Re: [Puppet Users] Ruby Class or other API for controlling puppet/mcollective
Not knowing your entire goal but what you could use is the mcollective-client gem in your rails application and have the puppet mcollective agent, which PuppetLabs made, and you can run puppet related commands like you would with "puppet resource".

So right now you can do something like "puppet resource user root" and it will return back the definition how it would look in puppet. You can also make changes, using the previous example, by adding on in the command the property fields in key=value format (e.g. puppet resource user root password='').

On Wed, Jun 19, 2013 at 4:47 AM, bjoern pohl wrote:
> Hi,
> I'm currently trying to develop a task-driven rails-based frontend for
> some tasks that puppet/mcollective is doing in the background (basically
> some user-management and some asset queries...).
>
> But I'm currently stuck at finding some puppet/mcollective API classes for
> ruby. (you'll only find results for using ruby within puppet, which is of
> course more obvious).
> Is there anything besides the deprecated DSL API and the http REST
> interface?
>
> thanks & best regards,
> Björn
Re: [Puppet Users] puppet-dashboard-1.2.22 - unable to get it running under Apache/Passenger
It looks like it's trying to use a specific rack gem version but you do not have that version installed or you have two versions installed and it's picking up the latest. It could be that you also have another passenger application where the versions conflict?

(can't activate rack (~> 1.1.0, runtime) for [], already activated rack-1.5.2 for []) (process 8729, thread #):

On Fri, Feb 22, 2013 at 7:17 PM, Tom Blich wrote:
> Had puppet-dashboard-1.2.21 running via instructions provided here:
>
> http://docs.puppetlabs.com/dashboard/passenger.html
>
> Upgraded to puppet-dashboard-1.2.22 and now get the following error:
>
> [ pid=8729 thr=70328297972140 file=utils.rb:176 time=2013-02-22
> 19:12:17.188 ]: *** Exception RuntimeError in
> PhusionPassenger::Rack::ApplicationSpawner (can't activate rack (~> 1.1.0,
> runtime) for [], already activated rack-1.5.2 for []) (process 8729, thread
> #):
> from ./config/../vendor/rails/railties/lib/initializer.rb:271:in
> `require_frameworks'
> from ./config/../vendor/rails/railties/lib/initializer.rb:134:in `process'
> from ./config/../vendor/rails/railties/lib/initializer.rb:113:in `send'
> from ./config/../vendor/rails/railties/lib/initializer.rb:113:in `run'
> from ./config/environment.rb:14
> from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in
> `gem_original_require'
> from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `require'
> from config.ru:4
> from /usr/lib/ruby/gems/1.8/gems/rack-1.5.2/lib/rack/builder.rb:55:in
> `instance_eval'
> from /usr/lib/ruby/gems/1.8/gems/rack-1.5.2/lib/rack/builder.rb:55:in
> `initialize'
> from config.ru:1:in `new'
> from config.ru:1
> [Fri Feb 22 19:12:46 2013] [notice] caught SIGTERM, shutting down
> [Fri Feb 22 19:13:37 2013] [warn] Init: Session Cache is not configured
> [hint: SSLSessionCache]
> [Fri Feb 22 19:13:37 2013] [notice] suEXEC mechanism enabled (wrapper:
> /usr/sbin/suexec)
> [Fri Feb 22 19:13:37 2013] [warn] module php5_module is already loaded,
> skipping
> [Fri Feb 22 19:13:37 2013] [notice] Digest: generating secret for digest
> authentication ...
> [Fri Feb 22 19:13:37 2013] [notice] Digest: done
> [Fri Feb 22 19:13:37 2013] [notice] Apache/2.2.15 (Unix) DAV/2
> Phusion_Passenger/3.0.19 PHP/5.3.20 mod_ssl/2.2.15 OpenSSL/1.0.0-fips
> configured -- resuming normal operations
>
> Not sure how to fix it.
>
> Thanks,
> Tom
Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?
Oh and to add to my message. The benefit of this is there is no tomfoolery with multiple CAs and the confusion that will cause. If the concern is about letting one puppet client connect to two different pools then you can limit who can retrieve their catalog either through the auth.conf or directives via apache/nginx directives.

The only time a new CA would be required is if you can't isolate via auth.conf or apache/nginx and that would depend on the topology of your network. If you are concerned with a rogue server then you have autosign off then this is less of an issue because you actually have to authorize, by signing the certificate, the client to connect to any puppet master/pool signed by the CA.

On Fri, Feb 22, 2013 at 10:31 AM, Matthew Black wrote:
> I think you're missing what I'm trying to convey. When you run via
> Apache or Nginx you are doing SSL termination at the apache and
> forwarding the requests to a puppetmaster application if you use say
> passenger. It's not so different than an F5. While I'm not giving you
> exact details on how to do it I'm giving you enough information to
> know it's possible.
>
> The value of ca_server defaults to "puppet", that means the
> certificate of the server it connects to must have that name in the
> cert and the DNS must match. When you start up the first puppet
> master, the CA server and not with mod_passenger, it will
> auto-generate the CA cert because the value of ca defaults to true if
> it's not otherwise specified in the puppet conf.
>
> Essentially each puppet master that isn't the CA server is basically
> just a puppet client meaning when it does its first run it will
> generate a key, csr, and then try to connect to "puppet". You don't
> actually need a cert for a puppet master if you do the ssl termination
> at the load balancer. I provided a copy of my apache conf used for a
> puppetmaster. As long as the puppetmasterd rack is installed it will
> function as a puppetmaster with that config.
>
> You need to generate a signed certificate from the CA for the load
> balancer dns. Let's say your DNS for one pool is
> puppetpool01.example.com, that is the cert name you need to generate
> and install on the apache/nginx load balancer. You need to also
> configure the load balancer to validate the ssl cert from the client
> against the CA. Specific parameters need to be passed to puppet, which
> is specified in the apache conf below. In each puppet master that is
> load balanced in its conf file in the master section you need to put
> these two lines
>
> ssl_client_header = SSL_CLIENT_S_DN
> ssl_client_verify_header = SSL_CLIENT_VERIFY
>
> You want to go the mod_passenger route then you can do ssl termination
> otherwise to do the tcp proxy is a real pain in the ass (been there,
> done that, never again).
>
> Below is an example of my apache conf where the communication is
> unencrypted because of the ssl termination at the load balancer.
>
> As long as the cert on the load balancer is signed by the CA and you
> set it up to pass the correct headers if the SSL cert is validated
> against the CA then you do not need multiple CA's.
>
> That way this setup you can revoke a certificate from one place
> instead of trying to figure out which CA you need to revoke it from.
> In each of my datacenters I have at the very minimum two F5 VIPs that
> go to 4 different puppet masters each with one common CA. I have at
> the current moment 6 datacenters, meaning I have 25 puppetmasters (24
> servers, 1 CA).
>
> Hopefully this clarifies the point I am conveying. I know my apache
> configs, specifically for mod_passenger, might need tweaking but this
> actually works really good. Also if you pick up one of the puppet
> books, I forget which one exactly, they actually tell you how to do the
> proxying with apache in a similar fashion to what I explained.
>
> #
> # Apache Conf
> #
>
> Listen 18140
>
> PassengerHighPerformance on
> PassengerMaxPoolSize 12
> PassengerPoolIdleTime 30
> PassengerMaxRequests 10
> PassengerStatThrottleRate 120
> PassengerUseGlobalQueue on
> RackAutoDetect On
> RailsAutoDetect On
>
> ServerName ppm001.example.com
> DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
> RackBaseURI /
>
> Options None
> AllowOverride None
> Order allow,deny
> allow from all
>
> SetEnvIf X-SSL-Subject "(.*)" SSL_CLIENT_S_DN=$1
> SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
> SetEnvIf X-Forwarded-For "(.*)" REMOTE_ADDR=$1
> SetEnvIf X-Forwarded-Proto "https" HTT
Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?
I think you're missing what I'm trying to convey. When you run via Apache or Nginx you are doing SSL termination at the apache and forwarding the requests to a puppetmaster application if you use say passenger. It's not so different than an F5. While I'm not giving you exact details on how to do it I'm giving you enough information to know it's possible.

The value of ca_server defaults to "puppet", that means the certificate of the server it connects to must have that name in the cert and the DNS must match. When you start up the first puppet master, the CA server and not with mod_passenger, it will auto-generate the CA cert because the value of ca defaults to true if it's not otherwise specified in the puppet conf.

Essentially each puppet master that isn't the CA server is basically just a puppet client meaning when it does its first run it will generate a key, csr, and then try to connect to "puppet". You don't actually need a cert for a puppet master if you do the ssl termination at the load balancer. I provided a copy of my apache conf used for a puppetmaster. As long as the puppetmasterd rack is installed it will function as a puppetmaster with that config.

You need to generate a signed certificate from the CA for the load balancer dns. Let's say your DNS for one pool is puppetpool01.example.com, that is the cert name you need to generate and install on the apache/nginx load balancer. You need to also configure the load balancer to validate the ssl cert from the client against the CA. Specific parameters need to be passed to puppet, which is specified in the apache conf below. In each puppet master that is load balanced in its conf file in the master section you need to put these two lines

ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

You want to go the mod_passenger route then you can do ssl termination otherwise to do the tcp proxy is a real pain in the ass (been there, done that, never again).

Below is an example of my apache conf where the communication is unencrypted because of the ssl termination at the load balancer.

As long as the cert on the load balancer is signed by the CA and you set it up to pass the correct headers if the SSL cert is validated against the CA then you do not need multiple CA's.

That way this setup you can revoke a certificate from one place instead of trying to figure out which CA you need to revoke it from. In each of my datacenters I have at the very minimum two F5 VIPs that go to 4 different puppet masters each with one common CA. I have at the current moment 6 datacenters, meaning I have 25 puppetmasters (24 servers, 1 CA).

Hopefully this clarifies the point I am conveying. I know my apache configs, specifically for mod_passenger, might need tweaking but this actually works really good. Also if you pick up one of the puppet books, I forget which one exactly, they actually tell you how to do the proxying with apache in a similar fashion to what I explained.

#
# Apache Conf
#
Listen 18140

PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 30
PassengerMaxRequests 10
PassengerStatThrottleRate 120
PassengerUseGlobalQueue on
RackAutoDetect On
RailsAutoDetect On

ServerName ppm001.example.com
DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
RackBaseURI /

Options None
AllowOverride None
Order allow,deny
allow from all

SetEnvIf X-SSL-Subject "(.*)" SSL_CLIENT_S_DN=$1
SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
SetEnvIf X-Forwarded-For "(.*)" REMOTE_ADDR=$1
SetEnvIf X-Forwarded-Proto "https" HTTPS=1

LogLevel error
ErrorLog "|/usr/sbin/cronolog /var/log/httpd/puppetmaster_error_log.%Y%m%d -l /var/log/httpd/puppetmaster_error_log"
CustomLog "|/usr/sbin/cronolog /var/log/httpd/puppetmaster_access_log.%Y%m%d -l /var/log/httpd/puppetmaster_access_log" combined
#

On Thu, Feb 21, 2013 at 9:36 AM, wrote:
> Dear Matt,
>
> On Wednesday, February 20, 2013 10:39:51 PM UTC, Matt wrote:
>>
>> I run an F5 load balancer with SSL termination at the F5 and I don't
>> need to put the CA cert anywhere except the F5. The actual CA signs
>> the certs. The CA cert is only really used to authenticate the client
>> cert. This gives the appearance to my puppet clients that I only have
>> one puppet master when in actuality I have around 4-5 per VIP.
>
> Unfortunately, I don't have F5 available and all I can have is software based
> load balancing, either in form of Haproxy (most probably) or Nginx (less
> probably).
>
>>
>> As for your last part I'm not really seeing how you think you would
>> need a puppetmaster per user.
>
> As one puppetmaster can use one CA at a time to sign/revoke certificates, if
> you'd have multiple users, you would need multiple puppetmasters, to be sure
> that two (or more) users can use different CA's at the s
Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?
I run an F5 load balancer with SSL termination at the F5 and I don't need to put the CA cert anywhere except the F5. The actual CA signs the certs. The CA cert is only really used to authenticate the client cert. This gives the appearance to my puppet clients that I only have one puppet master when in actuality I have around 4-5 per VIP.

As for your last part I'm not really seeing how you think you would need a puppetmaster per user.

On Wed, Feb 20, 2013 at 2:59 PM, wrote:
> Dear Matt,
>
> On Wednesday, February 20, 2013 5:41:11 PM UTC, Matt wrote:
>>
>> I think you're trying to over complicate the situation here.
>>
>> Yes it's a single point of failure but unfortunately that is not going
>> to change anytime between now and maybe 6 months.
>
> I am aware of that, and I am fine with that.
>
>>
>> You do not need multiple CAs to use multiple puppet masters. The
>> client needs to have the setting ca_server set to the Puppet Master
>> that is the CA. You need to configure that Puppet master with ca =
>> true. The puppet masters you create need to be configured with ca =
>> false. You can have 300 different puppet masters and each client can
>> connect to the different ones as needed.
>
> The thing is, the puppetmasters are exposed to puppet clients via
> loadbalancer, so they actually appear as one puppetmaster, therefore, they
> all need to have the same CA installed.
>
>>
>> If you need to limit which clients can connect to which puppet masters
>> then you should look at the auth.conf file.
>>
>> As for a web interface around certificate signing, when each client
>> connects into the CA it will submit its request and if autosign is
>> turned off it should be setup to wait for certificate. The web
>> interface can be a wrapper around the puppet cert face so you can get
>> a list of certificates signed and what's waiting to be signed. You can
>> even set it up to revoke or clean out a certificate. You do not need
>> to call to the command line to do this either, you can interface with
>> the puppet api from rubygems.
>
> That, again, would require running puppetmaster per user, something I
> really, really want to avoid.
>
>>
>> On Tue, Feb 19, 2013 at 3:15 PM, wrote:
>> > Dear Felix,
>> >
>> > I think you're getting it wrong, let me clarify it a bit. The goal of
>> > this
>> > is to be able to write web interface for generating puppetmasters CA's
>> > and
>> > client certificates on demand. An example: install 3 puppetmasters with
>> > loadbalancer in front. Use web interface to generate CA and certificates
>> > for
>> > chosen clients (lets say, 10 machines). Deploy such generated CA's on
>> > puppetmasters, and relevant bits on puppet clients to authorize them
>> > against
>> > these puppetmasters. Whenever there's need for change, use that CA via
>> > web
>> > interface to add and delete client certificates, redeploy them on
>> > puppetmasters and so on. This, while doable via Subprocess functions
>> > (Python
>> > is the language of choice for me, but that doesn't really matters) and
>> > calls
>> > to relevant puppet system commands is extremely ugly and not flexible
>> > solution. I would love to do it via openssl library, but to do so, I'd
>> > need
>> > to have a workable way to build CA's and sign (and revoke) client certs
>> > via
>> > openssl command - so far I can't reach that goal. I hope this makes more
>> > sense now.
>> >
>> > Regards,
>> > S.
>> >
>> > On Tuesday, February 19, 2013 4:04:32 PM UTC, Felix.Frank wrote:
>> >>
>> >> On 02/16/2013 12:20 PM, spankt...@gmail.com wrote:
>> >> > after creating CA and client cert and applying them to puppetmaster,
>> >> > it
>> >> > complains with:
>> >>
>> >> Wait, what? You create a new CA, even after agents have already been
>> >> certified, then create new agent certificates?
>> >>
>> >> If your CA changes, you will have to terminate all the (now deprecated)
>> >> agent certificates and sign new certificates for all agents.
>> >>
>> >> Basically, I would expect the outcome you are observing, and you should
>> >> just follow the instructions given in your log excerpt. Note that you
>> >> are *not* supposed to remove the CA from the master, only the copy of
>> >> the agent's certificate.
>> >>
>> >> HTH,
>> >> Felix
Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?
I think you're trying to over complicate the situation here.

Yes it's a single point of failure but unfortunately that is not going to change anytime between now and maybe 6 months.

You do not need multiple CAs to use multiple puppet masters. The client needs to have the setting ca_server set to the Puppet Master that is the CA. You need to configure that Puppet master with ca = true. The puppet masters you create need to be configured with ca = false. You can have 300 different puppet masters and each client can connect to the different ones as needed.

If you need to limit which clients can connect to which puppet masters then you should look at the auth.conf file.

As for a web interface around certificate signing, when each client connects into the CA it will submit its request and if autosign is turned off it should be setup to wait for certificate. The web interface can be a wrapper around the puppet cert face so you can get a list of certificates signed and what's waiting to be signed. You can even set it up to revoke or clean out a certificate. You do not need to call to the command line to do this either, you can interface with the puppet api from rubygems.

On Tue, Feb 19, 2013 at 3:15 PM, wrote:
> Dear Felix,
>
> I think you're getting it wrong, let me clarify it a bit. The goal of this
> is to be able to write web interface for generating puppetmasters CA's and
> client certificates on demand. An example: install 3 puppetmasters with
> loadbalancer in front. Use web interface to generate CA and certificates for
> chosen clients (lets say, 10 machines). Deploy such generated CA's on
> puppetmasters, and relevant bits on puppet clients to authorize them against
> these puppetmasters. Whenever there's need for change, use that CA via web
> interface to add and delete client certificates, redeploy them on
> puppetmasters and so on. This, while doable via Subprocess functions (Python
> is the language of choice for me, but that doesn't really matters) and calls
> to relevant puppet system commands is extremely ugly and not flexible
> solution. I would love to do it via openssl library, but to do so, I'd need
> to have a workable way to build CA's and sign (and revoke) client certs via
> openssl command - so far I can't reach that goal. I hope this makes more
> sense now.
>
> Regards,
> S.
>
> On Tuesday, February 19, 2013 4:04:32 PM UTC, Felix.Frank wrote:
>>
>> On 02/16/2013 12:20 PM, spankt...@gmail.com wrote:
>> > after creating CA and client cert and applying them to puppetmaster, it
>> > complains with:
>>
>> Wait, what? You create a new CA, even after agents have already been
>> certified, then create new agent certificates?
>>
>> If your CA changes, you will have to terminate all the (now deprecated)
>> agent certificates and sign new certificates for all agents.
>>
>> Basically, I would expect the outcome you are observing, and you should
>> just follow the instructions given in your log excerpt. Note that you
>> are *not* supposed to remove the CA from the master, only the copy of
>> the agent's certificate.
>>
>> HTH,
>> Felix
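Added example, not part of any message in this thread and not Puppet's own code: a Ruby sketch using the standard `openssl` library that shows the three CA behaviours discussed above (one CA signing agent certificates, revocation from that single CA through a CRL, and agent certificates failing verification once the CA is regenerated under the same name). The certnames, serial numbers and helper names are constructed for illustration.

```ruby
require 'openssl'

DIGEST = 'SHA256'

# Issue a certificate for subject/public_key, signed by signer_key.
# issuer_cert is nil when building a self-signed CA certificate.
def issue_cert(subject, public_key, serial, signer_key, issuer_cert: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = serial
  cert.subject    = subject
  cert.issuer     = issuer_cert ? issuer_cert.subject : subject
  cert.public_key = public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  usage = ca ? 'keyCertSign, cRLSign' : 'digitalSignature, keyEncipherment'
  cert.add_extension(ef.create_extension('keyUsage', usage, true))
  cert.sign(signer_key, OpenSSL::Digest.new(DIGEST))
  cert
end

# Generate a CA key and self-signed CA certificate (serial 1).
def new_ca(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  { key: key, cert: issue_cert(subject, key, 1, key, ca: true) }
end

# What an agent does on first run: generate a key and a CSR for its certname.
def new_csr(certname)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{certname}")
  csr.public_key = key
  csr.sign(key, OpenSSL::Digest.new(DIGEST))
  csr
end

# The manual signing step (autosign off): check the CSR, then issue.
def sign_csr(ca, csr, serial)
  raise ArgumentError, 'CSR self-signature does not verify' unless csr.verify(csr.public_key)
  issue_cert(csr.subject, csr.public_key, serial, ca[:key], issuer_cert: ca[:cert])
end

# Revocation lives in one place: a CRL signed by the single CA.
def build_crl(ca, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca[:cert].subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time = Time.now - 60
    crl.add_revoked(entry)
  end
  crl.sign(ca[:key], OpenSSL::Digest.new(DIGEST))
  crl
end

# What the TLS terminator does with a client certificate: verify it
# against the CA certificate and, when given, the CA's CRL.
def verify_against(ca_cert, cert, crl: nil)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  if crl
    store.add_crl(crl)
    store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
  end
  ok = store.verify(cert)
  { ok: ok, error: store.error, reason: store.error_string }
end

def demo
  ca = new_ca('Puppet CA: puppetmaster.example.com')       # constructed name
  web01 = sign_csr(ca, new_csr('web01.example.com'), 2)    # stays valid
  db01  = sign_csr(ca, new_csr('db01.example.com'), 3)     # gets revoked
  crl = build_crl(ca, [3])
  rebuilt = new_ca('Puppet CA: puppetmaster.example.com')  # same name, new key
  {
    signed: verify_against(ca[:cert], web01, crl: crl),
    revoked: verify_against(ca[:cert], db01, crl: crl),
    after_ca_rebuild: verify_against(rebuilt[:cert], web01)
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, r| puts "#{name}: ok=#{r[:ok]} (#{r[:reason]})" }
end
```

The last case is the situation Felix describes: a certificate issued by the old CA no longer verifies against a regenerated CA, even when the CA name is unchanged, so every agent certificate has to be reissued.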
Re: [Puppet Users] Installation from the scratch
Are both servers' clocks in sync?

On Fri, Feb 15, 2013 at 4:20 AM, Calero wrote:
> Hi all,
>
> I'm trying to understand how puppet works, and my idea is to learn
> installing a new environment from the scratch.
>
> I have the following:
>
> Master:
>
> cat /etc/debian_version
> 6.0.6
> puppet --version
> 3.1.0
> cat /etc/hosts
> 127.0.1.1 puppetmaster.domain.name puppetmaster puppet
>
> Client:
>
> cat /etc/SuSE-release
> SUSE Linux Enterprise Server 11 (x86_64)
> VERSION = 11
> PATCHLEVEL = 2
>
> puppet --version
> 2.6.12
> cat /etc/hosts
> 127.0.0.1 puppetclient01.domain.name puppetclient01
> 192.168.203.128 puppet puppetmaster.domain.name
>
> puppet agent --test
> info: Creating a new SSL key for puppetclient01.domain.name
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> info: Creating a new SSL certificate request for puppetclient01.domain.name
> info: Certificate Request fingerprint (md5):
> 88:B5:17:BF:DD:39:90:ED:0D:1A:9D:3C:A7:51:8C:D3
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> Exiting; no certificate found and waitforcert is disabled
>
> Once I sign it in the server….
>
> puppetclient01:~ # puppet agent --test
> warning: peer certificate won't be verified in this SSL session
> info: Caching certificate for puppetclient01.domain.name
> err: Could not retrieve catalog from remote server: SSL_connect returned=1
> errno=0 state=SSLv3 read server certificate B: certificate verify failed
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
>
> puppet agent --test
> err: Could not retrieve catalog from remote server: SSL_connect returned=1
> errno=0 state=SSLv3 read server certificate B: certificate verify failed
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
>
> --
>
> In this point is where I'm stuck right now, I have deleted several times
> all certificates both hosts and I'm getting the same kind of error.
>
> And this is the output if I try to do it in the same server.
>
> --
>
> puppet agent --test
> Warning: Unable to fetch my node definition, but the agent run will
> continue:
> Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate
> B: certificate verify failed: [certificate signature failure for
> /CN=puppetmaster.domain.name]
> Info: Retrieving plugin
> Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources
> using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server
> certificate B: certificate verify failed: [certificate signature failure for
> /CN=puppetmaster.domain.name]
> Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect
> returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify
> failed: [certificate signature failure for /CN=puppetmaster.domain.name]
> Could not retrieve file metadata for
> puppet://puppetmaster.domain.name/plugins: SSL_connect returned=1 errno=0
> state=SSLv3 read server certificate B: certificate verify failed:
> [certificate signature failure for
> /CN=puppetmaster.domain.name]
> Error: Could not retrieve catalog from remote server: SSL_connect returned=1
> errno=0 state=SSLv3 read server certificate B: certificate verify failed:
> [certificate signature failure for /CN=puppetmaster.domain.name]
> Warning: Not using cache on failed catalog
> Error: Could not retrieve catalog; skipping run
> Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3
> read server certificate B: certificate verify failed: [certificate signature
> failure for /CN=puppetmaster.domain.name]
>
> Thanks
Re: [Puppet Users] Run Puppet Against Master with Local node.pp Manifest?
You would not need to pull the entire SVN, puppet modules, to test out one specific module. The only time you would need to have multiple modules is if there is inter-dependency.

You do not need to setup a new puppet master or upload files to the puppet master if your purpose is to test out a new or updated module (puppet apply won't talk to the puppet master). Even if you have custom facts, functions, providers, and types they would be executed just the same in puppet apply with the module just like they would on the master.

On Thu, Feb 14, 2013 at 5:14 AM, Ralph Bolton wrote:
> Pulling our whole puppet master from SVN is indeed an option. It seems like
> a bit of work, but it's possible.
>
> The issue of trying to unit test a puppet install seems to be somewhat
> addressed by the Puppet solution, although I could see that we could either
> poke a node.pp manifest onto the real Puppet Master and then run "puppet
> apply" on our test VM, or else build a 'fake' Puppet Master in the manner
> you suggest. I guess I could do that on a build box, and then have the it
> spin up a VM, and have the VM just puppet off the build box.
>
> I see a great deal of funky scripting in my future ;-)
>
> Thanks everyone for your suggestions - it's all been very helpful.
Re: [Puppet Users] Run Puppet Against Master with Local node.pp Manifest?
You should be versioning all your puppet manifests and modules. You can then write a simple script to pull down the changes. Once you have the files you can have the manifests and modules folder look exactly like the puppet master and then type something like this to test.

puppet apply /etc/puppet/manifests/site.pp

If you want to test one module you can create that node.pp file, which imports the module. You will need to create a modules directory and place your module in that directory then type from command line

puppet apply /path/to/node.pp --modulepath=/path/to/modules/dir

Ensure that modulepath is to the modules directory you created and not the module itself.

On Tue, Feb 12, 2013 at 5:35 AM, Ralph Bolton wrote:
> Thanks for the suggestion. I did wonder about copying all the modules and
> configs off the Puppet Master onto the test box. My concern is really just
> about keeping that lot up to date, and most importantly to make sure that it
> behaves the same as it would do if it came from the Master. It could be done
> this way, but I'm worried it seems simple now, but will turn into a headache
> later on. If this is the only way to do it, then I guess I'll just have to
> suck it up :-(
>
> This might sound daft, but where's the security issue? If I'm root on a box,
> and I want to do some wacky install on it, then I already can, regardless of
> what Puppet thinks. This wouldn't allow me to change anything on the Puppet
> Master, so I wouldn't be able to alter any boxes except the one I'm on. What
> additional concern would there be for having this as a feature?
Re: [Puppet Users] semi-standalone puppet mode
Without fully understanding your modules and how they interact you can always take a copy of the site manifest and modules with the node and then do something like this

    puppet apply /etc/puppet/manifests/site.pp --modulepath=/etc/puppet/modules

I typically do something similar when testing a module without a puppet master.

On Tue, Feb 12, 2013 at 8:03 AM, Ivan Lysov wrote:
> Hi All!
>
> I do manage some hosts with puppet and it's pretty great.
> But among those hosts there are some boxes that are sometimes taken away
> from my network, used for demonstrations somewhere outside and return back.
> And I want puppet to manage those hosts even when they are away and alone.
> And of course I want them to fetch the latest catalogs on the moment they
> appear in domestic network.
>
> I even wrote an ugly script that does something like "puppet catalog
> download" and then apply on every boot, but this is ugly, smells and
> obviousless.
> Had somebody invented something like that and how?
Re: [Puppet Users] Certificate verify fails without indications
Yes because as part of the fix it checks on the CA, when it's signing the cert, whether it can support 256 or not. If it does not it drops down to a lower SHA. If you look at the pull request that is part of the ticket, specifically the changes, and scroll down to the certificate_signer.rb change, it will make more sense.

https://github.com/puppetlabs/puppet/pull/1413/files

On Wed, Feb 13, 2013 at 10:37 AM, Luigi Martin Petrella wrote:
> Matthew, you are right, this explains ALMOST everything
>
> "Puppet is using the Solaris-provided OpenSSL as part of the Ruby install in
> this case, which runs version 0.9.7 with patches and doesn’t support sha256.
> I don’t mind the idea of compiling 1.0.x but the issue still seems to stand
> that you can’t choose the digest method anymore – there is an apparent use
> of SHA256 regardless of what option you choose."
>
> But
>
> If I use as master RH4 with openssl-lib 0.9.7 I have no problem connecting
> the others RH4 nodes. This means that Puppet doesn't always use SHA256, but
> only if it is available from openssl library. Right?
>
> So, there are two ways (one harder than the other for me) to solve the issue
> at openssl level:
> 1. install opensslib rpm for RH5 on RH4 (but there are a lot of missing
> dependencies)
> 2. downgrade openssl lib on Centos 6.3 master from 1.0.0 to 0.9.7
> ???
>
> Since --digest option won't work, is there any other way to force puppet not
> to use SHA256??
>
> On 13 February 2013 16:16, Matthew Black wrote:
>>
>> I think this issue is related to your issue since the version
>> discussed is 0.9.7.
>>
>> http://projects.puppetlabs.com/issues/17295
>>
>> What you will more than likely need to do is update the openssl on
>> the agent. I don't think it will work too well but you can try to take
>> the srpm from rhel 5 or 6 and build it for rhel 4
>>
>> On Wed, Feb 13, 2013 at 8:31 AM, Luigi Martin Petrella
>> wrote:
>> > Master:
>> > Centos 6.3 , Puppet 3.1.0
>> > Ubuntu, Puppet 3.1.0
>> >
>> > Agent:
>> > Redhat 4, Puppet 3.1.0
>> >
>> > Yesterday something strange happened:
>> > we tried to connect RedHat agent with a Puppet Enterprise Master on
>> > Centos 6.3, and there wasn't any certificate problems and everything
>> > worked.
>> > Today we are trying with the same configuration, but it appeared the
>> > same validation error described before
>> >
>> > On 13 February 2013 14:12, Matthew Black wrote:
>> >>
>> >> What versions of puppet are being used on the client and
>> >> the server? Assuming master is running on Linux, what distro and
>> >> release is the master running on?
>> >>
>> >> I suspect the openssl might be the issue on the client.
>> >>
>> >> On Wed, Feb 13, 2013 at 7:59 AM, Luigi Martin Petrella
>> >> wrote:
>> >> > Felix, why do you think the problem is related to the "--waitforcert"
>> >> > option?
>> >> > I tried to run "puppet agent -t --waitforcert 100" , and after
>> >> > signing the request on master, on agent I receive this message:
>> >> >
>> >> > Error: Could not request certificate: Unsupported digest algorithm (SHA256).
>> >> > Error: Failed to apply catalog: Unsupported digest algorithm (SHA256).
>> >> > Error: Could not send report: SSL_CTX_use_PrivateKey:: key values mismatch
>> >> >
>> >> > On 13 February 2013 13:15, Felix Frank
>> >> > wrote:
>> >> >>
>> >> >> On 02/11/2013 10:51 PM, Jo Rhett wrote:
>> >> >> > All cert problems are either time sync or certificate name issues.
>> >> >> > So it's one of those two.
>> >> >>
>> >> >> A bold assertion. It may hold true as far as puppet is concerned,
>> >> >> though.
>> >> >>
>> >> >> I generally advise to take the time and learn about x509 and
>> >> >> openssl's interface, so one can inspect the actual certificates in
>> >> >> question.
>> >> >>
>> >> >> > E
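The fallback described in this reply (use SHA256 when the local OpenSSL has it, otherwise drop to a lower SHA) and the mixed-version failure from the thread, as an added Ruby example. It is not Puppet's certificate_signer.rb and not code from the thread; the helper names, the preference order and the certname agent.example.test are assumptions made for illustration.

```ruby
require 'openssl'

# Strongest first. The order is this example's assumption; the thread only
# says the signer "drops down to a lower SHA" when SHA256 is unavailable.
DIGEST_PREFERENCE = %w[SHA256 SHA1].freeze

# True if the OpenSSL this Ruby is linked against can construct the digest.
# On a library without it, the constructor raises instead of returning.
def runtime_supports?(name)
  OpenSSL::Digest.new(name)
  true
rescue StandardError
  false
end

# First preferred digest the library supports. `supported` is injectable so an
# old library (one without SHA256) can be simulated on a modern host.
def pick_digest(preference = DIGEST_PREFERENCE, supported: method(:runtime_supports?))
  name = preference.find { |d| supported.call(d) }
  raise ArgumentError, "no usable digest among #{preference.join(', ')}" unless name
  name
end

# Build and sign a certificate request for `certname` with the chosen digest.
def build_csr(certname, key, digest_name)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new(digest_name))
  csr
end

# Digest a verifier must implement to check a given signature algorithm name,
# e.g. "sha256WithRSAEncryption" -> "SHA256".
def digest_required_by(signature_algorithm)
  case signature_algorithm
  when /\Asha(\d+)With/i          then "SHA#{Regexp.last_match(1)}"
  when /\Aecdsa-with-SHA(\d+)\z/i then "SHA#{Regexp.last_match(1)}"
  when /\Amd5With/i               then 'MD5'
  else raise ArgumentError, "unrecognised signature algorithm: #{signature_algorithm}"
  end
end

# Can a peer whose OpenSSL offers only `peer_digests` verify this CSR or cert?
def verifiable_by?(signed_object, peer_digests)
  peer_digests.map(&:upcase).include?(digest_required_by(signed_object.signature_algorithm))
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)                  # constructed throwaway key
  csr = build_csr('agent.example.test', key, pick_digest) # constructed certname
  puts "signed with:           #{csr.signature_algorithm}"
  puts "peer with SHA256:      #{verifiable_by?(csr, %w[SHA256 SHA1 MD5])}"
  puts "peer without SHA256:   #{verifiable_by?(csr, %w[SHA1 MD5])}"
  puts "library without SHA256 would sign with: " \
       "#{pick_digest(supported: ->(d) { d != 'SHA256' })}"
end
```

The same `signature_algorithm` reader exists on `OpenSSL::X509::Certificate`, so `verifiable_by?` can be pointed at a signed agent or CA certificate to see which side of a mixed-version deployment cannot check it.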
Re: [Puppet Users] Certificate verify fails without indications
I think this issue is related to your issue since the version discussed is 0.9.7.

http://projects.puppetlabs.com/issues/17295

What you will more than likely need to do is update the openssl on the agent. I don't think it will work too well but you can try to take the srpm from rhel 5 or 6 and build it for rhel 4

On Wed, Feb 13, 2013 at 8:31 AM, Luigi Martin Petrella wrote:
> Master:
> Centos 6.3 , Puppet 3.1.0
> Ubuntu, Puppet 3.1.0
>
> Agent:
> Redhat 4, Puppet 3.1.0
>
> Yesterday something strange happened:
> we tried to connect RedHat agent with a Puppet Enterprise Master on Centos
> 6.3, and there wasn't any certificate problems and everything worked.
> Today we are trying with the same configuration, but it appeared the same
> validation error described before
>
> On 13 February 2013 14:12, Matthew Black wrote:
>>
>> What versions of puppet are being used on the client and
>> the server? Assuming master is running on Linux, what distro and
>> release is the master running on?
>>
>> I suspect the openssl might be the issue on the client.
>>
>> On Wed, Feb 13, 2013 at 7:59 AM, Luigi Martin Petrella
>> wrote:
>> > Felix, why do you think the problem is related to the "--waitforcert"
>> > option?
>> > I tried to run "puppet agent -t --waitforcert 100" , and after signing
>> > the request on master, on agent I receive this message:
>> >
>> > Error: Could not request certificate: Unsupported digest algorithm (SHA256).
>> > Error: Failed to apply catalog: Unsupported digest algorithm (SHA256).
>> > Error: Could not send report: SSL_CTX_use_PrivateKey:: key values mismatch
>> >
>> > On 13 February 2013 13:15, Felix Frank
>> > wrote:
>> >>
>> >> On 02/11/2013 10:51 PM, Jo Rhett wrote:
>> >> > All cert problems are either time sync or certificate name issues. So
>> >> > it's one of those two.
>> >>
>> >> A bold assertion. It may hold true as far as puppet is concerned,
>> >> though.
>> >>
>> >> I generally advise to take the time and learn about x509 and openssl's
>> >> interface, so one can inspect the actual certificates in question.
>> >>
>> >> > Exiting; no certificate found and waitforcert is
>> >> > disabled|
>> >>
>> >> Hmm, so did you *ever* use --waitforcert on your agent side?
>> >>
>> >> If you haven't, that's your problem right there.
>> >>
>> >> HTH,
>> >> Felix
Re: [Puppet Users] Certificate verify fails without indications
What versions of puppet are being used on the client and the server? Assuming master is running on Linux, what distro and release is the master running on?

I suspect the openssl might be the issue on the client.

On Wed, Feb 13, 2013 at 7:59 AM, Luigi Martin Petrella wrote:
> Felix, why do you think the problem is related to the "--waitforcert"
> option?
> I tried to run "puppet agent -t --waitforcert 100" , and after signing the
> request on master, on agent I receive this message:
>
> Error: Could not request certificate: Unsupported digest algorithm (SHA256).
> Error: Failed to apply catalog: Unsupported digest algorithm (SHA256).
> Error: Could not send report: SSL_CTX_use_PrivateKey:: key values mismatch
>
> On 13 February 2013 13:15, Felix Frank
> wrote:
>>
>> On 02/11/2013 10:51 PM, Jo Rhett wrote:
>> > All cert problems are either time sync or certificate name issues. So
>> > it's one of those two.
>>
>> A bold assertion. It may hold true as far as puppet is concerned, though.
>>
>> I generally advise to take the time and learn about x509 and openssl's
>> interface, so one can inspect the actual certificates in question.
>>
>> > Exiting; no certificate found and waitforcert is
>> > disabled|
>>
>> Hmm, so did you *ever* use --waitforcert on your agent side?
>>
>> If you haven't, that's your problem right there.
>>
>> HTH,
>> Felix
Re: [Puppet Users] Module to add another puppetmaster?
Never used Netscalers but if it's just as simple as adding a server to a pool like on the F5 device, it's something that can be given to a NOC or L2 resources to do.

On Thu, Dec 27, 2012 at 10:27 PM, Tom Fox wrote:
> Thanks. Good point about the cert. Unfortunately Netscalers are the standard
> in my environment and to the best of my knowledge there is no love from
> puppet for them so pool management will still require some key pressing.
>
> Matthew Black wrote:
>
> The fastest way to rapidly scale is to have SSL terminated at the load
> balancer so you do not need to update the ssl certificate. The
> configuration to do it depends on what is being used for the load
> balancer. If you are using an F5 LTM then you can easily handle the
> SSL termination at the F5 and add new puppet servers to the pool with
> the F5 module from puppetlabs.
>
> If you are using Apache then you would follow the same principle with
> the SSL terminated at the Apache load balancer. If you use
> mod_passenger you are already terminating SSL at the Apache layer so
> it's not too different at that point.
>
> On Thu, Dec 27, 2012 at 2:08 PM, Tom Fox wrote:
>
> I'm working on getting my system setup for rapid scaling. Without resorting
> to some ugly hacks what is the preferred method of adding more
> puppetmasters? My puppetmasters sit behind a load balancer vip so the
> certificate needs to be updated when I add a puppetmaster.
>
> Does anyone have a module written for this already?
Re: [Puppet Users] Module to add another puppetmaster?
The fastest way to rapidly scale is to have SSL terminated at the load balancer so you do not need to update the ssl certificate. The configuration to do it depends on what is being used for the load balancer. If you are using an F5 LTM then you can easily handle the SSL termination at the F5 and add new puppet servers to the pool with the F5 module from puppetlabs.

If you are using Apache then you would follow the same principle with the SSL terminated at the Apache load balancer. If you use mod_passenger you are already terminating SSL at the Apache layer so it's not too different at that point.

On Thu, Dec 27, 2012 at 2:08 PM, Tom Fox wrote:
> I'm working on getting my system setup for rapid scaling. Without resorting
> to some ugly hacks what is the preferred method of adding more
> puppetmasters? My puppetmasters sit behind a load balancer vip so the
> certificate needs to be updated when I add a puppetmaster.
>
> Does anyone have a module written for this already?
Re: [Puppet Users] how to scale puppet with F5 load balancer?
The best I was able to do is when you generate the certificate for the puppet master you use the dns alt names flag to specify the alternative names for the puppet master. That is the only way I was able to make it work in my environment with the F5.

On Sat, Jul 7, 2012 at 6:17 PM, Hai Tao wrote:
> How can I configure F5 load balancer to be in front of multiple puppet masters?
>
> The SSL will break as the server name is different, hostname of the
> VIP on the LB vs hostnames of each masters, right?
>
> Can you shed some light?
>
> Thanks.
>
> --
> Hai Tao
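The name mismatch raised in the question and the alt-names fix from the reply, as an added Ruby example (not from the thread and not Puppet's code). It uses self-signed stand-in certificates instead of ones signed by a Puppet CA; the helper names and the names puppet.example.test (the VIP) and master1.example.test (one master) are constructed for illustration.

```ruby
require 'openssl'

# Self-signed stand-in for a master certificate. In a real deployment the
# Puppet CA signs it; self-signing keeps the example offline.
def build_master_cert(certname, key, dns_alt_names = [])
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.new([['CN', certname]])
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  unless dns_alt_names.empty?
    san = dns_alt_names.map { |n| "DNS:#{n}" }.join(',')
    factory = OpenSSL::X509::ExtensionFactory.new
    cert.add_extension(factory.create_extension('subjectAltName', san, false))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# DNS names listed in the subjectAltName extension (empty if there is none).
def san_dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext

  ext.value.split(/,\s*/).select { |v| v.start_with?('DNS:') }.map { |v| v.sub('DNS:', '') }
end

# The name check a TLS client performs: does the cert cover the name dialled?
def agent_accepts?(cert, server_name)
  OpenSSL::SSL.verify_certificate_identity(cert, server_name)
end

# Names agents may dial (the VIP, an individual master) the cert does not cover.
def uncovered_names(cert, names)
  names.reject { |n| agent_accepts?(cert, n) }
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)                          # constructed throwaway key
  vip = 'puppet.example.test'                                 # constructed VIP name
  master = 'master1.example.test'                             # constructed master name
  cases = { 'CN only' => [], 'VIP alt name only' => [vip], 'VIP + own name' => [vip, master] }
  cases.each do |label, alts|
    cert = build_master_cert(master, key, alts)
    puts "#{label}: SAN=#{san_dns_names(cert).inspect} " \
         "uncovered=#{uncovered_names(cert, [vip, master]).inspect}"
  end
end
```

Once a certificate carries DNS alt names, the common name is no longer consulted for this check, so the alt-name list has to include the master's own hostname as well as the VIP if agents ever connect to it directly.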
Re: [Puppet Users] Re: Compiled catalog arount 70s
One more thing to keep in mind, the more templates you are compiling also adds to time.

On Sat, Jan 28, 2012 at 11:11 AM, Antidot SAS wrote:
> Thx for answering, I really appreciated your investment, you gave some
> serious lead to search, I'll see on Monday and let you know if something
> comes up. As far as swapping, no sign on the server.
>
> On Fri, Jan 27, 2012 at 11:40 PM, jcbollinger
> wrote:
>>
>> On Jan 27, 11:10 am, Antidot SAS wrote:
>> > Here are the info you wanted:
>> > OS: Debian squeeze
>> > Puppet: installed from gem version 2.7.9
>> > As I said the hardware is an old Poweredge SC1425 with 4 Xeon 2,8 Ghz
>> > with 2 Go of Memory
>> >
>> > Apparently the code is pretty ugly since the compiled time is big, I
>> > have just share the code: https://github.com/jmauro/puppet-user
>>
>> The code is pretty, but very complicated, especially for the
>> relatively simple job it seems to be trying to do. Clearly that code
>> is not your first cut at this, so did older versions exhibit the same
>> poor compile times? If you go back through your revision history,
>> perhaps you can find the change that made compile times spike.
>>
>> Also, Brice's suggestion to check for swapping is a good one,
>> especially because Puppet sometimes uses a lot of memory. Although
>> your hardware is a bit old, it should be up to this task so long as it
>> hasn't too many competing demands on it.
>>
>> Since your catalog eventually does compile, it might be useful to look
>> at the result, available in YAML form. You might discover that it is
>> a lot more complicated than you thought, and that would yield clues to
>> what needs to be cut back.
>>
>> If all else fails, try disabling as much of the code as possible, then
>> watch compilation times as you re-enable it bit by bit. I suspect
>> that you will find some particular part that consumes the lion's share
>> of the compilation time.
>>
>> John
Re: [Puppet Users] Database calls in puppet manifests
You can look into creating custom functions in ruby to pull back the data. Additionally you could create the manifests in ruby dsl.

On Fri, Jan 6, 2012 at 10:25 AM, Jeff Sussna wrote:
> (How) do folks handle situations where puppet variables need to be
> populated from dynamic database queries?
Re: [Puppet Users] Puppet for Oracle Enterprise Linux
Can you provide the resource defined in the error message?

On Thu, Dec 1, 2011 at 8:38 PM, Douglas Garstang wrote:
> Finally got the dependencies sorted out, and on the first run on the
> client, I am seeing:
>
> Dec 1 20:37:35 ip-10-123-21-192 puppet-agent[2562]: Failed to apply
> catalog: Parameter ensure failed: Provider must have features
> 'versionable' to set 'ensure' to '9.5.3-1' at
> /etc/puppet/devmp/modules/openam/manifests/common.pp:9
>
> I thought puppet on OEL was identical to Redhat? Don't see this error on
> redhat.
>
> Doug.
>
> On Thu, Dec 1, 2011 at 5:21 PM, Douglas Garstang
> wrote:
>> Rayson,
>>
>> Thanks. Having all sorts of issues with that. Our server is running
>> 2.6.2, which means that the client packages needs to have 2.6.2 or
>> older, but when I try and install older versions of puppet, I get
>> dependency failures :(
>>
>> Doug.
>>
>> On Thu, Dec 1, 2011 at 4:37 PM, Rayson Ho wrote:
>>> There are only a few minor differences between RHEL, CentOS, and
>>> Oracle Linux... so if a package works on RHEL, then it also works on
>>> Oracle Linux.
>>>
>>> IIRC, if you point to the correct repo, you can even update Oracle
>>> Linux with CentOS repo. Further, Oracle has a public yum for Oracle
>>> Linux even for users not paying for the "Oracle Unbreakable Linux
>>> Support" subscription:
>>>
>>> http://public-yum.oracle.com/
>>>
>>> BTW, "Puppet Enterprise 2.0" officially supports Oracle Linux:
>>>
>>> http://docs.puppetlabs.com/pe/2.0/install_system_requirements.html
>>>
>>> Rayson
>>>
>>> =
>>> Grid Engine / Open Grid Scheduler
>>> http://gridscheduler.sourceforge.net/
>>>
>>> Scalable Grid Engine Support Program
>>> http://www.scalablelogic.com/
>>>
>>>
>>> On Thu, Dec 1, 2011 at 7:16 PM, Douglas Garstang
>>> wrote:
My bad had to do a yum clean all. D'oh.

On Thu, Dec 1, 2011 at 4:15 PM, Douglas Garstang wrote:
> Gonzalo,
>
> Nope. Ran:
>
> rpm -Uvh
> http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
>
> and got the epel repo. Then I ran:
>
> $ yum repolist
> Loaded plugins: security
> http://epel.mirror.freedomvoice.com/5/x86_64/repodata/d7e9a86e48be583371a8d5a3055017b313dd6cc92d57147c6c8ee03b50a0312b-primary.sqlite.bz2:
> [Errno 14] HTTP Error 404: Not Found
> Trying other mirror.
> http://mirror.its.uidaho.edu/pub/epel/5/x86_64/repodata/d7e9a86e48be583371a8d5a3055017b313dd6cc92d57147c6c8ee03b50a0312b-primary.sqlite.bz2:
> [Errno 14] HTTP Error 404: Not Found
> Trying other mirror.
> http://ftp.linux.ncsu.edu/pub/epel/5/x86_64/repodata/d7e9a86e48be583371a8d5a3055017b313dd6cc92d57147c6c8ee03b50a0312b-primary.sqlite.bz2:
> [Errno 14] HTTP Error 404: Not Found
> Trying other mirror.
> http://mirror.us.leaseweb.net/epel/5/x86_64/repodata/d7e9a86e48be583371a8d5a3055017b313dd6cc92d57147c6c8ee03b50a0312b-primary.sqlite.bz2:
> [Errno 14] HTTP Error 404: Not Found
> Trying other mirror.
> epel/primary_db
>
> | 0 B 00:00
> ftp://mirror.cs.princeton.edu/pub/mirrors/fedora-epel/5/x86_64/repodata/d7e9a86e48be583371a8d5a3055017b313dd6cc92d57147c6c8ee03b50a0312b-primary.sqlite.bz2:
> [Errno -3] Error performing checksum
> Trying other mirror.
>
> and so on and so on. Funny cuz that long number file
> d7e9a86e48be583371a8d5a3055017b313dd6cc92d57147c6c8ee03b50a0312b-primary.sqlite.bz2
> doesn't exist when I look at it with a web browser...
>
> Doug.
>
> On Thu, Dec 1, 2011 at 4:09 PM, Gonzalo Servat wrote:
>> Try the EPEL repo -- http://fedoraproject.org/wiki/EPEL.
>>
>> - Gonzalo
>>
>> On Fri, Dec 2, 2011 at 11:07 AM, Douglas Garstang
>>
>> wrote:
>>>
>>> On Thu, Dec 1, 2011 at 4:03 PM, Michael Stahnke
>>> wrote:
>>> > Puppet works fine on OEL. You can add yum.puppetlabs.com as a repo
>>> > and use the el based stuff.
>>> >
>>> > rpm -Uvh
>>> > http://yum.puppetlabs.com/el/5/products/i386/puppetlabs-release-5-1.noarch.rpm
>>> >
>>> > That should get you going.
>>> >
>>> >
>>> > Mike
>>>
>>> Mike,
>>>
>>> Almost see below. As I said, there are NO other repos installed.
>>> I guess puppet doesn't provide ruby-augeas...
>>>
>>>
>>> $ yum install puppet
>>> Loaded plugins: security
>>> Setting up Install Process
>>> Resolving Dependencies
>>> --> Running transaction check
>>> ---> Package puppet.i386 0:2.7.1-1 set to be updated
>>> --> Processing Dependency: facter >= 1.5 for package: puppet
>>> --> Processing Dependency: ruby-augeas for package: puppet
>>> ---> Package puppet.x86_64 0:2.7.1-1 set to be updated
>>> --> Processing Dependency: ruby-augeas for package: puppet
>>> --> Running transaction check
>>> ---> Package facter.i386 0:1.6.0-1
Re: [Puppet Users] Exec {rake db:mgirate } not working
One thing you might want to try, which could resolve the issue, is to use the cwd meta for exec. I would also split the actions up, like below, with the refreshonly meta set to true so it doesn't execute them on every puppet run. You would need a resource that would trigger them, like a package install or something.

    # cwd is the directory from the original manifest. The path value is an
    # assumption: exec needs either a fully qualified command or a path.
    exec { "redmine-db-migrate":
      command     => "rake db:migrate",
      cwd         => "/opt/redmine/current",
      path        => ["/usr/local/bin", "/usr/bin", "/bin"],
      refreshonly => true,
    }

    # Installing the gems notifies the migration, so it runs afterwards.
    exec { "redmine-install-gems":
      command     => "rake gems:install",
      cwd         => "/opt/redmine/current",
      path        => ["/usr/local/bin", "/usr/bin", "/bin"],
      refreshonly => true,
      notify      => Exec["redmine-db-migrate"],
    }

On Fri, Oct 7, 2011 at 5:03 PM, damniamgood wrote:
> Hello,
> I have master and agent puppet server setup and i am running
> the manifest which includes the exec block
>
> exec{"install-gems":
>   command => "cd /opt/redmine/current && rake gems:install && rake db:migrate",
> }
>
> When i run on the client side , the execution of the install-gems
> fails and returns non-zero.
>
> Can you possibly tell the reason ?
>
> Is there any other way to handle this.?
Re: [Puppet Users] Re: Hostname fact doesn't handle hostnames with periods
You are confusing Standards (RFC) and POSIX. They are typically mutually exclusive in their roles. RFC dictates the standards by which the information should be presented. POSIX dictates the API by which the information is obtained. The difference can be plainly seen in message protocols, like smtp.

http://nemo.its.uiowa.edu/reference/sendmail-rfc.html

I would rather facter had a way to override fact definitions, so I could use custom facts for things like hostname. Instead of having Facter.add(:hostname) it would be Facter.replace(:hostname), then the problem would be solved by creating custom hostname and domain facts for people who want to go against the standards. In fact the idea of replacing facts with custom facts might be handy in other situations and I vote to have that added instead of changing how facter pulls information.

Although until such time as that is in place you can always modify the hostname.rb and domain.rb in facter lib to present the data the way you want it for your environment.

On Fri, Oct 7, 2011 at 11:54 AM, easybeats wrote:
> Hi Tim,
>
> > IMO, you've got to be clear what the underlying information model that
> > puppet / facter supports is. In particular, if you simply say that the
> > facts are the data reported by the underlying tools, then you've got
> > zero abstraction of the model and it's 'an exercise for the user to
> > handle the differences between platforms.
>
> I agree with you there needs to be clarity as to what standard/
> information model is to be supported. To me there are two standards in
> operation here and an assumption being made.
>
> At this time to me DNS is assumed to be the only valid overarching
> "directory service" and "naming standard".
>
> POSIX the underlying Unix standard makes no such assumptions as to
> which overarching directory service or naming standard will be in
> operation. Hypothetically should a site admin choose to support WINS
> (heaven forbid) or some other standard, POSIX which has portability in
> mind caters for that. I concede DNS is the most widely used directory
> standard, naming service around but it is still an assumption.
>
> If DNS is the only valid naming standard that can apply to the
> hostname is to the exclusion of IEEE Std 1003.1-2008 (POSIX:2008)
> which to my knowledge doesn't comment on the restriction of character
> sets for hostnames, so currently puppet at this point in time can not
> report on a POSIX compliant hostname from the Kernel if it contains a
> period (.). (NB if puppet were to support this I'm suggesting a
> different fact so as to not interfere with current operations)
>
> http://pubs.opengroup.org/onlinepubs/9699919799/functions/uname.html
>
> If to support multiplatform (IE Windows), one must allow for and
> consider other valid directory naming standards and directory services
> and or the underlying OS standard.
>
> > Alternatively, you can
> > define a canonical ontology and how the different tools map onto that
> > ontology. Even with such an ontology, you probably need to include
> > platform specific types in the data model.
> > fwiw, I'm also a big fan of encouraging best practice in the use of
> > the tools, so in this instance, the teaching/documentation would show
> > how to avoid naming pitfalls introduced by differences in standards
> > and how to remediate an environment that's fallen into such a trap.
> > Otherwise, the tools get bogged down in handling nasty
> > inconsistencies, which are impossible to cope with cleanly in code as
> > they depend on implicit or explicit customer organisational policies -
> > and the tool gets blamed for any shortfalls, while the organisation
> > keeps digging itself deeper into the trap.
>
> I agree with promoting best practice, however which standard(s) is/are
> to be supported on a given platform should be taken into account.
Re: [Puppet Users] Hostname fact doesn't handle hostnames with periods
I think you missed the point I was trying to convey. Any way you want to try to flip it, you are still going against the grain with using a period in the hostname. Even libc states what a hostname is and what a fqdn is, see below. So if libc defines a hostname like below, then facter will be the least of your issues down the road.

  In DNS, the full host name is properly called the FQDN (Fully Qualified Domain Name) and consists of the hostname, then a period, then the domain name. The domain name itself usually has multiple components separated by periods. So for example, a system's hostname may be ‘chicken’ and its domain name might be ‘ai.mit.edu’, so its FQDN (which is its host name) is ‘chicken.ai.mit.edu’.

http://www.gnu.org/s/hello/manual/libc/Host-Identification.html

On Oct 3, 2011, at 6:59 PM, Doug Balmer wrote:
> about. In fact, I think if you were to use periods it would confuse
> DNS resolve because it follows the same convention as stated in the
> RFC. If I were external trying to look up host.server.domain.com, my
> DNS would try to look for a nameserver for server.domain.com. You
> would still be forced to use a new zone file for server.domain.com.
>
> man resolv.conf
> See options ndots
>
> If I have a host with FQDN foo.bar.example.com and I have "options
> ndots:2\nsearch example.com" in /etc/resolv.conf then I can resolve "foo.bar".
Re: [Puppet Users] Hostname fact doesn't handle hostnames with periods
If facter switched to using uname on unix/linux, it would be a problem. If I type uname -n it will spit out the fqdn to me. If I type hostname -s, it gives me the short, the actual hostname. I don't think a switch like that will solve the original issue provided.

On Oct 4, 2011, at 6:20 AM, Ken Barber wrote:
> So again quoting Dexter (who should really be participating in this
> discussion himself :-P). Perhaps a more POSIX purist set of facts
> based around the posix/opengroup standards would be desirable:
>
> http://pubs.opengroup.org/onlinepubs/009604599/basedefs/sys/utsname.h.html
> http://pubs.opengroup.org/onlinepubs/009695399/utilities/uname.html
>
> For example ...
>
> uname_nodename: is uname -n only and isn't contrived
> uname_release: is uname -r
> uname_version: is uname -v
> ...etc...
>
> This duplicates a lot of facts in behaviour - but sticks to the posix
> compliance interpretation only. I'm not 100% on whether this is the
> correct approach but the idea sounds sane enough - the question is
> really if it is core worthy or not. If this is implemented how many
> people would prefer or use this directly (besides Doug of course - who
> has made his sentiments clear :-P)?
>
> My main concern here is that this implementation is not truly
> cross-platform - only POSIX specific (which is pretty good coverage
> anyway - but not complete). The point and vision of facter (and most
> puppet resources) is to provide cross-os compatibility where possible
> if anything providing a layer that binds POSIX and other non-posix OS
> to one type of data ... so I see these facts as binding puppet content
> to POSIX only machines. So while the interface may be there ... we
> would want to be careful to avoid using it directly in cross-os
> resources and puppet code. Having said that, this would not be the
> first time we have had to provide OS specific facts :-).
>
> IMO - If implemented I can envision providing this interface and on
> POSIX machines just using these facts to glean things like
> 'kernelversion' on compatible machines instead of duplicating the
> uname -v call again.
>
> ken.
>
> On Mon, Oct 3, 2011 at 11:59 PM, Doug Balmer wrote:
>>> about. In fact, I think if you were to use periods it would confuse
>>> DNS resolve because it follows the same convention as stated in the
>>> RFC. If I were external trying to look up host.server.domain.com, my
>>> DNS would try to look for a nameserver for server.domain.com. You
>>> would still be forced to use a new zone file for server.domain.com.
>>
>> man resolv.conf
>> See options ndots
>> If I have a host with FQDN foo.bar.example.com and I have "options
>> ndots:2\nsearch example.com" in /etc/resolv.conf then I can resolve
>> "foo.bar".
Re: [Puppet Users] RFC: Being able to exclude resources from reporting.
I could see a use case for it. When generating the facts.yaml for use with mcollective, the reports are always showing 1 change because of that, even if I set the log level to debug. That file will always change every run because the information stored in facter changes with each run.

I can't think of another use case but I'm sure there might be others.

On Oct 4, 2011, at 1:30 PM, Daniel Pittman wrote:
> On Tue, Oct 4, 2011 at 10:16, Nigel Kersten wrote:
>
>> As per: https://projects.puppetlabs.com/issues/7555
>> it looks like we've got some use cases around excluding some resources from
>> being reported on to reduce noise.
>
> This feels like solving the problem on the wrong side to me.
>
>> Should we implement a metaparameter like this? Do the use cases justify
>> breaking the consistency of the model (report on everything) ?
>
> This is worse than that: it bakes in the assumption that the reports
> are *not* a graph, or that we can just discard structural elements in
> that graph, by allowing us to ditch what would otherwise be a vertex.
>
> One of the proposed enhancements to the report - which I think is
> hugely valuable - is that we return the augmented graph from the
> client side, where things like file recursion, or autorequires, can
> change the catalog we sent down. Excluding something from that may be
> a huge structural change, and it is certainly going to make
> correlation between that graph and the original catalog extremely
> difficult to discover.
>
> So, no, I do not believe we should support this. Better, I think, to
> support that feature in our reporting tools, or make it easier for
> people to build that in their tools.
>
> Daniel
> --
> ⎋ Puppet Labs Developer – http://puppetlabs.com
> ♲ Made with 100 percent post-consumer electrons
Re: [Puppet Users] mysql database
No, that is one of the ways to do it. The alternative is to write your own provider and type. As for whether your method is correct, if it is working for you and scales then it's the correct procedure for you.

On Sun, Oct 2, 2011 at 11:41 AM, CHEBRIAN wrote:
> Hi,
>
> How to create mysql database thru puppet. I fired thru exec . it it
> creating. but i feel it is not a correct procedure. Please share your
> suggestions
Re: [Puppet Users] run puppet service type with specific user
Take a look at http://www.yolinux.com/TUTORIALS/LinuxTutorialInitProcess.html

I forget exactly the usage of the daemon but you need to include the functions, which is shown at the init script example. If you read that functions file it will give you an idea of how to use it to start up a service and have it run as a different user.

On Sat, Sep 24, 2011 at 7:31 AM, Dieter De Meyer wrote:
> Thanks for the reply.
>
> I modified the rc script to run as a user.
> But now I'm facing the following problem:
> I have to include some nasty puppet code for adding the service before i
> can use the service resource type.
> And the service resource type returns ok, but the service is in fact not
> started.
> When i do it manually, it requires a password for that user.
> So, I tried to manage the user with puppet and provided a password, but get
> the message:
> Provider useradd does not support features manages_passwords; not managing
> attribute password
> I know this is a problem with Puppet and CentOS, but I have ruby-shadow and
> shadow-utils installed on my CentOS 6.0 VM.
>
> I also don't know if this is going to help with starting the service.
> I want to use the service type to start the service with a specific user,
> but without asking for a password.
>
> Any help would be appreciated.
>
> Regards.
Re: [Puppet Users] Source of external node data?
It depends on the job you want to do. My project we use an oracle db backend to store our whole environment information for application deployments. So we have a ruby DSL class that is an entry point where it looks up the node in the database and processes it depending on its function.

The solution depends on how complex you need it to be.

On Sep 15, 2011, at 5:32 PM, Douglas Garstang wrote:
> I asked this question a few weeks ago. Didn't get a reply, so I
> thought I'd try again.
>
> Where are people more likely to source external node data from?
>
> a) By using extlookup, hiera etc within each puppet module to load
> data specific to that module, OR
> b) Having the external node script source everything at once from, say
> a database, and then dump all the variables that the node will ever
> need.
>
> ?
>
> Doug.
Re: [Puppet Users] Deployment of applications
That's because puppet isn't a tool meant to build applications from source. You could do it but it's one of those things where it doesn't make sense. If you need to build from SVN, you might as well look at something like Jenkins that can monitor an SCM and pull out changes and do a bunch of things around it. Then package it up into an RPM, which puppet handles nicely from my experience.

Rundeck might be a good solution for you on your problem in terms of deploying to one system first before the others. If you had the knowledge with writing web applications you could easily use MCollective to do that too and put a nice GUI in front of the job.

On Sep 13, 2011, at 6:33 PM, Ashley Penney wrote:
> can't think of any other good way to say "do a one time run of
> project::build_core on the following matching nodes: x, y, z". I am really
> just using rundeck for the equivalent of that. Other things I would think of
> using this for is handling deploying a bunch of servers where server 1 has to
> be fully provisioned before 2 and on 2 at least one service has to be up
> before 3 can do its thing. It's something that's still a hassle to do well
> within Puppet.
RE: [Puppet Users] Re: how to do conditional check?
Not sure if it does, I'm going with the assumption it would not. Though there is a Dir.exists that you could use.

-----Original Message-----
From: puppet-users@googlegroups.com [mailto:puppet-users@googlegroups.com] On Behalf Of Sans
Sent: Tuesday, June 14, 2011 1:54 PM
To: Puppet Users
Subject: [Puppet Users] Re: how to do conditional check?

On Jun 14, 6:12 pm, "Matthew Black" wrote:
> I haven’t used torque or yaim but what you want to do in a fact is something
> like this to determine installation.
>
> if File.exist?('/path/to/config')
>

Does it work for directory as well?

-San
RE: [Puppet Users] Re: how to do conditional check?
I haven’t used torque or yaim but what you want to do in a fact is something like this to determine installation.

if File.exist?('/path/to/config')
  # the file is there: report the software as installed
end

I don’t usually install anything on a system without doing it in puppet, so I don’t typically write facts to find out if something is installed or not.

-----Original Message-----
From: puppet-users@googlegroups.com [mailto:puppet-users@googlegroups.com] On Behalf Of Sans
Sent: Tuesday, June 14, 2011 10:01 AM
To: Puppet Users
Subject: [Puppet Users] Re: how to do conditional check?

On Jun 14, 2:48 pm, Patrick wrote:
>
> 1) Why not use puppet to decide if Torque should be installed in the first place? Then you can use that logic to decide if the file should be created/put in place?

I can't: "torque" is a vital part of the middleware, which needs to be installed and configured at the time of middleware installation. And on the other hand, I use Puppet to prepare the environment for the middleware to be installed (by yaim). After that installation (and initial configuration), I wanna make sure that "config" file is always there with correct values.

> 2) Does it matter if you create the file if the package isn't installed?

As I explained above, if the I create the [especially] the directory-path, yaim will skip a things, thinking it's an upgrade or re-install, even though installing for first time. Hope, I've made it a bit clearer now. Cheers!!
Re: [Puppet Users] Re: how to do conditional check?
Sounds like what you want to do is to create a fact to find out the status of whether torque is installed or not. As for the configuration file, without better understanding the contents of the file, I would in conjunction with the fact do a file resource surrounded by an if statement that utilizes the fact. If it's something that is pretty much the same across the board except for some values, like host names or what not, then you could use templates to create the file and keep it that way.

so for example

if $torque_installed == true {
  file { '/var/torque/mom_priv/config':
    ensure  => present,
    content => template(...)
  }
}

On Mon, Jun 13, 2011 at 8:00 PM, Sans wrote:
> Well, the file I mention is actually one of the Torque (formerly PBS
> batch system) "config" file (location: /var/torque/mom_priv/config),
> which is auto generated by "yaim" but the thing is: if the file is
> already there "yaim" won't touch it. Let's just say that I don't want
> yaim to create this file (it messes it up very often and ended up with
> wrong value) but wanna make sure that the file is in correct shape,
> otherwise jobs won't run properly. On the other hand, that file
> doesn't mean anything at all, if Torque is not install in the first
> place. That's why I want to put that check in. Cheers!!
>
> On Jun 13, 6:50 pm, "Matthew Black" wrote:
> > After reading the other responses my question to you is what exactly are
> you
> > attempting to do?
RE: [Puppet Users] Re: how to do conditional check?
After reading the other responses my question to you is what exactly are you attempting to do?

-----Original Message-----
From: puppet-users@googlegroups.com [mailto:puppet-users@googlegroups.com] On Behalf Of Sans
Sent: Monday, June 13, 2011 5:22 AM
To: Puppet Users
Subject: [Puppet Users] Re: how to do conditional check?

Any suggestion from anyone else? Is there a way to check "if a directory (or file) already exists, then do something" in Puppet? Cheers!!
RE: [Puppet Users] Re: How do I enable repositories and install packages
It fails because the yum repository by default is requiring the package be signed. If you update the repo configuration, with the option below, you would not need to do a --nogpgcheck with the package install. The only other time that this option would not work is if you are doing a localinstall via yum, which there is no repo configuration involved.

gpgcheck=0

-----Original Message-----
From: puppet-users@googlegroups.com [mailto:puppet-users@googlegroups.com] On Behalf Of hyzhang
Sent: Friday, June 03, 2011 1:11 PM
To: Puppet Users
Subject: [Puppet Users] Re: How do I enable repositories and install packages

Thank you all for the response. I applied the patch. It seems work partially, but failed due to packages is not signed. So that raises another question - is there a puppet patch for "nogpgcheck"?

On Jun 1, 12:41 pm, Jacob Helwig wrote:
> If you want to enable the repositories on a per-package basis as was
> shown in the examples (with the --enablerepo flag), then you'll
> definitely want to watch & vote for #4113[1].
>
> If you want to have the repositories always enabled, then you should be
> able to do that through the yum configuration. I'm not all that
> familiar with the details though since I've tended not to use the RPM
> based systems.
>
> [1]http://projects.puppetlabs.com/issues/4113
>
> --
> Jacob Helwig
>
> On Wed, 01 Jun 2011 09:31:51 -0700, Nathan Clemons wrote:
>
> > The package resource type will allow you to install packages via Yum, but
> > does not (last I checked) support specifying repos to enable/disable (which
> > I'd dearly love if it was added).
>
> > Which means you either get to write your own extension to package to add
> > that functionality, or use exec.
>
> > --
> > Nathan Clemons
> > http://www.livemocha.com
> > The worlds largest online language learning community
>
> > On Wed, Jun 1, 2011 at 9:19 AM, hyzhang wrote:
>
> > > Hi,
>
> > > My shell script is as below. How do I translate them to puppet
> > > language? I think I can use exec directly. But is there a better way?
>
> > > /usr/bin/yum clean all
> > > /bin/echo -e "\n/usr/bin/yum -y --enablerepo=base,rpmforge install
> > > mplayer mplayer-skins"
> > > /usr/bin/yum -y --enablerepo=base,rpmforge install mplayer mplayer-skins
>
> > > /usr/bin/yum clean all
> > > /bin/echo -e "\n/usr/bin/yum -y --nogpgcheck install RealPlayer
> > > AdobeReader_enu flash-plugin"
> > > /usr/bin/yum -y --nogpgcheck install RealPlayer AdobeReader_enu flash-plugin
>
> > > /usr/bin/yum clean all
> > > /bin/echo -e "\n/usr/bin/yum -y --enablerepo=base install pidgin"
> > > /usr/bin/yum -y --enablerepo=base install pidgin
>
> > > Thanks,
> > > -Haiyan
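The `gpgcheck=0` option discussed above switches off RPM signature verification for every package pulled from that repository, so it is worth knowing exactly where it is in effect. The following is an added example, not code from the thread or from Puppet: a Ruby audit that parses yum repo definitions and reports repositories where signature checking is off, either explicitly or by inheriting the `[main]` value. The sample repo text, the repo names other than `base` and `rpmforge`, and the function names are constructed for illustration.

```ruby
# Audit yum repository definitions for disabled RPM signature checking.
# All sample configuration below is constructed for this example.

FALSEY = %w[0 no false].freeze # boolean spellings yum reads as "off"

SAMPLE_MAIN = <<~'CONF'
  [main]
  cachedir=/var/cache/yum
  gpgcheck=1
CONF

SAMPLE_REPOS = <<~'REPO'
  [base]
  name=Base
  baseurl=http://mirror.example.invalid/os/
  enabled=1
  gpgcheck=1
  gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

  # third-party repo, normally off and switched on with --enablerepo
  [rpmforge]
  name = RPMforge
  baseurl = http://repo.example.invalid/rpmforge/
  enabled = 0
  gpgcheck = 0

  [internal]
  name=Internal builds
  baseurl=http://repo.example.invalid/internal/
            http://mirror.example.invalid/internal/
  enabled=1

  [media]
  name=Vendor media
  baseurl=http://repo.example.invalid/media/
  gpgcheck=no
REPO

# Minimal INI reader for yum files: sections, key=value pairs with optional
# spaces, comment lines, and indented continuation lines (multi-URL baseurl).
def parse_ini(text)
  sections = {}
  current = nil
  last_key = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty? || line.strip.start_with?('#', ';')

    if (m = line.match(/\A\[([^\]]+)\]\s*\z/))
      current = sections[m[1].strip] ||= {}
      last_key = nil
    elsif current && last_key && line =~ /\A\s/
      current[last_key] += " #{line.strip}"
    elsif current && (m = line.match(/\A([^=\s]+)\s*=\s*(.*)\z/))
      last_key = m[1].downcase
      current[last_key] = m[2].strip
    end
  end
  sections
end

# Interpret a yum boolean, falling back to +default+ when the key is absent.
def flag_on?(value, default)
  return default if value.nil? || value.empty?

  !FALSEY.include?(value.downcase)
end

# Returns one finding per repo whose packages would install unverified.
# A repo without its own gpgcheck inherits [main]; per yum.conf(5) the
# built-in default is 0 when [main] does not set it either.
def audit_repos(repo_text, main_conf_text = '')
  main = parse_ini(main_conf_text).fetch('main', {})
  main_gpgcheck = flag_on?(main['gpgcheck'], false)

  parse_ini(repo_text).each_with_object([]) do |(name, opts), findings|
    next if name == 'main'
    next if flag_on?(opts['gpgcheck'], main_gpgcheck)

    findings << {
      repo: name,
      issue: opts.key?('gpgcheck') ? :gpgcheck_disabled : :gpgcheck_inherited_off,
      # a disabled repo is still reachable through --enablerepo
      severity: flag_on?(opts['enabled'], true) ? :high : :latent
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_repos(SAMPLE_REPOS, SAMPLE_MAIN).each do |f|
    puts format('%-10s %-24s %s', f[:repo], f[:issue], f[:severity])
  end
end
```

On a real host, pass the contents of `/etc/yum.conf` as the second argument and the contents of each file under `/etc/yum.repos.d/` as the first.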
Re: [Puppet Users] ruby dsl manifests
Thanks for the reply, from what you said it might be better for me to go about it in a different direction.

On Thu, Jun 2, 2011 at 1:07 AM, Dan Bode wrote:
> you should be able to do something like:
>
> call_function(:defined, "Foo['bar']")
>
> just keep in mind that the defined function (or anything for resource
> detection) is parse order dependent which can lead to unexpected results.
>
>
> On Wed, Jun 1, 2011 at 9:04 PM, Matt wrote:
>
>> I've been searching and haven't found an answer yet. Is there a scope
>> or variable that I can parse to find out if a resource is defined? I
>> know there is the defined command in puppet manifests.
Re: [Puppet Users] How to check if a package exists
You can put a requires in the file resource

require => Package["packagename"]

then it will install the package first then put in the symlink.

On Sat, Apr 30, 2011 at 5:12 AM, Sans wrote:
> Dear all,
>
> I'm trying to do this. Say for example, I want this link: "liblcgdm.so
> -> liblcgdm.so.1.8.0" to be present on the client only if "lcgdm-
> libs-1.8.0-1sec.sl5" is already listed. I already have this to create
> the link:
>
> file {
>    'liblcgdm.so':
>      ensure => symlink,
>      name => '/opt/lcg/lib/liblcgdm.so',
>      target => 'liblcgdm.so.1.8.0';
> }
>
> but how do I check the existence of that particular package
> beforehand? Thanks in advance for your time. Cheers!!
Re: [Puppet Users] External CA: Could not run: Could not retrieve certificate for puppetsrv and not running on a valid certificate authority
I had to add this to my puppet conf files for the master section.

    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY

The one error you see from generating the cert is fine because it's trying to delete the non-existent CSR, which is because you generated.

On Sat, Mar 5, 2011 at 6:06 PM, Mohamed Lrhazi wrote:
> I guess it's the tweaks for 2.6" that I must be missing...
> Here is my process:
>
> On puppetmaster1:
>
> sudo rm -rf /etc/puppet/ssl /var/lib/puppet/ssl
> sudo puppet cert --generate --certdnsnames puppet.uis.example.com:puppet.example.com:puppet puppet-prod.uis.example.com
> sudo puppet cert --generate --certdnsnames puppet-test.uis.example.com:puppet-test.example.com:puppet-test pirates.uis.example.com
>
> Note: these last two commands seem to work, even though they also
> print an error:
>
> The first command for example prints this:
> notice: Signed certificate request for ca
> notice: Rebuilding inventory file
> notice: puppet-prod.uis.example.com has a waiting certificate request
> notice: Signed certificate request for puppet-prod.uis.example.com
> notice: Removing file Puppet::SSL::CertificateRequest puppet-prod.uis.example.com at '/var/lib/puppet/ssl/ca/requests/puppet-prod.uis.example.com.pem'
> notice: Removing file Puppet::SSL::CertificateRequest puppet-prod.uis.example.com at '/var/lib/puppet/ssl/certificate_requests/puppet-prod.uis.example.com.pem'
> err: Could not call generate: Could not find certificate request for puppet-prod.uis.example.com
>
> Why is that?
>
> anyways, continuing, I edit puppet.conf to add:
>
> [master]
>    certname=puppet-prod.uis.example.com
>    ca=true
>
> Now starting puppet master seems to work fine, no errors.
>
> Now, on puppetmaster2:
>
> sudo rm -rf /etc/puppet/ssl /var/lib/puppet/ssl
>
> copy these three files from puppetmaster1, to puppetmaster2
>
> /var/lib/puppet/ssl/private_keys/pirates.uis.example.com.pem
> /var/lib/puppet/ssl/ca/signed/pirates.uis.example.com.pem
> /var/lib/puppet/ssl/ca/ca_crt.pem
>
> I put the certs in /var/lib/puppet/ssl/certs and the key in
> /var/lib/puppet/ssl/private_keys
>
> Edit puppet.conf to have:
> [master]
>    certname=pirates.uis.example.com
>    ca=false
>    ca_server=puppet-prod.uis.example.com
>
> Now starting the puppet master fails with error:
>
> Could not run: Could not retrieve certificate for
> pirates.uis.example.com and not running on a valid certificate
> authority
>
> What am I doing wrong?
>
> Thanks,
> Mohamed.
>
> On Sat, Mar 5, 2011 at 5:25 PM, Matthew Black wrote:
> > That process still works, but you need to have a CA puppet master, a non-CA
> > puppet master, and one client for that to work. The client needs to be told
> > where the CA server is though which in that link tells you how to update the
> > puppet.conf.
> > I use this process and it works great, there was some tweaking needing for
> > it to work for 2.6
> >
> > On Sat, Mar 5, 2011 at 4:53 PM, Mohamed Lrhazi wrote:
> >>
> >> I just run into the same issue... I was trying to follow this
> >> procedure: http://bodepd.com/wordpress/?p=7
> >>
> >> My goal is to be able to run my nodes against either of two
> >> puppetmasters
> >>
> >> My first master starts fine, but the second dies with this same error:
> >>
> >> Could not run: Could not retrieve certificate for
> >> and not running on a valid certificate authority
> >>
> >> Is the procedure outdated? Is it supposed to work with puppet 2.6 ?
> >>
> >> Thanks,
> >> Mohamed.
> >>
> >> On Thu, Aug 19, 2010 at 2:38 PM, Yushu Yao wrote:
> >> > Hi Experts,
> >> >
> >> > I'm trying to generate my own certificates (all of them, including certs for
> >> > CA, server and client) for puppet to use.
> >> >
> >> > and I'm getting "Could not run: Could not retrieve certificate for puppetsrv
> >> > and not running on a valid certificate authority"
> >> >
> >> > Just wondering what the problem could be?
> >> >
> >> > What I did is:
> >> >
> >> > 1. generate a self signed CA cert, and save the files to ca.crt, ca.prk,
> >> > ca.puk, ca.pass.
> >> > 2. generate a keypair, request, then sign with the above CA and save the
> >> > files ssldir/public_keys/puppetsrv.pem,
Re: [Puppet Users] External CA: Could not run: Could not retrieve certificate for puppetsrv and not running on a valid certificate authority
That process still works, but you need to have a CA puppet master, a non-CA puppet master, and one client for that to work. The client needs to be told where the CA server is though which in that link tells you how to update the puppet.conf.

I use this process and it works great, there was some tweaking needing for it to work for 2.6

On Sat, Mar 5, 2011 at 4:53 PM, Mohamed Lrhazi wrote:
> I just run into the same issue... I was trying to follow this
> procedure: http://bodepd.com/wordpress/?p=7
>
> My goal is to be able to run my nodes against either of two
> puppetmasters
>
> My first master starts fine, but the second dies with this same error:
>
> Could not run: Could not retrieve certificate for
> and not running on a valid certificate authority
>
> Is the procedure outdated? Is it supposed to work with puppet 2.6 ?
>
> Thanks,
> Mohamed.
>
> On Thu, Aug 19, 2010 at 2:38 PM, Yushu Yao wrote:
> > Hi Experts,
> >
> > I'm trying to generate my own certificates (all of them, including certs for
> > CA, server and client) for puppet to use.
> >
> > and I'm getting "Could not run: Could not retrieve certificate for puppetsrv
> > and not running on a valid certificate authority"
> >
> > Just wondering what the problem could be?
> >
> > What I did is:
> >
> > 1. generate a self signed CA cert, and save the files to ca.crt, ca.prk,
> > ca.puk, ca.pass.
> > 2. generate a keypair, request, then sign with the above CA and save the
> > files ssldir/public_keys/puppetsrv.pem, ssldir/private_keys/puppetsrv.pem,
> > ssldir/certificate_requests/puppetsrv.pem, ssldir/certs/puppetsrv.pem
> > (All certs work fine with openssl verify)
> > 3. Puppet configuration file:
> > ca = false
> > cakey=$ssldir/ca.prk
> > passfile=$ssldir/ca.pass
> > cacert=$ssldir/ca.crt
> > capub=$ssldir/ca.puk
> > 4. run puppet master:
> > /usr/sbin/puppetmasterd --no-daemonize --verbose --debug --certname puppetsrv
> >
> > Full log (added some breakpoints and printed some tracebacks):
> > debug: Failed to load library 'selinux' for feature 'selinux'
> > debug: Failed to load library 'ldap' for feature 'ldap'
> > debug: /File[/opt/cloudcrv/varpuppet/lib]: Autorequiring File[/opt/cloudcrv/varpuppet]
> > debug: /File[/opt/cloudcrv/confpuppet/puppet.conf]: Autorequiring File[/opt/cloudcrv/confpuppet]
> > debug: /File[/opt/cloudcrv/varpuppet/run/puppetmasterd.pid]: Autorequiring File[/opt/cloudcrv/varpuppet/run]
> > debug: /File[/opt/cloudcrv/varpuppet/ssl/certs/puppetsrv.pem]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl/certs]
> > debug: /File[/opt/cloudcrv/varpuppet/ssl/private]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl]
> > debug: /File[/opt/cloudcrv/varpuppet/rrd]: Autorequiring File[/opt/cloudcrv/varpuppet]
> > debug: /File[/opt/cloudcrv/varpuppet/bucket]: Autorequiring File[/opt/cloudcrv/varpuppet]
> > debug: /File[/opt/cloudcrv/varpuppet/log]: Autorequiring File[/opt/cloudcrv/varpuppet]
> > debug: /File[/opt/cloudcrv/varpuppet/facts]: Autorequiring File[/opt/cloudcrv/varpuppet]
> > debug: /File[/opt/cloudcrv/varpuppet/log/masterhttp.log]: Autorequiring File[/opt/cloudcrv/varpuppet/log]
> > debug: /File[/opt/cloudcrv/varpuppet/ssl]: Autorequiring File[/opt/cloudcrv/varpuppet]
> > debug: /File[/opt/cloudcrv/varpuppet/state]: Autorequiring File[/opt/cloudcrv/varpuppet]
> > debug: /File[/opt/cloudcrv/confpuppet/fileserver.conf]: Autorequiring File[/opt/cloudcrv/confpuppet]
> > debug: /File[/opt/cloudcrv/varpuppet/ssl/certificate_requests]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl]
> > debug: /File[/opt/cloudcrv/confpuppet/auth.conf]: Autorequiring File[/opt/cloudcrv/confpuppet]
> > debug: /File[/opt/cloudcrv/confpuppet/manifests]: Autorequiring File[/opt/cloudcrv/confpuppet]
> > debug: /File[/opt/cloudcrv/varpuppet/ssl/public_keys/puppetsrv.pem]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl/public_keys]
> > debug: /File[/opt/cloudcrv/varpuppet/yaml]: Autorequiring File[/opt/cloudcrv/varpuppet]
> > debug: /File[/opt/cloudcrv/varpuppet/reports]: Autorequiring File[/opt/cloudcrv/varpuppet]
> > debug: /File[/opt/cloudcrv/varpuppet/ssl/public_keys]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl]
> > debug: /File[/opt/cloudcrv/varpuppet/ssl/certs]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl]
> > debug: /File[/opt/cloudcrv/varpuppet/ssl/private_keys]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl]
> > debug: /File[/opt/cloudcrv/varpuppet/run]: Autorequiring File[/opt/cloudcrv/varpuppet]
> > debug: /File[/opt/cloudcrv/varpuppet/ssl/private_keys]: Changing mode
> > debug: /File[/opt/cloudcrv/varpuppet/ssl/private_keys]: 1 change(s)
> > debug: /File[/opt/cloudcrv/varpuppet/ssl/private_keys]/mode: mode changed '755' to '750'
> > debug: /File[/opt/cloudcrv/varpuppet/ssl/private]: Changing ensure
> > debug: /File[/opt/cloudcrv/varpuppet/ssl/private]: 1 change(s)
> > debug: /File[/opt/cloudcrv/varp
Re: [Puppet Users] learning, but puppet does not detect change
I think there is some confusion, where is the ntp manifest located? Is it in its own module or the site manifest directory. If it's the latter, then you need to import that manifest into the site manifest. If it's a module, then you still need to do the import for the module.

Try updating your site manifest with an import of ntp. So your site manifest should be

    import "nodes"
    import "ntp"

On Fri, Mar 4, 2011 at 2:19 PM, mark bradley wrote:
> Hi,
>
> My site.pp:
> [root@S manifests]# cat /etc/puppet/manifests/site.pp
> import "nodes.pp"
> [root@S manifests]#
>
> I copied ntp.pp into init.pp as you've suggested:
> [root@S manifests]# cp ntp.pp init.pp
> [root@S manifests]# diff ntp.pp init.pp
> [root@S manifests]#
>
> I started the server as follows:
>
> [root@S training]# puppet master --debug
>
> The results of running the command normally:
> [root@S ~]# puppet agent --test --server=S.domain.com
>
> info: Caching catalog for S.domain.com
> info: Applying configuration version '1299265059'
>
> notice: Finished catalog run in 0.07 seconds
> [root@S ~]#
> with the (master) output in the log file as:
> Mar 4 14:07:50 S puppet-master[5716]: Expiring the node cache of S.domain.com
> Mar 4 14:07:50 S puppet-master[5716]: Not using expired node for S.domain.com from cache; expired at Fri Mar 04 14:06:50 -0500 2011
> Mar 4 14:07:50 S puppet-master[5716]: Caching node for S.domain.com
> Mar 4 14:07:51 S puppet-master[5716]: Compiled catalog for S.domain.com in environment production in 0.24 seconds
> Mar 4 14:07:51 S puppet-agent[7169]: Caching catalog for S.domain.com
> Mar 4 14:07:51 S puppet-agent[7169]: Applying configuration version '1299265059'
> Mar 4 14:07:51 S puppet-agent[7169]: Finished catalog run in 0.07 seconds
>
> The output from your suggested command (with -d -v) provided as an
> attachment.
>
> root@S manifests]# puppet agent --test --server=S.domain.com -d -v >/tmp/bar.txt
> [root@S manifests]# wc -l /tmp/bar.txt
> 214 /tmp/bar.txt
> [root@S manifests]#
>
> Thanks very much for any help,
> Mark
>
> On Sat, Feb 26, 2011 at 10:15 PM, yzhk...@gmail.com wrote:
> > 1、site.pp: import "nodes.pp"
> > 2、ntp.pp should be $module_path/manifests/init.pp
> > 3、puppet agent --test --server=S -d -v
> >
> > Have a look at
> > http://projects.puppetlabs.com/projects/puppet/wiki/Puppet_Best_Practice
> >
> > On Sun, Feb 27, 2011 at 8:01 AM, mark bradley wrote:
> >>
> >> Hi,
> >>
> >> I've just installed Puppet on two CentOS 5.5 servers, "S" for "A". "A"
> >> does not have the ntp package installed nor of course ntp running.
> >>
> >> The Puppet server is started on "S" with the ntp class from this
> >> tutorial: http://bitfieldconsulting.com/puppet-tutorial (included
> >> below) however when I run the agent on "A" it don't produce a notice
> >> that a change needs to be applied:
> >>
> >> root@A ~]# puppet agent --test --server=S
> >> info: Caching catalog for A.domain.com
> >> info: Applying configuration version '1298756440'
> >> notice: Finished catalog run in 0.07 seconds
> >> [root@A ~]#
> >>
> >> Apparently it should not notifying me that ntp needs to be installed
> >> and started.
> >>
> >> ntp.pp on S:
> >> class ntp {
> >>    package { "ntp":
> >>       ensure => installed
> >>    }
> >>    service { "ntp":
> >>       ensure => running
> >>    }
> >> }
> >>
> >> nodes.pp on S:
> >> node A {
> >>    include ntp
> >> }
> >>
> >> Did I miss some crucial set in the installation or configuration? I
> >> know it's seeing the files since if I introduce syntax errors into
> >> them Puppet complains.
> >>
> >> Thanks for any help,
> >> Mark
Re: [Puppet Users] apache vhosts in puppet
looks like you're not including the apache class, which has the definition that puppet is complaining about.

On Wed, Mar 2, 2011 at 7:58 PM, Tim Dunphy wrote:
> hello puppet list!!
>
> I sincerely appreciate your help in the past and hope you don't mind
> me bouncing this scenario off of you. I am attempting to define apache
> vhosts with a puppet module but things are not going according to plan
> at the moment
>
> ## error
>
> [root@kromep1 ~]# puppetd --test
> info: Caching catalog for kromep1.example.net
> err: Could not run Puppet configuration client: Could not find dependent Service[httpd] for File[/etc/httpd/conf.d/web1.ops.example.com.conf] at /etc/puppet/modules/apache/manifests/virtual_host.pp:11
>
> ## /etc/puppet/modules/apache/init.pp
>
> class apache {
>
>    $packagelist = ["httpd","webalizer","mod_ssl"]
>
>    package { $packagelist:
>        ensure => "installed"
>    }
>
>    apache::apache_files {
>        "/etc/httpd/conf/httpd.conf":
>            source => "puppet:///apache/httpd.conf"
>    }
>
>    service { "httpd":
>        enable     => "true",
>        ensure     => "running",
>        hasrestart => "true",
>        hasstatus  => "true",
>        require    => Package["httpd"]
>    }
>
> }
>
> ## /etc/puppet/modules/apache/manifests/virtual_host.pp
>
> define apache::virtual_host($ip, $ensure = "enabled") {
>    $file = "/etc/httpd/conf.d/$name.conf"
>    $document_root = "/var/www/html/$name"
>
>    file { $file:
>        ensure => $ensure ? {
>            enabled  => present,
>            disabled => absent },
>        content => template("apache/virtual_host.erb"),
>        notify  => Service["httpd"]
>    }
>
>    file { $document_root:
>        ensure => $ensure ? {
>            enabled  => directory,
>            disabled => absent },
>        require => File["$file"]
>    }
> }
>
> # /etc/puppet/modules/apache/templates/virutal_host.erb
>
> DocumentRoot <%= document_root %>
> ServerName <%= name %>
>
> ## /etc/puppet/manifests/nodes.pp
>
> node 'mclient.example.net' inherits webserver {
> }
>
> node 'kromep1.example.net' inherits mailserver {
>    apache::virtual_host { "ext-kromep1.ops.example.com":
>        ip => "50.xx.xxx.255"
>    }
>    apache::virtual_host { "web1.ops.example.com":
>        ip => "50.xx.xxx.255"
>    }
> }
> node 'kromep2.example.net' inherits webserver {
>    apache::virtual_host { "web2.ops.example.com":
>        ip => "174.xx.xxx.60"
>    }
>
> }
> node 'kromedb1.example.net' inherits dbserver {
> }
>
> I would like to take this opportunity to thank you again. the puppet
> community has been amazing!! all help that has been rendered and any
> that may be is sincerely appreciated!
>
> tim
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
Re: [Puppet Users] problems creating a user
The virtual user is in a class, that class is included at the basenode. I did put a log message in there and on the master it is loading the class. From the master perspective it looks like everything is fine.

On Tue, Feb 1, 2011 at 1:50 PM, Nan Liu wrote:
> Really silly question here, is the virtual user in a class? In the
> basenode are you including the class that contains the virtual user?
> If the virtual user is in a class, can you put a notify resource in
> there to make sure the class is included as expected?
>
> HTH,
>
> Nan
>
> On Tue, Feb 1, 2011 at 10:39 AM, Matthew Black wrote:
>> I tried what you suggested and it seems to have made no difference, I
>> am still getting the same error.
>>
>> On Tue, Feb 1, 2011 at 1:30 PM, Jeff McCune wrote:
>>> On Tue, Feb 1, 2011 at 1:20 PM, Matthew Black wrote:
>>>> Inside my basenode definition, which is being inherited by another node
>>>> definition it is doing
>>>>
>>>> realize(User["admin"],Group["admin"])
>>>>
>>>> The strange thing is if remove the specified node definition and just
>>>> have the basenode it works correctly.
>>>
>>> This may be a bug then.
>>>
>>> In general, I prefer User <| title == admin |> over
>>> realize(User["admin"]), so you may want to try that.
>>>
>>> I'd also try using two realize calls with only one resource per call
>>> and trying an array:
>>>
>>> realize([ User["admin"], Group["admin"] ])
>>>
>>> Hope this helps,
>>> --
>>> Jeff McCune
>>> http://www.puppetlabs.com/
Re: [Puppet Users] problems creating a user
I tried what you suggested and it seems to have made no difference, I am still getting the same error.

On Tue, Feb 1, 2011 at 1:30 PM, Jeff McCune wrote:
> On Tue, Feb 1, 2011 at 1:20 PM, Matthew Black wrote:
>> Inside my basenode definition, which is being inherited by another node
>> definition it is doing
>>
>> realize(User["admin"],Group["admin"])
>>
>> The strange thing is if remove the specified node definition and just
>> have the basenode it works correctly.
>
> This may be a bug then.
>
> In general, I prefer User <| title == admin |> over
> realize(User["admin"]), so you may want to try that.
>
> I'd also try using two realize calls with only one resource per call
> and trying an array:
>
> realize([ User["admin"], Group["admin"] ])
>
> Hope this helps,
> --
> Jeff McCune
> http://www.puppetlabs.com/
Re: [Puppet Users] problems creating a user
Inside my basenode definition, which is being inherited by another node definition it is doing

    realize(User["admin"],Group["admin"])

The strange thing is if remove the specified node definition and just have the basenode it works correctly.

On Tue, Feb 1, 2011 at 12:59 PM, Jeff McCune wrote:
> How are you realizing the user?
>
> --
> Jeff McCune - (+1-503-208-4484)
>
> On Feb 1, 2011, at 12:54 PM, Matt wrote:
>
>> I have this problem where I'm trying to create a user and the error
>> message I am getting is:
>>
>> err: Could not run Puppet configuration client: Could not find user
>> admin
>>
>> Here is what I have in the manifest and I am realizing the user at the
>> basenode level and all my nodes inherit the basenode.
>>
>> @user { "admin":
>>     ensure     => present,
>>     uid        => 1100,
>>     gid        => 1100,
>>     comment    => "Admin User",
>>     shell      => "/bin/bash",
>>     managehome => "true",
>> }
>> @group { "admin":
>>     ensure => present,
>>     gid    => 1100
>> }
Re: [Puppet Users] Propagating local config changes from a client to the puppetmaster
The issue becomes that while it would offer you a time saver in the short term, it would give you headaches later with security and as you try to expand out your puppet infrastructure, which you will have to do once you reach at the very least 50 hosts.

The best solution that I could offer is you would want to publish files to a source control repository and basically have the puppetmaster populate the working copy from the copy in source control. This offers a bit of control when you try to only push out production changes to production systems, and also ensure that if you have multiple puppet masters that they will have the correct file.

On Tue, Nov 30, 2010 at 7:58 AM, gdb wrote:
> Hi,
>
> I'm using puppet with a centralized puppetmaster pushing config to
> many client nodes. Most of the configuration files that puppet
> manages are static and served via the puppet fileserver (running on
> the puppetmaster). I often find myself making changes to a node's
> config file, testing those changes, and then manually adding those
> changes to the corresponding file on the puppetmaster. Is there any
> way for me to cut out this last step? That is, does puppet have any
> support for propagating config changes from a client node back to the
> puppetmaster? In the case of static files, it seems that puppet has
> enough information to determine which client config files should be
> pushed back to the puppetmaster, so this seems at least theoretically
> possible.
>
> Thanks,
>
> Greg
RE: [Puppet Users] Process to upgrade from 0.24.8 to 2.6.x ?
There was a big change from 0.25 to 2.6 and I believe you need to upgrade both client and server from what I remember. The best way to do is get a remote execution daemon like func and you could issue a command to all servers like "yum upgrade puppet".

-----Original Message-----
From: puppet-users@googlegroups.com [mailto:puppet-us...@googlegroups.com] On Behalf Of Matt Wallace
Sent: Wednesday, November 10, 2010 11:56 AM
To: puppet-users@googlegroups.com
Subject: Re: [Puppet Users] Process to upgrade from 0.24.8 to 2.6.x ?

On Wednesday 10 Nov 2010 10:30:02 nemo wrote:
> Hello,
>
> I'm really kind of newbie in the Puppet's world but this tool is quite
> impressive. So I wish to thank the authors first and all people
> participating to this amazing project.
>
> Now get straight to business :) I'm responsible of a platform
> containing almost 100 servers all managed by Puppet in version 0.24.8
> (clients and server). I know this is an outdated version and I'm in
> the process of upgrading to the latest version.
>
> Hence what should be the best approach to upgrade ? For information,
> servers run centos 5.5 64bit

If you've got Epel installed, pull puppet from there instead of rpmforge - it's 0.25.$something and we're running it without issue here.

The only caveat as far as I am aware is to upgrade the server first, then the clients, but I'm sure I'll be corrected on that if I'm wrong! :)

We're not looking to upgrade to 0.26 any time soon because we don't need any of the fancy features (yet!).

Cheers,

M.
RE: [Puppet Users] use current array element when declaring multiple resources using an array
What you are looking for is a loop which does not exist in puppet, except for templates. I've never tried it but I've speculated it could be possible to create a manifest template and then use puppet to generate that manifest file in a similar fashion you are looking to do.

-----Original Message-----
From: puppet-users@googlegroups.com [mailto:puppet-us...@googlegroups.com] On Behalf Of luke.bigum
Sent: Wednesday, November 10, 2010 10:19 AM
To: Puppet Users
Subject: [Puppet Users] use current array element when declaring multiple resources using an array

Hi list,

When declaring multiple resources at once with an array like this:

    file { [ "foo", "bar" ]: ... }

Is there a way to access the current array element so as to pass this value as a parameter? So the "foo" resource has a parameter value "foo" and "bar" with a parameter value "bar"?

This is a broken example showing that Puppet looks to be evaluating "owner => $array1" in its entirety (and perhaps only taking the first element for a File resource?):

    $array1 = [ "/tmp/one", "/tmp/two", "/tmp/three" ]
    file { $array1:
        ensure => present,
        owner  => $array1,
    }

    err: /Stage[main]/Test/File[/tmp/three]: Could not evaluate: Could not find user /tmp/one
    err: /Stage[main]/Test/File[/tmp/two]: Could not evaluate: Could not find user /tmp/one
    err: /Stage[main]/Test/File[/tmp/one]: Could not evaluate: Could not find user /tmp/one

What I want to see is:

    err: /Stage[main]/Test/File[/tmp/three]: Could not evaluate: Could not find user /tmp/three
    err: /Stage[main]/Test/File[/tmp/two]: Could not evaluate: Could not find user /tmp/two
    err: /Stage[main]/Test/File[/tmp/one]: Could not evaluate: Could not find user /tmp/one

Is there an equivalent of Perl's $_ variable? Perhaps with some inline_template Ruby magic? This would make some config I'm trying to write a great deal more concise.
RE: [Puppet Users] Re: multiple package installation at same location
An alternative is to have puppet push out the contents of the RPM instead of trying to install from RPM. The problem with RPM is it's not designed to have two different packages owning the same files, but there are ways around it. You would need to install the RPM via the RPM command with --force to make RPM ignore the conflict.

-----Original Message-----
From: puppet-users@googlegroups.com [mailto:puppet-us...@googlegroups.com] On Behalf Of Bakul
Sent: Tuesday, November 09, 2010 11:14 AM
To: Puppet Users
Subject: [Puppet Users] Re: multiple package installation at same location

I know that would be better option but it's not possible to do it at this point (due to some non-technical issue). Is there anyway this can be handled in puppet.

Thanks.

On Nov 5, 8:26 am, jcbollinger wrote:
> On Nov 4, 3:28 pm, Bakul wrote:
> > I'm trying to install 2 packages where 2nd packages replaces certain
> > files from first packages.
> >
> > package { "jboss":
> >     provider => yum,
> >     ensure   => latest
> > }
> >
> > package { "jboss-fix":
> >     provider => yum,
> >     ensure   => latest
> > }
> >
> > This seems to error out with message like "file ... from install of
> > jboss-fix conflicts with file from package jboss"
> >
> > On command line I can use "sudo yum -y install jboss jboss-fix" and it
> > works (or use rpm with "replacefiles" option for second rpm).
>
> You should be able to configure yum to always act as if the -y switch
> had been passed. See the "assumeyes" parameter.
>
> However, packages replacing others' files is a bad idea. That's why
> by default it requires confirmation or special options. I urge you to
> consider instead building packages that do not require such
> treatment. If you download the jboss source RPM, you should be able
> to quickly build an alternative jboss rpm that incorporates your
> changes. (Perhaps you would call *that* "jboss-fix".) You can make
> such an alternative package satisfy other packages' dependencies on
> jboss by appropriate use of the "Provides:" header.
>
> Regards,
>
> John
[Puppet Users] file_exists function
I am still new to the ruby language and I figured I'd share my file_exists function to see if it is the correct approach and to offer it out there for people who may have the same issue.

We build our vhosts based off a template and have come across the need to add in items for specific customers in their vhost. The problem is if you file() and the file does not exist puppet throws an error and does not continue to run that manifest. The solution was to add in a file_exists function to allow us to bypass that issue.

    require 'puppet'

    module Puppet::Parser::Functions
      # Returns 1 if the path in args[0] exists on the puppet master, 0 otherwise.
      newfunction(:file_exists, :type => :rvalue) do |args|
        # File.exist? replaces the deprecated File.exists? (removed in Ruby 3.2)
        if File.exist?(args[0])
          return 1
        else
          return 0
        end
      end
    end

    define customer::vhost($env, $url = "", $aliases = "") {
        # Only read the per-customer snippet when it is present on the master
        if file_exists("customers/$name/$env/web/httpd.conf") == 1 {
            $extra = file("customers/$name/$env/web/httpd.conf")
        }
        file { "$name.conf":
            path    => "/etc/httpd/conf.d/$name.conf",
            owner   => root,
            group   => root,
            mode    => 644,
            require => Package["httpd"],
            content => template("customers/cust-vhost.erb"),
        }
    }
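The check-then-read pattern from the post above, done as a single step and confined to a base directory, since the path is assembled from $name and $env. This is an added example in plain Ruby, not the poster's code and not a Puppet API; optional_snippet, UnsafePathError and the directory layout are assumptions, and the sample tree is constructed.

```ruby
require 'fileutils'
require 'pathname'
require 'tmpdir'

class UnsafePathError < StandardError; end

# One path component: letters, digits, '.', '_' and '-', not starting with '.'.
# This rejects "", "..", anything containing "/" and NUL bytes.
SAFE_COMPONENT = /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/

# Hypothetical helper (not part of Puppet): return the contents of an optional
# file below base_dir, or "" when it is absent. Reading and the "does it exist"
# decision happen together, so a file that disappears in between is not an error.
def optional_snippet(base_dir, *components)
  components.each do |c|
    unless c.is_a?(String) && c.match?(SAFE_COMPONENT)
      raise UnsafePathError, "bad path component: #{c.inspect}"
    end
  end

  base = Pathname.new(base_dir).realpath
  begin
    # realpath resolves symlinks and raises ENOENT when the file is missing.
    resolved = base.join(*components).realpath
    # A symlink inside the tree can still point elsewhere: test the resolved path.
    unless resolved.to_s.start_with?(base.to_s + File::SEPARATOR)
      raise UnsafePathError, "#{components.join('/')} resolves outside #{base}"
    end
    resolved.file? ? resolved.read : ''
  rescue Errno::ENOENT, Errno::ENOTDIR
    ''
  end
end

# Runs the helper against a constructed tree: one real snippet, one missing
# customer, one traversal attempt and one symlink that leaves the tree.
def demo
  Dir.mktmpdir do |root|
    base = File.join(root, 'customers')
    web  = File.join(base, 'acme', 'prod', 'web')
    FileUtils.mkdir_p(web)
    File.write(File.join(web, 'httpd.conf'), "RewriteEngine On\n")
    File.write(File.join(root, 'secret.txt'), "outside the tree\n")
    File.symlink(File.join(root, 'secret.txt'), File.join(web, 'link.conf'))

    attempt = lambda do |*parts|
      begin
        optional_snippet(base, *parts)
        :allowed
      rescue UnsafePathError
        :rejected
      end
    end

    {
      present:   optional_snippet(base, 'acme', 'prod', 'web', 'httpd.conf'),
      missing:   optional_snippet(base, 'other', 'prod', 'web', 'httpd.conf'),
      traversal: attempt.call('..', 'secret.txt'),
      slash:     attempt.call('acme/prod', 'web', 'httpd.conf'),
      symlink:   attempt.call('acme', 'prod', 'web', 'link.conf')
    }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```
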