Re: [Puppet Users] How can I have a defined resource depend on a resource that is not in the global scope?

2012-01-09 Thread Felix Frank
Hi,

On 01/07/2012 04:10 AM, bel wrote:
> I want it to notify an `exec`. However, the only way I could make this
> work is if I make the `exec` in the global scope (i.e., importing in
> site.pp). Otherwise, if I define the `exec` resource and do `require =>
> Exec['persist-iptables']`, when the `iptables::hole` resource is
> defined, it cannot find the `exec` resource.

Most surprising. I would have thought that worked, too.

I don't think it's good practice anyway.

Try putting the exec inside a class (e.g. iptables::persist), include
this from your define iptables::hole and require the whole class.

Side question: Are you sure this design is sound? Even if the class
approach helps, this cannot work: Your 'firewall' resources notify the
exec, so they implicitly are before => Exec[...]. They cannot ever
require it.
As a matter of fact, there is no simple solution that I know of to make
puppet run an exec *before* something but only if that something is
modified.

Still HTH,
Felix

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.



[Puppet Users] puppet-selinux

2012-01-09 Thread Jonathan Gazeley

Hi all,

I'm having some problems working with puppet-selinux[1]

I've successfully deployed the module in nodes.pp and got it to set 
various SELinux modes, by using


class { selinux: mode => 'permissive' }
  or
class { selinux: mode => 'enforcing' }

Now I want to load a custom SELinux policy file. According to the docs, 
the correct calling syntax is this


selinux::module{ 'resnet-nrpe':
  ensure => 'present',
  source => 'puppet:///modules/nagios/nrpe/resnet-nrpe.te',
}

However running with that throws this error:

err: Could not retrieve catalog from remote server: Error 400 on SERVER: 
Duplicate definition: Class[Selinux] is already defined in file 
/etc/puppet/manifests/nodes.pp at line 14; cannot redefine at 
/etc/puppet/modules/selinux/manifests/module.pp:40 on node


So it looks like you can't specify a class twice. selinux::module seems 
to instantiate selinux automatically. I tried commenting this 
declaration but it threw this error instead:


err: Could not retrieve catalog from remote server: Error 400 on SERVER: 
undefined method `' for {}:Hash on node


So, I don't really know what the best solution is. The module code is 
quite simple so I'd be grateful if someone could suggest the best way. 
Ultimately, I want the SELinux module deployed on all my boxes, 
regardless of whether the box is running in permissive or enforcing mode.


Thanks,
Jonathan

[1] https://github.com/jfryman/puppet-selinux




[Puppet Users] Re: How can I have a defined resource depend on a resource that is not in the global scope?

2012-01-09 Thread jcbollinger


On Jan 6, 9:10 pm, bel belm...@gmail.com wrote:
> I am working on this module:
>
> https://github.com/belminf/puppet-iptables
>
> I have this defined resource:
>
> define iptables::hole ($proto='tcp', $port, $source=undef) {
>     firewall { "100 input: $name":
>       chain  => 'INPUT',
>       proto  => $proto,
>       dport  => $port,
>       source => $source,
>       action => 'accept',
>     }
> }
>
> I want it to notify an `exec`. However, the only way I could make this work
> is if I make the `exec` in the global scope (i.e., importing in site.pp).
> Otherwise, if I define the `exec` resource and do `require =>
> Exec['persist-iptables']`, when the `iptables::hole` resource is defined,
> it cannot find the `exec` resource.
>
> Can someone help me re-factor this so it doesn't require an import? You are
> more than welcome to modify the code on github.


ALL Puppet resources have global scope.  Very likely either your
target exec is not in a class, or you do not ensure that its class is
included before you try to reference it.  Here is one way that will
work:

iptables/persist.pp:
---
class iptables::persistance {
  exec { 'persist-iptables':
    # ...
  }
}


iptables/hole.pp:
---
define iptables::hole ($proto='tcp', $port, $source=undef) {
  include 'iptables::persistance'
  firewall { "100 input: $name":
    # ...
    notify => Exec['persist-iptables']
  }
}


John




[Puppet Users] Re: Blocking or gating service restarts?

2012-01-09 Thread jcbollinger


On Jan 6, 3:52 pm, simonmcc simon.mccart...@gmail.com wrote:
> inside puppet is it possible to block or stall a service restart until
> some external component clears the restart?
>
> for example, I want to make sure a node is bled down on the
> load-balancer before allowing the restart to happen.
>
> a post restart feature of re-enabling in the load-balancer would also
> be really useful :-)


Generally, Puppet uses a service's init script to manipulate it, so
you can alter services' restart behavior by modifying their init
scripts.  That has the additional advantage that you get the same
behavior if the service is ever restarted any other way.

There is no way to tell Puppet to start processing one resource,
switch to processing a different resource, and later resume with the
first.  You could possibly split the load balancer bleed-down and
spin-up into separate resources, however, and use standard Puppet 'require'
and 'before' relationships or resource chaining to establish order of
application.  That might be advantageous if there are multiple
resources you want to manage only while the load-balancer is down.


John




[Puppet Users] Re: Error 400 on SERVER: Permission denied - /var/lib/puppet/yaml/facts/server.example.com.yaml

2012-01-09 Thread David Klann
On Jan 6, 4:04 pm, David Chin chi...@wfu.edu wrote:
> Hello,
>
> I'm new to puppet, and am working through the Pro Puppet book
> (Turnbull & McCune). After a bit of struggling, I managed to get
> puppet + passenger + apache mostly working: a simple connect to the
> server on https port 8140 gives The environment must be purely
> alphanumeric, not ''
>
> Here is what I have running:
> - RedHat Enterprise Linux 6
> - httpd 2.2.15-15.el6
> - puppet 2.7.9-1.el6
> - puppet-server 2.7.9-1.el6
> - mod_passenger 3.0.11-1.el6
> - rubygem-rack 1.1.0-2.el6
> - facter 1.6.4-1.el6


I just ran into this with Puppet Enterprise on CentOS 6.2. This may be
related to a known bug, but it seems slightly different:

http://projects.puppetlabs.com/issues/11807

Maybe someone with more experience can offer their view.

  ~David Klann




[Puppet Users] Re: Puppet agent hangs after running a few hours, defunct sh process

2012-01-09 Thread jcbollinger


On Jan 7, 9:40 pm, Andreas N d...@pseudoterminal.org wrote:
> On Friday, January 6, 2012 5:31:34 PM UTC+1, jcbollinger wrote:
>
> > Nothing in your log suggests that the Puppet agent is doing any work
> > when it fails.  It appears to apply a catalog successfully, then
> > create a report successfully, then nothing else.  That doesn't seem
> > like a problem in a module.  Nevertheless, you could try removing
> > classes from the affected node's configuration and testing whether
> > Puppet still freezes.
>
> John, thanks for your reply. I'll be deploying a node that includes no
> modules at all and see if a zombie process appears again.
>
> > You said the agent runs for several hours before it hangs.  Does it
> > perform multiple successful runs during that time?  That also would
> > tend to counterindicate a problem in your manifests.
>
> Yes, the agents perform several runs (with no changes to the catalog) and
> then simply freeze up, waiting for the defunct sh process to return.
>
> > I'm suspicious that something else on your systems is interfering with
> > the Puppet process; some kind of service manager, for example.  You'll
> > have to say whether that's a reasonable guess.  Alternatively, you may
> > have a system-level bug; there have been a few Ruby bugs and kernel
> > regressions that interfered with Puppet operation.
>
> Those are all pretty plain Ubuntu 10.04.3 server installations (both i386
> and x86_64), especially the ones I deployed this week, which aren't in
> production yet. What kind of service manager could there even be that
> interferes?


I was thinking along the lines of an intrusion detection system, or
perhaps a monitoring / management tool such as Nagios.  That's not to
say that I suspect Nagios in particular -- a lot of people seem to use
it together with Puppet with great success.  It sounds like such a
thing is not in your picture, however.


> > You could try using strace to determine where the failure happens,
> > though that's not as simple as it may sound.
>
> Simply trying to strace the zombie process only results in an Operation
> not permitted. The agent process shows these lines repeatedly:
>
> Process 3741 attached - interrupt to quit
> select(8, [7], NULL, NULL, {1, 723393}) = 0 (Timeout)
> sigprocmask(SIG_BLOCK, NULL, [])        = 0
> sigprocmask(SIG_BLOCK, NULL, [])        = 0
> select(8, [7], NULL, NULL, {2, 0})      = 0 (Timeout)
> sigprocmask(SIG_BLOCK, NULL, [])        = 0
> sigprocmask(SIG_BLOCK, NULL, [])        = 0
> ...
>
> That doesn't tell me anything other than that the puppet agent is blocking
> on select() with a timeout of two seconds.


I kinda meant to trace a new agent process so as to catch whatever
happens when it transitions to non-functional state.  Nevertheless,
the trace does yield a bit of information.  In particular, it shows
that the agent is not fully blocked.  In that case, the fact that it
has a defunct child process that it has not collected makes me even
more suspect a Ruby bug.  I am also a bit curious what open FD 7 that
Puppet is selecting for might be, but I don't think that's directly
related to your issue.

I suggest you compare the Ruby and kernel versions installed on the
affected nodes to those installed on unaffected nodes.  It may also be
useful to compare the Puppet configuration (/etc/puppet/puppet.conf)
on failing nodes to those on non-failing nodes to see whether any
options are set differently.  I am especially curious as to
whether the 'listen' option might be enabled when it does not need to
be (or does it?), but there might be other significant differences.


John




[Puppet Users] copying file(s) from agent to master??

2012-01-09 Thread Sans
Is there a way to copy file(s) from the Puppet agent back to the
master? I know it sounds silly but that's what I need to do. This is
one of the s/w-tag files, gets created/modified automatically by the
software installation job and then I want to overwrite the tag files
on two other agents with this one. Is there a way for doing this?

Cheers,
San




Re: [Puppet Users] copying file(s) from agent to master??

2012-01-09 Thread Christopher Johnston
I think you want to use the filebucket setup for this, I am not 100%
familiar with it though.

On Mon, Jan 9, 2012 at 10:50 AM, Sans r.santanu@gmail.com wrote:

> Is there a way to copy file(s) from the Puppet agent back to the
> master? I know it sounds silly but that's what I need to do. This is
> one of the s/w-tag files, gets created/modified automatically by the
> software installation job and then I want to overwrite the tag files
> on two other agents with this one. Is there a way for doing this?
>
> Cheers,
> San




Re: [Puppet Users] [Debug] Display Ressource attribut

2012-01-09 Thread Felix Frank
Hi,

On 01/05/2012 06:37 PM, Antidot SAS wrote:
> Hi everyone,
>
> Do you know if there is a way to display a certain resource attribute.
>
> For instance, I want to display the 'require' of the User['test']


not easily AFAIK. You can however scrutinize the catalog in
/var/lib/puppet/client_yaml/catalog/.

It's best viewed using ruby (e.g. irb) to deserialize the yaml and
pretty-print it. The raw YAML is readable enough if you're in a pinch.

HTH,
Felix




Re: [Puppet Users] Re: inheritance

2012-01-09 Thread Antidot SAS
Hi everyone,

Finally Dan, my inheritance was not working because there was a dependency
problem; that's why my realization was not working right.


Now regarding the final solution the same schema is applied:
Because I have the following class:
# user_system.pp
#
# Realize the system users

class user::user_system inherits user::virtual {
    # Realize system members
    Group <| tag == 'user_system' |> -> User <| tag == 'user_system' |>
}


And the class:
# unixadmins.pp
#
# Realize the members of the Unix team and include any contractors

class user::user_sysadmin inherits user::user_system {
    # Realize our team members
    Group <| tag == 'user_sysadmin' |> -> User <| tag == 'user_sysadmin' |>
}


But apparently I was thinking of class inheritance more as a prerequisite, but
this seems to be the wrong understanding of the concept, and class
inheritance is to be used only to redefine resources or add some; at least
that's what I have understood from John's messages: it should be reserved
for cases where the subclass overrides properties of a superclass's
resources



On Fri, Jan 6, 2012 at 6:42 PM, Dan White y...@comcast.net wrote:

> Could you post the final solution ?
> I am interested to see the proper way of doing this.
>
> Thanks.
>
> “Sometimes I think the surest sign that intelligent life exists elsewhere
> in the universe is that none of it has tried to contact us.”
> Bill Watterson (Calvin & Hobbes)
>
> - Antidot SAS antidot...@gmail.com wrote:
> > I found out what was the problem: a group wasn't declared right. But you
> > point out a acknowledge that I misunderstand the class inheritance is just
> > to change the default attributes not to be executed before, thx for reminding
> > me this.
> > On 6 Jan 2012 15:22, jcbollinger john.bollin...@stjude.org wrote:
> >
> > > On Jan 5, 12:25 pm, Antidot SAS antidot...@gmail.com wrote:
> > > > Hi everyone,
> > > >
> > > > I have a quick question for everybody, does the class inheritance work for
> > > > realizing resources?
> > > >
> > > > Because I have the following class:
> > > > # user_system.pp
> > > > #
> > > > # Realize the system users
> > > >
> > > > class user::user_system inherits user::virtual {
> > > >     # Realize system members
> > > >     Group <| tag == 'user_system' |> -> User <| tag == 'user_system' |>
> > > > }
> > > >
> > > > And the class:
> > > > # unixadmins.pp
> > > > #
> > > > # Realize the members of the Unix team and include any contractors
> > > >
> > > > class user::user_sysadmin inherits user::user_system {
> > > >     # Realize our team members
> > > >     Group <| tag == 'user_sysadmin' |> -> User <| tag == 'user_sysadmin' |>
> > > > }
> > > >
> > > > each time a node uses the class 'user::user_sysadmin' the realisation of
> > > > the class 'user::user_system' doesn't work, did I misunderstand the class
> > > > inheritance?
> > >
> > > I think you understood correctly, to a point.  Given the classes you
> > > specified, if your manifest includes class user::user_sysadmin then I
> > > would expect both Group collections and both User collections to be
> > > realized, with dependencies set up per the chaining operators you
> > > used.  You didn't say how you determined that this was not happening,
> > > and without knowing the contents of class user::virtual I cannot
> > > venture a guess.
> > >
> > > HOWEVER, what you have shown is not an appropriate use case for class
> > > inheritance.  Inheritance can get the job done here (or should be able
> > > to do), but it should be reserved for cases where the subclass
> > > overrides properties of a superclass's resources.  Otherwise, it works
> > > as well or better, and is more flexible, to 'include' the erstwhile
> > > parent class instead of inheriting from it:
> > >
> > > class user::user_system {
> > >   include 'user::virtual'
> > >   Group <| tag == 'user_system' |> -> User <| tag == 'user_system' |>
> > > }
> > >
> > > class user::user_sysadmin {
> > >   include 'user::user_system'
> > >   Group <| tag == 'user_sysadmin' |> -> User <| tag == 'user_sysadmin' |>
> > > }
> > >
> > > It is possible that rewriting your classes that way will solve the
> > > problem, but I can hardly be confident without understanding the
> > > nature of the problem in the first place.
> > >
> > >
> > > John
  

Re: [Puppet Users] Error 400 on SERVER: Permission denied - /var/lib/puppet/yaml/facts/server.example.com.yaml

2012-01-09 Thread David Chin
Turns out to be SELinux: httpd_t needs file write to puppet_var_lib_t.

Cheers,
Dave
--
David Chin, Ph.D.
chi...@wfu.edu                  High Performance Computing Systems Analyst
Office: +1.336.758.2964         Wake Forest University
Mobile: +1.336.608.0793         Winston-Salem, NC
Email-to-txt: 3366080...@mms.att.net           Google Talk: chi...@wfu.edu
Web: http://www.wfu.edu/~chindw
     https://plus.google.com/108169173177119739731/about



On Fri, Jan 6, 2012 at 17:04, David Chin chi...@wfu.edu wrote:
> Hello,
>
> I'm new to puppet, and am working through the Pro Puppet book
> (Turnbull & McCune). After a bit of struggling, I managed to get
> puppet + passenger + apache mostly working: a simple connect to the
> server on https port 8140 gives The environment must be purely
> alphanumeric, not ''
>
> Here is what I have running:
> - RedHat Enterprise Linux 6
> - httpd 2.2.15-15.el6
> - puppet 2.7.9-1.el6
> - puppet-server 2.7.9-1.el6
> - mod_passenger 3.0.11-1.el6
> - rubygem-rack 1.1.0-2.el6
> - facter 1.6.4-1.el6
>
> I'm sanitizing data here by using puppet.example.com as the server
> name.
>
> My /etc/puppet/puppet.conf has:
>    [main]
>    server = puppet.example.com
>
> On the puppet server, I am trying to test by doing:
> puppet agent --verbose --debug --test
>
> I get the error message:
>
>    err: Could not retrieve catalog from remote server: Error 400 on SERVER: Permission denied - /var/lib/puppet/yaml/facts/puppet.example.com.yaml
>    warning: Not using cache on failed catalog
>    err: Could not retrieve catalog; skipping run
>
> Permissions on /var/lib/puppet/yaml/facts:
>
>    drwxr-x---. puppet puppet unconfined_u:object_r:puppet_var_lib_t:s0 /var/lib/puppet/yaml/facts/
>
> I manually created the .yaml file by doing:
> facter -y > ${factsdir}/$(facter fqdn).yaml
>
> Thanks in advance for any pointers.
>
> Cheers,
> -- David Chin



[Puppet Users] node parameters

2012-01-09 Thread Craig White
I've been using foreman as an ENC and assigning node parameters for some time 
and it was clearly working but it apparently broke somewhere along the way and 
I can't tell why.

Here's part of the modules/sudoers/manifests/sudoers_hostgroup.pp

class sudoers::hostgroup {
  case hostgroup {
    default: {
      file { "/etc/sudoers.d/admins_web":
        ensure => present,
        owner  => root,
        group  => root,
        mode   => 0440,
        source => "puppet:///modules/sudoers/admins_web",
      }
      # Puppet maintained file /etc/puppet/deployment_files/ldap_admins_web
      file { "/etc/puppet/deployment_files/ldap_admins_web":
        ensure  => present,
        owner   => root,
        group   => root,
        mode    => 0644,
        content => generate("/etc/puppet/scripts/ldap-add-host.sh", $fqdn, "admins_web"),
        require => Class["mod_puppet::deployment_files"],
      }
    }
    'database server': {
      file { "/etc/sudoers.d/admins_database":
        ensure => present,
        owner  => root,
        group  => root,
        mode   => 0440,
        source => "puppet:///modules/sudoers/admins_database",
      }
      # Puppet maintained file /etc/puppet/deployment_files/ldap_admins_database
      file { "/etc/puppet/deployment_files/ldap_admins_database":
        ensure  => present,
        owner   => root,
        group   => root,
        mode    => 0644,
        content => generate("/etc/puppet/scripts/ldap-add-host.sh", $fqdn, "admins_database"),
        require => Class["mod_puppet::deployment_files"],
      }
    }
  }
}

and FWIW, some of the nodes that I set up in October and earlier have the files 
(puppet/deployment_files/admins_web, /etc/sudoers.d/admins_web) but the new 
nodes clearly do not. I'm not sure if it was migrating from puppet 2.6.8 or 
foreman from 0.3 to 0.4 but I can clearly see the 'hostgroup' parameters are 
attached to the host's yaml file in /var/lib/puppet/yaml/foreman

and just in case, I have tried changing the 'hostgroup' top scope to $hostgroup 
and $::hostgroup to no avail.

What am I missing or how can I troubleshoot this?

-- 
Craig White ~ craig.wh...@ttiltd.com
1.800.869.6908 ~~ www.ttiassessments.com 

Need help communicating between generations at work to achieve your desired 
success? Let us help!




Re: [Puppet Users] Re: Puppet agent hangs after running a few hours, defunct sh process

2012-01-09 Thread Jo Rhett
On Jan 7, 2012, at 7:40 PM, Andreas N wrote:
> That doesn't tell me anything other than that the puppet agent is blocking on
> select() with a timeout of two seconds.

Sounds like #10418.  Check your kernel version.
  https://projects.puppetlabs.com/issues/10418

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other 
randomness




Re: [Puppet Users] copying file(s) from agent to master??

2012-01-09 Thread Eric Shamow
Filebucket is the right answer.  Good docs on it here:

http://docs.puppetlabs.com/references/stable/type.html#file

And also the command-line utility to query or manage the bucket:

http://docs.puppetlabs.com/man/filebucket.html

-Erc 

-- 

Eric Shamow
Professional Services
http://puppetlabs.com/
(c)631.871.6441


On Monday, January 9, 2012 at 11:14 AM, Christopher Johnston wrote:

> I think you want to use the filebucket setup for this, I am not 100% familiar
> with it though.
>
> On Mon, Jan 9, 2012 at 10:50 AM, Sans r.santanu@gmail.com wrote:
> > Is there a way to copy file(s) from the Puppet agent back to the
> > master? I know it sounds silly but that's what I need to do. This is
> > one of the s/w-tag files, gets created/modified automatically by the
> > software installation job and then I want to overwrite the tag files
> > on two other agents with this one. Is there a way for doing this?
> >
> > Cheers,
> > San
  



[Puppet Users] scaling projections for dashboard database?

2012-01-09 Thread Jo Rhett
So I got dashboard up and running on our production system on Thursday before I
left. Within 48 hours it had completely filled the /var filesystem.  The ibdata1
file is currently at 8GB in size.

1. What size should I expect for ~500 nodes reporting every 30 minutes?

2. Are there some database cleanup scripts which I have managed to overlook 
that need to be run?

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other 
randomness




Re: [Puppet Users] puppet-selinux

2012-01-09 Thread Jonathan Gazeley
Just to provide the list archives with some closure, this was tracked 
down to be a bug in the puppet-selinux module, which the developer has 
now fixed. This is no longer an issue :)


Cheers,
Jonathan


On 09/01/12 11:37, Jonathan Gazeley wrote:

> Hi all,
>
> I'm having some problems working with puppet-selinux[1]
>
> I've successfully deployed the module in nodes.pp and got it to set
> various SELinux modes, by using
>
> class { selinux: mode => 'permissive' }
> or
> class { selinux: mode => 'enforcing' }
>
> Now I want to load a custom SELinux policy file. According to the docs,
> the correct calling syntax is this
>
> selinux::module{ 'resnet-nrpe':
>   ensure => 'present',
>   source => 'puppet:///modules/nagios/nrpe/resnet-nrpe.te',
> }
>
> However running with that throws this error:
>
> err: Could not retrieve catalog from remote server: Error 400 on SERVER:
> Duplicate definition: Class[Selinux] is already defined in file
> /etc/puppet/manifests/nodes.pp at line 14; cannot redefine at
> /etc/puppet/modules/selinux/manifests/module.pp:40 on node
>
> So it looks like you can't specify a class twice. selinux::module seems
> to instantiate selinux automatically. I tried commenting this
> declaration but it threw this error instead:
>
> err: Could not retrieve catalog from remote server: Error 400 on SERVER:
> undefined method `' for {}:Hash on node
>
> So, I don't really know what the best solution is. The module code is
> quite simple so I'd be grateful if someone could suggest the best way.
> Ultimately, I want the SELinux module deployed on all my boxes,
> regardless of whether the box is running in permissive or enforcing mode.
>
> Thanks,
> Jonathan
>
> [1] https://github.com/jfryman/puppet-selinux






Re: [Puppet Users] scaling projections for dashboard database?

2012-01-09 Thread Darin Perusich
Hi Jo,

The ibdata1 file only grows and never shrinks so I'd recommend
setting/adding innodb_file_per_table in /etc/my.cnf. You'll need to
go through the steps to purge it first, google is your friend, but
you'll no longer have the ever growing ibdata1 file. You probably
have a bunch of old mysql-bin.0* replication logs that can be nuked as
well.

I'll be happy once the dashboard supports PostgreSQL

--
Later,
Darin



On Mon, Jan 9, 2012 at 1:40 PM, Jo Rhett jrh...@netconsonance.com wrote:
> So I got dashboard up and running on our production system on Thursday
> before I left. Within 48 hours it had completely filled the /var filesystem.
> The ibdata1 file is currently at 8GB in size.
>
> 1. What size should I expect for ~500 nodes reporting every 30 minutes?
>
> 2. Are there some database cleanup scripts which I have managed to overlook
> that need to be run?
>
> --
> Jo Rhett
> Net Consonance : consonant endings by net philanthropy, open source and
> other randomness





[Puppet Users] Re: Database calls in puppet manifests

2012-01-09 Thread Jeff Sussna
This sounds like a fine solution. I won't have many, and easy enough
to encapsulate the data access in a shell script, and it sounds like I
can call generate directly from my template where I need the dynamic
values.

I may be getting greedy, but if a value doesn't change between runs,
will Puppet be smart enough to know the file doesn't need to be
updated on the client?


On Jan 7, 10:57 am, Nigel Kersten ni...@puppetlabs.com wrote:
 On Fri, Jan 6, 2012 at 8:45 AM, windowsrefund windowsref...@gmail.com wrote:



  On Jan 6, 10:25 am, Jeff Sussna j...@ingineering.it wrote:
   (How) do folks handle situations where puppet variables need to be
   populated from dynamic database queries?

  Most folks do not. However, some have spawned a framework called
  hiera. By default, hiera uses a yaml backend but it can certainly be
  extended to query a database. In fact, I believe a mongo backend is
  out there somewhere.

  Of course, if you wanted, you could even write a custom function for
  the job. Hiera is probably a cleaner direction though.

 Another option is to use the generate() function on your master if you've
 already got a shell/executable script that can get the data for you.

 If you've got lots of these, it's probably not the best approach, but it's
 a lower barrier to entry if you're only doing one or two.

 --
 Nigel Kersten
 Product Manager, Puppet Labs




Re: [Puppet Users] scaling projections for dashboard database?

2012-01-09 Thread Jo Rhett
On Jan 9, 2012, at 11:30 AM, Darin Perusich wrote:
 The ibdata1 file only grows and never shrinks so I'd recommend
 setting/adding innodb_file_per_table in /etc/my.cnf. You'll need to
 go through the steps to purge it first (Google is your friend),
 but you'll no longer have the ever-growing ibdata1 file.

I'm not tracking this answer.  I'm familiar with that option, and it means that 
instead of one I will have eighteen ever-growing files, right?  How does this 
change the total space used?

I have no problem with the database size never getting smaller on disk, I'm 
just curious what size is expected for it to grow to, and are there any cleanup 
scripts that should be done to free rows?

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other 
randomness




Re: [Puppet Users] scaling projections for dashboard database?

2012-01-09 Thread Darin Perusich
When mysql is running with innodb_file_per_table enabled you can use
OPTIMIZE TABLE to free space in the table files. When you have a single
ibdata file it does not. I'm not aware of any cleanup scripts or what
size you should expect the db to grow to.

--
Later,
Darin



On Mon, Jan 9, 2012 at 3:43 PM, Jo Rhett jrh...@netconsonance.com wrote:
 On Jan 9, 2012, at 11:30 AM, Darin Perusich wrote:

 The ibdata1 file only grows and never shrinks so I'd recommend
 setting/adding innodb_file_per_table in /etc/my.cnf. You'll need to
 go through the steps to purge it first (Google is your friend),
 but you'll no longer have the ever-growing ibdata1 file.


 I'm not tracking this answer.  I'm familiar with that option, and it means
 that instead of one I will have eighteen ever-growing files, right?  How
 does this change the total space used?

 I have no problem with the database size never getting smaller on disk, I'm
 just curious what size is expected for it to grow to, and are there any
 cleanup scripts that should be done to free rows?

 --
 Jo Rhett
 Net Consonance : consonant endings by net philanthropy, open source and
 other randomness





Re: [Puppet Users] Re: Database calls in puppet manifests

2012-01-09 Thread Nigel Kersten
On Mon, Jan 9, 2012 at 12:13 PM, Jeff Sussna j...@ingineering.it wrote:

 This sounds like a fine solution. I won't have many, and easy enough
 to encapsulate the data access in a shell script, and it sounds like I
 can call generate directly from my template where I need the dynamic
 values.

 I may be getting greedy, but if a value doesn't change between runs,
 will Puppet be smart enough to know the file doesn't need to be
 updated on the client?


Yes.

If you're say using the database call to populate the contents of a text
file, and that content does not change between runs, Puppet on the client
will not update the file if the contents already match your desired state.





 On Jan 7, 10:57 am, Nigel Kersten ni...@puppetlabs.com wrote:
  On Fri, Jan 6, 2012 at 8:45 AM, windowsrefund windowsref...@gmail.com
 wrote:
 
 
 
   On Jan 6, 10:25 am, Jeff Sussna j...@ingineering.it wrote:
(How) do folks handle situations where puppet variables need to be
populated from dynamic database queries?
 
   Most folks do not. However, some have spawned a framework called
   hiera. By default, hiera uses a yaml backend but it can certainly be
   extended to query a database. In fact, I believe a mongo backend is
   out there somewhere.
 
   Of course, if you wanted, you could even write a custom function for
   the job. Hiera is probably a cleaner direction though.
 
  Another option is to use the generate() function on your master if you've
  already got a shell/executable script that can get the data for you.
 
  If you've got lots of these, it's probably not the best approach, but
 it's
  a lower barrier to entry if you're only doing one or two.
 
  --
  Nigel Kersten
  Product Manager, Puppet Labs





-- 
Nigel Kersten
Product Manager, Puppet Labs




[Puppet Users] Re: scaling projections for dashboard database?

2012-01-09 Thread Stefan Heijmans
On Monday, 9 January 2012 19:40:00 UTC+1, Jo wrote:

 2. Are there some database cleanup scripts which I have managed to 
 overlook that need to be run?

 
have you tried this?
Cleaning old 
reports http://docs.puppetlabs.com/dashboard/manual/1.2/maintaining.html

perhaps also give the 'optimize the database' a try.

Stefan




Re: [Puppet Users] scaling projections for dashboard database?

2012-01-09 Thread Jo Rhett
On Jan 9, 2012, at 2:16 PM, Stefan Heijmans wrote:
 On Monday, 9 January 2012 19:40:00 UTC+1, Jo wrote:
 2. Are there some database cleanup scripts which I have managed to overlook 
 that need to be run?
  
 have you tried this?
 Cleaning old reports 
 http://docs.puppetlabs.com/dashboard/manual/1.2/maintaining.html
 
 perhaps also give the 'optimize the database' a try.

Yeah I saw these. We had a whopping 3 days of collected reports.  I think we 
want a bit more than that available for browsing ;-)  I was wondering if there 
was some hourly cleanup or something which needed to be done?

Is there any reasonable estimate for what amount of space you expect one system 
to use?  I realize this likely varies with the report size, but the rate of 
growth seems high enough that I'm surprised it wasn't mentioned in the 
installation docs.  I mean, it's grown half a gigabyte in the last 6 hours.  
With that kind of growth rate, you'd expect a warning to provide enough space 
for it and how to estimate your needs.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other 
randomness




Re: [Puppet Users] scaling projections for dashboard database?

2012-01-09 Thread Daniel Pittman
On Mon, Jan 9, 2012 at 14:47, Jo Rhett jrh...@netconsonance.com wrote:
 On Jan 9, 2012, at 2:16 PM, Stefan Heijmans wrote:

 On Monday, 9 January 2012 19:40:00 UTC+1, Jo wrote:

 2. Are there some database cleanup scripts which I have managed to
 overlook that need to be run?


 have you tried this?
 Cleaning old
 reports http://docs.puppetlabs.com/dashboard/manual/1.2/maintaining.html

 perhaps also give the 'optimize the database' a try.


 Yeah I saw these. We had a whopping 3 days of collected reports.  I think we
 want a bit more than that available for browsing ;-)  I was wondering if
 there was some hourly cleanup or something which needed to be done?

 Is there any reasonable estimate for what amount of space you expect one
 system to use?  I realize this likely varies with the report size, but the
 rate of growth seems high enough that I'm surprised it wasn't mentioned in
 the installation docs.  I mean, it's grown half a gigabyte in the last 6
 hours.  With that kind of growth rate, you'd expect a warning to provide
 enough space for it and how to estimate your needs.

That growth rate seems ... excessive.  Ultimately, the size of the
stored data is pretty directly related to the size of your YAML
reports; can you capture one of those and see how big it is on disk?

Daniel
-- 
⎋ Puppet Labs Developer – http://puppetlabs.com
♲ Made with 100 percent post-consumer electrons




Re: [Puppet Users] scaling projections for dashboard database?

2012-01-09 Thread Christopher Johnston
How often are you running puppet?  I have 1200 nodes running a few times a week 
and our growth is nothing like that.

 Original message 
Subject: Re: [Puppet Users] scaling projections for dashboard database? 
From: Jo Rhett jrh...@netconsonance.com 
To: puppet-users@googlegroups.com 
CC:  

On Jan 9, 2012, at 2:16 PM, Stefan Heijmans wrote:
On Monday, 9 January 2012 19:40:00 UTC+1, Jo wrote:
2. Are there some database cleanup scripts which I have managed to overlook 
that need to be run?
 
have you tried this?
Cleaning old 
reports http://docs.puppetlabs.com/dashboard/manual/1.2/maintaining.html

perhaps also give the 'optimize the database' a try.

Yeah I saw these. We had a whopping 3 days of collected reports.  I think we 
want a bit more than that available for browsing ;-)  I was wondering if there 
was some hourly cleanup or something which needed to be done?

Is there any reasonable estimate for what amount of space you expect one system 
to use?  I realize this likely varies with the report size, but the rate of 
growth seems high enough that I'm surprised it wasn't mentioned in the 
installation docs.  I mean, it's grown half a gigabyte in the last 6 hours.  
With that kind of growth rate, you'd expect a warning to provide enough space 
for it and how to estimate your needs.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other 
randomness




Re: [Puppet Users] scaling projections for dashboard database?

2012-01-09 Thread Jo Rhett
A little less than 500 nodes running every 30 minutes.  We do have some 
extensive modules though, and the reports from software deployments are quite 
large.

Can you share what size your database has grown to?

On Jan 9, 2012, at 3:55 PM, Christopher Johnston wrote:
 How often are you running puppet?  I have 1200 nodes running a few times a 
 week and our growth is nothing like that.
 
 
  Original message 
 Subject: Re: [Puppet Users] scaling projections for dashboard database? 
 From: Jo Rhett jrh...@netconsonance.com 
 To: puppet-users@googlegroups.com 
 CC: 
 
 
 On Jan 9, 2012, at 2:16 PM, Stefan Heijmans wrote:
 On Monday, 9 January 2012 19:40:00 UTC+1, Jo wrote:
 2. Are there some database cleanup scripts which I have managed to overlook 
 that need to be run?
  
 have you tried this?
 Cleaning old reports 
 http://docs.puppetlabs.com/dashboard/manual/1.2/maintaining.html
 
 perhaps also give the 'optimize the database' a try.
 
 Yeah I saw these. We had a whopping 3 days of collected reports.  I think we 
 want a bit more than that available for browsing ;-)  I was wondering if 
 there was some hourly cleanup or something which needed to be done?
 
 Is there any reasonable estimate for what amount of space you expect one 
 system to use?  I realize this likely varies with the report size, but the 
 rate of growth seems high enough that I'm surprised it wasn't mentioned in 
 the installation docs.  I mean, it's grown half a gigabyte in the last 6 
 hours.  With that kind of growth rate, you'd expect a warning to provide 
 enough space for it and how to estimate your needs.
 
 -- 
 Jo Rhett
 Net Consonance : consonant endings by net philanthropy, open source and other 
 randomness
 
 

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other 
randomness




[Puppet Users] puppet cert list --all shows revoked certificates even though they're not?

2012-01-09 Thread Gonzalo Servat
Hi All,

As per the subject, puppet cert list --all is showing a heap of revoked
certificates, even though they're not actually revoked. I can go on any of
the revoked clients' host and trigger a Puppet run, and it'll work fine.

The only reason why they appear revoked is because the systems were
re-installed, so I've issued a puppetca --clean host and signed the new
certificate, and it immediately appears as revoked (even though it's not).

Any ideas?

Thanks
Gonzalo




Re: [Puppet Users] puppet cert list --all shows revoked certificates even though they're not?

2012-01-09 Thread Jo Rhett
The previous certificate was revoked, and the new one was signed.  So what you 
are seeing is true…

On Jan 9, 2012, at 5:11 PM, Gonzalo Servat wrote:
 As per the subject, puppet cert list --all is showing a heap of revoked 
 certificates, even though they're not actually revoked. I can go on any of 
 the revoked clients' host and trigger a Puppet run, and it'll work fine.
 
 The only reason why they appear revoked is because the systems were 
 re-installed, so I've issued a puppetca --clean host and signed the new 
 certificate, and it immediately appears as revoked (even though it's not).
 
 Any ideas?
 
 Thanks
 Gonzalo
 

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other 
randomness




Re: [Puppet Users] puppet cert list --all shows revoked certificates even though they're not?

2012-01-09 Thread Gonzalo Servat
Thanks for your reply.

I was expecting to see something like:

+ host(good fingerprint here)
- host(revoked fingerprint here) (certificate revoked)

... but instead I just see the second line. I guess I just find it a bit
confusing.

- Gonzalo

On Tue, Jan 10, 2012 at 12:18 PM, Jo Rhett jrh...@netconsonance.com wrote:

 The previous certificate was revoked, and the new one was signed.  So what
 you are seeing is true…

 On Jan 9, 2012, at 5:11 PM, Gonzalo Servat wrote:

 As per the subject, puppet cert list --all is showing a heap of revoked
 certificates, even though they're not actually revoked. I can go on any of
 the revoked clients' host and trigger a Puppet run, and it'll work fine.

 The only reason why they appear revoked is because the systems were
 re-installed, so I've issued a puppetca --clean host and signed the new
 certificate, and it immediately appears as revoked (even though it's not).

 Any ideas?

 Thanks
 Gonzalo



 --
 Jo Rhett
 Net Consonance : consonant endings by net philanthropy, open source and
 other randomness




Re: [Puppet Users] puppet cert list --all shows revoked certificates even though they're not?

2012-01-09 Thread Jo Rhett
I agree. I would open a bug report :)

On Jan 9, 2012, at 5:26 PM, Gonzalo Servat wrote:
 Thanks for your reply.
 
 I was expecting to see something like:
 
 + host(good fingerprint here)
 - host(revoked fingerprint here) (certificate revoked)
 
 ... but instead I just see the second line. I guess I just find it a bit 
 confusing.
 
 - Gonzalo
 
 On Tue, Jan 10, 2012 at 12:18 PM, Jo Rhett jrh...@netconsonance.com wrote:
 The previous certificate was revoked, and the new one was signed.  So what 
 you are seeing is true…
 
 On Jan 9, 2012, at 5:11 PM, Gonzalo Servat wrote:
 As per the subject, puppet cert list --all is showing a heap of revoked 
 certificates, even though they're not actually revoked. I can go on any of 
 the revoked clients' host and trigger a Puppet run, and it'll work fine.
 
 The only reason why they appear revoked is because the systems were 
 re-installed, so I've issued a puppetca --clean host and signed the new 
 certificate, and it immediately appears as revoked (even though it's not).
 
 Any ideas?
 
 Thanks
 Gonzalo
 
 
 -- 
 Jo Rhett
 Net Consonance : consonant endings by net philanthropy, open source and other 
 randomness
 
 

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other 
randomness




Re: [Puppet Users] [Debug] Display Ressource attribut

2012-01-09 Thread Walter Heck
Look into using notice / notify.

sent from my mobile phone
On Jan 9, 2012 6:19 PM, Felix Frank felix.fr...@alumni.tu-berlin.de
wrote:

 Hi,

 On 01/05/2012 06:37 PM, Antidot SAS wrote:
  Hi everyone,
 
 
 
  Do you know if there is a way to display a certain resource attribute?
 
 
  For instance, I want to display the 'require' of the User['test']


 not easily AFAIK. You can however scrutinize the catalog in
 /var/lib/puppet/client_yaml/catalog/.

 It's best viewed using ruby (e.g. irb) to deserialize the yaml and
 pretty-print it. The raw YAML is readable enough if you're in a pinch.

 HTH,
 Felix







Re: [Puppet Users] puppet cert list --all shows revoked certificates even though they're not?

2012-01-09 Thread Gonzalo Servat
Done :)

   https://projects.puppetlabs.com/issues/11854

On Tue, Jan 10, 2012 at 1:14 PM, Jo Rhett jrh...@netconsonance.com wrote:

 I agree. I would open a bug report :)

 On Jan 9, 2012, at 5:26 PM, Gonzalo Servat wrote:

 Thanks for your reply.

 I was expecting to see something like:

 + host(good fingerprint here)
 - host(revoked fingerprint here) (certificate revoked)

 ... but instead I just see the second line. I guess I just find it a bit
 confusing.

 - Gonzalo

 On Tue, Jan 10, 2012 at 12:18 PM, Jo Rhett jrh...@netconsonance.com wrote:

 The previous certificate was revoked, and the new one was signed.  So
 what you are seeing is true…

 On Jan 9, 2012, at 5:11 PM, Gonzalo Servat wrote:

 As per the subject, puppet cert list --all is showing a heap of revoked
 certificates, even though they're not actually revoked. I can go on any of
 the revoked clients' host and trigger a Puppet run, and it'll work fine.

 The only reason why they appear revoked is because the systems were
 re-installed, so I've issued a puppetca --clean host and signed the new
 certificate, and it immediately appears as revoked (even though it's not).

 Any ideas?

 Thanks
 Gonzalo



  --
 Jo Rhett
 Net Consonance : consonant endings by net philanthropy, open source and
 other randomness




 --
 Jo Rhett
 Net Consonance : consonant endings by net philanthropy, open source and
 other randomness




Re: [Puppet Users] scaling projections for dashboard database?

2012-01-09 Thread Jo Rhett
On Jan 9, 2012, at 3:31 PM, Daniel Pittman wrote:
 Is there any reasonable estimate for what amount of space you expect one
 system to use?  I realize this likely varies with the report size, but the
 rate of growth seems high enough that I'm surprised it wasn't mentioned in
 the installation docs.  I mean, it's grown half a gigabyte in the last 6
 hours.  With that kind of growth rate, you'd expect a warning to provide
 enough space for it and how to estimate your needs.
 
 That growth rate seems ... excessive.  Ultimately, the size of the
 stored data is pretty directly related to the size of your YAML
 reports; can you capture one of those and see how big it is on disk?


FYI, in 10 hours the database has grown slightly more than 1G. That's an 
extensive growth rate.

Looking at the yaml files, I'm seeing 410k per file * 400 nodes = 160Mb per 30 
minutes.

Is there really no optimization that is performed on the data stored in the 
database?  Coming up with a few hundred gigabytes of file storage is one thing. 
 Trying to make mysql perform well with 100Gb database is an entirely different 
matter.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other 
randomness




Re: [Puppet Users] puppet cert list --all shows revoked certificates even though they're not?

2012-01-09 Thread Nan Liu
I couldn't really reproduce it. I would check your CRL revocation and
match it with your certificate serial number in puppet cert -p
certname.

openssl crl -in /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem -noout -text
Certificate Revocation List (CRL):
...
Revoked Certificates:
Serial Number: 0A
...
Serial Number: 0C
...

puppet cert -p demo.puppetlabs.lan
...
Serial Number: 13 (0xd)

If these numbers match, it's revoked. And if your puppet master is
still accepting agents with revoked certs, it might be a CRL
misconfiguration. It's easy to tell if you re-signed a cert by looking
at inventory.txt (because the same CN will show up twice):

cat /etc/puppetlabs/puppet/ssl/ca/inventory.txt
...
0x000c 2011-12-13T21:58:43GMT 2016-12-12T21:58:43GMT /CN=demo.puppetlabs.lan
0x000d 2011-12-13T21:58:55GMT 2016-12-12T21:58:55GMT /CN=demo.puppetlabs.lan

With all the info above, you should be able to tell 0xc is revoked,
the server currently has 0xd which is still valid and puppet cert -la
should show + demo.puppetlabs.lan.

Thanks,

Nan

On Mon, Jan 9, 2012 at 6:54 PM, Gonzalo Servat gser...@gmail.com wrote:
 Done :)

    https://projects.puppetlabs.com/issues/11854


 On Tue, Jan 10, 2012 at 1:14 PM, Jo Rhett jrh...@netconsonance.com wrote:

 I agree. I would open a bug report :)

 On Jan 9, 2012, at 5:26 PM, Gonzalo Servat wrote:

 Thanks for your reply.

 I was expecting to see something like:

 + host    (good fingerprint here)
 - host    (revoked fingerprint here) (certificate revoked)

 ... but instead I just see the second line. I guess I just find it a bit
 confusing.

 - Gonzalo

 On Tue, Jan 10, 2012 at 12:18 PM, Jo Rhett jrh...@netconsonance.com
 wrote:

 The previous certificate was revoked, and the new one was signed.  So
 what you are seeing is true…

 On Jan 9, 2012, at 5:11 PM, Gonzalo Servat wrote:

 As per the subject, puppet cert list --all is showing a heap of revoked
 certificates, even though they're not actually revoked. I can go on any of
 the revoked clients' host and trigger a Puppet run, and it'll work fine.

 The only reason why they appear revoked is because the systems were
 re-installed, so I've issued a puppetca --clean host and signed the new
 certificate, and it immediately appears as revoked (even though it's not).

 Any ideas?

 Thanks
 Gonzalo



 --
 Jo Rhett
 Net Consonance : consonant endings by net philanthropy, open source and
 other randomness




 --
 Jo Rhett
 Net Consonance : consonant endings by net philanthropy, open source and
 other randomness


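The serial-number cross-check described in the message above, as an added example that is not part of the original thread or Puppet's own code: it parses `openssl crl -text` output and `inventory.txt` and reports, per CN, whether the newest serial is on the CRL. The sample text is constructed from the lines quoted in the thread; `old.puppetlabs.lan`, the function names, and treating the last inventory line for a CN as the current certificate are assumptions.

```python
import re

# Constructed sample: trimmed `openssl crl -noout -text` output, serials as in the thread.
CRL_TEXT = """\
Certificate Revocation List (CRL):
Revoked Certificates:
    Serial Number: 0A
    Serial Number: 0C
"""
# inventory.txt sample: the demo lines are from the thread, old.puppetlabs.lan is constructed.
INVENTORY_TEXT = """\
0x000a 2011-12-13T21:40:00GMT 2016-12-12T21:40:00GMT /CN=old.puppetlabs.lan
0x000c 2011-12-13T21:58:43GMT 2016-12-12T21:58:43GMT /CN=demo.puppetlabs.lan
0x000d 2011-12-13T21:58:55GMT 2016-12-12T21:58:55GMT /CN=demo.puppetlabs.lan
"""

def revoked_serials(crl_text):
    """Serials on the CRL; openssl prints them as bare hex (0C), so parse base 16."""
    found = re.findall(r"^[ \t]*Serial Number:[ \t]*([0-9A-Fa-f]+)[ \t]*$", crl_text, re.M)
    return {int(s, 16) for s in found}

def cert_serial(line):
    """Serial from a 'Serial Number: 13 (0xd)' line; the first number is decimal."""
    m = re.search(r"Serial Number:\s*(\d+)\s*\(0x([0-9A-Fa-f]+)\)", line)
    if not m or int(m.group(1)) != int(m.group(2), 16):
        raise ValueError("unrecognised serial line: %r" % line)
    return int(m.group(1))

def inventory(inv_text):
    """Map CN -> serials in issue order (assumption: inventory.txt is append-only)."""
    certs = {}
    for line in inv_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3].startswith("/CN="):
            certs.setdefault(parts[3][4:], []).append(int(parts[0], 16))
    return certs

def status(crl_text, inv_text):
    """Per CN: is the newest serial revoked, and were older serials revoked too?"""
    revoked = revoked_serials(crl_text)
    report = {}
    for cn, serials in inventory(inv_text).items():
        *older, current = serials
        report[cn] = {
            "current": current,
            "current_revoked": current in revoked,
            "older_revoked": [s for s in older if s in revoked],
            "older_not_revoked": [s for s in older if s not in revoked],
        }
    return report
```

A non-empty `older_not_revoked` list means a superseded certificate for that CN was re-signed without being revoked, so its key would still be accepted.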



Re: [Puppet Users] puppet cert list --all shows revoked certificates even though they're not?

2012-01-09 Thread Gonzalo Servat
Thanks for your reply, Nan.

I had a look at the ca_crl.pem and the puppet cert -p host output, and
the serial number for the host is not listed in the revoked certificates
list in ca_crl.pem, yet puppet cert -la shows the certificate as revoked
for the host?

- Gonzalo


[Puppet Users] Puppet Triage-A-Thon

2012-01-09 Thread James Turnbull
Love Puppet? Hate the backlog of tickets? Want to help us out? The
Puppet community has grown really fast and a lot of you have logged
tickets and issues. We’ve tried to give those tickets as much love as we
could but some slip through the cracks and sometimes we get overwhelmed.
We’ve recognized this and want to try to get a handle on the backlog of
tickets. But we need your help to do this.

What we’re going to do is hold a Triage-a-thon hosted locally in our
offices, virtually on IRC (Freenode #puppethack) and the Web.

http://puppetlabs.com/events/triagepuppet/

We’re going to review all the open tickets in the Puppet project with a
view to:

* Update and confirm that issues are still relevant
* Ensure tickets are in the right status and all the right information
is present to help us resolve it
* Close any invalid or no longer relevant tickets

We’ll assign blocks of tickets to every participant, have documentation
explaining what you need to do and provide people on the ground to help
you make decisions and answer questions.

Triaging starts Saturday January 21st from 7am and lasts until 4pm (-8 GMT).

We’ll also provide pizza, snacks (and beer!) and a venue locally in our
Portland, OR offices. Virtually we’ll provide an IRC channel, IM and
rewards (t-shirts, patches, stickers, badges, and books) for people who
triage tickets and get involved.

We’ll also offer Amazon Gift Cards to our top 3 participants!

You can register for the event here:
http://triagepuppet.eventbrite.com/?ref=ebtn.

We hope you'll be interested in attending and helping us make Puppet better.

Thanks

James

-- 
James Turnbull
Puppet Labs
1-503-734-8571
To schedule a meeting with me: http://tungle.me/jamtur01
