[Puppet Users] Is anyone using puppetlabs-firewall with IPv6?
Hi all,

I'm cleaning up some puppet manifests, and thought it would be a good opportunity to move from my own monolithic iptables/ip6tables modules to the official puppetlabs-firewall module.

But... what's the deal with IPv6?

My first concern was that there is no easy way to have simple rules be applied to both iptables and ip6tables. Fair enough, I just wrote a simple wrapper to duplicate rules and that works.

But then... ip6tables rules aren't purged. Ouch.
https://github.com/puppetlabs/puppetlabs-firewall/issues/168

Isn't anyone using that module with ip6tables? Is there some option or trivial workaround I'm missing?

Matthias

--
Matthias Saou
Web: http://matthias.saou.eu/
Mail/XMPP: matth...@saou.eu
GPG: 4096R/E755CC63 8D91 7E2E F048 9C9C 46AF 21A9 7A51 7B82 E755 CC63

--
You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users. For more options, visit https://groups.google.com/groups/opt_out.
Re: [Puppet Users] exec is stripping % in the string.
Hi,

the most robust way to have puppet execute complex commands is to have puppet deploy a trivial script comprising the command, then execute the script sans arguments.

HTH,
Felix

On 10/03/2013 12:27 AM, Jason Greathouse wrote:

I'm trying to pass a url to an exec and at some point all the % characters are being stripped out of the string.

Here's my init.pp:

    service { 'apache2':
      ensure => running,
      enable => true,
      notify => Exec['AWSwait']
    }

    file { '/mnt/WaitResponse.json':
      ensure => file,
      owner  => 'root',
      group  => 'root',
      mode   => '0644',
      source => 'puppet:///modules/api/WaitResponse.json'
    }

    exec { "/usr/bin/curl -T /mnt/WaitResponse.json \"${::mt_wait}\"":
      onlyif  => '/usr/bin/wget -q -O /mnt/favicon.ico http://localhost/favicon.ico',
      creates => '/mnt/favicon.ico',
      alias   => 'AWSwait',
      require => File['/mnt/WaitResponse.json']
    }

::mt_wait is being generated by a custom facter script:

    # facter mt_wait
    https://cloudformation-waitcondition-us-east-1.s3.amazonaws.com/arn%3Aaws%3Acloudformation%3Aus-east-1%3A106261427813%3Astack/api-qa-puppet-7/e9e86e20-2bac-11e3-8a8b-50e2416294a8/WaitHandle?Expires=1380837161AWSAccessKeyId=Signature=XX

The Scheduling refresh looks correct:

    puppet-agent[5779]: (/Stage[main]/Api/Service[apache2]) Scheduling refresh of Exec[/usr/bin/curl -T /mnt/WaitResponse.json https://cloudformation-waitcondition-us-east-1.s3.amazonaws.com/arn%3Aaws%3Acloudformation%3Aus-east-1%3A106261427813%3Astack/api-qa-puppet-7/e9e86e20-2bac-11e3-8a8b-50e2416294a8/WaitHandle?Expires=1380837161AWSAccessKeyId=Signature=XXX;]

But when the Exec Refresh runs, the % are missing:

    puppet-agent[5779]: (/Stage[main]/Api/Exec[/usr/bin/curl -T /mnt/WaitResponse.json https://cloudformation-waitcondition-us-east-1.s3.amazonaws.com/arn3Aaws3Acloudformation3Aus-east-13A1062614278133Astack/api-qa-puppet-7/e9e86e20-2bac-11e3-8a8b-50e2416294a8/WaitHandle?Expires=1380837161AWSAccessKeyId=Signature=XX;]) Triggered 'refresh' from 1 events

Is there a better way to pass the variable to exec than a double-quote or some way to escape the %?

Thanks,
-Jason
Re: [Puppet Users] Re: [windows server 2008 r2] puppet errors in 3.3.0 on exchange database servers
Hi Rob,

I just applied the changes to the windows.rb file. The catalog run finished as usual.

Thank you ;-)

On Thu, Oct 3, 2013 at 8:47 PM, Rob Reynolds r...@puppetlabs.com wrote:

This verifies for us that this is a gating issue. Would you feel comfortable helping us verify that we've fixed this issue for you?
https://github.com/ferventcoder/facter/blob/874a5a96ac5fa778c50f1e93424850022b1756cf/lib/facter/util/ip/windows.rb#L46-L47

On Thu, Oct 3, 2013 at 1:42 PM, Christian Koep dert...@gmail.com wrote:

Yes, that's all I got from *facter --trace --debug*

On Thu, Oct 3, 2013 at 8:41 PM, Rob Reynolds r...@puppetlabs.com wrote:

Was this the entire log (minus anything you feel sensitive)?

On Thu, Oct 3, 2013 at 1:15 PM, cko dert...@gmail.com wrote:

https://gist.github.com/anonymous/6814400

On Thursday, October 3, 2013 5:23:05 PM UTC+2, Rob Reynolds wrote:

You should be able to run facter --trace --debug

On Wed, Oct 2, 2013 at 5:18 PM, cko der...@gmail.com wrote:

Hi Ethan, what's the exact command that I would have to use?

On Wednesday, October 2, 2013 11:35:29 PM UTC+2, Ethan Brown wrote:

Christian - I'm doing the final verification of our fix, and was hoping that I could get the output from Facter run by itself?

On Fri, Sep 20, 2013 at 1:36 PM, Rob Reynolds r...@puppetlabs.com wrote:

I would say with all of this in mind we move forward with a fix where we look to see that the network adapter itself is also enabled. This is laid out in the ticket that I noted earlier.

On Fri, Sep 20, 2013 at 7:44 AM, Rich Siegel rism...@gmail.com wrote:

Exchange DAG is essentially a cluster and the adapter in question the dag ip. My guess is the logic for adapters should be modded for when netconnectionid is not null. In general don't try to mess with hidden adapters on dags unless you understand ramifications.
[Puppet Users] ReportEvent() failed: The parameter is incorrect. Error
I'm getting this error on a windows server when it's trying to compare 2 files using gnuwin32 diff.exe.

Debug: Executing 'C:\GnuWin32\bin\diff -u d:/AICS.CLAIMS.new/ASPX/App.config C:/Users/BSTEPH~1/AppData/Local/Temp/2/puppet-file20131003-4508-11k0jfs'
Error: /Stage[main]/Claims/File[d:/AICS.CLAIMS.new/ASPX/App.config]: Could not evaluate: ReportEvent() failed: The parameter is incorrect.

However, when I try it comparing to a backup copy of the file, the diff is executing correctly:

C:\Program Files (x86)\Puppet Labs\Puppet\bin>C:\GnuWin32\bin\diff -u d:/AICS.CLAIMS.new/ASPX/App.config d:/AICS.CLAIMS/ASPX/App.config
--- d:/AICS.CLAIMS.new/ASPX/App.config 2013-10-03 14:06:15.400645000 -0500 +++ d:/AICS.CLAIMS/ASPX/App.config 2013-10-01 01:21:56.0 -0500 @@ -1,4 +1,4 @@ - +?xml version=1.0? configuration xmlns=http://schemas.microsoft.com/.NetConfiguration/v2.0; configSections section name=AICS.AppSettings type=AICS.ARCHITECTURE.SERVICES.CONFIGURA TION.AICSConfigurationHandler,AICS.ARCHITECTURE.SERVICES/

Any ideas what the issue might be?
[Puppet Users] Puppet dashboard stuck pending jobs - MySql Error: Incorrect string value
Hi, I have had issues with stuck pending jobs on my puppet dashboard. Here is the error message from my delayed_job.log file in /usr/share/puppet-dashboard/log directory.

Report.create_from_yaml_file failed with ActiveRecord::StatementInvalid: Mysql::Error: Incorrect string value: '\x96 $bas...' for column 'details' at row 1: INSERT INTO `delayed_job_failures`

Has anyone encountered this error before?
Re: [Puppet Users] Re: [windows server 2008 r2] puppet errors in 3.3.0 on exchange database servers
Christian -

Thanks a bunch for taking the time out to verify this.

While we believed our fix was correct, I was trying to replicate your network configuration internally to be absolutely certain. I was having difficulty getting the virtual machines configured properly with respect to the 'Microsoft Failover Cluster Virtual Adapter', so it's fantastic to hear that you were able to verify this directly in your environment.

On Fri, Oct 4, 2013 at 6:00 AM, Christian Koep dert...@gmail.com wrote:

Hi Rob,

I just applied the changes to the windows.rb file. The catalog run finished as usual.

Thank you ;-)

On Thu, Oct 3, 2013 at 8:47 PM, Rob Reynolds r...@puppetlabs.com wrote:

This verifies for us that this is a gating issue. Would you feel comfortable helping us verify that we've fixed this issue for you?
https://github.com/ferventcoder/facter/blob/874a5a96ac5fa778c50f1e93424850022b1756cf/lib/facter/util/ip/windows.rb#L46-L47

On Thu, Oct 3, 2013 at 1:42 PM, Christian Koep dert...@gmail.com wrote:

Yes, that's all I got from *facter --trace --debug*

On Thu, Oct 3, 2013 at 8:41 PM, Rob Reynolds r...@puppetlabs.com wrote:

Was this the entire log (minus anything you feel sensitive)?

On Thu, Oct 3, 2013 at 1:15 PM, cko dert...@gmail.com wrote:

https://gist.github.com/anonymous/6814400

On Thursday, October 3, 2013 5:23:05 PM UTC+2, Rob Reynolds wrote:

You should be able to run facter --trace --debug

On Wed, Oct 2, 2013 at 5:18 PM, cko der...@gmail.com wrote:

Hi Ethan, what's the exact command that I would have to use?

On Wednesday, October 2, 2013 11:35:29 PM UTC+2, Ethan Brown wrote:

Christian - I'm doing the final verification of our fix, and was hoping that I could get the output from Facter run by itself?

On Fri, Sep 20, 2013 at 1:36 PM, Rob Reynolds r...@puppetlabs.com wrote:

I would say with all of this in mind we move forward with a fix where we look to see that the network adapter itself is also enabled. This is laid out in the ticket that I noted earlier.

On Fri, Sep 20, 2013 at 7:44 AM, Rich Siegel rism...@gmail.com wrote:

Exchange DAG is essentially a cluster and the adapter in question the dag ip. My guess is the logic for adapters should be modded for when netconnectionid is not null. In general don't try to mess with hidden adapters on dags unless you understand ramifications.
[Puppet Users] puppet RHEL4
Hi all,

We are still running a few dozen RHEL4 within our Datacenter and I'd like to install a puppet agent to at least collect some inventory (facter) and do a little bit of configuration management.

The only puppet agent I managed to find for el4 is 0.22.4 (quite old), which we installed with a facter 1.6.4 and a ruby 1.8.7.72.

At first we had issues with requires until we exported a RUBYLIB variable to indicate where to find all ruby libraries (/usr/lib/site_ruby/1.8/). Currently, there is no more error at start, but the process still does not run ...

Any idea?

Regards
Re: [Puppet Users] onlyif return code
Hello Mike,

thanks a lot, file_line works great! I don't remember why I don't use file_line for such things.

Björn

On Thursday, October 3, 2013 2:35:46 AM UTC+2, Mike Delaney wrote:

On Wed, Oct 2, 2013 at 4:15 AM, Björn bbecke...@googlemail.com wrote:

    exec{'ensure password policy for pci':
      cwd     => '/bin/',
      command => "/bin/sed -i 's/^password.*cracklib.so.*/password requisite pam_cracklib.so retry=3 minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1/g' $pam_password",
      path    => "/usr/bin:/usr/sbin:/bin",
      onlyif  => "grep '^password.*cracklib.so.*' $pam_password",
      require => Package[$cracklib],
    }

    exec{'ensure password policy for pci when nothing is present':
      cwd     => '/bin/',
      command => "echo 'password    requisite pam_cracklib.so retry=3 minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1' >> $pam_password",
      path    => "/usr/bin:/usr/sbin:/bin",
      onlyif  => "grep -vq '^password.*cracklib.so.*' $pam_password",
      require => Package[$cracklib],
    }
    }

My problem are the exec commands. With the first exec I try to change an existing line with sed. With the second exec I try to add the rule if no line with password.*cracklib is existing. Unfortunately, this exec runs when the return code of onlyif is 0. I don't know a command which returns 0 when the line isn't available and returns 1 when the line is available.

Maybe I'm thinking too complicated? Do you have another solution?

Off the top of my head, I can't think of a way to invert grep's exit status like you want (at least not a way that will work in an onlyif), however the use of two execs to modify a file is probably not the ideal solution. Indeed, once the cracklib entry is present in the file, that first exec will fire every time puppet runs, which is probably not what you want either.

If you don't want to manage the entire file, you could use either the native augeas type or the file_line type from the stdlib module to accomplish what you want (file_line is probably easier):

    file_line { 'ensure password policy for pci':
      path  => $pam_password,
      match => '^password.*cracklib\.so',
      line  => 'password    requisite pam_cracklib.so retry=3 minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1'
    }

-Mike
[Puppet Users] Re: onlyif return code
Unless was also a good hint! But my sed solution was running every time puppet agent runs. So I use file_line now.

Thanks!

On Wednesday, October 2, 2013 1:15:53 PM UTC+2, Björn wrote:

Hello,

I try to ensure our password policies using /etc/login.defs and PAM cracklib.

    class pci_policy::password(
      $cracklib     = $pci_policy::params::cracklib,
      $pam_password = $pci_policy::params::pam_password,
    ) inherits pci_policy::params {

      package{$cracklib:
        ensure => installed,
      }

      file{'/etc/login.defs':
        ensure  => present,
        owner   => root,
        group   => root,
        mode    => 0644,
        source  => "puppet:///modules/pci_policy/login.defs.$::operatingsystem",
        require => Package[$cracklib],
      }

      exec{'ensure password policy for pci':
        cwd     => '/bin/',
        command => "/bin/sed -i 's/^password.*cracklib.so.*/password requisite pam_cracklib.so retry=3 minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1/g' $pam_password",
        path    => "/usr/bin:/usr/sbin:/bin",
        onlyif  => "grep '^password.*cracklib.so.*' $pam_password",
        require => Package[$cracklib],
      }

      exec{'ensure password policy for pci when nothing is present':
        cwd     => '/bin/',
        command => "echo 'password    requisite pam_cracklib.so retry=3 minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1' >> $pam_password",
        path    => "/usr/bin:/usr/sbin:/bin",
        onlyif  => "grep -vq '^password.*cracklib.so.*' $pam_password",
        require => Package[$cracklib],
      }
    }

My problem are the exec commands. With the first exec I try to change an existing line with sed. With the second exec I try to add the rule if no line with password.*cracklib is existing. Unfortunately, this exec runs when the return code of onlyif is 0. I don't know a command which returns 0 when the line isn't available and returns 1 when the line is available.

Maybe I'm thinking too complicated? Do you have another solution?

Thanks a lot!

Björn
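Added example, not from the thread (shell; function names are hypothetical and the PAM file content is constructed): why the `grep -vq` onlyif in the second exec fires even when the cracklib line is present, the negated test that behaves as intended, and an ensure-this-line operation that changes the file at most once, which is the behaviour file_line was recommended for.

```shell
#!/bin/sh
# Added example, not code from the thread. File contents are constructed.

PATTERN='^password.*cracklib\.so'
LINE='password    requisite pam_cracklib.so retry=3 minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1'

# grep -v selects the NON-matching lines, so -vq exits 0 as soon as the
# file contains any other line. It does not mean "pattern is absent".
naive_absent() {      # mirrors the onlyif of the second exec
    grep -vq "$PATTERN" "$1"
}

# Negating grep's exit status is the real "pattern is absent" test.
# In Puppet terms: put the plain grep -q into `unless` rather than `onlyif`.
really_absent() {
    ! grep -q "$PATTERN" "$1"
}

# Ensure the policy line: replace a matching line, or append it once.
# Returns 0 when the file was changed, 1 when it was already compliant.
ensure_line() {
    file=$1
    if grep -qxF -- "$LINE" "$file"; then
        return 1                      # exact line already there: no change
    fi
    tmp=$(mktemp) || return 2
    if grep -q "$PATTERN" "$file"; then
        # ENVIRON avoids awk's escape processing of -v assignments
        PATTERN="$PATTERN" LINE="$LINE" awk \
            '$0 ~ ENVIRON["PATTERN"] { print ENVIRON["LINE"]; next } { print }' \
            "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s\n' "$LINE" >> "$tmp"
    fi
    cat "$tmp" > "$file"              # keep the target's owner and mode
    rm -f "$tmp"
    return 0
}

# Demonstration on a constructed file.
demo=$(mktemp)
printf '%s\n' 'auth required pam_unix.so' \
              'password requisite pam_cracklib.so retry=3' > "$demo"
if naive_absent "$demo"; then
    echo "grep -vq exits 0 although a cracklib line is present"
fi
if ! really_absent "$demo"; then
    echo "! grep -q exits 1: the line is present"
fi
if ensure_line "$demo"; then echo "first run: file changed"; fi
if ! ensure_line "$demo"; then echo "second run: nothing to do"; fi
rm -f "$demo"
```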
[Puppet Users] Converting augeas snippet to puppet augeas resource
(apologies in advance for the line wrap)

I have the following tidbit of augeas code, which inserts a rule into /etc/sysconfig/iptables as the first rule of a specifically named chain;

    # augtool> insert append before /files/etc/sysconfig/iptables/table/append[. = 'Mayo-Firewall-INPUT'][1]
    # augtool> match /files/etc/sysconfig/iptables/table/append[. = '']
    # /files/etc/sysconfig/iptables/table/append[8] = (none)
    # augtool> set /files/etc/sysconfig/iptables/table/append[. = ''] 'Mayo-Firewall-INPUT'
    # augtool> set /files/etc/sysconfig/iptables/table/append[. = 'Mayo-Firewall-INPUT'][1]/protocol 'tcp'
    # augtool> set /files/etc/sysconfig/iptables/table/append[. = 'Mayo-Firewall-INPUT'][1]/match 'tcp'
    # augtool> set /files/etc/sysconfig/iptables/table/append[. = 'Mayo-Firewall-INPUT'][1]/dport '3'
    # augtool> set /files/etc/sysconfig/iptables/table/append[. = 'Mayo-Firewall-INPUT'][1]/jump 'ACCEPT'
    # augtool> print /files/etc/sysconfig/iptables/table/append[. = 'Mayo-Firewall-INPUT'][1]
    # /files/etc/sysconfig/iptables/table/append[8] = Mayo-Firewall-INPUT
    # /files/etc/sysconfig/iptables/table/append[8]/dport = 3
    # /files/etc/sysconfig/iptables/table/append[8]/match = tcp
    # /files/etc/sysconfig/iptables/table/append[8]/protocol = tcp
    # /files/etc/sysconfig/iptables/table/append[8]/jump = ACCEPT

I'd like to convert this to a puppet augeas define. So far, I've got this:

    define mayo_firewall_insert ($dport, $proto) {
      augeas { "firewall_${title}":
        context => "/files/etc/sysconfig/iptables/table",
        # incl => "/etc/sysconfig/iptables",
        # lens => "iptables.aug",
        onlyif  => "match append[dport='$dport'] size != 0",
        changes => [
          "insert append before append[. = 'Mayo-Firewall-INPUT'][1]",
          "set append[. = ''] 'Mayo-Firewall-INPUT'",
          "set append[. = 'Mayo-Firewall-INPUT'][1]/protocol '$proto'",
          "set append[. = 'Mayo-Firewall-INPUT'][1]/match '$proto'",
          "set append[. = 'Mayo-Firewall-INPUT'][1]/dport '$dport'",
          "set append[. = 'Mayo-Firewall-INPUT'][1]/jump 'ACCEPT'",
        ],
      }
    }

However, when I declare a resource using the above define, I get augeas syntax errors, and I'm not sure how to track down the problem:

(invoked as 'puppet apply --verbose --debug --detailed-exitcodes --execute include omnibus_node')

    ...
    Debug: Augeas[firewall_omnibus_tcp_4100](provider=augeas): Opening augeas with root /, lens path , flags 32
    Debug: Augeas[firewall_omnibus_tcp_4100](provider=augeas): Augeas version 1.1.0 is installed
    Warning: Augeas[firewall_omnibus_tcp_4100](provider=augeas): Loading failed for one or more files, see debug for /augeas//error output
    Debug: Augeas[firewall_omnibus_tcp_4100](provider=augeas): /augeas/files/etc/sysconfig/iptables.save/error/pos = 115
    Debug: Augeas[firewall_omnibus_tcp_4100](provider=augeas): /augeas/files/etc/sysconfig/iptables.save/error/line = 3
    Debug: Augeas[firewall_omnibus_tcp_4100](provider=augeas): /augeas/files/etc/sysconfig/iptables.save/error/char = 0
    Debug: Augeas[firewall_omnibus_tcp_4100](provider=augeas): /augeas/files/etc/sysconfig/iptables.save/error/lens = /shares/nfs/unixarch/share/augeas/lenses/dist/shellvars.aug:163.12-.99:
    Debug: Augeas[firewall_omnibus_tcp_4100](provider=augeas): /augeas/files/etc/sysconfig/iptables.save/error/message = Syntax error
    Debug: Augeas[firewall_omnibus_tcp_4100](provider=augeas): /augeas/files/etc/sysconfig/iptables.orig/error/pos = 64
    Debug: Augeas[firewall_omnibus_tcp_4100](provider=augeas): /augeas/files/etc/sysconfig/iptables.orig/error/line = 2
    Debug: Augeas[firewall_omnibus_tcp_4100](provider=augeas): /augeas/files/etc/sysconfig/iptables.orig/error/char = 0
    Debug: Augeas[firewall_omnibus_tcp_4100](provider=augeas): /augeas/files/etc/sysconfig/iptables.orig/error/lens = /shares/nfs/unixarch/share/augeas/lenses/dist/shellvars.aug:163.12-.99:
    Debug: Augeas[firewall_omnibus_tcp_4100](provider=augeas): /augeas/files/etc/sysconfig/iptables.orig/error/message = Syntax error
    Debug: Augeas[firewall_omnibus_tcp_4100](provider=augeas): Closed the augeas connection
    ...

I'm guessing the augeas tree isn't what I think it is by the time it goes to save, but there doesn't appear to be a way to invoke 'print' or some other, similar augeas command, so I can't tell.

Can anyone please advise how I might debug this?

Thanks,
-- Pat
Re: [Puppet Users] Re: Still no nagios joy
On Thursday, October 3, 2013 10:48:10 AM UTC-5, David Thompson wrote:

On 10/3/13 9:07 AM, jcbollinger wrote:

So, puppet agent --test --environment production fails to create resources findable via REST (and in fact removes them if they're present), but puppet apply foo.pp (with foo.pp containing the statements above) makes them findable (and they show up in nagios_hosts.cfg on the nagios server).

With that, I'm ready to call bug. Nevertheless, I hope to be able to help you find a viable workaround, and perhaps to characterize the issue better.

though I don't expect using that form will change anything. I'm more interested, though, in the back end. That is, is puppetdb for some reason failing to serve up resources that are in fact recorded in the back-end DB, or are the resources either not making it to the DB in the first place, or are they being purged from the DB between being entered and being queried?

That's a very good question. I can certainly find catalog_resource and resource_params records that *look* like they contain appropriate Nagios_host resources, but the REST API says no, and if I run the actual sql query out of the postgres statement log, it says no. The sql query itself is complex enough to be beyond my db-mojo to understand why it's not finding any Nagios_host resources.

If there's any way you can provide the relevant data and query, I daresay someone around here -- maybe me -- will be able to figure out why the query doesn't return any rows. But that might be better deferred, as I think there may be another avenue to pursue first.

It looks like enlightenment lies in understanding the difference between the puppet agent and puppet apply runs.

Indeed so. You have or can create statement logs showing what happens when you use Puppet apply to export the Nagios_host resources such that they can later be found, and also showing what happens when the same resources are exported as part of catalog compilation. There must be some difference, hopefully more than the identity of the db client machine. That seems a logical place to look for clues.

John
[Puppet Users] Issue retrieving new certificate on host after original certificate was revoked
Folks --

I am attempting to retrieve a new certificate on a Puppet client whose certificate was revoked on the Puppet master. The original certificate was revoked using the command:

    # puppet cert --revoke el5-puptest-2.localdomain

I have deleted the /var/lib/puppet/ssl directory on the client, and issued the following command:

    # puppet agent --test --waitforcert=20

This produces the following result:

    [root@el5-puptest-3 ~]# puppet agent --test --waitforcert=20
    info: Creating a new SSL key for el5-puptest-3.localdomain
    info: Caching certificate for ca
    info: Creating a new SSL certificate request for el5-puptest-3.localdomain
    info: Certificate Request fingerprint (md5): 8E:F4:C6:25:17:7F:46:91:F6:D3:45:FB:F5:63:19:B4
    info: Caching certificate for el5-puptest-3.localdomain
    notice: Ignoring --listen on onetime run
    info: Retrieving plugin
    info: Caching certificate_revocation_list for ca
    err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': certificate verify failed
    err: /File[/var/lib/puppet/lib]: Could not evaluate: certificate verify failed Could not retrieve file metadata for puppet://rhel-vm-test-6a.ucc.vcu.edu/plugins: certificate verify failed
    err: Could not retrieve catalog from remote server: certificate verify failed
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run
    err: Could not send report: certificate verify failed

I read elsewhere that these issues could be due to the Puppet master being configured with Apache / Passenger, and that sometimes a restart of Apache on the master is needed to resolve the trouble. Despite issuing 'service httpd restart' on the Puppet master server, I'm still getting the above output. Both the Puppet agent and Puppet master are ver. 2.6.18-3.el6 (from EPEL).

Any assistance is greatly needed and appreciated.
Re: [Puppet Users] Issue retrieving new certificate on host after original certificate was revoked
Additionally, I should add that the revoked certificate on the Puppet master was also cleaned with the following command:

    # puppet cert --clean el5-puptest-2.localdomain

And the issue persists as outlined above.

__
*J. Adam Craig*
UNIX Operating Systems Analyst
VCU Computer Center
804.828.4886

Don't be a phishing victim -- VCU and other reputable organizations will never use email to request that you reply with your password, social security number or confidential personal information. For more details, visit http://infosecurity.vcu.edu/phishing.html

On Fri, Oct 4, 2013 at 9:43 AM, J. Adam Craig jacr...@vcu.edu wrote:

Folks --

I am attempting to retrieve a new certificate on a Puppet client whose certificate was revoked on the Puppet master. The original certificate was revoked using the command:

    # puppet cert --revoke el5-puptest-2.localdomain

I have deleted the /var/lib/puppet/ssl directory on the client, and issued the following command:

    # puppet agent --test --waitforcert=20

This produces the following result:

    [root@el5-puptest-3 ~]# puppet agent --test --waitforcert=20
    info: Creating a new SSL key for el5-puptest-3.localdomain
    info: Caching certificate for ca
    info: Creating a new SSL certificate request for el5-puptest-3.localdomain
    info: Certificate Request fingerprint (md5): 8E:F4:C6:25:17:7F:46:91:F6:D3:45:FB:F5:63:19:B4
    info: Caching certificate for el5-puptest-3.localdomain
    notice: Ignoring --listen on onetime run
    info: Retrieving plugin
    info: Caching certificate_revocation_list for ca
    err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': certificate verify failed
    err: /File[/var/lib/puppet/lib]: Could not evaluate: certificate verify failed Could not retrieve file metadata for puppet://rhel-vm-test-6a.ucc.vcu.edu/plugins: certificate verify failed
    err: Could not retrieve catalog from remote server: certificate verify failed
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run
    err: Could not send report: certificate verify failed

I read elsewhere that these issues could be due to the Puppet master being configured with Apache / Passenger, and that sometimes a restart of Apache on the master is needed to resolve the trouble. Despite issuing 'service httpd restart' on the Puppet master server, I'm still getting the above output. Both the Puppet agent and Puppet master are ver. 2.6.18-3.el6 (from EPEL).

Any assistance is greatly needed and appreciated.
Re: [Puppet Users] Issue retrieving new certificate on host after original certificate was revoked
Problem solved! Solution was to add the following line to the [main] section of '/etc/puppet/puppet.conf' on the agent:

    [main]
    ...
    certificate_revocation = false
    ...

-- Adam
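Setting certificate_revocation = false stops the agent from checking the CA's certificate revocation list, so hosts where it was applied as a workaround are worth tracking. The check below is an added example, not code from the thread: a minimal puppet.conf reader (whole-line comments only) run over constructed sample configs with constructed host names, assuming a setting in [agent] overrides the same setting in [main].

```ruby
# Constructed puppet.conf contents keyed by constructed host names.
SAMPLE_CONFIGS = {
  'agent-a.example.test' => <<~'CONF',
    [main]
    logdir = /var/log/puppet
    certificate_revocation = false
  CONF
  'agent-b.example.test' => <<~'CONF',
    [main]
    certificate_revocation = false
    [agent]
    certificate_revocation = true
  CONF
  'agent-c.example.test' => <<~'CONF',
    [main]
    # certificate_revocation = false
    ssldir = /var/lib/puppet/ssl
  CONF
  'agent-d.example.test' => <<~'CONF'
    [main]
    server = puppet.example.test
    [agent]
    certificate_revocation = false
  CONF
}.freeze

# Minimal reader: returns { "section" => { "setting" => "value" } }.
# Settings that appear before any [section] header are filed under "main".
def parse_puppet_conf(text)
  conf = {}
  section = 'main'
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if (m = line.match(/\A\[(\w+)\]\z/))
      section = m[1]
    elsif (m = line.match(/\A(\w+)\s*=\s*(.*)\z/))
      (conf[section] ||= {})[m[1]] = m[2].strip
    end
  end
  conf
end

# Value the agent run mode would see: [agent] first, then [main], then default.
def effective_setting(conf, key, default)
  %w[agent main].each do |sec|
    return conf[sec][key] if conf.fetch(sec, {}).key?(key)
  end
  default
end

# True when CRL checking is switched off for the agent (shipped default is on).
def crl_checking_disabled?(text)
  conf = parse_puppet_conf(text)
  effective_setting(conf, 'certificate_revocation', 'true').downcase == 'false'
end

# Sorted list of hosts whose agent config disables CRL checking.
def audit(configs)
  configs.select { |_host, text| crl_checking_disabled?(text) }.keys.sort
end

audit(SAMPLE_CONFIGS).each { |h| puts "#{h}: CRL checking disabled" } if __FILE__ == $PROGRAM_NAME
```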
Re: [Puppet Users] Re: Still no nagios joy
On 10/4/13 8:52 AM, jcbollinger wrote:

> It shouldn't make a difference, I don't think, but how are those declarations positioned in your original code? Are they in a class / definition / node block, or are they at top level?

In the file modules/nagios_config/manifests/init.pp, I have the functional equivalent of:

    class nagios_config {
      if $im_supposed_to_be_monitored {
        notify { "Nagios Base: $fqdn $hostname $ipaddress": }
        @@nagios_host { $fqdn:
          ensure  => present,
          alias   => $hostname,
          address => $ipaddress,
          use     => "linux-server",
        }
      }
    }

...then in site.pp 'include nagios_config'.

> Also, is there any chance of resource parameter overrides being in play? Specifically, overrides of the Nagios_hosts' 'ensure' parameters?

Nope. I don't do any resource overrides in any of my manifests.

--
David Thompson
Waisman Center Brain Imaging and Behavior Lab
1500 Highland Ave. Room T133
Madison, WI 53705-2280
(608) 265-6608
dthompson (at) waisman (dot) wisc (dot) edu
Re: [Puppet Users] puppet RHEL4
Sure and even rhel6... The trouble is that we host application for client which we cannot migrate :-(
So we are stuck with a few RHEL4 we cannot upgrade

On Fri, Oct 4, 2013 at 3:50 PM, Dan White y...@comcast.net wrote:

> Go to RHEL 5
> Less trouble in the long run
>
> On Oct 4, 2013, at 9:01 AM, yannig rousseau wrote:
>
>> Hi all,
>>
>> We are still running a few dozens of RHEL4 within our Datacenter and I'd like to install a puppet agent to at least collect some inventory (facter) and do a little bit of configuration management.
>>
>> The only puppet agent I managed to find for el4 is 0.22.4 (quite old) which we installed with a facter 1.6.4 and a ruby 1.8.7.72. At first we had issues with requires until we export a RUBYLIB variable to indicate where to find all ruby libraries (/usr/lib/site_ruby/1.8/). Currently, there is no more error at start, but the process still does not run ...
>>
>> Any idea ?
>>
>> Regards
[Puppet Users] require one file from several environments
I would like to create one file with array, i.e.:

    $pkg_versions = {
      soft1 => { prod => "0.0.6", test => "0.0.7" },
      soft2 => { prod => "1.1.4", test => "1.1.5" },
    }

And require this file in several environments. I tried to use require /var/lib/puppet/somedir/etc/file.inc, but puppet can not find it. What solution should I use? Or maybe is it possible to put this array in puppet class, include it in parent class and get its values?

Thanks for help!
Re: [Puppet Users] puppet RHEL4
I had the exact same problem, I am stuck with EL4. I ended up building ruby, openssl and a few other things from source, then installing the puppet gem. I then bundled each program up into an RPM using fpm to deploy. So far it's working great, but it took a while to get it working.

I recommend while you are doing that, toss newer versions of stuff like python into /opt. It will save you a lot of headaches supporting these machines down the road.
[Puppet Users] /opt/puppet/var/lib/pgsql/9.2/console/PG_9.2_201204301 is full
Hi,

My agents are failing; they are complaining that the server is not able to create files in /tmp. I have one / partition and it's filled up. When I checked the du -hs * output, my /opt is occupying 45 GB of space.

Please help
Re: [Puppet Users] Re: Still no nagios joy
On Thu, Oct 3, 2013 at 9:48 AM, David Thompson dthomp...@waisman.wisc.edu wrote:

> On 10/3/13 9:07 AM, jcbollinger wrote:
>
>> And you're certain that $nagios_server evaluates to true on the machines that nevertheless fail to get the expected Nagios_host resources applied? You could probe that by changing the above to
>>
>>     if $nagios_server {
>>       Nagios_host <<| |>>
>>       notify { 'I am a nagios server': }
>>     } else {
>>       notify { 'I am not a nagios server': }
>>     }
>>
>> That will also help you catch the case that the class containing the above is not included in the catalog at all, for then you would see neither the Notify message in the agent log. You can also watch your query log for the query by which Puppet retrieves all the wanted Nagios_host resources; if nothing else is fruitful then the details of the query might reveal some useful information.
>
> First to answer. I have one computer that runs nagios. That's the (only) computer that has $nagios_server defined. The computers that I want to monitor have the @@nagios_host {} resource. I've verified this up and down.
>
> I've done some more testing, and there's something very funny going on. In my manifests, I have the following:
>
>     notify { "Nagios Base: $fqdn $hostname $ipaddress": }
>     @@nagios_host { $fqdn:
>       ensure  => present,
>       alias   => $hostname,
>       address => $ipaddress,
>       use     => "linux-server",
>     }
>
> On the hosts to be monitored, I see the notify, and, as I've said, I see the db inserts, but then nothing comes up in the REST query. HOWEVER, if I take the lines above and put them in a separate .pp file and puppet apply that file, then I see the resources via the REST query. My understanding was that once a resource gets defined, that's the end of the story, but it's clearly not what's happening here.
>
> So, puppet agent --test --environment production fails to create resources findable via REST (and in fact removes them if they're present), but puppet apply foo.pp (with foo.pp containing the statements above) makes them findable (and they show up in nagios_hosts.cfg on the nagios server).

PuppetDB will only return resources for nodes which haven't been marked inactive...is it possible that's happened for some of your nodes? Hitting http://localhost:8080/v2/nodes on your puppetdb server should dump out everything puppetdb knows about your hosts, including when they were deactivated (or null if they've not been deactivated).

>> though I don't expect using that form will change anything. I'm more interested, though, in the back end. That is, is puppetdb for some reason failing to serve up resources that are in fact recorded in the back-end DB, or are the resources either not making it to the DB in the first place, or are they being purged from the DB between being entered and being queried?
>
> That's a very good question. I can certainly find catalog_resource and resource_params records that *look* like they contain appropriate Nagios_host resources, but the REST API says no, and if I run the actual sql query out of the postgres statement log, it says no. The sql query itself is complex enough to be beyond my db-mojo to understand why it's not finding any Nagios_host resources.
>
>> You said earlier that some nagios hosts are getting configured, at least on some machines, but I didn't completely understand which hosts are getting configured on which machines. Are there machines that get all the expected hosts? Are there nagios_hosts that get configured on all machines? More generally, what is the nature of the correlation (that you have recognized) between declared nagios host resources and the machines on which puppet manages those resources?
>
> Yes, sometimes I've gotten some partial Nagios_host data generated on the nagios server, but never in any discernible or repeatable form. It looks like enlightenment lies in understanding the difference between the puppet agent and puppet apply runs.