[Puppet Users] Re: Suggested class layout for multi-tenant puppet install?
Hello, This sounds like a different direction than you're thinking, but it might help to keep things manageable - and it's kinda cool! Take a look at R10K [1] and Control Repos [2]. The gist is that each tenant would have it's own control repo, then R10K can deploy each control repo as a dynamic puppet environment, prefixed by the tenant's name. The nice thing here is that the control repo contains all the tenant's nodes, data, modules and environments in a fairly manageable way...especially if you like to track changes or want to test things with puppet-rspec and CI tools before going live. A Git branch in the control repo is deployed as a puppet environment, so the "master" branch in [2] is labeled "production" and is the default environment for puppet. Using r10k's tenant prefix capability [3], each tenant's environments will be unique within a single puppet master - [1] https://github.com/puppetlabs/r10k [2] https://github.com/puppetlabs/control-repo [3] https://github.com/puppetlabs/r10k/blob/master/doc/dynamic-environments/configuration.mkd#prefix The Puppet Master's environments directory (/etc/puppetlabs/code/environments) with two tenants (group1 and group2) might look like this: -- group1_production/ --data/ <- where hiera data lives --manfiests/<- where site.pp and node manifests live --site-modules/ <- where role and profile modules live --modules/ <- where r10k deploys puppet modules --hiera.yaml<- environment data hierarchy --Puppetfile<- file to define what modules r10k deploys (sourced from Puppet Forge or Git Repos) --environment.conf <- puppet environment config, e.g. modulepath -- group1_test/ --data/ --manfiests/ --site-modules/ --modules/ --hiera.yaml --Puppetfile --environment.conf -- group2_production/ --data/ --manfiests/ --site-modules/ --modules/ --hiera.yaml --Puppetfile --environment.conf If you can get fancy with CI/CD tools, you can use a webhook from the git control repos to spur R10K to deploy a branch/environment to the puppet master. On Wednesday, March 27, 2019 at 9:13:54 AM UTC-4, zxcvb...@gmail.com wrote: > > My employer has a multi-tenant puppet installation with a fairly odd > layout. The files a laid out like this: > > /manifests/group1/application1/server.pp > /manifests/group1/application1/node.pp > /manifests/group1/application2/server.pp > /manifests/group1/application2/node.pp > ... > /manifests/groupX/applicationY/server.pp > /manifests/groupX/applicationY/node.pp > > Where server.pp is always called server.pp, and always defines class > "server" and three inherited classes dev_server, qa_server, and > prod_server. These include all the puppet directives to install groupX's > applicationY server in either the dev, qa, or prod environment. > > The node.pp always has three node stanzas which include either dev_server, > qa_server, or prod_server. > > The guy who set it up never used puppet before and had a real knack for > putting things in non-standard places, so I'd like to clean it up and do > things "the puppet way". However I've not done a multi-tenant setup before > so could use some advice, or some "this is how we do it and works for us" > ideas. > > My thoughts at the moment are to consolidate all of the node.pp files into > a single file under manifests, then set up a second modules directory > (maybe called nodeclasses?) and then groupX/applicationY will become the > groupX::applicationY class which is included in the node definition in > node.pp. > > -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/c9ea2f56-ce05-41f6-a62f-c4e4592fec3b%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Re: hiera can't find facts to read hierarchy files?
Wow, this was a long time ago :)
I can not speak to the deep bits on why I was seeing hiera files based on
Puppet Facts not having correct file names when processing puppet lookup.
What I can say is that I was referencing a class params like
$::test::dconf_default_config,
but I had not defined dconf_default_conf in the init.pp's class params...
class test(
...
String $dconf_default_config,# This was missing, adding it fixed the
issue.
...
) {
...
}
Before adding the line, I just had the default value for that param defined
in a fact driven hieradata file. It all produced a very strange behavior
though.
On Wednesday, September 19, 2018 at 12:14:47 PM UTC-4,
ch...@fuzzyblender.com wrote:
>
> Hi Sean,
>
> I'm having the same issue, and I see what you said, I'm just too new to
> puppet. Would it be possible for you (or others) to expand on how you
> fixed this (with and example)?
>
> Chris
>
> On Wednesday, November 29, 2017 at 11:15:49 AM UTC-6, Sean wrote:
>>
>> Thanks to PuppetLab's Mr. Lindberg who helped get my troubleshooting
>> focused in the right direction.
>>
>> Basically, I forgot to add my new parameters to the class parameter
>> definitions in the module's init.pp.
>>
>> DOH!
>>
>> On Tuesday, November 28, 2017 at 4:53:42 PM UTC-5, Sean wrote:
>>>
>>> Hi,
>>> I'm quite confused about how I could have created this problem. I have
>>> a module we'll call it "test" which has been using Hiera v5 module data for
>>> the last couple of releases...this works great on either puppet 4 or 5...as
>>> expected.
>>>
>>> Last week added a feature, which involved adding 1 new manifest file
>>> (which creates concat::fragment resources), 2 parameters to a hiera data
>>> file, and adding 2 concat file resources, each named by one of those
>>> parameters, to an existing manifest file (existing.pp below). Fairly
>>> simple and straight forward change. The parser passes the syntax checks
>>> for everything involved in the change.
>>>
>>> I have tested on both puppet 4 and 5 using a pair of centos7 vms, both
>>> produce the same result.
>>>
>>> # puppet apply -e "include test"
>>> Warning: Unknown variable: 'test::dconf_default_config'. at
>>> /etc/puppetlabs/code/environments/production/modules/test/manifests/existing.pp:186:12
>>> Error: Evaluation Error: Missing title. The title expression resulted in
>>> undef at
>>> /etc/puppetlabs/code/environments/production/modules/test/manifests/existing.pp:186:12
>>>
>>> on node localhost.localdomain
>>>
>>> This parameter is the filename of the concat resource mentioned above.
>>> Running a puppet lookup (on either v4 or v5) produces this output for the
>>> module data section:
>>>
>>> Module "test" Data Provider (hiera configuration version 5)
>>> Using configuration
>>> "/etc/puppetlabs/code/environments/production/modules/test/hiera.yaml"
>>> Hierarchy entry "Full Version"
>>> Path
>>> "/etc/puppetlabs/code/environments/production/modules/test/data/-.yaml"
>>> Original path: "%{facts.os.name}-%{facts.os.release.full}.yaml"
>>> Path not found
>>> Hierarchy entry "Major Version"
>>> Path
>>> "/etc/puppetlabs/code/environments/production/modules/test/data/-.yaml"
>>> Original path: "%{facts.os.name}-%{facts.os.release.major}.yaml"
>>> Path not found
>>> Hierarchy entry "Distribution Name"
>>> Path
>>> "/etc/puppetlabs/code/environments/production/modules/test/data/.yaml"
>>> Original path: "%{facts.os.name}.yaml"
>>> Path not found
>>> Hierarchy entry "Operating System Family + Major Version"
>>> Path
>>> "/etc/puppetlabs/code/environments/production/modules/test/data/-.yaml"
>>> Original path:
>>> "%{facts.os.family}-%{facts.os.release.major}.yaml"
>>> Path not found
>>> Hierarchy entry "Operating System Family"
>>> Path
>>> "/etc/puppetlabs/code/environments/production/modules/test/data/.yaml"
>>> Original path: "%{facts.os.family}.yaml"
>>> Path not found
>>> Hierarchy entry "common"
>>> Path
>>> "/etc/puppetlabs/code/en
[Puppet Users] Re: Managing mounted NFS shares, when having no write permission on that share
Another alternative might be to avoid specifying the user/group/mode
attributes for the File resource. This would assume that you can be
confident that the agent is running as root and the system has a sufficient
umask setting. If that's the case, these resource attributes can be left
out and puppet shouldn't complain about them on subsequent runs...
file { '/data/app':
ensure => directory,
}
mount { '/data/app':
ensure => mounted,
device => nfs_server:/app
dump=> 0,
fstype=> 'nfs',
target=> '/etc/fstab',
require => File['/data/app'],
}
On Friday, August 17, 2018 at 5:03:02 PM UTC-4, Mike Langhorst wrote:
>
> I'm having some issues with managing a mount point for an NFS server.
> Specifically when the client system has no root write privileges to that
> NFS share.
>
> I need to mount a NetApp NFS/Cifs share to a filesystem location
> /data/app. So I'll need to manage the file resource /data/app, and as
> typical the owner and mode.
>
> file { '/data/app':
> ensure => directory,
> owner => root,
> group => root,
> mode => '0755',
> }
>
> mount { '/data/app':
> ensure => mounted,
> device => nfs_server:/app
> dump=> 0,
> fstype=> 'nfs',
> target=> '/etc/fstab',
> require => File['/data/app'],
> }
>
>
> So when I mount this nfs to /data/app, that share and it's contents are
> nfsnobody, or some other high numbered uid, with varying permissions,
> sometimes 777. The NetApp may show 777, but it's applying other ACLs due
> to the CIFS share. For the different shares I've had to mount, that uid
> and permissions have been different so I couldn't do something like
> updating the module/hiera data to match after the fact as I still wouldn't
> want that underling directory /data/app to be 777.
>
> I don't see anything in the file resource spec to allow for an "onlyif" or
> such.
>
> Any ideas on how to manage this?
>
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/323abd27-a8c3-4e87-9ef1-94a2602e2d27%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[Puppet Users] puppet module repository w/ self signed ssl?
Hello, I'm wanting to use the module_repository setting in puppet.conf on my puppet5 master. The local repo mirror we've setup requires SSL, but has a self-signed cert. Is there a way to make puppet trust that cert? Mostly, I want to be able to use puppet module search as a convenience since the environment is not internet connected. We use control repos and r10k to deploy from the same repo and it works well. Thanks. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/0e37e66d-469e-4a61-a6da-46e546ec62d9%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Announcement: Release of Facter 3.11.0 gem
Hey Folks! We are officially shipping a gem for Facter 3.11.0! There is both a source and a set of precompiled gems available for installation. We understand that migrating from Facter 2 to Facter 3 is not a small task. As such we have decided to ship Facter 3 technically as a ‘pre-release’ gem. The version of the official release of facter 3.11.0 will be: facter-3.11.0.cfacter.20180319 Note that this means in order to make use of facter 3.11 in your gemfile or gemspec you will need to specify the version all the way down to ‘.cfacter’: gem facter, ‘~> 3.11.0.cfacter’ Using ‘--pre’ with rubygems will pull down the latest facter 3 gem for you: gem install facter --pre We are shipping the first facter 3 gems as ‘pre-releases’ to allow users (and ourselves) some time to use the new gem and find out what and where we need to improve the gem before moving it to a standard release. We fully plan on shipping Facter 3 as a standard release gem in the near future, but we would like users to try out the pre-release gem first and gather some feedback. Currently, the first iteration of the facter 3 gem does not include the facter binary, and is missing EC2 support. For this release we are focused on learning about incompatibilities in module testing. Please download the new Facter 3 gem and try it out! We would love your feedback -- Sean P. McDonald Software Engineer, Puppet Inc. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/8c133ecb-3d2f-44d5-8abd-679c9cda796b%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] What changed on yum.puppetlabs.com and apt.puppetlabs.com?
Thank you Ms. Waggett, I have made comments in the ticket so that the data from my post here is now there in full. On Thursday, March 1, 2018 at 1:42:35 PM UTC-5, Molly Waggett wrote: > > Hi Sean, > > We have opened CPR-519 <https://tickets.puppetlabs.com/browse/CPR-519> > and are looking into your issue. > > Thanks! > > On Thu, Mar 1, 2018 at 8:34 AM, Sean <smal...@gmail.com > > wrote: > >> Hi, >> >> Has something significant changed on repo sites? For years, I have been >> using lftp to selectively mirror parts of these repos to use on Internet >> isolated networks. lftp is a great tool and a little easier and more >> efficient than wget. Note, we are not able to use rsync, it is not >> permitted as an outbound protocol. >> >> So, what's happening when I use lftp today? Every directory on the repo >> looks like a file, not a directory, see below: >> $ lftp http://apt.puppetlabs.com >> cd ok, cwd=/ >> lftp apt.puppetlabs.com:/> ls >> -rw-r--r-- -- index_by_name_reverse.html >> -rw-r--r-- -- index_by_lastModified.html >> -rw-r--r-- -- index_by_size.html >> -rw-r--r-- -- index_by_name.html >> -rw-r--r-- -- DEB-GPG-KEY-puppet >> -rw-r--r-- -- DEB-GPG-KEY-puppetlabs >> -rw-r--r-- -- DEB-GPG-KEY-reductive >> -rw-r--r-- -- README.txt >> -rw-r--r-- -- dists >> -rw-r--r-- -- keyring.gpg >> -rw-r--r-- -- pool >> -rw-r--r-- -- pubkey.gpg >> .. >> >> What should happen? >> $ lftp http://mirror.centos.org >> cd ok, cwd=/ >> lftp mirror.centos.org:/> ls >> drwxr-xr-x -- / >> -rw-r--r-- -- HEADER.images/modern-CentOS-logo.png >> -rw-r--r-- -- icons/blank.gif >> -rw-r--r-- -- icons/unknown.gif >> -rw-r--r-- 11 2018-03-01 16:12 TIME >> -rw-r--r-- -- icons/folder.gif >> drwxr-xr-x- 2017-09-06 06:57 altarch >> drwxr-xr-x- 2009-09-09 05:18 centos-2 >> drwxr-xr-x- 2007-10-22 17:16 centos-3 >> drwxr-xr-x- 2011-03-02 14:00 centos-4 >> drwxr-xr-x- 2014-09-29 08:59 centos-5 >> drwxr-xr-x- 2017-04-05 11:36 centos-6 >> drwxr-xr-x- 2017-09-13 20:25 centos-7 >> drwxr-xr-x- 2017-09-13 13:56 centos >> -rw-r--r-- 132 2018-03-01 16:10 dir_sizes_altarch >> -rw-r--r-- 924 2018-03-01 16:10 dir_sizes_centos >> drwxr-xr-x- 2014-07-07 12:49 mirrorscripts >> -rw-r--r-- -- icons/text.gif >> .. >> >> As a result, my entire mirror of both apt/yum.puppetlabs.com turned into >> a bunch of static files, deleting a heap of data I'm going to have figure >> out how to download again using some other means. I attempted to >> reconfigure my mirror script to use wget instead of lftp, but it only >> downloaded html versions of the directory indexes, no RPMs, no repodata. >> >> Any ideas or anything as to what's up? >> >> Thanks for the assistance! >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Puppet Users" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to puppet-users...@googlegroups.com . >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/puppet-users/7355d1ea-9a01-4338-ad53-7fa9fc8cc80d%40googlegroups.com >> >> <https://groups.google.com/d/msgid/puppet-users/7355d1ea-9a01-4338-ad53-7fa9fc8cc80d%40googlegroups.com?utm_medium=email_source=footer> >> . >> For more options, visit https://groups.google.com/d/optout. >> > > > > -- > *Molly Waggett* > she/her/hers > Release Engineer @ Puppet, Inc. > -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/8472eda4-be2b-4749-b792-a3f4d5b1be51%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Re: mirroring puppet forge
I can't say it still works, as I haven't updated my forge mirror in about a year, but this is what I used back then - https://rubygems.org/gems/puppet-forge-mirror On Wednesday, February 21, 2018 at 7:37:23 PM UTC-5, Vince Skahan wrote: > > What's the preferred way these days to internally mirror puppet forge ? > I'd like to periodically catch up to current, but it doesn't have to be > 'that' current, as we don't update the module versions we use too often. > > FWIW - we mirror things like CentOS yum repos nightly with 'reposync', but > they tend to have more frequent updates. > -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/402207aa-1abc-40ae-84ac-53bb9fe60965%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[Puppet Users] What changed on yum.puppetlabs.com and apt.puppetlabs.com?
Hi, Has something significant changed on repo sites? For years, I have been using lftp to selectively mirror parts of these repos to use on Internet isolated networks. lftp is a great tool and a little easier and more efficient than wget. Note, we are not able to use rsync, it is not permitted as an outbound protocol. So, what's happening when I use lftp today? Every directory on the repo looks like a file, not a directory, see below: $ lftp http://apt.puppetlabs.com cd ok, cwd=/ lftp apt.puppetlabs.com:/> ls -rw-r--r-- -- index_by_name_reverse.html -rw-r--r-- -- index_by_lastModified.html -rw-r--r-- -- index_by_size.html -rw-r--r-- -- index_by_name.html -rw-r--r-- -- DEB-GPG-KEY-puppet -rw-r--r-- -- DEB-GPG-KEY-puppetlabs -rw-r--r-- -- DEB-GPG-KEY-reductive -rw-r--r-- -- README.txt -rw-r--r-- -- dists -rw-r--r-- -- keyring.gpg -rw-r--r-- -- pool -rw-r--r-- -- pubkey.gpg .. What should happen? $ lftp http://mirror.centos.org cd ok, cwd=/ lftp mirror.centos.org:/> ls drwxr-xr-x -- / -rw-r--r-- -- HEADER.images/modern-CentOS-logo.png -rw-r--r-- -- icons/blank.gif -rw-r--r-- -- icons/unknown.gif -rw-r--r-- 11 2018-03-01 16:12 TIME -rw-r--r-- -- icons/folder.gif drwxr-xr-x- 2017-09-06 06:57 altarch drwxr-xr-x- 2009-09-09 05:18 centos-2 drwxr-xr-x- 2007-10-22 17:16 centos-3 drwxr-xr-x- 2011-03-02 14:00 centos-4 drwxr-xr-x- 2014-09-29 08:59 centos-5 drwxr-xr-x- 2017-04-05 11:36 centos-6 drwxr-xr-x- 2017-09-13 20:25 centos-7 drwxr-xr-x- 2017-09-13 13:56 centos -rw-r--r-- 132 2018-03-01 16:10 dir_sizes_altarch -rw-r--r-- 924 2018-03-01 16:10 dir_sizes_centos drwxr-xr-x- 2014-07-07 12:49 mirrorscripts -rw-r--r-- -- icons/text.gif .. As a result, my entire mirror of both apt/yum.puppetlabs.com turned into a bunch of static files, deleting a heap of data I'm going to have figure out how to download again using some other means. I attempted to reconfigure my mirror script to use wget instead of lftp, but it only downloaded html versions of the directory indexes, no RPMs, no repodata. Any ideas or anything as to what's up? Thanks for the assistance! -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/7355d1ea-9a01-4338-ad53-7fa9fc8cc80d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Re: hiera can't find facts to read hierarchy files?
Thanks to PuppetLab's Mr. Lindberg who helped get my troubleshooting
focused in the right direction.
Basically, I forgot to add my new parameters to the class parameter
definitions in the module's init.pp.
DOH!
On Tuesday, November 28, 2017 at 4:53:42 PM UTC-5, Sean wrote:
>
> Hi,
> I'm quite confused about how I could have created this problem. I have a
> module we'll call it "test" which has been using Hiera v5 module data for
> the last couple of releases...this works great on either puppet 4 or 5...as
> expected.
>
> Last week added a feature, which involved adding 1 new manifest file
> (which creates concat::fragment resources), 2 parameters to a hiera data
> file, and adding 2 concat file resources, each named by one of those
> parameters, to an existing manifest file (existing.pp below). Fairly
> simple and straight forward change. The parser passes the syntax checks
> for everything involved in the change.
>
> I have tested on both puppet 4 and 5 using a pair of centos7 vms, both
> produce the same result.
>
> # puppet apply -e "include test"
> Warning: Unknown variable: 'test::dconf_default_config'. at
> /etc/puppetlabs/code/environments/production/modules/test/manifests/existing.pp:186:12
> Error: Evaluation Error: Missing title. The title expression resulted in
> undef at
> /etc/puppetlabs/code/environments/production/modules/test/manifests/existing.pp:186:12
>
> on node localhost.localdomain
>
> This parameter is the filename of the concat resource mentioned above.
> Running a puppet lookup (on either v4 or v5) produces this output for the
> module data section:
>
> Module "test" Data Provider (hiera configuration version 5)
> Using configuration
> "/etc/puppetlabs/code/environments/production/modules/test/hiera.yaml"
> Hierarchy entry "Full Version"
> Path
> "/etc/puppetlabs/code/environments/production/modules/test/data/-.yaml"
> Original path: "%{facts.os.name}-%{facts.os.release.full}.yaml"
> Path not found
> Hierarchy entry "Major Version"
> Path
> "/etc/puppetlabs/code/environments/production/modules/test/data/-.yaml"
> Original path: "%{facts.os.name}-%{facts.os.release.major}.yaml"
> Path not found
> Hierarchy entry "Distribution Name"
> Path
> "/etc/puppetlabs/code/environments/production/modules/test/data/.yaml"
> Original path: "%{facts.os.name}.yaml"
> Path not found
> Hierarchy entry "Operating System Family + Major Version"
> Path
> "/etc/puppetlabs/code/environments/production/modules/test/data/-.yaml"
> Original path: "%{facts.os.family}-%{facts.os.release.major}.yaml"
> Path not found
> Hierarchy entry "Operating System Family"
> Path
> "/etc/puppetlabs/code/environments/production/modules/test/data/.yaml"
> Original path: "%{facts.os.family}.yaml"
> Path not found
> Hierarchy entry "common"
> Path
> "/etc/puppetlabs/code/environments/production/modules/test/data/common.yaml"
> Original path: "common.yaml"
> No such key: "test::dconf_default_config"
>
>
> See how all the Hierarchy Paths have bad file names? This leads me to
> think that somehow Hiera has lost the ability to parse facts in my feature
> branch of this module. If I check the master branch out for the "test"
> module then Hiera produces the correct datafile names.
>
> How can that be?
>
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/c59d9137-779c-44cf-919f-3d804f52857d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[Puppet Users] hiera can't find facts to read hierarchy files?
Hi,
I'm quite confused about how I could have created this problem. I have a
module we'll call it "test" which has been using Hiera v5 module data for
the last couple of releases...this works great on either puppet 4 or 5...as
expected.
Last week added a feature, which involved adding 1 new manifest file (which
creates concat::fragment resources), 2 parameters to a hiera data file, and
adding 2 concat file resources, each named by one of those parameters, to
an existing manifest file (existing.pp below). Fairly simple and straight
forward change. The parser passes the syntax checks for everything
involved in the change.
I have tested on both puppet 4 and 5 using a pair of centos7 vms, both
produce the same result.
# puppet apply -e "include test"
Warning: Unknown variable: 'test::dconf_default_config'. at
/etc/puppetlabs/code/environments/production/modules/test/manifests/existing.pp:186:12
Error: Evaluation Error: Missing title. The title expression resulted in
undef at
/etc/puppetlabs/code/environments/production/modules/test/manifests/existing.pp:186:12
on node localhost.localdomain
This parameter is the filename of the concat resource mentioned above.
Running a puppet lookup (on either v4 or v5) produces this output for the
module data section:
Module "test" Data Provider (hiera configuration version 5)
Using configuration
"/etc/puppetlabs/code/environments/production/modules/test/hiera.yaml"
Hierarchy entry "Full Version"
Path
"/etc/puppetlabs/code/environments/production/modules/test/data/-.yaml"
Original path: "%{facts.os.name}-%{facts.os.release.full}.yaml"
Path not found
Hierarchy entry "Major Version"
Path
"/etc/puppetlabs/code/environments/production/modules/test/data/-.yaml"
Original path: "%{facts.os.name}-%{facts.os.release.major}.yaml"
Path not found
Hierarchy entry "Distribution Name"
Path
"/etc/puppetlabs/code/environments/production/modules/test/data/.yaml"
Original path: "%{facts.os.name}.yaml"
Path not found
Hierarchy entry "Operating System Family + Major Version"
Path
"/etc/puppetlabs/code/environments/production/modules/test/data/-.yaml"
Original path: "%{facts.os.family}-%{facts.os.release.major}.yaml"
Path not found
Hierarchy entry "Operating System Family"
Path
"/etc/puppetlabs/code/environments/production/modules/test/data/.yaml"
Original path: "%{facts.os.family}.yaml"
Path not found
Hierarchy entry "common"
Path
"/etc/puppetlabs/code/environments/production/modules/test/data/common.yaml"
Original path: "common.yaml"
No such key: "test::dconf_default_config"
See how all the Hierarchy Paths have bad file names? This leads me to
think that somehow Hiera has lost the ability to parse facts in my feature
branch of this module. If I check the master branch out for the "test"
module then Hiera produces the correct datafile names.
How can that be?
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/dc488b41-8df1-403c-a932-2a956e38112f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Question on searching for and using data inside a structured fact
Hi,
I have been attempting (and failing miserably) at trying to obtain the UUID
of a partition mounted in a specific directory from the partitions fact.
I'm using puppet 4.10.8.
As an example, let's say I'm looking for the UUID of /boot on my systems...
$ facter partitions
{"sda1"=>{"size"=>"1048576", "mount"=>"/boot/efi"},
"sda2"=>{"uuid"=>"14528e73-61cc-4503-b24f-47c3b6e2aee2", "size"=>"1048576",
"mount"=>"/boot"}, "sda3"=>{"uuid"=>"c0f0fa3e-b389-4814-ae8b-dec3b14816fb",
"size"=>"974673920"}}
I can successfully use the filter function to find the sda2 hash in puppet:
$x = $facts['partitions'].filter |$p,$d| { $d['mount' == '/boot' }
$k = keys($x)
$u = $x[k[0]]['uuid']
notify { "$u": }
This produces the desired resulting data, a string with the UUID, but it
requires using puppetlabs-stdlib's keys function. So, is there a way to
accomplish this with native puppet alone?
Thanks you kindly.
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/fa9679ba-72a4-4ba2-8cbf-a1695cdefa8a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Confusing error with file resource...
Hi,
I have a strange puppet error (v4.10.1) with a file resource that creates a
cron job...
file { '/etc/cron.daily/aide':
ensure => $mymodule::ensure_aide,
owner => 'root',
group => 'root',
mode=> '0755',
source => 'puppet:///modules/mymodule/cron/daily-aide-check.sh',
require => Package['aide'],
}
The error is:
Error: Failed to apply catalog: Validation of File[/etc/cron.daily/aide]
failed: You cannot specify more than one of content, source, target at :line#
The ensure param is a Variant - either boolean or enum of true, false,
present, absent, latest. The code passes the puppet parser and checking
puppet lookup for $mymodule::ensure_aide for the test node returns a 'true'
value from the module's hiera data.
Any ideas?
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/64776827-6fe1-49c0-89b1-fc532faa211a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Re: Question regarding Puppet4 class params and Hiera5
John,
I have no disagreement with your statements. I've never done object
oriented programming professionally, and only dabbled with java to learn
some basics, so I guess I don't have as much bias in that regard...I really
thought I was just going with the terminology flow. The complexity of this
module comes with trying to extend it's use to various platforms. The goal
is to have the end user just "include complex" and get what's broadly
appropriate for that platform, while having the flexibility to exclude
specific components as needed. The module is implementing a system-wide
configuration policy and touches many aspects things that would normally be
done in individual modules. This is a policy thing similar to what the
SCAP Security Guide project might address. So if other modules are in
play, an end use could exclude or disable a feature in order to avoid a
conflict of multiple resource declarations.
David,
Currently, aside from using --strict, is what I am doing. I think what
made your explanations click most for me was referring to there being only
one value for a parameter. It seems a better approach to use the fully
scoped names, and including class parameters only in init.pp, than
attempting to include class params in the module's member classes (formerly
addressed as sublcasses).
Thank you both!
On Thursday, September 28, 2017 at 9:24:49 AM UTC-4, jcbollinger wrote:
>
> Dear Sean,
>
> David has already given you great answers to the questions you posed. I
> have nothing to add to those, but I feel inclined to nitpick your question
> a bit:
>
> On Tuesday, September 26, 2017 at 10:00:49 AM UTC-5, Sean wrote:
> [...]
>
>> The class arrays are strings of fully qualified subclass names, e.g. [
>> 'complex::redhat::subclass1', 'complex::redhat::subclass2', ] etc.
>>
>> Is there a benefit to actually using class params or declaring all
>> references to class variables directly as fully qualified in the subclasses?
>>
>> Here's a simplified example subclass, and yes the example is silly, if we
>> enable/disable a feature in puppet code, why not just exclude the subclass
>> altogether. Typically, that is what happens, but I was failing to find any
>> other simplistic examples to provide.
>>
>> class complex::redhat::subclass1 (
>> Boolean $enable_feature1,
>> ) {
>>
>> if $enable_feature1 {
>> notify("${::osfamily} Feature 1 is enabled")
>> } else {
>> notify("${::osfamily} Feature 1 is disabled")
>> }
>>
>> }
>>
>>
>>
>
> Puppet has subclasses, whose definitions can be recognized by their use of
> the 'inherits' keyword. What you are describing are not them. Even *bona
> fide* Puppet subclasses behave differently than most people tend to
> expect based on the uses of the term "subclass" in object-oriented
> programming languages, but the classes you are actually describing have
> nothing at all recognizable as a superclass / subclass relationship, in any
> accepted sense of the term. In particular, each of the classes you
> described defines its own namespace, separate from and independent of all
> the others'.
>
> The thrust of some of your questions suggests uncertainty about the
> relationship between those classes, which is an excellent reason to avoid
> use of the term 'subclass' for it. Even if you understood (and when you do
> understand) the relationship, describing it via the term 'subclass' is
> prone to confuse. In fact, one class having another's name as its
> namespace has very little practical significance, other than putting them
> in the same module. Even that is primarily organizational, not functional.
> I suggest just calling them "classes".
>
>
> John
>
>
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/6cbc4f8b-809f-4e5e-b2da-830b0e012d97%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Question regarding Puppet4 class params and Hiera5
Hi David, thanks for your reply.
I can see where I may have confused the intent of my questions with too
much information. If someone using the class were to declare something
like:
class { 'complex':
enable_feature1 => false,
class_incl_list => [ 'complex::redhat::subclass1', ],
}
Will subclass1 obtain the value of enable_feature1 from the above
declaration? Suppose the module default in data/common.yaml for
enable_feature1 is true.
On Tuesday, September 26, 2017 at 12:13:42 PM UTC-4, David Schmitt wrote:
>
>
>
> On Tue, Sep 26, 2017 at 4:01 PM Sean <smal...@gmail.com >
> wrote:
>
>> Greetings,
>>
>> I have read searched and read several threads in the list regarding using
>> hiera, automatic lookup, and class params. Some of them, I'm thinking
>> relate to Puppet3 and prior, and I admit I'm struggling a bit with weeding
>> through the information that's appropriate to my scenario of versions.
>> Please bear with me. I am attempting to build a module that will use Hiera
>> data layers and get away from the params.pp pattern. The hope is that
>> customers can use their environment hiera data if they choose, global data
>> from an ENC, accept the default module layer data or use resource
>> definition and supply data directly. Unfortunately the module is complex
>> and has many sublcasses, the init.pp looks something like:
>>
>> class complex (
>> Array $class_incl_list,
>> Array $class_excl_list,
>> Boolean $enable_feature1,
>> ...more params that subclasses might use...
>> ) {
>>
>> validate_array($class_incl_list)
>> validate_array($class_excl_list)
>>
>
> Since you have already specified `Array` on the params, you can skip the
> `validate_array()` call here.
>
>
>>
>> $local_incl_list = array_subtract($class_incl_list, $class_excl_list)
>>
>> include $local_incl_list
>>
>> }
>>
>> The class arrays are strings of fully qualified subclass names, e.g. [
>> 'complex::redhat::subclass1', 'complex::redhat::subclass2', ] etc.
>>
>> Is there a benefit to actually using class params or declaring all
>> references to class variables directly as fully qualified in the subclasses?
>>
>
> `include` is necessary to make the class - and its resources - available
> in the catalog. It has no influence over variable namespacing/scope.
>
> If that doesn't answer your question, likely I haven't really understood
> what you were asking.
>
>
>> Here's a simplified example subclass, and yes the example is silly, if we
>> enable/disable a feature in puppet code, why not just exclude the subclass
>> altogether.
>>
>
> If you need to have stuff done to *remove* a feature, this pattern is
> absolutely fine!
>
>
>
>> Typically, that is what happens, but I was failing to find any other
>> simplistic examples to provide.
>>
>> class complex::redhat::subclass1 (
>> Boolean $enable_feature1,
>> ) {
>>
>> if $enable_feature1 {
>> notify("${::osfamily} Feature 1 is enabled")
>> } else {
>> notify("${::osfamily} Feature 1 is disabled")
>> }
>>
>> }
>>
>>
>> Would I be better off removing the class param and using
>> $::complex::enable_feature1 in the conditional?
>>
>
> Yes.
>
>
>> The subclasses aren't really meant to be called by the end-user
>> directly, so I would never expect to see someone doing a resource
>> declaration of a subclass, but I would expect to see a user doing a
>> resource declaration of the main class and supplying the enable_feature1
>> boolean with it.
>>
>> Thanks for your thoughts and input.
>>
>
>
> Cheers, David
>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to puppet-users...@googlegroups.com .
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/puppet-users/f374a512-e5a1-4933-bc0e-405bbc8b44f9%40googlegroups.com
>>
>> <https://groups.google.com/d/msgid/puppet-users/f374a512-e5a1-4933-bc0e-405bbc8b44f9%40googlegroups.com?utm_medium=email_source=footer>
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
>
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/94f61b8e-94b1-4023-bb84-7eb64de07fa5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Question regarding Puppet4 class params and Hiera5
Greetings,
I have read searched and read several threads in the list regarding using
hiera, automatic lookup, and class params. Some of them, I'm thinking
relate to Puppet3 and prior, and I admit I'm struggling a bit with weeding
through the information that's appropriate to my scenario of versions.
Please bear with me. I am attempting to build a module that will use Hiera
data layers and get away from the params.pp pattern. The hope is that
customers can use their environment hiera data if they choose, global data
from an ENC, accept the default module layer data or use resource
definition and supply data directly. Unfortunately the module is complex
and has many sublcasses, the init.pp looks something like:
class complex (
Array $class_incl_list,
Array $class_excl_list,
Boolean $enable_feature1,
...more params that subclasses might use...
) {
validate_array($class_incl_list)
validate_array($class_excl_list)
$local_incl_list = array_subtract($class_incl_list, $class_excl_list)
include $local_incl_list
}
The class arrays are strings of fully qualified subclass names, e.g. [
'complex::redhat::subclass1', 'complex::redhat::subclass2', ] etc.
Is there a benefit to actually using class params or declaring all
references to class variables directly as fully qualified in the subclasses?
Here's a simplified example subclass, and yes the example is silly, if we
enable/disable a feature in puppet code, why not just exclude the subclass
altogether. Typically, that is what happens, but I was failing to find any
other simplistic examples to provide.
class complex::redhat::subclass1 (
Boolean $enable_feature1,
) {
if $enable_feature1 {
notify("${::osfamily} Feature 1 is enabled")
} else {
notify("${::osfamily} Feature 1 is disabled")
}
}
Would I be better off removing the class param and using
$::complex::enable_feature1 in the conditional? The subclasses aren't
really meant to be called by the end-user directly, so I would never expect
to see someone doing a resource declaration of a subclass, but I would
expect to see a user doing a resource declaration of the main class and
supplying the enable_feature1 boolean with it.
Thanks for your thoughts and input.
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/f374a512-e5a1-4933-bc0e-405bbc8b44f9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[Puppet Users] How to determine best place to put external facts?
Hi, I am searching for a reasonably good method to determine where I should drop external fact files (like yaml/json files) on an arbitrary unix/linux/mac system...preferably outside of puppet. It seems different versions and install methods of puppet put the facter/facts.d directory in different places. For example, on a unix/linux host, suppose I have a cron job that produces a yaml file that I want to access as a fact in some module, role or profile. The cron job would need to determine where to create the file so that puppet can pull it as a fact. Should the cron job just create (if necessary) /etc/facter/facts.d and drop a file in there? Will that work for most unix/linux platforms and versions of puppet 3 and 4? Thanks! -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/0067aba0-f316-4660-bc31-ce1713fed76d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Struggling with hiera 5 and puppet 4.10
Ok, I think I discovered the issues. 1. for the r10k control repo, I cloned puppetlabs example, which has a directory called hieradata, but not hiera.yaml starter file. So I think when I copied from the example of a hiera 5 config file, it uses the default data dir as "data", I needed this to be "hieradata". 2. for my demo module, it appears I wasn't handling params correctly, and it seems that I can't fully qualify parameters in my code. using $::demo::webhost produced an undefined variable warning. Fixing these two things up and now I have working data. On Thursday, June 1, 2017 at 11:19:38 AM UTC-4, Sean wrote: > > Thanks for that, I have read that blog plus the more recent followup. I > also have tried using the --explain flag for the lookup function. > > Again if I run puppet lookup --node test.demo.local --explain > demo::webhost on the puppet master, it produces a value for demo::webhost. > If I run on the agent node, it complains that hiera.yaml is using version > 3 and that's deprecated, then produces no resulting value. > > When puppet runs on the demo webserver with the class (that uses the > demo::webhost value to configure an apache vhost resource), the > demo::webhost value appears to be empty. It produces a apache vhost config > file in /etc/httpd/conf.d which has no hostname, no vhost name, no server > name. Everywhere in the resource where demo::webhost is used, there is no > value in the resulting apache config file. > > So perhaps the problem is in configuring hiera on the agents? I guess I > need to deploy the puppet/hiera module and try to ensure that all the > agents are configured to use Hiera 5? I haven't read anywhere that I need > to deploy hiera.yaml files to agents, is that what I'm missing? > > > On Monday, May 29, 2017 at 2:58:18 AM UTC-4, amateo wrote: >> >> Take a look at https://puppet.com/blog/debugging-hiera >> <https://www.google.com/url?q=https%3A%2F%2Fpuppet.com%2Fblog%2Fdebugging-hiera=D=1=AFQjCNFsec44FVrEZDblVBLzYE5gRokbKg> >> >> for help >> debuggin hiera problems. >> >> El 26/05/17 a las 22:59, Sean escribió: >> > Hi, >> > >> > I'm working to prototype an upgrade of our environment to puppet 4.10 >> > and use hiera 5 data layers. Today, we're running puppet 3, and I've >> > refactored a our main modules to use hiera module data instead of >> > params.pp. It better suits our needs to have the data layers setup >> this >> > way. This prototype is also leveraging r10k, so the environment data >> is >> > stored in a control repo branch for each puppet environment. >> > >> > Anyway, I'm struggling because the when I run puppet lookup on the >> > puppet master, I get a value for a parameter that hiera should be >> > serving data. In the module data layer, the parameter defaults to >> > facts.hostname. When I run puppet agent or puppet lookup on a node >> that >> > this module is applied to, I get nothing...e.g. if I use that piece of >> > data in an apache::vhost define, the config file in /etc/httpd/conf.d/ >> > is 25-.mydomain.com.conf where it should be 25-www.mydomain.com.conf >> > because www is the value parameter hiera is looking up. The same >> result >> > holds true even when I override the default value with something >> > specific at the environment layer, the lookup on the puppet master >> > produces the right value but the lookup on the agent returns nothing. >> > >> > I'm something at a loss of what could cause this with out any errors or >> > useful information produced. Might anyone have an idea where I've gone >> > wrong? >> > >> > Thanks! >> > >> > -- >> > You received this message because you are subscribed to the Google >> > Groups "Puppet Users" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> > an email to puppet-users...@googlegroups.com >> > <mailto:puppet-users+unsubscr...@googlegroups.com>. >> > To view this discussion on the web visit >> > >> https://groups.google.com/d/msgid/puppet-users/31f68898-9b99-4b8b-8362-b588c5ea0eae%40googlegroups.com >> >> > < >> https://groups.google.com/d/msgid/puppet-users/31f68898-9b99-4b8b-8362-b588c5ea0eae%40googlegroups.com?utm_medium=email_source=footer>. >> >> >> > For more options, visit https://groups.google.com/d/optout. >> >> -- >> Angel L. Mateo Martínez >> Sección de Telemática >> Área de Tecnologías de la Información >> y las Comunicaciones Aplicadas (ATICA) >> http://www.um.es/atica >> Tfo: 868889150 >> Fax: 86337 >> > -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/789a8b5d-13a2-44ad-ac95-6830620814cc%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Struggling with hiera 5 and puppet 4.10
Thanks for that, I have read that blog plus the more recent followup. I also have tried using the --explain flag for the lookup function. Again if I run puppet lookup --node test.demo.local --explain demo::webhost on the puppet master, it produces a value for demo::webhost. If I run on the agent node, it complains that hiera.yaml is using version 3 and that's deprecated, then produces no resulting value. When puppet runs on the demo webserver with the class (that uses the demo::webhost value to configure an apache vhost resource), the demo::webhost value appears to be empty. It produces a apache vhost config file in /etc/httpd/conf.d which has no hostname, no vhost name, no server name. Everywhere in the resource where demo::webhost is used, there is no value in the resulting apache config file. So perhaps the problem is in configuring hiera on the agents? I guess I need to deploy the puppet/hiera module and try to ensure that all the agents are configured to use Hiera 5? I haven't read anywhere that I need to deploy hiera.yaml files to agents, is that what I'm missing? On Monday, May 29, 2017 at 2:58:18 AM UTC-4, amateo wrote: > > Take a look at https://puppet.com/blog/debugging-hiera > <https://www.google.com/url?q=https%3A%2F%2Fpuppet.com%2Fblog%2Fdebugging-hiera=D=1=AFQjCNFsec44FVrEZDblVBLzYE5gRokbKg> > > for help > debuggin hiera problems. > > El 26/05/17 a las 22:59, Sean escribió: > > Hi, > > > > I'm working to prototype an upgrade of our environment to puppet 4.10 > > and use hiera 5 data layers. Today, we're running puppet 3, and I've > > refactored a our main modules to use hiera module data instead of > > params.pp. It better suits our needs to have the data layers setup this > > way. This prototype is also leveraging r10k, so the environment data is > > stored in a control repo branch for each puppet environment. > > > > Anyway, I'm struggling because the when I run puppet lookup on the > > puppet master, I get a value for a parameter that hiera should be > > serving data. In the module data layer, the parameter defaults to > > facts.hostname. When I run puppet agent or puppet lookup on a node that > > this module is applied to, I get nothing...e.g. if I use that piece of > > data in an apache::vhost define, the config file in /etc/httpd/conf.d/ > > is 25-.mydomain.com.conf where it should be 25-www.mydomain.com.conf > > because www is the value parameter hiera is looking up. The same result > > holds true even when I override the default value with something > > specific at the environment layer, the lookup on the puppet master > > produces the right value but the lookup on the agent returns nothing. > > > > I'm something at a loss of what could cause this with out any errors or > > useful information produced. Might anyone have an idea where I've gone > > wrong? > > > > Thanks! > > > > -- > > You received this message because you are subscribed to the Google > > Groups "Puppet Users" group. > > To unsubscribe from this group and stop receiving emails from it, send > > an email to puppet-users...@googlegroups.com > > <mailto:puppet-users+unsubscr...@googlegroups.com >. > > To view this discussion on the web visit > > > https://groups.google.com/d/msgid/puppet-users/31f68898-9b99-4b8b-8362-b588c5ea0eae%40googlegroups.com > > > < > https://groups.google.com/d/msgid/puppet-users/31f68898-9b99-4b8b-8362-b588c5ea0eae%40googlegroups.com?utm_medium=email_source=footer>. > > > > For more options, visit https://groups.google.com/d/optout. > > -- > Angel L. Mateo Martínez > Sección de Telemática > Área de Tecnologías de la Información > y las Comunicaciones Aplicadas (ATICA) > http://www.um.es/atica > Tfo: 868889150 > Fax: 86337 > -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/f7dfe5dd-401e-4a9f-99f9-758ef44de472%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Struggling with hiera 5 and puppet 4.10
Hi, I'm working to prototype an upgrade of our environment to puppet 4.10 and use hiera 5 data layers. Today, we're running puppet 3, and I've refactored a our main modules to use hiera module data instead of params.pp. It better suits our needs to have the data layers setup this way. This prototype is also leveraging r10k, so the environment data is stored in a control repo branch for each puppet environment. Anyway, I'm struggling because the when I run puppet lookup on the puppet master, I get a value for a parameter that hiera should be serving data. In the module data layer, the parameter defaults to facts.hostname. When I run puppet agent or puppet lookup on a node that this module is applied to, I get nothing...e.g. if I use that piece of data in an apache::vhost define, the config file in /etc/httpd/conf.d/ is 25-.mydomain.com.conf where it should be 25-www.mydomain.com.conf because www is the value parameter hiera is looking up. The same result holds true even when I override the default value with something specific at the environment layer, the lookup on the puppet master produces the right value but the lookup on the agent returns nothing. I'm something at a loss of what could cause this with out any errors or useful information produced. Might anyone have an idea where I've gone wrong? Thanks! -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/31f68898-9b99-4b8b-8362-b588c5ea0eae%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Re: Using notify with concat module...
Thank you for the reply!
On Tuesday, January 24, 2017 at 4:42:10 AM UTC-5, Luke Bigum wrote:
>
>
>
> On Monday, 23 January 2017 20:55:44 UTC, Sean wrote:
>>
>> Hello,
>>
>> I was reading over several threads regarding the use of concat modules
>> and subscribe capabilities. It seems everyone is subscribe from another
>> resource instead of notify with a concat resource. My preference is to use
>> notify, as I think it makes the code read better for documentation
>> purposes. One thread implied that subscribe and notify are interchangeable
>> as long as refreshonly=true. Is that correct in the case of using notify
>> with concat? Is it sufficient to use one notify statement inside the main
>> concat resource for a file, or do I need to notify from each
>> concat::fragment resource? I am hoping someone can clear up a bit of
>> confusion I've developed reading through the threads.
>>
>
> There should be no difference, the examples you've seen are probably
> written by someone with a mental model where 'subscribe' makes more sense,
> where you and I think 'notify' reads better. The one time where it might
> get cumbersome is if you have one Concat resource that has to notify dozens
> of other resources, so the Notify parameter ends up being a large array of
> resources. In that case the code might read better to put one Subscribe on
> each other resource, but that's personal preference.
>
> I would not recommend you put your own requirements on concat::fragments,
> just let the Concat module sort out it's own dependencies. You can easily
> create loops, even through implicit relationships that aren't immediately
> obvious. For example here's two classes, one that manages the Gnome dconf
> file and one of my own that sets some of the settings I want, but I've
> decided I need dconf done first before the my_desktop class is finished:
>
> *
> $dconf_file = '/tmp/dconf'
> class my_desktop {
> concat::fragment { 'setting1':
> target => $dconf_file,
> }
> service { 'some_stuff': }
> }
>
> class dconf {
> concat { $dconf_file: }
> }
>
> include dconf
> include my_desktop
>
> Class[dconf] -> Class[my_desktop]
> *
>
> That doesn't work so well.
>
>
>
>> For background, I'm using puppet to configure Gnome using dconf. I've
>> written a simple Exec resource that runs dconf-update, refreshonly => true.
>> A concat resource might manage a file that collects several Gnome options
>> that relate to each other, where each concat::fragment resource corresponds
>> to a single Gnome option...like a fragment for enabling the screensaver,
>> and another fragment for the idle-delay. If the file is updated,
>> dconf-update needs to be run and should only be run once at the end of a
>> puppet run.
>>
>> Thanks for your thoughts.
>>
>
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/78e3f373-59ad-47da-94b4-7732320623b0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Using notify with concat module...
Hello, I was reading over several threads regarding the use of concat modules and subscribe capabilities. It seems everyone is subscribe from another resource instead of notify with a concat resource. My preference is to use notify, as I think it makes the code read better for documentation purposes. One thread implied that subscribe and notify are interchangeable as long as refreshonly=true. Is that correct in the case of using notify with concat? Is it sufficient to use one notify statement inside the main concat resource for a file, or do I need to notify from each concat::fragment resource? I am hoping someone can clear up a bit of confusion I've developed reading through the threads. For background, I'm using puppet to configure Gnome using dconf. I've written a simple Exec resource that runs dconf-update, refreshonly => true. A concat resource might manage a file that collects several Gnome options that relate to each other, where each concat::fragment resource corresponds to a single Gnome option...like a fragment for enabling the screensaver, and another fragment for the idle-delay. If the file is updated, dconf-update needs to be run and should only be run once at the end of a puppet run. Thanks for your thoughts. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/09321e9b-9161-433a-8dcc-364a27af3220%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Announce, Puppet Agent 1.6.2 Available
Puppet Agent 1.6.2 is now available. This release includes several bugfixes for Puppet. Check out the full release notes here: https://docs.puppet.com/puppet/latest/reference/release_notes_agent.html To install or upgrade puppet-agent, follow the getting started directions: http://docs.puppetlabs.com/puppet/latest/reference/index.html -- Sean P. McDonald Associate Release Engineer, Puppet -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAOPg%3DQe1dMFGUHF1gh56MudQfSHMXWJmOOg-xJvQUP8JFpnoSw%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Re: Puppet Exec resource with complex Environment Variables...
John,
Thanks for the reply. To answer your first question, no I'm not completely
sure. What I can say is that I can run the commands in a shell by hand and
the result is what I hope for. When I run puppet, with this particular
class included, puppet hangs for a while with no screen output. This leads
me to believe that the "unless" fails and the "command" executes. I can
verify that by running (in another shell):
[root@desktop ~]# ps -ef|grep aide
root 28085 1 0 14:42 ?00:00:00 sh -c /usr/sbin/aide --init
>/dev/null 2>&1 && cp -p ${DBDIR}/${DBNEW} ${DBDIR}/${DBFILE}
root 28088 28085 20 14:42 ?00:01:24 /usr/sbin/aide --init
I can say when I run the various piece by hand inside an interactive shell
everything comes out as expected:
[root@desktop ~]# DBDIR=$(egrep '^@@define DBDIR ' /etc/aide.conf |awk
'{print $NF}')
[root@desktop ~]# echo $DBDIR
/var/lib/aide
[root@desktop ~]# DBFILE=$(egrep '^database=file' /etc/aide.conf |awk -F/
'{print $NF}')
[root@desktop ~]# echo $DBFILE
aide.db.gz
[root@desktop ~]# DBNEW=$(egrep '^database_out=file' /etc/aide.conf |awk
-F/ '{print $NF}')
[root@desktop ~]# echo $DBNEW
aide.db.new.gz
[root@desktop ~]# test -f ${DBDIR}/${DBNEW} && test -f ${DBDIR}/${DBFILE}
[root@desktop ~]# echo $?
0
[root@desktop ~]# /usr/sbin/aide --init >/dev/null 2>&1 && cp -p
${DBDIR}/${DBNEW} ${DBDIR}/${DBFILE}
cp: overwrite ‘/var/lib/aide/aide.db.gz’? y
The cp overwrite prompt above comes from the alias cp='cp -i ' in my shell.
I'm not sure if that would be there inside puppet, but if so I'll modify
to negate that option.
For testing, I created a separate class for just this one exec. I modified
the unless and command statements as follows:
command => 'echo "/usr/sbin/aide --init >/dev/null 2>&1 && cp -p
${DBDIR}/${DBNEW} ${DBDIR}/${DBFILE}"',
unless => 'echo "test -f ${DBDIR}/${DBNEW} && test -f
${DBDIR}/${DBFILE}" && test -f ${DBDIR}/${DBNEW} && test -f
${DBDIR}/${DBFILE}',
So basically the "unless" echo's what it's doing, then tries to do it. The
"command" just echoes what it would do. Here's the puppet agent --test
--debug output for the class:
Debug: Exec[init-aide-database](provider=posix): Executing check 'echo
"test -f ${DBDIR}/${DBNEW} && test -f ${DBDIR}/${DBFILE}" && test -f
${DBDIR}/${DBNEW} && test -f ${DBDIR}/${DBFILE}'
Debug: Executing 'echo "test -f ${DBDIR}/${DBNEW} && test -f
${DBDIR}/${DBFILE}" && test -f ${DBDIR}/${DBNEW} && test -f
${DBDIR}/${DBFILE}'
Debug: /Stage[main]/Testenv/Exec[init-aide-database]/unless: test -f $(egrep
'^@@define DBDIR ' /etc/aide.conf|awk '{print $NF}')/$(egrep
'^database_out=file' /etc/aide.conf|awk -F/ '{print $NF}') && test -f $(egrep
'^@@define DBDIR ' /etc/aide.conf|awk '{print $NF}')/$(egrep
'^database=file' /etc/aide.conf|awk -F/ '{print $NF}')
Debug: /Stage[main]/Testenv/Exec[init-aide-database]/unless: sh: line 0:
test: too many arguments
Debug: Exec[init-aide-database](provider=posix): Executing 'echo
"/usr/sbin/aide --init >/dev/null 2>&1 && cp -p ${DBDIR}/${DBNEW}
${DBDIR}/${DBFILE}"'
Debug: Executing 'echo "/usr/sbin/aide --init >/dev/null 2>&1 && cp -p
${DBDIR}/${DBNEW} ${DBDIR}/${DBFILE}"'
Notice: /Stage[main]/Testenv/Exec[init-aide-database]/returns: /usr/sbin/aide
--init >/dev/null 2>&1 && cp -p $(egrep '^@@define DBDIR ' /etc/aide.conf|awk
'{print $NF}')/$(egrep '^database_out=file' /etc/aide.conf|awk -F/ '{print
$NF}') $(egrep '^@@define DBDIR ' /etc/aide.conf|awk '{print $NF}')/$(egrep
'^database=file' /etc/aide.conf|awk -F/ '{print $NF}')
Notice: /Stage[main]/Testenv/Exec[init-aide-database]/returns: executed
successfully
Debug: /Stage[main]/Testenv/Exec[init-aide-database]: The container Class[
Testenv] will propagate my refresh event
Debug: Class[Testenv]: The container Stage[main] will propagate my refresh
event
So it looks like the strings inside the environment variables aren't
interpreted by the shell, they're just passed as literal strings. But
notably, the the unless test fails with an error from /usr/bin/test that
doesn't surface when running interactively. I will attempt to run in the
shell provider instead of posix, but if that fails, I just re-code
everything into shell scripts and have puppet push and execute them. If we
need to make this a bug, I'll be happy to help, but I'm running on EL7 with
puppet out of EPEL7, with no intent of going to Puppet 4 anytime soon.
Thanks again for taking a look!
On Monday, December 7, 2015 at 11:37:19 AM UTC-5, jcbollinger wrote:
>
>
>
> On Friday, December 4, 2015 at 10:27:52 AM UTC-6, Sean wrote:
>>
>> Greetings,
>>
>> I am working
[Puppet Users] Puppet Exec resource with complex Environment Variables...
Greetings,
I am working on streamlining some older puppet code, that uses a lot of
Exec resources to accomplish it's purposes. It's not terribly elegant and
we're working on design to replace it with code that leverages puppet
features. One of the pieces I'm struggling with is how to set complex
environment variables that are available to use in onlyif/unless statements
as well as the command itself. I'm wondering if this just isn't possible?
Here's an example with the aide. NOTE that we're not in a spot where I can
make puppet manage the aide config file, and thus use an aide module and
parameters instead of shell variables. All of these commands run
successfully in a bash shell for the various conditions that would apply.
I have other similar scenarios, but aide is one of the more complex ones.
exec { 'init-aide-database':
path=>
'/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin',
environment => [ 'DBDIR=$(egrep \'^@@define DBDIR \' /etc/aide.conf|awk
\'{print $NF}\')',
'DBFILE=$(egrep \'^database=file\' /etc/aide.conf|awk -F/ \'{print
$NF}\')',
'DBNEW=$(egrep \'^database_out=file\' /etc/aide.conf|awk -F/ \'{print
$NF}\')',
],
command => '/usr/sbin/aide --init >/dev/null 2>&1 && cp -p
${DBDIR}/${DBNEW} ${DBDIR}/${DBFILE}',
unless => 'test -f ${DBDIR}/${DBNEW} && test -f ${DBDIR}/${DBFILE}'
,
require => Package['aide'],
logoutput => true,
timeout => 0,
}
When executing, puppet always runs the exec because the env var's are
empty, so the unless case always fails. Then we get a scenario where we're
running aide --init when it's not needed and the cp command throws an error
due to empty variables.
My thought at the moment is that I need to build two shell scripts as file
resources. One to call in the unless test, and another to call in the
command if the unless script fails. Perhaps that's more elegant, but we're
hoping to avoid delivering script files to the nodes wherever possible.
I'm hoping the gurus out here might point me in the best direction!
Thank you kindly!
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/d4a7a101-cb24-46e3-98a6-4ad42b2345cc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Puppet 4, rspec, and stages
Hah! That's a valid point. Unfortunately for me, the actual manifest has
the comma after the password (I just failed when obscuring it, apparently).
On Thursday, September 24, 2015 at 8:33:48 PM UTC-7, red wrote:
>
> You might need a comma after 'obscured_because_security' :)
>
> On Thu, Sep 24, 2015 at 3:40 PM, Sean McKinley <sean.c@gmail.com
> > wrote:
>
>> We recently upgraded to PE2015, and as such have upgraded our local
>> puppet gems to match (4.2.2). Unfortunately a few of our specs that were
>> previously passing are now failing, mostly in regards to stages:
>>
>> "Evaluation Error: Error while evaluating a Function Call, Could not find
>> stage first specified by Class[Ipa::client]"
>>
>> The class is fairly simple:
>>
>> class ipa::client(
>> $principal = 'host_manager',
>> $password = 'obscured_because_security'
>> $stage = first,
>> ){
>>
>> Has anyone run into this yet by chance?
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to puppet-users...@googlegroups.com .
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/puppet-users/02ebfaec-04b8-4f5c-89f8-6f81a9827f2b%40googlegroups.com
>>
>> <https://groups.google.com/d/msgid/puppet-users/02ebfaec-04b8-4f5c-89f8-6f81a9827f2b%40googlegroups.com?utm_medium=email_source=footer>
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/2c653d19-6491-4bf1-91bb-c40bbc9ac906%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Puppet 4, rspec, and stages
We recently upgraded to PE2015, and as such have upgraded our local puppet
gems to match (4.2.2). Unfortunately a few of our specs that were
previously passing are now failing, mostly in regards to stages:
"Evaluation Error: Error while evaluating a Function Call, Could not find
stage first specified by Class[Ipa::client]"
The class is fairly simple:
class ipa::client(
$principal = 'host_manager',
$password = 'obscured_because_security'
$stage = first,
){
Has anyone run into this yet by chance?
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/02ebfaec-04b8-4f5c-89f8-6f81a9827f2b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Puppet method to subtract two arrays?
My woes were definitely due to the data in the parameters being treated as
strings throughout. Basically, for whatever reason even when using
any2array(), the issue came down to all the desired individual elements
were being treated as a single string that became element 0 of an array...
Effectively:
$whitelist = [ 'foo::a, foo::b, foo::c, foo::d, foo::e', ]
$blacklist = [ 'foo::c, foo::e', ]
It's possible that whitelist was not, but I can confirm that blacklist
(sent to puppet via ENC) was indeed a string, that any2array converted to a
single element array. I have coerced the datatype in the ENC using
Foreman's SmartClass parameter override, and am now getting the correct
results.
I also converted the inline template into a custom function to avoid having
to use any2array.
On Thursday, September 17, 2015 at 4:16:16 PM UTC-4, Sean wrote:
>
> Hi Peter,
>
> Thanks for that! I must have lost the = in translation from the old post,
> I appreciate you 2nd set of eyes. Now that I'm passed that and have data
> in the result, I've only graduated to having incorrect results. I had used
> the any2array function to ensure the array status of the template output
> and the blacklist param. The blacklist param will be delivered from and
> ENC (specifically Foreman), and while it should work, I've had issues in
> the past with arrays and hashes being taken as strings. That said, here's
> what I see now:
>
> $whitelist = [ foo::a, foo::b, foo::c, foo::d, foo::e ]
> $blacklist = [ foo::c, foo::e ]
>
> < apply corrected code, sending notifies for $whitelist, $blacklist, and
> $include_list >
>
> The notify outputs show that $include_list is identical to $whitelist. If
> I actually attempt the include $include_list statement (which is usually
> commented) I get duplicate resource definition errors since the blacklisted
> classes create resources like package { 'apache': ensure => absent } and
> the node's purpose might include being a webserver so we have another class
> which manages the package resource for apache.
>
> I've experimented with the parameter from the ENC, and how I define
> whitelist in params.pp. I have tried several experiments with quoting the
> array elements, with singles, with doubles, not quoting the elements, and
> even defining them as strings, and allowing any2array to convert them
> before the template. The outputs are different each time, but the result
> is the same. The blacklist items still appear in the end result.
>
> FWIW, I'm running puppet 3.6.2 on the agent and 3.8.2 on the master, I
> assume you refer to current as the version 4 tree.
>
>
>
> On Thursday, September 17, 2015 at 3:15:37 PM UTC-4, Peter Huene wrote:
>>
>> Hi Sean,
>>
>> On Thu, Sep 17, 2015 at 12:01 PM, Sean <smal...@gmail.com> wrote:
>>
>>> Hello,
>>>
>>> I have been working on trying to drive an include statement with an
>>> array parameter.
>>>
>>> The idea looks like so (in pseudo code) :
>>>
>>>
>>> class foo( $whitelist = $::foo::params::whitelist, $blacklist = [],) {
>>>
>>> $include_list = inline_template( "<% @whitelist - @blacklist %>" )
>>> validate_array($include_list)
>>> include $include_list
>>>
>>> }
>>>
>>> I picked up that inline template from a message in the group dating back
>>> to 2011.
>>>
>>
>> The template is missing a '=' character to write the result, like so:
>>
>> <%= @whitelist - @blacklist %>
>>
>> However, this will return a string-ified version of the array and is not
>> what you want as include will treat it as a single class name.
>>
>> In the current version of the Puppet language, two arrays can simply be
>> subtracted from one another:
>>
>> $whitelist = [foo, bar, baz]
>> $blacklist = [bar]
>> include $whitelist - $blacklist
>>
>> This would include "foo" and "baz", but not "bar".
>>
>>
>>> Basically, class foo has a ton of subclasses who's names populate the
>>> default value for $whitelist. Normally all these get applied, but I need
>>> to allow for deviations for specific cases, thus the blacklist.
>>>
>>> The issue seems to be that no matter what I put in whitelist or
>>> blacklist, include_list is always empty. What am I missing? I have also
>>> tried writing a Custom Function to do the same as the inline template but
>>> the result was not anymore successful, though the debugging was more
>>> difficult.
>>>
>>> Thanks for your thoughts o
Re: [Puppet Users] Puppet method to subtract two arrays?
Hi Peter,
Thanks for that! I must have lost the = in translation from the old post,
I appreciate you 2nd set of eyes. Now that I'm passed that and have data
in the result, I've only graduated to having incorrect results. I had used
the any2array function to ensure the array status of the template output
and the blacklist param. The blacklist param will be delivered from and
ENC (specifically Foreman), and while it should work, I've had issues in
the past with arrays and hashes being taken as strings. That said, here's
what I see now:
$whitelist = [ foo::a, foo::b, foo::c, foo::d, foo::e ]
$blacklist = [ foo::c, foo::e ]
< apply corrected code, sending notifies for $whitelist, $blacklist, and
$include_list >
The notify outputs show that $include_list is identical to $whitelist. If
I actually attempt the include $include_list statement (which is usually
commented) I get duplicate resource definition errors since the blacklisted
classes create resources like package { 'apache': ensure => absent } and
the node's purpose might include being a webserver so we have another class
which manages the package resource for apache.
I've experimented with the parameter from the ENC, and how I define
whitelist in params.pp. I have tried several experiments with quoting the
array elements, with singles, with doubles, not quoting the elements, and
even defining them as strings, and allowing any2array to convert them
before the template. The outputs are different each time, but the result
is the same. The blacklist items still appear in the end result.
FWIW, I'm running puppet 3.6.2 on the agent and 3.8.2 on the master, I
assume you refer to current as the version 4 tree.
On Thursday, September 17, 2015 at 3:15:37 PM UTC-4, Peter Huene wrote:
>
> Hi Sean,
>
> On Thu, Sep 17, 2015 at 12:01 PM, Sean <smal...@gmail.com >
> wrote:
>
>> Hello,
>>
>> I have been working on trying to drive an include statement with an array
>> parameter.
>>
>> The idea looks like so (in pseudo code) :
>>
>>
>> class foo( $whitelist = $::foo::params::whitelist, $blacklist = [],) {
>>
>> $include_list = inline_template( "<% @whitelist - @blacklist %>" )
>> validate_array($include_list)
>> include $include_list
>>
>> }
>>
>> I picked up that inline template from a message in the group dating back
>> to 2011.
>>
>
> The template is missing a '=' character to write the result, like so:
>
> <%= @whitelist - @blacklist %>
>
> However, this will return a string-ified version of the array and is not
> what you want as include will treat it as a single class name.
>
> In the current version of the Puppet language, two arrays can simply be
> subtracted from one another:
>
> $whitelist = [foo, bar, baz]
> $blacklist = [bar]
> include $whitelist - $blacklist
>
> This would include "foo" and "baz", but not "bar".
>
>
>> Basically, class foo has a ton of subclasses who's names populate the
>> default value for $whitelist. Normally all these get applied, but I need
>> to allow for deviations for specific cases, thus the blacklist.
>>
>> The issue seems to be that no matter what I put in whitelist or
>> blacklist, include_list is always empty. What am I missing? I have also
>> tried writing a Custom Function to do the same as the inline template but
>> the result was not anymore successful, though the debugging was more
>> difficult.
>>
>> Thanks for your thoughts on this!
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to puppet-users...@googlegroups.com .
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/puppet-users/6ac9c22b-f5fc-409b-a75e-7d286862220b%40googlegroups.com
>>
>> <https://groups.google.com/d/msgid/puppet-users/6ac9c22b-f5fc-409b-a75e-7d286862220b%40googlegroups.com?utm_medium=email_source=footer>
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
>
> --
> --
> Peter Huene
> Software Engineer, Puppet Labs
> Puppet Open Source Team
> ---
>
> *PuppetConf 2015 <http://2015.puppetconf.com/> ** is right around the
> corner! Join us October 5-9 in Portland, OR. *
> *Register now <https://puppetconf2015.eventbrite.com/>**.*
>
>
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/1b7dc734-07fd-47e2-af3c-da8f06e23455%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Is there a method for puppet to find all suid files?
Hi, I'm using a module from the Forge to manage auditd rules, the module works quite well and managing rules is very easy. The hard part is that there's a requirement to audit use SUID files on each system. With out knowing exactly what files are SUID on every server in the field, since there are several linux flavors and versions, I'm finding myself thinking the only way to accomplish this is to write a custom fact to hold all the SUID files as an array, then pass the array to the resource creator. I just don't relish the idea of running a find command from / every 30 minutes. Might anyone have any better ideas? Thank you kindly! -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/e848e8ab-0a96-4934-9382-42f3b828d529%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] How to use variables in a puppet class
Hi Vikas, Do you have the package 'redhat-lsb' installed? The $lsbdistrelease fact is only populated when this package is installed Sean On 24 July 2014 17:07, Vikas Kumar vikas...@gmail.com wrote: Hello All, I have a kickstart server which I use to deploy many minor versions of CentOS/RHEL 5 and 6 for both 32 and 64 Bit OS. I have lots of yum repository files. For. e.g. - RHEL_5.5_64.repo, RHEL_5.6_64.repo, RHEL_6.2_32, RHEL_6.5_64, etc. I am looking to use Puppet to automatically deploy the required kickstart repos. I tried to follow this http://seriousbirder.com/blogs/how-to-create-a-puppet-yum-repo-module/ link in vain. The problem is that I am unable to use facter variables *$lsbdistrelease* with something like below. baseurl= http://our-reposrv:8080/dev/RHEL_$lsbdistrelease_64; Here, the variable does not converts to is value. Please help me to get this sorted. Am I missing anything ? Regards, Vikas -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/59aa2148-3133-48fc-9731-412d8687c4f0%40googlegroups.com https://groups.google.com/d/msgid/puppet-users/59aa2148-3133-48fc-9731-412d8687c4f0%40googlegroups.com?utm_medium=emailutm_source=footer . For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CADg9O%2BN2K138omiTWBJDZhdUR%3DTMz%3Dov_47XbYt3USEgNy_qmA%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Re: Puppet Master not responding
I just had this happen to me today. Turns out that I had pasted some
database settings into the puppet.conf instead of the database.ini while
using *screen* and having too many windows open. Luckily I had some cert
warnings so I ran *puppet cert list --all *and got an error about the
puppet.conf file having an invalid line. There you go,
Sean
On Monday, December 9, 2013 9:45:17 PM UTC-7, Naveen Desu wrote:
Hi,
While I was trying to access Puppet REST API [
https://PuppetHost:8140/production/facts/ClientHost], getting the
below error.
I am not sure the issue here could not find any specific log to further
troubleshoot. Any help will be appreciated.
Web application could not be started
exit (SystemExit)
/opt/puppet/lib/ruby/site_ruby/1.9.1/puppet/util.rb:525:in `exit'
/opt/puppet/lib/ruby/site_ruby/1.9.1/puppet/util.rb:525:in `rescue in
exit_on_fail'
/opt/puppet/lib/ruby/site_ruby/1.9.1/puppet/util.rb:511:in `exit_on_fail'
/opt/puppet/lib/ruby/site_ruby/1.9.1/puppet/application.rb:364:in `run'
/opt/puppet/lib/ruby/site_ruby/1.9.1/puppet/util/command_line.rb:132:in
`run'
/opt/puppet/lib/ruby/site_ruby/1.9.1/puppet/util/command_line.rb:86:in
`execute'
config.ru:28:in `block in main'
/opt/puppet/lib/ruby/gems/1.9.1/gems/rack-1.4.5/lib/rack/builder.rb:51:in
`instance_eval'
/opt/puppet/lib/ruby/gems/1.9.1/gems/rack-1.4.5/lib/rack/builder.rb:51:in
`initialize'
config.ru:1:in `new'
config.ru:1:in `main'
/opt/puppet/share/phusion_passenger/helper-scripts/rack-preloader.rb:105:in
`eval'
/opt/puppet/share/phusion_passenger/helper-scripts/rack-preloader.rb:105:in
`preload_app'
/opt/puppet/share/phusion_passenger/helper-scripts/rack-preloader.rb:150:in
`module:App'
/opt/puppet/share/phusion_passenger/helper-scripts/rack-preloader.rb:29:in
`module:PhusionPassenger'
/opt/puppet/share/phusion_passenger/helper-scripts/rack-preloader.rb:28:in
`main'
Application root/var/opt/lib/pe-puppetmasterEnvironment (value of RAILS_ENV,
RACK_ENV, WSGI_ENV and PASSENGER_ENV)production
PS: The server was working fine until the REST API DELETE
https://PuppetHost:8140/production/certificate_status/{hostname} was
run.
Thanks,
Naveen.
--
You received this message because you are subscribed to the Google Groups
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/b132068d-c699-40c3-b5f0-4a64d336bce7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Duplicate declaration problem
So, I am trying to do something with a list (array) of users from hieara.
Here is the yaml:
profile::sysconfig::sftp_users: [ joe, bill, nancy ]
In my profile I have a defined class debugUsers that I am calling with
the array I got from hiera:
class profile::sysconfig::sftpserver {
define debugUsers {
notify { username: \${user}\: }
}
class doWork {
$users = hiera('profile::sysconfig::sftp_users')
validate_array($users)
debugUsers { $users: }
}
include doWork
}
From everything I know and have read that should give me a notify line for
user in my array. But it doesn't. Instead I get this error from the agent:
Error: Could not retrieve catalog from remote server: Error 400 on SERVER:
Duplicate declaration: Notify[username: ] is already declared in file
/etc/puppetlabs/puppet/environments/r10k/dev_users/modules/profile/manifests/sysconfig/sftpserver.pp:5;
cannot redeclare at
/etc/puppetlabs/puppet/environments/r10k/dev_users/modules/profile/manifests/sysconfig/sftpserver.pp:5
Why am I getting duplicate null declarations? If I call out specific
elements of the array I get back exactly what I would expect:
class profile::sysconfig::sftpserver {
class doWork {
$users = hiera('profile::sysconfig::sftp_users')
validate_array($users)
notify { user1: \${users[0]}\: }
notify { user2: \${users[1]}\: }
notify { user3: \${users[2]}\: }
}
include doWork
}
returns this:
Notice: user1: joe
Notice: /Stage[main]/Profile::Sysconfig::Sftpserver::Dowork/Notify[user1:
joe]/message: defined 'message' as 'user1: joe'
Notice: user3: nancy
Notice: /Stage[main]/Profile::Sysconfig::Sftpserver::Dowork/Notify[user3:
nancy]/message: defined 'message' as 'user3: nancy'
Notice: user2: bill
Notice: /Stage[main]/Profile::Sysconfig::Sftpserver::Dowork/Notify[user2:
bill]/message: defined 'message' as 'user2: bill'
I am sure this is something really stupid, but can someone point out what
I'm doing wrong here?
Thanks,
--Sean
--
You received this message because you are subscribed to the Google Groups
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/4477ce95-b58e-4ead-80bc-5ae9ef0b5bda%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[Puppet Users] Re: Duplicate declaration problem
Found the problem. When passing an array to a define the default variable
name for the elements of the array is $name. This works:
define debugUsers {
validate_string($name)
notify { username: \${name}\: }
}
On Monday, April 21, 2014 11:31:52 AM UTC-6, Sean Korten wrote:
So, I am trying to do something with a list (array) of users from hieara.
Here is the yaml:
profile::sysconfig::sftp_users: [ joe, bill, nancy ]
In my profile I have a defined class debugUsers that I am calling with
the array I got from hiera:
class profile::sysconfig::sftpserver {
define debugUsers {
notify { username: \${user}\: }
}
class doWork {
$users = hiera('profile::sysconfig::sftp_users')
validate_array($users)
debugUsers { $users: }
}
include doWork
}
From everything I know and have read that should give me a notify line for
user in my array. But it doesn't. Instead I get this error from the agent:
Error: Could not retrieve catalog from remote server: Error 400 on SERVER:
Duplicate declaration: Notify[username: ] is already declared in file
/etc/puppetlabs/puppet/environments/r10k/dev_users/modules/profile/manifests/sysconfig/sftpserver.pp:5;
cannot redeclare at
/etc/puppetlabs/puppet/environments/r10k/dev_users/modules/profile/manifests/sysconfig/sftpserver.pp:5
Why am I getting duplicate null declarations? If I call out specific
elements of the array I get back exactly what I would expect:
class profile::sysconfig::sftpserver {
class doWork {
$users = hiera('profile::sysconfig::sftp_users')
validate_array($users)
notify { user1: \${users[0]}\: }
notify { user2: \${users[1]}\: }
notify { user3: \${users[2]}\: }
}
include doWork
}
returns this:
Notice: user1: joe
Notice: /Stage[main]/Profile::Sysconfig::Sftpserver::Dowork/Notify[user1:
joe]/message: defined 'message' as 'user1: joe'
Notice: user3: nancy
Notice: /Stage[main]/Profile::Sysconfig::Sftpserver::Dowork/Notify[user3:
nancy]/message: defined 'message' as 'user3: nancy'
Notice: user2: bill
Notice: /Stage[main]/Profile::Sysconfig::Sftpserver::Dowork/Notify[user2:
bill]/message: defined 'message' as 'user2: bill'
I am sure this is something really stupid, but can someone point out what
I'm doing wrong here?
Thanks,
--Sean
--
You received this message because you are subscribed to the Google Groups
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/cee17fb4-89ae-4a4c-a4af-c7a34c47b0f1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] Re: Puppet master does not start
On 29 October 2013 09:31, josec.r...@gmail.com wrote: # id uid=0(root) gid=0(root) groups=0(root),503(puppet) Why have you added the root user to the group puppet? puppetmaster normally runs using the puppet user in the puppet group. What groups is your 'puppet' user part of? Here's mine: # id puppet uid=52(puppet) gid=52(puppet) groups=52(puppet) Sean -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CADg9O%2BOhq7ZGOLrKPN4D1VoUNL354U4F82XMyxOjigg888nDRw%40mail.gmail.com. For more options, visit https://groups.google.com/groups/opt_out.
[Puppet Users] FreeBSD / Puppet 3.3.1 problem
I just upgraded my Puppet master from 3.1 to 3.3.1. It is running via
Passenger on FreeBSD.In manifests/default.pp, I have:
Package {
provider = portupgrade,
}
This used to work just fine, but is now throwing errors. On the clients, I
see:
Error: Could not retrieve catalog from remote server: Error 400 on SERVER:
Invalid parameter provider at
/usr/local/etc/puppet/env/production/modules/portupgrade/manifests/init.pp:10
on node client
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
On the server, I can get more interesting errors with `puppet master
--compile`:
smkelly@server:~$ sudo puppet master --compile client
Error: Could not autoload puppet/provider/package/freebsd: undefined method
`intern' for Puppet::Util::Package:Module
Error: Could not autoload puppet/type/package: Could not autoload
puppet/provider/package/freebsd: undefined method `intern' for
Puppet::Util::Package:Module
Error: Could not autoload puppet/type/package: Could not autoload
puppet/provider/package/freebsd: undefined method `intern' for
Puppet::Util::Package:Module on node client
Error: Could not autoload puppet/type/package: Could not autoload
puppet/provider/package/freebsd: undefined method `intern' for
Puppet::Util::Package:Module on node client
Could not autoload puppet/type/package: Could not autoload
puppet/provider/package/freebsd: undefined method `intern' for
Puppet::Util::Package:Module on node client
Any ideas? My ruby force is weak. Also, I need to manually set the
provider to portupgrade, as without it it tries to use the pkg_* tools
which I do not want.
Versions:
puppet-3.3.1
rubygem-facter-1.6.18_2
Master OS: FreeBSD 9.0-RELEASE
Client OS: FreeBSD 9.1-RELEASE-p3
--
You received this message because you are subscribed to the Google Groups
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.
Re: [Puppet Users] Re: Resolving/ Expanding module puppet:/// URI in exec line
From the command line all works fine, only not from Puppet. BTW, I am not the only one with this complaint online on your forums and elsewhere, people complain that Tar works, but not UnTar. -S On 9/12/13 5:54 AM, Matthew Burgess wrote: On 11 September 2013 23:55, slafreni...@b-e-f.org mailto:slafreni...@b-e-f.org wrote: Ed, I am having trouble unzipping any tarball via Puppet. So I installed your module to see how you might have done it. It runs, it creates the javapath and copies the file... but I get the same error that I get on my modules... can I please ask how you made unzip work? I am on Ubuntu 10.4.1, and 2.6.4 (Puppet Enterprise 1.0). err: /Stage[main]/Apache-maven-v3/Exec[install_maven_v3]/returns: change from notrun to 0 failed: /bin/tar zxf /usr/local/java/apache-maven-3.0.3-bin.tar.gz returned 2 instead of one of [0] at /etc/puppetlabs/puppet/modules/apache-maven-v3/manifests/init.pp:18 What happens if you run '/bin/tar zxf /usr/local/java/apache-maven- 3.0.3-bin.tar.gz' from the command line? Additionally, you could change your manifest so that it executes 'pwd /bin/tar zxf /usr/local/java/apache-maven-3.0.3-bin.tar.gz' so that you can see what directory the contents of the file are being extracted to. My suspicion is that you're either extracting to the wrong directory, or the directory you're extracting to has incorrect permissions set on it or the tar file has incorrect permissions set on it. Regards, Matt. -- You received this message because you are subscribed to a topic in the Google Groups Puppet Users group. To unsubscribe from this topic, visit https://groups.google.com/d/topic/puppet-users/AlqzFLkTS28/unsubscribe. To unsubscribe from this group and all its topics, send an email to puppet-users+unsubscr...@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users. For more options, visit https://groups.google.com/groups/opt_out. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users. For more options, visit https://groups.google.com/groups/opt_out.
Re: [Puppet Users] Re: Puppet dashboard stuck pending jobs
I ran into this as a result of the output of failed deps on a yum install and had a couple jobs that just wouldn't go away. After fixing the condition creating the error I used /usr/bin/rake jobs:clear to clear out the delayed_job queue and everything was back to normal. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users. For more options, visit https://groups.google.com/groups/opt_out.
Re: [Puppet Users] Puppet runs extremly slow on 1 of 18 Windows Server
I ran into this same problem, and pe_compliance was the culprit-- took 120 seconds. Removing this class from the default group and re-running puppet made it run quickly again. On Monday, October 1, 2012 2:08:08 PM UTC-6, Josh Cooper wrote: On Mon, Sep 3, 2012 at 2:07 AM, David Schmitt da...@dasz.at javascript: wrote: On 03.09.2012 09:45, Jan Ziegler wrote: Hi, We have 18 Windows Server in the same environment. All Windows Server are build with an individual Windows Image, we created before, which means, that all Windows Machines have the same configuration except ip/mac address and hostname. 17 of those Windows Server run Puppet within 120 seconds per run. But one of those Server took 49 hours for the run...the second one wasn't faster. We already installed this machine from bottom up several times, to be sure, that this server has the same configuration as the other ones... but without success. The last lines before it takes some hours are: info: Loading facts in C:\.. and so on info: Loading facts in C:\.. and so on info: Caching catalog for windowstest.domain info: Applying configuration version '1346550140' Any idea why this machine is so slow? It uses the same puppet classes as the other 17 server. use --evaltrace to see which resources are evaluated. Maybe this gives you a hint what's happening. Since you seem to be pretty sure this is not a problem rooted in the machine itself, the attentions focuses on the environment: Perhaps there is an IP-collision with another device on the network? Perhaps the switchport is faulty? The underlying virtualisation has something fishy configured? The nameserver is acting up? etc. Good hunting, D. Did this issue get resolved? If not, what did --evaltrace show? Are you managing file owner and group? Josh -- Josh Cooper Developer, Puppet Labs -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users. For more options, visit https://groups.google.com/groups/opt_out.
Re: [Puppet Users] Trying to install a specific version of Java on Redhat
I should have added to my post that I've tried adding that 1: as well to
the ensure line with the same results.
Any other ideas?
I've tried this workaround:
exec { upgrade java:
command = yum -d 1 -e 1 upgrade
java-1.6.0-sun-1:1.6.0.39-1jpp.4.el5_9.x86_64
java-1.6.0-sun-devel-1:1.6.0.39-1jpp.4.el5_9.x86_64 -y,
path= /usr/bin/
}
...but it then runs every single time the puppet agent runs:
notice: /Stage[main]/Java/Exec[upgrade java]/returns: executed successfully
On Thursday, February 14, 2013 4:52:17 AM UTC-7, Felix.Frank wrote:
Hi,
please take note that
On 02/14/2013 02:32 AM, Sean LeBlanc wrote:
ensure = '1.6.0.39-1jpp.4.el5_9',notice:
...this version is unlike...
/Stage[main]/Java/Package[java-1.6.0-sun.x86_64]/ensure: ensure changed
'1.6.0.33-1jpp.1.el5_8' to '1:1.6.0.39-1jpp.4.el5_9'
...this version. Notice the leading 1:
HTH,
Felix
--
You received this message because you are subscribed to the Google Groups
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
[Puppet Users] Trying to install a specific version of Java on Redhat
I have a class that looks like this:
class java {
package { java-1.6.0-sun.x86_64:
ensure = '1.6.0.39-1jpp.4.el5_9',
}
}
...but it gives me this error:
err: /Stage[main]/Java/Package[java-1.6.0-sun.x86_64]/ensure: change from
1.6.0.33-1jpp.1.el5_8 to 1.6.0.39-1jpp.4.el5_9 failed: Could not update:
Failed to update to version 1.6.0.39-1jpp.4.el5_9, got version
1.6.0.33-1jpp.1.el5_8 instead at
/etc/puppet/modules/java/manifests/init.pp:5
However, if I change the class to just use ensure = 'latest', it will do
this:
notice: /Stage[main]/Java/Package[java-1.6.0-sun.x86_64]/ensure: ensure
changed '1.6.0.33-1jpp.1.el5_8' to '1:1.6.0.39-1jpp.4.el5_9'
So I know it's possible for the upgrade to work, but I don't want puppet
arbitrarily installing whatever the latest is, I want to ensure it's that
version.
Any ideas?
--
You received this message because you are subscribed to the Google Groups
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
[Puppet Users] Unable to replace a symlink with regular file
I am running Puppet 2.7.x (x varies from 14 to 20 on different machines).
I am trying to use Puppet to deploy a new Zabbix agent configuration file.
On all machines where the file wasn't a symlink, the deployment worked.
However, every machine where it is a link, Puppet refuses to replace teh
link with a regular file or do anything with it.
I've read the type reference, and I see nothing specific about forcing
symlink replacement. I've looked at the source, and it seems like
remove_existing should be unlinking teh symlink ahead of my new file. But,
it isn't happening. Any suggestions on hwo to do this?
File {
backup = main,
owner = root,
group = $operatingsystem ? {
freebsd = wheel,
default = root,
},
mode = 644,
ensure = present,
}
class zabbix {
file {
'/usr/local/etc/zabbix':
ensure = 'directory';
'/usr/local/etc/zabbix/zabbix_agentd.conf':
content = template(zabbix/zabbix_agentd.conf.erb),
}
...
root@victor:~# ls -ld /usr/local/etc/zabbix/zabbix_agentd.conf
lrwxr-xr-x 1 root wheel 64 Dec 9 2011
/usr/local/etc/zabbix/zabbix_agentd.conf -
/usr/local/flightaware/monitor-scripts/zabbix/zabbix_agentd.conf
root@victor:~# puppet agent --test --debug --color=no | grep
zabbix_agentd.conf 21
debug: /Stage[main]/Zabbix/Service[zabbix_agentd]/subscribe: subscribes to
File[/usr/local/etc/zabbix/zabbix_agentd.conf]
debug: /Stage[main]/Zabbix/File[/usr/local/etc/zabbix/zabbix_agentd.conf]:
Autorequiring File[/usr/local/etc/zabbix]
debug:
/Stage[main]/Zabbix/File[/usr/local/etc/zabbix/zabbix_agentd.conf]/mode:
Not managing symlink mode
Thanks!
--
You received this message because you are subscribed to the Google Groups
Puppet Users group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/mw3dMbd96TkJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Unable to replace a symlink with regular file
I've tried that as well. It doesn't work.
On Monday, January 21, 2013 12:34:00 PM UTC-6, Gary Larizza wrote:
You should be able to add force = true and get this to work for you
On Monday, January 21, 2013 at 9:19 AM, Sean Kelly wrote:
I am running Puppet 2.7.x (x varies from 14 to 20 on different machines).
I am trying to use Puppet to deploy a new Zabbix agent configuration file.
On all machines where the file wasn't a symlink, the deployment worked.
However, every machine where it is a link, Puppet refuses to replace teh
link with a regular file or do anything with it.
I've read the type reference, and I see nothing specific about forcing
symlink replacement. I've looked at the source, and it seems like
remove_existing should be unlinking teh symlink ahead of my new file. But,
it isn't happening. Any suggestions on hwo to do this?
File {
backup = main,
owner = root,
group = $operatingsystem ? {
freebsd = wheel,
default = root,
},
mode = 644,
ensure = present,
}
class zabbix {
file {
'/usr/local/etc/zabbix':
ensure = 'directory';
'/usr/local/etc/zabbix/zabbix_agentd.conf':
content = template(zabbix/zabbix_agentd.conf.erb),
}
...
root@victor:~# ls -ld /usr/local/etc/zabbix/zabbix_agentd.conf
lrwxr-xr-x 1 root wheel 64 Dec 9 2011
/usr/local/etc/zabbix/zabbix_agentd.conf -
/usr/local/flightaware/monitor-scripts/zabbix/zabbix_agentd.conf
root@victor:~# puppet agent --test --debug --color=no | grep
zabbix_agentd.conf 21
debug: /Stage[main]/Zabbix/Service[zabbix_agentd]/subscribe: subscribes to
File[/usr/local/etc/zabbix/zabbix_agentd.conf]
debug: /Stage[main]/Zabbix/File[/usr/local/etc/zabbix/zabbix_agentd.conf]:
Autorequiring File[/usr/local/etc/zabbix]
debug:
/Stage[main]/Zabbix/File[/usr/local/etc/zabbix/zabbix_agentd.conf]/mode:
Not managing symlink mode
Thanks!
--
You received this message because you are subscribed to the Google Groups
Puppet Users group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/mw3dMbd96TkJ.
To post to this group, send email to puppet...@googlegroups.comjavascript:
.
To unsubscribe from this group, send email to
puppet-users...@googlegroups.com javascript:.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
--
You received this message because you are subscribed to the Google Groups
Puppet Users group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/uzMEDywYxD8J.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Unable to replace a symlink with regular file
That worked, thanks! I didn't realize file was even a valid setting for
ensure.
notice:
/Stage[main]/Zabbix/File[/usr/local/etc/zabbix/zabbix_agentd.conf]/ensure:
defined content as '{md5}6b3491d534f04c4eea426b9cf83e637d'
info: /Stage[main]/Zabbix/File[/usr/local/etc/zabbix/zabbix_agentd.conf]:
Scheduling refresh of Service[zabbix_agentd]
notice: /Stage[main]/Zabbix/Service[zabbix_agentd]: Triggered 'refresh'
from 1 events
notice: Finished catalog run in 5.32 seconds
Again, thanks!
On Monday, January 21, 2013 4:11:18 PM UTC-6, Gary Larizza wrote:
Have you tried explicitly setting the ensure value - a la ensure = file
- on the files that might exist as symlinks? I tested this out locally and
was able to get Puppet to overwrite a symlink with a file declaration.
On Monday, January 21, 2013 at 11:31 AM, Sean Kelly wrote:
I've tried that as well. It doesn't work.
On Monday, January 21, 2013 12:34:00 PM UTC-6, Gary Larizza wrote:
You should be able to add force = true and get this to work for you
On Monday, January 21, 2013 at 9:19 AM, Sean Kelly wrote:
I am running Puppet 2.7.x (x varies from 14 to 20 on different machines).
I am trying to use Puppet to deploy a new Zabbix agent configuration file.
On all machines where the file wasn't a symlink, the deployment worked.
However, every machine where it is a link, Puppet refuses to replace teh
link with a regular file or do anything with it.
I've read the type reference, and I see nothing specific about forcing
symlink replacement. I've looked at the source, and it seems like
remove_existing should be unlinking teh symlink ahead of my new file. But,
it isn't happening. Any suggestions on hwo to do this?
File {
backup = main,
owner = root,
group = $operatingsystem ? {
freebsd = wheel,
default = root,
},
mode = 644,
ensure = present,
}
class zabbix {
file {
'/usr/local/etc/zabbix':
ensure = 'directory';
'/usr/local/etc/zabbix/zabbix_agentd.conf':
content = template(zabbix/zabbix_agentd.conf.erb),
}
...
root@victor:~# ls -ld /usr/local/etc/zabbix/zabbix_agentd.conf
lrwxr-xr-x 1 root wheel 64 Dec 9 2011
/usr/local/etc/zabbix/zabbix_agentd.conf -
/usr/local/flightaware/monitor-scripts/zabbix/zabbix_agentd.conf
root@victor:~# puppet agent --test --debug --color=no | grep
zabbix_agentd.conf 21
debug: /Stage[main]/Zabbix/Service[zabbix_agentd]/subscribe: subscribes to
File[/usr/local/etc/zabbix/zabbix_agentd.conf]
debug: /Stage[main]/Zabbix/File[/usr/local/etc/zabbix/zabbix_agentd.conf]:
Autorequiring File[/usr/local/etc/zabbix]
debug:
/Stage[main]/Zabbix/File[/usr/local/etc/zabbix/zabbix_agentd.conf]/mode:
Not managing symlink mode
Thanks!
--
You received this message because you are subscribed to the Google Groups
Puppet Users group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/mw3dMbd96TkJ.
To post to this group, send email to puppet...@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
--
You received this message because you are subscribed to the Google Groups
Puppet Users group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/uzMEDywYxD8J.
To post to this group, send email to puppet...@googlegroups.comjavascript:
.
To unsubscribe from this group, send email to
puppet-users...@googlegroups.com javascript:.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
--
You received this message because you are subscribed to the Google Groups
Puppet Users group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/CI6dzpN2iKEJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
[Puppet Users] Strange issue with create_resources and exec 'command' parameter
Hi.
I've done some googling, and did find something sort of similar in a
bug report (see http://projects.puppetlabs.com/issues/16082 and the
second to last update -- but as I created this post, I realize it's
almost certainly not related at all).
In a bunch of narrowing, I've found that apparently when you create
the resources using create_resources for the built-in type 'exec',
it completely ignores that 'command' argument. Here's that test:
foo.pp:
$other = {
'/bin/false' = { command = '/bin/echo hello', },
}
create_resources('exec', $other)
And the output from puppet apply foo.pp:
err: /Stage[main]//Exec[/bin/false]/returns: change from notrun to 0
failed: /bin/false returned 1 instead of one of [0]
notice: Finished catalog run in 0.29 seconds
Note that though the resource is created with a title of '/bin/false'
(according to the docs on puppetlabs.com), with the parameter
command set to '/bin/echo hello'. However, /bin/false is executed.
The command is NOT ignored if the resource is instantiated outside of
the create_resources() function:
foo.pp:
exec { '/bin/false':
command = '/bin/echo hello'
}
And the output from puppet apply foo.pp:
notice: /Stage[main]//Exec[/bin/false]/returns: executed successfully
notice: Finished catalog run in 0.32 seconds
In this case, the title is /bin/false, but the echo is called (or
true, or whatever you want to run).
Am I missing something, or is this a bug? It's an odd one as well,
because I *really* want to create titles that are arbitrary names, and
specify a command. Fortunately, the 'name' parameter, which is used
instead of 'command' if 'command' is not found, works.
Thanks for any help.
Sean
--
You received this message because you are subscribed to the Google Groups
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Service Resources and Selinux
Tom,
It seems like having that as a parameter in the service type might be a
good idea worthy of at least some further discussion. Want to open a
feature request in Redmine to track it? I might (eventually) take a stab
at adding support for it.
Sean
On Wed, 2012-10-10 at 09:01 +0100, Tom wrote:
Well, I've decided on a very simple way of doing this,
# Keep it running
service { mysqld:
ensure = running,
start = runcon -u system_u /etc/init.d/mysqld start,
hasrestart = false,
require= [ Package[mysql-server], File[$mysqldirs], ],
}
so, it starts under the correct selinux user context, and then using
restart on the init script is disabled so that it makes use of the start
command when doing a restart.
Not sure if this would be something that would make a good resource flag?
Many thanks. Tom.
On 10/10/12 07:55, Tom wrote:
Hi,
Thanks for the response. Really, I think the way I'm approaching this
is thinking about starting mysqld under the right selinux user context
so that it doesn't label its own files incorrectly. Every time a
database or table is created, MySQL will be creating it under the
wrong user context, and selinux will then go and reset it back.
I think maybe a wrapper script using runcon which invokes the mysqld
service under the correct context is going to be the way to go.
Really though, I'd hoped that puppet had some kind of provision for
starting services with the correct user context!
Just wondering if anyone else has had the same issue in the past, or
do they just ignore all those seluser notifications? :-)
Many thanks. Tom.
On 10/10/12 01:50, Peter Brown wrote:
You need to add a require to the service for the config files you are
managing.
I find the best way to do that is put all the config files in a config
subclass and then require that in in the service.
On 10 October 2012 01:02, Tomt...@t0mb.net wrote:
Hi list,
I've got an issue at the moment, which isn't really a big problem,
but an
untidy annoyance really, and I'd just like to understand what the best
practice might be when dealing with the issue.
As a really quick summary, the issue is that Puppet is starting up the
mysqld service for the first time as unconfined_u, and then when
MySQL goes
and creates a load of its initial files also as unconfined_u, Puppet
goes
and resets them all to system_u which is what they should be when
checking
matchpathcon:
The thing is, because the service is started as unconfined_u, any
databases/tables that are created are going to inherit that, and
puppet is
going to be resetting them.
For some more detail, I've written something which will set the
mysqld_db_t
selinux file_context on my data directories which are in /home, and
I have a
notify which will go and check and re-set the selinux file_context
if there
are any changes in these directories. They're set to recurse, so to
stop
Puppet changing things from unconfined_u to system_u on a regular
basis, and
sending refresh notices to my Exec resources, I've set
selinux_ignore_defaults to true in my File resources.
This strikes me as a bit of a dirty way of doing things, and I was
wondering
if anyone had any better ideas of how to manage this.
Please find below a sample of the relevant code - because I'm sure my
verbose description is probably leaving some people scratching their
heads!
:) I was going to make the file_context stuff much more re-usable,
but want
to get my head around the best practices first - as I'm not that
experiened
with all of this stuff to be honest!
Many thanks. Tom.
# List of directories we're going to use with MySQL
$mysqldirs = [ /home/data, /home/logs, /home/mysqltmp, ]
# Set SELinux contexts
define add_selinux_context ($context = mysqld_db_t) {
file { $name:
ensure = directory,
owner = mysql,
group = mysql,
seltype = mysqld_db_t,
selinux_ignore_defaults = true,
recurse = true,
require = Package[mysql-server],
notify = [ Exec[add_file_context_${context}_${name}],
Exec[set_file_context_${context}_${name}], ],
}
# Set the default file_context regex for the path
exec { add_file_context_${context}_${name}:
command = semanage fcontext -a -t ${context}
\${name}(/.*)?\,
unless = semanage fcontext -l | grep
'^${name}(/.*)?:${context}:',
require = [ Package[policycoreutils-python], File[$name], ],
refreshonly = true,
}
# Reset the file_context using restorecon
exec { set_file_context_${context}_${name}:
command = restorecon -R ${name},
unless = ls -d --scontext ${name} | awk -F: '{print \$3}'
| grep
\${context}\,
require = File[$name
[Puppet Users] Starting service as non root user with puppet
Hi, I have an ubuntu system with some of our own services on it. I prefer to run these services as a non-root user. I can control the services using upstart as a non root user and can start and stop the service using initctl without any problems. I'm trying to use puppet to start and stop these services; however, it's not obvious if it is possible. A suboptimal approach appears to be one in which I create a service.conf file in /etc/init - this service.conf file can su to the user and run the service. I think this is suboptimal, as it's not working with the user level control mechanisms that have already been designed into upstart. So I'm wondering if there is any way to instruct puppet to automatically become a specific user before starting a specific service (presumably using initctl in the case of ubuntu). Thoughts/pointers appreciated. BR, Seán. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Override a file{} directive - is it possible?
This has been extremely useful in my environment when importing the odd 'unique snowflake' type server quickly without having to make any code/logic changes or introduce large numbers of ENC values to disable certain functionality or alter the flow of your puppet code. Yes. Puppet doesn't seem to deal with snowflakes well, thanks for sharing this. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Override a file{} directive - is it possible?
It's not really the cleanest-looking thing, but the easiest option for
your particular case is to wrap the file resource in an if statement
like this:
if (! $::security_limits_disabled) {
file { '/etc/security/limits.conf':
...
}
}
Super, thanks Martin!
--
You received this message because you are subscribed to the Google Groups
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Override a file{} directive - is it possible?
It's not really the cleanest-looking thing, but the easiest option for
your particular case is to wrap the file resource in an if statement
like this:
if (! $::security_limits_disabled) {
file { '/etc/security/limits.conf':
...
}
}
Thanks, this is just what I was looking for.
--
You received this message because you are subscribed to the Google Groups
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
[Puppet Users] Override a file{} directive - is it possible?
Maybe one of you can help with this. I have a class that's got a
file{} type directive in it. It populates /etc/security/limits.conf
with specific settings. I have a small handful of hosts where we want
to manage /etc/security/limits.conf manually. Is there a simple way
to tell puppet to exclude this file type just on those hosts, without
copying the entire class?
--
You received this message because you are subscribed to the Google Groups
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Override a file{} directive - is it possible?
You don't say what version of puppet you're using, whether you're using
an ENC, or whether you're already using either extlookup() or hiera(),
so it's really difficult to suggest something that integrates well with
your current environment.
Sorry I didn't provide more detail. We're using puppet 2.6.13. We
have a single *.pp config file for each and every host, so specifying
additional classes is not hard to do on a host-per-host basis. Here's
the limits.conf config from the class that has been applied to these
hosts:
file { /etc/security/limits.conf:
owner = root,
group = root,
mode= 644,
content =
#domain\t\ttype\t\titem\t\tvalue\n*\t\t-\t\tnofile\t\t65000\n*\t\t-\t\tnproc\t\t14\n*\t\thard\t\tcore\t\tunlimited\ncdc-dev\t\t-\t\tpriority\t\t15\nhtc\t\t-\t\tnofile\t\t25\n;
}
Basically I just want this file type to not be active on three
hosts. I don't need to be able to detect the hosts, as I can specify
the config manually in each of their config files.
--
You received this message because you are subscribed to the Google Groups
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Re: Announce: PuppetDB 0.9.0 (first release) is available
On Wed, 2012-05-23 at 06:24 -0700, jcbollinger wrote: That understanding of storeconfigs looks right, but I think the criticism is misplaced. It is not Deepak's line of thinking that is dangerous, but rather the posited strategy of purging (un)collected resources. Indeed, I rate resource purging as a bit dangerous *any* way you do it. Moreover, the consequences of a storeconfig DB blowing up are roughly the same regardless of the DBMS managing it or the middleware between it an the Puppetmaster. I don't see how the existence of that scenario makes PuppetDB any better or worse. Indeed, it *is* dangerous, but so are many things we do as system administrators. The key is in gauging the risk and then choosing the right path accordingly. In my environment I am not always able to know the complete history of resources as changes may come from unexpected places. It is less than ideal, but it is one aspect of my reality. In that situation, the selective use of purging becomes quite key in keeping things that need to be cleaned up cleaned up. I don't put anything in exported resources with purging that would be capable of bringing down a production application, thankfully, but there is quite a bit that could quite possibly cause a variety of headaches, alerts, and tickets on a massive scale for a while during the reconvergence. In additioanl, we are in a transition to PE and the Compliance tool will allow me another way of handling that in a more manual admin-review approach (to catch resources that get added outside of Puppet's knowledge). What I really need is some tool by which I can mark exported resources as absent instead of purging them from the database when they are no longer needed (such as deleting a host). That would eliminate most, if not all, of the intersections of purging and exported resources that I have. Right now I use a Ruby script I found quite a while back to delete removed nodes and all of their data. I'm sure there is a way to mark the resources as ensure = absent instead, but I've not gone digging into the DB structure. If you cannot afford to wait out a repopulation of some resource, then you probably should not risk purging its resource type. If you do not purge, then a storeconfig implosion just leaves your resources unmanaged. If you choose to purge anyway then you need to understand that you thereby assume some risk in exchange for convenience; mitigating that risk probably requires additional effort elsewhere (e.g. DB replication and failover, backup data center, ...). Indeed, as I said above, it is about risk management. Deepak's statement I had responded to wasn't the first time I had read the oh, just wait for it to repopulate statement and I wanted to be certain that wasn't actually something that was considered in the design with regards to updates, etc. on the stability of the storeconfigs data. At some point you have to trust tools that have earned that trust (either via testing or real world use or both) to do the job that they say they are going to do. Puppet has years of earning that trust with me. Could something corrupt and destroy the database and cause me a lot of trouble? Sure, but that could be said of many tools. That's why we have backups, DR systems, etc. even though the in the now when it fails can be painful as heck. However, as long as Puppet Labs is designing it to be dependable and upgrade-safe (which it sounds like they are) then I'll continue to trust it (with prudent testing, of course) because they've earned it. Sean -- You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Re: Announce: PuppetDB 0.9.0 (first release) is available
On Mon, 2012-05-21 at 15:39 -0600, Deepak Giridharagopal wrote:
1) The data stored in PuppetDB is entirely driven by puppetmasters
compiling catalogs for agents. If your entire database exploded and
lost all data, everything will be 100% repopulated within around
$runinterval minutes.
I think that this is a somewhat dangerous line of thinking. Please
correct me if my understanding of storedconfigs are wrong, but if I am
managing a resource with resources { 'type': purge = true } (or a
purged directory populated file resources) and any subset of those
resources are exported resources then, if my entire database exploded,
would I not have Puppet purging resources that haven't repopulated
during this repopulation time? They would obviously be replaced, but if
those were critical resources (think exported Nagios configs, /etc/hosts
entries, or the like) then this could be a really big problem.
To me storedconfigs are one of the killer features in Puppet. We are
using them for a handful of critical things and I plan to only expand
their use. I'm glad that Puppet Labs is focusing some attention on them,
but this attitude of we can wait out a repopulation has me worried.
Again, maybe I'm misunderstanding how purging with exported resources
actually works, but my experience has been that if you clear the
exported resource from the database so goes the exported record in a
purge situation.
In a slightly different vein, does PuppetDB support a cluster or HA
configuration? I assume at least active/passive must be okay. Any
gotchas to watch for?
Thanks,
Sean
--
You received this message because you are subscribed to the Google Groups
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Re: Puppet Sites. Your thoughts?
On Fri, 2012-05-11 at 09:39 -0700, Daniel Sauble wrote: Another problem is that if you move services around, you have to update puppet.conf on all nodes that use that service. For example, if you migrate your master to a new host, you have to update puppet.conf on every agent that uses that master. What Puppet Sites provides is a service registry that allows you to store this information in a central location. Your agents retrieve service connection information from the service registry. So, if your master switches to a different host, all you need do is update the host in the service registry, and all your agents will pick up that change automatically. Daniel, Sorry for chiming in late, but I'm just catching up on this discussion. I didn't see explicit mention of it one way or the other, but I would hope that whatever mechanism you are using for the service registry will support some type of inheritance mechanism for assigning the configuration settings at fairly arbitrary levels/grouping and not just globally with per-host overrides. At $WORK we are a multi-tenant environment and differing customer needs mean that there is a potential for potentially significant Puppet configuration variances from environment to environment. For instance, one customer may have their own Puppetmaster environment for catalogs/files, but share the common CA, while most other customers use a shared set of Puppetmasters. We have created a $customer variable within Puppet (available with every host) that we use with Hiera to select out any per-customer settings. We aren't currently but may even select Puppetmasters based on datacenter (so, $customer and $datacenter as either/or selectors with a likely global default). Having to manage customer-wide variances per-host would quickly get pretty unmanageable. Right now our puppet.conf files are generated via templates (with data pulled from Hiera) and deployed by Puppet to take into account any variances. I like the Sites concept, but it would have to account for a similarly high degree of flexibility to be something we'd be able to use. Thanks, Sean -- You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
[Puppet Users] Re: Puppet Certificate's
Gary, thanks very much for that. I got that to work as I wanted after a bit of fighting with other issues of my own creation. So I am very grateful to you for your help. If you ever in Dublin, Ireland. Look me up, I owe you a favor so I'm willing to pay back, within reason of course. Best Sean On Apr 12, 5:21 pm, Gary Larizza g...@puppetlabs.com wrote: Hey Guys, Let me try to step through this one step at a time. I recommend downloading one of our VMs that we host for testing puppet (I'm using the VM we use for training located here --http://downloads.puppetlabs.com/training/puppet-vmware.zipbut there's also one for VirtualBox too --http://downloads.puppetlabs.com/training/puppet-vbox.zip) to test this setup. If you do that, make sure DNS and networking are working (So, setup host entries on your laptop for each VM, setup the hostname and FQDN ON EACH VM, and make sure each VM can ping the VM Master). I'm using three VMs (a master and two agents): nodemaster.puppetlabs.vm, node1.puppetlabs.vm, and node2.puppetlabs.vm. Once DNS resolves and is working, setup Puppet on the master FIRST, and then setup the remaining nodes as agents. Again, I recommend using the VMs and using Puppet Enterprise because it makes it MUCH EASIER to setup Puppet - just use the puppet-enterprise-installer script (once you get the process of using a single cert and multiple node_names DOWN, THEN you can start on some actual machines). Now we can start customizing Puppet. There are a couple of key steps that need to be taken since we're shipping around a single cert for all machines: 1. When you stand up a PE Agent, it's going to contact the master and setup a Certificate Signing Request. Because of this, go to the master node's $ssldir (which, on Puppet Enterprise, is /etc/puppetlabs/puppet/ssl. If you want to find the $ssldir on YOUR master, just run `puppet config print ssldir` and it will print it out for you) and remove the CSRs that are in the ca/requests/ directory (they should be named after your nodes). 2. Next, lets generate the single certificate that will be shopped around. You will need to use the same 'certname' on every node. This is the name of the node as SSL is aware (in my case I'm using 'macs.puppetlabs.vm'). Do this by doing `puppet cert generate macs.puppetlabs.vm` on your MASTER machine. The master will generate the certs and your $ssldir will look something like this: ssl |-- ca | |-- ca_crl.pem | |-- ca_crt.pem | |-- ca_key.pem | |-- ca_pub.pem | |-- inventory.txt | |-- private | | `-- ca.pass | |-- requests | |-- serial | `-- signed | |-- macs.puppetlabs.vm.pem | |-- nodemaster.puppetlabs.vm.pem | |-- pe-internal-broker.pem | |-- pe-internal-dashboard.pem | |-- pe-internal-mcollective-servers.pem | |-- pe-internal-peadmin-mcollective-client.pem | `-- pe-internal-puppet-console-mcollective-client.pem |-- certificate_requests |-- certs | |-- ca.pem | |-- macs.puppetlabs.vm.pem | |-- nodemaster.puppetlabs.vm.pem | |-- pe-internal-broker.pem | |-- pe-internal-mcollective-servers.pem | |-- pe-internal-peadmin-mcollective-client.pem | `-- pe-internal-puppet-console-mcollective-client.pem |-- crl.pem |-- private |-- private_keys | |-- macs.puppetlabs.vm.pem | |-- nodemaster.puppetlabs.vm.pem | |-- pe-internal-broker.pem | |-- pe-internal-mcollective-servers.pem | |-- pe-internal-peadmin-mcollective-client.pem | `-- pe-internal-puppet-console-mcollective-client.pem `-- public_keys |-- foo.puppetlabs.vm.pem |-- macs.puppetlabs.vm.pem |-- nodemaster.puppetlabs.vm.pem |-- pe-internal-broker.pem |-- pe-internal-mcollective-servers.pem |-- pe-internal-peadmin-mcollective-client.pem `-- pe-internal-puppet-console-mcollective-client.pem 3. There are three files you need to collect on your master and ship around to all of your nodes. They are ALL in the $ssldir, so these paths are relative to THAT directory. The three files are: - $ssldir/private_keys/macs.puppetlabs.vm.pem on the master - gets copied to the agent's $ssldir/private_keys directory - $ssldir/public_keys/macs.puppetlabs.vm.pem on the master - gets copied to the agent's $ssldir/public_keys directory - $ssldir/ca/signed/macs.puppetlabs.vm.pem on the master - gets copied to the agent's $ssldir/certs directory 4. You need to modify /etc/puppetlabs/puppet/auth.conf on the master so every node can access the find action on the catalog REST endpoint for the master (i.e. The Mac nodes can get their catalog). Look for this stanza in auth.conf: # allow nodes to retrieve their own catalog (ie their configuration) path ~ ^/catalog/([^/]+)$ method find allow $1 Add the following line under 'allow $1': (Remember that I'm using the certname
[Puppet Users] Re: Puppet Certificate's
Gary,
Thanks very much for getting back to me on this. While I have been
researching Puppet for our Mac fleet I have used a lot of the very
useful information you have published about this so thank you very
much for that.
In regards your response. Firstly, apologies for my lack of knowledge
in this matter and any help that can be provided will be very much
appreciated.
I am interested in #3 and am having looking at it now but the
following are some of the things that have crossed my mind
The private cert to distribute to the client nodes, which one from the
master is it? There are a few there and I cannot tell which one it is
and where does it go on the client?
Is there any other configuration that is needed on the master?
In the clients /etc/puppet/puppet.conf file would the following
configuration be correct for this approach.
[puppetd]
node_name_fact = hostname
node_name_value = certname # i.e. the one from the server
Is this correct?
Thats it for now, I'm going to stay playing around with this and see
where I can get but any help and guidance that anyone can provide will
be very much appreciated.
Regards
Sean
On Apr 11, 5:32 pm, Gary Larizza g...@puppetlabs.com wrote:
Hey Sean,
First - congrats on wrangling your Macs with Puppet! Next, I understand and
have shared your pain regarding timely imaging of workstations and Puppet
cert-wrangling. Generally, I've seen folks do one of a couple of things:
1. Autosign
2. Utilize a CGI script to sign/revoke certs on the master (which can
largely be replaced through the use of the `puppet cert` face)
3. Use the same private key everywhere and change the individual
node_name
Numbers 1 and 2 are largely process around signing individual certs for
every node. You COULD even backup the $ssldir on your clients, image the
machine, install puppet, restore the $ssldir, and then run Puppet again and
Puppet will work fine for your clients.
Number 3 is a bit different. With #3, you would have the SAME private cert
for EVERY node in your infrastructure. Because of this, the certname must
be THE SAME for every node. When you do this, however, Puppet treats every
node as if it were the SAME node - so you need a way to de-couple the name
of the node as Puppet knows it with the name of the node as the Certificate
knows it. The solution is the 'node_name_fact' and 'node_name_value'
configuration item in puppet.conf
--http://docs.puppetlabs.com/references/stable/configuration.html#noden...
You would essentially ship the private cert around to EVERY node, set
the
node_name_{fact,value} in puppet.conf, and then Puppet would treat each
machine as a separate node (even though the certificate is the same
everywhere). Obviously there are security implications for this, but some
people prefer it to Autosigning.
Hopefully, this should help you on your way.
On Wed, Apr 11, 2012 at 8:31 AM, Sean McGrath seanc.mcgr...@gmail.comwrote:
Firstly my apologies for posting this if it has been answered
elsewhere and I missed it while looking.
I'm starting to look at using Puppet to manage our fleet of Mac's
running OS X in our lab environment and I'm quite impressed with it
from my testing so far.
I have tested the functionality of the autosign.conf file with the
hostnames of the trusted clients in it.
However, if I re-image one of the Mac's as we occasionally do that
destroys the client certificate that it uses for the puppetca request.
Thus the puppet master see's a request with a different certificate
from a node with a hostname that has had its trust relationship
established with a different certificate.
This is probably a noob question but I haven't been able to figure it
out. How do I get around this in an automated manner. I don't want to
have to revoke certificates each time I re-image a Mac so they can be
re-trusted by the puppet master. Is there something like a root
certificate I could build into the image to establish the trust
relationship easily and securely each time a Mac is re-imaged?
many thanks
Sean
--
You received this message because you are subscribed to the Google Groups
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
--
Gary Larizza
Professional Services Engineer
Puppet Labs
--
You received this message because you are subscribed to the Google Groups
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
[Puppet Users] Puppet Certificate's
Firstly my apologies for posting this if it has been answered elsewhere and I missed it while looking. I'm starting to look at using Puppet to manage our fleet of Mac's running OS X in our lab environment and I'm quite impressed with it from my testing so far. I have tested the functionality of the autosign.conf file with the hostnames of the trusted clients in it. However, if I re-image one of the Mac's as we occasionally do that destroys the client certificate that it uses for the puppetca request. Thus the puppet master see's a request with a different certificate from a node with a hostname that has had its trust relationship established with a different certificate. This is probably a noob question but I haven't been able to figure it out. How do I get around this in an automated manner. I don't want to have to revoke certificates each time I re-image a Mac so they can be re-trusted by the puppet master. Is there something like a root certificate I could build into the image to establish the trust relationship easily and securely each time a Mac is re-imaged? many thanks Sean -- You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Corrupted inventory.txt - how to rebuild?
0x is typically the CA cert, was the inventory.txt file blank when this occurred? If you have all the certificates, you can use puppet cert -pa and extract the serial number, date, and CN info. I'm not sure if there's an automated way using openssl commands. This might be reasonably close (output should be sorted by serial number): Here's the problem as I understand it. We have several puppetmaster servers, due to the large number of clients and networks that need to be supported. We synchronize SSL certs between load balanced hosts using rsync. Somehow or other we occasionally end up getting a host in the inventory.txt file with 0x serial number. Unfortunately this seems to reset the counter and new hosts will end up with duplicate serials to other hosts previously listed in the file. How do you all handle load balancing and certificate management? Is there a way to have a master authority cert server, that all the other nodes turn to for all things SSL? -- You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
[Puppet Users] Corrupted inventory.txt - how to rebuild?
We have an issue where sometimes servers get assigned serial number 0x in the inventory.txt file. This causes major problems including SSL cert errors in the log file. Anyone know how to properly rebuild inventory.txt without tearing everything out and starting from scratch? -- You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] undefined method `initvars'
On Tue, Jul 26, 2011 at 11:44 AM, Tony G. tony...@gmail.com wrote: Try enabling debug and trace on your agent, that will provide more details. Ok, we gave this a shot. Here's the output with --debug and --trace turned on: /var/lib/puppet/lib/puppet/type/package.rb:316:in `initialize' /usr/lib/ruby/site_ruby/1.8/puppet/resource.rb:172:in `new' /usr/lib/ruby/site_ruby/1.8/puppet/resource.rb:172:in `to_ral' /usr/lib/ruby/site_ruby/1.8/puppet/resource/catalog.rb:569:in `send' /usr/lib/ruby/site_ruby/1.8/puppet/resource/catalog.rb:569:in `to_catalog' /usr/lib/ruby/site_ruby/1.8/puppet/resource/catalog.rb:547:in `each' /usr/lib/ruby/site_ruby/1.8/puppet/resource/catalog.rb:547:in `to_catalog' /usr/lib/ruby/site_ruby/1.8/puppet/resource/catalog.rb:473:in `to_ral' /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:119:in `convert_catalog' /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:114:in `retrieve_catalog' /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:142:in `run' /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run' /usr/lib/ruby/site_ruby/1.8/puppet/agent/locker.rb:21:in `lock' /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run' /usr/lib/ruby/1.8/sync.rb:229:in `synchronize' /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run' /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:134:in `with_client' /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:51:in `run' /usr/lib/ruby/site_ruby/1.8/puppet/application/puppetd.rb:103:in `onetime' /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `send' /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `run_command' /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run' /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:306:in `exit_on_fail' /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run' /usr/sbin/puppetd:160 err: Could not run Puppet configuration client: undefined method `initvars' for #Puppet::Type::Package:0x2ba48168 -- You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
[Puppet Users] undefined method `initvars'
We are seeing this error in our log files on some clients: puppetd[15068]: Could not run Puppet configuration client: undefined method `initvars' for #Puppet::Type::Package:0x2bbb4858 Where do I begin troubleshooting this? The client software versions are: ruby-1.8.5-5.el5_4.8.x86_64 ruby-libs-1.8.5-5.el5_4.8.x86_64 ruby-shadow-1.4.1-7.el5.x86_64 facter-1.5.8-1.el5.noarch ruby-augeas-0.4.1-1.el5.x86_64 puppet-0.25.5-1.el5.noarch And the server is running puppet 2.6.7. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Over-riding changes in modules and classes
You can just create a new class that inherits your previous class and then overwrites the File[] you declared before and use that only on the new machines. Will this also work with an augeas entry with a changes [] section? -- You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
[Puppet Users] OS X package management
Hello, I've got puppet installed and working. I'm looking for a way to update software on OS X desktops. I have successfully set up the appdmg package provider, and I can update an application. How do you manage installs? I want to update an application but not when the user is using the application. Is there a way to check if an application is running and do the package install later? How do people manage this? Or are more people leaning toward Munki and letting Munki's dialog box interact with the user? Sean -- You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-us...@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
[Puppet Users] Question about refreshonly
I have inherited some puppet configurations; there is an exec resource
that looks like this:
exec { force-reload-httpd:
command = /etc/rc.d/init.d/httpd force-reload,
refreshonly = true,
}
Should this be paired with a subscribe or notify somewhere?
--
You received this message because you are subscribed to the Google Groups
Puppet Users group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
