[Puppet Users] Re: Could not back up /home/user/.ssh/authorized_keys: Could not find terminus file for indirection file_bucket_file

2019-06-11 Thread Eric Sorenson
It is trying to use an old backup mechanism, the way to read the error 
(not that you should have to understand this, it's terrible) is

Could not load a ruby extension named "file.rb" for the "file_bucket_file" 
setting.

The shortest fix is to set "File { backup => false }" in your site.pp. 

--eric0

On Tuesday, June 11, 2019 at 3:48:39 PM UTC-7, brian lamb wrote:
>
> I have an event failure, one for each user.  They use global facter 
> variables for the keys, I'm not sure if that's relevant.  What is 
> terminus, does that insinuate endpoint?  What is indirection, and 
> file_bucket_file? In my implementation of this, I haven't seen those 
> keywords yet, however it's remotely possible it's from residual code from a 
> v3 manifest, since I am in an upgrade. 
>  Event: Failure
> Resource Ssh_authorized_key[blamb-jumped]
> Resource path Stage[main]/Ssh/Ssh_authorized_key[my_user_key_var]/
> Node affected ws2.vtm-ws.com
> Event timestamp 2019-06-11T02:09:11.212 Z
> Class Ssh
> Config version ws4-cbp-7af07afca4c
> File and line number -
> Property 
> Old Value 
> New Value 
> Message Could not back up /home/blamb/.ssh/authorized_keys: Could not 
> find terminus file for indirection file_bucket_file
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/5a0a79d5-0034-448a-8ce3-e123709d4d43%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [Puppet Users] Concerns about Puppet 4 master serving Puppet 3 clients

2019-01-16 Thread Eric Sorenson
You're correct John - Puppet 4 masters using Puppet Server will work with 
Puppet 3 agents.  If the catalog compiles (Henrik's point), the 
agent/master comms will be fine.

Note the same is not true for Apache/Passenger based Puppet 4 setups - the 
URL rewriting that enables the compatibility is only implemented in 
puppetserver.

--eric

On Tuesday, January 15, 2019 at 5:52:35 AM UTC-8, jcbollinger wrote:
>
>
>
> On Monday, January 14, 2019 at 10:01:21 AM UTC-6, Henrik Lindberg wrote:
>>
>> On 2019-01-14 16:22, Peter Berghold wrote: 
>> > I am about to have our first Puppet 4 Puppet master into our production 
>> > environment. We have a very large community of Puppet 3 "leaf nodes" 
>> > being managed by our old Puppet 3 infrastructure. 
>> > 
>> > What issues might I run into with that and what should I do to mitigate 
>> > this? 
>> > 
>>
>> It is a quite open ended question unfortunately. You may want to start 
>> reading here: https://puppet.com/docs/puppet/4.10/upgrade_major_pre.html 
>> and then come back with more specific questions. 
>>
>
>
> Hmmm.  I took the question to be about whether there were known issues 
> revolving around a P4 master serving catalogs to P3 agents.  I didn't think 
> P4 broke the pattern that the master supports agents from the previous 
> generation.  Or is that less of a pattern than I thought?
>
>
> John
>  
>



[Puppet Users] Re: Bolt 1.8.0 now available

2019-01-04 Thread Eric Sorenson
Vlastimil - I'm forwarding this message to the puppet-users list instead of 
puppet-announce.

--eric0

> From: vlastimil.ho...@gmail.com
> Subject: Re: Bolt 1.8.0 now available
> Date: January 4, 2019 at 3:46:31 AM PST
> To: Puppet Announce 
> 
> 
> Hello,
> 
> On Friday, January 4, 2019 at 12:01:51 AM UTC+1, Puppet Product Updates wrote:
> Greetings!
> 
> We're happy to announce the release of Bolt 1.8.0. Highlights in this release 
> include:
> Standard library functions
> 
> how to use those new functions?
> 
> Having the following simple plan:
> 
> plan profiles::test {
>   ctrl::sleep(5)
> }
> 
> Complains about unknown function:
> $ bolt --boltdir=$PWD plan run profiles::test
> Starting: plan profiles::test
> Finished: plan profiles::test in 0.02 sec
> {
>   "kind": "bolt/pal-error",
>   "msg": "Evaluation Error: Unknown function: 'ctrl::sleep'. (file: 
> .../bolt/site/profiles/plans/test.pp, line: 2, column: 3)",
>   "details": {
>   }
> }
> 
> Having Bolt 1.8 from packages for C7:
> $ rpm -q puppet-bolt
> puppet-bolt-1.8.0-1.el7.x86_64
> 
> Thank you,
> Vlastimil Holer
>  
> For more information, check out the release notes: 
> https://puppet.com/docs/bolt/1.x/bolt_release_notes.html 
> 
> 
> To try this version of Bolt, follow the installation instructions for your 
> operating system:
> https://puppet.com/docs/bolt/1.x/bolt_installing.html 
> 
> 
> Thanks!
> 
> 



Re: [Puppet Users] PUPPET 6.0 : PuppetDB SSL Engine issue

2018-11-28 Thread Eric Sorenson
Andy, did you get this fixed?

--eric0

On Friday, November 16, 2018 at 9:02:02 AM UTC-8, Andy Hall wrote:
>
> Hmm perhaps I should RTFM : 
> https://puppet.com/docs/puppetdb/6.0/maintain_and_tune.html#redo-ssl-setup-after-changing-certificates
>
> On Friday, 16 November 2018 16:49:20 UTC, Andy Hall wrote:
>>
>> Apologies for the late reply but do you know how to re-create the certs 
>> for PuppetDB ? Is there a specific PuppetDB group who may be able to answer 
>> this ? Thanks very much.
>>
>> On Wednesday, 3 October 2018 19:04:26 UTC+1, Maggie Dreyer wrote:
>>>
>>> If you regenerated your CA as part of fixing the issues with the 
>>> master/agent connection, did you also regenerate the certificates for 
>>> PuppetDB? Not having really any experience with PuppetDB, I could see this 
>>> error being caused by still using certificates issued by the old certificate 
>>> authority.
>>>
>>> On Wed, Oct 3, 2018 at 10:58 AM Andy Hall  wrote:
>>>
 Just fixed an issue with the puppetserver ca after a 5.x to 6.x upgrade 
 (see post "PUPPET 6.0 : CSR from master does not match the agent public 
 key" for more details) but now experience the following issue with 
 PuppetDB 
 (maybe a problem with the Java KeyStore ?):

 AGENT:

 # puppet agent --test

 Warning: Unable to fetch my node definition, but the agent run will 
 continue:
 Warning: Error 500 on SERVER: Server Error: Could not retrieve facts 
 for andy-puppet6-test.london.company.com: Failed to find facts from 
 PuppetDB at puppet:8140: Failed to execute '/pdb/query/v4/nodes/
 andy-puppet6-test.london.company.com/facts' on at least 1 of the 
 following 'server_urls': https://ldn1-puppet5.london.company.com:8081

 Info: Retrieving pluginfacts
 Info: Retrieving plugin
 Info: Retrieving locales
 Info: Loading facts

 Error: Could not retrieve catalog from remote server: Error 500 on 
 SERVER: Server Error: Failed to execute 
 '/pdb/cmd/v1?checksum=53837e24e8b91d10fc3a81a657b83258c0ab3f8f=5=
 andy-puppet6-test.london.company.com=replace_facts=1538588583'
  
 on at least 1 of the following 'server_urls': 
 https://ldn1-puppet5.london.company.com:8081

 Warning: Not using cache on failed catalog
 Error: Could not retrieve catalog; skipping run

 MASTER:

 ==> /var/log/puppetlabs/puppetserver/puppetserver.log <==
 2018-10-03T18:49:26.860+01:00 ERROR [qtp1255475413-70] 
 [c.p.h.c.i.PersistentSyncHttpClient] Error executing http request
 javax.net.ssl.SSLHandshakeException: General SSLEngine problem
 at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
 at 
 sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
 at 
 sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
 at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
 at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
 at 
 org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:265)
 at 
 org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:305)
 at 
 org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:509)
 at 
 org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
 at 
 org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
 at 
 org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
 at 
 org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
 at 
 org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
 at 
 org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
 at 
 org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
 at java.lang.Thread.run(Thread.java:748)
 Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine 
 problem
 at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
 at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
 at 
 sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
 at 
 sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
 at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
 at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
 at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
 at java.security.AccessController.doPrivileged(Native Method)
 at 
 

[Puppet Users] Re: Upgrade to puppet-agent 5.3.5 report failure

2018-11-28 Thread Eric Sorenson
Hi Darragh, the fact that the error message contains a '400' error suggests 
the problem happens on the server when it receives the report. 

My first guess given that error message is also that there's a mix of 
versions installed, but it's weird that it only happens on some reports. 
Maybe there is something malformed in those reports that triggers a 
different code path on the server.

You can save a copy of the reports by adding `store` to the type of report 
submission on the master: `reports = https,store` and see what they look 
like. They should go into a subdirectory 
of /opt/puppetlabs/puppet/cache/reports

HTH
--eric0



On Tuesday, November 27, 2018 at 10:10:53 AM UTC-8, Darragh Bailey wrote:
>
> Hi,
>
>
> Currently in the process of testing out an upgrade to version 5 of the 
> puppet-agent within our local virtual environment used to validate changes 
> before they can be landed and I'm running into a few problems around the 
> report at the end run.
>
> Have 5 VMs in a vagrant environment, that are initially bootstrapped with 
> some scripts to get the puppet 5 packages installed, then uses puppet apply 
> to perform some initial setup around network/apt-caching, followed by 
> applying the 'puppet_server' provisioner which runs puppet agent.
>
> Unfortunately I'm seeing an error, that doesn't occur on all the VM's and 
> I'm not sure how to debug it further or understand what's missing.
>
> vagrant up
> ...
> ==> srv-1: Warning: Event['previous_value'] contains a Process::Status 
> value. It will be converted to the String 'pid 30408 exit 1'
> ==> srv-1: Warning: Event['previous_value'] contains a Process::Status 
> value. It will be converted to the String 'pid 32434 exit 1'
> ==> srv-1: Error: Could not send report: Error 400 on SERVER: Bad Request: 
> The request body is invalid: Could not intern from json: Internal Error: 
> Puppet Context ':loaders' missing
> 
> ==> srv-3: Warning: Event['previous_value'] contains a Process::Status 
> value. It will be converted to the String 'pid 28777 exit 1'
> ==> srv-3: Error: Could not send report: Error 400 on SERVER: Bad Request: 
> The request body is invalid: Could not intern from json: Internal Error: 
> Puppet Context ':loaders' missing
>
>
> What is also surprising is that it doesn't occur on all of the VM's, and 
> subsequently it doesn't appear if I re-run the provisioning with: vagrant 
> up --provision --provision-with puppet_server
>
> There was a suggestion that there could be some stale code around as the 
> image starts with puppet 3 pre-installed, but I've got the bootstrapping 
> scripts to purge the old packages and delete any files that could have been 
> placed under /var/lib/puppet and /etc/puppet
>
> bash code:
>
> # Fetch and install the Puppet 5 release package (adds the apt repository)
> package=puppet5-release-xenial.deb
> env https_proxy="$HTTPS_PROXY" wget \
>     --quiet --continue -O "/tmp/$package" \
>     "https://apt.puppetlabs.com/$package"
> dpkg -i "/tmp/$package"
> export DEBIAN_FRONTEND=noninteractive
> apt-get update
> # Remove the pre-installed Puppet 3 packages and their leftover state
> apt-get purge --yes puppet hiera facter
> rm -rf /var/lib/puppet /etc/puppet
> # Install the pinned agent version
> apt-get install --yes --no-install-recommends puppet-agent=5.3.5-1xenial \
>     ruby policykit-1
>
> Currently pinned to 5.3.5 because there was an issue with a subsequent 
> release and decided to just pin to the same version as the upgraded puppet 
> master was running.
>
> I've tried switching the clients to 5.5.8 and I get the same error, so 
> it's not solved by moving to the most recent version.
>
> Grep'ing through /var/lib/puppet hasn't been illuminating, didn't spot 
> anything when switching it to use debug, and neither has been inspecting 
> the puppet master log so I'm not sure where exactly to look?
>
> The quick fix is to disable reporting within the virtual environment, 
> which certainly solves the problem, but seems like the wrong approach.
>
> Any thoughts on how to debug this? What do I need to enable on the puppet 
> master to be able to capture report requests both good and bad so I can see 
> what it is that is being sent that gets rejected, and what should be sent?
>
> --
> Darragh Bailey
>



[Puppet Users] Re: Puppet.agent with path

2018-11-28 Thread Eric Sorenson
Sorry Rafael, I don't understand what you're asking. Can you share the 
puppet code that you are trying to use, and the error message you get?

--eric0

On Wednesday, November 28, 2018 at 5:54:34 AM UTC-8, Rafael Tomelin wrote:
>
> Hi,
>
> How configure path in puppet.agent.
>
> I need path = source /etc/profile . , how configuration this path?
> -- 
>
> Sincerely,
>
> Rafael Tomelin
>
> skype: rafael.tomelin
>
> E-mail: rafael.tome...@gmail.com
>
> RHCE  - Red Hat Certified Engineer
> PPT-205 - Puppet Certified Professional 2017
> Zabbix- ZABBIX Certified Specialist
> LPI3 
> ITIL v3
>



[Puppet Users] Re: Multiple compile server and single CA server set up - certificate issues

2018-11-28 Thread Eric Sorenson
Hi Soham, I would suggest you start with a single server that contains both 
the CA and compile master functionality.

That way you can bootstrap it in a very simple way, using the instructions 
for the new intermediate CA setup in Puppet 6. Once that is working, it is 
much easier to move to a split-out service because you will have a 
functioning CA + Server which can sign the certificates for the other 
compile masters.

You should be able to serve catalogs from a single instance for several 
thousand agents, so don't scale out until you know you need it.

https://puppet.com/docs/puppetserver/6.0/intermediate_ca.html

HTH
--eric0

On Wednesday, November 28, 2018 at 8:24:00 AM UTC-8, Soham Chakraborty 
wrote:
>
> Hi,
>
> Update:
>
> I have made the changes in webserver.conf of the compile master as 
> described in 
> https://puppet.com/docs/puppet/6.0/config_ssl_external_ca.html#task-8039 
> (step 3 in particular), but I still have the same problem :(
>
> On Tuesday, November 27, 2018 at 11:58:54 PM UTC+5:30, Soham Chakraborty 
> wrote:
>>
>> Hi,
>>
>> I am trying to achieve the following in Ubuntu 18.04 (bionic):
>>
>> 1) I want to have several Puppet servers act as compile masters. They 
>> will be load balanced and point to a DNS record in AWS. 
>>
>> 2) All the compile masters will share same Puppet CA server. The CA 
>> server will be responsible for only signing certificates and nothing else.
>>
>> This should be reasonably easy to implement but I am not getting odd SSL 
>> errors at every turn. I am looking to know how I should go about creating a 
>> setup like this with open source Puppet. The steps that I am following now 
>> are something like this:
>>
>> 1) Provision the instance from a packer template. I am installing Puppet 
>> 5.5.6 from the packer template.
>> 2) Login to the server and install puppetserver. 
>> 3) Disable internal CA service from services.d/ca.cfg file.
>> 4) Edit puppet.conf to point master to the DNS name of the load balancer. 
>> Don't do any change of ca server for now. Don't run any puppet agent as 
>> well.
>> 5) Provision another instance from the same packer template. 
>> 6) Install puppetserver. 
>> 7) Edit its puppet.conf to point to the DNS name of the load balancer 
>> and also change ca server to this server itself.
>> 8) Run puppet agent -t on the compile master created in step 1.
>> 9) Sign the cert in CA server. 
>>
>> Is this all that there is? Do I need to do any config change in the 
>> webserver.conf of the Puppet compile master? If so, what would be required 
>> changes? What files should be copied over from the CA server to the compile 
>> server?
>>
>> What files need to be copied over from CA server to the compile server 
>> and where they should be placed? 
>>
>> Right now in my CA server, I am getting this error: 
>>
>> # puppet agent -t
>> Warning: Setting autosign is deprecated.
>>(location: 
>> /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/settings.rb:1169:in 
>> `issue_deprecation_warning')
>> Warning: Setting ca is deprecated.
>>(location: 
>> /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/settings.rb:1169:in 
>> `issue_deprecation_warning')
>> Warning: Unable to fetch my node definition, but the agent run will 
>> continue:
>> Warning: SSL_connect returned=1 errno=0 state=error: certificate verify 
>> failed: [ok for /CN=puppetserver.org.com]
>> Info: Retrieving pluginfacts
>> Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate 
>> additional resources using 'eval_generate': SSL_connect returned=1 errno=0 
>> state=error: certificate verify failed: [ok for /CN=puppetserver.org.com]
>> Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: 
>> Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect 
>> returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=
>> puppetserver.org.com]
>> Info: Retrieving plugin
>> Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate 
>> additional resources using 'eval_generate': SSL_connect returned=1 errno=0 
>> state=error: certificate verify failed: [ok for /CN=puppetserver.org.com]
>> Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could 
>> not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 
>> errno=0 state=error: certificate verify failed: [ok for /CN=
>> puppetserver.org.com]
>> Error: Could not retrieve catalog from remote server: SSL_connect 
>> returned=1 errno=0 state=error: certificate verify failed: [ok for /CN=
>> puppetserver.org.com]
>> Warning: Not using cache on failed catalog
>> Error: Could not retrieve catalog; skipping run
>> Error: Could not send report: SSL_connect returned=1 errno=0 state=error: 
>> certificate verify failed: [ok for /CN=puppetserver.org.com]
>> root@puppet-ca-server:~#
>>
>> And in Puppet compile master, I am getting:
>>
>> # puppet agent -t
>> Warning: Unable to fetch my node definition, but the agent run will 
>> continue:
>> 

Re: [Puppet Users] Elegant way to supply facts to `puppet apply`

2018-11-27 Thread Eric Sorenson
You could put that same yaml or json in /etc/puppetlabs/facter/facts.d and 
the whole data structure will be available under $facts ...

--eric0

On Monday, November 26, 2018 at 11:14:27 AM UTC-8, Henrik Lindberg wrote:
>
> On 2018-11-23 03:27, Abhijeet Rastogi wrote: 
> > Hi everyone, 
> > 
> > 
> > puppet lookup command has a nice --facts option which accepts a 
> > structured json/yaml file to upload files. 
> > 
> > Why does that option not exist for puppet apply? Is the environment 
> > variable the only option? 
> > 
>
> There is a way to make it read other facts than the default getting the 
> facts for the node apply is running on. To use that you need to change 
> the facts terminus setting 
> https://puppet.com/docs/puppet/5.3/indirection.html#yaml-terminus-1 
>
> Warning: That is not easy to use. 
>
> For puppet lookup we wanted something simpler and chose to expose the 
> option directly as it is a common use case to experiment with lookup CLI 
> and different facts. 
>
> Suggest you file a ticket with a feature request for puppet apply. 
>
> Best, 
> - henrik 
>
> > Puppet version: 6.0.4 
> > 
> > Thanks, 
> > Abhijeet 
> > 
>
>
> -- 
>
> Visit my Blog "Puppet on the Edge" 
> http://puppet-on-the-edge.blogspot.se/ 
>
>



[Puppet Users] Puppet Enterprise 2019.0.1 now available!

2018-11-06 Thread Eric Sorenson
Dear Puppet Enterprise Users,

Puppet Enterprise 2019.0.1 is now available.

This is a bug fix and minor functionality release of Puppet Enterprise. All 
users of Puppet Enterprise 2019.0.0 are encouraged to upgrade when possible to 
Puppet Enterprise 2019.0.1.

Puppet Enterprise 2019.0.1 includes agent support for Windows Server 2019. It 
includes fixes that caused errors when upgrading from earlier versions, and it 
enables running agentless tasks over WinRM from the orchestrator.

For information on the bug fixes in this release, see 
https://puppet.com/docs/pe/2019.0/release_notes/release_notes.html

As a current Puppet Enterprise user, you can upgrade to this new version as 
part of your annual subscription. To upgrade, you must upgrade your master, 
PuppetDB, and console servers first, then update your agents.

As always, we want to hear about your experiences with Puppet Enterprise. If 
you have any questions about upgrading, be sure to get in touch with Puppet 
Support.

Eric Sorenson - e...@puppet.com 
director of product



[Puppet Users] Puppet Enterprise 2018.1.5 (LTS) is now available

2018-11-06 Thread Eric Sorenson
Dear Puppet Enterprise Users,

Puppet Enterprise 2018.1.5 is now available.

This is a security and bug fix release of the current Long-Term Support (LTS) 
series of Puppet Enterprise. All users of Puppet Enterprise 2018.1.x are 
encouraged to upgrade as soon as possible to Puppet Enterprise 2018.1.5.

Puppet Enterprise 2018.1.5 adds support for SLES 15 and Windows Server 2019 
agents. It also addresses a number of performance issues for large-scale 
console use and includes customer-requested backports, notably around 
improvements to policy-based certificate autosigning.

For full details of the changes in this release, see 
https://puppet.com/docs/pe/2018.1/release_notes/release_notes.html

As a current Puppet Enterprise user, you can upgrade to this new version as 
part of your annual subscription. When upgrading, you must upgrade your master, 
PuppetDB, and console servers first.

As always, we want to hear about your experiences with Puppet Enterprise. If 
you have any questions about upgrading, be sure to get in touch with Puppet 
Support.

Eric Sorenson - e...@puppet.com 
director of product



[Puppet Users] Announce: Puppet Platform 6.0.3 available

2018-10-25 Thread Eric Sorenson
Hot on the heels of yesterday's Puppet Platform 5.5.7, we've just released 
Puppet Platform 6.0.3. This is a bugfix release that contains a bump to Puppet. 
Of special note on this release is the continued improvement to the new SSL 
command line workflows introduced in Puppet 6 (PUP-9156) and improvements to 
the handling of Sensitive data (PUP-7580). 

Full release notes for the release are available here: 
https://puppet.com/docs/puppet/6.0/release_notes.html#puppet-603

Eric Sorenson - e...@puppet.com 
director of product



[Puppet Users] Puppet Platform 5.5.7 is now available

2018-10-23 Thread Eric Sorenson
The latest point release of the Puppet Platform 5 series is now available. 

This is a backwards-compatible bugfix release that contains several important 
fixes for open source and PE users (this release will roll into the next PE 
2018.1.x LTS point release, slated for Nov 6).

For the full list of changes in this release, check out the release notes: 
https://puppet.com/docs/puppet/5.5/release_notes.html#puppet-557 


Special thanks to Jacob Helwig, Kris Bosland, Jorie Tappa, and Josh Cooper for 
fixing PUP-3467, a bug that 
has existed since the earliest days of Puppet and caused problems for anybody 
managing recursive file resources.

--eric0



Re: REGRESSION - Re: [Puppet Users] Announcement: Release of Puppet Platform 6.0.1

2018-10-05 Thread Eric Sorenson
Thanks for reporting this duritong - I wanted to follow up to say that this 
was fixed in 6.0.2 (indeed this was the reason we shipped 6.0.2 after 1 
day:) )

On Wednesday, October 3, 2018 at 1:30:22 AM UTC-7, Peter Meier wrote:
>
> Hi All, 
>
> > We're happy to announce the release of Puppet Platform 6.0.1. This is 
> > primarily a bug release, with some improvements to Puppet, some new 
> > features in Puppet Server, and some new component versions in Puppet 
> > Agent. 
>
> Just a heads up to everybody: There is a pretty severe regression in the 
> exec provider together with cwd, as the behavior of the type/provider 
> changed from 6.0.0 to 6.0.1: 
>
> https://tickets.puppetlabs.com/browse/PUP-9194 
>
> tldr; The cwd param is not respected in 6.0.1 for the commands specified 
> in unless or onlyif. This might trigger an unwanted execution of the 
> command, as the safe-guards in unless/onlyif might fail as they are not 
> anymore executed in the cwd. 
>
> best 
>
> ~pete 
>
>
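
The failure mode described in the quoted report (PUP-9194), as an added example that is not part of the original messages or of Puppet's own code: an exec whose `unless` guard only works when it is run in `cwd`, next to two forms whose guard does not depend on the working directory. The paths /opt/app and /opt/app/bin/init and the .initialized marker file are hypothetical.

```puppet
# Added illustration; /opt/app, bin/init and .initialized are hypothetical names.

# cwd-dependent guard: `test -f .initialized` resolves the marker relative to
# the working directory. If the guard is not executed in /opt/app (the 6.0.1
# behaviour reported in PUP-9194), the marker is not found, the guard exits
# non-zero, and the command is executed again on every agent run.
exec { 'init-app-relative-guard':
  command => '/opt/app/bin/init',
  cwd     => '/opt/app',
  unless  => '/usr/bin/test -f .initialized',
}

# cwd-independent guard, variant 1: `creates` takes an absolute path, so the
# check gives the same answer wherever it is evaluated.
exec { 'init-app-creates':
  command => '/opt/app/bin/init',
  cwd     => '/opt/app',
  creates => '/opt/app/.initialized',
}

# cwd-independent guard, variant 2: keep `unless`, but name the marker by its
# absolute path instead of relying on the working directory.
exec { 'init-app-absolute-guard':
  command => '/opt/app/bin/init',
  cwd     => '/opt/app',
  unless  => '/usr/bin/test -f /opt/app/.initialized',
}
```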



[Puppet Users] Re: [Puppet-dev] [Puppet-Users] Puppet Platform 6 Update

2018-07-17 Thread Eric Sorenson
On Jul 17, 2018, at 2:26 AM, Martin Alfke  wrote:
> 
>> On 17. Jul 2018, at 01:40, Eric Sorenson <e...@puppet.com> wrote:
>> 
>> So my question is - 
>> - do you currently use/rely on 'gem install puppet' for your workflows? If so, 
>> what do you do with it? (does anybody use a 'gem install puppet' as their 
>> production "puppet agent" daemon?)
> 
> We install puppet as a gem in CI/CD unit testing.
> 

Hi Martin! Does this use depend on types and providers in puppet's lib/ 
directory? Or is it just having the core puppet code available?


>> - given the above, what would be the easiest/most intuitive way to get those 
>> extracted types into your puppet installation? some ideas we've kicked 
>> around are 
>>  * a puppet type 'meta module' that, akin to a rpm/deb metapackage, doesn't 
>> have content, just dependencies on the actual modules at particular pinned 
>> versions that match the agent package versions
>>  * a Puppetfile that you could point r10k at to get the modules installed
>>  * individual gems for each of the extracted modules with Gemfile 
>> dependencies (note: this is a Bad Idea™)
> 
> We need at least a note how we have to add the module with the separated 
> types/providers.

Yes absolutely

> 
>> 
>> WDYT?
>> --eric0
>> 
>> 
>>> On Jul 16, 2018, at 10:20 AM, Josh Cooper  wrote:
>>> 
>>> I wanted to share some significant developments as we progress towards a 
>>> Puppet Platform 6 release. I encourage you to try out nightly builds 
>>> available in the puppet6 repos:
>>> 
>>> http://nightlies.puppet.com/yum/puppet6-nightly/
>>> http://nightlies.puppet.com/apt/puppet6-nightly/
>>> http://nightlies.puppet.com/downloads/{mac,windows}/puppet6-nightly/
>>> 
>>> 1. Unvendoring Semantic Puppet
>>> 
>>> Previously, the puppet repo, puppet-agent and puppetserver 
>>> vendored/packaged different versions of the semantic_puppet gem. We've 
>>> untangled that mess so that in Platform 6:
>>> 
>>> * puppet has a runtime gem dependency on the semantic_puppet gem
>>> * puppet-agent bundles the semantic_puppet 1.0.2 gem
>>> * puppetserver no longer knows about puppet's transitive gem dependencies
>>> * we can bump the semantic_puppet version in puppet-agent in the future 
>>> without breaking puppetserver running on the same host. The same is true 
>>> for other puppet runtime gem dependencies like fast_gettext and multi_json.
>>> 
>>> See https://tickets.puppetlabs.com/browse/PA-1880 for more details.
>>> 
>>> 2. Puppet Platform 6 requires Ruby 2.3
>>> 
>>> Puppet Platform 6 requires Ruby 2.3 or up, so we can now use modern syntax 
>>> such as keyword arguments, dig, squiggly heredocs, etc. Puppet will error 
>>> when running on unsupported ruby versions such as 2.2, which went EOL on 
>>> March 31, 2018.
>>> 
>>> Since puppetserver runs puppet code in a JRuby interpreter and JRuby 1.7 
>>> conforms to the 1.9.3 Ruby language, we first had to move puppetserver from 
>>> JRuby 1.7 to 9K. In Platform 5, we made it possible to opt into using JRuby 
>>> 9K. In Platform 6, we will drop JRuby 1.7 and only support JRuby 9.1.x.x, 
>>> which conforms to Ruby 2.3.
>>> 
>>> To ensure puppet code does not break puppetserver/JRuby, we've started 
>>> running puppet PRs against JRuby 9K in TravisCI.
>>> 
>>> See https://tickets.puppetlabs.com/browse/PUP-6893 and 
>>> https://tickets.puppetlabs.com/browse/SERVER-2155 for more details.
>>> 
>>> 3. Intermediate CA improvements
>>> 
>>> Currently, customers can set up Puppet to use an intermediate CA by 
>>> manually generating and distributing certificates and keys, installing them 
>>> in the proper locations on disk, for both the master and agent. This is 
>>> time intensive, error prone, and even once these certs have been put in 
>>> place, full validation using CRL chains was not possible.
>>> 
>>> For Puppet 6, we are making both tooling and functionality improvements 
>>> to this process. In this increment, we have implemented full validation 
>>> with chained certificates and CRLs, and we have changed the agent-side SSL 
>>> bootstrapping to automatically download these full chains from the master 
>>> and store and use them appropriately. It is now no longer necessary for 
>>> intermediate CA users to manually distribute SSL files to their agents. On 
>>> t

[Puppet Users] Re: [Puppet-dev] [Puppet-Users] Puppet Platform 6 Update

2018-07-16 Thread Eric Sorenson
Another effort that's underway but not yet complete is the extraction of 
non-core types/providers into modules. This addresses some long-standing 
requests to, for example, be able to change the nagios types and OS-specific 
resources without needing to get a full agent release out. The extracted types 
will be available in a modulepath structure in the puppet agent package, so 
(with a few targeted exceptions) there won't be any user-visible changes to 
what's available when you get the package, but an implication that hasn't 
really come up is around using Puppet in rubygem format. The extracted types 
are available on github and on the forge as separate modules, so if you 
currently use some of these extracted types, you'd need a way to get them 
installed locally.

So my question is - 
- do you currently use/rely on 'gem install puppet' for your workflows? If so, 
what do you do with it? (does anybody use a 'gem install puppet' as their 
production "puppet agent" daemon?)
- given the above, what would be the easiest/most intuitive way to get those 
extracted types into your puppet installation? some ideas we've kicked around 
are 
  * a puppet type 'meta module' that, akin to a rpm/deb metapackage, doesn't 
have content, just dependencies on the actual modules at particular pinned 
versions that match the agent package versions
  * a Puppetfile that you could point r10k at to get the modules installed
  * individual gems for each of the extracted modules with Gemfile dependencies 
(note: this is a Bad Idea™)

WDYT?
--eric0


> On Jul 16, 2018, at 10:20 AM, Josh Cooper  wrote:
> 
> I wanted to share some significant developments as we progress towards a 
> Puppet Platform 6 release. I encourage you to try out nightly builds 
> available in the puppet6 repos:
> 
> http://nightlies.puppet.com/yum/puppet6-nightly/
> http://nightlies.puppet.com/apt/puppet6-nightly/
> http://nightlies.puppet.com/downloads/{mac,windows}/puppet6-nightly/
> 
> 1. Unvendoring Semantic Puppet
> 
> Previously, the puppet repo, puppet-agent and puppetserver vendored/packaged 
> different versions of the semantic_puppet gem. We've untangled that mess so 
> that in Platform 6:
> 
> * puppet has a runtime gem dependency on the semantic_puppet gem
> * puppet-agent bundles the semantic_puppet 1.0.2 gem
> * puppetserver no longer knows about puppet's transitive gem dependencies
> * we can bump the semantic_puppet version in puppet-agent in the future 
> without breaking puppetserver running on the same host. The same is true for 
> other puppet runtime gem dependencies like fast_gettext and multi_json.
> 
> See https://tickets.puppetlabs.com/browse/PA-1880 for more details.
> 
> 2. Puppet Platform 6 requires Ruby 2.3
> 
> Puppet Platform 6 requires Ruby 2.3 or up, so we can now use modern syntax 
> such as keyword arguments, dig, squiggly heredocs, etc. Puppet will error 
> when running on unsupported ruby versions such as 2.2, which went EOL on 
> March 31, 2018.
> 
> Since puppetserver runs puppet code in a JRuby interpreter and JRuby 1.7 
> conforms to the 1.9.3 Ruby language, we first had to move puppetserver from 
> JRuby 1.7 to 9K. In Platform 5, we made it possible to opt into using JRuby 
> 9K. In Platform 6, we will drop JRuby 1.7 and only support JRuby 9.1.x.x, 
> which conforms to Ruby 2.3.
> 
> To ensure puppet code does not break puppetserver/JRuby, we've started 
> running puppet PRs against JRuby 9K in TravisCI.
> 
> See https://tickets.puppetlabs.com/browse/PUP-6893 and 
> https://tickets.puppetlabs.com/browse/SERVER-2155 for more details.
> 
> 3. Intermediate CA improvements
> 
> Currently, customers can set up Puppet to use an intermediate CA by manually 
> generating and distributing certificates and keys, installing them in the 
> proper locations on disk, for both the master and agent. This is time 
> intensive, error prone, and even once these certs have been put in place, 
> full validation using CRL chains was not possible.
> 
> For Puppet 6, we are making both tooling and functionality improvements to 
> this process. In this increment, we have implemented full validation with 
> chained certificates and CRLs, and we have changed the agent-side SSL 
> bootstrapping to automatically download these full chains from the master and 
> store and use them appropriately. It is now no longer necessary for 
> intermediate CA users to manually distribute SSL files to their agents. On 
> the server side, we are working to create a puppetserver CLI for setting up 
> and interacting with the CA. See 
> https://tickets.puppetlabs.com/browse/SERVER-2171 
> 

[Puppet Users] Re: Puppet Platform 6 pre-release builds available

2018-05-02 Thread Eric Sorenson
Hi Al - The main thing is that the certificate authority and network stack 
are going to consolidate onto the puppetserver implementations, rather than 
having a split between ruby/webrick and clojure/puppetserver. So if anyone 
is still using 'puppet master' standalone or apache-based servers, now's 
the time to cut the cord.

On Wednesday, May 2, 2018 at 7:56:41 AM UTC-7, a...@example42.com wrote:
>
> Hei Eric, 
> good news, especially the extra modularization and the agent side 
> functions, from my point of view.
> Are expected in Puppet 6 any remarkable backwards incompatibilities or 
> deprecations?
>
> Best
> Al
>
> On Monday, April 23, 2018 at 11:44:32 PM UTC+2, Eric Sorenson wrote:
>>
>> Hi all, we've started landing changes for what will become Puppet 
>> Platform 6. Here's the News You Can Use relating to the release. 
>>
>> Scope and Timeline 
>> We expect to release it in the fall, and the major features of the 
>> release are currently scoped to be: 
>> - improved secret and ephemeral data handling through the use of a new 
>> API for evaluating functions on the agent at catalog application time (more 
>> on this to come, it's still pretty early in design) 
>> - modularized types and providers;  things like the nagios types will 
>> live in their own module and be included at packaging time. This will make 
>> it easier to get changes into this code and opens the door to including 
>> more modules in packages so, for example, you don't need to download stdlib 
>> separate from puppet. Josh posted a PR to the specifications repo 
>> describing this approach here: 
>> https://github.com/puppetlabs/puppet-specifications/pull/106 
>> - consolidate the CA code onto the clojure CA and provide 1st class 
>> support for intermediate CA signing - this means the Ruby CA and tooling 
>> around it will change in favor of a CLI that supports your actual workflow. 
>>  (PUP-7877 is the epic to follow for this work) 
>>
>>
>> Branches, Builds, and Repos 
>> The upshot is that the 'master' branch of the main platform projects 
>> (puppetdb, puppetserver, facter, puppet) will become the 6.0 versions of 
>> those projects, and PRs that target master can contain larger changes - so 
>> things like improving facter output, changing default settings for things 
>> that had previously been opt-in, etc have a place to land. 
>> In addition to automatic builds that go into the nightly repos, we're 
>> working in iterations towards monthly milestones that contain completed 
>> features and are ready for testing and feedback. As these come out, we'll 
>> post updates to the mailing list describing the contents in more detail and 
>> would love for you to try them out and let us know how it goes. 
>> The release packages are up here for apt/yum systems: 
>> yum: https://yum.puppet.com/puppet6-nightly/ 
>> apt: https://apt.puppet.com/puppet6-nightly/ 
>>
>> and the direct download repos for mac, windows, and eos are here: 
>> http://nightlies.puppet.com/downloads/ 
>>
>> (Note that although the content of the agent packages in particular is 
>> being built off what will become puppet 6, the version numbers won't 
>> reflect that until it's tagged as such.) 
>> Once the release is out, the 'puppet' repo and associated release package 
>> for apt and yum will shift to 'puppet6'; the 'puppet5' repo/release package 
>> will remain as-is so you can stay pinned to that until you're ready to 
>> move. 
>>
>>
>> EOL / Lifecycle of Older versions 
>> The 5.x versions are incorporated into the upcoming PE2018.1 LTS, so the 
>> branches that feed into those versions will be open for changes. But they 
>> need to be targeted bug fixes that won't introduce instability into the 
>> components, so please be judicious when targeting non-master branches with 
>> your PRs. 
>> The 4.x series (puppet-agent 1.10, puppet-server 2.8, etc) will be going 
>> EOL towards the end of 2018. They're already on "deep LTS" mode and only 
>> critical security fixes and hyper-targeted backports are landing on these 
>> branches. 
>>
>> Please let me know if you have any questions. I'm pretty excited about 
>> this release; the slightly longer development timeline and milestone build 
>> process should enable more interesting features and a smoother upgrade 
>> path. 
>>
>> --eric0 
>>
>>
>>



[Puppet Users] Puppet Platform 6 pre-release builds available

2018-04-23 Thread Eric Sorenson
Hi all, we've started landing changes for what will become Puppet Platform 6. 
Here's the News You Can Use relating to the release. 

Scope and Timeline
We expect to release it in the fall, and the major features of the release are 
currently scoped to be:
- improved secret and ephemeral data handling through the use of a new API for 
evaluating functions on the agent at catalog application time (more on this to 
come, it's still pretty early in design)
- modularized types and providers;  things like the nagios types will live in 
their own module and be included at packaging time. This will make it easier to 
get changes into this code and opens the door to including more modules in 
packages so, for example, you don't need to download stdlib separate from 
puppet. Josh posted a PR to the specifications repo describing this approach 
here: https://github.com/puppetlabs/puppet-specifications/pull/106
- consolidate the CA code onto the clojure CA and provide 1st class support for 
intermediate CA signing - this means the Ruby CA and tooling around it will 
change in favor of a CLI that supports your actual workflow.  (PUP-7877 is the 
epic to follow for this work)


Branches, Builds, and Repos
The upshot is that the 'master' branch of the main platform projects (puppetdb, 
puppetserver, facter, puppet) will become the 6.0 versions of those projects, 
and PRs that target master can contain larger changes - so things like 
improving facter output, changing default settings for things that had 
previously been opt-in, etc have a place to land. 
In addition to automatic builds that go into the nightly repos, we're working 
in iterations towards monthly milestones that contain completed features and 
are ready for testing and feedback. As these come out, we'll post updates to 
the mailing list describing the contents in more detail and would love for you 
to try them out and let us know how it goes. 
The release packages are up here for apt/yum systems: 
yum: https://yum.puppet.com/puppet6-nightly/
apt: https://apt.puppet.com/puppet6-nightly/

and the direct download repos for mac, windows, and eos are here:
http://nightlies.puppet.com/downloads/

(Note that although the content of the agent packages in particular is being 
built off what will become puppet 6, the version numbers won't reflect that 
until it's tagged as such.)
Once the release is out, the 'puppet' repo and associated release package for 
apt and yum will shift to 'puppet6'; the 'puppet5' repo/release package will 
remain as-is so you can stay pinned to that until you're ready to move.


EOL / Lifecycle of Older versions
The 5.x versions are incorporated into the upcoming PE2018.1 LTS, so the 
branches that feed into those versions will be open for changes. But they need 
to be targeted bug fixes that won't introduce instability into the components, 
so please be judicious when targeting non-master branches with your PRs.
The 4.x series (puppet-agent 1.10, puppet-server 2.8, etc) will be going EOL 
towards the end of 2018. They're already on "deep LTS" mode and only critical 
security fixes and hyper-targeted backports are landing on these branches.

Please let me know if you have any questions. I'm pretty excited about this 
release; the slightly longer development timeline and milestone build process 
should enable more interesting features and a smoother upgrade path.

--eric0




Re: [Puppet Users] Announce: Puppet agent 1.10.12

2018-04-18 Thread Eric Sorenson
Yep, this was an error in the build/ship process - we're scrubbing them out 
now. Sorry for the confusion.

--eric0

On Wednesday, April 18, 2018 at 12:25:23 AM UTC-7, Brent wrote:
>
> Just a question
>
> Shouldn't the puppet 5 packages not be in 
> http://apt.puppetlabs.com/pool/stretch/PC1/p/puppet-agent/ removed?
>
> Regards
>
> Brent
> On 18/04/2018 09:18, Brent Clark wrote:
>
> Good day Guys
>
> Anyone else having a problem where the upgrade tries to jump to version 
> 5.3.6-1stretch?
>
> I just want 1.10.12RELEASE.
>
> Regards
>
> Brent
>
> On 18/04/2018 07:00, Garrett Guillotte wrote:
>
> Puppet agent 1.10.12 is a bug-fix release that includes updates for Puppet 
> 4.10.11, Facter 3.6.10, Hiera 3.3.3 (which contains no user-facing changes), 
> and pxp-agent 1.5.7. It also contains updates to curl and fixes for Ruby 
> security issues. For details, see 
> https://puppet.com/docs/puppet/4.10/release_notes_agent.html
> There was no public Puppet agent 1.10.11 release.
>
> -- 
> *Garrett Guillotte*
> Technical Writer
> garrett.guillo...@puppet.com



Re: [Puppet Users] Re: Pre-generated certificates?

2018-04-02 Thread Eric Sorenson
Yeah, it's a bit of an outlier workflow but I figured I'd ask. The
deafening silence indicates it's probably not a use-case we need to treat
specially.

--eric0

On Sat, Mar 31, 2018 at 12:23 PM, Michael Watters <watter...@gmail.com>
wrote:

> I've done this for a few nodes but I'm not sure how this would be an
> improvement over just enabling autosign.  Private keys should remain
> private to a node and should never be transmitted over the network if
> possible.
>
> On Wednesday, March 28, 2018 at 3:10:35 PM UTC-4, Eric Sorenson wrote:
>>
>> Is anybody out there pre-generating certificates for your agents? I've
>> heard whispered tales of some folks doing this but we're starting work on
>> improving the CA / signing / revocation workflow and it'd be great to talk
>> to somebody directly. The workflow would be using 'puppet cert generate' on
>> the master/CA then distributing both the private key and the resulting
>> certificate in some secure, out-of-band mechanism (cloud-init?) to the
>> nodes, so the agent finds the CA cert as well as its own key/cert pair
>> ready and waiting when it starts up, bypassing the CSR
>> generation/submission completely.
>>
>> --eric0
>>



[Puppet Users] Pre-generated certificates?

2018-03-28 Thread Eric Sorenson
Is anybody out there pre-generating certificates for your agents? I've 
heard whispered tales of some folks doing this but we're starting work on 
improving the CA / signing / revocation workflow and it'd be great to talk 
to somebody directly. The workflow would be using 'puppet cert generate' on 
the master/CA then distributing both the private key and the resulting 
certificate in some secure, out-of-band mechanism (cloud-init?) to the 
nodes, so the agent finds the CA cert as well as its own key/cert pair 
ready and waiting when it starts up, bypassing the CSR 
generation/submission completely.

--eric0



[Puppet Users] The 2018 Puppet User Survey is up!

2018-03-20 Thread Eric Sorenson
Hey all, we're running a survey for the next couple of weeks to get a better 
understanding of who's using Puppet, what the mix of operating systems and 
Puppet versions looks like, and how we could make better Puppet products in the 
future. It's going to be open for the next couple of weeks; once it's done I'll 
summarize the results and post some (hopefully interesting) insights from your 
responses. It's only a few questions and should take less than 5 minutes to 
complete, plus as an added incentive, for every response we'll donate $3 to the 
EFF!

I made a quick blog post about it here: 
https://puppet.com/blog/2018-puppet-user-survey

And here's a direct link to the survey: 
https://www.surveygizmo.com/s3/4227485/puppet-users

--eric0

Eric Sorenson - e...@puppet.com
director of product, ecosystem and platform



Re: [Puppet Users] Puppet 4 EOL?

2018-02-12 Thread Eric Sorenson
Close, the PE2016.4 LTS uses Puppet 4 and is supported through October 
2018. 

--eric0

On Monday, February 12, 2018 at 9:15:20 AM UTC-8, R.I. Pienaar wrote:
>
>
>
> On Mon, 12 Feb 2018, at 17:43, Sven vd wrote: 
> > Hi, 
> > 
> > Currently our infrastructure and code is written with and run by puppet 
> 4 
> > opensource. 
> > 
> > We are using https://yum.puppetlabs.com/el/7/PC1/x86_64/ repos for 
> updates 
> > of our installed software, puppetserver, puppetdb, puppet agent. 
> > 
> > Since puppet 5 was released the puppet 5 packages shifted to another 
> repo 
> > https://yum.puppetlabs.com/puppet/el/7/x86_64/. We are not using this 
> repo 
> > since we are currently on puppet 4 codebase. 
> > 
> > So the question is, how long will the 
> > https://yum.puppetlabs.com/el/7/PC1/x86_64/  repo get updates (security 
> > fixed, improvements etc) and when is open source puppet 4 considered End 
> Of 
> > Life? 
>
>
> if you look at the Puppet Enterprise support cycle and figure out which is 
> the last one with Puppet 4 then you will know when 4 will be EOL.  If I 
> read it right it looks to be around July 2018. 
>
> Upgrade to Puppet 5 from 4 is pretty trivial, so should be easy for you to 
> follow along. 
>
> -- 
> R.I.Pienaar / www.devco.net / @ripienaar 
>



[Puppet Users] Re: Best way to change settings on an individual node

2017-11-02 Thread Eric Sorenson
Hi Jack, for puppet enterprise there's a built-in workflow for assigning 
classes to nodes - the phrase you're looking for is called "node 
classification" in puppet-speak.  here's the relevant 
doc: 
https://puppet.com/docs/pe/2017.3/managing_nodes/grouping_and_classifying_nodes.html

hope this helps!
--eric0

On Thursday, November 2, 2017 at 5:37:29 AM UTC-7, jackandn...@gmail.com 
wrote:
>
> Hi,
> I'm a new puppet enterprise user (first post!) and I need to change 
> some settings on an individual node.  The module is created and it works in 
> my testing, but every method of applying the module to one machine feels 
> like I'm doing it wrong. What is the best way to accomplish this?  Feel 
> free to point me to some documentation, if I'm simply missing something. 
>
> Thanks,
>
> Jack
>



[Puppet Users] Puppet Bolt 0.6.0 released!

2017-10-20 Thread Eric Sorenson
Bolt 0.6.0 is released!  This is a feature release of the open-source task 
runner, which includes:

- the ability to read a newline-separated list of nodes from a file using 
'--nodes @file.txt' or from stdin via '--nodes -'
- prompting for a password securely rather than requiring it on the command 
line, if you use the '-p' flag with no argument - thanks to Diana Zvulun @deezx 
for contributing this!
- Bolt now applies command line options, such as --user, when executing a 
plan with bolt run plan. 

Additionally, a security-related bug was fixed where previously Bolt did not 
securely verify keys for hosts it had not connected to before.

Complete release notes and more info about bolt: 
https://puppet.com/docs/bolt/0.x/bolt_overview.html

--eric0

Eric Sorenson - e...@puppet.com 
director of product, ecosystem and platform



[Puppet Users] Announce: Bolt 0.5.1

2017-10-11 Thread Eric Sorenson
Hi, I'm super excited to announce the initial open-source release of Bolt, a 
new project that lets you easily run commands, scripts, tasks, and task plans 
across your infrastructure.

It's got its own product page on the puppet site: 
https://puppet.com/products/puppet-bolt

Or you can go straight to the tech docs: 
https://puppet.com/docs/bolt/0.5/bolt_overview.html

If you have real-time questions about Bolt or Puppet Tasks, you can join the 
conversation on slack.puppet.com #puppet-tasks.

Eric Sorenson - e...@puppet.com
director of product, ecosystem and platform



[Puppet Users] Announce: Puppet Platform 5.2 available!

2017-09-14 Thread Eric Sorenson
A new release of the Puppet Platform is available. As a reminder, we're doing 
monthly releases of the platform components (Agent, Server and PuppetDB) which 
are tested and released together. 

Puppet 5.2.0 is a feature and improvement release in the Puppet 5 series that 
also includes several bug fixes. This release ensures that translated strings 
can be loaded in the puppet gem. You can find more information in the Puppet 
5.2 release notes: https://docs.puppet.com/puppet/latest/release_notes.html 

Puppet agent 5.2.0 also includes a new release of Facter, Facter 3.9, which 
contains a new experimental fact, `hypervisors`. This fact returns the names of 
any detected hypervisors and any collected metadata about them.

PuppetDB 5.1.0 is a bugfix and performance release. It contains significant 
schema migrations, most notably for fact storage. It also improves handling of 
binary data in several places. For more information, see the detailed PuppetDB 
release notes: https://docs.puppet.com/puppetdb/latest/release_notes.html

Puppet Server 5.1 contains several new features and bug fixes. New features 
include:
• Automatic CRL refresh on certificate revocation
• Puppet agents retry requests on a configurable delay if Puppet Server 
is busy
• Autosigning supports CA certificate bundles
• Administrators can add Java JARs to be loaded on startup
For more information, see the Puppet Server 5.1 release notes: 
https://docs.puppet.com/puppetserver/latest/release_notes.html 

Eric Sorenson - e...@puppet.com 
director of product, ecosystem and platform



[Puppet Users] Announce: Puppet Server 2.8.0 available

2017-08-31 Thread Eric Sorenson
Puppet Server 2.8.0 is now available.  This is a backwards-compatible feature 
release for Puppet 4.x sites, which contains one notable new feature and a few 
bugfixes as well.

The headline feature is that the puppetserver now automatically reloads the CRL 
(certificate revocation list) when a node's certificate is revoked, where 
previously a revoked cert was considered valid until the puppetserver was 
restarted. This feature should make it easier to reprovision nodes with the 
same name/certificate identity as a revoked node, plus reduce manual work when 
revoking. (TK-149)

A special community thank-you goes to Matthias Hörmann, who reported and helped 
troubleshoot SERVER-1671, which is also fixed in this release.


For the full list of changes, check out the release notes: 
https://docs.puppet.com/puppetserver/2.8/release_notes.html#puppet-server-280

To download and install puppet server, follow these instructions: 
https://docs.puppet.com/puppetserver/2.8/install_from_packages.html


Eric Sorenson - e...@puppet.com
director of product, ecosystem and platform



[Puppet Users] Re: Puppet 5.0.1: JSON to PSON automatic downgrade doesn't account for binary facts

2017-08-02 Thread Eric Sorenson
Hi Dominic, thanks for tracking this down and documenting it so thoroughly. 
Some responses inline:

On Tuesday, August 1, 2017 at 9:56:28 PM UTC-7, Dominic Scheirlinck wrote:
>
> Thought I'd leave a note about an issue I ran into when upgrading to 
> Puppet 5.0.1, in case someone else is wrestling with the same thing (also 
> just to provide a result for some poor person Googling it after me). Turned 
> out to be a whole bunch of factors:
>
> - The default serialization format is now JSON (previously PSON), which 
> doesn't support arbitrary binary data (only UTF-8 strings)
> - PUP-7602 is supposed to automatically downgrade back to PSON if there's 
> binary data in the catalog
> - But this doesn't seem to account for binary facts - you get an error on 
> apply: "Error: Failed to apply catalog: Could not render to json: source 
> sequence is illegal/malformed utf-8" 
>
> I surmise that a binary fact is at fault because of a debug message from 
> Facter: "Debug: Facter: Received a log message with invalid encoding:"fact 
> \"ec2_userdata\" has resolved to [...]" (escaped data follows) - and 
> because I'm not shipping binary in my catalog otherwise. This is 
> particularly annoying if you're using local VMs to test your puppet server 
> upgrade, because you won't run into it until you run it on your production 
> EC2 node :)
>
> The EC2 user data is gzipped to work around a user_data size limitation. 
> (i.e. 
> https://www.terraform.io/docs/providers/template/d/cloudinit_config.html#gzip)
>  
> - I guess I'm not close enough to the limit that I could pay the size 
> penalty and base-64 encode the compressed user-data as well - but you can't 
> change user data while the instance is running, so it's not nice as a 
> workaround.
>

Yeah, this is one of the main shifts between pson and json. Since there's 
not type hinting for facter, we assume everything's a string, and while 
pson used to best-effort deal with binary encodings, json won't support it. 
 Seems like you could either un-gzip the user data or b64 encode it.
 

>
> I've seen the Facter blocklists documentation, but it doesn't make it 
> clear whether you can block a specific fact instead of the whole EC2 
> blockgroup - or more accurately, it appears I can't. (I am using 
> ec2_metadata, to get ['placement']['availability-zone'] so I don't want to 
> block the group - I'd only want to block the ec2_userdata fact). I guess I 
> could try overwriting the value with a blank string (a la 
> https://tickets.puppetlabs.com/browse/FACT-1354?focusedCommentId=410038=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-410038
> )?
>

Unfortunately the blocklist is currently at the level of the resolution 
group, as you've discovered. The overwrite would work OK and be pretty 
simple, assuming you don't actually *need* any of the userdata for Puppet 
to run. 

>
> For now, I've just reverted to PSON serialization. That's not deprecated, 
> right? (Just the default was changed?)
>

That's right. One thing to note though... json is way faster. If you can 
get around this, the performance gains probably make it worthwhile to shift 
to json.
 

>
> (Also, I'd file a JIRA ticket, but I'm not sure whether support for binary 
> fact values is desired or necessary, whether Facter should be giving up on 
> passing a fact if it has a binary value, or whether a PUP-7602-style 
> serialization fallback would be better, etc.)
>
>
It'd be great to have a bug on this to talk over the options.  Thanks again 
for the sleuthing!

--eric0
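
Added example (not part of the original thread, and not Puppet or Facter code): a stand-alone Ruby check that finds fact values which are not valid UTF-8 and applies the Base64 option mentioned above so the facts render as JSON. The fact names come from the thread; the sample values, the helper names, and the choice to tag the gzipped value as UTF-8 are assumptions made for the illustration.

```ruby
require 'json'
require 'zlib'

# Constructed sample: gzipped cloud-init user data next to ordinary facts.
# The gzipped value is tagged UTF-8 like any other string fact (an assumption
# of this example), although its bytes are not valid UTF-8.
USER_DATA = "#cloud-config\npackages:\n  - ntp\n"
SAMPLE_FACTS = {
  'hostname'     => 'web01',
  'ec2_metadata' => { 'placement' => { 'availability-zone' => 'us-east-1a' } },
  'ec2_userdata' => Zlib.gzip(USER_DATA).force_encoding(Encoding::UTF_8)
}.freeze

# A string can be carried in JSON only if its bytes are valid UTF-8.
def utf8_clean?(str)
  str.dup.force_encoding(Encoding::UTF_8).valid_encoding?
end

# Dotted paths of every string value, at any depth, that is not valid UTF-8.
def binary_fact_paths(value, path = nil)
  case value
  when Hash
    value.flat_map { |k, v| binary_fact_paths(v, [path, k].compact.join('.')) }
  when Array
    value.each_with_index.flat_map do |v, i|
      binary_fact_paths(v, [path, i].compact.join('.'))
    end
  when String
    utf8_clean?(value) ? [] : [path]
  else
    []
  end
end

# Copy of the facts with each binary string replaced by its Base64 text.
# Clean strings, numbers, booleans and nil pass through unchanged.
def base64_binary_facts(value)
  case value
  when Hash
    value.each_with_object({}) { |(k, v), out| out[k] = base64_binary_facts(v) }
  when Array
    value.map { |v| base64_binary_facts(v) }
  when String
    utf8_clean?(value) ? value : [value].pack('m0') # 'm0' = Base64, no newlines
  else
    value
  end
end

# Whether Ruby's JSON generator accepts the structure.
def renders_as_json?(facts)
  JSON.generate(facts)
  true
rescue JSON::GeneratorError, EncodingError
  false
end

# Consumer side: undo the Base64 step, then the gzip step.
def decode_user_data(encoded)
  Zlib.gunzip(encoded.unpack1('m0')).force_encoding(Encoding::UTF_8)
end

if __FILE__ == $PROGRAM_NAME
  puts "binary facts:      #{binary_fact_paths(SAMPLE_FACTS).inspect}"
  puts "raw facts to JSON: #{renders_as_json?(SAMPLE_FACTS)}"
  clean = base64_binary_facts(SAMPLE_FACTS)
  puts "encoded to JSON:   #{renders_as_json?(clean)}"
  puts "user data intact:  #{decode_user_data(clean['ec2_userdata']) == USER_DATA}"
end
```

Base64 adds roughly a third to the size of the value, which is the size penalty the quoted message refers to.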



[Puppet Users] Re: Can I find out about another node?

2017-07-05 Thread Eric Sorenson
The best way to do this is to use puppetdb, which you can then query from 
manifests using the puppetdb_query() function.

Your query would look like (untested but i think this is right...)

$nodes_array = puppetdb_query('inventory[certname] { resources { type = "OurSystem" } }')

(You may see references to "exported resources" which accomplishes a 
similar goal but IMO querying is better because it has a superset of 
exported resource functionality and you don't need to know beforehand which 
resources you want to mark as being 'collectable'.)

HTH
--eric0

On Wednesday, July 5, 2017 at 7:34:26 AM UTC-7, Robert Inder wrote:
>
> I'm using Puppet (3.8) to set up installations of a system for different 
> clients.
>
> We have a number of servers running "live" installations, 
> and others running corresponding development installations.
>
> There is a module for the system, and each node has a separate
> instance for each client that that machine is to support.
>
> I'd like to tell the development system for a given client 
> where to find the corresponding "live" installation.
>
> Can I do that?  Can an instance of a OurSystem resource for client
> "Edinburgh"  on node "devel9"  determine which other
> node also has an instance of OurSystem for "Edinburgh"?
>
> Robert.
>
>
>
>
>
>
>



[Puppet Users] Announce: Puppet 5 Platform released!

2017-06-27 Thread Eric Sorenson
I have run out of superlatives to try to express how excited I am for this 
release: the Puppet 5 Platform is available for download now.

The primary goals of this release are to harmonize numbering across the major 
components (Puppet Agent, PuppetDB, Puppet Server) to "5", as a first step 
towards delivering these components as a unified platform; include Hiera 5 with 
eyaml as a built-in capability; provide clean UTF-8 support; move network comms 
to fast, interoperable JSON. Our current Ruby versions are EOL'ed, so we're 
moving to MRI Ruby 2.4 on the agent and (opt-in) jruby9k on the server. The 
PE-only puppet-server metrics service is now open-sourced. 

In addition to the features, there are some substantial performance boosts 
waiting for you. According to our perf testing (thanks Doug!):

• Puppet 5 Agent run-times were 30% lower at equivalent loads. (Average 
of 8 seconds vs 5.5 seconds)
• Puppet 5 Server CPU utilization was at least 20% lower than Puppet 4 
in all scenarios.
• CPU utilization for Puppet 5 PuppetDB and PostgreSQL were also lower 
in all scenarios.
• Puppet 5 catalog compile times reported by Puppet Server were between 
7-10% lower than Puppet 4.
• Puppet 5 scaled to an additional 40% increase in the number of agents 
while Puppet 4 agent run-times became dangerously high.

This is a "semver major" with some backwards incompatibilities, but we have 
worked very hard to retain module compatibility with Puppet 4.x modules. With a 
few careful (and hopefully rarely used) exceptions, module code that works 
under Puppet 4 should not need revision to work under Puppet 5. 

For a full list of changes and download instructions, check out the full 
release notes: https://docs.puppet.com/puppet/5.0/release_notes.html

I'd like to send out huge thanks to the Puppet teams who worked on this release 
and to community members who provided feedback on both the design discussions 
and early preview releases — extra special thanks to Josh Cooper for 
shepherding this out the door. It has a special significance for me since it's 
version five and (by total coincidence!) yesterday was my five year anniversary 
at Puppet :) I think it's going to be a great release series.

Eric Sorenson - e...@puppet.com 
director of product, ecosystem and platform



[Puppet Users] Announce: new Puppet 5 Platform nightly builds available

2017-06-08 Thread Eric Sorenson
tl;dr: There are new builds in the 'puppet5-nightly' repos. Please give them a 
spin and let us know what you find!

Since we pushed the first builds of what will become the Puppet 5 Platform 
packages into the repos, a *lot* has been going on. We're nearing code-complete 
on the release and it seemed like a good time to push out some pipin' hot 
builds and remind everyone that it's coming Real Soon Now[tm].

Just to get it out of the way -- I say this every time I talk about Puppet 5 
and this post is no exception:
*** No puppet module code that works on Puppet 4 will need changing for Puppet 
5 ***

Additionally:
*** Puppet 3 agents can talk to Puppet 5 masters running under 
puppet-server-5.x ***

There are some changes that I think are pretty awesome but are a bit deep under 
the hood. The main one, and the primary reason we are really interested in your 
feedback on the current builds, is that all of the network comms use standard 
JSON. Previously there was a mix of YAML and PSON ("pure" json, meaning pure 
ruby, meaning it couldn't use any of the perf optimizations in jruby or MRI's 
built-in json libraries). In addition to increasing interoperability, we expect 
this to have significant performance speedups for pretty much everyone. 

Speaking of Ruby, another significant change (and one of the main reasons we 
incurred a semver major-version bump) is that the agent ruby version is now MRI 
Ruby 2.4.1. On the puppet-server side, we have opt-in support for JRuby 9k, 
which is a Ruby 2.x compliant interpreter. So plugin code should be more 
consistent between agents and masters, but gems installed into the Ruby 
runtimes will need reinstallation (because /usr/lib/ruby/gems/x.y.z is 
version-dependent).

If this is news to you, check out the original thread on puppet-dev:
https://groups.google.com/d/topic/puppet-dev/-H1pHJM6NLE/discussion

and here's the blog post from when the repositories first went live:
https://puppet.com/blog/full-visibility-and-control-of-your-infrastructure-new-puppet-releases

If you just want to dive in, try out Puppet 5 Platform by installing the 
"puppet5-nightly-release" package from https://apt.puppet.com/ or 
https://yum.puppet.com/ for deb- and rpm-based Linux distributions. For Mac or 
Windows systems, go to https://downloads.puppet.com/ and click on mac/ or 
windows/, then navigate to the puppet5-nightly subdirectory.

Please try these builds out in your vagrant environments, sandboxes, and labs! 
Let us know what you run into - if you tag your JIRA tickets with an "Affected 
Version" field of "PUP 5.0.0" this causes alarm bells to ring in Puppet HQ :)

Cheers
--eric0



[Puppet Users] Ticket Backlog triages

2017-03-23 Thread Eric Sorenson
Hi All – we're trying to get on top of the backlogs of Jira tickets. Those of 
you who have been around for a while might remember this was the original 
purpose of the "Triage-A-Thon" events, when we parcelled out batches of Redmine 
tickets for categorization, clean-up, and prioritization. (Hi, @kartar!)

I wanted to let everyone know that this activity is going on, so if you see 
updates on long-dormant Jira tickets it doesn't come as a surprise. Although 
the commentary as we're dispositioning the tickets is boilerplate copy-pasta, 
these are not automatic mass-closures. Teams are going through the tickets in 
batches and spending some time on each one. If you get mail about a ticket that 
you feel is dispositioned incorrectly (such as "Cannot reproduce", when you can 
provide a repro case), please re-open it.

Additionally, if you're interested in helping out, the query we're working 
through is publicly available here:
https://tickets.puppetlabs.com/issues/?filter=25600#

The workflow and response text for triaging tickets is available here:
https://docs.puppet.com/community/puppet_projects_workflow.html#workflow-for-bugs

The benefit at the end of all of this will be that we will be able to provide 
much better response time for new issues as they come in.

Eric Sorenson - e...@puppet.com 
director of product, ecosystem and platform



[Puppet Users] Re: noob problem: Could not find a directory environment named 'development'

2017-02-17 Thread Eric Sorenson
Hi Peter, this is a known problem that is tracked 
in https://tickets.puppetlabs.com/browse/PUP-6739

--eric0

On Friday, February 17, 2017 at 11:53:50 AM UTC-8, Peter K wrote:
>
> I fixed my site.pp and that got my hiera lookups working...but I still 
> don't understand the puppet config results.
> -peter
>



Re: [Puppet Users] Re: hiera deep hash merges broken

2017-02-15 Thread Eric Sorenson
That's great to hear François, thank you for testing the patch! Our plan at 
this point is to accumulate a couple more fixes and ship a new build by 
Tuesday 21 Feb -

I don't want to generate a new build containing only the fix in PUP-7215 
because 
(a) there is QA work underway on the current release that may turn up new 
things that need fixing by the end of the week
(b) there is a simple workaround in PUP-7216 which is that you can 
s/hiera_hash/lookup/ as the function that you call.  

--eric0

On Wednesday, February 15, 2017 at 10:35:32 AM UTC-8, François Lafont wrote:
>
> On 02/15/2017 05:44 PM, Moses Mendoza wrote: 
>
> > Thanks all for the reports. A fix is in progress / en route, trackable 
> via 
> > https://tickets.puppetlabs.com/browse/PUP-7215 
>
> Ah ok, thanks Moses for the information. 
>
> I have tested in my testing VM and the commit of Thomas Hallgren seems 
> to work well. :) 
>
> François Lafont 
>



[Puppet Users] Re: Use of 'hiera.yaml' version 3 is deprecated. It should be converted to version 5

2017-02-15 Thread Eric Sorenson
Hey, it looks like everyone found this, but I wanted to add that we updated 
this document with the hiera.yaml v5 format late last week, so if you were 
looking for it outside of the google doc, it's up and running.

https://docs.puppet.com/puppet/4.9/lookup_quick.html#there-are-two-hierayaml-formats-now

This is an interim update while the docs team work on the full update, 
which will be out in the next week or two.

--eric0

On Tuesday, February 14, 2017 at 9:22:53 AM UTC-8, Bob wrote:
>
> The spec appears to be here -
>
> https://docs.puppet.com/puppet/4.9/lookup_quick.html
>
> On Wednesday, February 8, 2017 at 8:37:32 AM UTC+13, Joshua Schaeffer 
> wrote:
>>
>> Okay I see that they are actually preparing to release Puppet 4.9.2 which 
>> is supposed to fix these issues. Does this mean they will release a new 
>> puppet-agent package part of the PC1? Where can I go to track the progress 
>> of this minor release?
>>
>>>



[Puppet Users] Announce: puppet-agent 1.9.0 released!

2017-02-02 Thread Eric Sorenson
Hi All,

I’m excited to announce the release of Puppet Agent 1.9.0, which includes 
Puppet 4.9.0. There’s lots of good stuff in this release, but a few highlights 
include: 

• Hiera 5 - a successor of the experimental Puppet lookup feature - is 
built into Puppet 4.9. This allows you to have Hiera data embedded in modules 
as well as per-environment hierarchies, provides an "explain" feature for easy 
debugging, and has significant performance improvements. Read more here: 
https://docs.puppet.com/puppet/latest/lookup_quick.html

• Fixes for several bugs related to Unicode and UTF-8 support in 
Puppet. 

• New fact: `cloud`. This new top-level fact is intended for 
discovering whether a node is running on a given public cloud provider. In this 
first release, it currently detects whether a Linux-based node is running in 
Azure, and provides that information in the cloud.provider fact.

Deprecations in this release include deprecations of several Puppet faces, as 
well as Puppet support for the Ruby 2.0 series. 

For a complete list of Puppet 4.9.0 features, bug fixes, and deprecations, 
please see the release notes at 
https://docs.puppet.com/puppet/4.9/release_notes.html. 

Special thanks to community member Shawn Ferry for contributing several fixes 
for Puppet on Solaris. 

Two caveats: 

In Puppet 4.9.0, we removed the vendored `semantic` gem, replacing it with 
`semantic_puppet`.  We learned this causes an issue with any module based on 
https://github.com/garethr/puppet-module-skeleton/, since the skeleton loads 
the `semantic` gem from Puppet's vendor dir to validate a module's 
metadata.json.  We’re planning to ship a Puppet 4.9.1 gem ASAP that will warn 
that this has been removed (but does not fail directly). 
https://tickets.puppetlabs.com/browse/PUP-7156

Additionally, if you have a "classic" hiera.yaml config file in an environment 
root (perhaps because your control repository has one checked in, and r10k 
deploys it into /etc/puppet/code/environments//hiera.yaml), you'll 
see the error "a hiera.yaml version 3 cannot be used in an environment". This 
will become a warning instead of a hard error, and until then you can move it 
into a subdirectory where it will be ignored. 
https://tickets.puppetlabs.com/browse/PUP-7165

New Platform Support 

• This release adds puppet-agent packages for Fedora 25. 

EOL Platforms 

As of this release, we are no longer providing puppet-agent packages for the 
following platforms:
• Ubuntu 10.04 (Lucid)
• Ubuntu 15.10 (Wily)
• Mac OS X 10.9
• SLES 10
• Fedora 22

To install or upgrade Puppet Agent, follow the getting started directions: 
http://docs.puppetlabs.com/puppet/latest/reference/index.html

For information on upcoming platform end-of-life (EOL) for Puppet Agent, please 
see our Platform Support Lifecycle page: 
https://puppet.com/content/platform-support-lifecycle


Eric Sorenson - eric.soren...@puppet.com 
director of product, puppet ecosystem



Re: [Puppet Users] Over-engineering rant

2017-01-10 Thread Eric Sorenson

On Monday, January 9, 2017 at 6:56:34 AM UTC-8, John Gelnaw wrote:
>
> On Sunday, January 8, 2017 at 2:31:33 PM UTC-5, Rob Nelson wrote:
>>
>> There are a lot of very valid issues and concerns you bring up here. I do 
>> want to start by saying, however, that puppet 4 is more than 6 months old - 
>> about 20 months to be precise - and most of the significant language 
>> changes were introduced somewhat earlier in the future parser in puppet 3. 
>> These changes should be easier to take in for sure, but that is at least 3x 
>> more to catch up on. I hope that doesn't sound like a harsh response, but I 
>> think it's more accepted that after 1.5-2 years, most moving projects will 
>> require significant re-learning.
>>
>
> I've been using "future parser" in Puppet 3 for a while-- I absolutely had 
> to have iteration, and a few other features, so I *thought* I had been 
> keeping up with puppet development.
>
> I had a similar reaction to the OP when I looked at the NTP code-- 
> "ek!!!".
>
> Although knowing that it's optional is a good thing, and knowing it's 
> available is also good-- it is something of an overwhelming example of 
> "wall of code".  Then again, for those who say NTP is simple-- I point and 
> laugh in your general direction.  The fact that NTP *can* be as simple as a 
> drift file and an NTP host, doesn't mean it's always that easy, and I 
> respect the amount of effort in making that module work. 
>

> Having said that, my ntp class is a bit simpler, and resembles the classic 
> "package / file / service" puppet class, because that's all my site 
> requires. 
>

I'd like to point out that this ntp module is also deliberately a test case 
for *all* of the puppet 4 language features, and as such is kind of a 
"reference module", so it certainly could be simpler but is intended to 
both do something useful and provide a working example of things like EPP 
and the type system. Helen Campbell wrote up a walk-through of the features 
that she and David Schmitt implemented in it here: 
 https://puppet.com/blog/ntp-puppet-4-language-update


> Most of my bitterness towards puppet comes from the 3.x series, where the 
> API was a moving target, and upgrading to the "latest" puppet 3.x package 
> could break your world.  It's gotten significantly better, but I'm still 
> only about halfway up the puppet 3.x --> 4.x cliff.  ;)
>

Can you give me an example of backwards-incompatible API changes in the 3.x 
series? I'm not being snarky; we had long debates (way too long, in some 
cases) about semantic versioning and did extra work to not introduce 
breaking changes into the 3.x. The goal was rebuilding trust that new 
versions behave like you'd expect given the version number, so I'm dismayed 
to hear that those efforts failed and things broke for you anyway :(

--eric0



[Puppet Users] Re: Problem with test run

2017-01-05 Thread Eric Sorenson
Hi Joe, It's an agent-side setting (the facts are "stringified" on the 
agent before the server ever sees them) so it needs to happen on the 
agents. But if you're not currently managing your config file with puppet 
itself you can use a module like 
this: https://forge.puppet.com/cjtoolseram/puppetconf

just make sure to set stringify_facts in the 'main' or 'agent' sections of 
the config and you should be good to go.



On Tuesday, January 3, 2017 at 2:40:54 PM UTC-8, Joe wrote:
>
> Rob, is there a way to set 'stringify_facts = false' globally on the 
> puppet server or this must be done on all clients? I just hit this with a 
> puppetlabs module and setting to false on the agent worked. Obviously I 
> would rather set it once on the server.
>
> Thanks
>
> On Sunday, November 6, 2016 at 10:44:09 AM UTC-7, ddough...@gmail.com 
> wrote:
>>
>> facter tells me this:
>>
>> os => {"family"=>"RedHat", "name"=>"OracleLinux", 
>> "release"=>{"major"=>"6", "full"=>"6.6", "minor"=>"6"}}
>>
>> but puppet agent --test tells me this:
>>
>> [root@q061oracl0901 puppet]# puppet agent --test
>> Info: Retrieving pluginfacts
>> Info: Retrieving plugin
>> Info: Loading facts
>> Error: Could not retrieve catalog from remote server: Error 500 on 
>> SERVER: {"message":"Server Error: Evaluation Error: Error while evaluating 
>> a Resource Statement, Data Provider type mismatch: Got String when a 
>> hash-like object was expected to access value using 'name' from key '
>> facts.os.name' on node 
>> q061oracl0901.dqscust.local","issue_kind":"RUNTIME_ERROR"}
>> Warning: Not using cache on failed catalog
>> Error: Could not retrieve catalog; skipping run
>> [root@q061oracl0901 puppet]#
>>
>> Client is v3.8.7
>>
>> Running Foreman1.13 on the server.  
>>
>> I can telnet to 8140 from the client to the server.  The agent was 
>> running successfully for a while.  I added the grub2 class and removed it. 
>>  I also put the client into a host group.  I've now removed it to try to 
>> troubleshoot the problem.  Any ideas?
>>
>> Thanks,
>> Dan
>>
>



Re: [Puppet Users] Single Enterprise Puppet Master to support 2 Control Repos

2016-12-03 Thread Eric Sorenson
Hi Thomas, have you tried the `puppet generate type` workflow described on 
that doc to avoid the problems with environment bleed-through? You said you 
failed w/the elasticsearch module and I'm wondering if that is because the 
`generate` stuff is not working, or whether there's another part of the 
problem.

On Monday, November 28, 2016 at 10:24:29 AM UTC-8, Thomas Müller wrote:
>
>
>
> On Monday, 28 November 2016 19:06:55 UTC+1, Rob Nelson wrote:
>>
>> This will work but I would caution against it. Only recently has per 
>> environment segregation been implemented and there are still some issues 
>> present (I believe most fixes showed up in 4.8.0 but not sure). You don't 
>> want the same module at two different versions for each group being mixed 
>> and matched improperly. But, it's a judgement call if that's more worrisome 
>> than an extra PE master. 
>>
>
>
> I can confirm that the issue with different versions of the same module in 
> different environments with native ruby types/providers is a real problem. 
> Just encountered it with the elasticsearch module which we wanted to 
> upgrade. I utterly failed because new types were added and some types 
> changed. 
>
> If multiple independent teams are working on the same master you will 
> likely hit this issue faster than with only one team.
>
> https://docs.puppet.com/puppet/latest/reference/environment_isolation.html 
> 
>  
>
> - Thomas
>
>
>



[Puppet Users] Upcoming End-of-Life for Puppet 3 & older versions of component projects

2016-11-17 Thread Eric Sorenson
Hi all, 
In July, we announced the end-of-life for Puppet Enterprise 3.x but I realized 
I've not been super clear about what that means for the open-source versions of 
its component projects. There's now a general statement on the Enterprise 
Support Lifecycle page:

https://puppet.com/misc/puppet-enterprise-lifecycle

And to be very specific, once Puppet Enterprise 3.x goes end-of-life on 
December 31 2016, there will be no further releases of the following major 
series of projects:

Puppet 3.x
PuppetDB 2.x and 3.x
Puppet Server 1.x
Hiera 1.x and 2.x
Facter 2.x

If you're still using Puppet 3, there's a ton of helpful resources on the 
Upgrade home page:

https://docs.puppet.com/upgrade/

We had a whole track at PuppetConf dedicated to the subject and you can watch 
the videos if you're more of a visual learner. The talks are all clustered 
together in this youtube playlist, starting with Rob Nelson's "Enjoying the 
Journey from Puppet 3 to 4" here:

https://www.youtube.com/watch?v=FWnj0xQOZN8=23=PLV86BgbREluVjwwt-9UL8u2Uy8xnzpIqa

For realtime help, you can drop into the #upgraders channel on the Puppet 
Community Slack; sign up at https://slack.puppet.com/ if you're not already 
logged in.

Thanks and happy upgrading!
--eric0

Eric Sorenson - eric.soren...@puppet.com - freenode #puppet: eric0
puppet ecosystem product manager



[Puppet Users] Re: Prevent certificate collisions due to servers going up and down with same hostname

2016-10-27 Thread Eric Sorenson
Hi Iván - I think there are a couple of approaches that could work for you.

1 - you could continue to provision as you do today, but include a step in 
the shut-down that cleans a certificate. It is possible to add a rule to 
the auth.conf file that permits access to puppet's HTTPS endpoints which 
allows a node to delete its own certificate.  There's a blog post about it 
here:

http://www.nightbluefruit.com/blog/2015/02/allowing-puppet-agents-manage-their-own-certificates/

But I would suggest doing something a little nicer with the auth.conf 
rules, like this for /etc/puppetlabs/puppetserver/conf.d/auth.conf
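    {
        # Assumes this entry is placed in the authorization.rules list.
        "allow" : "$1",    # $1 = certname captured from the request path
        "match-request" : {
            "method" : "delete",
            # Anchored at both ends so only this exact endpoint matches.
            "path" : "^/puppet-ca/v1/certificate_status/([^/]+)$",
            "query-params" : {},
            # "regex" is required for the capture group and the $1 back-reference.
            "type" : "regex"
        },
        "name" : "nodes deleting their own certs",
        "sort-order" : 500
    }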

2 - You can indeed re-use the same cert and key for all your nodes. I have 
used this setup in production and it works pretty well but it is not a 
common best practice.  I have a write-up of how to do it 
here: https://gist.github.com/ahpook/1182243  but it is probably a bit out 
of date now.  

I would suggest going to option #1 but either could work for you.  Hope 
this helps!

--eric0

On Tuesday, October 25, 2016 at 7:42:47 AM UTC-7, Iván del Castillo Zamora 
wrote:
>
> Hi!
>
> We have a setup with a puppetmaster CA and several servers (AWS instances) 
> which are spawned depending on the workload. On a daily basis from 50 to 
> 100 instances can be spawned and shutdown (not at the same time), and what 
> occurs is that a new server can have the IP and hostname . When a new 
> certificate is created due to a new instance, this goes down after a while 
> and if right after that a new instance with this just released IP (an IP 
> 1.2.3.4 sets the hostname ip-1-2-3-4 in AWS, for example) is spawned, we 
> get the usual SSL error as the private key has changed (a new one was 
> generated in the last instance). 
> I have tried a quite dirty solution which involved a task running almost 
> continuously which took every certificate from the SSL folder in the 
> puppetmaster, and as the hostname(certname) includes the IP(just replace - 
> with .), the script checked every IP against the whole list of IPs we have 
> up at that moment, but in the end we are facing some race conditions due to 
> timings so it just worked fine for a while.
>
> It seems that we need a solution that is in sync with the state of the 
> server when it boots up and it is shut down. Not all instances involved in 
> this are located in an "Auto Scaling Group", so a solution I checked related 
> to send notifications to a SNS queue sadly would not work for us.
>
> We thought of a solution which involved creating a new certificate, which 
> should be stored in disk and add the directive certname in puppet.conf so 
> every server presents the same certificate with the same private key and 
> cert. We are already using autosign and as the puppetserver is only on the 
> local network and firewalled it should not be a security issue to share the 
> same certificate among our servers. We tested it manually, but we are 
> afraid we will face another issue we did not foresee as it happened with 
> the task I mentioned before.
>
> Has anyone tried any of these solutions or are using a different approach?
>
> Thanks a lot!
>
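
A simplified model of how the self-delete rule from the reply above is evaluated, as an added example in Ruby that is not part of the original post and is not Puppet Server's own code. It assumes a "regex" rule is searched for in the request path, a "path" rule is a literal prefix, and "$1" in "allow" is replaced by the first capture group before comparison with the client certificate's name; the helper names and sample requests are constructed.

```ruby
# Simplified model of how one Puppet Server auth.conf rule is evaluated.
# Assumptions (not Puppet Server code): a "regex" rule is searched for anywhere
# in the request path, a "path" rule is a literal prefix, and "$1" in "allow"
# is replaced by the first capture group before it is compared with the name
# in the client's verified certificate.

Rule = Struct.new(:type, :path, :methods, :allow, keyword_init: true)
Request = Struct.new(:method, :path, :certname, keyword_init: true)

ENDPOINT = '/puppet-ca/v1/certificate_status/([^/]+)$'

# Rule with type "regex" and both anchors.
ANCHORED = Rule.new(type: :regex, path: "^#{ENDPOINT}", methods: ['delete'], allow: '$1')
# Same pattern without the leading anchor.
UNANCHORED = Rule.new(type: :regex, path: ENDPOINT, methods: ['delete'], allow: '$1')
# Same pattern declared as a literal path.
LITERAL = Rule.new(type: :path, path: ENDPOINT, methods: ['delete'], allow: '$1')

# Java regexes (used by Puppet Server) anchor ^ and $ to the whole input by
# default; Ruby anchors them to lines, so translate them for this model.
def compile(pattern)
  Regexp.new(pattern.sub(/\A\^/) { '\A' }.sub(/\$\z/) { '\z' })
end

# Returns MatchData (regex rule), true (literal prefix) or nil (no match).
def match_rule(rule, request)
  return nil unless rule.methods.include?(request.method)

  if rule.type == :regex
    compile(rule.path).match(request.path)
  else
    request.path.start_with?(rule.path) ? true : nil
  end
end

# Returns :no_match (other rules decide), :allow or :deny.
def authorize(rule, request)
  matched = match_rule(rule, request)
  return :no_match if matched.nil?
  return :deny if request.certname.nil? # no verified client certificate

  allowed = rule.allow
  if matched.is_a?(MatchData)
    allowed = allowed.gsub(/\$(\d)/) { |ref| matched[ref[1].to_i].to_s }
  end
  allowed == request.certname ? :allow : :deny
end

def delete_request(path, certname)
  Request.new(method: 'delete', path: path, certname: certname)
end

# Constructed sample requests; hostnames follow the ip-1-2-3-4 form from the thread.
OWN = '/puppet-ca/v1/certificate_status/ip-1-2-3-4'
SAMPLES = {
  own_cert: [ANCHORED, delete_request(OWN, 'ip-1-2-3-4')],
  other_node: [ANCHORED, delete_request(OWN, 'ip-5-6-7-8')],
  no_client_cert: [ANCHORED, delete_request(OWN, nil)],
  read_request: [ANCHORED, Request.new(method: 'get', path: OWN, certname: 'ip-1-2-3-4')],
  trailing_segment: [ANCHORED, delete_request("#{OWN}/extra", 'ip-1-2-3-4')],
  prefixed_anchored: [ANCHORED, delete_request("/x#{OWN}", 'ip-1-2-3-4')],
  prefixed_unanchored: [UNANCHORED, delete_request("/x#{OWN}", 'ip-1-2-3-4')],
  literal_type: [LITERAL, delete_request(OWN, 'ip-1-2-3-4')]
}.freeze

def evaluate_samples
  SAMPLES.transform_values { |rule, request| authorize(rule, request) }
end

evaluate_samples.each { |label, verdict| puts format('%-20s %s', label, verdict) }
```

In this model a replacement instance that reuses a hostname but has no signed certificate yet is denied, so the clean-up has to run on the old instance during shutdown, as the reply suggests.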



[Puppet Users] Re: Struggling with setting up a Manageable Puppet Infrastructure?

2016-07-01 Thread Eric Sorenson
Awesome, Ger! Your talks and blog posts are always great and the puppet 
infra you recommend is very clean. Best wishes for your class.

--eric0

On Friday, July 1, 2016 at 3:42:18 AM UTC-7, Ger Apeldoorn wrote:
>
> Hi all!
>
> I see people struggle with their Puppet setups over and over again. It 
> doesn’t fit right, makes it hard for people to work together and changes 
> are risky and complicated. The smallest change might be the one that makes 
> your servers keel over.
>
> I have found that there is a sound infrastructure that has proven its 
> robustness and flexibility in many companies.
>
> Unfortunately, there are a lot of people that are still struggling. I have 
> done talks about the Manageable Puppet Infrastructure at conferences and 
> have had setup instructions on my site for years, but although some people 
> could get by with this, it was still lacking a bit.
>
> In the last few weeks, I have been working on an online course/tutorial at 
> udemy.com. This course (Build your own Manageable Puppet Infrastructure) 
> consists of hours of practical video lectures and you can follow me 
> step-by-step to setup your own MPI.
>
> *The end-result of taking this course is a production-ready Manageable 
> Puppet Infrastructure.*
>
> If you act fast; this link will be valid until *July 8th* and gives you a 
> *40% 
> discount*.
>
>
> https://www.udemy.com/manageable-puppet-infrastructure/?couponCode=PUPUSERS40
>
> Kind regards,
> Ger
>



[Puppet Users] Re: Puppet's CA with an external issued CA-Certificate

2016-06-24 Thread Eric Sorenson
This is not fully supported yet, but can work with a couple of caveats - 
the question has come up a few times recently.

Can you please try my draft HOWTO documentation at this gist, and let me 
know how it works for you? You can reply here or comment on the gist if 
there are specific lines that you run into trouble with.

https://gist.github.com/ahpook/06d4cfda1d68c08bc82fbfdc40123b28

--eric0

On Thursday, June 23, 2016 at 11:17:37 PM UTC-7, Christoph Fiehe wrote:
>
> This is exactly the use case, I require in my scenario. I must have 
> several Puppet CAs, each acting as intermediate CA that has an individual 
> CA certificate signed by a single root CA. Each intermediate CA signs the 
> certificates of some puppet agents. I have created a small picture to show 
> you how the scenario should look like. The root puppetmaster acts as a 
> bootstrapping node that should set up different nodes as puppetmaster when 
> someone assigns the puppetmaster role to this new node.
>
> Has anybody an idea, if this scenario can be realized with the help of 
> Puppet? The most interesting question is how Puppet behaves when you assign 
> "ca = true" to an agent node and assign "ca_server =  CA>".
>



Re: [Puppet Users] Trouble creating a release RPM from puppetlabs/puppet source repo

2016-06-22 Thread Eric Sorenson

On Thu, 9 Jun 2016, Rob Nelson wrote:

> Eric
>
> Sidebar question I've always had. There's the puppet gem that is commonly
> used for rspec-puppet. Could that gem (plus its deps, facter, hiera, etc.)
> suffice for some or all use cases?

Sure, there are definitely people who run the whole stack from gems. (There 
are other people who call those people crazy, but that's a different 
conversation)


This becomes weirder with Facter 3 due to the C++ components; right now the 
puppet Gemfile specifies facter-2.4.4, which works fine but at some point 
there may be divergence between that gem and the latest mainline C++-facter.



Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles



Re: [Puppet Users] Trouble creating a release RPM from puppetlabs/puppet source repo

2016-06-09 Thread Eric Sorenson
Matt, I would like to understand this better and help you adopt Puppet into 
your environment.

This is not a rhetorical question, but it might sound like one: Do you 
rebuild your linux distribution from source RPMs? Because that is very 
similar to what the AIO Puppet agent bundle is: a mini distribution with 
the dependencies ending up in one artifact.

People outside Puppet can (and have) successfully rebuilt AIO, and there 
are also successful packaging efforts that take JUST the Puppet 4 source and 
build a standalone RPM from it in the manner of the puppet 3 packages:

puppet-4.2.1-3.fc24.src.rpm 


But our recommendation is to use the all-in-one obviously; it's what's 
tested extensively and what ships in puppet enterprise. 

--eric

On Wednesday, June 8, 2016 at 2:01:43 AM UTC-7, Matt Larson wrote:
>
> Sorry for not getting back soon, Dan.
>
> Good question.
>
> I work for a draconian company that only allows installing FOSS after our 
> infosec team has vetted the source code and then built from source; an 
> impossible hand-waving exercise, I know... but it is what it is.
>
> On Friday, June 3, 2016 at 2:51:10 PM UTC-4, LinuxDan wrote:
>>
>> First Silly Question: Why ?
>> What do you need to do that cannot be done with the RPM's from a 
>> Puppetlabs repo ?
>>
>> Dan White | d_e_...@icloud.com
>> 
>> “Sometimes I think the surest sign that intelligent life exists elsewhere in 
>> the universe is that none of it has tried to contact us.”  (Bill Waterson: 
>> Calvin & Hobbes)
>>
>>
>> On Jun 03, 2016, at 02:44 PM, Matt Larson  wrote:
>>
>>
>> I'm trying to create an RPM from source on a stock RHEL6-based (CentOS6) 
>> instance, but I'm seeing errors.  I also posted in 
>> https://ask.puppet.com/question/26388/trouble-creating-a-release-rpm-from-puppetlabspuppet-source-repo/
>>  
>>
>> The output actually gets pretty far along, but stops at with this error: 
>> "install: cannot stat ext/redhat/puppet.conf: no such file or directory". 
>> If I fix that problem by manually editing the SPEC file, I just get more 
>> errors, so clearly there is no need to go down a rabbit hole since this 
>> must work for someone else, right?
>>
>> I'm also posted in 
>> https://ask.puppet.com/question/26388/trouble-creating-a-release-rpm-from-puppetlabspuppet-source-repo/
>>
>> Ideas?
>>
>> Thanks in Advance,
>> Matt
>>
>>
>>



Re: [Puppet Users] Multiple CA setup.

2016-06-09 Thread Eric Sorenson
Check out this WIP doc where I describe how to get intermediate certs 
working. It *is* possible but there are a couple of caveats described in 
the doc.

If anyone's motivated to try this out and let me know how it works for you 
I'd be hugely appreciative. I got it to "works for me" level of readiness 
but would like some further validation so we can move it up to being a 
supported configuration with the bugs ironed out:

https://gist.github.com/ahpook/06d4cfda1d68c08bc82fbfdc40123b28

--eric0

On Wednesday, June 8, 2016 at 9:34:25 AM UTC-7, Salty Old Cowdawg wrote:
>
> @Dan White:  that link was pretty much what I was looking for.  I take it 
> then you have openssl sign certs for each master (grand and remote) and 
> configure Puppet to use those certs. 
>
> The tricky part is going to be installing the new certs in production.  
> Sorta like changing a tire when the car is still moving. 
>
> On Wed, Jun 8, 2016 at 10:57 AM Dan White  wrote:
>
>> Could the regional masters be set up as intermediate certificate 
>> authorities ?
>> I found a link that describes the basics.
>>
>> https://jamielinux.com/docs/openssl-certificate-authority/create-the-intermediate-pair.html
>>
>> Dan White | d_e_wh...@icloud.com
>> 
>> “Sometimes I think the surest sign that intelligent life exists elsewhere in 
>> the universe is that none of it has tried to contact us.”  (Bill Waterson: 
>> Calvin & Hobbes)
>>
>>
>> On Jun 08, 2016, at 10:40 AM, Peter Berghold  
>> wrote:
>>
>> In the puppet setup that I have where I work it has been increasingly 
>> more desirable if not required to have each of our data centers be able to 
>> operate standalone. Because of this I've been Googling around looking for a 
>> methodology to allow multiple certificate authorities in puppet. Currently 
>> we have our grand master puppet server in one Data Center and we have 
>> several Puppet Masters in other data centers in geographically diverse 
>> areas. When a new client is added with our current setup that new client 
>> has to reach out and get it certificate signed by The Grandmaster. This is 
>> getting us through setting up puppet currently but long-term this is 
>> undesirable.
>>
>> Can anybody point me to a methodology for setting up multiple certificate 
>> authorities that actually works? Looks like the pages on the topic I have 
>> read so far are outdated.
>>
>>
>



[Puppet Users] Announce: Puppet Agent 1.5.1 available

2016-06-03 Thread Eric Sorenson
Puppet Agent 1.5.1 is now available. This is a bugfix release that includes 
Puppet and Facter versions with a handful of fixes; no other components are 
updated from the Puppet Agent 1.5.0 release a couple of weeks ago.

Notably, a couple of erroneous facts on Solaris are now correct 
("solaris_zones" and "productname"); Chuck Schweitzer found (and Thomas 
Hallgren fixed) a problem using Data in Modules with Hiera; and the 
Henrik/Thomas wrecking crew also fixed a problem with autorequires that broke 
puppetlabs-aws and puppet-archive, among other modules.

Check out the full release notes here: 
https://docs.puppet.com/puppetserver/latest/release_notes.html

To install or upgrade puppet-agent, follow the getting started directions: 
http://docs.puppetlabs.com/puppet/latest/reference/index.html


Eric Sorenson - eric.soren...@puppet.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles



Re: [Puppet Users] History of possible usage of EPP URIs in the form of "'puppet:////.epp"?

2016-05-23 Thread Eric Sorenson
I'm CC'ing Jo Rhett directly here in case he doesn't come across this 
organically --

The only place the puppet:/// syntax has ever been valid is in the 'source' 
attribute for File resources; the epp function, like template(), is 
expanded on the master during compilation and the contents are included in 
the catalog so it doesn't make sense to include a URL reference (which 
would be expanded on the agent).

--eric0

On Sunday, May 22, 2016 at 6:33:36 PM UTC-7, David Karr wrote:
>
> On 05/22/2016 06:22 PM, Henrik Lindberg wrote: 
> > On 23/05/16 03:07, David Karr wrote: 
> >> On Sunday, May 22, 2016 at 5:37:22 PM UTC-7, Henrik Lindberg wrote: 
> >> 
> >> On 23/05/16 02:26, David Karr wrote: 
> >> > In "Learning Puppet 4", there are a couple of variations of calls to the 
> >> > "epp" function.  Some of them use the syntax that I find in the actual 
> >> > Puppet docs, which is just "/.epp", but some of them use 
> >> > something that looks more like a URI, like 
> >> > "puppet:.epp".  I've determined that the former is the 
> >> > only syntax that Puppet 4 accepts, unless I'm missing some configuration 
> >> > option.  Did Puppet ever use the "puppet:.epp" syntax, 
> >> > and if so, what was the history of that going away? 
> >> > 
> >> > 
> >> 
> >> It would be great if you could include pointers to where the 
> >> different 
> >> notations can be found. 
> >> 
> >> 
> >> You mean within the book?  If that's what you mean, I can provide 
> >> approximate search locations, but I'm reading the book on Safari, so I 
> >> don't have page numbers. 
> >> 
> > Duh, book - I did not read carefully enough. :-) I thought you found 
> > examples in the puppet documentation or puppet site. 
>
> I had a feeling there was some confusion there.  :) I had earlier found 
> the official doc page (that you reference below), and it references the 
> "/.epp" syntax, which is the only one I found to work.  I 
> did report this in the book errata list, if it matters. 
>
> By your lack of an answer to my original actual question, I'm guessing 
> you know of no ancient Puppet implementation history where the 
> "puppet:.epp" syntax was valid? Although the syntax as 
> described this way in the book obviously doesn't work in Puppet 4 (and 
> the docs are consistent with that), I find it hard to believe the author 
> came up with this syntax on a lark :) , which makes me think that this 
> used to be valid at some point in the past. 
>
> > 
> >> The first occurrence is where the "epp()" function syntax is first 
> >> mentioned, in chapter 13, section "Using Puppet EPP Templates". On this 
> >> page, it has two clear examples, one using the "/.epp" 
> >> form, and the other using the "puppet:.epp" form, and 
> >> the text that describes the required syntax only mentions the latter. 
> >> 
> >> The next occurrence is in chapter 14, section "Calling Other Modules", 
> >> and this example uses the "puppet:.epp" syntax. 
> >> 
> >> I believe these are the only locations within the book that talk about 
> >> the syntax of the argument to the "epp()" function. 
> >> 
> >> 
> >> 
> >> IIRC, the implementation of EPP use the same resolution to find a 
> >> template as the ERB template support does, so some investigation is 
> >> needed to find the real answer. The documentation / examples may 
> >> be in 
> >> error too. 
> >> 
> >> 
> >> The book indicated that the ERB template syntax uses 
> >> "/.epp", but I didn't test that. 
> >> 
> > 
> > The official documentation is here: 
> > 
> https://docs.puppet.com/puppet/latest/reference/lang_template.html#referencing-files
>  
> > 
>
> Yup, found that already.  Thanks. 
>
> > 
> > - henrik 
> > 
> > 
> > 
>
>



[Puppet Users] Re: Announce: Puppet Agent 1.5.0, Puppet Server 2.4.0

2016-05-19 Thread Eric Sorenson

On May 19, 2016, at 5:54 PM, Eric Sorenson <eric.soren...@puppet.com> wrote:
> 
>   * Puppet 4.5.0 - Also primarily a bugfix release, with improvements in the 
> type system and a few hotly awaited fixes for systemd and the DNF package 
> manager. The release notes mention new functions (including a function named 
> "new") that need

... to be added to the type reference on the website, but for now you can check 
out the inline docs at:
 https://github.com/puppetlabs/puppet/tree/master/lib/puppet/functions

(WHUPS! Thanks Rob Nelson for pointing out my half-baked sentence.)

Eric Sorenson - eric.soren...@puppet.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles



[Puppet Users] Announce: Puppet Agent 1.5.0, Puppet Server 2.4.0

2016-05-19 Thread Eric Sorenson
I'm excited to announce a new batch of backwards-compatible feature releases 
for the Puppet Agent and Server.  There's a lot to take in here, so check out 
the release notes and take the code for a test-drive before you yell out 
"YOLO!" and upgrade all of production.

Puppet Server 2.4.0 - A slew of bugfixes and an enhancement to the 
trapperkeeper auth.conf implementation that allows you to use certificate 
extensions in your auth.conf rules. So for example you can assign your trusted 
management nodes a certificate that contains new authorization extensions 
indicating they ought to have higher privilege, then match those extensions in 
the rules that permit cert management or catalog request commands, avoiding the 
need to keep a list of privileged hostnames in your auth.conf.
Check out the full release notes here: 
https://docs.puppet.com/puppetserver/latest/release_notes.html

Puppet Agent 1.5.0 - All-in-one Agent package contains updated component 
versions, including a new feature release of Puppet.
  * Ruby 2.1.9 update
  * Puppet 4.5.0 - Also primarily a bugfix release, with improvements in the 
type system and a few hotly awaited fixes for systemd and the DNF package 
manager. The release notes mention new functions (including a function named 
"new") that needs
  * Facter 3.1.7 - Bugfixes for GCE and one particularly nasty recursion / 
fork-bomb that could happen if facter was invoked from inside a fact (I know...)
  * Hiera 3.2.0 - There's a backwards-compatible change that moves the default 
location of hiera.yaml out of the 'codedir' and back into 'config'. Read up on 
the backstory at HI-490 or on the puppet-dev thread[1], but the tl;dr is that 
we realized having this file (whose contents are frequently managed by puppet) 
inside the code dir (which is managed by r10k) was a mistake, and this change 
unwinds that, hopefully without introducing any additional badness. 
Release notes for each of these are linked from the main puppet-agent note: 
https://docs.puppet.com/puppet/4.5/reference/release_notes_agent.html

Special community shout-out to Matthew Gyurgyik (whose name I admit I 
copy-pasted from JIRA) for working through the systemd issues! 

Eric Sorenson - eric.soren...@puppet.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

[1]: https://groups.google.com/d/topic/puppet-dev/NQBK0vdp2E0/discussion



[Puppet Users] Re: Upgrading Puppet from 2.7 to 4

2016-05-17 Thread Eric Sorenson
Hi Chris, in addition to all the practical advice for moving through the 
upgrade cycles that you have gotten already, I would suggest taking a step 
back and analyzing your existing code-base to understand what the actual 
business function of the existing code is for the nodes. You can spend a 
ton of time doing things like adjusting syntax and eliminating deprecation 
warnings on a module, only to find out that the only host that is using 
that module was turned off a year ago and nobody noticed! 

So it might help to just draw out with a whiteboard or sticky notes what 
the existing mapping of puppet code to groups of machines looks like, what 
you think it SHOULD look like, and talk it over with your management/team 
to make sure the new setup is going the right direction. It's possible that 
you can save yourself a ton of work, plus be able to build a really good 
plan of the most valuable places to spend time. 

--eric0

On Monday, May 9, 2016 at 4:12:43 AM UTC-7, christg76 wrote:
>
> Thanks to everyone for the comments! I think I first need to do some 
> preliminary testing in order to assess the quality of the code and to see 
> what the real challenges are, and to ultimately decide on a strategy, ie 
> upgrade vs transition/migration.
> Ramin K: OS of the Master is Debian Wheezy. Have you actually done the 
> upgrade?
> Andrew Grimberg: This approach in fact sounds as if it's the best way, 
> considering also what Henrik says below about new 
> versions/modules/tooling/practices. But it sounds like a massive amount of 
> work, particularly since we do not have any unit tests or similar in place. 
> Did you have any unit tests in place with the old code, or if not are you 
> implementing them with the new code?
>
> Chris
>



[Puppet Users] Re: possibility for autosign (or disable certificate control) for any host within one environment

2016-05-17 Thread Eric Sorenson
Puppet needs certificates in order to work, but you can autosign any 
incoming request without manual intervention using autosign:

https://docs.puppet.com/puppet/4.4/reference/ssl_autosign.html

--eric0

On Thursday, May 12, 2016 at 5:29:44 AM UTC-7, Mr Dandy wrote:
>
> Is it possible to configure the Puppetmaster for special environment that 
> does not chase hostname/certificates, without signing and it was publicly 
> available?
>
> My case: I have some manifests and modules which I want to use on any 
> workstation in my office. Because all workstations have different names and 
> they may be the same (or change) - for this environment it is necessary to 
> switch off any control over certificates; it is a public environment that can 
> benefit anyone without any action from the puppet server ( puppet sign ... )
>
>
>



[Puppet Users] Re: use_srv_records doesn't work

2016-05-17 Thread Eric Sorenson
Hi Sinux, what version of puppet are you using? There was a bug in this 
area but it was fixed quite a while ago, in Puppet 3.1.0: 
 https://projects.puppetlabs.com/issues/18161

Can you paste the output of `puppet agent -tv --debug 2>&1 | grep SRV`?

It should have some lines like:

Debug: Searching for SRV records for domain: dummy.example.com
Debug: Found 0 SRV records for: _x-puppet-ca._tcp.dummy.example.com


Note that if you already have a signed cert for the host, a CRL and CA 
certificate, the agent will not contact the CA server.

On Thursday, May 12, 2016 at 7:11:17 AM UTC-7, sinux shen wrote:
>
> hi there,
>
> I am in the middle of setting multiple master with single CA, if I 
> statically set:
> ca_server = 
> server = 
> in puppet.conf, it works well,
>
> but to make it more smart, I use srv settings, here is my conf:
> [main]
> vardir = /var/lib/puppet
> logdir = /var/log/puppet
> rundir = /var/run/puppet
> ssldir = $vardir/ssl
> use_srv_records = true
> srv_domain = mydomain.example.com
>
> [agent]
> listen   = true
> pluginsync   = true
> report   = true
> ignoreschedules  = true
> daemon   = false
> classfile= $vardir/classes.txt
>
> I found that when the agent runs, it doesn't query an SRV record like 
> _x-puppet-ca._tcp to get the CA server; instead, it assumes that "puppet" 
> is the CA server and tries to talk to it, but in our environment, we don't 
> use "puppet" as the CA server's hostname. It did try to resolve 
> _x-puppet._tcp and _x-puppet-fileserver._tcp though. Can anyone please take 
> a look or give me a hint?
>
> BTW, even if I specifically set ca_server in the "main" part together with 
> use_srv_records, it still doesn't work
>
> Thanks
> Sinux
>



[Puppet Users] Re: Good documentation somewhere for doing a cert-roll?

2016-05-17 Thread Eric Sorenson
On Friday, May 13, 2016 at 2:57:57 PM UTC-7, Dan Mahoney wrote:
>
> Hey there puppet-users denizens. 
>
> One of my puppet agents helpfully reminded me that my root CA cert is due 
> to expire within a few months, and I'm wondering what the best way to go 
> about rolling it over would be. 
>
> A lot of my reading suggests something like "burn everything involving 
> certificates to the ground and start your entire CA infrastructure over 
> from scorched earth" is an approximation of the way to go. 
>

Hi Dan, this is a good and timely post. I'm working on some related issues
regarding Puppet's CA that may help you out. Your thinking on this is 
roughly correct -- things are a lot harder than they need to be, but the
above advice to nuke everything and start over is both overly simplistic
and wrong-headed.

Note that my comments here are specifically about the Clojure CA that
is included in puppetserver, not the Ruby CA; most things apply to both
but the past couple of years of server-side bugfixes and development energy
have gone into the Clojure CA, and Puppet 5 will consolidate
all the CA-side cert lifecycle onto this codebase. 
 

>
> From the various looks and reading I've done, this was one of those parts 
> of puppet that had some serious technical debt involved in authoring it. 
>
> I've likened puppet's SSL config to how I might manage an SSL cert on my 
> webserver/clients, and I'm seeing a disconnect, since many of the things 
> I'd do in those cases don't work here.. 
>

You're right that the agent SSL code is very old and badly needs an 
overhaul.
For some interesting historical context, check out this Redmine bug and
the related issues that it links to:

https://projects.puppetlabs.com/issues/3143
 

> In short -- I think the following problems still exist: 
>
> * There's still no support for putting multiple certificate files as the 
> puppet CA -- all must still be signed by a common root entity.  Is this 
> correct?  (In the "web" analogy, my browser could have lots of built-in 
> and additional trust-points, both corporate and as-shipped). 
>

Have you verified experientially that this doesn't work in current Puppet
versions? I am working on one variant of this (chain-of-trust with root
and intermediate CA in $ssldir/certs/ca.pem) and it does work. That's
slightly different to what you're saying though, which is that any issuer
in that file should be considered valid. Due to some confusion in the
CA code (see https://tickets.puppetlabs.com/browse/SERVER-1315 ) the
ca_crt.pem which the agent downloads can't contain a bundle, but I believe
if you "pre-seed" a valid bundle into that location the agent code will do
the right thing.

You're right that the agent does not support a CApath, in openssl parlance:
a directory of hashed CA certs, any of which are valid. The server side farms
out its SSL verification to the underlying web stack, so it ought to be
tolerant of agents issued from multiple CAs checking in. I haven't tried this
angle yet.
 

>
> * There's no directive I can find whereby puppet agents can, within N days 
> of expiry, re-request their certificate, while maintaining a valid one in 
> the meantime.  On the puppet master, a duplicate cert is treated as an 
> absolute error and must be purged from both sides with extreme prejudice 
> and started over. 
>

The first part is true, the second is controlled by the
'allow-duplicate-certs' CA setting which will allow later requests to
overwrite newer ones.
 

>
> * There's no way the puppet master itself can have multiple trust points. 
> (I.e. old CA and new CA) -- in the real world, of course, I can have 
> multiple CA files from which I can trust clients, for example, for SMTP 
> auth. 
>
> * Puppet has no concept of a CA Path, rather than a CA file.  And since 
> certificates are multi-line blocks in text files, they're a real pain to 
> manipulate with Augeas or shell scripts. 
>

As I said above, on the master the cert verification is delegated to the
web server layer (jetty in the case of the puppetserver, apache or nginx
or (gah) webrick for non-puppetserver setups). So agent verification on the 
master has a lot more going for it than the agents verifying the master's
identity. 
 

>
> * There's no way the master can say "multiple public keys for the same 
> cert are bad, but we will re-sign *existing* keys that are merely near 
> expiry." (Which is a thing we might do in PGP).  And even if we could 
> define such a policy, there's no support in the agent to do such a thing. 
>
 

>
> * There's no way to have the puppet-master auto-sign a cert, based on the 
> presence of some sort of file or hash on the node, similar to the above. 
>

There's nothing built-in that does either of these things. But policy-based
autosigning provides an API that lets you do this based on some
'a priori' knowledge you have of the node: 

https://docs.puppet.com/puppet/4.4/reference/ssl_autosign.html

This is an interesting line of thought 
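
The policy-based autosigning hook mentioned above runs an executable with the certname as its only argument and the PEM CSR on stdin, and signs when it exits 0. The following is an added example, not code from this thread or from Puppet: it assumes each node's CSR carries a per-node token in Puppet's `pp_preshared_key` extension, computed as HMAC-SHA256(secret, certname), and that the secret is read from a file named by the hypothetical `AUTOSIGN_SECRET_FILE` environment variable.

```ruby
#!/usr/bin/env ruby
require 'openssl'

# Puppet's registered OID for the pp_preshared_key CSR extension.
PP_PRESHARED_KEY = '1.3.6.1.4.1.34380.1.1.4'
CERTNAME_RE = /\A[a-z0-9][a-z0-9._-]{0,252}\z/

# Assumed scheme: each node's token is HMAC-SHA256(secret, certname), so a
# token lifted from one node cannot be used to request a different certname.
def expected_token(secret, certname)
  OpenSSL::HMAC.hexdigest('SHA256', secret, certname)
end

# Constant-time string comparison.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Map of OID => decoded value for the extensions requested in the CSR.
def requested_extensions(csr)
  attr = csr.attributes.find { |a| a.oid == 'extReq' }
  return {} unless attr
  attr.value.value.first.value.each_with_object({}) do |ext, out|
    inner = OpenSSL::ASN1.decode(ext.value.last.value) # extnValue wraps DER
    out[ext.value.first.oid] = inner.value.to_s
  end
end

# Returns [sign?, reason]. Anything that cannot be parsed is refused.
def autosign?(certname, csr_pem, secret)
  return [false, 'certname has unexpected characters'] unless certname.match?(CERTNAME_RE)
  csr = OpenSSL::X509::Request.new(csr_pem)
  return [false, 'CSR self-signature invalid'] unless csr.verify(csr.public_key)
  cn = csr.subject.to_a.find { |name, _, _| name == 'CN' }
  return [false, 'subject CN does not match certname'] unless cn && cn[1] == certname
  token = requested_extensions(csr)[PP_PRESHARED_KEY]
  return [false, 'no pp_preshared_key extension'] unless token
  unless secure_equal?(token, expected_token(secret, certname))
    return [false, 'token does not match certname']
  end
  [true, 'token valid']
rescue StandardError => e
  [false, "rejected malformed CSR: #{e.class}"]
end

# Constructed sample input: the CSR an agent would submit. The key is
# generated on the spot and the names are made up.
def sample_csr(certname, token)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', certname, OpenSSL::ASN1::UTF8STRING]])
  csr.public_key = key.public_key
  if token
    der = OpenSSL::ASN1::UTF8String.new(token).to_der
    ext = OpenSSL::X509::Extension.new(PP_PRESHARED_KEY, der, false)
    set = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence([ext])])
    csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', set))
  end
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr.to_pem
end

if __FILE__ == $PROGRAM_NAME
  if ARGV.length == 1
    # Invoked by the CA: certname in ARGV[0], PEM CSR on stdin.
    secret = File.read(ENV.fetch('AUTOSIGN_SECRET_FILE')).strip
    ok, reason = autosign?(ARGV[0], $stdin.read, secret)
    warn "autosign #{ARGV[0]}: #{ok ? 'sign' : 'refuse'} (#{reason})"
    exit(ok ? 0 : 1)
  elsif ARGV.empty?
    # No arguments: run the policy against constructed CSRs.
    secret = 'constructed-demo-secret'
    name = 'ws1.example.test'
    pem = sample_csr(name, expected_token(secret, name))
    p autosign?(name, pem, secret)
    p autosign?('ws2.example.test', pem, secret)
  end
end
```

On the agent side the token would go under `extension_requests` in `csr_attributes.yaml` before the first run; requests the policy refuses stay pending for manual signing.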

[Puppet Users] Announce: Puppet Server 2.3.2 Available (SECURITY)

2016-04-27 Thread Eric Sorenson
Hi all, hot on the heels of yesterday's releases 
we have a new Puppet Server release up today: 2.3.2.

This is primarily a security fix which addresses a 
LOW RISK (3.5 CVSS3 score) security hole described at:
https://puppet.com/security/cve/cve-2016-2785

Read the full release notes here:
https://docs.puppet.com/puppetserver/2.3/release_notes.html#puppet-server-232

For more information on the Puppet Server including 
installation and upgrade instructions, read this:
https://docs.puppet.com/puppetserver/2.3/index.html


Eric Sorenson - eric.soren...@puppet.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles



[Puppet Users] Announce: Puppet 3.8.7 available!

2016-04-26 Thread Eric Sorenson
Puppet 3.8.7 is now available for download. This is a backwards-compatible 
bugfix release that includes a couple of backported fixes from 4.x to the 
"future" parser, improvements for Puppet's launchd and systemd service 
providers, and other miscellaneous patches. 

Read the release notes here for the changelog:
https://docs.puppet.com/puppet/3.8/reference/release_notes.html#puppet-387

And view the whole list of bugs included in the release here:
https://tickets.puppetlabs.com/issues/?filter=19117

For installation and upgrade instructions, read this:
https://docs.puppet.com/puppet/3.8/reference/pre_install.html

Special community shout-out for this release goes to Clay Caviness for the 
launchd bug report and pull request in PUP-6073. You rock, Clay!

Eric Sorenson - eric.soren...@puppet.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles



Re: [Puppet Users] Is there a solid EOL date for the Puppet 3.8 release family?

2016-03-22 Thread Eric Sorenson
Oh boy. It could, I guess, it's HTML so anything is possible.  But the 
canonical location for the component versions is on the docs site which is its 
own CMS and it's a lot of data:

https://docs.puppetlabs.com/pe/latest/overview_version_table.html



On Mar 22, 2016, at 1:50 PM, Trevor Vaughan <tvaug...@onyxpoint.com> wrote:

> Security releases are really all that's important to most compliance-focused 
> orgs.
> 
> Could that page link to the versions of each sub-component that is included?
> 
> Thanks!
> 
> Trevor
> 
> On Tue, Mar 22, 2016 at 11:37 AM, Eric Sorenson <eric.soren...@puppetlabs.com> wrote:
> Sorry for the slow reply, we had some internal ducks to get in a row.  The 
> enterprise support page now shows the current support dates for all the 
> recent series:
> 
> https://puppetlabs.com/misc/puppet-enterprise-lifecycle
> 
> As a practical matter we're going to provide open-source releases of 
> components of a particular PE series for as long as that PE series is 
> supported; outside of security fixes though, the content of releases behind 
> the current one will be driven largely by customer requests. 
> 
> --eric0
> 
> On Wednesday, March 16, 2016 at 9:57:05 AM UTC-7, Trevor Vaughan wrote:
> Certainly possible, but deductions aren't stated facts on URLs that you can 
> put in front of management.
> 
> Trevor
> 
> On Wed, Mar 16, 2016 at 10:41 AM, Miguel Di Ciurcio Filho 
> <mig...@instruct.com.br> wrote:
> On Wed, Mar 16, 2016 at 10:12 AM, Trevor Vaughan <tvaug...@onyxpoint.com> 
> wrote:
> > Thanks Carthik. Unfortunately, we need to know this for all of the
> > components, FOSS or otherwise.
> >
> 
> I think one can deduce that, if PE 3 series has an EOL set to July 28,
> 2016, all FOSS components present there will most definitely not be
> supported anymore also.
> 
> 
> -- 
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699
> 
> -- This account not approved for unencrypted proprietary information --
> 
> 
> -- 
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699
> 
> -- This account not approved for unencrypted proprietary information --
> 

Re: [Puppet Users] Is there a solid EOL date for the Puppet 3.8 release family?

2016-03-22 Thread Eric Sorenson
Sorry for the slow reply, we had some internal ducks to get in a row.  The 
enterprise support page now shows the current support dates for all the 
recent series:

https://puppetlabs.com/misc/puppet-enterprise-lifecycle

As a practical matter we're going to provide open-source releases of 
components of a particular PE series for as long as that PE series is 
supported; outside of security fixes though, the content of releases behind 
the current one will be driven largely by customer requests. 

--eric0

On Wednesday, March 16, 2016 at 9:57:05 AM UTC-7, Trevor Vaughan wrote:
>
> Certainly possible, but deductions aren't stated facts on URLs that you 
> can put in front of management.
>
> Trevor
>
> On Wed, Mar 16, 2016 at 10:41 AM, Miguel Di Ciurcio Filho <
> mig...@instruct.com.br> wrote:
>
>> On Wed, Mar 16, 2016 at 10:12 AM, Trevor Vaughan  
>> wrote:
>> > Thanks Carthik. Unfortunately, we need to know this for all of the
>> > components, FOSS or otherwise.
>> >
>>
>> I think one can deduce that, if PE 3 series has an EOL set to July 28,
>> 2016, all FOSS components present there will most definitely not be
>> supported anymore also.
>>
>
>
>
> -- 
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699
>
> -- This account not approved for unencrypted proprietary information --
>



[Puppet Users] Announcing Puppet Server 2.3.0 / Puppet 4.4.0

2016-03-19 Thread Eric Sorenson
I'm really excited to announce the arrival of new feature releases:
Puppet 4.4.0 and Puppet Server 2.3.0. The headline feature here is 
Static Catalogs: file resources with 'puppet:///' source attributes
will now include the checksum of the file inside the catalog, rather
than requiring additional http requests to the master as the catalog
is being applied. This both dramatically improves performance and closes
a "loophole" where agents could get file content that didn't match the
catalog's original intent.  You can read more (much, much more) about this
on the doc site: 
http://docs.puppetlabs.com/puppet/4.4/reference/static_catalogs.html

In addition, there are several other noteworthy features including an
awesome community contribution:
* Felix Frank worked tirelessly to close a very long-standing feature
  request that ties in with static catalogs: HTTP(S) file sources.
  Now you can use plain http webservers as the `source` for file resources,
  so if you have content that's large in size or managed outside Puppet's
  fileserver, you can just point at it. Vielen dank, Felix! (PUP-1073)
  
* There's a new API endpoint in the Puppet Server, `environment_classes`,
  that improves upon the old resource_types endpoint to enumerate classes,
  their parameters, and default values. (SERVER-1110)

* The Puppet Server now reloads configuration immediately upon receiving a 
  HUP signal, lowering restart times if you are changing values. (SERVER-86)

* The Puppet 4 Language continues to improve: now you can alias Types
  directly in your manifests, there's a new Iterable type, and you can now
  reference earlier parameters in a class, define, or function. (various
  tickets)

There's a lot more, so please read the release notes for details:

Puppet Server: 
http://docs.puppetlabs.com/puppetserver/latest/release_notes.html
Puppet: 
https://docs.puppetlabs.com/puppet/latest/reference/release_notes.html

Puppet 4.4.0 is contained inside the puppet-agent-1.4.0 package that Melissa
announced yesterday, as well as being independently downloadable as a gem or
tarball

To install or upgrade puppet-agent, follow the getting started directions: 
http://docs.puppetlabs.com/puppet/latest/reference/index.html 



Re: [Puppet Users] Re: puppet catalog compilation job queue idea

2016-03-15 Thread Eric Sorenson
The first and most significant chunk of the direct puppet work, namely a 
production-ready version of "static catalogs" is going out in Puppet 4.4.0. 
You can preview the documentation for it 
here: 
https://github.com/puppetlabs/puppet-docs/blob/master/source/puppet/4.4/reference/static_catalogs.md

Future work is around the other stuff you mentioned - especially 
precompilation. 

--eric0

On Tuesday, March 8, 2016 at 7:02:40 AM UTC-8, R.I. Pienaar wrote:
>
> I believe the thing that's happening here is called Direct Puppet, there 
> were some puppet conf talks about this you might want to look at the 
> videos. 
>
> But it's around reworking the compile flow so you can pre-compile things, 
> re-run earlier compiled things, redo the static catalogs and even rewriting 
> the compiler in C++ 
>
> There is stuff happening on Jira at the moment, but I'd guess lots of 
> this will be PE only if recent blogs are anything to go by 
>
> - Original Message - 
> > From: "jcbollinger"  
> > To: "puppet-users"  
> > Sent: Tuesday, 8 March, 2016 15:51:31 
> > Subject: Re: [Puppet Users] Re: puppet catalog compilation job queue idea 
>
> > On Monday, March 7, 2016 at 7:57:33 PM UTC-6, SG Madurai wrote: 
> >> 
> >> Hi John, Thank you for the update. 
> >> 
> >> Pardon me if i am asking about things that have been clarified/ settled 
> >> already. 
> >> 
> >> From what i understand, agent run times are primarily determined by 
> >> - catalog compilation time at master 
> >> - the time for agent to apply catalog on its node 
> >> 
> >> 
> > 
> > Both of those are contributors.  The former is rarely a major one.  There 
> > is also time spent by the agent computing facts, which is usually even 
> > less, but can be costly if costly custom facts are installed. 
> > 
> > Also, catalog application often is not an agent-only activity, as it 
> > commonly involves the agent obtaining files from the master's file server. 
> > This can be very expensive for both the agent and the master. 
> > 
> > 
> > 
> >> So was basically wondering if there is an option to separate these 2 
> >> functions and manage these 2 independent of each other (at times 
> >> convenient for each of these activities) 
> >> 
> >> 
> > 
> > Nodes have as much control as they want to exercise of when and how often 
> > they perform catalog runs.  If they run the agent in daemon mode then they 
> > can configure the run interval, but they also have the option of running it 
> > at the times they choose via a scheduler, such as cron, or on-demand either 
> > manually or via a remote-control system such as MCollective. 
> > 
> > The master does perform some caching to speed catalog building, but as I 
> > already said, it is impractical for it to cache whole catalogs for direct 
> > service to clients.  The problem here lies in determining accurately and 
> > efficiently when cached catalogs are stale. 
> > 
> > 
> > 
> >> If these concerns shouldn't arise with running multiple puppet masters w/ 
> >> puppet db (or by simply upgrading...we are on v3.8 btw), then will explore 
> >> that option first. 
> > 
> > 
> > If your master(s) do not adequately serve the catalog request load, then 
> > the quickest solution is often to empower them by running more puppetmaster 
> > threads, adding CPU, adding RAM, increasing network bandwidth, and/or 
> > shutting down other services.  "Shutting down other services" might include 
> > moving PuppetDB to a separate machine.  Do also attend to the possibility 
> > of uneven load: some kinds of site configurations lend themselves to highly 
> > uneven load on the master, such that it sometimes gets transiently 
> > overloaded even though it has sufficient capacity for its average load. 
> > 
> > If individual catalog compilations are taking a long time, then it is 
> > probably worthwhile investigating why that is.  It may well be the case 
> > that you can realize substantial improvements by modifying your manifest 
> > set.  If the master is bogged down at the file server then you are probably 
> > managing either large numbers of files or very large files, or both, in an 
> > inefficient way; this is an area where it is relatively easy to shoot 
> > yourself in the foot. 
> > 
> > If none of those alternatives yield the catalog service bandwidth you need, 
> > then the next logical step is multiple masters. 
> > 
> > 
> >> 
> >> I couldn't be sure if these configuration options (multiple puppet masters 
> >> w/ puppet db) by itself can take care of the issues we are facing with 
> >> agent runs  in our environment 
> >> (timeouts, slowness..) 
> >> 
> >> We have one puppet master (v3.8) managing 150-200 nodes in an environment. 
> >> 
> > 
> > 
> > That's a fairly substantial load for a single master, but whether it's at 
> > or beyond the capacity you should expect depends 

[Puppet Users] Announce: Puppet 3.8.5 available

2016-01-27 Thread Eric Sorenson
Puppet 3.8.5 is now available. This is a bugfix release that contains 
performance improvements to catalog compilation and Mac OS X service 
management, along with fixes for Windows agents and the Puppet 4 language 
parser. See the full release notes here:

http://docs.puppetlabs.com/puppet/3.8/reference/release_notes.html

For installation and upgrade instructions, see this doc:

http://docs.puppetlabs.com/puppet/3.8/reference/pre_install.html

A special community shout-out for this release to Github user 'earsdown' 
for the PR to fix PUP-5212, which added HTTP proxy support to the PIP 
package provider. 

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles



[Puppet Users] Announce: puppet-agent 1.3.4 available

2016-01-25 Thread Eric Sorenson
Puppet Agent 1.3.4 is now available! This is a bugfix release of the
all-in-one Puppet 4 based installer, which bundles Ruby, Facter, Puppet,
and other components into a single package for all supported operating
systems.

Notable changes in this release:
* Support for Ubuntu 'Wily Werewolf'
* Puppet 4.3.2 - big batch of bugfixes, for everything from the new
  "puppet lookup" command to catalog performance profiling to the
  yumrepo provider. Plus bonus speed boosts for all catalog compilation!
  See full Puppet release notes for details: 
https://docs.puppetlabs.com/puppet/latest/reference/release_notes.html
* Facter and Hiera got version bumps to support the new Ubuntu packages;
  Facter has one functionality fix (FACT-1246) but Hiera does not contain
  code changes.

See the release notes for the puppet agent package here:
http://docs.puppetlabs.com/puppet/latest/reference/release_notes_agent.html

To install or upgrade puppet-agent, follow the getting started directions: 
http://docs.puppetlabs.com/puppet/latest/reference/index.html 

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles



Re: [Puppet Users] Serving files from custom mount point in Puppet 4

2016-01-13 Thread Eric Sorenson

On Jan 12, 2016, at 6:21 AM, kashif <kashif.a...@gmail.com> wrote:

> Hi Eric
> 
> rpm -qa | grep puppet
> puppet-agent-1.3.2-1.el6.x86_64
> puppetlabs-release-pc1-1.0.0-1.el6.noarch
> puppetserver-2.2.1-1.el6.noarch
> 
> cat /etc/puppetlabs/puppet/fileserver.conf
> 
> [site_files]
>path /etc/puppetlabs/codes/files
>allow *


This should be /etc/puppetlabs/code/files ...

> 
> I haven't changed auth.conf file 
> cat /etc/puppetlabs/puppetserver/conf.d/auth.conf
> 
>  [ ... ]
> Test manifest
> 
> file { '/root/puppet_test':
>source => "puppet:///site_files/puppet-test",
>ensure => present,
>  }
> 
> Error
> Puppet Not authorized to call find on /file_metadata/site_files/puppet-test 
> with {:links=>"manage", :checksum_type=>"md5", :source_permissions=>"ignore", 
> :rest=>"site_files/puppet-test"
> 

This message is on the agent, there should be a corresponding message in the 
server logs -- can you include that if you still have trouble after fixing the 
'codes' -> 'code' path in fileserver.conf?

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles



[Puppet Users] Re: Serving files from custom mount point in Puppet 4

2016-01-11 Thread Eric Sorenson
It is not deprecated at all.

Can you please post your configuration (fileserver.conf, auth.conf, and the 
puppet manifest which causes the error) along with the exact error messages?

--eric0

On Monday, January 11, 2016 at 1:57:34 AM UTC-8, kashif wrote:
>
> Hi
>
> Is serving files from custom mount point deprecated in puppet 4? I 
> configured fileserver.conf file in same way as  in puppet 3 but it is not 
> working. I could not find any explicit statement in puppet 4 documents 
> about custom mount points. Has anyone managed to serve from custom mount 
> point in puppet 4?
>
> Thanks
>
> Kashif
>
>



[Puppet Users] Announce: puppet-server 1.1.3 and 2.2.1 available!

2015-12-09 Thread Eric Sorenson

New bugfix releases of Puppet Server for Puppet 3.x and 4.x installations are
now available. The primary change for both of these releases is a fix for a
memory leak triggered by enabling the `max-requests-per-instance` setting.

Check out the release notes here:
http://docs.puppetlabs.com/puppetserver/latest/release_notes.html

Here are the installation and upgrade instructions for Puppet Server 2.x /
Puppet 4.x sites:
http://docs.puppetlabs.com/puppetserver/2.2/install_from_packages.html

And here are the instructions for Puppet Server 1.x / Puppet 3.x sites:
http://docs.puppetlabs.com/puppetserver/1.1/install_from_packages.html

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles



[Puppet Users] Announce: puppet-agent 1.3.2 available

2015-12-03 Thread Eric Sorenson
Puppet Agent 1.3.2 is now available. This is a follow-up release to 
Monday's 1.3.1 release which includes a fix to the root CA bundle included 
in the package.

In puppet-agent 1.3.0 and 1.3.1, the included bundle of CA certificates was 
smaller than the system bundles used in puppet-agent 1.2.7 and earlier, 
which could cause Puppet features that rely on the omitted CA certificates 
to fail. This release resolves the issue by expanding the certificate 
bundle to be more comparable to the set provided by other vendors.

You can see links to the full release notes for puppet-agent and individual 
components here: 

http://docs.puppetlabs.com/puppet/4.3/reference/about_agent.html 

To install or upgrade puppet-agent, follow the getting started directions: 

http://docs.puppetlabs.com/puppet/4.3/reference/index.html 

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0 
puppet platform // coffee // techno // bicycles 



[Puppet Users] Announce: puppet-agent 1.3.1 available.

2015-11-30 Thread Eric Sorenson
Puppet Agent 1.3.1 is now available. This is a bugfix release of the 
all-in-one agent, which bundles up Ruby, Puppet, Facter, and other components 
into a single package.


This release includes the following updates:

* Facter 3.1.3 fixes a regression where the `puppetversion` fact was not
  reported.
* Puppet 4.3.1 fixes a bug where variables like `calling_module` were not
  available in hiera.
* pxp-agent 1.0.1 fixes an internal race condition between the completion of
  an action command and the corresponding metadata file being updated.

You can see links to the full release notes for puppet-agent and individual 
components here:


http://docs.puppetlabs.com/puppet/4.3/reference/about_agent.html

To install or upgrade puppet-agent, follow the getting started directions:

http://docs.puppetlabs.com/puppet/4.3/reference/index.html

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles



[Puppet Users] Announce: Puppet 3.8.4 available

2015-11-05 Thread Eric Sorenson
Puppet 3.8.4 is available. This is a bugfix release which fixes a performance 
problem with directory environments, a security vulnerability when Puppet 
generated its CA key, and a small grab-bag of other bugs.

You can see the full release notes here:

https://docs.puppetlabs.com/puppet/3.8/reference/release_notes.html#puppet-384

Here's the complete list of bugs fixed in the release:

https://tickets.puppetlabs.com/issues/?filter=15901

To install or upgrade puppet, follow the installation guide:

https://docs.puppetlabs.com/guides/install_puppet/pre_install.html

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles



[Puppet Users] Announce: puppet-agent-1.2.7 available

2015-10-29 Thread Eric Sorenson
Puppet Agent 1.2.7 is now available. This is a minor release of the all-in-one 
agent, which bundles up Ruby, Puppet, Facter, and other components into a 
single package.


The primary purpose of this release is to prepare for upcoming Puppet 
Enterprise support for Solaris and AIX. Notable changes in this release:


* Puppet 4.2.3 - updated from 4.2.2 (Solaris and AIX improvements, fixes to
  tag filtering, performance, etc)
* Facter 3.1.1 - updated from 3.1.0 (Solaris and AIX fixes)
* Hiera 3.0.4 - updated from 3.0.3 (only acceptance test changes)
* Packaging fixes to puppet-agent itself (for Mac OS X, Solaris, AIX)

You can see the full release notes for puppet-agent and links to the 
individual components here:


http://docs.puppetlabs.com/puppet/4.2/reference/about_agent.html

New for this release, this page now describes changes to the puppet-agent 
package itself, independent of the component release notes.


To install or upgrade puppet-agent, follow the getting started directions:

http://docs.puppetlabs.com/puppet/4.2/reference/index.html


Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles


[Puppet Users] Announce: puppet-agent-1.2.5 now available!

2015-10-01 Thread Eric Sorenson

Puppet Agent 1.2.5 is out! This is a new minor release of the all-in-one agent
bundle which contains no updated component code, but fixes bugs in packaging
and service management.

* Includes mcollective 2.8.6, which fixes an issue when trying to start
  mcollectived on Solaris 10.
* Changes the package filenames on Mac OS X to use major and minor versions,
  e.g. puppet-agent-1.2.5-1.osx10.10.dmg, instead of codenames, e.g.
  puppet-agent-1.2.5-1.yosemite.dmg

You can find out more about the all-in-one puppet-agent package here:
https://docs.puppetlabs.com/puppet/4.2/reference/about_agent.html

The installation and upgrade instructions are linked from the main docs page:
https://docs.puppetlabs.com/puppet/4.2/reference/index.html

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles


[Puppet Users] Re: Security: Potential exposure of CA key under puppetserver

2015-09-30 Thread Eric Sorenson
A couple of updates:

- Yes, a CVE will be issued.

- The remediation steps below are a little wonky, and my subject line is 
inaccurate. The same exposure happens for CA keys generated by running a 
webrick 'puppet master', or passenger-based packages, or by puppet server. 
By far the simplest thing is to make sure your privatekeydir 
($ssldir/private_keys) and CA private keys ($ssldir/ca/ca_key.pem) are 
"chmod o-rwx" rather than running the 'puppet cert' or 'agent' commands as 
I said below.

- In addition to the CA key being exposed, if you used puppetserver to 
generate your _host_ key on the CA, that key and the 'privatekeydir' 
directory will have too-lenient permissions.

--eric0

On Tuesday, September 29, 2015 at 9:47:57 PM UTC-7, Eric Sorenson wrote:
>
> We've identified and are fixing a condition in puppet where the
> auto-generated CA private key is created with too-lenient permissions. We
> feel the exposure is pretty limited (it would require a local user account
> on the CA system, to discover and copy/modify the CA key before additional
> puppet commands run) but will be releasing patched versions which do not
> have the problem. I wanted to post this publicly so users could evaluate
> their own site and remediate if necessary, in advance of an upstream
> software release.
>
> You could be affected if:
> - you used puppet server or puppet master to automatically generate a CA
>   keypair and certificate and have NEVER restarted the process
> - you never subsequently ran a puppet agent, cert, or other subcommands
>   which use the certificate subsystem, on the host with the CA keypair.
>
> You will not be affected if:
> - you run Puppet Enterprise to initialize your CA
> - you have ever run 'puppet agent' or other 'puppet cert' commands as root
>   on the host with the keypair.
> - you have ever restarted your puppet master/puppet server process. Ever.
>   Really.
>
> The immediate fix is to either: 
> - run `puppet agent` as root on the server which has the CA key 
> - as root, `chmod 660 $(puppet master --configprint cadir)/ca_key.pem` 
>
> A huge thank you/merci to Francois Lafont for reporting this issue. 
>
> For more details, see https://tickets.puppetlabs.com/browse/PUP-5274 
>
> Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0 
> puppet platform // coffee // techno // bicycles 
>



[Puppet Users] Security: Potential exposure of CA key under puppetserver

2015-09-29 Thread Eric Sorenson

We've identified and are fixing a condition in puppet where the auto-generated
CA private key is created with too-lenient permissions. We feel the exposure is
pretty limited (it would require a local user account on the CA system, to
discover and copy/modify the CA key before additional puppet commands run) but
will be releasing patched versions which do not have the problem. I wanted to
post this publicly so users could evaluate their own site and remediate if
necessary, in advance of an upstream software release.

You could be affected if:
- you used puppet server or puppet master to automatically generate a CA
  keypair and certificate and have NEVER restarted the process
- you never subsequently ran a puppet agent, cert, or other subcommands
  which use the certificate subsystem, on the host with the CA keypair.

You will not be affected if:
- you run Puppet Enterprise to initialize your CA
- you have ever run 'puppet agent' or other 'puppet cert' commands as root on 
the host with the keypair.
- you have ever restarted your puppet master/puppet server process. Ever. 
Really.

The immediate fix is to either:
- run `puppet agent` as root on the server which has the CA key
- as root, `chmod 660 $(puppet master --configprint cadir)/ca_key.pem`

A huge thank you/merci to Francois Lafont for reporting this issue.

For more details, see https://tickets.puppetlabs.com/browse/PUP-5274

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles
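
Added example, not part of either post and not Puppet's own tooling: a POSIX shell check for the condition the two security messages describe. It reports anything at or below `$ssldir/private_keys` or `$ssldir/ca/ca_key.pem` that is accessible to "other", and with `--fix` applies the `chmod o-rwx` from the follow-up message. The function names and passing the ssldir as an argument are assumptions of this example.

```shell
#!/bin/sh
# Audit Puppet CA / host key material for "other" permission bits.
# The two paths come from the messages above: $ssldir/private_keys and
# $ssldir/ca/ca_key.pem. Function names are hypothetical (added example).
# On a real CA host SSLDIR would be the value printed by
# `puppet master --configprint ssldir`; it is an argument here so the script
# can be tried against a scratch directory first.

# Print every non-symlink path at or below the given targets that grants
# read, write or execute to "other". Uses only POSIX find primaries.
world_accessible() {
    for target in "$@"; do
        [ -e "$target" ] || continue
        find "$target" ! -type l \
            \( -perm -004 -o -perm -002 -o -perm -001 \) -print
    done
}

# audit_puppet_keys SSLDIR [--fix]
#   returns 0  nothing is accessible to "other" (or --fix removed all access)
#   returns 1  at least one path is still accessible to "other"
#   returns 2  SSLDIR does not exist
# Offending paths are printed one per line (paths with newlines unsupported).
audit_puppet_keys() {
    ssldir=$1
    action=${2:-report}
    if [ ! -d "$ssldir" ]; then
        echo "ssldir not found: $ssldir" >&2
        return 2
    fi

    offenders=$(world_accessible "$ssldir/private_keys" "$ssldir/ca/ca_key.pem")
    [ -n "$offenders" ] || return 0
    printf '%s\n' "$offenders"

    [ "$action" = "--fix" ] || return 1

    # Remediation from the follow-up message: drop all "other" bits while
    # leaving owner and group bits exactly as they were.
    printf '%s\n' "$offenders" | while IFS= read -r entry; do
        chmod o-rwx "$entry"
    done

    # Re-check so the exit status reflects the state after the fix.
    [ -z "$(world_accessible "$ssldir/private_keys" "$ssldir/ca/ca_key.pem")" ]
}

# Stand-alone use: sh audit.sh /path/to/ssldir [--fix]
if [ $# -gt 0 ]; then
    audit_puppet_keys "$@"
fi
```

Run it without `--fix` first: exit status 1 together with the printed paths is the finding to act on.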


[Puppet Users] Announce: Puppet-Agent 1.2.4, Puppet 4.2.2, Facter 3.1.0

2015-09-14 Thread Eric Sorenson

Puppet Agent 1.2.4 is out! This is a new minor release of the all-in-one
agent bundle which incorporates updates to Puppet, Facter, Hiera, and 
Mcollective.


* Puppet 4.2.2, a bugfix release which includes an important Windows security
  fix: 
https://docs.puppetlabs.com/puppet/4.2/reference/release_notes.html#puppet-422

* Facter 3.1.0, a backwards-compatible feature release of Facter which adds
  support for OpenBSD and Solaris facts, improves the network interface facts,
  and fixes a regression that caused Docker containers on systemd hosts to
  erroneously report themselves not to be virtual:
  https://docs.puppetlabs.com/facter/3.1/release_notes.html#facter-310

* Mcollective 2.8.5, which reverted a problem renaming the mcollective service
  on Mac OS X and improves the init script on SUSE.

* Hiera 3.0.3, which is a tag-only release (necessary for tooling, no
  functional changes)

You can find out more about the all-in-one puppet-agent package here:
https://docs.puppetlabs.com/puppet/4.2/reference/about_agent.html

The installation and upgrade instructions are linked from the main docs page:
https://docs.puppetlabs.com/puppet/4.2/reference/index.html

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles



Re: [Puppet Users] Re: PL policy toward fixing known bugs in PE 3.8.x

2015-06-29 Thread Eric Sorenson

On Fri, 26 Jun 2015, Vince Skahan wrote:


> yup - appreciate the response... let me know if you want me to open a
> ticket to get this into the next 3.8.x (via my work email).


Yep, that's definitely the way to go. https://support.puppetlabs.com/

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles


[Puppet Users] Re: Announce: Puppet Agent 1.2, Facter 3, Puppet 4.2, Hiera 3

2015-06-26 Thread Eric Sorenson


Last night we rolled a patch release which includes a fix for FACT-1055, a
regression which inadvertently broke backward compatibility for external facts
that are not pluginsync'ed from modules: 
https://tickets.puppetlabs.com/browse/FACT-1055


The new AIO bundle (puppet-agent-1.2.1) is available in all of the Puppet
Collection 1 repositories.

I also neglected to mention in the original announcement that we now have
package repositories for Debian Jessie and Mac OS X Mavericks (10.9) and
Yosemite (10.10) and these OSes will be part of the regular release pipelines
going forward.

On Wed, 24 Jun 2015, Eric Sorenson wrote:


> There's a new All-in-One Puppet Agent release available! This release bundles
> new versions of several component projects and is downloadable now through
> the Puppet Collection 1 repository.
>
> * Puppet 4.2 includes several features and bug fixes, and officially
>   deprecates Windows 2003. Release notes here:
>   http://docs.puppetlabs.com/puppet/4.2/reference/release_notes.html
>
> * Facter 3, the rewritten C++-based facter, is now the baseline Facter
>   implementation. Read more here:
>   https://puppetlabs.com/blog/speeding-up-puppet-on-windows
>
> * Hiera 3 is included, which contains a change to the default
>   hierarchy and datadir location. This is technically a semver break, so
>   it's a new major version. The gory details:
>   http://docs.puppetlabs.com/hiera/3.0/release_notes.html
>
> Get installation instructions and read about Puppet Collections, our
> Linux-distribution-style repositories for Puppet related projects, here:
> https://puppetlabs.com/blog/welcome-puppet-collections
>
> Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
> puppet platform // coffee // techno // bicycles



Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles


[Puppet Users] Re: Announce: Puppet Agent 1.2, Facter 3, Puppet 4.2, Hiera 3

2015-06-25 Thread Eric Sorenson
We got a bug report about Facter 3 not picking up external facts that 
aren't pluginsynced from modules; this was an unexpected regression and 
we're rolling out a quick Facter 3.0.1 which fixes the issue. You can see 
more details here:  

https://docs.puppetlabs.com/facter/3.0/release_notes.html#regression--break-cant-find-manually-installed-external-facts


The bug itself is being tracked here: 
https://tickets.puppetlabs.com/browse/FACT-1055 

Thanks to Erik Dalén and James Ralston for raising this issue and testing 
the fix.

--eric0

On Wednesday, June 24, 2015 at 7:23:28 PM UTC-7, Eric Sorenson wrote:

> There's a new All-in-One Puppet Agent release available! This release
> bundles new versions of several component projects and is downloadable now
> through the Puppet Collection 1 repository.
>
> * Puppet 4.2 includes several features and bug fixes, and officially
>   deprecates Windows 2003. Release notes here:
>   http://docs.puppetlabs.com/puppet/4.2/reference/release_notes.html
> * Facter 3, the rewritten C++-based facter, is now the baseline Facter
>   implementation. Read more here:
>   https://puppetlabs.com/blog/speeding-up-puppet-on-windows
> * Hiera 3 is included, which contains a change to the default
>   hierarchy and datadir location. This is technically a semver break, so
>   it's a new major version. The gory details:
>   http://docs.puppetlabs.com/hiera/3.0/release_notes.html
>
> Get installation instructions and read about Puppet Collections, our
> Linux-distribution-style repositories for Puppet related projects, here:
> https://puppetlabs.com/blog/welcome-puppet-collections
>
> Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
> puppet platform // coffee // techno // bicycles




[Puppet Users] Re: PL policy toward fixing known bugs in PE 3.8.x

2015-06-25 Thread Eric Sorenson

On Thursday, June 25, 2015 at 2:43:34 PM UTC-7, Vince Skahan wrote:

> I'm fiddling with PE 3.8.1 to understand the pros+cons of potentially
> updating our 3.7.0 PE server to that as a path toward the coming soon 4.x
> version of PE.
>
> Unfortunately, even doing the initial module installations to 3.8.1
> immediately showed issues. In this case, I ran into the error in module.rb
> mentioned in PUP 3121 and fixed with the two-line patch in
> https://github.com/puppetlabs/puppet/pull/3310 - trivial bug, trivial
> patch to PE.
>
> According to the PUP the bug was fixed in 4.0.0 (great) but not fixed in
> the PE 3.8.x versions that came out after that (not so great).
> Hand-patching my PE setup fixed the issue, but there's something that
> doesn't feel right about needing to hand-patch a commercial product to get
> it to work.

Hi Vince, thanks for the note. I'm sorry you ran into this issue.

> Questions:
>
> - why wasn't it fixed in the 3.8.1 PE commercial product ?  If PE is
>   your flagship commercial product, why would you 'not' backport trivial
>   fixes like this for your 'paying' customers ?

We absolutely do backport upstream fixes into the commercial releases, for
exactly the reasons that you describe. We do not backport *every* change,
as that gets insanely complicated really quickly. It's generally safer and
less confusing to regularly rebase onto newer upstream releases instead of
cherry-picking individual fixes.

The process generally is that customers who are getting bit by bugs raise
support requests through the commercial support team, who work with product
management (my team) and the developers to get fixes prioritized, coded and
released.  This particular bug didn't have any commercial support tickets
associated with it, nor any high community priority around it, so it just
slotted into the normal flow of upstream-into-product release train.

> - what, if anything, are you fixing in the 3.8.x PE commercial product
>   at this point ?

So, PE3.8.0 released April 28 and PE 3.8.1 released June 18; this might be
too few data points to draw a trendline, but should show that we're
actively maintaining and improving the line. Going back a little further,
we maintained PE2.8 for 18 months into the lifecycle of the PE3.x series,
which should be a proof point that it's not just talk. These were security
and bugfix releases that contained either bumped OSS component versions
where possible, or cherry-picked bugfixes that came in according to the
process I outlined above.

> - what can we expect in terms of bug fixes in the 6 or more month
>   window between Open Source 4.x and PE 4.x in terms of supporting your
>   'paying' customers ?

I'm not sure why you keep putting quotes around 'paying'. It's real,
actual money from real customers, who we love a lot. :)

Do you mean fixes into the PE3.x series? Or fixes to 4.x that happen in
open-source? The 4.0-4.1-4.2 release cycle in OSS since April is exactly
this: responding to community bugs, filing off the rough edges, and
preparing it to ship in PE this summer.

> I guess I'm not understanding the business model here.  It's great you're
> moving forward to 4.0 and its improvements, but if your for-pay product
> has bugs that will be around for a year plus (ex: this one) until your
> commercial 4.0-based product eventually appears, even assuming we jump
> day-one to that (we wouldn't, as 'that' will need time to mature), why
> would we pay the money to run buggy software ?

Some of this is due to the long delay in getting Open-Source Puppet 4.0 out
the door. The 'master' puppet branch had been accumulating fixes like this
one throughout 2014 in anticipation of a Nov 2014 Puppet 4 release, which
ended up not happening until April 2015. The open-source to commercial flow
tends to be about 3 months for any given version, absent the distortion
caused by these big major version bumps (which we're trying to minimize by
doing more frequent, smaller versions going forward).

Literally all software has bugs. It's about having an escalation path from
the support side to fix the ones you care about, plus enough value-add
features, scale improvements, and workflows from the product to make it
valuable to you.

> Confused in the PL approach toward support of their 'commercial' vs. 'open
> source' product lines.


Hope this helps. You can see the release timeline and support lifecycle I 
was talking about 
here: https://puppetlabs.com/misc/puppet-enterprise-lifecycle

--eric0

-- 
Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles


[Puppet Users] Announce: Puppet Agent 1.2, Facter 3, Puppet 4.2, Hiera 3

2015-06-24 Thread Eric Sorenson

There's a new All-in-One Puppet Agent release available! This release bundles
new versions of several component projects and is downloadable now through the 
Puppet Collection 1 repository.


* Puppet 4.2 includes several features and bug fixes, and officially deprecates
   Windows 2003. Release notes here: 
http://docs.puppetlabs.com/puppet/4.2/reference/release_notes.html
* Facter 3, the rewritten C++-based facter, is now the baseline Facter
   implementation. Read more here: 
https://puppetlabs.com/blog/speeding-up-puppet-on-windows
* Hiera 3 is included, which contains a change to the default
   hierarchy and datadir location. This is technically a semver break, so it's
   a new major version. The gory details: 
http://docs.puppetlabs.com/hiera/3.0/release_notes.html

Get installation instructions and read about Puppet Collections, our 
Linux-distribution-style repositories for Puppet related projects, here: 
https://puppetlabs.com/blog/welcome-puppet-collections


Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles


Re: [Puppet Users] Open Source 4.0 version identifier vs. very different rpm and dpkg package versions

2015-06-23 Thread Eric Sorenson

On Mon, 22 Jun 2015, Jason Slagle wrote:

> On 6/22/15, 3:08 PM, Vince Skahan vinceska...@gmail.com wrote:
>
>> On Thursday, June 18, 2015 at 4:18:37 PM UTC-7, Ken Bowley wrote:
>>
>>> This is better than what is currently being used, but I'm strongly in the AIO
>>> idea to be stupid.  Split it into multiple packages and use proper
>>> dependencies like every other sane packaging system has done for a long, long
>>> time.
>>>
>>> If all you do is bump the version of facter, then only have me download and
>>> install the meta package that depends on the new facter, and the new facter
>>> package, not everything.
>>
>> Agree.   Thought I'd chime in (late) as the original poster.
>>
>> Versioning starting with 4.x is a good start, but I still think your AIO
>> approach is wrong.
>>
>> Have collector rpms that 'require' the pieces of the puzzle and package
>> hiera/etc. in individually bundled standalone packages.  If you do that:
>> * you can keep versioning facter to 2.x.y if you want
>> * you can keep versioning puppetserver any way you want
>> * and just version the collection (bundle, pick a term) with the 4.x.x
>>   identifier you want to publicize as release-4.x.x

If all anybody had to deal with were $osfamily==redhat systems, I feel pretty
certain this is exactly what we'd do. But it's just not. Just to start from
first principles, the primary goals of the packaging project were:

- unify the agent across open-source and PE so testing, delivery, and upgrades
  are as smooth as possible
- provide a consistently great out-of-the-box experience so you can get fresh
  Puppet versions with batteries included on any supported OS

I love metapackages too, but short of porting yum to Windows, Mac OS X, and
Solaris I don't see how they meet those requirements.

>> To update the client, 'yum update puppet' and have it update the sub-pieces it
>> needs (hiera/mco/etc.)

So this happens today, it's just in all in one package :)

>> To update the server, 'yum update puppetserver' and have it do the server
>> piece.

And this is actually what happens today.

>> Lastly, if it's me, I would not bundle the agent/client stuff 'in' the
>> puppetserver package.  I would 'require' the client-stuff to be co-installed
>> with the server stuff using the packaging mechanisms the os providers already
>> give you.

This is also what happens today; there is no agent stuff in the puppetserver
package.

>> (in other words, release 'empty' rpms that require x and y and z - works
>> great if you don't cause dependency hell by getting too fancy)
>
> FWIW, +1 from me too.  It seems like a lot of places that do packaging like
> this end up doing it this way.

Fair enough.

> If I'm only doing a security update to facter, I shouldn't have to replace a
> gigantic bundle with whatever else it pulls in.  I can see you release
> management people hating this later, as well as security teams.

So the puppet-agent package is 17 megabytes on EL7, so gigantic is a bit of
an overstatement here. Agreed that the release pipeline is more complicated,
and I can definitely understand the desire to just update the one thing that
needs a bugfix.

> I suspect this confusion will hinder deployment - the AIO packaging is
> certainly in the cons category for us.


I really want to understand this, because it's a big deal. (My life goal at 
this point is to get as many people as possible upgraded to Puppet 4, so 
anything that gets in the way of that is a problem!) There's been a bunch of 
different points in the thread, some of them about the numbering and some 
about the packaging itself; what would reduce the confusion for you?


Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

Re: [Puppet Users] Open Source 4.0 version identifier vs. very different rpm and dpkg package versions

2015-06-17 Thread Eric Sorenson

On Thu, 7 May 2015, jcf wrote:



>> I don't think that reflects a firm grasp of the nature of the problem.  The issue is that
>> the new thing here is not the thing that the package's version number should
>> be describing in the first place.  I don't care about the newness of AIO layout and
>> packaging, and I don't expect many others will either.  People don't install Puppet for
>> its packaging.  I do care about the versions of various components of the system, but not
>> everyone will, and anyway, we have already established that an AIO package's version
>> number is not a good vehicle for communicating information about versions of auxiliary
>> components.  Focus on what's important.  To your audience.
>
> I am also pretty baffled that this is considered hard, or even a matter for
> debate. Principle of Least Surprise, or just have the contents match the tin.


FWIW I find this argument pretty compelling and would like to advance the
version number of the next release of puppet-agent to '4.something'.

Our current thinking is that this will be a matched to the puppet version, 
with an extra digit on the end of the version number that indicates component 
revisions other than Puppet itself.


So specifically, the next release will be puppet-agent-4.2.0.0; a hypothetical 
rev to include a not-very-hypothetical openssl update would be included in a 
puppet-agent-4.2.0.1 package.


(We can't use the release field as suggested up-thread, because some packaging 
systems don't view numbers not part of the 'version' field to be an upgrade.)


Does that align more closely with the least-surprising thing, to you?

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles


[Puppet Users] Re: puppetserver and LDAP terminus

2015-06-09 Thread Eric Sorenson
Hi Steve, thanks for tracking this down! The LDAP node terminus is a useful 
but pretty cobwebby corner of Puppet (IIRC it predates the existence of the 
External Node Classifier API which is what most sites are using now). So as 
you found its docs do not get a lot of love and there are no acceptance/CI 
tests that cover its use.

I have a couple of comments inline. Our education team ran across this 
issue, which is why I'm replying to a months-old thread. We're tracking it 
in JIRA at https://tickets.puppetlabs.com/browse/SERVER-711

On Tuesday, February 3, 2015 at 2:40:50 PM UTC-8, Steve Huston wrote:

> So, I've spent another day beating on this problem and finally
> achieved success.  We started with:
>
>   # puppetserver gem install ruby-ldap
>
> Nobody pointed out, either here or in the documentation, that when
> using puppetserver you have to use jruby-ldap instead.  Once I did
> that, the gem installed, yay!  But it still didn't work.  When the
> server attempted to do a lookup it would still report that the search
> failed, even though tcpdump showed it asking for the CN and getting
> the right answer.
>
> After quite a bit of prodding and help from a colleague I found that
> jruby-ldap does not have a to_hash method in LDAP::Entry.  This was
> confirmed by a bit of code and comment at the top of
>
> https://github.com/alibby/ldap_authenticated/blob/master/lib/ldap_authenticated.rb
>
> I inserted that code into the ruby module, since I would have to
> manually upgrade that but the puppetserver RPM might get upgraded (and
> wipe out that change), and got a little further.  Now, however, it
> failed with another error: Puppet Cannot reassign variable macaddress
> on node syrinx.astro.princeton.edu

It seems like the to_hash change would be better off as a patch to the
upstream module vs a monkey-patch in Puppet.

> On our old server running under passenger, if I look at
> /var/lib/puppet/yaml/node/syrinx.astro.princeton.edu I see there's
> both a macaddress and a macAddress, so I realized what's going on
> - the downcase in that code snippet is causing two facts to appear at
> once.

That's not great either :(

> All in all, this tells me a few things:
>
> 1) The documentation for using LDAP with the new puppetserver needs to
> be updated to reflect not only that one must use 'jruby-ldap' (and
> puppetserver gem install at that) but that the tests listed (running
> ruby -rpuppet -e 'p Puppet.features.ldap?' and such) are incorrect as
> they will report 'true' if you have the gem installed through the
> normal system commands but puppetserver will not see it.

That's true. Would you be willing to work up a pull request against the
puppet-docs repo with the things you've learned? The source markdown for
the guide is here:

https://github.com/puppetlabs/puppet-docs/blob/master/source/guides/ldap_nodes.markdown

> 2) There needs to be a patch, perhaps somewhere in puppetserver, that
> makes sure the jruby-ldap LDAP::Entry class has a 'to_hash' method (or
> code around the necessity of needing it), for example:
>
> if RUBY_PLATFORM =~ /^java.*/i
>   class LDAP::Entry
>     def to_hash
>       h = {}
>       get_attributes.each { |a| h[a.to_sym] = self[a] }
>       h[:dn] = [dn]
>       h
>     end
>   end
> end

As I said, I think this would be better as an upstream patch to the
jruby-ldap project, especially since you found another project that had to
do the same thing.  Carrying individual monkey-patches against upstream
projects is a practice that rarely ends well in my experience.

> 3) I discovered when I spun up my VM this morning that puppetserver
> failed to start because it wanted to create a /var/run/puppet (which
> it does not appear to actually use thereafter).  Since /var/run is on
> a tmpfs on RHEL7, and owned by root, yet the puppetserver process runs
> as user 'puppet', this will fail on every reboot.  Admittedly I'm not
> running the puppetlabs RPM, but our package maintainer does a very
> good job of making sure that the scripts and setups are duplicated if
> he rebuilds something - please correct me if the logic to recreate
> this directory is included somewhere and I can point it out to him to
> fix in our repository.


This one is fixed in Puppet Server 1.0.8 and 2.1.0: 
https://tickets.puppetlabs.com/browse/SERVER-336

--eric0

To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/f2cb5d50-7ea5-45a0-9e5e-c117eda82fe3%40googlegroups.com.


[Puppet Users] Announce: Puppet 4.1 and Facter 2.4.4 available!

2015-05-20 Thread Eric Sorenson
Hi, Puppet 4.1 and Facter 2.4.4 have been released and rolled up into a new 
Puppet Agent All-in-One package (puppet-agent-1.1.0).

Puppet 4.1.0 is a feature release in the Puppet 4 series. This release's main 
focus was improvements to the Puppet language, but it also includes some 
improvements to resource types and a few miscellaneous fixes.
Also notable in this release: we're officially deprecating Rack and 
WEBrick-based Puppet master servers.

You can read the full release notes for Puppet here: 
https://docs.puppetlabs.com/puppet/latest/reference/release_notes.html

Facter 2.4.4 is a bug fix release in the Facter 2.4 series. It also deprecates 
the `--puppet` command line option, since it caused circular load dependencies. 
To run Facter in Puppet's context, you should use the `puppet facts` command 
instead.

The full release notes for Facter are here: 
https://docs.puppetlabs.com/facter/2.4/release_notes.html

You can download the updated puppet-agent-1.1.0 packages by following the 
directions here:

Linux: https://docs.puppetlabs.com/puppet/4.1/reference/install_linux.html
Windows: https://docs.puppetlabs.com/puppet/4.1/reference/install_windows.html

The releases are available as individual files on http://rubygems.org (as gems) 
and http://downloads.puppetlabs.com/ (as tarballs).

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/AC05992E-5300-498F-94BE-598A612DAAEB%40puppetlabs.com.


Re: [Puppet Users] Re: check if user exist

2015-05-11 Thread Eric Sorenson
The canonical way to do this is like this:

http://serverfault.com/questions/350230/how-can-i-have-puppet-only-set-password-when-creating-a-user

There's an open feature request 
here: https://tickets.puppetlabs.com/browse/PUP-1331

Feel free to add yourself as a watcher and add a comment describing your 
use case, those help bugs bubble up to the top.


On Friday, May 8, 2015 at 6:11:22 AM UTC-7, jcbollinger wrote:



 On Thursday, May 7, 2015 at 11:22:43 PM UTC-5, Alfredo De Luca wrote:

 Hi John.
 I am aware that if I say userxx ensure is present will work but what I 
 want is the first time create the user and set a default password but then 
 when the user changes its own pass I just wanna check if is present and not 
 resetting the password.


 Then as I said, create and use a custom fact to evaluate the user's 
 existence prior to the catalog request.  Also, consider configuring agents 
 to not apply cached catalogs.

 You could perhaps create a custom provider for the User type, too, to 
 perform the evaluation at the time of application.  That could work to 
 achieve the behavior you describe, but it will probably produce anomalies 
 in the form of reported updates to the affected user(s) that in fact change 
 nothing.


 John




To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/4de5b415-4c14-4eae-9c29-42cdd929e00d%40googlegroups.com.


[Puppet Users] All-in-One Release Candidates for EL7 available

2015-03-19 Thread Eric Sorenson
Many of you probably saw this on The Twitternets but I figured I would post 
here as well: There are now release candidate builds of Puppet 4 and 
Puppet-Server 2 available for EL7. The long-form writeup is at 
bit.ly/1FBUJUN or you can jump straight to the installation 
instructions: http://docs.puppetlabs.com/puppet/pre4.0/reference/

Please give it a try!

--eric0


To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/a423b7bb-d878-4cde-9a0b-7cc48bf869c8%40googlegroups.com.


[Puppet Users] Re: manifests can now be written in pure Ruby. Example please?

2015-03-15 Thread Eric Sorenson
Ugh, thanks for pointing this out, this is really old and is not true any 
more. Looks like Mike Hall just pushed a docs change to remove this 
reference.

As Den pointed out, the main feature that people used the Ruby DSL for 
(loops/iteration) is now available in the Puppet 4 parser.

On Saturday, March 14, 2015 at 12:49:25 PM UTC-7, spare...@gmail.com wrote:

 Hi,
 According to official Puppet documentation:


 https://docs.puppetlabs.com/guides/faq.html#why-does-puppet-have-its-own-language


 As for just using Ruby as the input format, Puppet 2.6.0 actually added 
 this functionality, and manifests can now be written in pure Ruby. However, 
 this capability should be used carefully and avoided where possible: the 
 full grammar of Ruby is often *too* much functionality, and we believe 
 systems administrators should be able to model their datacenters in a 
 higher-level system


 Is above statement true for latest version of puppet as well ? 
 Can somebody give a  simple example please ?

 Thanks.
  



To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/86e4f8e1-46ce-485c-bda8-7fc6aea6d9d5%40googlegroups.com.


[Puppet Users] Re: non-English puppet resources?

2015-03-14 Thread Eric Sorenson
Hi Chris, there are a few different resources, depending on what 
language and what specific resources you're interested in.

We now have many of the docs on the main puppetlabs documentation site 
available in Spanish: http://docs.puppetlabs.com/es/

There's an active Brazilian puppet user group who have a blog aggregator 
website similar to Planet Puppet: http://puppet-br.org/ and mailing list: 
https://groups.google.com/forum/#!forum/puppet-users-br

The Belgian puppet users group has an irc channel #puppet-be ... In fact 
the PUG site is probably a good jumping-off point because most of the 
meetup groups have some discussion or links off their group 
pages: https://puppetlabs.com/community/PUG

--eric0

On Friday, March 13, 2015 at 10:29:28 AM UTC-7, Christopher Wood wrote:

 Are there any puppet resources (blogs, howtos, videos) in languages other 
 than English? 

 I'm getting all sorts of results for cloth puppets and politics but can't 
 seem to find any blog lists or anything. (Or maybe I am but I can't tell 
 due to not speaking those languages.) 


To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/f06eb71d-9a1a-4a42-8d02-fa1f7dffc2da%40googlegroups.com.


[Puppet Users] 2015 Devops survey - please weigh in

2015-03-13 Thread Eric Sorenson
Hi all, please excuse the marketing digression, but this is pretty important – 
if you saw my keynote at Puppet Camp LA or Phoenix last month, we talked about 
the results of the DevOps Survey and how you can use it to convince your 
organization that your work with Puppet helps the bottom line in addition to 
making your life easier. Well, in partnership with IT Revolution, we launched 
our fourth annual DevOps Survey this week. 

Over a thousand people have completed the 2015 DevOps Survey so far, and the 
feedback has been outstanding. If you haven't taken the survey yet, please take 
a few minutes to do so. We want to make sure your voice is heard: 
http://www.surveygizmo.com/s3/1984283/3da98c772733

This year, we’ve added questions to better understand impacts of team 
structure, practices, and other aspects of DevOps culture on IT performance and 
the bottom line. Diversity is very important to us, so this year's survey also 
asks about gender and diversity in tech. We've also added questions to try to 
understand the pervasiveness of burnout in our field, which has gained tragic 
relevance lately. Please weigh in and spread the word.

Everyone who participates will get the survey results once they're all tallied. 
Plus you'll be entered to win prizes, including Raspberry Pi and Arduino 
Starter Kits, a $200 Amazon gift card, and more.

Thanks and we look forward to your feedback.


Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/E7435DA8-0238-43A5-AA28-D3DD0F09F326%40puppetlabs.com.


Re: [Puppet Users] 2015 Devops survey - please weigh in

2015-03-13 Thread Eric Sorenson


On Friday, March 13, 2015 at 10:21:26 AM UTC-7, Tim Skirvin wrote:

 Eric Sorenson eric.soren...@puppetlabs.com writes: 

  Diversity is very important to us, so this year's survey also asks about 
  gender and diversity in tech. 

 I am still concerned that this is being accomplished through the 
 use of misogynist language.  I hope that nobody is turned away from the 
 field simply by going through this survey! 


Hi Tim, I think Alanna, Nigel, and Nicole joined this conversation as well, 
but the goal here is not to assert this statement as something the study 
authors believe, or they think YOU should believe, but rather as a 
statement expressing *one possible* belief, in order to register reactions 
ranging from 'strongly agree' to 'strongly disagree'. Sounds like you (and 
me as well for what it's worth) strongly disagree.

(A bit of context for everyone else: 
https://plus.google.com/+Puppetlabs/posts/c8KovYUGsrE
https://twitter.com/nicolefv/status/575127090200104962 )

--eric0

To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/a617b3cd-26d6-41f1-9901-8361af6e807f%40googlegroups.com.


[Puppet Users] Re: Puppet IRC Channel !!

2015-01-30 Thread Eric Sorenson
Hi Vishvendra, there is lots of activity on #puppet -- are you sure you are 
connected to a Freenode server, which is connected to the rest of the 
network?

You can check this with '/list #puppet' in your IRC client, it should show 
~1000 users and this topic:

03:33 [freenode] -!- #puppet 1053 Puppet Enterprise 3.7: 
http://puppetlabs.com/puppet/whats-new | Puppet 3.7.3: http://bit.ly/QJqeXr 
| Help:
 http://{ask,docs}.puppetlabs.com | Beaker users read this! 
http://bit.ly/1zE2DYU | Bugs/Improvements: https://tickets.puppetlabs.com/ 
| Logged at
 http://bit.ly/11ifvbU | Community guidelines: http://bit.ly/1wTNy65 | 
Don't ask to ask, just ask your question!

On Friday, January 30, 2015 at 1:56:07 AM UTC-8, Vishvendra Chauhan wrote:

  Hello Friends,

 Is there any problem in *#puppet* IRC channel ?. As from last three days, 
 there is no participants in this. 
  

To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/172402a4-3055-4ea6-a838-1ec2d7139029%40googlegroups.com.


[Puppet Users] Announce: Puppet 3.7.4 available

2015-01-27 Thread Eric Sorenson
Puppet 3.7.4 is a bug fix release in the Puppet 3.7 series. In addition to 
fixing a handful of bugs, it includes some final changes to the future parser 
to prepare for Puppet 4.0.

Check out the release notes for more information:  
https://docs.puppetlabs.com/puppet/3.7/reference/release_notes.html#puppet-374

You can see the full list of changes on the release's JIRA page: 
https://tickets.puppetlabs.com/browse/PUP/fixforversion/12033

If you're installing Puppet for the first time, follow the Installation Guide: 
https://docs.puppetlabs.com/guides/install_puppet/pre_install.html


Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/D5F91DEF-D835-4AF9-A9AF-0CA0CBFF741E%40puppetlabs.com.


Re: [Puppet Users] Announce: Puppet Server 1.0.2 available!

2015-01-23 Thread Eric Sorenson


On Wednesday, January 21, 2015 at 5:40:27 AM UTC-8, Mike Hendon wrote:

 Triggering a refresh when you've changed manifests is also a pain.


Mike do you mean using the environment refresh API is a pain? 

https://docs.puppetlabs.com/puppetserver/latest/release_notes.html#new-feature-admin-api-for-refreshing-environments

Or are you having to do a full restart?

We're looking at adding more CLI convenience around these APIs so if it's 
the former, this is good info to have. 

To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/a3f6d2bd-fe83-4c7c-928c-4c7e3b0fa7a0%40googlegroups.com.


[Puppet Users] Anyone scripting around certificate authority?

2014-12-22 Thread Eric Sorenson
Hiya, one of the cool things in the new Puppet Server is a re-implementation of 
Puppet's certificate authority code. The implementation up to last week's 1.0.0 
release is pretty strictly backwards-compatible with the Ruby implementation, 
using the same filesystem layout, same HTTP endpoints, etc., but early next 
year we need to start making some changes and I wanted to solicit some feedback 
to see what y'all are using. So, some questions:

- Are you using scripts which run and parse output from `puppet cert`, `puppet 
certificate`, `puppet ca`, `puppet certificate_request` and/or `puppet 
certificate_revocation_list`? If so, what do the scripts do with the commands, 
and what output do they expect?  (As an aside one of the problems we're aiming 
to fix is the multiplicity of confusingly overlapping functionality available 
in these subcommands)

- Are you using the HTTP API around certificates in your own 
tooling/automation? These are endpoints like `/certificate/ca`, 
`/certificate/some host name`, 
`/environment/certificate_revocation_list/ca` , 
`/environment/certificate_request/`, `/environment/certificate_status`  
Same question -- what do you use the endpoints to accomplish, and are there 
particularly important pieces of data in the output for your use-cases?

- Are you using any programs which load the Puppet Ruby code as a library in 
order to make use of the certificate-related classes/methods directly? Is that 
because there was something you couldn't do through the command-line or REST 
APIs? I would be pretty surprised if anyone was doing this but you're going to 
have to make the deepest changes so it's important for me to understand what 
you're relying on.

- Are you making use of stuff that lives in the CA filesystem in your own 
tooling, that does NOT go through any of the Puppet APIs? If so, STOP DOING 
THAT! Just kidding, sorta. But it would be very interesting to know whether 
you're using things like the `serial` or `inventory.txt` files in your scripts 
or workflows.

Feel free to follow-up here or on 
https://tickets.puppetlabs.com/browse/SERVER-270

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/88A5A55B-EFA9-4A83-93E8-1BE563A71AD1%40puppetlabs.com.


[Puppet Users] Re: trouble getting list of nodes via PE 3.7 Rest API

2014-12-22 Thread Eric Sorenson
Looks like you got some good responses on your Ask question... All good now?

On Tuesday, December 16, 2014 3:22:26 PM UTC-8, red wrote:

 I guess I really don't need to list the nodes.  I just wanted to try out 
 the PE3.7 rest api.  What I really need to be able to do is add 
 nodegroups.  I had been using the console rake api for this, but the 
 console rake api is to be depreciated.  I put the details of what I have 
 tried, and what goes wrong here:


 http://ask.puppetlabs.com/question/15040/need-help-understand-pe-37-rest-api/

 I'd really appreciate it if someone could help me out :)  

 On Tue, Dec 16, 2014 at 7:02 AM, Byron Miller byr...@gmail.com wrote:

 Looks like you're using puppetDB api to query your puppet master?

 try just

 puppetmaster:443/{environment}/nodes - environment being production or 
 whatever the default env is.

 or if querying puppetdb try /v3 api endpoint instead of /v1


 On Monday, December 15, 2014 11:41:17 PM UTC-6, red wrote:

 Hi,

 Hi,

 I am trying out the PE 3.7 Rest API and I am unfamiliar with curl. I 
 think I need to execute this ...

 # /usr/bin/curl -v -X GET \
   --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem \
   --cert /etc/puppetlabs/puppet/ssl/certs/puppetmaster-1.example.com.pem \
   --key /etc/puppetlabs/puppet/ssl/private_keys/puppetmaster-1.example.com.pem \
   --insecure https://puppetmaster-1:443/v1/nodes

 ... but this results in this output :

 /usr/bin/curl -v -X GET --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem 
 --cert /etc/puppetlabs/puppet/ssl/certs/puppetmaster-1.example.com.pem 
 --key 
 /etc/puppetlabs/puppet/ssl/private_keys/puppetmaster-1.example.com.pem 
 --insecure https://puppetmaster-1:443/v2/nodes
 * About to connect() to puppetmaster-1 port 443 (#0)
 *   Trying 10.29.120.143... connected
 * Connected to puppetmaster-1 (10.29.120.143) port 443 (#0)
 * Initializing NSS with certpath: sql:/etc/pki/nssdb
 * warning: ignoring value of ssl.verifyhost
 * skipping SSL peer certificate verification
 * SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
 * Server certificate:
 *   subject: CN=puppetmaster-1.example.com
 *   start date: Dec 14 20:36:42 2014 GMT
 *   expire date: Dec 14 20:36:42 2019 GMT
 *   common name: puppetmaster-1.example.com
 *   issuer: CN=Puppet CA generated on puppetmaster-1.example.com 
 at 2014-12-15 12:...
  GET /v2/nodes HTTP/1.1
  User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 
 NSS/3.14.3.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
  Host: puppetmaster-1
  Accept: */*
 
  HTTP/1.1 303 See Other
  Date: Mon, 15 Dec 2014 23:08:41 GMT
  Server: Jetty(9.1.z-SNAPSHOT)
  Location: /auth/login?redirect=%2Fv2%2Fnodes
  Content-Length: 0
  Connection: close
 
 * Closing connection #0

 But no node list! I only have one node, my puppetmaster.  What am I 
 doing wrong?

 Thanks



To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/3f3a4dee-74c1-450a-9bf3-44f06e20c641%40googlegroups.com.
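
Added example, not part of any post in this thread: the quoted curl command passes `--insecure` together with `--cacert`, and its transcript shows `skipping SSL peer certificate verification` for a server whose certificate names `puppetmaster-1.example.com` while the URL uses `puppetmaster-1`. The Ruby code below uses a constructed throwaway CA and a loopback listener (all helper names are hypothetical) to show which handshakes a verifying client accepts and rejects, and what a non-verifying client lets through.

```ruby
require "openssl"
require "socket"

FQDN = "puppetmaster-1.example.com" # name in the server certificate shown on the page

# Build a key and certificate. Without an issuer it is a self-signed CA;
# with one it is a server certificate carrying a DNS subjectAltName.
# Everything generated here is a constructed test PKI, not real Puppet material.
def make_cert(cn, issuer_key: nil, issuer_cert: nil, san: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  if issuer_cert
    cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{san}"))
  else
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Run a throwaway TLS listener on loopback that presents the given certificate,
# yield its port, and shut it down afterwards.
def with_tls_server(key, cert)
  tcp = TCPServer.new("127.0.0.1", 0)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  worker = Thread.new do
    loop do
      begin
        server.accept.close
      rescue StandardError
        next # a client that rejects the certificate aborts the handshake
      end
    end
  end
  yield tcp.addr[1]
ensure
  worker&.kill
  worker&.join
  tcp&.close
end

# Attempt a TLS handshake and return :accepted or :rejected.
# verify: true  -> chain check against ca_cert plus hostname check (curl without --insecure)
# verify: false -> neither check is made (curl --insecure)
def handshake(port, name:, ca_cert:, verify:)
  ctx = OpenSSL::SSL::SSLContext.new
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  ctx.cert_store = store
  if verify
    ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
    ctx.verify_hostname = true
  else
    ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  end
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", port), ctx)
  sock.sync_close = true
  sock.hostname = name # sent as SNI and, when verifying, matched against the certificate
  sock.connect
  :accepted
rescue OpenSSL::SSL::SSLError
  :rejected
ensure
  sock&.close
end

# Four cases: the trusted server under its full name and under the short name,
# then a server whose certificate was issued by a CA the client does not trust.
def run_cases
  ca_key, ca_cert = make_cert("Puppet CA (constructed)")
  other_key, other_cert = make_cert("Unrelated CA (constructed)")
  trusted = make_cert(FQDN, issuer_key: ca_key, issuer_cert: ca_cert, san: FQDN)
  untrusted = make_cert(FQDN, issuer_key: other_key, issuer_cert: other_cert, san: FQDN)
  results = {}
  with_tls_server(*trusted) do |port|
    results[:verified_fqdn] = handshake(port, name: FQDN, ca_cert: ca_cert, verify: true)
    results[:verified_short_name] =
      handshake(port, name: "puppetmaster-1", ca_cert: ca_cert, verify: true)
  end
  with_tls_server(*untrusted) do |port|
    results[:verified_untrusted_issuer] =
      handshake(port, name: FQDN, ca_cert: ca_cert, verify: true)
    results[:insecure_untrusted_issuer] =
      handshake(port, name: FQDN, ca_cert: ca_cert, verify: false)
  end
  results
end

p run_cases if __FILE__ == $PROGRAM_NAME
```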


[Puppet Users] Announce: Puppet Server 1.0.0 available!

2014-12-17 Thread Eric Sorenson
We're pleased to announce that Puppet Server 1.0.0 is now available.

This release is the official one point oh version of Puppet Server. In
accordance with the [Semantic Versioning](http://semver.org) specification,
we're declaring the existing public API of this version to be the
baseline for backwards-incompatible changes, which will trigger another
major version number. (No backwards-incompatible changes were introduced
between 0.4.0 and this version.)

In addition, the following features were added:

 * (SERVER-151, SERVER-150) Created a HTTP endpoint to trigger a complete
   refresh of the entire JRuby pool.
 * (SERVER-204) Added CLI tools to execute the `ruby` and `irb` commands using
   Puppet server's JRuby environment.
 * (SERVER-221) Initialize run_mode earlier
 * (SERVER-114, SERVER-112) Added a HTTP endpoint to trigger a flush of the
   Puppet environment cache.

This is also the first release where the Puppet Server documentation
is available on the main docs.puppetlabs.com site.

See the complete release notes for details about these features:
https://docs.puppetlabs.com/puppetserver/1.0/release_notes.html

For a list of all changes in this release, check out the JIRA page:
https://tickets.puppetlabs.com/browse/SERVER/fixforversion/12023/

To install and start using Puppet Server instead of Apache+Passenger or
Webrick, follow this guide:
https://docs.puppetlabs.com/puppetserver/1.0/install_from_packages.html

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/2D579959-C815-4FAA-B90D-634E26D75BAD%40puppetlabs.com.


Re: [Puppet Users] [puppet apply --ordering = manifest] is not working as expected

2014-11-24 Thread Eric Sorenson

On Nov 24, 2014, at 6:56 AM, jcbollinger john.bollin...@stjude.org wrote:

 I would advise you to avoid that thought process.  Puppet is not a script 
 engine, and puppet manifests are not scripts.  Wishing that they were, and 
 using the --ordering = manifest option to try to make it so, is likely to 
 lead to grief (as indeed it seems to have done in this case).  I've never 
 much seen the point of that option, actually.  People who are clueful enough 
 to know about it and to know why it might be useful are also clueful enough 
 to write their manifests so that they don't rely on it.  It is better for 
 your manifest set to be self-contained than for its correctness to depend on 
 the options with which puppet is run.

It will make more sense when it becomes the default ordering so new users won't 
have to be aware of it to make use of it.




 Those are all resource declarations.  Specifically, declarations of resources 
 of defined types, whose definitions happen to be in modules.

Ah, yep, I didn't read closely enough and missed that. Thanks for the 
correction.

 
 That may, in fact, be the key issue here, because everything else aside, I 
 don't see any reason why Puppet should not behave as Kyle expects.  It may be 
 that the --ordering = manifest option does not work correctly for 
 declarations at top scope.  I would file a bug report.
 
 The good thing is that there are workarounds available, which generally boil 
 down to producing a superior manifest.  Recommendations (choose ALL of the 
 following):
 * Don't sweat the relative order in which resources are applied where it 
   doesn't actually matter.  For example, if neither postgres nor SQLite is 
   initially installed, it surely doesn't matter which is installed first.
 * Where it does matter that one resource is managed before another, express it 
   in your manifests.  That's what the chaining arrows and the 'require' family 
   of metaparameters are for.  (See the resource ordering docs.)
 * Organize your code into classes, and keep top-scope declarations to a minimum.

I totally agree with all of this.

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/216909BC-D26D-4AB7-A6DA-3B079BDD0D0D%40puppetlabs.com.


Re: [Puppet Users] Puppet variable with a custom fact

2014-11-21 Thread Eric Sorenson

On Thursday, November 20, 2014 9:22:29 AM UTC-8, Wil Cooley wrote:

 (Aside: Does anyone have a link to a diagram of the dance the master and 
 agent do? I've been meaning to try to make one on websequencediagrams.com 
 but not gotten around to it.)

I made one for the SSL bootstrapping sequence 
here: 
http://ask.puppetlabs.com/question/25/how-can-i-troubleshoot-problems-with-puppets-ssl-layer/

And one for the agent/master communication which I haven't found a good 
place for on ask: 
https://dl.dropboxusercontent.com/u/18472980/puppet-agent-timeseq.png 

To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/e08c76c9-3e45-4b16-907c-c5fc3f2d931a%40googlegroups.com.


[Puppet Users] Re: workarounds for ruby segfaults on puppet master

2014-11-21 Thread Eric Sorenson


On Wednesday, November 19, 2014 9:02:00 AM UTC-8, Tim.Mooney wrote:


 Since RHEL 6.x has alternate versions of some packages (including ruby) 
 available via its Software Collections Library (SCL), I'm tempted to 
 try switching our puppet master to use the ruby193-* packages from 
 SCL.  A minor downside is that I won't be able to use the Puppet Labs 
 packages 
 anymore, at least on the master. 


Hi Tim, why is it that you wouldn't be able to use the packages on the 
master?

I think you should be able to point your apache 'PassengerRuby' directive 
at the SCL ruby and be good to go.

Another alternative that I'd recommend is to use the new puppetserver 
package, which runs the master under JRuby and replaces the whole 
Apache+Passenger+MRI ruby part of the stack.
 

 The big concern I have relates to how advisable it is to use a different 
 version of ruby on the master vs. all of the clients?  Have other RHEL 
 users tried this, with any success? 


It's generally fine as the execution paths are quite different for agent 
code vs master.

That's why it's been possible to move to JRuby under Puppet Server and 
leave the agents as they are on MRI.

--eric0

 

To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/696d901f-b007-481c-b082-127bfca8e78c%40googlegroups.com.


[Puppet Users] Re: [puppet apply --ordering = manifest] is not working as expected

2014-11-21 Thread Eric Sorenson
Hi Kyle -- 

On Friday, November 21, 2014 1:46:19 PM UTC-8, Kyle Purdon wrote:

 TL:DR Using the --ordering = manifest option does not seem to apply to 
 module commands.

 Using this parameter I would expect puppet to apply my manifest (site.pp) 
 in the order it is written (script like execution).

 It appears to do so for everything except module commands. The following 
 commands get executed after all done even though they are commands in the 
 middle of the manifest. Both are module commands.

 rbenv::plugin { 'sstephenson/ruby-build': latest => true }
 rbenv::build { $EDB_RUBY_VERSION: global => true }

 nsidc_nfs::sharemount { '/disks/backups': project => 'backups', options => 'ro' }


Hmm, I think you need to use the 'contain' function in conjunction with the 
ordering so that these classes work the way you expect. 

https://docs.puppetlabs.com/references/3.7.latest/function.html#contain

There's a great blog post by Zachary Stern about 
this: http://puppetlabs.com/blog/class-containment-puppet
 


 # INSTALL EMACS BECAUSE IT'S THE BEST EDITOR
 notify { 'installing emacs': }
 if str2bool($INSTALL_EMACS) {
   package { ['emacs24']: ensure => present }
 }


Aha, here's your real problem :)

--eric0 

To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/afd4ce04-ae12-46d3-b1c2-dc023499319b%40googlegroups.com.


[Puppet Users] Re: Puppetmaster 3.7.3 startup times when many environments exist

2014-11-12 Thread Eric Sorenson
This sounds like it's related to the following 
bug: https://tickets.puppetlabs.com/browse/PUP-3389

Can you please add any troubleshooting info you have onto that ticket? We 
are aware of the issue and are interested in characterizing it to build a 
fix.

Thanks!

On Wednesday, November 12, 2014 8:41:38 AM UTC-8, hecto...@gmail.com wrote:

 Hello,

 My problem: it takes 2 minutes and 14 seconds for the puppetmaster to 
 start (and it uses 100% cpu). It also seems to take way longer if spawned 
 by Apache/passenger.

 We run a larger-than-average Puppet setup, with 1892 different puppet 
 environments, each of them different from each other.

 Traditionally we have not used environments, but rather played with the 
 modulepath variable to simulate them (since before they were implemented 
 as such this was the way to do it).

 Now I am trying to enable environments the proper way, by setting 
 environmentpath etc.

 Strace shows that the puppetmaster will try to read every single 
 environment directory and environment.conf file during startup and it is 
 obviously setting up some underlying configuration as it takes a 
 considerable large amount of time for every environment.

 I don't know how far in 3.x this goes since we never cared to test them.

 My questions:

   * Any idea how to work around it (other than keeping our modulepath-based 
 configuration, which works well)?
   * Assuming this is just a warm-up time, will a low 
 environment_timeout setting cause the retriggering of such slow 
 operations as the ones happening during the puppetmaster start on a regular 
 basis?
  
 Even as a one-time warm-up time this is not acceptable for us so I guess 
 we will keep using our current way, even with the deprecation warnings. 
 Note I think the new environments-way makes total sense and the model 
 fits better for large diverse setups like ours. It just does not work well.

 If any developer is watching this list, it would be good to know if this 
 can be considered a bug (I can open a ticket), or is part of the 
 environment's feature. Regards!

 Hector




[Puppet Users] Re: puppet certification

2014-11-12 Thread Eric Sorenson
Just make sure you've tried the sample tests! Good luck!!

http://puppetlabs.com/services/certification/puppet-professional-practice-exam



On Wednesday, November 12, 2014 7:56:30 AM UTC-8, pankaj sehgal wrote:

 Hi Everyone,

 I am going to write the Puppet certification next week.
 Any last-minute study or important topics I should go through... any 
 suggestion will help!!!

 Thanks,
 -Pankaj



