[Puppet Users] puppet kick failing
puppet kick ceased working for me when I upgraded to 2.6.3; I've also tried it with 2.7.10 and get the same result:

    r...@npuppet.ucar.edu $ puppet kick vanilla.cms.ucar.edu
    Triggering vanilla.cms.ucar.edu
    Host vanilla.cms.ucar.edu failed: Server hostname 'vanilla.cms.ucar.edu' did not match server certificate; expected ca
    vanilla.cms.ucar.edu finished with exit code 2
    Failed: vanilla.cms.ucar.edu

I've tried using --vardir and --ssldir flags, as suggested by http://projects.puppetlabs.com/issues/11431, but get the same result. Has anyone else seen this?

--
Dan Urist dur...@ucar.edu 303-497-2459

--
You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] puppet kick failing
On Fri, 24 Feb 2012 12:39:20 -0500 Adam Heinz a...@metricwise.net wrote:

> I upgraded from puppet 0.25.5 to 2.6.12 recently and ended up doing puppetca --clean then --sign again for each of my hosts. Seemed a bit brute force, but it got me out of the bind.

I tried cleaning out and regenerating the cert for my test client, but I get the same result-- I can run the agent successfully from the client, but puppet kick fails with the same error.

> On Fri, Feb 24, 2012 at 12:30 PM, Dan Urist dur...@ucar.edu wrote:
>
> > puppet kick ceased working for me when I upgraded to 2.6.3; I've also tried it with 2.7.10 and get the same result:
> >
> >     r...@npuppet.ucar.edu $ puppet kick vanilla.cms.ucar.edu
> >     Triggering vanilla.cms.ucar.edu
> >     Host vanilla.cms.ucar.edu failed: Server hostname 'vanilla.cms.ucar.edu' did not match server certificate; expected ca
> >     vanilla.cms.ucar.edu finished with exit code 2
> >     Failed: vanilla.cms.ucar.edu
> >
> > I've tried using --vardir and --ssldir flags, as suggested by http://projects.puppetlabs.com/issues/11431, but get the same result. Has anyone else seen this?

--
Dan Urist dur...@ucar.edu 303-497-2459
Re: [Puppet Users] puppet kick failing
Never mind-- the issue was that my client is a virtual server (linux vserver) and the host's puppet agent had the default bind address of 0.0.0.0, so it was grabbing all the addresses and the agent couldn't start on the vserver. I changed the bind address for the host, started the agent on the client and now puppet kick is working. The errors were a bit cryptic, though...

On Fri, 24 Feb 2012 11:29:17 -0700 Dan Urist dur...@ucar.edu wrote:

> On Fri, 24 Feb 2012 12:39:20 -0500 Adam Heinz a...@metricwise.net wrote:
>
> > I upgraded from puppet 0.25.5 to 2.6.12 recently and ended up doing puppetca --clean then --sign again for each of my hosts. Seemed a bit brute force, but it got me out of the bind.
>
> I tried cleaning out and regenerating the cert for my test client, but I get the same result-- I can run the agent successfully from the client, but puppet kick fails with the same error.
>
> > On Fri, Feb 24, 2012 at 12:30 PM, Dan Urist dur...@ucar.edu wrote:
> >
> > > puppet kick ceased working for me when I upgraded to 2.6.3; I've also tried it with 2.7.10 and get the same result:
> > >
> > >     r...@npuppet.ucar.edu $ puppet kick vanilla.cms.ucar.edu
> > >     Triggering vanilla.cms.ucar.edu
> > >     Host vanilla.cms.ucar.edu failed: Server hostname 'vanilla.cms.ucar.edu' did not match server certificate; expected ca
> > >     vanilla.cms.ucar.edu finished with exit code 2
> > >     Failed: vanilla.cms.ucar.edu
> > >
> > > I've tried using --vardir and --ssldir flags, as suggested by http://projects.puppetlabs.com/issues/11431, but get the same result. Has anyone else seen this?

--
Dan Urist dur...@ucar.edu 303-497-2459
[Puppet Users] database server and port settings for puppet-dashboard
I'm trying to install puppet-dashboard v1.2.1. In database.yml.example there aren't any settings for the database server and port; neither are there any documented at http://docs.puppetlabs.com/dashboard/manual/1.2/bootstrapping.html

Does puppet dashboard require that its database be running on the local host on the default port?

--
Dan Urist dur...@ucar.edu 303-497-2459
Re: [Puppet Users] puppet repository from puppetlabs
2.6.3 is available from https://launchpad.net/~mathiaz/+archive/puppet-backports. I haven't had any issues with it.

On Thu, 16 Jun 2011 08:00:38 -0700 Craig White craig.wh...@ttiltd.com wrote:

> I installed using gem instead of Lucid packages - not exactly for that reason (we are using ruby-enterprise and not Lucid ruby packages).
>
> Craig
>
> On Jun 15, 2011, at 8:56 PM, Asif Iqbal wrote:
>
> > Hi All,
> >
> > Is there a ubuntu repository managed by puppetlabs? I am using lucid and latest puppet package it offers is 0.25.4. I could of course just download source, or a deb from debian or newer ubuntu, or get it using gem. But would be nice if there is a PPA available for lucid, cuz it would work nicely with routine upgrade.
> >
> > puppetdashboard worked nicely with the puppet labs ppa
> >
> >     deb http://apt.puppetlabs.com/ubuntu lucid main
> >
> > and deb-src
> >
> >     deb-src http://apt.puppetlabs.com/ubuntu lucid main
> >
> > Please advise.
> >
> > --
> > Asif Iqbal
> > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> > A: Because it messes up the order in which people normally read text.
> > Q: Why is top-posting such a bad thing?

--
Dan Urist dur...@ucar.edu 303-497-2459
[Puppet Users] puppet user parameters
From http://projects.puppetlabs.com/issues/5620, it appears puppet now supports password_min_age and password_max_age parameters for the user resource, though these aren't documented at http://docs.puppetlabs.com/guides/types/user.html (should I file a bug for this?)

Are these solaris-specific, or will they work elsewhere? (I could use this functionality on Debian/Ubuntu.) Are there other new params available?
[Puppet Users] Run stage introduces dependency cycle
A little background: I'm using puppet to manage the configurations of a group of linux vservers running Ubuntu Lucid. Ubuntu has switched to using upstart for their boot process; unfortunately there are some peculiar interactions with vservers which cause openssh to hang during upgrade, so I need to remove the upstart init script for openssh and revert back to the sysvrc script instead.

Since this needs to happen before any openssh upgrade, I've tried putting the code that does this into a class that will be run first, like this:

    class disable_upstart_for_sshd {
      file { '/etc/init/ssh.conf':
        ensure => absent
      }
      exec { '/usr/sbin/update-rc.d ssh defaults':
        creates => '/etc/rc3.d/S20ssh'
      }
    }

    stage { pre: before => Stage[main] }
    class { 'disable_upstart_for_sshd': stage => pre; }

Now, if /etc/init/ssh.conf exists, puppet will correctly remove it and the run will complete without error, but on the *next* and all subsequent puppet runs I get a long dependency cycle error. If /etc/init/ssh.conf does not exist, I get no errors (on multiple runs). If I remove the run stage code, I get no errors (on multiple runs). There are no explicit references to /etc/init/ssh.conf in any other modules (it's owned by the openssh-server package).

So, is this a bug?

--
Dan Urist dur...@ucar.edu 303-497-2459
Re: [Puppet Users] Run stage introduces dependency cycle
On Fri, 28 Jan 2011 09:58:31 -0800 Patrick kc7...@gmail.com wrote:

> On Jan 28, 2011, at 9:28 AM, Dan Urist wrote:
>
> > Now, if /etc/init/ssh.conf exists, puppet will correctly remove it and the run will complete without error, but on the *next* and all subsequent puppet runs I get a long dependency cycle error. If /etc/init/ssh.conf does not exist, I get no errors (on multiple runs). If I remove the run stage code, I get no errors (on multiple runs). There are no explicit references to /etc/init/ssh.conf in any other modules (it's owned by the openssh-server package).
>
> This shouldn't be possible. The dependencies should be calculated before puppet even checks if that file exists. I would first double-check to make sure you aren't changing puppet's environment with the first run or using a custom fact that changes depending on that file.

I don't have any custom facts; not sure what you mean by changing the environment, though?

--
Dan Urist dur...@ucar.edu 303-497-2459
Re: [Puppet Users] Run stage introduces dependency cycle
I've entered a bug for this: http://projects.puppetlabs.com/issues/6064

On Fri, 28 Jan 2011 11:01:53 -0700 Dan Urist dur...@ucar.edu wrote:

> On Fri, 28 Jan 2011 09:58:31 -0800 Patrick kc7...@gmail.com wrote:
>
> > On Jan 28, 2011, at 9:28 AM, Dan Urist wrote:
> >
> > > Now, if /etc/init/ssh.conf exists, puppet will correctly remove it and the run will complete without error, but on the *next* and all subsequent puppet runs I get a long dependency cycle error. If /etc/init/ssh.conf does not exist, I get no errors (on multiple runs). If I remove the run stage code, I get no errors (on multiple runs). There are no explicit references to /etc/init/ssh.conf in any other modules (it's owned by the openssh-server package).
> >
> > This shouldn't be possible. The dependencies should be calculated before puppet even checks if that file exists. I would first double-check to make sure you aren't changing puppet's environment with the first run or using a custom fact that changes depending on that file.
>
> I don't have any custom facts; not sure what you mean by changing the environment, though?

--
Dan Urist dur...@ucar.edu 303-497-2459
Re: [Puppet Users] Run stage introduces dependency cycle
On Fri, 28 Jan 2011 11:13:18 -0800 Nan Liu n...@puppetlabs.com wrote:

> This does not appear to be a bug. There's an implicit dependency for the file /etc/init/ssh.conf on file resource /etc/init. File /etc/init is in stage main, and File /etc/init/ssh.conf is in stage pre, which causes a dependency loop.
>
> In this case, I would simply make the ssh package depend on the changes you've implemented.
>
>     package { ssh:
>       ensure  => latest,
>       require => Class[disable_upstart_for_sshd],
>     }

I have a module for openssh; the problem with this approach is that I wanted to keep that module as generic as possible so I can use it on other OS versions where this hack isn't necessary. Do you have a suggestion for a more general workaround?

--
Dan Urist dur...@ucar.edu 303-497-2459
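
Added example (not part of the original thread, and not Puppet's own code): a simplified Ruby model of the loop described in Nan Liu's reply, where stage ordering puts File[/etc/init/ssh.conf] ahead of everything in stage main while the file type's autorequire puts the parent directory File[/etc/init] ahead of it. Resource, ordering_edges, find_cycle and cycle_for are hypothetical names, and the catalog assumes, as the reply states, that /etc/init is a managed file resource in stage main.

```ruby
# Simplified model of resource ordering, for illustration only.
Resource = Struct.new(:ref, :stage)

# Build [before, after] edges from stage ordering and file autorequire.
def ordering_edges(resources, stage_order)
  edges = []
  # Stage ordering: every resource in an earlier stage precedes every
  # resource in a later stage.
  stage_order.combination(2) do |earlier, later|
    firsts = resources.select { |r| r.stage == earlier }
    lasts  = resources.select { |r| r.stage == later }
    firsts.product(lasts).each { |a, b| edges << [a.ref, b.ref] }
  end
  # Autorequire: a File depends on its parent directory when that directory
  # is itself a File resource in the catalog.
  refs = resources.map(&:ref)
  resources.each do |r|
    path = r.ref[/\AFile\[(.+)\]\z/, 1]
    next unless path
    parent = "File[#{File.dirname(path)}]"
    edges << [parent, r.ref] if parent != r.ref && refs.include?(parent)
  end
  edges
end

# Depth-first search; returns the first cycle found as a list of refs
# (first element repeated at the end), or nil when the graph is acyclic.
def find_cycle(edges)
  graph = Hash.new { |h, k| h[k] = [] }
  edges.each { |from, to| graph[from] << to }
  state = {}
  graph.keys.each do |start|
    cycle = walk(start, graph, state, [])
    return cycle if cycle
  end
  nil
end

def walk(node, graph, state, stack)
  return nil if state[node] == :done
  return stack[stack.index(node)..-1] + [node] if state[node] == :active
  state[node] = :active
  stack.push(node)
  graph.fetch(node, []).each do |nxt|
    cycle = walk(nxt, graph, state, stack)
    return cycle if cycle
  end
  stack.pop
  state[node] = :done
  nil
end

def cycle_for(resources, stage_order, extra_edges = [])
  find_cycle(ordering_edges(resources, stage_order) + extra_edges)
end

# Constructed catalog matching the thread: the class's resources are in
# stage pre; File[/etc/init] (assumed managed) and the package are in main.
STAGED = [
  Resource.new('File[/etc/init/ssh.conf]', :pre),
  Resource.new('Exec[/usr/sbin/update-rc.d ssh defaults]', :pre),
  Resource.new('File[/etc/init]', :main),
  Resource.new('Package[openssh-server]', :main)
].freeze

# The suggestion from the reply: no run stage, the package requires the class.
UNSTAGED = STAGED.map { |r| Resource.new(r.ref, :main) }.freeze
REQUIRES = [
  ['File[/etc/init/ssh.conf]', 'Package[openssh-server]'],
  ['Exec[/usr/sbin/update-rc.d ssh defaults]', 'Package[openssh-server]']
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "with run stage: #{cycle_for(STAGED, %i[pre main]).inspect}"
  puts "with require:   #{cycle_for(UNSTAGED, [:main], REQUIRES).inspect}"
end
```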
Re: [Puppet Users] Run stage introduces dependency cycle
On Fri, 28 Jan 2011 11:40:38 -0800 Nan Liu n...@puppetlabs.com wrote:

> You can require disable_upstart class as a conditional by operating system and it should be part of your ssh module rather than a separate class.

If I understand correctly, you mean I shouldn't use run stages at all. The problem with this approach is that I want to keep my openssh module as general as possible, so only do this behavior when running in a vserver. I guess I could try to use a custom fact for this, but I'd rather not have that logic in the openssh module (I have another module that handles configuration specific to vservers, so would prefer to keep it there).

This seems like a reasonable use case for run stages.

--
Dan Urist dur...@ucar.edu 303-497-2459
[Puppet Users] Exec dependent on directory
I have the following test code in a manifest:

    file { '/tmp/testdir':
      ensure   => directory,
      owner    => root,
      group    => root,
      mode     => 0755,
      checksum => mtime;
    }

    exec { 'testdir_updated':
      command     => 'touch /tmp/testdir_updated',
      subscribe   => File['/tmp/testdir'],
      refreshonly => true;
    }

This doesn't appear to work; i.e. if I touch /tmp/testdir or add a file to it (which changes the mtime of the directory), the exec doesn't get run. It runs with every puppetd invocation if I remove 'refreshonly => true'.

I'm using puppet v.2.6.1 on Ubuntu Lucid. I could swear this used to work, and I thought this is/was a common technique. Am I missing something, or is this a bug?

--
Dan Urist dur...@ucar.edu 303-497-2459
[Puppet Users] Re: nginx + passenger + puppetmaster
I've switched to using nginx+unicorn, and haven't had any issues. The only hassle for me is that I'm running it under Ubuntu, and unicorn isn't (yet) packaged by Debian/Ubuntu, so I had to install it via gems and don't have the advantage of automated updates.

On Thu, 23 Sep 2010 07:40:21 -0700 (PDT) Jakub Heichman kuba.heich...@gmail.com wrote:

> On 29 June, 19:44, Dan Urist dur...@ucar.edu wrote:
>
> > I have this in my puppet.conf:
> >
> >     [puppetmasterd]
> >     ssl_client_header = SSL_CLIENT_S_DN
> >     ssl_client_verify_header = SSL_CLIENT_VERIFY
> >
> > [..]
> >
> >     proxy_set_header Host $host;
> >     proxy_set_header X-Real-IP $remote_addr;
> >     proxy_set_header X-Forwarded-For
>
> Hi Dan,
>
> I had the same problem, it looks like 'proxy_set_header' option will not have any effect with Passenger module. I had to install Passenger 3 (beta) and use 'passenger_set_cgi_param' options instead. This seems to work for me:
>
> nginx.conf:
>
>     passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
>     passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
>
>     [puppetmasterd]
>     ssl_client_header = HTTP_X_CLIENT_DN
>     ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
>
> Kind regards,
> Jakub

--
Dan Urist dur...@ucar.edu 303-497-2459
[Puppet Users] redmine workflow
If I have an issue with status "Needs more information" and I've added more information, should I update the status to "Ready for testing"? I haven't submitted a patch, just more information. The only other option available to me is "Closed".

--
Dan Urist dur...@ucar.edu 303-497-2459
[Puppet Users] Easiest way to create named pipes?
Can the puppet file type create named pipes (fifo's)? This doesn't seem to be an option for the ensure parameter, but there's also a type parameter, though the docs describe it as "A read-only state to check the file type"; not sure what that's for? Or do I need to use mkfifo in an exec?

--
Dan Urist dur...@ucar.edu 303-497-2459
Re: [Puppet Users] files/templates from sub-modules
On Fri, 10 Sep 2010 15:13:06 -0700 Nigel Kersten nig...@google.com wrote:

> On Fri, Sep 10, 2010 at 3:02 PM, Dan Urist dur...@ucar.edu wrote:
>
> > Is it possible to have a sub-module that has its own files and templates directories? For example, if I create a sub-module base::logrotate with a template path like this:
> >
> >     base/logrotate/templates
> >
> > I've tried this, but when I try to access a template from my base class with a relative URL like this
> >
> >     template("base/logrotate/logrotate.conf")
>
> filesystem path: base/templates/logrotate/logrotate.conf
>
> works with template("base/logrotate/logrotate.conf")
>
> Does that make more sense?

Yes! Thanks.

--
Dan Urist dur...@ucar.edu 303-497-2459
[Puppet Users] files/templates from sub-modules
Is it possible to have a sub-module that has its own files and templates directories? For example, if I create a sub-module base::logrotate with a template path like this:

    base/logrotate/templates

I've tried this, but when I try to access a template from my base class with a relative URL like this

    template("base/logrotate/logrotate.conf")

it can't find it.

Also, a little background, just in case there's a better solution for what I want to do. I've split up my modules into two directories, package and node. The package directory contains generic modules to configure packages and related groups of packages; the node directory contains modules to configure classes of nodes for my site. These are site-specific and heritable (for example, I have base = vserver = drupalvserver).

Since I want to keep the package modules completely generic so I can use them from within different node modules (I will have apachevserver in future, etc.), it makes sense for site-specific files and templates to live within the node module hierarchy. The problem is, it's difficult to keep track of which files/templates are associated with which package modules, and there are namespace collisions; e.g. the nginx package has an nginx.conf file, but so does the logrotate package. To get around this I've been naming them PACKAGE_filename, but it would be much cleaner to have sub-modules for my node packages, named for their respective package modules, that would contain their files/templates.

Hope that makes sense...

--
Dan Urist dur...@ucar.edu 303-497-2459
[Puppet Users] file() function requires absolute paths?
I have the following in my puppet.conf, to define an environment called dev:

    [dev]
    manifest=/usr/local/puppet/dev/site.pp
    modulepath=/usr/local/puppet/dev/modules/package:/usr/local/puppet/dev/modules/node

My rationale for this is that I'm splitting my modules into two types-- a package type that handles configuration of individual packages and is generic, and a node type that defines classes of nodes and has site-specific configuration.

I have the following in one of my node classes:

    include monit
    monit::monitrc { monitrc:
      content => file("puppet://$servername/modules/vserver/monitrc")
    }

The absolute path of the monitrc file is /usr/local/puppet/dev/modules/node/vserver/files/monitrc.

Unfortunately, this is giving me the error "Files must be fully qualified". I've also tried a puppet:/// URL and a relative path with the same result.

Does the file() function only support fully qualified paths? This seems inconsistent, since the template() function appears to support at least relative paths according to http://docs.reductivelabs.com/guides/modules.html.

--
Dan Urist dur...@ucar.edu 303-497-2459
Re: [Puppet Users] file() function requires absolute paths?
On Thu, 9 Sep 2010 10:24:13 -0700 Jeff McCune j...@puppetlabs.com wrote:

> On Thu, Sep 9, 2010 at 10:19 AM, Dan Urist dur...@ucar.edu wrote:
>
> > [snip]
> > Does the file() function only support fully qualified paths?
>
> Yes. I recommend looking into copying the logic from the template() function into the file() function and submitting a patch.
>
> Alternatively, you could use the template() function and just not have any erb in the template.

Thanks for the clarification; unfortunately I don't have time to work up a patch, but I have submitted a feature request: http://projects.reductivelabs.com/issues/4749

--
Dan Urist dur...@ucar.edu 303-497-2459
Re: [Puppet Users] Errors in 2.6.1
On Mon, 6 Sep 2010 16:52:05 -0700 Nigel Kersten nig...@google.com wrote:

> I've actually always considered this to be relatively comprehensible.
>
> Client and server start with a clean slate.
> Client requests module X
> Server parses module X via autoloading, complains about parse error.
> Client requests module X
> Server tells you it can't find it as it's not going to reattempt parsing unless the file changes.
>
> Does it really impact upon debugging that much?

I've also found the inconsistency in the errors very confusing, but this explanation makes perfect sense.

> What do you think makes more sense? To not present the parsing error to the client at all? Or to continuously try and parse manifests even though the server thinks that they have a parse error?

Maybe cache the error for consistency if that's not too much work, or at least document the behavior, maybe as a FAQ?

--
Dan Urist dur...@ucar.edu 303-497-2459
Re: [Puppet Users] variable set in site.pp not visible in nodes.pp
On Thu, 02 Sep 2010 23:32:43 +0200 Peter Meier peter.me...@immerda.ch wrote:

> > I have another glitch with 2.6.1-rc2 that worked in 0.25-- I set a global variable in my site.pp that is used in my nodes.pp, but it's no longer set there, though it still is in my modules. Is this a bug, or a design change?
>
> I have a similar setup that works. But do you set it before or after you import nodes.pp? And do you have a minimal setup that reproduces that?

I've done a little bit more digging, and it looks like the variable is set within a node definition, but not outside it.

site.pp:

    $testvar = "TESTVAR_VALUE"
    import "nodes"

nodes.pp:

    notice("testvar outside node is: ${testvar}")
    node 'test.puppet.cms.ucar.edu' {
      notice("testvar inside node is: ${testvar}")
    }

In my logs, I get:

    puppet-master[3757]: (Scope(Class[main])) testvar outside node is:
    puppet-master[3757]: (Scope(Node[test.puppet.cms.ucar.edu])) testvar inside node is: TESTVAR_VALUE

If I then attempt to assign the variable in nodes.pp, but outside of the node definition, I get an error:

nodes.pp:

    $testvar = "TESTVAR_SET_IN_NODES"
    notice("testvar outside node is: ${testvar}")
    node 'test.puppet.cms.ucar.edu' {
      notice("testvar inside node is: ${testvar}")
    }

Here's the error log entry:

    puppet-master[3754]: (Scope(Class[main])) testvar outside node is: TESTVAR_SET_IN_NODES
    puppet-master[3754]: Cannot reassign variable testvar at /usr/local/puppet/dev/site.pp:18 on node test.puppet.cms.ucar.edu
    puppet-master[3754]: Cannot reassign variable testvar at /usr/local/puppet/dev/site.pp:18 on node test.puppet.cms.ucar.edu

So it looks like there are two different scopes now? In 0.25, I was setting the variable outside of the node definition; I was using this to set some path variables. Is this a bug, or was this change intended?
Re: [Puppet Users] variable set in site.pp not visible in nodes.pp
On Fri, 03 Sep 2010 17:39:46 +0200 Peter Meier peter.me...@immerda.ch wrote:

> > So it looks like there are two different scopes now? In 0.25, I was setting the variable outside of the node definition; I was using this to set some path variables. Is this a bug, or was this change intended?
>
> Hmm, the only difference to how I use such variables is that I have everything within the site.pp, so the variable declaration and the nodes. Can you try if that works?

That does indeed work.

> What I could imagine is that imports are now evaluated before variables. But if this is a behavior change between 0.25 and 2.6 you should file a bug report. At least it should be documented.

That seems like a pretty major change in behavior to me... global variables are no longer really global? Anyway, I've filed a bug: http://projects.reductivelabs.com/issues/4717

Thanks for your help.

--
Dan Urist dur...@ucar.edu 303-497-2459
[Puppet Users] $name uppercased
I'm not sure if this is a bug or an intentional change, but I'm seeing the $name variable in my manifests initial-uppercased in 2.6.1-rc2; 0.25 didn't do this. Since I use this to generate some path variables in my modules, I now have to downcase it with an inline_template, which isn't a major inconvenience but certainly isn't pretty. Should I report this as a bug, or was this an intended change that I missed?

--
Dan Urist dur...@ucar.edu 303-497-2459
[Puppet Users] variable set in site.pp not visible in nodes.pp
I have another glitch with 2.6.1-rc2 that worked in 0.25-- I set a global variable in my site.pp that is used in my nodes.pp, but it's no longer set there, though it still is in my modules. Is this a bug, or a design change?

--
Dan Urist dur...@ucar.edu 303-497-2459
Re: [Puppet Users] auth failure under unicorn with 2.6.1rc2
I took your suggestion and tried Puppet.notice() statements in rest.rb and was able to dump out the whole request (after a crash course in ruby syntax). I didn't realize there was a mapping from the nginx config file parameters to the actual request parameters; this appears to have fixed it in puppet.conf (these are the actual request parameters):

    ssl_client_header = HTTP_X_CLIENT_DN
    ssl_client_verify_header = HTTP_X_CLIENT_VERIFY

The relevant lines from my nginx config are:

    proxy_set_header X-Client-Verify $ssl_client_verify;
    proxy_set_header X-Client-DN $ssl_client_s_dn;

Thanks for your help.

On Fri, 27 Aug 2010 09:34:03 +0200 Brice Figureau brice-pup...@daysofwonder.com wrote:
> On Thu, 2010-08-26 at 15:09 -0600, Dan Urist wrote:
>> On Thu, 26 Aug 2010 22:34:59 +0200 Brice Figureau brice-pup...@daysofwonder.com wrote:
>>> On 26/08/10 21:55, Dan Urist wrote:
>>>> I'm trying to set up a puppetmaster under unicorn using the ubuntu maverick packages (currently at version 2.6.1rc2), and I'm getting the following error:
>>>>
>>>> r...@test.puppet.cms.ucar.edu $ puppetd -t
>>>> err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: test.puppet.cms.ucar.edu(128.117.224.193) access to /catalog/test.puppet.cms.ucar.edu [find] at line 98
>>>> warning: Not using cache on failed catalog
>>>> err: Could not retrieve catalog; skipping run
>>>>
>>>> I'm using the standard auth.conf, but if I turn off auth by adding this to the top of the file everything works:
>>>>
>>>> path /
>>>> auth no
>>>> allow *
>>>
>>> Of course you understand the security risk if you run with this auth.conf :)
>>
>> Yes, I just tried this for testing.
>
> OK, I prefer to check :)
>
>>>> Has anyone seen this, or know of a workaround?
>>>
>>> The usual cause is that the SSL end point didn't propagate to the master the fact that this node's certificate validates. This is usually done by adding some HTTP headers in the request, and you need to tell puppet what those headers are.
>>>
>>> For rack you need to set:
>>>
>>> [puppetmasterd]
>>> ssl_client_header = SSL_CLIENT_S_DN
>>> ssl_client_verify_header = SSL_CLIENT_VERIFY
>>
>> I have this, but it's under master rather than puppetmasterd. I've tried it under puppetmasterd and I'm getting the same failure.
>
> Yes, you should use master for 2.6, but puppetmasterd for 0.25.
>
>>> Of course you also need to configure the ssl endpoint to set those headers when the certificate is valid (and also when it's invalid). You didn't mention what was the SSL endpoint in your configuration so I can't really help for this.
>>
>> I'm using nginx, and I've followed the docs at: http://projects.puppetlabs.com/projects/1/wiki/Using_Unicorn
>>
>> The relevant parts of my nginx config, per the doc, are:
>>
>> proxy_set_header Host $host;
>> proxy_set_header X-Real-IP $remote_addr;
>> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>> proxy_set_header X-Client-Verify $ssl_client_verify;
>> proxy_set_header X-Client-DN $ssl_client_s_dn;
>
> Note that the config snippets I sent you refer to those headers as SSL_CLIENT_VERIFY and not X_CLIENT_VERIFY. Either correct the configuration or nginx, but both should use the same header names.
>
>> proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
>> proxy_read_timeout 120;
>>
>> So as far as I can see, those headers are being set. Any hints on debugging this?
>
> There are several possibilities:
> * check puppet uses the correct $ssldir. I've already seen people using a different $ssldir when running the master differently, in which case the master regenerates a CA, and client certs are not compatible anymore.
> * check that the client cert is valid (ie it was signed by your master current $ssldir CA). This can be done with openssl
> * run nginx in debug mode to check it sets correctly the upstream headers
> * use tcpdump/wireshark to capture the http traffic between nginx and unicorn and check the headers are there and correct.
> * add some Puppet.notice() statements in puppet ruby rack adapter (in lib/puppet/network/http/rack/rest.rb) around line 93 to print the various values and which branch of the if is taken.
>
> Hope that helps,

-- Dan Urist dur...@ucar.edu 303-497-2459
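The header-name mapping that resolved the 403 in the message above, as an added example that is not part of the thread and not Puppet's own code: it checks that the env keys named in puppet.conf are ones nginx actually sets. The helper names, the simplified `authenticated_node` model and the sample Rack env are assumptions constructed for illustration.

```ruby
# Added example, not Puppet's code. Helper names are hypothetical.

# Rack/CGI convention: request header "X-Client-DN" appears in the
# Rack env as "HTTP_X_CLIENT_DN" (upper-cased, "-" -> "_", "HTTP_" prefix).
def rack_env_key(header_name)
  "HTTP_" + header_name.upcase.tr("-", "_")
end

# Env keys produced by each `proxy_set_header NAME VALUE;` line.
def nginx_env_keys(nginx_conf)
  nginx_conf.scan(/^\s*proxy_set_header\s+(\S+)\s+[^;]+;/).flatten.map { |n| rack_env_key(n) }
end

# `key = value` settings from a puppet.conf snippet (section lines are skipped).
def puppet_settings(puppet_conf)
  puppet_conf.scan(/^\s*(\w+)\s*=\s*(\S+)/).to_h
end

# Settings that name an env key nginx never sets; empty means consistent.
def unmatched_settings(nginx_conf, puppet_conf)
  sent = nginx_env_keys(nginx_conf)
  wanted = puppet_settings(puppet_conf)
  %w[ssl_client_header ssl_client_verify_header].reject { |s| sent.include?(wanted[s]) }
end

# Simplified model (assumption) of the master's check: the node name is the
# CN of the DN header, trusted only when the verify header says SUCCESS.
def authenticated_node(env, settings)
  dn = env[settings["ssl_client_header"]]
  cn = dn && dn[/CN\s*=\s*([^\/,]+)/, 1]
  cn if env[settings["ssl_client_verify_header"]] == "SUCCESS"
end

NGINX = <<~CONF            # header lines quoted in the thread
  proxy_set_header X-Client-Verify $ssl_client_verify;
  proxy_set_header X-Client-DN $ssl_client_s_dn;
CONF
PUPPET_BEFORE = <<~CONF    # names first suggested in the thread
  [master]
  ssl_client_header = SSL_CLIENT_S_DN
  ssl_client_verify_header = SSL_CLIENT_VERIFY
CONF
PUPPET_AFTER = <<~CONF     # names that fixed the 403
  [master]
  ssl_client_header = HTTP_X_CLIENT_DN
  ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
CONF
# Constructed Rack env for a request whose client certificate verified.
SAMPLE_ENV = { "HTTP_X_CLIENT_DN" => "/CN=test.puppet.cms.ucar.edu",
               "HTTP_X_CLIENT_VERIFY" => "SUCCESS" }

p unmatched_settings(NGINX, PUPPET_BEFORE)
p authenticated_node(SAMPLE_ENV, puppet_settings(PUPPET_AFTER))
```

With the mismatched names the model finds no DN and treats the request as unauthenticated, which is the condition under which auth.conf rules that require authentication reject it.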
[Puppet Users] auth failure under unicorn with 2.6.1rc2
I'm trying to set up a puppetmaster under unicorn using the ubuntu maverick packages (currently at version 2.6.1rc2), and I'm getting the following error:

    r...@test.puppet.cms.ucar.edu $ puppetd -t
    err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: test.puppet.cms.ucar.edu(128.117.224.193) access to /catalog/test.puppet.cms.ucar.edu [find] at line 98
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run

I'm using the standard auth.conf, but if I turn off auth by adding this to the top of the file everything works:

    path /
    auth no
    allow *

Has anyone seen this, or know of a workaround?

-- Dan Urist dur...@ucar.edu 303-497-2459
Re: [Puppet Users] auth failure under unicorn with 2.6.1rc2
On Thu, 26 Aug 2010 22:34:59 +0200 Brice Figureau brice-pup...@daysofwonder.com wrote:
> On 26/08/10 21:55, Dan Urist wrote:
>> I'm trying to set up a puppetmaster under unicorn using the ubuntu maverick packages (currently at version 2.6.1rc2), and I'm getting the following error:
>>
>> r...@test.puppet.cms.ucar.edu $ puppetd -t
>> err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: test.puppet.cms.ucar.edu(128.117.224.193) access to /catalog/test.puppet.cms.ucar.edu [find] at line 98
>> warning: Not using cache on failed catalog
>> err: Could not retrieve catalog; skipping run
>>
>> I'm using the standard auth.conf, but if I turn off auth by adding this to the top of the file everything works:
>>
>> path /
>> auth no
>> allow *
>
> Of course you understand the security risk if you run with this auth.conf :)

Yes, I just tried this for testing.

>> Has anyone seen this, or know of a workaround?
>
> The usual cause is that the SSL end point didn't propagate to the master the fact that this node's certificate validates. This is usually done by adding some HTTP headers in the request, and you need to tell puppet what those headers are.
>
> For rack you need to set:
>
> [puppetmasterd]
> ssl_client_header = SSL_CLIENT_S_DN
> ssl_client_verify_header = SSL_CLIENT_VERIFY

I have this, but it's under master rather than puppetmasterd. I've tried it under puppetmasterd and I'm getting the same failure.

> Of course you also need to configure the ssl endpoint to set those headers when the certificate is valid (and also when it's invalid). You didn't mention what was the SSL endpoint in your configuration so I can't really help for this.

I'm using nginx, and I've followed the docs at: http://projects.puppetlabs.com/projects/1/wiki/Using_Unicorn

The relevant parts of my nginx config, per the doc, are:

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Client-Verify $ssl_client_verify;
    proxy_set_header X-Client-DN $ssl_client_s_dn;
    proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
    proxy_read_timeout 120;

So as far as I can see, those headers are being set. Any hints on debugging this?

-- Dan Urist dur...@ucar.edu 303-497-2459
Re: [Puppet Users] auth failure under unicorn with 2.6.1rc2
On Thu, 26 Aug 2010 16:58:19 -0400 Mathias Gug math...@ubuntu.com wrote:
> Hi,
>
> Excerpts from Brice Figureau's message of Thu Aug 26 16:34:59 -0400 2010:
>> On 26/08/10 21:55, Dan Urist wrote:
>>> I'm trying to set up a puppetmaster under unicorn using the ubuntu maverick packages (currently at version 2.6.1rc2)
>
> Starting from maverick you may wanna look at the puppetmaster-passenger package. Installing this package will automatically setup puppetmaster to run under apache2 + mod_ssl + mod_passenger. apache2 ssl configuration is automatically done by the package itself.

I have a working puppet server running under apache/passenger for 0.25.4; I'd really like to get it running under nginx for performance and consistency, though, since that's what most of the rest of my site is using.

-- Dan Urist dur...@ucar.edu 303-497-2459
[Puppet Users] nginx + passenger + puppetmaster
Has anyone gotten puppetmaster running under nginx with passenger? I've tried various permutations of setting headers in the nginx config file, but am still getting Forbidden request errors from the client.

-- Dan Urist dur...@ucar.edu 303-497-2459