[Puppet Users] Re: fixtures from Puppetfile in puppetlabs_spec_helper

[Nan Liu]

On Thursday, May 12, 2016 at 4:39:36 AM UTC-7, Rudy Gevaert wrote:
>
> Does anyone know a way to integrate rspec-puppet and more 
> specific puppetlabs_spec_helper to get its fixtures from a Puppetfile?
>
> It's a PITA to each time update the fixtures file if you update your 
> Puppetfile in your control repo. (Our context is that roles and profiles 
> are located in our puppet control repo and we want to check against the 
> versions of the modules defined in the Puppetfile)
>
> By default we don't run deploy modules with r10k on our local machine.
>

You can do it the other way around, because .fixtures.yml is yaml and 
Puppetfile is ruby. This basically loads .fixtures.yml and converts it to a 
working Puppetfile:

https://gist.github.com/nanliu/2bae638725308cf50d26

HTH,

Nan 

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/c79899e7-c40e-42a9-a0fb-e7d0c858bc81%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: Problem with order and ensure_resource.

[Nan Liu]

On Monday, March 30, 2015 at 6:14:36 AM UTC-7, jcbollinger wrote:
>
>
>
> On Saturday, March 28, 2015 at 9:37:35 AM UTC-5, Nan Liu wrote:
>>
>> On Friday, March 27, 2015 at 5:49:54 PM UTC-7, Shawn Sterling wrote:
>>
>  
>>
>> I will avoid any module that uses ensure_resources from this point on.
>>>
>>
>> Isn't that rather drastic, considering it's an issue with one module, and 
>> a problem with class containment implementation of that module?
>>
>
>
> It's only drastic if fixing third-party modules so that they don't use 
> ensure_resources() any more is a viable alternative for you.  The 
> ensure_resources() function simply does not reasonably serve the module 
> compatibility goals that are its *raison d'**être*.  An ordinary resource 
> declaration is better for that purpose, notwithstanding the fact that it 
> may conflict with another declaration.  Furthermore, use of 
> ensure_resources() creates a thorny resource containment problem, whether 
> that's what's actually in play in Shawn's case or not.
>

ensure_packages/resources is not the source resource containment problem, 
it's due to how that particular modules init.pp is structured and written. 
There are reasons to use/not use this function, but that is not one of it's 
problems.

Thanks,

Nan


-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/771e314e-d5c2-4415-8193-9dbbebe1ae7d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: Problem with order and ensure_resource.

[Nan Liu]

On Friday, March 27, 2015 at 5:49:54 PM UTC-7, Shawn Sterling wrote:
>
>
>
> On Friday, March 27, 2015 at 6:45:05 AM UTC-7, jcbollinger wrote:
>>
>> ensure_resource() is not a resource declaration; it is a function call 
>> that under some circumstances causes a resource to be declared.  It does 
>> not return a value, and therefore cannot be valid operand for the chain 
>> operators.
>>
>
> Okay, makes sense. 
>  
>
>> Those are all perfectly reasonable approaches.  If they don't work then 
>> I'm inclined to conclude that class 'redis' does not properly contain the 
>> resources it declares.  This may be a result of declaring them via 
>> ensure_resource() 
>> -- especially if the affected resources are first declarded elsewhere -- 
>> or it may be a classic case of failing to contain other classes.
>>
>
> Glad I'm not loosing my mind. :)
>

Arioch's puppet-redis needs an anchor resource to wrap the classes declared 
in the init.pp. You can establish a relationship if you specify an existing 
class with resources (rather the the redis class which only contain 
classes):

repo::epel::add { $epel_packages:
  before => Class['::redis::preinstall'],
}

You could tell me to not use ensure_resources, but I'm not. I'm using 
>>> someone else's module and trying to enforce order at the profile level.
>>>
>>
>> And I *do* tell you not to use ensure_resources(), whether in your own 
>> code or indirectly via someone else's modules.  The only way 
>> ensure_resources() works correctly and reliably is if every resource it 
>> governs is declared *only* via one or more ensure_resources() calls, 
>> with the same parameters and relevant in-scope resource defaults at the 
>> site of every such call.  Even then, "correctly" does not extend to 
>> containment, and cannot do so without creating a grave risk of dependency 
>> cycles.  The ensure_resources() function is not a correct -- nor even a 
>> reasonable -- solution to *any* problem.  That a third party module uses 
>> it is enough reason for me to avoid that module.
>>
>
> I will avoid any module that uses ensure_resources from this point on.
>

Isn't that rather drastic, considering it's an issue with one module, and a 
problem with class containment implementation of that module?

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/9d42c317-4025-45f4-a08a-6c74f6aea667%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] user ensure absent :No command localdelete defined for provider

[Nan Liu]

On Mon, Nov 3, 2014 at 3:16 AM, Andreas Dvorak 
wrote:
>
> I have a modul accounts to create user. That is working fine. Today I
> would like to remove a user but it does not work.
> Unfortunately I don't understand the error. Can you please have a look?
>
> Error: No command localdelete defined for provider
> Error:
> /Stage[main]/Accounts/Accounts::Virtual[testuser]/User[testuser]/ensure:
> change from present to absent failed: No command localdelete defined for
> provider
>

Sounds like a bug resolved by PUP-1510.
https://github.com/puppetlabs/puppet/pull/2300

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqCXkeX_mbaNctU9PaGyKgsLe%2B1BTXvBD8gzkKkijwVmFQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] vmware-vcsa module !!!

[Nan Liu]

On Wed, Oct 8, 2014 at 1:49 AM, Rakesh Kathpal  wrote:

> I have a esx host installed and a standalone centos server.
>
> what I am trying to do is via foreman
>
> - Setting up the module for centos server
> - So that it can install vcsa on my esx server.
>
> I end up getting error as
>
> Info: Applying configuration version '1412754558'
> Debug: PuppetX::Puppetlabs::Transport::Ssh initializing connection to:
> 192.168.1.26
> Debug: Executing on 192.168.1.26:
> vpxd_servicecfg eula read
> Debug: Execution result:
> sh: vpxd_servicecfg: not found
>
> Error: /Stage[main]/Vcsas/Vcsa[demo]/Vcsa_eula[demo]: Could not evaluate:
> odd number of arguments for Hash
> /var/lib/puppet/lib/puppet/provider/vcsa_eula/default.rb:15:in `[]'
> /var/lib/puppet/lib/puppet/provider/vcsa_eula/default.rb:15:in `exists?'
> /usr/lib/ruby/vendor_ruby/puppet/property/ensure.rb:81:in `retrieve'
>
>
> Please node this is a vanilla esx server, do I need to do anything else
> before applying the module..
>

The module is intended to run against a vcenter server appliance (5.0-5.5
versions), not an ESX server. You will need to use ovftool or other means
to import the appliance first. vpxd_servicecfg is a command that should be
available on the vcenter appliance. There's also an outstanding issue with
5.5 related to a sshd setting, there's more info here:
https://github.com/vmware/vmware-vcsa/issues/19

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqDpgMBpGO3dn2Vg8ER%2B_rfPu6ZiFLwa2J3ZnuO60XxvjA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Re: Custom Providers and Third Party Gems

[Nan Liu]

On Fri, Oct 3, 2014 at 7:23 AM, jcbollinger 
wrote:

>
>
> On Thursday, October 2, 2014 12:54:06 PM UTC-5, Chris Pitman wrote:
>>
>> Hey everyone,
>>
>> I'm hoping someone can enlighten me here: Why is it so hard/complicated
>> to use third party gems when developing a custom provider? It seems to me
>> that pulling in gems should be priority #1, since it allows providers to
>> leverage a lot of development already done in the ruby community.
>>
>
>
> I cannot speak to the Puppet implementation issues involved here, but
> speaking from under my sysadmin hat, I will say that relying on any gems is
> the *last* thing I want any module I use to do.  My systems already have
> package management under control, thank you, and I do not want gems to
> complicate that.  I'll grant an exception to gems encapsulated in and
> managed via native packages, but what's the point of that, really?
>

Puppet modules like f5, vcenter (the list goes on), need additional
libraries like savon, nokogiri, rbvmomi, etc. You might not use those
modules, but for me it's helpful if module installation/puppet agent run
can bring in these dependencies when appropriate. As much as I like
packages, gems are really a practical way to provide these dependencies for
the multitude of use case from bundler, system ruby, puppet enterprise
ruby, and even Windows (yes I know). In lots of cases a native package is
desirable, and I've seen the horrors of trying to build a gem, but the
ecosystem is simply too complicated to dismiss gems and mandate native
packages as the one true solution.

However, right now it is complicated:
>>
>> 1. I have to get my users downstream to install gem dependencies before
>> using any resources related to the provider. There is no way for me to
>> annotate the module itself for these dependencies, and no support for
>> automatically pulling them down.
>>
>>
>
> If a certain module depended on gems, and if, despite my better judgement,
> I wanted to use it anyway, then the *next* last thing I would want it to
> do is automatically install gems on my master as part of its own
> installation.
>

I don't think the tool should make assumptions and automatically install
gems dependencies, but it should be an option. At least something like
'puppet module list_gem_dep' would be nice to have.


> 2. "Features" offer very limited capability (as far as I understand), and
>> are poorly documented. The only documentation is on how to link providers
>> and types using features, not on how to require ruby libraries. There is no
>> way for anything other than a type to specify requiring a feature. For
>> example, what if a provider requires a gem?
>>
>> 3. "Features" only protect part of the lifecycle. Even without a feature
>> present, puppet still attempts to resolve auto-require relationships. This
>> makes sense based on how things work, but what am I supposed to do if I
>> need a third party gem there?
>>
>>
>
> I agree that the Features feature is not suitable for your purpose.
> Features are not designed or intended for what you want to do.
>
>
>
>> 4. Some gem dependencies need to be present on both the puppet master (in
>> the master's environment) and on the node. There is no way for me to
>> transparently take care of this for users.
>>
>
>
> You can address the node installation issue via your module
> implementation.  Yes, that makes the module more complicated.
>
>
>
>>
>> So, am I just missing something? Is there some secret hook in the puppet
>> source that makes dealing with gems better? Should I just start
>> distributing this provider as a package, and ignore "puppet module", r10k,
>> etc? Or are there any changes coming down the pipeline that will make this
>> work better?
>>
>>
>
> I'm sure I'm in the minority, but I would indeed prefer to receive your
> module on my master via a native package (i.e. an RPM).
>
> Supposing that it were instead delivered via the module tool, I agree that
> it would be very good if the module metadata could document dependencies on
> external software such as gems and native applications, and it would be
> outstanding if the module tool could check those dependencies and maybe
> even *offer* to install any missing ones.
>

Absolutely, you can repackage modules as packages for distribution on your
platform. But it's not practical to ask module authors to package modules
and it's gem dependencies for distribution for every platform (maybe an
opportunity to have a toolchain around it). For your stated use case, you
aren't a consumer of 'puppet module install' or r10k.

Respectfully,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqAFt_9bAixAjKA2D-C%3Dg7_%2Ba00FQagJ9KvrdBB08SRRWQ%40mail.gmail.com.
For more o

Re: [Puppet Users] Custom Providers and Third Party Gems

[Nan Liu]

Maybe post to puppet-dev to get the developer's feedback?

On Thu, Oct 2, 2014 at 10:54 AM, Chris Pitman  wrote:

> Hey everyone,
>
> I'm hoping someone can enlighten me here: Why is it so hard/complicated to
> use third party gems when developing a custom provider? It seems to me that
> pulling in gems should be priority #1, since it allows providers to
> leverage a lot of development already done in the ruby community.
>
> However, right now it is complicated:
>
> 1. I have to get my users downstream to install gem dependencies before
> using any resources related to the provider. There is no way for me to
> annotate the module itself for these dependencies, and no support for
> automatically pulling them down.
>

You can install gem dependency on the client as part of the puppet run.
This was added around 2.7: http://projects.puppetlabs.com/issues/14822

But there are some issues that require clearing the ruby gem path cache:
https://tickets.puppetlabs.com/browse/PUP-1879

I don't always have the latest puppet version, so this was a work around
(as always should be accompanied with horrible disclaimer):

# Try one last time since PUP-1879 isn't always available:
unless defined? ::Faraday
  Gem.clear_paths unless defined? ::Bundler
  require 'faraday_middleware'
end
@connection = ::Faraday.new(url)

I was hoping in the type to autorequire class where the packages were
installed, but was only able to get normal resources to work:

autorequire(:package) do
  'faraday_middleware'
end

2. "Features" offer very limited capability (as far as I understand), and
> are poorly documented. The only documentation is on how to link providers
> and types using features, not on how to require ruby libraries. There is no
> way for anything other than a type to specify requiring a feature. For
> example, what if a provider requires a gem?
>

The method missing code for Puppet.features.? is not just for
checking gem availability, it also attempts to load the gem:

require 'some_feature' if Puppet.features.some_feature?

PUP-3032 adds a new setting. For the agent it should be
always_cache_features=false, and =true for performance reasons on the
server: https://tickets.puppetlabs.com/browse/PUP-3032.

3. "Features" only protect part of the lifecycle. Even without a feature
> present, puppet still attempts to resolve auto-require relationships. This
> makes sense based on how things work, but what am I supposed to do if I
> need a third party gem there?
>
> 4. Some gem dependencies need to be present on both the puppet master (in
> the master's environment) and on the node. There is no way for me to
> transparently take care of this for users.
>

Yeah, this one is annoying, and the best solution I can come up with at the
moment is a master manifest, or a master gemfile in the site module. Also
there's no way to have multiple gem versions on the master. The new
puppet-server project is suppose to offer more isolation, but I'm not
exactly sure how it will be able to do this.

So, am I just missing something? Is there some secret hook in the puppet
> source that makes dealing with gems better? Should I just start
> distributing this provider as a package, and ignore "puppet module", r10k,
> etc? Or are there any changes coming down the pipeline that will make this
> work better?
>

Yes, I agree we should have better tools, puppet module and r10k seems like
good candidates. We need to agree how to specify master specific gems in
the module metadata, and hopefully not something that reinvents the wheel.

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqAr-pOnfdvykGKqY%2B%3DLhFJUf6_25E6BJodJuBM9zpYdbw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Exit Puppet when a custom Hiera backend is not found

[Nan Liu]

On Wed, Oct 1, 2014 at 5:42 AM, Vaidik Kapoor 
wrote:

> Hi Guys,
>
> I am using masterless Puppet. And My situation is that I am using a custom
> Hiera backend called hiera-regex. The process of using it is that you
> have to have hiera-regex installed on your target machine.
>
> If sometime for some reason, hiera-regex is not installed, hiera still
> looks up for the key in hierarchy and starts using that key which it was
> not suppose to use in the presence of hiera-regex. Ideally, I would want
> Puppet to exit when it does not find hiera-regex backend installed. But
> as of now, Puppet only prints a notice() which can be easily missed and can
> leave your node in an unwanted state.
>
> Is it possible to somehow configure Puppet/hiera for masterless setup to
> not continue at all if hiera is configured to use a custom backend and that
> backend is not installed?
>
> Here is my hiera.yaml file:
>
> ---
> :backends:
> - regex  # this is the custom backend (hiera-regex)
> - yaml
>
> :regex:
> :datadir: /etc/puppet/hiera
>
> :yaml:
> :datadir: /etc/puppet/hiera
>
> :hierarchy:
> - "%{fqdn}"
> - base
>
>
> Expecting some help on this. I have posted the same question on
> stackoverflow as well:
> http://stackoverflow.com/questions/26133604/exit-puppet-when-hiera-backend-is-not-found
>

Perform a data lookup for a non relevant key that only exists in the
hiera-regex backend or fail the catalog.

if !hiera('hiera::regex') { fail('hiera-regex backend does not appear to be
loaded') }

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqCf%2BnF9wFp-5Q4rWMZ%2B5wHNjxeLbdpxr_G%2BMRTkUMTM8A%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] class/subclass relationship ordering and containment

[Nan Liu]

TLDR summary:

1. include/require class does not provide containment.
2. anchor is just a empty resource for containment.
3. contain class provides containment without the need for anchor
4. contain may cause unnecessary relationship, so use it only when
appropriate
5. The original purpose for inherits, resource parameter override, is
rarely used. These days it's mostly a hack to have module data. classes
inherit params class which only contain puppet variables and no resources.
(I won't get into this and only focus on the previous points)

On Fri, Sep 19, 2014 at 4:01 PM, Mike Reed  wrote:

> Hello all,
>
> I have a question about class and subclass relationships and what is/isn't
> the ideal way to go about such a thing.  Please bear with me  as I'm still
> refining my understanding of containment. Let's say I have a puppet module
> which manages the install of puppet and has the following pieces (currently
> using puppet v.3.4.3):
>
> *init.pp*
> class puppet {
>   # evaluate supporting classes
>   include puppet::params
>   include puppet::config
>   include puppet::service
>
>   anchor { 'puppet::begin' : } ->
>   class { '::puppet::params' : } ->
>   class { '::puppet::config' : } ~>
>   class { '::puppet::service' : } ->
>   anchor { 'puppet::end' : }
> }
>
> *params.pp*
> class puppet::params {
> # puppet general params
>   $puppet_path= '/etc/puppet'
>   $puppet_config_template = 'puppet/puppet.conf.erb'
>   $puppet_package = 'puppet'
>   $puppet_common_package  = 'puppet-common'
>   $puppet_service_ensure  = 'running'
>   $puppet_service_enable  = true
>   $puppet_prod_version= '3.6.2-1puppetlabs1'
>   $puppet_dev_version = '3.6.2-1puppetlabs1'
>   validate_string($puppet_path)
>   validate_string($puppet_config_template)
>   validate_string($puppet_package)
>   validate_string($puppet_common_package)
>   validate_string($puppet_service_ensure)
>   validate_bool($puppet_service_enable)
>   validate_string($puppet_prod_version)
>   validate_string($puppet_dev_version)
>

validate don't serve any purpose here, since you setting these values to a
specific value.


> }
>
> *config.pp*
> class puppet::config (
>
>   $puppet_config_path = $::puppet::params::puppet_config_path,
>   $puppet_config_template = $::puppet::params::puppet_config_template,
>   $puppet_service = $::puppet::params::puppet_service,
>
> ) inherits puppet::params {
>
>   file { 'puppet.conf' :
> ensure  => present,
> path=> "${puppet_config_path}/",
> content => template("${puppet_config_template}"),
> notify  => Service["${puppet_service}"],
>   }
> }
>
> *service.pp*
> class puppet::service (
>
>   $puppet_package = $::puppet::params::puppet_package,
> ***truncated variables for sake of a long post***
>
> ) inherits puppet::config {
>
>   package { "${puppet_package}":
> ensure  => "${puppet_prod_version}",
>   }
>
>   package { "${puppet_common_package}":
> ensure  => "${puppet_prod_version}",
>   }
>
>   service { "${puppet_service}":
> ensure => "${puppet_service_ensure}",
> name   => "${puppet_service}",
> enable => "${puppet_service_enable}",
> hasrestart => true,
> hasstatus  => true,
> subscribe  => Package["${puppet_config_template}"],
>   }
> }
>
> Based on the above, I've left a few things which I feel don't belong but
> for the sake of my questions, they're included.
>
> Per the above init.pp, I've added an anchor to force ordering.  My
> understanding is that this has nothing to do with application-order and
> more to do with parse-order.  With that said, I have a few questions:
>

The anchor is not parse-order, it to server as a ghost containment resource
for the class. The syntax short hand is what confusing. You can totally
rewrite as following:

  class { '::puppet::params' : require => Anchor['puppet::begin']}
  class { '::puppet::config' : } ~>
  class { '::puppet::service' : before => Anchor['puppet::end']}
  anchor { ['puppet::begin', 'puppet::end']: }


> 1.  By adding the 'include' in init.pp, my understanding is that simply
> says to 'evaluate' the subclasses but does not indicate an order to which
> subclasses are to be applied.  Is that correct?
>

Mostly.


> 2.  I think the 'inherits' function is depreciated but should each
> instance be replaced with a 'contain' (based on the order I want)
> throughout my subclass manifests?  My understanding is that I should never
> 'contain' more than one subclass within the same module as puppet will be
> confused on ordering.
>

The inherits params class data pattern can't be replaced by contain.
contain is a new function that is used to eliminate the need for anchor.

3.  I rather like the idea of the anchor in the init.pp because I only have
> one place to go to, in order to see the relationship of the subclasses.
> With the introduction of the 'contain' feature, I feel like the anchor is
> no longer needed; however, is there a preferred way of ordering

Re: [Puppet Users] Example of how to use require with hiera?

[Nan Liu]

On Thu, Sep 18, 2014 at 6:19 PM, Daniel Johnson  wrote:

> Things like
>
> require: File['somefile']
>
> or
>
> require:
>   File: somefile
>
> both crash, and burn.
>
> Not having a require also causes failure as it tries to do things it
> can't without the prerequisite.
>
> After hours of searching I couldn't find any examples to work from.


If you are building a resource hash for create_resources, it's just quoted
string:

---
notify:
  example1:
message: "first"
  example2:
message: "second"
require: "Notify[example1]"

create_resources(notify, hiera('notify'))

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqA5jNoPgy62tA33675Z1xJ_LV7K7gzjfLMgA1nvPrWZuw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] List of properties in provider

[Nan Liu]

On Wed, Sep 17, 2014 at 6:26 AM, Frederik Wagner  wrote:

> Hi everyone,
>
> currently I'm writing a custom provider to configure mailing lists.
>
> In the provider I'm writing I need to access the list of all
> properties (set or unset) defined in the type via 'newproperty'. I'm
> wondering if there's a way to do that. It feels strange if there
> wouldn't.
>
> What I need to do:
> Since upon initial creation of a mailing list not all properties can
> be set, I need to put all defined properties into the @property_hash
> to have them finally set by the flush method. Therefore I need code
> like:
>
> def exists?
>   ... create mailing list...
>
>   all_properties_from_type.each { |prop|
> @property_hash[prop] = @resource[prop] unless @resource[prop].nil?
>   }
> end
>
> Thanks for any help.
>
> Bye
>

I don't know what your type is called (replace mailing_list with your type
name):

Puppet::Type.type(:mailing_list).properties.each { ... }

FYI, puppet-dev is probably the better mailing list for these questions
since the puppet core dev monitor that and would know if the internal API
have been updated recently.

Thanks,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqA6SK1eyYCpRByzcuOEFeEWHxtDC2_QHbjG_mYHphkaVw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Reloading missing gems in a custom provider during the run

[Nan Liu]

On Wed, Sep 17, 2014 at 6:48 AM, Karolis Pabijanskas <
k.pabijans...@gmail.com> wrote:
>
> I have a custom type and provider that are depending on a rest-client gem.
>
> After the pluginsync, when providers get loaded, I do this to avoid it
> failing:
>
>  30 begin
>  31   require 'rest-client'
>  32 rescue LoadError => e
>  33   Puppet.info "You need the `rest-client` gem for this to work."
>  34 end
>
>
> The rest-client is not present before the run, thus I get an Info message:
> "Info: You need the `rest-client` gem for this to work."
>
> The rest-client gem is then installed before the code that uses this type
> is run, but the actual provider still thinks the rest-client is not present
> (as it was loaded without it), thus it fails to run.
>
> Is there any way to force puppet to reload the provider before the
> associated custom type is run, or anything else I can do?
>

In older versions of puppet use puppet feature to determine availability. I
think the cutover is somewhere in 3.x where you only need to require the
gem. Assuming require 'rest-client' is specified in the provider, two
possibility:

1. resource order. this can be fixed via autorequire in the custom type to
require either the class where rest-client gem is specified or the package
rest-client.
2. the rest-client gem is not installed in puppet's ruby library path. For
example puppet enterprise should be installed via /opt/puppet/bin/gem, and
on versions of Ubuntu/Debian you may have multiple versions of Ruby (puppet
might be installed for Ruby 1.8 while the default gem path is for Ruby 1.9).

Thanks,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqAWoHqgQavKjNJKuasYOPxMbB_OHEVjisaaFinq7DEBVg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Permission Denied with concatfragments.sh

[Nan Liu]

On Thu, Sep 11, 2014 at 5:46 AM, Matthew Hyclak  wrote:

> I'm facing a very strange problem and I'm honestly not sure where to look.
> Any pointers would be great. I have a system I'm using the hunner/wordpress
> module and for some reason when it tries to build the wp-config.php file,
> concatfragments.sh fails. The strange part is that the apache module uses
> the same script to build /etc/httpd/conf/ports.conf and it works fine.
>
> Here's the debug output of both the apache and wordpress modules:
>
> Debug: Exec[concat_/etc/httpd/conf/ports.conf](provider=posix): Executing
> check '/var/lib/puppet/concat/bin/concatfragments.sh -o
> "/var/lib/puppet/concat/_etc_httpd_conf_ports.conf/fragments.concat.out" -d
> "/var/lib/puppet/concat/_etc_httpd_conf_ports.conf" -t'
> Debug: Executing '/var/lib/puppet/concat/bin/concatfragments.sh -o
> "/var/lib/puppet/concat/_etc_httpd_conf_ports.conf/fragments.concat.out" -d
> "/var/lib/puppet/concat/_etc_httpd_conf_ports.conf" -t'
> ...
> Debug: Exec[concat_/opt/wordpress/wp-config.php](provider=posix):
> Executing check '/var/lib/puppet/concat/bin/concatfragments.sh -o
> "/var/lib/puppet/concat/_opt_wordpress_wp-config.php/fragments.concat.out"
> -d "/var/lib/puppet/concat/_opt_wordpress_wp-config.php" -t'
> Debug: Executing '/var/lib/puppet/concat/bin/concatfragments.sh -o
> "/var/lib/puppet/concat/_opt_wordpress_wp-config.php/fragments.concat.out"
> -d "/var/lib/puppet/concat/_opt_wordpress_wp-config.php" -t'
> Debug:
> /Stage[main]/Wordpress::App/Concat[/opt/wordpress/wp-config.php]/Exec[concat_/opt/wordpress/wp-config.php]/unless:
> sh: /var/lib/puppet/concat/bin/concatfragments.sh: Permission denied
> Debug: Exec[concat_/opt/wordpress/wp-config.php](provider=posix):
> Executing '/var/lib/puppet/concat/bin/concatfragments.sh -o
> "/var/lib/puppet/concat/_opt_wordpress_wp-config.php/fragments.concat.out"
> -d "/var/lib/puppet/concat/_opt_wordpress_wp-config.php"'
> Debug: Executing '/var/lib/puppet/concat/bin/concatfragments.sh -o
> "/var/lib/puppet/concat/_opt_wordpress_wp-config.php/fragments.concat.out"
> -d "/var/lib/puppet/concat/_opt_wordpress_wp-config.php"'
> Notice:
> /Stage[main]/Wordpress::App/Concat[/opt/wordpress/wp-config.php]/Exec[concat_/opt/wordpress/wp-config.php]/returns:
> sh: /var/lib/puppet/concat/bin/concatfragments.sh: Permission denied
> Error: /var/lib/puppet/concat/bin/concatfragments.sh -o
> "/var/lib/puppet/concat/_opt_wordpress_wp-config.php/fragments.concat.out"
> -d "/var/lib/puppet/concat/_opt_wordpress_wp-config.php" returned 126
> instead of one of [0]
> Error:
> /Stage[main]/Wordpress::App/Concat[/opt/wordpress/wp-config.php]/Exec[concat_/opt/wordpress/wp-config.php]/returns:
> change from notrun to 0 failed:
> /var/lib/puppet/concat/bin/concatfragments.sh -o
> "/var/lib/puppet/concat/_opt_wordpress_wp-config.php/fragments.concat.out"
> -d "/var/lib/puppet/concat/_opt_wordpress_wp-config.php" returned 126
> instead of one of [0]
> Notice:
> /Stage[main]/Wordpress::App/Concat[/opt/wordpress/wp-config.php]/File[/opt/wordpress/wp-config.php]:
> Dependency Exec[concat_/opt/wordpress/wp-config.php] has failures: true
> Warning:
> /Stage[main]/Wordpress::App/Concat[/opt/wordpress/wp-config.php]/File[/opt/wordpress/wp-config.php]:
> Skipping because of failed dependencies
>
> If I run /var/lib/puppet/concat/bin/concatfragments.sh -o
> "/var/lib/puppet/concat/_opt_wordpress_wp-config.php/fragments.concat.out"
> -d "/var/lib/puppet/concat/_opt_wordpress_wp-config.php" by hand, it
> returns 0 as normal.
>
> Anyone have any pointers where to look for the issue? The fragments all
> seem to be fine on file permissions and SELinux is disabled.
>
> [root@www concat]# ls -lR
> .:
> total 12
> drwxr-xr-x 2 root   root   4096 Sep 11 08:36 bin
> drwxr-x--- 3 root   root   4096 Apr 28 09:23 _etc_httpd_conf_ports.conf
> drwxr-x--- 3 apache apache 4096 Sep 11 08:30 _opt_wordpress_wp-config.php
>
> ./bin:
> total 4
> -rwxr-xr-x 1 root root 3945 Sep 11 08:36 concatfragments.sh
>
> ./_etc_httpd_conf_ports.conf:
> total 12
> drwxr-x--- 2 root root 4096 Jun 23 11:35 fragments
> -rw-r- 1 root root  195 Sep 11 08:36 fragments.concat
> -rw-r- 1 root root  195 Apr 28 09:23 fragments.concat.out
>
> ./_etc_httpd_conf_ports.conf/fragments:
> total 12
> -rw-r- 1 root root 164 Apr 28 09:23 10_Apache ports header
> -rw-r- 1 root root  10 Apr 28 09:23 10_Listen 80
> -rw-r- 1 root root  21 Jun 23 11:35 10_NameVirtualHost *_80
>
> ./_opt_wordpress_wp-config.php:
> total 12
> drwxr-x--- 2 apache apache 4096 Sep 11 08:30 fragments
> -rw-r- 1 apache apache 3371 Sep 11 08:31 fragments.concat
> -rw-r- 1 apache apache 3371 Sep 11 08:31 fragments.concat.out
>
> ./_opt_wordpress_wp-config.php/fragments:
> total 8
> -rw-r- 1 root apache 1052 Sep 11 08:30 10_wp-config.php keysalts
> -rw-r- 1 root apache 2319 Sep 11 08:30 20_wp-config.php body
>

Maybe an exec default lurking somewhere caused the concat exec to run as a
non-root user. Try addi

Re: [Puppet Users] suppress notice for file resource recursive

[Nan Liu]

On Thu, Sep 4, 2014 at 1:19 PM, Constantin Wolber <
constantin.wol...@gmail.com> wrote:
>
> i searched quite a bit in the documentations and through google but did
> not find a suitable solution.
>
> I am using the file resource to change the ownership of a directory
> recursively. What happens is that for every single file a notice is
> generated for change of user and of group. Since I'm using some reports on
> the puppetmaster this puts a lot of uninteresting information in those
> reports. So is there any chance of suppressing those notices?
>
> I only found a solution for a manual run but not for an automatic run.
> Since the --logdest would also suppress notices that are interesting in
> other situations.
>

You can drop the resource loglevel to debug,

file { '/tmp/a':
  ensure => directory,
  recurse => true,
  loglevel => 'debug',
}

This will suppress the change message unless you run puppet agent with the
flag --debug, but you should still see the refresh notice if something
changes.

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqCmyXkCnmeou-CV8GirvbcaEjx1goJN9DkLaNZNyOrYNg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] How best to accomplish geographic location of clients?

[Nan Liu]

On Tue, Sep 2, 2014 at 1:31 PM, randal cobb  wrote:

> Hello all,
>
> I have a small problem I'm trying to resolve, and I'm bowing to the
> masters for suggestions.   Our development organization uses VMware and
> desktop VMs to perform development efforts;  I've come up with mechanisms
> to populate these VMs using puppet to install all the tools they need, such
> as Eclipse, Maven, JDKs, etc. but I'm faced with an issue that I have put
> off until now:  using geographically located tools and servers.  In my
> environment, we have several geographically located "mirror" or "slave"
> servers for key infrastructure environments such as Nexus, Sonar,
> Subversion, etc.  So, while all of our "master" servers are located in
> data-centers in the US, we will have "slave" versions of them located in
> other countries, such as Brazil, India, Canada, etc.   So, on to my
> question:  Is there a way for Puppet to detect where a client is running,
> geographically?   For example, if a VM starts up in Hyderabad, India, I
> want to add host entries to the VM that point services like SVN, Nexus,
> Sonar, Jenkins, etc. to local slaves.  I already have manifests to set the
> host entries appropriately for a given location, so this is the easy part.
>  To add a wrinkle, my company has added rules so that ALL VMs that
> end-users can run on their desktops or laptops MUST use NAT ip addresses,
> so I can't easily use an IP subnet to calculate what the best hosts to use
> are.
>
> So, might anyone have any suggestions or ideas of how I might try to
> accomplish this?
>

anycast. Ok, in all seriousness, you can either write a custom fact using
geoip lookup if the WAN address is reliable. Or you need pass location info
to the VM via ovf properties and read it back as a custom fact
using vmtoolsd. See
http://blogs.vmware.com/vapp/2009/07/selfconfiguration-and-the-ovf-environment.html
for more info on the second option.

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqCn4CaRY701b%3DjZTv7f1P4BOiWmZyvQ_7E8E%2B1Wms1ALw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] custom facter fact not available from client

[Nan Liu]

On Tue, Sep 2, 2014 at 12:20 PM, Mike Reed  wrote:

> Hello all,
>
> I'm attempting to create a custom fact to identify the network to which a
> node belongs to. Below is the fact definition (I realize this fact isn't
> complete but wanted to test what I have so far):
>
> require 'facter'
> Facter.add('network_geo') do
>   setcode do
> hostname   = Facter.value(:hostname)
> hostname_array = hostname.split('-')
>
> # debug info
> puts "My network is #{hostname_array}"
>   end
> end
>
> I then added the fact into a module named sys_ident and more specifically,
> into a directory like so: /modules/sys_ident/lib/facter/network_geo.rb
>
> For debugging purposes, I created a quick init.pp for the sys_ident module
> and added this:
>
> class sys_ident {
>   notify{"My network identity is: ${network_geo}" :}
>   notify{"My hostname identity is: ${hostname}" :}
> }
>
> I then turned on pluginsync on both the puppetmaster and client within
> puppet.conf.
>
> After an initial run on my puppet client, I'm getting the following:
>
> seanconnery-02:/$ sudo puppet agent -tv
> Info: Retrieving pluginfacts
> Info: Retrieving plugin
> Info: Loading facts in /var/lib/puppet/lib/facter/network_geo.rb
> My network is ["seanconnery", "02"]
> My network is ["seanconnery", "02"]
> Info: Caching catalog for seanconnery-02.domain
> Info: Applying configuration version '1409685071'
> Notice: My network identity is:
> Notice: /Stage[main]/Sys_ident/Notify[My network identity is: ]/message:
> defined 'message' as 'My network identity is: '
> Notice: My hostname identity is: seanconnery-02
> Notice: /Stage[main]/Sys_ident/Notify[My hostname identity is:
> seanconnery-02]/message: defined 'message' as 'My hostname identity is:
> seanconnery-02'
> Notice: Finished catalog run in 0.04 seconds
>
> As you can see from the output, I'm not receiving the expected output from
> my "network_geo" notify parameter (also not sure why I'm getting the "My
> network" twice.  If I run facter from the puppet client, I get nothing in
> return:
>
> seanconnery-02:/$ facter -p network_geo
>
> For good measure, running the same command with the "hostname" fact
> produces this:
>
> seanconnery-02:/$ facter -p hostname
> seanconnery-02
>
> Based on the output from my client run, it does look like the fact is
> making it to the client but I can't seem to actually invoke it.
>
> I feel that things are generally in the right place and after considerable
> troubleshooting, the only thing I can think of is a potential
> order-of-operations problem.
>
> Does anybody have any suggestions as to why this may be occurring?
>

The puts command simply print a message and never returned a value for the
fact. You probably meant something along the lines of:

 Facter.add('network_geo') do
  setcode do
hostname_array =  Facter.value(:hostname).split('-')

# debug info
puts "My network is #{hostname_array}"
hostname_array.first
  end
end

If you are developing facts, it's much easier to just drop into IRB and get
everything working there rather than doing round trip debugging between
puppet and facter:

irb(main):001:0> require 'facter'
=> true
irb(main):002:0> Facter.value("hostname")
=> "demo-1"
irb(main):003:0> Facter.value("hostname").split('-')
=> ["demo", "1"]

irb(main):006:0>  Facter.add('network_geo') do
irb(main):007:1*   setcode do
irb(main):008:2* hostname_array =  Facter.value(:hostname).split('-')
irb(main):009:2>
irb(main):010:2* # debug info
irb(main):011:2* puts "My network is #{hostname_array}"
irb(main):012:2> hostname_array.first
irb(main):013:2>   end
irb(main):014:1> end
irb(main):015:0> Facter.value(:network_geo)
My network is ["demo", "1"]
=> "demo"

If you run your existing fact in irb, you'll see the output is nil instead:

Facter.value(:network_geo)
My network is ["demo", "1"]
=> nil

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqDr59xOL69BfCezu_oTVWvmegYHcrD6f1Nbf77wom1JJw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] More than one array passed to a definition

[Nan Liu]

Puppet array expansion of resources titles doesn't perform any expansion 
for resource properties. There might be another way in experimental 
parser, but here's two options.


1. structure the data so you can pass it to create_resource:
$hash_of_resources = { 'name1' => { 'port' => 'port1'}, 'name2' => { 
'port' => 'port2' } }

create_resource('instance', $hash_of_resources)

2. Modify the define type to lookup the value within a hash with the 
resource title as the key:

# change define type to look up port value via resource name as hash key
# do not specify $name as a variable, it's implicit
define instances ( $port ) {
   $port_file = $port[$name]
   file { "${name}":
   ensure => present,
   path => "/path/${port_file}"
   }
}

$array1 = ['name1', 'name2']
$array2 = ['port1', 'port2']

# this makes it [ ['name1', 'port1'], ['name2', 'port2'] ]
$zip = zip($array1, $array2)

# I can't find a to_hash function in stdlib, but essentially a hideous 
way to generate: { 'name1' => 'port1', 'name2' => 'port2' }

$port = parseyaml(inline_template("<%= Hash[*@zip.flatten(1)].to_yaml %>"))

instances { $array1:
  port => $port,
}

HTH,

Nan

Fran Rodríguez 
August 29, 2014 at 4:40 AM
Hi group,

Im trying to do something with to arrays:

array1 = ['name1', 'name2']
array2 = ['port1', 'port2']

The arrays has the same number of elements and what i want to do it is 
passing to a define function:


instances { $array1:; $array2:; }

The instances define does something simple:

define instances ( $name, $port ) {
   file { "${name}":
   ensure => present,
   path => "/path/${port}"
   }
}

I thing im missing something about iteration with define function 
because puppet say:


Error 400 on SERVER: Must pass name to Instances[name1]

Could somebody tell me what im doing wrong or point to me in the 
correct direction?¿


Thanks and cheers
--
You received this message because you are subscribed to the Google 
Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send 
an email to puppet-users+unsubscr...@googlegroups.com 
.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/1d39746a-dc24-4584-b640-35a96fe1e8af%40googlegroups.com 
.

For more options, visit https://groups.google.com/d/optout.


--
You received this message because you are subscribed to the Google Groups "Puppet 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/5400B9DF.2090606%40gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Safe Way to Deploy New Setup?

[Nan Liu]

On Fri, Aug 29, 2014 at 7:24 AM, thehailo  wrote:
>
> I'm taking over a Puppet setup which was built on 2.7 and broken during a
> huge migration a few months back (before my time, so I don't have much info
> to go off). I figure since I'm basicaly starting from scratch (literally
> the only thing anyone can tell me the old setup did was manage sudoers),
> I'd start with a newer version, 3.6. I want to play it safe just in case an
> ensure putting this new box up doesn't break anything checking into it. I'm
> waiting on the old manifest files to see exactly what the old setup was
> doing, so my big question is what's a safe way to deploy and test this
> setup? I've been given a fresh VM but it uses the same IP/DNS as the old
> box. I could just block traffic at the firewall but production systems are
> checking in, so I just want to cover my bases. If a system from the old 2.7
> checks in and I have no manifests in the new setup, will it have any effect
> or just keep the old setup until I push something newer?
>

Really not much of a concern for multiple reasons. If you don't have the
old CA certs, the agents will not connect to the new master. If the
manifest is blank, you will overwrite the old catalog on the agents, but it
won't be changing anything on the agent.

If you are interested what the old system was managing, see if the cached
catalog still exists on the agent. The catalog will contain all the
resources the old puppet master was managing.

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqBMKq2P7hTM%3DXpOFAfpgScmEJJ89Wn-%2BbxRE5Gdc%2BAbuQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] puppet cloud provisioner used in module

[Nan Liu]

On Tue, Aug 26, 2014 at 3:55 AM, John Bencic  wrote:

> from what i see the puppet cloud provisioner module seems to be a command
> line tool
>
> does anyone know if there is any way (apart from an exec call) to call the
> module from another module
>
>
> what i want to do is
>  - define a list of nodes (somewhere)
>  - check my vm environment if these nodes already exist
>  - make a call to provision the missing boxes
>
> that way i could spin up dev/test environment from my puppet server
>
> am i going about this the wrong way ?
>
> Makes sense, but instead of cloud provisioner, to implement it in Puppet,
it requires type/providers and would look similar to this:
https://github.com/puppetlabs/puppetlabs-gce_compute

You can also look at Terraform.

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqDCFzVSFFMgVsx0j%2BZqDuT-%3DL3UboVsmNeHfOyQ8PCvxQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Cisco: No error, but no Applying

[Nan Liu]

On Fri, Aug 22, 2014 at 12:10 PM, Nathan Brito  wrote:

> I'm trying to apply settings on a Cisco Catalyst 2960S through the puppet,
> but I can not.
>
> When I give the "device #puppet verbose" command, the puppet does not
> return me error but does not apply the manifest.
>
>
> *Follows the return of the command:*
>
> #puppet device --verbose
>> Info: starting applying configuration to switch.mydomain at
>> telnet://admin:admin@switch.mydomain
>> Info: Retrieving pluginfacts
>> Info: Retrieving plugin
>> Info: Caching catalog for switch.mydomain
>> Info: Applying configuration version '1408732346'
>> Notice: Finished catalog run in 0.05 seconds
>
>
>
> */etc/puppet/puppet.conf:*
>
> [main]
>> logdir=/var/log/puppet
>> vardir=/var/lib/puppet
>> ssldir=/var/lib/puppet/ssl
>> rundir=/var/run/puppet
>> factpath=$vardir/lib/facter
>> #templatedir=$confdir/templates
>> [master]
>> # These are needed when the puppetmaster is run by passenger
>> # and can safely be removed if webrick is used.
>> ssl_client_header = SSL_CLIENT_S_DN
>> ssl_client_verify_header = SSL_CLIENT_VERIFY
>> dns_alt_names = puppetmaster,puppetmaster.mydomain
>
>
> */etc/puppet/device.conf*
>
> [switch.mydomain]
>> type cisco
>> url telnet://admin:admin@switch.mydomain
>>
>
>
> *Manifest: /etc/puppet/manifests/switch.pp*
>
>
>> interface {
>>   "GigabitEthernet0/1":
>> description => "puppet test",
>> }
>> }
>
>

I think this needs to be under a node that matches your device.conf
setting, so site.pp:

node switch.mydomain {
  interface { ...
  }
}

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqAiHGEQ3AemE_7-4EXO7D2uxBK2mecAEv%2Bp%3DqWHuTmg9w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] integration with agent-side password management tool

[Nan Liu]

On Thu, Aug 7, 2014 at 10:47 PM, Thomas Müller 
wrote:
>
> We have some requirement to integrated with a password management tool.
> We only have access to the credentials on the agent-side and we may not
> put them into a fact.
>
> two possible solutions come to mind:
>
> - we could create ruby functions to query the credentials. If they could
> be used in erb templates and if they could be evaluated on agent-side. But
> I think the whole ERB template is parsed on the master-side - is this
> assumption correct?
>

The built in template function processes the ERB on the master. However you
can use something like datacat if you want client side templates:

https://github.com/richardc/puppet-datacat

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqAAu579tX6ej0Pb0wEXqqQMas%3DEp2y9OqY_%2ByAqqrFOCw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Change Hostname on Puppet Master

[Nan Liu]

On Wed, Aug 6, 2014 at 12:28 AM, Juan Sierra Pons 
wrote:

> 2014-08-05 23:23 GMT+02:00 Gabriel Filion :
> > On 05/08/14 01:28 PM, Nan Liu wrote:
> >> Please don't resign all client certificates. All you need to do is
> >> recreate a puppet master certificate with dns alt name accepting both
> >> the old and new puppet master hostname. Because passenger and other
> >> configuration may already refer to the existing pem file name, it's
> >> easier to just add the new hostname to the dns_alt_names accept list
> >
> > ah, thanks a lot for this. I was sure there was a more clever way to do
> > this :)
> >
> > --
> > Gabriel Filion
> >
>
> Hi,
>
> I didn't know it either. :)
>
> This drive me to ask a related question: Can the same approach be used
> when the certificate expires?
>

Sure. Should work the same.

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqDigtq4A7VSKZB1Ttq3fqPuseiH4jb4dvSvfhcYjdv-wg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Change Hostname on Puppet Master

[Nan Liu]

On Tue, Aug 5, 2014 at 10:11 AM, Gabriel Filion  wrote:

> Hey there,
>
> On 05/08/14 10:45 AM, Danny Roberts wrote:
> > We have a requirement to change the Host name of our Puppet Master (not
> > a great idea but sadly out of my control). I could not find any
> > documentation on this subject, does nayone know the process for doing
> > something like this?
> >
> > Or would it need to be a complete rebuild then re-import of our Puppet
> code?
>
> I did this some time ago and ended using the "stupid" method. So if
> there's a better way than what I'll describe, please someone step in.
>
> What really matters when you rename your master is your master SSL
> certificate. Clients will be verifying if the puppet master's hostname
> matches the one advertised by the certificate.
>
> So when I changed the hostname, I had to create a new certificate for
> the master, and then recreate certificates for clients and
> "re-registering" all clients to the master. e.g.:
>
> on all clients:
>  * wipe out /var/lib/puppet/ssl
>  * run puppet agent -t --waitforcert 10
>  * on master, sign client certificate
>
> this was very time-consuming though.
>

Please don't resign all client certificates. All you need to do is recreate
a puppet master certificate with dns alt name accepting both the old and
new puppet master hostname. Because passenger and other configuration may
already refer to the existing pem file name, it's easier to just add the
new hostname to the dns_alt_names accept list:

Backup your puppet master ssl directory, so you can just retry if something
didn't go as planned.

# note all certificate alt names of the existing puppet master cert:
puppet cert -la | grep oldmaster
(alt names "DNS:puppet", "DNS:puppet-master", "DNS:puppet.mgmt", )
...

# remove your old puppet master cert.
puppet cert -c oldmaster

# search the ssl dir and it should not have any files with the oldmaster
certname

# generate new master cert (same name as old one, but accept new_hostname
in dns_alt_names):
puppet cert -g oldmaster
--dns_alt_names=new_hostname,puppet,puppet-master,puppet.mgmt

# you may need to copy the files to some locations if you found files not
removed after the cert clean step

At this point you can add a host entry on one of your agents and test via:
puppet agent -t --server new_hostname --noop

You should not have to touch any client cert, that's only necessary if you
need to change your CA cert which is a pain when it expires.

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqCAUEdWujqa6UW%2BfzgJ1y3Db5bjGSOE8Qh5UU_ErqUhCw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Query puppetdb from puppet manifest

[Nan Liu]

On Thu, Jul 3, 2014 at 12:00 PM, Schofield  wrote:

> What are most people using to query the puppetdb for data from within
> puppet manifest files these days?  Is there any thing official from
> PuppetLabs to do this?
>

Best tool at the moment: https://github.com/dalen/puppet-puppetdbquery

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqCE%2BMnDXZnnn5%3DHiXMUaHgUE9d6PcWariU%2BAdB3mVM_JQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Server acceptance unit testing

[Nan Liu]

On Mon, Jun 16, 2014 at 10:52 PM, John Warburton 
wrote:

> Hi Everyone
>
> We want to unit test our servers with something like serverspec, but we do
> not have the coding skills in the team to write ruby/rspec, and we want a
> low barrier to entry for writing tests
>
>
>
> Our site isn't small with 3.5K servers, 200 modules, 400 manifests
> covering 3K resources. Each server averages about 650 resources
>
>
>
> I was wondering what others do for server acceptance testing given a
> similar set of requirements. Based on my quick reviews on what is out
> there, Jenkins with perl's Test::Harness looks a good fit, which is a
> little scary
>
>
>
> Am I missing something?
>

If you are looking for something that's low barrier of entry and shell is
your target, have you considered something like bats?
https://github.com/sstephenson/bats

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqB_kX8VUYwb2BHwaTpfCi%2B%2BFqxH3J4ono67tdU_3ve5Aw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] puppet agent on esx host

[Nan Liu]

kaustubh chaudhari wrote:


Can we install puppet agent on ESX host.



Not aware of a way to install puppet agent.



1. I am provisioning the hosts with PXE and Kickstart in the post
install, i wish to install puppet agent and mange the host with the same.
Like hardning, network config etc.



All ESX customizations are either done via API, or over ssh (ssh 
file_line in vmware_lib).




2. Use vmware/vcenter module to manage the new host, add it to the
appropriated datacenter, configure network. etc



The vcenter module requires a proxy host to communicate to vCenter/ESX. 
Puppet is installed on the proxy host and not vcenter appliance or ESX.


HTH,

Nan

--
You received this message because you are subscribed to the Google Groups "Puppet 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/5373900D.3080306%40gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Re: rspec-puppet: how to pass undef as parameter value?

[Nan Liu]

On Tue, Apr 22, 2014 at 4:34 AM, Remi Ferrand <
remi.mathieu.ferr...@gmail.com> wrote:

> Hi Nan,
>
> thanks for your answer.
> With this modification:
>
> diff --git a/spec/classes/puppetrspec_spec.rb
> b/spec/classes/puppetrspec_spec.rb
> index 9d06d79..80fae58 100644
> --- a/spec/classes/puppetrspec_spec.rb
> +++ b/spec/classes/puppetrspec_spec.rb
> @@ -22,7 +22,7 @@ describe 'puppetrspec', :type => :class do
>  context 'with ensure undef' do
>
>  let :params do {
> -:ensure => '# WHAT SHOULD WE USE HERE TO PASS PUPPET
> undef VALUE ?#'
> +:ensure =>  :undef
>  } end
>
>  it 'should have File with ensure absent' do
>
>
> it fails with this error:
>
> % rake spec
> /usr/bin/ruby -S rspec spec/classes/puppetrspec_spec.rb --color
> .F
>
> Failures:
>
>   1) puppetrspec with ensure undef should have File with ensure absent
>  Failure/Error: should contain_file(filename).with_ensure('absent')
>  Puppet::Error:
>Could not parse for environment production: Syntax error at ':';
> expected '}' at line 4 on node ...
>  # ./spec/classes/puppetrspec_spec.rb:30
>
> Finished in 1.51 seconds
> 2 examples, 1 failure
>
> Failed examples:
>
> rspec ./spec/classes/puppetrspec_spec.rb:29 # puppetrspec with ensure
> undef should have File with ensure absent
>
>
> Same error with this modification:
>
> diff --git a/spec/classes/puppetrspec_spec.rb
> b/spec/classes/puppetrspec_spec.rb
> index 9d06d79..63faa11 100644
> --- a/spec/classes/puppetrspec_spec.rb
> +++ b/spec/classes/puppetrspec_spec.rb
> @@ -21,9 +21,9 @@ describe 'puppetrspec', :type => :class do
>
>  context 'with ensure undef' do
>
> -let :params do {
> -:ensure => '# WHAT SHOULD WE USE HERE TO PASS PUPPET
> undef VALUE ?#'
> -} end
> +let(:params) {{
> +:ensure =>  :undef
> +}}
>
>
> If you have any other idea, let me know :-)
>

So internally it appears to be :undef, and I thought that would work for
rspec, but clearly not.
https://github.com/puppetlabs/puppet/blob/master/spec/unit/parser/ast/leaf_spec.rb#L101

Trying to set it to Puppet::Parser::AST::Undef resulted in the wrong
behavior with "if $var {...}". I may have mixed this up with a puppet
function where I needed to return undef. I guess I shouldn't count on my
memory at this hour of the day.

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqBGogT4Fig6fsH5drRjyRPyJcTmnkxBYh2gSOYyfutaUg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Re: rspec-puppet: how to pass undef as parameter value?

[Nan Liu]

On Tue, Apr 22, 2014 at 3:08 AM, Remi Ferrand <
remi.mathieu.ferr...@gmail.com> wrote:

> Thank you for your answer, but with my tests it seems that passing Ruby
> *nil* value to puppet doesn't result in puppet *undef* value...
> This is strange considering that puppet *undef* value results in ruby
> *nil* value in templates...
>

Off the top of my head, I think it's a symbol:

let(:params) {{
  :package_provider => :undef,
}}

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqDs8jsbAyndQfxgA0KF_yvEro-1kstxm7pDbR%2BtSeTm%3DQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] selecting a command in a provider based on class variable?

[Nan Liu]

On Fri, Apr 11, 2014 at 7:15 PM, Tim Mooney  wrote:
>
> The tl;dr version:
>
> Can anyone point me at an example of an existing provider that selects
> a particular command based not on a facter fact or whether a particular
> path exists, but instead on a variable from a puppet class?
>
> The full version:
>
> We have puppet 3.4.2 on master and all agents, generally from the
> PuppetLabs packages for OpenSource puppet.
>
> Red Hat has begun providing alternate (updated) versions of some packages
> as part of its "Software Collections Library", aka SCL.  If you have
> a RHEL 6.5 system subscribed to the appropriate software collections
> channel, it's entirely possible to have something like this:
>
> $ rpm -q -f /usr/bin/mysql
> mysql-5.1.73-3.el6_5.x86_64
> $ rpm -q -f /opt/rh/mysql55/root/usr/bin/mysql
> mysql55-mysql-5.5.36-1.1.el6.x86_64
>
> For a provider that relies on the mysql command-line tool to accomplish
> certain tasks, it's no longer a great solution to just do
>
> commands :mysql => 'mysql'
>
> I also don't want to just have it always use the binary from
> /opt/rh/mysql55/root/usr/bin/mysql if it's present, since it's at least
> conceivable that one might need to use a particular version of the client
> when accessing a particular database.
>
> The best idea I've come up with is to have the provider decide which
> specific version of a command to use based on a variable that has already
> been set in the class, but I haven't found any examples of providers that
> do that.  If anyone can point me at some prior art, I would greatly
> appreciate it.
>

An example of pe_gem v.s. package built in ruby gem provider:
https://github.com/puppetlabs/puppetlabs-pe_gem

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqD06H9mha4A4TAQXActPau1HGdCzHgfT%2B_BJxP8UhNHag%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Re: Hiera Performance Testing

[Nan Liu]

On Mon, Apr 14, 2014 at 12:35 PM, David Danzilio
wrote:

> Unfortunately, and I probably should've mentioned this in the OP, we're
> currently stuck on the 2.7 series.
>

You should be able to run puppet master --compile  and time it to
get a coarse measurement of before and after. Just make sure you take a
good random sample from a variety of systems with different classes.

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqC0O0As8K0ATD5%2BizdTKJ%3DKocA0hRcw5CsPhZuXr8F67Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Emergency Certificate Revocation Procedure

[Nan Liu]

On Tue, Apr 8, 2014 at 12:57 AM, Tom  wrote:

>
> In light of the recently publicised vulnerability in OpenSSL versions
> provided on RHEL6/CentOS6 http://heartbleed.com/, do you have any
> recommendations on a procedure to regenerate new master certificates and
> then revoke, clean and re-sign all client SSL certificates?
>
> I think it'd be great in my organisation to have a bullet proof procedure
> for the future, as well as getting around this currently problem.
>
> Thanks for any assistance.
>

Puppet Labs had a CVE around a puppet master certificate issue. It only
replaces the master cert, but from what I recall a module automates this
step. You can see if the remediation tool kit is still suitable for this
purpose:

http://puppetlabs.com/security/cve/cve-2011-3872

http://puppetlabs.com/security/cve/cve-2011-3872/faq#q9
http://puppetlabs.com/security/cve/cve-2011-3872/faq#q11

Thanks,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqBqqpU5LKQGztVmzdEjcZBiaZ1B7Rjg8nPcm4AMuYi73g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] puppet resource for custom providers

[Nan Liu]

On Wed, Dec 18, 2013 at 8:33 AM, Giulio Eulisse wrote:
>
> I've written a custom Package provider, however when I try to query for
> packages using via:
>
> > puppet resource Package
>
> it only shows me those coming via the default provider.
>
> Any idea of what I might be doing wrong? I'm using 3.2.4.
>

The provider is probably missing self.instances method required to populate
this data.

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqDagj_J6tU8QPtmzmTPr%2BET%2Bt78Zpmgo7YPhXYDmYbbpQ%40mail.gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] New to puppet and recieving mcollective error

[Nan Liu]

On Fri, Dec 13, 2013 at 2:05 PM, Alan Renouf  wrote:

> Im new to puppet and installed it in my home lab to mess with, when i
> installed it i used the hostname rather than FQDN so went back and changed
> puppet and reran the certificate tool to regenerate the certificates etc,
> the agent works fine now but i am getting an mccollective error i think, is
> there anything in the config i need to change for mccollective after
> altering the name to the FQDN?  My error is below..  Thanks!
>
>
> root@testnix:~# puppet agent --test
>
> Info: Retrieving plugin
>
> Info: Loading facts in
> /var/opt/lib/pe-puppet/lib/facter/puppetdb_server_status.rb
>
> Info: Loading facts in
> /var/opt/lib/pe-puppet/lib/facter/iptables_persistent_version.rb
>
> Info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/windows.rb
>
> Info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/pe_version.rb
>
> Info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/puppet_vardir.rb
>
> Info: Loading facts in
> /var/opt/lib/pe-puppet/lib/facter/postgres_default_version.rb
>
> Info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/root_home.rb
>
> Info: Loading facts in
> /var/opt/lib/pe-puppet/lib/facter/ip6tables_version.rb
>
> Info: Loading facts in
> /var/opt/lib/pe-puppet/lib/facter/iptables_version.rb
>
> Info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/concat_basedir.rb
>
> Info: Loading facts in
> /var/opt/lib/pe-puppet/lib/facter/staging_http_get.rb
>
> Info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/facter_dot_d.rb
>
> Info: Loading facts in
> /var/opt/lib/pe-puppet/lib/facter/custom_auth_conf.rb
>
> Info: Caching catalog for testnix.home.lan
>
> Info: Applying configuration version '1386955608'
>
> Notice:
> /Stage[main]/Pe_mcollective::Server/File[/etc/puppetlabs/mcollective/server.cfg]/content:
>
> --- /etc/puppetlabs/mcollective/server.cfg 2013-06-07 11:09:23.0
> -0700
>
> +++ /tmp/puppet-file20131213-2681-oblovd 2013-12-13 09:24:46.579199297
> -0800
>
> @@ -1,22 +1,55 @@
>
> -topicprefix = /topic/
>
> +# Centrally managed by Puppet version 3.3.1 (Puppet Enterprise 3.1.0)
>
> +topicprefix = /topic/
>
>  main_collective = mcollective
>
> -collectives = mcollective
>
> -libdir = /opt/puppet/libexec/mcollective/
>
> -logfile = /var/log/pe-mcollective/mcollective.log
>
> -loglevel = info
>
> -daemonize = 1
>
> +collectives = mcollective
>
> +libdir  = /opt/puppet/libexec/mcollective/
>
> +logfile = /var/log/pe-mcollective/mcollective.log
>
> +loglevel= info
>
> +daemonize   = 1
>
>
>
> +identity = testnix.home.lan
>
>  # Plugins
>
> -securityprovider = psk
>
> -plugin.psk = unset
>
> +securityprovider   = ssl
>
> +plugin.ssl_server_private =
> /etc/puppetlabs/mcollective/ssl/mcollective-private.pem
>
> +plugin.ssl_server_public =
> /etc/puppetlabs/mcollective/ssl/mcollective-public.pem
>
> +plugin.ssl_client_cert_dir = /etc/puppetlabs/mcollective/ssl/clients/
>
> +plugin.ssl_serializer = yaml
>
>
>
> -connector = stomp
>
> -plugin.stomp.host = localhost
>
> -plugin.stomp.port = 61613
>
> -plugin.stomp.user = mcollective
>
> -plugin.stomp.password = secret
>
> +connector = activemq
>
> +plugin.activemq.pool.size = 1
>
> +plugin.activemq.pool.1.host = puppetmaster.home.lan
>
> +plugin.activemq.pool.1.port = 61613
>
> +plugin.activemq.pool.1.user = mcollective
>
> +plugin.activemq.pool.1.password = ngT4ya8aAEnWHaoEsLQl
>
> +plugin.activemq.pool.1.ssl = true
>
> +plugin.activemq.pool.1.ssl.ca =
> /etc/puppetlabs/mcollective/ssl/mcollective-cacert.pem
>
> +plugin.activemq.pool.1.ssl.key =
> /etc/puppetlabs/mcollective/ssl/mcollective-private.pem
>
> +plugin.activemq.pool.1.ssl.cert =
> /etc/puppetlabs/mcollective/ssl/mcollective-cert.pem
>
>
>
>  # Facts
>
>  factsource = yaml
>
>  plugin.yaml = /etc/puppetlabs/mcollective/facts.yaml
>
>
>
> +# Puppet Classes
>
> +classesfile = /var/opt/lib/pe-puppet/classes.txt
>
> +
>
> +# Puppet Agent plugin configuration
>
> +plugin.puppet.command = /opt/puppet/bin/puppet agent
>
> +plugin.puppet.config  = /etc/puppetlabs/puppet/puppet.conf
>
> +
>
> +plugin.puppet.splay = true
>
> +plugin.puppet.splaylimit = 120
>
> +
>
> +# Periodcally broadcast metdata for registration purposes.
>
> +# This registration plugin will broadcast current Facter fact values.
>
> +registration = Meta
>
> +# registerinterval is intentionally "long" to prevent systems from being
> overly
>
> +# chatty on the message bus by default.  If you want a higher frequency,
> this
>
> +# may be set to 300 (5 minutes)
>
> +registerinterval = 600
>
> +
>
> +# authorization
>
> +rpcauthorization = 1
>
> +rpcauthprovider = action_policy
>
> +plugin.actionpolicy.allow_unconfigured = 1
>
> +direct_addressing = 1
>
>
> *Error: Could not back up /etc/puppetlabs/mcollective/server.cfg:
> Connection refused - connect(2)*
>
> *Error: Could not back up /etc/puppetlabs/mcollective/server.cfg:
> Connection refused - connect(2)*
>
> *Error:
> /Stage[main]/Pe_mcollect

Re: [Puppet Users] using puppet device

[Nan Liu]

On Thu, Dec 12, 2013 at 12:08 AM, Markus Burger
wrote:

> Hi,
>
> On 11-12-2013 10:51:08, Dan Bode wrote:
> > Hi all,
> >
> > I had a bit of time to research the existing device code to see if I can
> > use it for an integration with two specific use cases:
> >
> > 1. discovery/inventory -  access hardware inventory and store it
> somewhere
> > where it can be retrieved.
> >
> > So far, device supports this use case.
> > - specify a list of device endpoints in device.conf
> > - run puppet device to get their facts to serve as inventory (although
> > puppet device looks like it gets facts and requests catalogs, I will
> > probably call the facts method directly to just get the facts)
> > - have the front end query these facts from PuppetDB
> >
> > 2. management - manage the process of bringing up a cluster from scratch
> >
> > This is the use case where puppet device is problematic.
> >
> > In this use case, an external system needs to specify how a collection of
> > resources should be configured. The types of these resources are
> > heterogeneous, for example:
> >
> > - Server
> > - Storage
> > - Network
> > - add Port
> > - create server
> >
> > These hardware configuration rules (and their dependencies) map pretty
> > cleanly to the Puppet DSL and the Resource/Graph model. Where a manifests
> > represents multiple devices and multiple endpoints.
> >
> > I had the following issues with puppet device for this use case:
> >
> > 1. It iterates through the endpoints and configures them one at a time
> >
> > This is probably the biggest barrier. I need to keep track of a
> collection
> > of resources that target multiple endpoints and apply them in a certain
> > order. Looking at the device code it seems to just iterate through the
> > endpoints in device.conf and configure them one at a time.
>
> I currently use a simple solution to work around this problem where
> i create the device.conf through an external process on the fly and
> specify my
> devices and there dependencys in a yaml file, run them in order and just
> check the exit code.
>
> it looks something like this:
>
> ---
> defaults:
>   scheme: sshios
>   port: 22
>   userinfo: foo:bar
>   query: crypt=true
>   cmd: /usr/bin/puppet device --verbose --environment=network
> --detailed-exit-codes --deviceconfig={{DEVCFG}} || [ $? -eq 2 ]
>
> devices:
>   dc1:
> sw-dc1-01.foo.bar:
>   deps:
> - *
> sw-dc1-02.foo.bar:
> sw-dc1-03.foo.bar:
>   deps:
> - sw-dc1-02.foo.bar
> str-dc1-01.foo.bar:
>   scheme: netapp
>   deps:
> - sw-dc1-01.foo.bar
>
>
> >
> > I spent some time thinking about the current device command and how I
> might
> > use it to configure workflows across multiple endpoints.
> > - on the puppet master, keep a queue (or list) for each endpoint that
> needs
> > to be configured
> > - have an external process (the dispatcher) that keeps track of the
> > configuration that needs to be applied (along with their endpoints) and
> > stores the resources that represent that configuration into the correct
> > queue for it's endpoint.
> > - have an ENC that checks the certname of a device when it checks in,
> maps
> > it to a queue, and clears all entries for a queue (for it to apply)
> > - If the dispatcher keeps track of all of the resources that it put onto
> > which queue, it can track the report for those devices to know when it's
> > entire job is completed.
> >
> > The above explanation is the best way I could think of to use the
> existing
> > device, but it is cumbersome enough that it warrants not using the device
> > model.
> >
> > 2. it does not allow for the specification of dependencies between
> multiple
> > device endpoints. It only allows for certain endpoints to be processed
> in a
> > certain order.
> >
> > This is pretty much the same as #1, but worth mentioning separately.
> >
> > 3. It invents its own command line for doing things (it does not cleanly
> > operate with puppet resource, puppet apply, puppet agent with represents
> a
> > major loss of functionality)
> >
> > 4. Management of device.conf
> >
> > The existence of device.conf creates its own management issues. You need
> to
> > assign a single node to a single device, you have to manage the process
> for
> > getting the credentials to that device, you have to figure out how many
> > devices/which device

Re: [Puppet-dev] Re: [Puppet Users] using puppet device

[Nan Liu]

On Thu, Dec 12, 2013 at 7:21 AM, Dan Bode  wrote:
>
>
> On Thu, Dec 12, 2013 at 1:46 AM, Nan Liu  wrote:
>
>> On Wed, Dec 11, 2013 at 8:51 AM, Dan Bode  wrote:
>>>
>>> I had a bit of time to research the existing device code to see if I can
>>> use it for an integration with two specific use cases:
>>>
>>
>> I'm not sure what issues are still actively worked on, and I'm keeping an
>> eye on the redmine migration to see what gets ported over. I've had onsite
>> discussion with PL developers, and I would love to get more feedback and
>> roadmap for devices v.s. transport. For now, I'm staying with transport
>> resources. Comments below.
>>
>>
>>> 1. discovery/inventory -  access hardware inventory and store it
>>> somewhere where it can be retrieved.
>>>
>>> So far, device supports this use case.
>>> - specify a list of device endpoints in device.conf
>>> - run puppet device to get their facts to serve as inventory (although
>>> puppet device looks like it gets facts and requests catalogs, I will
>>> probably call the facts method directly to just get the facts)
>>> - have the front end query these facts from PuppetDB
>>>
>>
>> puppet device facts are not really invoked via facter, and have some
>> gotchas (such as symbol keys). They are tucked away in
>> lib/puppet/util/network_devices//facts.rb. However since
>> facter is not available for puppet device, the only win for device is
>> inventory in puppetdb. The missing functionality can be implemented as a
>> resource for transport solution which exports facts via puppet face.
>>
>
> I can't think of a case where I need facts from a device to make a
> configuration decisions. Perhaps I'm just not far enough into it :)
>

In theory you should be able to detect the device version and use the
appropriate provider. In practice, the one place I could use this
functionality required different versions of rubygem to even connect to the
device.

 2. management - manage the process of bringing up a cluster from scratch
>>>
>>> This is the use case where puppet device is problematic.
>>>
>>> In this use case, an external system needs to specify how a collection
>>> of resources should be configured. The types of these resources are
>>> heterogeneous, for example:
>>>
>>> - Server
>>> - Storage
>>> - Network
>>> - add Port
>>> - create server
>>>
>>> These hardware configuration rules (and their dependencies) map pretty
>>> cleanly to the Puppet DSL and the Resource/Graph model. Where a manifests
>>> represents multiple devices and multiple endpoints.
>>>
>>
>> This is one of the main reason I'm using transport since it expresses
>> cross node dependency using the existing DSL.
>>
>>
>>> I had the following issues with puppet device for this use case:
>>>
>>> 1. It iterates through the endpoints and configures them one at a time
>>>
>>> This is probably the biggest barrier. I need to keep track of a
>>> collection of resources that target multiple endpoints and apply them in a
>>> certain order. Looking at the device code it seems to just iterate through
>>> the endpoints in device.conf and configure them one at a time.
>>>
>>> I spent some time thinking about the current device command and how I
>>> might use it to configure workflows across multiple endpoints.
>>> - on the puppet master, keep a queue (or list) for each endpoint that
>>> needs to be configured
>>> - have an external process (the dispatcher) that keeps track of the
>>> configuration that needs to be applied (along with their endpoints) and
>>> stores the resources that represent that configuration into the correct
>>> queue for it's endpoint.
>>> - have an ENC that checks the certname of a device when it checks in,
>>> maps it to a queue, and clears all entries for a queue (for it to apply)
>>> - If the dispatcher keeps track of all of the resources that it put onto
>>> which queue, it can track the report for those devices to know when it's
>>> entire job is completed.
>>>
>>> The above explanation is the best way I could think of to use the
>>> existing device, but it is cumbersome enough that it warrants not using the
>>> device model.
>>>
>>> 2. it does not allow for the specification of dependencies between
>>> multiple device endpoints. It only allows for certain e

Re: [Puppet Users] using puppet device

[Nan Liu]

On Wed, Dec 11, 2013 at 8:51 AM, Dan Bode  wrote:
>
> I had a bit of time to research the existing device code to see if I can
> use it for an integration with two specific use cases:
>

I'm not sure what issues are still actively worked on, and I'm keeping an
eye on the redmine migration to see what gets ported over. I've had onsite
discussion with PL developers, and I would love to get more feedback and
roadmap for devices v.s. transport. For now, I'm staying with transport
resources. Comments below.


> 1. discovery/inventory -  access hardware inventory and store it somewhere
> where it can be retrieved.
>
> So far, device supports this use case.
> - specify a list of device endpoints in device.conf
> - run puppet device to get their facts to serve as inventory (although
> puppet device looks like it gets facts and requests catalogs, I will
> probably call the facts method directly to just get the facts)
> - have the front end query these facts from PuppetDB
>

puppet device facts are not really invoked via facter, and have some
gotchas (such as symbol keys). They are tucked away in
lib/puppet/util/network_devices//facts.rb. However since
facter is not available for puppet device, the only win for device is
inventory in puppetdb. The missing functionality can be implemented as a
resource for transport solution which exports facts via puppet face.


> 2. management - manage the process of bringing up a cluster from scratch
>
> This is the use case where puppet device is problematic.
>
> In this use case, an external system needs to specify how a collection of
> resources should be configured. The types of these resources are
> heterogeneous, for example:
>
> - Server
> - Storage
> - Network
> - add Port
> - create server
>
> These hardware configuration rules (and their dependencies) map pretty
> cleanly to the Puppet DSL and the Resource/Graph model. Where a manifests
> represents multiple devices and multiple endpoints.
>

This is one of the main reason I'm using transport since it expresses cross
node dependency using the existing DSL.


> I had the following issues with puppet device for this use case:
>
> 1. It iterates through the endpoints and configures them one at a time
>
> This is probably the biggest barrier. I need to keep track of a collection
> of resources that target multiple endpoints and apply them in a certain
> order. Looking at the device code it seems to just iterate through the
> endpoints in device.conf and configure them one at a time.
>
> I spent some time thinking about the current device command and how I
> might use it to configure workflows across multiple endpoints.
> - on the puppet master, keep a queue (or list) for each endpoint that
> needs to be configured
> - have an external process (the dispatcher) that keeps track of the
> configuration that needs to be applied (along with their endpoints) and
> stores the resources that represent that configuration into the correct
> queue for it's endpoint.
> - have an ENC that checks the certname of a device when it checks in, maps
> it to a queue, and clears all entries for a queue (for it to apply)
> - If the dispatcher keeps track of all of the resources that it put onto
> which queue, it can track the report for those devices to know when it's
> entire job is completed.
>
> The above explanation is the best way I could think of to use the existing
> device, but it is cumbersome enough that it warrants not using the device
> model.
>
> 2. it does not allow for the specification of dependencies between
> multiple device endpoints. It only allows for certain endpoints to be
> processed in a certain order.
>
> This is pretty much the same as #1, but worth mentioning separately.
>
> 3. It invents its own command line for doing things (it does not cleanly
> operate with puppet resource, puppet apply, puppet agent with represents a
> major loss of functionality)
>
> 4. Management of device.conf
>
> The existence of device.conf creates its own management issues. You need
> to assign a single node to a single device, you have to manage the process
> for getting the credentials to that device, you have to figure out how many
> devices/which devices go to which nodes as you scale out to a large number
> of device endpoints.
>
> *Solution:*
>
> The transport model (as created by Nan Liu) seems to get around the issues
> mentioned above and would allow a pretty clean integration path.
>
> For folks not familiar with the transport model. It uses regular types and
> providers that accept a parameter called transport that can be used to
> indicate that it should be applied against some remote endpoint.
>
> For example:
>
> Transport { '

Re: [Puppet Users] Re: validate hiera database against a schema

[Nan Liu]

On Mon, Dec 2, 2013 at 9:44 AM, jcbollinger wrote:

>
>
> On Friday, November 29, 2013 2:58:19 AM UTC-6, David Portabella wrote:
>>
>> is there a way to validate a hiera database against a schema?
>>
>
>
> Not that I know of, no.  Did you have a particular schema language in mind?
>

Ken Barber done some work a while back with Kwalify, which could be
suitable for this purpose:

https://github.com/puppetlabs/puppetlabs-kwalify

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqBzLkVghKJTAg8f-5n-%2ByWoh%2B7%2BGN%2B5bAdTuAA8oNXJSg%40mail.gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] username/password combo for custom provider (couchbase)

[Nan Liu]

On Tue, Jul 16, 2013 at 2:09 AM, Jakov Sosic  wrote:

> On 07/16/2013 02:56 AM, Nan Liu wrote:
>
> > If that's not the issue, then I'm not sure. I'll try to put together
> > the transport module when I get some spare time.
>
> Reference is not a problem, but fetching parameters from that resource
> is... As I can see in vmware modules, there is a
> PuppetX::PuppetLabs::Transport module with retrieve method, and I'm not
> sure if I'm supposed to write something along that lines for my
> 'transport-alike' resource also?


This was long overdue, but finally had a opportunity to extend native
puppet resource to manage remote resource via transport. The specific
implementation uses ssh:

  transport { 'esx':
username => $username,
password => $password,
server => $server,
  }

  service { 'SSH':
ensure => 'running',
provider => 'ssh',
transport => Transport['esx'],
  }

This was written to run against an ESXi server to update some sshd config:
https://github.com/vmware/vmware-vmware_lib

Thanks,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqCPKx%2Bnckx0Kb1fx1RvPry%2BpvYDcKBhNf9BpHk8RGDAkg%40mail.gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Puppet resource details using http api or puppetdb api

[Nan Liu]

On Wed, Nov 6, 2013 at 10:10 AM, Nan Liu  wrote:

> On Tue, Nov 5, 2013 at 8:50 PM, Riju Francis wrote:
>
>> Is there a way to get the package version or service status using the
>> puppet api calls?
>>
>> Following resource commands show version/status in the output:
>> puppet resource package iptables
>> puppet resource service iptables
>>
>> Can the api be used to get similar output?
>>
>
>  Puppet resource command is a face, so you can query via:
>
> > require 'puppet'
> > require 'puppet/indirector/face'
>
> > puts Puppet::Face[:resource, '0.0.1'].find('package/linecache').to_pson
>
>
> {"title":"linecache","exported":false,"tags":["package","linecache"],"type":"Package","parameters":{"provider":"gem","configfiles":"keep","loglevel":"notice","ensure":["0.46"]}}
>
> Look in the source code and there's additional examples such as listing
> all resource of a type:
>
> all_users = Puppet::Face[:resource, '0.0.1'].search("user")
>

Bla, have to read more carefully since subject makes a difference here, if
you want to search puppet db use (which also supplies a puppet face):

https://github.com/dalen/puppet-puppetdbquery

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqCUP9fcgv%2BuGg5FL8dM9Qiy_Q1LwXV9Nzheen5kyCU%2BXQ%40mail.gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Puppet resource details using http api or puppetdb api

[Nan Liu]

On Tue, Nov 5, 2013 at 8:50 PM, Riju Francis  wrote:

> Is there a way to get the package version or service status using the
> puppet api calls?
>
> Following resource commands show version/status in the output:
> puppet resource package iptables
> puppet resource service iptables
>
> Can the api be used to get similar output?
>

 Puppet resource command is a face, so you can query via:

> require 'puppet'
> require 'puppet/indirector/face'

> puts Puppet::Face[:resource, '0.0.1'].find('package/linecache').to_pson

{"title":"linecache","exported":false,"tags":["package","linecache"],"type":"Package","parameters":{"provider":"gem","configfiles":"keep","loglevel":"notice","ensure":["0.46"]}}

Look in the source code and there's additional examples such as listing all
resource of a type:

all_users = Puppet::Face[:resource, '0.0.1'].search("user")

Thanks,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CACqVBqBa_v4%3D3uHDR2h8SpwDb0kjdYJW%2BHLDz-icxETrsry5Ag%40mail.gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Puppet create_resources function unable to enforce resource order

[Nan Liu]

On Thu, Oct 24, 2013 at 7:23 AM, MM  wrote:

> So I have a hiera data like this,
>
> org.vim.Vim64:
> name: org.vim.Vim64
> ensure: installed
> provider: npackd
> vim-pathogen:
> name: vim-pathogen
> ensure: installed
> provider: npackd
> require: org.vim.Vim64
>
> and I feed these data into create_resources function, yet puppet will
> complain cannnot require org.vim.Vim64 as there's no title for it.  Is
> there a way to get this to work?
>

You also need to specify the resource type.

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Re: template - need to fail if referencing undefined var

[Nan Liu]

This is essentially the behavior of stdlib pick function.

$required_var = pick(hiera("var_a"), hiera("var_b"))

Which could be improved to allow a custom error message:
https://github.com/puppetlabs/puppetlabs-stdlib/blob/master/lib/puppet/parser/functions/pick.rb#L24

Nan


On Wed, Oct 16, 2013 at 10:48 AM, Spencer Krum wrote:

> I've developed the following pattern. Please don't hate.
>
> [nibz@pdxudev01 sandbox]$ cat testpuppetfailtemplate.sh
>
> $bar = 'lies'
>
> $derp=inline_template("<%= @bar || scope.function_fail(['die']) %>")
> notify { $derp: }
>
> Which produces:
>
> [nibz@pdxudev01 sandbox]$ puppet apply testpuppetfailtemplate.sh
> Notice: lies
> Notice: /Stage[main]//Notify[lies]/message: defined 'message' as 'lies'
> Notice: Finished catalog run in 0.09 seconds
>
> Then commenting out $bar
>
> [nibz@pdxudev01 sandbox]$ puppet apply testpuppetfailtemplate.sh
> Error: Failed to parse inline template: die at
> /home/nibz/sandbox/testpuppetfailtemplate.sh:4 on node
> pdxudev01.devtst.go2uti.com
> Error: Failed to parse inline template: die at
> /home/nibz/sandbox/testpuppetfailtemplate.sh:4 on node
> pdxudev01.devtst.go2uti.com
>
> :)
>
>
>
> On Wednesday, July 17, 2013 8:29:07 AM UTC-7, jcbollinger wrote:
>>
>>
>>
>> On Monday, July 15, 2013 11:25:50 AM UTC-5, Brano Zarnovican wrote:
>>>
>>> Hi,
>>>
>>> I have the following code snippet
>>>
>>> node default {
>>> # $var_a   .. is undefined
>>> $var_b = hiera("var_b", undef)
>>> $var_c = undef
>>>
>>> file { "/var/tmp/foo.txt": content => inline_template("
>>>
>>> <% if @var_a %>
>>> var_b = <%= @var_a %>
>>> <% else %>
>>> <% info(\"var_a is undefined\") %>
>>> <% end -%>
>>>
>>> <% if @var_b %>
>>> var_b = <%= @var_b %>
>>> <% else %>
>>> <% info(\"var_b is undefined\") %>
>>> <% end -%>
>>>
>>> <% if @var_c %>
>>> var_c = <%= @var_c %>
>>> <% else %>
>>> <% info(\"var_c is undefined\") %>
>>> <% end -%>
>>>
>>> "
>>> ), }
>>> }
>>>
>>> Applying it, will generate these two info messages.
>>>
>>> Info: template[inline]: var_a is undefined
>>> Info: template[inline]: var_c is undefined
>>> var_b =
>>>
>>> What I would like puppet to do is to fail if template is referencing a
>>> variable which is not defined, without having to wrap it with
>>> if-else-fail()-end.
>>>
>>> Another strange thing I've noticed that "undef" behaves differently if
>>> it is a default value for hiera lookup (see var_b vs var_c).
>>>
>>> Actually, my code looks more like..
>>>
>>> $var_a = hiera("var_a")
>>> $var_b = hiera("var_b")
>>> $var_c = hiera("var_c")
>>> file {"..": content => template(hiera("tmpl_name")) }
>>>
>>> That will fail if any variable a,b,c is undefined in hiera, no matter if
>>> it is used in template or not. I can rewrite it to
>>>
>>> $var_a = hiera("var_a", undef)
>>> $var_b = hiera("var_b", undef)
>>> $var_c = hiera("var_c", undef)
>>> file {"..": content => template(hiera("tmpl_name")) }
>>>
>>> This will not fail even if variable used by the template is undefined.
>>> The value is quietly replaced by empty string.
>>>
>>> In other words, I would like to delay the failure from hiera() lookup to
>>> the time when it is actually used in template. Can it be done without
>>> explicitly testing it with "if" inside template ?
>>>
>>> Thanks,
>>>
>>> BranoZ
>>>
>>> PS: we are (or soon be) on puppet 3.2.
>>>
>>>
>>
>> You have a couple of separate issues here, but first a little background
>> to make sure we're on the same page: templates are evaluated by the master,
>> not by agents, so the only form of failure a template can exhibit is to
>> interrupt catalog compilation with a synthetic parse error.  It cannot
>> cause application of the associated resource to fail on the agent.
>>
>> With that said, a template can call Puppet function via the 'scope'
>> object available to it.  In particular, if you want a template evaluation
>> to fail as I describe, then it can invoke the fail() function:
>>
>> <% scope.function_fail('variable foo is not set') %>
>>
>>
>> Now, as a separate matter, you are correct that hiera will translate the
>> default value 'undef' to an empty string.  It will never return an undef
>> value (I'm not sure that even makes sense).  A common approach is to
>> instead choose a default value that you are confident will not appear as a
>> valid value in your data.  One conventional choice is 'NOTSET'.  Your code
>> then tests for that special value instead of (or in addition to) testing
>> whether the variable is defined.
>>
>>
>> John
>>
>>  --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To post to this group, send email to puppet-users@googlegroups.com.
> Visit this group at http://groups.google.com/group/puppet-users.
> For more options, visit https://groups.google.com/groups/opt_out.
>

-- 
You received this message because you ar

[Puppet Users] Re: [Puppet-dev] Status of Data in modules

[Nan Liu]

On Fri, Oct 11, 2013 at 1:09 PM, Eric Sorenson  wrote:

>
> Thanks to everyone who kicked the tires on the experimental data in
> modules feature included in Puppet 3.3.0. We got a lot of feedback, some
> cool proof-of-concept modules, and a definitive conclusion to the
> experiment.
>

Thanks for sending a summary.


> The idea of including a module-specific hiera backend is centered around
> one primary use case: replacing the 'params class pattern', a common idiom
> in Puppet modules that's described in the [Using Parameterized
> Classes][param-classes] guide. The problem that most testers ran into
> though is that for non-trivial modules they ended up having to re-implement
> the Puppet DSL logic encoded in their params.pp in convoluted, non-obvious
> ways. The solutions to this led to more contortions until we'd ended up
> with the ability to execute parser functions in the right-hand-side of a
> yaml value. So something which started out trying to help separate data
> from code ended up putting code back into data!
>
> Additionally, even after multiple attempts to simplify the surface area
> and user experience with the bindings system (described in ARM-9) that
> underlay the data-in-modules implementation, users still found its
> complexity daunting. There are some important bits of scaffolding (like an
> actual type system for Puppet!) that will prove valuable as more of the
> future parser and evaluator work that Henrik is building makes its way into
> the product, but in the final analysis the data in modules feature was the
> wrong vehicle to introduce them.
>

Yep, in trivial cases hiera data layer can approximate conditional in
params.pp, but the I can see how the complexity ramps up rapidly.

Refocusing on the problems users were trying to solve (and here I have to
> give shout-outs to Ashley Penney for his [puppetlabs-ntp][] branch and the
> dynamic duo of Spencer Krug/William van Hevelingen for their [startrek][]
> module) and the problems with the 'params' pattern lent some clarity. We've
> gotten into a situation of disparity with regard to hiera and data
> bindings, because data bindings enable module _users_ to use their
> site-wide hiera data but don't provide moduel _authors_ the same
> affordance. But rather than introduce additional complexity, we can close
> the gap for existing code patterns.
>
> So the proposed solution at this point is:
> - enable an implicit data-binding lookup against the hiera-puppet backend
> for a value of 'classname::variable' in the file
> 'modules/classname/manifests/params.pp', which simplifies class definition
> and provides consistency with other hiera backends. As a module author,
> you'd still leave your logic for variables in params.pp, but they'd be
> implicitly looked up via data bindings as the class is declared, after
> consulting site-wide hiera.
>

So this is only limited to class variables? and this is still compatible
with inherits params class (to ease migration)?


> - remove the user-facing '--binder' functionality
> - fix known problems with the hiera-puppet lookups ([Redmine
> 15746][15746], namely, but if there are others that are important to you
> please speak up!)
>
> To show how this would work, I'll rework the ['smart parameter defaults'
> example][param-classes] I linked above, with my commentary behind `##`
> comments:
>
> # /etc/puppet/modules/webserver/manifests/params.pp
>
> class webserver::params {   ## nothing changes here...
>  $packages = $operatingsystem ? {
>/(?i-mx:ubuntu|debian)/=> 'apache2',
>/(?i-mx:centos|fedora|redhat)/ => 'httpd',
>  }
>  $vhost_dir = $operatingsystem ? {
>/(?i-mx:ubuntu|debian)/=> '/etc/apache2/sites-enabled',
>/(?i-mx:centos|fedora|redhat)/ => '/etc/httpd/conf.d',
>  }
> }
>
> # /etc/puppet/modules/webserver/manifests/init.pp
>
> class webserver(  ## inheritance is gone, and
>  $packages,   ## data bindings look up the defaults
>  $vhost_dir   ## as webserver::params::vhost_dir
> ) {
>
>  package { $packages: ensure => present }
>
>  file { 'vhost_dir':
>path   => $vhost_dir,
>ensure => directory,
>mode   => '0750',
>owner  => 'www-data',
>group  => 'root',
>  }
> }
>
> # /etc/puppet/manifests/site.pp
>
> node default {
>   class { 'webserver': }  ## no params needed, they're in hiera
>
> ## then in one of my site-wide hiera layers, I can override
> ## the value without modifying the module or class declaration
>
> # /etc/puppet/hieradata/snowflake.domain.com.yaml
> webserver::vhost_dir: '/some/other/dir'
>
> This way the module author (who probably has the most work to do and needs
> the expressiveness of the DSL) can provide default data, but site
> administrators can still override it using mechanisms they're already using.
>
> Note too that this is the next iteration, not necessarily the end state.
> It'

Re: [Puppet Users] Cloud Provisioning

[Nan Liu]

On Tue, Aug 27, 2013 at 4:45 PM, Chris McDermott  wrote:

> I'm looking for ways to manage multiple public cloud resources. Ideally I
> would like to support the following providers:
>
> AWS
> GCE
> Rackspace
> Digital Ocean
> Linode
>
> And I would like to be able to manage everything - instances, volumes,
> load balancers, IP addresses, database instances, etc. Even VPC's and their
> equivalents.
>
> I know this is totally pie-in-the-sky and there's nothing that meets all
> those needs right now, which is OK - I'm happy to pick something with good
> foundations and then help extend it. But I'm not even sure which modules to
> pick to work on. Puppetlabs has Cloud Provisioner, which claims to be what
> I'm looking for except that it only supports AWS, and then only ec2
> instances as far as I can tell. But Puppetlabs also makes a separate AWS
> module, and a GCE module. I can't find any references to Rackspace, Digital
> Ocean, or Linode.
>
> Has anyone else attempted anything like this? Is anyone currently using
> Cloud Provisioner, and if so, how is it working out?
>

IMO, describing systems as resource makes much more sense. I'm guessing
load-balancer and storage repo are private, but take a look at:

https://github.com/puppetlabs/puppet-instance
https://github.com/puppetlabs/puppet-cloud_connection

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] username/password combo for custom provider (couchbase)

[Nan Liu]

On Mon, Jul 15, 2013 at 4:54 AM, Jakov Sosic  wrote:
>
> OK, I will basically do something like this, but I will implement my own
> transport-alike resource until you guys standardize this :)
>

Disclaimer, I don't work at Puppet Labs anymore, and this will be a
personal project as time permits.

This would be great! It would certainly avoid collisions... Eg. two
> different modules (couchbase and vmware for example) both bringing
> 'transport' resource with them...
>

Yep, that's the goal. I've seen interest managing database with puppet
device, and a common module could provide a standard pattern for these type
of usages.


> It would be a good idea to merge transport into stdlib.
>

It's probably too experimental at this point for me to send PR against
stdlib.

> OK, I will basically do something like this, but I will implement my own
> > transport-alike resource until you guys standardize this :)
>
> OK, I'm having a big problem ... How can I get the values from the other
> resource?
>
> For example:
>
> couchconnection { 'default':
>   username => 'admin',
>   password => 'admin',
> }
>
> couchbucket { 'test':
>   ramsize=> '64',
>   connection => Couchconnection['default'],
> }
>
>
> So, how can I get the value of username in my couchbucket 'create method'?
>
> I would like to have something like:
>
>   def create
> username = @resource[:connection][:username]
>   end
>
>
> but that obviously doesn't work :-/
>

The one mistake in my original email was it was searching by resource by
name instead of reference, so perhaps it's as simple as fixing:

defaultto 'Transport[couch]' # or maybe defaultto "Transport['couch']"

If that's not the issue, then I'm not sure. I'll try to put together the
transport module when I get some spare time.

Thanks,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] username/password combo for custom provider (couchbase)

[Nan Liu]

Crosspost to puppet-dev to get better feedback.

On Sat, Jul 13, 2013 at 7:54 AM, Jakov Sosic  wrote:

> I'm trying to program custom type for managing Couchbase buckets.
>
> Problem is that every RW operation to Couchbase cluster (creating,
> deleting, resizing bucket) requires admin privileges (username/password).
>
>
> Do you have any suggestion how should I pass the username/password to
> provider? If I make it a param, then every resource of type
> 'couchbucket' will need to have 'username =>' and 'password =>' params,
> which will (probably) be the same across the board.
>

There's two options, one to store the username/password on server like
mysql resource (~/my.cnf), or in catalog. I had discussions where some
users prefer the former, but I'm in the later camp.

Now, to circumvent that repetition, I'm thinking of maybe setting
> something like:
>
> Couchbucket {
>   username => $::couchbase::admin_user,
>   password => $::couchbase::admin_password,
> }
>
> in the '::couchbase' class. Offcourse there will be similar settings for
> hostname and port of the couchnode, and probably something like purge =>
> true.
>

This works, just slightly cumbersome.

But still, if someone wants to use the type without including the base
> class, this is obviously not a viable option, because he will have to
> address the username/password in every couchbucket resource definition.
>
> So, what I am interested in is your opinion about how to proceed with
> this one.
>

In vmware modules, we use a transport resource to specify connectivity.

https://github.com/vmware/vmware-vcsa/blob/master/manifests/init.pp#L44-L51

Right now, transport is a resource and metaparameter, but I think there's
some value perhaps to turn it back to a regular parameter so we can specify
defaults.

Puppet::Type.newtype(:couchbucket) do
...
  newparam(:transport) do
defaultto 'couch'
  end
end

This should allow a one time specification of username password for all
resources:

transport { 'couch'
  username => ...
  password => ...,
}

couchbucket { 'a':
  #transport => 'couch' implied
}

You can find examples in the vmware module how we search the catalog to
find the transport data to initialize and reuse connection.

I've intended to convert transport to a stand alone module and support the
following usage:

1. simple store for username/password (for your exact usage).
2. transport ssh.
3. transport rest.
4. transport soap.

Maybe that would be of interest? I have some other ideas about how to take
advantage of the catalog as data, instead of just resource, but that's
probably going to deviate from this topic.

Thanks,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] What's the benefit of Virtual Resources?

[Nan Liu]

On Fri, Jul 12, 2013 at 8:11 AM, Christian Flamm <
christian.le.fl...@gmail.com> wrote:

>
>
> Am Freitag, 12. Juli 2013 17:03:11 UTC+2 schrieb Nan Liu:
>
>> On Fri, Jul 12, 2013 at 7:45 AM, Christian Flamm 
>> wrote:
>>
>>> Hi,
>>> I'm having trouble understanding the added value Virtual Resources
>>> provide. Let's say I'm having two different modules (that usually are
>>> assigned to different agents) that both contain a common resource (let's
>>> say a user). If I want to easily make it possible to assign both modules to
>>> the same agent - without suffering from the "duplicate resource
>>> declaration" error - I could make the resource definition virtual and
>>> realize it in different modules. See this simplified example.
>>>
>>> > cat $modulesdir/virtual/manifests/**init.pp
>>> class virtual {
>>>   @user { 'admin': ensure => present }
>>> }
>>>
>>> > cat $modulesdir/mailserver/**manifests/init.pp
>>> class mailserver {
>>>   realize(User['admin'])
>>>   # some more mailserver stuff...
>>> }
>>>
>>> > cat $modulesdir/webserver/**manifests/init.pp
>>> class webserver {
>>>   realize(User['admin'])
>>>   # some more webserver stuff...
>>> }
>>>
>>> > cat $manifestsdir/nodes.pp
>>>  node // {
>>>   include virtual
>>>   include mailserver
>>>   include webserver
>>> }
>>>
>>>
>>> My question: How is that different, more convenient or more flexible
>>> than extracting that admin user into its own module? Like that:
>>>
>>> > cat $modulesdir/adminuser/**manifests/init.pp
>>> class adminuser {
>>>   user { 'admin': ensure => present }
>>> }
>>>
>>> > cat $modulesdir/mailserver/**manifests/init.pp
>>> class mailserver {
>>># some more mailserver stuff...
>>> }
>>>
>>> > cat $modulesdir/webserver/**manifests/init.pp
>>> class webserver {
>>>   # some more webserver stuff...
>>> }
>>>
>>> > cat $manifestsdir/nodes.pp
>>>  node // {
>>>   include adminuser
>>>   include mailserver
>>>   include webserver
>>> }
>>>
>>>
>>> I guess I'm missing something here, or I'm using it wrong.
>>> Your help is highly appreciated,
>>>
>>
>>  In this simple case no, but think of a vinn diagram with overlapping
>> groups (such as user belonging to dbadmin/webadmin and two different teams
>> of dbadmin webadmin). You can easily realize virtual resource by tags, but
>> not so easy by splitting to class dbadmin/webadmin/db_and_**webadmin ...
>>
>> HTH,
>>
>> Nan
>>
>
> Do you mean something like this?
>
> > cat $modulesdir/virtual/manifests/**init.pp
> class virtual {
>   @user { ['a', 'b', 'c', 'd']: ensure => present }
> }
>
> > cat $modulesdir/mailserver/**manifests/init.pp
> class mailserver {
>   realize(User['a'], User['b'], User['c'])
>   # some more mailserver stuff...
> }
>
> > cat $modulesdir/webserver/**manifests/init.pp
> class webserver {
>   realize(User['b'], User['c'], User['d'])
>   # some more webserver stuff...
> }
>
> > cat $manifestsdir/nodes.pp
> node // {
>   include virtual
>   include mailserver
>   include webserver
> }
>
>
Not quite, the realize function isn't that useful, you should use <| |>
instead. I'm going to use notify as an example:

class users {
  # admin with different responsibilities:
  @notify { 'a':
tag => ['webadmin', 'dbadmin', 'prod', 'dev']
  }
  @notify { 'b':
tag => ['dbadmin', 'prod', 'dev']
  }
  @notify { 'c':
tag => ['webadmin','prod', 'dev']
  }
  # developers limited to dev environment:
  @notify { 'd':
tag => ['dbadmin', 'dev']
  }
  @notify { 'e':
tag => ['webadmin', 'dev',]
  }
}

class db ($env = 'prod') {
  include users
  Notify <| tag == 'dbadmin' and tag == $env |>
}

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] What's the benefit of Virtual Resources?

[Nan Liu]

On Fri, Jul 12, 2013 at 7:45 AM, Christian Flamm <
christian.le.fl...@gmail.com> wrote:

> Hi,
> I'm having trouble understanding the added value Virtual Resources
> provide. Let's say I'm having two different modules (that usually are
> assigned to different agents) that both contain a common resource (let's
> say a user). If I want to easily make it possible to assign both modules to
> the same agent - without suffering from the "duplicate resource
> declaration" error - I could make the resource definition virtual and
> realize it in different modules. See this simplified example.
>
> > cat $modulesdir/virtual/manifests/init.pp
> class virtual {
>   @user { 'admin': ensure => present }
> }
>
> > cat $modulesdir/mailserver/manifests/init.pp
> class mailserver {
>   realize(User['admin'])
>   # some more mailserver stuff...
> }
>
> > cat $modulesdir/webserver/manifests/init.pp
> class webserver {
>   realize(User['admin'])
>   # some more webserver stuff...
> }
>
> > cat $manifestsdir/nodes.pp
> node // {
>   include virtual
>   include mailserver
>   include webserver
> }
>
>
> My question: How is that different, more convenient or more flexible than
> extracting that admin user into its own module? Like that:
>
> > cat $modulesdir/adminuser/manifests/init.pp
> class adminuser {
>   user { 'admin': ensure => present }
> }
>
> > cat $modulesdir/mailserver/manifests/init.pp
> class mailserver {
>   # some more mailserver stuff...
> }
>
> > cat $modulesdir/webserver/manifests/init.pp
> class webserver {
>   # some more webserver stuff...
> }
>
> > cat $manifestsdir/nodes.pp
> node // {
>   include adminuser
>   include mailserver
>   include webserver
> }
>
>
> I guess I'm missing something here, or I'm using it wrong.
> Your help is highly appreciated,
>

In this simple case no, but think of a vinn diagram with overlapping groups
(such as user belonging to dbadmin/webadmin and two different teams of
dbadmin webadmin). You can easily realize virtual resource by tags, but not
so easy by splitting to class dbadmin/webadmin/db_and_webadmin ...

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Fwd: [Module team] Much ado about modules

[Nan Liu]

On Mon, Jul 8, 2013 at 9:02 AM, Ashley Penney  wrote:

> On Mon, Jul 8, 2013 at 11:12 AM, Alessandro Franceschi wrote:
>
>>
>>
>> On Saturday, July 6, 2013 1:30:15 AM UTC+2, Nan Liu wrote:
>>
>>> On Fri, Jul 5, 2013 at 11:05 AM, Ashley Penney >> > wrote:
>>>
>>>> Now that Puppetlabs has a module team we thought we should start trying
>>>> to keep the community informed as to what we're doing and why on earth
>>>> we're doing it.  I wanted to put together a short update (I'm aiming to do
>>>> these every friday) as to where we stand.
>>>>
>>>> This was our first week working full-time on Modules, and I spent a
>>>> good chunk of time this week filling in paperwork, meeting people I've only
>>>> seen on IRC, and trying to get up to speed with internal systems and tools.
>>>>  This slowed us down a little.
>>>>
>>>
>>> Hi! I'm glad to hear this is prioritized.
>>>
>>> We focused specifically on puppetlabs-mysql and puppetlabs-apt this week
>>>> to try and get the PR/issue count under control.  To give you an idea of
>>>> the progress we've made:
>>>>
>>>
>>>> puppetlabs-mysql: Closed/merged 20 PRs.
>>>> puppetlabs-apt: Closed/merged 18 PRs.
>>>>
>>>> We're going to continue iterating over different modules each week to
>>>> deal with the enormous backlog of PRs and issues and keep bashing these
>>>> into shape until we're caught up with all the community submissions.
>>>>
>>>> We appreciate each and every PR you send us (unless you forgot specs,
>>>> which makes me shout at a puppy) and hopefully we'll be able to shorten the
>>>> cycle of merging them as this work goes forward.
>>>>
>>>> As a result of this week's work we have released:
>>>>
>>>> http://forge.puppetlabs.com/**puppetlabs/apt/1.2.0<http://forge.puppetlabs.com/puppetlabs/apt/1.2.0>
>>>> http://forge.puppetlabs.com/**puppetlabs/mysql/0.8.0<http://forge.puppetlabs.com/puppetlabs/mysql/0.8.0>
>>>>
>>>
>>> Would it be possible for the module team to review Alessandro's "The
>>> handy grail of modules standards" thread and set a variable name standard
>>> moving forward? It doesn't even need to be quite as comprehensive, but some
>>> basic standard to start. We use quite a few modules as upstream, and would
>>> love to see some consistency even if it means breaking changes. Thanks
>>> again, and look forward to the great things coming out of the module team.
>>>
>>> Nan
>>>
>>
>> +1 of course.
>> We all say some naming standards are needed and we still continue to make
>> our modules in our ways.
>> For the sanity of Puppet modules ecosystem let's do something about it.
>>
>
> This is definitely something we want to do and need to do.  I've been a
> little hesitant to wade down into the whole "these are the specific
> parameter names we want to use" and building out a huge set of guidelines,
> but I do have a straightforward question for the list along these lines:
>
> We're refactoring the ntp module to try and be a little bit of a better
> design rather than one giant class.  We've been having some discussions in
> the PR about the right way to name the following options:
>
> manage_service
> ensure_package
> package_enable
>
> I was leaning towards:
>
> ensure_package
> enable_package
> ensure_service.
>
> But it's been proposed that:
>
> service_ensure
> package_enable
>

 I would agree with resource_attributes order instead of the other way
around. It also makes sense because you can just introspect the class
parameters with .sort and everything is in an easy to find order.

Thanks,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Re: [Module team] Much ado about modules

[Nan Liu]

On Mon, Jul 8, 2013 at 10:55 AM, root  wrote:

> Hello.  It would be nice if there was a way to browse all modules on
> Puppet Forge.  I can browse all the modules released by Puppet Labs @
> http://forge.puppetlabs.com/puppetlabs, (same for any author for whom I
> know the username) but as far as I know, there is no way to browse all
> modules. (Perhaps there is with the Puppet Module Tool, but I can't get
> that to work through our proxy.)
>

http://forge.puppetlabs.com/modules

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Fwd: [Module team] Much ado about modules

[Nan Liu]

On Fri, Jul 5, 2013 at 11:05 AM, Ashley Penney  wrote:

> Now that Puppetlabs has a module team we thought we should start trying to
> keep the community informed as to what we're doing and why on earth we're
> doing it.  I wanted to put together a short update (I'm aiming to do these
> every friday) as to where we stand.
>
> This was our first week working full-time on Modules, and I spent a good
> chunk of time this week filling in paperwork, meeting people I've only seen
> on IRC, and trying to get up to speed with internal systems and tools.
>  This slowed us down a little.
>

Hi! I'm glad to hear this is prioritized.

We focused specifically on puppetlabs-mysql and puppetlabs-apt this week to
> try and get the PR/issue count under control.  To give you an idea of the
> progress we've made:
>

> puppetlabs-mysql: Closed/merged 20 PRs.
> puppetlabs-apt: Closed/merged 18 PRs.
>
> We're going to continue iterating over different modules each week to deal
> with the enormous backlog of PRs and issues and keep bashing these into
> shape until we're caught up with all the community submissions.
>
> We appreciate each and every PR you send us (unless you forgot specs,
> which makes me shout at a puppy) and hopefully we'll be able to shorten the
> cycle of merging them as this work goes forward.
>
> As a result of this week's work we have released:
>
> http://forge.puppetlabs.com/puppetlabs/apt/1.2.0
> http://forge.puppetlabs.com/puppetlabs/mysql/0.8.0
>

Would it be possible for the module team to review Alessandro's "The handy
grail of modules standards" thread and set a variable name standard moving
forward? It doesn't even need to be quite as comprehensive, but some basic
standard to start. We use quite a few modules as upstream, and would love
to see some consistency even if it means breaking changes. Thanks again,
and look forward to the great things coming out of the module team.

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] variables inside variable names

[Nan Liu]

On Tue, Jul 2, 2013 at 5:53 PM, Schofield  wrote:

> Given
>
> class java::jdk_1_7_u10{
>   home=/usr/java/jdk-1.7.0-10
> }
>
> $java = jdk_1_7_u10
> $java_home = ${java::$java::home}
>
> I would like $java_home to be equal to /usr/java/jdk-1.7.0-10.  Is there
> an elegant way to make this work?  We currently use an inline template to
> make it work.
>
> java_home =>
> inline_template("<%=scope.lookupvar('java::${java}::home')%>"),
>
> But this has always felt like a hack to me so I am curious to know if
> there is a better way?  Currently running puppet 3.0.0.


Try puppetlabs-stdlib getvar function.

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] passing an environment variable to a command in a provider

[Nan Liu]

On Fri, Jun 28, 2013 at 2:03 PM, Tim Mooney  wrote:

> We have some custom types & providers related to mysql (mysql_user,
> mysql_grant, mysql_db) written by an admin that's no longer here.  The
> provider just uses the mysql command to run various commands, e.g:
>
> Puppet::Type.type(:mysql_user)**.provide(:mysql) do
> desc "Provider for a mysql user"
>
> optional_commands :mysql => 'mysql'
>
> mk_resource_methods
>
> def create
> debug "mysql_user create"
> @property_hash[:ensure] = :present
> mysql('mysql','-e',"create user '%s' identified by '%s';" %
> [@resource[:name].sub("@","'@'**"),@resource[:password]])
> end
>
> def flush
> debug "in flush"
> mysql('mysql','-e','flush privileges;')
> @property_hash.clear
> end
>
> # other stuff elided
> end
>
> For this particular provider/type to work, though, it requires that
> you actually have root's environment, because it relies on reading some
> config from /root/.my.cnf.
>
> That means that on most of our hosts, doing
>
> sudo puppet agent --test
>
> works fine, but on hosts where we use our mysql module with the custom
> types and provider, we can't do that.  We instead have to
>
> sudo su -
> puppet agent --test
>
> to make certain we've picked up root's environment, specifically HOME.
>
> What I would like to do is augment the provider so that the mysql command
> is always invoked with the environment augmented with HOME=/root or
> (even better) HOME=roots_home_from_facter.
>
> I'm not certain how to pass an environment variable to an external command
> that's invoked as part of a puppet provider, though, and the searches I've
> done so far haven't turned up anything helpful.
>
> Can anyone that's familiar with writing types and providers shed some
> light on what I should be doing to augment this?  I know this is as much
> ruby ignorance as puppet ignorance, but I have to believe that there are
> people here that can point me in the right direction.
>

In Puppet 3, home environment can be passed something like:

has_command(:brew, 'brew') do
  environment({ 'HOME' => ENV['HOME'] })
end

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Re: Node collecting its own exported resource

[Nan Liu]

On Thu, Jun 27, 2013 at 5:55 AM,  wrote:

>
>
> On Thursday, June 27, 2013 7:26:34 AM UTC-4, Ken Barber wrote:
>>
>> Perhaps if you can provide a code snippet like the simplified case
>> above we can take a look at what is going wrong. Also - what version
>> of Puppet are you running?
>>
>
>  > facter puppetversion
> 2.7.21 (Puppet Enterprise 2.8.2)
>
> Your code snipped doesn't work because, according to the Exported
> Resources docs[1], 'storeconfigs' is enabled in the [master] section of
> puppet.conf, and therefore isn't set for 'puppet apply'.
>
> I built a small module though and tried with that and it works... so now
> I'm trying to figure out what's different about that vs. my actual use
> case.  I'm at a loss.
>
> This is the part of the manifest that's the problem.  In the block below,
> ${site} is a custom fact that gives me the data centre name, and it's
> pulled from the FQDN of the server; ${pad_index} is a zero-padded customer
> number, to give a simplified explanation.
>
> This bit is part of a larger collection of files that are assembled into a
> final config by the Exec that's referenced.  There are two "mgmt" class
> servers, and the first @@file resource is never picked up in the File
> <<||>> collector by the node where it was defined.  That is, mgmt1 gets
> mgmt2's resource, but not its own.  I had to stick in the second,
> non-exported resource, to make it work.  Note that even though the exported
> resource doesn't get realized, I'm still seeing duplicate declarations if I
> have the two resources named the same, thus the 'exported' and 'own'
> strings added to the resource titles.
>
> # This needs to go on *both* mgmt servers (one from each) so
> it's
> # an exported resource just like from the app servers.
> @@file { "${pad_index}-${title}-${fqdn}-exported-hcdV.conf":
> path=>
> "${hcdVdir}/healthcheckd.conf.d/${pad_index}-${fqdn}.
> conf",
> owner   => $::aconfig::params::user,
> group   => $::aconfig::params::group,
> mode=> 0644,
> content => template("aconfig/hcdV-instance-mgmt.conf.erb"),
> notify  => Exec["hcdV.conf-${title}-refresh"],
> tag => "hcdV.conf-${title}-${site}",
> }
> # Temporary workaround .. exported resources aren't picked up
> by
> # the server that defined them, so we have to define this
> resource
> # twice.  One of these will probably start throwing an error
> when
> # the bug is fixed.
> file { "${pad_index}-${title}-${fqdn}-own-hcdV.conf":
> path=>
> "${hcdVdir}/healthcheckd.conf.d/${pad_index}-${fqdn}.conf",
> owner   => $::aconfig::params::user,
> group   => $::aconfig::params::group,
> mode=> 0644,
> content => template("aconfig/hcdV-instance-mgmt.conf.erb"),
> notify  => Exec["hcdV.conf-${title}-refresh"],
> tag => "hcdV.conf-${title}-${site}",
> }
>
> #
> # collects all the hcdV config files for this site/vertical
> File <<| tag == "hcdV.conf-${title}-${site}" |>>
>
> Perhaps another pair of eyes will pick up what I'm missing... why is the
> behaviour here different from the simplified test?  For reference, this was
> my test module, which worked as expected:
>

Might be the usage of dash in the tag. Puppet had a series of bugs related
to dash. I would look at the generated catalog and see what are the tags
associated with the resource. For example:

reference:
File[/opt/puppet/libexec/mcollective/mcollective/agent/package.ddl]
tags:
  - file
  - class
  - "pe_mcollective::server::plugins"
  - pe_mcollective
  - default

This should confirm whether the bug is with usage of dash or collection of
resources.

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Conditional statement =,<,> etc.

[Nan Liu]

On Thu, Jun 27, 2013 at 2:22 AM, David Jarosch  wrote:

> Hello guys :),
>
> I'm kind of new to Puppet and stuck in defining a conditional statement.
> Here my problem:
>
> I want to provide different apt/source.list for different versions of
> Debian, 6.0.x and 7.0.x, which also run different versions of Puppet, 2.7.x
> and 3.2.x. My first idea was to use facters variable
> operatingsystemmajrelease and define like this:
>
> file { '/etc/apt/sources.list':
>source  => $operatingsystemmajrelease ? {
>  6 => 'puppet:///modules/apt/sources.list_debian6',
>  7 => 'puppet:///modules/apt/sources.list_debian7',
>},
>owner   => 'root',
>group   => 'root',
>mode=> '0644',
> }
>
> This works nice for Puppet 3.2.2, but this variable isn't available on the
> 2.7.x hosts :/. Next idea, use the facter operatingsystemrelease variable,
> but I can't find a resource to describe something like:
>

Probably facter version. It's possible to upgrade to a later version for
the 2.7 series.


> if the $operatingsystemrelease is bigger/equal then 6.0.0 but smaller then
> 7.0.0 then provide source.list.debian6
> if else $operatingsystemrelease is bigger/equal 7.0.0 then provide
> source.list.debian7
> else do nothing
>
> Maybe someone can me point in the right direction, would be very nice :).
>

Try the versioncmp function.

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Is it possible to pass extra flags to Puppet via rspec?`

[Nan Liu]

On Wed, Jun 26, 2013 at 9:28 PM, Justin Stoller wrote:

> In puppetlabs_spec_helper/puppet_spec_helper[1] which was based on a file
> in Puppet[2] the confdir and vardir are explicitly set to '/dev/null' which
> causes the modulepath you're seeing in Puppet "proper".
>
> I believe, however the subject catalog/function that is tested in each
> example group (unless you explicitly create a subject yourself) should mask
> that value with what ever is passed into RSpec.configure (like the
> modulepath setting in module_spec_helper) for its
> compilation/initialization[3][4].
>

Thanks for the clarification, that would certainly explain why I'm seeing
/dev/null in module path.

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] most current method of configuring cisco (and force10?) devices

[Nan Liu]

On Tue, Jun 25, 2013 at 3:30 PM, Wolf Noble  wrote:

> I've been asked to explore the landscape of network device management via
> puppet.
>

There are two approaches, either run an agent on the device such as
juniper, or manage through a proxy agent.

in particular, I'm looking to support cisco, and force10 switches.
>

I'm not sure the cisco device support that's built in is very robust at the
moment. I've heard someone mention a demo of cisco one pk, but haven't seen
the module anywhere.

I know about the network device system, I'm wondering if that's the way to
> go for both cisco and force10, or if there's a better way for one or both?
>

I'm assuming you are willing to roll your sleeve to implement this.
Emulating what the network admin would type via CLI is going to be brittle
(i.e. ios commands), so I would look at the device API docs to get a better
idea what it takes to manage them.

I've seen the Juniper netdev module, but haven't the gear to play with it.
>

I think the netdev module is easier to follow than the cisco resource to
get an idea what is needed to implemented a device resource. IMO, you don't
need to adhere to device resource type, and it's actually easier to
implement support through regular puppet resources.

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Is it possible to pass extra flags to Puppet via rspec?`

[Nan Liu]

On Wed, Jun 26, 2013 at 7:23 PM, Amos Shapira wrote:

> I'm writing my first puppet function rspec test and am having a problem
> which I don't see how to solve.
>
> The function (and the test) involve access to files through the File
> Server. In order for the function (and the test) to work I need to pass
> "--fileserverconf=fileserver.conf" parameter to Puppet.
>
> So far I haven't found a way to do that.
>
> If I understand the rspec-puppet source at
> https://github.com/rodjek/rspec-puppet/blob/master/lib/rspec-puppet.rbcorrectly
>  then the list of parameters I can pass is limited to the ones
> mentioned in lines 16-22. Am I right?
>
> Does anyone know how can I pass other parameters, or otherwise affect
> Puppet's configuration to set this value?
>

Oddly enough, you can't depend on rspec-puppet to configure the settings
for spec test. For example, puppetlab's spec helper configures the
modulepath [1] to include spec/fixtures/modules, but this does not seem to
configure Puppet[:modulepath] setting. For whatever reason, puppet loads
the modules correctly from spec/fixtures/modules, but when you debug the
spec test, it appears to set the module path to:

(rdb:1) p Puppet[:modulepath]
"/dev/null/modules:/usr/share/puppet/modules"

You can do what Wolf suggested. File server conf is somewhat inconsistent,
since the setting is actually: Puppet[:fileserverconfig].

HTH,

Nan


1.
https://github.com/puppetlabs/puppetlabs_spec_helper/blob/master/lib/puppetlabs_spec_helper/module_spec_helper.rb#L21-L24

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Puppet Enterprise 3.0 now available!

[Nan Liu]

On Wed, Jun 26, 2013 at 1:33 AM, DEGREMONT Aurelien <
aurelien.degrem...@cea.fr> wrote:

> It is difficult to find what's inside Puppet Enterprise (which puppet
> version, etc...).
> I'm particularly interested to understand what was changed to have such
> gain in performances.
>

I believe it's Puppet 3.2.2 and MC 2.2.4. Puppet 3 is overall significantly
faster than Puppet 2.7:
http://somethingsinistral.net/blog/the-angry-guide-to-puppet-3/#puppet-3-is-fast

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Certificate problems

[Nan Liu]

On Thu, Jun 6, 2013 at 7:52 AM, Andthepharaohs  wrote:

> Hi all - my head hurts! ;-)
>
> I am getting this error on my agent host:
>
> err: /Stage[main]/Testfiles/File[/tmp/test1]/content: change from
> {md5}d41d8cd98f00b204e9800998ecf8427e to
> {md5}6be3210bf77dea7c998e13ba69e5f06e failed: Could not back up /tmp/test1:
> Server hostname 'ncqd-isghub01' did not match server certificate; expected
> one of ncqd-isghub01.nott.ime.reuters.com, DNS:
> ncqd-isghub01.nott.ime.reuters.com, DNS:puppet, DNS:
> puppet.nott.ime.reuters.com
>

You are connecting to the master using the option --server 'ncqd-isghub01',
but did not list that in the dns_alt_names option when you generated the
master cert.

See
http://docs.puppetlabs.com/pe/2.0/maint_common_config_errors.html#do-agents-trust-the-masters-certificateand
follow "Are Agents Contacting the Master at a Valid DNS Name?".

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Re: puppet master --compile

[Nan Liu]

On Tue, Jun 4, 2013 at 7:12 AM, jcbollinger wrote:

> - what are the exit statuses that I need to catch?
>>
>
> Others will have more specific information there, but I would expect to
> see status 0 if compilation is successful, else nonzero.
>

Not sure this is all that reliable, yes it will catch compilation errors,
but a successfully generated catalog can still fail to even run on the
client due to missing resource dependency. If you wish to compile a catalog
and make some assertions about the results, rspec-puppet is the way to go.

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Run a File resource only if another file is missing

[Nan Liu]

On Fri, May 31, 2013 at 1:00 AM, Matthias Saou  wrote:

> There are other ways. None are nice and clean, but a custom fact just
> for this seems overkill.
>
> Here's a quick example of how I've implemented creating a default
> ~/.gitconfig for users if it doesn't exist, but not modify it if it's
> already there or has been modified.
>
> $gitconfig_user_name = $mymodule::uservar::fullname[$title]
> $gitconfig_user_email = "${title}@example.com"
> file { "${home}/.gitconfig":
>   owner   => $owner,
>   group   => $group,
>   mode=> '0644',
>   require => Exec["create-gitconfig-${title}"],
> }
> exec { "create-gitconfig-${title}":
>   command => template('mymodule/user/gitconfig.erb'),
>   require => User[$title],
>   creates => "${home}/.gitconfig",
> }
>

A bit off topic, but you should use file attribute replace => false instead
of an exec.

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Issue with Puppet & Packages which are installed multiple times

[Nan Liu]

On Tue, May 28, 2013 at 3:57 AM, bjoern pohl wrote:

> Hi,
> hopefully this hasn't been discussed too often, haven't found anything in
> the group:
>
> I'm having some issues when a package gets installed twice ( x86 & x64
> version).
> #system is a RHEL5/x64 system.
> *#following manifest:*
> [root@kermit ~]# cat install_expect.pp
> package { 'expect':
> ensure => present,
> }
> *#ok, let's apply*
> [root@kermit ~]# puppet apply install_expect.pp
> Notice: /Stage[main]//Package[expect]/ensure: created
> Notice: Finished catalog run in 14.25 seconds
>
> *#let's see what we've got*
> [root@kermit ~]# rpm -qa|grep expect
> expect-5.43.0-8.el5
> expect-5.43.0-8.el5
> *#so we have two versions installed ( in fact it's the x64 and x86
> version. for whatever reason yum installs both ( it's yum, a dry-run with
> yum results in the same situation)
> #I would not have expected this for expect ( :) ) , but for libs that's
> normal on an x64 system.*
> *
> #ok, lets uninstall expect*
> [root@kermit ~]# cat uninstall_expect.pp
> package { 'expect':
> ensure => absent,
> }
> [root@kermit ~]# puppet apply uninstall_expect.pp
> Notice: /Stage[main]//Package[expect]/ensure: removed
> Notice: Finished catalog run in 0.27 seconds
>
> [root@kermit ~]# rpm -qa|grep expect
> expect-5.43.0-8.el5
> *#here's my problem - there's still one left.*
>
> *#2nd run:*
> [root@kermit ~]# puppet apply uninstall_expect.pp
> Notice: /Stage[main]//Package[expect]/ensure: removed
> Notice: Finished catalog run in 0.61 seconds
> [root@kermit ~]# rpm -qa|grep expect
> [root@kermit ~]#
> *#now it's completely absent*
>
> Any Idea how I can avoid multiple runs to completely remove it ( so,
> basically what rpm -e --allmatches  would do )?
>

The behavior you are seeing is actually the one noted in the provider
code[1]. I'm not sure why it was implemented this way since removing both
seems to be the correct action. I would open a ticket since this requires a
change to the rpm package provider.

Thanks,

Nan

1.
https://github.com/puppetlabs/puppet/blob/master/lib/puppet/provider/package/rpm.rb#L120-L124

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] puppet apply -- override node name, module path

[Nan Liu]

On Fri, May 24, 2013 at 3:39 PM, Martin Langhoff
wrote:

> Hi folks,
>
> testing puppet configs, I have
>
>   /home/martin/mytestingpuppetconfigs/{manifests,modules}
>
> and while working in there, I would like to be able to say something
> along the lines of:
>
>  puppet apply --noop --nodename=foo01 --modulepath=./modules
> manifests/site.pp
>
> which should tell me what puppet wants to do to my system.
>
> Is there any practical way to achieve this? I am not planning on
> having one test VM per "victim" system :-p


I believe you can do:

puppet apply --certname=foo01 ...


HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Custom function help: works locally, "wrong header line format" error on master

[Nan Liu]

On Tue, May 14, 2013 at 5:14 PM, David Pires  wrote:

> I have a custom function (
> http://docs.puppetlabs.com/guides/custom_functions.html) working locally
> using `puppet apply --modulepath=` and a test manifest.
>
> The issue I am having is when I run it on a node I get a "wrong header
> line format" error on the puppet master and I can't figure out why. It is
> not a erb template issue as I have tested all my erb's and they are fine, I
> have pinpointed the error to wherever I use the function.
>
> I have run through all the troubleshooting steps (irb, ruby -rpuppet etc.)
> they all work correctly. The same error occurs whether I use the function
> in my main site manifest or through a module class.
>
> Any help to further debug this is appreciated.
>

On the master try 'puppet master --compile  --trace'

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Re: Puppermaster certificate expired

[Nan Liu]

On Thu, May 9, 2013 at 3:57 PM, Stefan Schulte <
stefan.schu...@taunusstein.net> wrote:

> On Thu, 9 May 2013 17:10:51 +0200
> Lorenzo Salvadorini  wrote:
>
> > 2013/5/9 Nicolai Mollerup 
> >
> > > Anyway I think the easy way is to setup some autosigning of clients
> > > after creating a new CA.
> > > Think you will have to clean the ssl-dir on clients for this to
> > > work, though.
> > >
> > > Since we are going to make a brand new puppetmaster here sometime
> > > before our CA expires that will be my approach to make the
> > > transition smoother.
> > >
> >
> > we are exactly at the same point: currently moving our puppetmaster on
> > another host, struggling against CA hostname in SSL Certificates and
> > thinking how to approach the refresh of all certificates on agents.
>

There's some older thread when Puppet first hit this 5 year anniversary. I
recall trying a few things, and one that only required updating the CA cert
in the environment, but there's no avoiding touching every client once the
CA cert expired.


> > Autosigning for some day could be a good approach for us too, since
> > we have our racks with predefined networks IPs and master on amazon,
> > so amazon agents can contact master via internal network.
> >
> > We already manage agents configuration with a puppet module, do you
> > think we can do the SSL substitution with a recipe in puppet itself?
> >
>
> I'd not try to remove ssl certificates during a puppetrun because I
> expect that every file resource with a `source` parameter will fail
> after that point and the agent would not be able to send the last report
> to the old master.
>
> We had a slightly different approach when migrating our agents to a new
> master. We run puppet out of cron and the cronentry is also managed by
> puppet. Now we have the following simplified puppet::agent class:
>
> # need_migration is mostly calculated by checking the agent's
> # version and the current puppetmaster
> if $need_migration {
>   $cron_command = '/var/lib/puppet/migrate.sh'
> }
> else {
>   $cron_command = '/usr/bin/puppet agent'
> }
>
> cron { 'puppet_clientrun':
>   command => $cron_command
> }
>
> If an agent contacts the old puppetmaster and need_migration evaluates
> to false, the agent will replace its cronjob with the migration script,
> so in the next interval we run the migration script instead of the
> puppet agent.
>
> The migration script updates the puppet software, updates the server
> setting in puppet.conf and erases the ssl directory (this is only done
> once in case the migrate.sh is executed more than once). The migrate.sh
> script will also trigger a normal puppetrun as the last step, so
> the puppet agent will create new certificates. The `migrate.sh` keeps
> running every hour until someones signes the new certificate request
> on the new master. Once the request is signed and the agent is able to
> contact the new mater, the $need_migration will evaluate to false and
> the migrate.sh in cron is replaced with the normal puppet agent
> invocation.
>
> This way we keet the removal of the ssl directory completly outside of
> puppet. We can also be sure that hosts that had puppet temporarily
> disabled will be instructed to migrate after they contact the (old)
> master again.


Off the top of my head, the ssldir option + server option should allow
migration to new server while keeping two different set of ssl keys as you
move the system to another master with a different CA. A mcollective puppet
plugin that supports both option might be useful for this kind of migration.

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Running all apt source and update operations first, best practice.

[Nan Liu]

On Thu, May 9, 2013 at 11:52 AM, James Kyle  wrote:

> I've run into several incidences where a module attempts to install a
> package before the apt::source is added or an update is run. Result is a
> bunch apt errors and explosions.
>
> Basically what should be done is all the apt::sources are added and and an
> update run _before_ any packages are installed to ensure you're pulling
> from the repos you want.
>
> I've gone through several iterations in my attempt to achieve that
> behavior. The one that works best so far is stages and wrapper classes.
> Here's a terse example of what it looks like:
>
> class myorg::common {
>   include stdlib
>
>   Apt::Source {stage => "setup"}
>
>   apt::source { 'puppetlabs':
> location   => 'http://apt.puppetlabs.com',
> repos  => 'main',
> key=> '4BD6EC30',
> key_server => 'pgp.mit.edu',
>   }
>
>   Exec['apt_update'] -> Package<|  title != 'ubuntu-cloud-keyring' |>
> }
>
> node 'foo.bar.com' {
>   include stdlib
>
>   class {'myorg::common': stage => "setup"}
> }
>
>
> One thing that bothers me is you have to declare the stage for
> myorg::common in every node that uses it. And as the name implies, that's
> every node.
>
> Is there a way to get rid of that duplication? I've thought of node
> inheritance, but the docs seem to strongly steer you away from that pattern.
>

Doesn't the relationship do the right thing without stages? Does this work?

class myorg::common (
  $staging  = 'setup',
) { ...

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Puppet 3.1.1, hiera and parameter autoload

[Nan Liu]

On Thu, May 2, 2013 at 10:32 AM, David Campos  wrote:

> Hello all,
>
> I don't know if I have hit a strange bug or it's just an incorrect
> interpretation about how parameter autoloading works... Today I have been
> searching, analysing and about to hit my head against a wall trying to
> figure out why a call to hiera_hash was not merging data from top level
> among different hierarchies. The problem was that I was trying to do
> something like this:
>
> class jenkins::slave (
>   $client = hiera_hash("jenkins::slave::client"),
>   $connection = hiera_hash("jenkins::slave::connection"),
>   $config= hiera_hash("jenkins::slave::config"),
>   $security = hiera_hash("jenkins::slave::security")) {
>
>
> My idea was as simple as to retrieve data from 4 hashes and later on work
> with that data but with the advantage to have that data defined into a
> lower level (a sort of common class or project hierarchies) and refine at
> leafs. All did compile and run smoothly but the results were not what I
> expected. Leafs did have preference but they did set the whole value, no
> merge was being done on top level variables that were not being defined at
> leaf hierarchy (or the one that first made a match). Hashes were acting as
> priority scope: first hit -> return.
>
> After playing with lower classes, reinstalling, trying older versions and
> including a lot of extra loggers I did try a desperate attempt without
> hope: change one of the variables name into something different from other
> classes (it did happen that jenkins::slave::config did conflict with
> another class but that class was being processed and the variable and class
> should be different kinds)...
>
> class jenkins::slave (
>   $client   = hiera_hash("jenkins::slave::client"),
>   $connection   = hiera_hash("jenkins::slave::connection"),
>   $slave_config = hiera_hash("jenkins::slave::config"),
>
>   $security   = hiera_hash("jenkins::slave::security")) {
>
>
> And magic happened! $slave_config variable was doing merge but not the
> others! I did not understand why the others were not working (they were not
> colliding with anything in my code) but then a voice came to my mind...
> Puppet 3.x did include a new feature, parameter autoload through hiera...
> And it works... But removes the explicit functionality that was my call to
> hiera_hash!
>
> Is that behavior correct? Is it a bug?
>

It's behaving as specified, but unfortunately a bit retarded for your use
case. If you translate your manifests per specification of what Puppet 3 is
implicitly doing, it's a bit clearer why it behaves that way:

#whoops, use hiera results
class jenkins::slave (
  $config = hiera('jenkins::slave::config',
hiera_hash("jenkins::slave::config")),
) {

#uses hiera_hash since slave_config does not exist.
class jenkins::slave (
  $slave_config = hiera('jenkins::slave::slave_config',
hiera_hash("jenkins::slave::config")),
) {

I guess either change heira variable and use something like
jenkins::slave::config_hash or avoid the implicit lookup by declaring the
variable inside the class.

class jenkins::slave (
  $config = hiera_hash("jenkins::slave::config_hash"),
) {

class jenkins::slave {
  $config = hiera_hash("jenkins::slave::config")

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] compare md5

[Nan Liu]

On Thu, May 2, 2013 at 6:31 AM, Roque Moyano  wrote:

> I wanna to download a file and compare the md5 result of it with the md5
> file downloaded, is there any way to do it? Is to verify that the file was
> downloaded correctly. I did it but it doesn't work me
>
> exec {'download-FILE-tgz':
> user => $user,
> cwd  => $tmpdir,
> path => '/usr/bin',
> provider => 'shell',
> command  => "wget --no-proxy -q -O ${tgzfilename}
> ${packageurl}",
> onlyif => [ "test \"$(curl ${packageMd5})\" !=
> \"$(md5sum ${tmpdir}/${tgzfilename} | awk {'print $1'})\" "]
> }


Take a look at Branan's s3 file example:

https://github.com/branan/puppet-module-s3file

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Re: Windows Firewall Question

[Nan Liu]

On Thu, Mar 7, 2013 at 5:50 PM, ad  wrote:

> Hey David
>
> Below are some examples. Note these are used on embedded Windows 7
> (6.1.7601) and I've never tested them on servers (we run mostly Linux
> servers). I also have examples for XP (5.1.2600) if you want, it's a lot
> different.
>
> The first 6 are just for enabling the firewall and allowing exceptions.
> Obviously you may not want to enable the non-domain profiles.
>
>   # Enable firewall
>   # Note: In Windows7, it seems the gui doesn't reflect enabling/disabling
> the firewall in the registry until a reboot.
>   registry_value {
> 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall':
> ensure => present,
> type   => 'dword',
> data   => '1',
>   }
>
>   registry_value {
> 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall':
> ensure => present,
> type   => 'dword',
> data   => '1',
>   }
>
>   registry_value {
> 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall':
> ensure => present,
> type   => 'dword',
> data   => '1',
>   }
>
>   # Allow exceptions
>   registry_value {
> 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions':
> ensure => present,
> type   => 'dword',
> data   => '0',
>   }
>
>   registry_value {
> 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\DoNotAllowExceptions':
> ensure => present,
> type   => 'dword',
> data   => '0',
>   }
>
>   registry_value {
> 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions':
> ensure => present,
> type   => 'dword',
> data   => '0',
>   }
>
> Here's an example for opening a port:
>
>   # enable Edge
>   registry_value {
> 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\PopstarEdge':
> ensure => present,
> type   => 'string',
> data   =>
> 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=8080|LPort=443|Name=PopstarEdge|',
>   }
>
> Some other examples
>
>   # enable public ping
>   registry_value {
> 'HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\PopstarPing':
> ensure => present,
> type   => 'string',
> data   =>
> 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=1|ICMP4=8:*|Name=PopstarPing|',
>   }
>
>   # disable Remote Assistant
>   # Note: when you set this in Advanced System Settings it also changes a
> bunch of firewall rules that we aren't doing yet
>   registry_value { 'HKLM\SYSTEM\CurrentControlSet\Control\Remote
> Assistance\fAllowToGetHelp':
> ensure  => present,
> type=> 'dword',
> data=> '0',
>   }
>

The registry keys for enabling is helpful, but Windows 2008r2 is not happy
with registry added firewall rules (see attach). I'm guessing they
function, but doesn't work correctly in the UI. I suppose netsh advfirewall
is the way to go.

Thanks,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.


<><>

Re: [Puppet Users] Custom type and provider development

[Nan Liu]

On Thu, Mar 7, 2013 at 1:38 PM, Nan Liu  wrote:

> On Thu, Mar 7, 2013 at 8:47 AM,  wrote:
>
>>
>> Hi,
>>
>> I'm very new to Ruby, and pretty new to Puppet so apologies if this is a
>> bit Puppet custom type development 101.
>>
>> We currently have a whole bunch of Windows services that are written in
>> .Net.  They are really simple and so we don't bother creating MSI installs
>> for them and just use InstallUtil.exe called from a script.
>> I'm looking at creating a simple Puppet type and provider that will allow
>> me to install the service (via InstallUtil) if it doesn't already exist (as
>> opposed to using an exec resource in which it is hard to determine if the
>> service exists as a conditional).
>>
>> Now, there are many different flavours of .Net in use, and some are
>> 32bit, some 64 bit.  This means that I need to be able to specify what
>> version of installutil.exe to use.
>> Currently the type has a bunch of parameters (not properties) to specify
>> this.  E.g.
>> dotnetwinservice {'MyService':
>> ensure=> present,
>> dotnetversion => '4.0.30319',
>> sixtyfourbit  => false,
>> path  => 'c:\program files(x86)\myapp\myapp.exe',
>> }
>>
>> My question is, in the provider code what is the best way to dynamically
>> determine the installutil path?  All of the examples i can find setting a
>> command are not dynamic (i.e. the full command path is known without
>> looking at parameter values).
>>
>> My provider code looks like the below...
>> The INSTALLUTIL value is currently hard coded. I'd like to do something
>> like the commented out code but it doesn't appear as though either
>> @property_hash or @resource have values at the time of execution (I get
>> undefined method [] for nil:nilClass error).
>>
>> Puppet::Type.type(:dotnetwinservice).provide(:dotnetwinservice) do
>> desc "DotNet Windows Service"
>>
>>   confine :operatingsystem => :windows
>>   defaultfor  :operatingsystem => :windows
>>
>>   #dotnetframeworkversion = @resource[:sixtyfourbit] ? 'Framework64' :
>> 'Framework'
>>   #installutilpath =
>> "#{ENV['SYSTEMROOT']}\\Microsoft.NET\\Framework\\#{@resource[:dotnetversion]}\\InstallUtil.exe"
>>
>>   #INSTALLUTIL =
>>   #  if File.exists?(installutilpath)
>>   #installutilpath
>>   #  else
>>   #raise Puppet::Error.new("Cannot find installutil.exe for
>> dotnetversion #{@property_hash[:dotnetversion]} at #{installutilpath} " )
>>   #  end
>>
>>   INSTALLUTIL =
>> "#{ENV['SYSTEMROOT']}\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"
>>
>>   commands :installutil => INSTALLUTIL
>>
>>
>>   def create
>>   installutil("/unattended", @resource[:path])
>>   end
>>
>>   def destroy
>>   installutil("/u", "/unattended", @resource[:path])
>>   end
>>
>>   def exists?
>>   Win32::Service.exists?( @resource[:name] )
>>   end
>>
>> end
>
>
> See example here, you should be able to do something similar:
>
> https://github.com/puppetlabs/puppetlabs-dism/blob/master/lib/puppet/provider/dism/dism.rb#L7-L13
>
>
Rethinking a bit more since you need access to a provider parameter, you
may need to do something closer to this:

commands :default_installutil => INSTALLUTIL

def installutil(*args)
  if @resource[:dotnetversion]
args.unshift "#{ENV['SYSTEMROOT']}\\Microsoft.NET\\Framework\\#{@
resource[:dotnetversion]}\\InstallUtil.exe"
Puppet.debug("Executing '#{args.inspect}'")
execute(args, :failonfail => true)
  else
default_installutil *args
  end
end

def create
  installutil("/unattended", @resource[:path])
end

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Pattern for Associating Module versions with Nodes

[Nan Liu]

On Thu, Mar 7, 2013 at 2:43 PM, Mohamed Abbas wrote:

>  On 3/7/13 1:51 PM, Nan Liu wrote:
>
> On Thu, Mar 7, 2013 at 12:42 PM, Mohamed Abbas wrote:
>
>> I'm wondering what is the canonical way of associating "specific"
>> versions of a module to a node? Is there a way of doing this in puppet? Let
>> me explain a "Use Case" of what I'm trying to accomplish:
>>
>> Say we have created a puppet model called apache to manage and configure
>> apache webserver.
>> We have the apache module under version control and there are several
>> versions.
>> We use puppet to apply apache-1.0.3 across an entire "environment"
>> We want to be able to do a rolling upgrade across that entire
>> environment, where some nodes in the environment have apache-1.0.3 and
>> other have apache-1.1.2.
>>
>> From what I understand of puppet, there is no way of associating a
>> specific version of a module to a specific node. The only way of doing that
>> would be to "embed" a version tag in the module/class name. However that is
>> ugly and does not work well with version control systems.
>>
>> Any suggestions of to accomplish this using puppet?
>>
>
>  Github's boxen project powered by librarian-puppet, or r10k:
> https://github.com/adrienthebo/r10k are good examples using Puppetfile
> for module version control.
>
>
> Thanks Nan. I looked at both and they address a different defined-problem
> than the one I'm trying to address. What librarian-puppet and the boxen and
> r10k solution you mentioned allow you to do is(per my understanding and
> experience with using librarian-puppet):
>
>- To populate a modules sub-directory dynamically by using a
>"Puppetfile" where you can pull different modules from different sources
>and being able to specify which version to pull in. Once the modules
>directory is populated, what is available to you to use in Puppet is still
>a *single *version of that module.
>
> The defined-problem I'm trying to see if puppet addresses or create a new
> solution to address it:
>
>- Having multiple instances of a module of different version number
>available in the modules sub-directory where I can freely associate
>different 2 different nodes to differing versions of the same module.
>
> They are typically used to populate the master. But I'm using per system
Puppetfile with 'puppet apply' instead. I suppose this won't meet your
requirements if you need multiple module versions on the master to compile
different versions per node.

Thanks,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Pattern for Associating Module versions with Nodes

[Nan Liu]

On Thu, Mar 7, 2013 at 12:42 PM, Mohamed Abbas wrote:

> I'm wondering what is the canonical way of associating "specific" versions
> of a module to a node? Is there a way of doing this in puppet? Let me
> explain a "Use Case" of what I'm trying to accomplish:
>
> Say we have created a puppet model called apache to manage and configure
> apache webserver.
> We have the apache module under version control and there are several
> versions.
> We use puppet to apply apache-1.0.3 across an entire "environment"
> We want to be able to do a rolling upgrade across that entire environment,
> where some nodes in the environment have apache-1.0.3 and other have
> apache-1.1.2.
>
> From what I understand of puppet, there is no way of associating a
> specific version of a module to a specific node. The only way of doing that
> would be to "embed" a version tag in the module/class name. However that is
> ugly and does not work well with version control systems.
>
> Any suggestions of to accomplish this using puppet?
>

Github's boxen project powered by librarian-puppet, or r10k:
https://github.com/adrienthebo/r10k are good examples using Puppetfile for
module version control.

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Custom type and provider development

[Nan Liu]

On Thu, Mar 7, 2013 at 8:47 AM,  wrote:

>
> Hi,
>
> I'm very new to Ruby, and pretty new to Puppet so apologies if this is a
> bit Puppet custom type development 101.
>
> We currently have a whole bunch of Windows services that are written in
> .Net.  They are really simple and so we don't bother creating MSI installs
> for them and just use InstallUtil.exe called from a script.
> I'm looking at creating a simple Puppet type and provider that will allow
> me to install the service (via InstallUtil) if it doesn't already exist (as
> opposed to using an exec resource in which it is hard to determine if the
> service exists as a conditional).
>
> Now, there are many different flavours of .Net in use, and some are 32bit,
> some 64 bit.  This means that I need to be able to specify what version of
> installutil.exe to use.
> Currently the type has a bunch of parameters (not properties) to specify
> this.  E.g.
> dotnetwinservice {'MyService':
> ensure=> present,
> dotnetversion => '4.0.30319',
> sixtyfourbit  => false,
> path  => 'c:\program files(x86)\myapp\myapp.exe',
> }
>
> My question is, in the provider code what is the best way to dynamically
> determine the installutil path?  All of the examples i can find setting a
> command are not dynamic (i.e. the full command path is known without
> looking at parameter values).
>
> My provider code looks like the below...
> The INSTALLUTIL value is currently hard coded. I'd like to do something
> like the commented out code but it doesn't appear as though either
> @property_hash or @resource have values at the time of execution (I get
> undefined method [] for nil:nilClass error).
>
> Puppet::Type.type(:dotnetwinservice).provide(:dotnetwinservice) do
> desc "DotNet Windows Service"
>
>   confine :operatingsystem => :windows
>   defaultfor  :operatingsystem => :windows
>
>   #dotnetframeworkversion = @resource[:sixtyfourbit] ? 'Framework64' :
> 'Framework'
>   #installutilpath =
> "#{ENV['SYSTEMROOT']}\\Microsoft.NET\\Framework\\#{@resource[:dotnetversion]}\\InstallUtil.exe"
>
>   #INSTALLUTIL =
>   #  if File.exists?(installutilpath)
>   #installutilpath
>   #  else
>   #raise Puppet::Error.new("Cannot find installutil.exe for
> dotnetversion #{@property_hash[:dotnetversion]} at #{installutilpath} " )
>   #  end
>
>   INSTALLUTIL =
> "#{ENV['SYSTEMROOT']}\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"
>
>   commands :installutil => INSTALLUTIL
>
>
>   def create
>   installutil("/unattended", @resource[:path])
>   end
>
>   def destroy
>   installutil("/u", "/unattended", @resource[:path])
>   end
>
>   def exists?
>   Win32::Service.exists?( @resource[:name] )
>   end
>
> end


See example here, you should be able to do something similar:
https://github.com/puppetlabs/puppetlabs-dism/blob/master/lib/puppet/provider/dism/dism.rb#L7-L13

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Re: Windows Firewall Question

[Nan Liu]

On Thu, Mar 7, 2013 at 7:55 AM, Paul Tötterman wrote:

> As someone who generally hates using execs unless I absolutely have to, I
>> would recommend using the Puppet Labs registry module. I can dig out some
>> examples tomorrow if you like.
>
>
> I'm a bit wary about prodding in the registry behind the back of windows
> firewall, but please tell me if it works. I wrote some idempotent
> powershell to control the firewall rules in windows.
>

The registry data looks straightforward in HKLM/System/CurrentControlSet/
(search FirewallRules):

v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=1433|Name=SQL|

But the problem is generating the name:
{4DBAC415-6138-489A-B647-7FAA20709582}

You can't arbitrarily name it SQL. This would be straightforward as a
define type wrapping around registry if someone knows how to generate the
registry name. Adam?

I'm also using exec with netsh firewall to open a port for SQL server for
now, but a type and provider would be much more robust. However I would
like to hear some Windows expert chime in, before trying to write a
type/provider around netsh advfirewall.


Thanks,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Require with Templates

[Nan Liu]

On Fri, Feb 15, 2013 at 11:30 AM, Tiago Cruz wrote:

> Hello Nan,
>
> So this is the problem: I think that puppet must fail on the fist attempt,
> but install the package to be sucess on the second try.
>
> But not, it always failing:
>
> Feb 15 16:37:49 alog228 puppet-agent[18960]: Starting Puppet client
> version 2.7.9
> Feb 15 16:37:57 alog228 puppet-agent[18960]: Could not retrieve catalog
> from remote server: Error 400 on SERVER: Failed to parse template
> base/rpmforge.repo.erb: Could not find value for 'lsbmajdistrelease' at
> 4:/etc/puppet/modules/base/templates/rpmforge.repo.erb at
> /etc/puppet/modules/base/manifests/repository.pp:23 on node alog228
> Feb 15 16:37:57 alog228 puppet-agent[18960]: Using cached catalog
> Feb 15 16:37:57 alog228 puppet-agent[18960]: Could not retrieve catalog;
> skipping run
> Feb 15 17:08:00 alog228 puppet-agent[18960]: Could not retrieve catalog
> from remote server: Error 400 on SERVER: Failed to parse template
> base/rpmforge.repo.erb: Could not find value for 'lsbmajdistrelease' at
> 4:/etc/puppet/modules/base/templates/rpmforge.repo.erb at
> /etc/puppet/modules/base/manifests/repository.pp:23 on node alog228
> Feb 15 17:08:00 alog228 puppet-agent[18960]: Using cached catalog
> Feb 15 17:08:00 alog228 puppet-agent[18960]: Could not retrieve catalog;
> skipping run
> Feb 15 17:27:05 alog228 puppet-agent[18960]: Caught TERM; calling stop
> Feb 15 17:27:06 alog228 puppet-agent[21508]: Reopening log files
> Feb 15 17:27:06 alog228 puppet-agent[21508]: Starting Puppet client
> version 2.7.9
> Feb 15 17:27:08 alog228 puppet-agent[21508]: Could not retrieve catalog
> from remote server: Error 400 on SERVER: Failed to parse template
> base/rpmforge.repo.erb: Could not find value for 'lsbmajdistrelease' at
> 4:/etc/puppet/modules/base/templates/rpmforge.repo.erb at
> /etc/puppet/modules/base/manifests/repository.pp:23 on node alog228
>

Two different manifests (in two different environments) need to exist, one
to install the facter dependency, the second for the template. Putting them
in the same deployment will always result in a catalog compilation error
since the master doesn't have the required fact, and the client will not
receive a catalog to install the package to fulfill the fact.

I saw your module, sounds really nice! Did you know if it works with puppet
> 2.7.9?
>

It should, facts are usually not sensitive to Puppet version.

Thanks,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Require with Templates

[Nan Liu]

On Fri, Feb 15, 2013 at 10:42 AM, Tiago Cruz wrote:

> Hello,
>
> What's the problem with this syntax:
>
> package { 'redhat-lsb':
>   ensure => present,
>   before => File['/etc/yum.repos.d/rpmforge.repo'],
> }
>
> file { '/etc/yum.repos.d/rpmforge.repo':
> mode => 644,
> owner => root,
> content => template("base/rpmforge.repo.erb"),
> require => Package["redhat-lsb"],
> }
>
> The "before" and "require" its not working, 'Cause I still getting this
> message:
>
> Could not retrieve catalog from remote server: Error 400 on SERVER: Failed
> to parse template base/rpmforge.repo.erb: Could not find value for
> 'lsbmajdistrelease' at
> 4:/etc/puppet/modules/base/templates/rpmforge.repo.erb at
> /etc/puppet/modules/base/manifests/repository.pp:23
>
>
> I'm using "lsbmajdistrelease" to discover the verstion of CentOS, but I've
> noticed that some hosts has broken, because the package "redhat-lsb" is
> missing. If I install the package with yum, everything works well, but I
> would like to solve this with puppet.
>

You can't update fact information during a puppet run. Puppet either have
or don't have lsb facts when applying the catalog, installing the package
to satisfy the dependency won't help that particular puppet run (only the
next one). I also find redhat-lsb package to be hideously large dependency
for answering such a basic fact. Here's one possible work around (as long
you don't need lsbrelease): https://forge.puppetlabs.com/nanliu/lsb

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] f5 module usage/debugging tips?

[Nan Liu]

On Mon, Feb 11, 2013 at 8:27 AM, Christopher Wood <
christopher_w...@pobox.com> wrote:

> (Following up to my own post for posterity's sake, see xkcd.com/979.)
>
> Short form: for me this isn't yet as easy as a file resource but the
> puppetized management payoff will be worth the work. My issues are most
> likely a reflection of my own puppet/ruby/iControl/SOAP skill.
>
> I am going to explore a personalized set of F5 types/providers that I can
> use without first loading up the wsdl file for every involved iControl
> interface, version, and hotfix.
>
>
>
> Points from my various BigIP/puppet experimentations:
>
> a) The f5-icontrol-10.2.0.2.gem doesn't necessarily work with LTM 11.1.0.
> (Or I haven't figured it out, also quite likely.) This could be because the
> gem ships different wsdl files but I couldn't get it to work with later
> iControl wsdl files anyway.
>
> b) In LTM 11, F5 deprecated some interfaces so puppet f5 module providers
> like f5_node are suddenly using deprecated interfaces.
>
> c) Some parts of the iControl api are being updated/fixed over time, for
> instance the hotfix id 388590 reading "Certificates can now successfully be
> updated using the iControl Management::KeyCertificate interface", see:
>
> http://support.f5.com/kb/en-us/solutions/public/14000/100/sol14175.html
>
> d) Judging by my soap-newbie eye the soap4r package appears abandonware,
> savon isn't up to complicated data structures and I have yet to dive into
> handsoap (the starter page says to start with a wsdl, see my wsdl-tracking
> issues). Picking the right soap package to use is likely going to be job 1.
>
> (If the list has any feedback to the above, I'm very much all ears.)


Have you tried the v11 gem?
https://devcentral.f5.com/internal-forums/aff/2306. The module certainly
needs to updates against v11 API, but seems like it would be a better
starting point.

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Puppet F5: Graceful Server Shutdown

[Nan Liu]

On Mon, Feb 11, 2013 at 2:22 AM, MrTeleBird  wrote:

> Another option (I do not know if this would work), would be to "translate"
> this script:
>
> https://devcentral.f5.com/wiki/icontrol.pspoolmembercontrol.ashx
>
> to ruby and execute it when deploying a new application.
>
> What do you think??
>

It might be possible to add 'session_enabled_state' to the list of methods
available to 'LocalLB.PoolMember' and see if that allows it to toggle this
setting:

https://github.com/puppetlabs/puppetlabs-f5/blob/master/lib/puppet/provider/f5_pool/f5_pool.rb#L69-L74
https://github.com/puppetlabs/puppetlabs-f5/blob/master/lib/puppet/provider/f5_pool/f5_pool.rb#L126-L131

f5_pool { 'webserver':
  member => { '192.168.1.1:80' =>
{ 'session_enabled_state' => 'STATE_DISABLED' },
  }
}

Thanks,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Puppet F5: Graceful Server Shutdown

[Nan Liu]

On Thu, Feb 7, 2013 at 6:46 AM, MrTeleBird  wrote:

> How can I gracefully shut down my servers of a given pool member for
> maintenance without disrupting current user sessions using the F5 iControl
> module??...and of course, allowing for enabling and disabling of the server
> for a pool
>
> Has anyone done this before?
>

The short version is F5 have an API call, but I'm not sure it's actually
usable. The good news is you have other options.

The v11 API [1] was extended to support this functionality, but the module
was written specifically for v10 [2]. I don't know the f5-icontrol 10.2
gem compatibility with v11 API, and F5 haven't released v11.2.1 gem yet
[3]. I think setting a poolmember connection limit would simulate the
behavior. The other solution is setup monitoring to watch a service
availability and drain stop (not the actual service but a service
availability indicator). This is actually quite helpful as it gives the
server admin the ability to start maintenance, monitor user traffic drain,
all without any load balancer changes [4].

If you are on v11 and willing to work with the provider, you can look at
updating this section:
https://github.com/puppetlabs/puppetlabs-f5/blob/master/lib/puppet/provider/f5_pool/f5_pool.rb#L66-L74
https://github.com/puppetlabs/puppetlabs-f5/blob/master/lib/puppet/provider/f5_pool/f5_pool.rb#L123-L131

Change the WSDL to LocalLB.Pool, add enabled state property, and change to
the appropriate get_member_*, set_member_* methods.

HTH,

Nan

1.
https://devcentral.f5.com/wiki/iControl.GlobalLB__Pool__set_member_enabled_state.ashx
2. https://devcentral.f5.com/wiki/iControl.GlobalLB__PoolMember.ashx
3.
https://devcentral.f5.com/tech-tips/articles/getting-started-with-ruby-and-icontrol
4. https://devcentral.f5.com/community/group/aft/2161534/asg/50

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Any way to "force" set the type provider? Problem with firewall module and iptables

[Nan Liu]

On Wed, Jan 30, 2013 at 10:50 PM, Erno Aapa  wrote:

> Hi,
> I have tricky problem and I hope that someone could help me.
> I'm using puppetlabs-firewall module. My box doesn't have iptables
> pre-installed. And because there is no /sbin/iptables puppet don't find
> provider for firewall -type. I get error that no provider for firewall
> found.
>
> Does anyone have idea how to get around this? Even if I create stage which
> is before "main"-stage and install the iptables there I get errors.
>

The issue should be fixed somewhere in 2.7.x where you can install packages
and have it satisfy provider requirements in a single puppet run. See:
http://projects.puppetlabs.com/issues/6907.

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Puppet Modules from Forge

[Nan Liu]

On Wed, Jan 30, 2013 at 9:55 AM, jim  wrote:

> Hello all,
>
> I have some questions about the download puppet modules from puppetforge:
>
> I'll take puppetlabs-dism as an example, once its installed its located:
>
> /etc/puppetlabs/puppet/modules/dism
>
> Can this be renamed to something else ?
>
> Also if for example, I had a folder tree under modules e.g.
>
> /etc/puppetlabs/puppet/modules/windows
> |
> |- manifests
> |--base.pp
> |--networking.pp
>
> Can I move the DISM module folder under my windows folder ?
>

This particular module is just a type/provider with no puppet manifest so
you can move the lib dir to another module.


> then I assume i'd call it by windows::dism?
>

No, the resource is still called dism, because it's the name of the type
and moving the lib dir won't change this.

https://github.com/puppetlabs/puppetlabs-dism/blob/master/lib/puppet/type/dism.rb#L1

 You can write your own custom define resource called windows::dism which
wraps the native dism resource. This is typically done if you need
environment defaults.

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Searching for Nodes

[Nan Liu]

On Thu, Jan 24, 2013 at 12:13 PM, Brian Malinconico wrote:

> Thank you for the feedback. We are actually using haproxy, and will
> undoubtedly use the stock book, it was just the example.
>
> I guess I am confused as to the pattern. I have looked over the nagios
> examples many times but I am still unsure. T
>
> he final example would be how to distribute a database IP without
> hard-coding it.
>
> My understanding of the exported resources would be that the database
> needs to export the configuration file, and the application servers would
> need to import that file. This means that the database box needs to have
> application level knowledge to create the config file needed.
>
>
What am I not understanding? Is the puppet pattern to set the $database_ip
> variable?
>

You don't need to export resource per se, an empty define resource allows
you to export information as data.

define data(
  $value,
) {}

node database {
  @@data { 'ipaddress':
value => $::ipaddress, #obtained from facter, heck you don't really
need to do this because it's available in puppetdb.
  }
  ...
}

But the problem is collection syntax only gather resource, so you need a
custom function to perform the query and treat the result as data. This is
the gap in the Puppet DSL, and there's no official solution if you want to
treat catalog/puppetdb as source of data rather than resource.

There's another module under RI repo that Dan Bode used as PoC for
openstack modules. It's delivered as a puppet face with matching puppet
functions: https://github.com/ripienaar/ruby-puppetdb

The face provides a way to treat puppetdb as source of data. For example,
for database_ip you can simply ask (and probably more interesting asking
what network, is it production, etc):
$ puppet query node --query '(Package[mysql-server] and
architecture=amd64)' --filter ipaddress

In the manifests this is:
$nodes = unique(query_active_nodes('Package[mysql-server] and
architecture=amd64', 'ipaddress'))

Some caveats:
1. Not really an official PuppetLabs project (i.e. experimental).
2.  It's not really tested at scale and does data filter after getting a
large result set. Recent changes in PuppetDB allows more optimal query so
PuppetDB does the filter, but I'm pretty sure not taking advantage of it
yet.
3. PuppetDB exports on catalog compilation, so your database server might
not be online yet.

Thanks,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Puppet Bonding Module: Detect missing values before creation of file or template

[Nan Liu]

On Tue, Jan 22, 2013 at 2:53 PM, GregC  wrote:

> I have a module that reads and creates bonding configuration with
>  persistent routes, by pulling those values and inserting into my static
> route file on RH 5.6 like so:
>
> <% bond_route.each do |bond_route| -%>
> <%= bond_route %> via <%= bond_gateway %> dev bond<%= name %>
> <%end -%>
>
> Problem is that if I am missing any values for bond_route or bond_gateway
> it will create the template with those values missing. I can do a puppet
> run by giving it a blank value like so:
>
> bond1_route = ""
>
> Does anyone have a suggestions as to how I can detect and NOT execute this
> module if the any variables are missing???
>

See puppetlabs-stdlib module validate_* functions.

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] node_openstack dependency

[Nan Liu]

On Tue, Jan 22, 2013 at 6:59 AM,  wrote:

> That was a bug and fixed partially. Now installation happens but puppet
> commands are broken and I see no manifests files in the new module
> directories.
>
> # puppet module install puppetlabs/node_openstack
> Preparing to install into /etc/puppetlabs/puppet/modules ...
> Downloading from http://forge.puppetlabs.com ...
> Installing -- do not interrupt ...
> /etc/puppetlabs/puppet/modules
> ââ⬠puppetlabs-node_openstack (v0.0.4)
>   âââ puppetlabs-cloud_provisioner (v1.0.5)
>
> # puppet module list
> /etc/puppetlabs/puppet/modules
> âââ puppetlabs-cloud_provisioner (v1.0.5)
> âââ puppetlabs-node_openstack (v0.0.4)
> /opt/puppet/share/puppet/modules
> âââ puppetlabs-auth_conf (v0.0.5)
> âââ puppetlabs-pe_accounts (v1.1.0)
> âââ puppetlabs-pe_compliance (v0.0.8)
> âââ puppetlabs-pe_mcollective (v0.0.57)
> âââ puppetlabs-request_manager (v0.0.5)
> âââ puppetlabs-stdlib (v2.5.1)
> âââ ripienaar-concat (v0.2.0)
>
> # ls /etc/puppetlabs/puppet/modules/
> cloud_provisioner  node_openstack
>
> # puppet node_openstack
> Error: Unknown Puppet subcommand 'node_openstack'
> See 'puppet help' for help on available puppet subcommands
>
> # puppet help
> err: no such file to load -- puppet/face/node/install
> err: Try 'puppet help help help' for usage
>
>
You can try exporting RUBYLIB with the modules lib dir to use the face.
This is related to http://projects.puppetlabs.com/issues/7316.

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Re: How to watch a logfile in Puppet?

[Nan Liu]

On Mon, Jan 21, 2013 at 4:28 PM, Andrey Brindeyev <
abrinde...@griddynamics.com> wrote:

> I need to deploy Java artifact to Tomcat and run tests.
> Due Java environment variables change I can't just put WAR file inside
> Tomcat, entire Tomcat app needs to be restarted.
>
> If I start my tests immediately after Tomcat startup then they fail due
> "Connection refused" error.
> I need to wait until Tomcat service start and initializes itself and all
> deployed artifacts. Easiest way to do that is to wait specified pattern in
> Tomcat's log file.
>

Just write and deploy the service startup wrapper script and ask puppet to
invoke that script for service start.

service { 'tomcat':
   ensure => running,
   start => custom_startup_script.
}

The custom startup script should just do the same thing as the chef script,
start the service, watch the log before exit, or timeout and fail.

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Does a service resource autorequire its package resource?

[Nan Liu]

On Sat, Jan 19, 2013 at 12:03 PM, royhills  wrote:

> I've seen a couple of instances where a service resource has failed with
> an error because it's
> been evaluated before its corresponding package is installed. I can fix
> this by adding an explicit
> require to the service resource, or by just running puppet again, but I
> thought that there would be
> an implicit or automatic require from a service object to the associate
> service object.
>
> Here's an example class where I've seen this, although it only happens
> when I have this class
> as part of a larger overall manifest and I'm commissioning a new system.
>
> class tftp_server {
>
>package { 'tftpd-hpa':
>   ensure => installed,
>}
>
>service { 'tftpd-hpa':
>   ensure => running,
>   enable => true,
>   hasstatus => true,
>   hasrestart => true,
>}
>
>file { '/srv/tftp':
>   ensure => 'directory',
>   owner => 'root',
>   group => 'root',
>   mode => '0644',
>   require => Package['tftpd-hpa'],
>   source => 'puppet:///modules/tftp_server/tftp',
>   recurse => true,
>   purge => true,
>   ignore => '.svn',
>}
> }
>
> Note that there is no notify/subscribe between the file object and the
> service object. Perhaps
> that's why I get the problem?
>
> What I see is:
>
> info: Applying configuration version '1358616112'
> ...
> err: /Stage[main]/Tftp_server/Service[tftpd-hpa]: Could not evaluate:
> Could not find init script for 'tftpd-hpa'
> ...
> notice: /Stage[main]/Tftp_server/Package[tftpd-hpa]/ensure: ensure changed
> 'purged' to 'present'
> ...
>
> In http://docs.puppetlabs.com/learning/ordering.html, it says "Some of
> Puppet’s resource types will notice
> when an instance is related to other resources, and they’ll set up
> automatic dependencies", but it doesn't
> state exactly what resources this relates to. I'd expected service/package
> to be one of the examples though.
>

This is not an auto dependency. They are all documented in the resource
type document by searching autorequires:
http://docs.puppetlabs.com/references/latest/type.html

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Re: Puppet 2.6 - Custom functions - environments issue

[Nan Liu]

On Sat, Jan 19, 2013 at 11:37 AM, xkrantz  wrote:

> Le vendredi 18 janvier 2013 20:52:03 UTC+1, jcbollinger a écrit :
>
>
>>
>> On Friday, January 18, 2013 7:56:20 AM UTC-6, xkrantz wrote:
>>>
>>> Hello every one,
>>>
>>> I have looked at a lots of threads in the Puppet User group but I did
>>> not find a clear answer or explanation how custom functions work
>>> Here is my current setup :
>>>
>>>
>>> * I have *2 "environments"*. working fine
>>> /etc/puppet/environments/**production/
>>> /etc/puppet/environments/test/
>>>
>>> * I have a version of my function already working in production
>>>
>>> * According to the documentation, *"functions" are executed on puppet
>>> master Side*.
>>> So I put my *new version* into 
>>> /var/lib/puppet/lib/puppet/**parser/functions/myfunction.rb
>>> on the master.
>>> My new version is also present in /etc/puppet/*environments/test*/**
>>> modules/mymodule/lib/puppet/**parser/function/myfunction.rb and synced
>>> to the agent via "pluginsync"
>>>
>>>
>>> * When I run my puppet agent on my "test" environment, I get the
>>> expected behavior.
>>> So I merged my changes in the "production" environment.
>>>
>>> * Now when I run my agent on the "production" Environment, I get the
>>> behavior of the previous version of my function.
>>> If I run the agent right away against the "test" environment, I get
>>> again the expected behavior...
>>> I checked the files in both environment through md5sum and they are the
>>> same.
>>> And the /var/lib... on the master is also the same
>>>
>>>
>>> So, how exactly does it work ?
>>>
>>>
>> Once Puppet loads a function implementation by processing its Ruby source
>> file, I don't think it will ever process that Ruby source again in the same
>> run.  Try restarting the master.
>>
>>
>> John
>>
>>
>
> Hi John,
>
> Indeed, after a while (Passenger's threads with puppet masterd process
> stopped and restarted), it was ok.
>
> But still, I have experienced different behaviors according to the
> "Environment" my puppet Agents were running against.
> So, does Puppet master load different versions of the function's ruby
> files per environments ?
>

The corollary from what John said is environments are lightweight methods
for testing new manifests. Anything written in ruby such as functions
should be tested and deployed in separate puppet master instances.
 Environments are not suitable as containers for running different ruby
code or multi-tenancy.

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] f5 module usage/debugging tips?

[Nan Liu]

On Thu, Jan 17, 2013 at 3:37 PM, Christopher Wood <
christopher_w...@pobox.com> wrote:

>
> Usually when I make a change via the gui or tmsh I see the change
> reflected in the text config right away.


Good to know.


> >If you run puppet again does it attempt to make the same changes
> again?
>
> Yes, it does.
>

Interesting, what version of F5 are you using?

If you trim the manifests down, isolate to just an iRule and enable --debug
do you see this line:

Puppet::Provider::F5_Rule: creating {rule_name}

https://github.com/puppetlabs/puppetlabs-f5/blob/master/lib/puppet/provider/f5_rule/f5_rule.rb#L35

Does this message show up? In most cases any failure will result in an
appropriate SOAP error, so I'm curious if the transport should be
investigated or the puppet version (since you mentioned 3.0.2).

Thanks,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] f5 module usage/debugging tips?

[Nan Liu]

On Thu, Jan 17, 2013 at 2:59 PM, Christopher Wood <
christopher_w...@pobox.com> wrote:

> The question: how can I get extra debugging/troubleshooting information to
> figure out why my F5 resources aren't applying? I see my "puppet device"
> command claiming to have applied an f5_node and f5_rule, but the irule and
> node respectively do not appear in the device's config.
>
> I have already turned up logging on the F5 device and debug/verbose in my
> puppet device run and found nothing obvious there.
>
> (More details below.)
>
> I see these:
>
> Notice: /Stage[main]//Node[my_f5]/F5_node[192.168.127.1]/ensure: created
> Notice: /Stage[main]//Node[my_f5]/F5_rule[cw1]/ensure: created
>
> As part of this set of debug output, but:
>
> [cwood@lb-lab:Active] log # grep cw1 /config/bigip.conf
> [cwood@lb-lab:Active] log #
>

I'm not familiar with F5 tmsh, the puppet module is using iControl to
update the device, so I don't know how changes are reflected in the text
config.

If you run puppet again does it attempt to make the same changes again? If
not the changes should have taken effect. Can you login to the web console
and review if the rules were added to the device?

Thanks,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] generate() function help

[Nan Liu]

On Thu, Dec 27, 2012 at 10:29 AM, Jakov Sosic  wrote:

> I want to run script which is distributed with my module, but the problem
> is I have to then hardcode the path to the script in the generate function
> call, for example:
>
> generate("/etc/puppet/**environments/${environment}/**
> modules/mymodule/scripts/**myscript")
>
> But what If some other site uses other path to their modules, or doesn't
> use environments at all? Is it possible somehow to detect the dir in which
> the module is installed, so that I can use something like:
>
>
> generate("$modulepath/scripts/**myscript")


See stdlib:
https://github.com/puppetlabs/puppetlabs-stdlib/blob/master/lib/puppet/parser/functions/get_module_path.rb


HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Unit-Testing/test: recommended method?

[Nan Liu]

On Thu, Dec 13, 2012 at 11:01 AM, Andreas Haerter <
list+puppet-us...@mail-node.com> wrote:

> Hi,
>
> is there any "officially" recommended default/standard method to realize
> Puppet module unit test beyond linting (puppet-lint)? Compatibility to
> version < 3.x is nice but NOT needed.
>
>
> My main questions are:
>
> 1) I know there are different, well-known methods:
> - Test::Unit
> - rspec-puppet
> - cucumber-puppet


> Is there anything missing worth a look? Which are deprecated, wich are
> future-proof?
>

Not aware of Test::Unit. Cucumber Puppet is deprecated [1]. rspec-puppet is
the way to go.

>
> 2) There are helpful blog postings and articles out there [1] [2] [3]
> [4]. However, none of them gives me a clue if there is a commonly
> recommended tool/method to implement Unit test, some kind of
> "use X because everybody is using it, you won't get compatibility issues
> and the dev-community behind is healthy".
>
> A hint out of e.g. Puppet Labs or experienced community members
> Point-of-View would be very helpful. Are there any recommendations?
> Getting familiar with testing needs some work which I don't want to
> invest into the wrong  candidate/method/tools. ;-)
>

The blog posts you referenced are slightly out of date. I would start with
Branan's post on Puppet Labs spec_helper [2]. It's used in all puppet labs
modules. You can see it in action both in travis-ci [3] and puppet labs
public Jenkins CI [4].

[1] 
[2] <
http://puppetlabs.com/blog/the-next-generation-of-puppet-module-testing/>
[3] 
[4] 

Thanks,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Are these the same?

[Nan Liu]

On Sun, Nov 25, 2012 at 8:56 AM, Mark  wrote:

> Trying to figure out if these would behave the same or not?
>
> Example 1:
> -
>
> class Foo {
>   require Bar
>   someresource { 'baz':
> …. # This depends on A,B and C being already completed
>   }
> }
>
> class Bar {
>   include A
>   include B
>   include C
> }
>
>
> Example 2:
> 
>
> class Foo {
>   include Bar
>   someresource { 'baz':
>  ….
>  require => Class['Bar']
>   }
> }
>
> class Bar {
>   include A
>   include B
>   include C
> }
>
>
> So will these behave the same? When I require Bar in the first example are
> the A,B and C resources guaranteed to be executed before the resource in
> Foo? Same question goes for example 2
>

They don't work as expected. You need containment resources in class Bar.
See documentation and ticket 8040 for more info and work around:

http://docs.puppetlabs.com/puppet/2.7/reference/lang_containment.html
http://projects.puppetlabs.com/issues/8040

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Relationship for a called function?

[Nan Liu]

On Tue, Nov 20, 2012 at 1:28 AM, KomodoDave  wrote:

> If you define a custom function in *lib/puppet/parser/functions *can it
> be executed with a *before *or* require *relationship applied?
>
> Without this I don't understand the logic behind when it will be called,
> considering relationships make the literal ordering of code in a manifest
> irrelevant to a degree.
>
>
Neither, functions are executed during catalog compilation on the master.
Resources in the catalog are applied in the order of their relationship on
the client. The first rule in the documentation applies here:

http://docs.puppetlabs.com/guides/custom_functions.html#gotchas

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Can I create virtual resources with create_resources function

[Nan Liu]

On Thu, Nov 15, 2012 at 2:04 PM, Rajul Vora  wrote:

>
> I am trying to add ability to add virtual users to the git://
> github.com/erwbgy/puppet-system.git module as I really want the ability
> to use virtual users and then combine that with "User <| group == 'x' and
> group == 'y' |>" way of realizing the users. This is much more flexible
> than what I can do with this module out of the box.
>
> Using the pattern in that module, I tried to do this:
>
> class system::virt_users (
>   $config = undef
> ) {
>   if $config {
> $defaults = {
>   ensure => 'present',
>   managehome => true,
>   shell  => '/bin/bash'
> }
> create_resources(@user, $config, $defaults)
>   }
> }
>
>
> But that gives me syntax error:
> Error: Could not retrieve catalog from remote server: Error 400 on SERVER:
> Syntax error at '@'; expected ')' at
> /etc/puppet/modules/system/manifests/virt_users.pp:10 on node ..
>
> So I tried putting @user in quotes but that also generated syntax error
> (could not create resource of unknown type @user).
>
> So is there a create_virtual_resource function or some other trick to do
> this?
>
>
See: http://projects.puppetlabs.com/issues/15081

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Re: Pass Array as param to custom provider...

[Nan Liu]

On Wed, Nov 14, 2012 at 9:44 AM, fatmcgav  wrote:

> However I'm not sure that having individual params/properties for each
> volume option is the right way - The list of possible volume options
> currently stands at 36.. I don't really fancy having to implement a
> param/property for each of those... However I could see a single 'options'
> hash param/prop working for that... Although then I'm back to the same
> challenge of making sure each volume option is set & maintained
> correctly...
>

Creating 36 options is a bit of work, but they will be documented as
resource properties, and puppet takes care of some of problem of which
option needs to be updated and only call the setter for a specific option
when necessary. I suspect the option values getter/setter are very similar
so you can use define_method to reduce boilerplate code. Certainly you can
create a single property with a hash value to manage all 36 options, but in
this case the option property need to do a few extra things:

1. option method should return all 36 options in a hash.
2. insync? should return true as long the user specified subset of option
values is the same as the one returned by the previous method. It might
make sense to maintain the list of option that needs to be updated for the
setter method.
3. option= should determine which options need update and perform them.

The other challenge is that to set volume options is a different webservice
> call to the volume-list/volume-create method, but I'm guessing I can just
> get that handled with another def in the provider...
>

If it makes sense to have them in one resource, whether it's one or more
api call is just something the provider abstracts away. I wouldn't be
concerned how many api/commands the provider uses to manage a resource.

HTH,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Re: Pass Array as param to custom provider...

[Nan Liu]

On Wed, Nov 14, 2012 at 8:56 AM, Gavin Williams  wrote:

> Cheers for the response... Looks like I've got some more reading to do to
> get my head around some of the more complex stuff...
>

I'm not sure why netapp_volume_options is a separate resource. You are
already managing the volume state in netapp_volume, and all netapp volume
options should be properties in netapp_volume instead.

Think you're right in that I'm trying to treat the options as a whole,
> rather than individual items...
>

The resource seems to make more sense modeled as:

netapp_volume { 'example':
  ensure => present,
  initsize => '2GB',
  convert_ucode => 'on',
  no_atime_update => 'on',
}

The provider exists? method should simply return true if the volume is
present and it should not compare the property values (that's what Puppet
does for you). One key difference is volume options should be newproperty.
So far you implemented all attributes as parameters, and puppet will not
retrieve and compare parameter values (i.e. it will not call
initsize/initsize= method).

The convert_ucode method return the option value. and convert_ucode= method
updates the setting.


> Am I better off moving to a prefetch/flush style provider, rather than the
> getter/setting method?
>

I would avoid prefetch/flush until you have the provider working with
individual get/set first.

Thanks,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Re: Pass Array as param to custom provider...

[Nan Liu]

On Tue, Nov 13, 2012 at 11:58 AM, fatmcgav  wrote:

> Looks like overriding the 'insync?' method is the way to go, as I'm only
> interested in checking/setting property values that are being passed
> through...
>
> Any insync? examples that I could refer to?
>

There's a simple example here:
https://github.com/puppetlabs/puppetlabs-f5/blob/master/lib/puppet/type/f5_virtualserver.rb#L13-15

Search puppet source code lib/puppet/type/ for additional ones.

Thanks,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Re: Pass Array as param to custom provider...

[Nan Liu]

On Tue, Nov 13, 2012 at 11:19 AM, Gavin Williams  wrote:

> After a quick google, came up with:
>
> #!/usr/bin/env ruby
>>
>> grades = { "Bob" => 82,
>>"Jim" => 94,
>>"Billy" => 58
>>  }
>>
>> grades.each do|name,grade|
>>   puts "#{name}: #{grade}"
>> end
>
>
> So now all I need to do is pull the existing options values and compile a
> hash to compare in the exists?, and use the above in the create...



Quick question on the create - how will it handle one property that
> matches, but one property that doesn't?
>

You need a hash diff between current values and desired values and iterate
through the difference. Hash properties are a bit more work, because the
retrieve method may return more options than you care to set. You have the
option to either munge and include default value to the user supplied
value, or override insync? method so the comparison operation does not
invoke option= method if the user specified value is a subset of the return
hash from the option method.

Alternatively if you only have a short number of options, you can just
implement them as properties instead.

Thanks,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Re: Pass Array as param to custom provider...

[Nan Liu]

On Tue, Nov 13, 2012 at 7:33 AM, fatmcgav  wrote:

> One of the functions required is the ability to set 'options' against a
> given volume.
> What I want to do is create a provider that accepts a volume name and a
> list of volume options with their corresponding settings, and then iterate
> through the provided list making a webservice call for each option.
>
> So to give a better example of the provider in pastebin:
> netapp_volume_options { 'v_puppet_test12111508':
> options => ['convert_ucode=on', 'no_atime_update=on'],
> }
>

Yeah this seems to make more sense as a hash:

options => { 'convert_ucode' => 'on', 'no_atime_update' => 'on' }

I'm assuming this is just parameter, if it's a property add the following
method to the type and you should get a reasonable output:

def should_to_s(v)
  v.inspect
end

def is_to_s(v)
  v.inspect
end

Thanks,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.