Re: [Puppet Users] Re: Puppet Certificate Issues

2018-11-21 Thread John Gelnaw
I had difficulties with the stock puppetdb entrypoint script. I wound up changing it thusly: #!/bin/bash if [ ! -d "/etc/puppetlabs/puppetdb/ssl" ]; then set -e /opt/puppetlabs/bin/puppet config set certname ${HOSTNAME} if [ ! -f "/etc/puppetlabs/puppet/ssl/certs/ca.pem" ];

Re: [Puppet Users] Puppet 4 open source EOL

2018-08-15 Thread John Gelnaw
On Wednesday, August 15, 2018 at 12:54:02 PM UTC-4, Branan Purvine-Riley wrote: > > That's correct. At this point we have no more scheduled PC1 releases, and > would only do one for a security issue. In October we will stop releasing > it entirely. > > The new PE LTS release is based on

[Puppet Users] Re: exec resource stuck during the install of an Oracle Client on Windows

2018-06-12 Thread John Gelnaw
If I recall, you should be able to do something similar with the "start" command under cmd.exe: start /wait Which is effectively what you're doing under powershell.

[Puppet Users] Re: How to Orchestrate State, such as use IPs of new systems for config other systems

2018-05-01 Thread John Gelnaw
On Friday, April 27, 2018 at 9:31:24 PM UTC-4, Joaquin Menchaca wrote: > > Hello Puppeteers, > > Relearning Puppet (converting Ansible, Chef knowledge), not sure best > approach for this. How can I configure systems based on state of another > system? Essentially, I would use a tool like

[Puppet Users] Re: puppet "package" resource type for multi-file installer

2018-04-23 Thread John Gelnaw
refreshonly and notify are your friends. file { 'zipfile': notify => Exec['unzip'], source => 'file:///downloads/someZipFile.zip' } exec { 'unzip zipfile -d /some/file': alias => 'unzip', refreshonly => true, notify => Exec['installer'] } exec { '/some/file/setup.exe /a': alias =>

Re: [Puppet Users] Re: Unable to run source using 'exec' resource

2018-04-23 Thread John Gelnaw
jcbollinger has it right. You're setting environment variables, and then exiting the environment. Here's what is effectively happening: # bash # source ./opensh.rc echo $OS_TOKEN fbed3beb36960f2b3e1b # exit # echo $OS_TOKEN # When you tell Puppet to do an exec, it spawns a new instance of

[Puppet Users] Re: Can I use Puppet to run system updates?

2018-03-22 Thread John Gelnaw
On Monday, April 13, 2009 at 2:23:06 PM UTC-4, thierry.th...@gmail.com wrote: > > Hello, > > Reading the doc I could not find if Puppet could help running system > updates. > Help, yes. But I'd advise against trying to do them directly in puppet. > I would like to get started with several

[Puppet Users] Re: Puppet Agent Hang when PuppetServer Crashes...

2018-01-01 Thread John Gelnaw
On Monday, January 1, 2018 at 5:52:10 PM UTC-5, Matt Wise wrote: > > *Puppet Agent: 5.3.2* > *Puppet Server: 5.1.4 - Packaged in Docker, running on Amazon ECS* > I'm running a docker-compose based puppet setup, and had the same problem. Short version was to increase the java heap size for the

[Puppet Users] Re: Conditional actions based on result of other actions?

2017-12-27 Thread John Gelnaw
Most of your examples we handle through something like ossec and a monitoring package, but you could theoretically do something like: require pkg::wget if (! defined(Package['wget'])) { exec { 'command': } } ... which *should* require the resource 'pkg::wget' to be compiled first, and

[Puppet Users] Re: Can puppet master and agent communicate with certificates

2017-12-15 Thread John Gelnaw
On Friday, December 15, 2017 at 8:22:34 AM UTC-5, Harish Kothuri wrote: > > Hi, > > Is there a way, we can disable puppet CA completely and have PM and PA > communicates seamlessly? > What's the point in using certificates if you're going to disable the only mechanism for verifying them?

[Puppet Users] Re: Disable Puppet Agent SSL Authentication

2017-10-27 Thread John Gelnaw
We solved a similar problem by copying the host's cert and keys off to a separate server, and then as part of the build process, we (re)downloaded the client's cert/keys. All of ours was done with scp and host keys, since it was linux based, but no reason you can't do something similar with

[Puppet Users] Re: Creating a user without a shadow entry

2017-07-28 Thread John Gelnaw
On Monday, July 24, 2017 at 5:33:09 PM UTC-4, William Korb wrote: > > Hello fellow Puppeteers and thanks in advance for any assistance you may > be able to offer. > > We have a rather non-standard requirement on our Puppet-managed Linux > systems, and I'm trying to figure out if/how Puppet can

[Puppet Users] Re: Patch Automation By Puppet

2017-06-04 Thread John Gelnaw
Having been foolish enough to say "Sure, we can do that" in response to the relatively complicated patch scenario my supervisor wanted us to implement, I can offer advice, if not code-- Our code is heavily dependent on our environment, and probably wouldn't make much sense. It's also fairly

Re: [Puppet Users] stop service after install

2017-05-17 Thread John Gelnaw
On Wednesday, May 17, 2017 at 5:06:33 PM UTC-4, Poil wrote: > > I agree with "Debian is just by design stupid, thinks starting all > services" > All other integration are really fine, but auto-starting after install is > terrible for all configuration management : > Change a path (mysql

[Puppet Users] Re: Have Puppet remove a user when the associated class which created it is removed

2017-05-17 Thread John Gelnaw
On Friday, May 5, 2017 at 2:22:27 PM UTC-4, James Perry wrote: > > As I keep tweaking our Puppet/Foreman setup, I was wondering if it was > somehow possible to auto-magically remove users when the associated class is > removed from the server. All of our Puppet code is under source code >

Re: [Puppet Users] stop service after install

2017-05-17 Thread John Gelnaw
On Monday, May 15, 2017 at 8:16:38 AM UTC-4, R.I. Pienaar wrote: > > > debian will not overwrite configs on package install - suggest you put a > config down that does what you want first. > Or, I dunno, maybe he could tie the service to the config file, and restart apache when the

[Puppet Users] Re: Need to put iterative value in a file

2017-05-05 Thread John Gelnaw
The two ways I can think of, you can use ssh_authorized_key as part of a defined type, or you can create a file resource with a template, and use iteration within the template. Iteration within the template requires "future parser" or Puppet 4.x.

Re: [Puppet Users] How to dynamically change sudoers

2017-04-21 Thread John Gelnaw
I use a template for a single /etc/sudoers: # /etc/sudoers # # This file MUST be edited with the 'visudo' command as root. # # Of course, if you do, Puppet will completely rewrite it 30 minutes later. # Defaults env_reset <% unless @cmd_aliases.empty? -%> # Cmnd alias

[Puppet Users] Re: removing "minimum_uid=1000" value from all my pam config files

2017-03-31 Thread John Gelnaw
On Thursday, March 30, 2017 at 1:58:46 PM UTC-4, Peter K wrote: > > I'm trying to remove a specific configuration value, "minimum_uid=1000", > from multiple lines in several files (currently 5 files) in /etc/pam.d/. > A typical line looks like this: > auth [success=1 default=ignore]

Re: [Puppet Users] Subscribe for external module resources

2017-03-14 Thread John Gelnaw
On Tuesday, March 14, 2017 at 11:40:26 AM UTC-4, Warron French wrote: > > Gleb, you are running a cronjob to control the interval at which your > Puppet Clients are checking in? > > Did you know that you could instead use the option of *runinterval *within > the /etc/puppet/puppet.conf file

[Puppet Users] Re: Configure Puppet master as a universal caching proxy server

2017-03-13 Thread John Gelnaw
On Monday, March 13, 2017 at 10:23:28 AM UTC-4, Patryk Bęza wrote: > > I'm Puppet's new user and I have a simple question regarding Puppet > design: *is it possible to configure Puppet master as a universal, OS > agnostic >

Re: [Puppet Users] Manage delivery and execution of RPMs not in YUM

2017-03-06 Thread John Gelnaw
On Monday, March 6, 2017 at 9:16:45 AM UTC-5, jcbollinger wrote: > > > On Sunday, March 5, 2017 at 6:56:11 PM UTC-6, John Gelnaw wrote: > >> I created a second "mount point" in puppet via fileserver.conf, pointing >> to a location outside the puppet gi

Re: [Puppet Users] Manage delivery and execution of RPMs not in YUM

2017-03-05 Thread John Gelnaw
On Friday, March 3, 2017 at 8:31:00 AM UTC-5, Michael Watters wrote: > > This would be the ideal but you *can* use the rpm provider when needed. > For example: > > package { 'jdk': > ensure => installed, > provider => 'rpm', > source => '/pub/oracle/jdk-8-linux-x64.rpm', > } > > >

[Puppet Users] Re: Could not find class defined for specific environment when running puppet agent

2017-02-22 Thread John Gelnaw
I would ignore everything past "Using cached catalog from environment 'ops'" in your debugging, as it's cached and therefore probably represents a previous state of the puppet master catalog. Especially for testing, you can replace your puppet run with: service puppet stop && puppet agent

[Puppet Users] Re: Specifying dependency ordering inside of lambda functions

2017-02-20 Thread John Gelnaw
I can think of three options: 1) Break the user / group definitions into their own classes, and "require" the group class in your user definition class. 2) In some cases, Puppet does an implicit require-- it's possible your code would work as-is, and the catalog would recognize the need to

[Puppet Users] Re: Why do my SERVER certs get revoked?

2017-02-14 Thread John Gelnaw
On Tuesday, February 14, 2017 at 11:56:27 AM UTC-5, Dayton Jones wrote: > > I'm intermittently getting > Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server > certificate B: certificate verify failed: [certificate revoked for > /CN=my.puppet.master] > > when clients try to

[Puppet Users] Re: MCollective server cannot connect to ActiveMQ broker

2017-01-31 Thread John Gelnaw
On Tuesday, January 31, 2017 at 3:36:20 AM UTC-5, Isabell Cowan wrote: > > I've been trying all do to set up MCollective on my puppet cluster. No > matter what I do, I can't seem to get the MCollective server to connect. > The MCollective server(s) are running mostly on Ubuntu Xenial. The >

Re: [Puppet Users] How to read in file into array of hashes to use build start script template

2017-01-22 Thread John Gelnaw
On Friday, January 20, 2017 at 12:28:02 PM UTC-5, James Perry wrote: > > Thanks. > > The reason I have a CSV is that is what is provided from the users out of > their own private database where they keep this data. I have to take the > detail as it is given. Now I can manually process the data

[Puppet Users] Re: How to read in file into array of hashes to use build start script template

2017-01-13 Thread John Gelnaw
Set up hiera correctly, add a yaml file to your hierarchy, and translate the CSV file to YAML: I'm a perl geek, so: #!/bin/perl while(<>) { chomp; tr/A-Z/a-z/; my @a = split(/\,/); push(@{$hash{$a[0]}}, $a[1]); } for my $srv (sort(keys(%hash))) { print "startup::$srv\n"; for

Re: [Puppet Users] Over-engineering rant

2017-01-10 Thread John Gelnaw
On Tuesday, January 10, 2017 at 3:19:45 PM UTC-5, Eric Sorenson wrote: > > > I'd like to point out that this ntp module is also deliberately a test > case for *all* of the puppet 4 language features, and as such is kind of a > "reference module", so it certainly could be simpler but is intended

Re: [Puppet Users] Over-engineering rant

2017-01-10 Thread John Gelnaw
On Tuesday, January 10, 2017 at 12:37:14 AM UTC-5, R.I. Pienaar wrote: > > So how many times have you verified you didn't talk to an evil CA when > you > > originally connected an agent? > > Every time? I logged into my known CA using a non Puppet means, I know > it's > the known CA

Re: [Puppet Users] Over-engineering rant

2017-01-09 Thread John Gelnaw
On Monday, January 9, 2017 at 2:39:38 PM UTC-5, R.I. Pienaar wrote: > > > Because if i can convince your client to connect to $evil_ca, then what? > How's it to know its a new legit ca and not a new bad ca? > The same way it "knew" when you originally provisioned it-- It didn't. In fact, the

Re: [Puppet Users] Over-engineering rant

2017-01-09 Thread John Gelnaw
On Monday, January 9, 2017 at 10:10:08 AM UTC-5, R.I. Pienaar wrote: > > > so we're on the same page are you just saying in general the NTP module > has too much > going on and its too huge for a "simple" piece of software? > Mostly, it was the unexpected syntax. Somehow, I completely missed

Re: [Puppet Users] Over-engineering rant

2017-01-09 Thread John Gelnaw
On Sunday, January 8, 2017 at 2:31:33 PM UTC-5, Rob Nelson wrote: > > There are a lot of very valid issues and concerns you bring up here. I do > want to start by saying, however, that puppet 4 is more than 6 months old - > about 20 months to be precise - and most of the significant language >

Re: [Puppet Users] lspci via facter

2017-01-08 Thread John Gelnaw
I've been using the following code for a really long time now-- I think I 'borrowed' it from someone else. # videocards.rb controllers = [] output = %x{lspci} output.each_line {|s| controllers.push($1) if s =~ /VGA

Re: [Puppet Users] Array Iteration for Community Edition of Puppet(3.8)

2017-01-01 Thread John Gelnaw
On Sunday, January 1, 2017 at 2:41:16 AM UTC-5, R.I. Pienaar wrote: > > > Puppet 3 is now dead, upgrade to Puppet 4 - it's free - and you too can > enjoy > features designed to solve your problem > While understandable, that's something of an irritating answer-- It underlies a problem I've

[Puppet Users] Re: Puppet3 | hiera | role -> Problem role/mysql.yaml not used -> example from rnelson0.com with mysql

2016-12-21 Thread John Gelnaw
Hate replying to myself. As you noticed, "profile" and "datacenter" are also not defined.

[Puppet Users] Re: Puppet3 | hiera | role -> Problem role/mysql.yaml not used -> example from rnelson0.com with mysql

2016-12-21 Thread John Gelnaw
On Wednesday, December 21, 2016 at 11:37:38 AM UTC-5, Denny Fuchs wrote: > > hi, > > I try to understand the example from > https://rnelson0.com/2015/02/02/deploying-mysql-with-puppet-without-disabling-selinux/comment-page-1/ > > with MySQL. > > At this moment, most parts are working, except

[Puppet Users] Re: r10k, git and .gitignore

2016-12-19 Thread John Gelnaw
We used Gavin's approach and created a "downloads" mount within Puppet, so Puppet still handles the file transfer, but it's from a different set of directories outside of the git repo(s). Also, for anyone creating .deb / .rpm package files, if you aren't using 'fpm', you should be.

Re: [Puppet Users] puppet does not like ~ in file name

2016-11-10 Thread John Gelnaw
On Thursday, November 10, 2016 at 12:55:21 PM UTC-5, Fabrice Bacchella wrote: > > > > Le 10 nov. 2016 à 18:22, Rob Nelson a > écrit : > > > > That said, who decided a tilde to start a file name was good for > anything but a temp file??? I understand you have no choice as

[Puppet Users] Re: Very frequent "Error: Could not request certificate: The certificate retrieved from the master does not match the agent's private key." on Windows

2016-10-17 Thread John Gelnaw
On Wednesday, October 12, 2016 at 4:55:09 AM UTC-4, Fredrik Nilsson wrote: > > Thanks for your reply Andrew, sadly I guess that won't be an option as the > pain of resigning the actual certificate for erroneous hosts are less than > re-signing every certificate for all existing hosts. After all

[Puppet Users] Re: Warning: Unable to fetch my node definition, but the agent run will continue:

2016-10-17 Thread John Gelnaw
Some things to keep in mind for successful ENC scripts... First, on the agent, run: # facter fqdn This is the node name that will be reported to the puppet master (equivalent to 'hostname -f'). If it doesn't match expectations, fix that first-- preferably via DNS, but /etc/hosts is a valid

Re: [Puppet Users] Moment of duhh.... Trying to wrap my head around some condition statements.

2016-09-27 Thread John Gelnaw
if ($productname =~ /Z640/) { file { ... } exec { ... } } 'productname' is a fact which usually represents your system model.

[Puppet Users] Re: How to handle predictable network interface names

2016-08-27 Thread John Gelnaw
I went the other direction-- we deploy all of our servers (and most of our workstations) via cobbler, so all new RHEL 7 and CentOS 7 boxes have "net.ifnames=0" in the default profile, both pre and post install. I don't agree with upstream's complaint... udev-persistent rules, while a bit of a

Re: [Puppet Users] Re: Good documentation somewhere for doing a cert-roll?

2016-06-21 Thread John Gelnaw
You can also use: # openssl x509 -in ca_cert.pem -text -noout to see all the fields of the SSL cert.

[Puppet Users] Re: Good documentation somewhere for doing a cert-roll?

2016-06-20 Thread John Gelnaw
Many thanks for the re-signing of the CA idea. I can report that it worked for me, although I had to run the webrick version of puppetmaster to regenerate the puppet master's certificate. Since I have a full mcollective deployment as well, I was able to use the following steps to automate the

[Puppet Users] Re: puppet agent heartbeat

2016-02-17 Thread John Gelnaw
On Wednesday, February 17, 2016 at 10:37:46 AM UTC-5, moons...@gmail.com wrote: > > is there any way we can check the heartbeat of puppet agents? > > and if agent is down can puppet try to bring up the server. > It may be a bit primitive, but I've been using crontab to "manually" run the

[Puppet Users] Re: mcollective setup question

2013-10-14 Thread John Gelnaw
Was there ever a solution to this issue? I appear to be having a similar (if not the same) issue: By adding some debug code to client.rb, it appears that the replies I'm getting have no requestid at all. Log.warn(Ignoring a message that did not pass security validations) ---