Re: [Puppet Users] Re: Resolving/ Expanding module puppet:/// URI in exec line

2011-05-04 Thread Martin Alfke
Hi Edd,

puppet insists on unique resources.
Therefore you can not define the file resource for tar archive twice.

Another option would be to fetch the file via exec (wget/curl/scp),
create a flagfile afterwards and remove the archive after extraction.

Additionally you can set the unless parameter on the exec copy resource
to run only if the destination directory does not exist.

Example:

class apache-maven-v3 {

   # fetch from storage
   exec { 'copy_maven_v3':
     command => 'curl http://./apache-maven-v3-bin.tar.gz -o /usr/local && touch /usr/local/java/copy_finished',
     # exec needs a search path for unqualified commands such as curl and test
     path    => ['/bin', '/usr/bin'],
     creates => '/usr/local/java/copy_finished',
     # run only if extracted path does not exist
     unless  => 'test -d /usr/local/java/apache-maven-v3',
   }

   # extract
   exec { 'install_maven_v3':
     ...
   }

   # remove archive
   file { 'delete_copied_archive':
     path   => '/usr/local/java/...',
     ensure => absent,
   }

}


kind regards,

Martin



On 05/03/2011 08:37 PM, Edd Grant wrote:
 Hi Martin,
 
 Have tried this out and have noticed that the copied .gz file is left
 in /usr/share/java after unpacking. I tried adding another file
 resource to delete it but because this points to the same filepath as
 the initial resource puppet disallows it:
 
 Example below:
 
 class apache-maven-v3 {

   require java-app-base

   # copy file from puppet master to local system
   file { 'copy_maven_v3':
     path   => '/usr/local/java/apache-maven-3.0.3-bin.tar.gz',
     source => 'puppet:///modules/apache-maven-v3/apache-maven-3.0.3-bin.tar.gz',
   }

   # extract local file
   exec { 'install_maven_v3':
     command => '/bin/tar zxf /usr/local/java/apache-maven-3.0.3-bin.tar.gz',
     cwd     => '/usr/local/java',
     creates => '/usr/local/java/apache-maven-3.0.3',
   }

   # delete copied archive
   # Puppet disallows this...
   file { 'delete_copied_archive':
     path   => '/usr/local/java/apache-maven-3.0.3-bin.tar.gz',
     ensure => absent,
   }

   # make sure the order is set properly
   File['copy_maven_v3'] -> Exec['install_maven_v3'] -> File['delete_copied_archive']
 }
 
 gives the following error:
 
 Could not run Puppet configuration client: Cannot alias File[copy_maven_v3] to [/usr/local/java/apache-maven-3.0.3-bin.tar.gz]; resource [File, [/usr/local/java/apache-maven-3.0.3-bin.tar.gz]] already exists
 
 Is there an elegant puppetesque way of dealing with this? I'm trying
 to avoid resorting to exec commands if possible!
 
 Cheers,
 
 Edd
 
 
 
 On May 3, 10:45 am, Martin Alfke tux...@gmail.com wrote:
 Hi Edd,

 here is an example:

 class apache-maven-v3 {
   # prepare local filesystem
   file { 'java_path':
     path   => '/usr/local/java',
     ensure => directory,
   }
   # copy file from puppet master to local system
   file { 'copy_maven_v3':
     path   => '/usr/local/java/apache-maven-3.0.3-bin.tar.gz',
     source => 'puppet:///modules/apache-maven-v3/apache-maven-3.0.3-bin.tar.gz',
   }
   # extract local file
   exec { 'install_maven_v3':
     command => '/bin/tar zxf /usr/local/java/apache-maven-3.0.3-bin.tar.gz',
     cwd     => '/usr/local/java',
     creates => '/usr/local/java/apache-maven-3.0.3',
   }
   # make sure the order is set properly
   File['java_path'] -> File['copy_maven_v3'] -> Exec['install_maven_v3']

 }

 kind regards,

 Martin

 On 05/03/2011 11:06 AM, Edd Grant wrote:

 Hi Nan,

 Thanks for the answer - I'm not 100% clear how I could achieve this,
 could you expand on your suggestion a little, perhaps with an example?
 Would the file resource point at the .gz file in the module? If so how
 would I then reference the file resource in the tar command?

 Many thanks,

 Edd

 On May 2, 4:15 pm, Nan Liu n...@puppetlabs.com wrote:
 Use a file resource to deploy it to the agent and make the exec depend
 on the file resource.

 On May 2, 2011, at 7:58, Edd Grant e...@eddgrant.com wrote:

 Hi All,

 I have defined the following module to untar/unzip and copy the Maven
 distributable to a convenient location:

 class apache-maven-v3 {
   exec { '/bin/tar xzf /etc/puppet/modules/apache-maven-v3/files/apache-maven-3.0.3-bin.tar.gz':
     cwd     => '/usr/local/java',
     creates => '/usr/local/java/apache-maven-3.0.3',
   }
   ...
 }

 The above definition executes perfectly however in order to keep the
 module portable I want to replace the absolute path to the .gz file
 with a puppet:/// URI e.g.

 exec { '/bin/tar xzf puppet:///modules/apache-maven-v3/apache-maven-3.0.3-bin.tar.gz':

 When I change the class to use the puppet:/// URI I get the following
 error:

 (/Stage[main]/Apache-maven-v3/Exec[/bin/tar xzf puppet:///modules/apache-maven-v3/apache-maven-3.0.3-bin.tar.gz]/returns) change from notrun to 0 failed: /bin/tar xzf puppet:///modules/apache-maven-v3/apache-maven-3.0.3-bin.tar.gz returned 2 instead of one of [0] at /etc/puppet/
 

RE: [Puppet Users] templates on puppetmaster, shipped via scp to clients

2011-05-04 Thread Russell Howe
 Subject: [Puppet Users] templates on puppetmaster, shipped 
 via scp to clients
 
 Hi folks,
 
 I can't run puppet client on my nodes.  I want to fake facter 
 info to process templates and ship them via scp to my nodes.  
 Is it possible?
 Strategies?

I think puppet just uses the erb program to process its templates
so you should just be able to use that directly, I would expect.

-- 
Russell Howe
rh...@moonfruit.com

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.



RE: [Puppet Users] Re: Resolving/ Expanding module puppet:/// URI in exec line

2011-05-04 Thread Russell Howe

 On 05/03/2011 08:37 PM, Edd Grant wrote:
  Hi Martin,
  
  Have tried this out and have noticed that the copied .gz 
 file is left in /usr/share/java after unpacking.

Is this so bad? I would probably do something like:

$tarball_dir = '/usr/local/src'
$maven_version = '1.2.3'

file { "${tarball_dir}/apache-maven-${maven_version}.tar.gz":
  source => 'puppet:///...',
  [..]
}

exec { 'extract maven archive':
  command => "/usr/bin/tar xzf ${tarball_dir}/apache-maven-${maven_version}.tar.gz -C /usr/share/java",
  require => File["${tarball_dir}/apache-maven-${maven_version}.tar.gz"],
}

Or somesuch and leave the tarball where it is.

If you want to prune old tarballs you could do something ugly like

exec { 'cleanup old maven tarballs':
  command => "/bin/find ${tarball_dir} -name 'apache-maven-*.tar.gz'|/bin/grep -v apache-maven-${maven_version}.tar.gz|/bin/xargs rm -f",
}

or do it the puppet way with a load of file { foo: ensure => absent }

or have the first file be file { '.../apache-maven.tar.gz': source =>
"puppet:///.../apache-maven-${maven_version}.tar.gz" } so that the filename is
invariant, but the contents get replaced with whichever version you pick. This
method has the advantage that you don't get a buildup of old tarballs on the
node.

You could even do

exec { 'download and extract mvn':
  command => "/usr/bin/curl http://foo/apache-maven-${maven_version}.tar.gz|/usr/bin/tar xz -C /usr/share/java",
  creates => [...],
}

Many ways to crack this egg, and I'm sure people will suggest others.

-- 
Russell Howe
rh...@moonfruit.com
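
Added example, not part of the original messages: when an archive is fetched with curl as in the exec variants above, a wrapper like this checks it against a pinned SHA-256 digest and rejects member paths that would escape the target directory before anything is extracted. The function name, its return codes and the pinned-digest argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example: verify a downloaded archive before extracting it.
# verify_and_extract is a hypothetical helper name, not a Puppet or tar feature.

# verify_and_extract ARCHIVE EXPECTED_SHA256 DEST
# Returns 0 after a successful extraction,
#         1 if the digest does not match the pinned value,
#         2 if the archive lists an absolute path or a ".." component,
#         3 on any other error (missing file, unreadable archive, tar failure).
verify_and_extract() {
    archive=$1
    expected=$2
    dest=$3
    [ -f "$archive" ] && [ -d "$dest" ] || return 3

    # Compare the digest of what was actually downloaded with the pinned one.
    actual=$(sha256sum "$archive" | cut -d' ' -f1) || return 3
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $archive" >&2
        return 1
    fi

    # List the members first and refuse any that would land outside DEST.
    members=$(tar -tzf "$archive") || return 3
    if printf '%s\n' "$members" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $archive" >&2
        return 2
    fi

    # --no-same-owner: do not restore the uid/gid recorded in the archive,
    # which matters when the extraction runs as root.
    tar -xzf "$archive" -C "$dest" --no-same-owner || return 3
}
```

From an exec resource this would be called with the digest kept in the manifest, so a changed or tampered download fails the run instead of being unpacked.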




[Puppet Users] Puppetmaster revokes just signed certificates

2011-05-04 Thread M C
Hi,

I have this problem: when I make a new request and sign the client's
certificate, then i get a revoked certificate error:

err: Could not retrieve catalog from remote server: sslv3 alert certificate
revoked

I am using same version of puppet on master and clients, tried many times,
dates are the same, and cleaned the ssl directory.

Can someone help me?

Thanks,
Matteo




Re: [Puppet Users] Puppetmaster revokes just signed certificates

2011-05-04 Thread Ohad Levy
On Wed, May 4, 2011 at 2:09 PM, M C mcsof...@gmail.com wrote:

 Hi,

 I have this problem: when I make a new request and sign the client's
 certificate, then i get a revoked certificate error:

 err: Could not retrieve catalog from remote server: sslv3 alert certificate
 revoked

 I am using same version of puppet on master and clients, tried many times,
 dates are the same, and cleaned the ssl directory.

 Can someone help me?

 since puppet doesn't always refresh the revocation list, and if you did
some funny changes to your ssl dir, you might end up using the same
certificate serial.

try removing all files with CRL on the server and client in their ssl dir.
(and if you use apache, restart it)

Ohad




[Puppet Users] puppet not working after switch to passenger - permissions issue?

2011-05-04 Thread Andreas Kuntzagk

Hi,

as suggested on the list I switched from the standalone puppetmaster to 
Passenger. I have passenger installed now and edited the apache config as far as 
I understood. I restarted apache.

Now when I run an agent I get:

/var/lib/gems/1.8/bin/puppet agent --server node002 --test
err: Could not retrieve catalog from remote server: Error 403 on SERVER: 
Forbidden request: node039(192.168.73.39) access to /catalog/node039 [find] at 
line 0

warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

In the server log I find this:

May  4 14:13:08 node002 puppet-master[14489]: Denying access: Forbidden request: 
node039(192.168.73.39) access to /catalog/node039 [find] at line 0
May  4 14:13:08 node002 puppet-master[14489]: Forbidden request: 
node039(192.168.73.39) access to /catalog/node039 [find] at line 0


Here is my apache config:

# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off

Listen 8140

<VirtualHost *:8140>
    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

    SSLCertificateFile      /etc/puppet/ssl/certs/node002.pem
    SSLCertificateKeyFile   /etc/puppet/ssl/private_keys/node002.pem
    SSLCertificateChainFile /etc/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /etc/puppet/ssl/ca/ca_crt.pem
    # If Apache complains about invalid signatures on the CRL, you can try disabling
    # CRL checking by commenting the next line, but this is not recommended.
    SSLCARevocationFile     /etc/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars

    DocumentRoot /etc/puppet/rack/public/
    RackBaseURI /
    <Directory /etc/puppet/rack/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>


Is that a permissions problem? I don't know how that /catalog/node039 URL maps to 
a file path.


regards, Andreas




Re: [Puppet Users] Puppetmaster revokes just signed certificates

2011-05-04 Thread M C
Thank you, it solved!

Goodbye,
Matteo

2011/5/4 Ohad Levy ohadl...@gmail.com



 On Wed, May 4, 2011 at 2:09 PM, M C mcsof...@gmail.com wrote:

 Hi,

 I have this problem: when I make a new request and sign the client's
 certificate, then i get a revoked certificate error:

 err: Could not retrieve catalog from remote server: sslv3 alert
 certificate revoked

 I am using same version of puppet on master and clients, tried many times,
 dates are the same, and cleaned the ssl directory.

 Can someone help me?

 since puppet doesn't always refresh the revocation list, and if you did
 some funny changes to your ssl dir, you might end up using the same
 certificate serial.

 try removing all files with CRL on the server and client in their ssl dir.
 (and if you use apache, restart it)

 Ohad





Re: [Puppet Users] chicken and the egg.. pushing custom facter plugins for use within puppet..

2011-05-04 Thread Disconnect
Although good advice (pluginsync is win) that still doesn't solve the
chicken/egg problem - puppet won't evaluate the new facts on the first run.

We work around it by checking the existence of the fact/value before using
it. Not ideal but it works. (And on brand new hosts, we run puppetd -t
--tags no_such_tag to get the sync done. We actually do it twice, so that
the new values are pushed up to the puppetmaster before the 'real' run, but
that probably isn't strictly necessary.)

On Tue, May 3, 2011 at 11:04 PM, Nan Liu n...@puppetlabs.com wrote:

 On Tue, May 3, 2011 at 10:04 PM, Michael Dodwell
 michael.dodw...@gmail.com wrote:
  Hi,
 
  I've created a number of custom facts that i've added to manifests. If
  i add the custom fact, have puppet push the custom fact file to the
  host, then after it's pushed it add it to the templates everything
  works fine. However if i try and use the module on a fresh host
  without the custom facter it fails. When it looks at the templates it
  isn't aware of the custom fact yet and errors out.
 
  How can i get it to pull down the facter plugin before it tries to
  read the template file?
 
  I have tried:
 
  file {
    '/etc/somefile':
      owner   => root,
      group   => root,
      mode    => 644,
      require => File['/usr/lib/ruby/1.8/facter/custom_fact.rb'],
      content => template('module/etc/somefile');
  }
 
  Any suggestions? I'd prefer not to have to add the custom facter to
  the kickstart/jumpstart environment.

 This is solved with pluginsync option. Puppet will download any custom
 facts/providers, so you should not distribute them to the agent as
 file resources.

 Thanks,

 Nan




Re: [Puppet Users] chicken and the egg.. pushing custom facter plugins for use within puppet..

2011-05-04 Thread Nan Liu
On Wed, May 4, 2011 at 10:01 AM, Disconnect dc.disconn...@gmail.com wrote:
 Although good advice (pluginsync is win) that still doesn't solve the
 chicken/egg problem - puppet won't evaluate the new facts on the first run.

Pluginsync should occur before facter executes and facts get submitted
to the server, so it should not be necessary to run puppet twice. Any
more info about your puppet version and system setup?

 We work around it by checking the existence of the fact/value before using
 it. Not ideal but it works. (And on brand new hosts, we run puppetd -t
 --tags no_such_tag to get the sync done. We actually do it twice, so that
 the new values are pushed up to the puppetmaster before the 'real' run, but
 that probably isn't strictly necessary.)

 On Tue, May 3, 2011 at 11:04 PM, Nan Liu n...@puppetlabs.com wrote:

 On Tue, May 3, 2011 at 10:04 PM, Michael Dodwell
 michael.dodw...@gmail.com wrote:
  Hi,
 
  I've created a number of custom facts that i've added to manifests. If
  i add the custom fact, have puppet push the custom fact file to the
  host, then after it's pushed it add it to the templates everything
  works fine. However if i try and use the module on a fresh host
  without the custom facter it fails. When it looks at the templates it
  isn't aware of the custom fact yet and errors out.
 
  How can i get it to pull down the facter plugin before it tries to
  read the template file?
 
  I have tried:
 
  file {
    '/etc/somefile':
      owner   => root,
      group   => root,
      mode    => 644,
      require => File['/usr/lib/ruby/1.8/facter/custom_fact.rb'],
      content => template('module/etc/somefile');
  }
 
  Any suggestions? I'd prefer not to have to add the custom facter to
  the kickstart/jumpstart environment.

 This is solved with pluginsync option. Puppet will download any custom
 facts/providers, so you should not distribute them to the agent as
 file resources.

 Thanks,

 Nan




Re: [Puppet Users] Re: Resolving/ Expanding module puppet:/// URI in exec line

2011-05-04 Thread Patrick

On May 3, 2011, at 11:37 AM, Edd Grant wrote:

 Hi Martin,
 
 Have tried this out and have noticed that the copied .gz file is left
 in /usr/share/java after unpacking. I tried adding another file
 resource to delete it but because this points to the same filepath as
 the initial resource puppet disallows it:

In my experience, having the file stick around can be helpful if you keep them 
somewhere out of the way.  I'd download it to something like 
/usr/local/tar_packages and leave it there.  If that's a problem, you can use 
/tmp, which should be cleaned occasionally by the OS.  Just make sure to be 
careful of permissions if it's sensitive;




[Puppet Users] Re: Force resigning of existing certificates

2011-05-04 Thread Jake - USPS
I responded to this last night but don't see my reply still this
morning so I'm going to respond again.

I had a question about if the CA and CRL being signed for 5 years is
static or also controlled by ca_ttl.  If they are 5y regardless/
static, is there some sort of action I need to take when they expire
or does puppet take care of them automatically?  Just want to make
sure whether upping ca_ttl is good enough for me or if there are other
things I need to potentially be aware of.

Thanks,
Jake

On May 3, 3:30 pm, Ohad Levy ohadl...@gmail.com wrote:
 On Tue, May 3, 2011 at 9:29 PM, Jake - USPS jacob.m.mcc...@usps.gov wrote:

  Thanks for the response.  I found it in the genconf now.  Looks like
  default is 5y.  I'll be changing it for my needs.

  note that the CA itself is signed for 5 years too... (and it seems that the

 CRL as well - which is wrong).

 Ohad







  Thanks!
  Jake

  On May 3, 12:53 pm, Matt Wise w...@wiredgeek.net wrote:
   the ttl setting is 'ca_ttl' i think in puppet.conf.. and yes, you'll
  ultimately need to re-sign the certs for clients when they expire. the
  default is 1 year though, so it'll be a while.
   On Apr 29, 2011, at 10:32 AM, Jake - USPS wrote:

Yea, I'm new to puppet ... sounds like now I have to worry about certs
eventually expiring and regenerate/sign them to keep nodes happy?

Seems Trevor suggests increasing TTL.  How can I do this if I wanted
to?

Thanks,
Jake

On Apr 28, 9:30 am, Matt Wise w...@wiredgeek.net wrote:
Unfortunately, this is still a 'missing feature' of Puppet IMO. I
  applaud Foreman for adding it as functionality though in their own code. For
  our situation, we ended up writing our own CGI script on the Puppet CA
  servers as well as a client-side script that runs periodically on the
  clients to verify whether or not their cert is still valid. When their cert
  gets close-to-expiring, it checks in with the CGI script and supplies the
  original CSR that the host used for its first cert request to puppet. Our
  CGI script then has permissions to run some openssl commands, and generates
  a whole new cert for the client and passes it back. This all happens over
  SSL of course, and is only allowed for clients that still have a valid
  certificate anyways. Its not pretty, but its how we solved the problem...
  and its worked so far. We have ~600 hosts and they each get a new cert every
  25 days.

Ideally there would be this functionality built into puppet... when a
  client checked in, the server would check if the cert is within X days of
  expiring. If it is, it would generate a new cert and pass it back to the
  client automatically. Of course this would be an 'option', but it seems like
  an obvious feature addition.

I looked and could not find an actual bug report requesting this
  functionality explicitly, so I opened one:

   http://projects.puppetlabs.com/issues/7272

On Apr 27, 2011, at 2:54 PM, Ohad Levy wrote:

On Thu, Apr 28, 2011 at 12:17 AM, Jake - USPS 
  jacob.m.mcc...@usps.gov wrote:
OK, just had to post this!  I found a solution to my issues that may
help others.

   http://glarizza.posterous.com/managing-puppet-ssl-certificates

fyi - as the original author of that script... the same functionality
  exists within foreman.

Ohad

Basically a CGI script located on your CA Server.  You can pass the
hostname/certname that you want to clean via http to the script and
have it clean it off the CA Server.  More details in the link above.
This is working great for me and I'll be using it until similar
functionality is included by default in puppet.

Regards,
Jake

On Apr 14, 8:50 am, Jake - USPS jacob.m.mcc...@usps.gov wrote:
Nevermind, looks like its in 2.7.0rc1

 http://groups.google.com/group/puppet-users/browse_thread/thread/b3b5...
cb01221 (#3360) Add an allow_duplicate_certs option

On Apr 14, 8:45 am, Jake - USPS jacob.m.mcc...@usps.gov wrote:

Thanks for the reply.  I'm just starting to understand puppet, so I
would like not to mess with that ... yet.  It does look very
interesting though, so thanks for bringing that up.

Derek,

Thanks for the bug.  That looks like it includes some things that I
would like ... like the allow duplicate cert and whatnot.  It looks
like its status closed as of 14 hours ago.  Does that mean it is in
some release of puppet now, or just that code it ready to
  eventually
be implemented?  I'd like to start trying it out right away as my
'solution' doesn't seem to work well with dashboard.

Thanks,
Jake

On Apr 14, 8:41 am, Ohad Levy ohadl...@gmail.com wrote:

On Thu, Apr 14, 2011 at 4:31 PM, Jake - USPS jacob.m.mcc...@usps.gov wrote:

Also, what is foreman and how could it help.  Not familiar with
  that
product.

Foreman takes care for the entire process, things like
  provisioning, class
assignments and reportings are all 

[Puppet Users] Re: Force resigning of existing certificates

2011-05-04 Thread Jake - USPS
So does that mean those will be update as well (if ca_ttl is set
before they are generated) or are they 5y regardless and using
anything higher then 5y does not matter?  Or are you just throwing a
fact out there and it doesn't matter to me and I'll be OK?


Thanks,
Jake

On May 3, 3:30 pm, Ohad Levy ohadl...@gmail.com wrote:
 On Tue, May 3, 2011 at 9:29 PM, Jake - USPS jacob.m.mcc...@usps.gov wrote:

  Thanks for the response.  I found it in the genconf now.  Looks like
  default is 5y.  I'll be changing it for my needs.

  note that the CA itself is signed for 5 years too... (and it seems that the

 CRL as well - which is wrong).

 Ohad







  Thanks!
  Jake

  On May 3, 12:53 pm, Matt Wise w...@wiredgeek.net wrote:
   the ttl setting is 'ca_ttl' i think in puppet.conf.. and yes, you'll
  ultimately need to re-sign the certs for clients when they expire. the
  default is 1 year though, so it'll be a while.
   On Apr 29, 2011, at 10:32 AM, Jake - USPS wrote:

Yea, I'm new to puppet ... sounds like now I have to worry about certs
eventually expiring and regenerate/sign them to keep nodes happy?

Seems Trevor suggests increasing TTL.  How can I do this if I wanted
to?

Thanks,
Jake

On Apr 28, 9:30 am, Matt Wise w...@wiredgeek.net wrote:
Unfortunately, this is still a 'missing feature' of Puppet IMO. I
  applaud Foreman for adding it as functionality though in their own code. For
  our situation, we ended up writing our own CGI script on the Puppet CA
  servers as well as a client-side script that runs periodically on the
  clients to verify whether or not their cert is still valid. When their cert
  gets close-to-expiring, it checks in with the CGI script and supplies the
  original CSR that the host used for its first cert request to puppet. Our
  CGI script then has permissions to run some openssl commands, and generates
  a whole new cert for the client and passes it back. This all happens over
  SSL of course, and is only allowed for clients that still have a valid
  certificate anyways. Its not pretty, but its how we solved the problem...
  and its worked so far. We have ~600 hosts and they each get a new cert every
  25 days.

Ideally there would be this functionality built into puppet... when a
  client checked in, the server would check if the cert is within X days of
  expiring. If it is, it would generate a new cert and pass it back to the
  client automatically. Of course this would be an 'option', but it seems like
  an obvious feature addition.

I looked and could not find an actual bug report requesting this
  functionality explicitly, so I opened one:

   http://projects.puppetlabs.com/issues/7272

On Apr 27, 2011, at 2:54 PM, Ohad Levy wrote:

On Thu, Apr 28, 2011 at 12:17 AM, Jake - USPS 
  jacob.m.mcc...@usps.gov wrote:
OK, just had to post this!  I found a solution to my issues that may
help others.

   http://glarizza.posterous.com/managing-puppet-ssl-certificates

fyi - as the original author of that script... the same functionality
  exists within foreman.

Ohad

Basically a CGI script located on your CA Server.  You can pass the
hostname/certname that you want to clean via http to the script and
have it clean it off the CA Server.  More details in the link above.
This is working great for me and I'll be using it until similar
functionality is included by default in puppet.

Regards,
Jake

On Apr 14, 8:50 am, Jake - USPS jacob.m.mcc...@usps.gov wrote:
Nevermind, looks like its in 2.7.0rc1

 http://groups.google.com/group/puppet-users/browse_thread/thread/b3b5...
cb01221 (#3360) Add an allow_duplicate_certs option

On Apr 14, 8:45 am, Jake - USPS jacob.m.mcc...@usps.gov wrote:

Thanks for the reply.  I'm just starting to understand puppet, so I
would like not to mess with that ... yet.  It does look very
interesting though, so thanks for bringing that up.

Derek,

Thanks for the bug.  That looks like it includes some things that I
would like ... like the allow duplicate cert and whatnot.  It looks
like its status closed as of 14 hours ago.  Does that mean it is in
some release of puppet now, or just that code it ready to
  eventually
be implemented?  I'd like to start trying it out right away as my
'solution' doesn't seem to work well with dashboard.

Thanks,
Jake

On Apr 14, 8:41 am, Ohad Levy ohadl...@gmail.com wrote:

On Thu, Apr 14, 2011 at 4:31 PM, Jake - USPS jacob.m.mcc...@usps.gov wrote:

Also, what is foreman and how could it help.  Not familiar with
  that
product.

Foreman takes care for the entire process, things like
  provisioning, class
assignments and reportings are all done though it (and many many
  other
features).

see http://theforeman.org for more details.

Ohad


[Puppet Users] Disable class by exception (not disable service in a class)

2011-05-04 Thread Chris Phillips
Hi,

I don't know if I'm just not getting it, but I'm struggling to find
the way to elegantly disable a class in its entirety. I am aware of
the foo::disabled conventions, but these are about the disabling of
the end service defined by the class, not the class itself. I'm
looking to have a most encompassing default node class and by
exception provide overrides by ENC's with dashboard. Whilst I'm fine
with the concept of adding a class to a node in dashboard to use, for
example, sshd::disabled, but what if I want to just remove all trace
of the class, so a very simple example is a class I've written to
manage /etc/hosts. So it just sticks a templated file there, nothing
worth pasting, but how do I, by exception, ignore the file totally?

I've seen a few interesting things using variables in the class name
(e.g. include foo::$operatingsystem) (from here -
http://m0dlx.com/blog/Puppet_manifests__a_multi_OS_style_guide.html )
and I can see how that variable (not that one obviously, but something
new) could be used to include an empty class instead, but this feels
hacky for the way I would think I could use it here - not least
because I'd have to call include foo::enable or such like for every
module, which can't be good style. My initial thought would be to put
a conditional to bypass a resource, but again assume that's pretty
ugly too.

So again, I just want to wipe out the impact of the class, unmanage as
it were, replace the contents with a nice simple { } regardless of
what it was written to do maybe, not force disabling of the end
result, and I'm assuming there is a great and painfully simple way to
do this with style, but it's missing me right now.

Thanks

Chris

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.



Re: [Puppet Users] Re: Force resigning of existing certificates

2011-05-04 Thread Nigel Kersten
On Wed, May 4, 2011 at 2:39 PM, Jake - USPS jacob.m.mcc...@usps.gov wrote:

 I responded to this last night but don't see my reply still this
 morning so I'm going to respond again.


For some reason Google Groups thought your message was spam. I just sent it
through.


 I had a question about if the CA and CRL being signed for 5 years is
 static or also controlled by ca_ttl.  If they are 5y regardless/
 static, is there some sort of action I need to take when they expire
 or does puppet take care of them automatically?  Just want to make
 sure whether upping ca_ttl is good enough for me or if there are other
 things I need to potentially be aware of.


Puppet doesn't take care of them automatically. We've seen a few different
methods for automating the renewal process, but we're lacking a definitive
guide, which we should all get together.
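
Since expiry of the CA certificate and CRL is not handled automatically, a periodic check of how long each has left is the minimum safeguard. The following is an added example, not part of this thread or of Puppet's own code: the CA and CRL are constructed in memory so it runs offline, and the function names and the 90-day warning threshold are assumptions.

```ruby
require 'openssl'

DAY = 86_400

# Constructed CA certificate and CRL so the check runs offline. Against a real
# puppetmaster, read the CA's PEM files instead and pass them to expiry_report.
def constructed_ca(valid_days:, crl_days:, now: Time.now)
  key  = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse('/CN=constructed-example-ca')

  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = name
  cert.issuer     = name
  cert.public_key = key
  cert.not_before = now - 3600
  cert.not_after  = now + valid_days * DAY
  cert.sign(key, OpenSSL::Digest.new('SHA256'))

  crl = OpenSSL::X509::CRL.new
  crl.version     = 1
  crl.issuer      = name
  crl.last_update = now - 3600
  crl.next_update = now + crl_days * DAY
  crl.sign(key, OpenSSL::Digest.new('SHA256'))

  [cert.to_pem, crl.to_pem]
end

# Whole days between now and the expiry time; negative once it has passed.
def days_left(expiry, now)
  ((expiry - now) / DAY).floor
end

# Report remaining validity for the CA certificate (notAfter) and the CRL
# (nextUpdate). Both need attention: an expired CRL breaks verification even
# while the CA certificate itself is still valid.
def expiry_report(cert_pem, crl_pem, warn_days: 90, now: Time.now)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  crl  = OpenSSL::X509::CRL.new(crl_pem)

  { 'ca_cert' => cert.not_after, 'ca_crl' => crl.next_update }.map do |label, expiry|
    left = days_left(expiry, now)
    status =
      if left < 0
        :expired
      elsif left < warn_days
        :renew_soon
      else
        :ok
      end
    [label, { days_left: left, status: status }]
  end.to_h
end

if $PROGRAM_NAME == __FILE__
  # Constructed input: a CA valid for five years and a CRL due in 30 days.
  cert_pem, crl_pem = constructed_ca(valid_days: 5 * 365, crl_days: 30)
  expiry_report(cert_pem, crl_pem).each do |label, info|
    puts format('%-8s %5d days left  %s', label, info[:days_left], info[:status])
  end
end
```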




[Puppet Users] Re: templates on puppetmaster, shipped via scp to clients

2011-05-04 Thread Judd Maltin
Thanks Russell and Felix!  That makes plenty of sense - the puppet
client can do all the manifest and template processing that
puppetmaster can do, plus it has access to facter facts.

On May 4, 6:31 am, Russell Howe rh...@moonfruit.com wrote:
  Subject: [Puppet Users] templates on puppetmaster, shipped
  via scp to clients

  Hi folks,

  I can't run puppet client on my nodes.  I want to fake facter
  info to process templates and ship them via scp to my nodes.  
  Is it possible?
  Strategies?

 I think puppet just uses the erb program to process its templates
 so you should just be able to use that directly, I would expect.

 --
 Russell Howe
 rh...@moonfruit.com




RE: [Puppet Users] Re: templates on puppetmaster, shipped via scp to clients

2011-05-04 Thread Russell Howe
 Sent: 04 May 2011 16:07
 To: Puppet Users
 Subject: [Puppet Users] Re: templates on puppetmaster, 
 shipped via scp to clients
 
 Thanks Russell and Felix!  That makes plenty of sense - the 
 puppet client can do all the manifest and template processing 
 that puppetmaster can do, plus it has access to facter facts.

I mean you don't even necessarily need the puppet client.

If you can pass the facter facts into erb you should be able to
process the templates directly I think.

-- 
Russell Howe
rh...@moonfruit.com




Re: [Puppet Users] Conditionals

2011-05-04 Thread Nigel Kersten
On Wed, May 4, 2011 at 8:01 AM, Felix Frank felix.fr...@alumni.tu-berlin.de
 wrote:

  Can I somehow pass variables or other tokens around the catalogue and
  make conditional decisions in other modules based on them?

 Excellent question.

 You more or less can, but you shouldn't. Scoping issues will bite you
 sooner or later.


Not if you either set the variables at top scope or always use fully
qualified variables in a class that includes all your other classes.

Another method to avoid scoping is to set these as node parameters in your
node classifier.

For your use case, you should take a hard look at Custom Facts.


This will avoid any potential scoping issues but does add the overhead of
writing the facts.




[Puppet Users] Re: Adding multiple sudoer files to sudoers.d

2011-05-04 Thread takrishnan
Thanks Nan!

Can I use the define directly within a node specification?
For example:

node abc {
  include sudoers::config {group1:}
}
node xyz inherits abc {
  include sudoers::config {group2:}
}

Anandha

On Apr 29, 10:04 am, Nan Liu n...@puppetlabs.com wrote:
 On Fri, Apr 29, 2011 at 9:53 AM, takrishnan takrish...@yahoo.com wrote:
  I would like add multiple sudoer files to the sudoers.d directory and
  would like someone to help.

  I'm thinking something like this should work but it's not.

  init.pp
  -
  class sudoers {
        file:
         :
         :
        pkg:
         :
         :
  }

  class sudoers::$sudogroup {
         file {"$dirpath/$sudogroup":
                 path => "$dirpath/$sudogroup",
                 source => "puppet:///modules/sudoers/sudoers.d/$sudogroup",
                 require => File["/etc/sudoers.d"];
         }
  }

 What you are looking for is a define resource instead of a class.

 define sudoers::config {
   file { "/path/to/sudoers.d/${name}":
     source => "puppet:///modules/sudoers/sudoers.d/${name}",
   }
 }

 The require File[/etc/sudoers.d] should not be necessary, since it's
 an implied dependency (puppet knows it's a file under that directory,
 and you can find all implied dependency using --graph). You can use
 the define like it's any standard resource:

 sudoers::config { group1: }
 sudoers::config { group2: }
 ...

 Thanks,

 Nan




[Puppet Users] Data Sources CSV files vs Database

2011-05-04 Thread rjl
Hi all,
Presently, I am managing my external data via CSV files. These files
are manually changed as required.

I would like to have a UI that updates a database (probably postgres)
and then have puppet retrieve its external data directly from the
database.

Has anyone done this? Does this make sense?

Thanks in advance for any insight/advice/opinions.

Best Regards




[Puppet Users] Puppet-dashboard not linking to filebucket or diffs

2011-05-04 Thread treydock
In my puppet-dashboard when a change is made to files and it shows the
MD5 sums I am never presented a link to view the file or any diffs of
those files.  I assume that the text between '[' and ']' is supposed
to be the link but it's just plain text.  This is when viewing
individual reports in Puppet-dashboard.  I can expand the line under
Events where that change is recorded.

Here's an example...

notice  content changed '{md5}7a8ec7feb2846a2cffd246b67d3d7842' to
'{md5}a6175c11d9055942d7970258422b7cdd' /Stage[main]/Sudo/File[/etc/
sudoers]/content/etc/puppet/modules/sudo/manifests/init.pp  12
2011-05-03 10:29 CDT

Nothing in the report is a linked field to allow me to view either
filebucket contents or a diff.  I do not know where to begin in
troubleshooting this as I am seeing absolutely no errors in any log
files.  I'm running puppet, and puppetmaster 2.6.8 and dashboard
1.1.0.  The dashboard is hosted on an Apache server using Passenger.
If there are some debugging or troubleshooting steps that may help
narrow this down please let me know.

Thanks
- Trey




[Puppet Users] Passenger Error during the evaluation of config/environment.rb

2011-05-04 Thread PBWebGuy
I have been through all of the instructions for setting up a
PuppetMaster using Passenger.  At the present time, when I access
Passenger I receive the Passenger Error page with the message "The
application has exited during startup (i.e. during the evaluation of
config/environment.rb)".  I've looked at the log files and there is
nothing obvious.

When I run puppetmaster everything is working with a 2nd node.  Then
when I switch over to Passenger, I get the error.

Any suggestions?

Thanks,

John


Here is some of my configuration information:


config.ru

# a config.ru, for use with every rack-compatible webserver.
# SSL needs to be handled outside this, though.

# if puppet is not in your RUBYLIB:
# $:.unshift('/opt/puppet/lib')

$0 = "master"

# if you want debugging:
# ARGV << "--debug"
ARGV << "--debug"

#ARGV << "--rack"
require 'puppet/application/master'
# we're usually running inside a Rack::Builder.new {} block,
# therefore we need to call run *here*.
run Puppet::Application[:master].run
---

*** LOCAL GEMS ***

daemon_controller (0.2.6)
fastthread (1.0.7)
passenger (3.0.7)
rack (1.2.2)
rake (0.8.7)

Running Puppet 2.6.7




[Puppet Users] Re: Could not autoload inventory_active_record: uninitialized constant ActiveRecord

2011-05-04 Thread George
Turned out the problem was multiple ruby versions. I tried to install
Rails 3, which in turn tried to install Activerecord 3, which required
ruby 1.8.7 which I installed. I cleaned up ruby-1.8.7, installed Rails
2.3.4 and its associated components, and now this works.

On Apr 29, 9:11 pm, George ge.hepp...@gmail.com wrote:
 Trying to set up the inventory service on puppet 2.6.8, pretty sure
 I've met all the dependencies but puppetmaster logs

 Could not autoload inventory_active_record: uninitialized constant ActiveRecord

 When clients attempt to connect.

 local gems:

 *** LOCAL GEMS ***

 abstract (1.0.0)
 actionmailer (3.0.7, 2.2.3)
 actionpack (3.0.7, 2.2.3)
 activemodel (3.0.7)
 activerecord (3.0.7)
 activeresource (3.0.7, 2.2.3)
 activesupport (3.0.7, 2.3.5, 2.2.3)
 arel (2.0.9)
 builder (2.1.2)
 bundler (1.0.12)
 erubis (2.6.6)
 i18n (0.5.0)
 mail (2.2.19)
 mime-types (1.16)
 mysql (2.8.1)
 polyglot (0.3.1)
 rack (1.2.2)
 rack-mount (0.6.14)
 rack-test (0.5.7)
 rails (3.0.7)
 railties (3.0.7)
 rake (0.8.7)
 thor (0.14.6)
 treetop (1.4.9)
 tzinfo (0.3.27)

 Installed ruby packages:

 ruby-1.8.6.383-6.el5.kb
 ruby-enterprise-debuginfo-1.8.7-1
 rubygems-1.3.1-1.el5
 ruby-devel-1.8.6.383-6.el5.kb
 ruby-shadow-1.4.1-7.el5
 libselinux-ruby-1.33.4-5.5.el5
 rubygem-rake-0.8.7-2.el5
 ruby-ri-1.8.6.383-6.el5.kb
 ruby-libs-1.8.6.383-6.el5.kb
 ruby-enterprise-1.8.7-1
 ruby-irb-1.8.6.383-6.el5.kb
 ruby-enterprise-rubygems-1.5.0-1
 ruby-mysql-2.7.3-1.el5
 ruby-augeas-0.3.0-1.el5
 ruby-rdoc-1.8.6.383-6.el5.kb




Re: [Puppet Users] Re: How to setup database for Inventory Service

2011-05-04 Thread James Turnbull
Alessandro Franceschi wrote:
 Thank you for the feedback.
 I've momentarily postponed the inventory setup but, for the chronicle,
 just inserting the query you posted didn't work out of the box.
 I'll get back on this when sorted out other things.
 Al


Al

You should also be able to do:

[master]
dbmigrate=true

In your puppet.conf and Puppet will automatically add the tables.

Regards

James Turnbull

-- 
James Turnbull
Puppet Labs
1-503-734-8571




Re: [Puppet Users] Passenger Error during the evaluation of config/environment.rb

2011-05-04 Thread Denmat
Hi,

I haven't tested puppet/passenger with those versions of passenger/rake but 
they appear high to me.

I use 2.1x of passenger and 1.1 of rake (can't remember exact versions). Higher 
versions did not work.

This may or may not be your particular issue as I currently run 2.6.4 of puppet.

Cheers,
Den

On 05/05/2011, at 7:51, PBWebGuy pbweb...@gmail.com wrote:

 I have been through all of the instructions for setting up a
 PuppetMaster using Passenger.  At the present time, when I access
 Passenger I receive the Passenger Error page with the message "The
 application has exited during startup (i.e. during the evaluation of
 config/environment.rb)".  I've looked at the log files and there is
 nothing obvious.
 
 When I run puppetmaster everything is working with a 2nd node.  Then
 when I switch over to Passenger, I get the error.
 
 Any suggestions?
 
 Thanks,
 
 John
 
 
 Here is some of my configuration information:
 
 
 config.ru
 
 # a config.ru, for use with every rack-compatible webserver.
 # SSL needs to be handled outside this, though.
 
 # if puppet is not in your RUBYLIB:
 # $:.unshift('/opt/puppet/lib')
 
 $0 = "master"
 
 # if you want debugging:
 # ARGV << "--debug"
 ARGV << "--debug"
 
 #ARGV << "--rack"
 require 'puppet/application/master'
 # we're usually running inside a Rack::Builder.new {} block,
 # therefore we need to call run *here*.
 run Puppet::Application[:master].run
 ---
 
 *** LOCAL GEMS ***
 
 daemon_controller (0.2.6)
 fastthread (1.0.7)
 passenger (3.0.7)
 rack (1.2.2)
 rake (0.8.7)
 
 Running Puppet 2.6.7
 



[Puppet Users] variables inside a template for my hp ilo device

2011-05-04 Thread Corey Osman
I am writing a hp ilo module to automatically assign a static ip that is 
derived from the IP of the system which is fed in via facter.  I basically just 
need to change the network the ilo is connected to.

The ruby code works great inside the irb console.  However, puppet doesn't seem 
to be able to use the variable I have derived from the ipaddress.  This is my 
first template so I am not exactly sure if I can use ruby syntax inside a 
template.  

Any ideas on how I can accomplish this?





# Define the two variables which will be used to determine which network the ilo will go on
ilonet = '21'
gwbit = '240'
dns = '10.0.1.19'
netmask = '255.255.255.0'

iparray = ipaddress.split('.')
iloip = iparray[0] + '.' + iparray[1] + '.' + iparray[2] + '.' + ilonet
gwarray = iloip.split('.')
gateway = gwarray[0] + '.' + gwarray[1] + '.' + gwarray[2] + '.' + gwbit


<RIBCL VERSION="2.0">
  <LOGIN USER_LOGIN="adminname" PASSWORD="password">
    <SERVER_INFO MODE="write">
      <SERVER_NAME value ="<%= hostname %>"/>
    </SERVER_INFO>
    <RIB_INFO MODE="write">
      <MOD_NETWORK_SETTINGS>
        <SPEED_AUTOSELECT VALUE = "Y"/>
        <IP_ADDRESS VALUE = "<%= iloip %>"/>
        <SUBNET_MASK VALUE = "<%= netmask %>"/>
        <GATEWAY_IP_ADDRESS VALUE = "<%= gateway %>"/>
        <DNS_NAME VALUE = "ilo-<%= hostname %>"/>
        <PRIM_DNS_SERVER value = "<%= dns %>"/>
        <DHCP_ENABLE VALUE = "N"/>
        <DOMAIN_NAME VALUE = ""/>
      </MOD_NETWORK_SETTINGS>
    </RIB_INFO>
    <USER_INFO MODE="write">
      <ADD_USER
        USER_NAME="User"
        USER_LOGIN="admin"
        PASSWORD="changeme">
        <ADMIN_PRIV value ="Y"/>
        <REMOTE_CONS_PRIV value ="Y"/>
        <RESET_SERVER_PRIV value ="Y"/>
        <VIRTUAL_MEDIA_PRIV value ="Y"/>
        <CONFIG_ILO_PRIV value="Yes"/>
      </ADD_USER>
    </USER_INFO>
  </LOGIN>
</RIBCL>
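
An added example, not part of the original post or of Puppet itself: a shortened fragment of the RIBCL template with the address derivation placed inside ERB tags, rendered with Ruby's stock erb library from a hash of facts (the approach suggested earlier in this archive for processing templates without the agent). The fact values, the `render_ilo_config` and `unwrapped_error` names and the input validation are assumptions.

```ruby
require 'erb'
require 'ipaddr'

# Constructed facts, standing in for what facter would report on the node.
SAMPLE_FACTS = { 'hostname' => 'web01', 'ipaddress' => '10.0.1.57' }.freeze

# Ruby that derives iloip and gateway sits inside <% ... %>. Outside those
# tags ERB copies every line to the output as literal text and never runs it.
ILO_TEMPLATE = <<~'ERB_SRC'
  <%
  ilonet  = '21'
  gwbit   = '240'
  octets  = ipaddress.split('.')
  iloip   = (octets[0, 3] + [ilonet]).join('.')
  gateway = (octets[0, 3] + [gwbit]).join('.')
  -%>
  <MOD_NETWORK_SETTINGS>
    <IP_ADDRESS VALUE = "<%= iloip %>"/>
    <GATEWAY_IP_ADDRESS VALUE = "<%= gateway %>"/>
    <DNS_NAME VALUE = "ilo-<%= hostname %>"/>
  </MOD_NETWORK_SETTINGS>
ERB_SRC

# The same kind of assignment left outside the tags: it is emitted as text,
# so the later <%= iloip %> refers to a name Ruby never defined.
UNWRAPPED_TEMPLATE = "iloip = '10.0.1.21'\n<%= iloip %>\n"

# Render the fragment from a facts hash. Facts end up inside XML attributes
# that configure a management controller, so they are validated first instead
# of being interpolated as-is.
def render_ilo_config(facts)
  ip = IPAddr.new(facts.fetch('ipaddress')) # raises on malformed input
  raise ArgumentError, 'ipaddress fact must be IPv4' unless ip.ipv4?

  host = facts.fetch('hostname')
  unless host.match?(/\A[A-Za-z0-9-]{1,63}\z/)
    raise ArgumentError, 'unexpected characters in hostname fact'
  end

  ERB.new(ILO_TEMPLATE, trim_mode: '-')
     .result_with_hash(ipaddress: ip.to_s, hostname: host)
end

# Returns the exception class raised when the unwrapped template is rendered.
def unwrapped_error
  ERB.new(UNWRAPPED_TEMPLATE).result_with_hash({})
  nil
rescue NameError => e
  e.class
end

if $PROGRAM_NAME == __FILE__
  puts render_ilo_config(SAMPLE_FACTS)
  puts "unwrapped template raises: #{unwrapped_error}"
end
```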




Re: [Puppet Users] Can puppet client make immediate pull after a file's content change by user?

2011-05-04 Thread vagn scott

It sounds like you are solving the wrong problem.
Why do your users have root privs?
If they need root for some things, use sudo to give them
only what they need.  Or use suid/sgid mechanisms
to allow community access to certain resources.

If you need to lock down specific files look at the
immutable bit that some file systems have.

--
vagn


On 04/06/2011 05:50 PM, John Chris Richards wrote:

Hi all

Firstly, I am new in configuration management and all I know about
watching files is that client checks a file's check sum every t hour
and if a change has occurred then it gets the file from the server.

I wonder that if a user changes a file, does the puppet client wait
end of the time (t) or is there way to say client if a change occurs
in a specific file then make an immediate pull? I mean, I don't want
to wait until the time is up. Is there a way to make this in puppet?

Thanks in advance.

   





[Puppet Users] Re: Can puppet client make immediate pull after a file's content change by user?

2011-05-04 Thread treydock
It's not ideal but this could very easily be achieved with Zabbix.
With Zabbix you can have a check, running for example every 30
seconds, that runs a checksum on a specific file.  Then a trigger that
is activated if the last known checksum varies from the current
checksum, here's an example from one of the default templates,
{Template - Linux Servers:vfs.file.cksum[/etc/passwd].diff(0)}>0.
Then create an action for that trigger.  Actions can initiate remote
commands, which you specify to be a manual run of puppet.  This can
get extremely resource intensive, and really isn't ideal.

In my environment I personally don't use Zabbix for this but rather
OSSEC to get email notifications upon changes of key files.

- Trey

On Apr 7, 1:10 am, John Chris Richards john.chris.richa...@gmail.com
wrote:
 Hi Nan

 First of all thanks for your answer

  Are you trying to trigger a puppet run when a particular file changes?

 Yes, this is what I exactly want to do. For example, if a user changes
 /etc/hosts file (via vim for instance), it will be corrupted until the next
 run. What if I don't want to wait until the next run?

 Thanks again.

 2011/4/7 Nan Liu n...@puppetlabs.com







  On Wed, Apr 6, 2011 at 2:50 PM, John Chris Richards
  john.chris.richa...@gmail.com wrote:
   Hi all

   Firstly, I am new in configuration management and all I know about
   watching files is that client checks a file's check sum every t hour
   and if a change has occurred then it gets the file from the server.

   I wonder that if a user changes a file, does the puppet client wait
   end of the time (t) or is there way to say client if a change occurs
   in a specific file then make an immediate pull? I mean, I don't want
   to wait until the time is up. Is there a way to make this in puppet?

  Puppet agent runs periodically to enforce the catalog, it can replace
  the file if it detects any changes, but it doesn't monitor the file to
  trigger runs. I suppose you can run puppet continuously (not
  recommended), but perhaps if you give some insight on what you are
  trying to accomplish would give us a better idea how to achieve it
  with puppet. Are you trying to trigger a puppet run when a particular
  file changes? Are you trying to monitor several files?

  Thanks,

  Nan




Re: [Puppet Users] Re: Adding multiple sudoer files to sudoers.d

2011-05-04 Thread Nan Liu
On Wed, May 4, 2011 at 12:24 PM, takrishnan takrish...@yahoo.com wrote:
 Can I use the define directly within a node specification?
 For example:

 node abc {
      include sudoers::config {group1:}
 }

Defines result in a custom resource type, and the syntax is the same as
any other puppet resource:
type { 'title':
  attribute => value,
}

In your example above simply:
node abc {
     sudoers::config { 'group1': }
}

Thanks,

Nan




Re: [Puppet Users] Data Sources CSV files vs Database

2011-05-04 Thread Nan Liu
On Wed, May 4, 2011 at 12:51 PM, rjl rjlin...@gmail.com wrote:
 Hi all,
 Presently, I am managing my external data via CSV files. These files
 are manually changed as required.

Are you using extlookup function to retrieve the CSV configuration data?

 I would like to have a UI that updates a database (probably postgres)
 and then have puppet retrieve its external data directly from the
 database.

You will need to write either a custom function that performs data
lookup. Something along the line of:
# connect to postgres
# sql query using lookup criteria (typically certname)
# return data hash

Or you can write a custom external node classifier (ENC):
http://docs.puppetlabs.com/guides/external_nodes.html

Thanks,

Nan




[Puppet Users] Re: chicken and the egg.. pushing custom facter plugins for use within puppet..

2011-05-04 Thread Michael Dodwell
 We work around it by checking the existence of the fact/value before using it

Is this done in the template file or somewhere else? Can you please
supply dummy code as an example?

Thanks



On May 5, 12:01 am, Disconnect dc.disconn...@gmail.com wrote:
 Although good advice (pluginsync is win) that still doesn't solve the
 chicken/egg problem - puppet won't evaluate the new facts on the first run.

 We work around it by checking the existence of the fact/value before using
 it. Not ideal but it works. (And on brand new hosts, we run puppetd -t
 --tags no_such_tag to get the sync done. We actually do it twice, so that
 the new values are pushed up to the puppetmaster before the 'real' run, but
 that probably isn't strictly necessary.)







 On Tue, May 3, 2011 at 11:04 PM, Nan Liu n...@puppetlabs.com wrote:
  On Tue, May 3, 2011 at 10:04 PM, Michael Dodwell
  michael.dodw...@gmail.com wrote:
   Hi,

   I've created a number of custom facts that i've added to manifests. If
   i add the custom fact, have puppet push the custom fact file to the
   host, then after it's pushed it add it to the templates everything
   works fine. However if i try and use the module on a fresh host
   without the custom facter it fails. When it looks at the templates it
   isn't aware of the custom fact yet and errors out.

   How can i get it to pull down the facter plugin before it tries to
   read the template file?

   I have tried:

   file {
      "/etc/somefile":
        owner   => root,
        group   => root,
        mode    => 644,
        require => File["/usr/lib/ruby/1.8/facter/custom_fact.rb"],
        content => template("module/etc/somefile");
   }

   Any suggestions? I'd prefer not to have to add the custom facter to
   the kickstart/jumpstart environment.

  This is solved with pluginsync option. Puppet will download any custom
  facts/providers, so you should not distribute them to the agent as
  file resources.

  Thanks,

  Nan




[Puppet Users] virtualized resource collections

2011-05-04 Thread tu2Bgone

Hi all,

I'm trying to figure out how to automatically configure my nodes with  
amanda backup client.


What I want to achieve is that the server have an entry created in the  
/etc/amanda/(Daily|Weekly|Monthly)/disklist.conf file on the server.


The disklist.conf file lists entries like so:
nodename partition alias {
a
bunch
of
vars
}
anothernodename partition alias {
a
bunch
of
vars
}

I want that to come from a 'role' class assignment - ie, a webserver has  
the webserver role and has a backup template.


I was hoping to use a define like so:
define amanda::client::takebackup ($type, $period, $compress = undef) {
# take the hostname from the name var.
$myhost = $name

@@file { "/etc/amanda/$period/disklist.conf":
ensure => present,
owner => amandabackup,
group => disk,
mode => 0600,
content => template("amanda/$period/$type.erb"),
tag => amandabackupdisklist,
}
} #end define

And activate the resource like so:
devel_buildserver.pp:
class roles::devel_buildserver {
include amanda::client
amanda::client::takebackup { $fqdn:
type => "dev_build",
period => "Daily",
compress => false,
}
} #end class

The erb is like so:
dev_build.erb:
# This is a puppet controlled disklist file for dev_build
<%= myhost %> / / {
zmc_unix_base
encrypt none
<% if has_variable?("compress") then -%>
compress client best
<% else -%>
compress none
<% end -%>
estimate calcsize server
property zmc_type unix
property zmc_disklist Daily
property zmc_version 3
property zmc_extended_attributes gtar
property zmc_amanda_app gtar
property zmc_show_advanced on
property creation_time 2011-04-19 23:38:01
property zmc_occ 33438030906
property last_modified_time 2011-04-20 18:56:43
exclude /proc,/srv,/sys
property zmc_amcheck_date 20110420185643
zmc_gtar_app
}

Then in the server class I wanted to realize the resource like so:
class amanda::server {
...
some other stuff
...
File <<| tag == 'amandabackupdisklist' |>>
}

This is not working. The file is not being realized on the server node. I  
don't think the way I've gone about it will ever work though the way I  
first thought - hence this call for help... :)


How can I get this to work? What has got me especially worried is the  
appending of node data to the disklist.conf file - how to do that?


Cheers,
Den
