[Puppet Users] any way to debug a Puppet custom function?

2016-09-19 Thread Thomas Cheng 
Hi howdies,

 Recently I'm picking up some legacy puppet codes in my new company. the 
puppet code base has custom functions written in ruby before.

One major issue is: how to debug the custom functions to figure out the 
logic inside? Can I copy/paste into an external general ruby script and 
debug it with 'ruby -rdebug

Re: [Puppet Users] A Scalable HA Setup with on 2 configs, check this out !

2016-09-19 Thread Neil - Puppet List 
Hello Trevor,

I put this in when we did a fairly big puppet upgrade. This meant I could
direct a few clients to the upgraded server upgrade the agents see how that
went then do all dev service before moving others.

I guess we could have done that in a number of other ways but this worked
well for me and I like not configuring the clients differently, by changing
their server setting, as I did the upgrade

In a similar manner I've used it to experient with different node
classifiers not something I think DNS records would allow.

Before I used environments I used it for other changes like upgrading
modules such as puppet labs Apache by having the newer version only on one
puppet server and directing some clients there.

So in general the benefit is when you do not want the same puppet version
or code on all puppet servers.

Overhead of running a pair of tiny vms for the loadbal is tiny for me as we
run a dozen or so other loadbal pairs.

Neil

On 19 Sep 2016 21:28, "Trevor Vaughan"  wrote:

> Hi Neil,
>
> Thanks for sharing that config, it's quite useful.
>
> Did you see any large benefit of this versus using DNS SRV records (yes, I
> understand the actual load balancing implications).
>
> I'm curious if the extra infrastructure was worth the effort.
>
> I'm partial to a fan-out DNS SRV structure, but that doesn't really help
> with load unless your servers are active rejecting above a given connection
> load.
>
> Thanks,
>
> Trevor
>
> On Mon, Sep 19, 2016 at 5:09 AM, Neil - Puppet List <
> maillist-pup...@iamafreeman.com> wrote:
>
>> Hello
>>
>> One extra thing to mention is I have got into issues with configuring the
>> loadbal itself through puppet, as broken loadbal config breaks the puppet
>> service which means the loadbal can;t be fixed via puppet, so admin login
>> is required on these servers.
>>
>> Thanks
>>
>> Neil
>>
>> On 19 September 2016 at 10:07, Neil - Puppet List <
>> maillist-pup...@iamafreeman.com> wrote:
>>
>>> Hello
>>>
>>> Below is a slightly edited version of the haproxy.cfg
>>>
>>> All the backends except the ca require a valid client cert 'http-request
>>>  deny unless { ssl_c_verify 0 }'
>>>
>>> global
>>>   chroot  /var/lib/haproxy
>>>   daemon
>>>   group  haproxy
>>>   log  127.0.0.1 local4
>>>   log  127.0.0.1 local5 notice
>>>   maxconn  2
>>>   pidfile  /var/run/haproxy.pid
>>>   stats  socket /var/run/haproxy.stat mode 600
>>>   tune.ssl.default-dh-param  2048
>>>   user  haproxy
>>>
>>> defaults
>>>   log  global
>>>   maxconn  2
>>>   option  redispatch
>>>   retries  3
>>>   timeout  http-request 10s
>>>   timeout  queue 1m
>>>   timeout  connect 10s
>>>   timeout  client 1m
>>>   timeout  server 1m
>>>   timeout  check 10s
>>>
>>> frontend hastats
>>>   bind 0.0.0.0:443 ssl no-sslv3 crt /etc/ssl/private/puppet.lse.ac.uk.pem
>>> no-sslv3 ciphers ECDHE-RSA-AES128-GCM-SHA256:EC
>>> DHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDH
>>> E-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-
>>> AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-
>>> ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-
>>> SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-
>>> RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-
>>> SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-
>>> AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-
>>> GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-
>>> SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
>>>   default_backend  ibe_hastats
>>>   mode  http
>>>   option  httplog
>>>   rspadd  Strict-Transport-Security:\ max-age=31536000
>>>
>>> frontend puppet
>>>   bind 0.0.0.0:8140 ssl no-sslv3 crt /etc/ssl/private/puppet.lse.ac.uk.pem
>>> ca-file /etc/haproxy/ca_crt.pem verify optional crl-file
>>> /etc/haproxy/ca_crl.pem ciphers ECDHE-RSA-AES128-GCM-SHA256:EC
>>> DHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDH
>>> E-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-
>>> AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-
>>> ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-
>>> SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-
>>> RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-
>>> SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-
>>> AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-
>>> GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-
>>> SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
>>>   acl  use_ca path_reg ^/[a-z0-9\-\.]*/certificate/
>>>   acl  use_ca path_reg ^/[a-z0-9\-\.]*/certificate_request/
>>>   acl  use_dev ssl_c_s_dn(cn) -m sub -- -dev
>>>   acl  use_foreman ssl_c_s_dn(cn) -m beg testforemanclient
>>>   acl  environment_production path_beg /production/catalog
>>>   default_backend  be_puppet_stable
>>>   http-request  set-header X-SSL   %[ssl_fc]
>>>   http-request  set-header X-SSL-Client-Verify %[ssl_c_verify]
>>>

[Puppet Users] Puppet -- Powershell script

2016-09-19 Thread Shivayogi Kamat 
I have an application which requires a local account to be required  for 
the configuration.
I have created a module inside that I have 2 folders :

i. files
ii.manifests

under manifests init file I have the below code:

class xyz {

exec { ' app_config':

 command => ' C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe 
-file c:\provisioning\modules\xyz\files\config1.ps1 '
}
}

Under files folder there are 2 files

i.  config1.ps1

ii. app_execute.bat

Under config1.ps1 I am creating a local user :
$user = $env:COMPUTERNAME/Testing

$Credentials = New-Object -TypeName 
System.management.Automation.PScredential -ArgumentList $user, 
("test@3456", | Convertto-securestring -ASplaintext -force)

Start-Process C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe 
-Credential $Credentials -ArgumentList " Start-Process 
C:\Windows\System32\cmd.exe -file 
c:\provisioning\c:\provisioning\modules\xyz\files\app_execute.bat "

Under app_execute.bat

c:\puppet\app.bat -f c:\puppet\responsefile.rsp

The log file shows that the powershell file config1.ps1 got executed 
successfully, but the application log file is not getting generated, but 
when executed manually the config1.ps1 the app will get configured.

Not sure, in config1.ps1, I am using a start-process which will create a 
separate process using the local account.

I think the puppet is not waiting for the above config1.ps1 to be completed 
succesfully.

Not sure why it is coming out without executing fully, Is there any 
condition, as we need to execute only  one file inside init, as I am 
initiating 2 processes.

Please advise.

 
 

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/501ee411-8aa3-4a1e-9847-2381abca9fe4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] A Scalable HA Setup with on 2 configs, check this out !

2016-09-19 Thread Trevor Vaughan 
Hi Neil,

Thanks for sharing that config, it's quite useful.

Did you see any large benefit of this versus using DNS SRV records (yes, I
understand the actual load balancing implications).

I'm curious if the extra infrastructure was worth the effort.

I'm partial to a fan-out DNS SRV structure, but that doesn't really help
with load unless your servers are active rejecting above a given connection
load.

Thanks,

Trevor

On Mon, Sep 19, 2016 at 5:09 AM, Neil - Puppet List <
maillist-pup...@iamafreeman.com> wrote:

> Hello
>
> One extra thing to mention is I have got into issues with configuring the
> loadbal itself through puppet, as broken loadbal config breaks the puppet
> service which means the loadbal can;t be fixed via puppet, so admin login
> is required on these servers.
>
> Thanks
>
> Neil
>
> On 19 September 2016 at 10:07, Neil - Puppet List <
> maillist-pup...@iamafreeman.com> wrote:
>
>> Hello
>>
>> Below is a slightly edited version of the haproxy.cfg
>>
>> All the backends except the ca require a valid client cert 'http-request
>>  deny unless { ssl_c_verify 0 }'
>>
>> global
>>   chroot  /var/lib/haproxy
>>   daemon
>>   group  haproxy
>>   log  127.0.0.1 local4
>>   log  127.0.0.1 local5 notice
>>   maxconn  2
>>   pidfile  /var/run/haproxy.pid
>>   stats  socket /var/run/haproxy.stat mode 600
>>   tune.ssl.default-dh-param  2048
>>   user  haproxy
>>
>> defaults
>>   log  global
>>   maxconn  2
>>   option  redispatch
>>   retries  3
>>   timeout  http-request 10s
>>   timeout  queue 1m
>>   timeout  connect 10s
>>   timeout  client 1m
>>   timeout  server 1m
>>   timeout  check 10s
>>
>> frontend hastats
>>   bind 0.0.0.0:443 ssl no-sslv3 crt /etc/ssl/private/puppet.lse.ac.uk.pem
>> no-sslv3 ciphers ECDHE-RSA-AES128-GCM-SHA256:EC
>> DHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDH
>> E-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-
>> AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-
>> ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-
>> SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:
>> ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-
>> AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-
>> RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:
>> AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-
>> CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
>>   default_backend  ibe_hastats
>>   mode  http
>>   option  httplog
>>   rspadd  Strict-Transport-Security:\ max-age=31536000
>>
>> frontend puppet
>>   bind 0.0.0.0:8140 ssl no-sslv3 crt /etc/ssl/private/puppet.lse.ac.uk.pem
>> ca-file /etc/haproxy/ca_crt.pem verify optional crl-file
>> /etc/haproxy/ca_crl.pem ciphers ECDHE-RSA-AES128-GCM-SHA256:EC
>> DHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDH
>> E-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-
>> AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-
>> ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-
>> SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:
>> ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-
>> AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-
>> RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:
>> AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-
>> CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
>>   acl  use_ca path_reg ^/[a-z0-9\-\.]*/certificate/
>>   acl  use_ca path_reg ^/[a-z0-9\-\.]*/certificate_request/
>>   acl  use_dev ssl_c_s_dn(cn) -m sub -- -dev
>>   acl  use_foreman ssl_c_s_dn(cn) -m beg testforemanclient
>>   acl  environment_production path_beg /production/catalog
>>   default_backend  be_puppet_stable
>>   http-request  set-header X-SSL   %[ssl_fc]
>>   http-request  set-header X-SSL-Client-Verify %[ssl_c_verify]
>>   http-request  set-header X-SSL-Client-SHA1   %{+Q}[ssl_c_sha1]
>>   http-request  set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
>>   http-request  set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
>>   http-request  set-header X-SSL-Issuer%{+Q}[ssl_c_i_dn]
>>   http-request  set-header X-SSL-Client-Not-Before %{+Q}[ssl_c_notbefore]
>>   http-request  set-header X-SSL-Client-Not-After  %{+Q}[ssl_c_notafter]
>>   mode  http
>>   option  forwardfor
>>   option  httplog
>>   use_backend  be_puppet_ca if use_ca
>>   use_backend  be_puppet_dev if use_dev
>>   use_backend  be_puppet_foreman if use_foreman
>>
>> backend be_puppet_ca
>>   mode  http
>>   server  sys-puppet-ca-prod-0 sys-puppet-ca-prod-0:8140 check inter 15s
>> rise 2 fall 2
>>
>> backend be_puppet_dev
>>   balance  source
>>   hash-type  map-based
>>   http-request  deny unless { ssl_c_verify 0 }
>>   mode  http
>>   server  sys-puppet-app-prod-0 sys-puppet-app-prod-0:8140 check inter
>> 15s rise 2 fall 2
>>
>> backend be_puppet_foreman
>>   balance  source
>>   hash-type  map-based
>>   http-request  deny unless { ssl_c_verify 0 }
>>   mode  http
>>

Re: [Puppet Users] I'd like to see you at PuppetConf 2016

2016-09-19 Thread Trevor Vaughan 
Mike,

You couldn't keep me away man

Even if you wanted to

Which you probably do

I'm bad at haiku

T

On Fri, Sep 16, 2016 at 11:31 AM, Michael Stahnke 
wrote:

> PuppetConf is coming up in just about a month, in San Diego, CA. It would
> be wonderful to see you there. If you haven't been to one before, it's a
> great time to learn about all things automations and DevOps. The talk
> line-up this year looks stellar, and the hallways will be packed with
> people sharing tips, stories, disasters, and their vision of the future
> when it comes to automation.
>
> PuppetConf is great not only because you connect with other folks doing
> Puppet stuff, but because the attendees are among the best systems people
> in the world. You get a chance to learn from them, as well as the
> sessions.  Join us a day early for the contributor summit for open forums
> if that works for you.
>
> I want to invite you to come, but time is running out for the cheaper
> tickets. Today is the last day for the 20% off price.
>
> Michael Stahnke
> Director of Engineering
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/puppet-users/CAMto7L%2BRv6Qwkqpn1rcDSQn6DSStZj_
> 4EtVrCVgD6zfbnpwNxw%40mail.gmail.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>



-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CANs%2BFoVxdgbJBYmjYrakqbjO7jPq7ZCGUT1s3TNwdxqH0pRkFw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] HOWTO ERB Template generate an array of files

2016-09-19 Thread warron.french 
Thanks for the feedback John, much appreciated.

--
Warron French


On Mon, Sep 19, 2016 at 9:12 AM, jcbollinger 
wrote:

>
>
> On Sunday, September 18, 2016 at 3:42:36 AM UTC-5, Warron French wrote:
>>
>> Hi, thanks Peter.
>>
>> I am writing this module to write it based on the design I have had
>> because... being a little lazy I guess you might say/think.  I know that I
>> could do a link, but I believe for something like this an actual file might
>> be required, because if the main file is deleted, then the banner is lost
>> entirely because the links will be broken.
>>
>>
>>
> As Peter said, If you have people randomly deleting system files then you
> have a bigger problem.  Furthermore, making three regular files in that
> case is only a partial mitigation of such a risk, because losing any one of
> the files still impacts consumers of that file.
>
> But the main point I wanted to raise here is that this is one of the
> things Puppet is *for*.  Whether you use regular files or symlinks, if
> one or more of them is deleted or modified then you can expect Puppet to
> restore it on the next catalog run.  Moreover, if you have reporting
> enabled then the update will be reported to you.  This may or may not be
> sufficient for your purposes.
>
>
> John
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/puppet-users/98a119b6-067c-4fe6-a513-a5b83704f772%40googlegroups.com
> 
> .
>
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAJdJdQkPoRRR%2By6cSDpOf4FP24kHcNkZ5pj8MjTz-%3DOwNBDOZg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Re: notify resource different between 3 and 4?

2016-09-19 Thread R.I.Pienaar 


> On 19 Sep 2016, at 15:31, jcbollinger  wrote:
> 
> 
> 
>> On Friday, September 16, 2016 at 12:11:26 PM UTC-5, Christopher Wood wrote:
>> While trying to figure out the reduce function with notice/notify I happened 
>> across this thing. It looks like an unquoted array in the notify resource's 
>> message only appears as its first array item. Not sure if it's a bug. 
>> 
>> I couldn't find any documentation to say if this was intended and I couldn't 
>> really tell what the type was doing with the self.should bit. I am not 
>> actually a programmer. 
>> 
>> $ cat /tmp/xx.pp 
>> $array = ["one", "two", "three"] 
>> 
>> notify { 'notify one': 
>>   message => "${array}", 
>> } 
>> 
>> notify { 'notify two': 
>>   message => $array, 
>> } 
>> 
>> With puppet 3 I see this: 
>> 
>> $ puppet --version 
>> 3.8.7 
>> $ puppet apply /tmp/xx.pp 
>> Fact file /etc/facter/facts.d/monit_fail_count was parsed but returned an 
>> empty data set 
>> Fact file /etc/facter/facts.d/monit_fail_count was parsed but returned an 
>> empty data set 
>> Notice: Compiled catalog for mail82c40.carrierzone.com in environment 
>> production in 0.03 seconds 
>> Notice: one 
>> Notice: /Stage[main]/Main/Notify[notify two]/message: defined 'message' as 
>> 'one' 
>> Notice: onetwothree 
>> Notice: /Stage[main]/Main/Notify[notify one]/message: defined 'message' as 
>> 'onetwothree' 
>> Notice: Finished catalog run in 0.05 seconds 
>> 
>> With puppet 4 I see this: 
>> 
>> $ puppet --version 
>> 4.6.2 
>> $ puppet apply /tmp/xx.pp 
>> Notice: Compiled catalog for cwl.hostopia.com in environment production in 
>> 0.09 seconds 
>> Notice: [one, two, three] 
>> Notice: /Stage[main]/Main/Notify[notify one]/message: defined 'message' as 
>> '[one, two, three]' 
>> Notice: one 
>> Notice: /Stage[main]/Main/Notify[notify two]/message: defined 'message' as 
>> 'one' 
>> Notice: Applied catalog in 0.11 seconds 
> 
> 
> I see a difference between 3.8 and 4.6 with respect to the result of 
> interpolating an array into a string.  In Puppet 3 (and earlier) you get a 
> concatenation of the stringifications of all the elements, whereas in Puppet 
> 4, you get a more formatted representation.  I would have expected such a 
> change to be applied during a major version update -- so between 3.x and 4.0 
> -- but a quick browse of the release notes does not appear to mention it.

This is not a puppet behaviour change. Newer Ruby does nicer looking to_s on 
arrays that's why


> 
> You called out the unquoted array being bound to the 'message' parameter of 
> the second Notify, but that seems to have exactly the same behavior in the 
> two Puppet outputs you present.  In both cases, the message is taken as the 
> first element of the array.  As R.I. observed, you should not bind an array 
> to a parameter that expects a string.  Given that you did so, I think Puppet 
> handled the situation in a reasonable way.  I'm uncertain whether that 
> behavior is documented.
> 
> 
> John
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/puppet-users/eadea0df-b342-47b9-a3e3-daa981d128b7%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/E14BBDEE-2291-45BD-96BB-0D3D06AD3E21%40devco.net.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: notify resource different between 3 and 4?

2016-09-19 Thread jcbollinger 


On Friday, September 16, 2016 at 12:11:26 PM UTC-5, Christopher Wood wrote:
>
> While trying to figure out the reduce function with notice/notify I 
> happened across this thing. It looks like an unquoted array in the notify 
> resource's message only appears as its first array item. Not sure if it's a 
> bug. 
>
> I couldn't find any documentation to say if this was intended and I 
> couldn't really tell what the type was doing with the self.should bit. I am 
> not actually a programmer. 
>
> $ cat /tmp/xx.pp 
> $array = ["one", "two", "three"] 
>
> notify { 'notify one': 
>   message => "${array}", 
> } 
>
> notify { 'notify two': 
>   message => $array, 
> } 
>
> With puppet 3 I see this: 
>
> $ puppet --version 
> 3.8.7 
> $ puppet apply /tmp/xx.pp 
> Fact file /etc/facter/facts.d/monit_fail_count was parsed but returned an 
> empty data set 
> Fact file /etc/facter/facts.d/monit_fail_count was parsed but returned an 
> empty data set 
> Notice: Compiled catalog for mail82c40.carrierzone.com in environment 
> production in 0.03 seconds 
> Notice: one 
> Notice: /Stage[main]/Main/Notify[notify two]/message: defined 'message' as 
> 'one' 
> Notice: onetwothree 
> Notice: /Stage[main]/Main/Notify[notify one]/message: defined 'message' as 
> 'onetwothree' 
> Notice: Finished catalog run in 0.05 seconds 
>
> With puppet 4 I see this: 
>
> $ puppet --version 
> 4.6.2 
> $ puppet apply /tmp/xx.pp 
> Notice: Compiled catalog for cwl.hostopia.com in environment production 
> in 0.09 seconds 
> Notice: [one, two, three] 
> Notice: /Stage[main]/Main/Notify[notify one]/message: defined 'message' as 
> '[one, two, three]' 
> Notice: one 
> Notice: /Stage[main]/Main/Notify[notify two]/message: defined 'message' as 
> 'one' 
> Notice: Applied catalog in 0.11 seconds 
>


I see a difference between 3.8 and 4.6 with respect to the result of 
interpolating an array into a string.  In Puppet 3 (and earlier) you get a 
concatenation of the stringifications of all the elements, whereas in 
Puppet 4, you get a more formatted representation.  I would have expected 
such a change to be applied during a major version update -- so between 3.x 
and 4.0 -- but a quick browse of the release notes does not appear to 
mention it.

You called out the unquoted array being bound to the 'message' parameter of 
the second Notify, but that seems to have exactly the same behavior in the 
two Puppet outputs you present.  In both cases, the message is taken as the 
first element of the array.  As R.I. observed, you should not bind an array 
to a parameter that expects a string.  Given that you did so, I think 
Puppet handled the situation in a reasonable way.  I'm uncertain whether 
that behavior is documented.


John

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/eadea0df-b342-47b9-a3e3-daa981d128b7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] HOWTO ERB Template generate an array of files

2016-09-19 Thread jcbollinger 


On Sunday, September 18, 2016 at 3:42:36 AM UTC-5, Warron French wrote:
>
> Hi, thanks Peter.
>
> I am writing this module to write it based on the design I have had 
> because... being a little lazy I guess you might say/think.  I know that I 
> could do a link, but I believe for something like this an actual file might 
> be required, because if the main file is deleted, then the banner is lost 
> entirely because the links will be broken.
>
>
>
As Peter said, If you have people randomly deleting system files then you 
have a bigger problem.  Furthermore, making three regular files in that 
case is only a partial mitigation of such a risk, because losing any one of 
the files still impacts consumers of that file.

But the main point I wanted to raise here is that this is one of the things 
Puppet is *for*.  Whether you use regular files or symlinks, if one or more 
of them is deleted or modified then you can expect Puppet to restore it on 
the next catalog run.  Moreover, if you have reporting enabled then the 
update will be reported to you.  This may or may not be sufficient for your 
purposes.


John

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/98a119b6-067c-4fe6-a513-a5b83704f772%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] A Scalable HA Setup with on 2 configs, check this out !

2016-09-19 Thread Neil - Puppet List 
Hello

One extra thing to mention is I have got into issues with configuring the
loadbal itself through puppet, as broken loadbal config breaks the puppet
service which means the loadbal can;t be fixed via puppet, so admin login
is required on these servers.

Thanks

Neil

On 19 September 2016 at 10:07, Neil - Puppet List <
maillist-pup...@iamafreeman.com> wrote:

> Hello
>
> Below is a slightly edited version of the haproxy.cfg
>
> All the backends except the ca require a valid client cert 'http-request
>  deny unless { ssl_c_verify 0 }'
>
> global
>   chroot  /var/lib/haproxy
>   daemon
>   group  haproxy
>   log  127.0.0.1 local4
>   log  127.0.0.1 local5 notice
>   maxconn  2
>   pidfile  /var/run/haproxy.pid
>   stats  socket /var/run/haproxy.stat mode 600
>   tune.ssl.default-dh-param  2048
>   user  haproxy
>
> defaults
>   log  global
>   maxconn  2
>   option  redispatch
>   retries  3
>   timeout  http-request 10s
>   timeout  queue 1m
>   timeout  connect 10s
>   timeout  client 1m
>   timeout  server 1m
>   timeout  check 10s
>
> frontend hastats
>   bind 0.0.0.0:443 ssl no-sslv3 crt /etc/ssl/private/puppet.lse.ac.uk.pem
> no-sslv3 ciphers ECDHE-RSA-AES128-GCM-SHA256:
> ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:
> ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-
> DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-
> SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:
> ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-
> AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-
> SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-
> SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-
> AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:
> AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
>   default_backend  ibe_hastats
>   mode  http
>   option  httplog
>   rspadd  Strict-Transport-Security:\ max-age=31536000
>
> frontend puppet
>   bind 0.0.0.0:8140 ssl no-sslv3 crt /etc/ssl/private/puppet.lse.ac.uk.pem
> ca-file /etc/haproxy/ca_crt.pem verify optional crl-file
> /etc/haproxy/ca_crl.pem ciphers ECDHE-RSA-AES128-GCM-SHA256:
> ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:
> ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-
> DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-
> SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:
> ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-
> AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-
> SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-
> SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-
> AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:
> AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
>   acl  use_ca path_reg ^/[a-z0-9\-\.]*/certificate/
>   acl  use_ca path_reg ^/[a-z0-9\-\.]*/certificate_request/
>   acl  use_dev ssl_c_s_dn(cn) -m sub -- -dev
>   acl  use_foreman ssl_c_s_dn(cn) -m beg testforemanclient
>   acl  environment_production path_beg /production/catalog
>   default_backend  be_puppet_stable
>   http-request  set-header X-SSL   %[ssl_fc]
>   http-request  set-header X-SSL-Client-Verify %[ssl_c_verify]
>   http-request  set-header X-SSL-Client-SHA1   %{+Q}[ssl_c_sha1]
>   http-request  set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
>   http-request  set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
>   http-request  set-header X-SSL-Issuer%{+Q}[ssl_c_i_dn]
>   http-request  set-header X-SSL-Client-Not-Before %{+Q}[ssl_c_notbefore]
>   http-request  set-header X-SSL-Client-Not-After  %{+Q}[ssl_c_notafter]
>   mode  http
>   option  forwardfor
>   option  httplog
>   use_backend  be_puppet_ca if use_ca
>   use_backend  be_puppet_dev if use_dev
>   use_backend  be_puppet_foreman if use_foreman
>
> backend be_puppet_ca
>   mode  http
>   server  sys-puppet-ca-prod-0 sys-puppet-ca-prod-0:8140 check inter 15s
> rise 2 fall 2
>
> backend be_puppet_dev
>   balance  source
>   hash-type  map-based
>   http-request  deny unless { ssl_c_verify 0 }
>   mode  http
>   server  sys-puppet-app-prod-0 sys-puppet-app-prod-0:8140 check inter 15s
> rise 2 fall 2
>
> backend be_puppet_foreman
>   balance  source
>   hash-type  map-based
>   http-request  deny unless { ssl_c_verify 0 }
>   mode  http
>   server  sys-puppet-app-prod-1 sys-puppet-app-prod-1:8140 check inter 15s
> rise 2 fall 2
>
> backend be_puppet_stable
>   balance  source
>   hash-type  map-based
>   http-request  deny unless { ssl_c_verify 0 }
>   mode  http
>   server  sys-puppet-app-prod-2 sys-puppet-app-prod-2:8140 check inter 15s
> rise 2 fall 2
>
> backend ibe_hastats
>   mode  http
>   stats  uri /hastats/
>   stats  realm HAStatistics
>   stats  auth admin:PASSWORDFORADMINACCESSTOSTATSPAGE
>   stats  admin if TRUE
>
> On 18 September 2016 at 09:10, Gareth Rushgrove 
> wrote:
>
>> On 17 September 2016 at 15:06, Neil - Puppet List
>>

Re: [Puppet Users] A Scalable HA Setup with on 2 configs, check this out !

2016-09-19 Thread Neil - Puppet List 
Hello

Below is a slightly edited version of the haproxy.cfg

All the backends except the ca require a valid client cert 'http-request
 deny unless { ssl_c_verify 0 }'

global
  chroot  /var/lib/haproxy
  daemon
  group  haproxy
  log  127.0.0.1 local4
  log  127.0.0.1 local5 notice
  maxconn  2
  pidfile  /var/run/haproxy.pid
  stats  socket /var/run/haproxy.stat mode 600
  tune.ssl.default-dh-param  2048
  user  haproxy

defaults
  log  global
  maxconn  2
  option  redispatch
  retries  3
  timeout  http-request 10s
  timeout  queue 1m
  timeout  connect 10s
  timeout  client 1m
  timeout  server 1m
  timeout  check 10s

frontend hastats
  bind 0.0.0.0:443 ssl no-sslv3 crt /etc/ssl/private/puppet.lse.ac.uk.pem
no-sslv3 ciphers
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
  default_backend  ibe_hastats
  mode  http
  option  httplog
  rspadd  Strict-Transport-Security:\ max-age=31536000

frontend puppet
  bind 0.0.0.0:8140 ssl no-sslv3 crt /etc/ssl/private/puppet.lse.ac.uk.pem
ca-file /etc/haproxy/ca_crt.pem verify optional crl-file
/etc/haproxy/ca_crl.pem ciphers
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
  acl  use_ca path_reg ^/[a-z0-9\-\.]*/certificate/
  acl  use_ca path_reg ^/[a-z0-9\-\.]*/certificate_request/
  acl  use_dev ssl_c_s_dn(cn) -m sub -- -dev
  acl  use_foreman ssl_c_s_dn(cn) -m beg testforemanclient
  acl  environment_production path_beg /production/catalog
  default_backend  be_puppet_stable
  http-request  set-header X-SSL   %[ssl_fc]
  http-request  set-header X-SSL-Client-Verify %[ssl_c_verify]
  http-request  set-header X-SSL-Client-SHA1   %{+Q}[ssl_c_sha1]
  http-request  set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
  http-request  set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
  http-request  set-header X-SSL-Issuer%{+Q}[ssl_c_i_dn]
  http-request  set-header X-SSL-Client-Not-Before %{+Q}[ssl_c_notbefore]
  http-request  set-header X-SSL-Client-Not-After  %{+Q}[ssl_c_notafter]
  mode  http
  option  forwardfor
  option  httplog
  use_backend  be_puppet_ca if use_ca
  use_backend  be_puppet_dev if use_dev
  use_backend  be_puppet_foreman if use_foreman

backend be_puppet_ca
  mode  http
  server  sys-puppet-ca-prod-0 sys-puppet-ca-prod-0:8140 check inter 15s
rise 2 fall 2

backend be_puppet_dev
  balance  source
  hash-type  map-based
  http-request  deny unless { ssl_c_verify 0 }
  mode  http
  server  sys-puppet-app-prod-0 sys-puppet-app-prod-0:8140 check inter 15s
rise 2 fall 2

backend be_puppet_foreman
  balance  source
  hash-type  map-based
  http-request  deny unless { ssl_c_verify 0 }
  mode  http
  server  sys-puppet-app-prod-1 sys-puppet-app-prod-1:8140 check inter 15s
rise 2 fall 2

backend be_puppet_stable
  balance  source
  hash-type  map-based
  http-request  deny unless { ssl_c_verify 0 }
  mode  http
  server  sys-puppet-app-prod-2 sys-puppet-app-prod-2:8140 check inter 15s
rise 2 fall 2

backend ibe_hastats
  mode  http
  stats  uri /hastats/
  stats  realm HAStatistics
  stats  auth admin:PASSWORDFORADMINACCESSTOSTATSPAGE
  stats  admin if TRUE

On 18 September 2016 at 09:10, Gareth Rushgrove 
wrote:

> On 17 September 2016 at 15:06, Neil - Puppet List
>  wrote:
> > Hello
> >
> > I've run multiple puppet masters behind ha proxy for a few years now. I
> have
> > multiple masters, with haproxy rules directing some clients to particular
> > masters. I only have one puppet master as CA. I've about 600 clients.
> >
> > Initially I was concerned about only having one CA. But all it does is
> sign
> > new clients and revoke old. Haproxy trusts the clients based on this CA
> and
> > a revoke list from the CA.
> >
> > If the CA went down all existing clients would are fine, I've tested
> that. I
> > can't sign new clients or revoke existing until I