[Puppet Users] Apparent bug in 'import' when directory name matches module name

2013-02-18 Thread Steve Shipway
I've found an apparent bug in the puppet parser.

If you are using 'import' to include the contents of a subdirectory, like this:

import 'foo/*.pp'

and then you create a new module 'foo', suddenly the import statement silently 
stops working.  This means that any node definitions in the manifests that 
should have been included are not present, and those nodes fall back to the 
default node.  The 'foo' module can be completely minimal, just a 'class foo { 
}' in the init.pp is enough to break the import.

Now, in our case, our default node closes the firewall.  When we productionised 
a new module called 'oracle', all of the node definitions imported from 
oracle/*.pp suddenly stopped working, and so all the production oracle servers 
fell back to the default node definition, and closed their firewalls...  Insert 
the sound of the brown stuff hitting the fan...

I have successfully duplicated this, and logged it as a bug on the Puppet bug 
tracker.  A workaround seems to be to add a './' prefix to the imported 
directory name:

import './foo/*.pp'

which has the same effect, but is not broken by having a 'foo' module present.

I've tried to delve through the parser code to track this one down, but my Ruby 
skills are not as good as my Perl skills, and I've not managed to identify the 
reason.  Possibly the parser creates a new class for the imported directory?

I'd be interested in hearing if anyone else has experienced this, or if this 
clears up odd behaviour you're experiencing on your system.  Also, if you also 
have the problem, please go to the bug tracker and give this a +1 to help it 
get higher priority on the fix list...

Steve


Steve Shipway
University of Auckland ITS
UNIX Systems Design Lead
s.ship...@auckland.ac.nz
Ph: +64 9 373 7599 ext 86487

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
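
A pre-deployment check for the collision described in the message above, as an added example (not Puppet's code and not the poster's). It flags `import` patterns whose first path component is also a module directory name and which lack the './' prefix; the directory layout, file names and helper names are constructed for illustration.

```ruby
require 'tmpdir'
require 'fileutils'

# Matches a Puppet 2.x/3.x import line such as:  import 'foo/*.pp', "bar/*.pp"
IMPORT_LINE = /^\s*import\s+(.+)$/

# Return every quoted pattern named on `import` lines, skipping comment lines.
def import_patterns(manifest_text)
  manifest_text.each_line.flat_map do |line|
    next [] if line =~ /^\s*#/
    m = IMPORT_LINE.match(line)
    m ? m[1].scan(/['"]([^'"]+)['"]/).flatten : []
  end
end

# Names of the module directories found under each modulepath entry.
def module_names(modulepath)
  modulepath.flat_map do |dir|
    next [] unless File.directory?(dir)
    Dir.children(dir).select { |e| File.directory?(File.join(dir, e)) }
  end.uniq
end

# An import is at risk when it names a subdirectory without a './', '../' or
# '/' prefix and that subdirectory's name is also the name of a module.
def risky_imports(manifest_files, modulepath)
  mods = module_names(modulepath)
  findings = []
  manifest_files.each do |file|
    import_patterns(File.read(file)).each do |pat|
      next if pat.start_with?('./', '../', '/')
      next unless pat.include?('/')
      first = pat.split('/').first
      findings << { file: file, import: pat, module: first } if mods.include?(first)
    end
  end
  findings
end

# Constructed sample tree: an 'oracle' import directory and an 'oracle' module.
def build_sample_tree(root)
  manifests = File.join(root, 'manifests')
  modules   = File.join(root, 'modules')
  FileUtils.mkdir_p(File.join(manifests, 'oracle'))
  FileUtils.mkdir_p(File.join(manifests, 'web'))
  FileUtils.mkdir_p(File.join(modules, 'oracle', 'manifests'))
  FileUtils.mkdir_p(File.join(modules, 'ntp', 'manifests'))
  File.write(File.join(modules, 'oracle', 'manifests', 'init.pp'), "class oracle { }\n")
  File.write(File.join(manifests, 'site.pp'), <<~PP)
    # constructed site.pp
    import 'oracle/*.pp'
    import './web/*.pp'
    import 'nodes.pp'
    node default { }
  PP
  [File.join(manifests, 'site.pp'), modules]
end

# Run the check over the constructed tree; returns [import, module] pairs.
def demo
  Dir.mktmpdir do |root|
    site, modules = build_sample_tree(root)
    risky_imports([site], [modules]).map { |f| [f[:import], f[:module]] }
  end
end

if __FILE__ == $0
  demo.each do |imp, mod|
    puts "import '#{imp}' collides with module '#{mod}'; use './#{imp}'"
  end
end
```

Run against the real manifest directory and modulepath before promoting a new module, and treat any finding as a blocker where the default node is restrictive.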




RE: [Puppet Users] Is it possible to set up multi-level puppet nodes?

2012-05-27 Thread Steve Shipway
I have set ours up like this.

One top-level puppet server, hosting the CA, Filebucket, and Dashboard.  This 
uses mod_balancer and mod_proxy to route to...

Three backend puppet masters, handling the production environment manifests

One backend puppet server, handling the dev and test environment manifests

In addition, we have our departmental Subversion server, which synchs the 
puppet configuration to the three backend servers every 15min.

To make changes, we do this in the test environment, then check it in to 
subversion and migrate to production, which causes a subsequent synch out to 
all 3 backend servers within 15min.

We can theoretically have any number of backend production servers now, and the 
load on the frontend is relatively low.  The CA must be on a single server, and 
we also put the filebucket here to save on storage and make the dashboard work 
better -- though we could always put the filebucket onto a completely separate 
server if we so wished.  The CA could likewise be farmed out but since its load 
is negligible there's no point in doing so.  The dashboard could also be on a 
separate server but again it has low CPU requirements.

We use DNS to point to the top-level server.  Should we wish to have a remote 
puppet server (to save on bandwidth) then we can set one up with the same 
synchronisation, but not add it to the balancer group.  Maybe make it use a 
local filebucket, but it can still use the central CA.

This setup also allows us to have one dashboard, but still allow separate 
departments to run their own puppet environment behind the one DNS CNAME if 
they so wish.

Most of the config info was taken from the Puppet book, though it misses out a 
key configuration item - you need to specify which env var and HTTP header 
carries the SSL auth information on the backend, unless you keep the CA on the 
same host.

Steve


Steve Shipway
University of Auckland ITS
UNIX Systems Design Lead
s.ship...@auckland.ac.nz
Ph: +64 9 373 7599 ext 86487




RE: [Puppet Users] 12% of my puppet clients -- Could not retrieve catalog from remote server: execution expired

2012-05-09 Thread Steve Shipway
Not sure if it is the same issue, but we had a lot of timeout errors for 
catalogue retrieval once we started getting to the 200 nodes/hour point.  We 
changed puppet to be every 2 hours, and all was well, until we had 450 nodes 
(again, 200/hr) and the problem resurfaced.  I take it to be some limitation in 
the puppet system.

Now we've just finished installing a fully distributed puppet setup, with one 
frontend and four backend puppetmasters.  This should be able to handle 800/hr 
if the previous test were right, and we can expand horizontally indefinitely.

It could just be that you've reached the limit of your puppet infrastructure.

I also found that such features as storeconfigs greatly slow things down and 
reduce how many catalogues/hr can be served (thin storeconfigs is much better). 
 We were advised of this limitation when we put it in, but I had to try it out 
myself and see...

Steve

Steve Shipway
University of Auckland ITS
UNIX Systems Design Lead
s.ship...@auckland.ac.nz
Ph: +64 9 373 7599 ext 86487



From: puppet-users@googlegroups.com [puppet-users@googlegroups.com] on behalf 
of Tim Lank [timl...@timlank.com]
Sent: Wednesday, 9 May 2012 2:59 a.m.
To: puppet-users@googlegroups.com
Subject: Re: [Puppet Users] 12% of my puppet clients -- Could not retrieve 
catalog from remote server: execution expired

they do run as a daemon
pretty much always the same 70 and they don't all run at the same
time.  Many do, but not all.



On Tue, May 8, 2012 at 9:03 AM, Arnau Bria listsar...@gmail.com wrote:
> On Tue, 8 May 2012 05:35:34 -0700 (PDT)
> Tim Lank wrote:
>
> > how do I troubleshoot this error that occurs for about 12% of the
> > puppet clients (~70 out of ~550.)
> do they run as daemon?
> always the 70 same hosts are failing?
> do they run at same time?
>
> Cheers,
> Arnau




[Puppet Users] This worked for me

2012-04-16 Thread Steve Shipway
Thank you - this was a great help, and fixed my issue straight off.
Good to know about the version problem.
Steve




RE: [Puppet Users] Re: No child processes error message in dashboard

2012-03-13 Thread Steve Shipway
Possibly the UID under which the process is running has a resource limit and is 
not able to spawn a new process?  You likely need to unlimit nproc for the 
puppet process.

Steve

Steve Shipway
University of Auckland ITS
UNIX Systems Design Lead
s.ship...@auckland.ac.nz
Ph: +64 9 373 7599 ext 86487



From: puppet-users@googlegroups.com [puppet-users@googlegroups.com] on behalf 
of mukulm [smilemukul2...@gmail.com]
Sent: Tuesday, 13 March 2012 5:17 p.m.
To: Puppet Users
Subject: [Puppet Users] Re: No child processes error message in dashboard

Can anyone assist: what's the root cause of the "Could not evaluate: No
child processes" error message in dashboard, and how can this be
resolved?

Thanks




RE: [Puppet Users] Puppet staging server

2012-03-08 Thread Steve Shipway
We do this via multiple Environments.
We have a Dev, Test and Production environment, and migrate between them using 
subversion scripts.
The only thing to be aware of, is that you need to set up the file server so 
that all puppet: resources include the environment; thus: 
puppet:///files-$environment/myfile ; in this way, modules and manifests can 
move between environments without needing to change the files URL (under 
modules is fine because it already is aware of environments)
Another useful thing is to append the Production modules path to the end of the 
Dev and Test module paths, so you don't have to have a copy of every module in 
each environment.

If you want to have a client pointing at completely different puppet servers, 
then make a second client directory /etc/puppet2 for example, that defines a 
completely different varpath etc.  Then use --confpath=/etc/puppet2 to activate 
this one rather than using --server.  This way you can have a completely 
separate puppet agent installation, separate certificates, and so on.
We do this in some cases where we have an applications puppet server, where the 
client runs as a non-root user, and a systems puppet server, where the agent 
runs as root.  We can allow the apps team to maintain the manifests on the 
applications server.

Steve

Steve Shipway
University of Auckland ITS
UNIX Systems Design Lead
s.ship...@auckland.ac.nz
Ph: +64 9 373 7599 ext 86487


From: puppet-users@googlegroups.com [puppet-users@googlegroups.com] on behalf 
of Gonzalo Servat [gser...@gmail.com]
Sent: Wednesday, 7 March 2012 8:20 p.m.
To: puppet-users@googlegroups.com
Subject: [Puppet Users] Puppet staging server

Hi All,

I tried to implement a second Puppet server as a staging server with the idea 
of being able to run puppet in dry run mode against this staging server.

I ran into some SSL trouble. When I point at the staging server, I get various 
SSL related errors and I assume it's because the ca cert is different. I can 
get around it by clearing /var/lib/puppet/ssl and regenerating/signing the 
certificate, but I have to do the same thing when I go back to the production 
server which is not what I was hoping for.

Has anyone done this sort of thing? How'd you get around the SSL issues? I 
could use the same CA cert on both Puppet servers but I assume that won't work 
as the hostnames are different?

Thanks in advance
Gonzalo




RE: [Puppet Users] RE: enterprise puppet architecture

2012-02-23 Thread Steve Shipway
Your Puppet master has twice the CPU of ours; but more importantly, you have 
far simpler manifests.  Ours are very complex, and can take 20 seconds on 
average to build - some taking a minute for the whole process to finish.

We're going to completely redesign our setup, as per the instructions in the 
ProPuppet book, with multiple puppetmasters in a cluster behind a load balancer 
so that we can expand indefinitely.

Steve

Steve Shipway
University of Auckland ITS
UNIX Systems Design Lead
s.ship...@auckland.ac.nz
Ph: +64 9 373 7599 ext 86487


From: puppet-users@googlegroups.com [puppet-users@googlegroups.com] on behalf 
of Luke Bigum [luke.bi...@lmax.com]
Sent: Thursday, 23 February 2012 9:56 p.m.
To: puppet-users@googlegroups.com
Subject: Re: [Puppet Users] RE: enterprise puppet architecture

On 23/02/12 07:26, Steve Shipway wrote:
Our Puppet system here is currently managing about 500 nodes.  We anticipate 
about 1000 eventually.

I have had to reduce the client frequency to once every 4 hours; it seems that 
the maximum that can be handled by a single (dual-CPU, 8GB) puppet master is 
200 nodes.  After that, performance drops quickly and I notice many failed 
manifests.  This is with Puppet 2.7.10 on the master.


Hi Steve,

Excuse the slight change in topic but I'm interested in the performance stats 
you posted. I run Puppet 2.7.5 on a 4 CPU 4 GiB RAM KVM virtual machine. I use 
Puppet Commander to evenly distribute runs and my interval time works out to be 
around 15 minutes for 230 odd hosts, as per the timestamps between MCollective 
discoveries below:

[root@gs2puppet01 ~]# grep Found /var/log/puppetcommander.log | tail
I, [2012-02-23T06:46:12.218853 #28284]  INFO -- : Found 231 puppet nodes, sleeping for ~3 seconds between runs
I, [2012-02-23T06:57:59.009689 #28284]  INFO -- : Found 231 puppet nodes, sleeping for ~3 seconds between runs
I, [2012-02-23T07:09:49.237810 #28284]  INFO -- : Found 231 puppet nodes, sleeping for ~3 seconds between runs
I, [2012-02-23T07:21:39.435558 #28284]  INFO -- : Found 231 puppet nodes, sleeping for ~3 seconds between runs
I, [2012-02-23T07:33:26.554525 #28284]  INFO -- : Found 231 puppet nodes, sleeping for ~3 seconds between runs
I, [2012-02-23T07:45:59.550541 #28284]  INFO -- : Found 231 puppet nodes, sleeping for ~3 seconds between runs
I, [2012-02-23T07:57:51.013245 #28284]  INFO -- : Found 231 puppet nodes, sleeping for ~3 seconds between runs
I, [2012-02-23T08:12:10.915308 #28284]  INFO -- : Found 231 puppet nodes, sleeping for ~3 seconds between runs
I, [2012-02-23T08:24:16.383794 #28284]  INFO -- : Found 231 puppet nodes, sleeping for ~3 seconds between runs
I, [2012-02-23T08:37:03.750438 #28284]  INFO -- : Found 231 puppet nodes, sleeping for ~3 seconds between runs

I allow 10 Agents to run concurrently however my catalogs are very very light, 
less than a second to compile:

[root@gs2puppet01 ~]# grep 'Compiled catalog' /var/log/messages | awk '{sum+=$14} END {print sum/NR}'
0.750115

How big are your Puppet manifests so that you've had to drop the run time down 
to 4 hours? Have you considered the use of MCollective and Puppet Commander to 
spread your load out more?

-Luke

We've bought a copy of ProPuppet (as Jeff Watts recommended) and we're 
planning to make a distributed system as instructed in there -- one puppet 
dashboard/report server, multiple puppet master servers, and one dev server.  
Puppet configurations held in subversion and synchronised on all puppet 
masters, which would themselves be behind a load balancer.  This is still in 
the planning stage, though.

I'd be interested in hearing your experiences in managing your extra-large 
system; I can also share our experiences in how we implemented and manage 
control of this system, if you'd like to contact me off-list.  When we first 
implemented, we engaged a Puppet Labs consultant for a few days to help with 
the initial work.  I can definitely recommend doing this if you've no puppet 
experience, as one place Puppet lacks is documentation!

Steve

Steve Shipway
University of Auckland ITS
UNIX Systems Design Lead
s.ship...@auckland.ac.nz
Ph: +64 9 373 7599 ext 86487




--
Luke Bigum

Information Systems
luke.bi...@lmax.com | http://www.lmax.com
LMAX, Yellow Building, 1A Nicholas Road, London W11 4AN


[Puppet Users] RE: enterprise puppet architecture

2012-02-22 Thread Steve Shipway
Our Puppet system here is currently managing about 500 nodes.  We anticipate 
about 1000 eventually.

I have had to reduce the client frequency to once every 4 hours; it seems that 
the maximum that can be handled by a single (dual-CPU, 8GB) puppet master is 
200 nodes.  After that, performance drops quickly and I notice many failed 
manifests.  This is with Puppet 2.7.10 on the master.

We've bought a copy of ProPuppet (as Jeff Watts recommended) and we're 
planning to make a distributed system as instructed in there -- one puppet 
dashboard/report server, multiple puppet master servers, and one dev server.  
Puppet configurations held in subversion and synchronised on all puppet 
masters, which would themselves be behind a load balancer.  This is still in 
the planning stage, though.

I'd be interested in hearing your experiences in managing your extra-large 
system; I can also share our experiences in how we implemented and manage 
control of this system, if you'd like to contact me off-list.  When we first 
implemented, we engaged a Puppet Labs consultant for a few days to help with 
the initial work.  I can definitely recommend doing this if you've no puppet 
experience, as one place Puppet lacks is documentation!

Steve

Steve Shipway
University of Auckland ITS
UNIX Systems Design Lead
s.ship...@auckland.ac.nz
Ph: +64 9 373 7599 ext 86487




RE: [Puppet Users] Change user password only on systems where they exist

2012-02-22 Thread Steve Shipway
We have a system here that automatically resets the root password (amongst 
others) when they are 60 days old, and stores the new password in a central 
encrypted location.  To do this, we have a custom fact that identifies the age 
of users, and a custom function that returns if a user exists and, if so, the 
age of their password.  Another custom function creates a new password, and a 
final one does the update in the central encrypted database.  An Exec resource 
takes care of the actual password change on the puppet agent.

Is this similar to what you're looking for?  If you take a look in the Puppet 
Forge website for the 'ss' module then you can see how we do it there, else 
contact me off-list.

Steve

Steve Shipway
University of Auckland ITS
UNIX Systems Design Lead
s.ship...@auckland.ac.nz
Ph: +64 9 373 7599 ext 86487



From: puppet-users@googlegroups.com [puppet-users@googlegroups.com] on behalf 
of Romeo Theriault [romeo.theria...@maine.edu]
Sent: Thursday, 23 February 2012 4:49 p.m.
To: puppet-users@googlegroups.com
Subject: [Puppet Users] Change user password only on systems where they exist

Hi, We're just getting started with puppet and one of the things we'd
like to automate across a mix of Solaris and RHEL boxes is resetting a
user's password. But we only want to reset the user's password on the
boxes they already exist on. We don't want to have their account
created on all the boxes. We also don't want to modify any of their
settings like shells, etc...

I've used puppet to create users across all our boxes and that was
straightforward but I'm not sure the best way to conditionally change
a user's password is. If it was just RHEL I'd be tempted to check for
the user's homedir and then do an exec {  usermod -p }, but
solaris doesn't support the usermod -p (for password) option. Is there
a more puppet way to pull this off?

Thank you,

Any suggestions would be appreciated.

--
Romeo




RE: [Puppet Users] Augeas question ab

2012-02-15 Thread Steve Shipway
This is only a guess, but is Augeas doing a STRING comparison of the values 
instead of a NUMERICAL one?

String-wise, 7000 < 80 but numerically it's the other way around.

Can you try setting the current value to '1' and see if Augeas wants to change 
it to 784009728.  If it does, then that's the issue.

As to WHY it would be doing a string-wise comparison, I don't know.  It could 
be down to the version of  Augeas or the Puppet agent.  Try upgrading to the 
latest and test it again...

Steve

Steve Shipway
University of Auckland ITS
UNIX Systems Design Lead
s.ship...@auckland.ac.nz
Ph: +64 9 373 7599 ext 86487



From: puppet-users@googlegroups.com [puppet-users@googlegroups.com] on behalf 
of rvlinden [rene.vanderlinde...@gmail.com]
Sent: Wednesday, 15 February 2012 10:26 a.m.
To: Puppet Users
Subject: [Puppet Users] Augeas question ab

Hi,

I'm having some 'strange' issues with augeas and an onlyif statement

This is my code

augeas { "classx_sysctl_shmmax":
    incl    => '/etc/sysctl.conf',
    lens    => 'Sysctl.lns',
    changes => "set kernel.shmmax ${sysctl_kernel_shmmax}",
    onlyif  => "get kernel.shmmax < ${sysctl_kernel_shmmax}",
}

I only want to change the kernel.shmmax in /etc/sysctl.conf when the
value is greater than what is currently configured.

For example
kernel.shmmax defaults to 784009728 and I changed it manually to
784009729 (so +1)
=> When puppet runs, nothing needs to be done (as expected)

kernel.shmmax defaults to 784009728 and I changed it manually to
784009727 (so -1)
When puppet runs, it wants to change the value (as expected)

-kernel.shmmax = 784009727
+kernel.shmmax = 784009728
notice: /Stage[main]/Classx/Augeas[classx_sysctl_shmmax]/returns:
current_value need_to_run, should be 0 (noop)

So for now, everything looks fine, however ...
If I change the value to something really small, like from 784009728
to 84009728 (removed the first digit), puppet does not want to change
it anymore.

What I can see is that puppet/augeas only evaluates values correctly
as long as the number of digits stays the same, so

100 is less than 101
101 is greater than 100
but 99 is greater than 100 ?!? :-(

Anyone an idea how I can configure augeas to do this correctly ??

Regards,
Rene
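
The string-versus-numeric difference suggested in the reply above, worked through with the values from this thread as an added example (not Augeas or Puppet code, and not the posters'). It reads `kernel.shmmax` from constructed sysctl.conf text and evaluates the "raise only" condition both ways; the function names are hypothetical.

```ruby
# Read one key from sysctl.conf-style text ("key = value"), skipping comments.
def sysctl_value(text, key)
  text.each_line do |line|
    next if line =~ /^\s*[#;]/
    k, v = line.split('=', 2).map(&:strip)
    return v if k == key && v
  end
  nil
end

# The comparison the reply suspects: both operands compared as strings,
# character by character, so "84009728" sorts after "784009728".
def needs_raise_stringwise?(current, desired)
  current.to_s < desired.to_s
end

# The comparison the manifest author intended. Integer() raises ArgumentError
# on non-numeric input instead of silently comparing text.
def needs_raise_numeric?(current, desired)
  Integer(current.to_s, 10) < Integer(desired.to_s, 10)
end

# Evaluate both comparisons for each current value placed in a constructed
# sysctl.conf, against the desired value.
def compare_cases(desired, currents)
  currents.map do |cur|
    conf = "# constructed sysctl.conf\nkernel.shmmax = #{cur}\n"
    v = sysctl_value(conf, 'kernel.shmmax')
    { current: v,
      string: needs_raise_stringwise?(v, desired),
      numeric: needs_raise_numeric?(v, desired) }
  end
end

# Current values for which the two comparisons disagree, i.e. where the
# setting would be left too low (or changed needlessly).
def disagreements(desired, currents)
  compare_cases(desired, currents)
    .reject { |c| c[:string] == c[:numeric] }
    .map { |c| c[:current] }
end

if __FILE__ == $0
  desired = '784009728'
  compare_cases(desired, %w[784009729 784009727 84009728 1]).each do |c|
    puts format('current=%-10s string-wise raise? %-5s numeric raise? %s',
                c[:current], c[:string], c[:numeric])
  end
end
```

The current value of 1 proposed in the reply raises under both comparisons, while 84009728 is the case where they diverge.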




RE: [Puppet Users] Display correctly any array

2012-01-17 Thread Steve Shipway
This is because puppet lacks the join() function, the obvious (but absent) 
partner to the split() function.

However you can add it by using a custom function very easily, as we've done.  
Email me if you'd like a copy of the join.rb file to put in your 
puppet/parser/functions directory.  The only caveat is to remember to type 
check arg[0] in case passed a string rather than an array.

Steve

Steve Shipway
University of Auckland ITS
UNIX Systems Design Lead
s.ship...@auckland.ac.nz
Ph: +64 9 373 7599 ext 86487


From: puppet-users@googlegroups.com [puppet-users@googlegroups.com] on behalf 
of Antidot SAS [antidot...@gmail.com]
Sent: Tuesday, 17 January 2012 4:23 a.m.
To: puppet-users
Subject: [Puppet Users] Display correctly any array

Hi everyone,


Is there a way to display an array correctly? Each time I try to 'notice' 
an array I get something like this:
Here is the code:
$array = [ 'test' , 'test2']

notice("Here is the $array")

The output is as follows:
Here is the testtest2


There is no way to put a clean IFS for the output...





RE: [Puppet Users] How to handle multiple modules requiring the same packages

2012-01-17 Thread Steve Shipway
You can make the package resource definition conditional.

class foo {
  # Declare the package only if no other class has already done so
  if ! defined( Package['gcc'] ) {
    package { 'gcc': ensure => installed; }
  }
}
class bar {
  if ! defined( Package['gcc'] ) {
    package { 'gcc': ensure => installed; }
  }
}

Or, define a new class for the package(s) and include that

class pkg::gcc {
  package { 'gcc': ensure => installed; }
}
class foo {
  include pkg::gcc
}
class bar {
  include pkg::gcc
}

Second method is more elegant IMHO; but if it's a one-off then first might be 
simpler.

Steve

Steve Shipway
University of Auckland ITS
UNIX Systems Design Lead
s.ship...@auckland.ac.nz
Ph: +64 9 373 7599 ext 86487




[Puppet Users] Puppet integration with SecretServer (Thycotic)

2011-12-12 Thread Steve Shipway
I've done some more development on my Puppet module that handles password 
integration with Secret Server from Thycotic, and now it handles certificates 
as well.

This allows you to have a 'password' define that ensures the password is stored 
in SecretServer, and changes it on a regular basis:

password { 'root': maxage => 60; }
password { 'oracle': }

Also now you can manage certificates, and it will install and update them:

ssl::cert { $fqdn: }
ssl::cert { 'foo.company.com':
  key => '/usr/local/ssl/foo.key',
  crt => '/usr/local/ssl/foo.crt';
}

The module will retrieve the certificate and key from SecretServer, then 
optionally restart Apache after installing them.  You can override this 
behaviour, or specify a different location for the files than the default of 
/etc/httpd/conf.
It can also work from files instead of secretserver if necessary.

This requires SecretServer 7.6 or later (for the certificates) and 7.0 or later 
(for passwords).  There is also a ruby module (secretserver.rb) that needs to 
be installed, as well as Ruby Gems and the 'savon' gem.

I'm working on wrapping the two up into a 'secretserver' module and uploading 
to moduleforge.

If anyone would like a copy, let me know.

Steve


Steve Shipway
University of Auckland ITS
UNIX Systems Design Lead
s.ship...@auckland.ac.nz
Ph: +64 9 373 7599 ext 86487




[Puppet Users] Re: Variable interpolation in class parameters

2011-10-31 Thread Steve Shipway
FWIW, I find I agree with jcbollinger on this one -- the class parameter 
declaration block is not a code block, so you should not use variables 
defined there to define other variables in the same block.  That it works 
at all is surprising, and probably down to the order the parameters are 
processed (which, as it most likely depends on hash table sequence, is 
going to appear random)

Best practice would seem to be to make the variables default to null, and 
then use subsequent evaluations within the class code to perform the 
relevant defaulting, as he said.

Steve



To view this discussion on the web visit 
https://groups.google.com/d/msg/puppet-users/-/ocjQmdnOX3sJ.



RE: [Puppet Users] Hostname fact doesn't handle hostnames with periods

2011-10-11 Thread Steve Shipway

We have a situation here where we have multiple internal subdomains, but want 
to configure Nagios to identify  hosts without our main domain.  Thus, the 
'hostname' we use for some items would be hostname.subdomain .  We also have to 
strip off a certain subdomain (I won't go into the convoluted reasons for this).

To do this (in the cases it is necessary) I simply take the fqdn and use 
search/replace to replace the trailing domain name with nothing.  So, no need 
to change facter as I can use fqdn.

$hostname = foo
$fqdn = foo.dept.auckland.ac.nz
$nagioshostname = regsubst( $fqdn, '(\.itss|\.no)?\.auckland\.ac\.nz$', '','I' )

This might be sufficient for what the original poster was asking?

Of course, they could always define a custom fact to hold the output of uname 
if they prefer.  One of the great things about the puppet/facter model is that 
you can do this with very little effort.

I would definitely not want to change the current behaviour of fqdn and 
hostname.

Steve

Steve Shipway
University of Auckland ITS
UNIX Systems Design Lead
s.ship...@auckland.ac.nz
Ph: +64 9 373 7599 ext 86487





[Puppet Users] Puppet module to regularly change passwords and update SecretServer

2011-02-22 Thread Steve Shipway
I've created a Puppet module which will check a specified user for password
age, and if it is older than a specified amount, then it will first generate
a random password, change the user's password to this, and will then update
(or create) the stored password as held in the Secret Server application
(via the SecretServer API) -- see http://www.thycotic.com/.  This means
that we don't need to allow SecretServer to log in remotely as root to do
the job itself, and we can receive notification (via Puppet reports) when
this has been done.

 

So far this only works for Linux but it should be simple to make it work for
other OS.

 

Usage is:

  password { 'user': age => 30, username => 'user' }

 

with both parameters optional.  We will use this to autorotate passwords on
non-user accounts (root, oracle) since account expiry causes crontabs to
stop working and we cannot lock the accounts or disable expiry due to
functionality and security requirements.

 

Is anyone already using SecretServer interested in testing a copy?  There
are a couple of caveats with it but things are looking good so far.

 

Steve

 

 


Steve Shipway

st...@steveshipway.org

Routers2.cgi web frontend for MRTG/RRD; NagEventLog Nagios agent for Windows
Event Log monitoring; check_vmware plugin for VMWare monitoring in Nagios
and MRTG; and other Open Source projects.

Web: http://www.steveshipway.org/software
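
The age check and password generation described in the message above could look like the following. This is an added example, not the module's own code (the post does not show it); the function names, the constructed shadow entry and the `set_password`/`store_secret` callables are assumptions.

```ruby
require 'date'
require 'securerandom'

EPOCH = Date.new(1970, 1, 1)
ALPHABET = [*'a'..'z', *'A'..'Z', *'0'..'9'].freeze

# Constructed sample entry: last change on day 14982 since the epoch.
SAMPLE_SHADOW = 'oracle:$6$constructed$notarealhash:14982:0:99999:7:::'

# Field 3 of a shadow entry is the last password change in days since
# 1970-01-01. Returns nil when it is empty or 0 (no usable age).
def password_age_days(shadow_line, today)
  fields = shadow_line.chomp.split(':', -1)
  raise ArgumentError, 'not a shadow entry' unless fields.length == 9
  last_change = Integer(fields[2], 10) unless fields[2].empty?
  return nil if last_change.nil? || last_change.zero?
  (today - EPOCH).to_i - last_change
end

# An entry with no usable age counts as due, so it is never skipped silently.
def rotation_due?(shadow_line, max_age_days, today)
  age = password_age_days(shadow_line, today)
  age.nil? || age > max_age_days
end

# Draws every character from the OS CSPRNG rather than from rand().
def random_password(length = 24)
  Array.new(length) { ALPHABET[SecureRandom.random_number(ALPHABET.size)] }.join
end

# set_password and store_secret are hypothetical callables standing in for
# the local password change and the Secret Server update, in the post's order.
def rotate_if_due(shadow_line, max_age_days, today, set_password:, store_secret:)
  return :fresh unless rotation_due?(shadow_line, max_age_days, today)
  user = shadow_line.split(':', 2).first
  password = random_password
  set_password.call(user, password)
  store_secret.call(user, password)
  :rotated
end
```

If the store step fails after the local change, the new password exists nowhere else, so a real implementation has to surface that failure in the run's report.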




[Puppet Users] RHEL5 and RHEL6 with Puppet

2011-02-22 Thread Steve Shipway
I've just started to test existing Puppet modules with RHEL6.  It seems that
several things have changed slightly, breaking the old RHEL5-tested modules
and requiring additional configuration to be added.

 

1. The syslogd has changed to rsyslog, and the config files have altered.
This is the largest change.

2. The snmpd has changed the location of its var file and so SNMPv3 user
creation doesn't work the same.

3. The use of UDEV for all devices now requires us to have some special
rules added on our virtual (vmware) guests, so that device names are not
persistent -- we need to exclude vmware network devices from UDEV else they
will be renamed if the MAC address changes.

 

Has anyone else spotted any other changes requiring alteration to the Puppet
manifests and modules?

 

Steve

 

 


Steve Shipway

st...@steveshipway.org

Routers2.cgi web frontend for MRTG/RRD; NagEventLog Nagios agent for Windows
Event Log monitoring; check_vmware plugin for VMWare monitoring in Nagios
and MRTG; and other Open Source projects.

Web: http://www.steveshipway.org/software




[Puppet Users] Virtual resources stopped working...

2011-02-17 Thread Steve Shipway
Since I moved our pre-prod puppet master to RHEL6, things have
broken.  This is how:

We have two classes, 'users' (which defines all our users as virtual)
and 'users::sys' which realises the systems-admin users.

I then have (this is simplified to show the problem):

node basenode  {
  include users
}
node foo inherits basenode {
  include defaults::systems
}
class defaults::systems {
  include users::sys
}

Previously, this worked -- but now, it doesn't!  The virtual users seem
to be created, but nothing is realised.

I also have another class -- sudo -- which is included in basenode.
This uses the class collection in a template file to build the sudoers
file, based on which of the users::xxx classes have been included.
Again, this used to work, but now it seems to be unable to see the
defaults::systems or users::sys classes for some reason.  I know they
are being included because I've added a notice() call in the class to
verify its inclusion.

Why would this be?  Does anyone know any reliable way to list every
class a node is including?  Is there a reason the users::sys class
cannot realise resources defined in users?

We originally tried to use tags to achieve this, but they are
completely useless as they are not global...

Hope someone can help.

Steve




[Puppet Users] How to use a resource name in its own definition?

2010-11-03 Thread Steve Shipway
 Hi, I'm trying to set up Puppet here for the first time and have run into
some problems.

To set up our users, I'm trying to define many users at once as virtual
resources for later realisation in sets.  However, I'd like to have it
properly create the home directory:

@user { 'foo':
    ensure     => present,
    managehome => true,
    home       => $operatingsystem ? {
        solaris => "/export/home/foo",
        default => "/home/foo",
    },
}

Now, this works; what I want to do is to make the 'foo' bit parameterised,
so that I can do:

$admins = [ 'foo', 'bar' ]
@user { $admins:
    ensure     => present,
    managehome => true,
    home       => $operatingsystem ? {
        solaris => "/export/home/$name",
        default => "/home/$name",
    },
}

However this doesn't work; the $name is taken from the class that we're
running this in.  Is there any way to do this?  I'd use a loop over the
$admins list, except that I can't find any loop structures in the puppet
config language, only if/else.

I've tried using a define to do it:

define users::addVirt() {
    @user { $name:
        ensure     => present,
        managehome => true,
        home       => $operatingsystem ? {
            solaris => "/export/home/$name",
            default => "/home/$name",
        },
    }
}
class users {
  $admins = [ 'foo', 'bar' ]
  users::addVirt { [  $admins ]: }
}

and this works; however when I later try to realise the users:

class users::admins inherits users {
  $admingroup = $operatingsystem ? {
    solaris => 'sysadmin',
    default => 'unixadmin'
  }
  User[ $admins ] {
    groups +> [ $admingroup ],
  }
  realize( User[ $admins ] )
}

I end up with:

err: Could not retrieve catalog from remote server: Error 400 on SERVER:
Only subclasses can override parameters at
/etc/puppet/manifests/classes/users.pp:96 on node
secpupprd01.its.auckland.ac.nz

which is complaining about the part:

  User[ $admins ] {
    groups +> [ $admingroup ],
  }

although I cannot see why.

Does anyone have any advice for me on what is going wrong here, or a better
way to achieve this?  Thanks in advance for any help...

Steve

 

Steve Shipway

University of Auckland ITS

UNIX Systems Design Lead

s.ship...@auckland.ac.nz

Ph: +64 9 373 7599 ext 86487

 




RE: [Puppet Users] Puppet Application Server Deployment

2010-11-03 Thread Steve Shipway
I'm just starting with puppet, but how about this as a solution to the
precedence and single-restart problem

 

1. Define some stages

stage { "pre": before => Stage["main"] }
stage { "post": require => Stage["main"] }

2. Define a jvm class with the stages associated with the pre and post:

class jvm { }
class jvm::jvm1 inherits jvm {
  $start = "/etc/init.d/jvm1 start"
  $stop = "/etc/init.d/jvm1 stop"
  @exec { "jvm1::stop": command => $stop, stage => pre }
  @exec { "jvm1::start": command => $start, stage => post }
  # In here add anything else you want to do for the jvm1 setup, eg global settings
}

3. Create a define to add a jvm deploy

define jvm::jvm1::deploy() {
  include jvm::jvm1
  realize( Exec["jvm1::stop"], Exec["jvm1::start"] )
  # add the necessary deploy commands here, file definitions, etc
  deploy( $name )
}

 

This might be overkill and I'm not 100% sure about my syntax, but you should
be able to extend it to have multiple JVMs on the same machine.  The use of
the jvm::jvm1 class and the virtual resources for the exec's makes sure you
don't end up with the start/stop multiple times and they only run if
required, and you can use the jvm::jvm1::deploy multiple times.  The stages
ensure that the stop is run before the deployment and the start is run after
deployment.  It might be possible to use parameterised classes with the jvm
class to set up the jvm::jvm1 classes but I'm not so familiar with the
syntax as yet.

 

The problem with doing the nodes sequentially might be possible using
resource chaining?

 

Steve

 


Steve Shipway

ITS Unix Services Design Lead

University of Auckland, New Zealand

Floor 1, 58 Symonds Street, Auckland

Phone: +64 (0)9 3737599 ext 86487

DDI: +64 (0)9 924 6487

Mobile: +64 (0)21 753 189

Email:  mailto:s.ship...@auckland.ac.nz s.ship...@auckland.ac.nz


 

 

From: puppet-users@googlegroups.com [mailto:puppet-us...@googlegroups.com]
On Behalf Of jwa
Sent: Thursday, 28 October 2010 2:13 p.m.
To: puppet-users@googlegroups.com
Subject: Re: [Puppet Users] Puppet Application Server Deployment

 

 

On Oct 27, 2010, at 5:02 PM, Douglas Garstang wrote:

 

On Mon, Oct 25, 2010 at 1:21 AM, James Turnbull ja...@puppetlabs.com
wrote:

ajinkya prabhune wrote:
 Hi,

 So what do u think is good and better than Puppet ?

 thanks

I second Nigel's question.  I know a number of people who deploy Java,
Ruby, PHP, etc, etc applications with Puppet.

 

Me too. I do it several times a day.

 

Can you guys describe the sort of applications you deploy, how they are
delivered to the target, and how you deal with rolling bounces (start on
node A, shutdown JVM, deploy code, start JVM, move to node B, etc.) ?  Are
you just doing this by ordering puppet runs externally?  If so, what manages
the ordering?

 

How do you tell puppet which version / package of the code to install?  Do
you generate manifests with this information?  Is it a fact?  extlookup?

 

I'd also be interested to know how / if you handle deployment of multiple
apps to the same container.  Imagine you have a dependency like this (pseudo
puppet code):

 

app1: { require => [ exec[ shutdown-jvm1], deploy[app1],
exec[start-jvm1] ] }

app2: { require => [ exec[ shutdown-jvm1], deploy[app2],
exec[start-jvm1] ] }

   

.. when you deploy app1 and app2 at the same time (ie, within the same
puppet run), are you able to make puppet only apply the first shutdown and
the last startup?  (basically, optimize it  just shutdown jvm1 once, deploy
both app1 and app2, then start jvm1.)  We do this today with home-grown code
but I'd like to move it into puppet if possible.

 

Thanks!

James

 




RE: [Puppet Users] Re: How to use a resource name in its own definition?

2010-11-03 Thread Steve Shipway
> A Puppet define is not a macro.  Roughly speaking, your User resources
> do not belong to class users, but rather to instances of your define,
> users::addVirt, which is why a subclass of users cannot override their
> properties.  You could try nesting the define inside class users, but
> I don't really think that's gonna work (it would be sweet if it did,
> though!).

This explains a lot, then.  I was thinking of a define as a macro or a function 
block, whereas in fact it is more like a class (albeit with multiple instances).

A parameterised class isn't going to work.

Maybe I can make users::virt as the define, and then a subclass 
users::virt::admins which inherits users and is included by users::admins in 
order to get around this?  I'll try it and see what it says...

Thanks for the help; in a couple of days the Puppet book should arrive here and 
hopefully fill in the large gaps in the online manual for us.

Steve


Steve Shipway
st...@steveshipway.org
Routers2.cgi web frontend for MRTG/RRD; NagEventLog Nagios agent for Windows 
Event Log monitoring; check_vmware plugin for VMWare monitoring in Nagios and 
MRTG; and other Open Source projects.
Web: http://www.steveshipway.org/software