[Puppet Users] MCollective security
Hi!

Not long ago we started using MCollective to trigger Puppet runs and execute maintenance shell commands on our servers. Everything looks good so far. But I'm concerned about MC security model.

For the middleware we are using RabbitMQ. We authenticate MCollective servers against RabbitMQ with username/password pair. Also we have Stunnel for middleware SSL termination. We use Puppet CA signed certificates to verify MCollective servers.

However I noticed that an attacker can easily change a hostname on a compromised server. And after that the server will get registered with that hostname. When I execute

    mco find

I see it displayed with the hostname that was recently set. And the hostname can be equal to any of the existing servers. That means that if I execute a shell command via

    mco shell run -I "/existinghostnamemask/" "command"

it will be also executed on the compromised server. The server can get sensitive data that it is not supposed to have.

I hope I explained everything correctly :)

So my question is - is there a way to avoid situations like the one I described? For example if I use SSH to connect to a host, I get its public key, and if the host changes, I receive an error. But probably there is something like this for MCollective?

Thanks!

Regards,
Sergey
Re: [Puppet Users] puppet 4: webserver configuration
Thomas,

> I would configure an apache in front of puppetserver (sample vhost: https://groups.google.com/forum/#!topic/puppet-users/ECZ4-9XD7e0) to serve other content. I suppose that the puppet server is not thought as a general purpose webserver.

I understand that puppet server is not a general purpose web server. And the idea is not to serve ‘other content’ but to mimic puppet 3 fileserver.conf: https://docs.puppetlabs.com/puppet/latest/reference/config_file_fileserver.html so that I could serve files from some additional location, not from modules/modulename/files

In puppet 3 I could do that with fileserver.conf:

    [extra_files]
        path /etc/puppetlabs/puppet/extra_files
        allow *

And then I could get it with ‘file’ resource type:

    file { 'filename':
      ensure => present,
      source => 'puppet:///extra_files/filename',
    }

But with puppet 4 I don’t know how to do that.

Thank you.

--
Best regards,
Sergey Arlashin

> - Thomas
>
> On Monday, 15 June 2015 18:42:12 UTC+2, Sergey Arlastin wrote:
>> Hi!
>>
>> I'm trying to configure webserver via conf.d/webserver.conf. The purpose is to add an extra web resource called 'secure-store' that can be used later in 'file' resource type.
>>
>> This is how webserver.conf looks at the moment:
>>
>>     webserver: {
>>         default: {
>>             access-log-config = /etc/puppetlabs/puppetserver/request-logging.xml
>>             client-auth = want
>>             ssl-host = 0.0.0.0
>>             ssl-port = 8140
>>             default-server: true
>>         }
>>         secure-store: {
>>             access-log-config = /etc/puppetlabs/puppetserver/request-logging.xml
>>             ssl-host = 0.0.0.0
>>             ssl-port = 8141
>>             ssl-cert = /etc/puppetlabs/puppet/ssl/certs/p4server.site.pem
>>             ssl-key = /etc/puppetlabs/puppet/ssl/private_keys/p4server.site.pem
>>             ssl-ca-cert = /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
>>             client-auth = need
>>             static-content: [{resource: /etc/puppetlabs/code/secure_store/
>>                               path: /secure-store}]
>>         }
>>     }
>>
>> I can easily get files from there with curl:
>>
>>     # curl -k --key ./private_keys/p4agent.site.pem --cert ./certs/p4agent.site.pem https://p4server:8141/secure-store/testtest.txt
>>
>> But I cannot get anything using 'file' resource type in my manifests. This is how it looks:
>>
>>     file { '/tmp/testfile.txt':
>>       ensure => present,
>>       owner  => root,
>>       group  => root,
>>       mode   => '0700',
>>       source => 'puppet://p4server.site:8141/secure-store/testtest.txt'
>>     }
>>
>> I see the following error when I try to run it:
>>
>>     Error: /Stage[main]/Testfile/File[/tmp/testfile.txt]: Could not evaluate: Could not retrieve information from environment production source(s) puppet://p4server.site:8141/secure-store/testtest.txt
>>
>> And the following record in puppetserver-access.log:
>>
>>     GET /puppet/v3/file_metadata/secure-store/testtest.txt?environment=production&links=manage&checksum_type=md5&source_permissions=ignore HTTP/1.1 0 0 p4agent.site 172.16.15.12 8141 1
>>
>> Could anyone please tell if I'm doing anything completely wrong or I misunderstood the idea of webserver thing regarding new puppet server?
>>
>> Thanks in advance.
>>
>> --
>> Best regards,
>> Sergey Arlashin
[Puppet Users] puppet 4: webserver configuration
Hi!

I'm trying to configure webserver via conf.d/webserver.conf. The purpose is to add an extra web resource called 'secure-store' that can be used later in 'file' resource type.

This is how webserver.conf looks at the moment:

    webserver: {
        default: {
            access-log-config = /etc/puppetlabs/puppetserver/request-logging.xml
            client-auth = want
            ssl-host = 0.0.0.0
            ssl-port = 8140
            default-server: true
        }
        secure-store: {
            access-log-config = /etc/puppetlabs/puppetserver/request-logging.xml
            ssl-host = 0.0.0.0
            ssl-port = 8141
            ssl-cert = /etc/puppetlabs/puppet/ssl/certs/p4server.site.pem
            ssl-key = /etc/puppetlabs/puppet/ssl/private_keys/p4server.site.pem
            ssl-ca-cert = /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
            client-auth = need
            static-content: [{resource: /etc/puppetlabs/code/secure_store/
                              path: /secure-store}]
        }
    }

I can easily get files from there with curl:

    # curl -k --key ./private_keys/p4agent.site.pem --cert ./certs/p4agent.site.pem https://p4server:8141/secure-store/testtest.txt

But I cannot get anything using 'file' resource type in my manifests. This is how it looks:

    file { '/tmp/testfile.txt':
      ensure => present,
      owner  => root,
      group  => root,
      mode   => '0700',
      source => 'puppet://p4server.site:8141/secure-store/testtest.txt'
    }

I see the following error when I try to run it:

    Error: /Stage[main]/Testfile/File[/tmp/testfile.txt]: Could not evaluate: Could not retrieve information from environment production source(s) puppet://p4server.site:8141/secure-store/testtest.txt

And the following record in puppetserver-access.log:

    GET /puppet/v3/file_metadata/secure-store/testtest.txt?environment=production&links=manage&checksum_type=md5&source_permissions=ignore HTTP/1.1 0 0 p4agent.site 172.16.15.12 8141 1

Could anyone please tell if I'm doing anything completely wrong or I misunderstood the idea of webserver thing regarding new puppet server?

Thanks in advance.

--
Best regards,
Sergey Arlashin
Re: [Puppet Users] puppetserver 2.0.0 and fileserver.conf counterpart?
Hi!

I'm also wondering how I can configure fileserver parameters in puppet server. Is webserver.conf a substitute for fileserver.conf now?

Thank you.

--
Best regards,
Sergey Arlashin

On Apr 30, 2015, at 12:40 PM, Stefan Wiederoder stefanwiedero...@googlemail.com wrote:
> I'm struggling with puppetserver 2.0.0 on RHEL7, how do I configure puppetserver regarding the fileserver settings?
Re: [Puppet Users] puppetserver 2.0.0 and fileserver.conf counterpart?
Hi!

I'm also wondering how I can configure fileserver parameters in puppetserver? Is webserver.conf a substitute for fileserver.conf now?

Thank you.

--
Best regards,
Sergey Arlashin

On Apr 30, 2015, at 12:40 PM, Stefan Wiederoder stefanwiedero...@googlemail.com wrote:
> I'm struggling with puppetserver 2.0.0 on RHEL7, how do I configure puppetserver regarding the fileserver settings?
[Puppet Users] puppet 3.6.2: future parser + extlookup() + environment based selector
Hi!

We use puppet 3.6.2 with several environments. One of them is vagrant based environment called 'localdev' which is intended for local use only.

Also we keep all the secret data like passwords and related stuff in csv files which reside in separate repository. We use extlookup() function to get the data from these csv files. And of course this repo with secret data is unavailable for those ones who work with vagrant based environment 'localdev'.

For example some of our code looks like this:

    smtp_password => $::environment ? {
      default    => extlookup('smtp_password'),
      'localdev' => 'password'
    },

When puppet is working with 'localdev' environment it does NOT try to execute extlookup() function at all. That's what we need. With current parser everything worked without any problems.

But today I tried to run our manifests with future parser enabled in 'localdev' environment. And got the following error:

    ==> node1: Error: No match found for 'smtp_password' in any data file during extlookup() on node node1.site
    ==> node1: Error: No match found for 'smtp_password' in any data file during extlookup() on node node1.site

I assume that future parser tries to execute extlookup() function even if the current environment is 'localdev'. So I'm wondering if it is a bug? Or maybe it is a normal behaviour of future parser?

I hope I explained everything correctly :)

Thanks in advance!

--
Best regards,
Sergey Arlashin
Re: [Puppet Users] Puppet 3.6.2: force manifests reload
Thank you!

--
Best regards,
Sergey Arlashin

On Jul 27, 2014, at 2:35 AM, Andreas Ntaflos d...@pseudoterminal.org wrote:
> On 2014-07-26 18:46, Sergey Arlashin wrote:
>> Hi!
>>
>> I'm using webrick based puppetmaster. After upgrading to 3.6.x I noticed that when I alter some of my manifests or templates puppet continues to apply the old set of manifests. Puppet agents behave like there are no changes at all. It usually takes puppet 2-5 minutes to start shipping the new config. I can restart puppet master and then everything goes well. But I'd like to do without restarting puppet master.
>>
>> The documentation says that something like this can be achieved by touching site.pp. But I don't use site.pp any more due to 'import' deprecation, and touching all files in manifests folder doesn't solve the problem.
>>
>> So the question is - is it possible to force the reload of my manifests without restarting puppet master? Or maybe switching to passenger based puppet can solve the problem?
>
> Environments and their manifests are cached for three minutes by default so this is what you are seeing here. Have a look at http://docs.puppetlabs.com/puppet/latest/reference/environments.html#tuning-environment-caching and http://docs.puppetlabs.com/references/3.6.latest/configuration.html#environmenttimeout for more information and how to change the default behaviour.
>
> Switching to Apache and Passenger is definitely recommended though, for numerous reasons (http://docs.puppetlabs.com/guides/passenger.html). With Passenger getting the Puppetmaster to reload the cached environments is as easy as running service apache2 reload.
>
> Andreas
[Puppet Users] Puppet 3.6.2: force manifests reload
Hi!

I'm using webrick based puppetmaster. After upgrading to 3.6.x I noticed that when I alter some of my manifests or templates puppet continues to apply the old set of manifests. Puppet agents behave like there are no changes at all. It usually takes puppet 2-5 minutes to start shipping the new config. I can restart puppet master and then everything goes well. But I'd like to do without restarting puppet master.

The documentation says that something like this can be achieved by touching site.pp. But I don't use site.pp any more due to 'import' deprecation, and touching all files in manifests folder doesn't solve the problem.

So the question is - is it possible to force the reload of my manifests without restarting puppet master? Or maybe switching to passenger based puppet can solve the problem?

Thanks in advance.

--
Best regards,
Sergey Arlashin
[Puppet Users] Puppet 3.6.2 + Vagrant
Hi!

Does anybody use puppet 3.6.x with Vagrant? Is there any way to specify manifests dir instead of site.pp file?

Thanks in advance.

--
Best regards,
Sergey Aralashin
[Puppet Users] Puppet 3.6.2: import is deprecated
Hi!

I used 'import' in my previous config. I had the following structure:

site.pp:

    import 'nodes.pp'

nodes.pp:

    import 'node1.pp'
    import 'node2.pp'
    import 'node3.pp'
    etc.

Now I'm moving to 3.6.2 and after getting the deprecation warning decided to remove all imports from my manifests. Now puppet agent seems to ignore all my config. None of my modules is applied. --debug shows that it doesn't try to apply anything at all.

Could anyone tell me if it is normal? :) Or maybe I'm doing something wrong? Or maybe this is a bug?

    # puppet config print manifest
    /etc/puppet/environments/production/manifests

Thanks in advance!

--
Best regards,
Sergey Arlashin
[Puppet Users] Re: Puppet 3.6.2: import is deprecated
I forgot to mention that I'm using directory environments. Also when I remove site.pp I get

    Error: Could not run: Could not find file /etc/puppet/environments/production/manifests/site.pp

--
Best regards,
Sergey Arlashin

On Jun 30, 2014, at 9:52 PM, Sergey Arlashin sergeyarl.maill...@gmail.com wrote:
> Hi!
>
> I used 'import' in my previous config. I had the following structure:
>
> site.pp:
>
>     import 'nodes.pp'
>
> nodes.pp:
>
>     import 'node1.pp'
>     import 'node2.pp'
>     import 'node3.pp'
>     etc.
>
> Now I'm moving to 3.6.2 and after getting the deprecation warning decided to remove all imports from my manifests. Now puppet agent seems to ignore all my config. None of my modules is applied. --debug shows that it doesn't try to apply anything at all.
>
> Could anyone tell me if it is normal? :) Or maybe I'm doing something wrong? Or maybe this is a bug?
>
>     # puppet config print manifest
>     /etc/puppet/environments/production/manifests
>
> Thanks in advance!
>
> --
> Best regards,
> Sergey Arlashin
[Puppet Users] Re: Puppet 3.6.2: import is deprecated
In half an hour it magically started to work. Seems to be some caching issue? Did I need to restart puppet master after removing 'imports'? Or do something like this?

--
Best regards,
Sergey Arlashin

On Jun 30, 2014, at 10:07 PM, Sergey Arlashin sergeyarl.maill...@gmail.com wrote:
> I forgot to mention that I'm using directory environments. Also when I remove site.pp I get
>
>     Error: Could not run: Could not find file /etc/puppet/environments/production/manifests/site.pp
>
> --
> Best regards,
> Sergey Arlashin
>
> On Jun 30, 2014, at 9:52 PM, Sergey Arlashin sergeyarl.maill...@gmail.com wrote:
>> Hi!
>>
>> I used 'import' in my previous config. I had the following structure:
>>
>> site.pp:
>>
>>     import 'nodes.pp'
>>
>> nodes.pp:
>>
>>     import 'node1.pp'
>>     import 'node2.pp'
>>     import 'node3.pp'
>>     etc.
>>
>> Now I'm moving to 3.6.2 and after getting the deprecation warning decided to remove all imports from my manifests. Now puppet agent seems to ignore all my config. None of my modules is applied. --debug shows that it doesn't try to apply anything at all.
>>
>> Could anyone tell me if it is normal? :) Or maybe I'm doing something wrong? Or maybe this is a bug?
>>
>>     # puppet config print manifest
>>     /etc/puppet/environments/production/manifests
>>
>> Thanks in advance!
>>
>> --
>> Best regards,
>> Sergey Arlashin
[Puppet Users] Puppet: Dependency cycle
Hi,

I have a weird dependency cycle issue. This is just a test module which I created while trying to solve this issue:

modules/testmod/manifests/init.pp:

    class testmod {
      package { 'nginx': ensure => installed }
      service { 'nginx':
        ensure  => running,
        enable  => true,
        require => Package['nginx']
      }
    }

    class testmod::nginxtest {
      file { '/tmp/nginx.test':
        ensure => present,
        notify => Service['nginx'];
      }
    }

manifests/test-node.pp:

    node 'test-node.site' {
      class { 'testmod': }
      class { 'testmod::nginxtest': require => Class['testmod'] }
    }

When I apply this on node test-node.site I get:

    Error: Could not apply complete catalog: Found 1 dependency cycle:
    ==> test-node: (File[/tmp/nginx.test] => Service[nginx] => Class[Testmod] => Class[Testmod::Nginxtest] => File[/tmp/nginx.test])
    ==> test-node: Try the '--graph' option and opening the resulting '.dot' file in OmniGraffle or GraphViz

Could you please help me figure out why this is happening? It seems there is nothing in test mod which requires testmod::nginxtest.

Thanks in advance.

--
Best regards,
Sergey Arlashin
Re: [Puppet Users] Puppet: Dependency cycle
Hm, ok. But when I use 'subscribe' instead of 'notify'

    class testmod {
      package { 'nginx': ensure => installed }
      service { 'nginx':
        ensure    => running,
        enable    => true,
        require   => Package['nginx'],
        subscribe => File['/tmp/nginx.test']
      }
    }

    class testmod::nginxtest {
      file { '/tmp/nginx.test': ensure => present }
    }

I get

    ==> test-node: Error: Could not apply complete catalog: Found 1 dependency cycle:
    ==> test-node: (File[/tmp/nginx.test] => Service[nginx] => Class[Testmod] => Class[Testmod::Nginxtest] => File[/tmp/nginx.test])
    ==> test-node: Try the '--graph' option and opening the resulting '.dot' file in OmniGraffle or GraphViz

I do need to have 2 separate modules. I need the class 'testmode' to run before class 'test mod::nginxtest'. And I need to restart service 'nginx' when I change '/tmp/nginx.test'.

So then the question is - how to do this properly? Do I need to create something like exec { 'nginx restart': ... } ?

On Jun 18, 2014, at 5:55 PM, Felix Frank felix.fr...@alumni.tu-berlin.de wrote:
> Hi,
>
> On 06/18/2014 03:51 PM, Sergey Arlashin wrote:
>> Could you please help me figure out why this is happening? It seems there is nothing in test mod which requires testmod::nginxtest.
>
> actually yes, there is.
>
>     file { '/tmp/nginx.test':
>       ensure => present,
>       notify => Service['nginx'];
>     }
>
> The 'notify' implicitly puts File['/tmp/nginx.test'] *before* Service['nginx'].
>
> The
>
>     class { 'testmod::nginxtest': require => Class['testmod'] }
>
> ends up doing the opposite - wanting the Service['nginx'] before File['/tmp/nginx.test'].
>
> HTH,
> Felix
Re: [Puppet Users] Puppet: Dependency cycle
Christopher, Felix,

I got the idea. Thank you very much!

--
Best regards,
Sergey Arlashin

On Jun 18, 2014, at 7:04 PM, Felix Frank felix.fr...@alumni.tu-berlin.de wrote:
> Wow, Christopher gave an exhaustive answer :-) I'll try and Keep It Simple.
>
> On 06/18/2014 04:22 PM, Sergey Arlashin wrote:
>> I do need to have 2 separate modules. I need the class 'testmode' to run before class 'test mod::nginxtest'. And I need to restart service 'nginx' when I change '/tmp/nginx.test'.
>
> Yes, you face the same issue, seeing as you just brought it in a different notation. The same relationships are established.
>
>> So then the question is - how to do this properly? Do I need to create something like exec { 'nginx restart': ... } ?
>
> This is actually not possible. If Puppet should refresh the service upon change of the config file, it *must* evaluate the file resource before the service resource.
>
> You need to disentangle your relationships and come up with an order in which you want your resources applied, e.g.
>
>     Package -> File -> Service
>
> This may indeed mean that you cannot require a whole class. But as Christopher has advised, your mileage may increase if you structure the classes more distinctly.
>
> HTH,
> Felix
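Added example, not part of the thread: one way to get the Package -> File -> Service order Felix describes while keeping the file in its own class. It splits `testmod` into two smaller classes so that `testmod::nginxtest` can sit between them instead of requiring the whole class; the names `testmod::install` and `testmod::service` and the one-class-per-file layout are assumptions made for this sketch, the other names come from the original post.

```puppet
# modules/testmod/manifests/install.pp  (hypothetical class name)
class testmod::install {
  package { 'nginx': ensure => installed }
}

# modules/testmod/manifests/service.pp  (hypothetical class name)
class testmod::service {
  service { 'nginx':
    ensure => running,
    enable => true,
  }
}

# modules/testmod/manifests/init.pp
class testmod {
  # 'contain' keeps both classes inside testmod's boundaries, so anything
  # that requires Class['testmod'] still waits for package and service.
  contain testmod::install
  contain testmod::service

  # Package before Service, expressed once at class level.
  Class['testmod::install'] -> Class['testmod::service']
}

# modules/testmod/manifests/nginxtest.pp
class testmod::nginxtest {
  file { '/tmp/nginx.test':
    ensure  => present,
    # After the package, but NOT after the whole testmod class: requiring
    # Class['testmod'] would also put Service['nginx'] before this file,
    # which is the edge that closed the cycle in the original post.
    require => Class['testmod::install'],
    # Before the service, and refresh it when the file changes.
    notify  => Class['testmod::service'],
  }
}

# manifests/test-node.pp
node 'test-node.site' {
  include testmod
  include testmod::nginxtest
}
```

The resulting edges are install -> File -> service and install -> service, so the graph has one consistent order and the notify still restarts nginx when the file changes.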
[Puppet Users] Hiera multiple datadirs
Hi!

As far as I know Hiera at the moment doesn't support multiple datadirs. Does anybody know if it is going to support it in future releases? It would be really great if it did.

--
Best regards,
Sergey Arlashin
Re: [Puppet Users] puppetdb 2 : Idle timeout expired: 30000/30000 ms
Yesterday I downgraded both puppet to 3.5.1 and puppetdb to 1.6.3, and the problem disappeared. Unfortunately this is production infrastructure and I don't have an ability to test it further :(

On May 21, 2014, at 11:54 PM, Ken Barber k...@puppetlabs.com wrote:

Phil and I have been conversing offline ... we found that downgrading the terminus to 1.6.3 (not PuppetDB) fixes the issue. So far we can see that a submission occurs but the server does not respond. This is synonymous with a bad Content-Length, and certainly I'm able to replicate this with some basic tests ... but we're still looking for the ultimate cause of this. For now can everyone who is seeing this issue, try downgrading their puppetdb-terminus package to 1.6.3, and see if it solves it?

ken.

On Wed, May 21, 2014 at 6:41 PM, Ken Barber k...@puppetlabs.com wrote:

Phil, Do you happen to have a tcpdump I can look at, one where this problem is replicated? I know it's SSL - but I'm primarily interested in seeing when (and _IF_) the network connection goes idle - so packet timing is more important to me than content. I'm trying to prove/disprove that idletimeout is doing the correct thing here or not. It could be that the idling is caused by something else, and the timeout is valid - or it could be that the idletimeout is not actually paying attention to traffic (which I can't prove locally at least for cleartext - it seems fine). There is also a chance the idling could be after traffic is submitted, which would make things even more interesting. Either way I'd like some external confirmation of this reported 'idling' and the best way is probably via tcpdumps. If we can prove the idle timeout is correct in its behaviour, we can stop looking at Jetty as the cause, which helps us a lot. If you want to chat I'm on Freenode in #puppet (ken_barber). My colleague in the meantime is trying to upgrade us to Jetty 9.1.5 (from 9.1.0), it's a non-trivial upgrade though, which sucks when under duress. We're also looking at introducing the idle-timeout setting so we can play with that also, potentially as a work-around for now.

ken.

On Wed, May 21, 2014 at 5:29 PM, Ken Barber k...@puppetlabs.com wrote:

So one thing I'm sure about - is that there was no idle timeout defined in 1.6.3 at all. I can connect idle for quite some time for example. It's quite possible that there is another delay/lag somewhere causing the connection to be idle in the first place - but with 1.6.3 this would not have surfaced for example as a server error, because there was no idle handling.

ken.

On Wed, May 21, 2014 at 5:01 PM, Phil Fenstermacher phillip.fenstermac...@gmail.com wrote:

Running tcpdump filtering on port 8081 renders a pcap file of about ~350K. The template is only 20K, so large here is probably somewhat relative. Any other thoughts? Just for reference, I'm running the same version of Java as Sergey:

java version 1.7.0_55
OpenJDK Runtime Environment (IcedTea 2.4.7) (7u55-2.4.7-1ubuntu1~0.12.04.2)
OpenJDK 64-Bit Server VM (build 24.51-b03, mixed mode)

On Wednesday, May 21, 2014 9:53:42 AM UTC-4, Ken Barber wrote:

Catalogue size might be a factor, as templates get stored in the catalogue.

On Wed, May 21, 2014 at 2:45 PM, Phil Fenstermacher phillip.fe...@gmail.com wrote:

I encountered this same issue yesterday, and unfortunately haven't found a fix either. The error seems to be happening whenever I use the php::fpm::conf resource (with ensure => present) from https://forge.puppetlabs.com/thias/php. Removing that resource, or setting ensure to absent makes everything work fine. That resource is essentially only creating a file resource from a large template (https://github.com/thias/puppet-php/blob/master/manifests/fpm/conf.pp). I tried setting max-threads to 200 as well without any luck.

On Tuesday, May 20, 2014 11:27:05 AM UTC-4, Sergey Arlashin wrote:

Unfortunately setting max-threads to 200 did not help.

# java -version
java version 1.7.0_55
OpenJDK Runtime Environment (IcedTea 2.4.7) (7u55-2.4.7-1ubuntu1~0.12.04.2)
OpenJDK 64-Bit Server VM (build 24.51-b03, mixed mode)

# dpkg -l |grep -i java
ii ca-certificates-java 20110912ubuntu6 Common CA certificates (JKS keystore)
ii java-common 0.43ubuntu2 Base of all Java packages
ii libjs-jquery 1.7.1-1ubuntu1 JavaScript library for dynamic web applications
ii openjdk-7-jre-headless 7u55-2.4.7-1ubuntu1~0.12.04.2 OpenJDK Java runtime, using Hotspot JIT (headless)
ii tzdata-java 2014c-0ubuntu0.12.04 time zone and daylight-saving time data for use by java runtimes

This is a fresh output in logs:

2014-05-20 15:21:52,331 INFO [p.t.s.w.jetty9-service] Initializing web server.
2014-05-20 15:21:52,403 INFO [p.t.s.w.jetty9-service] Starting web server.
2014-05-20 15:21:52,406 INFO [o.e.j.s.Server] jetty-9.1.z
Re: [Puppet Users] puppetdb 2 : Idle timeout expired: 30000/30000 ms
It is described here http://www.eclipse.org/jetty/documentation/current/configuring-connectors.html how idle timeout for jetty can be configured. But I don't know how to apply this for puppetdb :( Does anybody have any ideas?

On May 20, 2014, at 9:43 AM, Sergey Arlashin sergeyarl.maill...@gmail.com wrote:

2014-05-20 05:34:36,684 INFO [c.p.p.command] [e806b0a2-7703-4a4a-8107-65cd2c0db9a8] [replace facts] prod1.site
2014-05-20 05:34:44,112 INFO [c.p.p.command] [e8cb3511-9734-4ba7-b040-96f663404c00] [replace facts] redmine.site
2014-05-20 05:34:45,387 INFO [c.p.p.command] [9026d779-3a43-4c06-a23d-aeefd4eb6e1f] [replace catalog] redmine.site
2014-05-20 05:34:47,487 INFO [c.p.p.command] [1234e95c-e254-4b1d-b46f-8ef5b07e9158] [replace facts] www-node1.site
2014-05-20 05:34:48,350 INFO [c.p.p.command] [56be0dc9-03b9-45b8-8b8a-527f1c25e057] [replace facts] dev01.site
2014-05-20 05:34:48,404 INFO [c.p.p.command] [17474841-6043-46cf-98a1-122f116d5cd6] [replace facts] parser1.site
2014-05-20 05:34:48,634 INFO [c.p.p.command] [44da2889-811f-4e80-8190-ad7313f0ca81] [replace facts] dev02.site
2014-05-20 05:34:48,942 INFO [c.p.p.command] [4080aa24-23c7-4f16-9011-2104a457e201] [replace catalog] www-node1.site
2014-05-20 05:34:51,429 INFO [c.p.p.command] [6b62c283-f306-44e7-8101-4948110e3d78] [replace catalog] dev01.site
2014-05-20 05:34:51,437 INFO [c.p.p.command] [55fb7348-3b36-4c5a-9265-61ca3c1f55c3] [replace catalog] dev02.site
2014-05-20 05:34:52,925 INFO [c.p.p.command] [9ace137e-f708-4656-829a-92de7722b388] [replace facts] lb-node1.site
2014-05-20 05:34:55,017 INFO [c.p.p.command] [0b6e6592-97f2-4b8a-8cc7-6d321793d2ed] [replace catalog] lb-node1.site
2014-05-20 05:34:58,285 INFO [c.p.p.command] [971285dd-b141-4f44-a6d0-375aa3af830a] [replace facts] lb-node2.site
2014-05-20 05:34:59,333 INFO [c.p.p.command] [3977fc34-aa41-43e7-8eb9-ef5398dc3567] [replace facts] www-node2.site
2014-05-20 05:35:01,625 INFO [c.p.p.command] [f095ef50-4b71-41d6-ba83-6dd4a0030fe2] [replace facts] parser2.site
2014-05-20 05:35:02,107 INFO [c.p.p.command] [539a78de-1743-4135-adeb-c5ed3b43cc24] [replace catalog] lb-node2.site
2014-05-20 05:35:02,379 INFO [c.p.p.command] [f4b7fc4d-cccd-4fb9-881e-da4007d57f6e] [replace facts] monitor.site
2014-05-20 05:35:03,945 INFO [c.p.p.command] [f49a6fcd-ca63-49eb-bbec-7712ba590675] [replace catalog] www-node2.site
2014-05-20 05:35:05,350 INFO [c.p.p.command] [6913aceb-0d60-4701-9d31-d84af8f92374] [replace facts] db-node1.site
2014-05-20 05:35:05,587 INFO [c.p.p.command] [bd9796df-e989-4788-addc-d31f2d2dda3a] [replace catalog] monitor.site
2014-05-20 05:35:05,848 INFO [c.p.p.command] [f9215b15-f646-403a-b4d3-21fd532e1c06] [replace facts] puppet.site
2014-05-20 05:35:05,871 INFO [c.p.p.command] [7820d545-1c5f-4b0f-a2e8-0dcbc12d4571] [replace facts] db-node2.site
2014-05-20 05:35:07,642 WARN [o.e.j.s.HttpChannel] /v3/commands?checksum=e51aa526e2236306cff22ef33c8cb4467166f9c0
java.io.IOException: java.util.concurrent.TimeoutException: Idle timeout expired: 30002/30000 ms
    at org.eclipse.jetty.util.BlockingCallback.block(BlockingCallback.java:101) ~[puppetdb.jar:na]
    at org.eclipse.jetty.server.HttpInputOverHTTP.blockForContent(HttpInputOverHTTP.java:62) ~[puppetdb.jar:na]
    at org.eclipse.jetty.server.HttpInput$1.waitForContent(HttpInput.java:392) ~[puppetdb.jar:na]
    at org.eclipse.jetty.server.HttpInput.read(HttpInput.java:161) ~[puppetdb.jar:na]
    at sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:283) ~[na:1.7.0_55]
    at sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:325) ~[na:1.7.0_55]
    at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:177) ~[na:1.7.0_55]
    at java.io.InputStreamReader.read(InputStreamReader.java:184) ~[na:1.7.0_55]
    at java.io.BufferedReader.fill(BufferedReader.java:154) ~[na:1.7.0_55]
    at java.io.BufferedReader.read(BufferedReader.java:175) ~[na:1.7.0_55]
    at clojure.core$slurp.doInvoke(core.clj:6396) ~[puppetdb.jar:na]
    at clojure.lang.RestFn.invoke(RestFn.java:410) ~[puppetdb.jar:na]
    at ring.util.request$eval10113$fn__10114.invoke(request.clj:30) ~[na:na]
    at clojure.lang.MultiFn.invoke(MultiFn.java:227) ~[puppetdb.jar:na]
    at com.puppetlabs.middleware$payload_to_body_string$fn__10429.invoke(middleware.clj:273) ~[na:na]
    at com.puppetlabs.middleware$verify_content_type$fn__10379.invoke(middleware.clj:128) ~[na:na]
    at com.puppetlabs.puppetdb.http.v3$v3_app$fn__11827.invoke(v3.clj:23) ~[na:na]
    at com.puppetlabs.puppetdb.http.v3$v3_app.invoke(v3.clj:21) ~[na:na]
    at com.puppetlabs.puppetdb.http.server$routes$fn__12370.invoke(server.clj:47) ~[na:na]
    at net.cgrand.moustache$alter_request$fn__10771.invoke(moustache.clj:54) ~[na:na]
    at com.puppetlabs.puppetdb.http.server$routes.invoke(server.clj:47) ~[na:na]
[Puppet Users] puppetdb 2 : Idle timeout expired: 30000/30000 ms
Hi! Every now and then I get the following error while running puppet agent.

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace catalog' command for prod2.site to PuppetDB at puppet.site:8081: [500 java.util.concurrent.TimeoutException: Idle timeout expired: 30000/30000 ms] <html><head><meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/><title>Error 500 </title></head><body><h2>HTTP ERROR: 500</h2><p>Problem accessing /v3/commands. Reason:<pre>java.util.concurrent.TimeoutException: Idle timeout expired: 30000/30000 ms</pre></p><hr /><i><small>Powered by Jetty://</small></i></body></html>

Does anybody know how I can get rid of this error? Thanks in advance!

-- Best regards, Sergey Arlashin
Re: [Puppet Users] puppetdb 2 : Idle timeout expired: 30000/30000 ms
.invoke(middleware.clj:55) ~[na:na]
    at com.puppetlabs.middleware$wrap_with_default_body$fn__10354.invoke(middleware.clj:62) ~[na:na]
    at com.puppetlabs.middleware$wrap_with_metrics_STAR_$fn__10401$fn__10410.invoke(middleware.clj:207) ~[na:na]
    at com.puppetlabs.utils.metrics$multitime_BANG__STAR_$fn__10068$fn__10069$fn__10070.invoke(metrics.clj:14) ~[na:na]
    at com.puppetlabs.utils.metrics.proxy$java.lang.Object$Callable$7da976d4.call(Unknown Source) ~[na:na]
    at com.yammer.metrics.core.Timer.time(Timer.java:91) ~[puppetdb.jar:na]
    at com.puppetlabs.utils.metrics$multitime_BANG__STAR_$fn__10068$fn__10069.invoke(metrics.clj:14) ~[na:na]
    at com.puppetlabs.utils.metrics$multitime_BANG__STAR_$fn__10068$fn__10069$fn__10070.invoke(metrics.clj:14) ~[na:na]
    at com.puppetlabs.utils.metrics.proxy$java.lang.Object$Callable$7da976d4.call(Unknown Source) ~[na:na]
    at com.yammer.metrics.core.Timer.time(Timer.java:91) ~[puppetdb.jar:na]
    at com.puppetlabs.utils.metrics$multitime_BANG__STAR_$fn__10068$fn__10069.invoke(metrics.clj:14) ~[na:na]
    at com.puppetlabs.utils.metrics$multitime_BANG__STAR_.invoke(metrics.clj:17) ~[na:na]
    at com.puppetlabs.middleware$wrap_with_metrics_STAR_$fn__10401.invoke(middleware.clj:206) ~[na:na]
    at com.puppetlabs.middleware$wrap_with_globals$fn__10358.invoke(middleware.clj:73) ~[na:na]
    at com.puppetlabs.middleware$wrap_with_debug_logging$fn__10342.invoke(middleware.clj:27) ~[na:na]
    at puppetlabs.trapperkeeper.services.webserver.jetty9_core$proxy_handler$fn__16765.invoke(jetty9_core.clj:66) ~[na:na]
    at puppetlabs.trapperkeeper.services.webserver.jetty9_core.proxy$org.eclipse.jetty.server.handler.AbstractHandler$ff19274a.handle(Unknown Source) ~[na:na]
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1112) ~[puppetdb.jar:na]
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1048) ~[puppetdb.jar:na]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[puppetdb.jar:na]
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:199) ~[puppetdb.jar:na]
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:109) ~[puppetdb.jar:na]
    at org.eclipse.jetty.servlets.gzip.GzipHandler.handle(GzipHandler.java:325) ~[puppetdb.jar:na]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97) ~[puppetdb.jar:na]
    at org.eclipse.jetty.server.Server.handle(Server.java:459) ~[puppetdb.jar:na]
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:280) ~[puppetdb.jar:na]
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:229) [puppetdb.jar:na]
    at org.eclipse.jetty.io.AbstractConnection$1.run(AbstractConnection.java:505) [puppetdb.jar:na]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:607) [puppetdb.jar:na]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:536) [puppetdb.jar:na]
    at java.lang.Thread.run(Thread.java:744) [na:1.7.0_55]
Caused by: java.util.concurrent.TimeoutException: Idle timeout expired: 30002/30000 ms
    at org.eclipse.jetty.io.IdleTimeout.checkIdleTimeout(IdleTimeout.java:153) ~[puppetdb.jar:na]
    at org.eclipse.jetty.io.IdleTimeout$1.run(IdleTimeout.java:50) ~[puppetdb.jar:na]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) ~[na:1.7.0_55]
    at java.util.concurrent.FutureTask.run(FutureTask.java:262) ~[na:1.7.0_55]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178) ~[na:1.7.0_55]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292) ~[na:1.7.0_55]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) ~[na:1.7.0_55]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) ~[na:1.7.0_55]
    ... 1 common frames omitted

On May 20, 2014, at 9:38 AM, Spencer Krum krum.spen...@gmail.com wrote:

This looks like a puppetdb error. Can you check the PuppetDB logs and post any relevant errors? Thanks, Spencer

On Mon, May 19, 2014 at 10:02 PM, Sergey Arlashin sergeyarl.maill...@gmail.com wrote:

Hi! Every now and then I get the following error while running puppet agent.

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace catalog' command for prod2.site to PuppetDB at puppet.site:8081: [500 java.util.concurrent.TimeoutException: Idle timeout expired: 30000/30000 ms] <html><head><meta http-equiv="Content-Type"
[Puppet Users] Puppet 3.4.1: Could not find relationship target
Hi! I've just run into a problem. Puppet agent fails with the following message:

Error: Could not retrieve catalog from remote server: Could not intern from text/pson: Could not convert from pson: Could not find relationship target File[]

and then refuses to proceed further. Then I started it with --debug --trace and got this:

Info: Loading facts in /var/lib/puppet/lib/facter/homedir.rb
Debug: Failed to load library 'msgpack' for feature 'msgpack'
Debug: catalog supports formats: pson b64_zlib_yaml yaml dot raw
Error: Could not retrieve catalog from remote server: Could not intern from text/pson: Could not convert from pson: Could not find relationship target File[]
/usr/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:361:in `edge_from_pson'
/usr/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:340:in `block in from_pson'
/usr/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:339:in `each'
/usr/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:339:in `from_pson'
/usr/lib/ruby/vendor_ruby/puppet/util/pson.rb:11:in `pson_create'
/usr/lib/ruby/vendor_ruby/puppet/external/pson/pure/parser.rb:305:in `parse_object'
/usr/lib/ruby/vendor_ruby/puppet/external/pson/pure/parser.rb:98:in `parse'
/usr/lib/ruby/vendor_ruby/puppet/external/pson/common.rb:133:in `parse'
/usr/lib/ruby/vendor_ruby/puppet/network/formats.rb:148:in `intern'
/usr/lib/ruby/vendor_ruby/puppet/network/format_support.rb:12:in `convert_from'
/usr/lib/ruby/vendor_ruby/puppet/indirector/rest.rb:229:in `deserialize_find'
/usr/lib/ruby/vendor_ruby/puppet/indirector/rest.rb:104:in `find'
/usr/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:201:in `find'
/usr/lib/ruby/vendor_ruby/puppet/configurer.rb:256:in `block in retrieve_new_catalog'
/usr/lib/ruby/vendor_ruby/puppet/util.rb:327:in `block in thinmark'
/usr/lib/ruby/1.9.1/benchmark.rb:295:in `realtime'
/usr/lib/ruby/vendor_ruby/puppet/util.rb:326:in `thinmark'
/usr/lib/ruby/vendor_ruby/puppet/configurer.rb:255:in `retrieve_new_catalog'
/usr/lib/ruby/vendor_ruby/puppet/configurer.rb:69:in `retrieve_catalog'
/usr/lib/ruby/vendor_ruby/puppet/configurer.rb:109:in `prepare_and_retrieve_catalog'
/usr/lib/ruby/vendor_ruby/puppet/configurer.rb:172:in `run'
/usr/lib/ruby/vendor_ruby/puppet/agent.rb:44:in `block (4 levels) in run'
/usr/lib/ruby/vendor_ruby/puppet/agent/locker.rb:20:in `lock'
/usr/lib/ruby/vendor_ruby/puppet/agent.rb:44:in `block (3 levels) in run'
/usr/lib/ruby/vendor_ruby/puppet/agent.rb:114:in `with_client'
/usr/lib/ruby/vendor_ruby/puppet/agent.rb:41:in `block (2 levels) in run'
/usr/lib/ruby/vendor_ruby/puppet/agent.rb:79:in `run_in_fork'
/usr/lib/ruby/vendor_ruby/puppet/agent.rb:40:in `block in run'
/usr/lib/ruby/vendor_ruby/puppet/application.rb:179:in `call'
/usr/lib/ruby/vendor_ruby/puppet/application.rb:179:in `controlled_run'
/usr/lib/ruby/vendor_ruby/puppet/agent.rb:38:in `run'
/usr/lib/ruby/vendor_ruby/puppet/application/agent.rb:355:in `onetime'
/usr/lib/ruby/vendor_ruby/puppet/application/agent.rb:321:in `run_command'
/usr/lib/ruby/vendor_ruby/puppet/application.rb:364:in `block (2 levels) in run'
/usr/lib/ruby/vendor_ruby/puppet/application.rb:470:in `plugin_hook'
/usr/lib/ruby/vendor_ruby/puppet/application.rb:364:in `block in run'
/usr/lib/ruby/vendor_ruby/puppet/util.rb:468:in `exit_on_fail'
/usr/lib/ruby/vendor_ruby/puppet/application.rb:364:in `run'
/usr/lib/ruby/vendor_ruby/puppet/util/command_line.rb:137:in `run'
/usr/lib/ruby/vendor_ruby/puppet/util/command_line.rb:91:in `execute'
/usr/bin/puppet:4:in `main'
Debug: Using cached catalog for dev01.site

So this hasn't clarified the situation either. Could anyone please tell how one can debug this sort of error? Thanks in advance.

-- Best regards, Sergey Arlashin
[Puppet Users] Re: Puppet 3.4.1: Could not find relationship target
Oh, I found what caused this error. There was a mistake in one of my modules - file {'': ... } with empty name. But I was able to find it only after I'd run 'puppet apply' locally via vagrant. Puppet apply showed the name of faulty module and the exact line number.

Error: Parameter path failed on File[]: File paths must be fully qualified, not '' at /tmp/vagrant-puppet/modules-0/gitolite/manifests/init.pp:35

And puppet agent

puppet agent --server puppet.site --verbose --no-daemonize --onetime --debug --trace

didn't. I found only this:

Error: Could not retrieve catalog from remote server: Could not intern from text/pson: Could not convert from pson: Could not find relationship target File[]

in both puppet agent output and puppetmaster log. So the question is - is it a bug? Or maybe it is normal behaviour?

-- Best regards, Sergey Arlashin

On Feb 2, 2014, at 1:22 AM, Sergey Arlashin sergeyarl.maill...@gmail.com wrote:

Hi! I've just run into a problem. Puppet agent fails with the following message:

Error: Could not retrieve catalog from remote server: Could not intern from text/pson: Could not convert from pson: Could not find relationship target File[]

and then refuses to proceed further.
Re: [Puppet Users] puppet won't change user's password
# uname -a
Linux db-node2 3.2.0-55-generic #85-Ubuntu SMP Wed Oct 2 12:29:27 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/issue
Ubuntu 12.04.3 LTS \n \l
# puppet -V
3.3.2
# cat /etc/passwd |grep ^testuser
testuser:x:1002:1002::/home/testuser:/bin/sh
# cat /etc/shadow |grep ^testuser
testuser:$6$.JNdUYPK$KUcfD3urk5290LvluOE.wnCKoEibMqd2.uiT/X0ezS29JaXfk4T9K57ea/6mSU7Z/8ppi8IiNNV7bkVYc5p0s0:16036:0:9:7:::
# puppet apply -e 'user { testuser: password => * }'
Notice: Compiled catalog for db-node2.site in environment production in 0.07 seconds
Notice: Finished catalog run in 0.08 seconds
# cat /etc/shadow |grep ^testuser
testuser:$6$.JNdUYPK$KUcfD3urk5290LvluOE.wnCKoEibMqd2.uiT/X0ezS29JaXfk4T9K57ea/6mSU7Z/8ppi8IiNNV7bkVYc5p0s0:16036:0:9:7:::

-- Best regards, Sergey Arlashin

On Nov 27, 2013, at 2:32 PM, Felix Frank felix.fr...@alumni.tu-berlin.de wrote:

Hi, no, it's not. What version of puppet are you using? To make sure there is nothing funny going on with your overall manifest structure, can you try this as root on the agent machine:

puppet apply -e 'user { username: password => * }'

For me, this yields

Notice: /User[username]/password: changed password
Notice: Finished catalog run in 0.53 seconds

This is puppet 3.3.1. TIA, Felix

On 11/26/2013 04:36 PM, Sergey Arlashin wrote:

Hi! I'm trying to set password for a user. I do the following:

user { username: password => '*', }

And when I run puppet agent nothing happens. The password remains the same. But if I create a new user which doesn't exist yet, the password is set without any problems. Is this a normal behaviour of 'user' type?
Re: [Puppet Users] puppet won't change user's password
# puppet apply -e 'user { testuser: password => $6$MhRLkUTo$9RhLb3AfsO4HSxeHdLOLCPBj7LRH6vGOx1zPcvpfVRGOuJPczjEyaYoS3SyQ6MESctWarz2VDhD4ZT9wHe61v/ }'
Notice: Compiled catalog for db-node2.site in environment production in 0.07 seconds
Notice: Finished catalog run in 0.06 seconds

Best regards, Sergey Arlashin

On Nov 27, 2013, at 3:00 PM, Felix Frank felix.fr...@alumni.tu-berlin.de wrote:

Ugh. So, does it work with other values (e.g., actual password hashes)?

On 11/27/2013 11:57 AM, Sergey Arlashin wrote:

# puppet apply -e 'user { testuser: password => * }'
Notice: Compiled catalog for db-node2.site in environment production in 0.07 seconds
Notice: Finished catalog run in 0.08 seconds
# cat /etc/shadow |grep ^testuser
testuser:$6$.JNdUYPK$KUcfD3urk5290LvluOE.wnCKoEibMqd2.uiT/X0ezS29JaXfk4T9K57ea/6mSU7Z/8ppi8IiNNV7bkVYc5p0s0:16036:0:9:7:::
Re: [Puppet Users] puppet won't change user's password
Seems to be useradd issue.. Debug: /User[testuser]: Provider useradd does not support features manages_passwords; not managing attribute password http://docs.puppetlabs.com/references/latest/type.html#user-provider-useradd: useradd User management via useradd and its ilk. Note that you will need to install Ruby’s shadow password library (often known as ruby-libshadow) if you wish to manage user passwords. So I installed libshadow and everything's working now! # puppet apply -e 'user { testuser: password = * }' Notice: Compiled catalog for db-node2.site in environment production in 0.08 seconds Notice: /User[testuser]/password: changed password Notice: Finished catalog run in 0.13 seconds Thank you! -- Best regards, Sergey Arlashin On Nov 27, 2013, at 3:05 PM, Felix Frank felix.fr...@alumni.tu-berlin.de wrote: Hi, no good then. Please run again with an added -dv switch to puppet apply, and share the debug output. Thanks in advance. On 11/27/2013 12:02 PM, Sergey Arlashin wrote: # puppet apply -e 'user { testuser: password = $6$MhRLkUTo$9RhLb3AfsO4HSxeHdLOLCPBj7LRH6vGOx1zPcvpfVRGOuJPczjEyaYoS3SyQ6MESctWarz2VDhD4ZT9wHe61v/ }' Notice: Compiled catalog for db-node2.site in environment production in 0.07 seconds Notice: Finished catalog run in 0.06 seconds Best regards, Sergey Arlashin -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/5295D1DE.5030106%40alumni.tu-berlin.de. For more options, visit https://groups.google.com/groups/opt_out. -- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. 
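The run in this thread finishes with only "Compiled catalog" and "Finished catalog run" notices while the password attribute is silently skipped. The following is an added example, not part of the thread or of Puppet: a Python check that scans `puppet apply -dv` output for the skipped-attribute debug line and compares the user's shadow hash with the requested one. The function names, shadow entries and hashes are constructed for the example.

```python
import re

# Line formats follow the `puppet apply -dv` output quoted in the thread.
_RES = r"(?:/\S+)?/(?P<resource>[A-Z]\w*\[[^\]]+\])"
SKIPPED = re.compile(
    r"^Debug: " + _RES + r": Provider (?P<provider>\S+) does not support "
    r"features (?P<features>[\w, ]+); not managing attribute (?P<attribute>\w+)$"
)
CHANGED = re.compile(r"^Notice: " + _RES + r"/(?P<attribute>\w+): ")

# Constructed sample input: log lines as quoted in the thread; the shadow
# entries and hash values are placeholders invented for this example.
LOG_BEFORE = """\
Debug: /User[testuser]: Provider useradd does not support features manages_passwords; not managing attribute password
Notice: Compiled catalog for db-node2.site in environment production in 0.07 seconds
Notice: Finished catalog run in 0.06 seconds
"""
LOG_AFTER = """\
Notice: Compiled catalog for db-node2.site in environment production in 0.08 seconds
Notice: /User[testuser]/password: changed password
Notice: Finished catalog run in 0.13 seconds
"""
WANTED = "$6$examplesalt$NEWHASHPLACEHOLDER"
SHADOW_BEFORE = "testuser:$6$examplesalt$OLDHASHPLACEHOLDER:16036:0:99999:7:::\n"
SHADOW_AFTER = "testuser:" + WANTED + ":16036:0:99999:7:::\n"


def unmanaged_attributes(log_text):
    """Attributes Puppet skipped because the provider lacks a feature."""
    found = []
    for line in log_text.splitlines():
        m = SKIPPED.match(line.strip())
        if m:
            features = [f.strip() for f in m["features"].split(",")]
            found.append((m["resource"], m["provider"], features, m["attribute"]))
    return found


def reported_changes(log_text):
    """(resource, attribute) pairs that the run reports as changed."""
    changes = []
    for line in log_text.splitlines():
        m = CHANGED.match(line.strip())
        if m:
            changes.append((m["resource"], m["attribute"]))
    return changes


def shadow_hash(shadow_text, user):
    """Second field of the user's shadow entry, or None if there is no entry."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == user:
            return fields[1]
    return None


def audit(log_text, shadow_text, user, wanted_hash):
    """Findings for one user; an empty list means the hash was applied."""
    findings = []
    for res, provider, features, attr in unmanaged_attributes(log_text):
        findings.append(
            f"{res}: provider {provider} lacks {', '.join(features)}; "
            f"{attr} is not managed"
        )
    current = shadow_hash(shadow_text, user)
    if current is None:
        findings.append(f"{user}: no entry in shadow file")
    elif current != wanted_hash:
        findings.append(f"{user}: shadow hash differs from the requested value")
    return findings


if __name__ == "__main__":
    for label, log, shadow in (("before libshadow", LOG_BEFORE, SHADOW_BEFORE),
                               ("after libshadow", LOG_AFTER, SHADOW_AFTER)):
        print(label, audit(log, shadow, "testuser", WANTED) or "ok")
```
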
[Puppet Users] puppet won't change user's password
Hi! I'm trying to set password for a user. I do the following:

    user { username: password => '*', }

And when I run puppet agent nothing happens. The password remains the same. But if I create a new user which doesn't exist yet, the password is set without any problems. Is this a normal behaviour of 'user' type?
--
Best regards, Sergey Arlashin
Re: [Puppet Users] Puppet: a way to secure certain files
Thank you!

On Nov 20, 2013, at 9:02 PM, jcbollinger john.bollin...@stjude.org wrote:
> On Wednesday, November 20, 2013 12:06:35 AM UTC-6, Rich Burroughs wrote:
> > You can use hiera gpg for ssh keys too. See this example: https://groups.google.com/d/msg/puppet-users/jHcuKQXT9cQ/g23Lmf4e6b8J
>
> But you would be unwise to do that in conjunction with Puppet 3, unless you fall into one of a small number of special cases. If you add the hiera-gpg back end to your hiera configuration then the encrypted file will be decrypted once for each class parameter that is neither explicitly assigned a value nor resolved in a higher-priority back end. Decrypting the file is very expensive, and if you do it many times then you will see a very noticeable impact on catalog compilation performance. There have been reports on this group of such decryption adding several minutes of compilation time for catalogs that otherwise take a few seconds.
>
> That decryption overhead will not affect you if you use few (or no) parameterized classes (watch out for third-party modules!), if you take care to assign values to all class parameters of every declared class (again, beware third party modules here), or if you are using Puppet 2 rather than Puppet 3.
>
> You should consider whether it really makes sense to encrypt at all, vs. simply securing the master against unauthorized users. If you encrypt then you must record the plaintext decryption key somewhere that the master can read it, and if you hypothesize an assailant that is savvy enough to track down sensitive information in your Puppet configs then you should assume that that assailant can also find the decryption key. In fact, such an assailant must also break your access controls to reach the sensitive information, meaning that they must have gained root access to your server before encryption is even a factor. If an assailant gains root then it's already game over.
>
> John
Re: [Puppet Users] Want to restrict puppet module execute every 30mins
You can create some sort of a trigger file. Like this:

    file { "/some/folder/file_trigger":
      ensure  => present,
      content => "version01",
      …
    }

Add refreshonly => true to your resources. Then subscribe your resources to this file. Once the file is changed, your code will be executed.
--
Best regards, Sergey Arlashin

On Nov 20, 2013, at 6:18 PM, Aravind Valluru aravind.vall...@pearson.com wrote:
> Hi, I have created a puppet module that performs below steps:
> 1. stop application service
> 2. take backup of existing application
> 3. download application artifact
> 4. install the application
> 5. some configuration stuff
> 6. start the application service
>
> Since the agent will poll the master every 30mins all these steps are executed every 30mins which I do not want. I want to enforce the puppet module execution only upon module change. Can I possibly do that? If not how can resolve this situation?
>
> Thanks
> Aravind
[Puppet Users] Puppet: a way to secure certain files
Hi! I'm trying to secure some data inside my puppet repository. Some passwords and private ssh keys. I have discovered plenty of ways to secure passwords - hiera gpg, puppet-decrypt, extlookup and so on. What about files? Is there a decent way to encrypt files, for example ssh keys?
--
Best regards, Sergey Arlashin
[Puppet Users] Puppet: Custom functions
Hi! As far as I know custom functions are executed on puppet master server. But each run puppet master copies all the custom functions available to /var/lib/puppet/lib/puppet/parser/functions/ folder on puppet clients. Why is it so?
--
Best regards, Sergey Arlashin
Re: [Puppet Users] Puppet: Custom functions
Thank you!

On Nov 18, 2013, at 6:42 PM, Felix Frank felix.fr...@alumni.tu-berlin.de wrote:
> Hi, you have likely enabled the pluginsync feature, which allows you to use Plugins in modules to e.g. distribute custom facts to your agents. Puppet will not distinguish custom facts and types from parser functions. For most people, syncing parser functions to agents serves no purpose. I advise to regard it as just a side occurrence, and to just ignore it.
>
> HTH, Felix
>
> On 11/18/2013 09:49 AM, Sergey Arlashin wrote:
> > Hi! As far as I know custom functions are executed on puppet master server. But each run puppet master copies all the custom functions available to /var/lib/puppet/lib/puppet/parser/functions/ folder on puppet clients. Why is it so?
[Puppet Users] Puppet 3.3.1: custom function change requires restart of puppetmaster
Hi! I've spent quite a while before I understood that for Puppet to see changes in custom functions' code Puppetmaster needs to be restarted. Is this a normal behaviour or maybe it's a bug?
--
Best regards, Sergey Arlashin
[Puppet Users] Puppet 3.2: add element to array
Hi! Is it possible to add a new element to an array inside puppet manifest? Something like ruby's array.push('new_element')?
--
Best regards, Sergey Arlashin
[Puppet Users] Puppet 3.2.2: Could not find declared class
Hi! Every now and then I get the following error message in logs on one particular host on my network:

    Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Puppet::Parser::AST::Resource failed with error ArgumentError: Could not find declared class cachier at /etc/puppet/manifests/nodes.pp:285 on node hostname1.site

The next run the error disappears. In a couple of days I see the same message with one difference - it says that it cannot find another class. So the class name can vary. Host name is the same every time. Do you know what can cause an error like this?
--
Best regards, Sergey Arlashin
[Puppet Users] Puppet 3.2 : warnings
Hi! I see a couple of warnings in master.log on puppetmaster server each time puppet agent runs. But when I run puppet agent manually by executing

    puppet agent --server puppet.site --verbose --no-daemonize --onetime

I don't see any warnings in its output. Is it possible to make puppet agent show warnings in its output while running from command line?
--
Best regards, Sergey
Re: [Puppet Users] Puppet: chaining and conditionals
Thank you all for your answers! Finally I decided to modify a couple of my classes to look like:

    class { class1: } ->
    class { class2:
      class_enabled => $fqdn ? { nodename2 => yes, default => no }
    } ->
    class { class3: }

--
best regards, Sergey

On Aug 16, 2013, at 12:25 AM, Ellison Marks gty...@gmail.com wrote:
> perhaps something like this?
>
>     node nodename1, nodename2, nodename3, nodename4 {
>       class { class1: }
>       if $fqdn == nodename2 {
>         Class[class1] -> class { class2: } -> class { class3: }
>       } else {
>         Class[class1] -> class { class3: }
>       }
>       Class[class3] -> class { class4: }
>     }
>
> On Thursday, August 15, 2013 10:17:46 AM UTC-7, Sergey Arlashin wrote:
> > Hi! I'm using the following way to define the order and assign classes to nodes:
> >
> >     node nodename1, nodename2, nodename3, nodename4 {
> >       class { class1: } -> class { class2: } -> class { class3: } -> class { class4: }
> >     }
> >
> > I'm fully delighted with it. But at the moment I need class2 to be executed only on nodename2. The following construction doesn't work
> >
> >     node nodename1, nodename2, nodename3, nodename4 {
> >       class { class1: } ->
> >       if $fqdn == nodename2 { class { class2: } -> }
> >       class { class3: } -> class { class4: }
> >     }
> >
> > And this construction breaks the order:
> >
> >     node nodename1, nodename2, nodename3, nodename4 {
> >       class { class1: }
> >       if $fqdn == nodename2 { Class[class1] -> class { class2: } }
> >       class { class3: } -> class { class4: }
> >     }
> >
> > What do I do in a situation like this? Thanks in advance. Sergey.
[Puppet Users] Puppet: chaining and conditionals
Hi! I'm using the following way to define the order and assign classes to nodes:

    node nodename1, nodename2, nodename3, nodename4 {
      class { class1: } -> class { class2: } -> class { class3: } -> class { class4: }
    }

I'm fully delighted with it. But at the moment I need class2 to be executed only on nodename2. The following construction doesn't work

    node nodename1, nodename2, nodename3, nodename4 {
      class { class1: } ->
      if $fqdn == nodename2 { class { class2: } -> }
      class { class3: } -> class { class4: }
    }

And this construction breaks the order:

    node nodename1, nodename2, nodename3, nodename4 {
      class { class1: }
      if $fqdn == nodename2 { Class[class1] -> class { class2: } }
      class { class3: } -> class { class4: }
    }

What do I do in a situation like this? Thanks in advance. Sergey.
Re: [Puppet Users] Puppet: chaining and conditionals
Thank you for your reply. This looks nice only if I have 4 classes. That was just an example. In reality I have a huge number of classes assigned to this group of nodes. So I want to avoid (if it is possible of course) declaring classes twice.

On Aug 15, 2013, at 9:27 PM, Arthur Furlan afur...@afurlan.org wrote:
> Have you tried putting all the classes in the conditional?
>
>     node nodename1, nodename2, nodename3, nodename4 {
>       if $fqdn == nodename2 {
>         class { class1: } -> class { class2: } -> class { class3: } -> class { class4: }
>       } else {
>         class { class1: } -> class { class3: } -> class { class4: }
>       }
>     }
>
> -- Arthur Furlan
>
> On Thu, Aug 15, 2013 at 2:17 PM, Sergey Arlashin sergeyarl.maill...@gmail.com wrote:
> > Hi! I'm using the following way to define the order and assign classes to nodes:
> >
> >     node nodename1, nodename2, nodename3, nodename4 {
> >       class { class1: } -> class { class2: } -> class { class3: } -> class { class4: }
> >     }
> >
> > I'm fully delighted with it. But at the moment I need class2 to be executed only on nodename2. The following construction doesn't work
> >
> >     node nodename1, nodename2, nodename3, nodename4 {
> >       class { class1: } ->
> >       if $fqdn == nodename2 { class { class2: } -> }
> >       class { class3: } -> class { class4: }
> >     }
> >
> > And this construction breaks the order:
> >
> >     node nodename1, nodename2, nodename3, nodename4 {
> >       class { class1: }
> >       if $fqdn == nodename2 { Class[class1] -> class { class2: } }
> >       class { class3: } -> class { class4: }
> >     }
> >
> > What do I do in a situation like this? Thanks in advance. Sergey.
[Puppet Users] Mcollective: remote commands
Hi! Is it possible to use Mcollective to run different cli commands remotely on nodes? Cannot find anything related in the documentation.
--
Best regards, Sergey Arlashin
Re: [Puppet Users] looping over an hashmap in an .pp file
Hi Simon,

You can use create_resources http://docs.puppetlabs.com/references/latest/function.html#createresources
--
Best regards, Sergey

On Aug 9, 2013, at 7:47 PM, Simon Hönscheid simon.hoenscheid.pli...@gmail.com wrote:
> I have an interesting problem and I found no solution yet: I want puppet to repeat an exec for every hash element I have:
>
>     $database_users = [
>       { user => 'jira', passwort => 'supersecure', userpermissions => 'LOGIN CREATEDB NOSUPERUSER NOCREATEROLE' },
>       { user => 'test', passwort => 'test', userpermissions => 'CREATEDB NOSUPERUSER NOCREATEROLE' },
>     ]
>
> Now I want to do something in config.pp with it, for every element. Is there a solution?
>
>     exec { "echo \"CREATE ROLE ${database_user[user]} WITH ${database_user[userpermissions]} PASSWORD '${database_user[password]}';\"| psql":
>       onlyif => "test `echo \"\\dg\" | psql| grep ${database_user[user]}|wc -l` -eq 0"
>     }
>
> thanks simon
Re: [Puppet Users] looping over an hashmap in an .pp file
Also you can use the following way to iterate over a hash:

    $foo = [ { addr => bar, port => 1 }, { addr => bat, port => 2 } ]

    testmod::bar { $foo: }

    define testmod::bar () {
      $var1 = $name[addr]
      $var2 = $name[port]
      notify { "${var1}_${var2}": }
    }

--
Best regards, Sergey Arlashin

On Aug 9, 2013, at 7:47 PM, Simon Hönscheid simon.hoenscheid.pli...@gmail.com wrote:
> I have an interesting problem and I found no solution yet: I want puppet to repeat an exec for every hash element I have:
>
>     $database_users = [
>       { user => 'jira', passwort => 'supersecure', userpermissions => 'LOGIN CREATEDB NOSUPERUSER NOCREATEROLE' },
>       { user => 'test', passwort => 'test', userpermissions => 'CREATEDB NOSUPERUSER NOCREATEROLE' },
>     ]
>
> Now I want to do something in config.pp with it, for every element. Is there a solution?
>
>     exec { "echo \"CREATE ROLE ${database_user[user]} WITH ${database_user[userpermissions]} PASSWORD '${database_user[password]}';\"| psql":
>       onlyif => "test `echo \"\\dg\" | psql| grep ${database_user[user]}|wc -l` -eq 0"
>     }
>
> thanks simon
Re: [Puppet Users] useradd Duplicate declaration: Group
Hello, try

    group { "addgroup_$group": name => $group, gid => $gid }

--
Best regards, Sergey Arlashin

On Aug 6, 2013, at 10:30 AM, Andreas Dvorak andreas.dvo...@googlemail.com wrote:
> Hello, I have written a module to add user and it does work with one user. But if I use two users puppet tells me:
>
>     Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Duplicate declaration: Group[badm] is already declared in file /etc/puppet/git/modules/useradd/manifests/init.pp at line 9; cannot redeclare on node vm6740.muc.baag
>
> How can I change the group creating part to get rid of this error? Here is my module file
>
>     ~/git/test.git/modules/useradd/manifests$ cat init.pp
>     define useradd ( $name, $uid, $group, $gid, $password, $shell, $sshkeytype, $sshkey) {
>       $homedir = $kernel ? {
>         'SunOS' => '/export/home',
>         default => '/home'
>       }
>       group { $group:
>         gid => $gid,
>       }
>       $username = $title
>       user { $username:
>         ensure     => present,
>         comment    => $name,
>         uid        => $uid,
>         gid        => $gid,
>         shell      => $shell,
>         home       => "$homedir/$username",
>         managehome => true,
>         password   => $password,
>         require    => group[$group],
>       }
>       exec { $username:
>         command => "/bin/cp -R /etc/skel $homedir/$username; /bin/chown -R $username:$group $homedir/$username",
>         creates => "$homedir/$username",
>         require => user[$username],
>       }
>       ssh_authorized_key { $username:
>         user    => $username,
>         type    => $sshkeytype,
>         key     => $sshkey,
>         require => exec[$username],
>       }
>     }
>
> and here are the manifests files.
>
>     ~/git/test.git/manifests$ cat nodes.pp
>     node 'vm6739' { include git_puppet_update }
>     node 'vm6740' { import "create_admin_user.pp" }
>
>     ~/git/test.git/manifests$ cat create_admin_user.pp
>     useradd { "test":
>       name       => "test",
>       uid        => 881,
>       gid        => 888,
>       group      => badm,
>       shell      => "/bin/bash",
>       password   => 'Yvrp7r/L.ah8AliUXLMM9LZN/hQOtaYXUXNFQ8kOaqzUp1/jkH61SaE7gz/',
>       sshkeytype => rsa,
>       sshkey     => "5j5llTO3cVcbPQYlII/5Arzwnj5gyzpm3xZL3o9vaAX1pA4F1Lq87ZBrZxrTS2F0G7hHJDffhqwlYoWfl1755hWeNeNZWQBcF2",
>     }
>     useradd { "testuser1":
>       name       => "test user1",
>       uid        => 2012,
>       gid        => 888,
>       group      => badm,
>       shell      => "/bin/bash",
>       password   => '$6$0vY.Ob.b$uOClxSzliv.Jxt1XoWXjbLXtnf5JzqL5pP.caiF0JMxjptxEq9gj72KrU7CqB7ez0gCt6fAB1',
>       sshkeytype => rsa,
>       sshkey     => "B3NzaC1yc2EDAQABAAABAQC8tCVus/i5CN8KpqsEy1L3KIa0xRS9/QqgNc39q877hHJDffhqwlYoWfl1755hWeNeNZWQBcF2",
>     }
[Puppet Users] Class execution order
Hi! I'm trying to make puppet execute classes in a certain order for a particular node. So this is my test config:

    class one {
      exec { "echoone": command => "/bin/echo $var1", }
    }
    class two {
      exec { "echotwo": command => "/bin/echo $var2", }
    }
    class three {
      exec { "echothree": command => "/bin/echo $var3", }
    }
    node "client-tpl-puppet.localnet" {
      $var1 = 1
      $var2 = 2
      $var3 = 3
      include one, two, three
    }

But when I launch puppet client on the node client-tpl-puppet.localnet I see that all the classes execute in an absolutely random order. The documentation says I should use stages, but I cannot figure out how to use them in this particular case. Could you show an example?