Re: [Puppet Users] [Dashboard] permission denied error when using apache

2011-09-28 Thread Tom De Vylder
On 27 Sep 2011, at 20:49, Russell Van Tassell wrote:

 Just FYI/FWIW ... Passenger tries to run (setuid) as the user that owns 
 config.ru... not as the apache user.
 
 Ref: http://projects.puppetlabs.com/projects/1/wiki/Using_Passenger

Thanks! That one finally got me on the right track.

Even more information on the subject:
http://www.modrails.com/documentation/Users%20guide%20Apache.html#user_switching

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.



Re: [Puppet Users] CPAN package provider?

2011-09-28 Thread qutic development
You can use a define:

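define perl::installCPAN () {
  exec { "cpan_install_$name":
    # Search path so the unqualified perl in 'unless' can be resolved
    path    => ['/usr/bin', '/bin'],
    command => "/usr/bin/cpan -i \"$name\"",
    timeout => 600,
    # Skip the install when the module already loads
    unless  => "perl -e \"use $name\"",
    require => Package['perl'],
  }
}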

On 27.09.2011, at 16:59, Jeffrey Ollie wrote:

 Google searches don't turn up anything very promising in terms of a
 Puppet CPAN package provider.  What are people using to manage Perl
 modules installed through CPAN?




[Puppet Users] Re: Setting file level ACL

2011-09-28 Thread jcbollinger


On Sep 27, 6:23 pm, Corey Osman co...@logicminds.biz wrote:
 How do I go about using puppet to set an ACL on a file.  I did not see ACL 
 support under the file type.

 Has anybody done this before without using exec?

 Example:

 # Set ACL on directory
 setfacl -R -d -m mask:007 /directory


The command you present as an example can have no Puppet equivalent
other than an Exec, because the state change it directs depends on the
current state of the resources it affects.  Or looking at it from the
opposite direction, Puppet has no way to determine whether the
affected resources are already in the target state.  That is not the
way Puppet works, except Exec.

If Puppet did support managing file ACLs then it would do so via the
File resource type.  If you check that type you will find 'owner',
'group', and 'mode' properties, along with several pertinent to
SELinux; these are what you have to work with.  There is also the
'recurse' property for extending the scope of a directory declaration
to all its contents, recursively, but it is likely to cause you
trouble if the files affected that way are many or collectively large.

It is conceivable that File could be extended to allow you to specify
an ACL, but manifests would need to specify the full ACL that was
desired, for application via 'setfacl --set' (NOT 'setfacl --modify').
It would be tricky to get this right because of the
overlap between such a property and File's other properties, but in
principle it could be done.


John
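
One way to get the state-independent behaviour described above out of an Exec, as an added example that is not part of the original post: the complete ACL is applied with 'setfacl --set', and an 'unless' check compares it with the current ACL so the Exec only runs when they differ. The define name acl::enforce, the path /srv/reports and the user deploy are assumptions made for illustration.

```puppet
# Added illustration; acl::enforce is a hypothetical define, not a Puppet type.
# $spec must be the COMPLETE access ACL in getfacl's long form, mask included,
# for example 'user::rwx,user:deploy:r-x,group::r-x,mask::r-x,other::---'.
define acl::enforce ($spec) {
  exec { "setfacl --set ${name}":
    provider => shell,              # the check below needs pipes and $( )
    path     => ['/bin', '/usr/bin'],
    # --set replaces the whole ACL, so the outcome does not depend on
    # whatever entries were there before (unlike --modify).
    command  => "setfacl --set '${spec}' '${name}'",
    # Skip the command when the sorted current entries equal the sorted
    # desired entries. getfacl: -c no header, -p keep leading '/',
    # -E no '#effective' comments.
    unless   => "test \"\$(getfacl -cpE '${name}' | grep . | sort | paste -sd, -)\" = \"\$(echo '${spec}' | tr , '\\n' | sort | paste -sd, -)\"",
    require  => File[$name],
  }
}

# The overlap with File's own properties: owner, group and other bits of
# 'mode' must agree with user::, mask:: and other:: in the ACL, otherwise
# the File and the Exec undo each other on every run.
file { '/srv/reports':
  ensure => directory,
  owner  => 'root',
  group  => 'root',
  mode   => '0750',   # 7 = user::rwx, 5 = mask::r-x, 0 = other::---
}

acl::enforce { '/srv/reports':
  spec => 'user::rwx,user:deploy:r-x,group::r-x,mask::r-x,other::---',
}
```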




[Puppet Users] Re: create_resources (or variable scoping?) question

2011-09-28 Thread jcbollinger


On Sep 27, 4:45 pm, Matthias Pigulla m...@webfactory.de wrote:
 Replying to myself:

  define complex_user($uid, $sshkeys) {
     /* ... create user with $name ... */
     create_resources(keys_for, $sshkeys)
  }

  define keys_for($key) { ... }

 I just found that when having a $user_name = $name in complex_user, I can 
 access that in keys_for simply as $user_name and it seems to work (TM).

 Is that a legitimate approach or discouraged? I've read
 http://docs.puppetlabs.com/guides/scope_and_puppet.html but that does not
 say anything about definitions?


If your keys_for definition were nested inside your complex_user
definition then I think that would resolve the variable scoping
issue.  If it works at all, that is, which I'm not sure it would.
Otherwise, your approach relies on dynamic scoping, which should evoke
a warning in 2.7.x and will fail in 2.8.x.


John




[Puppet Users] How to check if a given directory exists??

2011-09-28 Thread Sans
Dear all,

I have a module like this:

class mom_priv_config {
    file {
        'config':
            owner   => 'root', group   => 'root', mode    => '0644',
            name    => '/var/torque/mom_priv/config',
            content => template('w_nodes/mom_priv-config.tpl'),
            #notify  => Service['pbs_mom']
    }
}

which is working great on its own. But all I want is to carry on with
this *ONLY IF* /var/torque/mom_priv directory exists on the client.
If there is no such directory present, just ignore. How can I do
this? I looked on the net but nothing came out as a solution to me.
Can anyone help me with this please? Cheers!!




Re: [Puppet Users] Re: Dashboard parameters to control VIPs?

2011-09-28 Thread Scott Merrill
This is what I had in mind for part of this, yes. Thanks!

Some more explanation of the situation and the goal:
Some of our RHEL servers get assigned a virtual IP address for
application-specific purposes. The first such vip is assigned to
device eth0:1, the second vip to eth0:2, etc. Currently, adding a vip
to a server requires us to ssh to the server, create the
/etc/sysconfig/network-scripts/ifcfg-eth0:X file, add an entry for the
vip to /etc/hosts, and manually bring up the defined interface.

My current goal is to allow an operator to provision a new vip through
Puppet Dashboard, using Dashboard's parameters to define a key=value
relationship between a vip and its IP address. So, the first vip
assigned to a server would get a parameter key of vip1 with a
parameter value of 1.1.1.1. At the next Puppet execution, the new
vip will get provisioned automagically. A second could be defined
with vip2=2.2.2.2, etc.

Because we don't know in advance how many vips any server will have,
I'm struggling with how to enumerate through an arbitrary number of
parameters to discover all the ones named vip?, such that the end
state is that all of that server's vips are configured and enabled.

Thanks,
Scott

On Tue, Sep 27, 2011 at 10:28 PM, Sandor W.  Sklar ssk...@gmail.com wrote:
 Perhaps I'm not understanding what you are asking, but I've got this
 class network::interface:

 class network::interface( $device,
                          $bootproto = 'static',
                          $hwaddr,
                          $ipaddr,
                          $ipv6init = 'yes',
                          $mtu = '1500',
                          $netmask,
                          $onboot = 'yes' ) inherits network {

  # Create the device definition file
   file { "/etc/sysconfig/network-scripts/ifcfg-$device":
     content => template('network/ifcfg.erb'),
   }

   # Ifdown and ifup the new interface upon changes
   exec { "ifdown-ifup-$device":
     user        => 'root',
     path        => '/etc/sysconfig/network-scripts:/bin:/usr/bin:/sbin:/usr/sbin',
     command     => "/sbin/ifdown $device ; /sbin/ifup $device",
     refreshonly => true,
     subscribe   => File["/etc/sysconfig/network-scripts/ifcfg-$device"],
   }

 }

 ... and the template:


 # This file is created by puppet
 # DO NOT HAND-EDIT
 DEVICE=<%= device %>
 BOOTPROTO=<%= bootproto %>
 <% if has_variable?("gateway") then -%>
 GATEWAY=<%= gateway %>
 <% end -%>
 HWADDR=<%= hwaddr %>
 IPADDR=<%= ipaddr %>
 IPV6INIT=<%= ipv6init %>
 MTU=<%= mtu %>
 NETMASK=<%= netmask %>
 ONBOOT=<%= onboot %>

 Is this what you are looking for?







[Puppet Users] Re: Exec resource question

2011-09-28 Thread jcbollinger


On Sep 27, 12:52 pm, Damien Bridges damien3...@gmail.com wrote:
 Hi All,

 Does anyone know how to add bash code to the exec resource?  I was
 thinking I could add it to the command section.  I thought I could run
 the code after I put the link command and options in.  However, it
 didn't work.  My bash code has 'if' statements with $ signs in it.  I
 want to move block to a directory with its version so it can be sym
 linked to /block.
 move-block () {
     # Only act when /block/block is a non-empty file and /block is not yet a symlink
     if [[ -s /block/block && ! -h /block ]]; then
         VERSION=$(/block/block -v | grep -oE "[0-9]{1,4}\.[0-9]{1,3}\.[0-9]{1,4}\.[0-9]{1,4}")
         RENAMED_DIR="/block_$VERSION"
         echo; echo "Moving System to $RENAMED_DIR"
         rm -rf "$RENAMED_DIR"
         mv /block "$RENAMED_DIR"
     fi
 }

 Thanks in advance,


Use single quotes to delimit the command.  This will inhibit Puppet
from performing variable interpolation within, and will prevent Puppet
from interpreting the embedded double quotes.  Alternatively, you can
use a backslash (\) to quote Puppet metacharacters within a string,
just like in the shell.

With that said, I have to agree with Damien that a script of any
significant complexity ought to be written to a file on the client
system and executed that way.  For example, use a File resource to
ensure your script is present in /tmp, and run it via an Exec.  Be sure
to set up a relationship between the File and Exec resources to ensure
that they are applied in the right order.


John
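
The File-plus-Exec arrangement described above, as an added example that is not part of the original post. The module name blockmgmt and the script location are assumptions; the script is placed in a root-owned directory rather than /tmp so that no other local user can replace it before the Exec runs it as root.

```puppet
# Added illustration; 'blockmgmt' and the script path are assumed names.
class blockmgmt::move_block {

  # Ship the shell logic as a file instead of embedding it in 'command',
  # which avoids every Puppet-versus-shell quoting problem with "$" and '"'.
  file { '/usr/local/sbin/move-block.sh':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0700',   # only root may read, write or execute it
    source => 'puppet:///modules/blockmgmt/move-block.sh',
  }

  exec { 'move-block':
    # Single quotes: Puppet performs no variable interpolation here.
    command => '/usr/local/sbin/move-block.sh',
    path    => ['/bin', '/usr/bin'],
    # Same guard as the shell function in the question: run only while
    # /block/block is a non-empty file and /block is not yet a symlink.
    onlyif  => 'test -s /block/block -a ! -h /block',
    # Ordering: the script must be in place before the Exec is applied.
    require => File['/usr/local/sbin/move-block.sh'],
  }
}
```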




[Puppet Users] Re: Exec resource question

2011-09-28 Thread jcbollinger


On Sep 27, 8:44 pm, Jo Rhett jrh...@netconsonance.com wrote:
 You can't do that, as the IF code is resolved by the puppet master before 
 delivering the compiled catalog to the client.  It looks like you want to 
 just make a shell script, push it to the client and run it there.

Sorry, no.  If statements are not recognized inside resource
declarations, which is where the shell code would need to be
(preferably in the value of the 'command' property, but possibly in
the Exec title).  Moreover, the shell code needs to be quoted anyway
to feed it to Puppet, and doing so would prevent Puppet from
interpreting anything in it even if it were somewhere where Puppet
might otherwise consider doing so.


John




[Puppet Users] Re: Trying to mount a bunch of directories using a hash

2011-09-28 Thread jcbollinger


On Sep 27, 11:15 am, Marc Richman marc.rich...@livewiremobile.com
wrote:
 I am trying to use a hash to mount a bunch of directories but I am unsure how 
 to get the value for the key.  Feel free to tell me I am going about this the 
 wrong way.

 This is the error I get from my module (init.pp listed below):

 Could not retrieve catalog from remote server: Error 400 on SERVER: value is 
 a required option for Puppet::Parser::Resource::Param at 
 /etc/puppet/modules/sandbox/mount-content-new/manifests/init.pp:27 on node 
 bos-test01.contentstore.net

 Obviously I don't know how to refer to the inside the mount type

 - init.pp -

 #
 # $Id:$
 #

 class mount-content-new {

   $content = {
     '/content/music/beggars'         => 'bos-netapp01:/vol/Indy_1/beggars',
     '/content/music/bmg'             => 'bos-netapp02:/vol/bmg/bmg'
   }

   $keys = split(inline_template("<%= content.keys.join(',') %>"), ",")

   file {["/content","/content/music"]:
     ensure => directory,
     owner  => root,
     group  => root,
     mode   => 0755,
   }

   file {$keys:
     ensure => directory,
     mode   => 0755,
   }

   mount {$keys:
     atboot => true,
     device => $content[$keys],
     ensure => mounted,
     fstype => nfs,
     options => "rw,bg,hard,intr,rsize=32768,wsize=32768,vers=3,proto=tcp,timeo=600,retrans=2",
     dump => 0,
     pass => 1
   }

 }


The short answer to your question is that you can wrap the Mount
resource declaration in a define, and therein use the $name variable:

mount_content { $keys: content_table => $content }

define mount_content($content_table) {
  # $name is one key of the hash; look up its device in the table
  mount {$name:
    atboot  => true,
    device  => $content_table[$name],
    ensure  => mounted,
    fstype  => nfs,
    options => "rw,bg,hard,intr,rsize=32768,wsize=32768,vers=3,proto=tcp,timeo=600,retrans=2",
    dump    => 0,
    pass    => 1
  }
}


A somewhat cleaner answer, in that it does not require manually
extracting the hash keys (or even values), would be to use the
create_resources() function, something like this:

class mount_content_new {

  $content = {
    '/content/music/beggars' => { device => 'bos-netapp01:/vol/Indy_1/beggars' },
    '/content/music/bmg'     => { device => 'bos-netapp02:/vol/bmg/bmg' }
  }

  define mount_one_content ($device) {
    file {$name:
      ensure => directory,
      mode   => 0755,
    }

    mount {$name:
      atboot  => true,
      device  => $device,
      ensure  => mounted,
      fstype  => nfs,
      options => "rw,bg,hard,intr,rsize=32768,wsize=32768,vers=3,proto=tcp,timeo=600,retrans=2",
      dump    => 0,
      pass    => 1
    }
  }

  file {["/content","/content/music"]:
    ensure => directory,
    owner  => root,
    group  => root,
    mode   => 0755,
  }

  create_resources(mount_one_content, $content)

}


Note the different structure of the $content hash (values are now
hashes), and the correspondence of the keys of the inner hashes with
the parameters of the 'mount_one_content' definition.


John




[Puppet Users] Re: CPAN package provider?

2011-09-28 Thread jcbollinger


On Sep 27, 11:13 am, Aaron Grewell aaron.grew...@gmail.com wrote:
 We're not using CPAN.  Modules are installed as RPMs in our environment.


As it should be on an RPM-based distro.

I strongly recommend installing software only via the system's native
package manager.  If you violate that by installing Perl itself some
other way (e.g. manually), then anything goes for that Perl
installation (or Ruby, Python, ...), but if you are using the system's
Perl then you should use the system's Perl packages.  If you need Perl
modules not available pre-packaged then package them yourself; it's
not that hard, especially if they are already available from CPAN.

Doing otherwise introduces a significant risk of incompatibilities
arising and even your Perl modules being mangled, plus it makes
management more than twice as hard.


John




[Puppet Users] Re: Community Package Repos for Puppet Labs products

2011-09-28 Thread Steve Snodgrass
Michael, thanks very much for these packages, they are quite helpful.
Curious question - is there any coordination with tmz to push these
packages into EPEL?

On Sep 12, 5:36 pm, Michael Stahnke stah...@puppetlabs.com wrote:
 I've had a vision of having packages for Puppet, Dashboard,
 mcollective, facter, et al, available in native packaging formats for
 as many distributions as possible.

 I've updated http://yum.puppetlabs.com quite a bit today.

 We have most of what I laid out in 
 ticket http://projects.puppetlabs.com/issues/8473.  I've updated RPMs for
 el5, el6, f14, f15.  Next I'll do el4 and then SLES.

 These RPMS are all signed, and the latest released software from Puppet Labs.

 I've also created a Redmine Project around Community Packaging.  My
 goal would be to get help from the community, specifically on our lesser-used
 platforms.

 http://projects.puppetlabs.com/projects/puppet-community-pkg-repo

 Please use the redmine project to open issues, etc.  (This isn't just
 for yum either)

 Thanks,
 Mike




Re: [Puppet Users] Re: CPAN package provider?

2011-09-28 Thread Jeffrey Ollie
On Wed, Sep 28, 2011 at 9:33 AM, jcbollinger john.bollin...@stjude.org wrote:

 On Sep 27, 11:13 am, Aaron Grewell aaron.grew...@gmail.com wrote:
 We're not using CPAN.  Modules are installed as RPMs in our environment.

 As it should be on an RPM-based distro.

Yes, I wish it could be so...  Unfortunately the one system that I
need this for is running cPanel on a CentOS 5 system.  cPanel installs
its own custom Perl (as well as many other packages, including Ruby so
I have to install Puppet and Facter via GEM rather than RPMs).  I'm
trying to get munin installed on this system so that I can monitor the
system.  Since cPanel installed a custom Perl the CentOS Perl module
RPMs won't install.

 I strongly recommend installing software only via the system's native
 package manager.  If you violate that by installing Perl itself some
 other way (e.g. manually), then anything goes for that Perl
 installation (or Ruby, Python, ...), but if you are using the system's
 Perl then you should use the system's Perl packages.  If you need Perl
 modules not available pre-packaged then package them yourself; it's
 not that hard, especially if they are already available from CPAN.

 Doing otherwise introduces a significant risk of incompatibilities
 arising and even your Perl modules being mangled, plus it makes
 management more than twice as hard.

I totally agree, but since I can't get rid of cPanel and I don't want
to go to the trouble of building RPMs for just one system I'm kinda
stuck doing it the wrong way.

-- 
Jeff Ollie




[Puppet Users] Re: Community Package Repos for Puppet Labs products

2011-09-28 Thread Steve Snodgrass
So I've just started testing these repos and I ran into problems.
First, many of the EL6 RPMs are not signed, so they fail to install
with my standard yum config.  In the EL6 products repo, for example,
only 3 of 12 RPMs are signed.  The other issue is that the new puppet
dashboard 1.2.1 package is not present at all.  Thanks.

On Sep 12, 5:36 pm, Michael Stahnke stah...@puppetlabs.com wrote:
 I've had a vision of having packages for Puppet, Dashboard,
 mcollective, facter, et al, available in native packaging formats for
 as many distributions as possible.

 I've updated http://yum.puppetlabs.com quite a bit today.

 We have most of what I laid out in 
 ticket http://projects.puppetlabs.com/issues/8473.  I've updated RPMs for
 el5, el6, f14, f15.  Next I'll do el4 and then SLES.

 These RPMS are all signed, and the latest released software from Puppet Labs.

 I've also created a Redmine Project around Community Packaging.  My
 goal would be to get help from the community, specifically on our lesser-used
 platforms.

 http://projects.puppetlabs.com/projects/puppet-community-pkg-repo

 Please use the redmine project to open issues, etc.  (This isn't just
 for yum either)

 Thanks,
 Mike




Re: [Puppet Users] Re: CPAN package provider?

2011-09-28 Thread Craig White

On Sep 28, 2011, at 7:47 AM, Jeffrey Ollie wrote:

 On Wed, Sep 28, 2011 at 9:33 AM, jcbollinger john.bollin...@stjude.org 
 wrote:
 
 Doing otherwise introduces a significant risk of incompatibilities
 arising and even your Perl modules being mangled, plus it makes
 management more than twice as hard.
 
 I totally agree, but since I can't get rid of cPanel and I don't want
 to go to the trouble of building RPMs for just one system I'm kinda
 stuck doing it the wrong way.

high quality rationalization for such a low bar effort.

quite simple to build rpm's from cpan modules - there's consistent 
methodologies for doing just that.

Craig




Re: [Puppet Users] How to check if a given directory exists??

2011-09-28 Thread Peter Bukowinski

On Sep 28, 2011, at 9:37 AM, Sans wrote:

 Dear all,
 
 I have a module like this:
 
 class mom_priv_config {
     file {
         'config':
             owner   => 'root', group   => 'root', mode    => '0644',
             name    => '/var/torque/mom_priv/config',
             content => template('w_nodes/mom_priv-config.tpl'),
             #notify  => Service['pbs_mom']
     }
 }
 
 which is working great on its own. But all I want is to carry on with
 this *ONLY IF* /var/torque/mom_priv directory exists on the client.
 If there is no such directory present, just ignore. How can I do
 this? I looked on the net but nothing came out as a solution to me.
 Can anyone help me with this please? Cheers!!
 
 


I'd create a custom fact that checks for the existence of the mom_priv 
directory -- something like this:

# mom_priv_test.rb
# Define the fact only on nodes where the directory exists
if FileTest.directory?("/var/torque/mom_priv")
    Facter.add("mom_priv_test") do
        setcode { true }
    end
end
#

Now you can use this fact to wrap your file resource in an if statement:

class mom_priv_config {
    if $mom_priv_test == 'true' {
        file { '/var/torque/mom_priv/config':
            ensure  => present,
            owner   => 'root',
            group   => 'root',
            mode    => '0644',
            content => template('w_nodes/mom_priv-config.tpl'),
            #notify  => Service['pbs_mom'],
        }
    }
}

-- 
Peter M. Bukowinski
Sr. Systems Engineer
Janelia Farm Research Campus, HHMI




Re: [Puppet Users] Re: CPAN package provider?

2011-09-28 Thread Aaron Grewell
Assuming cPanel's Perl isn't too special you might just grab the CentOS
SRPM, tweak the dependencies so it will install, give it a custom version
number and rebuild.  You would then use Yum's version pinning module to
block any patches for that specific package to avoid future issues.  I
totally understand the just make it work idea, but if you do that this
system will always be broken.  Eventually I find the broken ones come back
and bite me...

On Wed, Sep 28, 2011 at 7:47 AM, Jeffrey Ollie j...@ocjtech.us wrote:

 On Wed, Sep 28, 2011 at 9:33 AM, jcbollinger john.bollin...@stjude.org
 wrote:
 
  On Sep 27, 11:13 am, Aaron Grewell aaron.grew...@gmail.com wrote:
  We're not using CPAN.  Modules are installed as RPMs in our environment.
 
  As it should be on an RPM-based distro.

 Yes, I wish it could be so...  Unfortunately the one system that I
 need this for is running cPanel on a CentOS 5 system.  cPanel installs
 its own custom Perl (as well as many other packages, including Ruby so
 I have to install Puppet and Facter via GEM rather than RPMs).  I'm
 trying to get munin installed on this system so that I can monitor the
 system.  Since cPanel installed a custom Perl the CentOS Perl module
 RPMs won't install.

  I strongly recommend installing software only via the system's native
  package manager.  If you violate that by installing Perl itself some
  other way (e.g. manually), then anything goes for that Perl
  installation (or Ruby, Python, ...), but if you are using the system's
  Perl then you should use the system's Perl packages.  If you need Perl
  modules not available pre-packaged then package them yourself; it's
  not that hard, especially if they are already available from CPAN.
 
  Doing otherwise introduces a significant risk of incompatibilities
  arising and even your Perl modules being mangled, plus it makes
  management more than twice as hard.

 I totally agree, but since I can't get rid of cPanel and I don't want
 to go to the trouble of building RPMs for just one system I'm kinda
 stuck doing it the wrong way.

 --
 Jeff Ollie







Re: [Puppet Users] Re: Community Package Repos for Puppet Labs products

2011-09-28 Thread Michael Stahnke
On Wed, Sep 28, 2011 at 7:59 AM, Steve Snodgrass phe...@gmail.com wrote:
 So I've just started testing these repos and I ran into problems.
 First, many of the EL6 RPMs are not signed, so they fail to install
 with my standard yum config.  In the EL6 products repo, for example,
 only 3 of 12 RPMs are signed.  The other issue is that the new puppet
 dashboard 1.2.1 package is not present at all.  Thanks.

I've fixed this.  Thanks for filing the tickets.

Mike




[Puppet Users] Business Intelligence 2011 (November 12th,Delhi)

2011-09-28 Thread Lincy 123
Hi,

I got to know of an exciting event happening in Delhi on November 12th

I guess it will add a great value to all the BI professionals,
analysts and business decision makers coming together to build their
BI expertise.

I believe it is worth attending as there are interesting topics. (See
the Sessions below).

The Conference starts at 9.00 AM.
The Venue:will be updated Shortly
The Conference organizers will call you back to confirm. When I
called, they had 300 more seats left.

Please find below is the url to go through the website:
http://tinyurl.com/bidelhi


Thanks,
Rajesh

Sessions on:
Emerging Trends and Technologies in the Business Intelligence
Market
Solution Centricity. The Pivot for Successful BI / DW Implementations
Innovative Data Integration - Foundation for Business Intelligence
Interactive Business Analytics for Large Data Volumes
BI Design and Implementation challenges in Life Sciences
Integrating Search and Business Intelligence
BI challenges for the SMEs
Impact of Social Media and Social CRM Analytics
Advanced Analytics: The Next Wave in Business Intelligence







Re: [Puppet Users] Re: CPAN package provider?

2011-09-28 Thread Brian Shore
On Wed, Sep 28, 2011 at 7:47 AM, Jeffrey Ollie j...@ocjtech.us wrote:
 I totally agree, but since I can't get rid of cPanel and I don't want
 to go to the trouble of building RPMs for just one system I'm kinda
 stuck doing it the wrong way.

You might investigate cpan2rpm.  It works smoothly for many CPAN
modules.  I've only seen it fail for modules that didn't specify an
author (it tries to extract that for inclusion in rpm metadata).

-- 
Brian Shore
Network Redux
http://networkredux.com | @devopsec




Spam (was Re: [Puppet Users] Business Intelligence 2011 (November 12th,Delhi))

2011-09-28 Thread James Turnbull
Lincy 123 wrote:
 Hi,
 
 I got to know of an exciting event happening in Delhi on November 12th
 

Apologies all - this is spam that slipped through.

James



-- 
James Turnbull
Puppet Labs
1-503-734-8571




[Puppet Users] I can't seem to create mountpoint and change permissions after mounting in 2.7.3

2011-09-28 Thread rvlinden
Hi,

I'm using puppet 2.7.3 on RHEL/CentOS and I have an issue which is now
a big blocking issue within my environment. What I'm trying to
accomplish with puppet is to create a mountpoint, mount a filesystem on
it, install an application on that filesystem and set the proper user/
group and permissions on it, but it fails big time.

The issues I currently run into are about 3 things

1. The file type does not allow multiple directories to be created at
once ('mkdir -p')
2. The exec & file types create autorequire dependencies, which creates
dependency cycles
3. Puppet does not allow duplicate resources

I have a define named lvm::createfs and what it does is three things

1. Create the mountpoint with an exec {} which used an mkdir -p to
create multiple directories deep at once
2. Create the logical volume with an exec {}
3. Mount the logical volume from step 2 onto the directory from step 1
via Mount {}

Before the filesystem is mounted, the underlying directory MUST be
owned by root:root with permissions 755. If this is incorrect, some
Linux commands do strange things (like the 'rm -R' command)

Once the filesystem is created and mounted, I use puppet to install
applications

After the applications are installed I need to set the application
files in the filesystem to their proper owner:group and permissions.

To do this I have another define named sysconfig::permissions. All
this define does is use file {} to set owner, group, mode and recurse.

Before I moved to puppet 2.7.3, puppet allowed me to do this without
problems, but since 2.7.3 puppet is more strict and now 60% of all my
modules fail as I use filesystems, apps and permissions everywhere.

Based on the documentation I read about exec {}, I can now explain why
I get dep. cycles, but I'm out of options and have no ideas anymore how
to get this 'simple normal unix task' to work in puppet.

These are the relations I created myself within puppet

1. exec mkdir /a/b/c => mount /a/b/c => file /a/b/c
2. exec logical volume => mount /a/b/c

This setup does not result in a cycle, but when puppet adds an
autorequire between exec mkdir /a/b/c and file /a/b/c, it causes the
whole thing to cycle.

Quote from the manual

Autorequires: If Puppet is managing an exec’s cwd or the executable
file used in an exec’s command, the exec resource will autorequire
those files. If Puppet is managing the user that an exec should run
as, the exec resource will autorequire that user.

I don't mind if I have to rewrite my code or start from scratch, but I
need help to create my mountpoint location with root:root/755 and
after mounting allow the same location to have a different owner:group/
permissions.

These are the defines I use at this moment

define lvm::createfs (
  $mountpath = undef,
  $mountpoint = undef,
  $lvsize = undef,
  $fstype = undef,
  $vgname = undef,
  $lvname = "${name}",
  $requisite = '' ) {

  # Load defaults

  require lvm::params

  # Check mountpath equals root

  $rootpath = $mountpath ? {
    '/'     => undef,
    default => $mountpath,
  }

  # Create directory tree including subdirectories

  exec { "${lvm::params::module_label}_mkdir_${mountpath}/${mountpoint}":
    command => "mkdir -p ${mountpath}/${mountpoint}",
    onlyif  => "test ! -d ${mountpath}/${mountpoint}",
    before  => Mount["${rootpath}/${mountpoint}"],
  }

  if $requisite != '' {
    Exec["${lvm::params::module_label}_mkdir_${mountpath}/${mountpoint}"] {
      require => Mount["${requisite}"],
    }
  }

  # Create logical volume and format filesystem

  exec { "${lvm::params::module_label}-${vgname}-${lvname}":
    logoutput => false,
    command   => "lvcreate -n ${lvname} -L ${lvsize} /dev/${vgname} && mkfs -t ${fstype} /dev/${vgname}/${lvname}",
    unless    => "lvs | grep -q '${lvname} .*${vgname}'",
    before    => Mount["${rootpath}/${mountpoint}"],
  }

  # Mount filesystem

  mount { "${rootpath}/${mountpoint}":
    atboot  => true,
    device  => "/dev/${vgname}/${lvname}",
    ensure  => mounted,
    fstype  => "${fstype}",
    options => 'defaults',
    dump    => '1',
    pass    => '2',
  }

  if $requisite != '' {
    Mount["${rootpath}/${mountpoint}"] {
      require => Mount["${requisite}"],
    }
  }

} # End define


define sysconfig::permissions (
  $sysconfig_module,
  $sysconfig_name,
  $sysconfig_recurse = 'false',
  $sysconfig_owner,
  $sysconfig_group,
  $sysconfig_mode = undef ) {

  # Load defaults

  require sysconfig::params

  # Set permissions

  file { "${sysconfig_module}_${sysconfig_name}":
    name    => "${sysconfig_name}",
    recurse => "${sysconfig_recurse}",
    owner   => "${sysconfig_owner}",
    group   => "${sysconfig_group}",
  }

  if $sysconfig_mode != undef {
    File["${sysconfig_module}_${sysconfig_name}"] {
      mode => "${sysconfig_mode}",
    }
  }

} # End define


I call these defines from an application class. In the example below, a
piece of the MQ class.

class mq {

  # Create filesystems

  lvm::createfs {
    "${mq::params::module_label}_opt_mqm":
      mountpath  => '/opt',
      mountpoint =>

Re: [Puppet Users] I can't seem to create mountpoint and change permissions after mounting in 2.7.3

2011-09-28 Thread Denmat
Hi,

I don't know the answer to your problem but have you thought of adding the 
required perms at the point you call the mkdir -p?

In your exec..
=> 'mkdir -p ... && chmod 755 .. && chown root...',

This way you are not managing the resource perms twice in puppet. That may ease 
some of your problems.

Cheers,
Den
On 29/09/2011, at 8:02, rvlinden rene.vanderlinde...@gmail.com wrote:


[Puppet Users] Re: How to check if a given directory exists??

2011-09-28 Thread Sans
Thanks Peter!
Custom fact is a great idea but the downside is one needs to create a
custom fact for every check you wanna perform. Isn't there
anything a bit more dynamic, like checking the location on the fly (bash
equivalent: if [ -d /var/torque/mom_priv ]; )?? Cheers!!




On Sep 28, 4:33 pm, Peter Bukowinski pmb...@gmail.com wrote:

 I'd create a custom fact that checks for the existence of the mom_priv 
 directory -- something like this:

 # mom_priv_test.rb
 if FileTest.directory?("/var/torque/mom_priv")
     Facter.add("mom_priv_test") do
         setcode { true }
     end
 end
 #

 Now you can use this fact to wrap your file resource in an if statement:

 class mom_priv_config {
     if $mom_priv_test == 'true' {
         file { '/var/torque/mom_priv/config':
             ensure  => present,
             owner   => 'root',
             group   => 'root',
             mode    => '0644',
             content => template('w_nodes/mom_priv-config.tpl'),
             #notify  => Service['pbs_mom'],
         }
     }

 }

 --
 Peter M. Bukowinski
 Sr. Systems Engineer
 Janelia Farm Research Campus, HHMI




[Puppet Users] Announce: New Puppet releases due to CVE-2011-3848 [security]

2011-09-28 Thread Michael Stahnke
There has been a vulnerability discovered in Puppet (CVE-2011-3848).


# Recommended Action #

Puppet Labs has an updated version of Puppet available at the
following locations:

* http://puppetlabs.com/security/hotfixes
* http://puppetlabs.com/downloads/puppet


The fixed versions are 2.6.10 in the 2.6.x branch and 2.7.4 in the
2.7.x branch.

The hotfixes page also contains updated Puppet packages for Puppet
Enterprise versions 1.0, 1.1 and 1.2.x.


Puppet Labs has been coordinating with Debian, Ubuntu, EPEL and
OpenSuSE maintainers.  We expect new packages (with a patch backported
in many cases) to be released as soon as possible.


Separate release announcements for Puppet 2.6.10 and 2.7.4 are pending.



# Explanation  #


   Kristian Erik Hermansen kristian.herman...@gmail.com reported that
   an unauthenticated directory traversal could drop any valid X.509
   Certificate Signing Request at any location on disk, with the
   privileges of the Puppet Master application.  This was found in the
   2.7 series of Puppet, but the underlying vulnerability existed in
   earlier releases and could be accessed with different hostile inputs.

   There are also some additional quirks of input handling that make it
   easier to obfuscate the input.

   This exploits an input quirk where the key in the URI is
   double-decoded; this would also work for a single URI-encoded input
   string.

   On 2.6 this is ignored, but the CN in the Subject of the CSR is used
   in the same way, and could be exploited to drop the CSR content at an
   arbitrary location on disk.  The suffix .pem is always appended to
   the location.


   In the 0.25 series the same CN-based injection can occur, as the
   underlying flaw still exists.

   In all cases this requires that the input data can be loaded through
   OpenSSL as a CSR, and will fail before touching disk if that is not
   valid data.


   Be aware that both double-encoded and single-encoded URI patterns will
   work, equivalently, in Puppet 2.7.  No URI decoding is done on the CN
   of the CSR Subject.



# Commit message for fix #

I have included patches for the 0.25.x, 2.6.x, and 2.7.x branches.

  Author: Daniel Pittman dan...@puppetlabs.com
  Date:   Sat Sep 24 12:44:20 2011 -0700

  Resist directory traversal attacks through indirections.

  In various versions of Puppet it was possible to cause a directory
  traversal attack through the SSLFile indirection base class.
  This was variously triggered through the user-supplied key, or
  the Subject of the certificate, in the code.

  Now, we detect bad patterns down in the base class for our
  indirections, and fail hard on them.  This reduces the attack
  surface with as little disruption to the overall codebase as
  possible, making it suitable to deploy as part of older, stable
  versions of Puppet.

  In the long term we will also address this higher up the stack,
  to prevent these problems from reoccurring, but for now this
  will suffice.

  Huge thanks to Kristian Erik Hermansen kristian.herman...@gmail.com
  for the responsible disclosure, and useful analysis, around
  this defect.

  Signed-off-by: Daniel Pittman dan...@puppetlabs.com




# Note for 0.25 users #

If you're still shipping/using 0.25, we have supplied a patch to
several distro maintainers that applies cleanly to our git tree, but
will not be releasing any upstream source of it.





If you have any questions or need additional clarification on
anything, please respond to secur...@puppetlabs.com.


Thanks, Michael Stahnke
Release Manager -- Puppet Labs
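
The explanation above notes that single- and double-encoded keys, and the CSR CN, all reach the same file-writing code. The following Ruby is an added example, not Puppet's patch or code from this announcement: it canonicalises a name before allowlisting it and contrasts that with a check on the raw string. The directory /srv/example-ca/requests, all helper names and the sample names are constructed assumptions.

```ruby
# Added illustration, not Puppet's code: canonicalise a certificate name
# (URI key or CSR CN), then allowlist it before building the .pem path.

class UnsafeNameError < ArgumentError; end

MAX_DECODE_ROUNDS = 3
# \A and \z anchor the whole string; ^ and $ would accept "ok\n../x".
SAFE_NAME = /\A[A-Za-z0-9][A-Za-z0-9._-]{0,252}\z/

# Percent-decode until the value stops changing, so the check sees the
# same bytes a double-decoding request path would hand to the file layer.
# Anything still encoded after the last round keeps its '%' and is
# rejected by the allowlist.
def canonical_name(raw)
  current = raw.b
  MAX_DECODE_ROUNDS.times do
    decoded = current.gsub(/%(\h\h)/) { Regexp.last_match(1).hex.chr }
    break if decoded == current
    current = decoded
  end
  current
end

# Weak check, shown for contrast: it inspects the raw string only.
def naive_check(raw)
  !raw.include?('..') && !raw.include?('/')
end

# Returns the path to write, or raises UnsafeNameError.
def pem_path_for(base_dir, raw_name)
  name = canonical_name(raw_name)
  raise UnsafeNameError, "rejected #{raw_name.inspect}" unless SAFE_NAME.match?(name)

  base = File.expand_path(base_dir)
  path = File.expand_path("#{name.force_encoding(Encoding::UTF_8)}.pem", base)
  # Second layer: the resolved file must be a direct child of base.
  raise UnsafeNameError, "#{raw_name.inspect} escapes #{base}" unless File.dirname(path) == base

  path
end

def accepted?(base_dir, raw_name)
  pem_path_for(base_dir, raw_name)
  true
rescue UnsafeNameError
  false
end

# Constructed sample names (not taken from the advisory).
SAMPLES = [
  'agent01.example.com',
  '../outside',
  '%2e%2e%2foutside',
  '%252e%252e%252foutside',
  "agent01\n../outside",
  'agent01%00'
].freeze

# One row per sample: [raw name, naive verdict, strict verdict].
def audit(base_dir = '/srv/example-ca/requests')
  SAMPLES.map { |raw| [raw, naive_check(raw), accepted?(base_dir, raw)] }
end

if __FILE__ == $PROGRAM_NAME
  audit.each do |raw, naive, strict|
    puts format('%-28s naive=%-5s strict=%s', raw.inspect, naive, strict)
  end
end
```

The encoded samples pass the raw-string check and are rejected only once the name has been decoded, which is why validation has to run on the canonical form.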




[Puppet Users] Relationship of PE 2.0 to community version?

2011-09-28 Thread Bryan Berry
Dear puppet colleagues,

I am really excited about the features in puppet enterprise 2.0. I am
especially curious which features from the enterprise version will filter
back to the respective open source components, such as dashboard, facter,
etc and which will remain proprietary add ons?

Any info you can shed on this subject would be very helpful.

Bryan




[Puppet Users] Announce: Puppet 2.6.10 is available [security update]

2011-09-28 Thread Michael Stahnke
Puppet 2.6.10 is a maintenance release in the 2.6.x branch.

This release is 2.6.9 + a security fix for CVE-2011-3848.

Note: Features/fixes that were targeted at 2.6.10 have been moved to 2.6.11.




Puppet 2.6.10 is available.  Changelog entries are available below.
More detailed information is available on our Release Notes page.

Release Notes have been updated:
https://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.6.10


This release is available for download at:
http://puppetlabs.com/downloads/puppet/puppet-2.6.10.tar.gz

RPM's are available at http://yum.puppetlabs.com/el

Puppet is also available via Rubygems at http://rubygems.org

See the Verifying Puppet Download section at:
http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet

Please report feedback via the Puppet Labs Redmine site, using an
affected puppet version of 2.6.10
http://projects.puppetlabs.com/projects/puppet/



Commits:

fe2de81 Resist directory traversal attacks through indirections. (CVE-2011-3848)




[Puppet Users] Announce: Puppet 2.7.4 Available [security + more ]

2011-09-28 Thread Michael Stahnke
Puppet 2.7.4 is available.  This release of Puppet includes a
security fix for CVE-2011-3848.

Puppet 2.7.4 is an enhancement + security release of Puppet on the
2.7.x branch.  Due to the security patches included, it is recommended
anybody using the 2.7.x series update to 2.7.4.

The significant highlights on this release are outlined below.  At a
high level, there are lots of Windows fixes/features, some
storedconfigs indirection, a security patch, and more.

This is 2.7.4rc3 + the one security patch for CVE-2011-3848.



This release is available for download at:
http://downloads.puppetlabs.com/puppet/

Release Notes have been updated:
https://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.7.4

See the Verifying Puppet Download section at:
http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet

Please report feedback via the Puppet Labs Redmine site, using an
affected version of 2.7.4
http://projects.puppetlabs.com/projects/puppet

RPM's are available at http://yum.puppetlabs.com/el

Puppet is also available via Rubygems at http://rubygems.org

Documentation is available at:
http://docs.puppetlabs.com/index.html






2.7.4 Release Notes
===

## CVE-2011-3848

Resist directory traversal attacks through indirections.

In various versions of Puppet it was possible to cause a directory traversal
attack through the SSLFile indirection base class.  This was variously
triggered through the user-supplied key, or the Subject of the certificate,
in the code.

Now, we detect bad patterns down in the base class for our indirections, and
fail hard on them.  This reduces the attack surface with as little disruption
to the overall codebase as possible, making it suitable to deploy as part of
older, stable versions of Puppet.

In the long term we will also address this higher up the stack, to prevent
these problems from reoccurring, but for now this will suffice.

Huge thanks to Kristian Erik Hermansen kristian.herman...@gmail.com for the
responsible disclosure, and useful analysis, around this defect.

## Allow cron vars to have leading whitespace

Fix #9440

Patch applied from Jeremy Thornhill. This allows whitespace to appear before
cron variables. Previously, whitespace before cron variables would trigger a
parse failure, and the crontab, except for the puppet managed portion, would
get removed. This addresses that issue. It also includes a test for this
issue, added into the tests directory, which seems to be where the crontab
tests live.

## Write out a list of resources that are managed by puppet agent

Feature #8667

Similar to how the Puppet classes are written out each catalog apply,
the list of resources is now being written out to a text file that can
be easily used by tools like MCollective.  This allows tools that do
ad-hoc management of resources to know if they're changing a resource
that puppet manages, and adjust behavior accordingly.

## Fix value validation on options

Fix #7114

Support single options that legally include a comma like
from=host1,host2. We now basically allow either word or key=value
as options. That's also what the parsedfile provider currently supports
when parsing options.

## GigabitEthernet/TenGigabitEthernet are uncorrectly parsed

Fix #7984

The interface name abbreviation to canonical name doesn't return
the correct name for GigabitEthernet and doesn't support TenGigabitEthernet
interfaces.

## Allow macauthorization provider to work on OS X Lion 10.7

Fix #9143

We've flipped around the confine check so we explicitly exclude the
versions of OS X where this provider won't work, rather than working
from a whitelist.


## Move complex collect expression error into terminus.

Fix #9051

When the StoreConfig system was extracted from core to a set of termini, most
of the rules about permitted syntax were pushed down into the same place, to
allow them to also be replaced.

One set of restrictions were missed, the limitation that complex search
criteria (like and, or, or parenthetical expressions) were not permitted, and
remained in our parser.

Now, they live in the terminus, and we enforce them only there.  This ensures
that StoreConfigs can be replaced with a back-end that supports complex
collection criteria without other changes to the Puppet core.

## Don't rely on error message to detect UAC capable platform

Fix #8662

The call to Win32::Security.elevated_privileges? can raise an
exception when running on a pre-Vista computer or if the process fails
to open its process token.

Previously, we were looking at the exception message to determine
which case it was. However, Windows 2003 and 2003 R2 return different