[Puppet Users] Re: Puppetserver External CA with CRL not working

2017-03-24 Thread Steve Viola
Adrien, thanks for the info and suggestions. Yeah, the crl is the same in 
both locations. According to the puppet documentation, this file should be 
copied from cacrl to hostcrl, but I haven't seen that 
behavior, so I've been manually syncing those up. In my case the values for 
these variables are  '/etc/puppetlabs/puppet/ssl/ca/ca_crl.pem' and 
'/etc/puppetlabs/puppet/ssl/crl.pem', respectively.

Good idea with the java arguments. I've gone ahead and added that, and you 
were right, this is a lot of output. Here's a whole bunch of additional 
output:

certpath: PKIXCertPathValidator.engineValidate()...
certpath: X509CertSelector.match(SN: 1
  Issuer: CN=Certificate Authority, O=CRITICALMENTION.COM
  Subject: CN=Certificate Authority, O=CRITICALMENTION.COM)
certpath: X509CertSelector.match returning: true
certpath: YES - try this trustedCert
certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=Certificate Authority, O=CRITICALMENTION.COM
certpath: --
certpath: Executing PKIX certification path validation algorithm.
certpath: Checking cert1 - Subject: CN=ip-10-0-101-7.ec2.internal, O=CRITICALMENTION.COM
certpath: Set of critical extensions: {2.5.29.15}
certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: Constraints.permits(): SHA256withRSA
certpath: KeySizeConstraints.permits(): RSA
certpath: -checker2 validation succeeded
certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
certpath: X509CertSelector.match(SN: 6ffe018a
  Issuer: CN=Certificate Authority, O=CRITICALMENTION.COM
  Subject: CN=ip-10-0-101-7.ec2.internal, O=CRITICALMENTION.COM)
certpath: X509CertSelector.match returning: true
certpath: -checker3 validation succeeded
certpath: -Using checker4 ... [sun.security.provider.certpath.ConstraintsChecker]
certpath: ---checking basic constraints...
certpath: i = 1, maxPathLength = 1
certpath: after processing, maxPathLength = 1
certpath: basic constraints verified.
certpath: ---checking name constraints...
certpath: prevNC = null, newNC = null
certpath: mergedNC = null
certpath: name constraints verified.
certpath: -checker4 validation succeeded
certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
certpath: PolicyChecker.checkPolicy() certIndex = 1
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy  ROOT
certpath: PolicyChecker.processPolicies() no policies present in cert
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking timestamp:Fri Mar 24 18:42:35 UTC 2017...
certpath: timestamp verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: CN=Certificate Authority, O=CRITICALMENTION.COM; subject: CN=ip-10-0-101-7.ec2.internal, O=CRITICALMENTION.COM; serial#: 1878917514
certpath: -checker6 validation succeeded
certpath: -Using checker7 ... [sun.security.provider.certpath.RevocationChecker]
certpath: RevocationChecker.check: checking cert
  SN: 6ffe018a
  Subject: CN=ip-10-0-101-7.ec2.internal, O=CRITICALMENTION.COM
  Issuer: CN=Certificate Authority, O=CRITICALMENTION.COM
certpath: RevocationChecker.checkCRLs() ---checking revocation status ...
certpath: RevocationChecker.checkCRLs() possible crls.size() = 1
certpath: RevocationChecker.verifyPossibleCRLs: Checking CRLDPs for CN=ip-10-0-101-7.ec2.internal, O=CRITICALMENTION.COM
certpath: DistributionPointFetcher.verifyCRL: checking revocation status for
  SN: 6ffe018a
  Subject: CN=ip-10-0-101-7.ec2.internal, O=CRITICALMENTION.COM
  Issuer: CN=Certificate Authority, O=CRITICALMENTION.COM
certpath: RevocationChecker.checkCRLs() approved crls.size() = 0
certpath: 
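[Editor's note, not part of the post above.] The tail of that trace is the interesting part: the JDK found one candidate CRL ("possible crls.size() = 1") and then DistributionPointFetcher.verifyCRL discarded it ("approved crls.size() = 0"), which happens silently when the CRL's issuer DN does not match the CA, the CA certificate's keyUsage lacks cRLSign, the CRL signature does not verify with the CA key, or the CRL is outside its thisUpdate/nextUpdate window. The Ruby below is an added example (it is not code from the thread, from Puppet or from the JDK) that re-runs those four checks on a throwaway CA and CRL generated in-process, so it runs offline with nothing but Ruby's bundled openssl; the DN EXAMPLE.TEST, the serial 0x1234 and the function names are constructed for the example. The JDK additionally requires the CRL's issuing-distribution-point data to be consistent with the certificate, which this example does not model.

```ruby
require 'openssl'

# Added example: re-create the checks a CRL must pass before a validator
# will use it, on a throwaway CA generated here (constructed test data,
# not the CA or CRL from the thread).  Requires only Ruby's bundled openssl.

def hours_from_now(hours)
  Time.now + hours * 3600
end

# Throwaway self-signed CA carrying the keyUsage a CRL issuer needs (cRLSign).
def make_ca(cn: 'Certificate Authority', org: 'EXAMPLE.TEST')
  key  = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.new([['CN', cn], ['O', org]])
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # X.509 v3
  cert.serial     = 1
  cert.subject    = name
  cert.issuer     = name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 86_400
  cert.not_after  = Time.now + 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Issue a v2 CRL under issuer_cert's DN, signed with signing_key (which may
# deliberately NOT be issuer_cert's key, to reproduce a stale-CRL situation).
def make_crl(signing_key, issuer_cert, revoked_serials, hours_valid: 24)
  crl = OpenSSL::X509::CRL.new
  crl.version     = 1                      # CRL v2
  crl.issuer      = issuer_cert.subject
  crl.last_update = Time.now - 300
  crl.next_update = hours_from_now(hours_valid)
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = OpenSSL::BN.new(serial)
    entry.time   = Time.now - 300
    crl.add_revoked(entry)
  end
  crl.sign(signing_key, OpenSSL::Digest.new('SHA256'))
  crl
end

# Reasons a validator would refuse to use crl for certificates issued by
# ca_cert; an empty array means the CRL is usable at time `now`.
def crl_problems(crl, ca_cert, now: Time.now)
  problems = []
  problems << 'CRL issuer DN does not match the CA subject DN' if crl.issuer.to_s != ca_cert.subject.to_s
  key_usage = ca_cert.extensions.find { |ext| ext.oid == 'keyUsage' }
  problems << 'CA certificate lacks the cRLSign key usage' if key_usage && !key_usage.value.include?('CRL Sign')
  problems << 'CRL signature does not verify with the CA public key' unless crl.verify(ca_cert.public_key)
  problems << 'CRL thisUpdate is in the future' if now < crl.last_update
  problems << 'CRL nextUpdate has passed (stale CRL)' if crl.next_update && now > crl.next_update
  problems
end

# True when the CRL lists this serial number as revoked.
def revoked?(crl, serial)
  crl.revoked.any? { |entry| entry.serial.to_i == serial }
end

if __FILE__ == $PROGRAM_NAME
  ca_key, ca_cert = make_ca
  crl = make_crl(ca_key, ca_cert, [0x1234])
  puts "fresh CRL from the CA key: #{crl_problems(crl, ca_cert).inspect}"
  # Same DN, different key: what a regenerated CA plus an old CRL looks like.
  other_key, other_cert = make_ca
  puts "CRL from another key:     #{crl_problems(make_crl(other_key, other_cert, []), ca_cert).inspect}"
  puts "48h later:                #{crl_problems(crl, ca_cert, now: hours_from_now(48)).inspect}"
end
```

To run the same checks on a real pair, load them with OpenSSL::X509::Certificate.new(File.read(ca_path)) and OpenSSL::X509::CRL.new(File.read(crl_path)) using the cacrl/hostcrl paths named in the post, and call crl_problems on the result; whichever message comes back is the reason the JDK's "approved crls.size()" stayed at zero.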

Re: [Puppet Users] Custom Facts using awk

2017-03-24 Thread Joshua Schaeffer
Sorry, I may have been ambiguous with the file extensions.

A text file should end in .txt. This means you define external facts like 
this:

# This is a plain text file that defines two external facts
my_fact1=my_value1
my_fact2=my_value2

An executable program or script should end in whatever extension it is 
written in (e.g. .sh, .py, .java, etc.). When defining external facts with 
executable scripts or programs what is necessary is that the execute bit is 
set and that the puppet agent can execute them.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/01432219-d29a-4af1-acfb-63c60f646bd9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [Puppet Users] Custom Facts using awk

2017-03-24 Thread Joshua Schaeffer
Yes, you can put multiple key=value pairs in a single file. Puppet v4 
supports three known types:


   1. YAML (must end in .yaml)
   2. JSON (must end in .json)
   3. Text (must end in .txt)

When working with .txt files you can only define string values. Arrays and 
hashes are not supported. Also, if your file is a program or script it must 
be executable (execute bit set). The script itself must output key=value. 
So what is required is the:

echo "my_fact=my_value"

This would create the fact called "my_fact" and it would set the value of it 
to "my_value". I don't mess around with external facts too much so I'm not 
100% positive if you can perform the evaluation in the fact declaration, 
but my assumption is you can. What is required is that the key=value 
statement is echo'd to the stdout and that what is echo'd to stdout is the 
literal fact name equal to the literal value. As long as bash performs its 
operations properly then the literal values would be output, not the 
expression. Puppet then will pick up the stdout stream and set the fact 
accordingly. Again, this is all an educated guess. Probably should have tested 
it myself, but I'll leave that to you. :)

Hope that helps,
Joshua Schaeffer

P.S.

Executable facts on Windows should be known extension types as well and can 
include:

   - .com or .exe
   - .ps1 (PowerShell)
   - .cmd or .bat (batch script)

On Wednesday, March 22, 2017 at 5:49:53 PM UTC-6, Warron French wrote:
>
> Thanks Rob.  I will try both approaches; for me there is more appeal in 
> simply using a shell script.
>
> Peter, can I generate multiple key=value pairs inside the same shell 
> script?  I don't explicitly have to do it the way you presented with 
>
> key="key_name"
> value="evaluated_expression"
>
> echo "${key}=${value}"
>
> Do I?
>
> Can I simply skip the key="key_name" part and just do the 
> expression_evaluation assigned to a variable and then echo them together?
>
> Perhaps I can write shell functions and execute them all?
>
> --
> Warron French
>
>
> On Wed, Mar 22, 2017 at 7:35 PM, Rob Nelson wrote:
>
>> That's probably one of the best ways to do this. But...
>>
>> You CAN use double quotes around a string. You will need to escape 
>> characters that will otherwise be interpolated like double quotes and 
>> dollar signs. I'm going off memory but I think `"awk '{print \$1_\$2}'"` 
>> should interpolate to `awk '{print $1_$2}'` properly. This is often tedious 
>> and may require some trial and error to ensure both the double quotes and 
>> the system call that uses it don't interpolate too much but it can work.
>>
>> On Wed, Mar 22, 2017 at 7:07 PM Peter Bukowinski wrote:
>>
>>> Hi Warron,
>>>
>>> I'd consider using an external, executable fact to avoid ruby altogether.
>>>
>>>   
>>> https://docs.puppet.com/facter/3.6/custom_facts.html#executable-facts-unix
>>>
>>> Basically, you can write a bash script (or use any language you want),
>>> drop it into '//facts.d/' on your puppet server,
>>> and it will be synced to all your nodes (assuming you use pluginsync).
>>>
>>> The only requirement for executable fact scripts is that they must
>>> return key/value pairs in the format 'key=value'. Multiple keys/values
>>> get their own line. In your case, you could do something like this:
>>>
>>> -
>>> #!/bin/bash
>>>
>>> key="qty_monitors_total"
>>> value=$(your parsing command for /var/log/Xorg.0.log here)
>>>
>>> echo "${key}=${value}"
>>> -
>>>
>>> Save the file as an executable script in the above mentioned path and
>>> it should be available on the next puppet run.
>>>
>>> On Wed, Mar 22, 2017 at 3:24 PM, warron.french wrote:
>>> > Hello, I have finally learned how to write a Custom Fact; and duplicated
>>> > the syntax several times over inside the same .rb file.
>>> >
>>> > I am using syntax that looks like the following:
>>> >
>>> > Facter.add('qty_monitors_total') do
>>> >   setcode do
>>> >     Facter::Util::Resolution.exec('/bin/grep " connected" /var/log/Xorg.0.log | cut -d\) -f2,3,4 | grep GPU |sort -u | wc -l')
>>> >   end
>>> > end
>>> >
>>> > I don't know of any other way to do this yet; but that's not my concern
>>> > yet.
>>> >
>>> > What I would like to know is how can I use an awk command within the
>>> > Facter::Util::Resolution.exec('.') line.
>>> >
>>> > I have a need to essentially reproduce the line above but drop wc -l and
>>> > add awk '{ print $2"_"$3"_on_"$1$4 }'
>>> >
>>> > I need the awk command to pretty much look like this; the problem is awk
>>> > uses its own single quotes (') and it will break the ruby code.
>>> >
>>> > I am not a ruby developer; so if someone could either tell me:
>>> >
>>> > It's just not possible; or
>>> > do it this way
>>> >
>>> >
>>> > That would be greatly appreciated.  Thank you,
>>> >
>>> > --
>>> > Warron French
>>> >
>>> > --
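[Editor's note, not part of the thread above.] The quoting problem Warron hit has a simpler answer than Rob's escaped double quotes: Ruby's %q{...} literal behaves like a single-quoted string but uses braces as its delimiter, so the awk program's own single quotes can sit inside it untouched. The Ruby below is an added example (not code posted in the thread and not Facter's own code) showing both spellings side by side, plus the multi-value fact that Joshua and Peter describe, run against a constructed Xorg.0.log excerpt so the result can be checked offline. The log line format is assumed from the asker's pipeline (NVIDIA "(GPU-n)" lines ending in ": connected"); MONITOR_LINES, run_pipeline, qty_monitors_total and monitor_names are names invented for the example. The pipeline is fed on stdin here instead of reading /var/log/Xorg.0.log, which is what the Facter.add block at the bottom does when the file is loaded by Facter.

```ruby
# Added example, not code from the thread: two ways to hold an awk program
# (with its single quotes) in a Ruby string, and the asker's pipeline run
# over a constructed Xorg.0.log excerpt.  Needs sh, grep, cut, sort and awk.

# Constructed sample in the assumed NVIDIA log format.  The DFP-1 "connected"
# line appears twice on purpose so that "sort -u" has something to collapse;
# the modeset line has no "GPU" and must be filtered out.
XORG_SAMPLE = <<~'LOG'
  [    25.641] (--) NVIDIA(GPU-0): DELL U2412M (DFP-1): connected
  [    25.641] (--) NVIDIA(GPU-0): DELL U2412M (DFP-1): Internal TMDS
  [    25.642] (--) NVIDIA(GPU-0): ACER X223W (DFP-3): connected
  [    25.642] (--) NVIDIA(GPU-0): ACER X223W (DFP-3): External TMDS
  [    25.643] (--) NVIDIA(GPU-0): DELL U2412M (DFP-1): connected
  [    25.650] (II) modeset(0): Output HDMI-1 connected
LOG

# The shared part of the asker's pipeline, reading stdin instead of a file.
# A plain single-quoted Ruby string is fine here: "\)" passes through as-is.
MONITOR_LINES = 'grep " connected" | cut -d\) -f2,3,4 | grep GPU | sort -u'

# Option 1: %q{} is a single-quoted literal with a different delimiter, so the
# awk program's single quotes and dollar signs need no escaping at all.
AWK_FORMAT = %q{awk '{ print $2"_"$3"_on_"$1$4 }'}

# Option 2: a double-quoted literal also works, but every $ and " must be
# escaped or Ruby interpolates/terminates the string.  Same result as above.
AWK_FORMAT_DQ = "awk '{ print \$2\"_\"\$3\"_on_\"\$1\$4 }'"

# Run a shell pipeline with `input` on stdin; return its stdout lines.
def run_pipeline(cmd, input)
  IO.popen(['sh', '-c', cmd], 'r+') do |io|
    io.write(input)
    io.close_write
    io.read.lines.map(&:chomp)
  end
end

# The asker's original fact: number of distinct connected GPU outputs.
def qty_monitors_total(log = XORG_SAMPLE)
  run_pipeline("#{MONITOR_LINES} | wc -l", log).first.to_i
end

# The fact the asker wanted next: one "MODEL_on_GPU(PORT)" entry per output.
def monitor_names(log = XORG_SAMPLE)
  run_pipeline("#{MONITOR_LINES} | #{AWK_FORMAT}", log)
end

# Facter wiring, active only when Facter loads this file (e.g. from
# lib/facter/ of a module synced by pluginsync).
if defined?(Facter)
  Facter.add('qty_monitors_total') do
    setcode { qty_monitors_total(File.read('/var/log/Xorg.0.log')) }
  end
  Facter.add('monitor_names') do
    setcode { monitor_names(File.read('/var/log/Xorg.0.log')).join(',') }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "quoting agrees: #{AWK_FORMAT == AWK_FORMAT_DQ}"
  puts "qty_monitors_total=#{qty_monitors_total}"
  monitor_names.each { |name| puts "monitor: #{name}" }
end
```

Two things worth noticing when adapting this: the pipeline relies on the log's ")" placement, so a different driver's format needs a different cut/awk, and whatever the fact produces is handed to Puppet as a plain string, which is why the second fact joins its lines with commas rather than returning an array.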

Re: [Puppet Users] Integrating Puppet (v3.8) with Vault as the Puppet Master CA?

2017-03-24 Thread Turbo Fredriksson
On Friday, March 10, 2017 at 10:28:06 AM UTC, waz0wski wrote:
>
> Are you hard-set on using Vault?
>

No, but it has features that I'm interested in exploring more. Such as the 
SSH OTP backend.

I could see myself using that at least.
 

> I use FreeIPA, which includes PKI management (via Dogtag), and can be used 
> as the CA for puppet and also issue the per-node certs.
>

I've only heard about FreeIPA in passing. I'll have a look at it, thanx!
 

> Technically, Foreman is doing the work for me
>

Sounds a little like MCollective (?) - which I'm currently using (with 
great success I might add).

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/6c5f6830-8cc2-4c59-bd35-a643582959f0%40googlegroups.com.


Re: [Puppet Users] Re: virtual resource realizing by require?

2017-03-24 Thread jcbollinger


On Thursday, March 23, 2017 at 11:23:07 AM UTC-5, garima singh wrote:
>
> Hi,
>
> I was wondering if you could find a solution to putting virtual resource 
> as target to require metaparameter.
>


There is no inherent problem with making a resource depend on a virtual 
resource.  It is syntactically valid, and in itself it is semantically 
valid.  The problem arises if that resource is never realized for the 
target machine, and I suppose that's the issue you want help with.

> I have to ensure that some resource is run only when a particular virtual 
> resource is run and successful.
>
Every concrete resource in the catalog is applied to the target machine.  
If you want a given resource to not be applied under certain circumstances, 
then you must ensure that it is declared only virtually if at all.  Virtual 
resource realization does not cascade along dependencies; if you're looking 
for a way to make that happen, then you need to take a step back and 
re-think your approach.

Your best option may be to wrap [realization of] the two resources in 
question in a class or defined type, so that you can cause them to be 
realized as a pair.  You may realize the same virtual resource multiple 
times with no ill effects, but this does not achieve the result of 
realization of one resource causing realization of the other.

You might also consider restructuring your manifest set to avoid relying on 
virtual resources at all.  These days it's more conventional to rely on 
external data (i.e. Hiera) to drive decisions about which classes and 
resources to declare, and this can replace the decision of whether to 
*realize* a declared virtual resource with a decision of whether to 
*declare* an ordinary resource in the first place.


John

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/3aed0c24-9fef-46ca-8120-f7d1a787807e%40googlegroups.com.