[Puppet Users] Dependency conundrum

2017-06-15 Thread Tom Limoncelli
I'm having a problem getting some dependencies exactly right.

This is the code I originally wrote:

File['/usr/lib/systemd/system/patcher-client.service']~>Exec['systemctl daemon-reload']~>Service['patcher-client']

It works great except... oops... if any *other* module does Exec['systemctl
daemon-reload'], then Service['patcher-client'] restarts.  That additional
restart is unneeded.

I thought about rewriting it as:

File['/usr/lib/systemd/system/patcher-client.service']~>Exec['systemctl daemon-reload']

File['/usr/lib/systemd/system/patcher-client.service']~>Service['patcher-client']

But then how would Puppet know to do the Exec[] before the Service[]?  I
could add:

Exec['systemctl daemon-reload']->Service['patcher-client']

But then we're basically in the same situation as the original code. Right?

I guess I kind of want something like this: (not real syntax)

File['/usr/lib/systemd/system/patcher-client.service']~> ( Exec['systemctl daemon-reload']~>Service['patcher-client'] )

How do I achieve that?

Thanks in advance,
Tom

-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Blog:  http://EverythingSysadmin.com

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAHVFxgnkPQTgeNHv6L0Ao%2BuvdVtL-7ftaPfJG3gzXF0OCs6%3DsQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


[Puppet Users] Re: unit testing and eyaml

2017-02-24 Thread Tom Poulton
Hi

Look into rspec-puppet-utils, 
you can use the MockFunction class to completely mock hiera (there's an 
example in the readme). This way your tests never even execute the real 
hiera function, so you don't need to worry about yaml files, eyaml files, 
hierarchies, eyaml installation, eyaml keys, etc.

This is more like unit testing in a Java/C#/ruby project, where you're 
isolating what you want to test away from its dependencies. Mocking hiera 
allows your tests to be very flexible with minimal setup, and you're also 
not testing hiera/hiera-eyaml functionality in your tests for foo.

Full disclosure: I wrote rspec-puppet-utils so naturally I think it's a 
useful tool and a good fit in this case, but there are other ways of doing 
it :)

Does that make sense? I hope it helps


On Friday, February 24, 2017 at 11:16:43 AM UTC-6, Stanislav Khromoy wrote:
>
>
> Need a little help with integrating unit testing ( rspec-puppet ) with 
> eyaml encrypted data in hiera.
>
> I have something like this in hiera:
>
> foo::foo_api_key: ENC[super long string of stuff]
>
> manifest:
>
>   class { '::some_module_from_forge':
>     apikey => hiera('foo::foo_api_key')
>   }
>
> foo_spec.rb
>
> it { should contain_class('stackdriver').with_apikey(ENC[super long string 
> of stuff])}
>
> I am not really sure how to quote this properly. Everything I've tried 
> comes back with an error
>



[Puppet Users] puppetlabs-concat updates to concatfragments.rb causes triggers

2015-11-20 Thread Tom Limoncelli
We recently upgraded to the latest puppetlabs-concat module.  The new
module generated the exact same files as before which was great (yea
upwards compatibility!) but because a new concatfragments.rb file was
installed, puppet triggered downstream "reloads" and reloaded our
server (boo! undesired reloads!).  As a result, our keepalived's were
reloaded and that caused unplanned failovers between replicas.

The good news is that we caught this in testing so it didn't affect
production.  However, our workaround was ugly. We paused puppet agent,
manually updated concatfragments.rb, then unpaused puppet agent.

Is it possible for the module to deploy updates to concatfragments.rb
without it being considered trigger-worthy?

Thanks,
Tom

-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



[Puppet Users] Passing Powershell Variables into Puppet manifest

2015-10-27 Thread tom . swaby
Hi all

I'm having difficulty passing powershell variables into Puppet, while using 
the Powershell module.

What I need to achieve is this in powershell. It is basically a script that 
executes a check to see if a windows module is installed, and if not, 
copies it from a source directory. 

*This is the powershell script*

$check = Get-WindowsFeature -name Net-Framework-Core
$source = "\\server\directory\directory2\directory3"
$destination = "C:\source3"
if ($check.Installed -ne "True") {
    Copy-Item $source -Destination $destination -Recurse
    Install-WindowsFeature Net-Framework-Core
    Remove-Item $destination -Recurse
}

*This is my puppet manifest*

class profiles::dotnetrun {

  $check = "Get-WindowsFeature -name Net-Framework-Core"
  $source = "server\\directory\\directory2\\directory3"
  $destination = "C:\source3"

  exec { 'dotnet':
    command  => 'Copy-Item \$source -Destination \$destination -Recurse',
    onlyif   => '\$check.Installed -ne "True"',
    provider => powershell,
  }

}



[Puppet Users] RHEL 7 - Satellite 6.1 - Puppet Locally

2015-10-26 Thread Tom Zurita
We deploy our servers and use Puppet using Satellite 6.1.  I deployed a 
server and am trying to test modules locally and it NEVER works.  

cat /etc/puppet/puppet.conf

[main]
vardir = /var/lib/puppet
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl

[agent]
pluginsync      = true
report          = true
ignoreschedules = true
daemon          = false
ca_server       = blah
certname        = rhel7-test2.blah.edu
environment     = KT_SI_Org_Default_RHEL7_Prod_RHEL7_comp_CV_14
# server        = blah

[root@rhel7-test2 manifests]# puppet config print modulepath
/etc/puppet/modules:/usr/share/puppet/modules

[root@rhel7-test2 manifests]# puppet module list
/etc/puppet/modules
├── cis-puppet (???)
├── duritong-sysctl (v0.0.11)
└── puppetlabs-stdlib (v4.9.0)
/usr/share/puppet/modules (no modules installed)

puppet apply --modulepath=/etc/puppet/modules /etc/puppet/modules/cis-puppet/manifests/test.pp


I don't get errors just doesn't change a thing, nor does it show it running 
that script.




[Puppet Users] Re: should create_resources honor schedule metaparameter?

2015-10-02 Thread Tom Downes
Hi - didn't seem to get the automatic update on this post. I'm going to 
have a member of my team check out your suggestion.

Tom

On Tuesday, September 29, 2015 at 8:35:32 AM UTC-5, jcbollinger wrote:
>
>
>
> On Monday, September 28, 2015 at 10:17:31 PM UTC-5, Tom Downes wrote:
>>
>> I have a defined resource that I instantiate through create_resources and 
>> a set of defaults that trace back to hiera:
>>
>> create_resources("apache::vhost", $full_apache_hash, $http_defaults)
>>
>> http_defaults:
>>   schedule: 'nightly'
>>   priority: '25'
>>   docroot: '/var/www'
>>   serveradmin: 'myl...@dot.edu'
>>   port: '80'
>>
>> Elsewhere in the catalog I have defined:
>>
>> schedule { 'nightly':
>>   range  => '0-2',
>>   period => daily,
>>   repeat => 1,
>> }
>>
>>
>> When I run "puppet agent -t" outside of the specified range, it always 
>> takes action to manage my apache::vhost. i.e. if I blow away the file, it 
>> will come back. Am I wrong not to expect this? Is it create_resources not 
>> honoring schedule or puppet agent -t ignoring schedule?
>>
>>
>>
>
> There have been problems with create_resources() and other metaparameters 
> in the past, but I think the consensus is that they *should* work 
> together.  I see no reason or documentation that the 'schedule' 
> metaparameter would be different.
>
> Looking at the other side of the equation, there is a configuration 
> setting 'ignoreschedules' whose effect on the agent is what its name 
> indicates.  That setting is not documented to be included in '--test' / 
> '-t', but perhaps it crept in there without being documented, or perhaps it 
> is specified in your config file.  I'd try this command instead to see 
> whether it behaves differently with respect to schedules:
>
> puppet agent --onetime --no-daemonize --ignorecache --no-usecacheonfailure 
> --no-ignoreschedules
>
> Optionally, include also some or all of the flags '--detailed-exitcodes 
> --no-splay --show_diff', which are implied by --test.
>
> If the schedule still is not honored then do make sure it is actually in 
> the catalog the agent retrieves.  If so, then I call bug.
>
>
> John
>
>



[Puppet Users] should create_resources honor schedule metaparameter?

2015-09-28 Thread Tom Downes
I have a defined resource that I instantiate through create_resources and a 
set of defaults that trace back to hiera:

create_resources("apache::vhost", $full_apache_hash, $http_defaults)

http_defaults:
  schedule: 'nightly'
  priority: '25'
  docroot: '/var/www'
  serveradmin: 'myl...@dot.edu'
  port: '80'

Elsewhere in the catalog I have defined:

schedule { 'nightly':
  range  => '0-2',
  period => daily,
  repeat => 1,
}


When I run "puppet agent -t" outside of the specified range, it always 
takes action to manage my apache::vhost. i.e. if I blow away the file, it 
will come back. Am I wrong not to expect this? Is it create_resources not 
honoring schedule or puppet agent -t ignoring schedule?


Thanks,


Tom



[Puppet Users] Accessing facts in ENC

2015-09-08 Thread Tom
Using the following as a reference.
https://docs.puppetlabs.com/guides/external_nodes.html#tricks-notes-and-further-reading

I've been attempting to use facts of a node to contribute to the lookup of 
the host in the ENC. In my ENC I've tried both shelling out and running 
`puppet facts find example.com --terminus yaml` and also loading the yaml 
from '/var/lib/puppet/yaml/facts/'. However on the first run this file does 
not exist. Also if I change the terminus to puppetdb the facts are also not 
present yet in puppetdb. This looks like an ordering issue. If I run the 
same ENC with puppet 2.7 then the yaml file is present in 
'/var/lib/puppet/yaml/facts/'. With Puppet 3.8 the fact yaml file only 
appears after the ENC has run.

Has anyone else come across this issue?
I'm not sure if this is by design or if this is an ordering issue. In my 
opinion the facts should be written to yaml cache and puppetdb before the 
ENC is executed.



[Puppet Users] Complex edits on /etc/default/grub (Setting transparent_hugepage at boot time)

2015-07-29 Thread Tom Limoncelli
I need to disable transparent_hugepage at boot time (before some big
services start up).  This is on centos7 machines using SystemD.

There are many ways to do this.  It isn't clear which is the
best/easiest way to do it via puppet.  (Here is a list of ways to do
it manually 
http://answers.splunk.com/answers/188875/how-do-i-disable-transparent-huge-pages-thp-and-co.html
and here is one more
http://docs.mongodb.org/manual/tutorial/transparent-huge-pages/)

The most straightforward way seems to be to edit /etc/default/grub:

Change this line in /etc/default/grub and add
transparent_hugepage=never to the GRUB_CMDLINE_LINUX.

i.e.

Change this line:

GRUB_CMDLINE_LINUX=rd.lvm.lv=centos_ks-7/root
rd.lvm.lv=centos_ks-7/swap crashkernel=auto
vconsole.font=latarcyrheb-sun16 vconsole.keymap=us
intel_pstate=disable rhgb quiet transparent_hugepage=never

to

GRUB_CMDLINE_LINUX=rd.lvm.lv=centos_ks-7/root
rd.lvm.lv=centos_ks-7/swap crashkernel=auto
vconsole.font=latarcyrheb-sun16 vconsole.keymap=us
intel_pstate=disable rhgb quiet transparent_hugepage=never

However doing that in puppet (even with Augeas) seems non-trivial.



Any suggestions?

Tom

P.S.  I'm also considering making a systemd unit that just sets the
parameter and is scheduled to run before any of the major services on
the machine. However that seems like a long way to do a short thing.

--
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



[Puppet Users] Re: Complex edits on /etc/default/grub (Setting transparent_hugepage at boot time)

2015-07-29 Thread Tom Limoncelli
Of course, minutes after emailing that I found the answer to my own
question.

If you install the augeasproviders_grub module (
https://github.com/hercules-team/augeasproviders_grub) then it becomes as
simple as:

kernel_parameter { 'transparent_hugepage':
  value  => 'never',
  ensure => present,
}

In CentOS7, the module is smart enough to make the change to
/etc/default/grub's GRUB_CMDLINE_LINUX variable.  From a quick look at the
code, it seems to do the right thing for other OSs too.

The Augeas people never fail to impress!

Tom

-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



Re: [Puppet Users] Anyone really using Postgres for a Hiera backend?

2015-07-22 Thread Tom De Vylder
Puppet-Community [1] would be a prime example to take over the maintainership.

[1] https://github.com/puppet-community/

Tom

> On 13 Jul 2015, at 15:45, Erik Dalén <erik.gustav.da...@gmail.com> wrote:
>
> Yeah, I'm not really using puppet server (yet at least) or the postgres hiera
> backend. So if someone else wants to take over maintainership of it I can
> transfer the repo ownership.
>
> On Tue, 19 May 2015 at 18:51 Tony Thayer <tony.tha...@gmail.com> wrote:
>> Actually, I just realized I was using my own fork of the original:
>> https://github.com/tthayer/hiera-psql
>>
>> I'm not using it actively anymore and I doubt my previous employer is still
>> using it either. There is an open issue stating that it doesn't work with the
>> new puppetserver, too: https://github.com/dalen/hiera-psql/issues/7
>>
>> On Wednesday, May 13, 2015 at 9:45:55 AM UTC-7, leam hall wrote:
>>> Just wondering. I found some options but don't see any under current
>>> development.
>>>
>>> Leam
>>>
>>> --
>>> Mind on a Mission http://leamhall.blogspot.com/
 


Re: [Puppet Users] How to create hadoop directory vi puppet script.

2015-07-10 Thread Tom Limoncelli
fully qualified means the path to the command is included.  That is,
/usr/bin/cat is qualified.  cat is not.

exec {} commands have to be qualified (/usr/bin/cat) or you have to add
the parameter path and specify the path to the command.

I generally use the path parameter if the code will run on many different
operating systems, each with a different path.

More info:
https://docs.puppetlabs.com/references/latest/type.html#exec-attribute-path

Tom


On Thu, Jul 9, 2015 at 8:42 PM, Ayyanar <ayyanar@gmail.com> wrote:

> 1. exec { "/home/haas":
>      # command => "/usr/hdp/current/hadoop-yarn-nodemanager/sbin/yarn-daemon.sh stop resourcemanager",
>      command => "hadoop fs -mkdir -p /apps/hive/warehouse",
>      user    => haas
>    }
>
> Note: my site.pp file contain this code. while executing this command
> facing validation issue. how to solve this.
>
> 2. Error: Validation of Exec[/home/haas] failed: 'hadoop fs -mkdir -p
> /apps/hive/warehouse' is not qualified and no path was specified. Please
> qualify the command or specify a path. at /etc/puppet/manifests/site.pp:491
>
> Thanks,
> Ayyanar Thangaraj


-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



Re: [Puppet Users] Concat params along a node.

2015-07-06 Thread Tom Limoncelli
[ sorry for the late reply ]

Have you considered Exported Resources?
https://docs.puppetlabs.com/puppet/latest/reference/lang_exported.html

Tom


On Thu, Jun 11, 2015 at 4:21 PM, Albert Shih <albert.s...@obspm.fr> wrote:

> Hi,
>
> Let's say I have a module to manage something on a server so
>
>   modules/things/manifests/init.pp
>                           /addthing.pp
>
> the addthing.pp would be a define.
>
> And I use this « addthing » inside other module, how can I get the list of
> all thing I add. For example
>
>   class my_service {
>
>     include ::things
>
>     things::addthing { 'first': }
>     things::addthing { 'second': }
>     things::addthing { 'third': }
>
>     # and now I want inside $my_things a string like 'first, second, third'
>
>   }
>
> Regards.
>
> --
> Albert SHIH
> Heure local/Local time:
> jeu 11 jui 2015 22:14:50 CEST


-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



Re: [Puppet Users] Exposing master to the public internet

2015-07-06 Thread Tom Limoncelli
Google does this on a massive scale for the laptops they give to
employees.  Many of the details are in
http://research.google.com/pubs/pub43231.html

The key points are:
1.  SSL only.  All else is firewalled off.  (external clients actually talk
to a load balancer that is locked down and only forwards SSL-authenticated
connections to the master).
2.  Don't autosign your certs.
3.  When you sign certs, actually check the fingerprints
4.  The server cert AND the client cert must be signed (puppet cert takes
care of that for you).

Tom
(not a google employee, not speaking for google)


On Thu, Jul 2, 2015 at 3:51 PM, Nik Haldimann <n...@placemeter.com> wrote:

> Hi
>
> I have a fleet of headless devices to manage that are going to be deployed
> all over the place on various networks but connected to the public
> internet. I'm evaluating if it would make sense to manage them through
> puppet. I am able to run the puppet agent on the devices and I seem to be
> able to do things I would want to do, so on the surface this seems like a
> good idea.
>
> However, my impression is that a puppet master is usually deployed within
> a private network (e.g., internal to a data center or as part of a private
> VPC subnet on AWS). For my use case I would have to open the master to the
> public internet. What are the implications of this? Is this recommended or
> not? Are there specific settings I should be watching out for to make this
> secure?
>
> Nik


-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com
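
Key points 2 and 3 of the reply above (no autosigning, and checking fingerprints before signing), as an added example that is not part of the original thread. It assumes the device reports its CSR fingerprint out-of-band (for instance read from `puppet agent --fingerprint` at provisioning time) and that pending requests are listed as `"<certname>" (SHA256) <fingerprint>`; the certnames, fingerprints and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: sign a pending agent CSR only when the fingerprint held by
# the master equals the one read from the device over a separate channel.

# Constructed sample of pending requests, in the form assumed for
# `puppet cert list` output: "<certname>" (<digest>) <fingerprint>
SAMPLE_PENDING='  "device-0017.example.net" (SHA256) 6B:1F:0C:9E:42:A7:D3:58:90:BC:11:E4:7A:2D:F6:03:8C:55:B9:6E:21:CA:74:0F:D8:39:A1:5C:E7:82:4B:96
  "device-0018.example.net" (SHA256) C4:70:2E:9B:15:D6:83:AF:37:E1:5A:0D:BE:68:92:4C:F9:26:7D:B0:13:A5:EC:48:DF:01:96:3B:72:CE:54:8A'

# Upper-case a fingerprint and drop colons and whitespace so that
# "6b:1f:..." and "6B1F..." compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Succeed only for a well-formed SHA256 fingerprint (64 hex digits).
valid_sha256_fp() {
    vfp=$(normalize_fp "$1")
    [ "${#vfp}" -eq 64 ] || return 1
    case "$vfp" in
        *[!0-9A-F]*) return 1 ;;
    esac
    return 0
}

# Print the fingerprint of the pending request for exactly this certname.
# $1 = certname, $2 = listing text. Prints nothing when there is no request.
pending_fp() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;   # refuse unexpected characters
    esac
    printf '%s\n' "$2" |
        awk -v want="$1" '$1 == ("\"" want "\"") { print $3; exit }'
}

# Return 0 only if the out-of-band fingerprint matches the pending CSR.
# $1 = certname, $2 = fingerprint reported by the device, $3 = listing text.
csr_matches() {
    valid_sha256_fp "$2" || return 1
    on_master=$(pending_fp "$1" "$3") || return 1
    [ -n "$on_master" ] || return 1
    [ "$(normalize_fp "$on_master")" = "$(normalize_fp "$2")" ]
}

# Wrapper for a real master; defined here but never called by this file.
# Anything that does not match stays unsigned for a human to look at.
sign_if_verified() {
    if csr_matches "$1" "$2" "$(puppet cert list)"; then
        puppet cert sign "$1"
    else
        echo "refusing to sign $1: fingerprint missing or mismatched" >&2
        return 1
    fi
}
```

On the master this would be run per device as `sign_if_verified <certname> <fingerprint read from the device>`, with autosigning left off so that nothing is signed by any other path.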



[Puppet Users] puppet firewall module and more esoteric rules

2015-07-03 Thread Tom Boland

Hi all,

I've been looking at using the puppet firewall module to define the 
rules on a load balancer/proxy I'm working on.  Unfortunately, I don't 
think it's going to work, unless there's a workaround for the issue I've 
just found.


I'm looking at implementing the SYNPROXY guidelines in this RedHat article:

http://rhelblog.redhat.com/2014/04/11/mitigate-tcp-syn-flood-attacks-with-red-hat-enterprise-linux-7-beta/

I've attempted to implement a rule in iptables, and then use puppet 
resource to reverse engineer it in to puppet, and this is the result:


$ iptables -t raw -I PREROUTING -i eth0 -p tcp -m tcp --syn --dport 80 -j CT --notrack

$ puppet resource firewall
firewall { '9001 7b01864cb3bb80b99a31bd1e24ec43e9':
  ensure             => 'present',
  chain              => '80',
  checksum_fill      => 'false',
  clamp_mss_to_pmtu  => 'false',
  dport              => ['CT'],
  iniface            => '--tcp-flags',
  isfragment         => 'false',
  jump               => '--notrack',
  kernel_timezone    => 'false',
  physdev_is_bridged => 'false',
  proto              => 'FIN,SYN,RST,ACK SYN',
  random             => 'false',
  rdest              => 'false',
  reap               => 'false',
  rsource            => 'false',
  rttl               => 'false',
  socket             => 'false',
  table              => 'raw',
  time_contiguous    => 'false',
}

As you may see, the parameters are a bit jumbled.  The chain has the 
value for the port, and the dport has the value for the jump, the 
protocol has various TCP packet types rather than just 'tcp' etc etc.


Would anyone be able to suggest a way around this?

For the moment I'll look in to stopping the module purging existing 
rules and manage my SYNPROXY stuff outside of puppet.


Many thanks.  Tom.



[Puppet Users] PE Licensing

2015-07-01 Thread Tom Tucker
Is it true you can run PE and exceed the 10-node limit without purchasing
appropriate licenses from a business perspective?  The only down side
apparently is no support (technical or software). True?



Assuming it is, what is the advantage of using the community version then?
Just a faster release cycle with the community version?



Comments?



[Puppet Users] Re: PE Licensing

2015-07-01 Thread Tom Tucker
Disregard...PuppetLabs support confirms it is a violation of the 10 node
trial.

On Wed, Jul 1, 2015 at 2:06 PM, Tom Tucker tktuc...@gmail.com wrote:

 Is it true you can run PE and exceed the 10-node limit without purchasing
 appropriate licenses from a business perspective?  The only down side
 apparently is no support (technical or software). True?



 Assuming it is, what is the advantage of using the community version then?
 Just a faster release cycle with the community version?



 Comments?




Re: [Puppet Users] elegant way to hash a line in a file, if present

2015-06-30 Thread Tom Limoncelli
You'll want to create the file using file{} and then add require =>
File['/path/to/file'] so that the file is created before Puppet tries
to modify it.

You can do that with less typing by using the -> operator. For example:

  file { '/usr/share/X11/xorg.conf.d/glamor.conf':
    ensure => file,
    mode   => '0644',  # adjust as needed
    owner  => 'root',  # adjust as needed
    group  => 'root',  # adjust as needed
  }->
  file_line { 'hash_glamor':
    path  => '/usr/share/X11/xorg.conf.d/glamor.conf',
    line  => '#  Load  glamoregl',
    match => 'Load  glamoregl',
  }

Tom


On Mon, Jun 29, 2015 at 10:37 AM, Cam Mac iuco...@gmail.com wrote:
 Hi,

 I wanted to create a recipe for hashing a line in a file (I'd rather hash it
 than delete it), if the file is present and that particular line is present.
 I came up with a less than elegant solution and wondered whether
 someone knows of a better way.

 The file in question: /usr/share/X11/xorg.conf.d/glamor.conf
 The line in question (which needs to be commented):  Load  glamoregl

   exec { 'hash_glamor':
     path    => '/bin:/usr/sbin:/usr/bin',
     command => 'sed -i \'s/\(^\s*Load\s*\glamoregl\$\)/\#\1/\' /usr/share/X11/xorg.conf.d/glamor.conf',
     onlyif  => 'grep -E ^\s*Load\s*\glamoregl\$ /usr/share/X11/xorg.conf.d/glamor.conf',
   }

 I tried using the 'file_line' module:

   file_line { 'hash_glamor':
     path  => '/usr/share/X11/xorg.conf.d/glamor.conf',
     line  => '#  Load  glamoregl',
     match => 'Load  glamoregl',
   }

 but this returns an error if the file doesn't exist, and I couldn't find a
 way of adding a conditional that will check whether the file exists in the
 'file_line' module before it executes.

 Augeas could be a possibility, but I couldn't see a way of doing it in a
 simple way.

 Any suggestions welcome.

 Thanks,

 Cam




-- 
Email: t...@whatexit.orgWork: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



Re: [Puppet Users] Is this the right way of doing it?

2015-06-30 Thread Tom Limoncelli
If you add a parameter to a define, it is important to provide a default
that lets current code work without being modified.  If there is no
default, then any current user of the define will get an error.  This is
how one makes changes but retains backwards compatibility.

I'm not sure I understand the question, so apologies in advance if this is
not the answer you are looking for.

Is the concern that every time you call this define you will have to repeat
many, many parameters with the same values, with only a few being
different?  If that is the case, you can define some resource defaults.

Webhosting::Php::Spip {
  ensure        => $variable1,
  configuration => $variable2,
  uid           => $variable3,
}

Now any time you call webhosting::php::spip(), you don't have to give the
ensure, configuration, or uid parameters if you want them to be $variable1,
$variable2, and $variable3 respectively.
(Note: These defaults have scope; they are not global.  More details are in
https://docs.puppetlabs.com/puppet/latest/reference/lang_defaults.html#area-of-effect)
You can still override these new defaults by providing the parameters.

Hope that helps,
Tom

On Thu, Jun 11, 2015 at 10:22 AM, Sergiu Cornea 
s.cor...@my.westminster.ac.uk wrote:

 Good afternoon guys,

 I have been assigned with the task of creating something like this:
 https://github.com/duritong/puppet-webhosting/tree/master/manifests
  which I successfully implemented however, in order to add an extra
 variable you will have to add it in all your module manifests, say for
 example you want to add a debug variable you will need to add it in each
 manifest file. My question is if this is the right way to approach this? Or
 is there a better solution?

 define webhosting::php::spip( $ensure = present, $configuration = {}, $uid
 = 'absent', $uid_name = 'absent', $gid = 'uid', $gid_name = 'absent',
 $user_provider = 'local', $password = 'absent', $password_crypted = true,
 $domainalias = 'www', $server_admin = 'absent', $logmode = 'default',
 $owner = root, $group = 'sftponly', $run_mode = 'normal', $run_uid = '
 absent', $run_uid_name = 'absent', $run_gid = 'absent', $run_gid_name = '
 absent', $watch_adjust_webfiles = 'absent', $user_scripts = 'absent',
 $user_scripts_options = {}, $wwwmail = false, $allow_override = 'FileInfo'
 , $do_includes = false, $options = 'absent', $additional_options = 'absent
 ', $default_charset = 'absent', $ssl_mode = false, $php_settings = {},
 $php_options = {}, $vhost_mode = 'template', $template_partial = 'absent',
 $vhost_source = 'absent', $vhost_destination = 'absent', $htpasswd_file =
 'absent', $nagios_check = 'ensure', $nagios_check_domain = 'absent',
 $nagios_check_url = '/', $nagios_check_code = '200', $nagios_use = '
 generic-service', $mod_security = true,){
 Thank you for your help!

 Regards,
 Cip





-- 
Email: t...@whatexit.orgWork: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



[Puppet Users] How do modules plan on dealing with Puppet 3.x incompatibilities?

2015-06-30 Thread Tom Limoncelli
Suppose I maintain a public module.  I'd like to start using some
Puppet 4.x language features. This means that anyone that uses this
module can't use the new version of the module until they also adopt
Puppet 4.x.

What is the best way to address this?

Some ideas that have been tossed around internally on my team:

-- Increment the major version number and declare that 3.x users
shouldn't upgrade to the new major version.
-- Restrict our usage of the new features to ones that are compatible
with the future parser and assume that 3.x users will enable the
future parser. (This means more testing for us, which is difficult
since we don't want to maintain a Puppet 3.x master any in the
future.)
-- Change the name of the module and encourage Puppet 4.x users to
switch to the module name when they want the more advanced features.
(this seems like the worst option)

I'm sure there are other options that we haven't thought of too.

Is there a recommended process?

Thanks,
Tom

-- 
Email: t...@whatexit.orgWork: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



Re: [Puppet Users] PuppetDB Sizing

2015-06-26 Thread Tom Tucker
Chris,
Thanks for the detailed response.  BTW did you deploy HA, load balancing,
etc on the Postgres side?

Cheers

On Thu, Jun 25, 2015 at 11:11 PM, Christopher Wood 
christopher_w...@pobox.com wrote:

 Somewhere past 700 nodes (still puppetizing) our 1-core, 2GB-RAM
 puppetmasters and 2-core, 2GB-RAM puppetdb host started showing signs of
 overload (ssl/connect errors in agent logs, catalog/report mismatches in
 puppetdb). I augmented the VMs with hardware to stop the complaints and
 later on went off tuning. I moved the puppetmasters up to 4-core 8GB-RAM
 and the puppetdb host is now 4-core 16GB-RAM. Definitely rattling around in
 them now but there's lots of room for growth.

 For scaling/tuning, among others:


 https://ask.puppetlabs.com/question/13433/how-should-i-tune-passenger-to-run-puppet/

 https://docs.puppetlabs.com/puppetdb/latest/scaling_recommendations.html

 https://docs.puppetlabs.com/guides/scaling.html

 http://activemq.apache.org/scaling-queues.html

 http://activemq.apache.org/javalangoutofmemory.html

 After all that I analyzed catalogs across the deployment and found that
 the datacat usage in the mcollective module (now
 https://github.com/puppet-community/puppet-mcollective) was an abominable
 percentage of the total number of resources. The firewall type (
 https://github.com/puppetlabs/puppetlabs-firewall) was 3% of the total
 resources. Since it takes less horsepower to puppet up fewer things I
 figure there will be a benefit in some judicious refactoring here and
 there. (Templates instead of file_line, iptables config instead of firewall
 resources, et cetera.)

 However, I figure there's a benefit in a conversion effort to cram things
 into puppet first and sort them out later. I had a good time just throwing
 hardware at the problem to start and then tuning after the bulk of hosts
 were converted to puppet management. People at companies where incremental
 hardware use is expensive may want to tune early and shrink manifests more
 aggressively.

 On Thu, Jun 25, 2015 at 08:16:31PM -0400, Tom Tucker wrote:
 Assuming 2,500 Linux clients running Puppet community edition 3.8.
 Any
 sizing recommendation for a PuppetDB system in regards to disk size
 for
 the DB, CPU, Memory, etc.
 Thank you for your time and feedback.
 




[Puppet Users] PuppetDB Sizing

2015-06-25 Thread Tom Tucker
Assuming 2,500 Linux clients running Puppet community edition 3.8.  Any
sizing recommendation for a PuppetDB system in regards to disk size for the
DB, CPU, Memory, etc.

Thank you for your time and feedback.



Re: [Puppet Users] Re: what is actually undefined method 'include?' for nil:NilClass on node error?

2015-06-17 Thread Tom Noonan
Good catch.  Out of curiosity, what led you to look at file sizes
in /var/lib/puppet/yaml/node?  Based on your initial problem
description that is not where I would have been looking to troubleshoot.

On Wed, 17 Jun 2015 07:11:09 -0700 (PDT)
Ed Deloye edel...@gmail.com wrote:

 Discovered truncated yaml files on the puppet master in 
 /var/lib/puppet/yaml/node for the 24 systems. Identified as each one
 was 4096 bytes. After deleting those files puppet runs successfully
 on the nodes.
 
 On Thursday, May 29, 2014 at 3:57:49 PM UTC-4, Sans wrote:
 
   I have two identical nodes - serv106 and serv107 - one of which is 
  working just fine but the other one failing with these error
  message:
 
  err: Could not retrieve catalog from remote server: Error 400 on
  SERVER: 
  undefined method `include?' for nil:NilClass on node 
  warning: Not using cache on failed catalog
  err: Could not retrieve catalog; skipping run
 
 
 
  running puppet master in the foreground, I see these on the screen: 
 
  err: undefined method `include?' for nil:NilClass on node
  err: undefined method `include?' for nil:NilClass on node
  debug: Received report to process from serv106.syst.local
  debug: Processing report from serv106.syst.local with processor 
  Puppet::Reports::Store
  debug: Processing report from serv106.syst.local with processor 
  Puppet::Reports::Http
  err: Report processor failed: Connection refused - connect(2)
  debug: Processing report from serv106.syst.local with processor 
  Puppet::Reports::Log
  err: //serv106.syst.local/Puppet: Could not retrieve catalog from
  remote server: Error 400 on SERVER: undefined method `include?'
  for nil:NilClass on node
  warning: //serv106.syst.local/Puppet: Not using cache on failed
  catalog err: //serv106.syst.local/Puppet: Could not retrieve
  catalog; skipping run
 
 
 
  a bit of google-search suggested that removing certificates from
  both master and the agent (and recreating afterwards) is the
  solution to this issue. Which I did but no joy so far. Has anyone
  ever seen this error before or know what I'm doing wrong here?
  Any help/pointer would be greatly appreciated. 
 
  Best!
 
 



[Puppet Users] Puppet introducing instability to Docker on Debian Jessie

2015-06-15 Thread Tom Noonan
I'm seeing a bug that appears to be a bad interaction between Puppet
and SystemD on Debian Jessie that causes my Docker daemon to go
unavailable.  I'm running both Docker and Puppet from upstream:

root@docker0:~# dpkg --list | grep 'lxc-docker\|puppet'
ii  facter 2.4.4-1puppetlabs1all  
Ruby module for collecting simple facts about a host operating system
ii  hiera  1.3.4-1puppetlabs1all  A 
simple pluggable Hierarchical Database.
ii  lxc-docker 1.6.2 amd64
Linux container runtime
ii  lxc-docker-1.6.2   1.6.2 amd64
Linux container runtime
ii  puppet 3.8.1-1puppetlabs1all  
Centralized configuration management - agent startup and compatibility scripts
ii  puppet-common  3.8.1-1puppetlabs1all  
Centralized configuration management
ii  puppetlabs-release 1.0-11   all 
 Package to install Puppet Labs gpg key and apt repo

For this test I've stripped my manifest down to the minimum: only a
service declaration for Docker on the node:

node docker0.tjnii.com {
  #Debug
  service { 'docker':
    ensure => running,
    enable => true,
  }
}

Docker is started by Puppet via SystemD without issue:

root@docker0:~# puppet agent --test
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for docker0.tjnii.com
Info: Applying configuration version '1434419985'
Notice: /Stage[main]/Main/Node[docker0.tjnii.com]/Service[docker]/ensure:
ensure changed 'stopped' to 'running'Info: 
/Stage[main]/Main/Node[docker0.tjnii.com]/Service[docker]: Unscheduling refresh 
on Service[docker]
Notice: Finished catalog run in 0.88 seconds

root@docker0:~# systemctl status docker
● docker.service - Docker Application Container Engine
   Loaded: loaded (/lib/systemd/system/docker.service; disabled)
  Drop-In: /etc/systemd/system/docker.service.d
   service-overrides.conf
   Active: active (running) since Mon 2015-06-15 20:01:45 MDT; 32s ago
 Docs: http://docs.docker.com
 Main PID: 25160 (docker)
   CGroup: /system.slice/docker.service
   25160 /usr/bin/docker -d -H fd://

Snip Logs

root@docker0:~# docker ps
CONTAINER IDIMAGE   COMMAND CREATED 
STATUS  PORTS   NAMES
root@docker0:~# ps awwfux | grep [d]ocker
root 25160  0.6  0.9 273044 14984 ?Ssl  20:01   0:00 
/usr/bin/docker -d -H fd://
root@docker0:~# ls /var/run/docker.sock -l
srw-rw 1 root docker 0 Jun 15 20:01 /var/run/docker.sock


After a few Puppet daemon runs (I haven't nailed it down to a fixed number,
perhaps a race?) Puppet will think Docker is down and try and restart it:

Jun 15 20:32:35 docker0 puppet-agent[1271]: 
(/Stage[main]/Main/Node[docker0.tjnii.com]/Service[docker]/ensure) ensure 
changed 'stopped' to 'running'
Jun 15 20:32:35 docker0 puppet-agent[1271]: Finished catalog run in 1.10 seconds

This will replace the socket with a new file:

root@docker0:~# ls /var/run/docker.sock -l
srw-rw 1 root docker 0 Jun 15 20:32 /var/run/docker.sock

However the Docker daemon is not restarted.  Note that the pid hasn't
changed from when it was initially started:

root@docker0:~# ps awwfux | grep [d]ocker
root 25160  0.4  1.1 557024 17008 ?Ssl  20:01 0:11 /usr/bin/docker 
-d -H fd://

So after Puppet tries to start the service it looks like the Docker daemon
becomes disconnected from its socket.  Puppet is exacerbating this, if I stop
Puppet Docker is stable.  I'm wondering if this has something to do with the
docker.socket SystemD service, but I don't know enough about SystemD to
troubleshoot that.

This is the SystemD config from Docker:

root@docker0:~# systemctl cat docker.service
# /lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target docker.socket
Requires=docker.socket

[Service]
ExecStart=/usr/bin/docker -d -H fd://
MountFlags=slave
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/docker.service.d/service-overrides.conf
[Service]
EnvironmentFile=-/etc/default/docker
root@docker0:~# systemctl cat docker.socket
# /lib/systemd/system/docker.socket
[Unit]
Description=Docker Socket for the API
PartOf=docker.service

[Socket]
ListenStream=/var/run/docker.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker

[Install]
WantedBy=sockets.target

I'm not sure if this is a Puppet bug, SystemD bug, or Docker bug.  Has anyone
else seen behaviour like this with Puppet and SystemD?

--Tom Noonan II


[Puppet Users] MCollective - Restricted Access

2015-06-04 Thread Tom Tucker
Is it possible to limit which node can execute mco related commands?
Ideally I would only want an admin node(s) to have this level of access.

Thanks in advance,

# rpm -qa | egrep 'mcol|pupp'
puppetserver-1.0.8-1.el6.noarch
mcollective-service-common-3.1.3-1.el6.noarch
mcollective-2.8.2-1.el6.noarch
mcollective-puppet-common-1.10.0-1.el6.noarch
mcollective-nettest-agent-3.0.4-1.el6.noarch
mcollective-package-agent-4.4.0-1.el6.noarch
mcollective-client-2.8.2-1.el6.noarch
mcollective-service-agent-3.1.3-1.el6.noarch
mcollective-puppet-client-1.10.0-1.el6.noarch
mcollective-nettest-common-3.0.4-1.el6.noarch
mcollective-nettest-client-3.0.4-1.el6.noarch
mcollective-package-common-4.4.0-1.el6.noarch
mcollective-package-client-4.4.0-1.el6.noarch
puppetlabs-release-6-11.noarch
puppet-3.8.1-1.el6.noarch
mcollective-common-2.8.2-1.el6.noarch
mcollective-service-client-3.1.3-1.el6.noarch
mcollective-puppet-agent-1.10.0-1.el6.noarch
mcollective-facter-facts-1.0.0-1.noarch
puppet-server-3.8.1-1.el6.noarch



[Puppet Users] MCollective - Unable to see/interact with client nodes

2015-06-02 Thread Tom Tucker
Puppet Peeps,

I am tinkering with the community edition of Puppet (version info below)
with MCollective.  In my environment I want to test basic MCollective
functionality without the SSL overhead.

Everything looks fine in the logs, but when I run ‘mco ping’ from either
the client or server I only see that single node in the output.  Assuming I
run this from the master node running ActiveMQ and MCollective, how do I
interact/see with my other clients?

MCO ping example from the server
##
server# mco ping
server.mydomain.pem  time=19.03 ms

 ping statistics 
1 replies max: 19.03 min: 19.03 avg: 19.03
server#

Client/Server Data
##
server# rpm -qa | egrep -i 'pup|mcol'
puppetserver-1.0.8-1.el6.noarch
mcollective-service-common-3.1.3-1.el6.noarch
mcollective-2.8.2-1.el6.noarch
mcollective-puppet-common-1.10.0-1.el6.noarch
mcollective-nettest-agent-3.0.4-1.el6.noarch
mcollective-client-2.8.2-1.el6.noarch
mcollective-service-agent-3.1.3-1.el6.noarch
mcollective-puppet-client-1.10.0-1.el6.noarch
mcollective-nettest-common-3.0.4-1.el6.noarch
mcollective-nettest-client-3.0.4-1.el6.noarch
puppetlabs-release-6-11.noarch
puppet-3.8.1-1.el6.noarch
mcollective-common-2.8.2-1.el6.noarch
mcollective-service-client-3.1.3-1.el6.noarch
mcollective-puppet-agent-1.10.0-1.el6.noarch
mcollective-facter-facts-1.0.0-1.noarch
puppet-server-3.8.1-1.el6.noarch
server#



server# cat /etc/mcollective/server.cfg | grep -v '^$' | grep -v '^#'
daemonize = 1
securityprovider = psk
plugin.psk = unset
connector = activemq
direct_addressing = 1
plugin.activemq.pool.size = 1
plugin.activemq.pool.1.host = server.mydomain.com
plugin.activemq.pool.1.port = 61613
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = mysexypassword

identity = server.mydomain.com.pem
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
classesfile = /var/lib/puppet/state/classes.txt

collectives = mcollective
main_collective = mcollective

registerinterval = 600

rpcaudit = 1
rpcauditprovider = logfile
plugin.rpcaudit.logfile = /var/log/mcollective-audit.log

logger_type = file
loglevel = info
logfile = /var/log/mcollective.log
keeplogs = 5
max_log_size = 2097152
logfacility = user

libdir = /usr/libexec/mcollective
server#







client# rpm -qa | egrep -i '^pup|^mco'
mcollective-common-2.8.2-1.el5
mcollective-puppet-client-1.10.0-1.el5
puppet-3.8.1-1.el5
mcollective-service-client-3.1.3-1.el5
mcollective-client-2.8.2-1.el5
puppetlabs-release-5-11
mcollective-puppet-common-1.10.0-1.el5
mcollective-service-common-3.1.3-1.el5
client#

client#cat /etc/mcollective/client.cfg | grep -v '^$' | grep -v '^#'
securityprovider = psk
plugin.psk = unset
connector = activemq
plugin.activemq.pool.size = 1
plugin.activemq.pool.1.host = server.mydomain.com
plugin.activemq.pool.1.port = 61613
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = sexypassword
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml

default_discovery_method = mc
direct_addressing_threshold = 10
ttl = 60
color = 1
rpclimitmethod = first

collectives = mcollective
main_collective = mcollective

libdir = /usr/libexec/mcollective

logger_type = console
loglevel = warn
client#



[Puppet Users] Sort by IP in ERB (related to puppetlabs-haproxy and MODULES-1919)

2015-04-07 Thread Tom Limoncelli
The puppetlabs-haproxy module has a minor annoyance whereby the
bind statements are sorted lexicographically instead of by IP
address.  (Full description here:
https://tickets.puppetlabs.com/browse/MODULES-1919)

My attempt to fix this bug was to change the ERB template:

diff --git a/templates/fragments/_bind.erb b/templates/fragments/_bind.erb
index e60983a..a04d021 100644
--- a/templates/fragments/_bind.erb
+++ b/templates/fragments/_bind.erb
@@ -1,6 +1,6 @@
 % require 'ipaddr' -%
 %- if @bind -%
-%- @bind.sort.map do |address_port, bind_params| -%
+%- @bind.sort_by { |address_port, bind_params|
address_port.split('.').map{ |octet| octet.to_i} }.map do
|address_port, bind_params| -%
   bind %= address_port -% %= Array(bind_params).join( ) %
 %- end -%
 %- else -%
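
Review bot: in the added @bind.sort_by line, the key address_port.split('.').map{ |octet| octet.to_i} never looks at the port. If a key has the form address:port, as the variable name and the bind line below it suggest, the last element is something like "1:80" and to_i returns 1, so two binds on the same address with different ports get identical sort keys. sort_by is not a stable sort, and Ruby 1.8.7 does not guarantee Hash iteration order while 1.9 iterates in insertion order, so the order of such ties can differ between Ruby versions. Suggest splitting the address from the port first and sorting on a key such as [octets, port.to_i], and deciding explicitly where non-IPv4 keys (a wildcard, a hostname, an IPv6 literal) should sort, since to_i turns each of their pieces into 0. The context line requires 'ipaddr', but the new expression does not use it.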

This works.  However, the results are slightly different on old
versions of Ruby.  If you look at the TravisCI output, you'll see
slightly different results for Ruby 1.8.7.  It looks like something
changed in Ruby 1.9.

https://travis-ci.org/puppetlabs/puppetlabs-haproxy/builds/57502529

I don't have a lot of deep Ruby knowledge. Can anyone suggest either a
way to fix the code or the test?

Thanks!
Tom

-- 
Email: t...@whatexit.orgWork: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



[Puppet Users] Generating firewall rules without connection tracking.

2015-04-07 Thread Tom Limoncelli
The puppetlabs-firewall module has a provider called firewall{} which
builds a rule.  I've written a wrapper that either calls it (without
any changes) or, if track => false, generates an equivalent set of
rules that does not use the Linux firewall connection tracking
mechanism.  This is useful if you are a high-volume web site and
connection tracking has become a resource hog.

When track => false, four rules are generated instead:

1. the raw table, chain=PREROUTING, same source and destination, jump=NOTRACK.
2. the raw table, chain=OUTPUT, swap the source and destination, jump=NOTRACK.
3. the filter table, chain=INPUT, same source and destination.
4. the filter table, chain=OUTPUT, swap the source and destination.

NOTE: However if this is an OUTPUT rule, swap the chain in 1 and 2,
and 3 and 4. If you are using ipsets, reverse them in rules 2 and 4.
(Easy to remember, right?)

You can generate these 4 rules by hand, but it is error prone...
especially if you are making many such rules.

My employer (Stack Exchange, Inc.) has graciously given me permission to
open source it:
https://github.com/StackExchange/stackexchange-superfirewall

Enjoy!

Tom

-- 
Email: t...@whatexit.orgWork: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com
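
The four-rule expansion described in the message above, sketched in Ruby as an added example (it is not code from stackexchange-superfirewall or puppetlabs-firewall). The hash keys and helper names are assumptions of this sketch, ports are swapped together with their addresses, the sample rule is constructed, and ipsets are not handled:

```ruby
# Added illustration. The hash keys (:chain, :source, :dport, :action, ...) and
# the helper names are assumptions of this sketch, not the module's parameters.

# Raw-table chain that sees the same packets as a given filter-table chain:
# inbound packets pass raw/PREROUTING, locally generated ones pass raw/OUTPUT.
RAW_CHAIN = { 'INPUT' => 'PREROUTING', 'OUTPUT' => 'OUTPUT' }.freeze
OPPOSITE  = { 'INPUT' => 'OUTPUT', 'OUTPUT' => 'INPUT' }.freeze

# Mirror a rule so that it matches the reply traffic: source and destination
# are swapped. Ports move with their addresses (assumption of this sketch).
def reverse_direction(rule)
  rule.merge(source: rule[:destination], destination: rule[:source],
             sport: rule[:dport], dport: rule[:sport])
end

# Expand one logical rule into the four untracked rules, in the order the
# message lists them. For an OUTPUT rule the chains of 1/2 and 3/4 trade places.
def untracked_rules(rule)
  chain = rule.fetch(:chain)
  raise ArgumentError, "unsupported chain #{chain.inspect}" unless RAW_CHAIN.key?(chain)

  action  = rule.fetch(:action)
  forward = rule.reject { |key, _| key == :action }
  reverse = reverse_direction(forward)
  back    = OPPOSITE[chain]
  [
    forward.merge(table: 'raw',    chain: RAW_CHAIN[chain], jump: 'NOTRACK'),
    reverse.merge(table: 'raw',    chain: RAW_CHAIN[back],  jump: 'NOTRACK'),
    forward.merge(table: 'filter', chain: chain,            jump: action),
    reverse.merge(table: 'filter', chain: back,             jump: action)
  ]
end

# Render one expanded rule as iptables arguments, for review or diffing.
def to_iptables(rule)
  if (rule[:sport] || rule[:dport]) && rule[:proto].nil?
    raise ArgumentError, 'port matches need a protocol'
  end

  args = ['-t', rule[:table], '-A', rule[:chain]]
  args += ['-p', rule[:proto]]         if rule[:proto]
  args += ['-s', rule[:source]]        if rule[:source]
  args += ['-d', rule[:destination]]   if rule[:destination]
  args += ['--sport', rule[:sport].to_s] if rule[:sport]
  args += ['--dport', rule[:dport].to_s] if rule[:dport]
  args += ['-j', rule[:jump]]
  args.join(' ')
end

# Constructed sample: allow HTTPS from a documentation-range network.
SAMPLE_RULE = {
  chain: 'INPUT', proto: 'tcp',
  source: '198.51.100.0/24', destination: '203.0.113.10',
  dport: 443, action: 'ACCEPT'
}.freeze

if __FILE__ == $PROGRAM_NAME
  untracked_rules(SAMPLE_RULE).each { |r| puts "iptables #{to_iptables(r)}" }
end
```

Without the two filter rules for the reply direction, untracked return packets have no conntrack state to match and would fall through to the chain's default policy.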



[Puppet Users] Use of hash in a conditional assignment doesn't work

2015-03-24 Thread Tom Limoncelli
I'd like to assign $v one hash if $y == 'foo' and a different hash if
$y == 'bar'.  However it seems like conditional assignments aren't
permitted.

$ puppet --version
3.7.3

$ cat -n hash-condeq.pp
 1 $y = 'foo'
 2
 3 $v = $y ? {
 4  'foo' => { 'x' => 'xfoo', 'y' => 'yfoo', },
 5  'bar' => { 'x' => 'xbar', 'y' => 'ybar', }
 6 }
 7
 8 notice($v)
 9 notice($v['y'])
$ puppet apply hash-condeq.pp
Error: Could not parse for environment production: Syntax error at
'{'; expected '}' at /tmp/hash-condeq.pp:4 on node
ny-tlim01.ds.stackexchange.com
Error: Could not parse for environment production: Syntax error at
'{'; expected '}' at /tmp/hash-condeq.pp:4 on node
ny-tlim01.ds.stackexchange.com

If I do it the long way and use a case statement, it works:

$ cat -n hash-case.pp
 1 $y = 'foo'
 2
 3 case $y {
 4  'foo': {
 5  $v = { 'x' => 'xfoo', 'y' => 'yfoo', }
 6  }
 7  'bar': {
 8  $v = { 'x' => 'xbar', 'y' => 'ybar', }
 9  }
10 }
11
12 notice($v)
13 notice($v['y'])
$ puppet apply hash-case.pp
Notice: Scope(Class[main]): xxfooyyfoo
Notice: Scope(Class[main]): yfoo
Notice: Compiled catalog for ny-tlim01.ds.stackexchange.com in
environment production in 0.06 seconds
Notice: Finished catalog run in 0.02 seconds

Is there a way to do this with conditional assignments?  I'm updating
code that has a lot of conditional assignments and the data structure
is changing from an array to a hash. The conversion is going to be a
lot more work if there is no syntax that permits conditional
assignment of hashes.

Thanks!
Tom

-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



Re: [Puppet Users] Re: Use of hash in a conditional assignment doesn't work

2015-03-24 Thread Tom Limoncelli
On Tue, Mar 24, 2015 at 1:11 PM, Nick Howes nickho...@gmail.com wrote:
 On Tuesday, 24 March 2015 15:22:16 UTC, Tom Limoncelli wrote:

 I'd like to assign $v one hash if $y == 'foo' and a different hash if
 $y == 'bar'.  However it seems like conditional assignments aren't
 permitted.

 $ puppet --version
 3.7.3

 $ cat -n hash-condeq.pp
  1 $y = 'foo'
  2
  3 $v = $y ? {
  4  'foo' => { 'x' => 'xfoo', 'y' => 'yfoo', },
  5  'bar' => { 'x' => 'xbar', 'y' => 'ybar', }
  6 }
  7
  8 notice($v)
  9 notice($v['y'])
 $ puppet apply hash-condeq.pp


 I know most people have a lot of manifests that would be a pain to upgrade,
 but your example works fine in the new parser (`--parser future`) among
 other improvements. If that's an option for you at all I'd recommend it.

This afternoon I figured out a solution that is less verbose.
However, it is good to know this will be fixed in  `--parser future`.

Thanks!
Tom

-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



Re: [Puppet Users] Copying a hash with changes

2015-03-04 Thread Tom Limoncelli
On Sat, Feb 28, 2015 at 2:25 PM, Dan White d_e_wh...@icloud.com wrote:

 $new_hash = {
   'log' => "${log_ip} local0",
 }

 $global_options = merge ( $haproxy::params::global_options, $new_hash )


Thanks, Dan!  I'll do that while I wait for Puppet 4.0 (or when I can use
the future parser).

On Sun, Mar 1, 2015 at 6:37 PM, Henrik Lindberg 
henrik.lindb...@cloudsmith.com wrote:

 In Puppet 4.0 (and in 3x with parser=future) you can do this (i.e. merge a
 hash) directly in the Puppet Language:

 $global_options = $haproxy::params::global_options + {
   'log' => "${log_ip} local0"
 }


Henrik, that's great!  I look forward to that addition to Puppet!

Tom
-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



[Puppet Users] Copying a hash with changes

2015-02-28 Thread Tom Limoncelli
I want to copy a hash to a variable but change some settings along the way.

For example:

I have $haproxy::params::global_options (which is a hash) and I want
to create a copy with some changes.

I tried this:
  $global_options = $haproxy::params::global_options += {
    'log' => "${log_ip} local0",
  }
But that gives me:
Error: Syntax error at '+='; expected '}' at ...

If I do:
  $global_options = $haproxy::params::global_options
  $global_options['log'] = "${log_ip} local0"
This gives me:
Error: Assigning to the hash 'global_options' with an existing key
'log' is forbidden

Suggestions?

Tom

-- 
Email: t...@whatexit.org    Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



[Puppet Users] SSL Cert automation for service

2015-01-04 Thread Tom Noonan
Hello, list:
   I'm looking for information/tutorials on using Puppet to generate
SSL certs for a service managed by Puppet, not Puppet itself.  What I
would like to do is give Puppet access to internal CA keys and have it
generate and sign certs for services it manages.  This will allow me to
use CA certs for trust without the pain of hand managing my CA.
   I'm hoping someone has trod this path and can provide pointers, as
this is difficult to Google as I'm not interested in Puppet's internal
certs.  Thanks.

--Tom Noonan II



[Puppet Users] Filebucket

2014-10-29 Thread Tom Tucker
Hello. I have a file bucket question.  I believe I have file bucket
configured correctly.  I am able to back up a changed file and restore it.  My
question is how do I get a list of files for a particular host or revisions
for a particular file?


Thanks

Info: /Stage[main]/Sudo/File[/etc/sudoers]: Filebucketed /etc/sudoers to
main with sum a22374b27a4cde79f8416648e567a77c



[Puppet Users] Calling external modules

2014-10-03 Thread Tom Tucker
I am trying to call another class that is not located in the current
working directory.  What is the correct way of doing this?


$mypath/modules/web_app/init.pp

if $hostname =~ /^some_www_regex$/ {

include some_class_A
include some_class_B
include app_tier::class_A  # Doesn't work...trying to call an external
class...
 }


Thank you for your  time,



[Puppet Users] Re: Calling external modules

2014-10-03 Thread Tom Tucker
Disregard...

In my app_tier::class_A file I needed to define the class::module.

#cat class_A.pp
class app_tier::class_A {
blah




[Puppet Users] Git Repo Strategy

2014-09-30 Thread Tom Tucker
I just got back from PuppetConf last week and several presenters mentioned
using more than one Git repo with Puppet.  Some even recommend having a
repo per module.  For our initial Puppet deployment this seems a bit
excessive.  My plan was to have three repos for each of our environments
(Dev, QA and Production).  The contents of these repos would contain Puppet
Enterprise directory of /etc/puppetlabs/puppet.



Deployment strategy

-   Upload changes to Dev repo
-   Deploy Dev changes to Dev master
-   Test
-   Merge Dev changes to QA repo
-   Rinse and repeat

Thoughts? Any tips for a Puppet and Git newbie in regards to file
hierarchy, Git repo strategies, etc.

Thank you in advance,

Tom


Sample tree and repo of /etc/puppetlabs/puppet

# tree *
auth.conf
autosign.conf
console.conf   # File excluded this is site specific.  We will have a unique Puppet master for each env.
environments
├── development
│   ├── hieradata
│   │   └── environmentX.yaml
│   ├── manifests
│   │   └── site.pp
│   └── modules
└── production
fileserver.conf
hieradata
├── defaults.yaml
├── master.mydomain.com.yaml
└── production.yaml
hiera.yaml [error opening dir]
manifests
├── hieradata
│   └── hostgroups.yaml
└── site.pp
modules
├── custom
puppet.conf   # File excluded this is site specific.  We will have a unique Puppet master for each env.
puppetdb.conf   # File excluded this is site specific.  We will have a unique Puppet master for each env.
routes.yaml
ssl # Directory excluded this is site specific

 extra lines removed


# cat hiera.yaml
---
:hierarchy:
  - "hieradata/fqdn/%{::fqdn}"
  - "%{environment}/%{::osfamily}"
  - "%{environment}/hieradata/%{::network_location}"
  - "%{environment}/hieradata/%{::systemrole}"
  - hieradata/common

:backends:
  - yaml

:yaml:
  :datadir: /etc/puppetlabs/puppet/environments



[Puppet Users] Based way to exclude systems?

2014-09-24 Thread Tom Tucker
I would like to use a profile that would be applied against all Linux based
systems to ensure they have an appropriate /etc/ntp.conf based on their
data center location as defined by Hiera.  My question is how do I deploy
this client based ntp.conf to all Linux systems, but also ensure my four
Linux based NTP servers feeding these clients continue to have unique server
based NTP configs?

In other words

I have four data centers and 2000+ systems.  If you are a Linux system and
not marked as an NTP server then use this client ntp.conf.

What is the best way to achieve such?

Thanks in advance,



[Puppet Users] PE 3.3 - Could not find class

2014-08-10 Thread Tom Tucker

I've been chasing this for a few hours.  I created my own user management 
module and Puppet can't find it.  I must be overlooking something obvious 
here.  Module path, ownership, permission, etc. have all been checked.  Any 
ideas?


Info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/hostint.rb
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: 
Could not find class sismon_account for dpupmstr4901.domain.com on node 
dpupmstr4901.domain.com
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run



# Init passes validation

[root@dpupmstr4901 manifest]# puppet parser validate init.pp
[root@dpupmstr4901 manifest]# 

# modulepath
##
[root@dpupmstr4901 manifest]# puppet config print modulepath
/etc/puppetlabs/puppet/modules:/opt/puppet/share/puppet/modules



[root@dpupmstr4901 rc3.d]# cd -
/etc/puppetlabs/puppet/modules/sismon_account/manifest

[root@dpupmstr4901 manifest]# ls
init.pp


[root@dpupmstr4901 manifest]# cat init.pp 
class sismon_account {

  file { "/data/home":
    ensure => directory,
  }

  group { 'sismon':
    ensure => present,
    gid    => 3997,
  }

  user { "sismon":
    ensure           => present,
    comment          => "sismon@${hostname}",
    gid              => 3997,
    home             => "/data/home/sismon",
    password         => "*",
    password_max_age => 9,
    password_min_age => 0,
    shell            => "/bin/bash",
    uid              => 3997,
    managehome       => true,
  }

  file { "/data/home/sismon/.ssh":
    ensure => directory,
    owner  => 3997,
    group  => 3997,
    mode   => 0775,
  }

  file { "/data/home/sismon/.ssh/authorized_keys":
    owner  => 3997,
    group  => 3997,
    mode   => 0400,
    source => "puppet://$::server/modules/sismon_account/data/home/sismon/.ssh/authorized_keys",
  }

}



[Puppet Users] Re: PE 3.3 - Could not find class

2014-08-10 Thread Tom Tucker
/.puppet/ssl/ca/requests]{:path=/var/lib/peadmin/.puppet/ssl/ca/requests,
 
:mode=755, :ensure=:directory, :loglevel=:debug, :links=:follow, 
:backup=false}'
Debug: Using settings: adding file resource 'signeddir': 
'File[/var/lib/peadmin/.puppet/ssl/ca/signed]{:path=/var/lib/peadmin/.puppet/ssl/ca/signed,
 
:mode=755, :ensure=:directory, :loglevel=:debug, :links=:follow, 
:backup=false}'
Debug: Using settings: adding file resource 'capass': 
'File[/var/lib/peadmin/.puppet/ssl/ca/private/ca.pass]{:path=/var/lib/peadmin/.puppet/ssl/ca/private/ca.pass,
 
:mode=640, :ensure=:file, :loglevel=:debug, :links=:follow, 
:backup=false}'
Debug: Using settings: adding file resource 'serial': 
'File[/var/lib/peadmin/.puppet/ssl/ca/serial]{:path=/var/lib/peadmin/.puppet/ssl/ca/serial,
 
:mode=644, :ensure=:file, :loglevel=:debug, :links=:follow, 
:backup=false}'
Debug: Using settings: adding file resource 'cert_inventory': 
'File[/var/lib/peadmin/.puppet/ssl/ca/inventory.txt]{:path=/var/lib/peadmin/.puppet/ssl/ca/inventory.txt,
 
:mode=644, :ensure=:file, :loglevel=:debug, :links=:follow, 
:backup=false}'
Debug: /File[/var/lib/peadmin/.puppet/ssl/ca/ca_crt.pem]: Autorequiring 
File[/var/lib/peadmin/.puppet/ssl/ca]
Debug: /File[/var/lib/peadmin/.puppet/ssl/ca/ca_key.pem]: Autorequiring 
File[/var/lib/peadmin/.puppet/ssl/ca]
Debug: /File[/var/lib/peadmin/.puppet/ssl/ca/ca_pub.pem]: Autorequiring 
File[/var/lib/peadmin/.puppet/ssl/ca]
Debug: /File[/var/lib/peadmin/.puppet/ssl/ca/ca_crl.pem]: Autorequiring 
File[/var/lib/peadmin/.puppet/ssl/ca]
Debug: /File[/var/lib/peadmin/.puppet/ssl/ca/private]: Autorequiring 
File[/var/lib/peadmin/.puppet/ssl/ca]
Debug: /File[/var/lib/peadmin/.puppet/ssl/ca/requests]: Autorequiring 
File[/var/lib/peadmin/.puppet/ssl/ca]
Debug: /File[/var/lib/peadmin/.puppet/ssl/ca/signed]: Autorequiring 
File[/var/lib/peadmin/.puppet/ssl/ca]
Debug: /File[/var/lib/peadmin/.puppet/ssl/ca/private/ca.pass]: 
Autorequiring File[/var/lib/peadmin/.puppet/ssl/ca/private]
Debug: /File[/var/lib/peadmin/.puppet/ssl/ca/serial]: Autorequiring 
File[/var/lib/peadmin/.puppet/ssl/ca]
Debug: /File[/var/lib/peadmin/.puppet/ssl/ca/inventory.txt]: Autorequiring 
File[/var/lib/peadmin/.puppet/ssl/ca]
Debug: Finishing transaction 30373520
Debug: Using cached certificate for ca
Debug: Using cached certificate for ca
Debug: Using cached certificate for dpupmstr4901.domain.com
Debug: Using settings: adding file resource 'pidfile': 
'File[/var/lib/peadmin/.puppet/var/run/master.pid]{:path=/var/lib/peadmin/.puppet/var/run/master.pid,
 
:ensure=:file, :loglevel=:debug, :links=:follow, :backup=false}'
Debug: Finishing transaction 29941320
Notice: Starting Puppet master version 3.6.2 (Puppet Enterprise 3.3.0)




[Puppet Users] Re: PE 3.3 - Could not find class

2014-08-10 Thread Tom Tucker
Thanks, Chris.  It was a typo with the manifests name.



[Puppet Users] CF3 to PE 3.3 - Hiera Question

2014-08-06 Thread Tom Tucker

I’m in the process of migrating from CFEngine 3 to PE 3.3 so please pardon 
me if my terminology is off.

With CFEngine I could build arrays, define a hostname regex  or define 
network segment variables to gain further control.  How do you do this with 
Hiera?

CFEngine Examples
###
"web_regex" expression => classmatch("^web\d+$");
"mail_servers_array" or => { "mailA", "mailB", "mailC", "someSYS", "someSYS2" };
"DC1_DEV_NET" or => { "ipv4_10_225_172" };
"DC2_QA_NET" or => { "ipv4_10_224_136" };

For example….
If your hostname matches the “web_regex” and you reside in the DC2_QA_NET 
 then do X, Y and Z.

Thanks in advance for your time and assistance.  

Tom



[Puppet Users] Re: SSL error when after restarting httpd. CA information missing/or wrong?

2014-07-08 Thread Tom Hallam
It took a bit of digging - but I did work out what the issue was.  I'll give 
the solution first and then an overview of how I diagnosed the issue.  It 
may be useful to others with SSL issues.

I was running Puppet on a Red Hat server.  By default Red Hat installs an 
SSL configuration in /etc/httpd/conf.d. The Puppet server's default 
configuration is also installed in /etc/httpd/conf.d and loads before the 
SSL configuration.  I'd moved the puppet configuration (a virtual host / 
site ) to /etc/httpd/sites-available so it now loads after the SSL 
configuration and is in the same location as other sites / virtual hosts.  
Unfortunately the default Red Hat SSL configuration includes a virtual host 
with a self signed certificate.  Unlike other SSL configuration these are 
not commented out.  

SSL certificates are selected on a per IP basis.  The first one loaded by 
Apache for an IP takes precedence.  The Red Hat SSL certificate was 
therefore loading and the one in the Puppet configuration was being 
silently ignored.  The solution was simple: comment out the unused virtual 
host configuration in the default Red Hat SSL configuration.

I'll follow up later on how I debugged this issue.

Tom



[Puppet Users] Re: SSL error when after restarting httpd. CA information missing/or wrong?

2014-07-08 Thread Tom Hallam
OK, so this is a straight line version of how I debugged the issue.  There 
were a couple more dead ends than described here.

The first thing to notice is the error. I was getting: certificate verify 
failed: [self signed certificate for 
/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ECM-RHL-001/emailAddress=root@ECM-RHL-001.
This told me a couple of things:

   - The certificate verification was failing.
   - The identity given in the certificate was:
     /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ECM-RHL-001/emailAddress=root@ECM-RHL-001.

I checked the configuration of the Puppet virtual site.  It all looked OK. 
I then turned to openssl (https://www.openssl.org/docs/apps/x509.html) to 
check the certificates.  I used the following (substituting the certificate 
file for cert.pem) to print out the server and CA certificates used in the 
configuration:

openssl x509 -in cert.pem -noout -text 

I decided to have a look at the certificates I got if I connected to the 
server.  Again openssl is your friend (
http://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server).
  
I ran the following with output to separate files for the WEBrick and 
Apache servers.

openssl s_client -showcerts -connect ecm-rhl-001:8140 </dev/null >WEBrick.certs
openssl s_client -showcerts -connect ecm-rhl-001:8140 </dev/null >Apache.certs


This gave me 2 files each with 2 certificates in it.  The first certificate 
is the server certificate and the second is the CA certificate. A brief 
inspection of the files showed that the first certificate was different 
whilst the second the same: ie the server certificates differed but the CA 
certificates were the same. I confirmed this further by splitting each 
certificate out to a separate file and using openssl to print text 
representations as per check on configured certificates above.

So where were the different certificates coming from?  Openssl (again) lets 
me print out an md5 for a certificate and a private key.  The md5 will 
match for matching certificates and keys.

openssl x509 -noout -modulus -in signed/ecm-rhl-001.pem | openssl md5
openssl rsa -noout -modulus -in private_keys/ecm-rhl-001.pem | openssl md5

This allowed me to check that the certificate and private keys matched.  It 
also gave me a quick way to check what keys the certificates that I 
retrieved from the servers matched.  All checked out OK.  I still could not 
locate the elusive certificate that was being returned by the Apache 
server.  I checked a number of possible keys and 

So I went back to look at the Apache configuration and checked all of them 
for 'SSLCertificateFile' using grep. This showed that the SSL 
Configuration had a certificate defined in it by default.  A quick check 
using the previous Openssl commands showed that it matched the one returned 
by the Apache server.  A few comments to remove the unwanted site from the 
Apache configuration and everything was working again.

I've installed ssl on a number of Apache servers (debian package, ubuntu 
package and compiled from source) over the last 15 years or so and this is 
the first time the ssl configuration has included a live ssl virtual host 
definition.

Tom
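
An added example, not code from the posts above or from Puppet: a Python check for the cause found in this thread. It reads Apache configuration text in load order and reports each address:port where more than one active virtual host sets SSLCertificateFile, naming the first as the certificate served and the rest as ignored, following the post's explanation. The file paths, port and certificate names in the sample input are constructed.

```python
import re
from collections import defaultdict

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"</VirtualHost\s*>", re.IGNORECASE)
CERT_FILE = re.compile(r"SSLCertificateFile\s+(\S+)", re.IGNORECASE)

# Constructed sample input: (path, text) pairs in the order Apache would load
# them. Paths, port and certificate names are assumptions for illustration,
# simplified so that both virtual hosts share one address:port.
SAMPLE_CONFIGS = [
    ("/etc/httpd/conf.d/ssl.conf", """\
<VirtualHost *:8140>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
"""),
    ("/etc/httpd/sites-available/puppetmaster.conf", """\
<VirtualHost *:8140>
    SSLEngine on
    SSLCertificateFile /var/lib/puppet/ssl/certs/ecm-rhl-001.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/ecm-rhl-001.pem
</VirtualHost>
"""),
]


def parse_vhosts(configs):
    """Return active SSL virtual hosts, in load order, from (path, text) pairs."""
    vhosts = []
    for path, text in configs:
        current = None
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # commented-out directives are inactive
            opened = VHOST_OPEN.match(line)
            if opened:
                current = {"file": path, "line": lineno,
                           "addrs": opened.group(1).split(), "cert": None}
                continue
            if VHOST_CLOSE.match(line):
                if current and current["cert"]:
                    vhosts.append(current)
                current = None
                continue
            cert = CERT_FILE.match(line)
            if cert and current is not None:
                current["cert"] = cert.group(1).strip('"')
    return vhosts


def find_shadowed(configs):
    """Report address:port values where a later vhost's certificate differs
    from the first one loaded for the same address:port."""
    by_addr = defaultdict(list)
    for vhost in parse_vhosts(configs):
        for addr in vhost["addrs"]:
            by_addr[addr].append(vhost)
    findings = []
    for addr, group in by_addr.items():
        effective = group[0]
        shadowed = [v for v in group[1:] if v["cert"] != effective["cert"]]
        if shadowed:
            findings.append({"addr": addr, "effective": effective,
                             "shadowed": shadowed})
    return findings


def comment_out(text):
    """Return config text with every line commented out (the post's fix)."""
    return "\n".join("#" + line for line in text.splitlines())


if __name__ == "__main__":
    for finding in find_shadowed(SAMPLE_CONFIGS):
        eff = finding["effective"]
        print(f"{finding['addr']}: serving {eff['cert']} "
              f"({eff['file']}:{eff['line']})")
        for vhost in finding["shadowed"]:
            print(f"  ignored: {vhost['cert']} "
                  f"({vhost['file']}:{vhost['line']})")
```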




[Puppet Users] SSL error when after restarting httpd. CA information missing/or wrong?

2014-06-25 Thread Tom Hallam
Hi everybody

I've been running puppet under Apache/Passenger for some time.  I restarted 
Apache this morning and I'm getting the following error:

---
[root@ecm-rhl-032 ~]# puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will 
continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate 
B: certificate verify failed: [self signed certificate for 
/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ECM-RHL-001/emailAddress=root@ECM-RHL-001]
Info: Retrieving pluginfacts
---

If I switch back to the WEBrick server it all works...
Apache/Passenger configuration has not been changed.

Digging into SSL, it looks like the CA information is missing when I run 
Apache/Passenger but not when I run WEBrick.

Where does WEBrick get its Certificate information from?  How do I check 
what values it's using?
Where does the Puppet agent get its Certificate information from?  How do I 
check what values it's using?

Tom



[Puppet Users] Re: MySQL Module Root Password issue RHEL6

2014-04-23 Thread Tom Ford
We are having exactly the same problem on Debian Wheezy - did you ever find 
a solution Justin?

We have set root_password to the new password we want to use and 
old_root_password => ''. The /.my.cnf is created with the root password but 
root's password is still blank (if you check the mysql.user table, 
password column to confirm).
In addition setting remove_default_accounts => true is not deleting the 
default mysql accounts or the test database.

Any ideas?


On Thursday, 6 February 2014 02:55:19 UTC, Justin Sevier wrote:

 Hi All,

 I did search and found this article before I posted:  
 https://groups.google.com/forum/#!searchin/puppet-users/mysql$20root/puppet-users/nEZ9bDcaBJE/4O0hN459g9oJ

 Unfortunately there really wasn't a resolution as far as I can see.  


 *The situation:*I am trying to setup a test environment to evaluate if 
 Puppet will work to automate my deployments.  I deployed a couple vm's from 
 my templates which have RHEL 6 and MySQL is already pre-installed.  I am 
 trying to get MySQL installed with a root password but it appears to not be 
 working.  I have run the following to try and remove all traces of MySQL:

 yum remove mysql 
 rm -f /etc/my.cnf
 rm -rf /var/lib/mysql
 rm -rf /etc/mysql
 rm -rf /etc/mysql/conf.d
 rm -f /var/log/mysqld.log.rpmsave
 rm -rf /var/backup/mysql
 rm -f /etc/cron.daily/mysqlbackup
 rm -f /root/.mysql_history
 rm -f /.my.cnf

 When I attempt to install with Puppet MySQL installs but I can login with 
 no password.  The /.my.cnf file is created with the correct password but 
 even if I try to login with it using mysql -uroot -p and specify the 
 password it fails.  It really seems as though the password is NOT being 
 set?  

 I am using the following in my site.pp for testing:

 class { '::mysql::server':
   root_password    => 'passwordtest',
   override_options => { 'mysqld' => { 'max_connections' => '1024' } }
 }

 Below you'll find the complete output of the debug run.  I'm hoping 
 someone can point me in the right direction as I haven't been able to 
 figure this out now for a few days.


 debug: /Stage[main]/Mysql::Server::Config/before: requires 
 Class[Mysql::Server::Service]
 debug: /File[/etc/mysql/conf.d]/notify: subscribes to 
 Class[Mysql::Server::Service]
 debug: /Stage[deploy_app]/before: requires Stage[deploy]
 debug: /Stage[main]/Mysql::Server::Install/before: requires 
 Class[Mysql::Server::Config]
 debug: /Stage[main]//require: requires Class[Stdlib]
 debug: /File[/.my.cnf]/require: requires Mysql_user[root@localhost]
 debug: /Stage[setup_app]/before: requires Stage[deploy_app]
 debug: /Stage[main]/Mysql::Server::Providers/before: requires 
 Anchor[mysql::server::end]
 debug: /Stage[setup]/before: requires Stage[main]
 debug: /File[/etc/my.cnf]/notify: subscribes to 
 Class[Mysql::Server::Service]
 debug: /Stage[main]/Mysql::Server/Anchor[mysql::server::start]/before: 
 requires Class[Mysql::Server::Install]
 debug: /Stage[main]/Mysql::Server::Service/before: requires 
 Class[Mysql::Server::Root_password]
 debug: /File[/etc/httpd/conf.d/ewh.conf]/notify: subscribes to 
 Service[httpd]
 debug: /File[/etc/mysql]/notify: subscribes to 
 Class[Mysql::Server::Service]
 debug: /Stage[main]/Mysql::Server::Root_password/before: requires 
 Class[Mysql::Server::Providers]
 debug: /Stage[setup_infra]/before: requires Stage[deploy_infra]
 debug: /Stage[runtime]/require: requires Stage[main]
 debug: /Stage[runtime]/before: requires Stage[setup_infra]
 debug: /Stage[deploy_infra]/before: requires Stage[setup_app]
 debug: /File[/etc/mysql/conf.d]: Autorequiring File[/etc/mysql]
 debug: /Schedule[daily]: Skipping device resources because running on a 
 host
 debug: /Schedule[monthly]: Skipping device resources because running on a 
 host
 debug: /Schedule[hourly]: Skipping device resources because running on a 
 host
 debug: /Schedule[never]: Skipping device resources because running on a 
 host
 debug: Prefetching yum resources for package
 debug: Puppet::Type::Package::ProviderYum: Executing '/bin/rpm --version'
 debug: Puppet::Type::Package::ProviderYum: Executing '/bin/rpm -qa 
 --nosignature --nodigest --qf '%{NAME} %|EPOCH?{%{EPOCH}}:{0}| %{VERSION} 
 %{RELEASE} %{ARCH}
 ''
 debug: Puppet::Type::Package::ProviderYum: Executing '/bin/rpm -q 
 mysql-server --nosignature --nodigest --qf %{NAME} %|EPOCH?{%{EPOCH}}:{0}| 
 %{VERSION} %{RELEASE} %{ARCH}
 '
 debug: Package[mysql-server](provider=yum): Ensuring = present
 debug: Puppet::Type::Package::ProviderYum: Executing '/usr/bin/yum -d 0 -e 
 0 -y install mysql-server'
 debug: Puppet::Type::Package::ProviderYum: Executing '/bin/rpm -q 
 mysql-server --nosignature --nodigest --qf %{NAME} %|EPOCH?{%{EPOCH}}:{0}| 
 %{VERSION} %{RELEASE} %{ARCH}
 '
 notice: /Stage[main]/Mysql::Server::Install/Package[mysql-server]/ensure: 
 created
 debug: /Stage[main]/Mysql::Server::Install/Package[mysql-server]: The 
 container Class[Mysql::Server::Install] will propagate my refresh event
 debug: 

Re: [Puppet Users] Re: MySQL Module Root Password issue RHEL6

2014-04-23 Thread Tom Ford
/.my.cnf is correct, /root/.my.cnf is never created.
I am using puppet 2.7.23 from the debian wheezy repositories, I think the 
problem is that the 2.X versions of the puppetlabs/mysql module are not 
fully compatible with this version of puppet. I think perhaps it is missing 
some facts or other feature - strange that it does not error though!

On Wednesday, 23 April 2014 20:06:31 UTC+1, Cristian Falcas wrote:

 Is this a typo? 
 rm -f /.my.cnf 

 I think it should be /root/.my.cnf 

 Best regards 
 Cristian Falcas 



Re: [Puppet Users] Emergency Certificate Revocation Procedure

2014-04-09 Thread Tom

Hi Matthew,

Use your imagination.  Puppet is not directly accessible to the 
internet, but there are puppet clients which are.  Shared web servers, 
mail servers etc.  I'm paid to be paranoid..


Thanks.  Tom.

On 08/04/14 20:43, Matthew Burgess wrote:



On 8 Apr 2014 09:29, Tom t...@t0mb.net wrote:

 Hi,

 In light of the recently publicised vulnerability in OpenSSL 
versions provided on RHEL6/CentOS6 http://heartbleed.com/, do you have 
any recommendations on a procedure to regenerate new master 
certificates and then revoke, clean and re-sign all client SSL 
certificates?


Whilst I can't offer any direct answer to your question, and agree 
that it's a generally useful thing to have in the toolbox, I'm 
slightly inquisitive as to why you feel that action is necessary for 
this vulnerability. Is your Puppet Master accessible publicly via 
the Internet and if so, why is that? If it isn't directly accessible 
via the Internet who/what is it that you think could have exploited 
the vulnerability?


Thanks,

Matt



Re: [Puppet Users] Emergency Certificate Revocation Procedure

2014-04-09 Thread Tom

Thank you Nan,

It looks like Puppet Labs have recognised the importance of this, and I 
guess this thread should defer to the guidance that Eric Sorenson just 
posted to the list!


Thank you for your help!

Tom.

On 08/04/14 15:01, Nan Liu wrote:
On Tue, Apr 8, 2014 at 12:57 AM, Tom t...@t0mb.net wrote:



In light of the recently publicised vulnerability in OpenSSL
versions provided on RHEL6/CentOS6 (http://heartbleed.com/),
do you have any recommendations on a
procedure to regenerate new master certificates and then revoke,
clean and re-sign all client SSL certificates?

I think it'd be great in my organisation to have a bullet proof
procedure for the future, as well as getting around this current
problem.

Thanks for any assistance.


Puppet Labs had a CVE around a puppet master certificate issue. It 
only replaces the master cert, but from what I recall a module 
automates this step. You can see if the remediation tool kit is still 
suitable for this purpose:


http://puppetlabs.com/security/cve/cve-2011-3872

http://puppetlabs.com/security/cve/cve-2011-3872/faq#q9
http://puppetlabs.com/security/cve/cve-2011-3872/faq#q11

Thanks,

Nan


[Puppet Users] Emergency Certificate Revocation Procedure

2014-04-08 Thread Tom

Hi,

In light of the recently publicised vulnerability in OpenSSL versions 
provided on RHEL6/CentOS6 (http://heartbleed.com/), do you have any 
recommendations on a procedure 
to regenerate new master certificates and then revoke, clean and re-sign 
all client SSL certificates?


I think it'd be great in my organisation to have a bullet proof 
procedure for the future, as well as getting around this current problem.


Thanks for any assistance.

Tom.



[Puppet Users] Re: Puppet fails to run if ruby1.8 is not installed.

2014-04-04 Thread Tom Poulton
I was running into this problem as well so I ran:

sudo cp -r /usr/lib/ruby/site_ruby/1.8/* /usr/local/share/ruby/site_ruby/2.0/

/usr/local/share/ruby/site_ruby/2.0/ is part of the $LOAD_PATH so I figured 
why not stick the files in there and see what happens, now I can run 
*puppet --version* plus *facter ipaddress* etc. That's all I've run so far so 
there might be some weirdness down the line, but it's a start!?

It would be better if it was a symlink or something so you wouldn't have to 
run this again after a yum update, but hopefully puppetlabs will release a 
new RPM soon that works, I'm guessing they will now that AWS are running 
ruby 2.0.0 as default!?



[Puppet Users] hiera_config ignored if in an environment block

2014-04-02 Thread Tom Blich
Per-environment Blocks

Blocks named for environments 
(http://docs.puppetlabs.com/guides/environment.html) are 
the most specific, and can override settings in the run mode blocks. Only a 
small number of settings (specifically: modulepath, manifest, manifestdir, 
and templatedir) can be set in a per-environment block; any other settings 
will be ignored and read from a run mode or main block.


Any idea of when hiera_config might be one of these variables that can be 
put in environment blocks? 

puppet config print shows that they've changed, but they are not utilized.

Unless I'm missing something.




Thanks,
Tom




[Puppet Users] Using Puppet with a self-signed ssl certificate

2014-03-26 Thread Tom Albrecht
The corporate environment I'm in is doing ssl decryption on their traffic, 
and therefore requires a corporate self-signed ssl certificate to be 
installed on any clients throughout the enterprise.

I have a puppet server (CentOS 6.5) with the cert installed, and the agent 
on the server will no longer connect to itself.  I get the following error:

[root@foo certs]# puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will 
continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate 
B: certificate verify failed: [self signed certificate in certificate chain 
for ...]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources 
using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read 
server certificate B: certificate verify failed: [self signed certificate 
in certificate chain for ...]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect 
returned=1 errno=0 state=SSLv3 read server certificate B: certificate 
verify failed: [self signed certificate in certificate chain for ...] Could 
not retrieve file metadata for puppet://taisrsvr01/plugins: SSL_connect 
returned=1 errno=0 state=SSLv3 read server certificate B: certificate 
verify failed: [self signed certificate in certificate chain for ...]
Error: Could not retrieve catalog from remote server: SSL_connect 
returned=1 errno=0 state=SSLv3 read server certificate B: certificate 
verify failed: [self signed certificate in certificate chain for ...]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 
read server certificate B: certificate verify failed: [self signed 
certificate in certificate chain for ...]

The ... is information on the self-signed cert.  I've already been 
banging my head just trying to get the whole ssl cert stuff working, and 
it's very possible I screwed something up.

Any ideas?



[Puppet Users] SSL Certificate errors - Migrating from build in webserver to Apache and Passenger

2014-03-22 Thread Tom Hallam


Hi All


I've been running Puppet using the built-in web server and I'm now moving 
to Apache and Passenger.  I've completed the installation and started 
testing. If I run


puppet agent --test --noop


I get the following error (domain removed)


Warning: Unable to fetch my node definition, but the agent run will 
continue:

Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate 
B: certificate verify failed: [certificate signature failure for 
/CN=ecm-rhl-001...]

Info: Retrieving plugin

Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources 
using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read 
server certificate B: certificate verify failed: [certificate signature 
failure for /CN=ecm-rhl-001...]

Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect 
returned=1 errno=0 state=SSLv3 read server certificate B: certificate 
verify failed: [certificate signature failure for /CN=ecm-rhl-001] 
Could not retrieve file metadata for puppet://puppet/plugins: 
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: 
certificate verify failed: [certificate signature failure for 
/CN=ecm-rhl-001...]

Error: Could not retrieve catalog from remote server: SSL_connect 
returned=1 errno=0 state=SSLv3 read server certificate B: certificate 
verify failed: [certificate signature failure for /CN=ecm-rhl-001...]

Warning: Not using cache on failed catalog

Error: Could not retrieve catalog; skipping run

Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 
read server certificate B: certificate verify failed: [certificate 
signature failure for /CN=ecm-rhl-001...]

If I turn apache off and the built in webserver back on it all works.


The server I'm running puppet on has a CNAME puppet that 
points to its real name ecm-rhl-001.  Apache site is configured with 
ecm-rhl-001... as the servername and  puppet... as server alias.  The 
system returns 'ecm-rhl-001' for hostname and  'ecm-rhl-001' for 
hostname -f.  The certificate has ecm-rhl-001... as its CN and 
puppet... as one of its alt names.  Obviously the cert is OK as it 
works with the built-in webserver. It looks like I'm missing something in 
the apache SSL or Passenger configuration but I have no idea what.


I've tried various permutations of servername and serveralias without 
success.  Changing the server name in the agent configuration so it uses 
the real name instead of the CNAME also does not fix the issue.


Any suggestions?


Tom



[Puppet Users] Re: SSL Certificate errors - Migrating from build in webserver to Apache and Passenger

2014-03-22 Thread Tom Hallam
Hi

Just tried

openssl s_client -connect puppet...:8140 -showcerts </dev/null >/tmp/file


To get the certificates from each server and they are not the same.  I've 
checked /etc/puppet/ssl and the Passenger configuration is giving me the 
same certificates as are in there.  Can't find ones that match WEBrick's 
certificates.


Tom



Re: [Puppet Users] SSL Certificate errors - Migrating from build in webserver to Apache and Passenger

2014-03-22 Thread Tom Hallam
Ahh, those lines are different.  The ones I have point to 
/etc/puppet/ssl  Yep, the cert you've just pointed to look like they 
match what I'm getting from WebBrick.  


On Sunday, 23 March 2014 01:59:50 UTC+8, Spencer Krum wrote:

 You should have several lines in your apache vhost pointing to specific 
 ssl certs. Can you verify that all these paths are correct?

 Specifically the lines beginning with SSL in 
 http://docs.puppetlabs.com/guides/passenger.html#create-and-enable-the-puppet-master-vhost




 -- 
 Spencer Krum
 (619)-980-7820 




Re: [Puppet Users] SSL Certificate errors - Migrating from build in webserver to Apache and Passenger

2014-03-22 Thread Tom Hallam
Hi Spencer

That's fixed the ssl issue.  Not sure where I got the /etc/puppet/ssl... 
from.  

I've got some access denied issues now.  Trace them down another day

Thanks for the help

Tom

On Sunday, 23 March 2014 02:16:12 UTC+8, Tom Hallam wrote:

 Ahh, those lines are different.  The ones I have point to 
 /etc/puppet/ssl  Yep, the cert you've just pointed to look like they 
 match what I'm getting from WebBrick.  




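The cause found in this thread was an Apache vhost whose SSL* lines pointed at a different certificate directory than the one the working WEBrick master used. As an added example (not code from the thread or from Puppet Labs), this shell function lists the mod_ssl file directives in a vhost that fall outside a given ssldir; the sample vhost, the hostname puppet.example.test and the /var/lib/puppet/ssl value are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit an Apache vhost for mod_ssl file directives that
# point outside the Puppet master's ssldir.

# audit_vhost_ssl VHOST_FILE SSLDIR
# Prints "<line-no>: <Directive> <path>" for every offending directive.
# Returns 0 if all SSL file directives live under SSLDIR, 1 if any does
# not, 2 if the file is unreadable or holds no SSL file directive.
audit_vhost_ssl() {
    vhost=$1
    ssldir=${2%/}                      # drop one trailing slash
    [ -r "$vhost" ] || { echo "cannot read $vhost" >&2; return 2; }
    awk -v ssldir="$ssldir" '
        BEGIN {
            # Apache directive names are case-insensitive; compare lowercased.
            n = split("sslcertificatefile sslcertificatekeyfile " \
                      "sslcertificatechainfile sslcacertificatefile " \
                      "sslcarevocationfile", d, " ")
            for (i = 1; i <= n; i++) want[d[i]] = 1
            # Compare against "ssldir/" so that ssldir-old does not match.
            prefix = ssldir "/"
        }
        /^[ \t]*#/ { next }            # skip commented-out lines
        {
            name = tolower($1)
            if (!(name in want)) next
            seen++
            path = $2
            gsub(/^"|"$/, "", path)    # strip surrounding double quotes
            if (substr(path, 1, length(prefix)) != prefix) {
                printf "%d: %s %s\n", NR, $1, path
                bad++
            }
        }
        END {
            if (!seen) exit 2
            exit (bad ? 1 : 0)
        }
    ' "$vhost"
}

# write_sample_vhost FILE CERTDIR
# Writes a constructed vhost whose SSL paths all sit under CERTDIR.
write_sample_vhost() {
    cat > "$1" <<EOF
# Constructed sample vhost for this example; not taken from the thread.
Listen 8140
<VirtualHost *:8140>
    SSLEngine on
    SSLCertificateFile      $2/certs/puppet.example.test.pem
    SSLCertificateKeyFile   $2/private_keys/puppet.example.test.pem
    SSLCertificateChainFile $2/ca/ca_crt.pem
    SSLCACertificateFile    $2/ca/ca_crt.pem
    SSLCARevocationFile     $2/ca/ca_crl.pem
    SSLVerifyClient optional
</VirtualHost>
EOF
}

# Demo on constructed input. On a real master, take the second argument
# from the master itself, e.g. "puppet config print ssldir" (assumption:
# run as the same user and run mode as the master).
tmp=$(mktemp -d)
write_sample_vhost "$tmp/puppetmaster.conf" /etc/puppet/ssl
audit_vhost_ssl "$tmp/puppetmaster.conf" /var/lib/puppet/ssl \
    || echo "audit exit status: $?"
rm -rf "$tmp"
```

A non-zero result means Apache is configured to read certificate, key, CA or CRL files from somewhere other than the master's ssldir, which is the condition that produced the "certificate signature failure" errors above.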


[Puppet Users] puppet agent gives error undefined method `empty?' for nil:NilClass

2014-02-25 Thread Tom Hanstra
I have a puppet master which has over 50 puppet agents talking to it just 
fine.  But I have one particular server on which the agent, after 
connecting and exchanging keys, gives the following error:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: 
undefined method `empty?' for nil:NilClass at 
/etc/puppet/modules/server/iptables/manifests/init.pp:7 on node 
curatevanilla.library.nd.edu
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

Having read other posts, and knowing that we do use hiera, this looks like 
a hiera problem.  If I comment out classes which don't use hiera, the agent 
will run them all.  But add any in which use hiera and that will be the 
class which fails (iptables above is just the first one it hits).

How do I best track down where the problem really is?  I have made sure 
that the /etc/hiera.yaml file is in place and it matches other servers 
which work.  I've tried clearing out /var/lib/puppet on the server and 
letting that get rebuilt.  If I move /var/lib/hiera out of the way, it does 
not get rebuilt, probably because the download does not get that far.  Any 
suggestions on what might allow me to find the conflict. 

Thanks,
Tom



[Puppet Users] package conflict resolution method:

2013-11-01 Thread Tom Noonan
Hello, list:
I have two puppet modules that are unrelated to each other, but
both have (unrelated) Python scripts that parse YAML.  As such, both
have a block like the following in their manifests for the PyYAML script
dependency:

  package { 'PyYAML':
    ensure => installed,
  }

If I try and include both modules on the same server this
causes an obvious conflict as the PyYAML package is now defined in two
different package{} blocks.
Can the list please advise on what best practice is in this
case?  I'd prefer not to create a whole other module just to do a class
dependency for PyYAML, but if that is best practice so be it.  Please
let me know if I'm overlooking any other solutions.  Thanks!

--Tom N.





Re: [Puppet Users] package conflict resolution method:

2013-11-01 Thread Tom Noonan
That looks like a good solution, thanks!

On Fri, 1 Nov 2013 14:11:44 -0700
Ryan Coleman r...@puppetlabs.com wrote:

 On Fri, Nov 1, 2013 at 2:03 PM, Tom Noonan t...@tjnii.com wrote:
 
  Can the list please advise on what best practice is in this
  case?
 
 
 Hi Tom,
 
 The puppetlabs/stdlib module includes the ensure_packages() and
 ensure_resource() functions. Both are intended for expressing common
 resources which will only be included in your catalog if they're not
 already in it. You can read more about it here:
 http://forge.puppetlabs.com/puppetlabs/stdlib
 
 

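The ensure_packages() approach suggested in the reply above, sketched for two unrelated modules. This is an added example, not code from the thread; the module names yamlreport and yamlaudit, the script paths and the node name are hypothetical, and puppetlabs/stdlib is assumed to be installed on the master.

```puppet
# modules/yamlreport/manifests/init.pp  (hypothetical module)
class yamlreport {
  # Adds Package['PyYAML'] to the catalog only if no identical
  # declaration is already present, so a second module can make
  # the same call without a duplicate declaration error.
  ensure_packages(['PyYAML'])

  file { '/usr/local/bin/yamlreport.py':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0755',
    source  => 'puppet:///modules/yamlreport/yamlreport.py',
    # The reference resolves whichever module declared the package first.
    require => Package['PyYAML'],
  }
}

# modules/yamlaudit/manifests/init.pp  (hypothetical module)
class yamlaudit {
  # Same call, same (default) parameters as in yamlreport.
  ensure_packages(['PyYAML'])

  file { '/usr/local/bin/yamlaudit.py':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0755',
    source  => 'puppet:///modules/yamlaudit/yamlaudit.py',
    require => Package['PyYAML'],
  }
}

# site.pp: both classes on one node now compile into a single
# Package['PyYAML'] resource.
node 'server01.example.com' {
  include yamlreport
  include yamlaudit
}

# Caveat: ensure_resource() only de-duplicates when the type, title
# and parameters all match. If one module calls
#   ensure_resource('package', 'PyYAML', { 'ensure' => 'installed' })
# and another calls
#   ensure_resource('package', 'PyYAML', { 'ensure' => 'latest' })
# the second call tries to declare the package again and the catalog
# fails with a duplicate declaration error. Keep the call and its
# parameters identical in every module that shares the dependency.
```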


[Puppet Users] Re: Upgraded to Puppet 3.3.1 and custom facts broke

2013-10-22 Thread Tom Limoncelli
I found the issue.  It turns out to be related to the use of Rack on
the Puppet Master.

I'll document the issue so the mailing list archive can help others.


Tom


On Tue, Oct 22, 2013 at 12:20 AM, Tom Limoncelli t...@whatexit.org wrote:
 I upgraded to puppet 3.3.1 and my clients can no longer access custom
 facts or types.  pluginsync = true in [main] for both clients and the
 server.  I suspect a problem with pluginsync because the master is
 able to load the custom facts.

 I looked at syslog on both machines and didn't find any error or
 warning messages; just the usual messages minus the ones about loading
 custom facts.

 The first run after the upgrade resulted in messages about deleting
 the custom facts (filebucketing them).  That makes me suspect
 fileserver.conf.  According to our git repo, none of the *.conf files
 changed.  Did their interpretation change?

 puppet agent -t -d -v doesn't show anything unusual (except the
 missing lines about syncing)

 Where should I start looking to debug this?

 Thanks,
 Tom
 P.S. I'm using CentOS6.4.

 --
 Email: t...@whatexit.org  Work: tlimonce...@stackoverflow.com
 Skype: YesThatTom
 Blog:  http://EverythingSysadmin.com



-- 
Email: t...@whatexit.org  Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



[Puppet Users] Re: Upgraded to Puppet 3.3.1 and custom facts broke

2013-10-22 Thread Tom Limoncelli
I found the issue.  It turns out to be related to the use of Rack on
the Puppet Master.

I'll document the issue so the mailing list archive can help others:

When upgrading to Puppet 3.0.0 the release notes say that config.ru
needs to be updated:
http://docs.puppetlabs.com/puppet/3/reference/release_notes.html#break-puppet-master-rack-configuration-is-changed

If you don't make those changes, there is a chance that things will
continue to work.  At least at our site it seems to have continued to
work.  I guess we were lucky.  However some change between 3.2.4 and
3.1.1 made those changes required.

Without those changes, in particular the line with --confdir, the
Puppet Master is pointing to the wrong directory and is unable to do
its job.  However there are no errors or warnings.  The first symptom
is that custom facts and types (and maybe more) are deleted at the
next client run.  The other symptom is that if you turn off Rack and
run puppet master directly things start to work (of course, without
all the benefits of Rack).

Updating the file as specified in the URL above and restarting Rack
fixes the problem.

Tom

On Tue, Oct 22, 2013 at 12:20 AM, Tom Limoncelli t...@whatexit.org wrote:
 I upgraded to puppet 3.3.1 and my clients can no longer access custom
 facts or types.  pluginsync = true in [main] for both clients and the
 server.  I suspect a problem with pluginsync because the master is
 able to load the custom facts.

 I looked at syslog on both machines and didn't find any error or
 warning messages; just the usual messages minus the ones about loading
 custom facts.

 The first run after the upgrade resulted in messages about deleting
 the custom facts (filebucketing them).  That makes me suspect
 fileserver.conf.  According to our git repo, none of the *.conf files
 changed.  Did their interpretation change?

 puppet agent -t -d -v doesn't show anything unusual (except the
 missing lines about syncing)

 Where should I start looking to debug this?

 Thanks,
 Tom
 P.S. I'm using CentOS6.4.

 --
 Email: t...@whatexit.org  Work: tlimonce...@stackoverflow.com
 Skype: YesThatTom
 Blog:  http://EverythingSysadmin.com



-- 
Email: t...@whatexit.org  Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com



[Puppet Users] Including files in a template

2013-10-01 Thread Tom Noonan
Hello, folks:

I want to include a file into my templates to deduplicate code.
However, I'm running into problems with the module path.  If I try to
include the relative path with code like the following it fails:

# Fails
require 'foo.rb'

However, a fully qualified path succeeds:

# Works as expected
require '/etc/puppet/modules/foobar/templates/foo.rb'

While the latter works it causes problems if I want to move the
module.  Am I overlooking something here?  I've grepped through the
variables passed into the templates and I don't see any paths passed in
that I could use.

Thanks in advance.

--Tom Noonan II



Re: [Puppet Users] Re: Including files in a template

2013-10-01 Thread Tom Noonan
 <% require File.dirname(__FILE__) + '/foo.rb' %>
This suits my needs perfectly.  Thanks!

On Tue, 1 Oct 2013 06:32:15 -0700 (PDT)
jcbollinger john.bollin...@stjude.org wrote:

 
 
 On Tuesday, October 1, 2013 7:02:00 AM UTC-5, Sneha More wrote:
 
  Hi,
 You can use here the concept of partial template.
  Try including 
 
  <%= scope.function_template("foo.rb") %>
 
  This may help you, please refer 
  http://somethingsinistral.net/blog/partial-templates-with-puppet/
  Here is the link, someone has faced the similar issue as including
  file in template, refer 
  http://stackoverflow.com/questions/16551717/how-to-include-a-subtemplate-in-a-puppet-template
  .
 
 
 
 
 That invokes the Puppet template() function with argument foo.rb,
 but from name and usage that appears to be a Ruby source file as
 opposed to an ERB template.  The stackoverflow link looks promising,
 however, in that the discussion there demonstrates a technique for
 determining the template file's location from within the file itself,
 using the __FILE__ variable. To apply that to 'require'ing a Ruby
 source file you would probably end up with something like this:
 
 <% require File.dirname(__FILE__) + '/foo.rb' %>
 
 
 John
 



[Puppet Users] Re: hiera oddities

2013-09-30 Thread Tom Hanstra
Spot on!  Thanks for pointing this out.

Tom

On Friday, September 27, 2013 1:35:42 PM UTC-4, Ellison Marks wrote:

 Prefix doesn't return a string, it returns an array. I think this gets 
 stringified in the error message, but it screws up the lookup. Try 
 hiera($role_value[0]).

 On Friday, September 27, 2013 9:32:12 AM UTC-7, Tom Hanstra wrote:

 I'm having real trouble getting hiera to work as expected.

 My current setup has a puppet master and an agent.  On both I have the 
 same /etc/hiera.yaml file linked into the /etc/puppet directory.  I've also 
 been able to confirm that hiera is seeing the right json files in 
 /var/lib/hiera.

 What I'm seeing right now is that if I hard code a value (in my case a 
 value called role_puptest1).  In the class I'm working on, if I hardcode 
 that value into the hiera lookup:

 $server_role = hiera('role_puptest1')

 then puppet  agent runs just fine.  However, if I build the value 
 role_puptest1 from other information, for instance like this:

$role_value = prefix([$hostname],'role_')
$server_role = hiera($role_value)

 I get this error when running the puppet agent:

 Error: Could not retrieve catalog from remote server: Error 400 on 
 SERVER: Could not find data item role_puptest1 in any Hiera data file and 
 no default supplied at 
 /etc/puppet/modules/server/iptables2/manifests/init.pp:9 on node 
 puptest1.library.nd.edu

 Based on the error, it is parsing the role_value properly (still has 
 role_puptest1), but it is not finding the value in the file.  At the same 
 time, command line hiera on both my agent and my master find the file 
 properly:

 puptest1 800$ hiera role_puptest1
 role_LOCKSS

 So, why is the generated value which comes up with the same string of 
 data not finding the record in the hiera data file?

 I'm using hiera 1.2.1 and puppet 3.2.4 on RHEL 6.

 Thanks,
 Tom






Re: [Puppet Users] hiera oddities

2013-09-30 Thread Tom Hanstra
Pete: Thanks for pointing this out as well.  It explains some things that 
were confusing me about how I was using hiera.  I appreciate the 
information.

Tom

On Saturday, September 28, 2013 7:16:00 AM UTC-4, Peter Meier wrote:


  My current setup has a puppet master and an agent.  On both I have 
  the same /etc/hiera.yaml file linked into the /etc/puppet 
  directory.  I've also been able to confirm that hiera is seeing the 
  right json files in /var/lib/hiera. 

 Note: if you want to go with plain master/agent setup, there is no 
 need to setup hiera on the client. As the agent gets a compiled 
 catalog from the master that can be seen as kind of static, at least 
 all the hiera lookups are done when the agent receives the catalog. 

 ~pete 





[Puppet Users] hiera oddities

2013-09-27 Thread Tom Hanstra
I'm having real trouble getting hiera to work as expected.

My current setup has a puppet master and an agent.  On both I have the same 
/etc/hiera.yaml file linked into the /etc/puppet directory.  I've also been 
able to confirm that hiera is seeing the right json files in /var/lib/hiera.

What I'm seeing right now is that if I hard code a value (in my case a 
value called role_puptest1).  In the class I'm working on, if I hardcode 
that value into the hiera lookup:

$server_role = hiera('role_puptest1')

then puppet  agent runs just fine.  However, if I build the value 
role_puptest1 from other information, for instance like this:

   $role_value = prefix([$hostname],'role_')
   $server_role = hiera($role_value)

I get this error when running the puppet agent:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: 
Could not find data item role_puptest1 in any Hiera data file and no 
default supplied at 
/etc/puppet/modules/server/iptables2/manifests/init.pp:9 on node 
puptest1.library.nd.edu

Based on the error, it is parsing the role_value properly (still has 
role_puptest1), but it is not finding the value in the file.  At the same 
time, command line hiera on both my agent and my master find the file 
properly:

puptest1 800$ hiera role_puptest1
role_LOCKSS

So, why is the generated value which comes up with the same string of data 
not finding the record in the hiera data file?

I'm using hiera 1.2.1 and puppet 3.2.4 on RHEL 6.

Thanks,
Tom




Re: [Puppet Users] MCollective deployment pattern

2013-08-21 Thread Tom Poulton
Well I've been using an initial solution for the past month or two which 
seems to be working ok.

I have a custom puppet function that reads the version of the artifact 
being deployed and I add that to the mcollective facts.yaml file at the 
same time that the artifact is deployed. I've also got a groovy script 
which I've put up on GitHub (
https://github.com/TomPoulton/mcollective-synchronous-puppet/blob/master/deployment_trigger.groovy)
 
that runs as part of the Jenkins deployment job that finds the correct 
instances, triggers a puppet run, then waits until all the instances show 
the new version in their facts. It handles the situation where puppet is 
already running, and also has timeouts so the script doesn't run forever.

The only problem is that sometimes (although it's started to get more 
frequent) the script reaches its timeout waiting for the new version to 
show in the facts, the timeout is pretty generous and is certainly longer 
than a puppet run and an mcollective restart would take, and the facts are 
being updated correctly. Does mcollective have a cache or something that 
would prevent the new values being returned to the mco client on the Jenkins 
box?

Thanks



[Puppet Users] Re: User Resource Type | non-unique UID

2013-08-16 Thread tom . russell
3 years on, it did indeed :) Thanks!

On Wednesday, 6 October 2010 16:59:14 UTC+1, CraftyTech wrote:

 I answered my own question from the documentation.. 
 allowdupe => true

 Hope it helps someone else looking for a similar answer. 

 On Oct 6, 11:29 am, CraftyTech hmmed...@gmail.com wrote: 
  Hello All, 
  
   Is there a way in puppet to define a User resource with a non- 
  unique UID? i.e, 
  @user { 'user1':
    tag => 'test',
    uid => ''
  }
  
  @user { 'user2':
    tag => 'test',
    uid => ''
  }
  If I do it like this, I get an error saying that the UID is not 
  unique 
  
  Any ideas?



[Puppet Users] Re: file_line assistance

2013-07-31 Thread Tom Hanstra
No, I don't have pluginsync enabled, but when I attempt to do so I get this 
error:

Info: Retrieving plugin
Error: Could not retrieve plugin: Parameter source failed on 
File[/var/lib/puppet/lib]: Could not understand source 
puppet://lib_puppet2.library.nd.edu/plugins: the scheme puppet does not 
accept registry part: lib_puppet2.library.nd.edu (or bad hostname?)

I've been searching the web, but have not found the combination to get past 
this. Documentation only suggests enabling pluginsync on both master and 
agent, which is not enough.  What else am I missing?

Thanks,
Tom


On Tuesday, July 30, 2013 5:24:41 PM UTC-4, Tom Hanstra wrote:

 I'm running puppet 3.2.3 with the current (4.1.0) stdlib set from 
 puppetlabs.

 I'm attempting to use file_line to add a line to a file.  I've dumbed this 
 down to basically the test script:

 class hs_puptest1 {

   file { '/tmp/testfile':
     ensure => present
   }->
   file_line { 'test_line':
     line => 'Some data',
     path => '/tmp/testfile',
   }
 }

 The puppet agent puptest1 creates /tmp/testfile, but it does not add the 
 line to the file.  I don't even see file_line executed:

 puptest1.library.nd.edu|root no_ora /etc/puppet 673$ puppet agent --test
 Info: Caching catalog for puptest1.library.nd.edu
 Info: Applying configuration version '1375219378'
 Notice: /Stage[main]/Hs_puptest1/File[/tmp/testfile]/ensure: created
 Notice: Finished catalog run in 1.86 seconds
 puptest1.library.nd.edu|root no_ora /etc/puppet 674$ cat /tmp/testfile
 puptest1.library.nd.edu|root no_ora /etc/puppet 675$

 What am I doing wrong?  What might be missing?

 Thanks,
 Tom
 hans...@nd.edu






[Puppet Users] Re: file_line assistance

2013-07-31 Thread Tom Hanstra
Well, the hostname was the problem.  That never tripped me up before, but 
I'll keep it in mind for future reference!

Thanks,
Tom

On Tuesday, July 30, 2013 5:24:41 PM UTC-4, Tom Hanstra wrote:

 I'm running puppet 3.2.3 with the current (4.1.0) stdlib set from 
 puppetlabs.

 I'm attempting to use file_line to add a line to a file.  I've dumbed this 
 down to basically the test script:

 class hs_puptest1 {

   file { '/tmp/testfile':
     ensure => present
   }->
   file_line { 'test_line':
     line => 'Some data',
     path => '/tmp/testfile',
   }
 }

 The puppet agent puptest1 creates /tmp/testfile, but it does not add the 
 line to the file.  I don't even see file_line executed:

 puptest1.library.nd.edu|root no_ora /etc/puppet 673$ puppet agent --test
 Info: Caching catalog for puptest1.library.nd.edu
 Info: Applying configuration version '1375219378'
 Notice: /Stage[main]/Hs_puptest1/File[/tmp/testfile]/ensure: created
 Notice: Finished catalog run in 1.86 seconds
 puptest1.library.nd.edu|root no_ora /etc/puppet 674$ cat /tmp/testfile
 puptest1.library.nd.edu|root no_ora /etc/puppet 675$

 What am I doing wrong?  What might be missing?

 Thanks,
 Tom
 hans...@nd.edu






[Puppet Users] Puppet3 key exchange on RHEL6

2013-07-30 Thread Tom Hanstra
I'm attempting to run Puppet 3.2.3 on RHEL6 and am running into key 
problems.

The keys seem to be exchanged, or at least the puppet master receives the 
key from the client:

lib_puppet2.library.nd.edu|root no_ora /var/lib/puppet 1029$ puppet cert 
list --all
+ puptest1.library.nd.edu (SHA256) 
D4:3C:F5:4B:14:66:3C:97:55:3E:A1:F9:D7:88:13:78:A1:32:C7:B7:EB:9B:70:CA:73:BC:0E:13:47:D0:B6:B1

But when I attempt to connect from the agent, I get what look to be key 
problems:

puptest1.library.nd.edu|root no_ora ~ 639$ puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will 
continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate 
B: certificate verify failed: [certificate signature failure for 
/CN=lib_puppet2.library.nd.edu]
Info: Retrieving plugin
Error: Could not retrieve plugin: Parameter source failed on 
File[/var/lib/puppet/lib]: Could not understand source 
puppet://lib_puppet2.library.nd.edu/plugins: the scheme puppet does not 
accept registry part: lib_puppet2.library.nd.edu (or bad hostname?)
Error: Could not retrieve catalog from remote server: SSL_connect 
returned=1 errno=0 state=SSLv3 read server certificate B: certificate 
verify failed: [certificate signature failure for 
/CN=lib_puppet2.library.nd.edu]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 
read server certificate B: certificate verify failed: [certificate 
signature failure for /CN=lib_puppet2.library.nd.edu]

I've cleared /var/lib/puppet/ssl numerous times on both sides but every 
time I get back to this point.  

I'm open to any and all ideas.  Does anyone have this working on any RHEL6 
servers?  I had no trouble with puppet 2.6 but am running into other 
problems there with older versions of puppet, so I wanted to get puppet3 
running.  But I seem to have hit a wall.

Thanks,
Tom Hanstra
hans...@nd.edu





[Puppet Users] Re: Puppet3 key exchange on RHEL6

2013-07-30 Thread Tom Hanstra
This can all safely be ignored.  A reboot of both the master and agent 
servers was able to clear things up.  I'm not sure if the times were 
slightly off or something else, but rebooting took care of things.

Tom

On Tuesday, July 30, 2013 4:00:27 PM UTC-4, Tom Hanstra wrote:

 I'm attempting to run Puppet 3.2.3 on RHEL6 and am running into key 
 problems.

 The keys seem to be exchanged, or at least the puppet master receives the 
 key from the client:

 lib_puppet2.library.nd.edu|root no_ora /var/lib/puppet 1029$ puppet cert 
 list --all
 + puptest1.library.nd.edu (SHA256) 
 D4:3C:F5:4B:14:66:3C:97:55:3E:A1:F9:D7:88:13:78:A1:32:C7:B7:EB:9B:70:CA:73:BC:0E:13:47:D0:B6:B1

 But when I attempt to connect from the agent, I get what look to be key 
 problems:

 puptest1.library.nd.edu|root no_ora ~ 639$ puppet agent --test
 Warning: Unable to fetch my node definition, but the agent run will 
 continue:
 Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server 
 certificate B: certificate verify failed: [certificate signature failure 
 for /CN=lib_puppet2.library.nd.edu]
 Info: Retrieving plugin
 Error: Could not retrieve plugin: Parameter source failed on 
 File[/var/lib/puppet/lib]: Could not understand source puppet://
 lib_puppet2.library.nd.edu/plugins: the scheme puppet does not accept 
 registry part: lib_puppet2.library.nd.edu (or bad hostname?)
 Error: Could not retrieve catalog from remote server: SSL_connect 
 returned=1 errno=0 state=SSLv3 read server certificate B: certificate 
 verify failed: [certificate signature failure for /CN=
 lib_puppet2.library.nd.edu]
 Warning: Not using cache on failed catalog
 Error: Could not retrieve catalog; skipping run
 Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 
 read server certificate B: certificate verify failed: [certificate 
 signature failure for /CN=lib_puppet2.library.nd.edu]

 I've cleared /var/lib/puppet/ssl numerous times on both sides but every 
 time I get back to this point.  

 I'm open to any and all ideas.  Does anyone have this working on any RHEL6 
 servers?  I had no trouble with puppet 2.6 but am running into other 
 problems there with older versions of puppet, so I wanted to get puppet3 
 running.  But I seem to have hit a wall.

 Thanks,
 Tom Hanstra
 hans...@nd.edu






[Puppet Users] file_line assistance

2013-07-30 Thread Tom Hanstra
I'm running puppet 3.2.3 with the current (4.1.0) stdlib set from 
puppetlabs.

I'm attempting to use file_line to add a line to a file.  I've dumbed this 
down to basically the test script:

class hs_puptest1 {

  file { '/tmp/testfile':
    ensure => present
  }->
  file_line { 'test_line':
    line => 'Some data',
    path => '/tmp/testfile',
  }
}

The puppet agent puptest1 creates /tmp/testfile, but it does not add the 
line to the file.  I don't even see file_line executed:

puptest1.library.nd.edu|root no_ora /etc/puppet 673$ puppet agent --test
Info: Caching catalog for puptest1.library.nd.edu
Info: Applying configuration version '1375219378'
Notice: /Stage[main]/Hs_puptest1/File[/tmp/testfile]/ensure: created
Notice: Finished catalog run in 1.86 seconds
puptest1.library.nd.edu|root no_ora /etc/puppet 674$ cat /tmp/testfile
puptest1.library.nd.edu|root no_ora /etc/puppet 675$

What am I doing wrong?  What might be missing?

Thanks,
Tom
hans...@nd.edu





Re: [Puppet Users] defined() implicitly requiring resource reference

2013-06-14 Thread Tom Lanyon
Hi John

On 14/06/2013, at 12:06 AM, jcbollinger john.bollin...@stjude.org wrote:
 
 On Wednesday, June 12, 2013 9:15:22 AM UTC-5, Tom Lanyon wrote:
 On 05/06/2013, at 11:51 PM, jcbollinger [...] wrote: 
  I don't much like that general approach in the first place on account of 
  the $requested_package parameter.  That you encounter difficulty when you 
  try something a bit dodgy should not be surprising. 
 
 Can you explain this further so I can understand the issue? 
 
 Initially, it was mostly a gut feeling.  After having had time to step back 
 from the issue and return to it fresh, I think it's a combination of things, 
 mostly revolving around what you're actually modeling, and how you're 
 modeling it.
 
 Basically, the 'myapp' definition represents one package chosen from a list 
 of mutually exclusive packages.  If that's all it is, then its name is 
 misleading -- it should be more generic -- and it should probably take the 
 exclusive list as a second parameter.  On the other hand, if it is indeed 
 supposed to be something specific, then it doesn't take much advantage of 
 that.  In particular -- and here's where my previous comment came from -- if 
 it is supposed to represent something specific to your application, then why 
 doesn't it know anything about the application's package names?
 
 Also, if the point is supposed to be that only one version of the application 
 can be installed at a time, and the definition is specific to that 
 application, then it really ought to be a class instead.

Alas, the whole intention of this is that multiple versions of the package must 
be installed at the same time.  This is where the problem lies, in that we have 
no way to clean up old unused versions once they're no longer needed.

We have instances of an application MyApp, which utilise a shared Package in 
many to one relationship:

Package[one] ___ MyApp[app1]

Package[two] ___ MyApp[app2]
             \___ MyApp[app3]

Package[three] _ MyApp[app4]
               \_ MyApp[app5]
               \_ MyApp[app6]

In the above example, if we upgraded MyApp[app2] and MyApp[app3] to 
Package[three], we'd still have Package[two] installed on all of the hosts but 
no MyApp instances would be using it.  This is the unused Package we're trying 
to clean up with Puppet (there's no longer a MyApp resource definition which 
references Package[two]).

There are no mutually exclusive packages or any other such conflicts.


  In fact, despite my dissatisfaction with your approach, you can indeed do 
  this without defined(), and without even disrupting your current structure 
  very much.  Here's one way I think would work: 
  
  # This class ensures all known app packages are 
  # by default purged 
  class app::packages { 
    $apps = split($::app_packages, ',') 
    package { $apps: 
      ensure => 'purged' 
    } 
  } 
  
  # Overrides the requested package to be declared 
  # present instead of purged. 
  define app::myapp($requested_package) { 
    include 'app::packages' 
    Package<| title == $requested_package |> { 
      ensure => 'present' 
    } 
  } 
  
  # no separate package_cleanup required 
 
 
 OK, I wondered whether we could do something like this however - forgive my 
 naivety - I still can't see how this could be a complete solution without 
 something like defined(). 
 
 As an example... your above snippet works fine to ensure already installed 
 packages remain installed, but what if we wanted to install a brand new 
 version of app::myapp?  Because a 'package' resource with title 
 $requested_package does not yet exist, the Package<||> collector matches no 
 resources and the new package is not installed.  The only solution that I 
 can come up with is to check whether such a resource is already defined and, 
 if not, define one. 
 
 You appear to have a serious misunderstanding.  Resource collectors have no 
 direct relationship with or dependency on which resources are already 
 installed on the target system.  They work exclusively with resource 
 declarations in your manifests, and they do so at catalog compilation time.  
 Moreover, they are independent of parse order (though the example anyway 
 ensures a parse order that would work if collectors were parse-order 
 dependent).

No, I understand this.

 Explanation of the example:
   • class app::packages declares all of the possible application 
 packages, specifying the intended state for each one as 'purged'.  If that is 
 the only thing applied to the target node then it will cause the removal of 
 each and every one of those packages that is installed.  ('purged' is 
 stronger than 'absent'.  The former is more sure to remove the specified 
 package, but the latter takes care to avoid causing any other packages to be 
 removed, and therefore fails if any other package depends on the target 
 package.)  It is necessary that the list of possible packages include every 
 one that you may want to have

Re: [Puppet Users] defined() implicitly requiring resource reference

2013-06-12 Thread Tom Lanyon
Hi John,

Sorry for the delayed reply.

On 05/06/2013, at 11:51 PM, jcbollinger john.bollin...@stjude.org wrote:
 
 Sorry, I should have been clearer that this occurs when Package[package-434] 
 IS declared elsewhere. !defined(Package[package-434]) therefore is false, 
 so just by referencing the existing declaration within the defined() call it 
 seems to incite an implicit dependency. 
 
 If that's really what's happening then you should be able to create a simple 
 test case that demonstrates it.  That would be a worthy subject for a bug 
 report.

I'll see what I can do.

 Is this implicit dependency expected behaviour or am I doing something 
 Bad(tm)? 
 
 Both. 
 
 Supposing that the target package is not declared elsewhere (so that the 
 !defined() condition is true) the definition will declare the package 
 itself to ensure it absent, and in that case you would expect a 
 relationship between the defined-type instance and the resource declared by 
 it.  If elsewhere you have specific references to that package, applicable 
 resource parameter defaults, or collectors that will match that package, 
 then you can get relationships with it that are not evident from the 
 defined type body. 
 
 On the other hand, defined() is evil.  Do not use it.  Ever. 
 
 I had this discussion with someone on #puppet IRC earlier and they ended up 
 with "Oh, in your case, defined() is probably actually what you want." 
 
 No.  defined() is never what you want.  It may at times seem expedient, but 
 it's bad news every time.

OK, understood.

 define myapp ($requested_package){
 
   package { $requested_package:
     ensure => present
   }
 
   define package_cleanup {
     $installed_package = $title
 
     if $installed_package != $requested_package {
       package { $installed_package:
         ensure => purged
       }
     }
   }
 
   # assuming a facter fact named 'installed_packages'
   package_cleanup { split($::installed_packages, ','): }
 }
 
 I don't much like that general approach in the first place on account of the 
 $requested_package parameter.  That you encounter difficulty when you try 
 something a bit dodgy should not be surprising.

Can you explain this further so I can understand the issue?



 In fact, despite my dissatisfaction with your approach, you can indeed do 
 this without defined(), and without even disrupting your current structure 
 very much.  Here's one way I think would work:
 
 # This class ensures all known app packages are
 # by default purged
 class app::packages {
   $apps = split($::app_packages, ',')
   package { $apps:
     ensure => 'purged'
   }
 }
 
 # Overrides the requested package to be declared
 # present instead of purged.
 define app::myapp($requested_package) {
   include 'app::packages'
   Package<| title == $requested_package |> {
     ensure => 'present'
   }
 }
 
 # no separate package_cleanup required


OK, I wondered whether we could do something like this however - forgive my 
naivety - I still can't see how this could be a complete solution without 
something like defined().

As an example... your above snippet works fine to ensure already installed 
packages remain installed, but what if we wanted to install a brand new version 
of app::myapp?  Because a 'package' resource with title $requested_package does 
not yet exist, the Package<||> collector matches no resources and the new 
package is not installed.  The only solution that I can come up with is to 
check whether such a resource is already defined and, if not, define one.

Your guidance is appreciated.

Tom
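
The filtering approach suggested earlier in this thread (compare the list of possible packages against the list that is supposed to be installed), written out as an added example that is not code from any poster. It assumes the 'app_packages' fact from the thread and difference() from puppetlabs-stdlib; the class name app::wanted and its requested parameter are hypothetical, and the requested packages are gathered into one list instead of being passed per myapp instance.

```puppet
# Added example, not code from the thread.
# Assumptions: the custom fact 'app_packages' (comma-separated list of app
# packages found on the node, as in the thread) and difference() from
# puppetlabs-stdlib. Class and parameter names are hypothetical.
class app::wanted ($requested = []) {

  # Every app package that Facter reports on the node.
  $known = split($::app_packages, ',')

  # Only packages that are on the node but were not requested get purged.
  $stale = difference($known, $requested)

  # $requested does not depend on the fact, so a package that is not yet
  # installed is still declared and installed.
  package { $requested:
    ensure => present,
  }

  # $requested and $stale are disjoint, so every package title is declared
  # exactly once and in one state: no duplicate declarations, no defined(),
  # and no parse-order dependent checks.
  package { $stale:
    ensure => purged,
  }
}

# With $::app_packages = 'one,two,three' this declares Package[one] and
# Package[two] as present and Package[three] as purged.
node 'foo' {
  class { 'app::wanted':
    requested => ['one', 'two'],
  }
}
```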





[Puppet Users] defined() implicitly requiring resource reference

2013-06-04 Thread Tom Lanyon
I'm testing a 'cleanup' stage which runs after Stage[main] and removes a bunch 
of package resources.

To do this, I tried a simple check of defined(Package[foo]) combined with a 
custom facter fact (called 'app_packages'):

 class app::package::cleaner {
 
   define check_and_remove {
     if !defined(Package[$title]) {
       package { $title:
         ensure => absent
       }
     }
   }
 
   $apps = split($::app_packages, ',')
   check_and_remove { $apps: }
 
 }
 
 node 'foo' {
   class { 'app::package::cleaner': stage => 'cleanup' }
 
 }

Unfortunately, this results in a dependency cycle.  It appears that putting the 
Package[$title] resource reference in defined() actually invokes an implicit 
dependency between my cleanup helper resource in the cleanup stage and the 
original Package resource in the main stage.

 Augeas[redacted] => Service[iptables] => Class[Iptables] => Stage[main] => 
 Stage[cleanup] => Class[App::Package::Cleaner] => 
 App::Package::Cleaner::Check_and_remove[package-434] => Package[package-434] 
 => Exec[app-graceful-restart] => Class[App] => Stage[main]

Is this implicit dependency expected behaviour or am I doing something Bad(tm)?

Tom





Re: [Puppet Users] defined() implicitly requiring resource reference

2013-06-04 Thread Tom Lanyon
Hi John,

Thanks for the reply.

On 05/06/2013, at 12:33 AM, jcbollinger john.bollin...@stjude.org wrote:
 On Tuesday, June 4, 2013 1:22:08 AM UTC-5, Tom Lanyon wrote:
 I'm testing a 'cleanup' stage which runs after Stage[main] and removes a 
 bunch of package resources. 
 
 To do this, I tried a simple check of defined(Package[foo]) combined with a 
 custom facter fact (called 'app_packages'): 
 
  class app::package::cleaner {
  
    define check_and_remove {
      if !defined(Package[$title]) {
        package { $title:
          ensure => absent
        }
      }
    }
  
    $apps = split($::app_packages, ',')
    check_and_remove { $apps: }
  
  }
  
  node 'foo' {
    class { 'app::package::cleaner': stage => 'cleanup' }
  
  }
 
 Unfortunately, this results in a dependency cycle.  It appears that putting 
 the Package[$title] resource reference in defined() actually invokes an 
 implicit dependency between my cleanup helper resource in the cleanup stage 
 and the original Package resource in the main stage. 
 
  Augeas[redacted] => Service[iptables] => Class[Iptables] => Stage[main] => 
  Stage[cleanup] => Class[App::Package::Cleaner] => 
  App::Package::Cleaner::Check_and_remove[package-434] => 
  Package[package-434] => Exec[app-graceful-restart] => Class[App] => 
  Stage[main] 
 
 Does it do that when Package[package-434] is already declared elsewhere, or 
 only when it is not?

Sorry, I should have been clearer that this occurs when Package[package-434] IS 
declared elsewhere. !defined(Package[package-434]) therefore is false, so 
just by referencing the existing declaration within the defined() call it seems 
to incite an implicit dependency.


 Is this implicit dependency expected behaviour or am I doing something 
 Bad(tm)? 
 
 Both.
 
 Supposing that the target package is not declared elsewhere (so that the 
 !defined() condition is true) the definition will declare the package itself 
 to ensure it absent, and in that case you would expect a relationship between 
 the defined-type instance and the resource declared by it.  If elsewhere you 
 have specific references to that package, applicable resource parameter 
 defaults, or collectors that will match that package, then you can get 
 relationships with it that are not evident from the defined type body.
 
 On the other hand, defined() is evil.  Do not use it.  Ever.

I had this discussion with someone on #puppet IRC earlier and they ended up 
with "Oh, in your case, defined() is probably actually what you want."

  I usually attribute its malignancy to the parse-order dependency it 
 inherently creates -- which is indeed a serious problem -- but in this case I 
 think trying to use it to approach your problem it has also obfuscated your 
 manifests enough to confuse you about the scope and nature of some of your 
 other declarations.
 
 Instead of using defined(), you can apply logic farther upstream to make the 
 correct declaration in the first (one) place or to apply resource parameter 
 overrides to the correct resources.  Alternatively, you can simply determine 
 by other means what packages need to be ensured absent, such as by filtering 
 a list of possible packages against a list of packages that are supposed to 
 be installed.  Some of those options may still be susceptible to the problem you 
 observed, however, if relevant relationships spring from declarations 
 elsewhere, as I described they may do.

I've tried this other ways, but here's an example of why farther upstream logic 
doesn't work:

define myapp ($requested_package){

  package { $requested_package:
    ensure => present
  }

  define package_cleanup {
    $installed_package = $title

    if $installed_package != $requested_package {
      package { $installed_package:
        ensure => purged
      }
    }
  }

  # assuming a facter fact named 'installed_packages'
  package_cleanup { split($::installed_packages, ','): }
}

# now in the case of:
#   $::installed_packages = 'one,two,three'
# with:
myapp { 'oneA': requested_package => 'one' }
myapp { 'twoA': requested_package => 'two' }
myapp { 'oneB': requested_package => 'one' }

# we'd end up with package conflicts because
# Myapp[oneA] will define Package[one] (present)
# then define Package[two], Package[three] (absent),
# and Myapp[twoA] will try and define Package[two]
# (present) and fail with a non-uniqueness error.

I don't see how this is doable without defined() or some other check of the 
catalog to see what packages are needed elsewhere.  Do you have any 
suggestions?


 For the record, however, no order-of-application relationship should be 
 implied by the reference itself.  Therefore, when the referenced Package is 
 declared elsewhere (so that the !defined() condition is false), there should 
 be a relationship between App::Package::Cleaner::Check_and_remove[foo] and 
 Package[foo] only if that relationship is declared somewhere else.

I'd hoped that using a Stage to run after everything else would sort

Re: [Puppet Users] module dependancy

2013-05-29 Thread Tom De Vylder
Hi,

Class['pythonpip'] -> Class['myapp']

… should do the trick for you.

Regards,
Tom

On 14 May 2013, at 20:36, Matt F mfan2...@gmail.com wrote:

 I have two modules, and I'm having some dependency problems: 
 
 1 - Install python pip:
 
 class pythonpip::install {
   file { "/root/.pip":
     ensure => directory,
     owner  => root,
     group  => root,
     mode   => 755
   }
   file { "/root/.pip/pip.conf":
     ensure => present,
     source => 'puppet:///modules/pythonlinux/pip.conf',
     mode   => 0644,
   }
 }
 
 
 2 - install some python packages via pip:
 
 class myapp::install {
   package {
     "mechanize":
       provider => pip;
     "numpy":
       provider => pip;
     "pandas":
       provider => pip;
     "reportlab":
       provider => pip;
   }
 }
 
 I want to make sure that the pythonpip::install is always run before the 
 myapp::install. How can I do that?
 




Re: [Puppet Users] Workaround for Puppet 3 not working in Fedora 18

2013-05-21 Thread Tom Poulton
So I get the move to systemd (whatever that is) if that's what Fedora uses,
but why rename the service, that means I have to add a special case in my
puppet module just for Fedora to set the name of the service resource to
puppetagent? Unless it's a change they're going to roll out to all their
supported environments in which case that makes sense (sort of)!?





Re: [Puppet Users] Workaround for Puppet 3 not working in Fedora 18

2013-05-20 Thread Tom Poulton
Yep that worked, I had to enable the puppetlabs-devel repo in
/etc/yum.repos.d/puppetlabs.repo (instead of yum
--enablerepo=puppetlabs-devel) but it works fine now, lesson learned :)

Thanks





Re: [Puppet Users] Workaround for Puppet 3 not working in Fedora 18

2013-05-20 Thread Tom Poulton
Wait... spoke too soon:

Error: Could not start Service[puppet]: Execution of '/sbin/service puppet
start' returned 6:
Error: /Stage[main]/Puppet/Service[puppet]/ensure: change from stopped to
running failed: Could not start Service[puppet]: Execution of
'/sbin/service puppet start' returned 6:

If I do sudo service puppet start:
Redirecting to /bin/systemctl start  puppet.service
Failed to issue method call: Unit puppet.service failed to load: No such
file or directory. See system logs and 'systemctl status puppet.service'
for details.

The only puppet service files are below and there's no puppet file in
/etc/init.d/:
/usr/lib/systemd/system/puppetagent.service
/usr/share/puppet/ext/systemd/puppetagent.service
/usr/share/puppet/ext/systemd/puppetmaster.service

Any ideas? Is this just another stupid mistake?





Re: [Puppet Users] Workaround for Puppet 3 not working in Fedora 18

2013-05-17 Thread Tom Poulton
I setup the Puppet Labs yum repo via sudo rpm -ivh
http://yum.puppetlabs.com/el/6/products/i386/puppetlabs-release-6-6.noarch.rpm


So far between me and a colleague we've tried:
F18 GNOME:
Seemed fine I think (but GNOME 3 didn't play nice with VirtualBox, very
very slow)

F18 KDE: Initially running Puppet 2.7.X
The client worked fine but the Puppet Dashboard kept throwing errors that's
what made me realise we were running 2.7 (I didn't bother to check the yum
install process as I assumed the Fedora repo would be up to date)

F18 KDE: Running Puppet 3.1.1
Ruby errors above. I upgraded my colleague's machine today and ran into
exactly the same problem

From that I'm thinking this might be specific to the F18 KDE version, maybe
ruby is setup in an odd fashion on this spin??





Re: [Puppet Users] Workaround for Puppet 3 not working in Fedora 18

2013-05-17 Thread Tom Poulton
Hahaha, I didn't even think about that, I just copied the script blindly
from our EC2 setup, that'll teach me

I'll test it out on Monday morning and update

If that is the answer: thanks in advance

Tom





[Puppet Users] Workaround for Puppet 3 not working in Fedora 18

2013-05-16 Thread Tom Poulton
I'm using Fedora 18 KDE in VirtualBox, fresh install this morning with full 
updates using yum.

I installed puppet by adding the puppet labs yum repo and then sudo yum 
install puppet, so now I'm running puppet version 3.1.1

Running puppet --version or sudo puppet agent --test gave me the 
following error:

/usr/share/rubygems/rubygems/custom_require.rb:36:in `require': cannot 
load such file -- puppet/util/command_line (LoadError)
 from /usr/share/rubygems/rubygems/custom_require.rb:36:in `require'
 from /usr/bin/puppet:3:in `main'

As far as I can tell with my limited knowledge of Ruby, Linux and Puppet, 
/usr/bin/puppet has a line require 'puppet/util/command_line' which 
executes via /usr/bin/ruby. The custom_require.rb script (part of ruby) 
then looks for a file puppet/util/command_line relative to itself which it 
can't find.

Looking at an AWS Linux box where puppet is working, I can see that the 
custom_require.rb file is located at 
/usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb, whereas on my 
Fedora box the file is located at 
/usr/share/rubygems/rubygems/custom_require.rb, the problem is that puppet 
has installed its ruby files in /usr/lib/ruby/site_ruby/1.8, but they 
should actually be in /usr/share/rubygems.

The first fix was to add RUBYLIB=/usr/lib/ruby/site_ruby/1.8 in 
/etc/environment and export RUBYLIB=/usr/lib/ruby/site_ruby/1.8 at the 
beginning of /etc/rc.d/init.d/puppet but that felt pretty dirty so now I've 
done this:

sudo mv /usr/lib/ruby/site_ruby/1.8/* /usr/share/rubygems/
sudo rm -r /usr/lib/ruby/site_ruby/1.8
sudo ln -s /usr/share/rubygems /usr/lib/ruby/site_ruby/1.8

If anyone has a better solution I'm all ears, ideally I'd like to just use 
yum for puppet and any of its dependencies, tweak the puppet.conf file and 
everything work (like it does in EC2, etc), Do I have to install another 
version of ruby?? Or set an environment variable before installing puppet 
so it knows where to put the files?? Maybe it's just Fedora's weird ruby 
install process?

Here's a yum list just in case:

$ sudo yum list installed | grep ruby
libselinux-ruby.x86_64      2.1.12-7.3.fc18     @updates
ruby.x86_64                 1.9.3.392-29.fc18   @updates
ruby-augeas.x86_64          0.4.1-4.fc18        @fedora
ruby-irb.noarch             1.9.3.392-29.fc18   @updates
ruby-libs.x86_64            1.9.3.392-29.fc18   @updates
ruby-shadow.x86_64          1.4.1-17.fc18       @fedora
rubygem-bigdecimal.x86_64   1.1.0-29.fc18       @updates
rubygem-io-console.x86_64   0.3-29.fc18         @updates
rubygem-json.x86_64         1.6.8-1.fc18        @updates
rubygem-rdoc.noarch         3.12-6.fc18         @updates
rubygems.noarch             1.8.25-6.fc18       @updates





Re: [Puppet Users] MCollective deployment pattern

2013-05-14 Thread Tom Poulton
I'll have a play around in the next few days when I get a chance and report 
back

I'm thinking a little foreground agent is probably the way to go for now as 
a quick fix, and then I'll work on something cleaner once we start phase 
2 in a couple of months

Thanks for the pointers, much appreciated






[Puppet Users] MCollective deployment pattern

2013-05-13 Thread Tom Poulton
Hi all

I have a scenario in mind for MCollective and I was looking for 
some feedback

The basic idea is this:
1) A code push to Git triggers a Jenkins build
2) A successful build triggers automatic deployment to an automated 
functional test environment
3) Functional tests run automatically and the results are reported etc

This is just basic CI practice and 1) and 3) are sorted, the only issues 
are with 2) and the trigger for 3). The deployment job in Jenkins just 
copies files up to the Puppet master ready for deployment and service 
restarts etc etc, however with a basic puppet setup one has to wait for the 
clients to run to pickup the new changes and restart services etc and only 
then can Jenkins run the automated tests.

So the plan is for Jenkins to trigger a run on all the required Puppet 
clients via MCollective (filtered by environment), synchronously wait for 
the clients to finish and then run the tests. This has another advantage in 
that we can back off the Puppet run interval (as important changes are 
triggered by MCollective) which gives the Puppet master a bit of breathing 
room, and the clients can just check-in every hour or so to check 
everything is in order.

This also extends to deployments to other environments that have manual 
deployment triggers such as a QA environment. Even though the deployment is 
triggered by the QA team, the upload of the artifacts, running of puppet 
clients and notification of a successful deployment should all be automated.

1): Does this make sense as a pattern, if not what is the best practice for 
implementing this part of the CI and CD pipeline with puppet / jenkins / 
mcollective etc?

2): How would this work in practice. I can run mco puppet runonce which 
is fine, but if I filter by environment mco puppet runonce --environment 
aft I get the Cannot specify any custom puppet options when the daemon is 
running error. I can work around this by stopping the daemons on every box, 
however this means that the clients no longer check in periodically. Is 
there a fix for this or would you recommend turning them off anyway when 
using a tool such as MCollective and doing ALL configuration updates via 
MCollective triggers?

3) I need to do some more testing now, but just in case anyone knows off 
the top of their heads, will an MCollective runonce call be synchronous, 
i.e. will the mco call only finish once each client has reported that they 
have finished their runs? If it's not, does anyone know of a good way to 
check for a finished deployment (some command line wizardry with mco puppet 
status / mco puppet summary, etc)?

I have done my research with Google and read a fair amount about 
MCollective from various sources during the investigation and 
implementation, however if this is already documented or I'm missing 
something stupid I apologise in advance

Thanks





Re: [Puppet Users] MCollective deployment pattern

2013-05-13 Thread Tom Poulton
Thanks for the quick reply

The -W environment=foo tip is very useful and definitely solves one 
problem. I appreciate that the synchronous part could get pretty nasty, 
rather you than me :) In the meantime have you got any tips on the best 
(most reliable) way to check up on triggered runs, you mentioned inspecting 
them or querying my reporting infrastructure: to be honest I'm 
pretty familiar with puppet in terms of writing modules etc, but I haven't 
really looked into the reporting or querying side of things at all, and 
I'm definitely a newcomer to MCollective, feel free to just dump a load of 
keywords and I can google around if that's easier?

We're running Puppet Open Source but we do have Puppet Dashboard running if 
that offers any querying options against the DB or something?

Thanks





[Puppet Users] Advice on module organization

2013-03-15 Thread Tom Melendez
Hi Folks,

Like to get some advice on module organization.  I have a system that
has a few different components.  One or more components can be
installed on a host.  The hosts also have a type dimension.  This
type dimension could (should) ideally be used to configure the
system (fill in a bunch of variables).  Problem is, I'm not sure of
the best way to do this in puppet.

I'm running puppet 2.7x.

To illustrate, I'd like to do something like this (pseudo syntax):

node 'foo.example.com' {
    include module::component(systemType => foobar)
    include module::component2(systemType => foobar)
}

node 'foo2.example.com' {
    include module::component(systemType => foobar2)
    include module::component3(systemType => foobar2)
}

or, maybe even better

node 'foo.example.com' {
    include module(components => [component1,component2], systemType => foobar)
}

node 'foo2.example.com' {
    include module(components => [component1,component3], systemType => foobar2)
}

In the above illustration, the value of componentType can determine
which files to load, as well as a bunch of variables (40-60 variables)
which would be used for things like ensuring directories are present,
ownership, users installed, etc..

I was thinking that each component would be a class, which is fine in
itself, but my real problem is the movement of these variables
(configuration).  There are a lot of components, and enough variables
that I don't want to add them to each class.  I want to be able to do
something like:

class mymodule(components, componentType) {
$myconfig = getConfig($componentType)
# can I loop through components?
include mymodule::component($myconfig)
}

Hopefully that's descriptive enough.  Feel free to ask questions.
Ultimately, my major goal is to boil the configuration down to a
single location, as the configurations (systemTypes).  Something like this
would work (I think) if calling the class could be dynamic:
http://docs.puppetlabs.com/guides/parameterized_classes.html#appendix-smart-parameter-defaults

Thanks in advance for the feedback,

Tom





Re: [Puppet Users] puppet-dashboard-1.2.22 - unable to get it running under Apache/Passenger

2013-02-26 Thread Tom Blich
Do you know where I might be able to change where it's looking for the 
specific rack version for 1.1.0?

Thanks,
Tom


On Friday, February 22, 2013 5:29:59 PM UTC-8, Matt wrote:

 It looks like it's trying to use a specific rack gem version but you do 
 not have that version installed or you have two versions installed and 
 its picking up the latest. It could be that you also have another 
 passenger application where the versions conflict? 

 (can't activate rack (~> 1.1.0, runtime) for [], already activated 
 rack-1.5.2 for []) (process 8729, thread #<Thread:0x7fed2a6fc358>): 

 On Fri, Feb 22, 2013 at 7:17 PM, Tom Blich bunk...@gmail.com wrote: 
  Had puppet-dashboard-1.2.21 running via instructions provided here: 
  
  http://docs.puppetlabs.com/dashboard/passenger.html 
  
  Upgraded to puppet-dashboard-1.2.22 and now get the following error: 
  
  [ pid=8729 thr=70328297972140 file=utils.rb:176 time=2013-02-22 19:12:17.188 ]: *** Exception RuntimeError in PhusionPassenger::Rack::ApplicationSpawner (can't activate rack (~> 1.1.0, runtime) for [], already activated rack-1.5.2 for []) (process 8729, thread #<Thread:0x7fed2a6fc358>):
  from ./config/../vendor/rails/railties/lib/initializer.rb:271:in `require_frameworks'
  from ./config/../vendor/rails/railties/lib/initializer.rb:134:in `process'
  from ./config/../vendor/rails/railties/lib/initializer.rb:113:in `send'
  from ./config/../vendor/rails/railties/lib/initializer.rb:113:in `run'
  from ./config/environment.rb:14
  from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `gem_original_require'
  from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `require'
  from config.ru:4
  from /usr/lib/ruby/gems/1.8/gems/rack-1.5.2/lib/rack/builder.rb:55:in `instance_eval'
  from /usr/lib/ruby/gems/1.8/gems/rack-1.5.2/lib/rack/builder.rb:55:in `initialize'
  from config.ru:1:in `new'
  from config.ru:1
  [Fri Feb 22 19:12:46 2013] [notice] caught SIGTERM, shutting down
  [Fri Feb 22 19:13:37 2013] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
  [Fri Feb 22 19:13:37 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
  [Fri Feb 22 19:13:37 2013] [warn] module php5_module is already loaded, skipping
  [Fri Feb 22 19:13:37 2013] [notice] Digest: generating secret for digest authentication ...
  [Fri Feb 22 19:13:37 2013] [notice] Digest: done
  [Fri Feb 22 19:13:37 2013] [notice] Apache/2.2.15 (Unix) DAV/2 Phusion_Passenger/3.0.19 PHP/5.3.20 mod_ssl/2.2.15 OpenSSL/1.0.0-fips configured -- resuming normal operations
  
  Not sure how to fix it. 
  
  Thanks, 
  Tom 
  




[Puppet Users] upgraded to puppet 1.2.22 from 1.2.21 and get error

2013-02-22 Thread Tom Blich


[ pid=1870 thr=69908823898540 file=utils.rb:176 time=2013-02-22 
16:39:47.170 ]: *** Exception RuntimeError in 
PhusionPassenger::Rack::ApplicationSpawner (can't activate rack (~ 1.1.0, 
runtime) for [], already activated rack-1.5.2 for []) (process 1870, thread 
#Thread:0x7f29d53af358):
  from ./config/../vendor/rails/railties/lib/initializer.rb:271:in 
`require_frameworks'
  from ./config/../vendor/rails/railties/lib/initializer.rb:134:in `process'
  from ./config/../vendor/rails/railties/lib/initializer.rb:113:in `send'
  from ./config/../vendor/rails/railties/lib/initializer.rb:113:in `run'
  from ./config/environment.rb:14
  from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in 
`gem_original_require'
  from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in 
`require'
  from config.ru:4
  from /usr/lib/ruby/gems/1.8/gems/rack-1.5.2/lib/rack/builder.rb:55:in 
`instance_eval'
  from /usr/lib/ruby/gems/1.8/gems/rack-1.5.2/lib/rack/builder.rb:55:in 
`initialize'
  from config.ru:1:in `new'
  from config.ru:1





[Puppet Users] Re: upgraded to puppet 1.2.22 from 1.2.21 and get error

2013-02-22 Thread Tom Blich
I can get this working via running via WEBrick, but get the error when 
running it via passenger in apache.

Not sure yet how to get this working via apache so I can SSL and LDAP 
authenticate it.


On Friday, February 22, 2013 2:46:57 PM UTC-8, Tom Blich wrote:



 [ pid=1870 thr=69908823898540 file=utils.rb:176 time=2013-02-22 
 16:39:47.170 ]: *** Exception RuntimeError in 
 PhusionPassenger::Rack::ApplicationSpawner (can't activate rack (~ 1.1.0, 
 runtime) for [], already activated rack-1.5.2 for []) (process 1870, thread 
 #Thread:0x7f29d53af358):
   from ./config/../vendor/rails/railties/lib/initializer.rb:271:in 
 `require_frameworks'
   from ./config/../vendor/rails/railties/lib/initializer.rb:134:in 
 `process'
   from ./config/../vendor/rails/railties/lib/initializer.rb:113:in `send'
   from ./config/../vendor/rails/railties/lib/initializer.rb:113:in `run'
   from ./config/environment.rb:14
   from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in 
 `gem_original_require'
   from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in 
 `require'
   from config.ru:4
   from /usr/lib/ruby/gems/1.8/gems/rack-1.5.2/lib/rack/builder.rb:55:in 
 `instance_eval'
   from /usr/lib/ruby/gems/1.8/gems/rack-1.5.2/lib/rack/builder.rb:55:in 
 `initialize'
   from config.ru:1:in `new'
   from config.ru:1






[Puppet Users] puppet-dashboard-1.2.22 - unable to get it running under Apache/Passenger

2013-02-22 Thread Tom Blich
Had puppet-dashboard-1.2.21 running via instructions provided here:

http://docs.puppetlabs.com/dashboard/passenger.html

Upgraded to puppet-dashboard-1.2.22 and now get the following error: 

  [ pid=8729 thr=70328297972140 file=utils.rb:176 time=2013-02-22 
19:12:17.188 ]: *** Exception RuntimeError in 
PhusionPassenger::Rack::ApplicationSpawner (can't activate rack (~ 1.1.0, 
runtime) for [], already activated rack-1.5.2 for []) (process 8729, thread 
#Thread:0x7fed2a6fc358):
from ./config/../vendor/rails/railties/lib/initializer.rb:271:in 
`require_frameworks'
from ./config/../vendor/rails/railties/lib/initializer.rb:134:in `process'
from ./config/../vendor/rails/railties/lib/initializer.rb:113:in `send'
from ./config/../vendor/rails/railties/lib/initializer.rb:113:in `run'
from ./config/environment.rb:14
from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in 
`gem_original_require'
from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `require'
from config.ru:4
from /usr/lib/ruby/gems/1.8/gems/rack-1.5.2/lib/rack/builder.rb:55:in 
`instance_eval'
from /usr/lib/ruby/gems/1.8/gems/rack-1.5.2/lib/rack/builder.rb:55:in 
`initialize'
from config.ru:1:in `new'
from config.ru:1
[Fri Feb 22 19:12:46 2013] [notice] caught SIGTERM, shutting down
[Fri Feb 22 19:13:37 2013] [warn] Init: Session Cache is not configured 
[hint: SSLSessionCache]
[Fri Feb 22 19:13:37 2013] [notice] suEXEC mechanism enabled (wrapper: 
/usr/sbin/suexec)
[Fri Feb 22 19:13:37 2013] [warn] module php5_module is already loaded, 
skipping
[Fri Feb 22 19:13:37 2013] [notice] Digest: generating secret for digest 
authentication ...
[Fri Feb 22 19:13:37 2013] [notice] Digest: done
[Fri Feb 22 19:13:37 2013] [notice] Apache/2.2.15 (Unix) DAV/2 
Phusion_Passenger/3.0.19 PHP/5.3.20 mod_ssl/2.2.15 OpenSSL/1.0.0-fips 
configured -- resuming normal operations

Not sure how to fix it. 

Thanks,
Tom





Re: [Puppet Users] Module to add another puppetmaster?

2012-12-27 Thread Tom Fox
Thanks. Good point about the cert. Unfortunately Netscalers are the 
standard in my environment and to the best of my knowledge there is no 
love from puppet for them so pool management will still require some key 
pressing.




Matthew Black wrote:

The fastest way to rapidly scale is to have SSL terminated at the load
balancer so you do not need to update the ssl certificate. The
configuration to do it depends on what is being used for the load
balancer. If you are using an F5 LTM then you can easily handle the
SSL termination at the F5 and add new puppet servers to the pool with
the F5 module from puppetlabs.

If you are using Apache then you would follow the same principle with
the SSL terminated at the Apache load balancer. If you use
mod_passenger you are already terminating SSL at the Apache layer so
it's not too different at that point.

On Thu, Dec 27, 2012 at 2:08 PM, Tom Fox tom...@gmail.com wrote:

I'm working on getting my system setup for rapid scaling. Without resorting
to some ugly hacks what is the preferred method of adding more
puppetmasters? My puppetmasters sit behind a load balancer vip so the
certificate needs to be updated when I add a puppetmaster.

Does anyone have a module written for this already?




Re: [Puppet Users] Reporting for masterless Puppet?

2012-12-20 Thread Tom Linkin
If you use the 'reports' setting in the [main] section of your puppet.conf, 
your puppet apply report will be run through the report processors you specify. 

-- 
Tom Linkin
Professional Services Engineer
http://puppetlabs.com/
twitter: @trlinkin



On Thursday, December 20, 2012 at 7:44 PM, Mitchell Hashimoto wrote:

 Hi,
 
 A lazy google search brings up nothing definitive, so I ask the mailing list:
 
 Does reporting work with masterless Puppet? Can it be enabled? 
 
 Best,
 Mitchell
 
 



Re: [Puppet Users] Question on modeling multiple services sharing configuration

2012-12-16 Thread Tom Linkin
You may also want to consider looking at the concat module that R.I. Pienaar 
has on github. It should allow you to easily do the fragments on a common file 
like you described. 
https://github.com/ripienaar/puppet-concat

As for the way you expose the configuration properties as class parameters for 
the services, are you saying the actual names of $foo/$bar/$baz, for instance, 
would inform as to what information they need except it is not consistent 
between services which values go in which file? I suppose you could hide the 
detail of which property to which file if needed, however, parameterized 
classes do not work like functions. The parameters, at declaration time, can be 
declared in any order. Additionally, even if you could enforce the order in 
which they were passed, simply ordering them does not seem very intuitive 
still. Your best bet is to expose parameters with meaningful names, and 
document if it still is not very clear. 

-- 
Tom Linkin
Professional Services Engineer
http://puppetlabs.com/
twitter: @trlinkin



On Sunday, December 16, 2012 at 9:41 AM, Jason Slagle wrote:

 
 
 On 12/16/2012 01:09 AM, Roman Shaposhnik wrote:
  Hi!
  
  I would appreciate any advice on the best practices
  on how to model a collection of services that each
  has its own configuration file, but also share a common
  one.
  
  Now, the trouble is, that the common configuration file
  is not *really* just a place for the common configuration
  to reside, but also may have sections dedicated to holding
  properties of a particular service (just like /etc/puppet/puppet.conf
  has [main] [agent] and [master] sections).
  
  Thus, in reality, the configuration properties are
  per service and whether they need to go into a common
  configuration file or a service-specific one is NOT cleanly
  partitioned and is pretty awkward to remember. Which
  means I really don't want to expose the common config
  explicitly to the end user.
  
  Instead, I'd like to expose the natural hierarchy of:
  
  class service1($foo, $bar, $baz) {
  }
  .
  class serviceN($qoo, $zoo) {
  }
  
  but the question then becomes -- how can I model a
  common configuration file behind user's back so that
  $foo, $bar and $qoo end up there.
  
  At first I was thinking that I could utilize a singleton
  non-parameterized class and include it multiple
  times in all of the serviceX class definitions, but it
  seems I can't pass any values into it.
  
  I suppose I can still do that and create a skeleton
  of the common config in that singleton class
  that would later be manipulated either by augeas or
  concat patterns, but this seems to be pretty heavyweight.
  
  What would you, guys, recommend?
 
 This is a pattern I feel augeas is awesome at. I just did a similar 
 thing for puppet.conf on my end.
 
 Make the common configuration file virtual. Give it a default dummy 
 configuration file with replace = false (I do this because creating a 
 file with augeas seems a bit shaky to me).
 
 Then have each of the other services realize the common configuration 
 file and use augeas to add their own specific configuration elements.
 
 If the file is an inifile style, creating a lens is pretty trivial - you 
 can see the puppet file lens (Which is in 
 /usr/share/augeas/lenses/dist/puppet.aug on ubuntu) for an example.
 
 Jason
 
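The concat approach discussed in this thread, sketched as an added example (not code from any poster or from the concat module itself). It assumes the concat and puppetlabs-stdlib modules are installed and that /etc/myapp already exists; the paths, the common_config class and the common_config::section define are hypothetical names.

```puppet
# Singleton class that owns the shared file. It takes no parameters, so
# every service class can include it without duplicate-declaration errors.
class common_config {
  concat { '/etc/myapp/common.conf':
    owner => 'root',
    group => 'root',
    mode  => '0644',
  }

  concat::fragment { 'common_config_header':
    target  => '/etc/myapp/common.conf',
    content => "# Managed by Puppet; local edits will be overwritten\n",
    order   => '01',
  }
}

# One [section] of the shared file. Services pass values in here, which is
# how data reaches the singleton class without giving it parameters.
define common_config::section($settings, $order = '50') {
  include common_config

  # sort() keeps the rendered lines stable between runs, so an unordered
  # hash does not cause the file to be rewritten on every catalog.
  $lines = join(sort(join_keys_to_values($settings, ' = ')), "\n")

  concat::fragment { "common_config_section_${title}":
    target  => '/etc/myapp/common.conf',
    content => "\n[${title}]\n${lines}\n",
    order   => $order,
  }
}

# The user-facing class exposes only meaningful parameter names; which
# property lands in which file is decided here, not by the caller.
class service1($foo, $bar, $baz) {
  common_config::section { 'service1':
    settings => { 'foo' => $foo, 'bar' => $bar },
    order    => '10',
  }

  file { '/etc/myapp/service1.conf':
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "baz = ${baz}\n",
  }
}

class serviceN($qoo, $zoo) {
  common_config::section { 'serviceN':
    settings => { 'qoo' => $qoo },
    order    => '20',
  }

  file { '/etc/myapp/serviceN.conf':
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "zoo = ${zoo}\n",
  }
}
```

If any of the shared properties are secrets, tighten the mode on the concat resource, since every contributing service's values end up in the same file.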



[Puppet Users] Could not render to pson

2012-12-06 Thread Tom Owens
I found this error in syslog:

Dec  3 16:43:15 0x0x0tuna puppet-agent[16790]: 
(/Stage[main]/Tuna/File[/u/net/profile/common/zoom.so.32/hpsw.so]/content) 
change from {md5}9913d05900c2fd8cd14ef2efec728457 to 
{md5}fe7db3112ffcea0f80fbda99b7da408c failed: Could not back up 
/u/net/profile/common/zoom.so.32/hpsw.so: Could not render to pson: 
\340\215\203

As far as I can tell, the agent on this client box is trying to push 
/u/net/profile/common/zoom.so.32/hpsw.so into the filebucket on the puppet 
master and failing.  Since that backup fails, it won't receive the new 
file, which is a problem.

Does anybody have any ideas on how to fix this?  Or at least a better idea 
how to diagnose why it's failing?  I do not have this issue with text 
files.  hpsw.so is a shared library in Linux.

Thanks,

Tom




[Puppet Users] Proposed change to the broker RESTful API and CLI to handle parameters needed in additional broker plugins

2012-11-20 Thread Tom McSweeney
 moving 
forward), along with the impact those changes might have on the existing 
Puppet broker plugin.

Cheers,

Tom




[Puppet Users] Change Tab behavior in 3.0+

2012-10-15 Thread Tom Swartz
Hey all,

I have a question regarding the choice to move to spaces (rather than tabs) 
in the editor.

May I ask the reasoning behind this?

Furthermore, is there a way to revert to the 'old style' that used tabs 
instead? I prefer this, as it makes the code look cleaner.




[Puppet Users] Re: Change Tab behavior in 3.0+

2012-10-15 Thread Tom Swartz
I should say that this refers to Geppetto and the Geppetto Eclipse plugin. 
Sorry.

If this is the wrong group to post, could someone point me to the proper 
section?

On Monday, October 15, 2012 11:57:38 AM UTC-4, Tom Swartz wrote:

 Hey all,

 I have a question regarding the choice to move to spaces (rather than 
 tabs) in the editor.

 May I ask the reasoning behind this?

 Furthermore, is there a way to revert to the 'old style' that used tabs 
 instead? I prefer this, as it makes the code look cleaner.




