[Puppet Users] Dependency conundrum

2017-06-15 Thread Tom Limoncelli
I'm having a problem getting some dependencies exactly right.

This is the code I originally wrote:

File['/usr/lib/systemd/system/patcher-client.service']~>Exec['systemctl daemon-reload']~>Service['patcher-client']

It works great except... oops... if any *other* module does Exec['systemctl
daemon-reload'], then Service['patcher-client'] restarts.  That additional
restart is unneeded.

I thought about rewriting it as:

File['/usr/lib/systemd/system/patcher-client.service']~>Exec['systemctl daemon-reload']

File['/usr/lib/systemd/system/patcher-client.service']~>Service['patcher-client']

But then how would Puppet know to do the Exec[] before the Service[]?  I
could add:

Exec['systemctl daemon-reload']->Service['patcher-client']

But then we're basically in the same situation as the original code. Right?

I guess I kind of want something like this: (not real syntax)

File['/usr/lib/systemd/system/patcher-client.service']~> ( Exec['systemctl daemon-reload']~>Service['patcher-client'] )

How do I achieve that?

Thanks in advance,
Tom

-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Blog:  http://EverythingSysadmin.com

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAHVFxgnkPQTgeNHv6L0Ao%2BuvdVtL-7ftaPfJG3gzXF0OCs6%3DsQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


[Puppet Users] Re: unit testing and eyaml

2017-02-24 Thread Tom Poulton
Hi

Look into rspec-puppet-utils,
you can use the MockFunction class to completely mock hiera (there's an 
example in the readme). This way your tests never even execute the real 
hiera function, so you don't need to worry about yaml files, eyaml files, 
hierarchies, eyaml installation, eyaml keys, etc.

This is more like unit testing in a Java/C#/ruby project, where you're 
isolating what you want to test away from its dependencies. Mocking hiera 
allows your tests to be very flexible with minimal setup, and you're also 
not testing hiera/hiera-eyaml functionality in your tests for foo

Full disclosure: I wrote rspec-puppet-utils so naturally I think it's a 
useful tool and a good fit in this case, but there are other ways of doing 
it :)

Does that make sense? I hope it helps


On Friday, February 24, 2017 at 11:16:43 AM UTC-6, Stanislav Khromoy wrote:
>
>
> Need a little help with integrating unit testing ( rspec-puppet ) with 
> eyaml encrypted data in hiera.
>
> I have something like this in hiera:
>
> foo::foo_api_key: ENC[super long string of stuff]
>
> manifest:
>
>   class { '::some_module_from_forge':
>     apikey => hiera('foo::foo_api_key')
>   }
>
> foo_spec.rb
>
> it { should contain_class('stackdriver').with_apikey(ENC[super long string 
> of stuff])}
>
> I am not really sure how to quote this properly. Everything I've tried 
> comes back with an error
>



[Puppet Users] puppetlabs-concat updates to concatfragments.rb causes triggers

2015-11-20 Thread Tom Limoncelli
We recently upgraded to the latest puppetlabs-concat module.  The new
module generated the exact same files as before which was great (yea
upwards compatibility!) but because a new concatfragments.rb file was
installed, puppet triggered downstream "reloads" and reloaded our
server (boo! undesired reloads!).  As a result, our keepalived's were
reloaded and that caused unplanned failovers between replicas.

The good news is that we caught this in testing so it didn't affect
production.  However, our workaround was ugly. We paused puppet agent,
manually updated concatfragments.rb, then unpaused puppet agent.

Is it possible for the module to deploy updates to concatfragments.rb
without it being considered trigger-worthy?

Thanks,
Tom

-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



[Puppet Users] Passing Powershell Variables into Puppet manifest

2015-10-27 Thread tom . swaby
Hi all

I'm having difficulty passing powershell variables into Puppet, while using 
the Powershell module.

What I need to achieve is this in powershell. It is basically a script that 
executes a check to see if a windows module is installed, and if not, 
copies it from a source directory. 

*This is the powershell script*

$check = Get-WindowsFeature -name Net-Framework-Core
$source = "\\server\directory\directory2\directory3"
$destination = "C:\source3"
if ($check.Installed -ne "True") {
    Copy-Item $source -Destination $destination -Recurse
    Install-WindowsFeature Net-Framework-Core
    Remove-Item $destination -Recurse
}

*This is my puppet manifest*

class profiles::dotnetrun {

  $check = "Get-WindowsFeature -name Net-Framework-Core"
  $source = "server\\directory\\directory2\\directory3"
  $destination = "C:\source3"

  exec { 'dotnet':
    command => 'Copy-Item \$source -Destination \$destination -Recurse',
    onlyif => '\$check.Installed -ne "True"',
    provider => powershell,
  }

}



[Puppet Users] RHEL 7 - Satellite 6.1 - Puppet Locally

2015-10-26 Thread Tom Zurita
We deploy our servers and use Puppet using Satellite 6.1.  I deployed a 
server and am trying to test modules locally and it NEVER works.  

cat /etc/puppet/puppet.conf

[main]
vardir = /var/lib/puppet
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl

[agent]
pluginsync      = true
report          = true
ignoreschedules = true
daemon          = false
ca_server       = blah
certname        = rhel7-test2.blah.edu
environment     = KT_SI_Org_Default_RHEL7_Prod_RHEL7_comp_CV_14
# server        = blah

[root@rhel7-test2 manifests]# puppet config print modulepath
/etc/puppet/modules:/usr/share/puppet/modules

[root@rhel7-test2 manifests]# puppet module list
/etc/puppet/modules
├── cis-puppet (???)
├── duritong-sysctl (v0.0.11)
└── puppetlabs-stdlib (v4.9.0)
/usr/share/puppet/modules (no modules installed)

puppet apply --modulepath=/etc/puppet/modules /etc/puppet/modules/cis-puppet/manifests/test.pp


I don't get errors; it just doesn't change a thing, nor does it show it running 
that script.




[Puppet Users] Re: should create_resources honor schedule metaparameter?

2015-10-02 Thread Tom Downes
Hi - didn't seem to get the automatic update on this post. I'm going to 
have a member of my team check out your suggestion.

Tom

On Tuesday, September 29, 2015 at 8:35:32 AM UTC-5, jcbollinger wrote:
>
>
>
> On Monday, September 28, 2015 at 10:17:31 PM UTC-5, Tom Downes wrote:
>>
>> I have a defined resource that I instantiate through create_resources and 
>> a set of defaults that trace back to hiera:
>>
>> create_resources("apache::vhost", $full_apache_hash, $http_defaults)
>>
>> http_defaults:
>>   schedule: 'nightly'
>>   priority: '25'
>>   docroot: '/var/www'
>>   serveradmin: 'myl...@dot.edu'
>>   port: '80'
>>
>> Elsewhere in the catalog I have defined:
>>
>> schedule { 'nightly':
>>   range  => '0-2',
>>   period => daily,
>>   repeat => 1,
>> }
>>
>>
>> When I run "puppet agent -t" outside of the specified range, it always 
>> takes action to manage my apache::vhost. i.e. if I blow away the file, it 
>> will come back. Am I wrong not to expect this? Is it create_resources not 
>> honoring schedule or puppet agent -t ignoring schedule?
>>
>>
>>
>
> There have been problems with create_resources() and other metaparameters 
> in the past, but I think the consensus is that they *should* work 
> together.  I see no reason or documentation that the 'schedule' 
> metaparameter would be different.
>
> Looking at the other side of the equation, there is a configuration 
> setting 'ignoreschedules' whose effect on the agent is what its name 
> indicates.  That setting is not documented to be included in '--test' / 
> '-t', but perhaps it crept in there without being documented, or perhaps it 
> is specified in your config file.  I'd try this command instead to see 
> whether it behaves differently with respect to schedules:
>
> puppet agent --onetime --no-daemonize --ignorecache --no-usecacheonfailure 
> --no-ignoreschedules
>
> Optionally, include also some or all of the flags '--detailed-exitcodes 
> --no-splay --show_diff', which are implied by --test.
>
> If the schedule still is not honored then do make sure it is actually in 
> the catalog the agent retrieves.  If so, then I call bug.
>
>
> John
>
>



[Puppet Users] should create_resources honor schedule metaparameter?

2015-09-28 Thread Tom Downes
I have a defined resource that I instantiate through create_resources and a 
set of defaults that trace back to hiera:

create_resources("apache::vhost", $full_apache_hash, $http_defaults)

http_defaults:
  schedule: 'nightly'
  priority: '25'
  docroot: '/var/www'
  serveradmin: 'myl...@dot.edu'
  port: '80'

Elsewhere in the catalog I have defined:

schedule { 'nightly':
  range  => '0-2',
  period => daily,
  repeat => 1,
}


When I run "puppet agent -t" outside of the specified range, it always 
takes action to manage my apache::vhost. i.e. if I blow away the file, it 
will come back. Am I wrong not to expect this? Is it create_resources not 
honoring schedule or puppet agent -t ignoring schedule?


Thanks,


Tom



[Puppet Users] Accessing facts in ENC

2015-09-08 Thread Tom
Using the following as a reference.
https://docs.puppetlabs.com/guides/external_nodes.html#tricks-notes-and-further-reading

I've been attempting to use facts of a node to contribute to the lookup of 
the host in the ENC. In my ENC I've tried both shelling out and running 
`puppet facts find example.com --terminus yaml` and also loading the yaml 
from '/var/lib/puppet/yaml/facts/'. However on the first run this file does 
not exist. Also if I change the terminus to puppetdb the facts are also not 
present yet in puppetdb. This looks like an ordering issue. If I run the 
same ENC with puppet 2.7 then the yaml file is present in 
'/var/lib/puppet/yaml/facts/'. With Puppet 3.8 the fact yaml file only 
appears after the ENC has run.

Has anyone else come across this issue?
I'm not sure if this is by design or if this is an ordering issue. In my 
opinion the facts should be written to yaml cache and puppetdb before the 
ENC is executed.



[Puppet Users] Re: Complex edits on /etc/default/grub (Setting transparent_hugepage at boot time)

2015-07-29 Thread Tom Limoncelli
Of course, minutes after emailing that I found the answer to my own
question.

If you install the augeasproviders_grub module (
https://github.com/hercules-team/augeasproviders_grub) then it becomes as
simple as:

kernel_parameter { 'transparent_hugepage':
  value => 'never',
  ensure => present,
}

In CentOS7, the module is smart enough to make the change to
/etc/default/grub's GRUB_CMDLINE_LINUX variable.  From a quick look at the
code, it seems to do the right thing for other OSs too.

The Augeas people never fail to impress!

Tom

On Wed, Jul 29, 2015 at 5:30 PM, Tom Limoncelli  wrote:

> I need to disable transparent_hugepage at boot time (before some big
> services start up).  This is on centos7 machines using SystemD.
>
> There are many ways to do this.  It isn't clear which is the
> best/easiest way to do it via puppet.  (Here is a list of ways to do
> it manually
> http://answers.splunk.com/answers/188875/how-do-i-disable-transparent-huge-pages-thp-and-co.html
> and here is one more
> http://docs.mongodb.org/manual/tutorial/transparent-huge-pages/)
>
> The most straightforward way seems to be to edit /etc/default/grub:
>
> Change this line in /etc/default/grub and add
> transparent_hugepage=never to the GRUB_CMDLINE_LINUX.
>
> i.e.
>
> Change this line:
>
> GRUB_CMDLINE_LINUX="rd.lvm.lv=centos_ks-7/root
> rd.lvm.lv=centos_ks-7/swap crashkernel=auto
> vconsole.font=latarcyrheb-sun16 vconsole.keymap=us
> intel_pstate=disable rhgb quiet transparent_hugepage=never"
>
> to
>
> GRUB_CMDLINE_LINUX="rd.lvm.lv=centos_ks-7/root
> rd.lvm.lv=centos_ks-7/swap crashkernel=auto
> vconsole.font=latarcyrheb-sun16 vconsole.keymap=us
> intel_pstate=disable rhgb quiet transparent_hugepage=never"
>
> However doing that in puppet (even with Augeas) seems non-trivial.
>
>
>
> Any suggestions?
>
> Tom
>
> P.S.  I'm also considering making a systemd "unit" that just sets the
> parameter and is scheduled to run before any of the major services on
> the machine. However that seems like a long way to do a short thing.
>
> --
> Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
> Skype: YesThatTom
> Blog:  http://EverythingSysadmin.com
>



-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



[Puppet Users] Complex edits on /etc/default/grub (Setting transparent_hugepage at boot time)

2015-07-29 Thread Tom Limoncelli
I need to disable transparent_hugepage at boot time (before some big
services start up).  This is on centos7 machines using SystemD.

There are many ways to do this.  It isn't clear which is the
best/easiest way to do it via puppet.  (Here is a list of ways to do
it manually 
http://answers.splunk.com/answers/188875/how-do-i-disable-transparent-huge-pages-thp-and-co.html
and here is one more
http://docs.mongodb.org/manual/tutorial/transparent-huge-pages/)

The most straightforward way seems to be to edit /etc/default/grub:

Change this line in /etc/default/grub and add
transparent_hugepage=never to the GRUB_CMDLINE_LINUX.

i.e.

Change this line:

GRUB_CMDLINE_LINUX="rd.lvm.lv=centos_ks-7/root
rd.lvm.lv=centos_ks-7/swap crashkernel=auto
vconsole.font=latarcyrheb-sun16 vconsole.keymap=us
intel_pstate=disable rhgb quiet transparent_hugepage=never"

to

GRUB_CMDLINE_LINUX="rd.lvm.lv=centos_ks-7/root
rd.lvm.lv=centos_ks-7/swap crashkernel=auto
vconsole.font=latarcyrheb-sun16 vconsole.keymap=us
intel_pstate=disable rhgb quiet transparent_hugepage=never"

However doing that in puppet (even with Augeas) seems non-trivial.



Any suggestions?

Tom

P.S.  I'm also considering making a systemd "unit" that just sets the
parameter and is scheduled to run before any of the major services on
the machine. However that seems like a long way to do a short thing.

--
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



Re: [Puppet Users] Anyone really using Postgres for a Hiera backend?

2015-07-22 Thread Tom De Vylder
Puppet-Community [1] would be a prime example to take over the maintainership.

[1] https://github.com/puppet-community/

Tom

> On 13 Jul 2015, at 15:45, Erik Dalén  wrote:
> 
> Yeah, I'm not really using puppet server (yet at least) or the postgres hiera 
> backend. So if someone else wants to take over maintainership of it I can 
> transfer the repo ownership.
> 
> On Tue, 19 May 2015 at 18:51 Tony Thayer <tony.tha...@gmail.com> wrote:
> Actually, I just realized I was using my own fork of the original: 
> https://github.com/tthayer/hiera-psql
> 
> I'm not using it actively anymore and I doubt my previous employer is still 
> using it either. There is an open issue stating that it doesn't work with the 
> new puppetserver, too: https://github.com/dalen/hiera-psql/issues/7
> 
> On Wednesday, May 13, 2015 at 9:45:55 AM UTC-7, leam hall wrote:
> Just wondering. I found some options but don't see any under current 
> development. 
> 
> Leam
> 
> 
> -- 
> Mind on a Mission <http://leamhall.blogspot.com/>
> 



Re: [Puppet Users] How to create hadoop directory vi puppet script.

2015-07-10 Thread Tom Limoncelli
"fully qualified" means the path to the command is included.  That is,
"/usr/bin/cat" is qualified.  "cat" is not.

exec {} commands have to be qualified ("/usr/bin/cat") or you have to add
the parameter "path" and specify the path to the command.

I generally use the path parameter if the code will run on many different
operating systems, each with a different path.

More info:
https://docs.puppetlabs.com/references/latest/type.html#exec-attribute-path

Tom


On Thu, Jul 9, 2015 at 8:42 PM, Ayyanar  wrote:

> 1. exec { "/home/haas":
>      #command => "/usr/hdp/current/hadoop-yarn-nodemanager/sbin/yarn-daemon.sh stop resourcemanager",
>      command => "hadoop fs -mkdir -p /apps/hive/warehouse",
>      user => haas
>    }
>
> Note: my site.pp file contains this code. While executing this command I am
> facing a validation issue. How do I solve this?
>
> 2. "Error: Validation of Exec[/home/haas] failed: 'hadoop fs -mkdir -p
> /apps/hive/warehouse' is not qualified and no path was specified. Please
> qualify the command or specify a path. at /etc/puppet/manifests/site.pp:491"
>
> Thanks,
> Ayyanar Thangaraj
>
>



-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



Re: [Puppet Users] Exposing master to the public internet

2015-07-06 Thread Tom Limoncelli
Google does this on a massive scale for the laptops they give to
employees.  Many of the details are in
http://research.google.com/pubs/pub43231.html

The key points are:
1.  SSL only.  All else is firewalled off.  (external clients actually talk
to a load balancer that is locked down and only forwards SSL-authenticated
connections to the master).
2.  Don't autosign your certs.
3.  When you sign certs, actually check the fingerprints
4.  The server cert AND the client cert must be signed (puppet cert takes
care of that for you).

Tom
(not a google employee, not speaking for google)


On Thu, Jul 2, 2015 at 3:51 PM, Nik Haldimann  wrote:

> Hi
>
> I have a fleet of headless devices to manage that are going to be deployed
> all over the place on various networks but connected to the public
> internet. I'm evaluating if it would make sense to manage them through
> puppet. I am able to run the puppet agent on the devices and I seem to be
> able to do things I would want to do, so on the surface this seems like a
> good idea.
>
> However, my impression is that a puppet master is usually deployed within
> a private network (e.g., internal to a data center or as part of a private
> VPC subnet on AWS). For my use case I would have to open the master to the
> public internet. What are the implications of this? Is this recommended or
> not? Are there specific settings I should be watching out for to make this
> secure?
>
> Nik
>
>



-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com
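
The fingerprint check from points 2 and 3 above, as an added example (not part of the original message and not taken from the Google paper): with autosigning off, a request is signed only when the fingerprint the master lists for it matches the one the device itself reports. The host names, fingerprints and function names are hypothetical, and the sample output is constructed in the format `puppet cert list` and `puppet agent --fingerprint` are assumed to print.

```shell
#!/bin/sh
# Added example: compare a pending CSR's fingerprint with the one the device
# reports before running `puppet cert sign`. All sample data is constructed.

# Constructed sample: `puppet cert list` on the master (pending requests only).
MASTER_LIST='  "kiosk-01.example.net" (SHA256) 5A:1F:0C:93:E2:7B:44:D8:10:AF:36:C5:9E:02:71:BD:8C:4A:F3:15:6D:E9:20:B7:53:0E:A4:C8:9F:61:D2:7E
  "kiosk-02.example.net" (SHA256) C3:77:1A:E0:5D:92:48:0B:F6:2C:81:D4:39:AE:65:07:BB:14:9D:E8:50:23:7F:C6:0A:91:DE:34:68:F5:1C:A2'

# Constructed sample: `puppet agent --fingerprint` run on kiosk-01 and read
# back over a channel you already trust (console, provisioning record).
AGENT_FP='(SHA256) 5A:1F:0C:93:E2:7B:44:D8:10:AF:36:C5:9E:02:71:BD:8C:4A:F3:15:6D:E9:20:B7:53:0E:A4:C8:9F:61:D2:7E'

# normalize_fp TEXT -> "ALG DIGEST": upper-cased, parentheses and colons removed.
# Prints nothing when TEXT does not carry both an algorithm and a digest.
normalize_fp() {
    printf '%s\n' "$1" | tr -d '():' | tr '[:lower:]' '[:upper:]' |
        awk 'NF >= 2 { print $(NF-1), $NF }'
}

# pending_fp LIST CERTNAME -> "(ALG) DIGEST" for an exact certname match.
# Lines whose first field is not the quoted certname (for example signed
# entries, which `puppet cert list --all` marks with a leading "+") never match.
pending_fp() {
    printf '%s\n' "$1" |
        awk -v want="$2" '{ name = $1; gsub(/"/, "", name) }
                          name == want { print $2, $3 }'
}

# csr_ok LIST CERTNAME AGENT_OUTPUT: succeeds only when both sides are present
# and agree on digest algorithm and digest value.
csr_ok() {
    master_side=$(normalize_fp "$(pending_fp "$1" "$2")")
    agent_side=$(normalize_fp "$3")
    [ -n "$master_side" ] && [ -n "$agent_side" ] &&
        [ "$master_side" = "$agent_side" ]
}

# decide LIST CERTNAME AGENT_OUTPUT -> "sign" or "reject".
# On "sign" the operator runs `puppet cert sign CERTNAME` by hand; on "reject"
# the request stays unsigned until the mismatch is explained.
decide() {
    if csr_ok "$1" "$2" "$3"; then
        echo "sign"
    else
        echo "reject"
    fi
}

echo "kiosk-01.example.net: $(decide "$MASTER_LIST" kiosk-01.example.net "$AGENT_FP")"
```

A request that shows up under an expected certname but with a different fingerprint is rejected, which is the case autosigning would have let through.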



Re: [Puppet Users] Concat params along a node.

2015-07-06 Thread Tom Limoncelli
[ sorry for the late reply ]

Have you considered Exported Resources?
https://docs.puppetlabs.com/puppet/latest/reference/lang_exported.html

Tom


On Thu, Jun 11, 2015 at 4:21 PM, Albert Shih  wrote:

> Hi,
>
> Let's say I have a module to manage something on a server so
>
>   modules/things/manifests/init.pp
>   /addthing.pp
>
> the addthing.pp would be a define.
>
> And I use this « addthing » inside other module, how can I get the list of
> all thing I add. For example
>
>   class my_service {
>
>     include ::things
>
>     things::addthing { 'first': }
>     things::addthing { 'second': }
>     things::addthing { 'third': }
>
>     # and now I want inside $my_things a string like 'first, second, third'
>
>   }
>
>
> Regards.
>
>
> --
> Albert SHIH
> Heure local/Local time:
> jeu 11 jui 2015 22:14:50 CEST
>
>



-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



[Puppet Users] puppet firewall module and more esoteric rules

2015-07-03 Thread Tom Boland

Hi all,

I've been looking at using the puppet firewall module to define the 
rules on a load balancer/proxy I'm working on.  Unfortunately, I don't 
think it's going to work, unless there's a workaround for the issue I've 
just found.


I'm looking at implementing the SYNPROXY guidelines in this RedHat article:

http://rhelblog.redhat.com/2014/04/11/mitigate-tcp-syn-flood-attacks-with-red-hat-enterprise-linux-7-beta/

I've attempted to implement a rule in iptables, and then use puppet 
resource to reverse engineer it into puppet, and this is the result:


$ iptables -t raw -I PREROUTING -i eth0 -p tcp -m tcp --syn --dport 80 -j CT --notrack

$ puppet resource firewall
firewall { '9001 7b01864cb3bb80b99a31bd1e24ec43e9':
  ensure             => 'present',
  chain              => '80',
  checksum_fill      => 'false',
  clamp_mss_to_pmtu  => 'false',
  dport              => ['CT'],
  iniface            => '--tcp-flags',
  isfragment         => 'false',
  jump               => '--notrack',
  kernel_timezone    => 'false',
  physdev_is_bridged => 'false',
  proto              => 'FIN,SYN,RST,ACK SYN',
  random             => 'false',
  rdest              => 'false',
  reap               => 'false',
  rsource            => 'false',
  rttl               => 'false',
  socket             => 'false',
  table              => 'raw',
  time_contiguous    => 'false',
}

As you may see, the parameters are a bit jumbled.  The chain has the 
value for the port, and the dport has the value for the jump, the 
protocol has various TCP packet types rather than just 'tcp' etc etc.


Would anyone be able to suggest a way around this?

For the moment I'll look into stopping the module purging existing 
rules and manage my SYNPROXY stuff outside of puppet.


Many thanks.  Tom.



[Puppet Users] Re: PE Licensing

2015-07-01 Thread Tom Tucker
Disregard...PuppetLabs support confirms it is a violation of the 10 node
trial.

On Wed, Jul 1, 2015 at 2:06 PM, Tom Tucker  wrote:

> Is it true you can run PE and exceed the 10-node limit without purchasing
> appropriate licenses from a business perspective?  The only down side
> apparently is no support (technical or software). True?
>
>
>
> Assuming it is, what is the advantage of using the community version then?
> Just a faster release cycle with the community version?
>
>
>
> Comments?
>



[Puppet Users] PE Licensing

2015-07-01 Thread Tom Tucker
Is it true you can run PE and exceed the 10-node limit without purchasing
appropriate licenses from a business perspective?  The only down side
apparently is no support (technical or software). True?



Assuming it is, what is the advantage of using the community version then?
Just a faster release cycle with the community version?



Comments?



[Puppet Users] How do modules plan on dealing with Puppet 3.x incompatibilities?

2015-06-30 Thread Tom Limoncelli
Suppose I maintain a public module.  I'd like to start using some
Puppet 4.x language features. This means that anyone that uses this
module can't use the new version of the module until they also adopt
Puppet 4.x.

What is the best way to address this?

Some ideas that have been tossed around internally on my team:

-- Increment the major version number and declare that 3.x users
shouldn't upgrade to the new major version.
-- Restrict our usage of the new features to ones that are compatible
with the "future parser" and assume that 3.x users will enable the
future parser. (This means more testing for us, which is difficult
since we don't want to maintain a Puppet 3.x master any in the
future.)
-- Change the name of the module and encourage Puppet 4.x users to
switch to the module name when they want the more advanced features.
(this seems like the worst option)

I'm sure there are other options that we haven't thought of too.

Is there a recommended process?

Thanks,
Tom

-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



Re: [Puppet Users] Is this the right way of doing it?

2015-06-30 Thread Tom Limoncelli
If you add a parameter to a define, it is important to provide a default
that lets current code work without being modified.  If there is no
default, then any current user of the define will get an error.  This is
how one makes changes but retains backwards compatibility.

I'm not sure I understand the question, so apologies in advance if this is
not the answer you are looking for.

Is the concern that every time you call this define you will have to repeat
many, many parameters with the same values, with only a few being
different?  If that is the case, you can define some resource defaults.

Webhosting::Php::Spip {
  ensure        => $variable1,
  configuration => $variable2,
  uid           => $variable3,
}

Now any time you call webhosting::php::spip(), you don't have to give the
ensure, configuration, or uid parameters if you want them to be $variable1,
$variable2, and $variable3 respectively.
(Note: These defaults have scope; they are not global.  More details are in
https://docs.puppetlabs.com/puppet/latest/reference/lang_defaults.html#area-of-effect)
You can still override these new defaults by providing the parameters.

Hope that helps,
Tom

On Thu, Jun 11, 2015 at 10:22 AM, Sergiu Cornea <
s.cor...@my.westminster.ac.uk> wrote:

> Good afternoon guys,
>
> I have been assigned with the task of creating something like this:
> https://github.com/duritong/puppet-webhosting/tree/master/manifests
> which I successfully implemented however, in order to add an extra
> variable you will have to add it in all your module manifests, say for
> example you want to add a debug variable you will need to add it in each
> manifest file. My question is if this is the right way to approach this? Or
> is there a better solution?
>
> define webhosting::php::spip( $ensure = present, $configuration = {}, $uid
> = 'absent', $uid_name = 'absent', $gid = 'uid', $gid_name = 'absent',
> $user_provider = 'local', $password = 'absent', $password_crypted = true,
> $domainalias = 'www', $server_admin = 'absent', $logmode = 'default',
> $owner = root, $group = 'sftponly', $run_mode = 'normal',
> $run_uid = 'absent', $run_uid_name = 'absent', $run_gid = 'absent',
> $run_gid_name = 'absent', $watch_adjust_webfiles = 'absent',
> $user_scripts = 'absent', $user_scripts_options = {}, $wwwmail = false,
> $allow_override = 'FileInfo', $do_includes = false, $options = 'absent',
> $additional_options = 'absent', $default_charset = 'absent',
> $ssl_mode = false, $php_settings = {}, $php_options = {},
> $vhost_mode = 'template', $template_partial = 'absent',
> $vhost_source = 'absent', $vhost_destination = 'absent',
> $htpasswd_file = 'absent', $nagios_check = 'ensure',
> $nagios_check_domain = 'absent', $nagios_check_url = '/',
> $nagios_check_code = '200', $nagios_use = 'generic-service',
> $mod_security = true,){
>
> Thank you for your help!
>
> Regards,
> Cip



-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



Re: [Puppet Users] elegant way to hash a line in a file, if present

2015-06-30 Thread Tom Limoncelli
You'll want to create the file using file{} and then add require =>
File['/path/to/file'] so that the file is created before Puppet tries
to modify it.

You can do that with less typing by using the -> operator. For example:

  file { '/usr/share/X11/xorg.conf.d/glamor.conf':
    ensure => file,
    mode   => '0644',  # adjust as needed
    owner  => 'root',  # adjust as needed
    group  => 'root',  # adjust as needed
  }->
  file_line { 'hash_glamor':
    path  => '/usr/share/X11/xorg.conf.d/glamor.conf',
    line  => '#  Load  "glamoregl"',
    match => 'Load  "glamoregl"',
  }

Tom


On Mon, Jun 29, 2015 at 10:37 AM, Cam Mac  wrote:
> Hi,
>
> I wanted to create a recipe for hashing a line in a file (I'd rather hash it
> than delete it), if the file is present and that particular line is present.
> I came up with a less than elegant solution and wondered whether
> someone knows of a better way.
>
> The file in question: /usr/share/X11/xorg.conf.d/glamor.conf
> The line in question (which needs to be commented):  Load  "glamoregl"
>
>   exec { 'hash_glamor':
> path=> '/bin:/usr/sbin:/usr/bin',
> command => 'sed -i \'s/\(^\s*Load\s*\"glamoregl\"$\)/\#\1/\'
> /usr/share/X11/xorg.conf.d/glamor.conf',
> onlyif => 'grep -E "^\s*Load\s*\"glamoregl\"$"
> /usr/share/X11/xorg.conf.d/glamor.conf',
>   }
>
> I tried using the 'file_line' module:
>
>   file_line { 'hash_glamor':
> path  => '/usr/share/X11/xorg.conf.d/glamor.conf',
> line  => '#  Load  "glamoregl"',
> match => 'Load  "glamoregl"',
>   }
>
> but this returns an error if the file doesn't exist, and I couldn't find a
> way of adding a conditional that will check whether the file exists in the
> 'file_line' module before it executes.
>
> Augeas could be a possibility, but I couldn't see a way of doing it in a
> simple way.
>
> Any suggestions welcome.
>
> Thanks,
>
> Cam



-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



Re: [Puppet Users] PuppetDB Sizing

2015-06-26 Thread Tom Tucker
Chris,
Thanks for the detailed response.  BTW did you deploy HA, load balancing,
etc on the Postgres side?

Cheers

On Thu, Jun 25, 2015 at 11:11 PM, Christopher Wood <
christopher_w...@pobox.com> wrote:

> Somewhere past 700 nodes (still puppetizing) our 1-core, 2GB-RAM
> puppetmasters and 2-core, 2GB-RAM puppetdb host started showing signs of
> overload (ssl/connect errors in agent logs, catalog/report mismatches in
> puppetdb). I augmented the VMs with "hardware" to stop the complaints and
> later on went off tuning. I moved the puppetmasters up to 4-core 8GB-RAM
> and the puppetdb host is now 4-core 16GB-RAM. Definitely rattling around in
> them now but there's lots of room for growth.
>
> For scaling/tuning, among others:
>
>
> https://ask.puppetlabs.com/question/13433/how-should-i-tune-passenger-to-run-puppet/
>
> https://docs.puppetlabs.com/puppetdb/latest/scaling_recommendations.html
>
> https://docs.puppetlabs.com/guides/scaling.html
>
> http://activemq.apache.org/scaling-queues.html
>
> http://activemq.apache.org/javalangoutofmemory.html
>
> After all that I analyzed catalogs across the deployment and found that
> the datacat usage in the mcollective module (now
> https://github.com/puppet-community/puppet-mcollective) was an abominable
> percentage of the total number of resources. The firewall type (
> https://github.com/puppetlabs/puppetlabs-firewall) was 3% of the total
> resources. Since it takes less horsepower to puppet up fewer things I
> figure there will be a benefit in some judicious refactoring here and
> there. (Templates instead of file_line, iptables config instead of firewall
> resources, et cetera.)
>
> However, I figure there's a benefit in a conversion effort to cram things
> into puppet first and sort them out later. I had a good time just throwing
> hardware at the problem to start and then tuning after the bulk of hosts
> were converted to puppet management. People at companies where incremental
> hardware use is expensive may want to tune early and shrink manifests more
> aggressively.
>
> On Thu, Jun 25, 2015 at 08:16:31PM -0400, Tom Tucker wrote:
> >Assuming 2,500 Linux clients running Puppet community edition 3.8. Any
> >sizing recommendation for a PuppetDB system in regards to disk size for
> >the DB, CPU, Memory, etc.
> >Thank you for your time and feedback.



[Puppet Users] PuppetDB Sizing

2015-06-25 Thread Tom Tucker
Assuming 2,500 Linux clients running Puppet community edition 3.8.  Any
sizing recommendation for a PuppetDB system in regards to disk size for the
DB, CPU, Memory, etc.

Thank you for your time and feedback.



Re: [Puppet Users] Re: what is actually "undefined method 'include?' for nil:NilClass on node" error?

2015-06-17 Thread Tom Noonan
Good catch.  Out of curiosity, what led you to look at file sizes
in /var/lib/puppet/yaml/node?  Based on your initial problem
description that is not where I would have been looking to troubleshoot.

On Wed, 17 Jun 2015 07:11:09 -0700 (PDT)
Ed Deloye  wrote:

> Discovered truncated yaml files on the puppet master in 
> /var/lib/puppet/yaml/node for the 24 systems. Identified as each one
> was 4096 bytes. After deleting those files puppet runs successfully
> on the nodes.
> 
> On Thursday, May 29, 2014 at 3:57:49 PM UTC-4, Sans wrote:
> >
> >  I have two identical nodes - serv106 and serv107 - one of which is 
> > working just fine but the other one failing with these error
> > message:
> >
> > err: Could not retrieve catalog from remote server: Error 400 on
> > SERVER: 
> >> undefined method `include?' for nil:NilClass on node 
> >> warning: Not using cache on failed catalog
> >> err: Could not retrieve catalog; skipping run
> >>
> >
> >
> > running puppet master in the foreground, I see these on the screen: 
> >
> > err: undefined method `include?' for nil:NilClass on node
> >> err: undefined method `include?' for nil:NilClass on node
> >> debug: Received report to process from serv106.syst.local
> >> debug: Processing report from serv106.syst.local with processor 
> >> Puppet::Reports::Store
> >> debug: Processing report from serv106.syst.local with processor 
> >> Puppet::Reports::Http
> >> err: Report processor failed: Connection refused - connect(2)
> >> debug: Processing report from serv106.syst.local with processor 
> >> Puppet::Reports::Log
> >> err: //serv106.syst.local/Puppet: Could not retrieve catalog from
> >> remote server: Error 400 on SERVER: undefined method `include?'
> >> for nil:NilClass on node
> >> warning: //serv106.syst.local/Puppet: Not using cache on failed
> >> catalog err: //serv106.syst.local/Puppet: Could not retrieve
> >> catalog; skipping run
> >>
> >
> >
> > a bit of google-search suggested that removing certificates from
> > both master and the agent (and recreating afterwards) is the
> > solution to this issue. Which I did but no joy so far. Has anyone
> > ever seen this error before or know what I'm doing wrong here?
> > Any help/pointer would be greatly appreciated.
> >
> > Best!
> >
> 



[Puppet Users] Puppet introducing instability to Docker on Debian Jessie

2015-06-15 Thread Tom Noonan
I'm seeing a bug that appears to be a bad interaction between Puppet
and SystemD on Debian Jessie that causes my Docker daemon to go
unavailable.  I'm running both Docker and Puppet from upstream:

root@docker0:~# dpkg --list | grep 'lxc-docker\|puppet'
ii  facter              2.4.4-1puppetlabs1  all    Ruby module for collecting simple facts about a host operating system
ii  hiera               1.3.4-1puppetlabs1  all    A simple pluggable Hierarchical Database.
ii  lxc-docker          1.6.2               amd64  Linux container runtime
ii  lxc-docker-1.6.2    1.6.2               amd64  Linux container runtime
ii  puppet              3.8.1-1puppetlabs1  all    Centralized configuration management - agent startup and compatibility scripts
ii  puppet-common       3.8.1-1puppetlabs1  all    Centralized configuration management
ii  puppetlabs-release  1.0-11              all    "Package to install Puppet Labs gpg key and apt repo"

For this test I've stripped my manifest down to the minimum: only a
service declaration for Docker on the node:

node "docker0.tjnii.com" {
  #Debug
  service { 'docker':
    ensure => running,
    enable => true,
  }
}

Docker is started by Puppet via SystemD without issue:

root@docker0:~# puppet agent --test
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for docker0.tjnii.com
Info: Applying configuration version '1434419985'
Notice: /Stage[main]/Main/Node[docker0.tjnii.com]/Service[docker]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Main/Node[docker0.tjnii.com]/Service[docker]: Unscheduling refresh on Service[docker]
Notice: Finished catalog run in 0.88 seconds

root@docker0:~# systemctl status docker
● docker.service - Docker Application Container Engine
   Loaded: loaded (/lib/systemd/system/docker.service; disabled)
  Drop-In: /etc/systemd/system/docker.service.d
   service-overrides.conf
   Active: active (running) since Mon 2015-06-15 20:01:45 MDT; 32s ago
 Docs: http://docs.docker.com
 Main PID: 25160 (docker)
   CGroup: /system.slice/docker.service
   25160 /usr/bin/docker -d -H fd://



root@docker0:~# docker ps
CONTAINER ID    IMAGE    COMMAND    CREATED    STATUS    PORTS    NAMES
root@docker0:~# ps awwfux | grep [d]ocker
root 25160  0.6  0.9 273044 14984 ?    Ssl  20:01   0:00 /usr/bin/docker -d -H fd://
root@docker0:~# ls /var/run/docker.sock -l
srw-rw 1 root docker 0 Jun 15 20:01 /var/run/docker.sock


After a few Puppet daemon runs (I haven't nailed it down to a fixed number,
perhaps a race?) Puppet will think Docker is down and try and restart it:

Jun 15 20:32:35 docker0 puppet-agent[1271]: (/Stage[main]/Main/Node[docker0.tjnii.com]/Service[docker]/ensure) ensure changed 'stopped' to 'running'
Jun 15 20:32:35 docker0 puppet-agent[1271]: Finished catalog run in 1.10 seconds

This will replace the socket with a new file:

root@docker0:~# ls /var/run/docker.sock -l
srw-rw 1 root docker 0 Jun 15 20:32 /var/run/docker.sock

However the Docker daemon is not restarted.  Note that the pid hasn't
changed from when it was initially started:

root@docker0:~# ps awwfux | grep [d]ocker
root 25160  0.4  1.1 557024 17008 ?    Ssl  20:01 0:11 /usr/bin/docker -d -H fd://

So after Puppet tries to start the service it looks like the Docker daemon
becomes disconnected from its socket.  Puppet is exacerbating this, if I stop
Puppet Docker is stable.  I'm wondering if this has something to do with the
docker.socket SystemD service, but I don't know enough about SystemD to
troubleshoot that.
This is the SystemD config from Docker:

root@docker0:~# systemctl cat docker.service
# /lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target docker.socket
Requires=docker.socket

[Service]
ExecStart=/usr/bin/docker -d -H fd://
MountFlags=slave
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/docker.service.d/service-overrides.conf
[Service]
EnvironmentFile=-/etc/default/docker
root@docker0:~# systemctl cat docker.socket
# /lib/systemd/system/docker.socket
[Unit]
Description=Docker Socket for the API
PartOf=docker.service

[Socket]
ListenStream=/var/run/docker.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker

[Install]
WantedBy=sockets.target

I'm not sure if this is a Puppet bug, SystemD bug, or Docker bug.  Has anyone
else seen behaviour like this with Puppet and SystemD?

--Tom Noonan II


[Puppet Users] MCollective - Restricted Access

2015-06-04 Thread Tom Tucker
Is it possible to limit which node can execute mco related commands?
Ideally I would only want an admin node(s) to have this level of access.

Thanks in advance,

# rpm -qa | egrep 'mcol|pupp'
puppetserver-1.0.8-1.el6.noarch
mcollective-service-common-3.1.3-1.el6.noarch
mcollective-2.8.2-1.el6.noarch
mcollective-puppet-common-1.10.0-1.el6.noarch
mcollective-nettest-agent-3.0.4-1.el6.noarch
mcollective-package-agent-4.4.0-1.el6.noarch
mcollective-client-2.8.2-1.el6.noarch
mcollective-service-agent-3.1.3-1.el6.noarch
mcollective-puppet-client-1.10.0-1.el6.noarch
mcollective-nettest-common-3.0.4-1.el6.noarch
mcollective-nettest-client-3.0.4-1.el6.noarch
mcollective-package-common-4.4.0-1.el6.noarch
mcollective-package-client-4.4.0-1.el6.noarch
puppetlabs-release-6-11.noarch
puppet-3.8.1-1.el6.noarch
mcollective-common-2.8.2-1.el6.noarch
mcollective-service-client-3.1.3-1.el6.noarch
mcollective-puppet-agent-1.10.0-1.el6.noarch
mcollective-facter-facts-1.0.0-1.noarch
puppet-server-3.8.1-1.el6.noarch



[Puppet Users] MCollective - Unable to see/interact with client nodes

2015-06-02 Thread Tom Tucker
Puppet Peeps,

I am tinkering with the community edition of Puppet (version info below)
with MCollective.  In my environment I want to test basic MCollective
functionality without the SSL overhead.

Everything looks fine in the logs, but when I run ‘mco ping’ from either
the client or server I only see that single node in the output.  Assuming I
run this from the master node running ActiveMQ and MCollective, how do I
interact/see with my other clients?

MCO ping example from the server
##

server# mco ping
server.mydomain.pem  time=19.03 ms

 ping statistics 
1 replies max: 19.03 min: 19.03 avg: 19.03
server#

Client/Server Data
##

server# rpm -qa | egrep -i 'pup|mcol'
puppetserver-1.0.8-1.el6.noarch
mcollective-service-common-3.1.3-1.el6.noarch
mcollective-2.8.2-1.el6.noarch
mcollective-puppet-common-1.10.0-1.el6.noarch
mcollective-nettest-agent-3.0.4-1.el6.noarch
mcollective-client-2.8.2-1.el6.noarch
mcollective-service-agent-3.1.3-1.el6.noarch
mcollective-puppet-client-1.10.0-1.el6.noarch
mcollective-nettest-common-3.0.4-1.el6.noarch
mcollective-nettest-client-3.0.4-1.el6.noarch
puppetlabs-release-6-11.noarch
puppet-3.8.1-1.el6.noarch
mcollective-common-2.8.2-1.el6.noarch
mcollective-service-client-3.1.3-1.el6.noarch
mcollective-puppet-agent-1.10.0-1.el6.noarch
mcollective-facter-facts-1.0.0-1.noarch
puppet-server-3.8.1-1.el6.noarch
server#

server# cat /etc/mcollective/server.cfg | grep -v '^$' | grep -v '^#'
daemonize = 1
securityprovider = psk
plugin.psk = unset
connector = activemq
direct_addressing = 1
plugin.activemq.pool.size = 1
plugin.activemq.pool.1.host = server.mydomain.com
plugin.activemq.pool.1.port = 61613
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = mysexypassword
identity = server.mydomain.com.pem
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
classesfile = /var/lib/puppet/state/classes.txt
collectives = mcollective
main_collective = mcollective
registerinterval = 600
rpcaudit = 1
rpcauditprovider = logfile
plugin.rpcaudit.logfile = /var/log/mcollective-audit.log
logger_type = file
loglevel = info
logfile = /var/log/mcollective.log
keeplogs = 5
max_log_size = 2097152
logfacility = user
libdir = /usr/libexec/mcollective
server#

client# rpm -qa | egrep -i '^pup|^mco'
mcollective-common-2.8.2-1.el5
mcollective-puppet-client-1.10.0-1.el5
puppet-3.8.1-1.el5
mcollective-service-client-3.1.3-1.el5
mcollective-client-2.8.2-1.el5
puppetlabs-release-5-11
mcollective-puppet-common-1.10.0-1.el5
mcollective-service-common-3.1.3-1.el5
client#

client# cat /etc/mcollective/client.cfg | grep -v '^$' | grep -v '^#'
securityprovider = psk
plugin.psk = unset
connector = activemq
plugin.activemq.pool.size = 1
plugin.activemq.pool.1.host = server.mydomain.com
plugin.activemq.pool.1.port = 61613
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = sexypassword
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
default_discovery_method = mc
direct_addressing_threshold = 10
ttl = 60
color = 1
rpclimitmethod = first
collectives = mcollective
main_collective = mcollective
libdir = /usr/libexec/mcollective
logger_type = console
loglevel = warn
client#



Re: [Puppet Users] Re: Sort by IP in ERB (related to puppetlabs-haproxy and MODULES-1919)

2015-04-13 Thread Tom Limoncelli
On Mon, Apr 13, 2015 at 11:10 AM, jcbollinger  wrote:
> You're already generating a compound search key (although it's not strictly
> necessary for what you're doing so far); a reasonable solution would be a
> compound sort key that captures the IP address (if any) as the first part,
> and the rest of the hash key as a second part.  Here's a way to approach it
> with the help of a Ruby regex:
>
> <%
> require 'ipaddr'
> if @bind
>   @bind.sort_by { |address_port, bind_params|
> md = /^((\d+)\.(\d+)\.(\d+)\.(\d+))?(.*)/.match(address_port)
> [ (md[1] ? md[2..5].inject(0){ |addr, octet| (addr << 8) + octet.to_i }
> : -1), md[6] ]
>   }.map do |address_port, bind_params|
> -%>
>bind <%= address_port -%> <%= Array(bind_params).join(" ") %>
> <%
>   end
> else
> -%>
>
>
> In the sort_by() block, variable 'md' captures the match data for matching
> the given regex against the 'address_port' string.  The regex will match any
> string; the important part is the capturing groups.  If the string starts
> with a dotted-quad address then the whole address is captured as group 1,
> and the segments are captured as groups 2 - 5.  Whatever is not matched as a
> dotted-quad address is always captured as group 6.  The dotted-quad match is
> all-or-nothing; either four segments will be captured or none.  The sort key
> is then formed as a two-element array: the first element is -1 if no address
> is given, else the 4-byte integer IP address, and the second element is the
> string tail.


John,

That looks great!  I'll give that a try.  (Though possibly after a
delay... I have some higher priority issues on my plate)

Tom

-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



Re: [Puppet Users] file_line - 400 on SERVER: Invalid parameter match on File_line[lsinitgroup]

2015-04-13 Thread Tom Limoncelli
Private to you...

I don't know why that wouldn't work.  However, you might want to
instead put "LS_GROUP=logstash" in the defaults file for that service.
RedHat: /etc/sysconfig/elasticsearch
Debian: /etc/default/elasticsearch

If you look, the init.d file sources that file early enough that the
variable is set for the rest of the script.

Tom


On Sun, Apr 12, 2015 at 7:41 PM, Justin Rovang  wrote:
> I've loosened my 'match' to something as simple as 'cheeseburger' to see if
> it works, same error, I've tried moving match above 'line' too, and have
> confirmed the file_line type exists (the error would be different in that
> case anyway)
>
>
> file_line { 'lsinitgroup':
> ensure => present,
> path => '/etc/init.d/logstash',
> line => 'LS_GROUP=adm',
> match => 'LS_GROUP=logstash'
> }
>
>
> Error:
>
>  Could not retrieve catalog from remote server: Error 400 on SERVER: Invalid
> parameter match on File_line[lsinitgroup] at
> /etc/puppet/modules/logging/manifests/logstash.pp:56 on node FOO.BAR
>
> What am I doing wrong?



-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



[Puppet Users] Generating firewall rules without connection tracking.

2015-04-07 Thread Tom Limoncelli
The puppetlabs-firewall module has a provider called firewall{} which
builds a rule.  I've written a wrapper that either calls it (without
any changes) or, if track => false, generates an equivalent set of
rules that does not use the Linux firewall "connection tracking"
mechanism.  This is useful if you are a high-volume web site and
connection tracking has become a resource hog.

When "track => false", four rules are generated instead:

1. the raw table, chain=PREROUTING, same source and destination, jump=NOTRACK.
2. the raw table, chain=OUTPUT, swap the source and destination, jump=NOTRACK.
3. the filter table, chain=INPUT, same source and destination.
4. the filter table, chain=OUTPUT, swap the source and destination.

NOTE: However if this is an OUTPUT rule, swap the chain in 1 and 2,
and 3 and 4. If you are using ipsets, reverse them in rules 2 and 4.
(Easy to remember, right?)

You can generate these 4 rules by hand, but it is error prone...
especially if you are making many such rules.

My employer (Stack Exchange, Inc.) has graciously given me permission to
open source it:
https://github.com/StackExchange/stackexchange-superfirewall

Enjoy!

Tom

-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com
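
Added example, not part of the original post and not the superfirewall module's own code: a Ruby sketch of the four-rule expansion listed above, including the chain swap for OUTPUT rules and the ipset reversal. The hash keys, function names and sample addresses are assumptions made for illustration, and swapping the ports along with the addresses is also an assumption.

```ruby
# Added example: expand one rule into the four untracked rules from the post.
# Hash keys and helper names are this sketch's own, not the module's API.

REVERSE_CHAIN = { 'INPUT' => 'OUTPUT', 'OUTPUT' => 'INPUT' }.freeze
# In the raw table, inbound packets are seen in PREROUTING, outbound in OUTPUT.
RAW_CHAIN     = { 'INPUT' => 'PREROUTING', 'OUTPUT' => 'OUTPUT' }.freeze
MATCH_KEYS    = %i[proto source destination sport dport ipset].freeze
FLIP_FLAG     = { 'src' => 'dst', 'dst' => 'src' }.freeze

# "admins src" -> "admins dst"; "pairs src,dst" -> "pairs dst,src".
def reverse_ipset(spec)
  return nil if spec.nil?

  name, flags = spec.split(' ', 2)
  raise ArgumentError, "ipset needs direction flags: #{spec.inspect}" if flags.nil?

  flipped = flags.split(',').map do |flag|
    FLIP_FLAG.fetch(flag.strip) { raise ArgumentError, "unknown ipset flag #{flag.inspect}" }
  end
  "#{name} #{flipped.join(',')}"
end

# Match for the return path. Swapping ports together with addresses is an
# assumption of this sketch; the post only mentions source and destination.
def reverse_match(match)
  match.merge(
    source: match[:destination], destination: match[:source],
    sport: match[:dport], dport: match[:sport],
    ipset: reverse_ipset(match[:ipset])
  )
end

# Returns rules 1..4 in the order the post lists them.
def untracked_rules(rule)
  chain = rule.fetch(:chain)
  back_chain = REVERSE_CHAIN.fetch(chain) do
    raise ArgumentError, "only INPUT and OUTPUT rules are handled, got #{chain}"
  end
  action = rule.fetch(:action)
  fwd  = rule.select { |key, _| MATCH_KEYS.include?(key) }
  back = reverse_match(fwd)
  [
    fwd.merge(table: 'raw', chain: RAW_CHAIN.fetch(chain), jump: 'NOTRACK'),
    back.merge(table: 'raw', chain: RAW_CHAIN.fetch(back_chain), jump: 'NOTRACK'),
    fwd.merge(table: 'filter', chain: chain, jump: action),
    back.merge(table: 'filter', chain: back_chain, jump: action)
  ].map { |r| r.reject { |_, value| value.nil? } }
end

# Render as iptables arguments so the result can be compared with `iptables -S`.
def to_iptables(r)
  args = ['-t', r[:table], '-A', r[:chain]]
  args += ['-p', r[:proto]] if r[:proto]
  args += ['-s', r[:source]] if r[:source]
  args += ['-d', r[:destination]] if r[:destination]
  args += ['--sport', r[:sport].to_s] if r[:sport]
  args += ['--dport', r[:dport].to_s] if r[:dport]
  args += ['-m', 'set', '--match-set', *r[:ipset].split(' ')] if r[:ipset]
  (args + ['-j', r[:jump]]).join(' ')
end

# Constructed sample rule (documentation address ranges).
HTTPS_IN = { chain: 'INPUT', proto: 'tcp', source: '198.51.100.0/24',
             destination: '192.0.2.10', dport: 443, action: 'ACCEPT' }.freeze

if __FILE__ == $PROGRAM_NAME
  untracked_rules(HTTPS_IN).each { |r| puts to_iptables(r) }
end
```

With tracking off, the return-path rules match on addresses and ports alone, so for an OUTPUT rule the generated INPUT rule admits any packet from the remote service port, not only replies; keep source and destination as narrow as the service allows.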



[Puppet Users] Sort by IP in ERB (related to puppetlabs-haproxy and MODULES-1919)

2015-04-07 Thread Tom Limoncelli
The puppetlabs-haproxy module has a minor annoyance whereby the
"bind" statements are sorted lexicographically instead of by IP
address.  (Full description here:
https://tickets.puppetlabs.com/browse/MODULES-1919)

My attempt to fix this bug was to change the ERB template:

diff --git a/templates/fragments/_bind.erb b/templates/fragments/_bind.erb
index e60983a..a04d021 100644
--- a/templates/fragments/_bind.erb
+++ b/templates/fragments/_bind.erb
@@ -1,6 +1,6 @@
 <% require 'ipaddr' -%>
 <%- if @bind -%>
-<%- @bind.sort.map do |address_port, bind_params| -%>
+<%- @bind.sort_by { |address_port, bind_params|
address_port.split('.').map{ |octet| octet.to_i} }.map do
|address_port, bind_params| -%>
   bind <%= address_port -%> <%= Array(bind_params).join(" ") %>
 <%- end -%>
 <%- else -%>
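
Review bot: The `sort_by` key on the added line is not a total order, so entries that compare equal can come out in a different sequence from one Ruby version to the next. `address_port.split('.')` leaves the port attached to the last piece (`"1:80".to_i` is 1), so two binds on the same address with different ports get identical keys; `sort_by` is not guaranteed to be stable, and if `@bind` is a Hash (the block takes a key and a value) its iteration order only became insertion-ordered in Ruby 1.9, which fits the 1.8.7 difference described in this message. Keys that are not dotted IPv4 (a hostname, `*:80`, an IPv6 literal) also collapse to zeros. Suggest splitting the port off first and returning something like `[octets, port.to_i, address_port]` so the original string breaks ties, and either using the `ipaddr` library the template already requires or dropping that `require`.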

This works.  However, the results are slightly different on old
versions of Ruby.  If you look at the TravisCI output, you'll see
slightly different results for Ruby 1.8.7.  It looks like something
changed in Ruby 1.9.

https://travis-ci.org/puppetlabs/puppetlabs-haproxy/builds/57502529

I don't have a lot of deep Ruby knowledge. Can anyone suggest either a
way to fix the code or the test?

Thanks!
Tom

-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



Re: [Puppet Users] Re: Use of hash in a conditional assignment doesn't work

2015-03-24 Thread Tom Limoncelli
On Tue, Mar 24, 2015 at 1:11 PM, Nick Howes  wrote:
> On Tuesday, 24 March 2015 15:22:16 UTC, Tom Limoncelli wrote:
>>
>> I'd like to assign $v one hash if $y == 'foo' and a different hash if
>> $y == 'bar'.  However it seems like conditional assignments aren't
>> permitted.
>>
>> $ puppet --version
>> 3.7.3
>>
>> $ cat -n hash-condeq.pp
>>  1 $y = 'foo'
>>  2
>>  3 $v = $y ? {
>>  4  'foo' => { 'x' => 'xfoo', 'y' => 'yfoo', },
>>  5  'bar' => { 'x' => 'xbar', 'y' => 'ybar', }
>>  6 }
>>  7
>>  8 notice($v)
>>  9 notice($v['y'])
>> $ puppet apply hash-condeq.pp
>>
>
> I know most people have a lot of manifests that would be a pain to upgrade,
> but your example works fine in the new parser (`--parser future`) among
> other improvements. If that's an option for you at all I'd recommend it.

This afternoon I figured out a solution that is less verbose.
However, it is good to know this will be fixed in  `--parser future`.

Thanks!
Tom

-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



[Puppet Users] Use of hash in a conditional assignment doesn't work

2015-03-24 Thread Tom Limoncelli
I'd like to assign $v one hash if $y == 'foo' and a different hash if
$y == 'bar'.  However it seems like conditional assignments aren't
permitted.

$ puppet --version
3.7.3

$ cat -n hash-condeq.pp
 1 $y = 'foo'
 2
 3 $v = $y ? {
 4  'foo' => { 'x' => 'xfoo', 'y' => 'yfoo', },
 5  'bar' => { 'x' => 'xbar', 'y' => 'ybar', }
 6 }
 7
 8 notice($v)
 9 notice($v['y'])
$ puppet apply hash-condeq.pp
Error: Could not parse for environment production: Syntax error at
'{'; expected '}' at /tmp/hash-condeq.pp:4 on node
ny-tlim01.ds.stackexchange.com
Error: Could not parse for environment production: Syntax error at
'{'; expected '}' at /tmp/hash-condeq.pp:4 on node
ny-tlim01.ds.stackexchange.com

If I do it the long way and use a case statement, it works:

$ cat -n hash-case.pp
 1 $y = 'foo'
 2
 3 case $y {
 4  'foo': {
 5  $v = { 'x' => 'xfoo', 'y' => 'yfoo', }
 6  }
 7  'bar': {
 8  $v = { 'x' => 'xbar', 'y' => 'ybar', }
 9  }
10 }
11
12 notice($v)
13 notice($v['y'])
$ puppet apply hash-case.pp
Notice: Scope(Class[main]): xxfooyyfoo
Notice: Scope(Class[main]): yfoo
Notice: Compiled catalog for ny-tlim01.ds.stackexchange.com in
environment production in 0.06 seconds
Notice: Finished catalog run in 0.02 seconds

Is there a way to do this with conditional assignments?  I'm updating
code that has a lot of conditional assignments and the data structure
is changing from an array to a hash. The conversion is going to be a
lot more work if there is no syntax that permits conditional
assignment of hashes.

Thanks!
Tom

-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



Re: [Puppet Users] Copying a hash with changes

2015-03-04 Thread Tom Limoncelli
On Sat, Feb 28, 2015 at 2:25 PM, Dan White  wrote:

> $new_hash = {
>   'log' => "${log_ip} local0",
> }
>
> $global_options = merge ( $haproxy::params::global_options, $new_hash )
>

Thanks, Dan!  I'll do that while I wait for Puppet 4.0 (or when I can use
the future parser).

On Sun, Mar 1, 2015 at 6:37 PM, Henrik Lindberg <
henrik.lindb...@cloudsmith.com> wrote:

> In Puppet 4.0 (and in 3x with parser=future) you can do this (i.e. merge a
> hash) directly in the Puppet Language:
>
> $global_options = $haproxy::params::global_options + {
>   'log' => "${log_ip} local0"
> }
>

Henrik, that's great!  I look forward to that addition to Puppet!

Tom
-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



[Puppet Users] Copying a hash with changes

2015-02-28 Thread Tom Limoncelli
I want to copy a hash to a variable but change some settings along the way.

For example:

I have $haproxy::params::global_options (which is a hash) and I want
to create a copy with some changes.

I tried this:
  $global_options = $haproxy::params::global_options += {
  'log' =>  "${log_ip} local0",
  }
But that gives me:
Error: Syntax error at '+='; expected '}' at ...

If I do:
  $global_options = $haproxy::params::global_options
  $global_options['log'] = "${log_ip} local0"
This gives me:
Error: Assigning to the hash 'global_options' with an existing key
'log' is forbidden

Suggestions?

Tom

-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



[Puppet Users] SSL Cert automation for service

2015-01-04 Thread Tom Noonan
Hello, list:
   I'm looking for information/tutorials on using Puppet to generate
SSL certs for a service managed by Puppet, not Puppet itself.  What I
would like to do is give Puppet access to internal CA keys and have it
generate and sign certs for services it manages.  This will allow me to
use CA certs for trust without the pain of hand managing my CA.
   I'm hoping someone had trod this path and can provide pointers, as
this is difficult to Google as I'm not interested in Puppet's internal
certs.  Thanks.

--Tom Noonan II



[Puppet Users] Filebucket

2014-10-29 Thread Tom Tucker
Hello. I have a file bucket question.  I believe I have file bucket
configured correctly.  I am able to backup a change file and restore it.  My
question is how do I get a list of files for a particular host or revisions
for a particular file.


Thanks

Info: /Stage[main]/Sudo/File[/etc/sudoers]: Filebucketed /etc/sudoers to
main with sum a22374b27a4cde79f8416648e567a77c



[Puppet Users] Re: Calling external modules

2014-10-03 Thread Tom Tucker
Disregard...

In my app_tier::class_A file I needed to define the "class::module".

#cat class_A.pp
class app_tier::class_A {



On Fri, Oct 3, 2014 at 1:06 PM, Tom Tucker  wrote:

>
> I am trying to call another class that is not located in the current
> working directory.  What is the correct way of doing this?
>
>
> $mypath/modules/web_app/init.pp
>
> if $hostname =~ /^some_www_regex$/ {
>
> include some_class_A
> include some_class_B
> include app_tier::class_A  # Doesn't work...trying to call an external
> class...
>  }
>
>
> Thank you for your  time,
>
>
>
>



[Puppet Users] Calling external modules

2014-10-03 Thread Tom Tucker
I am trying to call another class that is not located in the current
working directory.  What is the correct way of doing this?


$mypath/modules/web_app/init.pp

if $hostname =~ /^some_www_regex$/ {

include some_class_A
include some_class_B
include app_tier::class_A  # Doesn't work...trying to call an external
class...
 }


Thank you for your  time,



[Puppet Users] Git Repo Strategy

2014-09-30 Thread Tom Tucker
I just got back from PuppetConf last week and several presenters mentioned
using more than one Git repo with Puppet.  Some even recommend having a
repo per module.  For our initial Puppet deployment this seems a bit
excessive.  My plan was to have three repos for each of our environments
(Dev, QA and Production).  The contents of these repos would contain Puppet
Enterprise directory of /etc/puppetlabs/puppet.



Deployment strategy

-   Upload changes to Dev repo
-   Deploy Dev changes to Dev master
-   Test
-   Merge Dev changes to QA repo
-   Rinse and repeat

Thoughts? Any tips for a Puppet and Git newbie in regards to file
hierarchy, Git repo strategies, etc.

Thank you in advance,

Tom


Sample tree and repo of /etc/puppetlabs/puppet

# tree *
auth.conf
autosign.conf
console.conf   # File excluded this is site specific.  We will have a unique Puppet master for each env.
environments
├── development
│   ├── hieradata
│   │   └── environmentX.yaml
│   ├── manifests
│   │   └── site.pp
│   └── modules
└── production
fileserver.conf
hieradata
├── defaults.yaml
├── master.mydomain.com.yaml
└── production.yaml
hiera.yaml [error opening dir]
manifests
├── hieradata
│   └── hostgroups.yaml
└── site.pp
modules
├── custom
puppet.conf   # File excluded this is site specific.  We will have a unique Puppet master for each env.
puppetdb.conf   # File excluded this is site specific.  We will have a unique Puppet master for each env.
routes.yaml
ssl # Directory excluded this is site specific
< extra lines removed>


# cat hiera.yaml
---
:hierarchy:
  - "hieradata/fqdn/%{::fqdn}"
  - "%{environment}/%{::osfamily}"
  - "%{environment}/hieradata/%{::network_location}"
  - "%{environment}/hieradata/%{::systemrole}"
  - "hieradata/common"

:backends:
  - yaml

:yaml:
  :datadir: /etc/puppetlabs/puppet/environments



[Puppet Users] Based way to exclude systems?

2014-09-24 Thread Tom Tucker
I would like to use a profile that would be applied against all Linux based
systems to ensure they have an appropriate /etc/ntp.conf based on their
data center location as defined by Hiera.  My question is how do I deploy
this client based ntp.conf to all Linux systems, but also ensure my four
Linux based NTP server feeding these clients continue to have unique server
based NTP configs?



In other words

I have four data centers and 2000+ systems.  If you are a Linux system and
not marked as an NTP server then use this client ntp.conf.



What is the best way to achieve such?



Thanks in advance,



[Puppet Users] Re: PE 3.3 - Could not find class

2014-08-10 Thread Tom Tucker
Thanks, Chris.  It was a typo with the "manifests" name.

On Sunday, August 10, 2014 4:14:47 PM UTC-4, Tom Tucker wrote:
>
>
> I've been chasing this for a few hours.  I created my own user management 
> module and Puppet can't find it.  I must be overlooking something obvious 
> here.  Module path, ownership, permission, etc. have all been checked.  Any 
> ideas?
>
>
> Info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/hostint.rb
> Error: Could not retrieve catalog from remote server: Error 400 on SERVER: 
> Could not find class sismon_account for dpupmstr4901.domain.com on node 
> dpupmstr4901.domain.com
> Warning: Not using cache on failed catalog
> Error: Could not retrieve catalog; skipping run
>
>
>
> # Init passes validation
> 
> [root@dpupmstr4901 manifest]# puppet parser validate init.pp
> [root@dpupmstr4901 manifest]# 
>
> # modulepath
> ##
> [root@dpupmstr4901 manifest]# puppet config print modulepath
> /etc/puppetlabs/puppet/modules:/opt/puppet/share/puppet/modules
>
>
>
> [root@dpupmstr4901 rc3.d]# cd -
> /etc/puppetlabs/puppet/modules/sismon_account/manifest
>
> [root@dpupmstr4901 manifest]# ls
> init.pp
>
>
> [root@dpupmstr4901 manifest]# cat init.pp 
>  class sismon_account {
>
>  file { "/data/home":
> ensure => "directory",
>   }
>
>  group {'sismon':
>   ensure => present,
>   gid => 3997,
>}
>
>   user { "sismon":
>ensure   => "present",
>comment  => "sismon@${hostname}",
>gid  =>  "3997",
>home => "/data/home/sismon",
>password => "*",
>password_max_age => "9",
>password_min_age => "0",
>shell=> "/bin/bash",
>uid  => "3997",
>managehome => true,
>   }
>
>  file { "/data/home/sismon/.ssh":
> ensure => "directory",
> owner => "3997",
> group => "3997",
> mode  => "0775",
>   }
>
>  file { "/data/home/sismon/.ssh/authorized_keys":
> owner   => "3997",
> group   => "3997",
> mode=> "0400",
> source  => 
> "puppet://$::server/modules/sismon_account/data/home/sismon/.ssh/authorized_keys",
>  }
>
> }
>
>



[Puppet Users] Re: PE 3.3 - Could not find class

2014-08-10 Thread Tom Tucker

[Puppet Users] PE 3.3 - Could not find class

2014-08-10 Thread Tom Tucker

I've been chasing this for a few hours.  I created my own user management 
module and Puppet can't find it.  I must be overlooking something obvious 
here.  Module path, ownership, permission, etc. have all been checked.  Any 
ideas?


Info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/hostint.rb
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: 
Could not find class sismon_account for dpupmstr4901.domain.com on node 
dpupmstr4901.domain.com
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run



# Init passes validation

[root@dpupmstr4901 manifest]# puppet parser validate init.pp
[root@dpupmstr4901 manifest]# 

# modulepath
##
[root@dpupmstr4901 manifest]# puppet config print modulepath
/etc/puppetlabs/puppet/modules:/opt/puppet/share/puppet/modules



[root@dpupmstr4901 rc3.d]# cd -
/etc/puppetlabs/puppet/modules/sismon_account/manifest

[root@dpupmstr4901 manifest]# ls
init.pp


[root@dpupmstr4901 manifest]# cat init.pp 
 class sismon_account {

 file { "/data/home":
ensure => "directory",
  }

 group {'sismon':
  ensure => present,
  gid => 3997,
   }

  user { "sismon":
   ensure   => "present",
   comment  => "sismon@${hostname}",
   gid  =>  "3997",
   home => "/data/home/sismon",
   password => "*",
   password_max_age => "9",
   password_min_age => "0",
   shell=> "/bin/bash",
   uid  => "3997",
   managehome => true,
  }

 file { "/data/home/sismon/.ssh":
ensure => "directory",
owner => "3997",
group => "3997",
mode  => "0775",
  }

 file { "/data/home/sismon/.ssh/authorized_keys":
owner   => "3997",
group   => "3997",
mode=> "0400",
source  => 
"puppet://$::server/modules/sismon_account/data/home/sismon/.ssh/authorized_keys",
 }

}



[Puppet Users] CF3 to PE 3.3 - Hiera Question

2014-08-06 Thread Tom Tucker

I’m in the process of migrating from CFEngine 3 to PE 3.3 so please pardon 
me if my terminology is off.

With CFEngine I could build arrays, define a hostname regex  or define 
network segment variables to gain further control.  How do you do this with 
Hiera?

CFEngine Examples
###
"web_regex" expression => classmatch("^web\d+$")
"mail_servers_array" or => { mailA, mailB, mailC, someSYS, someSYS2}; 
"DC1_DEV_NET" or => { ipv4_10_225_172 };
"DC2_QA_NET" or => { ipv4_10_224_136 };

For example….
If your hostname matches the “web_regex” and you reside in the DC2_QA_NET 
 then do X, Y and Z.

Thanks in advance for your time and assistance.  

Tom



[Puppet Users] Re: SSL error when after restarting httpd. CA information missing/or wrong?

2014-07-08 Thread Tom Hallam
OK, so this is a straight line version of how I debugged the issue.  There 
were a couple more dead ends than described here.

The first thing to notice is the error. I was getting: "certificate verify 
failed: [self signed certificate for 
/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ECM-RHL-001/emailAddress=root@ECM-RHL-001".
This told me a couple of things:

   - The certificate verification was failing.
   - The identity given in the certificate was: 
   
"/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ECM-RHL-001/emailAddress=root@ECM-RHL-001".

I checked the configuration of the Puppet virtual site.  It all looked OK. 
I then turned to openssl (https://www.openssl.org/docs/apps/x509.html) to 
check the certificates.  I used the following (substituting the certificate 
file for cert.pem) to print out the server and CA certificates used in the 
configuration:

openssl x509 -in cert.pem -noout -text 

I decided to have a look at the certificates I got if I connected to the 
server.  Again openssl is your friend (
http://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server).
  
I ran the following with output to separate files for the WEBrick and 
Apache servers.

openssl s_client -showcerts -connect ecm-rhl-001:8140 </dev/null > WEBrick.certs
openssl s_client -showcerts -connect ecm-rhl-001:8140 </dev/null > Apache.certs


This gave me 2 files each with 2 certificates in it.  The first certificate 
is the server certificate and the second is the CA certificate. A brief 
inspection of the files showed that the first certificate was different 
whilst the second the same: ie the server certificates differed but the CA 
certificates were the same. I confirmed this further by splitting each 
certificate out to a separate file and using openssl to print text 
representations as per check on configured certificates above.

So where were the different certificates coming from?  Openssl (again) lets 
me print out an md5 for a certificate and a private key.  The md5 will 
match for matching certificates and keys.

openssl x509 -noout -modulus -in signed/ecm-rhl-001.pem | openssl md5
openssl rsa -noout -modulus -in private_keys/ecm-rhl-001.pem | openssl md5

This allowed me to check that the certificate and private keys matched.  It 
also gave me a quick way to check what keys the certificates that I 
retrieved from the servers matched.  All checked out OK.  I still could not 
locate the elusive certificate that was being returned by the Apache 
server.  I checked a number of possible keys and 

So I went back to look at the Apache configuration and checked all of them 
for 'SSLCertificateFile' using grep. This showed that the "SSL 
Configuration" had a certificate defined in it by default.  A quick check 
using the previous Openssl commands showed that it matched the one returned 
by the Apache server.  A few comments to remove the unwanted site from the 
Apache configuration and everything was working again.

I've installed ssl on a number of Apache servers (debian package, ubuntu 
package & compiled from source) over the last 15 years or so and this is 
the first time the ssl configuration has included a "live" ssl virtual host 
definition.

Tom
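
Added example, not part of the original post: the same checks (does the presented certificate match the configured key, who issued it, is it self-signed) done with Ruby's OpenSSL bindings on constructed certificates. The stand-in CA, the keys and the function names are assumptions generated for the example, and the modulus is hashed with SHA-256 instead of md5.

```ruby
require 'openssl'
require 'digest'

# Build an X.509 certificate; with no issuer given it is self-signed.
def make_cert(common_name, key, issuer_cert: nil, issuer_key: key, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Same idea as `openssl x509|rsa -noout -modulus ... | openssl md5`:
# a certificate and a private key belong together when the moduli match.
def modulus_fingerprint(cert_or_key)
  rsa = cert_or_key.is_a?(OpenSSL::X509::Certificate) ? cert_or_key.public_key : cert_or_key
  Digest::SHA256.hexdigest(rsa.n.to_s(16))
end

# Compare the certificate a server presented with what the vhost is configured
# to serve. Returns a list of findings; an empty list means it is the right one.
def diagnose(presented, configured_cert, configured_key, ca_cert)
  findings = []
  if presented.subject.to_s == presented.issuer.to_s &&
     presented.verify(presented.public_key)
    findings << :self_signed
  end
  unless presented.issuer.to_s == ca_cert.subject.to_s &&
         presented.verify(ca_cert.public_key)
    findings << :not_issued_by_ca
  end
  unless modulus_fingerprint(presented) == modulus_fingerprint(configured_key)
    findings << :key_mismatch
  end
  findings << :not_configured_cert unless presented.to_der == configured_cert.to_der
  findings
end

# Constructed test data: a stand-in CA, the certificate the Puppet vhost is
# configured with, and a self-signed certificate like the one a default SSL
# virtual host would serve.
def build_fixture
  ca_key, puppet_key, default_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  ca = make_cert('Constructed Puppet CA', ca_key)
  {
    ca: ca,
    puppet_key: puppet_key,
    puppet_cert: make_cert('ecm-rhl-001', puppet_key,
                           issuer_cert: ca, issuer_key: ca_key, serial: 2),
    default_vhost_cert: make_cert('ECM-RHL-001', default_key)
  }
end

FIXTURE = build_fixture

if __FILE__ == $PROGRAM_NAME
  %i[puppet_cert default_vhost_cert].each do |name|
    result = diagnose(FIXTURE[name], FIXTURE[:puppet_cert],
                      FIXTURE[:puppet_key], FIXTURE[:ca])
    puts "#{name}: #{result.empty? ? 'ok' : result.join(', ')}"
  end
end
```

In real use the `presented` certificate is the first one printed by `openssl s_client -showcerts`, loaded with `OpenSSL::X509::Certificate.new(File.read(path))`.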




[Puppet Users] Re: SSL error when after restarting httpd. CA information missing/or wrong?

2014-07-08 Thread Tom Hallam
It took a bit of digging - but I did work out what the issue was.  I'll give 
the solution first and then an overview of how I diagnosed the issue.  It 
may be useful to others with SSL issues.

I was running Puppet on a Red Hat server.  By default Red Hat installs an 
SSL configuration in /etc/httpd/conf.d. The Puppet server's default 
configuration is also installed in /etc/httpd/conf.d and loads before the 
SSL configuration.  I'd moved the puppet configuration (a virtual host / 
site ) to /etc/httpd/sites-available so it now loads after the SSL 
configuration and is in the same location as other sites / virtual hosts.  
Unfortunately the default Red Hat SSL configuration includes a virtual host 
with a self signed certificate.  Unlike other SSL configuration these are 
not commented out.  

SSL certificates are selected on a per IP basis.  The first one loaded by 
Apache for an IP takes precedence.  The Red Hat SSL certificate was 
therefore loading and the one in the Puppet configuration was being 
silently ignored.  The solution was simple: comment out the unused virtual 
host configuration in the default Red Hat SSL configuration.

I'll follow up later on how I debugged this issue.

Tom
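
The load-order problem described in this message, as an added example (not part of the original post): given Apache config files in the order they are loaded, it lists each virtual host's certificate and marks any virtual host on an address that an earlier file already claimed. Addresses are compared exactly as written, the caller supplies the load order, and the sample configs, address and certificate paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: vhost_cert_precedence FILE... (files in the order Apache loads them)

# Prints one line per <VirtualHost> address that carries an
# SSLCertificateFile: address, config file, certificate, first|later.
# "first" is the virtual host loaded first for that address; "later"
# entries are the ones the post found being silently ignored.
vhost_cert_precedence() {
    awk '
        BEGIN { OFS = "\t" }
        # Opening tag: remember every address this virtual host binds to.
        tolower($1) == "<virtualhost" {
            in_vhost = 1; cert = ""; n = 0
            for (i = 2; i <= NF; i++) {
                a = $i
                sub(/>$/, "", a)
                if (a != "") addr[++n] = a
            }
            next
        }
        # Active directive only: a commented line has "#" in its first field.
        in_vhost && tolower($1) == "sslcertificatefile" { cert = $2 }
        in_vhost && tolower($1) == "</virtualhost>" {
            if (cert != "") {
                for (i = 1; i <= n; i++) {
                    status = (addr[i] in seen) ? "later" : "first"
                    seen[addr[i]] = 1
                    print addr[i], FILENAME, cert, status
                }
            }
            in_vhost = 0
        }
    ' "$@"
}

# Constructed sample: a distribution-style default SSL virtual host in
# conf.d and a Puppet master virtual host moved to sites-available.
write_sample_configs() {
    dir=$1
    mkdir -p "$dir/conf.d" "$dir/sites-available" || return 1
    cat > "$dir/conf.d/ssl.conf" <<'EOF'
# constructed sample, not a real distribution file
#<VirtualHost 192.0.2.10:443>
#    SSLCertificateFile /etc/example/unused.crt
#</VirtualHost>
<VirtualHost 192.0.2.10:8140>
    SSLEngine on
    SSLCertificateFile /etc/example/selfsigned.crt
</VirtualHost>
EOF
    cat > "$dir/sites-available/puppetmaster.conf" <<'EOF'
# constructed sample
<VirtualHost 192.0.2.10:8140>
    SSLEngine on
    SSLCertificateFile /etc/example/puppet-master.pem
</VirtualHost>
EOF
}
```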



[Puppet Users] SSL error when after restarting httpd. CA information missing/or wrong?

2014-06-25 Thread Tom Hallam
Hi everybody

I've been running puppet under Apache/Passenger for some time.  I restarted 
Apache this morning and I'm getting the following error

---
[root@ecm-rhl-032 ~]# puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will 
continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate 
B: certificate verify failed: [self signed certificate for 
/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ECM-RHL-001/emailAddress=root@ECM-RHL-001]
Info: Retrieving pluginfacts
---

If I switch back to the WEBrick server it all works...
Apache/Passenger configuration has not been changed.

Digging into SSL, it looks like the CA information is missing when I run 
Apache/Passenger but not when I run WEBrick.

Where does WEBrick get its Certificate information from?  How do I check 
what values it's using?
Where does the Puppet agent get its Certificate information from?  How do I 
check what values it's using?

Tom



[Puppet Users] Re: puppet forge module puppetlabs-puppetdb

2014-06-12 Thread Tom Verdaat
Looks vaguely familiar.

Using the puppetdb and postgresql master branches from github and this is 
all I've got:

  class { 'puppetdb': }
  class { 'puppetdb::master::config':
    puppet_service_name => 'apache2',
    require             => Class['puppetdb'],
  }

Works fine with Foreman. Like Ken Barber just mentioned: check if there is 
no other reference to Puppetdb::Database::Postgresql in your manifests.

Tom




On Thursday 12 June 2014 14:10:30 UTC+2, Salty Old Cowdawg wrote:
>
> Trying to use the puppetlabs-puppetdb module to set up my puppet master to 
> use stored configs using puppetdb alongside foreman.
>
> In a config group I dropped in class puppetdb and puppetdb::master::config. 
>  
>
> Here's the error I'm seeing:
>
> Error: Could not retrieve catalog from remote server: Error 400 on SERVER: 
> Duplicate declaration: Class[Puppetdb::Database::Postgresql] is already 
> declared; cannot redeclare at 
> /etc/puppet/environments/production/modules/puppetdb/manifests/init.pp:108 
> on node mcadprod1.mca.sharkrivertech.com
> Warning: Not using cache on failed catalog
> Error: Could not retrieve catalog; skipping run
>
> Is there a workaround for this?
>
>
> -- 
>
> Peter L. Berghold   salty@gmail.com 
>
> http://blog.berghold.net
>  



Re: [Puppet Users] Re: MySQL Module Root Password issue RHEL6

2014-04-23 Thread Tom Ford
/.my.cnf is correct, /root/.my.cnf is never created.
I am using puppet 2.7.23 from the debian wheezy repositories, I think the 
problem is that the 2.X versions of the puppetlabs/mysql module are not 
fully compatible with this version of puppet. I think perhaps it is missing 
some facts or other feature - strange that it does not error though!

On Wednesday, 23 April 2014 20:06:31 UTC+1, Cristian Falcas wrote:
>
> Is this a typo? 
> rm -f /.my.cnf 
>
> I think it should be /root/.my.cnf 
>
> Best regards 
> Cristian Falcas 
>
>
> On Wed, Apr 23, 2014 at 6:01 PM, Tom Ford wrote: 
> > We are having exactly the same problem on Debian Wheezy - did you ever 
> find 
> > a solution Justin? 
> > 
> > We have set root_password to the new password we want to use and 
> > old_root_password => ''. The /.my.cnf is created with the root password 
> but 
> > root's password is still blank (if you check the mysql.user table, 
> > password column to confirm). 
> > In addition setting remove_default_accounts => true is not deleting the 
> > default mysql accounts or the test database. 
> > 
> > Any ideas? 
> > 
> > 
> > On Thursday, 6 February 2014 02:55:19 UTC, Justin Sevier wrote: 
> >> 
> >> Hi All, 
> >> 
> >> I did search and found this article before I posted: 
> >> 
> https://groups.google.com/forum/#!searchin/puppet-users/mysql$20root/puppet-users/nEZ9bDcaBJE/4O0hN459g9oJ
>  
> >> 
> >> Unfortunately there really wasn't a resolution as far as I can see. 
> >> 
> >> The situation: 
> >> I am trying to setup a test environment to evaluate if Puppet will work 
> to 
> >> automate my deployments.  I deployed a couple vm's from my templates 
> which 
> >> have RHEL 6 and MySQL is already pre-installed.  I am trying to get 
> MySQL 
> >> installed with a root password but it appears to not be working.  I 
> have run 
> >> the following to try and remove all traces of MySQL: 
> >> 
> >> yum remove mysql 
> >> rm -f /etc/my.cnf 
> >> rm -rf /var/lib/mysql 
> >> rm -rf /etc/mysql 
> >> rm -rf /etc/mysql/conf.d 
> >> rm -f /var/log/mysqld.log.rpmsave 
> >> rm -rf /var/backup/mysql 
> >> rm -f /etc/cron.daily/mysqlbackup 
> >> rm -f /root/.mysql_history 
> >> rm -f /.my.cnf 
> >> 
> >> When I attempt to install with Puppet MySQL installs but I can login 
> with 
> >> no password.  The /.my.cnf file is created with the correct password 
> but 
> >> even if I try to login with it using mysql -uroot -p and specify the 
> >> password it fails.  It really seems as though the password is NOT being 
> set? 
> >> 
> >> I am using the following in my site.pp for testing: 
> >> 
> >> class { '::mysql::server': 
> >>   root_password => 'passwordtest', 
> >>   override_options => { 'mysqld' => { 'max_connections' => '1024' } } 
> >> } 
> >> 
> >> Below you'll find the complete output of the debug run.  I'm hoping 
> >> someone can point me in the right direction as I haven't been able to 
> figure 
> >> this out now for a few days. 
> >> 
> >> 
> >> debug: /Stage[main]/Mysql::Server::Config/before: requires 
> >> Class[Mysql::Server::Service] 
> >> debug: /File[/etc/mysql/conf.d]/notify: subscribes to 
> >> Class[Mysql::Server::Service] 
> >> debug: /Stage[deploy_app]/before: requires Stage[deploy] 
> >> debug: /Stage[main]/Mysql::Server::Install/before: requires 
> >> Class[Mysql::Server::Config] 
> >> debug: /Stage[main]//require: requires Class[Stdlib] 
> >> debug: /File[/.my.cnf]/require: requires Mysql_user[root@localhost] 
> >> debug: /Stage[setup_app]/before: requires Stage[deploy_app] 
> >> debug: /Stage[main]/Mysql::Server::Providers/before: requires 
> >> Anchor[mysql::server::end] 
> >> debug: /Stage[setup]/before: requires Stage[main] 
> >> debug: /File[/etc/my.cnf]/notify: subscribes to 
> >> Class[Mysql::Server::Service] 
> >> debug: /Stage[main]/Mysql::Server/Anchor[mysql::server::start]/before: 
> >> requires Class[Mysql::Server::Install] 
> >> debug: /Stage[main]/Mysql::Server::Service/before: requires 
> >> Class[Mysql::Server::Root_password] 
> >> debug: /File[/etc/httpd/conf.d/ewh.conf]/notify: subscribes to 
> >> Service[httpd] 
> >> debug: /File[/etc/mysql]/notify: subs

[Puppet Users] Re: MySQL Module Root Password issue RHEL6

2014-04-23 Thread Tom Ford
We are having exactly the same problem on Debian Wheezy - did you ever find 
a solution Justin?

We have set root_password to the new password we want to use and 
old_root_password => ''. The /.my.cnf is created with the root password but 
root's password is still blank (if you check the mysql.user table, 
password column to confirm).
In addition setting remove_default_accounts => true is not deleting the 
default mysql accounts or the test database.

Any ideas?


On Thursday, 6 February 2014 02:55:19 UTC, Justin Sevier wrote:
>
> Hi All,
>
> I did search and found this article before I posted:  
> https://groups.google.com/forum/#!searchin/puppet-users/mysql$20root/puppet-users/nEZ9bDcaBJE/4O0hN459g9oJ
>
> Unfortunately there really wasn't a resolution as far as I can see.  
>
>
> *The situation:* I am trying to setup a test environment to evaluate if 
> Puppet will work to automate my deployments.  I deployed a couple vm's from 
> my templates which have RHEL 6 and MySQL is already pre-installed.  I am 
> trying to get MySQL installed with a root password but it appears to not be 
> working.  I have run the following to try and remove all traces of MySQL:
>
> yum remove mysql 
> rm -f /etc/my.cnf
> rm -rf /var/lib/mysql
> rm -rf /etc/mysql
> rm -rf /etc/mysql/conf.d
> rm -f /var/log/mysqld.log.rpmsave
> rm -rf /var/backup/mysql
> rm -f /etc/cron.daily/mysqlbackup
> rm -f /root/.mysql_history
> rm -f /.my.cnf
>
> When I attempt to install with Puppet MySQL installs but I can login with 
> no password.  The /.my.cnf file is created with the correct password but 
> even if I try to login with it using mysql -uroot -p and specify the 
> password it fails.  It really seems as though the password is NOT being 
> set?  
>
> I am using the following in my site.pp for testing:
>
> class { '::mysql::server':
>   root_password => 'passwordtest',
>   override_options => { 'mysqld' => { 'max_connections' => '1024' } }
> }
>
> Below you'll find the complete output of the debug run.  I'm hoping 
> someone can point me in the right direction as I haven't been able to 
> figure this out now for a few days.
>
>
> debug: /Stage[main]/Mysql::Server::Config/before: requires 
> Class[Mysql::Server::Service]
> debug: /File[/etc/mysql/conf.d]/notify: subscribes to 
> Class[Mysql::Server::Service]
> debug: /Stage[deploy_app]/before: requires Stage[deploy]
> debug: /Stage[main]/Mysql::Server::Install/before: requires 
> Class[Mysql::Server::Config]
> debug: /Stage[main]//require: requires Class[Stdlib]
> debug: /File[/.my.cnf]/require: requires Mysql_user[root@localhost]
> debug: /Stage[setup_app]/before: requires Stage[deploy_app]
> debug: /Stage[main]/Mysql::Server::Providers/before: requires 
> Anchor[mysql::server::end]
> debug: /Stage[setup]/before: requires Stage[main]
> debug: /File[/etc/my.cnf]/notify: subscribes to 
> Class[Mysql::Server::Service]
> debug: /Stage[main]/Mysql::Server/Anchor[mysql::server::start]/before: 
> requires Class[Mysql::Server::Install]
> debug: /Stage[main]/Mysql::Server::Service/before: requires 
> Class[Mysql::Server::Root_password]
> debug: /File[/etc/httpd/conf.d/ewh.conf]/notify: subscribes to 
> Service[httpd]
> debug: /File[/etc/mysql]/notify: subscribes to 
> Class[Mysql::Server::Service]
> debug: /Stage[main]/Mysql::Server::Root_password/before: requires 
> Class[Mysql::Server::Providers]
> debug: /Stage[setup_infra]/before: requires Stage[deploy_infra]
> debug: /Stage[runtime]/require: requires Stage[main]
> debug: /Stage[runtime]/before: requires Stage[setup_infra]
> debug: /Stage[deploy_infra]/before: requires Stage[setup_app]
> debug: /File[/etc/mysql/conf.d]: Autorequiring File[/etc/mysql]
> debug: /Schedule[daily]: Skipping device resources because running on a 
> host
> debug: /Schedule[monthly]: Skipping device resources because running on a 
> host
> debug: /Schedule[hourly]: Skipping device resources because running on a 
> host
> debug: /Schedule[never]: Skipping device resources because running on a 
> host
> debug: Prefetching yum resources for package
> debug: Puppet::Type::Package::ProviderYum: Executing '/bin/rpm --version'
> debug: Puppet::Type::Package::ProviderYum: Executing '/bin/rpm -qa 
> --nosignature --nodigest --qf '%{NAME} %|EPOCH?{%{EPOCH}}:{0}| %{VERSION} 
> %{RELEASE} %{ARCH}
> ''
> debug: Puppet::Type::Package::ProviderYum: Executing '/bin/rpm -q 
> mysql-server --nosignature --nodigest --qf %{NAME} %|EPOCH?{%{EPOCH}}:{0}| 
> %{VERSION} %{RELEASE} %{ARCH}
> '
> debug: Package[mysql-server](provider=yum): Ensuring => present
> debug: Puppet::Type::Package::ProviderYum: Executing '/usr/bin/yum -d 0 -e 
> 0 -y install mysql-server'
> debug: Puppet::Type::Package::ProviderYum: Executing '/bin/rpm -q 
> mysql-server --nosignature --nodigest --qf %{NAME} %|EPOCH?{%{EPOCH}}:{0}| 
> %{VERSION} %{RELEASE} %{ARCH}
> '
> notice: /Stage[main]/Mysql::Server::Install/Package[mysql-server]/ensure: 
> created
> debug: /Stage[main]/Mysql::Server::Install/Package[mysql-ser

Re: [Puppet Users] Emergency Certificate Revocation Procedure

2014-04-09 Thread Tom

Thank you Nan,

It looks like Puppet Labs have recognised the importance of this, and I 
guess this thread should defer to the guidance that Eric Sorenson just 
posted to the list!


Thank you for your help!

Tom.

On 08/04/14 15:01, Nan Liu wrote:
On Tue, Apr 8, 2014 at 12:57 AM, Tom <t...@t0mb.net> wrote:



In light of the recently publicised vulnerability in OpenSSL
versions provided on RHEL6/CentOS6 <http://heartbleed.com/>, do you have
any recommendations on a procedure to regenerate new master certificates
and then revoke, clean and re-sign all client SSL certificates?

I think it'd be great in my organisation to have a bullet proof
procedure for the future, as well as getting around this current
problem.

Thanks for any assistance.


Puppet Labs had a CVE around a puppet master certificate issue. It 
only replaces the master cert, but from what I recall a module 
automates this step. You can see if the remediation tool kit is still 
suitable for this purpose:


http://puppetlabs.com/security/cve/cve-2011-3872

http://puppetlabs.com/security/cve/cve-2011-3872/faq#q9
http://puppetlabs.com/security/cve/cve-2011-3872/faq#q11

Thanks,

Nan


Re: [Puppet Users] Emergency Certificate Revocation Procedure

2014-04-09 Thread Tom

Hi Matthew,

Use your imagination.  Puppet is not directly accessible to the 
internet, but there are puppet clients which are.  Shared web servers, 
mail servers etc.  I'm paid to be paranoid..


Thanks.  Tom.

On 08/04/14 20:43, Matthew Burgess wrote:



On 8 Apr 2014 09:29, "Tom" <t...@t0mb.net> wrote:
>
> Hi,
>
> In light of the recently publicised vulnerability in OpenSSL 
versions provided on RHEL6/CentOS6 http://heartbleed.com/, do you have 
any recommendations on a procedure to regenerate new master 
certificates and then revoke, clean and re-sign all client SSL 
certificates?


Whilst I can't offer any direct answer to your question, and agree 
that it's a generally useful thing to have in the toolbox, I'm 
slightly inquisitive as to why you feel that action is necessary for 
this vulnerability. Is your Puppet Master accessible publicly via 
the Internet and if so, why is that? If it isn't directly accessible 
via the Internet who/what is it that you think could have exploited 
the vulnerability?


Thanks,

Matt



[Puppet Users] Emergency Certificate Revocation Procedure

2014-04-08 Thread Tom

Hi,

In light of the recently publicised vulnerability in OpenSSL versions 
provided on RHEL6/CentOS6 <http://heartbleed.com/>, do you have any 
recommendations on a procedure to regenerate new master certificates and 
then revoke, clean and re-sign all client SSL certificates?


I think it'd be great in my organisation to have a bullet proof 
procedure for the future, as well as getting around this current problem.


Thanks for any assistance.

Tom.



[Puppet Users] Re: Puppet fails to run if ruby1.8 is not installed.

2014-04-04 Thread Tom Poulton
I was running into this problem as well so I ran:

sudo cp -r /usr/lib/ruby/site_ruby/1.8/* /usr/local/share/ruby/site_ruby/2.0/

/usr/local/share/ruby/site_ruby/2.0/ is part of the $LOAD_PATH so I figured 
why not stick the files in there and see what happens, now I can run puppet 
--version plus facter ipaddress etc. That's all I've run so far so there 
might be some weirdness down the line, but it's a start!?

It would be better if it was a symlink or something so you wouldn't have to 
run this again after a yum update, but hopefully puppetlabs will release a 
new RPM soon that works, I'm guessing they will now that AWS are running 
ruby 2.0.0 as default!?



[Puppet Users] hiera_config ignored if in an environment block

2014-04-02 Thread Tom Blich
Per-environment Blocks

Blocks named for environments <http://docs.puppetlabs.com/guides/environment.html> are 
the most specific, and can override settings in the run mode blocks. Only a 
small number of settings (specifically: modulepath, manifest, manifestdir, 
and templatedir) can be set in a per-environment block; any other settings 
will be ignored and read from a run mode or main block.


Any idea of when hiera_config might be one of these variables that can be 
put in environment blocks? 

puppet config print shows that they've changed, but they are not utilized.

Unless I'm missing something.




Thanks,
Tom




[Puppet Users] Using Puppet with a self-signed ssl certificate

2014-03-26 Thread Tom Albrecht
The corporate environment I'm in is doing ssl decryption on their traffic, 
and therefore requires a corporate self-signed ssl certificate to be 
installed on any clients throughout the enterprise.

I have a puppet server (CentOS 6.5) with the cert installed, and the agent 
on the server will no longer connect to itself.  I get the following error:

[root@foo certs]# puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will 
continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate 
B: certificate verify failed: [self signed certificate in certificate chain 
for ...]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources 
using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read 
server certificate B: certificate verify failed: [self signed certificate 
in certificate chain for ...]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect 
returned=1 errno=0 state=SSLv3 read server certificate B: certificate 
verify failed: [self signed certificate in certificate chain for ...] Could 
not retrieve file metadata for puppet://taisrsvr01/plugins: SSL_connect 
returned=1 errno=0 state=SSLv3 read server certificate B: certificate 
verify failed: [self signed certificate in certificate chain for ...]
Error: Could not retrieve catalog from remote server: SSL_connect 
returned=1 errno=0 state=SSLv3 read server certificate B: certificate 
verify failed: [self signed certificate in certificate chain for ...]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 
read server certificate B: certificate verify failed: [self signed 
certificate in certificate chain for ...]

The "..." is information on the self-signed cert.  I've already been 
banging my head just trying to get the whole ssl cert stuff working, and 
it's very possible I screwed something up.

Any ideas?



Re: [Puppet Users] SSL Certificate errors - Migrating from build in webserver to Apache and Passenger

2014-03-22 Thread Tom Hallam
Hi Spencer

That's fixed the ssl issue.  Not sure where I got the /etc/puppet/ssl... 
from.  

I've got some "access denied" issues now.  Trace them down another day

Thanks for the help

Tom

On Sunday, 23 March 2014 02:16:12 UTC+8, Tom Hallam wrote:
>
> Ahh, those lines are different.  The ones I have point to 
> /etc/puppet/ssl  Yep, the certs you've just pointed to look like they 
> match what I'm getting from WEBrick.  
>



Re: [Puppet Users] SSL Certificate errors - Migrating from build in webserver to Apache and Passenger

2014-03-22 Thread Tom Hallam
Ahh, those lines are different.  The ones I have point to 
/etc/puppet/ssl  Yep, the certs you've just pointed to look like they 
match what I'm getting from WEBrick.  


On Sunday, 23 March 2014 01:59:50 UTC+8, Spencer Krum wrote:
>
> You should have several lines in your apache vhost pointing to specific 
> ssl certs. Can you verify that all these paths are correct?
>
> Specifically the lines beginning with SSL in 
> http://docs.puppetlabs.com/guides/passenger.html#create-and-enable-the-puppet-master-vhost
>
>
> On Sat, Mar 22, 2014 at 7:51 AM, Tom Hallam  wrote:
>
>> Hi All
>>
>>
>> I've been running Puppet using the built-in web server and I'm now moving 
>> to Apache and Passenger.  I've completed the installation and started 
>> testing. If I run
>>
>>
>> puppet agent --test --noop
>>
>>
>> I get the following error (domain removed)
>>
>>
>> Warning: Unable to fetch my node definition, but the agent run will 
>> continue:
>>
>> Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server 
>> certificate B: certificate verify failed: [certificate signature failure 
>> for /CN=ecm-rhl-001...]
>>
>> Info: Retrieving plugin
>>
>> Error: /File[/var/lib/puppet/lib]: Failed to generate additional 
>> resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 
>> read server certificate B: certificate verify failed: [certificate 
>> signature failure for /CN=ecm-rhl-001...]
>>
>> Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect 
>> returned=1 errno=0 state=SSLv3 read server certificate B: certificate 
>> verify failed: [certificate signature failure for /CN=ecm-rhl-001] 
>> Could not retrieve file metadata for puppet://puppet/plugins: 
>> SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: 
>> certificate verify failed: [certificate signature failure for 
>> /CN=ecm-rhl-001...]
>>
>> Error: Could not retrieve catalog from remote server: SSL_connect 
>> returned=1 errno=0 state=SSLv3 read server certificate B: certificate 
>> verify failed: [certificate signature failure for /CN=ecm-rhl-001...]
>>
>> Warning: Not using cache on failed catalog
>>
>> Error: Could not retrieve catalog; skipping run
>>
>> Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 
>> read server certificate B: certificate verify failed: [certificate 
>> signature failure for /CN=ecm-rhl-001...]
>>
>> If I turn apache off and the built in webserver back on it all works.
>>
>>
>> The server I'm running puppet on has a CNAME "puppet" 
>> that points to its real name "ecm-rhl-001...".  Apache site is configured 
>> with "ecm-rhl-001..." as the servername and  "puppet..." as server 
>> alias.  The system returns 'ecm-rhl-001' for hostname and 
>>  'ecm-rhl-001' for hostname -f.  The certificate has "ecm-rhl-001..." 
>> as its CN and "puppet..." as one of its "alt names".  Obviously the cert is 
>> OK as it works with the built in webserver. It looks like I'm missing 
>> something in the apache SSL or Passenger configuration but I have no idea 
>> what.
>>
>>
>> I've tried various permutations of servername and serveralias without 
>> success.  Changing the server name in the agent configuration so it uses 
>> the real name instead of the CNAME also does not fix the issue.
>>
>>
>> Any suggestions?
>>
>>
>> Tom
>>
>>
>
>
>
> -- 
> Spencer Krum
> (619)-980-7820 
>



[Puppet Users] Re: SSL Certificate errors - Migrating from build in webserver to Apache and Passenger

2014-03-22 Thread Tom Hallam
Hi

Just tried

openssl s_client -connect puppet...:8140 -showcerts > /tmp/file


To get the certificates from each server and they are not the same.  I've 
checked /etc/puppet/ssl and the Passenger configuration is giving me the 
same certificates as are in there.  Can't find ones that match WEBrick's 
certificates.


Tom



[Puppet Users] SSL Certificate errors - Migrating from build in webserver to Apache and Passenger

2014-03-22 Thread Tom Hallam


Hi All


I've been running Puppet using the built-in web server and I'm now moving 
to Apache and Passenger.  I've completed the installation and started 
testing. If I run


puppet agent --test --noop


I get the following error (domain removed)


Warning: Unable to fetch my node definition, but the agent run will 
continue:

Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate 
B: certificate verify failed: [certificate signature failure for 
/CN=ecm-rhl-001...]

Info: Retrieving plugin

Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources 
using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read 
server certificate B: certificate verify failed: [certificate signature 
failure for /CN=ecm-rhl-001...]

Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect 
returned=1 errno=0 state=SSLv3 read server certificate B: certificate 
verify failed: [certificate signature failure for /CN=ecm-rhl-001] 
Could not retrieve file metadata for puppet://puppet/plugins: 
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: 
certificate verify failed: [certificate signature failure for 
/CN=ecm-rhl-001...]

Error: Could not retrieve catalog from remote server: SSL_connect 
returned=1 errno=0 state=SSLv3 read server certificate B: certificate 
verify failed: [certificate signature failure for /CN=ecm-rhl-001...]

Warning: Not using cache on failed catalog

Error: Could not retrieve catalog; skipping run

Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 
read server certificate B: certificate verify failed: [certificate 
signature failure for /CN=ecm-rhl-001...]

If I turn apache off and the built in webserver back on it all works.


The server I'm running puppet on has a CNAME "puppet" that 
points to its real name "ecm-rhl-001...".  Apache site is configured with 
"ecm-rhl-001..." as the servername and "puppet..." as server alias.  The 
system returns 'ecm-rhl-001' for hostname and 'ecm-rhl-001' for 
hostname -f.  The certificate has "ecm-rhl-001..." as its CN and 
"puppet..." as one of its "alt names".  Obviously the cert is OK as it 
works with the built in webserver. It looks like I'm missing something in 
the apache SSL or Passenger configuration but I have no idea what.


I've tried various permutations of servername and serveralias without 
success.  Changing the server name in the agent configuration so it uses 
the real name instead of the CNAME also does not fix the issue.


Any suggestions?


Tom

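The error in this thread, "certificate signature failure", is what OpenSSL reports when a served certificate names an issuer the client trusts but was not signed with that issuer's key. The Ruby sketch below is an added example, not code from the thread: it builds a constructed in-memory CA and two host certificates and runs the two checks discussed here, comparing fingerprints and verifying each certificate against the agent's copy of the CA. All names and keys are made up, and that a CA key mismatch is the cause on the poster's system is an assumption.

```ruby
require 'openssl'

# Constructed PKI: every name and key below is generated for this example.
def build_cert(subject:, issuer:, key:, signing_key:, serial:, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = OpenSSL::X509::Name.parse(issuer)
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(signing_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# SHA-256 over the DER encoding: two servers presenting the same certificate
# must produce the same value.
def fingerprint(cert)
  OpenSSL::Digest.new('SHA256').hexdigest(cert.to_der)
end

# Verify a served certificate the way an agent does: against its own CA copy.
def verify_against(ca_cert, served_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  ok = store.verify(served_cert)
  { ok: ok, code: store.error, reason: store.error_string }
end

def demo
  ca_dn = '/CN=Constructed Puppet CA'    # hypothetical CA name
  host_dn = '/CN=master.example.test'    # hypothetical master name
  agent_ca_key = OpenSSL::PKey::RSA.new(2048) # key of the CA the agent trusts
  other_ca_key = OpenSSL::PKey::RSA.new(2048) # a different CA key, same CA name
  host_key = OpenSSL::PKey::RSA.new(2048)

  agent_ca = build_cert(subject: ca_dn, issuer: ca_dn, key: agent_ca_key,
                        signing_key: agent_ca_key, serial: 1, ca: true)
  # Certificate A: issued by the CA key the agent trusts.
  cert_a = build_cert(subject: host_dn, issuer: ca_dn, key: host_key,
                      signing_key: agent_ca_key, serial: 2)
  # Certificate B: same subject and issuer name, signed by the other key.
  cert_b = build_cert(subject: host_dn, issuer: ca_dn, key: host_key,
                      signing_key: other_ca_key, serial: 3)

  {
    same_fingerprint: fingerprint(cert_a) == fingerprint(cert_b),
    cert_a: verify_against(agent_ca, cert_a),
    cert_b: verify_against(agent_ca, cert_b)
  }
end

if __FILE__ == $PROGRAM_NAME
  result = demo
  puts "fingerprints equal: #{result[:same_fingerprint]}"
  puts "certificate A: #{result[:cert_a][:reason]}"
  puts "certificate B: #{result[:cert_b][:reason]}"
end
```

On a real master the same two checks apply to the certificate each web server presents and to the CA certificate the agent holds locally.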


[Puppet Users] puppet agent gives error undefined method `empty?' for nil:NilClass

2014-02-25 Thread Tom Hanstra
I have a puppet master which has over 50 puppet agents talking to it just 
fine.  But I have one particular server on which the agent, after 
connecting and exchanging keys, gives the following error:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: 
undefined method `empty?' for nil:NilClass at 
/etc/puppet/modules/server/iptables/manifests/init.pp:7 on node 
curatevanilla.library.nd.edu
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

Having read other posts, and knowing that we do use hiera, this looks like 
a hiera problem.  If I comment out classes which don't use hiera, the agent 
will run them all.  But add in any which use hiera and that will be the 
class which fails (iptables above is just the first one it hits).

How do I best track down where the problem really is?  I have made sure 
that the /etc/hiera.yaml file is in place and it matches other servers 
which work.  I've tried clearing out /var/lib/puppet on the server and 
letting that get rebuilt.  If I move /var/lib/hiera out of the way, it does 
not get rebuilt, probably because the download does not get that far.  Any 
suggestions on what might allow me to find the conflict?

Thanks,
Tom



Re: [Puppet Users] Simplest manner to print a node's catalog

2013-11-11 Thread Tom Noonan
Nice, I didn't think to check the master arguments.  Gracias!

On Mon, 11 Nov 2013 19:21:43 -0600
Joe Esposito  wrote:

> Hey Tom,
> 
> This works on puppet 2.6.3 (on Ubuntu 10.04)
> 
> #puppet master --compile nodename
> 
> Joe Esposito
> 
> 
> On Mon, Nov 11, 2013 at 1:44 PM, Thomas Noonan II 
> wrote:
> 
> > Hello, list:
> > Today a coworker and I were trying to find the easiest way
> > to print the catalog for a node running Puppet 2.6.x (I know, I
> > advised an upgrade) and were coming up empty handed.  On a Puppet
> > 3.2.4 node I
> > found /var/lib/puppet/client_data/catalog/${fqdn}.json, but that
> > didn't exist on the 2.6.x host.  I couldn't find any "puppet
> > [argument]" commands that worked.  I was hoping to find something
> > easier than hitting the PuppetDB API with curl. Can someone advise
> > on commands to print the catalog on a node, preferably backwards
> > compatible with Puppet 2.6? Thanks.
> >
> > --Tom Noonan II
> >
> 



Re: [Puppet Users] Re: Security of facts (aka: who can see my facts?)

2013-11-04 Thread Tom Noonan
But that doesn't address the concern that you can't auto generate
values and store them in Hiera, as Arnaud mentioned.  Is our
understanding on this flawed?  I see a Puppet source on
http://docs.puppetlabs.com/hiera/1/data_sources.html#puppet, but that
just says "Coming soon."

My solution thus far, for file based passwords like Bind keys and Bacula
passwords, has been to generate passwords on the puppetmaster
and then pull the values into templates via file reads. This relies on
the filesystem security of the puppetmaster, but if that is gone you're
pretty well hosed anyway.  The generation script on the puppetmaster
handles password aging and regeneration.  Not the most graceful
solution, but it works well for me. If there is a better way I'd love
to hear it, however.

On Mon, 4 Nov 2013 22:06:01 +0530
Virender Khatri  wrote:

> puppetdb also exposes facts etc. details via api calls too, you might
> want to check that out.
> 
> take a look at hiera-gpg puppet module to store hiera variables in
> encrypted form, it will provide enough security on hiera/git side.
> 
> 
> On Mon, Nov 4, 2013 at 7:49 PM, Arnaud Gomes-do-Vale
> wrote:
> 
> > Chuck  writes:
> >
> > > I wouldn't put any sensitive information in a fact, unless the
> > > only people with access to PuppetDB and your Servers are admins
> > > who already have access to this information.  But even then I
> > > still wouldn't do it.
> >
> > That's more or less the conclusion I arrived at, except I can't
> > find any real reason not to trust the Puppet ecosystem with my
> > facts. I mean, my servers and PuppetDB are secure (well, they
> > should be, unless I screwed things up), inventory service is turned
> > off on my dashboard, so I should be safe, shouldn't I?
> >
> > > At this time I would say the best route would be something like
> > > hiera.
> >
> > Except AFAIU Hiera doesn't allow me to generate values on the client
> > node. The whole point of my fact-based approach is that I don't want
> > to manage database passwords, they just have to be long-enough
> > random strings.
> >
> > --
> > A
> >
> 

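A sketch of the approach described in the message above (generate the secret on the master, keep it in an owner-only file, rotate it by age, read it into a template), written in Ruby as an added example; it is not the poster's script. The file name, the 0600 mode check, the `max_age` parameter and the template line are assumptions made for the illustration.

```ruby
require 'securerandom'
require 'erb'
require 'tmpdir'

class InsecureSecretFile < StandardError; end

# Return [secret, rotated?] for the secret stored at +path+.
# A missing file is created; a file older than +max_age+ seconds is replaced.
def ensure_secret(path, max_age:, length: 32, now: Time.now)
  if File.file?(path)
    st = File.stat(path)
    # The scheme relies on filesystem permissions, so refuse a file that
    # group or other can read instead of silently using it.
    unless (st.mode & 0o077).zero?
      raise InsecureSecretFile,
            format('%s has mode %o, expected 600', path, st.mode & 0o777)
    end
    return [File.read(path).chomp, false] if now - st.mtime < max_age
  end

  secret = SecureRandom.alphanumeric(length)
  tmp = "#{path}.#{Process.pid}.tmp"
  begin
    # EXCL refuses a pre-existing file or symlink; mode 0600 applies from creation.
    File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
      f.write(secret + "\n")
      f.fsync
    end
    # rename is atomic: a concurrent catalog compile sees the old or the new
    # secret, never a partial file.
    File.rename(tmp, path)
  ensure
    File.delete(tmp) if File.exist?(tmp)
  end
  [secret, true]
end

# Constructed template line showing the "file read" side of the approach.
TEMPLATE = %q(Password = "<%= File.read(secret_path).chomp %>") + "\n"

def render_config(secret_path)
  ERB.new(TEMPLATE).result(binding)
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'example.secret') # hypothetical file name
    _secret, rotated = ensure_secret(path, max_age: 30 * 24 * 3600)
    puts "rotated: #{rotated}"
    puts render_config(path)
  end
end
```

Because the value is read at catalog compile time, it ends up in the compiled catalog for that node, so access to stored catalogs needs the same care as the secret file.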


Re: [Puppet Users] package conflict resolution method:

2013-11-01 Thread Tom Noonan
That looks like a good solution, thanks!

On Fri, 1 Nov 2013 14:11:44 -0700
Ryan Coleman  wrote:

> On Fri, Nov 1, 2013 at 2:03 PM, Tom Noonan  wrote:
> 
> > Can the list please advise on what best practice is in this
> > case?
> >
> 
> Hi Tom,
> 
> The puppetlabs/stdlib module includes the ensure_packages() and
> ensure_resource() functions. Both are intended for expressing common
> resources which will only be included in your catalog if they're not
> already in it. You can read more about it here:
> http://forge.puppetlabs.com/puppetlabs/stdlib
> 
> 



[Puppet Users] package conflict resolution method:

2013-11-01 Thread Tom Noonan
Hello, list:
I have two puppet modules that are unrelated to each other, but
both have (unrelated) Python scripts that parse YAML.  As such, both
have a block like the following in their manifests for the PyYAML script
dependency:

  package { 'PyYAML':
    ensure  => installed,
  }

If I try and include both modules on the same server this
causes an obvious conflict as the PyYAML package is now defined in two
different package{} blocks.
Can the list please advise on what best practice is in this
case?  I'd prefer not to create a whole other module just to do a class
dependency for PyYAML, but if that is best practice so be it.  Please
let me know if I'm overlooking any other solutions.  Thanks!

--Tom N.





[Puppet Users] Re: Upgraded to Puppet 3.3.1 and custom facts broke

2013-10-22 Thread Tom Limoncelli
I found the issue.  It turns out to be related to the use of Rack on
the Puppet Master.

I'll document the issue so the mailing list archive can help others:

When upgrading to Puppet 3.0.0 the release notes say that config.ru
needs to be updated:
http://docs.puppetlabs.com/puppet/3/reference/release_notes.html#break-puppet-master-rack-configuration-is-changed

If you don't make those changes, there is a chance that things will
continue to work.  At least at our site it seems to have continued to
work.  I guess we were lucky.  However some change between 3.2.4 and
3.1.1 made those changes required.

Without those changes, in particular the line with "--confdir", the
Puppet Master is pointing to the wrong directory and is unable to do
its job.  However there are no errors or warnings.  The first symptom
is that custom facts and types (and maybe more) are deleted at the
next client run.  The other symptom is that if you turn off Rack and
run puppet master directly things start to work (of course, without
all the benefits of Rack).

Updating the file as specified in the URL above and restarting Rack
fixes the problem.

Tom

On Tue, Oct 22, 2013 at 12:20 AM, Tom Limoncelli  wrote:
> I upgraded to puppet 3.3.1 and my clients can no longer access custom
> facts or types.  pluginsync = true in [main] for both clients and the
> server.  I suspect a problem with pluginsync because the master is
> able to load the custom facts.
>
> I looked at syslog on both machines and didn't find any error or
> warning messages; just the usual messages minus the ones about loading
> custom facts.
>
> The first run after the upgrade resulted in messages about deleting
> the custom facts (filebucketing them).  That makes me suspect
> fileserver.conf.  According to our git repo, none of the *.conf files
> changed.  Did their interpretation change?
>
> "puppet agent -t -d -v" doesn't show anything unusual (except the
> missing lines about syncing)
>
> Where should I start looking to debug this?
>
> Thanks,
> Tom
> P.S. I'm using CentOS6.4.
>
> --
> Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
> Skype: YesThatTom
> Blog:  http://EverythingSysadmin.com



-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



[Puppet Users] Re: Upgraded to Puppet 3.3.1 and custom facts broke

2013-10-22 Thread Tom Limoncelli
I found the issue.  It turns out to be related to the use of Rack on
the Puppet Master.

I'll document the issue so the mailing list archive can help others.


Tom


On Tue, Oct 22, 2013 at 12:20 AM, Tom Limoncelli  wrote:
> I upgraded to puppet 3.3.1 and my clients can no longer access custom
> facts or types.  pluginsync = true in [main] for both clients and the
> server.  I suspect a problem with pluginsync because the master is
> able to load the custom facts.
>
> I looked at syslog on both machines and didn't find any error or
> warning messages; just the usual messages minus the ones about loading
> custom facts.
>
> The first run after the upgrade resulted in messages about deleting
> the custom facts (filebucketing them).  That makes me suspect
> fileserver.conf.  According to our git repo, none of the *.conf files
> changed.  Did their interpretation change?
>
> "puppet agent -t -d -v" doesn't show anything unusual (except the
> missing lines about syncing)
>
> Where should I start looking to debug this?
>
> Thanks,
> Tom
> P.S. I'm using CentOS6.4.
>
> --
> Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
> Skype: YesThatTom
> Blog:  http://EverythingSysadmin.com



-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



[Puppet Users] Upgraded to Puppet 3.3.1 and custom facts broke

2013-10-21 Thread Tom Limoncelli
I upgraded to puppet 3.3.1 and my clients can no longer access custom
facts or types.  pluginsync = true in [main] for both clients and the
server.  I suspect a problem with pluginsync because the master is
able to load the custom facts.

I looked at syslog on both machines and didn't find any error or
warning messages; just the usual messages minus the ones about loading
custom facts.

The first run after the upgrade resulted in messages about deleting
the custom facts (filebucketing them).  That makes me suspect
fileserver.conf.  According to our git repo, none of the *.conf files
changed.  Did their interpretation change?

"puppet agent -t -d -v" doesn't show anything unusual (except the
missing lines about syncing)

Where should I start looking to debug this?

Thanks,
Tom
P.S. I'm using CentOS6.4.

-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



Re: [Puppet Users] Re: Including files in a template

2013-10-01 Thread Tom Noonan
> <% require File.dirname(__FILE__) + "/foo.rb" %>
This suits my needs perfectly.  Thanks!

On Tue, 1 Oct 2013 06:32:15 -0700 (PDT)
jcbollinger  wrote:

> 
> 
> On Tuesday, October 1, 2013 7:02:00 AM UTC-5, Sneha More wrote:
> >
> > Hi,
> >You can use here the concept of partial template.
> > Try including 
> >
> > <%= scope.function_template("foo.rb") %>
> >
> > This may help you, please refer 
> > http://somethingsinistral.net/blog/partial-templates-with-puppet/
> > Here is the link, someone has faced the similar issue as including
> > file in template, refer 
> > http://stackoverflow.com/questions/16551717/how-to-include-a-subtemplate-in-a-puppet-template
> > .
> >
> >>
> >>
> 
> That invokes the Puppet template() function with argument "foo.rb",
> but from name and usage that appears to be a Ruby source file as
> opposed to an ERB template.  The stackoverflow link looks promising,
> however, in that the discussion there demonstrates a technique for
> determining the template file's location from within the file itself,
> using the __FILE__ variable. To apply that to 'require'ing a Ruby
> source file you would probably end up with something like this:
> 
> <% require File.dirname(__FILE__) + "/foo.rb" %>
> 
> 
> John
> 



[Puppet Users] Including files in a template

2013-10-01 Thread Tom Noonan
Hello, folks:

I want to include a file into my templates to deduplicate code.
However, I'm running into problems with the module path.  If I try to
include the relative path with code like the following it fails:

# Fails
require 'foo.rb'

However, a fully qualified path succeeds:

# Works as expected
require '/etc/puppet/modules/foobar/templates/foo.rb'

While the latter works it causes problems if I want to move the
module.  Am I overlooking something here?  I've grepped through the
variables passed into the templates and I don't see any paths passed in
that I could use.

Thanks in advance.

--Tom Noonan II



Re: [Puppet Users] hiera oddities

2013-09-30 Thread Tom Hanstra
Pete: Thanks for pointing this out as well.  It explains some things that 
were confusing me about how I was using hiera.  I appreciate the 
information.

Tom

On Saturday, September 28, 2013 7:16:00 AM UTC-4, Peter Meier wrote:
>
> > My current setup has a puppet master and an agent.  On both I have 
> > the same /etc/hiera.yaml file linked into the /etc/puppet 
> > directory.  I've also been able to confirm that hiera is seeing the 
> > right json files in /var/lib/hiera. 
>
> Note: if you want to go with plain master/agent setup, there is no 
> need to setup hiera on the client. As the agent gets a compiled 
> catalog from the master that can be seen as kind of static, at least 
> all the hiera lookups are done when the agent receives the catalog. 
>
> ~pete 
>



[Puppet Users] Re: hiera oddities

2013-09-30 Thread Tom Hanstra
Spot on!  Thanks for pointing this out.

Tom

On Friday, September 27, 2013 1:35:42 PM UTC-4, Ellison Marks wrote:
>
> Prefix doesn't return a string, it returns an array. I think this gets 
> stringified in the error message, but it screws up the lookup. Try 
> hiera($role_value[0]).
>
> On Friday, September 27, 2013 9:32:12 AM UTC-7, Tom Hanstra wrote:
>>
>> I'm having real trouble getting hiera to work as expected.
>>
>> My current setup has a puppet master and an agent.  On both I have the 
>> same /etc/hiera.yaml file linked into the /etc/puppet directory.  I've also 
>> been able to confirm that hiera is seeing the right json files in 
>> /var/lib/hiera.
>>
>> What I'm seeing right now is that if I hard code a value (in my case a 
>> value called "role_puptest1").  In the class I'm working on, if I hardcode 
>> that value into the hiera lookup:
>>
>> $server_role = hiera('role_puptest1')
>>
>> then puppet  agent runs just fine.  However, if I build the value 
>> "role_puptest1" from other information, for instance like this:
>>
>>$role_value = prefix([$hostname],'role_')
>>$server_role = hiera($role_value)
>>
>> I get this error when running the puppet agent:
>>
>> Error: Could not retrieve catalog from remote server: Error 400 on 
>> SERVER: Could not find data item role_puptest1 in any Hiera data file and 
>> no default supplied at 
>> /etc/puppet/modules/server/iptables2/manifests/init.pp:9 on node 
>> puptest1.library.nd.edu
>>
>> Based on the error, it is parsing the role_value properly (still has 
>> "role_puptest1"), but it is not finding the value in the file.  At the same 
>> time, command line hiera on both my agent and my master find the file 
>> properly:
>>
>> puptest1 800$ hiera role_puptest1
>> role_LOCKSS
>>
>> So, why is the generated value which comes up with the same string of 
>> data not finding the record in the hiera data file?
>>
>> I'm using hiera 1.2.1 and puppet 3.2.4 on RHEL 6.
>>
>> Thanks,
>> Tom
>>
>>
>>



[Puppet Users] hiera oddities

2013-09-27 Thread Tom Hanstra
I'm having real trouble getting hiera to work as expected.

My current setup has a puppet master and an agent.  On both I have the same 
/etc/hiera.yaml file linked into the /etc/puppet directory.  I've also been 
able to confirm that hiera is seeing the right json files in /var/lib/hiera.

What I'm seeing right now is that if I hard code a value (in my case a 
value called "role_puptest1").  In the class I'm working on, if I hardcode 
that value into the hiera lookup:

$server_role = hiera('role_puptest1')

then puppet  agent runs just fine.  However, if I build the value 
"role_puptest1" from other information, for instance like this:

   $role_value = prefix([$hostname],'role_')
   $server_role = hiera($role_value)

I get this error when running the puppet agent:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: 
Could not find data item role_puptest1 in any Hiera data file and no 
default supplied at 
/etc/puppet/modules/server/iptables2/manifests/init.pp:9 on node 
puptest1.library.nd.edu

Based on the error, it is parsing the role_value properly (still has 
"role_puptest1"), but it is not finding the value in the file.  At the same 
time, command line hiera on both my agent and my master find the file 
properly:

puptest1 800$ hiera role_puptest1
role_LOCKSS

So, why is the generated value which comes up with the same string of data 
not finding the record in the hiera data file?

I'm using hiera 1.2.1 and puppet 3.2.4 on RHEL 6.

Thanks,
Tom




Re: [Puppet Users] MCollective deployment pattern

2013-08-21 Thread Tom Poulton
Well I've been using an initial solution for the past month or two which 
seems to be working ok.

I have a custom puppet function that reads the version of the artifact 
being deployed and I add that to the mcollective facts.yaml file at the 
same time that the artifact is deployed. I've also got a groovy script 
which I've put up on GitHub
(https://github.com/TomPoulton/mcollective-synchronous-puppet/blob/master/deployment_trigger.groovy)
that runs as part of the Jenkins deployment job that finds the correct 
instances, triggers a puppet run, then waits until all the instances show 
the new version in their facts. It handles the situation where puppet is 
already running, and also has timeouts so the script doesn't run forever.

The only problem is that sometimes (although it's started to get more 
frequent) the script reaches its timeout waiting for the new version to 
show in the facts, the timeout is pretty generous and is certainly longer 
than a puppet run and an mcollective restart would take, and the facts are 
being updated correctly. Does mcollective have a cache or something that 
would prevent the new values being returned to the mco client on the Jenkins 
box?

Thanks



[Puppet Users] Re: User Resource Type | non-unique UID

2013-08-16 Thread tom . russell
3 years on, it did indeed :) Thanks!

On Wednesday, 6 October 2010 16:59:14 UTC+1, CraftyTech wrote:
>
> I answered my own question from the documentation.. 
> allowdupe => true 
>
> Hope it helps someone else looking for a similar answer. 
>
> On Oct 6, 11:29 am, CraftyTech  wrote: 
> > Hello All, 
> > 
> >  Is there a way in puppet to define a User resource with a non- 
> > unique UID? i.e, 
> >   @user { 'user1':
> >     tag => 'test',
> >     uid => ''
> >   }
> >
> >   @user { 'user2':
> >     tag => 'test',
> >     uid => ''
> >   }
> > If I do it like this, I get an error saying that the UID is not 
> > unique 
> > 
> > Any ideas?



[Puppet Users] Re: file_line assistance

2013-07-31 Thread Tom Hanstra
Well, the hostname was the problem.  That never tripped me up before, but 
I'll keep it in mind for future reference!

Thanks,
Tom

On Tuesday, July 30, 2013 5:24:41 PM UTC-4, Tom Hanstra wrote:
>
> I'm running puppet 3.2.3 with the current (4.1.0) stdlib set from 
> puppetlabs.
>
> I'm attempting to use file_line to add a line to a file.  I've dumbed this 
> down to basically the test script:
>
> class hs_puptest1 {
>
>   file { '/tmp/testfile':
>     ensure => present
>   }->
>   file_line { 'test_line':
>     line => 'Some data',
>     path => '/tmp/testfile',
>   }
> }
>
> The puppet agent puptest1 creates /tmp/testfile, but it does not add the 
> line to the file.  I don't even see file_line executed:
>
> puptest1.library.nd.edu|root no_ora /etc/puppet 673$ puppet agent --test
> Info: Caching catalog for puptest1.library.nd.edu
> Info: Applying configuration version '1375219378'
> Notice: /Stage[main]/Hs_puptest1/File[/tmp/testfile]/ensure: created
> Notice: Finished catalog run in 1.86 seconds
> puptest1.library.nd.edu|root no_ora /etc/puppet 674$ cat /tmp/testfile
> puptest1.library.nd.edu|root no_ora /etc/puppet 675$
>
> What am I doing wrong?  What might be missing?
>
> Thanks,
> Tom
> hans...@nd.edu
>





[Puppet Users] Re: file_line assistance

2013-07-31 Thread Tom Hanstra
No, I don't have pluginsync enabled, but when I attempt to do so I get this 
error:

Info: Retrieving plugin
Error: Could not retrieve plugin: Parameter source failed on 
File[/var/lib/puppet/lib]: Could not understand source 
puppet://lib_puppet2.library.nd.edu/plugins: the scheme puppet does not 
accept registry part: lib_puppet2.library.nd.edu (or bad hostname?)

I've been searching the web, but have not found the combination to get past 
this. Documentation only suggests enabling pluginsync on both master and 
agent, which is not enough.  What else am I missing?

Thanks,
Tom


On Tuesday, July 30, 2013 5:24:41 PM UTC-4, Tom Hanstra wrote:
>
> I'm running puppet 3.2.3 with the current (4.1.0) stdlib set from 
> puppetlabs.
>
> I'm attempting to use file_line to add a line to a file.  I've dumbed this 
> down to basically the test script:
>
> class hs_puptest1 {
>
>   file { '/tmp/testfile':
>     ensure => present
>   }->
>   file_line { 'test_line':
>     line => 'Some data',
>     path => '/tmp/testfile',
>   }
> }
>
> The puppet agent puptest1 creates /tmp/testfile, but it does not add the 
> line to the file.  I don't even see file_line executed:
>
> puptest1.library.nd.edu|root no_ora /etc/puppet 673$ puppet agent --test
> Info: Caching catalog for puptest1.library.nd.edu
> Info: Applying configuration version '1375219378'
> Notice: /Stage[main]/Hs_puptest1/File[/tmp/testfile]/ensure: created
> Notice: Finished catalog run in 1.86 seconds
> puptest1.library.nd.edu|root no_ora /etc/puppet 674$ cat /tmp/testfile
> puptest1.library.nd.edu|root no_ora /etc/puppet 675$
>
> What am I doing wrong?  What might be missing?
>
> Thanks,
> Tom
> hans...@nd.edu
>





[Puppet Users] file_line assistance

2013-07-30 Thread Tom Hanstra
I'm running puppet 3.2.3 with the current (4.1.0) stdlib set from 
puppetlabs.

I'm attempting to use file_line to add a line to a file.  I've dumbed this 
down to basically the test script:

class hs_puptest1 {

  file { '/tmp/testfile':
    ensure => present
  }->
  file_line { 'test_line':
    line => 'Some data',
    path => '/tmp/testfile',
  }
}

The puppet agent puptest1 creates /tmp/testfile, but it does not add the 
line to the file.  I don't even see file_line executed:

puptest1.library.nd.edu|root no_ora /etc/puppet 673$ puppet agent --test
Info: Caching catalog for puptest1.library.nd.edu
Info: Applying configuration version '1375219378'
Notice: /Stage[main]/Hs_puptest1/File[/tmp/testfile]/ensure: created
Notice: Finished catalog run in 1.86 seconds
puptest1.library.nd.edu|root no_ora /etc/puppet 674$ cat /tmp/testfile
puptest1.library.nd.edu|root no_ora /etc/puppet 675$

What am I doing wrong?  What might be missing?

Thanks,
Tom
hans...@nd.edu





[Puppet Users] Re: Puppet3 key exchange on RHEL6

2013-07-30 Thread Tom Hanstra
This can all safely be ignored.  A reboot of both the master and agent 
servers was able to clear things up.  I'm not sure if the times were 
slightly off or something else, but rebooting took care of things.

Tom

On Tuesday, July 30, 2013 4:00:27 PM UTC-4, Tom Hanstra wrote:
>
> I'm attempting to run Puppet 3.2.3 on RHEL6 and am running into key 
> problems.
>
> The keys seem to be exchanged, or at least the puppet master receives the 
> key from the client:
>
> lib_puppet2.library.nd.edu|root no_ora /var/lib/puppet 1029$ puppet cert 
> list --all
> + "puptest1.library.nd.edu" (SHA256) 
> D4:3C:F5:4B:14:66:3C:97:55:3E:A1:F9:D7:88:13:78:A1:32:C7:B7:EB:9B:70:CA:73:BC:0E:13:47:D0:B6:B1
>
> But when I attempt to connect from the agent, I get what look to be key 
> problems:
>
> puptest1.library.nd.edu|root no_ora ~ 639$ puppet agent --test
> Warning: Unable to fetch my node definition, but the agent run will 
> continue:
> Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server 
> certificate B: certificate verify failed: [certificate signature failure 
> for /CN=lib_puppet2.library.nd.edu]
> Info: Retrieving plugin
> Error: Could not retrieve plugin: Parameter source failed on 
> File[/var/lib/puppet/lib]: Could not understand source puppet://
> lib_puppet2.library.nd.edu/plugins: the scheme puppet does not accept 
> registry part: lib_puppet2.library.nd.edu (or bad hostname?)
> Error: Could not retrieve catalog from remote server: SSL_connect 
> returned=1 errno=0 state=SSLv3 read server certificate B: certificate 
> verify failed: [certificate signature failure for /CN=
> lib_puppet2.library.nd.edu]
> Warning: Not using cache on failed catalog
> Error: Could not retrieve catalog; skipping run
> Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 
> read server certificate B: certificate verify failed: [certificate 
> signature failure for /CN=lib_puppet2.library.nd.edu]
>
> I've cleared /var/lib/puppet/ssl numerous times on both sides but every 
> time I get back to this point.  
>
> I'm open to any and all ideas.  Does anyone have this working on any RHEL6 
> servers?  I had no trouble with puppet 2.6 but am running into other 
> problems there with older versions of puppet, so I wanted to get puppet3 
> running.  But I seem to have hit a wall.
>
> Thanks,
> Tom Hanstra
> hans...@nd.edu
>





[Puppet Users] Puppet3 key exchange on RHEL6

2013-07-30 Thread Tom Hanstra
I'm attempting to run Puppet 3.2.3 on RHEL6 and am running into key 
problems.

The keys seem to be exchanged, or at least the puppet master receives the 
key from the client:

lib_puppet2.library.nd.edu|root no_ora /var/lib/puppet 1029$ puppet cert 
list --all
+ "puptest1.library.nd.edu" (SHA256) 
D4:3C:F5:4B:14:66:3C:97:55:3E:A1:F9:D7:88:13:78:A1:32:C7:B7:EB:9B:70:CA:73:BC:0E:13:47:D0:B6:B1

But when I attempt to connect from the agent, I get what look to be key 
problems:

puptest1.library.nd.edu|root no_ora ~ 639$ puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will 
continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate 
B: certificate verify failed: [certificate signature failure for 
/CN=lib_puppet2.library.nd.edu]
Info: Retrieving plugin
Error: Could not retrieve plugin: Parameter source failed on 
File[/var/lib/puppet/lib]: Could not understand source 
puppet://lib_puppet2.library.nd.edu/plugins: the scheme puppet does not 
accept registry part: lib_puppet2.library.nd.edu (or bad hostname?)
Error: Could not retrieve catalog from remote server: SSL_connect 
returned=1 errno=0 state=SSLv3 read server certificate B: certificate 
verify failed: [certificate signature failure for 
/CN=lib_puppet2.library.nd.edu]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 
read server certificate B: certificate verify failed: [certificate 
signature failure for /CN=lib_puppet2.library.nd.edu]

I've cleared /var/lib/puppet/ssl numerous times on both sides but every 
time I get back to this point.  

I'm open to any and all ideas.  Does anyone have this working on any RHEL6 
servers?  I had no trouble with puppet 2.6 but am running into other 
problems there with older versions of puppet, so I wanted to get puppet3 
running.  But I seem to have hit a wall.

Thanks,
Tom Hanstra
hans...@nd.edu





Re: [Puppet Users] defined() implicitly requiring resource reference

2013-06-14 Thread Tom Lanyon
Hi John

On 14/06/2013, at 12:06 AM, jcbollinger  wrote:
>> 
>> On Wednesday, June 12, 2013 9:15:22 AM UTC-5, Tom Lanyon wrote:
>> On 05/06/2013, at 11:51 PM, jcbollinger [...] wrote: 
>> > I don't much like that general approach in the first place on account of 
>> > the $requested_package parameter.  That you encounter difficulty when you 
>> > try something a bit dodgy should not be surprising. 
>> 
>> Can you explain this further so I can understand the issue? 
> 
> Initially, it was mostly a gut feeling.  After having had time to step back 
> from the issue and return to it fresh, I think it's a combination of things, 
> mostly revolving around what you're actually modeling, and how you're 
> modeling it.
> 
> Basically, the 'myapp' definition represents one package chosen from a list 
> of mutually exclusive packages.  If that's all it is, then its name is 
> misleading -- it should be more generic -- and it should probably take the 
> exclusive list as a second parameter.  On the other hand, if it is indeed 
> supposed to be something specific, then it doesn't take much advantage of 
> that.  In particular -- and here's where my previous comment came from -- if 
> it supposed to represent something specific to your application, then why 
> doesn't it know anything about the application's package names?
> 
> Also, if the point is supposed to be that only one version of the application 
> can be installed at a time, and the definition is specific to that 
> application, then it really ought to be a class instead.

Alas, the whole intention of this is that multiple versions of the package must 
be installed at the same time.  This is where the problem lies, in that we have 
no way to clean up old unused versions once they're no longer needed.

We have instances of an application MyApp, which utilise a shared Package in
a many-to-one relationship:

Package[one] ___ MyApp[app1]

Package[two] ___ MyApp[app2]
             \__ MyApp[app3]

Package[three] _ MyApp[app4]
              \_ MyApp[app5]
              \_ MyApp[app6]

In the above example, if we upgraded MyApp[app2] and MyApp[app3] to 
Package[three], we'd still have Package[two] installed on all of the hosts but 
no MyApp instances would be using it.  This is the unused Package we're trying 
to clean up with Puppet (there's no longer a MyApp resource definition which 
references Package[two]).

There are no mutually exclusive packages or any other such conflicts.


>> > In fact, despite my dissatisfaction with your approach, you can indeed do 
>> > this without defined(), and without even disrupting your current structure 
>> > very much.  Here's one way I think would work: 
>> > 
>> > # This class ensures all known app packages are
>> > # by default purged
>> > class app::packages {
>> >   $apps = split($::app_packages, ',')
>> >   package { $apps:
>> >     ensure => 'purged'
>> >   }
>> > }
>> >
>> > # Overrides the requested package to be declared
>> > # present instead of purged.
>> > define app::myapp($requested_package) {
>> >   include 'app::packages'
>> >   Package<| title == $requested_package |> {
>> >     ensure => 'present'
>> >   }
>> > }
>> >
>> > # no separate package_cleanup required
>> 
>> 
>> OK, I wondered whether we could do something like this however - forgive my 
>> naivety - I still can't see how this could be a complete solution without 
>> something like defined(). 
>> 
>> As an example... your above snippet works fine to ensure already installed 
>> packages remain installed, but what if we wanted to install a brand new 
>> version of app::myapp?  Because a 'package' resource with title 
>> $requested_package does not yet exist, the Package<||> collector matches no 
>> resources and the new package is not installed.  The only solution that I 
>> can come up with is to check whether such a resource is already defined and, 
>> if not, define one. 
> 
> You appear to have a serious misunderstanding.  Resource collectors have no 
> direct relationship with or dependency on which resources are already 
> installed on the target system.  They work exclusively with resource 
> declarations in your manifests, and they do so at catalog compilation time.  
> Moreover, they are independent of parse order (though the example anyway 
> ensures a parse order that would work if collectors were parse-order 
> depend

Re: [Puppet Users] defined() implicitly requiring resource reference

2013-06-12 Thread Tom Lanyon
Hi John,

Sorry for the delayed reply.

On 05/06/2013, at 11:51 PM, jcbollinger  wrote:
> 
>> Sorry, I should have been clearer that this occurs when Package[package-434] 
>> IS declared elsewhere. "!defined(Package[package-434])" therefore is false, 
>> so just by referencing the existing declaration within the defined() call it 
>> seems to incite an implicit dependency. 
>> 
> If that's really what's happening then you should be able to create a simple 
> test case that demonstrates it.  That would be a worthy subject for a bug 
> report.

I'll see what I can do.

>>>> Is this implicit dependency expected behaviour or am I doing something 
>>>> Bad(tm)? 
>>> 
>>> Both. 
>>> 
>>> Supposing that the target package is not declared elsewhere (so that the 
>>> !defined() condition is true) the definition will declare the package 
>>> itself to ensure it absent, and in that case you would expect a 
>>> relationship between the defined-type instance and the resource declared by 
>>> it.  If elsewhere you have specific references to that package, applicable 
>>> resource parameter defaults, or collectors that will match that package, 
>>> then you can get relationships with it that are not evident from the 
>>> defined type body. 
>>> 
>>> On the other hand, defined() is evil.  Do not use it.  Ever. 
>> 
>> I had this discussion with someone on #puppet IRC earlier and they ended up 
>> with "Oh, in your case, defined() is probably actually what you want." 
> 
> No.  defined() is never what you want.  It may at times seem expedient, but 
> it's bad news every time.

OK, understood.

>> define myapp ($requested_package){ 
>> 
>>  package { $requested_package: 
>>ensure => present 
>>  } 
>> 
>>  define package_cleanup { 
>>$installed_package = $title 
>> 
>>if $installed_package != $requested_package { 
>>  package { $installed_package: 
>>ensure => purged 
>>  } 
>>} 
>>  } 
>> 
>>  # assuming a facter fact named 'installed_packages' 
>>  package_cleanup { split($::installed_packages, ','): } 
>> } 
> 
> I don't much like that general approach in the first place on account of the 
> $requested_package parameter.  That you encounter difficulty when you try 
> something a bit dodgy should not be surprising.

Can you explain this further so I can understand the issue?



> In fact, despite my dissatisfaction with your approach, you can indeed do 
> this without defined(), and without even disrupting your current structure 
> very much.  Here's one way I think would work:
> 
> # This class ensures all known app packages are
> # by default purged
> class app::packages {
>   $apps = split($::app_packages, ',')
>   package { $apps:
>     ensure => 'purged'
>   }
> }
>
> # Overrides the requested package to be declared
> # present instead of purged.
> define app::myapp($requested_package) {
>   include 'app::packages'
>   Package<| title == $requested_package |> {
>     ensure => 'present'
>   }
> }
>
> # no separate package_cleanup required


OK, I wondered whether we could do something like this however - forgive my 
naivety - I still can't see how this could be a complete solution without 
something like defined().

As an example... your above snippet works fine to ensure already installed 
packages remain installed, but what if we wanted to install a brand new version 
of app::myapp?  Because a 'package' resource with title $requested_package does 
not yet exist, the Package<||> collector matches no resources and the new 
package is not installed.  The only solution that I can come up with is to 
check whether such a resource is already defined and, if not, define one.

Your guidance is appreciated.

Tom
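
One way to apply the suggestion quoted in this thread, filtering the installed app packages against the packages that are supposed to be installed, without defined(). This is an added example, not code from the thread; it assumes puppetlabs-stdlib for unique() and difference(), and the $wanted parameter, the per-instance file resource and the node contents are hypothetical.

```puppet
# Added example. Assumes the thread's custom fact 'app_packages' is always set
# to a comma-separated list of the app packages installed on the node.

# Single owner of every app Package resource: no two MyApp instances ever
# declare the same package, and nothing depends on parse order.
class app::packages ($wanted = []) {
  # Several instances may share one package, so collapse duplicates first.
  $keep      = unique($wanted)
  $installed = split($::app_packages, ',')

  # Installed app packages that no MyApp instance asks for any more.
  $unused = difference($installed, $keep)

  # A brand-new version gets installed even though the fact has never
  # reported it, because it is declared here and not matched by a collector.
  package { $keep:
    ensure => present,
  }

  package { $unused:
    ensure => purged,
  }
}

# An instance declares no Package itself; it only orders its own resources
# after the package that app::packages owns.
define app::myapp ($requested_package) {
  # Hypothetical per-instance resource; /etc/myapp is assumed to exist.
  file { "/etc/myapp/${title}.conf":
    ensure  => present,
    content => "package=${requested_package}\n",
    require => Package[$requested_package],
  }
}

node 'foo' {
  # The thread's scenario after app2 and app3 move to package 'three'.
  # With a constructed fact value app_packages = 'one,two,three',
  # $unused is ['two'], so only Package[two] is purged.
  class { 'app::packages':
    wanted => ['one', 'three', 'three'],
  }

  app::myapp { 'app1': requested_package => 'one' }
  app::myapp { 'app2': requested_package => 'three' }
  app::myapp { 'app3': requested_package => 'three' }
}
```

Running the agent with --noop first shows which packages would be purged before anything is removed.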





Re: [Puppet Users] defined() implicitly requiring resource reference

2013-06-04 Thread Tom Lanyon
Hi John,

Thanks for the reply.

On 05/06/2013, at 12:33 AM, jcbollinger  wrote:
> On Tuesday, June 4, 2013 1:22:08 AM UTC-5, Tom Lanyon wrote:
> I'm testing a 'cleanup' stage which runs after Stage[main] and removes a 
> bunch of package resources. 
> 
> To do this, I tried a simple check of defined(Package[]) combined with a 
> custom facter fact (called 'app_packages'): 
> 
> > class app::package::cleaner {
> >
> >   define check_and_remove {
> >     if !defined(Package[$title]) {
> >       package { $title:
> >         ensure => absent
> >       }
> >     }
> >   }
> >
> >   $apps = split($::app_packages, ',')
> >   check_and_remove { $apps: }
> >
> > }
> >
> > node 'foo' {
> >   class { 'app::package::cleaner': stage => 'cleanup' }
> > }
> 
> Unfortunately, this results in a dependency cycle.  It appears that putting 
> the Package[$title] resource reference in defined() actually invokes an 
> implicit dependency between my cleanup helper resource in the cleanup stage 
> and the original Package resource in the main stage. 
> 
> > Augeas[redacted] => Service[iptables] => Class[Iptables] => Stage[main] => 
> > Stage[cleanup] => Class[App::Package::Cleaner] => 
> > App::Package::Cleaner::Check_and_remove[package-434] => 
> > Package[package-434] => Exec[app-graceful-restart] => Class[App] => 
> > Stage[main] 
> 
>> Does it do that when Package[package-434] is already declared elsewhere, or 
>> only when it is not?

Sorry, I should have been clearer that this occurs when Package[package-434] IS 
declared elsewhere. "!defined(Package[package-434])" therefore is false, so 
just by referencing the existing declaration within the defined() call it seems 
to incite an implicit dependency.


>> Is this implicit dependency expected behaviour or am I doing something 
>> Bad(tm)? 
> 
> Both.
> 
> Supposing that the target package is not declared elsewhere (so that the 
> !defined() condition is true) the definition will declare the package itself 
> to ensure it absent, and in that case you would expect a relationship between 
> the defined-type instance and the resource declared by it.  If elsewhere you 
> have specific references to that package, applicable resource parameter 
> defaults, or collectors that will match that package, then you can get 
> relationships with it that are not evident from the defined type body.
> 
> On the other hand, defined() is evil.  Do not use it.  Ever.

I had this discussion with someone on #puppet IRC earlier and they ended up 
with "Oh, in your case, defined() is probably actually what you want."

>  I usually attribute its malignancy to the parse-order dependency it 
> inherently creates -- which is indeed a serious problem -- but in this case I 
> think trying to use it to approach your problem it has also obfuscated your 
> manifests enough to confuse you about the scope and nature of some of your 
> other declarations.
> 
> Instead of using defined(), you can apply logic farther upstream to make the 
> correct declaration in the first (one) place or to apply resource parameter 
> overrides to the correct resources.  Alternatively, you can simply determine 
> by other means what packages need to be ensured absent, such as by filtering 
> a list of possible packages against a list of packages that are supposed to 
> be installed.  Some of those options may still be susceptible to the problem you
> observed, however, if relevant relationships spring from declarations 
> elsewhere, as I described they may do.

I've tried this other ways, but here's an example of why farther upstream logic 
doesn't work:

define myapp ($requested_package){

  package { $requested_package:
    ensure => present
  }

  define package_cleanup {
    $installed_package = $title

    if $installed_package != $requested_package {
      package { $installed_package:
        ensure => purged
      }
    }
  }

  # assuming a facter fact named 'installed_packages'
  package_cleanup { split($::installed_packages, ','): }
}

# now in the case of:
#   $::installed_packages = 'one,two,three'
# with:
myapp { 'oneA': requested_package => 'one' }
myapp { 'twoA': requested_package => 'two' }
myapp { 'oneB': requested_package => 'one' }

# we'd end up with package conflicts because
# Myapp[oneA] will define Package[one] (present)
# then define Package[two], Package[three] (absent),
# and Myapp[twoA] will try and define Package[two]
# (present) and fail with a non-unique

[Puppet Users] defined() implicitly requiring resource reference

2013-06-03 Thread Tom Lanyon
I'm testing a 'cleanup' stage which runs after Stage[main] and removes a bunch 
of package resources.

To do this, I tried a simple check of defined(Package[]) combined with a 
custom facter fact (called 'app_packages'):

> class app::package::cleaner {
>
>   define check_and_remove {
>     if !defined(Package[$title]) {
>       package { $title:
>         ensure => absent
>       }
>     }
>   }
>
>   $apps = split($::app_packages, ',')
>   check_and_remove { $apps: }
>
> }
>
> node 'foo' {
>   class { 'app::package::cleaner': stage => 'cleanup' }
> }

Unfortunately, this results in a dependency cycle.  It appears that putting the 
Package[$title] resource reference in defined() actually invokes an implicit 
dependency between my cleanup helper resource in the cleanup stage and the 
original Package resource in the main stage.

> Augeas[redacted] => Service[iptables] => Class[Iptables] => Stage[main] => 
> Stage[cleanup] => Class[App::Package::Cleaner] => 
> App::Package::Cleaner::Check_and_remove[package-434] => Package[package-434] 
> => Exec[app-graceful-restart] => Class[App] => Stage[main]

Is this implicit dependency expected behaviour or am I doing something Bad(tm)?

Tom





Re: [Puppet Users] module dependancy

2013-05-29 Thread Tom De Vylder
Hi,

Class ['pythonpip'] -> Class ['myapp'] 

… should do the trick for you.

Regards,
Tom

On 14 May 2013, at 20:36, Matt F  wrote:

> I have two modules, and I'm having some dependency problems:
>
> 1 - Install python "pip":
>
> class pythonpip::install {
>   file {"/root/.pip":
>     ensure => directory,
>     owner  => root,
>     group  => root,
>     mode   => 755
>   }
>   file {"/root/.pip/pip.conf":
>     ensure => present,
>     source => 'puppet:///modules/pythonlinux/pip.conf',
>     mode   => 0644,
>   }
> }
>
>
> 2 - install some python packages via "pip":
>
> class myapp::install {
>   package {
>     "mechanize":
>       provider => pip;
>     "numpy":
>       provider => pip;
>     "pandas":
>       provider => pip;
>     "reportlab":
>       provider => pip;
>   }
> }
>
> I want to make sure that the "pythonpip::install" is always run before the
> "myapp::install". How can I do that?
> 





Re: [Puppet Users] Workaround for Puppet 3 not working in Fedora 18

2013-05-21 Thread Tom Poulton
So I get the move to systemd (whatever that is) if that's what Fedora uses,
but why rename the "service", that means I have to add a special case in my
puppet module just for Fedora to set the name of the service resource to
"puppetagent"? Unless it's a change they're going to roll out to all their
supported environments in which case that makes sense (sort of)!?





Re: [Puppet Users] Workaround for Puppet 3 not working in Fedora 18

2013-05-20 Thread Tom Poulton
Wait... spoke too soon:

Error: Could not start Service[puppet]: Execution of '/sbin/service puppet
start' returned 6:
Error: /Stage[main]/Puppet/Service[puppet]/ensure: change from stopped to
running failed: Could not start Service[puppet]: Execution of
'/sbin/service puppet start' returned 6:

If I do "sudo service puppet start":
Redirecting to /bin/systemctl start  puppet.service
Failed to issue method call: Unit puppet.service failed to load: No such
file or directory. See system logs and 'systemctl status puppet.service'
for details.

The only puppet service files are below and there's no puppet file in
/etc/init.d/:
/usr/lib/systemd/system/puppetagent.service
/usr/share/puppet/ext/systemd/puppetagent.service
/usr/share/puppet/ext/systemd/puppetmaster.service

Any ideas? Is this just another stupid mistake?





Re: [Puppet Users] Workaround for Puppet 3 not working in Fedora 18

2013-05-20 Thread Tom Poulton
Yep that worked, I had to enable the puppetlabs-devel repo in
/etc/yum.repos.d/puppetlabs.repo (instead of "yum
--enablerepo=puppetlabs-devel") but it works fine now, lesson learned :)

Thanks





Re: [Puppet Users] Workaround for Puppet 3 not working in Fedora 18

2013-05-17 Thread Tom Poulton
Hahaha, I didn't even think about that, I just copied the script blindly
from our EC2 setup, that'll teach me

I'll test it out on Monday morning and update

If that is the answer: thanks in advance

Tom





Re: [Puppet Users] Workaround for Puppet 3 not working in Fedora 18

2013-05-17 Thread Tom Poulton
I setup the Puppet Labs yum repo via "sudo rpm -ivh
http://yum.puppetlabs.com/el/6/products/i386/puppetlabs-release-6-6.noarch.rpm
"

So far between me and a colleague we've tried:
F18 GNOME:
Seemed fine I think (but GNOME 3 didn't play nice with VirtualBox, very
very slow)

F18 KDE: Initially running Puppet 2.7.X
The client worked fine but the Puppet Dashboard kept throwing errors that's
what made me realise we were running 2.7 (I didn't bother to check the yum
install process as I assumed the Fedora repo would be up to date)

F18 KDE: Running Puppet 3.1.1
Ruby errors above. I upgraded my colleagues machine today and ran into
exactly the same problem

From that I'm thinking this might be specific to the F18 KDE version, maybe
ruby is setup in an odd fashion on this spin??





[Puppet Users] Workaround for Puppet 3 not working in Fedora 18

2013-05-16 Thread Tom Poulton
I'm using Fedora 18 KDE in VirtualBox, fresh install this morning with full 
updates using yum.

I installed puppet by adding the puppet labs yum repo and then "sudo yum 
install puppet", so now I'm running puppet version 3.1.1

Running "puppet --version" or "sudo puppet agent --test" gave me the 
following error:

/usr/share/rubygems/rubygems/custom_require.rb:36:in `require': cannot
load such file -- puppet/util/command_line (LoadError)
 from /usr/share/rubygems/rubygems/custom_require.rb:36:in `require'
 from /usr/bin/puppet:3:in `'

As far as I can tell with my limited knowledge of Ruby, Linux and Puppet, 
/usr/bin/puppet has a line "require 'puppet/util/command_line'" which 
executes via /usr/bin/ruby. The custom_require.rb script (part of ruby) 
then looks for a file puppet/util/command_line relative to itself which it 
can't find.

Looking at an AWS Linux box where puppet is working, I can see that the 
custom_require.rb file is located at 
/usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb, whereas on my 
Fedora box the file is located at 
/usr/share/rubygems/rubygems/custom_require.rb, the problem is that puppet
has installed its ruby files in /usr/lib/ruby/site_ruby/1.8, but they
should actually be in /usr/share/rubygems.

The first fix was to add "RUBYLIB=/usr/lib/ruby/site_ruby/1.8" in 
/etc/environment and "export RUBYLIB=/usr/lib/ruby/site_ruby/1.8" at the 
beginning of /etc/rc.d/init.d/puppet but that felt pretty dirty so now I've 
done this:

sudo mv /usr/lib/ruby/site_ruby/1.8/* /usr/share/rubygems/
sudo rm -r /usr/lib/ruby/site_ruby/1.8
sudo ln -s /usr/share/rubygems /usr/lib/ruby/site_ruby/1.8

If anyone has a better solution I'm all ears, ideally I'd like to just use
yum for puppet and any of its dependencies, tweak the puppet.conf file and
everything work (like it does in EC2, etc), Do I have to install another 
version of ruby?? Or set an environment variable before installing puppet 
so it knows where to put the files?? Maybe it's just Fedora's weird ruby 
install process?

Here's a yum list just in case:

$ sudo yum list installed | grep ruby
libselinux-ruby.x86_64     2.1.12-7.3.fc18      @updates
ruby.x86_64                1.9.3.392-29.fc18    @updates
ruby-augeas.x86_64         0.4.1-4.fc18         @fedora
ruby-irb.noarch            1.9.3.392-29.fc18    @updates
ruby-libs.x86_64           1.9.3.392-29.fc18    @updates
ruby-shadow.x86_64         1.4.1-17.fc18        @fedora
rubygem-bigdecimal.x86_64  1.1.0-29.fc18        @updates
rubygem-io-console.x86_64  0.3-29.fc18          @updates
rubygem-json.x86_64        1.6.8-1.fc18         @updates
rubygem-rdoc.noarch        3.12-6.fc18          @updates
rubygems.noarch            1.8.25-6.fc18        @updates

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
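
An added example, not part of the original message: Ruby's require resolves a feature name against the directories in $LOAD_PATH, in order, and RUBYLIB prepends directories to that list. The sketch below is a simplified model (plain .rb files only, no gems or compiled extensions) that rebuilds the two directory names from the message inside a temporary directory; the function names and the stub file are constructed for illustration.

```ruby
require 'tmpdir'
require 'fileutils'

# Return the full path that `require feature` would load from `load_path`,
# or nil when no directory on the path contains "<feature>.rb".
# Directories are searched in order, so the first match wins.
def resolve_feature(feature, load_path)
  load_path.each do |dir|
    candidate = File.join(dir, "#{feature}.rb")
    return candidate if File.file?(candidate)
  end
  nil
end

# Constructed layout: the puppet library sits under site_ruby/1.8 while the
# interpreter's load path only lists /usr/share/rubygems.
def fedora_layout_demo
  Dir.mktmpdir do |root|
    site_ruby = File.join(root, 'usr/lib/ruby/site_ruby/1.8')
    rubygems  = File.join(root, 'usr/share/rubygems')
    FileUtils.mkdir_p(File.join(site_ruby, 'puppet/util'))
    FileUtils.mkdir_p(rubygems)
    File.write(File.join(site_ruby, 'puppet/util/command_line.rb'), "# stub\n")

    feature = 'puppet/util/command_line'
    # Load path as the failing interpreter sees it: the feature is not found.
    before = resolve_feature(feature, [rubygems])
    # Same lookup with site_ruby/1.8 prepended, which is what RUBYLIB does.
    after = resolve_feature(feature, [site_ruby, rubygems])
    { before: before, after: after && after.sub(root, '') }
  end
end

if __FILE__ == $PROGRAM_NAME
  p fedora_layout_demo
  # Against the real interpreter, pass its own load path instead:
  p resolve_feature('puppet/util/command_line', $LOAD_PATH)
end
```
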




Re: [Puppet Users] MCollective deployment pattern

2013-05-14 Thread Tom Poulton
I'll have a play around in the next few days when I get a chance and report 
back

I'm thinking a little foreground agent is probably the way to go for now as 
a "quick fix", and then I'll work on something cleaner once we start phase 
2 in a couple of months

Thanks for the pointers, much appreciated






Re: [Puppet Users] MCollective deployment pattern

2013-05-13 Thread Tom Poulton
Thanks for the quick reply

The -W environment=foo tip is very useful and definitely solves one 
problem. I appreciate that the synchronous part could get pretty nasty, 
rather you than me :) In the meantime have you got any tips on the best 
(most reliable) way to check up on triggered runs, you mentioned inspecting 
them or querying my reporting infrastructure: to be honest I'm 
pretty familiar with puppet in terms of writing modules etc, but I haven't 
really looked into the reporting or querying side of things at all, and 
I'm definitely a newcomer to MCollective, feel free to just dump a load of 
keywords and I can google around if that's easier?

We're running Puppet Open Source but we do have Puppet Dashboard running if 
that offers any querying options against the DB or something?

Thanks





[Puppet Users] MCollective deployment pattern

2013-05-13 Thread Tom Poulton
Hi all

I have a scenario in mind for MCollective and I was looking for 
some feedback

The basic idea is this:
1) A code push to Git triggers a Jenkins build
2) A successful build triggers automatic deployment to an automated 
functional test environment
3) Functional tests run automatically and the results are reported etc

This is just basic CI practice and 1) and 3) are sorted, the only issues 
are with 2) and the trigger for 3). The deployment job in Jenkins just 
copies files up to the Puppet master ready for deployment and service 
restarts etc etc, however with a basic puppet setup one has to wait for the 
clients to run to pick up the new changes and restart services etc and only 
then can Jenkins run the automated tests.

So the plan is for Jenkins to trigger a run on all the required Puppet 
clients via MCollective (filtered by environment), synchronously wait for 
the clients to finish and then run the tests. This has another advantage in 
that we can back off the Puppet run interval (as important changes are 
triggered by MCollective) which gives the Puppet master a bit of breathing 
room, and the clients can just check-in every hour or so to check 
everything is in order.

This also extends to deployments to other environments that have manual 
deployment triggers such as a QA environment. Even though the deployment is 
triggered by the QA team, the upload of the artifacts, running of puppet 
clients and notification of a successful deployment should all be automated.

1): Does this make sense as a pattern, if not what is the best practice for 
implementing this part of the CI and CD pipeline with puppet / jenkins / 
mcollective etc?

2): How would this work in practice. I can run "mco puppet runonce" which 
is fine, but if I filter by environment "mco puppet runonce --environment 
aft" I get the "Cannot specify any custom puppet options when the daemon is 
running" error. I can work around this by stopping the daemons on every box, 
however this means that the clients no longer check in periodically. Is 
there a fix for this or would you recommend turning them off anyway when 
using a tool such as MCollective and doing ALL configuration updates via 
MCollective triggers?

3) I need to do some more testing now, but just in case anyone knows off 
the top of their heads, will an MCollective runonce call be synchronous, 
i.e. will the mco call only finish once each client has reported that they 
have finished their runs? If it's not, does anyone know of a good way to 
check for a finished deployment (some command line wizardry with mco puppet 
status / mco puppet summary, etc)?

I have done my research with Google and read a fair amount about 
MCollective from various sources during the investigation and 
implementation, however if this is already documented or I'm missing 
something stupid I apologise in advance

Thanks





[Puppet Users] Advice on module organization

2013-03-15 Thread Tom Melendez
Hi Folks,

Like to get some advice on module organization.  I have a system that
has a few different components.  One or more components can be
installed on a host.  The hosts also have a "type" dimension.  This
"type" dimension could (should) ideally be used to configure the
system (fill in a bunch of variables).  Problem is, I'm not sure of
the best way to do this in puppet.

I'm running puppet 2.7x.

To illustrate, I'd like to do something like this (pseudo syntax):

node 'foo.example.com' {
    include module::component("systemType" => "foobar")
    include module::component2("systemType" => "foobar")
}

node 'foo2.example.com' {
    include module::component("systemType" => "foobar2")
    include module::component3("systemType" => "foobar2")
}

or, maybe even better

node 'foo.example.com' {
    include module(components => [component1,component2], "systemType" => "foobar")
}

node 'foo2.example.com' {
    include module(components => [component1,component3], "systemType" => "foobar2")
}

In the above illustration, the value of componentType can determine
which files to load, as well as a bunch of variables (40-60 variables)
which would be used for things like ensuring directories are present,
ownership, users installed, etc..

I was thinking that each component would be a class, which is fine in
itself, but my real problem is the movement of these variables
(configuration).  There are a lot of components, and enough variables
that I don't want to add them to each class.  I want to be able to do
something like:

class mymodule(components, componentType) {
    $myconfig = getConfig($componentType)
    # can I "loop" through components?
    include mymodule::component($myconfig)
}

Hopefully that's descriptive enough.  Feel free to ask questions.
Ultimately, my major goal is to boil the configuration down to a
single location, as the configurations (systemTypes).  Something like this
would work (I think) if calling the class could be dynamic:
http://docs.puppetlabs.com/guides/parameterized_classes.html#appendix-smart-parameter-defaults

Thanks in advance for the feedback,

Tom





Re: [Puppet Users] puppet-dashboard-1.2.22 - unable to get it running under Apache/Passenger

2013-02-26 Thread Tom Blich
Well, based on the error, wouldn't I need to install rack 1.1.0? I 
don't understand ruby all that well yet.   

My confusion is why 1.2.21 is working just fine, but 1.2.22 is not.


On Tuesday, February 26, 2013 9:47:17 AM UTC-8, Ramin K wrote:
>
> I'm guessing you're installing gems since everything looks very up to 
> date. Try the following. 
>
> sudo gem install rack --version 1.1.6 
>
> Then restart Apache. If you still have problems you can try removing all 
> versions of Rack that are not 1.1.6, assuming that Puppet and Puppet 
> dashboard are the only Rack applications on this machine. I'd test this 
> in a maintenance window just in case. 
>
> Ramin 
>
> On 2/26/2013 9:39 AM, Tom Blich wrote: 
> > Do you know where I might be able to change where it's looking for the 
> > specific rack version for 1.1.0? 
> > 
> > Thanks, 
> > Tom 
> > 
> > 
> > On Friday, February 22, 2013 5:29:59 PM UTC-8, Matt wrote: 
> > 
> > It looks like its trying to use a specific rack gem version but you 
> do 
> > not have that version installed or you have two versions installed 
> and 
> > its picking up the latest. It could be that you also have another 
> > passenger application where the versions conflict? 
> > 
> > (can't activate rack (~> 1.1.0, runtime) for [], already activated 
> > rack-1.5.2 for []) (process 8729, thread #): 
> > 
> > On Fri, Feb 22, 2013 at 7:17 PM, Tom Blich wrote: 
> >  > Had puppet-dashboard-1.2.21 running via instructions provided 
> here: 
> >  > 
> >  > http://docs.puppetlabs.com/dashboard/passenger.html 
> > <http://docs.puppetlabs.com/dashboard/passenger.html> 
> >  > 
> >  > Upgraded to puppet-dashboard-1.2.22 and now get the following 
> error: 
> >  > 
> >  >   [ pid=8729 thr=70328297972140 file=utils.rb:176 time=2013-02-22 
> >  > 19:12:17.188 ]: *** Exception RuntimeError in 
> >  > PhusionPassenger::Rack::ApplicationSpawner (can't activate rack 
> > (~> 1.1.0, 
> >  > runtime) for [], already activated rack-1.5.2 for []) (process 
> > 8729, thread 
> >  > #): 
> >  > from ./config/../vendor/rails/railties/lib/initializer.rb:271:in 
> >  > `require_frameworks' 
> >  > from ./config/../vendor/rails/railties/lib/initializer.rb:134:in 
> > `process' 
> >  > from ./config/../vendor/rails/railties/lib/initializer.rb:113:in 
> > `send' 
> >  > from ./config/../vendor/rails/railties/lib/initializer.rb:113:in 
> > `run' 
> >  > from ./config/environment.rb:14 
> >  > from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in 
> >  > `gem_original_require' 
> >  > from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in 
> > `require' 
> >  > from config.ru:4 <http://config.ru:4> 
> >  > from 
> > /usr/lib/ruby/gems/1.8/gems/rack-1.5.2/lib/rack/builder.rb:55:in 
> >  > `instance_eval' 
> >  > from 
> > /usr/lib/ruby/gems/1.8/gems/rack-1.5.2/lib/rack/builder.rb:55:in 
> >  > `initialize' 
> >  > from config.ru:1:in `new' 
> >  > from config.ru:1 <http://config.ru:1> 
> >  > [Fri Feb 22 19:12:46 2013] [notice] caught SIGTERM, shutting down 
> >  > [Fri Feb 22 19:13:37 2013] [warn] Init: Session Cache is not 
> > configured 
> >  > [hint: SSLSessionCache] 
> >  > [Fri Feb 22 19:13:37 2013] [notice] suEXEC mechanism enabled 
> > (wrapper: 
> >  > /usr/sbin/suexec) 
> >  > [Fri Feb 22 19:13:37 2013] [warn] module php5_module is already 
> > loaded, 
> >  > skipping 
> >  > [Fri Feb 22 19:13:37 2013] [notice] Digest: generating secret for 
> > digest 
> >  > authentication ... 
> >  > [Fri Feb 22 19:13:37 2013] [notice] Digest: done 
> >  > [Fri Feb 22 19:13:37 2013] [notice] Apache/2.2.15 (Unix) DAV/2 
> >  > Phusion_Passenger/3.0.19 PHP/5.3.20 mod_ssl/2.2.15 
> > OpenSSL/1.0.0-fips 
> >  > configured -- resuming normal operations 
> >  > 
> >  > Not sure how to fix it. 
> >  > 
> >  > Thanks, 
> >  > Tom 
> >  > 

Re: [Puppet Users] puppet-dashboard-1.2.22 - unable to get it running under Apache/Passenger

2013-02-26 Thread Tom Blich
Do you know where I might be able to change where it's looking for the 
specific rack version for 1.1.0?

Thanks,
Tom


On Friday, February 22, 2013 5:29:59 PM UTC-8, Matt wrote:
>
> It looks like its trying to use a specific rack gem version but you do 
> not have that version installed or you have two versions installed and 
> its picking up the latest. It could be that you also have another 
> passenger application where the versions conflict? 
>
> (can't activate rack (~> 1.1.0, runtime) for [], already activated 
> rack-1.5.2 for []) (process 8729, thread #): 
>
> On Fri, Feb 22, 2013 at 7:17 PM, Tom Blich wrote: 
> > Had puppet-dashboard-1.2.21 running via instructions provided here: 
> > 
> > http://docs.puppetlabs.com/dashboard/passenger.html 
> > 
> > Upgraded to puppet-dashboard-1.2.22 and now get the following error: 
> > 
> >   [ pid=8729 thr=70328297972140 file=utils.rb:176 time=2013-02-22 
> > 19:12:17.188 ]: *** Exception RuntimeError in 
> > PhusionPassenger::Rack::ApplicationSpawner (can't activate rack (~> 
> 1.1.0, 
> > runtime) for [], already activated rack-1.5.2 for []) (process 8729, 
> thread 
> > #): 
> > from ./config/../vendor/rails/railties/lib/initializer.rb:271:in 
> > `require_frameworks' 
> > from ./config/../vendor/rails/railties/lib/initializer.rb:134:in 
> `process' 
> > from ./config/../vendor/rails/railties/lib/initializer.rb:113:in `send' 
> > from ./config/../vendor/rails/railties/lib/initializer.rb:113:in `run' 
> > from ./config/environment.rb:14 
> > from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in 
> > `gem_original_require' 
> > from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in 
> `require' 
> > from config.ru:4 
> > from /usr/lib/ruby/gems/1.8/gems/rack-1.5.2/lib/rack/builder.rb:55:in 
> > `instance_eval' 
> > from /usr/lib/ruby/gems/1.8/gems/rack-1.5.2/lib/rack/builder.rb:55:in 
> > `initialize' 
> > from config.ru:1:in `new' 
> > from config.ru:1 
> > [Fri Feb 22 19:12:46 2013] [notice] caught SIGTERM, shutting down 
> > [Fri Feb 22 19:13:37 2013] [warn] Init: Session Cache is not configured 
> > [hint: SSLSessionCache] 
> > [Fri Feb 22 19:13:37 2013] [notice] suEXEC mechanism enabled (wrapper: 
> > /usr/sbin/suexec) 
> > [Fri Feb 22 19:13:37 2013] [warn] module php5_module is already loaded, 
> > skipping 
> > [Fri Feb 22 19:13:37 2013] [notice] Digest: generating secret for digest 
> > authentication ... 
> > [Fri Feb 22 19:13:37 2013] [notice] Digest: done 
> > [Fri Feb 22 19:13:37 2013] [notice] Apache/2.2.15 (Unix) DAV/2 
> > Phusion_Passenger/3.0.19 PHP/5.3.20 mod_ssl/2.2.15 OpenSSL/1.0.0-fips 
> > configured -- resuming normal operations 
> > 
> > Not sure how to fix it. 
> > 
> > Thanks, 
> > Tom 
> > 

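
An added example, not part of the thread: the message "can't activate rack (~> 1.1.0, runtime) ... already activated rack-1.5.2" is a RubyGems version-constraint failure, and the backtrace shows config.ru being evaluated by rack-1.5.2's builder.rb before the application asks for rack ~> 1.1.0. The sketch below is a simplified model of that activation decision using RubyGems' own Gem::Requirement and Gem::Version classes; the function name and the installed-version lists are constructed for illustration.

```ruby
require 'rubygems'

# Model what happens when code asks for a gem under `constraint`, given the
# versions installed on the host and the version (if any) that the process
# has already activated. Only one version of a gem can be active per process.
def activation_outcome(constraint, installed, activated = nil)
  requirement = Gem::Requirement.new(constraint)
  usable = installed.map { |v| Gem::Version.new(v) }
                    .select { |v| requirement.satisfied_by?(v) }
                    .sort
                    .map(&:to_s)

  if activated
    loaded = Gem::Version.new(activated)
    if requirement.satisfied_by?(loaded)
      return { status: :ok, version: loaded.to_s, usable: usable }
    end
    # The case in the thread: an incompatible version is already loaded, so
    # installing a matching version alone does not help this process.
    return { status: :conflict, version: loaded.to_s, usable: usable }
  end

  return { status: :missing, usable: [] } if usable.empty?

  # Nothing activated yet: the highest installed version that matches wins.
  { status: :ok, version: usable.last, usable: usable }
end

if __FILE__ == $PROGRAM_NAME
  # rack 1.5.2 already loaded by the application server (constructed input).
  p activation_outcome('~> 1.1.0', ['1.5.2'], '1.5.2')
  # 1.1.6 installed alongside 1.5.2, but 1.5.2 is still activated first.
  p activation_outcome('~> 1.1.0', ['1.1.6', '1.5.2'], '1.5.2')
  # 1.1.6 installed and nothing activated yet: the constraint resolves.
  p activation_outcome('~> 1.1.0', ['1.1.6', '1.5.2'])
end
```

The constraint `~> 1.1.0` means at least 1.1.0 and below 1.2, which is why a 1.1.x release satisfies it and 1.5.2 does not.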




[Puppet Users] puppet-dashboard-1.2.22 - unable to get it running under Apache/Passenger

2013-02-22 Thread Tom Blich
Had puppet-dashboard-1.2.21 running via instructions provided here:

http://docs.puppetlabs.com/dashboard/passenger.html

Upgraded to puppet-dashboard-1.2.22 and now get the following error: 

  [ pid=8729 thr=70328297972140 file=utils.rb:176 time=2013-02-22 
19:12:17.188 ]: *** Exception RuntimeError in 
PhusionPassenger::Rack::ApplicationSpawner (can't activate rack (~> 1.1.0, 
runtime) for [], already activated rack-1.5.2 for []) (process 8729, thread 
#):
from ./config/../vendor/rails/railties/lib/initializer.rb:271:in 
`require_frameworks'
from ./config/../vendor/rails/railties/lib/initializer.rb:134:in `process'
from ./config/../vendor/rails/railties/lib/initializer.rb:113:in `send'
from ./config/../vendor/rails/railties/lib/initializer.rb:113:in `run'
from ./config/environment.rb:14
from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in 
`gem_original_require'
from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `require'
from config.ru:4
from /usr/lib/ruby/gems/1.8/gems/rack-1.5.2/lib/rack/builder.rb:55:in 
`instance_eval'
from /usr/lib/ruby/gems/1.8/gems/rack-1.5.2/lib/rack/builder.rb:55:in 
`initialize'
from config.ru:1:in `new'
from config.ru:1
[Fri Feb 22 19:12:46 2013] [notice] caught SIGTERM, shutting down
[Fri Feb 22 19:13:37 2013] [warn] Init: Session Cache is not configured 
[hint: SSLSessionCache]
[Fri Feb 22 19:13:37 2013] [notice] suEXEC mechanism enabled (wrapper: 
/usr/sbin/suexec)
[Fri Feb 22 19:13:37 2013] [warn] module php5_module is already loaded, 
skipping
[Fri Feb 22 19:13:37 2013] [notice] Digest: generating secret for digest 
authentication ...
[Fri Feb 22 19:13:37 2013] [notice] Digest: done
[Fri Feb 22 19:13:37 2013] [notice] Apache/2.2.15 (Unix) DAV/2 
Phusion_Passenger/3.0.19 PHP/5.3.20 mod_ssl/2.2.15 OpenSSL/1.0.0-fips 
configured -- resuming normal operations

Not sure how to fix it. 

Thanks,
Tom





[Puppet Users] Re: upgraded to puppet 1.2.22 from 1.2.21 and get error

2013-02-22 Thread Tom Blich
I can get this working via running via WEBrick, but get the error when 
running it via passenger in apache.

Not sure yet how to get this working via apache so I can SSL and LDAP 
authenticate it.


On Friday, February 22, 2013 2:46:57 PM UTC-8, Tom Blich wrote:
>
>
>
> [ pid=1870 thr=69908823898540 file=utils.rb:176 time=2013-02-22 
> 16:39:47.170 ]: *** Exception RuntimeError in 
> PhusionPassenger::Rack::ApplicationSpawner (can't activate rack (~> 1.1.0, 
> runtime) for [], already activated rack-1.5.2 for []) (process 1870, thread 
> #):
>   from ./config/../vendor/rails/railties/lib/initializer.rb:271:in 
> `require_frameworks'
>   from ./config/../vendor/rails/railties/lib/initializer.rb:134:in 
> `process'
>   from ./config/../vendor/rails/railties/lib/initializer.rb:113:in `send'
>   from ./config/../vendor/rails/railties/lib/initializer.rb:113:in `run'
>   from ./config/environment.rb:14
>   from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in 
> `gem_original_require'
>   from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in 
> `require'
>   from config.ru:4
>   from /usr/lib/ruby/gems/1.8/gems/rack-1.5.2/lib/rack/builder.rb:55:in 
> `instance_eval'
>   from /usr/lib/ruby/gems/1.8/gems/rack-1.5.2/lib/rack/builder.rb:55:in 
> `initialize'
>   from config.ru:1:in `new'
>   from config.ru:1
>





[Puppet Users] upgraded to puppet 1.2.22 from 1.2.21 and get error

2013-02-22 Thread Tom Blich


[ pid=1870 thr=69908823898540 file=utils.rb:176 time=2013-02-22 
16:39:47.170 ]: *** Exception RuntimeError in 
PhusionPassenger::Rack::ApplicationSpawner (can't activate rack (~> 1.1.0, 
runtime) for [], already activated rack-1.5.2 for []) (process 1870, thread 
#):
  from ./config/../vendor/rails/railties/lib/initializer.rb:271:in 
`require_frameworks'
  from ./config/../vendor/rails/railties/lib/initializer.rb:134:in `process'
  from ./config/../vendor/rails/railties/lib/initializer.rb:113:in `send'
  from ./config/../vendor/rails/railties/lib/initializer.rb:113:in `run'
  from ./config/environment.rb:14
  from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in 
`gem_original_require'
  from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in 
`require'
  from config.ru:4
  from /usr/lib/ruby/gems/1.8/gems/rack-1.5.2/lib/rack/builder.rb:55:in 
`instance_eval'
  from /usr/lib/ruby/gems/1.8/gems/rack-1.5.2/lib/rack/builder.rb:55:in 
`initialize'
  from config.ru:1:in `new'
  from config.ru:1




