Re: [Puppet Users] shell file but getting copied do destination

2017-09-12 Thread Neil - Puppet List
hi,

The source has a typo. It says midules rather than modules.

Neil


On 10 Sep 2017 18:29,  wrote:

Hi,

Following is my task file, which I call from deployment_task.yaml

file { '/tmp/filename.sh'
path => '/tmp'
.
. source => puppet:///midules/pluginname/filename.sh,
} ->

exec {'/tmp/filename.sh'
command => '/tmp/filename.sh'
path => '/usr/bin:/bin'
}

My problem is that filename.sh is neither getting copied into the /tmp/ folder
nor (and probably that's why) is the command getting executed.

Please help me asap, I have already defaulted on deadline twice.

thanks,
Vivek

--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/
msgid/puppet-users/966fd69f-9e35-4d7e-bff1-0493432757c5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



Re: [Puppet Users] Multiple vhosts, same document root

2017-07-11 Thread Neil - Puppet List
Hello

The stdlib package has a function ensure_resource that would allow you to
create the directory as many times as needed.

Out of curiosity, why not use the puppetlabs apache module?

Cheers
Neil

On 7 Jul 2017 09:39, "'Bas van de Wiel' via Puppet Users" <
puppet-users@googlegroups.com> wrote:

> So I managed to hack a fix for this:
> # Hackish pair of execs to allow multiple sites with the same docroot
> # See: https://confluence.maxserv.com/display/OPS/MaxServ+Apache
> exec { "${name}_${webroot}":
>   cwd     => '/',
>   user    => 'root',
>   path    => '/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/home/beheer/bin',
>   command => "`which mkdir` -p ${webroot}",
>   creates => $webroot,
>   notify  => Exec["${name}_webroot_permissions"],
> }
>
> exec { "${name}_webroot_permissions":
>   cwd         => '/',
>   user        => 'root',
>   path        => '/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/home/beheer/bin',
>   command     => "`which chown` ${apache::user}:${apache::group} ${webroot}",
>   refreshonly => true,
> }
>
> Any comments?
>
> Bas
>
> On 06-07-17 21:32, bas via Puppet Users wrote:
>
> Hello Puppet users,
>
> I'm working on a webserver module that needs to ensure directories for
> document roots. I tried doing this by using file resources like so:
>
> file { 'vhost-A':
>   ensure => 'directory',
>   path   => '/var/www/sharedvhost',
>   ...clipped for brevity...
> }
>
> file { 'vhost-B':
>   ensure => 'directory',
>   path   => '/var/www/sharedvhost',
>   ...clipped for brevity...
> }
>
> This, sadly, does not work. Even though I avoid the pitfall of declaring
> two resources by the same name Puppet is clever enough to see that I'm
> ensuring the same path in the end.
>
> What I'd like the result to be, is the existence of /var/www/sharedvhost
> with the ability for my vhost resource type to know about it but without
> throwing errors.
>
> Any help would be much appreciated!
>
> Bas
>
>
>
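
The ensure_resource suggestion from the reply above, applied to the shared document root from the original question. This is an added example, not code from the thread; it assumes puppetlabs-stdlib is installed, and the module name webserver, the defined type webserver::vhost, its parameters, the www-data defaults and the Debian-style config path are hypothetical.

```puppet
# Added example (not from the thread). Requires puppetlabs-stdlib.
# webserver::vhost, its parameters and the defaults below are hypothetical.
define webserver::vhost (
  String $webroot,
  String $owner = 'www-data',
  String $group = 'www-data',
) {
  # Title the directory by its path, not by the vhost name. ensure_resource
  # declares File[$webroot] only if it is not already in the catalog, so any
  # number of vhosts can ask for the same document root.
  #
  # The attribute hash must be identical in every call. If a second vhost
  # passes a different owner, group or mode for the same path, compilation
  # fails with a duplicate declaration error, which is the behaviour you want:
  # two vhosts disagreeing about who owns a shared docroot is a real conflict.
  #
  # Like a plain file resource, this does not create missing parent
  # directories (here /var/www must already exist or be managed elsewhere).
  ensure_resource('file', $webroot, {
    'ensure' => 'directory',
    'owner'  => $owner,
    'group'  => $group,
    'mode'   => '0755',
  })

  # Per-vhost resources can depend on the shared directory by reference,
  # regardless of which vhost instance ended up declaring it.
  file { "/etc/apache2/sites-available/${name}.conf":
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "<VirtualHost *:80>\n  ServerName ${name}\n  DocumentRoot ${webroot}\n</VirtualHost>\n",
    require => File[$webroot],
  }
}

# Both vhosts share one document root; the catalog contains a single
# File['/var/www/sharedvhost'] resource.
webserver::vhost { 'vhost-A':
  webroot => '/var/www/sharedvhost',
}

webserver::vhost { 'vhost-B':
  webroot => '/var/www/sharedvhost',
}
```

Compared with the pair of exec resources, ownership and mode are enforced on every run rather than only when the directory is first created.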



Re: [Puppet Users] Re: How to reference NFS shares in a file resource

2017-01-17 Thread Neil - Puppet List
Hello

Another option is to run a puppet master on the nfs server to share the
same files.

The file source would then be

puppet://servera/blah/filepath.

Neil

On 16 Jan 2017 23:38, "warron.french"  wrote:

> Merci Thomas,
>I didn't know how to implement the syntax (you solved that problem) and
> you expressed a technical advisory, against the idea of mounting NFS on the
> puppet master.
>
> Do you advise strongly against the source being mounted onto clients from
> the NFS server to source the file?  The idea is the source is going to be
> available on a NFS shared path so that Party1 can edit the file, and Party2
> has control over the Puppet Master.
>
> Thanks for replying, I was wondering if my email got into the queue
> properly, and I forgot about it over the weekend.
>
> --
> Warron French
>
>
> On Mon, Jan 16, 2017 at 2:03 AM, Thomas Müller 
> wrote:
>
>>
>>
>> On Friday, 13 January 2017 18:23:31 UTC+1, Warron French wrote:
>>>
>>> Hi, I need to understand how to properly write some puppet code that
>>> will take files off of an NFS share on serverA and place them on my clients
>>> via a puppet module.
>>>
>>> My NFS server is *serverA.home*, providing serverA:/some/path that
>>> mounts on my clients
>>> my puppet master is *puppetmaster.home*,
>>>
>>> I believe (please correct me) that I can create a puppet file resource
>>> and then use the attribute called *source*.
>>>
>>> I don't know how to properly implement the source attribute with respect
>>> to my nfs server *serverA.home*.  Does the NFS mount need to be on the
>>> client machines, or available to the *puppetmaster.home* host?
>>>
>>
>>
>> if the nfs share is mounted on all clients you could just reference it as
>> a local file on the server:
>>
>> file { '/bli/bla/blup':
>>   ...
>>   source => '/nfs/share/bli/bla/blup',
>>   ...
>> }
>>
>> this '/nfs/share/bli/bla/blup' is not evaluated on the puppetmaster but
>> only on the client.
>>
>>
>>
>> if the share is mounted on the master only you might configure another
>> fileserver.conf entry:
>> https://docs.puppet.com/puppet/latest/config_file_fileserver.html
>>
>> you then reference IMHO like this:
>>
>>
>> file { '/bli/bla/blup':
>>   ...
>>   source => 'puppet:///mount_point_name/bli/bla/blup',
>>   ...
>> }
>>
>> I personally would not introduce a dependency on the nfs share on the
>> puppet master. If the nfs server is not available I'd expect the whole
>> puppet master to lock up. I would at least think about rsync'ing them
>> locally or even creating something like a puppet module only containing the
>> data.
>>
>> - Thomas
>>


Re: [Puppet Users] A Scalable HA Setup with on 2 configs, check this out !

2016-09-19 Thread Neil - Puppet List
Hello Trevor,

I put this in when we did a fairly big puppet upgrade. This meant I could
direct a few clients to the upgraded server, upgrade the agents, see how that
went, then do all dev service before moving others.

I guess we could have done that in a number of other ways but this worked
well for me and I like not configuring the clients differently, by changing
their server setting, as I did the upgrade.

In a similar manner I've used it to experiment with different node
classifiers, not something I think DNS records would allow.

Before I used environments I used it for other changes like upgrading
modules such as puppet labs Apache by having the newer version only on one
puppet server and directing some clients there.

So in general the benefit is when you do not want the same puppet version
or code on all puppet servers.

Overhead of running a pair of tiny vms for the loadbal is tiny for me as we
run a dozen or so other loadbal pairs.

Neil

On 19 Sep 2016 21:28, "Trevor Vaughan"  wrote:

> Hi Neil,
>
> Thanks for sharing that config, it's quite useful.
>
> Did you see any large benefit of this versus using DNS SRV records (yes, I
> understand the actual load balancing implications)?
>
> I'm curious if the extra infrastructure was worth the effort.
>
> I'm partial to a fan-out DNS SRV structure, but that doesn't really help
> with load unless your servers are actively rejecting above a given connection
> load.
>
> Thanks,
>
> Trevor
>
> On Mon, Sep 19, 2016 at 5:09 AM, Neil - Puppet List <
> maillist-pup...@iamafreeman.com> wrote:
>
>> Hello
>>
>> One extra thing to mention is I have got into issues with configuring the
>> loadbal itself through puppet, as broken loadbal config breaks the puppet
>> service which means the loadbal can't be fixed via puppet, so admin login
>> is required on these servers.
>>
>> Thanks
>>
>> Neil
>>

Re: [Puppet Users] A Scalable HA Setup with on 2 configs, check this out !

2016-09-19 Thread Neil - Puppet List
Hello

One extra thing to mention is I have got into issues with configuring the
loadbal itself through puppet, as broken loadbal config breaks the puppet
service which means the loadbal can't be fixed via puppet, so admin login
is required on these servers.

Thanks

Neil


Re: [Puppet Users] A Scalable HA Setup with on 2 configs, check this out !

2016-09-19 Thread Neil - Puppet List
Hello

Below is a slightly edited version of the haproxy.cfg

All the backends except the ca require a valid client cert
'http-request deny unless { ssl_c_verify 0 }'

global
  chroot  /var/lib/haproxy
  daemon
  group  haproxy
  log  127.0.0.1 local4
  log  127.0.0.1 local5 notice
  maxconn  2
  pidfile  /var/run/haproxy.pid
  stats  socket /var/run/haproxy.stat mode 600
  tune.ssl.default-dh-param  2048
  user  haproxy

defaults
  log  global
  maxconn  2
  option  redispatch
  retries  3
  timeout  http-request 10s
  timeout  queue 1m
  timeout  connect 10s
  timeout  client 1m
  timeout  server 1m
  timeout  check 10s

frontend hastats
  bind 0.0.0.0:443 ssl no-sslv3 crt /etc/ssl/private/puppet.lse.ac.uk.pem no-sslv3 ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
  default_backend  ibe_hastats
  mode  http
  option  httplog
  rspadd  Strict-Transport-Security:\ max-age=31536000

frontend puppet
  bind 0.0.0.0:8140 ssl no-sslv3 crt /etc/ssl/private/puppet.lse.ac.uk.pem ca-file /etc/haproxy/ca_crt.pem verify optional crl-file /etc/haproxy/ca_crl.pem ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
  acl  use_ca path_reg ^/[a-z0-9\-\.]*/certificate/
  acl  use_ca path_reg ^/[a-z0-9\-\.]*/certificate_request/
  acl  use_dev ssl_c_s_dn(cn) -m sub -- -dev
  acl  use_foreman ssl_c_s_dn(cn) -m beg testforemanclient
  acl  environment_production path_beg /production/catalog
  default_backend  be_puppet_stable
  http-request  set-header X-SSL   %[ssl_fc]
  http-request  set-header X-SSL-Client-Verify %[ssl_c_verify]
  http-request  set-header X-SSL-Client-SHA1   %{+Q}[ssl_c_sha1]
  http-request  set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
  http-request  set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
  http-request  set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
  http-request  set-header X-SSL-Client-Not-Before %{+Q}[ssl_c_notbefore]
  http-request  set-header X-SSL-Client-Not-After  %{+Q}[ssl_c_notafter]
  mode  http
  option  forwardfor
  option  httplog
  use_backend  be_puppet_ca if use_ca
  use_backend  be_puppet_dev if use_dev
  use_backend  be_puppet_foreman if use_foreman

backend be_puppet_ca
  mode  http
  server  sys-puppet-ca-prod-0 sys-puppet-ca-prod-0:8140 check inter 15s rise 2 fall 2

backend be_puppet_dev
  balance  source
  hash-type  map-based
  http-request  deny unless { ssl_c_verify 0 }
  mode  http
  server  sys-puppet-app-prod-0 sys-puppet-app-prod-0:8140 check inter 15s rise 2 fall 2

backend be_puppet_foreman
  balance  source
  hash-type  map-based
  http-request  deny unless { ssl_c_verify 0 }
  mode  http
  server  sys-puppet-app-prod-1 sys-puppet-app-prod-1:8140 check inter 15s rise 2 fall 2

backend be_puppet_stable
  balance  source
  hash-type  map-based
  http-request  deny unless { ssl_c_verify 0 }
  mode  http
  server  sys-puppet-app-prod-2 sys-puppet-app-prod-2:8140 check inter 15s rise 2 fall 2

backend ibe_hastats
  mode  http
  stats  uri /hastats/
  stats  realm HAStatistics
  stats  auth admin:PASSWORDFORADMINACCESSTOSTATSPAGE
  stats  admin if TRUE

On 18 September 2016 at 09:10, Gareth Rushgrove
wrote:

> On 17 September 2016 at 15:06, Neil - Puppet List
>  wrote:
> > Hello
> >
> > I've run multiple puppet masters behind ha proxy for a few years now. I have
> > multiple masters, with haproxy rules directing some clients to particular
> > masters. I only have one puppet master as CA. I've about 600 clients.
> >
> > Initially I was concerned about only having one CA. But all it does is sign
> > new clients and revoke old. Haproxy trusts the clients based on this CA and
> > a revoke list from the CA.
> >
> > If the CA went down all existing clients would be fine, I've tested that. I

Re: [Puppet Users] A Scalable HA Setup with on 2 configs, check this out !

2016-09-17 Thread Neil - Puppet List
Hello

I've run multiple puppet masters behind ha proxy for a few years now. I
have multiple masters, with haproxy rules directing some clients to
particular masters. I only have one puppet master as CA. I've about 600
clients.

Initially I was concerned about only having one CA. But all it does is sign
new clients and revoke old. Haproxy trusts the clients based on this CA and
a revoke list from the CA.

If the CA went down all existing clients would be fine, I've tested that.
I can't sign new clients or revoke existing until I recover the CA but in
my environment that's no big deal. I have backups of the CA and a new one
would not take long to spin up.

So I wonder why you want multiple CA. What benefits would it bring?

Happy to share example haproxy config etc if you are interested.

Cheers,

Neil

On 12 Sep 2016 16:07, "Peter Kristolaitis"  wrote:

> Serial numbers on SSL certificates are important, and your setup will
> generate many duplicate serial numbers.  Ergo, this is bad.
>
> Related problem:  Did you test revoking a client certificate?  I suspect
> not, because the above issue will bite you.
>
>
> On 2016-09-12 12:48 AM, Ivan Arjune wrote:
>
> Did I figure out something new here, because I've been digging at this for
> a week and don't see anyone doing it like this.
>
> What I'm doing is running multiple puppetmasters behind haproxy.  Each
> puppetmaster is an active ca server and shares a common certificate.  It
> works like a charm, in a lab.
>
> Step 1. created a common certificate that all the puppetservers will share.
> Step 2. point webserver.conf to the shared certs.
> Not a step 3. hit the masters through haproxy
>
> I posted this up on ask.puppet.com a few days ago and nobody seems
> interested in it.  Either it's a stale forum, which I believe is true, or
> they think I'm crazy.  Maybe you do too, ugg
>
> Here is the orig. post with details on the setup.
> Puppet CA Shared Certificate Guide: Scalable Puppet?
> 
>
> I'm looking to put this into production on an infra. with around 200
> nodes.  I think it's a good idea, but can't figure out why I don't see
> anyone doing it like this yet.
>
> Million dollar question:
> Why must I use a centralized ca server?
>
>
>
>


Re: [Puppet Users] Load Balancer for Puppet Master

2016-06-26 Thread Neil - Puppet List
Hello

I front puppet masters with haproxy.  haproxy handles ssl and requires a
valid client cert. Requests for a cert go to a separate ca master.

Happy to supply config if you are interested

Neil
On 24 Jun 2016 07:17, "Braian Fabián Leiva"  wrote:

> I'm trying to setup a Load Balancer in front of some Compile Masters and
> the Puppet docs says that I can achieve that either with raw TCP proxying,
> or acting as its own SSL endpoint[1]. If I configure the LB with SSL and
> SNAT will that work? Is it better to use bridging instead?
>
> [1]
> https://docs.puppet.com/guides/scaling_multiple_masters.html#option-3-use-a-load-balancer
>


Re: [Puppet Users] Re: Monitoring Puppet with Zabbix

2016-01-19 Thread Neil - Puppet List
Hello

Using puppetdb, a query against its API would be my choice if you do not
want to add custom bits to your puppet infrastructure, which is an entirely
reasonable thing to wish to avoid.

Neil
On 18 Jan 2016 07:02, "hoize"  wrote:

> Has nobody an idea...?
>
> On Thursday, 10 December 2015 16:10:24 UTC+1, hoize wrote:
>>
>> Hello!
>>
>> Is there a way to monitor puppet runs with zabbix?
>> Here is what i want to monitor:
>> - a host's puppet run is more than 20 minutes ago
>> - a puppet run fails
>>
>> I have searched through the internet, but I only found solutions which
>> work with zabbix-sender and my colleagues do not want to install
>> zabbix-sender, or to use report-processors which work like zabbix-sender.
>>
>> I hope someone can help me or maybe someone has a solution he uses..
>>
>> Thank you!
>>
>> Greets
>>


Re: [Puppet Users] Wanna see something scary ?

2015-06-16 Thread Neil - Puppet List
Their use of hiera_include is spaghetti codish and horrid. But a lot of
puppet code is.
For a framework to be flexible enough without supporting such horrors is
seemingly impossible.
You are right to be concerned.
If it were me I'd redo them as puppet classes and see if that looks better.
I'm not sure it really changes much other than appearing less scary.

Everything I say is my opinion ;)
On 16 Jun 2015 21:09, "Dan White"  wrote:

> From
> https://docs.puppetlabs.com/references/latest/function.html#hierainclude
>
> To use hiera_include,  the following configuration is required:
>
> • A key name to use for classes, e.g. classes.
> • A line in the puppet sites.pp file (e.g.
> /etc/puppetlabs/puppet/manifests/sites.pp) reading
> hiera_include('classes'). *Note that this line must be outside any node
> definition and below any top-scope variables in use for Hiera lookups.*
>
> (My italics)
>
> 
> The way hiera_include is being used is just asking for unexpected effects.
> 
>
> In the immortal words of Dennis Miller, "Of course that's just my opinion,
> I could be wrong."
>
> “Sometimes I think the surest sign that intelligent life exists elsewhere in 
> the universe is that none of it has tried to contact us.”  (Bill Waterson: 
> Calvin & Hobbes)
>
>
> On Jun 16, 2015, at 02:09 PM, Neil  wrote:
>
> Whilst I don't like it, I'm intrigued as to what is scaring you?
>
> Looks like someone has modelled profiles in hiera/yaml rather than saying
>
> include profile::aa
>
>   and having
>
> class profile::aa () {
>   include syslog
>   include ttys
> }
>
> Perhaps they just felt like it?
>
> If you trust people puppet you are trusting them with the resources the
> manifests are applied to. Probably best if they don't scare you ;)
> On 16 Jun 2015 18:11, "Dan White"  wrote:
>
>> It scared the beans out of me when I found this code in a manifest I am
>> tasked to update / refactor.
>> Does this look as outrageously wrong to you all as it looks to me ?
>>
>> Variable names have been edited to protect the guilty
>>
>> class role::one {
>>   hiera_include('profile::aa')
>>   hiera_include('profile::bb')
>>   hiera_include('profile::cc')
>> }
>> ...and then in common.yaml:
>>
>> profile::aa :
>>   - syslog
>>   - ttys
>>   - ...(continues)
>>
>> “Sometimes I think the surest sign that intelligent life exists elsewhere in 
>> the universe is that none of it has tried to contact us.”  (Bill Waterson: 
>> Calvin & Hobbes)
>>
>>


Re: [Puppet Users] A case for git (SVN vs Git)

2015-06-16 Thread Neil - Puppet List
Hello

With git I can commit branch etc and test on VMs all on my laptop with no
internet access. So features come one at a time when I get back online and
push.

When I had svn a lot of features would just appear in a single commit.
Horrid.

Not 100% joking
If your organisation is big enough you could run a parallel test of both,
though those who get svn may not speak to you again :)

Neil
On 15 Jun 2015 15:31, "Paul Seward"  wrote:

> On 12 June 2015 at 19:14, Ramin K  wrote:
>
>>
>> Being somewhat in the middle of a similar conversation at $dayjob
>> I believe it's a mistake to focus on the technology rather than the
>> outcome. I would focus on workflow, integration, and tooling instead.
>> Particularly the local branch per feature or ticket to review board to
>> merge to release branch is flexible, powerful, and relatively easy to
>> understand.
>>
>
> Having recently been through this (we used to use svn and have migrated to
> git) - the workflow/tooling are definitely the thing to focus on when
> describing it to management.
>
> Feature branch based workflow, with code reviewed merge requests (which
> can also be queued pending review board approval if that's how you roll)
> are an easy sell to management - and a world of pain to manage in svn.
>
> With git (and a supporting toolset like
> github/bitbucket/gitlab/stash/whatever) that branch/merge based workflow is
> super easy.
>
> "You'll find yourself about 900x more agile with git or the like" -
>> Binford2k
>>
>
> branching/merging in git is really the killer feature for me.  Compared to
> svn, branch/merge is almost so easy it's fun!
>
> Since moving from svn to git, our time-to-fix has gone down, changes are
> easier to stage so are more predictable, and we're pushing around 3 times
> as many changes through per week than we were able to before. Yet all those
> changes are peer reviewed and discussed before they're merged to
> production, in a level of detail which just wasn't possible before.
>
> It's made us more productive at a higher level of quality - and why
> wouldn't a decision maker want that?
>
> Regarding the document linked to by the OP
> https://github.com/logicminds/A-Case-For-Git.git - there are some claims
> in there which stretch the truth a bit too far for my liking - eg all the
> stuff about r10k not working with svn, or that you lock yourself out of
> using 3rd party modules without a lot of effort.
>
> I've never tried, but I can't see anything technologically that would stop
> you from using svn for your local code control and still using r10k to
> retrieve 3rd party modules via git - but the document reads like the sky
> will fall in if I try.
>
> When I'm presenting options to management, I generally need an unbiased
> assessment of the problem space, a description of what I'm trying to
> achieve, and a clear, unbiased assessment of how each of the options
> meets/misses those criteria.
>
> I would suggest starting by defining a desired workflow (eg, problem is
> identified, development environment created, change made, change tested,
> change queued for approval, fix merged to production) then evaluating how
> svn and git meet those requirements in a fair unbiased manner.
>
> Obviously git will still win in any scenario which involves
> branching/merging - but at least you'll have gone about it in a structured
> way, and that's hard to argue against.
>
> -Paul
> --
> --
> Paul Seward, University of Bristol
> paul.sew...@bristol.ac.uk  +44 (0)117 39 41148GPG Key ID: E24DA8A2
> GPG Fingerprint:7210 4E4A B5FC 7D9C 39F8  5C3C 6759 3937 E24D A8A2
>


Re: [Puppet Users] ERB template issues in an xml document

2015-04-14 Thread Neil - Puppet List
Another random thought, run dos2unix on the template?
On 14 Apr 2015 22:39, "Neil - Puppet List" 
wrote:

> Glad you just care why.
>
> so I agree you should not be seeing the extra lines.
>
> Do you have extra whitespace after the > ?
>
> key and value are bothering me.
> Is key something else unrelated? (Should it be @key?) If you remove that
> line do you get the same behaviour?
>
> Neil
> I care because I shouldn't be getting the new line if I'm using the
> closing -%> correct? And in any other type of file I do this very same
> syntax I don't get empty lines. So why is it happening here?
>
> On Tuesday, April 14, 2015 at 3:10:58 PM UTC-4, Neil - Puppet List wrote:
>>
>> Hello
>>
>> You have 3 newlines there which I've marked with Xs I expect you to get
>> N+2.
>>
>> But why do you care? Out of "I wonder why that is happening?" Is fine.
>> Beyond that the XML is for a machine not you to spend your time reading. I
>> hope :)
>>
>> Neil
>> On 14 Apr 2015 16:20, "Mark Rosedale"  wrote:
>> >
>> > So I have an erb template. x.xml.erb
>> >
>> > Inside the file I iterate over an array to add some contents to the
>> file. It looks like so.
>> >
>> > 
>> > X
>> > <%- @x_custom.each do |value| -%>
>> >   <%= value %>X
>> > <%- end -%>X
>> >   <%= key %>
>> >
>> > However, I'm having an issue when puppet actually updates that file. If
>> I have an array with one value in it I'd expect 1 line to be printed
>> instead 3 lines get printed out. So the file might look like this
>> >
>> > 
>> > 
>> >
>> >
>> >   text
>> >
>> >
>> >   somekey
>> >
>> > I've iterated over arrays in other templates in my puppet code without
>> any issue of added lines, but for some reason xml files seem to be giving
>> me trouble. Anyone else experience this, or have an idea what might be
>> going on here?
>> >


Re: [Puppet Users] ERB template issues in an xml document

2015-04-14 Thread Neil - Puppet List
Glad you just care why.

so I agree you should not be seeing the extra lines.

Do you have extra whitespace after the > ?

key and value are bothering me.
Is key something else unrelated? (Should it be @key?) If you remove that
line do you get the same behaviour?

Neil
I care because I shouldn't be getting the new line if I'm using the closing
-%> correct? And in any other type of file I do this very same syntax I
don't get empty lines. So why is it happening here?

On Tuesday, April 14, 2015 at 3:10:58 PM UTC-4, Neil - Puppet List wrote:
>
> Hello
>
> You have 3 newlines there which I've marked with Xs I expect you to get
> N+2.
>
> But why do you care? Out of "I wonder why that is happening?" Is fine.
> Beyond that the XML is for a machine not you to spend your time reading. I
> hope :)
>
> Neil
> On 14 Apr 2015 16:20, "Mark Rosedale"  wrote:
> >
> > So I have an erb template. x.xml.erb
> >
> > Inside the file I iterate over an array to add some contents to the
> file. It looks like so.
> >
> > 
> > X
> > <%- @x_custom.each do |value| -%>
> >   <%= value %>X
> > <%- end -%>X
> >   <%= key %>
> >
> > However, I'm having an issue when puppet actually updates that file. If
> I have an array with one value in it I'd expect 1 line to be printed
> instead 3 lines get printed out. So the file might look like this
> >
> > 
> > 
> >
> >
> >   text
> >
> >
> >   somekey
> >
> > I've iterated over arrays in other templates in my puppet code without
> any issue of added lines, but for some reason xml files seem to be giving
> me trouble. Anyone else experience this, or have an idea what might be
> going on here?
> >
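The question about whitespace after the `>`, and the dos2unix suggestion from the same thread, can both be checked mechanically. The following is an added example, not code from the thread: it assumes the template is rendered with ERB's `-` trim mode (as Puppet does), and the XML element names are constructed because the archive lost the original tags.

```ruby
require 'erb'

# Constructed stand-in for the x.xml.erb fragment discussed in the thread.
# The element names are assumptions; the archive lost the original tags.
CLEAN = <<~'TEMPLATE'
  <items>
  <%- @x_custom.each do |value| -%>
    <item><%= value %></item>
  <%- end -%>
  </items>
TEMPLATE

# Same template with one space after each "-%>" (the "extra whitespace after
# the >" case) and with DOS line endings (what dos2unix would remove).
TRAILING = CLEAN.gsub("-%>\n", "-%> \n")
CRLF     = CLEAN.gsub("\n", "\r\n")

# Render with the "-" trim mode and @x_custom set as an instance variable,
# the way a Puppet template sees it.
def render(template, values)
  scope = Object.new
  scope.instance_variable_set(:@x_custom, values)
  ERB.new(template, trim_mode: '-').result(scope.instance_eval { binding })
end

# Line numbers where "-%>" is followed by anything other than the newline
# itself (spaces, tabs or a carriage return).
def untrimmed_tag_lines(template)
  template.each_line.with_index(1)
          .select { |line, _| line.match?(/-%>[ \t\r]+\n?\z/) }
          .map { |_, number| number }
end

if __FILE__ == $PROGRAM_NAME
  puts render(CLEAN, ['text']).inspect
  puts render(TRAILING, ['text']).inspect
  puts "lines to fix (trailing): #{untrimmed_tag_lines(TRAILING).inspect}"
  puts "lines to fix (CRLF):     #{untrimmed_tag_lines(CRLF).inspect}"
end
```

With one array value, the trailing-space variant renders two whitespace-only lines that the clean template does not, because `-%>` only swallows a newline that follows it immediately.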


Re: [Puppet Users] ERB template issues in an xml document

2015-04-14 Thread Neil - Puppet List
Hello

You have 3 newlines there which I've marked with Xs I expect you to get N+2.

But why do you care? Out of "I wonder why that is happening?" Is fine.
Beyond that the XML is for a machine not you to spend your time reading. I
hope :)

Neil
On 14 Apr 2015 16:20, "Mark Rosedale"  wrote:
>
> So I have an erb template. x.xml.erb
>
> Inside the file I iterate over an array to add some contents to the file.
It looks like so.
>
> 
> X
> <%- @x_custom.each do |value| -%>
>   <%= value %>X
> <%- end -%>X
>   <%= key %>
>
> However, I'm having an issue when puppet actually updates that file. If I
have an array with one value in it I'd expect 1 line to be printed instead
3 lines get printed out. So the file might look like this
>
> 
> 
>
>
>   text
>
>
>   somekey
>
> I've iterated over arrays in other templates in my puppet code without
any issue of added lines, but for some reason xml files seem to be giving
me trouble. Anyone else experience this, or have an idea what might be
going on here?
>


[Puppet Users] Re: collector in class with same name as tag causes all virtual resources of the type to be realized

2015-04-07 Thread Neil - Puppet List
Here is a similar example using notify

== site.pp ==
node default {
  include noticegroups::matches
}
== modules/noticegroups/manifests/matches.pp ==
class noticegroups::matches {
  include notices
  Notices::Anotice <| tag == matches |>
}
== modules/notices/manifests/anotice.pp ==
define notices::anotice {
  notify { $title: }
}
== modules/notices/manifests/data.pp ==
class notices::data {
  @notices::anotice { 'meant to be made': tag=>['matches'], }
  @notices::anotice { 'NOT meant to be made': tag=>['doesnotmatch'], }
}
== modules/notices/manifests/init.pp ==
class notices {
  include notices::data
}

with that I get the behaviour I expect in puppet 3.6 and broken in 3.7

if I change class noticegroups::matches to noticegroups::iwantmatches then
only the resource I want gets realized

this just seems like 3.7 broke something to me

On 7 April 2015 at 11:34, Neil - Puppet List <
maillist-pup...@iamafreeman.com> wrote:

> Hello
>
> I'm upgrading from 3.6 to 3.7 and have hit an issue/bug
>
> I'm using users/groups but to keep it short and something others can run
> without the mess of users being made I've made up a file example
>
> == modules/filegroups/manifests/matches.pp ===
> class filegroups::matches {
>   include files
>   Files::Afile <| tag == matches |>
> }
> == modules/files/manifests/afile.pp ===
> define files::afile {
>   file { $title: ensure=>present, content=>'hello', }
> }
> == modules/files/manifests/data.pp ===
> class files::data {
>   @files::afile { '/tmp/meanttobemade': tag=>['matches'], }
>   @files::afile { '/tmp/notmeanttobemade': tag=>['doesnotmatch'], }
> }
> == modules/files/manifests/init.pp ===
> class files {
>   include files::data
> }
> == site.pp ===
> node default {
>   include filegroups::matches
> }
>
> makes both files
> Notice:
> /Stage[main]/Files::Data/Files::Afile[/tmp/notmeanttobemade]/File[/tmp/notmeanttobemade]/ensure:
> created
>
>
> If I rename modules/filegroups/manifests/matches.pp
> to  modules/filegroups/manifests/iwantmatches.pp (and change the first line)
> or rename the tag I get the desired behaviour
>
> Anyone else seen this? Is this a bug?
>
> There is a matching old question at askpuppetlabs
> https://ask.puppetlabs.com/question/14349/upgrade-to-371-causes-resource-collectors-to-realize-everything/
> that I've chipped in on the end of
>
> Thanks,
>
> Neil
>



[Puppet Users] collector in class with same name as tag causes all virtual resources of the type to be realized

2015-04-07 Thread Neil - Puppet List
Hello

I'm upgrading from 3.6 to 3.7 and have hit an issue/bug

I'm using users/groups but to keep it short and something others can run
without the mess of users being made I've made up a file example

== modules/filegroups/manifests/matches.pp ===
class filegroups::matches {
  include files
  Files::Afile <| tag == matches |>
}
== modules/files/manifests/afile.pp ===
define files::afile {
  file { $title: ensure=>present, content=>'hello', }
}
== modules/files/manifests/data.pp ===
class files::data {
  @files::afile { '/tmp/meanttobemade': tag=>['matches'], }
  @files::afile { '/tmp/notmeanttobemade': tag=>['doesnotmatch'], }
}
== modules/files/manifests/init.pp ===
class files {
  include files::data
}
== site.pp ===
node default {
  include filegroups::matches
}

makes both files
Notice:
/Stage[main]/Files::Data/Files::Afile[/tmp/notmeanttobemade]/File[/tmp/notmeanttobemade]/ensure:
created


If I rename modules/filegroups/manifests/matches.pp
to  modules/filegroups/manifests/iwantmatches.pp (and change the first line)
or rename the tag I get the desired behaviour

Anyone else seen this? Is this a bug?

There is a matching old question at askpuppetlabs
https://ask.puppetlabs.com/question/14349/upgrade-to-371-causes-resource-collectors-to-realize-everything/
that I've chipped in on the end of

Thanks,

Neil



Re: [Puppet Users] puppetlabs/concat Problem on Windows

2015-03-26 Thread Neil - Puppet List
Hello

As it is a param to the file resource you could set it as the default with

File { source_permissions => ignore, }

Be warned that it may mess up other file resources.

Neil
On 13 Mar 2015 15:13, "Fraser Goffin"  wrote:

> Hi,
>
> I am attempting to use the puppetlabs/concat module on Windows, but having
> some problems. To keep things really simple since it illustrates the
> problem, here is the manifest I'm using (note: it just uses concat at this
> stage) :-
>
> class concat_file {
>
>   concat { 'E:/Temp/puppetTests/myfiles/concatFile.txt':
>     ensure => present,
>   }
> }
>
> When run the following is output :-
>
> Warning: Copying owner/mode/group from the source file on Windows is
> deprecated; use source_permissions => ignore.
>(at D:/Apps/puppet/puppet/lib/puppet/type/file/source.rb:133:in `block
> in copy_source_values')
> Debug:
> /Stage[main]/Concat::Setup/File[C:/ProgramData/PuppetLabs/puppet/var/concat/bin/concatfragments.rb]:
> Copying owner
> from the source file on Windows is deprecated; use source_permissions =>
> ignore.
> ...
> Error:
> /Stage[main]/Concat::Setup/File[C:/ProgramData/PuppetLabs/puppet/var/concat/bin/concatfragments.rb]:
> Could not evaluate:
> Could not read file
> C:/ProgramData/PuppetLabs/puppet/var/concat/bin/concatfragments.rb:
> Permission denied -
> C:/ProgramData/PuppetLabs/puppet/var/concat/bin/concatfragments.rb
>
> followed by a number of other consequent errors.
>
> The Warning is fair enough, but obviously I can't add source_permissions
> as a param since the concat manifest doesn't support it and will throw an
> invalid param error if I try. It's just a warning so OK, let's move on.
>
> As part of setup (now included by default in init.pp) concatfragments.rb
> is copied to location shown, but clearly does not have permissions to read
> it ?
>
> If I look at this file I can see that it indeed does not have read (or any
> other) permissions set.
>
> I tried adding values user, group and mode but to no avail.
>
> Can anyone suggest what I need to do here ?
>
> Kind Regards
>
> Fraser.
>


Re: [Puppet Users] Manage a single file (directory) from multiple modules

2014-09-23 Thread Neil - Puppet List
file { "/System/Library/User
Template/English.lproj/Library/Preferences/${source}" :  # the source is
the file from the line directly below, this seems true as the correct files
copy when I have only

No, it's just not like that

$source would need to be defined in or passed to the scope your file
resource is in.
It does not refer to the source parameter to the file resource itself.

To try and get back on the right track i suggest you try just putting two
files in place one from each calling class.

I really don't think a recursive directory is what you want. And I don't
think having two of them will ever work.

You should be specifying the names of the individual files.

Please post your complete code

Neil
On 23 Sep 2014 18:46,  wrote:

> I thought I had it, but I don't.  I will post my code and explain what I
> think it is doing.  Perhaps someone can see my misunderstanding.
>
> This is init.pp in a module called managed_preferences.
>
> class managed_preferences {
> }
>
> define mac_managed_preferences ($application) {
>   # application variable is the name of the application from the module
>   # which installs the application
>   include managed_preferences
>
>   # the source is the file from the line directly below, this seems true as
>   # the correct files copy when I have only one application
>   file { "/System/Library/User Template/English.lproj/Library/Preferences/${source}":
>     # application from the module with the install command, finds the files I
>     # want to copy to the client in the /Preferences folder.  In this example
>     # office_2011
>     source  => "puppet:///modules/${application}/Preferences/",
>     owner   => "root",
>     group   => "wheel",
>     mode    => "600",
>     recurse => "true",
>   }
> }
>
> This is code from init.pp from a module called office_2011 which installs
> the application.
>
> mac_managed_preferences { "$module_name":
>   # resolves to the folder or class name of the application, allows path to be
>   # resolved for the Preferences folder on the server to be located.
>   application => $module_name,
> }
>
> When I have both applications assigned to the client, I get the duplicate
> declaration.  When only one is assigned, it works as expected.
>
> The duplication error is as follows:  Duplicate declaration:
> File[/System/Library/User Template/English.lproj/Library/Preferences/]
>
> Having variables in the source and destination is what I thought I needed.
> I feel that the declaration is duplicate because I am declaring file
> /Preferences/$(source) which is different for each module that
> communicates with this one.
>
> I know it has been explained, and I just don't understand.  How is
> mac_managed_preferences declared twice?
>
> Sorry and thanks.
>
>
> On Tuesday, September 23, 2014 10:23:36 AM UTC-5, aar...@gmail.com wrote:
>>
>> John,
>>
>> I would like to re-explain the problem I am trying to solve to make sure
>> that what I want to do is possible, and that it can be done in the way you
>> are trying to help me.
>>
>> In my first post, I mentioned wanting different modules to write to the 
>> /System/Library/User
>> Template/English.lproj/Library/Preferences/ folder.  Which I will now
>> just call preferences.
>>
>> I have two modules I am working on, one installs Office 2011, and one
>> installs Maya 2012.  Office has three files that I want to put in the
>> preferences folder, and Maya has one.
>>
>> So the tree on each client would be:
>>
>> /preferences/com.microsoft.*
>> /preferences/com.autodesk.*
>>
>> As you can see, the files are in the root of the preferences folder, not
>> subfolders of it.
>>
>> It is possible other modules (applications I install) may have individual
>> files in the root of preferences and a subfolder, or just a subfolder with
>> preferences inside.
>>
>> I envision on my master I would have the preferences that I need copied
>> to the preferences of the client to be in the 
>> modules/office_2012/files/preferences
>> folder.
>>
>> I hope this clears the problem up and I have an idea for another solution
>> if the above approach won't work.
>>
>> Is it possible for puppet to read the files in the preferences folder on
>> the master in a loop and the file name be a variable so that the file type
>> (/Preferences/${variable}) would be the correct destination?
>>
>>
>>
>> On Tuesday, September 23, 2014 8:49:10 AM UTC-5, jcbollinger wrote:
>>>
>>>
>>>
>>> On Monday, September 22, 2014 4:51:38 PM UTC-5, aar...@gmail.com wrote:

 I did the following to see if it would work, and I got (for me anyway)
 a surprising result.  It may be the source of some of my confusion and
 reason why I'm finding this so difficult.  Note, I don't want to do this
 this way.  I just did it as an experiment.

 define mac_managed_preferences ($source) {
   include managed_preferences

   file { "/System/Library/User 
 Template/English.lproj/Library/Preferences/${source}"
 :
 source  => "puppet:///m

Re: [Puppet Users] Manage a single file (directory) from multiple modules

2014-09-22 Thread Neil - Puppet List
Hello

I do not think that is possible or really desirable. Puppet is about
desired state so you can not say the directory should both be
/pathtodir
├── fileA
└── fileB

and /tmp should be
/pathtodir
├── fileB
└── fileC

as the first says must not have fileC and the second says must have fileC.
Those are conflicting.

Back to what you could do, which is to write to two separate directories
and then merge them together with a separate command that is triggered by
either directory changing. But you should not go down that route especially
in a situation like this where you can specify exactly what files you want.

Going to your original post what you are trying to do is write the
preferences for a particular application in the User Template for that
application. Trouble is, looking on my mac, there are multiple plist files
there for each application

so transform your
file { "System/Library/User Template/English.lproj/Library/Preferences/":
  source  => "puppet:///modules/office_2011/Preferences",
  owner   => "root",
  group   => "wheel",
  mode    => 600,
  recurse => true,
  require => Package["$main_package"],
}

into

$components = ['com.microsoft.Excel.plist','com.microsoft.Outlook.plist',]

macprefs::usertemplate{ $components:
  require=> Package[$main_package],
  sourcebase => 'puppet:///modules/office_2011/Preferences',
}

(or that can be wrapped up into a define for this set of prefs,)

now you need to implement macprefs::usertemplate. (I've ignored the
language/locale issue which could complicate matters)

so now you make a module and in there you do similar things to John's post

in a file macprefs/manifest/init.pp start by making "/System/Library/User
Template"

class macprefs {
  # A shared resource:
  file { '/System/Library/User Template/English.lproj/Library/Preferences':
    ensure => 'directory',
    owner  => 'root',
    group  => 'wheel',
    mode   => '0700',
  }
}

in a file macprefs/manifest/usertemplate.pp

define macprefs::usertemplate($sourcebase) {
  # relies on the preferences base directory:
  include 'macprefs'

  # A file in the templates directory. The caller's require metaparameter
  # applies to this resource automatically; a define cannot declare $require
  # as its own parameter.
  file { "/System/Library/User Template/English.lproj/Library/Preferences/${title}":
    ensure => 'file',
    source => "${sourcebase}/${title}",
    owner  => 'root',
    group  => 'wheel',
    mode   => '0600',
  }
}


Neil

On 22 September 2014 17:30,  wrote:

> Thanks John,
>
> By putting the /etc/preferences/${title} in the file line, aren't you
> putting a subfolder in the preferences folder on the puppet agent?  I tried
> to follow your example and it happened to me.
>
> What I am looking to do is to have different modules writing into the base
> folder, in your example "/etc/preferences/".  The modules won't ever have
> the same file names, so overwriting isn't a concern.
>
> Is this possible?
>
>
> On Monday, September 22, 2014 9:33:04 AM UTC-5, jcbollinger wrote:
>>
>>
>>
>> On Saturday, September 20, 2014 2:33:34 PM UTC-5, aar...@gmail.com wrote:
>>>
>>> Thanks Neil,
>>>
>>> I am not sure I understand exactly what you mean, so I will post the
>>> code I have done for testing (I am using different paths, but the concept
>>> is the same as the original post).
>>>
>>> Here is the class with the define.  It is in a module called
>>> copy_directory.
>>>
>>> class copy_directory {
>>> }
>>>
>>> define managed_preferences ($source = undef) {
>>>   file {"/tmp/":
>>>     source  => "puppet:///modules/${source}/tmp",
>>>     recurse => true,
>>>     owner   => "root",
>>>     group   => "root",
>>>     mode    => 600,
>>>   }
>>> }
>>>
>>> Here is the module that calls it.
>>>
>>> include copy_directory
>>>
>>> class test_module {
>>>   managed_preferences { 'title':
>>>     source => "$module_name",
>>>   }
>>> }
>>>
>>> I also created a module called test_module2 with the same code.  I know
>>> that file {"/tmp/": is causing the problem, but the entire point is
>>> different modules copy files into that directory. To me I'm defining it
>>> once, and using it twice.  As I defined it in the copy_directory module,
>>> and I am using it in the test_module and test_module2.   What am I doing
>>> wrong?
>>>
>>>
>>
>> A class may be declared multiple times (though the resource-like syntax,
>> if used, must be the first one evaluated), with the same effect as
>> declaring it just once.  That is, classes are idempotent.  Ordinary
>> resources, including defined-type instances, may be declared only once.
>> Given that defined types are usually meant to allow multiple instances, it
>> follows that defined type instances must declare only resources that wholly
>> belong to them; they must not declare shared resources.  Instead, they
>> can rely on a class to declare the shared resources.
>>
>> For example:
>>
>> class my_module::preferences_base {
>>   # A shared resource:
>>   file { '/etc/preferences':
>> ensure => 'directory',
>> owner  => 'root',
>> owner  => 'gr
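
The quoted reply is cut off in this archive. The pattern it describes (a class owns the shared directory, each defined-type instance owns only its own file) looks like this as a complete manifest. This is an added example, not jcbollinger's code; the `preferences` module, its `managed_file` define and the file names are hypothetical, and the typed parameters assume Puppet 4 or later:

```puppet
# Added example; module, class, define and file names are hypothetical.

# Declares the shared directory exactly once. Classes are idempotent, so any
# number of defined-type instances can include this class without causing a
# duplicate declaration error.
class preferences::base {
  file { '/etc/preferences':
    ensure => 'directory',
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }
}

# One instance per managed file. Each instance declares only a resource it
# wholly owns (a uniquely named file) and relies on the class above for the
# shared parent directory.
define preferences::managed_file (
  String $source_module,
  String $filename = $title,
) {
  include preferences::base

  # The file resource autorequires its parent directory, so the directory
  # from preferences::base is always managed first.
  file { "/etc/preferences/${filename}":
    ensure => 'file',
    source => "puppet:///modules/${source_module}/preferences/${filename}",
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
  }
}

# Two unrelated modules can now place files in the same directory.
# $module_name is evaluated in the calling class, so each instance pulls
# from its own module's files/ directory.
class test_module {
  preferences::managed_file { 'test_module.conf':
    source_module => $module_name,
  }
}

class test_module2 {
  preferences::managed_file { 'test_module2.conf':
    source_module => $module_name,
  }
}
```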

Re: [Puppet Users] puppetlabs-apache n00b question - docroot value for fully proxied virtual host?

2014-09-17 Thread Neil - Puppet List
Set it to /dev/null ?
On 17 Sep 2014 17:53, "Hunter Haugen"  wrote:

> Yeah, basically `$docroot` is still a required parameter because
> historically it was required (apache::vhost didn't do proxy stuff) and was
> never updated. If you want to make a PR that makes it default to `undef`
> and then raises helpful errors in cases when it is needed, then that would
> be great :).
>
>
>
> -Hunter
>
> On Tue, Sep 16, 2014 at 4:49 AM, Antoine Cotten 
> wrote:
>
>> Unfortunately you can't. This is a restriction of Apache, which requires
>> a docroot value for every vhost, and not of Puppet.
>>


Re: [Puppet Users] Very large Hiera File

2014-09-04 Thread Neil - Puppet List
Hello

I hit a similar issue but took a hackish way out. I now have a script that
converts my yaml to a file full of virtual resources.
It's a bit yuck but compile time is much better.

Neil
On 3 Sep 2014 21:07, "Trevor Vaughan"  wrote:

> Honestly, if you have a large number of accounts, I would go with LDAP.
> Redundancy isn't an issue and it does everything that you want it to.
>
> Trevor
>
>
> On Wed, Sep 3, 2014 at 3:23 PM, Terrence Martin  wrote:
>
>> Hi,
>>
>> I have a large Hiera file that I want to use for a module that creates
>> accounts on my systems. The module is
>> https://forge.puppetlabs.com/torrancew/account
>>
>> In any case the issue is I get an error
>>
>> Error: Could not retrieve catalog from remote server: execution expired
>> Warning: Not using cache on failed catalog
>> Error: Could not retrieve catalog; skipping run
>> Error: Could not run Puppet configuration client: execution expired
>>
>> It seems there is a timeout caused by the size of the Hiera file. Presumably
>> this is due to all of the accounts I have placed in my hiera.yaml file.
>>
>> My question is whether or not it is possible to configure puppet to
>> extend the time for compilation to take these large hiera files into
>> account, or if there are any suggestions on how to improve things to
>> increase the time to compile the yaml file?
>>
>> At the end of the day I do not really need the accounts as much as I
>> just need the usernames on these systems due to the storage system we
>> use. I do not want to have a central user management system as that
>> creates a single point of failure. So that means I could in fact just
>> have puppet manage a static file that adds to the /etc/passwd file.
>>
>>
>> However I would prefer to maintain consistency
>>
>>
>> Any suggestions on how best to approach this in puppet are of course
>> appreciated. :)
>>
>> Terrence
>>
>>
>>
>>
>>
>
>
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699
> tvaug...@onyxpoint.com
>
> -- This account not approved for unencrypted proprietary information --
>


Re: [Puppet Users] Re: Open puppet port(s) to the internet

2014-06-18 Thread Neil - Puppet List
Hi

Running puppet on port 443 might be a good move if you expect your laptops
to be using cafe, hotel, airport style wifi.

sslh might be a suitable tool to proxy for puppet; I've not tried it, though.

Regards

Neil
 On 18 Jun 2014 14:30, "jcbollinger"  wrote:

>
>
> On Tuesday, June 17, 2014 12:19:08 PM UTC-5, jmp242 wrote:
>>
>> I probably don't really understand much about how puppet connects to the
>> clients, but is there a big security risk about opening it up to the
>> internet so laptops can get their configuration... If it's "safe enough"
>> for any value of safe, what ports does it use?
>>
>> Thanks,
>>
>
>
> In normal operation, Puppet  (the master) *doesn't* connect to clients --
> the clients connect to it (on port 8140), thereby establishing a two-way
> communication channel.
>
> Client-side firewalls need to allow outgoing traffic to that port, and
> accept incoming traffic belonging to an established connection to that
> port.  Those permissions can be narrowed to specific destination networks
> or machines, if needed.  For its part, the master needs to accept
> connections on port 8140 from all client machines; that can be narrowed to
> traffic originating on specific networks, if you wish.
>
> Each end of the conversation between agent and master authenticates to the
> other via SSL certificate.  Spencer understated the security there: on the
> web, most SSL connections are authenticated only on one end, so Puppet's
> communications are even better secured.
>
> With that said, if you want laptops in the field to be able to retrieve
> their configuration, then you have the alternative of requiring them to
> establish a VPN connection to your internal network in order to do so
> (especially if users will want / need to use VPN anyway), or of just
> letting them go without syncing until they return home.  The Puppet service
> itself is pretty well secured, but allowing connections from anywhere on
> the internet increases your exposure to network-level attacks.
>
>
> John
>
>
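
The master-side narrowing described in the quoted reply (accept port 8140 only from the networks your agents live on) can be expressed as a Puppet class. This is an added example, not code from the thread: it assumes the puppetlabs-firewall module, which the thread does not mention, and the class name, parameters and networks are constructed for illustration:

```puppet
# Added example, not from the thread. Assumes the puppetlabs-firewall module
# is installed; written for releases that take the verdict in `action`
# (check the parameter name in the release you run).
class profile::puppetmaster_firewall (
  # Constructed sample networks; replace with the ranges your agents use.
  Array[String] $agent_networks = ['10.20.0.0/16', '192.0.2.0/24'],
  Integer       $master_port    = 8140,
) {
  # One accept rule per network that is allowed to reach the master.
  # The numeric prefix in the rule name controls rule ordering.
  $agent_networks.each |Integer $index, String $network| {
    $rule_name = sprintf('%03d accept puppet agents from %s', 100 + $index, $network)

    firewall { $rule_name:
      chain  => 'INPUT',
      proto  => 'tcp',
      dport  => $master_port,
      source => $network,
      action => 'accept',
    }
  }

  # Anything else aimed at the master port is dropped before it reaches the
  # service. Certificate authentication still applies to the traffic that
  # the accept rules let through.
  firewall { '199 drop other traffic to puppet master port':
    chain  => 'INPUT',
    proto  => 'tcp',
    dport  => $master_port,
    action => 'drop',
  }
}
```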



Re: [Puppet Users] How to apply a set of configurations to a specific host group?

2014-04-23 Thread Neil - Puppet List
Hello

I think you'd probably be best served by using a sql backend to hiera.

This would allow you to think and configure in terms of host groups but
hiera to find that a host has a class of group.

A view or two might be needed to keep things tidy.

Neil
On 23 Apr 2014 21:42, "Sans"  wrote:

>
> Thanks Jose!
> That trick worked (I've actually used that thing before) but I was
> wondering if there is a way to do it "properly", like creating  a
> host-group or something like that.
>
> Best!
>
> On Wednesday, April 23, 2014 12:25:09 PM UTC+1, Jose Luis Ledesma wrote:
>>
>> Hi,
>>
>> You can use a default node definition, checking if the hostname is inside
>> any of your array declarations.
>>
>> Regards,
>>


Re: [Puppet Users] Re: Reg : War deployment with Puppet

2014-01-30 Thread Neil - Puppet List
Puppi?
On 30 Jan 2014 13:52, "Andrey Kozichev"  wrote:

> we used to package into rpms as well
>
>
> On 30 January 2014 11:50, PaulC  wrote:
>
>> Must admit I would be interested in seeing what other people's approaches
>> have been for this, we have been thinking about going down the route of
>> getting the war files and any relevant library files put into a rpm/deb
>> package and getting puppet to install the rpm through the OS package manager.
>>
>> Paul C.
>>
>>
>> On Thursday, 30 January 2014 06:54:26 UTC, krishna bhaskara rao wrote:
>>>
>>> Hi,
>>>
>>> Can anyone share me sample snippets to deploy war in tomcat? If
>>> deployment fails, how to rollback?
>>>
>>> With Regards,
>>> Krishna.
>>>


Re: [Puppet Users] puppet open source and vmware template

2013-11-29 Thread Neil - Puppet List
When you deploy a vm from the template give it a host name.  Then the first
puppet run will make a new cert. Set puppet master to autosign and you are
in business.
Neil
On 29 Nov 2013 12:09, "kaustubh chaudhari"  wrote:

> Hi All,
>
> Fairly new to puppet!
>
> I wanted to include puppet agent in a vmware template. Of course this can
> be done, but I have a question.
>
> What about the certificates? All the vms created with that template will
> have the same certificate. How to fix that?
> I am sure there is a solution but I don't know how; can someone put some
> light/redirect me to the documentation!
>
> Thanks!
> Kaustubh
>


Re: [Puppet Users] question about file {} type

2013-11-25 Thread Neil - Puppet List
Gid should be a number?
On 25 Nov 2013 18:14, "Stuart Cracraft"  wrote:

> My class reads like:
>
> class name1::name2 ($gidvariable) {
>   file { "somepath-to-file":
>     ensure => file,
>     mode   => '0640',
>     gid    => $gidvariable,
>   }
> }
>
> The problem is that the file isn't getting set to the $gidvariable's value
> which is a string "abc".
>
> The other things work (presence as file, mode).
>
> Stuart


Re: [Puppet Users] file resource calling a 'define'd exec syntax?

2013-11-17 Thread Neil - Puppet List
Hello
First up, the file type supports selinux roles etc., so you might not need any
of that.
If you did, make the exec resource refreshonly and notify it from the file
resource.
Anyway, the parser is right: the syntax is bad. Inside the curly it's always
like
type{'name':
  var => value,
Followed by more of the same pairs
}
Neil
On 17 Nov 2013 20:34, "dkoleary"  wrote:

> Hi;
>
> This one should be easy; but, so far, it's eluding me.
>
> I would like to configure ssh to use a different directory for authorized
> keys files.  I have the file resource which that works on its own.  I want
> the file resource to call the exec to set the selinux type on the directory
> when needed.  Here's what I have:
>
> class ssh::config
> {
>     define sshdir_selinux() {
>         exec { "/usr/bin/chcon -R -t ssh_home_t $ssh::params::ssh_authkey_dir": }
>     }
>     # exec { 'sshdir_selinux':
>     #     command => "chcon -R -t ssh_home_t $ssh::params::ssh_authkey_dir",
>     #     path    => '/usr/bin',
>     #     require => File["$ssh::params::ssh_authkey_dir"],
>     # }
>     file { $ssh::params::ssh_authkey_dir:
>         ensure => directory,
>         owner  => root,
>         group  => root,
>         mode   => '0755',
>     }
>     file { $ssh::params::ssh_rootkeys:
>         ensure => present,
>         owner  => root,
>         group  => sys,
>         mode   => '0750',
>         source => 'puppet:///modules/ssh/authorized_keys.root',
>         sshdir_selinux { },
>     }
> }
>
> My searches (particularly:
> https://support.mayfirst.org/wiki/how-to/puppet/layout#defines)  seem to
> indicate this is the right syntax; but I keep getting:
>
> # ptest
> Error: Syntax error at '{'; expected '}' at
> /root/modules/ssh/manifests/config.pp:62 on node
> puppet.olearycomputers.com
> Error: Syntax error at '{'; expected '}' at
> /root/modules/ssh/manifests/config.pp:62 on node
> puppet.olearycomputers.com
>
> when I run it.
>
> I have made the process work by using the straight exec that's commented
> in the code above; but, that'll call chcon every time that puppet's run (as
> I understand it).  I would rather have it called only when a key file is
> added.
>
> Appreciate any hints/tips/suggestions.
>
> Doug O'Leary
>
>
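
Both suggestions from the reply in one manifest, as an added example rather than code from the thread: `seltype` on the file resources, and a `refreshonly` exec that runs only when the key file notifies it. The class parameters stand in for the thread's `$ssh::params::ssh_authkey_dir` and `$ssh::params::ssh_rootkeys`, and their default paths are assumptions:

```puppet
# Added example, not the poster's code. Parameter names and default paths
# are assumptions standing in for the thread's ssh::params values.
class ssh::config (
  String $authkey_dir = '/etc/ssh/authorized_keys',
  String $root_keys   = '/etc/ssh/authorized_keys/root',
) {
  # Suggestion 1: the file type manages the SELinux type itself, so Puppet
  # corrects the label whenever it drifts, with no external command.
  file { $authkey_dir:
    ensure  => directory,
    owner   => 'root',
    group   => 'root',
    mode    => '0755',
    seltype => 'ssh_home_t',
  }

  file { $root_keys:
    ensure  => file,
    owner   => 'root',
    group   => 'sys',
    mode    => '0750',
    source  => 'puppet:///modules/ssh/authorized_keys.root',
    seltype => 'ssh_home_t',
    # Suggestion 2: send a refresh event to the exec only when this file
    # is created or its content changes.
    notify  => Exec['sshdir_selinux'],
  }

  # refreshonly => true means the command never runs on an ordinary agent
  # run, only in response to the notify above. With seltype set on every
  # managed file the exec is redundant; it is kept here to show the wiring
  # and to relabel anything placed in the directory outside Puppet.
  exec { 'sshdir_selinux':
    command     => "chcon -R -t ssh_home_t ${authkey_dir}",
    path        => '/usr/bin',
    refreshonly => true,
  }
}
```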
