On Tuesday, April 23, 2013 4:45:59 AM UTC-5, Arnau wrote:
>
> Hi,
>
> I haveA class with several ssh_key resources:
>
> class web_cluster::ssh_keys( $ensure='present') {
> if ! ($ensure in [ "present", "absent" ]) {
> fail("cluster ensure parameter must be absent or present")
> }
>
> # Set local variables based on the desired state
>
> if ($ensure == "present") {
> $service_enable = true
> $service_ensure = running
> $package_ensure = latest
> $file_ensure= file
> $user_ensure= present
> }elsif ($ensure == "absent") {
> $service_enable = false
> $service_ensure = stopped
> $package_ensure = absent
> $file_ensure= absent
> $user_ensure= absent
> }
>
> Ssh_authorized_key {
> type=> 'ssh-rsa',
> }
>
> ssh_authorized_key {
>
> [...]
> 'user@key_3':
> ensure => $hostname ? {
> /host/=> $user_ensure,
> default => absent,
> },
> user=> 'www-bi',
> key => 'XXXx1zKQ==';
> }
>
>
> and every time I run puppet it says:
>
> notice:
> /Stage[main]/Web_cluster::Ssh_keys/Ssh_authorized_key[user@key_3]/ensure:
> created
> notice: Finished catalog run in 15.78 seconds
>
> but I only have a key there:
>
>
> $ cat .ssh/authorized_keys
> # HEADER: This file was autogenerated at Tue Apr 23 11:27:37 +0200 2013
> # HEADER: by puppet. While it can still be managed manually, it
> # HEADER: is definitely not recommended.
> ssh-rsa user@key_3
>
>
> Running it with debug:
>
>
> notice:
> /Stage[main]/Web_cluster::Ssh_keys/Ssh_authorized_key[user@key_3]/ensure:
> created
> debug: Flushing ssh_authorized_key provider target
> /data/www-bi/.ssh/authorized_keys
> debug: /Stage[main]/Web_cluster::Ssh_keys/Ssh_authorized_key[user@key_3]:
> The container Class[Web_cluster::Ssh_keys] will propagate my refresh event
>
>
> I cannot figure out why puppet is pushing the key everytime it runs.
> I happens with other keys in other servers.
> Could it be becuase of some strange charactes in the key?
>
> # rpm -qa|grep puppet
> puppet-2.7.21-1.el6.noarch
>
>
Puppet appears to not be correctly matching the existing key line to the
declared resource. Inasmuch as Puppet wrote the key line in the first
place, this is almost certainly caused by some characteristic of the data
supplied to it (i.e. the resource properties), most likely the key. Puppet
parses the line via this regular expression:
/^(?:(.+)
)?(ssh-dss|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521)
([^ ]+) ?(.*)$/
The most likely way I can see for that to break is if the key contains any
space characters, especially internal or trailing ones. Be sure to check
both the key file and the manifest. You can also try manually matching the
key line with that regex in irb to check how it is being parsed.
If you're running Puppet on Ruby 1.9 then there's an outside chance that
the problem arises from some kind of encoding mismatch. That's pretty
unlikely, but there has to be some explanation for why Puppet does not
correctly read back the key line that it wrote itself.
John
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
