[Puppet Users] How to access a module fact?

2018-01-23 Thread dkoleary
Hi;

I'm trying to use a custom module fact.  From what I can see, the fact is 
actually getting loaded but I can't seem to figure out the syntax for 
accessing it inside a module.  

The module I'm working on will end up doing much more than is there 
currently but:

class mpiappdynamics (
  $install_appdynamics = false,
) {

### appdynamics_installed fact installed via module fact.

  if ($install_appdynamics) {

    file { '/opt/app/appdynamics':
      ensure => directory,
      owner  => '5082',
      group  => '5032',
      mode   => '0755',
    }

    case $mpiappdynamics::appdynamics_installed {
      true: {
        $appdyn_t_source = absent
      }
      false: {
        $appdyn_t_source = 'file'
      }
      default: {
        $appdyn_t_source = 'nasty message goes here'
      }
    }

    #--
    # notifies
    #--

    notify { 'install_appdynamics':
      message => "install_appdynamics is set to: ${install_appdynamics}"
    }
    notify { 'appdynamics_installed':
      message => "appdynamics_installed is set to: ${appdynamics_installed}"
    }
    notify { 'appdyn_t_source':
      message => "appdyn_t_source is set to: ${appdyn_t_source}"
    }
  }
}



I've loaded the custom fact under ${module}/facts.d and that actually seems 
to be working.  On my test host I can execute:

# find /opt/puppetlabs /etc/puppetlabs -name appdynamics_installed -print
/opt/puppetlabs/puppet/cache/facts.d/appdynamics_installed
# facter -p appdynamics_installed
false

with this set up, I would expect to have appdyn_t_source set to 'file', but 
that's not what's happening:

# puppet agent -t
Notice: Local environment: 'production' doesn't match server specified node 
environment 'appd', switching agent to 'appd'.
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for myhost.mycompany.com
Info: Applying configuration version '1516730560'
Notice: install_appdynamics is set to: true
Notice: /Stage[main]/Mpiappdynamics/Notify[install_appdynamics]/message: 
defined 'message' as 'install_appdynamics is set to: true'
Notice: appdynamics_installed is set to: false
Notice: /Stage[main]/Mpiappdynamics/Notify[appdynamics_installed]/message: 
defined 'message' as 'appdynamics_installed is set to: false'
Notice: appdyn_t_source is set to: nasty message goes here
Notice: /Stage[main]/Mpiappdynamics/Notify[appdyn_t_source]/message: 
defined 'message' as 'appdyn_t_source is set to: nasty message goes here'
Notice: Applied catalog in 3.73 seconds


This is my first attempt at using a module based custom fact.  I'm psyched 
that I actually got it to load but.. that only takes me so far.

Thanks for any hints/tips/suggestions.

Doug O'Leary





-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/42bd6061-82c0-4c76-a145-6a7f3befa360%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [Puppet Users] puppet lookup could not find directory environment

2017-12-05 Thread dkoleary
And resolved... that was ugly.

Turns out the ENC was returning an unconfigured node because it couldn't 
access the mysql db when running 'puppet lookup'.  I ran that trace I was 
talking about and a painful bout of poring through trace later, I saw 
several references to not being able to access the DB.  More looking, I 
finally saw that it was not using the puppet user's or root's .my.cnf 
file.  I created one where it said it was looking and I get some valid 
output:

# puppet lookup --node a_dmz_host.mydom.com mpisshd::sshd_config_source
--- sshd_config.dmz

I'm curious to find out what user that's running as if it can't find the 
.my.cnf for the only two users on the box... but, not curious enough to 
search for it any further.  

Thanks again for the Chris.  I appreciate it.

Doug O'Leary




Re: [Puppet Users] puppet lookup could not find directory environment

2017-12-05 Thread dkoleary

Well, at least I've already checked all the things you're asking about.  
While the problem is frustrating, I do hate proving I'm a complete idiot to 
the internet :)

On Tuesday, December 5, 2017 at 1:50:10 PM UTC-6, Christopher Wood wrote:
>
> Quoth your earlier post: 
>
> [[snip]]
>
> What does the ENC return for that node? The ENC is listed under the 
> "external_nodes" parameter in /etc/puppetlabs/puppet/puppet.conf, you 
> should be able to run it at the console like "/usr/bin/myenc nodename" sort 
> of thing. 
>

 cl1vinfconf2442 is my puppet server.  The enc output looks like:

# enc cl1vinfconf2442.mydom.com
---
classes:
  - roles::mpipsrv
environment: production
parameters:
  env: prd
  dc: cl1
  gw: 10.168.65.254
  dmz: false
  auth: ldap
  grp: NULL


> I notice you are missing a colon in your hiera key, should that be 
> "mpiossec::run_ossec"? The class::param delimiter is two colons. 
>

Also quite correct.  My earlier attempts at that did have the two colons.  
To verify that it still returns the same:

# puppet lookup --environment production --node cl1vinfconf2442.mydom.com 
--explain mpiossec::run_ossec
Error: Could not run: Could not find a directory environment named 
'unconfigured' anywhere in the path: /etc/puppetlabs/code/environments. Does 
the directory exist?

You are again correct that there is no 
/etc/puppetlabs/code/environments/unconfigured.  Just to see what would 
happen, I did create a soft-link from unconfigured to production.  I didn't 
get the error anymore... just didn't get anything at all.

Now that I think of it, I ran those tests looking for fqdn.. let's try 
mpiossec::run_ossec:  ... Hey, would you look at that

# puppet lookup --node cl1vinfconf2442.mydom.com mpiossec::run_ossec
--- true

I'm beginning to suspect I know what's going on.  The ENC will return an 
environment of 'unconfigured' for any node it doesn't know about.  It's 
basically a catch-all that never gets used because in order to get that far 
a node has to have a cert which it won't get without being in the same 
database that the enc queries.  

So maybe 'puppet lookup' is getting the unconfigured from the enc and 
freaking before it gets to the environment switch... I could probably 
confirm that by tracing the pid but, if an unconfigured env will get this 
working, I'm happy.

...

Partially working as it turns out.  it's still not accepting any puppet 
environment change.  Any rate, this will get me started.  thanks for the 
responses.

Doug O'Leary



Re: [Puppet Users] puppet lookup could not find directory environment

2017-12-05 Thread dkoleary


On Tuesday, December 5, 2017 at 1:10:44 PM UTC-6, Christopher Wood wrote:
>
> Twofold: 
>
> "fqdn" is usually a puppet fact, I suspect you wouldn't find that if you 
> grepped your hiera data. Try these as root on any node: 
>

You are quite right.  My attempt to simplify the problem apparently went 
awry.
 

>
> puppet lookup --node myhost.me.com --environment production --explain 
> myclass::someparam 
> puppet lookup --node myhost.me.com --environment production --explain 
> fqdn 
> puppet help lookup | less 
>
>
I had tried variations of those all with the same result:

# puppet lookup --environment production --node cl1vinfconf2442.mydom.com 
--explain mpiossec:run_ossec
Error: Could not run: Could not find a directory environment named 
'unconfigured' anywhere in the path: /etc/puppetlabs/code/environments. Does 
the directory exist?

 mpiossec is *definitely* a hiera data entry.

Thanks for the response.  I appreciate it.



[Puppet Users] puppet lookup could not find directory environment

2017-12-05 Thread dkoleary
Hi;

I'm running open source puppet server ver 5.  So far, I've been exceedingly 
happy with the performance and maintainability of it.  I'm about to start a 
rewrite of a module and would like to verify some hiera data.  Quick google 
search shows what looks like it should be the perfect tool - problem is, it 
doesn't work.

On the puppet server, I run:

# puppet lookup fqdn
Error: Could not run: Could not find a directory environment named 
'unconfigured' anywhere in the path: /etc/puppetlabs/code/environments. Does 
the directory exist?


I tried adding the environment with the same result:

# puppet lookup --environment production fqdn
Error: Could not run: Could not find a directory environment named 
'unconfigured' anywhere in the path: /etc/puppetlabs/code/environments. Does 
the directory exist?

Puppet environments, in my setup, are established via an external node 
classifier.  I tried adding 'environment = production' to the user section 
of /etc/puppetlabs/puppet/puppet.conf but that didn't have any effect 
either.  Even with that, though, I would have thought specifying the 
environment on the command line would resolve that.

Has anyone seen this and know what I may have messed up and/or how to work 
around it?

Any hints/tips/suggestions greatly appreciated.

Doug O'Leary




[Puppet Users] Re: lvm module help

2017-05-04 Thread dkoleary
Hey;

Thanks again; unfortunately, that's not it.  volume_groups is set as a 
parameter to the lvm class:

class lvm (
  $package_ensure = 'installed',
  $manage_pkg     = undef,
  $volume_groups  = {},
) {


I tried it w/o the 's' anyways.  While the error went away, I didn't get my 
lv created either.  

Thanks again for the reply.

Doug O'Leary

On Thursday, May 4, 2017 at 10:08:22 AM UTC-5, dkoleary wrote:
>
> I'll give that a try.  I was retyping/copying/pasting from the link 
> directly, figuring the forge module handled that somehow.  I appreciate 
> the suggestion.
>
> Thanks
>
> Doug
>
> On Thursday, May 4, 2017 at 9:53:18 AM UTC-5, Joshua Schaeffer wrote:
>>
>> You list volume_group*s* in Hiera (with an "s"):
>>
>> ---
>> lvm::volume_groups:
>>   vg00:
>>     createonly: true
>>     physical_volumes:
>>       /dev/sda2:
>>         unless_vg: 'vg00'
>>     logical_volumes:
>>       audit:
>>         size: 2G
>>
>> You list volume_group (without an "s") in your manifest:
>>
>> create_resources('lvm::volume_group', $volume_groups)
>>
>> If this is a typo in your copy/paste then it may be that Puppet cannot 
>> find the data in Hiera. Where do you define lvm::volume_groups in Hiera 
>> (common.yaml, node specific yaml file, etc)?
>>
>> On Wednesday, May 3, 2017 at 9:01:10 AM UTC-6, dkoleary wrote:
>>>
>>> Hey, all;
>>>
>>> I'm having some trouble getting the lvm module to work the way I think 
>>> it should based on my probable erroneous reading of the documentation.
>>>
>>> I would like to ensure a logical volume of 2gs is created in vg00 which 
>>> has plenty of free space to handle the lv creation.  I've been using this 
>>> link as the guide:  
>>>
>>> https://github.com/puppetlabs/puppetlabs-lvm
>>>
>>> I'm using the puppetforge lvm module.
>>>
>>> Hiera data looks like:
>>>
>>> ---
>>> lvm::volume_groups:
>>>   vg00:
>>>     createonly: true
>>>     physical_volumes:
>>>       /dev/sda2:
>>>         unless_vg: 'vg00'
>>>     logical_volumes:
>>>       audit:
>>>         size: 2G
>>>
>>> I get this error when running on a test box:
>>>
>>> # puppet agent -t
>>> Notice: Local environment: 'production' doesn't match server specified 
>>> node environment 'dkoleary', switching agent to 'dkoleary'.
>>> Info: Retrieving pluginfacts
>>> Info: Retrieving plugin
>>> Info: Loading facts
>>> Error: Could not retrieve catalog from remote server: Error 400 on 
>>> SERVER: Evaluation Error: Error while evaluating a Resource Statement, 
>>> Lvm::Volume_group[vg00]: has no parameter named 'createonly' on node 
>>> myhost.mydomain.com
>>> Warning: Not using cache on failed catalog
>>> Error: Could not retrieve catalog; skipping run
>>>
>>> If i comment the hiera data and specify the parameters directly in the 
>>> class, it works:
>>>
>>> # == Class: lvm
>>> #
>>>
>>> class lvm {
>>>
>>>   physical_volume { '/dev/sda2':
>>>     ensure    => present,
>>>     unless_vg => 'vg00',
>>>   }
>>>
>>>   volume_group { 'vg00':
>>>     ensure           => present,
>>>     physical_volumes => '/dev/sda2',
>>>     createonly       => true,
>>>   }
>>>
>>>   logical_volume { 'audit':
>>>     ensure       => present,
>>>     size         => '2G',
>>>     volume_group => 'vg00',
>>>   }
>>> }
>>> #==
>>> # original init.pp code
>>> #==
>>> # class lvm (
>>> #   $package_ensure = 'installed',
>>> #   $manage_pkg     = undef,
>>> #   $volume_groups  = {},
>>> # ) {
>>> #
>>> #   if $manage_pkg {
>>> #     package { 'lvm2':
>>> #       ensure => $package_ensure
>>> #     }
>>> #   }
>>> #
>>> #   validate_hash($volume_groups)
>>> #
>>> #   create_resources('lvm::volume_group', $volume_groups)
>>> # }
>>> #==
>>>
>>> results in:
>>>
>>> # puppet agent -t

[Puppet Users] Re: lvm module help

2017-05-04 Thread dkoleary
I'll give that a try.  I was retyping/copying/pasting from the link 
directly, figuring the forge module handled that somehow.  I appreciate 
the suggestion.

Thanks

Doug

On Thursday, May 4, 2017 at 9:53:18 AM UTC-5, Joshua Schaeffer wrote:
>
> You list volume_group*s* in Hiera (with an "s"):
>
> ---
> lvm::volume_groups:
>   vg00:
>     createonly: true
>     physical_volumes:
>       /dev/sda2:
>         unless_vg: 'vg00'
>     logical_volumes:
>       audit:
>         size: 2G
>
> You list volume_group (without an "s") in your manifest:
>
> create_resources('lvm::volume_group', $volume_groups)
>
> If this is a typo in your copy/paste then it may be that Puppet cannot 
> find the data in Hiera. Where do you define lvm::volume_groups in Hiera 
> (common.yaml, node specific yaml file, etc)?
>
> On Wednesday, May 3, 2017 at 9:01:10 AM UTC-6, dkoleary wrote:
>>
>> Hey, all;
>>
>> I'm having some trouble getting the lvm module to work the way I think it 
>> should based on my probable erroneous reading of the documentation.
>>
>> I would like to ensure a logical volume of 2gs is created in vg00 which 
>> has plenty of free space to handle the lv creation.  I've been using this 
>> link as the guide:  
>>
>> https://github.com/puppetlabs/puppetlabs-lvm
>>
>> I'm using the puppetforge lvm module.
>>
>> Hiera data looks like:
>>
>> ---
>> lvm::volume_groups:
>>   vg00:
>>     createonly: true
>>     physical_volumes:
>>       /dev/sda2:
>>         unless_vg: 'vg00'
>>     logical_volumes:
>>       audit:
>>         size: 2G
>>
>> I get this error when running on a test box:
>>
>> # puppet agent -t
>> Notice: Local environment: 'production' doesn't match server specified 
>> node environment 'dkoleary', switching agent to 'dkoleary'.
>> Info: Retrieving pluginfacts
>> Info: Retrieving plugin
>> Info: Loading facts
>> Error: Could not retrieve catalog from remote server: Error 400 on 
>> SERVER: Evaluation Error: Error while evaluating a Resource Statement, 
>> Lvm::Volume_group[vg00]: has no parameter named 'createonly' on node 
>> myhost.mydomain.com
>> Warning: Not using cache on failed catalog
>> Error: Could not retrieve catalog; skipping run
>>
>> If i comment the hiera data and specify the parameters directly in the 
>> class, it works:
>>
>> # == Class: lvm
>> #
>>
>> class lvm {
>>
>>   physical_volume { '/dev/sda2':
>>     ensure    => present,
>>     unless_vg => 'vg00',
>>   }
>>
>>   volume_group { 'vg00':
>>     ensure           => present,
>>     physical_volumes => '/dev/sda2',
>>     createonly       => true,
>>   }
>>
>>   logical_volume { 'audit':
>>     ensure       => present,
>>     size         => '2G',
>>     volume_group => 'vg00',
>>   }
>> }
>> #==
>> # original init.pp code
>> #==
>> # class lvm (
>> #   $package_ensure = 'installed',
>> #   $manage_pkg     = undef,
>> #   $volume_groups  = {},
>> # ) {
>> #
>> #   if $manage_pkg {
>> #     package { 'lvm2':
>> #       ensure => $package_ensure
>> #     }
>> #   }
>> #
>> #   validate_hash($volume_groups)
>> #
>> #   create_resources('lvm::volume_group', $volume_groups)
>> # }
>> #==
>>
>> results in:
>>
>> # puppet agent -t
>> Notice: Local environment: 'production' doesn't match server specified 
>> node environment 'dkoleary', switching agent to 'dkoleary'.
>> Info: Retrieving pluginfacts
>> Info: Retrieving plugin
>> Info: Loading facts
>> Info: Caching catalog for cl1vproegit1395.multiplan.com
>> Info: Applying configuration version '149382'
>> [[ Misc der'mo snipped]]
>> Notice: /Stage[main]/Lvm/Logical_volume[audit]/ensure: created
>>
>> Notice: Applied catalog in 94.15 seconds
>> 
>>
>> # lvs vg00 |grep audit
>>   audit vg00 -wi-a- 2.00g
>>
>> I'd appreciate any hints/tips/suggestions on what I might be doing wrong.
>>
>> Thanks for your time.
>>
>> Doug O'Leary
>>
>>
>>
>>
>>



[Puppet Users] lvm module help

2017-05-03 Thread dkoleary
Hey, all;

I'm having some trouble getting the lvm module to work the way I think it 
should based on my probable erroneous reading of the documentation.

I would like to ensure a logical volume of 2gs is created in vg00 which has 
plenty of free space to handle the lv creation.  I've been using this link 
as the guide:  

https://github.com/puppetlabs/puppetlabs-lvm

I'm using the puppetforge lvm module.

Hiera data looks like:

---
lvm::volume_groups:
  vg00:
    createonly: true
    physical_volumes:
      /dev/sda2:
        unless_vg: 'vg00'
    logical_volumes:
      audit:
        size: 2G

I get this error when running on a test box:

# puppet agent -t
Notice: Local environment: 'production' doesn't match server specified node 
environment 'dkoleary', switching agent to 'dkoleary'.
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: 
Evaluation Error: Error while evaluating a Resource Statement, 
Lvm::Volume_group[vg00]: has no parameter named 'createonly' on node 
myhost.mydomain.com
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

If i comment the hiera data and specify the parameters directly in the 
class, it works:

# == Class: lvm
#

class lvm {

  physical_volume { '/dev/sda2':
    ensure    => present,
    unless_vg => 'vg00',
  }

  volume_group { 'vg00':
    ensure           => present,
    physical_volumes => '/dev/sda2',
    createonly       => true,
  }

  logical_volume { 'audit':
    ensure       => present,
    size         => '2G',
    volume_group => 'vg00',
  }
}
#==
# original init.pp code
#==
# class lvm (
#   $package_ensure = 'installed',
#   $manage_pkg     = undef,
#   $volume_groups  = {},
# ) {
#
#   if $manage_pkg {
#     package { 'lvm2':
#       ensure => $package_ensure
#     }
#   }
#
#   validate_hash($volume_groups)
#
#   create_resources('lvm::volume_group', $volume_groups)
# }
#==

results in:

# puppet agent -t
Notice: Local environment: 'production' doesn't match server specified node 
environment 'dkoleary', switching agent to 'dkoleary'.
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for cl1vproegit1395.multiplan.com
Info: Applying configuration version '149382'
[[ Misc der'mo snipped]]
Notice: /Stage[main]/Lvm/Logical_volume[audit]/ensure: created

Notice: Applied catalog in 94.15 seconds


# lvs vg00 |grep audit
  audit vg00 -wi-a- 2.00g

I'd appreciate any hints/tips/suggestions on what I might be doing wrong.

Thanks for your time.

Doug O'Leary






[Puppet Users] mount lvm & auditd module(s) design?

2017-05-02 Thread dkoleary
Hey;

Core requirement: have puppet manage auditd on a separate /var/log/audit 
filesystem.

I've seen the mount resource so I can have the auditd module require the 
file/dir /var/log/audit (for permissions) which requires the mount point 
/var/log/audit which will, if necessary, update /etc/fstab.  I don't see 
any way to generate a new device using that, though. I can pre-generate 
that but I'd like to have puppet do it so it'll catch any new systems 
getting built.

Enter the puppetforge lvm module.  That looks cool.  The examples on the 
web show the mountpath and mountpath_require option but I can't tell if 
that'll update /etc/fstab.  Doesn't appear to.  

Anyone have any hints/tips/suggestions on having modules interact with 
mountpoints and linux lvm before I see if I can blow up a test box?

Thanks

Doug O'Leary



Re: [Puppet Users] Open source puppet performance monitoring/tuning?

2017-01-13 Thread dkoleary
Excellent!  Thank you very much.  That will come in handy.

Doug

On Friday, January 13, 2017 at 2:06:27 PM UTC-6, R.I. Pienaar wrote:
>
>
>
> - Original Message - 
> > From: "dkoleary" <dkol...@olearycomputers.com > 
> > To: "puppet-users" <puppet...@googlegroups.com > 
> > Sent: Friday, 13 January, 2017 20:52:30 
> > Subject: Re: [Puppet Users] Open source puppet performance 
> monitoring/tuning? 
>
> > Thanks; That looks like a pretty cool tool; unfortunately, I can't seem 
> to 
> > get it to run. 
> > 
> > Centos 6.8 fully patched: 
> > 
> > $ ./report_print.rb 
> > ./report_print.rb:17:in `require': no such file to load -- puppet 
> > (LoadError) 
> >from ./report_print.rb:17 
>
> if you're on puppet 4 you'll need to do: 
>
>  /opt/puppetlabs/puppet/bin/ruby report_print.rb 
>
> basically you have to use the ruby that puppet uses 
>



[Puppet Users] simple file resource taking longer than it should

2017-01-13 Thread dkoleary
Hi;

A follow-on to another thread; I'm trying to track down performance issues 
in open source puppet server (and clients) ver 4.5.0

Reading through last_run_summary.yaml, the vast majority of time is spent 
on file resources.  I then hit the last_run_report.yaml and, 
as an example, one of the simplest file resources took 17 seconds (assuming 
I'm reading this correctly):

  File[/etc/ntp/step-tickers]: !ruby/object:Puppet::Resource::Status
    title: "/etc/ntp/step-tickers"
    file: "/etc/puppetlabs/code/environments/dkoleary/modules/mpintp/manifests/init.pp"
    line: 67
    resource: File[/etc/ntp/step-tickers]
    resource_type: File
    containment_path:
    - Stage[main]
    - Mpintp
    - File[/etc/ntp/step-tickers]
    evaluation_time: 17.430422487
    tags:
    - file
    - class
    - mpintp
    - profiles::mpibase
    - profiles
    - mpibase
    - roles::mpibase
    - roles
    time: '2017-01-13T13:08:38.619245800-06:00'
    failed: false
    changed: false
    out_of_sync: false
    skipped: false
    change_count: 0
    out_of_sync_count: 0
    events: []

It'd be hard to get more simple than this file resource:

  file { '/etc/ntp/step-tickers':
    ensure => 'present',
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => 'puppet:///modules/mpintp/step-tickers',
    notify => Service['ntpd'],
  }



The rest of the module is equally as simple.  one package, one service, and 
one other file resource.  

And, of course, the performance issue is sporadic.  The very next agent run 
finished the whole thing in less than a second.  I don't believe it's a 
system resource contention.  *This* box is a linux desktop that was all but 
idle for both runs.  I'm seeing similar issues on other systems, though, so 
I'd like to be able to track this down.

Anyone have any ideas or tips on where I can look next?

Thanks for your time.

Doug O'Leary
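
Added example, not part of the original post and not code from puppet-reportprint: one way to rank resources by evaluation_time from a report shaped like the excerpt above without needing the puppet library on the load path. It walks the YAML syntax tree with Ruby's bundled Psych, so the !ruby/object tags are never deserialized into objects; the resource_statuses wrapper key is not shown in the post and every sample entry except the step-tickers timing is constructed.

```ruby
require 'psych'

# Constructed sample shaped like last_run_report.yaml. Only the
# File[/etc/ntp/step-tickers] timing comes from the post; the other
# entries and the resource_statuses wrapper are assumptions.
SAMPLE_REPORT = <<~YAML
  --- !ruby/object:Puppet::Transaction::Report
  host: myhost.mycompany.com
  resource_statuses:
    File[/etc/ntp/step-tickers]: !ruby/object:Puppet::Resource::Status
      title: "/etc/ntp/step-tickers"
      resource_type: File
      evaluation_time: 17.430422487
      changed: false
    Package[ntp]: !ruby/object:Puppet::Resource::Status
      title: ntp
      resource_type: Package
      evaluation_time: 0.012345
      changed: false
    Service[ntpd]: !ruby/object:Puppet::Resource::Status
      title: ntpd
      resource_type: Service
      evaluation_time: 0.245
      changed: false
    Schedule[daily]: !ruby/object:Puppet::Resource::Status
      title: daily
      resource_type: Schedule
      skipped: true
YAML

# Turn a Psych syntax-tree node into plain hashes, arrays and strings.
# Tags such as !ruby/object:Puppet::Resource::Status are ignored, so no
# Puppet class has to be loadable and no object is ever instantiated.
def plain(node)
  case node
  when Psych::Nodes::Mapping
    node.children.each_slice(2).map { |k, v| [plain(k), plain(v)] }.to_h
  when Psych::Nodes::Sequence
    node.children.map { |child| plain(child) }
  when Psych::Nodes::Scalar
    node.value
  end # aliases and anything else become nil
end

# Return [[resource_name, seconds], ...] sorted slowest first.
# Entries without a numeric evaluation_time (e.g. skipped ones) are dropped.
def slowest_resources(report_yaml, limit = 10)
  doc = Psych.parse(report_yaml)
  return [] unless doc # Psych.parse returns false for empty input

  report = plain(doc.root)
  statuses = report.is_a?(Hash) ? report['resource_statuses'] : nil
  return [] unless statuses.is_a?(Hash)

  timed = statuses.map do |name, status|
    raw = status.is_a?(Hash) ? status['evaluation_time'] : nil
    secs = raw.is_a?(String) ? Float(raw, exception: false) : nil
    secs ? [name, secs] : nil
  end
  timed.compact.sort_by { |_, secs| -secs }.first(limit)
end

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0]
  yaml = path && File.file?(path) ? File.read(path) : SAMPLE_REPORT
  slowest_resources(yaml).each do |name, secs|
    puts format('%10.3f  %s', secs, name)
  end
end
```

Run it with Ruby 2.6 or later, passing the path to last_run_report.yaml as the first argument; with no argument it prints the constructed sample.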





Re: [Puppet Users] Open source puppet performance monitoring/tuning?

2017-01-13 Thread dkoleary
Thanks; That looks like a pretty cool tool; unfortunately, I can't seem to 
get it to run.  

Centos 6.8 fully patched:

$ ./report_print.rb 
./report_print.rb:17:in `require': no such file to load -- puppet 
(LoadError)
from ./report_print.rb:17

Some googling showed a 'gem install' command but that results in:

# gem install puppet
ERROR:  Error installing puppet:
puppet requires Ruby version >= 1.9.3.

Any tips?

Thanks again.

Doug O'Leary

On Friday, January 13, 2017 at 12:46:17 PM UTC-6, R.I. Pienaar wrote:
>
>
>
> - Original Message ----- 
> > From: "dkoleary" <dkol...@olearycomputers.com > 
> > To: "puppet-users" <puppet...@googlegroups.com > 
> > Sent: Friday, 13 January, 2017 19:43:20 
> > Subject: Re: [Puppet Users] Open source puppet performance 
> monitoring/tuning? 
>
> > Hi, Garret; 
> > 
> > Your suggestion to review last_run_summary.yaml results in one huge step 
> in 
> > the right direction. 
> > 
> > # grep file: /opt/puppetlabs/puppet/cache/state/last_run_summary.yaml 
> >  file: 121.817228425 
> > 
> > So, how do I go about finding out which file resource(s) are causing the 
> > problem? 
>
> You can use https://github.com/ripienaar/puppet-reportprint to report on 
> slow 
> things 
>
> See the sample report. 
>
> I think it'll work with Puppet 4, it's been a while, open an issue if it 
> doesn't 
>



Re: [Puppet Users] Open source puppet performance monitoring/tuning?

2017-01-13 Thread dkoleary
Hi, Garret;

Your suggestion to review last_run_summary.yaml results in one huge step in 
the right direction.  

# grep file: /opt/puppetlabs/puppet/cache/state/last_run_summary.yaml
  file: 121.817228425

So, how do I go about finding out which file resource(s) are causing the 
problem?

Thanks a lot for the tip.  Appreciate it immensely.

Doug O'Leary




Re: [Puppet Users] Open source puppet performance monitoring/tuning?

2017-01-13 Thread dkoleary
Hey;

thanks for the reply.  I do use augeas sparsely.  Turns out that's not the 
issue but your suggestion is very intriguing.  I'm going to be trying that 
out shortly.

Thanks

Doug



[Puppet Users] Open source puppet performance monitoring/tuning?

2017-01-12 Thread dkoleary
I think I've taken my open source puppet server to the limits; but, I'd like to 
be able to confirm that and find out what resources are needed.

Short version of the problem:  When we first started, puppet agent runs would 
take 5-10 seconds.  Now, while we still have a limited number of modules, we're 
looking at 1400+ systems under management.  Most runs still take in the 5-10 
second range but a growing number are taking 400+ seconds to complete.

Short version of the question:  How do I know what needs to be tuned or 
examined?

An example:  the first paragraph of 
https://docs.puppet.com/pe/latest/config_puppetserver.html says "Tuning JRuby 
on Puppet server". What would be the symptom that suggests JRuby needs tuning?

An ISBN for a book would be great.  I find all sorts of books on learning 
puppet but not too many on tuning it.

Any hints or suggestions will be greatly appreciated.

Doug O'Leary



Re: [Puppet Users] module design: different module sections manipulating files in single directory

2016-08-15 Thread dkoleary
Hey

I went with my option #2 for this exercise.  I will definitely be looking into 
the package management as it'll come up.  In fact, it may have already come up 
in a different request.  For this one, though, I have something like 5 scripts 
in the 'all-hosts' list and 3 in the subset so individual file resources were 
easy enough.  It works.  Not pretty by any stretch but that's what process 
improvement's for.

Thanks again for the responses.

Doug O'Leary



Re: [Puppet Users] module design: different module sections manipulating files in single directory

2016-08-15 Thread dkoleary
Hey;

Thanks for the responses.  I hadn't thought of packages.  I will start 
exploring that option.

Thanks again.

Doug O'Leary

On Monday, August 15, 2016 at 3:42:20 PM UTC-5, Rob Nelson wrote:
>
> Doug,
>
> I agree with Dan, packaging is the answer. And before you say it - yes, 
> packaging sounds scary at first, but it doesn't have to be. Check out FPM - 
> https://github.com/jordansissel/fpm/wiki - to generate a package in the 
> correct format. You can very easily package static files that way, and use 
> file resources with `source => template(...)` for any dynamic files 
> required.
>
> Hosting the files is pretty easy if you're using yum, as yumrepos are 
> built in. You can host them on a node with profile::yumrepo (
> https://github.com/puppetinabox/controlrepo/blob/production/dist/profile/manifests/yumrepo.pp
>  
> and 
> https://github.com/puppetinabox/controlrepo/blob/production/hiera/puppet_role/yumrepo.yaml),
>  
> throw the rpms in /var/www/html/puppetrepo/el7, and then ensure your base 
> profile distributes that repo (
> https://github.com/puppetinabox/controlrepo/blob/production/dist/profile/manifests/base.pp#L29-L38).
>  
> That code is dated and needs a little improvement (stop using 
> `create_resources()`!) but should get you started quickly. I'm sure there's 
> an equivalent for Apt.
>
>
> Rob Nelson
> rnel...@gmail.com 
>
> On Mon, Aug 15, 2016 at 4:19 PM, Dan Mahoney <goo...@gushi.org 
> > wrote:
>
>> On Mon, 15 Aug 2016, dkoleary wrote:
>>
>> Hey;
>>> I suspected this was going to be a problem and, sure enough, it is.  
>>>
>>> Here's the scenario:  puppet server 4.5:  I have ~ 1200 hosts on which I
>>> want specific files in /root/bin on all hosts.  A reasonably large 
>>> subset of
>>> those should have additional files in /root/bin as part of a home-grown
>>> application management process.  To be clear, none of the files from the
>>> 'all-host' group overlap with any of the files from the 'some-hosts' 
>>> group.
>>>
>>> The all-host group is easy enough::
>>>
>>>   file { '/root/bin':
>>>     ensure  => 'directory',
>>>     owner   => 'root',
>>>     group   => 'root',
>>>     mode    => '0700',
>>>     recurse => true,
>>>     source  => 'puppet:///modules/myroot/rootbin',
>>>     require => File['/root'],
>>>   }
>>>
>>> So, that's worked for weeks now.  In my company's slow migration to 
>>> puppet
>>> management, I'm finally to the point of adding some custom application
>>> related files to /root/bin.  On the surface, the some-hosts group is 
>>> pretty
>>> easy too::
>>>
>>> file { 'webconfbin':
>>>   ensure  => 'directory',
>>>   path    => '/root/bin',
>>>   owner   => 'root',
>>>   group   => 'root',
>>>   mode    => '0700',
>>>   recurse => true,
>>>   source  => 'puppet:///modules/myroot/webconf',
>>> }
>>>
>>> As I suspected, that resulted in the bright red error message about
>>> 'resource /root/bin already declared'.  The two options that I can think 
>>> of
>>> aren't particularly appetizing:
>>>
>>> 1.  Add the files from some-hosts to all-hosts resulting in the app
>>> management files being everywhere.  These files, themselves, don't 
>>> represent
>>> a security issue, but it's not a very clean approach.
>>>
>>> 2.  Use individual file resources.  I could get away with that approach 
>>> on
>>> this one; but, when I run into a similar issue with dozens or 100s of 
>>> files,
>>> I'd hate to be specifying all those file resources.
>>>
>>> Realizing I probably took a wrong turn in my initial design and figuring
>>> someone else has to have run into this problem before, I'm asking the
>>> experts.  What's the right way to have a set of files on all hosts and a
>>> different set of files on a subset of all hosts in the same directory?
>>>
>>
>> I don't often comment on the puppet stuff, but yours made me need to 
>> chime in and say this:
>>
>> Recurse is an ugly, awful, terrible hack and should be deprecated.
>>
>> I don't say that with any knowledge of the way it evolved or what its 
>> future support status is, but if you look at it -- it's effectively an 
>> expansion macro that turns into dozens or hundreds of File[] resources (and 
>> internally -- can and MUS

[Puppet Users] module design: different module sections manipulating files in single directory

2016-08-15 Thread dkoleary
Hey;

I suspected this was going to be a problem and, sure enough, it is.  

Here's the scenario:  puppet server 4.5:  I have ~ 1200 hosts on which I 
want specific files in /root/bin on all hosts.  A reasonably large subset 
of those should have additional files in /root/bin as part of a home-grown 
application management process.  To be clear, none of the files from the 
'all-host' group overlap with any of the files from the 'some-hosts' group.

The all-host group is easy enough::

  file { '/root/bin':
    ensure  => 'directory',
    owner   => 'root',
    group   => 'root',
    mode    => '0700',
    recurse => true,
    source  => 'puppet:///modules/myroot/rootbin',
    require => File['/root'],
  }

So, that's worked for weeks now.  In my company's slow migration to puppet 
management, I'm finally to the point of adding some custom application 
related files to /root/bin.  On the surface, the some-hosts group is pretty 
easy too::

file { 'webconfbin':
  ensure  => 'directory',
  path    => '/root/bin',
  owner   => 'root',
  group   => 'root',
  mode    => '0700',
  recurse => true,
  source  => 'puppet:///modules/myroot/webconf',
}

As I suspected, that resulted in the bright red error message about 
'resource /root/bin already declared'.  The two options that I can think of 
aren't particularly appetizing:

1.  Add the files from some-hosts to all-hosts resulting in the app 
management files being everywhere.  These files, themselves, don't 
represent a security issue, but it's not a very clean approach.

2.  Use individual file resources.  I could get away with that approach on 
this one; but, when I run into a similar issue with dozens or 100s of 
files, I'd hate to be specifying all those file resources.

Realizing I probably took a wrong turn in my initial design and figuring 
someone else has to have run into this problem before, I'm asking the 
experts.  What's the right way to have a set of files on all hosts and a 
different set of files on a subset of all hosts in the same directory?

Thanks for any hints/tips/suggestions.

Doug O'Leary



Re: [Puppet Users] comparing facts as integers in puppet server 4.5?

2016-08-10 Thread dkoleary
Excellent, sir!  Thank you very much for the tip and clear information.

Thanks again.

Doug

On Wednesday, August 10, 2016 at 5:48:47 PM UTC-5, Peter Huene wrote:
>
> Hi Doug:
>
> On Wed, Aug 10, 2016 at 12:28 PM, dkoleary <dkol...@olearycomputers.com 
> > wrote:
>
>> Hey
>>
>> I'm setting up a module to handle our smtp config.  
>>
>> My simple if statement is:
>>
>>   if ($facts['os']['release']['major'] > 5 ) {
>>
>>
>> results in a bright red error stating:
>>
>> Error: Could not retrieve catalog from remote server: Error 400 on SERVER
>> : Evaluation Error: Error while evaluating a Resource Statement, 
>> Evaluation Error: Comparison of: String > Integer, is not possible. 
>> Caused by '*A String is not comparable to a non String'*. at /etc/
>> puppetlabs/code/environments/dkoleary/modules/mpismtp/manifests/init.pp:
>> 50:40 on node nap1d030.multiplan.com
>>
>> Facts are obviously interpreted as strings.  Several posts referenced 
>> that puppet will auto-translate strings to integers if appropriate.  So, 
>> figuring there was something special about the facts hash, I created a 
>> variable for it:
>>
>
> Recent versions of Puppet do not "stringify" facts and Facter 3 outputs 
> facts of many different types, including numerical.  However, Facter's 
> schema defines this particular fact as being a string because it cannot 
> limit any component of a version string to be numerical; for example, a 
> valid version string could just be a release code name.
>  
>
>>
>>   $mpismpt_orm = $facts['os']['release']['major']
>>   if ($mpismpt_orm > 5) {
>>
>> with the same result.  It wasn't until I updated the var declaration as 
>> "$mpismpt_orm = 0 + $facts['os']['release']['major']" that this works - a 
>> hint in a post from 2010.  There has to be a better way to have facts be 
>> interpreted as numbers, doesn't there?  
>>
>
> The Puppet compiler only automatically coerces strings to numeric types 
> for arithmetic operations, such as the plus operator, as you've noticed; 
> the comparison operators do no such coercion.
>
> In Puppet 4.5+, you can use the `new` function (
> https://docs.puppet.com/puppet/latest/reference/function.html#new) to 
> perform type conversions:
>
> if Integer($facts['os']['release']['major']) > 5 {
>   # ...
> }
>
> This example will explicitly convert the string to an integer using the 
> "type-conversion-like" syntax for invoking the new function.  It is 
> semantically equivalent to explicitly invoking the `new` function, like so:
>
> if Integer.new($facts['os']['release']['major']) > 5 {
>   # ...
> }
>
> On older versions, you can use the conversion technique you've already 
> discovered or the `scanf` function (
> https://docs.puppet.com/puppet/latest/reference/function.html#scanf).
>
> Hope this helps.
>  
>
>>
>> It works so, if all else fails, I'm good.  It just seems that something 
>> should have changed in this regard in the last 7 years.
>>
>> Thanks for any information.
>>
>> Doug O'Leary
>>
>>
>>
>>
>>
>
>
>
> -- 
> --
> Peter Huene - Senior Software Engineer
> peter...@puppet.com  | @peterhuene
>



[Puppet Users] comparing facts as integers in puppet server 4.5?

2016-08-10 Thread dkoleary
Hey

I'm setting up a module to handle our smtp config.  

My simple if statement is:

  if ($facts['os']['release']['major'] > 5 ) {


results in a bright red error stating:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: 
Evaluation Error: Error while evaluating a Resource Statement, Evaluation 
Error: Comparison of: String > Integer, is not possible. Caused by '*A 
String is not comparable to a non String'*. at /etc/puppetlabs/code/
environments/dkoleary/modules/mpismtp/manifests/init.pp:50:40 on node 
nap1d030.multiplan.com

Facts are obviously interpreted as strings.  Several posts referenced that 
puppet will auto-translate strings to integers if appropriate.  So, 
figuring there was something special about the facts hash, I created a 
variable for it:

  $mpismpt_orm = $facts['os']['release']['major']
  if ($mpismpt_orm > 5) {

with the same result.  It wasn't until I updated the var declaration as 
"$mpismpt_orm = 0 + $facts['os']['release']['major']" that this works - a 
hint in a post from 2010.  There has to be a better way to have facts be 
interpreted as numbers, doesn't there?  

It works so, if all else fails, I'm good.  It just seems that something 
should have changed in this regard in the last 7 years.

Thanks for any information.

Doug O'Leary






Re: [Puppet Users] Re: ssh_authorized_key ensure => absent?

2016-07-20 Thread dkoleary
I haven't yet as there are other keys that haven't been migrated into puppet 
management yet.  That's a bit more work.  I was hoping to be able to clear out 
old keys w/o resorting to manually removing the keys as getting all the keys 
under puppet management is probably a couple of weeks off.  

Thanks



[Puppet Users] Re: ssh_authorized_key ensure => absent?

2016-07-20 Thread dkoleary
Hey;

Both are ver 4.5.  Sorry; should have added that.  Just seems like I'm 
missing something fairly simple.  It's not like the class is all that 
involved.

thanks

Doug

On Tuesday, July 19, 2016 at 8:40:57 AM UTC-5, dkoleary wrote:
>
> Hey;
>
> I'm trying to add/delete ssh key from a specific user.  Adding keys works; 
> however, removing them doesn't.
>
> Here's what I have:
>
>   ssh_authorized_key { 'dkoleary':
>     ensure => absent,
>     key    => '[[long_key_snipped]]',
>     type   => 'ssh-dss',
>     user   => 'dkoleary',
>   }
>
>
> Anyone see what I'm missing?  As I said, the 'ensure => present' works... 
> just can't seem to remove the specific key.
>
> Thanks
>
> Doug O'Leary
>
>



[Puppet Users] ssh_authorized_key ensure => absent?

2016-07-19 Thread dkoleary
Hey;

I'm trying to add/delete ssh key from a specific user.  Adding keys works; 
however, removing them doesn't.

Here's what I have:

  ssh_authorized_key { 'dkoleary':
    ensure => absent,
    key    => '[[long_key_snipped]]',
    type   => 'ssh-dss',
    user   => 'dkoleary',
  }


Anyone see what I'm missing?  As I said, the 'ensure => present' works... 
just can't seem to remove the specific key.

Thanks

Doug O'Leary



[Puppet Users] Will puppet follow a file source that's symlinked?

2016-07-15 Thread dkoleary
Hi;

I'm pondering the use of a symlinked source for several file resources. 
Due to too many fingers in the pot, I have 10 separate environments to 
manage.  As an example, I have a file source that's a text file.  If I want 
to update that file, I have to do it in 10 places or go through an entire 
SDLC push.  Seems a bit overkill just to correct one tiny little typo.  

If I have .../environments/${env}/modules/${mod}/files/${subdir} soft 
linked to another location, will puppet follow it and find the files under 
it?  

Thanks

Doug O'Leary



[Puppet Users] puppetdb general questions

2016-07-12 Thread dkoleary
Hey, all;

I've come to the point where I need to install puppetdb in my opensource 
puppet server 4.5 implementation.  

Although the use of exported resources is on the scope, the two immediate 
use cases that I'm looking for are:

   - puppet node status
   - Use of a dashboard yet TBD

I looked through the docs at https://docs.puppet.com/puppetdb/4.1/ and have 
some general questions:


   - Are there any hidden issues when installing puppetdb for use with 
   puppet server?  The doc mentions puppet master repeatedly.  I'm not seeing 
   anything in any of the docs that look like they wouldn't run on puppet 
   server 4.5.  Even the "puppet master --configprint route_file" works but 
   having direct feedback from someone who's done it would be nice.
   - When should I consider installing puppetdb on a separate node?  I have 
   8 very basic modules managing roughly 1200 linux systems.  The puppet 
   server is a physical HP dl360 gen8 w/2x16 core cpus and 32 gigs of ram. 
   The number of modules will increase as we migrate more fully into the 
   puppet management paradigm and we will probably end up with nigh on 2000 
   nodes by year's end.  We may also have other teams using open source puppet 
   if the long-delayed puppet enterprise is delayed yet again; however, for 
   the moment, the implementation is very low impact.
   - If I do install puppetdb on the puppet server, how hard is it to move 
   if I later decide to split them up?

I think that covers the questions.  Any hints/tips/suggestions on avoiding 
hurdles would be greatly appreciated as well.  

Thanks for your time

Doug O'Leary



[Puppet Users] Re: hiera-eyaml not decrypting?

2016-07-08 Thread dkoleary
I'll be damned.. that was it.  Well, I don't feel so bad about that one.  

Thank you very much!  

On Friday, July 8, 2016 at 12:33:02 PM UTC-5, Michael Watters wrote:
>
> I think I ran into a similar issue before.  Try putting "eyaml" as the 
> first backend to see if that helps.
>
> Here's a copy of our hiera.yaml file which works.
>
> ---
> :backends:
>   - eyaml
>   - yaml
>
>
> :hierarchy:
>   - "nodes/%{::trusted.certname}"
>   - common
>
>
> :yaml:
> # datadir is empty here, so hiera uses its defaults:
> # # - /etc/puppetlabs/code/environments/%{environment}/hieradata on *nix
> # # - %CommonAppData%\PuppetLabs\code\environments\%{environment}\hieradata on Windows
> # # When specifying a datadir, make sure the directory exists.
> #   :datadir:
>
>
> :eyaml:
>   :extension: 'yaml'
>   :pkcs7_private_key: '/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem'
>   :pkcs7_public_key:  '/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem'
>
>
>
> On Friday, July 8, 2016 at 1:09:02 PM UTC-4, dkoleary wrote:
>>
>> Hi;
>>
>> I have hiera.eyaml installed and functional from the CLI; however, when I 
>> attempt to use it in a module, the encrypted string is being used rather 
>> than the decrypted value.
>>
>> I have to be missing something mind numbingly simple; but, I've been 
>> through the doc at https://github.com/TomPoulton/hiera-eyaml so many 
>> times it's starting to blur.  Can someone tell me what I messed up?
>>
>> From the CLI:
>>
>> -bash-4.1$ cat nap1d030.yaml 
>> ---
>> # mpintp::source: 'ntp.conf.dmz'
>> # mpisyslog::el6::source: 'mpi-custom.conf'
>> mpisshd::enabled: false
>> mpiroot::pwd: >
>> ENC[PKCS7,
>> MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEw
>> DQYJKoZIhvcNAQEBBQAEggEAANy7eyKzeNLVeNqF3h4qM5pEw38G8yWJOezA
>> SQ72MugY8FgwIWNsE2TmS3W2jBe1/zTAggd5p79RBubIdfL5DDPjjNTimzgV
>> k0qppx3EefolMSzphfvVv5JOz8ue13OvpzFV/MM5qZLhOeUFAIUY3NM9RqHN
>> PVM/woxhpnjMStlKXGakJYxLrf8ucMLh5WrW7JpN0jvjjVlVJjGsLaqygUsC
>> alJ3zQkgxtaR0SCCgvvsJ2wYCs82fVnuFf6d0g4cPPCGnT3CtNFFffQMlwTt
>> uEErGyKswxMPnKWybFNLYj+cVOhbLf946CMzCUcpWUIdHBnT3BcAi4qiryJF
>> 6O91WzA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBA5QFyFpSmqqxUlAByZ
>> qFWsgBDY6tjQ9Pbb4nRHCvkI29ve]
>>
>>
>> -bash-4.1$ eyaml decrypt -f ./nap1d030.yaml 
>> [hiera-eyaml-core] Loaded config from /opt/puppetlabs/server/data/puppetserver/.eyaml/config.yaml
>> ---
>> # mpintp::source: 'ntp.conf.dmz'
>> # mpisyslog::el6::source: 'mpi-custom.conf'
>> mpisshd::enabled: false
>> mpiroot::pwd: snipped
>>
>> The test module just does a notify:
>>
>> class mpiroot (
>>   $pwd,
>> ) {
>>
>>   notify { "Password: ${pwd}": }
>> }
>>
>>
>> And the run shows the encrypted string:
>>
>> $ sudo puppet agent -t
>> Notice: Local environment: 'production' doesn't match server specified 
>> node environment 'dkoleary', switching agent to 'dkoleary'.
>> Info: Retrieving pluginfacts
>> Info: Retrieving plugin
>> Info: Loading facts
>> Info: Caching catalog for nap1d030.multiplan.com
>> Info: Applying configuration version '1467996521'
>> Notice: Password: 
>> ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEw 
>> DQYJKoZIhvcNAQEBBQAEggEAANy7eyKzeNLVeNqF3h4qM5pEw38G8yWJOezA 
>> SQ72MugY8FgwIWNsE2TmS3W2jBe1/zTAggd5p79RBubIdfL5DDPjjNTimzgV 
>> k0qppx3EefolMSzphfvVv5JOz8ue13OvpzFV/MM5qZLhOeUFAIUY3NM9RqHN 
>> PVM/woxhpnjMStlKXGakJYxLrf8ucMLh5WrW7JpN0jvjjVlVJjGsLaqygUsC 
>> alJ3zQkgxtaR0SCCgvvsJ2wYCs82fVnuFf6d0g4cPPCGnT3CtNFFffQMlwTt 
>> uEErGyKswxMPnKWybFNLYj+cVOhbLf946CMzCUcpWUIdHBnT3BcAi4qiryJF 
>> 6O91WzA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBA5QFyFpSmqqxUlAByZ 
>> qFWsgBDY6tjQ9Pbb4nRHCvkI29ve]
>> [[snip]]
>>
>>
>> The hiera.yaml file and keys:
>>
>> ---
>> :backends:
>>   - yaml
>>   - eyaml
>> :hierarchy:
>>   - "hosts/%{facts.hostname}"
>>   - "environments/%{facts.environment}"
>>   - "host_env/%{facts.env}"
>>   - "dc/%{facts.dc}"
>>   - "os/%{facts.operatingsystemmajrelease}"
>>   - common
>> :yaml:
>>   :datadir: /etc/puppetlabs/code/hieradata
>> :eyaml:
>>   :extension: 'yaml'
>>   :datadir: /etc/puppetlabs/code/hieradata
>>   :pkcs7_private_key: /etc/puppetlabs/secure/keys/private_key.pkcs7.pem
>>   :pkcs7_public_key: /etc/puppetlabs/secure/keys/public_key.pkcs7.pem

[Puppet Users] hiera-eyaml not decrypting?

2016-07-08 Thread dkoleary
Hi;

I have hiera.eyaml installed and functional from the CLI; however, when I 
attempt to use it in a module, the encrypted string is being used rather 
than the decrypted value.

I have to be missing something mind numbingly simple; but, I've been 
through the doc at https://github.com/TomPoulton/hiera-eyaml so many times 
it's starting to blur.  Can someone tell me what I messed up?

From the CLI:

-bash-4.1$ cat nap1d030.yaml 
---
# mpintp::source: 'ntp.conf.dmz'
# mpisyslog::el6::source: 'mpi-custom.conf'
mpisshd::enabled: false
mpiroot::pwd: >
ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEw
DQYJKoZIhvcNAQEBBQAEggEAANy7eyKzeNLVeNqF3h4qM5pEw38G8yWJOezA
SQ72MugY8FgwIWNsE2TmS3W2jBe1/zTAggd5p79RBubIdfL5DDPjjNTimzgV
k0qppx3EefolMSzphfvVv5JOz8ue13OvpzFV/MM5qZLhOeUFAIUY3NM9RqHN
PVM/woxhpnjMStlKXGakJYxLrf8ucMLh5WrW7JpN0jvjjVlVJjGsLaqygUsC
alJ3zQkgxtaR0SCCgvvsJ2wYCs82fVnuFf6d0g4cPPCGnT3CtNFFffQMlwTt
uEErGyKswxMPnKWybFNLYj+cVOhbLf946CMzCUcpWUIdHBnT3BcAi4qiryJF
6O91WzA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBA5QFyFpSmqqxUlAByZ
qFWsgBDY6tjQ9Pbb4nRHCvkI29ve]


-bash-4.1$ eyaml decrypt -f ./nap1d030.yaml 
[hiera-eyaml-core] Loaded config from /opt/puppetlabs/server/data/puppetserver/.eyaml/config.yaml
---
# mpintp::source: 'ntp.conf.dmz'
# mpisyslog::el6::source: 'mpi-custom.conf'
mpisshd::enabled: false
mpiroot::pwd: snipped

The test module just does a notify:

class mpiroot (
  $pwd,
) {

  notify { "Password: ${pwd}": }
}


And the run shows the encrypted string:

$ sudo puppet agent -t
Notice: Local environment: 'production' doesn't match server specified node 
environment 'dkoleary', switching agent to 'dkoleary'.
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for nap1d030.multiplan.com
Info: Applying configuration version '1467996521'
Notice: Password: 
ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEw 
DQYJKoZIhvcNAQEBBQAEggEAANy7eyKzeNLVeNqF3h4qM5pEw38G8yWJOezA 
SQ72MugY8FgwIWNsE2TmS3W2jBe1/zTAggd5p79RBubIdfL5DDPjjNTimzgV 
k0qppx3EefolMSzphfvVv5JOz8ue13OvpzFV/MM5qZLhOeUFAIUY3NM9RqHN 
PVM/woxhpnjMStlKXGakJYxLrf8ucMLh5WrW7JpN0jvjjVlVJjGsLaqygUsC 
alJ3zQkgxtaR0SCCgvvsJ2wYCs82fVnuFf6d0g4cPPCGnT3CtNFFffQMlwTt 
uEErGyKswxMPnKWybFNLYj+cVOhbLf946CMzCUcpWUIdHBnT3BcAi4qiryJF 
6O91WzA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBA5QFyFpSmqqxUlAByZ 
qFWsgBDY6tjQ9Pbb4nRHCvkI29ve]
[[snip]]


The hiera.yaml file and keys:

---
:backends:
  - yaml
  - eyaml
:hierarchy:
  - "hosts/%{facts.hostname}"
  - "environments/%{facts.environment}"
  - "host_env/%{facts.env}"
  - "dc/%{facts.dc}"
  - "os/%{facts.operatingsystemmajrelease}"
  - common
:yaml:
  :datadir: /etc/puppetlabs/code/hieradata
:eyaml:
  :extension: 'yaml'
  :datadir: /etc/puppetlabs/code/hieradata
  :pkcs7_private_key: /etc/puppetlabs/secure/keys/private_key.pkcs7.pem
  :pkcs7_public_key: /etc/puppetlabs/secure/keys/public_key.pkcs7.pem


-bash-4.1$ ls -ld /etc/puppetlabs/secure/keys/{public,private}_key*.pem
-r. 1 puppet puppet 1675 Jul  8 11:28 /etc/puppetlabs/secure/keys/private_key.pkcs7.pem
-r. 1 puppet puppet 1050 Jul  8 11:28 /etc/puppetlabs/secure/keys/public_key.pkcs7.pem

Any hints/tips, etc gratefully accepted.

Thanks

Doug
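
Why the backend order in this thread matters, as an added Ruby example (not code from the thread or from hiera-eyaml): Hiera 3 asks backends in the listed order and the first one with an answer wins, so a `yaml` backend reading the same `.yaml` files returns the raw `ENC[...]` string before `eyaml` is consulted. The function names and sample values are constructed, and treating an unset `:datadir:` as shared by both backends is an assumption.

```ruby
require 'yaml'

# hiera-eyaml wraps ciphertext as ENC[<method>,<base64>].
ENC_VALUE = /ENC\[\w+,/

# Constructed sample: backend order and eyaml settings as posted in the question.
QUESTION_CONFIG = <<~'CONF'
  ---
  :backends:
    - yaml
    - eyaml
  :hierarchy:
    - "hosts/%{facts.hostname}"
    - common
  :yaml:
    :datadir: /etc/puppetlabs/code/hieradata
  :eyaml:
    :extension: 'yaml'
    :datadir: /etc/puppetlabs/code/hieradata
CONF

# Same file with the backend order from the reply (eyaml first).
FIXED_CONFIG = QUESTION_CONFIG.sub("  - yaml\n  - eyaml\n", "  - eyaml\n  - yaml\n")

# Constructed sample data file; the ciphertext is a placeholder, not a real secret.
SAMPLE_DATA = <<~'HIERADATA'
  ---
  mpisshd::enabled: false
  mpiroot::pwd: >
    ENC[PKCS7,Q09OU1RSVUNURUQt
    UExBQ0VIT0xERVI=]
HIERADATA

# Constructed agent output showing the symptom: ciphertext reaching the catalog.
SAMPLE_AGENT_OUTPUT = <<~'LOG'
  Info: Applying configuration version '0000000000'
  Notice: Password: ENC[PKCS7,Q09OU1RSVUNURUQt UExBQ0VIT0xERVI=]
  Notice: Applied catalog in 0.05 seconds
LOG

# Keys in one Hiera data file whose value is eyaml ciphertext.
def encrypted_keys(data_text)
  data = YAML.safe_load(data_text) || {}
  data.select { |_key, value| value.is_a?(String) && value.lstrip.start_with?('ENC[') }.keys
end

# Report every encrypted key that a lookup would return undecrypted.
def shadowing_findings(config_text, data_text)
  # Hiera 3 config keys are Ruby symbols (":backends:"), so Symbol must be permitted.
  cfg = YAML.safe_load(config_text, permitted_classes: [Symbol]) || {}
  backends = Array(cfg[:backends]).map(&:to_s)
  secrets = encrypted_keys(data_text)
  return [] if secrets.empty?

  yaml_pos = backends.index('yaml')
  eyaml_pos = backends.index('eyaml')
  if eyaml_pos.nil?
    return secrets.map { |key| "#{key}: no eyaml backend configured, value stays ciphertext" }
  end
  return [] if yaml_pos.nil? || eyaml_pos < yaml_pos

  # The yaml backend only shadows eyaml when both read the same files:
  # eyaml's extension defaults to 'eyaml', the yaml backend always reads '.yaml'.
  same_ext = (cfg.dig(:eyaml, :extension) || 'eyaml').to_s == 'yaml'
  same_dir = cfg.dig(:yaml, :datadir) == cfg.dig(:eyaml, :datadir)
  return [] unless same_ext && same_dir

  secrets.map { |key| "#{key}: yaml backend answers before eyaml on the same files, lookup returns ENC[...]" }
end

# Lines of agent output or a report that still carry eyaml ciphertext.
def leaked_ciphertext_lines(output)
  output.each_line.map(&:chomp).select { |line| line.match?(ENC_VALUE) }
end

if __FILE__ == $PROGRAM_NAME
  puts shadowing_findings(QUESTION_CONFIG, SAMPLE_DATA)
  puts "fixed order: #{shadowing_findings(FIXED_CONFIG, SAMPLE_DATA).length} findings"
  puts leaked_ciphertext_lines(SAMPLE_AGENT_OUTPUT)
end
```

Ciphertext showing up in `notify` output or reports is the cue to run the config check; once decryption works, the same `notify` prints the cleartext password, so the test resource should be removed afterwards.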




Re: [Puppet Users] encrypting hiera data?

2016-07-08 Thread dkoleary
Thanks.  I'll take a look.  I appreciate the response.

On Friday, July 8, 2016 at 9:12:04 AM UTC-5, Jeffrey Miller wrote:
>
> It's one way to go. Another way is to use GPG encryption using 
> https://github.com/StackExchange/blackbox . All depends the requirements 
> at your site.
>
> -Jeffrey
>
>
>
> On Fri, Jul 8, 2016 at 8:46 AM, Christopher Wood <christop...@pobox.com 
> > wrote:
>
>> Puppet at least plugs it in their blog.
>>
>> https://puppet.com/blog/encrypt-your-data-using-hiera-eyaml
>>
>> We've had lots of good uses for it in production.
>>
>> On Fri, Jul 08, 2016 at 06:29:31AM -0700, dkoleary wrote:
>> >Hey;
>> >I've come to the point where I need to encrypt a password in hiera 
>> data.
>> > After trying (and failing) the recipe in the puppet cookbook, I hit 
>> the
>> >google searches and very quickly came across hiera eyaml.  
>> >So, short question: is hiera.eyaml the generally accepted method of
>> >encrypting data for use in modules?
>> >Just trying to avoid going down the wrong path again...
>> >Thanks
>> >Doug O'Leary
>> >
>>
>
>



Re: [Puppet Users] Restricting ssh keys?

2016-07-08 Thread dkoleary
Hey

Thanks for the response.  Moving where sshd looks for authorized_keys is 
one of the recommendations I make in a white paper I wrote a while back 
discussing the benefits of 2FA to privileged accounts.

http://www.olearycomputers.com/ll/security/ssh/sudo_v_ssh-pka.html

I'll take a look at your module.  Thanks for the tip.

Doug O'Leary

On Friday, July 8, 2016 at 9:39:59 AM UTC-5, Thomas Bendler wrote:
>
> I've solved this by moving ssh keys to a different location outside 
> /home/user/.ssh to /etc/ssh.d/user. This gives you full control over the 
> ssh-keys without the possibility that a user more or less accidentally 
> change it to something not compliant. You can take a look at my ssh module (
> https://forge.puppet.com/thbe/ssh) which should give you an indication 
> how it's done.
>
> Regards Thomas
>
> 2016-07-05 16:22 GMT+02:00 dkoleary <dkol...@olearycomputers.com 
> >:
>
>> Hey, all;
>>
>> I have a number of application administration accounts which can be 
>> accessed via a select set of ssh keys.  I've seen several pages/recipes for 
>> using virtual users and the ssh_authorized_key resource which look like 
>> they work well for adding and deleting keys; but, not necessarily for 
>> restricting access to *only* those keys.
>>
>> More specifically, I have ~ 1200 hosts.  On all of them, I have an admin 
>> account that should have ssh keys for four administrators.  ~ 90% will have 
>> other admin accounts that will have an additional key in the file and a few 
>> outliers that will have 3-4 other keys. 
>>
>> Basically, what I'm looking for is having any keys that are not one of 
>> those automatically removed.  
>>
>> Is there a way to do that outside of using a file resource?  I'm still 
>> working my way through the ~38,000 google search results and am hoping to 
>> cut that work down a bit.
>>
>> Any hints greatly appreciated.
>>
>> Thanks
>>
>> Doug O'Leary
>>
>
>
>
> -- 
> performance, security, automation, SAP
> cimt consulting ag, Burchardstrasse 17, 20095 Hamburg
> phone: +49 (163) 6081 302, fax: +49 (40) 5 33 02-22, web: www.cimt.de
> key: FED7C867 at pgp.mit.edu
>
> Registered office: Hamburg, Hamburg District Court, HRB 74173
> Executive Board: Christoph Friedlaender, Dr.-Ing. Thorsten Kuhlmann
> Chairman of the Supervisory Board: Christian Gottsmann
>



[Puppet Users] encrypting hiera data?

2016-07-08 Thread dkoleary
Hey;

I've come to the point where I need to encrypt a password in hiera data. 
 After trying (and failing) the recipe in the puppet cookbook, I hit the 
google searches and very quickly came across hiera eyaml.  

So, short question: is hiera.eyaml the generally accepted method of 
encrypting data for use in modules?

Just trying to avoid going down the wrong path again...

Thanks

Doug O'Leary



Re: [Puppet Users] Restricting ssh keys?

2016-07-05 Thread dkoleary
Excellent!  Thank you very much; that will cut a huge amount of time off my 
research.

Thanks again.

Doug

On Tuesday, July 5, 2016 at 9:42:24 AM UTC-5, Peter Kristolaitis wrote:
>
> There is an attribute on the 'user' type called 'purge_ssh_keys'.  If you 
> set it to 'true', Puppet will remove all SSH keys from 
> ~/.ssh/authorized_keys if they are not explicitly managed by Puppet.
>
> So if you have something like:
>
> user { 'appadmin':
>   purge_ssh_keys => true,
> }
>
> ssh_authorized_key { 'appadmin_bob':
>   user => 'appadmin',
> 
> }
>
> ssh_authorized_key { 'appadmin_mary':
>   user => 'appadmin',
> 
> }
>
> Then when Puppet runs, it will ensure that Bob and Mary's keys, and ONLY 
> those keys, are in ~appadmin/.ssh/authorized_keys.
>
> - Peter
>
>
> On 2016-07-05 10:22 AM, dkoleary wrote:
>
> Hey, all; 
>
> I have a number of application administration accounts which can be 
> accessed via a select set of ssh keys.  I've seen several pages/recipes for 
> using virtual users and the ssh_authorized_key resource which look like 
> they work well for adding and deleting keys; but, not necessarily for 
> restricting access to *only* those keys.
>
> More specifically, I have ~ 1200 hosts.  On all of them, I have an admin 
> account that should have ssh keys for four administrators.  ~ 90% will have 
> other admin accounts that will have an additional key in the file and a few 
> outliers that will have 3-4 other keys. 
>
> Basically, what I'm looking for is having any keys that are not one of 
> those automatically removed.  
>
> Is there a way to do that outside of using a file resource?  I'm still 
> working my way through the ~38,000 google search results and am hoping to 
> cut that work down a bit.
>
> Any hints greatly appreciated.
>
> Thanks
>
> Doug O'Leary
>
>
>
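
Added example (not part of the original thread, and not Puppet's own purge logic): a shell check of the end state described above, that only the managed keys remain in an account's authorized_keys. It compares key blobs against an allow-list; the function names, the allow-list format and the sample keys are constructed for illustration.

```shell
#!/bin/sh
# unmanaged_keys ALLOWLIST AUTHORIZED_KEYS
#   ALLOWLIST: one base64 key blob per line (assumed format for this example).
#   Prints "<line> <keytype> <comment>" for each key whose blob is not listed.
#   Returns 0 if every key is allow-listed, 1 if any is not, 2 on bad arguments.
unmanaged_keys() {
    [ $# -eq 2 ] && [ -r "$1" ] && [ -r "$2" ] || return 2
    awk '
        function is_keytype(s) {
            return s ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/
        }
        # First file: load the allow-listed blobs.
        FILENAME == ARGV[1] { if ($1 != "") allowed[$1] = 1; next }
        # Second file: skip comments and blank lines.
        /^[ \t]*(#|$)/ { next }
        {
            line = $0
            # Collapse quoted option values (command="...", from="...") so that
            # spaces or key-like text inside them cannot be mistaken for a key.
            gsub(/"([^"\\]|\\.)*"/, "Q", line)
            n = split(line, f)
            # Options may precede the key type, so scan for it.
            for (i = 1; i < n; i++) if (is_keytype(f[i])) break
            if (i >= n) { printf "%d UNPARSEABLE -\n", FNR; bad = 1; next }
            if (!(f[i + 1] in allowed)) {
                # Only the first word of the comment is reported.
                printf "%d %s %s\n", FNR, f[i], (i + 2 <= n ? f[i + 2] : "-")
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1" "$2"
}

# Demo on constructed data: two managed keys plus one key added by hand.
audit_demo() {
    tmp=$(mktemp -d) || return 2
    # Constructed allow-list: blobs of the two managed keys (not real keys).
    printf '%s\n' 'AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEBOB' \
                  'AAAAB3NzaC1yc2EAAAADAQABEXAMPLEMARY' > "$tmp/allow"
    # Constructed authorized_keys file for the appadmin account.
    cat > "$tmp/authorized_keys" <<'EOF'
# appadmin keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEBOB appadmin_bob
from="10.0.0.0/8",command="/usr/local/bin/report ssh-rsa AAAAQUOTED" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEMARY appadmin_mary
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEEXTRA someone@laptop
EOF
    unmanaged_keys "$tmp/allow" "$tmp/authorized_keys" && rc=0 || rc=$?
    rm -rf "$tmp"
    return $rc
}

# Status 1 here only means the demo found the unmanaged key.
audit_demo || :
```

Run against a real account, a non-zero status flags a key that is not on the allow-list, which is what the purge setting discussed above is meant to prevent from persisting.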



[Puppet Users] Restricting ssh keys?

2016-07-05 Thread dkoleary
Hey, all;

I have a number of application administration accounts which can be 
accessed via a select set of ssh keys.  I've seen several pages/recipes for 
using virtual users and the ssh_authorized_key resource which look like 
they work well for adding and deleting keys; but, not necessarily for 
restricting access to *only* those keys.

More specifically, I have ~ 1200 hosts.  On all of them, I have an admin 
account that should have ssh keys for four administrators.  ~ 90% will have 
other admin accounts that will have an additional key in the file and a few 
outliers that will have 3-4 other keys. 

Basically, what I'm looking for is having any keys that are not one of 
those automatically removed.  

Is there a way to do that outside of using a file resource?  I'm still 
working my way through the ~38,000 google search results and am hoping to 
cut that work down a bit.

Any hints greatly appreciated.

Thanks

Doug O'Leary



[Puppet Users] Re: High level module & hiera design

2016-06-09 Thread dkoleary
Hey;

Never mind, I reasoned this one out on my own.  The whole point of hiera is 
to be able to override lower level configurations with ones higher up in 
the hierarchy, so while a cool idea, this definitely won't work. 

On to plan B.

Thanks

Doug

On Wednesday, June 8, 2016 at 7:32:37 PM UTC-5, dkoleary wrote:
>
> Hey;
>
> I'm planning out a module to handle syslog config in my environment.  I 
> know there are modules on puppet forge already but am interested in the 
> learning opportunity.
>
> Here's the scenario:
>
> * The syslog config files will all be the same except for forwarders.
> * We have three datacenters whose hosts forward to a DC specific collector.
> * Production systems and select others also forward to a SIEM
> * DMZ systems forward to a third collector in addition to the previous two.
>
> This seems like a template would work well here.  Don't know what that 
> would look like yet but there are plenty of examples on the net.  I'm 
> curious about hiera interaction - specifically multiple remote 
> collectors specified.
>
> Here's my hierarchy:
>
> :hierarchy:
>   - "hosts/%{facts.hostname}"
>   - "environments/%{facts.environment}"
>   - "host_env/%{facts.env}"
>   - "dc/%{facts.dc}"
>   - "os/%{facts.osfamily}"
>   - common
>
> in the appropriate dc.yaml file, I'm planning on:
>
> ---
> dolsyslog::remote: '1.2.3.4'
>
> Similar set up in hosts_env/prd.yaml
>
> ---
> dolsyslog::remote: '2.3.4.5'
>
> DMZ and specific hosts will be set up in the hosts hieradata directory.
>
> So, long build up to a relatively short question.  Can a template be made 
> to iterate across multiple remotes identified like that?  It seems like 
> it'd be too good to be true but worth the question.  If my suspicion is 
> correct, is there a better way to work this?
>
> Thanks for your time and help.
>
> Doug O'Leary
>



Re: [Puppet Users] Run Puppet Class only once

2016-06-08 Thread dkoleary
Hey;

I don't know if this matches the OP's scenario; but, I've been 
contemplating something similar during provisioning.  To provide context, 
as you can probably tell from my other posts, I'm just rolling out puppet 
server after a long absence and even then wasn't exactly an expert.

Like most places, I imagine, I support a reasonably complex environment... 
different data centers, different environments, different zones (dmz, zone 
1, etc).

Quite a bit of my modules that I'm planning on developing will be based on 
custom facts such as "$ facter auth" returns ldap, local, poss others if 
mgmt gets its way, "$ facter dc" returns the name of the datacenter.  

Short version: Those custom facts won't be available to the modules until 
the agent's been run once.  The "solution" as yet untried is similar to 
what Rob Nelson suggested ie: have a "build" class(es) that gets applied 
via the enc that does basic configs, then update the enc with the final 
config.

I'm certainly open to suggestions if there's a better way.

Thanks

Doug O'Leary

On Tuesday, June 7, 2016 at 6:59:02 AM UTC-5, LinuxDan wrote:
>
> Can you provide more detail on exactly what you want to do ?
> A generic how-to request does not work in this instance.
>
> Dan White | d_e_...@icloud.com 
> 
> “Sometimes I think the surest sign that intelligent life exists elsewhere in 
> the universe is that none of it has tried to contact us.”  (Bill Watterson: 
> Calvin & Hobbes)
>
>
> On Jun 07, 2016, at 06:13 AM, Christoph wrote:
>
> Hi there,
>
> I want to run a whole puppet class only once when provisioning a system 
> for the first time.
>
> Unfortunately I do not find a way to do this. 
>
> I know how to run commands once using onlyif or unless or creates, but 
> what about running a whole class ?
>
> Thanks
>   Christoph
>
>
>



[Puppet Users] High level module & hiera design

2016-06-08 Thread dkoleary
Hey;

I'm planning out a module to handle syslog config in my environment.  I 
know there are modules on puppet forge already but am interested in the 
learning opportunity.

Here's the scenario:

* The syslog config files will all be the same except for forwarders.
* We have three datacenters whose hosts forward to a DC specific collector.
* Production systems and select others also forward to a SIEM
* DMZ systems forward to a third collector in addition to the previous two.

This seems like a template would work well here.  Don't know what that 
would look like yet but there are plenty of examples on the net.  I'm 
curious about hiera interaction - specifically multiple remote 
collectors specified.

Here's my hierarchy:

:hierarchy:
  - "hosts/%{facts.hostname}"
  - "environments/%{facts.environment}"
  - "host_env/%{facts.env}"
  - "dc/%{facts.dc}"
  - "os/%{facts.osfamily}"
  - common

in the appropriate dc.yaml file, I'm planning on:

---
dolsyslog::remote: '1.2.3.4'

Similar set up in hosts_env/prd.yaml

---
dolsyslog::remote: '2.3.4.5'

DMZ and specific hosts will be set up in the hosts hieradata directory.

So, long build up to a relatively short question.  Can a template be made 
to iterate across multiple remotes identified like that?  It seems like 
it'd be too good to be true but worth the question.  If my suspicion is 
correct, is there a better way to work this?

Thanks for your time and help.

Doug O'Leary



Re: [Puppet Users] Multiple resource bodies?

2016-05-30 Thread dkoleary
Hey;

Thank you all for the information.  That was definitely the issue.  I'm not 
overly worried about '/' so I just took it out - primarily had it in there 
for completeness.  In nigh on 30 years of admin, I think I've had someone 
change the ownership of root maybe twice.  Those other directories - that 
tends to happen more often.  

Any rate, thanks again.  I appreciate it.

Doug O'Leary



Re: [Puppet Users] Multiple resource bodies?

2016-05-30 Thread dkoleary
Hey;

Thanks for the response.  I'm trying to work my way into iteration a bit 
slower than my fourth manifest :)  If all else fails, I'm pretty sure I can 
set up separate file resource declarations; but, this multiple resource 
bodies, in this case, seems like this is cleaner.

Thanks

Doug O'Leary



[Puppet Users] Multiple resource bodies?

2016-05-30 Thread dkoleary
Hey;

According to the puppet language resource guide 
at https://docs.puppet.com/puppet/latest/reference/lang_resources_advanced.html:

If a resource expression includes more than one resource body, the 
expression will declare multiple resources of that resource type. (A 
resource body is a title and a set of attributes; each body must be 
separated from the next one with a semicolon.)

With that, can someone take a peek and tell me what I'm messing up with 
this manifest?

file {
  default:
    ensure => 'directory',
    owner  => 'root',
    group  => 'root',
  ;

  '/':        mode => '0755' ;
  '/home':    mode => '0755' ;
  '/opt':     mode => '0755' ;
  '/usr':     mode => '0755' ;
  '/var':     mode => '0755' ;
  '/tmp':     mode => '1777' ;
  '/var/tmp': mode => '1777' ;

  '/etc/passwd':
    ensure => 'file',
    mode   => '0644',
  ;
  '/etc/group':
    ensure => 'file',
    mode   => '0644',
  ;

  '/etc/shadow':
    ensure => 'file',
    mode   => '',
  ;

  '/etc/rc.d/init.d':
    mode    => '0755',
    recurse => true,
  ;
}


I'm not seeing the error; but, when I try to apply it, I get:

$ sudo puppet apply ./file.pp
Notice: Compiled catalog for node1.olearycomputers.com in environment 
production in 0.04 seconds
Error: Parameter path failed on File[/]: File paths must be fully 
qualified, not '' at 
/ignite/dkoleary/mpi_git/puppet/modules/mpicommon/manifests/file.pp:1

Any pointers, greatly appreciated.

Doug O'Leary



Re: [Puppet Users] facter 3.2 global custom facts directory?

2016-05-28 Thread dkoleary
Hey;

Thanks; yes, that was a typo.  Responding from an ipad on a shaky 
surface... bit surprised that was the only one.

Any rate, I now have fact scripts in /etc/facter/facts.d

$ ltree /etc/facter/facts.d
drwxr-xr-x. 2 root root 4096 May 28 08:07 /etc/facter/facts.d
drwxr-xr-x. 3 root root 4096 May 28 08:06 /etc/facter
drwxr-xr-x. 122 root root 12288 May 28 08:06 /etc

A cleaned up root debug facter run shows that root is hitting all three 
directories:

sudo facter --debug env 2>&1
2016-05-28 08:11:41.053089 INFO  puppetlabs.facter - executed with command 
line: --debug env.
[[snip]]
2016-05-28 08:11:41.079647 INFO  puppetlabs.facter - requested queries: env.
2016-05-28 08:11:41.079776 DEBUG puppetlabs.facter - fact "facterversion" 
has resolved to "3.2.0".
2016-05-28 08:11:41.080092 DEBUG puppetlabs.facter - searching 
"/opt/puppetlabs/facter/facts.d" for external facts.
[[snip]]
2016-05-28 08:11:41.091406 DEBUG | - env=tst
2016-05-28 08:11:41.091561 DEBUG puppetlabs.facter - fact "env" has 
resolved to "tst".
2016-05-28 08:11:41.091700 DEBUG leatherman.execution:555 - process exited 
with status code 0.
2016-05-28 08:11:41.091785 DEBUG puppetlabs.facter - completed resolving 
facts from executable file "/opt/puppetlabs/facter/facts.d/hosts".
2016-05-28 08:11:41.091933 DEBUG puppetlabs.facter - searching 
"/etc/facter/facts.d" for external facts.
[[snip]]
2016-05-28 08:11:41.103835 DEBUG | - env=tst
2016-05-28 08:11:41.103998 DEBUG puppetlabs.facter - fact "env" has changed 
from "tst" to "tst".
2016-05-28 08:11:41.104163 DEBUG leatherman.execution:555 - process exited 
with status code 0.
2016-05-28 08:11:41.104294 DEBUG puppetlabs.facter - completed resolving 
facts from executable file "/etc/facter/facts.d/hosts".
2016-05-28 08:11:41.104428 DEBUG puppetlabs.facter - searching 
"/etc/puppetlabs/facter/facts.d" for external facts.
[[snip]]
2016-05-28 08:11:41.116165 DEBUG | - env=tst
2016-05-28 08:11:41.116332 DEBUG puppetlabs.facter - fact "env" has changed 
from "tst" to "tst".
2016-05-28 08:11:41.116493 DEBUG leatherman.execution:555 - process exited 
with status code 0.

Does emphasize the point that I should have those in one and only one of 
those directories...

Following is the same debug run (with nothing snipped) from a non-root user 
showing that it's not hitting any of those directories:

$ facter --debug env
2016-05-28 08:16:03.979516 INFO  puppetlabs.facter - executed with command 
line: --debug env.
2016-05-28 08:16:03.980478 INFO  leatherman.ruby:133 - ruby loaded from 
"/opt/puppetlabs/puppet/lib/libruby.so.2.1.0".
2016-05-28 08:16:04.006387 INFO  leatherman.ruby:182 - using ruby version 
2.1.9
2016-05-28 08:16:04.006507 INFO  puppetlabs.facter - requested queries: env.
2016-05-28 08:16:04.006616 DEBUG puppetlabs.facter - fact "facterversion" 
has resolved to "3.2.0".
2016-05-28 08:16:04.006961 DEBUG puppetlabs.facter - skipping external 
facts for "/home/doug.oleary/.puppetlabs/opt/facter/facts.d": No such file 
or directory
2016-05-28 08:16:04.007032 DEBUG puppetlabs.facter - skipping external 
facts for "/home/doug.oleary/.facter/facts.d": No such file or directory
2016-05-28 08:16:04.007065 DEBUG puppetlabs.facter - no external facts were 
found.
2016-05-28 08:16:04.007681 DEBUG puppetlabs.facter - loading all custom 
facts.
2016-05-28 08:16:04.007756 DEBUG puppetlabs.facter - fact "env" does not 
exist.

It looks like facter, run as a non-root user, is limited to personal home 
directories.  So, rephrasing the original question: is there some way to 
tell non-root facter runs to use the standard directories without having to 
add '--external-dir' every time?

Thanks for the responses.

Doug O'Leary

On Saturday, May 28, 2016 at 7:18:13 AM UTC-5, Christopher Wood wrote:
>
> Just to confirm that's a typo below? You have an "s" in facter. 
>
> /etc/facter/facts.d 
>
>
>
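
Added example (not from the thread): the debug output above shows a root facter run resolving env from several external-fact directories. This shell check lists fact names defined in more than one directory and flags fact files that are group- or world-writable, since facter executes them with the caller's privileges. Function names and the demo directory tree are constructed; only key=value output is parsed.

```shell
#!/bin/sh
# fact_dir_audit DIR...
#   Prints "WRITABLE <file>" for fact files writable by group or other, and
#   "DUPLICATE <fact>: <dir> <dir>..." for fact names found in several DIRs.
#   Returns 0 when there are no findings, 1 otherwise, 2 on setup failure.
fact_dir_audit() {
    names=$(mktemp) || return 2
    report=$(mktemp) || return 2
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            # A fact file that others can modify is a finding; it is reported
            # and deliberately not executed by this audit.
            if [ -n "$(find "$f" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
                echo "WRITABLE $f" >> "$report"
                continue
            fi
            # Executable facts are run, as facter would; *.txt facts are read.
            if [ -x "$f" ]; then
                "$f" 2>/dev/null
            else
                case $f in *.txt) cat "$f" ;; esac
            fi | awk -F= -v d="$dir" '/^[A-Za-z0-9_]+=/ { print $1 "\t" d }' >> "$names"
        done
    done
    # One line per (fact, directory) pair; report facts seen in 2+ directories.
    sort -u "$names" | awk -F'\t' '
        { n[$1]++; dirs[$1] = (n[$1] > 1) ? dirs[$1] " " $2 : $2 }
        END { for (k in n) if (n[k] > 1) print "DUPLICATE " k ": " dirs[k] }
    ' | sort >> "$report"
    cat "$report"
    [ -s "$report" ] && rc=1 || rc=0
    rm -f "$names" "$report"
    return $rc
}

# Demo on a constructed tree that mirrors the three directories in the log.
facts_demo() {
    base=$(mktemp -d) || return 2
    mkdir -p "$base/opt/puppetlabs/facter/facts.d" "$base/etc/facter/facts.d" \
             "$base/etc/puppetlabs/facter/facts.d"
    # The same constructed "hosts" fact script dropped into two directories.
    for d in opt/puppetlabs/facter etc/facter; do
        printf '#!/bin/sh\necho env=tst\necho dc=dc1\n' > "$base/$d/facts.d/hosts"
        chmod 0755 "$base/$d/facts.d/hosts"
    done
    # A constructed fact script left group-writable on purpose.
    printf '#!/bin/sh\necho auth=ldap\n' > "$base/etc/puppetlabs/facter/facts.d/auth"
    chmod 0775 "$base/etc/puppetlabs/facter/facts.d/auth"
    ( cd "$base" && fact_dir_audit opt/puppetlabs/facter/facts.d \
          etc/facter/facts.d etc/puppetlabs/facter/facts.d ) && rc=0 || rc=$?
    rm -rf "$base"
    return $rc
}

# Status 1 here only means the demo tree contains findings.
facts_demo || :
```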



Re: [Puppet Users] facter 3.2 global custom facts directory?

2016-05-27 Thread dkoleary
Thanks for the response. I'm pretty sure I tried /etc/faster/facts.d; but, I'll 
confirm that.  

Thanks again.



[Puppet Users] facter 3.2 global custom facts directory?

2016-05-27 Thread dkoleary
Hey;

I'm drafting some custom facts that I would like to have available to 
everyone even outside of puppet.  The facts themselves work just fine for 
root and will work for normal users if I specify the --external-dir option:

$ sudo facter env 
tst
$ facter --external-dir=/opt/puppetlabs/facter/facts.d env
tst

Without that, facter run as a normal user doesn't find the script. Is there 
a config file somewhere that I can specify, globally, that custom facts are 
in /opt/puppetlabs/facter/facts.d or a default global directory (facter 
--debug doesn't seem to show one...)? Alternatively, I could set an alias 
in /etc/profile so everyone gets it but that seems like a bit of a kludge.

Any info is appreciated.

Thanks

Doug O'Leary



[Puppet Users] Re: puppet server 4: hiera set up?

2016-05-24 Thread dkoleary
I haven't yet in this particular run; however, in my puppet ver 2 days, I 
created custom facts on the client nodes.  I find it hard to believe that was 
taken out of mix.  A search of puppet docs has this url.  
https://docs.puppet.com/facter/3.1/custom_facts.html

I'll probably be trying that one tonight or tomorrow depending on my ability to 
troubleshoot what should be a laughably simple class.  De-rustifying my PDL 
ability is a pain.

If anyone's interested, there are a couple of reasons why  I'm having 
${::environment} different from $facts['env'].  First, when designing their 
sdlc process, my company went nuts with different environments - way more than 
just the standard dev, qa, uat, prd and those environments won't match the 
puppet environments at least while we're rolling it out.  Second, I'd like to 
be able to get the env from the box when I'm on it.  Our naming convention 
isn't universal so getting that information is sometimes hit or miss "$ facter 
env" will be a lot easier than a MySQL query.

So, short answer and a longer story.  Thanks

Doug



Re: [Puppet Users] puppet server 4: hiera set up?

2016-05-20 Thread dkoleary
Unbelievable.  I'm a dumb-a##.  That was it.  Thank you very much.

# mv pm pm.yaml
# puppet lookup puppet::status
--- running
...


On Friday, May 20, 2016 at 2:42:40 PM UTC-5, R.I. Pienaar wrote:
>
>
>
> my guess is this should be pm.yaml 
>



[Puppet Users] puppet server 4: hiera set up?

2016-05-20 Thread dkoleary
Hey;

Before dumping a bunch of data into hiera data files, I wanted to run a 
quick check to verify functionality.  This seems to be set up so I'm 
suspecting my test isn't valid.  Could someone take a peek and confirm for 
me?

This is the set up:

# h
pm

# puppet config print hiera_config
/etc/puppetlabs/puppet/hiera.yaml

# cat /etc/puppetlabs/puppet/hiera.yaml
---
:backends:
  - yaml
:hierarchy:
  - "hosts/%{facts.hostname}"
  - "environments/%{facts.environment}"
  - "host_env/%{facts.env}"
  - "os/%{facts.osfamily}"
  - common
:yaml:
  :datadir: /etc/puppetlabs/code/hieradata

# facter hostname
pm

# cat /etc/puppetlabs/code/hieradata/hosts/pm
---
puppet::status: 'running'

but the tests aren't showing anything:

# hiera puppet::status
nil
# puppet lookup puppet::status

The hiera call makes sense because it doesn't have access to host fact, as 
I understand it.  The puppet lookup command should have worked, though, 
right?

Any hints/tips/suggestions greatly appreciated.

Doug O'Leary



[Puppet Users] Re: puppet 4 environments git feedback?

2016-05-20 Thread dkoleary
Thanks, all, for the information.  I appreciate it.  

Doug O'Leary



[Puppet Users] puppet 4 environments git feedback?

2016-05-18 Thread dkoleary
Hey;

To put this in perspective, I'm a sysadmin, not a developer.  While I've 
used git for a couple of years, until today, I could easily count the 
number of times I issued a 'git branch' command.

I'm practicing setting up a new puppet 4 server and, after some research, 
I've got various environments under git management and have successfully 
'promoted code' from test through production.  It's a wee bit tedious but 
I'm sure I could get used to it.

What I'm hoping is to have someone more familiar with the process verify I'm 
doing it somewhat close to right and/or make suggestions on any 
improvements.  I have heard of r10k; however, I'm one of those that has to 
know what's going on under the covers.  Up until now, r10k has been one of 
those 'developer' things.  Once I run through this a few times, *then* I'll 
start playing with r10k.

So, bit of a build up.  Here's what I have:

one git repo covering all puppet environments thusly:

# git branch -r
  origin/HEAD -> origin/master
  origin/dev
  origin/master
  origin/prod
  origin/qa
  origin/test
  origin/uat

On a different system, one pulls the test system, develops code, commits, 
pushes, etc.  In the test environment, the admin pulls the updated work and 
tests

# pwd
/etc/puppetlabs/code/environments/test
# git branch
* test

once the tests are complete, a responsible admin accesses the dev 
environment and executes:

git checkout test 
git pull # if necessary
git checkout dev
git merge test

Process iterates through the environments to prod.  

# git log --oneline
e298de7 prod.rst: mved from uat
07f3ab1 uat: merged from qa
a20a85c qa: mved from dev
2f644f2 dev: renamed from test
c8c067b test: added
a432124 puppet production environment initial check in

Thanks for any hints/tips/suggestion.  

Doug O'Leary



[Puppet Users] Re: puppetserver (ver 4) initial set up

2016-05-18 Thread dkoleary
Hey;

Never mind, I got it.   Based on advice from a knowledgeable source, I 
changed the 'volatile' file directory in the puppetserver configs.  I had 
to have the [agent] stanza pointing to the same location.  Once done, 
'puppet agent -t' works as expected.

Amazing how many times the answer comes to me after I post a question about 
it.

Hope this helps someone else.

Doug



[Puppet Users] puppetserver (ver 4) initial set up

2016-05-18 Thread dkoleary
Hey;

I'm trying to figure out puppet ver 4 after a long absence from puppet - in 
fact, I missed pretty much all of ver 3.  

The recommendation everywhere is basically don't use the same name for the 
puppet server as the node on which it's running.  Short way of saying that 
from one book is: The server is not the node.

So, I have puppet resolving in DNS as a cname for the node on which my 
puppetserver will be running:

# host puppet 
puppet.olearycomputers.com is an alias for pm.olearycomputers.com.
pm.olearycomputers.com has address 192.168.122.2

The initial run of the puppet server generates the host key and what not:

# puppet cert list --all
+ "pm.olearycomputers.com" (SHA256) 
3E:48:31:69:42:D9:F1:9D:85:E2:CF:D2:A9:95:6C:54:24:9A:DF:CF:44:07:F1:E8:AB:7F:5C:79:78:51:CE:93
 
(alt names: "DNS:puppet", "DNS:pm.olearycomputers.com")

The CA is pointing to pm from what I see:

# puppet ca list --all  
+ pm.olearycomputers.com  (SHA256) 
3E:48:31:69:42:D9:F1:9D:85:E2:CF:D2:A9:95:6C:54:24:9A:DF:CF:44:07:F1:E8:AB:7F:5C:79:78:51:CE:93

Yet, when I try to run the puppet agent on the puppet server, I'm getting 
the certificate error:

# puppet agent -t
Error: Could not request certificate: The certificate retrieved from the 
master does not match the agent's private key.
Certificate fingerprint: 
2B:DD:26:A3:DE:E4:52:A4:51:91:55:25:17:90:08:6E:A5:62:31:0F:59:A2:D7:DC:B3:A9:84:53:E5:19:EB:61
[[snip]]

I'm betting I missed something very basic; but, if someone could point it 
out to me, I'd appreciate it.

BTW, I have had success configuring the server *as* pm; however, that 
breaks the rule 'the server is not the node'.

Thanks

Doug O'Leary




[Puppet Users] Re: file resource calling a 'define'd exec syntax?

2013-11-19 Thread dkoleary
Hey, all;

Thanks for the responses.  I appreciate it.  I was unaware that the file 
resource handles selinux.  I seem to remember one of my searches saying 
puppet didn't support selinux.  Maybe an old version of puppet or a 
misread, either way, I'll take that route.

I know my attempt at executing the chcon command was wrong - that was the 
last attempt of probably 10 or more that didn't work and was more out of 
sheer frustration.  I was basing my original feeble attempts on a 
compilation of the recipes in the puppet cookbook.  

Unfortunately, I haven't had time to get back to this since I posted the 
original question.  I'm hoping to get back to it tonight during which I can 
reexamine the recipes I was looking at and maybe post a more coherent 
question.  While the file type supports selinux, the functionality I'm 
looking for would be good to know.

Thanks again for your help and responses.

Doug O'Leary



[Puppet Users] file resource calling a 'define'd exec syntax?

2013-11-17 Thread dkoleary
Hi;

This one should be easy; but, so far, it's eluding me.

I would like to configure ssh to use a different directory for authorized 
keys files.  I have the file resource, which works on its own.  I want 
the file resource to call the exec to set the selinux type on the directory 
when needed.  Here's what I have:

class ssh::config
{
    define sshdir_selinux() {
        exec { "/usr/bin/chcon -R -t ssh_home_t $ssh::params::ssh_authkey_dir": }
    }
    # exec { 'sshdir_selinux':
    #     command => "chcon -R -t ssh_home_t $ssh::params::ssh_authkey_dir",
    #     path    => '/usr/bin',
    #     require => File[$ssh::params::ssh_authkey_dir],
    # }
    file { $ssh::params::ssh_authkey_dir:
        ensure => directory,
        owner  => root,
        group  => root,
        mode   => '0755',
    }
    file { $ssh::params::ssh_rootkeys:
        ensure => present,
        owner  => root,
        group  => sys,
        mode   => '0750',
        source => 'puppet:///modules/ssh/authorized_keys.root',
        sshdir_selinux { },
    }
}

My searches 
(particularly: https://support.mayfirst.org/wiki/how-to/puppet/layout#defines) 
seem to indicate this is the right syntax; but I keep getting:

# ptest 
Error: Syntax error at '{'; expected '}' at 
/root/modules/ssh/manifests/config.pp:62 on node puppet.olearycomputers.com
Error: Syntax error at '{'; expected '}' at 
/root/modules/ssh/manifests/config.pp:62 on node puppet.olearycomputers.com

when I run it.

I have made the process work by using the straight exec that's commented in 
the code above; but, that'll call chcon every time that puppet's run (as I 
understand it).  I would rather have it called only when a key file is 
added.

Appreciate any hints/tips/suggestions.

Doug O'Leary
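
The route the follow-up reply in this thread settles on (letting the file resource manage the SELinux type), next to a notify-driven exec that runs only when the key file changes. This is an added example, not code from the original posts; the resource titles and the `ssh_home_t` type reuse names from the post, and showing both options in one class is an assumption made for illustration.

```puppet
# Added example. Assumes ssh::params is already declared and defines
# $ssh_authkey_dir and $ssh_rootkeys, as in the post above.
class ssh::config {

  # Option 1: the file type sets the SELinux type itself, so no chcon
  # exec is needed for anything Puppet manages directly.
  file { $ssh::params::ssh_authkey_dir:
    ensure  => directory,
    owner   => 'root',
    group   => 'root',
    mode    => '0755',
    seltype => 'ssh_home_t',
  }

  file { $ssh::params::ssh_rootkeys:
    ensure  => present,
    owner   => 'root',
    group   => 'sys',
    mode    => '0750',
    seltype => 'ssh_home_t',
    source  => 'puppet:///modules/ssh/authorized_keys.root',
    require => File[$ssh::params::ssh_authkey_dir],
    # Sends a refresh event only when this file is created or changed.
    notify  => Exec['sshdir_selinux'],
  }

  # Option 2: a relabel that covers files Puppet does not manage.
  # refreshonly keeps it from running on every agent run; it fires
  # only when a resource that notifies it has changed.
  exec { 'sshdir_selinux':
    command     => "chcon -R -t ssh_home_t ${ssh::params::ssh_authkey_dir}",
    path        => '/usr/bin',
    refreshonly => true,
  }
}
```

A resource declaration cannot appear inside another resource's attribute list, which is where the parser stops in the posted manifest; relationships between resources are expressed with `notify`, `subscribe`, `require` and `before` instead.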



[Puppet Users] git puppet, modules manifests (oh-my)

2013-10-30 Thread dkoleary
Hey;

I am a recent convert to puppet and git and have become a huge fan so the 
concept of keeping modules under git/vcs control is well and truly 
accepted.  I'm not clear on how to keep the /etc/puppet/manifests in sync 
with the modules, however.

Case in point:  I have two puppet instances running, one, prod, 
running/maintaining a set of physical linux systems and one, dev, running 
on a set of KVMs on which I'm doing most of my testing.

I use the master branch of the dev instance as the place to test out 
changes to the things that I eventually want in prod.  Put another way, the 
prod instance pulls changes from the dev master branch.  So far, pretty 
standard.

The dev instance also has a testing branch in which I can go hog wild. 
 Doing this, though, I occasionally have to update the 
/etc/puppet/manifests/nodes.pp file to include additional testing modules. 
 When I switch back to the master branch on dev, I have to re update that 
file manually.  It seems there should be a better way to keep these in sync.

I pondered putting the entire /etc/puppet directory under one repo; but 
that would make migrating changes to my prod instance an ugly process. 
 Host names changed, puppet.conf file's different, etc, etc.  

The only thing I've thought of is creating a softlink from 
/etc/puppet/manifests/nodes.pp -> /etc/puppet/modules/nodes.pp.  I'm sure 
that'll work as the nodes would get switched to whatever git branch is 
current; but, I wanted to find out if there's a better, cleaner, more 
standard method.

Any hints/tips/suggestions greatly appreciated.

Thanks.

Doug O'Leary



Re: [Puppet Users] git puppet, modules manifests (oh-my)

2013-10-30 Thread dkoleary
Hey;

Thanks for the reply.  Yes; having it under git control would be optimal. 
 I tried having a separate repo for /etc/puppet/manifests (and still have 
it); however, when I switch between testing and master, I still have to 
remember to switch on the manifests repo.  I'm a UNIX admin.  We're lazy by 
nature.  

I tried the soft link that I mentioned above and it seems to work.  Pending 
any other responses, I'll keep going with that:

# pwd
/etc/puppet/modules
# git branch
* master
  testing
# grep pm /etc/puppet/manifests/nodes.pp
node 'pm.olearycomputers.com' { include base }

and switching:

# git checkout testing
Switched to branch 'testing'
# git branch
  master
* testing
# grep pm /etc/puppet/manifests/nodes.pp
node 'pm.olearycomputers.com' { include base,testing }

The only (minor) issue is that I'll have an extra nodes.pp file in my 
production instance but since the soft link won't exist in prod, it won't 
matter.

Thanks again for the response.  I appreciate it.

Doug O'Leary



[Puppet Users] apache/passenger not sending out updated files?

2013-10-11 Thread dkoleary
Hey;

I'm running a couple of very small puppet ver 3.3 instances primarily for 
learning.  Seems I have a way to go.  I updated a file that's supposed to 
be distributed in the modules then ran the puppet agent manually.  It 
didn't get sent to the remote host until I stopped httpd and started the 
master from the command line:

puppet master --verbose --no-daemonize

Once that's done, a puppet agent --verbose --onetime --server=${srv} 
works fine.  Missing files get restored, updated files get distributed. 

There are no error messages in the syslog, httpd error log or http access 
log.   service httpd configtest comes back clean.  I copied the info from 
the passenger.conf file from the pro puppet book (nice book, btw).  

Obviously the modules are right or they wouldn't get distributed when 
operating under webrick.  

The passenger.conf file is included below.  I appreciate any 
hints/tips/suggestions that anyone could provide.

Doug O'Leary

# cat passenger.conf 
LoadModule passenger_module modules/mod_passenger.so
<IfModule mod_passenger.c>
    PassengerRoot /usr/share/rubygems/gems/passenger-3.0.21
    PassengerRuby /usr/bin/ruby
    PassengerHighPerformance on
    PassengerUseGlobalQueue on
    PassengerMaxPoolSize 6
    PassengerMaxRequests 4000
    PassengerPoolIdleTime 1800
</IfModule>

### Puppet config

Listen 8140
<VirtualHost *:8140>
    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    SSLCertificateFile /var/lib/puppet/ssl/certs/pm.olearycomputers.com.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/pm.olearycomputers.com.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    ## Disable following if Apache complains about CRL
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    ### Optional to allow CSR request; required if certs get distributed
    ### to clients during provisioning
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars
    ### Client headers record authentication info for downstream workers
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    RackAutoDetect On
    DocumentRoot /etc/puppet/rack/puppetmaster/public/
    <Directory /etc/puppet/rack/puppetmaster/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>



[Puppet Users] Re: Puppet vs Oracle Enterprise Manager (cm pack)?

2013-09-30 Thread dkoleary
Hey;

> We use both as they solve different problems.

Thank you very much for responding!  All of the searching I've been doing 
has slowly led me to that same conclusion, but I don't have any solid 
facts or sites to back it up.  

My client also has a lot of oracle stuff.  I'm sure they could start using 
rhel w/o issue, but it's almost exclusively OEL at this point.  They say 
they have the license for OEM 12c; but, so far, I've not been able to 
confirm the license for the CM pack - which, if I'm reading it right, is 
*not* cheap and does not come with the base OEM.

I've read about the mcollective but haven't had a chance to try it yet. 
 Good to know that there's a performance issue running both of puppet and 
OEM simultaneously.

As for the environment: as I mentioned, it's mostly OEL but they do have a 
smattering of rhel ver 4 and 5.  Most of the systems are now vmware guests; 
but, there are a few physicals - mostly the rhel4 systems, still running.  

> What are you trying to solve?

That, right there, is my core problem.  I haven't yet been able to hammer 
that down; but, I believe that the other admin (the one pushing for OEM) 
and I are trying to solve different problems.  She's looking for something 
that'll automate patching + some other nebulous things on which I haven't 
gotten a clear answer.  I'm looking for a tool through which I can nail 
down system configurations - ensuring that they're kept consistent across 
all environments - and help automate configuration change distributions. 
 I'm a UNIX admin but also a security guy at heart (CISSP/CISA).

So, short version: I need to figure out what my client's trying to solve 
(not as easy an investigation as one would hope) and, from there, I can 
figure out whether or not OEM will be sufficient.

At your convenience, any chance you could expand on the concept that they 
solve different problems?

Thanks again, very much, for your response.  It's nice getting at least a 
partial confirmation that what I was suspecting is accurate.

Doug OLeary



[Puppet Users] Puppet vs Oracle Enterprise Manager (cm pack)?

2013-09-29 Thread dkoleary
Hey;

I'm still very new to puppet having *just* finished the pro puppet book. 
 Going to have to go back to that a few times for re-reading, I suspect. 
 Any rate, I have a client who's leaning very heavily towards OEM w/the 
configuration management pack.  Despite some fairly exhaustive google 
sessions, I haven't been able to find a direct comparison between these 
two.  I have found a couple of troubling points (like cost); but, nothing 
saying how well these two CM apps compare/contrast with each other.  Does 
anyone here have any experience w/OEM and how it compares against puppet?

Any info, stories, tips, or links would be greatly appreciated.

Thanks.

Doug O'Leary
