6nFs0dCMXj2xLZhvhXXkg%40mail.gmail.com

Re: [Puppet Users] Re: Announce: Facter 2.2.0

[Matt Wise]

+2 here. I support the fix -- but not in a minor-revision of the tool. In
our case, it was indeed a reasonably simple regex change everywhere, but
the potential for failure around puppet-forge modules is massive here. I
strongly recommend reverting this change and releasing it in a 3.xx version
of Facter.

Matt Wise
Sr. Systems Architect
Nextdoor.com


On Wed, Aug 27, 2014 at 5:49 AM, Konrad Scherer 
konrad.sche...@windriver.com wrote:

 On 08/26/2014 04:42 PM, Will Hopper wrote:

 Hi, Mark!


 Thanks for raising your concerns on this. This change was actually
 intentional,
 as we have been reporting the Ubuntu major release incorrectly for some
 time in
 Facter.


 In most platforms, splitting on the first ‘.’ of an X.Y.Z release would
 be a
 sane way of determining the major release, but Ubuntu does its versioning
 a bit
 differently.


 Given the Ubuntu release 10.04, the major version isn't actually 10; it's
 10.04
 and 10.10 isn't a patch release to 10.04. When Ubuntu does do a minor
 release
 for a distribution, they add it as the Z part of the X.Y.Z - for example,
 14.04.1 should have a major release of 14.04 and a minor release of 1,
 not 4.


 Thus, our inclination here is to correct the long-standing, incorrect
 version
 reporting we’ve historically had for Ubuntu.


 A simple, backwards-compatible way to work with this value in your
 existing
 manifests would be to use an approximate regex match on the fact value,
 i.e:
   `if $lsbmajdistrelease =~ /^12/ …`


 I also agree with the rationale of the fix, but I have lsbmajdistrelease
 in my hiera config and this workaround does not work there. A quick grep
 through my puppet manifest repo shows several modules like postgres broken
 by this change [1]. Some warnings, deprecations, clear release notes and
 work to make sure modules are compatible with the change would have made
 this transition much less painful for everyone. A backwards compatible
 release shouldn't require so many code changes to maintain behavior.

 [1]: https://github.com/puppetlabs/puppetlabs-postgresql/blob/
 master/manifests/params.pp#L121

 --
 Konrad Scherer, MTS, Linux Products Group, Wind River


 --
 You received this message because you are subscribed to a topic in the
 Google Groups Puppet Users group.
 To unsubscribe from this topic, visit https://groups.google.com/d/
 topic/puppet-users/Ve0L1iW3NeU/unsubscribe.
 To unsubscribe from this group and all its topics, send an email to
 puppet-users+unsubscr...@googlegroups.com.
 To view this discussion on the web visit https://groups.google.com/d/
 msgid/puppet-users/53FDD3D6.8020908%40windriver.com.

 For more options, visit https://groups.google.com/d/optout.


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOHkZxMrbGVo%2BA%3DiM8gd4hTk8kn_FyBZmFb1s9D_ppEiomkoNw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Order preference for defines

[Matt Shields]

I'm running Puppet 3.4.3 and was wondering is there a way to call the
defines below in the order they're written.  The problem I'm having is
while using Opentable/IIS forge module, I want to delete the Default Web
Site which is running on port 80, then create a new site which runs on 80.
 What happens is Puppet is running the second manage site Manager which
creates it but fails to start the virtual host because it hasn't deleted
the Default Web Site yet and there's a port conflict.

 iis::manage_app_pool { 'DefaultAppPool':
   managed_runtime_version = 'v4.0',
 }

 iis::manage_site { 'Default Web Site':
   ensure= absent,
   site_path = '%SystemDrive%\inetpub\wwwroot',
   app_pool  = 'DefaultAppPool',
 }

 iis::manage_site { 'Manager':
   site_path   = 'c:\inetpub\wwwroot',
   port= '80',
   ip_address  = '*',
   app_pool= 'DefaultAppPool',
   update_path = false,
 }


Matt

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOTD2YSHk_WXKjWNwfuq0%2BtyS-hzREhbm7Xc9SxKgFpyY%3DbBCA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: Announce: Facter 2.2.0

[Matt W]

Hey we got this installed on some new systems yesterday and we found that 
in Ubuntu 12 the `lsbmajdistrelease` fact has changed suddenly from `12` to 
`12.04`! This actually broke quite a few of our manifests, and is 
fundamentally broken I believe. The major dist release version is '12'. Has 
anyone else seen this?

root@dev-mwise-test-array-9-i-8046108d:~# facter -p | grep lsb
 lsbdistcodename = precise
 lsbdistdescription = Ubuntu 12.04.3 LTS
 lsbdistid = Ubuntu
 lsbdistrelease = 12.04

 *lsbmajdistrelease = 12.04*lsbrelease = 
 core-2.0-amd64:core-2.0-noarch:core-3.0-amd64:core-3.0-noarch:core-3.1-amd64:core-3.1-noarch:core-3.2-amd64:core-3.2-noarch:core-4.0-amd64:core-4.0-noarch
 os = {release={full=12.04, major=12.04}, name=Ubuntu, 
 family=Debian, 
 lsb={release=core-2.0-amd64:core-2.0-noarch:core-3.0-amd64:core-3.0-noarch:core-3.1-amd64:core-3.1-noarch:core-3.2-amd64:core-3.2-noarch:core-4.0-amd64:core-4.0-noarch,
  
 majdistrelease=12.04, distcodename=precise, 
 distrelease=12.04, distdescription=Ubuntu 12.04.3 LTS, 
 distid=Ubuntu}}
 root@dev-mwise-test-array-9-i-8046108d:~# dpkg --list | grep -i facter
 ii  facter2.2.0-1puppetlabs1   
  Ruby module for collecting simple facts about a host operating system
 root@dev-mwise-test-array-9-i-8046108d:~#


and after downgrading Facter..

 Processing triggers for man-db ...
 Setting up facter (2.1.0-1puppetlabs1) ...
 root@dev-mwise-test-array-9-i-8046108d:~# facter -p | grep lsb
 lsbdistcodename = precise
 lsbdistdescription = Ubuntu 12.04.3 LTS
 lsbdistid = Ubuntu
 lsbdistrelease = 12.04

 *lsbmajdistrelease = 12*lsbrelease = 
 core-2.0-amd64:core-2.0-noarch:core-3.0-amd64:core-3.0-noarch:core-3.1-amd64:core-3.1-noarch:core-3.2-amd64:core-3.2-noarch:core-4.0-amd64:core-4.0-noarch
  


On Monday, August 25, 2014 4:45:27 PM UTC-7, Adrien Thebo wrote:

 Facter 2.2.0 is a backward-compatible features-and-fixes release in the 
 Facter 2 series. The release adds structured versions of several core fact 
 types and contains backports of facts that were merged into Facter master 
 but were not released in Facter 2.0.1.

 Headline features
   - new structured facts: os, system_uptime, processors

 To download Facter, follow the instructions here: 
 http://docs.puppetlabs.com/guides/install_puppet/pre_install.html

 Release notes are available here: 
 http://docs.puppetlabs.com/facter/latest/release_notes.html
 To see a complete list of issues fixed in this release: 
 https://tickets.puppetlabs.com/issues/?filter=12624
 We're tracking bugs people find in this release with the Affected 
 Version field set to 2.2.0: 
 https://tickets.puppetlabs.com/issues/?filter=12623

 -- 
 Adrien Thebo | Puppet Labs
  

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/ebb623d9-ed4b-4c54-9f7c-e2b464859d4a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Re: Confused Puppet Manifest ... Possible caching issue?

[Matt Wise]

Its tricky because we use an ELB in front of the puppet masters, and we
know that the calls to the /node/node_name REST API are coming from the
ELB, but because of the way we have the ELB configured (pure TCP
passthrough), we don't get the extra headers like the x_forwarded_for
header. This makes it hard to tell where the requests for the node
information are coming from. That said, it feels odd that the puppet master
itself would reach out to its own Node API to get node information, rather
than just using the information passed in for the catalog request.

Matt Wise
Sr. Systems Architect
Nextdoor.com


On Mon, Aug 25, 2014 at 7:29 AM, jcbollinger john.bollin...@stjude.org
wrote:



 On Friday, August 22, 2014 9:38:20 AM UTC-5, Matt W wrote:

 Even with the caching disabled, I think we ran into this again. Can one
 of the puppet-devs chime in here and let me know what might be going on?



 I am not among the Puppet developers, but I think I already touched on the
 likely problem in your other thread.  You have multiple nodes are
 identifying themselves to Puppet as the same machine, and if you rely on
 facts that differ among identity-sharing nodes then you are poking at
 exactly the point where your shared-identity model breaks down.

 Even so, I think your approach would probably work if you serialized
 catalog requests, e.g. by using the built-in webrick server, since it seems
 likely that you are experiencing a race on the server.  Specifically, I
 suspect you'll find that those calls to the REST API are all originating
 from the master itself.  If an ENC is in use then it would be high on my
 list of suspects.


 John

  --
 You received this message because you are subscribed to a topic in the
 Google Groups Puppet Users group.
 To unsubscribe from this topic, visit
 https://groups.google.com/d/topic/puppet-users/EorzYWGEUUE/unsubscribe.
 To unsubscribe from this group and all its topics, send an email to
 puppet-users+unsubscr...@googlegroups.com.
 To view this discussion on the web visit
 https://groups.google.com/d/msgid/puppet-users/17f251ea-b694-4c65-9b92-7150b693ba3e%40googlegroups.com
 https://groups.google.com/d/msgid/puppet-users/17f251ea-b694-4c65-9b92-7150b693ba3e%40googlegroups.com?utm_medium=emailutm_source=footer
 .
 For more options, visit https://groups.google.com/d/optout.


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOHkZxMg_RZPTAVnFa3sfTc41hjHgCB1FBLbhD7MNBnCaNoU0Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Re: Puppet 'node data' when using common node_names?

[Matt Wise]

Comments inline

Matt Wise
Sr. Systems Architect
Nextdoor.com


On Mon, Aug 25, 2014 at 6:55 AM, jcbollinger john.bollin...@stjude.org
wrote:



 On Saturday, August 23, 2014 12:46:59 PM UTC-5, Matt W wrote:

 Will,
   Thanks for the response. I know its a bit of a unique model -- but when
 you think about it, it makes a decent amount of sense. We run hundreds of
 nodes that are fundamentally similar



 And therein is one of the key problems: similar, not identical.  If
 any node facts (including $hostname, $fqdn, etc.) vary among these hosts
 that are identifying themselves to the master as the *same machine*, then
 you are putting yourself at risk for problems.  Moreover, if security
 around your puppet catalogs is a concern for you, then be aware that
 positioning your node-type certificates as a shared resource makes it far
 more likely that they will be breached.  Additionally, you cannot limit
 which machines can get configuration from your master.


To be very clear, we do not share certs across nodes. We absolutely use
independent certs and sign them uniquely -- in fact, bug #7244
https://projects.puppetlabs.com/issues/7244 was opened by me specifically
for improving the security around SSL certs and auto signing. We make heavy
use of dynamic CSR facts to securely sign our keys.

More specifically, we've been waiting for the CSR attribute system to allow
us to embed the puppet 'node type' (note, not identifier) in the SSL certs
so that clients can't possibly retrieve a node type that isn't their own. (Bug
#7243 https://projects.puppetlabs.com/issues/7243). It looks like this
has been finally implemented, so we'll be looking into using it very soon (
here
https://docs.puppetlabs.com/puppet/latest/reference/ssl_attributes_extensions.html#extension-requests-permanent-certificate-data
).



 Lest it didn't catch your eye as it went by, I re-emphasize that Puppet is
 built around the idea that a machine's SSL certname is a unique machine
 identifier within the scope of your certificate authority.  What you are
 doing can work with Puppet, but you will run into issues such as the file
 naming effects you asked about.



 .. i.e. this is a web server, it gets the XYZ package installed and
 this is a web server, it gets the ABC package installed. Using hostnames
 to identify the systems node-definition makes very little sense and leaves
 quite a bit of room for error. Explicitly setting the node-type as a fact
 allows us to re-use the same node types but for many different environments
 and keeps host-names out of the mix.



 Classifying based on a fact instead of based on host name is a fine idea,
 provided that you are willing to trust clients to give their type
 accurately to the server.  Having accepted that risk, however, you do not
 by any means need the node-type fact to be expressed to the master as the
 node's *identity*.  It could as easily be expressed via an ordinary fact.

 In particular, your site manifest does not need a separate node block for
 each node [identity], nor even to enumerate all the known node names.  In
 fact, it doesn't need any node blocks at all if you are not going to
 classify based on node identity.  Even if you're using an ENC, it is
 possible for it to get the node facts to use for classification.


Using a combination of both our nodes self-identifying themselves as well
as the puppet node name architecture allows us to leverage the security of
the 'auth' config file, while also having dynamically configured nodes
where hostname doesn't matter. Realistically, hostnames are a terrible
method for security ... someone could always break into a 'www' server and
rename it to 'prod-db-thingy' and have it match the regex and subsequently
get the database puppet manifest. (Just as a stupid simple example).

For what its worth, our old model was a single 'default' node type and a
simple fact ('base_class=my_web_server'). This worked extremely well, but
left us more open to basically any client being able to request any catalog
compilation. The auth-file in this world was effectively useless for
preventing already-verified nodes from doing bad things.




 For example, I can quickly boot up a prod-mwise-dev-test-web-sever-thingy
 using the same node definition as our prod-frontend-host for some
 testing, without worrying about the hostname regex structure.



 And you could do that, too, with a plain fact.




   Anyways that said ... what I'm really interested in knowing is why the
 puppet-agents are pulling DOWN their node information from the puppet
 masters?



 Can you say a bit more about that?  What do you see that suggests agents
 are pulling down node information other than their catalogs (and later,
 any 'source'd files)?


With nearly every puppet catalog compile, we also see GET requests like
this:

10.216.61.76 - XXX - puppet GET /production/node/xyz? HTTP/1.1 200 13733
 - - 0.021


Where 10.216.61.76 is *not* the local IP of the puppet master... its the
remote

Re: [Puppet Users] Confused Puppet Manifest ... Possible caching issue?

[Matt Wise]

The log shows the remote connecting IP -- but the IP is the ELB in front of
our puppet servers. Unfortunately because we're doing pure TCP-passthrough,
ELB logging itself is not useful either in this case. :/

Matt Wise
Sr. Systems Architect
Nextdoor.com


On Mon, Aug 25, 2014 at 2:08 PM, Felix Frank 
felix.fr...@alumni.tu-berlin.de wrote:

 On 08/14/2014 07:24 PM, Matt Wise wrote:
 
  1. What is the purpose of calling the Node API? Is the agent doing
  this? Why?

 That's a good one. Does your log not indicating where those calls
 originate?

 --
 You received this message because you are subscribed to a topic in the
 Google Groups Puppet Users group.
 To unsubscribe from this topic, visit
 https://groups.google.com/d/topic/puppet-users/EorzYWGEUUE/unsubscribe.
 To unsubscribe from this group and all its topics, send an email to
 puppet-users+unsubscr...@googlegroups.com.
 To view this discussion on the web visit
 https://groups.google.com/d/msgid/puppet-users/53FBA5C9.3020804%40Alumni.TU-Berlin.de
 .
 For more options, visit https://groups.google.com/d/optout.


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOHkZxO%3DEXgLJ_iHeo%3DOY2bW83DmTJyr-5x%2BNGS1POpc9Zc4mQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Re: Puppet 'node data' when using common node_names?

[Matt Wise]

Will,
  Thanks for the response. I know its a bit of a unique model -- but when
you think about it, it makes a decent amount of sense. We run hundreds of
nodes that are fundamentally similar .. i.e. this is a web server, it gets
the XYZ package installed and this is a web server, it gets the ABC
package installed. Using hostnames to identify the systems node-definition
makes very little sense and leaves quite a bit of room for error.
Explicitly setting the node-type as a fact allows us to re-use the same
node types but for many different environments and keeps host-names out of
the mix. For example, I can quickly boot up a
prod-mwise-dev-test-web-sever-thingy using the same node definition as
our prod-frontend-host for some testing, without worrying about the
hostname regex structure.

  Anyways that said ... what I'm really interested in knowing is why the
puppet-agents are pulling DOWN their node information from the puppet
masters? Is it possible that they do an upload of node information, then
ask for that information back, then somehow use the downloaded information
for their catalog request? I could see some interesting race conditions if
that was the case.

Matt Wise
Sr. Systems Architect
Nextdoor.com


On Fri, Aug 22, 2014 at 7:11 PM, Wil Cooley wcoo...@nakedape.cc wrote:


 On Aug 22, 2014 7:37 AM, Matt W m...@nextdoor.com wrote:
 
  Anyone have any thoughts on this?
 

 I have to say, using an identical node name as a way of assigning the
 node's role is an interesting approach. I would not be surprised if you
 run into other difficulties with this approach; some even harder to find.
 Even something like an appended unique identifier, such as from the host
 ID, MAC address, serial number, hashed SHA1, etc would have been better.

 Be that as it may, life would be dull if we didn't have to live with the
 sins of the past. You might check the config guide
 https://docs.puppetlabs.com/references/3.6.latest/configuration.html but
 in thinking about it, if you found a setting and tried to use a fact in it,
 you'd probably just get the master's fact.

 The reports, at least, should be easy - since they're pluggable, you could
 copy the existing lib/puppet/reports/store.rb to a new name  module and
 tweak the storage location.

 Wil

  On Thursday, August 14, 2014 10:39:16 AM UTC-7, Matt W wrote:
 
  We noticed that our puppet reports and our puppet node data stored on
 our puppet servers is always written out in the form of the 'node name'. So
 when we use a node name like 'prod_webserver' across many webserver
 machines, we get a tree of reports and node data like this:
 
  /var/lib/puppet/yaml/node/prod_web.yaml
  /var/lib/puppet/yaml/facts/prod_web.yaml
  /var/lib/puppet/reports/prod_web
  /var/lib/puppet/reports/prod_web/201408130200.yaml
  /var/lib/puppet/reports/prod_web/201408140811.yaml
  /var/lib/puppet/reports/prod_web/201408121328.yaml
  /var/lib/puppet/reports/prod_web/201408130743.yaml
  /var/lib/puppet/reports/prod_web/201408140454.yaml
 
 
  Where each of those reports likely reflects a compilation run for a
 different host... and the facts/node files at the top are getting
 constantly re-written as new clients come in.
 
  Is there a way to change the behavior of the data there to be written
 out based on the ${::fqdn} of the host (or certname) rather than its node
 name?
 
  (our client puppet configs ...)
 
  [main]
  ...
  node_name = facter
  node_name_fact = puppet_node
 
 
  (a client puppet fact file...)
 
  puppet_node=prod_web
  puppet_environment=production
  package=frontend=some-version-here
  app_group=us1
 
  --
  You received this message because you are subscribed to the Google
 Groups Puppet Users group.
  To unsubscribe from this group and stop receiving emails from it, send
 an email to puppet-users+unsubscr...@googlegroups.com.
  To view this discussion on the web visit
 https://groups.google.com/d/msgid/puppet-users/40c0048d-fc90-4006-99da-98bfa9ba94a7%40googlegroups.com
 .
 
  For more options, visit https://groups.google.com/d/optout.

 --
 You received this message because you are subscribed to a topic in the
 Google Groups Puppet Users group.
 To unsubscribe from this topic, visit
 https://groups.google.com/d/topic/puppet-users/adxt68xO210/unsubscribe.
 To unsubscribe from this group and all its topics, send an email to
 puppet-users+unsubscr...@googlegroups.com.
 To view this discussion on the web visit
 https://groups.google.com/d/msgid/puppet-users/CAMmm3r5MwNDV%3DCEnxVrr4pL1w_Xi3byR5xphPxPZH3%3D2XgJdXQ%40mail.gmail.com
 https://groups.google.com/d/msgid/puppet-users/CAMmm3r5MwNDV%3DCEnxVrr4pL1w_Xi3byR5xphPxPZH3%3D2XgJdXQ%40mail.gmail.com?utm_medium=emailutm_source=footer
 .
 For more options, visit https://groups.google.com/d/optout.


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr

[Puppet Users] Re: Puppet 'node data' when using common node_names?

[Matt W]

Anyone have any thoughts on this?

On Thursday, August 14, 2014 10:39:16 AM UTC-7, Matt W wrote:

 We noticed that our puppet reports and our puppet node data stored on our 
 puppet servers is always written out in the form of the 'node name'. So 
 when we use a node name like 'prod_webserver' across many webserver 
 machines, we get a tree of reports and node data like this:

 /var/lib/puppet/yaml/node/prod_web.yaml
 /var/lib/puppet/yaml/facts/prod_web.yaml
 /var/lib/puppet/reports/prod_web
 /var/lib/puppet/reports/prod_web/201408130200.yaml
 /var/lib/puppet/reports/prod_web/201408140811.yaml
 /var/lib/puppet/reports/prod_web/201408121328.yaml
 /var/lib/puppet/reports/prod_web/201408130743.yaml
 /var/lib/puppet/reports/prod_web/201408140454.yaml


 Where each of those reports likely reflects a compilation run for a 
 different host... and the facts/node files at the top are getting 
 constantly re-written as new clients come in.

 Is there a way to change the behavior of the data there to be written out 
 based on the ${::fqdn} of the host (or certname) rather than its node name?

 (our client puppet configs ...)

 [main]
 ...
 node_name = facter
 node_name_fact = puppet_node


 (a client puppet fact file...)

 puppet_node=prod_web
 puppet_environment=production
 package=frontend=some-version-here
 app_group=us1



-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/40c0048d-fc90-4006-99da-98bfa9ba94a7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: Confused Puppet Manifest ... Possible caching issue?

[Matt W]

Even with the caching disabled, I think we ran into this again. Can one of 
the puppet-devs chime in here and let me know what might be going on?

On Thursday, August 14, 2014 10:25:06 AM UTC-7, Matt W wrote:

 I've got a pretty strange issue here. Imagine we have two servers... 
 *ServerA* and *ServerB*. Last night *ServerB* pulled down some 
 configuration bits from our puppet servers and tried to re-name itself to 
 *ServerA*.

 How? Well theres two things that may have triggered this behavior.

 1. We use a custom Puppet Node Name fact to set our node names, rather 
 than the hostnames:

 [main]
 ...
 # Use the fact 'puppet_node' as our node classifier rather than the 
 hostname.
 node_name = facter
 node_name_fact = puppet_node


 2. We have Nginx proxy_cache all of our GET/HEAD requests to avoid 
 hammering the Puppet Master processes with calls to the mostly static 
 content like templates:

 # Never, ever, ever cache our certificate or API requests... 
 always pass them to the puppet master.
 location ~ /(.*)/certificate(.*)/(.*)$ { proxy_pass 
 http://unicorn; }
 # If a request comes in for the 'master' environment, do not cache it at 
 all
 location ~ /master/(.*)$ { proxy_pass http://unicorn; }
 location / {
 # Cache all requests to the Puppet Unicorn process for at 
 least 10 minutes.
 proxy_cache nginx;
 proxy_cache_methods GET HEAD;
 proxy_cache_key $scheme$proxy_host$request_uri;
 proxy_cache_valid 10m;
 proxy_cache_valid 404 1m;
 proxy_ignore_headers X-Accel-Expires Expires Cache-Control 
 Set-Cookie;
 proxy_pass http://unicorn;
 }


 Digging into the logs, it looks like we're caching a bit too much and are 
 actually caching the /env/node/puppet node name queries. Here you can 
 see that we generate the results once, then return cached results on the 
 next several queries:

 GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.021
 GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.000
 GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.000
 GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.000
 GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.000
 GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.000


 So, I have two questions ..

 1. What is the purpose of calling the Node API? Is the agent doing this? 
 Why?
 2. Is it possible that if an agent called the node api and got its own 
 node information that was wrong, it could then request an invalid catalog?

 (Note, we're running Puppet 3.4.3 behind Nginx with Unicorn... and yes, 
 even though we use a single node name for these machines, they use 
 different 'facts' to define which packages and roles they are serving up...)

 Matt Wise
 Sr. Systems Architect
 Nextdoor.com
  

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/92841fde-fd41-4d87-889c-90fa7d302352%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Confused Puppet Manifest ... Possible caching issue?

[Matt Wise]

I've got a pretty strange issue here. Imagine we have two servers...
*ServerA* and *ServerB*. Last night *ServerB* pulled down some
configuration bits from our puppet servers and tried to re-name itself to
*ServerA*.

How? Well theres two things that may have triggered this behavior.

1. We use a custom Puppet Node Name fact to set our node names, rather than
the hostnames:

[main]
 ...
 # Use the fact 'puppet_node' as our node classifier rather than the
 hostname.
 node_name = facter
 node_name_fact = puppet_node


2. We have Nginx proxy_cache all of our GET/HEAD requests to avoid
hammering the Puppet Master processes with calls to the mostly static
content like templates:

# Never, ever, ever cache our certificate or API requests... always
 pass them to the puppet master.
 location ~ /(.*)/certificate(.*)/(.*)$ { proxy_pass http://unicorn;
 }
 # If a request comes in for the 'master' environment, do not cache it at
 all
 location ~ /master/(.*)$ { proxy_pass http://unicorn; }
 location / {
 # Cache all requests to the Puppet Unicorn process for at
 least 10 minutes.
 proxy_cache nginx;
 proxy_cache_methods GET HEAD;
 proxy_cache_key $scheme$proxy_host$request_uri;
 proxy_cache_valid 10m;
 proxy_cache_valid 404 1m;
 proxy_ignore_headers X-Accel-Expires Expires Cache-Control
 Set-Cookie;
 proxy_pass http://unicorn;
 }


Digging into the logs, it looks like we're caching a bit too much and are
actually caching the /env/node/puppet node name queries. Here you can
see that we generate the results once, then return cached results on the
next several queries:

GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.021
 GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.000
 GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.000
 GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.000
 GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.000
 GET /production/node/nsp_node_prod? HTTP/1.1 200 13834 - - 0.000


So, I have two questions ..

1. What is the purpose of calling the Node API? Is the agent doing this?
Why?
2. Is it possible that if an agent called the node api and got its own
node information that was wrong, it could then request an invalid catalog?

(Note, we're running Puppet 3.4.3 behind Nginx with Unicorn... and yes,
even though we use a single node name for these machines, they use
different 'facts' to define which packages and roles they are serving up...)

Matt Wise
Sr. Systems Architect
Nextdoor.com

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAOHkZxP02XbPEb29ZnkYztgGtgBZ-BVShkqcyPbduZ1saCSbyQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.