[Puppet Users] Re: authenticating new nodes that are created by provisioning
Never tried it myself but I think you can create the certificate as a part of the provisioning process, and then somehow place it in the new server.

http://serverfault.com/questions/19462/how-can-i-pre-sign-puppet-certificates

On Jun 3, 7:42 am, "Matthew Delves" wrote:
> Hey Folks,
> I'm looking at doing automated provisioning of new servers and am trying to
> integrate puppet into this process. What I'm wondering though is what the
> best process for securely registering a new node is.
>
> At the moment the first time puppet is run I have to then accept the
> certificate on the puppetmaster and then run puppet again.
>
> What I would like to do is accept the certificate automatically, though am
> hesitant to do so as then anyone could just register against the puppetmaster.
>
> Is there a way to do this securely?
>
> Thanks,
> Matt.
> --
> Matthew Delves
> System Administrator
> Information Systems
> Networks & Infrastructure
> University of Ballarat
> ph: 03 5327 9732
> email: m.del...@ballarat.edu.au

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
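The pre-signing idea from the reply above, modelled with Ruby's standard OpenSSL library. This is an added example, not part of the original thread and not Puppet's own code; the CA name, the certnames and the accepted? check are constructed for illustration. The provisioning step issues the node's key and certificate before first boot, so automatic signing stays off and a host that merely claims the same name is not trusted.

```ruby
require 'openssl'

# Issue an X.509 v3 certificate for +cn+. With issuer_cert nil it is self-signed.
def issue_cert(cn, public_key, issuer_cert, issuer_key, serial, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                       # value 2 means X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  constraint = ca ? 'CA:TRUE' : 'CA:FALSE'
  cert.add_extension(ef.create_extension('basicConstraints', constraint, true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Provisioning side: create key and certificate for a node that does not exist yet.
# Both are then placed on the new server at build time; the private key travels
# through the provisioning channel, so that channel has to be trusted.
def preprovision(ca_cert, ca_key, certname, serial)
  node_key = OpenSSL::PKey::RSA.new(2048)
  node_cert = issue_cert(certname, node_key.public_key, ca_cert, ca_key, serial)
  { key: node_key, cert: node_cert }
end

# Server-side model (assumption): trust a certificate only if it chains to our CA
# and carries the certname that was registered for the node.
def accepted?(ca_cert, presented_cert, expected_certname)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  cn = presented_cert.subject.to_a.find { |name, _value, _type| name == 'CN' }&.fetch(1)
  store.verify(presented_cert) && cn == expected_certname
end

# Constructed scenario: one pre-provisioned node, one unknown host claiming its name.
def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca_cert = issue_cert('Constructed Puppet CA', ca_key.public_key, nil, ca_key, 1, ca: true)
  node = preprovision(ca_cert, ca_key, 'web01.example.test', 2)

  rogue_key = OpenSSL::PKey::RSA.new(2048)
  rogue_cert = issue_cert('web01.example.test', rogue_key.public_key, nil, rogue_key, 3)

  {
    preprovisioned: accepted?(ca_cert, node[:cert], 'web01.example.test'),
    rogue:          accepted?(ca_cert, rogue_cert, 'web01.example.test'),
    wrong_name:     accepted?(ca_cert, node[:cert], 'db01.example.test')
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```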
[Puppet Users] Re: variable containing applied classes?
As I wrote before "some serious scoping and ordering issues" ...

On Mar 6, 2:21 pm, "R.I.Pienaar" wrote:
> hello,
>
> - "Oded" wrote:
> > <% classes.each do |current_class| -%>
>
> this is order dependent, it only finds classes already included before this
> template gets built.
[Puppet Users] Re: variable containing applied classes?
This code loops over all applied classes and if a class has a variable named "iptable_rule_chain" it prints its (the variable's) content to the file.
It raises some serious scoping and ordering issues but I use it anyway as I prefer them over file concatenation (in some templates I use 3 of these loops for 3 different variables - concatenating files would be a mess).

    <% classes.each do |current_class| -%>
    <% if has_variable?(current_class + "::iptable_rule_chain") then -%>
    <%= scope.lookupvar(current_class + "::iptable_rule_chain") %>
    <% end -%>
    <% end -%>

On Mar 6, 1:02 pm, "R.I.Pienaar" wrote:
> hello,
>
> The way I achieve this is using a concat tool[1] and a define like:
>
> class motd {
>    concat{"/etc/motd":
>       owner => root,
>       group => root,
>       mode  => 644,
>    }
>
>    concat::fragment{"modules_header":
>       target  => "/etc/motd",
>       order   => 9,
>       content => " Puppet Modules:\n",
>    }
> }
>
> define motd::register() {
>    concat::fragment{"motd_${name}":
>       target  => "/etc/motd",
>       content => " - ${name}",
>    }
> }
>
> now later on in my apache module I just do:
>
> motd::register{"apache": }
>
> And the result - obviously not the entire thing is shown above:
>
> Welcome to Transient Atmospheric Phenomenon
> hosted at Rapidswitch, Maidenhead, UK
>
> Puppet Modules:
> - apache
> - bind master server
> - iptables
> - mcollective member
>
> [1] http://www.devco.net/archives/2010/02/19/building_files_from_fragment...
>
> - "jb" wrote:
> > I see your point...after looking at the classes.txt file it does have
> > a lot more than what I want. I'm in particular looking for classes
> > that affect app deployment/management for the engineers so they can
> > easily see what is under puppet control...they don't need to
> > see the myriad of OS level classes that are applied.
> >
> > As the classes are defined via a mysql database (external node lookup
> > script), I think the best way will be to use that same database
> > somehow via another script run from the local host. I already call
> > such a script to update the database with 'last puppet run' so this
> > shouldn't be too much of an issue.
> >
> > thanks - jeff
> >
> > On Mar 4, 11:24 pm, Peter Meier wrote:
> > > > I'm looking for an easy way to include the list of applied classes on
> > > > a host in something like /etc/motd. using an .erb template would do
> > > > the trick if I an array exists that has all the classes in it?
> > > > Hopefully it's available?
> > >
> > > you find a list of the applied class on each host in
> > > /var/lib/puppet/state/classes.txt .
> > >
> > > However I'm not sure if this is the right approach, as for example for
> > > my environment on a moderate host I apply around 180 classes. This will
> > > happen very fast if you structure your code properly into modules and
> > > use inheritance to deal with os-specific things.
> > >
> > > I assume what you like to do is to display to a user logging into the
> > > machine, what is managed on this host, right? So maybe you should get
> > > this information out of something else than classes, as classes might
> > > only represent a small part of a bigger thing that is managed. I don't
> > > know how you decide in your manifests what to manage on a host, however
> > > you might want to collect this information from there.
> > >
> > > cheers pete
>
> --
> R.I.Pienaar
[Puppet Users] Re: using (possibly) undefined out of scope variables in an erb template
Got it!

    <% classes.each do |current_class| -%>
    <% if has_variable?(current_class + "::iptable_rule_chain") then -%>
    <%= scope.lookupvar(current_class + "::iptable_rule_chain") %>
    <% end -%>
    <% end -%>

So easy, all that time I was trying to use Bash style string concatenation, which for some strange reason didn't work :)
Now each class that has a variable named "iptable_rule_chain" adds a line to my template, yey!

There's a new issue with scoping now: if I use this variable in a class that calls other classes I get duplicate lines as the same variable is "in the scope" of several classes. Currently I write the manifests around this issue (by using "subclasses"), but it would be nice if I could control the scoping of each variable.

I prefer this solution to using Augeas as it is more "deterministic", I know exactly how my file will look like without considering its current state.

On Feb 13, 8:35 pm, Oded wrote:
> Actually I am trying to go around it :)
> I choose to use the classes array because of an ordering issue I
> encountered while trying to build an array of iptables rules: the
> template would get evaluated before some of the classes would get the
> chance to add lines to the array.
> I'm hoping that by using the classes array (which is in its final
> state before the classes start to run) I can avoid the ordering issue.
> my question was about the ruby syntax of checking for undefined out
> of scope variables (or are you trying to tell me that there's no way
> around it?).
>
> Oded
>
> On Feb 11, 10:33 pm, Ohad Levy wrote:
> > you might be hitting - http://projects.reductivelabs.com/issues/2309
> >
> > Ohad
> >
> > On Thu, Feb 11, 2010 at 1:09 AM, Oded wrote:
> > > I'm trying to use (possibly) undefined variables that are not in the
> > > scope of my class in an erb template.
> > > How do I combine this:
> > >
> > > <% if has_variable?("myvar") then %>
> > > myvar has <%= myvar %> value
> > > <% end %>
> > >
> > > with this:
> > > <%= scope.lookupvar(myclass::myvar) %>
> > >
> > > The idea is to get the iptables template to go through all the classes
> > > assigned to a machine and add lines on relevant classes only (by
> > > searching for a specific variable in that class), this way I will not
> > > be forced to edit the iptables template/class every time another
> > > module needs to change its iptable settings.
> > >
> > > Without checking for undefined variables my code looks like this:
> > >
> > > <% classes.each do |current_class| -%>
> > > <% scope.lookupvar(current_class::iptables_input_tags) %>
> > > <% end -%>
> > >
> > > Oded
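The template loop from the message above, rendered outside Puppet against a small stand-in object so the duplicate-line effect can be reproduced and checked. This is an added example, not part of the thread: StubTemplateContext, its scope fallback rule, the class names and the iptables rules are constructed assumptions, and the second template with `uniq` is one possible workaround rather than something the poster used.

```ruby
require 'erb'

# Hypothetical stand-in for the object a Puppet template is evaluated against.
# It only imitates `classes`, `has_variable?` and `scope.lookupvar` as used in the thread.
class StubTemplateContext
  # vars:    { "class" => { "var" => value } }  variables set directly in each class
  # parents: { "class" => "enclosing class" }   scope a failed lookup falls back to
  def initialize(vars, parents)
    @vars = vars
    @parents = parents
  end

  def classes
    @vars.keys
  end

  def scope
    self
  end

  # Resolve "klass::var", walking up the enclosing scopes; nil when undefined.
  def lookupvar(qualified)
    klass, _sep, var = qualified.rpartition('::')
    while klass
      value = @vars.fetch(klass, {})[var]
      return value unless value.nil?
      klass = @parents[klass]
    end
    nil
  end

  def has_variable?(qualified)
    !lookupvar(qualified).nil?
  end

  def render(template)
    ERB.new(template, trim_mode: '-').result(binding)
  end
end

# The loop exactly as posted in the thread.
THREAD_TEMPLATE = <<~'TEMPLATE'
  <% classes.each do |current_class| -%>
  <% if has_variable?(current_class + "::iptable_rule_chain") then -%>
  <%= scope.lookupvar(current_class + "::iptable_rule_chain") %>
  <% end -%>
  <% end -%>
TEMPLATE

# Added variant: collect the values first and emit each distinct rule once.
DEDUP_TEMPLATE = <<~'TEMPLATE'
  <% names = classes.map { |c| c + "::iptable_rule_chain" } -%>
  <% rules = names.select { |n| has_variable?(n) }.map { |n| scope.lookupvar(n) } -%>
  <% rules.uniq.each do |rule| -%>
  <%= rule %>
  <% end -%>
TEMPLATE

WEB_RULE = '-A INPUT -p tcp --dport 80 -j ACCEPT'
SSH_RULE = '-A INPUT -p tcp --dport 22 -j ACCEPT'

# Constructed node: "web" sets the variable and pulls in "web::vhosts", which inherits it.
def sample_context
  vars = { 'web' => { 'iptable_rule_chain' => WEB_RULE }, 'web::vhosts' => {},
           'ssh' => { 'iptable_rule_chain' => SSH_RULE }, 'ntp' => {} }
  StubTemplateContext.new(vars, { 'web::vhosts' => 'web' })
end

def render_thread_template
  sample_context.render(THREAD_TEMPLATE)
end

def render_deduplicated
  sample_context.render(DEDUP_TEMPLATE)
end
```

Collapsing identical lines is safe for accept rules like these, but the output order still follows the order of `classes`, so anything order-sensitive in the generated ruleset needs to be reviewed separately.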
[Puppet Users] Re: Israeli Puppet meetup?
I'll be the guy who looks like he writes puppet manifests for a living ...

On Feb 21, 3:35 pm, Ohad Levy wrote:
> I'll book a table under my name, see you there :)
>
> Ohad
>
> On Sun, Feb 21, 2010 at 3:11 PM, юрка олейников wrote:
> > AFAIK there're two "halls" in temple bar...
> >
> > 2010/2/19 Ohad Levy
> >> Hi,
> >>
> >> Lets meet this Sunday 20:00 at the temple bar at the cinema city -
> >> http://www.rest.co.il/sites/Default.asp?txtRestID=5290&txtSR=1
> >>
> >> See you there!
> >> Ohad
> >>
> >> On Mon, Feb 15, 2010 at 11:21 PM, Moty wrote:
> >>> Count me in too
> >>>
> >>> On Feb 10, 9:42 am, Ohad Levy wrote:
> >>> > Hey Guys,
> >>> >
> >>> > Wondering if anyone here is from Israel, I'll be visiting Israel next week
> >>> > and would love to have a good puppet talk
> >>> >
> >>> > cheers,
> >>> > Ohad
> >
> > --
> > Be Secure, Stay Open - live w/ OpenBSD
[Puppet Users] Re: Israeli Puppet meetup?
I'm in!

On Feb 10, 9:42 am, Ohad Levy wrote:
> Hey Guys,
>
> Wondering if anyone here is from Israel, I'll be visiting Israel next week
> and would love to have a good puppet talk
>
> cheers,
> Ohad
[Puppet Users] Re: using (possibly) undefined out of scope variables in an erb template
Actually I am trying to go around it :)
I choose to use the classes array because of an ordering issue I encountered while trying to build an array of iptables rules: the template would get evaluated before some of the classes would get the chance to add lines to the array.
I'm hoping that by using the classes array (which is in its final state before the classes start to run) I can avoid the ordering issue.
my question was about the ruby syntax of checking for undefined out of scope variables (or are you trying to tell me that there's no way around it?).

Oded

On Feb 11, 10:33 pm, Ohad Levy wrote:
> you might be hitting - http://projects.reductivelabs.com/issues/2309
>
> Ohad
>
> On Thu, Feb 11, 2010 at 1:09 AM, Oded wrote:
> > I'm trying to use (possibly) undefined variables that are not in the
> > scope of my class in an erb template.
> > How do I combine this:
> >
> > <% if has_variable?("myvar") then %>
> > myvar has <%= myvar %> value
> > <% end %>
> >
> > with this:
> > <%= scope.lookupvar(myclass::myvar) %>
> >
> > The idea is to get the iptables template to go through all the classes
> > assigned to a machine and add lines on relevant classes only (by
> > searching for a specific variable in that class), this way I will not
> > be forced to edit the iptables template/class every time another
> > module needs to change its iptable settings.
> >
> > Without checking for undefined variables my code looks like this:
> >
> > <% classes.each do |current_class| -%>
> > <% scope.lookupvar(current_class::iptables_input_tags) %>
> > <% end -%>
> >
> > Oded
[Puppet Users] using (possibly) undefined out of scope variables in an erb template
I'm trying to use (possibly) undefined variables that are not in the scope of my class in an erb template.
How do I combine this:

    <% if has_variable?("myvar") then %>
    myvar has <%= myvar %> value
    <% end %>

with this:

    <%= scope.lookupvar(myclass::myvar) %>

The idea is to get the iptables template to go through all the classes assigned to a machine and add lines on relevant classes only (by searching for a specific variable in that class), this way I will not be forced to edit the iptables template/class every time another module needs to change its iptable settings.

Without checking for undefined variables my code looks like this:

    <% classes.each do |current_class| -%>
    <% scope.lookupvar(current_class::iptables_input_tags) %>
    <% end -%>

Oded
[Puppet Users] Re: Exported Resources: noob help please!
Great, thanks.

Oded

On Aug 27, 5:05 pm, David Schmitt wrote:
> Oded wrote:
> > David, how does the code you provided handle the removal of a "source"
> > node? as far as i can tell the directory that contains the
> > concatenated_file_parts doesn't get purged on each puppet
> > iteration. so even after the "source" node stops exporting its
> > file_part the Concatenated_file will contain its entry.
> > Maybe some time-stamp magic is needed here ...
>
> The directory where all those parts land is "purged". So you need to
> delete the node from your stored configs (see the kill_node script on
> the wiki) or run it a last time with no classes at all. Then the file
> will vanish automatically on the next run on the target.
>
> Regards, DavidS
>
> > David Schmitt wrote:
> >> robbyt wrote:
> >>>>> Hi All,
> >>>>> I'm successfully using Exported Resources and StoreConfigs on my
> >>>>> puppet system. I'm able to populate the hosts files on all of my
> >>>>> nodes, and that's pretty cool.
> >>>>> My problem is that i'm not quite clear how to query the information
> >>>>> stored in the Exported Resources database for other things. e.g., I
> >>>>> want to setup Postfix to allow relay from _all_ of the IPs that facter
> >>>>> has reported to the puppet master. How can I pull all of the IPs from
> >>>>> the database and turn them into puppet variable array?
> >>>
> >>> On Aug 25, 5:19 am, Stefano Harding wrote:
> >>>> I too would like to know how to pull like this from the stored config
> >>>> db...
> >>>>
> >>>> - Stefano
> >>>
> >>> I'm glad someone else out there feels the same way about Exported
> >>> Resources. I've resulted to using exported resources in a manifest to
> >>> have the local puppet on the puppetmaster write templates for other
> >>> modules which then get picked up by other nodes.
> >>>
> >>> Messy stuff.
> >>>
> >>> There has to be a better way to do this without manually defining all
> >>> of my IP addresses in variables?
> >>
> >> Why don't you collect and build those things directly on the node where
> >> you need it?
> >>
> >> Use something like the concatenated_file define[1]:
> >>
> >> source:
> >>
> >> @@concatenated_file_part { "$ipaddress":
> >>    dir     => "/var/lib/puppet/ips",
> >>    content => "$ipaddress\n",
> >>    tag     => 'ip'
> >> }
> >>
> >> target:
> >>
> >> Concatenated_file_part <<| tag == 'ip' |>>
> >> concatenated_file { "/etc/iplist":
> >>    dir => "/var/lib/puppet/ips",
> >> }
> >>
> >> This gives you a list of all $ipaddresses in /etc/iplist on the target.
> >>
> >> Regards, DavidS
> >>
> >> [1] http://github.com/puppet-modules/puppet-common/blob/0caa32db1aaad6dab...
[Puppet Users] Re: Exported Resources: noob help please!
David, how does the code you provided handle the removal of a "source" node? as far as i can tell the directory that contains the concatenated_file_parts doesn't get purged on each puppet iteration. so even after the "source" node stops exporting its file_part the Concatenated_file will contain its entry.
Maybe some time-stamp magic is needed here ...

David Schmitt wrote:
> robbyt wrote:
> >>> Hi All,
> >>> I'm successfully using Exported Resources and StoreConfigs on my
> >>> puppet system. I'm able to populate the hosts files on all of my
> >>> nodes, and that's pretty cool.
> >>> My problem is that i'm not quite clear how to query the information
> >>> stored in the Exported Resources database for other things. e.g., I
> >>> want to setup Postfix to allow relay from _all_ of the IPs that facter
> >>> has reported to the puppet master. How can I pull all of the IPs from
> >>> the database and turn them into puppet variable array?
> >
> > On Aug 25, 5:19 am, Stefano Harding wrote:
> >> I too would like to know how to pull like this from the stored config
> >> db...
> >>
> >> - Stefano
> >
> > I'm glad someone else out there feels the same way about Exported
> > Resources. I've resulted to using exported resources in a manifest to
> > have the local puppet on the puppetmaster write templates for other
> > modules which then get picked up by other nodes.
> >
> > Messy stuff.
> >
> > There has to be a better way to do this without manually defining all
> > of my IP addresses in variables?
>
> Why don't you collect and build those things directly on the node where
> you need it?
>
> Use something like the concatenated_file define[1]:
>
> source:
>
> @@concatenated_file_part { "$ipaddress":
>    dir     => "/var/lib/puppet/ips",
>    content => "$ipaddress\n",
>    tag     => 'ip'
> }
>
> target:
>
> Concatenated_file_part <<| tag == 'ip' |>>
> concatenated_file { "/etc/iplist":
>    dir => "/var/lib/puppet/ips",
> }
>
> This gives you a list of all $ipaddresses in /etc/iplist on the target.
>
> Regards, DavidS
>
> [1] http://github.com/puppet-modules/puppet-common/blob/0caa32db1aaad6dabc9542c5e0aa20e76ea94f48/manifests/defines/concatenated_file.pp