Re: [Puppet Users] Re: Setting requirements using collection -vs- before/require meta-parameters

2011-06-27 Thread Nigel Kersten
On Mon, Jun 27, 2011 at 9:36 AM, Jon Jaroker  wrote:

>
> After adding both forms of the dependency (the 'collection' as well as
> 'before'), I have not had a failure for the past few days.
>
> I believe my syntax is right and that the issue is specific to the
> dependency.  I wonder if a timeout is occurring before the NFS share
> is mounted, but this timeout failure is not being reported.  I am not
> sure how to isolate the issue further, but the workaround has been OK.
>
>
So it looks like we have a bug that I'm still trying to find in the
database, and I think it might be affecting you.

If you have a class that only declares other classes in it, and doesn't have
any resources in it, then it gets removed from the dependency graph.

It's clearly a bug, and we're going to fix it.

Is this possibly your problem? Does the description fit?

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.



[Puppet Users] Re: howto trigger action on another client

2011-06-27 Thread jcbollinger


On Jun 27, 9:37 am, Andreas Kuntzagk 
wrote:
> Thanks for these infos. I think I got at least a vague idea how this works and
> can already use it for some simple cases.
> One more question:
> If I define checks for the "exported exec" (like "creates" or "onlyif" will
> these run on the exporting agent or the executing agent? (my guess is the 
> second
> but want to make sure)


The 'unless' and / or 'onlyif' command will run on the same nodes that
the main command runs on.  Likewise the criterion implied by the
'creates' parameter is evaluated on the same nodes that the main
command runs on.  In all cases, that means these apply to the node(s)
that *collect* the Exec resources.


> If this is the case is there a way to run the "exec" depending on some checks 
> on
> the exporting agent?


Certainly.  Define one or more custom facts embodying the results of
your tests (it's pretty easy).  Distribute these via Puppet's
pluginsync mechanism.  Use conditionals based on the fact values to
control whether the Exec's are exported, and / or to vary their
parameters (e.g. setting unless => '/bin/true' is one way for the
exporter to disable execution).

In general, facts, including custom facts, are the Puppet means for
providing nodes' state details to the puppetmaster.


John




[Puppet Users] Re: Custom facts - chicken or the egg

2011-06-27 Thread jcbollinger


On Jun 27, 12:44 pm, Craig White  wrote:
> On Jun 25, 2011, at 7:51 AM, Nigel Kersten wrote:
>
> > On Fri, Jun 24, 2011 at 4:28 PM, Craig White  wrote:
>
> >> 1. I want to require => 
> >> /etc/puppet/modules/custom/lib/facter/$SOME_CUSTOM_FACT is actually 
> >> executed and the fact is established before a particular package is 
> >> installed/configured. I can't seem to find the proper syntax for requiring 
> >> that fact first - before the attempted installation.
>
> > If you're distributing facts as plugins in modules like this, the
> > pluginsync should cause the fact to be evaluated before the manifests
> > are parsed and the catalog is compiled.
>
> > Something is going wrong if you're not getting your fact evaluated on
> > first run. You definitely have pluginsync on on the node?
>
> 
> Got this solved - custom facts syntax seems to be a little particular about 
> 'exec' commands and apparently much prefers 'system' commands and that is why 
> I was having issues getting it to run - fixed now. Yes, I had pluginsync on 
> the node.


This is not a peculiarity of custom facts.

Ruby's 'exec' command (and the shell's and the corresponding family of
C functions, etc.) don't just execute a command: they *replace* the
currently running process with the specified command.  Among other
things, that means that the exec'ed command never returns (since
there's nothing for it to return to); its exit is instead the end of
the program.

There are excellent reasons to want that behavior under some
circumstances (often in conjunction with 'fork'; at some level this is
how 'system' is implemented), but custom facts are not typically among
those circumstances.

Always choose 'system' instead of 'exec' unless you know exactly why
you want the latter.


Cheers,

John
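
Added example (not part of the post above): a plain-Ruby illustration of the difference it describes. Each strategy runs in a forked child so the parent can see whether the code after the command was ever reached. The helper names are made up for this illustration, and the commands are run with the current Ruby interpreter so the script works offline on a Unix-like system.

```ruby
require 'rbconfig'

# Path of the running interpreter, used as a harmless external command.
RUBY = RbConfig.ruby

# Runs the given block in a child process and returns
# [whatever the child wrote to the pipe, the child's exit status].
def run_in_child
  reader, writer = IO.pipe
  pid = fork do
    reader.close
    yield writer
    writer.close
    exit!(0) # skip at_exit handlers inherited from the parent
  end
  writer.close
  output = reader.read
  reader.close
  _, status = Process.wait2(pid)
  [output, status.exitstatus]
end

# system: the command runs in its own child and control comes back.
def after_system
  run_in_child do |w|
    ok = system(RUBY, '-e', 'exit 0')
    w.write("reached:#{ok}")
  end
end

# exec: the calling process is replaced by the command, so nothing after
# the call runs and the process ends with the command's exit status.
def after_exec
  run_in_child do |w|
    exec(RUBY, '-e', 'exit 3')
    w.write('reached') # never executed
  end
end

# Backticks: like system, but the command's output is captured, which is
# what code computing a fact value usually needs.
def after_backticks
  run_in_child do |w|
    value = `#{RUBY} -e "print 42"`
    w.write("value:#{value}")
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "system:    #{after_system.inspect}"
  puts "exec:      #{after_exec.inspect}"
  puts "backticks: #{after_backticks.inspect}"
end
```

With exec, the code that would have returned the fact's value is never reached, because the process evaluating it no longer exists.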




Re: [Puppet Users] gentoo linux and puppet

2011-06-27 Thread Nigel Kersten
On Wed, Jun 22, 2011 at 10:19 AM, Peter Berghold wrote:
>
> err: Could not retrieve catalog from remote server: Error 400 on SERVER: No
> support for http method POST
>

To explain this error a bit more, we've moved the catalog retrieval to a
POST rather than a GET to avoid the compile-time size limitations on fact
data that we had with GET.




Re: [Puppet Users] Re: gentoo linux and puppet

2011-06-27 Thread Daniel Pittman
On Mon, Jun 27, 2011 at 14:10, Arthur Nisnevich  wrote:
>
> I ran into this as well. Figuring it had something to do with version
> inconsistency, I upgraded my master to 2.7.1 (which is the latest and
> greatest that my client ended up with) and it seemed to resolve the
> problem.

It would.  Specifically, we support a *newer* master than clients, but
not the other way around.  (It might, occasionally, work, but we make
no promises in that direction.)

So, if you have 2.7 clients you need a 2.7 master.

> Note that it DID introduce other unexpected behavior for me, so I
> might revert the master and all clients back to an older version for
> the time being. YMMV.

I trust you filed bugs about those, so we can fix 'em. ;)

daniel

>
> On Jun 22, 11:19 am, Peter Berghold  wrote:
>> Hi folks,
>>
>> I am building a server using Gentoo Linux and was about to start automating
>> the package loads using puppet. First things first I loaded the latest and
>> greatest facter and puppet from gems.  Got the new SSL certificate loaded
>> and ran puppetd --test and expected to see a base manifest loaded.
>>
>> Instead here is how it went:
>>
>> puppetd --test
>> err: Could not retrieve catalog from remote server: Error 400 on SERVER: No
>> support for http method POST
>> warning: Not using cache on failed catalog
>> err: Could not retrieve catalog; skipping run
>>
>> Eh?  Never saw that before...
>>
>> --
>> Peter L. Berghold
>> Owner, Shark River Technical Solutions LLC
>
>
>



-- 
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman 
✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
♲ Made with 100 percent post-consumer electrons




[Puppet Users] Re: gentoo linux and puppet

2011-06-27 Thread Arthur Nisnevich
I ran into this as well. Figuring it had something to do with version
inconsistency, I upgraded my master to 2.7.1 (which is the latest and
greatest that my client ended up with) and it seemed to resolve the
problem.

Note that it DID introduce other unexpected behavior for me, so I
might revert the master and all clients back to an older version for
the time being. YMMV.

On Jun 22, 11:19 am, Peter Berghold  wrote:
> Hi folks,
>
> I am building a server using Gentoo Linux and was about to start automating
> the package loads using puppet. First things first I loaded the latest and
> greatest facter and puppet from gems.  Got the new SSL certificate loaded
> and ran puppetd --test and expected to see a base manifest loaded.
>
> Instead here is how it went:
>
> puppetd --test
> err: Could not retrieve catalog from remote server: Error 400 on SERVER: No
> support for http method POST
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
>
> Eh?  Never saw that before...
>
> --
> Peter L. Berghold
> Owner, Shark River Technical Solutions LLC




Re: [Puppet Users] Re: Puppet Dashboard without MySQL

2011-06-27 Thread Douglas Garstang
On Mon, Jun 27, 2011 at 12:30 PM, Ohad Levy  wrote:

> On Mon, Jun 27, 2011 at 9:40 PM, Douglas Garstang
>  wrote:
> > On Mon, Jun 27, 2011 at 10:49 AM, Nan Liu  wrote:
> >>
> >> On Mon, Jun 27, 2011 at 10:35 AM, Douglas Garstang
> >>  wrote:
> >> > Actually, to be more specific, our nodes are stored in yaml files, and
> >> > I'd
> >> > like to keep them that way, and continue to have the yaml files as the
> >> > source of truth, not a MySQL database. Puppet dashboard should read
> from
> >> > those yaml files.
> >> > Doug.
> >>
> >> You can use Dashboard in any of the following combination:
> >>
> >> ENC
> >> Reporting
> >> ENC + Reporting.
> >>
> >
> > Kinda wanted to use it for more than reporting. Shame, really. It would
> be
> > nice if there was a tool that could translate any external node format.
>
> not sure what do you mean by translate, but Foreman can import
> information from other ENC's
>
>
I don't want to import the nodes, I want to leave the node information in
YAML files and have Foreman read from that. When edits are made to the
nodes, I want the edits to be made to the YAML files. Putting the node
config into anything else removes the ability to do revision control, and
importing the data into Foreman (I assume) obfuscates it to the point that I
can't easily view/edit the files any more.

Doug.




Re: [Puppet Users] Ruby script to download files without 'puppet agent'

2011-06-27 Thread Ohad Levy
On Mon, Jun 27, 2011 at 5:55 PM,   wrote:
>> On Mon, Jun 27, 2011 at 7:27 AM,  wrote:
>>
>>> I don't know if i got the URL right, i did not find any examples on the
>>> REST API documentation for the fileserver.
>>>
>>
>> This should cover it.
>>
>> http://docs.puppetlabs.com/guides/rest_api.html#file-server
>
> This isn't still clear to me. Would appreciate if someone could give a
> concrete example how a path in a module or in the filepath would translate.
>
> Here is what i try:
>
> fileserver.conf
> [files]
>  path /etc/puppet/manifests/files
>  allow 127.0.0.1
>  allow *.smobi.mobicorp.test
>
>
> The file is located at /etc/puppet/manifests/files/sudo/sudoers
>
>
> [root@foo me]# ./puppet-wget file_content/sudo/sudoers
> https://foo.bar:8140/file_content/sudo/sudoers
> warning: peer certificate won't be verified in this SSL session
> /usr/lib/ruby/1.8/net/http.rb:2099:in `error!': 403 "Forbidden request:
> foo.bar(10.2.3.4) access to /sudo/sudoers [find] authenticated  at line 93
> " (Net::HTTPServerException)
>        from ./puppet-wget:56
>        from ./puppet-wget:43:in `each'
>        from ./puppet-wget:43
>
>
> AFAIK if something is wrong with the certs the server would answer with a
> 401 and not 403. It really looks to me as if i get that path wrong.
>
> --
> #!/bin/env ruby
> #
> # Puppet Wget
> #
> # Downloads files from the puppetmaster without the puppet agent
>
>
> require 'optparse'
> require 'puppet/rails'
> require 'uri'
> require 'net/https'
>
>
> # Parse all Options
> options = {}
> OptionParser.new do |opts|
>  opts.banner = "Usage: puppet-wget [options] module/path/to/file"
>
>  opts.on("-r", "--recursive", "Download directory recursively") do |r|
>    options[:recursive] = r
>  end
> end.parse!
>
>
> # Get some settings for the puppet config
> Puppet[:config] = "/etc/puppet/puppet.conf"
> Puppet.parse_config
> puppet_conf = Puppet.settings.instance_variable_get(:@values)[:main]
>
>
> # default values
> puppet_conf[:server]     ||= 'puppet'
> puppet_conf[:masterport] ||= '8140'
> puppet_conf[:ssldir]     ||= '/etc/puppet/ssl'
>
>
> server    = puppet_conf[:server]
> port      = puppet_conf[:masterport]
> certpath  = puppet_conf[:ssldir] + '/certs/'        + ENV['HOSTNAME'] +
> '.pem'
> pkey_path = puppet_conf[:ssldir] + '/private_keys/' + ENV['HOSTNAME'] +
> '.pem'
>
>
> ARGV.each do |filepath|
>  url = URI.parse("https://#{server}:#{port}/#{filepath}")
>  req = Net::HTTP::Get.new("#{url.path}?#{url.query}", "Accept" => 's')
>
>  puts url
>
>  # make ssl request
>  connection = Net::HTTP.new(url.host, url.port)
>  connection.use_ssl = true
>  connection.cert = OpenSSL::X509::Certificate.new(File.read(certpath))
>  connection.key = OpenSSL::PKey::RSA.new(File.read(pkey_path))
you are missing the CA file... something like
connection.ca_file = Puppet[:localcacert]

>  res = connection.start { |http| http.request(req) }
>
>  res.error! unless res.code_type == Net::HTTPOK
>  puts res.body
>
> end
>
>
>




Re: [Puppet Users] Re: Puppet Dashboard without MySQL

2011-06-27 Thread Ohad Levy
On Mon, Jun 27, 2011 at 9:40 PM, Douglas Garstang
 wrote:
> On Mon, Jun 27, 2011 at 10:49 AM, Nan Liu  wrote:
>>
>> On Mon, Jun 27, 2011 at 10:35 AM, Douglas Garstang
>>  wrote:
>> > Actually, to be more specific, our nodes are stored in yaml files, and
>> > I'd
>> > like to keep them that way, and continue to have the yaml files as the
>> > source of truth, not a MySQL database. Puppet dashboard should read from
>> > those yaml files.
>> > Doug.
>>
>> You can use Dashboard in any of the following combination:
>>
>> ENC
>> Reporting
>> ENC + Reporting.
>>
>
> Kinda wanted to use it for more than reporting. Shame, really. It would be
> nice if there was a tool that could translate any external node format.

not sure what do you mean by translate, but Foreman can import
information from other ENC's

Ohad
>
> Doug.
>
>




Re: [Puppet Users] Re: Puppet Dashboard without MySQL

2011-06-27 Thread Douglas Garstang
On Mon, Jun 27, 2011 at 10:49 AM, Nan Liu  wrote:

> On Mon, Jun 27, 2011 at 10:35 AM, Douglas Garstang
>  wrote:
> > Actually, to be more specific, our nodes are stored in yaml files, and
> I'd
> > like to keep them that way, and continue to have the yaml files as the
> > source of truth, not a MySQL database. Puppet dashboard should read from
> > those yaml files.
> > Doug.
>
> You can use Dashboard in any of the following combination:
>
> ENC
> Reporting
> ENC + Reporting.
>
>
Kinda wanted to use it for more than reporting. Shame, really. It would be
nice if there was a tool that could translate any external node format.

Doug.




Re: [Puppet Users] Re: Puppet Dashboard without MySQL

2011-06-27 Thread Nan Liu
On Mon, Jun 27, 2011 at 10:35 AM, Douglas Garstang
 wrote:
> Actually, to be more specific, our nodes are stored in yaml files, and I'd
> like to keep them that way, and continue to have the yaml files as the
> source of truth, not a MySQL database. Puppet dashboard should read from
> those yaml files.
> Doug.

You can use Dashboard in any of the following combinations:

ENC
Reporting
ENC + Reporting.

If you have an existing ENC that reads those YAML files you can keep
that process intact and only use dashboard for reporting.

Nan




Re: [Puppet Users] Custom facts - chicken or the egg

2011-06-27 Thread Craig White

On Jun 25, 2011, at 7:51 AM, Nigel Kersten wrote:

> On Fri, Jun 24, 2011 at 4:28 PM, Craig White  wrote:
> 
>> 1. I want to require => 
>> /etc/puppet/modules/custom/lib/facter/$SOME_CUSTOM_FACT is actually executed 
>> and the fact is established before a particular package is 
>> installed/configured. I can't seem to find the proper syntax for requiring 
>> that fact first - before the attempted installation.
> 
> If you're distributing facts as plugins in modules like this, the
> pluginsync should cause the fact to be evaluated before the manifests
> are parsed and the catalog is compiled.
> 
> Something is going wrong if you're not getting your fact evaluated on
> first run. You definitely have pluginsync on on the node?

Got this solved - custom facts syntax seems to be a little particular about 
'exec' commands and apparently much prefers 'system' commands and that is why I 
was having issues getting it to run - fixed now. Yes, I had pluginsync on the 
node.

> 
>> 2. It seems that the custom/lib/facter directory is a bit squirrelly in that 
>> it gags on the automatic backup files created by emacs (FILENAME.rb~) and if 
>> I create a resource that depends upon a fact, the resource installation 
>> fails and the fact is never established when I was sort of expecting facter 
>> to run at the outset of any agent activity.
> 
> Best practice in my opinion is to have all this in version control,
> and have your version control system ignore all such backup files, but
> it might be worth reporting a feature request to automatically exclude
> the common text editor backup files.

OK - starting up doesn't always involve best practices ;-) In my case, I 
am racing to get up to a certain point and working with multiple VMWare images 
as my test bed and thus working full-time in a production mode and delaying the 
inevitable switch over to SVN and development & test modes. But I am sure that 
the issue will still remain in 'development' and 'test' modes if I actively 
edit in 'lib' directories instead of on my own desktop and commit via SVN. 

This does however leave the last remaining chicken or the egg issue however and 
that is if I change the version in my passenger gem setup, it would take 2 
separate runs of puppet agent... the first one to update the passenger gem and 
the next one to discover that 'fact' before the changes are implemented into 
the nginx & apache templates.

I suppose I can leave this messy for now unless someone has a methodology that 
I can syntactically require the custom 'fact' to be applied immediately after 
the gem is updated but before the apache & nginx 'configure.pp' is 'notified' 
by passenger.pp.

Thanks

Craig




[Puppet Users] Re: Puppet Dashboard without MySQL

2011-06-27 Thread Douglas Garstang
Actually, to be more specific, our nodes are stored in yaml files, and I'd
like to keep them that way, and continue to have the yaml files as the
source of truth, not a MySQL database. Puppet dashboard should read from
those yaml files.

Doug.

On Mon, Jun 27, 2011 at 10:24 AM, Douglas Garstang
wrote:

> All,
>
> Can puppet dashboard be used WITHOUT MySQL?
>
> Can't find it documented here:
>
>
> http://docs.puppetlabs.com/guides/installing_dashboard.html#external_node_classification
>
> Doug.
>
>


-- 
Regards,

Douglas Garstang
http://www.linkedin.com/in/garstang
Email: doug.garst...@gmail.com
Cell: +1-805-340-5627




Re: [Puppet Users] Puppet Dashboard without MySQL

2011-06-27 Thread Douglas Garstang
Oh. That's a deal breaker. :( Makes the puppet dashboard unusable.

On Mon, Jun 27, 2011 at 10:32 AM, Jacob Helwig  wrote:

> On Mon, 27 Jun 2011 10:24:38 -0700, Douglas Garstang wrote:
> >
> > All,
> >
> > Can puppet dashboard be used WITHOUT MySQL?
> >
> > Can't find it documented here:
> >
> >
> http://docs.puppetlabs.com/guides/installing_dashboard.html#external_node_classification
> >
> > Doug.
> >
>
> There are some MySQLisms in the currently released versions of Dashboard
> that we're working on getting rid of, but right now Dashboard does need
> MySQL to work properly.
>
> If all you're interested in is external node classification (and not the
> report collection) then you might be able to get away with using
> something else, as long as you don't mind certain pages blowing up.
>
> I haven't actually tried this though, and I'm fairly certain that the
> main page is one of the ones that will blow up.
>
> --
> Jacob Helwig
>
>
>


-- 
Regards,

Douglas Garstang
http://www.linkedin.com/in/garstang
Email: doug.garst...@gmail.com
Cell: +1-805-340-5627




Re: [Puppet Users] Puppet Dashboard without MySQL

2011-06-27 Thread Jacob Helwig
On Mon, 27 Jun 2011 10:24:38 -0700, Douglas Garstang wrote:
> 
> All,
> 
> Can puppet dashboard be used WITHOUT MySQL?
> 
> Can't find it documented here:
> 
> http://docs.puppetlabs.com/guides/installing_dashboard.html#external_node_classification
> 
> Doug.
> 

There are some MySQLisms in the currently released versions of Dashboard
that we're working on getting rid of, but right now Dashboard does need
MySQL to work properly.

If all you're interested in is external node classification (and not the
report collection) then you might be able to get away with using
something else, as long as you don't mind certain pages blowing up.

I haven't actually tried this though, and I'm fairly certain that the
main page is one of the ones that will blow up.

-- 
Jacob Helwig




[Puppet Users] Puppet Dashboard without MySQL

2011-06-27 Thread Douglas Garstang
All,

Can puppet dashboard be used WITHOUT MySQL?

Can't find it documented here:

http://docs.puppetlabs.com/guides/installing_dashboard.html#external_node_classification

Doug.




[Puppet Users] Re: Setting requirements using collection -vs- before/require meta-parameters

2011-06-27 Thread Jon Jaroker
Hello Nigel,

Thank you for clarifying the syntax.  I suspect that Puppet does not
apply this dependency consistently.  The failure is intermittent.  I
am using a clumsy workaround to avoid the dependency failure.

My manifest is written so that 'infrastructure' is separate from
'roles'.   On my local workstation, I create a 'local' node using VM
Workstation.  When this 'local' node connects, puppet should first
connect the NFS share, which contains the Sun Java binary.  I then
assign a "frontend" role to this node.  This "frontend" role has a
Java class that expects the binary to exist in the /share directory.

Here is the actual node-role assignment I am using on one of the
testing VMs where the dependency fails:

-
node 'node02' inherits local {

  S_nfs::Client <| |> -> Class['role_frontend']

  class{ 'role_frontend':
    add_sampledata  => 'true',
  }

  s_nfs::client { '/opt/share':
    action       => 'mount',
    share_server => '10.10.10.14',
    share_source => '/c/UserSource/Linux',
    before       => Class['s_java', 'tomcat'],
  }
}

-

In the above, I am using BOTH forms of the dependency assignment.  I
think this is wrong, but it has made the NFS->Class dependency work
consistently for the past few days.

When only one form of the dependency is used (either the 'collection'
or 'before'), then Class['java'] sometimes fails  because the NFS
share is mounted AFTER the class is applied.

I believe that the issue is with Puppet because I make changes ONLY to
Class['s_java'] or Class['tomcat'].  The node-role assignment above
does not change.

As I develop the classes, I restore VM Workstation 'node02' to the
original 'clean' snapshot.  This snapshot does not have the NFS share
mounted, so Puppet must first mount the NFS share.  When only one form
of the dependency assignment is used, the Class['s_java'] is
incorrectly applied before the NFS mount about 30% of the time.

After adding both forms of the dependency (the 'collection' as well as
'before'), I have not had a failure for the past few days.

I believe my syntax is right and that the issue is specific to the
dependency.  I wonder if a timeout is occurring before the NFS share
is mounted, but this timeout failure is not being reported.  I am not
sure how to isolate the issue further, but the workaround has been OK.

Regards,
Jon

On Jun 25, 10:12 am, Nigel Kersten  wrote:
> On Fri, Jun 24, 2011 at 5:44 PM, Jon Jaroker  wrote:
> > Hello,
>
> > Could someone explain why a relationship implemented with a collection
> > is honored by Puppet, but a 'before' or 'require' meta-parameter fails
> > for the example below.
>
> > --- THIS WORKS --
> > Nfs::Client <| |>  -> Class['myclass']
> > class { 'myclass': }
> > nfs::client { '/share':}
> > 
>
> > -- DEPENDENCY IS NOT HONORED BY PUPPET HERE -
> > class{'myclass': require => Nfs::Client['/share'] }
> > nfs::client{'/share':}
> > 
>
> > The nfs share must be mounted before packages can be installed in
> > Class['myclass'].  Defining this relationship using 'before' or
> > 'require' meta-parameters did not succeed:  In the bottom example,
> > Puppet would attempt to install packages contained in the class even
> > though the nfs share was not mounted.
>
> > I realize that the top example is applying the relationship to all
> > 'nfs::client' defined types (which is fine).   But why should this
> > method work while the explicit 'before' or 'require' approach fail?
>
> At first glance I think that should work. What version of Puppet are
> you running?
>
> --
> Nigel Kersten
> Product, Puppet Labs
> @nigelkersten




Re: [Puppet Users] Puppet 2.6.9 & 2.7.1 packages for Solaris

2011-06-27 Thread Mark Phillips
On 27 Jun 2011, at 15:01, Andreas Kuntzagk wrote:

> Mark Phillips wrote:
>> I'm not sure what the deal is with sharing the /opt/csw space these days, so
>> I'm afraid I can't comment on whether it will play ball or not. The
>> dependency list isn't so large, so if you've got CSWruby on your machine you
>> may find it all installs correctly. It's your choice I'm afraid Andreas -
>> give it a go?
> 
> I will stall this for now since my prio 1 is setting up puppet on our linux 
> boxes. If later I'm able to config the solaris boxes as well that would be 
> the icing on the cake.

Not a problem. If you have any queries about Puppet on Solaris from the CSW 
packages just drop me a note.

Cheers,

--Mark




Re: [Puppet Users] Ruby script to download files without 'puppet agent'

2011-06-27 Thread zuber
> On Mon, Jun 27, 2011 at 7:27 AM,  wrote:
>
>> I don't know if I got the URL right; I did not find any examples in the
>> REST API documentation for the fileserver.
>>
>
> This should cover it.
>
> http://docs.puppetlabs.com/guides/rest_api.html#file-server

This still isn't clear to me. I would appreciate it if someone could give a
concrete example of how a path in a module or in the filepath would translate.

Here is what I try:

fileserver.conf
[files]
  path /etc/puppet/manifests/files
  allow 127.0.0.1
  allow *.smobi.mobicorp.test


The file is located at /etc/puppet/manifests/files/sudo/sudoers


[root@foo me]# ./puppet-wget file_content/sudo/sudoers
https://foo.bar:8140/file_content/sudo/sudoers
warning: peer certificate won't be verified in this SSL session
/usr/lib/ruby/1.8/net/http.rb:2099:in `error!': 403 "Forbidden request:
foo.bar(10.2.3.4) access to /sudo/sudoers [find] authenticated  at line 93
" (Net::HTTPServerException)
from ./puppet-wget:56
from ./puppet-wget:43:in `each'
from ./puppet-wget:43


AFAIK if something is wrong with the certs the server would answer with a
401 and not 403. It really looks to me as if I get that path wrong.

--
#!/bin/env ruby
#
# Puppet Wget
#
# Downloads files from the puppetmaster without the puppet agent


require 'optparse'
require 'puppet/rails'
require 'uri'
require 'net/https'


# Parse all Options
options = {}
OptionParser.new do |opts|
  opts.banner = "Usage: puppet-wget [options] module/path/to/file"

  opts.on("-r", "--recursive", "Download directory recursively") do |r|
    options[:recursive] = r
  end
end.parse!


# Get some settings for the puppet config
Puppet[:config] = "/etc/puppet/puppet.conf"
Puppet.parse_config
puppet_conf = Puppet.settings.instance_variable_get(:@values)[:main]


# default values
puppet_conf[:server] ||= 'puppet'
puppet_conf[:masterport] ||= '8140'
puppet_conf[:ssldir] ||= '/etc/puppet/ssl'


server    = puppet_conf[:server]
port      = puppet_conf[:masterport]
certpath  = puppet_conf[:ssldir] + '/certs/' + ENV['HOSTNAME'] + '.pem'
pkey_path = puppet_conf[:ssldir] + '/private_keys/' + ENV['HOSTNAME'] + '.pem'


ARGV.each do |filepath|
  url = URI.parse("https://#{server}:#{port}/#{filepath}")
  req = Net::HTTP::Get.new("#{url.path}?#{url.query}", "Accept" => 's')

  puts url

  # make ssl request
  connection = Net::HTTP.new(url.host, url.port)
  connection.use_ssl = true
  connection.cert = OpenSSL::X509::Certificate.new(File.read(certpath))
  connection.key = OpenSSL::PKey::RSA.new(File.read(pkey_path))
  res = connection.start { |http| http.request(req) }

  res.error! unless res.code_type == Net::HTTPOK
  puts res.body

end
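
The script above triggers Ruby's "peer certificate won't be verified" warning because it never sets a verify mode or a CA file, so the master's identity is not checked. The following is an added example, not part of the original post: it pins the connection to the Puppet CA and builds the request path in the /{environment}/file_content/{mount}/{path} form. That path layout, the 'production' environment, the 'raw' Accept value and the helper names are assumptions, not taken from the thread.

```ruby
require 'erb'
require 'net/http'
require 'openssl'
require 'uri'

# Build the file_content URL for a file served from a fileserver.conf mount.
# Assumption: the REST path is /{environment}/file_content/{mount}/{relative path},
# so [files] + sudo/sudoers becomes /production/file_content/files/sudo/sudoers.
def file_content_uri(server, port, environment, mount, relative_path)
  segments = relative_path.split('/').reject(&:empty?)
  # Refuse traversal segments instead of passing them on to the master.
  if segments.empty? || segments.any? { |s| s == '.' || s == '..' }
    raise ArgumentError, "unsafe or empty path: #{relative_path.inspect}"
  end
  [environment, mount].each do |name|
    raise ArgumentError, "bad name: #{name.inspect}" unless name =~ /\A[A-Za-z0-9_]+\z/
  end
  encoded = segments.map { |s| ERB::Util.url_encode(s) }
  path = '/' + ([environment, 'file_content', mount] + encoded).join('/')
  URI::HTTPS.build(host: server, port: Integer(port), path: path)
end

# Net::HTTP client that verifies the master's certificate against the
# Puppet CA certificate instead of accepting any peer.
def verified_client(uri, ca_file)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = ca_file
  http
end

# Fetch one file, authenticating with the node's own certificate and key.
# ssldir and certname follow the layout used by the script in the post
# ({ssldir}/certs/{name}.pem and {ssldir}/private_keys/{name}.pem).
def fetch_file(uri, ssldir, certname)
  http = verified_client(uri, File.join(ssldir, 'certs', 'ca.pem'))
  http.cert = OpenSSL::X509::Certificate.new(
    File.read(File.join(ssldir, 'certs', "#{certname}.pem"))
  )
  http.key = OpenSSL::PKey.read(
    File.read(File.join(ssldir, 'private_keys', "#{certname}.pem"))
  )
  # 'raw' is the assumed Accept format for file content.
  request = Net::HTTP::Get.new(uri.request_uri, 'Accept' => 'raw')
  response = http.start { |conn| conn.request(request) }
  response.error! unless response.is_a?(Net::HTTPOK)
  response.body
end

# Constructed sample values matching the fileserver.conf shown in the post.
SAMPLE_URI = file_content_uri('foo.bar', 8140, 'production', 'files', 'sudo/sudoers')
puts SAMPLE_URI
```

Whether the request is then allowed still depends on the allow lines of the mount in fileserver.conf and on the master's auth.conf.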





Re: [Puppet Users] puppet CA expired

2011-06-27 Thread Ohad Levy
On Mon, Jun 27, 2011 at 4:52 PM, j...@squirk.org  wrote:
> Le 16/06/2011 20:12, Nathan Clemons a écrit :
>> Thanks. I think having to go out across the board once every 5 years
>> is quite acceptable, although advance warning from the master that
>> it's going to happen would definitely be a good thing.
>>
>> Jean: Kudos to running Puppet for 5 years! :)
>>
>
> yes, I was planning to install cfengine when the first puppet appeared. I
> really liked the way of thinking of the creator, which seemed to me a very
> good approach to the issue, so I jumped in.
>
> As I needed to make changes to all the nodes, I simply recreated a 20-year
> CA and went to every node, removing the ssl certs and signing all nodes again
> on the master. If someone knows how to spot a client coming to puppet
> and failing the ssl handshake, it would help a lot to spot the ones I
> missed, if any! :)
>
One simple way is simply to look at the Foreman puppet certificate list.
You can also query it via the API and evaluate the certificate expiry date.

Ohad
>
> regards,
> Jean.
>




Re: [Puppet Users] Ruby script to download files without 'puppet agent'

2011-06-27 Thread Nigel Kersten
On Mon, Jun 27, 2011 at 7:41 AM,  wrote:

> > On Mon, Jun 27, 2011 at 7:27 AM,  wrote:
> >
> >> We often have the problem that some files need to be checked for updates
> >> faster than the cycle of the puppet agent. I try to solve this with a
> >> script which tries to download the files directly from the fileserver of
> >> the puppetmaster. So far I couldn't get it to work.
> >>
> >
> > Have you considered using tags instead to filter for a subset of your
> > resources?
>
> I need to check 1 file and 1 directory every 5min from >600 puppet nodes.
> As far as I know the puppetmaster still needs to compile the whole
> catalog. I did not test this, but I think this would not scale well.


Possibly.

You could also do something like this. Put the thing you need to check
frequently into a module, we'll call it "frequent" for now, and structure
your setup with environments like the following:

# normal environment
[normal]
modulepath=/var/lib/puppet/env/normal/modules:/var/lib/puppet/env/frequent/modules


[frequent]
modulepath=/var/lib/puppet/env/frequent/modules


Then you could choose to run every 5 minutes against the "frequent"
environment, and you'd have a very minimal catalog for the rapid runs, and a
more comprehensive one for your "normal" runs.




Re: [Puppet Users] Ruby script to download files without 'puppet agent'

2011-06-27 Thread zuber
> On Mon, Jun 27, 2011 at 7:27 AM,  wrote:
>
>> We often have the problem that some files need to be checked for updates
>> faster than the cycle of the puppet agent. I try to solve this with a
>> script which tries to download the files directly from the fileserver of
>> the puppetmaster. So far I couldn't get it to work.
>>
>
> Have you considered using tags instead to filter for a subset of your
> resources?

I need to check 1 file and 1 directory every 5min from >600 puppet nodes.
As far as I know the puppetmaster still needs to compile the whole
catalog. I did not test this, but I think this would not scale well.




Re: [Puppet Users] Re: howto trigger action on another client

2011-06-27 Thread Andreas Kuntzagk
Thanks for these infos. I think I got at least a vague idea how this works and 
can already use it for some simple cases.

One more question:
If I define checks for the "exported exec" (like "creates" or "onlyif"), will 
these run on the exporting agent or the executing agent? (my guess is the second 
but want to make sure)
If this is the case, is there a way to run the "exec" depending on some checks on 
the exporting agent?


regards, Andreas

jcbollinger wrote:


On Jun 24, 9:18 am, Andreas Kuntzagk 
wrote:

Daniel Maher wrote:

On 06/24/2011 03:39 PM, Andreas Kuntzagk wrote:

Exported resources are the Puppet means for one node to provide
resources for another. In this case, the execution host could export
an Exec resource for the master to collect and apply.

Hmm, in the (very short) time I've been working with puppet I have not
stumbled across exported resources. Any pointer where I should start
reading?

Exported resources are great fun. :)
http://docs.puppetlabs.com/guides/exported_resources.html
http://projects.puppetlabs.com/projects/1/wiki/Using_Stored_Configura...

According to these, exported resources are somewhat similar to virtual resources.
Problem is, until now I cannot wrap my brain around virtual resources so I don't
understand the exported resources examples.



Exported resources are an extended version of virtual resources.  It
took me a while to catch on to virtual resources, too, but once I got
it I realized how useful they are.  I'll attempt to explain:

Normal resource declarations have two key aspects.  First, they
describe a resource, and second, by their presence in a manifest they
indicate that that resource should be managed.  For example,

user { "john":
  ensure => "absent"
}

describes a User resource whose username is "john", and if it is
present in a node's manifest then that tells Puppet that the matching
user should be managed on that node -- in this case, User john must be
ensured absent from the node.

Virtual resources separate those key aspects.  They allow a resource
to be declared (described) without specifying whether that resource
should be managed.  For example,

@user { "john":
  ensure => "absent"
}

describes a User resource whose username is "john", but by itself it
does not direct the Puppet agent to do anything about that user.
Elsewhere in the manifest, however, that user can be "realized" to
indicate to Puppet that yes, User ["john"] should indeed be managed
(in this example, poor john would then again be ensured absent).
Virtual resources that are not realized for a particular node have no
effect on that node.

There are at least two ways in which this is useful:

1) If there are resources that must be managed only on some nodes,
then it can be clean and convenient to declare them virtually, all in
one place, for all nodes, and then realize just the needed ones on
each node.  This is a good alternative to bracketing each resource
with a complicated conditional statement.

2) Although resources, including virtual ones, can only be *declared*
once, virtual resources can be *realized* any number of times.  For
instance, if you had several different classes that wanted to drop
files in /etc/cron.d/, then they might all want to ensure that that
directory is present.  They can't all declare it, else the
declarations would collide.  One possibility would be to declare it
virtually, and let all the classes realize it.  (Another would be to
declare it concretely in a separate class, and have the other classes
each include that class.)


Exported resources are much like virtual ones.  The main difference is
that exported resources can be collected by any node, not just the
node that declares them.  For example, suppose you want all your nodes
to be listed in each other's /etc/hosts file.  Each node knows its own
name and IP address (suppose for simplicity that it has only one), but
it doesn't a priori know the others'.  You can do this:

# Export a Host resource describing this node:
@@host { "$fqdn":
  ip => "$ipaddress",
  host_aliases => "$hostname",
  ensure => "present"
}

# Collect all nodes' exported Host resources
# (including this node's)
Host <<| |>>


One of the major drawbacks of exported resources is that they require
persistent storage.  Puppet uses a database for that, which is a bit
heavy.  That's one reason why exported resources may not be worth the
trouble if this is your only use for them.


John






Re: [Puppet Users] Ruby script to download files without 'puppet agent'

2011-06-27 Thread Nigel Kersten
On Mon, Jun 27, 2011 at 7:27 AM,  wrote:

> We often have the problem that some files need to be checked for updates
> faster than the cycle of the puppet agent. I try to solve this with a
> script which tries to download the files directly from the fileserver of
> the puppetmaster. So far I couldn't get it to work.
>

Have you considered using tags instead to filter for a subset of your
resources?


>
> I don't know if I got the URL right; I did not find any examples in the
> REST API documentation for the fileserver.
>

This should cover it.

http://docs.puppetlabs.com/guides/rest_api.html#file-server




[Puppet Users] Ruby script to download files without 'puppet agent'

2011-06-27 Thread zuber
We often have the problem that some files need to be checked for updates
faster than the cycle of the puppet agent. I try to solve this with a
script which tries to download the files directly from the fileserver of
the puppetmaster. So far I couldn't get it to work.

I don't know if I got the URL right; I did not find any examples in the
REST API documentation for the fileserver.

For example, if the file is /etc/puppet/manifests/files/sudo/sudoers

fileserver.conf:
[files]
  path /etc/puppet/manifests/files
  allow 127.0.0.1
  allow *.bar

to what path would this translate?
https://foo.bar:8140/file_content/sudo/sudoers
https://bli.bla:8140/file_content/files/sudo/sudoers

Greetings
Andy




Re: [Puppet Users] puppet CA expired

2011-06-27 Thread Charles Johnson
If you keep your nodes in a nodes.pp file, and you are logging nodes as they
check in, you can run a little script that I run from time to time to find
nodes that have stopped communicating:

#!/bin/bash

tail -2 /var/log/messages | grep "Compiled catalog for " | tr -s " " |
cut -f 9 -d " " | cut -f 1 -d "." | sort | uniq > /tmp/nodes_checked_in
cat /etc/puppet/manifests/nodes.pp | cut -f 2 -d "'" | cut -f 1 -d "." |
sort | uniq > /tmp/nodes_expected

echo "< nodes checked in, but not expected  ...  > nodes expected, but not
checked in."
diff /tmp/nodes_checked_in /tmp/nodes_expected | grep "[<>]" | sort

~Charles~

On Mon, Jun 27, 2011 at 8:52 AM, j...@squirk.org  wrote:

> Le 16/06/2011 20:12, Nathan Clemons a écrit :
> > Thanks. I think having to go out across the board once every 5 years
> > is quite acceptable, although advance warning from the master that
> > it's going to happen would definitely be a good thing.
> >
> > Jean: Kudos to running Puppet for 5 years! :)
> >
>
> yes, I was planning to install cfengine when the first puppet appeared. I
> really liked the way of thinking of the creator, which seemed to me a very
> good approach to the issue, so I jumped in.
>
> As I needed to make changes to all the nodes, I simply recreated a 20-year
> CA and went to every node, removing the ssl certs and signing all nodes again
> on the master. If someone knows how to spot a client coming to puppet
> and failing the ssl handshake, it would help a lot to spot the ones I
> missed, if any! :)
>
>
> regards,
> Jean.
>




Re: [Puppet Users] Puppet 2.6.9 & 2.7.1 packages for Solaris

2011-06-27 Thread Andreas Kuntzagk

Mark Phillips wrote:

I'm not sure what the deal is with sharing the /opt/csw space these days, so
I'm afraid I can't comment on whether it will play ball or not. The
dependency list isn't so large, so if you've got CSWruby on your machine you
may find it all installs correctly. It's your choice I'm afraid Andreas -
give it a go?


I will stall this for now since my prio 1 is setting up puppet on our linux 
boxes. If later I'm able to config the solaris boxes as well that would be the 
icing on the cake.


regards, Andreas



Regards,

--Mark

On 24 Jun 2011, at 08:47, Andreas Kuntzagk wrote:


For whatever reason I'm using the opensource packages from blastwave. AFAIU
these are not to be mixed with opencsw. So I can't use your packages?

regards, Andreas

Mark Phillips wrote:

CSW packages in experimental -
http://buildfarm.opencsw.org/experimental.html#markp

Both contain Dom Cleal's patched pkgutil[1] provider that supports
'source'[2] for -t alternative repositories.

--Mark

[1] https://github.com/domcleal/puppet/blob/tickets/master/8011/lib/puppet/provider/package/pkgutil.rb
[2] http://projects.puppetlabs.com/issues/8011








Re: [Puppet Users] puppet CA expired

2011-06-27 Thread j...@squirk.org
Le 16/06/2011 20:12, Nathan Clemons a écrit :
> Thanks. I think having to go out across the board once every 5 years
> is quite acceptable, although advance warning from the master that
> it's going to happen would definitely be a good thing.
>
> Jean: Kudos to running Puppet for 5 years! :)
>

yes, I was planning to install cfengine when the first puppet appeared. I
really liked the way of thinking of the creator, which seemed to me a very
good approach to the issue, so I jumped in.

As I needed to make changes to all the nodes, I simply recreated a 20-year
CA and went to every node, removing the ssl certs and signing all nodes again
on the master. If someone knows how to spot a client coming to puppet
and failing the ssl handshake, it would help a lot to spot the ones I
missed, if any! :)


regards,
Jean.




Re: [Puppet Users] Permission denied on new Passenger install

2011-06-27 Thread Stefan Midjich
This was in the puppet.conf by default when installed through apt.

[user]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

Here's my entire puppet.conf.

[master]
confdir=/etc/puppet
manifestdir=$confdir/manifests
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
autosign=$confdir/autosign.conf
factpath=$vardir/lib/facter
templatedir=$confdir/templates
server = node00.swehack.localdomain
hostcsr = $ssldir/csr_node00.swehack.localdomain.pem
hostpubkey = $ssldir/public_keys/node00.swehack.localdomain.pem
hostcert = $ssldir/certs/node00.swehack.localdomain.pem
hostprivkey = $ssldir/private_keys/node00.swehack.localdomain.pem
ca_name = node00.swehack.localdomain
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post

[user]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

[agent]
rundir=/var/run/puppet
vardir=/var/lib/puppet
statedir = $vardir/state
ssldir=/var/lib/puppet/ssl
privatekeydir = /var/lib/puppet/ssl/private_keys
cadir=$ssldir/ca
templatedir = /etc/puppet/templates
ignoreschedules = true
inventory_port = 8140
ca_port = 8140
statefile = /var/lib/puppet/state/state.yaml
classfile = /var/lib/puppet/state/classes.txt
report_port = 8140
server = node00.swehack.localdomain
lastrunfile = /var/lib/puppet/state/last_run_summary.yaml
pidfile = $rundir/agent.pid
config = /etc/puppet/puppet.conf
puppetdlog = /var/log/puppet/puppetd.log
daemonize = false
hostcert = /etc/puppet/ssl/certs/node00.swehack.localdomain.pem
hostcsr = /etc/puppet/ssl/csr_node00.swehack.localdomain.pem
hostprivkey = /etc/puppet/ssl/private_keys/node00.swehack.localdomain.pem
hostpubkey = /etc/puppet/ssl/public_keys/node00.swehack.localdomain.pem

I do not have those options set in the apache vhost. I have a working
configuration at work that I've taken over, hence my limited knowledge
in it, and this configuration also sets the SSL options you speak of
in puppet.conf instead of the vhost.

Here's my vhost just for good measure, this is a closed network for
testing anyways so I have nothing to hide. :)

# Based on http://projects.puppetlabs.com/projects/1/wiki/Using_Passenger

Listen 8140


SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/node00.swehack.localdomain.pem
SSLCertificateFile /var/lib/puppet/ssl/certs/node00.swehack.localdomain.pem
SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
#SSLCARevocationFile /var/lib/puppet/ssl/crl.pem
# Set to require if this puppetmaster doesn't issue certificates
# to puppet clients.
# NB: this requires SSLCACertificateFile
/var/lib/puppet/ssl/certs/ca.pem
# issuing puppet client certificate.
SSLVerifyClient optional
SSLVerifyDepth  1
SSLOptions +StdEnvVars

# This is useful for Pound proxying
#RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
#RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
#RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

# Passenger options that can be set in a virtual host
# configuration block.
PassengerMaxPoolSize 15
PassengerUseGlobalQueue on
PassengerMaxRequests 1
PassengerHighPerformance on
PassengerStatThrottleRate 120
PassengerUseGlobalQueue on
RackAutoDetect Off
RailsAutoDetect Off
RackBaseURI /

DocumentRoot /usr/share/puppet/rack/puppetmasterd/public

Options None
AllowOverride None
Order allow,deny
allow from all



And in the /usr/share/puppet/rack/puppetmasterd directory is where the
config.ru script is.


2011/6/27 Patrick :
> I see 2 likely options:
> 1) You don't have these lines in puppet.conf:
> #ssl_client_header = HTTP_SSL_CLIENT_S_DN
> #ssl_client_verify_header = HTTP_SSL_CLIENT_VERIFY
>
> and you didn't put the equivalent line

Re: [Puppet Users] Permission denied on new Passenger install

2011-06-27 Thread Patrick
I see 2 likely options:
1) You don't have these lines in puppet.conf:
#ssl_client_header = HTTP_SSL_CLIENT_S_DN
#ssl_client_verify_header = HTTP_SSL_CLIENT_VERIFY

and you didn't put the equivalent lines in the apache config files.

2) You put the correct lines in the apache files and the puppet files, which 
doesn't work.

Summary: You must change which headers puppet is looking for or what apache 
names those headers, but NOT both.

On Jun 27, 2011, at 12:11 AM, Stefan Midjich wrote:

> I installed puppet-passenger from Debian apt and most of the
> configuration files mentioned in my Pro Puppet book were already
> created and the config.ru script even had the correct owner
> permissions. I'm saying this so you'll understand that I have chapter
> 4 of the famous Apress book in front of me while I'm doing this and I
> have no idea what I've missed.
> 
> This is the output when puppet agent -oDdv is run.
> 

[Puppet Users] Permission denied on new Passenger install

2011-06-27 Thread Stefan Midjich
I installed puppet-passenger from Debian apt and most of the
configuration files mentioned in my Pro Puppet book were already
created and the config.ru script even had the correct owner
permissions. I'm saying this so you'll understand that I have chapter
4 of the famous Apress book in front of me while I'm doing this and I
have no idea what I've missed.

This is the output when puppet agent -oDdv is run.

Jun 27 08:55:28 node00 puppet-agent[9861]:
Puppet::Type::User::ProviderPw: file pw does not exist
Jun 27 08:55:28 node00 puppet-agent[9861]:
Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does
not exist
Jun 27 08:55:28 node00 puppet-agent[9861]:
Puppet::Type::User::ProviderUser_role_add: file rolemod does not exist
Jun 27 08:55:28 node00 puppet-agent[9861]:
Puppet::Type::User::ProviderLdap: true value when expecting false
Jun 27 08:55:28 node00 puppet-agent[9861]: Failed to load library
'selinux' for feature 'selinux'
Jun 27 08:55:28 node00 puppet-agent[9861]:
Puppet::Type::File::ProviderMicrosoft_windows: feature
microsoft_windows is missing
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/certificate_requests]) Autorequiring File[/var/lib/puppet/ssl]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/private_keys]) Autorequiring File[/var/lib/puppet/ssl]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/public_keys]) Autorequiring File[/var/lib/puppet/ssl]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
log]) Autorequiring File[/var/lib/puppet]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/run/puppet/
agent.pid]) Autorequiring File[/var/run/puppet]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl]) Autorequiring File[/var/lib/puppet]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/certs/ca.pem]) Autorequiring File[/var/lib/puppet/ssl/certs]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
client_data]) Autorequiring File[/var/lib/puppet]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
client_yaml]) Autorequiring File[/var/lib/puppet]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/crl.pem]) Autorequiring File[/var/lib/puppet/ssl]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
state]) Autorequiring File[/var/lib/puppet]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/certs]) Autorequiring File[/var/lib/puppet/ssl]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
state/graphs]) Autorequiring File[/var/lib/puppet/state]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
clientbucket]) Autorequiring File[/var/lib/puppet]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
state/last_run_summary.yaml]) Autorequiring File[/var/lib/puppet/
state]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/private]) Autorequiring File[/var/lib/puppet/ssl]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
facts]) Autorequiring File[/var/lib/puppet]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
lib]) Autorequiring File[/var/lib/puppet]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/etc/puppet/
puppet.conf]) Autorequiring File[/etc/puppet]
Jun 27 08:55:28 node00 puppet-agent[9861]: Finishing transaction
69835232135480
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/certs]) Autorequiring File[/var/lib/puppet/ssl]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl]) Autorequiring File[/var/lib/puppet]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/crl.pem]) Autorequiring File[/var/lib/puppet/ssl]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/certificate_requests]) Autorequiring File[/var/lib/puppet/ssl]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
log]) Autorequiring File[/var/lib/puppet]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
lib]) Autorequiring File[/var/lib/puppet]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
facts]) Autorequiring File[/var/lib/puppet]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
state]) Autorequiring File[/var/lib/puppet]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/certs/ca.pem]) Autorequiring File[/var/lib/puppet/ssl/certs]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/private]) Autorequiring File[/var/lib/puppet/ssl]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/private_keys]) Autorequiring File[/var/lib/puppet/ssl]
Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/public_keys]) Autorequiring File[/var/lib/puppet