Re: [Puppet Users] Re: How to Orchestrate State, such as use IPs of new systems for config other systems

2018-04-30 Thread Thomas Mueller


On 04/30/2018 06:29 PM, Joaquin Menchaca wrote:
> For pure-cluster pattern, I have to deploy all at once first, then put
> the config on all the systems.  For load balancer + web nodes, the
> eventual convergence with puppetdb (poor person's service discovery)
> would work, but clusters are all or nothing deal, eventual convergence
> would set off alarms.
>
> I am looking into roles/profiles w/ hiera (now roles/profiles w/ hiera
> + control repo), and trying to read up on this (and using r10k).  It's
> a bit daunting starting out.
>
> I was wondering about these possibilities (if they are possibilities):
> (1) custom or external facts, command line, or ruby class, (2) ENC to
> pass in values, which reads current cloud config (gcp or aws) or local
> vagrant settings for dev, which can pass these values to the class. 

 custom facts will always be data generated on the client and submitted
to the master - which might not be safe to trust for important decisions
as you might send credentials to the client based on that data.

An ENC could provide any data you like - but you'll need to create your
own.

Another possibility might be http://jerakia.io/ by Craig Dunn, which was
created to integrate different data sources. But more data sources ==
more external dependencies.

But none of these will run your puppet agents in correct order.


>
> Bolt has me curious.  I have dabbled around with it, running commands
> or a script to a remote node.  Are there other ways I could use this? 
> Could I use it to introduce custom facts, or inject values into
> puppetdb? hiera?  The docs are not all that intuitive (had to step
> through gem source code to discern how to use ssh transport for my
> environment).

I think bolt is still in its early stages.

- Thomas

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/9bea2742-d36d-db2b-b324-74feab10ff62%40chaschperli.ch.
For more options, visit https://groups.google.com/d/optout.
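
An added example, not part of the original message and not code from the Puppet project: an ENC of the kind mentioned above, which keys only on the certname Puppet passes as its single argument and answers from data held on the master, so nothing a client reports in facts decides what it receives. The inventory contents, host names, `role::*` class names and the `cluster_members` parameter are assumptions made for illustration.

```ruby
#!/usr/bin/env ruby
# Added example ENC. The master runs it as:  <script> <certname>
# and reads one YAML document (classes / parameters / environment) from stdout.
require 'yaml'

# Constructed inventory (assumption). A real ENC would read this from a
# source the master controls (cloud API, CMDB, file), never from client facts.
INVENTORY = {
  'zk1.example.test'  => { 'role' => 'zookeeper', 'cluster' => 'zk-dev', 'ip' => '10.0.0.11' },
  'zk2.example.test'  => { 'role' => 'zookeeper', 'cluster' => 'zk-dev', 'ip' => '10.0.0.12' },
  'zk3.example.test'  => { 'role' => 'zookeeper', 'cluster' => 'zk-dev', 'ip' => '10.0.0.13' },
  'www1.example.test' => { 'role' => 'web',       'cluster' => nil,      'ip' => '10.0.1.21' }
}.freeze

# Return the ENC answer for one certname, or nil when the node is unknown.
def classify(certname, inventory = INVENTORY)
  node = inventory[certname]
  return nil unless node

  # Every member of the node's cluster, itself included, so all members of a
  # cluster are handed the same list on the same run.
  members = inventory.values
                     .select { |n| n['cluster'] && n['cluster'] == node['cluster'] }
                     .map { |n| n['ip'] }
                     .sort
  {
    'classes'     => ["role::#{node['role']}"],
    'parameters'  => { 'cluster_members' => members },
    'environment' => 'production'
  }
end

# Command-line entry point, used when Puppet calls the script with a certname.
if $PROGRAM_NAME == __FILE__ && ARGV.size == 1
  answer = classify(ARGV[0])
  if answer.nil?
    warn "ENC: no inventory entry for #{ARGV[0].inspect}"
    exit 1 # a non-zero exit makes catalog compilation fail for this node
  end
  puts answer.to_yaml
end
```

The master is pointed at such a script with `node_terminus = exec` and `external_nodes = <path to script>` in puppet.conf. As the reply notes, this only supplies data; it does not make agents run in a particular order.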


Re: [Puppet Users] Re: Environment variable setting while using a module

2018-04-19 Thread Thomas Mueller


On 04/19/2018 02:21 PM, Ugo Bellavance wrote:
>
>
> On Thursday, April 19, 2018 at 7:50:30 AM UTC-4, Thomas Müller wrote:
>
> Hi Ugo
>
> Am Freitag, 30. März 2018 17:27:28 UTC+2 schrieb Ugo Bellavance:
>
> Hi,
>
> I'm using the puppetlabs-postgresql module and it works very
> well, but I want to make it work with a non-standard version
> of postgresql (from Red Hat Software Collections) because I
> would like to use Postgresql 9.6 on RHEL 7.  Almost everything
> is working, but I get errors from some commands that cannot
> find a shared object.  This is caused by the fact that
> Software Collections packages use non-standard paths for their
> files.  For example, postgresql binaries are in
> /opt/rh/rh-postgresql96/root/usr/bin/ rather than /usr/bin/.  Here's
> the kind of errors I get:
>
> /opt/rh/rh-postgresql96/root/usr/bin/psql: error while loading
> shared libraries: libpq.so.rh-postgresql96-5: cannot open
> shared object file: No such file or directory
>
>
> I've used the pl-postgresql module successfully this way:
>
> 
> https://gist.github.com/vinzent/448fa47032a6f050fb4c501cc741ccad#file-puppetdb-postgresql-9-5-example-pp
> 
> 
>
>
> Hi,
>
> That looks great, but is that in the puppetdb module or in the
> postgresql module? 
>

I was configuring postgresql SCL for use with the puppetdb module.

The important part for you is the postgresql::globals class that defines
all necessary paths that the postgresql SCL uses.

- Thomas



Re: [Puppet Users] Re: Encrypting password with custom provider

2016-11-08 Thread Thomas Mueller


Am 08.11.2016 um 20:10 schrieb Ziwi:
> Thanks for the link, I will definitely look at this. If this actually
> renders on agent it could come in handy.
>
> However different outputs of the encryption command are still a
> problem, as there should be some kind of: onlyif =>
> decrypt('old_value') != plain_password functionality for this.
>
> If anyone has some straightforward examples of using an exec on agent
> to collect data and reference them in manifests in the type/provider
> manner please share.
The puppet way to collect data from the client is to create facts.
https://docs.puppet.com/facter/3.5/custom_facts.html

But I doubt having credentials in facts is a good thing, as they are
transmitted to the puppet server and stored in reports (saved as
yaml files and, if configured, also to PuppetDB). IMHO also parameters of
classes and resources are stored. You have to be aware of this when you
start managing credentials.

There was just recently a sensitive data type introduced
(https://docs.puppet.com/puppet/latest/reference/lang_data_sensitive.html)
which should prevent storing it in too many places. Haven't looked into
it in detail.

 -Thomas




Re: [Puppet Users] Re: Role vs hiera

2016-10-27 Thread Thomas Mueller


Am 27.10.2016 um 15:43 schrieb Ugo Bellavance:
> That looks great, thanks!
>
> However, I just realized that my server roles are somewhat related to
> the server names.  For example, I could call my webservers something
> like www1, www2, www3.  If all those 3 servers have the same config,
> is there a way to create a file that would apply to all of them?
>  Something like /hiera/hosts/www?.yaml ?
No, there is no wildcard option. If your hostnames contain the role, you
could do something like this:


if $trusted['certname'] =~ /^([a-z]+)[0-9]+\./ {
  $role = $1
} else {
  fail('Could not determine role')
  # or set some default role? or call $role = hiera('role'), ... whatever you like
}

I really only would do it by hostname if you are sure your dns names
reflect the roles now and forever (or if you are in position to decide
that it will be that way forever).

Or, like Rob has written, creating a custom fact works too.


>
> If not, could I use a hard or soft link?
This should work IMHO.

- Thomas



Re: [Puppet Users] Certificate request does not match existing certificate

2011-04-19 Thread Thomas Mueller
Am Mon, 18 Apr 2011 14:28:57 -0700 schrieb Sylvain:

> Hello there,
> 
> I have a problem while I'm trying to puppetize a client, I get this
> error:
> err: Could not request certificate: Certificate retrieval failed:
> Certificate request does not match existing certificate; run 'puppetca
> --clean puppetclienttest.sl.ss'.
> 
> I checked
> -Shutdown puppet on client/server side, delete ssl/ dir to regenerate
> certificate.
> -Be sure that the time is the same on both host.
> 
> Now I don't know what I can do else.
> 
> Client version: 0.24.8
> Server version: 2.6.6

IMHO client 0.24.x is too old and does not work with puppetmaster 2.6.x?

- Thomas

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.



Re: [Puppet Users] Re: How to randomize a template

2011-01-05 Thread Thomas Mueller
Am Wed, 05 Jan 2011 04:59:29 -0800 schrieb Rune Stensø:

> For something that's a bit more generic, you can also just use $RANDOM
> with sleep. $RANDOM returns between 0 and 32k as a value, and you can
> use a divider to reduce it.
> For example, I use 'sleep $(($RANDOM/10)) && do_heavy_stuff' to
> randomize the start of a heavy job out across just under an hour.
> 

$RANDOM is a "bashism". It's not available in all shells out there.

- Thomas




Re: [Puppet Users] Use MySQL replication with stored configs

2010-12-23 Thread Thomas Mueller
Am Wed, 22 Dec 2010 22:02:27 +0200 schrieb Ohad Levy:

> Hi,
> 
> Search the threads, there were a few discussions about this point... at
> the moment afaik, it's not doable.

it maybe could be done outside of puppet with mysql-proxy. rewriting/
redirecting SELECT and UPDATE/INSERT.

- Thomas




Re: [Puppet Users] Adding System Account

2010-03-30 Thread Thomas Mueller
Am Mon, 29 Mar 2010 18:23:04 -0300 schrieb Darvin Denmian:

> What option I need to use to create a system account with "Puppet"? Like
> the below command:
> 
> useradd -r nagios -s /sbin/nologin -d /var/lib/nagios -m nagios
> 
> Sorry for this newbie question, I'm new in Puppet configuration :)
> 
> Thanks !



user {
  "nagios":
    ensure => "present",   # without ensure, a missing account is not created
    gid    => "nagios",
    shell  => "/sbin/nologin",
    home   => "/var/lib/nagios",
}



see type reference "user" (and maybe "group" too): 

http://docs.reductivelabs.com/references/latest/type.html#id310

- Thomas




Re: [Puppet Users] "Failed to retrieve current state of resource" messages

2010-03-23 Thread Thomas Mueller
Am Tue, 23 Mar 2010 22:42:57 -0400 schrieb Kent Rankin:

> I've made no changes, so I'm assuming that it's webrick.  Would this
> impact that?

had this error too. try to go on with mongrel or passenger. webrick's 
intended use is for development and is not optimized for real production. 

- Thomas

>>>
>>> Tue Mar 23 12:06:43 -0400 2010 ///File[/etc/init.d/] (err):
>>> Failed to retrieve current state of resource: end of file reached
>>> Could not retrieve file metadata for puppet:///modules//: end
>>> of file reached at /etc/puppet/modules//manifests/init.pp:45
>>>




Re: [Puppet Users] Re: Puppet 100% CPU usage

2010-03-12 Thread Thomas Mueller
Am Fri, 12 Mar 2010 03:30:59 -0800 schrieb DieterVDW:

> On Mar 12, 11:21 am, Patrick  wrote:
>> Puppet doesn't handle a folder with lots of files well.  It handles
>> large files even worse.  The standard advice is "Try putting the files
>> in a package and distributing them using apt."  Another common answer
>> is to try combining exec and rsync.  I ended up using apt.  Here are
>> the tutorials I used:
> 
> The problem is, I -am- using apt!
> Those files are downloaded and installed using apt, I just want puppet
> to make sure they are owned by a certain user and group. That's the only
> thing puppet needs to do.

if the files are installed by apt and do not have the permissions you
need, you may need to have a look at dpkg-statoverride
(man dpkg-statoverride).

- Thomas




[Puppet Users] file recurse leads to restarting service twice

2010-01-18 Thread Thomas Mueller
hi

is there a way to avoid restarting a service twice if file recursion is
enabled?

IMHO the problem is that puppet first updates the "somedir" and then the
underlying files, which then updates the "somedir" timestamp. On the next run
puppet will detect a wrong "somedir" timestamp and restart the service
again.

example:

file {
  "/etc/somedir":
    source   => "puppet:///somemodule/somedir",
    recurse  => true,
    checksum => "md5",
    notify   => Service["someservice"]
}

service {
  "someservice":
    ensure => "running",
}

- Thomas
