[Puppet Users] Re: MySQL settings for puppet dashboard
Nobody has an idea? My actual solution is to send COMMIT; to the MySQL server and then run puppet agent --test, which leads to "Background Tasks - All systems go". But that can't be The Solution.

--
You received this message because you are subscribed to the Google Groups Puppet Users group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/DO5HTeS5MCgJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] how to refresh ssh/authorized_keys file content ?
Hi,

On 06/12/2012 07:39 PM, eduardo wrote:
> Hi all,
> How to refresh ssh/authorized_keys file content ?
> I'm trying massive loading keys. I need refresh authorized_keys file content.
> I try delete file before call ssh_authorized_key :

please don't. This is *not* how you are supposed to interact with authorized keys. Either use the ssh_authorized_key type *or* fiddle with the file, but don't mix them.

>     exec { "del_${user_local}_authorized_keys":
>       command => "rm /home/$user_local/.ssh/authorized_keys ; touch /home/$user_local/.ssh/authorized_keys ; chown $user_local:$user_local /home/$user_local/.ssh/authorized_keys",
>       path    => '/bin:/usr/bin',
>     }
>
> First run only delete file and in the second one I got desired result.
> I think is possible create content file using template but before leave ssh_authorized_key resource type way I want to know any other chance.

A template would work. You can also try simply pruning all unmanaged keys, so puppet will clear all unwanted stuff out. Take note that this will affect keys of *all* users (I believe), so you have to manage all keys on the system in question.

    resources { 'ssh_authorized_key': purge => true }

HTH,
Felix
Re: [Puppet Users] Re: puppetdb setup issue
Hi, thx for the reply, here are the info:

--
    nslookup puppetdb.fqdn
    Server: 10.10.200.29
    Address: 10.10.200.29#53
    puppetdb.fqdn canonical name = puppetmaster.fqdn
    Name: puppetmaster.fqdn
    Address: 10.10.200.17
--
    keytool -list -keystore /etc/puppetdb/ssl/keystore.jks
    Enter keystore password:
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    puppetmaster.fqdn, Jun 12, 2012, PrivateKeyEntry,
    Certificate fingerprint (MD5): 02:B5:21:B9:F7:72:4A:48:67:12:47:FF:0A:DE:B5:1D
--
    keytool -list -keystore /etc/puppetdb/ssl/truststore.jks
    Enter keystore password:
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    puppetdb ca, Jun 12, 2012, trustedCertEntry,
    Certificate fingerprint (MD5): 1F:1B:E7:2A:89:B5:87:65:4F:91:1A:8B:75:8F:AD:60
--
    puppet cert --fingerprint ca puppetmaster.fqdn
    ca 1F:1B:E7:2A:89:B5:87:65:4F:91:1A:8B:75:8F:AD:60

So it seems that the certificates are not right?

--
On the master:

    ntpq -p
    remote refid st t when poll reach delay offset jitter
    ==
    +ntp1 198.82.1.204 3 u 986 1024 377 0.106 -1.399 0.323
    *ntp2 129.70.132.32 3 u 54 1024 377 0.376 0.338 0.903
    LOCAL(0) .LOCL. 12 l 14h 64 0 0.000 0.000 0.000

As you see the server is up to date.

Does that help?

Regards,
JM

On Tue, Jun 12, 2012 at 10:46 PM, Nick Lewis n...@puppetlabs.com wrote:
> On Tuesday, June 12, 2012 7:39:22 AM UTC-7, A_SAAS wrote:
>> Hi everyone,
>> I am trying to setup the new puppetdb on my environment (currently it worked great with mysql databases). All the setup was made by package for debian squeeze and puppet is used with passenger.
>>
>> Here are the configuration files:
>> --
>>     cat /etc/puppetdb/conf.d/jetty.ini
>>     [jetty]
>>     # Hostname to list for clear-text HTTP. Default is localhost
>>     #host = localhost
>>     # Port to listen on for clear-text HTTP.
>>     host = puppetdb.fqdn
>>     port = 8080
>>     ssl-host = puppetdb.fqdn
>>     ssl-port = 8081
>>     keystore = /etc/puppetdb/ssl/keystore.jks
>>     truststore = /etc/puppetdb/ssl/truststore.jks
>>     key-password = uTyCY6damAQn9KInqCLuvAO53
>>     trust-password = uTyCY6damAQn9KInqCLuvAO53
>> --
>>     cat /etc/puppet/puppetdb.conf
>>     [main]
>>     server = pupperdb.fqdn
>>     port = 8081
>> --
>>     netstat -tulanp |egrep '808|543'
>>     tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 16224/postgres
>>     tcp 0 0 127.0.0.1:5432 127.0.0.1:9232 ESTABLISHED 27554/postgres: pup
>>     tcp 0 0 127.0.0.1:5432 127.0.0.1:9230 ESTABLISHED 27552/postgres: pup
>>     tcp 0 0 127.0.0.1:5432 127.0.0.1:9229 ESTABLISHED 27551/postgres: pup
>>     tcp 0 0 127.0.0.1:5432 127.0.0.1:9231 ESTABLISHED 27553/postgres: pup
>>     tcp6 0 0 10.10.200.17:8080 :::* LISTEN 27496/java
>>     tcp6 0 0 10.10.200.17:8081 :::* LISTEN 27496/java
>>     tcp6 0 0 127.0.0.1:9232 127.0.0.1:5432 ESTABLISHED 27496/java
>>     tcp6 0 0 127.0.0.1:9195 127.0.0.1:5432 TIME_WAIT -
>>     tcp6 0 0 127.0.0.1:9230 127.0.0.1:5432 ESTABLISHED 27496/java
>>     tcp6 0 0 127.0.0.1:9193 127.0.0.1:5432 TIME_WAIT -
>>     tcp6 0 0 127.0.0.1:9194 127.0.0.1:5432 TIME_WAIT -
>>     tcp6 0 0 127.0.0.1:9229 127.0.0.1:5432 ESTABLISHED 27496/java
>>     tcp6 0 0 127.0.0.1:9231 127.0.0.1:5432 ESTABLISHED 27496/java
>>     tcp6 0 0 127.0.0.1:9192 127.0.0.1:5432 TIME_WAIT -
>> --
>> Once everything is started:
>>
>>     2012-06-12 16:33:13,841 DEBUG [main] [bonecp.BoneCPDataSource] JDBC URL = jdbc:postgresql://localhost:5432/puppetdb, Username = puppetdb, partitions = 5, max (per partition) = 10, min (per partition) = 1, helper threads = 3, idle max age = 60 min, idle test period = 240 min
>>     2012-06-12 16:33:13,979 INFO [main] [cli.services] Starting broker
>>     2012-06-12 16:33:14,729 DEBUG [main] [page.PageFile] Page File: /usr/share/puppetdb/mq/localhost/KahaDB/db.data, Recovering page file...
>>     2012-06-12 16:33:14,790 DEBUG [main] [index.BTreeIndex] loading
>>     2012-06-12 16:33:14,795 DEBUG [main] [index.BTreeIndex] loading
>>     2012-06-12 16:33:14,796 DEBUG [main] [index.BTreeIndex] loading
>>     2012-06-12 16:33:14,796 DEBUG [main] [index.BTreeIndex] loading
>>     2012-06-12 16:33:14,796 DEBUG [main] [index.BTreeIndex] loading
>>     2012-06-12 16:33:14,796 DEBUG [main] [index.BTreeIndex] loading
>>     2012-06-12 16:33:14,977 INFO [main] [journal.Journal] ignoring zero length, partially initialised journal data file: db-1.log number = 1 , length = 0
>>     2012-06-12 16:33:14,987 DEBUG [main] [page.PageFile] Page File: /usr/share/puppetdb/mq/localhost/scheduler/scheduleDB.data, Recovering page file...
>>     2012-06-12 16:33:15,031 DEBUG [main] [index.BTreeIndex] loading
>>     2012-06-12 16:33:15,031 DEBUG [main] [index.BTreeIndex] loading
>>     2012-06-12 16:33:15,031 DEBUG [main] [index.BTreeIndex] loading
>>     2012-06-12 16:33:15,034 DEBUG [main] [index.BTreeIndex] loading
>>     2012-06-12 16:33:15,109 INFO [main] [cli.services] Starting 2 command processor threads
>>     2012-06-12 16:33:15,111 INFO [main] [cli.services] Starting query server
>>     2012-06-12 16:33:15,111 INFO [main] [cli.services] Starting database compactor (60 minute interval)
>>     2012-06-12 16:33:15,124 INFO [clojure-agent-send-off-pool-2] [mortbay.log] Logging to
[Puppet Users] can we avoid notify/subscribe firing on a mode change?
I managed to have a booboo tonight by restarting a process which really shouldn't be. What I ran into was that a mode change caused subscribe to fire and the process to restart. Is it just me, or should subscribe/notify only fire on content changes?

Also given that replace only affects file contents, this means that you can never change the mode of a file for new installs only, either. So it's always a risk of restarting a process.

And when I slapped myself over the head on this, I seemed to remember a discussion about making this granular. But I've searched and searched and I can't find the discussion. Can someone clue-by-4 me, or did I misremember this?

And if I did misremember, can anyone think of a reason that I shouldn't file a bug over this issue? I have thought and thought and I just can't find a situation where I think that changing the mode should cause a refresh. Owner or group in some circumstances, but not many. I think that the default should be content only, with an option to say any attribute.

--
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.
Re: [Puppet Users] Contributing pieces of a global value from multiple places
Hi,

I use an augeas resource that manages the FW_CONFIGURATIONS_$zone entry in etc/sysconfig/SuSEfirewall2.

    augeas { "fwservice_${svc}-$zone":
      context   => "/files/etc/sysconfig/SuSEfirewall2",
      onlyif    => "match FW_CONFIGURATIONS_$zone/value[.='$svc'] size == 0",
      changes   => [ "set FW_CONFIGURATIONS_$zone/value[.='$svc'] $svc", ],
      load_path => $augeas::params::lense_path,
      require   => Augeas::Lense['shellvars_list.aug'],
      notify    => Service[firewall],
    }

Each service adds a config file to /etc/sysconfig/SuSEfirewall2.d/services/

For example, in svn (the svn pkg supplies its own services file) …

    firewall::service { 'svnserve':
      allow   => true,
      require => Package["${svn::params::svn_apache_pkg}"],
    }

Cheers

On 12/06/2012, at 5:49 AM, Michael Smith wrote:
> Hi,
> I'm using Puppet to configure SuSEfirewall2. I have a class that lets me set a list of ports to open in a variable in /etc/sysconfig/SuSEfirewall2. It's just a wrapper around an Augeas resource.
>
> How can I make it so multiple classes can contribute a list of ports to my firewall class? For example:
>
>     class class1 {
>       firewall::tcp { '123': }
>     }
>     class class2 {
>       firewall::tcp { '456': }
>     }
>     # this would result in ports 123 and 456 being open
>     # (FW_SERVICES_EXT_TCP=123 456 in the firewall config file)
>     include class1
>     include class2
>
> I think I need a way to append 123 and 456 to some kind of global variable so my firewall class can pass the variable to an Augeas resource. Is something like this possible?
>
> Thanks,
> Mike
Re: [Puppet Users] can we avoid notify/subscribe firing on a mode change?
----- Original Message -----
> From: Jo Rhett jrh...@netconsonance.com
> To: puppet-users@googlegroups.com
> Sent: Wednesday, June 13, 2012 9:33:35 AM
> Subject: [Puppet Users] can we avoid notify/subscribe firing on a mode change?
>
> I managed to have a booboo tonight by restarting a process which really shouldn't be. What I ran into was that a mode change caused subscribe to fire and the process to restart. Is it just me, or should subscribe/notify only fire on content changes?

it's just you :P

> Also given that replace only affects file contents, this means that you can never change the mode of a file for new installs only, either. So it's always a risk of restarting a process.

sounds like replace should maybe be expanded to also support giving other properties the same treatment perhaps?

> And when I slapped myself over the head on this, I seemed to remember a discussion about making this granular. But I've searched and searched and I can't find the discussion. Can someone clue-by-4 me, or did I misremember this?
>
> And if I did misremember, can anyone think of a reason that I shouldn't file a bug over this issue? I have thought and thought and I just can't find a situation where I think that changing the mode should cause a refresh. Owner or group in some circumstances, but not many. I think that the default should be content only, with an option to say any attribute.

I can think of a few, but really any case where a file's mode out of the box from say RPM prevents some other service from functioning because it relies on this file. File mode change - dependent service restart.

Lots of daemons ship files like accessible only by $daemon:$daemon when what we need is $daemon:$otherdaemon or maybe $daemon:$group_of_daemons. You want to notice $otherdaemon that it can now read that file etc
Re: [Puppet Users] can we avoid notify/subscribe firing on a mode change?
On Jun 13, 2012, at 1:50 AM, R.I.Pienaar wrote:
> I can think of a few, but really any case where a file's mode out of the box from say RPM prevents some other service from functioning because it relies on this file. File mode change - dependent service restart.
>
> Lots of daemons ship files like accessible only by $daemon:$daemon when what we need is $daemon:$otherdaemon or maybe $daemon:$group_of_daemons. You want to notice $otherdaemon that it can now read that file etc

Good point. I outright stole and p0wned your words here for http://projects.puppetlabs.com/issues/14998

--
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.
Re: [Puppet Users] Re: puppetdb setup issue
OK, I have managed to have the same signature (Apparently using --config doesn't help for generating certificates :D)

So now is the deal:

    # keytool -list -keystore /etc/puppetdb/ssl/keystore.jks
    Enter keystore password:
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    puppetmaster.fqdn, Jun 13, 2012, PrivateKeyEntry,
    Certificate fingerprint (MD5): FE:EA:B4:FE:C4:2C:07:9B:15:B7:F2:DB:3A:78:B3:47
--
    # puppet cert fingerprint puppetmaster.fqdn --digest=md5 --config=/etc/puppet/conf/puppet.conf
    puppetmaster.fqdn FE:EA:B4:FE:C4:2C:07:9B:15:B7:F2:DB:3A:78:B3:47
--
But still not the same for truststore.jks:

    # keytool -list -keystore /etc/puppetdb/ssl/truststore.jks
    Enter keystore password:
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    puppetdb ca, Jun 13, 2012, trustedCertEntry,
    Certificate fingerprint (MD5): DA:38:CE:13:8A:20:8B:C1:4C:1C:2C:99:27:5F:53:05
--
And still having the issue with the agent:

    # date puppet agent -t --noop ; date
    Wed Jun 13 12:18:51 CEST 2012
    info: Retrieving plugin
    info: Loading facts in meminbytes
    info: Loading facts in facter_dot_d
    info: Loading facts in root_home
    info: Loading facts in puppet_vardir
    info: Loading facts in meminbytes
    info: Loading facts in facter_dot_d
    info: Loading facts in root_home
    info: Loading facts in puppet_vardir
    err: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for test-puppet.fqdn to PuppetDB at puppetmaster.fqdn:8081: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run
    Wed Jun 13 12:18:54 CEST 2012

On the master:

    2012-06-13 12:28:51,828 WARN [789688662@qtp-1034385146-6] [mortbay.log] EXCEPTION
    javax.net.ssl.SSLHandshakeException: Received fatal alert: decrypt_error
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
        at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1763)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1006)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1217)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1201)
        at org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:675)
        at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)

As you can see in the log the date seems pretty the same.
Re: [Puppet Users] Re: puppetdb setup issue
Hi everyone,

Finally got it, once the certificates were recreated forgot to restart puppetdb... Sorry.

Thx for the tips :D
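An added example (not part of the thread, and not Puppet's or PuppetDB's own tooling): a shell check that pulls the fingerprints out of `keytool -list` output and compares them with what `puppet cert fingerprint` reports, which is the comparison done by hand in the messages above. The sample text is constructed from the listings quoted in the thread, the function names are assumptions of this example, and both sides must use the same digest (MD5 here, as with --digest=md5).

```shell
#!/bin/sh
# Constructed sample input, assembled from the listings quoted in the thread.
# On a live host, pipe the real command output into the functions instead.
KEYSTORE_LIST='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

puppetmaster.fqdn, Jun 13, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): FE:EA:B4:FE:C4:2C:07:9B:15:B7:F2:DB:3A:78:B3:47'

TRUSTSTORE_LIST='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

puppetdb ca, Jun 13, 2012, trustedCertEntry,
Certificate fingerprint (MD5): DA:38:CE:13:8A:20:8B:C1:4C:1C:2C:99:27:5F:53:05'

PUPPET_FP='puppetmaster.fqdn FE:EA:B4:FE:C4:2C:07:9B:15:B7:F2:DB:3A:78:B3:47
ca 1F:1B:E7:2A:89:B5:87:65:4F:91:1A:8B:75:8F:AD:60'

# Print "alias<TAB>fingerprint" for every entry in `keytool -list` output (stdin).
# The alias is the text before the first ", " on the entry line; it may contain
# spaces ("puppetdb ca"), so it is not safe to split on whitespace.
keytool_fingerprints() {
    awk -F', ' '
        /(PrivateKeyEntry|trustedCertEntry),? *$/ { alias = $1 }
        /^Certificate fingerprint/ {
            split($0, p, ": ")
            print alias "\t" toupper(p[2])
        }
    '
}

# Fingerprint of one alias, read from `keytool -list` output on stdin.
keystore_fp() {
    keytool_fingerprints | awk -F'\t' -v a="$1" '$1 == a { print $2 }'
}

# Fingerprint of one certname, read from `puppet cert fingerprint` output on
# stdin. Assumes the "name FINGERPRINT" line format shown in the thread.
puppet_fp() {
    awk -v n="$1" '$1 == n { print toupper($NF) }'
}

# usage: compare_fp LABEL STORE_FP PUPPET_FP
# Returns 0 on match, 1 on mismatch, 2 when either value is missing.
compare_fp() {
    if [ -z "$2" ] || [ -z "$3" ]; then
        echo "$1: MISSING fingerprint"
        return 2
    fi
    if [ "$2" = "$3" ]; then
        echo "$1: match ($2)"
        return 0
    fi
    echo "$1: MISMATCH store=$2 puppet=$3"
    return 1
}

# Check both stores: the keystore must hold the host certificate the CA
# signed, and the truststore must hold the CA certificate itself.
check_puppetdb_stores() {
    rc=0
    ks=$(printf '%s\n' "$KEYSTORE_LIST" | keystore_fp 'puppetmaster.fqdn')
    ts=$(printf '%s\n' "$TRUSTSTORE_LIST" | keystore_fp 'puppetdb ca')
    host=$(printf '%s\n' "$PUPPET_FP" | puppet_fp 'puppetmaster.fqdn')
    ca=$(printf '%s\n' "$PUPPET_FP" | puppet_fp 'ca')
    compare_fp 'keystore.jks (host cert)' "$ks" "$host" || rc=1
    compare_fp 'truststore.jks (CA cert)' "$ts" "$ca" || rc=1
    return "$rc"
}

check_puppetdb_stores || echo 'PuppetDB stores do not match the Puppet CA'
```

A clean comparison only says the files on disk are right; as the last message in the thread reports, PuppetDB also had to be restarted after the certificates were recreated.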
Re: [Puppet Users] Could not prepare for execution: The certificate retrieved from the master does not match the agent's private key.
Hi,

On 06/12/2012 08:53 PM, Scott Merrill wrote:
> I built a test client, and from the top-level Puppet Master I ran `puppet cert generate test.domain`. I installed the generated files onto the test machine. However, this test client is unable to connect to any of the subordinate Masters. I get the following error:

I'm shooting in the dark here, but have you tried copying the generated certificates to your subordinate masters as well? I.e., in /var/lib/ssl/ca...

HTH,
Felix
[Puppet Users] Re: puppetdb: UTF-8 byte sequence
On Wednesday, June 13, 2012 5:51:22 AM UTC-5, A_SAAS wrote:
> Me again regarding puppetdb, I have the following warning message:
>
>     Jun 13 12:49:15 puppetmaster puppet-master[28444]: Ignoring invalid UTF-8 byte sequences in data to be sent to PuppetDB
>
> Do I have to worry?

I don't know any relevant specifics about PuppetDB, but on general principles I would say that to the extent you rely on the data curated by PuppetDB to be correct, yes, you should worry. The message suggests data stream corruption between PuppetDB and whatever other part of the master is talking to it at that point. Probably they disagree about what character encoding to use, but whatever the cause of the problem, the message suggests that PuppetDB interpreted the data in question differently than its source intended.

There is a bug of some kind in there, so I would file a ticket.

John
Re: [Puppet Users] Re: Best way to relate keys, or stuff multiple values into a single key in hiera?
On Tuesday, June 12, 2012 5:51:06 PM UTC-5, Wolf Noble wrote:
> Hi John,
> Thanks a bunch. This seems incredibly sensible.
> If I'm understanding your suggestion properly, I interpret the best thing to do as something like:
>
>     class mymodule::repos {
>       $region_repos = hiera('region_repos', '')
>       $dc_repos = hiera('dc_repos', '')
>       if $region_repos {
>         create_resources('yumrepo', $region_repos)
>       }
>       if $dc_repos {
>         create_resources('yumrepo', $dc_repos)
>       }
>       #...
>     }
>
> and then I could override them like
>
> us-east/foo/qa/webservers/web02.qa.myfoo.com.yaml
>
>     region_repos:
>     dc_repos:
>       foodc_qa_repo: {
>         descr: foodc-qa,
>         baseurl: http://myfoo.com/foodc-repo,
>         gpgkey: http://myfoo.com/foodcrepo/key,
>         gpgcheck: 1,
>         enabled: 1,
>         enablegroups: 0
>       }
>
> with the known caveat that I'd have to explicitly redeclare the entire hash at the most relevant tier if I wanted to change any element of the hash already defined.
>
> Did I miss anything?

I don't see any obvious errors or omissions. In particular, you are correct that overriding repos declared at a lower level will involve declaring an entirely new hash (of hashes) at the appropriate higher level. That's one of the costs attending complex data.

All in all, it looks nicely fleshed out.

John
[Puppet Users] Re: How should I run/start puppetmaster using Apache/Passenger??
It's working now; the problem was definitely with the port setting.

Thanks to all of you for your help.

cheers,
San
[Puppet Users] Re: members of collected resources
On Tuesday, June 12, 2012 4:57:13 PM UTC-5, Adam Heinz wrote:
> Is it possible to get the value of a member variable on a collected resource? Something like
>
>     Host <| name == 'nagios' |>
>     $nagiosip = Host[nagios]::ip
>
> Gepetto has red lined all of my guesses so far.

Generally speaking, it is not possible to get the value of *any* property of *any* previously-declared resource from within your manifests. There may be some kind of workaround involving inline templates or Ruby DSL, but only because they cannot do their jobs without opening a window to parts of Puppet that manifests are not intended to twiddle.

I would recommend instead recording host 'nagios''s IP in a class variable or an external data file, and having other nodes retrieve it from there.

John
Re: [Puppet Users] Could not prepare for execution: The certificate retrieved from the master does not match the agent's private key.
On Wed, Jun 13, 2012 at 7:26 AM, Felix Frank felix.fr...@alumni.tu-berlin.de wrote:
> On 06/12/2012 08:53 PM, Scott Merrill wrote:
>> I built a test client, and from the top-level Puppet Master I ran `puppet cert generate test.domain`. I installed the generated files onto the test machine. However, this test client is unable to connect to any of the subordinate Masters. I get the following error:
>
> I'm shooting in the dark here, but have you tried copying the generated certificates to your subordinate masters as well? I.e., in /var/lib/ssl/ca...

Thanks for the suggestion. I hadn't tried that before. I just did, but it didn't change the error message.

I should have pointed out that each subordinate master has ca = false in puppet.conf, to ensure that none of the subordinate masters try to do any CA stuff. All CA activities should only be performed on the top-level master.

Any other suggestions are greatly appreciated.

Thanks,
Scott
[Puppet Users] HTTP 400 errors when using storeconfigs
As mentioned in my previous thread at http://groups.google.com/group/puppet-users/browse_thread/thread/d491889c89c1a0e0/2ba280696d1ecf96?lnk=gstq=matthew+burgess#2ba280696d1ecf96, I'm seeing intermittent errors on my nodes of the form:

    Wed May 30 18:02:24 +0100 2012 Puppet (err): undefined method `' for [2.7.14, 2.7.14]:Array on node master.domain.com
    Wed May 30 18:02:24 +0100 2012 Puppet (err): undefined method `' for [2.7.14, 2.7.14]:Array on node master.domain.com
    Wed May 30 18:02:24 +0100 2012 Puppet (err): undefined method `' for [2.7.14, 2.7.14]:Array on node master.domain.com
    Wed May 30 18:02:24 +0100 2012 Puppet (err): undefined method `' for [2.7.14, 2.7.14]:Array on node master.domain.com

Upon further investigation I've managed to, I think, finger the blame on storeconfigs. I've set up a new puppet master, completely segregated from the rest of the puppet infrastructure, so there is a total of 1 puppet master and 1 puppet client in this environment. An ENC is configured that currently states that this node should not have any manifests applied.

With storeconfigs set to true, and pointing to a MySQL database on the same host, I can reliably trigger the issue using puppet-load.rb. As soon as I set storeconfigs to false, and restart httpd (puppet is being served behind mod_passenger), a puppet-load run with 100 concurrent clients works with 100% success.

Now, the storeconfigs instructions at http://projects.puppetlabs.com/projects/1/wiki/Using_Stored_Configuration mention the use of a message broker, which was going to be my next plan of attack, but I guess at the moment I'm just kind of interested to see if anyone else has hit problems similar to mine and what kind of scaling they've achieved using plain storeconfigs without a message broker.

Thanks,
Matt.
[Puppet Users] Re: HTTP 400 errors when using storeconfigs
On Wed, Jun 13, 2012 at 2:53 PM, Matthew Burgess matthew.2.burg...@googlemail.com wrote:

> As soon as I set storeconfigs to false, and restart httpd (puppet is being served behind mod_passenger), a puppet-load run with 100 concurrent clients works with 100% success.

Sorry, this should read 20 concurrent clients. 100 concurrent clients happens to work as well, but that's way above the level of scaling we require at present.

In addition, the tests were run after performing a 'puppetd --test' to store the initial config in the DB. With no manifests being applied, I'm not expecting any further writes to the DB during the test runs. Is that a reasonable assumption, and therefore is it also reasonable to assume that I should be focusing my efforts on mysql read optimisations/tuning?

Regards,

Matt.
Re: [Puppet Users] Re: HTTP 400 errors when using storeconfigs
I ran into this issue when Active(Record|Model|Support) had a version higher than 3.0.11. I'm running RHEL6 x64 with Ruby 1.8.7 from RPM and MySQL gem 2.8.1 built from source, if that rings true for you. Which versions of the installed gems do you have? And if you run the puppet master as

    puppet master --no-daemonize -vd

does it give any pertinent output for us to look at?

As for data reads/writes, every time a node checks in, if storedconfigs is on, it will update the facts and some other ancillary information in the database. I've got about 400 nodes in my setup and it's still not very demanding on MySQL even with quite a lot of data going in and out, so the stock config values should suffice while you spend time tracking down all the other issues with getting the environment stood up.

Good luck!

-Jared

On 06/13/2012 10:28 AM, Matthew Burgess wrote:

> On Wed, Jun 13, 2012 at 2:53 PM, Matthew Burgess matthew.2.burg...@googlemail.com wrote:
>
> > As soon as I set storeconfigs to false, and restart httpd (puppet is being served behind mod_passenger), a puppet-load run with 100 concurrent clients works with 100% success.
>
> Sorry, this should read 20 concurrent clients. 100 concurrent clients happens to work as well, but that's way above the level of scaling we require at present.
>
> In addition, the tests were run after performing a 'puppetd --test' to store the initial config in the DB. With no manifests being applied, I'm not expecting any further writes to the DB during the test runs. Is that a reasonable assumption, and therefore is it also reasonable to assume that I should be focusing my efforts on mysql read optimisations/tuning?
>
> Regards,
>
> Matt.
Re: [Puppet Users] Hiera - can't convert Array into String error
I had some issues with using boolean logic with data being fed to me by hiera. I went for a slightly hacky option of:

might help you, might be a BadIdea(™) (untested)

    class foo::params {
      # the hiera value arrives as a string, so turn it into a real boolean
      $bool_to_be_tempname = hiera('some_TorF_key_as_a_string')
      case $bool_to_be_tempname {
        /^[tT][rR][uU][eE]$/: { $bool_to_be = true }
        default:              { $bool_to_be = false }
      }
    }

On Jun 13, 2012, at 7:40 AM, Michael Knox wrote:

> Hi,
>
> I've been moving from extlookup to hiera, and it's generally gone fairly smoothly, but I've run into a problem with one of our defines ...
>
> I get this error:
>
>     err: Could not retrieve catalog from remote server: Error 400 on SERVER: can't convert Array into String at ...
>
> The define uses an exec to install Perl CPAN modules and sets log output based on a hiera lookup.
>
>     exec { "cpan_load_${title}":
>       cut …
>       logoutput => hiera('cpan_logoutput'),
>     }
>
> If I remove that line, everything runs through fine.
>
> The yaml for hiera:
>
>     ---
>     cpan_logoutput: true
>
> Any ideas on what could be triggering this error?
[Puppet Users] Re: Inheritance of classes in Ruby DSL
I have the same question (see https://groups.google.com/forum/?fromgroups#!searchin/puppet-users/inheritance$20ruby$20dsl/puppet-users/RtMbu8yFZCc/Zet8ackZgnYJ) and need this behavior for my project. Is inheritance possible at all with the Ruby DSL? If not, should we create an issue for that?

On Tuesday, 15 May 2012 10:16:22 UTC+2, alxrem wrote:

> Hello.
>
> Is it possible to describe inheritance of classes in Ruby DSL?
Re: [Puppet Users] Re: Best way to relate keys, or stuff multiple values into a single key in hiera?
Awesome!

I wonder about one other thing though: is create_resources likely to balk if there are values in the hash that are irrelevant for the resource type being fed?

ie: if I have a region_repos hash that has both yum values, and apt values… (assuming that a debian sibling to the yumrepo type comes along at some point in the future) and feed them both via the same key, is that likely going to cause me pain? or should the key be geared more to one or the other, i.e.:

    region_yumrepo:
      foo_repo: { .. }
    region_aptsource:
      foo_aptsource: { … }

just trying to think about where the pointy/sharp parts of this might be.

On Jun 13, 2012, at 8:24 AM, jcbollinger wrote:

> On Tuesday, June 12, 2012 5:51:06 PM UTC-5, Wolf Noble wrote:
>
> > Hi John,
> >
> > Thanks a bunch. This seems incredibly sensible. If I'm understanding your suggestion properly, I interpret the best thing to do as something like:
> >
> >     class mymodule::repos {
> >       $region_repos = hiera('region_repos', '')
> >       $dc_repos     = hiera('dc_repos', '')
> >       if $region_repos { create_resources('yumrepo', $region_repos) }
> >       if $dc_repos { create_resources('yumrepo', $dc_repos) }
> >       #...
> >     }
> >
> > and then I could override them like
> >
> > us-east/foo/qa/webservers/web02.qa.myfoo.com.yaml
> >
> >     region_repos:
> >     dc_repos:
> >       foodc_qa_repo: { descr: foodc-qa, baseurl: http://myfoo.com/foodc-repo, gpgkey: http://myfoo.com/foodcrepo/key, gpgcheck: 1, enabled: 1, enablegroups: 0 }
> >
> > with the known caveat that I'd have to explicitly redeclare the entire hash at the most relevant tier if I wanted to change any element of the hash already defined.
> >
> > Did I miss anything?
>
> I don't see any obvious errors or omissions. In particular, you are correct that overriding repos declared at a lower level will involve declaring an entirely new hash (of hashes) at the appropriate higher level. That's one of the costs attending complex data. All in all, it looks nicely fleshed out.
>
> John
Re: [Puppet Users] Re: HTTP 400 errors when using storeconfigs
On Wed, Jun 13, 2012 at 3:58 PM, Jared Ballou jbal...@jballou.com wrote:

> I ran into this issue when Active(Record|Model|Support) had a version higher than 3.0.11. I'm running RHEL6 x64 with Ruby 1.8.7 from RPM and MySQL gem 2.8.1 built from source, if that rings true for you. Which versions of the installed gems do you have? And if you run the puppet master as puppet master --no-daemonize -vd does it give any pertinent output for us to look at?

Thanks for the quick response, Jared. It all sounds far too familiar :-)

I'm running a RHEL 5.8 x86_64 server here. Ruby is 1.8.7-299 from aegisco's repository and rubygems-1.8.5 from the same location. I did try with activerecord-3.2.6 but quickly ran into http://projects.puppetlabs.com/issues/9290 so downgraded to 3.0.15. Based on your message I've tried both 3.0.11 and 3.0.10 and still have the same results. All gems are installed via 'gem install --local --verbose gem name'

    $ gem list

    *** LOCAL GEMS ***

    activemodel (3.0.10)
    activerecord (3.0.10)
    activesupport (3.0.10)
    addressable (2.2.8)
    arel (2.0.10)
    builder (2.1.2)
    cookiejar (0.3.0)
    daemon_controller (1.0.0)
    em-http-request (1.0.2)
    em-socksify (0.2.0)
    eventmachine (1.0.0.beta.4)
    fastthread (1.0.7)
    http_parser.rb (0.5.3)
    i18n (0.5.0)
    json (1.7.3)
    multi_json (1.3.6)
    mysql (2.8.1)
    passenger (3.0.12)
    rack (1.4.1)
    rake (0.9.2.2)
    tzinfo (0.3.,33)

In terms of output from the puppet master, I get nothing of note with those options. If I try with:

    # puppet master --no-daemonize --debug --trace --verbose --logdest /tmp/puppetmaster.log

I get the results in the attached log.

> As for data reads/writes, every time a node checks in, if storedconfigs is on, it will update the facts and some other ancillary information in the database. I've got about 400 nodes in my setup and it's still not very demanding on MySQL even with quite a lot of data going in and out, so the stock config values should suffice while you spend time tracking down all the other issues with getting the environment stood up.

That's all useful info, thanks!

Regards,

Matt.
RE: [Puppet Users] Re: HTTP 400 errors when using storeconfigs
> On Wed, Jun 13, 2012 at 3:58 PM, Jared Ballou jbal...@jballou.com wrote:
>
> > I ran into this issue when Active(Record|Model|Support) had a version higher than 3.0.11. I'm running RHEL6 x64 with Ruby 1.8.7 from RPM and MySQL gem 2.8.1 built from source, if that rings true for you. Which versions of the installed gems do you have? And if you run the puppet master as puppet master --no-daemonize -vd does it give any pertinent output for us to look at?
>
> Thanks for the quick response, Jared. It all sounds far too familiar :-)
>
> I'm running a RHEL 5.8 x86_64 server here. Ruby is 1.8.7-299 from aegisco's repository and rubygems-1.8.5 from the same location. I did try with activerecord-3.2.6 but quickly ran into http://projects.puppetlabs.com/issues/9290 so downgraded to 3.0.15. Based on your message I've tried both 3.0.11 and 3.0.10 and still have the same results.

Are you perhaps running into a max db connection issue (this should be recorded in logs)? We set something like wait_timeout=60 in our mysql my.cnf to kill idle connections that don't seem to get properly reused.
Re: [Puppet Users] Re: HTTP 400 errors when using storeconfigs
On Wed, Jun 13, 2012 at 4:54 PM, Kinzel, David david.kin...@encana.com wrote:

> Are you perhaps running into a max db connection issue (this should be recorded in logs). We set something like wait_timeout=60 in our mysql my.cnf to kill idle connections that don't seem to get properly reused.

I don't think so. I can reproduce the failure by restarting the puppet master, then running puppet-load.rb with '--concurrency 2' *twice*. The first time will always succeed; both clients complete successfully. The 2nd and subsequent invocations will always fail with the 400 error.

If anyone here is able to share their production apache vhost configs including any passenger directives, I'd be grateful, just so I can compare with mine that were cobbled together via various online sources.

Regards,

Matt.
Re: [Puppet Users] Re: members of collected resources
On Wed, Jun 13, 2012 at 9:37 AM, jcbollinger john.bollin...@stjude.org wrote:

> I would recommend instead recording host 'nagios''s IP in a class variable or an external data file, and having other nodes retrieve it from there.

Yeah, I put it in my ENC as a global variable. Not very elegant, but it works.
[Puppet Users] breaking up long lines
Is there a line continuation character, such as space_newline or space\newline ? I thought I had found a reference to how you could do it, but I can't find it now.

We are using 2.7.2

Thank you.
[Puppet Users] Having trouble adding a new node. Either get an empty catalog or Could not find class errors.
I'm trying to add a new node and I'm having some issues. To simplify things, I'm currently just trying to get this node working with an existing role which has been in place for a while and I have tested to confirm it definitely is working on other nodes.

This is what I get from the node when running the puppet client: http://pastie.org/4081819

On the server I don't seem to get any errors, I get an informational message that says:

    puppetmasterd[30611]: Compiled catalog for atgpqamysql1.bcinfra.net in 3.45 seconds

And here is the config:

    [root@anole (puppetmaster) puppet]# cat manifests/nodes/atgpqamysql1.bcinfra.net.pp
    node 'atgpqamysql1.bcinfra.net' {
      $system_environment = production
      include webapp-new-rsyslog
    }
[Puppet Users] Setting up puppetmaster
I am deploying a new puppetmaster. I have old puppet nodes running. The old master is completely gone.

On puppet client,

    sudo puppet agent --server puppetmaster --waitforcert 60 --test --verbose

But name or service not known, so I edited /etc/hosts, added *ip_address puppetmaster* to the hosts file. I ran again, now SSL problem:

    err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run

I removed /var/lib/puppet/ssl and /etc/puppet/ssl/, and gave me this http://pastebin.com/mc1dbXdH

Been 5 minutes, I cancelled it, realize it wouldn't go anywhere...

Then I tried this on the master

    sudo puppetca --sign server1

It said...

    err: Could not call revoke: Could not find a serial number for server1

Did this

    sudo puppetca --sign giab10
    err: Could not call sign: Could not find certificate request for giab10

    sudo puppetca --list --all
    + my_puppet_master (fingerprint value goes here)

What should I do? Neither is contacting each other? Please help?

Thanks
[Puppet Users] Re: Setting up puppetmaster
Okay. I can sign now..

    sudo puppetca -s server1

Did this on master, and then ran the test command on agent... will throw

    sudo puppet agent --server puppetmaster --waitforcert 60 --test --verbose

    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for server1
    err: Could not retrieve catalog from remote server: hostname was not match with the server certificate
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run

On Wednesday, June 13, 2012 4:20:49 PM UTC-4, repoman wrote:

> I am deploying a new puppetmaster. I have old puppet nodes running. The old master is completely gone.
>
> On puppet client,
>
>     sudo puppet agent --server puppetmaster --waitforcert 60 --test --verbose
>
> But name or service not known, so I edited /etc/hosts, added *ip_address puppetmaster* to the hosts file. I ran again, now SSL problem:
>
>     err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
>     warning: Not using cache on failed catalog
>     err: Could not retrieve catalog; skipping run
>
> I removed /var/lib/puppet/ssl and /etc/puppet/ssl/, and gave me this http://pastebin.com/mc1dbXdH
>
> Been 5 minutes, I cancelled it, realize it wouldn't go anywhere...
>
> Then I tried this on the master
>
>     sudo puppetca --sign server1
>
> It said...
>
>     err: Could not call revoke: Could not find a serial number for server1
>
> Did this
>
>     sudo puppetca --sign giab10
>     err: Could not call sign: Could not find certificate request for giab10
>
>     sudo puppetca --list --all
>     + my_puppet_master (fingerprint value goes here)
>
> What should I do? Neither is contacting each other? Please help?
>
> Thanks
[Puppet Users] Re: Having trouble adding a new node. Either get an empty catalog or Could not find class errors.
I was able to fix this. There was something very wonky with the version of puppet that this server had installed. I installed a slightly newer (still way out of date) version and it's now working fine.

On Wednesday, June 13, 2012 1:17:43 PM UTC-6, Dan Finn wrote:

> I'm trying to add a new node and I'm having some issues. To simplify things, I'm currently just trying to get this node working with an existing role which has been in place for a while and I have tested to confirm it definitely is working on other nodes.
>
> This is what I get from the node when running the puppet client: http://pastie.org/4081819
>
> On the server I don't seem to get any errors, I get an informational message that says:
>
>     puppetmasterd[30611]: Compiled catalog for atgpqamysql1.bcinfra.net in 3.45 seconds
>
> And here is the config:
>
>     [root@anole (puppetmaster) puppet]# cat manifests/nodes/atgpqamysql1.bcinfra.net.pp
>     node 'atgpqamysql1.bcinfra.net' {
>       $system_environment = production
>       include webapp-new-rsyslog
>     }
Re: [Puppet Users] PE install fail
It could be the localhost name isn't resolving as the PE installer expects it to. Could you please paste the /etc/hosts file from the instance you're installing on?

Also, I'm happy to try and diagnose this directly, could you let me know the AMI ID you're using and what EC2 zone you're in? If you do, a copy of the answers file with passwords redacted would be a great help to me quickly reproducing the issue.

We definitely shouldn't be bombing out like this and I'd really like to fix this as soon as possible.

Thanks,

-Jeff

On Wed, Jun 13, 2012 at 1:11 PM, Toky toky.c...@gmail.com wrote:

> Hello all,
>
> I'm trying to install PE(2.5.1) on a fresh m1.large AWS instance (Centos). I got the hostname entry on the hosts file setup (the installer won't run if it's not set). The installation starts using the answer file I provide and everything seems fine until it gets to installing the console...
>
> I've tried this on 4 different instances (fresh installs not even updates) and it keeps crapping out on the same spot, I'm pasting the last few lines of the install log and appending the file too.
>
> last few lines:
>
>     -- execute(ALTER TABLE reports ADD CONSTRAINT fk_reports_node_id FOREIGN KEY (node_id) REFERENCES nodes(id) ON DELETE CASCADE;)
>        - 0.5053s
>     -- execute(ALTER TABLE resource_events ADD CONSTRAINT fk_resource_events_resource_status_id FOREIGN KEY (resource_status_id) REFERENCES resource_statuses(id) ON DELETE CASCADE;)
>        - 0.0876s
>     -- execute(ALTER TABLE resource_statuses ADD CONSTRAINT fk_resource_statuses_report_id FOREIGN KEY (report_id) REFERENCES reports(id) ON DELETE CASCADE;)
>        - 0.0921s
>     -- execute(ALTER TABLE report_logs ADD CONSTRAINT fk_report_logs_report_id FOREIGN KEY (report_id) REFERENCES reports(id) ON DELETE CASCADE;)
>        - 0.0797s
>     -- execute(ALTER TABLE metrics ADD CONSTRAINT fk_metrics_report_id FOREIGN KEY (report_id) REFERENCES reports(id) ON DELETE CASCADE;)
>        - 0.0883s
>     == AddReportForeignKeyConstraints: migrated (0.8708s)
>     == RemoveUrlFromNodes: migrating =
>     -- remove_column(:nodes, :url)
>        - 0.1389s
>     == RemoveUrlFromNodes: migrated (0.1391s)
>     ** chown -Rvf puppet-dashboard:puppet-dashboard /var/log/pe-puppet-dashboard/*
>     changed ownership of `/var/log/pe-puppet-dashboard/development.log' to puppet-dashboard:puppet-dashboard
>     changed ownership of `/var/log/pe-puppet-dashboard/production.log' to puppet-dashboard:puppet-dashboard
>     ** cd /opt/puppet/share/console-auth; PATH=/opt/puppet/sbin:/opt/puppet/bin:$PATH rake db:migrate
>     rake aborted!
>     Access denied for user 'auth_user'@'localhost' (using password: YES)
>     /opt/puppet/share/console-auth/Rakefile:105
>     (See full trace by running task with --trace)
>     (in /opt/puppet/share/console-auth)
Re: [Puppet Users] Re: Setting up puppetmaster
- Original Message -
| Okay. I can signed now..
| sudo puppetca -s server1
| Did this on master, and then ran the test command on agent... will
| throw
|
| sudo puppet agent --server puppetmaster --waitforcert 60 --test
| --verbose
|
| warning: peer certificate won't be verified in this SSL session
| info: Caching certificate for server1
| err: Could not retrieve catalog from remote server: hostname was not
| match
| with the server certificate
| warning: Not using cache on failed catalog
| err: Could not retrieve catalog; skipping run

I just finished a migration and the issues I ran into were making sure that the DNS names resolved correctly to the new host and that the new host SSL key was signed by the original CA

--
James A. Peltier
Manager, IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpelt...@sfu.ca
Website : http://www.sfu.ca/itservices http://blogs.sfu.ca/people/jpeltier

Success is to be measured not so much by the position that one has reached in life but as by the obstacles they have overcome. - Booker T. Washington
[Puppet Users] Re: Setting up puppetmaster
On Wednesday, June 13, 2012 1:26:17 PM UTC-7, repoman wrote:

> err: Could not retrieve catalog from remote server: hostname was not match with the server certificate

Hey, repoman,

This is a dns_alt_names problem. (Setting info: http://docs.puppetlabs.com/references/latest/configuration.html#dnsaltnames)

Short version is that the hostname you contact the puppet master at MUST be included in its SSL certificate. By default, only the master's certname and the special default hostname puppet are included. If puppetmaster isn't the certname of your master (check by running puppet master --configprint certname), you'll need to either re-generate its cert or configure agents to use one of the names in its certificate.

To view the cert and confirm that puppetmaster isn't in it:

    puppet cert print (whatever the master's certname is)

To regenerate the master's cert:

    puppet cert clean (whatever the master's certname is)
    puppet cert generate --dns_alt_names puppetmaster (whatever the master's certname is)
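The hostname check described in the reply above can be reproduced offline. This Ruby sketch is an added example, not code from the post or from Puppet: it builds a throwaway self-signed certificate instead of a CA-signed one, and the certname master01.example.com and all helper names are assumptions made for illustration.

```ruby
require 'openssl'

# Build a throwaway, self-signed stand-in for a puppet master certificate.
# Constructed for this example: a real master cert is signed by the Puppet CA.
# Following the post, the SAN list always holds the certname and "puppet",
# plus whatever is passed as dns_alt_names.
def build_master_cert(certname, dns_alt_names = [])
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([['CN', certname]])
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600

  names = ([certname, 'puppet'] + dns_alt_names).uniq
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  san = names.map { |n| "DNS:#{n}" }.join(',')
  cert.add_extension(ef.create_extension('subjectAltName', san, false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# DNS names listed in the certificate's subjectAltName extension.
def cert_dns_names(cert)
  san = cert.extensions.find { |ext| ext.oid == 'subjectAltName' }
  return [] unless san

  san.value.split(/,\s*/).grep(/\ADNS:/).map { |v| v.sub(/\ADNS:/, '') }
end

# The identity check Ruby's TLS client applies to the peer certificate:
# the name the agent connects to must match one of the certificate's names.
def server_name_accepted?(cert, server_name)
  OpenSSL::SSL.verify_certificate_identity(cert, server_name)
end

# Summarise the two ways out named in the post: either the name is already
# accepted, or the agent must use one of usable_names (or the master's
# certificate must be regenerated with the missing name added).
def diagnose(cert, server_name)
  { ok: server_name_accepted?(cert, server_name),
    usable_names: cert_dns_names(cert) }
end

if __FILE__ == $PROGRAM_NAME
  before = build_master_cert('master01.example.com')
  after  = build_master_cert('master01.example.com', ['puppetmaster'])
  puts "default cert, --server puppetmaster: #{diagnose(before, 'puppetmaster')}"
  puts "regenerated,  --server puppetmaster: #{diagnose(after, 'puppetmaster')}"
end
```

Against a real master, the same two helper checks can be pointed at the PEM file of the master's certificate loaded with OpenSSL::X509::Certificate.new(File.read(path)).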
[Puppet Users] Announce: Puppet 2.7.16 Available
Puppet 2.7.16 is a maintenance release for Puppet in the 2.7.x series. (Puppet 2.7.15 died in the thunderdome). The release notes below include notes from the 2.7.15 series, so you may see some changes repeated from previous emails.

Downloads are available at:

* Source https://downloads.puppetlabs.com/puppet/puppet-2.7.16.tar.gz

Windows package is available at https://downloads.puppetlabs.com/windows/puppet-2.7.16.msi

RPMs are available at https://yum.puppetlabs.com/el or /fedora

Debs are available at https://apt.puppetlabs.com

Mac package is available at https://downloads.puppetlabs.com/mac/puppet-2.7.16.dmg

See the Verifying Puppet Download section at: https://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet

Please report feedback via the Puppet Labs Redmine site, using an affected puppet version of 2.7.16: http://projects.puppetlabs.com/projects/puppet/

## Puppet 2.7.16 Release Notes ##

(#8858) Explicitly set SSL peer verification mode.

In Ruby 1.8 the Net::HTTP library defaults to skipping peer verification when no mode is explicitly set. Ruby 1.9, on the other hand, does not: it defaults to verification of the peer certificate - leading to failure when we depended on the default value in our HTTP setup.

This changes to explicitly set the verification mode, ensuring we get consistent results across all Ruby versions.

* Significantly improve compilation performance when using modules

When autoloading classes/defines, the typeloader constructs a set of possible locations for the class, based on its name. Effectively, it will look in the canonical locations corresponding to each namespace in the fully-qualified name. So for each namespace, it will ask the environment for a Puppet::Module instance for that module, to ask it which of the module's potentially manifests match the class it's looking for. To answer that request, the environment instantiates a Puppet::Module.

This amounts to potentially thousands of Puppet::Module instances being created, because it does this many times (based on nesting of the class name) per include/autoload/import. When Puppet::Module instances are created, they parse and load their metadata.json file, in part to validate their use. This implies that each compilation results in metadata.json being parsed thousands of times, which is extremely slow (and obviously provides no actual benefit).

Fortunately, the environment object already keeps a list of Puppet::Module instances for every module in its modulepath. The fix applied here is simply to change the environment such that it provides modules by looking them up in its cached list, resulting in up to an order of magnitude improvement in compilation time.

* Colorize console output on Windows

Previously, `Puppet[:color]` was false on Windows, because the Windows console does not support ANSI escape sequences.

The win32console gem converts ANSI color escape sequences into Win32 console API calls to change the foreground color, etc. If the output stream has been redirected to a file, then the gem does not translate the sequences, instead preserving them in the stream, as is done on Unix.

To disable colorized output specify `color=false` or `--color=false` on the command line.

This commit adds a `Puppet.features.ansicolor?` feature that defines whether ANSI color escape sequences are supported. On Windows, this is only true if the win32console gem can be loaded. On other platforms, the value is always true.

The win32console gem will be packaged into the Windows installer, and so, `Puppet[:color]` now defaults to true. If the gem can't be loaded, then puppet will revert to its previous behavior.

(#8174) Allow defines to reference topscope

Because the compiler re-assigned the topscope, looking up topscope vars or facts from a defined resource type was causing deprecation warnings when it should not be.

By cherry-picking commits b02aa930a03a282588e81f65e14f47a138a4b9f0 and c995be16bc9e3ad8dbad9d21b49df76de5b72ea9 the topscope is no longer re-assigned and so defined resource types can now lookup these kinds of variables without problem.

Evaluate node classes either in top or node scope

Classes that are tied to a node should be preferred to be evaluated in the node scope, but if we don't have one then they should be in the top scope

(#14297) Handle upstart services better

The previous changes to the upstart provider didn't take into account services that may have upstart jobs in /etc/init with no corresponding symlink to upstart-job in /etc/init.d. This fix adds /etc/init/$service.conf to the search path in the upstart provider.

In order to allow upstart to use debian as its parent, this commit adds methods for enabled?, enable and disable. Without this fix, using a debian style init script on ubuntu requires manually
[Puppet Users] Re: puppetdb: UTF-8 byte sequence
Because the serialization format (JSON) and the database both require UTF-8 character encoding for their data, puppetdb needs to encode strings before it sends them from the puppet master to the puppetdb server. Due to limitations in Puppet's representation of strings (character encoding is not explicitly specified), it's not possible for us to do anything too fancy when we encounter a byte sequence that is not directly representable in UTF-8. Thus, when this scenario occurs, you will see the warning that you mentioned.

This does mean that we will be discarding the invalid bytes. Whether or not this is cause for concern in your particular case depends on which resource triggered the warning, and what your use case for that resource is. If the offending resource is an exported resource that other nodes are relying on, then this could cause problems. If the offending resource is one that you query or report on, then your data could be skewed slightly. Otherwise, this is effectively harmless for you.

One thing that we should do on our end, though, is try to provide a bit more context to the warning message to help you try to identify which resource is causing the warning. To that end I've filed the following ticket: http://projects.puppetlabs.com/issues/15016

(Also worth noting: in the existing/old storeconfigs, the behavior for handling this scenario is undefined... so for us, this warning is a first step towards providing comprehensive, robust support for handling string encoding.)

We are definitely interested in hearing more details about your setup if this does cause you any problems. Thanks for the feedback!

Chris

On Wednesday, June 13, 2012 6:06:38 AM UTC-7, jcbollinger wrote:

On Wednesday, June 13, 2012 5:51:22 AM UTC-5, A_SAAS wrote:

Me again regarding puppetdb, I have the following warning message:

Jun 13 12:49:15 puppetmaster puppet-master[28444]: Ignoring invalid UTF-8 byte sequences in data to be sent to PuppetDB

Do I have to worry?

I don't know any relevant specifics about PuppetDB, but on general principles I would say that to the extent you rely on the data curated by PuppetDB to be correct, yes, you should worry. The message suggests data stream corruption between PuppetDB and whatever other part of the master is talking to it at that point. Probably they disagree about what character encoding to use, but whatever the cause of the problem, the message suggests that PuppetDB interpreted the data in question differently than its source intended. There is a bug of some kind in there, so I would file a ticket.

John
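One way to find which resource triggers the warning discussed in this thread, as an added example that is not PuppetDB's own code: it walks a catalog-like structure, lists every string that is not valid UTF-8, and shows what is left once the invalid bytes are discarded. The catalog layout, field names and sample values are constructed assumptions.

```ruby
# Added example, not PuppetDB code. The catalog below is constructed sample data.

# Copy of +str+ reinterpreted as UTF-8 (the original string is left untouched).
def as_utf8(str)
  str.dup.force_encoding(Encoding::UTF_8)
end

# What remains of +str+ once bytes that are not valid UTF-8 are discarded.
def drop_invalid_utf8(str)
  as_utf8(str).scrub('')
end

# Collect every String under +node+ that is not valid UTF-8.
# Each hit records where it was found and what would survive the clean-up.
def find_invalid_utf8(node, path = [], hits = [])
  case node
  when Hash
    node.each { |key, value| find_invalid_utf8(value, path + [key.to_s], hits) }
  when Array
    node.each_with_index { |value, i| find_invalid_utf8(value, path + [i.to_s], hits) }
  when String
    unless as_utf8(node).valid_encoding?
      hits << { path: path.join('/'), cleaned: drop_invalid_utf8(node) }
    end
  end
  hits
end

# Group hits per resource so the offending resource can be named, and flag
# exported resources, where a changed value can affect other nodes.
def offending_resources(catalog)
  catalog.fetch('resources', []).map do |res|
    hits = find_invalid_utf8(res)
    next if hits.empty?
    { resource: "#{res['type']}[#{drop_invalid_utf8(res['title'])}]",
      exported: res['exported'] == true,
      fields: hits.map { |h| h[:path] } }
  end.compact
end

# Constructed sample: two strings carry Latin-1 bytes, one is valid UTF-8.
SAMPLE_CATALOG = {
  'name' => 'web01.example.test',
  'resources' => [
    { 'type' => 'File', 'title' => '/etc/motd', 'exported' => false,
      'parameters' => { 'content' => "Bienvenue au caf\xE9\n" } },
    { 'type' => 'Ssh_authorized_key', 'title' => "j\xFCrgen@laptop", 'exported' => true,
      'parameters' => { 'user' => 'jurgen', 'type' => 'ssh-rsa' } },
    { 'type' => 'User', 'title' => 'deploy', 'exported' => false,
      'parameters' => { 'comment' => "D\u00E9ploiement" } }
  ]
}.freeze

if __FILE__ == $PROGRAM_NAME
  offending_resources(SAMPLE_CATALOG).each do |r|
    kind = r[:exported] ? 'exported' : 'local'
    puts "#{r[:resource]} (#{kind}): invalid UTF-8 in #{r[:fields].join(', ')}"
  end
end
```

Note that the exported resource's title changes once the bytes are dropped, which is the case the reply singles out as a possible problem for other nodes.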
[Puppet Users] Define - Class dependencies not respected
Hello,

I'm encountering an issue which I think is a bug, but I want to propose it here before filing it for good @puppetlabs, and be sure it's not just a misunderstanding.

Actually, I often use a construction where a main class would include some small others that build a complete service (install, config, service). Relationships are given (and respected) in the main class between those subclasses. However, I found out that if a defined type is stating that it requires the main class, this won't mean it requires the subclasses.

Here is an example, ran on Ubuntu with the package ldap.

###
define aaaa () {
  # The define only declares a dependency on the main class.
  Class[ 'test'] -> Aaaa[ $name ]
  file { '/etc/slapd.d/define':
    ensure  => file,
    content => 'define',
  }
}

class test {
  Class[ 'install' ] -> Class[ 'config']
  include install
  include config
}

class install {
  package { 'slapd':
    ensure => 'present',
  }
}

class config {
  file { '/etc/slapd.d/config':
    ensure  => file,
    content => 'config',
  }
}

node default {
  aaaa { 'test': }
  include test
}

notice: /Stage[main]//Node[default]/Aaaa[test]/File[/etc/slapd.d/define]/ensure: current_value absent, should be file (noop)
notice: Aaaa[test]: Would have triggered 'refresh' from 1 events
notice: Node[default]: Would have triggered 'refresh' from 1 events
notice: /Stage[main]/Install/Package[slapd]/ensure: current_value purged, should be present (noop)
notice: Class[Install]: Would have triggered 'refresh' from 1 events
notice: /Stage[main]/Config/File[/etc/slapd.d/config]/ensure: current_value absent, should be file (noop)
notice: Class[Config]: Would have triggered 'refresh' from 1 events
notice: Class[Main]: Would have triggered 'refresh' from 1 events
notice: Stage[main]: Would have triggered 'refresh' from 3 events
notice: Finished catalog run in 0.18 seconds

As we can see, the define Aaaa[test] is created before the class, and in this case Puppet would fail because the folder /etc/slapd.d/ would not exist before the file /etc/slapd.d/define is created in it.

This could of course be fixed by requiring the subclass install directly, but I think that is unexpected.

I hope some will be able to shine my lights on this Puppet behaviour.

Thanks
--
Bruno Léon
[Puppet Users] Announce: Puppet Dashboard 1.2.9 Available
This is a maintenance and security release of Puppet Dashboard. It includes contributions from Erik Dalén, Matthaus Litteken, and Aaron Patterson. Security content includes a patch to address CVE-2012-2695, SQL Injection Vulnerability in Ruby on Rails.

This release is available for download at: https://downloads.puppetlabs.com/dashboard/puppet-dashboard-1.2.9.tar.gz

Debian packages are available at https://apt.puppetlabs.com

RPM packages are available at https://yum.puppetlabs.com

See the Verifying Puppet Download section at: http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet

Please report feedback via the Puppet Labs Redmine site, using an affected version of 1.2.9: http://projects.puppetlabs.com/projects/dashboard

Documentation is available at: http://docs.puppetlabs.com/dashboard/index.html

1.2.9 Security Fixes
===

Patch to Address SQL Injection Vulnerability in Ruby on Rails

There is a SQL injection vulnerability in Active Record, in ALL versions. This vulnerability has been assigned the CVE identifier CVE-2012-2695. Patch content from Aaron Patterson.

Additional information available here: https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/l4L0TEVAz1k

CVE Link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2695

1.2.9 Bug Fixes
===

*Fix the node:classes rake task

Wrong variable name was used so it always exited with NameError

1.2.9 Changelog
===

Erik Dalén (1)
d114b09 Fix the node:classes rake task

Matthaus Litteken (1)
8fed1f8 Update contributors in readme

Aaron Patterson (1)
1c7437 Patch activerecord for CVE-2012-2695
Re: [Puppet Users] Re: Apache mod_cache/mod_disk_cache...?
On Wed, Jun 13, 2012 at 10:29 AM, Matt W m...@nextdoor.com wrote:

Any thoughts on this problem? With caching enabled, we could make the response-times and CPU-time for requesting files significantly faster. We'd even be able to cache the puppet manifests for short periods when clients request them over-and-over-and-over (i.e., during first boot/configuration of a system). I think the main question here is why does Puppet add a ? to the end of each file-download request even if there is no meta-data attached?

In Puppet 2.6 and earlier all of the Facter data for a node was passed to the master as a query parameter when the catalog is requested. We've changed this in Puppet 2.7 to POST the data to avoid the length limit on the GET URI.

As you see in your logs for file meta data, we also pass resource parameters directly in the URI. recurse=true and such. What's likely happening is that we always set the query string for all REST API requests. Even if the parameters are an empty hash or what not.

You might want to consider the caching in nginx. I've successfully deployed this configuration at a large customer site and it does respect query parameters.

-Jeff

On Saturday, June 9, 2012 8:37:10 PM UTC-4, Matt W wrote:

Is anybody using mod_cache/mod_disk_cache with Puppet? I found a post talking about it here (http://paperairoplane.net/?p=380) and I tried to implement it .. but I found that nothing was being cached. Near as I can tell, Apache refuses to cache any URL that has a query-string attached to it: (http://httpd.apache.org/docs/2.2/caching.html)

• If the URL included a query string (e.g. from a HTML form GET method) it will not be cached unless the response specifies an explicit expiration by including an Expires: header or the max-age or s-maxage directive of the Cache-Control: header, as per RFC2616 sections 13.9 and 13.2.1.

However, when you look at the mod_cache doc itself (http://httpd.apache.org/docs/2.2/mod/mod_cache.html#cacheignorequerystring)

Ordinarily, requests with query string parameters are cached separately for each unique query string. This is according to RFC 2616/13.9 done only if an expiration time is specified. The CacheIgnoreQueryString directive tells the cache to cache requests even if no expiration time is specified, and to reply with a cached reply even if the query string differs. From a caching point of view the request is treated as if having no query string when this directive is enabled.

These two things seem at-odds with each other. When I turn 'cacheignorequerystring' On in Apache, the caching starts to work ... but as I understand it, it means that a request for /foo.sh?bar will cache and return the same result as /foo.sh?xyz ... thus making the query string completely ignored. However, if I leave it off, I get no caching at all because Puppet seems to make every single file request with a ? attached to it:

Jun 10 00:17:59.00 puppetmaster-20372704.cloud.XYZ.com apache: puppetmaster-20372704.cloud.XYZ.com:443 204.236.165.198 - - - puppet.XYZ.com:8140 GET /production/file_metadata/modules/zk/ssl/cacert.pem? HTTP/1.1 200 330 - - 0/6260
Jun 10 00:17:59.00 puppetmaster-20372704.cloud.XYZ.com apache: puppetmaster-20372704.cloud.XYZ.com:443 204.236.165.198 - - - puppet.XYZ.com:8140 GET /production/file_metadata/modules/zk/ssl/zookeeper.XYZ.com.key? HTTP/1.1 200 346 - - 0/4499
Jun 10 00:17:59.00 puppetmaster-20372704.cloud.XYZ.com apache: puppetmaster-20372704.cloud.XYZ.com:443 204.236.165.198 - - - puppet.XYZ.com:8140 GET /production/file_metadata/modules/stunnel/stunnel? HTTP/1.1 200 328 - - 0/4703
Jun 10 00:18:00.00 puppetmaster-20372704.cloud.XYZ.com apache: puppetmaster-20372704.cloud.XYZ.com:443 204.236.165.198 - - - puppet.XYZ.com:8140 GET /production/file_metadatas/modules/zk/code?recurse=truelinks=managechecksum_type=md5 HTTP/1.1 200 660 - - 0/7805
Jun 10 00:18:02.00 puppetmaster-20372704.cloud.XYZ.com apache: puppetmaster-20372704.cloud.XYZ.com:443 204.236.165.198 - - - puppet.XYZ.com:8140 GET /production/file_metadata/modules/zk/upstart? HTTP/1.1 200 323 - - 0/4843
Jun 10 00:18:03.00 puppetmaster-20372704.cloud.XYZ.com apache: puppetmaster-20372704.cloud.XYZ.com:443 204.236.165.198 - - - puppet.XYZ.com:8140 GET /production/file_metadatas/modules/prod_ve/certs?recurse=truelinks=managechecksum_type=md5 HTTP/1.1 200 2765 - - 0/16361

If Puppet did not have the ? at the end of the URL, I think that Apache would cache the requests... but obviously this still prevents me from caching the catalogs. Any thoughts?

—Matt
[Puppet Users] Announce: Facter 1.6.10
Facter 1.6.10 is a maintenance release candidate in the 1.6.x branch with bug fixes. It includes contributions from Hailee Kenney, Josh Cooper, Jeff Weiss, Stefan Shulte, and Moses Mendoza.

This release is available for download at:
https://downloads.puppetlabs.com/facter/facter-1.6.10.tar.gz
https://apt.puppetlabs.com
https://yum.puppetlabs.com

See the Verifying Puppet Download section at: http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet#Verifying+Puppet+Downloads

Please report feedback via the Puppet Labs Redmine site, using an affected version of 1.6.10: http://projects.puppetlabs.com/projects/facter/

Release Notes at: https://projects.puppetlabs.com/projects/facter/wiki/Wiki

Facter 1.6.10 Highlights
==

(#10261) Detect x64 architecture on Windows

Previously, the hardwaremodel fact was using RbConfig::CONFIG['host_cpu'] for Windows, but this returns i686 on a 64-bit OS, which is incorrect. And this caused the architecture fact to be reported as i386, which is also wrong. This commit updates the hardwaremodel fact on Windows to return the appropriate cpu model, e.g. x64, i686, etc. Based on that, the architecture fact will either be x86 or x64, and can be used to install architecture-specific packages, e.g. splunk-4.2.4-110225-x64-release.msi.

(#13678) Allow passing shell built-ins to exec method on windows

The former exec method tried to run the command on windows no matter whether it could be found on the filesystem or not. This allowed end users to run shell-builtins with the exec method. The new exec method always tried to expand the binary first and returned nil if the binary was not found.

This commit now restores the old behaviour on windows: Even if we fail to expand the command, we will try to run the command in the exact same way as it was passed to the exec method in case it is indeed a shell built-in. But we will now raise a deprecation warning.

Reason for deprecating this "even if we cannot find it, just run it" behaviour: We may want to predetermine the paths where facter tries to find binaries in the future. A fall back behaviour may then lead to strange results. Most built-ins can be expressed in pure ruby anyways.

(#13678) Join PATHs correctly on windows

On windows File.join joins with the File::SEPARATOR which is '/' on windows. While a lot of the windows API and the ruby filetests allow / as a separator we should use File::ALT_SEPARATOR ('\' on windows) to create pathnames on windows

Bump Facter epoch to 1

This commit bumps the facter epoch to 1. This is to address the errant release of a facter 2.0rc to the Puppet Labs yum production repository, which may have been then installed unintentionally by its users.

Facter 1.6.10 Changelog
===

Josh Cooper (4)
f42896d (#14764) Stub architecture fact when Windows facts run on Linux
964d1f0 (#12864) Close registry key
ab025bb Revert Revert (#12864) Windows: get primary DNS from registry
478386d (#10261) Detect x64 architecture on Windows

Hailee Kenney (1)
b050eb1 (#14582) Fix noise in LSB facts

Jeff Weiss (1)
f44ca52 (maint) Fix hardware model fact for ruby 1.9

Stefan Shulte (12)
2043244 (#13678) Remove deprecation msg triggerd by the ipaddress6 fact
d118d81 (#13678) Add filename extension on absolute paths on windows
85654b0 (#13678) Allow passing shell built-ins to exec method on windows
8f4c016 (#13678) Single quote paths on unix with spaces
2d164e8 (#13678) Join PATHs correctly on windows
e7e7e8f (#13678) Extend spec tests for expand_command
0fea7b0 maint: Add shared context for specs to imitate windows or posix
60d0cd2 (#13678) Fix spec failures on windows
121a2ab (#13678) Fix quoting in expand_command
55b1125 (#13678) Add more unit tests for new methods
9086c0a (#13678) Add RDoc documentation for new methods
165ace4 (#13678) Convert command to absolute paths before executing

Moses Mendoza (3)
35067dc Bump Facter epoch to 1
d6a3e91 Make package task depend on tar in Rakfile
6cc881d Use git describe in Rakefile to determine pkg ver
[Puppet Users] Re: Setting up puppetmaster
Hi Nick and James,

You want me to do that on Master? I just did. I can't do that on the client.

Master:

$ puppet master --configprint certname
master
(I am using alias name from now on... you see it is not puppetmaster)

$ puppet cert clean master
notice: Revoked certificate with serial 2
notice: Removing file Puppet::SSL::Certificate master at '/var/lib/puppet/ssl/ca/signed/master.pem'
notice: Removing file Puppet::SSL::Certificate master at '/var/lib/puppet/ssl/certs/master.pem'
notice: Removing file Puppet::SSL::Key master at '/var/lib/puppet/ssl/private_keysmaster.pem'

$ puppet cert generate --dns_alt_names puppetmaster master
notice: master has a waiting certificate request
notice: Signed certificate request for master
notice: Removing file Puppet::SSL::CertificateRequest master at '/var/lib/puppet/ssl/ca/requests/master.pem'
notice: Removing file Puppet::SSL::CertificateRequest master at '/var/lib/puppet/ssl/certificate_requests/master.pem'

Now I see the following in master.pem

X509v3 Subject Alternative Name: DNS:master, DNS:puppetmaster

But ran the test again, and still complain not matched.

Thanks.

On Wednesday, June 13, 2012 5:23:32 PM UTC-4, Nick Fagerlund wrote:

On Wednesday, June 13, 2012 1:26:17 PM UTC-7, repoman wrote:

err: Could not retrieve catalog from remote server: hostname was not match with the server certificate

Hey, repoman,

This is a dns_alt_names problem. (Setting info: http://docs.puppetlabs.com/references/latest/configuration.html#dnsaltnames )

Short version is that the hostname you contact the puppet master at MUST be included in its SSL certificate. By default, only the master's certname and the special default hostname puppet are included. If puppetmaster isn't the certname of your master (check by running puppet master --configprint certname), you'll need to either re-generate its cert or configure agents to use one of the names in its certificate.

To view the cert and confirm that puppetmaster isn't in it:

puppet cert print (whatever the master's certname is)

To regenerate the master's cert:

puppet cert clean (whatever the master's certname is)
puppet cert generate --dns_alt_names puppetmaster (whatever the master's certname is)
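The hostname rule described in this thread, as an added example that is not Puppet code: it builds constructed, self-signed sample certificates and checks which hostnames they are valid for with Ruby's `OpenSSL::SSL.verify_certificate_identity`. The names master, puppet and puppetmaster come from the thread; the helper names and the certificates themselves are assumptions made for the example.

```ruby
require 'openssl'

# Added example, not Puppet code. Every certificate here is a constructed,
# self-signed sample; no Puppet CA is involved.
SAMPLE_KEY = OpenSSL::PKey::RSA.new(2048)

# Build a sample certificate with CN=certname and the given DNS alt names.
def sample_cert(certname, dns_alt_names)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  name = OpenSSL::X509::Name.parse("/CN=#{certname}")
  cert.subject = name
  cert.issuer = name
  cert.public_key = SAMPLE_KEY.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  unless dns_alt_names.empty?
    factory = OpenSSL::X509::ExtensionFactory.new
    factory.subject_certificate = cert
    factory.issuer_certificate = cert
    san = dns_alt_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(factory.create_extension('subjectAltName', san, false))
  end
  cert.sign(SAMPLE_KEY, OpenSSL::Digest.new('SHA256'))
  cert
end

# DNS entries of the subjectAltName extension (the list a cert printout shows).
def dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(/,\s*/).grep(/\ADNS:/).map { |v| v.sub(/\ADNS:/, '') }
end

# True when a client connecting to +hostname+ would accept +cert+ for it.
def hostname_ok?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Map each candidate hostname to whether the certificate covers it.
def report(cert, hostnames)
  hostnames.map { |h| [h, hostname_ok?(cert, h)] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  default_cert = sample_cert('master', %w[master puppet])
  regenerated  = sample_cert('master', %w[master puppetmaster])
  san_only     = sample_cert('master', %w[puppetmaster])
  names = %w[master puppet puppetmaster]
  puts "default alt names:     #{report(default_cert, names)}"
  puts "with puppetmaster:     #{report(regenerated, names)}"
  # Once any DNS alt name is present, the CN is no longer consulted.
  puts "CN not in alt names:   #{report(san_only, names)}"
end
```

To check a real certificate instead, load it with `OpenSSL::X509::Certificate.new(File.read(path))` and pass it to `report` with the hostname the agents use; make sure it is the certificate the running master actually presents.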
Re: [Puppet Users] Hiera - can't convert Array into String error
Thanks,

It appears to be something internal to the hiera function, so I'll have to go digging in there to find out what's going on.

Cheers

On 14/06/2012, at 1:06 AM, Wolf Noble wrote:

I had some issues with using boolean logic with data being fed to me by hiera. I went for a slightly hacky option of: might help you, might be a BadIdea(™) (untested)

class foo::params {
  # hiera returns the value as a string; map it onto a real boolean
  $bool_to_be_tempname = hiera('some_TorF_key_as_a_string')
  case $bool_to_be_tempname {
    /[tT][rR][uU][eE]/: { $bool_to_be = true }
    default: { $bool_to_be = false }
  }
}

On Jun 13, 2012, at 7:40 AM, Michael Knox wrote:

Hi,

I've been moving from extlookup to hiera, and it's generally gone fairly smoothly, but I've run into a problem with one of our defines ... I get this error:

err: Could not retrieve catalog from remote server: Error 400 on SERVER: can't convert Array into String at ...

The define uses an exec to install Perl CPAN modules and sets log output based on a hiera lookup.

exec { "cpan_load_${title}":
  cut …
  logoutput => hiera('cpan_logoutput'),
}

If I remove that line, everything runs through fine.

The yaml for hiera:

---
cpan_logoutput: true

Any ideas on what could be triggering this error?