[Puppet Users] Re: file_line assistance
On Tuesday, July 30, 2013 10:24:41 PM UTC+1, Tom Hanstra wrote:
> I'm running puppet 3.2.3 with the current (4.1.0) stdlib set from
> puppetlabs.
>
> I'm attempting to use file_line to add a line to a file. I've dumbed this
> down to basically the test script:
>
> class hs_puptest1 {
>   file { '/tmp/testfile':
>     ensure => present
>   }->
>   file_line { 'test_line':
>     line => 'Some data',
>     path => '/tmp/testfile',
>   }
> }

Add ensure => present to the file_line resource as well.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.
[Puppet Users] Re: "Looping" around a custom fact list
On Thursday, July 11, 2013 11:21:12 PM UTC+1, jcbollinger wrote:
> On Thursday, July 11, 2013 8:41:03 AM UTC-5, I wrote:
>> $kernel_fact_stem = 'installed_kernel'
>> $kernel_list = inline_template("<%=
>> (0...@installed_kernel_count.to_i).collect{|n| @kernel_fact_stem +
>> n.to_s}.join(',') %>")
>
> Sorry, I think I've buggered that up a bit. It should be more like this:
>
> $kernel_list = inline_template("<%=
> (0...@installed_kernel_count.to_i).collect{|n| eval('@' + @kernel_fact_stem
> + n.to_s)}.join(',') %>")
>
> The idea is that you construct the name of the desired Puppet variable via
> Ruby code, then retrieve the associated value (the original version would
> have returned the variable names instead of their values). You could also
> use a similar approach based on scope.lookupvar() if you dislike eval().

Thanks, that works. Now to get them into an array so I can spin them through a define.

Appreciate the help
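The scope.lookupvar() alternative mentioned in the reply above, next to the eval() form, as an added Ruby example that is not part of the original posts. FakeTemplateContext is a hypothetical stand-in for the context a Puppet template is rendered in, so the block runs without Puppet; the fact values are constructed from the kernel versions quoted in this thread.

```ruby
require 'erb'

# Hypothetical stand-in for a Puppet template context: variables are visible
# as @instance variables (as the thread's template uses them) and through
# scope.lookupvar(name). Returning nil for unknown names is this stand-in's
# choice, not a statement about Puppet's own behaviour.
class FakeTemplateContext
  Scope = Struct.new(:vars) do
    def lookupvar(name)
      vars[name]
    end
  end

  attr_reader :scope

  def initialize(vars)
    @scope = Scope.new(vars)
    vars.each { |name, value| instance_variable_set("@#{name}", value) }
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

# Constructed sample facts.
SAMPLE_FACTS = {
  'installed_kernel_count' => '3',
  'installed_kernel0'      => '2.6.18-274.3.1.el5',
  'installed_kernel1'      => '2.6.18-308.16.1.el5',
  'installed_kernel2'      => '2.6.18-194.11.4.el5'
}.freeze

# The expression from the thread: the variable name is built as a string and
# handed to eval, so whatever the stem contains is executed as Ruby.
EVAL_TEMPLATE = %q[<%= (0...@installed_kernel_count.to_i).collect{|n| eval('@' + @kernel_fact_stem + n.to_s)}.join(',') %>]

# Same loop with the constructed name used only as a lookup key.
LOOKUP_TEMPLATE = %q[<%= (0...scope.lookupvar('installed_kernel_count').to_i).collect{|n| scope.lookupvar(scope.lookupvar('kernel_fact_stem') + n.to_s)}.join(',') %>]

# Render a template with the given stem and split the result into an array,
# which is the form needed to declare one resource per kernel.
def kernel_list(template, stem)
  vars = SAMPLE_FACTS.merge('kernel_fact_stem' => stem)
  FakeTemplateContext.new(vars).render(template).split(',')
end

if __FILE__ == $0
  puts kernel_list(LOOKUP_TEMPLATE, 'installed_kernel').inspect
  # A stem that is not a plain name (constructed): eval runs it as code,
  # the lookup form simply finds no such variable.
  odd_stem = 'installed_kernel0.reverse # '
  puts kernel_list(EVAL_TEMPLATE, odd_stem).inspect
  puts kernel_list(LOOKUP_TEMPLATE, odd_stem).inspect
end
```

With a well-formed stem both templates give the same list; they differ only when the stem is not a plain variable name.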
[Puppet Users] Re: "Looping" around a custom fact list
On Thursday, July 11, 2013 10:17:47 AM UTC+1, Paul Tötterman wrote:
>> What I want Puppet to do is to "loop" through this list of potential
>> kernels and install a specific driver package for all possibilities.
>> Is this even possible without a custom provider ?
>
> I doubt it, unless you also export a installed_kernel_count => 3 fact.

Thanks, as luck would have it we do as part of the custom fact

installed_kernel_count => 3
[Puppet Users] "Looping" around a custom fact list
Hello,

We have a custom fact to show all kernels installed which appends a count, i.e.

installed_kernel0 => 2.6.18-274.3.1.el5
installed_kernel1 => 2.6.18-308.16.1.el5
installed_kernel2 => 2.6.18-194.11.4.el5

What I want Puppet to do is to "loop" through this list of potential kernels and install a specific driver package for all possibilities, i.e. mykod-${installed_kernelX}

Is this even possible without a custom provider ?

Thanks
Paul
[Puppet Users] facts_terminus
Hello,

Is it possible to use this on a master in more than one way on a system that just accepts the "puppet facts upload" and is not a real puppet master server.

I have a case where I would like to keep the facter information in couchdb, and also in Foreman which can be imported from the YAML files but you cannot set the terminus to couch, facter to add to both the CouchDB, and to /var/lib/puppet/yaml/facts (or wherever).

Appreciate it's an edge case but is this even possible. Being sensible is another question.

Thanks
Paul
[Puppet Users] Separate reporting server for estate subset
Hello,

Out of a large-ish estate of systems I want only some of those systems to send reports elsewhere to be processed by Foreman/Dashboard etc. Whilst the others carry on sending their reports to the "general" puppet master.

Is this possible from the client side using "reportserver =" option and is it possible for Foreman / Dashboard to only process these reports and possibly inventory information as well ?

Thanks
Paul
[Puppet Users] Facter Strings to integer.
Hello,

If I want to do something like this:-

if $::lsbdistrelease >= 6.3 {
  SOMETHING
}

Do I have to convert lsbdistrelease from a string to a number with an inline template or some such ?

Thanks
Paul
[Puppet Users] Re: multiple parameter values in puppet dashboard ENC
On Friday, March 8, 2013 10:16:37 AM UTC, vioilly wrote:
> Is there a way to send multiple parameter values using puppet
> dashboard ENC?
>
> For example,
>
> nameserver = 10.0.0.1, 10.0.0.2
>
> or perhaps
>
> nameserver = ['10.0.0.1','10.0.0.2'}
>
> then the template erb file can loop through each of the nameserver values
> to set up multiple nameservers in resolve.conf?

Don't use the dashboard as an ENC (use extlookup/hiera) but the ERB looks something like this. With a split on whitespace:-

#
# The below is generated by Puppet template from <%= @module_name %> module:
domain <%= scope.lookupvar('resolver::params::domainname') %>
search <%= scope.lookupvar('resolver::params::searchpath') %>
<% scope.lookupvar('resolver::params::resolvers').split(/\s+/).each do | ns | -%>
nameserver <%= ns %>
<% end -%>

So however you get your key/value pairs should be fine.
[Puppet Users] Re: Discover SO of my nodes
http://docs.puppetlabs.com/dashboard/inventory_support.html

Might help

On Tuesday, 5 March 2013 15:06:03 UTC, Tiago Cruz wrote:
> Hello all!
>
> Using puppet 2.7.9 and Dashboard, I can see the hostname of my nodes.
>
> With some selects against MySQL, I can also discover their IP address.
>
> But is there any way to discover more details, like which OS is running on
> that node?
>
> Thanks a lot!!
>
> Tiago C.
[Puppet Users] Re: Solaris Certificate Problems
On Wednesday, February 27, 2013 8:09:11 AM UTC, olli...@googlemail.com wrote:

Figured it out in the end.

Puppet CA server had ca_ttl=25y in it. Solaris is still packing a 32bit OpenSSL. Which took it over 2038.

Set down a few years and it's fine now.

Thanks Solaris
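The cause found above (a ca_ttl long enough to push a certificate's notAfter past what a 32-bit time value can hold), as an added Ruby check that is not part of the original post. The unit table for ca_ttl-style values (a year counted as 365 days) is an assumption, and the subject name and the throwaway certificates are constructed test data; the issue time is the `date` output quoted in this thread.

```ruby
require 'openssl'

# Largest value a signed 32-bit time_t can hold: 2038-01-19 03:14:07 UTC.
MAX_TIME_T_32 = 2**31 - 1

# Assumed units for ca_ttl-style values such as "25y" or "1825d"
# (a bare number is taken as seconds, a year as 365 days).
TTL_UNITS = { 's' => 1, 'm' => 60, 'h' => 3600, 'd' => 86_400,
              'y' => 365 * 86_400 }.freeze

def ttl_seconds(ttl)
  m = /\A(\d+)([smhdy])?\z/.match(ttl.to_s.strip)
  raise ArgumentError, "bad ttl: #{ttl.inspect}" unless m
  m[1].to_i * TTL_UNITS.fetch(m[2] || 's')
end

def fits_32bit_time?(time)
  time.to_i <= MAX_TIME_T_32
end

# Longest whole-year ttl that keeps notAfter representable in 32 bits for a
# certificate issued at `now`.
def max_safe_years(now)
  (MAX_TIME_T_32 - now.to_i) / TTL_UNITS['y']
end

# Build a throwaway self-signed certificate valid for `ttl` from `issued_at`
# (constructed test data standing in for a signed agent certificate).
def sample_cert_pem(issued_at, ttl)
  key = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse('/CN=example-agent.invalid')
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = name
  cert.issuer = name
  cert.public_key = key.public_key
  cert.not_before = issued_at
  cert.not_after = issued_at + ttl_seconds(ttl)
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Report whether a PEM certificate's notAfter is usable by a 32-bit client.
def audit_pem(pem)
  cert = OpenSSL::X509::Certificate.new(pem)
  { subject: cert.subject.to_s,
    not_after: cert.not_after.utc,
    ok_32bit: fits_32bit_time?(cert.not_after) }
end

if __FILE__ == $0
  issued = Time.utc(2013, 2, 27, 8, 4, 36)
  %w[25y 5y].each do |ttl|
    r = audit_pem(sample_cert_pem(issued, ttl))
    puts format('ttl=%-4s notAfter=%s 32-bit ok=%s', ttl, r[:not_after], r[:ok_32bit])
  end
  puts "longest safe whole-year ttl from #{issued}: #{max_safe_years(issued)}y"
end
```

Pointing audit_pem at the PEM files a CA has already signed shows which issued certificates carry a notAfter beyond the 32-bit limit.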
[Puppet Users] Solaris Certificate Problems
Hello,

Have a fully working setup with mostly Linux clients running on a 2.7.x master all is good.

Trying to join Solaris clients to this master yields:-

info: Creating a new SSL key for
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for
info: Certificate Request fingerprint (md5): 7D:9C:6E:49:BB:19:06:F8:4C:4D:78:1D:C1:EF:0F:84
warning: peer certificate won't be verified in this SSL session
debug: Using cached certificate for ca
warning: peer certificate won't be verified in this SSL session
err: Could not request certificate: time out of range

NTP is running fine on both machines and the time is in sync.

# date
Wed Feb 27 08:04:36 GMT 2013

This is on the client which is the same as all the rest of the Linux clients.

# openssl x509 -text -in /etc/puppet/ssl/certs/ca.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Puppet CA:
        Validity
            Not Before: Dec 28 11:11:33 2011 GMT
            Not After : Dec 27 11:11:33 2016 GMT
        Subject: CN=Puppet CA:

These are using the OpenCSW Solaris packages. I cannot work out why this is happening.

master logs show:-

Could not find certificate for ''
Could not find certificate_request for ''
has a waiting certificate request
Signed certificate request for
Removing file Puppet::SSL::CertificateRequest at '/etc/puppet/ssl/ca/requests/.pem'

I am really stumped now. Any ideas what it could be, anything else to check ?

Thanks
Paul
[Puppet Users] puppetdb catalog duplication
Hello,

Just kicking the tyres with PuppetDB (1.1.0) on a test setup with 100-odd nodes running only once an hour by default.

Looking at the dashboard the catalog duplication is showing 0.0% which seems a little odd to me. Any way to track down why this is and how to correct it as presumably this is not desired behaviour.

Cheers
Paul
[Puppet Users] Re: Puppet LVM create volume maximum size
On Tuesday, January 8, 2013 9:21:54 AM UTC, olli...@googlemail.com wrote:
> Hello,
>
> Using the LVM module/providers from the forge I want to create a logical
> volume at the maximum size and I cannot work out how to do this.
>
> physical_volume -> volume_group -> logical_volume -> filesystem -> mount
>
> All works fine but you have to hard code the size for the logical volume.

Never mind sorted it with the help of http://projects.puppetlabs.com/issues/14718

Cheers
Paul
[Puppet Users] Puppet LVM create volume maximum size
Hello,

Using the LVM module/providers from the forge I want to create a logical volume at the maximum size and I cannot work out how to do this.

physical_volume -> volume_group -> logical_volume -> filesystem -> mount

All works fine but you have to hard code the size for the logical volume.

Anyone know if this is possible ?

Thanks
Paul
[Puppet Users] Catalog into something "human readable"
Hello,

Is there any way to parse a catalog generated with something like:-

puppet master --compile > .cat

That looks vaguely human readable. I have tried the "puppet catalog print" face but cannot seem to get it to parse for some reason

# puppet catalog print --catalog /var/tmp/.cat
err: undefined method `preferred_run_mode=' for #
err: Try 'puppet help catalog print' for usage

This is on a 2.7.16 master BTW

Or indeed anything in the PuppetDB that can pull this and parse it ?

Thanks
[Puppet Users] Overriding default providers
Hello,

I have a need to extend a default provider. Now whilst I can/will raise a request to add the required functionality to the blastwave.rb provider in the short-term what would be the best way to use my extended version.

I can add the updated provider to my global module which drops my custom versions in and pluginsync pulls that into $libdir fine. But what is the lookup path list. Will Puppet go to $rubysitedir/... before $libdir or will my synced version get used first consistently ?

Thanks
Paul
[Puppet Users] PuppetDB - HA
Hello,

So in my company I have put in this fully load-balanced (behind F5) solution with multiple PM's/CA's/ENC and a single entry client entry point no matter where the servers are located globally - puppet. and the F5 will point you as local as possible and the rest do their thing.

Now say we want to introduce PuppetDB into this scenario. Does anyone have any recommendations on how this can be done ?

Appreciate it.
Paul
Re: [Puppet Users] Multiple package install.
On Friday, August 31, 2012 9:41:28 AM UTC+1, David Schmitt wrote:
> D'oh. here're quotes too! Missed them on the first round.
>
> D.

Of course there is. Fixed it thanks. Coffee needed for me I think.

Cheers
Paul
Re: [Puppet Users] Multiple package install.
On Friday, August 31, 2012 9:00:34 AM UTC+1, David Schmitt wrote:
> On 2012-08-31 09:46, olli...@googlemail.com wrote:
> > Hello,
> > For the life of me I cannot get this to work. It's seemingly doable with
> > a single class but outside
> > params.pp:
> > class vmware::params {
> > case $::lsbmajdistrelease {
> > '4': {
> > $packagelist = "[ 'vmware-tools-esx-kmods-smp',
> > 'vmware-tools-esx-kmods-up' ]"
> > }
> > default: {
> > $packagelist = 'vmware-tools-esx-kmods'
> > }
> > }
> > }
> > install.pp
> > package { "$vmware::params::packagelist":
>
> Don't quote here. That converts the contents into a string.
>
> D.

Thanks David,

No matter what I try though it always seems to be passed through as a string rather than the array.
[Puppet Users] Multiple package install.
Hello,

For the life of me I cannot get this to work. It's seemingly doable with a single class but outside

params.pp:

class vmware::params {
  case $::lsbmajdistrelease {
    '4': {
      $packagelist = "[ 'vmware-tools-esx-kmods-smp', 'vmware-tools-esx-kmods-up' ]"
    }
    default: {
      $packagelist = 'vmware-tools-esx-kmods'
    }
  }
}

install.pp

package { "$vmware::params::packagelist":
  ensure => present,
}

Which results in this:-

err: /Stage[main]/Vmware::Install/Package[['vmware-tools-esx-kmods-smp', 'vmware-tools-esx-kmods-up']]/ensure: change from absent to present failed: Execution of '/usr/bin/yum -d 0 -e 0 -y install ['vmware-tools-esx-kmods-smp', 'vmware-tools-esx-kmods-up']' returned 1: Traceback (most recent call last):

I have tried escaping this in all sorts of crazy ways but not having a good deal of luck.

Anyone have the right way to do this ?

Cheers
Paul
[Puppet Users] Re: Adding resource parameters in inheritance
> Your general idea sounds feasible. I see two specific problems in the
> example code you posted, however:
>
>    1. Is the title of the File resource you want to override really
>    'resolv.conf'? I mean, it could be if you specified the full path via the
>    'path' parameter in the original declaration, but it didn't sound like
>    that's what you had done.
>    2. You do not want plussignment in this case. You want to set the
>    value of the 'audit' parameter to the scalar value 'all', regardless of
>    what might have been declared in the parent class. Use the regular
>    assignment operator for that.
>
> So what you want might be:
>
> class audit::resolver inherits resolver::config {
>   notify{"Running audit on $resolver::params::config_file": }
>   File["$resolver::params::config_file"] {
>     audit => all
>   }

Thanks so resolver::config looks like this:-

class resolver::config {
  file { '/etc/resolv.conf.predhclient':
    ensure => absent
  }
  file { '/etc/resolv.conf':
    ensure  => file,
    owner   => root,
    group   => root,
    mode    => '0644',
    content => template('resolver/resolv.conf.erb'),
    require => File['/etc/resolv.conf.predhclient']
  }
}

The audit class looks like this:-

class audit::resolver inherits resolver::config {
  File['/etc/resolv.conf'] {
    audit => all
  }
}

There is nothing related to this in the debug logs of a run. The notify was put in originally to make sure the class was called, which it was. The only thing in this is that the catalog run completes without error.

The plus assignment was because it was an addition rather than a replacement.

Cheers
Paul

> }
[Puppet Users] Adding resource parameters in inheritance
Hello,

On some machines being managed by Puppet I would like to perform targeted audit runs with "puppet -t --noop --tags audit"

For better or for worse I am trying to do this with a separate module "audit" rather than add the audit => to the resources and use inheritance, i.e.

class audit::resolver inherits resolver::config {
  notify{"Running audit on $resolver::params::config_file": }
  File['resolv.conf'] {
    audit +> all
  }
}

The $resolver::params::config sets the path for the resource and I just want to audit it rather than change or amend it but it doesn't seem to work.

Is this possible or not really ? Or is there a fundamentally better way of doing it ?

Cheers
Paul
[Puppet Users] Re: how to scale puppet with F5 load balancer?
On Tuesday, 17 July 2012 16:14:05 UTC+1, Matt wrote:
> Is there no one who has done this that can provide examples of how they
> did it?

I would if I could. Company policy and all that.

Generated the SSL certificate with the single F5 DNS address that all the clients globally will hit puppet. using puppet cert generate...

Put these on the F5 and have SSL terminate there and pass on anything /certificate/ to the pool of CA servers so they can be revoked/stored and what not - although we never will. The same certs are installed on these.

Anything without the /certificate/ regex will be passed from the F5 down to the puppet master pool which will contact a central ENC and do whatever it needs to do.
Re: [Puppet Users] how to scale puppet with F5 load balancer?
On Monday, 9 July 2012 06:44:16 UTC+1, Alan Evans wrote:
> From what I can tell there is no need to use alternate names. You can
> make the F5 appear to the clients to be the puppetmaster by leveraging
> the F5 to do SSL offloading and part of the certificate verification
> taking some load off your puppet masters. Even more though, since the
> puppet environments and other calls use pretty consistently organized
> URI paths, you can do some really neat stuff with F5 HTTP Class
> profiles to delegate certain requests to certain servers.

+1 on Alan's post.

This is exactly how we do it where I currently am. Allows us to scale out the Puppet Master pool horizontally based on demand and geographical location to keep hops to the minimum. Using AltDNSNames would not make this flexible at all as you would need to re-gen the cert each time.

This way all the clients have a single entry point:- puppet. and the F5 takes the strain and sends them to the appropriate server and routes around accordingly.

The only minor downside we have with this is that sometimes debugging the route from the client to the eventual master means we have to go through the logs on the potential masters to track down where it went. I do not have direct access to the F5's.
[Puppet Users] Puppet v2.7.11 Seg Faults
Hello,

Migrating some clients from an ancient client to a new infrastructure based on 2.7.11. These are RHEL boxes.

Some clients are hitting an issue

[30/06/12 05:11:37 UTC] /usr/lib/ruby/site_ruby/1.8/puppet/util/settings.rb:733: [BUG] Segmentation fault
[30/06/12 05:11:37 UTC] ruby 1.8.5 (2006-08-25) [x86_64-linux]
[30/06/12 05:11:37 UTC]
[30/06/12 05:11:37 UTC] Puppet SSL run return code: 134
[30/06/12 05:11:37 UTC] Puppet SSL certificate handshake failed

This looks to be writing a file

# Update the umask to make non-executable files
Puppet::Util.withumask(File.umask ^ 0111) do
  File.open(file, *args) do |file|
    yield file
  end
end

Anyone got any ideas on resolving this issue painlessly :)

Cheers
Paul
[Puppet Users] Python Puppet YAML Report Parser
Hello,

A quick search showed some people may have got this working. Anyone got a Python (or Perl) script to parse the Puppet reports and put them into a human readable format ?

Might be able to knock something together myself but not used PyYAML too much and might need some pointers.

Thanks
[Puppet Users] Disable HTML traces from Passenger
Hello,

Not sure on this, must be something in Apache/Passenger but I cannot find it right now.

Is there any way to disable the Ruby traces to return non-HTML output ?

Many thanks,
Paul
[Puppet Users] rdoc escaping help
Hello,

Trying to be a good boy and put rdoc headers in my classes. I am trying to put some scoped variables into the output, i.e.

# [*myclass::params::server*]
# This is derived from the myclass::params class which returns the server to configure
#
# [*myclass::params::venafiport*]
# This is derived from the myclass::params class which returns the port to use

Which should hopefully return a list with some bold text. But does not.

Any ideas how to escape these? Tried various things but not a lot of success.

Thanks
Paul
[Puppet Users] Templates has_variable scoping etc
Hello,

Trying to write out a file with some facter variable handling, i.e.

if has_variable?("@lsbdistdescription") then
  my_OS = @lsbdistdescription
else
  my_OS = @operatingsystem + " " + @operatingsystemrelease
end

Therefore if the facter variable @lsbdistdescription doesn't exist (i.e. Solaris) it will build the value from other facts. But this always falls through to the else condition.

What's going on here ?

Thanks
Paul
[Puppet Users] Re: 2.7.9 -> 2.7.11 Error 403
Never mind, found I did indeed screw with auth.conf - my bad.

Nice to see facts only loading once this time...

On Feb 27, 1:43 pm, "ollies...@googlemail.com" wrote:
> Hello,
>
> Thought I would upgrade the masters then tried to join a new client.
>
> All the /etc/puppet/*.conf files are the same. This is running split
> CA/Masters running behind F5 and running under Passenger on RHEL6
>
> Now getting 403 errors.
>
> info: Retrieving plugin
> err: /File[/var/lib/puppet/lib]: Failed to generate additional
> resources using 'eval_generate: Error 403 on SERVER: Forbidden
> request: (10.) access to /file_metadata/plugins
> [search] at line 99
> err: /File[/var/lib/puppet/lib]: Could not evaluate: Error 403 on
> SERVER: Forbidden request: (10.) access to /
> file_metadata/plugins [find] at line 99 Could not retrieve file
> metadata for puppet:///plugins: Error 403 on SERVER:
> Forbidden request: (10.) access to /file_metadata/
> plugins [find] at line 99
> err: Could not retrieve catalog from remote server: Error 403 on
> SERVER: Forbidden request: (10.) access to /catalog/
> [find] at line 99
>
> Removed names, IP's etc.
>
> Now the auth.conf looks the same so I am unsure about why this has
> started happening.
>
> Cheers
> Paul
[Puppet Users] 2.7.9 -> 2.7.11 Error 403
Hello,

Thought I would upgrade the masters then tried to join a new client.

All the /etc/puppet/*.conf files are the same. This is running split CA/Masters running behind F5 and running under Passenger on RHEL6

Now getting 403 errors.

    info: Retrieving plugin
    err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: Error 403 on SERVER: Forbidden request: (10.) access to /file_metadata/plugins [search] at line 99
    err: /File[/var/lib/puppet/lib]: Could not evaluate: Error 403 on SERVER: Forbidden request: (10.) access to /file_metadata/plugins [find] at line 99 Could not retrieve file metadata for puppet:///plugins: Error 403 on SERVER: Forbidden request: (10.) access to /file_metadata/plugins [find] at line 99
    err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: (10.) access to /catalog/ [find] at line 99

Removed names, IP's etc.

Now the auth.conf looks the same so I am unsure about why this has started happening.

Cheers
Paul
[Puppet Users] Re: RHEL4 + 2.6.11 and Puppet CA/Master at 2.7.9
This actually comes back with:-

    info: Creating a new SSL key for
    warning: peer certificate won't be verified in this SSL session.
    info: Caching certificate for ca
    warning: peer certificate won't be verified in this SSL session.
    warning: peer certificate won't be verified in this SSL session.
    info: Creating a new SSL certificate request for
    info: Certificate Request fingerprint (md5): BB:92:3E:98:C7:2C:9C:18:42:A4:38:E2:C2:34:F1:3D
    warning: peer certificate won't be verified in this SSL session.
    err: Could not request certificate: Could not intern from yaml: dump format error
    Exiting; failed to retrieve certificate and waitforcert is disabled

The YAML from the ENC looks like this:-

    ---
    parameters:
      ext_dev: "true"
    classes:
      - auth
      - autofs
      - bootloader
      - crashdump
      - cron
      - disks
      - email
      - galaxy
      - ganglia
      - hardwaremon
      - hpbios
      - identification
      - kernelparams
      - locale
      - lom
      - network
      - nimbus
      - ntp
      - packages
      - profile
      - puppetclient
      - resolver
      - security
      - selinux
      - services
      - ssh
      - sudo
      - syslog
      - systemusers
      - tsgtools
      - verify
      - vmware
    environment: engineering

Is there anything wrong the 2.7.9 clients work fine ?

Thanks
Paul

On Feb 24, 10:12 am, "ollies...@googlemail.com" wrote:
> Hello,
>
> As the 2.7 branch doesn't seem to be available for RHEL4 (yes I know
> EOS next week) am trying to use a 2.6.11 client for our new Puppet
> infrastructure to replace the creaking one we have now.
>
> The POC setup is all running behind an F5 with a pair of CA's and
> separate pool of Puppet Masters.
>
> RHEL5/6 clients running 2.7.9 work fine. The older version on RHEL4
> gives me SSL issues "does not match" etc. Full clean out tried as per
> usual but nothing works.
>
> Are these compatible. Or any known issues/workarounds. Google hasn't
> helped.
>
> Thanks
> Paul
[Puppet Users] RHEL4 + 2.6.11 and Puppet CA/Master at 2.7.9
Hello,

As the 2.7 branch doesn't seem to be available for RHEL4 (yes I know EOS next week) am trying to use a 2.6.11 client for our new Puppet infrastructure to replace the creaking one we have now.

The POC setup is all running behind an F5 with a pair of CA's and separate pool of Puppet Masters.

RHEL5/6 clients running 2.7.9 work fine. The older version on RHEL4 gives me SSL issues "does not match" etc. Full clean out tried as per usual but nothing works.

Are these compatible. Or any known issues/workarounds. Google hasn't helped.

Thanks
Paul
[Puppet Users] Re: Template Help Please
On Jan 24, 7:14 am, "ollies...@googlemail.com" wrote:
> On Jan 23, 9:07 pm, Guy Matz wrote:
>
> > Is your issue resolved? It looks like you don't have the correct erb
> > syntax in your loop
>
> > *<%=* scope.lookupvar('resolver::params::resolvers').split(/\s+/).each
>
> > I think should be
>
> > *<%* scope.lookupvar('resolver::params::resolvers').split(/\s+/).each
>
> Thanks Gary, the split now works. Although I get a line break.
>
> # more /etc/resolv.conf
> # File managed by puppet
> domain example.com
> searchpath example.com example2.com
>
> nameserver 10.10.10.10
>
> nameserver 11.11.11.11

No worries sorted that with:-

    <% scope.lookupvar('resolver::params::resolvers').split(/\s+/).each do | ns | -%>
    nameserver <%= ns %>
    <% end -%>

Thanks to all for the help.
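The three stages of this thread (syntax error, stray blank lines, clean output) can be reproduced outside Puppet. This is an added example, not code from the thread: it renders with Ruby's standard ERB in trim mode "-", the mode Puppet's template() applies, and the local variable `resolvers` is a constructed stand-in for scope.lookupvar('resolver::params::resolvers').

```ruby
require 'erb'

# Constructed value standing in for scope.lookupvar('resolver::params::resolvers').
RESOLVERS = '10.10.10.10 11.11.11.11 12.12.12.12'

TEMPLATES = {
  # Original question: the output tag "<%=" wraps the opening half of a block.
  # ERB turns it into _erbout.<<(( ...each do |ns| ).to_s), which is not valid Ruby.
  output_tag_on_block: <<~'ERB',
    # File managed by puppet
    <%= resolvers.split(/\s+/).each do |ns| %>
    nameserver <%= ns %>
    <% end -%>
  ERB
  # After switching to the code tag "<%": it compiles, but the newline that
  # follows the plain "%>" is emitted once per iteration.
  code_tag_plain_close: <<~'ERB',
    # File managed by puppet
    <% resolvers.split(/\s+/).each do |ns| %>
    nameserver <%= ns %>
    <% end -%>
  ERB
  # Final version from the thread: "-%>" also swallows the newline after the opener.
  code_tag_trim_close: <<~'ERB'
    # File managed by puppet
    <% resolvers.split(/\s+/).each do |ns| -%>
    nameserver <%= ns %>
    <% end -%>
  ERB
}.freeze

# Render one template; a template that does not compile yields :syntax_error.
# SyntaxError is a ScriptError, so a bare `rescue` would not catch it.
def render(template, resolvers = RESOLVERS)
  ERB.new(template, trim_mode: '-').result_with_hash(resolvers: resolvers)
rescue SyntaxError
  :syntax_error
end

# Count empty lines in rendered output, to make the stray line breaks visible.
def blank_lines(output)
  output.lines.count { |line| line.strip.empty? }
end

if __FILE__ == $PROGRAM_NAME
  TEMPLATES.each do |name, template|
    out = render(template)
    puts "== #{name}"
    puts(out == :syntax_error ? 'compile error (SyntaxError)' : out)
  end
end
```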
[Puppet Users] Re: Template Help Please
On Jan 23, 9:07 pm, Guy Matz wrote:
> Is your issue resolved? It looks like you don't have the correct erb
> syntax in your loop
>
> *<%=* scope.lookupvar('resolver::params::resolvers').split(/\s+/).each
>
> I think should be
>
> *<%* scope.lookupvar('resolver::params::resolvers').split(/\s+/).each
>

Thanks Gary, the split now works. Although I get a line break.

    # more /etc/resolv.conf
    # File managed by puppet
    domain example.com
    searchpath example.com example2.com

    nameserver 10.10.10.10

    nameserver 11.11.11.11
[Puppet Users] Re: Template Help Please
On Jan 23, 4:32 pm, Felix Frank wrote:
> On 01/23/2012 02:48 PM, ollies...@googlemail.com wrote:
>
> > host: parse of /etc/resolv.conf failed
> > ./resolver/templates/resolv.conf.erb:7:in `result': compile error
> > (SyntaxError)
> > ./resolver/templates/resolv.conf.erb:4: syntax error
> > _erbout.concat(( scope.lookupvar('resolver::params::resolvers').split(/
> > \s+/).each do | ns | ).to_s); _erbout.concat "\n"
>
> > ^
> > ./resolver/templates/resolv.conf.erb:7: syntax error
> > _erbout
>
> Uhuh. Just a wild guess, but: *Does* your template end in a newline
> character?
> If not, add one. If in doubt, lose the '-%>' and substitute '%>' instead.
>
> HTH,
> Felix

Looks about right to me.

Thanks for the continued help.

Cheers
Paul
[Puppet Users] Re: Template Help Please
On Jan 23, 1:32 pm, Felix Frank wrote:
> Absolutely beats me.
>
> Is this a verbatim paste from your template?
> Are you certain that the template is the source of the error?
> Does it say anything beyond "syntax error"?
>
> Just pasting puppet output would be ideal.
>

    host: parse of /etc/resolv.conf failed
    ./resolver/templates/resolv.conf.erb:7:in `result': compile error (SyntaxError)
    ./resolver/templates/resolv.conf.erb:4: syntax error
    _erbout.concat(( scope.lookupvar('resolver::params::resolvers').split(/\s+/).each do | ns | ).to_s); _erbout.concat "\n"
     ^
    ./resolver/templates/resolv.conf.erb:7: syntax error
    _erbout
     ^
    from /usr/lib/ruby/1.8/erb.rb:741:in `value'
    from /usr/lib/ruby/1.8/erb.rb:741:in `result'
    from /usr/lib/ruby/site_ruby/1.8/puppet/parser/templatewrapper.rb:106:in `result'
    from /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:185:in `benchmark'
    from /usr/lib/ruby/site_ruby/1.8/puppet/parser/templatewrapper.rb:103:in `result'
    from /usr/lib/ruby/site_ruby/1.8/puppet/parser/functions/template.rb:18:in `function_template'
    from /usr/lib/ruby/site_ruby/1.8/puppet/parser/functions/template.rb:10:in `collect'
    from /usr/lib/ruby/site_ruby/1.8/puppet/parser/functions/template.rb:10:in `function_template'
    ... 62 levels...
    from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:401:in `exit_on_fail'
    from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:306:in `run'
    from /usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:69:in `execute'
    from /usr/bin/puppet:4
    #
[Puppet Users] Re: Template Help Please
On Jan 23, 1:17 pm, Denmat wrote:
> Hi,
>
> Is that variable declaration copied correctly?
>
> > $resolvers = "10.10.10.10 11.11.11.11.12.12.12.12"
>
> Should be> $resolvers = "10.10.10.10 11.11.11.11 12.12.12.12"
>
> what's that do for you?
>

That was a typo in my original mail. The syntax problem remains as it would still be a split on the spaces.

Thanks
Paul
[Puppet Users] Template Help Please
Hello,

I am trying to setup a template with data being passed in as a long string of data which is being returned via extlookup() i.e.

    $resolvers = "10.10.10.10 11.11.11.11.12.12.12.12"

The template should split those up and put a nameserver entry per line in /etc/resolv.conf

I have this in the template now:-

    <%= scope.lookupvar('resolver::params::resolvers').split(/\s+/).each do | ns | %>
    nameserver <%= ns %>
    <% end -%>

Which is throwing a syntax error. Can't for the life of me work out what's wrong. Probably not had enough coffee yet.

Any ideas ?

Thanks
Paul
[Puppet Users] Re: Stupid Exec
On Jan 5, 3:54 pm, krish wrote:
> On Thu, Jan 5, 2012 at 9:12 PM, ollies...@googlemail.com
> wrote:
> > Hello,
>
> > I have this stupid exec on a bash script but bear with me. Works OK on
> > an ancient 0.xx Puppet setup. But not on 2.7.9.
>
> > $command = "( /apps/path/scripts/install.sh || true ) && touch /etc/
> > puppet/puppet.script.done"
>
> Why do you have to do a || with true here?
> afaik, /apps/path/scripts/install.sh && touch
> /etc/puppet/puppet.script.done should do.. or even better use a ;
> instead of &&
>

Thanks that wouldn't work if install.sh gave a non-zero RC. This is for testing environments (based on a case statement) outside of that it doesn't call true and has no need for brackets.

I agree it's stupid and something of an inheritance.

Thanks
[Puppet Users] Stupid Exec
Hello,

I have this stupid exec on a bash script but bear with me. Works OK on an ancient 0.xx Puppet setup. But not on 2.7.9.

    $command = "( /apps/path/scripts/install.sh || true ) && touch /etc/puppet/puppet.script.done"

    exec { install:
      command   => "$command",
      cwd       => "/apps/path/scripts",
      path      => "/bin:/usr/bin:/sbin:/usr/sbin",
      timeout   => 600,
      logoutput => false,
      unless    => 'test -f /etc/puppet.script.done'
    }

Whilst this command works OK on Solaris manually running under Puppet gives me:-

    /Exec[install]/returns: change from notrun to 0 failed: Could not find command '('

Have tried all manner of escaping and single/double quote combos

Any ideas on how to make this work ?

Cheers
[Puppet Users] Re: Seperate CA's/Master behind load balancer
Thanks for all the help but I have failed in this and decided to change tack a little. With no better results :)

Here is what the current attempt is.

2 Apache Load-Balancers which will be CA's and therefore entry points for clients. These will be in active/standby solution on RHEL6 with heartbeat. The virtual IP will be called puppet.domain.fqdn the physical node names will be different of course.

The PuppetMaster processes will be a load balanced pool underneath to allow the horizontal scaling and with active/standby LB's and CA's should not have a SPOF

Client will then connect to the VIP which will do the certificate checks on the LB server and then pass to the puppetmaster pool.

Load-Balancer/CA structures kept in place with rsync or some-such.

Still failing with the CA setup against its realname, setup with generate on the puppet.domain.fqdn name, and setup with certname = puppet.domain.fqdn and then calling puppet master removing the ssldir between each.

They all failed to allow clients to get a valid cert:-

    err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key

Now I just assume I am being brain-dead and doing silly things with fatigue to get this working with a VIP. Or is this setup without a SPOF really just not possible ?

Thanks
Paul
[Puppet Users] Re: Seperate CA's/Master behind load balancer
On Dec 20, 4:16 pm, Brice Figureau wrote:
> On Tue, 2011-12-20 at 08:02 -0800, ollies...@googlemail.com wrote:
> > > That's easy: dedicate two host to be CAs only. One is the hot standby of
> > > the first one. You can either manually bring it up when the first one
> > > fails, or use something like drbd+pacemaker to do it automatically.
> > > Then have all your other masters run in "no ca" mode. Each can have a
> > > different server CN, or they can share the same server certificate.
> > > This is explained in length in the Pro puppet [1] book if you need.
>
> > > > Maybe it's just not possible right now and I am flogging a dead horse
> > > > and should accept a SPOF for a CA but can easily scale out the
> > > > puppetmasters fine.
>
> > > The simplest architecture for load balanced puppet is the single CA one,
> > > of course that means you can live with the SPOF. BTW, the SPOF is only
> > > at certificate signing. In the event your CA becomes unresponsive, it
> > > won't prevent your actual nodes to get a catalog.
>
> > > I highly recommend you to get a copy of the "Pro Puppet" book. It
> > > contains an extensive chapter on load balancing puppet master (both with
> > > the SPOF and without it).
>
> > Thanks.
>
> > Have got a copy of the book and that is what I was working from. As
> > per the
> > example in the book it's fine running the CA's in the localhost sort
> > of mode
> > but when switching from localhost to other servers off the load-
> > balancer server
> > I get the cert errors:-
>
> > err: /File[/var/lib/puppet/lib]: Failed to generate additional
> > resources using 'eval_generate: certificate verify failed. This is
> > often because the time is out of sync on the server or client
>
> > Do I have to clean out the puppetmaster setup on the load-balancer
> > host ?
>
> > On the CA servers I removed the ssldir and ran "puppet master" to
> > generate a
> > new ssl data.
>
> > Then with a new client I get the new cert generated but then the above
> > error.
>
> That's expected because when the client connects to one of your
> loadbalanced server it receives a certificate that was signed/generated
> under the previous CA. You actually need your loadbalanced masters to
> get a certificate from your current CA. This certificate will then be
> used when talking to your nodes.

But the Apache LB settings are sending the certificate stuff to the separate CA server (I can see this in the logs) and the CA has the signed cert in the puppet cert --list --all but it still complains on the client.
[Puppet Users] Re: Seperate CA's/Master behind load balancer
> That's easy: dedicate two host to be CAs only. One is the hot standby of
> the first one. You can either manually bring it up when the first one
> fails, or use something like drbd+pacemaker to do it automatically.
> Then have all your other masters run in "no ca" mode. Each can have a
> different server CN, or they can share the same server certificate.
> This is explained in length in the Pro puppet [1] book if you need.
>
> > Maybe it's just not possible right now and I am flogging a dead horse
> > and should accept a SPOF for a CA but can easily scale out the
> > puppetmasters fine.
>
> The simplest architecture for load balanced puppet is the single CA one,
> of course that means you can live with the SPOF. BTW, the SPOF is only
> at certificate signing. In the event your CA becomes unresponsive, it
> won't prevent your actual nodes to get a catalog.
>
> I highly recommend you to get a copy of the "Pro Puppet" book. It
> contains an extensive chapter on load balancing puppet master (both with
> the SPOF and without it).

Thanks.

Have got a copy of the book and that is what I was working from. As per the example in the book it's fine running the CA's in the localhost sort of mode but when switching from localhost to other servers off the load-balancer server I get the cert errors:-

    err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: certificate verify failed. This is often because the time is out of sync on the server or client

Do I have to clean out the puppetmaster setup on the load-balancer host ?

On the CA servers I removed the ssldir and ran "puppet master" to generate a new ssl data.

Then with a new client I get the new cert generated but then the above error.
[Puppet Users] Re: Seperate CA's/Master behind load balancer
Thanks.

I assume that the section in this:-

http://projects.puppetlabs.com/projects/puppet/wiki/Puppet_Scalability

Stating that it doesn't work for 0.25 & 2.6 also applies to the 2.7.9 release that is the latest ?

Sharing an area via NFS/iSCSI/rsync'ing or whatever is potentially viable does anyone know how this would be possible with different hostnames serving the certs and the traffic being directed via a load-balancer ?

Maybe it's just not possible right now and I am flogging a dead horse and should accept a SPOF for a CA but can easily scale out the puppetmasters fine.

Thanks all.
Paul
[Puppet Users] Re: Seperate CA's/Master behind load balancer
Thanks,

On our older infrastructure if we wanted to scale out we just copied the ssldir and changed the filenames to the FQDN of the new master server. certdnsnames would be wildcarded.

Now using 2.7.9 how do we do certificates so we could scale out horizontally from behind this loadbalancer ?

Trying this approach leads now to this:-

    # puppet cert --list --all
    warning: The `certdnsnames` setting is no longer functional, after CVE-2011-3872. We ignore the value completely. For your own certificate request you can set `dns_alt_names` in the configuration and it will apply locally. There is no configuration option to set DNS alt names, or any other `subjectAltName` value, for another nodes certificate. Alternately you can use the `--dns_alt_names` command line option to set the labels added while generating your own CSR.
    - (FA:C4:68:C1:30:E2:95:9E:48:AB:ED:E4:A7:BF:3F:19) (certificate signature failure)

Going around in circles somewhat trying to get a modern puppet setup with a potential to scale horizontally.
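The certificate errors reported across this thread (a certificate signed under a previous CA, "Retrieved certificate does not match private key", and the move from `certdnsnames` to `dns_alt_names`) correspond to three independent checks. The following is an added example, not code from the thread or from Puppet: it builds throwaway CAs with Ruby's OpenSSL bindings and shows each check failing on its own. All host names are constructed.

```ruby
require 'openssl'

# Constructed names for the example; none of them come from the thread.
VIP_NAME    = 'puppet.example.test'      # name agents connect to (the load-balancer VIP)
MASTER_NAME = 'puppetmst1.example.test'  # real hostname of one master in the pool
AGENT_NAME  = 'agent1.example.test'

def new_key
  OpenSSL::PKey::RSA.new(2048)
end

# Issue a certificate for subject_key. With issuer_cert nil the result is a self-signed CA.
def issue(cn, subject_key, issuer_cert, issuer_key, serial, alt_names: [])
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = subject_key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', issuer_cert ? 'CA:FALSE' : 'CA:TRUE', true))
  unless alt_names.empty?
    san = alt_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san, false))
  end
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# Run the three checks separately so a failure can be attributed to one cause.
def diagnose(cert, key, ca_cert, hostname)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  trusted = store.verify(cert)
  {
    trusted:      trusted,                                   # signed by the CA currently trusted?
    trust_error:  trusted ? nil : store.error_string,
    key_matches:  cert.check_private_key(key),               # cert issued for this private key?
    name_matches: OpenSSL::SSL.verify_certificate_identity(cert, hostname) # SAN/CN covers the name used?
  }
end

def scenarios
  old_ca_key = new_key
  old_ca     = issue('Puppet CA', old_ca_key, nil, old_ca_key, 1)
  ca_key     = new_key # ssldir removed and CA regenerated: same name, new key
  ca         = issue('Puppet CA', ca_key, nil, ca_key, 1)
  master_key    = new_key
  agent_old_key = new_key
  agent_key     = new_key # agent side cleaned out, but the CA still holds the old cert

  both   = [VIP_NAME, MASTER_NAME]
  good   = issue(MASTER_NAME, master_key, ca, ca_key, 2, alt_names: both)
  stale  = issue(MASTER_NAME, master_key, old_ca, old_ca_key, 2, alt_names: both)
  no_san = issue(MASTER_NAME, master_key, ca, ca_key, 3)
  agent  = issue(AGENT_NAME, agent_old_key, ca, ca_key, 4)

  {
    healthy:                      diagnose(good, master_key, ca, VIP_NAME),
    master_signed_by_previous_ca: diagnose(stale, master_key, ca, VIP_NAME),
    master_without_vip_alt_name:  diagnose(no_san, master_key, ca, VIP_NAME),
    agent_key_regenerated:        diagnose(agent, agent_key, ca, AGENT_NAME)
  }
end

if __FILE__ == $PROGRAM_NAME
  scenarios.each { |name, result| puts "#{name}: #{result}" }
end
```

Against real files, the same three questions can be asked of the PEM files under the ssldir by loading them with OpenSSL::X509::Certificate.new and OpenSSL::PKey.read in place of the generated objects.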
[Puppet Users] Re: Seperate CA's/Master behind load balancer
Thanks I realised that when I sent it.

Dialled back the CA to:-

    Listen 18140
    SSLEngine off
    ServerName
    RackAutoDetect On
    DocumentRoot /etc/puppet/rack/puppetmaster/public/
    Options None
    AllowOverride None
    Order allow,deny
    allow from all

Now clients are getting cert requests signed but not going any further

    info: Creating a new SSL key for
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for ca
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    info: Creating a new SSL certificate request for
    info: Certificate Request fingerprint (md5): 51:D6:6B:58:EA:CC:11:14:4B:48:E1:B4:C1:8B:A5:A6
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for
    info: Retrieving plugin
    err: /File[/var/lib/puppet/plugins]: Failed to generate additional resources using 'eval_generate: certificate verify failed. This is often because the time is out of sync on the server or client
    err: /File[/var/lib/puppet/plugins]: Could not evaluate: certificate verify failed. This is often because the time is out of sync on the server or client Could not retrieve file metadata for puppet:// /plugins: certificate verify failed. This is often because the time is out of sync on the server or client
    err: Could not retrieve catalog from remote server: certificate verify failed. This is often because the time is out of sync on the server or client
    warning: Not using cache on failed catalog

I know the time is in sync OK

Certs look the same.
On CA:- # openssl x509 -text -noout -in Certificate: Data: Version: 3 (0x2) Serial Number: 8 (0x8) Signature Algorithm: sha1WithRSAEncryption Issuer: CN=Puppet CA: Validity Not Before: Dec 15 15:29:00 2011 GMT Not After : Dec 9 15:29:00 2036 GMT Subject: CN= Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:ad:62:d2:47:05:33:94:e2:5c:55:c1:e4:c4:7b: 27:7d:21:ec:0b:34:29:39:4f:56:1c:81:9f:94:3d: 9c:4c:ed:b0:ae:6b:82:85:d9:2f:3f:c9:bc:9a:31: 3d:5b:e7:d0:f9:19:7c:71:e0:ad:7f:18:fa:fe:53: 38:d2:35:67:d6:e6:dd:f8:df:fc:3c:46:ae:50:b1: 7b:66:04:a1:39:b3:bf:55:39:2e:47:ad:ee:59:ae: 17:36:43:2b:76:c3:ad:90:5e:03:67:aa:7e:8e:9e: ca:1a:19:c6:3f:2e:c0:ea:33:bc:2a:01:63:2b:85: e5:b1:4a:75:ff:0f:8b:b2:4d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE Netscape Comment: Puppet Ruby/OpenSSL Internal Certificate X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Subject Key Identifier: C7:AB:D6:D1:DC:D9:30:E6:0B:DE:60:4E:FB:25:37:AF:7F: 43:E1:B7 X509v3 Extended Key Usage: critical TLS Web Server Authentication, TLS Web Client Authentication Signature Algorithm: sha1WithRSAEncryption 00:dc:82:79:6b:2f:30:2c:e2:8b:9d:52:78:6f:e7:86:56:8c: 98:7f:3a:46:8a:86:49:12:de:e7:2e:c3:d9:ed:96:e6:5e:1e: fe:0d:cc:86:ed:86:2e:44:13:c3:4b:ec:e7:3c:9a:1d:bf:2d: 07:a5:c7:65:dc:ec:10:80:85:f5:de:25:83:8b:66:4f:46:17: 73:97:5d:1b:8c:9e:1c:bc:7a:51:5a:11:d7:b4:75:21:44:0b: 39:29:06:77:51:9a:b0:3f:5b:80:6b:6d:13:99:ed:6a:7d:35: c2:0c:6c:f2:98:f0:d1:f0:4f:ed:d6:53:98:7c:8a:5b:07:4a: 54:e0 On client:- # openssl x509 -text -noout -in Certificate: Data: Version: 3 (0x2) Serial Number: 8 (0x8) Signature Algorithm: sha1WithRSAEncryption Issuer: CN=Puppet CA: Validity Not Before: Dec 15 15:29:00 2011 GMT Not After : Dec 9 15:29:00 2036 GMT Subject: CN= Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:ad:62:d2:47:05:33:94:e2:5c:55:c1:e4:c4:7b: 
27:7d:21:ec:0b:34:29:39:4f:56:1c:81:9f:94:3d: 9c:4c:ed:b0:ae:6b:82:85:d9:2f:3f:c9:bc:9a:31: 3d:5b:e7:d0:f9:19:7c:71:e0:ad:7f:18:fa:fe:53: 38:d2:35:67:d6:e6:dd:f8:df:fc:3c:46:ae:50:b1: 7b:66:04:a1:39:b3:bf:55:39:2e:47:ad:ee:59:ae: 17:36:43:2b:76:c3:ad:90:5e:03:67:aa:7e:8e:9e: ca:1a:19:c6:3f:2e:c0:ea:33:bc:2a:01:63:2b:85: e5:b1:4a:75:ff:0f:8b:b2:4d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical
[Puppet Users] Seperate CA's/Master behind load balancer
Hello,

Attempting to setup a CA primary/standby as well as separate puppetmaster servers (all running Apache/Passenger) behind another Apache/Passenger type load balancer.

Clients are not getting certs:-

    err: Could not request certificate: Could not intern from s: nested asn1 error

Clearly an SSL issue but not something I know a great deal about.

loadbalancer.conf

    # Puppet Load Balancing Thing
    BalancerMember http://puppetmst1:18140
    BalancerMember http://puppetmst2:18140
    # Only one member
    BalancerMember http://cahost1:18140
    # Hot Standby if the primary is offline
    BalancerMember http://cahost2:18140 status=+H
    Listen 8140
    ServerName loadbalancer
    SSLEngine on
    # SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    # Puppet master should generate initial CA certificate.
    # ensure certs are located in etc/puppet/ssl
    SSLCertificateFile /etc/puppet/ssl/certs/loadbalancer.pem
    SSLCertificateKeyFile /etc/puppet/ssl/private_keys/loadbalancer.pem
    SSLCertificateChainFile /etc/puppet/ssl/certs/ca.pem
    SSLCACertificateFile /etc/puppet/ssl/ca/ca_crt.pem
    # CRL checking should be enabled
    # disable next line if Apache complains about CRL
    #SSLCARevocationFile /etc/puppet/ssl/ca/ca_crl.pem
    # optional to allow CSR request, required if certificates distributed to client during provisioning.
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars
    # The following client headers record authentication information for down stream workers.
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
    # WARNING THIS SHOULD HAVE ACCESS CONTROL.
    # I've left it wide open for testing.
    SetHandler balancer-manager
    Order allow,deny
    Allow from all
    SetHandler server-status
    Order allow,deny
    Allow from all
    # Optional status
    ProxyStatus On
    # Don't load balance requests to the status page
    ProxyPass /balancer-manager !
    ProxyPass /server-status !
    # Ordering of ProxyPass directives is important
    # Direct all Puppet Agent CA requests to a specific set of workers.
    ProxyPassMatch ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppet_ca/
    ProxyPassReverse ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppet_ca/
    # Direct all other Puppet Agent requests to the default set of workers.
    ProxyPass / balancer://puppetmaster/
    ProxyPassReverse / balancer://puppetmaster/
    ProxyPreserveHost On
    # Logging for this front end
    ErrorLog /var/log/httpd/frontend_puppet_error.log
    CustomLog /var/log/httpd/frontend_puppet_access.log combined
    CustomLog /var/log/httpd/frontend_puppet_ssl_requests.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

cahost.conf:-

    Listen 18140
    ServerName cahost1
    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    SSLCertificateFile /etc/puppet/ssl/certs/cahost1.pem
    SSLCertificateKeyFile /etc/puppet/ssl/private_keys/cahost1.pem
    SSLCertificateChainFile /etc/puppet/ssl/certs/ca.pem
    SSLCACertificateFile /etc/puppet/ssl/ca/ca_crt.pem
    # CRL checking should be enabled
    # disable next line if Apache complains about CRL
    SSLCARevocationFile /etc/puppet/ssl/ca/ca_crl.pem
    # optional to allow CSR request, required if certificates distributed to client during provisioning.
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars
    # The following client headers record authentication information for down stream workers.
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
    RackAutoDetect On
    DocumentRoot /etc/puppet/rack/puppetmaster/public/
    Options None
    AllowOverride None
    Order allow,deny
    allow from all

Hostname have been changed to protect the innocent.

Any pointers or obviously "you idiot" things here ?

Thanks
Paul
[Puppet Users] Separate CA's
Hello,

I have a desire to have separate primary/secondary CA servers, and separate puppet master servers running behind a load balancer (ultimately an F5 but will use an Apache mod_proxy.. setup initially to test).

The Pro Puppet books suggest this with everything running with Passenger which is fine but is it really necessary for the CA's or is there an alternative ?

Anyone got any example config's that I can crib off. If that's the best way then I can start with that and think about the SSL issues that will inevitably arise.

Any pointers would be much appreciated.

Thanks
[Puppet Users] Re: extlookup()
Thanks but it remains the same. Even if I put an ${fqdn}.csv it will read that file but only take the first entry in the CSV and apply that to every extlookup call in the module. It's a little curious. This is running on PE1.2 but I suspect this is running the same code base as 2.6.9
[Puppet Users] Re: extlookup()
On Oct 21, 12:55 pm, Andrew Thompson wrote:
> On Oct 20, 10:18 am, "ollies...@googlemail.com" wrote:
> > Taking a brief look at extlookup()
> >
> > We have a module to setup resolv.conf based on location so we have a
> > %{domain}.csv file
>
> Can you post your $extlookup_datadir and $extlookup_precedence values?

Sure it's set like this so host based, datacenter, country, region based on custom fact(s) which would out the location based on a subnet lookup to a backend system.

    #
    # Global configuration
    #
    $extlookup_datadir = "/etc/puppetlabs/puppet/envs/legacy/extdata"
    $extlookup_precedence = ["%{fqdn}", "%{datacentreid}", "%{ctryid}", "%{rgnid}", "common"]

> > more /etc/puppetlabs/puppet/envs/legacy/extdata/ldt.csv
> > domainname,my.domain.com
> > resolvers,10.10.10.10 10.10.10.11
> > searchpath,sub.my.domain.com sub2.my.domain.com
> >
> > class resolver::setup {
> >   $searchpath = extlookup("searchpath")
> >   $resolvers = extlookup("resolvers")
> >   $resolvdomainname = extlookup("domainname")
> > }
>
> This looks correct.
>
> > Each value is getting set with the “domainname” value.
>
> What happens if you change the order of the values in the csv file?
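An added sketch (not Puppet's extlookup source and not code from the thread) of a precedence-ordered CSV lookup using the datadir layout, precedence list and ldt.csv rows quoted above, to show the value each of the three keys is expected to resolve to. The fact values, the temporary directory and the file-name check are assumptions of the sketch.

```ruby
require 'tmpdir'

# Precedence list and CSV rows copied from the thread.
PRECEDENCE = ['%{fqdn}', '%{datacentreid}', '%{ctryid}', '%{rgnid}', 'common'].freeze
LDT_CSV = <<~CSV
  domainname,my.domain.com
  resolvers,10.10.10.10 10.10.10.11
  searchpath,sub.my.domain.com sub2.my.domain.com
CSV

# Expand %{fact} placeholders; nil when a fact is unset, so that level is skipped.
def expand(template, facts)
  missing = false
  name = template.gsub(/%\{(\w+)\}/) { facts.fetch(Regexp.last_match(1)) { missing = true; '' } }
  missing ? nil : name
end

# Return the value for key from the first precedence file that has a row for it.
def lookup(key, datadir, precedence, facts)
  precedence.each do |template|
    name = expand(template, facts)
    # Facts come from the agent, so this sketch accepts plain file names only.
    next unless name && name.match?(/\A[\w.-]+\z/)
    file = File.join(datadir, "#{name}.csv")
    next unless File.file?(file)
    File.foreach(file) do |line|
      row_key, *values = line.chomp.split(',') # simple split, no CSV quoting
      return values.length == 1 ? values.first : values if row_key == key
    end
  end
  raise ArgumentError, "no value found for #{key}"
end

# Constructed facts: the datacentre fact resolves to "ldt", matching ldt.csv.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'ldt.csv'), LDT_CSV)
    facts = { 'fqdn' => 'host1.my.domain.com', 'datacentreid' => 'ldt' }
    %w[searchpath resolvers domainname].to_h { |k| [k, lookup(k, dir, PRECEDENCE, facts)] }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```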
[Puppet Users] extlookup()
Taking a brief look at extlookup()

We have a module to setup resolv.conf based on location so we have a %{domain}.csv file

    more /etc/puppetlabs/puppet/envs/legacy/extdata/ldt.csv
    domainname,my.domain.com
    resolvers,10.10.10.10 10.10.10.11
    searchpath,sub.my.domain.com sub2.my.domain.com

    class resolver::setup {
      $searchpath = extlookup("searchpath")
      $resolvers = extlookup("resolvers")
      $resolvdomainname = extlookup("domainname")
    }

Each value is getting set with the “domainname” value.

This is with Puppet v2.6.9

Am I doing something wrong here?

Thanks
Paul
[Puppet Users] puppet-lvm and volume group issues
Trying to setup a volume group with puppet lvm and this:-

    volume_group { "my_vg":
      ensure => present,
      physical_volumes => "/dev/sdb /dev/sdc /dev/sdd",
      require => [ Physical_volume["/dev/sdb"], Physical_volume["/dev/sdc"], Physical_volume["/dev/sdd"] ]
    }

Fails with this in the debug output:-

    debug: volume_group provider lvm: Executing '/usr/sbin/vgcreate my_vg /dev/sdb /dev/sdc /dev/sdd'
    /usr/lib/ruby/site_ruby/1.8/puppet/provider.rb:133:in `vgcreate'
    /usr/lib/ruby/site_ruby/1.8/puppet/provider.rb:140:in `vgcreate'
    err: //myvg::setup/myvg::disks/Volume_group[my_vg]/ensure: change from absent to present failed: Execution of '/usr/sbin/vgcreate my_vg /dev/sdb /dev/sdc /dev/sdd' returned 1280: File descriptor 8 (/tmp/puppet.15759.0) leaked on vgcreate invocation. Parent PID 15759: /usr/bin/ruby

If I do it with a single physical volume it's fine, and if I run the command from the command line it's fine also.

Any ideas?

Thanks
[Puppet Users] puppet_dashboard and noise...
Hello,

Got the latest 0.25.2rc3 up and running and a seemingly partial dashboard setup. Get errors from it though:-

    Report puppet_dashboard failed: wrong Content-Length format

Any ideas?

Also how do I stop the:-

    warning: Value of 'preferred_serialization_format' (pson) is invalid for report, user default (b64_zlib_yaml)

messages?

Thanks
Paul
[Puppet Users] RPM upgrade
Hello

Using the YUM provider/helper from 0.24.8 we have an issue with a package latest all 3 packages are in the manifest as "latest":-

    DBCF_4Q_LinuxAS4_DBCF_4Q_Linux_ins_DBCFStageLinux-5.03.1.0-5.03.1.0-0
    DBCF_4Q_LinuxAS4_DBCF_4Q_Linux_ins_DBCFStageLinux-6.10.1.0-0 - this has an upgrade in the channels
    DBCF_4Q_LinuxAS4_DBCF_4Q_Linux_ins_DBCFStageLinux-6.02.1.0-6.02.1.0-0

However due to the length of the package name when we perform a puppet run this happens the system:-

    Package[DBCF_4Q_LinuxAS4_DBCF_4Q_Linux_ins_DBCFStageLinux]/ensure: ensure changed '6.10.1.0-0' to '6.13.1.0-0'

Which it duly does however the other 2 RPM's with similar names (but with version appended to allow for multiple revisions) are removed in the yum.log:-

    Jun 26 08:28:01 Updated: DBCF_4Q_LinuxAS4_DBCF_4Q_Linux_ins_DBCFStageLinux.noarch 6.13.1.0-0
    Jun 26 08:28:01 Erased: DBCF_4Q_LinuxAS4_DBCF_4Q_Linux_ins_DBCFStageLinux-5.03.1.0
    Jun 26 08:28:01 Erased: DBCF_4Q_LinuxAS4_DBCF_4Q_Linux_ins_DBCFStageLinux-6.02.1.0

Any ideas on how to resolve this.

Thanks.