[Puppet Users] Design Patterns - Profiles & Shared Information
Hi, I wonder what approaches you are currently using for sharing common information among multiple Puppet profiles: To come up with some examples which will need to be maintained for multiple profiles: - HTTP proxy settings - IP ACLs for whitelists (eg. IP of monitoring systems, trusted hosts) - E-mail addresses for system mails (not only for /etc/aliases) Any thoughts? The options I currently have on the table are: - Don’t do any abstraction and maintain multiple copies of the same information in hiera (eg. ::profile::redsocks::proxy_url, ::profile::apt::proxy_url). Which in more comprehensive Puppet might not scale so well. - As Volcane suggested on IRC, use a ::data module to provide an interface for hiera key lookups and use ::data::some_common_thing in other profiles. - Simply use hiera calls directly in modules such as class profile::redsocks( $proxy_url = hiera(‘proxy_url’) ) Which I personally dislike, as using a module provides options for documentation and validation as well as a defined, versionable interface to the variables. Thanks for your feedback! Best, Stefan. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/53340303-D04B-4055-A31D-2D636471BE1D%40ono.at. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] triggering 'apt-get update'?
On Sunday 22 December 2013 at 02:39, Felix Frank wrote: > On 12/20/2013 04:58 PM, Jon Yeargers wrote: > > The main reason I'm asking is that the 'apt-get update' seems to always > > run last in the 'agent' pass. IE it takes two runs to get the latest > > packages - 1 to update the cache and the 2nd to get the latest versions. > > > > > > Please note that Puppet won’t trigger the actions immediately for Execs and Services which should only get ‘refreshed’ when once notified. As Felix wrote, this is by design, because there could be more resources in the catalog which would also trigger a refresh (eg. you don’t want to restart Apache for every new vhost added during a run). I guess your problem here is, that you want to install a package from a different repository than the default operating system repo? Puppet will typically create the repository configuration, and will then install the package from the wrong repository, because apt-get update wasn’t run yet. What you would basically want to do, is to tie the APT configuration and running the apt-get update together and put it in order, so this is run before any package is installed. Puppetlabs APT module, is a nice example on how you can write such contained modules with ‘anchoring’ (from puppetlabs-stdlib): https://github.com/puppetlabs/puppetlabs-apt/blob/master/manifests/init.pp#L118 There’s also a section in the Puppet guide about contained resources: http://docs.puppetlabs.com/puppet/3/reference/lang_containment.html If I’m right then you will basically want to: * use the puppetlabs-apt module or something equivalent * define an apt::source with the repository you would like to add * Tell Puppet to run apt-get update before the installation of any package: Exec[‘apt_update'] -> Package <| |> But sharing code examples or a bit more information would be helpful. Regards, Stefan. -- Stefan Schlesinger // /// http://sts.ono.at -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/FB5E078C13B440EA8F8BB7F7E94B2582%40ono.at. For more options, visit https://groups.google.com/groups/opt_out.
Re: [Puppet Users] Puppet and Passenger
Hi Jax, On 07.04.2012, at 02:45, Jax01 wrote: > I am attempting to configure Passenger. I have followed all of the > installation instructions but, when I restart my webserver, it does > not start the puppetmaster nor does it throw any errors. So, I am not > even sure where to begin to look. You can check my blog post, which describes the installation on Debian squeeze: http://sts.ono.at/blog/2010/08/31/debian-puppet-passenger Basically: * compare your puppet config against the one in my blog post * check you syslog and apache error log * Try to add a debug option to the config.ru file: ARGV << '-d' > Also, some of the documentation refers to the puppetmaster.conf file. > I am not sure what this is. I have only a puppet.conf file on the > puppetmaster which contains the required entries for the master. Am I > missing something here? No. Thats the correct one. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Re: NFS mount problem
Just take a look at example42's nfs module, it should already provide the
functionallity you are looking for.
Regards, Stefan.
On 04.03.2011, at 04:46, Ben Hughes wrote:
> On Thu, Mar 03, 2011 at 07:38:28PM -0800, Forrie wrote:
>
>> So are you saying for the "absent" items, we'll need to include a
>> file{} directive to remove the mount point, too?
>
> The mount handler won't go around deleting directories for you,
> thankfully. (:
>
> Do you create the mount point before you mount it, a la?
>
> file{ "/srv/fraser":
>ensure=> directory,
>owner=> "root",
>mode=> 0755,
> }
>
> mount{ "/srv/fraser":
>device=> "server:/path/fraser",
>fstype=> "nfs",
>ensure=> "mounted",
>options => "defaults",
>atboot=> true,
>require=> File[ "/srv/fraser" ]
> }
>
> You could probably make a define to wrap around both to ensure => absent
> the directory after you ensure => absent the mount point?
>
>
> --
> Ben Hughes || http://www.puppetlabs.com/
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] slave-facts on puppetmaster
Hey, > I'm figuring out a way to build a ssh-gateway. For that to work I want > access to the internal ipaddresses that are used by my slaves What are you trying to do? Are you trying to cluster SSH? > (which > get assigned by dhcp and thus are not predictable). You know that DHCP also provides options to make it less random? You could use dynamic DNS entries, or fixed IPs per MAC address Regards, Stefan. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] race conditions in using "svn update" in puppetmaster's /etc/puppet directory?
Hey James, if you could switch to Git instead of SVN, I have a working script which will automate this process for you, maybe you could also adopt it to use SVN as VCS backend. http://sts.ono.at/blog/2010/12/22/synchronize-puppet-with-git/ Regards, Stefan. On Jan 3, 2011, at 22:34 , James Ralston wrote: > In multiple places in the Puppet wiki, I see the advice to store the > puppermaster configuration in a VCS (specifically, a Subversion > repository), and then checkout that Subversion repository into /etc/ > puppet. That way, the puppermaster's configuration can be updated by > simply running (on the puppetmaster): > > $ cd /etc/puppet > $ svn update > > But this approach raises an interesting question: the process of > updating a checked-out copy of a Subversion repository is NOT atomic. > If the puppetmaster were to read files in /etc/puppet while a lengthy > "svn update" operation was updating /etc/puppet to the latest revision > (e.g., from revision 6 to revision 7), it is possible that the > puppetmaster would see a mix of files from revisions 6 and 7. That > could cause problems. > > So, here's my question: if you are currently using the "svn update" > approach to manage /etc/puppet on the puppetmaster, have you taken > conscious steps to help avoid a race condition? If so, what are they? > And if not, why not? > > (Note that you don't have to worry about individual files containing a > mix of revision 6 versus revision 7 content, because "svn update" > modifies files by first creating a new temporary file, then using the > rename(2) system call (which IS atomic) to move the new file into > place...) > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To post to this group, send email to puppet-us...@googlegroups.com. > To unsubscribe from this group, send email to > puppet-users+unsubscr...@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/puppet-users?hl=en. > -- Stefan Schlesinger // /// s...@ono.at+43.676.4911123 -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-us...@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Re: Puppet & Hudson CI
Would it be better to be able to have checkout a specific revision, or should I rather add support for checking out a tagged version? Regards, Stefan. On Dec 30, 2010, at 02:57 , Scott wrote: > Stefan, > > This is a great start, thank you! This is what I needed; once I check > in the source code revision (and it passes the requisite tests) I can > have Hudson trigger the sync tool on the puppet masters. It will work > as-is; but if you could add the option for a specific revision I would > be grateful as it would make reverting to an earlier version much > easier. > > Thanks again. > > On Dec 29, 7:13 pm, Stefan Schlesinger wrote: >> Hey Scott, >> >> I wrote a puppet-sync tool which syncs a git branch from Git to puppet >> masters.http://sts.ono.at/blog/2010/12/22/synchronize-puppet-with-git/ >> >> Maybe you could trigger it from hudson and sync the build from the Git >> repository. Only thing which might still be missing, is to specify a >> revision of a branch. >> >> Have a look at it and tell me if its useable and whether you need a >> parameter to sync a specific version of a Git branch. If so I'll just >> patch it. >> >> Regards, Stefan. >> >> On Dec 29, 2010, at 16:28 , Scott wrote: >> >> >> >> >> >> >> >> >> >>> All, >> >>> I'm looking for additional information regarding Puppet and Hudson. >>> Specifically, I am looking to automatically push successful >>> environment builds (say for Dev, QA, Production environments) from >>> Hudson to Puppet. Thus, when a puppet configuration is checked into >>> Hudson and the build succeeds, I want that configuration pushed via >>> Puppet to its managed servers. A RedMonk podcast (http:// >>> www.redmonk.com/cote/2008/06/11/puppet-at-google-redmonk-radio-episod...) >>> indicates Google uses this setup, and a few users here have alluded >>> they have a similar setup. However, I cannot find any documentation >>> on how to integrate the two. A short how-to or tutorial would be >>> appreciated! >> >>> Thanks in advance. >> >>> -- >>> You received this message because you are subscribed to the Google Groups >>> "Puppet Users" group. >>> To post to this group, send email to puppet-us...@googlegroups.com. >>> To unsubscribe from this group, send email to >>> puppet-users+unsubscr...@googlegroups.com. >>> For more options, visit this group >>> athttp://groups.google.com/group/puppet-users?hl=en. >> >> -- >> Stefan Schlesinger // /// >> s...@ono.at +43.676.4911123 > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To post to this group, send email to puppet-us...@googlegroups.com. > To unsubscribe from this group, send email to > puppet-users+unsubscr...@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/puppet-users?hl=en. > -- Stefan Schlesinger // /// s...@ono.at+43.676.4911123 -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-us...@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Re: puppet +with build support
Hey Sanjiy, On Nov 16, 2010, at 11:41 , sanjiv.singh wrote: > i am able to use environment option for build support .. Don't know whether this might still be of use to you. I wrote a puppet-sync script, which in this setup could maybe solve your problem. http://sts.ono.at/blog/2010/12/22/synchronize-puppet-with-git/ Regards, Stefan. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-us...@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Puppet & Hudson CI
Hey Scott, I wrote a puppet-sync tool which syncs a git branch from Git to puppet masters. http://sts.ono.at/blog/2010/12/22/synchronize-puppet-with-git/ Maybe you could trigger it from hudson and sync the build from the Git repository. Only thing which might still be missing, is to specify a revision of a branch. Have a look at it and tell me if its useable and whether you need a parameter to sync a specific version of a Git branch. If so I'll just patch it. Regards, Stefan. On Dec 29, 2010, at 16:28 , Scott wrote: > All, > > I'm looking for additional information regarding Puppet and Hudson. > Specifically, I am looking to automatically push successful > environment builds (say for Dev, QA, Production environments) from > Hudson to Puppet. Thus, when a puppet configuration is checked into > Hudson and the build succeeds, I want that configuration pushed via > Puppet to its managed servers. A RedMonk podcast (http:// > www.redmonk.com/cote/2008/06/11/puppet-at-google-redmonk-radio-episode-48/) > indicates Google uses this setup, and a few users here have alluded > they have a similar setup. However, I cannot find any documentation > on how to integrate the two. A short how-to or tutorial would be > appreciated! > > Thanks in advance. > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To post to this group, send email to puppet-us...@googlegroups.com. > To unsubscribe from this group, send email to > puppet-users+unsubscr...@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/puppet-users?hl=en. > -- Stefan Schlesinger // /// s...@ono.at+43.676.4911123 -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-us...@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] puppet meet-up in Vienna?
Hey Dan, we are currently about to organize a group of devops in Vienna, and I think it would be a great addition if someone from Puppetlabs would join our meeting. We had our first meeting in November and there will be another one December 14th. We didn't agree on a date for our third meetup, but we will arrange it so you can join us. I'll keep you updated. Btw. how long are you planning to stay? Regards, Stefan. On Nov 30, 2010, at 22:52 , Dan Bode wrote: > Hi, > > Anyone have interest in a puppet meet-up in Vienna? I will be in the area for > the holidays and would love to meet up with local puppet users to chat about > Puppet/Linux and such. I am thinking about the 20th of December. > > regards, > > -Dan Bode > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To post to this group, send email to puppet-us...@googlegroups.com. > To unsubscribe from this group, send email to > puppet-users+unsubscr...@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/puppet-users?hl=en. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-us...@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Thoughts on dropping 0.24.x client support in Puppet 2.7?
On Nov 25, 2010, at 07:43 , Patrick wrote: > On Nov 24, 2010, at 3:50 PM, Nigel Kersten wrote: > I mentioned this in an earlier thread, but here's a dedicated one. >> >> We made a big change between 0.24.x and 0.25.x where we moved from >> XMLRPC to REST. >> >> How do people feel about us dropping all XMLRPC support from 2.7.x, >> such that it only supported Puppet clients 0.25.x and higher? > > I don't need it, but at the very least, I think that doing that before Debian > stable picks up 0.25.x is probably a terrible idea. Guys, I'm a bit confused ... Debian/stable won't pick up 0.25.x anymore anyways. A list of Puppet versions in Debian: lenny (stable): 0.24.5-3 backports: 2.6.2-1~bpo50+1 squeeze:2.6.2-1 sid:2.6.2-2 experimental: 2.6.3-1 So the upcoming stable release will at least include 2.6.2. I'm not sure yet, whether they will even be trying to get 2.6.3 into squeeze, since they also got 2.6.2 into it after the official freeze. So if you are still running lenny boxes as soon as 2.7 will be out and you are going to mix *lenny* puppet agents with *sid* puppet masters you could still use the 2.6.2 packages which are already in backports. Basically, at least for Debian, I see no reason why it would be a bad idea for Puppetlabs to drop the support for pre 0.25.x clients. Regards, Stefan. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-us...@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Need advice on managing large Centos environment
On Sep 22, 2010, at 14:06 , Leslie Giles wrote: > I'm working on rolling out Puppet, but I'm stuck and I know somebody has > solved this problem... > > We have an engineering environment of around 200 Centos servers, plus a > production environment of roughly the same size. Currently, when we roll out > a new server, we do a 'yum update' so the new server has the latest packages; > however this means that just about every server has a different set of > package versions - a system rolled out today will have different versions > from one rolled out last month, and that will have different versions from > one rolled out last year. This might be a bit OT on this list but Usually operating system vendors do stable releases for that purpose. They invest a lot of effort to provide a stable version of a certain set of packages. Once released, they tend to not update software versions, except for updates which will fix security patches. So really, if you need a stable environment, use the stable version of your distribution and DO make security updates. Doing so never caused any harm to my systems. The next thing is that you have to somehow migrate your systems from stable release to stable release. Thats where puppet comes into play. You simply apply your manifests on the distribution's new release, and test the major service provided by the server. > This has bitten me in the past, where a feature developed on a recent system > failed to run on an older server, so I'm looking for a solution. I am in the > middle of rolling out Puppet, and we have private mirrors of the yum repos, > so a solution could build on these. > I can see several possible solutions: > - manage changes to the yum repos, and use puppet to make sure that every > server is up to date w.r.t. the yum repo. However this makes it difficult to > roll out changes in a controlled way,or to rollback changes. Same here, there shouldn't be any issues with updates as long as you don't upgrade a system from one major distribution release to the next. If a security update causes any harm to your application, you should fix it too. > - use puppet to list all package versions, and manage the versions explicitly > in puppet, however this means that puppet is going to have hundreds of > entries, and I can imagine a situation where I upgrade one package in puppet > without realizing that it depends on a newer version of another package, thus > puppet and yum start fighting about which version of the other package should > be installed. Specifying each installed package's version manually in your puppet manifest doesn't sound like a wise idea to me. > - always make sure that all systems are updated to the latest, which means a > slightly less stable environment, but avoids incompatibilities between > systems, and particularly the possibility that a feature developed on a newer > system will be asked to run on an older system. I think you should invest some work to provide an environment to your developers which better fits your production environment. If they use applications or libraries provided by your operating system, they need to make sure, that as soon as you upgrade your system, their code is still in a workable state. If they don't want to do that, either you or them needs to ship their application bundled with the appropriate set of libraries, so you decouple your application release cycles from your distribution's one. Regards, Stefan. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-us...@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Re: Setup 2.6 + apache, passenger
On Sep 10, 2010, at 15:47 , Gavin wrote: > File does not exist: /usr/share/puppet/rack/puppetmasterd/public/ > production. Actually I think I can reproduce your problem when I turn that option off in puppetmaster vhost: RackAutoDetect On ;-) Regards, Stefan. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-us...@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Re: Setup 2.6 + apache, passenger
On Sep 10, 2010, at 15:47 , Gavin wrote: > I'm running on Lenny mostly, but have Puppet (2.6), Passenger, Ruby > etc all installed from Debian 'Testing', and all seems to be co- > existing quite happily together. Well, if you install puppet/apache/rack/rails/passenger from testing, you could as well use squeeze instead of lenny. ;-) I've got the following packages installed on my system: ii apache2-mpm-worker 2.2.16-2 ii puppetmaster 2.6.0-2 ii libapache2-mod-passenger 2.2.11debian-1 ii librack-ruby1.8 1.1.0-3 ii rails2.3.5-1.1 > I'm stumped on one thing though, maybe someone one this list can offer > some pointers/advice. > > The guide talks about creating /usr/share/puppet/rack/puppetmasterd/ > public/ and /usr/share/puppet/rack/puppetmasterd/tmp/ which I have > done, however when my clients make a request I get the following > Apache error:- > > File does not exist: /usr/share/puppet/rack/puppetmasterd/public/ > production Since "public/" should be the apache document root, I suppose there is something wrong with your Apache configuration. Puppet agents will create a http request to the following url: "https://puppet:8140/production/...anything..."; Everything below the first slash should be interpreted by Apache to be passed to the Rack application running in Passenger. Did you try it with the apache configuration I sent in my last email? Also adding Passenger options[1][2] might help: PassengerRoot /usr PassengerRuby /usr/bin/ruby RailsAutoDetect On RailsBaseURI / Also try to tune Apache's log level and have a look at the logfiles. Regards, Stefan. [1] RailsAutoDetect - http://www.modrails.com/documentation/Users%20guide%20Apache.html#_railsautodetect_lt_on_off_gt [2] RailsBaseURI - http://www.modrails.com/documentation/Users%20guide%20Apache.html#RailsBaseURI -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-us...@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Setup 2.6 + apache, passenger
Hey,
I just tried to install puppet/puppetmaster/passenger on squeeze, and it worked
perfectly.
Since squeeze is already frozen, I consider using it as okey. :-)
Packages to install:
* puppetmaster
* libapache2-mod-passenger
Apache modules to enable:
a2enmod headers
a2enmod ssl
I had to change config.ru to use master instead of puppetmasterd, see the
following
Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=593557
/usr/share/puppet/rack/puppetmasterd/config.ru:
# a config.ru, for use with every rack-compatible webserver.
# SSL needs to be handled outside this, though.
# if puppet is not in your RUBYLIB:
# $:.unshift('/opt/puppet/lib')
$0 = "puppetmasterd"
require 'puppet'
# if you want debugging:
# ARGV << "--debug"
ARGV << "--rack"
require 'puppet/application/master'
# we're usually running inside a Rack::Builder.new {} block,
# therefore we need to call run *here*.
run Puppet::Application[:master].run
Disabled my puppetmaster (/etc/defaults/puppetmaster):
# Defaults for puppetmaster - sourced by /etc/init.d/puppetmaster
# Start puppetmaster on boot? If you are using passenger, you should
# have this set to "no"
START=no
The following represents my puppet configuration (/etc/puppet/puppet.conf)
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
templatedir=$confdir/templates
[master]
certname=puppet.ono.at
ssl_client_header=SSL_CLIENT_S_DN
ssl_client_verify_header=SSL_CLIENT_VERIFY
And below goes my Apache configuration:
## Puppetmaster Configuration
## Passenger Limits
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetectOff
RailsAutoDetect Off
Listen 8140
ServerName puppet.ono.at
SSLEngine on
SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.ono.at.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.ono.at.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile/var/lib/puppet/ssl/ca/ca_crt.pem
## CRL checking should be enabled; if you have problems with
## Apache complaining about the CRL, disable the next line
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars
## The following client headers allow the same configuration
## to work with Pound.
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
RackAutoDetect On
DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
Options None
AllowOverride None
Order allow,deny
allow from all
After everything is in place, restart apache and open up a web browser
to test whether everything is working: https://puppet:8140
If everything is working you should see a line saying:
"The environment must be purely alphanumeric, not ''"
Regards,
Stefan.
On Sep 8, 2010, at 19:17 , Mathias Gug wrote:
> Hi,
>
> Excerpts from Martin Willemsma's message of Wed Sep 08 04:43:21 -0400 2010:
>
>> 2010/9/8 FreddieB
>>
>>> I'm testing Puppet 2.6 and got all the basic stuff working with the
>>> default webricks. I read that it doesn't scale very well and is not
>>> suited for production environments and the recommended setup is Apache/
>>> Passenger.
>>>
>>> Is there a step-by-step-guide on how to set it up?
>>>
>>
>> There is detailed information regarding puppetmaster using passenger/apache
>> on centos and ubuntu
>>
>> http://projects.reductivelabs.com/projects/puppet/wiki/Using_Passenger
>>
>
> You may wanna give a try to the puppetmaster-passenger package available
> in Ubuntu Maverick and Debian experimental. The package will
> automatically setup everything for you.
>
> --
> Mathias Gug
> Ubuntu Developer http://www.ubuntu.com
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-us...@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
--
Stefan Schlesinger // ///
s...@ono.at+43.676.4911123
--
You recei
[Puppet Users] module organisation
Hello folks!
Since you cannot include modules twice, or overwrite anything
within a namespace, I'm looking for a way to organize my modules.
I initially started to create the following structure, which
will avoid storing redundant configuration in your manifests:
node server01.ono.at { include servergroups::ono::webserver }
node server02.ono.at { include servergroups::ono::webserver }
node server03.ono.at { include servergroups::ono::webserver }
node server04.ono.at { include servergroups::ono::mailserver }
class servergroups::ono::server
{
include puppet::client
include ssh::server
include exim::minimal
}
class servergroups::ono::webserver inherits servergroups::ono::server
{
include apache
...
}
class servergroups::ono::mailserver inherits servergroups::ono::server
{
include exim::mx
...
}
But after having worked with this for a while now and putting more and
more configuration into Puppet, I hit the point where all servers would
want a certain service configuration (eg. a minimal exim configuration),
*except* for one, the mail server, which wants to include a much more
complex exim configuration.
So I'd like to know how others worked around such limitations,
whether there are any functions in Puppet I could use to work around
this issue,
or which other approaches I could take to reach the same goal - not
having to create a second "servergroups::ono::server" class for just
one server.
--
Stefan Schlesinger // ///
s...@ono.at+43.676.4911123
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
