[Puppet Users] Re: Mounting windows fileshare
> Hi! I am looking for a way of mounting a windows fileshare without using 'exec net use ...' and haven't found a type that supplies this functionality.

https://gist.github.com/ptman/3968655 -- not pretty, but worked for me

> The windows documentation mentions that to use UNC paths you have to mount the drive first, but makes no mention of how to do this.

Depends what you want to use them for. UNC paths actually work as the source parameter for the package type without mounting. At least with puppet 3.x, which I'm using.

Cheers,
Paul

--
You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
[Puppet Users] Re: migrating from cfengine to puppet, node wrangling question
Hi Michael

> This works, but I'm not sure it's the best way about going about it. I'm trying to define host groups in my site.pp file in such a way that when puppet runs on my nodes, they know their functional role and are configured accordingly.

May I suggest that you look into using a node classifier (ENC) or at least hiera to separate data from code? I have a module called 'role' with classes like 'workstation' and 'compute' which include other classes. Then I can just assign the class role::workstation or role::compute to a node.

Cheers,
Paul
Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?
Thanks Pete, but unfortunately that won't work. The nodes are out of my control, and all I can do is to provide their owners client certs via web gui. In addition to that, I would need multiple CA's, as the clients (and puppetmasters) would be destined for different owners, and they shouldn't share the CA.

On Wednesday, February 20, 2013 2:15:33 AM UTC, Pete wrote:
> You might have better luck using something like FreeIPA and using its ca cert and setting up certs for each node and using those as the puppet certs. This may help. http://jcape.name/2012/01/16/using-the-freeipa-pki-with-puppet/
>
> I had a go at setting it up but I am using FreeIPA 3 and the steps need some changing for that so your mileage may vary.
>
> On 20 February 2013 06:15, spankt...@gmail.com wrote:
> > Dear Felix,
> >
> > I think you're getting it wrong, let me clarify it a bit. The goal of this is to be able to write web interface for generating puppetmasters CA's and client certificates on demand.
> >
> > An example: install 3 puppetmasters with loadbalancer in front. Use web interface to generate CA and certificates for chosen clients (let's say, 10 machines). Deploy such generated CA's on puppetmasters, and relevant bits on puppet clients to authorize them against these puppetmasters. Whenever there's need for change, use that CA via web interface to add and delete client certificates, redeploy them on puppetmasters and so on.
> >
> > This, while doable via Subprocess functions (Python is the language of choice for me, but that doesn't really matter) and calls to relevant puppet system commands is extremely ugly and not flexible solution. I would love to do it via openssl library, but to do so, I'd need to have a workable way to build CA's and sign (and revoke) client certs via openssl command - so far I can't reach that goal.
> >
> > I hope this makes more sense now.
> >
> > Regards,
> > S.
> >
> > On Tuesday, February 19, 2013 4:04:32 PM UTC, Felix.Frank wrote:
> > > On 02/16/2013 12:20 PM, spankt...@gmail.com wrote:
> > > > after creating CA and client cert and applying them to puppetmaster, it complains with:
> > >
> > > Wait, what? You create a new CA, even after agents have already been certified, then create new agent certificates?
> > >
> > > If your CA changes, you will have to terminate all the (now deprecated) agent certificates and sign new certificates for all agents. Basically, I would expect the outcome you are observing, and you should just follow the instructions given in your log excerpt.
> > >
> > > Note that you are *not* supposed to remove the CA from the master, only the copy of the agent's certificate.
> > >
> > > HTH,
> > > Felix
[Puppet Users] Re: How to puppetise Task Scheduler on Windows
Thanks for the link. The basic puppet options don't cover enough of the task options - but they are available in an xml (as exported from Task Scheduler). Do you know if there is an option to have a task from an exported xml file on puppet (or how to request it)?

Thanks,
David.

On Wednesday, February 13, 2013 11:11:23 AM UTC, Paul Tötterman wrote:
> Hi David,
>
> > Is it possible to manage Task Scheduler through puppet?
>
> Yes: http://docs.puppetlabs.com/references/latest/type.html#scheduledtask
>
> Cheers,
> Paul
Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?
Hi,

I think I understood your goal well enough, and it's sound in and of itself, but I believe you have some misconceptions on how to implement this.

First off, so we're on the same page:

The CA is your root certificate. It's a self signed certificate shared by all masters. Only the masters have its private key. They use it to sign all other puppet related certificates.

A client certificate is generated by a master based on the CA and a certificate signing request from the agent. It's necessary to either
a) have the CSR generated agent side, so the agent has the private key generated itself or
b) do all the generating master side and implement a secure way to push the agent's private key to the agent

Let's cut right to the bottom line: You do *not* want to create new CAs, ever. You make a CA, make sure its private key is well protected, and stick with that. If you need deploy additional masters at various times, you need a process that will supply them with the CA and its key.

I'm not sure whether you can separate the puppet master from the puppet ca network-wise, but if it's possible, it would be infinitely simpler to stick to a monolithic ca server and do only the other agent/master interaction through loadbalancing.

I believe that your core problem at the moment is private key management, but that's only a guess.
Re: [Puppet Users] Question Windows manifests
Hi,

On 02/20/2013 06:43 AM, Rakesh Kathpal wrote:
> file { 'install': path = c:\install.bat, ... exec {'install_sw': file { 'remove': ensure = absent, ...
>
> I am quite sure that there is something syntactically wrong my code but donno what? Can someone please shed some light on this?

Actually, sorry to say this, but there's something conceptually wrong with this. You're walking into the C-like programming language trap.

The thing is - the puppet DSL is nothing like traditional, statement based programming. The above are not three statements that are executed in order. They are supposed to be three properties of system state. You are telling puppet that you want it to make sure three things hold true:

1. c:\install.bat is present and has specific content
2. c:\install.bat is getting executed
3. c:\install.bat is not on your system

1 and 3 are conflicting. Puppet cannot maintain a state in which both are true. You will have a hard time bending puppet towards this behaviour.

I suggest you just get rid of the final file resource and let the install.bat remain (but do choose a location that is better suited to store such internal administrative data).

Also please note that you probably either want to add refreshonly to your exec resource, but that is rather unclean design (if the execution fails once, puppet will not know it needs to re-run because the file will not notify it again). The better alternative is a sensible creates or unless condition.

HTH,
Felix
[Puppet Users] irregular Error: Could not autoload...
Hello,

I am trying to establish a puppet infrastructure, but my server is throwing errors irregularly. Sometimes it works, sometimes not.

The master:

    puppet master --no-daemonize --verbose --debug --server X --certname X

The agent:

    puppet agent --test --debug --server X

... and the error thrown by the agent:

    Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not autoload puppet/type/service: Permission denied - getcwd on node X
    Warning: Not using cache on failed catalog
    Error: Could not retrieve catalog; skipping run

... and by the server:

    Error: Could not autoload puppet/type/service: Permission denied - getcwd
    Error: Could not autoload puppet/type/service: Permission denied - getcwd on node X
    Error: Could not autoload puppet/type/service: Permission denied - getcwd on node X
    Error: Could not autoload puppet/type/service: Permission denied - getcwd on node X

The problem varies by puppet/type/service, puppet/type/package, puppet/type/augeas

And sometimes it just works. What's the reason for that?
Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?
Dear Felix,

On Wednesday, February 20, 2013 9:58:45 AM UTC, Felix.Frank wrote:
> Hi,
>
> I think I understood your goal well enough, and it's sound in and of itself, but I believe you have some misconceptions on how to implement this.
>
> First off, so we're on the same page:
>
> The CA is your root certificate. It's a self signed certificate shared by all masters. Only the masters have its private key. They use it to sign all other puppet related certificates.

Correct.

> A client certificate is generated by a master based on the CA and a certificate signing request from the agent. It's necessary to either
> a) have the CSR generated agent side, so the agent has the private key generated itself or
> b) do all the generating master side and implement a secure way to push the agent's private key to the agent

The b) is the goal here, correct.

> Let's cut right to the bottom line: You do *not* want to create new CAs, ever. You make a CA, make sure its private key is well protected, and stick with that. If you need deploy additional masters at various times, you need a process that will supply them with the CA and its key.

Incorrect. You *do* want to create new CA's. What about different puppetmasters pools? Imagine you and me, we both want a puppetmasters setup with LB's in front of them, for our own machines, and we'd rather want to have different CA's for our puppetmasters.

> I'm not sure whether you can separate the puppet master from the puppet ca network-wise, but if it's possible, it would be infinitely simpler to stick to a monolithic ca server and do only the other agent/master interaction through loadbalancing.

Don't worry about the details of separation network wise or any other. All I want to do, is to generate complete CA and client certs programmatically, using openssl lib - how they're going to be deployed on puppetmasters and puppet clients is out of scope here - it can be via rsync, it can be by embedding CA's into vm images per client base, it can be done in many different ways. A monolithic CA server is out of question, as it becomes a spof.

> I believe that your core problem at the moment is private key management, but that's only a guess.

Incorrect, the problem is to emulate puppet ca/cert behavior using openssl command (and then by openssl lib).
Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?
On 02/20/2013 11:37 AM, spankthes...@gmail.com wrote:
> Incorrect. You *do* want to create new CA's. What about different puppetmasters pools? Imagine you and me, we both want a puppetmasters setup with LB's in front of them, for our own machines, and we'd rather want to have different CA's for our puppetmasters.

Well, so you'd want *your* agents to receive catalogs from *my* puppet masters? That's a whole different problem altogether. Each agent node will need to run several agents, each with their own view of what the CA and the master certificate is. They could share the agent's private key, but that would actually add complexity.

Basically, you probably want separate /var/lib/puppet instances on the agents for each master pool.

> it can be via rsync

Oh, please don't.

> monolithic CA server is out of question, as it becomes a spof.

Not really, the ca service should not see much use during day-to-day operation, but again, I may be wrong about this.

> Incorrect, the problem is to emulate puppet ca/cert behavior using openssl command (and then by openssl lib).

Ah, only you aren't. The puppet ca service works under the premise that the client simply generates a CSR for itself and forwards that to the puppet ca service.

Have you had any success signing the certificate using openssl, when the CSR originates with the agent (so, as a start, you do step 2 your way?)

Once you have that working, all that's left to do is doing the CSR generation using openssl, which shouldn't be that hard, either. What's hard is not doing it on the agent node.
Re: [Puppet Users] automatically create nagios_hostgroup only when a member of a group comes up
Hi Pete, how you doing?

> You will get duplication if you declare a nagioshost_group with the same name on more than one node... I think you may be missing the point of nagios_hostgroup. It is for declaring a hostgroup in nagios not setting the nagios hostgroup for a node.

Yes, I know that I'll get duplication error for obvious reason and that's the whole reason for asking this Q. I know what the hostgroup is for (using Nagios for a while now) and I'm not trying to set up hostgroup for a node. Perhaps I wasn't clear with my question.

> I am guessing you are trying to add a node to a hostgroup? You will need to add a hostgroups parameter to your nagios_host declaration and set the hostgroup for the node there.

No - I'm not trying to add a node to hostgroup but I was trying to figure out a way to declare a hostgroup only after at least one member of that particular comes online. Suppose, I've three nodes - N1, N2, N3 and two hostgroups - HG1 and HG2. N1 (which is Nagios-server) is being in HG1 and N2 N3 in HG2.

> I am also reasonably sure you can have empty hostgroups in nagios...

Yes you can (overlooked that point, really) until a service (nagios_service type) is defined. I think, my actual question would be, how can I query if a host with certain name (property) is up and only include that service if the node count is at least one or more. I think I can export some sort of resource from a given host and collect it on the master (my Nagios server is co-located with Puppet master)? Any idea what might be the best possible way of doing that?

cheers!!
[Puppet Users] Re: Puppet module(important)
this is resolved!

On Wed, Feb 20, 2013 at 2:27 AM, Mamta Garg itsmamta.b...@gmail.com wrote:
> Hi All,
>
> Can anyone please guide, why this error is coming every time on puppet-dashboard, while I am assigning class to a node. (please find attached screenshot for error message)
>
> I am using puppet opensource and I have added module with same class name in /etc/puppet/mudules path.
>
> --
> Thanks and Regards,
> Mamta Garg

--
Thanks and Regards,
Mamta Garg
Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?
On 02/20/2013 12:02 PM, spankthes...@gmail.com wrote:
> Regardless of how much use it has, it is a spof. Once it's down, whole cluster malfunctions. With monolithic CA server down, all clusters are malfunctioning.

I disagree. An SSL connection requires two peers and at least one signed certificate. The client needs to trust the issuer's certificate, but it needs not contact a ca server to re-validate that certificate for each connection.

A downtime of the CA service would merely imply that you cannot sign any new certificates for the time being.

> > Have you had any success signing the certificate using openssl, when the CSR originates with the agent (so, as a start, you do step 2 your way?)
> >
> > Once you have that working, all that's left to do is doing the CSR generation using openssl, which shouldn't be that hard, either. What's hard is not doing it on the agent node.
>
> No, so far I've complete failure. I tried to do it the Mozilla way, from the link included in original post, but it fails and I can't find out why.

I only just looked at that. Lots of script work I won't dive into.

I advise to do this bottom up:

1. Set up a plain old puppet master the usual way, make it work with an agent
2. Once that works, add another agent, but don't puppet ca sign its certificate but instead use an openssl invocation. Place the signed certificate in the appropriate location on the master host. The agent should receive it during its next connection.
3. Once that works, generate a CSR on yet a new agent using openssl, put the files in the appropriate locations in /var/lib/puppet/ssl and do an agent run. It should send your CSR to the master. Repeat step 2.
4. Once that works, you're basically there. Doing step 3 on the master node and transferring the files should not be too different.
Re: [Puppet Users] Class Order: Cant add user without group
Hi,

On 02/19/2013 02:24 PM, Alexander Winkler wrote:
> Could anybody tell me how to add the secgroupY dynamically? (only if it's needed)

that's what virtual resources are for.

    # on all nodes:
    @group { 'groupA':
      gid    => 1000,
      ensure => present,
    }

    ### secondary groups
    @group { 'secgroupX':
      gid    => 1200,
      ensure => present,
    }
    @group { 'secgroupY':
      gid    => 1205,
      ensure => present,
    }

    # create these on all nodes
    realize(Group['groupA', 'secgroupX'])

Then a wrapper for dynamic realization:

    define realize_groups() {
      realize(Group[$name])
    }

And finally in the userloader define:

    define userloader ($uid, $gid, $groups, $comment, $password, $sshkeytype, $sshkey) {
      ...
      if $groups {
        realize_groups { $groups: }
      }
      ...
    }
Re: [Puppet Users] Parameter issue
Hi Pete,

I hoped there is a more elegant solution, but looks like there isn't. :) I can't test it today, but putting the variables inside define should work indeed. Thanks for the help!

Gergo Erdosi

On Wednesday, February 20, 2013 3:39:17 AM UTC+1, Pete wrote:
> Hi Gerdo,
>
> You are on the right track using a define but the problem is one of scope. The version parameter for your define will only get set once in your php::params class because classes are almost singletons in puppet (as in they can exist only once for a node no matter how many times you call them).
>
> You will have to set the configure parameters inside your define which will be ugly I know but there isn't any other way around it. I haven't used them but inline templates may help alleviate the ugliness. I would also recommend splitting your define out into a separate file so it's easier to maintain.
>
> Hope that helps.
>
> Pete.
>
> On 20 February 2013 09:04, ge...@timble.net wrote:
> > Hi,
> >
> > I'm working on a module and run into an issue. I would like to install multiple PHP versions from source. I know the preferred way is packages, but I don't want to maintain a custom APT repository.
> >
> > I have two files: install.pp which does the installation (download, extract, configure, make, make install) and params.pp which provides parameters.
> >
> > https://gist.github.com/gergoerdosi/4990967
> > https://gist.github.com/gergoerdosi/4991012
> >
> > The first call to php::install::source { '5.3.21': } runs fine, however when it reaches php::install::source { '5.4.11': }, it downloads 5.3.21 again instead 5.4.11. This is happening because the $url uses $version in params.pp, which doesn't get updated on the second call. This an expected behavior, but I don't know how else could I do it.
> >
> > What I want to do is to provide parameters for the different PHP versions (different URL, configure options etc). Any idea? My Puppet version is 2.7.19.
> >
> > Gergo Erdosi
[Puppet Users] Help needed in setting up a simple ENC
puppet master conf:

    [main]
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = $vardir/ssl

    [master]
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
    user = root
    group = root
    fileserverconfig = /etc/puppet/fileserver.conf
    reportdir = /home/logs/puppet/reports
    masterhttplog = /home/logs/puppet/masterhttp.log
    masterlog = /home/logs/puppet/puppetmaster.log
    reports = log,foreman
    reports=foreman,log
    templatedir = /etc/puppet/templates
    node_terminus = exec
    external_nodes = /etc/puppet/puppet_node_classifier

site.pp:

    #node default {
    #  exec {"echo 123":
    #    path => "/sbin:/usr/bin:/usr/sbin:/bin",
    #  }
    #}
    #node /local-web-cdn-70-200.idc.test.cn/ {
    #include tools
    #}

run script:

    [root@puppetmaster-tools yaml]# sh /etc/puppet/puppet_node_classifier local-web-cdn-70-200.idc.test.cn
    ---
    environment: production
    classes:
      - tools

Permission:

    [root@puppetmaster-tools yaml]# ll /etc/puppet/puppet_node_classifier
    -rwxr-xr-x 1 root root 133 Feb 20 20:01 /etc/puppet/puppet_node_classifier

but agent can not run:

    -bash-3.2# puppetd --test
    err: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not find default node or by name with 'local-web-cdn-70-200.idc.test.cn, local-web-cdn-70-200.idc.test, local-web-cdn-70-200.idc, local-web-cdn-70-200' on node local-web-cdn-70-200.idc.test.cn
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run

if cancel exegesis site.pp, it work ok, how?
Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?
On Wednesday, February 20, 2013 12:00:07 PM UTC, Felix.Frank wrote:
> On 02/20/2013 12:02 PM, spankt...@gmail.com wrote:
> > Regardless of how much use it has, it is a spof. Once it's down, whole cluster malfunctions. With monolithic CA server down, all clusters are malfunctioning.
>
> I disagree. An SSL connection requires two peers and at least one signed certificate. The client needs to trust the issuer's certificate, but it needs not contact a ca server to re-validate that certificate for each connection.
>
> A downtime of the CA service would merely imply that you cannot sign any new certificates for the time being.

And that's already too much. The whole point of this is to avoid spof's of any kind and be able to create redundant, highly available Puppet infrastructure. Unfortunately, I can't accept single CA server.

> > > Have you had any success signing the certificate using openssl, when the CSR originates with the agent (so, as a start, you do step 2 your way?)
> > >
> > > Once you have that working, all that's left to do is doing the CSR generation using openssl, which shouldn't be that hard, either. What's hard is not doing it on the agent node.
> >
> > No, so far I've complete failure. I tried to do it the Mozilla way, from the link included in original post, but it fails and I can't find out why.
>
> I only just looked at that. Lots of script work I won't dive into.
>
> I advise to do this bottom up:
>
> 1. Set up a plain old puppet master the usual way, make it work with an agent
> 2. Once that works, add another agent, but don't puppet ca sign its certificate but instead use an openssl invocation. Place the signed certificate in the appropriate location on the master host. The agent should receive it during its next connection.
> 3. Once that works, generate a CSR on yet a new agent using openssl, put the files in the appropriate locations in /var/lib/puppet/ssl and do an agent run. It should send your CSR to the master. Repeat step 2.
> 4. Once that works, you're basically there. Doing step 3 on the master node and transferring the files should not be too different.

And what would be the purpose of that? That still includes using puppet to create CA, and I want to avoid that completely. What the ideal workflow would look like is:

1. Puppetmaster's vm's are being booted. No CA nor cert actions taken.
2. User goes to web app, clicks 'generate CA' - CA gets generated.
3. User provides node names to generate - CA generated in 2. is being used to generate and sign these.
4. User downloads all files necessary to place on his puppet nodes.
5. CA and client certs are being placed on vm's booted in 1.
6. User can now use his nodes without any certificate actions required to talk to puppetmasters behind the loadbalancer.
Re: [Puppet Users] Question Windows manifests
Dear Felix,

Thanks a ton for your reply and great piece of information. I will do the needful on my side.

Thanks again,
Regards,
Rakesh K.

On Wed, Feb 20, 2013 at 3:41 PM, Felix Frank felix.fr...@alumni.tu-berlin.de wrote:

> Hi,
>
> On 02/20/2013 06:43 AM, Rakesh Kathpal wrote:
>> file { 'install': path => c:\install.bat, ...
>> exec {'install_sw':
>> file { 'remove': ensure => absent, ...
>>
>> I am quite sure that there is something syntactically wrong with my code but donno what? Can someone please shed some light on this?
>
> Actually, sorry to say this, but there's something conceptually wrong with this. You're walking into the C-like programming language trap.
>
> The thing is - the puppet DSL is nothing like traditional, statement based programming. The above are not three statements that are executed in order. They are supposed to be three properties of system state. You are telling puppet that you want it to make sure three things hold true:
>
> 1. c:\install.bat is present and has specific content
> 2. c:\install.bat is getting executed
> 3. c:\install.bat is not on your system
>
> 1 and 3 are conflicting. Puppet cannot maintain a state in which both are true. You will have a hard time bending puppet towards this behaviour.
>
> I suggest you just get rid of the final file resource and let the install.bat remain (but do choose a location that is better suited to store such internal administrative data).
>
> Also please note that you probably either want to add refreshonly to your exec resource, but that is rather unclean design (if the execution fails once, puppet will not know it needs to re-run because the file will not notify it again). The better alternative is a sensible creates or unless condition.
>
> HTH,
> Felix
Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?
On 02/20/2013 01:28 PM, spankthes...@gmail.com wrote:

> And what would be the purpose of that? That still includes using puppet to create CA, and I want to avoid that completely.

Ah, right. I forgot step 5. Which is replacing the CA with one created using openssl. Of course, all other certs are obsolete after you do that, so you can use your shiny new process of certifying agents to make them new ones.

> 1. Puppetmaster's vm's are being booted. No CA nor cert actions taken.
> 2. User goes to web app, click's 'generate CA' - CA gets generated.

A simpler alternative might be:

1a. User creates puppetmaster vm for a new pool, that bootstraps itself with a CA certificate
1b. User adds a puppetmaster vm to an existing pool, by cloning another VM

That way, you need not even implement a frontend for generating CAs on the fly.
Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?
Hi again,

to answer the question more succinctly: The purpose of the proposed process is to find and eliminate the points of failure. Once you've completed all those iterations, you will very well know what works and how.

Cheers,
Felix

On 02/20/2013 01:58 PM, Felix Frank wrote:

>> And what would be the purpose of that? That still includes using puppet to create CA, and I want to avoid that completely.
>
> Ah, right. I forgot step 5. Which is replacing the CA with one created using openssl. Of course, all other certs are obsolete after you do that, so you can use your shiny new process of certifying agents to make them new ones.
Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?
On Wednesday, February 20, 2013 12:58:44 PM UTC, Felix.Frank wrote:

> On 02/20/2013 01:28 PM, spankt...@gmail.com wrote:
>> And what would be the purpose of that? That still includes using puppet to create CA, and I want to avoid that completely.
>
> Ah, right. I forgot step 5. Which is replacing the CA with one created using openssl. Of course, all other certs are obsolete after you do that, so you can use your shiny new process of certifying agents to make them new ones.

Great, except I tried that and failed, therefore this thread ;) I was hoping someone was doing something like that already and knows if it's possible, and if it is, how to do it properly.

>> 1. Puppetmaster's vm's are being booted. No CA nor cert actions taken.
>> 2. User goes to web app, click's 'generate CA' - CA gets generated.
>
> A simpler alternative might be:
>
> 1a. User creates puppetmaster vm for a new pool, that bootstraps itself with a CA certificate
> 1b. User adds a puppetmaster vm to an existing pool, by cloning another VM
>
> That way, you need not even implement a frontend for generating CAs on the fly.

That's an interesting and tempting perspective, although I have two issues with it:

a) it would require user to know what he is doing with puppet ca/certs, and one of the purposes of the web app is to make user's life, and entire process as easy as possible
b) I would lose control over how many nodes user could add using that CA, something that would have been applied in the application logic
Re: [Puppet Users] Rspec with rspec-hiera-puppet
I have been revisiting this again lately and still haven't been able to get any spec tests working with hiera. Has anyone else had any luck in the last few months? It is easy to make hiera lookups work if there is a default, but I can't seem to write a spec test that provides data to a hiera lookup without a default or to override a default.

Thanks,
jl

On Dec 17, 2012, at 10:24 AM, Justin Lambert jlamb...@infiniteviewtech.com wrote:

> I've been working on getting spec tests on all of my modules and am down to ones that use hiera and don't have any reasonable defaults. It looks like there is a project on GH (https://github.com/amfranz/rspec-hiera-puppet) that is designed to fill this need, but for the life of me I cannot make it work. FriedBob helped out on the IRC channel some with his solution of including a patch to puppetlabs_spec_helper that was pulled pending further discussion (https://github.com/puppetlabs/puppetlabs_spec_helper/pull/16).
>
> I've attempted to make a working example using both the basic and advanced methods of rspec-hiera-puppet (I can live with either one) but cannot get them to work. Does anyone have any experience with this they can lend me a hand? This doesn't seem like it should be this hard - I have to be missing something easy.
>
> https://github.com/jlambert121/rspec-hiera-puppet-basic
> https://github.com/jlambert121/rspec-hiera-puppet-advanced
>
> Thanks,
> jl
[Puppet Users] Puppet apply and send reports?
Hi all,

I hope somebody can help me with something. We have a rather large number of netbooted nodes that we are running puppet apply via a script and a cron job every 30 minutes. I was wondering if there is a way to configure puppet apply, to also send any reports to our dashboard server that is being used for our normal puppet clients and what would be the way to go about doing this?

Currently run script runs something like this:

    puppet apply --config=$PUP/puppet.conf --detailed-exitcodes --onetime --no-daemonize $PUP/manifests/site.pp
[Puppet Users] Re: Parameter issue
On Tuesday, February 19, 2013 5:04:36 PM UTC-6, ge...@timble.net wrote:

> Hi, I'm working on a module and run into an issue. I would like to install multiple PHP versions from source.

Yes, that is an issue.

> I know the preferred way is packages, but I don't want to maintain a custom APT repository.

There are good reasons why packages are the preferred way. Why don't you want to maintain a custom repository?

John
Re: [Puppet Users] Rspec with rspec-hiera-puppet
On Wednesday, February 20, 2013 7:45:41 AM UTC-6, Justin Lambert wrote:

> I have been revisiting this again lately and still haven't been able to get any spec tests working with hiera. Has anyone else had any luck in the last few months? It is easy to make hiera lookups work if there is a default, but I can't seem to write a spec test that provides data to a hiera lookup without a default or to override a default.

Before I updated to puppet 3, I patched my copy of puppetlabs_spec_helper so that it would create things it needed to let me test with hiera. Unfortunately, I have not kept up with my tests and have been unable to make sure they still work on puppet3. It is on my list, and I will give an update once I am able to.

> Thanks,
> jl
>
> On Dec 17, 2012, at 10:24 AM, Justin Lambert jlam...@infiniteviewtech.com wrote:
>
>> I've been working on getting spec tests on all of my modules and am down to ones that use hiera and don't have any reasonable defaults. It looks like there is a project on GH (https://github.com/amfranz/rspec-hiera-puppet) that is designed to fill this need, but for the life of me I cannot make it work. FriedBob helped out on the IRC channel some with his solution of including a patch to puppetlabs_spec_helper that was pulled pending further discussion (https://github.com/puppetlabs/puppetlabs_spec_helper/pull/16).
>>
>> I've attempted to make a working example using both the basic and advanced methods of rspec-hiera-puppet (I can live with either one) but cannot get them to work. Does anyone have any experience with this they can lend me a hand? This doesn't seem like it should be this hard - I have to be missing something easy.
>>
>> https://github.com/jlambert121/rspec-hiera-puppet-basic
>> https://github.com/jlambert121/rspec-hiera-puppet-advanced
>>
>> Thanks,
>> jl
Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?
On 02/20/2013 02:38 PM, spankthes...@gmail.com wrote:

>> Ah, right. I forgot step 5. Which is replacing the CA with one created using openssl. Of course, all other certs are obsolete after you do that, so you can use your shiny new process of certifying agents to make them new ones.
>
> Great, except I tried that and failed, therefore this thread ;) I was hoping someone was doing something like that already and know if its possible, and if it is, how to do it properly.

Well, I disbelieve this has been done, because the way you are proposing to model puppet architecture sounds pretty unique.

As I understood, you tried to do steps 1 through 5 in one, which failed. I can think of quite some ways this would happen. Therefore the baby steps.

HTH,
Felix
Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?
Howdy!

I might suggest starting here: http://projects.puppetlabs.com/projects/1/wiki/certificates_and_security

It talks a little about setting up a separate CA - this is pretty commonly done for HA environments.

As far as pre-generating the client certs without Puppet, I'd have a look at ssl/host.rb in the source tree to see how it does it. It has all the logic puppet certificate --generate uses (it seems to call generate_certificate_request), and then the logic --sign uses which calls ca.sign. If you look through that code I'm sure you can figure out the right options to pass openssl to do it.

Jason
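The CA, CSR and signing steps discussed in this thread, written with Ruby's standard OpenSSL bindings as an added example (not code from the thread, and not Puppet's ssl/host.rb). The function names, the CA name and the node name agent01.example.test are assumptions; the final check uses only the CA certificate, without contacting any CA service.

```ruby
require 'openssl'

DIGEST = 'SHA256'

# Build a self-signed CA certificate. Returns [private_key, certificate].
def make_ca(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 5 * 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new(DIGEST))
  [key, cert]
end

# Generate a node key pair and a CSR whose CN is the node's certname.
# The private key belongs on the node only; the CA needs just the CSR.
def make_csr(certname)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{certname}")
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new(DIGEST))
  [key, csr]
end

# True when the CSR is signed by the private key matching its public key.
def csr_self_signed?(csr)
  csr.verify(csr.public_key)
rescue OpenSSL::X509::RequestError
  false
end

# Sign a CSR after checking proof of possession and that the requested CN is
# the node name the operator asked for. Serial numbers must be unique per CA.
def sign_csr(ca_key, ca_cert, csr, serial, expected_cn)
  raise ArgumentError, 'CSR self-signature is invalid' unless csr_self_signed?(csr)
  cn = csr.subject.to_a.find { |name, _value, _type| name == 'CN' }&.at(1)
  raise ArgumentError, "CSR is for #{cn.inspect}, expected #{expected_cn}" unless cn == expected_cn

  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = csr.subject
  cert.issuer = ca_cert.subject
  cert.public_key = csr.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = ca_cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
  cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth,clientAuth'))
  cert.sign(ca_key, OpenSSL::Digest.new(DIGEST))
  cert
end

# Offline chain check: the verifier holds only the CA certificate.
def trusted_by?(ca_cert, cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(cert)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed names, for illustration only.
  ca_key, ca_cert = make_ca('Constructed Puppet CA')
  _node_key, csr = make_csr('agent01.example.test')
  node_cert = sign_csr(ca_key, ca_cert, csr, 2, 'agent01.example.test')
  puts "issued #{node_cert.subject} by #{node_cert.issuer}"
  puts "verifies against CA cert alone: #{trusted_by?(ca_cert, node_cert)}"

  # A second CA with the same name but a different key is not trusted.
  other_key, other_cert = make_ca('Constructed Puppet CA')
  stray = sign_csr(other_key, other_cert, csr, 2, 'agent01.example.test')
  puts "cert from a different CA key verifies: #{trusted_by?(ca_cert, stray)}"
end
```

The CA private key is only used inside sign_csr, so it can stay offline between signing operations; the PEM forms (to_pem) of the resulting objects are what would be distributed.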
Re: [Puppet Users] automatically create nagios_hostgroup only when a member of a group comes up
On 2/20/2013 5:09 PM, Sans wrote:

> [snip]
> Yes you can (overlooked that point, really) until a service (nagios_service type) is defined. I think, my actual question would be, how can I query if a host with certain name (property) is up and only include that service if the node count is at least one or more.

I use a very bad hack to do this. I have a define that looks like this (simplified):

    define nagios::server::plugin ($inject_class) {
      include $inject_class
    }

The nagios server listens for exported resources of this type:

    Nagios::Server::Plugin <<| |>>

If a class needs to be defined on the nagios server by a node, it simply calls

    @@nagios::server::plugin { ...: inject_class => 'some plugin class' }

and the server will pick it up and realize it. As long as the plugin is a class and not a define (and requires no params), there will be no harm with multiple nodes broadcasting the same plugin; it will still be realized only once.

-Taj.
[Puppet Users] Puppet 3 upgrade issue with auth.conf and fileserver.conf
Hi guys,

I just upgraded my puppet 2.7.x to Puppet 3. Upgrade is smooth except for one thing. I'm getting the error below:

    Warning: Unable to fetch my node definition, but the agent run will continue:
    Warning: Error 403 on SERVER: Forbidden request: [hostname] access to /node/[hostname] [find] at :0
    Info: Retrieving plugin
    Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: Error 403 on SERVER: Forbidden request: [hostname] access to /file_metadata/plugins [search] at :0
    Error: /File[/var/lib/puppet/lib]: Could not evaluate: Error 403 on SERVER: Forbidden request: [hostname] access to /file_metadata/plugins [find] at :0 Could not retrieve file metadata for puppet://[hostname]/plugins: Error 403 on SERVER: Forbidden request: [hostname] access to /file_metadata/plugins [find] at :0
    Info: Loading facts in /etc/puppet/modules/augeas/lib/facter/augeasversion.rb
    Info: Loading facts in /etc/puppet/modules/concat/lib/facter/concat_basedir.rb
    Info: Loading facts in /etc/puppet/modules/firewall/lib/facter/ip6tables_version.rb
    Info: Loading facts in /etc/puppet/modules/firewall/lib/facter/iptables_version.rb
    Info: Loading facts in /etc/puppet/modules/mmm/lib/facter/ipaddresses.rb
    Info: Loading facts in /etc/puppet/modules/stdlib/lib/facter/pe_version.rb
    Info: Loading facts in /etc/puppet/modules/stdlib/lib/facter/puppet_vardir.rb
    Info: Loading facts in /etc/puppet/modules/stdlib/lib/facter/root_home.rb
    Info: Loading facts in /etc/puppet/modules/sudo/lib/facter/sudo.rb
    Info: Loading facts in /etc/puppet/modules/xen/lib/facter/lvm_freespace.rb
    Info: Loading facts in /var/lib/puppet/lib/facter/ip6tables_version.rb
    Info: Loading facts in /var/lib/puppet/lib/facter/ipaddresses.rb
    Info: Loading facts in /var/lib/puppet/lib/facter/lvm_freespace.rb
    Info: Loading facts in /var/lib/puppet/lib/facter/sudo.rb
    Info: Loading facts in /var/lib/puppet/lib/facter/puppet_vardir.rb
    Info: Loading facts in /var/lib/puppet/lib/facter/root_home.rb
    Info: Loading facts in /var/lib/puppet/lib/facter/iptables_version.rb
    Info: Loading facts in /var/lib/puppet/lib/facter/pe_version.rb
    Info: Loading facts in /var/lib/puppet/lib/facter/concat_basedir.rb
    Info: Loading facts in /var/lib/puppet/lib/facter/augeasversion.rb
    Error: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: [hostname] access to /catalog/[hostname] [find] at :0
    Warning: Not using cache on failed catalog
    Error: Could not retrieve catalog; skipping run

I looked at the changelog and telly workarounds but still the same thing. Made sure all the source => 'puppet:///modules/x/x/'

auth.conf

    # allow nodes to retrieve their own node definition
    path ~ ^/node/([^/]+)$
    method find
    allow $1

    # allow nodes to retrieve their own catalog
    path ~ ^/catalog/([^/]+)$
    method find
    allow $1

    # allow all nodes to access the certificates services
    path /certificate_revocation_list/ca
    method find
    allow *

    # allow all nodes to store their reports
    path /report
    method save
    allow *

    # Allow all nodes to access all file services; this is necessary for
    # pluginsync, file serving from modules, and file serving from custom
    # mount points (see fileserver.conf). Note that the `/file` prefix matches
    # requests to both the file_metadata and file_content paths. See "Examples"
    # above if you need more granular access control for custom mount points.
    path /file
    allow *

    path /plugins
    allow *

    ### Unauthenticated ACLs, for clients without valid certificates; authenticated
    ### clients can also access these paths, though they rarely need to.

    # allow access to the CA certificate; unauthenticated nodes need this
    # in order to validate the puppet master's certificate
    path /certificate/ca
    auth any
    method find
    allow *

    # allow nodes to retrieve the certificate they requested earlier
    path /certificate/
    auth any
    method find
    allow *

    # allow nodes to request a new certificate
    path /certificate_request
    auth any
    method find, save
    allow *

    # deny everything else; this ACL is not strictly necessary, but
    # illustrates the default policy.
    path /
    auth any

    path ~ ^/file_(metadata|content)/files/
    auth yes
    allow puppet.domain.com
    allow 10.0.0.10

fileserver.conf

    # This file consists of arbitrarily named sections/modules
    # defining where files are served from and to whom

    # Define a section 'files'
    # Adapt the allow/deny settings to your needs. Order
    # for allow/deny does not matter, allow always takes precedence
    # over deny
    [files]
    path /etc/puppet/files
    # allow *.example.com
    allow *

    [plugins]
    # allow *.example.com
    # deny *.evil.example.com
    # allow 192.168.0.0/24
    allow *

What am I doing wrong here?
[Puppet Users] Re: Parameter issue
Hi John,

This Puppet module will be for a Vagrant development environment for about 5-10 people in our team. Setting up an APT repository and building packages each time there is a new release takes too much time. If we used it on production, I would definitely create packages, but I don't see the need in this case.

Gergo Erdosi

On Wednesday, February 20, 2013 2:56:29 PM UTC+1, jcbollinger wrote:

> On Tuesday, February 19, 2013 5:04:36 PM UTC-6, ge...@timble.net wrote:
>> Hi, I'm working on a module and run into an issue. I would like to install multiple PHP versions from source.
>
> Yes, that is an issue.
>
>> I know the preferred way is packages, but I don't want to maintain a custom APT repository.
>
> There are good reasons why packages are the preferred way. Why don't you want to maintain a custom repository?
>
> John
[Puppet Users] Re: Parameter issue
On Wednesday, February 20, 2013 8:40:48 AM UTC-6, ge...@timble.net wrote:

> Hi John, This Puppet module will be for a Vagrant development environment for about 5-10 people in our team. Setting up an APT repository and building packages each time there is a new release takes too much time. If we used it on production, I would definitely create packages, but I don't see the need in this case.

You will do as you think best, of course. I can't believe, however, that setting up an APT repository is much harder than setting up a YUM repository, which takes maybe five minutes for the basic setup, and almost no time to add / remove packages.

As for building packages, it's no harder to build packages than to teach Puppet to install the same software from source. You may need to get over a learning curve, but even that may be minimal if you start from existing packaging for some version of the software you want to build. For the cost of a bit of time spent learning a useful skill, you would gain use of packages for managing the software on your systems, which is a big advantage even before Puppet is considered.

John
[Puppet Users] hiera-gpg causing big increase in catalog compile time
Hi,

I've been using hiera for a little while and have started using the hiera-gpg back-end for passwords etc. The problem is, I am seeing a massive increase in catalog compile time when using hiera-gpg. On one particular node where there is quite a lot going on, catalog compile time jumped from 5s to 90s. My typical compile times have gone from around 2s to around 30s.

I have the gpg backend listed underneath yaml in my hiera.yaml file, so from what I understand my .gpg config files should only be interrogated if no answer is found in the .yaml files. I only have half a dozen or so vars stored in the .gpg files. By simply removing the gpg backend from hiera.yaml the compile times go back down to normal.

I'm using:
- Puppet 3.1.0 installed from apt.puppetlabs.com on Debian Squeeze
- hiera-gpg 1.1.0 installed from Rubygems

Would appreciate any tips for debugging this problem, thanks in advance.

Jon
Re: [Puppet Users] Re: migrating from cfengine to puppet, node wrangling question
On Wednesday, February 20, 2013 6:17:29 AM UTC-6, Felix.Frank wrote:

> On 02/20/2013 09:36 AM, Paul Tötterman wrote:
>>> This works, but I'm not sure it's the best way about going about it. I'm trying to define host groups in my site.pp file in such a way that when puppet runs on my nodes, they know their functional role and are configured accordingly.
>>
>> May I suggest that you look into using a node classifier (ENC) or at least hiera to separate data from code?
>
> More to the point: The functionality underneath your current pattern (i.e. dynamic variable scoping) is deprecated in puppet 2.7 and (as I understand) is going away in puppet 3.

Dynamic variable scoping is indeed gone in Puppet 3, except (as I understand it) for node-scoped variables. That exception was not originally planned, but the removal of dynamic scoping proved too big a change otherwise. It would have been different, perhaps, if node-scoped variables had qualified names, but they don't.

That doesn't make reliance on node variables a particularly good idea, however. Externalizing the data is a better solution to the problem, and Hiera is my recommendation for accessing such external data. An ENC is another viable option, but even if you're already using one I'd advise you to consider Hiera for this particular task.

John
[Puppet Users] Access puppet hash name in templates
Hi,

I've defined a hash like so in my nodes.pp:

    net::addr { eth5:
      rt => {
        rt1 => {
          address => '192.168.10.0',
          netmask => '255.255.255.0',
          gateway => '192.5.28.19',
          src     => '192.5.28.21'
        },
      }
    }

What I can't get to access is the title of the hash in my templates, so I want to print out the title of the hash i.e. eth5, how can I do that?

Also I have a variable called $int in my define class in the file for my module (/etc/puppet/modules/net/manifests/addr.pp), how can I access that using the scope.lookupvar function from this template in the same module?

Thanks
Dan
[Puppet Users] Multiple Puppet agents on one node?
Hello,

can I run two different Puppet agents on one node listening to two different Masters?

Thank you for your help.

Best regards
Michael
Re: [Puppet Users] Multiple Puppet agents on one node?
I will ask the obvious: Why do you want to do this?

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
Bill Waterson (Calvin Hobbes)

- Original Message -
From: Michael Hüttermann mich...@huettermann.net
To: puppet-users@googlegroups.com
Sent: Wednesday, February 20, 2013 12:22:55 PM
Subject: [Puppet Users] Multiple Puppet agents on one node?

Hello,

can I run two different Puppet agents on one node listening to two different Masters?

Thank you for your help.

Best regards
Michael
[Puppet Users] Re: Groups membership
Per the docs, the members parameter is only... For directory services where group membership is stored in the group objects, not the users. That is, unless you're using some provider other than groupadd or ldap, that parameter isn't applicable.

On Tuesday, February 19, 2013 6:40:34 AM UTC-8, Vlados Vlados wrote:
> How can I realize group membership? This construction does not work:
>
>     group { developers:
>       ensure  => present,
>       members => ['testusers','noname']
>     }
>
> I want /etc/groups to contain: developers:x:1011:testusers,noname
> Thank you.
Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?
I think you're trying to overcomplicate the situation here. Yes, it's a single point of failure, but unfortunately that is not going to change anytime between now and maybe 6 months.

You do not need multiple CAs to use multiple puppet masters. The client needs to have the setting ca_server set to the Puppet Master that is the CA. You need to configure that Puppet master with ca = true. The puppet masters you create need to be configured with ca = false. You can have 300 different puppet masters and each client can connect to the different ones as needed. If you need to limit which clients can connect to which puppet masters then you should look at the auth.conf file.

As for a web interface around certificate signing, when each client connects into the CA it will submit its request and if autosign is turned off it should be set up to wait for certificate. The web interface can be a wrapper around the puppet cert face so you can get a list of certificates signed and what's waiting to be signed. You can even set it up to revoke or clean out a certificate. You do not need to call to the command line to do this either, you can interface with the puppet api from rubygems.

On Tue, Feb 19, 2013 at 3:15 PM, spankthes...@gmail.com wrote:
> Dear Felix,
> I think you're getting it wrong, let me clarify it a bit. The goal of this is to be able to write web interface for generating puppetmasters CA's and client certificates on demand. An example: install 3 puppetmasters with loadbalancer in front. Use web interface to generate CA and certificates for chosen clients (let's say, 10 machines). Deploy such generated CA's on puppetmasters, and relevant bits on puppet clients to authorize them against these puppetmasters. Whenever there's need for change, use that CA via web interface to add and delete client certificates, redeploy them on puppetmasters and so on.
> This, while doable via Subprocess functions (Python is the language of choice for me, but that doesn't really matter) and calls to relevant puppet system commands is an extremely ugly and not flexible solution. I would love to do it via openssl library, but to do so, I'd need to have a workable way to build CA's and sign (and revoke) client certs via openssl command - so far I can't reach that goal. I hope this makes more sense now.
> Regards, S.
>
> On Tuesday, February 19, 2013 4:04:32 PM UTC, Felix.Frank wrote:
>> On 02/16/2013 12:20 PM, spankt...@gmail.com wrote:
>>> after creating CA and client cert and applying them to puppetmaster, it complains with:
>> Wait, what? You create a new CA, even after agents have already been certified, then create new agent certificates? If your CA changes, you will have to terminate all the (now deprecated) agent certificates and sign new certificates for all agents. Basically, I would expect the outcome you are observing, and you should just follow the instructions given in your log excerpt. Note that you are *not* supposed to remove the CA from the master, only the copy of the agent's certificate.
>> HTH, Felix
[Puppet Users] Announce: Module puppetlabs/postgresql 2.1.0 Available
A new release of the puppetlabs/postgresql module is now available on the Forge:

https://forge.puppetlabs.com/puppetlabs/postgresql/2.1.0

Changelog

This release is primarily a feature release, introducing some new helpful constructs to the module.

For starters, we've added the line `include 'postgresql_conf_extras.conf'` by default so extra parameters not managed by the module can be added by other tooling or by Puppet itself. This provides a useful escape-hatch for managing settings that are not currently managed by the module today.

We've added a new defined resource for managing your tablespace, so you can now create new tablespaces using the syntax:

    postgresql::tablespace { 'dbspace':
      location => '/srv/dbspace',
    }

We've added a locale parameter to the `postgresql` class, to provide a default. Also the parameter has been added to the `postgresql::database` and `postgresql::db` defined resources for changing the locale per database:

    postgresql::db { 'mydatabase':
      user     => 'myuser',
      password => 'mypassword',
      encoding => 'UTF8',
      locale   => 'en_NG',
    }

There is a new class for installing the necessary packages to provide the PostgreSQL JDBC client jars:

    class { 'postgresql::java': }

And we have a brand new defined resource for managing fine-grained rule sets within your pg_hba.conf access lists:

    postgresql::pg_hba { 'Open up postgresql for access from 200.1.2.0/24':
      type        => 'host',
      database    => 'app',
      user        => 'app',
      address     => '200.1.2.0/24',
      auth_method => 'md5',
    }

Finally, we've also added Travis-CI support and unit tests to help us iterate faster with tests to reduce regression. The current URL for these tests is here: https://travis-ci.org/puppetlabs/puppet-postgresql. Instructions on how to run the unit tests available are provided in the README for the module.

A big thanks to all those listed below who made this feature release possible :-).

Detailed Changes

2013-01-18 - Simão Fontes simaofon...@gmail.com Flaper Fesp flape...@gmail.com
* Remove trailing commas from params.pp property definition for Puppet 2.6.0 compatibility

2013-01-18 - Lauren Rother lauren.rot...@puppetlabs.com
* Updated README.md to conform with best practices template

2013-01-09 - Adrien Thebo g...@somethingsinistral.net
* Update postgresql_default_version to 9.1 for Debian 7.0

2013-01-28 - Karel Brezina karel.brez...@gmail.com
* Add support for tablespaces

2013-01-16 - Chris Price ch...@puppetlabs.com Karel Brezina karel.brez...@gmail.com
* Provide support for an 'include' config file 'postgresql_conf_extras.conf' that users can modify manually or outside of the module.

2013-01-31 - jv j...@jeffvier.com
* Fix typo in README.pp for postgresql::db example

2013-02-03 - Ken Barber k...@bob.sh
* Add unit tests and travis-ci support

2013-02-02 - Ken Barber k...@bob.sh
* Add locale parameter support to the 'postgresql' class

2013-01-21 - Michael Arnold git...@razorsedge.org
* Add a class for install the packages containing the PostgreSQL JDBC jar

2013-02-06 - fhrbek filip.hb...@gmail.com
* Coding style fixes to reduce warnings in puppet-lint and Geppetto

2013-02-10 - Ken Barber k...@bob.sh
* Provide new defined resource for managing pg_hba.conf

2013-02-11 - Ken Barber k...@bob.sh
* Fix bug with reload of Postgresql on Redhat/Centos

2013-02-15 - Erik Dalén da...@spotify.com
* Fix more style issues to reduce warnings in puppet-lint and Geppetto

2013-02-15 - Erik Dalén da...@spotify.com
* Fix case whereby we were modifying a hash after creation
[Puppet Users] ruby versions and puppet 3
We're planning a rollout of Puppet 3 on our network. We've been entirely RH5 & RH6 for a while, but we are planning on folding in Solaris hosts and possibly AIX as well. The Redhat hosts are running ruby 1.8.7 and the Solaris & AIX hosts have ruby 1.9.3p125.

My question is, will the differing (but officially supported) ruby versions cause any problems with puppet even though all platforms will be running the same version of Puppet?

Bill
[Puppet Users] Re: ruby versions and puppet 3
I've never tried this, but it SHOULD be okay. Puppet is reasonably standoffish about its interfaces, with everything going as yaml or json over HTTP, and part of the goal of that was to eventually do exactly this. We expect this setup to work, and if it doesn't it's a bug. (That's also part of why it uses relatively slow json and yaml instead of fast Marshal, is because Marshal had a bad habit of being incompatible between Ruby versions.)

On Wednesday, February 20, 2013 10:10:25 AM UTC-8, Bill Sirinek wrote:
> We're planning a rollout of Puppet 3 on our network. We've been entirely RH5 & RH6 for a while, but we are planning on folding in Solaris hosts and possibly AIX as well. The Redhat hosts are running ruby 1.8.7 and the Solaris & AIX hosts have ruby 1.9.3p125.
> My question is, will the differing (but officially supported) ruby versions cause any problems with puppet even though all platforms will be running the same version of Puppet?
> Bill
[Puppet Users] puppet unicorn SIGINT shutdown issue
So I started running puppet under unicorn, and it works, but there is a problem with shutting it down. Whenever you send a SIGINT to the master unicorn process, the worker processes are left running and listening on the socket until they time out and shut themselves down. However if you send it a SIGTERM it shuts down fine.

The other interesting point is that when you send the SIGINT, the process writes out "Canceling startup", which indicates that rack never fully started. I'm guessing it's because of this that the workers don't get shut down properly.

I wrote a really simple rack app to run under unicorn, and it behaves properly with both SIGINT and SIGTERM, so this leads me to believe puppet is doing something unusual with rack. Anyone know why this is occurring? It feels like a bug in puppet, but wasn't sure if unicorn was officially supported or not.

Puppet 3.1 with unicorn 4.5.0

-Patrick
Re: [Puppet Users] puppet unicorn SIGINT shutdown issue
Well I figured it out. In `application/master.rb` line 142, puppet is doing `Signal.trap(:INT) ... exit(0)`, which prevents unicorn from getting the signal and shutting down properly. Why is this code there? Any reason I shouldn't be heading right over to the bug tracker and entering in a bug report?

-Patrick

On 2013/20/02 14:14, Patrick wrote:
> So I started running puppet under unicorn, and it works, but there is a problem with shutting it down. Whenever you send a SIGINT to the master unicorn process, the worker processes are left running and listening on the socket until they time out and shut themselves down. However if you send it a SIGTERM it shuts down fine.
> The other interesting point is that when you send the SIGINT, the process writes out "Canceling startup", which indicates that rack never fully started. I'm guessing it's because of this that the workers don't get shut down properly.
> I wrote a really simple rack app to run under unicorn, and it behaves properly with both SIGINT and SIGTERM, so this leads me to believe puppet is doing something unusual with rack. Anyone know why this is occurring? It feels like a bug in puppet, but wasn't sure if unicorn was officially supported or not.
> Puppet 3.1 with unicorn 4.5.0
> -Patrick
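The mechanism described in the message above rests on how Ruby treats repeated `Signal.trap` calls: the most recent handler for a signal replaces the earlier one, and `Signal.trap` returns the handler it displaced. The following is an added example, not code from Puppet, unicorn or this thread; the "server" and "app" handlers and their messages are constructed stand-ins.

```ruby
# Constructed demonstration of handler replacement with Signal.trap.
# The "server" handler stands in for a process manager that stops its workers
# on INT; the "app" handler stands in for application code loaded afterwards.

# Forks a child that installs the handlers, sends it SIGINT, and returns what
# the child reported over a pipe together with its exit status.
#   app_mode: :none    -> only the server handler is installed
#             :replace -> the app traps INT and exits on its own
#             :chain   -> the app traps INT, then calls the handler it displaced
def interrupt_child(app_mode)
  reader, writer = IO.pipe
  pid = fork do
    reader.close

    # Server side: on INT, stop the workers, then exit.
    Signal.trap(:INT) do
      writer.syswrite("server: workers stopped\n")
      exit!(0) # exit! skips at_exit hooks inherited from the parent process
    end

    case app_mode
    when :replace
      # Last trap wins: the server handler above is silently discarded.
      Signal.trap(:INT) do
        writer.syswrite("app: canceling startup\n")
        exit!(0)
      end
    when :chain
      # Signal.trap returns the previous handler; keep it and call it.
      previous = nil
      previous = Signal.trap(:INT) do
        writer.syswrite("app: canceling startup\n")
        previous.call if previous.respond_to?(:call)
        exit!(0)
      end
    end

    writer.syswrite("ready\n")
    sleep # wait for the signal
  end

  writer.close
  reader.gets # block until the child has its handlers in place
  Process.kill(:INT, pid)
  events = reader.read.lines.map(&:chomp)
  _, status = Process.wait2(pid)
  reader.close
  { events: events, exitstatus: status.exitstatus }
end

if __FILE__ == $PROGRAM_NAME
  %i[none replace chain].each do |mode|
    puts "#{mode}: #{interrupt_child(mode)[:events].inspect}"
  end
end
```

In `:replace` mode the child still exits with status 0, so the lost shutdown step is invisible to anything that only watches the exit code.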
Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?
Dear Matt,

On Wednesday, February 20, 2013 5:41:11 PM UTC, Matt wrote:
> I think you're trying to overcomplicate the situation here. Yes, it's a single point of failure, but unfortunately that is not going to change anytime between now and maybe 6 months.

I am aware of that, and I am fine with that.

> You do not need multiple CAs to use multiple puppet masters. The client needs to have the setting ca_server set to the Puppet Master that is the CA. You need to configure that Puppet master with ca = true. The puppet masters you create need to be configured with ca = false. You can have 300 different puppet masters and each client can connect to the different ones as needed.

The thing is, the puppetmasters are exposed to puppet clients via loadbalancer, so they actually appear as one puppetmaster, therefore, they all need to have the same CA installed.

> If you need to limit which clients can connect to which puppet masters then you should look at the auth.conf file. As for a web interface around certificate signing, when each client connects into the CA it will submit its request and if autosign is turned off it should be set up to wait for certificate. The web interface can be a wrapper around the puppet cert face so you can get a list of certificates signed and what's waiting to be signed. You can even set it up to revoke or clean out a certificate. You do not need to call to the command line to do this either, you can interface with the puppet api from rubygems.

That, again, would require running puppetmaster per user, something I really, really want to avoid.

> On Tue, Feb 19, 2013 at 3:15 PM, spankt...@gmail.com wrote:
>> Dear Felix,
>> I think you're getting it wrong, let me clarify it a bit. The goal of this is to be able to write web interface for generating puppetmasters CA's and client certificates on demand. An example: install 3 puppetmasters with loadbalancer in front. Use web interface to generate CA and certificates for chosen clients (let's say, 10 machines). Deploy such generated CA's on puppetmasters, and relevant bits on puppet clients to authorize them against these puppetmasters. Whenever there's need for change, use that CA via web interface to add and delete client certificates, redeploy them on puppetmasters and so on.
>> This, while doable via Subprocess functions (Python is the language of choice for me, but that doesn't really matter) and calls to relevant puppet system commands is an extremely ugly and not flexible solution. I would love to do it via openssl library, but to do so, I'd need to have a workable way to build CA's and sign (and revoke) client certs via openssl command - so far I can't reach that goal. I hope this makes more sense now.
>> Regards, S.
>>
>> On Tuesday, February 19, 2013 4:04:32 PM UTC, Felix.Frank wrote:
>>> On 02/16/2013 12:20 PM, spankt...@gmail.com wrote:
>>>> after creating CA and client cert and applying them to puppetmaster, it complains with:
>>> Wait, what? You create a new CA, even after agents have already been certified, then create new agent certificates? If your CA changes, you will have to terminate all the (now deprecated) agent certificates and sign new certificates for all agents. Basically, I would expect the outcome you are observing, and you should just follow the instructions given in your log excerpt. Note that you are *not* supposed to remove the CA from the master, only the copy of the agent's certificate.
>>> HTH, Felix
Re: [Puppet Users] Multiple Puppet agents on one node?
I'm just curious if this is possible, technically. Is it?

On Wednesday, February 20, 2013 6:33:06 PM UTC+1, Ygor wrote:
> I will ask the obvious: Why do you want to do this?
>
> “Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
> Bill Watterson (Calvin & Hobbes)
>
> From: Michael Hüttermann mic...@huettermann.net
> To: puppet...@googlegroups.com
> Sent: Wednesday, February 20, 2013 12:22:55 PM
> Subject: [Puppet Users] Multiple Puppet agents on one node?
>
> Hello, can I run two different Puppet agents on one node listening to two different Masters? Thank you for your help. Best regards Michael
[Puppet Users] remove node parameters with dashboard rake api?
Is there a rake task for removing node parameters from the dashboard? The online dashboard manual is silent on the parameters related to rake tasks altogether.
[Puppet Users] Re: Puppet agent daemon not seeing a Facter fact
A bit of an update: I ended up doing something very hackish, but it works. Basically, after installing Puppet, I stop the agent, and add a line to /etc/init.d/puppet to source /etc/environment. Then I start the agent. Works fantastically. I do realize this is a little ugly, but in this case was simpler to implement and easier to manage going forward than distributing custom Facter plugins. Thank you John for pointing me in the right direction. Cheers!
Re: [Puppet Users] How to manually create Puppet CA and client certificates using openssl?
I run an F5 load balancer with SSL termination at the F5 and I don't need to put the CA cert anywhere except the F5. The actual CA signs the certs. The CA cert is only really used to authenticate the client cert. This gives the appearance to my puppet clients that I only have one puppet master when in actuality I have around 4-5 per VIP.

As for your last part I'm not really seeing how you think you would need a puppetmaster per user.

On Wed, Feb 20, 2013 at 2:59 PM, spankthes...@gmail.com wrote:
> Dear Matt,
>
> On Wednesday, February 20, 2013 5:41:11 PM UTC, Matt wrote:
>> I think you're trying to overcomplicate the situation here. Yes, it's a single point of failure, but unfortunately that is not going to change anytime between now and maybe 6 months.
>
> I am aware of that, and I am fine with that.
>
>> You do not need multiple CAs to use multiple puppet masters. The client needs to have the setting ca_server set to the Puppet Master that is the CA. You need to configure that Puppet master with ca = true. The puppet masters you create need to be configured with ca = false. You can have 300 different puppet masters and each client can connect to the different ones as needed.
>
> The thing is, the puppetmasters are exposed to puppet clients via loadbalancer, so they actually appear as one puppetmaster, therefore, they all need to have the same CA installed.
>
>> If you need to limit which clients can connect to which puppet masters then you should look at the auth.conf file. As for a web interface around certificate signing, when each client connects into the CA it will submit its request and if autosign is turned off it should be set up to wait for certificate. The web interface can be a wrapper around the puppet cert face so you can get a list of certificates signed and what's waiting to be signed. You can even set it up to revoke or clean out a certificate. You do not need to call to the command line to do this either, you can interface with the puppet api from rubygems.
>
> That, again, would require running puppetmaster per user, something I really, really want to avoid.
>
>> On Tue, Feb 19, 2013 at 3:15 PM, spankt...@gmail.com wrote:
>>> Dear Felix,
>>> I think you're getting it wrong, let me clarify it a bit. The goal of this is to be able to write web interface for generating puppetmasters CA's and client certificates on demand. An example: install 3 puppetmasters with loadbalancer in front. Use web interface to generate CA and certificates for chosen clients (let's say, 10 machines). Deploy such generated CA's on puppetmasters, and relevant bits on puppet clients to authorize them against these puppetmasters. Whenever there's need for change, use that CA via web interface to add and delete client certificates, redeploy them on puppetmasters and so on.
>>> This, while doable via Subprocess functions (Python is the language of choice for me, but that doesn't really matter) and calls to relevant puppet system commands is an extremely ugly and not flexible solution. I would love to do it via openssl library, but to do so, I'd need to have a workable way to build CA's and sign (and revoke) client certs via openssl command - so far I can't reach that goal. I hope this makes more sense now.
>>> Regards, S.
>>>
>>> On Tuesday, February 19, 2013 4:04:32 PM UTC, Felix.Frank wrote:
>>>> On 02/16/2013 12:20 PM, spankt...@gmail.com wrote:
>>>>> after creating CA and client cert and applying them to puppetmaster, it complains with:
>>>> Wait, what? You create a new CA, even after agents have already been certified, then create new agent certificates? If your CA changes, you will have to terminate all the (now deprecated) agent certificates and sign new certificates for all agents. Basically, I would expect the outcome you are observing, and you should just follow the instructions given in your log excerpt. Note that you are *not* supposed to remove the CA from the master, only the copy of the agent's certificate.
>>>> HTH, Felix
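Two points from this thread can be checked with Ruby's OpenSSL bindings: a certificate signed under one CA stops verifying once the CA is regenerated (Felix's point, quoted above), and verification needs only the CA certificate plus a CRL to honour revocations. This is an added example, not code from the thread or from Puppet; the helper names, subject names, key size and validity periods are assumptions, and the agent key is generated here instead of coming from a CSR.

```ruby
require "openssl"

# Constructed demonstration; all names and lifetimes below are assumptions.
DIGEST = "SHA256"

# Creates a self-signed CA certificate and its private key.
def new_ca(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
  cert.sign(key, OpenSSL::Digest.new(DIGEST))
  { key: key, cert: cert }
end

# Issues a client certificate signed by the given CA.
def issue(ca, common_name, serial)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = ca[:cert].subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(ca[:key], OpenSSL::Digest.new(DIGEST))
  cert
end

# Builds a CRL, signed by the CA, that lists the given serial numbers.
def crl_for(ca, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca[:cert].subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time = Time.now - 60
    crl.add_revoked(entry)
  end
  crl.sign(ca[:key], OpenSSL::Digest.new(DIGEST))
  crl
end

# What a verifier (a master, or a load balancer terminating SSL) does:
# it holds the CA certificate and optionally a CRL, never the CA key.
def trusted?(ca_cert, cert, crl: nil)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  if crl
    store.add_crl(crl)
    store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
  end
  store.verify(cert)
end

# Runs the scenario and returns each verification outcome.
def ca_change_demo
  old_ca = new_ca("demo-puppet-ca")
  regenerated_ca = new_ca("demo-puppet-ca") # same name, different key pair
  agent01 = issue(old_ca, "agent01.example.com", 2)
  agent02 = issue(old_ca, "agent02.example.com", 3)
  crl = crl_for(old_ca, [agent01.serial])
  {
    signed_by_current_ca: trusted?(old_ca[:cert], agent01),
    after_ca_regenerated: trusted?(regenerated_ca[:cert], agent01),
    revoked_agent_with_crl: trusted?(old_ca[:cert], agent01, crl: crl),
    other_agent_with_crl: trusted?(old_ca[:cert], agent02, crl: crl)
  }
end

puts ca_change_demo.inspect if __FILE__ == $PROGRAM_NAME
```

A verifier that never loads the CRL still accepts the revoked certificate, so the CRL has to be redistributed to every verifying endpoint whenever a certificate is revoked.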
[Puppet Users] Facter & Puppet disagree on RHEL 6?
I've run into an odd one on one of my new RHEL 6 boxes. Puppet and Facter seem to disagree about the value of a fact.

Puppet version: 2.7.9
Facter version: 1.6.4
Module: puppetlabs-apache

apache::params falls through its if structure:

    if $::osfamily == 'redhat' or $::operatingsystem == 'amazon' {
      ...
    } elsif $::osfamily == 'debian' {
      ...
    } else {
      fail("Class['apache::params']: Unsupported operatingsystem: $::operatingsystem or osfamily: $::osfamily")
    }

The module returns the following error:

    Error 400 on SERVER: Class['apache::params']: Unsupported operatingsystem: RedHat or osfamily: Linux

Facter, however, seems to think osfamily is 'RedHat' as it should be:

    facter -p osfamily
    RedHat

It's very strange. Have any of you seen this one before?
[Puppet Users] Introducing Puppet Armatures
Hi, I'm very happy to introduce a new project to improve collaboration and design in the Puppet ecosystem: Puppet Armatures. It's a process based on the JEP and PEP frameworks for Java and Python enhancements (respectively). It uses github workflows to iterate on proposed changes early in the design process, publicise the proposals widely, and incorporate feedback quickly; the goal is that once it's time to write code, the design is fully specified and therefore the change will be quicker to merge, better documented, and easier to maintain. https://github.com/puppetlabs/armatures The process is itself an Armature, ARM-0, and it's open to feedback and iteration in the same way any of the actual proposals are. I hope we can work out a process together that's just enough structure to help things along, without imposing a heavy cost on people who want to contribute. (I'd like to call out for credit Henrik Lindberg's work on the structure and Michael Hall's suggestion for the name.) Eric Sorenson - eric.soren...@puppetlabs.com #puppet irc: eric0
Re: [Puppet Users] Facter & Puppet disagree on RHEL 6?
On Wednesday, February 20, 2013 5:08:27 PM UTC-8, LenR wrote:
> CaSe SenSitiVe? RedHat vs. redhat?

Puppet's == operator is case-insensitive.

http://docs.puppetlabs.com/puppet/3/reference/lang_expressions.html#equality

If it's a case issue, it's a horrible compatibility-breaking bug.
Re: [Puppet Users] Facter & Puppet disagree on RHEL 6?
I wasn't sure, too many different languages I guess for a test you could code it == RedHat, but we have a lot of RHEL 6 and I suspect would have hit this somewhere.

On Wed, Feb 20, 2013 at 7:12 PM, Nick Fagerlund nick.fagerl...@puppetlabs.com wrote:
> On Wednesday, February 20, 2013 5:08:27 PM UTC-8, LenR wrote:
>> CaSe SenSitiVe? RedHat vs. redhat?
> Puppet's == operator is case-insensitive.
> http://docs.puppetlabs.com/puppet/3/reference/lang_expressions.html#equality
> If it's a case issue, it's a horrible compatibility-breaking bug.
Re: [Puppet Users] Facter Puppet disagree on RHEL 6?
It's not that simple. Puppet thinks osfamily is 'Linux' whereas facter returns 'RedHat' at the command prompt.

On Feb 20, 2013 5:33 PM, Len Rugen lenru...@gmail.com wrote:
I wasn't sure, too many different languages I guess for a test you could code it == RedHat, but we have a lot of RHEL 6 and I suspect would have hit this somewhere.

On Wed, Feb 20, 2013 at 7:12 PM, Nick Fagerlund nick.fagerl...@puppetlabs.com wrote:
On Wednesday, February 20, 2013 5:08:27 PM UTC-8, LenR wrote:
CaSe SenSitiVe? RedHat vs. redhat?

Puppet's == operator is case-insensitive. http://docs.puppetlabs.com/puppet/3/reference/lang_expressions.html#equality

If it's a case issue, it's a horrible compatibility-breaking bug.
Re: [Puppet Users] automatically create nagios_hostgroup only when a member of a group comes up
On 20 February 2013 21:39, Sans r.santanu@gmail.com wrote:
Hi Pete, how you doing?

You will get duplication if you declare a nagioshost_group with the same name on more than one node... I think you may be missing the point of nagios_hostgroup. It is for declaring a hostgroup in nagios not setting the nagios hostgroup for a node.

Yes, I know that I'll get duplication error for obvious reason and that's the whole reason for asking this Q. I know what the hostgroup is for (using Nagios for a while now) and I'm not trying to set up hostgroup for a node. Perhaps I wasn't clear with my question.

Ok sorry for my confusion.

I am guessing you are trying to add a node to a hostgroup? You will need to add a hostgroups parameter to your nagios_host declaration and set the hostgroup for the node there.

No - I'm not trying to add a node to hostgroup but I was trying to figure out a way to declare a hostgroup only after at least one member of that particular comes online. Suppose, I've three nodes - N1, N2, N3 and two hostgroups - HG1 and HG2. N1 (which is Nagios-server) is being in HG1 and N2 N3 in HG2.

Yep I get you now. You could possibly check if it's defined before redefining it. If it wasn't an exported resource it might be easier but not sure how to achieve that when realizing exported resources. Tags may help.

I just put my hostgroup definitions in a separate class and then set the hostgroups on each host. I do end up with empty ones that way though. I am also reasonably sure you can have empty hostgroups in nagios...

Yes you can (overlooked that point, really) until a service (nagios_service type) is defined. I think, my actual question would be, how can I query if a host with certain name (property) is up and only include that service if the node count is at least one or more. I think I can export some sort of resource from a given host and collect it on the master (my Nagios server is co-located with Puppet master)? Any idea what might be the best possible way of doing that? cheers!!

You may have to resort to querying puppetdb if you use it or your config store database (puppetdb is easier to query from what I have seen). I haven't needed to do anything like that but I have seen mention of at least one tool for doing puppetdb queries posted on the list.

Good luck!

Pete.
[Puppet Users] Re: Puppet 3 upgrade issue with auth.conf and fileserver.conf
I've found the root cause and the solution to this problem. I was using puppetlabs' puppet modules to set up puppet agent and puppet master. The whole setup puppetized the entire rack folder which contains config.ru. The config.ru from the puppet module is the root cause as it does not match the new config.ru which is used by puppet 3.

### Puppet 2.7.x config.ru

    # a config.ru, for use with every rack-compatible webserver.
    # SSL needs to be handled outside this, though.

    # if puppet is not in your RUBYLIB:
    # $:.unshift('/opt/puppet/lib')

    $0 = "master"

    # if you want debugging:
    # ARGV << "--debug"

    ARGV << "--rack"
    require 'puppet/application/master'
    # we're usually running inside a Rack::Builder.new {} block,
    # therefore we need to call run *here*.
    run Puppet::Application[:master].run

### Puppet 3 config.ru

    # a config.ru, for use with every rack-compatible webserver.
    # SSL needs to be handled outside this, though.

    # if puppet is not in your RUBYLIB:
    # $LOAD_PATH.unshift('/opt/puppet/lib')

    $0 = "master"

    # if you want debugging:
    # ARGV << "--debug"

    ARGV << "--rack"

    # Rack applications typically don't start as root. Set --confdir and --vardir
    # to prevent reading configuration from ~puppet/.puppet/puppet.conf and writing
    # to ~puppet/.puppet
    ARGV << "--confdir" << "/etc/puppet"
    ARGV << "--vardir" << "/var/lib/puppet"

    # NOTE: it's unfortunate that we have to use the CommandLine class
    # here to launch the app, but it contains some initialization logic
    # (such as triggering the parsing of the config file) that is very
    # important. We should do something less nasty here when we've
    # gotten our API and settings initialization logic cleaned up.
    #
    # Also note that the $0 = "master" line up near the top here is
    # the magic that allows the CommandLine class to know that it's
    # supposed to be running master.
    #
    # --cprice 2012-05-22

    require 'puppet/util/command_line'
    # we're usually running inside a Rack::Builder.new {} block,
    # therefore we need to call run *here*.
    run Puppet::Util::CommandLine.new.execute

Changing the config.ru resolved all my problems above.
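A check for the stale-config.ru condition described in the post above, as an added example that is not part of the original message or of the puppetlabs modules. It classifies a config.ru by its launcher line and verifies that --confdir and --vardir are pushed onto ARGV; the function names are assumptions made for this example, and the path to the file is supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the original post): detect a Puppet 2.7-style
# config.ru left in place after an upgrade to Puppet 3.

# Print the file without comment-only and blank lines, so commented-out
# hints such as '# ARGV << "--debug"' cannot influence the result.
active_lines() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# Echo "puppet3", "puppet2.7" or "unknown" depending on the launcher line.
config_ru_flavor() {
    if active_lines "$1" | grep -qF 'Puppet::Util::CommandLine.new.execute'; then
        echo puppet3
    elif active_lines "$1" | grep -qF 'Puppet::Application[:master].run'; then
        echo puppet2.7
    else
        echo unknown
    fi
}

# Echo the long options pushed onto ARGV, one per line (e.g. "--confdir").
argv_options() {
    active_lines "$1" | grep '^[[:space:]]*ARGV' | grep -o -e '--[a-z]*'
}

# Return 0 only if the file uses the Puppet 3 launcher AND pins both the
# configuration and the var directory; otherwise explain and return 1.
check_config_ru() {
    f=$1
    flavor=$(config_ru_flavor "$f")
    if [ "$flavor" != puppet3 ]; then
        echo "$f: launcher is '$flavor', expected puppet3"
        return 1
    fi
    for opt in --confdir --vardir; do
        if ! argv_options "$f" | grep -qx -e "$opt"; then
            echo "$f: ARGV does not set $opt"
            return 1
        fi
    done
    echo "$f: ok"
}

# Usage: sh check_config_ru.sh /path/to/config.ru
if [ $# -gt 0 ]; then
    check_config_ru "$1"
fi
```

Running it from the same automation that manages the rack folder catches the case where a module rewrites config.ru with the older launcher.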
Re: [Puppet Users] Multiple Puppet agents on one node?
On 21 February 2013 06:34, Michael Hüttermann mich...@huettermann.net wrote:
I'm just curious if this is possible, technically. Is it?

It is theoretically possible but like I said last time it isn't a good idea at all.

On Wednesday, February 20, 2013 6:33:06 PM UTC+1, Ygor wrote:
I will ask the obvious: Why do you want to do this ?

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.” Bill Waterson (Calvin Hobbes)

--
*From: *Michael Hüttermann mic...@huettermann.net
*To: *puppet...@googlegroups.com
*Sent: *Wednesday, February 20, 2013 12:22:55 PM
*Subject: *[Puppet Users] Multiple Puppet agents on one node?

Hello, can I run two different Puppet agents on one node listening to two different Masters? Thank you for your help. Best regards Michael
Re: [Puppet Users] Re: AWS OpsWorks announcement using Chef
Great. The company I work for is both a large AWS customer and user of puppet. Very interested in how this progresses.

-jim

On Wednesday, 20 February 2013 18:40:54 UTC+11, James Turnbull wrote:
Vaidas Jablonskis wrote:
It makes sense for Amazon to go with something like Chef, because it is more cloud oriented and it's easier to hack something up just to get it up and running quicker. Chef is more like shell scripting on steroids I would say, at least, that's how many people use it.

We're going to be talking to AWS about adding Puppet support to OpsWorks soon. It is our understanding from them that this is based on an acquisition they made of a Chef-based solution rather than an endorsement of Chef. More news when we have it!

Thanks James

--
James Turnbull 1-503-734-8571
To schedule a meeting with me: http://doodle.com/jamtur01
Re: [Puppet Users] Re: AWS OpsWorks announcement using Chef
I hope so, successful James.. I also have many AWS nodes.

On Thu, Feb 21, 2013 at 11:44 AM, jim watts jim.wa...@gmail.com wrote:
Great. The company I work for is both a large AWS customer and user of puppet. Very interested in how this progresses.

-jim

On Wednesday, 20 February 2013 18:40:54 UTC+11, James Turnbull wrote:
Vaidas Jablonskis wrote:
It makes sense for Amazon to go with something like Chef, because it is more cloud oriented and it's easier to hack something up just to get it up and running quicker. Chef is more like shell scripting on steroids I would say, at least, that's how many people use it.

We're going to be talking to AWS about adding Puppet support to OpsWorks soon. It is our understanding from them that this is based on an acquisition they made of a Chef-based solution rather than an endorsement of Chef. More news when we have it!

Thanks James

--
James Turnbull 1-503-734-8571
To schedule a meeting with me: http://doodle.com/jamtur01
[Puppet Users] Re: Issue when installing puppet-server in RHEL 6.
cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.2 (Santiago)

On Feb 19, 11:53 pm, Moses Mendoza mo...@puppetlabs.com wrote:
On Tue, Feb 19, 2013 at 2:38 AM, DreamBig rajeev.n.i...@gmail.com wrote:
Hi,

Following is the issue:

puppet.repo:

    [puppetlabs]
    name=Puppet Labs Packages
    baseurl=http://yum.puppetlabs.com/el/$releasever/products/$basearch/
    enabled=1
    gpgcheck=1
    gpgkey=http://yum.puppetlabs.com/RPM-GPG-KEY-puppetlabs

uname -a

    Linux rniyer-linux 2.6.32-220.el6.x86_64 #1 SMP Wed Nov 9 08:03:13 EST 2011 x86_64 x86_64 x86_64 GNU/Linux

$ yum install puppet-server

    Loaded plugins: product-id, refresh-packagekit, rhnplugin, security, subscription-manager
    Updating certificate-based repositories.
    puppetlabs | 1.9 kB 00:00
    Not using downloaded repomd.xml because it is older than what we have:
    Current : Thu Feb 14 12:17:53 2013
    Downloaded: Thu Feb 14 12:17:10 2013
    Setting up Install Process
    Resolving Dependencies
    -- Running transaction check
    --- Package puppet-server.noarch 0:3.1.0-1.el5 will be installed
    -- Processing Dependency: puppet = 3.1.0-1.el5 for package: puppet-server-3.1.0-1.el5.noarch
    -- Running transaction check
    --- Package puppet.noarch 0:3.1.0-1.el5 will be installed
    -- Processing Dependency: ruby-augeas for package: puppet-3.1.0-1.el5.noarch
    -- Processing Dependency: ruby-shadow for package: puppet-3.1.0-1.el5.noarch
    -- Running transaction check
    --- Package ruby-augeas.x86_64 0:0.4.1-1.el6 will be installed
    --- Package ruby-shadow.x86_64 0:1.4.1-13.el6 will be installed
    -- Finished Dependency Resolution
    Dependencies Resolved
    =
    Package Arch Version Repository Size
    =
    Installing:
    puppet-server noarch 3.1.0-1.el5 puppetlabs 23 k
    Installing for dependencies:
    puppet noarch 3.1.0-1.el5 puppetlabs 957 k
    ruby-augeas x86_64 0.4.1-1.el6 aegisco 21 k
    ruby-shadow x86_64 1.4.1-13.el6 aegisco 11 k
    Transaction Summary
    =
    Install 4 Package(s)
    Total size: 1.0 M
    Total download size: 980 k
    Installed size: 2.8 M
    Is this ok [y/N]:

If you notice, it is picking the version 3.1.0-1.el5 when it should be picking 3.1.0-1.el6

How can I install using rpm instead of yum?

Your issue is pointing to an oddity in your yum config. The puppet.repo file is using $releasever to determine the correct repo path. $releasever is determined by yum by checking the version of the package that provides `redhat-release`, unless you've overridden it in yum.conf. In your case, yum appears to think you're on an el 5 box. What distro/version are you running? What are the contents of /etc/redhat-release ?
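The mismatch reported in this thread (el5 packages resolved on a host whose /etc/redhat-release says 6.2) can be detected before answering the install prompt. The following is an added example, not part of the original messages: it compares the dist tag of every package in a yum resolution listing with the host's major release, using the release string and package lines quoted in the thread as sample input; the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): flag packages in a yum
# dependency-resolution listing whose dist tag (.elN) does not match the
# major release of the host.

# Read /etc/redhat-release style text on stdin and print the major version,
# e.g. "Red Hat Enterprise Linux Server release 6.2 (Santiago)" -> 6
release_major() {
    sed -n 's/.* release \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Read yum output on stdin; print "name.arch version-release" for every
# "Package ... will be installed" line whose dist tag is not el$1.
# Works with "--->" and with the arrow-less "---" seen in mail archives.
mismatched_packages() {
    awk -v want="el$1" '
        $2 == "Package" && /will be (installed|updated)/ {
            ver = $4
            sub(/^[0-9]+:/, "", ver)              # drop the epoch
            if (match(ver, /\.el[0-9]+/)) {
                tag = substr(ver, RSTART + 1, RLENGTH - 1)
                if (tag != want) print $3, ver
            }
        }'
}

# Sample input: the release string and package lines quoted in the thread.
sample_release='Red Hat Enterprise Linux Server release 6.2 (Santiago)'
sample_yum_output() {
    cat <<'EOF'
-- Running transaction check
--- Package puppet-server.noarch 0:3.1.0-1.el5 will be installed
-- Processing Dependency: puppet = 3.1.0-1.el5 for package: puppet-server-3.1.0-1.el5.noarch
--- Package puppet.noarch 0:3.1.0-1.el5 will be installed
--- Package ruby-augeas.x86_64 0:0.4.1-1.el6 will be installed
--- Package ruby-shadow.x86_64 0:1.4.1-13.el6 will be installed
EOF
}

major=$(printf '%s\n' "$sample_release" | release_major)
echo "host major release: $major; packages with a different dist tag:"
sample_yum_output | mismatched_packages "$major"
```

On a live host the same functions take `release_major < /etc/redhat-release` and the saved output of the yum run as input.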